An unidentifiable mechanism that helps you bypass GFW.

Overview

trojan


Trojan features multiple protocols over TLS to avoid both active/passive detections and ISP QoS limitations.

Trojan is not a fixed program or protocol. It is an idea: imitate the most common service so closely that the result behaves identically, and you can cross the Great Firewall permanently without ever being identified. We are the GreatER Fire; we ship Trojan Horses.

Documentations

Online documentation can be found here.
Installation guide on various platforms can be found in the wiki.

Contributing

See CONTRIBUTING.md.

Dependencies

License

GPLv3

Issues
  • TLS setup is slow, only 300k

    I set trojan up; the steps were: install the required environment, request a Let's Encrypt certificate, and edit the config file (I changed local_addr and the cert/key paths). The trojan client is 1.13, but there are a few problems. 1. In my tests, on a Hostwinds VPS a v2ray TLS setup with a paid domain reaches 50M, and the v2ray+mKCP setup I use now does 100M, but on Linode a TLS setup, whether v2ray or trojan, is very slow, 300k to 500k, not even enough for smooth browsing. The domain's DNS is on DNSPod, and using the paid domain's own nameservers is also slow, so DNS resolution is ruled out as the cause. 2. The trojan client looks normal apart from a lot of "disconnected" entries; on Windows, pinging the domain directly works, and both domestic and foreign sites can be pinged. I can't think of a fix, so I'm asking here. Thanks.

    enhancement 
    opened by xtwell 37
  • Have some questions when installing

    Build and Install

    Type in

    mkdir build
    cd build/
    cmake ..
    make
    ctest
    sudo make install
    

    [email protected]:~/trojan/build# make install
    make: *** No rule to make target 'install'.  Stop.
    

    help wanted question 
    opened by AndrewRussellGarfield 32
  • [BUG] Does not run on a 32-bit ARM Merlin system.

    Welcome to trojan 1.14.0
    [2019-12-30 17:27:22] [FATAL] fatal: set_option: Protocol not available
    [2019-12-30 17:27:22] [FATAL] exiting. . .
    

    Cross-compiled; it does not run on the R6300V2.

    bug 
    opened by lonee6 28
  • [Feature Request] Add TPROXY support

    • [x] I certify that I acknowledge if I don't follow the format below or I don't check this box, my issue will be closed immediately without any notice.

    It would be nice to have TPROXY support to accept traffic from iptables; in that case it could act as a transparent proxy for a LAN.

    reference: https://www.kernel.org/doc/Documentation/networking/tproxy.txt

    enhancement 
    opened by cattyhouse 27
  • Set up trojan-gfw behind nginx

    Dear @GreaterFire,

    Thanks for this great project. I have gone through the following link and successfully tested setting up trojan in front of nginx. https://github.com/trojan-gfw/trojan/issues/67

    But since trojan doesn't support binding multiple certificates, and I need to host different websites (https) for different domains on the same server that hosts trojan, I would like to set up trojan behind nginx, as nginx supports virtual servers. Can you share some sample config of nginx and trojan to help with this scenario?

    Thanks in advance.

    In addition, regarding the socks5 problem on Windows mentioned in the link below: https://github.com/trojan-gfw/trojan/issues/76 Based on my understanding, the advantage of socks5 is that it supports remote DNS resolving, compared with socks4.
    v2ray has a configuration option, "sniffing", which is quite useful under Windows. In this case, even IE can work without third-party apps. Hope it helps.

    Cheers, Kevin

    enhancement 
    opened by zhangsan946 26
  • Nginx reverse proxy handshake fails

    Because port 443 has to serve other things, I use Nginx as the proxy. The Trojan server listens on port 445; the Nginx config snippet:

    server {
    	listen 443 ssl;
    	ssl on;
    	ssl_certificate /etc/letsencrypt/live/www/fullchain.pem;
    	ssl_certificate_key /etc/letsencrypt/live/www/privkey.pem;
    	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    	ssl_ciphers HIGH:!aNULL:!MD5;
    	server_name my-domain;
    	location / {
    		proxy_pass http://127.0.0.1:445;
    	}
    }
    

    Trojan server config:

    {
    	"run_type": "server",
    	"local_addr": "0.0.0.0",
    	"local_port": 445,
    	"remote_addr": "127.0.0.1",
    	"remote_port": 80,
    	"password": [
    		"@777m777w"
    	],
    	"log_level": 0,
    	"ssl": {
    		"cert": "/etc/letsencrypt/live/www/fullchain.pem",
    		"key": "/etc/letsencrypt/live/www/privkey.pem",
    		"key_password": "",
    		"cipher": "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256",
    		"prefer_server_cipher": true,
    		"alpn": [
    			"http/1.1"
    		],
    		"reuse_session": true,
    		"session_ticket": false,
    		"session_timeout": 600,
    		"plain_http_response": "",
    		"curves": "",
    		"dhparam": ""
    	},
    	"tcp": {
    		"prefer_ipv4": false,
    		"no_delay": true,
    		"keep_alive": true,
    		"fast_open": false,
    		"fast_open_qlen": 20
    	},
    	"mysql": {
    		"enabled": false,
    		"server_addr": "127.0.0.1",
    		"server_port": 3306,
    		"database": "trojan",
    		"username": "trojan",
    		"password": ""
    	}
    }
    

    Trojan client config:

    {
    	"run_type": "client",
    	"local_addr": "127.0.0.1",
    	"local_port": 1080,
    	"remote_addr": "my-domain",
    	"remote_port": 443,
    	"password": [
    		"@777m777w"
    	],
    	"append_payload": true,
    	"log_level": 0,
    	"ssl": {
    		"verify": true,
    		"verify_hostname": true,
    		"cert": "www/fullchain.pem",
    		"cipher": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:ECDHE-RSA-CHACHA20-POLY1305-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RSA-AES128-GCM-SHA256:RSA-AES256-GCM-SHA384:RSA-AES128-SHA:RSA-AES256-SHA:RSA-3DES-EDE-SHA",
    		"sni": "",
    		"alpn": [
    			"h2",
    			"http/1.1"
    		],
    		"reuse_session": true,
    		"session_ticket": false,
    		"curves": ""
    	},
    	"tcp": {
    		"no_delay": true,
    		"keep_alive": true,
    		"fast_open": false,
    		"fast_open_qlen": 20
    	}
    }
    

    The Trojan server keeps reporting handshake failures:

    [2019-02-21 16:48:54] [ERROR] 183.83.69.87:1653 SSL handshake failed: wrong version number
    [2019-02-21 16:48:54] [INFO] 183.83.69.87:1653 disconnected, 0 bytes received, 0 bytes sent, lasted for 0 seconds
    

    How should I configure the proxy forwarding?

    help wanted 
    opened by muweigg 25
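The "SSL handshake failed: wrong version number" in the issue above is what OpenSSL reports when the first bytes arriving on a TLS listener are not a TLS record. In that nginx configuration, nginx terminates TLS itself and then proxy_passes plain HTTP to trojan on port 445, so trojan's TLS stack reads "GET " where it expects a record header beginning 0x16 0x03. TLS has to be terminated exactly once: either trojan owns the TLS port and forwards non-trojan traffic to nginx's plain-HTTP port (the remote_addr 127.0.0.1:80 already present in the server config above), or a layer in front routes the still-encrypted connection by SNI without decrypting it (nginx's stream module with ssl_preread does that). The Python below is an added example, not code from the trojan project: it classifies a connection's first bytes the way a listener sees them and pulls the server_name out of a ClientHello, which is the field an SNI router keys on. The ClientHello builder, its fixed random bytes and the sample host names are constructed for the example.

```python
import struct

TLS_HANDSHAKE = 0x16
TLS_RECORD_VERSIONS = (0x0300, 0x0301, 0x0302, 0x0303, 0x0304)
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ")


def classify_first_bytes(data: bytes) -> str:
    """Classify what arrived on the socket before any handshake ran.

    A TLS listener reads a 5-byte record header first: content type,
    2-byte protocol version, 2-byte length.  When a reverse proxy has
    already terminated TLS and forwards plain HTTP, the bytes in the
    version slot are "ET" from "GET ", which is the condition OpenSSL
    reports as "wrong version number".
    """
    if len(data) >= 3 and data[0] == TLS_HANDSHAKE:
        version = struct.unpack(">H", data[1:3])[0]
        if version in TLS_RECORD_VERSIONS:
            return "tls"
    if data.startswith(HTTP_METHODS):
        return "plaintext-http"
    return "unknown"


def build_client_hello(server_name: str) -> bytes:
    """Constructed sample: a minimal TLS 1.2-style ClientHello carrying an SNI extension."""
    name = server_name.encode("idna")
    sni_entry = b"\x00" + struct.pack(">H", len(name)) + name        # name_type=host_name
    sni_list = struct.pack(">H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack(">HH", 0x0000, len(sni_list)) + sni_list     # extension type 0 = server_name
    body = (
        b"\x03\x03"                                        # client_version TLS 1.2
        + b"\x11" * 32                                     # random (fixed, constructed)
        + b"\x00"                                          # session_id length 0
        + struct.pack(">H", 4) + b"\x13\x01\xc0\x2b"       # two cipher suites
        + b"\x01\x00"                                      # compression: null only
        + struct.pack(">H", len(sni_ext)) + sni_ext        # extensions block
    )
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body      # ClientHello, 24-bit length
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def client_hello_sni(record: bytes):
    """Return the server_name from a ClientHello record, or None.

    Walks the fixed-layout fields (version, random, session id, cipher
    suites, compression) to reach the extensions and looks for type 0.
    An SNI-based router reads exactly this before deciding where to send
    the still-encrypted connection.
    """
    if classify_first_bytes(record) != "tls":
        return None
    try:
        rec_len = struct.unpack(">H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                       # not a ClientHello message
            return None
        p = 4 + 2 + 32                          # handshake header, client_version, random
        p += 1 + hs[p]                          # session_id
        p += 2 + struct.unpack(">H", hs[p:p + 2])[0]   # cipher_suites
        p += 1 + hs[p]                          # compression_methods
        if p + 2 > len(hs):
            return None                         # no extensions block at all
        ext_end = p + 2 + struct.unpack(">H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            ext_type, ext_len = struct.unpack(">HH", hs[p:p + 4])
            p += 4
            if ext_type == 0x0000:
                q = p + 2                       # skip server_name_list length
                name_type = hs[q]
                name_len = struct.unpack(">H", hs[q + 1:q + 3])[0]
                if name_type == 0:
                    return hs[q + 3:q + 3 + name_len].decode("idna")
            p += ext_len
    except (IndexError, struct.error, UnicodeError):
        return None
    return None
```

Feeding the plain request line that nginx emits after proxy_pass http:// gives "plaintext-http" and no SNI, which is the situation trojan on 445 was in; feeding a real ClientHello yields the name an SNI router would match against the trojan hostname before handing the connection, untouched, to trojan's own TLS listener.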
  • transparent proxy iptables setup

    I have set up trojan in client mode and it works like a charm, but then I changed the mode to nat and set up iptables with the following rules:

    #!/bin/bash
    # Create an iptable chain PROXY
    iptables -t nat -N PROXY
    
    # Allow connection for the proxy itself
    iptables -t nat -A PROXY -m owner --uid-owner $(id -u $1) -j RETURN
    
    # Allow connection to reserved networks
    iptables -t nat -A PROXY -d 0.0.0.0/8 -j RETURN
    iptables -t nat -A PROXY -d 10.0.0.0/8 -j RETURN
    iptables -t nat -A PROXY -d 127.0.0.0/8 -j RETURN
    iptables -t nat -A PROXY -d 169.254.0.0/16 -j RETURN
    iptables -t nat -A PROXY -d 172.16.0.0/12 -j RETURN
    iptables -t nat -A PROXY -d 192.168.0.0/16 -j RETURN
    iptables -t nat -A PROXY -d 224.0.0.0/4 -j RETURN
    iptables -t nat -A PROXY -d 240.0.0.0/4 -j RETURN 
    
    # redirect the rest to the proxy port
    iptables -t nat -A PROXY -p tcp -j REDIRECT --to-ports $2
    
    # redirect tcp to PROXY 
    iptables -t nat -A OUTPUT -p tcp -j PROXY
    

    and executed sudo ./install_iptables proxy 1080; I also modified the systemd unit file to run trojan as user proxy. It doesn't seem to be working. The log shows something like this:

    Oct 02 16:58:02 some-pc trojan[6691]: [2019-10-02 08:58:02] [INFO] 192.168.0.178:47374 disconnected, 0 bytes received, 0 bytes sent, lasted for 0 seconds
    Oct 02 16:58:02 some-pc trojan[6691]: [2019-10-02 08:58:02] [ERROR] 192.168.0.178:47376 unknown protocol
    Oct 02 16:58:02 some-pc trojan[6691]: [2019-10-02 08:58:02] [INFO] 192.168.0.178:47376 disconnected, 0 bytes received, 0 bytes sent, lasted for 0 seconds
    Oct 02 16:58:02 some-pc trojan[6691]: [2019-10-02 08:58:02] [ERROR] 192.168.0.178:47378 unknown protocol
    Oct 02 16:58:02 some-pc trojan[6691]: [2019-10-02 08:58:02] [INFO] 192.168.0.178:47378 disconnected, 0 bytes received, 0 bytes sent, lasted for 0 seconds
    Oct 02 16:58:02 some-pc trojan[6691]: [2019-10-02 08:58:02] [ERROR] 192.168.0.178:47380 unknown protocol
    Oct 02 16:58:02 some-pc trojan[6691]: [2019-10-02 08:58:02] [INFO] 192.168.0.178:47380 disconnected, 0 bytes received, 0 bytes sent, lasted for 0 seconds
    Oct 02 16:58:26 some-pc trojan[6691]: [2019-10-02 08:58:26] [INFO] 127.0.0.1:60148 disconnected, 42775 bytes received, 5018 bytes sent, lasted for 64 seconds
    Oct 02 16:58:51 some-pc trojan[6691]: [2019-10-02 08:58:51] [ERROR] 192.168.0.178:60544 unknown protocol
    Oct 02 16:58:51 some-pc trojan[6691]: [2019-10-02 08:58:51] [INFO] 192.168.0.178:60544 disconnected, 0 bytes received, 0 bytes sent, lasted for 0 seconds
    

    and the browser prints a secure connection error:

    Secure Connection Failed
    An error occurred during a connection to www.google.com. PR_END_OF_FILE_ERROR
    

    What's the problem with my setting? Do I need to also redirect udp packets to the proxy port?

    opened by hachikujimayoi298 23
  • The client's cipher suite order on the wire is not the one written in the config

    Isn't that a rather unconvincing disguise? XD

    Tested with an ECC certificate (image)

    The client config is just the default:

    "cipher": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:ECDHE-RSA-CHACHA20-POLY1305-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RSA-AES128-GCM-SHA256:RSA-AES256-GCM-SHA384:RSA-AES128-SHA:RSA-AES256-SHA:RSA-3DES-EDE-SHA",

    The ServerHello returns this (image)

    I think the order should be the same as what the client sends; that would make more sense.

    opened by k79e 22
  • Design discussion

    I would like to invite you to the discussion of the rationales and ideas for a better circumvention protocol.

    Many of the points below can have better context with citations but I try to keep it informal this time.

    Why use TLS

    Security

    The Shadowsocks specification has been reinventing cryptography to make up for apparent vulnerabilities from various probing attacks. It, among other similar protocols, tries to recommend specific cipher suites and cryptographic configurations without professional analysis and audit. The fact that the Shadowsocks spec was fixed again and again with faulty cryptographic designs shows how hard it is to reinvent cryptography and why obfuscation is not possible without a certain level of security.

    This subject has been much better researched and engineered for years as TLS. TLS provides confidentiality, authentication, and integrity. It protects against replay attack. It has mature and high performance and cross-platform implementations. It is only sensible to adopt commonly used best practices. Those who do not understand TLS are doomed to reinvent it, poorly.

    Obfuscation

    What Shadowsocks is doing is no different from Tor's pluggable transports, e.g. ScrambleSuit and obfs4, which have designed custom cryptographic protocols to replace Tor's default TLS stack, except that Tor's protocols are scholarly peer-reviewed.

    The assumption of these Tor PT protocols is that if the wire data look as random as possible (above the transport layer) it would be impossible to identify or classify. This assumption has its limitation. It is shown that random packet padding actually becomes a feature in itself and enables new entropy-based attacks.

    The bigger picture is that most traffic on the Internet does not look random. If an obfuscation protocol makes the data too random it attracts additional scrutiny. A thought experiment: the GFW intercepts 60% HTTP, 30% TLS, and 10% unrecognized high-entropy traffic. After the initial coarse traffic classification, the 10% traffic gets redirected for additional analysis, where more advanced methods become affordable.

    The obvious solution is to obfuscate above the transport layer inside real TLS. By moving the protocol up the layer, traffic classification at the transport layer is less effective and the obfuscated traffic is less likely to be scrutinized by being of a larger traffic class. (Note that it must be real TLS. Mimicry of HTTP (or TLS) has been shown to be easily detected.) I think this is part of the reason Meek (plain HTTPS proxy with fake TLS SNI) is given more attention at Tor. As more traffic moves to TLS this effect becomes more pronounced.

    Problems of TLS

    Information leak

    TLS is much more complex than TCP and gives off much more information, mostly in TLS parameters in ClientHello and ServerHello, state transitions, and certificates.

    • TLS parameters: Enable fingerprinting attacks. This can be mitigated by capturing common browsers' traffic and reusing the same parameters. It is also easy to verify this mitigation.
    • State transition: Enables deeper fingerprinting. This can be mitigated by using the same TLS library as the browser's. ShadowsocksR's forged TLS handshakes are easy to detect by examining protocol dynamics (example).

    In principle these protocol behaviors can be imitated perfectly by reusing a browser's TLS stack, and it is easy to verify the imitation locally.

    • Certificates: They are identifiers themselves and the parameters used to create them also leak information. Possible mitigation options:
      • No certificates (TLS-PSK/TLS-SRP). TLS without certificates would be a unique traffic feature because this is rarely used.
      • Self-signed certificates. Must use certificate pinning otherwise insecure from MitM attacks.
      • Certificates signed with self-signed CA (not in browsers' default chain of trust). Could be an option as TLS middleboxes and organizations (e.g. 12306.cn) tend to use it.
      • Free SSL certificates (Let's Encrypt, StartSSL, et al.).
      • Paid SSL certificates.

    GFW people have proposed to prioritize traffic for more advanced analysis by a "trustworthiness" ranking of the certificates. This is essentially network-layer host behavior analysis applied at the TLS layer and the certificates are the new IP addresses. Indeed IP addresses can also have "trustworthiness" used to prioritize traffic for analysis, e.g. if 99% traffic of a foreign host is with a single domestic host, select it for advanced tunnel traffic classifiers; well-known IP addresses are whitelisted, etc.

    Traffic selection is always happening and it's a matter of degree of uniqueness of the certificates. In this sense CA-signed certificates (Let's Encrypt) can be even more unique than self-signed certificates because the former may represent less traffic than the latter. There are no clear wrong options here for circumvention but the choice of best practice remains an open question.

    Performance

    TLS handshakes introduce additional RTT on top of TCP handshakes. Latency is critical for network performance.

    The Shadowsocks protocol has no handshakes and its implementation uses TCP Fast Open which reduces even more handshake RTT. Although TCP Fast Open is not always usable as it is commonly obstructed by middleboxes.

    Speaking of RTT, VPNs at the network layer would have the least RTT among proxy schemes, but VPNs' usability is harmed by their requirement to configure the OS network stack. In this sense Shadowsocks' success is partly due to the fact that it requires little sysadmin work, which is a reasonable tradeoff for TCP handshake RTT.

    There are remedies in TLS for the RTT problem. TLS 1.2 False Start extension reduces handshakes to 1-RTT. TLS 1.3 (draft) introduces a 0-RTT mode. But TLS 1.3 implementations are still not production-ready to match the 0-RTT performance in Shadowsocks protocol (I tried Chromium/BoringSSL, Nginx. Though HAProxy just put out 0-RTT support in 1.8-rc3, I was working with Nginx because it's easier for scripting. I hope I can get them working soon.)

    About TCP Fast Open, I found neither Nginx nor HAProxy has implemented it in client mode. Nginx gave an interesting reason: it's better to use persistent connections instead of creating new connections very fast. Shadowsocks creates a new proxy connection for each client request. It is arguable whether multiplexing would be better than that for Shadowsocks, but the benefit is obvious in the case of TLS where the cost of creating new connections is high.

    There are two schemes of multiplexing: one is multiplexing multiple streams into a single TCP connection, the other is connection reuse/connection pooling. Mux.Cool used by V2Ray is of the first scheme. The first scheme has a head-of-line blocking problem which increases latency, see this. The second one is used by Nginx as "keepalives." It works like this: For a new client connection, try to use an idle proxy connection in the pool or create a new connection; after the client connection is closed, do not close the proxy connection instead save it into the pool as idle (with an idle timeout).

    The Shadowsocks protocol does not allow multiplexing because it cannot distinguish the start and end of streams. Neither does the Trojan protocol but Trojan can be extended to allow this enhancement. To enable multiplexing the protocol can use a similar scheme as HTTP chunked transfer encoding:

    • Use a size field of two bytes to indicate the size of the chunk immediately following the size field. A size of zero indicates the end of stream.

    Traffic analysis

    I agree this is a legitimate threat and deserves attention. There has been a report of a specific TLS-in-TLS proxy being repeatedly detected by traffic analysis, but at the same time GFW people have also admitted the limitation of practical traffic analysis (classifiers do not generalize, concept drift, etc.).

    The difficulty at the circumvention side is that there is no way to verify the effectiveness of any proposed traffic obfuscation technique in real-world setting and similarly there is no way to compare their relative effectiveness.

    Despite the theoretical trouble, I think the current recommendation is to implement any basic packet padding scheme, which will always be better than no padding. More adversarial implementations of detectors of traffic obfuscators may prove useful in measuring their strength.

    Other rationales

    • In evaluating the threat of an attack, always examine how feasible it is for the censor to implement the particular attack, i.e. eliminate simple exploits first.
    • Develop a censorship event collection and reporting scheme (e.g. collect traffic flow metadata for replay experiments) so analysis can be empirically grounded instead of based on anecdotes and speculation.
    • Develop adversarial testing frameworks (e.g. sssniff) so the strength of obfuscation techniques can be verified and compared.
    • Usability matters. Even as we focus more on theoretical attacks we should still think about usability.
    • (Also, the old recommendation from WCP was that organization of GFW circumvention efforts should be decentralized and fragmented in nature. Increasingly centralized projects like Shadowsocks become easy targets for censorship research. This is why I do not support centralizing more efforts into the Shadowsocks plugin extension system.)

    @GreaterFire @micooz @WANG-lp @bosskwei @wongsyrone

    enhancement 
    opened by klzgrad 22
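The chunk framing sketched in the last bullet of the multiplexing section (a two-byte size field in front of each chunk, a size of zero ending the stream) is simple to state but easy to get wrong where TCP read boundaries fall inside a size field or a chunk. The following Python is an added example, not code from trojan or any project named in the discussion: an encoder and an incremental decoder for exactly that framing. The size field and end marker follow the bullet; the names, the buffering strategy and the sample streams are this example's own choices.

```python
import struct

MAX_CHUNK = 0xFFFF                      # largest chunk a 2-byte size field can describe
END_OF_STREAM = struct.pack(">H", 0)    # zero-size chunk terminates the current stream


def frame_stream(data: bytes) -> bytes:
    """Encode one stream as size-prefixed chunks followed by the zero-size terminator."""
    out = bytearray()
    for start in range(0, len(data), MAX_CHUNK):
        piece = data[start:start + MAX_CHUNK]
        out += struct.pack(">H", len(piece)) + piece
    out += END_OF_STREAM
    return bytes(out)


class StreamDeframer:
    """Incremental decoder for the framing above.

    Bytes may arrive in arbitrary slices, so the decoder buffers until a
    whole chunk (size field plus body) is present.  Each zero-size chunk
    closes the current stream; the next chunk starts a new stream on the
    same connection, which is what lets the proxy connection be reused
    instead of torn down after every client request.
    """

    def __init__(self):
        self._buf = bytearray()          # bytes received but not yet consumed
        self._current = bytearray()      # body of the stream being assembled
        self.completed = []              # finished streams, in arrival order

    def feed(self, data: bytes) -> list:
        """Consume a slice of wire bytes; return the streams completed by it."""
        self._buf += data
        finished = []
        while len(self._buf) >= 2:
            size = struct.unpack(">H", self._buf[:2])[0]
            if size == 0:
                del self._buf[:2]
                finished.append(bytes(self._current))
                self._current = bytearray()
                continue
            if len(self._buf) < 2 + size:
                break                    # chunk body not fully here yet; wait for more
            self._current += self._buf[2:2 + size]
            del self._buf[:2 + size]
        self.completed.extend(finished)
        return finished

    def pending(self) -> int:
        """Bytes buffered that do not yet form a complete chunk."""
        return len(self._buf)
```

Note that this framing only delimits consecutive streams on one connection (the connection-reuse scheme the discussion attributes to Nginx keepalives); interleaving several streams at once, as Mux.Cool does, would need a stream identifier in each chunk header as well, and with it the head-of-line blocking the discussion warns about.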
  • [ASK] Create account

    Trojan Version: latest version, 1.14.1

    Describe the bug: not really a bug, but I can't understand how the Authenticator works, especially the password hash.

    Logs

    Feb 7 18:12:11 cbtp trojan[9059]: [2020-02-07 18:12:11] [WARN] IP:PORT valid trojan request structure but possibly incorrect password (15ea5abf0d742d8d5d48d50d936fb70dfbc33cea68910d359549055e)

    I tried to make a bash script to create an account via the terminal. addtrojan.sh:

    #!/bin/bash
    # addtrojan.sh: insert a user into the trojan MySQL users table
    CLIENT_NAME="$1"
    if [ "$CLIENT_NAME" == "" ]; then
        echo "INPUT USERNAME"
        read -p "Client name: " -e CLIENT_NAME
    fi
    CLIENT_PASS="$2"
    if [ "$CLIENT_PASS" == "" ]; then
        echo "INPUT PASSWORD"
        read -p "Client Pass: " -e CLIENT_PASS
    fi
    # hash password: trojan stores hex(SHA224(password)); -n keeps the newline out of the hash
    pwd=$(echo -n "$CLIENT_PASS" | sha224sum | awk '{print $1}')
    # note: CLIENT_NAME is interpolated into the SQL statement without escaping
    echo "USE trojan; INSERT INTO users (username, password, quota) VALUES ('$CLIENT_NAME', '$pwd', '-1');" | mysql -utrojan -ppassmysql
    

    reference: tutor1 and tutor2

    bug 
    opened by malikshi 21
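To make the Authenticator question concrete: after the TLS handshake, a trojan client sends hex(SHA224(password)) (56 hex characters, the same shape as the value in the WARN line above and as what the sha224sum pipeline stores), then CRLF, then a SOCKS5-style request (CMD, ATYP, DST.ADDR, DST.PORT), CRLF, and the payload. The server compares the 56-character hash against its configured or database-backed set: a structurally valid request with an unknown hash produces the "valid trojan request structure but possibly incorrect password" warning, while bytes that do not fit the format are not treated as a trojan request at all and are proxied to remote_addr:remote_port. The Python below is an added example, not the project's code: it builds and parses that request and reports the same three verdicts. Passwords, hosts and payloads are constructed inputs.

```python
import hashlib
import ipaddress
import struct

CRLF = b"\r\n"
CMD_CONNECT, CMD_UDP_ASSOCIATE = 0x01, 0x03
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
HEX_DIGITS = frozenset("0123456789abcdef")


def password_hash(password: str) -> str:
    """What the client sends and what the server stores/compares: hex(SHA224(password)).

    Matches `echo -n "$pass" | sha224sum` as long as no trailing newline is
    hashed.  Always 56 lowercase hex characters.
    """
    return hashlib.sha224(password.encode("utf-8")).hexdigest()


def encode_address(host: str, port: int) -> bytes:
    """ATYP + DST.ADDR + DST.PORT, SOCKS5-style."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                      # not an IP literal: send as a domain name
        name = host.encode("idna")
        return bytes([ATYP_DOMAIN, len(name)]) + name + struct.pack(">H", port)
    atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
    return bytes([atyp]) + ip.packed + struct.pack(">H", port)


def build_request(password: str, host: str, port: int, payload: bytes = b"",
                  cmd: int = CMD_CONNECT) -> bytes:
    """Client side: the bytes written right after the TLS handshake completes."""
    return (password_hash(password).encode("ascii") + CRLF
            + bytes([cmd]) + encode_address(host, port) + CRLF + payload)


def parse_request(data: bytes, allowed_hashes):
    """Server side.  Returns (verdict, detail) with one of three verdicts:

    'not trojan request'  structure invalid; server proxies the bytes to remote_addr:remote_port
    'bad password'        structure valid but hash unknown; detail is the offending hash
    'ok'                  detail is (cmd, host, port, payload)
    """
    if len(data) < 58 or data[56:58] != CRLF:
        return "not trojan request", None
    hex_hash = data[:56].decode("ascii", errors="replace")
    if not HEX_DIGITS.issuperset(hex_hash):
        return "not trojan request", None
    try:
        cmd, atyp = data[58], data[59]
        p = 60
        if atyp == ATYP_IPV4:
            host, p = str(ipaddress.IPv4Address(data[p:p + 4])), p + 4
        elif atyp == ATYP_IPV6:
            host, p = str(ipaddress.IPv6Address(data[p:p + 16])), p + 16
        elif atyp == ATYP_DOMAIN:
            n = data[p]
            host, p = data[p + 1:p + 1 + n].decode("idna"), p + 1 + n
        else:
            return "not trojan request", None
        port = struct.unpack(">H", data[p:p + 2])[0]
        p += 2
    except (IndexError, ValueError, struct.error):   # truncated or malformed address
        return "not trojan request", None
    if data[p:p + 2] != CRLF or cmd not in (CMD_CONNECT, CMD_UDP_ASSOCIATE):
        return "not trojan request", None
    if hex_hash not in allowed_hashes:
        return "bad password", hex_hash
    return "ok", (cmd, host, port, data[p + 2:])
```

The practical check this gives you: compute password_hash() for the password in the client's config and compare it with the string in the users table (or with the hash the WARN line prints); if they differ, the client is hashing something else than what was inserted, for example a password with a stray newline or different whitespace.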
  • [BUG] With h2 enabled, website images fail to load, and SSL Labs shows HTTP failure

    • [x] I certify that I acknowledge if I don't follow the format below, or I'm using an old version of trojan, or I apparently fail to provide sufficient information (such as logs, specific numbers), or I don't check this box, my issue will be closed immediately without any notice.

    Trojan Version: 1.13.0

    Describe the bug: with h2 enabled on both the trojan server and nginx, images on the website fail to load; after removing h2 support they load normally.

    To Reproduce: steps to reproduce the behavior:

    1. Go to '...'
    2. Click on '....'
    3. Scroll down to '....'
    4. See error

    Expected behavior: images load normally.

    Logs: not trojan request, connecting to 127.0.0.1:80

    Environment: debian9, nginx

    Additional context: h2 has a bug; with it enabled, SSL Labs shows an HTTP failure, whereas with only http/1.1 it doesn't.

    bug 
    opened by johnrosen1 20
  • [BUG] Trojan server process crashed silently

    • [x] I certify that I have read the contributing guidelines and I acknowledge if I don't follow the format below, or I'm using an old version of trojan, or I apparently fail to provide sufficient information (such as logs, specific numbers), or I don't check this box, my issue will be closed immediately without any notice.

    Trojan Version 1.16.0

    Describe the bug Server process crashed silently. The server has been setup successfully and it has been working well for a few hours. But after that the trojan process crashed silently without any error so it is hard to know what happened.

    To Reproduce Steps to reproduce the behavior:

    1. Run the trojan process with nohup, e.g. "nohup trojan -c myconfig.json -l log.txt > nohup.out 2>&1 &"
    2. It works well.
    3. After a few hours, maybe one hour or more, the number of users increased to 50.
    4. Server process crashed.
    5. Check the log.txt, there is no obvious trojan side error.

    Expected behavior

    1. Trojan should work and the process is still running.
    2. Or it crashed, but the log should show what happened.

    Logs If applicable, add logs to help explain your problem.

    Environment: Ubuntu 18.04, 2C4G VM. Config:

    {
    	"run_type": "server",
    	"local_addr": "0.0.0.0",
    	"local_port": 443,
    	"remote_addr": "www.abcxyz123.com",
    	"remote_port": 443,
    	"password": [
    		"mypassword"
    	],
    	"log_level": 2,
    	"ssl": {
    		"cert": "/path/to/fullchain.cer",
    		"key": "/path/to/private.key",
    		"key_password": "",
    		"cipher_tls13": "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384",
    		"prefer_server_cipher": true,
    		"alpn": [
    			"http/1.1"
    		],
    		"reuse_session": true,
    		"session_ticket": false,
    		"session_timeout": 60,
    		"plain_http_response": "",
    		"curves": "",
    		"dhparam": ""
    	},
    	"tcp": {
    		"prefer_ipv4": true,
    		"no_delay": true,
    		"keep_alive": true,
    		"reuse_port": true,
    		"fast_open": true,
    		"fast_open_qlen": 20
    	}
    }
    

    Additional context Before this crash, I find there is "Too many open files" and then the process crashed. So I set the ulimit -n 102400 and there is no such error anymore. But it still crashed silently.

    bug 
    opened by superbetacat 0
  • I use trojan on Ubuntu but cannot access Google [BUG]

    Trojan Version

    ./trojan -t /usr/local/etc/trojan/config.json
    Welcome to trojan 1.16.0
    The config file looks good.
    

    Describe the bug: when I run trojan, it shows the following:

    ~/trojan$ ./trojan -c /usr/local/etc/trojan/config.json
    Welcome to trojan 1.16.0
    [2022-05-23 14:17:41] [WARN] trojan service (client) started at 127.0.0.1:1080
    

    Environment Ubuntu 20.04

    Additional context: the firewall port is open.

    [email protected]:~$ sudo ufw status
    Status: active

    To                         Action      From
    --                         ------      ----
    1080/tcp                   ALLOW       Anywhere
    1080/tcp (v6)              ALLOW       Anywhere (v6)
    

    what's wrong? please help.

    bug 
    opened by wangzy0327 0
  • Certificate application times out

    When I use acme.sh with the following command to apply for a certificate, acme.sh --issue -d <xxxx> -w /var/www/<file_name>, the following error occurs:

    [Sat May 21 12:04:17 PM UTC 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Sat May 21 12:04:17 PM UTC 2022] Single domain='ubt.smartcell.ga'
    [Sat May 21 12:04:17 PM UTC 2022] Getting domain auth token for each domain
    [Sat May 21 12:04:18 PM UTC 2022] Getting webroot for domain='ubt.smartcell.ga'
    [Sat May 21 12:04:18 PM UTC 2022] Verifying: ubt.smartcell.ga
    [Sat May 21 12:04:19 PM UTC 2022] Pending, The CA is processing your order, please just wait. (1/30)
    [Sat May 21 12:04:22 PM UTC 2022] Pending, The CA is processing your order, please just wait. (2/30)
    [Sat May 21 12:04:25 PM UTC 2022] Pending, The CA is processing your order, please just wait. (3/30)
    [Sat May 21 12:04:29 PM UTC 2022] Pending, The CA is processing your order, please just wait. (4/30)
    [Sat May 21 12:04:32 PM UTC 2022] ubt.smartcell.ga:Verify error:104.238.128.131: Fetching http://ubt.smartcell.ga/.well-known/acme-challenge/m9BUswkZ3zufaIv0upo-PIS0p8YmQQmkS4rVjmiNOno: Timeout during connect (likely firewall problem)
    [Sat May 21 12:04:32 PM UTC 2022] Please add '--debug' or '--log' to check more details.
    [Sat May 21 12:04:32 PM UTC 2022] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
    

    How should I solve it?

    opened by Beacon-Shuaiyuan 0
  • I want to use caddy reverse_proxy to trojan, Is it possible in principle?

    • [x] I certify that I have read the contributing guidelines and I acknowledge if I don't follow the format below, or I'm using an old version of trojan, or I apparently fail to provide sufficient information (such as logs, specific numbers), or I don't check this box, my issue will be closed immediately without any notice.

    Trojan Version 1.16.0

    Describe the bug: I use Caddy to forward TLS to trojan, but the client gets the "disconnected, 696700 bytes received, 14960 bytes sent, lasted for 374 seconds" message. Is this because Caddy thinks it's a bad TLS protocol and can't continue?

    To Reproduce

    https://example.com {
      encode gzip
      tls [email protected]
    
      reverse_proxy * {
            to https://172.17.0.1:1443  # this is the trojan server
            transport http {
                tls_insecure_skip_verify
            }
      }
    }
    
    

    Logs: I don't get anything in the trojan server log.

    Additional context: I want to use Caddy because I lost port 443, so I want to use 80 instead of 443, but trojan can't redirect HTTP requests on port 80 to HTTPS, so I want to use Caddy to manage all requests.

    bug 
    opened by zccrs 0
  • Is there any example of a self-signed certificate working?

    I found that with a self-signed certificate, verify has to be set to false. If verify is true, many guides say:

    客户端config.json:
    
    "ssl": {
            "verify": true,
            "verify_hostname": true,
            "cert": "./server.crt",
    
    服务端config.json:
    "log_level": 1,
        "ssl": {
            "cert": "/usr/local/etc/trojan/server.crt",
            "key":  "/usr/local/etc/trojan/server.key",
    
    where server.crt is the same file in both.
    

    I tested it, and it simply does not work.

    opened by yufeiluo 3
Releases: v1.16.0

Owner: Trojan-GFW
A long-term advanced traffic obfuscation tool for GFW circumvention.