{"id":47264492,"url":"https://github.com/anonvector/slipgate","last_synced_at":"2026-05-02T14:01:32.112Z","repository":{"id":340015079,"uuid":"1164187530","full_name":"anonvector/slipgate","owner":"anonvector","description":"⏺ SlipGate — Unified tunnel manager for Linux servers. Deploys and manages DNS tunnels (DNSTT, NoizDNS, Slipstream) and HTTPS proxies (NaiveProxy) with systemd integration, multi-tunnel DNS routing, user management, and one-tap client sharing via slipnet:// URIs.","archived":false,"fork":false,"pushed_at":"2026-05-02T12:15:22.000Z","size":870,"stargazers_count":259,"open_issues_count":7,"forks_count":25,"subscribers_count":5,"default_branch":"main","last_synced_at":"2026-05-02T13:29:12.013Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/anonvector.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-02-22T19:09:57.000Z","updated_at":"2026-05-02T12:12:45.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/anonvector/slipgate","commit_stats":null,"previous_names":["anonvector/slipnet-server-setup"],"tags_count":30,"template":false,"template_full_name":null,"purl":"pkg:github/anonvector/slipgate","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anonvector%2Fslipgate","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anonvector%2Fslipgate/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anonvector%2Fslipgate/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anonvector%2Fslipgate/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/anonvector","download_url":"https://codeload.github.com/anonvector/slipgate/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anonvector%2Fslipgate/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32536582,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-02T12:25:33.646Z","status":"ssl_error","status_checked_at":"2026-05-02T12:24:51.733Z","response_time":132,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-03-15T03:01:57.626Z","updated_at":"2026-05-02T14:01:32.104Z","avatar_url":"https://github.com/anonvector.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# SlipGate\n\nUnified tunnel manager for Linux servers. Manages DNS tunnels (DNSTT, NoizDNS, Slipstream, VayDNS) and HTTPS proxies (NaiveProxy) with systemd services, multi-tunnel DNS routing, and user management. Designed for use with the [SlipNet](https://github.com/anonvector/SlipNet) Android VPN app.\n\n## Features\n\n- **Multi-transport**: DNSTT/NoizDNS (DNS tunnels with Curve25519 encryption), Slipstream (QUIC-based DNS), VayDNS (KCP-based DNS with Curve25519), NaiveProxy (HTTPS with Caddy), StunTLS (SSH over TLS + WebSocket)\n- **Dual backend**: Built-in SOCKS5 proxy or SSH forwarding (custom SSH port supported)\n- **DNS routing**: Single-tunnel or multi-tunnel mode with domain-based dispatch\n- **External routing**: Forward DNS queries for a domain to a custom port for user-managed protocols\n- **WARP integration**: Optional Cloudflare WARP outbound routing (see [dnstun-ezpz](https://github.com/aleskxyz/dnstun-ezpz) for an alternative approach)\n- **User management**: Multi-user SSH + SOCKS credentials (all users authenticate simultaneously), with bulk creation of up to 500 users per call\n- **Live dashboard**: Real-time TUI with CPU, RAM, traffic sparklines, per-protocol connection stats, and tunnel status\n- **Diagnostics**: Built-in health checks for services, ports, keys, DNS resolution, and boot persistence\n- **Interactive TUI + CLI**: Menu-driven setup or scriptable subcommands\n- **Systemd integration**: Service creation, lifecycle, and logs\n- **Auto-TLS**: Let's Encrypt via Caddy for NaiveProxy tunnels\n- **Self-update**: Version checking and binary replacement from GitHub releases\n- **Client sharing**: Generates `slipnet://` URIs for one-tap app import\n\n## Requirements\n\n- **OS**: Linux (Ubuntu 20.04+, Debian 10+, or similar)\n- **Domain**: DNS A record pointed at your server (required for DNS tunnels and NaiveProxy)\n- **Ports**: 53/udp (DNS tunnels), 443/tcp (NaiveProxy, StunTLS)\n\n## Quick Start\n\n**One-liner install:**\n\n```bash\ncurl -fsSL https://raw.githubusercontent.com/anonvector/slipgate/main/install.sh | sudo bash\n```\n\n**Or build from source:**\n\n```bash\ngit clone https://github.com/anonvector/slipgate.git\ncd slipgate\nmake build\nsudo ./slipgate install\n```\n\n**Offline install (SCP to server):**\n\nDownload the binaries you need from the [latest release](https://github.com/anonvector/slipgate/releases):\n\n```bash\n# On your local machine — download binaries\nmkdir slipgate-bundle \u0026\u0026 cd slipgate-bundle\ncurl -LO https://github.com/anonvector/slipgate/releases/latest/download/slipgate-linux-amd64\ncurl -LO https://github.com/anonvector/slipgate/releases/latest/download/dnstt-server-linux-amd64\ncurl -LO https://github.com/anonvector/slipgate/releases/latest/download/slipstream-server-linux-amd64\ncurl -LO https://github.com/anonvector/slipgate/releases/latest/download/caddy-naive-linux-amd64\n\n# SCP to server\nscp * user@server:/tmp/slipgate/\n\n# On the server\nchmod +x /tmp/slipgate/*\nsudo cp /tmp/slipgate/slipgate-linux-amd64 /usr/local/bin/slipgate\nsudo slipgate install --bin-dir /tmp/slipgate\n```\n\nThen launch the interactive menu:\n\n```bash\nsudo slipgate\n```\n\n## CLI Usage\n\n```\nslipgate # Interactive TUI menu\nslipgate install # Install dependencies and configure server\nslipgate uninstall # Remove all services, configs, and binaries\nslipgate update # Self-update and restart all services\nslipgate restart # Restart all services (DNS router, tunnels, SOCKS)\nslipgate users # Manage SSH/SOCKS users and view configs\nslipgate users add # Add a single user\nslipgate users bulk_add # Add multiple users in one batch (random creds, up to 500)\nslipgate users remove # Remove a user\nslipgate users list # List users and their per-tunnel configs\nslipgate stats # Live dashboard (CPU, RAM, traffic, connections, tunnels)\nslipgate diag # Run diagnostics (services, ports, keys, DNS, boot status)\nslipgate mtu [value] # Set MTU for all DNSTT/NoizDNS/VayDNS tunnels at once\n\n# Tunnel management\nslipgate tunnel add # Add tunnel(s) — supports multi-select and \"both\" backend\nslipgate tunnel edit [tag] # Edit tunnel settings (tag, MTU, keys)\nslipgate tunnel remove [tag] # Remove a tunnel\nslipgate tunnel remove --all # Remove all tunnels at once\nslipgate tunnel start [tag] # Start a tunnel\nslipgate tunnel stop [tag] # Stop a tunnel\nslipgate tunnel status # Show all tunnel statuses\nslipgate tunnel status [tag] # Show tunnel details (keys, MTU, port)\nslipgate tunnel share [tag] # Generate slipnet:// URI for clients\nslipgate tunnel logs [tag] # View tunnel logs\n\n# DNS routing\nslipgate router status # Show DNS routing config\nslipgate router mode # Switch between single/multi mode\nslipgate router switch # Change active tunnel (single mode)\n\n# Configuration\nslipgate config export # Export configuration\nslipgate config import # Import configuration\n\n# Internal (used by systemd services)\nslipgate dnsrouter serve # Start DNS router\nslipgate socks serve # Start built-in SOCKS5 proxy\nslipgate stuntls serve # Start StunTLS proxy\n```\n\n### Non-Interactive Examples\n\nAll commands support flags for scripting and automation. If any required flag is omitted, slipgate falls back to an interactive prompt.\n\n```bash\n# DNSTT tunnel\nsudo slipgate tunnel add \\\n --transport dnstt \\\n --backend socks \\\n --tag mydnstt \\\n --domain t.example.com\n\n# DNSTT tunnel with custom Curve25519 keys\nsudo slipgate tunnel add \\\n --transport dnstt \\\n --backend socks \\\n --tag mytunnel \\\n --domain t.example.com \\\n --private-key \u003c64-char-hex\u003e \\\n --public-key \u003c64-char-hex\u003e # optional, validated if provided\n\n# DNSTT with both backends (creates mydnstt-socks + mydnstt-ssh)\nsudo slipgate tunnel add \\\n --transport dnstt \\\n --backend both \\\n --tag mydnstt \\\n --domain t.example.com\n\n# VayDNS tunnel (KCP + Curve25519)\nsudo slipgate tunnel add \\\n --transport vaydns \\\n --backend socks \\\n --tag myvaydns \\\n --domain v.example.com\n\n# VayDNS with all tuning parameters\nsudo slipgate tunnel add \\\n --transport vaydns \\\n --backend both \\\n --tag myvaydns \\\n --domain v.example.com \\\n --record-type txt \\\n --idle-timeout 10s \\\n --keep-alive 2s \\\n --clientid-size 2 \\\n --queue-size 512\n\n# Slipstream tunnel\nsudo slipgate tunnel add \\\n --transport slipstream \\\n --backend ssh \\\n --tag myslip \\\n --domain s.example.com\n\n# NaiveProxy tunnel\nsudo slipgate tunnel add \\\n --transport naive \\\n --backend socks \\\n --tag myproxy \\\n --domain example.com \\\n --email admin@example.com \\\n --decoy-url https://www.wikipedia.org\n\n# StunTLS tunnel (SSH over TLS + WebSocket)\nsudo slipgate tunnel add \\\n --transport stuntls \\\n --tag mytls\n\n# External DNS routing (forward queries to a custom port)\nsudo slipgate tunnel add \\\n --transport external \\\n --tag my-proto \\\n --domain j.example.com \\\n --port 5301\n# Queries for j.example.com route to 127.0.0.1:5301\n\n# Direct SSH / SOCKS5 transports\nsudo slipgate tunnel add --transport direct-ssh --tag myssh\nsudo slipgate tunnel add --transport direct-socks5 --tag mysocks\n\n# Rename a tunnel\nsudo slipgate tunnel edit --tag mydnstt --new-tag my-tunnel\n\n# Change MTU on a DNSTT tunnel\nsudo slipgate tunnel edit --tag mydnstt --mtu 1232\n\n# Set MTU for all DNSTT/NoizDNS/VayDNS tunnels at once (rewrites and restarts each service)\nsudo slipgate mtu 1200\n\n# Tune VayDNS parameters\nsudo slipgate tunnel edit --tag myvaydns \\\n --mtu 1232 \\\n --record-type txt \\\n --idle-timeout 10s \\\n --keep-alive 2s \\\n --clientid-size 2 \\\n --queue-size 512\n\n# View tunnel details (keys, MTU, port, status)\nsudo slipgate tunnel status --tag mydnstt\n\n# Share tunnel config as slipnet:// URI\nsudo slipgate tunnel share mydnstt\n\n# Bulk-add SSH/SOCKS users (random passwords, up to 500 per call)\nsudo slipgate users bulk_add --count=50 --prefix=user\n# Creates user001..user050 with random passwords. A single SOCKS reload\n# and WARP rule sync runs for the whole batch.\n```\n\n## Architecture\n\n```\n ┌──────────────────┐\n │ SlipNet Client │\n │ │\n └────────┬─────────┘\n │\n DNS :53/udp ──────┼────── HTTPS/TLS :443/tcp\n │ │ │\n┌───────────────────┼───────────┼───────────┼──────────────────┐\n│ SERVER v │ v │\n│ │ │\n│ ┌────────────────────────┐ │ ┌───────────────────────┐ │\n│ │ DNS Router │ │ │ NaiveProxy │ │\n│ │ domain-based dispatch │ │ │ Caddy + Auto-TLS │ │\n│ │ single / multi mode │ │ │ + decoy website │ │\n│ │ + external routing │ │ └───────────┬───────────┘ │\n│ └──┬────────┬────────┬───┘ │ │ │\n│ │ │ │ │ ┌───────────────────────┐ │\n│ v v v │ │ StunTLS │ │\n│ ┌──────┐┌────────┐┌──────┐ │ │ SSH over TLS + WS │ │\n│ │DNSTT ││Slip- ││VayDNS│ │ │ self-signed cert │ │\n│ │NoizDN││stream ││ │ │ └───────────┬───────────┘ │\n│ │──────││────────││──────│ │ │ │\n│ │DNS ││QUIC ││KCP │ │ │ │\n│ │Curve ││TLS cert││Curve │ │ │ │\n│ │25519 ││ ││25519 │ │ │ │\n│ └──┬───┘└───┬────┘└──┬───┘ │ │ │\n│ └────────┼────────┘ │ │ │\n│ │ │ │ │\n│ v v v │\n│ ┌──────────────────────────────────────────────────────┐ │\n│ │ Backend Layer │ │\n│ │ │ │\n│ │ ┌──────────────────┐ ┌──────────────────────┐ │ │\n│ │ │ SOCKS5 Proxy │ │ SSH Forwarding │ │ │\n│ │ │ built-in Go │ │ port forwarding │ │ │\n│ │ │ :1080 │ │ :22 (configurable) │ │ │\n│ │ └────────┬─────────┘ └──────────┬───────────┘ │ │\n│ │ └─────────┬───────────────┘ │ │\n│ └──────────────────────┼───────────────────────────────┘ │\n│ v │\n│ ┌──────────────────────┐ │\n│ │ WARP (optional) │ │\n│ │ Cloudflare outbound │ │\n│ └──────────┬───────────┘ │\n│ v │\n│ Internet │\n└──────────────────────────────────────────────────────────────┘\n\n systemd: slipgate-dnsrouter, slipgate-socks5, slipgate-{tag}\n```\n\n### Transport Types\n\n| Transport | Protocol | Port | Description |\n|-----------|----------|------|-------------|\n| **DNSTT/NoizDNS** | DNS | 53/udp | Curve25519 encrypted DNS tunnel. A single server serves both DNSTT and NoizDNS clients. NoizDNS adds DPI evasion with base36/hex encoding and CDN prefix stripping |\n| **Slipstream** | QUIC DNS | 53/udp | QUIC-based tunnel with certificate authentication |\n| **VayDNS** | KCP DNS | 53/udp | KCP-based DNS tunnel with Curve25519 encryption. Supports configurable idle timeout, keepalive, queue size, and multiple DNS record types |\n| **NaiveProxy** | HTTPS | 443/tcp | Caddy with forwardproxy plugin. Auto-TLS via Let's Encrypt. Probe-resistant with decoy site |\n| **StunTLS** | TLS/WSS | 443/tcp | SSH over TLS + WebSocket proxy. Auto-detects WebSocket, HTTP CONNECT, raw TLS, and payload (DPI bypass) modes. Self-signed TLS cert, no domain required |\n| **External** | DNS | 53/udp | Routes DNS queries for a domain to a user-specified UDP port. No managed service — use for custom/private protocol testing |\n\n### Domain Layout\n\nEach DNS tunnel instance requires its own subdomain. When using both SOCKS and SSH backends, the install auto-generates subdomains by appending `s` to the SSH variant:\n\n| Tunnel | Domain | Backend |\n|--------|--------|---------|\n| dnstt-socks | `t.example.com` | SOCKS5 |\n| dnstt-ssh | `ts.example.com` | SSH |\n| slipstream-socks | `s.example.com` | SOCKS5 |\n| slipstream-ssh | `ss.example.com` | SSH |\n| vaydns-socks | `v.example.com` | SOCKS5 |\n| vaydns-ssh | `vs.example.com` | SSH |\n| naive-socks | `example.com` | SOCKS5 (shared domain) |\n| naive-ssh | `example.com` | SSH (shared domain) |\n\nNaiveProxy tunnels share a domain since they use HTTPS (port 443), not DNS. DNSTT and NoizDNS also share a domain — the same server handles both client types.\n\n**Required DNS records** (for the example above):\n\n```\nA ns.example.com → \u003cserver IP\u003e\nNS t.example.com → ns.example.com\nNS ts.example.com → ns.example.com\nNS s.example.com → ns.example.com\nNS ss.example.com → ns.example.com\nNS v.example.com → ns.example.com\nNS vs.example.com → ns.example.com\nA example.com → \u003cserver IP\u003e\n```\n\n### Routing Modes\n\n- **Single mode**: One active tunnel runs; DNS router on port 53 forwards to it\n- **Multi mode**: All tunnels run on local ports; DNS router on port 53 dispatches queries by domain. Auto-enabled when multiple DNS tunnels are created.\n\n## Client Configuration\n\nAfter creating a tunnel, generate a shareable config:\n\n```bash\nsudo slipgate tunnel share mytunnel\n```\n\nThis outputs a `slipnet://` URI that can be scanned or imported into the SlipNet Android app. For DNSTT tunnels, you'll be asked to choose between a DNSTT or NoizDNS client profile — both connect to the same server, but NoizDNS profiles enable DPI evasion on the client side.\n\n### User Model\n\nUsers are **global**, not scoped to specific tunnels or transports. `slipgate users add` only asks for a username and password — the protocol is a property of the tunnel, chosen at `tunnel add` time. Every user can authenticate against every tunnel using the same credentials, and `slipgate users list` prints one config block per (user × tunnel) pair. The client picks which tunnel to use by importing the matching `slipnet://` URI.\n\n## File Locations\n\n| Path | Description |\n|------|-------------|\n| `/etc/slipgate/config.json` | Main configuration |\n| `/etc/slipgate/tunnels/` | Per-tunnel keys, certs, and configs |\n| `/usr/local/bin/slipgate` | SlipGate binary (includes built-in SOCKS5 proxy) |\n| `/usr/local/bin/dnstt-server` | DNSTT transport binary |\n| `/usr/local/bin/slipstream-server` | Slipstream transport binary |\n| `/usr/local/bin/vaydns-server` | VayDNS transport binary |\n| `/usr/local/bin/caddy-naive` | Caddy with NaiveProxy plugin |\n\n## Building\n\n```bash\nmake build # Build for current platform\nmake build-linux # Cross-compile for linux/amd64 and linux/arm64\nmake test # Run tests\nmake release # Build release binaries\n```\n\n## Credits\n\nBuilt on top of [dnstm](https://github.com/net2share/dnstm) and [vaydns](https://github.com/net2share/vaydns) by [net2share](https://github.com/net2share). WARP integration inspired by [dnstun-ezpz](https://github.com/aleskxyz/dnstun-ezpz).\n\n## License\n\nAGPL-3.0\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fanonvector%2Fslipgate","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fanonvector%2Fslipgate","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fanonvector%2Fslipgate/lists"}