{"id":49890946,"url":"https://github.com/ospab/ostp","last_synced_at":"2026-05-30T01:06:23.448Z","repository":{"id":357909296,"uuid":"1239086025","full_name":"ospab/ostp","owner":"ospab","description":"Next-generation stealth transport protocol in Rust for bypassing DPI, featuring 0-RTT resumption and advanced congestion control.","archived":false,"fork":false,"pushed_at":"2026-05-28T10:19:04.000Z","size":64697,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-05-28T11:15:48.168Z","etag":null,"topics":["0-rtt","bbr","dpi-bypass","networking","noise-protocol","privacy","proxy","rust","rust-lang","security","stealth","tokio","udp","vpn"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ospab.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-14T18:43:19.000Z","updated_at":"2026-05-28T10:19:08.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/ospab/ostp","commit_stats":null,"previous_names":["ospab/ostp"],"tags_count":136,"template":false,"template_full_name":null,"purl":"pkg:github/ospab/ostp","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ospab%2Fostp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ospab%2Fostp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ospab%2Fostp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ospab%2Fostp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ospab","download_url":"https://codeload.github.com/ospab/ostp/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ospab%2Fostp/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33676215,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-29T02:00:06.066Z","response_time":107,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["0-rtt","bbr","dpi-bypass","networking","noise-protocol","privacy","proxy","rust","rust-lang","security","stealth","tokio","udp","vpn"],"created_at":"2026-05-15T21:00:53.002Z","updated_at":"2026-05-30T01:06:23.442Z","avatar_url":"https://github.com/ospab.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# OSTP — Ospab Stealth Transport Protocol\n\n[Русский язык](README.ru.md) · [Wiki](https://github.com/ospab/ostp/wiki) · [Contributing](CONTRIBUTING.md) · [Releases](https://github.com/ospab/ostp/releases)\n\n![GitHub Release](https://img.shields.io/github/v/release/ospab/ostp?style=flat-square\u0026color=blue)\n![License: BSL 1.1](https://img.shields.io/badge/License-BSL%201.1-orange.svg?style=flat-square)\n![Platform: Windows | Linux | macOS | Android](https://img.shields.io/badge/Platform-Windows%20%7C%20Linux%20%7C%20macOS%20%7C%20Android-green.svg?style=flat-square)\n![Crypto](https://img.shields.io/badge/Crypto-Noise__NNpsk0-blueviolet?style=flat-square)\n![Transport](https://img.shields.io/badge/Transport-UDP%20ARQ-informational?style=flat-square)\n\n**OSTP** is a high-performance, censorship-resistant transport protocol designed to tunnel TCP traffic over UDP with full traffic obfuscation. Every byte on the wire — including packet headers — is cryptographically indistinguishable from random noise. Resistant to Deep Packet Inspection (DPI), active probing, and statistical traffic analysis.\n\n---\n\n## Quick Install\n\n### Linux\n```bash\nbash \u003c(curl -Ls https://raw.githubusercontent.com/ospab/ostp/master/scripts/install.sh)\n```\n\n### Windows (PowerShell, run as Administrator)\n```powershell\nirm https://raw.githubusercontent.com/ospab/ostp/master/scripts/install.ps1 | iex\n```\n\n### Manual Download\nDownload pre-built binaries for your platform from [GitHub Releases](https://github.com/ospab/ostp/releases).\n\n---\n\n## Key Features\n\n| Feature | Description |\n|---------|-------------|\n| **Full Traffic Obfuscation** | Every packet — including headers — is indistinguishable from random noise. Session IDs and nonces are masked with per-packet HMAC-derived keys. |\n| **Noise Protocol Handshake** | `Noise_NNpsk0_25519_ChaChaPoly_BLAKE2s` — PSK-authenticated, forward-secret key exchange with no static identity exposure. |\n| **Reliable UDP (ARQ)** | Selective ACK/NACK with rate-limited retransmission, configurable reorder buffer, and exponential backoff. |\n| **Multiplexed Streams** | Multiple logical TCP streams over a single encrypted UDP session with per-stream flow control. |\n| **Seamless Roaming** | Clients can switch networks (WiFi ↔ LTE) without session interruption — tracked by session-ID, not IP. |\n| **Management API** | Built-in REST API for third-party panels (3x-ui, custom dashboards). Per-user stats, traffic limits, key CRUD. |\n| **Fallback Server** | TCP fallback proxy to a web server — makes OSTP indistinguishable from nginx during active probing. |\n| **Multi-Listener** | Bind to multiple addresses simultaneously (dual-stack IPv4/IPv6, multi-port). |\n| **TUN Mode** | Full-system VPN via `tun2socks` integration. All traffic transparently routed through the tunnel. |\n| **xHTTP Stealth (UoT)** | UDP-over-TCP tunnel disguised as standard HTTP/1.1 or TLS traffic to bypass Level 1 Deep Packet Inspection (DPI) whitelists. |\n| **XTLS-Reality** | Custom, dependency-free implementation of the Reality protocol using ChaCha20Poly1305 and X25519 for perfect TLS 1.3 impersonation. |\n| **TURN Relay** | RFC 5766 TURN support for environments where direct UDP is blocked. |\n| **Hot-Reload** | Runtime config reload without restart (access keys, exclusions, mux settings). |\n| **Structured Logging** | `tracing`-based logging with `RUST_LOG` filtering. JSON/file/syslog output support. |\n| **Cross-Platform** | Windows, Linux, macOS, Android, FreeBSD, MIPS, RISC-V. Single binary, no runtime dependencies. |\n\n---\n\n## Architecture\n\n```\n┌─────────────────────────────────────────────────────────────┐\n│  Client                                                     │\n│  ┌──────────┐   ┌──────────┐   ┌────────────────────────┐   │\n│  │ Browser  │──▸│ SOCKS5/  │──▸│    Bridge (Mux)        │   │\n│  │ / Apps   │   │ HTTP     │   │  ┌─────────────────┐   │   │\n│  │          │   │ Proxy    │   │  │ ProtocolMachine │   │   │\n│  └──────────┘   └──────────┘   │  │ (Noise + AEAD)  │   │   │\n│                                │  └────────┬────────┘   │   │\n│  ┌──────────┐                  │           │            │   │\n│  │ TUN Mode │──────────────────┤      UDP Socket        │   │\n│  │tun2socks │                  │  (32MB buffers,        │   │\n│  └──────────┘                  │   obfuscated wire)     │   │\n│                                └───────────┬────────────┘   │\n└────────────────────────────────────────────┼────────────────┘\n                                             │ UDP\n┌────────────────────────────────────────────┼────────────────┐\n│  Server                                    │                │\n│  ┌─────────────────────────────────────────┴───────────┐    │\n│  │              Dispatcher                             │    │\n│  │  (Session lookup, roaming, replay guard, per-user   │    │\n│  │   traffic accounting, limit enforcement)            │    │\n│  └──┬──────────────────────┬───────────────────────────┘    │\n│     │                      │                                │\n│  ┌──▾──────────────────┐ ┌─▾──────────────────────────┐     │\n│  │ Relay Loop          │ │ Management API (REST)      │     │\n│  │ (per-stream TCP)    │ │ /api/users, /api/stats     │     │\n│  │ ──▸ Internet        │ │ Bearer token auth          │     │\n│  └─────────────────────┘ └────────────────────────────┘     │\n│                                                             │\n│  ┌──────────────────────────────────────────────────────┐   │\n│  │ Fallback TCP Proxy ──▸ nginx/caddy (anti-DPI)        │   │\n│  └──────────────────────────────────────────────────────┘   │\n└─────────────────────────────────────────────────────────────┘\n```\n\n---\n\n## Quick Start\n\n### 1. Generate config\n\n```bash\n# On your VPS (server):\n./ostp --init server\n\n# On your machine (client):\n./ostp --init client\n```\n\n### 2. Edit config\n\n**Server** — set your access keys:\n```jsonc\n{\n  \"mode\": \"server\",\n  \"listen\": \"0.0.0.0:50000\",\n  \"access_keys\": [\"YOUR_SECRET_KEY\"],\n  \"api\": { \"enabled\": true, \"bind\": \"127.0.0.1:9090\", \"token\": \"admin-token\" },\n  \"fallback\": { \"enabled\": false, \"listen\": \"0.0.0.0:443\", \"target\": \"127.0.0.1:8080\" }\n}\n```\n\n**Client** — point to your server:\n```jsonc\n{\n  \"mode\": \"client\",\n  \"server\": \"YOUR_SERVER_IP:50000\",\n  \"access_key\": \"YOUR_SECRET_KEY\",\n  \"socks5_bind\": \"127.0.0.1:1088\",\n  \"transport\": { \"mode\": \"udp\", \"stealth_sni\": \"vk.com\", \"stealth_port\": 443 },\n  \"tun\": { \"enable\": false, \"dns\": \"1.1.1.1\" }\n}\n```\n\n### 3. Run\n\n```bash\n./ostp                        # Uses config.json in current directory\n./ostp --config /path/to.json # Custom config path\n./ostp --check                # Validate config without running\n./ostp --generate-key         # Generate a new access key\n./ostp --links                # Print client share links\n```\n\n### 4. Connect via share link (one-liner)\n```bash\n./ostp \"ostp://ACCESS_KEY@server.com:50000?...\"\n```\n\u003e **Note**: Always wrap the `ostp://...` link in quotes (`\"`) so your terminal doesn't misinterpret special characters like `\u0026` or `?`.\n\n---\n\n## Management API\n\nBuilt-in REST API for building panels and dashboards.\n\n```bash\n# Server status\ncurl -H \"Authorization: Bearer mytoken\" http://127.0.0.1:9090/api/server/status\n\n# List all users with traffic stats  \ncurl -H \"Authorization: Bearer mytoken\" http://127.0.0.1:9090/api/users\n\n# Create a user with 10GB traffic limit\ncurl -X POST -H \"Authorization: Bearer mytoken\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"limit_bytes\": 10737418240}' \\\n  http://127.0.0.1:9090/api/users\n```\n\nFull API reference: [Management API](https://github.com/ospab/ostp/wiki/Management-API)\n\n---\n\n## CLI Reference\n\n```\nostp [OPTIONS] [URL]\n\nOptions:\n  --config \u003cPATH\u003e        Config file path (default: config.json)\n  --init \u003cMODE\u003e          Generate template config (server/client)\n  --check                Validate configuration and exit\n  -g, --generate-key     Generate a secure access key\n  -c, --count \u003cN\u003e        Number of keys to generate (default: 1)\n  --format \u003cFMT\u003e         Key format: hex, base64 (default: hex)\n  --links                Print client share links from server config\n\nArguments:\n  [URL]                  Connect via share link: ostp://KEY@HOST:PORT\n```\n\n---\n\n## Protocol Summary\n\n| Layer | Mechanism |\n|-------|-----------|\n| XTLS-Reality | Spoofed TLS 1.3 ClientHello, X25519 Key Exchange, ChaCha20-Poly1305 AEAD |\n| Key Exchange | Noise NNpsk0 (X25519 + ChaChaPoly + BLAKE2s) |\n| Encryption | ChaCha20-Poly1305 AEAD per-packet |\n| Header Obfuscation | HMAC-SHA256 derived per-packet mask |\n| Reliability | Selective ACK with cumulative + SACK ranges |\n| Retransmission | Rate-limited NACK + exponential backoff RTO |\n| Keepalive | Ping/Pong with RTT measurement every 5s |\n\n---\n\n## Building from Source\n\n```bash\n# Prerequisites: Rust 1.75+\ncargo build --release\n\n# Cross-compile for Linux\ncross build --release --target x86_64-unknown-linux-gnu\n\n# Run tests\ncargo test -p ostp-core -p ostp-server\n```\n\n---\n\n## Documentation\n\n- **[Wiki](https://github.com/ospab/ostp/wiki)** — Full documentation\n- [Installation](https://github.com/ospab/ostp/wiki/Installation)\n- [Configuration Reference](https://github.com/ospab/ostp/wiki/Configuration)\n- [Management API](https://github.com/ospab/ostp/wiki/Management-API)\n- [Protocol Design](https://github.com/ospab/ostp/wiki/Protocol-Design)\n- [Building from Source](https://github.com/ospab/ostp/wiki/Building-from-Source)\n- [FAQ](https://github.com/ospab/ostp/wiki/FAQ)\n\n---\n\n## License\n\nBusiness Source License 1.1. Free for personal and non-commercial use.  \nConverts to MIT License on May 14, 2030.\n\n---\n\n## Contact\n\n- **Telegram**: [@ospab0](https://t.me/ospab0)\n- **Email**: gvoprgrg@gmail.com\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fospab%2Fostp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fospab%2Fostp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fospab%2Fostp/lists"}