{"id":13413616,"url":"https://github.com/xtaci/kcptun","last_synced_at":"2025-05-12T16:19:08.418Z","repository":{"id":39623284,"uuid":"52595226","full_name":"xtaci/kcptun","owner":"xtaci","description":"A Quantum-Safe Secure Tunnel based on QPP, KCP, FEC, and N:M multiplexing.","archived":false,"fork":false,"pushed_at":"2025-05-09T02:24:01.000Z","size":9514,"stargazers_count":14124,"open_issues_count":130,"forks_count":2556,"subscribers_count":574,"default_branch":"master","last_synced_at":"2025-05-12T16:18:51.300Z","etag":null,"topics":["forward-error-correction","multiplex-networks","network-acceleration","quantum-permutation-pad","quantum-resistant-cryptosystems","reed-solomon-codes","reliable-udp","secure-tunnel","shannon-coding"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/xtaci.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2016-02-26T09:54:46.000Z","updated_at":"2025-05-12T15:42:07.000Z","dependencies_parsed_at":"2023-12-21T18:02:36.562Z","dependency_job_id":"611ec8ea-075f-4f5d-b94b-f369c00ab3cd","html_url":"https://github.com/xtaci/kcptun","commit_stats":{"total_commits":437,"total_committers":20,"mean_commits":21.85,"dds":0.08924485125858128,"last_synced_commit":"a9225382a8966e49ec80815bdf9a0a0bffc3e3c5"},"previous_names":[],"tags_count":135,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xtaci%2Fkcptun","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xt
aci%2Fkcptun/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xtaci%2Fkcptun/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xtaci%2Fkcptun/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/xtaci","download_url":"https://codeload.github.com/xtaci/kcptun/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253774593,"owners_count":21962199,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["forward-error-correction","multiplex-networks","network-acceleration","quantum-permutation-pad","quantum-resistant-cryptosystems","reed-solomon-codes","reliable-udp","secure-tunnel","shannon-coding"],"created_at":"2024-07-30T20:01:44.618Z","updated_at":"2025-05-12T16:19:08.397Z","avatar_url":"https://github.com/xtaci.png","language":"Go","readme":"# \u003cimg src=\"assets/logo.png\" alt=\"kcptun\" height=\"54px\" /\u003e \n\n[![Release][13]][14] [![Powered][17]][18] [![MIT licensed][11]][12] [![Build Status][3]][4] [![Go Report Card][5]][6] [![Downloads][15]][16] [![Docker][1]][2] \n\n[1]: https://img.shields.io/docker/pulls/xtaci/kcptun\n[2]: https://hub.docker.com/r/xtaci/kcptun\n[3]: https://img.shields.io/github/created-at/xtaci/kcptun\n[4]: https://img.shields.io/github/created-at/xtaci/kcptun\n[5]: https://goreportcard.com/badge/github.com/xtaci/kcptun\n[6]: https://goreportcard.com/report/github.com/xtaci/kcptun\n[11]: https://img.shields.io/github/license/xtaci/kcptun\n[12]: LICENSE.md\n[13]: 
https://img.shields.io/github/v/release/xtaci/kcptun?color=orange\n[14]: https://github.com/xtaci/kcptun/releases/latest\n[15]: https://img.shields.io/github/downloads/xtaci/kcptun/total.svg?maxAge=1800\u0026color=orange\n[16]: https://github.com/xtaci/kcptun/releases\n[17]: https://img.shields.io/badge/KCP-Powered-blue.svg\n[18]: https://github.com/skywind3000/kcp\n\n\u003cimg src=\"assets/kcptun.png\" alt=\"kcptun\" height=\"300px\"/\u003e\n\n\u003e *Disclaimer: kcptun maintains a single website — [github.com/xtaci/kcptun](https://github.com/xtaci/kcptun). Any websites other than [github.com/xtaci/kcptun](https://github.com/xtaci/kcptun) are not endorsed by xtaci.*\n\n### Requirements\n\n| Target | Minimum | Recommended |\n| --- | --- | --- |\n| System | aix darwin dragonfly freebsd linux netbsd openbsd solaris windows | linux |\n| Memory | \u003e20MB | \u003e32MB |\n| CPU | ANY | amd64 with AES-NI \u0026 AVX2 |\n\n*NOTE: if you are using KVM, make sure the guest OS can execute AES instructions.*\n\u003cimg src=\"https://github.com/xtaci/kcptun/assets/2346725/9358e8e5-2a4a-4be9-9859-62f1aaa553b0\" alt=\"cpuinfo\" height=\"400px\"/\u003e\n\n### QuickStart\n\nDownload:\n\n`curl -L  https://raw.githubusercontent.com/xtaci/kcptun/master/download.sh | sh`\n\nIncrease the number of open files on your server, as:\n\n`ulimit -n 65535`, or write it in `~/.bashrc`.\n\nSuggested `sysctl.conf` parameters for better handling of UDP packets:\n\n```\n# BDP - bandwidth delay product\nnet.core.rmem_max=26214400\nnet.core.rmem_default=26214400\nnet.core.wmem_max=26214400\nnet.core.wmem_default=26214400\n# proportional to -rcvwnd\nnet.core.netdev_max_backlog=2048\n```\n\nYou can also increase the per-socket buffer (default 4MB) by adding the parameter:\n```\n-sockbuf 16777217\n```\nFor **slow processors**, increasing this buffer is **CRITICAL** to receive packets properly.\n\nDownload the build matching your platform from the precompiled [Releases](https://github.com/xtaci/kcptun/releases).\n\n```\nKCP 
Client: ./client_darwin_amd64 -r \"KCP_SERVER_IP:4000\" -l \":8388\" -mode fast3 -nocomp -autoexpire 900 -sockbuf 16777217 -dscp 46\nKCP Server: ./server_linux_amd64 -t \"TARGET_IP:8388\" -l \":4000\" -mode fast3 -nocomp -sockbuf 16777217 -dscp 46\n```\nThe above commands establish a port-forwarding channel for 8388/tcp as:\n\n\u003e Application -\u003e **KCP Client(8388/tcp) -\u003e KCP Server(4000/udp)** -\u003e Target Server(8388/tcp) \n\nwhich tunnels the original connection:\n\n\u003e Application -\u003e Target Server(8388/tcp) \n\n### Build from source\n\n```\n$ git clone https://github.com/xtaci/kcptun.git\n$ cd kcptun\n$ ./build-release.sh\n$ cd build\n```\n\nAll precompiled releases are generated by the `build-release.sh` script.\n\n### Performance\n\n\u003cimg src=\"assets/fast.png\" alt=\"fast.com\" height=\"256px\" /\u003e  \n\n![bandwidth](assets/bw.png)\n\n![flame](assets/flame.png)\n\n\u003e Practical bandwidth graph with parameters:  -mode fast3 -ds 10 -ps 3\n\n\n\n### Basic Tuning Guide\n\n#### Improving Throughput\n\n\u003e **Q: I have a high-speed network link. How can I maximize bandwidth?**\n\n\u003e **A:** Increase `-rcvwnd` on the KCP Client and `-sndwnd` on the KCP Server **simultaneously and gradually**. The minimum of these values determines the maximum transfer rate of the link, as `wnd * mtu / rtt`. Then, try downloading something to see if it meets your requirements. (The MTU is adjustable with `-mtu`.)\n\n#### Improving Latency\n\n\u003e **Q: I'm using kcptun for gaming and want to avoid any lag.**\n\n\u003e **A:** Lag often indicates packet loss. You can reduce lag by changing the `-mode` parameter. \n\n\u003e For example: `-mode fast3`\n\n\u003e Aggressiveness/Responsiveness on retransmission for embedded modes:\n\n\u003e *fast3 \u003e fast2 \u003e fast \u003e normal \u003e default*\n\n#### Head-of-Line Blocking (HOLB)\n\nSince streams are multiplexed into a single physical channel, head-of-line blocking may occur. 
Increasing `-smuxbuf` to a larger value (default is 4MB) may mitigate this problem, though it will use more memory.\n\nFor versions \u003e= v20190924, you can switch to smux version 2. Smux v2 has options to limit per-stream memory usage. Set `-smuxver 2` to enable smux v2, and adjust `-streambuf` to limit per-stream memory usage. For example: `-streambuf 2097152` limits per-stream memory usage to 2MB. Limiting the stream buffer on the receiver side applies back-pressure to the sender, preventing the sender from overwhelming the buffer along the link. (The `-smuxver` setting **MUST** be **IDENTICAL** on both sides, the default is 1.)\n\n#### Slow Devices\n\nkcptun uses **Reed-Solomon Codes** to recover lost packets, which requires substantial computation. Low-end ARM devices may not perform well with kcptun. For optimal performance, a multi-core x86 home server CPU like AMD Opteron is recommended. If you must use ARM routers, it's best to disable `FEC` and use `salsa20` as the encryption method.\n\n### Expert Tuning Guide\n\n#### Overview\n\n\u003cp align=\"left\"\u003e\u003cimg src=\"assets/layeredparams.png\" alt=\"params\" height=\"450px\"/\u003e\u003c/p\u003e\n\n#### Usage\n\n```\n\u003e ./client_freebsd_amd64 -h\nNAME:\n   kcptun - client(with SMUX)\n\nUSAGE:\n   client_freebsd_amd64 [global options] command [command options] [arguments...]\n\nVERSION:\n   20240729\n\nCOMMANDS:\n   help, h  Shows a list of commands or help for one command\n\nGLOBAL OPTIONS:\n   --localaddr value, -l value      local listen address (default: \":12948\")\n   --remoteaddr value, -r value     kcp server address, eg: \"IP:29900\" a for single port, \"IP:minport-maxport\" for port range (default: \"vps:29900\")\n   --key value                      pre-shared secret between client and server (default: \"it's a secrect\") [$KCPTUN_KEY]\n   --crypt value                    aes, aes-128, aes-192, salsa20, blowfish, twofish, cast5, 3des, tea, xtea, xor, sm4, none, null (default: 
\"aes\")\n   --mode value                     profiles: fast3, fast2, fast, normal, manual (default: \"fast\")\n   --QPP                            enable Quantum Permutation Pads(QPP)\n   --QPPCount value                 the prime number of pads to use for QPP: The more pads you use, the more secure the encryption. Each pad requires 256 bytes. (default: 61)\n   --conn value                     set num of UDP connections to server (default: 1)\n   --autoexpire value               set auto expiration time(in seconds) for a single UDP connection, 0 to disable (default: 0)\n   --scavengettl value              set how long an expired connection can live (in seconds) (default: 600)\n   --mtu value                      set maximum transmission unit for UDP packets (default: 1350)\n   --sndwnd value                   set send window size(num of packets) (default: 128)\n   --rcvwnd value                   set receive window size(num of packets) (default: 512)\n   --datashard value, --ds value    set reed-solomon erasure coding - datashard (default: 10)\n   --parityshard value, --ps value  set reed-solomon erasure coding - parityshard (default: 3)\n   --dscp value                     set DSCP(6bit) (default: 0)\n   --nocomp                         disable compression\n   --sockbuf value                  per-socket buffer in bytes (default: 4194304)\n   --smuxver value                  specify smux version, available 1,2 (default: 1)\n   --smuxbuf value                  the overall de-mux buffer in bytes (default: 4194304)\n   --streambuf value                per stream receive buffer in bytes, smux v2+ (default: 2097152)\n   --keepalive value                seconds between heartbeats (default: 10)\n   --snmplog value                  collect snmp to file, aware of timeformat in golang, like: ./snmp-20060102.log\n   --snmpperiod value               snmp collect period, in seconds (default: 60)\n   --log value                      specify a log file to output, default goes to 
stderr\n   --quiet                          to suppress the 'stream open/close' messages\n   --tcp                            to emulate a TCP connection(linux)\n   -c value                         config from json file, which will override the command from shell\n   --pprof                          start profiling server on :6060\n   --help, -h                       show help\n   --version, -v                    print the version\n   \n\u003e ./server_freebsd_amd64 -h\nNAME:\n   kcptun - server(with SMUX)\n\nUSAGE:\n   server_freebsd_amd64 [global options] command [command options] [arguments...]\n\nVERSION:\n   20240729\n\nCOMMANDS:\n   help, h  Shows a list of commands or help for one command\n\nGLOBAL OPTIONS:\n   --listen value, -l value         kcp server listen address, eg: \"IP:29900\" for a single port, \"IP:minport-maxport\" for port range (default: \":29900\")\n   --target value, -t value         target server address, or path/to/unix_socket (default: \"127.0.0.1:12948\")\n   --key value                      pre-shared secret between client and server (default: \"it's a secrect\") [$KCPTUN_KEY]\n   --crypt value                    aes, aes-128, aes-192, salsa20, blowfish, twofish, cast5, 3des, tea, xtea, xor, sm4, none, null (default: \"aes\")\n   --QPP                            enable Quantum Permutation Pads(QPP)\n   --QPPCount value                 the prime number of pads to use for QPP: The more pads you use, the more secure the encryption. Each pad requires 256 bytes. 
(default: 61)\n   --mode value                     profiles: fast3, fast2, fast, normal, manual (default: \"fast\")\n   --mtu value                      set maximum transmission unit for UDP packets (default: 1350)\n   --sndwnd value                   set send window size(num of packets) (default: 1024)\n   --rcvwnd value                   set receive window size(num of packets) (default: 1024)\n   --datashard value, --ds value    set reed-solomon erasure coding - datashard (default: 10)\n   --parityshard value, --ps value  set reed-solomon erasure coding - parityshard (default: 3)\n   --dscp value                     set DSCP(6bit) (default: 0)\n   --nocomp                         disable compression\n   --sockbuf value                  per-socket buffer in bytes (default: 4194304)\n   --smuxver value                  specify smux version, available 1,2 (default: 1)\n   --smuxbuf value                  the overall de-mux buffer in bytes (default: 4194304)\n   --streambuf value                per stream receive buffer in bytes, smux v2+ (default: 2097152)\n   --keepalive value                seconds between heartbeats (default: 10)\n   --snmplog value                  collect snmp to file, aware of timeformat in golang, like: ./snmp-20060102.log\n   --snmpperiod value               snmp collect period, in seconds (default: 60)\n   --pprof                          start profiling server on :6060\n   --log value                      specify a log file to output, default goes to stderr\n   --quiet                          to suppress the 'stream open/close' messages\n   --tcp                            to emulate a TCP connection(linux)\n   -c value                         config from json file, which will override the command from shell\n   --help, -h                       show help\n   --version, -v                    print the version\n```\n\n#### Multiport Dialer\n\nkcptun supports multi-port dialer like below:\n\n```\nclient: --remoteaddr 
IP:minport-maxport\nserver: --listen IP:minport-maxport\n\neg:\nclient: --remoteaddr IP:3000-4000\nserver: --listen 0.0.0.0:3000-4000\n```\nBy specifying a port range, kcptun will automatically switch to the next random port within that range when establishing each new connection.\n\n\n#### Forward Error Correction\n\nIn coding theory, the [Reed–Solomon code](https://en.wikipedia.org/wiki/Reed%E2%80%93Solomon_error_correction) belongs to the class of non-binary cyclic error-correcting codes. The Reed–Solomon code is based on univariate polynomials over finite fields.\n\nIt is able to detect and correct multiple symbol errors. By adding t check symbols to the data, a Reed–Solomon code can detect any combination of up to t erroneous symbols, or correct up to ⌊t/2⌋ symbols. As an erasure code, it can correct up to t known erasures, or it can detect and correct combinations of errors and erasures. Furthermore, Reed–Solomon codes are suitable as multiple-burst bit-error correcting codes, since a sequence of b + 1 consecutive bit errors can affect at most two symbols of size b. The choice of t is up to the designer of the code, and may be selected within wide limits.\n\n![FEC](assets/FEC.png)\n\n#### DSCP\n\nDifferentiated services or DiffServ is a computer networking architecture that specifies a simple, scalable and coarse-grained mechanism for classifying and managing network traffic and providing quality of service (QoS) on modern IP networks. DiffServ can, for example, be used to provide low latency to critical network traffic such as voice or streaming media while providing simple best-effort service to non-critical services such as web traffic or file transfers.\n\nDiffServ uses a 6-bit differentiated services code point (DSCP) in the 8-bit differentiated services field (DS field) in the IP header for packet classification purposes. 
The DS field and ECN field replace the outdated IPv4 TOS field.\n\nSet the value on each side with ```-dscp value```. Here are some [Commonly used DSCP values](https://en.wikipedia.org/wiki/Differentiated_services#Commonly_used_DSCP_values).\n\n#### Cryptanalysis\n\nkcptun ships with built-in packet encryption powered by various block encryption algorithms working in [Cipher Feedback Mode](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher_Feedback_(CFB)). For each packet to be sent, the encryption process starts by encrypting a [nonce](https://en.wikipedia.org/wiki/Cryptographic_nonce) taken from the [system entropy](https://en.wikipedia.org/wiki//dev/random), so encrypting the same plaintext never yields the same ciphertext.\n\nWith encryption, the packets are completely opaque, including the headers (FEC, KCP), checksums and contents. Note that no matter which encryption method you choose on your upper layer, if you disable encryption by passing `-crypt none` to kcptun, the transmission is insecure: the header is ***PLAINTEXT*** to everyone and is therefore susceptible to header tampering, such as altering the *sliding window size*, *round-trip time*, *FEC property* and *checksums*. ```aes-128``` is the suggested minimum encryption, since modern CPUs ship with [AES-NI](https://en.wikipedia.org/wiki/AES_instruction_set) instructions and it performs even better than `salsa20` (check the table below).\n\nOther possible attacks on kcptun include: a) [traffic analysis](https://en.wikipedia.org/wiki/Traffic_analysis): the dataflow of specific websites may show patterns while exchanging data. This type of eavesdropping has been mitigated by adopting [smux](https://github.com/xtaci/smux) to mix data streams and so introduce noise. A perfect solution has not appeared yet; theoretically, shuffling/mixing messages on a larger-scale network may mitigate this problem.  
b) [replay attack](https://en.wikipedia.org/wiki/Replay_attack): since asymmetric encryption has not been introduced into kcptun for some reason, capturing the packets and replaying them on a different machine is possible (note: hijacking the session and decrypting the contents is still *impossible*). Upper layers should therefore contain an asymmetric encryption system that guarantees the authenticity of each message (so that each message is processed exactly once), such as HTTPS/OpenSSL/LibreSSL; only signing the requests with private keys can eliminate this type of attack. \n\nImportant: \n1. `-crypt` and `-key` must be the same on both KCP Client \u0026 KCP Server.\n2. `-crypt xor` is also insecure and vulnerable to [known-plaintext attack](https://en.wikipedia.org/wiki/Known-plaintext_attack); do not use it unless you know what you are doing. (*cryptanalysis note: any type of [counter mode](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Counter_(CTR)) is insecure in packet encryption because the shortened counter period leads to IV/nonce collisions*)\n\nBenchmarks for crypto algorithms supported by kcptun:\n\n```\nBenchmarkSM4-4                 \t   50000\t     32087 ns/op\t  93.49 MB/s\t       0 B/op\t       0 allocs/op\nBenchmarkAES128-4              \t  500000\t      3274 ns/op\t 916.15 MB/s\t       0 B/op\t       0 allocs/op\nBenchmarkAES192-4              \t  500000\t      3587 ns/op\t 836.34 MB/s\t       0 B/op\t       0 allocs/op\nBenchmarkAES256-4              \t  300000\t      3828 ns/op\t 783.60 MB/s\t       0 B/op\t       0 allocs/op\nBenchmarkTEA-4                 \t  100000\t     15359 ns/op\t 195.32 MB/s\t       0 B/op\t       0 allocs/op\nBenchmarkXOR-4                 \t20000000\t        90.2 ns/op\t33249.02 MB/s\t       0 B/op\t       0 allocs/op\nBenchmarkBlowfish-4            \t   50000\t     26885 ns/op\t 111.58 MB/s\t       0 B/op\t       0 allocs/op\nBenchmarkNone-4                \t30000000\t        45.8 ns/op\t65557.11 MB/s\t       0 
B/op\t       0 allocs/op\nBenchmarkCast5-4               \t   50000\t     34370 ns/op\t  87.29 MB/s\t       0 B/op\t       0 allocs/op\nBenchmark3DES-4                \t   10000\t    117893 ns/op\t  25.45 MB/s\t       0 B/op\t       0 allocs/op\nBenchmarkTwofish-4             \t   50000\t     33477 ns/op\t  89.61 MB/s\t       0 B/op\t       0 allocs/op\nBenchmarkXTEA-4                \t   30000\t     45825 ns/op\t  65.47 MB/s\t       0 B/op\t       0 allocs/op\nBenchmarkSalsa20-4             \t  500000\t      3282 ns/op\t 913.90 MB/s\t       0 B/op\t       0 allocs/op\n```\n\nBenchmark result from openssl\n\n```\n$ openssl speed -evp aes-128-cfb\nDoing aes-128-cfb for 3s on 16 size blocks: 157794127 aes-128-cfb's in 2.98s\nDoing aes-128-cfb for 3s on 64 size blocks: 39614018 aes-128-cfb's in 2.98s\nDoing aes-128-cfb for 3s on 256 size blocks: 9971090 aes-128-cfb's in 2.99s\nDoing aes-128-cfb for 3s on 1024 size blocks: 2510877 aes-128-cfb's in 2.99s\nDoing aes-128-cfb for 3s on 8192 size blocks: 310865 aes-128-cfb's in 2.98s\nOpenSSL 1.0.2p  14 Aug 2018\nbuilt on: reproducible build, date unspecified\noptions:bn(64,64) rc4(ptr,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)\ncompiler: clang -I. -I.. 
-I../include  -fPIC -fno-common -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch x86_64 -O3 -DL_ENDIAN -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM\nThe 'numbers' are in 1000s of bytes per second processed.\ntype             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes\naes-128-cfb     847216.79k   850770.86k   853712.05k   859912.39k   854565.80k\n```\n\nThe encryption performance in kcptun is as fast as in the openssl library (if not faster).\n\n#### Quantum Resistance\nQuantum Resistance, also known as quantum-secure, post-quantum, or quantum-safe cryptography, refers to cryptographic algorithms that can withstand potential code-breaking attempts by quantum computers.\nAfter v20240701, kcptun adopts [QPP](https://github.com/xtaci/qpp), based on [Kuang's Quantum Permutation Pad](https://epjquantumtechnology.springeropen.com/articles/10.1140/epjqt/s40507-022-00145-y), for quantum-resistant communication.\n![da824f7919f70dd1dfa3be9d2302e4e0](https://github.com/xtaci/kcptun/assets/2346725/7894f5e3-6134-4582-a9fe-e78494d2e417)\n\nTo enable QPP in kcptun, you need to set: \n```\n   --QPP                enable Quantum Permutation Pads(QPP)\n   --QPPCount value     the prime number of pads to use for QPP: The more pads you use, the more secure the encryption. Each pad requires 256 bytes. (default: 61)\n```\nYou could also specify\n```json\n     \"qpp\":true,\n     \"qpp-count\":61,\n```\nin your client and server side json file. These 2 parameters must be identical on both sides.\n\n1. To achieve **Effective Quantum-Resistance**, specify at least **211** bytes in the `-key` parameter and ensure `-QPPCount` is no less than **7**.\n2. 
Make sure `-QPPCount` is **COPRIME** to **8** (or simply set it to a **PRIME** number), like: \n```101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151, 157, 163, 167, 173, 179, 181, 191, 193, 197, 199... ```\n\n#### Memory Control\n\nRouters and mobile devices are sensitive to memory consumption; setting the GOGC environment variable (eg: GOGC=20) makes the garbage collector recycle faster.\nReference: https://blog.golang.org/go15gc\n\nPrimary memory allocation is done from a global buffer pool *xmit.Buf* in kcp-go. When some bytes need to be allocated, they are taken from that pool, which returns a *fixed-capacity* buffer of 1500 bytes (mtuLimit). The *rx queue*, *tx queue* and *fec queue* all get their bytes from there and return them to the pool after use, to prevent *unnecessary zeroing* of bytes. \nThe pool mechanism maintains a *high watermark* for slice objects: these *in-flight* objects from the pool survive periodic garbage collection, while the pool keeps the ability to return memory to the runtime when idle. The parameters `-sndwnd`, `-rcvwnd`, `-ds` and `-ps` affect this *high watermark*; the larger the values, the bigger the memory consumption will be.\n\n`-smuxbuf` also affects the maximum memory consumption. This parameter maintains a subtle balance between *concurrency* and *resource*: you can increase this value (default 4MB) to boost concurrency if you have many clients to serve and a powerful server, or decrease it to serve only 1 or 2 clients when the program has to run on an embedded SoC system with limited memory that only you can access. (Notice that the `-smuxbuf` value is not proportional to concurrency; you need to test.)\n\n\n#### Compression\n\nkcptun has builtin snappy algorithms for compressing streams:\n\n\u003e Snappy is a compression/decompression library. 
It does not aim for maximum\n\u003e compression, or compatibility with any other compression library; instead,\n\u003e it aims for very high speeds and reasonable compression. For instance,\n\u003e compared to the fastest mode of zlib, Snappy is an order of magnitude faster\n\u003e for most inputs, but the resulting compressed files are anywhere from 20% to\n\u003e 100% bigger.\n\n\u003e Reference: http://google.github.io/snappy/\n\nCompression may save bandwidth for **PLAINTEXT** data. It is quite useful in specific scenarios such as cross-datacenter replication: compressing the redo logs of a DBMS or Kafka-like message queues before transferring the data streams across the continent can be much faster.\n\nCompression is enabled by default; you can disable it by setting ```-nocomp``` on **BOTH** KCP Client \u0026 KCP Server (the setting **MUST** be **IDENTICAL**).\n\n#### SNMP\n\n```go\ntype Snmp struct {\n    BytesSent        uint64 // bytes sent from upper level\n    BytesReceived    uint64 // bytes received to upper level\n    MaxConn          uint64 // max number of connections ever reached\n    ActiveOpens      uint64 // accumulated active open connections\n    PassiveOpens     uint64 // accumulated passive open connections\n    CurrEstab        uint64 // current number of established connections\n    InErrs           uint64 // UDP read errors reported from net.PacketConn\n    InCsumErrors     uint64 // checksum errors from CRC32\n    KCPInErrors      uint64 // packet input errors reported from KCP\n    InPkts           uint64 // incoming packets count\n    OutPkts          uint64 // outgoing packets count\n    InSegs           uint64 // incoming KCP segments\n    OutSegs          uint64 // outgoing KCP segments\n    InBytes          uint64 // UDP bytes received\n    OutBytes         uint64 // UDP bytes sent\n    RetransSegs      uint64 // accumulated retransmitted segments\n    FastRetransSegs  uint64 // accumulated fast retransmitted segments\n    EarlyRetransSegs uint64 // 
accumulated early retransmitted segments\n    LostSegs         uint64 // number of segs inferred as lost\n    RepeatSegs       uint64 // number of segs duplicated\n    FECRecovered     uint64 // correct packets recovered from FEC\n    FECErrs          uint64 // incorrect packets recovered from FEC\n    FECParityShards  uint64 // FEC segments received\n    FECShortShards   uint64 // number of data shards that's not enough for recovery\n}\n```\n\nSending a `SIGUSR1` signal to KCP Client or KCP Server will dump SNMP information to console, just like `/proc/net/snmp`. You can use this information to do fine-grained tuning.\n\n### Manual Control\n\nhttps://github.com/skywind3000/kcp/blob/master/README.en.md#protocol-configuration\n\n`-mode manual -nodelay 1 -interval 20 -resend 2 -nc 1`\n\nLow-level KCP configuration can be altered by using manual mode as above. Make sure you really **UNDERSTAND** what these settings mean before making **ANY** manual settings.\n\n\n### Identical parameters\n\nThese parameters **MUST** be **IDENTICAL** on **BOTH** sides:\n\n1. -key\n1. -crypt\n1. -nocomp\n1. -smuxver\n\n### References\n\n1. https://github.com/skywind3000/kcp -- KCP - A Fast and Reliable ARQ Protocol.\n1. https://github.com/xtaci/kcp-go/ -- A Production-Grade Reliable-UDP Library for golang\n1. https://github.com/klauspost/reedsolomon -- Reed-Solomon Erasure Coding in Go.\n1. https://en.wikipedia.org/wiki/Differentiated_services -- DSCP.\n1. http://google.github.io/snappy/ -- A fast compressor/decompressor.\n1. https://www.backblaze.com/blog/reed-solomon/ -- Reed-Solomon Explained.\n1. http://www.qualcomm.cn/products/raptorq -- RaptorQ Forward Error Correction Scheme for Object Delivery.\n1. https://en.wikipedia.org/wiki/PBKDF2 -- Key stretching.\n1. http://blog.appcanary.com/2016/encrypt-or-compress.html -- Should you encrypt or compress first?\n1. https://github.com/hashicorp/yamux -- Connection multiplexing library.\n1. 
https://tools.ietf.org/html/rfc6937 -- Proportional Rate Reduction for TCP.\n1. https://tools.ietf.org/html/rfc5827 -- Early Retransmit for TCP and Stream Control Transmission Protocol (SCTP).\n1. http://http2.github.io/ -- What is HTTP/2?\n1. http://www.lartc.org/ -- Linux Advanced Routing \u0026 Traffic Control\n1. https://en.wikipedia.org/wiki/Noisy-channel_coding_theorem -- Noisy channel coding theorem\n1. https://zhuanlan.zhihu.com/p/53849089 -- kcptun development notes\n\n\n(Note: I do not have any social media accounts; beware of scammers.)\n","funding_links":[],"categories":["Networking","网络相关库","Go","网络","Golang","Web Development","\u003ca id=\"01e6651181d405ecdcd92a452989e7e0\"\u003e\u003c/a\u003e工具","HarmonyOS","其他_安全与渗透","others","Relational Databases","Go (531)","網絡","\u003cspan id=\"网络-networking\"\u003e网络 Networking\u003c/span\u003e","Others"],"sub_categories":["Transliteration","暂未分类","音译","Strings","C++/C Toolkit","\u003ca id=\"ea4dfcd8f33ec1852180c6283b2c8516\"\u003e\u003c/a\u003e未分类","Windows Manager","网络服务_其他","交流","Uncategorized","Advanced Console UIs","高级控制台界面","高級控制台界面","\u003cspan id=\"高级控制台用户界面-advanced-console-uis\"\u003e高级控制台用户界面 Advanced Console UIs\u003c/span\u003e","暂未分类这些库被放在这里是因为其他类别似乎都不适合。"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxtaci%2Fkcptun","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fxtaci%2Fkcptun","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxtaci%2Fkcptun/lists"}