**Ombrac** is a high-performance, secure TCP-over-QUIC tunnel implemented in Rust.
## Features
- **Secure**: Native TLS encryption built into the QUIC layer
- **High Performance**: Low-latency multiplexing via QUIC bidirectional streams
- **Versatile**: Supports SOCKS5, HTTP/HTTPS, and TUN device modes
- **Zero-RTT**: Supports 0-RTT and 0.5-RTT for near-instant connections
## Installation
The easiest way to get started is to download the latest pre-compiled binary from the [Releases Page](https://github.com/ombrac/ombrac/releases).
### Get Started
- **Homebrew**: `brew tap ombrac/tap && brew install ombrac`
- **Docker**: `docker pull ghcr.io/ombrac/ombrac/ombrac-server:latest`
- **Cargo**: `cargo install ombrac-client ombrac-server --features binary`
Client (`ombrac-client`) options:

```text
Options:
  -c, --config         Path to the JSON configuration file
  -h, --help           Print help
  -V, --version        Print version

Required:
  -k, --secret         Protocol Secret
  -s, --server         Address of the server to connect to

Protocol:
  --auth-option        Extended parameter of the protocol, used for authentication related information

Endpoint:
  --http               The address to bind for the HTTP/HTTPS server
  --socks              The address to bind for the SOCKS server
  --tun-fd             Use a pre-existing TUN device by providing its file descriptor; `tun_ipv4`, `tun_ipv6`, and `tun_mtu` will be ignored
  --tun-ipv4           The IPv4 address and subnet for the TUN device, in CIDR notation
  --tun-ipv6           The IPv6 address and subnet for the TUN device, in CIDR notation
  --tun-mtu            The Maximum Transmission Unit (MTU) for the TUN device. [default: 1500]
  --fake-dns           The IPv4 address pool for the built-in fake DNS server, in CIDR notation. [default: 198.18.0.0/16]
  --disable-udp-443    Disable UDP traffic to port 443 [possible values: true, false]

Transport:
  --bind               The address to bind for transport
  --server-name        Name of the server to connect (derived from `server` if not provided)
  --tls-mode           Set the TLS mode for the connection [possible values: tls, m-tls, insecure]
  --ca-cert            Path to the Certificate Authority (CA) certificate file in 'TLS' mode, if not provided, the system's default root certificates are used
  --client-cert        Path to the client's TLS certificate for mTLS
  --client-key         Path to the client's TLS private key for mTLS
  --zero-rtt           Enable 0-RTT for faster connection establishment [possible values: true, false]
  --alpn-protocols     Application-Layer protocol negotiation (ALPN) protocols [default: h3]
  --congestion         Congestion control algorithm to use (e.g. bbr, cubic, newreno) [default: bbr]
  --cwnd-init          Initial congestion window size in bytes
  --idle-timeout
```
Server (`ombrac-server`) options:

```text
Options:
  -c, --config         Path to the JSON configuration file
  -h, --help           Print help
  -V, --version        Print version

Required:
  -k, --secret         Protocol Secret
  -l, --listen         Address to bind the server

Transport:
  --tls-mode           Set the TLS mode for the connection [possible values: tls, m-tls, insecure]
  --ca-cert            Path to the Certificate Authority (CA) certificate file in 'TLS' mode, if not provided, the system's default root certificates are used
  --tls-cert           Path to the server's TLS certificate
  --tls-key            Path to the server's TLS private key
  --zero-rtt           Enable 0-RTT for faster connection establishment [possible values: true, false]
  --alpn-protocols     Application-Layer protocol negotiation (ALPN) protocols [default: h3]
  --congestion         Congestion control algorithm to use (e.g. bbr, cubic, newreno) [default: bbr]
  --cwnd-init          Initial congestion window size in bytes
  --idle-timeout       Maximum idle time (in milliseconds) before closing the connection [default: 30000]
  --keep-alive         Keep-alive interval (in milliseconds) [default: 8000]
  --max-streams        Maximum number of bidirectional streams that can be open simultaneously [default: 1000]
```
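
The check below is an added example, not code from the Ombrac project: a shell function that lints the arguments intended for `ombrac-client` before launch, using the flag names from the client help text above. It assumes `--tls-mode insecure` means the server certificate is not verified; the function name `ombrac_preflight` is hypothetical.

```shell
#!/bin/sh
# Added example, not part of Ombrac: lint the arguments meant for ombrac-client.
# Flag names are taken from the client help text. Assumption: `--tls-mode insecure`
# means the server certificate is not verified.
# Usage: ombrac_preflight "$@" && exec ombrac-client "$@"
ombrac_preflight() (
    tls_mode="" client_cert="" client_key="" zero_rtt="" secret_on_argv=no
    prev="" rc=0
    for arg in "$@"; do
        # Accept both "--flag value" and "--flag=value".
        case "$arg" in
            --*=*) flag=${arg%%=*}; value=${arg#*=} ;;
            *)     flag=$prev;      value=$arg ;;
        esac
        case "$flag" in
            --tls-mode)    tls_mode=$value ;;
            --client-cert) client_cert=$value ;;
            --client-key)  client_key=$value ;;
            --zero-rtt)    zero_rtt=$value ;;
            -k|--secret)   secret_on_argv=yes ;;
        esac
        prev=$arg
    done

    # Hard failures: the tunnel would run without the authentication asked for.
    if [ "$tls_mode" = insecure ]; then
        echo "ERROR: --tls-mode insecure: server certificate is not verified (assumed meaning)" >&2
        rc=1
    fi
    if [ "$tls_mode" = m-tls ] && { [ -z "$client_cert" ] || [ -z "$client_key" ]; }; then
        echo "ERROR: m-tls needs both --client-cert and --client-key" >&2
        rc=1
    fi

    # Warnings: valid settings that carry a known trade-off.
    if [ "$zero_rtt" = true ]; then
        echo "WARN: 0-RTT early data is not replay-protected" >&2
    fi
    if [ "$secret_on_argv" = yes ]; then
        echo "WARN: secret passed on the command line is visible in the process list" >&2
    fi
    exit "$rc"
)
```

The function exits non-zero only for the two hard failures; the 0-RTT and command-line secret findings are printed as warnings on stderr.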