[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-1741":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":13,"stars7d":16,"stars30d":17,"stars90d":15,"forks30d":15,"starsTrendScore":18,"compositeScore":19,"rankGlobal":10,"rankLanguage":10,"license":20,"archived":21,"fork":21,"defaultBranch":22,"hasWiki":21,"hasPages":21,"topics":23,"createdAt":10,"pushedAt":10,"updatedAt":24,"readmeContent":25,"aiSummary":26,"trendingCount":15,"starSnapshotCount":15,"syncStatus":27,"lastSyncTime":28,"discoverSource":29},1741,"Turnable","TheAirBlow\u002FTurnable","TheAirBlow","VPN core for stealthy tunneling through TURN or via SFU","",null,"Go",252,6,3,0,13,69,18,2.54,"GNU General Public License v2.0",false,"main",[],"2026-06-12 02:00:32","# Turnable  ·  [🇷🇺 RU](README_RU.md)\nTurnable is a VPN core that tunnels TCP\u002FUDP traffic through [TURN](https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FTraversal_Using_Relays_around_NAT) relay servers or via [SFU](https:\u002F\u002Fbloggeek.me\u002Fwebrtcglossary\u002Fsfu\u002F) provided by platforms like VKontakte. Traffic mimics legitimate WebRTC media and is encrypted, multiplexed, and spread across multiple peer connections. The entire codebase is modular and can be freely extended to add new features or support more platforms.\n\n---\n\n## Features\n1. Future-proof modular architecture\n2. Full support for both TCP and UDP sockets\n3. Tunneling through multiple peer connections to bypass ratelimits\n4. Multiplexing to allow establishing multiple route connections\n5. End-to-end encryption - forced for handshake, optional for data\n6. Convenient user and route management with proper authentication\n7. Overall more stable and less hacky implementation than others\n\n---\n\n## How it works\nThere are two methods of establishing a tunnel with a remote server that Turnable supports. Both of them allow to establish multiple TCP\u002FUDP connections via multiplexing, with traffic being spread through multiple peer connections to bypass platform ratelimits.\n\n\u003Cdetails>\n\u003Csummary>Relay - tunnel via TURN with an intermediate\u003C\u002Fsummary>\n\nThe client allocates a relay address on the platform's TURN server, connects to the Turnable server, and from there it forwards traffic to the configured destination. Simple and stable, but is usually heavily throttled and can be detected.\n\n```mermaid\nsequenceDiagram\n participant App as Source\n participant TC as Turnable Client\n participant TURN as TURN Server\n participant TS as Turnable Server\n participant Dest as Destination\n\n TC->>TURN: Join call, allocate relay endpoint\n Note over TC,TS: Dedicated tunnel established\n\n loop Traffic\n App->>TC: TCP\u002FUDP data\n TC->>TS: Relay\n TS->>Dest: Forwarded data\n Dest-->>TS: TCP\u002FUDP data\n TS->>TC: Relay\n TC-->>App: Forwarded data\n end\n```\n\u003C\u002Fdetails>\n\n\u003Cdetails>\n\u003Csummary>Direct Relay - direct tunnel via TURN\u003C\u002Fsummary>\n\nThe client allocates a relay address on the platform's TURN server and connects to the destination server directly. Does not require a Turnable server. **⚠️ Not recommended and is dangerous to use.**\n\n```mermaid\nsequenceDiagram\n participant App as Source\n participant TC as Turnable Client\n participant TURN as TURN Server\n participant Dest as Destination\n\n TC->>TURN: Join call, allocate relay endpoint\n Note over TC,Dest: Dedicated tunnel established\n\n loop Traffic\n App->>TC: TCP\u002FUDP data\n TC->>Dest: Forwarded data\n Dest-->>TC: TCP\u002FUDP data\n TC-->>App: Forwarded data\n end\n```\n\n\u003C\u002Fdetails>\n\n\u003Cdetails>\n\u003Csummary>P2P - fake screencast via SFU ⚠️ WIP\u003C\u002Fsummary>\n\nThe client and server communicate through the platform's SFU, disguising all traffic as a screencast stream.\n\n```mermaid\nsequenceDiagram\n participant App as Source\n participant TC as Turnable Client\n participant SFU as SFU (VK)\n participant TSM as Server - Main Peer\n participant TSD as Server - Dedicated Peer\n participant Dest as Destination\n\n TC->>SFU: Join call, locate server main peer SSRC by username\n TC->>SFU: SDP response with main peer SSRC + start fake screencast\n TSM-->>TC: ready ack\n\n TC->>TSM: auth\n TSM-->>TC: auth ack + dedicated peer SSRC\n\n TC->>SFU: SDP response with dedicated peer SSRC\n TSD->>SFU: SDP response with client peer SSRC\n Note over TC,TSD: Dedicated tunnel established\n\n loop Traffic\n App->>TC: TCP\u002FUDP data\n TC->>TSD: Relay\n TSD->>Dest: Forwarded data\n Dest-->>TSD: TCP\u002FUDP data\n TSD->>TC: Relay\n TC-->>App: Forwarded data\n end\n```\n\n\u003C\u002Fdetails>\n\n---\n\n## Building\nPre-built binaries are available on the [releases page](https:\u002F\u002Fgithub.com\u002FTheAirBlow\u002FTurnable\u002Freleases). Pick the correct file for your OS and architecture.\n\nIf you would like to compile it yourself, run this command on the target machine:\n```bash\ngo build -o turnable .\u002Fcmd\n```\n\nCheck out the [ci.yml](https:\u002F\u002Fgithub.com\u002FTheAirBlow\u002FTurnable\u002Fblob\u002Fmain\u002F.github\u002Fworkflows\u002Fci.yml) workflow for cross-compilation.\n\n---\n\n## Setup\n\n\u003Cdetails>\n\u003Csummary>Turnable Server\u003C\u002Fsummary>\n\nTurnable provides end-to-end encryption, user and route management for your convenience. You need a VPS with a public IP and an internet connection, on which you are able to open ports freely. Keep in mind that Turnable is just a tunnel - you still need to set up a VPN\u002FProxy server. It is recommended that you use [WireGuard](https:\u002F\u002Fwww.wireguard.com\u002Fquickstart\u002F).\n\n#### 1. Generate a key pair\n```bash\n.\u002Fturnable config keygen\n# priv_key=whH\u002FS\u002FGPFJ37zGv8n...\n# pub_key=BWEx0ygunbFJFCrIN...\n```\n\n#### 2. Write `config.json`\n```json\n{\n \"platform_id\": \"vk.com\",\n \"call_id\": \"...\",\n \"priv_key\": \"...\",\n \"pub_key\": \"...\",\n \"relay\": {\n \"enabled\": true,\n \"proto\": \"dtls\",\n \"cloak\": \"none\",\n \"public_ip\": \"...\",\n \"port\": 56000\n },\n \"p2p\": {\n \"enabled\": false,\n \"username\": \"...\",\n \"cloak\": \"none\"\n },\n \"provider\": {\n \"type\": \"json\",\n \"path\": \"store.json\"\n }\n}\n```\n\n| Field | Description |\n|------------------------|-------------------------------------------------------------|\n| `platform_id` | Platform to use for signaling (see [Platforms](#platforms)) |\n| `call_id` | Platform specific call or meeting ID |\n| `priv_key` \u002F `pub_key` | Key pair for end-to-end encryption |\n| `relay.enabled` | Relay mode enabled flag |\n| `relay.proto` | Transport protocol (`dtls` \u002F `srtp` \u002F `none`) |\n| `relay.cloak` | Traffic obfuscation method (`none` for now) |\n| `relay.public_ip` | Public IP address of this server |\n| `relay.port` | UDP port for the DTLS\u002FSRTP listener |\n| `p2p.enabled` | P2P mode enabled flag **⚠️ WIP** |\n| `p2p.username` | Username to use in the call for P2P mode |\n| `p2p.cloak` | Traffic obfuscation method for P2P mode |\n| `provider.type` | User and Route provider type (`json`\u002F`raw`) |\n| `provider.path` | JSON file path relative to working directory (`json`) |\n\n#### 3. Write `store.json`\n```json\n{\n \"routes\": [\n {\n \"id\": \"https\",\n \"address\": \"127.0.0.1\",\n \"port\": 443,\n \"socket\": \"tcp\",\n \"transport\": \"kcp\",\n \"encryption\": \"handshake\",\n \"name\": \"My HTTPS Server\"\n }\n ],\n \"users\": [\n {\n \"uuid\": \"...\",\n \"allowed_routes\": [\"https\"],\n \"username\": \"user123\",\n \"type\": \"relay\",\n \"peers\": 10\n }\n ]\n}\n```\n\n| Field | Description |\n|----------------------------|--------------------------------------------------------------------------|\n| `routes[].id` | Unique route identifier |\n| `routes[].address` | Destination address to forward traffic to |\n| `routes[].port` | Destination port |\n| `routes[].socket` | Socket type (`tcp` \u002F `udp`) |\n| `routes[].transport` | Transport layer - use `kcp` for TCP, `none` for UDP |\n| `routes[].encryption` | Encryption mode (`handshake` \u002F `full`, defaults to `handshake`) |\n| `routes[].name` | Human-readable display name for this route |\n| `routes[].conn` | Connection type override (optional, uses user's type if not set) |\n| `users[].uuid` | Unique user identifier ([generate here](https:\u002F\u002Fwww.uuidgenerator.net\u002F)) |\n| `users[].allowed_routes` | List of route IDs this user is permitted to access |\n| `users[].username` | Username to use in the call |\n| `users[].type` | Connection type (`relay` \u002F `p2p`) |\n| `users[].peers` | Number of peer connections to establish |\n| `users[].forceturn` | Force TURN in P2P mode (optional) |\n\n> [!WARNING]\n> Do not share the user UUID willy-nilly, as it is used for authentication!\n\n#### 4. Start the server\n```bash\n.\u002Fturnable server\n```\n\n```\nFlags:\n -c, --config string server config JSON file path (default \"config.json\")\n -s, --store string server user\u002Froute store JSON file path (default \"store.json\")\n -V, --verbose enable verbose debug logging\n```\n\n#### 5. Generate client config\n```bash\n.\u002Fturnable config generate \u003Cuser-uuid> \u003Croute-id1> [route-id2 ...]\n# turnable:\u002F\u002Fuuid:call@vk.com\u002Froute?pub_key=...\n```\n\n```\nFlags:\n -c, --config string server config JSON file path (default \"config.json\")\n -j, --json output config in json format\n```\n\nProduced config URL or JSON is the only thing you need to provide to your users.\n\n\u003C\u002Fdetails>\n\n\u003Cdetails>\n\u003Csummary>Turnable Client\u003C\u002Fsummary>\n\nSetting up a Turnable client is almost effortless. Keep in mind that Turnable is just a tunnel - you still need to set up a VPN\u002FProxy client. It is recommended that you use [WireGuard](https:\u002F\u002Fwww.wireguard.com\u002Fquickstart\u002F). To set it up on Android, follow [this guide](docs\u002Fclient\u002FANDROID.md).\n\n#### 1. Obtain a client config\n##### 1.1. With intermediary\nAsk a Turnable server operator for a client config.\n\n##### 1.2. Direct relay\nIf you would like to, you can directly connect to a remote UDP server if you do not care about stability, fast recovery, muxing, encryption, user management or anything that a Turnable server provides. **⚠️ Not recommended and is dangerous to use.**\n\n```bash\n.\u002Fturnable config direct \u003Cplatform-id> \u003Ccall-id> \u003Cusername> \u003Cgateway-addr> -n [peers]\n# turnable:\u002F\u002FINSECURE-DIRECT-RELAY:call@vk.com\u002F?username=...&type=direct&...\n```\n\n```\nFlags:\n -n, --peers int how many peer connections to use (default 1)\n -j, --json output config in json format\n```\n\n#### 2. Start the client\n```bash\n.\u002Fturnable client -l 127.0.0.1:1080 [config-url]\n```\n\n```\nFlags:\n -c, --config string client config JSON file path (default \"config.json\")\n -l, --listen string local TCP\u002FUDP listen address (ip:port) (default \"127.0.0.1:0\")\n -i, --no-interactive disable interactive mode\n -V, --verbose enable verbose debug logging\n```\n\nYou can either specify a path to the JSON file, or the configuration URL.\n\n#### 3. Point your app at the local address\nConfigure your proxy\u002FVPN client application to use `127.0.0.1:1080` (or whatever address you chose)\n\n\u003C\u002Fdetails>\n\n---\n\n## Reference\n### Platforms\n| ID | Description |\n|----------|-------------------------------------------------------------------------------------------------------------------------|\n| `vk.com` | Authenticates anonymously through [VKontakte](https:\u002F\u002Fvk.com) and joins a meeting. [Usage guide](docs\u002Fplatforms\u002FVK.md). |\n\n### Connection types\n| Type | Description |\n|----------|------------------------------------------------------------------------------------------------------------------------------------------------|\n| `relay` | Tunnels traffic through the platform's TURN server to the Turnable server gateway. |\n| `direct` | Tunnels traffic through the platform's TURN server directly to the destination server gateway. **⚠️ Not recommended and is dangerous to use.** |\n| `p2p` | Hides traffic inside fake screencasts routed through the platform's SFU. Requires SRTP and enabled Cloak. **⚠️ WIP** |\n\n### Protocols\n| Protocol | Description |\n|----------|---------------------------------------------------------------------|\n| `none` | No protocol at all. **⚠️ Not recommended and is dangerous to use.** |\n| `dtls` | Raw DTLS. Simple but detectable. Only supported in `relay` mode. |\n| `srtp` | DTLS+SRTP. Mimics real media traffic. Forced in `p2p` mode. |\n\n### Transports\n| Transport | Description |\n|-----------|--------------------------------------------------------------------------------------------------------------------------------------------------|\n| `none` | No transport protocol at all. Only use for UDP routes. |\n| `kcp` | [KCP](https:\u002F\u002Fgithub.com\u002Fxtaci\u002Fkcp-go) - reliable and stable ordered stream over UDP. Recommended for TCP routes. |\n| `sctp` | [SCTP](https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FStream_Control_Transmission_Protocol) - good enough, but not really ideal for our usecase. Not recommended. |\n\n### Encryption modes\n| Mode | Description |\n|-------------|-------------------------------------------------------------|\n| `handshake` | Encrypts only the initial handshake. Faster, less overhead. |\n| `full` | Encrypts all traffic end-to-end. |\n\n---\n\n## Missing features\n- Built-in WireGuard \u002F SOCKS5 server and client\n- Traffic obfuscation (cloak) implementations\n- Database user and route management\n- P2P connection type (via SFU)\n- Android app\n\n---\n\n## Credits\n- [vk-turn-proxy](https:\u002F\u002Fgithub.com\u002Fcacggghp\u002Fvk-turn-proxy) - original project, on which Turnable is partially based on.\n\n---\n\n## License\n[GNU General Public License v2.0](https:\u002F\u002Fgithub.com\u002FTheAirBlow\u002FTurnable\u002Fblob\u002Fmain\u002FLICENCE)\n","Turnable 是一个用于通过TURN中继服务器或SFU平台(如VKontakte)进行隐蔽隧道传输的VPN核心。它支持TCP和UDP流量,能够模仿合法的WebRTC媒体流,并对数据进行加密、多路复用并通过多个对等连接分发以绕过速率限制。项目采用模块化架构设计,便于扩展新功能和支持更多平台。适用于需要规避网络审查或速率限制的场景,如在特定地区访问受限内容时使用。其稳定性和安全性优于同类解决方案。",2,"2026-06-11 02:45:44","CREATED_QUERY"]