[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-73328":3},{"id":4,"name":5,"fullName":6,"owner":5,"repo":5,"description":7,"homepage":8,"htmlUrl":9,"language":10,"languages":9,"totalLinesOfCode":9,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":16,"stars7d":17,"stars30d":18,"stars90d":15,"forks30d":15,"starsTrendScore":19,"compositeScore":20,"rankGlobal":9,"rankLanguage":9,"license":21,"archived":22,"fork":22,"defaultBranch":23,"hasWiki":22,"hasPages":22,"topics":24,"createdAt":9,"pushedAt":9,"updatedAt":27,"readmeContent":28,"aiSummary":29,"trendingCount":15,"starSnapshotCount":15,"syncStatus":30,"lastSyncTime":31,"discoverSource":32},73328,"TrustTunnel","TrustTunnel\u002FTrustTunnel","Modern, fast and obfuscated VPN protocol","https:\u002F\u002Ftrusttunnel.org\u002F",null,"Rust",3271,211,21,35,0,29,52,426,87,108.98,"Apache License 2.0",false,"master",[25,26],"trusttunnel","vpn","2026-06-12 04:01:09","\u003C!-- markdownlint-disable MD041 -->\n\u003Cp align=\"center\">\n\u003Cpicture>\n\u003Csource media=\"(prefers-color-scheme: dark)\" srcset=\"https:\u002F\u002Fcdn.adguardcdn.com\u002Fwebsite\u002Fgithub.com\u002FTrustTunnel\u002Flogo_dark.svg\" width=\"300px\" alt=\"TrustTunnel\" \u002F>\n\u003Cimg src=\"https:\u002F\u002Fcdn.adguardcdn.com\u002Fwebsite\u002Fgithub.com\u002FTrustTunnel\u002Flogo_light.svg\" width=\"300px\" alt=\"TrustTunnel\" \u002F>\n\u003C\u002Fpicture>\n\u003C\u002Fp>\n\n\u003Cp align=\"center\">\u003Ca href=\"#clients\">Clients\u003C\u002Fa>\n  · \u003Ca href=\"https:\u002F\u002Fagrd.io\u002Fios_trusttunnel\">App store\u003C\u002Fa>\n  · \u003Ca href=\"https:\u002F\u002Fagrd.io\u002Fandroid_trusttunnel\">Play store\u003C\u002Fa>\n\u003C\u002Fp>\n\n---\n\n## Table of Contents\n\n- [Introduction](#introduction)\n- [Server Features](#server-features)\n- [Client Features](#client-features)\n- [Quick start](#quick-start)\n    - [Endpoint setup](#endpoint-setup)\n  
      - [Install the endpoint](#install-the-endpoint)\n        - [Updating the endpoint](#updating-the-endpoint)\n        - [Endpoint configuration wizard](#endpoint-configuration-wizard)\n        - [Let's Encrypt certificate lifecycle](#lets-encrypt-certificate-lifecycle)\n        - [Running endpoint](#running-endpoint)\n        - [Export client configuration](#export-client-configuration)\n    - [Client setup](#client-setup)\n        - [Install the client](#install-the-client)\n        - [Updating the client](#updating-the-client)\n        - [Client configuration wizard](#client-configuration-wizard)\n        - [Running client](#running-client)\n- [Clients](#clients)\n- [See also](#see-also)\n- [Roadmap](#roadmap)\n- [License](#license)\n\n---\n\n## Introduction\n\nTrustTunnel is a modern, open-source VPN protocol originally developed by\n[AdGuard VPN][adguard-vpn] and now available for anyone to use and audit.\n\nIt delivers fast, secure, and reliable VPN connections without the usual trade-offs.\nBy design, TrustTunnel traffic is indistinguishable from regular HTTPS traffic,\nallowing it to bypass throttling and deep-packet inspection while maintaining\nstrong privacy protections.\n\nThe TrustTunnel project includes the VPN endpoint (this repository), the\n[library and CLI for the client][trusttunnel-client],\nand the [GUI application][trusttunnel-flutter-client].\n\n[adguard-vpn]: https:\u002F\u002Fadguard-vpn.com\n[trusttunnel-client]: https:\u002F\u002Fgithub.com\u002FTrustTunnel\u002FTrustTunnelClient\n[trusttunnel-flutter-client]: https:\u002F\u002Fgithub.com\u002FTrustTunnel\u002FTrustTunnelFlutterClient\n[app-store]: https:\u002F\u002Fagrd.io\u002Fios_trusttunnel\n[play-store]: https:\u002F\u002Fagrd.io\u002Fandroid_trusttunnel\n\n## Server Features\n\n- **VPN Protocol**: The library implements the VPN protocol compatible\n  with HTTP\u002F1.1, HTTP\u002F2, and QUIC. 
By mimicking regular network traffic, it\n  becomes impossible to detect and block.\n\n- **Flexible Traffic Tunneling**: TrustTunnel can tunnel TCP, UDP, and ICMP\n  traffic to and from the client.\n\n- **Platform Compatibility**: The server is compatible with Linux and macOS.\n  The client is available for Android, Apple, Windows, and Linux.\n\n---\n\n## Client Features\n\n- **Traffic Tunneling**: The library is capable of tunneling TCP, UDP, and ICMP\n  traffic from the client to the endpoint and back.\n\n- **Cross-Platform Support**: It supports Linux, macOS, and Windows platforms,\n  providing a consistent experience across different operating systems.\n\n- **System-Wide Tunnel and SOCKS5 Proxy**: It can be set up as a system-wide\n  tunnel, utilizing a virtual network interface, as well as a SOCKS5 proxy.\n\n- **Split Tunneling**: The library supports split tunneling, allowing users to\n  exclude connections to certain domains or hosts from routing through the VPN\n  endpoint, or vice versa, only routing connections to specific domains or hosts\n  through the endpoint based on an exclusion list.\n\n- **Custom DNS Upstream**: Users can specify a custom DNS upstream, which is\n  used for DNS queries routed through the VPN endpoint.\n\n---\n\n## Quick start\n\n### Endpoint setup\n\n#### Install the endpoint\n\nAn installation script is available that can be run with the following command:\n\n```bash\ncurl -fsSL https:\u002F\u002Fraw.githubusercontent.com\u002FTrustTunnel\u002FTrustTunnel\u002Frefs\u002Fheads\u002Fmaster\u002Fscripts\u002Finstall.sh | sh -s -\n```\n\nThe installation script will download the prebuilt package from the latest\nGitHub release for the appropriate system architecture and unpack it to\n`\u002Fopt\u002Ftrusttunnel`. 
The output directory could be overridden by specifying\n`-o DIR` flag at the end of the command above.\n\nIf you want to install a specific version (instead of the latest), use `-V \u003Cversion>`:\n\n```bash\ncurl -fsSL https:\u002F\u002Fraw.githubusercontent.com\u002FTrustTunnel\u002FTrustTunnel\u002Frefs\u002Fheads\u002Fmaster\u002Fscripts\u002Finstall.sh | sh -s - -V \u003Cversion>\n```\n\n> [!NOTE]\n> Prebuilt packages are available for `linux-x86_64`, `linux-aarch64`, and\n> `macos-universal` (Intel and Apple Silicon) architectures.\n\n#### Updating the endpoint\n\nThe installation script always installs the latest available version.\nSo, to update your installation, run the install command again:\n\n```bash\ncurl -fsSL https:\u002F\u002Fraw.githubusercontent.com\u002FTrustTunnel\u002FTrustTunnel\u002Frefs\u002Fheads\u002Fmaster\u002Fscripts\u002Finstall.sh | sh -s -\n```\n\nThis re-runs the installer and replaces the binaries in the installation\ndirectory (`\u002Fopt\u002Ftrusttunnel` by default, or the directory you specified with `-o DIR`).\n\n> [!NOTE]\n> Don't forget to stop the endpoint before updating:\n>\n> ```bash\n> sudo systemctl stop trusttunnel\n> ```\n>\n> To start the endpoint again after updating:\n>\n> ```bash\n> sudo systemctl start trusttunnel\n> ```\n\n#### Endpoint configuration wizard\n\nPlease refer to the [CONFIGURATION.md](CONFIGURATION.md) for the more detailed\ndocumentation on how to configure the endpoint.\n\nThe installation directory contains `setup_wizard` binary that helps generate\nthe config files required for the endpoint to run:\n\n```bash\ncd \u002Fopt\u002Ftrusttunnel\u002F\n.\u002Fsetup_wizard -h\n```\n\nThe setup wizard supports interactive mode, so you could run it and it will ask\nfor data required for endpoint configuration.\n\n```bash\ncd \u002Fopt\u002Ftrusttunnel\u002F\nsudo .\u002Fsetup_wizard\n```\n\n> [!NOTE]\n> `sudo` is required to manage TLS certificates properly.\n\nThe wizard will ask for the following 
fields, some of them have the default\nvalues you could safely use:\n\n- **The address to listen on** - specify the address for the endpoint to listen\n  on. Use `0.0.0.0:443` for native deployments (HTTPS on all interfaces).\n  If you run with Docker port mapping `443:8443`, set it to `0.0.0.0:8443`.\n- **Path to credentials file** - path where the user credentials for\n  authorization will be stored.\n- **Username** - the username the user will use for authorization.\n- **Password** - the user's password.\n- **Add one more user?** - select `yes` if you want to add more users, or `no`\n  to continue the configuration process.\n- **Path to the rules file** - path to store the filtering rules.\n- **Connection filtering rules** - you can add rules that the endpoint will use\n  to allow or disallow user's connections based on:\n    - Client IP address\n    - TLS random prefix\n    - TLS random with mask\n\n  Press `n` to allow all connections.\n- **Path to a file to store the library settings** - path to store the main\n  endpoint configuration file.\n- **Certificate selection** - choose how to obtain a TLS certificate:\n    - **Issue a Let's Encrypt certificate** (requires a public domain) - the\n      setup wizard has built-in ACME support and can automatically obtain a free,\n      publicly trusted certificate from Let's Encrypt. You'll need:\n        - A registered domain pointing to your server's IP address\n        - Port 80 accessible from the internet (for HTTP-01 challenge), or\n        - Ability to add DNS TXT records (for DNS-01 challenge)\n    - **Generate a self-signed certificate** - suitable for testing or when using\n      the CLI client only. 
Note: The Flutter client does not support self-signed\n      certificates **yet**.\n    - **Provide path to existing certificate** - use your own certificate files\n      obtained from another CA or tool like [certbot][certbot].\n- **Path to a file to store the TLS hosts settings** - path to store the TLS host settings file.\n\nAt this point all required configuration files are created and saved on disk.\n\n[certbot]: https:\u002F\u002Feff-certbot.readthedocs.io\u002Fen\u002Fstable\u002F\n\n#### Let's Encrypt certificate lifecycle\n\nThe setup wizard can obtain a Let's Encrypt certificate during initial setup, but you are responsible for ensuring it stays valid over time (renewal and service reload\u002Frestart).\n\nIf you're using Certbot to manage certificates and renew them automatically, follow the guide in [CERT_RENEWAL.md](CERT_RENEWAL.md).\n\n#### Running endpoint\n\nThe installed package contains the systemd service template, named\n`trusttunnel.service.template`.\n\nThis template can be used to set up the endpoint as a systemd service:\n\n> [!NOTE]\n> The template file assumes that the TrustTunnel Endpoint binary and all its\n> configuration files are located in `\u002Fopt\u002Ftrusttunnel` and have the default\n> file names. 
Modify the template if you have used the different paths.\n\n```bash\ncd \u002Fopt\u002Ftrusttunnel\u002F\ncp trusttunnel.service.template \u002Fetc\u002Fsystemd\u002Fsystem\u002Ftrusttunnel.service\nsudo systemctl daemon-reload\nsudo systemctl enable --now trusttunnel\n```\n\n#### Export client configuration\n\nThe endpoint binary can generate client configurations in two formats:\n\n##### Deep-Link Format (Default)\n\nGenerate a compact `tt:\u002F\u002F?` URI suitable for QR codes and mobile apps:\n\n```shell\n# \u003Cclient_name> - name of the client those credentials will be included in the configuration\n# \u003Caddress> - `ip`, `ip:port`, `domain`, or `domain:port` that the client will use to connect\n#           If only `ip` or `domain` is specified, the port from the `listen_address` field will be used\ncd \u002Fopt\u002Ftrusttunnel\u002F\n.\u002Ftrusttunnel_endpoint vpn.toml hosts.toml -c \u003Cclient_name> -a \u003Caddress>\n\n# Or explicitly specify the format:\n.\u002Ftrusttunnel_endpoint vpn.toml hosts.toml -c \u003Cclient_name> -a \u003Caddress> --format deeplink\n```\n\nThis outputs a `tt:\u002F\u002F?` deep-link URI that can be:\n\n- Shared directly with mobile clients\n- Used with the [CLI client][trusttunnel-client] or [TrustTunnel Flutter Client][trusttunnel-flutter-client]\n\nYou can also provide additional options:\n\n- `--name \u003Cdisplay_name>`: Set a custom display name for the server in the client app.\n- `--dns-upstream \u003Cdns_upstream>`: Specify a DNS upstream for the client. 
Can be an IP address\n  or a secure DNS URI (e.g., `tls:\u002F\u002F1.1.1.1`, `https:\u002F\u002Fdns.google\u002Fdns-query`).\n  This flag can be used multiple times to provide a list of DNS upstreams.\n\nExample with custom name and DNS upstreams:\n\n```shell\n.\u002Ftrusttunnel_endpoint vpn.toml hosts.toml -c \u003Cclient_name> -a \u003Caddress> \\\n    --name \"My Secure VPN\" \\\n    --dns-upstream 1.1.1.1 --dns-upstream tls:\u002F\u002F8.8.8.8\n```\n\nWhen `--generate-client-random-prefix` is used, the endpoint also appends an\nallow rule for the generated value to the `rules.toml` file referenced from\n`vpn.toml`.\n\n**Note**: If your certificate is signed by a trusted CA (e.g., Let's Encrypt), it will be\nautomatically omitted from the deep-link to keep it compact. Self-signed\ncertificates are included automatically.\n\n##### TOML Format (For CLI Client)\n\nGenerate a traditional TOML configuration file:\n\n```shell\ncd \u002Fopt\u002Ftrusttunnel\u002F\n.\u002Ftrusttunnel_endpoint vpn.toml hosts.toml -c \u003Cclient_name> -a \u003Cpublic_ip> --format toml\n```\n\nThis outputs a TOML configuration file suitable for the CLI client.\n\nBoth formats contain all necessary information to connect to the endpoint. See the\n[TrustTunnel Flutter Client documentation][trusttunnel-flutter-configuration] for setup instructions.\n\nCongratulations! You've done setting up the endpoint!\n\n[trusttunnel-flutter-configuration]: https:\u002F\u002Fgithub.com\u002FTrustTunnel\u002FTrustTunnelFlutterClient\u002Fblob\u002Fmaster\u002FREADME.md#server-configuration\n\n### Client setup\n\nMultiple clients are available for connecting to the endpoint — see the\n[Clients](#clients) section for the full list. 
The instructions below cover\nthe official **[CLI client][trusttunnel-client]** setup.\n\n#### Install the client\n\n##### Linux \u002F macOS\n\nAn installation script is available:\n\n```bash\ncurl -fsSL https:\u002F\u002Fraw.githubusercontent.com\u002FTrustTunnel\u002FTrustTunnelClient\u002Frefs\u002Fheads\u002Fmaster\u002Fscripts\u002Finstall.sh | sh -s -\n```\n\nThe installation script will download the prebuilt package from the latest GitHub release for the appropriate system architecture and unpack it to `\u002Fopt\u002Ftrusttunnel_client`. The output directory could be overridden by specifying `-o DIR` flag at the end of the command above.\n\n> [!NOTE]\n> Install script supports x86_64, aarch64, armv7, mips and mipsel architectures\n> for linux and arm64 and x86_64 for macos.\n\n##### Windows\n\nDownload the latest release archive from the\n[TrustTunnel Client releases page][trusttunnel-client-releases].\n\nExtract the archive to a directory of your choice, for example `C:\\TrustTunnel\\`.\n\n[trusttunnel-client-releases]: https:\u002F\u002Fgithub.com\u002FTrustTunnel\u002FTrustTunnelClient\u002Freleases\u002Flatest\n\n##### Router setup\n\nFor router deployments, please refer to router-specific client installation\nguides.\n\n- Keenetic routers: [TrustTunnel-Keenetic](https:\u002F\u002Fgithub.com\u002Fartemevsevev\u002FTrustTunnel-Keenetic)\n  (guide in Russian)\n\n#### Updating the client\n\n##### Linux \u002F macOS\n\nThe installation script always installs the latest available version.\nSo, to update your installation, run the install command again:\n\n```bash\ncurl -fsSL https:\u002F\u002Fraw.githubusercontent.com\u002FTrustTunnel\u002FTrustTunnelClient\u002Frefs\u002Fheads\u002Fmaster\u002Fscripts\u002Finstall.sh | sh -s -\n```\n\nThis re-runs the installer and replaces the binaries in the installation directory (`\u002Fopt\u002Ftrusttunnel_client` by default, or the directory you specified with `-o DIR`).\n\n> [!NOTE]\n> Don't forget to stop the 
client before updating (for example, by stopping the running process).\n\n##### Windows\n\nDownload the latest release from the\n[releases page][trusttunnel-client-releases] and replace the files\nin your installation directory.\n\n#### Client configuration wizard\n\nThe installation directory contains `setup_wizard` binary that helps generate\nthe config files required for the client to run.\n\n##### Linux \u002F macOS\n\n```bash\ncd \u002Fopt\u002Ftrusttunnel_client\u002F\n.\u002Fsetup_wizard -h\n```\n\nTo configure the client to use the config that was generated by endpoint, run\nthe following command:\n\n```bash\n.\u002Fsetup_wizard --mode non-interactive \\\n     --endpoint_config \u003Cendpoint_config> \\\n     --settings trusttunnel_client.toml\n```\n\n##### Windows\n\n```cmd\nsetup_wizard.exe --mode non-interactive ^\n    --endpoint_config \u003Cendpoint_config> ^\n    --settings trusttunnel_client.toml\n```\n\nIn both cases, `\u003Cendpoint_config>` is the path to the configuration file\ngenerated by the endpoint.\n\n`trusttunnel_client.toml` will contain all required configuration for the\nclient.\n\n> [!TIP]\n> The generated configuration contains basic settings to connect to the endpoint.\n> For advanced features, edit `trusttunnel_client.toml` directly. 
You can configure:\n>\n> - **VPN mode**: Route all traffic (`general`) or only specific destinations (`selective`)\n> - **Kill switch**: Block traffic when VPN disconnects\n> - **DNS upstreams**: Custom DNS resolvers (DoH, DoT, DoQ supported)\n> - **Exclusions**: Domains\u002FIPs to bypass or route through VPN\n> - **Listener type**: TUN device or SOCKS5 proxy\n>\n> See the [TrustTunnel CLI Client README](https:\u002F\u002Fgithub.com\u002FTrustTunnel\u002FTrustTunnelClient\u002Fblob\u002Fmaster\u002Ftrusttunnel\u002FREADME.md#configuration-reference) for all available options.\n\n\u003C!-- markdownlint-disable MD028 -->\n> [!NOTE]\n> After editing the config, restart the client for the changes to take effect.\n\n#### Running client\n\n##### Linux \u002F macOS\n\n```bash\ncd \u002Fopt\u002Ftrusttunnel_client\u002F\nsudo .\u002Ftrusttunnel_client -c trusttunnel_client.toml\n```\n\n`sudo` is required to set up the routes and tun interface.\n\n##### Windows\n\nOpen a terminal **as Administrator** and run:\n\n```cmd\ntrusttunnel_client.exe -c trusttunnel_client.toml\n```\n\nAdministrator privileges are required to set up routes and the TUN interface.\n\n## Clients\n\n### Official\n\n#### CLI\n\n[TrustTunnel Client][trusttunnel-client] — Linux, macOS, Windows\n\n#### GUI\n\n[TrustTunnel Flutter Client][trusttunnel-flutter-client] —\niOS, Android (macOS, Windows — coming soon).\nAvailable on [App Store][app-store]* and [Play Store][play-store].\n\n> [!NOTE]\n> \\* In some countries, the iOS app is not available in the App Store. You may need an Apple ID from another country to download it. 
[Learn how to change your App Store country](https:\u002F\u002Fchange-appstore-country.com\u002F).\n\n### Community\n\n> [!NOTE]\n> Community clients are developed and maintained independently.\n> They are not officially supported by the TrustTunnel team.\n\n#### GUI\n\n[TrustTunnel-GUI-Client](https:\u002F\u002Fgithub.com\u002Fblazuryk\u002FTrustTunnel-GUI-Client) — Windows GUI client, implemented as a Python wrapper for [TrustTunnel Client][trusttunnel-client]\n\n[Surge](https:\u002F\u002Fnssurge.com) — (Commercial) macOS and iOS network toolbox with experimental TrustTunnel support\n\n## See Also\n\n- [CONFIGURATION.md](CONFIGURATION.md) - Configuration documentation\n- [DEVELOPMENT.md](DEVELOPMENT.md) - Development documentation\n- [PROTOCOL.md](PROTOCOL.md) - Protocol specification\n- [CHANGELOG.md](CHANGELOG.md) - Changelog\n- [VERIFY_RELEASES.md](VERIFY_RELEASES.md) - How to verify releases\n\n## Roadmap\n\nWhile our VPN currently supports tunneling TCP\u002FUDP\u002FICMP traffic, we plan to add support for\npeer-to-peer communication between clients.\n\nStay tuned for this feature in upcoming releases.\n\n## License\n\nThis project is licensed under the Apache 2.0 License. See [LICENSE](LICENSE) for details.\n","TrustTunnel is a modern, fast, obfuscated open-source VPN protocol. It was developed by AdGuard VPN and aims to provide secure, reliable network connections without noticeable performance loss. Its core features include mimicking regular HTTPS traffic to bypass throttling and deep-packet inspection while maintaining strong privacy protections, and flexible tunneling over multiple protocols (such as HTTP\u002F1.1, HTTP\u002F2 and QUIC) that can carry TCP, UDP, ICMP and other types of network traffic. It suits internet access scenarios that require a high degree of stealth and stability, such as transmitting sensitive information or circumventing network censorship. The server side is compatible with Linux and macOS, while the client broadly supports Android, iOS, Windows, Linux and other platforms.",2,"2026-06-11 03:45:02","high_star"]