Protocol Types
Stash supports multiple types of proxy protocols, which can proxy TCP/UDP protocols.
Each proxy must have the following parameters:
name
: The name of the proxy, which must be unique for each proxy.type
: The type of the proxy.server
: The server address, which can be a domain name or an IP address.port
: The port.
Proxies may support the following parameters:
tls
: A boolean value indicating whether to use TLS for forwarding.skip-cert-verify
: A boolean value indicating whether to skip certificate verification during TLS handshake.sni
: A string representing the Server Name Indication (opens in a new tab) sent during TLS handshake. Ifsni
is empty, the default value is theserver
field.alpn
: An array of strings representing the Application-Layer Protocol Negotiation (ALPN) (opens in a new tab) sent during TLS handshake.interface-name
: The network interface to bind to. Only supported on macOS.
In addition, for latency testing of individual proxies, the following parameters can be modified:
benchmark-url
: The URL used for latency testing. The default value ishttp://www.apple.com/
.benchmark-timeout
: The timeout for latency testing, in seconds. The default value is 5 seconds.
You can visit here for more information on testing proxy latency.
Different types of proxies also require specifying additional parameters, which can be referred to in the following sections.
Shadowsocks
name: ss1
type: ss
server: server
port: 443
cipher: chacha20-ietf-poly1305
password: 'password'
udp: true
plugin: null
plugin-opts:
mode:
host:
The following encryption methods (cipher) are supported:
aes-128-gcm
aes-192-gcm
aes-256-gcm
aes-128-cfb
aes-192-cfb
aes-256-cfb
aes-128-ctr
aes-192-ctr
aes-256-ctr
rc4-md5
chacha20
chacha20-ietf
xchacha20
chacha20-ietf-poly1305
xchacha20-ietf-poly1305
The following plugins (plugin) are supported:
plugin: obfs
plugin-opts:
mode: tls # Obfuscation mode, can be either http or tls
host: bing.com # Obfuscation domain, should match the server configuration
plugin: v2ray-plugin
plugin-opts:
mode: websocket # Currently does not support QUIC protocol
tls: true # wss
skip-cert-verify: true # Do not verify the certificate
host: bing.com
path: '/'
headers: # Custom request headers
key: value
ShadowsocksR
name: ssr
type: ssr
server: server
port: 443
cipher: chacha20-ietf
password: 'password'
obfs: ''
protocol: ''
obfs-param: ''
protocol-param: ''
The supported encryption methods (cipher) are the same as Shadowsocks.
The supported obfuscation methods (obfs) are:
plain
http_simple
http_post
random_head
tls1.2_ticket_auth
tls1.2_ticket_fastauth
The supported protocols (protocol) are:
origin
auth_sha1_v4
auth_aes128_md5
auth_aes128_sha1
auth_chain_a auth_chain_b
SOCKS5
name: socks
type: socks5
server: server
port: 443
# username: username
# password: password
# tls: true
# skip-cert-verify: true
# udp: true
HTTP
name: http
type: http
server: server
port: 443
headers:
key: value
tls: true # https
skip-cert-verify: true
# username: username
# password: password
VMess
name: vmess
type: vmess
server: server
port: 443
uuid: d0529668-8835-11ec-a8a3-0242ac120002
cipher: auto
network:
The supported encryption methods (cipher) are:
auto
aes-128-gcm
chacha20-poly1305
none
The supported network types (network) are:
ws
h2
http
grpc
network: ws
ws-opts:
path: /path
headers:
Host: v2ray.com
max-early-data: 2048
early-data-header-name: Sec-WebSocket-Protocol
network: h2
tls: true
h2-opts:
host:
- http.example.com
- http-alt.example.com
path: /
Snell
name: snell
type: snell
server: server
port: 443
psk: yourpsk
udp: true # Requires server version 3 or above
version: 3
# obfs-opts:
# mode: http # or tls
# host: bing.com
Snell UDP requires server version 3 or above.
The supported obfuscation modes (obfs-opts.mode) are:
- http
- tls
Trojan
name: trojan
type: trojan
server: server
port: 443
password: yourpassword
# udp: true
# sni: example.com # Server Name Indication, if empty, will use the value in the server field
# alpn:
# - h2
# - http/1.1
# skip-cert-verify: true
The supported network types (network) are:
ws
grpc
Hysteria
Hysteria is a feature-rich network tool (bilateral acceleration) optimized for adverse network environments, such as satellite networks, congested public Wi-Fi, and connections to foreign servers in China. Based on a modified version of the QUIC protocol.
Please refer to here (opens in a new tab) for Hysteria server deployment.
name: 'hysteria'
type: hysteria
server: server
port: 443
up-speed: 100 # Upload bandwidth (unit: Mbps)
down-speed: 100 # Download bandwidth (unit: Mbps)
auth-str: your-password
# auth: aHR0cHM6Ly9oeXN0ZXJpYS5uZXR3b3JrL2RvY3MvYWR2YW5jZWQtdXNhZ2Uv # bytes encoded in base64
protocol: '' # udp / wechat-video
obfs: '' # obfs password
sni: example.com # Server Name Indication, if empty, will use the value in the server field
alpn:
- hysteria
skip-cert-verify: true
The upload and download bandwidth are in Mbps, please fill in the correct values to avoid adverse effects.
External link: base64 online encoding tool (opens in a new tab).
Hysteria2
Please note that Hysteria 2 is completely incompatible with Hysteria 1.x. Please refer to the official documentation (opens in a new tab) for the differences between the two.
Please refer to here (opens in a new tab) for Hysteria2 server deployment.
name: 'hysteria2'
type: hysteria2
server: server
port: 443
auth: your-password
fast-open: true
sni: example.com # Server Name Indication, if empty, will use the value in the server field
skip-cert-verify: true
up-speed: 100 # Upload bandwidth (optional, unit: Mbps)
down-speed: 100 # Download bandwidth (optional, unit: Mbps)
VLESS
The XTLS protocol eliminates redundant encryption in a TLS environment and provides better forwarding performance.
name: vless
type: vless
server: server
port: 443
uuid: d0529668-8835-11ec-a8a3-0242ac120002
# flow: xtls-rprx-direct
# skip-cert-verify: true
# network: h2
# tls: true
# ws-opts:
# path: /path
# headers:
# Host: v2ray.com
# grpc-opts:
# grpc-service-name: "example"
# h2-opts:
# host:
# - http.example.com
# - http-alt.example.com
# path: /
The supported XTLS modes (flow) are:
xtls-rprx-origin
xtls-rprx-direct
xtls-rprx-splice
TUIC
TUIC is a lightweight QUIC-based proxy protocol written in Rust. It currently supports v4 and v5 versions. You can find more information here (opens in a new tab).
name: tuic-v5
type: tuic
server: server
port: 443
version: 5
uuid: d0529668-8835-11ec-a8a3-0242ac120002 # for v5
password: your_password # for v5
skip-cert-verify: true
sni: ''
alpn:
- h3
name: tuic-v4
type: tuic
server: server
port: 443
version: 4
token: 'your_token' # for v4
skip-cert-verify: true
sni: ''
alpn:
- h3
Please note that the Stash client does not support an empty ALPN, and the default ALPN is h3. Please add the --alpn h3
parameter to the TUIC server.
Please select the appropriate congestion control algorithm --congestion-controller
parameter on the server to fully utilize the bandwidth.
WireGuard
WireGuard (opens in a new tab) is an efficient Layer 3 VPN. Stash supports using it as a Layer 4 proxy and supports forwarding WireGuard packets through other protocols.
name: wireguard
type: wireguard
server: server # domain is supported
port: 51820
ip: 10.8.4.8
# ipv6: fe80::e6bf:faff:fea0:9fae # optional
private-key: 0G6TTWwvgv8Gy5013/jv2GttkCLYYaNTArHV0NdNkGI= # client private key
public-key: 0ag+C+rINHBnvLJLUyJeYkMWvIAkBjQPPObicuBUn1U= # peer public key
# preshared-key: # optional
dns: [1.0.0.1, 223.6.6.6] # optional
# mtu: 1420 # optional
# reserved: [0, 0, 0] # optional
# keepalive: 45 # optional
# underlying-proxy: # optional
# type: trojan
# server: your-underlying-proxy
# port: 443
# password: your-password
WireGuard is not designed for high throughput proxying. Stash needs to perform Layer 3 to Layer 4 conversion in user space, which incurs performance overhead compared to common proxy protocols. On mobile devices, WireGuard generally has lower throughput than Layer 4 proxy protocols.
If using underlying-proxy
, it must support UDP relay. It is recommended to
use protocols that support UDP over TCP (such as Trojan, VLESS, VMess, Snell).
DIRECT with Specified Interface
By creating a proxy with type direct
and specifying interface-name
, you can force certain traffic to go through a specific network interface. This is commonly used to solve the issue of VPN and Stash not being able to be used simultaneously.
For example, if the OpenVPN on your machine is using utun3
and you want all traffic from 10.4.8.0/24
to go through utun3
instead of the default network interface on macOS.
name: my-corp-vpn
type: direct
interface-name: utun3
rules:
- IP-CIDR,10.4.8.0/24,my-corp-vpn
Please change utun3
according to your actual situation.
You can use netstat -rn | grep utun3
to check the static routing table for utun3
.