Proxy Protocols
Proxy Types

Protocol Types

Stash supports multiple types of proxy protocols and can proxy TCP/UDP protocols.

Each proxy must have the following parameters:

  • name: Proxy name; each proxy has a unique name.
  • type: Proxy type.
  • server: Server address, can be a domain name or IP address.
  • port: Port.

The proxy may support the following parameters:

In addition, for individual proxy latency testing, the following parameters can be modified:

  • benchmark-url: URL used for latency testing, defaults to
  • benchmark-timeout: Latency test timeout in seconds, defaults to 5 seconds.

You can visit here for more information about testing proxy latency.

Each proxy type also requires its own parameters, which are described in the following text.


name: ss1
type: ss
server: server
port: 443
cipher: chacha20-ietf-poly1305
password: 'password'
udp: true
plugin: null

The following encryption methods (cipher) are supported:

  • aes-128-gcm
  • aes-192-gcm
  • aes-256-gcm
  • aes-128-cfb
  • aes-192-cfb
  • aes-256-cfb
  • aes-128-ctr
  • aes-192-ctr
  • aes-256-ctr
  • rc4-md5
  • chacha20
  • chacha20-ietf
  • xchacha20
  • chacha20-ietf-poly1305
  • xchacha20-ietf-poly1305

The following plugins (plugin) are supported:

plugin: obfs
plugin-opts:
  mode: tls # Obfuscation mode, can choose http or tls
  host: # Obfuscation domain name, needs to be consistent with the server configuration

plugin: v2ray-plugin
plugin-opts:
  mode: websocket # QUIC protocol not supported yet.
  tls: true # wss
  skip-cert-verify: true # Do not verify the certificate
  path: '/'
  headers: # Custom request header
    key: value
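
As an added example (not part of the Stash documentation or its code), this Ruby script audits a proxy list for the required parameters listed earlier, non-unique names, Shadowsocks ciphers from the list above that are not AEAD constructions, and skip-cert-verify set to true on an entry or in its nested options. The top-level proxies key, the audit_proxies and skips_cert_check? helpers, and the sample entries are assumptions made for the example.

```ruby
require 'yaml'

# Ciphers from the Shadowsocks list above that are AEAD (authenticated) modes.
AEAD = %w[aes-128-gcm aes-192-gcm aes-256-gcm
          chacha20-ietf-poly1305 xchacha20-ietf-poly1305].freeze
REQUIRED = %w[name type server port].freeze

# True if skip-cert-verify is enabled on the entry or in any nested option map.
def skips_cert_check?(node)
  return node.any? { |v| skips_cert_check?(v) } if node.is_a?(Array)
  return false unless node.is_a?(Hash)
  node['skip-cert-verify'] == true || node.values.any? { |v| skips_cert_check?(v) }
end

# Hypothetical helper: returns finding strings for an array of proxy hashes.
def audit_proxies(proxies)
  findings = []
  proxies.each_with_index do |proxy, i|
    label = proxy['name'] || "entry #{i}"
    missing = REQUIRED.select { |k| proxy[k].nil? }
    findings << "#{label}: missing #{missing.join(', ')}" unless missing.empty?
    if proxy['type'] == 'ss' && !AEAD.include?(proxy['cipher'])
      findings << "#{label}: cipher #{proxy['cipher'].inspect} is not AEAD"
    end
    findings << "#{label}: certificate verification disabled" if skips_cert_check?(proxy)
  end
  names = proxies.map { |p| p['name'] }.compact
  names.select { |n| names.count(n) > 1 }.uniq.each do |n|
    findings << "#{n}: name is not unique"
  end
  findings
end

# Constructed sample; the top-level "proxies" list is an assumed wrapper.
SAMPLE = <<~YAML
  proxies:
    - {name: ss1, type: ss, server: server, port: 443, cipher: rc4-md5, password: password}
    - {name: ss1, type: ss, server: server, cipher: chacha20-ietf-poly1305, password: password}
    - {name: http, type: http, server: server, port: 443, tls: true, skip-cert-verify: true}
YAML

def sample_findings
  audit_proxies(YAML.safe_load(SAMPLE)['proxies'])
end
puts sample_findings
```

The non-AEAD entries in the cipher list (the cfb, ctr, rc4-md5 and plain chacha20 variants) encrypt without an authentication tag, which is why the script reports them.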


name: ssr
type: ssr
server: server
port: 443
cipher: chacha20-ietf
password: 'password'
obfs: ''
protocol: ''
obfs-param: ''
protocol-param: ''

Supports the same encryption methods (cipher) as Shadowsocks.

Supported obfuscation methods (obfs):

  • plain
  • http_simple
  • http_post
  • random_head
  • tls1.2_ticket_auth
  • tls1.2_ticket_fastauth

Supported protocols:

  • origin
  • auth_sha1_v4
  • auth_aes128_md5
  • auth_aes128_sha1
  • auth_chain_a
  • auth_chain_b


name: socks
type: socks5
server: server
port: 443
# username: username
# password: password
# tls: true
# skip-cert-verify: true
# udp: true


name: http
type: http
server: server
port: 443
headers:
  key: value
tls: true # https
skip-cert-verify: true
# username: username
# password: password


name: vmess
type: vmess
server: server
port: 443
uuid: d0529668-8835-11ec-a8a3-0242ac120002
cipher: auto

Supported encryption methods (cipher):

  • auto
  • aes-128-gcm
  • chacha20-poly1305
  • none

Supported carrying network protocols (network):

  • ws
  • h2
  • http
  • grpc

network: ws
ws-opts:
  path: /path
  max-early-data: 2048
  early-data-header-name: Sec-WebSocket-Protocol

network: h2
tls: true
h2-opts:
  path: /


name: snell
type: snell
server: server
port: 443
psk: yourpsk
udp: true # requires server version 3 or above
version: 3
# obfs-opts:
#   mode: http # or tls
#   host:

Snell UDP requires server version 3 or above.

Supported obfuscation modes (obfs-opts.mode):

  • http
  • tls


name: trojan
type: trojan
server: server
port: 443
password: yourpassword
# udp: true
# sni: # Server Name Indication, use server value if empty
# alpn:
#   - h2
#   - http/1.1
# skip-cert-verify: true

Supported carrying network protocols (network):

  • ws
  • grpc


Hysteria is a feature-rich network tool (bilateral acceleration) optimized for harsh network environments, such as satellite networks, crowded public Wi-Fi, and connections from China to foreign servers. It is based on a modified version of the QUIC protocol.

For Hysteria server deployment, please refer to here.

name: 'hysteria'
type: hysteria
server: server
port: 443
up-speed: 100 # Upload bandwidth (unit: Mbps)
down-speed: 100 # Download bandwidth (unit: Mbps)
auth-str: your-password
# auth: aHR0cHM6Ly9oeXN0ZXJpYS5uZXR3b3JrL2RvY3MvYWR2YW5jZWQtdXNhZ2Uv # bytes encoded in base64
protocol: '' # udp / wechat-video
obfs: '' # obfs password
sni: # Server Name Indication, use server value if empty
alpn:
  - hysteria
skip-cert-verify: true

Upload and download bandwidth are in Mbps. Please fill them in correctly; values exceeding the actual bandwidth will have adverse effects.

External link: base64 online encoding tool.


The XTLS protocol eliminates redundant encryption in a TLS environment, providing better forwarding performance.

name: vless
type: vless
server: server
port: 443
uuid: d0529668-8835-11ec-a8a3-0242ac120002
# flow: xtls-rprx-direct
# skip-cert-verify: true
# network: h2
# tls: true
# ws-opts:
#   path: /path
#   headers:
#     Host:
# grpc-opts:
#   grpc-service-name: "example"
# h2-opts:
#   host:
#     -
#     -
#   path: /

Supported XTLS modes (flow):

  • xtls-rprx-origin
  • xtls-rprx-direct
  • xtls-rprx-splice


TUIC is a lightweight proxy protocol based on QUIC and written in Rust. You can find more information here.

name: tuic
type: tuic
server: server
port: 443
token: 'your_token'
skip-cert-verify: true
sni: ''
alpn:
  - h3

Note that the Stash client does not support an empty ALPN, and the default ALPN is h3. Please add the --alpn h3 parameter to the server.

Please choose a suitable congestion control algorithm with the --congestion-controller parameter in order to fully utilize the bandwidth on the server.


WireGuard is an efficient Layer 3 VPN, and Stash supports using it as a Layer 4 proxy and forwarding WireGuard packets through other protocols.

name: wireguard
type: wireguard
server: server # domain is supported
port: 51820
# ipv6: fe80::e6bf:faff:fea0:9fae # optional
private-key: 0G6TTWwvgv8Gy5013/jv2GttkCLYYaNTArHV0NdNkGI= # client private key
public-key: 0ag+C+rINHBnvLJLUyJeYkMWvIAkBjQPPObicuBUn1U= # peer public key
# preshared-key: # optional
dns: [,] # optional
# mtu: 1420 # optional
# reserved: [0, 0, 0] # optional
# keepalive: 45 # optional
# underlying-proxy: # optional
#   type: trojan
#   server: your-underlying-proxy
#   port: 443
#   password: your-password

WireGuard is not a proxy protocol designed for high throughput, and Stash needs to complete the conversion between Layer 3 and Layer 4 in user space, which may result in a larger performance loss than commonly used proxy protocols. On mobile devices, the throughput of WireGuard is generally lower than that of Layer 4 proxy protocols.


If you use underlying-proxy, it must support UDP relay, and it is recommended to use UDP over TCP protocols (such as Trojan, VLESS, VMess, Snell).

DIRECT with Specified Interface

By creating a proxy of type direct and specifying interface-name, you can force some traffic to pass through a specified network card, which is commonly used to solve the problem that VPN and Stash cannot be used at the same time.

For example, suppose the OpenVPN on your local machine uses utun3 and you want traffic to go through utun3 instead of macOS's default network card:

name: my-corp-vpn
type: direct
interface-name: utun3

rules:
  - IP-CIDR,,my-corp-vpn

Please change utun3 according to the actual situation.

You can use netstat -rn | grep utun3 to query the static routing table of utun3.