Protocol Types
Stash supports multiple types of proxy protocols, which can proxy TCP/UDP protocols.
Each proxy must have the following parameters:
name: The name of the proxy, which must be unique for each proxy.type: The type of the proxy.server: The server address, which can be a domain name or an IP address.port: The port.
The proxy may support the following parameters:
tls: A boolean value indicating whether to use TLS for forwarding.skip-cert-verify: A boolean value indicating whether to skip certificate verification during TLS handshake.server-cert-fingerprint: A string representing the SHA256 fingerprint of the server certificate for TLS handshake, encoded in Hex.sni: A string representing the Server Name Indication (opens in a new tab) sent during TLS handshake. Ifsniis empty, it defaults to theserverfield.alpn: An array of strings representing the Application-Layer Protocol Negotiation (ALPN) (opens in a new tab) sent during TLS handshake.interface-name: The network interface to bind to. Only supported on macOS.
In addition, for latency testing of individual proxies, the following parameters can be modified:
benchmark-url: The URL used for latency testing. Defaults tohttp://www.apple.com/.benchmark-timeout: The timeout for latency testing, in seconds. Defaults to 5 seconds.
You can visit here for more information on testing proxy latency.
For protocols based on QUIC, it is possible to periodically change the port to counteract ISP's throttling on individual ports, a method known as port hopping.
ports: A string representing multiple ports or port ranges, separated by commas, e.g.,443,8443,5000-6000.hop-interval: An integer representing the interval for port hopping, in seconds. Defaults to 30 seconds.
Different types of proxies also require specifying additional parameters, which can be referred to in the following sections.
Shadowsocks
name: ss1
type: ss
server: server
port: 443
cipher: chacha20-ietf-poly1305
password: 'password'
udp: true
plugin: null
plugin-opts:
mode:
host:The following encryption methods (cipher) are supported:
aes-128-gcmaes-192-gcmaes-256-gcmaes-128-cfbaes-192-cfbaes-256-cfbaes-128-ctraes-192-ctraes-256-ctrrc4-md5chacha20chacha20-ietfxchacha20chacha20-ietf-poly1305xchacha20-ietf-poly1305
The following plugins (plugin) are supported:
plugin: obfs
plugin-opts:
mode: tls # Obfuscation mode, can be either http or tls
host: bing.com # Obfuscation domain, should match the server configurationplugin: v2ray-plugin
plugin-opts:
mode: websocket # Currently does not support QUIC protocol
tls: true # wss
skip-cert-verify: true # Do not verify the certificate
host: bing.com
path: '/'
headers: # Custom request headers
key: valueShadowsocksR
name: ssr
type: ssr
server: server
port: 443
cipher: chacha20-ietf
password: 'password'
obfs: ''
protocol: ''
obfs-param: ''
protocol-param: ''The supported encryption methods (cipher) are the same as Shadowsocks.
The supported obfuscation methods (obfs) are:
plainhttp_simplehttp_postrandom_headtls1.2_ticket_authtls1.2_ticket_fastauth
The supported protocols (protocol) are:
originauth_sha1_v4auth_aes128_md5auth_aes128_sha1auth_chain_a auth_chain_b
SOCKS5
name: socks
type: socks5
server: server
port: 443
# username: username
# password: password
# tls: true
# skip-cert-verify: true
# udp: trueHTTP
name: http
type: http
server: server
port: 443
headers:
key: value
tls: true # https
skip-cert-verify: true
# username: username
# password: passwordVMess
name: vmess
type: vmess
server: server
port: 443
uuid: d0529668-8835-11ec-a8a3-0242ac120002
cipher: auto
alterId: 64
network:The supported encryption methods (cipher) are:
autoaes-128-gcmchacha20-poly1305none
The supported network types (network) are:
wsh2httpgrpc
network: ws
ws-opts:
path: /path
headers:
Host: v2ray.com
max-early-data: 2048
early-data-header-name: Sec-WebSocket-Protocolnetwork: h2
tls: true
h2-opts:
host:
- http.example.com
- http-alt.example.com
path: /Snell
name: snell
type: snell
server: server
port: 443
psk: yourpsk
udp: true # Requires server version 3 or above
version: 3
# obfs-opts:
# mode: http # or tls
# host: bing.comSnell UDP requires server version 3 or above.
The supported obfuscation modes (obfs-opts.mode) are:
- http
- tls
Trojan
name: trojan
type: trojan
server: server
port: 443
password: yourpassword
# udp: true
# sni: example.com # Server Name Indication, if empty, will use the value in the server field
# alpn:
# - h2
# - http/1.1
# skip-cert-verify: trueThe supported network types (network) are:
wsgrpc
Hysteria
Hysteria is a feature-rich network tool (bilateral accelerator) optimized for adverse network environments, such as satellite networks, congested public Wi-Fi, and connections to foreign servers in China. Based on the modified QUIC protocol.
Please refer to here (opens in a new tab) for Hysteria server deployment.
name: 'hysteria'
type: hysteria
server: server
port: 443
up-speed: 100 # Upload bandwidth (unit: Mbps)
down-speed: 100 # Download bandwidth (unit: Mbps)
auth-str: your-password
# auth: aHR0cHM6Ly9oeXN0ZXJpYS5uZXR3b3JrL2RvY3MvYWR2YW5jZWQtdXNhZ2Uv # bytes encoded in base64
protocol: '' # udp / wechat-video
obfs: '' # obfs password
sni: example.com # Server Name Indication, if empty, will use the value in the server field
alpn:
- hysteria
skip-cert-verify: trueThe upload and download bandwidths are in Mbps. Please fill in the correct values to fully utilize the actual bandwidth. Exceeding the actual bandwidth may have a counterproductive effect.
External link: base64 online encoding tool (opens in a new tab).
Hysteria2
Please note that Hysteria 2 is completely incompatible with Hysteria 1.x. Please refer to the official documentation (opens in a new tab) for the differences between the two.
Please refer to here (opens in a new tab) for Hysteria2 server deployment.
name: 'hysteria2'
type: hysteria2
server: server
port: 443
auth: your-password
fast-open: true
sni: example.com # Server Name Indication, if empty, will use the value in the server field
skip-cert-verify: true
up-speed: 100 # Upload bandwidth (optional, unit: Mbps)
down-speed: 100 # Download bandwidth (optional, unit: Mbps)VLESS
The XTLS protocol eliminates redundant encryption in a TLS environment and provides better forwarding performance.
name: vless
type: vless
server: server
port: 443
uuid: d0529668-8835-11ec-a8a3-0242ac120002
# flow: xtls-rprx-direct
# skip-cert-verify: true
# network: h2
# tls: true
# ws-opts:
# path: /path
# headers:
# Host: v2ray.com
# grpc-opts:
# grpc-service-name: "example"
# h2-opts:
# host:
# - http.example.com
# - http-alt.example.com
# path: /The supported XTLS modes (flow) are:
xtls-rprx-originxtls-rprx-directxtls-rprx-splice
TUIC
TUIC is a lightweight QUIC-based proxy protocol written in Rust, currently supporting v4 and v5 versions. You can find more information here (opens in a new tab).
name: tuic-v5
type: tuic
server: server
port: 443
version: 5
uuid: d0529668-8835-11ec-a8a3-0242ac120002 # for v5
password: your_password # for v5
skip-cert-verify: true
sni: ''
alpn:
- h3name: tuic-v4
type: tuic
server: server
port: 443
version: 4
token: 'your_token' # for v4
skip-cert-verify: true
sni: ''
alpn:
- h3Please note that the Stash client does not support an empty ALPN, and the default ALPN is h3. Please add the --alpn h3 parameter to the TUIC server.
Please select the appropriate congestion control algorithm --congestion-controller parameter on the server to fully utilize the bandwidth.
Juicity
Juicity (opens in a new tab) is a QUIC-based proxy protocol inspired by TUIC.
name: juicity
type: juicity
server: server
port: 443
uuid: d0529668-8835-11ec-a8a3-0242ac120002
password: your_password
skip-cert-verify: true
sni: ''
alpn:
- h3WireGuard
WireGuard (opens in a new tab) is an efficient Layer 3 VPN. Stash supports using it as a Layer 4 proxy and supports forwarding WireGuard packets through other protocols.
name: wireguard
type: wireguard
server: server # domain is supported
port: 51820
ip: 10.8.4.8
# ipv6: fe80::e6bf:faff:fea0:9fae # optional
private-key: 0G6TTWwvgv8Gy5013/jv2GttkCLYYaNTArHV0NdNkGI= # client private key
public-key: 0ag+C+rINHBnvLJLUyJeYkMWvIAkBjQPPObicuBUn1U= # peer public key
# preshared-key: # optional
dns: [1.0.0.1, 223.6.6.6] # optional
# mtu: 1420 # optional
# reserved: [0, 0, 0] # optional
# keepalive: 45 # optional
# underlying-proxy: # optional
# type: trojan
# server: your-underlying-proxy
# port: 443
# password: your-passwordWireGuard is not designed for high throughput proxy protocols. Stash needs to perform Layer 3 to Layer 4 conversion in user space, which incurs more performance overhead compared to common proxy protocols. On mobile devices, WireGuard generally has lower throughput than Layer 4 proxy protocols.
If using underlying-proxy, it must support UDP relay. It is recommended to use a protocol that supports UDP over TCP (such as Trojan, VLESS, VMess, Snell).
SSH
Forward TCP traffic through Secure Shell Protocol (SSH) (opens in a new tab), supporting password and key authentication.
Since SSH itself does not support forwarding UDP protocols, Stash cannot forward UDP traffic through the SSH protocol.
name: ssh
type: ssh
server: server # domain is supported
port: 22
user: root
password: password
private-key: |
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA0G6TTWwvgv8Gy5013/jv2GttkCLYYaNTArHV0NdNkGI=
...
-----END RSA PRIVATE KEY-----
private-key-passphrase: your-passphrase # optionalDIRECT with Specified Interface
By creating a proxy of type direct and specifying interface-name, it is possible to force certain traffic to go through a specific network interface. This is commonly used to solve the issue of VPN and Stash not being able to be used simultaneously.
For example, if OpenVPN on the local machine is using utun3 and you want all traffic from 10.4.8.0/24 to go through utun3 instead of the default network interface on macOS.
name: my-corp-vpn
type: direct
interface-name: utun3rules:
- IP-CIDR,10.4.8.0/24,my-corp-vpnPlease change utun3 according to the actual situation.
You can use netstat -rn | grep utun3 to query the static routing table for utun3.