Protocol Types

Stash supports multiple types of proxy protocols and can proxy TCP/UDP protocols.

Each proxy must have the following parameters:

name: Proxy name, and each proxy has a unique name.
type: Proxy type.
server: Server address, can be a domain name or IP address.
port: Port.

The proxy may support the following parameters:

tls: Boolean value indicating whether to forward based on TLS.
skip-cert-verify: Boolean value indicating whether to skip certificate verification during TLS handshake.
sni: String specifying the Server Name Indication (opens in a new tab) sent during the TLS handshake. If sni is empty, it defaults to the server field.
alpn: Array of strings specifying the Application-Layer Protocol Negotiation (ALPN) (opens in a new tab) sent during the TLS handshake.
interface-name: Bound network card exit. Only supported on macOS.

In addition, for individual proxy latency testing, the following parameters can be modified:

benchmark-url: URL used for latency testing, defaults to http://www.apple.com/.
benchmark-timeout: Latency test timeout in seconds, defaults to 5 seconds.

You can visit here for more information about testing proxy latency.

Different types of proxies also need to specify some parameters, which can be referred to in the following text.

Shadowsocks

name: ss1
type: ss
server: server
port: 443
cipher: chacha20-ietf-poly1305
password: 'password'
udp: true
plugin: null
plugin-opts:
  mode:
  host:

Support the following encryption methods (cipher):

aes-128-gcm
aes-192-gcm
aes-256-gcm
aes-128-cfb
aes-192-cfb
aes-256-cfb
aes-128-ctr
aes-192-ctr
aes-256-ctr
rc4-md5
chacha20
chacha20-ietf
xchacha20
chacha20-ietf-poly1305
xchacha20-ietf-poly1305

Support the following plugins (plugin):

plugin: obfs
plugin-opts:
  mode: tls # Obfuscation mode, can choose http or tls
  host: bing.com # Obfuscation domain name, needs to be consistent with the server configuration

plugin: v2ray-plugin
plugin-opts:
  mode: websocket # QUIC protocol not supported yet.
  tls: true # wss
  skip-cert-verify: true # Do not verify the certificate
  host: bing.com
  path: '/'
  headers: # Custom request header
    key: value

ShadowsocksR

name: ssr
type: ssr
server: server
port: 443
cipher: chacha20-ietf
password: 'password'
obfs: ''
protocol: ''
obfs-param: ''
protocol-param: ''

Support the same encryption method (cipher) as Shadowsocks.

Supported obfuscation methods (obfs):

plain
http_simple
http_post
random_head
tls1.2_ticket_auth
tls1.2_ticket_fastauth

Supported protocols:

origin
auth_sha1_v4
auth_aes128_md5
auth_aes128_sha1
auth_chain_a auth_chain_b

SOCKS5

name: socks
type: socks5
server: server
port: 443
# username: username
# password: password
# tls: true
# skip-cert-verify: true
# udp: true

HTTP

name: http
type: http
server: server
port: 443
headers:
  key: value
tls: true # https
skip-cert-verify: true
# username: username
# password: password

VMess

name: vmess
type: vmess
server: server
port: 443
uuid: d0529668-8835-11ec-a8a3-0242ac120002
cipher: auto
network:

Supported encryption methods (cipher):

auto
aes-128-gcm
chacha20-poly1305
none

Supported carrying network protocols (network):

ws
h2
http
grpc

network: ws
ws-opts:
  path: /path
  headers:
    Host: v2ray.com
  max-early-data: 2048
  early-data-header-name: Sec-WebSocket-Protocol

network: h2
tls: true
h2-opts:
  host:
    - http.example.com
    - http-alt.example.com
  path: /

Snell

name: snell
type: snell
server: server
port: 443
psk: yourpsk
udp: true # requires server version 3 or above
version: 3
# obfs-opts:
# mode: http # or tls
# host: bing.com

Snell UDP requires server version 3 or above.

Supported obfuscation modes (obfs-opts.mode):

http
tls

Trojan

name: trojan
type: trojan
server: server
port: 443
password: yourpassword
# udp: true
# sni: example.com # Server Name Indication, use server value if empty
# alpn:
#   - h2
#   - http/1.1
# skip-cert-verify: true

Supported carrying network protocols (network):

ws
grpc

Hysteria

Hysteria is a feature-rich network tool (bilateral acceleration) optimized for harsh network environments, such as satellite networks, crowded public Wi-Fi, and connections to foreign servers in China. Based on a modified version of the QUIC protocol.

For Hysteria server deployment, please refer to here (opens in a new tab).

name: 'hysteria'
type: hysteria
server: server
port: 443
up-speed: 100 # Upload bandwidth (unit: Mbps)
down-speed: 100 # Download bandwidth (unit: Mbps)
auth-str: your-password
# auth: aHR0cHM6Ly9oeXN0ZXJpYS5uZXR3b3JrL2RvY3MvYWR2YW5jZWQtdXNhZ2Uv # bytes encoded in base64
protocol: '' # udp / wechat-video
obfs: '' # obfs password
sni: example.com # Server Name Indication, use server value if empty
alpn:
  - hysteria
skip-cert-verify: true

Upload and download bandwidth are in Mbps, please fill in correctly, exceeding the actual bandwidth will have adverse effects.

External link: base64 online encoding tool (opens in a new tab).

VLESS

XTLS protocol eliminates redundant encryption in a TLS environment, providing better forwarding performance.

name: vless
type: vless
server: server
port: 443
uuid: d0529668-8835-11ec-a8a3-0242ac120002
# flow: xtls-rprx-direct
# skip-cert-verify: true
# network: h2
# tls: true
# ws-opts:
#   path: /path
#   headers:
#     Host: v2ray.com
# grpc-opts:
#   grpc-service-name: "example"
# h2-opts:
#   host:
#     - http.example.com
#     - http-alt.example.com
#   path: /

Supported XTLS modes (flow):

xtls-rprx-origin
xtls-rprx-direct
xtls-rprx-splice

TUIC

TUIC is a lightweight proxy protocol based on QUIC and written in rust language. You can find more information here (opens in a new tab).

name: tuic
type: tuic
server: server
port: 443
token: 'your_token'
skip-cert-verify: true
sni: ''
alpn:
  - h3

💡

Note that Stash client does not support empty ALPN, and the default ALPN is h3. Please add the --alpn h3 parameter to the server.

Please choose a suitable congestion control algorithm --congestion-controller parameter in order to fully utilize the bandwidth on the server.

WireGuard

WireGuard (opens in a new tab) is an efficient Layer 3 VPN, and Stash supports using it as a Layer 4 proxy and forwarding WireGuard packets through other protocols.

name: wireguard
type: wireguard
server: server # domain is supported
port: 51820
ip: 10.8.4.8
# ipv6: fe80::e6bf:faff:fea0:9fae # optional
private-key: 0G6TTWwvgv8Gy5013/jv2GttkCLYYaNTArHV0NdNkGI= # client private key
public-key: 0ag+C+rINHBnvLJLUyJeYkMWvIAkBjQPPObicuBUn1U= # peer public key
# preshared-key: # optional
dns: [1.0.0.1, 223.6.6.6] # optional
# mtu: 1420 # optional
# reserved: [0, 0, 0] # optional
# keepalive: 45 # optional
# underlying-proxy: # optional
#   type: trojan
#   server: your-underlying-proxy
#   port: 443
#   password: your-password

💡

WireGuard is not a proxy protocol designed for high throughput, and Stash needs to complete the conversion between Layer 3 and Layer 4 in user space, which may result in a larger performace loss than commonly used proxy protocols. On mobile devices, the throughput of WireGuard is generally lower than that of Layer 4 proxy protocols.

⚠️

If you use underlying-proxy, it must support UDP relay, and it is recommended to use UDP over TCP protocols (such as Trojan, VLESS, VMess, Snell).

DIRECT with Specified Interface

By creating a proxy of type direct and specifying interface-name, you can force some traffic to pass through a specified network card, which is commonly used to solve the problem that VPN and Stash cannot be used at the same time.

For example, if the OpenVPN on your local machine uses utun3 and you want 10.4.8.0/24 to go through utun3 instead of macOS's default network card.

name: my-corp-vpn
type: direct
interface-name: utun3

rules:
  - IP-CIDR,10.4.8.0/24,my-corp-vpn

💡

Please change utun3 according to the actual situation.

You can use netstat -rn | grep utun3 to query the static routing table of utun3.

Rule Set Proxy Groups