Protocol Types
Stash supports multiple types of proxy protocols and can proxy TCP/UDP protocols.
Each proxy must have the following parameters:
name
: Proxy name; each proxy must have a unique name.
type
: Proxy type.
server
: Server address, either a domain name or an IP address.
port
: Port.
The proxy may support the following parameters:
tls
: Boolean value indicating whether to forward over TLS.
skip-cert-verify
: Boolean value indicating whether to skip certificate verification during the TLS handshake.
sni
: String specifying the Server Name Indication sent during the TLS handshake. If sni is empty, it defaults to the server field.
alpn
: Array of strings specifying the Application-Layer Protocol Negotiation (ALPN) values sent during the TLS handshake.
interface-name
: Network interface bound as the egress. Only supported on macOS.
In addition, for individual proxy latency testing, the following parameters can be modified:
benchmark-url
: URL used for latency testing; defaults to http://www.apple.com/.
benchmark-timeout
: Latency test timeout in seconds; defaults to 5 seconds.
See the latency testing page for more information about testing proxy latency.
Different types of proxies also require type-specific parameters, which are described below.
Shadowsocks
```yaml
name: ss1
type: ss
server: server
port: 443
cipher: chacha20-ietf-poly1305
password: 'password'
udp: true
plugin: null
plugin-opts:
  mode:
  host:
```
Supported encryption methods (cipher):
aes-128-gcm
aes-192-gcm
aes-256-gcm
aes-128-cfb
aes-192-cfb
aes-256-cfb
aes-128-ctr
aes-192-ctr
aes-256-ctr
rc4-md5
chacha20
chacha20-ietf
xchacha20
chacha20-ietf-poly1305
xchacha20-ietf-poly1305
Supported plugins (plugin):
```yaml
plugin: obfs
plugin-opts:
  mode: tls # obfuscation mode: http or tls
  host: bing.com # obfuscation domain name; must match the server configuration
```
```yaml
plugin: v2ray-plugin
plugin-opts:
  mode: websocket # QUIC is not supported yet
  tls: true # wss
  skip-cert-verify: true # do not verify the certificate
  host: bing.com
  path: '/'
  headers: # custom request headers
    key: value
```
ShadowsocksR
```yaml
name: ssr
type: ssr
server: server
port: 443
cipher: chacha20-ietf
password: 'password'
obfs: ''
protocol: ''
obfs-param: ''
protocol-param: ''
```
Supports the same encryption methods (cipher) as Shadowsocks.
Supported obfuscation methods (obfs):
plain
http_simple
http_post
random_head
tls1.2_ticket_auth
tls1.2_ticket_fastauth
Supported protocols:
origin
auth_sha1_v4
auth_aes128_md5
auth_aes128_sha1
auth_chain_a
auth_chain_b
SOCKS5
```yaml
name: socks
type: socks5
server: server
port: 443
# username: username
# password: password
# tls: true
# skip-cert-verify: true
# udp: true
```
HTTP
```yaml
name: http
type: http
server: server
port: 443
headers:
  key: value
tls: true # https
skip-cert-verify: true
# username: username
# password: password
```
VMess
```yaml
name: vmess
type: vmess
server: server
port: 443
uuid: d0529668-8835-11ec-a8a3-0242ac120002
cipher: auto
network:
```
Supported encryption methods (cipher):
auto
aes-128-gcm
chacha20-poly1305
none
Supported carrying network protocols (network):
ws
h2
http
grpc
```yaml
network: ws
ws-opts:
  path: /path
  headers:
    Host: v2ray.com
  max-early-data: 2048
  early-data-header-name: Sec-WebSocket-Protocol
```
```yaml
network: h2
tls: true
h2-opts:
  host:
    - http.example.com
    - http-alt.example.com
  path: /
```
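As an added example (not Stash's own code), the following lint checks proxy entries against what this page documents: the required name/type/server/port parameters, skip-cert-verify, the non-AEAD Shadowsocks ciphers, and the VMess cipher `none`. It takes the dicts a YAML loader would return for the entries above; the sample entries are constructed.

```python
# Added example, not Stash's own code: lint proxy entries for the parameters
# this page documents. Input is a list of dicts shaped like the YAML entries.
REQUIRED = ("name", "type", "server", "port")
# Shadowsocks/SSR ciphers listed on the page that are stream ciphers or RC4:
# unlike the AEAD (gcm/poly1305) ones they give no integrity protection.
NON_AEAD_SS_CIPHERS = {
    "aes-128-cfb", "aes-192-cfb", "aes-256-cfb",
    "aes-128-ctr", "aes-192-ctr", "aes-256-ctr",
    "rc4-md5", "chacha20", "chacha20-ietf", "xchacha20",
}

def lint_proxy(proxy):
    """Return the findings for one proxy entry (an empty list means clean)."""
    findings = []
    for key in REQUIRED:
        if not proxy.get(key):
            findings.append(f"missing required parameter '{key}'")
    port = proxy.get("port")
    if port is not None and not (isinstance(port, int) and 1 <= port <= 65535):
        findings.append(f"port {port!r} is not a valid TCP/UDP port")
    if proxy.get("skip-cert-verify"):
        findings.append("skip-cert-verify disables TLS certificate validation")
    ptype, cipher = proxy.get("type"), proxy.get("cipher")
    if ptype in ("ss", "ssr") and cipher in NON_AEAD_SS_CIPHERS:
        findings.append(f"cipher {cipher} is not AEAD")
    if ptype == "vmess" and cipher == "none":
        findings.append("vmess cipher 'none' leaves the payload unencrypted")
    return findings

def lint_proxies(proxies):
    """Lint every entry and flag duplicate names, which the page forbids."""
    report, seen = {}, set()
    for proxy in proxies:
        name = proxy.get("name", "<unnamed>")
        findings = lint_proxy(proxy)
        if name in seen:
            findings.append(f"duplicate proxy name '{name}'")
        seen.add(name)
        report[name] = findings
    return report

# Constructed sample entries mirroring the page's own examples.
SAMPLE_PROXIES = [
    {"name": "ss1", "type": "ss", "server": "server", "port": 443,
     "cipher": "chacha20-ietf-poly1305", "password": "password", "udp": True},
    {"name": "ssr", "type": "ssr", "server": "server", "port": 443,
     "cipher": "chacha20-ietf", "password": "password"},
    {"name": "http", "type": "http", "server": "server", "port": 443,
     "tls": True, "skip-cert-verify": True, "headers": {"key": "value"}},
]
```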
Snell
```yaml
name: snell
type: snell
server: server
port: 443
psk: yourpsk
udp: true # requires server version 3 or above
version: 3
# obfs-opts:
#   mode: http # or tls
#   host: bing.com
```
Snell UDP requires server version 3 or above.
Supported obfuscation modes (obfs-opts.mode):
- http
- tls
Trojan
```yaml
name: trojan
type: trojan
server: server
port: 443
password: yourpassword
# udp: true
# sni: example.com # Server Name Indication; uses the server value if empty
# alpn:
#   - h2
#   - http/1.1
# skip-cert-verify: true
```
Supported carrying network protocols (network):
ws
grpc
Hysteria
Hysteria is a feature-rich network tool (bilateral acceleration) optimized for harsh network environments, such as satellite networks, crowded public Wi-Fi, and connections to foreign servers from China. It is based on a modified version of the QUIC protocol.
For Hysteria server deployment, refer to the Hysteria documentation.
```yaml
name: 'hysteria'
type: hysteria
server: server
port: 443
up-speed: 100 # upload bandwidth (unit: Mbps)
down-speed: 100 # download bandwidth (unit: Mbps)
auth-str: your-password
# auth: aHR0cHM6Ly9oeXN0ZXJpYS5uZXR3b3JrL2RvY3MvYWR2YW5jZWQtdXNhZ2Uv # bytes encoded in base64
protocol: '' # udp / wechat-video
obfs: '' # obfs password
sni: example.com # Server Name Indication; uses the server value if empty
alpn:
  - hysteria
skip-cert-verify: true
```
Upload and download bandwidth are given in Mbps. Fill them in accurately: values that exceed the actual bandwidth degrade performance.
VLESS
XTLS protocol eliminates redundant encryption in a TLS environment, providing better forwarding performance.
```yaml
name: vless
type: vless
server: server
port: 443
uuid: d0529668-8835-11ec-a8a3-0242ac120002
# flow: xtls-rprx-direct
# skip-cert-verify: true
# network: h2
# tls: true
# ws-opts:
#   path: /path
#   headers:
#     Host: v2ray.com
# grpc-opts:
#   grpc-service-name: "example"
# h2-opts:
#   host:
#     - http.example.com
#     - http-alt.example.com
#   path: /
```
Supported XTLS modes (flow):
xtls-rprx-origin
xtls-rprx-direct
xtls-rprx-splice
TUIC
TUIC is a lightweight proxy protocol based on QUIC and written in Rust. See the TUIC project for more information.
```yaml
name: tuic
type: tuic
server: server
port: 443
token: 'your_token'
skip-cert-verify: true
sni: ''
alpn:
  - h3
```
Note that the Stash client does not support an empty ALPN; the default ALPN is h3. Add the --alpn h3 parameter on the server.
Choose a suitable congestion control algorithm with the server's --congestion-controller parameter in order to fully utilize the bandwidth.
WireGuard
WireGuard is an efficient Layer 3 VPN. Stash supports using it as a Layer 4 proxy and forwarding WireGuard packets through other protocols.
```yaml
name: wireguard
type: wireguard
server: server # a domain name is supported
port: 51820
ip: 10.8.4.8
# ipv6: fe80::e6bf:faff:fea0:9fae # optional
private-key: 0G6TTWwvgv8Gy5013/jv2GttkCLYYaNTArHV0NdNkGI= # client private key
public-key: 0ag+C+rINHBnvLJLUyJeYkMWvIAkBjQPPObicuBUn1U= # peer public key
# preshared-key: # optional
dns: [1.0.0.1, 223.6.6.6] # optional
# mtu: 1420 # optional
# reserved: [0, 0, 0] # optional
# keepalive: 45 # optional
# underlying-proxy: # optional
#   type: trojan
#   server: your-underlying-proxy
#   port: 443
#   password: your-password
```
WireGuard is not a proxy protocol designed for high throughput, and Stash must perform the conversion between Layer 3 and Layer 4 in user space, which can cause a larger performance loss than commonly used proxy protocols. On mobile devices, WireGuard throughput is generally lower than that of Layer 4 proxy protocols.
If you use underlying-proxy, it must support UDP relay; UDP-over-TCP protocols (such as Trojan, VLESS, VMess, Snell) are recommended.
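As an added example (not Stash's own code), a check for the WireGuard-specific fields above: it verifies that the key fields decode to the 32 bytes WireGuard expects, that the client private key is clamped the way `wg genkey` produces it, that `ip` is a valid IPv4 address, and that any `underlying-proxy` uses one of the UDP-capable types recommended on this page. The sample entry is constructed from the page's own example values.

```python
# Added example, not Stash's own code: validate the WireGuard-specific fields of
# a proxy entry shaped like the YAML above (keys, tunnel ip, underlying-proxy type).
import base64
import binascii
import ipaddress
# Types the page recommends for underlying-proxy (it must support UDP relay).
UDP_CAPABLE_UNDERLYING = {"trojan", "vless", "vmess", "snell"}

def decode_wg_key(value):
    """Return the 32 raw bytes of a base64 WireGuard key, or None if malformed."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError, TypeError):
        return None
    return raw if len(raw) == 32 else None

def is_clamped_private_key(raw):
    """Curve25519 clamping as wg genkey applies it: low 3 bits clear, top bit clear, bit 254 set."""
    return raw[0] & 7 == 0 and raw[31] & 0x80 == 0 and raw[31] & 0x40 != 0

def check_wireguard(proxy):
    findings = []
    for field in ("private-key", "public-key", "preshared-key"):
        if proxy.get(field) is None:
            if field != "preshared-key":  # preshared-key is optional on the page
                findings.append(f"{field} is required")
            continue
        raw = decode_wg_key(proxy[field])
        if raw is None:
            findings.append(f"{field} is not a base64-encoded 32-byte key")
        elif field == "private-key" and not is_clamped_private_key(raw):
            findings.append("private-key is not a clamped Curve25519 scalar")
    try:
        ipaddress.IPv4Address(proxy.get("ip") or "")
    except ValueError:
        findings.append("ip must be a valid IPv4 address for the tunnel")
    under = proxy.get("underlying-proxy")
    if under is not None and under.get("type") not in UDP_CAPABLE_UNDERLYING:
        findings.append(f"underlying-proxy type {under.get('type')!r} is not a UDP-capable type recommended on this page")
    return findings

# Constructed sample reusing the page's example keys and addresses.
SAMPLE_WG = {
    "name": "wireguard", "type": "wireguard", "server": "server", "port": 51820,
    "ip": "10.8.4.8",
    "private-key": "0G6TTWwvgv8Gy5013/jv2GttkCLYYaNTArHV0NdNkGI=",
    "public-key": "0ag+C+rINHBnvLJLUyJeYkMWvIAkBjQPPObicuBUn1U=",
    "underlying-proxy": {"type": "trojan", "server": "your-underlying-proxy", "port": 443},
}
```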
DIRECT with Specified Interface
By creating a proxy of type direct and specifying interface-name, you can force some traffic through a specified network interface. This is commonly used to solve the problem that a VPN and Stash cannot be used at the same time.
For example, if the OpenVPN client on your local machine uses utun3 and you want 10.4.8.0/24 to go through utun3 instead of the macOS default interface:
```yaml
name: my-corp-vpn
type: direct
interface-name: utun3
```
with the matching rule:
```yaml
rules:
  - IP-CIDR,10.4.8.0/24,my-corp-vpn
```
Change utun3 according to your actual setup. You can run netstat -rn | grep utun3 to query the routing table entries for utun3.