Proxy Protocols
Proxy Types

Protocol Types

Stash supports multiple types of proxy protocols, which can proxy TCP/UDP protocols.

Each proxy must have the following parameters:

  • name: The name of the proxy, which must be unique for each proxy.
  • type: The type of the proxy.
  • server: The server address, which can be a domain name or an IP address.
  • port: The port.

Proxies may support the following parameters:

  • tls: A boolean value indicating whether to use TLS for forwarding.
  • skip-cert-verify: A boolean value indicating whether to skip certificate verification during TLS handshake.
  • sni: A string representing the Server Name Indication sent during the TLS handshake. If sni is empty, the default value is the server field.
  • alpn: An array of strings representing the Application-Layer Protocol Negotiation (ALPN) values sent during the TLS handshake.
  • interface-name: The network interface to bind to. Only supported on macOS.

In addition, for latency testing of individual proxies, the following parameters can be modified:

  • benchmark-url: The URL used for latency testing. The default value is http://www.apple.com/.
  • benchmark-timeout: The timeout for latency testing, in seconds. The default value is 5 seconds.

You can visit here for more information on testing proxy latency.

Different types of proxies also require specifying additional parameters, which can be referred to in the following sections.
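As an added example (not code from the Stash project), a small Python linter that enforces the required and common parameters above together with the per-type required fields and the Shadowsocks cipher list from the sections that follow; it assumes the proxy list has already been parsed from YAML into dicts, and the sample entries are constructed.

```python
# Added example, not from the Stash documentation: a small linter for the proxy
# entries this page describes; it assumes the YAML is already loaded into a list of dicts.
REQUIRED = ("name", "type", "server", "port")
TYPE_REQUIRED = {  # type-specific required fields from the per-protocol sections
    "ss": ("cipher", "password"), "ssr": ("cipher", "password"),
    "vmess": ("uuid",), "vless": ("uuid",), "trojan": ("password",),
    "snell": ("psk",), "hysteria2": ("auth",),
    "wireguard": ("ip", "private-key", "public-key"),
}
SS_CIPHERS = {  # the cipher list from the Shadowsocks section
    "aes-128-gcm", "aes-192-gcm", "aes-256-gcm", "aes-128-cfb", "aes-192-cfb",
    "aes-256-cfb", "aes-128-ctr", "aes-192-ctr", "aes-256-ctr", "rc4-md5",
    "chacha20", "chacha20-ietf", "xchacha20", "chacha20-ietf-poly1305",
    "xchacha20-ietf-poly1305",
}
SS_AEAD = {c for c in SS_CIPHERS if c.endswith(("gcm", "poly1305"))}


def lint_proxies(proxies):
    """Return (proxy name, message) findings for a list of proxy dicts."""
    findings, seen = [], set()
    for p in proxies:
        name, ptype = str(p.get("name", "<unnamed>")), p.get("type")
        for key in REQUIRED:
            if key not in p:
                findings.append((name, f"missing required field '{key}'"))
        if name in seen:  # names must be unique across all proxies
            findings.append((name, "duplicate proxy name"))
        seen.add(name)
        port = p.get("port")
        if not isinstance(port, int) or not 1 <= port <= 65535:
            findings.append((name, f"port {port!r} is not a valid TCP/UDP port"))
        for key in TYPE_REQUIRED.get(ptype, ()):
            if key not in p:
                findings.append((name, f"type {ptype} requires '{key}'"))
        cipher = p.get("cipher")
        if ptype in ("ss", "ssr") and cipher not in SS_CIPHERS:
            findings.append((name, f"unsupported cipher {cipher!r}"))
        elif ptype == "ss" and cipher not in SS_AEAD:
            findings.append((name, f"{cipher} is a non-AEAD cipher; prefer an AEAD one"))
        if p.get("skip-cert-verify") is True:  # certificate checks disabled: MITM risk
            findings.append((name, "skip-cert-verify: true disables TLS certificate checks"))
    return findings


SAMPLE = [  # constructed sample: one clean entry, one with several problems
    {"name": "ss1", "type": "ss", "server": "example.net", "port": 443,
     "cipher": "chacha20-ietf-poly1305", "password": "p"},
    {"name": "ss1", "type": "trojan", "server": "example.net", "port": 70000,
     "skip-cert-verify": True},
]
```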

Shadowsocks

name: ss1
type: ss
server: server
port: 443
cipher: chacha20-ietf-poly1305
password: 'password'
udp: true
plugin: null
plugin-opts:
  mode:
  host:

The following encryption methods (cipher) are supported:

  • aes-128-gcm
  • aes-192-gcm
  • aes-256-gcm
  • aes-128-cfb
  • aes-192-cfb
  • aes-256-cfb
  • aes-128-ctr
  • aes-192-ctr
  • aes-256-ctr
  • rc4-md5
  • chacha20
  • chacha20-ietf
  • xchacha20
  • chacha20-ietf-poly1305
  • xchacha20-ietf-poly1305

The following plugins (plugin) are supported:

plugin: obfs
plugin-opts:
  mode: tls # Obfuscation mode, can be either http or tls
  host: bing.com # Obfuscation domain, should match the server configuration

plugin: v2ray-plugin
plugin-opts:
  mode: websocket # Currently does not support QUIC protocol
  tls: true # wss
  skip-cert-verify: true # Do not verify the certificate
  host: bing.com
  path: '/'
  headers: # Custom request headers
    key: value

ShadowsocksR

name: ssr
type: ssr
server: server
port: 443
cipher: chacha20-ietf
password: 'password'
obfs: ''
protocol: ''
obfs-param: ''
protocol-param: ''

The supported encryption methods (cipher) are the same as Shadowsocks.

The supported obfuscation methods (obfs) are:

  • plain
  • http_simple
  • http_post
  • random_head
  • tls1.2_ticket_auth
  • tls1.2_ticket_fastauth

The supported protocols (protocol) are:

  • origin
  • auth_sha1_v4
  • auth_aes128_md5
  • auth_aes128_sha1
  • auth_chain_a
  • auth_chain_b

SOCKS5

name: socks
type: socks5
server: server
port: 443
# username: username
# password: password
# tls: true
# skip-cert-verify: true
# udp: true

HTTP

name: http
type: http
server: server
port: 443
headers:
  key: value
tls: true # https
skip-cert-verify: true
# username: username
# password: password

VMess

name: vmess
type: vmess
server: server
port: 443
uuid: d0529668-8835-11ec-a8a3-0242ac120002
cipher: auto
network:

The supported encryption methods (cipher) are:

  • auto
  • aes-128-gcm
  • chacha20-poly1305
  • none

The supported network types (network) are:

  • ws
  • h2
  • http
  • grpc

network: ws
ws-opts:
  path: /path
  headers:
    Host: v2ray.com
  max-early-data: 2048
  early-data-header-name: Sec-WebSocket-Protocol

network: h2
tls: true
h2-opts:
  host:
    - http.example.com
    - http-alt.example.com
  path: /

Snell

name: snell
type: snell
server: server
port: 443
psk: yourpsk
udp: true # Requires server version 3 or above
version: 3
# obfs-opts:
#   mode: http # or tls
#   host: bing.com

Snell UDP requires server version 3 or above.

The supported obfuscation modes (obfs-opts.mode) are:

  • http
  • tls

Trojan

name: trojan
type: trojan
server: server
port: 443
password: yourpassword
# udp: true
# sni: example.com # Server Name Indication, if empty, will use the value in the server field
# alpn:
#   - h2
#   - http/1.1
# skip-cert-verify: true

The supported network types (network) are:

  • ws
  • grpc

Hysteria

Hysteria is a feature-rich network tool (bilateral acceleration) optimized for adverse network environments such as satellite networks, congested public Wi-Fi, and connections from China to foreign servers. It is based on a modified version of the QUIC protocol.

Please refer to here for Hysteria server deployment.

name: 'hysteria'
type: hysteria
server: server
port: 443
up-speed: 100 # Upload bandwidth (unit: Mbps)
down-speed: 100 # Download bandwidth (unit: Mbps)
auth-str: your-password
# auth: aHR0cHM6Ly9oeXN0ZXJpYS5uZXR3b3JrL2RvY3MvYWR2YW5jZWQtdXNhZ2Uv # bytes encoded in base64
protocol: '' # udp / wechat-video
obfs: '' # obfs password
sni: example.com # Server Name Indication, if empty, will use the value in the server field
alpn:
  - hysteria
skip-cert-verify: true

The upload and download bandwidths are given in Mbps. Fill in values that match your actual link, since inaccurate values hurt the connection's performance.

External link: base64 online encoding tool.

Hysteria2

⚠️

Please note that Hysteria 2 is completely incompatible with Hysteria 1.x. Please refer to the official documentation for the differences between the two.

Please refer to here for Hysteria2 server deployment.

name: 'hysteria2'
type: hysteria2
server: server
port: 443
auth: your-password
fast-open: true
sni: example.com # Server Name Indication, if empty, will use the value in the server field
skip-cert-verify: true
up-speed: 100 # Upload bandwidth (optional, unit: Mbps)
down-speed: 100 # Download bandwidth (optional, unit: Mbps)

VLESS

The XTLS protocol eliminates redundant encryption in a TLS environment and provides better forwarding performance.

name: vless
type: vless
server: server
port: 443
uuid: d0529668-8835-11ec-a8a3-0242ac120002
# flow: xtls-rprx-direct
# skip-cert-verify: true
# network: h2
# tls: true
# ws-opts:
#   path: /path
#   headers:
#     Host: v2ray.com
# grpc-opts:
#   grpc-service-name: "example"
# h2-opts:
#   host:
#     - http.example.com
#     - http-alt.example.com
#   path: /

The supported XTLS modes (flow) are:

  • xtls-rprx-origin
  • xtls-rprx-direct
  • xtls-rprx-splice

TUIC

TUIC is a lightweight QUIC-based proxy protocol written in Rust. It currently supports the v4 and v5 versions. You can find more information here.

name: tuic-v5
type: tuic
server: server
port: 443
version: 5
uuid: d0529668-8835-11ec-a8a3-0242ac120002 # for v5
password: your_password # for v5
skip-cert-verify: true
sni: ''
alpn:
  - h3

name: tuic-v4
type: tuic
server: server
port: 443
version: 4
token: 'your_token' # for v4
skip-cert-verify: true
sni: ''
alpn:
  - h3

💡

Please note that the Stash client does not support an empty ALPN, and the default ALPN is h3. Please add the --alpn h3 parameter to the TUIC server.

Please select the appropriate congestion control algorithm --congestion-controller parameter on the server to fully utilize the bandwidth.

WireGuard

WireGuard is an efficient Layer 3 VPN. Stash supports using it as a Layer 4 proxy and supports forwarding WireGuard packets through other protocols.

name: wireguard
type: wireguard
server: server # domain is supported
port: 51820
ip: 10.8.4.8
# ipv6: fe80::e6bf:faff:fea0:9fae # optional
private-key: 0G6TTWwvgv8Gy5013/jv2GttkCLYYaNTArHV0NdNkGI= # client private key
public-key: 0ag+C+rINHBnvLJLUyJeYkMWvIAkBjQPPObicuBUn1U= # peer public key
# preshared-key: # optional
dns: [1.0.0.1, 223.6.6.6] # optional
# mtu: 1420 # optional
# reserved: [0, 0, 0] # optional
# keepalive: 45 # optional
# underlying-proxy: # optional
#   type: trojan
#   server: your-underlying-proxy
#   port: 443
#   password: your-password

💡

WireGuard is not designed for high throughput proxying. Stash needs to perform Layer 3 to Layer 4 conversion in user space, which incurs performance overhead compared to common proxy protocols. On mobile devices, WireGuard generally has lower throughput than Layer 4 proxy protocols.

⚠️

If using underlying-proxy, it must support UDP relay. It is recommended to use protocols that support UDP over TCP (such as Trojan, VLESS, VMess, Snell).

DIRECT with Specified Interface

By creating a proxy with type direct and specifying interface-name, you can force certain traffic to go through a specific network interface. This is commonly used when a VPN and Stash cannot otherwise be used at the same time.

For example, suppose the OpenVPN client on your macOS machine is using utun3 and you want all traffic to 10.4.8.0/24 to go through utun3 instead of the default network interface:

proxies:
  - name: my-corp-vpn
    type: direct
    interface-name: utun3

rules:
  - IP-CIDR,10.4.8.0/24,my-corp-vpn

💡

Please change utun3 according to your actual situation.

You can use netstat -rn | grep utun3 to check the static routing table for utun3.