Proxy Protocols
Proxy Types

Protocol Types

Stash supports multiple types of proxy protocols, which can proxy TCP/UDP protocols.

Each proxy must have the following parameters:

  • name: Proxy name, each proxy has a unique name.
  • type: Proxy type.
  • server: Server address, can be a domain name or IP address.
  • port: Port.

Proxies may support the following parameters:

  • tls: Boolean value, whether to forward based on TLS.
  • skip-cert-verify: Boolean value, whether to skip certificate verification during TLS handshake.
  • server-cert-fingerprint: String, the SHA256 fingerprint of the server certificate to verify during TLS handshake, encoded in Hex.
  • sni: String, the Server Name Indication (opens in a new tab) sent during TLS handshake. If sni is empty, it defaults to the server field.
  • alpn: String array, the Application-Layer Protocol Negotiation (ALPN) (opens in a new tab) sent during TLS handshake.
  • interface-name: Bind the network interface, only supported on macOS.

In addition, for latency testing of individual proxies, the following parameters can be modified:

  • benchmark-url: The URL used for latency testing, default is http://www.apple.com/.
  • benchmark-timeout: Timeout for latency testing, in seconds, default is 5 seconds.

You can visit here for more information on testing proxy latency.

Different types of proxies also need to specify some parameters, which can be referred to in the following sections.

Shadowsocks

name: ss1
type: ss
server: server
port: 443
cipher: chacha20-ietf-poly1305
password: 'password'
udp: true
plugin: null
plugin-opts:
  mode:
  host:

Supported encryption methods (cipher):

  • aes-128-gcm
  • aes-192-gcm
  • aes-256-gcm
  • aes-128-cfb
  • aes-192-cfb
  • aes-256-cfb
  • aes-128-ctr
  • aes-192-ctr
  • aes-256-ctr
  • rc4-md5
  • chacha20
  • chacha20-ietf
  • xchacha20
  • chacha20-ietf-poly1305
  • xchacha20-ietf-poly1305

Supported plugins (plugin):

plugin: obfs
plugin-opts:
  mode: tls # Obfuscation mode, can choose http or tls
  host: bing.com # Obfuscation domain, needs to be consistent with the server configuration
plugin: v2ray-plugin
plugin-opts:
  mode: websocket # Currently does not support QUIC protocol
  tls: true # wss
  skip-cert-verify: true # Do not verify the certificate
  host: bing.com
  path: '/'
  headers: # Custom request headers
    key: value

ShadowsocksR

name: ssr
type: ssr
server: server
port: 443
cipher: chacha20-ietf
password: 'password'
obfs: ''
protocol: ''
obfs-param: ''
protocol-param: ''

Supported encryption methods (cipher) are the same as Shadowsocks.

Supported obfuscation methods (obfs):

  • plain
  • http_simple
  • http_post
  • random_head
  • tls1.2_ticket_auth
  • tls1.2_ticket_fastauth

Supported protocols (protocol):

  • origin
  • auth_sha1_v4
  • auth_aes128_md5
  • auth_aes128_sha1
  • auth_chain_a auth_chain_b

SOCKS5

name: socks
type: socks5
server: server
port: 443
# username: username
# password: password
# tls: true
# skip-cert-verify: true
# udp: true

HTTP

name: http
type: http
server: server
port: 443
headers:
  key: value
tls: true # https
skip-cert-verify: true
# username: username
# password: password

VMess

name: vmess
type: vmess
server: server
port: 443
uuid: d0529668-8835-11ec-a8a3-0242ac120002
cipher: auto
network:

Supported encryption methods (cipher):

  • auto
  • aes-128-gcm
  • chacha20-poly1305
  • none

Supported network types (network):

  • ws
  • h2
  • http
  • grpc
network: ws
ws-opts:
  path: /path
  headers:
    Host: v2ray.com
  max-early-data: 2048
  early-data-header-name: Sec-WebSocket-Protocol
network: h2
tls: true
h2-opts:
  host:
    - http.example.com
    - http-alt.example.com
  path: /

Snell

name: snell
type: snell
server: server
port: 443
psk: yourpsk
udp: true # Requires server version 3 or above
version: 3
# obfs-opts:
# mode: http # or tls
# host: bing.com

Snell UDP requires server version 3 or above.

Supported obfuscation modes (obfs-opts.mode):

  • http
  • tls

Trojan

name: trojan
type: trojan
server: server
port: 443
password: yourpassword
# udp: true
# sni: example.com # Server Name Indication, if empty, will use the value in the server field
# alpn:
#   - h2
#   - http/1.1
# skip-cert-verify: true

Supported network types (network):

  • ws
  • grpc

Hysteria

Hysteria is a feature-rich network tool (bilateral acceleration) optimized for harsh network environments, such as satellite networks, congested public Wi-Fi, and connecting foreign servers in China. Based on the modified QUIC protocol.

Please refer to here (opens in a new tab) for Hysteria server deployment.

name: 'hysteria'
type: hysteria
server: server
port: 443
up-speed: 100 # Upload bandwidth (unit: Mbps)
down-speed: 100 # Download bandwidth (unit: Mbps)
auth-str: your-password
# auth: aHR0cHM6Ly9oeXN0ZXJpYS5uZXR3b3JrL2RvY3MvYWR2YW5jZWQtdXNhZ2Uv # bytes encoded in base64
protocol: '' # udp / wechat-video
obfs: '' # obfs password
sni: example.com # Server Name Indication, if empty, will use the value in the server field
alpn:
  - hysteria
skip-cert-verify: true

Upload and download bandwidth are in Mbps, please fill in correctly, exceeding the actual bandwidth will have a negative effect.

External link: base64 online encoding tool (opens in a new tab).

Hysteria2

⚠️

Please note that Hysteria 2 is completely incompatible with Hysteria 1.x. Please refer to the official documentation (opens in a new tab) for the differences between the two.

Please refer to here (opens in a new tab) for Hysteria2 server deployment.

name: 'hysteria2'
type: hysteria2
server: server
port: 443
auth: your-password
fast-open: true
sni: example.com # Server Name Indication, if empty, will use the value in the server field
skip-cert-verify: true
up-speed: 100 # Upload bandwidth (optional, unit: Mbps)
down-speed: 100 # Download bandwidth (optional, unit: Mbps)

VLESS

The XTLS protocol eliminates redundant encryption in a TLS environment and provides better forwarding performance.

name: vless
type: vless
server: server
port: 443
uuid: d0529668-8835-11ec-a8a3-0242ac120002
# flow: xtls-rprx-direct
# skip-cert-verify: true
# network: h2
# tls: true
# ws-opts:
#   path: /path
#   headers:
#     Host: v2ray.com
# grpc-opts:
#   grpc-service-name: "example"
# h2-opts:
#   host:
#     - http.example.com
#     - http-alt.example.com
#   path: /

Supported XTLS modes (flow):

  • xtls-rprx-origin
  • xtls-rprx-direct
  • xtls-rprx-splice

TUIC

TUIC is a lightweight QUIC-based proxy protocol written in Rust. It currently supports v4 and v5 versions. You can find more information here (opens in a new tab).

name: tuic-v5
type: tuic
server: server
port: 443
version: 5
uuid: d0529668-8835-11ec-a8a3-0242ac120002 # for v5
password: your_password # for v5
skip-cert-verify: true
sni: ''
alpn:
  - h3
name: tuic-v4
type: tuic
server: server
port: 443
version: 4
token: 'your_token' # for v4
skip-cert-verify: true
sni: ''
alpn:
  - h3
💡

Please note that the Stash client does not support an empty ALPN, and the default ALPN is h3. Please add the --alpn h3 parameter to the TUIC server.

Please select the appropriate congestion control algorithm --congestion-controller parameter on the server to make full use of the bandwidth.

Juicity

Juicity (opens in a new tab) is a QUIC-based proxy protocol inspired by TUIC.

name: juicity
type: juicity
server: server
port: 443
uuid: d0529668-8835-11ec-a8a3-0242ac120002
password: your_password
skip-cert-verify: true
sni: ''
alpn:
  - h3

WireGuard

WireGuard (opens in a new tab) is an efficient Layer 3 VPN. Stash supports using it as a Layer 4 proxy and supports forwarding WireGuard packets through other protocols.

name: wireguard
type: wireguard
server: server # domain is supported
port: 51820
ip: 10.8.4.8
# ipv6: fe80::e6bf:faff:fea0:9fae # optional
private-key: 0G6TTWwvgv8Gy5013/jv2GttkCLYYaNTArHV0NdNkGI= # client private key
public-key: 0ag+C+rINHBnvLJLUyJeYkMWvIAkBjQPPObicuBUn1U= # peer public key
# preshared-key: # optional
dns: [1.0.0.1, 223.6.6.6] # optional
# mtu: 1420 # optional
# reserved: [0, 0, 0] # optional
# keepalive: 45 # optional
# underlying-proxy: # optional
#   type: trojan
#   server: your-underlying-proxy
#   port: 443
#   password: your-password
💡

WireGuard is not designed for high throughput proxy protocols. Stash needs to perform Layer 3 to Layer 4 conversion in user space, which incurs performance overhead compared to common proxy protocols. On mobile devices, WireGuard generally has lower throughput than Layer 4 proxy protocols.

⚠️

If using underlying-proxy, it must support UDP relay. It is recommended to use protocols that support UDP over TCP (such as Trojan, VLESS, VMess, Snell).

SSH

Forward TCP traffic through Secure Shell Protocol (SSH) (opens in a new tab), supports password and key authentication.

💡

Since SSH itself does not support forwarding UDP protocols, Stash cannot forward UDP traffic through the SSH protocol.

name: ssh
type: ssh
server: server # domain is supported
port: 22
user: root
password: password
private-key: |
  -----BEGIN RSA PRIVATE KEY-----
  MIIEpAIBAAKCAQEA0G6TTWwvgv8Gy5013/jv2GttkCLYYaNTArHV0NdNkGI=
  ...
  -----END RSA PRIVATE KEY-----
private-key-passphrase: your-passphrase # optional

DIRECT with Specified Interface

By creating a proxy with type direct and specifying interface-name, you can force certain traffic to go through a specific network interface. This is commonly used to solve the issue of VPN and Stash not being able to be used simultaneously.

For example, if the OpenVPN on the local machine is using utun3 and you want 10.4.8.0/24 to go through utun3 instead of the default network interface on macOS.

name: my-corp-vpn
type: direct
interface-name: utun3
rules:
  - IP-CIDR,10.4.8.0/24,my-corp-vpn
💡

Please change utun3 according to the actual situation.

You can use netstat -rn | grep utun3 to query the static routing table of utun3.