
Configure

yuchting edited this page Nov 22, 2021 · 10 revisions

Introduction

Most configuration options are inherited from the original trojan project; you can find them documented on the original trojan website. If you only swap the binary for trojan plus, your existing config file remains compatible.

This document only lists the new, experimental config options.

NAT config

If you already run the original project with the nat run type, you don't need to change anything when you switch to trojan plus: the UDP port number is the same as the TCP port, and trojan plus can receive and reply to the UDP packets handed over by iptables directly.

Here are the new options:

{
    "run_type": "nat",
    ...
    "udp_socket_buf":1024000,
    "udp_forward_socket_buf":10240000,
    "udp_recv_buf":65536,
    ...
    "log_level": 0,
    "ssl": {
        "verify": false,
    ...
}
  • udp_forward_socket_buf: the kernel socket buffer of the main receiving UDP socket. It only takes effect on the client side in the forward and nat run types. The default value is 64K * 20. The main UDP socket is created only once when trojan plus starts, so we want it to receive as many packets as it can.

  • udp_socket_buf: the kernel socket buffer for every other UDP socket that gets created. The default is -1, which means SO_RCVBUF/SO_SNDBUF are not set and the kernel default applies (64K bytes on most OS kernels when a UDP socket is created). Some systems, such as macOS, do not allow a user application to set it above 5MB.

  • udp_recv_buf: the trojan plus application-level receive buffer used to read data from the kernel. The default size is 8192 bytes, which is enough in most cases, but if you have a special need to send a UDP datagram larger than 8192 bytes, trojan plus will drop that datagram, so you need to set it larger.

If you don't know what these options really are, please don't configure them and leave them at their defaults: large values will consume system RAM very quickly when a lot of UDP sessions arrive.
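To make the RAM warning above concrete, here is an added example (not code from the trojan plus project) that reads the three UDP options from a config and estimates the kernel buffer memory at peak. The number of concurrent UDP sessions and the largest datagram size are assumptions the caller supplies, and the estimate assumes that a non-default udp_socket_buf is applied to both SO_RCVBUF and SO_SNDBUF of each per-session socket; it ignores the fact that Linux internally doubles the value requested via setsockopt.

```python
"""Sanity check for the trojan plus UDP buffer options (udp_socket_buf,
udp_forward_socket_buf, udp_recv_buf).

Added example, not part of trojan plus. It inspects a parsed config dict only;
the memory figure is a rough upper bound, not a measurement.
"""
import json

KERNEL_DEFAULT_SOCKET_BUF = 64 * 1024        # applies when udp_socket_buf is -1 (64K on most kernels)
DEFAULT_FORWARD_SOCKET_BUF = 64 * 1024 * 20  # documented default of udp_forward_socket_buf
DEFAULT_RECV_BUF = 8192                      # documented default of udp_recv_buf
MACOS_SOCKET_BUF_LIMIT = 5 * 1024 * 1024     # macOS refuses socket buffers above 5MB
RAM_WARNING_THRESHOLD = 1 << 30              # assumption: warn above 1 GiB of kernel buffers


def udp_buffer_report(cfg, expected_sessions, max_datagram):
    """Return (estimated_bytes, warnings) for the UDP settings in cfg.

    expected_sessions: peak number of concurrent UDP sessions (caller's assumption).
    max_datagram: largest UDP payload your applications send (caller's assumption).
    """
    socket_buf = cfg.get("udp_socket_buf", -1)
    forward_buf = cfg.get("udp_forward_socket_buf", DEFAULT_FORWARD_SOCKET_BUF)
    recv_buf = cfg.get("udp_recv_buf", DEFAULT_RECV_BUF)
    warnings = []

    # -1 leaves SO_RCVBUF/SO_SNDBUF untouched, so the kernel default applies.
    per_socket = KERNEL_DEFAULT_SOCKET_BUF if socket_buf == -1 else socket_buf
    if per_socket > MACOS_SOCKET_BUF_LIMIT:
        warnings.append("udp_socket_buf above 5MB will be rejected on macOS")

    # Datagrams larger than the application buffer are dropped, not truncated.
    if recv_buf < max_datagram:
        warnings.append(
            f"datagrams larger than udp_recv_buf={recv_buf} are dropped; "
            f"need at least {max_datagram}"
        )

    # Main socket is created once; every session socket gets a receive and a
    # send buffer (assumption: udp_socket_buf sets both).
    estimate = forward_buf + expected_sessions * per_socket * 2
    if estimate > RAM_WARNING_THRESHOLD:
        warnings.append(
            f"estimated kernel buffer usage {estimate} bytes at "
            f"{expected_sessions} sessions exceeds 1 GiB"
        )
    return estimate, warnings


# Constructed config using the sample values from this page.
SAMPLE_CONFIG = json.loads("""
{
    "run_type": "nat",
    "udp_socket_buf": 1024000,
    "udp_forward_socket_buf": 10240000,
    "udp_recv_buf": 65536
}
""")

if __name__ == "__main__":
    for sessions in (100, 2000):
        size, warns = udp_buffer_report(SAMPLE_CONFIG, sessions, 1400)
        print(f"{sessions} sessions: ~{size / (1 << 20):.0f} MiB", warns)
```

Running it with the page's sample values shows why the defaults are usually the better choice: 2000 concurrent sessions already account for roughly 4 GB of kernel buffers, while the default settings stay around 130 MB at 1000 sessions.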

TPROXY for tcp

If you want a transparent proxy router, you need to set up iptables rules. There are two ways to implement it: REDIRECT and TPROXY.

I don't want to fully explain their differences here or write a detailed guide on configuring them; there are plenty of web resources about that.

By default trojan plus expects REDIRECT for TCP; rules like the following may already be in your iptables:

iptables -t nat -N TCP_PROXY

# bypass your server ip (keep this before the REDIRECT rule, otherwise the OUTPUT chain would redirect trojan plus's own connection to the server back to itself)
iptables -t nat -A TCP_PROXY -d $server_ip -j RETURN

# bypass your local network
iptables -t nat -A TCP_PROXY -d 192.168.0.0/16 -j RETURN

# rewrite the destination so the packet is delivered to your local client port
iptables -t nat -A TCP_PROXY -p tcp -j REDIRECT --to-port $nat_client_tcp_port

iptables -t nat -A PREROUTING -p tcp -j TCP_PROXY
iptables -t nat -A OUTPUT -p tcp -j TCP_PROXY

These are quite simple rules for a transparent proxy router on your local network (in practice you will usually also bypass loopback and the other private ranges, 10.0.0.0/8 and 172.16.0.0/12). If you need to proxy UDP as well, you have to use the mangle table and iptables TPROXY:

# add a local route table so marked packets are delivered to the loopback device
ip route add local 0/0 dev lo table 100
ip rule add fwmark 1 lookup 100


iptables -t mangle -N UDP_PROXY

# bypass your server ip
iptables -t mangle -A UDP_PROXY -d $server_ip -j RETURN

# bypass your local network
iptables -t mangle -A UDP_PROXY -d 192.168.0.0/16 -j RETURN

# mark the packet; the route table above delivers it to the local client's port without changing the destination IP
iptables -t mangle -A UDP_PROXY -p udp -j TPROXY --on-port $nat_client_udp_port --tproxy-mark 1

# if you want TPROXY to handle TCP as well:
if [ "$tcp_use_tproxy" = "1" ]; then
    iptables -t mangle -A UDP_PROXY -p tcp -j TPROXY --on-port $nat_client_tcp_port --tproxy-mark 1
fi

iptables -t mangle -A PREROUTING -j UDP_PROXY

# you might need more rules for OUTPUT
...

You can look up what these rules mean on the web.

If you want to use TPROXY for TCP, set this in the trojan plus config:

{
    "run_type": "nat",
    "local_addr": "0.0.0.0",
    "local_port": 10620,
    ...
    "tcp": {
        ...
        "use_tproxy" : true
    }
    ...
}

After "use_tproxy" is set to true, trojan plus knows that the connections handed over by iptables came via TPROXY instead of REDIRECT, so it recovers the original destination differently (from the socket's local address rather than via SO_ORIGINAL_DST).

If your iptables rules don't match the trojan plus config (use_tproxy true/false), trojan plus won't work.

TCP timeout

There is a new option named "connect_time_out" to avoid getting stuck when the remote trojan server address does not exist, or when it is a domain name and DNS resolution suddenly fails.

{
    "run_type": "client",
    "local_addr": "0.0.0.0",
    "local_port": 10620,
    ...
    "tcp": {
        "no_delay": true,
        ...
        "connect_time_out" : 1
    }
    ...
}

The default value is 10 (seconds); set it lower or higher depending on your situation. It works on both the client side and the server side: on the server side, the server raises a timeout exception when connecting to a destination website (google, youtube and so on) takes longer than this.

Experimental Configs

All trojan plus-specific features are configured here:

{
    "run_type": "client",
    ...
    "tcp": {
        ...
    },
    "experimental":{
        "pipeline_num" : 10,
        "pipeline_ack_window" : 200,
        "pipeline_loadbalance_configs":[
            "/etc/trojan/config_balalance1.json",
            "/etc/trojan/config_balalance2.json"
        ],
        "pipeline_proxy_icmp": true
    }
}

Pipeline mode is a long-lived connection mode; the wiki page on it explains in detail why and how it works. Let me explain the options one by one. Note that none of the experimental configs are compatible with the original Trojan: you must run Trojan Plus on both client and server to use them.

  • pipeline_num: number of long-lived connections. Setting it to 0 disables pipeline mode. To enable pipeline mode you need to set this option greater than 0 on both the client side and the server side, but the server does not decide the number of pipeline connections; on the server it is just a switch.

    A higher number brings more connection stability but consumes more system resources than necessary; the typical value we recommend is 10-50.

  • pipeline_ack_window: number of pipeline message packets that the client side or the server side may send without confirmation from the other side. The default value is 200, and it takes effect on both client and server. The details are hard to explain, but please DO follow the guide below based on the ping (round-trip time) between client and server:

    • < 10 ms: set it 3-10,
    • 10-50 ms: set it 10-100,
    • 50-150 ms: set it 100-200,
    • > 150 ms: set it 200-300

      If you set it larger than needed, it consumes unnecessary RAM and gives misleadingly high results in bandwidth tests; if you set it smaller than needed, you can't get the full bandwidth.
  • pipeline_loadbalance_configs: list of config files for load balancing. This option enables a major feature of trojan plus; we highly recommend reading the wiki page on how to set up balance nodes. This option only takes effect on the client side.

  • pipeline_proxy_icmp: enable ICMP proxying. Trojan plus can proxy ICMP (ping and traceroute) messages for you; it takes effect on both client and server, and the wiki page explains it in more detail. Some applications and games use ping to measure network connection quality; if the proxy software cannot forward this kind of IP packet, these apps/games lose some features or cannot run properly.

Once again, please set pipeline_num, pipeline_ack_window and pipeline_proxy_icmp to the same values on both the client side and the server side.
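The rules in this section (the three options must match on both ends, pipeline_num 0 disables the mode, and pipeline_ack_window should follow the ping table) are easy to get wrong across two config files, so here is an added example, not trojan plus code, that lints a client/server config pair. The defaults it assumes for pipeline_num (0) and pipeline_proxy_icmp (false) when an option is absent are assumptions; the 200 default for pipeline_ack_window and the RTT table come from the text above. The sample configs are constructed.

```python
"""Lint the experimental pipeline options of a trojan plus client/server pair.

Added example, not part of trojan plus. Encodes the guidance from the wiki:
matching options on both ends, pipeline_num 0 == disabled, recommended
pipeline_num 10-50, and the pipeline_ack_window ranges by ping.
"""
import json

MUST_MATCH = ("pipeline_num", "pipeline_ack_window", "pipeline_proxy_icmp")
# Assumed values when an option is absent; only the 200 is documented.
DEFAULTS = {"pipeline_num": 0, "pipeline_ack_window": 200, "pipeline_proxy_icmp": False}


def recommended_ack_window(rtt_ms):
    """(low, high) pipeline_ack_window range for a given client<->server ping."""
    if rtt_ms < 10:
        return (3, 10)
    if rtt_ms <= 50:
        return (10, 100)
    if rtt_ms <= 150:
        return (100, 200)
    return (200, 300)


def pipeline_settings(cfg):
    exp = cfg.get("experimental", {})
    return {k: exp.get(k, DEFAULTS[k]) for k in MUST_MATCH}


def lint_pipeline_pair(client_cfg, server_cfg, rtt_ms):
    """Return a list of problems for the pair; empty means the pair is consistent."""
    c, s = pipeline_settings(client_cfg), pipeline_settings(server_cfg)
    problems = []
    for key in MUST_MATCH:
        if c[key] != s[key]:
            problems.append(f"{key}: client={c[key]} server={s[key]} (must match on both ends)")

    # Load balancing only takes effect on the client side.
    if "pipeline_loadbalance_configs" in server_cfg.get("experimental", {}):
        problems.append("pipeline_loadbalance_configs has no effect on the server side")

    if c["pipeline_num"] == 0:
        return problems  # pipeline mode disabled; window and num guidance do not apply

    if not 10 <= c["pipeline_num"] <= 50:
        problems.append(f"pipeline_num={c['pipeline_num']} is outside the recommended 10-50")

    low, high = recommended_ack_window(rtt_ms)
    window = c["pipeline_ack_window"]
    if window > high:
        problems.append(
            f"pipeline_ack_window={window} is larger than the {low}-{high} suggested for "
            f"{rtt_ms} ms ping: wastes RAM and inflates bandwidth tests"
        )
    elif window < low:
        problems.append(
            f"pipeline_ack_window={window} is smaller than the {low}-{high} suggested for "
            f"{rtt_ms} ms ping: bandwidth will be limited"
        )
    return problems


# Constructed configs modelled on the fragment above.
CLIENT = json.loads("""
{
    "run_type": "client",
    "experimental": {
        "pipeline_num": 10,
        "pipeline_ack_window": 200,
        "pipeline_loadbalance_configs": ["/etc/trojan/config_balalance1.json"],
        "pipeline_proxy_icmp": true
    }
}
""")
SERVER_OK = json.loads("""
{
    "run_type": "server",
    "experimental": {"pipeline_num": 10, "pipeline_ack_window": 200, "pipeline_proxy_icmp": true}
}
""")
SERVER_BAD = json.loads("""
{
    "run_type": "server",
    "experimental": {"pipeline_num": 1, "pipeline_ack_window": 200}
}
""")

if __name__ == "__main__":
    print("good pair, 80 ms:", lint_pipeline_pair(CLIENT, SERVER_OK, 80))
    print("good pair, 20 ms:", lint_pipeline_pair(CLIENT, SERVER_OK, 20))
    print("bad pair,  80 ms:", lint_pipeline_pair(CLIENT, SERVER_BAD, 80))
```

The second call shows the window rule in action: the default window of 200 is fine at 80 ms but, on a 20 ms link, exceeds the 10-100 range the table recommends. The third call catches the mismatched pipeline_num and the server's missing pipeline_proxy_icmp, which is exactly the pair of settings the last sentence above asks you to keep identical.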