Configuration
OSTP is configured via a single JSON file (supports // comments). The "mode" field determines whether it runs as a server or client.
# Generate a default config with a random access key:
./ostp --init server # VPS
./ostp --init client # Local machine
# Validate without running:
./ostp --check| Field | Type | Default | Description |
|---|---|---|---|
mode |
string | required | Must be "server"
|
listen |
string | string[] | "0.0.0.0:50000" |
UDP bind address(es). Supports single string or array for multi-listener |
access_keys |
string[] | required | Valid access keys. Hot-reloaded every 5 seconds |
turn_server |
string | null |
STUN/TURN server for NAT traversal |
debug |
bool | false |
Verbose packet-level logging |
| Field | Type | Default | Description |
|---|---|---|---|
api.enabled |
bool | false |
Enable the REST Management API |
api.bind |
string | "127.0.0.1:9090" |
API listen address |
api.token |
string | "" |
Bearer token for authentication |
See Management API for full endpoint reference.
Route server traffic through an upstream proxy (SOCKS5, HTTP CONNECT).
| Field | Type | Description |
|---|---|---|
outbound.enabled |
bool | Enable upstream proxy |
outbound.protocol |
string |
"socks5" or "http"
|
outbound.address |
string | Proxy address |
outbound.port |
u16 | Proxy port |
outbound.default_action |
string |
"proxy" or "direct"
|
outbound.rules |
array | Routing rules (see below) |
| Field | Type | Description |
|---|---|---|
domain_suffix |
string[] | Domains matching this suffix (e.g., [".onion"]) |
ip_cidr |
string[] | IP subnets (e.g., ["10.0.0.0/8"]) |
action |
string |
"proxy" or "direct"
|
Proxy unrecognized TCP connections to a web server, making OSTP look like a regular website during active probing.
| Field | Type | Default | Description |
|---|---|---|---|
fallback.enabled |
bool | false |
Enable TCP fallback proxy |
fallback.listen |
string | "0.0.0.0:443" |
TCP listen address |
fallback.target |
string | "127.0.0.1:8080" |
Target web server (nginx, caddy) |
| Field | Type | Default | Description |
|---|---|---|---|
mode |
string | required | Must be "client"
|
server |
string | required | Remote OSTP server (host:port) |
access_key |
string | required | Access key matching a server key |
socks5_bind |
string | "127.0.0.1:1088" |
Local SOCKS5/HTTP proxy address |
debug |
bool | false |
Verbose client logging |
| Field | Type | Description |
|---|---|---|
tun.enable |
bool | Enable TUN virtual adapter |
tun.wintun_path |
string | Path to wintun.dll (Windows only) |
tun.ipv4_address |
string | IP for the virtual adapter (e.g., "10.1.0.2/24") |
tun.dns |
string | DNS server for the tunnel |
| Field | Type | Description |
|---|---|---|
exclude.domains |
string[] | Domain suffixes to bypass |
exclude.ips |
string[] | IP/CIDR subnets to bypass |
exclude.processes |
string[] | Process names to bypass (Windows) |
| Field | Type | Description |
|---|---|---|
mux.enabled |
bool | Distribute streams across multiple sessions |
mux.sessions |
int | Number of parallel OSTP sessions |
| Field | Type | Description |
|---|---|---|
turn.enabled |
bool | Enable TURN relay |
turn.server_addr |
string | TURN server address |
turn.username |
string | TURN username |
turn.access_key |
string | TURN password |
{
"mode": "client",
"server": "example.com:50000",
"access_key": "c8a6fde902b4e23910cde882b7cf1612",
"socks5_bind": "127.0.0.1:1088",
"tun": {
"enable": true,
"dns": "1.1.1.1"
},
"exclude": {
"domains": ["bank.com"],
"ips": ["192.168.0.0/16"],
"processes": ["steam.exe"]
},
"mux": {
"enabled": false,
"sessions": 2
},
"turn": {
"enabled": false,
"server_addr": "turn.example.com:3478",
"username": "user",
"access_key": "pass"
},
"debug": false
}| Variable | Description |
|---|---|
RUST_LOG |
Logging filter (e.g., RUST_LOG=ostp_server=debug) |
{ "mode": "server", // Single address or array: ["0.0.0.0:50000", "[::]:50000"] "listen": "0.0.0.0:50000", "access_keys": [ "c8a6fde902b4e23910cde882b7cf1612" ], // Management REST API "api": { "enabled": true, "bind": "127.0.0.1:9090", "token": "your-secret-token" }, // Upstream proxy routing "outbound": { "enabled": false, "protocol": "socks5", "address": "127.0.0.1", "port": 9050, "default_action": "direct", "rules": [ { "domain_suffix": [".onion"], "action": "proxy" } ] }, // TCP fallback for anti-DPI camouflage "fallback": { "enabled": false, "listen": "0.0.0.0:443", "target": "127.0.0.1:8080" }, "debug": false }