Linux 下默认配置文件
/etc/gost/gost.yaml
场景一:UDP 端口转发(单目标)
这个配置用于把本机 21004/udp 转发到后端 10.0.0.20:21116,属于最常见的 UDP 端口转发场景。
配置
services:
- name: udp-forward-demo
addr: ":21004"
handler:
type: udp
listener:
type: udp
metadata:
keepAlive: "true"
ttl: "5s"
forwarder:
nodes:
- addr: "10.0.0.20:21116"关键字段
addr: ":21004":本机监听端口。handler.type: udp:按 UDP 协议处理流量。listener.type: udp:使用 UDP 监听器。metadata.keepAlive、metadata.ttl:连接保活与会话存活时间。forwarder.nodes[].addr:后端 UDP 服务地址。
场景二:通过 WSS 接入远端 SOCKS5(Nginx 443 入口)
这个场景是一组配套配置:服务端由 gost + Nginx 提供 WSS 入口,客户端通过本地 SOCKS5 接入该入口。
服务端配置
services:
- name: wss-entry-demo
addr: 127.0.0.1:18443
handler:
type: auto
listener:
type: wss
metadata:
path: /ws-relay
auth:
username: demo-user
password: demo-passwordserver {
listen 443 ssl;
server_name example.com;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_certificate /etc/nginx/certs/example.com/fullchain.pem;
ssl_certificate_key /etc/nginx/certs/example.com/privkey.pem;
location /ws-relay {
proxy_redirect off;
proxy_pass https://127.0.0.1:18443;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_ssl_verify off;
}
}服务端关键字段
listener.type: wss:gost 以 WebSocket over TLS 方式监听。metadata.path: /ws-relay:需和 Nginxlocation保持一致。auth.username/password:客户端连接该 WSS 入口时使用的认证信息。proxy_set_header Upgrade/Connection:WebSocket 升级必需头。proxy_pass https://127.0.0.1:18443:Nginx 将外部请求转发到本地 gost WSS 监听地址。
客户端配置
对应客户端侧:本地暴露 127.0.0.1:1069 SOCKS5 代理,通过 http + wss 方式接入远端节点。
log:
level: warn
services:
- name: socks5-local
addr: "127.0.0.1:1069"
handler:
type: socks5
chain: relay-chain
listener:
type: tcp
chains:
- name: relay-chain
hops:
- nodes:
- name: edge-node
addr: "example.com"
connector:
type: http
auth:
username: "demo-user"
password: "demo-password"
dialer:
type: wss
metadata:
path: "/ws-relay"客户端关键字段
services[].handler.type: socks5:本地提供 SOCKS5 代理入口。services[].chain:把本地代理流量交给指定链路处理。connector.type: http:节点侧使用 HTTP 连接器。connector.auth:连接远端入口所需认证信息。dialer.type: wss+metadata.path:通过 WSS 拨号,并使用与服务端一致的路径。
场景三:通过 relay+wss 映射本地 TCP 端口
这个场景用于把客户端本地端口经由 WSS 隧道映射到服务端,实现跨网络的 TCP 转发。
服务端配置
services:
- name: secure-tunnel
addr: 127.0.0.1:18444
handler:
type: relay
metadata:
bind: true
listener:
type: wss
metadata:
path: /ws-tunnel
auth:
username: demo-user
password: demo-passwordserver {
listen 443 ssl;
server_name example.com;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_certificate /etc/nginx/certs/example.com/fullchain.pem;
ssl_certificate_key /etc/nginx/certs/example.com/privkey.pem;
location /ws-tunnel {
proxy_redirect off;
proxy_pass https://127.0.0.1:18444;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_ssl_verify off;
}
}服务端关键字段
handler.type: relay:使用 relay 模式处理隧道连接。handler.metadata.bind: true:允许服务端为 relay 建立绑定能力。listener.type: wss:通过 WSS 暴露入口。metadata.path: /ws-tunnel:需与 Nginxlocation和客户端参数一致。auth.username/password:WSS 入口认证信息。
客户端配置
log:
level: warn
services:
- name: rtcp-tunnel-client
addr: ":30444"
handler:
type: rtcp
listener:
type: rtcp
chain: relay-wss-chain
forwarder:
nodes:
- addr: "127.0.0.1:30443"
chains:
- name: relay-wss-chain
hops:
- nodes:
- name: relay-node
addr: "example.com:443"
connector:
type: relay
auth:
username: "demo-user"
password: "demo-password"
dialer:
type: wss
metadata:
path: "/ws-tunnel"
secure: "true"
serverName: "example.com"
nodelay: "true"等价命令行形式
export GOST_LOGGER_LEVEL=warn && gost -L "rtcp://:30444/127.0.0.1:30443" -F "relay+wss://demo-user:[email protected]?path=/ws-tunnel&secure=true&serverName=example.com&nodelay=true" > /tmp/g.log 2>&1 &客户端关键字段
handler.type: rtcp:启用 RTCP 端口映射处理逻辑。listener.type: rtcp+listener.chain:通过链路在远端侧建立监听。forwarder.nodes[].addr: "127.0.0.1:30443":映射到客户端本地目标服务。connector.type: relay+dialer.type: wss:通过 relay+wss 连接远端入口。metadata.path: "/ws-tunnel":需与服务端metadata.path、Nginxlocation保持一致。secure、serverName、nodelay:对应 TLS 校验、SNI 与低延迟参数。