trojan-client

SOCKS5 proxy client that tunnels traffic through a Trojan protocol server.

Overview

This crate implements a local SOCKS5 proxy that forwards traffic over a TLS connection to a remote trojan-server:

• SOCKS5 proxy — Listens locally and accepts SOCKS5 CONNECT and UDP ASSOCIATE requests
• TLS transport — Connects to the remote server via TLS with configurable SNI and custom CA support
• TCP CONNECT — Proxies TCP connections with header coalescing for reduced round trips
• UDP ASSOCIATE — Full UDP relay with SOCKS5 encapsulation and idle timeout
• Graceful shutdown — CancellationToken-based shutdown with SIGTERM/SIGINT handling

Architecture

Application ──SOCKS5──▶ trojan-client ──TLS──▶ trojan-server ──▶ Target
                           │
               ┌───────────┼───────────┐
               ▼                       ▼
          TCP CONNECT            UDP ASSOCIATE
          (relay)                (UDP relay loop)

Usage

As a binary (via main crate)

trojan client -c client.toml
trojan client --listen 127.0.0.1:1080 --remote server.example.com:443 --password secret

As a library

use trojan_client::{ClientArgs, run};
use tokio_util::sync::CancellationToken;

let token = CancellationToken::new();
run(client_config, token).await?;

Configuration

[client]
listen = "127.0.0.1:1080"
remote = "server.example.com:443"
password = "your-password"

[client.tls]
sni = "server.example.com"
alpn = ["h2", "http/1.1"]
skip_verify = false
# ca = "/path/to/ca.pem"       # Custom CA certificate

[client.tcp]
no_delay = true
keepalive_secs = 60

[logging]
level = "info"
format = "pretty"

CLI Overrides

trojan client -c config.toml \
  --listen 127.0.0.1:1080 \
  --remote server:443 \
  --password secret \
  --skip-verify \
  --log-level debug

License

GPL-3.0-only