Skip to content

feat: add GOST relay outbound proxy type#2795

Merged
wwqgtxx merged 2 commits into
MetaCubeX:Alphafrom
ztywyj:feat/gost-relay
May 16, 2026
Merged

feat: add GOST relay outbound proxy type#2795
wwqgtxx merged 2 commits into
MetaCubeX:Alphafrom
ztywyj:feat/gost-relay

Conversation

@ztywyj

@ztywyj ztywyj commented May 16, 2026

Copy link
Copy Markdown

Why

mihomo already supports gost-plugin for Shadowsocks over WebSocket/Mux-WebSocket, but that path is tied to the Shadowsocks plugin flow and does not cover GOST relay transports.

GOST relay is useful as a reusable outer hop: a relay server can forward TCP and UDP traffic to an internal proxy service, while the mihomo client only needs to connect to the public relay endpoint. This is especially useful on platforms where running a separate local GOST client is inconvenient, such as Android.

This PR adds native gost-relay support as a standalone outbound proxy type. Other outbound proxies can use it through dialer-proxy, so the relay transport stays generic without adding protocol-specific relay options to every outbound.

What Changed

  • Add a common GOST relay dialer under transport/gost.
  • Add a new gost-relay outbound proxy type.
  • Allow gost-relay to be used as a reusable dialer-proxy hop for existing outbound proxies.
  • Support:
    • relay+tls
    • relay+mtls via mux: true
    • optional relay username/password authentication
    • TLS SNI, certificate verification, certificate pinning, client certificate, and client TLS fingerprint
    • TCP CONNECT
    • UDP packet forwarding
    • forward mode, where the relay server selects its configured forwarding target
  • Move the existing GOST websocket plugin code into the shared transport/gost package.
  • Add configuration examples for Shadowsocks over GOST relay.

Example

GOST server

Example: expose a public GOST relay+TLS endpoint and let the mihomo client request the target address.

gost -L "relay+tls://:443?certFile=/etc/gost/server.crt&keyFile=/etc/gost/server.key"

If the real Shadowsocks server listens only on the relay server itself:

127.0.0.1:12345

then mihomo can ask the remote GOST relay to connect to that loopback address from the server side.

mihomo client

proxies:
  - name: gost-relay-hop
    type: gost-relay
    server: relay.example.com
    port: 443
    udp: true
    tls: true
    # mux: true # relay+mtls
    # sni: relay.example.com
    # username: user
    # password: pass
    # client-fingerprint: chrome
    # fingerprint: xxxx
    # certificate: ./client.crt
    # private-key: ./client.key
    # skip-cert-verify: true

  - name: ss-over-gost-relay
    type: ss
    # This address is dialed from the remote GOST relay server side.
    server: 127.0.0.1
    port: 12345
    cipher: chacha20-ietf-poly1305
    password: "password"
    udp: true
    # udp-over-tcp: true # use this instead if the SS server expects UoT over TCP
    dialer-proxy: gost-relay-hop

Forward Mode

If the GOST relay server is configured to forward to a fixed target itself, like this:

gost -L "relay+tls://:443/127.0.0.1:12345?certFile=/etc/gost/server.crt&keyFile=/etc/gost/server.key"

mihomo can configure the relay hop with forward: true:

proxies:
  - name: gost-relay-forward-hop
    type: gost-relay
    server: relay.example.com
    port: 443
    udp: true
    forward: true
    tls: true
    # mux: true
    # sni: relay.example.com
    # username: user
    # password: pass

  - name: ss-over-gost-relay-forward
    type: ss
    # In forward mode this address is only used to ask dialer-proxy for a stream.
    # The GOST relay server forwards the stream to its configured target.
    server: relay.example.com
    port: 443
    cipher: chacha20-ietf-poly1305
    password: "password"
    udp: true
    dialer-proxy: gost-relay-forward-hop

Notes

  • gost-relay is intended to be used as a dialer-proxy hop for normal outbound proxies such as Shadowsocks, VMess, VLESS, Trojan, and other TCP-capable outbounds.
  • In the default mode, gost-relay connects to the configured relay endpoint and asks the remote relay server to connect to the target address requested by the upper proxy.
  • In forward: true mode, the GOST relay server chooses its own configured forwarding target.
  • Native UDP packet forwarding is supported when udp: true is enabled on the gost-relay hop. Shadowsocks udp-over-tcp can still be used through the TCP relay path when the remote Shadowsocks server expects UoT.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants