MCPcopy Index your code
hub / github.com/TrustTunnel/TrustTunnel

github.com/TrustTunnel/TrustTunnel @v1.0.33

Chat with this repo
repository ↗ · DeepWiki ↗ · release v1.0.33 ↗ · + Follow
1,280 symbols 3,596 edges 82 files 184 documented · 14%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

TrustTunnel

Console client · Flutter-based app · App store · Play store


Table of Contents


Introduction

TrustTunnel is a modern, open-source VPN protocol originally developed by AdGuard VPN and now available for anyone to use and audit.

It delivers fast, secure, and reliable VPN connections without the usual trade-offs. By design, TrustTunnel traffic is indistinguishable from regular HTTPS traffic, allowing it to bypass throttling and deep-packet inspection while maintaining strong privacy protections.

The TrustTunnel project includes the VPN endpoint (this repository), the library and CLI for the client, and the GUI application.

Server Features

  • VPN Protocol: The library implements the VPN protocol compatible with HTTP/1.1, HTTP/2, and QUIC. By mimicking regular network traffic, it becomes impossible to detect and block.

  • Flexible Traffic Tunneling: TrustTunnel can tunnel TCP, UDP, and ICMP traffic to and from the client.

  • Platform Compatibility: The server is compatible with Linux and macOS. The client is available for Android, Apple, Windows, and Linux.


Client Features

  • Traffic Tunneling: The library is capable of tunneling TCP, UDP, and ICMP traffic from the client to the endpoint and back.

  • Cross-Platform Support: It supports Linux, macOS, and Windows platforms, providing a consistent experience across different operating systems.

  • System-Wide Tunnel and SOCKS5 Proxy: It can be set up as a system-wide tunnel, utilizing a virtual network interface, as well as a SOCKS5 proxy.

  • Split Tunneling: The library supports split tunneling, allowing users to exclude connections to certain domains or hosts from routing through the VPN endpoint, or vice versa, only routing connections to specific domains or hosts through the endpoint based on an exclusion list.

  • Custom DNS Upstream: Users can specify a custom DNS upstream, which is used for DNS queries routed through the VPN endpoint.


Quick start

Endpoint setup

Install the endpoint

An installation script is available that can be run with the following command:

curl -fsSL https://raw.githubusercontent.com/TrustTunnel/TrustTunnel/refs/heads/master/scripts/install.sh | sh -s -

The installation script will download the prebuilt package from the latest GitHub release for the appropriate system architecture and unpack it to /opt/trusttunnel. The output directory could be overridden by specifying -o DIR flag at the end of the command above.

If you want to install a specific version (instead of the latest), use -V <version>:

curl -fsSL https://raw.githubusercontent.com/TrustTunnel/TrustTunnel/refs/heads/master/scripts/install.sh | sh -s - -V <version>

[!NOTE] Prebuilt packages are available for linux-x86_64, linux-aarch64, and macos-universal (Intel and Apple Silicon) architectures.

Updating the endpoint

The installation script always installs the latest available version. So, to update your installation, run the install command again:

curl -fsSL https://raw.githubusercontent.com/TrustTunnel/TrustTunnel/refs/heads/master/scripts/install.sh | sh -s -

This re-runs the installer and replaces the binaries in the installation directory (/opt/trusttunnel by default, or the directory you specified with -o DIR).

[!NOTE] Don't forget to stop the endpoint before updating:

bash sudo systemctl stop trusttunnel

To start the endpoint again after updating:

bash sudo systemctl start trusttunnel

TrustTunnel Flutter Client 1.0 Warning

[!WARNING] TrustTunnel Flutter Client doesn't support self-signed certificates yet. If you want to use the TrustTunnel Flutter Client, you should have a valid certificate issued by a publicly trusted Certificate Authority (CA) associated with a registered domain for the IP address of the endpoint. Otherwise, the TrustTunnel Flutter Client will be unable to connect to the endpoint.

Endpoint configuration wizard

Please refer to the CONFIGURATION.md for the more detailed documentation on how to configure the endpoint.

The installation directory contains setup_wizard binary that helps generate the config files required for the endpoint to run:

cd /opt/trusttunnel/
./setup_wizard -h

The setup wizard supports interactive mode, so you could run it and it will ask for data required for endpoint configuration.

cd /opt/trusttunnel/
sudo ./setup_wizard

[!NOTE] sudo is required to manage TLS certificates properly.

The wizard will ask for the following fields, some of them have the default values you could safely use:

  • The address to listen on - specify the address for the endpoint to listen on. Use 0.0.0.0:443 for native deployments (HTTPS on all interfaces). If you run with Docker port mapping 443:8443, set it to 0.0.0.0:8443.
  • Path to credentials file - path where the user credentials for authorization will be stored.
  • Username - the username the user will use for authorization.
  • Password - the user's password.
  • Add one more user? - select yes if you want to add more users, or no to continue the configuration process.
  • Path to the rules file - path to store the filtering rules.
  • Connection filtering rules - you can add rules that the endpoint will use to allow or disallow user's connections based on:
    • Client IP address
    • TLS random prefix
    • TLS random with mask

Press n to allow all connections. - Path to a file to store the library settings - path to store the main endpoint configuration file. - Certificate selection - choose how to obtain a TLS certificate: - Issue a Let's Encrypt certificate (requires a public domain) - the setup wizard has built-in ACME support and can automatically obtain a free, publicly trusted certificate from Let's Encrypt. You'll need: - A registered domain pointing to your server's IP address - Port 80 accessible from the internet (for HTTP-01 challenge), or - Ability to add DNS TXT records (for DNS-01 challenge) - Generate a self-signed certificate - suitable for testing or when using the CLI client only. Note: The Flutter client does not support self-signed certificates yet. - Provide path to existing certificate - use your own certificate files obtained from another CA or tool like certbot. - Path to a file to store the TLS hosts settings - path to store the TLS host settings file.

At this point all required configuration files are created and saved on disk.

Let's Encrypt certificate lifecycle

The setup wizard can obtain a Let's Encrypt certificate during initial setup, but you are responsible for ensuring it stays valid over time (renewal and service reload/restart).

If you're using Certbot to manage certificates and renew them automatically, follow the guide in CERT_RENEWAL.md.

Running endpoint

The installed package contains the systemd service template, named trusttunnel.service.template.

This template can be used to set up the endpoint as a systemd service:

[!NOTE] The template file assumes that the TrustTunnel Endpoint binary and all its configuration files are located in /opt/trusttunnel and have the default file names. Modify the template if you have used the different paths.

cd /opt/trusttunnel/
cp trusttunnel.service.template /etc/systemd/system/trusttunnel.service
sudo systemctl daemon-reload
sudo systemctl enable --now trusttunnel

Export client configuration

The endpoint binary can generate client configurations in two formats:

Deep-Link Format (Default)

Generate a compact tt://? URI suitable for QR codes and mobile apps:

# <client_name> - name of the client those credentials will be included in the configuration
# <address> - `ip`, `ip:port`, `domain`, or `domain:port` that the client will use to connect
#           If only `ip` or `domain` is specified, the port from the `listen_address` field will be used
cd /opt/trusttunnel/
./trusttunnel_endpoint vpn.toml hosts.toml -c <client_name> -a <address>

# Or explicitly specify the format:
./trusttunnel_endpoint vpn.toml hosts.toml -c <client_name> -a <address> --format deeplink

This outputs a tt://? deep-link URI that can be:

You can also provide additional options:

  • --name <display_name>: Set a custom display name for the server in the client app.
  • --dns-upstream <dns_upstream>: Specify a DNS upstream for the client. Can be an IP address or a secure DNS URI (e.g., tls://1.1.1.1, https://dns.google/dns-query). This flag can be used multiple times to provide a list of DNS upstreams.

Example with custom name and DNS upstreams:

./trusttunnel_endpoint vpn.toml hosts.toml -c <client_name> -a <address> \
    --name "My Secure VPN" \
    --dns-upstream 1.1.1.1 --dns-upstream tls://8.8.8.8

When --generate-client-random-prefix is used, the endpoint also appends an allow rule for the generated value to the rules.toml file referenced from vpn.toml.

Note: If your certificate is signed by a trusted CA (e.g., Let's Encrypt), it will be automatically omitted from the deep-link to keep it compact. Self-signed certificates are included automatically.

TOML Format (For CLI Client)

Generate a traditional TOML configuration file:

cd /opt/trusttunnel/
./trusttunnel_endpoint vpn.toml hosts.toml -c <client_name> -a <public_ip> --format toml

This outputs a TOML configuration file suitable for the CLI client.

Both formats contain all necessary information to connect to the endpoint. See the TrustTunnel Flutter Client documentation for setup instructions.

Congratulations! You've done setting up the endpoint!

Client setup

You have a choice to use a CLI client or a GUI client (available on App Store and Play Store).

Install the client

Linux / macOS

An installation script is available:

curl -fsSL https://raw.githubusercontent.com/TrustTunnel/TrustTunnelClient/refs/heads/master/scripts/install.sh | sh -s -

The installation script will download the prebuilt package from the latest GitHub release for the appropriate system architecture and unpack it to /opt/trusttunnel_client. The output directory could be overridden by specifying -o DIR flag at the end of the command above.

[!NOTE] Install script supports x86_64, aarch64, armv7, mips and mipsel architectures for linux and arm64 and x86_64 for macos.

Windows

Download the latest release archive from the TrustTunnel Client releases page.

Extract the archive to a directory of your choice, for example C:\TrustTunnel\.

Router setup

For router deployments, please refer to router-specific client installation guides.

Updating the client

Linux / macOS

The installation script always installs the latest available version. So, to update your installation, run the install command again:

curl -fsSL https://raw.githubusercontent.com/TrustTunnel/TrustTunnelClient/refs/heads/master/scripts/install.sh | sh -s -

This re-runs the installer and replaces

Extension points exported contracts — how you extend this code

Source (Interface)
(no doc) [9 implementers]
lib/src/pipe.rs
Sink (Interface)
(no doc) [9 implementers]
lib/src/pipe.rs
PendingRequest (Interface)
An abstract interface for a still-not-responded request [3 implementers]
lib/src/downstream.rs
PendingRespond (Interface)
Encapsulates a non-responded transmitting part of an HTTP stream state [3 implementers]
lib/src/http_codec.rs
DroppingSink (Interface)
An abstract interface for a datagram transmitter implementation [3 implementers]
lib/src/http_codec.rs

Core symbols most depended-on inside this repo

clone
called by 241
lib/src/tls_demultiplexer.rs
len
called by 167
lib/src/icmp_utils.rs
map
called by 137
lib/src/utils.rs
as_str
called by 41
lib/src/tls_demultiplexer.rs
build
called by 32
lib/src/settings.rs
collect
called by 31
lib/src/metrics.rs
decode
called by 30
deeplink/src/lib.rs
request
called by 28
lib/src/http1_codec.rs

Shape

Method 520
Function 478
Class 188
Enum 64
Interface 30

Languages

Rust97%
Python2%
C1%

Modules by API surface

lib/src/settings.rs135 symbols
lib/src/quic_multiplexer.rs52 symbols
lib/src/net_utils.rs40 symbols
lib/src/http1_codec.rs36 symbols
lib/src/socks5_client.rs35 symbols
lib/src/icmp_utils.rs35 symbols
lib/src/http3_codec.rs35 symbols
endpoint/src/main.rs34 symbols
lib/src/http_forwarded_stream.rs32 symbols
deeplink/src/types.rs32 symbols
lib/src/http_downstream.rs30 symbols
lib/tests/common/mod.rs29 symbols

For agents

$ claude mcp add TrustTunnel \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page