Trojan

From ArchWiki

Trojan is a proxy server, client and protocol, designed to bypass the Great Firewall of China by imitating HTTPS. Trojan claims to be unidentifiable.

Warning: Trojan has not undergone a proper security audit. Use it with caution!

Installation

Install the trojan package, or trojan-git (AUR) for the development version.

Configuration

Trojan cannot run without proper configuration. It uses JSON as its config format. All configuration work is done in /etc/trojan/. Detailed explanations of each field of the config file can be found here.

Examples of config files are at /usr/share/doc/trojan/examples/.

TLS certificate

You need to provide a TLS certificate and private key for a Trojan server to work. You can either obtain a free certificate from Let's Encrypt with an automation tool such as Acme.sh, or generate a self-signed one as shown in OpenSSL#Generate a self-signed certificate. Then set the cert, key and (optionally) key_password fields in the config file accordingly. If you use a self-signed certificate, pin it on the client by setting cert in the client's config. Also make sure that trojan on the server has sufficient permissions to read the certificate and key files.

TCP Fast Open

For TCP Fast Open on servers to work, you'll need to turn it on in your OS:

# echo 3 > /proc/sys/net/ipv4/tcp_fastopen

Disguise

Trojan servers can be disguised as other services over TLS to prevent active probing. This can be done by, for example, running a web server with nginx and pointing the remote_addr and remote_port fields to that web server's address and port.
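
The following pre-flight check is an added example, not part of the ArchWiki page or the Trojan project. It covers the three sections above for a server config: certificate and key access, the remote_addr/remote_port fallback, and TCP Fast Open. The function name is hypothetical, and the ssl and tcp.fast_open nesting is assumed to match the example configs in /usr/share/doc/trojan/examples/.

```python
import os
import stat

def check_server_config(cfg, tfo_path="/proc/sys/net/ipv4/tcp_fastopen"):
    """Return a list of problems found in a parsed Trojan server config (dict).

    Run it as the user the trojan service runs as, so the access checks
    reflect what the daemon will actually be able to read.
    """
    problems = []
    ssl = cfg.get("ssl", {})  # assumed layout: cert/key live under "ssl"
    for field in ("cert", "key"):
        path = ssl.get(field)
        if not path or not os.path.isfile(path):
            problems.append(f"ssl.{field}: file missing")
        elif not os.access(path, os.R_OK):
            problems.append(f"ssl.{field}: not readable by this user")
    key = ssl.get("key")
    # The private key should never be accessible to unrelated local users.
    if key and os.path.isfile(key) and stat.S_IMODE(os.stat(key).st_mode) & 0o007:
        problems.append("ssl.key: accessible by other users")
    # Disguise: the server needs a real service to point at.
    if not cfg.get("remote_addr") or not isinstance(cfg.get("remote_port"), int):
        problems.append("remote_addr/remote_port: no fallback web server set")
    # TCP Fast Open: bit 0x2 of the sysctl enables the server side.
    if cfg.get("tcp", {}).get("fast_open"):
        try:
            with open(tfo_path) as f:
                if not int(f.read().strip()) & 2:
                    problems.append("tcp.fast_open: kernel server-side TFO is off")
        except (OSError, ValueError):
            problems.append("tcp.fast_open: cannot read tcp_fastopen sysctl")
    return problems

if __name__ == "__main__":
    import tempfile
    # Constructed sample: throwaway cert/key files and a config given as a dict.
    with tempfile.TemporaryDirectory() as d:
        cert, key = os.path.join(d, "cert.crt"), os.path.join(d, "private.key")
        for p in (cert, key):
            open(p, "w").close()
        os.chmod(key, 0o644)  # deliberately too permissive
        sample = {"run_type": "server",
                  "remote_addr": "127.0.0.1", "remote_port": 80,
                  "ssl": {"cert": cert, "key": key, "key_password": ""},
                  "tcp": {"fast_open": False}}
        for problem in check_server_config(sample):
            print(problem)
```

For a real config, load it with json.load() and pass the resulting dict to check_server_config().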

Running

Systemd services

Trojan can be controlled with trojan.service and trojan@.service. For example, to start and enable Trojan with config file /etc/trojan/xxx.json, you can run:

# systemctl start trojan@xxx
# systemctl enable trojan@xxx

Running

# systemctl start trojan
# systemctl enable trojan

will start and enable trojan with /etc/trojan/config.json.

Manually

Trojan can also start in a shell, by running:

$ trojan /etc/trojan/config.json

You can replace /etc/trojan/config.json with any other config file. Note that Trojan outputs its log to stderr, so you'll have to redirect it to a file if you want to keep the log.

See also

GitHub Project