Scripts · Jul 5, 2026 · 3 min read

GOST — Versatile Go Tunnel with Multi-Protocol Support

A simple yet powerful tunnel and proxy written in Go, supporting HTTP/HTTPS/SOCKS5/Shadowsocks/SNI/SSH/KCP/QUIC protocols. Functions as a proxy chain, port forwarder, and encrypted tunnel with a YAML-based configuration system.

Agent ready

Ready-to-run agent install

This asset can be installed after the agent chooses its runtime, checks the plan, and runs the matching command.

  • Native · 98/100
  • Policy: allow
  • Agent surface: Any MCP/CLI agent
  • Kind: Skill
  • Install: Single
  • Trust: Established
  • Entrypoint: GOST
  • Direct install command: npx -y tokrepo@latest install 7384d620-786d-11f1-9bc6-00163e2b0d79 --target codex

Run after dry-run confirms the install plan.

Introduction

GOST (GO Simple Tunnel) is a security tunnel and proxy tool written in Go. It supports a wide array of protocols and can chain proxies, forward ports, and create encrypted tunnels. Its YAML configuration and REST API make it suitable for both quick command-line use and complex multi-hop deployments.

What GOST Does

  • Creates encrypted tunnels over HTTP, SOCKS5, Shadowsocks, SSH, KCP, QUIC, and more
  • Chains multiple proxies together for multi-hop routing
  • Forwards TCP/UDP ports through encrypted channels
  • Provides TUN/TAP device support for VPN-like functionality
  • Exposes a REST API for dynamic runtime configuration

Architecture Overview

GOST v3 uses a pipeline architecture: listeners accept connections, handlers process them, and dialers establish outbound connections. Each component is pluggable — you can mix any listener (TCP, UDP, TUN, ICMP tunnel) with any handler (proxy, relay, tunnel) and dialer (direct, proxy chain, DNS). Configuration is hot-reloadable via YAML files or the REST API.

Self-Hosting & Configuration

  • Download a single static binary for your platform (no dependencies)
  • Configure via command-line flags for simple setups
  • Use YAML configuration files for complex multi-service deployments
  • Enable the REST API for dynamic configuration changes at runtime
  • Deploy as a systemd service for persistent background operation

Key Features

  • Multi-protocol: HTTP, SOCKS4/5, Shadowsocks, SSH, KCP, QUIC, WebSocket, gRPC
  • Proxy chaining: route traffic through multiple proxy hops
  • Dynamic configuration: REST API and hot-reload of YAML configs
  • TUN/TAP support: create virtual network interfaces for full VPN mode
  • ICMP tunnel: encapsulate traffic in ICMP packets for restricted networks

Comparison with Similar Tools

  • frp — focuses on reverse proxying and NAT traversal; GOST is a general-purpose tunnel
  • Chisel — SSH-based TCP tunnel; GOST supports many more transport protocols
  • WireGuard — kernel-level VPN; GOST operates in userspace with more protocol flexibility
  • Shadowsocks — single protocol; GOST supports Shadowsocks plus a dozen others
  • ngrok — cloud-based tunnel service; GOST is fully self-hosted

FAQ

Q: What is the difference between GOST v2 and v3? A: v3 (go-gost/gost) is a complete rewrite with a modular pipeline architecture, YAML config, and REST API. v2 (ginuerzh/gost) is the older version.

Q: Can GOST be used as a VPN? A: Yes, with TUN mode enabled it can function as a VPN, routing all traffic through the tunnel.

Q: Does it support UDP forwarding? A: Yes, GOST supports UDP relay and forwarding across supported protocols.

Q: Is traffic encrypted by default? A: Encryption depends on the protocol chosen. TLS, SSH, Shadowsocks, and QUIC all provide encryption.
