Introduction
GOST (GO Simple Tunnel) is a security tunnel and proxy tool written in Go. It supports a wide array of protocols and can chain proxies, forward ports, and create encrypted tunnels. Its YAML configuration and REST API make it suitable for both quick command-line use and complex multi-hop deployments.
What GOST Does
- Creates encrypted tunnels over HTTP, SOCKS5, Shadowsocks, SSH, KCP, QUIC, and more
- Chains multiple proxies together for multi-hop routing
- Forwards TCP/UDP ports through encrypted channels
- Provides TUN/TAP device support for VPN-like functionality
- Exposes a REST API for dynamic runtime configuration
Architecture Overview
GOST v3 uses a pipeline architecture: listeners accept connections, handlers process them, and dialers establish outbound connections. Each component is pluggable — you can mix any listener (TCP, UDP, TUN, ICMP tunnel) with any handler (proxy, relay, tunnel) and dialer (direct, proxy chain, DNS). Configuration is hot-reloadable via YAML files or the REST API.
Self-Hosting & Configuration
- Download a single static binary for your platform (no dependencies)
- Configure via command-line flags for simple setups
- Use YAML configuration files for complex multi-service deployments
- Enable the REST API for dynamic configuration changes at runtime
- Deploy as a systemd service for persistent background operation
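A starting configuration for the listener/handler/dialer pipeline and the REST API described above, with the API locked down. This is an added example, not taken from the GOST project or the original page. The key names follow the GOST v3 YAML schema as documented upstream and should be checked against the installed version; every name, address and credential is a placeholder.

```yaml
# Added example: constructed values throughout (names, addresses, credentials).
# Weak form of the api block, for contrast: listening on every interface with
# no auth lets anyone who can reach the port rewrite services and chains.
#   api:
#     addr: ":18080"

api:
  addr: "127.0.0.1:18080"   # loopback only, so the API is not reachable from the network
  pathPrefix: /api
  accesslog: true           # record requests that change the running configuration
  auth:
    username: admin         # placeholder
    password: CHANGE-ME     # placeholder; restrict read access to this file

services:
- name: local-proxy
  addr: "127.0.0.1:8080"    # listener address: local clients only
  listener:
    type: tcp               # plain TCP; acceptable because it never leaves the host
  handler:
    type: http              # speaks HTTP proxy to local clients
    chain: upstream         # outbound connections go through the chain below

chains:
- name: upstream
  hops:
  - name: hop-0
    nodes:
    - name: relay-1
      addr: "relay.example.net:8443"   # placeholder host
      connector:
        type: http          # proxy protocol spoken to the next hop
      dialer:
        type: tls           # transport to the hop; "tcp" here would be unencrypted
```

The dialer type on each hop decides whether that leg is encrypted, so review it per node rather than assuming the whole chain is protected.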
Key Features
- Multi-protocol: HTTP, SOCKS4/5, Shadowsocks, SSH, KCP, QUIC, WebSocket, gRPC
- Proxy chaining: route traffic through multiple proxy hops
- Dynamic configuration: REST API and hot-reload of YAML configs
- TUN/TAP support: create virtual network interfaces for full VPN mode
- ICMP tunnel: encapsulate traffic in ICMP packets for restricted networks
Comparison with Similar Tools
- frp — focuses on reverse proxying and NAT traversal; GOST is a general-purpose tunnel
- Chisel — SSH-based TCP tunnel; GOST supports many more transport protocols
- WireGuard — kernel-level VPN; GOST operates in userspace with more protocol flexibility
- Shadowsocks — single protocol; GOST supports Shadowsocks plus a dozen others
- ngrok — cloud-based tunnel service; GOST is fully self-hosted
FAQ
Q: What is the difference between GOST v2 and v3? A: v3 (go-gost/gost) is a complete rewrite with a modular pipeline architecture, YAML config, and REST API. v2 (ginuerzh/gost) is the older version.
Q: Can GOST be used as a VPN? A: Yes, with TUN mode enabled it can function as a VPN, routing all traffic through the tunnel.
Q: Does it support UDP forwarding? A: Yes, GOST supports UDP relay and forwarding across supported protocols.
Q: Is traffic encrypted by default? A: Encryption depends on the protocol chosen. TLS, SSH, Shadowsocks, and QUIC all provide encryption.