A versatile and efficient proxy framework with nice features suitable for various use cases.
- Support local DNS server. (Both UDP and TCP)
- Support DoH for local DNS server.
- Support DoT for local DNS server.
- Support NEW VMess protocol.
- Working API server.
- Support for Windows TUN.
- Support TLS fragmentation.
- Support HTTP outbound protocol.
- Support for VLess (Not yet implemented)
- Support for HTTP2 transport.
- Support for gRPC transport (Not yet implemented)
- Ability to change TLS fingerprinting (Not yet implemented)
- And many improvements.
[General]
loglevel = info
# You can set the server's port; this example uses the local DNS server's port.
# You can use other servers, such as 1.1.1.1:53.
# The following URL forms are supported:
# tcp://1.1.1.1 or tcp://1.1.1.1:53
# udp://1.1.1.1 or udp://1.1.1.1:53
# A bare 1.1.1.1 means udp://1.1.1.1:53
dns-server = udp://127.0.0.1:5323
routing-domain-resolve = true
always-fake-ip = *
socks-interface = 127.0.0.1
socks-port = 1080
http-interface = 127.0.0.1
http-port = 8080
# Following are the listen details for the local UDP+TCP DNS server.
dns-interface = 127.0.0.1
dns-port = 5323
# The tun option supports only tun = fd or tun = auto.
# auto only works on Linux, Mac, and Windows.
tun = auto
[Env]
# Here, we need to set the BYPASS_ADDRS env variable to add bypass routes.
# In the future we will implement a monitor that does this automatically.
# NOTE: All items inside [Env] are automatically exported as env variables.
# You can export the following variables in the shell too.
BYPASS_ADDRS=188.114.98.0,188.114.99.0
ENABLE_IPV6=true
PREFER_IPV6=true
# Here you can set the API listen address.
# Then you can use http://127.0.0.1:9090/api/v1/runtime/stat/html to see current connections.
# Or http://127.0.0.1:9090/api/v1/runtime/usage/json to see total usage
API_LISTEN=127.0.0.1:9090
# Here you can set REMOTE DNS servers for local DNS clients.
# If you need to connect to the DNS servers directly, add their IPs to the BYPASS_ADDRS env variable.
# Currently supported: doh (DNS over HTTPS), dot (DNS over TLS) and TCP.
# By default, round-robin balancing is used across the remote servers.
# We will make new balancing methods in the future.
# Note: Fragmentation is optional.
[Dns]
Cloudflare_Dns_over_Https = doh, 1.1.1.1, 443, domain=cloudflare-dns.com, path=/dns-query, post=true, sni=cloudflare-dns.com, fragment=true, fragment-packets=0-1, fragment-length=6-19, fragment-interval=8-12
Cloudflare_Dns_over_Tls = dot, 1.1.1.1, 853, sni=cloudflare-dns.com, fragment=true, fragment-packets=0-1, fragment-length=6-19, fragment-interval=8-12
Google_Tcp = dot, 8.8.8.8, 53
# Here, and in the [Dns] section above, you can enable TLS fragmentation
# by setting the fragment option to true.
# This fragments the TLS hello handshake (fragment-packets=0-1 means the first packet, i.e. the TLS hello handshake packet)
# into smaller packets (fragment-length is a min-max range in bytes) and sends them with a delay (fragment-interval is a min-max range in milliseconds).
[Proxy]
Trojan_Tls_Fragment_Websocket_Cdn = trojan, 188.114.98.0, 443, password=test, tls=true, fragment=true, fragment-packets=0-1, fragment-length=6-19, fragment-interval=8-12, sni=yourdomain_cloudflare_proxy_domain, ws=true, ws-host=yourdomain_cloudflare_proxy_domain, ws-path=/chat
Trojan_Tls_Http2_Fragment = trojan, 188.114.99.0, 443, password=test, tls=true, fragment=true, fragment-packets=0-1, fragment-length=6-19, fragment-interval=8-12, sni=yourdomain_cloudflare_domain, h2=true, h2-host=yourdomain_cloudflare_domain, h2-path=/chat
# Simple HTTP tunnel proxy.
# This means the HTTP proxy must support the CONNECT method.
# username and password are optional.
HTTP = http, 1.2.3.4, 22222, username=test, password=test
# HTTPS tunnel proxy + fragmentation
# Fragmentation here is optional
HTTPS = http, 1.2.3.4, 22222, username=user, password=test, tls=true, sni=your_https_proxy_domain, fragment=true, fragment-packets=0-1, fragment-length=6-19, fragment-interval=8-12
# Here we use a select outbound; the active outbound can be selected via the API.
# POST http://127.0.0.1:9090/api/v1/app/outbound/select?outbound=Proxy&select=GB2
[Proxy Group]
Proxy = select, Trojan_Tls_Fragment_Websocket_Cdn, Trojan_Tls_Http2_Fragment
[Rule]
FINAL, Proxy
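An added example, not part of the leaf project: a small Python audit of a config in the layout above. It flags listeners bound beyond loopback (the SOCKS/HTTP/DNS interfaces and API_LISTEN, whose API can switch the active outbound) and http outbounds that carry a password without tls=true. The sample config, its 0.0.0.0 binds and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in the page's config layout; the 0.0.0.0 binds are made up.
SAMPLE = """\
[General]
socks-interface = 127.0.0.1
http-interface = 0.0.0.0
[Env]
API_LISTEN=0.0.0.0:9090
[Proxy]
HTTP = http, 1.2.3.4, 22222, username=test, password=test
HTTPS = http, 1.2.3.4, 22222, username=user, password=test, tls=true
"""

def parse(text):
    """Return {section: {key: value}}; lines without '=' (rules) are skipped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1], {})
        elif section is not None and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            section[key.strip()] = value.strip()
    return conf

def is_loopback(host):
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return host == "localhost"

def audit(text):
    conf, findings = parse(text), []
    for key, value in conf.get("General", {}).items():
        if key.endswith("-interface") and not is_loopback(value):
            findings.append(f"{key} listens on {value}, not loopback")
    api = conf.get("Env", {}).get("API_LISTEN")
    if api and not is_loopback(api.rsplit(":", 1)[0]):
        findings.append(f"API_LISTEN {api} exposes the API beyond loopback")
    for name, spec in conf.get("Proxy", {}).items():
        fields = [f.strip() for f in spec.split(",")]
        opts = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
        if fields[0] == "http" and "password" in opts and opts.get("tls") != "true":
            findings.append(f"{name}: proxy credentials sent without TLS")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```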
There are 2 transports for traffic multiplexing:
- AMux: A multiplexed transport based on reliable streams, suitable for TCP-based protocols and transports
- QUIC: A UDP-based, multiplexed and secure transport
The benefit of amux is that we can reuse connections to reduce handshake overhead. It is not designed to be memory efficient, because it focuses only on reusing connections and not on reducing the number of connections. quic, on the other hand, can reduce both handshake overhead and memory usage without suffering from the head-of-line blocking issue.
There's the TUN inbound for this purpose, which is also of fundamental importance for VPN-like proxying use cases such as VPN apps on iOS and Android.
Outbounds such as failover, tryall, retry, random and their combinations are able to flexibly deliver requests to other outbounds based on their own metrics to achieve high availability or load balancing behaviors.
Rule-based request routing is also supported. Requests can be routed to different outbounds based on domain, IP, GEOIP and port rules.
[General]
dns-server = 223.5.5.5
socks-interface = 127.0.0.1
socks-port = 1080
[Proxy]
Direct = direct
More configuration examples can be found here. If you want more flexible control over the config options, use the JSON format. Up-to-date examples for the JSON format can be found in the tests, where both client-side and server-side config examples are presented.
This syntax (tun = auto) is supported on macOS and Linux.
[General]
dns-server = 223.5.5.5
tun = auto
[Proxy]
Direct = direct
Running in gateway mode requires a configuration with TUN mode enabled. Gateway mode can be enabled by an environment variable.
GATEWAY_MODE=true leaf -c config.conf
- Maple: A lightweight Universal Windows proxy app based on leaf
Install Rust: https://www.rust-lang.org/tools/install
Install GCC or Clang.
Clone & Build:
git clone --recursive https://github.com/eycorsican/leaf.git
cd leaf
cargo build -p leaf-cli
Run:
./target/debug/leaf --help
This project is licensed under the Apache License 2.0.