1. Implement Connection Reuse:
   Currently, we encounter SSL handshake rejections due to fast connection handshakes, resulting in decreased speed and a poor user experience. While MUX partially addresses this issue, it introduces speed problems. To improve this, we suggest implementing connection reuse by enhancing the trojan protocol. This involves adding a command to signal the end of the current connection and keeping it in a connection pool for future use. Additionally, implementing a mechanism to periodically check connection status would ensure stability, especially in situations like NAT session deletion or receiving a reset.

2. Support Forwarding Traffic to a SOCKS5 Proxy:
   In certain scenarios, using the server that accepts the handshake as the outbound traffic server is undesirable, particularly when the server IP is not clean, and may cause restricting access to specific websites(Currently, Netflix restricts access based on client IP addresses. However, it would be beneficial to also support traffic forwarding to a SOCKS5 server. This would enable users to leverage V2Ray's capabilities for sniffing and making routing decisions based on domain names.
   ). However, forwarding all traffic to the backend server can create a heavy load. To address this, we propose adding support for a SOCKS5 client to selectively proxy traffic, excluding shadow-TLS handshake traffic. This would offer flexibility in routing traffic, load balancing, and maintaining network integrity.

Compilation fails on ubuntu, what dependencies are needed, how to compile?

This project is really great but It seems that the project does not support UDP (udp over tcp). Do you have any plans to add it?

Hi @Gowee - is there an active license for this codebase? I don't see anything explicitly documented in the README or code headers.

I read the document:
# client listen_addr remote_addr sni password
./noisy-shuttle client 127.0.0.1:1080 server.addr.example:443 www.example.com Teap0taa -v

The command I am executing on the client is
./noisy-shuttle client 0.0.0.0:1080 131.205.189.100:443 www.bing.com TYhdJS8u -v

There is no errors occur on startup

But when I make a http request via the socks5 proxy 127.0.0.1:1080 on the client
curl --socks5 127.0.0.1:1080 www.google.com

It tell me the request is failed

client logs:
failed to establish snowy tunnel: Not or invalid Server Hello

server logs
INFO serve{peer=54.45.88.4:57742}: fallback relay (unauthenticated)

A tight window limits bandwidth, while a loose window undermines the effectiveness of flow control, resulting in higher latency & jitter.

The current implementation (in dev branch) is ported from hyper, which appears to be nonoptimal.

Similar strategies are also used in other libraries:

Dotnet: https://github.com/dotnet/runtime/pull/54755/files
gRPC: https://github.com/grpc/grpc-go/blob/master/internal/transport/bdp_estimator.go
cURL: curl/curl@a4d8888
Chromium: https://source.chromium.org/search?q=kSpdySessionMaxRecvWindowSize&sq=
Nginx: https://github.com/nginx/nginx/blob/b489ba83e9be446923facfe1a2fe392be3095d1f/src/http/v2/ngx_http_v2.c#L244
Go: https://github.com/golang/net/blob/47caaff48d7cdfbc45b155988009eb57a72bbeaf/http2/server.go#L158

For simplicity of implementation and flexibility of ClientHello fingerprint, the tunnel implementation till now (v0.2.1) puts Noise ephemeral public key into client random. This provides no protection against active probing with replay attack aiming to distinguish camouflaged handshakes & traffic from authentic TLS stream, because the server has no way to tell whether the client actually owns the private key before sending back a responding Noise handshake. To mitigate it, the tunnel maintains a time-based LRU replay filter.

It is possible to use the same ephemeral key for both Noise and TLS key exchange (TLS 1.3 KeyShare or TLS 1.2 ClientKeyExchange). In this way, replayed ephemeral key and AEAD tag won't be effective by nature since a malicious client who has no corresponding private key won't able to finish the TLS handshake or verify any encrypted traffic at all.

The new proposed idea is more complex than the previous one to implement. And it does introduce some compatibility issues. Here are some considerations.

• Two ephemeral keys should be generated, one for KeyShare and one for ClientKeyExchange. The one actually used would be determined by the negotiated protocol version.
• It hinders possible future support of TLS session resumption (session id/session ticket in TLS 1.2 or PSK in TLS 1.3) since there might be no key exchange in such cases.
• Much more care is needed to extract the KX key from TLS 1.2 ClientKeyExchange so that the handshake relay function state won't be distinguished.

For the second point, to allow session resumption, a possible workaround is to maintain an association of TLS session tokens (ticket/id/PSK) and the session key negotiated by Noise on server-side in addition to the session storage of client-side TLS implementation. When initiating a TLS handshake, the client signs (HMAC) its session token. Whenever the server determines a TLS session is resumed, it extracts the Noise session key for encryption of later traffic from its association storage. A malicious client who attempts to replay previously-recorded resumption would have no TLS session key cached for the corresponding TLS session token, preventing it from verifying server response in order to distinguish anything. But maintaining the extra session association seems not to be easier than maintaining the current replay filter LRU, not to mention the case where the server forgets a session token sent by a legit client (e.g. after a server restarting).

Hi,
I was wondering if you have considered adding a reverse tunnel option?

I have remote systems behind NAT and it would be useful for them to create a tunnel to a central system that can then connect back over the tunnel (to SSH usually).

I'm having a look at the code to do it myself but I'm a Rust newb so it's hard going :)