In this page, we will look at the config file of trojan. Trojan uses JSON as the format of the config.
Note: all "\" in the paths under Windows MUST be replaced with "/".
{
"run_type": "client",
"local_addr": "127.0.0.1",
"local_port": 1080,
"remote_addr": "example.com",
"remote_port": 443,
"password": [
"password1"
],
"log_level": 1,
"ssl": {
"verify": true,
"verify_hostname": true,
"cert": "",
"cipher": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA",
"cipher_tls13": "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384",
"sni": "",
"alpn": [
"h2",
"http/1.1"
],
"reuse_session": true,
"session_ticket": false,
"curves": ""
},
"tcp": {
"no_delay": true,
"keep_alive": true,
"reuse_port": false,
"fast_open": false,
"fast_open_qlen": 20
}
}run_type: running trojan asclientlocal_addr: aSOCKS5server interface will be bound to the specified interface. Feel free to change this to0.0.0.0,::1,::or other addresses, if you know what you are doing.local_port: aSOCKS5interface will be bound to this portremote_addr: server address (hostname)remote_port: server portpassword: password used for verification (only the first password in the array will be used)log_level: how much log to dump. 0: ALL; 1: INFO; 2: WARN; 3: ERROR; 4: FATAL; 5: OFF.ssl:SSLspecific configurationsverify: whether to verifySSLcertificate STRONGLY RECOMMENDEDverify_hostname: whether to verifySSLhostname (specified in thesnifield) STRONGLY RECOMMENDEDcert: ifverifyis set totrue, the same certificate used by the server or a collection ofCAcertificates could be provided. If you leave this field blank,OpenSSLwill try to look for a systemCAstore and will be likely to fail. Certificates can be retrieved with this simple Python script.cipher: a cipher list to send and usecipher_tls13: a cipher list for TLS 1.3 to usesni: the Server Name Indication field in theSSLhandshake. If left blank, it will be set toremote_addr.alpn: a list ofALPNprotocols to sendreuse_session: whether to reuseSSLsessionsession_ticket: whether to use session tickets for session resumptioncurves:ECCcurves to send and use
tcp:TCPspecific configurationsno_delay: whether to disable Nagle's algorithmkeep_alive: whether to enable TCP Keep Alivereuse_port: whether to enable TCP port reuse (kernel support required)fast_open: whether to enable TCP Fast Open (kernel support required)fast_open_qlen: the server's limit on the size of the queue of TFO requests that have not yet completed the three-way handshake
This forward config is for port forwarding. Everything is the same as the client config, except for target_addr and target_port, which point to the destination endpoint, and udp_timeout, which controls how long (in seconds) a UDP session will last in idle.
{
"run_type": "forward",
"local_addr": "127.0.0.1",
"local_port": 5901,
"remote_addr": "example.com",
"remote_port": 443,
"target_addr": "127.0.0.1",
"target_port": 5901,
"password": [
"password1"
],
"udp_timeout": 60,
"log_level": 1,
"ssl": {
"verify": true,
"verify_hostname": true,
"cert": "",
"cipher": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA",
"cipher_tls13": "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384",
"sni": "",
"alpn": [
"h2",
"http/1.1"
],
"reuse_session": true,
"session_ticket": false,
"curves": ""
},
"tcp": {
"no_delay": true,
"keep_alive": true,
"reuse_port": false,
"fast_open": false,
"fast_open_qlen": 20
}
}The NAT config is for transparent proxy. You'll need to setup iptables rules to use it. Everything is the same as the client config.
{
"run_type": "nat",
"local_addr": "127.0.0.1",
"local_port": 12345,
"remote_addr": "example.com",
"remote_port": 443,
"password": [
"password1"
],
"log_level": 1,
"ssl": {
"verify": true,
"verify_hostname": true,
"cert": "",
"cipher": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA",
"cipher_tls13": "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384",
"sni": "",
"alpn": [
"h2",
"http/1.1"
],
"reuse_session": true,
"session_ticket": false,
"curves": ""
},
"tcp": {
"no_delay": true,
"keep_alive": true,
"reuse_port": false,
"fast_open": false,
"fast_open_qlen": 20
}
}{
"run_type": "server",
"local_addr": "0.0.0.0",
"local_port": 443,
"remote_addr": "127.0.0.1",
"remote_port": 80,
"password": [
"password1",
"password2"
],
"log_level": 1,
"ssl": {
"cert": "/path/to/certificate.crt",
"key": "/path/to/private.key",
"key_password": "",
"cipher": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384",
"cipher_tls13": "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384",
"prefer_server_cipher": true,
"alpn": [
"http/1.1"
],
"reuse_session": true,
"session_ticket": false,
"session_timeout": 600,
"plain_http_response": "",
"curves": "",
"dhparam": ""
},
"tcp": {
"prefer_ipv4": false,
"no_delay": true,
"keep_alive": true,
"reuse_port": false,
"fast_open": false,
"fast_open_qlen": 20
},
"mysql": {
"enabled": false,
"server_addr": "127.0.0.1",
"server_port": 3306,
"database": "trojan",
"username": "trojan",
"password": ""
}
}run_type: running trojan asserverlocal_addr: trojan server will be bound to the specified interface. Feel free to change this to::or other addresses, if you know what you are doing.local_port: trojan server will be bound to this portremote_addr: the endpoint address that trojan server will connect to when encountering other protocolsremote_port: the endpoint port that trojan server will connect when encountering other protocolspassword: an array of passwords used for verificationlog_level: how much log to dump. 0: ALL; 1: INFO; 2: WARN; 3: ERROR; 4: FATAL; 5: OFF.ssl:SSLspecific configurationscert: server certificate STRONGLY RECOMMENDED TO BE SIGNED BY A CA. It's preferred to use the full chain certificate here instead of the certificate alone.key: private key file for encryptionkey_password: password of the private key filecipher: a cipher list to usecipher_tls13: a cipher list for TLS 1.3 to useprefer_server_cipher: whether to prefer server cipher list in a connectionalpn: a list ofALPNprotocols to replyreuse_session: whether to reuseSSLsessionsession_ticket: whether to use session tickets for session resumptionsession_timeout: ifreuse_sessionis set totrue, specifySSLsession timeoutplain_http_response: respond to plain http request with this file (raw TCP)curves:ECCcurves to usedhparam: if left blank, default (RFC 3526) dhparam will be used, otherwise the specified dhparam file will be used
tcp:TCPspecific configurationsprefer_ipv4: whether to connect to the IPv4 address when there are both IPv6 and IPv4 addresses for a domainno_delay: whether to disable Nagle's algorithmkeep_alive: whether to enable TCP Keep Alivereuse_port: whether to enable TCP port reuse (kernel support required)fast_open: whether to enable TCP Fast Open (kernel support required)fast_open_qlen: the server's limit on the size of the queue of TFO requests that have not yet completed the three-way handshake
mysql: see Authenticator