Skip to content

Blog

Traffic Control — Bypass

Bypass (traffic diversion) means dividing traffic according to certain rules and then performing corresponding actions on the divided traffic to achieve a degree of traffic control.

For example, in a company with strict network管控, traffic can be categorized as:

  • Illegal traffic — disallowed traffic, such as services the company blocks access to.
  • Intranet traffic — traffic to internal company servers, which is only valid within the company network and should not be forwarded externally.
  • External traffic — traffic to external services, which may need to go through the company's proxy server.

GOST v3 Dynamic Bypass Implementation

Original post: https://groups.google.com/g/go-gost/c/b9Z0BcqUArw.

Bypass (traffic diversion) routes requests through a forwarding chain or bypasses it based on certain rules. In GOST v3, this is implemented via the bypass component.

GOST v3 introduced a recorder module, which is an alternative logging mechanism. Unlike general logging, the recorder can capture specific data, such as all client IPs accessing a service or all destination addresses being accessed.

Both bypass and recorder gained Redis support in v3. Bypass can dynamically load rules from Redis, while recorder can store data in Redis.

Using these features together, you can implement automatic bypass similar to COW. By default, requests do not use the forwarding chain, but when a direct connection fails, the chain is used instead.

Accessing Intranet HTTP Services with GOST

Original post: https://groups.google.com/g/go-gost/c/ouzBXF0Fqk8.

GOST 2.1 added remote port forwarding, which maps an intranet port to a specified external port. However, TCP remote port forwarding has a limitation: each time a connection is made to the external mapped port, the listening port closes and waits for the intranet gost to re-establish the connection and reopen it.

This limits its use to single-connection services like SSH, while multi-connection services like HTTP are not feasible.

GOST 2.2 added HTTP/2 support. Since HTTP/2 supports multiplexing — especially for HTTP — a single connection can transport multiple request/response pairs. This allows us to use HTTP/2 to access intranet HTTP services from the external network.

Global SOCKS5 Proxy with Redsocks + iptables on Linux

Original post: https://groups.google.com/g/go-gost/c/c7QCorgZiLU.

I previously wrote a similar document, but it was more complex because it included VPN configuration. Here is the simplified version.

Applications on Linux typically require manual proxy configuration within each app, and some apps don't support proxies at all. With redsocks + iptables, you can achieve VPN-like functionality by redirecting all TCP traffic through a SOCKS5 (or HTTPS) proxy.

The Origin of GOST and Its Use Cases

Original post: https://groups.google.com/g/go-gost/c/Cnh_4aeRVcg.

The idea for gost came about in 2013, which was also my first year at the current company. Upon joining, I found that the company's network restrictions were extreme: the only way to access the internet was through the corporate proxy, and without applying for higher privileges, you could only visit Baidu search — all other websites were blocked. Since our team was working on mobile internet, daily development and research were quite inconvenient.