
brook's Introduction

Brook

A cross-platform programmable network tool.

Sponsor

❤️ Shiliew - China Optimized Network App

Getting Started

Server

bash <(curl https://bash.ooo/nami.sh)
nami install brook
brook server -l :9999 -p hello

GUI Client

Platforms: iOS, Android, Mac, Windows, Linux, OpenWrt

CLI Client

brook client -s 1.2.3.4:9999 -p hello --socks5 127.0.0.1:1080

GUI Documentation

Software for which this article applies

Programmable

Brook GUI passes different global variables to the script at different times; the script only needs to assign its processing result to the global variable out.

Introduction to incoming variables

| variable | type | condition | timing | description | out type |
| --- | --- | --- | --- | --- | --- |
| in_brooklinks | map | / | Before connecting | Predefine multiple brook links, and then programmatically specify which one to connect to | map |
| in_dnsquery | map | FakeDNS: On | When a DNS query occurs | Script can decide how to handle this request | map |
| in_address | map | / | When connecting to an address | Script can decide how to connect | map |
| in_httprequest | map | / | When an HTTP(S) request comes in | Script can decide how to handle this request | map |
| in_httprequest,in_httpresponse | map | / | When an HTTP(S) response comes in | Script can decide how to handle this response | map |

in_brooklinks

| Key | Type | Description | Example |
| --- | --- | --- | --- |
| _ | bool | meaningless | true |

out, ignored if not of type map

| Key | Type | Description | Example |
| --- | --- | --- | --- |
| ... | ... | ... | ... |
| custom name | string | brook link | brook://... |
| ... | ... | ... | ... |

in_dnsquery

| Key | Type | Description | Example |
| --- | --- | --- | --- |
| domain | string | domain name | google.com |
| type | string | query type | A |
| appid | string | App ID or path | com.google.Chrome.helper |
| interface | string | network interface. Mac only | en0 |

out: if it is of error type, it is recorded in the log. Ignored if not of type map

| Key | Type | Description | Example |
| --- | --- | --- | --- |
| block | bool | Whether to block, default false | false |
| ip | string | Specify IP directly, only valid when type is A/AAAA | 1.2.3.4 |
| system | bool | Resolve by System DNS, default false | false |
| bypass | bool | Resolve by Bypass DNS, default false | false |
| brooklinkkey | string | When a connection to the Server is needed, connect instead to the Server specified by this key from in_brooklinks | custom name |

in_address

| Key | Type | Description | Example |
| --- | --- | --- | --- |
| network | string | Network type, the value is tcp/udp | tcp |
| ipaddress | string | IP type address. There is only one of ipaddress and domainaddress. Note that there is no relationship between these two | 1.2.3.4:443 |
| domainaddress | string | Domain type address, because of FakeDNS we can get the domain name address here | google.com:443 |
| appid | string | App ID or path | com.google.Chrome.helper |
| interface | string | network interface. Mac only | en0 |

out: if it is of error type, it is recorded in the log. Ignored if not of type map

| Key | Type | Description | Example |
| --- | --- | --- | --- |
| block | bool | Whether to block, default false | false |
| ipaddress | string | IP type address, rewrite destination | 1.2.3.4:443 |
| ipaddressfrombypassdns | string | Use Bypass DNS to obtain A or AAAA IP and rewrite the destination, only valid when domainaddress exists, the value is A/AAAA | A |
| bypass | bool | Bypass, default false. If true and domainaddress, then ipaddress or ipaddressfrombypassdns must be specified | false |
| mitm | bool | Whether to perform MITM, default false. Only valid when network is tcp. Need to install CA, see below | false |
| mitmprotocol | string | MITM protocol needs to be specified explicitly, the value is http/https | https |
| mitmcertdomain | string | The MITM certificate domain name, which is taken from domainaddress by default. If ipaddress and mitm is true and mitmprotocol is https, then it must be specified explicitly | example.com |
| mitmwithbody | bool | Whether to manipulate the http body, default false. Will read the body of the request and response into memory and interact with the script. iOS 50M total memory limit may kill process | false |
| mitmautohandlecompress | bool | Whether to automatically decompress the http body when interacting with the script, default false | false |
| mitmclienttimeout | int | Timeout for MITM talk to server, second, default 0 | 0 |
| mitmserverreadtimeout | int | Timeout for MITM read from client, second, default 0 | 0 |
| mitmserverwritetimeout | int | Timeout for MITM write to client, second, default 0 | 0 |
| brooklinkkey | string | When a connection to the Server is needed, connect instead to the Server specified by this key from in_brooklinks | custom name |

in_httprequest

| Key | Type | Description | Example |
| --- | --- | --- | --- |
| URL | string | URL | https://example.com/hello |
| Method | string | HTTP method | GET |
| Body | bytes | HTTP request body | / |
| ... | string | other fields are HTTP headers | / |

out, must be set to a request or response

in_httpresponse

| Key | Type | Description | Example |
| --- | --- | --- | --- |
| StatusCode | int | HTTP status code | 200 |
| Body | bytes | HTTP response body | / |
| ... | string | other fields are HTTP headers | / |

out, must be set to a response

Write script

Tengo Language Syntax

Library

  • text: regular expressions, string conversion, and manipulation

  • math: mathematical constants and functions

  • times: time-related functions

  • rand: random functions

  • fmt: formatting functions

  • json: JSON functions

  • enum: Enumeration functions

  • hex: hex encoding and decoding functions

  • base64: base64 encoding and decoding functions

  • brook: brook module

    Constants
    
    * os: string, linux/darwin/windows/ios/android
    
    Functions
    
    * splithostport(address string) => map/error: splits a network address of the form "host:port" to { "host": "xxx", "port": "xxx" }
    * country(ip string) => string/error: get country code from ip
    * cidrcontainsip(cidr string, ip string) => bool/error: reports whether the network includes ip
    * parseurl(url string) => map/error: parses a raw url into a map, keys: scheme/host/path/rawpath/rawquery
    * parsequery(query string) => map/error: parses a raw query into a kv map
    * map2query(kv map) => string/error: convert map{string:string} into a query string
    * bytes2ints(b bytes) => array/error: convert bytes into [int]
    * ints2bytes(ints array) => bytes/error: convert [int] into bytes
    * bytescompare(a bytes, b bytes) => int/error: returns an integer comparing two bytes lexicographically. The result will be 0 if a == b, -1 if a < b, and +1 if a > b
    * bytescontains(b bytes, sub bytes) => bool/error: reports whether sub is within b
    * byteshasprefix(s bytes, prefix bytes) => bool/error: tests whether the bytes s begins with prefix
    * byteshassuffix(s bytes, suffix bytes) => bool/error: tests whether the bytes s ends with suffix
    * bytesindex(s bytes, sep bytes) => int/error: returns the index of the first instance of sep in s, or -1 if sep is not present in s
    * byteslastindex(s bytes, sep bytes) => int/error: returns the index of the last instance of sep in s, or -1 if sep is not present in s
    * bytesreplace(s bytes, old bytes, new bytes, n int) => bytes/error: returns a copy of the s with the first n non-overlapping instances of old replaced by new. If n < 0, there is no limit on the number of replacements
    * pathescape(s string) => string/error: escapes the string so it can be safely placed inside a URL path segment, replacing special characters (including /) with %XX sequences as needed
    * pathunescape(s string) => string/error: does the inverse transformation of pathescape
    * queryescape(s string) => string/error: escapes the string so it can be safely placed inside a URL query
    * queryunescape(s string) => string/error: does the inverse transformation of queryescape
    * hexdecode(s string) => bytes/error: returns the bytes represented by the hexadecimal string s
    * hexencode(s string) => string/error: returns the hexadecimal encoding of s
    

Debug script

It is recommended to use tun2brook on desktop to debug with fmt.println
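
A script built from the variables and brook module functions documented above, added here as an illustration (it is not from the Brook project): it blocks listed domains, bypasses a LAN range, enables HTTPS MITM only for an explicit allowlist, and passes MITM traffic through unchanged. The domain lists, the CIDR and the helper names are constructed, and the dispatch assumes Brook leaves the in_* variables that do not apply to the current event undefined, which is consistent with in_brooklinks carrying a meaningless _ key.

```tengo
text := import("text")
brook := import("brook")

// Constructed sample policy values, not from the Brook project.
blocked_suffixes := ["ads.example.net", "tracker.example.org"]
mitm_domains := ["api.example.com"] // only hosts you own or are debugging
lan_cidr := "192.168.0.0/16"

// True if domain equals a suffix or is a subdomain of it. The "." boundary
// keeps "notads.example.net" from matching "ads.example.net".
matches := func(domain, suffixes) {
    for s in suffixes {
        if domain == s || text.has_suffix(domain, "." + s) {
            return true
        }
    }
    return false
}

handle_dns := func(q) {
    if matches(q.domain, blocked_suffixes) {
        return {block: true}
    }
    // Falling through returns undefined; an out that is not a map is ignored.
}

handle_address := func(a) {
    if a.domainaddress {
        hp := brook.splithostport(a.domainaddress)
        if is_error(hp) {
            return hp // an error-typed out is recorded in the log
        }
        if matches(hp.host, blocked_suffixes) {
            return {block: true}
        }
        // mitm is only valid for tcp, and mitmprotocol must be explicit.
        // mitmcertdomain defaults to domainaddress, so it is not set here.
        if a.network == "tcp" && hp.port == "443" && matches(hp.host, mitm_domains) {
            return {mitm: true, mitmprotocol: "https"}
        }
        return
    }
    if a.ipaddress {
        // IP destinations are never MITMed in this example; doing so with
        // https would require an explicit mitmcertdomain.
        hp := brook.splithostport(a.ipaddress)
        if is_error(hp) {
            return hp
        }
        in_lan := brook.cidrcontainsip(lan_cidr, hp.host)
        if is_error(in_lan) {
            return in_lan
        }
        if in_lan {
            return {bypass: true}
        }
    }
}

f := func() {
    // On a response both in_httprequest and in_httpresponse are set,
    // so the response case has to be tested first.
    if in_httpresponse {
        return in_httpresponse // out must be a response: pass it through
    }
    if in_httprequest {
        return in_httprequest // out must be a request or response
    }
    if in_dnsquery {
        return handle_dns(in_dnsquery)
    }
    if in_address {
        return handle_address(in_address)
    }
}

out = f()
```

Passing the incoming map back as out assumes the request and response maps are accepted in the same shape they are delivered in.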

Install CA

https://txthinking.github.io/ca/ca.pem

| OS | How |
| --- | --- |
| iOS | https://www.youtube.com/watch?v=HSGPC2vpDGk |
| Android | Android has user CA and system CA, must be installed in the system CA after ROOT |
| macOS | nami install mad ca.txthinking, sudo mad install --ca ~/.nami/bin/ca.pem |
| Windows | nami install mad ca.txthinking, Admin: mad install --ca ~/.nami/bin/ca.pem |

Some software may not read the system CA; you can use curl --cacert ~/.nami/bin/ca.pem to debug

Resources

| CLI | Description |
| --- | --- |
| nami | A clean and tidy decentralized package manager |
| joker | Joker can turn process into daemon. Zero-Configuration |
| nico | Nico can work with brook wsserver together |
| zhen | zhen - process and cron manager |
| tun2brook | Proxy all traffic just one line command |
| mad | Generate root CA and derivative certificate for any domains and any IPs |
| hancock | Manage multiple remote servers and execute commands remotely |
| sshexec | A command-line tool to execute remote command through ssh |
| jb | write script in an easier way than bash |
| bash | Many one-click scripts |
| pacman | pacman -S brook |
| brew | brew install brook |
| docker | docker run txthinking/brook |

| Resources | Description |
| --- | --- |
| Protocol | Brook Protocol |
| Blog | Some articles you should read |
| YouTube | Some videos you should watch |
| Telegram | Ask questions here |
| Announce | All news you should care |
| GitHub | Other useful repos |
| Socks5 Configurator | If you prefer CLI brook client |
| IPvBar | See domain, IP and country in browser |
| TxThinking SSH | A SSH Terminal |
| Brook Deploy | Deploy brook with GUI |
| brook-manager | Brook Manager is a Brook management system for medium to large merchants |
| TxThinking | Everything |

CLI Documentation

NAME

Brook - A cross-platform programmable network tool

SYNOPSIS

Brook

brook --help

Usage:

Brook [GLOBAL OPTIONS] command [COMMAND OPTIONS] [ARGUMENTS...]

GLOBAL OPTIONS

  • --clientHKDFInfo="": client HKDF info, most time you don't need to change this, if changed, all and each brook links in client side must be same, I mean each (default: "brook")

  • --dialWithDNS="": When a domain name needs to be resolved, use the specified DNS. Such as 8.8.8.8:53 or https://dns.google/dns-query?address=8.8.8.8%3A443, the address is required. Note that for client-side commands, this does not affect the client passing the domain address to the server

  • --dialWithDNSPrefer="": This is used with the dialWithDNS parameter. Prefer A record or AAAA record. Value is A or AAAA

  • --dialWithIP4="": When the current machine establishes a network connection to the outside IPv4, both TCP and UDP, it is used to specify the IPv4 used

  • --dialWithIP6="": When the current machine establishes a network connection to the outside IPv6, both TCP and UDP, it is used to specify the IPv6 used

  • --dialWithNIC="": When the current machine establishes a network connection to the outside, both TCP and UDP, it is used to specify the NIC used

  • --dialWithSocks5="": When the current machine establishes a network connection to the outside, both TCP and UDP, with your socks5 proxy, such as 127.0.0.1:1081

  • --dialWithSocks5Password="": If there is

  • --dialWithSocks5TCPTimeout="": time (s) (default: 0)

  • --dialWithSocks5UDPTimeout="": time (s) (default: 60)

  • --dialWithSocks5Username="": If there is

  • --help, -h: show help

  • --ipLimitInterval="": Interval (s) for ipLimitMax (default: 0)

  • --ipLimitMax="": Limit the number of client IP addresses, be careful when using this parameter, as the client may have dynamic IP. Works with server/wsserver/wssserver/quicserver (default: 0)

  • --ipLimitWait="": How long (s) to wait for recovery after exceeding ipLimitMax (default: 0)

  • --log="": Enable log. A valid value is file path or 'console'. If you want to debug SOCKS5 lib, set env SOCKS5_DEBUG=true

  • --pprof="": go http pprof listen addr, such as :6060

  • --prometheus="": prometheus http listen addr, such as :7070. If it is transmitted on the public network, it is recommended to use it with nico

  • --prometheusPath="": prometheus http path, such as /xxx. If it is transmitted on the public network, a hard-to-guess value is recommended

  • --serverHKDFInfo="": server HKDF info, most time you don't need to change this, if changed, all and each brook links in client side must be same, I mean each (default: "brook")

  • --serverLog="": Enable server log, traffic and more. A valid value is file path or 'console'. Mutually exclusive with the --log parameter. Works with server/wsserver/wssserver/quicserver

  • --speedLimit="": Limit speed (b), such as 500kb/s: 500000, works with server/wsserver/wssserver/quicserver (default: 0)

  • --tag="": Tag can be used to the process, will be append into log or serverLog, such as: 'key1:value1'

  • --version, -v: print the version

COMMANDS

server

Run as brook server, both TCP and UDP

client

Run as brook client, both TCP and UDP, to start a socks5 proxy, [src <-> socks5 <-> $ brook client <-> $ brook server <-> dst]

  • --http="": Where to listen for HTTP proxy connections

  • --password, -p="": Brook server password

  • --server, -s="": Brook server address, like: 1.2.3.4:9999

  • --socks5="": Where to listen for SOCKS5 connections (default: 127.0.0.1:1080)

  • --socks5ServerIP="": Only if your socks5 server IP is different from listen IP

  • --tcpTimeout="": time (s) (default: 0)

  • --udpTimeout="": time (s) (default: 0)

  • --udpovertcp: UDP over TCP

wsserver

Run as brook wsserver, both TCP and UDP, it will start a standard http server and websocket server

wsclient

Run as brook wsclient, both TCP and UDP, to start a socks5 proxy, [src <-> socks5 <-> $ brook wsclient <-> $ brook wsserver <-> dst]

  • --address="": Specify address instead of resolving addresses from host, such as 1.2.3.4:443

  • --http="": Where to listen for HTTP proxy connections

  • --password, -p="": Brook wsserver password

  • --socks5="": Where to listen for SOCKS5 connections (default: 127.0.0.1:1080)

  • --socks5ServerIP="": Only if your socks5 server IP is different from listen IP

  • --tcpTimeout="": time (s) (default: 0)

  • --udpTimeout="": time (s) (default: 0)

  • --withoutBrookProtocol: The data will not be encrypted with brook protocol

  • --wsserver, -s="": Brook wsserver address, like: ws://1.2.3.4:80, if no path then /ws will be used. Do not omit the port under any circumstances

wssserver

Run as brook wssserver, both TCP and UDP, it will start a standard https server and websocket server

  • --blockCIDR4List="": One CIDR per line, https://, http:// or local file absolute path, like: https://raw.githubusercontent.com/txthinking/brook/master/programmable/list/example_cidr4.txt

  • --blockCIDR6List="": One CIDR per line, https://, http:// or local file absolute path, like: https://raw.githubusercontent.com/txthinking/brook/master/programmable/list/example_cidr6.txt

  • --blockDomainList="": One domain per line, suffix match mode. https://, http:// or local file absolute path. Like: https://raw.githubusercontent.com/txthinking/brook/master/programmable/list/example_domain.txt

  • --blockGeoIP="": Block IP by Geo country code, such as US

  • --cert="": The cert file absolute path for the domain, such as /path/to/cert.pem. If cert or certkey is empty, a certificate will be issued automatically

  • --certkey="": The cert key file absolute path for the domain, such as /path/to/certkey.pem. If cert or certkey is empty, a certificate will be issued automatically

  • --domainaddress="": Such as: domain.com:443. If you choose to automatically issue certificates, the domain must have been resolved to the server IP and 80 port also will be used

  • --password, -p="": Server password

  • --path="": URL path (default: /ws)

  • --tcpTimeout="": time (s) (default: 0)

  • --udpTimeout="": time (s) (default: 0)

  • --updateListInterval="": Update list interval, second. default 0, only read one time on start (default: 0)

  • --withoutBrookProtocol: The data will not be encrypted with brook protocol

wssclient

Run as brook wssclient, both TCP and UDP, to start a socks5 proxy, [src <-> socks5 <-> $ brook wssclient <-> $ brook wssserver <-> dst]

  • --http="": Where to listen for HTTP proxy connections

  • --link="": brook link, you can get it via $ brook link. The wssserver and password parameters will be ignored

  • --password, -p="": Brook wssserver password

  • --socks5="": Where to listen for SOCKS5 connections (default: 127.0.0.1:1080)

  • --socks5ServerIP="": Only if your socks5 server IP is different from listen IP

  • --tcpTimeout="": time (s) (default: 0)

  • --udpTimeout="": time (s) (default: 0)

  • --wssserver, -s="": Brook wssserver address, like: wss://google.com:443, if no path then /ws will be used. Do not omit the port under any circumstances

quicserver

Run as brook quicserver, both TCP and UDP

  • --blockCIDR4List="": One CIDR per line, https://, http:// or local file absolute path, like: https://raw.githubusercontent.com/txthinking/brook/master/programmable/list/example_cidr4.txt

  • --blockCIDR6List="": One CIDR per line, https://, http:// or local file absolute path, like: https://raw.githubusercontent.com/txthinking/brook/master/programmable/list/example_cidr6.txt

  • --blockDomainList="": One domain per line, suffix match mode. https://, http:// or local file absolute path. Like: https://raw.githubusercontent.com/txthinking/brook/master/programmable/list/example_domain.txt

  • --blockGeoIP="": Block IP by Geo country code, such as US

  • --cert="": The cert file absolute path for the domain, such as /path/to/cert.pem. If cert or certkey is empty, a certificate will be issued automatically

  • --certkey="": The cert key file absolute path for the domain, such as /path/to/certkey.pem. If cert or certkey is empty, a certificate will be issued automatically

  • --domainaddress="": Such as: domain.com:443. If you choose to automatically issue certificates, the domain must have been resolved to the server IP and 80 port also will be used

  • --password, -p="": Server password

  • --tcpTimeout="": time (s) (default: 0)

  • --udpTimeout="": time (s) (default: 0)

  • --updateListInterval="": Update list interval, second. default 0, only read one time on start (default: 0)

  • --withoutBrookProtocol: The data will not be encrypted with brook protocol

quicclient

Run as brook quicclient, both TCP and UDP, to start a socks5 proxy, [src <-> socks5 <-> $ brook quicclient <-> $ brook quicserver <-> dst]. (Note that the global dial parameter is ignored now)

  • --address="": Specify address instead of resolving addresses from host, such as 1.2.3.4:443

  • --ca="": Specify ca instead of insecure, such as /path/to/ca.pem

  • --http="": Where to listen for HTTP proxy connections

  • --insecure: Client do not verify the server's certificate chain and host name

  • --password, -p="": Brook quicserver password

  • --quicserver, -s="": Brook quicserver address, like: quic://google.com:443. Do not omit the port under any circumstances

  • --socks5="": Where to listen for SOCKS5 connections (default: 127.0.0.1:1080)

  • --socks5ServerIP="": Only if your socks5 server IP is different from listen IP

  • --tcpTimeout="": time (s) (default: 0)

  • --udpTimeout="": time (s) (default: 0)

  • --withoutBrookProtocol: The data will not be encrypted with brook protocol

relayoverbrook

Run as relay over brook, both TCP and UDP, this means access [from address] is equal to [to address], [src <-> from address <-> $ brook server/wsserver/wssserver/quicserver <-> to address]

  • --from, -f, -l="": Listen address: like ':9999'

  • --link="": brook link, you can get it via $ brook link. The server and password parameters will be ignored

  • --password, -p="": Password

  • --server, -s="": brook server or brook wsserver or brook wssserver or brook quicserver, like: 1.2.3.4:9999, ws://1.2.3.4:9999, wss://domain:443/ws, quic://domain.com:443

  • --tcpTimeout="": time (s) (default: 0)

  • --to, -t="": Address which relay to, like: 1.2.3.4:9999

  • --udpTimeout="": time (s) (default: 0)

dnsserveroverbrook

Run as dns server over brook, both TCP and UDP, [src <-> $ brook dnsserveroverbrook <-> $ brook server/wsserver/wssserver/quicserver <-> dns] or [src <-> $ brook dnsserveroverbrook <-> dnsForBypass]

link

Generate brook link

  • --address="": When server is brook wsserver or brook wssserver or brook quicserver, specify address instead of resolving addresses from host, such as 1.2.3.4:443

  • --ca="": When server is brook wssserver or brook quicserver, specify ca for untrusted cert, such as /path/to/ca.pem

  • --clientHKDFInfo="": client HKDF info, most time you don't need to change this, read brook protocol if you don't know what this is

  • --fragment="": When server is brook wssserver, split the ClientHello into multiple fragments and then send them one by one with delays (millisecond). The format is min_length:max_length:min_delay:max_delay, cannot be zero, such as 50:100:10:50, Note that: This is an experimental feature, currently only supported by the brook CLI and tun2brook.

  • --insecure: When server is brook wssserver or brook quicserver, client do not verify the server's certificate chain and host name

  • --name="": Give this server a name

  • --password, -p="": Password

  • --server, -s="": Support brook server, brook wsserver, brook wssserver, socks5 server, brook quicserver. Like: 1.2.3.4:9999, ws://1.2.3.4:9999, wss://google.com:443/ws, socks5://1.2.3.4:1080, quic://google.com:443

  • --serverHKDFInfo="": server HKDF info, most time you don't need to change this, read brook protocol if you don't know what this is

  • --tlsfingerprint="": When server is brook wssserver, select tls fingerprint, value can be: chrome

  • --udpovertcp: When server is brook server, UDP over TCP

  • --username, -u="": Username, when server is socks5 server

  • --withoutBrookProtocol: When server is brook wsserver or brook wssserver or brook quicserver, the data will not be encrypted with brook protocol

connect

Run as client and connect to brook link, both TCP and UDP, to start a socks5 proxy, [src <-> socks5 <-> $ brook connect <-> $ brook server/wsserver/wssserver/quicserver <-> dst]

  • --http="": Where to listen for HTTP proxy connections

  • --link, -l="": brook link, you can get it via $ brook link

  • --socks5="": Where to listen for SOCKS5 connections (default: 127.0.0.1:1080)

  • --socks5ServerIP="": Only if your socks5 server IP is different from listen IP

  • --tcpTimeout="": time (s) (default: 0)

  • --udpTimeout="": time (s) (default: 0)

relay

Run as standalone relay, both TCP and UDP, this means access [from address] is equal to access [to address], [src <-> from address <-> to address]

  • --from, -f, -l="": Listen address: like ':9999'

  • --tcpTimeout="": time (s) (default: 0)

  • --to, -t="": Address which relay to, like: 1.2.3.4:9999

  • --udpTimeout="": time (s) (default: 0)

dnsserver

Run as standalone dns server

dnsclient

Send a dns query

  • --dns, -s="": DNS server, such as 8.8.8.8:53 (default: 8.8.8.8:53)

  • --domain, -d="": Domain

  • --short: Short for A/AAAA

  • --type, -t="": Type, such as A (default: A)

dohserver

Run as standalone doh server

  • --blockDomainList="": One domain per line, suffix match mode. https://, http:// or local absolute file path. Like: https://raw.githubusercontent.com/txthinking/brook/master/programmable/list/example_domain.txt

  • --cert="": The cert file absolute path for the domain, such as /path/to/cert.pem. If cert or certkey is empty, a certificate will be issued automatically

  • --certkey="": The cert key file absolute path for the domain, such as /path/to/certkey.pem. If cert or certkey is empty, a certificate will be issued automatically

  • --disableA: Disable A query

  • --disableAAAA: Disable AAAA query

  • --dns="": DNS server which forward to. Such as 8.8.8.8:53 or https://dns.google/dns-query?address=8.8.8.8%3A443, the address is required (default: 8.8.8.8:53)

  • --domainaddress="": Such as: domain.com:443, if you want to create a https server. If you choose to automatically issue certificates, the domain must have been resolved to the server IP and 80 port also will be used

  • --listen="": listen address, if you want to create a http server behind nico

  • --path="": URL path (default: /dns-query)

  • --tcpTimeout="": time (s) (default: 0)

  • --udpTimeout="": time (s) (default: 0)

dohclient

Send a dns query

dhcpserver

Run as standalone dhcp server. Note that you need to stop other dhcp servers, if there are.

  • --cache="": Cache file, local absolute file path, default is $HOME/.brook.dhcpserver

  • --count="": IP range from the start, which you want to assign to clients (default: 0)

  • --dnsserver="": The dns server which you want to assign to clients, such as: 192.168.1.1 or 8.8.8.8

  • --gateway="": The router gateway which you want to assign to clients, such as: 192.168.1.1

  • --interface="": Select interface on multi interface device. Linux only

  • --netmask="": Subnet netmask which you want to assign to clients (default: 255.255.255.0)

  • --serverip="": DHCP server IP, the IP of this machine. You should set a static IP on this machine before doing this, such as: 192.168.1.10

  • --start="": Start IP which you want to assign to clients, such as: 192.168.1.100

socks5

Run as standalone standard socks5 server, both TCP and UDP

  • --limitUDP: The server MAY use this information to limit access to the UDP association. This usually causes connection failures in a NAT environment, where most clients are.

  • --listen, -l="": Socks5 server listen address, like: :1080 or 1.2.3.4:1080

  • --password="": Password, optional

  • --socks5ServerIP="": Only if your socks5 server IP is different from listen IP

  • --tcpTimeout="": Connection deadline time (s) (default: 0)

  • --udpTimeout="": Connection deadline time (s) (default: 0)

  • --username="": User name, optional

socks5tohttp

Convert socks5 to http proxy, [src <-> listen address(http proxy) <-> socks5 address <-> dst]

  • --listen, -l="": HTTP proxy which will be created, like: 127.0.0.1:8010

  • --socks5, -s="": Socks5 server address, like: 127.0.0.1:1080

  • --socks5password="": Socks5 password, optional

  • --socks5username="": Socks5 username, optional

  • --tcpTimeout="": Connection tcp timeout (s) (default: 0)

pac

Run as PAC server or save PAC to file

  • --bypassDomainList, -b="": One domain per line, suffix match mode. http(s):// or local absolute file path. Like: https://raw.githubusercontent.com/txthinking/brook/master/programmable/list/example_domain.txt

  • --file, -f="": Save PAC to file, this will ignore listen address

  • --listen, -l="": Listen address, like: 127.0.0.1:1980

  • --proxy, -p="": Proxy, like: 'SOCKS5 127.0.0.1:1080; SOCKS 127.0.0.1:1080; DIRECT' (default: SOCKS5 127.0.0.1:1080; SOCKS 127.0.0.1:1080; DIRECT)

testsocks5

Test UDP and TCP of socks5 server

  • --dns="": DNS server for connecting (default: 8.8.8.8:53)

  • --domain="": Domain for query (default: http3.ooo)

  • --password, -p="": Socks5 password

  • --socks5, -s="": Like: 127.0.0.1:1080

  • --username, -u="": Socks5 username

  • -a="": The A record of domain (default: 137.184.237.95)

testbrook

Test UDP and TCP of brook server/wsserver/wssserver/quicserver. (Note that the global dial parameter is ignored now)

  • --dns="": DNS server for connecting (default: 8.8.8.8:53)

  • --domain="": Domain for query (default: http3.ooo)

  • --link, -l="": brook link. Get it via $ brook link

  • --socks5="": Temporarily listening socks5 (default: 127.0.0.1:11080)

  • -a="": The A record of domain (default: 137.184.237.95)

echoserver

Echo server, echo UDP and TCP address of routes

  • --listen, -l="": Listen address, like: ':7777'

echoclient

Connect to echoserver, echo UDP and TCP address of routes

  • --server, -s="": Echo server address, such as 1.2.3.4:7777

  • --times="": Times of interactions (default: 0)

ipcountry

Get country of IP

  • --ip="": 1.1.1.1

completion

Generate shell completions

  • --file, -f="": Write to file (default: brook_autocomplete)

mdpage

Generate markdown page

  • --file, -f="": Write to file, default print to stdout

  • --help, -h: show help

help, h

Shows a list of commands or help for one command

manpage

Generate man.1 page

  • --file, -f="": Write to file, default print to stdout. You should put to /path/to/man/man1/brook.1 on linux or /usr/local/share/man/man1/brook.1 on macos

help, h

Shows a list of commands or help for one command

Examples

Examples of commands for common scenarios. Replace the parameters in each example, such as IP, port, password, domain name and certificate path, with your own.

Run brook server

brook server --listen :9999 --password hello

then

  • server: 1.2.3.4:9999
  • password: hello

or get brook link

brook link --server 1.2.3.4:9999 --password hello --name 'my brook server'

or get brook link with --udpovertcp

brook link --server 1.2.3.4:9999 --password hello --udpovertcp --name 'my brook server'

Run brook wsserver

brook wsserver --listen :9999 --password hello

then

  • server: ws://1.2.3.4:9999
  • password: hello

or get brook link

brook link --server ws://1.2.3.4:9999 --password hello --name 'my brook wsserver'

or get brook link with domain, even if that's not your domain

brook link --server ws://hello.com:9999 --password hello --address 1.2.3.4:9999 --name 'my brook wsserver'

Run brook wssserver: automatic certificate

Make sure your domain has been resolved to your server IP successfully. Automatic certificate issuance requires the use of port 80

brook wssserver --domainaddress domain.com:443 --password hello

then

  • server: wss://domain.com:443
  • password: hello

or get brook link

brook link --server wss://domain.com:443 --password hello --name 'my brook wssserver'

Run brook wssserver Use a certificate issued by an existing trust authority

Make sure your domain has been resolved to your server IP successfully

brook wssserver --domainaddress domain.com:443 --password hello --cert /root/cert.pem --certkey /root/certkey.pem

then

  • server: wss://domain.com:443
  • password: hello

or get brook link

brook link --server wss://domain.com:443 --password hello --name 'my brook wssserver'

Run brook wssserver issue untrusted certificates yourself, any domain

Install mad

nami install mad

Generate root ca

mad ca --ca /root/ca.pem --key /root/cakey.pem

Generate domain cert by root ca

mad cert --ca /root/ca.pem --ca_key /root/cakey.pem --cert /root/cert.pem --key /root/certkey.pem --domain domain.com

Run brook

brook wssserver --domainaddress domain.com:443 --password hello --cert /root/cert.pem --certkey /root/certkey.pem

get brook link with --insecure

brook link --server wss://domain.com:443 --password hello --name 'my brook wssserver' --address 1.2.3.4:443 --insecure

or get brook link with --ca

brook link --server wss://domain.com:443 --password hello --name 'my brook wssserver' --address 1.2.3.4:443 --ca /root/ca.pem

withoutBrookProtocol

Better performance, but the data is not strongly encrypted using the Brook protocol, so please use certificate encryption. Using --withoutBrookProtocol and --insecure together is not recommended

withoutBrookProtocol: automatic certificate

Make sure your domain has been resolved to your server IP successfully. Automatic certificate issuance requires the use of port 80

brook wssserver --domainaddress domain.com:443 --password hello --withoutBrookProtocol

get brook link

brook link --server wss://domain.com:443 --password hello --withoutBrookProtocol

withoutBrookProtocol Use a certificate issued by an existing trust authority

Make sure your domain has been resolved to your server IP successfully

brook wssserver --domainaddress domain.com:443 --password hello --cert /root/cert.pem --certkey /root/certkey.pem --withoutBrookProtocol

get brook link

brook link --server wss://domain.com:443 --password hello --name 'my brook wssserver' --withoutBrookProtocol

withoutBrookProtocol issue untrusted certificates yourself, any domain

Install mad

nami install mad

Generate root ca

mad ca --ca /root/ca.pem --key /root/cakey.pem

Generate domain cert by root ca

mad cert --ca /root/ca.pem --ca_key /root/cakey.pem --cert /root/cert.pem --key /root/certkey.pem --domain domain.com

Run brook wssserver

brook wssserver --domainaddress domain.com:443 --password hello --cert /root/cert.pem --certkey /root/certkey.pem --withoutBrookProtocol

Get brook link

brook link --server wss://domain.com:443 --password hello --withoutBrookProtocol --address 1.2.3.4:443 --ca /root/ca.pem
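The wssserver and withoutBrookProtocol sections above differ only in a few flags, so the combination the text advises against is easy to check mechanically. The following is an added example, not part of brook or its documentation; the function names and the sample command lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of brook. Flags the option mix the text warns about.

# audit_brook_cmd "<command line>"
# Prints a verdict; returns 0 = ok, 1 = warning, 2 = unsafe combination.
audit_brook_cmd() {
    insecure=0; wbp=0
    # Unquoted $1 splits on whitespace; only flag tokens matter here.
    for tok in $1; do
        case "$tok" in
            --insecure)             insecure=1 ;;
            --withoutBrookProtocol) wbp=1 ;;
        esac
    done
    if [ "$insecure" -eq 1 ] && [ "$wbp" -eq 1 ]; then
        echo "UNSAFE: TLS is the only encryption and certificate checks are off"
        return 2
    elif [ "$insecure" -eq 1 ]; then
        echo "WARN: server certificate is not verified; prefer --ca with your root CA"
        return 1
    fi
    echo "OK"
    return 0
}

# Constructed sample: lines as they might appear in a provisioning script.
sample_commands() {
    cat <<'EOF'
brook link --server wss://domain.com:443 --password hello --address 1.2.3.4:443 --ca /root/ca.pem
brook link --server wss://domain.com:443 --password hello --address 1.2.3.4:443 --insecure
brook link --server wss://domain.com:443 --password hello --withoutBrookProtocol --address 1.2.3.4:443 --insecure
EOF
}

# audit_stream: reads command lines on stdin, reports each, returns the worst code.
audit_stream() {
    worst=0
    while IFS= read -r line; do
        if verdict=$(audit_brook_cmd "$line"); then rc=0; else rc=$?; fi
        echo "$verdict  <=  $line"
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    return "$worst"
}

audit_samples() { sample_commands | audit_stream; }
audit_samples || echo "worst severity: $?"
```

Piping a real provisioning script into `audit_stream` gives the same per-line report, and the return code can gate a deployment step.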

Run brook socks5, a stand-alone standard socks5 server

brook socks5 --listen :1080 --socks5ServerIP 1.2.3.4

then

  • server: 1.2.3.4:1080

or get brook link

brook link --server socks5://1.2.3.4:1080

Run brook socks5 with username and password. A stand-alone standard socks5 server

brook socks5 --listen :1080 --socks5ServerIP 1.2.3.4 --username hello --password world

then

  • server: 1.2.3.4:1080
  • username: hello
  • password: world

or get brook link

brook link --server socks5://1.2.3.4:1080 --username hello --password world

brook relayoverbrook relays a local address to a remote address over brook, for both TCP and UDP. It works with brook server, wsserver and wssserver.

brook relayoverbrook ... --from 127.0.0.1:5353 --to 8.8.8.8:53

brook dnsserveroverbrook creates an encrypted DNS server, for both TCP and UDP. It works with brook server, wsserver and wssserver.

brook dnsserveroverbrook ... --listen 127.0.0.1:53

Brook OpenWRT Router: Perfectly supports IPv4/IPv6/TCP/UDP. Native IPv6

https://www.txthinking.com/talks/articles/brook-openwrt-en.article

Turn macOS into a Gateway with Brook

https://www.txthinking.com/talks/articles/brook-macos-gateway-en.article

Turn Windows into a Gateway with Brook

https://www.txthinking.com/talks/articles/brook-windows-gateway-en.article

Turn Linux into a Gateway with Brook

https://www.txthinking.com/talks/articles/brook-linux-gateway-en.article

brook relay relays an address to a remote address. It can relay any TCP or UDP server.

brook relay --from :9999 --to 1.2.3.4:9999

brook socks5tohttp converts a socks5 proxy to an HTTP proxy

brook socks5tohttp --socks5 127.0.0.1:1080 --listen 127.0.0.1:8010

brook pac creates pac server

brook pac --listen 127.0.0.1:8080 --proxy 'SOCKS5 127.0.0.1:1080; SOCKS 127.0.0.1:1080; DIRECT' --bypassDomainList ...

brook pac creates pac file

brook pac --file proxy.pac --proxy 'SOCKS5 127.0.0.1:1080; SOCKS 127.0.0.1:1080; DIRECT' --bypassDomainList ...

There are countless examples; for more feature suggestions, it's best to go through the commands and parameters in the CLI documentation one by one, as well as the blog, YouTube...

Diagram

Maybe outdated

Diagram images are not reproduced here: overview, withoutBrookProtocol, relayoverbrook, dnsserveroverbrook, relay, dnsserver, tproxy, gui, script.


brook's Issues

What does "Unsupport URL" mean? How do I fix it?

root@localhost:~# ./brook bkserver --listen :9999 -p mypassword -t 10 -m mymusicname
Unsupport URL
root@localhost:~# ./brook bkserver -l :9999 -p mypassword -t 10 -m mymusicname
Unsupport URL
root@localhost:~#

What does "Unsupport URL" mean? How do I fix it?

Is it a lifetime free software?

It is a good software and way better than many other VPNs. But is it a lifetime free software?
I used Lantern before, but it is not free any more and not as stable as before. And brook is way better than it!!!
Thx for standing against the GFW!

Can't work with iphone 6

The same account works on my iPhone 7, but not on the iPhone 6, which can't reach external sites. I don't know why 🙃

Screenshots

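Could you add screenshots here on GitHub to give an idea of what the GUI looks like?

Some suggestions

I suggest adding a filter option, so that users can choose for themselves whether or not to use global mode.

Why doesn't the iOS client work?

On my iPhone, I downloaded the client. Its ss version works fine, but the brook version doesn't work at all and can't be used to get past the firewall, even though "VPN" appears at the top of the iPhone screen. Have you tested whether brook mode can get past the firewall?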

Can't use in the macos

I can't use it on macOS. The link is https://github.com/txthinking/brook/releases/download/v20170330/brookmacos
It shows me this:

未能打开文稿“brookmacos”。文本编码“Unicode (UTF-8)”不适用

Then I set the config to support it, but it doesn't work.

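Whitelist and win64 client crash issues

The international version of Weibo for Android is not in the whitelist...

Although letting users choose which apps are proxied would go against the original goal of being simple and easy to configure,

I still sincerely hope this feature can be added; after all, a whitelist will inevitably have omissions.

I'm on WIN7 X64, but both the 32-bit and 64-bit clients crash on launch, even when run as administrator.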

Request ARM/ARM64 Version of the Server (or compile-from-source tutorial)

Describe actual behavior

I have a Raspi and I want to set a Brook server based on ARMv7(Linux)
But I have no previous experience of go-compiling.

What is your expected behavior

Do you have any plan to release an ARM/ARM64 version of the Brook server? Or can you provide a compile-from-source tutorial for Brook? Many thanks!

Specifications like the version of the project, operating system, or hardware

Raspberry Pi 3, Orange Pi

In any case, super thanks to the original author for the contribution.

Sometimes if the process is killed by the system, the VPN cannot be stopped

Describe actual behavior

Sometimes, if the process is killed by the system, pressing the stop button does not quit the VPN.

What is your expected behavior

If I press the stop button, the VPN should quit.

Specifications like the version of the project, operating system, or hardware

Brook for Android version: 20170323

Steps to reproduce the problem

Can not reproduce accurately.

build error

Describe actual behavior

./brook: line 1: syntax error near unexpected token newline' ./brook: line 1: !'

What is your expected behavior

Specifications like the version of the project, operating system, or hardware

go version go1.7.4 linux/amd64

Steps to reproduce the problem

I use the following command to compile the code

  1. go get github.com/txthinking/socks5 ant pac brook
  2. sh cli/brook/buildAll.sh

Then it says the syntax error.

How to run brook as daemon/background

Is it possible to run the process of proxy server as daemon process?
Won't this process be killed as soon as I disconnect the terminal session with remote promote server?

Music response

The brook server should respond with some (random) content with music to invalid (not brook) requests

http request always goes through proxy, https is ok.

Describe actual behavior

open http://nstool.netease.com in the browser on iOS, it goes through the proxy.
open https://nstool.netease.com in the browser on iOS, it connects directly.

What is your expected behavior

The nstool.netease.com domain is in the white list https://github.com/txthinking/pac,
so it should be connected directly over both http and https.

Specifications like the version of the project, operating system, or hardware

  • Brook Server: 20170330
  • Brook iOS: 20170401

Steps to reproduce the problem

  1. Setup brook server
  2. Install brook for iOS and set server information
  3. start and ensure proxy works.
  4. open http://nstool.netease.com

Do I need to worry about my information when using this app?

I have downloaded this app on my iOS device. First of all, thank you for offering such a totally free and good app for us, but I feel quite uneasy: since it is free, I am quite worried about my information. Should I worry about that?

ios telegram always connecting..

Telegram on iOS can't connect to the network. In the Telegram client on Mac, I can set the SOCKS5 proxy to the ss proxy address,
but on iOS, how do I get the IP and port that brook opens?

iOS socket error in twitter app

Describe actual behavior

In the Twitter app, it can't connect to Twitter when logging in; an alert shows a socket error

What is your expected behavior

Login and enter twitter app

Specifications like the version of the project, operating system, or hardware

brook 20170323, iOS 10

Steps to reproduce the problem

  1. open Brook, and config server information, press start
  2. visit google.com in browser for ensuring connect server successful
  3. open twitter app, login

It showed c://Program Files/Internet Explorer/iexplore.exe: file not exist

OS: Windows 10 RS1 64bit
Default Web Browser: Google Chrome 58
IE wasn't my default web browser and it was turned off from the control panel. When Brook.exe was running, it always showed [Brook] exeac: "c://Program Files/Internet Explorer/iexplore.exe": file not exist. How should I deal with this issue? Is re-enabling IE from the control panel the only way to solve the problem? Waiting for your advice. Thanks anyway and best wishes!

Pretty interesting

I've set up a server at a.o-l.pw:62499, password justforfun, music chinamobile_sdc, for everyone to play with. Security is not guaranteed; it is for testing only. Please also help test how well it works. 😀😀😀😀😀😀
