TUN/TAP Device

GOST added support for TUN/TAP devices in version 2.9. You can create VPN via TUN/TAP devices.


You need to install the tap driver OpenVPN/tap-windows6 or OpenVPN client for Windows.



gost -L="tun://[method:password@][local_ip]:port[/remote_ip:port]?net="

method:password - Optional, encryption method and password for UDP tunnel. Supported methods are the same as shadowsocks/go-shadowsocks2.

local_ip:port - Local UDP tunnel listen address.

remote_ip:port - Optional, remote UDP server address, IP packets received by the local TUN device will be forwarded to the remote server via UDP tunnel.

net - Required, CIDR IP address of the TUN device, such as:

name - Optional, TUN device name.

mtu - Optional, MTU for TUN device. Default value is 1350.

route - Optional, comma-separated routing items, such as:,,

gw - Optional, routing gateway.

tcp - Optional, use fake TCP tunnel, default value is false means UDP-based tunnel.

Routing on server side (2.9.2+)

The server can access the client network by setting up routing table and gateway.

Default gateway

The server can set the default gateway through the gw parameter to specify the gateway of the routes in route parameter.

gost -L="tun://:8421?net=,"

Packets send to network and will be forwarded to the client with the IP through the TUN tunnel.

Gateway-specific routing

If you want to set a specific gateway for each route, you can specify it through a route configuration file:

gost -L="tun://:8421?net="

The configuration file route.txt format´╝Ü

# Destination   Gateway

The first column is the destination network.

The second column is the gateway.

Packets send to network will be forwarded to the client with the IP through the TUN tunnel.

Packets send to network will be forwarded to the client with the IP through the TUN tunnel.

TUN-based VPN (Linux)

The value specified by net option may need to be adjusted according to your actual situation.

Create a TUN device and establish a UDP tunnel

Server side
gost -L tun://:8421?net=
Client side
gost -L tun://:8421/SERVER_IP:8421?net=

When no error occurred, you can use the ip addr command to inspect the created TUN device:

$ ip addr show tun0
2: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1350 qdisc pfifo_fast state UNKNOWN group default qlen 500
    inet scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::d521:ad59:87d0:53e4/64 scope link flags 800 
       valid_lft forever preferred_lft forever

Now you can ping the server address:

$ ping
64 bytes from icmp_seq=1 ttl=64 time=9.12 ms
64 bytes from icmp_seq=2 ttl=64 time=10.3 ms
64 bytes from icmp_seq=3 ttl=64 time=7.18 ms

iperf3 testing

Server side
$ iperf3 -s
Client side
$ iperf3 -c

IP routing and firewall rules

If you want the client to access the server network, you need to set the corresponding routing table and firewall rules according to your needs. For example, all the client external network traffic can be forwarded to the server.

Server side

Enable IP forwarding and set up firewall rules

$ sysctl -w net.ipv4.ip_forward=1

$ iptables -t nat -A POSTROUTING -s ! -o tun0 -j MASQUERADE
$ iptables -A FORWARD -i tun0 ! -o tun0 -j ACCEPT
$ iptables -A FORWARD -o tun0 -j ACCEPT
Client side

Set up firewall rules

The following operations will change the client's network environment, unless you know what you are doing, please be careful!
$ ip route add SERVER_IP/32 dev eth0   # replace the SERVER_IP and eth0
$ ip route del default   # delete the default route
$ ip route add default via  # add new default route


TAP devices are not supported by macOS.


gost -L="tap://[method:password@][local_ip]:port[/remote_ip:port]?net="

TUN/TAP tunnel over TCP

The TUN/TAP tunnel in GOST is based on the UDP protocol by default.

If you want to use TCP, you can choose the following methods:

Fake TCP

Fake TCP is not standard TCP, it just simulates the TCP protocol.

This feature is only available on Linux.

GOST uses xtaci/tcpraw with built-in support for TCP. This feature can be enabled via the tcp option.

Server side
gost -L "tun://:8421?net="
Client side
gost -L "tun://:0/SERVER_IP:8421?net="

Proxy chain (2.9.1+)

You can add a proxy chain to forward UDP data, analogous to UDP port forwarding.

High flexibility and compatibility, recommended.

The last node of the proxy chain (the last -F parameter) must support GOST socks5 or ssu protocol type, the transport can be any one.

ssu is supported in 2.10.1+.

Server side
gost -L tun://:8421?net=" -L socks5://:1080
Client side
gost -L tun://:0/:8421?net= -F socks5://SERVER_IP:1080

GOST port forwarding

Based on UDP port forwarding and proxy chain.

Server side
gost -L tun://:8421?net= -L socks5://:1080
Client side
gost -L tun://:8421/:8420?net= -L udp://:8420/:8421 -F socks5://server_ip:1080

Third-party tools