Squashed commit of the following:
commit 69935cd567e440938fa141dfec7c2105e819c1d0
Author: Sergey Fionov <sfionov@adguard.com>
Date: Tue Apr 28 17:26:40 2026 +0300
Post in separate job
commit 059e5e1a985c0067704eee611c092667aedca49e
Author: Andrey Yakushin <a.yakushin@adguard.com>
Date: Thu Apr 16 15:59:19 2026 +0400
Update docs
commit ebc44df9614759c80e945ed866b74aec0e2fdad9
Author: Andrey Yakushin <a.yakushin@adguard.com>
Date: Wed Apr 15 18:46:51 2026 +0400
Remove ghcr stuff from workflow
commit 17b2dce10221e10bfb86d9e598bb11f3e7d07229
Author: Andrey Yakushin <a.yakushin@adguard.com>
Date: Wed Apr 15 18:06:04 2026 +0400
Use endpoint_ref if provided
commit aec9274a943ccf9984a05388d82bacf60d34ede2
Author: Andrey Yakushin <a.yakushin@adguard.com>
Date: Wed Apr 15 17:57:54 2026 +0400
Remove PR number from inputs
commit 49e46a2d8d257cad3cb0fa7a299893fcfad2f00b
Author: Andrey Yakushin <a.yakushin@adguard.com>
Date: Wed Apr 15 17:13:16 2026 +0400
Fix bench for PRs from forks
commit 27054519da6b1f18550ada3786bbf707f228752c
Author: Andrey Yakushin <a.yakushin@adguard.com>
Date: Wed Apr 15 16:22:48 2026 +0400
Add worker_processes auto to nginx
commit 4cf615040849f0122dfe025b0e7fbb3ceafc857a
Author: Andrey Yakushin <a.yakushin@adguard.com>
Date: Wed Apr 15 15:32:47 2026 +0400
User friendly client_repo input
commit 3f5e323bfc5c266df2b15e0269e4db3d67a5e07c
Author: Andrey Yakushin <a.yakushin@adguard.com>
Date: Tue Apr 14 18:03:47 2026 +0400
Fix wg images
commit 63ea8f7d0ab89f3e354fecfad1b2ef8edb0b95eb
Author: Andrey Yakushin <a.yakushin@adguard.com>
Date: Tue Apr 14 15:55:31 2026 +0400
Remove unneded endpoint ref input
commit 9c3ed6121b369c873c9ec6a262509be61e70268f
Author: Andrey Yakushin <a.yakushin@adguard.com>
Date: Tue Apr 14 14:45:29 2026 +0400
Add options to bench tests type
commit e7c51798e029489e2e10c11fea16250953f62061
Author: Andrey Yakushin <a.yakushin@adguard.com>
Date: Tue Apr 14 13:39:37 2026 +0400
Round off the speed
commit 5c042d636f72520ea5a368db3157b15bc6c62ee3
Author: Andrey Yakushin <a.yakushin@adguard.com>
Date: Tue Apr 14 13:39:01 2026 +0400
Remove redundant line
commit 6616902656925ff17e83165dc084b8768c79616d
Author: Andrey Yakushin <a.yakushin@adguard.com>
Date: Tue Apr 14 12:21:35 2026 +0400
Fix post comment job
commit c627f5fe178e49d17ac3c8ccd927955332cfa7a7
Author: Andrey Yakushin <a.yakushin@adguard.com>
Date: Tue Apr 14 11:25:31 2026 +0400
fixup! Fix cache mounting
commit 6b445861b4a5ce14f75d2740f4cf68b0e2ce0313
Author: Andrey Yakushin <a.yakushin@adguard.com>
Date: Tue Apr 14 11:25:19 2026 +0400
Improve removing containers
commit 42410ae41932cf17d12c0321725e822a6cc0d0bf
Author: Andrey Yakushin <a.yakushin@adguard.com>
Date: Tue Apr 14 11:23:31 2026 +0400
Remove -x from scripts
commit 344992bf0f7d6e57279138aca6df4c5f04fbd2de
Author: Andrey Yakushin <a.yakushin@adguard.com>
Date: Tue Apr 14 11:22:59 2026 +0400
Fix naming
commit 2cd55b892d12c0f9bdad800192a78e249822e594
Author: Andrey Yakushin <a.yakushin@adguard.com>
Date: Mon Apr 13 18:10:09 2026 +0400
Fix cache mounting
commit 32518375743cda7e9b6d5bc07988ec81c97b96d8
Author: Andrey Yakushin <a.yakushin@adguard.com>
Date: Mon Apr 13 17:44:34 2026 +0400
Add workflow for endpoint bench
... and 4 more commits
|
||
|---|---|---|
| .github | ||
| bamboo-specs | ||
| bench | ||
| deeplink | ||
| endpoint | ||
| fastlane | ||
| lib | ||
| macros | ||
| scripts | ||
| tools | ||
| .dockerignore | ||
| .gitignore | ||
| .markdownlint.json | ||
| AGENTS.md | ||
| Cargo.lock | ||
| Cargo.toml | ||
| CERT_RENEWAL.md | ||
| CHANGELOG.md | ||
| CONFIGURATION.md | ||
| DEEP_LINK.md | ||
| DEVELOPMENT.md | ||
| docker-compose.yml | ||
| docker-entrypoint.sh | ||
| Dockerfile | ||
| Dockerfile.prebuilt | ||
| Gemfile | ||
| Gemfile.lock | ||
| LICENSE | ||
| Makefile | ||
| METRICS.md | ||
| PROTOCOL.md | ||
| README.md | ||
| rust-toolchain.toml | ||
| VERIFY_RELEASES.md | ||
Clients · App store · Play store
Table of Contents
Introduction
TrustTunnel is a modern, open-source VPN protocol originally developed by AdGuard VPN and now available for anyone to use and audit.
It delivers fast, secure, and reliable VPN connections without the usual trade-offs. By design, TrustTunnel traffic is indistinguishable from regular HTTPS traffic, allowing it to bypass throttling and deep-packet inspection while maintaining strong privacy protections.
The TrustTunnel project includes the VPN endpoint (this repository), the library and CLI for the client, and the GUI application.
Server Features
-
VPN Protocol: The library implements the VPN protocol compatible with HTTP/1.1, HTTP/2, and QUIC. By mimicking regular network traffic, it becomes impossible to detect and block.
-
Flexible Traffic Tunneling: TrustTunnel can tunnel TCP, UDP, and ICMP traffic to and from the client.
-
Platform Compatibility: The server is compatible with Linux and macOS. The client is available for Android, Apple, Windows, and Linux.
Client Features
-
Traffic Tunneling: The library is capable of tunneling TCP, UDP, and ICMP traffic from the client to the endpoint and back.
-
Cross-Platform Support: It supports Linux, macOS, and Windows platforms, providing a consistent experience across different operating systems.
-
System-Wide Tunnel and SOCKS5 Proxy: It can be set up as a system-wide tunnel, utilizing a virtual network interface, as well as a SOCKS5 proxy.
-
Split Tunneling: The library supports split tunneling, allowing users to exclude connections to certain domains or hosts from routing through the VPN endpoint, or vice versa, only routing connections to specific domains or hosts through the endpoint based on an exclusion list.
-
Custom DNS Upstream: Users can specify a custom DNS upstream, which is used for DNS queries routed through the VPN endpoint.
Quick start
Endpoint setup
Install the endpoint
An installation script is available that can be run with the following command:
curl -fsSL https://raw.githubusercontent.com/TrustTunnel/TrustTunnel/refs/heads/master/scripts/install.sh | sh -s -
The installation script will download the prebuilt package from the latest
GitHub release for the appropriate system architecture and unpack it to
/opt/trusttunnel. The output directory could be overridden by specifying
-o DIR flag at the end of the command above.
If you want to install a specific version (instead of the latest), use -V <version>:
curl -fsSL https://raw.githubusercontent.com/TrustTunnel/TrustTunnel/refs/heads/master/scripts/install.sh | sh -s - -V <version>
Note
Prebuilt packages are available for
linux-x86_64,linux-aarch64, andmacos-universal(Intel and Apple Silicon) architectures.
Updating the endpoint
The installation script always installs the latest available version. So, to update your installation, run the install command again:
curl -fsSL https://raw.githubusercontent.com/TrustTunnel/TrustTunnel/refs/heads/master/scripts/install.sh | sh -s -
This re-runs the installer and replaces the binaries in the installation
directory (/opt/trusttunnel by default, or the directory you specified with -o DIR).
Note
Don't forget to stop the endpoint before updating:
sudo systemctl stop trusttunnelTo start the endpoint again after updating:
sudo systemctl start trusttunnel
Endpoint configuration wizard
Please refer to the CONFIGURATION.md for the more detailed documentation on how to configure the endpoint.
The installation directory contains setup_wizard binary that helps generate
the config files required for the endpoint to run:
cd /opt/trusttunnel/
./setup_wizard -h
The setup wizard supports interactive mode, so you could run it and it will ask for data required for endpoint configuration.
cd /opt/trusttunnel/
sudo ./setup_wizard
Note
sudois required to manage TLS certificates properly.
The wizard will ask for the following fields, some of them have the default values you could safely use:
-
The address to listen on - specify the address for the endpoint to listen on. Use
0.0.0.0:443for native deployments (HTTPS on all interfaces). If you run with Docker port mapping443:8443, set it to0.0.0.0:8443. -
Path to credentials file - path where the user credentials for authorization will be stored.
-
Username - the username the user will use for authorization.
-
Password - the user's password.
-
Add one more user? - select
yesif you want to add more users, ornoto continue the configuration process. -
Path to the rules file - path to store the filtering rules.
-
Connection filtering rules - you can add rules that the endpoint will use to allow or disallow user's connections based on:
- Client IP address
- TLS random prefix
- TLS random with mask
Press
nto allow all connections. -
Path to a file to store the library settings - path to store the main endpoint configuration file.
-
Certificate selection - choose how to obtain a TLS certificate:
- Issue a Let's Encrypt certificate (requires a public domain) - the
setup wizard has built-in ACME support and can automatically obtain a free,
publicly trusted certificate from Let's Encrypt. You'll need:
- A registered domain pointing to your server's IP address
- Port 80 accessible from the internet (for HTTP-01 challenge), or
- Ability to add DNS TXT records (for DNS-01 challenge)
- Generate a self-signed certificate - suitable for testing or when using the CLI client only. Note: The Flutter client does not support self-signed certificates yet.
- Provide path to existing certificate - use your own certificate files obtained from another CA or tool like certbot.
- Issue a Let's Encrypt certificate (requires a public domain) - the
setup wizard has built-in ACME support and can automatically obtain a free,
publicly trusted certificate from Let's Encrypt. You'll need:
-
Path to a file to store the TLS hosts settings - path to store the TLS host settings file.
At this point all required configuration files are created and saved on disk.
Let's Encrypt certificate lifecycle
The setup wizard can obtain a Let's Encrypt certificate during initial setup, but you are responsible for ensuring it stays valid over time (renewal and service reload/restart).
If you're using Certbot to manage certificates and renew them automatically, follow the guide in CERT_RENEWAL.md.
Running endpoint
The installed package contains the systemd service template, named
trusttunnel.service.template.
This template can be used to set up the endpoint as a systemd service:
Note
The template file assumes that the TrustTunnel Endpoint binary and all its configuration files are located in
/opt/trusttunneland have the default file names. Modify the template if you have used the different paths.
cd /opt/trusttunnel/
cp trusttunnel.service.template /etc/systemd/system/trusttunnel.service
sudo systemctl daemon-reload
sudo systemctl enable --now trusttunnel
Export client configuration
The endpoint binary can generate client configurations in two formats:
Deep-Link Format (Default)
Generate a compact tt://? URI suitable for QR codes and mobile apps:
# <client_name> - name of the client those credentials will be included in the configuration
# <address> - `ip`, `ip:port`, `domain`, or `domain:port` that the client will use to connect
# If only `ip` or `domain` is specified, the port from the `listen_address` field will be used
cd /opt/trusttunnel/
./trusttunnel_endpoint vpn.toml hosts.toml -c <client_name> -a <address>
# Or explicitly specify the format:
./trusttunnel_endpoint vpn.toml hosts.toml -c <client_name> -a <address> --format deeplink
This outputs a tt://? deep-link URI that can be:
- Shared directly with mobile clients
- Used with the CLI client or TrustTunnel Flutter Client
You can also provide additional options:
--name <display_name>: Set a custom display name for the server in the client app.--dns-upstream <dns_upstream>: Specify a DNS upstream for the client. Can be an IP address or a secure DNS URI (e.g.,tls://1.1.1.1,https://dns.google/dns-query). This flag can be used multiple times to provide a list of DNS upstreams.
Example with custom name and DNS upstreams:
./trusttunnel_endpoint vpn.toml hosts.toml -c <client_name> -a <address> \
--name "My Secure VPN" \
--dns-upstream 1.1.1.1 --dns-upstream tls://8.8.8.8
When --generate-client-random-prefix is used, the endpoint also appends an
allow rule for the generated value to the rules.toml file referenced from
vpn.toml.
Note: If your certificate is signed by a trusted CA (e.g., Let's Encrypt), it will be automatically omitted from the deep-link to keep it compact. Self-signed certificates are included automatically.
TOML Format (For CLI Client)
Generate a traditional TOML configuration file:
cd /opt/trusttunnel/
./trusttunnel_endpoint vpn.toml hosts.toml -c <client_name> -a <public_ip> --format toml
This outputs a TOML configuration file suitable for the CLI client.
Both formats contain all necessary information to connect to the endpoint. See the TrustTunnel Flutter Client documentation for setup instructions.
Congratulations! You've done setting up the endpoint!
Client setup
Multiple clients are available for connecting to the endpoint — see the Clients section for the full list. The instructions below cover the official CLI client setup.
Install the client
Linux / macOS
An installation script is available:
curl -fsSL https://raw.githubusercontent.com/TrustTunnel/TrustTunnelClient/refs/heads/master/scripts/install.sh | sh -s -
The installation script will download the prebuilt package from the latest GitHub release for the appropriate system architecture and unpack it to /opt/trusttunnel_client. The output directory could be overridden by specifying -o DIR flag at the end of the command above.
Note
Install script supports x86_64, aarch64, armv7, mips and mipsel architectures for linux and arm64 and x86_64 for macos.
Windows
Download the latest release archive from the TrustTunnel Client releases page.
Extract the archive to a directory of your choice, for example C:\TrustTunnel\.
Router setup
For router deployments, please refer to router-specific client installation guides.
- Keenetic routers: TrustTunnel-Keenetic (guide in Russian)
Updating the client
Linux / macOS
The installation script always installs the latest available version. So, to update your installation, run the install command again:
curl -fsSL https://raw.githubusercontent.com/TrustTunnel/TrustTunnelClient/refs/heads/master/scripts/install.sh | sh -s -
This re-runs the installer and replaces the binaries in the installation directory (/opt/trusttunnel_client by default, or the directory you specified with -o DIR).
Note
Don't forget to stop the client before updating (for example, by stopping the running process).
Windows
Download the latest release from the releases page and replace the files in your installation directory.
Client configuration wizard
The installation directory contains setup_wizard binary that helps generate
the config files required for the client to run.
Linux / macOS
cd /opt/trusttunnel_client/
./setup_wizard -h
To configure the client to use the config that was generated by endpoint, run the following command:
./setup_wizard --mode non-interactive \
--endpoint_config <endpoint_config> \
--settings trusttunnel_client.toml
Windows
setup_wizard.exe --mode non-interactive ^
--endpoint_config <endpoint_config> ^
--settings trusttunnel_client.toml
In both cases, <endpoint_config> is the path to the configuration file
generated by the endpoint.
trusttunnel_client.toml will contain all required configuration for the
client.
Tip
The generated configuration contains basic settings to connect to the endpoint. For advanced features, edit
trusttunnel_client.tomldirectly. You can configure:
- VPN mode: Route all traffic (
general) or only specific destinations (selective)- Kill switch: Block traffic when VPN disconnects
- DNS upstreams: Custom DNS resolvers (DoH, DoT, DoQ supported)
- Exclusions: Domains/IPs to bypass or route through VPN
- Listener type: TUN device or SOCKS5 proxy
See the TrustTunnel CLI Client README for all available options.
Note
After editing the config, restart the client for the changes to take effect.
Running client
Linux / macOS
cd /opt/trusttunnel_client/
sudo ./trusttunnel_client -c trusttunnel_client.toml
sudo is required to set up the routes and tun interface.
Windows
Open a terminal as Administrator and run:
trusttunnel_client.exe -c trusttunnel_client.toml
Administrator privileges are required to set up routes and the TUN interface.
Clients
Official
CLI
TrustTunnel Client — Linux, macOS, Windows
GUI
TrustTunnel Flutter Client — iOS, Android (macOS, Windows — coming soon). Available on App Store* and Play Store.
Note
* In some countries, the iOS app is not available in the App Store. You may need an Apple ID from another country to download it. Learn how to change your App Store country.
Community
Note
Community clients are developed and maintained independently. They are not officially supported by the TrustTunnel team.
GUI
TrustTunnel-GUI-Client — Windows GUI client, implemented as a Python wrapper for TrustTunnel Client
Surge — (Commercial) macOS and iOS network toolbox with experimental TrustTunnel support
See Also
- CONFIGURATION.md - Configuration documentation
- DEVELOPMENT.md - Development documentation
- PROTOCOL.md - Protocol specification
- CHANGELOG.md - Changelog
- VERIFY_RELEASES.md - How to verify releases
Roadmap
While our VPN currently supports tunneling TCP/UDP/ICMP traffic, we plan to add support for peer-to-peer communication between clients.
Stay tuned for this feature in upcoming releases.
License
This project is licensed under the Apache 2.0 License. See LICENSE for details.