; Example wstunnel settings: one [server] section and one [client] section.
; Layout: one directive per line, full-line ";" comments only.
; Lines of the form "; key = value" are disabled examples; remove the leading
; ";" to activate them.
; This file can hold credentials (proxy logins, upgrade credentials, SOCKS5
; passwords) in clear text: keep it readable only by the account that runs
; wstunnel and keep real values out of version control.

[server]
; Address to bind the wstunnel server (ws:// for non-TLS, wss:// for TLS)
; Example: wss://0.0.0.0:8080 or ws://[::]:8080
; 0.0.0.0 listens on every IPv4 interface of the host.
; NOTE(review): every access control in this section (restrict_to,
; restrict_http_upgrade_path_prefix, restrict_config, tls_client_ca_certs) is
; commented out; confirm what an unrestricted server permits before exposing
; this port.
bind_address = wss://0.0.0.0:8080

; (Linux only) Mark network packets with SO_MARK sockoption
; Requires root, sudo, or specific capabilities
; socket_so_mark = 123

; Frequency of websocket ping to clients (set to 0 to disable)
websocket_ping_frequency = 30s

; Disable color output in logs
; no_color = true

; Enable masking of websocket frames (only for non-TLS ws://, adds overhead)
; websocket_mask_frame = false

; DNS resolver(s) for domain name lookups
; Can specify multiple resolvers (e.g., dns://1.1.1.1, dns+https://1.1.1.1?sni=cloudflare-dns.com)
; Use system://0.0.0.0 for libc resolver
; dns_resolver = dns://1.1.1.1

; Prefer IPv4 over IPv6 for DNS resolution (useful for broken IPv6 connections)
; dns_resolver_prefer_ipv4 = false

; Log verbosity level (TRACE, DEBUG, INFO, WARN, ERROR, OFF)
log_level = INFO

; Restrict connections to specific destination:port pairs
; Can specify multiple restrictions
; Listing only the destinations the tunnel is meant to reach keeps the server
; from relaying to anything else.
; restrict_to = google.com:443, localhost:22

; Restrict websocket upgrade to specific path prefix (acts as a client authentication secret)
; Because the prefix is the secret, use a long random value rather than a
; guessable path, and serve it over wss:// only: the path travels in the HTTP
; upgrade request and is readable on the wire with ws://.
; The client's http_upgrade_path_prefix has to carry the same value.
; restrict_http_upgrade_path_prefix = /custom/path

; Path to YAML restriction config file (automatically reloaded on change)
; The file is re-read on change, so write access to it is write access to the
; server's restriction policy.
; restrict_config = /path/to/restrict.yaml

; Custom TLS certificate (PEM format, auto-reloaded on change)
; NOTE(review): bind_address uses wss:// while this key is disabled; confirm
; which certificate the server presents in that case.
; tls_certificate = /path/to/certificate.pem

; Custom TLS private key (PEM, EC, or RSA, auto-reloaded on change)
; Keep the key file readable only by the account that runs the server.
; tls_private_key = /path/to/private_key.pem

; Enable mTLS by specifying CA certificates for client authentication (PEM, auto-reloaded)
; tls_client_ca_certs = /path/to/ca_certs.pem

; HTTP proxy to connect to clients (format: user:pass@host:port)
; The user:pass part is stored here in clear text.
; http_proxy = user:pass@proxy.example.com:8080

; Override HTTP proxy login
; http_proxy_login = custom_login

; Override HTTP proxy password
; http_proxy_password = custom_password

; Idle timeout for remote-to-local server before unbinding (default: 3 minutes)
remote_to_local_server_idle_timeout = 3m

; Number of worker threads (set via environment variable TOKIO_WORKER_THREADS)
; Note: This flag is ignored in the command line, use environment variable instead
; nb_worker_threads = 4

[client]
; Address of the wstunnel server (supports ws://, wss://, http://, https://)
; Example: wss://wstunnel.example.com or https://wstunnel.example.com
; With ws:// or http:// the tunnel is not encrypted, and the upgrade path
; prefix and any upgrade credentials are sent in the clear.
server_address = wss://wstunnel.example.com

; Local-to-remote forwarding rules (tcp, udp, socks5, stdio, unix)
; Can specify multiple rules
; Examples:
; - tcp://1212:google.com:443 (listen locally on port 1212, forward to google.com:443)
; - udp://1212:1.1.1.1:53?timeout_sec=10 (listen on UDP port 1212, forward to 1.1.1.1:53, timeout after 10s)
; - socks5://[::1]:1212?login=admin&password=admin (SOCKS5 proxy with authentication)
; - stdio://google.com:443 (forward stdio to google.com:443)
; - unix:///tmp/wstunnel.sock:google.com:443 (listen on Unix socket, forward to google.com:443)
; The admin/admin pair above only illustrates the syntax; a real rule needs
; its own credentials, and they are stored in this file in clear text.
; local_to_remote = tcp://1212:google.com:443

; Remote-to-local forwarding rules (tcp, udp, socks5, unix)
; Can specify multiple rules
; Examples:
; - tcp://1212:google.com:443 (server listens on port 1212, forwards to local google.com:443)
; - socks5://[::1]:1212 (server listens for SOCKS5, forwards dynamically to local)
; The listener is opened on the server side, so whoever can reach that server
; port is forwarded through this client.
; remote_to_local = tcp://1212:google.com:443

; Disable color output in logs
; no_color = true

; (Linux only) Mark network packets with SO_MARK sockoption
; Requires root, sudo, or specific capabilities
; socket_so_mark = 123

; Maximum number of idle connections to keep open to the server
; NOTE(review): the key name says "min" while this description says
; "maximum"; confirm the intended meaning.
connection_min_idle = 0

; Number of worker threads (set via environment variable TOKIO_WORKER_THREADS)
; Note: This flag is ignored in the command line, use environment variable instead
; nb_worker_threads = 4

; Maximum backoff time for retrying server connections
connection_retry_max_backoff = 5m

; Log verbosity level (TRACE, DEBUG, INFO, WARN, ERROR, OFF)
log_level = INFO

; Domain name for SNI during TLS handshake
; Required if behind a CDN like Cloudflare to match HTTP HOST header
; tls_sni_override = example.com

; Disable sending SNI during TLS handshake
; tls_sni_disable = false

; Enable TLS certificate verification (disabled by default, allows self-signed certs)
; While verification is disabled the client accepts any certificate, so the
; server is not authenticated and a party on the network path can terminate
; the TLS session in its place. Set this to true whenever the server presents
; a certificate the client can validate.
; tls_verify_certificate = false

; HTTP proxy to connect to the server (format: user:pass@host:port)
; The user:pass part is stored here in clear text.
; http_proxy = user:pass@proxy.example.com:8080

; Override HTTP proxy login
; http_proxy_login = custom_login

; Override HTTP proxy password
; http_proxy_password = custom_password

; HTTP upgrade path prefix for websocket upgrade request
; If the server sets restrict_http_upgrade_path_prefix, this value is what
; authenticates the client and should be treated as a secret.
http_upgrade_path_prefix = v1

; Basic auth credentials for HTTP upgrade request (format: user:pass)
; Basic auth is only encoded, not encrypted; send it over wss:// or https://.
; http_upgrade_credentials = user:pass

; Frequency of websocket pings to the server (set to 0 to disable)
websocket_ping_frequency = 30s

; Enable masking of websocket frames (only for non-TLS ws://, adds overhead)
; websocket_mask_frame = false

; Custom headers for HTTP upgrade request (format: HEADER_NAME: HEADER_VALUE)
; Can specify multiple headers
; http_headers = X-Custom-Header: Value

; File containing custom headers for HTTP upgrade request (format: HEADER_NAME: HEADER_VALUE per line)
; http_headers_file = /path/to/headers.txt

; TLS certificate (PEM) for mTLS client authentication
; Automatically reloaded on change
; tls_certificate = /path/to/certificate.pem

; TLS private key (PEM) for mTLS client authentication
; Automatically reloaded on change
; Keep the key file readable only by the account that runs the client.
; tls_private_key = /path/to/private_key.pem

; DNS resolver(s) for domain name lookups
; Can specify multiple resolvers (e.g., dns://1.1.1.1, dns+https://1.1.1.1?sni=cloudflare-dns.com)
; Use system://0.0.0.0 for libc resolver
; dns_resolver = dns://1.1.1.1

; Prefer IPv4 over IPv6 for DNS resolution (useful for broken IPv6 connections)
; dns_resolver_prefer_ipv4 = false