shadowsocks/ech-tls-tunnel — explained in plain English
Analysis updated 2026-05-18
Hide a Shadowsocks tunnel's real destination from network observers using ECH.
Automatically obtain and renew a TLS certificate for the tunnel server on port 443 only.
Present a fake error page to probes that don't know the plugin's secret path.
| shadowsocks/ech-tls-tunnel | anthropics/cargo-nix-plugin | lily-protocol/lily-contracts | |
|---|---|---|---|
| Stars | 13 | 13 | 13 |
| Language | Rust | Rust | Rust |
| Setup difficulty | hard | hard | hard |
| Complexity | 4/5 | 4/5 | 4/5 |
| Audience | developer | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
Requires running on both server and client with port 443 available for automatic certificate issuance.
This is a plugin for Shadowsocks, a tool people use to route internet traffic through a server when direct access is restricted. The plugin's job is to disguise that traffic so it looks, to anyone watching the network, like an ordinary HTTPS connection to a harmless website rather than a tunnel. It does this by wrapping each connection in a combination of two technologies: WebSockets (a way to keep a two-way connection open inside normal web traffic) and a TLS feature called Encrypted Client Hello (ECH). When a browser or app connects to a website over TLS, it normally sends the destination's name in plain text at the start of the handshake so routing equipment can direct the request. ECH encrypts that name. This plugin uses ECH so the real tunnel domain is hidden, and only the decoy domain name is visible to outside observers. On the server side, the plugin automatically requests and renews a TLS certificate from Let's Encrypt using a method that works entirely on port 443, so no other ports need to be open. Any connection that does not arrive on the correct secret path gets a fake error page that mimics a default web server response, making it harder for automated probes to detect that a tunnel is running. To use it, you run the plugin alongside Shadowsocks on both a server and a client device. The server generates a cryptographic key pair, and the client receives a small configuration string derived from that key pair. Once both sides are configured, the client gets a local proxy that routes its traffic through the disguised connection. The plugin is written in Rust and uses BoringSSL, a TLS library from Cloudflare, for the ECH functionality. It is intended to resist passive traffic inspection and basic active probing, but is not designed to defeat more sophisticated traffic analysis techniques.
A Shadowsocks plugin that disguises proxy traffic as ordinary HTTPS by hiding the real destination using Encrypted Client Hello.
Mainly Rust. The stack also includes Rust, BoringSSL, TLS.
Setup difficulty is rated hard, with roughly 1h+ to a first successful run.
Mainly developer.
This repo across BitVibe Labs
Verify against the repo before relying on details.