ech-tls-tunnel
SIP003 plugin for shadowsocks: WebSocket-over-TLS with ECH and ACME auto-renewal
This is a plugin (using the SIP003 plugin interface) for Shadowsocks, a tool people use to route internet traffic through a server when direct access is restricted. The plugin's job is to disguise that traffic so that, to anyone watching the network, it looks like an ordinary HTTPS connection to a harmless website rather than a tunnel.
It does this by wrapping each connection in a combination of two technologies: WebSockets (a way to keep a two-way connection open inside normal web traffic) and a TLS feature called Encrypted Client Hello (ECH). When a browser or app connects to a website over TLS, it normally sends the destination's host name in plain text (the Server Name Indication, or SNI) at the start of the handshake so that routing equipment and shared hosts can direct the request. ECH encrypts that name, leaving only a public cover name visible in the clear. This plugin uses ECH so the real tunnel domain is hidden, and only the decoy domain name is visible to outside observers.
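To make the difference concrete, here is an added example (not code from this project) that builds a minimal TLS ClientHello and then reads it the way a passive observer on the network would: it extracts the plaintext SNI and reports whether an `encrypted_client_hello` extension (codepoint 0xfe0d) is present. The host names, the zeroed random field and the ECH extension payload are constructed test values; the real encrypted inner ClientHello is replaced by zero bytes of the right shape.

```python
import struct

EXT_SNI = 0x0000  # server_name extension, RFC 6066
EXT_ECH = 0xFE0D  # encrypted_client_hello extension codepoint (ECH draft-13 and later)


def build_client_hello(sni: str, extra_extensions=()) -> bytes:
    """Construct a minimal TLS record carrying a ClientHello (constructed test input,
    not a real capture). extra_extensions is a list of (type, body) pairs."""
    host = sni.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type host_name(0)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    exts = struct.pack("!HH", EXT_SNI, len(sni_list)) + sni_list
    for ext_type, ext_body in extra_extensions:
        exts += struct.pack("!HH", ext_type, len(ext_body)) + ext_body
    body = (
        b"\x03\x03"              # legacy_version = TLS 1.2
        + bytes(32)              # random (zeros: test value only)
        + b"\x00"                # legacy_session_id: empty
        + b"\x00\x02\x13\x01"    # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"            # compression_methods: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def constructed_ech_extension() -> bytes:
    """Shape of an ECHClientHello (outer): type, HPKE cipher suite, config_id,
    enc<0..2^16-1>, payload<1..2^16-1>. The enc and payload bytes are zeros here,
    standing in for the real HPKE encapsulated key and encrypted inner ClientHello."""
    return (bytes([0]) + struct.pack("!HH", 0x0001, 0x0001) + bytes([7])
            + struct.pack("!H", 32) + bytes(32)
            + struct.pack("!H", 16) + bytes(16))


def inspect_client_hello(record: bytes) -> dict:
    """Return what a passive observer can read from a ClientHello: the plaintext SNI
    (None if absent) and whether an ECH extension is present."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                   # skip legacy_version and random
    pos += 1 + body[pos]                           # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    result = {"sni": None, "ech": False, "extension_types": []}
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        result["extension_types"].append(ext_type)
        if ext_type == EXT_SNI:
            list_len = struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                if name_type == 0:
                    result["sni"] = data[p + 3:p + 3 + name_len].decode("ascii")
                p += 3 + name_len
        elif ext_type == EXT_ECH:
            result["ech"] = True
    return result


if __name__ == "__main__":
    # Without ECH the tunnel's real name is readable on the wire.
    print(inspect_client_hello(build_client_hello("tunnel.example.net")))
    # With ECH only the decoy (public) name is readable; the real name is inside the payload.
    print(inspect_client_hello(build_client_hello("decoy.example.com",
                                                  [(EXT_ECH, constructed_ech_extension())])))
```

Note what the observer still sees in the second case: the outer SNI carrying the decoy name and the fact that an ECH extension is present at all. The hiding therefore relies on the decoy name being a plausible site, not on the handshake looking like one without ECH.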
On the server side, the plugin automatically requests and renews a TLS certificate from Let's Encrypt using a validation method that works entirely on port 443, so no other ports need to be open. Any connection that does not request the correct secret path receives a fake error page that mimics a default web server response, making it harder for automated probes to tell that a tunnel is running.
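The routing decision behind that decoy behaviour, as an added example that is not the project's own code: every request that is not a well-formed WebSocket upgrade on exactly the secret path gets the same generic 404, so a probe cannot distinguish "wrong path" from "wrong method" or "not a WebSocket request". The secret path, the request bytes and the 404 page body are constructed values; the path comparison uses a constant-time compare, and the `Sec-WebSocket-Accept` computation follows RFC 6455.

```python
import base64
import hashlib
import hmac

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455

# Constructed decoy body modelled on a generic default-server 404 page (placeholder,
# not the page the project actually serves).
DECOY_404 = (
    b"<html>\r\n<head><title>404 Not Found</title></head>\r\n"
    b"<body>\r\n<center><h1>404 Not Found</h1></center>\r\n"
    b"<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n"
)


def parse_request(raw: bytes):
    """Split an HTTP/1.1 request head into (method, target, headers). Raises ValueError
    on anything that is not a three-token request line."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def decoy_response() -> bytes:
    """The one response every non-tunnel request gets, regardless of why it failed."""
    return (b"HTTP/1.1 404 Not Found\r\nServer: nginx\r\nContent-Type: text/html\r\n"
            b"Content-Length: " + str(len(DECOY_404)).encode() + b"\r\n"
            b"Connection: close\r\n\r\n" + DECOY_404)


def websocket_accept(key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(Sec-WebSocket-Key + GUID)), RFC 6455 section 4.2.2."""
    return base64.b64encode(hashlib.sha1((key + WS_GUID).encode("ascii")).digest()).decode("ascii")


def route(raw: bytes, secret_path: str):
    """Return ("tunnel", 101 response) only for a valid WebSocket upgrade on the secret
    path; everything else returns ("decoy", 404 response)."""
    try:
        method, target, headers = parse_request(raw)
    except ValueError:
        return "decoy", decoy_response()
    path = target.split("?", 1)[0]
    # Constant-time comparison so response timing does not leak how much of the path matched.
    path_ok = hmac.compare_digest(path.encode("latin-1"), secret_path.encode("latin-1"))
    is_upgrade = (
        method == "GET"
        and headers.get("upgrade", "").lower() == "websocket"
        and "upgrade" in headers.get("connection", "").lower()
        and headers.get("sec-websocket-version") == "13"
        and "sec-websocket-key" in headers
    )
    if not (path_ok and is_upgrade):
        return "decoy", decoy_response()
    accept = websocket_accept(headers["sec-websocket-key"])
    return "tunnel", (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
                      b"Connection: Upgrade\r\nSec-WebSocket-Accept: " + accept.encode("ascii")
                      + b"\r\n\r\n")


if __name__ == "__main__":
    probe = b"GET / HTTP/1.1\r\nHost: decoy.example.com\r\n\r\n"
    print(route(probe, "/constructed-secret-path")[0])   # decoy
```

The important property is that the failure branches are collapsed into one: a scanner that tries the root path, a HEAD request, or the secret path without the upgrade headers cannot tell the three apart from the response alone.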
To use it, you run the plugin alongside Shadowsocks on both a server and a client device. The server generates a cryptographic key pair, and the client receives a small configuration string derived from that key pair. Once both sides are configured, the client gets a local proxy that routes its traffic through the disguised connection.
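The "small configuration string" handed to the client is, in ECH terms, a base64-encoded ECHConfigList: the server's HPKE public key, the cipher suites it accepts and the public (decoy) name, wrapped in the ECHConfig structure. The following added example (not the project's code) encodes and decodes that structure so you can see what the client actually receives. The 32-byte public key is a constructed stand-in for a real X25519 public key, the decoy name is made up, and the exact key-pair generation and any extra fields the project might include are not covered here.

```python
import base64
import struct

ECH_VERSION = 0xFE0D             # ECHConfig version for draft-13 and later
KEM_X25519_HKDF_SHA256 = 0x0020  # HPKE KEM identifier
KDF_HKDF_SHA256 = 0x0001         # HPKE KDF identifier
AEAD_AES_128_GCM = 0x0001        # HPKE AEAD identifier


def _opaque16(data: bytes) -> bytes:
    """opaque<0..2^16-1>: two-byte big-endian length prefix."""
    return struct.pack("!H", len(data)) + data


def build_ech_config_list(public_key: bytes, public_name: str,
                          config_id: int = 0, max_name_len: int = 0) -> bytes:
    """Encode one ECHConfig (version 0xfe0d) inside an ECHConfigList."""
    cipher_suites = struct.pack("!HH", KDF_HKDF_SHA256, AEAD_AES_128_GCM)
    key_config = (bytes([config_id])
                  + struct.pack("!H", KEM_X25519_HKDF_SHA256)
                  + _opaque16(public_key)          # HpkePublicKey<1..2^16-1>
                  + _opaque16(cipher_suites))      # cipher_suites<4..2^16-4>
    name = public_name.encode("ascii")
    contents = (key_config
                + bytes([max_name_len])            # maximum_name_length (uint8)
                + bytes([len(name)]) + name        # public_name<1..255>
                + _opaque16(b""))                  # extensions<0..2^16-1>: none
    config = struct.pack("!HH", ECH_VERSION, len(contents)) + contents
    return _opaque16(config)                       # ECHConfigList<1..2^16-1>


def parse_ech_config_list(data: bytes) -> list:
    """Decode an ECHConfigList, skipping configs whose version is unknown."""
    total = struct.unpack("!H", data[:2])[0]
    pos, end = 2, 2 + total
    configs = []
    while pos + 4 <= end:
        version, length = struct.unpack("!HH", data[pos:pos + 4])
        body = data[pos + 4:pos + 4 + length]
        pos += 4 + length
        if version != ECH_VERSION:
            continue
        p = 0
        config_id = body[p]; p += 1
        kem_id = struct.unpack("!H", body[p:p + 2])[0]; p += 2
        pk_len = struct.unpack("!H", body[p:p + 2])[0]; p += 2
        public_key = body[p:p + pk_len]; p += pk_len
        cs_len = struct.unpack("!H", body[p:p + 2])[0]; p += 2
        suites = [struct.unpack("!HH", body[p + i:p + i + 4]) for i in range(0, cs_len, 4)]
        p += cs_len
        max_name_len = body[p]; p += 1
        name_len = body[p]; p += 1
        public_name = body[p:p + name_len].decode("ascii"); p += name_len
        configs.append({
            "config_id": config_id, "kem_id": kem_id, "public_key": public_key,
            "cipher_suites": suites, "max_name_len": max_name_len,
            "public_name": public_name,
        })
    return configs


def to_config_string(config_list: bytes) -> str:
    """The form a client would be given: base64 of the raw ECHConfigList."""
    return base64.b64encode(config_list).decode("ascii")


def from_config_string(text: str) -> list:
    return parse_ech_config_list(base64.b64decode(text))


if __name__ == "__main__":
    stand_in_public_key = bytes(range(32))   # constructed: not a real X25519 key
    cfg = build_ech_config_list(stand_in_public_key, "decoy.example.com", config_id=7)
    print(to_config_string(cfg))
    print(from_config_string(to_config_string(cfg)))
```

Everything in this string is public by design: it carries no secret, only the material a client needs to encrypt the inner ClientHello to the server. The private half of the key pair never leaves the server.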
The plugin is written in Rust and uses BoringSSL, a TLS library from Cloudflare, for the ECH functionality. It is intended to resist passive traffic inspection and basic active probing, but is not designed to defeat more sophisticated traffic analysis techniques.