Unified tunnel manager for Linux servers. Manages DNS tunnels (DNSTT, NoizDNS, Slipstream, VayDNS) and HTTPS proxies (NaiveProxy) with systemd services, multi-tunnel DNS routing, and user management. Designed for use with the SlipNet Android VPN app.
- Multi-transport: DNSTT/NoizDNS (DNS tunnels with Curve25519 encryption), Slipstream (QUIC-based DNS), VayDNS (KCP-based DNS with Curve25519), NaiveProxy (HTTPS with Caddy), StunTLS (SSH over TLS + WebSocket)
- Dual backend: Built-in SOCKS5 proxy or SSH forwarding (custom SSH port supported)
- DNS routing: Single-tunnel or multi-tunnel mode with domain-based dispatch
- External routing: Forward DNS queries for a domain to a custom port for user-managed protocols
- WARP integration: Optional Cloudflare WARP outbound routing (see dnstun-ezpz for an alternative approach)
- User management: Multi-user SSH + SOCKS credentials (all users authenticate simultaneously), with bulk creation of up to 500 users per call
- Live dashboard: Real-time TUI with CPU, RAM, traffic sparklines, per-protocol connection stats, and tunnel status
- Diagnostics: Built-in health checks for services, ports, keys, DNS resolution, and boot persistence
- Interactive TUI + CLI: Menu-driven setup or scriptable subcommands
- Systemd integration: Service creation, lifecycle, and logs
- Auto-TLS: Let's Encrypt via Caddy for NaiveProxy tunnels
- Self-update: Version checking and binary replacement from GitHub releases
- Client sharing: Generates slipnet:// URIs for one-tap app import
- OS: Linux (Ubuntu 20.04+, Debian 10+, or similar)
- Domain: DNS A record pointed at your server (required for DNS tunnels and NaiveProxy)
- Ports: 53/udp (DNS tunnels), 443/tcp (NaiveProxy, StunTLS)
One-liner install:
curl -fsSL https://raw.githubusercontent.com/anonvector/slipgate/main/install.sh | sudo bash
Or build from source:
git clone https://github.com/anonvector/slipgate.git
cd slipgate
make build
sudo ./slipgate install
Offline install (SCP to server):
Download the binaries you need from the latest release:
# On your local machine — download binaries
mkdir slipgate-bundle && cd slipgate-bundle
curl -LO https://github.com/anonvector/slipgate/releases/latest/download/slipgate-linux-amd64
curl -LO https://github.com/anonvector/slipgate/releases/latest/download/dnstt-server-linux-amd64
curl -LO https://github.com/anonvector/slipgate/releases/latest/download/slipstream-server-linux-amd64
curl -LO https://github.com/anonvector/slipgate/releases/latest/download/caddy-naive-linux-amd64
# SCP to server
scp * user@server:/tmp/slipgate/
# On the server
chmod +x /tmp/slipgate/*
sudo cp /tmp/slipgate/slipgate-linux-amd64 /usr/local/bin/slipgate
sudo slipgate install --bin-dir /tmp/slipgate
Then launch the interactive menu:
sudo slipgate
slipgate # Interactive TUI menu
slipgate install # Install dependencies and configure server
slipgate uninstall # Remove all services, configs, and binaries
slipgate update # Self-update and restart all services
slipgate restart # Restart all services (DNS router, tunnels, SOCKS)
slipgate users # Manage SSH/SOCKS users and view configs
slipgate users add # Add a single user
slipgate users bulk_add # Add multiple users in one batch (random creds, up to 500)
slipgate users remove # Remove a user
slipgate users list # List users and their per-tunnel configs
slipgate stats # Live dashboard (CPU, RAM, traffic, connections, tunnels)
slipgate diag # Run diagnostics (services, ports, keys, DNS, boot status)
slipgate mtu [value] # Set MTU for all DNSTT/NoizDNS/VayDNS tunnels at once
# Tunnel management
slipgate tunnel add # Add tunnel(s) — supports multi-select and "both" backend
slipgate tunnel edit [tag] # Edit tunnel settings (tag, MTU, keys)
slipgate tunnel remove [tag] # Remove a tunnel
slipgate tunnel remove --all # Remove all tunnels at once
slipgate tunnel start [tag] # Start a tunnel
slipgate tunnel stop [tag] # Stop a tunnel
slipgate tunnel status # Show all tunnel statuses
slipgate tunnel status [tag] # Show tunnel details (keys, MTU, port)
slipgate tunnel share [tag] # Generate slipnet:// URI for clients
slipgate tunnel logs [tag] # View tunnel logs
# DNS routing
slipgate router status # Show DNS routing config
slipgate router mode # Switch between single/multi mode
slipgate router switch # Change active tunnel (single mode)
# Configuration
slipgate config export # Export configuration
slipgate config import # Import configuration
# Internal (used by systemd services)
slipgate dnsrouter serve # Start DNS router
slipgate socks serve # Start built-in SOCKS5 proxy
slipgate stuntls serve # Start StunTLS proxy
All commands support flags for scripting and automation. If any required flag is omitted, slipgate falls back to an interactive prompt.
# DNSTT tunnel
sudo slipgate tunnel add \
--transport dnstt \
--backend socks \
--tag mydnstt \
--domain t.example.com
# DNSTT tunnel with custom Curve25519 keys
sudo slipgate tunnel add \
--transport dnstt \
--backend socks \
--tag mytunnel \
--domain t.example.com \
--private-key <64-char-hex> \
--public-key <64-char-hex> # optional, validated if provided
# DNSTT with both backends (creates mydnstt-socks + mydnstt-ssh)
sudo slipgate tunnel add \
--transport dnstt \
--backend both \
--tag mydnstt \
--domain t.example.com
# VayDNS tunnel (KCP + Curve25519)
sudo slipgate tunnel add \
--transport vaydns \
--backend socks \
--tag myvaydns \
--domain v.example.com
# VayDNS with all tuning parameters
sudo slipgate tunnel add \
--transport vaydns \
--backend both \
--tag myvaydns \
--domain v.example.com \
--record-type txt \
--idle-timeout 10s \
--keep-alive 2s \
--clientid-size 2 \
--queue-size 512
# Slipstream tunnel
sudo slipgate tunnel add \
--transport slipstream \
--backend ssh \
--tag myslip \
--domain s.example.com
# NaiveProxy tunnel
sudo slipgate tunnel add \
--transport naive \
--backend socks \
--tag myproxy \
--domain example.com \
--email admin@example.com \
--decoy-url https://www.wikipedia.org
# StunTLS tunnel (SSH over TLS + WebSocket)
sudo slipgate tunnel add \
--transport stuntls \
--tag mytls
# External DNS routing (forward queries to a custom port)
sudo slipgate tunnel add \
--transport external \
--tag my-proto \
--domain j.example.com \
--port 5301
# Queries for j.example.com route to 127.0.0.1:5301
# Direct SSH / SOCKS5 transports
sudo slipgate tunnel add --transport direct-ssh --tag myssh
sudo slipgate tunnel add --transport direct-socks5 --tag mysocks
# Rename a tunnel
sudo slipgate tunnel edit --tag mydnstt --new-tag my-tunnel
# Change MTU on a DNSTT tunnel
sudo slipgate tunnel edit --tag mydnstt --mtu 1232
# Set MTU for all DNSTT/NoizDNS/VayDNS tunnels at once (rewrites and restarts each service)
sudo slipgate mtu 1200
# Tune VayDNS parameters
sudo slipgate tunnel edit --tag myvaydns \
--mtu 1232 \
--record-type txt \
--idle-timeout 10s \
--keep-alive 2s \
--clientid-size 2 \
--queue-size 512
# View tunnel details (keys, MTU, port, status)
sudo slipgate tunnel status --tag mydnstt
# Share tunnel config as slipnet:// URI
sudo slipgate tunnel share mydnstt
# Bulk-add SSH/SOCKS users (random passwords, up to 500 per call)
sudo slipgate users bulk_add --count=50 --prefix=user
# Creates user001..user050 with random passwords. A single SOCKS reload
# and WARP rule sync runs for the whole batch.

                       ┌──────────────────┐
                       │  SlipNet Client  │
                       │                  │
                       └────────┬─────────┘
                                │
              DNS :53/udp ──────┼────── HTTPS/TLS :443/tcp
                    │           │           │
┌───────────────────┼───────────┼───────────┼──────────────────┐
│  SERVER           v           │           v                  │
│                               │                              │
│  ┌────────────────────────┐   │  ┌───────────────────────┐   │
│  │       DNS Router       │   │  │      NaiveProxy       │   │
│  │ domain-based dispatch  │   │  │   Caddy + Auto-TLS    │   │
│  │  single / multi mode   │   │  │    + decoy website    │   │
│  │   + external routing   │   │  └───────────┬───────────┘   │
│  └──┬────────┬────────┬───┘   │              │               │
│     │        │        │       │  ┌───────────────────────┐   │
│     v        v        v       │  │        StunTLS        │   │
│  ┌──────┐┌────────┐┌──────┐   │  │   SSH over TLS + WS   │   │
│  │DNSTT ││Slip-   ││VayDNS│   │  │   self-signed cert    │   │
│  │NoizDN││stream  ││      │   │  └───────────┬───────────┘   │
│  │──────││────────││──────│   │              │               │
│  │DNS   ││QUIC    ││KCP   │   │              │               │
│  │Curve ││TLS cert││Curve │   │              │               │
│  │25519 ││        ││25519 │   │              │               │
│  └──┬───┘└───┬────┘└──┬───┘   │              │               │
│     └────────┼────────┘       │              │               │
│              │                │              │               │
│              v                v              v               │
│   ┌──────────────────────────────────────────────────────┐   │
│   │                    Backend Layer                     │   │
│   │                                                      │   │
│   │   ┌──────────────────┐    ┌──────────────────────┐   │   │
│   │   │   SOCKS5 Proxy   │    │    SSH Forwarding    │   │   │
│   │   │   built-in Go    │    │   port forwarding    │   │   │
│   │   │      :1080       │    │  :22 (configurable)  │   │   │
│   │   └────────┬─────────┘    └──────────┬───────────┘   │   │
│   │            └─────────┬───────────────┘               │   │
│   └──────────────────────┼───────────────────────────────┘   │
│                          v                                   │
│               ┌──────────────────────┐                       │
│               │   WARP (optional)    │                       │
│               │ Cloudflare outbound  │                       │
│               └──────────┬───────────┘                       │
│                          v                                   │
│                       Internet                               │
└──────────────────────────────────────────────────────────────┘
systemd: slipgate-dnsrouter, slipgate-socks5, slipgate-{tag}
| Transport | Protocol | Port | Description |
|---|---|---|---|
| DNSTT/NoizDNS | DNS | 53/udp | Curve25519 encrypted DNS tunnel. A single server serves both DNSTT and NoizDNS clients. NoizDNS adds DPI evasion with base36/hex encoding and CDN prefix stripping |
| Slipstream | QUIC DNS | 53/udp | QUIC-based tunnel with certificate authentication |
| VayDNS | KCP DNS | 53/udp | KCP-based DNS tunnel with Curve25519 encryption. Supports configurable idle timeout, keepalive, queue size, and multiple DNS record types |
| NaiveProxy | HTTPS | 443/tcp | Caddy with forwardproxy plugin. Auto-TLS via Let's Encrypt. Probe-resistant with decoy site |
| StunTLS | TLS/WSS | 443/tcp | SSH over TLS + WebSocket proxy. Auto-detects WebSocket, HTTP CONNECT, raw TLS, and payload (DPI bypass) modes. Self-signed TLS cert, no domain required |
| External | DNS | 53/udp | Routes DNS queries for a domain to a user-specified UDP port. No managed service — use for custom/private protocol testing |
Each DNS tunnel instance requires its own subdomain. When using both SOCKS and SSH backends, the install auto-generates subdomains by appending s to the SSH variant:
| Tunnel | Domain | Backend |
|---|---|---|
| dnstt-socks | t.example.com | SOCKS5 |
| dnstt-ssh | ts.example.com | SSH |
| slipstream-socks | s.example.com | SOCKS5 |
| slipstream-ssh | ss.example.com | SSH |
| vaydns-socks | v.example.com | SOCKS5 |
| vaydns-ssh | vs.example.com | SSH |
| naive-socks | example.com | SOCKS5 (shared domain) |
| naive-ssh | example.com | SSH (shared domain) |
NaiveProxy tunnels share a domain since they use HTTPS (port 443), not DNS. DNSTT and NoizDNS also share a domain — the same server handles both client types.
Required DNS records (for the example above):
A ns.example.com → <server IP>
NS t.example.com → ns.example.com
NS ts.example.com → ns.example.com
NS s.example.com → ns.example.com
NS ss.example.com → ns.example.com
NS v.example.com → ns.example.com
NS vs.example.com → ns.example.com
A example.com → <server IP>
- Single mode: One active tunnel runs; DNS router on port 53 forwards to it
- Multi mode: All tunnels run on local ports; DNS router on port 53 dispatches queries by domain. Auto-enabled when multiple DNS tunnels are created.
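Multi-mode dispatch as described above, sketched in Go as an added example (not slipgate's own router code); the port numbers, function names and sample query are constructed. It matches the query name on label boundaries, which matters with the `s`-suffixed SSH subdomains: a plain string-suffix test would send `ss.example.com` queries to the `s.example.com` tunnel.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// routes maps tunnel domains to local UDP ports (ports are constructed values).
var routes = map[string]int{"t.example.com": 5310, "ts.example.com": 5311, "s.example.com": 5320, "ss.example.com": 5321}

// sample is a constructed DNS TXT query for AbCd.ss.Example.com.
var sample = []byte("\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x04AbCd\x02ss\x07Example\x03com\x00\x00\x10\x00\x01")

// qname extracts the lowercased question name that follows the 12-byte header.
func qname(msg []byte) (string, error) {
	var labels []string
	for i := 12; i < len(msg); {
		n := int(msg[i])
		if n == 0 { // root label ends the name
			return strings.ToLower(strings.Join(labels, ".")), nil
		}
		if n > 63 || i+1+n > len(msg) { // compression pointer or truncated label
			return "", errors.New("bad label")
		}
		labels = append(labels, string(msg[i+1:i+1+n]))
		i += 1 + n
	}
	return "", errors.New("truncated question")
}

// dispatch strips leading labels until a configured domain matches, so the
// most specific route wins and matches only happen on label boundaries.
func dispatch(name string) (int, bool) {
	for {
		if p, ok := routes[name]; ok {
			return p, true
		}
		i := strings.IndexByte(name, '.')
		if i < 0 {
			return 0, false // no tunnel owns this name: drop or refuse
		}
		name = name[i+1:]
	}
}

func main() {
	name, err := qname(sample)
	port, ok := dispatch(name)
	fmt.Println(name, port, ok, err)
}
```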
After creating a tunnel, generate a shareable config:
sudo slipgate tunnel share mytunnel
This outputs a slipnet:// URI that can be scanned or imported into the SlipNet Android app. For DNSTT tunnels, you'll be asked to choose between a DNSTT or NoizDNS client profile — both connect to the same server, but NoizDNS profiles enable DPI evasion on the client side.
Users are global, not scoped to specific tunnels or transports. slipgate users add only asks for a username and password — the protocol is a property of the tunnel, chosen at tunnel add time. Every user can authenticate against every tunnel using the same credentials, and slipgate users list prints one config block per (user × tunnel) pair. The client picks which tunnel to use by importing the matching slipnet:// URI.
| Path | Description |
|---|---|
| /etc/slipgate/config.json | Main configuration |
| /etc/slipgate/tunnels/ | Per-tunnel keys, certs, and configs |
| /usr/local/bin/slipgate | SlipGate binary (includes built-in SOCKS5 proxy) |
| /usr/local/bin/dnstt-server | DNSTT transport binary |
| /usr/local/bin/slipstream-server | Slipstream transport binary |
| /usr/local/bin/vaydns-server | VayDNS transport binary |
| /usr/local/bin/caddy-naive | Caddy with NaiveProxy plugin |
make build # Build for current platform
make build-linux # Cross-compile for linux/amd64 and linux/arm64
make test # Run tests
make release # Build release binaries
Built on top of dnstm and vaydns by net2share. WARP integration inspired by dnstun-ezpz.
AGPL-3.0