ghost

module
v0.0.0-...-8c66875 Latest
Published: Apr 17, 2026 License: MIT

README

GHOST

A custom VPN protocol designed to be statistically indistinguishable from real HTTPS browsing — built to survive signature DPI, ML-based flow classifiers, and active probing.

Status: Nothing works yet.


Why

Existing protocols (OpenVPN, WireGuard, even VLESS+Reality) are increasingly detected and blocked by modern censorship infrastructure. Recent academic work (USENIX Security 2024 — Xue et al., Fingerprinting Obfuscated Proxy Traffic with Encapsulated TLS Handshakes) shows >70% true-positive detection of Reality at <0.1% false-positive rate. Meanwhile, ML-based flow classifiers and potential whitelist regimes are escalating the arms race.

GHOST takes a different angle: don't try to look like one specific protocol — look statistically identical to ordinary HTTPS browsing across every flow feature an ML classifier examines.

How

Five layers, each addressing a different detection vector:

| Layer | Purpose | Defends against |
|---|---|---|
| L1 TLS 1.3 + uTLS Chrome fingerprint | Handshake camouflage | JA3/JA3S signature DPI |
| L2 HTTP/2 + reverse-proxy fallback | Application camouflage | Active probing, behavioral fingerprinting |
| L3 Noise IK (constant-time) | Authentication | Timing side-channels, replay |
| L4 Binary multiplexer | Stream framing | — (internal) |
| L5 Statistical traffic shaper | Flow-level mimicry | ML classifiers, asymmetry/IAT analysis |

Full design rationale and threat model in research/. Wire format in docs/protocol.md.
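
The L5 row names inter-arrival time (IAT) and direction asymmetry as flow features. The following added example (not code from the GHOST repository) computes both for a flow and compares its IAT distribution with a reference using a two-sample Kolmogorov-Smirnov statistic, the kind of measurement a detection harness can report. The `Pkt` type, the sample flows and the choice of the KS statistic are assumptions.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Pkt is a hypothetical record: arrival time (ms) and signed size (+ up, - down).
type Pkt struct{ TMs, Size float64 }

// Constructed sample flows: a bursty, download-heavy reference and a regular, symmetric flow.
var refFlow = []Pkt{{0, 500}, {40, -1400}, {41, -1400}, {43, -1400}, {300, 300}}
var obsFlow = []Pkt{{0, 1000}, {20, -1000}, {40, 1000}, {60, -1000}, {80, 1000}}

// IATs returns the inter-arrival times between consecutive packets.
func IATs(f []Pkt) (out []float64) {
	for i := 1; i < len(f); i++ {
		out = append(out, f[i].TMs-f[i-1].TMs)
	}
	return out
}

// UpRatio returns the share of bytes sent client-to-server (direction asymmetry).
func UpRatio(f []Pkt) float64 {
	var up, total float64
	for _, p := range f {
		total += math.Abs(p.Size)
		up += math.Max(p.Size, 0)
	}
	return up / math.Max(total, 1)
}

// KS returns the two-sample Kolmogorov-Smirnov statistic; it sorts a and b in place.
func KS(a, b []float64) (d float64) {
	sort.Float64s(a)
	sort.Float64s(b)
	for i, j := 0, 0; i < len(a) && j < len(b); {
		x := math.Min(a[i], b[j]) // next point where either empirical CDF steps
		i += sort.Search(len(a)-i, func(k int) bool { return a[i+k] > x })
		j += sort.Search(len(b)-j, func(k int) bool { return b[j+k] > x })
		d = math.Max(d, math.Abs(float64(i)/float64(len(a))-float64(j)/float64(len(b))))
	}
	return d
}

func main() {
	fmt.Printf("IAT KS=%.2f up ref=%.2f obs=%.2f\n", KS(IATs(refFlow), IATs(obsFlow)), UpRatio(refFlow), UpRatio(obsFlow))
}
```

A KS value near 0 means the two IAT samples follow the same empirical distribution; the constructed flows here differ clearly in both features.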

Project Layout

cmd/
  ghost-server/     server binary
  ghost-client/     client binary
  ghost-tools/      keygen, capture, classify utilities
internal/
  transport/        L1: TCP + uTLS
  camouflage/       L2: HTTP/2 wrapper
  auth/             L3: Noise IK handshake + sessions
  mux/              L4: stream multiplexer
  shaper/           L5: traffic shaper
  fallback/         reverse proxy for invalid auth
  tun/              TUN interface (Linux)
  config/           YAML config loader
  profile/          empirical traffic distributions
test/
  integration/      end-to-end tunnel tests
  detection/        ML detection harness (Python)
docs/
  protocol.md       wire format specification
research/           design context, threat model, prior art

Build

make build         # builds ghost-server, ghost-client, ghost-tools
make test          # go test ./...
make clean

Or directly:

go build ./...

Requires Go 1.25+ (auto-bumped by golang.org/x/crypto). Linux only in v1.

Out of Scope (v1)

CDN relay (Cloudflare Workers), stream migration, multi-client server, mobile clients, GUI, Windows/macOS clients. See plan for v2+ items.

GHOST is a censorship circumvention tool. Development is legal in most jurisdictions. Deployment in jurisdictions that prohibit such tools (including the Russian Federation as of 2024) may carry legal risk for operators and users. This project does not encourage breaking local laws — it exists to push the state of the art in network privacy research and to give users in restrictive environments a fighting chance.

This is not a public service. It is designed for small, private deployments by people who understand the risks.

License

TBD.

Directories

| Path | Synopsis |
|---|---|
| cmd | |
| ghost-client (command) | Command ghost-client is the GHOST VPN client. |
| ghost-server (command) | Command ghost-server is the GHOST VPN server. |
| ghost-tools (command) | Command ghost-tools is a multi-command utility for GHOST operators. |
| internal | |
| auth | Package auth implements GHOST's L3 authentication: Noise IK handshake, session ciphers, and key management. |
| camouflage | Package camouflage implements L2 of the GHOST protocol stack: HTTP/2 semantic wrapping that makes tunnel traffic look like ordinary HTTPS API requests. |
| config | Package config loads and validates GHOST server and client YAML configs. |
| fallback | Package fallback implements the reverse proxy that serves as the GHOST server's cover story. |
| mux | Package mux implements L4 of the GHOST protocol stack: a binary stream multiplexer over a single bidirectional byte stream (the HTTP/2 DATA channel after L3 handshake). |
| profile | Package profile defines the empirical traffic distribution format used by the L5 traffic shaper. |
| shaper | Package shaper implements L5 of the GHOST protocol stack: statistical traffic mimicry that makes tunnel flows indistinguishable from real HTTPS browsing to ML-based flow classifiers. |
| transport | Package transport implements L1 of the GHOST protocol stack: TCP connections wrapped in TLS 1.3 with browser-matching fingerprints (uTLS on the client side, standard crypto/tls on the server side with a real CA-signed cert). |
| tun | Package tun manages the GHOST TUN network interface (Linux). |
| version | Package version exposes build-time identifiers for GHOST binaries. |
