If you find some discrepancy or missing information - open a GitHub issue

Was this information useful? Then star the repository on GitHub

Proxy Tool - GOST


This tool can be used to hide/forward malicious network traffic.

That can be illegal => you are warned.


GOST is a tool for proxying pretty much anything and anyhow you want/need to.

Check out the nice documentation!

It can act as proxy server and client/forwarder.

If you need to be able to route some traffic through some kind of proxy - this is the tool for you!

It can proxy:

Forwarding to HTTP Proxy

# NFTables =TCP=> TPROXY (forwarder @ =HTTP[TCP]=> PROXY (squid http_port)

The current implementation of HTTP-forwarding in gost does not work correctly.


  • HTTP not working (always wants to tunnel over HTTP-CONNECT)

  • HTTPS over IPv6 not working


I’ve created a patched version of gost for exactly this purpose: proxy-forwarder


You can use it to catch DNAT traffic and forward it to a remote proxy-server like squid:

proxy-forwarder -P 4128 -F
# creates tcp & udp listeners for IPv4 & IPv6 on localhost:4128

# NAT non-internal targets to the proxy
## nftables
nft add rule nat output ip daddr != {,, } tcp dport { 80, 443 } dnat to

## iptables
iptables -t nat -A OUTPUT -p tcp ! -d --dport 443 -j DNAT --to-destination
iptables -t nat -A OUTPUT -p tcp ! -d --dport 80 -j DNAT --to-destination


If you want to also proxy UDP traffic - you might want to use the TPROXY integration:

proxy-forwarder -P 4128 -F -T

# to also set a fw-mark on processed traffic
proxy-forwarder -P 4128 -F -T -M 100

Config Examples:


You can run GOST TPROXY-mode with non-root users if you add a capability to the binary:

sudo setcap cap_net_raw+ep /usr/local/bin/gost
sudo chown root:gost /usr/local/bin/gost
chmod 750 /usr/local/bin/gost