A cross-platform programmable network tool

❤️ Shiliew - China Optimized Network App

• Brook
• Sponsor
• Getting Started
  • Server
  • GUI Client
  • CLI Client
• GUI Documentation
  • Software for which this article applies
  • Programmable
    • Introduction to incoming variables
    • in_brooklinks
    • in_dnsquery
    • in_address
    • in_httprequest
    • in_httpresponse
  • Write script
  • Debug script
  • Install CA
• 图形客户端文档
  • 本文适用的软件
  • 编程
    • 传入变量介绍
    • in_brooklinks
    • in_dnsquery
    • in_address
    • in_httprequest
    • in_httpresponse
  • 写脚本
  • 调试脚本
  • 安装 CA
• Resources
• CLI Documentation
• NAME
• SYNOPSIS
• GLOBAL OPTIONS
• COMMANDS
  • server
  • client
  • wsserver
  • wsclient
  • wssserver
  • wssclient
  • quicserver
  • quicclient
  • relayoverbrook
  • dnsserveroverbrook
  • tproxy
  • link
  • connect
  • relay
  • dnsserver
  • dnsclient
  • dohserver
  • dohclient
  • dhcpserver
  • socks5
  • socks5tohttp
  • pac
  • testsocks5
  • testbrook
  • echoserver
  • echoclient
  • ipcountry
  • completion
  • mdpage
    • help, h
  • manpage
  • help, h
• Diagram
  • overview
  • withoutBrookProtocol
  • relayoverbrook
  • dnsserveroverbrook
  • relay
  • dnsserver
  • tproxy
  • gui
  • script
• Examples
  • Run brook server
  • Run brook wsserver
  • Run brook wssserver: automatically certificate
  • Run brook wssserver Use a certificate issued by an existing trust authority
  • Run brook wssserver issue untrusted certificates yourself, any domain
  • withoutBrookProtocol
  • withoutBrookProtocol automatically certificate
  • withoutBrookProtocol Use a certificate issued by an existing trust authority
  • withoutBrookProtocol issue untrusted certificates yourself, any domain
  • Run brook socks5, A stand-alone standard socks5 server
  • Run brook socks5 with username and password. A stand-alone standard socks5 server
  • brook relayoverbrook can relay a local address to a remote address over brook, both TCP and UDP, it works with brook server wsserver wssserver.
  • brook dnsserveroverbrook can create a encrypted DNS server, both TCP and UDP, it works with brook server wsserver wssserver.
  • Brook OpenWRT Router: Perfectly supports IPv4/IPv6/TCP/UDP. Native IPv6
  • Turn macOS into a Gateway with Brook
  • Turn Windows into a Gateway with Brook
  • Turn Linux into a Gateway with Brook
  • brook relay can relay a address to a remote address. It can relay any tcp and udp server
  • brook socks5tohttp can convert a socks5 to a http proxy
  • brook pac creates pac server
  • brook pac creates pac file
  • There are countless examples; for more feature suggestions, it's best to look at the commands and parameters in the CLI documentation one by one, and blog, YouTube...
• 例子
  • 运行 brook server
  • 运行 brook wsserver
  • 运行 brook wssserver: 自动签发信任证书
  • 运行 brook wssserver 使用已有的信任机构签发的证书
  • 运行 brook wssserver 自己签发非信任证书, 甚至不是你自己的域名也可以
  • withoutBrookProtocol
  • withoutBrookProtocol 自动签发信任证书
  • withoutBrookProtocol 使用已有的信任机构签发的证书
  • withoutBrookProtocol 自己签发非信任证书, 甚至不是你自己的域名也可以
  • 运行 brook socks5, 一个独立的标准 socks5 server
  • 运行 brook socks5, 一个独立的标准 socks5 server, 指定用户名和密码
  • brook relayoverbrook 中继任何 TCP 和 UDP server, 让其走 brook 协议. 它与 brook server wsserver wssserver 一起工作
  • brook dnsserveroverbrook 用来创建一个加密 DNS Server, TCP and UDP, 它与 brook server wsserver wssserver 一起工作
  • Brook OpenWRT 路由器，完美支持 IPv4/IPv6/TCP/UDP，Native IPv6
  • 使用 Brook 把 macOS 变成网关
  • 使用 Brook 把 Windows 变成网关
  • 使用 Brook 把 Linux 变成网关
  • brook relay 可以中继任何 TCP 和 UDP server, 这是一个独立的功能, 它不依赖 brook server wsserver wssserver
  • brook socks5tohttp 将 socks5 proxy 转换为 http proxy
  • brook pac 创建一个 pac server
  • brook pac 创建一个 pac 文件
  • 例子不胜枚举，更多功能建议挨个看 CLI 文档的命令和参数吧，还有博客，YouTube 等...

A cross-platform programmable network tool.

❤️ Shiliew - China Optimized Network App

bash <(curl https://bash.ooo/nami.sh)

nami install brook

brook server -l :9999 -p hello

iOS	Android	Mac	Windows	Linux	OpenWrt
/	/	App Mode	How	How	How
/	/	App 模式	如何	如何	如何

brook client -s 1.2.3.4:9999 -p hello --socks5 127.0.0.1:1080

• Brook
• Shiliew
• tun2brook

Brook GUI will pass different global variables to the script at different times, and the script only needs to assign the processing result to the global variable out

out, ignored if not of type map

out, if it is error type will be recorded in the log. Ignored if not of type map

out, if it is error type will be recorded in the log. Ignored if not of type map

out, must be set to a request or response

out, must be set to a response

Tengo Language Syntax

Library

• text: regular expressions, string conversion, and manipulation

• math: mathematical constants and functions

• times: time-related functions

• rand: random functions

• fmt: formatting functions

• json: JSON functions

• enum: Enumeration functions

• hex: hex encoding and decoding functions

• base64: base64 encoding and decoding functions

• brook: brook module

  Constants
  
  * os: string, linux/darwin/windows/ios/android
  
  Functions
  
  * splithostport(address string) => map/error: splits a network address of the form "host:port" to { "host": "xxx", "port": "xxx" }
  * country(ip string) => string/error: get country code from ip
  * cidrcontainsip(cidr string, ip string) => bool/error: reports whether the network includes ip
  * parseurl(url string) => map/error: parses a raw url into a map, keys: scheme/host/path/rawpath/rawquery
  * parsequery(query string) => map/error: parses a raw query into a kv map
  * map2query(kv map) => string/error: convert map{string:string} into a query string
  * bytes2ints(b bytes) => array/error: convert bytes into [int]
  * ints2bytes(ints array) => bytes/error: convert [int] into bytes
  * bytescompare(a bytes, b bytes) => int/error: returns an integer comparing two bytes lexicographically. The result will be 0 if a == b, -1 if a < b, and +1 if a > b
  * bytescontains(b bytes, sub bytes) => bool/error: reports whether sub is within b
  * byteshasprefix(s bytes, prefix bytes) => bool/error: tests whether the bytes s begins with prefix
  * byteshassuffix(s bytes, suffix bytes) => bool/error: tests whether the bytes s ends with suffix
  * bytesindex(s bytes, sep bytes) => int/error: returns the index of the first instance of sep in s, or -1 if sep is not present in s
  * byteslastindex(s bytes, sep bytes) => int/error: returns the index of the last instance of sep in s, or -1 if sep is not present in s
  * bytesreplace(s bytes, old bytes, new bytes, n int) => bytes/error: returns a copy of the s with the first n non-overlapping instances of old replaced by new. If n < 0, there is no limit on the number of replacements
  * pathescape(s string) => string/error: escapes the string so it can be safely placed inside a URL path segment, replacing special characters (including /) with %XX sequences as needed
  * pathunescape(s string) => string/error: does the inverse transformation of pathescape
  * queryescape(s string) => string/error: escapes the string so it can be safely placed inside a URL query
  * queryunescape(s string) => string/error: does the inverse transformation of queryescape
  * hexdecode(s string) => bytes/error: returns the bytes represented by the hexadecimal string s
  * hexencode(s string) => string/error: returns the hexadecimal encoding of src
  

It is recommended to use tun2brook on desktop to debug with fmt.println

https://txthinking.github.io/ca/ca.pem

Some software may not read the system CA，you can use curl --cacert ~/.nami/bin/ca.pem to debug

• Brook
• Shiliew
• tun2brook

Brook GUI 会在不同时机向脚本传入不同的全局变量，脚本只需要将处理结果赋值到全局变量 out 即可

out, 如果不是 map 类型则会被忽略

out, 如果是 error 类型会被记录在日志。如果不是 map 类型则会被忽略

out, 如果是 error 类型会被记录在日志。如果不是 map 类型则会被忽略

out, 必须设置为一个 request 或 response

out, 必须设置为一个 response

Tengo Language Syntax

Library

• text: regular expressions, string conversion, and manipulation

• math: mathematical constants and functions

• times: time-related functions

• rand: random functions

• fmt: formatting functions

• json: JSON functions

• enum: Enumeration functions

• hex: hex encoding and decoding functions

• base64: base64 encoding and decoding functions

• brook: brook module

  Constants
  
  * os: string, linux/darwin/windows/ios/android
  
  Functions
  
  * splithostport(address string) => map/error: splits a network address of the form "host:port" to { "host": "xxx", "port": "xxx" }
  * country(ip string) => string/error: get country code from ip
  * cidrcontainsip(cidr string, ip string) => bool/error: reports whether the network includes ip
  * parseurl(url string) => map/error: parses a raw url into a map, keys: scheme/host/path/rawpath/rawquery
  * parsequery(query string) => map/error: parses a raw query into a kv map
  * map2query(kv map) => string/error: convert map{string:string} into a query string
  * bytes2ints(b bytes) => array/error: convert bytes into [int]
  * ints2bytes(ints array) => bytes/error: convert [int] into bytes
  * bytescompare(a bytes, b bytes) => int/error: returns an integer comparing two bytes lexicographically. The result will be 0 if a == b, -1 if a < b, and +1 if a > b
  * bytescontains(b bytes, sub bytes) => bool/error: reports whether sub is within b
  * byteshasprefix(s bytes, prefix bytes) => bool/error: tests whether the bytes s begins with prefix
  * byteshassuffix(s bytes, suffix bytes) => bool/error: tests whether the bytes s ends with suffix
  * bytesindex(s bytes, sep bytes) => int/error: returns the index of the first instance of sep in s, or -1 if sep is not present in s
  * byteslastindex(s bytes, sep bytes) => int/error: returns the index of the last instance of sep in s, or -1 if sep is not present in s
  * bytesreplace(s bytes, old bytes, new bytes, n int) => bytes/error: returns a copy of the s with the first n non-overlapping instances of old replaced by new. If n < 0, there is no limit on the number of replacements
  * pathescape(s string) => string/error: escapes the string so it can be safely placed inside a URL path segment, replacing special characters (including /) with %XX sequences as needed
  * pathunescape(s string) => string/error: does the inverse transformation of pathescape
  * queryescape(s string) => string/error: escapes the string so it can be safely placed inside a URL query
  * queryunescape(s string) => string/error: does the inverse transformation of queryescape
  * hexdecode(s string) => bytes/error: returns the bytes represented by the hexadecimal string s
  * hexencode(s string) => string/error: returns the hexadecimal encoding of src
  

建议使用 tun2brook 在电脑上fmt.println调试

https://txthinking.github.io/ca/ca.pem

注意有些软件可能不读取系统 CA，可以使用 curl --cacert ~/.nami/bin/ca.pem 调试

Brook - A cross-platform programmable network tool

Brook

brook [全局参数] 子命令 [子命令参数]

Usage:

Brook [GLOBAL OPTIONS] command [COMMAND OPTIONS] [ARGUMENTS...]

• --clientHKDFInfo="": client HKDF info, most time you don't need to change this, if changed, all and each brook links in client side must be same, I mean each (default: "brook")

• --dialWithDNS="": When a domain name needs to be resolved, use the specified DNS. Such as 8.8.8.8:53 or https://dns.google/dns-query?address=8.8.8.8%3A443, the address is required. Note that for client-side commands, this does not affect the client passing the domain address to the server

• --dialWithDNSPrefer="": This is used with the dialWithDNS parameter. Prefer A record or AAAA record. Value is A or AAAA

• --dialWithIP4="": When the current machine establishes a network connection to the outside IPv4, both TCP and UDP, it is used to specify the IPv4 used

• --dialWithIP6="": When the current machine establishes a network connection to the outside IPv6, both TCP and UDP, it is used to specify the IPv6 used

• --dialWithNIC="": When the current machine establishes a network connection to the outside, both TCP and UDP, it is used to specify the NIC used

• --dialWithSocks5="": When the current machine establishes a network connection to the outside, both TCP and UDP, with your socks5 proxy, such as 127.0.0.1:1081

• --dialWithSocks5Password="": If there is

• --dialWithSocks5TCPTimeout="": time (s) (default: 0)

• --dialWithSocks5UDPTimeout="": time (s) (default: 60)

• --dialWithSocks5Username="": If there is

• --help, -h: show help

• --log="": Enable log. A valid value is file path or 'console'. If you want to debug SOCKS5 lib, set env SOCKS5_DEBUG=true

• --pprof="": go http pprof listen addr, such as :6060

• --prometheus="": prometheus http listen addr, such as :7070. If it is transmitted on the public network, it is recommended to use it with nico

• --prometheusPath="": prometheus http path, such as /xxx. If it is transmitted on the public network, a hard-to-guess value is recommended

• --serverHKDFInfo="": server HKDF info, most time you don't need to change this, if changed, all and each brook links in client side must be same, I mean each (default: "brook")

• --tag="": Tag can be used to the process, will be append into log, such as: 'key1:value1'

• --version, -v: print the version

Run as brook server, both TCP and UDP

• --blockCIDR4List="": One CIDR per line, https://, http:// or local file absolute path, like: https://txthinking.github.io/bypass/example_cidr4.txt

• --blockCIDR6List="": One CIDR per line, https://, http:// or local file absolute path, like: https://txthinking.github.io/bypass/example_cidr6.txt

• --blockDomainList="": One domain per line, suffix match mode. https://, http:// or local file absolute path. Like: https://txthinking.github.io/bypass/example_domain.txt

• --blockGeoIP="": Block IP by Geo country code, such as US

• --listen, -l="": Listen address, like: ':9999'

• --password, -p="": Server password

• --tcpTimeout="": time (s) (default: 0)

• --udpTimeout="": time (s) (default: 0)

• --updateListInterval="": Update list interval, second. default 0, only read one time on start (default: 0)

Run as brook client, both TCP and UDP, to start a socks5 proxy, [src <-> socks5 <-> $ brook client <-> $ brook server <-> dst]

• --http="": Where to listen for HTTP proxy connections

• --password, -p="": Brook server password

• --server, -s="": Brook server address, like: 1.2.3.4:9999

• --socks5="": Where to listen for SOCKS5 connections (default: 127.0.0.1:1080)

• --socks5ServerIP="": Only if your socks5 server IP is different from listen IP

• --tcpTimeout="": time (s) (default: 0)

• --udpTimeout="": time (s) (default: 0)

• --udpovertcp: UDP over TCP

Run as brook wsserver, both TCP and UDP, it will start a standard http server and websocket server

• --blockCIDR4List="": One CIDR per line, https://, http:// or local file absolute path, like: https://txthinking.github.io/bypass/example_cidr4.txt

• --blockCIDR6List="": One CIDR per line, https://, http:// or local file absolute path, like: https://txthinking.github.io/bypass/example_cidr6.txt

• --blockDomainList="": One domain per line, suffix match mode. https://, http:// or local file absolute path. Like: https://txthinking.github.io/bypass/example_domain.txt

• --blockGeoIP="": Block IP by Geo country code, such as US

• --listen, -l="": Listen address, like: ':80'

• --password, -p="": Server password

• --path="": URL path (default: /ws)

• --tcpTimeout="": time (s) (default: 0)

• --udpTimeout="": time (s) (default: 0)

• --updateListInterval="": Update list interval, second. default 0, only read one time on start (default: 0)

• --withoutBrookProtocol: The data will not be encrypted with brook protocol

• --xForwardedFor: Replace the from field in --log, note that this may be forged

Run as brook wsclient, both TCP and UDP, to start a socks5 proxy, [src <-> socks5 <-> $ brook wsclient <-> $ brook wsserver <-> dst]

• --address="": Specify address instead of resolving addresses from host, such as 1.2.3.4:443

• --http="": Where to listen for HTTP proxy connections

• --password, -p="": Brook wsserver password

• --socks5="": Where to listen for SOCKS5 connections (default: 127.0.0.1:1080)

• --socks5ServerIP="": Only if your socks5 server IP is different from listen IP

• --tcpTimeout="": time (s) (default: 0)

• --udpTimeout="": time (s) (default: 0)

• --withoutBrookProtocol: The data will not be encrypted with brook protocol

• --wsserver, -s="": Brook wsserver address, like: ws://1.2.3.4:80, if no path then /ws will be used. Do not omit the port under any circumstances

Run as brook wssserver, both TCP and UDP, it will start a standard https server and websocket server

• --blockCIDR4List="": One CIDR per line, https://, http:// or local file absolute path, like: https://txthinking.github.io/bypass/example_cidr4.txt

• --blockCIDR6List="": One CIDR per line, https://, http:// or local file absolute path, like: https://txthinking.github.io/bypass/example_cidr6.txt

• --blockDomainList="": One domain per line, suffix match mode. https://, http:// or local file absolute path. Like: https://txthinking.github.io/bypass/example_domain.txt

• --blockGeoIP="": Block IP by Geo country code, such as US

• --cert="": The cert file absolute path for the domain, such as /path/to/cert.pem. If cert or certkey is empty, a certificate will be issued automatically

• --certkey="": The cert key file absolute path for the domain, such as /path/to/certkey.pem. If cert or certkey is empty, a certificate will be issued automatically

• --domainaddress="": Such as: domain.com:443. If you choose to automatically issue certificates, the domain must have been resolved to the server IP and 80 port also will be used

• --password, -p="": Server password

• --path="": URL path (default: /ws)

• --tcpTimeout="": time (s) (default: 0)

• --udpTimeout="": time (s) (default: 0)

• --updateListInterval="": Update list interval, second. default 0, only read one time on start (default: 0)

• --withoutBrookProtocol: The data will not be encrypted with brook protocol

Run as brook wssclient, both TCP and UDP, to start a socks5 proxy, [src <-> socks5 <-> $ brook wssclient <-> $ brook wssserver <-> dst]

• --address="": Specify address instead of resolving addresses from host, such as 1.2.3.4:443

• --ca="": When server is brook wssserver, specify ca instead of insecure, such as /path/to/ca.pem

• --http="": Where to listen for HTTP proxy connections

• --insecure: Client do not verify the server's certificate chain and host name

• --password, -p="": Brook wssserver password

• --socks5="": Where to listen for SOCKS5 connections (default: 127.0.0.1:1080)

• --socks5ServerIP="": Only if your socks5 server IP is different from listen IP

• --tcpTimeout="": time (s) (default: 0)

• --tlsfingerprint="": When server is brook wssserver, select tls fingerprint, value can be: chrome

• --udpTimeout="": time (s) (default: 0)

• --withoutBrookProtocol: The data will not be encrypted with brook protocol

• --wssserver, -s="": Brook wssserver address, like: wss://google.com:443, if no path then /ws will be used. Do not omit the port under any circumstances

Run as brook quicserver, both TCP and UDP

• --blockCIDR4List="": One CIDR per line, https://, http:// or local file absolute path, like: https://txthinking.github.io/bypass/example_cidr4.txt

• --blockCIDR6List="": One CIDR per line, https://, http:// or local file absolute path, like: https://txthinking.github.io/bypass/example_cidr6.txt

• --blockDomainList="": One domain per line, suffix match mode. https://, http:// or local file absolute path. Like: https://txthinking.github.io/bypass/example_domain.txt

• --blockGeoIP="": Block IP by Geo country code, such as US

• --cert="": The cert file absolute path for the domain, such as /path/to/cert.pem. If cert or certkey is empty, a certificate will be issued automatically

• --certkey="": The cert key file absolute path for the domain, such as /path/to/certkey.pem. If cert or certkey is empty, a certificate will be issued automatically

• --domainaddress="": Such as: domain.com:443. If you choose to automatically issue certificates, the domain must have been resolved to the server IP and 80 port also will be used

• --password, -p="": Server password

• --tcpTimeout="": time (s) (default: 0)

• --udpTimeout="": time (s) (default: 0)

• --updateListInterval="": Update list interval, second. default 0, only read one time on start (default: 0)

• --withoutBrookProtocol: The data will not be encrypted with brook protocol

Run as brook quicclient, both TCP and UDP, to start a socks5 proxy, [src <-> socks5 <-> $ brook quicclient <-> $ brook quicserver <-> dst]. (Note that the global dial parameter is ignored now)

• --address="": Specify address instead of resolving addresses from host, such as 1.2.3.4:443

• --ca="": Specify ca instead of insecure, such as /path/to/ca.pem

• --http="": Where to listen for HTTP proxy connections

• --insecure: Client do not verify the server's certificate chain and host name

• --password, -p="": Brook quicserver password

• --quicserver, -s="": Brook quicserver address, like: quic://google.com:443. Do not omit the port under any circumstances

• --socks5="": Where to listen for SOCKS5 connections (default: 127.0.0.1:1080)

• --socks5ServerIP="": Only if your socks5 server IP is different from listen IP

• --tcpTimeout="": time (s) (default: 0)

• --udpTimeout="": time (s) (default: 0)

• --withoutBrookProtocol: The data will not be encrypted with brook protocol

Run as relay over brook, both TCP and UDP, this means access [from address] is equal to [to address], [src <-> from address <-> $ brook server/wsserver/wssserver/quicserver <-> to address]

• --address="": When server is brook wsserver or brook wssserver or brook quicserver, specify address instead of resolving addresses from host, such as 1.2.3.4:443

• --ca="": When server is brook wssserver or brook quicserver, specify ca instead of insecure, such as /path/to/ca.pem

• --from, -f, -l="": Listen address: like ':9999'

• --insecure: When server is brook wssserver or brook quicserver, client do not verify the server's certificate chain and host name

• --password, -p="": Password

• --server, -s="": brook server or brook wsserver or brook wssserver or brook quicserver, like: 1.2.3.4:9999, ws://1.2.3.4:9999, wss://domain:443/ws, quic://domain.com:443

• --tcpTimeout="": time (s) (default: 0)

• --tlsfingerprint="": When server is brook wssserver, select tls fingerprint, value can be: chrome

• --to, -t="": Address which relay to, like: 1.2.3.4:9999

• --udpTimeout="": time (s) (default: 0)

• --udpovertcp: When server is brook server, UDP over TCP

• --withoutBrookProtocol: When server is brook wsserver or brook wssserver or brook quicserver, the data will not be encrypted with brook protocol

Run as dns server over brook, both TCP and UDP, [src <-> $ brook dnserversoverbrook <-> $ brook server/wsserver/wssserver/quicserver <-> dns] or [src <-> $ brook dnsserveroverbrook <-> dnsForBypass]

• --address="": When server is brook wsserver or brook wssserver or brook quicserver, specify address instead of resolving addresses from host, such as 1.2.3.4:443

• --blockDomainList="": One domain per line, suffix match mode. https://, http:// or local absolute file path. Like: https://txthinking.github.io/bypass/example_domain.txt

• --bypassDomainList="": One domain per line, suffix match mode. https://, http:// or local absolute file path. Like: https://txthinking.github.io/bypass/example_domain.txt

• --ca="": When server is brook wssserver or brook quicserver, specify ca instead of insecure, such as /path/to/ca.pem

• --disableA: Disable A query

• --disableAAAA: Disable AAAA query

• --dns="": DNS server for resolving domains NOT in list (default: 8.8.8.8:53)

• --dnsForBypass="": DNS server for resolving domains in bypass list. Such as 223.5.5.5:53 or https://dns.alidns.com/dns-query?address=223.5.5.5:443, the address is required (default: 223.5.5.5:53)

• --insecure: When server is brook wssserver or brook quicserver, client do not verify the server's certificate chain and host name

• --listen, -l="": Listen address, like: 127.0.0.1:53

• --password, -p="": Password

• --server, -s="": brook server or brook wsserver or brook wssserver or brook quicserver, like: 1.2.3.4:9999, ws://1.2.3.4:9999, wss://domain.com:443/ws, quic://domain.com:443

• --tcpTimeout="": time (s) (default: 0)

• --tlsfingerprint="": When server is brook wssserver, select tls fingerprint, value can be: chrome

• --udpTimeout="": time (s) (default: 0)

• --udpovertcp: When server is brook server, UDP over TCP

• --withoutBrookProtocol: When server is brook wsserver or brook wssserver or brook quicserver, the data will not be encrypted with brook protocol

Run as transparent proxy, a router gateway, both TCP and UDP, only works on Linux, [src <-> $ brook tproxy <-> $ brook server/wsserver/wssserver/quicserver <-> dst]. OpenWRT: https://www.txthinking.com/talks/articles/brook-openwrt-en.article

• --address="": When server is brook wsserver or brook wssserver or brook quicserver, specify address instead of resolving addresses from host, such as 1.2.3.4:443

• --blockDomainList="": One domain per line, Suffix match mode. https://, http:// or local file absolute path. Like: https://txthinking.github.io/bypass/example_domain.txt

• --bypassCIDR4List="": One CIDR per line, https://, http:// or local file absolute path, like: https://txthinking.github.io/bypass/example_cidr4.txt

• --bypassCIDR6List="": One CIDR per line, https://, http:// or local file absolute path, like: https://txthinking.github.io/bypass/example_cidr6.txt

• --bypassDomainList="": One domain per line, Suffix match mode. https://, http:// or local file absolute path. Like: https://txthinking.github.io/bypass/example_domain.txt

• --bypassGeoIP="": Bypass IP by Geo country code, such as US

• --ca="": When server is brook wssserver or brook quicserver, specify ca instead of insecure, such as /path/to/ca.pem

• --disableA: Disable A query

• --disableAAAA: Disable AAAA query

• --dnsForBypass="": DNS server for resolving domains in bypass list. Such as 223.5.5.5:53 or https://dns.alidns.com/dns-query?address=223.5.5.5:443, the address is required (default: 223.5.5.5:53)

• --dnsForDefault="": DNS server for resolving domains NOT in list (default: 8.8.8.8:53)

• --dnsListen="": Start a DNS server, like: ':53'. MUST contain IP, like '192.168.1.1:53', if you expect your gateway to accept requests from clients to other public DNS servers at the same time

• --doNotRunScripts: This will not change iptables and others if you want to do by yourself

• --insecure: When server is brook wssserver or brook quicserver, client do not verify the server's certificate chain and host name

• --link="": brook link. This will ignore server, password, udpovertcp, address, insecure, withoutBrookProtocol, ca, tlsfingerprint

• --listen, -l="": Listen address, DO NOT contain IP, just like: ':8888'. No need to operate iptables by default! (default: :8888)

• --password, -p="": Password

• --redirectDNS="": It is usually the value of dnsListen. If the client has set custom DNS instead of dnsListen, this parameter can be intercepted and forwarded to dnsListen. Usually you don't need to set this, only if you want to control it instead of being proxied directly as normal UDP data.

• --server, -s="": brook server or brook wsserver or brook wssserver or brook quicserver, like: 1.2.3.4:9999, ws://1.2.3.4:9999, wss://domain.com:443/ws, quic://domain.com:443

• --tcpTimeout="": time (s) (default: 0)

• --tlsfingerprint="": When server is brook wssserver, select tls fingerprint, value can be: chrome

• --udpTimeout="": time (s) (default: 0)

• --udpovertcp: When server is brook server, UDP over TCP

• --withoutBrookProtocol: When server is brook wsserver or brook wssserver or brook quicserver, the data will not be encrypted with brook protocol

Generate brook link

• --address="": When server is brook wsserver or brook wssserver or brook quicserver, specify address instead of resolving addresses from host, such as 1.2.3.4:443

• --ca="": When server is brook wssserver or brook quicserver, specify ca for untrusted cert, such as /path/to/ca.pem

• --clientHKDFInfo="": client HKDF info, most time you don't need to change this, read brook protocol if you don't know what this is

• --insecure: When server is brook wssserver or brook quicserver, client do not verify the server's certificate chain and host name

• --name="": Give this server a name

• --password, -p="": Password

• --server, -s="": Support brook server, brook wsserver, brook wssserver, socks5 server, brook quicserver. Like: 1.2.3.4:9999, ws://1.2.3.4:9999, wss://google.com:443/ws, socks5://1.2.3.4:1080, quic://google.com:443

• --serverHKDFInfo="": server HKDF info, most time you don't need to change this, read brook protocol if you don't know what this is

• --tlsfingerprint="": When server is brook wssserver, select tls fingerprint, value can be: chrome

• --udpovertcp: When server is brook server, UDP over TCP

• --username, -u="": Username, when server is socks5 server

• --withoutBrookProtocol: When server is brook wsserver or brook wssserver or brook quicserver, the data will not be encrypted with brook protocol

Run as client and connect to brook link, both TCP and UDP, to start a socks5 proxy, [src <-> socks5 <-> $ brook connect <-> $ brook server/wsserver/wssserver/quicserver <-> dst]

• --http="": Where to listen for HTTP proxy connections

• --link, -l="": brook link, you can get it via $ brook link

• --socks5="": Where to listen for SOCKS5 connections (default: 127.0.0.1:1080)

• --socks5ServerIP="": Only if your socks5 server IP is different from listen IP

• --tcpTimeout="": time (s) (default: 0)

• --udpTimeout="": time (s) (default: 0)

Run as standalone relay, both TCP and UDP, this means access [from address] is equal to access [to address], [src <-> from address <-> to address]

• --from, -f, -l="": Listen address: like ':9999'

• --tcpTimeout="": time (s) (default: 0)

• --to, -t="": Address which relay to, like: 1.2.3.4:9999

• --udpTimeout="": time (s) (default: 0)

Run as standalone dns server

• --blockDomainList="": One domain per line, suffix match mode. https://, http:// or local absolute file path. Like: https://txthinking.github.io/bypass/example_domain.txt

• --disableA: Disable A query

• --disableAAAA: Disable AAAA query

• --dns="": DNS server which forward to. Such as 8.8.8.8:53 or https://dns.google/dns-query?address=8.8.8.8%3A443, the address is required (default: 8.8.8.8:53)

• --listen, -l="": Listen address, like: 127.0.0.1:53

• --tcpTimeout="": time (s) (default: 0)

• --udpTimeout="": time (s) (default: 0)

Send a dns query

• --dns, -s="": DNS server, such as 8.8.8.8:53 (default: 8.8.8.8:53)

• --domain, -d="": Domain

• --short: Short for A/AAAA

• --type, -t="": Type, such as A (default: A)

Run as standalone doh server

• --blockDomainList="": One domain per line, suffix match mode. https://, http:// or local absolute file path. Like: https://txthinking.github.io/bypass/example_domain.txt

• --cert="": The cert file absolute path for the domain, such as /path/to/cert.pem. If cert or certkey is empty, a certificate will be issued automatically

• --certkey="": The cert key file absolute path for the domain, such as /path/to/certkey.pem. If cert or certkey is empty, a certificate will be issued automatically

• --disableA: Disable A query

• --disableAAAA: Disable AAAA query

• --dns="": DNS server which forward to. Such as 8.8.8.8:53 or https://dns.google/dns-query?address=8.8.8.8%3A443, the address is required (default: 8.8.8.8:53)

• --domainaddress="": Such as: domain.com:443, if you want to create a https server. If you choose to automatically issue certificates, the domain must have been resolved to the server IP and 80 port also will be used

• --listen="": listen address, if you want to create a http server behind nico

• --path="": URL path (default: /dns-query)

• --tcpTimeout="": time (s) (default: 0)

• --udpTimeout="": time (s) (default: 0)

Send a dns query

• --doh, -s="": DOH server, the address is required (default: https://dns.quad9.net/dns-query?address=9.9.9.9%3A443)

• --domain, -d="": Domain

• --short: Short for A/AAAA

• --type, -t="": Type, such as A (default: A)

Run as standalone dhcp server. Note that you need to stop other dhcp servers, if there are.

• --cache="": Cache file, local absolute file path, default is $HOME/.brook.dhcpserver

• --count="": IP range from the start, which you want to assign to clients (default: 0)

• --dnsserver="": The dns server which you want to assign to clients, such as: 192.168.1.1 or 8.8.8.8

• --gateway="": The router gateway which you want to assign to clients, such as: 192.168.1.1

• --interface="": Select interface on multi interface device. Linux only

• --netmask="": Subnet netmask which you want to assign to clients (default: 255.255.255.0)

• --serverip="": DHCP server IP, the IP of the this machine, you shoud set a static IP to this machine before doing this, such as: 192.168.1.10

• --start="": Start IP which you want to assign to clients, such as: 192.168.1.100

Run as standalone standard socks5 server, both TCP and UDP

• --limitUDP: The server MAY use this information to limit access to the UDP association. This usually causes connection failures in a NAT environment, where most clients are.

• --listen, -l="": Socks5 server listen address, like: :1080 or 1.2.3.4:1080

• --password="": Password, optional

• --socks5ServerIP="": Only if your socks5 server IP is different from listen IP

• --tcpTimeout="": Connection deadline time (s) (default: 0)

• --udpTimeout="": Connection deadline time (s) (default: 0)

• --username="": User name, optional

Convert socks5 to http proxy, [src <-> listen address(http proxy) <-> socks5 address <-> dst]

• --listen, -l="": HTTP proxy which will be create: like: 127.0.0.1:8010

• --socks5, -s="": Socks5 server address, like: 127.0.0.1:1080

• --socks5password="": Socks5 password, optional

• --socks5username="": Socks5 username, optional

• --tcpTimeout="": Connection tcp timeout (s) (default: 0)

Run as PAC server or save PAC to file

• --bypassDomainList, -b="": One domain per line, suffix match mode. http(s):// or local absolute file path. Like: https://txthinking.github.io/bypass/example_domain.txt

• --file, -f="": Save PAC to file, this will ignore listen address

• --listen, -l="": Listen address, like: 127.0.0.1:1980

• --proxy, -p="": Proxy, like: 'SOCKS5 127.0.0.1:1080; SOCKS 127.0.0.1:1080; DIRECT' (default: SOCKS5 127.0.0.1:1080; SOCKS 127.0.0.1:1080; DIRECT)

Test UDP and TCP of socks5 server

• --dns="": DNS server for connecting (default: 8.8.8.8:53)

• --domain="": Domain for query (default: http3.ooo)

• --password, -p="": Socks5 password

• --socks5, -s="": Like: 127.0.0.1:1080

• --username, -u="": Socks5 username

• -a="": The A record of domain (default: 137.184.237.95)

Test UDP and TCP of brook server/wsserver/wssserver/quicserver. (Note that the global dial parameter is ignored now)

• --dns="": DNS server for connecting (default: 8.8.8.8:53)

• --domain="": Domain for query (default: http3.ooo)

• --link, -l="": brook link. Get it via $ brook link

• --socks5="": Temporarily listening socks5 (default: 127.0.0.1:11080)

• -a="": The A record of domain (default: 137.184.237.95)

Echo server, echo UDP and TCP address of routes

• --listen, -l="": Listen address, like: ':7777'

Connect to echoserver, echo UDP and TCP address of routes

• --server, -s="": Echo server address, such as 1.2.3.4:7777

• --times="": Times of interactions (default: 0)

Get country of IP

• --ip="": 1.1.1.1

Generate shell completions

• --file, -f="": Write to file (default: brook_autocomplete)

Generate markdown page

• --file, -f="": Write to file, default print to stdout

• --help, -h: show help

Shows a list of commands or help for one command

Generate man.1 page

• --file, -f="": Write to file, default print to stdout. You should put to /path/to/man/man1/brook.1 on linux or /usr/local/share/man/man1/brook.1 on macos

Shows a list of commands or help for one command

Maybe outdated

List some examples of common scene commands, pay attention to replace the parameters such as IP, port, password, domain name, certificate path, etc. in the example by yourself

brook server --listen :9999 --password hello

then

• server: 1.2.3.4:9999
• password: hello

or get brook link

brook link --server 1.2.3.4:9999 --password hello --name 'my brook server'

or get brook link with --udpovertcp

brook link --server 1.2.3.4:9999 --password hello --udpovertcp --name 'my brook server'

brook wsserver --listen :9999 --password hello

then

• server: ws://1.2.3.4:9999
• password: hello

or get brook link

brook link --server ws://1.2.3.4:9999 --password hello --name 'my brook wsserver'

or get brook link with domain, even if that's not your domain

brook link --server ws://hello.com:9999 --password hello --address 1.2.3.4:9999 --name 'my brook wsserver'

Make sure your domain has been resolved to your server IP successfully. Automatic certificate issuance requires the use of port 80

brook wssserver --domainaddress domain.com:443 --password hello

then

• server: wss://domain.com:443
• password: hello

or get brook link

brook link --server wss://domain.com:443 --password hello --name 'my brook wssserver'

Make sure your domain has been resolved to your server IP successfully

brook wssserver --domainaddress domain.com:443 --password hello --cert /root/cert.pem --certkey /root/certkey.pem

then

• server: wss://domain.com:443
• password: hello

or get brook link

brook link --server wss://domain.com:443 --password hello --name 'my brook wssserver'

Install mad

nami install mad

Generate root ca

mad ca --ca /root/ca.pem --key /root/cakey.pem

Generate domain cert by root ca

mad cert --ca /root/ca.pem --ca_key /root/cakey.pem --cert /root/cert.pem --key /root/certkey.pem --domain domain.com

Run brook

brook wssserver --domainaddress domain.com:443 --password hello --cert /root/cert.pem --certkey /root/certkey.pem

get brook link with --insecure

brook link --server wss://domain.com:443 --password hello --name 'my brook wssserver' --address 1.2.3.4:443 --insecure

or get brook link with --ca

brook link --server wss://domain.com:443 --password hello --name 'my brook wssserver' --address 1.2.3.4:443 --ca /root/ca.pem

Better performance, but data is not strongly encrypted using Brook protocol. So please use certificate encryption, and it is not recommended to use --withoutBrookProtocol and --insecure together

Make sure your domain has been resolved to your server IP successfully. Automatic certificate issuance requires the use of port 80

brook wssserver --domainaddress domain.com:443 --password hello --withoutBrookProtocol

get brook link

brook link --server wss://domain.com:443 --password hello --withoutBrookProtocol

Make sure your domain has been resolved to your server IP successfully

brook wssserver --domainaddress domain.com:443 --password hello --cert /root/cert.pem --certkey /root/certkey.pem --withoutBrookProtocol

get brook link

brook link --server wss://domain.com:443 --password hello --name 'my brook wssserver' --withoutBrookProtocol

Install mad

nami install mad

Generate root ca

mad ca --ca /root/ca.pem --key /root/cakey.pem

Generate domain cert by root ca

mad cert --ca /root/ca.pem --ca_key /root/cakey.pem --cert /root/cert.pem --key /root/certkey.pem --domain domain.com

Run brook wssserver

brook wssserver --domainaddress domain.com:443 --password hello --cert /root/cert.pem --certkey /root/certkey.pem --withoutBrookProtocol

Get brook link

brook link --server wss://domain.com:443 --password hello --withoutBrookProtocol --address 1.2.3.4:443 --ca /root/ca.pem

brook socks5 --listen :1080 --socks5ServerIP 1.2.3.4

then

• server: 1.2.3.4:1080

or get brook link

brook link --server socks5://1.2.3.4:1080

brook socks5 --listen :1080 --socks5ServerIP 1.2.3.4 --username hello --password world

then

• server: 1.2.3.4:1080
• username: hello
• password: world

or get brook link

brook link --server socks5://1.2.3.4:1080 --username hello --password world

brook relayoverbrook ... --from 127.0.0.1:5353 --to 8.8.8.8:53

brook dnsserveroverbrook ... --listen 127.0.0.1:53

https://www.txthinking.com/talks/articles/brook-openwrt-en.article

https://www.txthinking.com/talks/articles/brook-macos-gateway-en.article

https://www.txthinking.com/talks/articles/brook-windows-gateway-en.article

https://www.txthinking.com/talks/articles/brook-linux-gateway-en.article

brook relay --from :9999 --to 1.2.3.4:9999

brook socks5tohttp --socks5 127.0.0.1:1080 --listen 127.0.0.1:8010

brook pac --listen 127.0.0.1:8080 --proxy 'SOCKS5 127.0.0.1:1080; SOCKS 127.0.0.1:1080; DIRECT' --bypassDomainList ...

brook pac --file proxy.pac --proxy 'SOCKS5 127.0.0.1:1080; SOCKS 127.0.0.1:1080; DIRECT' --bypassDomainList ...

下面列举一些常用场景命令的例子, 注意自己替换示例中的 IP，端口，密码，域名，证书路径等参数

brook server --listen :9999 --password hello

然后

• server: 1.2.3.4:9999
• password: hello

或 获取 brook link

brook link --server 1.2.3.4:9999 --password hello --name 'my brook server'

或 获取 brook link 让 udp 走 tcp --udpovertcp

brook link --server 1.2.3.4:9999 --password hello --udpovertcp --name 'my brook server'

brook wsserver --listen :9999 --password hello

然后

• server: ws://1.2.3.4:9999
• password: hello

或 获取 brook link

brook link --server ws://1.2.3.4:9999 --password hello --name 'my brook wsserver'

或 获取 brook link 指定个域名, 甚至不是你自己的域名也可以

brook link --server ws://hello.com:9999 --password hello --address 1.2.3.4:9999 --name 'my brook wsserver'

注意：确保你的域名已成功解析到你服务器的 IP, 自动签发证书需要额外监听 80 端口

brook wssserver --domainaddress domain.com:443 --password hello

然后

• server: wss://domain.com:443
• password: hello

或 获取 brook link

brook link --server wss://domain.com:443 --password hello --name 'my brook wssserver'

注意：确保你的域名已成功解析到你服务器的 IP

brook wssserver --domainaddress domain.com:443 --password hello --cert /root/cert.pem --certkey /root/certkey.pem

然后

• server: wss://domain.com:443
• password: hello

或 获取 brook link

brook link --server wss://domain.com:443 --password hello --name 'my brook wssserver'

安装 mad

nami install mad

使用 mad 生成根证书

mad ca --ca /root/ca.pem --key /root/cakey.pem

使用 mad 由根证书派发 domain.com 证书

mad cert --ca /root/ca.pem --ca_key /root/cakey.pem --cert /root/cert.pem --key /root/certkey.pem --domain domain.com

运行 brook

brook wssserver --domainaddress domain.com:443 --password hello --cert /root/cert.pem --certkey /root/certkey.pem

获取 brook link 使用 --insecure

brook link --server wss://domain.com:443 --password hello --name 'my brook wssserver' --address 1.2.3.4:443 --insecure

或 获取 brook link 使用 --ca

brook link --server wss://domain.com:443 --password hello --name 'my brook wssserver' --address 1.2.3.4:443 --ca /root/ca.pem

性能更好，但数据不使用 Brook 协议进行强加密。所以请使用证书加密，并且不建议--withoutBrookProtocol 和--insecure 一起使用

注意：确保你的域名已成功解析到你服务器的 IP, 自动签发证书需要额外监听 80 端口

brook wssserver --domainaddress domain.com:443 --password hello --withoutBrookProtocol

获取 brook link

brook link --server wss://domain.com:443 --password hello --withoutBrookProtocol

注意：确保你的域名已成功解析到你服务器的 IP

brook wssserver --domainaddress domain.com:443 --password hello --cert /root/cert.pem --certkey /root/certkey.pem --withoutBrookProtocol

获取 brook link

brook link --server wss://domain.com:443 --password hello --name 'my brook wssserver' --withoutBrookProtocol

安装 mad

nami install mad

使用 mad 生成根证书

mad ca --ca /root/ca.pem --key /root/cakey.pem

使用 mad 由根证书派发 domain.com 证书

mad cert --ca /root/ca.pem --ca_key /root/cakey.pem --cert /root/cert.pem --key /root/certkey.pem --domain domain.com

运行 brook wssserver

brook wssserver --domainaddress domain.com:443 --password hello --cert /root/cert.pem --certkey /root/certkey.pem --withoutBrookProtocol

获取 brook link

brook link --server wss://domain.com:443 --password hello --withoutBrookProtocol --address 1.2.3.4:443 --ca /root/ca.pem

brook socks5 --listen :1080 --socks5ServerIP 1.2.3.4

然后

• server: 1.2.3.4:1080

或 获取 brook link

brook link --server socks5://1.2.3.4:1080

brook socks5 --listen :1080 --socks5ServerIP 1.2.3.4 --username hello --password world

然后

• server: 1.2.3.4:1080
• username: hello
• password: world

或 获取 brook link

brook link --server socks5://1.2.3.4:1080 --username hello --password world

brook relayoverbrook ... --from 127.0.0.1:5353 --to 8.8.8.8:53

brook dnsserveroverbrook ... --listen 127.0.0.1:53

https://www.txthinking.com/talks/articles/brook-openwrt.article

https://www.txthinking.com/talks/articles/brook-macos-gateway.article

https://www.txthinking.com/talks/articles/brook-windows-gateway.article

https://www.txthinking.com/talks/articles/brook-linux-gateway.article

brook relay --from :9999 --to 1.2.3.4:9999

brook socks5tohttp --socks5 127.0.0.1:1080 --listen 127.0.0.1:8010

brook pac --listen 127.0.0.1:8080 --proxy 'SOCKS5 127.0.0.1:1080; SOCKS 127.0.0.1:1080; DIRECT' --bypassDomainList ...

brook pac --file proxy.pac --proxy 'SOCKS5 127.0.0.1:1080; SOCKS 127.0.0.1:1080; DIRECT' --bypassDomainList ...