Useful links
This is a long-awaited moment for us. We promised to open-source our protocol, and today we’re delivering on that promise. With TrustTunnel now open source, users and developers alike can explore, self-host, and build on the technology.
To get started, check out the following resources:
TrustTunnel website
TrustTunnel open-source repository on GitHub
TrustTunnel app for iOS
TrustTunnel app for Android
Wonder how it compares with the MASQUE protocol:
Yeah, I’m hoping the PG livestream will cover it all.
My interest was piqued, so I decided to investigate, as I hadn’t previously encountered MASQUE.
MASQUE is a standardized (IETF) framework that facilitates the concurrent operation of multiple network applications/tunnels within a single HTTP/3/QUIC connection. It leverages HTTP’s request/response semantics, multiplexes flows over streams, and utilizes unified congestion control. A pivotal aspect of this is running a proxy/VPN “behind an https server”.
TrustTunnel is a specific VPN protocol/implementation developed and open-sourced by AdGuard.
It appears that MASQUE is the standard, while TrustTunnel is a protocol within AdGuard’s ecosystem, much like Stealth is for Proton.
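As an added illustration of the multiplexing the comment above describes (this is example code, not from the thread and not TrustTunnel or AdGuard code): the wire framing MASQUE uses for UDP proxying. Each proxied UDP flow is its own extended CONNECT request (RFC 9298) on the shared HTTP/3 connection, and the flow's datagrams travel as DATAGRAM capsules (RFC 9297) on that request's stream. Only the framing is shown; the QUIC and HTTP/3 handshake is not, and the proxy name and payloads are constructed.

```python
"""Added example (not from the thread and not TrustTunnel/AdGuard code):
RFC 9297 capsule framing carrying RFC 9298 connect-udp datagrams, which is
how MASQUE multiplexes several UDP flows over one HTTP/3 connection."""

DATAGRAM_CAPSULE = 0x00   # RFC 9297 capsule type for an HTTP Datagram


def encode_varint(n: int) -> bytes:
    """QUIC variable-length integer (RFC 9000, section 16)."""
    if n < 0x40:
        return n.to_bytes(1, "big")
    if n < 0x4000:
        return (n | 0x4000).to_bytes(2, "big")
    if n < 0x40000000:
        return (n | 0x80000000).to_bytes(4, "big")
    if n < 0x4000000000000000:
        return (n | 0xC000000000000000).to_bytes(8, "big")
    raise ValueError("value too large for a varint")


def decode_varint(buf: bytes, pos: int = 0) -> tuple[int, int]:
    """Return (value, position after it); raise on a truncated buffer."""
    if pos >= len(buf):
        raise ValueError("truncated varint")
    length = 1 << (buf[pos] >> 6)          # 2-bit prefix selects 1/2/4/8 bytes
    if pos + length > len(buf):
        raise ValueError("truncated varint")
    raw = int.from_bytes(buf[pos:pos + length], "big")
    return raw & ((1 << (8 * length - 2)) - 1), pos + length


def connect_udp_headers(proxy: str, host: str, port: int) -> dict[str, str]:
    """Pseudo-headers for one proxied UDP flow: an extended CONNECT on the
    RFC 9298 well-known URI template. A second flow is just a second request
    stream on the same connection. The host is inserted as-is (IPv6 literals
    would need percent-encoding)."""
    return {
        ":method": "CONNECT",
        ":protocol": "connect-udp",
        ":scheme": "https",
        ":authority": proxy,
        ":path": f"/.well-known/masque/udp/{host}/{port}/",
        "capsule-protocol": "?1",
    }


def encode_udp_capsule(payload: bytes, context_id: int = 0) -> bytes:
    """DATAGRAM capsule carrying a connect-udp datagram: Context ID (varint,
    0 = plain UDP payload per RFC 9298) followed by the UDP payload."""
    value = encode_varint(context_id) + payload
    return encode_varint(DATAGRAM_CAPSULE) + encode_varint(len(value)) + value


def decode_capsules(stream: bytes) -> list[tuple[int, bytes]]:
    """Walk a complete capsule stream and return (context_id, udp_payload)
    pairs. Capsule types the receiver does not know are skipped, as RFC 9297
    requires; a capsule cut off by the end of the buffer is an error here."""
    out, pos = [], 0
    while pos < len(stream):
        ctype, pos = decode_varint(stream, pos)
        clen, pos = decode_varint(stream, pos)
        if pos + clen > len(stream):
            raise ValueError("truncated capsule")
        value, pos = stream[pos:pos + clen], pos + clen
        if ctype != DATAGRAM_CAPSULE:
            continue
        ctx, off = decode_varint(value)
        out.append((ctx, value[off:]))
    return out


if __name__ == "__main__":
    # Constructed sample: a DNS flow and a game flow sharing one connection,
    # each as its own CONNECT request with its own capsule stream.
    dns = connect_udp_headers("proxy.example", "9.9.9.9", 53)
    game = connect_udp_headers("proxy.example", "game.example", 27015)
    dns_stream = encode_udp_capsule(b"\x12\x34\x01\x00constructed-dns-query")
    print(dns[":path"], game[":path"])
    print(decode_capsules(dns_stream))
```

Because every flow is an ordinary request on the connection, the proxy's congestion control and loss recovery are shared across all of them, which is the "unified congestion control" the comment refers to.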
I’m really into MASQUE at the moment.
Thanks for the quick rundown.
Someone should make an infographic showing the differences between such VPN protocols, and how they are or can be used either with one another or separately.
Between the many protocols and obfuscation options, it’s getting harder and harder to keep track. Or maybe I’m getting too old to remember them all.
My personal conviction is that it’s preferable to have multiple obfuscation alternatives, such as those offered by Mullvad and IVPN, because eventually one will get blocked or fail to function in a particular location. To my knowledge, no single, definitive solution exists. And undoubtedly, a great deal depends on what part of the world one resides in.
I agree.
What I meant more was that it’d be nice to see the differences visually, if it’s at all possible to showcase them, so anyone can understand what each protocol does and consequently learn when to use which one.
MASQUE is basically a collective name for several RFC standards related to proxying over HTTP.
TrustTunnel is pretty similar, and with some slight changes we could add support for them and make it compatible with MASQUE (it’s on the roadmap, assessing it).
What I don’t like about these RFCs is that they insist on using HTTP/3/QUIC, and our experience shows that HTTP/2/TCP is still crucial (that’s why TT supports both).
Overall, the transport protocol itself is a relatively simple part of the work. More time is consumed by additional features that make it “stealthy”. A couple of examples:
- In order to make it blend into regular web traffic we make it indistinguishable from Chromium’s. It’s constant work, since Chromium changes TLS from version to version.
- The server needs to implement anti-probing protection so that it isn’t possible to scan the Internet for TrustTunnel servers.
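An added example of the anti-probing idea in the comment above (example code, not from the thread and not TrustTunnel's server code): a request gate where everything that is not a correctly authenticated tunnel request, including requests with a wrong or malformed credential, gets exactly the bytes a decoy website would send, so an Internet-wide scanner cannot tell this host from an ordinary HTTPS site. The header name, the token format and the decoy pages are hypothetical.

```python
"""Added example (not from the thread and not TrustTunnel's code): a
probe-resistant HTTP request gate. Unauthenticated requests of every kind
are answered exactly as the decoy static site would answer them."""
from __future__ import annotations

import hashlib
import hmac

AUTH_HEADER = "x-tt-auth"   # hypothetical header; value is "client_id:hex_hmac"


def http_response(status: str, body: bytes) -> bytes:
    head = (f"HTTP/1.1 {status}\r\nContent-Type: text/html\r\n"
            f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n")
    return head.encode("ascii") + body


# Constructed decoy: what a small static site would answer.
DECOY_HOME = http_response("200 OK", b"<h1>Welcome</h1>")
DECOY_404 = http_response("404 Not Found", b"<h1>Not Found</h1>")
DECOY_400 = http_response("400 Bad Request", b"")


def decoy_response(method: str, target: str) -> bytes:
    """The decoy site's answer, chosen only from method and path, never from
    whether an authentication header was present or how it failed."""
    if method in ("GET", "HEAD") and target == "/":
        return DECOY_HOME
    return DECOY_404


def parse_request_head(raw: bytes) -> tuple[str, str, dict[str, str]] | None:
    """Minimal HTTP/1.x request-head parser; None for anything malformed,
    which is then handled like every other unauthenticated request."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    try:
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    if not version.startswith("HTTP/1."):
        return None
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            return None
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def expected_token(secret: bytes, client_id: str) -> str:
    """Per-client credential: HMAC-SHA256 over the client id under the server
    secret (a stand-in for whatever credential a real deployment issues)."""
    return hmac.new(secret, client_id.encode("utf-8"), hashlib.sha256).hexdigest()


def route(raw: bytes, secret: bytes) -> tuple[str, bytes]:
    """Return ("tunnel", client_id) for an authenticated request, otherwise
    ("web", response_bytes) identical to the decoy site's answer."""
    parsed = parse_request_head(raw)
    if parsed is None:
        return "web", DECOY_400
    method, target, headers = parsed
    client_id, sep, mac = headers.get(AUTH_HEADER, "").partition(":")
    # Absent, malformed and wrong credentials all fall through to the same
    # decoy answer; compare_digest keeps the comparison constant-time.
    if sep and client_id and hmac.compare_digest(
            mac.encode("utf-8"), expected_token(secret, client_id).encode("ascii")):
        return "tunnel", client_id.encode("utf-8")
    return "web", decoy_response(method, target)


if __name__ == "__main__":
    secret = b"constructed-test-secret"
    token = expected_token(secret, "alice")
    good = (f"CONNECT proxy.example:443 HTTP/1.1\r\nHost: proxy.example\r\n"
            f"X-TT-Auth: alice:{token}\r\n\r\n").encode()
    probe = b"CONNECT proxy.example:443 HTTP/1.1\r\nHost: proxy.example\r\n\r\n"
    print(route(good, secret)[0], route(probe, secret)[0])
```

The gate only covers the HTTP layer. As the comment notes, the TLS handshake has to look like the decoy's (or like a browser's) as well, otherwise the scanner distinguishes the server before it ever sends a request.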
Good thing you showed up to sort it out / fill in the gaps.
Always nice to see the product team/company chime in promptly to clarify and answer things
Thank you for taking the time to clarify. A somewhat adjacent question I’ve been wondering about: Is AdGuard planning to implement (even partially) similar features as Mullvad’s DAITA? Windscribe and Obscura also have “decoy traffic” and “packet padding”, respectively, with the goal of making traffic pattern correlation more difficult. I would love to see something similar in AdGuard VPN since it is already faster than any other provider I’ve tried (even WARP+), and this would make me more comfortable using it over alternatives like Mullvad/Obscura.
With all due respect, I have doubts that AI-based traffic analysis is capable of producing results anywhere outside a lab. Your devices create quite a lot of noise by themselves. In addition to that, I think WireGuard is more prone to this kind of analysis because of how it works: every packet to the VPN server corresponds to a “source” net packet, whereas with TT multiple packets can be bundled into one.
A different type of traffic analysis is actually used in the wild, China’s GFW tries to analyze traffic patterns to detect VPN servers and slow down connections to them. Solving this problem in my opinion has higher priority.
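An added size-only model of the difference the comment above points at (example code, not from the thread and not AdGuard's code). Under one-to-one encapsulation every inner packet becomes one outer packet, so its size is visible modulo padding; under stream bundling, packets queued together are framed into one byte stream that is cut into fixed-size records, so inner boundaries and even the inner packet count are hidden. WireGuard's 16-byte padding and 32-byte data-message overhead are taken from its protocol description; the bundled framing constants are hypothetical, the packet burst is constructed, and timing is not modelled.

```python
"""Added example (not from the thread and not AdGuard's code): what an
on-path observer sees of inner packet sizes under 1:1 encapsulation
(WireGuard-style) versus stream bundling of a queued burst."""
from __future__ import annotations

WG_OVERHEAD = 32      # WireGuard transport data message: 16-byte header + 16-byte tag
WG_PAD = 16           # WireGuard pads the inner packet to a multiple of 16 bytes
FRAME_LEN = 2         # hypothetical length prefix per bundled packet (< 65536 bytes)
RECORD_MAX = 1400     # hypothetical maximum plaintext per wire record
RECORD_OVERHEAD = 21  # hypothetical: 5-byte record header + 16-byte AEAD tag


def one_to_one_sizes(packets: list[bytes]) -> list[int]:
    """Outer sizes when each inner packet is padded, encrypted and sent alone."""
    return [((len(p) + WG_PAD - 1) // WG_PAD) * WG_PAD + WG_OVERHEAD for p in packets]


def inner_size_bounds(outer: int) -> tuple[int, int]:
    """What one outer size reveals in the 1:1 case: the inner size lies in a
    16-byte window, and there is exactly one inner packet per outer packet."""
    hi = outer - WG_OVERHEAD
    return max(hi - (WG_PAD - 1), 0), hi


def bundled_sizes(packets: list[bytes], record_max: int = RECORD_MAX) -> list[int]:
    """Outer sizes when a burst of queued packets is length-prefixed,
    concatenated and cut into records of at most record_max plaintext bytes.
    Only the total byte count survives; per-packet boundaries do not."""
    stream = b"".join(len(p).to_bytes(FRAME_LEN, "big") + p for p in packets)
    chunks = [stream[i:i + record_max] for i in range(0, len(stream), record_max)]
    return [len(c) + RECORD_OVERHEAD for c in chunks]


if __name__ == "__main__":
    # Constructed burst: an ACK/data/ACK/data/ACK pattern inside the tunnel.
    burst = [b"\x00" * n for n in (60, 1350, 52, 1350, 60)]
    print("1:1     ", one_to_one_sizes(burst))
    print("bundled ", bundled_sizes(burst))
    print("96 bytes on the wire means inner size in", inner_size_bounds(96))
```

The bundling only helps when several packets are actually queued at once; a single packet arriving on an idle tunnel still produces one record whose size reflects it, which is why padding or decoy schemes such as the ones asked about above target a different part of the problem.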
DAITA is wasteful, too, in terms of bandwidth.
When certain VPN providers implement something, anything… some tend to think that must absolutely be the gold standard…
It would be unlike these businesses, if they missed the opportunity to market… “AI” … somewhere…
Agree, but that’s a job that “proxifiers” do better today. Projects like Lantern (who also use SingBox) and Psiphon do this, and their clients / protocol implementations are open source. Admittedly they are much more complex and pack a garden variety of strategies. There is also a host of protocols like VLESS, VMess, Trojan, Hysteria etc., so I wonder why AdGuard chose to NIH rather than reuse / contribute to those? Trying to understand the technical, if not socio-political, reasons behind TrustTunnel as a standalone implementation.
Please! I have yet to find a reliable VPN solution for use in China. We definitely need something that can defeat China’s GFW.
TrustTunnel is new only technically; we’ve been using it for years, and when we started developing it the list of obfuscated protocols was shorter: everyone was using Shadowsocks, which is quite bad from a performance point of view.
As for XRay/VLESS/VMess: at this point they remind me of OpenVPN, configurable and very flexible, but rather heavy because of that. People need a simple and fast set-and-forget working solution, and this is what we would like to provide.
Is the AdGuard VPN service using TrustTunnel? Will this work in China?