Recoba86/slipstream-tunnel-control


slipstream-tunnel


Slipstream DNS tunnel setup with automatic DNS server scanning via dnscan.

The installer auto-installs missing runtime dependencies (for example sshpass, openssh-client, and DNS tools) when possible.

Quick Start

Server (outside Iran)

curl -fsSL https://raw.githubusercontent.com/Recoba86/slipstream-tunnel-control/main/install.sh | sudo bash -s -- server

Follow the prompts to configure Cloudflare DNS.

Client (inside Iran)

curl -fsSL https://raw.githubusercontent.com/Recoba86/slipstream-tunnel-control/main/install.sh | sudo bash -s -- client

After install, the slipstream-tunnel command is available globally.

Offline Mode

If the network is blocked, download the binaries first, then provide their paths:

slipstream-tunnel client --dnscan ./dnscan.tar.gz --slipstream ./slipstream-client

Prerequisites

Server

  • VPS with root access
  • Domain with Cloudflare DNS
  • 3x-ui panel installed (or any V2ray panel)
  • OpenSSH server installed (sshd) if using SSH auth overlay

Client

Uses a fork of slipstream-rust with fixes for CPU spin and connection stall bugs. The upstream repo is no longer actively maintained.

Available cores:

Commands

slipstream-tunnel server    # Setup server
slipstream-tunnel client    # Setup client
slipstream-tunnel edit      # Edit saved settings (domain/port/...)
slipstream-tunnel start     # Start tunnel service (current mode)
slipstream-tunnel stop      # Stop tunnel service (current mode)
slipstream-tunnel restart   # Restart tunnel service (current mode)
slipstream-tunnel status    # Show current status
slipstream-tunnel logs      # View logs (add -f to follow)
slipstream-tunnel health    # Check DNS and switch if slow
slipstream-tunnel watchdog  # Immediate runtime self-heal check (client mode)
slipstream-tunnel rescan    # Manual DNS rescan + switch best server
slipstream-tunnel dashboard # Small client dashboard
slipstream-tunnel servers   # Full verified DNS list (live ping + DNS latency)
slipstream-tunnel instance-add <name> # Add extra client instance on same host
slipstream-tunnel instance-list # List extra client instances
slipstream-tunnel instance-status <name> # Show one extra instance
slipstream-tunnel instance-start <name> # Start one extra instance
slipstream-tunnel instance-stop <name> # Stop one extra instance
slipstream-tunnel instance-restart <name> # Restart one extra instance
slipstream-tunnel instance-logs <name> [-f] # Logs for one extra instance
slipstream-tunnel instance-del <name> # Delete one extra instance
slipstream-tunnel menu      # Interactive monitoring menu (client/server)
sst                         # Short command for monitor menu
slipstream-tunnel speed-profile [fast|secure|status] # Toggle/check profile
slipstream-tunnel core-switch [dnstm|nightowl|plus] # Switch core in-place after install
slipstream-tunnel dnstm <subcommands...> # Pass-through to native dnstm manager (server+dnstm)
slipstream-tunnel auth-setup # Enable/update SSH auth overlay (server mode)
slipstream-tunnel auth-disable # Disable SSH auth overlay (server mode)
slipstream-tunnel auth-client-enable # Enable SSH auth overlay (client mode)
slipstream-tunnel auth-client-disable # Disable SSH auth overlay (client mode)
slipstream-tunnel auth-add   # Create SSH tunnel user
slipstream-tunnel auth-passwd # Change SSH tunnel user password
slipstream-tunnel auth-del   # Delete SSH tunnel user
slipstream-tunnel auth-list  # List SSH tunnel users
slipstream-tunnel uninstall # Remove everything
slipstream-tunnel remove    # Remove everything

Inside the menu, actions are grouped into compact submenus (monitoring, service, auth/profile) for both server and client. When the server core is dnstm, the menu includes a native manager submenu for router/tunnel/backend/ssh-users/update actions. The client menu also includes a DNSTM submenu for per-tunnel transport/profile management (slipstream/dnstt).

Multi-Instance Client

You can run multiple client tunnels on one machine (different local ports), for example:

  • 7001 -> Finland
  • 7002 -> Dubai
  • 7003 -> Netherlands

Example:

slipstream-tunnel instance-add finland
slipstream-tunnel instance-add dubai
slipstream-tunnel instance-list
slipstream-tunnel instance-status finland

Note: extra instances support both slipstream and dnstt transports (SSH auth overlay remains disabled).

Options

Option               Description
--domain             Tunnel domain (e.g., t.example.com)
--port               Server: target port / Client: listen port
--core               Core source: dnstm (default), nightowl, or plus
--dns-file           Custom DNS server list (skips subnet scan)
--dnscan             Path to dnscan tarball (offline mode)
--slipstream         Path to slipstream binary (offline mode)
--transport          Client transport: slipstream (default) or dnstt (dnstm core)
--dnstt-pubkey       Client transport=dnstt: DNSTT server public key (64 hex chars)
--dnstt-client       Client transport=dnstt: path to local dnstt-client binary
--slipstream-cert    Client transport=slipstream: optional pinned cert path
--dnstm-bin          Server: path to local dnstm binary (offline mode)
--dnstm-transport    Server (dnstm core): initial transport slipstream or dnstt
--dnstm-backend      Server (dnstm core): initial backend custom, socks, ssh, or shadowsocks
--dnstm-backend-tag  Server (dnstm core): initial backend tag
--dnstm-tunnel-tag   Server (dnstm core): initial tunnel tag
--dnstm-mode         Server (dnstm core): native router mode single or multi
--dnstm-ss-password  Server (dnstm core): optional initial Shadowsocks password
--dnstm-ss-method    Server (dnstm core): Shadowsocks method (default aes-256-gcm)
--manage-resolver    Allow server setup to edit resolver config
--ssh-auth           Server: enable SSH username/password auth overlay
--ssh-backend-port   Server: SSH daemon port behind slipstream when auth is enabled
--ssh-auth-client    Client: enable SSH username/password overlay
--ssh-user           Client: SSH username for auth overlay
--ssh-pass           Client: SSH password for auth overlay

How It Works

For A/B testing on a separate branch/environment:

slipstream-tunnel server --core dnstm --domain t.example.com
slipstream-tunnel client --core dnstm --domain t.example.com

Migrating Existing Hosts to New Default Core

If your server/client already has an older script/core installed, update and switch in-place:

curl -fL https://raw.githubusercontent.com/Recoba86/slipstream-tunnel-control/main/install.sh -o /usr/local/bin/slipstream-tunnel
chmod +x /usr/local/bin/slipstream-tunnel
hash -r
slipstream-tunnel core-switch dnstm

Run the same on both server and client hosts.
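
Both the Quick Start one-liners and the migration steps above run whatever the main branch serves at download time. The following is an added example (not part of this project) of a fetch, verify, then install flow; EXPECTED_SHA256 is a placeholder for a digest you record after reviewing a copy yourself, since the page publishes no checksum, and the function names are hypothetical.

```bash
# Added example, not part of the slipstream-tunnel project.
# Replaces "curl ... | sudo bash" with download, digest check, syntax check, install.
INSTALL_URL="https://raw.githubusercontent.com/Recoba86/slipstream-tunnel-control/main/install.sh"

# Return 0 only if file $1 is non-empty, hashes to $2, and parses as bash.
verify_installer() {
  vi_file="$1"; vi_want="$2"
  [ -s "$vi_file" ] || { echo "FAIL: empty or missing $vi_file" >&2; return 1; }
  vi_got="$(sha256sum "$vi_file" | awk '{print $1}')"
  if [ "$vi_got" != "$vi_want" ]; then
    echo "FAIL: sha256 $vi_got does not match the reviewed copy" >&2
    return 1
  fi
  # bash -n parses without executing, so a truncated download is caught here.
  bash -n "$vi_file" || { echo "FAIL: script does not parse" >&2; return 1; }
}

# Download to a temp file, verify it, and only then place it on PATH.
# $1 = digest you recorded (placeholder: EXPECTED_SHA256), $2 = destination.
fetch_and_install() {
  fi_want="$1"; fi_dest="${2:-/usr/local/bin/slipstream-tunnel}"
  fi_tmp="$(mktemp)" || return 1
  curl -fsSL "$INSTALL_URL" -o "$fi_tmp" \
    && verify_installer "$fi_tmp" "$fi_want" \
    && install -m 0755 "$fi_tmp" "$fi_dest"
  fi_rc=$?
  rm -f "$fi_tmp"
  return "$fi_rc"
}

# Usage (run as root): fetch_and_install "$EXPECTED_SHA256"
```

A digest mismatch after an upstream update means the script changed and needs a fresh review before the recorded value is replaced.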

Server Setup

  1. Guides Cloudflare DNS configuration (A + NS records)
  2. Verifies DNS with dig
  3. Auto-detects port 53 conflicts and attempts automatic safe remediation
  4. If core is dnstm: installs native dnstm, creates initial backend + tunnel, and starts native router
  5. If core is nightowl/plus: generates self-signed certificate, installs slipstream-server, and starts service
  6. Optional (legacy cores only): enables SSH auth overlay and creates tunnel users

Client Setup

  1. Prompts for transport (slipstream or dnstt) when core is dnstm
  2. Downloads required client binaries (slipstream client and/or dnstt-client), cached for reuse
  3. Prompts for tunnel listen port (default: 7000)
  4. For slipstream: runs dnscan verification flow; for dnstt: builds reachable resolver candidates
  5. Picks fastest resolver and starts the client service with the selected transport
  6. Optional (legacy cores): asks for SSH username/password and enables client SSH auth overlay
  7. Sets up 5-minute health checks + 30-second runtime watchdog and opens interactive monitor menu

Health & Recovery

  • Health check runs every 5 minutes via systemd timer
  • Runtime watchdog runs every 30 seconds via systemd timer
  • Tests current DNS server latency
  • If latency > 1000 ms, switches to a better server
  • If runtime errors or listener failures are detected, auto-restarts the client stack
  • Logs to ~/.tunnel/health.log
  • You can trigger checks manually with slipstream-tunnel health, slipstream-tunnel watchdog, or full rescan with slipstream-tunnel rescan
  • Use slipstream-tunnel dashboard or slipstream-tunnel menu for manual monitoring

SSH Auth Overlay

  • During server setup, you can enable SSH username/password overlay.
  • Script creates a dedicated SSH match-group (slipstream-tunnel) and tunnel users.
  • Tunnel users are restricted to port-forwarding rules (no normal shell access expected).
  • During client setup, you can enable SSH auth client mode and provide username/password.
  • Manage server users later with: auth-add, auth-passwd, auth-del, auth-list.
  • You can toggle overlays later with:
    • Server: auth-setup / auth-disable
    • Client: auth-client-enable / auth-client-disable

Note: on core dnstm, legacy SSH overlay commands are disabled because auth/backend handling is expected to be managed natively.
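
The overlay depends on the slipstream-tunnel match-group actually restricting its users to port forwarding. The following is an added example (not the installer's code) that audits an sshd_config for that block; the list of required directives is an assumed forward-only baseline, not the project's own, and the function names are hypothetical.

```bash
# Added example, not taken from the slipstream-tunnel installer.
# Audits the sshd "Match Group" block for the tunnel group. The required
# directives are an assumed forward-only baseline, not the project's own list.

# Emit "key value" (lowercased) for each directive inside "Match Group <grp>".
match_block() {  # $1 = sshd_config path, $2 = group name
  awk -v grp="$2" '
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    tolower($1) == "match" {                     # every Match line ends the previous block
      inblk = 0
      if (tolower($2) == "group") {
        n = split($3, g, ",")
        for (i = 1; i <= n; i++) if (g[i] == grp) inblk = 1
      }
      next
    }
    inblk { k = tolower($1); $1 = ""; sub(/^[ \t]+/, ""); print k, tolower($0) }
  ' "$1"
}

# Returns 0 = forward-only, 1 = findings printed, 2 = no Match block for the group.
audit_tunnel_group() {  # $1 = sshd_config path, $2 = group (default slipstream-tunnel)
  a_grp="${2:-slipstream-tunnel}"; a_rc=0
  a_blk="$(match_block "$1" "$a_grp")"
  [ -n "$a_blk" ] || { echo "FAIL: no 'Match Group $a_grp' block in $1"; return 2; }
  for a_want in "permittty no" "x11forwarding no" "allowagentforwarding no"; do
    printf '%s\n' "$a_blk" | grep -qxF "$a_want" || { echo "FAIL: missing '$a_want'"; a_rc=1; }
  done
  # A forced command keeps a password login from reaching an interactive shell.
  printf '%s\n' "$a_blk" | grep -q '^forcecommand ' || { echo "FAIL: no ForceCommand"; a_rc=1; }
  # PermitOpen defaults to "any"; a tunnel user should list explicit host:port targets.
  if ! printf '%s\n' "$a_blk" | grep -q '^permitopen ' ||
     printf '%s\n' "$a_blk" | grep -qx 'permitopen any'; then
    echo "FAIL: PermitOpen absent or 'any'"; a_rc=1
  fi
  [ "$a_rc" -eq 0 ] && echo "OK: $a_grp is forward-only"
  return "$a_rc"
}

# Constructed sample (not the installer's real output): a weak block to audit.
sample="$(mktemp)"
cat >"$sample" <<'EOF'
Match Group slipstream-tunnel
    AllowTcpForwarding yes
    PermitTTY no
    PermitOpen any
EOF
audit_tunnel_group "$sample" || echo "exit status: $?"
rm -f "$sample"
```

Point it at the file that holds the block on your server, for example /etc/ssh/sshd_config or a drop-in under /etc/ssh/sshd_config.d/.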

Native DNSTM Management

  • Server setup on core dnstm now installs/uses the native dnstm manager.
  • Initial native stack is created automatically (router install + initial backend + initial tunnel).
  • Client setup on core dnstm can run either slipstream or dnstt transport per tunnel/instance.
  • You can manage native features either from menu (Server Main Menu -> Native dnstm manager) or directly:
slipstream-tunnel dnstm router status
slipstream-tunnel dnstm tunnel list
slipstream-tunnel dnstm backend list
slipstream-tunnel dnstm ssh-users

Speed Profiles

  • slipstream-tunnel speed-profile secure: SSH overlay ON (more secure, more overhead)
  • slipstream-tunnel speed-profile fast: SSH overlay OFF (lower overhead, higher throughput)
  • slipstream-tunnel speed-profile status: show current profile

In fast profile, use the Iran client public port directly (usually 7000).

TCP Tuning (BBR)

  • Installer and edit flows attempt to enable bbr + fq automatically when kernel support exists.
  • Verify with:
    • sysctl net.ipv4.tcp_available_congestion_control
    • sysctl net.ipv4.tcp_congestion_control
    • sysctl net.core.default_qdisc

Files

~/.tunnel/
├── config          # Current configuration
├── servers.txt     # Working DNS servers from scan
├── health.log      # Health check history
└── dnscan/         # dnscan binary and data

x-ui Setup

After running the script on both server and client:

  1. Open x-ui panel on your server (3x-ui, x-ui, etc.)

  2. Create inbound listening on slipstream server port

    • Port: 2053 (or your --port value)
    • Protocol: VLESS/VMess/etc.
  3. Add external proxy to the inbound

    • Host: IP address of your Iran client machine
    • Port: 7000 (or your client --port value)
  4. Export config and use in your V2Ray app

Troubleshooting

Server: "DNS not configured"

  • Check Cloudflare DNS records
  • Wait 5 minutes for DNS propagation
  • Verify with: dig NS t.example.com

Client: "No DNS servers passed verification"

  • Is the server running? systemctl status slipstream-server
  • Is port 53 open on server?
  • Check server logs: journalctl -u slipstream-server -f

Client: "Cannot download"

About

Hardened Slipstream tunnel installer with manual DNS monitoring dashboard
