Trojan Rust

Configuration

Client configuration reference

Running the Client

With a Config File

trojan client -c client.toml

With CLI Options

trojan client \
  --listen 127.0.0.1:1080 \
  --remote trojan.example.com:443 \
  --password "your-password"

CLI options override config file values when both are provided.

Full Configuration

[client]
listen = "127.0.0.1:1080"               # Local SOCKS5 listen address
remote = "trojan.example.com:443"        # Remote trojan-server address
password = "my-secret-password"          # Password (plaintext, hashed at runtime)

[client.tls]
# sni = "trojan.example.com"            # SNI (auto-extracted from remote by default)
alpn = ["h2", "http/1.1"]               # ALPN protocols
skip_verify = false                      # Skip TLS certificate verification (debug only)
# ca = "/path/to/custom-ca.pem"         # Custom CA certificate

[client.tcp]
no_delay = true                          # Disable Nagle's algorithm
keepalive_secs = 300                     # TCP keepalive interval in seconds (0 to disable)

[logging]
level = "info"

Options

Option    Type    Default   Description
listen    string  required  Local SOCKS5 listen address
remote    string  required  Remote trojan-server host:port
password  string  required  Password (hashed with SHA-224 at runtime)

TCP Options

Option          Type  Default  Description
no_delay        bool  true     Disable Nagle's algorithm
keepalive_secs  int   300      TCP keepalive interval (0 to disable)

Supported Proxy Modes

TCP CONNECT

Standard TCP proxying via SOCKS5 CONNECT command. The client:

  1. Completes SOCKS5 handshake with the application
  2. Establishes TLS connection to the Trojan server
  3. Sends Trojan header with password hash and destination address
  4. Relays data bidirectionally

The first data packet is bundled with the Trojan header to reduce latency and minimize traffic fingerprinting.

UDP ASSOCIATE

UDP proxying via SOCKS5 UDP ASSOCIATE. Used for DNS queries and other UDP traffic. The client:

  1. Binds a local UDP socket
  2. Establishes TLS connection to the Trojan server
  3. Relays UDP packets between the local socket and the Trojan TCP stream
  4. Closes when the SOCKS5 TCP control connection drops

Non-fragmented UDP only (FRAG=0x00). Fragmented packets are dropped.
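
The FRAG rule above, as an added example that is not code from the Trojan Rust project: a std-only parser for the SOCKS5 UDP request header (RFC 1928, section 7) that rejects any datagram whose FRAG byte is not 0x00, along with truncated or malformed headers. The names `parse_udp_request`, `Dest` and `UdpError` are hypothetical, and the sample datagrams are constructed.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

#[derive(Debug, PartialEq)]
pub enum Dest { Ip(IpAddr), Domain(String) }

#[derive(Debug, PartialEq)]
pub enum UdpError { Truncated, Fragmented(u8), BadAddrType(u8), BadDomain }

/// Parse one SOCKS5 UDP request datagram (hypothetical helper).
/// Layout: RSV(2) | FRAG(1) | ATYP(1) | DST.ADDR | DST.PORT(2) | DATA
pub fn parse_udp_request(buf: &[u8]) -> Result<(Dest, u16, &[u8]), UdpError> {
    if buf.len() < 4 { return Err(UdpError::Truncated); }
    // Only FRAG=0x00 is relayed; reject before touching the address fields.
    if buf[2] != 0x00 { return Err(UdpError::Fragmented(buf[2])); }
    let (dest, rest) = match buf[3] {
        0x01 => { // IPv4: 4 address bytes
            let a = buf.get(4..8).ok_or(UdpError::Truncated)?;
            (Dest::Ip(IpAddr::V4(Ipv4Addr::new(a[0], a[1], a[2], a[3]))), &buf[8..])
        }
        0x04 => { // IPv6: 16 address bytes
            let mut a = [0u8; 16];
            a.copy_from_slice(buf.get(4..20).ok_or(UdpError::Truncated)?);
            (Dest::Ip(IpAddr::V6(Ipv6Addr::from(a))), &buf[20..])
        }
        0x03 => { // Domain: 1 length byte, then that many name bytes
            let len = *buf.get(4).ok_or(UdpError::Truncated)? as usize;
            let raw = buf.get(5..5 + len).ok_or(UdpError::Truncated)?;
            let name = std::str::from_utf8(raw).map_err(|_| UdpError::BadDomain)?;
            if name.is_empty() { return Err(UdpError::BadDomain); }
            (Dest::Domain(name.to_owned()), &buf[5 + len..])
        }
        other => return Err(UdpError::BadAddrType(other)),
    };
    // Port is big-endian; whatever follows it is the payload to relay.
    let port = rest.get(..2).ok_or(UdpError::Truncated)?;
    Ok((dest, u16::from_be_bytes([port[0], port[1]]), &rest[2..]))
}

fn main() {
    // Constructed sample: datagram to 8.8.8.8:53 carrying the payload "hi".
    let ok = [0, 0, 0x00, 0x01, 8, 8, 8, 8, 0, 53, b'h', b'i'];
    println!("{:?}", parse_udp_request(&ok));
    // Same bytes with FRAG=0x01: dropped as a fragment.
    let mut frag = ok;
    frag[2] = 0x01;
    println!("{:?}", parse_udp_request(&frag));
}
```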

Error Handling

  • Individual connection errors are logged and the connection is closed without affecting other connections
  • TLS handshake timeout: 10 seconds
  • DNS resolution failure returns SOCKS5 error code 0x04 (Host unreachable)
