Relay Node
Configuring intermediate relay nodes
A relay node (B) verifies the relay password from upstream, connects to the next hop, and forwards traffic transparently.
Running
```sh
trojan relay -c relay.toml
```
Configuration
```toml
[relay]
listen = "0.0.0.0:443"
transport = "tls" # Inbound: "tls" (default) or "plain"

[relay.auth]
password = "relay-password"

[relay.outbound]
sni = "crates.io" # Default outbound SNI

[relay.timeouts]
handshake_timeout_secs = 5
connect_timeout_secs = 10
idle_timeout_secs = 300
```
Options
| Option | Type | Default | Description |
|---|---|---|---|
| listen | string | required | Listen address |
| transport | string | "tls" | Inbound transport ("tls" or "plain") |
Auth
| Option | Type | Description |
|---|---|---|
| password | string | Relay authentication password (hashed with SHA-224) |
Outbound
| Option | Type | Description |
|---|---|---|
| sni | string | Default TLS SNI for outbound connections |
Timeouts
| Option | Type | Default | Description |
|---|---|---|---|
| handshake_timeout_secs | int | 5 | Relay handshake timeout |
| connect_timeout_secs | int | 10 | Outbound connection timeout |
| idle_timeout_secs | int | 300 | Idle connection timeout |
TLS Certificates
Relay nodes automatically generate self-signed certificates at startup using ECDSA P-256. No certificate files are needed.
To use specific certificates:
```toml
[relay.tls]
cert = "/path/to/cert.pem"
key = "/path/to/key.pem"
```
Certificate verification is skipped between relay nodes. Authentication relies on the relay password.
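Because the relay password is the only thing authenticating an upstream node, a pre-deployment check of `relay.toml` is worth having. The following is an added example, not code from the project: the finding names and the length and timeout thresholds are assumptions chosen for illustration.

```python
DOC_SAMPLE_PASSWORD = "relay-password"  # the placeholder value shown in the docs
MIN_PASSWORD_LEN = 16                   # assumed local policy, not a project rule
MAX_HANDSHAKE_SECS = 30                 # assumed local policy, not a project rule

def audit(cfg: dict) -> list[str]:
    """Return finding ids for a parsed relay config (a dict as tomllib returns)."""
    relay = cfg.get("relay", {})
    findings = []
    # Peers skip certificate verification, so the password is the only
    # thing authenticating an upstream node: check it first.
    password = relay.get("auth", {}).get("password", "")
    if not password:
        findings.append("missing-password")
    elif password == DOC_SAMPLE_PASSWORD:
        findings.append("sample-password")
    elif len(password) < MIN_PASSWORD_LEN:
        findings.append("short-password")  # SHA-224 is fast, short values are cheap to guess
    # "plain" means the relay handshake is not wrapped in TLS on this hop.
    if relay.get("transport", "tls") == "plain":
        findings.append("plain-inbound")
    # [relay.tls] is optional, but cert and key only make sense together.
    tls = relay.get("tls", {})
    if bool(tls.get("cert")) != bool(tls.get("key")):
        findings.append("tls-cert-key-mismatch")
    # A long handshake window lets unauthenticated peers hold sockets open.
    timeouts = relay.get("timeouts", {})
    if timeouts.get("handshake_timeout_secs", 5) > MAX_HANDSHAKE_SECS:
        findings.append("long-handshake-timeout")
    return findings

def audit_toml(text: str) -> list[str]:
    """Parse TOML text and audit it."""
    import tomllib  # standard library from Python 3.11
    return audit(tomllib.loads(text))

# Constructed inputs: the page's sample config with transport switched to
# "plain", and a corrected variant with a placeholder long password.
WEAK = ('[relay]\nlisten = "0.0.0.0:443"\ntransport = "plain"\n'
        '[relay.auth]\npassword = "relay-password"\n')
FIXED = ('[relay]\nlisten = "0.0.0.0:443"\ntransport = "tls"\n'
         '[relay.auth]\npassword = "<random-32-char-placeholder-value>"\n')

if __name__ == "__main__":
    print(audit_toml(WEAK))   # findings for the weak config
    print(audit_toml(FIXED))  # no findings expected
```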
How It Works
- Upstream connects (entry node or previous relay)
- Relay reads the handshake: password hash + target address + metadata
- Password is verified against the configured relay password
- Relay connects to the target address using the transport specified in metadata
- If the target is another relay, a new handshake is sent
- Bidirectional data relay begins
The relay node never sees the original Trojan protocol data — it only processes relay handshakes and forwards opaque bytes.