Covert UDP tunnel. Fragments traffic into 124-byte micro-frames. Evades DPI.
[App] → [SOCKS5:1080] → [sushStream Client] ══124B UDP══► [sushStream Server] → [Target]
Takes your traffic. Slices it into 73-byte encrypted chunks. Wraps in 7-byte header + 16-byte auth tag. Ships as 124-byte UDP datagrams. Looks like VoIP silence frames to DPI boxes.
# Build
cargo build --release
# Server (on your VPS)
./target/release/sush_daemon run --mode socks5 --bind 0.0.0.0:443 --secret "your-shared-secret"
# Client (on your machine)
./target/release/sush_daemon run --mode socks5 --server-ip YOUR_VPS_IP:443 --secret "your-shared-secret"
# Configure browser: SOCKS5 proxy → 127.0.0.1:1080Web UI at http://127.0.0.1:3000 - has stats and config export.
| Metric | Value |
|---|---|
| Micro-frame size | 124 bytes |
| Payload per frame | 73 bytes |
| Frames per 1280B packet | ~18 |
| Encryption | ChaCha20-Poly1305 |
| FEC | RaptorQ (adaptive 10-50%) |
| Survives packet loss | Up to 30% |
| Memory usage | ~7MB |
| CPU usage | ~3% |
- Replay protection: LRU nonce cache, 5-minute window, 100k entries
- DoS protection: 50 buffers max per source IP
- Zero-RTT auth: Wrong secret = silent drop (sush Mode)
- Header obfuscation: Sequence numbers XOR-masked with derived key
sush_daemon run [OPTIONS]
Options:
--mode <MODE> tun or socks5 [default: socks5]
--bind <ADDR> Server bind address [default: 0.0.0.0:8080]
--server-ip <ADDR> Remote server (client mode only)
--secret <KEY> Shared secret for encryption
--users-config <PATH> Path to users.toml [default: users.toml]
--port-seed <SEED> Enable port hopping with this seed
--base-port <PORT> Base port for hopping [default: 8080]
--time-step <SECS> Port rotation interval [default: 300]
sush_daemon generate-config --server <IP:PORT> --secret <KEY>
# Outputs SIP003-compatible import link# Linux (recommended)
cargo build --release
# Cross-compile to Windows
rustup target add x86_64-pc-windows-gnu
cargo build --release --target x86_64-pc-windows-gnuXDP kernel bypass (optional, Linux only):
# Requires: clang llvm libelf-dev
cargo build --release --features xdpsushwire/
├── sush_core/ # Protocol logic (fragmentation, crypto, FEC)
├── sush_daemon/ # Main binary (SOCKS5, TUN, Web UI)
├── sush_xdp/ # eBPF/XDP loader (optional)
├── sush_bench/ # Benchmarking tool
└── scripts/ # Test and deploy scripts
- Single-threaded I/O loop (good enough for ~100Mbps)
- XDP map updates are file-based, not live BPF map pinning
- No QUIC transport yet (raw UDP only)
- TUN mode requires root
MIT