xtex 6dd0ab81e6
ci/woodpecker/push/build Pipeline was successful
Update readme
2024-05-14 10:23:58 +00:00
.vscode Add rust-analyzer setting in VSCode and implement liveness check in PicoMux for geph5-exit 2024-04-01 14:26:29 -04:00
.woodpecker Add CI 2024-05-11 23:07:21 +08:00
binaries Remove unused import 2024-05-14 10:23:51 +00:00
contrib Generate checksums 2024-05-12 08:16:51 +08:00
libraries Merge https://github.com/geph-official/geph5 2024-05-14 10:18:14 +00:00
packaging/windows fix 2024-05-08 13:52:41 -04:00
.gitignore Remove Cargo.lock from .gitignore to track dependency lockfile changes 2024-03-04 20:54:55 -05:00
broker-setup.sh Update fastrand to 2.1.0, add cadence 1.4.0, implement stats tracking, and various code optimizations 2024-05-05 16:25:53 -04:00
Cargo.lock Merge https://github.com/geph-official/geph5 2024-05-14 10:18:14 +00:00
Cargo.toml Optimize artifact upload with matrix strategy, reduce log buffer to 300, set dev opt-level to 1, adjust logging, and improve log formatting 2024-04-22 17:52:54 -04:00
Containerfile Add CI 2024-05-11 23:07:21 +08:00
deploy-exit.sh Add auth handling, install dependencies, configure geph5-exit, and setup systemd services 2024-03-29 13:39:19 -04:00
gui-design.md fix 2024-04-01 19:26:30 -04:00
LICENSE Add CI 2024-05-11 23:07:21 +08:00
README.md Update readme 2024-05-14 10:23:58 +00:00


Wezen is a fork of Geph5 that provides some extra features.


  • Follow system settings for dark mode (upstream PR #5)
  • Newer dependencies (upstream PR #5)
  • Initialize database automatically, with a simple schema
  • Allow customizing mizaru's key count and key bits
  • Allow passing custom exit IP address (upstream PR #5)
  • Create mizaru keys directory if it does not exist (upstream PR #5)
  • Make PostgreSQL TLS encryption optional (upstream PR #5)


Geph5 is a major rewrite with a few big architectural differences from Geph4 that largely serve the goal of simplifying and massively cleaning up the design:


  • sosistab2, or anything similar that builds a reliable transport on unreliable pipes, is no longer used. Instead, obfuscated transports must themselves provide reliable transport. In practice, this means that everything is built on streams multiplexed over TCP, not on packets over UDP.
  • The client no longer has complex logic for intelligently hot-swapping pipes. This has proven to be difficult to achieve given diverse network environments, extremely inaccurate/sleepy phone clocks, etc. Instead, a session is started and used until it breaks, and another session is started, etc. With fast enough session creation, the only noticeable difference is that proxied TCP connections reset, which most applications handle gracefully.
  • The central authentication server is called the broker, not the binder. It also now uses a simple JSON-RPC API without end-to-end encryption, with integrity-critical responses having ed25519 signatures.
    • Instead of an implementation based on RSA blind signatures with a vast number of keys, mizaru2 will use some scheme that embeds a few unblinded bits in each anonymous credential, as well as exit-side noninteractive verification. The latter will greatly reduce load on the broker as well as connection latency, since exits no longer need to communicate with the broker for every new session.
  • The broker is in charge of communicating with bridges and exits to set up routes for users. Complex (number of bridges) * (number of exits) communication patterns are eliminated, and the broker can be easily used to generate routes for Earendil and similar software.
  • VPN mode is supported by tunneling through stream ("socks5") mode, but with support for intercepting traffic tun2socks-style instead.
  • We pervasively use config files rather than massive strings of command-line arguments.
  • We no longer use webviews for GUI. Instead, GUI clients are written in Rust and directly call protocol libraries.


The code is generally licensed under MPL 2.0. Low-level libraries useful to a wide variety of projects, such as the sillad framework, are generally licensed under the ISC license.

Code organization

Unlike Geph4, Geph5 is organized in a Cargo workspace, "monorepo"-style:

  • libraries/ contains library crates that may depend on each other. All of these crates also receive crates.io releases.
  • binaries/ contains binary crates.
    • geph5-client
    • geph5-exit
    • geph5-bridge
    • geph5-broker