How to Configure Trojan Step by Step

What Trojan is and what you need before starting

Trojan is a lightweight, TLS-based proxy protocol often used to create an encrypted tunnel between a client and a server. It intentionally looks like ordinary TLS traffic to improve privacy and reduce detection risk compared with naked proxy protocols. Before you begin, make sure you have a legal, appropriate use case and the necessary components: a VPS with a public IPv4 address, a domain name that points to that VPS, root or sudo access on the server, and a valid TLS certificate (Let’s Encrypt is commonly used). Also decide whether you will use the original Trojan implementation or trojan-go (they share the same conceptual workflow but have different binaries and config syntaxes).

High-level steps

Configuring Trojan typically follows the same flow: prepare the server OS, install and configure a web server if you want to use a reverse proxy (optional but common for certificate management), obtain a TLS certificate, install the Trojan server binary, create a secure configuration file and systemd unit, open firewall ports, then configure the client with matching parameters and test the connection. The rest of this guide walks through each phase with examples and sensible defaults.

1) Prepare the server

Start with a maintained Linux distribution such as Ubuntu LTS or Debian. Keep the system updated and install the common packages you will need (nginx, certbot, unzip, curl). If you expect multiple services on the same host, plan ports and virtual hosts in advance. Below is a typical sequence for Ubuntu/Debian; adapt the package manager commands for other distros.

sudo apt update
sudo apt upgrade -y
sudo apt install -y nginx certbot python3-certbot-nginx unzip curl

2) Point your domain and obtain TLS certificate

Add an A record in your DNS control panel pointing your chosen domain (e.g., proxy.example.com) to the server’s IP. Wait for DNS to propagate, then use Certbot to request a certificate. Using the Nginx plugin lets Certbot configure renewal hooks automatically. If you prefer a standalone method, stop nginx temporarily and use certbot certonly --standalone.

sudo certbot --nginx -d proxy.example.com
# or, if using standalone:
# sudo systemctl stop nginx
# sudo certbot certonly --standalone -d proxy.example.com
# sudo systemctl start nginx

Certbot stores certificates under /etc/letsencrypt/live/yourdomain/; you will reference the cert and key paths in the Trojan configuration.

3) Install the Trojan server

Download the official Trojan or trojan-go release for your architecture. For trojan-go, grab the latest binary, unpack it, move it to /usr/local/bin and set executable permissions. Always verify checksums/signatures if available.

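# Example for trojan-go (replace with desired release and arch)
# RELEASE_URL is a placeholder: set it to the .zip asset URL for your
# architecture, taken from the project's release page.
# -f makes curl fail on an HTTP error instead of saving the error page as the zip.
curl -fsSL -o trojan-go.zip "$RELEASE_URL"
unzip trojan-go.zip
sudo mv trojan-go /usr/local/bin/
sudo chmod +x /usr/local/bin/trojan-go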
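
One way to carry out the checksum verification mentioned above, as an added example that is not part of the original guide. The expected digest is whatever the project publishes alongside the release; verify_sha256 and install_verified are names made up for this illustration.

```shell
#!/usr/bin/env bash
# Added example: refuse to install a release archive whose SHA-256 does not
# match the published value. Function names are illustrative.

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 when the input itself is unusable.
verify_sha256() {
    local file="$1" expected actual
    # Published digests are sometimes upper-case; compare in lower-case.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # A truncated or mistyped digest must not be treated as a mismatch to "fix".
    case $expected in
        *[!0-9a-f]*) echo "malformed digest" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed digest" >&2; return 2; }
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file: got $actual" >&2
        return 1
    fi
}

# install_verified ZIP EXPECTED_HEX
# Unpacks into a scratch directory and installs only after the check passes.
install_verified() {
    local zip="$1" workdir rc
    verify_sha256 "$zip" "$2" || return
    workdir=$(mktemp -d) || return
    unzip -q "$zip" -d "$workdir" &&
        sudo install -o root -g root -m 0755 "$workdir/trojan-go" /usr/local/bin/trojan-go
    rc=$?
    rm -rf "$workdir"
    return "$rc"
}

# Usage: install_verified trojan-go.zip "<digest from the release page>"
```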

4) Create a secure Trojan config (server side)

Trojan uses a JSON config file that contains TLS paths, password(s), and port bindings. Use a long, random password string (treat it like a credential), and set the certificate and key paths to the files issued by Certbot. Example minimal trojan-go server configuration (adjust fields to your environment):

{
  "run_type": "server",
  "local_addr": "0.0.0.0",
  "local_port": 443,
  "remote_addr": "127.0.0.1",
  "remote_port": 80,
  "password": ["YOUR_STRONG_PASSWORD_HERE"],
  "ssl": {
    "cert": "/etc/letsencrypt/live/proxy.example.com/fullchain.pem",
    "key": "/etc/letsencrypt/live/proxy.example.com/privkey.pem",
    "sni": "proxy.example.com"
  }
}

Save this file in a secure location such as /etc/trojan-go/config.json and restrict permissions so only root can read it (chmod 600).
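
An added example (not from the original guide or the trojan-go project) that generates the password and writes the configuration above so the file is owner-only from the moment it exists, then checks the result. The function names are illustrative, and stat -c assumes GNU coreutils as found on Ubuntu/Debian.

```shell
#!/usr/bin/env bash
# Added example: create the secret and the server config without ever leaving
# the file readable by other users. Function names are illustrative.

# gen_password: 32 bytes from the kernel CSPRNG, printed as 64 hex characters.
gen_password() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# write_server_config PATH DOMAIN PASSWORD
# mktemp creates its file with mode 0600, so the secret is never exposed, and
# mv then replaces any older (possibly looser) config in one step.
write_server_config() (
    tmp=$(mktemp "$1.XXXXXX") || exit 1
    cat > "$tmp" <<EOF
{
  "run_type": "server",
  "local_addr": "0.0.0.0",
  "local_port": 443,
  "remote_addr": "127.0.0.1",
  "remote_port": 80,
  "password": ["$3"],
  "ssl": {
    "cert": "/etc/letsencrypt/live/$2/fullchain.pem",
    "key": "/etc/letsencrypt/live/$2/privkey.pem",
    "sni": "$2"
  }
}
EOF
    mv -f -- "$tmp" "$1"
)

# audit_config PATH: print findings; return 0 only when there are none.
audit_config() {
    local path="$1" mode rc=0
    mode=$(stat -c '%a' "$path") || return 2
    if [ "$mode" != 600 ]; then
        echo "mode is $mode, expected 600"; rc=1
    fi
    if grep -q 'YOUR_STRONG_PASSWORD_HERE' "$path"; then
        echo "placeholder password still in use"; rc=1
    fi
    return "$rc"
}

# Usage on the server, as root:
#   write_server_config /etc/trojan-go/config.json proxy.example.com "$(gen_password)"
#   audit_config /etc/trojan-go/config.json
```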

5) Create a systemd service and enable autostart

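Using systemd makes management straightforward. Create a unit file such as /etc/systemd/system/trojan-go.service that starts the binary with your config. The example runs the service as root, which lets it bind port 443 and read the Certbot private key without further setup; running it under a dedicated user instead requires granting the CAP_NET_BIND_SERVICE capability and read access to the key. Example unit: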

[Unit]
Description=trojan-go service
After=network.target

[Service]
Type=simple
User=root
ExecStart=/usr/local/bin/trojan-go -config /etc/trojan-go/config.json
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target

Enable and start the service:

sudo systemctl daemon-reload
sudo systemctl enable --now trojan-go
sudo systemctl status trojan-go

6) Firewall and port considerations

Open the port you configured (typically 443) and optionally limit SSH to a different port or specific IPs. If using ufw:

sudo ufw allow 443/tcp
sudo ufw allow openssh
sudo ufw enable

Confirm the service binds to the expected interface and port with ss or netstat. If you run other services on 443 (for example, a web server), you can reverse-proxy through Nginx to the trojan backend or use SNI routing approaches; Nginx can serve an innocuous site and proxy the TLS stream to trojan if configured carefully.

7) Configure the client

Clients need a matching password, the server domain or IP, and the TLS settings. Many GUI clients exist (trojan-qt5, v2rayN with a Trojan plugin, or trojan-go client). A typical JSON for a trojan client:

{
  "run_type": "client",
  "local_addr": "127.0.0.1",
  "local_port": 1080,
  "remote_addr": "proxy.example.com",
  "remote_port": 443,
  "password": ["YOUR_STRONG_PASSWORD_HERE"],
  "ssl": {
    "sni": "proxy.example.com"
  }
}

After starting the client, point your applications to 127.0.0.1:1080 (SOCKS5) or configure system-level proxying through a tool like proxychains, redsocks, or your OS proxy settings. Some GUI clients offer a system proxy auto-setup.

8) Test the connection and troubleshoot

Basic tests include verifying the client can establish a TLS handshake and browse to a simple site. On the client, check logs for connection success messages. On the server, use journalctl -u trojan-go -f to view runtime logs. Common issues and quick checks:

  • Certificate errors: confirm cert paths in the server config and that the cert covers the domain used by the client.
  • Port closed: verify firewall rules and that the service is listening on the expected port (ss -tlnp).
  • Password mismatch: ensure both client and server have identical password strings.
  • DNS problems: ensure the client resolves proxy.example.com to the server IP (use nslookup/dig).
  • Conflicts with Nginx: if both Nginx and trojan use 443, either use different ports, configure Nginx to proxy TLS to trojan, or let trojan handle TLS and proxy HTTP/S through another virtual host.

Security and maintenance tips

Treat Trojan credentials and certificate private keys carefully: set strict file permissions and rotate passwords periodically. Keep the server OS and the trojan binary up to date, and monitor logs for suspicious activity. Enable automatic certificate renewals via Certbot (certbot renew runs from a system cron or systemd timer) and ensure any renewal hooks that reload the trojan service are in place if you rely on new certificates.
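
A Certbot deploy hook for the renewal step mentioned above, as an added example rather than part of the original guide. RENEWED_LINEAGE is set by Certbot when it runs deploy hooks; the script file name, the handle_renewal function and the RESTART_CMD override are assumptions of this example.

```shell
#!/bin/sh
# Added example: Certbot deploy hook, e.g. saved (executable) as
# /etc/letsencrypt/renewal-hooks/deploy/restart-trojan-go.sh (name is an assumption).
# Certbot runs deploy hooks once per renewed certificate and sets
# RENEWED_LINEAGE to that certificate's live directory.

# Certificate directory referenced by the trojan-go config in this guide.
TROJAN_LINEAGE="${TROJAN_LINEAGE:-/etc/letsencrypt/live/proxy.example.com}"
# Overridable so the logic can be exercised without touching systemd.
RESTART_CMD="${RESTART_CMD:-systemctl restart trojan-go}"

# handle_renewal LINEAGE
# Restarts the service only when its own certificate was renewed.
handle_renewal() {
    lineage="${1%/}"
    if [ "$lineage" != "$TROJAN_LINEAGE" ]; then
        echo "skip: $lineage is not used by trojan-go"
        return 0
    fi
    # Do not restart onto a missing or empty pair: the service would fail
    # its TLS setup and stay down until someone notices.
    for f in fullchain.pem privkey.pem; do
        if [ ! -s "$lineage/$f" ]; then
            echo "error: $lineage/$f missing or empty" >&2
            return 1
        fi
    done
    $RESTART_CMD && echo "restarted trojan-go after renewal of $lineage"
}

# Certbot sets RENEWED_LINEAGE; when it is absent (manual run), do nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    handle_renewal "$RENEWED_LINEAGE"
fi
```

A restart drops active connections, so expect a brief interruption each time the certificate is renewed.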

Summary

Setting up Trojan involves preparing a VPS and domain, obtaining a valid TLS certificate, installing the chosen Trojan binary, writing a secure JSON configuration on both server and client sides, enabling the service under systemd, and opening the required ports. Careful attention to certificate paths, matching credentials, and firewall configuration will prevent most common issues. Always use the setup responsibly and in compliance with local laws and acceptable use policies.

FAQs

Is Trojan legal to use?

Legality depends on your jurisdiction and how you use it. Trojan is a privacy/proxy tool; using it for legitimate privacy, testing, or secure access is typically legal, but bypassing laws, sanctions, or committing illicit activities is not. Check local regulations and terms of service for networks you connect to.

Can I use Let’s Encrypt certificates with Trojan?

Yes. Certbot-issued certificates (stored in /etc/letsencrypt/live/yourdomain/) are commonly used. Point the “cert” and “key” fields in the Trojan config to the fullchain.pem and privkey.pem files respectively. Ensure renewals are handled and the service reloads when certificates change.

Do I need Nginx or can Trojan handle TLS directly?

Trojan can handle TLS directly without Nginx. Nginx is useful if you want to host regular websites, have complex virtual hosting requirements, or prefer Certbot’s nginx plugin for certificate issuance with fewer steps. If both run on port 443, you must coordinate ports, use SNI-based routing, or proxy traffic appropriately.

How do I secure the server beyond the basic setup?

Use strong, unique passwords, restrict file permissions for config and keys, enable automatic updates where feasible, limit SSH access, employ intrusion detection or log monitoring, and consider fail2ban to reduce brute-force risk. Regularly review logs and update the trojan binary when releases address security issues.

Where can I find official releases and documentation?

Refer to the project’s official GitHub repository and release pages for downloads and documentation (look for trojan, trojan-go, or the client projects). Always download binaries from trusted sources and verify release signatures or checksums when provided.
