Trojan — mihomo
mihomo speaks Trojan on both sides. The outbound supports tcp, ws, and grpc transports with TLS, REALITY, and ECH wrappers, plus the trojan-go compatible ss-opts layer that adds an inner Shadowsocks cipher on top of the Trojan password handshake.
Outbound
Entry under proxies: with type: trojan. Embeds BasicOption (common outbound fields).
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
name | string | (required) | <string> | Unique proxy name. |
server | string | (required) | <host> | Upstream server hostname or IP. |
port | int | (required) | <port> | Upstream server port. |
password | string | (required) | <string> | Trojan password. |
alpn | []string | [] | h2 | http/1.1 | ALPN list offered during TLS handshake. |
sni | string | (server name) | <SNI> | TLS Server Name Indication. Defaults to `server`. |
skip-cert-verify | bool | false | true | false | Disable TLS verification (test only). |
fingerprint | string | (unset) | <SHA256 hex> | Pin the server's TLS certificate to this fingerprint. |
certificate | string | (unset) | <PEM file path> | Client certificate (mTLS). |
private-key | string | (unset) | <key file path> | Private key matching `certificate`. |
udp | bool | false | true | false | Allow UDP packets to be relayed through this outbound. |
network | string | tcp | tcp | ws | grpc | Underlying transport. |
ech-opts | ECHOptions | (disabled) | ECHOptions | Encrypted Client Hello configuration. |
reality-opts | RealityOptions | (disabled) | RealityOptions | REALITY client configuration. |
grpc-opts | GrpcOptions | (unset) | GrpcOptions | Settings for `network: grpc`. |
ws-opts | WSOptions | (unset) | WSOptions | Settings for `network: ws`. |
ss-opts | TrojanSSOption | (disabled) | TrojanSSOption | Optional Shadowsocks-over-Trojan layer (trojan-go style). |
client-fingerprint | string | (global) | chrome | firefox | safari | ios | edge | random | randomized | uTLS client-hello fingerprint. |
Source: adapter/outbound/trojan.go:38-58 · pinned at v1.19.27 (5184081)
ss-opts
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
enabled | bool | false | true | false | Wrap the Trojan stream in an additional Shadowsocks layer. |
method | string | (unset) | aes-128-gcm | aes-256-gcm | chacha20-ietf-poly1305 | Shadowsocks AEAD cipher used for the inner layer. |
password | string | (unset) | <string> | Password for the inner Shadowsocks layer (separate from the outer Trojan password). |
Source: adapter/outbound/trojan.go:61-65 · pinned at v1.19.27 (5184081)
Inbound
Entry under listeners: with type: trojan. Embeds BaseOption (listen, port).
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
users | []TrojanUser | (required) | [TrojanUser] | Accepted clients. |
ws-path | string | (unset) | /<path> | WebSocket path served on this listener. |
grpc-service-name | string | (unset) | <name> | gRPC service name accepted on this listener. |
certificate | string | (unset) | <PEM file path> | TLS server certificate. |
private-key | string | (unset) | <key file path> | TLS private key. |
client-auth-type | string | (none) | no-client-cert | request-client-cert | require-any-client-cert | verify-client-cert-if-given | require-and-verify-client-cert | Mutual-TLS client-auth mode. |
client-auth-cert | string | (unset) | <PEM file path> | CA bundle accepted as client roots. |
ech-key | string | (unset) | <ECH config> | Encrypted Client Hello material. |
allow-insecure | bool | false | true | false | Skip TLS client-certificate verification on the listener (testing only). |
reality-config | RealityConfig | (disabled) | RealityConfig | REALITY server configuration. |
mux-option | MuxOption | (disabled) | MuxOption | Multiplex settings (sing-style mux). |
ss-option | TrojanSSOption | (disabled) | TrojanSSOption | Shadowsocks-over-Trojan compat layer (must match outbound `ss-opts`). |
Source: listener/inbound/trojan.go:12-26 · pinned at v1.19.27 (5184081)
users[]
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
username | string | (unset) | <string> | Display name. |
password | string | (required) | <string> | Trojan password. |
Source: listener/inbound/trojan.go:28-31 · pinned at v1.19.27 (5184081)
Examples
Outbound — plain Trojan with TLS:
yaml
proxies:
- name: trojan-srv
type: trojan
server: example.com
port: 443
password: <password>
sni: example.com
udp: true
alpn: [h2, http/1.1]Outbound — Trojan over WebSocket with trojan-go ss-opts:
yaml
proxies:
- name: trojan-go
type: trojan
server: example.com
port: 443
password: <outer-password>
udp: true
network: ws
sni: example.com
ws-opts:
path: /tj
ss-opts:
enabled: true
method: aes-128-gcm
password: <inner-password>Inbound under listeners:
yaml
listeners:
- name: trojan-in
type: trojan
listen: 0.0.0.0
port: 443
users:
- username: alice
password: <password>
certificate: /etc/mihomo/server.crt
private-key: /etc/mihomo/server.keyNotes
ss-optsimplements the trojan-go pattern of stacking Shadowsocks AEAD inside the Trojan stream. The outer Trojan password authenticates the handshake; the inner Shadowsocks key encrypts the payload. The inbound'sss-optionblock must match the outbound'sss-optsexactly (enabled,method,password) or the inbound rejects the client.- mihomo has no equivalent of Xray's
fallbacks[]or sing-box'sfallback_for_alpn. For HTTP fallback behavior, terminate TLS in front of mihomo with a separate reverse proxy. - The outbound's
client-fingerprintis a per-proxy uTLS override. The global default isglobal-client-fingerprint.
Cross-core notes
- Xray uses
clients[]for inbound users, supports a list-formfallbacks[]chain, and rejects any non-emptyflowvalue. See Trojan — Xray-core. - sing-box uses
users[](name/password), and replaces the fallback list with a single defaultfallbackplus a per-ALPNfallback_for_alpnmap. See Trojan — sing-box.
Source: adapter/outbound/trojan.go:38-65 · v1.19.27 (5184081)