Instructions for using ZloyTrinity

Overview

ZloyTrinity is a networking tool for proxy makers with real p0f fingerprint spoofing at all stages of the connection. It uses a TUN interface to modify TCP traffic according to specified profiles. Optionally, it can run 3proxy bound to the tun interface to provide a SOCKS/HTTP proxy.

Command Line Options

zloytrinity [options]

Available Flags

  • -h — Show help
  • -v — Show version
  • -c <path> — Path to the configuration file (default: config.yml)
  • -l <level> — Logging level (default: 0)

Configuration

Create a config.yml file with the following settings:

  • id — string identifier of the configuration. If multiple instances of ZloyTrinity are run on the system, each instance must have its own identifier.
  • 3proxy — settings for the 3proxy server:
    • config_path — path to the 3proxy configuration file
    • enabled — flag to enable/disable 3proxy (if false, 3proxy will not start)
    • rewrite_config — flag to overwrite the configuration file (if false, ZloyTrinity will not attempt to overwrite the 3proxy configuration file, and you can use your own configuration)
    • socks_port — SOCKS proxy port (uint16) for generating the 3proxy config
    • work_dir — 3proxy working directory
    • internal_interface — name of the internal network interface for generating the 3proxy config (must match tun_name from the level above)
    • external_interface — name of the external network interface for generating the 3proxy config (must match uplink_interface from the level above)
  • tun_name — TUN interface name
  • tun_addrs — IP address settings for the TUN interface:
    • ipv4_enabled — flag to enable IPv4
    • ipv4_internal — internal IPv4 address of the TUN interface (outgoing TCP connections will come from this address)
    • IpV4System — system IPv4 address (which is assigned to the tun interface on the system side)
    • ipv6_enabled — flag to enable IPv6
    • ipv6_ndp — flag to enable NDP (Neighbor Discovery Protocol) for IPv6. Required if ndppd is not configured in the system.
    • ipv6_internal — internal IPv6 address of the TUN interface (outgoing TCP connections will come from this address)
    • ipv6_system — system IPv6 address (which is assigned to the tun interface on the system side)
  • os_profile — TCP connection modification profile
  • uplink_interface — name of the network interface for the outgoing connection
  • web_listen_addr - address and port for the web API interface (e.g., 127.0.0.1:8080)

Running

# Basic usage with the default config
zloytrinity

# Specify your own config
zloytrinity -c /path/to/config.yml

# Enable verbose logging
zloytrinity -l 1 -c config.yml

Stopping

Press Ctrl+C or send a SIGTERM signal to shut down gracefully. The tool will:
- Close the TUN file descriptor
- Remove the TUN interface
- Stop 3proxy, if it was running

API

The web_listen_addr parameter in the configuration file is mandatory: it is the address:port on which the web API will listen.

Currently, the API has no authorization, so anyone who can reach web_listen_addr can read and change the OS profile. For security purposes, it is recommended to specify a local address and not to grant proxy or VPN users access to local addresses.

Available endpoints:
- /ping - check service availability
- /api/os_profile - get the current OS profile
- /api/os_profile?profile=macos - set the OS profile (not saved in the config)
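
A pre-start check for the constraints stated above (unique id per instance, 3proxy interface names matching tun_name and uplink_interface, web API bound to a local address). This is an added example, not part of ZloyTrinity; the function names, finding labels and sample values are assumptions made for illustration.

```python
import ipaddress

def is_loopback_listen(addr):
    """True only when the host part of 'host:port' is a literal loopback IP."""
    host, _, port = addr.rpartition(":")
    if not port.isdigit():
        return False
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        # Empty host or a hostname: cannot be proven local, so flag it.
        return False

def lint_instances(configs):
    """configs: one dict per instance, as parsed from its config.yml."""
    findings, seen_ids = [], set()
    for n, cfg in enumerate(configs):
        if cfg.get("id") in seen_ids:
            findings.append((n, "duplicate-id"))
        seen_ids.add(cfg.get("id"))
        # The web API has no authorization, so it should not leave loopback.
        if not is_loopback_listen(str(cfg.get("web_listen_addr", ""))):
            findings.append((n, "web-api-not-loopback-ip"))
        proxy = cfg.get("3proxy") or {}
        if proxy.get("enabled"):
            # The page requires these to match the top-level interface names.
            if proxy.get("internal_interface") != cfg.get("tun_name"):
                findings.append((n, "internal-interface-mismatch"))
            if proxy.get("external_interface") != cfg.get("uplink_interface"):
                findings.append((n, "external-interface-mismatch"))
    return findings

# Constructed sample data (not taken from the project's example directory).
SAMPLE = [
    {"id": "00", "tun_name": "tun0", "uplink_interface": "eth0",
     "web_listen_addr": "127.0.0.1:8080",
     "3proxy": {"enabled": True, "internal_interface": "tun0",
                "external_interface": "eth0"}},
    {"id": "00", "tun_name": "tun1", "uplink_interface": "eth0",
     "web_listen_addr": "0.0.0.0:8081",
     "3proxy": {"enabled": True, "internal_interface": "tun0",
                "external_interface": "eth0"}},
]

if __name__ == "__main__":
    for index, finding in lint_instances(SAMPLE):
        print(f"instance #{index}: {finding}")
```

To run it against real files, pass in the dicts produced by a YAML parser such as yaml.safe_load from PyYAML.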

Running multiple instances via systemd

An example configuration is provided in the example directory. It assumes that the ZloyTrinity executable is located in /usr/local/sbin/ and that its configuration and the 3proxy configurations are in /srv/zloytrinity/.

After the configuration is copied to the server and adapted to your needs, enable the systemd service and start the instances:

systemctl daemon-reload

systemctl enable --now zloytrinity@00.service
systemctl enable --now zloytrinity@01.service
...

Viewing logs:

journalctl -f -u zloytrinity@00.service -u zloytrinity@01.service

FAQ

Check traffic passing through zloytrinity

Using interface binding:

curl -v --interface tun0 https://www.google.com

Using 3proxy (if you enabled it, for example on port 1080):

curl -v -x socks5://127.0.0.1:1080 https://www.google.com

Using 3proxy (if you enabled it, for example on port 1080) with domain name resolution on the proxy side:

curl -v -x socks5h://127.0.0.1:1080 https://www.google.com

ipv4_enabled=false ipv6_enabled=true

In this mode, zloytrinity allows IPv6 to pass, but does not allow IPv4.

How to make a curl request specifically using IPv6

If you are just using interface binding, you can simply use the -6 flag:

curl -6 -v --interface tun0 https://www.google.com

If you are using a proxy, you first need to find out the IPv6 address of the domain:

host -t AAAA www.google.com
curl -v -x socks5://127.0.0.1:1080 --resolve "www.google.com:443:[2607:f8b0:4004:c1b::93]" https://www.google.com

Or simply use SOCKS5H, so that name resolution happens on the proxy side (the proxy must be configured to prefer IPv6 when resolving):

curl -v -x socks5h://127.0.0.1:1080 https://www.google.com

curl works, but almost nothing opens in the browser (via proxy)

The two most likely causes are:

  1. Your browser is trying to connect to IPv4 addresses through the proxy, while IPv4 is disabled at the zloytrinity level.
    You need to somehow force it to send IPv6 addresses or domain names to the proxy. On macOS, I managed to achieve this only by obtaining an IPv6 address and disabling the default IPv4 route.
  2. The website address or its individual components (redirects, CDN, API, fonts, analytics) do not have AAAA records, causing the page load to partially or completely break.