The easiest way to connect is using dnstc (DNS Tunnel Client). Generate a shareable URL on the server and import it on the client:
# On the server — generate a shareable URL
sudo dnstm tunnel share -t my-tunnel
# For SSH backend tunnels, include credentials
sudo dnstm tunnel share -t my-tunnel --user tunnel-user --password secretThis outputs a dnst:// URL containing all connection info (transport, domain, certificates/keys, backend credentials).
# On the client — import and connect
dnstc tunnel import dnst://...
dnstc upFor manual client setup without dnstc, follow the sections below.
Download client binaries:
- slipstream-client
- dnstt-client
- sslocal (for Shadowsocks)
Get connection details from the server:
dnstm tunnel status <name>This shows:
- Domain
- Port
- Certificate fingerprint (Slipstream)
- Public key (DNSTT)
- Password and method (Shadowsocks)
Certificate and key files are stored per-tunnel on the server:
- Slipstream certificates:
/etc/dnstm/tunnels/<tag>/cert.pem - DNSTT public keys:
/etc/dnstm/tunnels/<tag>/server.pub
# On server
dnstm tunnel status <name>Note the domain, password, and encryption method.
scp root@server:/etc/dnstm/tunnels/<tag>/cert.pem ./cert.pem# Start slipstream tunnel (creates local TCP port)
slipstream-client -d DOMAIN -r 8.8.8.8:53 --cert cert.pem -l 5201 &
# Connect sslocal through the tunnel
sslocal -s 127.0.0.1:5201 -k "PASSWORD" -m METHOD -b 127.0.0.1:1080curl -x socks5h://127.0.0.1:1080 https://httpbin.org/ipscp root@server:/etc/dnstm/tunnels/<tag>/cert.pem ./cert.pemslipstream-client -d DOMAIN -r 8.8.8.8:53 --cert cert.pem -l 1080The tunnel acts directly as a SOCKS5 proxy (connects to microsocks on server).
curl -x socks5h://127.0.0.1:1080 https://httpbin.org/ipscp root@server:/etc/dnstm/tunnels/<tag>/cert.pem ./cert.pemslipstream-client -d DOMAIN -r 8.8.8.8:53 --cert cert.pem -l 2222ssh -p 2222 user@127.0.0.1ssh -D 1080 -p 2222 user@127.0.0.1Then use 127.0.0.1:1080 as SOCKS5 proxy.
# Start SSH with dynamic port forwarding in background
ssh -D 1080 -f -N -p 2222 user@127.0.0.1
# Test connection
curl -x socks5h://127.0.0.1:1080 https://httpbin.org/ipFrom server:
dnstm tunnel status <name>Copy the public key (64 hex digits).
dnstt-client -udp 8.8.8.8:53 -pubkey PUBLIC_KEY DOMAIN 127.0.0.1:1080Or with key file:
scp root@server:/etc/dnstm/tunnels/<tag>/server.pub ./
dnstt-client -udp 8.8.8.8:53 -pubkey-file server.pub DOMAIN 127.0.0.1:1080curl -x socks5h://127.0.0.1:1080 https://httpbin.org/ipdnstm tunnel status <name>dnstt-client -udp 8.8.8.8:53 -pubkey PUBLIC_KEY DOMAIN 127.0.0.1:2222ssh -p 2222 user@127.0.0.1ssh -o ProxyCommand="dnstt-client -udp 8.8.8.8:53 -pubkey PUBLIC_KEY DOMAIN 127.0.0.1:%p" user@localhostssh -D 1080 -p 2222 user@127.0.0.1# Start SSH with dynamic port forwarding in background
ssh -D 1080 -f -N -p 2222 user@127.0.0.1
# Test connection
curl -x socks5h://127.0.0.1:1080 https://httpbin.org/ipUse any public DNS resolver. Recommended order:
8.8.8.8(Google) - most reliable9.9.9.9(Quad9)1.1.1.1(Cloudflare)
If UDP is blocked, use DNS-over-TLS or DNS-over-HTTPS:
- DNSTT:
-dot 8.8.8.8:853or-doh https://dns.google/dns-query
-
Verify server is running:
dnstm router status
-
Check server logs:
dnstm tunnel logs <name>
-
Try a different DNS resolver (8.8.8.8 vs 1.1.1.1)
Copy the latest certificate from server:
scp root@server:/etc/dnstm/tunnels/<tag>/cert.pem ./cert.pemGet the correct key:
dnstm tunnel status <name>DNSTT is slower than Slipstream due to protocol overhead. For better performance, use Slipstream transports.
Check the client output for errors. Common issues:
- Certificate mismatch: re-copy the certificate
- DNS propagation: try a different resolver
- Server not running: check
dnstm router status