Back to Details

flowdriver-covert-transport

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

FlowDriver Covert Transport

FlowDriver 隐秘传输工具

Skill by ara.so — Daily 2026 Skills collection.
FlowDriver tunnels SOCKS5 proxy traffic through Google Drive API calls, making network traffic appear as legitimate cloud storage activity. It treats a shared Drive folder as a bidirectional data queue: the client uploads binary-encoded request packets, the server polls for them, opens real TCP connections, and returns responses as Drive files.
ara.so 开发的技能 — 属于2026每日技能合集。
FlowDriver 将SOCKS5代理流量通过Google Drive API调用进行传输,让网络流量看起来像是合法的云存储操作。它把一个共享Drive文件夹当作双向数据队列:客户端上传二进制编码的请求数据包,服务器轮询获取这些数据包,建立真实的TCP连接,并将响应以Drive文件的形式返回。

How It Works

工作原理

Local App → SOCKS5 → FlowDriver Client → Google Drive Folder → FlowDriver Server → Internet
                      (upload requests)   (shared queue)        (download + proxy)
  1. Client listens on a local SOCKS5 port, encodes TCP requests into a binary protocol, and uploads them to a Drive folder.
  2. Server polls the same folder, downloads request files, opens real TCP connections to destinations, and uploads response files back.
  3. Traffic appears as normal 
    googleapis.com
    API calls — resilient against SNI-based and DPI filtering.
本地应用 → SOCKS5 → FlowDriver 客户端 → Google Drive 文件夹 → FlowDriver 服务器 → 互联网
                      (上传请求)       (共享队列)             (下载 + 代理)
  1. 客户端监听本地SOCKS5端口,将TCP请求编码为二进制协议,然后上传到Drive文件夹。
  2. 服务器轮询同一个文件夹,下载请求文件,建立到目标地址的真实TCP连接,并将响应文件上传回文件夹。
  3. 流量表现为正常的
    googleapis.com
    API调用 — 能抵御基于SNI和DPI的过滤。

Installation

安装

Prerequisites

前置要求

  • Go 1.25+
  • Google Cloud project with Drive API enabled
  • credentials.json
    (OAuth2 Desktop App credentials)
  • Go 1.25+
  • 已启用Drive API的Google Cloud项目
  • credentials.json
    (OAuth2桌面应用凭证)

Build

构建

bash
git clone https://github.com/NullLatency/FlowDriver.git
cd FlowDriver
go build -o bin/client ./cmd/client
go build -o bin/server ./cmd/server
bash
git clone https://github.com/NullLatency/FlowDriver.git
cd FlowDriver
go build -o bin/client ./cmd/client
go build -o bin/server ./cmd/server

Google Drive API Setup

Google Drive API 配置

Step 1: Enable the API

步骤1:启用API

  1. Go to Google Cloud Console
  2. Create or select a project
  3. Enable Google Drive API under "APIs & Services"
  1. 访问 Google Cloud控制台
  2. 创建或选择一个项目
  3. 在「API与服务」下启用 Google Drive API

Step 2: Create OAuth2 Credentials

步骤2:创建OAuth2凭证

  1. "APIs & Services" → "Credentials" → "Create Credentials" → OAuth client ID
  2. Application type: Desktop App
  3. Download the JSON → rename to 
    credentials.json
  1. 「API与服务」→「凭证」→「创建凭证」→ OAuth客户端ID
  2. 应用类型:桌面应用
  3. 下载JSON文件 → 重命名为
    credentials.json

Step 3: Publish the App (Prevent Token Expiry)

步骤3:发布应用(防止令牌过期)

In "OAuth consent screen", click Publish App — otherwise tokens expire every 7 days (Testing mode).
在「OAuth同意屏幕」中点击 发布应用 — 否则令牌会每7天过期(测试模式)。

Configuration

配置

Client Config (
client_config.json
)

客户端配置(
client_config.json

json
{
  "listen_addr": "127.0.0.1:1080",
  "storage_type": "google",
  "google_folder_id": "",
  "refresh_rate_ms": 150,
  "flush_rate_ms": 300,
  "transport": {
    "TargetIP": "216.239.38.120:443",
    "SNI": "google.com",
    "HostHeader": "www.googleapis.com"
  }
}
Leave 
google_folder_id
empty on first run — FlowDriver auto-creates a "Flow-Data" folder and saves the ID back to config.
json
{
  "listen_addr": "127.0.0.1:1080",
  "storage_type": "google",
  "google_folder_id": "",
  "refresh_rate_ms": 150,
  "flush_rate_ms": 300,
  "transport": {
    "TargetIP": "216.239.38.120:443",
    "SNI": "google.com",
    "HostHeader": "www.googleapis.com"
  }
}
首次运行时留空
google_folder_id
— FlowDriver会自动创建一个 "Flow-Data" 文件夹,并将ID保存回配置文件。

Server Config (
server_config.json
)

服务器配置(
server_config.json

json
{
  "storage_type": "google",
  "google_folder_id": "SAME_FOLDER_ID_AS_CLIENT",
  "refresh_rate_ms": 150,
  "flush_rate_ms": 300
}
google_folder_id
must match between client and server configs.
json
{
  "storage_type": "google",
  "google_folder_id": "与客户端相同的文件夹ID",
  "refresh_rate_ms": 150,
  "flush_rate_ms": 300
}
客户端和服务器配置中的
google_folder_id
必须一致

Key Config Fields

关键配置字段

FieldDescriptionRecommended
listen_addr
Local SOCKS5 listener
127.0.0.1:1080
refresh_rate_ms
How often to poll Drive for new packets≥ 100ms
flush_rate_ms
How often to batch-upload pending data≥ 300ms
transport.TargetIP
Google API IP for direct TLS connection
216.239.38.120:443
transport.SNI
TLS SNI value sent in handshake
google.com
transport.HostHeader
HTTP Host header for API calls
www.googleapis.com
字段描述推荐值
listen_addr
本地SOCKS5监听地址
127.0.0.1:1080
refresh_rate_ms
轮询Drive获取新数据包的频率≥ 100ms
flush_rate_ms
批量上传待处理数据的频率≥ 300ms
transport.TargetIP
用于直接TLS连接的Google API IP
216.239.38.120:443
transport.SNI
TLS握手时发送的SNI值
google.com
transport.HostHeader
API调用的HTTP Host头
www.googleapis.com

Running FlowDriver

运行 FlowDriver

First-Time Authentication (Local Machine)

首次认证(本地机器)

Run the client once to complete OAuth2 flow:
bash
./bin/client -c client_config.json -gc credentials.json
  1. A URL appears in the terminal — open it in your browser
  2. Log in to Google and grant Drive permissions
  3. You'll be redirected to 
    http://localhost/...
    (page may not load — that's fine)
  4. Copy the full URL from the address bar and paste it into the terminal
  5. A 
    .token
    file is created alongside 
    credentials.json
运行客户端一次以完成OAuth2流程:
bash
./bin/client -c client_config.json -gc credentials.json
  1. 终端会显示一个URL — 在浏览器中打开它
  2. 登录Google并授予Drive权限
  3. 会被重定向到
    http://localhost/...
    (页面可能无法加载 — 这是正常的)
  4. 从地址栏复制完整URL并粘贴到终端
  5. 会在
    credentials.json
    旁边生成一个
    .token
    文件

Deploy Server (Remote Machine)

部署服务器(远程机器)

bash
undefined
bash
undefined

Copy both files to the server

将两个文件复制到服务器

scp credentials.json user@server:/path/to/flowdriver/ scp *.token user@server:/path/to/flowdriver/
scp credentials.json user@server:/path/to/flowdriver/ scp *.token user@server:/path/to/flowdriver/

Ensure server_config.json has the correct google_folder_id

确保server_config.json中的google_folder_id正确

(copy it from your local client_config.json after first run)

(首次运行后从本地client_config.json中复制)

Start the server

启动服务器

./bin/server -c server_config.json -gc credentials.json

The server auto-uses the existing `.token` — no browser needed.
./bin/server -c server_config.json -gc credentials.json

服务器会自动使用已有的`.token` — 无需浏览器。

Start the Client

启动客户端

bash
./bin/client -c client_config.json -gc credentials.json
bash
./bin/client -c client_config.json -gc credentials.json

Use the SOCKS5 Proxy

使用SOCKS5代理

bash
undefined
bash
undefined

Test with curl

用curl测试

curl --socks5 127.0.0.1:1080 https://example.com
curl --socks5 127.0.0.1:1080 https://example.com

Configure in browser (Firefox: Manual proxy → SOCKS5 → 127.0.0.1:1080)

在浏览器中配置(Firefox:手动代理 → SOCKS5 → 127.0.0.1:1080)

Use with any SOCKS5-aware application

在任何支持SOCKS5的应用中使用

export ALL_PROXY=socks5://127.0.0.1:1080

---
export ALL_PROXY=socks5://127.0.0.1:1080

---

CLI Reference

命令行参考

Client

客户端

bash
./bin/client -c <config_file> -gc <credentials_file>
bash
./bin/client -c <配置文件> -gc <凭证文件>

Flags:

参数:

-c Path to client_config.json

-c client_config.json的路径

-gc Path to credentials.json (OAuth2)

-gc credentials.json的路径(OAuth2凭证)

undefined
undefined

Server

服务器

bash
./bin/server -c <config_file> -gc <credentials_file>
bash
./bin/server -c <配置文件> -gc <凭证文件>

Flags:

参数:

-c Path to server_config.json

-c server_config.json的路径

-gc Path to credentials.json (OAuth2)

-gc credentials.json的路径(OAuth2凭证)


---

---

Code Examples

代码示例

Verify SOCKS5 Proxy in Go

在Go中验证SOCKS5代理

go
package main

import (
    "fmt"
    "io"
    "net/http"
    "golang.org/x/net/proxy"
)

func main() {
    // Connect through FlowDriver SOCKS5 proxy
    dialer, err := proxy.SOCKS5("tcp", "127.0.0.1:1080", nil, proxy.Direct)
    if err != nil {
        panic(err)
    }

    transport := &http.Transport{Dial: dialer.Dial}
    client := &http.Client{Transport: transport}

    resp, err := client.Get("https://httpbin.org/ip")
    if err != nil {
        panic(err)
    }
    defer resp.Body.Close()

    body, _ := io.ReadAll(resp.Body)
    fmt.Println(string(body))
}
go
package main

import (
    "fmt"
    "io"
    "net/http"
    "golang.org/x/net/proxy"
)

func main() {
    // 通过FlowDriver SOCKS5代理连接
    dialer, err := proxy.SOCKS5("tcp", "127.0.0.1:1080", nil, proxy.Direct)
    if err != nil {
        panic(err)
    }

    transport := &http.Transport{Dial: dialer.Dial}
    client := &http.Client{Transport: transport}

    resp, err := client.Get("https://httpbin.org/ip")
    if err != nil {
        panic(err)
    }
    defer resp.Body.Close()

    body, _ := io.ReadAll(resp.Body)
    fmt.Println(string(body))
}

Programmatic Config Generation

程序化生成配置

go
package main

import (
    "encoding/json"
    "os"
)

type TransportConfig struct {
    TargetIP   string
    SNI        string
    HostHeader string
}

type ClientConfig struct {
    ListenAddr     string          `json:"listen_addr"`
    StorageType    string          `json:"storage_type"`
    GoogleFolderID string          `json:"google_folder_id"`
    RefreshRateMs  int             `json:"refresh_rate_ms"`
    FlushRateMs    int             `json:"flush_rate_ms"`
    Transport      TransportConfig `json:"transport"`
}

func main() {
    cfg := ClientConfig{
        ListenAddr:     "127.0.0.1:1080",
        StorageType:    "google",
        GoogleFolderID: "", // auto-created on first run
        RefreshRateMs:  150,
        FlushRateMs:    300,
        Transport: TransportConfig{
            TargetIP:   "216.239.38.120:443",
            SNI:        "google.com",
            HostHeader: "www.googleapis.com",
        },
    }

    data, _ := json.MarshalIndent(cfg, "", "  ")
    os.WriteFile("client_config.json", data, 0644)
}
go
package main

import (
    "encoding/json"
    "os"
)

type TransportConfig struct {
    TargetIP   string
    SNI        string
    HostHeader string
}

type ClientConfig struct {
    ListenAddr     string          `json:"listen_addr"`
    StorageType    string          `json:"storage_type"`
    GoogleFolderID string          `json:"google_folder_id"`
    RefreshRateMs  int             `json:"refresh_rate_ms"`
    FlushRateMs    int             `json:"flush_rate_ms"`
    Transport      TransportConfig `json:"transport"`
}

func main() {
    cfg := ClientConfig{
        ListenAddr:     "127.0.0.1:1080",
        StorageType:    "google",
        GoogleFolderID: "", // 首次运行时自动创建
        RefreshRateMs:  150,
        FlushRateMs:    300,
        Transport: TransportConfig{
            TargetIP:   "216.239.38.120:443",
            SNI:        "google.com",
            HostHeader: "www.googleapis.com",
        },
    }

    data, _ := json.MarshalIndent(cfg, "", "  ")
    os.WriteFile("client_config.json", data, 0644)
}

Using with 
proxychains

proxychains
配合使用

bash
undefined
bash
undefined

/etc/proxychains4.conf

/etc/proxychains4.conf

Add at the bottom:

在底部添加:

socks5 127.0.0.1 1080

socks5 127.0.0.1 1080

proxychains4 curl https://example.com proxychains4 ssh user@remote-host

---
proxychains4 curl https://example.com proxychains4 ssh user@remote-host

---

Common Patterns

常见配置模式

Pattern: High-Latency Stable Connection

模式:高延迟稳定连接

For restricted networks where stability matters more than speed:
json
{
  "refresh_rate_ms": 300,
  "flush_rate_ms": 500
}
对于稳定性优先于速度的受限网络:
json
{
  "refresh_rate_ms": 300,
  "flush_rate_ms": 500
}

Pattern: Multiple Concurrent Users

模式:多用户并发

Increase poll intervals to avoid quota exhaustion:
json
{
  "refresh_rate_ms": 200,
  "flush_rate_ms": 400
}
增加轮询间隔以避免配额耗尽:
json
{
  "refresh_rate_ms": 200,
  "flush_rate_ms": 400
}

Pattern: Systemd Service (Server)

模式:Systemd服务(服务器)

ini
undefined
ini
undefined

/etc/systemd/system/flowdriver.service

/etc/systemd/system/flowdriver.service

[Unit] Description=FlowDriver Covert Transport Server After=network.target
[Service] Type=simple WorkingDirectory=/opt/flowdriver ExecStart=/opt/flowdriver/bin/server -c server_config.json -gc credentials.json Restart=on-failure RestartSec=5s
[Install] WantedBy=multi-user.target

```bash
sudo systemctl enable flowdriver
sudo systemctl start flowdriver
sudo systemctl status flowdriver
[Unit] Description=FlowDriver 隐秘传输服务器 After=network.target
[Service] Type=simple WorkingDirectory=/opt/flowdriver ExecStart=/opt/flowdriver/bin/server -c server_config.json -gc credentials.json Restart=on-failure RestartSec=5s
[Install] WantedBy=multi-user.target

```bash
sudo systemctl enable flowdriver
sudo systemctl start flowdriver
sudo systemctl status flowdriver

Pattern: Docker Deployment (Server)

模式:Docker部署(服务器)

dockerfile
FROM golang:1.25-alpine AS builder
WORKDIR /app
COPY . .
RUN go build -o bin/server ./cmd/server

FROM alpine:latest
WORKDIR /app
COPY --from=builder /app/bin/server .
dockerfile
FROM golang:1.25-alpine AS builder
WORKDIR /app
COPY . .
RUN go build -o bin/server ./cmd/server

FROM alpine:latest
WORKDIR /app
COPY --from=builder /app/bin/server .

Mount credentials.json, .token, and server_config.json as volumes

将credentials.json、.token和server_config.json挂载为卷

CMD ["./server", "-c", "server_config.json", "-gc", "credentials.json"]

```bash
docker run -d \
  -v $(pwd)/credentials.json:/app/credentials.json \
  -v $(pwd)/*.token:/app/ \
  -v $(pwd)/server_config.json:/app/server_config.json \
  flowdriver-server
CMD ["./server", "-c", "server_config.json", "-gc", "credentials.json"]

```bash
docker run -d \
  -v $(pwd)/credentials.json:/app/credentials.json \
  -v $(pwd)/*.token:/app/ \
  -v $(pwd)/server_config.json:/app/server_config.json \
  flowdriver-server

Troubleshooting

故障排查

Token Expires Every 7 Days

令牌每7天过期

Cause: App is in "Testing" mode on Google Cloud.
Fix: Go to OAuth consent screen → Publish App. Re-authenticate once after publishing.
原因:应用处于Google Cloud的「测试」模式。
解决方法:进入OAuth同意屏幕 → 发布应用。发布后重新认证一次。

google_folder_id
Mismatch

google_folder_id
不匹配

Symptom: Server polls indefinitely, client uploads but gets no responses.
Fix: After the first client run, check 
client_config.json
for the auto-saved 
google_folder_id
. Copy it exactly into 
server_config.json
.
症状:服务器无限轮询,客户端上传但无响应。
解决方法:首次运行客户端后,检查
client_config.json
中自动保存的
google_folder_id
,将其准确复制到
server_config.json
中。

API Quota Exhausted (429 errors)

API配额耗尽(429错误)

Symptom: Connections slow down or fail after sustained use.
Fix: Increase 
refresh_rate_ms
and 
flush_rate_ms
to ≥ 200ms. Never go below 100ms.
json
{
  "refresh_rate_ms": 200,
  "flush_rate_ms": 400
}
症状:持续使用后连接变慢或失败。
解决方法:将
refresh_rate_ms
flush_rate_ms
增加到≥200ms,不要低于100ms。
json
{
  "refresh_rate_ms": 200,
  "flush_rate_ms": 400
}

OAuth Callback URL Doesn't Load

OAuth回调URL无法加载

Expected behavior — the browser redirecting to 
http://localhost/...
and showing an error page is normal. Copy the full URL from the address bar anyway and paste it into the terminal.
这是预期行为 — 浏览器重定向到
http://localhost/...
并显示错误页面是正常的。无论如何,从地址栏复制完整URL并粘贴到终端即可。

.token
File Not Found on Server

服务器上找不到
.token
文件

bash
undefined
bash
undefined

The token file is named after credentials, check for it:

令牌文件以凭证命名,检查是否存在:

ls -la /path/to/flowdriver/*.token
ls -la /path/to/flowdriver/*.token

Re-run auth on local machine and re-copy:

在本地机器重新运行认证并重新复制:

./bin/client -c client_config.json -gc credentials.json scp *.token user@server:/path/to/flowdriver/
undefined
./bin/client -c client_config.json -gc credentials.json scp *.token user@server:/path/to/flowdriver/
undefined

Build Fails — Wrong Go Version

构建失败 — Go版本错误

bash
go version  # must be 1.25+
bash
go version  # 必须为1.25+

Install latest Go from https://go.dev/dl/

https://go.dev/dl/安装最新版Go

undefined
undefined

Test SOCKS5 Proxy Connectivity

测试SOCKS5代理连通性

bash
undefined
bash
undefined

Basic connectivity test

基础连通性测试

curl -v --socks5 127.0.0.1:1080 https://httpbin.org/ip
curl -v --socks5 127.0.0.1:1080 https://httpbin.org/ip

If it hangs: check client is running and authenticated

如果卡住:检查客户端是否运行并已认证

If connection refused: verify listen_addr in client_config.json

如果连接被拒绝:验证client_config.json中的listen_addr


---

---

Performance Considerations

性能考量

Scenario
refresh_rate_ms
flush_rate_ms
Single user, fast100300
Single user, stable150300
Multi-user / heavy200400
Quota-conscious300500
  • Each poll is a Drive API 
    list
    call — aggressive polling burns quota fast
  • Response latency = 
    refresh_rate_ms
    + upload/download time (typically 200–800ms total RTT)
  • Not suitable for real-time protocols (VoIP, gaming) — best for HTTP/HTTPS browsing and SSH
场景
refresh_rate_ms
flush_rate_ms
单用户、高速100300
单用户、稳定150300
多用户/高负载200400
配额敏感300500
  • 每次轮询都是一次Drive API的
    list
    调用 — 过于频繁的轮询会快速消耗配额
  • 响应延迟 = 
    refresh_rate_ms
    + 上传/下载时间(总RTT通常为200–800ms)
  • 不适用于实时协议(VoIP、游戏)— 最适合HTTP/HTTPS浏览和SSH