routing-switch
System-wide traffic routing through various proxy protocols
Version: 9.8.4 (build 319) | Size: 9.6MB | Author: Warith Al Maawali
License: Proprietary | Website: https://digi77.com
File Information
| Property | Value |
|---|---|
| Binary Name | routing-switch |
| Version | 9.8.4 (build 319) |
| Build Date | REDACTED-BUILD-TIME |
| Rust Version | 1.70.0 |
| File Size | 9.6MB |
| Author | Warith Al Maawali |
| License | Proprietary |
| Category | Kodachi Binary |
| Description | System-wide traffic routing through various proxy protocols |
| Git Commit | unknown |
| Metadata Generated | 2026-06-28T11:16:26Z |
| Binary Timestamp | Unknown |
| JSON Data | View Raw JSON |
SHA256 Checksum
702d9a86213dfa4d0933032a4d063cfda2cdb48502578323d4b4ebfdc0ce567a
Features
| # | Feature |
|---|---|
| 1 | System-wide traffic routing through proxy protocols |
| 2 | Support for OpenVPN, WireGuard, and Dante SOCKS5 |
| 3 | Support for Tor, Shadowsocks, V2Ray, and Xray protocols |
| 4 | Support for Mieru/Mita and Hysteria2 protocols |
| 5 | Automatic protocol scoring and selection |
| 6 | DNS leak prevention with multiple modes |
| 7 | Metric-based and direct routing options |
| 8 | External configuration file support |
| 9 | IPv4/IPv6 dual-stack support |
| 10 | QR code generation for mobile clients |
| 11 | VPNGate free VPN integration (100+ public servers, no auth required) |
| 12 | Comprehensive logging and monitoring |
Global Options
| Flag | Description |
|---|---|
-h, --help |
Print help information |
-v, --version |
Print version information |
-n, --info |
Display detailed information |
-e, --examples |
Show usage examples |
--json |
Output in JSON format |
--json-pretty |
Pretty-print JSON output with indentation |
--json-human |
Enhanced JSON output with improved formatting (like jq) |
--verbose |
Enable verbose output |
Commands
CONNECTION COMMANDS
connect
Connect to a proxy protocol (openvpn, wireguard use native routing; tor uses redsocks; dante, shadowsocks, v2ray, xray-*, mita use tun2socks)
Usage:
routing-switch connect <PROTOCOL> [OPTIONS]
disconnect
Disconnect current proxy connection
Usage:
routing-switch disconnect [OPTIONS]
status
Show current connection status
Usage:
routing-switch status [OPTIONS]
INFORMATION COMMANDS
dns-info
Display current DNS server information
Usage:
routing-switch dns-info [OPTIONS]
tor-dns-info
Display Tor DNS and SOCKS endpoint information
Usage:
routing-switch tor-dns-info [OPTIONS]
vps-info
Display VPS server information (hostname, IP, stats)
Usage:
routing-switch vps-info [OPTIONS]
list-protocols
List available protocols with scores
Usage:
routing-switch list-protocols [OPTIONS]
TESTING COMMANDS
test-protocol
Test a specific protocol connectivity
Usage:
routing-switch test-protocol <PROTOCOL> [OPTIONS]
benchmark
Benchmark all available protocols
Usage:
routing-switch benchmark [OPTIONS]
CONFIGURATION COMMANDS
export-config
Export protocol configurations to files
Usage:
routing-switch export-config [PROTOCOL] [OPTIONS]
showconfig
Show protocol configuration
Usage:
routing-switch showconfig [PROTOCOL] [OPTIONS]
showconfigurl
Show protocol configuration as URL
Usage:
routing-switch showconfigurl [PROTOCOL] [OPTIONS]
showconfigqr
Show protocol configuration as QR code
Usage:
routing-switch showconfigqr [PROTOCOL] [OPTIONS]
validate-qr
Validate QR code configurations against the auth card (file, stdin, or by protocol)
Usage:
routing-switch validate-qr [PROTOCOL] [OPTIONS]
MANAGEMENT COMMANDS
auto-select
Auto-select and connect to best protocol
Usage:
routing-switch auto-select [OPTIONS]
reset
Reset all routing to default state
Usage:
routing-switch reset [OPTIONS]
cleanup
Clean up orphaned processes and resources
Usage:
routing-switch cleanup [OPTIONS]
recover
Recover from partial failure state
Usage:
routing-switch recover [OPTIONS]
check-prerequisites
Check and fix network prerequisites for VPN connections (forwarding, NAT)
Usage:
sudo routing-switch check-prerequisites [OPTIONS]
MICROSOCKS SERVER MANAGEMENT
microsocks-enable
Enable microsocks SOCKS5 server for other devices
Usage:
routing-switch microsocks-enable -u USERNAME -p PASSWORD [--port PORT]
microsocks-disable
Disable microsocks SOCKS5 server
Usage:
routing-switch microsocks-disable
microsocks-status
Show microsocks server status
Usage:
routing-switch microsocks-status [OPTIONS]
VPNGATE FREE VPN
vpngate-fetch
Fetch VPNGate free public VPN server list
Usage:
routing-switch vpngate-fetch [OPTIONS]
vpngate-list
List cached VPNGate servers with filtering and sorting
Usage:
routing-switch vpngate-list [OPTIONS]
vpngate-connect
Connect to a VPNGate free VPN server by index (no auth required)
Usage:
sudo routing-switch vpngate-connect <INDEX> [OPTIONS]
vpngate-export
Export a VPNGate server's OpenVPN config as .ovpn file
Usage:
routing-switch vpngate-export <INDEX> [OPTIONS]
vpngate-export-all
Export all cached VPNGate servers as .ovpn files
Usage:
routing-switch vpngate-export-all [OPTIONS]
providers
Browse, fetch, and connect through commercial / free third-party VPN providers (VPN Gate, Riseup, NordVPN, IVPN, PIA, Surfshark, AirVPN, Mullvad-WG)
Usage:
routing-switch providers <SUBCOMMAND> [OPTIONS]
Operational Scenarios
Scenario-oriented workflows generated from the binary's built-in -e --json examples.
Scenario 1: BASIC CONNECTIONS
Connect to various proxy protocols
Step 1: Connect via OpenVPN
sudo routing-switch connect openvpn
Note
Requires OpenVPN configuration in auth card
Step 2: Connect via WireGuard
sudo routing-switch connect wireguard
Note
Ultra-fast, modern VPN protocol
Step 3: Connect via Dante SOCKS5 proxy
sudo routing-switch connect dante
Step 4: Route traffic through Tor - VPN-only, layered on an active Kodachi tunnel
sudo routing-switch connect wireguard
$ sudo routing-switch connect tor
Note
Kodachi's Tor SOCKS proxy is bound to the VPN network only - never exposed on a public IP, because a public Tor SOCKS port gets abused as an open proxy. So `connect tor` is NOT a standalone command: connect ANY Kodachi protocol FIRST (WireGuard, OpenVPN, or a proxy protocol - Shadowsocks/V2Ray/Xray/Hysteria2/Mita), then `connect tor` layers Tor on that tunnel (the underlay is kept, not disconnected). Running `connect tor` with no tunnel up is refused with on-screen guidance. Easier alternative for WireGuard/OpenVPN: set your browser's SOCKS5 proxy to 172.16.0.1:9050 (over OpenVPN) or 10.0.0.1:9050 (over WireGuard).
Step 5: Connect via Shadowsocks
sudo routing-switch connect shadowsocks
Note
Optimized for bypassing censorship
Step 6: Connect via V2Ray VMess
sudo routing-switch connect v2ray
Step 7: Connect via Xray VLESS TLS
sudo routing-switch connect xray-vless
Note
Lightweight, fast protocol with TLS
Step 8: Connect via Xray VLESS Reality
sudo routing-switch connect xray-vless-reality
Note
Most advanced censorship resistance
Step 9: Connect via Xray Trojan
sudo routing-switch connect xray-trojan
Note
Mimics HTTPS traffic
Step 10: Connect via Xray VMess
sudo routing-switch connect xray-vmess
Step 11: Connect via Mieru/Mita protocol
sudo routing-switch connect mita
Note
Anti-censorship protocol
Step 12: Connect via Hysteria2 protocol
sudo routing-switch connect hysteria2
Note
UDP-based, high-performance anti-censorship protocol
Scenario 2: EXTERNAL CONFIGURATION FILES
Connect a custom profile with --config instead of the auth card. OpenVPN/WireGuard take standard text bodies; v2ray/xray/shadowsocks/hysteria2/mita take the card-native services.<proto> JSON object (a custom profile is just a card service slice).
Step 1: Connect using external OpenVPN config file
sudo routing-switch connect openvpn --config /home/user/vpn.ovpn
Note
Supports standard .ovpn configuration files
Step 2: Connect using external WireGuard config
sudo routing-switch connect wireguard --config /path/to/wg0.conf
Note
Uses standard WireGuard .conf format
Step 3: Connect a custom Shadowsocks profile
sudo routing-switch connect shadowsocks --config /path/to/shadowsocks-profile.json
Note
File is the card-native services.shadowsocks JSON object (method, password, port, ipv4{host,url})
Step 4: Connect a custom V2Ray (VMess) profile
sudo routing-switch connect v2ray --config /path/to/v2ray-profile.json
Note
File is the card-native services.v2ray JSON object (uuid, port, network, path, security, alterId, ipv4{host,url})
Step 5: Connect a custom Xray profile (xray-vless / xray-vless-reality / xray-trojan / xray-vmess)
sudo routing-switch connect xray-vless-reality --config /path/to/xray-profile.json
Note
File is the card-native services.xray JSON object (domain, protocols{vless|trojan|vmess}, reality_public_key)
Step 6: Connect a custom Hysteria2 profile
sudo routing-switch connect hysteria2 --config /path/to/hysteria2-profile.json
Note
File is the card-native services.hysteria2 JSON object (password, port, protocol, obfs_type, obfs_password, ipv4{host,url})
Step 7: Connect a custom Mita/Mieru profile
sudo routing-switch connect mita --config /path/to/mita-profile.json
Note
File is the card-native services.mita JSON object (username, password, port, protocol, mtu, multiplexing, ipv4{host,url})
Step 8: Force connection with external config
sudo routing-switch connect openvpn --config ./vpn.ovpn --force
Note
Combines --config with other flags like --force
Step 9: External config in no-TUN mode
sudo routing-switch connect shadowsocks --config ~/configs/ss.json --no-tun
Note
Use external config for manual proxy setup
Scenario 3: IPV4/IPV6 SELECTION
Explicitly choose IPv4 or IPv6 connections
Step 1: Force IPv4 connection to Dante
sudo routing-switch connect dante --ipv4
Step 2: Force IPv6 connection to Dante
sudo routing-switch connect dante --ipv6
Note
Requires IPv6 support
Step 3: Connect Shadowsocks over IPv4
sudo routing-switch connect shadowsocks --ipv4
Step 4: Connect Tor over IPv6
sudo routing-switch connect tor --ipv6
Step 5: Use IPv6 for Xray VLESS
sudo routing-switch connect xray-vless --ipv6
Step 6: Connect Hysteria2 over IPv4
sudo routing-switch connect hysteria2 --ipv4
Step 7: Connect Hysteria2 over IPv6
sudo routing-switch connect hysteria2 --ipv6
Note
Requires IPv6 support
Scenario 4: NETWORK PREREQUISITES
Check and manage network prerequisites for VPN connections
Step 1: Check and fix network prerequisites
sudo routing-switch check-prerequisites
Note
Fixes only what's wrong, preserves correct settings
Step 2: Check prerequisites for IPv6 connections
sudo routing-switch check-prerequisites --ipv6
Note
Only enables IPv6 if system supports it
Step 3: Get prerequisites status in JSON format
sudo routing-switch check-prerequisites --json
Step 4: Connect with automatic prerequisites check
sudo routing-switch connect shadowsocks
Note
Prerequisites are checked by default
Step 5: Connect without prerequisites check
sudo routing-switch connect shadowsocks --skip-prerequisites
Note
Skips prerequisites for backward compatibility
Step 6: Force reconnection with prerequisites check
sudo routing-switch connect wireguard --force
Note
Prerequisites persist after disconnect for other VPN tools
Scenario 5: CONNECTION STATUS
Check and monitor connection status
Step 1: Show current connection status
sudo routing-switch status
Note
Requires sudo for accurate results (reads privileged system state)
Step 2: Get status in JSON format
sudo routing-switch status --json
Step 3: Pretty-printed JSON status
sudo routing-switch status --json-pretty
Step 4: Human-readable JSON status
sudo routing-switch status --json-human
Scenario 6: DNS MODES AND SECURITY
Control DNS routing for security and compatibility (DEFAULT: auto mode)
Step 1: DEFAULT: Auto mode (no special DNS routing)
sudo routing-switch connect wireguard
Note
DEFAULT safe mode - DNS flows through tunnel like all traffic. Note: May not work with all protocols
Step 2: Auto mode: DNS flows naturally through tunnel (explicit)
sudo routing-switch connect wireguard --dns-mode auto
Note
Same as omitting --dns-mode; explicit form for scripting
Step 3: Hybrid mode: VPN server DNS bypasses tunnel
sudo routing-switch connect wireguard --dns-mode hybrid
Note
⚠️ WARNING: May cause internet loss! Use 'sudo routing-switch recover' to restore connectivity. Good balance of security and reliability for home/office use when you need LAN access
Step 4: Strict mode: ALL DNS through tunnel
sudo routing-switch connect wireguard --dns-mode strict
Note
Most secure, may fail if VPN server uses hostname
Step 5: System mode: DNS bypasses tunnel
sudo routing-switch connect wireguard --dns-mode system
Note
⚠️ NOT SECURE - DNS leaks! Use only for debugging
Step 6: Exclude private networks from VPN
sudo routing-switch connect wireguard --exclude-private
Note
Keep LAN access while using VPN
Step 7: Hybrid DNS with private network exclusion
sudo routing-switch connect wireguard --dns-mode hybrid --exclude-private
Note
Good for home/office use when you need LAN access
Scenario 7: ROUTING MODES - SECURITY vs FAILOVER
Choose between Direct (preferred tunnel route) or Metric (with fallback) routing
Step 1: DEFAULT: Direct routing mode (MOST SECURE)
sudo routing-switch connect tor
Note
✅ RECOMMENDED - strongest default, paired with leak checks and kill-switch controls
Step 2: Metric routing mode (LESS SECURE, has fallback)
sudo routing-switch connect tor --metric
Note
⚠️ WARNING: Can leak traffic if TUN fails! Use only if you need failover
Step 3: Direct mode for Shadowsocks (default)
sudo routing-switch connect shadowsocks
Note
Strongest default; leak checks and health controls decide failure handling
Step 4: Metric mode for corporate VPN scenarios
sudo routing-switch connect dante --metric
Note
Use for work VPNs where you need automatic failover
Step 5: Metric mode with LAN access preserved
sudo routing-switch connect xray-vless --metric --exclude-private
Note
Corporate setup: VPN with failover + LAN access
Scenario 8: DISCONNECTION
Disconnect and restore normal routing
Step 1: Disconnect current proxy
sudo routing-switch disconnect
Step 2: Force disconnect even if issues
sudo routing-switch disconnect --force
Note
Kills all processes forcefully
Step 3: Disconnect and clean all firewall rules
sudo routing-switch disconnect --clean-firewall
Note
Use when network is stuck after disconnect due to lingering iptables rules
Step 4: Force disconnect with complete firewall cleanup
sudo routing-switch disconnect --force --clean-firewall
Note
Emergency recovery - resets all iptables rules (preserves Docker/KVM chains)
Step 5: Disconnect with JSON output
sudo routing-switch disconnect --json
Scenario 9: FORCE FLAG & PROTOCOL COMPATIBILITY
Understanding --force behavior and which protocols can layer together
Step 1: Creates LAYERED connection: Tor-over-WireGuard ✓ (no --force needed)
sudo routing-switch connect wireguard
$ sudo routing-switch connect tor
Note
LAYERED: connect tor keeps the VPN as its underlay (does NOT disconnect it). Traffic: App → Tor (redsocks) → WireGuard → Internet. Required: the worker Tor is VPN-only.
Step 2: Creates LAYERED connection: Tor-over-OpenVPN ✓ (no --force needed)
sudo routing-switch connect openvpn
$ sudo routing-switch connect tor
Note
connect tor keeps OpenVPN as its underlay. Tor uses iptables NAT, no interface conflict with tun0. The worker Tor is VPN-only - it cannot be connected standalone.
Step 3: Creates LAYERED connection: Tor-over-proxy ✓ (works for shadowsocks/v2ray/xray/hysteria2/mita)
sudo routing-switch connect shadowsocks
$ sudo routing-switch connect tor
Note
connect tor keeps the proxy protocol as its underlay. Works the same for all proxy protocols (shadowsocks/v2ray/xray/hysteria2/mita) - they all ride the tun2socks tun_routing device. The underlay's own uplink to its worker is auto-excluded from the Tor redirect so the tunnel is not broken.
Step 4: FAILS: Interface conflict ✗
sudo routing-switch connect shadowsocks
$ sudo routing-switch connect dante --force
Note
All tun2socks protocols (shadowsocks, dante, v2ray, xray-*, mita, hysteria2) share the same TUN device
Step 5: May create complex routing (untested)
sudo routing-switch connect shadowsocks
$ sudo routing-switch connect tor --force
Note
Different architectures (tun2socks vs iptables) - may work but not recommended
Step 6: Understanding protocol architectures
# PROTOCOL TYPES AND COMPATIBILITY:
Note
Compatible: Native+Tor. Incompatible: Any two tun2socks protocols
Step 7: Best practices for using --force
# RECOMMENDED LAYERING:
Note
--force allows connection despite existing protocol, but compatibility depends on architecture
Scenario 10: DNS INFORMATION
Check DNS configuration
Step 1: Show current DNS servers
routing-switch dns-info
Step 2: DNS info in JSON format
routing-switch dns-info --json
Scenario 11: TOR DNS INFORMATION
Check Tor DNS and SOCKS configuration
Step 1: Show Tor DNS and SOCKS endpoints
routing-switch tor-dns-info
Note
Resolves both regular and .onion domains
Step 2: Tor DNS info in JSON format
routing-switch tor-dns-info --json
Scenario 12: VPS SERVER INFORMATION
Display VPS server details and statistics
Step 1: Show basic VPS information
routing-switch vps-info
Step 2: Show detailed VPS stats
routing-switch vps-info --detailed
Note
Includes CPU load, memory, uptime, and connection stats
Step 3: VPS info in JSON format
routing-switch vps-info --json
Scenario 13: PROTOCOL LISTING
List available protocols with scores
Step 1: List all available protocols
routing-switch list-protocols
Step 2: Protocol list in JSON
routing-switch list-protocols --json
Step 3: Show only available protocols
routing-switch list-protocols --available-only
Note
Based on auth card
Step 4: Sort by security score
routing-switch list-protocols --sort-by-security
Step 5: Sort by speed score
routing-switch list-protocols --sort-by-speed
Scenario 14: AUTO-SELECTION
Automatically select best protocol
Step 1: Auto-select best protocol
sudo routing-switch auto-select
Step 2: Auto-select with minimum security
sudo routing-switch auto-select --min-security 90
Step 3: Prioritize speed in selection
sudo routing-switch auto-select --prefer-speed
Step 4: Auto-select with JSON output
sudo routing-switch auto-select --json
Scenario 15: PORT USAGE INFORMATION
Local SOCKS5 port allocation reference for protocols
Step 1: Each protocol uses specific port ranges
# Port allocation for tun2socks-based protocols
Note
High port numbers (30000+) avoid conflicts with system services
Step 2: How traffic flows through local SOCKS5 proxy
# Traffic flow for SOCKS5-based protocols
Note
The local SOCKS5 proxy listens on 127.0.0.1:PORT where PORT is from the allocated range
Step 3: Check which local ports are in use
ss -tlnp | grep 300
Note
Use this command to verify which proxy ports are active
Step 4: Native VPN protocols use different approaches
# WireGuard and OpenVPN port usage
Note
These protocols don't use tun2socks or local SOCKS5 proxies - they connect directly
Scenario 16: JSON OUTPUT FORMATS
Different JSON output options
Step 1: Compact JSON output
sudo routing-switch status --json
Note
Requires sudo for accurate results
Step 2: Pretty-printed JSON
sudo routing-switch status --json-pretty
Step 3: Human-enhanced JSON
sudo routing-switch status --json-human
Step 4: Pretty JSON protocol list
routing-switch list-protocols --json --json-pretty
Scenario 17: BENCHMARKING
Test protocol performance
Step 1: Benchmark all protocols (3 iterations default)
routing-switch benchmark
Note
Tests actual throughput
Step 2: Benchmark with custom iteration count
routing-switch benchmark --iterations 5
Note
More iterations = more accurate results
Step 3: Benchmark results in JSON
routing-switch benchmark --json
Scenario 18: TESTING PROTOCOLS
Test protocol connectivity without routing
Step 1: Test Tor connectivity
routing-switch test-protocol tor
Note
Doesn't change routing
Step 2: Extended protocol test
routing-switch test-protocol shadowsocks --extended
Step 3: Test all available protocols
routing-switch test-protocol all
Step 4: Test with JSON output
routing-switch test-protocol wireguard --json
Scenario 19: NO-TUN MODE (MANUAL PROXY)
Run proxy without TUN interface for manual configuration
Step 1: Start Shadowsocks SOCKS5 proxy without TUN
sudo routing-switch connect shadowsocks --no-tun
Note
Configure browser/app manually with localhost:30000
Step 2: Connect to Dante SOCKS5 without routing traffic
sudo routing-switch connect dante --no-tun
Note
Direct connection to remote Dante server
Step 3: Use Tor SOCKS5 proxy without system routing
sudo routing-switch connect tor --no-tun
Note
Tor must be running. Apps connect to port 9050
Step 4: V2Ray proxy in manual mode with JSON output
sudo routing-switch connect v2ray --no-tun --json
Note
V2Ray client runs, no system routing
Step 5: Xray VLESS proxy for manual configuration
sudo routing-switch connect xray-vless --no-tun
Step 6: Firefox proxy settings example
# Configure Firefox with no-TUN proxy:
Note
Each protocol uses different port ranges
Step 7: Chrome command line example
# Chrome with no-TUN proxy:
Step 8: Stop the proxy (works for both TUN and no-TUN modes)
sudo routing-switch disconnect
Scenario 20: CONFIGURATION EXPORT AND DISPLAY
Export and display protocol configurations
Step 1: Export all configurations to default location
routing-switch export-config
Note
Creates timestamped config files
Step 2: Export specific protocol configuration
routing-switch export-config wireguard
Step 3: Export all configs to custom path
routing-switch export-config all --path /tmp/vpn-configs/
Note
Creates directory if it doesn't exist
Step 4: Export with credentials included
routing-switch export-config shadowsocks --include-credentials
Note
⚠️ WARNING: Contains sensitive passwords
Step 5: Export with JSON output showing results
routing-switch export-config --json
Step 6: Display WireGuard configuration
routing-switch showconfig wireguard
Note
Masks sensitive data by default
Step 7: Show all protocol configs in pretty JSON
routing-switch showconfig all --json-pretty
Step 8: Show config with passwords hidden
routing-switch showconfig dante --mask-sensitive
Note
Safe for sharing/logging
Step 9: Get Shadowsocks connection URL
routing-switch showconfigurl shadowsocks
Note
URL can be imported into mobile apps
Step 10: Get SOCKS5 URLs in JSON format
routing-switch showconfigurl dante --json
Step 11: Get URLs for all available protocols
routing-switch showconfigurl all
Step 12: Generate QR code for WireGuard config
routing-switch showconfigqr wireguard
Note
Scan with WireGuard mobile app
Step 13: Generate IPv4 QR code for Shadowsocks (default)
routing-switch showconfigqr shadowsocks
Note
Shows IPv4 QR code by default for dual-stack protocols
Step 14: Generate IPv6 QR code for Shadowsocks
routing-switch showconfigqr shadowsocks --ipv6
Note
Use --ipv6 flag to show IPv6 QR for dual-stack protocols
Step 15: Generate QR without validation (faster)
routing-switch showconfigqr shadowsocks --skip-validation
Note
Skips automatic QR validation for debugging
Step 16: Generate all QR codes with strict validation
routing-switch showconfigqr all --strict-validation
Note
Fails if any QR code validation fails
Step 17: Get QR data in JSON format
routing-switch showconfigqr dante --json
Note
JSON includes the URL for QR generation
Step 18: Generate QR code and save as PNG file
routing-switch showconfigqr shadowsocks --save-files
Note
Saves clean PNG file: shadowsocks_ipv4.png
Step 19: Generate IPv6 QR code and save as PNG file
routing-switch showconfigqr shadowsocks --ipv6 --save-files
Note
Saves clean PNG file: shadowsocks_ipv6.png
Step 20: Generate both IPv4 and IPv6 QR codes
routing-switch showconfigqr shadowsocks --ipv4 --ipv6 --save-files
Note
Saves both shadowsocks_ipv4.png and shadowsocks_ipv6.png
Step 21: Generate all QR codes with pretty JSON output
routing-switch showconfigqr all --save-files --json-pretty
Note
Creates clean PNG files for all available protocols, supports all JSON formats
Step 22: Save QR file with human-enhanced JSON output
routing-switch showconfigqr wireguard --save-files --json-human
Note
VPN protocols use single filename (no IP version suffix)
Scenario 21: QR CODE VALIDATION
Validate QR codes against auth card
Step 1: Validate QR code from image file (NEW: direct filename)
routing-switch validate-qr shadowsocks_ipv4.png
Note
Smart detection: automatically finds file in current dir or results/qr-codes/
Step 2: Validate QR code from results/qr-codes directory
routing-switch validate-qr dante_ipv4.png
Note
Automatically looks in ./results/qr-codes/ if not found in current directory
Step 3: Validate QR code using explicit --file flag (legacy syntax)
routing-switch validate-qr --file shadowsocks_qr.png
Note
Both direct filename and --file flag work identically
Step 4: Validate QR URL from stdin
echo 'ss://...' | routing-switch validate-qr --stdin
Note
Useful for clipboard validation
Step 5: Validate all generated QR codes
routing-switch validate-qr all
Note
Checks all QR codes in results/qr-codes/
Step 6: Test QR code readability
routing-switch validate-qr --test-readability shadowsocks
Note
Round-trip test of QR generation
Step 7: JSON validation output
routing-switch validate-qr qr_code.png --json
Note
Machine-readable validation results
Scenario 22: ERROR RECOVERY
Recover from connection issues
Step 1: Force disconnect stuck connection
sudo routing-switch disconnect --force
Note
Use when normal disconnect fails
Step 2: Reset all routing to default
sudo routing-switch reset
Note
Emergency recovery command
Step 3: Clean up orphaned processes
sudo routing-switch cleanup
Step 4: Automatically diagnose and fix routing issues, restore network settings
sudo routing-switch recover
Note
Performs comprehensive recovery including cleanup, route restoration, and DNS reset
Scenario 23: MICROSOCKS SERVER MODE
Turn Kodachi into a SOCKS5 proxy server for other devices on your network
Step 1: Enable microsocks server with auto port detection
sudo routing-switch microsocks-enable -u microkodachi-8273 -p 'S@Cur9P@s@Wo-Ds'
Note
Automatically selects available port from 30050-30054 range. Used when Kodachi acts as a server. After connecting routing-switch to any service (WireGuard, V2Ray, etc.), enable microsocks so other PCs on your network can connect through this machine using the listening microsocks port. Strong credentials recommended for security.
Step 2: Enable with specific port
sudo routing-switch microsocks-enable -u microkodachi-8273 -p 'S@Cur9P@s@Wo-Ds' --port 30051
Note
Use when you need a specific port number within the 30050-30054 range
Step 3: Check microsocks server status
sudo routing-switch microsocks-status
Note
Requires sudo for accurate results (reads privileged state)
Step 4: Check status in JSON format
sudo routing-switch microsocks-status --json
Step 5: Stop microsocks server
sudo routing-switch microsocks-disable
Step 6: Full example of using Kodachi as a proxy server
# Complete server workflow:
Note
WORKFLOW: First connect routing-switch to any service (WireGuard, V2Ray, Shadowsocks, Hysteria2, etc.). Then enable microsocks to create a SOCKS5 proxy server. Other devices on your network can now connect through YOUR_IP:PORT using the provided credentials. All their traffic will flow through your active routing-switch connection.
Step 7: Microsocks uses dedicated port range
# Port range information:
Note
High port numbers (30000+) avoid conflicts with system services. Each protocol has its own dedicated range.
Step 8: How other devices connect
# Client connection example:
Note
Configure client device browsers/applications to use this SOCKS5 proxy. All traffic from client will be routed through Kodachi's active connection.
Scenario 24: VPNGATE FREE VPN
Connect to free VPNGate public servers (no authentication required)
Step 1: Fetch VPNGate server list from public API
routing-switch vpngate-fetch
Note
Downloads and caches server list (refreshes every hour)
Step 2: List all cached VPNGate servers
routing-switch vpngate-list
Note
Shows servers sorted by score (default)
Step 3: List top 10 Japanese servers by speed
routing-switch vpngate-list --country JP --sort speed -l 10
Note
Filter by country name or code, sort by speed/ping/score/sessions
Step 4: List US servers sorted by lowest ping
routing-switch vpngate-list --country US --sort ping
Step 5: Connect to VPNGate server at index 5
sudo routing-switch vpngate-connect 5
Note
Uses OpenVPN with free vpn/vpn credentials
Step 6: Force connect to server 12 (disconnect existing first)
sudo routing-switch vpngate-connect 12 --force
Step 7: Fetch servers with JSON output
routing-switch vpngate-fetch --json
Step 8: List servers in pretty JSON format
routing-switch vpngate-list --json-pretty
Step 9: Export top server's OpenVPN config as .ovpn file
routing-switch vpngate-export 1
Note
Includes embedded vpn/vpn credentials for standalone use
Step 10: Export all cached servers as .ovpn files
routing-switch vpngate-export-all
Note
Bulk export for use in external OpenVPN clients
Step 11: Export server #5 config with JSON output
routing-switch vpngate-export 5 --json
Scenario 25: EXTERNAL VPN PROVIDERS
Browse, fetch, and connect through commercial / free third-party VPN providers (VPN Gate, Riseup, NordVPN, IVPN, PIA, Surfshark, AirVPN, Mullvad-WG, …)
Step 1: Show every provider in the catalog with cache freshness
routing-switch providers list
Note
Reads dashboard/hooks/config/vpn-providers-public-api.json (user-editable)
Step 2: Same list in machine-readable JSON for the GUI / scripts
routing-switch providers list --json
Step 3: Fetch the live profile list for a provider into the cache
sudo routing-switch providers fetch vpngate
Note
Hits the provider's public endpoint. Cache lives at /opt/kodachi/dashboard/hooks/cache/vpn-providers/<id>/
Step 4: Bypass the per-provider cache TTL and always re-fetch
sudo routing-switch providers fetch vpngate --force
Note
Use this when you specifically want fresh data (e.g. after edits to the catalog endpoints).
Step 5: Browse cached profiles for a provider (table view)
routing-switch providers list-profiles vpngate
Step 6: Filter to top 5 Japanese profiles
routing-switch providers list-profiles vpngate --country jp --limit 5
Note
Country code is 2-letter ISO, lowercase. Use --protocol to filter by openvpn / wireguard / udp / tcp.
Step 7: JSON form (the GUI's primary surface)
routing-switch providers list-profiles vpngate --json-pretty
Step 8: Dump a single profile's .ovpn content to stdout (or pipe to a file)
routing-switch providers get-profile vpngate 1_219-100-37-203 > /tmp/jp.ovpn
Note
profile_id format is provider-specific; see `providers list-profiles --json`. The body is the actual OpenVPN config text — feed it to `routing-switch connect openvpn --config /tmp/jp.ovpn`.
Step 9: Re-read the catalog JSON after editing it on disk
routing-switch providers refresh-catalog
Note
Use this after manually editing vpn-providers-public-api.json (add custom providers, change endpoints) without restarting anything.
Step 10: Connect using a profile previously fetched via `providers get-profile`
sudo routing-switch connect openvpn --config /tmp/jp.ovpn --force
Note
The catalog provides the profile metadata; the connect command does the actual handshake. For paid-tier providers, use `providers credentials-set <id>` first, then `providers connect <id> <profile_id>` which auto-injects auth-user-pass.
Step 11: Save NordVPN service credentials (separate from the dashboard login)
sudo routing-switch providers credentials-set nordvpn --field username=foo --field password=bar
Note
Stored at ~/.config/kodachi/vpn-credentials.json with mode 0600, values sealed with AES-256-GCM (machine-bound key). credentials-list shows which providers are configured.
Step 12: Show which providers have stored credentials (values are never printed)
routing-switch providers credentials-list
Step 13: Connect via a provider profile, auto-injecting saved credentials into auth-user-pass
sudo routing-switch providers connect nordvpn pl150-nordvpn-com_udp
Note
Equivalent to: get-profile -> patch auth-user-pass -> connect openvpn --config <tempfile>. Re-execs in the same routing-switch process so all the connect prerequisites still run.
Step 14: Phase 5: import your own .ovpn / .conf / JSON / YAML config as a custom profile
routing-switch providers import-config --name 'My VPN' --file /tmp/my.ovpn
Note
Auto-detects OpenVPN / WireGuard / Shadowsocks / V2Ray / Hysteria2. Validation produces warnings, never blockers.
Step 15: Save the VPN account username/password for an imported OpenVPN profile (Proton VPN and most commercial providers)
sudo routing-switch providers credentials-set custom/my-vpn-20260522 --field username=foo --field password=bar
Note
Needed when the imported .ovpn has a bare `auth-user-pass` line. `connect custom <id>` then builds the auth-user-pass file automatically. The dashboard's Import panel does this for you.
Step 16: Import inline text with an explicit protocol hint (overrides auto-detect)
routing-switch providers import-config --name 'WG Peer' --text "$(cat ~/wg.conf)" --protocol-hint wireguard
Step 17: Browse the configs you've imported
routing-switch providers list-profiles custom
Step 18: Remove a previously-imported custom profile
routing-switch providers delete-custom-profile my-vpn-20260520143000
Step 19: CV-3 dry-run: preview detected protocol + endpoint + warnings without writing to cache
routing-switch providers validate-config --text "vless://uuid@example.com:8443?type=tcp#NY" --json
Note
Validates URI schemes (vmess/vless/trojan/ss/hysteria2/tuic), Clash YAML, sing-box JSON, and plain OpenVPN/WireGuard bodies. Always warnings, never blockers.
Step 20: Look up the country for a cached profile via ip-fetch (skips if already tagged)
routing-switch providers resolve-country riseup vpn12-nyc_udp_1194
Note
Pass --force to re-verify even if a country is already set (Verify mode).
Step 21: DNS-resolve the profile's hostname to an IPv4 and store in remote_ip
routing-switch providers resolve-ip riseup vpn12-nyc_udp_1194
Note
Uses `getent hosts` for resolution so it honors /etc/hosts overrides.
Step 22: Bulk DNS-resolve every cached profile in a provider that's missing an IP
routing-switch providers resolve-ips riseup --concurrency 8
Note
Bounded parallelism via tokio::sync::Semaphore so we don't hammer the resolver.
Step 23: Pick a random profile (optionally filtered by country) and connect
sudo routing-switch providers connect-random vpngate --country jp --force
Note
Useful for VPN Gate where load is largely uniform and randomness gives crowd-cover.
Step 24: Pick the fastest profile and connect (lowest measured latency if you've benchmarked; otherwise highest speed_bps)
sudo routing-switch providers connect-fastest vpngate --country jp --force
Note
Prefers latency_ms from `providers benchmark`. Without a benchmark, falls back to provider-reported speed_bps then lowest load.
Step 25: User-triggered latency probe: pings each cached server (ICMP → TCP-connect fallback) and stores latency_ms. Manual only — same UX as ip-fetch's cache refresh.
routing-switch providers benchmark vpngate --country jp --top 20 --concurrency 8 --timeout 3 --json
Note
Never auto-runs. `connect-fastest` will prefer benchmarked profiles once latency is stored.
Step 26: Drop the on-disk cache for one provider (index + configs/). Credentials are NOT touched.
sudo routing-switch providers clear-cache riseup --json
Note
Symmetric with `providers fetch`. Use --all to wipe every cached provider.
Step 27: Bulk wipe: remove every cached provider's index + configs in one shot
sudo routing-switch providers clear-cache --all --json
Note
Used by the dashboard "Clear all" bulk action. Idempotent.
Environment Variables
| Variable | Description | Default | Values |
|---|---|---|---|
RUST_LOG |
Set logging level (default: info) | info | error, warn, info, debug, trace |
Exit Codes
| Code | Description |
|---|---|
| 0 | Success |
| 1 | General error |
| 2 | Invalid arguments |
| 3 | Permission denied |