Run a Juicity server that accepts QUIC clients and relays TCP and UDP to the open internet.
Run a Juicity client that exposes a local SOCKS5 or HTTP CONNECT proxy for apps.
Use the forward map to expose a remote TCP or UDP service on a local port through the tunnel.
Generate a juicity:// share link or QR code from an existing config for client onboarding.
You need a TLS certificate and key, a working QUIC-friendly network path, and a recent stable Rust toolchain with a rustls or aws-lc-rs backend.
Juicity-RS is a Rust port of Juicity, a proxy protocol built on top of QUIC. QUIC is the modern network transport behind HTTP/3, and it bundles its own encryption and connection logic. Juicity uses QUIC to carry both TCP and UDP traffic between a client and a server, and the README highlights its UDP over Stream design, where UDP packets are multiplexed over QUIC's bidirectional streams to make UDP forwarding more efficient than in the older TUIC protocol it builds on. The project is laid out as three Rust crates in one workspace. juicity-common is a shared library that holds the configuration types, the wire protocol that stays compatible with the Go reference implementation, the crypto bits (AES-128-GCM and ChaCha20-Poly1305, plus certificate-chain hashing), constants like timeouts and MTU, and the code that turns a config into a juicity:// share link or a QR code. juicity-client is the binary that connects to a server and exposes a local SOCKS5 or HTTP CONNECT proxy and a port forwarder. juicity-server is the binary on the other side that accepts incoming QUIC connections, authenticates them with TLS Exported Keying Material as in RFC 5705, and relays the TCP and UDP traffic to wherever the client asked. To build it you need a recent stable Rust toolchain and a rustls or aws-lc-rs crypto backend. cargo build --release produces juicity-client and juicity-server binaries in target/release. Both sides use a JSON config file with the same 18 fields. The server file sets the listen address, a map of UUID to password for users, paths to a TLS certificate and private key, options for the outbound dialer (bind address, Linux fwmark, blocking UDP on port 443), the congestion control algorithm (BBR by default, with Cubic also available through quinn), and a log level. The client file sets a local SOCKS5 or HTTP listen address, the server host and port, a UUID and password, TLS SNI, optional certificate pinning through pinned_certchain_sha256, and a forward map. The forward map turns the client into a port forwarder as well as a proxy. Each entry maps a local address, optionally with a /tcp or /udp suffix, to a remote target reached through the QUIC tunnel. With no listen field set, the client runs in forward-only mode. Both binaries also accept a --gen-link flag that prints a juicity:// share link or a QR code from the current config, without starting the proxy itself.
Generated 2026-05-22 · Model: sonnet-4-6 · Verify against the repo before relying on details.