masterhttprelayvpn-rust
Original:🇺🇸 English
Translated
Rust CLI + desktop UI for DPI bypass via Google Apps Script relay with TLS SNI concealment, supporting HTTP and SOCKS5 proxies
3installs
Sourcearadotso/trending-skills
Added on
NPX Install
npx skill4agent add aradotso/trending-skills masterhttprelayvpn-rustTags
Translated version includes tags in frontmatterSKILL.md Content
View Translation Comparison →MasterHttpRelayVPN-RUST
Skill by ara.so — Daily 2026 Skills collection.
A Rust port of MasterHttpRelayVPN that routes traffic through a Google Apps Script relay, hiding the real destination from DPI/censorship systems. The ISP sees TLS SNI ; the actual request is proxied inside the encrypted tunnel through your own Google Apps Script deployment.
www.google.comHow it works
Browser → HTTP(8085)/SOCKS5(8086) → mhrv-rs → TLS to Google IP (SNI: www.google.com)
→ Google edge → Apps Script relay → real destinationInstall
Prebuilt binaries (recommended)
Download from releases page:
- Linux:
mhrv-rs-linux-x86_64.tar.gz - macOS: or
mhrv-rs-macos-aarch64.tar.gzmhrv-rs-macos-x86_64.tar.gz - Windows:
mhrv-rs-windows-x86_64.zip - Android:
mhrv-rs-android-universal-v*.apk
Build from source
bash
# CLI only
cargo build --release
# CLI + desktop UI (egui)
cargo build --release --features ui
# Binaries output to:
# target/release/mhrv-rs (CLI)
# target/release/mhrv-rs-ui (Desktop UI)First Run: Install MITM CA
Required for HTTPS interception. Run once with elevated privileges:
bash
# macOS / Linux
sudo ./mhrv-rs --install-cert
# Windows (run as Administrator)
mhrv-rs.exe --install-cert
# Or use platform launchers (also starts the UI):
./run.command # macOS
./run.sh # Linux
run.bat # WindowsThe CA keypair is generated locally ( + ) and never leaves your machine.
ca/ca.crtca/ca.keyConfiguration
Config file locations
- macOS:
~/Library/Application Support/mhrv-rs/config.json - Linux:
~/.config/mhrv-rs/config.json - Windows:
%APPDATA%\mhrv-rs\config.json - Fallback: (current directory)
./config.json
Minimal config.json
config.jsonjson
{
"mode": "apps_script",
"script_id": "AKfycby...",
"auth_key": "$AUTH_KEY_FROM_CODE_GS",
"google_ip": "216.239.38.120",
"front_domain": "www.google.com",
"http_port": 8085,
"socks5_port": 8086
}Full config.json
with all options
config.jsonjson
{
"mode": "apps_script",
"script_id": "AKfycby...,AKfycbz...",
"auth_key": "$YOUR_AUTH_KEY",
"google_ip": "216.239.38.120",
"front_domain": "www.google.com",
"http_port": 8085,
"socks5_port": 8086,
"hosts": {
"example.com": "direct"
},
"upstream_socks5": null
}Key fields:
- :
mode(default) or"apps_script"(no relay, Google domains only)"google_only" - : Deployment ID from Google Apps Script. Comma-separate multiple for round-robin rotation
script_id - : Secret matching
auth_keyin yourAUTH_KEYCode.gs - : Google edge IP —
google_ipis a reliable default216.239.38.120 - : Keep as
front_domainwww.google.com - : Per-domain overrides —
hostsbypasses the relay entirely"direct" - : Forward through an external SOCKS5 (e.g.
upstream_socks5)"127.0.0.1:1080"
Google-only mode (no Apps Script needed)
json
{
"mode": "google_only",
"google_ip": "216.239.38.120",
"front_domain": "www.google.com",
"http_port": 8085,
"socks5_port": 8086
}Use this to bootstrap — access to deploy when Google is blocked.
script.google.comCode.gsCLI Commands
bash
# Start proxy server (reads config.json)
mhrv-rs serve
# Start with explicit config file
mhrv-rs serve --config /path/to/config.json
# Test end-to-end relay connectivity
mhrv-rs test
# Test SNI fronting only (no config required beyond google_ip + front_domain)
mhrv-rs test-sni
# Scan for fastest Google IP from your network
mhrv-rs scan-ips
# Install MITM CA to system trust store
mhrv-rs --install-cert
# Show version
mhrv-rs --version
# Show help
mhrv-rs --helpDeploy the Google Apps Script Relay
- Go to https://script.google.com → New project
- Replace default code with contents of
Code.gs - Set your auth key:
javascript
const AUTH_KEY = "your-strong-secret-here"; - Deploy → New deployment → Web app
- Execute as: Me
- Who has access: Anyone
- Copy the Deployment ID (looks like )
AKfycby... - Paste it into as
config.jsonscript_id
Common Patterns
Proxy browser traffic (HTTP proxy)
Set browser proxy to (HTTP). Most browsers: Settings → Network → Manual proxy.
127.0.0.1:8085bash
# Test with curl through the HTTP proxy
curl -x http://127.0.0.1:8085 https://example.comProxy via SOCKS5
bash
# curl via SOCKS5
curl --socks5 127.0.0.1:8086 https://example.com
# Use with any SOCKS5-aware application
export ALL_PROXY=socks5://127.0.0.1:8086Multiple script IDs for higher quota
json
{
"script_id": "AKfycby_first...,AKfycby_second...,AKfycby_third..."
}Each Google Apps Script deployment has its own quota. Round-robin rotation spreads load.
Per-domain direct routing
json
{
"hosts": {
"internal.company.com": "direct",
"192.168.1.0/24": "direct"
}
}Use with xray/v2ray as upstream
json
{
"upstream_socks5": "127.0.0.1:10808"
}Headless server deployment
bash
# Run CLI in background
nohup mhrv-rs serve > mhrv-rs.log 2>&1 &
# Or with systemd
cat > /etc/systemd/system/mhrv-rs.service << 'EOF'
[Unit]
Description=MasterHttpRelayVPN-RUST
After=network.target
[Service]
ExecStart=/usr/local/bin/mhrv-rs serve
Restart=on-failure
User=nobody
WorkingDirectory=/etc/mhrv-rs
[Install]
WantedBy=multi-user.target
EOF
systemctl enable --now mhrv-rsDesktop UI
bash
# Launch UI directly
./mhrv-rs-ui # Linux/macOS
mhrv-rs-ui.exe # WindowsUI features:
- Config form with all settings
- Start / Stop proxy server
- Test button — sends one request through the relay end-to-end
- Scan button — finds fastest Google IP for your network
- Live traffic stats
- Log panel
Android
- Install
mhrv-rs-android-universal-v*.apk - Follow docs/android.md
- The app uses TUN via to capture all device IP traffic
tun2proxy
Android HTTPS caveat: From Android 7+, apps must opt in to trust user CAs. Chrome and Firefox work; Telegram, WhatsApp, Instagram, etc. do not. For those apps:
- Use SOCKS5 mode: point in-app proxy to
127.0.0.1:1081 - Use mode for Google services (no CA needed)
google_only - Set to an external VPS
upstream_socks5
Troubleshooting
"Connection refused" on proxy port
bash
# Check if mhrv-rs is running
ps aux | grep mhrv-rs
# Check ports are listening
ss -tlnp | grep -E '8085|8086' # Linux
netstat -an | grep -E '8085|8086' # macOS/Windows
# Try a different port if 8085 is taken
# Set http_port: 8181 in config.jsonHTTPS sites show certificate error
bash
# CA not installed — run:
sudo mhrv-rs --install-cert
# Firefox: manually import ca/ca.crt
# Settings → Privacy & Security → Certificates → View Certificates → Authorities → ImportApps Script relay errors / quota exceeded
- Add more entries (comma-separated) for rotation
script_id - Check your Apps Script execution log at https://script.google.com
- Verify in
AUTH_KEYmatchesCode.gsinauth_keyconfig.json
Find a working Google IP
bash
mhrv-rs scan-ipsUpdate in config with the fastest result.
google_ipCan't reach script.google.com to deploy Code.gs
Use mode temporarily:
google_onlybash
cp config.google-only.example.json config.json
mhrv-rs serve
# Set browser proxy to 127.0.0.1:8085
# Now open script.google.com in browser and deploy Code.gsTest SNI fronting without full config
bash
mhrv-rs test-sniVerify relay is working end-to-end
bash
mhrv-rs test
# Or via curl:
curl -v -x http://127.0.0.1:8085 https://httpbin.org/ipFile Structure
mhrv-rs/ # binary
mhrv-rs-ui/ # desktop UI binary
config.json # your config
ca/
ca.crt # MITM root cert (public, installed to system)
ca.key # MITM root key (private, stays local)
assets/
apps_script/
Code.gs # Apps Script relay source to deploy to Google