What Is MasterHttpRelayVPN-RUST?
MasterHttpRelayVPN-RUST is a Rust port of @masterking32's MasterHttpRelayVPN, maintained by therealaleph, and it packages the original apps_script DPI-bypass mode into two tiny binaries: a CLI and an egui desktop UI. MasterHttpRelayVPN-RUST is one of the best Proxy Tools for power users in censored networks, because it ships as a single ~2.5 MB executable with no runtime dependencies and runs on Linux, macOS, Windows, and Android 7+. The port was mostly written with Claude and reviewed by a human on every commit, which matters more here than marketing claims because the project is all about predictable network behavior.
Quick Overview
| Attribute | Details |
|---|---|
| Type | Proxy Tools |
| Best For | developers and power users in censored networks |
| Language/Stack | Rust, HTTP/SOCKS5 proxying, TUN bridging, JNI, egui, tun2proxy, Google Apps Script relay |
| License | MIT |
| GitHub Stars | N/A as of Feb 2026 |
| Pricing | Open-Source |
| Last Release | latest release — N/A |
Who Should Use MasterHttpRelayVPN-RUST?
Use MasterHttpRelayVPN-RUST if you need a local proxy that can make blocked traffic look like ordinary Google TLS traffic while still giving you control over the relay endpoint. It is built for people who are comfortable editing config, deploying a Google Apps Script web app, and choosing the right proxy mode for each app.
- Indie hackers in censored regions who need outbound access for browsers, API clients, or desktop tools without installing a heavyweight VPN stack.
- Android power users who want whole-device routing through TUN, but can accept the CA trust limits imposed by Android's network security model.
- Developers on locked-down machines where Python, `pip`, or system packages are blocked and a single native binary is easier to deploy.
- Operators testing hostile-network behavior who want to compare HTTP proxy, SOCKS5, and relay-based tunneling on the same codebase.
Not ideal for:
- Teams that need turnkey corporate VPN controls such as SSO, central policy enforcement, or audit dashboards.
- Users who cannot deploy Google Apps Script or whose Google access is already blocked at the account or network level.
- People whose critical apps refuse user-installed CAs on Android, because HTTPS interception will not work for every app.
Key Features of MasterHttpRelayVPN-RUST
- Single-binary Rust port — MasterHttpRelayVPN-RUST removes the Python dependency chain from the original project. That means no `pip install cryptography h2`, no wheel issues, and no runtime requirement beyond the shipped executable.
- Dual local proxy endpoints — The client exposes both HTTP proxy on `127.0.0.1:8085` and SOCKS5 on `127.0.0.1:8086`. That makes MasterHttpRelayVPN-RUST usable from browsers, `curl`, Telegram, xray, and any app that can speak a standard local proxy protocol.
- Google Apps Script relay model — You deploy a Web App in your own Google account, then the client relays requests through it. The setup keeps the actual destination hidden behind Google infrastructure, which is the core trick that makes this project different from packet-only DPI filters.
- TLS SNI concealment — The local client opens TLS to a Google IP with SNI set to `www.google.com`, so the censor sees a permitted Google hostname. Inside the encrypted tunnel, the `Host` header routes the request to `script.google.com` and then to your Apps Script relay.
- Direct handling for Google-owned domains — For domains like `google.com`, `youtube.com`, and `fonts.googleapis.com`, MasterHttpRelayVPN-RUST can tunnel directly instead of going through the Apps Script hop. That avoids quota pressure and fixes the `Google-Apps-Script` user-agent artifact for those domains.
- Desktop UI plus CLI — `mhrv-rs-ui` gives you config forms, Start/Stop/Test controls, live stats, and a log panel, while `mhrv-rs` works headless for servers or scripted use. That split is useful if you want the same engine for both one-off debugging and repeatable automation.
- Android TUN bridge — The Android build uses the same `mhrv-rs` crate through JNI and adds a `tun2proxy` bridge, so device traffic can route through the proxy without per-app setup. The catch is the standard Android CA trust limitation, which affects many third-party apps.
MasterHttpRelayVPN-RUST vs Alternatives
| Tool | Best For | Key Differentiator | Pricing |
|---|---|---|---|
| MasterHttpRelayVPN-RUST | DPI bypass via your own Google relay | SNI concealment plus Apps Script relay you control | Open-Source |
| GoodbyeDPI | Windows packet-level DPI evasion | Local packet manipulation, no remote relay | Open-Source |
| Psiphon | Turnkey censorship circumvention | Managed network with minimal setup | Freemium |
| Xray-core | Custom proxy stacks on your own VPS | Flexible transport and routing primitives | Open-Source |
Pick MasterHttpRelayVPN-RUST when you want control over the relay and are willing to configure Google Apps Script yourself. Pick GoodbyeDPI when you only need local Windows filtering and do not want a relay or CA installation.
Pick Psiphon when you need something that works with almost no configuration and you are fine trading control for convenience. Pick Xray-core when you already run a VPS and want to build your own routing, transport, and protocol chain.
For visibility into where traffic actually lands, OpenTrace is the adjacent tool I would use to validate proxy hops and exit behavior. For scripted host rollout and repeatable install workflows, djevops is the better companion than hand-managing each machine.
How MasterHttpRelayVPN-RUST Works
MasterHttpRelayVPN-RUST works by separating the local transport from the remote fetcher, which is the whole point of the design. The local process accepts browser or app traffic over HTTP proxy or SOCKS5, then wraps that traffic in a TLS session that points at Google, so the censor sees www.google.com and lets it pass.
The encrypted stream is then routed by Google's frontend based on the HTTP Host header, which is why the relayed request can land on script.google.com while the outer TLS endpoint still looks like a normal Google connection. Your Apps Script Web App receives the request, fetches the real destination, and streams the response back through the same path.
The state model is intentionally simple: config.json holds runtime settings, ca/ca.crt and ca/ca.key store the local MITM root, and the launcher handles certificate installation on first run. Google-owned domains can be sent through a direct tunnel instead of the Apps Script hop, and the hosts map lets you extend that list when you know a domain should bypass the relay.
```bash
sudo ./mhrv-rs --install-cert
./mhrv-rs-ui
```
The first command installs the local CA so HTTPS interception works where the platform allows it. The second command starts the desktop UI, where you set the Apps Script Deployment ID, the shared AUTH_KEY, and any proxy mode or upstream settings you want to use.
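Because the installed root is trusted system-wide, anyone who can read or replace `ca/ca.key` can mint certificates this machine will accept. The following audit of that directory is an added example, not code from the mhrv-rs project; `audit_ca_dir` and `Finding` are hypothetical names, the user-data directory is passed in as an argument because the page does not give its path, and Unix permission bits are assumed.

```rust
use std::fs;
use std::os::unix::fs::PermissionsExt;
use std::path::Path;

/// One problem found while auditing the CA directory (hypothetical type).
#[derive(Debug, PartialEq)]
pub enum Finding {
    Missing(String),
    KeyAccessibleByOthers { mode: u32 },
    DirWritableByOthers { mode: u32 },
}

/// Audit `<data_dir>/ca/`, using the layout the page describes (ca/ca.crt, ca/ca.key).
/// `data_dir` is an assumption: pass the user-data directory your install uses.
pub fn audit_ca_dir(data_dir: &Path) -> Vec<Finding> {
    let ca_dir = data_dir.join("ca");
    let mut findings = Vec::new();
    for name in ["ca.crt", "ca.key"] {
        if !ca_dir.join(name).is_file() {
            findings.push(Finding::Missing(format!("ca/{name}")));
        }
    }
    // Private key: any group/other bit exposes the trusted root's key to other accounts.
    if let Ok(meta) = fs::metadata(ca_dir.join("ca.key")) {
        let mode = meta.permissions().mode() & 0o777;
        if mode & 0o077 != 0 {
            findings.push(Finding::KeyAccessibleByOthers { mode });
        }
    }
    // Directory: group/other write lets the key be swapped even if its own mode is tight.
    if let Ok(meta) = fs::metadata(&ca_dir) {
        let mode = meta.permissions().mode() & 0o777;
        if mode & 0o022 != 0 {
            findings.push(Finding::DirWritableByOthers { mode });
        }
    }
    findings
}

fn main() {
    let dir = std::env::args().nth(1).expect("usage: audit <user-data-dir>");
    let findings = audit_ca_dir(Path::new(&dir));
    for f in &findings {
        println!("FINDING: {f:?}");
    }
    // Non-zero exit makes the check usable from a provisioning or CI script.
    std::process::exit(if findings.is_empty() { 0 } else { 1 });
}
```

An empty result means the key is owner-only and the directory is not writable by other accounts; it says nothing about who else holds a copy of the key.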
Pros and Cons of MasterHttpRelayVPN-RUST
Pros:
- No Python dependency chain — MasterHttpRelayVPN-RUST avoids the fragile setup that often breaks in censored or locked-down environments.
- Cross-platform binaries — The same project covers Linux, macOS, Windows, and Android 7+, which keeps behavior consistent when you test across devices.
- SNI-based disguise — The outer TLS connection looks like Google traffic, which is exactly what many DPI systems are programmed to permit.
- Flexible proxy modes — HTTP proxy, SOCKS5, `PROXY_ONLY`, `google_only`, and `upstream_socks5` give you more control than a single-purpose tunnel.
- UI and CLI are both first-class — The desktop UI is good for first-time setup, and the CLI is better for headless use or scripted deployments.
- User-data-dir separation — Config and CA material stay in the OS user-data directory, which is cleaner than scattering secrets across the working tree.
Cons:
- You must deploy the relay yourself — MasterHttpRelayVPN-RUST is not turnkey, and the Google Apps Script step is real work.
- Android HTTPS interception is limited by app trust — Many apps on Android refuse user-installed CAs, so TUN mode does not magically fix every app.
- Google quotas and policy matter — Heavy use can hit Apps Script limits, and the project depends on Google continuing to tolerate the relay pattern.
- More moving parts than local packet filters — Compared with tools like GoodbyeDPI, this design adds a remote Web App, certificate installation, and config management.
Getting Started with MasterHttpRelayVPN-RUST
Start by downloading the prebuilt archive for your OS from the releases page, unpacking it, installing the CA once, and then launching the UI or CLI. MasterHttpRelayVPN-RUST expects you to deploy the Apps Script relay first, so the first real setup task is creating the Google Web App, setting a strong AUTH_KEY, and copying the Deployment ID into your config.
```bash
chmod +x mhrv-rs mhrv-rs-ui run.sh
sudo ./mhrv-rs --install-cert
./run.sh
```
After that, open the UI and point the client at your Apps Script deployment, then save config.json in the user-data directory. If your app can use a proxy directly, try 127.0.0.1:8086 for SOCKS5 or 127.0.0.1:8085 for HTTP before moving to full TUN routing on Android.
Verdict
MasterHttpRelayVPN-RUST is the strongest option for DPI bypass on consumer networks when you can deploy and maintain your own Google Apps Script relay. Its best trait is the low-friction Rust packaging with no Python dependency, but Android HTTPS interception still depends on app CA trust. If you want control and portability, use it; if you want a turnkey VPN, skip it.



