MasterHttpRelayVPN-RUST

Skill by ara.so — Daily 2026 Skills collection.

A Rust port of MasterHttpRelayVPN that routes traffic through a Google Apps Script relay, hiding the real destination from DPI/censorship systems. The ISP sees TLS SNI

www.google.com

; the actual request is proxied inside the encrypted tunnel through your own Google Apps Script deployment.

How it works

Browser → HTTP(8085)/SOCKS5(8086) → mhrv-rs → TLS to Google IP (SNI: www.google.com)
       → Google edge → Apps Script relay → real destination

Install

Prebuilt binaries (recommended)

Download from releases page:

• Linux:

  mhrv-rs-linux-x86_64.tar.gz

• macOS:

  mhrv-rs-macos-aarch64.tar.gz

  or

  mhrv-rs-macos-x86_64.tar.gz

• Windows:

  mhrv-rs-windows-x86_64.zip

• Android:

  mhrv-rs-android-universal-v*.apk

Build from source

# CLI only
cargo build --release

# CLI + desktop UI (egui)
cargo build --release --features ui

# Binaries output to:
# target/release/mhrv-rs       (CLI)
# target/release/mhrv-rs-ui    (Desktop UI)

First Run: Install MITM CA

Required for HTTPS interception. Run once with elevated privileges:

# macOS / Linux
sudo ./mhrv-rs --install-cert

# Windows (run as Administrator)
mhrv-rs.exe --install-cert

# Or use platform launchers (also starts the UI):
./run.command   # macOS
./run.sh        # Linux
run.bat         # Windows

The CA keypair is generated locally (

ca/ca.crt

+

ca/ca.key

) and never leaves your machine.

Configuration

Config file locations

• macOS:

  ~/Library/Application Support/mhrv-rs/config.json

• Linux:

  ~/.config/mhrv-rs/config.json

• Windows:

  %APPDATA%\mhrv-rs\config.json

• Fallback:

  ./config.json

  (current directory)

Minimal

config.json

{
  "mode": "apps_script",
  "script_id": "AKfycby...",
  "auth_key": "$AUTH_KEY_FROM_CODE_GS",
  "google_ip": "216.239.38.120",
  "front_domain": "www.google.com",
  "http_port": 8085,
  "socks5_port": 8086
}

Full

config.json

with all options

{
  "mode": "apps_script",
  "script_id": "AKfycby...,AKfycbz...",
  "auth_key": "$YOUR_AUTH_KEY",
  "google_ip": "216.239.38.120",
  "front_domain": "www.google.com",
  "http_port": 8085,
  "socks5_port": 8086,
  "hosts": {
    "example.com": "direct"
  },
  "upstream_socks5": null
}

Key fields:

• mode

  :

  "apps_script"

  (default) or

  "google_only"

  (no relay, Google domains only)

• script_id

  : Deployment ID from Google Apps Script. Comma-separate multiple for round-robin rotation

• auth_key

  : Secret matching

  AUTH_KEY

  in your

  Code.gs

• google_ip

  : Google edge IP —

  216.239.38.120

  is a reliable default

• front_domain

  : Keep as

  www.google.com

• hosts

  : Per-domain overrides —

  "direct"

  bypasses the relay entirely

• upstream_socks5

  : Forward through an external SOCKS5 (e.g.

  "127.0.0.1:1080"

  )

Google-only mode (no Apps Script needed)

{
  "mode": "google_only",
  "google_ip": "216.239.38.120",
  "front_domain": "www.google.com",
  "http_port": 8085,
  "socks5_port": 8086
}

Use this to bootstrap — access

script.google.com

to deploy

Code.gs

when Google is blocked.

CLI Commands

# Start proxy server (reads config.json)
mhrv-rs serve

# Start with explicit config file
mhrv-rs serve --config /path/to/config.json

# Test end-to-end relay connectivity
mhrv-rs test

# Test SNI fronting only (no config required beyond google_ip + front_domain)
mhrv-rs test-sni

# Scan for fastest Google IP from your network
mhrv-rs scan-ips

# Install MITM CA to system trust store
mhrv-rs --install-cert

# Show version
mhrv-rs --version

# Show help
mhrv-rs --help

Deploy the Google Apps Script Relay

1. Go to https://script.google.com → New project
2. Replace default code with contents of

   Code.gs

3. Set your auth key:

   const AUTH_KEY = "your-strong-secret-here";
   

4. Deploy → New deployment → Web app
   • Execute as: Me
   • Who has access: Anyone
5. Copy the Deployment ID (looks like

   AKfycby...

   )
6. Paste it into

   config.json

   as

   script_id

Common Patterns

Proxy browser traffic (HTTP proxy)

Set browser proxy to

127.0.0.1:8085

(HTTP). Most browsers: Settings → Network → Manual proxy.

# Test with curl through the HTTP proxy
curl -x http://127.0.0.1:8085 https://example.com

Proxy via SOCKS5

# curl via SOCKS5
curl --socks5 127.0.0.1:8086 https://example.com

# Use with any SOCKS5-aware application
export ALL_PROXY=socks5://127.0.0.1:8086

Multiple script IDs for higher quota

{
  "script_id": "AKfycby_first...,AKfycby_second...,AKfycby_third..."
}

Each Google Apps Script deployment has its own quota. Round-robin rotation spreads load.

Per-domain direct routing

{
  "hosts": {
    "internal.company.com": "direct",
    "192.168.1.0/24": "direct"
  }
}

Use with xray/v2ray as upstream

{
  "upstream_socks5": "127.0.0.1:10808"
}

Headless server deployment

# Run CLI in background
nohup mhrv-rs serve > mhrv-rs.log 2>&1 &

# Or with systemd
cat > /etc/systemd/system/mhrv-rs.service << 'EOF'
[Unit]
Description=MasterHttpRelayVPN-RUST
After=network.target

[Service]
ExecStart=/usr/local/bin/mhrv-rs serve
Restart=on-failure
User=nobody
WorkingDirectory=/etc/mhrv-rs

[Install]
WantedBy=multi-user.target
EOF

systemctl enable --now mhrv-rs

Desktop UI

# Launch UI directly
./mhrv-rs-ui        # Linux/macOS
mhrv-rs-ui.exe      # Windows

UI features:

• Config form with all settings
• Start / Stop proxy server
• Test button — sends one request through the relay end-to-end
• Scan button — finds fastest Google IP for your network
• Live traffic stats
• Log panel

Android

1. Install

   mhrv-rs-android-universal-v*.apk

2. Follow docs/android.md
3. The app uses TUN via

   tun2proxy

   to capture all device IP traffic

Android HTTPS caveat: From Android 7+, apps must opt in to trust user CAs. Chrome and Firefox work; Telegram, WhatsApp, Instagram, etc. do not. For those apps:

• Use SOCKS5 mode: point in-app proxy to

  127.0.0.1:1081

• Use

  google_only

  mode for Google services (no CA needed)
• Set

  upstream_socks5

  to an external VPS

Troubleshooting

"Connection refused" on proxy port

# Check if mhrv-rs is running
ps aux | grep mhrv-rs

# Check ports are listening
ss -tlnp | grep -E '8085|8086'   # Linux
netstat -an | grep -E '8085|8086' # macOS/Windows

# Try a different port if 8085 is taken
# Set http_port: 8181 in config.json

HTTPS sites show certificate error

# CA not installed — run:
sudo mhrv-rs --install-cert

# Firefox: manually import ca/ca.crt
# Settings → Privacy & Security → Certificates → View Certificates → Authorities → Import

Apps Script relay errors / quota exceeded

• Add more

  script_id

  entries (comma-separated) for rotation
• Check your Apps Script execution log at https://script.google.com
• Verify

  AUTH_KEY

  in

  Code.gs

  matches

  auth_key

  in

  config.json

Find a working Google IP

mhrv-rs scan-ips

Update

google_ip

in config with the fastest result.

Can't reach script.google.com to deploy Code.gs

Use

google_only

mode temporarily:

cp config.google-only.example.json config.json
mhrv-rs serve
# Set browser proxy to 127.0.0.1:8085
# Now open script.google.com in browser and deploy Code.gs

Test SNI fronting without full config

mhrv-rs test-sni

Verify relay is working end-to-end

mhrv-rs test
# Or via curl:
curl -v -x http://127.0.0.1:8085 https://httpbin.org/ip

File Structure

mhrv-rs/                     # binary
mhrv-rs-ui/                  # desktop UI binary
config.json                  # your config
ca/
  ca.crt                     # MITM root cert (public, installed to system)
  ca.key                     # MITM root key (private, stays local)
assets/
  apps_script/
    Code.gs                  # Apps Script relay source to deploy to Google