R-VPN Documentation

A Stealth Transport Protocol with Double Ratchet Encryption

R-VPN is a next-generation VPN architecture designed for maximum stealth and security, built entirely in Rust.

Features

• 🔐 Strong Security: X3DH key exchange + Double Ratchet Algorithm for post-compromise security
• 🕵️ True Stealth: Indistinguishable from normal HTTPS traffic over WebSocket + TLS 1.3
• ⚡ High Performance: Serialized ratchet operations eliminate decryption failures under load
• 🌍 Split Tunneling: Built-in China domain bypass + ad blocking + force tunnel rules
• 🔧 Easy Deployment: Systemd service installers for both client and server
• 📱 Dual Mode: SOCKS5 proxy mode for routers + TUN mode for full VPN
• 🔄 Stable Connection: Connection cleanup and heartbeat detection for stable reconnection
• 🌐 DNS Caching: DNS caching with IPv6 filtering options
• 🛡️ Scanner Protection: Rate limiting and scanner protection

Quick Links

• Quick Start - Get up and running in minutes
• Installation - Download and install binaries
• Server Setup - Run as system services on Linux
• Client Configuration - Configure the client
• Server Setup - Set up your own server
• Split Tunneling - Configure routing rules
• Cryptography - Learn about the crypto

Overview

R-VPN operates over a single WebSocket connection multiplexed through port 443 with TLS 1.3, featuring a built-in reverse proxy that masks the VPN server behind a legitimate website. The protocol employs a hybrid cryptographic approach combining:

• X3DH (Extended Triple Diffie-Hellman) for initial key agreement
• Double Ratchet Algorithm for post-compromise security
• ChaCha20-Poly1305 for data encryption

Use Cases

Router Gateway Deployment (Recommended)

Deploy R-VPN client on your router to provide VPN access to your entire network without installing software on individual devices:

Internet ←→ R-VPN Server
                ↑
           Router/Gateway (R-VPN Client in SOCKS5 mode)
                ↓
         [Device1] [Device2] [Device3]

Individual Device Deployment

Run R-VPN in TUN mode on individual devices for full VPN tunneling:

Device (R-VPN Client in TUN mode) ←→ R-VPN Server ←→ Internet

Security Features

Feature	Status
Forward Secrecy	✅ X3DH per-session keys
Post-Compromise Security	✅ Double Ratchet ratcheting
Traffic Obfuscation	✅ TLS 1.3 + WebSocket
Active Probing Resistance	✅ Decoy website
Traffic Padding	✅ 1KB boundary padding
Connection Stability	✅ Heartbeat detection & cleanup
Scanner Protection	✅ Rate limiting

Architecture

┌─────────────────────────────────────────────────────────────────┐
│                         CLIENT MODES                            │
├─────────────────────────────────────────────────────────────────┤
│  ┌─────────────────────────────────────────────────────────┐   │
│  │                    SOCKS5 MODE                          │   │
│  │  ┌──────────────┐    ┌─────────────┐    ┌───────────┐  │   │
│  │  │ :1080 SOCKS5 │◄──►│   Router/   │◄──►│ WebSocket │  │   │
│  │  │   Listener   │    │   Gateway   │    │ + Double  │  │   │
│  │  └──────────────┘    └─────────────┘    │  Ratchet  │  │   │
│  │                              ▲          └─────┬─────┘  │   │
│  │                              │                │        │   │
│  │                         iptables/nftables     │ TLS 1.3│   │
│  └───────────────────────────────────────────────┼────────┘   │
│                                                  │             │
│  ┌───────────────────────────────────────────────┼────────┐   │
│  │                      TUN MODE                 │        │   │
│  │  ┌─────────┐    ┌─────────────┐              │        │   │
│  │  │   TUN   │◄──►│ VPN Engine  │◄─────────────┘        │   │
│  │  │ Device  │    │ (Packet I/O)│                       │   │
│  │  └─────────┘    └─────────────┘                       │   │
│  └───────────────────────────────────────────────────────┘   │
└───────────────────────────────────────────────────────────────┘
                                              │
                           Port 443 (WebSocket over TLS 1.3)
                                              │
┌─────────────────────────────────────────────────────────────────┐
│                         SERVER                                  │
├─────────────────────────────────────────────────────────────────┤
│  ┌─────────────────────────────────────────────────────────┐   │
│  │              Reverse Proxy / Website                    │   │
│  │  ┌─────────────────────────────────────────────────┐   │   │
│  │  │  Normal HTTPS Traffic → Static Website Content │   │   │
│  │  │  WebSocket Path     → VPN Handler             │   │   │
│  │  └─────────────────────────────────────────────────┘   │   │
│  └─────────────────────────────────────────────────────────┘   │
│                              │                                  │
│  ┌───────────────────────────┼─────────────────────────────┐   │
│  │                           ▼                             │   │
│  │  ┌─────────────┐    ┌─────────────┐    ┌─────────────┐ │   │
│  │  │   WebSocket │◄──►│   Double    │◄──►│   TUN to    │ │   │
│  │  │   Server    │    │   Ratchet   │    │   Internet  │ │   │
│  │  └─────────────┘    └─────────────┘    └─────────────┘ │   │
│  └────────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────────┘

License

R-VPN is licensed under the AGPL-3.0 license.