r-vpn

r-vpn is a stealth VPN designed to work in high-censorship environments. It tunnels all traffic over encrypted WebSocket connections that are deliberately disguised to look like ordinary HTTPS, making it extremely difficult for deep packet inspection (DPI) systems to detect or block.

---

Key Features

Signal-grade encryption Every connection uses X3DH key agreement (the same protocol as Signal) followed by the Double Ratchet algorithm. Each session gets a unique key and provides perfect forward secrecy — past traffic stays safe even if keys are later compromised.

DPI-resistant transport Traffic runs over WebSocket + TLS 1.3. The TLS handshake is fingerprinted to match real browser traffic (Chrome by default), and frame sizes are randomised, so passive analysis cannot distinguish r-vpn from ordinary HTTPS API traffic.

Cross-platform Available for macOS, Linux, FreeBSD, iOS, and Android. Desktop clients support SOCKS5 proxy and full-tunnel (TUN) modes. Mobile apps use direct TUN mode with kernel-level packet handling.

Split tunneling Route only specific apps, domains, or IP ranges through the tunnel. Built-in bypass rules for China IP ranges are included.

---

How it Works

Your device                    VPN Server               Target
──────────                     ──────────               ──────
App → TUN → [X3DH+Ratchet] → WebSocket/TLS → [relay] → Internet

1. The client establishes a WebSocket connection over TLS 1.3 to your server
2. An X3DH handshake derives a shared secret (no pre-shared passwords)
3. All subsequent data is encrypted with the Double Ratchet
4. The server relays traffic to the intended destination

---

Choosing Your Mode

r-vpn has two operating modes. Choose based on your needs:

SOCKS5 Proxy Mode

Best for: Desktop users who want app-specific proxying, or users who need granular control over which apps use the VPN.

• Runs a local SOCKS5 proxy at 127.0.0.1:1080
• Configure individual apps to use the proxy
• Supports SOCKS5 authentication for sharing with other devices
• Works alongside the built-in DNS proxy to prevent DNS leaks

TUN Full-Tunnel Mode

Best for: Mobile users, users who want all traffic through the VPN, or users connecting to a remote network.

• Creates a virtual network interface
• Routes all device traffic through the VPN
• On mobile: handled automatically by the OS VPN API
• On desktop: requires root/admin privileges

Feature	SOCKS5	TUN
Scope	Per-app	Full device
DNS handling	Via DNS proxy	Automatic via DHCP
Privilege required	None	Root/admin
Mobile support	No	Yes (built-in app)
Split tunnel granularity	Per-domain, per-CIDR	Per-domain, per-CIDR, per-country

---

Common Use Cases

• Remote desktop access: Use RDP/VNC from anywhere as if on the same network
• Development environments: Access dev servers, databases, and APIs remotely
• Private network linking: Connect offices across locations into one secure LAN
• Multi-cloud setup: Connect servers across cloud providers without public endpoints
• Split tunneling: Route streaming/gaming direct while VPN-ing everything else

---

Quick Links

• Deploy a server
• Set up the iOS app
• Set up the desktop client
• Server configuration reference
• Client configuration reference
• Use case scenarios
• DNS leak prevention
• Troubleshooting