Skip to content

r-vpn

r-vpn is a stealth VPN designed to work in high-censorship environments. It tunnels all traffic over encrypted WebSocket connections that are deliberately disguised to look like ordinary HTTPS, making it extremely difficult for deep packet inspection (DPI) systems to detect or block.

What's New in 1.0.5

macOS split tunnel fix — Split tunneling in macOS TUN mode was not routing bypass domains correctly in 1.0.4. This bug has been patched in 1.0.5 — split tunnel now works as expected, routing only tunnel domains through the VPN while letting bypass domains reach the internet directly.

iOS stability improvements — Proactive reconnect on network transitions (Wi-Fi ↔ cellular), race condition fixes in direct TUN mode, and better handling of network state changes.

DNS resilience overhaul — The DNS cache now uses real TTL values from upstream servers, supports negative caching to suppress retry storms, has proper size limits with automatic eviction, and runs periodic cleanup to prevent memory growth. UDP retries with backoff were added for bypass domain resolution on congested networks.

Android — Updated to version 1.0.5 with the latest DNS and routing fixes.

Key Features

End-to-end encryption Every connection uses X3DH key agreement followed by the Double Ratchet algorithm. Each session gets a unique key and provides perfect forward secrecy — past traffic stays safe even if keys are later compromised.

DPI-resistant transport Traffic runs over WebSocket + TLS 1.3. The TLS handshake is fingerprinted to match real browser traffic (Chrome by default), and frame sizes are randomised, so passive analysis cannot distinguish r-vpn from ordinary HTTPS API traffic.

Cross-platform Available for macOS, Linux, FreeBSD, iOS, and Android. Desktop clients support SOCKS5/HTTP proxy and full-tunnel (TUN) modes. Mobile apps use direct TUN mode with kernel-level packet handling.

Split tunneling Route only specific apps, domains, or IP ranges through the tunnel. Built-in bypass rules for China IP ranges are included.

How it Works

Your device                    VPN Server               Target
──────────                     ──────────               ──────
App → TUN → [X3DH+Ratchet] → WebSocket/TLS → [relay] → Internet
  1. The client establishes a WebSocket connection over TLS 1.3 to your server
  2. An X3DH handshake derives a shared secret (no pre-shared passwords)
  3. All subsequent data is encrypted with the Double Ratchet
  4. The server relays traffic to the intended destination

Choosing Your Mode

r-vpn has two operating modes. Choose based on your needs:

Proxy Mode

Best for: Desktop users who want app-specific proxying, or users who need granular control over which apps use the VPN.

  • Runs a local SOCKS5 proxy at 127.0.0.1:1080 and an optional HTTP proxy at 127.0.0.1:8118
  • Use HTTP_PROXY/HTTPS_PROXY environment variables for system-wide routing, or configure individual apps to use the SOCKS5 proxy
  • Supports authentication for sharing with other devices
  • Works alongside the built-in DNS proxy to prevent DNS leaks

TUN Full-Tunnel Mode

Best for: Mobile users, users who want all traffic through the VPN, or users connecting to a remote network.

  • Creates a virtual network interface
  • Routes all device traffic through the VPN
  • On mobile: handled automatically by the OS VPN API
  • On desktop: requires root/admin privileges
Feature Proxy (SOCKS5 / HTTP) TUN
Scope Per-app Full device
DNS handling Via DNS proxy Automatic via DHCP
Privilege required None Root/admin
Mobile support No Yes (built-in app)
Split tunnel granularity Per-domain, per-CIDR Per-domain, per-CIDR, per-country

Common Use Cases