therealaleph
cd6ff8d381
Four small fixes that address recurring user-issue patterns: - src/config.rs / src/domain_fronter.rs: auto_blacklist_strikes, auto_blacklist_window_secs, auto_blacklist_cooldown_secs config fields (#391, #444). Previously 3 strikes / 30s window / 120s cooldown were hard-coded. Single-deployment users on flaky networks hit this too aggressively; multi-deployment users want tighter fail-fast. Defaults preserve historical behavior. Power-user file edit only — no UI control yet. Clamps to [1, 86400] for durations. - src/config.rs / src/domain_fronter.rs / src/tunnel_client.rs: request_timeout_secs config field (#430, masterking32 PR #25). Replaces hard-coded BATCH_TIMEOUT 30s. DomainFronter::batch_timeout() exposes the value, fire_batch reads it. Clamped to [5s, 300s]. - tunnel-node/src/main.rs: detect MHRV_AUTH_KEY env var being set while TUNNEL_AUTH_KEY is unset, and emit a specific warning pointing at the right env var name. Catches the recurring #391/#444 docker run typo that made users chase phantom AUTH_KEY-mismatch decoys. - assets/launchers/run.bat: when both UI renderers (glow + wgpu) fail on older Windows / RDP / VM-without-GPU, fall back to launching mhrv-rs.exe (CLI) instead of just printing "open an issue". Addresses #417 / #426 / #487. CLI has the same proxy functionality on 127.0.0.1:8085 (HTTP) / :8086 (SOCKS5). 169 mhrv-rs lib tests + 33 tunnel-node tests still passing. UI build clean. ConfigWire round-trips the new fields with skip-default-on-write so unchanged configs stay clean.
Tunnel Node
Persian / فارسی: README.fa.md
HTTP tunnel bridge server for MasterHttpRelayVPN "full" mode. Bridges HTTP tunnel requests (from Apps Script) to real TCP connections.
Architecture
Phone → mhrv-rs → [domain-fronted TLS] → Apps Script → [HTTP] → Tunnel Node → [real TCP] → Internet
The tunnel node manages persistent TCP and UDP sessions. TCP sessions are real TCP connections to a destination server; UDP sessions are connected UDP sockets to one destination host:port. Data flows through a JSON protocol:
- connect — open TCP to host:port, return session ID
- data — write client data, return server response
- udp_open — open UDP to host:port, optionally send the first datagram
- udp_data — send one UDP datagram, or poll for returned datagrams when
dis omitted - close — tear down session
- batch — process multiple ops in one HTTP request (reduces round trips)
Deployment
Cloud Run
cd tunnel-node
gcloud run deploy tunnel-node \
--source . \
--region us-central1 \
--allow-unauthenticated \
--set-env-vars TUNNEL_AUTH_KEY=$(openssl rand -hex 24) \
--memory 256Mi \
--cpu 1 \
--max-instances 1
Docker — prebuilt image (any VPS)
The fastest path. Pull a prebuilt image and run it; no Rust toolchain needed on the VPS.
# Generate a strong secret. Save it — you'll paste the same value into CodeFull.gs.
SECRET=$(openssl rand -hex 24)
echo "Your TUNNEL_AUTH_KEY: $SECRET"
# Pull + run.
docker run -d \
--name mhrv-tunnel \
--restart unless-stopped \
-p 8080:8080 \
-e TUNNEL_AUTH_KEY="$SECRET" \
ghcr.io/therealaleph/mhrv-tunnel-node:latest
The :latest tag tracks the most recent release. To pin a specific version (recommended for production), use ghcr.io/therealaleph/mhrv-tunnel-node:v1.5.0 (or whatever release you're on). Image is available for linux/amd64 and linux/arm64.
docker-compose.yml if you prefer:
services:
tunnel:
image: ghcr.io/therealaleph/mhrv-tunnel-node:latest
restart: unless-stopped
ports:
- "8080:8080"
environment:
TUNNEL_AUTH_KEY: ${TUNNEL_AUTH_KEY}
Then TUNNEL_AUTH_KEY=your-secret docker compose up -d.
Docker — build from source
If you'd rather build the image yourself (or add custom changes):
cd tunnel-node
docker build -t tunnel-node .
docker run -p 8080:8080 -e TUNNEL_AUTH_KEY=your-secret tunnel-node
Direct binary
cd tunnel-node
cargo build --release
TUNNEL_AUTH_KEY=your-secret PORT=8080 ./target/release/tunnel-node
Environment Variables
| Variable | Required | Default | Description |
|---|---|---|---|
TUNNEL_AUTH_KEY |
Yes | changeme |
Shared secret — must match TUNNEL_AUTH_KEY in CodeFull.gs |
PORT |
No | 8080 |
Listen port (Cloud Run sets this automatically) |
Protocol
Single op: POST /tunnel
{"k":"auth","op":"connect","host":"example.com","port":443}
{"k":"auth","op":"data","sid":"uuid","data":"base64"}
{"k":"auth","op":"close","sid":"uuid"}
Batch: POST /tunnel/batch
{
"k": "auth",
"ops": [
{"op":"data","sid":"uuid1","d":"base64"},
{"op":"udp_data","sid":"uuid2","d":"base64"},
{"op":"close","sid":"uuid3"}
]
}
→ {"r": [{...}, {...}, {...}]}
Health check: GET /health → ok
Performance: deployment count and pipeline depth
The mhrv-rs client runs a pipelined batch multiplexer in full mode. Each Apps Script round-trip takes ~2s, so the client fires multiple batch requests concurrently — the pipeline depth equals the number of configured script deployment IDs (minimum 2, no upper cap).
More deployments = more concurrent batches hitting the tunnel-node = lower per-session latency. With 6 deployments, a new batch arrives every ~0.3s instead of every 2s.
The tunnel-node itself is stateless per-request (sessions are keyed by UUID), so it handles concurrent batches naturally. For best results, deploy 3–12 Apps Script instances across separate Google accounts and list all their deployment IDs in the client config.