|
| 1 | +# HTTPS VPN |
| 2 | + |
| 3 | +A lightweight, certification-ready VPN that uses standard HTTP/2 CONNECT over TLS — indistinguishable from regular browser traffic. |
| 4 | + |
| 5 | +## Why HTTPS VPN? |
| 6 | + |
| 7 | +| Problem | HTTPS VPN Solution | |
| 8 | +|---------|-------------------| |
| 9 | +| VPN protocols have unique signatures detectable by DPI | Uses standard HTTP/2 CONNECT — identical to browser HTTPS proxy | |
| 10 | +| No support for national cryptography standards | Pluggable crypto providers (GOST, SM2/SM3/SM4, etc.) | |
| 11 | +| Large codebases (~100K LOC) are expensive to certify | ~600 LOC core — 166x less code to audit | |
| 12 | +| Complex integration with existing infrastructure | Drop-in xray-core API compatible library | |
| 13 | + |
| 14 | +## Architecture |
| 15 | + |
| 16 | +``` |
| 17 | +┌─────────────────────────────────────────────────────────────┐ |
| 18 | +│ HTTPS VPN (~600 LOC) │ |
| 19 | +├─────────────────────────────────────────────────────────────┤ |
| 20 | +│ Config Parser │ HTTP/2 Server │ CONNECT Handler │ |
| 21 | +│ (xray-compat) │ (Go stdlib) │ │ |
| 22 | +├─────────────────────────────────────────────────────────────┤ |
| 23 | +│ Crypto Provider Interface │ |
| 24 | +├──────────────┬──────────────┬──────────────┬───────────────┤ |
| 25 | +│ US (AES) │ RU (GOST) │ CN (SM) │ ... │ |
| 26 | +│ stdlib │ certified │ certified │ │ |
| 27 | +└──────────────┴──────────────┴──────────────┴───────────────┘ |
| 28 | +``` |
| 29 | + |
| 30 | +## Traffic Pattern |
| 31 | + |
| 32 | +``` |
| 33 | +Browser HTTPS Proxy: Client ──TLS 1.3──> HTTP/2 ──CONNECT──> [data] |
| 34 | +HTTPS VPN: Client ──TLS 1.3──> HTTP/2 ──CONNECT──> [data] |
| 35 | + └─ with national crypto ─┘ |
| 36 | +``` |
| 37 | + |
| 38 | +AI-based DPI cannot distinguish HTTPS VPN traffic from regular browser traffic because it **is** the same protocol (RFC 7540 + RFC 7231). |
| 39 | + |
| 40 | +## Supported Cryptography Standards |
| 41 | + |
| 42 | +| Country | Standard | Signature | Hash | Cipher | Status | |
| 43 | +|---------|----------|-----------|------|--------|--------| |
| 44 | +| 🇺🇸 USA | NIST | ECDSA | SHA-2 | AES | Phase 1 | |
| 45 | +| 🇷🇺 Russia | GOST | GOST R 34.10 | Streebog | Kuznyechik | Phase 1 | |
| 46 | +| 🇨🇳 China | GM/T | SM2 | SM3 | SM4 | Phase 1 | |
| 47 | +| 🇪🇺 EU | ETSI | Brainpool | SHA-2 | AES | Phase 2 | |
| 48 | +| 🇯🇵 Japan | CRYPTREC | ECDSA | SHA-2 | Camellia | Phase 2 | |
| 49 | +| 🇰🇷 Korea | KISA | KCDSA | HAS-160 | SEED | Phase 2 | |
| 50 | + |
| 51 | +## xray-core Compatibility |
| 52 | + |
| 53 | +HTTPS VPN is designed as a drop-in replacement for xray-core library: |
| 54 | + |
| 55 | +```go |
| 56 | +// Before (xray-core) |
| 57 | +import "github.com/xtls/xray-core/core" |
| 58 | +server, _ := core.New(config) |
| 59 | +server.Start() |
| 60 | + |
| 61 | +// After (https-vpn) — same code works |
| 62 | +import "github.com/example/https-vpn/core" |
| 63 | +server, _ := core.New(config) |
| 64 | +server.Start() |
| 65 | +``` |
| 66 | + |
| 67 | +Existing xray JSON configs work without modification: |
| 68 | + |
| 69 | +```json |
| 70 | +{ |
| 71 | + "inbounds": [{ |
| 72 | + "port": 443, |
| 73 | + "protocol": "https-vpn", |
| 74 | + "settings": {}, |
| 75 | + "streamSettings": { |
| 76 | + "network": "h2", |
| 77 | + "security": "tls", |
| 78 | + "tlsSettings": { |
| 79 | + "certificates": [{"certificateFile": "...", "keyFile": "..."}] |
| 80 | + } |
| 81 | + } |
| 82 | + }], |
| 83 | + "outbounds": [{"protocol": "freedom"}] |
| 84 | +} |
| 85 | +``` |
| 86 | + |
| 87 | +Compatible with management panels: **3x-ui**, **Marzban**, and xray-based applications. |
| 88 | + |
| 89 | +## Code Size Comparison |
| 90 | + |
| 91 | +``` |
| 92 | +┌─────────────────────┬─────────────┬───────────────────┐ |
| 93 | +│ Component │ xray-core │ HTTPS VPN │ |
| 94 | +├─────────────────────┼─────────────┼───────────────────┤ |
| 95 | +│ Core code │ ~100,000 │ ~600 LOC │ |
| 96 | +│ Certification scope │ ~100,000 │ ~600 LOC │ |
| 97 | +│ Audit effort │ Months │ Days │ |
| 98 | +│ Attack surface │ Large │ Minimal │ |
| 99 | +└─────────────────────┴─────────────┴───────────────────┘ |
| 100 | +``` |
| 101 | + |
| 102 | +## Quick Start |
| 103 | + |
| 104 | +### Server |
| 105 | + |
| 106 | +```bash |
| 107 | +# Generate config |
| 108 | +https-vpn init --crypto us |
| 109 | + |
| 110 | +# Run server |
| 111 | +https-vpn run -c config.json |
| 112 | +``` |
| 113 | + |
| 114 | +### Client |
| 115 | + |
| 116 | +```bash |
| 117 | +# Connect to server |
| 118 | +https-vpn client -s server.example.com:443 -l 127.0.0.1:1080 |
| 119 | +``` |
| 120 | + |
| 121 | +Local SOCKS5 proxy available at `127.0.0.1:1080`. |
| 122 | + |
| 123 | +## Building |
| 124 | + |
| 125 | +```bash |
| 126 | +# Default (US crypto - Go stdlib) |
| 127 | +go build -o https-vpn ./cmd/https-vpn |
| 128 | + |
| 129 | +# With GOST support |
| 130 | +go build -tags gost -o https-vpn ./cmd/https-vpn |
| 131 | + |
| 132 | +# With SM support |
| 133 | +go build -tags sm -o https-vpn ./cmd/https-vpn |
| 134 | +``` |
| 135 | + |
| 136 | +## Project Structure |
| 137 | + |
| 138 | +``` |
| 139 | +https-vpn/ |
| 140 | +├── core/ # Main entry point (xray-compatible) |
| 141 | +├── transport/ # HTTP/2 CONNECT implementation |
| 142 | +├── crypto/ # Crypto provider interface |
| 143 | +│ ├── us/ # NIST (Go stdlib) |
| 144 | +│ ├── ru/ # GOST provider |
| 145 | +│ └── cn/ # SM provider |
| 146 | +├── infra/conf/ # Config parsing (xray-compatible) |
| 147 | +└── cmd/https-vpn/ # CLI |
| 148 | +``` |
| 149 | + |
| 150 | +## Design Principles |
| 151 | + |
| 152 | +1. **Minimal code** — ~600 LOC core, everything else is stdlib or certified libraries |
| 153 | +2. **Browser-identical traffic** — HTTP/2 CONNECT over TLS, same as browser HTTPS proxy |
| 154 | +3. **Pluggable crypto** — swap crypto providers without changing core code |
| 155 | +4. **Certification-ready** — small attack surface, isolated crypto modules |
| 156 | +5. **xray-compatible** — same API, same config format, drop-in replacement |
| 157 | + |
| 158 | +## Documentation |
| 159 | + |
| 160 | +- [Requirements](flows/ddd-https_vpn/01-requirements.md) — detailed requirements and decisions |
| 161 | +- [Specifications](flows/ddd-https_vpn/02-specifications.md) — technical specifications |
| 162 | +- [Implementation Plan](flows/ddd-https_vpn/03-plan.md) — development roadmap |
| 163 | + |
| 164 | +## License |
| 165 | + |
| 166 | +[TBD] |
| 167 | + |
| 168 | +## Contributing |
| 169 | + |
| 170 | +[TBD] |
0 commit comments