https://cmptrnb.github.io

Test script for MasterHttpRelayVPN-RUST full mode

This page documents my testing procedure. It is based on the developer's documentation at MasterHttpRelayVPN-RUST and in particular on issue #444 and #671.

Full mode routes all traffic end-to-end through a Google Apps Script, then through a remote tunnel-node. The trade-off versus apps_script mode is that it works for any protocol and any app, with no man-in-the-middle CA certificate required, but it results in higher latency.

For full mode, you will need to base your Google Apps Script on CodeFull.gs, not the normal Code.gs.

Step 1 -- Install Docker on VPS

SSH into your server as root.

Add Docker's official GPG key:

apt update && apt upgrade -y

apt install -y ca-certificates curl

install -m 0755 -d /etc/apt/keyrings

curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc

chmod a+r /etc/apt/keyrings/docker.asc

Add the Docker repository to your APT sources:

tee /etc/apt/sources.list.d/docker.sources <<EOF
Types: deb
URIs: https://download.docker.com/linux/debian
Suites: $(. /etc/os-release && echo "$VERSION_CODENAME")
Components: stable
Architectures: $(dpkg --print-architecture)
Signed-By: /etc/apt/keyrings/docker.asc
EOF

Update your store of package metadata:

apt update

Install Docker:

apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

Test your Docker install:

docker run hello-world

You should see some messages, including:

Hello from Docker!
This message shows that your installation appears to be working correctly.

Step 2 -- Deploy tunnel-node on VPS

Open port tcp/8080 for input in your server firewall. Persist this change across reboots.

In the command below, change the literal YOUR_TUNNEL_AUTH_KEY to your choice of tunnel authentication key (password). Make a note of your choice for YOUR_TUNNEL_AUTH_KEY, as you'll need it in Step 3.

docker run -d --name mhrv-tunnel --restart unless-stopped -p 8080:8080 -e TUNNEL_AUTH_KEY="YOUR_TUNNEL_AUTH_KEY" ghcr.io/therealaleph/mhrv-tunnel-node:latest

docker-proxy is now listening on external port tcp/8080 (mapped to internal port tcp/8080).

Initial checks

Check that the firewall is open:

iptables -L -n | grep 8080

Response:

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080

Check the external listening port:

ss -tulpn | grep 8080

Response:

tcp LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:* users:(("docker-proxy",pid=1975,fd=8))
tcp LISTEN 0 4096 [::]:8080 [::]:* users:(("docker-proxy",pid=1979,fd=8))

Check the internal listening port:

docker container logs mhrv-tunnel

Response:

INFO tunnel_node: tunnel-node listening on 0.0.0.0:8080

Issue the command below, replacing YOUR_TUNNEL_AUTH_KEY with your actual tunnel authentication key, as chosen a moment ago:

curl -X POST 'http://127.0.0.1:8080/tunnel' -H 'Content-Type: application/json' -d '{"k":"YOUR_TUNNEL_AUTH_KEY","op":"connect","host":"www.google.com","port":443}' --max-time 10 && echo ''

Response:

{"sid":"<UUID>","eof":false}

Exit your SSH session with the server:

exit

In a command prompt window on your PC, check the reachability of your server, replacing YOUR_VPS_IP by your actual server IP address:

curl.exe -k -i http://YOUR_VPS_IP:8080/

Response:

HTTP/1.1 404 Not Found
content-length: 0
date: Sun, 03 May 2026 14:57:16 GMT

Step 3 -- Create the Google Apps Script

Start a new Google Apps Script as follows:

1. In a browser on your PC, open https://script.google.com.
2. If necessary, sign in with your Google account.
3. Click New project at the top left.
4. Rename the project to, for example, MasterHttpRelayVPN-RUST full mode.
5. Completely delete the default code function myFunction() { ... }.
6. Open the file CodeFull.gs (not Code.gs) in the MasterHttpRelayVPN-RUST GitHub repository.
7. Copy all the contents from the script in the repository.
8. Paste them into the Apps Script editor, completely replacing what was there when you started.
9. Scroll up and find theses lines near the top of the code:

const AUTH_KEY = "CHANGE_ME_TO_A_STRONG_SECRET";
const TUNNEL_SERVER_URL = "http://YOUR_VPS_IP:8080";
const TUNNEL_AUTH_KEY = "YOUR_TUNNEL_AUTH_KEY";

Substitute in your choice of script authentication key (password) where it says CHANGE_ME_TO_A_STRONG_SECRET. Fill in your own values for YOUR_VPS_IP and YOUR_TUNNEL_AUTH_KEY (chosen in Step 2).

For testing purposes only, also scroll down and change diagnostic mode to true:

const DIAGNOSTIC_MODE = true;

Save the edited script.

Now deploy the script as follows:

1. At the top right, click Deploy > New deployment.
2. Click the gear icon next to Select type, and choose Web app.
3. Enter a description, e.g. MasterHttpRelayVPN-RUST full mode.
4. Set Execute as Me (your Google account).
5. Set Who has access to Anyone.
6. Click Deploy.
7. Click Authorize access.
8. You will see a warning window. Click Advanced, Go to MasterHttpRelayVPN-RUST full mode (unsafe), Continue, and Done to approve it.
9. Google displays a Deployment ID. It is a 72-character string.
10. Copy the Deployment ID into a text editor and save it. You'll need it in Step 5.

Step 4 -- Download mhrv-rs client

In a browser on your PC, go to the latest release page https://github.com/therealaleph/MasterHttpRelayVPN-RUST/releases/latest.

Download the client for your computer. For Windows it will be named mhrv-rs-windows-amd64.zip.

Unzip the zip file you just downloaded.

Step 5 -- First run

In your file manager, open the unzipped folder mhrv-rs-windows-amd64.

Double-click the launcher run.bat.

Make sure you trust the software, and if so click Run.

When asked if you want to install the CA certificate, you can choose No in the case of full mode.

The mhrv-rs control panel opens. Fill in the details:

• Mode: Full tunnel (no cert).
• Deployment IDs: Paste in the 72-character Deployment ID that Google displayed in Step 3.
• Auth key: Paste in the script authentication key (password) you chose in Step 3.
• Leave everything else at the defaults.
• Click Save config.
• The configuration file is saved as C:\Users\<your-windows-user>\AppData\Roaming\mhrv-rs\config\config.json.
• Click Start.
• The status circle (at the top right of the mhrv-rs control panel) goes green if it works.

Step 6 -- Tell your browser to use mhrv-rs

Firefox is recommended as the easiest browser for quickly setting a proxy server.

1. From the hamburger menu, select Settings.
2. On the General page, select Network Settings.
3. Choose Manual proxy configuration.
4. HTTP Proxy 127.0.0.1 Port 8085.
5. Check Also use this proxy for HTTPS.
6. Click OK.

Alternatively, or if you are using a different browser, you can set your system-wide proxy to 127.0.0.1 port 8085.

Step 7 -- Test from browser

In your browser, visit https://wtfismyip.com.

It should display your tunnel-node's IP address.

If you have any problems, open the Apps Script Executions tab, and look for the most recent _doTunnel run and its error, if any.

Step 8 -- Report issues

If you encounter any issues, report them on https://github.com/therealaleph/MasterHttpRelayVPN-RUST/issues.