A lightweight, certification-ready VPN that uses standard HTTP/2 CONNECT over TLS — indistinguishable from regular browser traffic.
| Problem | HTTPS VPN Solution |
|---|---|
| VPN protocols have unique signatures detectable by DPI | Uses standard HTTP/2 CONNECT — identical to browser HTTPS proxy |
| No support for national cryptography standards | Pluggable crypto providers (GOST, SM2/SM3/SM4, etc.) |
| Large codebases (~100K LOC) are expensive to certify | ~600 LOC core — 166x less code to audit |
| Complex integration with existing infrastructure | Drop-in xray-core API compatible library |

```
┌────────────────────────────────────────────────────────────┐
│                    HTTPS VPN (~600 LOC)                    │
├────────────────────────────────────────────────────────────┤
│  Config Parser    │  HTTP/2 Server    │  CONNECT Handler   │
│  (xray-compat)    │  (Go stdlib)      │                    │
├────────────────────────────────────────────────────────────┤
│                 Crypto Provider Interface                  │
├──────────────┬──────────────┬──────────────┬───────────────┤
│  US (AES)    │  RU (GOST)   │  CN (SM)     │  ...          │
│  stdlib      │  certified   │  certified   │               │
└──────────────┴──────────────┴──────────────┴───────────────┘
```

```
Browser HTTPS Proxy:  Client ──TLS 1.3──> HTTP/2 ──CONNECT──> [data]
HTTPS VPN:            Client ──TLS 1.3──> HTTP/2 ──CONNECT──> [data]
                               └─ with national crypto ─┘
```

AI-based DPI cannot distinguish HTTPS VPN traffic from regular browser traffic because it is the same protocol (RFC 7540 + RFC 7231).
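
What an HTTP/2 CONNECT handler on Go's standard library involves, as an added sketch that is not the project's own code. It assumes the operator wants the server to reach public addresses only; `vetDial`, `flushWriter`, `handleConnect`, port 8443 and the certificate paths are hypothetical names chosen for this example.

```go
package main

import (
	"errors"
	"io"
	"net"
	"net/http"
	"net/netip"
	"syscall"
	"time"
)

// vetDial runs after DNS resolution, so it judges the IP actually being connected to.
func vetDial(network, address string, _ syscall.RawConn) error {
	ap, err := netip.ParseAddrPort(address)
	ip := ap.Addr().Unmap() // treat ::ffff:10.0.0.1 as 10.0.0.1
	if err != nil || ip.IsLoopback() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsUnspecified() || ip.IsMulticast() {
		return errors.New("refusing non-public destination " + address)
	}
	return nil
}

// flushWriter flushes after every write; HTTP/2 responses are buffered otherwise.
type flushWriter struct{ http.ResponseWriter }

func (f flushWriter) Write(p []byte) (int, error) {
	defer f.ResponseWriter.(http.Flusher).Flush()
	return f.ResponseWriter.Write(p)
}

// handleConnect tunnels one HTTP/2 CONNECT stream to the requested host:port.
func handleConnect(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodConnect {
		http.Error(w, "CONNECT only", http.StatusMethodNotAllowed)
		return
	}
	up, err := (&net.Dialer{Timeout: 10 * time.Second, Control: vetDial}).DialContext(r.Context(), "tcp", r.Host)
	if err != nil {
		http.Error(w, "target refused", http.StatusBadGateway)
		return
	}
	defer up.Close()
	w.(http.Flusher).Flush()        // sends the 200 headers, opening the tunnel
	go io.Copy(up, r.Body)          // client -> target (request stream)
	io.Copy(flushWriter{w}, up)     // target -> client (response stream)
}

func main() { // placeholder certificate paths; Go negotiates HTTP/2 over TLS via ALPN
	panic(http.ListenAndServeTLS(":8443", "cert.pem", "key.pem", http.HandlerFunc(handleConnect)))
}
```

Because the check sits in the dialer's `Control` hook rather than on the CONNECT authority string, a hostname that resolves to a loopback, RFC 1918 or link-local (for example cloud metadata) address is refused as well.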

HTTPS VPN is designed as a drop-in replacement for the xray-core library:

```go
// Before (xray-core)
import "github.com/xtls/xray-core/core"
server, _ := core.New(config)
server.Start()

// After (https-vpn) — same code works
import "github.com/example/https-vpn/core"
server, _ := core.New(config)
server.Start()
```

Existing xray JSON configs work without modification:

```json
{
  "inbounds": [{
    "port": 443,
    "protocol": "https-vpn",
    "settings": {},
    "streamSettings": {
      "network": "h2",
      "security": "tls",
      "tlsSettings": {
        "certificates": [{"certificateFile": "...", "keyFile": "..."}]
      }
    }
  }],
  "outbounds": [{"protocol": "freedom"}]
}
```

Compatible with management panels: 3x-ui, Marzban, and xray-based applications.

```
┌─────────────────────┬─────────────┬───────────────────┐
│ Component           │ xray-core   │ HTTPS VPN         │
├─────────────────────┼─────────────┼───────────────────┤
│ Core code           │ ~100,000    │ ~600 LOC          │
│ Certification scope │ ~100,000    │ ~600 LOC          │
│ Audit effort        │ Months      │ Days              │
│ Attack surface      │ Large       │ Minimal           │
└─────────────────────┴─────────────┴───────────────────┘
```

```bash
# Generate config
https-vpn init --crypto us
# Run server
https-vpn run -c config.json
```

```bash
# Connect to server
https-vpn client -s server.example.com:443 -l 127.0.0.1:1080
```

Local SOCKS5 proxy available at 127.0.0.1:1080.

```bash
# Default (US crypto - Go stdlib)
go build -o https-vpn ./cmd/https-vpn
# With GOST support
go build -tags gost -o https-vpn ./cmd/https-vpn
# With SM support
go build -tags sm -o https-vpn ./cmd/https-vpn
```

```
https-vpn/
├── core/              # Main entry point (xray-compatible)
├── transport/         # HTTP/2 CONNECT implementation
├── crypto/            # Crypto provider interface
│   ├── us/            # NIST (Go stdlib)
│   ├── ru/            # GOST provider
│   └── cn/            # SM provider
├── infra/conf/        # Config parsing (xray-compatible)
└── cmd/https-vpn/     # CLI
```

- Minimal code — ~600 LOC core, everything else is stdlib or certified libraries
- Browser-identical traffic — HTTP/2 CONNECT over TLS, same as browser HTTPS proxy
- Pluggable crypto — swap crypto providers without changing core code
- Certification-ready — small attack surface, isolated crypto modules
- xray-compatible — same API, same config format, drop-in replacement
- Requirements — detailed requirements and decisions
- Specifications — technical specifications
- Implementation Plan — development roadmap
