masterhttprelayvpn-proxy
MasterHttpRelayVPN Proxy
Skill by ara.so — Daily 2026 Skills collection.
MasterHttpRelayVPN is a domain-fronted HTTP/SOCKS5 proxy that tunnels traffic through Google Apps Script. It disguises requests as Google traffic to evade DPI/firewalls, performs local MITM TLS interception to re-encrypt traffic, and requires only a free Google account — no VPS needed.
Traffic flow:
Browser → Local Proxy (127.0.0.1:8085) → Google IP (front_domain) → Apps Script Relay → Target Website
Installation
git clone https://github.com/masterking32/MasterHttpRelayVPN.git
cd MasterHttpRelayVPN
pip install -r requirements.txt
Behind a firewall (PyPI mirror):
pip install -r requirements.txt -i https://mirror-pypi.runflare.com/simple/ --trusted-host mirror-pypi.runflare.com
Quick start scripts (handles venv + deps automatically):
# Linux/macOS
chmod +x start.sh && ./start.sh
# Windows
start.bat
Step 1: Deploy the Google Apps Script Relay
- Go to https://script.google.com/ and create a New project
- Delete default code, paste the contents of
apps_script/Code.gs - Set a strong password on this line:
const AUTH_KEY = "your-secret-password-here"; - Click Deploy → New deployment → Web app
- Execute as: Me
- Who has access: Anyone
- Copy the Deployment ID (long random string)
Step 2: Configure
Option A — Interactive wizard (recommended)
python setup.py
Prompts for Deployment ID, generates a random auth_key, writes config.json.
Option B — Manual config
cp config.example.json config.json
Edit config.json:
{
"mode": "apps_script",
"google_ip": "216.239.38.120",
"front_domain": "www.google.com",
"script_id": "AKfycb...",
"auth_key": "your-secret-password-here",
"listen_host": "127.0.0.1",
"listen_port": 8085,
"socks5_enabled": true,
"socks5_port": 1080,
"log_level": "INFO",
"verify_ssl": true
}
auth_keyinconfig.jsonmust matchAUTH_KEYinCode.gs.
Step 3: Run
python3 main.py
Install CA certificate (run once, or re-run anytime):
python main.py --install-cert
Configuration Reference
Main Settings
| Key | Description |
|---|---|
mode |
Always "apps_script" |
script_id |
Google Apps Script Deployment ID |
auth_key |
Shared secret between proxy and relay |
listen_host |
"127.0.0.1" (local only) or "0.0.0.0" (LAN) |
listen_port |
HTTP proxy port (default: 8085) |
socks5_enabled |
Enable SOCKS5 listener |
socks5_port |
SOCKS5 port (default: 1080) |
log_level |
DEBUG, INFO, WARNING, ERROR |
Advanced Settings
| Key | Default | Description |
|---|---|---|
google_ip |
"216.239.38.120" |
Google IP to connect through |
front_domain |
"www.google.com" |
Domain shown to firewall |
verify_ssl |
true |
Verify upstream TLS certs |
script_ids |
[] |
Multiple deployment IDs for load balancing |
lan_sharing |
false |
Allow LAN devices to use proxy |
block_hosts |
[] |
Hosts that return HTTP 403 (e.g. ".doubleclick.net") |
bypass_hosts |
["localhost", ".local", ".lan", ".home.arpa"] |
Hosts that go direct (no MITM/relay) |
Full config example with all advanced options
{
"mode": "apps_script",
"google_ip": "216.239.38.120",
"front_domain": "www.google.com",
"script_ids": [
"AKfycbDEPLOYMENT_ID_1",
"AKfycbDEPLOYMENT_ID_2"
],
"auth_key": "super-strong-random-password",
"listen_host": "0.0.0.0",
"listen_port": 8085,
"socks5_enabled": true,
"socks5_port": 1080,
"lan_sharing": true,
"log_level": "INFO",
"verify_ssl": true,
"block_hosts": [
".doubleclick.net",
"ads.example.com"
],
"bypass_hosts": [
"localhost",
".local",
".lan",
"192.168.1.1"
]
}
CA Certificate Installation (Required for HTTPS)
The proxy performs MITM TLS interception. A local CA is generated at ca/ca.crt on first run. Install it once per machine/browser.
Linux (Ubuntu/Debian)
sudo cp ca/ca.crt /usr/local/share/ca-certificates/masterhttp-relay.crt
sudo update-ca-certificates
macOS
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca/ca.crt
Windows (PowerShell as Admin)
certutil -addstore -f "ROOT" ca\ca.crt
Firefox (all platforms)
Settings → Privacy & Security → Certificates → View Certificates → Authorities → Import → select ca/ca.crt → check "Trust this CA to identify websites"
⚠️ Never share the
ca/folder. Delete it to regenerate a fresh CA.
Browser Proxy Configuration
HTTP Proxy: 127.0.0.1:8085
SOCKS5 Proxy: 127.0.0.1:1080
Firefox
Settings → General → Network Settings → Manual proxy configuration:
- HTTP Proxy:
127.0.0.1, Port:8085 - Check: "Also use this proxy for HTTPS"
Chrome/Edge (Windows system proxy)
Settings → Network → Proxy → Manual proxy setup → 127.0.0.1:8085
Using curl for testing
curl -x http://127.0.0.1:8085 https://example.com
# or SOCKS5
curl --socks5 127.0.0.1:1080 https://example.com
Using requests in Python
import requests
proxies = {
"http": "http://127.0.0.1:8085",
"https": "http://127.0.0.1:8085",
}
response = requests.get("https://example.com", proxies=proxies)
print(response.status_code)
LAN Sharing Setup
Allow other devices on your network to use the proxy:
{
"lan_sharing": true,
"listen_host": "0.0.0.0",
"listen_port": 8085
}
On startup, the proxy logs your LAN IP addresses. Configure other devices to use <YOUR_LAN_IP>:8085.
Load Balancing with Multiple Relays
Deploy multiple Google Apps Script projects and list all Deployment IDs:
{
"script_ids": [
"AKfycbFIRST_DEPLOYMENT_ID",
"AKfycbSECOND_DEPLOYMENT_ID",
"AKfycbTHIRD_DEPLOYMENT_ID"
],
"auth_key": "same-password-in-all-scripts"
}
All Apps Script deployments must have the same
AUTH_KEYvalue.
Common Patterns
Blocking ads/trackers
{
"block_hosts": [
".doubleclick.net",
".googlesyndication.com",
".googleadservices.com",
"ads.example.com"
]
}
Bypassing local/LAN resources (no MITM)
{
"bypass_hosts": [
"localhost",
"127.0.0.1",
".local",
".lan",
".home.arpa",
"192.168.1.0/24"
]
}
Running with debug logging
# In config.json
{ "log_level": "DEBUG" }
# Or temporarily
python3 main.py
Scripted config generation
import json
import secrets
config = {
"mode": "apps_script",
"google_ip": "216.239.38.120",
"front_domain": "www.google.com",
"script_id": "PASTE_DEPLOYMENT_ID_HERE",
"auth_key": secrets.token_urlsafe(32),
"listen_host": "127.0.0.1",
"listen_port": 8085,
"socks5_enabled": True,
"socks5_port": 1080,
"log_level": "INFO",
"verify_ssl": True
}
with open("config.json", "w") as f:
json.dump(config, f, indent=2)
print(f"Generated auth_key: {config['auth_key']}")
print("Remember to set this same value as AUTH_KEY in Code.gs")
Troubleshooting
"Security warning" on every website
→ CA certificate not installed. Run python main.py --install-cert or follow the manual install steps above.
Connection refused on port 8085
→ Check listen_host and listen_port in config.json. Make sure python3 main.py is running.
"403 Forbidden" from relay
→ auth_key in config.json does not match AUTH_KEY in deployed Code.gs. Redeploy the script after fixing.
Google Apps Script quota exceeded
→ Free tier has daily quotas. Add more script_ids in config.json for load balancing across multiple deployments.
verify_ssl errors
{ "verify_ssl": false }
Use only for testing; not recommended for production.
Regenerate CA certificate
rm -rf ca/
python3 main.py # generates new ca/ca.crt on startup
# Then reinstall the certificate in OS/browser
Can't install Python packages (behind firewall)
pip install -r requirements.txt \
-i https://mirror-pypi.runflare.com/simple/ \
--trusted-host mirror-pypi.runflare.com
Test the proxy is working
# Should return your external IP routed through Google
curl -x http://127.0.0.1:8085 https://api.ipify.org
Project Structure
MasterHttpRelayVPN/
├── main.py # Entry point, starts HTTP + SOCKS5 listeners
├── setup.py # Interactive config wizard
├── config.json # Your configuration (gitignored)
├── config.example.json # Template
├── requirements.txt # Python dependencies
├── apps_script/
│ └── Code.gs # Google Apps Script relay code
├── ca/
│ ├── ca.crt # Generated CA certificate (install this)
│ └── ca.key # CA private key (keep secret)
├── start.sh # Linux/macOS quick start
└── start.bat # Windows quick start