GitFeed
Back to feed

ajavadinezhad/zyrln

ajavadinezhad/zyrln
212
+71/day
31
GoInfrastructure

Domain-fronting relay that routes traffic through Google infrastructure to bypass DPI-based censorship, Android VPN app + desktop proxy

From the README

Zyrln

A domain-fronting relay that routes traffic through Google infrastructure to bypass DPI-based censorship.

How It Works

your device
  → local proxy (Go)
  → Google-fronted Apps Script   ← looks like Google traffic to DPI
  → VPS exit relay
  → target site

TLS connections go to Google's IP ranges. The encrypted Host header targets your Apps Script deployment. From a DPI perspective the traffic is indistinguishable from normal Google traffic.

Features

  • Undetectable by DPI — all traffic exits from Google's IP ranges and is indistinguishable from normal Google traffic. There is no VPN fingerprint, no unusual port, and no dedicated server IP to block.
  • Request coalescing — concurrent browser requests are batched into a single Apps Script call. A page load that fires 30 requests uses 1–3 Apps Script executions instead of 30, dramatically extending daily quota.
  • In-proxy response cache — static assets (JS, CSS, fonts, images) are served from memory on repeat visits. Cached responses skip the relay entirely, making subsequent page loads significantly faster.
  • Multi-URL quota failover — configure multiple Apps Script deployments across different Google accounts. The relay sticks to the first URL until quota runs out, then switches transparently with no reconnection or dropped requests.
  • Full HTTPS support — the proxy performs local TLS termination so blocked HTTPS sites work transparently. No plaintext data leaves the device.
  • Android VPN — no root — one tap routes all browser traffic through the relay at the system level. No per-app configuration, no ADB, no root required.
  • Multiple saved configs — save as many relay configs as you want on Android and switch between them with a single tap. Useful for managing multiple Apps Script deployments or sharing configs between users.
  • Reachability probe tool — the desktop CLI can test which endpoints are reachable from your network before setting anything up. Covers baseline connectivity, Google APIs, domain-fronting, and the full relay chain so you know exactly what works and what doesn't.

Before You Start

The pre-built binaries and APK do not work out of the box. Zyrln is a client — it has no built-in relay. You must set up your own relay chain before anything works:

| What you need | Why | |---|---| | Google account | To deploy the Apps Script relay (free) | | VPS with a public IP | To run the exit relay, or use a Cloudflare Worker instead | | Auth key | A shared secret that ties all components together |

Generate your auth key once and keep it — you will use it in every component:

openssl rand -base64 32
# example: swrkwbMS1X666fjzReip+PbodKcPyDK7Xbk5gRSgRUE=

Setup

1. Deploy the Apps Script relay

This is the front door — it receives your traffic and forwards it to your VPS.

  1. Open script.google.com → New project
  2. Paste the contents of relay/apps-script/Code.gs
  3. Set the constants at the top:
View on GitHub