PipeProxy is a distributed HTTP/HTTPS proxy that multiplexes thousands of connections over a single AES-256-GCM encrypted WebSocket. No port forwarding, no VPN complexity — lightweight enough to run on a Raspberry Pi Zero.
Built from scratch in raw Node.js. No bloated frameworks, no hidden complexity — just fast, secure tunneling.
Thousands of concurrent proxy connections share a single WebSocket using a custom binary protocol. Each frame carries only a 9-byte header — type, connection ID, and payload length — delivering near-zero overhead even under massive parallelism.
Native zero-dependency encryption layer with integrity verification, replay attack prevention, and strict sequence tracking.
The client connects outbound to the VPS. No firewall rules needed, no exposed ports on your home network.
Designed for any Node.js environment. Only ws and dotenv as dependencies. Minimal memory footprint — runs smoothly even on the most constrained single-board computers like the Raspberry Pi Zero.
Dual-stack connectivity with automatic IPv6 → IPv4 fallback in 250ms. Dead or broken routes are instantly bypassed to ensure zero connection hangs in unpredictable network environments.
Dynamic flow control pauses fast senders when the tunnel is saturated. Frame size limits and buffer caps prevent memory exhaustion attacks.
The client initiates all connections outbound. Your VPS never reaches back into your private network — it simply relays multiplexed traffic.
Any browser, app, or script configured with a standard HTTP proxy connects to your VPS on port 3128. Supports both HTTP CONNECT tunneling and plain HTTP forwarding with optional Basic authentication.
The proxy server assigns each incoming connection a 4-byte ID and encodes it into a 9-byte binary frame — type, connection ID, payload length. All frames are multiplexed over a single persistent WebSocket to the client node.
Decodes the binary frames, opens the actual TCP connection to the target host using your home IP, and pipes data back through the tunnel. Supports IPv6 with Happy Eyeballs fallback and built-in SSRF protection.
Multiple independent security layers from the transport level to the application level.
The tunnel secret never crosses the wire. Cryptographic handshake prevents credential sniffing and replay attacks.
Enable HTTPS directly on the proxy endpoint to fully encrypt proxy authentication credentials.
Wrap the tunnel in TLS on port 443 — DPI firewalls see normal HTTPS traffic, not a custom protocol.
Forces Connection: close on proxied HTTP requests to prevent keep-alive routing confusion attacks.
Strict per-stream packet ordering within encrypted frames. Replayed or dropped packets trigger instant disconnect.
Blocks connections to private/local IP ranges by default, preventing server-side request forgery into your LAN.
PipeProxy is published on npm as the package pipeproxy. You can run it directly without cloning the repository.
Run directly without installing anything globally.
Install globally for permanent access across your system.
Full command reference accessible directly from your terminal.
Only two runtime dependencies — ws and dotenv.
Copy the example env files and set your tunnel secret, ports, and optional encryption settings.
Start the server on your VPS and the client on your Pi. Also works with Docker out of the box.
Quick answers to common questions about PipeProxy, security, and deployment.
PipeProxy is a distributed HTTP/HTTPS proxy that multiplexes thousands of connections over a single encrypted WebSocket tunnel (AES-256-GCM). It's built in raw Node.js for maximum speed and zero overhead.
No. PipeProxy uses reverse tunnels: the client initiates the connection to the VPS (outbound). This means you can expose services behind NAT or firewalls without any home router configuration.
Security is native: we use AES-256-GCM encryption, HMAC-SHA256 handshaking, and packet sequencing to prevent replay attacks. It also includes built-in SSRF protection by default.
PipeProxy is fully cross-platform. Because it's built for efficiency, it runs smoothly on everything from high-performance VPS servers to ultra-low-power IoT devices like the Raspberry Pi Zero.
Absolutely. Point your domain to your VPS IP and use a reverse proxy (like Nginx or Caddy). It can route traffic through the tunnel directly to your local application.
Yes. It supports full HTTP CONNECT tunneling for end-to-end TLS. You can also terminate SSL on the VPS to handle certificates centrally for your local services.
Extremely low. Each binary frame carries only a 9-byte header for multiplexing. This ensures your tunnel maintains near-native TCP performance even under heavy load.
Star the project, read the docs, and deploy your first encrypted proxy tunnel in under five minutes.