PipeProxy is a distributed HTTP/HTTPS proxy that multiplexes thousands of connections over a single AES-256-GCM encrypted WebSocket. No port forwarding, no VPN complexity — lightweight enough to run on a Raspberry Pi Zero.
Built from scratch in raw Node.js. No bloated frameworks, no hidden complexity — just fast, secure tunneling.
Thousands of concurrent proxy connections share a single WebSocket using a custom binary protocol. Each frame carries only a 9-byte header — type, connection ID, and payload length — delivering near-zero overhead even under massive parallelism.
Native zero-dependency encryption layer with integrity verification, replay attack prevention, and strict sequence tracking.
The client connects outbound to the VPS. No firewall rules needed, no exposed ports on your home network.
Only ws and dotenv as dependencies. Minimal memory footprint — runs smoothly even on the most constrained single-board computers like the Raspberry Pi Zero.
Dual-stack connectivity with automatic IPv6 → IPv4 fallback in 250ms. Dead or broken routes are instantly bypassed to ensure zero connection hangs in unpredictable network environments.
Dynamic flow control pauses fast senders when the tunnel is saturated. Frame size limits and buffer caps prevent memory exhaustion attacks.
The client initiates all connections outbound. Your VPS never reaches back into your private network — it simply relays multiplexed traffic.
Any browser, app, or script configured with a standard HTTP proxy connects to your VPS on port 3128. Supports both HTTP CONNECT tunneling and plain HTTP forwarding with optional Basic authentication.
The proxy server assigns each incoming connection a 4-byte ID and encodes it into a 9-byte binary frame — type, connection ID, payload length. All frames are multiplexed over a single persistent WebSocket to the client node.
The client node decodes the binary frames, opens the actual TCP connection to the target host using your home IP, and pipes data back through the tunnel. Supports IPv6 with Happy Eyeballs fallback and built-in SSRF protection.
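The 9-byte framing and per-connection multiplexing described above can be sketched as follows; this is an added example, not PipeProxy's own code. Assumptions: big-endian fields, a 1-byte type and 4-byte length around the 4-byte connection ID, the type codes, and the 64 KiB payload cap.

```javascript
// Added example. Assumed, not taken from PipeProxy: big-endian fields, a 1-byte
// type, a 4-byte length, the type codes and the 64 KiB payload cap.
const HEADER_LEN = 9;          // 1 (type) + 4 (connection ID) + 4 (payload length)
const MAX_PAYLOAD = 64 * 1024; // hypothetical cap on a single frame's payload
const TYPE = Object.freeze({ OPEN: 1, DATA: 2, CLOSE: 3 }); // hypothetical codes
const KNOWN_TYPES = new Set(Object.values(TYPE));

function encodeFrame(type, connId, payload = Buffer.alloc(0)) {
  if (!KNOWN_TYPES.has(type)) throw new RangeError('unknown frame type');
  if (payload.length > MAX_PAYLOAD) throw new RangeError('payload exceeds cap');
  const header = Buffer.alloc(HEADER_LEN);
  header.writeUInt8(type, 0);
  header.writeUInt32BE(connId, 1); // throws if connId does not fit in 4 bytes
  header.writeUInt32BE(payload.length, 5);
  return Buffer.concat([header, payload]);
}

// Decode one tunnel message (already decrypted). A length field that exceeds
// the cap or disagrees with the message size is rejected before the payload
// is handed to any connection.
function decodeFrame(msg) {
  if (msg.length < HEADER_LEN) throw new RangeError('truncated header');
  const type = msg.readUInt8(0);
  const connId = msg.readUInt32BE(1);
  const len = msg.readUInt32BE(5);
  if (!KNOWN_TYPES.has(type)) throw new RangeError('unknown frame type');
  if (len > MAX_PAYLOAD) throw new RangeError('declared length exceeds cap');
  if (msg.length !== HEADER_LEN + len) throw new RangeError('length mismatch');
  return { type, connId, payload: Buffer.from(msg.subarray(HEADER_LEN)) };
}

// Demultiplex interleaved frames into per-connection byte streams.
// CLOSE frames carry no data here; the collected stream is kept for the result.
function demux(messages) {
  const streams = new Map(); // connId -> Buffer[]
  for (const msg of messages) {
    const { type, connId, payload } = decodeFrame(msg);
    if (type === TYPE.OPEN) {
      if (streams.has(connId)) throw new Error('duplicate OPEN for ' + connId);
      streams.set(connId, []);
    } else if (!streams.has(connId)) {
      throw new Error('frame for unknown connection ' + connId);
    } else if (type === TYPE.DATA) {
      streams.get(connId).push(payload);
    }
  }
  return new Map([...streams].map(([id, parts]) => [id, Buffer.concat(parts).toString()]));
}
```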
Multiple independent security layers from the transport level to the application level.
The tunnel secret never crosses the wire. Cryptographic handshake prevents credential sniffing and replay attacks.
Enable HTTPS directly on the proxy endpoint to fully encrypt proxy authentication credentials.
Wrap the tunnel in TLS on port 443 — DPI firewalls see normal HTTPS traffic, not a custom protocol.
Forces Connection: close on proxied HTTP requests to prevent keep-alive routing confusion attacks.
Strict per-stream packet ordering within encrypted frames. Replayed or dropped packets trigger instant disconnect.
Blocks connections to private/local IP ranges by default, preventing server-side request forgery into your LAN.
Only two runtime dependencies — ws and dotenv.
Copy the example env files and set your tunnel secret, ports, and optional encryption settings.
Start the server on your VPS and the client on your Pi. Also works with Docker out of the box.
Star the project, read the docs, and deploy your first encrypted proxy tunnel in under five minutes.