Update: just followed the quickstart and worked great; speed is virtually line speed - impressive!
It's a thin HTTP/2 and HTTP/3 tunneling protocol for TCP, UDP, and ICMP traffic.
It should be easy to write an independent implementation based on this specification provided you already have an HTTP/2 or HTTP/3 library. Pretty neat!
One clarification that may not be obvious: open-sourcing this isn’t primarily about signaling or auditability. If that were the goal, a standalone protocol spec or a minimal reference repo would have been enough.
Instead, we’re deliberately shipping full client and server implementations because the end goal is for this to become an independent, vendor-neutral project, not something tied to AdGuard.
We want it to be usable by any VPN or proxy stack and, over time, to serve as a common baseline for stealthy transports — similar to the role xray/vless play today.
Happy to answer questions or clarify design choices.
GFW has been able to filter SNI to block https traffic for a few years now.
SNI isn't really the threat here, because any commercial VPN is going to be blocked by IP, no need for SNI. The bigger threat is tell-tale patterns of VPN use because of TLS-in-TLS, TLS-in-SSH, or even TLS-in-any-high-entropy-stream (eg. shadowsocks).
Proxy server can hide behind CDN like Cloudflare via websocket tunnel.
This is why GFW develops SNI filter, Cloudflare is too big to block.
cloudflare doesn't support domain fronting so any SNI spoofing won't work.
Any particular reason to adopt Rust for this project instead of Go as many of your other products?
Because I think since you have quite extensive Go codebase I would imagine you had to rewrite possibly a significant amount of code.
Go has a lot of strengths, but embedding performance-critical code as a shared library in a mobile app isn't among them.
I need to open ssh myself and for now I decided on tunnelling over http/3 terminated somewhere in aws/gcp/cf, but maybe your method is better.