  • Rust 56.4%
  • Vue 22.5%
  • TypeScript 12.7%
  • Makefile 4.5%
  • CSS 3.1%
  • Other 0.8%
.forgejo/workflows Rustified 2026-04-01 12:23:31 +03:00
.idea Add initial package.json, package-lock.json, and project assets 2026-04-01 11:30:01 +03:00
src Rustified 2026-04-01 12:23:31 +03:00
src-tauri Update dependencies for BleachVPN: use BleachWG fork of boringtun, upgrade curve25519-dalek and fiat-crypto, and switch to PolyForm Noncommercial license. 2026-04-01 12:35:22 +03:00
.gitignore Rustified 2026-04-01 12:23:31 +03:00
eslint.config.js Rustified 2026-04-01 12:23:31 +03:00
index.html Rustified 2026-04-01 12:23:31 +03:00
LICENSE Update dependencies for BleachVPN: use BleachWG fork of boringtun, upgrade curve25519-dalek and fiat-crypto, and switch to PolyForm Noncommercial license. 2026-04-01 12:35:22 +03:00
Makefile Rustified 2026-04-01 12:23:31 +03:00
package-lock.json Rustified 2026-04-01 12:23:31 +03:00
package.json Rustified 2026-04-01 12:23:31 +03:00
README.md Update dependencies for BleachVPN: use BleachWG fork of boringtun, upgrade curve25519-dalek and fiat-crypto, and switch to PolyForm Noncommercial license. 2026-04-01 12:35:22 +03:00
tsconfig.json Rustified 2026-04-01 12:23:31 +03:00
tsconfig.node.json Rustified 2026-04-01 12:23:31 +03:00
vite.config.ts Rustified 2026-04-01 12:23:31 +03:00

BleachVPN

Cross-platform VPN client supporting AmneziaWG 2.0, VLESS (all transports), and Bleach mode (VK/Yandex TURN relay for ISP whitelist bypass).

Built with Rust + Tauri v2 + Vue 3.

Protocols

Protocol       Description
AmneziaWG 2.0  WireGuard with DPI-resistant obfuscation: junk packets, custom headers, protocol mimicry. Based on BleachWG (boringtun fork)
VLESS          All transports: TCP, WebSocket, gRPC, HTTP/2, xHTTP. Security: TLS, Reality. Via leaf
Bleach         AmneziaWG tunneled through VK/Yandex video call TURN servers to bypass ISP whitelists

How Bleach mode works

When ISPs enforce whitelists (only allowing traffic to approved IPs), regular VPNs stop working. Bleach exploits the fact that video call TURN servers are always whitelisted.

App ──DTLS──▶ TURN server (VK/Yandex) ──UDP──▶ VPS (AmneziaWG) ──▶ Internet
      ISP sees: video call traffic

Subscription URLs

Import a single subscription URL that contains multiple protocols:

https://example.com/sub/token
→ bleach://...#Server-1
  vless://uuid@host:443?...#Server-2
  awg://...#Server-3

The subscription body can be base64-encoded or plain text, one URL per line.

Platforms

Platform  Status     Bundle
Windows   Supported  NSIS / MSI
macOS     Supported  DMG
Linux     Supported  deb / AppImage
Android   Planned    APK (Tauri v2 mobile)
iOS       Planned    IPA (Tauri v2 mobile)

Development

Prerequisites

  • Rust stable
  • Node.js 22+
  • Platform deps:
    • Linux: libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev patchelf
    • macOS: Xcode Command Line Tools
    • Windows: Visual Studio Build Tools + WebView2

Quick start

npm install
make dev

Makefile

Target             What it does
make dev           Tauri dev server with hot reload
make build         Release build for current OS
make build-all     All desktop platforms
make lint          Rust (fmt + clippy) + Frontend (eslint + vue-tsc)
make fmt           Auto-format everything
make test          Rust unit tests
make clean         Remove build artifacts
make install-deps  Install toolchain dependencies

Architecture

src-tauri/src/
├── vpn/
│   ├── mod.rs            VpnEngine trait
│   ├── manager.rs        Tunnel lifecycle (start/stop/status)
│   ├── amneziawg.rs      AmneziaWG 2.0 engine (boringtun fork)
│   ├── vless.rs          VLESS engine (via leaf)
│   ├── bleach.rs         Bleach mode (AWG-over-TURN)
│   └── tun.rs            Cross-platform TUN device
├── turn/
│   ├── client.rs         TURN allocation + channel binding
│   ├── relay.rs          Parallel relay streams + reconnect
│   └── dtls.rs           DTLS 1.2 transport
├── creds/
│   ├── vk.rs             VK OAuth → TURN credentials
│   └── yandex.rs         Yandex → TURN credentials
├── config/
│   ├── models.rs         Config structs (Bleach, VLESS, AWG)
│   ├── parser.rs         URL scheme parsers
│   ├── store.rs          SQLite persistence
│   └── subscription.rs   Subscription URL fetcher
├── platform/             Per-OS TUN integration
├── commands.rs           Tauri IPC handlers
└── lib.rs                App setup + command registration

src/
├── views/                Home, Configs, Settings
├── components/           ConnectionButton, ConfigCard, LogViewer, ...
├── stores/               Pinia (vpn, config, settings)
├── composables/          Typed Tauri invoke wrappers
└── types/                TypeScript interfaces

Config URL schemes

bleach:// — AmneziaWG over TURN

bleach://<base64url-json>#<name>

vless:// — VLESS proxy

vless://<uuid>@<host>:<port>?type=ws&security=tls&sni=example.com&path=/ws#Name

awg:// — standalone AmneziaWG (no TURN)

awg://<base64url-json>#<name>
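
The rules under "Subscription URLs" and "Config URL schemes", as an added example that is not BleachVPN's own code: the subscription body is treated as untrusted input, decoded from base64 only when it is not already plain text, and each line is kept only if its scheme is one of the three documented ones. `Entry`, `parse_line`, `parse_subscription` and the hand-written `b64_decode` (used so the block needs no crates) are hypothetical names, and the sample input is constructed.

```rust
// Added example, not BleachVPN's code; all type and function names are hypothetical.
const SCHEMES: [&str; 3] = ["bleach", "vless", "awg"]; // allow-list taken from the README
#[derive(Debug, PartialEq)]
pub struct Entry { pub scheme: String, pub payload: String, pub name: String }

/// Base64 decode: standard or URL-safe alphabet, padding optional, whitespace ignored.
pub fn b64_decode(s: &str) -> Option<Vec<u8>> {
    let (mut acc, mut bits, mut out) = (0u32, 0u8, Vec::new());
    for c in s.bytes().filter(|c| !c.is_ascii_whitespace() && *c != b'=') {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'+' | b'-' => 62,
            b'/' | b'_' => 63,
            _ => return None, // any other byte: not base64
        };
        acc = (acc << 6) | u32::from(v);
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1u32 << bits) - 1; // keep only the bits not yet emitted
        }
    }
    Some(out)
}

fn parse_line(line: &str) -> Option<Entry> {
    let (scheme, rest) = line.trim().split_once("://")?;
    if !SCHEMES.contains(&scheme) { return None; } // unknown scheme: reject, never guess
    let (payload, name) = rest.split_once('#').unwrap_or((rest, ""));
    if payload.is_empty() { return None; }
    Some(Entry { scheme: scheme.into(), payload: payload.into(), name: name.into() })
}

/// Returns the accepted entries and the number of non-empty lines that were rejected.
pub fn parse_subscription(body: &str) -> (Vec<Entry>, usize) {
    // "://" cannot occur in base64 (':' is outside both alphabets), so it marks plain text.
    let text = if body.contains("://") { body.to_string() } else {
        b64_decode(body).and_then(|b| String::from_utf8(b).ok()).unwrap_or_default()
    };
    let mut skipped = 0usize;
    let entries: Vec<Entry> = text.lines().filter(|l| !l.trim().is_empty())
        .filter_map(|l| { let e = parse_line(l); if e.is_none() { skipped += 1; } e }).collect();
    (entries, skipped)
}
fn main() { // constructed sample: base64 of "awg://e30#B" ("e30" is base64url of "{}")
    println!("{:?}", parse_subscription("YXdnOi8vZTMwI0I="));
}
```

A non-zero rejected count is worth surfacing in the client log, since it means the subscription server sent lines outside the documented schemes.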

CI/CD

Forgejo Actions:

  • check.yml — runs on every push: cargo fmt, clippy, cargo test, eslint, vue-tsc
  • build.yml — on tags or manual: cross-platform matrix build (Win / macOS ARM+x86 / Linux), uploads artifacts

License

PolyForm Noncommercial 1.0.0 — free for personal, research, and noncommercial use. Commercial use is not permitted without a separate agreement.

Special Thanks

  • vk-turn-proxy by @cacggghp — pioneered tunneling through VK/Yandex TURN servers
  • boringtun by Cloudflare — Rust WireGuard implementation (base for AWG fork)
  • AmneziaWG — WireGuard obfuscation protocol
  • leaf — Rust proxy framework (VLESS engine)
  • Tauri — cross-platform app framework