reproxy

One local proxy that
survives hostile networks.

reproxy classifies the network you're actually on — captive portals, TLS inspection, national filters — picks a transport that gets through, and exposes a normal SOCKS5/HTTP proxy your apps point at. When nothing works it fails closed and tells you why. It never silently leaks your traffic onto the open network.

How it works The five modes

Five honest modes

reproxy collapses any network into exactly one of five explicit states. Every status surface — CLI output, menu-bar glyph, the connect toggle — is just a view of the current mode. No false green lights.

Normalfull path works
The proxy path works end to end. You're online — just use the internet.
Degradedworking, reduced
It works, but on a weaker transport or with high loss. Most real sessions on hostile networks live here — and that's fine, not a failure.
EmergencyText~5–20 KB/s
Only a tiny DNS-sized channel is alive. Good for messaging, SSH, text — explicitly not normal internet, and never dressed up as it.
Captiveportal in the way
A hotel/airport login page is blocking real internet. Open the captive portal, complete the login, then re-run the check.
Offlineno viable route
Nothing got through. Fails closed, paired with a diagnosis of exactly what was blocked and what was tried.

How it works

reproxy runs a battery of probes against the live network, classifies the damage, then selects the best available transport from a ladder of modern and emergency options. Your browser only ever sees a plain local proxy.

# classify the current network $ reproxy diagnose mode Degraded best_transport vless_reality decision_reason no_quic_falls_back_to_reality probes dns_poison blocked · sni_reset blocked · quic blocked tls_mitm clean · reality ok · captive none listening socks5 127.0.0.1:1080 · http 127.0.0.1:1081

Every decision carries a decision_reason — always present, never hidden. That's how the product keeps its promise: failures are explained, not hidden, and a DNS tunnel is never called normal internet.

diagnose — what is this network?

A network fingerprint: the mode, the chosen transport, the decision reason, and a probe list with honest ok / blocked / intercepted / unknown states.

dpi — what kind of censorship?

A deeper fingerprint: DNS poisoning, SNI-triggered resets, TLS man-in-the-middle, QUIC blocking, captive-portal heuristics, ECH presence — each probed and reported.

The transport ladder it chooses from:

masque_h3 vless_reality h2_connect ws_https hysteria2 trojan shadowsocks_2022 cdn_fronted_h2 dnstt_doh dnstt_udp53 icmp_ptunnel

Why trust it

  • Fails closed by design. No silent direct egress for proxied traffic. If there's no safe path, you get a diagnosis — not a leak.
  • Honest degradation. Degraded says degraded; EmergencyText shows its bandwidth as a feature of the state, not fine print.
  • No accounts, no sign-in, no billing. It's a network utility, not a subscription. Point your apps at 127.0.0.1:1080 and go.
  • Nothing hidden from you. Every decision carries a machine-readable reason, and the diagnosis shows exactly which probes passed, failed, or couldn't tell.
  • Built for people behind real filtering. The page itself loads zero external fonts, CDNs, analytics, or trackers — consistent with what it describes.

Status

reproxy is in active development. The command-line client runs today: it exposes a local proxy your apps point at, and diagnose / dpi work anywhere.

# classify the network and start the local proxy $ reproxy diagnose $ reproxy dpi --fast # point your apps at the local proxy # SOCKS5 127.0.0.1:1080 # HTTP 127.0.0.1:1081

A native macOS menu-bar app is coming soon — same five-mode model, no terminal required — with brew install the likely path for the CLI. iOS (a system VPN toggle with QR-code import) follows. This page is where distribution will be announced.