{"id":42057599,"url":"https://github.com/qqrm/policy-router-rs","last_synced_at":"2026-01-26T07:17:23.304Z","repository":{"id":333792493,"uuid":"1138710693","full_name":"qqrm/policy-router-rs","owner":"qqrm","description":"SmartDPI Router RS is a Windows user mode traffic router that applies domain and app based policies to send selected traffic through a VPN core (sing-box VLESS) while routing specific targets like YouTube through a local DPI bypass proxy (CIADPI), with zero TUN loop issues.","archived":false,"fork":false,"pushed_at":"2026-01-21T09:40:28.000Z","size":108,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"dev","last_synced_at":"2026-01-21T13:54:21.804Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/qqrm.png","metadata":{"files":{"readme":"README.MD","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-01-21T02:46:30.000Z","updated_at":"2026-01-21T09:40:32.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/qqrm/policy-router-rs","commit_stats":null,"previous_names":["qqrm/policy-router-rs"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/qqrm/policy-router-rs","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/qqrm%2Fpolicy-router-rs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/qqrm%2Fpolicy-router-rs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/qqrm%2Fpolicy-router-rs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/qqrm%2Fpolicy-router-rs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/qqrm","download_url":"https://codeload.github.com/qqrm/policy-router-rs/tar.gz/refs/heads/dev","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/qqrm%2Fpolicy-router-rs/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28769586,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-26T06:37:25.426Z","status":"ssl_error","status_checked_at":"2026-01-26T06:37:23.039Z","response_time":59,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-01-26T07:17:22.614Z","updated_at":"2026-01-26T07:17:23.296Z","avatar_url":"https://github.com/qqrm.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# SmartDPI Router RS\n\nSmartDPI Router RS is a Windows traffic router focused on one thing: split tunneling enforcement.\n\nIt provides policy based routing by process and by domain, sending traffic into one of multiple egress paths:\n\n- VPN path: a local VPN core proxy (sing-box VLESS, etc)\n- DPI bypass path: a local SOCKS5 or HTTP proxy (CIADPI) for targets like YouTube\n- DIRECT: no proxy\n- BLOCK: deny traffic\n\nThe goal is to keep DPI bypass tools stable (CIADPI must not break), while still having a working \"VPN for selected apps and domains\".\n\n## What we are building\n\nWe are building a router with two layers:\n\n1) Policy Engine (pure logic)\n- Reads config (rules)\n- Decides where a flow must go: vpn | proxy | direct | block\n- Explains why a decision was made (matched rule)\n\n2) Split Tunneling Enforcement (Windows)\n- Enforces policy for real traffic\n- Per app routing based on process identity\n- Optional domain routing via DNS correlation (domain -\u003e IP cache)\n- Loop prevention to avoid self sabotage\n\nThis is the core of the project: TUN with real per app bypass, so some processes never enter the VPN tunnel.\n\n## High level architecture\n\nWe split the implementation into three parts:\n\n1) `policy-routerd` (daemon)\n- Long running process\n- Owns enforcement lifecycle\n- Applies and maintains system state (WFP, routes, DNS cache, etc)\n- Optionally supervises external egress processes (sing-box, CIADPI)\n- Exposes a local control API (IPC)\n\n2) `policy-routerctl` (client)\n- CLI tool to manage the daemon\n- Sends commands via IPC:\n  - status\n  - reload\n  - stop\n  - explain\n  - diagnostics\n\n3) `policy-router-rs` (library)\n- Shared types\n- Config parsing\n- Policy engine\n- Rule matching and explanation\n- Domain suffix matching helpers\n\nThis separation is intentional:\n- daemon is the only component that touches Windows networking\n- ctl is safe to run anytime and never changes global state directly\n- GUI (Phase 3) will reuse the same IPC API as `policy-routerctl`\n\n## IPC\n\nDaemon and client communicate via local only IPC.\n\n## Build prerequisites\n\nBuilding requires clang/libclang because the `netstat2` dependency uses bindgen for Windows APIs.\n\n## CLI\n\nDaemon:\n- policy-routerd --config \u003cpath\u003e\n- policy-routerd --log-level \u003clevel\u003e (default: info, overridden by RUST_LOG)\n\nClient:\n- policy-routerctl status\n- policy-routerctl reload\n- policy-routerctl stop\n- policy-routerctl explain --process \u003cname\u003e --domain \u003cdomain\u003e\n\nOutput format:\n- default is human readable text\n- use --format json for stable machine readable output\n\n\nTarget for Windows:\n- Named Pipes (recommended)\n\nOptional later:\n- localhost HTTP API (debug only, locked down)\n\n## Egress paths\n\n### VPN egress\nA local proxy endpoint (provided by sing-box or compatible core):\n- inbound on `127.0.0.1:1488`\n- outbound goes to provider (VLESS, Reality, etc)\n\n### DPI bypass egress\nA dedicated local proxy endpoint (CIADPI or compatible):\n- SOCKS5 on `127.0.0.1:1080`\n- used for YouTube domains\n- must stay outside VPN and outside our packet mangling\n\n### DIRECT\nNo proxy, system networking as is.\n\n### BLOCK\nDrop traffic intentionally.\n\n## Hard requirements\n\n1) App routing must work\n- Selected apps go to VPN\n- Selected apps go to CIADPI\n- Selected apps go DIRECT\n- Selected apps are BLOCKED\n\n2) Domain routing must work (for the apps we route)\n- YouTube domain list -\u003e CIADPI\n- VPN whitelist domains -\u003e VPN\n- Optional direct domains -\u003e DIRECT\n\n3) No loop and no self sabotage\n- CIADPI process must never be routed into VPN\n- VPN core process must never be routed into CIADPI\n- defaults must be safe\n\n## Why PAC or system proxy is not enough\n\nPAC or system proxy only works for apps that respect proxy settings.\n\nThis project targets the stronger requirement:\n- route by process identity\n- enforce routing even if the app ignores proxy settings\n\nSo enforcement is done at the Windows networking layer (split tunneling).\n\n## MVP scope\n\n### Phase 1: policy engine + daemon and ctl skeleton\n\nPolicy:\n- TOML config\n- app rules + domain rules\n- decision output: vpn | proxy | direct | block\n- logs: matched rule + selected egress\n\nDaemon and ctl:\n- daemon process exists and stays running\n- ctl can connect via IPC and request:\n  - `explain` decision for (process, domain)\n  - `status`\n  - `reload` (re read config)\n  - `stop` (clean teardown)\n\nEnforcement (minimal, evolving):\n- start/stop supervision for:\n  - sing-box core (optional)\n  - CIADPI (optional)\n- prepare enforcement layer that can route by process\n  - first focus: process based vpn vs direct vs proxy\n  - then: domain based routing via DNS cache\n\n### Explicit non goals for Phase 1\n- full featured GUI\n- geoip/geosite management\n- DPI bypass logic inside this repo\n- \"works without admin permissions\"\n\n## Configuration (concept)\n\nTwo rule dimensions:\n- app rules: `process_name -\u003e egress`\n- domain rules: `domain_suffix -\u003e egress`\n\nDecision priority:\n1) block rules (app, domain)\n2) domain rules\n3) app rules\n4) default egress\n\nFor non-block rules, matching is evaluated by egress kind in a fixed order:\nSingbox first, then Socks5, then Direct. Block rules always take precedence\nand are evaluated before any non-block rules. The ordering does not depend on\negress id names or the order of keys in the TOML file, ensuring deterministic\nresults even when patterns overlap.\n\nExample outcomes:\n- `zen.exe` + `youtube.com` -\u003e `proxy` (CIADPI)\n- `zen.exe` + `chatgpt.com` -\u003e `vpn` (sing-box)\n- `ciadpi.exe` -\u003e `direct`\n- unknown app or domain -\u003e `direct`\n\n## Roadmap\n\nPhase 2:\n- stable split tunneling enforcement implementation (WFP)\n- domain routing via DNS correlation cache\n- rule sets and includes\n\nPhase 3:\n- GUI (optional)\n- profiles, presets, metrics\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fqqrm%2Fpolicy-router-rs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fqqrm%2Fpolicy-router-rs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fqqrm%2Fpolicy-router-rs/lists"}