Warning
This is a hobby experiment, not a censorship-resistant transport. It was developed and tested primarily against signature-based DPI, not behavioral or traffic-analysis systems (e.g. GFW-style statistical detection).
While the realistic mode reduces traffic anomalies, no resistance against volume- or behavior-based analysis is claimed. Do not rely on this as your only circumvention layer in high-risk environments.
Also, this project is presented for educational purposes only. The author does not encourage violating the laws of your country and/or using this tool to access prohibited resources.
Proxy server that masquerades as a Minecraft server to establish encrypted tunnels and bypass network restrictions.
To connect to the server, use the client
- AES-GCM Encryption — All tunnel traffic encrypted with per-user key
- Minecraft Camouflage — Fully mimics Minecraft Java server
- Two Tunnel Modes:
fast— maximum speed (default)realistic— throttled + paced to look like real player traffic
- Stream Multiplexing — yamux (multiple connections over one tunnel)
- Realistic Player Simulation — moving player + terrain + fluctuating online count
- Multi-user Auth — passwords + optional nicknames + subscription links
The protocol leverages Minecraft's packet structure for stealth operation:
- Initial Handshake: Client connects and performs standard Minecraft handshake/status/login sequence
- Authentication: Username is derived from SHA256(password), validated against server's authorized users map
- Protocol Simulation: Server sends Join Game, Player Position, Keep-Alive, and Time Update packets to maintain appearance
- Tunnel Establishment: After authentication, yamux multiplexed session is initiated over the connection
- Traffic Encapsulation: Data is encrypted with AES-GCM and embedded inside Minecraft Chunk Data packets (0x25)
- Each chunk uses realistic coordinates based on simulated player position
- Includes authentic NBT heightmap data (MOTION_BLOCKING tag with packed height values)
- Encrypted payload follows the heightmap structure
- Stream Proxying: Each yamux stream reads target address and proxies TCP connection bidirectionally
The key insight: Minecraft chunk packets can be arbitrarily large and frequent, making them perfect carriers for encrypted tunnel traffic while maintaining protocol compliance.
- Linux server (Ubuntu, Debian, etc.)
- Root access (for installation)
- Open port (default 25565)
git clone https://github.com/dmitrymodder/minewire.git
cd minewire
sudo bash setup.shThe script automatically:
- Detects system architecture (amd64/arm64)
- Downloads the latest pre-compiled binary from GitHub Releases
- Verifies SHA256 checksum
- Creates system user
minewire - Installs binary to
/usr/local/bin/minewire-server - Creates config at
/etc/minewire/server.yaml - Installs systemd service
- Reloads systemd
curl -fsSL https://raw.githubusercontent.com/dmitrymodder/minewire/main/setup.sh | sudo bashNote: One-line install requires the repository to be cloned for config and service files. Use the Quick Install method above for first-time setup.
Download the latest binary from GitHub Releases:
# Download binary (replace amd64 with arm64 if needed)
sudo curl -fsSL -o /usr/local/bin/minewire-server \
https://github.com/dmitrymodder/minewire/releases/latest/download/minewire-server-linux-amd64
sudo chmod +x /usr/local/bin/minewire-server
# Create user
sudo useradd --system --no-create-home --shell /bin/false minewire
# Setup config
sudo mkdir -p /etc/minewire
sudo cp server.yaml /etc/minewire/server.yaml
sudo cp server-icon.png /etc/minewire/server-icon.png
sudo chown -R minewire:minewire /etc/minewire
sudo chmod 750 /etc/minewire
sudo chmod 640 /etc/minewire/server.yaml
# Install service
sudo cp minewire-server.service /etc/systemd/system/
sudo systemctl daemon-reloadopenssl rand -hex 16Example output: 3d7e8a190604e9da51a3543a23421d20
Edit /etc/minewire/server.yaml:
listen_port: "25565"
passwords:
- "YOUR_PASSWORD_1"
- "YOUR_PASSWORD_2"
# Minecraft metadata (for camouflage)
version_name: "1.21.10"
protocol_id: 773
icon_path: "server-icon.png"
motd: "§bMinewire Proxy Server\\n§eSecure Tunnel Active"
# Player simulation
max_players: 20
online_min: 4
online_max: 20
mode: "fast"
realistic_bandwidth_kb: 128
realistic_burst_kb: 512Replace with your 64x64 PNG:
sudo cp your-icon.png /etc/minewire/server-icon.png
sudo chown minewire:minewire /etc/minewire/server-icon.png# Start
sudo systemctl start minewire-server
# Stop
sudo systemctl stop minewire-server
# Restart
sudo systemctl restart minewire-server
# Status
sudo systemctl status minewire-server
# View logs
sudo journalctl -u minewire-server -n 50
# Follow logs
sudo journalctl -u minewire-server -f
# Enable auto-start
sudo systemctl enable minewire-serversudo ufw allow 25565/tcp
sudo ufw enablesudo firewall-cmd --permanent --add-port=25565/tcp
sudo firewall-cmd --reloadsudo systemctl stop minewire-server
sudo systemctl disable minewire-server
sudo rm /usr/local/bin/minewire-server
sudo rm /etc/systemd/system/minewire-server.service
sudo rm -rf /etc/minewire
sudo userdel minewire
sudo systemctl daemon-reloadmain.go- Entry point, connection handlinghandler.go- Protocol logic, encryption, tunnelingprotocol.go- Minecraft protocol primitives (VarInt, String, etc.)motion.go- Player movement simulation for realistic chunk coordinatesthrottle.go- Slows down traffic for realistic modeserver.yaml- Server configurationminewire-server.service- systemd service unitsetup.sh- Installation script
Authentication: Client hashes password with SHA256, takes first 8 hex chars, prefixes with "Player" to generate username. Server validates against pre-computed map.
Encryption: Per-user AES-GCM key derived from SHA256(password). Each write generates random nonce, encrypts data, prepends nonce to ciphertext.
Packet Structure: Chunk Data (0x25) format:
- Chunk X/Z coordinates (based on simulated player position)
- NBT heightmap compound tag with MOTION_BLOCKING long array (37 longs, 9-bit packed heights)
- VarInt length + encrypted payload
- Empty block entities and light mask arrays
Motion Simulation: Random walk algorithm with terrain-following Y-coordinate adjustment. Updates periodically to generate varied chunk coordinates, enhancing camouflage.
| Mode | Speed | Stealth Level | Use Case |
|---|---|---|---|
fast |
Maximum | Signature and patterns | Low-risk, maximum performance |
realistic |
Moderate (~120 KB/s by default) | All + traffic volume | Higher-risk environments |
MIT