VPS setup scripts and modules for routing all system traffic through an encrypted gateway proxy, bypassing restrictive firewalls.
Railway proxy server: o-x-api/internet-gateway
Blocked HTTPS (discord.com, google.com, etc.)
│
▼
┌─────────────────────────────┐
│ VPS (Daytona etc.) │
│ ┌───────────────────────┐ │
│ │ MITM Proxy (:8888) │──┼──► Railway Gateway (internet-gateway)
│ │ - intercepts HTTPS │ │ │
│ │ - re-encrypts via CA │ │ ▼
│ │ - forwards to Railway│ │ ┌──────────┐
│ └───────────────────────┘ │ │ /raw │──► Target (discord.com)
│ │ │ endpoint │
│ ┌───────────────────────┐ │ └──────────┘
│ │ QEMU VMs │ │
│ │ - use 10.0.2.2:8888 │──┼──► Host MITM (:8888) → Railway
│ └───────────────────────┘ │
└─────────────────────────────┘
- The Railway proxy (
*.up.railway.app) is whitelisted by most firewalls. - The VPS MITM proxy (port 8888) intercepts HTTPS via a dynamically-generated CA cert, re-encrypts, and forwards to Railway's
/rawendpoint. - Nested QEMU VMs reach the host's MITM proxy at
10.0.2.2:8888.
git clone https://github.com/o-x-api/internet-gateway.git
cd internet-gateway
railway login
railway upGo in Railway
** Sign Up With Your GitHub Account**
Then add this repo
https://github.com/o-x-api/internet-gateway
Click Deploy and Go setting Click Generate URL enter Port 8080
Note your Railway URL: https://your-project.up.railway.app
On your VPS:
curl -sSL https://raw.githubusercontent.com/o-x-api/internet-gateway-setup/main/setup.sh | bash| Step | Description |
|---|---|
| 1 | System update (apt update && apt upgrade) |
| 2 | Installs dependencies: openssl, curl, wget, nodejs, npm, node-forge |
| 3 | Generates a CA certificate for MITM HTTPS interception |
| 4 | Sets system-wide proxy environment variables (/etc/profile.d/, /etc/environment, .bashrc) |
| 5 | Creates and starts the MITM proxy server on port 8888 |
| 6 | Configures apt to use the proxy for HTTPS |
| 7 | Creates systemd service (or rc.local fallback) for auto-start |
| 8 | Runs connectivity tests against github.com, npmjs.org, discord.com |
# Restart proxy
pkill -f "node index.js" && cd /home/daytona/mitm-proxy && nohup node index.js >> /home/daytona/mitm-proxy.log 2>&1 &
# View logs
tail -f /home/daytona/mitm-proxy.logVMs running inside the VPS via QEMU can use the host's proxy. The host's MITM proxy is reachable at 10.0.2.2:8888 (QEMU's default gateway address).
Run vm-proxy inside the VM to auto-configure proxy, CA cert, and apt in one command:
sudo vm-proxyOr follow the manual steps below:
Step 1 — SSH into your VM:
# From the VPS host
ssh -p <ssh_port> root@localhostStep 2 — Copy the CA cert from the host into the VM:
The CA cert is needed so curl can verify the MITM proxy's certificates. Two ways:
Option A — SCP from host (if QEMU networking allows it):
# Inside the VM
scp -P <ssh_port> root@10.0.2.2:/tmp/mitm-ca.pem /tmp/Option B — Paste the cert directly (always works):
First, read the cert on the host VPS to see its content:
# Run on the HOST VPS, not inside the VM
cat /home/daytona/mitm-ca.pemCopy the entire output (from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----). Then paste it inside the VM:
# Run inside the VM — paste the cert content between the markers
cat > /usr/local/share/ca-certificates/mitm-ca.crt << 'CERT'
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
CERT
update-ca-certificates --freshYou can also find the cert on the host at /home/daytona/mitm-ca.pem or /tmp/mitm-ca.pem.
Step 3 — Configure proxy permanently (survives reboot):
# Proxy environment variables (applied on every login)
cat > /etc/profile.d/proxy.sh << 'EOF'
export http_proxy=http://10.0.2.2:8888
export https_proxy=http://10.0.2.2:8888
export HTTP_PROXY=http://10.0.2.2:8888
export HTTPS_PROXY=http://10.0.2.2:8888
export NO_PROXY=localhost,127.0.0.1,::1,10.0.2.2
export no_proxy=localhost,127.0.0.1,::1,10.0.2.2
EOF
chmod +x /etc/profile.d/proxy.sh
source /etc/profile.d/proxy.sh
# Install CA cert so curl works without --insecure
cp /tmp/mitm-ca.pem /usr/local/share/ca-certificates/mitm-ca.crt
update-ca-certificates --fresh
# apt proxy
mkdir -p /etc/apt/apt.conf.d
cat > /etc/apt/apt.conf.d/99proxy << 'EOF'
Acquire::http::Proxy "http://10.0.2.2:8888";
Acquire::https::Proxy "http://10.0.2.2:8888";
EOFStep 4 — Test:
curl -sI https://discord.com | head -2Expected output:
HTTP/1.1 200 Connection Established
The
200 Connection Establishedline is the proxy's CONNECT response. It means the proxy successfully intercepted and forwarded the request through the Railway gateway.
export http_proxy=http://10.0.2.2:8888
export https_proxy=http://10.0.2.2:8888
curl -sI --insecure https://discord.com | head -2The --insecure flag skips CA verification (use only for testing; install the CA cert for production use).
Note:
10.0.2.2is QEMU's default gateway — it always points to the host machine.
sed -i 's|GATEWAY_URL=.*|GATEWAY_URL=https://new-url.up.railway.app|' /etc/profile.d/internet-gateway.sh
pkill -f "node index.js" && . /etc/profile.d/internet-gateway.sh && cd /home/daytona/mitm-proxy && nohup node index.js >> /home/daytona/mitm-proxy.log 2>&1 &internet-gateway-setup/
├── README.md
├── setup.sh # VPS setup script (MITM proxy + env + auto-start)
├── internet-gateway.js # Client-side Node.js patching module
└── railway/
└── proxy.js # Railway gateway deployment code
Created by ABDULLAH