v0.5.1: static musl builds for OpenWRT (amd64 + arm64)

therealaleph · therealaleph · commit 6c5b62e5e6ae · 2026-04-22T02:29:26.000+03:00
A user on OpenWRT x86_64 reported the linux release doesn't run there — root cause was glibc vs musl mismatch (our gnu binary was looking for a dynamic linker that doesn't exist on router userlands). Add two musl targets that produce fully static PIE binaries: - x86_64-unknown-linux-musl -> mhrv-rs-linux-musl-amd64.tar.gz - aarch64-unknown-linux-musl -> mhrv-rs-linux-musl-arm64.tar.gz CI uses the messense/rust-musl-cross docker images (better-maintained than cargo-zigbuild with a pinned zig, which has version regressions on the ar wrapper between 0.13 and 0.16). Locally verified: - both archs cross-compile green in docker - resulting x86_64 binary (3.3 MB) runs in an alpine:latest container, --version / --help work, no dynamic lib requirements The musl archive skips the UI (routers are headless) and swaps run.sh for a procd init script (assets/openwrt/mhrv-rs.init) expecting the binary at /usr/bin/mhrv-rs and config at /etc/mhrv-rs/config.json. Side effect: switched tokio-rustls to default-features=false + ring (was pulling aws-lc-rs transitively, which can't easily cross-compile for musl). The main crate already uses ring explicitly, so no runtime behavior change. README gets a 'Running on OpenWRT (or any musl distro)' section in both English and Persian with scp + procd enable/start recipe. Closes #2.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -29,6 +29,12 @@ jobs:
           - target: x86_64-pc-windows-gnu
             os: windows-latest
             name: mhrv-rs-windows-amd64
+          - target: x86_64-unknown-linux-musl
+            os: ubuntu-latest
+            name: mhrv-rs-linux-musl-amd64
+          - target: aarch64-unknown-linux-musl
+            os: ubuntu-latest
+            name: mhrv-rs-linux-musl-arm64
 
     runs-on: ${{ matrix.os }}
 
@@ -61,6 +67,7 @@ jobs:
           echo '[target.aarch64-unknown-linux-gnu]' >> ~/.cargo/config.toml
           echo 'linker = "aarch64-linux-gnu-gcc"' >> ~/.cargo/config.toml
 
+
       - name: Install Windows MinGW toolchain
         if: matrix.target == 'x86_64-pc-windows-gnu'
         id: msys2
@@ -80,13 +87,32 @@ jobs:
           Add-Content -Path $env:USERPROFILE/.cargo/config.toml -Value "linker = '$gcc'"
 
       - name: Build CLI
+        if: "!endsWith(matrix.target, '-linux-musl')"
         run: cargo build --release --target ${{ matrix.target }} --bin mhrv-rs
 
+      # Fully-static musl builds for OpenWRT / Alpine / libc-less systems.
+      # messense/rust-musl-cross ships a pre-built musl toolchain so `ring`
+      # (rustls' crypto backend) cross-compiles cleanly on both archs.
+      - name: Build CLI (musl via docker)
+        if: matrix.target == 'x86_64-unknown-linux-musl'
+        run: |
+          docker run --rm --user "$(id -u):$(id -g)" -v "$PWD":/src -w /src \
+            messense/rust-musl-cross:x86_64-musl \
+            cargo build --release --target x86_64-unknown-linux-musl --bin mhrv-rs
+
+      - name: Build CLI (musl via docker, arm64)
+        if: matrix.target == 'aarch64-unknown-linux-musl'
+        run: |
+          docker run --rm --user "$(id -u):$(id -g)" -v "$PWD":/src -w /src \
+            messense/rust-musl-cross:aarch64-musl \
+            cargo build --release --target aarch64-unknown-linux-musl --bin mhrv-rs
+
       # UI build: we try to build the UI binary on every platform. If it fails
       # on cross-compile for linux-arm64 (missing arm64 system libs cross),
-      # we still ship the CLI.
+      # we still ship the CLI. We also skip the UI on musl targets (OpenWRT etc.
+      # are headless, bundling X11 makes no sense).
       - name: Build UI
-        if: matrix.target != 'aarch64-unknown-linux-gnu'
+        if: matrix.target != 'aarch64-unknown-linux-gnu' && !endsWith(matrix.target, '-linux-musl')
         run: cargo build --release --target ${{ matrix.target }} --features ui --bin mhrv-rs-ui
 
       - name: Package (unix)
@@ -99,12 +125,22 @@ jobs:
             cp target/${{ matrix.target }}/release/mhrv-rs-ui dist/mhrv-rs-ui
             chmod +x dist/mhrv-rs-ui
           fi
-          cp assets/launchers/run.sh dist/run.sh
-          chmod +x dist/run.sh
-          if [ "${{ runner.os }}" = "macOS" ]; then
-            cp assets/launchers/run.command dist/run.command
-            chmod +x dist/run.command
-          fi
+          # OpenWRT / musl archives get the procd init script instead of run.sh,
+          # since routers don't have a CA to install and run headless via procd.
+          case "${{ matrix.target }}" in
+            *-linux-musl)
+              cp assets/openwrt/mhrv-rs.init dist/mhrv-rs.init
+              chmod +x dist/mhrv-rs.init
+              ;;
+            *)
+              cp assets/launchers/run.sh dist/run.sh
+              chmod +x dist/run.sh
+              if [ "${{ runner.os }}" = "macOS" ]; then
+                cp assets/launchers/run.command dist/run.command
+                chmod +x dist/run.command
+              fi
+              ;;
+          esac
 
       - name: Build macOS .app bundle
         if: runner.os == 'macOS'
@@ -130,13 +166,20 @@ jobs:
         shell: bash
         run: |
           cd dist
-          if [ "${{ runner.os }}" = "Windows" ]; then
-            7z a -tzip "${{ matrix.name }}.zip" mhrv-rs.exe mhrv-rs-ui.exe run.bat
-          elif [ "${{ runner.os }}" = "macOS" ]; then
-            tar czf "${{ matrix.name }}.tar.gz" mhrv-rs mhrv-rs-ui run.sh run.command
-          else
-            tar czf "${{ matrix.name }}.tar.gz" mhrv-rs mhrv-rs-ui run.sh 2>/dev/null || tar czf "${{ matrix.name }}.tar.gz" mhrv-rs run.sh
-          fi
+          case "${{ matrix.target }}" in
+            *-pc-windows-*)
+              7z a -tzip "${{ matrix.name }}.zip" mhrv-rs.exe mhrv-rs-ui.exe run.bat
+              ;;
+            *-apple-darwin)
+              tar czf "${{ matrix.name }}.tar.gz" mhrv-rs mhrv-rs-ui run.sh run.command
+              ;;
+            *-linux-musl)
+              tar czf "${{ matrix.name }}.tar.gz" mhrv-rs mhrv-rs.init
+              ;;
+            *)
+              tar czf "${{ matrix.name }}.tar.gz" mhrv-rs mhrv-rs-ui run.sh 2>/dev/null || tar czf "${{ matrix.name }}.tar.gz" mhrv-rs run.sh
+              ;;
+          esac
 
       - uses: actions/upload-artifact@v4
         with:
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "mhrv-rs"
-version = "0.5.0"
+version = "0.5.1"
 edition = "2021"
 description = "Rust port of MasterHttpRelayVPN -- DPI bypass via Google Apps Script relay with domain fronting"
 license = "MIT"
@@ -24,7 +24,7 @@ ui = ["dep:eframe"]
 
 [dependencies]
 tokio = { version = "1", features = ["rt-multi-thread", "macros", "net", "time", "io-util", "signal", "sync"] }
-tokio-rustls = "0.26"
+tokio-rustls = { version = "0.26", default-features = false, features = ["ring", "tls12"] }
 rustls = { version = "0.23", default-features = false, features = ["ring", "std", "tls12"] }
 rustls-pemfile = "2"
 webpki-roots = "0.26"
diff --git a/README.md b/README.md
@@ -211,6 +211,27 @@ Example config fragment (both UI and JSON):
 
 HTTP/HTTPS continues to route through the Apps Script relay (no change), and the SNI-rewrite tunnel for `google.com` / `youtube.com` / etc. keeps bypassing both — so YouTube stays as fast as before while Telegram gets a real tunnel.
 
+## Running on OpenWRT (or any musl distro)
+
+The `*-linux-musl-*` archives ship a fully static CLI that runs on OpenWRT, Alpine, and any libc-less Linux userland. Put the binary on the router and start it as a service:
+
+```sh
+# From a machine that can reach your router:
+scp mhrv-rs root@192.168.1.1:/usr/bin/mhrv-rs
+scp mhrv-rs.init root@192.168.1.1:/etc/init.d/mhrv-rs
+scp config.json root@192.168.1.1:/etc/mhrv-rs/config.json
+
+# On the router:
+chmod +x /usr/bin/mhrv-rs /etc/init.d/mhrv-rs
+/etc/init.d/mhrv-rs enable
+/etc/init.d/mhrv-rs start
+logread -e mhrv-rs -f   # tail its logs
+```
+
+LAN devices then point their HTTP proxy at the router's LAN IP (default port `8085`) or their SOCKS5 at `<router-ip>:8086`. Set `listen_host` to `0.0.0.0` in `/etc/mhrv-rs/config.json` so the router accepts LAN connections instead of localhost-only.
+
+Memory footprint is ~15-20 MB resident — fine on anything with ≥128 MB RAM. No UI is shipped for musl (routers are headless).
+
 ## Diagnostics
 
 - **`mhrv-rs test`** — sends one request through the relay and reports success/latency. Use this first whenever something breaks — it isolates "relay is up" from "client config is wrong".
@@ -429,6 +450,27 @@ Firefox cert store خودش را جدا دارد؛ installer تلاش می‌ک
 
 HTTP/HTTPS هیچ تغییری نمی‌کند (همچنان از Apps Script می‌رود) و تونل SNI-rewrite برای `google.com` / `youtube.com` / … هم سر جای خودش است — پس یوتوب مثل قبل سریع می‌ماند و تلگرام بالاخره یک تونل واقعی می‌گیرد.
 
+### اجرا روی OpenWRT (یا هر سیستم musl)
+
+آرشیوهای `*-linux-musl-*` یک CLI کاملاً static می‌دهند که روی OpenWRT، Alpine و هر userland لینوکسی بدون glibc اجرا می‌شود. باینری را روی روتر بگذارید و به‌عنوان سرویس راه بیندازید:
+
+```sh
+# از یک ماشین که به روترتان می‌رسد:
+scp mhrv-rs root@192.168.1.1:/usr/bin/mhrv-rs
+scp mhrv-rs.init root@192.168.1.1:/etc/init.d/mhrv-rs
+scp config.json root@192.168.1.1:/etc/mhrv-rs/config.json
+
+# روی خود روتر:
+chmod +x /usr/bin/mhrv-rs /etc/init.d/mhrv-rs
+/etc/init.d/mhrv-rs enable
+/etc/init.d/mhrv-rs start
+logread -e mhrv-rs -f
+```
+
+بعدش دستگاه‌های LAN، proxy HTTP خودشان را روی IP روتر پورت `8085` (یا SOCKS5 روی `8086`) بگذارند. در `/etc/mhrv-rs/config.json` مقدار `listen_host` را به `0.0.0.0` تغییر دهید تا روتر از LAN هم connection بپذیرد (نه فقط localhost).
+
+مصرف حافظه حدود ۱۵-۲۰ مگابایت است — روی هر روتری با حداقل ۱۲۸ مگابایت RAM اجرا می‌شود. UI برای musl ساخته نمی‌شود (روترها بدون صفحه‌نمایش هستند).
+
 ### محدودیت‌های شناخته‌شده
 
 این‌ها محدودیت‌های ذاتی روش Apps Script + SNI هستند، نه باگ در این کلاینت. نسخهٔ اصلی پایتون هم دقیقاً همین‌ها را دارد.
diff --git a/assets/openwrt/mhrv-rs.init b/assets/openwrt/mhrv-rs.init
@@ -0,0 +1,33 @@
+#!/bin/sh /etc/rc.common
+# OpenWRT procd init script for mhrv-rs.
+# Install as /etc/init.d/mhrv-rs, then:
+#   /etc/init.d/mhrv-rs enable
+#   /etc/init.d/mhrv-rs start
+#
+# Expects:
+#   /usr/bin/mhrv-rs           (the static musl binary from the release)
+#   /etc/mhrv-rs/config.json   (your config)
+
+START=99
+USE_PROCD=1
+
+BIN=/usr/bin/mhrv-rs
+CONFIG=/etc/mhrv-rs/config.json
+
+start_service() {
+    [ -x "$BIN" ] || return 1
+    [ -f "$CONFIG" ] || return 1
+
+    procd_open_instance
+    procd_set_param command "$BIN" --config "$CONFIG" --no-cert-check
+    procd_set_param respawn 3600 5 5
+    procd_set_param stdout 1
+    procd_set_param stderr 1
+    procd_set_param file "$CONFIG"
+    procd_close_instance
+}
+
+reload_service() {
+    stop
+    start
+}
