Plug & play USB privacy dongle, powered by Raspberry Pi Zero 2 W.
No apps. No drivers. Just plug it in, turn off WiFi, and browse anonymously through VPN or residential proxy.
| Feature | Description |
|---|---|
| β Plug & Play | Auto-detected as Ethernet on Windows (RNDIS) and macOS (ECM) |
| π‘οΈ WireGuard VPN | Fast, modern VPN with multi-profile support |
| π Residential Proxy | Transparent proxy through residential IPs with SNI extraction |
| π« Ad & Tracker Blocking | DNS-level blocking (StevenBlack, AdAway, malware lists) |
| π Split Tunneling | Route specific IPs outside the VPN |
| π² MAC Randomization | WiFi MAC auto-changes on each boot. Manual change from dashboard too |
| π Bandwidth Monitor | Real-time transfer stats and speed measurement |
| π Leak Protection | DNS leak prevention, WebRTC blocking, kill switch |
| π DNS Management | Google, Cloudflare, Quad9 presets or custom servers |
| π₯οΈ Web Dashboard | Manage everything from 192.168.7.1 |
| Software VPN | ShadowPlug | |
|---|---|---|
| Installation | App on every device | Plug in USB, done |
| Scope | Per-app or per-device | All traffic, OS-level |
| Leak risk | App crash = IP exposed | Hardware-level, no leaks |
| Detection | VPN process detectable | Invisible to OS |
| Portability | Tied to device install | Carry between any computer |
| Ad blocking | Separate tool needed | Built in |
| Residential proxy | Not available | Built-in rotation |
| Kill switch | Software-based, can fail | Network-level, always on |
| Speed | Full speed | ~30-40 Mbps VPN / ~12-15 Mbps proxy |
π‘ Speed note: The Pi Zero 2 W uses USB 2.0. In real-world tests, WireGuard VPN reaches ~30-40 Mbps (datacenter IP) and residential proxy ~12-15 Mbps (ISP routing overhead). More than enough for web browsing, video calls, and standard streaming.
- Raspberry Pi Zero 2 W
- microSD card (4 GB+)
- USB cable:
- Windows: micro-USB β USB-A
- Mac: micro-USB β USB-C (direct cable, not adapter)
- OpenWrt 25.x (bcm2710 image for Pi Zero 2 W)
A server running WireGuard is required. Any VPS provider works (Hetzner, DigitalOcean, Vultr, etc.) or any WireGuard-compatible commercial VPN.
For residential IP masking, you'll need a proxy service that supports HTTP CONNECT with authentication. Works with any compatible provider.
Download the Raspberry Pi Zero 2 W image and flash it:
gunzip -c openwrt-*.img.gz | sudo dd of=/dev/sdX bs=4M status=progressssh root@192.168.1.1
wget -O- https://raw.githubusercontent.com/erayerturk/shadowplug/main/setup/install.sh | shThe script will guide you through everything interactively:
β shadowplug Installer
[1/8] WiFi Setup
WiFi SSID: MyHomeWiFi
WiFi Password: supersecret123
Connected!
[2/8] Installing packages...
[3/8] Installing Python dependencies...
[4/8] Setting up USB gadget...
[5/8] Configuring network...
[6/8] Configuring firewall...
[7/8] Setting up WireGuard...
Your Pi's public key (add this to your VPN server):
aBcDeFgHiJkLmNoPqRsTuVwXyZ1234567890abcdefg=
Configure VPN server now? (y/n): y
Server IP: 49.13.x.x
Server Port [51820]: 51820
Server Public Key: xYzAbCdEfGhIjKlMnOpQrStUvWxYz1234567890xyz=
Client Address [10.7.0.2/24]: 10.7.0.2/24
VPN configured!
[8/8] Setting up ShadowPlug web UI...
β
Installation complete!
1. Plug the Pi into your computer via USB
2. Open http://192.168.7.1
3. Configure your VPN server
- Plug the Pi into your computer via USB
- Turn off WiFi on your computer
- Open
http://192.168.7.1and configure VPN or proxy - Verify:
curl ifconfig.meshould show your VPN/proxy IP
Need a VPN server? Run this on any VPS
wget -O- https://raw.githubusercontent.com/erayerturk/shadowplug/main/setup/server-setup.sh | sudo sh
shadowplug/
βββ README.md
βββ setup/
β βββ install.sh # Pi-side automated installer
β βββ server-setup.sh # VPN server setup script
β βββ configs/
β βββ usb-gadget # USB RNDIS+ECM composite init
β βββ wg0.conf.template # WireGuard config template
β βββ hotplug-usb-ip # Carrier-based IP assignment
β βββ shadowplug-service # Web UI init script
βββ web/
βββ app.py # Flask API backend
βββ proxy_server.py # Transparent proxy engine
βββ requirements.txt
βββ static/
βββ index.html # Dashboard SPA
βββ style.css # Dark theme
βββ app.js # Frontend logic
Mac/PC TCP traffic
β iptables PREROUTING (REDIRECT to :12345)
β proxy_server.py
β SO_ORIGINAL_DST (recovers real destination IP)
β TLS Client Hello SNI extraction (recovers domain name)
β HTTP CONNECT with auth to upstream proxy
β Residential proxy exit
- QUIC (UDP 443) is automatically blocked to force browsers to use TCP
- DNS is served by the Pi's local dnsmasq with MASQUERADE for upstream
- No redsocks - direct kernel-to-Python socket handoff via
SO_ORIGINAL_DST
| Tab | Description |
|---|---|
| VPN | WireGuard config, key generation, connection test, profile switching |
| Blocking | DNS-level ad/tracker/malware blocking with custom domains |
| Network | MAC randomization, bandwidth stats, split tunneling, firewall |
| Privacy | DNS leak protection, WebRTC blocking, kill switch |
| Proxy | Residential proxy config and transparent proxy management |
| DNS | DNS server settings with quick presets |
| System | CPU temperature, RAM, load average, reboot |
| Issue | Solution |
|---|---|
| Windows: Unknown device | Device Manager β Update driver β Network β Microsoft β Remote NDIS |
| Mac: No ethernet appearing | Use a direct micro-USB β USB-C cable (not via adapter) |
| Can't access dashboard | Check if Flask is running: ps | grep python |
| VPN not connecting | Verify keys match on both server and Pi |
| Blocking not working | Restart dnsmasq: /etc/init.d/dnsmasq restart |
| Proxy: still seeing VPN IP | Restart Chrome (clears QUIC cache) after enabling proxy |
| Proxy: 403 Forbidden | Some non-standard ports (8080, etc.) are blocked by residential proxies |
| No internet with WiFi off | Verify DHCP DNS is set to 192.168.7.1 |
Questions, feedback, or collaboration: contact@erayerturk.com
MIT