root
168596bcb5
Three follow-up fixes after the WinDivert→sing-box pivot: 1. Discord updater now routes through upstream. Previously only the process-name rule matched, but sing-box's TUN-side process detection on Windows mis-attributes the in-process Rust updater's TLS connection to e.g. steam.exe — the connection went direct and hit RKN block. Adding domain_suffix + ip_cidr rules for Cloudflare (162.159/16, 104.16/13, 172.64/13) and Fastly (199.232/16, 151.101/16) catches updates.discord.com regardless of which PID the kernel claims sent it. Verified via curl through mihomo: updates.discord.com responds 400 in 393ms (i.e. TLS handshake succeeds, only the path is wrong — proves the routing reaches it). 2. DiscordSystemHelper.exe added to TargetProcs alongside Update.exe (modern Discord builds use it for elevated updates). 3. UDP voice quality test removed from the checker. The STUN-via- relay burst measured private mihomo BND.ADDR (192.168.1.132) which is unroutable from external clients, so the test reported 100% loss every time despite voice actually working through sing-box's TUN+SOCKS5. The remaining 6 checks (TCP/greet/auth/ connect/UDP/api) cover what's actionable; voice quality is verified empirically by joining a Discord call. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Drover-Go
Discord proxy / DPI bypass tool. Routes Discord traffic through a SOCKS5 proxy via kernel-level packet capture (WinDivert), bypassing the limitations of in-app proxy settings and surviving Discord auto-updates.
What it solves
Discord doesn't support proxies for voice/video traffic. Existing DLL-injection tools (drover, discord-voice-proxy) modify Discord.exe, which:
- triggers antivirus heuristics (unsigned DLL injecting into a popular app),
- breaks every time Discord auto-updates,
- doesn't proxy
Update.exeitself, so the updater fails when Discord servers are blocked.
Drover-Go uses WinDivert — a Microsoft-signed kernel driver — to capture packets at the network stack level. No modification of Discord, works for any Discord variant (Stable/Canary/PTB/Vesktop), survives auto-updates, minimal AV detection.
Status
Pre-alpha. See implementation plan for details.
How it works
Discord.exe (unmodified)
↓ TCP/UDP
WinDivert.sys (kernel filter)
↓ matched packets
drover.exe (Go)
├── TCP redirect to local SOCKS5 listener → SOCKS5 CONNECT → upstream proxy
└── UDP encapsulation (RFC 1928) → SOCKS5 UDP ASSOCIATE → upstream proxy
For UDP voice that's blocked even via SOCKS5 (DPI on the proxy's TCP control channel), drover-go injects a fake QUIC initial packet (à la zapret-discord-youtube) before forwarding — DPI sees "QUIC to Google" instead of Discord media.
Requirements
- Windows 10 1903+ or Windows 11 (x64). ARM64 not supported by WinDivert.
- Administrator privileges for first run (driver install).
- Upstream SOCKS5 proxy with UDP ASSOCIATE support (e.g.
mihomo,sing-box).
Install
Download the latest release from releases:
drover-vX.Y.Z-setup.exe— installer with Start Menu shortcut, registers in Apps & Features for clean uninstall.drover-vX.Y.Z-windows-amd64.zip— portable, just unzip and run.
Verify SHA256 against SHA256SUMS.txt in the same release.
License
MIT for our code. WinDivert (embedded) is LGPL-3.0.
Acknowledgements
- imgk/divert-go — Go bindings for WinDivert
- imgk/shadow — transparent proxy reference architecture
- runetfreedom/force-proxy — SOCKS5 UDP ASSOCIATE flow reference
- Flowseal/zapret-discord-youtube — fake QUIC payload
- basil00/WinDivert — kernel packet capture driver