VPN Proxy Support

Purpose

Route headless Chrome traffic through a SOCKS5 proxy during first-time WhatsApp device linking. Only needed for the initial QR scan and “Loading your chats” phase – once the session is established, the proxy is no longer required.

Why Proxies Are Needed

WhatsApp checks the browser’s IP during the sync/“Loading your chats” phase after QR scan. Known VPN exit node IPs (ProtonVPN, etc.) trigger session termination. Regular datacenter IPs from VPS providers work fine.

Investigation Results

Conclusion: IP reputation determines success, not browser fingerprint. Use regular VPS IPs, not consumer VPN services.

Configuration

CHROME_PROXY Environment Variable

Set in the gateway .env file:

CHROME_PROXY=socks5://172.17.0.1:1080

The gateway provisioner passes this to Docker containers. Inside the container, WhatsAppService reads process.env.CHROME_PROXY and adds --proxy-server to Chrome launch args.

Important: Only Chrome traffic is proxied. Node.js/API traffic (slice backend) communicates directly – the proxy is not in the network path for API calls.

WireGuard Split Tunneling Setup

For running a SOCKS5 proxy through a WireGuard VPN:

• Table=off in [Interface] prevents WireGuard from overriding default routes
• Custom routing table: ip rule add from $IP table 42, ip route add default via $GW table 42
• microsocks bound to WireGuard interface IP for SOCKS5 proxy
• Docker containers reach host proxy via 172.17.0.1 (Docker bridge gateway)
• UFW must allow 172.17.0.0/16 to proxy ports

Recommended Strategy

1. Use cheap $3-5/month VPS instances (Hetzner, Vultr, DigitalOcean) for clean IPs
2. Run microsocks or similar lightweight SOCKS5 proxy on each VPS
3. Rotate IP after each first-time link
4. Proxy only needed for initial ~5 minutes of linking

Files Modified

Status

Complete. CHROME_PROXY support deployed. ProtonVPN IPs confirmed non-functional; regular VPS IPs work.