Shustree Routing Architecture and Whitelisting

Legal Compliance and Statutory Neutrality

The Shustree project operates strictly within the legal framework and is guided by the principle of rigorous legal positivism. In our operations, we rely exclusively on official statutory instruments, legally binding judicial decisions, and direct mandates issued by relevant regulatory and executive authorities.

As a purely technological service, Shustree maintains absolute legal and informational neutrality: any public statements, evaluative commentary by political figures, institutional press offices, or mass media representatives regarding private opinions on internet resource restrictions do not constitute sources of law and are deliberately disregarded when shaping the service's technical policies and routing algorithms.

Shustree operates on its own proprietary network infrastructure deployed across Tier III data centers adhering to the world's most stringent compliance standards (Selectel and Google Cloud). We fundamentally decline to lease questionable virtual capacities from low-cost providers, thereby guaranteeing maximum uptime, comprehensive data security, and the absolute absence of hidden logging.

Shustree's network logic entirely eliminates the use of third-party software. The entire ecosystem—ranging from edge routers to server-side proxy daemons—consists of software products developed entirely in-house.

1. Browser Extension: Two-Tier Selective Routing

Unlike extensions such as uBoost, HyperTube, and their numerous clones, which employ gray-hat schemes mapping foreign IP addresses to Russian servers via BGP, Shustree utilizes transparent, end-to-end physical routing:

• Initial Traffic Ingestion: All network requests originating from the browser extension are received by our primary Russian nodes hosted in highly interconnected Selectel data centers.
• Intelligent Separation: Traffic is instantaneously segregated at the internal gateway. Local Russian requests are processed directly, while international traffic is securely tunneled via isolated channels to our overseas hosts.

This provides users with all the benefits of legitimate, high-speed VPN access to unrestricted digital platforms, minimizing Round-Trip Time (RTT) due to optimized peering and traffic exchange layouts.

2. Android Mobile Client: L4 Tunneling and IP Filtering

Within the Shustree mobile application, traffic protection and routing are implemented at a deeper, lower-level layer:

Custom L4 Protocols (Transport Layer)

For traffic encapsulation, we utilize proprietary, lightweight Layer 4 (L4) protocols for both TCP and UDP. These protocols deliver cryptographic resilience, robust session encryption, and high throughput, preventing tunnel detection and throttling by telecom operators' Deep Packet Inspection (DPI) systems.

Traffic filtering is executed across two independent boundaries:

1. At the Client Application Level (Local): The initialized VpnService framework strictly bypasses traffic intended for platforms and social networks officially restricted in the RF (such as Facebook, Instagram, LinkedIn). This is achieved by explicitly declaring permitted applications via the system's addAllowedApplication API method. Consequently, resources from restricted platforms are routed into the network bypassing the Shustree tunnel, managed directly by the Android OS kernel.
   Android Developer Documentation: VpnService.Builder.addAllowedApplication
2. At the Proxy Server Level (Remote): The network gateway continuously cross-references and filters traffic against dynamically updated databases (IP address ranges), blocking nodes associated with malware distributors, phishing schemes, and non-child-safe content.

Engineering Specifics of Filtering: In contrast to the browser extension, where the chrome.proxy API allows operating with Fully Qualified Domain Names (FQDN) at the request initiation stage, the mobile app receives low-level IP packets via the system's VpnService interface before web host addresses are resolved into domains. Because of this, the Shustree backend works directly with massive subnets and IP ranges, ensuring instant filtering overhead-free of DNS resolution delays.

As part of a scheduled infrastructure upgrade, the mobile application will soon be transitioned to a hybrid routing architecture identical to the one used in our browser extension, enabling even more granular traffic selectivity.