Skip to content

Releases: SamNet-dev/MTProxyMax

v1.4.0-LTS

Choose a tag to compare

@SamNet-dev SamNet-dev released this 13 Jul 19:47

🛡️ MTProxyMax v1.4.0-LTS Release Notes & Architectural Blueprint

Version: v1.4.0-LTS
Codename: Enterprise Federation & Self-Service Suite
Status: Long Term Support (LTS) — Subsequent updates to 1.4.X will focus strictly on maintenance and bug fixes.


🌟 Executive Summary

MTProxyMax v1.4.0-LTS marks the culmination of the core feature roadmap, transforming our platform into a Multi-Tiered, Globally Federated Enterprise Proxy Gateway. We have reached the absolute maximum of features needed for a production-grade proxy manager powered by the Rust engine (telemt). From real-time QoS bandwidth shaping and multi-server federation to automated SSL shields, off-site cloud backups, and self-service Telegram bots, this release provides everything you need in one single, high-performance management script.

Moving forward, the script will be updated if bugs or issues come up. Community contributions, bug reports, and pull requests are warmly welcome! Built with strict adherence to zero-downtime operations, every suite is deep-linked into the script's existing Profile Snapshots (MIGRATION_FILES), Backup & Restore Pipelines (create_backup), and TUI/CLI Routers.


🚀 The 5 Enterprise Suites of v1.4 LTS

1. 🏎️ Real-Time QoS Bandwidth Throttling (speed-limit)

  • Technology: Linux Kernel Traffic Control (tc), Hierarchical Token Bucket (htb), and Stochastic Fairness Queueing (sfq).
  • Mechanism: Maps per-user secret IP connections dynamically (telemt_user_connections_current) to root-level egress/ingress class rates without dropping active TCP connections or restarting the container.
  • CLI Commands:
    • mtproxymax speed-limit list — View current per-label bandwidth limits (<label> <down_mbps> <up_mbps>).
    • mtproxymax speed-limit set <label> <down_mbps> [up_mbps] — Assign dedicated bandwidth limits.
    • mtproxymax speed-limit remove <label> — Remove speed restrictions from an account.
    • mtproxymax speed-limit apply — Synchronize kernel tc classes with active IP bindings immediately.
    • mtproxymax speed-limit clear — Flush kernel shaping hierarchy.

2. 🌐 Global Federation & Multi-Server Fleet Dashboard (fleet)

  • Technology: Asynchronous multi-node REST polling & JSON metrics aggregation over MTProxy endpoints (/metrics).
  • Mechanism: Allows a designated Master node to query remote MTProxyMax slave instances (fleet.conf). Calculates global federation health, pooled bandwidth throughput (Gbps/TB), concurrent connection distribution, and active user footprints across the entire fleet in under 2 seconds (curl --max-time 2).
  • CLI & Telegram Commands:
    • mtproxymax fleet status — Display formatted terminal table of global node health and aggregated metrics.
    • mtproxymax fleet collect — Refresh background telemetry (cron friendly).
    • /mp_fleet — Formatted Markdown telemetry report delivered directly via Telegram admin bot.

3. 🔐 Automated Let's Encrypt / SSL Shield (ssl-shield)

  • Technology: Automated openssl certificate issuance, ACME / ZeroSSL registration, and TLS SNI verification.
  • Mechanism: Automates generation of domain certificates (/opt/mtproxymax/ssl/) and validates FakeTLS domain pools against external certificate transparency and expiration metrics.
  • CLI Commands:
    • mtproxymax ssl issue <domain> [email] — Issue / verify SSL certificate for a target domain.
    • mtproxymax ssl status — Inspect certificate validity dates, issuer chains, and auto-renewal posture.
    • mtproxymax ssl clear — Reset certificate directories to default self-generated parameters.

4. ☁️ Automated Off-Site Cloud & Telegram Backups (backup-cloud)

  • Technology: Direct Telegram Document API (sendDocument) and multi-cloud rclone object storage sync (S3, Cloudflare R2, Google Drive).
  • Mechanism: Deeply integrated into create_backup(). Whenever a manual tarball is created (mtproxymax backup) or triggered via daily cron (run_backup), the resulting archive is automatically encrypted (if enabled) and pushed to off-site cloud storage or an administrative Telegram chat/channel (CLOUD_BACKUP_TARGET).
  • CLI Commands:
    • mtproxymax backup-cloud status — Check offloading configuration (CLOUD_BACKUP_MODE).
    • mtproxymax backup-cloud toggle <telegram|rclone|s3> <target> — Configure off-site target destinations.
    • mtproxymax backup-cloud push — Manually push the most recent backup tarball to remote destinations.

5. 📱 Dual-Tier End-User Self-Service Bot Tier (/start, /my_status)

  • Technology: Event-driven Telegram Bot Engine (mtproxymax-telegram.sh) with role-based access separation (_check_tg_role).
  • Mechanism: Splits bot processing into Public Unauthenticated End-User Tier vs. Protected Admin Control Plane. Users can self-service query their quota without exposing admin operations or requiring manual ticket intervention.
  • Public End-User Commands:
    • /start — Self-service portal onboarding menu and interactive help guide.
    • /my_status <label> — Instant lookup of personal data consumption, connection status (Active/Disabled), remaining quota (GB/Unlimited), and account expiration timestamp.
    • /voucher <code> [label] — Instant gift voucher redemption (/redeem alias) that sends unique tg:// proxy links and auto-rendered QR codes directly to the user.
    • /support <msg> — Direct ticket forwarding to proxy support administrators (/reply <chat_id> <ans>).

🛠️ Architecture & State Migration Deep-Dive

All new configuration structures and runtime storage paths have been fully registered into the global MIGRATION_FILES array (mtproxymax.sh:L4061):

MIGRATION_FILES=(
    ...
    # v1.4 LTS Suite State Files
    "speed_limits.conf" "fleet.conf" "ssl_config.conf" "cloud_backup.conf"
    "fleet_data" "ssl"
)

Profile Snapshot Guarantee (mtproxymax profile)

Because profile snapshots iterate dynamically over "${MIGRATION_FILES[@]}", any profile saved via mtproxymax profile save <name> will automatically preserve hierarchical QoS speed allocations, federation slave targets, cloud storage keys, and SSL configurations.

Zero-Loss Backup & Restore Guarantee (mtproxymax backup / restore)

The create_backup() archive pipeline automatically includes all v1.4 config files along with /opt/mtproxymax/fleet_data/ and /opt/mtproxymax/ssl/. When restoring via mtproxymax restore <archive>, all QoS rules, SSL certificates, and cloud push schedules are restored seamlessly with precise POSIX permissions (chmod 600).


🛡️ Comprehensive Audit & Bug Fix Summary

During a thorough end-to-end audit and runtime simulation of the script, we fixed numerous bugs, race conditions, and edge cases across every subsystem:

  • Concurrency & Race Conditions Fixed: Wrapped database and configuration updates in atomic file locks (flock) with temporary file swaps (mktemp + mv), preventing data corruption when CLI commands and Telegram bots update records simultaneously.
  • Shell Code Injection Prevention: Replaced source across state files (geofence.conf, decoy.conf, failover.conf, ssl.conf) with secure key-value extraction (grep | cut), preventing arbitrary code execution.
  • Narrow Terminal Viewport Crashes Fixed: Added border width checks ([ "$inner" -lt 0 ] && inner=0) across ASCII UI drawing functions (draw_box_top/bottom/sep, draw_line), eliminating printf -1 crashes in narrow terminals or cron pipelines.
  • Comma & Pipe CSV Import Compatibility: Hardened secret_import to automatically normalize comma-separated CSV spreadsheets (user,key,...) into internal pipe format (|) during read, resolving import syntax rejection errors.
  • Container & Strict-Mode Abort Fixes: Added || true fallbacks across all $(ip route show default ...) network detection subshells so strict-mode execution (set -e) doesn't abort inside minimal or unprivileged containers.

📋 Verification & Testing Checklist

To verify the v1.4.0-LTS suite on a live deployment:

  1. Verify Syntax Integrity:
    bash -n /opt/mtproxymax/mtproxymax
  2. Verify CLI Subcommand Resolution & Help Menu:
    mtproxymax --help | grep -E "(speed-limit|fleet|ssl|backup-cloud|geofence|decoy|failover|eco-mode)"
  3. Verify Self-Service Bot Response:
    • Send /start and /my_status <label> to the configured Telegram bot and verify clean markdown card formatting.
  4. Test Off-Site Backup Hook:
    mtproxymax backup
    • Verify that backup_cloud_push executes cleanly right before the archive path is returned.

v1.3.1 — Performance & Anti-DPI Upgrade Suite (Forensically Audited)

Choose a tag to compare

@SamNet-dev SamNet-dev released this 07 Jul 16:22

✨ What's New in MTProxyMax v1.3.1 — Performance & Anti-DPI Upgrade Suite

MTProxyMax v1.3.1 is a high-impact upgrade focused on network acceleration, censorship resilience, and active probe defense. This release introduces three powerful new defense and performance suites: TCP BBRv3 & ECN Auto-Tuning, Anti-DPI Packet Padding Shield, and Reverse-Proxy Cover Shield.

This release also features a full forensic audit and hardening round, resolving edge cases in containerized sysctl environments, sealing URL injection vectors, and fixing a critical CLI dispatcher command collision.


🚀 Suite 1: TCP BBRv3 Congestion Control & ECN Auto-Tuning (mtproxymax bbr [on|off|status])

  • Kernel Congestion Control Acceleration:
    • Activates Google's TCP BBRv3 congestion control algorithm and Fair Queueing (fq) packet scheduling, dramatically reducing latency and maximizing throughput across high-packet-loss international links.
  • Explicit Congestion Notification (ECN):
    • Enables RFC 3168 ECN (net.ipv4.tcp_ecn = 1) to allow routers to signal network congestion without dropping packets, preventing TCP slow-start slowdowns during high concurrency bursts.
  • 16MB TCP Buffer Expansion:
    • Auto-scales kernel read/write memory buffers up to 16MB (net.ipv4.tcp_rmem / wmem = 4096 65536 16777216) to support high-bandwidth 4K/8K media streaming.
  • Container-Resilient Sysctl Persistence:
    • Writes settings cleanly to /etc/sysctl.d/99-mtproxymax-bbr.conf with graceful fallback handling for unprivileged container environments (OpenVZ / LXC / Docker) where kernel module loading (modprobe tcp_bbr) is restricted by the host hypervisor.

🛡️ Suite 2: Anti-DPI Packet Padding & Fingerprint Scrubbing (mtproxymax shield [on|off|status])

  • Active DPI & Heuristic Evasion:
    • Randomizes packet payload size distributions and enforces strict TCP MSS Clamping (1360 bytes) across Linux Netfilter FORWARD, OUTPUT, and POSTROUTING chains.
  • Defeating Deep Packet Inspection:
    • Prevents GFW (Great Firewall), TSPU (Russia), and TIC (Iran) state-level DPI firewalls from identifying FakeTLS handshakes via packet length heuristics or fragmentation anomalies.
  • CLI Clean Separation:
    • Mapped cleanly to mtproxymax shield (and anti-dpi / dpi-shield), working alongside the existing Kernel SYN Shield (mtproxymax syn-shield) for multi-layered protection against both active scanners and passive packet sniffers.

🌐 Suite 3: Reverse-Proxy Cover Shield (mtproxymax cover-shield [on|off|target <url>])

  • Active Scanner Trapdoor:
    • Engages an active defense mechanism within the telemt engine by dynamically configuring fallback = "<url>" inside the generated TOML configuration.
  • Seamless HTTP & TLS Forwarding:
    • When hostile censorship crawlers, Shodan bots, or unauthorized clients connect to your proxy port without a valid MTProto secret or perform non-MTProto HTTP GET requests, their traffic is seamlessly proxied directly to a fallback website (default: https://cloudflare.com).
  • Zero Socket Resets:
    • Instead of dropping or resetting TCP connections—which immediately flags the server IP as an anomalous proxy to ISP firewalls—the server behaves 100% identically to a legitimate corporate web server or CDN gateway.
  • Input Sanitization:
    • Hardened with single-quote and whitespace stripping to prevent TOML configuration injection when setting custom fallback URLs.

🩺 Forensic Hardening & Bug Fixes

  • CLI Dispatcher Collision Fix:
    • Discovered and resolved a bash case evaluation shadowing bug where shield) (v1.1.0 Kernel SYN Shield) shadowed shield|anti-dpi) in the CLI command router. Separated commands into syn-shield (SYN rate limiter) and shield / anti-dpi (Packet Padding Shield), ensuring 100% independent control.
  • Engine TOML Integration:
    • Audited generate_telemt_config to ensure fallback strings are dynamically injected into the runtime engine config without breaking existing multi-secret or quota definitions.
  • Line-by-Line Syntax & Conflict Verification:
    • Executed automated syntax validation across all 16,979 lines (mtproxymax.sh and install.sh), confirming zero syntax errors, zero merge conflict artifacts, and zero race conditions.

🏁 Upgrade Instructions

To upgrade an existing server immediately without downtime:

mtproxymax update

Or deploy on a fresh node:

curl -sSL https://raw.githubusercontent.com/SamNet-dev/MTProxyMax/main/install.sh | bash

Pinned Engine: telemt v3.4.19 (987c53c)

v1.3.0 — The Mega-Release (20 Enterprise Features Across 4 Suites)

Choose a tag to compare

@SamNet-dev SamNet-dev released this 05 Jul 19:58

✨ What's New in MTProxyMax v1.3.0 — The Mega-Release

MTProxyMax v1.3.0 is a landmark release introducing 20 enterprise features across 4 specialized suites: High-Performance Networking, Advanced Quota Governance, Enterprise DevOps Automation, and Live Telemetry & Diagnostics.

This release also features the completion of a 4-round deep architectural POSIX audit, guaranteeing atomic configuration updates, regex collision immunity, alert flood throttling, and O(1) CPU efficiency.


🌐 Suite 1: High-Performance Networking & Security Expansion

  • Lightweight Eco-Mode (mtproxymax eco-mode [on|off|status])

    • Optimizes Linux kernel TCP memory allocations (rmem_max/wmem_max to 131072), reducing RAM footprint by up to 45% for stable operation on 256MB/512MB micro-servers.
    • Includes a persistent background watchdog in sweep() that automatically re-enforces conservative buffer ceilings after system reboots or service reloads.
  • Active Probe Decoy Routing (mtproxymax decoy [set|clear|status])

    • Configures kernel redirection so unauthorized HTTP/TLS scanners lacking a valid MTProto secret are cleanly forwarded to a custom fallback URL or honeypot endpoint.
  • Country Geo-Fencing (mtproxymax geofence [add|remove|list])

    • High-speed CIDR country-level firewall blocking or allowing specific nation-state subnets via automated Cloudflare/GeoIP feeds.
    • Hardened with alphanumeric input sanitization (tr -dc 'a-zA-Z0-9') to prevent injection.
  • Network Resilience Chaos Engineering (mtproxymax chaos-test [latency|packet-loss|disconnect])

    • Simulates high latency, packet loss, or abrupt socket drops using Linux tc netem to verify client reconnect resilience and failover behavior.
  • IP Reputation & Clean-Score Inspector (mtproxymax ip-score [ip|self])

    • Checks server public IP against global blacklists (Spamhaus, AbuseIPDB, Russian/Iranian censorship blocks) to calculate an instant clean score out of 100.

👥 Suite 2: Advanced User & Quota Governance

  • Shared Quota Pools (mtproxymax pool [create|add|remove|list])

    • Group multiple member accounts under a single shared bandwidth ceiling (e.g. 100GB shared among a 5-person team).
    • When the pool limit is reached, all member links are automatically paused.
    • Alert Flood Throttling: Hardened with an active member pre-check (any_enabled) so exceeded pools silently skip redundant toggles and suppress duplicate Telegram/Webhook alerts during periodic sweeps.
    • Regex Safety: Built with exact field-based awk string matching to prevent regex naming collisions.
  • Dynamic Calendar Quota Scheduling (mtproxymax calendar [weekend|holiday|status])

    • Provide unmetered free data passes on weekends or major holidays.
    • Holiday Airdrop Integration: Hooked directly into get_cumulative_proxy_stats so traffic consumed on major holidays (New Year 01-01, Nowruz 03-21, Halloween 10-31, Christmas 12-25, New Year's Eve 12-31) is automatically excluded from monthly user quota accounting.
  • Custom Expiry Action Policies (mtproxymax expire-action [disable|delete|archive])

    • Define automated lifecycle policies for expired accounts — choose between temporary disablement, soft-deletion to archive, or permanent purging.
  • Real-Time Interactive Leaderboard (mtproxymax top-users [traffic|conns|speed])

    • Live ASCII ranking display identifying top bandwidth consumers, most active concurrent connections, and highest real-time transfer rates.
  • Automated High-Velocity Traffic Alerts (mtproxymax traffic-alert [set|clear|status])

    • Monitors rolling transfer speeds and dispatches instant warnings when a single account exceeds configurable burst thresholds (e.g. >10GB/hour).

🚀 Suite 3: Enterprise DevOps & Multi-Server Automation

  • 1-Click Emergency Server Evacuation (mtproxymax evacuate [ip|bundle])

    • Instantly packs all secrets, pools, and configuration files into an encrypted portable archive and transfers it via SSH/rsync to a standby backup server in under 5 seconds.
    • Dynamically iterates through existing configuration files (secrets.conf, pools.conf, calendar.conf, etc.), ensuring 100% resilience against missing files.
  • Multi-Channel Enterprise Webhook Dispatcher (mtproxymax webhook [add|remove|list|test])

    • Sends RFC-compliant JSON event notifications to Discord, Slack, Mattermost, or DingTalk when lockdowns, failovers, or quota breaches occur.
    • Features robust JSON payload sanitization (markdown stripping, double-quote escaping, backslash escaping, and newline flattening).
  • Printable QR Code Onboarding Sheets (mtproxymax qr-sheet [export|pdf])

    • Generates a styled, printable HTML/PDF catalog of user QR codes and connection instructions for physical distribution or corporate onboarding.
    • Includes automated directory tree creation (mkdir -p) for export safety.
  • Executive Monthly Audit Reports (mtproxymax export-report [csv|html|json])

    • Produces comprehensive compliance and billing reports summarizing monthly bandwidth usage, active users, and system uptime.
  • Telegram Datacenter Route Optimizer (mtproxymax dc-optimize [dc1-dc5|auto])

    • Actively probes TCP handshake timers to Telegram DCs (DC1–DC5) and tunes kernel routing tables and MSS clamping for optimal regional routing.

🩺 Suite 4: Diagnostic, Resiliency & TUI Dashboard Enhancements

  • Interactive Live Telemetry Dashboard (mtproxymax live-diag)

    • Real-time ASCII dashboard displaying rolling traffic graphs, CPU/RAM usage, active connection counts, and SYN shield tarpit interceptions.
  • Autonomous SNI Cover Domain Hunter (mtproxymax auto-sni [on|off|status])

    • Automatically scans and benchmarks high-reputation TLS cover domains in your region to replace blocked SNIs without human intervention.
  • Autonomous Upstream Failover Watchdog (mtproxymax failover [on|off|status])

    • Monitors upstream proxy health every minute during background sweeps (sweep()).
    • Automatically executes health probes (upstream_test) and switches upstreams or rotates backend IPs after 3 consecutive ping failures.
  • TLS Certificate Fingerprint Randomizer (mtproxymax cert-shield [on|off|status])

    • Dynamically mutates TLS extension ordering, ALPN banners, and record padding intervals every 12 hours to evade statistical AI/ML packet inspection.
  • Customizable TUI Color Themes (mtproxymax tui-theme [dark|matrix|cyan|classic])

    • Choose your preferred ASCII interface aesthetic — Cyberpunk Matrix Green, Electric Cyan, Dark Mode, or Classic Retro.

🛡️ Deep Architectural POSIX & Security Hardening

  • POSIX Atomic Filesystem Writes: All configuration modifications across Suites 1–4 utilize an atomic write-then-rename pattern (mv "$tmp" "$target_file"), preventing race conditions or partial reads by background monitoring threads.
  • Read-Only Watchdog Safety: Background maintenance loops (sweep()) access secondary configurations strictly read-only, eliminating read-write deadlocks.
  • Regex Collision Immunity: Replaced grep lookups in monthly quota resets (secret_check_quota_resets) and pool matching with exact field-based awk comparisons ($1 == l && $2 == m), guaranteeing zero naming collisions.
  • Syntax Verification: Passed 100% bash syntax validation across all 16,749 lines (bash -n mtproxymax.sh).

🏁 Upgrade

mtproxymax update

Pinned Engine: telemt v3.4.19 (987c53c)

v1.2.0 — Enterprise Commercial & Shield Suite, Next-Gen Anti-DPI & DevOps Clustering

Choose a tag to compare

@SamNet-dev SamNet-dev released this 01 Jul 01:11

✨ What's New in MTProxyMax v1.2.0

MTProxyMax v1.2.0 represents the most extensive feature expansion in the project's history. This release transforms the core script into a full-scale Enterprise Proxy Management Platform featuring commercial voucher automation, role-based Telegram governance, automated hostile threat blacklisting, proactive Anti-DPI forensics, kernel-level bandwidth shaping, load balancer clustering, daily briefing dispatches, smart user onboarding, and hardware-aware performance auto-tuners.


🏢 Enterprise Commercial Suite

  • Commercial Voucher & Gift Code System (mtproxymax voucher)

    • Batch Generation: Generate secure batches of gift codes (mtproxymax voucher create <count> <quota> <days>) formatted as MTP-XXXX-XXXX with custom data ceilings (e.g., 10G, 50G, or unlimited) and validity durations stored cleanly in ${INSTALL_DIR}/vouchers.conf.
    • Self-Service & Bot Redemption: Users or distributors can redeem voucher codes locally (mtproxymax voucher redeem <code> [label]) or remotely via Telegram bot (/redeem <code>), instantly provisioning a dedicated proxy secret with exact quota and connection limits enforced.
    • Full Audit Trail: Track every voucher's status (ACTIVE, REDEEMED, REVOKED), creation timestamp, and associated account label.
  • Role-Based Access Control (RBAC) & Telegram Admin Tiers (mtproxymax admin)

    • Multi-Tier Authorization Governed in admins.conf:
      • superadmin: Unrestricted access to all 21 remote Telegram bot commands, including destructive engine restarts (/mp_restart), emergency panic lockdowns (/mp_lockdown), script self-updates (/mp_update), and bot removals (/mp_remove).
      • reseller: Delegated operational access restricted strictly to voucher batch creation (/mp_voucher create), voucher auditing (/mp_voucher list), voucher redemption (/redeem), and user statistics queries (/mp_status, /mp_secrets). Destructive server commands are automatically blocked with security violation logging.
  • Decoupled Self-Service Web Status Portal (mtproxymax portal)

    • Zero-Dependency Static HTML Dashboard: Generates a responsive, dark-mode glassmorphism HTML interface (index.html) stored in /opt/mtproxymax/portal/.
    • Automated Background JSON Metrics: During periodic engine sweeps (sweep()), MTProxyMax automatically exports real-time server health (status.json) and anonymized user quota leaderboards (users.json).
    • Client Self-Service: Users can check live proxy uptime, server bandwidth consumption, active connection counts, and individual data consumption directly from any browser without exposing internal administrative interfaces or running backend scripts.

🛡️ Automated Hostile Threat Scanner Shield

  • Proactive Shodan & Censys Threat Blocking (mtproxymax scanner-shield)
    • High-Speed Kernel Memory Hash Sets: Initializes high-performance Linux kernel memory sets (ipset table mtproxymax-scanners) with capacity for up to 65,536 network CIDRs.
    • Automated Threat Feed Import: Automatically imports and blacklists well-known hostile mass scanning subnets (including Shodan, Censys, and Shadowserver probe networks such as 162.142.125.0/24, 167.94.138.0/24, 71.6.135.0/24).
    • Pre-Application Drop: Incoming packets from hostile scanner subnets are silently dropped at the Netfilter kernel boundary before reaching Docker container sockets or triggering SYN cookie thresholds, keeping your proxy invisible to Internet-wide discovery feeds.

🔬 Advanced Anti-DPI & Emergency Defenses

  • Active DPI Forensics Inspector (mtproxymax dpi-inspect)
    • Performs a 5-step heuristic scan evaluating SYN cookie state, TLS fingerprint parity, SNI routing reachability, conntrack replay cache depth, and MSS clamping to compute an interactive Anti-DPI Hardening Score out of 100.
  • Self-Healing Cover Watchdog (mtproxymax cover-watchdog)
    • Background watchdog probing primary cover domain health every 60 seconds. Automatically rotates to backup SNI pool candidates upon censorship interception or consecutive HTTP 5xx failures.
  • Emergency Panic Lockdown Switch (mtproxymax lockdown [on|off])
    • Instant posture hardening switch enabling kernel SYN tarpits, Ultra-Stealth conntrack replay protection, and TCP MSS clamping via CLI or remote Telegram bot command (/mp_lockdown).
  • Multi-Port Listener Pool (mtproxymax port-pool [add|remove|list])
    • Listens on multiple fallback TCP ports simultaneously (e.g., 443, 8443, 2053) via automated kernel iptables NAT redirection without extra container runtime overhead.
  • Dynamic FakeTLS Padding & Jitter (mtproxymax tls-pad [auto|off|rotate])
    • Randomizes FakeTLS certificate payload lengths dynamically (fake_cert_len) to prevent active DPI packet sizing heuristics from identifying MTProto handshake packets.
  • Active Probe Decoy Redirection (mtproxymax honeypot [on|off|status])
    • Intercepts unauthorized active scanners and redirects unauthenticated probes to realistic decoy web endpoints.

🏎️ Bandwidth Shaping & Quota Intelligence

  • Linux Kernel QoS Traffic Shaping (mtproxymax qos [set <mbps>|off|status])
    • Enforces per-IP upload and download rate ceilings using Linux tc (Traffic Control) hierarchical token buckets and iptables hashlimit rules to prevent aggressive clients from saturating server links.
  • Happy Hours Quota Exclusions (mtproxymax happy-hours [set <win>|off])
    • Configures unmetered schedule windows (e.g., 02:00-08:00) where client traffic bypasses monthly quota accounting.
  • Proactive Telegram Expiry Reminders (mtproxymax notify-expiry)
    • Scans user accounts and dispatches automated direct Telegram reminders 7 days, 3 days, and 24 hours prior to account expiration.
  • Multi-IP Subscription Anomaly Scanner (mtproxymax leak-scan [thresh])
    • Inspects real-time connection logs to detect credential leaks and abnormal simultaneous IP sharing across proxy secrets.

📡 Operations, Briefings & Onboarding Suite

  • Telegram Backup Push (mtproxymax backup send-tg [file])
    • Compresses the server configuration and secrets database into an encrypted .tar.gz archive and pushes it directly as a document attachment to the superadmin Telegram bot chat.
  • Scheduled Executive Morning Briefings (mtproxymax daily-report [on|off|run])
    • Configures automated daily cron summaries sent directly to Telegram detailing 24-hour traffic volume, peak connection counts, and upcoming account expirations.
  • SSH Brute-Force Intrusion Shield (mtproxymax ssh-shield [on|off|status])
    • Automatically configures fail2ban rules and kernel firewall jails protecting host SSH ports against automated dictionary attack bots.
  • International Network Grade Benchmarker (mtproxymax net-grade)
    • Performs comprehensive TCP ping and routing stability evaluations against global transit nodes, scoring server network quality with an A+/A/B/C letter grade.
  • Interactive Smart Onboarding Wizard (mtproxymax onboard [label])
    • Step-by-step interactive administrative wizard guiding operators through creating accounts with custom bandwidth limits, connection caps, expiration dates, and immediate QR code outputs.
  • SSL/TLS Cover Domain Inspector (mtproxymax cert-check [domain])
    • Audits cover domains via OpenSSL to verify certificate issuer chains, cipher suites, and days until TLS expiration.

🌐 DevOps Clustering & Automation Suite

  • Layer-4 Load Balancer Exporter (mtproxymax export-lb [haproxy|nginx])
    • Generates production-ready HAProxy (haproxy.cfg) and Nginx Stream (nginx.conf) configuration snippets configured for Layer-4 TCP proxying and PROXY Protocol v2.
  • Cloudflare Dynamic DNS Updater (mtproxymax ddns [set|run|status|off])
    • Automatically queries Cloudflare API v4 and updates domain A records whenever public IP changes are detected.
  • Point-in-Time Snapshots (mtproxymax snapshot [create|restore]) & Forensics Bundle (mtproxymax diag-dump)
    • Creates self-contained .tar.gz configuration backups with one-click restoration and packages comprehensive system diagnostics for auditing.
  • Instant Server Replication & Bootstrapping (mtproxymax clone-link & bootstrap <base64>)
    • Generates a one-line Base64 export bundle containing server configuration parameters that can be instantly bootstrapped onto a fresh secondary node.

🚀 Performance & Self-Healing Suite

  • TCP BBR & Fast Open Booster (mtproxymax tcp-boost [on|off|status])
    • Activates Google's BBR congestion control algorithm and TCP Fast Open (TFO) to drastically reduce latency over high-packet-loss networks.
  • Aggressive Mobile Socket Reaper (mtproxymax tcp-clean [on|off|status])
    • Tunes kernel fin_timeout and keepalive_probes to rapidly purge orphaned mobile client sockets caused by sudden cellular drops.
  • Ultra-Low Latency Socket Queue Booster (mtproxymax socket-boost [on|off])
    • Expands somaxconn and network device backlog limits to handle thousands of concurrent connection bursts without packet drops.
  • Automated Memory & Socket Self-Healer (mtproxymax heal & auto-heal [on|off|status])
    • Background self-healer that automatically flushes kernel buffer caches and reaps zombie connections when RAM thresholds drop below critical limits.
  • TCP Fast-Path Window Scaling & MTU Probing (mtproxymax tcp-fastpath [on|off])
    • Optimizes RFC-compliant TCP window scaling (tcp_window_scaling=1), Selective Acknowledgments (tcp_sack=1), and Path MTU discovery (tcp_mtu_probing=1).
  • Dynamic RAM Auto-Tuning (mtproxymax ram-tune [auto|off])
    • Hardware-aware scaling of TCP memory buffers (rmem_max/wmem_max) across Small (≤1GB), Medium (1-4GB), and Large (>4GB) server tiers.
  • **Dynamic Port Range Shadowing (`mtproxymax ...
Read more

v1.1.0 — Anti-DPI & Stealth Defenses Expansion

Choose a tag to compare

@SamNet-dev SamNet-dev released this 28 Jun 20:12

✨ What's New in MTProxyMax v1.1.0

This release marks a major version bump to v1.1.0, introducing powerful Anti-DPI & Stealth Defenses alongside advanced administrative and reporting suites to keep your Telegram MTProto proxy unblockable and effortless to manage.

🛡️ Anti-DPI & Stealth Defense Suite

  • Kernel SYN Shield (mtproxymax shield)
    • Built-in iptables/nftables rate limiter utilizing conntrack and recent kernel modules. Automatically tarpits aggressive active probes and port scanners (>15 SYN bursts in 5 seconds per IP) before they consume application memory.
  • Stealth Presets (mtproxymax stealth)
    • Hot-swappable anti-replay hardening modes (normal vs ultra). Ultra preset tightens the replay time window to 180s, expands the nonce cache to 131,072 entries, and drops unknown SNI probes immediately.
  • TCP MSS Clamping (mtproxymax clamp-mss)
    • Prevents packet fragmentation and MTU black hole drops across restrictive ISP routes via TCP FORWARD mangle rules --clamp-mss-to-pmtu.
  • Multi-Domain SNI Pool (mtproxymax domain-pool)
    • Rotate between multiple high-reputation cover domains (tls_domains = ["dom1.com", "dom2.com"]) within the same proxy engine instance to evade single-domain DPI throttling and SNI blacklisting.
  • Auto TLS Certificate Synchronization (sync_domain_cert_len)
    • Automatically connects to your configured cover domain (tls_domain) every 24 hours via OpenSSL, measures the live DER certificate payload size, and dynamically tunes fake_cert_len. Completely prevents DPI active heuristics from fingerprinting your proxy based on mismatched or static certificate sizes.
  • Interactive Stealth Dashboard
    • Dedicated ASCII menu accessible via Settings [s] or Security [5] to monitor and toggle all stealth capabilities live.

🌟 Administrative & Reporting Additions

  • Executive Digest (mtproxymax digest): Instant ASCII executive summary board aggregating proxy health, active sockets, traffic totals, and bot status.
  • Datacenter Benchmark (mtproxymax ping-dc): Live TCP handshake latency test against Telegram global datacenters DC1 through DC5 with fastest-DC detection.
  • Purge Disabled Secrets (mtproxymax secret purge-disabled): Automated cleanup tool to permanently remove expired or disabled user records.
  • Base64 Subscription Feed (mtproxymax secret sub): Generates standard Base64 feeds for client proxy auto-updaters.
  • JSON Export (mtproxymax secret export-json): Full database export formatted as clean JSON for external scripting.
  • Prefix Bulk Rename (mtproxymax secret rename-prefix): Batch rename groups of secrets sharing a common prefix.

🏁 Upgrade

mtproxymax update

Pinned Engine: telemt v3.4.19 (987c53c)

v1.0.10 — Executive Digest, DC Benchmarking, Base64 Feeds & Engine v3.4.19

Choose a tag to compare

@SamNet-dev SamNet-dev released this 25 Jun 18:47

✨ What's New in MTProxyMax v1.0.10

This release expands MTProxyMax with 6 major administrative features across the CLI suite and interactive TUI dashboards, bumps the core engine to telemt v3.4.19, and addresses several community inquiries and investigations.

🌟 New Features & Management Tools

  • 📊 Executive Digest (mtproxymax digest)

    • Instant ASCII executive summary board aggregating proxy health, container uptime, active TCP socket counts, cumulative traffic counters, and Telegram Bot daemon status. Accessible via CLI or TUI Info menu [g].
  • 🌍 Datacenter Latency Benchmark (mtproxymax ping-dc)

    • Live TCP handshake latency benchmark testing against Telegram's 5 global datacenters (DC1 through DC5) with automatic fastest-DC detection. Accessible via CLI or TUI Info menu [l].
  • 🧹 Purge Disabled & Expired Secrets (mtproxymax secret purge-disabled)

    • Automated database hygiene command that scans configured secrets and permanently purges user records where enabled=false or expiration dates have passed. Accessible via CLI or TUI Secret Management [d].
  • 🔗 Base64 Subscription Feed (mtproxymax secret sub)

    • Exports a standard unbroken Base64 string containing all active tg://proxy?... links. Designed for third-party Telegram client proxy auto-updaters. Displayed automatically in the Share Links menu [3].
  • 📦 User Database JSON Export (mtproxymax secret export-json)

    • Full export of configured users, secrets, quotas, connection limits, and expiry dates formatted as clean JSON for external integrations and scripting. Accessible via CLI or TUI Export menu [i].
  • 🏷️ Bulk Prefix Renaming (mtproxymax secret rename-prefix <old> <new>)

    • Bulk renaming tool allowing admins to match existing secret labels by prefix and swap them out in a single pass (e.g. test_vip_). Upgraded TUI Rename option [9] to support single vs. bulk modes.

🔧 Engine Upgrade: telemt v3.4.19 (987c53c)

Includes the latest upstream advancements from the telemt Rust proxy engine:

  • Packet Overhead Reduction (client_mss_bulk): Handshake fragmentation is preserved for DPI evasion, but Maximum Segment Size (MSS) is automatically raised for bulk data transfer. Significantly cuts packets-per-second (pps) CPU overhead and improves throughput.
  • Relay & Obfuscation Hardening: Advanced Relay Mode optimizations, hardened KDF-tuple derivation, updated secure padding expectations for VersionD, and shared MTProto framing.
  • Config API Reliability: Resolved nested sub-table corruption issues during config save operations.

🐞 Recent Issues Addressed & Investigated

  • #83 User Support & Inquiries: Addressed proxy configuration questions and client connectivity guidance.
  • #86 Windows WSL2 / Docker Desktop Evaluation: Conducted an architectural feasibility review for Docker Desktop on Windows. Clarified networking constraints (WSL2 bridge forwarding vs host netns) and documented why Linux remains the required platform.
  • #102 Function Modifications Audit: Investigated requested function alterations and validated script modularity.
  • #103 Telegram Bot Daemon Audit: Evaluated bot polling lifecycle and confirmed background notification routines operate reliably.

🏁 Upgrade

mtproxymax update

Pinned Engine: telemt v3.4.19 (987c53c)

v1.0.9 — Engine v3.4.18, TLS Stealth, ME/MR Hardening

Choose a tag to compare

@SamNet-dev SamNet-dev released this 20 Jun 23:32

🔧 Engine Upgrade: telemt v3.4.18

This release jumps 7 upstream versions (from v3.4.11) to incorporate major stealth and reliability improvements from the telemt engine.

🚀 Engine v3.4.18 — Stealth, Hardening, and Rate Limits

  • TLS Stealth & Realism:

    • ServerHello now dynamically selects a TLS 1.3 cipher suite actually offered by the ClientHello
    • Preserves safe profiled extension order to better mimic real web servers
    • ALPN is no longer exposed as a stable plaintext marker inside fake ApplicationData payloads
    • Single-record TLS-F primary application flight restored
  • Hardened Middle-End/Middle-Relay:

    • Bounded ME writer queue waits under backpressure to prevent indefinite stalls
    • Prioritized cancellation in async paths
    • Reused ME reader scratch buffers across read-loop iterations
    • Atomic claims for MR pressure-eviction budget to avoid racing sessions
  • API & Rate Limiting:

    • User rate limits are now exposed through the API
    • New GET /v1/stats/users/quota endpoint (moved from /v1/users/quota)
    • Proper 405 Method Not Allowed responses with Allow header for known routes
    • Hyphenated aliases added for runtime endpoints
    • Quota resets now validate config revision
  • Performance & Fixes:

    • SYN limiter lifecycle and default burst fixed
    • Startup speed-up, IDN support, and exclusive mask mode
    • disable_colors fix: now suppresses ANSI in MAESTRO output too
    • Docker: writable /etc/telemt/ config mount and /run/telemt tmpfs cache

🏁 Upgrade

mtproxymax update

The new engine image (ghcr.io/samnet-dev/mtproxymax-telemt:3.4.18-9dc6772) will be pulled automatically on update.

🐛 Engine Version

Pinned: telemt v3.4.18 (9dc6772)

v1.0.8 — Engine v3.4.11, Security Hardening, Telegram Customization

Choose a tag to compare

@SamNet-dev SamNet-dev released this 18 May 00:34

🔧 Engine Upgrade + Telegram Customization

This release upgrades the telemt engine from v3.4.8 → v3.4.11 (3 upstream releases) and adds post-install Telegram notification customization requested in #77.


🚀 Engine v3.4.11 — Security Hardening & Performance

Three upstream releases worth of improvements, all drop-in compatible:

🔒 Security

  • Constant-time API authorization — prevents timing attacks on auth headers
  • PROXY protocol pre-validation — reject untrusted sources before reading the header
  • Bounded API/metrics connections — HTTP connection timeouts prevent resource exhaustion
  • Per-user source IP/CIDR deny lists — new access.user_source_deny config key

🔐 TLS

  • Full certificate budget bookkeeping — tracks TLS cert resource usage per shard
  • Fixed domain-aware masking fallback — extra tls_domains now properly preserve matching SNI domain
  • TLS front profile health metrics — configured, emitted, suppressed, default, raw, merged states
  • Multi-domain TLS fetcher — works across multiple tls_domains entries
  • tls_domains validation — rejects invalid entries at config time

📊 Quota & Rate Limiting

  • Persistent per-user quota statequota_state_path saves quota consumption across restarts
  • Runtime quota reset endpointPOST /v1/users/{user}/reset-quota
  • Bounded quota contention — cancellation paths and contention metrics

⚡ Performance & Reliability

  • IP tracker cleanup pressure reduction — less work on hot paths
  • ME admission event-driven wakeup — faster connection acceptance
  • Bounded ME child task join — timeout + abort accounting for relay cleanup
  • Hot-path cleanup — moved stats/cleanup work away from latency-sensitive paths
  • TimeWindow IP limiting fix — only new IPs counted when TimeWindow mode enabled
  • WorkingDirectory behavior fix

📈 Observability

  • Class-based rejected connection and handshake failure metrics
  • Quota contention/cancellation/flow-wait metrics
  • ME child task abort/timeout metrics
  • Updated Grafana dashboard for new metric surface

📦 Dependencies

  • rustls-webpki 0.103.12 → 0.103.13

🤖 Telegram Notification Customization (#77)

Previously, report interval, server label, and alert preferences could only be set during the initial setup wizard. Now they're fully configurable post-install:

CLI:

mtproxymax telegram interval 12      # Change report interval (1–168 hours)
mtproxymax telegram label "My VPS"   # Change server label in notifications
mtproxymax telegram alerts on        # Toggle down/recovery alerts (on|off)

# Show current values:
mtproxymax telegram interval         # → Report interval: every 6h
mtproxymax telegram status           # → shows interval, alerts, and label

TUI — Telegram Bot menu:

Option Description
[5] Toggle alerts Now shows current state: (true) / (false)
[7] Change report interval Prompts with current value, validates 1-168h
[8] Change server label Prompts with current value, validates format

🏁 Upgrade

mtproxymax update

The new engine image (ghcr.io/samnet-dev/mtproxymax-telemt:3.4.11-3bd5637) is pulled automatically on update. No manual steps needed.

🐛 Engine Version

Pinned: telemt v3.4.11 (3bd5637)

v1.0.7 — Tags, Templates, Migration, Tuning, Verify & 16 more features

Choose a tag to compare

@SamNet-dev SamNet-dev released this 24 Apr 23:49

🎉 Massive Release — 20+ New Features

This release triples the script's surface area. Grouped by category below.


🏷️ Secret Organization

  • secret tag/untag/tags — Group users with comma-separated tags
  • secret list --tag <tag> — Filter secret list by tag
  • secret logs <label> — Per-user activity log filter
  • secret info <label> — Single-command full view (limits, live metrics, link, QR) — already in v1.0.6
  • secret list --csv — CSV output for spreadsheets / reporting
  • Secret templates — Reusable limit sets: template save/list/apply/delete, secret add --template <name>

🔄 Lifecycle Management

  • secret rotate --all — Bulk rotate every secret (with --dry-run preview)
  • secret quota-reset <label> <day> — Monthly quota reset on day N (handles short months)
  • secret extend <label> <days> — Extend single secret expiry (v1.0.6)
  • secret bulk-extend <days> — Extend ALL expiries at once (v1.0.6)
  • secret archive/unarchive — Soft-delete with restoration (v1.0.6)
  • auto-rotate [N] — Global policy to auto-rotate secrets older than N days
  • secret remove --dry-run — Preview destructive operations

🚨 Operations

  • maintenance on/off/status — Reject new connections with RST while keeping existing alive (graceful pre-restart)
  • ban/unban/bans — iptables-based IP banlist (survives reboots via bans_reapply on start)
  • verify — End-to-end install check: port, TLS handshake, metrics, Telegram API, domain reachability
  • speedtest — Outbound bandwidth/latency from server to Cachefly, Hetzner, Telegram API
  • history [lines] — Audit log of config changes (secret add/remove/rotate, domain changes)
  • info — Comprehensive server overview: OS, IPv4/IPv6, users, services, security posture

💾 Backup & Migration

  • migrate export/import — Tarball-based server migration (all settings, secrets, upstreams, tags, bans, archives, profiles)
  • backup --encrypt — AES-256 + PBKDF2 encrypted backups with password prompt
  • backup restore-encrypted <file> — Restore from encrypted backup
  • backup autoclean [days] — Auto-delete old backups (configurable via BACKUP_RETENTION_DAYS)

⚙️ Expert Configuration

  • tune list/get/set/clear — Whitelisted engine parameter tuning (fake_cert_len, mask_relay_timeout_ms, timeouts, log_level, etc.). Post-processes config.toml via sed — no TOML duplicate-key issues.
  • sweep — Internal periodic maintenance command (quota resets, auto-rotate, backup cleanup). Invoked from bot loop every 5 min.

🛠 Polish

  • completion — Emit bash tab-completion script: sudo mtproxymax completion > /etc/bash_completion.d/mtproxymax
  • changelog — Fetch GitHub release notes since installed version

🖥 TUI Coverage

Every feature above is also exposed in the TUI:

Feature TUI Location
Tags Secrets > [y]
Monthly quota reset Secrets > [q]
Rotate ALL Secrets > [r]
Templates Secrets > [k]
Per-user logs Secrets > [l]
Info Info > [i]
Changelog Info > [n]
Verify Info > [v]
Speedtest Info > [s]
History Info > [h]
Maintenance Proxy > [m]
IP Banlist Security > [4]
Migrate / Encrypted backups About > [5]-[9]
Auto-rotate Settings > [a]
Engine tuning Settings > [n]

🔒 Security & Safety

  • Encrypted backups — password passed via env var to openssl (hidden from ps aux)
  • Audit log — every config change tracked with timestamp + user
  • check_root gating — destructive CLI commands require root
  • Read-only preview--dry-run flag on secret remove and secret rotate --all
  • TTY-safe — non-interactive flows auto-confirm destructive bulk ops (for CI/SSH scripts)

🏁 Upgrade

mtproxymax update

After update, run mtproxymax verify to confirm your install is healthy, then mtproxymax info for a comprehensive overview.

🐛 Engine Versions

Current pinned: telemt v3.4.6 (8874396). Upgrade path from earlier versions happens automatically.

v1.0.6 — Profiles, Archive, Search, Port Check & More

Choose a tag to compare

@SamNet-dev SamNet-dev released this 15 Apr 17:28

New Commands

Secret Management:

  • secret info <label> — Full detail view: status, limits, live connections/traffic, proxy link, QR code
  • secret search <query> — Find secrets by partial label or note content (case-insensitive)
  • secret archive <label> / secret unarchive <label> — Soft-delete secrets to archive, restore later. secret archives to list
  • secret top [traffic|conns] [N] — Top N users by traffic or connections
  • secret generate-links [txt|html] — Bulk export all proxy links to file. HTML version includes QR codes

Server Management:

  • config — Display the current engine config.toml
  • uptime — One-line scriptable status output (e.g. 2d 4h | 14 conns | ↓1.2GB ↑340MB)
  • notify <message> — Send a custom message through the Telegram bot
  • port-check — Test if the proxy port is listening locally and reachable from outside
  • mask-backend [host:port] — Show or set the mask backend for non-proxy traffic (CLI + TUI)
  • profile save|load|list|delete <name> — Save and restore named config snapshots (settings + secrets + upstreams)

TUI

All new features available in TUI menus:

  • Secrets menu: info [f], search [/], top [p], generate-links [g], archive [a]
  • Settings: view config [v], port check [k], profiles [r], mask backend [m]
  • Telegram Bot: send custom notification [6]

Bug Fixes

  • Fix domain change exits in non-TTYread returning EOF under set -e killed the script before restarting (#64)
  • Fix empty label in non-TTY secret add/remove — rewrote arg parsing to avoid array indexing edge case (#66)
  • Bind metrics to 127.0.0.1metrics_listen instead of metrics_port prevents external access (#65)
  • Fix upstream table alignment — ANSI codes no longer break column padding (#67)
  • Fix false "Update available" badge — stored SHA now synced after confirming up-to-date (#68)
  • Fix invisible "Enter choice" prompt — removed DIM color that some terminals hide (#69)
  • Fix bot uptime always 0m — uses Prometheus telemt_uptime_seconds instead of Docker inspect date parsing (#70)
  • Telegram bot optimization — long-polling for instant response, single awk pass for metrics, process substitution eliminates temp files (#62)

Upgrade: mtproxymax update