Releases: SamNet-dev/MTProxyMax
Release list
v1.4.0-LTS
🛡️ MTProxyMax v1.4.0-LTS Release Notes & Architectural Blueprint
Version: v1.4.0-LTS
Codename: Enterprise Federation & Self-Service Suite
Status: Long Term Support (LTS) — Subsequent updates to 1.4.X will focus strictly on maintenance and bug fixes.
🌟 Executive Summary
MTProxyMax v1.4.0-LTS marks the culmination of the core feature roadmap, transforming our platform into a Multi-Tiered, Globally Federated Enterprise Proxy Gateway. We have reached the absolute maximum of features needed for a production-grade proxy manager powered by the Rust engine (telemt). From real-time QoS bandwidth shaping and multi-server federation to automated SSL shields, off-site cloud backups, and self-service Telegram bots, this release provides everything you need in one single, high-performance management script.
Moving forward, the script will be updated if bugs or issues come up. Community contributions, bug reports, and pull requests are warmly welcome! Built with strict adherence to zero-downtime operations, every suite is deep-linked into the script's existing Profile Snapshots (MIGRATION_FILES), Backup & Restore Pipelines (create_backup), and TUI/CLI Routers.
🚀 The 5 Enterprise Suites of v1.4 LTS
1. 🏎️ Real-Time QoS Bandwidth Throttling (speed-limit)
- Technology: Linux Kernel Traffic Control (
tc), Hierarchical Token Bucket (htb), and Stochastic Fairness Queueing (sfq). - Mechanism: Maps per-user secret IP connections dynamically (
telemt_user_connections_current) to root-level egress/ingress class rates without dropping active TCP connections or restarting the container. - CLI Commands:
mtproxymax speed-limit list— View current per-label bandwidth limits (<label> <down_mbps> <up_mbps>).mtproxymax speed-limit set <label> <down_mbps> [up_mbps]— Assign dedicated bandwidth limits.mtproxymax speed-limit remove <label>— Remove speed restrictions from an account.mtproxymax speed-limit apply— Synchronize kerneltcclasses with active IP bindings immediately.mtproxymax speed-limit clear— Flush kernel shaping hierarchy.
2. 🌐 Global Federation & Multi-Server Fleet Dashboard (fleet)
- Technology: Asynchronous multi-node REST polling & JSON metrics aggregation over MTProxy endpoints (
/metrics). - Mechanism: Allows a designated Master node to query remote MTProxyMax slave instances (
fleet.conf). Calculates global federation health, pooled bandwidth throughput (Gbps/TB), concurrent connection distribution, and active user footprints across the entire fleet in under 2 seconds (curl --max-time 2). - CLI & Telegram Commands:
mtproxymax fleet status— Display formatted terminal table of global node health and aggregated metrics.mtproxymax fleet collect— Refresh background telemetry (cronfriendly)./mp_fleet— Formatted Markdown telemetry report delivered directly via Telegram admin bot.
3. 🔐 Automated Let's Encrypt / SSL Shield (ssl-shield)
- Technology: Automated
opensslcertificate issuance, ACME / ZeroSSL registration, and TLS SNI verification. - Mechanism: Automates generation of domain certificates (
/opt/mtproxymax/ssl/) and validates FakeTLS domain pools against external certificate transparency and expiration metrics. - CLI Commands:
mtproxymax ssl issue <domain> [email]— Issue / verify SSL certificate for a target domain.mtproxymax ssl status— Inspect certificate validity dates, issuer chains, and auto-renewal posture.mtproxymax ssl clear— Reset certificate directories to default self-generated parameters.
4. ☁️ Automated Off-Site Cloud & Telegram Backups (backup-cloud)
- Technology: Direct Telegram Document API (
sendDocument) and multi-cloudrcloneobject storage sync (S3, Cloudflare R2, Google Drive). - Mechanism: Deeply integrated into
create_backup(). Whenever a manual tarball is created (mtproxymax backup) or triggered via daily cron (run_backup), the resulting archive is automatically encrypted (if enabled) and pushed to off-site cloud storage or an administrative Telegram chat/channel (CLOUD_BACKUP_TARGET). - CLI Commands:
mtproxymax backup-cloud status— Check offloading configuration (CLOUD_BACKUP_MODE).mtproxymax backup-cloud toggle <telegram|rclone|s3> <target>— Configure off-site target destinations.mtproxymax backup-cloud push— Manually push the most recent backup tarball to remote destinations.
5. 📱 Dual-Tier End-User Self-Service Bot Tier (/start, /my_status)
- Technology: Event-driven Telegram Bot Engine (
mtproxymax-telegram.sh) with role-based access separation (_check_tg_role). - Mechanism: Splits bot processing into Public Unauthenticated End-User Tier vs. Protected Admin Control Plane. Users can self-service query their quota without exposing admin operations or requiring manual ticket intervention.
- Public End-User Commands:
/start— Self-service portal onboarding menu and interactive help guide./my_status <label>— Instant lookup of personal data consumption, connection status (Active/Disabled), remaining quota (GB/Unlimited), and account expiration timestamp./voucher <code> [label]— Instant gift voucher redemption (/redeemalias) that sends uniquetg://proxy links and auto-rendered QR codes directly to the user./support <msg>— Direct ticket forwarding to proxy support administrators (/reply <chat_id> <ans>).
🛠️ Architecture & State Migration Deep-Dive
All new configuration structures and runtime storage paths have been fully registered into the global MIGRATION_FILES array (mtproxymax.sh:L4061):
MIGRATION_FILES=(
...
# v1.4 LTS Suite State Files
"speed_limits.conf" "fleet.conf" "ssl_config.conf" "cloud_backup.conf"
"fleet_data" "ssl"
)Profile Snapshot Guarantee (mtproxymax profile)
Because profile snapshots iterate dynamically over "${MIGRATION_FILES[@]}", any profile saved via mtproxymax profile save <name> will automatically preserve hierarchical QoS speed allocations, federation slave targets, cloud storage keys, and SSL configurations.
Zero-Loss Backup & Restore Guarantee (mtproxymax backup / restore)
The create_backup() archive pipeline automatically includes all v1.4 config files along with /opt/mtproxymax/fleet_data/ and /opt/mtproxymax/ssl/. When restoring via mtproxymax restore <archive>, all QoS rules, SSL certificates, and cloud push schedules are restored seamlessly with precise POSIX permissions (chmod 600).
🛡️ Comprehensive Audit & Bug Fix Summary
During a thorough end-to-end audit and runtime simulation of the script, we fixed numerous bugs, race conditions, and edge cases across every subsystem:
- Concurrency & Race Conditions Fixed: Wrapped database and configuration updates in atomic file locks (
flock) with temporary file swaps (mktemp+mv), preventing data corruption when CLI commands and Telegram bots update records simultaneously. - Shell Code Injection Prevention: Replaced
sourceacross state files (geofence.conf,decoy.conf,failover.conf,ssl.conf) with secure key-value extraction (grep | cut), preventing arbitrary code execution. - Narrow Terminal Viewport Crashes Fixed: Added border width checks (
[ "$inner" -lt 0 ] && inner=0) across ASCII UI drawing functions (draw_box_top/bottom/sep,draw_line), eliminatingprintf -1crashes in narrow terminals or cron pipelines. - Comma & Pipe CSV Import Compatibility: Hardened
secret_importto automatically normalize comma-separated CSV spreadsheets (user,key,...) into internal pipe format (|) during read, resolving import syntax rejection errors. - Container & Strict-Mode Abort Fixes: Added
|| truefallbacks across all$(ip route show default ...)network detection subshells so strict-mode execution (set -e) doesn't abort inside minimal or unprivileged containers.
📋 Verification & Testing Checklist
To verify the v1.4.0-LTS suite on a live deployment:
- Verify Syntax Integrity:
bash -n /opt/mtproxymax/mtproxymax
- Verify CLI Subcommand Resolution & Help Menu:
mtproxymax --help | grep -E "(speed-limit|fleet|ssl|backup-cloud|geofence|decoy|failover|eco-mode)"
- Verify Self-Service Bot Response:
- Send
/startand/my_status <label>to the configured Telegram bot and verify clean markdown card formatting.
- Send
- Test Off-Site Backup Hook:
mtproxymax backup
- Verify that
backup_cloud_pushexecutes cleanly right before the archive path is returned.
- Verify that
v1.3.1 — Performance & Anti-DPI Upgrade Suite (Forensically Audited)
✨ What's New in MTProxyMax v1.3.1 — Performance & Anti-DPI Upgrade Suite
MTProxyMax v1.3.1 is a high-impact upgrade focused on network acceleration, censorship resilience, and active probe defense. This release introduces three powerful new defense and performance suites: TCP BBRv3 & ECN Auto-Tuning, Anti-DPI Packet Padding Shield, and Reverse-Proxy Cover Shield.
This release also features a full forensic audit and hardening round, resolving edge cases in containerized sysctl environments, sealing URL injection vectors, and fixing a critical CLI dispatcher command collision.
🚀 Suite 1: TCP BBRv3 Congestion Control & ECN Auto-Tuning (mtproxymax bbr [on|off|status])
- Kernel Congestion Control Acceleration:
- Activates Google's TCP BBRv3 congestion control algorithm and Fair Queueing (
fq) packet scheduling, dramatically reducing latency and maximizing throughput across high-packet-loss international links.
- Activates Google's TCP BBRv3 congestion control algorithm and Fair Queueing (
- Explicit Congestion Notification (ECN):
- Enables RFC 3168 ECN (
net.ipv4.tcp_ecn = 1) to allow routers to signal network congestion without dropping packets, preventing TCP slow-start slowdowns during high concurrency bursts.
- Enables RFC 3168 ECN (
- 16MB TCP Buffer Expansion:
- Auto-scales kernel read/write memory buffers up to 16MB (
net.ipv4.tcp_rmem/wmem = 4096 65536 16777216) to support high-bandwidth 4K/8K media streaming.
- Auto-scales kernel read/write memory buffers up to 16MB (
- Container-Resilient Sysctl Persistence:
- Writes settings cleanly to
/etc/sysctl.d/99-mtproxymax-bbr.confwith graceful fallback handling for unprivileged container environments (OpenVZ / LXC / Docker) where kernel module loading (modprobe tcp_bbr) is restricted by the host hypervisor.
- Writes settings cleanly to
🛡️ Suite 2: Anti-DPI Packet Padding & Fingerprint Scrubbing (mtproxymax shield [on|off|status])
- Active DPI & Heuristic Evasion:
- Randomizes packet payload size distributions and enforces strict TCP MSS Clamping (
1360bytes) across Linux Netfilter FORWARD, OUTPUT, and POSTROUTING chains.
- Randomizes packet payload size distributions and enforces strict TCP MSS Clamping (
- Defeating Deep Packet Inspection:
- Prevents GFW (Great Firewall), TSPU (Russia), and TIC (Iran) state-level DPI firewalls from identifying FakeTLS handshakes via packet length heuristics or fragmentation anomalies.
- CLI Clean Separation:
- Mapped cleanly to
mtproxymax shield(andanti-dpi/dpi-shield), working alongside the existing Kernel SYN Shield (mtproxymax syn-shield) for multi-layered protection against both active scanners and passive packet sniffers.
- Mapped cleanly to
🌐 Suite 3: Reverse-Proxy Cover Shield (mtproxymax cover-shield [on|off|target <url>])
- Active Scanner Trapdoor:
- Engages an active defense mechanism within the
telemtengine by dynamically configuringfallback = "<url>"inside the generated TOML configuration.
- Engages an active defense mechanism within the
- Seamless HTTP & TLS Forwarding:
- When hostile censorship crawlers, Shodan bots, or unauthorized clients connect to your proxy port without a valid MTProto secret or perform non-MTProto HTTP GET requests, their traffic is seamlessly proxied directly to a fallback website (default:
https://cloudflare.com).
- When hostile censorship crawlers, Shodan bots, or unauthorized clients connect to your proxy port without a valid MTProto secret or perform non-MTProto HTTP GET requests, their traffic is seamlessly proxied directly to a fallback website (default:
- Zero Socket Resets:
- Instead of dropping or resetting TCP connections—which immediately flags the server IP as an anomalous proxy to ISP firewalls—the server behaves 100% identically to a legitimate corporate web server or CDN gateway.
- Input Sanitization:
- Hardened with single-quote and whitespace stripping to prevent TOML configuration injection when setting custom fallback URLs.
🩺 Forensic Hardening & Bug Fixes
- CLI Dispatcher Collision Fix:
- Discovered and resolved a bash
caseevaluation shadowing bug whereshield)(v1.1.0 Kernel SYN Shield) shadowedshield|anti-dpi)in the CLI command router. Separated commands intosyn-shield(SYN rate limiter) andshield/anti-dpi(Packet Padding Shield), ensuring 100% independent control.
- Discovered and resolved a bash
- Engine TOML Integration:
- Audited
generate_telemt_configto ensurefallbackstrings are dynamically injected into the runtime engine config without breaking existing multi-secret or quota definitions.
- Audited
- Line-by-Line Syntax & Conflict Verification:
- Executed automated syntax validation across all 16,979 lines (
mtproxymax.shandinstall.sh), confirming zero syntax errors, zero merge conflict artifacts, and zero race conditions.
- Executed automated syntax validation across all 16,979 lines (
🏁 Upgrade Instructions
To upgrade an existing server immediately without downtime:
mtproxymax updateOr deploy on a fresh node:
curl -sSL https://raw.githubusercontent.com/SamNet-dev/MTProxyMax/main/install.sh | bashPinned Engine: telemt v3.4.19 (987c53c)
v1.3.0 — The Mega-Release (20 Enterprise Features Across 4 Suites)
✨ What's New in MTProxyMax v1.3.0 — The Mega-Release
MTProxyMax v1.3.0 is a landmark release introducing 20 enterprise features across 4 specialized suites: High-Performance Networking, Advanced Quota Governance, Enterprise DevOps Automation, and Live Telemetry & Diagnostics.
This release also features the completion of a 4-round deep architectural POSIX audit, guaranteeing atomic configuration updates, regex collision immunity, alert flood throttling, and O(1) CPU efficiency.
🌐 Suite 1: High-Performance Networking & Security Expansion
-
Lightweight Eco-Mode (
mtproxymax eco-mode [on|off|status])- Optimizes Linux kernel TCP memory allocations (
rmem_max/wmem_maxto131072), reducing RAM footprint by up to 45% for stable operation on 256MB/512MB micro-servers. - Includes a persistent background watchdog in
sweep()that automatically re-enforces conservative buffer ceilings after system reboots or service reloads.
- Optimizes Linux kernel TCP memory allocations (
-
Active Probe Decoy Routing (
mtproxymax decoy [set|clear|status])- Configures kernel redirection so unauthorized HTTP/TLS scanners lacking a valid MTProto secret are cleanly forwarded to a custom fallback URL or honeypot endpoint.
-
Country Geo-Fencing (
mtproxymax geofence [add|remove|list])- High-speed CIDR country-level firewall blocking or allowing specific nation-state subnets via automated Cloudflare/GeoIP feeds.
- Hardened with alphanumeric input sanitization (
tr -dc 'a-zA-Z0-9') to prevent injection.
-
Network Resilience Chaos Engineering (
mtproxymax chaos-test [latency|packet-loss|disconnect])- Simulates high latency, packet loss, or abrupt socket drops using Linux
tc netemto verify client reconnect resilience and failover behavior.
- Simulates high latency, packet loss, or abrupt socket drops using Linux
-
IP Reputation & Clean-Score Inspector (
mtproxymax ip-score [ip|self])- Checks server public IP against global blacklists (Spamhaus, AbuseIPDB, Russian/Iranian censorship blocks) to calculate an instant clean score out of 100.
👥 Suite 2: Advanced User & Quota Governance
-
Shared Quota Pools (
mtproxymax pool [create|add|remove|list])- Group multiple member accounts under a single shared bandwidth ceiling (e.g. 100GB shared among a 5-person team).
- When the pool limit is reached, all member links are automatically paused.
- Alert Flood Throttling: Hardened with an active member pre-check (
any_enabled) so exceeded pools silently skip redundant toggles and suppress duplicate Telegram/Webhook alerts during periodic sweeps. - Regex Safety: Built with exact field-based awk string matching to prevent regex naming collisions.
-
Dynamic Calendar Quota Scheduling (
mtproxymax calendar [weekend|holiday|status])- Provide unmetered free data passes on weekends or major holidays.
- Holiday Airdrop Integration: Hooked directly into
get_cumulative_proxy_statsso traffic consumed on major holidays (New Year01-01, Nowruz03-21, Halloween10-31, Christmas12-25, New Year's Eve12-31) is automatically excluded from monthly user quota accounting.
-
Custom Expiry Action Policies (
mtproxymax expire-action [disable|delete|archive])- Define automated lifecycle policies for expired accounts — choose between temporary disablement, soft-deletion to archive, or permanent purging.
-
Real-Time Interactive Leaderboard (
mtproxymax top-users [traffic|conns|speed])- Live ASCII ranking display identifying top bandwidth consumers, most active concurrent connections, and highest real-time transfer rates.
-
Automated High-Velocity Traffic Alerts (
mtproxymax traffic-alert [set|clear|status])- Monitors rolling transfer speeds and dispatches instant warnings when a single account exceeds configurable burst thresholds (e.g. >10GB/hour).
🚀 Suite 3: Enterprise DevOps & Multi-Server Automation
-
1-Click Emergency Server Evacuation (
mtproxymax evacuate [ip|bundle])- Instantly packs all secrets, pools, and configuration files into an encrypted portable archive and transfers it via SSH/rsync to a standby backup server in under 5 seconds.
- Dynamically iterates through existing configuration files (
secrets.conf,pools.conf,calendar.conf, etc.), ensuring 100% resilience against missing files.
-
Multi-Channel Enterprise Webhook Dispatcher (
mtproxymax webhook [add|remove|list|test])- Sends RFC-compliant JSON event notifications to Discord, Slack, Mattermost, or DingTalk when lockdowns, failovers, or quota breaches occur.
- Features robust JSON payload sanitization (markdown stripping, double-quote escaping, backslash escaping, and newline flattening).
-
Printable QR Code Onboarding Sheets (
mtproxymax qr-sheet [export|pdf])- Generates a styled, printable HTML/PDF catalog of user QR codes and connection instructions for physical distribution or corporate onboarding.
- Includes automated directory tree creation (
mkdir -p) for export safety.
-
Executive Monthly Audit Reports (
mtproxymax export-report [csv|html|json])- Produces comprehensive compliance and billing reports summarizing monthly bandwidth usage, active users, and system uptime.
-
Telegram Datacenter Route Optimizer (
mtproxymax dc-optimize [dc1-dc5|auto])- Actively probes TCP handshake timers to Telegram DCs (DC1–DC5) and tunes kernel routing tables and MSS clamping for optimal regional routing.
🩺 Suite 4: Diagnostic, Resiliency & TUI Dashboard Enhancements
-
Interactive Live Telemetry Dashboard (
mtproxymax live-diag)- Real-time ASCII dashboard displaying rolling traffic graphs, CPU/RAM usage, active connection counts, and SYN shield tarpit interceptions.
-
Autonomous SNI Cover Domain Hunter (
mtproxymax auto-sni [on|off|status])- Automatically scans and benchmarks high-reputation TLS cover domains in your region to replace blocked SNIs without human intervention.
-
Autonomous Upstream Failover Watchdog (
mtproxymax failover [on|off|status])- Monitors upstream proxy health every minute during background sweeps (
sweep()). - Automatically executes health probes (
upstream_test) and switches upstreams or rotates backend IPs after 3 consecutive ping failures.
- Monitors upstream proxy health every minute during background sweeps (
-
TLS Certificate Fingerprint Randomizer (
mtproxymax cert-shield [on|off|status])- Dynamically mutates TLS extension ordering, ALPN banners, and record padding intervals every 12 hours to evade statistical AI/ML packet inspection.
-
Customizable TUI Color Themes (
mtproxymax tui-theme [dark|matrix|cyan|classic])- Choose your preferred ASCII interface aesthetic — Cyberpunk Matrix Green, Electric Cyan, Dark Mode, or Classic Retro.
🛡️ Deep Architectural POSIX & Security Hardening
- POSIX Atomic Filesystem Writes: All configuration modifications across Suites 1–4 utilize an atomic write-then-rename pattern (
mv "$tmp" "$target_file"), preventing race conditions or partial reads by background monitoring threads. - Read-Only Watchdog Safety: Background maintenance loops (
sweep()) access secondary configurations strictly read-only, eliminating read-write deadlocks. - Regex Collision Immunity: Replaced grep lookups in monthly quota resets (
secret_check_quota_resets) and pool matching with exact field-based awk comparisons ($1 == l && $2 == m), guaranteeing zero naming collisions. - Syntax Verification: Passed 100% bash syntax validation across all 16,749 lines (
bash -n mtproxymax.sh).
🏁 Upgrade
mtproxymax updatePinned Engine: telemt v3.4.19 (987c53c)
v1.2.0 — Enterprise Commercial & Shield Suite, Next-Gen Anti-DPI & DevOps Clustering
✨ What's New in MTProxyMax v1.2.0
MTProxyMax v1.2.0 represents the most extensive feature expansion in the project's history. This release transforms the core script into a full-scale Enterprise Proxy Management Platform featuring commercial voucher automation, role-based Telegram governance, automated hostile threat blacklisting, proactive Anti-DPI forensics, kernel-level bandwidth shaping, load balancer clustering, daily briefing dispatches, smart user onboarding, and hardware-aware performance auto-tuners.
🏢 Enterprise Commercial Suite
-
Commercial Voucher & Gift Code System (
mtproxymax voucher)- Batch Generation: Generate secure batches of gift codes (
mtproxymax voucher create <count> <quota> <days>) formatted asMTP-XXXX-XXXXwith custom data ceilings (e.g.,10G,50G, or unlimited) and validity durations stored cleanly in${INSTALL_DIR}/vouchers.conf. - Self-Service & Bot Redemption: Users or distributors can redeem voucher codes locally (
mtproxymax voucher redeem <code> [label]) or remotely via Telegram bot (/redeem <code>), instantly provisioning a dedicated proxy secret with exact quota and connection limits enforced. - Full Audit Trail: Track every voucher's status (
ACTIVE,REDEEMED,REVOKED), creation timestamp, and associated account label.
- Batch Generation: Generate secure batches of gift codes (
-
Role-Based Access Control (RBAC) & Telegram Admin Tiers (
mtproxymax admin)- Multi-Tier Authorization Governed in
admins.conf:superadmin: Unrestricted access to all 21 remote Telegram bot commands, including destructive engine restarts (/mp_restart), emergency panic lockdowns (/mp_lockdown), script self-updates (/mp_update), and bot removals (/mp_remove).reseller: Delegated operational access restricted strictly to voucher batch creation (/mp_voucher create), voucher auditing (/mp_voucher list), voucher redemption (/redeem), and user statistics queries (/mp_status,/mp_secrets). Destructive server commands are automatically blocked with security violation logging.
- Multi-Tier Authorization Governed in
-
Decoupled Self-Service Web Status Portal (
mtproxymax portal)- Zero-Dependency Static HTML Dashboard: Generates a responsive, dark-mode glassmorphism HTML interface (
index.html) stored in/opt/mtproxymax/portal/. - Automated Background JSON Metrics: During periodic engine sweeps (
sweep()), MTProxyMax automatically exports real-time server health (status.json) and anonymized user quota leaderboards (users.json). - Client Self-Service: Users can check live proxy uptime, server bandwidth consumption, active connection counts, and individual data consumption directly from any browser without exposing internal administrative interfaces or running backend scripts.
- Zero-Dependency Static HTML Dashboard: Generates a responsive, dark-mode glassmorphism HTML interface (
🛡️ Automated Hostile Threat Scanner Shield
- Proactive Shodan & Censys Threat Blocking (
mtproxymax scanner-shield)- High-Speed Kernel Memory Hash Sets: Initializes high-performance Linux kernel memory sets (
ipsettablemtproxymax-scanners) with capacity for up to 65,536 network CIDRs. - Automated Threat Feed Import: Automatically imports and blacklists well-known hostile mass scanning subnets (including Shodan, Censys, and Shadowserver probe networks such as
162.142.125.0/24,167.94.138.0/24,71.6.135.0/24). - Pre-Application Drop: Incoming packets from hostile scanner subnets are silently dropped at the Netfilter kernel boundary before reaching Docker container sockets or triggering SYN cookie thresholds, keeping your proxy invisible to Internet-wide discovery feeds.
- High-Speed Kernel Memory Hash Sets: Initializes high-performance Linux kernel memory sets (
🔬 Advanced Anti-DPI & Emergency Defenses
- Active DPI Forensics Inspector (
mtproxymax dpi-inspect)- Performs a 5-step heuristic scan evaluating SYN cookie state, TLS fingerprint parity, SNI routing reachability, conntrack replay cache depth, and MSS clamping to compute an interactive Anti-DPI Hardening Score out of 100.
- Self-Healing Cover Watchdog (
mtproxymax cover-watchdog)- Background watchdog probing primary cover domain health every 60 seconds. Automatically rotates to backup SNI pool candidates upon censorship interception or consecutive HTTP 5xx failures.
- Emergency Panic Lockdown Switch (
mtproxymax lockdown [on|off])- Instant posture hardening switch enabling kernel SYN tarpits, Ultra-Stealth conntrack replay protection, and TCP MSS clamping via CLI or remote Telegram bot command (
/mp_lockdown).
- Instant posture hardening switch enabling kernel SYN tarpits, Ultra-Stealth conntrack replay protection, and TCP MSS clamping via CLI or remote Telegram bot command (
- Multi-Port Listener Pool (
mtproxymax port-pool [add|remove|list])- Listens on multiple fallback TCP ports simultaneously (e.g., 443, 8443, 2053) via automated kernel
iptablesNAT redirection without extra container runtime overhead.
- Listens on multiple fallback TCP ports simultaneously (e.g., 443, 8443, 2053) via automated kernel
- Dynamic FakeTLS Padding & Jitter (
mtproxymax tls-pad [auto|off|rotate])- Randomizes FakeTLS certificate payload lengths dynamically (
fake_cert_len) to prevent active DPI packet sizing heuristics from identifying MTProto handshake packets.
- Randomizes FakeTLS certificate payload lengths dynamically (
- Active Probe Decoy Redirection (
mtproxymax honeypot [on|off|status])- Intercepts unauthorized active scanners and redirects unauthenticated probes to realistic decoy web endpoints.
🏎️ Bandwidth Shaping & Quota Intelligence
- Linux Kernel QoS Traffic Shaping (
mtproxymax qos [set <mbps>|off|status])- Enforces per-IP upload and download rate ceilings using Linux
tc(Traffic Control) hierarchical token buckets andiptables hashlimitrules to prevent aggressive clients from saturating server links.
- Enforces per-IP upload and download rate ceilings using Linux
- Happy Hours Quota Exclusions (
mtproxymax happy-hours [set <win>|off])- Configures unmetered schedule windows (e.g.,
02:00-08:00) where client traffic bypasses monthly quota accounting.
- Configures unmetered schedule windows (e.g.,
- Proactive Telegram Expiry Reminders (
mtproxymax notify-expiry)- Scans user accounts and dispatches automated direct Telegram reminders 7 days, 3 days, and 24 hours prior to account expiration.
- Multi-IP Subscription Anomaly Scanner (
mtproxymax leak-scan [thresh])- Inspects real-time connection logs to detect credential leaks and abnormal simultaneous IP sharing across proxy secrets.
📡 Operations, Briefings & Onboarding Suite
- Telegram Backup Push (
mtproxymax backup send-tg [file])- Compresses the server configuration and secrets database into an encrypted
.tar.gzarchive and pushes it directly as a document attachment to the superadmin Telegram bot chat.
- Compresses the server configuration and secrets database into an encrypted
- Scheduled Executive Morning Briefings (
mtproxymax daily-report [on|off|run])- Configures automated daily cron summaries sent directly to Telegram detailing 24-hour traffic volume, peak connection counts, and upcoming account expirations.
- SSH Brute-Force Intrusion Shield (
mtproxymax ssh-shield [on|off|status])- Automatically configures fail2ban rules and kernel firewall jails protecting host SSH ports against automated dictionary attack bots.
- International Network Grade Benchmarker (
mtproxymax net-grade)- Performs comprehensive TCP ping and routing stability evaluations against global transit nodes, scoring server network quality with an A+/A/B/C letter grade.
- Interactive Smart Onboarding Wizard (
mtproxymax onboard [label])- Step-by-step interactive administrative wizard guiding operators through creating accounts with custom bandwidth limits, connection caps, expiration dates, and immediate QR code outputs.
- SSL/TLS Cover Domain Inspector (
mtproxymax cert-check [domain])- Audits cover domains via OpenSSL to verify certificate issuer chains, cipher suites, and days until TLS expiration.
🌐 DevOps Clustering & Automation Suite
- Layer-4 Load Balancer Exporter (
mtproxymax export-lb [haproxy|nginx])- Generates production-ready HAProxy (
haproxy.cfg) and Nginx Stream (nginx.conf) configuration snippets configured for Layer-4 TCP proxying and PROXY Protocol v2.
- Generates production-ready HAProxy (
- Cloudflare Dynamic DNS Updater (
mtproxymax ddns [set|run|status|off])- Automatically queries Cloudflare API v4 and updates domain A records whenever public IP changes are detected.
- Point-in-Time Snapshots (
mtproxymax snapshot [create|restore]) & Forensics Bundle (mtproxymax diag-dump)- Creates self-contained
.tar.gzconfiguration backups with one-click restoration and packages comprehensive system diagnostics for auditing.
- Creates self-contained
- Instant Server Replication & Bootstrapping (
mtproxymax clone-link&bootstrap <base64>)- Generates a one-line Base64 export bundle containing server configuration parameters that can be instantly bootstrapped onto a fresh secondary node.
🚀 Performance & Self-Healing Suite
- TCP BBR & Fast Open Booster (
mtproxymax tcp-boost [on|off|status])- Activates Google's BBR congestion control algorithm and TCP Fast Open (
TFO) to drastically reduce latency over high-packet-loss networks.
- Activates Google's BBR congestion control algorithm and TCP Fast Open (
- Aggressive Mobile Socket Reaper (
mtproxymax tcp-clean [on|off|status])- Tunes kernel
fin_timeoutandkeepalive_probesto rapidly purge orphaned mobile client sockets caused by sudden cellular drops.
- Tunes kernel
- Ultra-Low Latency Socket Queue Booster (
mtproxymax socket-boost [on|off])- Expands
somaxconnand network device backlog limits to handle thousands of concurrent connection bursts without packet drops.
- Expands
- Automated Memory & Socket Self-Healer (
mtproxymax heal&auto-heal [on|off|status])- Background self-healer that automatically flushes kernel buffer caches and reaps zombie connections when RAM thresholds drop below critical limits.
- TCP Fast-Path Window Scaling & MTU Probing (
mtproxymax tcp-fastpath [on|off])- Optimizes RFC-compliant TCP window scaling (
tcp_window_scaling=1), Selective Acknowledgments (tcp_sack=1), and Path MTU discovery (tcp_mtu_probing=1).
- Optimizes RFC-compliant TCP window scaling (
- Dynamic RAM Auto-Tuning (
mtproxymax ram-tune [auto|off])- Hardware-aware scaling of TCP memory buffers (
rmem_max/wmem_max) across Small (≤1GB), Medium (1-4GB), and Large (>4GB) server tiers.
- Hardware-aware scaling of TCP memory buffers (
- **Dynamic Port Range Shadowing (`mtproxymax ...
v1.1.0 — Anti-DPI & Stealth Defenses Expansion
✨ What's New in MTProxyMax v1.1.0
This release marks a major version bump to v1.1.0, introducing powerful Anti-DPI & Stealth Defenses alongside advanced administrative and reporting suites to keep your Telegram MTProto proxy unblockable and effortless to manage.
🛡️ Anti-DPI & Stealth Defense Suite
- Kernel SYN Shield (
mtproxymax shield)- Built-in iptables/nftables rate limiter utilizing
conntrackandrecentkernel modules. Automatically tarpits aggressive active probes and port scanners (>15 SYN bursts in 5 seconds per IP) before they consume application memory.
- Built-in iptables/nftables rate limiter utilizing
- Stealth Presets (
mtproxymax stealth)- Hot-swappable anti-replay hardening modes (
normalvsultra). Ultra preset tightens the replay time window to 180s, expands the nonce cache to 131,072 entries, and drops unknown SNI probes immediately.
- Hot-swappable anti-replay hardening modes (
- TCP MSS Clamping (
mtproxymax clamp-mss)- Prevents packet fragmentation and MTU black hole drops across restrictive ISP routes via TCP FORWARD mangle rules
--clamp-mss-to-pmtu.
- Prevents packet fragmentation and MTU black hole drops across restrictive ISP routes via TCP FORWARD mangle rules
- Multi-Domain SNI Pool (
mtproxymax domain-pool)- Rotate between multiple high-reputation cover domains (
tls_domains = ["dom1.com", "dom2.com"]) within the same proxy engine instance to evade single-domain DPI throttling and SNI blacklisting.
- Rotate between multiple high-reputation cover domains (
- Auto TLS Certificate Synchronization (
sync_domain_cert_len)- Automatically connects to your configured cover domain (
tls_domain) every 24 hours via OpenSSL, measures the live DER certificate payload size, and dynamically tunesfake_cert_len. Completely prevents DPI active heuristics from fingerprinting your proxy based on mismatched or static certificate sizes.
- Automatically connects to your configured cover domain (
- Interactive Stealth Dashboard
- Dedicated ASCII menu accessible via Settings
[s]or Security[5]to monitor and toggle all stealth capabilities live.
- Dedicated ASCII menu accessible via Settings
🌟 Administrative & Reporting Additions
- Executive Digest (
mtproxymax digest): Instant ASCII executive summary board aggregating proxy health, active sockets, traffic totals, and bot status. - Datacenter Benchmark (
mtproxymax ping-dc): Live TCP handshake latency test against Telegram global datacenters DC1 through DC5 with fastest-DC detection. - Purge Disabled Secrets (
mtproxymax secret purge-disabled): Automated cleanup tool to permanently remove expired or disabled user records. - Base64 Subscription Feed (
mtproxymax secret sub): Generates standard Base64 feeds for client proxy auto-updaters. - JSON Export (
mtproxymax secret export-json): Full database export formatted as clean JSON for external scripting. - Prefix Bulk Rename (
mtproxymax secret rename-prefix): Batch rename groups of secrets sharing a common prefix.
🏁 Upgrade
mtproxymax updatePinned Engine: telemt v3.4.19 (987c53c)
v1.0.10 — Executive Digest, DC Benchmarking, Base64 Feeds & Engine v3.4.19
✨ What's New in MTProxyMax v1.0.10
This release expands MTProxyMax with 6 major administrative features across the CLI suite and interactive TUI dashboards, bumps the core engine to telemt v3.4.19, and addresses several community inquiries and investigations.
🌟 New Features & Management Tools
-
📊 Executive Digest (
mtproxymax digest)- Instant ASCII executive summary board aggregating proxy health, container uptime, active TCP socket counts, cumulative traffic counters, and Telegram Bot daemon status. Accessible via CLI or TUI Info menu
[g].
- Instant ASCII executive summary board aggregating proxy health, container uptime, active TCP socket counts, cumulative traffic counters, and Telegram Bot daemon status. Accessible via CLI or TUI Info menu
-
🌍 Datacenter Latency Benchmark (
mtproxymax ping-dc)- Live TCP handshake latency benchmark testing against Telegram's 5 global datacenters (
DC1throughDC5) with automatic fastest-DC detection. Accessible via CLI or TUI Info menu[l].
- Live TCP handshake latency benchmark testing against Telegram's 5 global datacenters (
-
🧹 Purge Disabled & Expired Secrets (
mtproxymax secret purge-disabled)- Automated database hygiene command that scans configured secrets and permanently purges user records where
enabled=falseor expiration dates have passed. Accessible via CLI or TUI Secret Management[d].
- Automated database hygiene command that scans configured secrets and permanently purges user records where
-
🔗 Base64 Subscription Feed (
mtproxymax secret sub)- Exports a standard unbroken Base64 string containing all active
tg://proxy?...links. Designed for third-party Telegram client proxy auto-updaters. Displayed automatically in the Share Links menu[3].
- Exports a standard unbroken Base64 string containing all active
-
📦 User Database JSON Export (
mtproxymax secret export-json)- Full export of configured users, secrets, quotas, connection limits, and expiry dates formatted as clean JSON for external integrations and scripting. Accessible via CLI or TUI Export menu
[i].
- Full export of configured users, secrets, quotas, connection limits, and expiry dates formatted as clean JSON for external integrations and scripting. Accessible via CLI or TUI Export menu
-
🏷️ Bulk Prefix Renaming (
mtproxymax secret rename-prefix <old> <new>)- Bulk renaming tool allowing admins to match existing secret labels by prefix and swap them out in a single pass (e.g.
test_→vip_). Upgraded TUI Rename option[9]to support single vs. bulk modes.
- Bulk renaming tool allowing admins to match existing secret labels by prefix and swap them out in a single pass (e.g.
🔧 Engine Upgrade: telemt v3.4.19 (987c53c)
Includes the latest upstream advancements from the telemt Rust proxy engine:
- Packet Overhead Reduction (
client_mss_bulk): Handshake fragmentation is preserved for DPI evasion, but Maximum Segment Size (MSS) is automatically raised for bulk data transfer. Significantly cuts packets-per-second (pps) CPU overhead and improves throughput. - Relay & Obfuscation Hardening: Advanced Relay Mode optimizations, hardened KDF-tuple derivation, updated secure padding expectations for VersionD, and shared MTProto framing.
- Config API Reliability: Resolved nested sub-table corruption issues during config save operations.
🐞 Recent Issues Addressed & Investigated
- #83 User Support & Inquiries: Addressed proxy configuration questions and client connectivity guidance.
- #86 Windows WSL2 / Docker Desktop Evaluation: Conducted an architectural feasibility review for Docker Desktop on Windows. Clarified networking constraints (WSL2 bridge forwarding vs host netns) and documented why Linux remains the required platform.
- #102 Function Modifications Audit: Investigated requested function alterations and validated script modularity.
- #103 Telegram Bot Daemon Audit: Evaluated bot polling lifecycle and confirmed background notification routines operate reliably.
🏁 Upgrade
mtproxymax updatePinned Engine: telemt v3.4.19 (987c53c)
v1.0.9 — Engine v3.4.18, TLS Stealth, ME/MR Hardening
🔧 Engine Upgrade: telemt v3.4.18
This release jumps 7 upstream versions (from v3.4.11) to incorporate major stealth and reliability improvements from the telemt engine.
🚀 Engine v3.4.18 — Stealth, Hardening, and Rate Limits
-
TLS Stealth & Realism:
- ServerHello now dynamically selects a TLS 1.3 cipher suite actually offered by the ClientHello
- Preserves safe profiled extension order to better mimic real web servers
- ALPN is no longer exposed as a stable plaintext marker inside fake ApplicationData payloads
- Single-record TLS-F primary application flight restored
-
Hardened Middle-End/Middle-Relay:
- Bounded ME writer queue waits under backpressure to prevent indefinite stalls
- Prioritized cancellation in async paths
- Reused ME reader scratch buffers across read-loop iterations
- Atomic claims for MR pressure-eviction budget to avoid racing sessions
-
API & Rate Limiting:
- User rate limits are now exposed through the API
- New
GET /v1/stats/users/quotaendpoint (moved from/v1/users/quota) - Proper
405 Method Not Allowedresponses withAllowheader for known routes - Hyphenated aliases added for runtime endpoints
- Quota resets now validate config revision
-
Performance & Fixes:
- SYN limiter lifecycle and default burst fixed
- Startup speed-up, IDN support, and exclusive mask mode
disable_colorsfix: now suppresses ANSI in MAESTRO output too- Docker: writable
/etc/telemt/config mount and/run/telemttmpfs cache
🏁 Upgrade
mtproxymax updateThe new engine image (ghcr.io/samnet-dev/mtproxymax-telemt:3.4.18-9dc6772) will be pulled automatically on update.
🐛 Engine Version
Pinned: telemt v3.4.18 (9dc6772)
v1.0.8 — Engine v3.4.11, Security Hardening, Telegram Customization
🔧 Engine Upgrade + Telegram Customization
This release upgrades the telemt engine from v3.4.8 → v3.4.11 (3 upstream releases) and adds post-install Telegram notification customization requested in #77.
🚀 Engine v3.4.11 — Security Hardening & Performance
Three upstream releases worth of improvements, all drop-in compatible:
🔒 Security
- Constant-time API authorization — prevents timing attacks on auth headers
- PROXY protocol pre-validation — reject untrusted sources before reading the header
- Bounded API/metrics connections — HTTP connection timeouts prevent resource exhaustion
- Per-user source IP/CIDR deny lists — new
access.user_source_denyconfig key
🔐 TLS
- Full certificate budget bookkeeping — tracks TLS cert resource usage per shard
- Fixed domain-aware masking fallback — extra
tls_domainsnow properly preserve matching SNI domain - TLS front profile health metrics — configured, emitted, suppressed, default, raw, merged states
- Multi-domain TLS fetcher — works across multiple
tls_domainsentries tls_domainsvalidation — rejects invalid entries at config time
📊 Quota & Rate Limiting
- Persistent per-user quota state —
quota_state_pathsaves quota consumption across restarts - Runtime quota reset endpoint —
POST /v1/users/{user}/reset-quota - Bounded quota contention — cancellation paths and contention metrics
⚡ Performance & Reliability
- IP tracker cleanup pressure reduction — less work on hot paths
- ME admission event-driven wakeup — faster connection acceptance
- Bounded ME child task join — timeout + abort accounting for relay cleanup
- Hot-path cleanup — moved stats/cleanup work away from latency-sensitive paths
- TimeWindow IP limiting fix — only new IPs counted when TimeWindow mode enabled
- WorkingDirectory behavior fix
📈 Observability
- Class-based rejected connection and handshake failure metrics
- Quota contention/cancellation/flow-wait metrics
- ME child task abort/timeout metrics
- Updated Grafana dashboard for new metric surface
📦 Dependencies
rustls-webpki0.103.12 → 0.103.13
🤖 Telegram Notification Customization (#77)
Previously, report interval, server label, and alert preferences could only be set during the initial setup wizard. Now they're fully configurable post-install:
CLI:
mtproxymax telegram interval 12 # Change report interval (1–168 hours)
mtproxymax telegram label "My VPS" # Change server label in notifications
mtproxymax telegram alerts on # Toggle down/recovery alerts (on|off)
# Show current values:
mtproxymax telegram interval # → Report interval: every 6h
mtproxymax telegram status # → shows interval, alerts, and labelTUI — Telegram Bot menu:
| Option | Description |
|---|---|
[5] Toggle alerts |
Now shows current state: (true) / (false) |
[7] Change report interval |
Prompts with current value, validates 1-168h |
[8] Change server label |
Prompts with current value, validates format |
🏁 Upgrade
mtproxymax updateThe new engine image (ghcr.io/samnet-dev/mtproxymax-telemt:3.4.11-3bd5637) is pulled automatically on update. No manual steps needed.
🐛 Engine Version
Pinned: telemt v3.4.11 (3bd5637)
v1.0.7 — Tags, Templates, Migration, Tuning, Verify & 16 more features
🎉 Massive Release — 20+ New Features
This release triples the script's surface area. Grouped by category below.
🏷️ Secret Organization
secret tag/untag/tags— Group users with comma-separated tagssecret list --tag <tag>— Filter secret list by tagsecret logs <label>— Per-user activity log filtersecret info <label>— Single-command full view (limits, live metrics, link, QR) — already in v1.0.6secret list --csv— CSV output for spreadsheets / reporting- Secret templates — Reusable limit sets:
template save/list/apply/delete,secret add --template <name>
🔄 Lifecycle Management
secret rotate --all— Bulk rotate every secret (with--dry-runpreview)secret quota-reset <label> <day>— Monthly quota reset on day N (handles short months)secret extend <label> <days>— Extend single secret expiry (v1.0.6)secret bulk-extend <days>— Extend ALL expiries at once (v1.0.6)secret archive/unarchive— Soft-delete with restoration (v1.0.6)auto-rotate [N]— Global policy to auto-rotate secrets older than N dayssecret remove --dry-run— Preview destructive operations
🚨 Operations
maintenance on/off/status— Reject new connections with RST while keeping existing alive (graceful pre-restart)ban/unban/bans— iptables-based IP banlist (survives reboots viabans_reapplyon start)verify— End-to-end install check: port, TLS handshake, metrics, Telegram API, domain reachabilityspeedtest— Outbound bandwidth/latency from server to Cachefly, Hetzner, Telegram APIhistory [lines]— Audit log of config changes (secret add/remove/rotate, domain changes)info— Comprehensive server overview: OS, IPv4/IPv6, users, services, security posture
💾 Backup & Migration
migrate export/import— Tarball-based server migration (all settings, secrets, upstreams, tags, bans, archives, profiles)backup --encrypt— AES-256 + PBKDF2 encrypted backups with password promptbackup restore-encrypted <file>— Restore from encrypted backupbackup autoclean [days]— Auto-delete old backups (configurable viaBACKUP_RETENTION_DAYS)
⚙️ Expert Configuration
tune list/get/set/clear— Whitelisted engine parameter tuning (fake_cert_len,mask_relay_timeout_ms, timeouts, log_level, etc.). Post-processes config.toml via sed — no TOML duplicate-key issues.sweep— Internal periodic maintenance command (quota resets, auto-rotate, backup cleanup). Invoked from bot loop every 5 min.
🛠 Polish
completion— Emit bash tab-completion script:sudo mtproxymax completion > /etc/bash_completion.d/mtproxymaxchangelog— Fetch GitHub release notes since installed version
🖥 TUI Coverage
Every feature above is also exposed in the TUI:
| Feature | TUI Location |
|---|---|
| Tags | Secrets > [y] |
| Monthly quota reset | Secrets > [q] |
| Rotate ALL | Secrets > [r] |
| Templates | Secrets > [k] |
| Per-user logs | Secrets > [l] |
| Info | Info > [i] |
| Changelog | Info > [n] |
| Verify | Info > [v] |
| Speedtest | Info > [s] |
| History | Info > [h] |
| Maintenance | Proxy > [m] |
| IP Banlist | Security > [4] |
| Migrate / Encrypted backups | About > [5]-[9] |
| Auto-rotate | Settings > [a] |
| Engine tuning | Settings > [n] |
🔒 Security & Safety
- Encrypted backups — password passed via env var to openssl (hidden from
ps aux) - Audit log — every config change tracked with timestamp + user
check_rootgating — destructive CLI commands require root- Read-only preview —
--dry-runflag onsecret removeandsecret rotate --all - TTY-safe — non-interactive flows auto-confirm destructive bulk ops (for CI/SSH scripts)
🏁 Upgrade
mtproxymax updateAfter update, run mtproxymax verify to confirm your install is healthy, then mtproxymax info for a comprehensive overview.
🐛 Engine Versions
Current pinned: telemt v3.4.6 (8874396). Upgrade path from earlier versions happens automatically.
v1.0.6 — Profiles, Archive, Search, Port Check & More
New Commands
Secret Management:
secret info <label>— Full detail view: status, limits, live connections/traffic, proxy link, QR codesecret search <query>— Find secrets by partial label or note content (case-insensitive)secret archive <label>/secret unarchive <label>— Soft-delete secrets to archive, restore later.secret archivesto listsecret top [traffic|conns] [N]— Top N users by traffic or connectionssecret generate-links [txt|html]— Bulk export all proxy links to file. HTML version includes QR codes
Server Management:
config— Display the current engine config.tomluptime— One-line scriptable status output (e.g.2d 4h | 14 conns | ↓1.2GB ↑340MB)notify <message>— Send a custom message through the Telegram botport-check— Test if the proxy port is listening locally and reachable from outsidemask-backend [host:port]— Show or set the mask backend for non-proxy traffic (CLI + TUI)profile save|load|list|delete <name>— Save and restore named config snapshots (settings + secrets + upstreams)
TUI
All new features available in TUI menus:
- Secrets menu: info [f], search [/], top [p], generate-links [g], archive [a]
- Settings: view config [v], port check [k], profiles [r], mask backend [m]
- Telegram Bot: send custom notification [6]
Bug Fixes
- Fix domain change exits in non-TTY —
readreturning EOF underset -ekilled the script before restarting (#64) - Fix empty label in non-TTY
secret add/remove— rewrote arg parsing to avoid array indexing edge case (#66) - Bind metrics to 127.0.0.1 —
metrics_listeninstead ofmetrics_portprevents external access (#65) - Fix upstream table alignment — ANSI codes no longer break column padding (#67)
- Fix false "Update available" badge — stored SHA now synced after confirming up-to-date (#68)
- Fix invisible "Enter choice" prompt — removed DIM color that some terminals hide (#69)
- Fix bot uptime always 0m — uses Prometheus
telemt_uptime_secondsinstead of Docker inspect date parsing (#70) - Telegram bot optimization — long-polling for instant response, single awk pass for metrics, process substitution eliminates temp files (#62)
Upgrade: mtproxymax update