Releases: SamNet-dev/MTProxyMax
Release list
v1.3.1 — Performance & Anti-DPI Upgrade Suite (Forensically Audited)
✨ What's New in MTProxyMax v1.3.1 — Performance & Anti-DPI Upgrade Suite
MTProxyMax v1.3.1 is a high-impact upgrade focused on network acceleration, censorship resilience, and active probe defense. This release introduces three powerful new defense and performance suites: TCP BBRv3 & ECN Auto-Tuning, Anti-DPI Packet Padding Shield, and Reverse-Proxy Cover Shield.
This release also features a full forensic audit and hardening round, resolving edge cases in containerized sysctl environments, sealing URL injection vectors, and fixing a critical CLI dispatcher command collision.
🚀 Suite 1: TCP BBRv3 Congestion Control & ECN Auto-Tuning (mtproxymax bbr [on|off|status])
- Kernel Congestion Control Acceleration:
- Activates Google's TCP BBRv3 congestion control algorithm and Fair Queueing (
fq) packet scheduling, dramatically reducing latency and maximizing throughput across high-packet-loss international links.
- Activates Google's TCP BBRv3 congestion control algorithm and Fair Queueing (
- Explicit Congestion Notification (ECN):
- Enables RFC 3168 ECN (
net.ipv4.tcp_ecn = 1) to allow routers to signal network congestion without dropping packets, preventing TCP slow-start slowdowns during high concurrency bursts.
- Enables RFC 3168 ECN (
- 16MB TCP Buffer Expansion:
- Auto-scales kernel read/write memory buffers up to 16MB (
net.ipv4.tcp_rmem/wmem = 4096 65536 16777216) to support high-bandwidth 4K/8K media streaming.
- Auto-scales kernel read/write memory buffers up to 16MB (
- Container-Resilient Sysctl Persistence:
- Writes settings cleanly to
/etc/sysctl.d/99-mtproxymax-bbr.confwith graceful fallback handling for unprivileged container environments (OpenVZ / LXC / Docker) where kernel module loading (modprobe tcp_bbr) is restricted by the host hypervisor.
- Writes settings cleanly to
🛡️ Suite 2: Anti-DPI Packet Padding & Fingerprint Scrubbing (mtproxymax shield [on|off|status])
- Active DPI & Heuristic Evasion:
- Randomizes packet payload size distributions and enforces strict TCP MSS Clamping (
1360bytes) across Linux Netfilter FORWARD, OUTPUT, and POSTROUTING chains.
- Randomizes packet payload size distributions and enforces strict TCP MSS Clamping (
- Defeating Deep Packet Inspection:
- Prevents GFW (Great Firewall), TSPU (Russia), and TIC (Iran) state-level DPI firewalls from identifying FakeTLS handshakes via packet length heuristics or fragmentation anomalies.
- CLI Clean Separation:
- Mapped cleanly to
mtproxymax shield(andanti-dpi/dpi-shield), working alongside the existing Kernel SYN Shield (mtproxymax syn-shield) for multi-layered protection against both active scanners and passive packet sniffers.
- Mapped cleanly to
🌐 Suite 3: Reverse-Proxy Cover Shield (mtproxymax cover-shield [on|off|target <url>])
- Active Scanner Trapdoor:
- Engages an active defense mechanism within the
telemtengine by dynamically configuringfallback = "<url>"inside the generated TOML configuration.
- Engages an active defense mechanism within the
- Seamless HTTP & TLS Forwarding:
- When hostile censorship crawlers, Shodan bots, or unauthorized clients connect to your proxy port without a valid MTProto secret or perform non-MTProto HTTP GET requests, their traffic is seamlessly proxied directly to a fallback website (default:
https://cloudflare.com).
- When hostile censorship crawlers, Shodan bots, or unauthorized clients connect to your proxy port without a valid MTProto secret or perform non-MTProto HTTP GET requests, their traffic is seamlessly proxied directly to a fallback website (default:
- Zero Socket Resets:
- Instead of dropping or resetting TCP connections—which immediately flags the server IP as an anomalous proxy to ISP firewalls—the server behaves 100% identically to a legitimate corporate web server or CDN gateway.
- Input Sanitization:
- Hardened with single-quote and whitespace stripping to prevent TOML configuration injection when setting custom fallback URLs.
🩺 Forensic Hardening & Bug Fixes
- CLI Dispatcher Collision Fix:
- Discovered and resolved a bash
caseevaluation shadowing bug whereshield)(v1.1.0 Kernel SYN Shield) shadowedshield|anti-dpi)in the CLI command router. Separated commands intosyn-shield(SYN rate limiter) andshield/anti-dpi(Packet Padding Shield), ensuring 100% independent control.
- Discovered and resolved a bash
- Engine TOML Integration:
- Audited
generate_telemt_configto ensurefallbackstrings are dynamically injected into the runtime engine config without breaking existing multi-secret or quota definitions.
- Audited
- Line-by-Line Syntax & Conflict Verification:
- Executed automated syntax validation across all 16,979 lines (
mtproxymax.shandinstall.sh), confirming zero syntax errors, zero merge conflict artifacts, and zero race conditions.
- Executed automated syntax validation across all 16,979 lines (
🏁 Upgrade Instructions
To upgrade an existing server immediately without downtime:
mtproxymax updateOr deploy on a fresh node:
curl -sSL https://raw.githubusercontent.com/SamNet-dev/MTProxyMax/main/install.sh | bashPinned Engine: telemt v3.4.19 (987c53c)
v1.3.0 — The Mega-Release (20 Enterprise Features Across 4 Suites)
✨ What's New in MTProxyMax v1.3.0 — The Mega-Release
MTProxyMax v1.3.0 is a landmark release introducing 20 enterprise features across 4 specialized suites: High-Performance Networking, Advanced Quota Governance, Enterprise DevOps Automation, and Live Telemetry & Diagnostics.
This release also features the completion of a 4-round deep architectural POSIX audit, guaranteeing atomic configuration updates, regex collision immunity, alert flood throttling, and O(1) CPU efficiency.
🌐 Suite 1: High-Performance Networking & Security Expansion
-
Lightweight Eco-Mode (
mtproxymax eco-mode [on|off|status])- Optimizes Linux kernel TCP memory allocations (
rmem_max/wmem_maxto131072), reducing RAM footprint by up to 45% for stable operation on 256MB/512MB micro-servers. - Includes a persistent background watchdog in
sweep()that automatically re-enforces conservative buffer ceilings after system reboots or service reloads.
- Optimizes Linux kernel TCP memory allocations (
-
Active Probe Decoy Routing (
mtproxymax decoy [set|clear|status])- Configures kernel redirection so unauthorized HTTP/TLS scanners lacking a valid MTProto secret are cleanly forwarded to a custom fallback URL or honeypot endpoint.
-
Country Geo-Fencing (
mtproxymax geofence [add|remove|list])- High-speed CIDR country-level firewall blocking or allowing specific nation-state subnets via automated Cloudflare/GeoIP feeds.
- Hardened with alphanumeric input sanitization (
tr -dc 'a-zA-Z0-9') to prevent injection.
-
Network Resilience Chaos Engineering (
mtproxymax chaos-test [latency|packet-loss|disconnect])- Simulates high latency, packet loss, or abrupt socket drops using Linux
tc netemto verify client reconnect resilience and failover behavior.
- Simulates high latency, packet loss, or abrupt socket drops using Linux
-
IP Reputation & Clean-Score Inspector (
mtproxymax ip-score [ip|self])- Checks server public IP against global blacklists (Spamhaus, AbuseIPDB, Russian/Iranian censorship blocks) to calculate an instant clean score out of 100.
👥 Suite 2: Advanced User & Quota Governance
-
Shared Quota Pools (
mtproxymax pool [create|add|remove|list])- Group multiple member accounts under a single shared bandwidth ceiling (e.g. 100GB shared among a 5-person team).
- When the pool limit is reached, all member links are automatically paused.
- Alert Flood Throttling: Hardened with an active member pre-check (
any_enabled) so exceeded pools silently skip redundant toggles and suppress duplicate Telegram/Webhook alerts during periodic sweeps. - Regex Safety: Built with exact field-based awk string matching to prevent regex naming collisions.
-
Dynamic Calendar Quota Scheduling (
mtproxymax calendar [weekend|holiday|status])- Provide unmetered free data passes on weekends or major holidays.
- Holiday Airdrop Integration: Hooked directly into
get_cumulative_proxy_statsso traffic consumed on major holidays (New Year01-01, Nowruz03-21, Halloween10-31, Christmas12-25, New Year's Eve12-31) is automatically excluded from monthly user quota accounting.
-
Custom Expiry Action Policies (
mtproxymax expire-action [disable|delete|archive])- Define automated lifecycle policies for expired accounts — choose between temporary disablement, soft-deletion to archive, or permanent purging.
-
Real-Time Interactive Leaderboard (
mtproxymax top-users [traffic|conns|speed])- Live ASCII ranking display identifying top bandwidth consumers, most active concurrent connections, and highest real-time transfer rates.
-
Automated High-Velocity Traffic Alerts (
mtproxymax traffic-alert [set|clear|status])- Monitors rolling transfer speeds and dispatches instant warnings when a single account exceeds configurable burst thresholds (e.g. >10GB/hour).
🚀 Suite 3: Enterprise DevOps & Multi-Server Automation
-
1-Click Emergency Server Evacuation (
mtproxymax evacuate [ip|bundle])- Instantly packs all secrets, pools, and configuration files into an encrypted portable archive and transfers it via SSH/rsync to a standby backup server in under 5 seconds.
- Dynamically iterates through existing configuration files (
secrets.conf,pools.conf,calendar.conf, etc.), ensuring 100% resilience against missing files.
-
Multi-Channel Enterprise Webhook Dispatcher (
mtproxymax webhook [add|remove|list|test])- Sends RFC-compliant JSON event notifications to Discord, Slack, Mattermost, or DingTalk when lockdowns, failovers, or quota breaches occur.
- Features robust JSON payload sanitization (markdown stripping, double-quote escaping, backslash escaping, and newline flattening).
-
Printable QR Code Onboarding Sheets (
mtproxymax qr-sheet [export|pdf])- Generates a styled, printable HTML/PDF catalog of user QR codes and connection instructions for physical distribution or corporate onboarding.
- Includes automated directory tree creation (
mkdir -p) for export safety.
-
Executive Monthly Audit Reports (
mtproxymax export-report [csv|html|json])- Produces comprehensive compliance and billing reports summarizing monthly bandwidth usage, active users, and system uptime.
-
Telegram Datacenter Route Optimizer (
mtproxymax dc-optimize [dc1-dc5|auto])- Actively probes TCP handshake timers to Telegram DCs (DC1–DC5) and tunes kernel routing tables and MSS clamping for optimal regional routing.
🩺 Suite 4: Diagnostic, Resiliency & TUI Dashboard Enhancements
-
Interactive Live Telemetry Dashboard (
mtproxymax live-diag)- Real-time ASCII dashboard displaying rolling traffic graphs, CPU/RAM usage, active connection counts, and SYN shield tarpit interceptions.
-
Autonomous SNI Cover Domain Hunter (
mtproxymax auto-sni [on|off|status])- Automatically scans and benchmarks high-reputation TLS cover domains in your region to replace blocked SNIs without human intervention.
-
Autonomous Upstream Failover Watchdog (
mtproxymax failover [on|off|status])- Monitors upstream proxy health every minute during background sweeps (
sweep()). - Automatically executes health probes (
upstream_test) and switches upstreams or rotates backend IPs after 3 consecutive ping failures.
- Monitors upstream proxy health every minute during background sweeps (
-
TLS Certificate Fingerprint Randomizer (
mtproxymax cert-shield [on|off|status])- Dynamically mutates TLS extension ordering, ALPN banners, and record padding intervals every 12 hours to evade statistical AI/ML packet inspection.
-
Customizable TUI Color Themes (
mtproxymax tui-theme [dark|matrix|cyan|classic])- Choose your preferred ASCII interface aesthetic — Cyberpunk Matrix Green, Electric Cyan, Dark Mode, or Classic Retro.
🛡️ Deep Architectural POSIX & Security Hardening
- POSIX Atomic Filesystem Writes: All configuration modifications across Suites 1–4 utilize an atomic write-then-rename pattern (
mv "$tmp" "$target_file"), preventing race conditions or partial reads by background monitoring threads. - Read-Only Watchdog Safety: Background maintenance loops (
sweep()) access secondary configurations strictly read-only, eliminating read-write deadlocks. - Regex Collision Immunity: Replaced grep lookups in monthly quota resets (
secret_check_quota_resets) and pool matching with exact field-based awk comparisons ($1 == l && $2 == m), guaranteeing zero naming collisions. - Syntax Verification: Passed 100% bash syntax validation across all 16,749 lines (
bash -n mtproxymax.sh).
🏁 Upgrade
mtproxymax updatePinned Engine: telemt v3.4.19 (987c53c)
v1.2.0 — Enterprise Commercial & Shield Suite, Next-Gen Anti-DPI & DevOps Clustering
✨ What's New in MTProxyMax v1.2.0
MTProxyMax v1.2.0 represents the most extensive feature expansion in the project's history. This release transforms the core script into a full-scale Enterprise Proxy Management Platform featuring commercial voucher automation, role-based Telegram governance, automated hostile threat blacklisting, proactive Anti-DPI forensics, kernel-level bandwidth shaping, load balancer clustering, daily briefing dispatches, smart user onboarding, and hardware-aware performance auto-tuners.
🏢 Enterprise Commercial Suite
-
Commercial Voucher & Gift Code System (
mtproxymax voucher)- Batch Generation: Generate secure batches of gift codes (
mtproxymax voucher create <count> <quota> <days>) formatted asMTP-XXXX-XXXXwith custom data ceilings (e.g.,10G,50G, or unlimited) and validity durations stored cleanly in${INSTALL_DIR}/vouchers.conf. - Self-Service & Bot Redemption: Users or distributors can redeem voucher codes locally (
mtproxymax voucher redeem <code> [label]) or remotely via Telegram bot (/redeem <code>), instantly provisioning a dedicated proxy secret with exact quota and connection limits enforced. - Full Audit Trail: Track every voucher's status (
ACTIVE,REDEEMED,REVOKED), creation timestamp, and associated account label.
- Batch Generation: Generate secure batches of gift codes (
-
Role-Based Access Control (RBAC) & Telegram Admin Tiers (
mtproxymax admin)- Multi-Tier Authorization Governed in
admins.conf:superadmin: Unrestricted access to all 21 remote Telegram bot commands, including destructive engine restarts (/mp_restart), emergency panic lockdowns (/mp_lockdown), script self-updates (/mp_update), and bot removals (/mp_remove).reseller: Delegated operational access restricted strictly to voucher batch creation (/mp_voucher create), voucher auditing (/mp_voucher list), voucher redemption (/redeem), and user statistics queries (/mp_status,/mp_secrets). Destructive server commands are automatically blocked with security violation logging.
- Multi-Tier Authorization Governed in
-
Decoupled Self-Service Web Status Portal (
mtproxymax portal)- Zero-Dependency Static HTML Dashboard: Generates a responsive, dark-mode glassmorphism HTML interface (
index.html) stored in/opt/mtproxymax/portal/. - Automated Background JSON Metrics: During periodic engine sweeps (
sweep()), MTProxyMax automatically exports real-time server health (status.json) and anonymized user quota leaderboards (users.json). - Client Self-Service: Users can check live proxy uptime, server bandwidth consumption, active connection counts, and individual data consumption directly from any browser without exposing internal administrative interfaces or running backend scripts.
- Zero-Dependency Static HTML Dashboard: Generates a responsive, dark-mode glassmorphism HTML interface (
🛡️ Automated Hostile Threat Scanner Shield
- Proactive Shodan & Censys Threat Blocking (
mtproxymax scanner-shield)- High-Speed Kernel Memory Hash Sets: Initializes high-performance Linux kernel memory sets (
ipsettablemtproxymax-scanners) with capacity for up to 65,536 network CIDRs. - Automated Threat Feed Import: Automatically imports and blacklists well-known hostile mass scanning subnets (including Shodan, Censys, and Shadowserver probe networks such as
162.142.125.0/24,167.94.138.0/24,71.6.135.0/24). - Pre-Application Drop: Incoming packets from hostile scanner subnets are silently dropped at the Netfilter kernel boundary before reaching Docker container sockets or triggering SYN cookie thresholds, keeping your proxy invisible to Internet-wide discovery feeds.
- High-Speed Kernel Memory Hash Sets: Initializes high-performance Linux kernel memory sets (
🔬 Advanced Anti-DPI & Emergency Defenses
- Active DPI Forensics Inspector (
mtproxymax dpi-inspect)- Performs a 5-step heuristic scan evaluating SYN cookie state, TLS fingerprint parity, SNI routing reachability, conntrack replay cache depth, and MSS clamping to compute an interactive Anti-DPI Hardening Score out of 100.
- Self-Healing Cover Watchdog (
mtproxymax cover-watchdog)- Background watchdog probing primary cover domain health every 60 seconds. Automatically rotates to backup SNI pool candidates upon censorship interception or consecutive HTTP 5xx failures.
- Emergency Panic Lockdown Switch (
mtproxymax lockdown [on|off])- Instant posture hardening switch enabling kernel SYN tarpits, Ultra-Stealth conntrack replay protection, and TCP MSS clamping via CLI or remote Telegram bot command (
/mp_lockdown).
- Instant posture hardening switch enabling kernel SYN tarpits, Ultra-Stealth conntrack replay protection, and TCP MSS clamping via CLI or remote Telegram bot command (
- Multi-Port Listener Pool (
mtproxymax port-pool [add|remove|list])- Listens on multiple fallback TCP ports simultaneously (e.g., 443, 8443, 2053) via automated kernel
iptablesNAT redirection without extra container runtime overhead.
- Listens on multiple fallback TCP ports simultaneously (e.g., 443, 8443, 2053) via automated kernel
- Dynamic FakeTLS Padding & Jitter (
mtproxymax tls-pad [auto|off|rotate])- Randomizes FakeTLS certificate payload lengths dynamically (
fake_cert_len) to prevent active DPI packet sizing heuristics from identifying MTProto handshake packets.
- Randomizes FakeTLS certificate payload lengths dynamically (
- Active Probe Decoy Redirection (
mtproxymax honeypot [on|off|status])- Intercepts unauthorized active scanners and redirects unauthenticated probes to realistic decoy web endpoints.
🏎️ Bandwidth Shaping & Quota Intelligence
- Linux Kernel QoS Traffic Shaping (
mtproxymax qos [set <mbps>|off|status])- Enforces per-IP upload and download rate ceilings using Linux
tc(Traffic Control) hierarchical token buckets andiptables hashlimitrules to prevent aggressive clients from saturating server links.
- Enforces per-IP upload and download rate ceilings using Linux
- Happy Hours Quota Exclusions (
mtproxymax happy-hours [set <win>|off])- Configures unmetered schedule windows (e.g.,
02:00-08:00) where client traffic bypasses monthly quota accounting.
- Configures unmetered schedule windows (e.g.,
- Proactive Telegram Expiry Reminders (
mtproxymax notify-expiry)- Scans user accounts and dispatches automated direct Telegram reminders 7 days, 3 days, and 24 hours prior to account expiration.
- Multi-IP Subscription Anomaly Scanner (
mtproxymax leak-scan [thresh])- Inspects real-time connection logs to detect credential leaks and abnormal simultaneous IP sharing across proxy secrets.
📡 Operations, Briefings & Onboarding Suite
- Telegram Backup Push (
mtproxymax backup send-tg [file])- Compresses the server configuration and secrets database into an encrypted
.tar.gzarchive and pushes it directly as a document attachment to the superadmin Telegram bot chat.
- Compresses the server configuration and secrets database into an encrypted
- Scheduled Executive Morning Briefings (
mtproxymax daily-report [on|off|run])- Configures automated daily cron summaries sent directly to Telegram detailing 24-hour traffic volume, peak connection counts, and upcoming account expirations.
- SSH Brute-Force Intrusion Shield (
mtproxymax ssh-shield [on|off|status])- Automatically configures fail2ban rules and kernel firewall jails protecting host SSH ports against automated dictionary attack bots.
- International Network Grade Benchmarker (
mtproxymax net-grade)- Performs comprehensive TCP ping and routing stability evaluations against global transit nodes, scoring server network quality with an A+/A/B/C letter grade.
- Interactive Smart Onboarding Wizard (
mtproxymax onboard [label])- Step-by-step interactive administrative wizard guiding operators through creating accounts with custom bandwidth limits, connection caps, expiration dates, and immediate QR code outputs.
- SSL/TLS Cover Domain Inspector (
mtproxymax cert-check [domain])- Audits cover domains via OpenSSL to verify certificate issuer chains, cipher suites, and days until TLS expiration.
🌐 DevOps Clustering & Automation Suite
- Layer-4 Load Balancer Exporter (
mtproxymax export-lb [haproxy|nginx])- Generates production-ready HAProxy (
haproxy.cfg) and Nginx Stream (nginx.conf) configuration snippets configured for Layer-4 TCP proxying and PROXY Protocol v2.
- Generates production-ready HAProxy (
- Cloudflare Dynamic DNS Updater (
mtproxymax ddns [set|run|status|off])- Automatically queries Cloudflare API v4 and updates domain A records whenever public IP changes are detected.
- Point-in-Time Snapshots (
mtproxymax snapshot [create|restore]) & Forensics Bundle (mtproxymax diag-dump)- Creates self-contained
.tar.gzconfiguration backups with one-click restoration and packages comprehensive system diagnostics for auditing.
- Creates self-contained
- Instant Server Replication & Bootstrapping (
mtproxymax clone-link&bootstrap <base64>)- Generates a one-line Base64 export bundle containing server configuration parameters that can be instantly bootstrapped onto a fresh secondary node.
🚀 Performance & Self-Healing Suite
- TCP BBR & Fast Open Booster (
mtproxymax tcp-boost [on|off|status])- Activates Google's BBR congestion control algorithm and TCP Fast Open (
TFO) to drastically reduce latency over high-packet-loss networks.
- Activates Google's BBR congestion control algorithm and TCP Fast Open (
- Aggressive Mobile Socket Reaper (
mtproxymax tcp-clean [on|off|status])- Tunes kernel
fin_timeoutandkeepalive_probesto rapidly purge orphaned mobile client sockets caused by sudden cellular drops.
- Tunes kernel
- Ultra-Low Latency Socket Queue Booster (
mtproxymax socket-boost [on|off])- Expands
somaxconnand network device backlog limits to handle thousands of concurrent connection bursts without packet drops.
- Expands
- Automated Memory & Socket Self-Healer (
mtproxymax heal&auto-heal [on|off|status])- Background self-healer that automatically flushes kernel buffer caches and reaps zombie connections when RAM thresholds drop below critical limits.
- TCP Fast-Path Window Scaling & MTU Probing (
mtproxymax tcp-fastpath [on|off])- Optimizes RFC-compliant TCP window scaling (
tcp_window_scaling=1), Selective Acknowledgments (tcp_sack=1), and Path MTU discovery (tcp_mtu_probing=1).
- Optimizes RFC-compliant TCP window scaling (
- Dynamic RAM Auto-Tuning (
mtproxymax ram-tune [auto|off])- Hardware-aware scaling of TCP memory buffers (
rmem_max/wmem_max) across Small (≤1GB), Medium (1-4GB), and Large (>4GB) server tiers.
- Hardware-aware scaling of TCP memory buffers (
- **Dynamic Port Range Shadowing (`mtproxymax ...
v1.1.0 — Anti-DPI & Stealth Defenses Expansion
✨ What's New in MTProxyMax v1.1.0
This release marks a major version bump to v1.1.0, introducing powerful Anti-DPI & Stealth Defenses alongside advanced administrative and reporting suites to keep your Telegram MTProto proxy unblockable and effortless to manage.
🛡️ Anti-DPI & Stealth Defense Suite
- Kernel SYN Shield (
mtproxymax shield)- Built-in iptables/nftables rate limiter utilizing
conntrackandrecentkernel modules. Automatically tarpits aggressive active probes and port scanners (>15 SYN bursts in 5 seconds per IP) before they consume application memory.
- Built-in iptables/nftables rate limiter utilizing
- Stealth Presets (
mtproxymax stealth)- Hot-swappable anti-replay hardening modes (
normalvsultra). Ultra preset tightens the replay time window to 180s, expands the nonce cache to 131,072 entries, and drops unknown SNI probes immediately.
- Hot-swappable anti-replay hardening modes (
- TCP MSS Clamping (
mtproxymax clamp-mss)- Prevents packet fragmentation and MTU black hole drops across restrictive ISP routes via TCP FORWARD mangle rules
--clamp-mss-to-pmtu.
- Prevents packet fragmentation and MTU black hole drops across restrictive ISP routes via TCP FORWARD mangle rules
- Multi-Domain SNI Pool (
mtproxymax domain-pool)- Rotate between multiple high-reputation cover domains (
tls_domains = ["dom1.com", "dom2.com"]) within the same proxy engine instance to evade single-domain DPI throttling and SNI blacklisting.
- Rotate between multiple high-reputation cover domains (
- Auto TLS Certificate Synchronization (
sync_domain_cert_len)- Automatically connects to your configured cover domain (
tls_domain) every 24 hours via OpenSSL, measures the live DER certificate payload size, and dynamically tunesfake_cert_len. Completely prevents DPI active heuristics from fingerprinting your proxy based on mismatched or static certificate sizes.
- Automatically connects to your configured cover domain (
- Interactive Stealth Dashboard
- Dedicated ASCII menu accessible via Settings
[s]or Security[5]to monitor and toggle all stealth capabilities live.
- Dedicated ASCII menu accessible via Settings
🌟 Administrative & Reporting Additions
- Executive Digest (
mtproxymax digest): Instant ASCII executive summary board aggregating proxy health, active sockets, traffic totals, and bot status. - Datacenter Benchmark (
mtproxymax ping-dc): Live TCP handshake latency test against Telegram global datacenters DC1 through DC5 with fastest-DC detection. - Purge Disabled Secrets (
mtproxymax secret purge-disabled): Automated cleanup tool to permanently remove expired or disabled user records. - Base64 Subscription Feed (
mtproxymax secret sub): Generates standard Base64 feeds for client proxy auto-updaters. - JSON Export (
mtproxymax secret export-json): Full database export formatted as clean JSON for external scripting. - Prefix Bulk Rename (
mtproxymax secret rename-prefix): Batch rename groups of secrets sharing a common prefix.
🏁 Upgrade
mtproxymax updatePinned Engine: telemt v3.4.19 (987c53c)
v1.0.10 — Executive Digest, DC Benchmarking, Base64 Feeds & Engine v3.4.19
✨ What's New in MTProxyMax v1.0.10
This release expands MTProxyMax with 6 major administrative features across the CLI suite and interactive TUI dashboards, bumps the core engine to telemt v3.4.19, and addresses several community inquiries and investigations.
🌟 New Features & Management Tools
-
📊 Executive Digest (
mtproxymax digest)- Instant ASCII executive summary board aggregating proxy health, container uptime, active TCP socket counts, cumulative traffic counters, and Telegram Bot daemon status. Accessible via CLI or TUI Info menu
[g].
- Instant ASCII executive summary board aggregating proxy health, container uptime, active TCP socket counts, cumulative traffic counters, and Telegram Bot daemon status. Accessible via CLI or TUI Info menu
-
🌍 Datacenter Latency Benchmark (
mtproxymax ping-dc)- Live TCP handshake latency benchmark testing against Telegram's 5 global datacenters (
DC1throughDC5) with automatic fastest-DC detection. Accessible via CLI or TUI Info menu[l].
- Live TCP handshake latency benchmark testing against Telegram's 5 global datacenters (
-
🧹 Purge Disabled & Expired Secrets (
mtproxymax secret purge-disabled)- Automated database hygiene command that scans configured secrets and permanently purges user records where
enabled=falseor expiration dates have passed. Accessible via CLI or TUI Secret Management[d].
- Automated database hygiene command that scans configured secrets and permanently purges user records where
-
🔗 Base64 Subscription Feed (
mtproxymax secret sub)- Exports a standard unbroken Base64 string containing all active
tg://proxy?...links. Designed for third-party Telegram client proxy auto-updaters. Displayed automatically in the Share Links menu[3].
- Exports a standard unbroken Base64 string containing all active
-
📦 User Database JSON Export (
mtproxymax secret export-json)- Full export of configured users, secrets, quotas, connection limits, and expiry dates formatted as clean JSON for external integrations and scripting. Accessible via CLI or TUI Export menu
[i].
- Full export of configured users, secrets, quotas, connection limits, and expiry dates formatted as clean JSON for external integrations and scripting. Accessible via CLI or TUI Export menu
-
🏷️ Bulk Prefix Renaming (
mtproxymax secret rename-prefix <old> <new>)- Bulk renaming tool allowing admins to match existing secret labels by prefix and swap them out in a single pass (e.g.
test_→vip_). Upgraded TUI Rename option[9]to support single vs. bulk modes.
- Bulk renaming tool allowing admins to match existing secret labels by prefix and swap them out in a single pass (e.g.
🔧 Engine Upgrade: telemt v3.4.19 (987c53c)
Includes the latest upstream advancements from the telemt Rust proxy engine:
- Packet Overhead Reduction (
client_mss_bulk): Handshake fragmentation is preserved for DPI evasion, but Maximum Segment Size (MSS) is automatically raised for bulk data transfer. Significantly cuts packets-per-second (pps) CPU overhead and improves throughput. - Relay & Obfuscation Hardening: Advanced Relay Mode optimizations, hardened KDF-tuple derivation, updated secure padding expectations for VersionD, and shared MTProto framing.
- Config API Reliability: Resolved nested sub-table corruption issues during config save operations.
🐞 Recent Issues Addressed & Investigated
- #83 User Support & Inquiries: Addressed proxy configuration questions and client connectivity guidance.
- #86 Windows WSL2 / Docker Desktop Evaluation: Conducted an architectural feasibility review for Docker Desktop on Windows. Clarified networking constraints (WSL2 bridge forwarding vs host netns) and documented why Linux remains the required platform.
- #102 Function Modifications Audit: Investigated requested function alterations and validated script modularity.
- #103 Telegram Bot Daemon Audit: Evaluated bot polling lifecycle and confirmed background notification routines operate reliably.
🏁 Upgrade
mtproxymax updatePinned Engine: telemt v3.4.19 (987c53c)
v1.0.9 — Engine v3.4.18, TLS Stealth, ME/MR Hardening
🔧 Engine Upgrade: telemt v3.4.18
This release jumps 7 upstream versions (from v3.4.11) to incorporate major stealth and reliability improvements from the telemt engine.
🚀 Engine v3.4.18 — Stealth, Hardening, and Rate Limits
-
TLS Stealth & Realism:
- ServerHello now dynamically selects a TLS 1.3 cipher suite actually offered by the ClientHello
- Preserves safe profiled extension order to better mimic real web servers
- ALPN is no longer exposed as a stable plaintext marker inside fake ApplicationData payloads
- Single-record TLS-F primary application flight restored
-
Hardened Middle-End/Middle-Relay:
- Bounded ME writer queue waits under backpressure to prevent indefinite stalls
- Prioritized cancellation in async paths
- Reused ME reader scratch buffers across read-loop iterations
- Atomic claims for MR pressure-eviction budget to avoid racing sessions
-
API & Rate Limiting:
- User rate limits are now exposed through the API
- New
GET /v1/stats/users/quotaendpoint (moved from/v1/users/quota) - Proper
405 Method Not Allowedresponses withAllowheader for known routes - Hyphenated aliases added for runtime endpoints
- Quota resets now validate config revision
-
Performance & Fixes:
- SYN limiter lifecycle and default burst fixed
- Startup speed-up, IDN support, and exclusive mask mode
disable_colorsfix: now suppresses ANSI in MAESTRO output too- Docker: writable
/etc/telemt/config mount and/run/telemttmpfs cache
🏁 Upgrade
mtproxymax updateThe new engine image (ghcr.io/samnet-dev/mtproxymax-telemt:3.4.18-9dc6772) will be pulled automatically on update.
🐛 Engine Version
Pinned: telemt v3.4.18 (9dc6772)
v1.0.8 — Engine v3.4.11, Security Hardening, Telegram Customization
🔧 Engine Upgrade + Telegram Customization
This release upgrades the telemt engine from v3.4.8 → v3.4.11 (3 upstream releases) and adds post-install Telegram notification customization requested in #77.
🚀 Engine v3.4.11 — Security Hardening & Performance
Three upstream releases worth of improvements, all drop-in compatible:
🔒 Security
- Constant-time API authorization — prevents timing attacks on auth headers
- PROXY protocol pre-validation — reject untrusted sources before reading the header
- Bounded API/metrics connections — HTTP connection timeouts prevent resource exhaustion
- Per-user source IP/CIDR deny lists — new
access.user_source_denyconfig key
🔐 TLS
- Full certificate budget bookkeeping — tracks TLS cert resource usage per shard
- Fixed domain-aware masking fallback — extra
tls_domainsnow properly preserve matching SNI domain - TLS front profile health metrics — configured, emitted, suppressed, default, raw, merged states
- Multi-domain TLS fetcher — works across multiple
tls_domainsentries tls_domainsvalidation — rejects invalid entries at config time
📊 Quota & Rate Limiting
- Persistent per-user quota state —
quota_state_pathsaves quota consumption across restarts - Runtime quota reset endpoint —
POST /v1/users/{user}/reset-quota - Bounded quota contention — cancellation paths and contention metrics
⚡ Performance & Reliability
- IP tracker cleanup pressure reduction — less work on hot paths
- ME admission event-driven wakeup — faster connection acceptance
- Bounded ME child task join — timeout + abort accounting for relay cleanup
- Hot-path cleanup — moved stats/cleanup work away from latency-sensitive paths
- TimeWindow IP limiting fix — only new IPs counted when TimeWindow mode enabled
- WorkingDirectory behavior fix
📈 Observability
- Class-based rejected connection and handshake failure metrics
- Quota contention/cancellation/flow-wait metrics
- ME child task abort/timeout metrics
- Updated Grafana dashboard for new metric surface
📦 Dependencies
rustls-webpki0.103.12 → 0.103.13
🤖 Telegram Notification Customization (#77)
Previously, report interval, server label, and alert preferences could only be set during the initial setup wizard. Now they're fully configurable post-install:
CLI:
mtproxymax telegram interval 12 # Change report interval (1–168 hours)
mtproxymax telegram label "My VPS" # Change server label in notifications
mtproxymax telegram alerts on # Toggle down/recovery alerts (on|off)
# Show current values:
mtproxymax telegram interval # → Report interval: every 6h
mtproxymax telegram status # → shows interval, alerts, and labelTUI — Telegram Bot menu:
| Option | Description |
|---|---|
[5] Toggle alerts |
Now shows current state: (true) / (false) |
[7] Change report interval |
Prompts with current value, validates 1-168h |
[8] Change server label |
Prompts with current value, validates format |
🏁 Upgrade
mtproxymax updateThe new engine image (ghcr.io/samnet-dev/mtproxymax-telemt:3.4.11-3bd5637) is pulled automatically on update. No manual steps needed.
🐛 Engine Version
Pinned: telemt v3.4.11 (3bd5637)
v1.0.7 — Tags, Templates, Migration, Tuning, Verify & 16 more features
🎉 Massive Release — 20+ New Features
This release triples the script's surface area. Grouped by category below.
🏷️ Secret Organization
secret tag/untag/tags— Group users with comma-separated tagssecret list --tag <tag>— Filter secret list by tagsecret logs <label>— Per-user activity log filtersecret info <label>— Single-command full view (limits, live metrics, link, QR) — already in v1.0.6secret list --csv— CSV output for spreadsheets / reporting- Secret templates — Reusable limit sets:
template save/list/apply/delete,secret add --template <name>
🔄 Lifecycle Management
secret rotate --all— Bulk rotate every secret (with--dry-runpreview)secret quota-reset <label> <day>— Monthly quota reset on day N (handles short months)secret extend <label> <days>— Extend single secret expiry (v1.0.6)secret bulk-extend <days>— Extend ALL expiries at once (v1.0.6)secret archive/unarchive— Soft-delete with restoration (v1.0.6)auto-rotate [N]— Global policy to auto-rotate secrets older than N dayssecret remove --dry-run— Preview destructive operations
🚨 Operations
maintenance on/off/status— Reject new connections with RST while keeping existing alive (graceful pre-restart)ban/unban/bans— iptables-based IP banlist (survives reboots viabans_reapplyon start)verify— End-to-end install check: port, TLS handshake, metrics, Telegram API, domain reachabilityspeedtest— Outbound bandwidth/latency from server to Cachefly, Hetzner, Telegram APIhistory [lines]— Audit log of config changes (secret add/remove/rotate, domain changes)info— Comprehensive server overview: OS, IPv4/IPv6, users, services, security posture
💾 Backup & Migration
migrate export/import— Tarball-based server migration (all settings, secrets, upstreams, tags, bans, archives, profiles)backup --encrypt— AES-256 + PBKDF2 encrypted backups with password promptbackup restore-encrypted <file>— Restore from encrypted backupbackup autoclean [days]— Auto-delete old backups (configurable viaBACKUP_RETENTION_DAYS)
⚙️ Expert Configuration
tune list/get/set/clear— Whitelisted engine parameter tuning (fake_cert_len,mask_relay_timeout_ms, timeouts, log_level, etc.). Post-processes config.toml via sed — no TOML duplicate-key issues.sweep— Internal periodic maintenance command (quota resets, auto-rotate, backup cleanup). Invoked from bot loop every 5 min.
🛠 Polish
completion— Emit bash tab-completion script:sudo mtproxymax completion > /etc/bash_completion.d/mtproxymaxchangelog— Fetch GitHub release notes since installed version
🖥 TUI Coverage
Every feature above is also exposed in the TUI:
| Feature | TUI Location |
|---|---|
| Tags | Secrets > [y] |
| Monthly quota reset | Secrets > [q] |
| Rotate ALL | Secrets > [r] |
| Templates | Secrets > [k] |
| Per-user logs | Secrets > [l] |
| Info | Info > [i] |
| Changelog | Info > [n] |
| Verify | Info > [v] |
| Speedtest | Info > [s] |
| History | Info > [h] |
| Maintenance | Proxy > [m] |
| IP Banlist | Security > [4] |
| Migrate / Encrypted backups | About > [5]-[9] |
| Auto-rotate | Settings > [a] |
| Engine tuning | Settings > [n] |
🔒 Security & Safety
- Encrypted backups — password passed via env var to openssl (hidden from
ps aux) - Audit log — every config change tracked with timestamp + user
check_rootgating — destructive CLI commands require root- Read-only preview —
--dry-runflag onsecret removeandsecret rotate --all - TTY-safe — non-interactive flows auto-confirm destructive bulk ops (for CI/SSH scripts)
🏁 Upgrade
mtproxymax updateAfter update, run mtproxymax verify to confirm your install is healthy, then mtproxymax info for a comprehensive overview.
🐛 Engine Versions
Current pinned: telemt v3.4.6 (8874396). Upgrade path from earlier versions happens automatically.
v1.0.6 — Profiles, Archive, Search, Port Check & More
New Commands
Secret Management:
secret info <label>— Full detail view: status, limits, live connections/traffic, proxy link, QR codesecret search <query>— Find secrets by partial label or note content (case-insensitive)secret archive <label>/secret unarchive <label>— Soft-delete secrets to archive, restore later.secret archivesto listsecret top [traffic|conns] [N]— Top N users by traffic or connectionssecret generate-links [txt|html]— Bulk export all proxy links to file. HTML version includes QR codes
Server Management:
config— Display the current engine config.tomluptime— One-line scriptable status output (e.g.2d 4h | 14 conns | ↓1.2GB ↑340MB)notify <message>— Send a custom message through the Telegram botport-check— Test if the proxy port is listening locally and reachable from outsidemask-backend [host:port]— Show or set the mask backend for non-proxy traffic (CLI + TUI)profile save|load|list|delete <name>— Save and restore named config snapshots (settings + secrets + upstreams)
TUI
All new features available in TUI menus:
- Secrets menu: info [f], search [/], top [p], generate-links [g], archive [a]
- Settings: view config [v], port check [k], profiles [r], mask backend [m]
- Telegram Bot: send custom notification [6]
Bug Fixes
- Fix domain change exits in non-TTY —
readreturning EOF underset -ekilled the script before restarting (#64) - Fix empty label in non-TTY
secret add/remove— rewrote arg parsing to avoid array indexing edge case (#66) - Bind metrics to 127.0.0.1 —
metrics_listeninstead ofmetrics_portprevents external access (#65) - Fix upstream table alignment — ANSI codes no longer break column padding (#67)
- Fix false "Update available" badge — stored SHA now synced after confirming up-to-date (#68)
- Fix invisible "Enter choice" prompt — removed DIM color that some terminals hide (#69)
- Fix bot uptime always 0m — uses Prometheus
telemt_uptime_secondsinstead of Docker inspect date parsing (#70) - Telegram bot optimization — long-polling for instant response, single awk pass for metrics, process substitution eliminates temp files (#62)
Upgrade: mtproxymax update
v1.0.5 — Clone, Bulk-Extend, Doctor, Stats & More
New Commands
secret clone <src> <new>— Duplicate a secret with all its limits (new key generated)secret bulk-extend <days>— Extend all secrets' expiry dates at once, re-enables expired onessecret extend <label> <days>— Extend a single secret's expirysecret rename <old> <new>— Rename a secret's labelsecret export— Export all secrets + limits to CSV (stdout or file)secret import <file>— Import secrets from CSV, skips duplicatessecret disable-expired— Scan and disable all expired secretssecret stats— Compact per-user overview: connections, IPs, traffic, quota %, expirysecret sort [traffic|conns|date|name]— Reorder the secrets listconnections— Live active connections per user with traffic breakdowndoctor— Comprehensive diagnostics: Docker, engine, port, metrics, domain TLS, secrets, disk, config, Telegram bot
Improvements
- Auto-rotate secrets on domain change — CLI and TUI now prompt to rotate all secrets when the domain changes, preventing stale proxy links
- QR code on secret add — Inline QR code shown after creating a secret (if
qrencodeinstalled) - Startup warnings —
mtproxymax startwarns about expired and near-expiry secrets - Connection limit warning — Setting
connsbelow 5 warns that Telegram uses ~3 TCP connections per device - Memory unit clarification — Prompts now show
e.g. 256m, 1gto prevent confusion
Engine
- Upgraded to telemt v3.3.39 — TLS fronting fix (improved fake-TLS compatibility), memory hard-bounds, bounded retries, conntrack control, ME2DC fast init, new relay methods
Bug Fixes
- Fix Docker install on Fedora 41+ — Use Fedora repo URL + support
dnf5 --addrepo(#61) - Fix Telegram bot —
grep: invalid optionon chat ID auto-detect, Markdown escaping breaking test messages (#58) - Fix
list backupscrash —lsexit code with no backups killed script underset -e(#57) - Fix masking toggle —
ddprefix when masking is off,securemode enabled for non-TLS connections (#58) - Fix hot-reload —
cpinstead ofmvto preserve Docker bind-mount inode (#31) - Show Docker error on start failure — No longer swallows
docker runerror output (#60)
TUI
All new features available in TUI menus:
- Secrets menu: rename [9], clone [c], extend [x], bulk-extend [e], disable-expired [d], stats [s], sort [t], export/import [i]
- Logs & Traffic: active connections [5]
- Info & Help: doctor [d]
Upgrade: mtproxymax update