v2.2.7

This release is mostly about 2 things:

1. Improve compatibility with ByeDPI
2. Change priorities so you do not need to disable auto-update anymore

Yes, I know and I see what happens with Telegram in Russia right now. Gonna do my best.

What's Changed

• fix: stabilize flaky CI tests by @dolonet in #426
• Change IP address set priority by @9seconds in #428
• More idiomatic Golang by @9seconds in #430
• Support fragmented TLS handshake records by @appolimp in #431
• Refactor TLS fragmenting by @9seconds in #433

New Contributors

• @appolimp made their first contribution in #431

Full Changelog: v2.2.6...v2.2.7

v2.2.6

This is a followup release to adress abnormal connections aborts if idle timeout is exceeded

What's Changed

• fix: use shared idle tracker for relay connections by @dolonet in #424

Full Changelog: v2.2.5...v2.2.6

v2.2.5

This release was mostly driven by great contribution made by @dolonet (please check his mtg fork if you are looking for multi-secret proxy). There are couple of fixes and some work towards decreasing memory requirements of the proxy (it was slim, now it is even more fit) + there is a more intelligent calculation of TLS certificate chain size based on real upstream data.

What's Changed

• Fix build with profiling by @9seconds in #401
• Update PGO by @9seconds in #402
• Update stale codeql configuration by @9seconds in #404
• Add dynamic cert noise calibration for FakeTLS handshake by @dolonet in #409
• Reduce per-connection memory overhead by @dolonet in #414
• fix: apply idle timeout to domain fronting relay by @dolonet in #416
• fix: prevent index out of range panic on 32-bit platforms by @dolonet in #415
• Add public-ipv4/public-ipv6 config options by @dolonet in #418
• Remove clock goroutine by @9seconds in #419
• fix: apply idle timeout to Telegram relay by @dolonet in #420
• Decrease a relay buffer size for MIPS devices by @9seconds in #421
• Build release artifacts in CI by @9seconds in #422

New Contributors

• @dolonet made their first contribution in #409

Full Changelog: v2.2.4...v2.2.5

v2.2.4

This release adds a new CLI command mtg doctor that helps understanding about possible problems with your current installations:

$ mtg doctor /path/to/my/config.toml
Deprecated options
  ✅ All good
Time skewness
  ✅ Time drift is -607.048µs, but tolerate-time-skewness is 5s
Validate native network connectivity
  ✅ DC 1
  ✅ DC 2
  ✅ DC 3
  ✅ DC 4
  ✅ DC 5
  ✅ DC 203
Validate network connectivity with proxy socks5://127.0.0.1:1080
  ✅ DC 1
  ✅ DC 2
  ✅ DC 3
  ✅ DC 4
  ✅ DC 5
  ✅ DC 203
Validate fronting domain connectivity
  ✅ xx.xx.xx.xx:yyy is reachable
Validate SNI-DNS match
  ✅ IP address xx.xx.xx.xx matches secret hostname <REDACTED>

What's Changed

• Add Config.GetConcurrency with default fallback by @roman901 in #395
• mtg doctor CLI command by @9seconds in #397
• Allow using directory bind mounts for a docker container by @9seconds in #398

New Contributors

• @roman901 made their first contribution in #395

Full Changelog: v2.2.3...v2.2.4

v2.2.3

Mostly technical release, followup of the previous one.

Added profile guided optimizations and plethora of new architectures. You want to try AMD64v3 (this is probably work now everywhere, including VPSes) and ARMv9.

Also, now there is official support of Windows.

What's Changed

• Add PGO by @9seconds in #385
• Document a necessety of increasing limits for systemd unit by @9seconds in #388
• Add more architectures for mtg by @9seconds in #386

Full Changelog: v2.2.2...v2.2.3

v2.2.2

This release brings no new features but decreases a CPU usage + trims down a memory usage.

What's Changed

• Show ip of telegram endpoints in event stream by @9seconds in #379
• Optimize waiting time for TLS chunker by @9seconds in #382
• Avoid double buffering in TLS hot path by @9seconds in #383

Full Changelog: v2.2.1...v2.2.2

v2.2.1

Mostly bug fix release with a very important fix related to socks5 interface.

Important note: if you have a problem with static loading, please disable auto-update setting. It seems that addresses provided by Telegram API are not very stable, so it worth to fallback to core IPs now.

What's Changed

• Fix preferIPOnlyIPv6 by @Maks-2012 in #366
• fix: ensure network.Dial and MakeHTTPClient use socks5 proxy by @saleacy in #367
• Fix flaky test by @9seconds in #368

New Contributors

• @Maks-2012 made their first contribution in #366
• @saleacy made their first contribution in #367

Full Changelog: v2.2.0...v2.2.1

v2.2.0

This version introduces a first major feature for the last couple of years. It is called doppelganger because I could not find a better name. This is logical continuation of cloaking (domain fronting, you name it).

Websites and applications are different. They communicate differently, and their patterns are different. Websites burst with short amount of traffic, and this can have long tails of sizes. Applications that are pumping JSON are usually sending very small packages.
This is reflected in TLS packet delays and TLS packet sizes.

Since 2.2.0 mtg introduces some artificial delays in sending of TLS packets back to client, and it tries very hard to look like a real website from statistical point of view.

Of course we cannot mimic it completely because Telegram still communicates like RPC but mtg tries to do its best in hiding this fact. It restructures TLS packets, it delays TLS packets.

Speaking on sizes of TLS packets, it supports 2 modes now: classic and DRS. Most of TLS libraries and implementation aims to always choose max size of TLS packet as possible but there are a couple of implementations that increase this size gradually aiming to get a fastest time-to-first-byte. Most notably, Go crypto/tls does that, and thus other projects like Caddy. So, if you have any insight about implementation, you can enable that setting.

This is how it could be set up:

[defense.doppelganger]
# mtg comes with very good defaults but if you want to be as specific as possible,
# please set a couple of URL from a domain in disguise. No need to drop many, but it makes sense
# use different ones. One image, one page, one static file is already good set.
#
# mtg will start to crawl them periodically and statistically mimic their TLS delays
urls = [
  "https://lalala"
]
# this is that Dynamic Record Sizing option
drs = false

Please see all settings in example config file. Also please read attached BEST_PRACTICES.md, it comes now with any archive.

If you are not sure, do not set anything. mtg has good enough defaults. As usual, if something does not work, try other projects like telemt. It does not matter what you use as long as you keep connected.

И дай нам сил пережить всю эту хероту.

What's Changed

• Include example config into distribution bundle by @9seconds in #348
• Doppleganger by @9seconds in #352
• Use native dialer to communicate with fronting domain by @9seconds in #353
• Use native dialer for scout by @9seconds in #355
• Speed up Github actions by @9seconds in #356
• Access command should use native dialer instead of network one by @9seconds in #357
• Make DRS optional by @9seconds in #358
• Fix android ping by @9seconds in #359
• Have a noise of variable size by @9seconds in #360
• Add docs about doppelganger by @9seconds in #361
• Decrease relay buffer size by @9seconds in #363
• Add document about best practices by @9seconds in #365

Full Changelog: v2.1.13...v2.2.0

v2.1.13

This release addresses long-running confusion related to DNS-over-HTTP mandatory option. Now it is fixed. Unfortunately, old network.doh-ip option is deprecated now, please use new network.dns.

This is doh-ip you should move from

# DEPRECATED option:
#  If dns option is specified, it will be used instead. No default is defined
#  anymore. But if you set this option, this is literally the same providing
#  https:// URL to `dns`.
#
#  In other words:
#
#    doh-ip = "1.1.1.1"
#
# is literally the same as
#
#    dns = "https://1.1.1.1"
# doh-ip = "1.1.1.1"

# Starting from mtg v2.1.12 we have changed a configuration for DNS. Now it
# supports DNS-over-HTTPS, DNS-over-TLS, custom UDP resolver and system
# resolver.
#
# Here is how to define DNS-over-HTTPS:
#  - https://1.1.1.1
#  - https://1.1.1.1/dns-query
#  - https://cloudflare-dns.com/dns-query
#  - https://cloudflare-dns.com
#
# Here is how to define DNS-over-TLS:
#  - tls://1.1.1.1
#  - tls://cloudflare-dns.com
#
# Here is how to define a custom UDP resolver (we support only IPs here)
#  - 1.1.1.1
#  - udp://1.1.1.1
#
# If you set it to empty string, default resolver will be used.
# But please comment out doh-ip
dns = "https://1.1.1.1"

So, in general you can use 4 different options for DNS setting:

1. Default resolver.

In that case just set dns to empty string:

[network]
dns = ""

so mtg will use local stub resolver for getting DNS records.

2. DNS-over-HTTPS

Just have https:// prefix:

[network]
dns = "https://1.1.1.1"

This will mean that mtg will use https://1.1.1.1/dns-query URL to resolve DNS. If path is different, just specify a full URL:

[network]
dns = "https://1.1.1.1/my-path"

3. DNS-over-TLS

Just use tls:// prefix:

[network]
dns = "tls://dns.google"

4. Classic UDP DNS

Either provide IP address or optionally prefix it with udp://

[network]
dns = "8.8.8.8"

and

[network]
dns = "udp://8.8.8.8"

are both equivalent way of setting that.

Please be aware that if you have to setup DNS, it means that there are some restrictions implied. It could be a good idea to have socks5 upstream connectivity in that case.

What's Changed

• Simplify network implementation by @9seconds in #346

Full Changelog: v2.1.12...v2.1.13

v2.1.12

This is hotfix release that aims to address the issue with a proxy that cannot access Telegram HTTP endpoints to get lists of updates DCs. It should help running it in restricted environment.

By default autoupdate now is disabled. You can explicitly enable it in config:

# If this setting is set, then mtg will try to get proxy updates from Telegram
# Usually this is completely fine to have it disabled, because mtg has a list
# of some core proxies hardcoded.
auto-update = false

What's Changed

• Do not panic if no addresses were found by @9seconds in #345
• Make auto updating optional by @9seconds in #344

Full Changelog: v2.1.11...v2.1.12