diff --git a/README.md b/README.md
index 5cfc277..6327233 100644
--- a/README.md
+++ b/README.md
@@ -2,189 +2,60 @@
***Löst Probleme, bevor andere überhaupt wissen, dass sie existieren*** / ***It solves problems before others even realize they exist***
-### [**Telemt Chat in Telegram**](https://t.me/telemtrs)
-#### Fixed TLS ClientHello is now available in Telegram Desktop starting from version 6.7.2: to work with EE-MTProxy, please update your client;
-#### Fixed TLS ClientHello for Telegram Android Client is available in [our chat](https://t.me/telemtrs/30234/36441); official releases for Android and iOS are "work in progress";
+> [!NOTE]
+>
+> Fixed TLS ClientHello is now available in **Telegram Desktop** starting from version **6.7.2**: to work with EE-MTProxy, please update your client;
+>
+> Fixed TLS ClientHello for Telegram Android Client is available in [our chat](https://t.me/telemtrs/30234/36441); **official releases for Android and iOS are "work in progress"**;
+
+
+
+
+
**Telemt** is a fast, secure, and feature-rich server written in Rust: it fully implements the official Telegram proxy algo and adds many production-ready improvements such as:
-- [ME Pool + Reader/Writer + Registry + Refill + Adaptive Floor + Trio-State + Generation Lifecycle](https://github.com/telemt/telemt/blob/main/docs/model/MODEL.en.md)
-- [Full-covered API w/ management](https://github.com/telemt/telemt/blob/main/docs/API.md)
-- Anti-Replay on Sliding Window
-- Prometheus-format Metrics
-- TLS-Fronting and TCP-Splicing for masking from "prying" eyes
+- [ME Pool + Reader/Writer + Registry + Refill + Adaptive Floor + Trio-State + Generation Lifecycle](https://github.com/telemt/telemt/blob/main/docs/model/MODEL.en.md);
+- [Full-covered API w/ management](https://github.com/telemt/telemt/blob/main/docs/API.md);
+- Anti-Replay on Sliding Window;
+- Prometheus-format Metrics;
+- TLS-Fronting and TCP-Splicing for masking from "prying" eyes.
+
+
⚓ Our implementation of **TLS-fronting** is one of the most deeply debugged, focused, advanced and *almost* **"behaviorally consistent to real"**: we are confident we have it right - [see evidence on our validation and traces](#recognizability-for-dpi-and-crawler)
⚓ Our ***Middle-End Pool*** is fastest by design in standard scenarios, compared to other implementations of connecting to the Middle-End Proxy: non dramatically, but usual
- Full support for all official MTProto proxy modes:
- - Classic
- - Secure - with `dd` prefix
- - Fake TLS - with `ee` prefix + SNI fronting
-- Replay attack protection
-- Optional traffic masking: forward unrecognized connections to a real web server, e.g. GitHub 🤪
-- Configurable keepalives + timeouts + IPv6 and "Fast Mode"
-- Graceful shutdown on Ctrl+C
-- Extensive logging via `trace` and `debug` with `RUST_LOG` method
+ - Classic;
+ - Secure - with `dd` prefix;
+ - Fake TLS - with `ee` prefix + SNI fronting;
+- Replay attack protection;
+- Optional traffic masking: forward unrecognized connections to a real web server, e.g. GitHub 🤪;
+- Configurable keepalives + timeouts + IPv6 and "Fast Mode";
+- Graceful shutdown on Ctrl+C;
+- Extensive logging via `trace` and `debug` with `RUST_LOG` method.
# GOTO
-- [Quick Start Guide](#quick-start-guide)
- [FAQ](#faq)
- - [Recognizability for DPI and crawler](#recognizability-for-dpi-and-crawler)
- - [Client WITH secret-key accesses the MTProxy resource:](#client-with-secret-key-accesses-the-mtproxy-resource)
- - [Client WITHOUT secret-key gets transparent access to the specified resource:](#client-without-secret-key-gets-transparent-access-to-the-specified-resource)
- - [Telegram Calls via MTProxy](#telegram-calls-via-mtproxy)
- - [How does DPI see MTProxy TLS?](#how-does-dpi-see-mtproxy-tls)
- - [Whitelist on IP](#whitelist-on-ip)
- - [Too many open files](#too-many-open-files)
+- [Architecture](docs/Architecture)
+- [Quick Start Guide](#quick-start-guide)
+- [Config parameters](docs/Config_params)
- [Build](#build)
- [Why Rust?](#why-rust)
- [Issues](#issues)
- [Roadmap](#roadmap)
-
## Quick Start Guide
-- [Quick Start Guide RU](docs/QUICK_START_GUIDE.ru.md)
-- [Quick Start Guide EN](docs/QUICK_START_GUIDE.en.md)
+- [Quick Start Guide RU](docs/Quick_start/QUICK_START_GUIDE.ru.md)
+- [Quick Start Guide EN](docs/Quick_start/QUICK_START_GUIDE.en.md)
## FAQ
- [FAQ RU](docs/FAQ.ru.md)
- [FAQ EN](docs/FAQ.en.md)
-### Recognizability for DPI and crawler
-
-On April 1, 2026, we became aware of a method for detecting MTProxy Fake-TLS,
-based on the ECH extension and the ordering of cipher suites,
-as well as an overall unique JA3/JA4 fingerprint
-that does not occur in modern browsers:
-we have already submitted initial changes to the Telegram Desktop developers and are working on updates for other clients.
-
-- We consider this a breakthrough aspect, which has no stable analogues today
-- Based on this: if `telemt` configured correctly, **TLS mode is completely identical to real-life handshake + communication** with a specified host
-- Here is our evidence:
- - 212.220.88.77 - "dummy" host, running `telemt`
- - `petrovich.ru` - `tls` + `masking` host, in HEX: `706574726f766963682e7275`
- - **No MITM + No Fake Certificates/Crypto** = pure transparent *TCP Splice* to "best" upstream: MTProxy or tls/mask-host:
- - DPI see legitimate HTTPS to `tls_host`, including *valid chain-of-trust* and entropy
- - Crawlers completely satisfied receiving responses from `mask_host`
- #### Client WITH secret-key accesses the MTProxy resource:
-
-
-
- #### Client WITHOUT secret-key gets transparent access to the specified resource:
- - with trusted certificate
- - with original handshake
- - with full request-response way
- - with low-latency overhead
-```bash
-root@debian:~/telemt# curl -v -I --resolve petrovich.ru:443:212.220.88.77 https://petrovich.ru/
-* Added petrovich.ru:443:212.220.88.77 to DNS cache
-* Hostname petrovich.ru was found in DNS cache
-* Trying 212.220.88.77:443...
-* Connected to petrovich.ru (212.220.88.77) port 443 (#0)
-* ALPN: offers h2,http/1.1
-* TLSv1.3 (OUT), TLS handshake, Client hello (1):
-* CAfile: /etc/ssl/certs/ca-certificates.crt
-* CApath: /etc/ssl/certs
-* TLSv1.3 (IN), TLS handshake, Server hello (2):
-* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
-* TLSv1.3 (IN), TLS handshake, Certificate (11):
-* TLSv1.3 (IN), TLS handshake, CERT verify (15):
-* TLSv1.3 (IN), TLS handshake, Finished (20):
-* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
-* TLSv1.3 (OUT), TLS handshake, Finished (20):
-* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
-* ALPN: server did not agree on a protocol. Uses default.
-* Server certificate:
-* subject: C=RU; ST=Saint Petersburg; L=Saint Petersburg; O=STD Petrovich; CN=*.petrovich.ru
-* start date: Jan 28 11:21:01 2025 GMT
-* expire date: Mar 1 11:21:00 2026 GMT
-* subjectAltName: host "petrovich.ru" matched cert's "petrovich.ru"
-* issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign RSA OV SSL CA 2018
-* SSL certificate verify ok.
-* using HTTP/1.x
-> HEAD / HTTP/1.1
-> Host: petrovich.ru
-> User-Agent: curl/7.88.1
-> Accept: */*
->
-* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
-* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
-* old SSL session ID is stale, removing
-< HTTP/1.1 200 OK
-HTTP/1.1 200 OK
-< Server: Variti/0.9.3a
-Server: Variti/0.9.3a
-< Date: Thu, 01 Jan 2026 00:0000 GMT
-Date: Thu, 01 Jan 2026 00:0000 GMT
-< Access-Control-Allow-Origin: *
-Access-Control-Allow-Origin: *
-< Content-Type: text/html
-Content-Type: text/html
-< Cache-Control: no-store
-Cache-Control: no-store
-< Expires: Thu, 01 Jan 2026 00:0000 GMT
-Expires: Thu, 01 Jan 2026 00:0000 GMT
-< Pragma: no-cache
-Pragma: no-cache
-< Set-Cookie: ipp_uid=XXXXX/XXXXX/XXXXX==; Expires=Tue, 31 Dec 2040 23:59:59 GMT; Domain=.petrovich.ru; Path=/
-Set-Cookie: ipp_uid=XXXXX/XXXXX/XXXXX==; Expires=Tue, 31 Dec 2040 23:59:59 GMT; Domain=.petrovich.ru; Path=/
-< Content-Type: text/html
-Content-Type: text/html
-< Content-Length: 31253
-Content-Length: 31253
-< Connection: keep-alive
-Connection: keep-alive
-< Keep-Alive: timeout=60
-Keep-Alive: timeout=60
-
-<
-* Connection #0 to host petrovich.ru left intact
-
-```
-- We challenged ourselves, we kept trying and we didn't only *beat the air*: now, we have something to show you
- - Do not just take our word for it? - This is great and we respect that: you can build your own `telemt` or download a build and check it right now
-### Telegram Calls via MTProxy
-- Telegram architecture **does NOT allow calls via MTProxy**, but only via SOCKS5, which cannot be obfuscated
-### How does DPI see MTProxy TLS?
-- DPI sees MTProxy in Fake TLS (ee) mode as TLS 1.3
-- the SNI you specify sends both the client and the server;
-- ALPN is similar to HTTP 1.1/2;
-- high entropy, which is normal for AES-encrypted traffic;
-### Whitelist on IP
-- MTProxy cannot work when there is:
- - no IP connectivity to the target host: Russian Whitelist on Mobile Networks - "Белый список"
- - OR all TCP traffic is blocked
- - OR high entropy/encrypted traffic is blocked: content filters at universities and critical infrastructure
- - OR all TLS traffic is blocked
- - OR specified port is blocked: use 443 to make it "like real"
- - OR provided SNI is blocked: use "officially approved"/innocuous name
-- like most protocols on the Internet;
-- these situations are observed:
- - in China behind the Great Firewall
- - in Russia on mobile networks, less in wired networks
- - in Iran during "activity"
-### Too many open files
-- On a fresh Linux install the default open file limit is low; under load `telemt` may fail with `Accept error: Too many open files`
-- **Systemd**: add `LimitNOFILE=65536` to the `[Service]` section (already included in the example above)
-- **Docker**: add `--ulimit nofile=65536:65536` to your `docker run` command, or in `docker-compose.yml`:
-```yaml
-ulimits:
- nofile:
- soft: 65536
- hard: 65536
-```
-- **System-wide** (optional): add to `/etc/security/limits.conf`:
-```
-* soft nofile 1048576
-* hard nofile 1048576
-root soft nofile 1048576
-root hard nofile 1048576
-```
-
-
## Build
```bash
# Cloning repo
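Review bot: The two feature-list links re-added in the `+` lines still point at `docs/model/MODEL.en.md` and `docs/API.md` on `main`, but this same patch renames those files to `docs/Architecture/Model/MODEL.en.md` and `docs/Architecture/API/API.md`, so both links break once the change lands; update the URLs here. The unchanged TLS-fronting paragraph also still links to `#recognizability-for-dpi-and-crawler`, an anchor this hunk deletes from README.md; point it at the section's new location in `docs/FAQ.en.md`. The new GOTO entries `docs/Architecture` and `docs/Config_params` link to directories rather than documents, so consider linking a specific file such as `docs/Config_params/CONFIG_PARAMS.en.md`.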
@@ -207,7 +78,7 @@ telemt config.toml
```
### OpenBSD
-- Build and service setup guide: [OpenBSD Guide (EN)](docs/OPENBSD.en.md)
+- Build and service setup guide: [OpenBSD Guide (EN)](docs/Quick_start/OPENBSD_QUICK_START_GUIDE.en.md)
- Example rc.d script: [contrib/openbsd/telemt.rcd](contrib/openbsd/telemt.rcd)
- Status: OpenBSD sandbox hardening with `pledge(2)` and `unveil(2)` is not implemented yet.
diff --git a/README.ru.md b/README.ru.md
new file mode 100644
index 0000000..f5b0f9a
--- /dev/null
+++ b/README.ru.md
@@ -0,0 +1,123 @@
+# Telemt — MTProxy на Rust + Tokio
+
+***Решает проблемы раньше, чем другие узнают об их существовании***
+
+> [!Примечание]
+>
+> Исправленный TLS ClientHello доступен в **Telegram Desktop** начиная с версии **6.7.2**: для работы с EE-MTProxy обновите клиент.
+>
+> Исправленный TLS ClientHello для Telegram Android доступен в нашем чате; **официальные релизы для Android и iOS находятся в процессе разработки**.
+
+
+
+
+
+
+
+**Telemt** — это быстрый, безопасный и функциональный сервер, написанный на Rust. Он полностью реализует официальный алгоритм прокси Telegram и добавляет множество улучшений для продакшена:
+
+- [ME Pool + Reader/Writer + Registry + Refill + Adaptive Floor + Trio-State + жизненный цикл генераций](https://github.com/telemt/telemt/blob/main/docs/model/MODEL.en.md);
+- [Полноценный API с управлением](https://github.com/telemt/telemt/blob/main/docs/API.md);
+- Защита от повторных атак (Anti-Replay on Sliding Window);
+- Метрики в формате Prometheus;
+- TLS-fronting и TCP-splicing для маскировки от DPI.
+
+
+
+## Особенности
+
+⚓ Реализация **TLS-fronting** максимально приближена к поведению реального HTTPS-трафика.
+
+⚓ ***Middle-End Pool*** оптимизирован для высокой производительности.
+
+- Поддержка всех режимов MTProto proxy:
+ - Classic;
+ - Secure (префикс `dd`);
+ - Fake TLS (префикс `ee` + SNI fronting);
+- Защита от replay-атак;
+- Маскировка трафика (перенаправление неизвестных подключений на реальные сайты);
+- Настраиваемые keepalive, таймауты, IPv6 и «быстрый режим»;
+- Корректное завершение работы (Ctrl+C);
+- Подробное логирование через `trace` и `debug`.
+
+# Навигация
+- [FAQ](#faq)
+- [Архитектура](docs/Architecture)
+- [Быстрый старт](#quick-start-guide)
+- [Параметры конфигурационного файла](docs/Config_params)
+- [Сборка](#build)
+- [Почему Rust?](#why-rust)
+- [Известные проблемы](#issues)
+- [Планы](#roadmap)
+
+## Быстрый старт
+- [Quick Start Guide RU](docs/Quick_start/QUICK_START_GUIDE.ru.md)
+- [Quick Start Guide EN](docs/Quick_start/QUICK_START_GUIDE.en.md)
+
+## FAQ
+
+- [FAQ RU](docs/FAQ.ru.md)
+- [FAQ EN](docs/FAQ.en.md)
+
+## Сборка
+
+```bash
+# Клонируйте репозиторий
+git clone https://github.com/telemt/telemt
+# Смените каталог на telemt
+cd telemt
+# Начните процесс сборки
+cargo build --release
+
+# Устройства с небольшим объёмом оперативной памяти (1 ГБ, например NanoPi Neo3 / Raspberry Pi Zero 2):
+# используется параметр lto = «thin» для уменьшения пикового потребления памяти.
+# Если ваш пользовательский набор инструментов переопределяет профили, не используйте Fat LTO.
+
+# Перейдите в каталог /bin
+mv ./target/release/telemt /bin
+# Сделайте файл исполняемым
+chmod +x /bin/telemt
+# Запустите!
+telemt config.toml
+```
+
+### Устройства с малым объемом RAM
+Для устройств с ~1 ГБ RAM (например Raspberry Pi):
+- используется облегчённая оптимизация линковщика (thin LTO);
+- не рекомендуется включать fat LTO.
+
+## OpenBSD
+
+- Руководство по сборке и настройке на английском языке [OpenBSD Guide (EN)](docs/Quick_start/OPENBSD_QUICK_START_GUIDE.en.md);
+- Пример rc.d скрипта: [contrib/openbsd/telemt.rcd](contrib/openbsd/telemt.rcd);
+- Поддержка sandbox с `pledge(2)` и `unveil(2)` пока не реализована.
+
+## Почему Rust?
+
+- Надёжность для долгоживущих процессов;
+- Детерминированное управление ресурсами (RAII);
+- Отсутствие сборщика мусора;
+- Безопасность памяти;
+- Асинхронная архитектура Tokio.
+
+## Известные проблемы
+
+- ✅ [Поддержка SOCKS5 как upstream](https://github.com/telemt/telemt/issues/1) -> added Upstream Management;
+- ✅ [Проблема зависания загрузки медиа на iOS](https://github.com/telemt/telemt/issues/2).
+
+## Планы
+
+- Публичный IP в ссылках;
+- Перезагрузка конфигурации на лету;
+- Привязка к устройству или IP для входящих и исходящих соединений;
+- Поддержка рекламных тегов по SNI / секретному ключу;
+- Улучшенная обработка ошибок;
+- Zero-copy оптимизации;
+- Проверка состояния дата-центров;
+- Отсутствие глобального изменяемого состояния;
+- Изоляция клиентов и справедливое распределение трафика;
+- «Политика секретов» — маршрутизация по SNI / секрету;
+- Балансировщик с несколькими источниками и отработка отказов;
+- Строгие FSM для handshake;
+- Улучшенная защита от replay-атак;
+- Веб-интерфейс: статистика, состояние работоспособности, задержка, пользовательский опыт...
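Review bot: `> [!Примечание]` at the top of the new file will not render as a GitHub alert, because the alert keyword is matched literally (`[!NOTE]`, `[!WARNING]` and so on); keep `[!NOTE]` and translate only the body. In the navigation list, `#quick-start-guide`, `#build`, `#why-rust`, `#issues` and `#roadmap` are the English README's anchors, while the headings in this file are Russian (`## Быстрый старт`, `## Сборка`, ...), so those in-page links will not resolve; use the anchors generated from the Russian headings or add explicit ones. The comment `# Перейдите в каталог /bin` sits above `mv ./target/release/telemt /bin`, which moves the binary rather than changing directory, and the MODEL/API links use the pre-rename `docs/model/` and `docs/API.md` paths.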
diff --git a/docs/TUNING.de.md b/docs/Advanced_settings/TUNING.de.md
similarity index 100%
rename from docs/TUNING.de.md
rename to docs/Advanced_settings/TUNING.de.md
diff --git a/docs/TUNING.en.md b/docs/Advanced_settings/TUNING.en.md
similarity index 100%
rename from docs/TUNING.en.md
rename to docs/Advanced_settings/TUNING.en.md
diff --git a/docs/TUNING.ru.md b/docs/Advanced_settings/TUNING.ru.md
similarity index 100%
rename from docs/TUNING.ru.md
rename to docs/Advanced_settings/TUNING.ru.md
diff --git a/docs/API.md b/docs/Architecture/API/API.md
similarity index 100%
rename from docs/API.md
rename to docs/Architecture/API/API.md
diff --git a/docs/fronting-splitting/TLS-F-TCP-S.ru.md b/docs/Architecture/Fronting-splitting/TLS-F-TCP-S.ru.md
similarity index 99%
rename from docs/fronting-splitting/TLS-F-TCP-S.ru.md
rename to docs/Architecture/Fronting-splitting/TLS-F-TCP-S.ru.md
index 1f9f872..750fb48 100644
--- a/docs/fronting-splitting/TLS-F-TCP-S.ru.md
+++ b/docs/Architecture/Fronting-splitting/TLS-F-TCP-S.ru.md
@@ -130,7 +130,7 @@ mask_host:mask_port
**Telemt работает как TCP-переключатель:**
1) принимает соединение
-2️) определяет тип клиента
+2) определяет тип клиента
3) либо:
- обрабатывает MTProxy внутри
diff --git a/docs/middle-end/KDF-internals/MIDDLE-END-KDF.de.md b/docs/Architecture/Middle-end/KDF-internals/MIDDLE-END-KDF.de.md
similarity index 100%
rename from docs/middle-end/KDF-internals/MIDDLE-END-KDF.de.md
rename to docs/Architecture/Middle-end/KDF-internals/MIDDLE-END-KDF.de.md
diff --git a/docs/middle-end/KDF-internals/MIDDLE-END-KDF.en.md b/docs/Architecture/Middle-end/KDF-internals/MIDDLE-END-KDF.en.md
similarity index 100%
rename from docs/middle-end/KDF-internals/MIDDLE-END-KDF.en.md
rename to docs/Architecture/Middle-end/KDF-internals/MIDDLE-END-KDF.en.md
diff --git a/docs/middle-end/KDF-internals/MIDDLE-END-KDF.ru.md b/docs/Architecture/Middle-end/KDF-internals/MIDDLE-END-KDF.ru.md
similarity index 100%
rename from docs/middle-end/KDF-internals/MIDDLE-END-KDF.ru.md
rename to docs/Architecture/Middle-end/KDF-internals/MIDDLE-END-KDF.ru.md
diff --git a/docs/model/FakeTLS.png b/docs/Architecture/Model/FakeTLS.png
similarity index 100%
rename from docs/model/FakeTLS.png
rename to docs/Architecture/Model/FakeTLS.png
diff --git a/docs/model/MODEL.en.md b/docs/Architecture/Model/MODEL.en.md
similarity index 100%
rename from docs/model/MODEL.en.md
rename to docs/Architecture/Model/MODEL.en.md
diff --git a/docs/model/MODEL.ru.md b/docs/Architecture/Model/MODEL.ru.md
similarity index 100%
rename from docs/model/MODEL.ru.md
rename to docs/Architecture/Model/MODEL.ru.md
diff --git a/docs/model/architecture.png b/docs/Architecture/Model/architecture.png
similarity index 100%
rename from docs/model/architecture.png
rename to docs/Architecture/Model/architecture.png
diff --git a/docs/CONFIG_PARAMS.en.md b/docs/Config_params/CONFIG_PARAMS.en.md
similarity index 100%
rename from docs/CONFIG_PARAMS.en.md
rename to docs/Config_params/CONFIG_PARAMS.en.md
diff --git a/docs/FAQ.en.md b/docs/FAQ.en.md
index 5e5a78a..7d477b2 100644
--- a/docs/FAQ.en.md
+++ b/docs/FAQ.en.md
@@ -1,5 +1,4 @@
## How to set up a "proxy sponsor" channel and statistics via the @MTProxybot
-
1. Go to the @MTProxybot.
2. Enter the `/newproxy` command.
3. Send your server's IP address and port. For example: `1.2.3.4:443`.
@@ -32,13 +31,130 @@ use_middle_proxy = true
hello = "ad_tag"
hello2 = "ad_tag2"
```
+## Recognizability for DPI and crawler
-## Why do you need a middle proxy (ME)
+On April 1, 2026, we became aware of a method for detecting MTProxy Fake-TLS,
+based on the ECH extension and the ordering of cipher suites,
+as well as an overall unique JA3/JA4 fingerprint
+that does not occur in modern browsers:
+we have already submitted initial changes to the Telegram Desktop developers and are working on updates for other clients.
+
+- We consider this a breakthrough aspect, which has no stable analogues today
+- Based on this: if `telemt` configured correctly, **TLS mode is completely identical to real-life handshake + communication** with a specified host
+- Here is our evidence:
+ - 212.220.88.77 - "dummy" host, running `telemt`
+ - `petrovich.ru` - `tls` + `masking` host, in HEX: `706574726f766963682e7275`
+ - **No MITM + No Fake Certificates/Crypto** = pure transparent *TCP Splice* to "best" upstream: MTProxy or tls/mask-host:
+ - DPI see legitimate HTTPS to `tls_host`, including *valid chain-of-trust* and entropy
+ - Crawlers completely satisfied receiving responses from `mask_host`
+ ### Client WITH secret-key accesses the MTProxy resource:
+
+
+
+ ### Client WITHOUT secret-key gets transparent access to the specified resource:
+ - with trusted certificate
+ - with original handshake
+ - with full request-response way
+ - with low-latency overhead
+```bash
+root@debian:~/telemt# curl -v -I --resolve petrovich.ru:443:212.220.88.77 https://petrovich.ru/
+* Added petrovich.ru:443:212.220.88.77 to DNS cache
+* Hostname petrovich.ru was found in DNS cache
+* Trying 212.220.88.77:443...
+* Connected to petrovich.ru (212.220.88.77) port 443 (#0)
+* ALPN: offers h2,http/1.1
+* TLSv1.3 (OUT), TLS handshake, Client hello (1):
+* CAfile: /etc/ssl/certs/ca-certificates.crt
+* CApath: /etc/ssl/certs
+* TLSv1.3 (IN), TLS handshake, Server hello (2):
+* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
+* TLSv1.3 (IN), TLS handshake, Certificate (11):
+* TLSv1.3 (IN), TLS handshake, CERT verify (15):
+* TLSv1.3 (IN), TLS handshake, Finished (20):
+* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
+* TLSv1.3 (OUT), TLS handshake, Finished (20):
+* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
+* ALPN: server did not agree on a protocol. Uses default.
+* Server certificate:
+* subject: C=RU; ST=Saint Petersburg; L=Saint Petersburg; O=STD Petrovich; CN=*.petrovich.ru
+* start date: Jan 28 11:21:01 2025 GMT
+* expire date: Mar 1 11:21:00 2026 GMT
+* subjectAltName: host "petrovich.ru" matched cert's "petrovich.ru"
+* issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign RSA OV SSL CA 2018
+* SSL certificate verify ok.
+* using HTTP/1.x
+> HEAD / HTTP/1.1
+> Host: petrovich.ru
+> User-Agent: curl/7.88.1
+> Accept: */*
+>
+* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
+* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
+* old SSL session ID is stale, removing
+< HTTP/1.1 200 OK
+HTTP/1.1 200 OK
+< Server: Variti/0.9.3a
+Server: Variti/0.9.3a
+< Date: Thu, 01 Jan 2026 00:0000 GMT
+Date: Thu, 01 Jan 2026 00:0000 GMT
+< Access-Control-Allow-Origin: *
+Access-Control-Allow-Origin: *
+< Content-Type: text/html
+Content-Type: text/html
+< Cache-Control: no-store
+Cache-Control: no-store
+< Expires: Thu, 01 Jan 2026 00:0000 GMT
+Expires: Thu, 01 Jan 2026 00:0000 GMT
+< Pragma: no-cache
+Pragma: no-cache
+< Set-Cookie: ipp_uid=XXXXX/XXXXX/XXXXX==; Expires=Tue, 31 Dec 2040 23:59:59 GMT; Domain=.petrovich.ru; Path=/
+Set-Cookie: ipp_uid=XXXXX/XXXXX/XXXXX==; Expires=Tue, 31 Dec 2040 23:59:59 GMT; Domain=.petrovich.ru; Path=/
+< Content-Type: text/html
+Content-Type: text/html
+< Content-Length: 31253
+Content-Length: 31253
+< Connection: keep-alive
+Connection: keep-alive
+< Keep-Alive: timeout=60
+Keep-Alive: timeout=60
+
+<
+* Connection #0 to host petrovich.ru left intact
+
+```
+- We challenged ourselves, we kept trying and we didn't only *beat the air*: now, we have something to show you
+ - Do not just take our word for it? - This is great and we respect that: you can build your own `telemt` or download a build and check it right now
+
+
+## F.A.Q.
+
+### Telegram Calls via MTProxy
+- Telegram architecture **does NOT allow calls via MTProxy**, but only via SOCKS5, which cannot be obfuscated
+
+### How does DPI see MTProxy TLS?
+- DPI sees MTProxy in Fake TLS (ee) mode as TLS 1.3
+- the SNI you specify sends both the client and the server;
+- ALPN is similar to HTTP 1.1/2;
+- high entropy, which is normal for AES-encrypted traffic;
+
+### Whitelist on IP
+- MTProxy cannot work when there is:
+ - no IP connectivity to the target host: Russian Whitelist on Mobile Networks - "Белый список"
+ - OR all TCP traffic is blocked
+ - OR high entropy/encrypted traffic is blocked: content filters at universities and critical infrastructure
+ - OR all TLS traffic is blocked
+ - OR specified port is blocked: use 443 to make it "like real"
+ - OR provided SNI is blocked: use "officially approved"/innocuous name
+- like most protocols on the Internet;
+- these situations are observed:
+ - in China behind the Great Firewall
+ - in Russia on mobile networks, less in wired networks
+ - in Iran during "activity"
+
+### Why do you need a middle proxy (ME)
https://github.com/telemt/telemt/discussions/167
-
-## How many people can use one link
-
+### How many people can use one link
By default, an unlimited number of people can use a single link.
However, you can limit the number of unique IP addresses for each user:
```toml
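Review bot: The new `## F.A.Q.` heading inside `docs/FAQ.en.md` leaves the file with a mixed outline: "Why do you need a middle proxy (ME)" and "How many people can use one link" are demoted to `###` under it, while "How to set up a proxy sponsor channel" and "Additional parameters" stay at `##`, and `docs/FAQ.ru.md` keeps `## Зачем нужен middle proxy (ME)` at the old level. Either drop the extra heading and keep every question at one level, or apply the same nesting to both language files. While moving the curl transcript, it would also be worth trimming it: each response header appears twice (once with the `<` prefix and once without) and the `Date`/`Expires` values read `00:0000`. The bullet "the SNI you specify sends both the client and the server" reads inverted; "is sent by both the client and the server" matches the intent.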
@@ -47,8 +163,7 @@ hello = 1
```
This parameter sets the maximum number of unique IP addresses from which a single link can be used simultaneously. If the first user disconnects, a second one can connect. At the same time, multiple users can connect from a single IP address simultaneously (for example, devices on the same Wi-Fi network).
-## How to create multiple different links
-
+### How to create multiple different links
1. Generate the required number of secrets using the command: `openssl rand -hex 16`.
2. Open the configuration file: `nano /etc/telemt/telemt.toml`.
3. Add new users to the `[access.users]` section:
@@ -64,7 +179,7 @@ user3 = "00000000000000000000000000000003"
curl -s http://127.0.0.1:9091/v1/users | jq
```
-## "Unknown TLS SNI" error
+### "Unknown TLS SNI" error
Usually, this error occurs if you have changed the `tls_domain` parameter, but users continue to connect using old links with the previous domain.
If you need to allow connections with any domains (ignoring SNI mismatches), add the following parameters:
@@ -73,7 +188,7 @@ If you need to allow connections with any domains (ignoring SNI mismatches), add
unknown_sni_action = "mask"
```
-## How to view metrics
+### How to view metrics
1. Open the configuration file: `nano /etc/telemt/telemt.toml`.
2. Add the following parameters:
@@ -87,6 +202,25 @@ metrics_whitelist = ["127.0.0.1/32", "::1/128", "0.0.0.0/0"]
> [!WARNING]
> The value `"0.0.0.0/0"` in `metrics_whitelist` opens access to metrics from any IP address. It is recommended to replace it with your personal IP, for example: `"1.2.3.4/32"`.
+### Too many open files
+- On a fresh Linux install the default open file limit is low; under load `telemt` may fail with `Accept error: Too many open files`
+- **Systemd**: add `LimitNOFILE=65536` to the `[Service]` section (already included in the example above)
+- **Docker**: add `--ulimit nofile=65536:65536` to your `docker run` command, or in `docker-compose.yml`:
+```yaml
+ulimits:
+ nofile:
+ soft: 65536
+ hard: 65536
+```
+- **System-wide** (optional): add to `/etc/security/limits.conf`:
+```
+* soft nofile 1048576
+* hard nofile 1048576
+root soft nofile 1048576
+root hard nofile 1048576
+```
+
+
## Additional parameters
### Domain in the link instead of IP
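Review bot: In the Systemd bullet, "already included in the example above" was copied verbatim from README.md, but no systemd unit appears in the FAQ content shown around this section, so the reference no longer points at anything; link to the Quick Start guide that carries the unit file, or spell out the `[Service]` line here. The section also recommends two different limits without explanation (`65536` for systemd and Docker, `1048576` in `/etc/security/limits.conf`); state which value `telemt` actually needs and why the system-wide one is higher.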
diff --git a/docs/FAQ.ru.md b/docs/FAQ.ru.md
index fa7d5c0..91d842d 100644
--- a/docs/FAQ.ru.md
+++ b/docs/FAQ.ru.md
@@ -32,6 +32,122 @@ use_middle_proxy = true
hello = "ad_tag"
hello2 = "ad_tag2"
```
+## Распознаваемость для DPI и сканеров
+
+1 апреля 2026 года нам стало известно о методе обнаружения MTProxy Fake-TLS, основанном на расширении ECH и порядке набора шифров,
+а также об общем уникальном отпечатке JA3/JA4, который не встречается в современных браузерах: мы уже отправили первоначальные изменения разработчикам Telegram Desktop и работаем над обновлениями для других клиентов.
+
+- Мы считаем это прорывом, которому на сегодняшний день нет стабильных аналогов;
+- Исходя из этого: если `telemt` настроен правильно, **режим TLS полностью идентичен реальному «рукопожатию» + обмену данными** с указанным хостом;
+- Вот наши доказательства:
+ - 212.220.88.77 — «фиктивный» хост, на котором запущен `telemt`;
+ - `petrovich.ru` — хост с `tls` + `masking`, в HEX: `706574726f766963682e7275`;
+ - **Без MITM + без поддельных сертификатов/шифрования** = чистое прозрачное *TCP Splice* к «лучшему» исходному серверу: MTProxy или tls/mask-host:
+ - DPI видит легитимный HTTPS к `tls_host`, включая *достоверную цепочку доверия* и энтропию;
+ - Краулеры полностью удовлетворены получением ответов от `mask_host`.
+
+ ### Клиент С секретным ключом получает доступ к ресурсу MTProxy:
+
+
+
+ ### Клиент БЕЗ секретного ключа получает прозрачный доступ к указанному ресурсу:
+ - с доверенным сертификатом;
+ - с исходным «рукопожатием»;
+ - с полным циклом запрос-ответ;
+ - с низкой задержкой.
+
+```bash
+root@debian:~/telemt# curl -v -I --resolve petrovich.ru:443:212.220.88.77 https://petrovich.ru/
+* Added petrovich.ru:443:212.220.88.77 to DNS cache
+* Hostname petrovich.ru was found in DNS cache
+* Trying 212.220.88.77:443...
+* Connected to petrovich.ru (212.220.88.77) port 443 (#0)
+* ALPN: offers h2,http/1.1
+* TLSv1.3 (OUT), TLS handshake, Client hello (1):
+* CAfile: /etc/ssl/certs/ca-certificates.crt
+* CApath: /etc/ssl/certs
+* TLSv1.3 (IN), TLS handshake, Server hello (2):
+* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
+* TLSv1.3 (IN), TLS handshake, Certificate (11):
+* TLSv1.3 (IN), TLS handshake, CERT verify (15):
+* TLSv1.3 (IN), TLS handshake, Finished (20):
+* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
+* TLSv1.3 (OUT), TLS handshake, Finished (20):
+* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
+* ALPN: server did not agree on a protocol. Uses default.
+* Server certificate:
+* subject: C=RU; ST=Saint Petersburg; L=Saint Petersburg; O=STD Petrovich; CN=*.petrovich.ru
+* start date: Jan 28 11:21:01 2025 GMT
+* expire date: Mar 1 11:21:00 2026 GMT
+* subjectAltName: host "petrovich.ru" matched cert's "petrovich.ru"
+* issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign RSA OV SSL CA 2018
+* SSL certificate verify ok.
+* using HTTP/1.x
+> HEAD / HTTP/1.1
+> Host: petrovich.ru
+> User-Agent: curl/7.88.1
+> Accept: */*
+>
+* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
+* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
+* old SSL session ID is stale, removing
+< HTTP/1.1 200 OK
+HTTP/1.1 200 OK
+< Server: Variti/0.9.3a
+Server: Variti/0.9.3a
+< Date: Thu, 01 Jan 2026 00:0000 GMT
+Date: Thu, 01 Jan 2026 00:0000 GMT
+< Access-Control-Allow-Origin: *
+Access-Control-Allow-Origin: *
+< Content-Type: text/html
+Content-Type: text/html
+< Cache-Control: no-store
+Cache-Control: no-store
+< Expires: Thu, 01 Jan 2026 00:0000 GMT
+Expires: Thu, 01 Jan 2026 00:0000 GMT
+< Pragma: no-cache
+Pragma: no-cache
+< Set-Cookie: ipp_uid=XXXXX/XXXXX/XXXXX==; Expires=Tue, 31 Dec 2040 23:59:59 GMT; Domain=.petrovich.ru; Path=/
+Set-Cookie: ipp_uid=XXXXX/XXXXX/XXXXX==; Expires=Tue, 31 Dec 2040 23:59:59 GMT; Domain=.petrovich.ru; Path=/
+< Content-Type: text/html
+Content-Type: text/html
+< Content-Length: 31253
+Content-Length: 31253
+< Connection: keep-alive
+Connection: keep-alive
+< Keep-Alive: timeout=60
+Keep-Alive: timeout=60
+
+<
+* Connection #0 to host petrovich.ru left intact
+
+```
+- Мы поставили перед собой задачу, не сдавались и не просто «бились в пустоту»: теперь у нас есть что вам показать.
+- Не верите нам на слово? — Это прекрасно, и мы уважаем ваше решение: вы можете собрать свой собственный `telemt` или скачать готовую сборку и проверить её прямо сейчас.
+
+### Звонки в Telegram через MTProxy
+- Архитектура Telegram **НЕ поддерживает звонки через MTProxy**, а только через SOCKS5, который невозможно замаскировать
+
+### Как DPI распознает TLS-соединение MTProxy?
+- DPI распознает MTProxy в режиме Fake TLS (ee) как TLS 1.3
+- указанный вами SNI отправляется как клиентом, так и сервером;
+- ALPN аналогичен HTTP 1.1/2;
+- высокая энтропия, что нормально для трафика, зашифрованного AES;
+
+### Белый список по IP
+- MTProxy не может работать, если:
+ - отсутствует IP-связь с целевым хостом: российский белый список в мобильных сетях — «Белый список»;
+ - ИЛИ весь TCP-трафик заблокирован;
+ - ИЛИ трафик с высокой энтропией/зашифрованный трафик заблокирован: контент-фильтры в университетах и критически важной инфраструктуре;
+ - ИЛИ весь TLS-трафик заблокирован;
+ - ИЛИ заблокирован указанный порт: используйте 443, чтобы сделать его «как настоящий»;
+ - ИЛИ заблокирован предоставленный SNI: используйте «официально одобренное»/безобидное имя;
+- как и большинство протоколов в Интернете;
+- такие ситуации наблюдаются:
+ - в Китае за Великим файрволом;
+ - в России в мобильных сетях, реже в проводных сетях;
+ - в Иране во время «активности».
+
## Зачем нужен middle proxy (ME)
https://github.com/telemt/telemt/discussions/167
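Review bot: This hunk ports the DPI, calls and whitelist sections but not "Too many open files", which the patch removes from README.md and adds only to `docs/FAQ.en.md`, so the Russian documentation loses that troubleshooting entry; add the translated section here as well. The `### Звонки в Telegram через MTProxy` and following `###` headings end up nested under `## Распознаваемость для DPI и сканеров` with no counterpart of the English `## F.A.Q.` heading, while `## Зачем нужен middle proxy (ME)` stays at `##`, so the two FAQ files diverge in structure.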
@@ -104,7 +220,7 @@ max_connections = 10000 # 0 - без ограничений, 10000 - по у
```
### Upstream Manager
-Для настройки исходящих подключений (апстримов) добавьте соответствующие параметры в секцию `[[upstreams]]` файла конфигурации:
+Для настройки исходящих подключений (Upstreams) добавьте соответствующие параметры в секцию `[[upstreams]]` файла конфигурации:
#### Привязка к исходящему IP-адресу
```toml
@@ -119,20 +235,20 @@ interface = "192.168.1.100" # Замените на ваш исходящий IP
- Без авторизации:
```toml
[[upstreams]]
-type = "socks5" # Specify SOCKS4 or SOCKS5
-address = "1.2.3.4:1234" # SOCKS-server Address
-weight = 1 # Set Weight for Scenarios
+type = "socks5" # выбор типа SOCKS4 или SOCKS5
+address = "1.2.3.4:1234" # адрес сервера SOCKS
+weight = 1 # вес
enabled = true
```
- С авторизацией:
```toml
[[upstreams]]
-type = "socks5" # Specify SOCKS4 or SOCKS5
-address = "1.2.3.4:1234" # SOCKS-server Address
-username = "user" # Username for Auth on SOCKS-server
-password = "pass" # Password for Auth on SOCKS-server
-weight = 1 # Set Weight for Scenarios
+type = "socks5" # выбор типа SOCKS4 или SOCKS5
+address = "1.2.3.4:1234" # адрес сервера SOCKS
+username = "user" # имя пользователя
+password = "pass" # пароль
+weight = 1 # вес
enabled = true
```
diff --git a/docs/OPENBSD.en.md b/docs/Quick_start/OPENBSD_QUICK_START_GUIDE.en.md
similarity index 100%
rename from docs/OPENBSD.en.md
rename to docs/Quick_start/OPENBSD_QUICK_START_GUIDE.en.md
diff --git a/docs/QUICK_START_GUIDE.en.md b/docs/Quick_start/QUICK_START_GUIDE.en.md
similarity index 100%
rename from docs/QUICK_START_GUIDE.en.md
rename to docs/Quick_start/QUICK_START_GUIDE.en.md
diff --git a/docs/QUICK_START_GUIDE.ru.md b/docs/Quick_start/QUICK_START_GUIDE.ru.md
similarity index 100%
rename from docs/QUICK_START_GUIDE.ru.md
rename to docs/Quick_start/QUICK_START_GUIDE.ru.md
diff --git a/docs/VPS_DOUBLE_HOP.en.md b/docs/Setup_examples/VPS_DOUBLE_HOP.en.md
similarity index 100%
rename from docs/VPS_DOUBLE_HOP.en.md
rename to docs/Setup_examples/VPS_DOUBLE_HOP.en.md
diff --git a/docs/VPS_DOUBLE_HOP.ru.md b/docs/Setup_examples/VPS_DOUBLE_HOP.ru.md
similarity index 100%
rename from docs/VPS_DOUBLE_HOP.ru.md
rename to docs/Setup_examples/VPS_DOUBLE_HOP.ru.md
diff --git a/docs/XRAY-SINGBOX-ROUTING.ru.md b/docs/Setup_examples/XRAY-SINGBOX-ROUTING.ru.md
similarity index 100%
rename from docs/XRAY-SINGBOX-ROUTING.ru.md
rename to docs/Setup_examples/XRAY-SINGBOX-ROUTING.ru.md
diff --git a/docs/assets/telegram_button.png b/docs/assets/telegram_button.png
new file mode 100644
index 0000000..645cdc5
Binary files /dev/null and b/docs/assets/telegram_button.png differ
diff --git a/docs/assets/telemt.png b/docs/assets/telemt.png
new file mode 100644
index 0000000..653e383
Binary files /dev/null and b/docs/assets/telemt.png differ