Merge 06eb112efd into 877d16659e

Add High-Load Configuration & Tuning Guide

README.md

@@ -2,189 +2,67 @@
 
 ***Löst Probleme, bevor andere überhaupt wissen, dass sie existieren*** / ***It solves problems before others even realize they exist***
 
-### [**Telemt Chat in Telegram**](https://t.me/telemtrs)
-#### Fixed TLS ClientHello is now available in Telegram Desktop starting from version 6.7.2: to work with EE-MTProxy, please update your client;
-#### Fixed TLS ClientHello for Telegram Android Client is available in [our chat](https://t.me/telemtrs/30234/36441); official releases for Android and iOS are "work in progress";
+> [!NOTE]
+>
+> Fixed TLS ClientHello is now available:
+> - in **Telegram Desktop** starting from version **6.7.2**
+> - in **Telegram Android Client** starting from version **12.6.4**
+> - **release for iOS is "work in progress"**
+>
+> To work with EE-MTProxy, please update your client!
 
+<p align="center">
+  <a href="https://t.me/telemtrs">
+    <img src="/docs/assets/telegram_button.svg" width="200"/>
+  </a>
+</p>
 
 **Telemt** is a fast, secure, and feature-rich server written in Rust: it fully implements the official Telegram proxy algo and adds many production-ready improvements such as:
-- [ME Pool + Reader/Writer + Registry + Refill + Adaptive Floor + Trio-State + Generation Lifecycle](https://github.com/telemt/telemt/blob/main/docs/model/MODEL.en.md)
-- [Full-covered API w/ management](https://github.com/telemt/telemt/blob/main/docs/API.md)
-- Anti-Replay on Sliding Window
-- Prometheus-format Metrics
-- TLS-Fronting and TCP-Splicing for masking from "prying" eyes
+- [ME Pool + Reader/Writer + Registry + Refill + Adaptive Floor + Trio-State + Generation Lifecycle](https://github.com/telemt/telemt/blob/main/docs/Architecture/Model/MODEL.en.md);
+- [Full-covered API w/ management](https://github.com/telemt/telemt/blob/main/docs/Architecture/API/API.md);
+- Anti-Replay on Sliding Window;
+- Prometheus-format Metrics;
+- TLS-Fronting and TCP-Splicing for masking from "prying" eyes.
 
-⚓ Our implementation of **TLS-fronting** is one of the most deeply debugged, focused, advanced and *almost* **"behaviorally consistent to real"**:  we are confident we have it right - [see evidence on our validation and traces](#recognizability-for-dpi-and-crawler)
+![telemt_scheme](docs/assets/telemt.png)
 
-⚓ Our ***Middle-End Pool*** is fastest by design in standard scenarios, compared to other implementations of connecting to the Middle-End Proxy: non dramatically, but usual
+Our implementation of **TLS-fronting** is one of the most deeply debugged, focused, advanced and *almost* **"behaviorally consistent to real"**:  we are confident we have it right - [see evidence on our validation and traces](docs/FAQ.en.md#recognizability-for-dpi-and-crawler)
+
+Our ***Middle-End Pool*** is fastest by design in standard scenarios, compared to other implementations of connecting to the Middle-End Proxy: non dramatically, but usual
 
 - Full support for all official MTProto proxy modes:
-  - Classic
-  - Secure - with `dd` prefix
-  - Fake TLS - with `ee` prefix + SNI fronting
-- Replay attack protection
-- Optional traffic masking: forward unrecognized connections to a real web server, e.g. GitHub 🤪
-- Configurable keepalives + timeouts + IPv6 and "Fast Mode"
-- Graceful shutdown on Ctrl+C
-- Extensive logging via `trace` and `debug` with `RUST_LOG` method
+  - Classic;
+  - Secure - with `dd` prefix;
+  - Fake TLS - with `ee` prefix + SNI fronting;
+- Replay attack protection;
+- Optional traffic masking: forward unrecognized connections to a real web server, e.g. GitHub 🤪;
+- Configurable keepalives + timeouts + IPv6 and "Fast Mode";
+- Graceful shutdown on Ctrl+C;
+- Extensive logging via `trace` and `debug` with `RUST_LOG` method.
+
+## One-command installation (update on re-ru)
+```bash
+curl -fsSL https://raw.githubusercontent.com/telemt/telemt/main/install.sh | sh
+```
+See more in the [Quick Start Guide](docs/Quick_start/QUICK_START_GUIDE.en.md).
 
 # GOTO
-- [Quick Start Guide](#quick-start-guide)
 - [FAQ](#faq)
-  - [Recognizability for DPI and crawler](#recognizability-for-dpi-and-crawler)
-    - [Client WITH secret-key accesses the MTProxy resource:](#client-with-secret-key-accesses-the-mtproxy-resource)
-    - [Client WITHOUT secret-key gets transparent access to the specified resource:](#client-without-secret-key-gets-transparent-access-to-the-specified-resource)
-  - [Telegram Calls via MTProxy](#telegram-calls-via-mtproxy)
-  - [How does DPI see MTProxy TLS?](#how-does-dpi-see-mtproxy-tls)
-  - [Whitelist on IP](#whitelist-on-ip)
-  - [Too many open files](#too-many-open-files)
+- [Architecture](docs/Architecture)
+- [Quick Start Guide](#quick-start-guide)
+- [Config parameters](docs/Config_params)
 - [Build](#build)
 - [Why Rust?](#why-rust)
-- [Issues](#issues)
-- [Roadmap](#roadmap)
-
 
 ## Quick Start Guide
-- [Quick Start Guide RU](docs/QUICK_START_GUIDE.ru.md)
-- [Quick Start Guide EN](docs/QUICK_START_GUIDE.en.md)
+- [Quick Start Guide RU](docs/Quick_start/QUICK_START_GUIDE.ru.md)
+- [Quick Start Guide EN](docs/Quick_start/QUICK_START_GUIDE.en.md)
 
 ## FAQ
 
 - [FAQ RU](docs/FAQ.ru.md)
 - [FAQ EN](docs/FAQ.en.md)
 
-### Recognizability for DPI and crawler
-
-On April 1, 2026, we became aware of a method for detecting MTProxy Fake-TLS, 
-based on the ECH extension and the ordering of cipher suites, 
-as well as an overall unique JA3/JA4 fingerprint 
-that does not occur in modern browsers: 
-we have already submitted initial changes to the Telegram Desktop developers and are working on updates for other clients.
-
-- We consider this a breakthrough aspect, which has no stable analogues today
-- Based on this: if `telemt` configured correctly, **TLS mode is completely identical to real-life handshake + communication** with a specified host
-- Here is our evidence:
-    - 212.220.88.77 - "dummy" host, running `telemt`
-    - `petrovich.ru` - `tls` + `masking` host, in HEX: `706574726f766963682e7275`
-    - **No MITM + No Fake Certificates/Crypto** = pure transparent *TCP Splice* to "best" upstream: MTProxy or tls/mask-host:
-      - DPI see legitimate HTTPS to `tls_host`, including *valid chain-of-trust* and entropy
-      - Crawlers completely satisfied receiving responses from `mask_host`
-  #### Client WITH secret-key accesses the MTProxy resource:
-  
-  <img width="360" height="439" alt="telemt" src="https://github.com/user-attachments/assets/39352afb-4a11-4ecc-9d91-9e8cfb20607d" />
-  
-  #### Client WITHOUT secret-key gets transparent access to the specified resource:
-    - with trusted certificate
-    - with original handshake
-    - with full request-response way
-    - with low-latency overhead
-```bash
-root@debian:~/telemt# curl -v -I --resolve petrovich.ru:443:212.220.88.77 https://petrovich.ru/
-* Added petrovich.ru:443:212.220.88.77 to DNS cache
-* Hostname petrovich.ru was found in DNS cache
-*   Trying 212.220.88.77:443...
-* Connected to petrovich.ru (212.220.88.77) port 443 (#0)
-* ALPN: offers h2,http/1.1
-* TLSv1.3 (OUT), TLS handshake, Client hello (1):
-*  CAfile: /etc/ssl/certs/ca-certificates.crt
-*  CApath: /etc/ssl/certs
-* TLSv1.3 (IN), TLS handshake, Server hello (2):
-* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
-* TLSv1.3 (IN), TLS handshake, Certificate (11):
-* TLSv1.3 (IN), TLS handshake, CERT verify (15):
-* TLSv1.3 (IN), TLS handshake, Finished (20):
-* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
-* TLSv1.3 (OUT), TLS handshake, Finished (20):
-* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
-* ALPN: server did not agree on a protocol. Uses default.
-* Server certificate:
-*  subject: C=RU; ST=Saint Petersburg; L=Saint Petersburg; O=STD Petrovich; CN=*.petrovich.ru
-*  start date: Jan 28 11:21:01 2025 GMT
-*  expire date: Mar  1 11:21:00 2026 GMT
-*  subjectAltName: host "petrovich.ru" matched cert's "petrovich.ru"
-*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign RSA OV SSL CA 2018
-*  SSL certificate verify ok.
-* using HTTP/1.x
-> HEAD / HTTP/1.1
-> Host: petrovich.ru
-> User-Agent: curl/7.88.1
-> Accept: */*
-> 
-* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
-* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
-* old SSL session ID is stale, removing
-< HTTP/1.1 200 OK
-HTTP/1.1 200 OK
-< Server: Variti/0.9.3a
-Server: Variti/0.9.3a
-< Date: Thu, 01 Jan 2026 00:0000 GMT
-Date: Thu, 01 Jan 2026 00:0000 GMT
-< Access-Control-Allow-Origin: *
-Access-Control-Allow-Origin: *
-< Content-Type: text/html
-Content-Type: text/html
-< Cache-Control: no-store
-Cache-Control: no-store
-< Expires: Thu, 01 Jan 2026 00:0000 GMT
-Expires: Thu, 01 Jan 2026 00:0000 GMT
-< Pragma: no-cache
-Pragma: no-cache
-< Set-Cookie: ipp_uid=XXXXX/XXXXX/XXXXX==; Expires=Tue, 31 Dec 2040 23:59:59 GMT; Domain=.petrovich.ru; Path=/
-Set-Cookie: ipp_uid=XXXXX/XXXXX/XXXXX==; Expires=Tue, 31 Dec 2040 23:59:59 GMT; Domain=.petrovich.ru; Path=/
-< Content-Type: text/html
-Content-Type: text/html
-< Content-Length: 31253
-Content-Length: 31253
-< Connection: keep-alive
-Connection: keep-alive
-< Keep-Alive: timeout=60
-Keep-Alive: timeout=60
-
-< 
-* Connection #0 to host petrovich.ru left intact
-
-```
-- We challenged ourselves, we kept trying and we didn't only *beat the air*: now, we have something to show you
-  - Do not just take our word for it? - This is great and we respect that: you can build your own `telemt` or download a build and check it right now
-### Telegram Calls via MTProxy
-- Telegram architecture **does NOT allow calls via MTProxy**, but only via SOCKS5, which cannot be obfuscated
-### How does DPI see MTProxy TLS?
-- DPI sees MTProxy in Fake TLS (ee) mode as TLS 1.3
-- the SNI you specify sends both the client and the server;
-- ALPN is similar to HTTP 1.1/2;
-- high entropy, which is normal for AES-encrypted traffic;
-### Whitelist on IP
-- MTProxy cannot work when there is: 
-  - no IP connectivity to the target host: Russian Whitelist on Mobile Networks - "Белый список"
-  - OR all TCP traffic is blocked
-  - OR high entropy/encrypted traffic is blocked: content filters at universities and critical infrastructure
-  - OR all TLS traffic is blocked
-  - OR specified port is blocked: use 443 to make it "like real"
-  - OR provided SNI is blocked: use "officially approved"/innocuous name
-- like most protocols on the Internet; 
-- these situations are observed:
-  - in China behind the Great Firewall
-  - in Russia on mobile networks, less in wired networks
-  - in Iran during "activity"
-### Too many open files
-- On a fresh Linux install the default open file limit is low; under load `telemt` may fail with `Accept error: Too many open files`
-- **Systemd**: add `LimitNOFILE=65536` to the `[Service]` section (already included in the example above)
-- **Docker**: add `--ulimit nofile=65536:65536` to your `docker run` command, or in `docker-compose.yml`:
-```yaml
-ulimits:
-  nofile:
-    soft: 65536
-    hard: 65536
-```
-- **System-wide** (optional): add to `/etc/security/limits.conf`:
-```
-*       soft    nofile  1048576
-*       hard    nofile  1048576
-root    soft    nofile  1048576
-root    hard    nofile  1048576
-```
-
-
 ## Build
 ```bash
 # Cloning repo
@@ -207,7 +85,7 @@ telemt config.toml
 ```
 
 ### OpenBSD
-- Build and service setup guide: [OpenBSD Guide (EN)](docs/OPENBSD.en.md)
+- Build and service setup guide: [OpenBSD Guide (EN)](docs/Quick_start/OPENBSD_QUICK_START_GUIDE.en.md)
 - Example rc.d script: [contrib/openbsd/telemt.rcd](contrib/openbsd/telemt.rcd)
 - Status: OpenBSD sandbox hardening with `pledge(2)` and `unveil(2)` is not implemented yet.
 
@@ -218,24 +96,3 @@ telemt config.toml
 - No garbage collector
 - Memory safety and reduced attack surface
 - Tokio's asynchronous architecture
-
-## Issues
-- ✅ [SOCKS5 as Upstream](https://github.com/telemt/telemt/issues/1) -> added Upstream Management
-- ✅ [iOS - Media Upload Hanging-in-Loop](https://github.com/telemt/telemt/issues/2)
-
-## Roadmap
-- Public IP in links
-- Config Reload-on-fly
-- Bind to device or IP for outbound/inbound connections
-- Adtag Support per SNI / Secret
-- Fail-fast on start + Fail-soft on runtime (only WARN/ERROR)
-- Zero-copy, minimal allocs on hotpath
-- DC Healthchecks + global fallback
-- No global mutable state
-- Client isolation + Fair Bandwidth
-- Backpressure-aware IO
-- "Secret Policy" - SNI / Secret Routing :D
-- Multi-upstream Balancer and Failover
-- Strict FSM per handshake
-- Session-based Antireplay with Sliding window, non-broking reconnects
-- Web Control: statistic, state of health, latency, client experience...

README.ru.md

@@ -0,0 +1,110 @@
+# Telemt — MTProxy на Rust + Tokio
+
+***Решает проблемы раньше, чем другие узнают об их существовании***
+
+> [!NOTE]
+>
+> Исправленный TLS ClientHello доступен в **Telegram Desktop** начиная с версии **6.7.2**: для работы с EE-MTProxy обновите клиент.
+>
+> Исправленный TLS ClientHello доступен в **Telegram Android** начиная с версии **12.6.4**; **официальный релиз для iOS находится в процессе разработки**.
+
+<p align="center">
+  <a href="https://t.me/telemtrs">
+    <img src="/docs/assets/telegram_button.svg" width="200"/>
+  </a>
+</p>
+
+**Telemt** — это быстрый, безопасный и функциональный сервер, написанный на Rust. Он полностью реализует официальный алгоритм прокси Telegram и добавляет множество улучшений для продакшена:
+
+- [ME Pool + Reader/Writer + Registry + Refill + Adaptive Floor + Trio-State + жизненный цикл генераций](https://github.com/telemt/telemt/blob/main/docs/Architecture/Model/MODEL.en.md);
+- [Полноценный API с управлением](https://github.com/telemt/telemt/blob/main/docs/Architecture/API/API.md);
+- Защита от повторных атак (Anti-Replay on Sliding Window);
+- Метрики в формате Prometheus;
+- TLS-fronting и TCP-splicing для маскировки от DPI.
+
+![telemt_scheme](docs/assets/telemt.png)
+
+## Особенности
+
+Реализация **TLS-fronting** максимально приближена к поведению реального HTTPS-трафика (подробнее - [FAQ](docs/FAQ.ru.md#распознаваемость-для-dpi-и-сканеров)).
+
+***Middle-End Pool*** оптимизирован для высокой производительности.
+
+- Поддержка всех режимов MTProto proxy:
+  - Classic;
+  - Secure (префикс `dd`);
+  - Fake TLS (префикс `ee` + SNI fronting);
+- Защита от replay-атак;
+- Маскировка трафика (перенаправление неизвестных подключений на реальные сайты);
+- Настраиваемые keepalive, таймауты, IPv6 и «быстрый режим»;
+- Корректное завершение работы (Ctrl+C);
+- Подробное логирование через `trace` и `debug`.
+
+
+## Быстрая установка (обновление при повторном запуске)
+```bash
+curl -fsSL https://raw.githubusercontent.com/telemt/telemt/main/install.sh | sh
+```
+
+Подробнее об установке в [Quick Start Guide](docs/Quick_start/QUICK_START_GUIDE.ru.md).
+
+# Навигация
+- [FAQ](#faq)
+- [Архитектура](docs/Architecture)
+- [Быстрый старт](#quick-start-guide)
+- [Параметры конфигурационного файла](docs/Config_params)
+- [Сборка](#build)
+- [Почему Rust?](#why-rust)
+- [Известные проблемы](#issues)
+- [Планы](#roadmap)
+
+## Быстрый старт
+- [Quick Start Guide RU](docs/Quick_start/QUICK_START_GUIDE.ru.md)
+- [Quick Start Guide EN](docs/Quick_start/QUICK_START_GUIDE.en.md)
+
+## FAQ
+
+- [FAQ RU](docs/FAQ.ru.md)
+- [FAQ EN](docs/FAQ.en.md)
+
+## Сборка
+
+```bash
+# Клонируйте репозиторий
+git clone https://github.com/telemt/telemt 
+# Смените каталог на telemt
+cd telemt
+# Начните процесс сборки
+cargo build --release
+
+# Устройства с небольшим объёмом оперативной памяти (1 ГБ, например NanoPi Neo3 / Raspberry Pi Zero 2):
+# используется параметр lto = «thin» для уменьшения пикового потребления памяти.
+# Если ваш пользовательский набор инструментов переопределяет профили, не используйте Fat LTO.
+
+# Перейдите в каталог /bin
+mv ./target/release/telemt /bin
+# Сделайте файл исполняемым
+chmod +x /bin/telemt
+# Запустите!
+telemt config.toml
+```
+
+### Устройства с малым объемом RAM
+Для устройств с ~1 ГБ RAM (например Raspberry Pi):
+- используется облегчённая оптимизация линковщика (thin LTO);
+- не рекомендуется включать fat LTO.
+
+## OpenBSD
+
+- Руководство по сборке и настройке на английском языке [OpenBSD Guide (EN)](docs/Quick_start/OPENBSD_QUICK_START_GUIDE.en.md);
+- Пример rc.d скрипта: [contrib/openbsd/telemt.rcd](contrib/openbsd/telemt.rcd);
+- Поддержка sandbox с `pledge(2)` и `unveil(2)` пока не реализована.
+
+## Почему Rust?
+
+- Надёжность для долгоживущих процессов;
+- Детерминированное управление ресурсами (RAII);
+- Отсутствие сборщика мусора;
+- Безопасность памяти;
+- Асинхронная архитектура Tokio.
+

docker-compose.yml

@@ -9,11 +9,11 @@ services:
       - "127.0.0.1:9090:9090"
       - "127.0.0.1:9091:9091"
     # Allow caching 'proxy-secret' in read-only container
-    working_dir: /run/telemt
+    working_dir: /etc/telemt
     volumes:
-      - ./config.toml:/run/telemt/config.toml:ro
+      - ./config.toml:/etc/telemt/config.toml:ro
     tmpfs:
-      - /run/telemt:rw,mode=1777,size=1m
+      - /etc/telemt:rw,mode=1777,size=4m
     environment:
       - RUST_LOG=info
     # Uncomment this line if you want to use host network for IPv6, but bridge is default and usually better
@@ -21,11 +21,12 @@ services:
     cap_drop:
       - ALL
     cap_add:
-      - NET_BIND_SERVICE   # allow binding to port 443
+      - NET_BIND_SERVICE
+      - NET_ADMIN
     read_only: true
     security_opt:
       - no-new-privileges:true
     ulimits:
       nofile:
         soft: 65536
-        hard: 65536
+        hard: 262144

docs/Advanced_settings/HIGH_LOAD.en.md

@@ -0,0 +1,141 @@
+# High-Load Configuration & Tuning Guide
+When deploying Telemt under high-traffic load (tens or hundreds of thousands of concurrent connections), the standard OS network stack limits can lead to packet drops, high CPU context switching, and connection failures. This guide covers Linux kernel tuning, hardware configuration, and architecture optimizations required to prepare the server for high-load scenarios.
+
+---
+## 1. System Limits & File Descriptors
+Every TCP connection requires a file descriptor. At 100k connections, standard Linux limits (often 1024 or 65535) will be exhausted immediately.
+### System-Wide Limits (`sysctl`)
+Increase the global file descriptor limit in `/etc/sysctl.conf`:
+```ini
+fs.file-max = 2097152
+fs.nr_open = 2097152
+```
+### User-Level Limits (`limits.conf`)
+Edit `/etc/security/limits.conf` to allow the telemt (or proxy) user to allocate them:
+```conf
+* soft nofile 1048576
+* hard nofile 1048576
+root soft nofile 1048576
+root hard nofile 1048576
+```
+### Systemd / Docker Overrides
+If using **Systemd**, add to your `telemt.service`:
+```ini
+[Service]
+LimitNOFILE=1048576
+LimitNPROC=65535
+TasksMax=infinity
+```
+If using **Docker**, configure `ulimits` in `docker-compose.yaml`:
+```yaml
+services:
+  telemt:
+    ulimits:
+      nofile:
+        soft: 1048576
+        hard: 1048576
+```
+
+---
+## 2. Kernel Network Stack Tuning (`sysctl`)
+Create a dedicated file `/etc/sysctl.d/99-telemt-highload.conf` and apply it via `sysctl -p /etc/sysctl.d/99-telemt-highload.conf`.
+### 2.1 Connection Queues & SYN Flood Protection
+Increase the size of accept queues to absorb sudden connection spikes (bursts) and mitigate SYN floods:
+```ini
+net.core.somaxconn = 65535
+net.core.netdev_max_backlog = 65535
+net.ipv4.tcp_max_syn_backlog = 65535
+net.ipv4.tcp_syncookies = 1
+```
+### 2.2 Port Exhaustion & TIME-WAIT Sockets
+High churn rates lead to ephemeral port exhaustion. Expand the range and rapidly recycle closed sockets:
+```ini
+net.ipv4.ip_local_port_range = 10000 65535
+net.ipv4.tcp_fin_timeout = 15
+net.ipv4.tcp_tw_reuse = 1
+net.ipv4.tcp_max_tw_buckets = 2000000
+```
+### 2.3 TCP Keepalive (Aggressive Dead Connection Culling)
+By default, Linux keeps silent, dropped connections open for over 2 hours. This consumes memory at scale. Configure the system to detect and drop them in < 5 minutes:
+```ini
+net.ipv4.tcp_keepalive_time = 300
+net.ipv4.tcp_keepalive_intvl = 30
+net.ipv4.tcp_keepalive_probes = 5
+```
+### 2.4 TCP Buffers & Congestion Control
+Optimize memory usage per socket and switch to BBR (Bottleneck Bandwidth and Round-trip propagation time) to improve latency on lossy networks:
+```ini
+# Core buffer sizes
+net.core.rmem_default = 262144
+net.core.wmem_default = 262144
+net.core.rmem_max = 16777216
+net.core.wmem_max = 16777216
+# TCP specific buffers (min, default, max)
+net.ipv4.tcp_rmem = 4096 87380 16777216
+net.ipv4.tcp_wmem = 4096 65536 16777216
+# Enable BBR
+net.core.default_qdisc = fq
+net.ipv4.tcp_congestion_control = bbr
+```
+
+---
+## 3. Conntrack (Netfilter) Tuning
+If your server uses `iptables`, `ufw`, or `firewalld`, the Linux kernel tracks every connection state in a table (`nf_conntrack`). When this table fills up, Linux drops new packets.
+Check your current limit and usage:
+```bash
+sysctl net.netfilter.nf_conntrack_max
+sysctl net.netfilter.nf_conntrack_count
+```
+If it gets close to the limit, tune it up, and reduce the time established connections linger in the tracker:
+```ini
+# In /etc/sysctl.d/99-telemt-highload.conf
+net.netfilter.nf_conntrack_max = 2097152
+# Reduce timeout from default 5 days to 1 hour
+net.netfilter.nf_conntrack_tcp_timeout_established = 3600
+net.netfilter.nf_conntrack_tcp_timeout_time_wait = 12
+```
+*Note: Depending on your OS, you may need to run `modprobe nf_conntrack` before setting these parameters.*
+
+---
+## 4. Multi-Tier Architecture: HAProxy Setup
+For massive traffic loads, buffering Telemt behind a reverse proxy like HAProxy can help absorb connection spikes and handle basic TCP connections before handing them off.
+### HAProxy High-Load `haproxy.cfg`
+```haproxy
+global
+    # Disable detailed logging under load
+    log stdout format raw local0 err
+    # maxconn 250000
+    
+    # Buffer tuning
+    tune.bufsize 16384
+    tune.maxaccept 64
+defaults
+    log     global
+    mode    tcp
+    option  clitcpka
+    option  srvtcpka
+    timeout connect 5s
+    timeout client  1h
+    timeout server  1h
+    # Quick purge for dead peers
+    timeout client-fin 10s
+    timeout server-fin 10s
+frontend proxy_in
+    bind *:443
+    maxconn 250000
+    option tcp-smart-accept
+    default_backend telemt_backend
+backend telemt_backend
+    option tcp-smart-connect
+    # Send-Proxy-V2 to preserve Client IP for Telemt's internal logic
+    server telemt_core 10.10.10.1:443 maxconn 250000 send-proxy-v2 check inter 5s
+```
+**Important**: Telemt must be configured to process the `PROXY` protocol on port `443` for this chain to work and preserve client IPs.
+
+---
+## 5. Diagnostics & Monitoring
+When operating under load, these commands are useful for diagnostics:
+* **Checking dropped connections (Queues full)**: `netstat -s | grep "times the listen queue of a socket overflowed"`
+* **Checking Conntrack drops**: `dmesg | grep conntrack`
+* **Checking File Descriptor usage**: `cat /proc/sys/fs/file-nr`
+* **Real-time connection states**: `ss -s` (Avoid using `netstat` on heavy loads).

docs/Advanced_settings/HIGH_LOAD.ru.md

@@ -0,0 +1,139 @@
+# Руководство по High-Load конфигурации и тюнингу
+При развертывании Telemt под высокой нагрузкой (десятки и сотни тысяч одновременных подключений), стандартные ограничения сетевого стека ОС могут приводить к потерям пакетов, переключениям контекста CPU и отказам в соединениях. В данном руководстве описана настройка ядра Linux, системных лимитов и аппаратной конфигурации для работы в подобных сценариях.
+
+---
+## 1. Системные лимиты и файловые дескрипторы
+Каждое TCP-сосоединение требует файлового дескриптора. При 100 тысячах соединений стандартные лимиты Linux (зачастую 1024 или 65535) будут исчерпаны немедленно.
+### Общесистемные лимиты (`sysctl`)
+Увеличьте глобальный лимит файловых дескрипторов в `/etc/sysctl.conf`:
+```ini
+fs.file-max = 2097152
+fs.nr_open = 2097152
+```
+### На уровне пользователя (`limits.conf`)
+Отредактируйте `/etc/security/limits.conf`, чтобы разрешить пользователю (от которого запущен telemt) резервировать дескрипторы:
+```conf
+* soft nofile 1048576
+* hard nofile 1048576
+root soft nofile 1048576
+root hard nofile 1048576
+```
+### Переопределения для Systemd / Docker
+Если используется **Systemd**, добавьте в ваш `telemt.service`:
+```ini
+[Service]
+LimitNOFILE=1048576
+LimitNPROC=65535
+TasksMax=infinity
+```
+Если используется **Docker**, задайте `ulimits` в `docker-compose.yaml`:
+```yaml
+services:
+  telemt:
+    ulimits:
+      nofile:
+        soft: 1048576
+        hard: 1048576
+```
+
+---
+## 2. Тонкая настройка сетевого стека ядра (`sysctl`)
+Создайте выделенный файл `/etc/sysctl.d/99-telemt-highload.conf` и примените его через `sysctl -p /etc/sysctl.d/99-telemt-highload.conf`.
+### 2.1 Очереди соединений и защита от SYN-флуда
+Увеличьте размеры очередей, чтобы поглощать внезапные всплески соединений и смягчить атаки типа SYN flood:
+```ini
+net.core.somaxconn = 65535
+net.core.netdev_max_backlog = 65535
+net.ipv4.tcp_max_syn_backlog = 65535
+net.ipv4.tcp_syncookies = 1
+```
+### 2.2 Исчерпание портов и TIME-WAIT сокеты
+Высокая текучесть приводит к нехватке временных (ephemeral) портов. Расширьте диапазон портов и позвольте ядру быстро переиспользовать закрытые сокеты:
+```ini
+net.ipv4.ip_local_port_range = 10000 65535
+net.ipv4.tcp_fin_timeout = 15
+net.ipv4.tcp_tw_reuse = 1
+net.ipv4.tcp_max_tw_buckets = 2000000
+```
+### 2.3 TCP Keepalive (Агрессивная очистка мертвых соединений)
+По умолчанию Linux держит "оборванные" TCP-сессии более 2 часов. Задайте параметры для обнаружения и сброса мертвых соединений за менее чем 5 минут:
+```ini
+net.ipv4.tcp_keepalive_time = 300
+net.ipv4.tcp_keepalive_intvl = 30
+net.ipv4.tcp_keepalive_probes = 5
+```
+### 2.4 Буферы TCP и управление перегрузками (Congestion Control)
+Оптимизируйте использование памяти на сокет и переключитесь на алгоритм BBR (Bottleneck Bandwidth and Round-trip propagation time) для улучшения задержки на плохих сетях:
+```ini
+# Размеры буферов ядра (по умолчанию и макс)
+net.core.rmem_default = 262144
+net.core.wmem_default = 262144
+net.core.rmem_max = 16777216
+net.core.wmem_max = 16777216
+# Специфичные TCP буферы (min, default, max)
+net.ipv4.tcp_rmem = 4096 87380 16777216
+net.ipv4.tcp_wmem = 4096 65536 16777216
+# Включение BBR
+net.core.default_qdisc = fq
+net.ipv4.tcp_congestion_control = bbr
+```
+
+---
+## 3. Тюнинг Conntrack (Netfilter)
+Если ваш сервер использует `iptables`, `ufw` или `firewalld`, ядро вынуждено отслеживать каждое соединение в таблице состояний (`nf_conntrack`). Когда эта таблица переполняется, Linux отбрасывает новые пакеты без уведомления приложения.
+Проверьте текущие лимиты и использование:
+```bash
+sysctl net.netfilter.nf_conntrack_max
+sysctl net.netfilter.nf_conntrack_count
+```
+Если вы близки к пределу, увеличьте таблицу и заставьте ядро быстрее удалять установленные соединения. Добавьте в `/etc/sysctl.d/99-telemt-highload.conf`:
+```ini
+net.netfilter.nf_conntrack_max = 2097152
+# Снижаем таймаут с дефолтных 5 дней до 1 часа
+net.netfilter.nf_conntrack_tcp_timeout_established = 3600
+net.netfilter.nf_conntrack_tcp_timeout_time_wait = 12
+```
+*Внимание: в зависимости от ОС, вам может потребоваться выполнить `modprobe nf_conntrack` перед установкой этих параметров.*
+
+---
+## 4. Архитектура: Развертывание за HAProxy
+Для максимальных нагрузок выставление Telemt напрямую в интернет менее эффективно, чем использование оптимизированного L4-балансировщика. HAProxy эффективен в поглощении TCP атак, обработке рукопожатий и сглаживании всплесков подключений.
+### Оптимизация `haproxy.cfg` для High-Load
+```haproxy
+global
+    # Отключить детальные логи соединений под нагрузкой
+    log stdout format raw local0 err
+    maxconn 250000
+    # Тюнинг буферов и приема сокетов
+    tune.bufsize 16384
+    tune.maxaccept 64
+defaults
+    log     global
+    mode    tcp
+    option  clitcpka
+    option  srvtcpka
+    timeout connect 5s
+    timeout client  1h
+    timeout server  1h
+    # Быстрая очистка мертвых пиров
+    timeout client-fin 10s
+    timeout server-fin 10s
+frontend proxy_in
+    bind *:443
+    maxconn 250000
+    option tcp-smart-accept
+    default_backend telemt_backend
+backend telemt_backend
+    option tcp-smart-connect
+    # Send-Proxy-V2 обязателен для сохранения IP клиента внутри внутренней логики Telemt
+    server telemt_core 10.10.10.1:443 maxconn 250000 send-proxy-v2 check inter 5s
+```
+**Важно**: Telemt должен быть настроен на обработку протокола `PROXY` на порту `443`, чтобы получать оригинальные IP-адреса клиентов.
+
+---
+## 5. Диагностика
+Команды для выявления узких мест:
+* **Проверка дропов TCP (переполнение очередей)**: `netstat -s | grep "times the listen queue of a socket overflowed"`
+* **Контроль отбрасывания пакетов Conntrack**: `dmesg | grep conntrack`
+* **Проверка использования файловых дескрипторов**: `cat /proc/sys/fs/file-nr`
+* **Отображение состояния сокетов**: `ss -s` (Избегайте использования `netstat` под высокой нагрузкой).

docs/Config_params/CONFIG_PARAMS.en.md

@@ -1942,7 +1942,7 @@ This document lists all configuration keys accepted by `config.toml`.
 <a id="cfg-server-proxy_protocol_trusted_cidrs"></a>
 - `proxy_protocol_trusted_cidrs`
   - **Constraints / validation**: `IpNetwork[]`.
-    - If omitted, defaults to trust-all CIDRs (`0.0.0.0/0` and `::/0`).
+    - If omitted, defaults to an empty list and incoming PROXY headers are rejected.
     - If explicitly set to an empty array, all PROXY headers are rejected.
   - **Description**: Trusted source CIDRs allowed to provide PROXY protocol headers (security control).
   - **Example**:
@@ -3297,4 +3297,3 @@ If your backend or network is very bandwidth-constrained, reduce cap first. If p
     password = "secret"
     ```
 
-

docs/FAQ.en.md

@@ -1,5 +1,4 @@
 ## How to set up a "proxy sponsor" channel and statistics via the @MTProxybot
-
 1. Go to the @MTProxybot.
 2. Enter the `/newproxy` command.
 3. Send your server's IP address and port. For example: `1.2.3.4:443`.
@@ -32,13 +31,130 @@ use_middle_proxy = true
 hello = "ad_tag"
 hello2 = "ad_tag2"
 ```
+## Recognizability for DPI and crawler
 
-## Why do you need a middle proxy (ME)
+On April 1, 2026, we became aware of a method for detecting MTProxy Fake-TLS, 
+based on the ECH extension and the ordering of cipher suites, 
+as well as an overall unique JA3/JA4 fingerprint 
+that does not occur in modern browsers: 
+we have already submitted initial changes to the Telegram Desktop developers and are working on updates for other clients.
+
+- We consider this a breakthrough aspect, which has no stable analogues today
+- Based on this: if `telemt` configured correctly, **TLS mode is completely identical to real-life handshake + communication** with a specified host
+- Here is our evidence:
+    - 212.220.88.77 - "dummy" host, running `telemt`
+    - `petrovich.ru` - `tls` + `masking` host, in HEX: `706574726f766963682e7275`
+    - **No MITM + No Fake Certificates/Crypto** = pure transparent *TCP Splice* to "best" upstream: MTProxy or tls/mask-host:
+      - DPI see legitimate HTTPS to `tls_host`, including *valid chain-of-trust* and entropy
+      - Crawlers completely satisfied receiving responses from `mask_host`
+  ### Client WITH secret-key accesses the MTProxy resource:
+  
+  <img width="360" height="439" alt="telemt" src="https://github.com/user-attachments/assets/39352afb-4a11-4ecc-9d91-9e8cfb20607d" />
+  
+  ### Client WITHOUT secret-key gets transparent access to the specified resource:
+    - with trusted certificate
+    - with original handshake
+    - with full request-response way
+    - with low-latency overhead
+```bash
+root@debian:~/telemt# curl -v -I --resolve petrovich.ru:443:212.220.88.77 https://petrovich.ru/
+* Added petrovich.ru:443:212.220.88.77 to DNS cache
+* Hostname petrovich.ru was found in DNS cache
+*   Trying 212.220.88.77:443...
+* Connected to petrovich.ru (212.220.88.77) port 443 (#0)
+* ALPN: offers h2,http/1.1
+* TLSv1.3 (OUT), TLS handshake, Client hello (1):
+*  CAfile: /etc/ssl/certs/ca-certificates.crt
+*  CApath: /etc/ssl/certs
+* TLSv1.3 (IN), TLS handshake, Server hello (2):
+* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
+* TLSv1.3 (IN), TLS handshake, Certificate (11):
+* TLSv1.3 (IN), TLS handshake, CERT verify (15):
+* TLSv1.3 (IN), TLS handshake, Finished (20):
+* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
+* TLSv1.3 (OUT), TLS handshake, Finished (20):
+* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
+* ALPN: server did not agree on a protocol. Uses default.
+* Server certificate:
+*  subject: C=RU; ST=Saint Petersburg; L=Saint Petersburg; O=STD Petrovich; CN=*.petrovich.ru
+*  start date: Jan 28 11:21:01 2025 GMT
+*  expire date: Mar  1 11:21:00 2026 GMT
+*  subjectAltName: host "petrovich.ru" matched cert's "petrovich.ru"
+*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign RSA OV SSL CA 2018
+*  SSL certificate verify ok.
+* using HTTP/1.x
+> HEAD / HTTP/1.1
+> Host: petrovich.ru
+> User-Agent: curl/7.88.1
+> Accept: */*
+> 
+* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
+* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
+* old SSL session ID is stale, removing
+< HTTP/1.1 200 OK
+HTTP/1.1 200 OK
+< Server: Variti/0.9.3a
+Server: Variti/0.9.3a
+< Date: Thu, 01 Jan 2026 00:0000 GMT
+Date: Thu, 01 Jan 2026 00:0000 GMT
+< Access-Control-Allow-Origin: *
+Access-Control-Allow-Origin: *
+< Content-Type: text/html
+Content-Type: text/html
+< Cache-Control: no-store
+Cache-Control: no-store
+< Expires: Thu, 01 Jan 2026 00:0000 GMT
+Expires: Thu, 01 Jan 2026 00:0000 GMT
+< Pragma: no-cache
+Pragma: no-cache
+< Set-Cookie: ipp_uid=XXXXX/XXXXX/XXXXX==; Expires=Tue, 31 Dec 2040 23:59:59 GMT; Domain=.petrovich.ru; Path=/
+Set-Cookie: ipp_uid=XXXXX/XXXXX/XXXXX==; Expires=Tue, 31 Dec 2040 23:59:59 GMT; Domain=.petrovich.ru; Path=/
+< Content-Type: text/html
+Content-Type: text/html
+< Content-Length: 31253
+Content-Length: 31253
+< Connection: keep-alive
+Connection: keep-alive
+< Keep-Alive: timeout=60
+Keep-Alive: timeout=60
+
+< 
+* Connection #0 to host petrovich.ru left intact
+
+```
+- We challenged ourselves, we kept trying and we didn't only *beat the air*: now, we have something to show you
+  - Do not just take our word for it? - This is great and we respect that: you can build your own `telemt` or download a build and check it right now
+
+
+## F.A.Q.
+
+### Telegram Calls via MTProxy
+- Telegram architecture **does NOT allow calls via MTProxy**, but only via SOCKS5, which cannot be obfuscated
+
+### How does DPI see MTProxy TLS?
+- DPI sees MTProxy in Fake TLS (ee) mode as TLS 1.3
+- the SNI you specify sends both the client and the server;
+- ALPN is similar to HTTP 1.1/2;
+- high entropy, which is normal for AES-encrypted traffic;
+
+### Whitelist on IP
+- MTProxy cannot work when there is: 
+  - no IP connectivity to the target host: Russian Whitelist on Mobile Networks - "Белый список"
+  - OR all TCP traffic is blocked
+  - OR high entropy/encrypted traffic is blocked: content filters at universities and critical infrastructure
+  - OR all TLS traffic is blocked
+  - OR specified port is blocked: use 443 to make it "like real"
+  - OR provided SNI is blocked: use "officially approved"/innocuous name
+- like most protocols on the Internet; 
+- these situations are observed:
+  - in China behind the Great Firewall
+  - in Russia on mobile networks, less in wired networks
+  - in Iran during "activity"
+
+### Why do you need a middle proxy (ME)
 https://github.com/telemt/telemt/discussions/167
 
-
-## How many people can use one link
-
+### How many people can use one link
 By default, an unlimited number of people can use a single link.  
 However, you can limit the number of unique IP addresses for each user:
 ```toml
@@ -47,8 +163,7 @@ hello = 1
 ```
 This parameter sets the maximum number of unique IP addresses from which a single link can be used simultaneously. If the first user disconnects, a second one can connect. At the same time, multiple users can connect from a single IP address simultaneously (for example, devices on the same Wi-Fi network).
 
-## How to create multiple different links
-
+### How to create multiple different links
 1. Generate the required number of secrets using the command: `openssl rand -hex 16`.
 2. Open the configuration file: `nano /etc/telemt/telemt.toml`.
 3. Add new users to the `[access.users]` section:
@@ -64,7 +179,7 @@ user3 = "00000000000000000000000000000003"
 curl -s http://127.0.0.1:9091/v1/users | jq
 ```
 
-## "Unknown TLS SNI" error
+### "Unknown TLS SNI" error
 Usually, this error occurs if you have changed the `tls_domain` parameter, but users continue to connect using old links with the previous domain.
 
 If you need to allow connections with any domains (ignoring SNI mismatches), add the following parameters:
@@ -73,7 +188,7 @@ If you need to allow connections with any domains (ignoring SNI mismatches), add
 unknown_sni_action = "mask"
 ```
 
-## How to view metrics
+### How to view metrics
 
 1. Open the configuration file: `nano /etc/telemt/telemt.toml`.
 2. Add the following parameters:
@@ -87,6 +202,25 @@ metrics_whitelist = ["127.0.0.1/32", "::1/128", "0.0.0.0/0"]
 > [!WARNING]
 > The value `"0.0.0.0/0"` in `metrics_whitelist` opens access to metrics from any IP address. It is recommended to replace it with your personal IP, for example: `"1.2.3.4/32"`.
 
+### Too many open files
+- On a fresh Linux install the default open file limit is low; under load `telemt` may fail with `Accept error: Too many open files`
+- **Systemd**: add `LimitNOFILE=65536` to the `[Service]` section (already included in the example above)
+- **Docker**: add `--ulimit nofile=65536:65536` to your `docker run` command, or in `docker-compose.yml`:
+```yaml
+ulimits:
+  nofile:
+    soft: 65536
+    hard: 65536
+```
+- **System-wide** (optional): add to `/etc/security/limits.conf`:
+```
+*       soft    nofile  1048576
+*       hard    nofile  1048576
+root    soft    nofile  1048576
+root    hard    nofile  1048576
+```
+
+
 ## Additional parameters
 
 ### Domain in the link instead of IP

docs/FAQ.ru.md

@@ -32,11 +32,145 @@ use_middle_proxy = true
 hello = "ad_tag"
 hello2 = "ad_tag2"
 ```
+## Распознаваемость для DPI и сканеров
+
+1 апреля 2026 года нам стало известно о методе обнаружения MTProxy Fake-TLS, основанном на расширении ECH и порядке набора шифров, 
+а также об общем уникальном отпечатке JA3/JA4, который не встречается в современных браузерах: мы уже отправили первоначальные изменения разработчикам Telegram Desktop и работаем над обновлениями для других клиентов.
+
+- Мы считаем это прорывом, которому на сегодняшний день нет стабильных аналогов;
+- Исходя из этого: если `telemt` настроен правильно, **режим TLS полностью идентичен реальному «рукопожатию» + обмену данными** с указанным хостом;
+- Вот наши доказательства:
+    - 212.220.88.77 — «фиктивный» хост, на котором запущен `telemt`;
+    - `petrovich.ru` — хост с `tls` + `masking`, в HEX: `706574726f766963682e7275`;
+    - **Без MITM + без поддельных сертификатов/шифрования** = чистое прозрачное *TCP Splice* к «лучшему» исходному серверу: MTProxy или tls/mask-host:
+      - DPI видит легитимный HTTPS к `tls_host`, включая *достоверную цепочку доверия* и энтропию;
+      - Краулеры полностью удовлетворены получением ответов от `mask_host`.
+ 
+  ### Клиент С секретным ключом получает доступ к ресурсу MTProxy:
+  
+  <img width="360" height="439" alt="telemt" src="https://github.com/user-attachments/assets/39352afb-4a11-4ecc-9d91-9e8cfb20607d" />
+  
+  ### Клиент БЕЗ секретного ключа получает прозрачный доступ к указанному ресурсу:
+    - с доверенным сертификатом;
+    - с исходным «рукопожатием»;
+    - с полным циклом запрос-ответ;
+    - с низкой задержкой.
+
+```bash
+root@debian:~/telemt# curl -v -I --resolve petrovich.ru:443:212.220.88.77 https://petrovich.ru/
+* Added petrovich.ru:443:212.220.88.77 to DNS cache
+* Hostname petrovich.ru was found in DNS cache
+*   Trying 212.220.88.77:443...
+* Connected to petrovich.ru (212.220.88.77) port 443 (#0)
+* ALPN: offers h2,http/1.1
+* TLSv1.3 (OUT), TLS handshake, Client hello (1):
+*  CAfile: /etc/ssl/certs/ca-certificates.crt
+*  CApath: /etc/ssl/certs
+* TLSv1.3 (IN), TLS handshake, Server hello (2):
+* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
+* TLSv1.3 (IN), TLS handshake, Certificate (11):
+* TLSv1.3 (IN), TLS handshake, CERT verify (15):
+* TLSv1.3 (IN), TLS handshake, Finished (20):
+* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
+* TLSv1.3 (OUT), TLS handshake, Finished (20):
+* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
+* ALPN: server did not agree on a protocol. Uses default.
+* Server certificate:
+*  subject: C=RU; ST=Saint Petersburg; L=Saint Petersburg; O=STD Petrovich; CN=*.petrovich.ru
+*  start date: Jan 28 11:21:01 2025 GMT
+*  expire date: Mar  1 11:21:00 2026 GMT
+*  subjectAltName: host "petrovich.ru" matched cert's "petrovich.ru"
+*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign RSA OV SSL CA 2018
+*  SSL certificate verify ok.
+* using HTTP/1.x
+> HEAD / HTTP/1.1
+> Host: petrovich.ru
+> User-Agent: curl/7.88.1
+> Accept: */*
+> 
+* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
+* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
+* old SSL session ID is stale, removing
+< HTTP/1.1 200 OK
+HTTP/1.1 200 OK
+< Server: Variti/0.9.3a
+Server: Variti/0.9.3a
+< Date: Thu, 01 Jan 2026 00:0000 GMT
+Date: Thu, 01 Jan 2026 00:0000 GMT
+< Access-Control-Allow-Origin: *
+Access-Control-Allow-Origin: *
+< Content-Type: text/html
+Content-Type: text/html
+< Cache-Control: no-store
+Cache-Control: no-store
+< Expires: Thu, 01 Jan 2026 00:0000 GMT
+Expires: Thu, 01 Jan 2026 00:0000 GMT
+< Pragma: no-cache
+Pragma: no-cache
+< Set-Cookie: ipp_uid=XXXXX/XXXXX/XXXXX==; Expires=Tue, 31 Dec 2040 23:59:59 GMT; Domain=.petrovich.ru; Path=/
+Set-Cookie: ipp_uid=XXXXX/XXXXX/XXXXX==; Expires=Tue, 31 Dec 2040 23:59:59 GMT; Domain=.petrovich.ru; Path=/
+< Content-Type: text/html
+Content-Type: text/html
+< Content-Length: 31253
+Content-Length: 31253
+< Connection: keep-alive
+Connection: keep-alive
+< Keep-Alive: timeout=60
+Keep-Alive: timeout=60
+
+< 
+* Connection #0 to host petrovich.ru left intact
+
+```
+- Мы поставили перед собой задачу, не сдавались и не просто «бились в пустоту»: теперь у нас есть что вам показать.
+- Не верите нам на слово? — Это прекрасно, и мы уважаем ваше решение: вы можете собрать свой собственный `telemt` или скачать готовую сборку и проверить её прямо сейчас.
+
+### Звонки в Telegram через MTProxy
+- Архитектура Telegram **НЕ поддерживает звонки через MTProxy**, а только через SOCKS5, который невозможно замаскировать
+
+### Как DPI распознает TLS-соединение MTProxy?
+- DPI распознает MTProxy в режиме Fake TLS (ee) как TLS 1.3
+- указанный вами SNI отправляется как клиентом, так и сервером;
+- ALPN аналогичен HTTP 1.1/2;
+- высокая энтропия, что нормально для трафика, зашифрованного AES;
+
+### Белый список по IP
+- MTProxy не может работать, если: 
+  - отсутствует IP-связь с целевым хостом: российский белый список в мобильных сетях — «Белый список»;
+  - ИЛИ весь TCP-трафик заблокирован;
+  - ИЛИ трафик с высокой энтропией/зашифрованный трафик заблокирован: контент-фильтры в университетах и критически важной инфраструктуре;
+  - ИЛИ весь TLS-трафик заблокирован;
+  - ИЛИ заблокирован указанный порт: используйте 443, чтобы сделать его «как настоящий»;
+  - ИЛИ заблокирован предоставленный SNI: используйте «официально одобренное»/безобидное имя;
+- как и большинство протоколов в Интернете; 
+- такие ситуации наблюдаются:
+  - в Китае за Великим файрволом;
+  - в России в мобильных сетях, реже в проводных сетях;
+  - в Иране во время «активности».
+
 
 ## Зачем нужен middle proxy (ME)
 https://github.com/telemt/telemt/discussions/167
 
 
+## Что такое dd и ee в контексте MTProxy?
+
+Это два разных режима работы прокси. Понять, какой режим используется, можно взглянув на начало секрета — там будет dd или ee, вот пример:
+tg://proxy?server=s1.dimasssss.space&port=443&secret=eebe3007e927acd147dde12bee8b1a7c9364726976652e676f6f676c652e636f6d
+
+dd — режим с мусорным трафиком, обфускацией данных, похожий на shadowsocks. У такого трафика есть заметный паттерн, который DPI умеют распознавать и впоследствии блокировать. Использовать этот режим на текущий момент не рекомендуется.
+
+ee — режим маскировки под существующий домен (FakeTLS), словно вы сёрфите в интернете через браузер. На текущий момент не попадает под блокировку.
+
+### Где эти режимы настраиваются?
+
+```toml
+В конфиге telemt.toml в разделе [general.modes]:
+classic = false # классический режим, давно стал бесполезным
+secure = false # переменная dd-режима
+tls = true # переменная ee-режима
+```
+
 ## Сколько человек может пользоваться одной ссылкой
 
 По умолчанию одной ссылкой может пользоваться неограниченное число людей.  
@@ -104,7 +238,7 @@ max_connections = 10000    # 0 - без ограничений, 10000 - по у
 ```
 
 ### Upstream Manager
-Для настройки исходящих подключений (апстримов) добавьте соответствующие параметры в секцию `[[upstreams]]` файла конфигурации:
+Для настройки исходящих подключений (Upstreams) добавьте соответствующие параметры в секцию `[[upstreams]]` файла конфигурации:
 
 #### Привязка к исходящему IP-адресу
 ```toml
@@ -119,20 +253,20 @@ interface = "192.168.1.100" # Замените на ваш исходящий IP
 - Без авторизации:
 ```toml
 [[upstreams]]
-type = "socks5"            # Specify SOCKS4 or SOCKS5
-address = "1.2.3.4:1234"   # SOCKS-server Address
-weight = 1                 # Set Weight for Scenarios
+type = "socks5"            # выбор типа SOCKS4 или SOCKS5
+address = "1.2.3.4:1234"   # адрес сервера SOCKS
+weight = 1                 # вес
 enabled = true
 ```
 
 - С авторизацией:
 ```toml
 [[upstreams]]
-type = "socks5"            # Specify SOCKS4 or SOCKS5
-address = "1.2.3.4:1234"   # SOCKS-server Address
-username = "user"          # Username for Auth on SOCKS-server
-password = "pass"          # Password for Auth on SOCKS-server
-weight = 1                 # Set Weight for Scenarios
+type = "socks5"            # выбор типа SOCKS4 или SOCKS5
+address = "1.2.3.4:1234"   # адрес сервера SOCKS
+username = "user"          # имя пользователя
+password = "pass"          # пароль
+weight = 1                 # вес
 enabled = true
 ```
 

docs/Quick_start/QUICK_START_GUIDE.en.md

@@ -1,3 +1,19 @@
+# Very quick start
+
+### One-command installation / update on re-run
+```bash
+curl -fsSL https://raw.githubusercontent.com/telemt/telemt/main/install.sh | sh
+```
+### Installing a specific version
+```bash
+curl -fsSL https://raw.githubusercontent.com/telemt/telemt/main/install.sh | sh -s -- 3.3.39
+```
+
+### Uninstall with full cleanup
+```bash
+curl -fsSL https://raw.githubusercontent.com/telemt/telemt/main/install.sh | sh -s -- purge
+```
+
 # Telemt via Systemd
 
 ## Installation
@@ -62,28 +78,60 @@ nano /etc/telemt/telemt.toml
 Insert your configuration:
 
 ```toml
+### Telemt Based Config.toml
+# We believe that these settings are sufficient for most scenarios 
+# where cutting-egde methods and parameters or special solutions are not needed
+
 # === General Settings ===
 [general]
+use_middle_proxy = true
+# Global ad_tag fallback when user has no per-user tag in [access.user_ad_tags]
 # ad_tag = "00000000000000000000000000000000"
-use_middle_proxy = false
+# Per-user ad_tag in [access.user_ad_tags] (32 hex from @MTProxybot)
+
+# === Log Level ===
+# Log level: debug | verbose | normal | silent
+# Can be overridden with --silent or --log-level CLI flags
+# RUST_LOG env var takes absolute priority over all of these
+log_level = "normal"
 
 [general.modes]
 classic = false
 secure = false
 tls = true
 
+[general.links]
+show = "*"
+# show = ["alice", "bob"] # Only show links for alice and bob
+# show = "*"              # Show links for all users
+# public_host = "proxy.example.com"  # Host (IP or domain) for tg:// links
+# public_port = 443                  # Port for tg:// links (default: server.port)
+
+# === Server Binding ===
 [server]
 port = 443
+# proxy_protocol = false           # Enable if behind HAProxy/nginx with PROXY protocol
+# metrics_port = 9090
+# metrics_listen = "0.0.0.0:9090"  # Listen address for metrics (overrides metrics_port)
+# metrics_whitelist = ["127.0.0.1", "::1", "0.0.0.0/0"]
 
 [server.api]
 enabled = true
-# listen = "127.0.0.1:9091"
-# whitelist = ["127.0.0.1/32"]
-# read_only = true
+listen = "0.0.0.0:9091"
+whitelist = ["127.0.0.0/8"]
+minimal_runtime_enabled = false
+minimal_runtime_cache_ttl_ms = 1000
+
+# Listen on multiple interfaces/IPs - IPv4
+[[server.listeners]]
+ip = "0.0.0.0"
 
 # === Anti-Censorship & Masking ===
 [censorship]
 tls_domain = "petrovich.ru"
+mask = true
+tls_emulation = true        # Fetch real cert lengths and emulate TLS records
+tls_front_dir = "tlsfront"   # Cache directory for TLS emulation
 
 [access.users]
 # format: "username" = "32_hex_chars_secret"

docs/Quick_start/QUICK_START_GUIDE.ru.md

@@ -1,4 +1,20 @@
-# Telemt через Systemd
+# Очень быстрый старт
+
+### Установка одной командой / обновление при повторном запуске
+```bash
+curl -fsSL https://raw.githubusercontent.com/telemt/telemt/main/install.sh | sh
+```
+### Установка нужной версии
+```bash
+curl -fsSL https://raw.githubusercontent.com/telemt/telemt/main/install.sh | sh -s -- 3.3.39
+```
+
+### Удаление с полной очисткой
+```bash
+curl -fsSL https://raw.githubusercontent.com/telemt/telemt/main/install.sh | sh -s -- purge
+```
+
+# Telemt через Systemd вручную
 
 ## Установка
 
@@ -62,31 +78,63 @@ nano /etc/telemt/telemt.toml
 Вставьте свою конфигурацию
 
 ```toml
-# === General Settings ===
+### Конфигурационный файл на основе Telemt
+# Мы полагаем, что этих настроек достаточно для большинства сценариев, 
+# где не требуются передовые методы, параметры или специальные решения
+
+# === Общие настройки ===
 [general]
+use_middle_proxy = true
+# Глобальный ad_tag, если у пользователя нет индивидуального тега в [access.user_ad_tags]
 # ad_tag = "00000000000000000000000000000000"
-use_middle_proxy = false
+# Индивидуальный ad_tag в [access.user_ad_tags] (32 шестнадцатеричных символа от @MTProxybot)
+
+# === Уровень логирования ===
+# Уровень логирования: debug | verbose | normal | silent
+# Можно переопределить с помощью флагов командной строки --silent или --log-level
+# Переменная окружения RUST_LOG имеет абсолютный приоритет над всеми этими настройками
+log_level = "normal"
 
 [general.modes]
 classic = false
 secure = false
 tls = true
 
+[general.links]
+show = "*"
+# show = ["alice", "bob"] # Показывать ссылки только для alice и bob
+# show = "*"              # Показывать ссылки для всех пользователей
+# public_host = "proxy.example.com"  # Хост (IP-адрес или домен) для ссылок tg://
+# public_port = 443                  # Порт для ссылок tg:// (по умолчанию: server.port)
+
+# === Привязка сервера ===
 [server]
 port = 443
+# proxy_protocol = false           # Включите, если сервер находится за HAProxy/nginx с протоколом PROXY
+# metrics_port = 9090
+# metrics_listen = "0.0.0.0:9090"  # Адрес прослушивания для метрик (переопределяет metrics_port)
+# metrics_whitelist = ["127.0.0.1", "::1", "0.0.0.0/0"]
 
 [server.api]
 enabled = true
-# listen = "127.0.0.1:9091"
-# whitelist = ["127.0.0.1/32"]
-# read_only = true
+listen = "0.0.0.0:9091"
+whitelist = ["127.0.0.0/8"]
+minimal_runtime_enabled = false
+minimal_runtime_cache_ttl_ms = 1000
 
-# === Anti-Censorship & Masking ===
+# Прослушивание на нескольких интерфейсах/IP-адресах - IPv4
+[[server.listeners]]
+ip = "0.0.0.0"
+
+# === Обход блокировок и маскировка ===
 [censorship]
 tls_domain = "petrovich.ru"
+mask = true
+tls_emulation = true        # Получить реальную длину сертификата и эмулировать запись TLS
+tls_front_dir = "tlsfront"   # Директория кэша для эмуляции TLS
 
 [access.users]
-# format: "username" = "32_hex_chars_secret"
+# формат: "имя_пользователя" = "секрет_из_32_шестнадцатеричных_символов"
 hello = "00000000000000000000000000000000"
 ```
 

docs/assets/telegram_button.svg

@@ -0,0 +1,11 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="250" height="50" viewBox="0 0 250 50">
+  <defs>
+    <style>
+      .cls-1 {
+        fill: #1d98dc;
+      }
+    </style>
+  </defs>
+  <rect id="Прямоугольник_скругл._углы_1" data-name="Прямоугольник, скругл. углы 1" class="cls-1" width="250" height="50" rx="25" ry="25"/>
+  <image id="Join_us_" data-name="Join us!" x="53" y="12" width="144" height="24" xlink:href="data:img/png;base64,iVBORw0KGgoAAAANSUhEUgAAAJAAAAAYCAYAAAAVpXQNAAAFnElEQVRoge2aS2hdRRjHf2Pro1aRW1BBpGpLUQRbNRbxsbCSSKWCD7gVFUFEko1gdykaxQeU1NdGEBpEXLjQdOPCLqSh4koXLUhXUk1a8YFQSVqlYm3tJ1/5bpl8mTn33Nxzb25q/nDbnDMzZ+Z88/+ec4KI0EFcDdwM/A183cmJlrBAUAJ16LdOREZEZJ+IfFTRHLtkNtZ0UmoiMm6zTYpI3/+ZoyprJ3vdC5ZXOEcALgT6gacAFfgNwEXAsQrn6QpEZBio21xK1F3AHYvtPapCCGHKeasZ/acKAl0KXAM8CjwNrAMucX3+6fYLL6HjaItAy4DVwHrgceARYIW16YNPAZfbtdJ2arHtZwhhp7mtuq1/qAeW1XNolUCrzDXdbRZng2vfB3wFPAncaPdOAN8vRuGEELb2wDJ6GmUItMJigAeAe4H7jEgxfgXeM/I8B6yN2v5YrARaQnMUEUgD4NuALcDtwK2Zfp8BO4DfgXfNncX4DfhhaS/OC0yZMTmHC9xbqbXZBIwAHwNjwLMZ8hwCtgFPACeB3QnyKL6zX9chIoMiMipzoWn5cFEZIJG2Dif6zCorRPfrIrLXjR9tp+zgU+iCfoOu72CmX5/JYNr1n7b75coWVl9ZLSLPi8gnIvKziJxOCD3GByKy0cZuFpEjmX6nROQVEbmim3UgE87+Ju/QwBxi0AaBEmuMMT1fErnntEWgjFJ5pMZNxvJo1IE+BO4Crk+k3x4HgLeAzy04fsbcVi3TXyvQh4G/WpTXvGGas7+F8SrMs1lXBXOPAkmNN9SsnjTQ7lzzha0xqTQt4mwary5sI3BTE/IoAd4GHgM+tesXgPcLyKM4CkwC/3ZJOLqWcXdbXetAMFgC4MmiJOqvYAm6MRNacIzm2+769C9UVdvkExNcY5qtIYIVS3PKNONvLLfM6jrgYWCz/X2lVZC1nvMN8CrwpdV0VpqgXkrEUB4/WgZ2pjIpFGPQBXljIYRZ9ZsQggphu4jo/6NR06Btfjs4EEIYcPPtNLcVb1y/WfNuo+YUXuWz2633QMHa5hBICXAcOAi8AdwDPAS8Duyxe1usvqPkucqE/nIJ8ih+MivULdSjeWYS2h8LaqcTVBUWKKe5Y+66yGp3Ep4Ag+2eJ6bS+G/t56Ex0ptuk4pw2txXV2DmOXYNE2ZtijARjampazENnC9yFsxX4heEQCoPERmLrKGSZ9LuTXhrVAZlrAgWH420QB7Fn2bZugW/KWWIUOnG5ghbgsjdxPYE0ZVQ440UvpW1lCWQuq5bWnzJoxlL1g4WyvSfN1AyW5w2lFGgUSuBpFxbrAhnx7ZigVqFEuhIxYKf9VL6iUF06bW8DNm8kBbLoW/bihRC0AB6rWVdPlbss3KDx1b7bCc0rFhZAq10p+uvAe/Y3zkcatLeKnyMM8tFmZuISVRUj2kgDpxnHCF7DfG7FQW+LQXFGvNZQrHKJxUWVxZiPgTaZtnZiBUSU1bmZAfSVO+bUwFfnO3UrGiWhPn6vszYXkRM7r5U3SpRLpjTnotxTAG9TJvXq0oeITwoIr+IyDYRWebaNojIFyJyJipzHxeRO9s4shi244jGtS+9T6e0wwTkz3bGY2HruMzz1iSeFaP0WVhGzqWOIgrG+zVr9lSP2uvuqGHOUUb0TnvjsdbWnzj+qWXWMG3zlSbQehHZJCIXZ9p1U3aIyDGbQD9/vKzCM6+sUBKCrjcZm0JSm12/hSaQX08O4+5+ikBlMOrm93JVEpV2YQetEn0y067m70Uzn3vsfOxEq0IqiSENAHNdrZYxkKqaJjBlxxztVqA7DovPmn0VmUrR54PdIYRsETZCrYoT8vi3UkTuF5Fr23zOcEJDCj+/SMHGeI0Uu1dY7+g1CxQ9R12Nt9DnXFKz03gbn5Jv4zOObEXeudG6iPAfDgYBtHqBCrAAAAAASUVORK5CYII="/>
+</svg>

install.sh

@@ -21,47 +21,212 @@ PORT_PROVIDED=0
 SECRET_PROVIDED=0
 AD_TAG_PROVIDED=0
 DOMAIN_PROVIDED=0
+LANG_PROVIDED=0
 
 ACTION="install"
 TARGET_VERSION="${VERSION:-latest}"
+LANG_CHOICE="en"
+
+set_language() {
+    case "$1" in
+        ru)
+            L_ERR_DOMAIN_REQ="требует аргумент (домен)."
+            L_ERR_PORT_REQ="требует аргумент (порт)."
+            L_ERR_PORT_NUM="Порт должен быть числом."
+            L_ERR_PORT_RANGE="Порт должен быть от 1 до 65535."
+            L_ERR_SECRET_REQ="требует аргумент (секрет)."
+            L_ERR_SECRET_HEX="Секрет должен содержать только HEX символы."
+            L_ERR_SECRET_LEN="Секрет должен состоять ровно из 32 символов."
+            L_ERR_ADTAG_REQ="требует аргумент (ad_tag)."
+            L_ERR_UNKNOWN_OPT="Неизвестная опция:"
+            L_WARN_EXTRA_ARG="Игнорируется лишний аргумент:"
+            L_ERR_REQ_ARG="требует аргумент (1, 2, en или ru)."
+            L_ERR_EMPTY_VAR="не может быть пустым."
+            L_ERR_INV_VER="Недопустимые символы в версии."
+            L_ERR_INV_BIN="Недопустимые символы в BIN_NAME."
+            L_ERR_ROOT="Для работы скрипта требуются права root или sudo."
+            L_ERR_SUDO_TTY="sudo требует пароль, но терминал (TTY) не обнаружен."
+            L_ERR_DIR_CHECK="Ошибка: конфиг является директорией."
+            L_ERR_CMD_NOT_FOUND="Необходимая команда не найдена:"
+            L_ERR_NO_DL_TOOL="Не установлен curl или wget."
+            L_ERR_NO_CP_TOOL="Необходима утилита cp или install."
+            L_WARN_NO_NET_TOOL="Утилиты сети не найдены. Проверка порта пропущена."
+            L_INFO_PORT_IGNORE="Порт занят текущим процессом телеметрии. Игнорируем."
+            L_ERR_PORT_IN_USE="Порт уже занят другим процессом:"
+            L_ERR_PORT_FREE="Освободите порт или укажите другой и попробуйте снова."
+            L_ERR_UNSUP_ARCH="Неподдерживаемая архитектура:"
+            L_ERR_CREATE_GRP="Не удалось создать группу"
+            L_ERR_CREATE_USR="Не удалось создать пользователя"
+            L_ERR_MKDIR="Не удалось создать директории"
+            L_ERR_INSTALL_DIR="не является директорией."
+            L_ERR_BIN_INSTALL="Не удалось установить бинарный файл"
+            L_ERR_BIN_COPY="Не удалось скопировать бинарный файл"
+            L_ERR_BIN_EXEC="Бинарный файл не исполняемый."
+            L_ERR_GEN_SEC="Не удалось сгенерировать секрет."
+            L_INFO_CONF_EXISTS="Конфиг уже существует. Обновление параметров..."
+            L_INFO_UPD_PORT="Обновлен порт:"
+            L_INFO_UPD_SEC="Обновлен секрет для пользователя 'hello'"
+            L_INFO_UPD_DOM="Обновлен tls_domain:"
+            L_INFO_UPD_TAG="Обновлен ad_tag"
+            L_ERR_CONF_INST="Не удалось установить конфиг"
+            L_INFO_CONF_OK="Конфиг успешно создан."
+            L_INFO_CONF_SEC="Настроен секрет для пользователя 'hello':"
+            L_WARN_SVC_FAIL="Не удалось запустить службу"
+            L_INFO_MANUAL_START="Менеджер служб не найден. Запустите вручную:"
+            L_INFO_UNINST_START="Начинается удаление"
+            L_U_STAGE_1=">>> Этап 1: Остановка служб"
+            L_U_STAGE_2=">>> Этап 2: Удаление конфигурации службы"
+            L_U_STAGE_3=">>> Этап 3: Завершение процессов пользователя"
+            L_U_STAGE_4=">>> Этап 4: Удаление бинарного файла"
+            L_U_STAGE_5=">>> Этап 5: Полная очистка (конфиг, данные, пользователь)"
+            L_INFO_KEEP_CONF="Примечание: Конфигурация сохранена. Используйте 'purge' для очистки."
+            L_INFO_I_START="Начинается установка"
+            L_I_STAGE_1=">>> Этап 1: Проверка окружения и зависимостей"
+            L_I_STAGE_1_5=">>> Этап 1.5: Интерактивная настройка"
+            L_I_PROMPT_DOM="\nПожалуйста, укажите домен TLS\nНажмите Enter, чтобы оставить по умолчанию [%s]: "
+            L_WARN_NO_TTY="Интерактивный режим недоступен (нет TTY). Используется:"
+            L_I_STAGE_2=">>> Этап 2: Загрузка архива"
+            L_ERR_TMP_DIR="Не удалось создать временную директорию"
+            L_ERR_TMP_INV="Временная директория недействительна"
+            L_INFO_FALLBACK="Сборка x86_64-v3 не найдена, откат к стандартной x86_64..."
+            L_ERR_DL_FAIL="Ошибка загрузки архива"
+            L_I_STAGE_3=">>> Этап 3: Распаковка архива"
+            L_ERR_EXTRACT="Ошибка распаковки архива."
+            L_ERR_BIN_NOT_FOUND="Бинарный файл не найден в архиве"
+            L_I_STAGE_4=">>> Этап 4: Настройка окружения (Юзер, Группа, Папки)"
+            L_I_STAGE_5=">>> Этап 5: Установка бинарного файла"
+            L_I_STAGE_6=">>> Этап 6: Генерация/Обновление конфигурации"
+            L_I_STAGE_7=">>> Этап 7: Установка и запуск службы"
+            L_OUT_WARN_H="УСТАНОВКА ЗАВЕРШЕНА С ПРЕДУПРЕЖДЕНИЯМИ"
+            L_OUT_WARN_D="Служба установлена, но не запустилась.\nПожалуйста, проверьте логи.\n"
+            L_OUT_SUCC_H="УСТАНОВКА УСПЕШНО ЗАВЕРШЕНА"
+            L_OUT_UNINST_H="УДАЛЕНИЕ ЗАВЕРШЕНО"
+            L_OUT_LINK="Ваша ссылка для подключения к Telegram Proxy:\n"
+            ;;
+        *)
+            L_ERR_DOMAIN_REQ="requires a domain argument."
+            L_ERR_PORT_REQ="requires a port argument."
+            L_ERR_PORT_NUM="Port must be a valid number."
+            L_ERR_PORT_RANGE="Port must be between 1 and 65535."
+            L_ERR_SECRET_REQ="requires a secret argument."
+            L_ERR_SECRET_HEX="Secret must contain only hex characters."
+            L_ERR_SECRET_LEN="Secret must be exactly 32 chars."
+            L_ERR_ADTAG_REQ="requires an ad_tag argument."
+            L_ERR_UNKNOWN_OPT="Unknown option:"
+            L_WARN_EXTRA_ARG="Ignoring extra argument:"
+            L_ERR_REQ_ARG="requires an argument (1, 2, en, ru)."
+            L_ERR_EMPTY_VAR="cannot be empty."
+            L_ERR_INV_VER="Invalid characters in version."
+            L_ERR_INV_BIN="Invalid characters in BIN_NAME."
+            L_ERR_ROOT="This script requires root or sudo."
+            L_ERR_SUDO_TTY="sudo requires a password, but no TTY detected."
+            L_ERR_DIR_CHECK="Safety check failed: Config is a directory."
+            L_ERR_CMD_NOT_FOUND="Required command not found:"
+            L_ERR_NO_DL_TOOL="Neither curl nor wget is installed."
+            L_ERR_NO_CP_TOOL="Need cp or install."
+            L_WARN_NO_NET_TOOL="Network tools not found. Skipping port check."
+            L_INFO_PORT_IGNORE="Port is in use by telemt. Ignoring as it will be restarted."
+            L_ERR_PORT_IN_USE="Port is already in use by another process:"
+            L_ERR_PORT_FREE="Please free the port or change it and try again."
+            L_ERR_UNSUP_ARCH="Unsupported architecture:"
+            L_ERR_CREATE_GRP="Cannot create group"
+            L_ERR_CREATE_USR="Cannot create user"
+            L_ERR_MKDIR="Failed to create directories"
+            L_ERR_INSTALL_DIR="is not a directory."
+            L_ERR_BIN_INSTALL="Failed to install binary"
+            L_ERR_BIN_COPY="Failed to copy binary"
+            L_ERR_BIN_EXEC="Binary not executable."
+            L_ERR_GEN_SEC="Failed to generate secret."
+            L_INFO_CONF_EXISTS="Config already exists. Updating parameters..."
+            L_INFO_UPD_PORT="Updated port:"
+            L_INFO_UPD_SEC="Updated secret for user 'hello'"
+            L_INFO_UPD_DOM="Updated tls_domain:"
+            L_INFO_UPD_TAG="Updated ad_tag"
+            L_ERR_CONF_INST="Failed to install config"
+            L_INFO_CONF_OK="Config created successfully."
+            L_INFO_CONF_SEC="Configured secret for user 'hello':"
+            L_WARN_SVC_FAIL="Failed to start service"
+            L_INFO_MANUAL_START="Service manager not found. Start manually:"
+            L_INFO_UNINST_START="Starting uninstallation of"
+            L_U_STAGE_1=">>> Stage 1: Stopping services"
+            L_U_STAGE_2=">>> Stage 2: Removing service configuration"
+            L_U_STAGE_3=">>> Stage 3: Terminating user processes"
+            L_U_STAGE_4=">>> Stage 4: Removing binary"
+            L_U_STAGE_5=">>> Stage 5: Purging configuration, data, and user"
+            L_INFO_KEEP_CONF="Note: Configuration kept. Run with 'purge' to remove completely."
+            L_INFO_I_START="Starting installation of"
+            L_I_STAGE_1=">>> Stage 1: Verifying environment and dependencies"
+            L_I_STAGE_1_5=">>> Stage 1.5: Interactive Setup"
+            L_I_PROMPT_DOM="\nPlease specify the TLS Domain\nPress Enter to keep default [%s]: "
+            L_WARN_NO_TTY="Interactive mode unavailable (no TTY). Using:"
+            L_I_STAGE_2=">>> Stage 2: Downloading archive"
+            L_ERR_TMP_DIR="Temp directory creation failed"
+            L_ERR_TMP_INV="Temp directory is invalid or was not created"
+            L_INFO_FALLBACK="x86_64-v3 build not found, falling back to standard x86_64..."
+            L_ERR_DL_FAIL="Download failed"
+            L_I_STAGE_3=">>> Stage 3: Extracting archive"
+            L_ERR_EXTRACT="Extraction failed."
+            L_ERR_BIN_NOT_FOUND="Binary not found in archive"
+            L_I_STAGE_4=">>> Stage 4: Setting up environment (User, Group, Directories)"
+            L_I_STAGE_5=">>> Stage 5: Installing binary"
+            L_I_STAGE_6=">>> Stage 6: Generating/Updating configuration"
+            L_I_STAGE_7=">>> Stage 7: Installing and starting service"
+            L_OUT_WARN_H="INSTALLATION COMPLETED WITH WARNINGS"
+            L_OUT_WARN_D="The service was installed but failed to start.\nPlease check the logs to determine the issue.\n"
+            L_OUT_SUCC_H="INSTALLATION SUCCESS"
+            L_OUT_UNINST_H="UNINSTALLATION COMPLETE"
+            L_OUT_LINK="Your Telegram Proxy connection link:\n"
+            ;;
+    esac
+}
+
+set_language "$LANG_CHOICE"
 
 while [ $# -gt 0 ]; do
     case "$1" in
         -h|--help) ACTION="help"; shift ;;
+        -l|--lang)
+            if [ "$#" -lt 2 ] || [ -z "$2" ]; then
+                printf '[ERROR] %s %s\n' "$1" "$L_ERR_REQ_ARG" >&2; exit 1
+            fi
+            case "$2" in
+                ru|2) LANG_CHOICE="ru"; set_language "$LANG_CHOICE"; LANG_PROVIDED=1 ;;
+                en|1) LANG_CHOICE="en"; set_language "$LANG_CHOICE"; LANG_PROVIDED=1 ;;
+                *) printf '[ERROR] %s %s\n' "$1" "$L_ERR_REQ_ARG" >&2; exit 1 ;;
+            esac
+            shift 2 ;;
         -d|--domain)
             if [ "$#" -lt 2 ] || [ -z "$2" ]; then
-                printf '[ERROR] %s requires a domain argument.\n' "$1" >&2
-                exit 1
+                printf '[ERROR] %s %s\n' "$1" "$L_ERR_DOMAIN_REQ" >&2; exit 1
             fi
             TLS_DOMAIN="$2"; DOMAIN_PROVIDED=1; shift 2 ;;
         -p|--port)
             if [ "$#" -lt 2 ] || [ -z "$2" ]; then
-                printf '[ERROR] %s requires a port argument.\n' "$1" >&2; exit 1
+                printf '[ERROR] %s %s\n' "$1" "$L_ERR_PORT_REQ" >&2; exit 1
             fi
             case "$2" in
-                *[!0-9]*) printf '[ERROR] Port must be a valid number.\n' >&2; exit 1 ;;
+                *[!0-9]*) printf '[ERROR] %s\n' "$L_ERR_PORT_NUM" >&2; exit 1 ;;
             esac
             port_num="$(printf '%s\n' "$2" | sed 's/^0*//')"
             [ -z "$port_num" ] && port_num="0"
             if [ "${#port_num}" -gt 5 ] || [ "$port_num" -lt 1 ] || [ "$port_num" -gt 65535 ]; then
-                printf '[ERROR] Port must be between 1 and 65535.\n' >&2; exit 1
+                printf '[ERROR] %s\n' "$L_ERR_PORT_RANGE" >&2; exit 1
             fi
             SERVER_PORT="$port_num"; PORT_PROVIDED=1; shift 2 ;;
         -s|--secret)
             if [ "$#" -lt 2 ] || [ -z "$2" ]; then
-                printf '[ERROR] %s requires a secret argument.\n' "$1" >&2; exit 1
+                printf '[ERROR] %s %s\n' "$1" "$L_ERR_SECRET_REQ" >&2; exit 1
             fi
             case "$2" in
-                *[!0-9a-fA-F]*)
-                    printf '[ERROR] Secret must contain only hex characters.\n' >&2; exit 1 ;;
+                *[!0-9a-fA-F]*) printf '[ERROR] %s\n' "$L_ERR_SECRET_HEX" >&2; exit 1 ;;
             esac
             if [ "${#2}" -ne 32 ]; then
-                printf '[ERROR] Secret must be exactly 32 chars.\n' >&2; exit 1
+                printf '[ERROR] %s\n' "$L_ERR_SECRET_LEN" >&2; exit 1
             fi
             USER_SECRET="$2"; SECRET_PROVIDED=1; shift 2 ;;
         -a|--ad-tag|--ad_tag)
             if [ "$#" -lt 2 ] || [ -z "$2" ]; then
-                printf '[ERROR] %s requires an ad_tag argument.\n' "$1" >&2; exit 1
+                printf '[ERROR] %s %s\n' "$1" "$L_ERR_ADTAG_REQ" >&2; exit 1
             fi
             AD_TAG="$2"; AD_TAG_PROVIDED=1; shift 2 ;;
         uninstall|--uninstall)
@@ -69,14 +234,31 @@ while [ $# -gt 0 ]; do
             shift ;;
         purge|--purge) ACTION="purge"; shift ;;
         install|--install) ACTION="install"; shift ;;
-        -*) printf '[ERROR] Unknown option: %s\n' "$1" >&2; exit 1 ;;
+        -*) printf '[ERROR] %s %s\n' "$L_ERR_UNKNOWN_OPT" "$1" >&2; exit 1 ;;
         *)
             if [ "$ACTION" = "install" ]; then TARGET_VERSION="$1"
-            else printf '[WARNING] Ignoring extra argument: %s\n' "$1" >&2; fi
+            else printf '[WARNING] %s %s\n' "$L_WARN_EXTRA_ARG" "$1" >&2; fi
             shift ;;
     esac
 done
 
+if [ "$ACTION" != "help" ] && [ "$LANG_PROVIDED" -eq 0 ]; then
+    if [ -t 0 ] || [ -c /dev/tty ]; then
+        printf "\nSelect language / Выберите язык:\n"
+        printf "  1) English (default)\n"
+        printf "  2) Русский\n"
+        printf "Your choice / Ваш выбор [1/2]: "
+        read -r input_lang </dev/tty || input_lang=""
+        case "$input_lang" in
+            2) LANG_CHOICE="ru" ;;
+            *) LANG_CHOICE="en" ;;
+        esac
+    else
+        LANG_CHOICE="en"
+    fi
+    set_language "$LANG_CHOICE"
+fi
+
 say() {
     if [ "$#" -eq 0 ] || [ -z "${1:-}" ]; then
         printf '\n'
@@ -96,17 +278,33 @@ cleanup() {
 trap cleanup EXIT INT TERM
 
 show_help() {
-    say "Usage: $0 [ <version> | install | uninstall | purge ] [ options ]"
-    say "  <version>    Install specific version (e.g. 3.3.15, default: latest)"
-    say "  install      Install the latest version"
-    say "  uninstall    Remove the binary and service"
-    say "  purge        Remove everything including configuration, data, and user"
-    say ""
-    say "Options:"
-    say "  -d, --domain Set TLS domain (default: petrovich.ru)"
-    say "  -p, --port   Set server port (default: 443)"
-    say "  -s, --secret Set specific user secret (32 hex characters)"
-    say "  -a, --ad-tag Set ad_tag"
+    if [ "$LANG_CHOICE" = "ru" ]; then
+        say "Использование: $0 [ <версия> | install | uninstall | purge ] [ опции ]"
+        say "  <версия>     Установить конкретную версию (например, 3.3.15, по умолчанию: latest)"
+        say "  install      Установить последнюю версию"
+        say "  uninstall    Удалить бинарный файл и службу"
+        say "  purge        Полностью удалить вместе с конфигурацией, данными и пользователем"
+        say ""
+        say "Опции:"
+        say "  -d, --domain Указать домен TLS (по умолчанию: petrovich.ru)"
+        say "  -p, --port   Указать порт сервера (по умолчанию: 443)"
+        say "  -s, --secret Указать секрет пользователя (32 hex символа)"
+        say "  -a, --ad-tag Указать ad_tag"
+        say "  -l, --lang   Выбрать язык вывода (1/en или 2/ru)"
+    else
+        say "Usage: $0 [ <version> | install | uninstall | purge ] [ options ]"
+        say "  <version>    Install specific version (e.g. 3.3.15, default: latest)"
+        say "  install      Install the latest version"
+        say "  uninstall    Remove the binary and service"
+        say "  purge        Remove everything including configuration, data, and user"
+        say ""
+        say "Options:"
+        say "  -d, --domain Set TLS domain (default: petrovich.ru)"
+        say "  -p, --port   Set server port (default: 443)"
+        say "  -s, --secret Set specific user secret (32 hex characters)"
+        say "  -a, --ad-tag Set ad_tag"
+        say "  -l, --lang   Set output language (1/en or 2/ru)"
+    fi
     exit 0
 }
 
@@ -171,17 +369,13 @@ is_config_exists() {
 }
 
 verify_common() {
-    [ -n "$BIN_NAME" ] || die "BIN_NAME cannot be empty."
-    [ -n "$INSTALL_DIR" ] || die "INSTALL_DIR cannot be empty."
-    [ -n "$CONFIG_DIR" ] || die "CONFIG_DIR cannot be empty."
-    [ -n "$CONFIG_FILE" ] || die "CONFIG_FILE cannot be empty."
+    [ -n "$BIN_NAME" ] || die "BIN_NAME $L_ERR_EMPTY_VAR"
+    [ -n "$INSTALL_DIR" ] || die "INSTALL_DIR $L_ERR_EMPTY_VAR"
+    [ -n "$CONFIG_DIR" ] || die "CONFIG_DIR $L_ERR_EMPTY_VAR"
+    [ -n "$CONFIG_FILE" ] || die "CONFIG_FILE $L_ERR_EMPTY_VAR"
 
-    case "${INSTALL_DIR}${CONFIG_DIR}${WORK_DIR}${CONFIG_FILE}" in
-        *[!a-zA-Z0-9_./-]*) die "Invalid characters in paths." ;;
-    esac
-
-    case "$TARGET_VERSION" in *[!a-zA-Z0-9_.-]*) die "Invalid characters in version." ;; esac
-    case "$BIN_NAME" in *[!a-zA-Z0-9_-]*) die "Invalid characters in BIN_NAME." ;; esac
+    case "$TARGET_VERSION" in *[!a-zA-Z0-9_.-]*) die "$L_ERR_INV_VER" ;; esac
+    case "$BIN_NAME" in *[!a-zA-Z0-9_-]*) die "$L_ERR_INV_BIN" ;; esac
 
     INSTALL_DIR="$(get_realpath "$INSTALL_DIR")"
     CONFIG_DIR="$(get_realpath "$CONFIG_DIR")"
@@ -195,42 +389,42 @@ verify_common() {
     if [ "$(id -u)" -eq 0 ]; then
         SUDO=""
     else
-        command -v sudo >/dev/null 2>&1 || die "This script requires root or sudo."
+        command -v sudo >/dev/null 2>&1 || die "$L_ERR_ROOT"
         SUDO="sudo"
         if ! sudo -n true 2>/dev/null; then
             if ! [ -t 0 ]; then
-                die "sudo requires a password, but no TTY detected."
+                die "$L_ERR_SUDO_TTY"
             fi
         fi
     fi
 
     if [ -n "$SUDO" ]; then
         if $SUDO sh -c '[ -d "$1" ]' _ "$CONFIG_FILE"; then
-            die "Safety check failed: CONFIG_FILE '$CONFIG_FILE' is a directory."
+            die "$L_ERR_DIR_CHECK"
         fi
     elif [ -d "$CONFIG_FILE" ]; then
-        die "Safety check failed: CONFIG_FILE '$CONFIG_FILE' is a directory."
+        die "$L_ERR_DIR_CHECK"
     fi
 
     for cmd in id uname awk grep find rm chown chmod mv mktemp mkdir tr dd sed ps head sleep cat tar gzip; do
-        command -v "$cmd" >/dev/null 2>&1 || die "Required command not found: $cmd"
+        command -v "$cmd" >/dev/null 2>&1 || die "$L_ERR_CMD_NOT_FOUND $cmd"
     done
 }
 
 verify_install_deps() {
-    command -v curl >/dev/null 2>&1 || command -v wget >/dev/null 2>&1 || die "Neither curl nor wget is installed."
-    command -v cp >/dev/null 2>&1 || command -v install >/dev/null 2>&1 || die "Need cp or install"
+    command -v curl >/dev/null 2>&1 || command -v wget >/dev/null 2>&1 || die "$L_ERR_NO_DL_TOOL"
+    command -v cp >/dev/null 2>&1 || command -v install >/dev/null 2>&1 || die "$L_ERR_NO_CP_TOOL"
 
-    if ! command -v setcap >/dev/null 2>&1 || ! command -v conntrack >/dev/null 2>&1; then
+    if ! command -v setcap >/dev/null 2>&1; then
         if command -v apk >/dev/null 2>&1; then
-            $SUDO apk add --no-cache libcap-utils libcap conntrack-tools >/dev/null 2>&1 || true
+            $SUDO apk add --no-cache libcap-utils libcap >/dev/null 2>&1 || true
         elif command -v apt-get >/dev/null 2>&1; then
-            $SUDO env DEBIAN_FRONTEND=noninteractive apt-get install -y -q libcap2-bin conntrack >/dev/null 2>&1 || {
+            $SUDO env DEBIAN_FRONTEND=noninteractive apt-get install -y -q libcap2-bin >/dev/null 2>&1 || {
                 $SUDO env DEBIAN_FRONTEND=noninteractive apt-get update -q >/dev/null 2>&1 || true
-                $SUDO env DEBIAN_FRONTEND=noninteractive apt-get install -y -q libcap2-bin conntrack >/dev/null 2>&1 || true
+                $SUDO env DEBIAN_FRONTEND=noninteractive apt-get install -y -q libcap2-bin >/dev/null 2>&1 || true
             }
-        elif command -v dnf >/dev/null 2>&1; then $SUDO dnf install -y -q libcap conntrack-tools >/dev/null 2>&1 || true
-        elif command -v yum >/dev/null 2>&1; then $SUDO yum install -y -q libcap conntrack-tools >/dev/null 2>&1 || true
+        elif command -v dnf >/dev/null 2>&1; then $SUDO dnf install -y -q libcap >/dev/null 2>&1 || true
+        elif command -v yum >/dev/null 2>&1; then $SUDO yum install -y -q libcap >/dev/null 2>&1 || true
         fi
     fi
 }
@@ -245,17 +439,17 @@ check_port_availability() {
     elif command -v lsof >/dev/null 2>&1; then
         port_info=$($SUDO lsof -i :${SERVER_PORT} 2>/dev/null | grep LISTEN || true)
     else
-        say "[WARNING] Network diagnostic tools (ss, netstat, lsof) not found. Skipping port check."
+        say "[WARNING] $L_WARN_NO_NET_TOOL"
         return 0
     fi
 
     if [ -n "$port_info" ]; then
         if printf '%s\n' "$port_info" | grep -q "${BIN_NAME}"; then
-            say "  -> Port ${SERVER_PORT} is in use by ${BIN_NAME}. Ignoring as it will be restarted."
+            say "  -> $L_INFO_PORT_IGNORE"
         else
-            say "[ERROR] Port ${SERVER_PORT} is already in use by another process:"
+            say "[ERROR] $L_ERR_PORT_IN_USE $SERVER_PORT:"
             printf '  %s\n' "$port_info"
-            die "Please free the port ${SERVER_PORT} or change it and try again."
+            die "$L_ERR_PORT_FREE"
         fi
     fi
 }
@@ -271,7 +465,7 @@ detect_arch() {
             fi
             ;;
         aarch64|arm64) echo "aarch64" ;;
-        *) die "Unsupported architecture: $sys_arch" ;;
+        *) die "$L_ERR_UNSUP_ARCH $sys_arch" ;;
     esac
 }
 
@@ -295,7 +489,7 @@ ensure_user_group() {
     if ! check_os_entity group telemt; then
         if command -v groupadd >/dev/null 2>&1; then $SUDO groupadd -r telemt
         elif command -v addgroup >/dev/null 2>&1; then $SUDO addgroup -S telemt
-        else die "Cannot create group"; fi
+        else die "$L_ERR_CREATE_GRP" ; fi
     fi
 
     if ! check_os_entity passwd telemt; then
@@ -307,12 +501,12 @@ ensure_user_group() {
             else
                 $SUDO adduser --system --home "$WORK_DIR" --shell "$nologin_bin" --no-create-home --ingroup telemt --disabled-password telemt
             fi
-        else die "Cannot create user"; fi
+        else die "$L_ERR_CREATE_USR"; fi
     fi
 }
 
 setup_dirs() {
-    $SUDO mkdir -p "$WORK_DIR" "$CONFIG_DIR" "$CONFIG_PARENT_DIR" || die "Failed to create directories"
+    $SUDO mkdir -p "$WORK_DIR" "$CONFIG_DIR" "$CONFIG_PARENT_DIR" || die "$L_ERR_MKDIR"
 
     $SUDO chown telemt:telemt "$WORK_DIR" && $SUDO chmod 750 "$WORK_DIR"
     $SUDO chown telemt:telemt "$CONFIG_DIR" && $SUDO chmod 750 "$CONFIG_DIR"
@@ -334,20 +528,20 @@ stop_service() {
 install_binary() {
     bin_src="$1"; bin_dst="$2"
     if [ -e "$INSTALL_DIR" ] && [ ! -d "$INSTALL_DIR" ]; then
-        die "'$INSTALL_DIR' is not a directory."
+        die "'$INSTALL_DIR' $L_ERR_INSTALL_DIR"
     fi
 
-    $SUDO mkdir -p "$INSTALL_DIR" || die "Failed to create install directory"
+    $SUDO mkdir -p "$INSTALL_DIR" || die "$L_ERR_MKDIR"
     
     $SUDO rm -f "$bin_dst" 2>/dev/null || true
 
     if command -v install >/dev/null 2>&1; then
-        $SUDO install -m 0755 "$bin_src" "$bin_dst" || die "Failed to install binary"
+        $SUDO install -m 0755 "$bin_src" "$bin_dst" || die "$L_ERR_BIN_INSTALL"
     else
-        $SUDO cp "$bin_src" "$bin_dst" && $SUDO chmod 0755 "$bin_dst" || die "Failed to copy binary"
+        $SUDO cp "$bin_src" "$bin_dst" && $SUDO chmod 0755 "$bin_dst" || die "$L_ERR_BIN_COPY"
     fi
 
-    $SUDO sh -c '[ -x "$1" ]' _ "$bin_dst" || die "Binary not executable: $bin_dst"
+    $SUDO sh -c '[ -x "$1" ]' _ "$bin_dst" || die "$L_ERR_BIN_EXEC $bin_dst"
 
     if command -v setcap >/dev/null 2>&1; then
         $SUDO setcap cap_net_bind_service,cap_net_admin=+ep "$bin_dst" 2>/dev/null || true
@@ -404,40 +598,32 @@ EOF
 
 install_config() {
     if is_config_exists; then
-        say "  -> Config already exists at $CONFIG_FILE. Updating parameters..."
+        say "  -> $L_INFO_CONF_EXISTS"
 
         tmp_conf="${TEMP_DIR}/config.tmp"
         $SUDO cat "$CONFIG_FILE" > "$tmp_conf"
         
         escaped_domain="$(printf '%s\n' "$TLS_DOMAIN" | tr -d '[:cntrl:]' | sed 's/\\/\\\\/g; s/"/\\"/g')"
 
-        export AWK_PORT="$SERVER_PORT"
-        export AWK_SECRET="$USER_SECRET"
-        export AWK_DOMAIN="$escaped_domain"
-        export AWK_AD_TAG="$AD_TAG"
-        export AWK_FLAG_P="$PORT_PROVIDED"
-        export AWK_FLAG_S="$SECRET_PROVIDED"
-        export AWK_FLAG_D="$DOMAIN_PROVIDED"
-        export AWK_FLAG_A="$AD_TAG_PROVIDED"
-
-        awk '
+        awk -v port="$SERVER_PORT" -v secret="$USER_SECRET" -v domain="$escaped_domain" -v ad_tag="$AD_TAG" \
+            -v flag_p="$PORT_PROVIDED" -v flag_s="$SECRET_PROVIDED" -v flag_d="$DOMAIN_PROVIDED" -v flag_a="$AD_TAG_PROVIDED" '
         BEGIN { ad_tag_handled = 0 }
         
-        ENVIRON["AWK_FLAG_P"] == "1" && /^[ \t]*port[ \t]*=/ { print "port = " ENVIRON["AWK_PORT"]; next }
-        ENVIRON["AWK_FLAG_S"] == "1" && /^[ \t]*hello[ \t]*=/ { print "hello = \"" ENVIRON["AWK_SECRET"] "\""; next }
-        ENVIRON["AWK_FLAG_D"] == "1" && /^[ \t]*tls_domain[ \t]*=/ { print "tls_domain = \"" ENVIRON["AWK_DOMAIN"] "\""; next }
+        flag_p == "1" && /^[ \t]*port[ \t]*=/ { print "port = " port; next }
+        flag_s == "1" && /^[ \t]*hello[ \t]*=/ { print "hello = \"" secret "\""; next }
+        flag_d == "1" && /^[ \t]*tls_domain[ \t]*=/ { print "tls_domain = \"" domain "\""; next }
         
-        ENVIRON["AWK_FLAG_A"] == "1" && /^[ \t]*ad_tag[ \t]*=/ { 
+        flag_a == "1" && /^[ \t]*ad_tag[ \t]*=/ { 
             if (!ad_tag_handled) { 
-                print "ad_tag = \"" ENVIRON["AWK_AD_TAG"] "\""; 
+                print "ad_tag = \"" ad_tag "\""; 
                 ad_tag_handled = 1; 
             } 
             next 
         }
-        ENVIRON["AWK_FLAG_A"] == "1" && /^\[general\]/ { 
+        flag_a == "1" && /^\[general\]/ { 
             print; 
             if (!ad_tag_handled) { 
-                print "ad_tag = \"" ENVIRON["AWK_AD_TAG"] "\""; 
+                print "ad_tag = \"" ad_tag "\""; 
                 ad_tag_handled = 1; 
             } 
             next 
@@ -446,10 +632,10 @@ install_config() {
         { print }
         ' "$tmp_conf" > "${tmp_conf}.new" && mv "${tmp_conf}.new" "$tmp_conf"
 
-        [ "$PORT_PROVIDED" -eq 1 ] && say "  -> Updated port: $SERVER_PORT"
-        [ "$SECRET_PROVIDED" -eq 1 ] && say "  -> Updated secret for user 'hello'"
-        [ "$DOMAIN_PROVIDED" -eq 1 ] && say "  -> Updated tls_domain: $TLS_DOMAIN"
-        [ "$AD_TAG_PROVIDED" -eq 1 ] && say "  -> Updated ad_tag"
+        [ "$PORT_PROVIDED" -eq 1 ] && say "  -> $L_INFO_UPD_PORT $SERVER_PORT"
+        [ "$SECRET_PROVIDED" -eq 1 ] && say "  -> $L_INFO_UPD_SEC"
+        [ "$DOMAIN_PROVIDED" -eq 1 ] && say "  -> $L_INFO_UPD_DOM $TLS_DOMAIN"
+        [ "$AD_TAG_PROVIDED" -eq 1 ] && say "  -> $L_INFO_UPD_TAG"
 
         write_root "$CONFIG_FILE" < "$tmp_conf"
         rm -f "$tmp_conf"
@@ -457,14 +643,14 @@ install_config() {
     fi
 
     if [ -z "$USER_SECRET" ]; then
-        USER_SECRET="$(generate_secret)" || die "Failed to generate secret."
+        USER_SECRET="$(generate_secret)" || die "$L_ERR_GEN_SEC"
     fi
 
-    generate_config_content "$USER_SECRET" "$AD_TAG" | write_root "$CONFIG_FILE" || die "Failed to install config"
+    generate_config_content "$USER_SECRET" "$AD_TAG" | write_root "$CONFIG_FILE" || die "$L_ERR_CONF_INST"
     $SUDO chown root:telemt "$CONFIG_FILE" && $SUDO chmod 640 "$CONFIG_FILE"
 
-    say "  -> Config created successfully."
-    say "  -> Configured secret for user 'hello': $USER_SECRET"
+    say "  -> $L_INFO_CONF_OK"
+    say "  -> $L_INFO_CONF_SEC $USER_SECRET"
 }
 
 generate_systemd_content() {
@@ -517,7 +703,7 @@ install_service() {
         $SUDO systemctl enable "$SERVICE_NAME" || true
 
         if ! $SUDO systemctl start "$SERVICE_NAME"; then
-            say "[WARNING] Failed to start service"
+            say "[WARNING] $L_WARN_SVC_FAIL"
             SERVICE_START_FAILED=1
         fi
     elif [ "$svc" = "openrc" ]; then
@@ -527,15 +713,15 @@ install_service() {
         $SUDO rc-update add "$SERVICE_NAME" default 2>/dev/null || true
 
         if ! $SUDO rc-service "$SERVICE_NAME" start 2>/dev/null; then
-            say "[WARNING] Failed to start service"
+            say "[WARNING] $L_WARN_SVC_FAIL"
             SERVICE_START_FAILED=1
         fi
     else
         cmd="\"${INSTALL_DIR}/${BIN_NAME}\" \"${CONFIG_FILE}\""
         if [ -n "$SUDO" ]; then
-            say "  -> Service manager not found. Start manually: sudo -u telemt $cmd"
+            say "  -> $L_INFO_MANUAL_START sudo -u telemt $cmd"
         else
-            say "  -> Service manager not found. Start manually: su -s /bin/sh telemt -c '$cmd'"
+            say "  -> $L_INFO_MANUAL_START su -s /bin/sh telemt -c '$cmd'"
         fi
     fi
 }
@@ -566,12 +752,12 @@ kill_user_procs() {
 }
 
 uninstall() {
-    say "Starting uninstallation of $BIN_NAME..."
+    say "$L_INFO_UNINST_START $BIN_NAME..."
 
-    say ">>> Stage 1: Stopping services"
+    say "$L_U_STAGE_1"
     stop_service
 
-    say ">>> Stage 2: Removing service configuration"
+    say "$L_U_STAGE_2"
     svc="$(get_svc_mgr)"
     if [ "$svc" = "systemd" ]; then
         $SUDO systemctl disable "$SERVICE_NAME" 2>/dev/null || true
@@ -582,28 +768,30 @@ uninstall() {
         $SUDO rm -f "/etc/init.d/${SERVICE_NAME}"
     fi
 
-    say ">>> Stage 3: Terminating user processes"
+    say "$L_U_STAGE_3"
     kill_user_procs
 
-    say ">>> Stage 4: Removing binary"
+    say "$L_U_STAGE_4"
     $SUDO rm -f "${INSTALL_DIR}/${BIN_NAME}"
 
     if [ "$ACTION" = "purge" ]; then
-        say ">>> Stage 5: Purging configuration, data, and user"
+        say "$L_U_STAGE_5"
         $SUDO rm -rf "$CONFIG_DIR" "$WORK_DIR"
         $SUDO rm -f "$CONFIG_FILE"
-        sleep 1 
-        $SUDO userdel telemt 2>/dev/null || $SUDO deluser telemt 2>/dev/null || true
+        
+        if check_os_entity passwd telemt; then
+            $SUDO userdel telemt 2>/dev/null || $SUDO deluser telemt 2>/dev/null || true
+        fi
         
         if check_os_entity group telemt; then
             $SUDO groupdel telemt 2>/dev/null || $SUDO delgroup telemt 2>/dev/null || true
         fi
     else
-        say "Note: Configuration and user kept. Run with 'purge' to remove completely."
+        say "$L_INFO_KEEP_CONF"
     fi
 
     printf '\n====================================================================\n'
-    printf '                    UNINSTALLATION COMPLETE\n'
+    printf '                    %s\n' "$L_OUT_UNINST_H"
     printf '====================================================================\n\n'
     exit 0
 }
@@ -612,21 +800,45 @@ case "$ACTION" in
     help) show_help ;;
     uninstall|purge) verify_common; uninstall ;;
     install)
-        say "Starting installation of $BIN_NAME (Version: $TARGET_VERSION)"
+        say "$L_INFO_I_START $BIN_NAME (Version: $TARGET_VERSION)"
 
-        say ">>> Stage 1: Verifying environment and dependencies"
+        say "$L_I_STAGE_1"
         verify_common
         verify_install_deps
 
-        if is_config_exists && [ "$PORT_PROVIDED" -eq 0 ]; then
+        if is_config_exists; then
             ext_port="$($SUDO awk -F'=' '/^[ \t]*port[ \t]*=/ {gsub(/[^0-9]/, "", $2); print $2; exit}' "$CONFIG_FILE" 2>/dev/null || true)"
-            if [ -n "$ext_port" ]; then
+            if [ -n "$ext_port" ] && [ "$PORT_PROVIDED" -eq 0 ]; then
                 SERVER_PORT="$ext_port"
             fi
+
+            ext_secret="$($SUDO awk -F'"' '/^[ \t]*hello[ \t]*=/ {print $2; exit}' "$CONFIG_FILE" 2>/dev/null || true)"
+            if [ -n "$ext_secret" ] && [ "$SECRET_PROVIDED" -eq 0 ]; then
+                USER_SECRET="$ext_secret"
+            fi
+
+            ext_domain="$($SUDO awk -F'"' '/^[ \t]*tls_domain[ \t]*=/ {print $2; exit}' "$CONFIG_FILE" 2>/dev/null || true)"
+            if [ -n "$ext_domain" ] && [ "$DOMAIN_PROVIDED" -eq 0 ]; then
+                TLS_DOMAIN="$ext_domain"
+            fi
         fi
 
         check_port_availability
 
+        if [ "$DOMAIN_PROVIDED" -eq 0 ]; then
+            say "$L_I_STAGE_1_5"
+            if [ -t 0 ] || [ -c /dev/tty ]; then
+                printf "$L_I_PROMPT_DOM" "$TLS_DOMAIN"
+                read -r input_domain </dev/tty || input_domain=""
+                if [ -n "$input_domain" ]; then
+                    TLS_DOMAIN="$input_domain"
+                fi
+            else
+                say "[WARNING] $L_WARN_NO_TTY $TLS_DOMAIN"
+            fi
+            DOMAIN_PROVIDED=1
+        fi
+
         if [ "$TARGET_VERSION" != "latest" ]; then
             TARGET_VERSION="${TARGET_VERSION#v}"
         fi
@@ -640,15 +852,15 @@ case "$ACTION" in
             DL_URL="https://github.com/${REPO}/releases/download/${TARGET_VERSION}/${FILE_NAME}"
         fi
 
-        say ">>> Stage 2: Downloading archive"
-        TEMP_DIR="$(mktemp -d)" || die "Temp directory creation failed"
+        say "$L_I_STAGE_2"
+        TEMP_DIR="$(mktemp -d)" || die "$L_ERR_TMP_DIR"
         if [ -z "$TEMP_DIR" ] || [ ! -d "$TEMP_DIR" ]; then
-            die "Temp directory is invalid or was not created"
+            die "$L_ERR_TMP_INV"
         fi
 
         if ! fetch_file "$DL_URL" "${TEMP_DIR}/${FILE_NAME}"; then
             if [ "$ARCH" = "x86_64-v3" ]; then
-                say "  -> x86_64-v3 build not found, falling back to standard x86_64..."
+                say "  -> $L_INFO_FALLBACK"
                 ARCH="x86_64"
                 FILE_NAME="${BIN_NAME}-${ARCH}-linux-${LIBC}.tar.gz"
                 if [ "$TARGET_VERSION" = "latest" ]; then
@@ -656,64 +868,58 @@ case "$ACTION" in
                 else
                     DL_URL="https://github.com/${REPO}/releases/download/${TARGET_VERSION}/${FILE_NAME}"
                 fi
-                fetch_file "$DL_URL" "${TEMP_DIR}/${FILE_NAME}" || die "Download failed"
+                fetch_file "$DL_URL" "${TEMP_DIR}/${FILE_NAME}" || die "$L_ERR_DL_FAIL"
             else
-                die "Download failed"
+                die "$L_ERR_DL_FAIL"
             fi
         fi
 
-        say ">>> Stage 3: Extracting archive"
+        say "$L_I_STAGE_3"
         if ! gzip -dc "${TEMP_DIR}/${FILE_NAME}" | tar -xf - -C "$TEMP_DIR" 2>/dev/null; then
-            die "Extraction failed (downloaded archive might be invalid or 404)."
+            die "$L_ERR_EXTRACT"
         fi
 
         EXTRACTED_BIN="$(find "$TEMP_DIR" -type f -name "$BIN_NAME" -print 2>/dev/null | head -n 1 || true)"
-        [ -n "$EXTRACTED_BIN" ] || die "Binary '$BIN_NAME' not found in archive"
+        [ -n "$EXTRACTED_BIN" ] || die "$L_ERR_BIN_NOT_FOUND"
 
-        say ">>> Stage 4: Setting up environment (User, Group, Directories)"
+        say "$L_I_STAGE_4"
         ensure_user_group; setup_dirs; stop_service
 
-        say ">>> Stage 5: Installing binary"
+        say "$L_I_STAGE_5"
         install_binary "$EXTRACTED_BIN" "${INSTALL_DIR}/${BIN_NAME}"
 
-        say ">>> Stage 6: Generating/Updating configuration"
+        say "$L_I_STAGE_6"
         install_config
 
-        say ">>> Stage 7: Installing and starting service"
+        say "$L_I_STAGE_7"
         install_service
 
         if [ "${SERVICE_START_FAILED:-0}" -eq 1 ]; then
             printf '\n====================================================================\n'
-            printf '               INSTALLATION COMPLETED WITH WARNINGS\n'
+            printf '               %s\n' "$L_OUT_WARN_H"
             printf '====================================================================\n\n'
-            printf 'The service was installed but failed to start automatically.\n'
-            printf 'Please check the logs to determine the issue.\n\n'
+            printf '%b' "$L_OUT_WARN_D"
         else
             printf '\n====================================================================\n'
-            printf '                      INSTALLATION SUCCESS\n'
+            printf '                      %s\n' "$L_OUT_SUCC_H"
             printf '====================================================================\n\n'
         fi
 
-        svc="$(get_svc_mgr)"
-        if [ "$svc" = "systemd" ]; then
-            printf 'To check the status of your proxy service, run:\n'
-            printf '  systemctl status %s\n\n' "$SERVICE_NAME"
-        elif [ "$svc" = "openrc" ]; then
-            printf 'To check the status of your proxy service, run:\n'
-            printf '  rc-service %s status\n\n' "$SERVICE_NAME"
-        fi
+        SERVER_IP=""
+        if command -v curl >/dev/null 2>&1; then SERVER_IP="$(curl -s4 -m 3 ifconfig.me 2>/dev/null || curl -s4 -m 3 api.ipify.org 2>/dev/null || true)"
+        elif command -v wget >/dev/null 2>&1; then SERVER_IP="$(wget -qO- -T 3 ifconfig.me 2>/dev/null || wget -qO- -T 3 api.ipify.org 2>/dev/null || true)"; fi
+        [ -z "$SERVER_IP" ] && SERVER_IP="<YOUR_SERVER_IP>"
+        
+        if command -v xxd >/dev/null 2>&1; then HEX_DOMAIN="$(printf '%s' "$TLS_DOMAIN" | xxd -p | tr -d '\n')"
+        elif command -v hexdump >/dev/null 2>&1; then HEX_DOMAIN="$(printf '%s' "$TLS_DOMAIN" | hexdump -v -e '/1 "%02x"')"
+        elif command -v od >/dev/null 2>&1; then HEX_DOMAIN="$(printf '%s' "$TLS_DOMAIN" | od -A n -t x1 | tr -d ' \n')"
+        else HEX_DOMAIN=""; fi
 
-        API_LISTEN="$($SUDO awk -F'"' '/^[ \t]*listen[ \t]*=/ {print $2; exit}' "$CONFIG_FILE" 2>/dev/null || true)"
-        API_LISTEN="${API_LISTEN:-127.0.0.1:9091}"
+        CLIENT_SECRET="ee${USER_SECRET}${HEX_DOMAIN}"
 
-        printf 'To get your user connection links (for Telegram), run:\n'
-        if command -v jq >/dev/null 2>&1; then
-            printf '  curl -s http://%s/v1/users | jq -r '\''.data[]? | "User: \\(.username)\\n\\(.links.tls[0] // empty)\\n"'\''\n' "$API_LISTEN"
-        else
-            printf '  curl -s http://%s/v1/users\n' "$API_LISTEN"
-            printf '  (Tip: Install '\''jq'\'' for a much cleaner output)\n'
-        fi
+        printf '%b\n' "$L_OUT_LINK"
+        printf '  tg://proxy?server=%s&port=%s&secret=%s\n\n' "$SERVER_IP" "$SERVER_PORT" "$CLIENT_SECRET"
 
-        printf '\n====================================================================\n'
+        printf '====================================================================\n'
         ;;
 esac

src/config/defaults.rs

@@ -210,7 +210,7 @@ pub(crate) fn default_proxy_protocol_header_timeout_ms() -> u64 {
 }
 
 pub(crate) fn default_proxy_protocol_trusted_cidrs() -> Vec<IpNetwork> {
-    vec!["0.0.0.0/0".parse().unwrap(), "::/0".parse().unwrap()]
+    Vec::new()
 }
 
 pub(crate) fn default_server_max_connections() -> u32 {

src/config/load.rs

@@ -47,12 +47,18 @@ pub(crate) struct UserAuthEntry {
 
 impl UserAuthSnapshot {
     fn from_users(users: &HashMap<String, String>) -> Result<Self> {
+        // Keep runtime user ids stable across reloads so overload scans and
+        // sticky hints do not depend on HashMap iteration order.
+        let mut sorted_users: Vec<_> = users.iter().collect();
+        sorted_users
+            .sort_unstable_by(|(left, _), (right, _)| left.as_bytes().cmp(right.as_bytes()));
+
         let mut entries = Vec::with_capacity(users.len());
         let mut by_name = HashMap::with_capacity(users.len());
         let mut sni_index = HashMap::with_capacity(users.len());
         let mut sni_initial_index = HashMap::with_capacity(users.len());
 
-        for (user, secret_hex) in users {
+        for (user, secret_hex) in sorted_users {
             let decoded = hex::decode(secret_hex).map_err(|_| ProxyError::InvalidSecret {
                 user: user.clone(),
                 reason: "Must be 32 hex characters".to_string(),
@@ -1734,10 +1740,7 @@ mod tests {
             "#,
         )
         .unwrap();
-        assert_eq!(
-            cfg_missing.server.proxy_protocol_trusted_cidrs,
-            default_proxy_protocol_trusted_cidrs()
-        );
+        assert!(cfg_missing.server.proxy_protocol_trusted_cidrs.is_empty());
 
         let cfg_explicit_empty: ProxyConfig = toml::from_str(
             r#"
@@ -1758,6 +1761,46 @@ mod tests {
         );
     }
 
+    #[test]
+    fn runtime_user_auth_snapshot_order_is_stable_across_hashmap_insertion_orders() {
+        let mut left_users = HashMap::new();
+        left_users.insert(
+            "beta".to_string(),
+            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb".to_string(),
+        );
+        left_users.insert(
+            "alpha".to_string(),
+            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa".to_string(),
+        );
+
+        let mut right_users = HashMap::new();
+        right_users.insert(
+            "alpha".to_string(),
+            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa".to_string(),
+        );
+        right_users.insert(
+            "beta".to_string(),
+            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb".to_string(),
+        );
+
+        let left_snapshot = UserAuthSnapshot::from_users(&left_users).unwrap();
+        let right_snapshot = UserAuthSnapshot::from_users(&right_users).unwrap();
+
+        let left_names: Vec<_> = left_snapshot
+            .entries()
+            .iter()
+            .map(|entry| entry.user.as_str())
+            .collect();
+        let right_names: Vec<_> = right_snapshot
+            .entries()
+            .iter()
+            .map(|entry| entry.user.as_str())
+            .collect();
+
+        assert_eq!(left_names, ["alpha", "beta"]);
+        assert_eq!(left_names, right_names);
+    }
+
     #[test]
     fn unknown_sni_action_parses_and_defaults_to_drop() {
         let cfg_default: ProxyConfig = toml::from_str(

src/config/types.rs

@@ -1363,9 +1363,8 @@ pub struct ServerConfig {
 
     /// Trusted source CIDRs allowed to send incoming PROXY protocol headers.
     ///
-    /// If this field is omitted in config, it defaults to trust-all CIDRs
-    /// (`0.0.0.0/0` and `::/0`). If it is explicitly set to an empty list,
-    /// all PROXY protocol headers are rejected.
+    /// If this field is omitted in config, it defaults to an empty list and
+    /// all PROXY protocol headers are rejected until trusted CIDRs are set.
     #[serde(default = "default_proxy_protocol_trusted_cidrs")]
     pub proxy_protocol_trusted_cidrs: Vec<IpNetwork>,
 

src/proxy/handshake.rs

@@ -55,6 +55,7 @@ const STICKY_HINT_MAX_ENTRIES: usize = 65_536;
 const CANDIDATE_HINT_TRACK_CAP: usize = 64;
 const OVERLOAD_CANDIDATE_BUDGET_HINTED: usize = 16;
 const OVERLOAD_CANDIDATE_BUDGET_UNHINTED: usize = 8;
+const OVERLOAD_FULL_SCAN_USER_THRESHOLD: usize = CANDIDATE_HINT_TRACK_CAP;
 const RECENT_USER_RING_SCAN_LIMIT: usize = 32;
 
 type HmacSha256 = Hmac<Sha256>;
@@ -242,6 +243,9 @@ fn budget_for_validation(total_users: usize, overload: bool, has_hint: bool) ->
     if !overload {
         return total_users;
     }
+    if total_users <= OVERLOAD_FULL_SCAN_USER_THRESHOLD {
+        return total_users;
+    }
     let cap = if has_hint {
         OVERLOAD_CANDIDATE_BUDGET_HINTED
     } else {
@@ -250,6 +254,28 @@ fn budget_for_validation(total_users: usize, overload: bool, has_hint: bool) ->
     total_users.min(cap.max(1))
 }
 
+// Rotate partial overload scans across larger snapshots so one truncated
+// validation window does not permanently starve the same cold users.
+fn candidate_scan_start_offset_in(
+    shared: &ProxySharedState,
+    peer_ip: IpAddr,
+    total_users: usize,
+    candidate_budget: usize,
+) -> usize {
+    if total_users == 0 || candidate_budget >= total_users {
+        return 0;
+    }
+
+    let seq = shared
+        .handshake
+        .auth_candidate_scan_seq
+        .fetch_add(1, Ordering::Relaxed);
+    let mut hasher = shared.handshake.auth_probe_eviction_hasher.build_hasher();
+    peer_ip.hash(&mut hasher);
+    seq.hash(&mut hasher);
+    hasher.finish() as usize % total_users
+}
+
 fn parse_tls_auth_material(
     handshake: &[u8],
     ignore_time_skew: bool,
@@ -1312,7 +1338,14 @@ where
         }
 
         if !matched && !budget_exhausted {
-            for idx in 0..snapshot.entries().len() {
+            let fallback_start = candidate_scan_start_offset_in(
+                shared,
+                peer.ip(),
+                snapshot.entries().len(),
+                candidate_budget,
+            );
+            for offset in 0..snapshot.entries().len() {
+                let idx = (fallback_start + offset) % snapshot.entries().len();
                 let Some(user_id) = u32::try_from(idx).ok() else {
                     break;
                 };
@@ -1679,7 +1712,14 @@ where
         }
 
         if !matched && !budget_exhausted {
-            for idx in 0..snapshot.entries().len() {
+            let fallback_start = candidate_scan_start_offset_in(
+                shared,
+                peer.ip(),
+                snapshot.entries().len(),
+                candidate_budget,
+            );
+            for offset in 0..snapshot.entries().len() {
+                let idx = (fallback_start + offset) % snapshot.entries().len();
                 let Some(user_id) = u32::try_from(idx).ok() else {
                     break;
                 };

src/proxy/masking.rs

@@ -506,6 +506,40 @@ fn is_mask_target_local_listener_with_interfaces(
     local_addr: SocketAddr,
     resolved_override: Option<SocketAddr>,
     interface_ips: &[IpAddr],
+) -> bool {
+    let resolved_candidates = resolved_override
+        .as_ref()
+        .map(std::slice::from_ref)
+        .unwrap_or(&[]);
+    is_mask_target_local_listener_candidates_with_interfaces(
+        mask_host,
+        mask_port,
+        local_addr,
+        resolved_candidates,
+        interface_ips,
+    )
+}
+
+fn mask_ip_targets_local_listener(
+    mask_ip: IpAddr,
+    local_ip: IpAddr,
+    interface_ips: &[IpAddr],
+) -> bool {
+    let mask_ip = canonical_ip(mask_ip);
+    if mask_ip == local_ip {
+        return true;
+    }
+
+    local_ip.is_unspecified()
+        && (mask_ip.is_loopback() || mask_ip.is_unspecified() || interface_ips.contains(&mask_ip))
+}
+
+fn is_mask_target_local_listener_candidates_with_interfaces(
+    mask_host: &str,
+    mask_port: u16,
+    local_addr: SocketAddr,
+    resolved_candidates: &[SocketAddr],
+    interface_ips: &[IpAddr],
 ) -> bool {
     if mask_port != local_addr.port() {
         return false;
@@ -514,31 +548,14 @@ fn is_mask_target_local_listener_with_interfaces(
     let local_ip = canonical_ip(local_addr.ip());
     let literal_mask_ip = parse_mask_host_ip_literal(mask_host).map(canonical_ip);
 
-    if let Some(addr) = resolved_override {
-        let resolved_ip = canonical_ip(addr.ip());
-        if resolved_ip == local_ip {
-            return true;
-        }
-
-        if local_ip.is_unspecified()
-            && (resolved_ip.is_loopback()
-                || resolved_ip.is_unspecified()
-                || interface_ips.contains(&resolved_ip))
-        {
+    for addr in resolved_candidates {
+        if mask_ip_targets_local_listener(addr.ip(), local_ip, interface_ips) {
             return true;
         }
     }
 
     if let Some(mask_ip) = literal_mask_ip {
-        if mask_ip == local_ip {
-            return true;
-        }
-
-        if local_ip.is_unspecified()
-            && (mask_ip.is_loopback()
-                || mask_ip.is_unspecified()
-                || interface_ips.contains(&mask_ip))
-        {
+        if mask_ip_targets_local_listener(mask_ip, local_ip, interface_ips) {
             return true;
         }
     }
@@ -572,21 +589,67 @@ async fn is_mask_target_local_listener_async(
     mask_port: u16,
     local_addr: SocketAddr,
     resolved_override: Option<SocketAddr>,
+) -> bool {
+    let resolved_candidates = resolved_override
+        .as_ref()
+        .map(std::slice::from_ref)
+        .unwrap_or(&[]);
+    is_mask_target_local_listener_candidates_async(
+        mask_host,
+        mask_port,
+        local_addr,
+        resolved_candidates,
+    )
+    .await
+}
+
+async fn is_mask_target_local_listener_candidates_async(
+    mask_host: &str,
+    mask_port: u16,
+    local_addr: SocketAddr,
+    resolved_candidates: &[SocketAddr],
 ) -> bool {
     if mask_port != local_addr.port() {
         return false;
     }
 
     let interfaces = local_interface_ips_async().await;
-    is_mask_target_local_listener_with_interfaces(
+    is_mask_target_local_listener_candidates_with_interfaces(
         mask_host,
         mask_port,
         local_addr,
-        resolved_override,
+        resolved_candidates,
         &interfaces,
     )
 }
 
+// Resolve hostnames through the same OS DNS path `TcpStream::connect` uses so
+// self-target rejection also catches loopback and local-interface hostnames.
+async fn resolve_mask_target_candidates(
+    mask_host: &str,
+    mask_port: u16,
+    resolved_override: Option<SocketAddr>,
+) -> Vec<SocketAddr> {
+    if let Some(addr) = resolved_override {
+        return vec![addr];
+    }
+
+    if parse_mask_host_ip_literal(mask_host).is_some() {
+        return Vec::new();
+    }
+
+    let mut resolved = Vec::new();
+    if let Ok(addrs) = tokio::net::lookup_host((mask_host, mask_port)).await {
+        for addr in addrs {
+            if !resolved.contains(&addr) {
+                resolved.push(addr);
+            }
+        }
+    }
+
+    resolved
+}
+
 fn masking_beobachten_ttl(config: &ProxyConfig) -> Duration {
     let minutes = config.general.beobachten_minutes;
     let clamped = minutes.clamp(1, 24 * 60);
@@ -731,8 +794,15 @@ pub async fn handle_bad_client<R, W>(
     // Self-referential masking can create recursive proxy loops under
     // misconfiguration and leak distinguishable load spikes to adversaries.
     let resolved_mask_addr = resolve_socket_addr(mask_host, mask_port);
-    if is_mask_target_local_listener_async(mask_host, mask_port, local_addr, resolved_mask_addr)
-        .await
+    let resolved_mask_candidates =
+        resolve_mask_target_candidates(mask_host, mask_port, resolved_mask_addr).await;
+    if is_mask_target_local_listener_candidates_async(
+        mask_host,
+        mask_port,
+        local_addr,
+        &resolved_mask_candidates,
+    )
+    .await
     {
         let outcome_started = Instant::now();
         debug!(

src/proxy/shared_state.rs

@@ -48,6 +48,7 @@ pub(crate) struct HandshakeSharedState {
     pub(crate) sticky_user_by_sni_hash: DashMap<u64, u32>,
     pub(crate) recent_user_ring: Box<[AtomicU32]>,
     pub(crate) recent_user_ring_seq: AtomicU64,
+    pub(crate) auth_candidate_scan_seq: AtomicU64,
     pub(crate) auth_expensive_checks_total: AtomicU64,
     pub(crate) auth_budget_exhausted_total: AtomicU64,
 }
@@ -86,6 +87,7 @@ impl ProxySharedState {
                     .collect::<Vec<_>>()
                     .into_boxed_slice(),
                 recent_user_ring_seq: AtomicU64::new(0),
+                auth_candidate_scan_seq: AtomicU64::new(0),
                 auth_expensive_checks_total: AtomicU64::new(0),
                 auth_budget_exhausted_total: AtomicU64::new(0),
             },

src/proxy/tests/handshake_security_tests.rs

@@ -1146,9 +1146,9 @@ async fn tls_overload_budget_limits_candidate_scan_depth() {
     let mut config = ProxyConfig::default();
     config.access.users.clear();
     config.access.ignore_time_skew = true;
-    for idx in 0..32u8 {
+    for idx in 0..96u8 {
         config.access.users.insert(
-            format!("user-{idx}"),
+            format!("user-{idx:02}"),
             format!("{:032x}", u128::from(idx) + 1),
         );
     }
@@ -1203,6 +1203,64 @@ async fn tls_overload_budget_limits_candidate_scan_depth() {
     );
 }
 
+#[tokio::test]
+async fn tls_overload_full_scans_small_runtime_snapshot_to_preserve_cold_user_auth() {
+    let mut config = ProxyConfig::default();
+    config.access.users.clear();
+    config.access.ignore_time_skew = true;
+    for idx in 0..32u8 {
+        config.access.users.insert(
+            format!("user-{idx:02}"),
+            format!("{:032x}", u128::from(idx) + 1),
+        );
+    }
+    config.rebuild_runtime_user_auth().unwrap();
+
+    let replay_checker = ReplayChecker::new(128, Duration::from_secs(60));
+    let rng = SecureRandom::new();
+    let shared = ProxySharedState::new();
+    let now = Instant::now();
+    {
+        let mut saturation = shared.handshake.auth_probe_saturation.lock().unwrap();
+        *saturation = Some(AuthProbeSaturationState {
+            fail_streak: AUTH_PROBE_BACKOFF_START_FAILS,
+            blocked_until: now + Duration::from_millis(200),
+            last_seen: now,
+        });
+    }
+
+    let peer: SocketAddr = "198.51.100.214:44326".parse().unwrap();
+    let mut secret = [0u8; 16];
+    secret[15] = 32;
+    let handshake = make_valid_tls_handshake(&secret, 0);
+
+    let result = handle_tls_handshake_with_shared(
+        &handshake,
+        tokio::io::empty(),
+        tokio::io::sink(),
+        peer,
+        &config,
+        &replay_checker,
+        &rng,
+        None,
+        shared.as_ref(),
+    )
+    .await;
+
+    assert!(
+        matches!(result, HandshakeResult::Success(_)),
+        "overload mode must still authenticate valid cold users when runtime snapshot stays small"
+    );
+    assert_eq!(
+        shared
+            .handshake
+            .auth_expensive_checks_total
+            .load(Ordering::Relaxed),
+        32,
+        "small saturated snapshots must remain fully scannable"
+    );
+}
+
 #[tokio::test]
 async fn mtproto_runtime_snapshot_prefers_preferred_user_hint() {
     let mut config = ProxyConfig::default();
@@ -1255,6 +1313,66 @@ async fn mtproto_runtime_snapshot_prefers_preferred_user_hint() {
     );
 }
 
+#[tokio::test]
+async fn mtproto_overload_full_scans_small_runtime_snapshot_to_preserve_cold_user_auth() {
+    let mut config = ProxyConfig::default();
+    config.general.modes.secure = true;
+    config.access.users.clear();
+    config.access.ignore_time_skew = true;
+    for idx in 0..32u8 {
+        config.access.users.insert(
+            format!("user-{idx:02}"),
+            format!("{:032x}", u128::from(idx) + 1),
+        );
+    }
+    config.rebuild_runtime_user_auth().unwrap();
+
+    let shared = ProxySharedState::new();
+    let now = Instant::now();
+    {
+        let mut saturation = shared.handshake.auth_probe_saturation.lock().unwrap();
+        *saturation = Some(AuthProbeSaturationState {
+            fail_streak: AUTH_PROBE_BACKOFF_START_FAILS,
+            blocked_until: now + Duration::from_millis(200),
+            last_seen: now,
+        });
+    }
+
+    let replay_checker = ReplayChecker::new(128, Duration::from_secs(60));
+    let handshake = make_valid_mtproto_handshake(
+        "00000000000000000000000000000020",
+        ProtoTag::Secure,
+        2,
+    );
+    let peer: SocketAddr = "198.51.100.215:44326".parse().unwrap();
+
+    let result = handle_mtproto_handshake_with_shared(
+        &handshake,
+        tokio::io::empty(),
+        tokio::io::sink(),
+        peer,
+        &config,
+        &replay_checker,
+        false,
+        None,
+        shared.as_ref(),
+    )
+    .await;
+
+    assert!(
+        matches!(result, HandshakeResult::Success(_)),
+        "overload mode must still authenticate valid direct MTProto users when runtime snapshot stays small"
+    );
+    assert_eq!(
+        shared
+            .handshake
+            .auth_expensive_checks_total
+            .load(Ordering::Relaxed),
+        32,
+        "small saturated MTProto snapshots must remain fully scannable"
+    );
+}
+
 #[tokio::test]
 async fn alpn_enforce_rejects_unsupported_client_alpn() {
     let secret = [0x33u8; 16];

src/proxy/tests/masking_self_target_loop_security_tests.rs

@@ -88,6 +88,45 @@ async fn self_target_fallback_refuses_recursive_loopback_connect() {
     );
 }
 
+#[tokio::test]
+async fn self_target_fallback_refuses_recursive_hostname_connect() {
+    let listener = TcpListener::bind("127.0.0.1:0").await.unwrap();
+    let local_addr = listener.local_addr().unwrap();
+    let accept_task = tokio::spawn(async move {
+        timeout(Duration::from_millis(120), listener.accept())
+            .await
+            .is_ok()
+    });
+
+    let mut config = ProxyConfig::default();
+    config.general.beobachten = false;
+    config.censorship.mask = true;
+    config.censorship.mask_unix_sock = None;
+    config.censorship.mask_host = Some("localhost".to_string());
+    config.censorship.mask_port = local_addr.port();
+    config.censorship.mask_proxy_protocol = 0;
+
+    let peer: SocketAddr = "203.0.113.99:55099".parse().unwrap();
+    let beobachten = BeobachtenStore::new();
+
+    handle_bad_client(
+        tokio::io::empty(),
+        tokio::io::sink(),
+        b"GET /",
+        peer,
+        local_addr,
+        &config,
+        &beobachten,
+    )
+    .await;
+
+    let accepted = accept_task.await.unwrap();
+    assert!(
+        !accepted,
+        "hostname self-target masking must fail closed without connecting to local listener"
+    );
+}
+
 #[tokio::test]
 async fn same_ip_different_port_still_forwards_to_mask_backend() {
     let listener = TcpListener::bind("127.0.0.1:0").await.unwrap();