diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml new file mode 100644 index 0000000..347df8d --- /dev/null +++ b/.github/workflows/rust.yml @@ -0,0 +1,41 @@ +name: Rust + +on: + push: + branches: [ main ] + pull_request: + branches: [ main ] + +env: + CARGO_TERM_COLOR: always + +jobs: + build-and-test: + name: Build & Test + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Install latest stable Rust toolchain + uses: dtolnay/rust-toolchain@stable + with: + components: rustfmt, clippy + + - name: Cache cargo registry & build artifacts + uses: actions/cache@v4 + with: + path: | + ~/.cargo/registry + ~/.cargo/git + target + key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }} + restore-keys: | + ${{ runner.os }}-cargo- + + - name: Build Release + run: cargo build --release --verbose + + - name: Check for unused dependencies + run: cargo udeps || true diff --git a/README.md b/README.md index 674a80c..3537f94 100644 --- a/README.md +++ b/README.md @@ -8,6 +8,10 @@ - [Build](#build) - [How to use?](#how-to-use) - [Systemd Method](#telemt-via-systemd) +- [FAQ](#faq) + - [Telegram Calls](#telegram-calls-via-mtproxy) + - [DPI](#how-does-dpi-see-mtproxy-tls) + - [Whitelist on Network Level](#whitelist-on-ip) - [Why Rust?](#why-rust) ## Features 
@@ -62,6 +66,22 @@ WantedBy=multi-user.target 4. In Shell type `systemctl status telemt` - there you can reach info about current MTProxy status 5. In Shell type `systemctl enable telemt` - then telemt will start with system startup, after the network is up +## FAQ +### Telegram Calls via MTProxy +- Telegram architecture does **NOT allow calls via MTProxy**, but only via SOCKS5, which cannot be obfuscated +### How does DPI see MTProxy TLS? +- DPI sees MTProxy in Fake TLS (ee) mode as TLS 1.3 +- the SNI you specify sends both the client and the server; +- ALPN is similar to HTTP 1.1/2; +- high entropy, which is normal for AES-encrypted traffic; +### Whitelist on IP +- MTProxy cannot work when there is: + - no IP connectivity to the target host + - OR all TCP traffic is blocked + - OR all TLS traffic is blocked, +- like most protocols on the Internet; +- this situation is observed in China behind the Great Chinese Firewall and in Russia on mobile networks + ## Why Rust? - Long-running reliability and idempotent behavior - Rust’s deterministic resource management - RAII 
@@ -70,17 +90,18 @@ WantedBy=multi-user.target - Tokio's asynchronous architecture ## Roadmap -- Zero-copy, minimal allocs on hotpath +- Public IP in links - Config Reload-on-fly -- No global mutable state +- Bind to device or IP for outbound/inbound connections +- Adtag Support per SNI / Secret - Fail-fast on start + Fail-soft on runtime (only WARN/ERROR) -- Client isolation +- Zero-copy, minimal allocs on hotpath +- DC Healthchecks + global fallback +- No global mutable state +- Client isolation + Fair Bandwidth - Backpressure-aware IO - "Secret Policy" - SNI / Secret Routing :D -- Adtag Support per SNI / Secret -- DC Healthchecks + global fallback - Multi-upstream Balancer and Failover -- Bind to device or IP for outbound/inbound connections - Strict FSM per handshake - Session-based Antireplay with Sliding window, non-broking reconnects - Web Control: statistic, state of health, latency, client experience... diff --git a/telemt.service b/telemt.service new file mode 100644 index 0000000..b08b4c8 --- /dev/null +++ b/telemt.service @@ -0,0 +1,12 @@ +[Unit] +Description=Telemt +After=network.target + +[Service] +Type=simple +WorkingDirectory=/bin +ExecStart=/bin/telemt /etc/telemt.toml +Restart=on-failure + +[Install] +WantedBy=multi-user.target
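Review bot: in .github/workflows/rust.yml the last step, `run: cargo udeps || true`, can never fail, and no earlier step installs cargo-udeps, so a missing subcommand and a real unused-dependency finding both end green. cargo-udeps also needs a nightly toolchain, while the workflow installs `dtolnay/rust-toolchain@stable`. Install the tool and a nightly toolchain explicitly and drop `|| true`, or use `continue-on-error: true` so the failure stays visible in the run. The job is named "Build & Test" and pulls in `rustfmt, clippy`, yet the only cargo command before udeps is `cargo build --release --verbose`; add test, fmt and clippy steps or trim the name and components. All three actions are referenced by mutable refs (`@v4`, `@stable`) and the file has no `permissions:` block; pinning to commit SHAs and setting read-only `contents` permission would limit what a compromised action can do on `pull_request` runs.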
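Review bot: in the README FAQ hunk, the bullet `the SNI you specify sends both the client and the server;` does not say who sends what; reword it so it states which side puts the configured SNI on the wire. The neighbouring bullet `ALPN is similar to HTTP 1.1/2;` would be more useful to someone comparing captures if it named the ALPN values actually advertised. Under "Whitelist on IP", the trailing bullet `like most protocols on the Internet;` is cut off from its sentence by the nested list and should be folded into the opening line. The table-of-contents entry added in the first README hunk is labelled "Whitelist on Network Level" but links to the heading "Whitelist on IP"; use one name for both.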
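Review bot: the `[Service]` section of telemt.service has no `User=` line, so systemd will run `/bin/telemt`, a network-facing proxy, as root. Run it under a dedicated unprivileged account (or `DynamicUser=yes`), grant `AmbientCapabilities=CAP_NET_BIND_SERVICE` only if it has to bind a port below 1024, and add `NoNewPrivileges=yes`, `ProtectSystem=strict` and `PrivateTmp=yes`. `WorkingDirectory=/bin` is an odd working directory for a daemon; a dedicated state directory or no setting at all would be safer. `After=network.target` only orders the unit and does not wait for connectivity, while the README step above says telemt starts "after the network is up"; `After=network-online.target` together with `Wants=network-online.target` matches that wording.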