Merge branch 'main' of https://github.com/telemt/telemt

.github/workflows/rust.yml

@@ -0,0 +1,41 @@
+name: Rust
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  build-and-test:
+    name: Build & Test
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Install latest stable Rust toolchain
+      uses: dtolnay/rust-toolchain@stable
+      with:
+        components: rustfmt, clippy
+
+    - name: Cache cargo registry & build artifacts
+      uses: actions/cache@v4
+      with:
+        path: |
+          ~/.cargo/registry
+          ~/.cargo/git
+          target
+        key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+        restore-keys: |
+          ${{ runner.os }}-cargo-
+
+    - name: Build Release
+      run: cargo build --release --verbose
+
+    - name: Check for unused dependencies
+      run: cargo udeps || true

README.md

@@ -8,6 +8,10 @@
   - [Build](#build)
 - [How to use?](#how-to-use)
   - [Systemd Method](#telemt-via-systemd)
+- [FAQ](#faq)
+  - [Telegram Calls](#telegram-calls-via-mtproxy)
+  - [DPI](#how-does-dpi-see-mtproxy-tls)
+  - [Whitelist on Network Level](#whitelist-on-ip)
 - [Why Rust?](#why-rust)
 
 ## Features
@@ -62,6 +66,22 @@ WantedBy=multi-user.target
 4. In Shell type `systemctl status telemt` - there you can reach info about current MTProxy status
 5. In Shell type `systemctl enable telemt` - then telemt will start with system startup, after the network is up
 
+## FAQ
+### Telegram Calls via MTProxy
+- Telegram architecture does **NOT allow calls via MTProxy**, but only via SOCKS5, which cannot be obfuscated
+### How does DPI see MTProxy TLS?
+- DPI sees MTProxy in Fake TLS (ee) mode as TLS 1.3
+- the SNI you specify sends both the client and the server;
+- ALPN is similar to HTTP 1.1/2;
+- high entropy, which is normal for AES-encrypted traffic;
+### Whitelist on IP
+- MTProxy cannot work when there is: 
+  - no IP connectivity to the target host
+  - OR all TCP traffic is blocked
+  - OR all TLS traffic is blocked,
+- like most protocols on the Internet; 
+- this situation is observed in China behind the Great Chinese Firewall and in Russia on mobile networks
+
 ## Why Rust?
 - Long-running reliability and idempotent behavior
 - Rust’s deterministic resource management - RAII 
@@ -70,17 +90,18 @@ WantedBy=multi-user.target
 - Tokio's asynchronous architecture
 
 ## Roadmap
-- Zero-copy, minimal allocs on hotpath
+- Public IP in links
 - Config Reload-on-fly
-- No global mutable state
+- Bind to device or IP for outbound/inbound connections
+- Adtag Support per SNI / Secret
 - Fail-fast on start + Fail-soft on runtime (only WARN/ERROR)
-- Client isolation
+- Zero-copy, minimal allocs on hotpath
+- DC Healthchecks + global fallback
+- No global mutable state
+- Client isolation + Fair Bandwidth
 - Backpressure-aware IO
 - "Secret Policy" - SNI / Secret Routing :D
-- Adtag Support per SNI / Secret
-- DC Healthchecks + global fallback
 - Multi-upstream Balancer and Failover
-- Bind to device or IP for outbound/inbound connections
 - Strict FSM per handshake
 - Session-based Antireplay with Sliding window, non-broking reconnects
 - Web Control: statistic, state of health, latency, client experience...

telemt.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Telemt
+After=network.target
+
+[Service]
+Type=simple
+WorkingDirectory=/bin
+ExecStart=/bin/telemt /etc/telemt.toml
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target