Telemt - MTProxy on Rust + Tokio

Telemt is a fast, secure, and feature-rich server written in Rust: it fully implements the official Telegram proxy algo and adds many production-ready improvements such as connection pooling, replay protection, detailed statistics, masking from "prying" eyes

GOTO

• Features
• Quick Start Guide
  • Build
• How to use?
  • Systemd Method
• FAQ
  • Telegram Calls
  • DPI
  • Whitelist on Network Level
• Why Rust?

Features

• Full support for all official MTProto proxy modes:
  • Classic
  • Secure - with dd prefix
  • Fake TLS - with ee prefix + SNI fronting
• Replay attack protection
• Optional traffic masking: forward unrecognized connections to a real web server, e.g. GitHub 🤪
• Configurable keepalives + timeouts + IPv6 and "Fast Mode"
• Graceful shutdown on Ctrl+C
• Extensive logging via trace and debug with RUST_LOG method

Quick Start Guide

Build

# Cloning repo
git clone https://github.com/telemt/telemt 
# Changing Directory to telemt
cd telemt
# Starting Release Build
cargo build --release
# Move to /bin
mv ./target/release/telemt /bin
# Make executable
chmod +x /bin/telemt
# Lets go!
telemt config.toml

How to use?

Telemt via Systemd

1. Place your config to /etc/telemt.toml
2. Create service on /etc/systemd/system/telemt.service

[Unit]
Description=Telemt
After=network.target

[Service]
Type=simple
WorkingDirectory=/bin
ExecStart=/bin/telemt /etc/telemt.toml
Restart=on-failure

[Install]
WantedBy=multi-user.target

3. In Shell type systemctl start telemt - it must start with zero exit-code
4. In Shell type systemctl status telemt - there you can reach info about current MTProxy status
5. In Shell type systemctl enable telemt - then telemt will start with system startup, after the network is up

FAQ

Telegram Calls via MTProxy

• Telegram architecture does NOT allow calls via MTProxy, but only via SOCKS5, which cannot be obfuscated

How does DPI see MTProxy TLS?

• DPI sees MTProxy in Fake TLS (ee) mode as TLS 1.3
• the SNI you specify sends both the client and the server;
• ALPN is similar to HTTP 1.1/2;
• high entropy, which is normal for AES-encrypted traffic;

Whitelist on IP

• MTProxy cannot work when there is:
  • no IP connectivity to the target host
  • OR all TCP traffic is blocked
  • OR all TLS traffic is blocked,
• like most protocols on the Internet;
• this situation is observed in China behind the Great Chinese Firewall and in Russia on mobile networks

Why Rust?

• Long-running reliability and idempotent behavior
• Rust’s deterministic resource management - RAII
• No garbage collector
• Memory safety and reduced attack surface
• Tokio's asynchronous architecture

Roadmap

• Public IP in links
• Config Reload-on-fly
• Bind to device or IP for outbound/inbound connections
• Adtag Support per SNI / Secret
• Fail-fast on start + Fail-soft on runtime (only WARN/ERROR)
• Zero-copy, minimal allocs on hotpath
• DC Healthchecks + global fallback
• No global mutable state
• Client isolation + Fair Bandwidth
• Backpressure-aware IO
• "Secret Policy" - SNI / Secret Routing :D
• Multi-upstream Balancer and Failover
• Strict FSM per handshake
• Session-based Antireplay with Sliding window, non-broking reconnects
• Web Control: statistic, state of health, latency, client experience...