The Ultimate Telegram MTProto Proxy Manager
One script. Full control. Zero hassle.
MTProxyMax is a full-featured Telegram MTProto proxy manager powered by the telemt 3.x Rust engine. It wraps the raw proxy engine with an interactive TUI, a complete CLI, a Telegram bot for remote management, per-user access control, traffic monitoring, proxy chaining, and automatic updates, all in a single bash script.
sudo bash -c "$(curl -fsSL https://raw.githubusercontent.com/SamNet-dev/MTProxyMax/main/install.sh)"

Most MTProxy tools give you a proxy and a link. That's it. MTProxyMax gives you a full management platform:

- Enterprise Commercial Suite: Batch gift code vouchers (voucher create/redeem), Role-Based Access Control (admin add), and static glassmorphism Status Portal (portal)
- Automated Hostile Threat Shield: Live Shodan/Censys scanner blacklisting via ipset (scanner-shield)
- Next-Gen Anti-DPI & Stealth Suite: Kernel SYN shield, TCP MSS clamping, multi-domain SNI pools, and active forensic inspection (dpi-inspect)
- Bandwidth Shaping & Quotas: Linux tc per-IP QoS limits, off-peak Happy Hours quota exclusions, and automated Telegram abuse/expiry alerts
- Emergency Lockdown Switch: Instant panic posture hardening via CLI or Telegram bot (/mp_lockdown)
- DevOps & Clustering Automation: HAProxy/Nginx load balancer config exporter, Cloudflare DDNS updater, and forensic snapshots
- Multi-user secrets with individual bandwidth quotas, device limits, and expiry dates
- Tags & templates: group users by category, onboard in seconds with reusable limit sets
- Monthly quota reset: subscription-style automatic traffic resets per user
- Telegram bot with 21 administrative commands: manage users, view health digests, and trigger lockdowns from chat
- Replication: sync config to slave servers automatically via rsync+SSH
- Server migration: tarball-based export/import with one command
- Encrypted backups: AES-256 backups with autoclean policy
- Interactive TUI: no need to memorize commands, menu-driven setup
- Prometheus metrics: real per-user traffic stats, not just iptables guesses
- Proxy chaining: route through SOCKS5 upstreams for extra privacy
- Maintenance mode + IP banlist: graceful pre-restart, fine-grained blocking
- Doctor, verify, audit log: comprehensive diagnostics and change history
- Engine tuning: whitelisted parameter tuning without editing raw TOML
- Auto-recovery + auto-rotate: detects downtime, rotates aging secrets automatically
- Pre-built Docker images: installs in seconds, not minutes

sudo bash -c "$(curl -fsSL https://raw.githubusercontent.com/SamNet-dev/MTProxyMax/main/install.sh)"

The interactive wizard walks you through everything: port, domain, first user secret, and optional Telegram bot setup.
curl -fsSL https://raw.githubusercontent.com/SamNet-dev/MTProxyMax/main/mtproxymax.sh -o mtproxymax
chmod +x mtproxymax
sudo ./mtproxymax install

mtproxymax # Open interactive TUI
mtproxymax status # Check proxy health

Your proxy traffic looks identical to normal HTTPS traffic. The Fake TLS V2 engine mirrors real TLS 1.3 sessions: per-domain profiles, real cipher suites, dynamic certificate lengths, and realistic record fragmentation.
- Multi-Domain SNI Pool (tls_domains): Rotate between multiple high-reputation cover domains (e.g., cloudflare.com, www.microsoft.com, www.google.com) within the same proxy engine instance to evade single-domain DPI throttling and SNI blacklisting (mtproxymax domain-pool <domains>).
- Kernel SYN Shield: Built-in iptables/nftables rate limiter (conntrack + recent module) that tarpits aggressive DPI active scanners (>15 SYN packets in 5 seconds per IP) before they reach the application layer (mtproxymax shield on).
- Stealth Presets (normal vs ultra): Hot-swappable anti-replay hardening (mtproxymax stealth ultra). The ultra preset tightens the replay window to 180 seconds, expands the nonce cache to 131,072 entries, and drops unknown SNI probes immediately.
- TCP MSS Clamping: Prevents MTU black hole drops and packet fragmentation by aligning TCP Maximum Segment Size with --clamp-mss-to-pmtu (mtproxymax clamp-mss on).
- Multi-Port Listener Pool: Listen on multiple fallback TCP ports simultaneously (e.g., 443, 8443, 2053) using automated kernel NAT redirection without spawning extra container instances (mtproxymax port-pool add <port>).
- DPI Readiness Inspector (mtproxymax dpi-inspect): Runs an automated 5-point heuristic network forensic scan (cover domain reachability, certificate length parity, kernel SYN shield state, engine replay hardening preset, and TCP MSS clamping state) to assign your server a live Anti-DPI Hardening Score out of 100.
- Automated Cover Watchdog (mtproxymax cover-watchdog auto): A self-healing background daemon. If state firewalls or ISP censors block or throttle your primary cover domain (returning HTTP 5xx or connection timeouts), the watchdog automatically rotates to the next available backup domain in your pool and reloads the proxy engine.
Instantly harden server posture under active censorship or DDoS attacks:
mtproxymax lockdown on

Activating lockdown instantly engages the Kernel SYN Shield, activates Ultra-Stealth conntrack hardening, enforces TCP MSS Clamping, and sends a priority broadcast alert to your Telegram administrator bot chat. You can also toggle lockdown remotely from Telegram via /mp_lockdown on.
- Kernel Traffic Shaping (mtproxymax qos set <mbps>): Uses Linux tc (Traffic Control) hierarchical token buckets and kernel firewall hashlimits to enforce strict per-IP speed limits (e.g., 5 Mbps per IP), preventing single users from saturating server uplink bandwidth.
- Off-Peak Happy Hours (mtproxymax happy-hours set 02:00-08:00): Define unmetered schedule windows. Any traffic consumed during Happy Hours completely bypasses user monthly bandwidth quota depletion.
- Proactive Expiry Notifications (mtproxymax notify-expiry): Scans active user accounts and dispatches automated direct Telegram reminder alerts 7 days, 3 days, and 24 hours prior to subscription expiration.
- Abnormal Bandwidth Watchdog (mtproxymax abuse-watch): Monitors rolling 24-hour traffic consumption and flags suspicious accounts exceeding 50GB/day.
- Layer-4 Load Balancer Exporter (mtproxymax export-lb [haproxy|nginx]): Generates production-ready HAProxy (haproxy.cfg) and Nginx Stream (nginx.conf) configuration snippets configured with TCP pass-through and PROXY Protocol v2 headers.
- Cloudflare Dynamic DNS (mtproxymax ddns set <token> <zone_id> <record>): Automatically detects server public IP changes and updates Cloudflare DNS A records via API v4 (mtproxymax ddns run).
- Forensic Diagnostics Dump (mtproxymax diag-dump): Bundles kernel networking state, routing tables, active iptables rules, container inspect logs, and a redacted settings archive into a clean .tar.gz diagnostic package.
- Configuration Snapshots (mtproxymax snapshot create <name>): Creates self-contained point-in-time tarball snapshots of all proxy settings, secrets, upstreams, domain pools, and geoblocks with one-click restoration (mtproxymax snapshot restore <name>).
- Direct Telegram Cloud Backups (mtproxymax backup send-tg): Pushes your latest server backup archive (.tar.gz) directly to your Telegram bot admin chat as a file attachment, ensuring offsite disaster recovery even if your VPS disk fails.
- Morning Executive Briefing (mtproxymax daily-report on 08:00): Schedules an automated morning summary message detailing 24h traffic volume, active user counts, SYN shield interceptions, and expiring subscriptions.
- SSH Intrusion Shield (mtproxymax ssh-shield on): Configures fail2ban kernel jails tuned specifically for MTProto proxy servers, automatically banning IP addresses attempting SSH password brute-force attacks.
- Network Quality Grade (mtproxymax net-grade): Benchmarks DNS ping timers and TCP reachability against Telegram Datacenters (DC1-DC5) to calculate an instant server quality grade (A+, A, B, C/D).
- Smart User Onboarding Wizard (mtproxymax onboard <label>): Step-by-step interactive command automating user creation, device tier assignment, monthly data quotas, expiry windows, and Telegram QR link generation.
- Linux Kernel TCP BBR & Fast Open Booster (mtproxymax tcp-boost on): Activates Google's TCP BBR congestion control algorithm and TCP Fast Open (tfo=3), doubling transfer speeds and eliminating packet-loss bottlenecks on international routes.
- Dead Mobile Socket Keep-Alive Reaper (mtproxymax tcp-clean on): Configures aggressive low-latency kernel keep-alive timers (keepalive_time=300, intvl=15), automatically detecting and purging orphaned mobile 4G/LTE sockets within 45 seconds.
- Ultra-Low Latency Kernel Socket Booster (mtproxymax socket-boost on): Expands listen backlog queues (somaxconn=65535) and optimizes buffer limits (notsent_lowat=16384) to eliminate packet bloat and reduce TCP handshake delays under burst concurrency.
- Dynamic FakeTLS Record Padding & Jitter (mtproxymax tls-pad auto): Randomizes certificate payload lengths between 1500 and 3800 bytes dynamically during periodic maintenance cycles, evading AI/ML statistical packet size analysis.
- Active Probe Honeypot & Decoy Protection (mtproxymax honeypot on): Engages kernel redirection posture so active censorship crawler bots without a valid MTProto secret are cleanly routed to your decoy cover domain.
- Subscription Leak & Account Sharing Scanner (mtproxymax leak-scan 3): Scans active connection tables to identify and flag subscription keys connecting from more than 3 distinct IP subnets simultaneously.
- TLS Cover Domain Health & Verifier (mtproxymax cert-check <domain>): Performs a deep SSL/TLS inspection of your FakeTLS cover domain (PROXY_DOMAIN), verifying HTTP status codes, expiration dates, and issuer chains to prevent ISP blocking.
- One-Line VPS Cloner & Replication Bundle (mtproxymax clone-link/bootstrap): Compresses your upstreams, tuning profiles, ad-tag, and templates into a secure Base64 string and outputs a single one-line command (mtproxymax bootstrap <base64>) that mirrors your server onto any new node in 5 seconds.
- Emergency RAM & Socket Auto-Healer (mtproxymax heal/auto-heal on): Reclaims dead OS pagecache, prunes orphaned TIME_WAIT sockets, and expands Netfilter conntrack headroom (nf_conntrack_max=262144) with zero disruption to active proxy users.
- TCP Fast-Path Window Scaling & MTU Probing (mtproxymax tcp-fastpath on): Enables RFC-compliant TCP window scaling, Selective Acknowledgments (SACK), and automatic Path MTU discovery to maximize throughput on variable-MTU international links.
- Dynamic RAM Auto-Tuning (mtproxymax ram-tune auto): Inspects total server physical memory and auto-calculates safe TCP read/write buffer ceilings and kernel min_free_kbytes thresholds, preventing OOM crashes on small VPS while unlocking full throughput on large servers.
- Dynamic Port Range Shadowing (mtproxymax port-hop add 2000:2050): Configures kernel-level iptables/nftables NAT port redirection over arbitrary port blocks, allowing instant client port-hopping during ISP throttling events without proxy engine restarts.
- Multi-Core IRQ Packet Spreading (mtproxymax cpu-tune on): Distributes incoming encrypted packet processing across all available CPU cores via Linux Receive Packet Steering (RPS/RFS), with automatic containerization fallback detection for LXC/OpenVZ environments.
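
The kind of check the leak scanner describes, written out as an added example (this is not MTProxyMax's own code). The "label client_ip" input format, the choice of an IPv4 /24 as "subnet", and the function names are assumptions; the sample table is constructed.

```bash
# Added example: flag labels connected from more than N distinct subnets.
# Assumptions: input is "label client_ip" per line, a subnet is an IPv4 /24.

# Constructed sample of an active-connection table (not real data).
sample_connections() {
    cat <<'EOF'
alice 10.1.1.20
alice 10.1.1.77
alice 10.2.9.4
alice 10.3.0.8
bob 10.1.1.5
bob 10.4.4.4
bob 10.5.5.5
bob 10.6.6.6
bob 10.6.6.7
carol 10.9.9.9
carol not-an-ip
EOF
}

# leak_scan <max_subnets>: reads the table on stdin and prints
# "label subnet_count" for each label above the threshold, sorted by label.
leak_scan() {
    awk -v max="$1" '
        NF < 2 { next }
        {
            # Accept only dotted-quad IPv4 with octets 0-255; skip the rest.
            n = split($2, o, ".")
            if (n != 4) next
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] > 255) next
            net = o[1] "." o[2] "." o[3] ".0/24"
            # Count each (label, subnet) pair once, so several sockets or a
            # roam inside one /24 do not inflate the score.
            if (!(($1, net) in seen)) { seen[$1, net] = 1; count[$1]++ }
        }
        END { for (l in count) if (count[l] > max) print l, count[l] }
    ' | sort
}

# Usage: sample_connections | leak_scan 3
```

Devices behind one NAT share a subnet and roaming phones add subnets over time, so a hit is a reason to review the account, not proof of sharing.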
- Commercial Voucher & Gift Code System (mtproxymax voucher [create|list|revoke|redeem]): Monetize or distribute proxy access cleanly without requiring manual administrator intervention for each user.
  - Generates secure batch voucher codes formatted as MTP-XXXX-XXXX with customizable data quotas (e.g., 10G, 50G, 0 for unlimited) and validity durations (e.g., 30 days).
  - Vouchers are tracked in ${INSTALL_DIR}/vouchers.conf with full audit metadata (ACTIVE, REDEEMED, REVOKED, creation timestamp, and redemption account label).
  - Users or resellers can redeem vouchers locally via mtproxymax voucher redeem <code> [label] or remotely via Telegram bot command /redeem <code>, instantly provisioning a dedicated proxy secret with exact quota and device ceilings enforced.
- Role-Based Access Control (mtproxymax admin [add|remove|list]): Multi-tier administrative access governance for your Telegram management bot.
  - Configures role hierarchies stored in ${INSTALL_DIR}/admins.conf:
    - superadmin: Full access to all 21 administrative commands, including destructive engine restarts (/mp_restart), emergency lockdowns (/mp_lockdown), bot removals (/mp_remove), and self-updates (/mp_update).
    - reseller: Delegated commercial management rights restricted to voucher redemption (/redeem), voucher batch generation (/mp_voucher create <cnt> <qta> <dys>), and voucher inventory auditing (/mp_voucher list). Destructive engine commands are automatically blocked with security violation logging.
- Decoupled Self-Service Status Portal (mtproxymax portal [enable|disable|port|generate|serve|status]): Lightweight, zero-dependency static web dashboard designed for client self-service and transparent uptime reporting.
  - Generates an ultra-responsive, modern dark-mode glassmorphism HTML page (index.html) stored in ${INSTALL_DIR}/portal/.
  - During periodic engine sweeps (sweep()), MTProxyMax automatically exports real-time system metrics (status.json) and anonymized user leaderboard statistics (users.json).
  - Clients can view live proxy uptime, server bandwidth consumption, active connection counts, and individual quota progress directly from any browser without exposing administrative interfaces or requiring backend script execution.
  - Can be served via built-in foreground test server (mtproxymax portal serve) or hosted instantly behind Nginx/HAProxy/Cloudflare Pages.
- Proactive Shodan & Censys Threat Blocking (mtproxymax scanner-shield [enable|disable|update|status]): Protects your proxy server from automated Internet-wide discovery engines and hostile security scanners.
  - Initializes high-performance kernel memory hash sets (ipset table mtproxymax-scanners) with capacity for up to 65,536 network CIDRs.
  - Automatically imports and blacklists well-known hostile mass scanning subnets (including Shodan, Censys, and Shadowserver probe networks such as 162.142.125.0/24, 167.94.138.0/24, 71.6.135.0/24, etc.).
  - Incoming packets from scanner IPs are silently dropped at the Netfilter kernel boundary before reaching the Docker proxy container or triggering SYN cookie thresholds, keeping your server completely invisible to threat discovery feeds.
If users report sudden connection drops or severe DPI throttling during internet disruptions, execute this 3-step recovery posture:
- Engage Instant Lockdown & Check Posture Score:
  mtproxymax lockdown on
  mtproxymax dpi-inspect
- Add Backup Cover Domains & Fallback Ports:
  mtproxymax domain-pool add www.microsoft.com,www.google.com
  mtproxymax port-pool add 8443
- Activate Automated Watchdog & Bandwidth Shaping:
  mtproxymax cover-watchdog auto
  mtproxymax qos set 5
Each user gets their own secret key with a human-readable label:
- Add/remove users instantly: config regenerates and proxy hot-reloads
- Enable/disable access without deleting the key
- Rotate a user's secret: new key, same label, old link stops working
- QR codes: scannable directly in Telegram
Fine-grained limits enforced at the engine level:
| Limit | Description | Example | Best For |
|---|---|---|---|
| Max Connections | Concurrent TCP connections (~3 per device) | 15 | Device limiting |
| Max IPs | Unique IP addresses allowed | 5 | Anti-sharing / abuse |
| Data Quota | Lifetime bandwidth cap | 10G, 500M | Fair usage |
| Expiry Date | Auto-disable after date | 2026-12-31 | Temporary access |
Tip: Each Telegram app opens ~3 TCP connections (one per DC). So for device limiting, multiply by 3: conns 15 gives max 5 devices. Setting below 5 will likely break even a single device. IP limits are less reliable because mobile users roam between cell towers (briefly showing 2 IPs for 1 device), and multiple devices behind the same WiFi share 1 IP. Use ips as a secondary anti-sharing measure.

Traffic and quotas are lifetime (cumulative), not monthly. They don't auto-reset. Use mtproxymax secret reset-traffic <label> to manually reset counters, or rotate the secret.
mtproxymax secret setlimits alice 100 5 10G 2026-12-31

Limit Devices Per User (Recommended)

mtproxymax secret setlimit alice conns 5 # Single device (~3 conns per device, with headroom)
mtproxymax secret setlimit family conns 15 # Family, up to 5 devices

Each Telegram app opens ~3 TCP connections. Setting conns 5 allows one device with headroom. If someone shares their link, the second device will hit the limit.
Device Limit Tiers
| Scenario | conns | ips (optional) |
|---|---|---|
| Single person, one device | 1 | 2 (allow roaming) |
| Single person, multiple devices | 3 | 5 |
| Small family | 5 | 10 |
| Small group / office | 30 | 50 |
| Public/open link | 0 | 0 (unlimited) |

Set ips slightly higher than conns to allow for mobile roaming (cell tower switches temporarily show 2 IPs for 1 device).
Time-Limited Sharing Link
mtproxymax secret add shared-link
mtproxymax secret setlimits shared-link 50 30 10G 2026-06-01

When the expiry date hits, the link stops working automatically.
Per-Person Keys (Recommended)
mtproxymax secret add alice
mtproxymax secret add bob
mtproxymax secret add charlie
# Each person gets their own link, revoke individually
mtproxymax secret setlimit alice conns 10 # ~3 devices
mtproxymax secret setlimit bob conns 5 # 1 device
mtproxymax secret setlimit charlie conns 15 # ~5 devices

Disable, Rotate, Remove
mtproxymax secret disable bob # Temporarily cut off
mtproxymax secret enable bob # Restore access
mtproxymax secret rotate alice # New key, old link dies instantly
mtproxymax secret remove bob # Permanent removal

Full proxy management from your phone. Setup takes 60 seconds:

mtproxymax telegram setup

| Command | Description |
|---|---|
| /mp_status | Proxy status, uptime, connections |
| /mp_secrets | List all users with active connections |
| /mp_link | Get proxy details + QR code image |
| /mp_add <label> | Add new user |
| /mp_remove <label> | Delete user |
| /mp_revoke <label> | Revoke and purge a user secret immediately |
| /mp_rotate <label> | Generate new key for user |
| /mp_enable <label> | Re-enable disabled user |
| /mp_disable <label> | Temporarily disable user |
| /mp_lockdown [on\|off] | Toggle emergency panic lockdown defensive posture |
| /mp_digest | View live executive health, posture, and traffic digest box |
| /mp_limits | Show all user limits |
| /mp_setlimit | Set user limits |
| /mp_traffic | Per-user traffic breakdown |
| /mp_upstreams | List proxy chains |
| /mp_health | Run diagnostics |
| /mp_restart | Restart proxy |
| /mp_update | Check for updates |
| /mp_help | Show all commands |
Automatic alerts & announcements:
- Emergency Lockdown activated: immediate posture alert
- System Broadcasts (mtproxymax broadcast <msg>) sent directly to admin chat
- Proactive Expiry Alerts sent 7d, 3d, and 24h prior to account expiration
- Proxy down: instant notification + auto-restart attempt
- Proxy started: sends connection details + QR codes
- Periodic traffic reports at your chosen interval
Keep multiple proxy servers in sync automatically. The master pushes config changes to all slaves via rsync+SSH on a configurable interval. Slaves receive secrets.conf, upstreams.conf, instances.conf, and config.toml. Their own role settings and local state are never overwritten.
Setup takes two commands:
# On master: run wizard, select Master, add slave
mtproxymax replication setup
# On slave: run wizard, select Slave
mtproxymax replication setup

How it works:
- Master generates a self-contained sync script at /opt/mtproxymax/mtproxymax-sync.sh
- A systemd timer fires every N seconds (default: 60) and runs the sync
- On change, the proxy container on the slave is automatically restarted
- settings.conf and replication.conf are always excluded, so the slave role is never overwritten
mtproxymax replication status # Show role, timer state, last sync
mtproxymax replication sync # Trigger immediate sync
mtproxymax replication logs # View sync log
mtproxymax replication test # Test SSH connectivity to all slaves
mtproxymax replication promote # Promote slave to master (failover)

Roles:
| Role | Description |
|---|---|
| Master | Pushes config to slaves on schedule |
| Slave | Receives config, read-only. Changes must be made on master |
| Standalone | Replication disabled (default) |
Route traffic through intermediate servers:
# Route 20% through Cloudflare WARP
mtproxymax upstream add warp socks5 127.0.0.1:40000 - - 20
# Route through a backup VPS
mtproxymax upstream add backup socks5 203.0.113.50:1080 user pass 80
# Hostnames are supported (resolved by the engine)
mtproxymax upstream add remote socks5 my-proxy.example.com:1080 user pass 50

Supports SOCKS5 (with auth), SOCKS4, and direct routing with weight-based load balancing. Addresses can be IPs or hostnames.
Prometheus metrics give you real per-user stats:
mtproxymax traffic # Per-user breakdown
mtproxymax status # Overview with connections count

- Bytes uploaded/downloaded per user
- Active connections per user
- Cumulative tracking across restarts
mtproxymax geoblock add ir # Block Iran
mtproxymax geoblock add cn # Block China
mtproxymax geoblock list # See blocked countries

IP-level CIDR blocklists enforced via iptables. Traffic is dropped before reaching the proxy.

mtproxymax adtag set <hex_from_MTProxyBot>

Get your ad-tag from @MTProxyBot. Users see a pinned channel, and you earn from the proxy.
mtproxymax engine status # Current engine version
mtproxymax engine rebuild # Force rebuild engine image
mtproxymax rebuild # Force rebuild from source

Engine updates are delivered through mtproxymax update. Pre-built multi-arch Docker images (amd64 + arm64) are pulled automatically. Source compilation is the automatic fallback.
For regions where core.telegram.org is blocked, the engine can fetch proxy configuration from a custom mirror:
mtproxymax tg-urls # Show current URLs
mtproxymax tg-urls set secret https://mirror.example.com/getProxySecret
mtproxymax tg-urls set config-v4 https://mirror.example.com/getProxyConfig
mtproxymax tg-urls set config-v6 https://mirror.example.com/getProxyConfigV6
mtproxymax tg-urls clear # Reset to defaults

Also available in TUI: Settings > [u] Custom Telegram URLs.
Single command that checks everything (Docker, engine, port, metrics, TLS cert, secrets, disk space, Telegram bot):

mtproxymax doctor

More targeted checks:
mtproxymax port-check # Test if port is reachable from outside
mtproxymax connections # Live active connections per user
mtproxymax uptime # One-line status (scriptable)
mtproxymax config # Display current engine config

Save and restore entire configurations (settings + secrets + upstreams) as named snapshots. Useful for switching between stealth/debug/production setups:
mtproxymax profile save stealth # Snapshot current config
mtproxymax profile list # List saved profiles
mtproxymax profile load stealth # Restore + auto-restart
mtproxymax profile delete stealth

Managing many users? These commands scale to hundreds of secrets:
mtproxymax secret info <label> # Full view of one user
mtproxymax secret search <query> # Find by label or notes
mtproxymax secret top [traffic|conns] # Top 5 users right now
mtproxymax secret sort [traffic|conns|date|name] # Reorder list
mtproxymax secret stats # Compact overview: traffic/quota/expiry %
mtproxymax secret generate-links [txt|html] # Bulk export all links (HTML includes QR codes)
mtproxymax secret export > backup.csv # Export to CSV
mtproxymax secret import backup.csv # Import from CSV
mtproxymax secret archive <label> # Soft-delete (restorable)
mtproxymax secret unarchive <label> # Restore from archive
mtproxymax secret clone <src> <new> # Duplicate with all limits
mtproxymax secret bulk-extend <days> # Extend all expiry dates
mtproxymax secret disable-expired # Auto-disable all expired secrets
mtproxymax secret purge-disabled # Permanently purge disabled/expired secrets
mtproxymax secret sub # Generate Base64 subscription link feed
mtproxymax secret export-json # Export user database formatted as JSON
mtproxymax secret rename-prefix <old> <new> # Bulk rename labels matching prefix

Tag users to group them logically (family, work, beta, premium), then run bulk operations by tag:
mtproxymax secret tag alice family,premium # Assign tags
mtproxymax secret list --tag family # Filter by tag
mtproxymax secret tags # Show all tags
mtproxymax secret untag alice # Clear tags

Save reusable limit templates to quickly onboard users:
mtproxymax template save premium 15 5 50G 2026-12-31 "Premium tier"
mtproxymax template list
mtproxymax secret add alice --template premium # Apply at creation
mtproxymax template apply premium bob # Apply to existing secret

Also available in TUI: Secrets > [y] Tags / [k] Templates.
Automatic scheduled operations, no cron setup required (runs from the Telegram bot's 5-min maintenance loop):

# Per-secret monthly reset: resets traffic counter on day N of each month (handles short months)
mtproxymax secret quota-reset alice 1 # Reset on the 1st
mtproxymax secret quota-reset bob 15 # Reset on the 15th
mtproxymax secret quota-reset alice off # Disable
# Global auto-rotate: rotates secrets older than N days
mtproxymax auto-rotate 90 # Rotate every 90 days
mtproxymax auto-rotate off # Disable
# Bulk rotate with dry-run
mtproxymax secret rotate --all --dry-run # Preview
mtproxymax secret rotate --all # Do it

TUI: Secrets > [q] Monthly reset and [r] Rotate all, Settings > [a] Auto-rotate policy.
Maintenance mode rejects new connections with TCP RST while keeping existing sessions alive. Perfect for graceful pre-restart announcements:
mtproxymax maintenance on # Reject new clients
mtproxymax maintenance status # Check current state
mtproxymax maintenance off # Restore

IP banlist: block specific IPs/CIDRs at the firewall level (survives reboots):
mtproxymax ban 192.0.2.0/24 # Ban a subnet
mtproxymax ban 1.2.3.4 # Ban a single IP
mtproxymax bans # List all bans
mtproxymax unban 1.2.3.4 # Remove ban

Different from geo-blocking (which works by country). Both can run together.

Encrypted backups: AES-256-CBC with PBKDF2 key derivation (100k iterations). The password is entered interactively and passed to openssl via an environment variable (hidden from ps aux):
mtproxymax backup --encrypt # Create (password prompt)
mtproxymax backup restore-encrypted file.tar.gz.enc
mtproxymax backup autoclean 30 # Delete backups older than 30 days

Set BACKUP_RETENTION_DAYS in settings.conf for automatic cleanup via the bot's sweep loop.
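
The backup scheme described above, reproduced with the stock openssl CLI as an added example (this is not MTProxyMax's own code). The BACKUP_PASS variable name and both function names are assumptions; the cipher, key derivation and iteration count are the ones stated above.

```bash
# Added example: AES-256-CBC + PBKDF2 (100k iterations) backup round trip.
# BACKUP_PASS and both function names are assumptions of this sketch.

# encrypt_backup <src_dir> <out_file>
encrypt_backup() {
    [ -n "${BACKUP_PASS:-}" ] || { echo "BACKUP_PASS is not set" >&2; return 2; }
    plain=$(mktemp) || return 1          # mktemp creates the file mode 0600
    tar -C "$1" -czf "$plain" . || { rm -f "$plain"; return 1; }
    rc=0
    # "-pass env:NAME" reads the password from the process environment, so
    # it is absent from argv (what `ps aux` lists); "-pass pass:..." is not.
    # The environment is still readable by root and by the same user.
    ( umask 077
      BACKUP_PASS="$BACKUP_PASS" openssl enc -aes-256-cbc -pbkdf2 -iter 100000 \
          -salt -pass env:BACKUP_PASS -in "$plain" -out "$2" ) || rc=$?
    rm -f "$plain"
    [ "$rc" -eq 0 ] || { rm -f "$2"; return 1; }
}

# restore_backup <enc_file> <dest_dir>
restore_backup() {
    [ -n "${BACKUP_PASS:-}" ] || { echo "BACKUP_PASS is not set" >&2; return 2; }
    plain=$(mktemp) || return 1
    rc=1
    # CBC carries no authentication tag: a wrong password is caught only by
    # the padding check, which garbage can pass. Listing the archive before
    # extracting rejects output that is not a valid gzip'd tar.
    if BACKUP_PASS="$BACKUP_PASS" openssl enc -d -aes-256-cbc -pbkdf2 \
            -iter 100000 -pass env:BACKUP_PASS -in "$1" -out "$plain" 2>/dev/null \
       && tar -tzf "$plain" >/dev/null 2>&1; then
        mkdir -p "$2" && tar -C "$2" -xzf "$plain" && rc=0
    fi
    rm -f "$plain"
    return "$rc"
}

# Usage: BACKUP_PASS=... encrypt_backup /path/to/conf backup.tar.gz.enc
```

Listing the archive is a sanity check, not authentication; where tamper evidence matters, sign or MAC the .enc file separately.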
Server migration. Pack everything into a tarball and transfer:

# On old server
mtproxymax migrate export # -> /tmp/mtproxymax-migrate-YYYYMMDD-HHMMSS.tar.gz
scp /tmp/mtproxymax-migrate-*.tar.gz new-server:/tmp/
# On new server
mtproxymax migrate import /tmp/mtproxymax-migrate-*.tar.gz
# Auto-backs up current state first, then restarts

Includes: settings, secrets, upstreams, instances, tags, archives, banlist, profiles. Replication role is preserved per-server.
Expose advanced engine parameters without editing raw TOML. Changes are merged into the generated config.toml on every reload:
mtproxymax tune list # Show whitelisted params + current overrides
mtproxymax tune set fake_cert_len 4096 # Larger fake cert
mtproxymax tune set log_level debug # Verbose logging
mtproxymax tune set mask_relay_timeout_ms 120000 # 2-minute mask relay timeout
mtproxymax tune clear log_level # Revert one to default
mtproxymax tune clear all # Revert all

Whitelisted params are regex-validated on input. Invalid values are rejected. Also available in TUI: Settings > [n] Engine tuning.
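
One way such whitelist-plus-regex validation can be written, as an added example (this is not MTProxyMax's own code). The three parameter names come from the commands above; the patterns, the log level list and the function names are assumptions.

```bash
# Added example: whitelist + regex validation of tuning overrides before
# they are merged into a TOML file. The patterns below are assumptions.

# tune_pattern <key>: prints the ERE a value must match; fails for keys
# that are not whitelisted.
tune_pattern() {
    case "$1" in
        fake_cert_len)         echo '^[0-9]{3,5}$' ;;
        mask_relay_timeout_ms) echo '^[0-9]{1,7}$' ;;
        log_level)             echo '^(error|warn|info|debug|trace)$' ;;
        *) return 1 ;;
    esac
}

# tune_validate <key> <value>: 0 = accept, 1 = bad value, 2 = unknown key
tune_validate() {
    pat=$(tune_pattern "$1") || return 2
    # grep matches line by line, so "4096<newline>other = 1" would pass on
    # its first line and smuggle a second TOML key into the config.
    # Reject embedded newlines before the regex check.
    case "$2" in
        *'
'*) return 1 ;;
    esac
    printf '%s\n' "$2" | grep -Eq -- "$pat" || return 1
}

# tune_render <key> <value>: prints the TOML line for a validated override
tune_render() {
    tune_validate "$1" "$2" || return 1
    case "$2" in
        *[!0-9]*) printf '%s = "%s"\n' "$1" "$2" ;;  # string value
        *)        printf '%s = %s\n' "$1" "$2" ;;    # integer value
    esac
}

# Usage: tune_render log_level debug >> overrides.toml
```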
verify runs an end-to-end install check (Docker running, port bound, TLS handshake succeeds, domain reachable, Telegram API reachable, bot token valid):

mtproxymax verify

history shows an audit log of config changes (secret add/remove/rotate, domain changes, etc.) with timestamps:

mtproxymax history 100 # Last 100 events

speedtest measures outbound bandwidth and latency:

mtproxymax speedtest

digest displays an executive summary dashboard of uptime, sockets, traffic totals, and bot status:

mtproxymax digest

ping-dc benchmarks TCP handshake latency to global Telegram datacenters (DC1-DC5):

mtproxymax ping-dc

Get tab-completion for all commands:

# The shell opens a redirect target before sudo runs, so write the file with sudo tee
sudo mtproxymax completion | sudo tee /etc/bash_completion.d/mtproxymax > /dev/null
source /etc/bash_completion.d/mtproxymax
# Now: mtproxymax <TAB> or mtproxymax secret <TAB> works

| Feature | MTProxyMax v1.2 | mtg v2 (Go) | Official MTProxy (C) | Bash Installers |
|---|---|---|---|---|
| Engine | telemt 3.x (Rust) | mtg (Go) | MTProxy (C) | Various |
| FakeTLS V2 | β | β | β (needs patches) | Varies |
| Active DPI Forensics (dpi-inspect) | β (Score /100) | β | β | β |
| Self-Healing Cover Watchdog | β | β | β | β |
| Emergency Lockdown Switch | β | β | β | β |
| Kernel SYN Shield (Tarpit) | β (>15 SYN/5s) | β | β | β |
| Per-IP Bandwidth Shaping (QoS) | β (Linux tc) | β | β | β |
| Off-Peak Happy Hours | β | β | β | β |
| Multi-Port Pool Listeners | β (Kernel NAT) | β | Multi-process | Varies |
| Multi-Domain SNI Pools | β | β | β | β |
| TCP MSS Clamping | β | β | β | β |
| Layer-4 LB Exporter (HAProxy/Nginx) | β | β | β | β |
| Cloudflare Dynamic DNS (DDNS) | β | β | β | β |
| Configuration Snapshots | β | β | β | β |
| Traffic Masking | β | β | β | β |
| Multi-User Secrets | β (unlimited) | β (1 secret) | Multi-secret | Usually 1 |
| Per-User Limits | β (conns, IPs, quota, expiry) | β | β | β |
| Per-User Traffic Stats | β (Prometheus) | β | β | β |
| Telegram Bot | β (21 commands) | β | β | β |
| Interactive TUI | β | β | β | β |
| Proxy Chaining | β (SOCKS5/4, weighted) | β (SOCKS5) | β | β |
| Master-Slave Replication | β (rsync+SSH, systemd) | β | β | β |
| Geo-Blocking | β | IP allowlist/blocklist | β | β |
| Ad-Tag Support | β | β (removed in v2) | β | Varies |
| QR Code Generation | β | β | β | Some |
| Auto-Recovery | β (with alerts) | β | β | β |
| Auto-Update | β | β | β | β |
| Docker | β (multi-arch) | β | β | Varies |
| User Expiry Dates | β | β | β | β |
| Bandwidth Quotas | β | β | β | β |
| Device Limits | β | β | β | β |
| Tags & Templates | β | β | β | β |
| Encrypted Backups | β (AES-256) | β | β | β |
| Server Migration | β (tarball export/import) | β | β | β |
| Maintenance Mode | β (graceful RST) | β | β | β |
| Audit Log | β | β | β | β |
| Engine Tuning UI | β (whitelisted params) | β | Raw files | β |
| Active Development | β | β | Abandoned | Varies |
Why Not mtg?
mtg is solid and minimal, by design. It's "highly opinionated" and intentionally barebones. Fine for a single-user fire-and-forget proxy.
But mtg v2 dropped ad-tag support, only supports one secret, has no user limits, no management interface, and no auto-recovery.
Why Not the Official MTProxy?
Telegram's official MTProxy (C implementation) was last updated in 2019. No FakeTLS, no traffic masking, no per-user controls, manual compilation, no Docker.
Why Not a Simple Bash Installer?
Scripts like MTProtoProxyInstaller install a proxy and give you a link. That's it. No user management, no monitoring, no bot, no updates, no recovery.
MTProxyMax is not just an installer. It's a management platform that happens to install itself.
      Telegram Client
             │
             ▼
┌─────────────────────────┐
│  Your Server (port 443) │
│  ┌───────────────────┐  │
│  │  Docker Container │  │
│  │  ┌─────────────┐  │  │
│  │  │   telemt    │  │  │  ← Rust/Tokio engine
│  │  │  (FakeTLS)  │  │  │
│  │  └──────┬──────┘  │  │
│  └─────────┼─────────┘  │
│            │            │
│     ┌──────┴──────┐     │
│     ▼             ▼     │
│  Direct      SOCKS5     │  ← Upstream routing
│  routing     chaining   │
└─────────┬───────────────┘
          │
          ▼
   Telegram Servers
Master-Slave Replication (optional):
Master Server              Slave Server(s)
┌──────────────┐           ┌──────────────┐
│  mtproxymax  │──rsync──▶ │  mtproxymax  │
│  (systemd    │   +SSH    │  (receives   │
│   timer 60s) │           │   config)    │
└──────────────┘           └──────────────┘
| Component | Role |
|---|---|
| mtproxymax.sh | Single bash script: CLI, TUI, config manager |
| telemt | Rust MTProto engine running inside Docker |
| Telegram bot service | Independent systemd service polling Bot API |
| Replication sync service | systemd timer pushing config to slave servers |
| Prometheus endpoint | /metrics on port 9090 (localhost only) |
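A check for the "localhost only" property of the metrics endpoint listed in the table above, which matters because that endpoint carries per-user traffic statistics. This is an added example, not part of MTProxyMax; the function names are hypothetical and the sample `ss` lines are constructed.

```shell
#!/bin/sh
# Added example (not MTProxyMax code): verify that a port is bound to loopback
# only. Input is the output of `ss -H -ltn`; live usage would be:
#   ss -H -ltn | check_metrics_bind 9090

# Constructed sample input: metrics on loopback, proxy port on all interfaces.
SAMPLE_LOCAL='LISTEN 0 4096 127.0.0.1:9090 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*'

# Constructed sample input: metrics additionally bound to wildcard addresses.
SAMPLE_EXPOSED='LISTEN 0 4096 0.0.0.0:9090 0.0.0.0:*
LISTEN 0 4096 [::]:9090 [::]:*
LISTEN 0 4096 127.0.0.1:9090 0.0.0.0:*'

# Print every local address bound to port $1 that is not a loopback address.
exposed_listeners() {
    awk -v port="$1" '
    {
        addr = $4                          # "Local Address:Port" column
        pos = match(addr, /:[0-9]+$/)      # final colon, so IPv6 forms work
        if (pos == 0 || substr(addr, pos + 1) != port) next
        host = substr(addr, 1, pos - 1)
        sub(/%.*$/, "", host)              # strip an interface scope such as %lo
        if (host ~ /^127\./ || host == "[::1]") next
        print addr
    }'
}

# Exit status: 0 = loopback only, 1 = bound to a non-loopback address,
# 2 = nothing is listening on the port at all.
check_metrics_bind() (
    lines=$(cat)
    printf '%s\n' "$lines" |
        awk -v port="$1" '$4 ~ (":" port "$") { seen = 1 } END { exit !seen }' || exit 2
    exposed=$(printf '%s\n' "$lines" | exposed_listeners "$1")
    [ -z "$exposed" ] && exit 0
    printf 'exposed: %s\n' $exposed >&2
    exit 1
)
```

Wildcard binds (`0.0.0.0`, `*`, `[::]`) and IPv4-mapped addresses are all reported as exposed, so the check errs on the side of flagging.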
Proxy Management
mtproxymax install # Run installation wizard
mtproxymax uninstall # Remove everything
mtproxymax start # Start proxy
mtproxymax stop # Stop proxy
mtproxymax restart # Restart proxy
mtproxymax status # Show proxy status
mtproxymax digest # Executive summary report
mtproxymax ping-dc # Telegram DC latency benchmark
mtproxymax menu # Open interactive TUI
User Secrets
Core operations:
mtproxymax secret add <label> # Add user (optional: --template <name>)
mtproxymax secret remove <label> # Remove user (supports --dry-run)
mtproxymax secret list # List all users
mtproxymax secret list --tag <tag> # Filter list by tag
mtproxymax secret list --csv # Output as CSV for spreadsheets
mtproxymax secret info <label> # Full detail view (limits, traffic, link, QR)
mtproxymax secret search <query> # Find secrets by label or notes
mtproxymax secret rotate <label> # New key, same label
mtproxymax secret rotate --all # Bulk rotate (supports --dry-run)
mtproxymax secret clone <src> <new> # Duplicate with all limits
mtproxymax secret rename <old> <new> # Rename a secret
mtproxymax secret enable <label> # Re-enable user
mtproxymax secret disable <label> # Temporarily disable
mtproxymax secret disable-expired # Disable all expired secrets
mtproxymax secret link [label] # Show proxy link
mtproxymax secret qr [label] # Show QR code
mtproxymax secret generate-links [txt|html] # Bulk export all links
mtproxymax secret sub # Base64 subscription link feed
mtproxymax secret export-json # Export users as clean JSON
mtproxymax secret purge-disabled # Permanently purge disabled/expired
mtproxymax secret rename-prefix <o> <n> # Bulk rename matching prefix
mtproxymax secret note <label> [text] # Attach notes/description
mtproxymax secret logs <label> [lines] # Per-user activity log
Limits & Quotas:
mtproxymax secret setlimit <label> <type> <value> # Set individual limit
mtproxymax secret setlimits <label> <conns> <ips> <quota> [expires] # Set all limits
mtproxymax secret extend <label> <days> # Extend one secret's expiry
mtproxymax secret bulk-extend <days> # Extend all secrets' expiry
mtproxymax secret quota-reset <label> <day|off> # Monthly quota reset on day N
mtproxymax secret reset-traffic <label|all> # Reset traffic counters
Tags & Templates:
mtproxymax secret tag <label> <tag1,tag2> # Assign tags to a secret
mtproxymax secret untag <label> # Clear all tags
mtproxymax secret tags [label] # Show all tags or for one secret
mtproxymax template save <name> <conns> <ips> <quota> [expires] [notes]
mtproxymax template list # List saved templates
mtproxymax template apply <name> <label> # Apply template to existing secret
mtproxymax template delete <name>
mtproxymax secret add alice --template premium # Add with preset limits
Organization & Lifecycle:
mtproxymax secret sort [traffic|conns|date|name] # Reorder the list
mtproxymax secret top [traffic|conns] [N] # Top N users (default 5)
mtproxymax secret stats # Compact per-user overview
mtproxymax secret archive <label> # Soft-delete (restorable)
mtproxymax secret unarchive <label> # Restore from archive
mtproxymax secret archives # List archived secrets
mtproxymax secret export > file.csv # Export to CSV
mtproxymax secret import file.csv # Import from CSV
mtproxymax secret add-batch <l1> <l2> ... # Add many at once
mtproxymax secret remove-batch <l1> <l2> ... # Remove many at once
mtproxymax auto-rotate [N|off] # Global policy: auto-rotate older than N days
Configuration
mtproxymax port [get|<number>] # Get/set proxy port
mtproxymax ip [get|auto|<address>] # Get/set custom IP for proxy links
mtproxymax domain [get|clear|<host>] # Get/set FakeTLS domain
mtproxymax mask-backend [host:port] # Set mask backend for non-proxy traffic
mtproxymax mask-relay-bytes [N|0|clear] # Max bytes per dir on mask relay (0=unlimited)
mtproxymax tg-urls [get|set <field> <url>|clear] # Custom Telegram infra URLs
mtproxymax adtag set <hex> # Set ad-tag
mtproxymax adtag remove # Remove ad-tag
mtproxymax config # Show current engine config
Engine Tuning (advanced):
mtproxymax tune list # Show whitelisted tunable params + current values
mtproxymax tune get <param> # Show current value
mtproxymax tune set <param> <value> # Set a tunable (e.g. fake_cert_len, mask_relay_timeout_ms, log_level)
mtproxymax tune clear <param|all> # Clear one or all tunings
Tunings are applied via sed post-processing on the generated config.toml, which avoids TOML duplicate-key issues. Whitelisted params include: fake_cert_len, client_handshake, tg_connect, client_keepalive, client_ack, replay_check_len, replay_window_secs, ignore_time_skew, listen_backlog, max_connections, accept_permit_timeout_ms, prefer_ipv6, fast_mode, log_level, mask_relay_timeout_ms, mask_relay_idle_timeout_ms.
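One way to implement the approach described above, a whitelist check followed by sed post-processing that never leaves a key defined twice. This is an added example, not MTProxyMax's own code; the function names, the one-pair-per-line `key = value` layout, and the accepted value character set are assumptions.

```shell
#!/bin/sh
# Added example, not MTProxyMax code. Hypothetical names: TUNE_WHITELIST,
# tune_is_allowed, tune_render_value, apply_tuning, tune_demo.
# Assumes the generated file holds one "key = value" pair per line.

# Subset of the whitelisted parameters listed above.
TUNE_WHITELIST="fake_cert_len replay_window_secs listen_backlog max_connections log_level"

# Exact-match whitelist test: a name that is not listed never reaches sed.
tune_is_allowed() {
    for allowed in $TUNE_WHITELIST; do
        if [ "$allowed" = "$1" ]; then return 0; fi
    done
    return 1
}

# Render a value as a TOML literal. Only booleans, unsigned integers and short
# identifiers pass, which keeps quotes, newlines and sed metacharacters
# (/ & \) out of both the sed script and the config file.
tune_render_value() {
    case "$1" in
        true|false) printf '%s' "$1" ;;
        ''|-*|*[!A-Za-z0-9_-]*) return 1 ;;
        *[!0-9]*) printf '"%s"' "$1" ;;   # identifier, e.g. a log level
        *) printf '%s' "$1" ;;            # unsigned integer
    esac
}

# apply_tuning <config.toml> <param> <value>
# Rewrites an existing "param = ..." line in place, or appends one when the
# key is absent, so a key is never defined twice. The body runs in a subshell
# so its variables stay local.
apply_tuning() (
    file=$1
    param=$2
    tune_is_allowed "$param" || { echo "rejected param: $param" >&2; exit 2; }
    rendered=$(tune_render_value "$3") || { echo "rejected value for $param" >&2; exit 3; }
    tmp=$(mktemp "${file}.XXXXXX") || exit 1   # temp file next to the target
    if grep -q "^[[:space:]]*${param}[[:space:]]*=" "$file"; then
        sed "s/^\\([[:space:]]*${param}[[:space:]]*=\\).*/\\1 ${rendered}/" "$file" > "$tmp"
    else
        { cat "$file"; printf '%s = %s\n' "$param" "$rendered"; } > "$tmp"
    fi
    mv "$tmp" "$file"                          # swap in the finished file
)

# Demo on a constructed config: one override replaces a line, one is appended,
# and two hostile inputs are refused. Prints the resulting file.
tune_demo() (
    cfg=$(mktemp) || exit 1
    printf 'log_level = "normal"\nfake_cert_len = 2048\n' > "$cfg"
    apply_tuning "$cfg" fake_cert_len 4096
    apply_tuning "$cfg" listen_backlog 1024
    apply_tuning "$cfg" not_whitelisted 1 2>/dev/null || true
    apply_tuning "$cfg" log_level 'debug"; injected = 1' 2>/dev/null || true
    cat "$cfg"
    rm -f "$cfg"
)
```

Validating the value before it is interpolated matters as much as the name whitelist: an unchecked `/`, `&` or newline would change what the sed expression does.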
Profiles
mtproxymax profile save <name> # Snapshot current config
mtproxymax profile load <name> # Restore profile (auto-restarts)
mtproxymax profile list # List all saved profiles
mtproxymax profile delete <name> # Delete a profile
Backup, Restore & Migration
# Regular (unencrypted) backups
mtproxymax backup # Create a timestamped backup
mtproxymax restore <file> # Restore from a backup file
mtproxymax backups # List available backups
mtproxymax backup autoclean [days] # Delete backups older than N days
# Encrypted backups (AES-256 + PBKDF2)
mtproxymax backup --encrypt # Create encrypted backup (password prompt)
mtproxymax backup restore-encrypted <file> # Restore encrypted backup
# Or: mtproxymax restore --encrypted <file>
# Server migration (tarball-based: all settings, secrets, tags, bans, archives, profiles)
mtproxymax migrate export [file] # Export all state to a tarball
mtproxymax migrate import <file> # Import state from a tarball (auto-backs up current first)
The migrate workflow is perfect for server pivots: run migrate export on the old server, scp the tarball, then run migrate import on the new server. Replication config is preserved per-role.
Notifications & Bot
mtproxymax notify <message> # Send custom message via Telegram bot
mtproxymax telegram setup # Interactive bot setup
mtproxymax telegram status # Show bot status
mtproxymax telegram test # Send test message
mtproxymax telegram interval <hours> # Change report interval (1-168h)
mtproxymax telegram label <name> # Change server label in notifications
mtproxymax telegram alerts <on|off> # Enable/disable down/recovery alerts
mtproxymax telegram disable # Disable bot
mtproxymax telegram remove # Remove bot completely
Periodic Maintenance
mtproxymax sweep # Run all periodic tasks (called by bot loop every 5 min)
mtproxymax auto-rotate [N|off] # Auto-rotate secrets older than N days
# Monthly quota reset is per-secret: see `secret quota-reset` in User Secrets
Periodic tasks run automatically via the Telegram bot daemon's 5-min loop when it is installed. They can also be triggered manually via sweep or scheduled via cron.
Polish & Completion
mtproxymax completion # Emit bash tab-completion script
mtproxymax changelog # Show GitHub release notes since installed version
# Install bash completion (root):
sudo mtproxymax completion > /etc/bash_completion.d/mtproxymax
# Or in your shell:
eval "$(mtproxymax completion)"
Replication
mtproxymax replication setup # Interactive wizard (master/slave/standalone)
mtproxymax replication status # Role, timer state, last sync, slave list
mtproxymax replication add <host> [port] [label] # Register a slave server
mtproxymax replication remove <host_or_label> # Remove a slave
mtproxymax replication list # List all slaves
mtproxymax replication enable # Enable sync timer
mtproxymax replication disable # Disable sync timer
mtproxymax replication sync # Trigger immediate sync
mtproxymax replication test [host] # Test SSH connectivity to slave(s)
mtproxymax replication logs # Show sync log
mtproxymax replication reset # Remove all replication config
mtproxymax replication promote # Promote slave to master (failover)
Enterprise Commercial & Shield Suite
mtproxymax voucher create <cnt> <qta> <dys> # Generate batch voucher codes
mtproxymax voucher list [active|all] # List vouchers and redemption status
mtproxymax voucher revoke <code> # Revoke a voucher code
mtproxymax voucher redeem <code> [label] # Redeem voucher code locally
mtproxymax admin add <chat_id> <role> # Add role-based Telegram admin (superadmin/reseller)
mtproxymax admin remove <chat_id> # Remove role-based Telegram admin
mtproxymax admin list # List configured Telegram admins
mtproxymax portal [enable|disable|status] # Manage Self-Service HTML Status Portal
mtproxymax scanner-shield [enable|disable] # Manage Automated Shodan/Censys Threat Shield
Security & Routing
Geo-Blocking:
mtproxymax geoblock add <CC> # Block country
mtproxymax geoblock remove <CC> # Unblock country
mtproxymax geoblock list # List blocked countries
IP Banlist:
mtproxymax ban <ip|cidr> # Ban a specific IP/CIDR (iptables, survives reboots)
mtproxymax unban <ip|cidr> # Remove ban
mtproxymax bans # List banned IPs
Maintenance Mode:
mtproxymax maintenance on # Reject new connections gracefully (RST), keep existing alive
mtproxymax maintenance off # Restore normal operation
mtproxymax maintenance status # Check current state
Upstream Routing:
mtproxymax upstream list # List upstreams
mtproxymax upstream add <name> <type> <host:port> [user] [pass] [weight]
mtproxymax upstream remove <name> # Remove upstream
mtproxymax upstream test <name> # Test connectivity
mtproxymax sni-policy [mask|drop] # Unknown SNI action (mask=permissive, drop=strict)
Next-Gen Anti-DPI, QoS & DevOps Suite
Anti-DPI & Posture Hardening:
mtproxymax shield [on|off|status] # Toggle Kernel SYN Shield (>15 SYN/5s tarpit)
mtproxymax stealth [ultra|normal|status] # Hot-swap engine replay window and cache size
mtproxymax clamp-mss [on|off|status] # Align TCP MSS to PMTU preventing packet drops
mtproxymax domain-pool [add|remove|list] # Manage multi-domain SNI rotation pool
mtproxymax port-pool [add|remove|list] # Listen on multi-port fallback pool via kernel NAT
mtproxymax lockdown [on|off|status] # Engage emergency panic defense posture
Forensics & Watchdogs:
mtproxymax dpi-inspect # Run active 5-point Anti-DPI readiness scan (/100 score)
mtproxymax cover-watchdog [test|auto] # Probe cover domain pool & auto-rotate on censorship
mtproxymax abuse-watch # Scan users for abnormal bandwidth spikes (>50GB/day)
Bandwidth Shaping & Quotas:
mtproxymax qos [set <mbps>|off|status] # Linux tc token bucket per-IP bandwidth limiter
mtproxymax happy-hours [set <win>|off] # Define off-peak unmetered traffic windows
mtproxymax notify-expiry # Trigger proactive Telegram reminders (7d, 3d, 24h)
mtproxymax broadcast <message> # Send system announcement via Telegram bot
DevOps & Clustering Automation:
mtproxymax export-lb [haproxy|nginx] # Generate Layer-4 TCP load balancer config snippets
mtproxymax ddns [set|run|status|off] # Manage Cloudflare Dynamic DNS public IP updater
mtproxymax diag-dump # Create full forensic diagnostic bundle (.tar.gz)
mtproxymax snapshot [create|restore|list] # Manage point-in-time configuration tarballs
Operations, Briefings & Onboarding Suite:
mtproxymax backup send-tg [file] # Push backup archive directly to Telegram bot chat
mtproxymax daily-report [on|off|run] # Schedule automated morning executive briefing
mtproxymax ssh-shield [on|off|status] # Enable fail2ban SSH brute-force intrusion shield
mtproxymax net-grade # Benchmark international routing & calculate A+/A/B/C grade
mtproxymax onboard [label] # Interactive step-by-step user onboarding wizard
Performance, Diagnostics & Self-Healing Suite:
mtproxymax tcp-boost [on|off|status] # Activate Linux Kernel TCP BBR & Fast Open booster
mtproxymax tcp-clean [on|off|status] # Activate aggressive keep-alive dead mobile socket reaper
mtproxymax socket-boost [on|off] # Apply ultra-low latency kernel socket queue expansion
mtproxymax tls-pad [auto|off|rotate] # Dynamic FakeTLS certificate length jitter & randomization
mtproxymax honeypot [on|off|status] # Enable active probe decoy redirection & protection
mtproxymax leak-scan [thresh] # Detect multi-IP subscription sharing anomalies
mtproxymax cert-check [domain] # Inspect cover domain SSL/TLS certificate health
mtproxymax clone-link # Export one-line Base64 server replication bundle
mtproxymax bootstrap <base64> # Deploy cloned config bundle on a fresh node
mtproxymax heal # Run emergency RAM & dead socket cleanup immediately
mtproxymax auto-heal [on|off|status] # Enable background automated RAM/socket self-healer
mtproxymax tcp-fastpath [on|off] # TCP window scaling, SACK & path MTU probing optimizer
mtproxymax ram-tune [auto|off] # Auto-detect RAM & apply optimal TCP memory buffers
mtproxymax port-hop [add|remove|list] # Dynamic multi-port NAT range redirection
mtproxymax cpu-tune [on|off|status] # Multi-core IRQ packet spreading (RPS/RFS)
Monitoring
mtproxymax traffic # Per-user traffic breakdown
mtproxymax connections # Live active connections per user
mtproxymax metrics # Engine metrics dashboard
mtproxymax metrics live [seconds] # Auto-refresh metrics (default: 5s)
mtproxymax logs # Stream live logs
mtproxymax health # Quick health check
mtproxymax doctor # Comprehensive diagnostics (port, TLS, secrets, disk, bot)
mtproxymax verify # End-to-end install check (port, TLS, Telegram API, metrics)
mtproxymax port-check # Test if proxy port is reachable from outside
mtproxymax speedtest # Outbound bandwidth/latency test from server
mtproxymax uptime # One-line status (scriptable)
mtproxymax status [--json] # Proxy status (JSON for monitoring integrations)
mtproxymax info # Comprehensive server overview (OS, IPv4/IPv6, users, services)
mtproxymax history [lines] # Audit log of config changes
Engine & Updates
mtproxymax engine status # Show current engine version
mtproxymax engine rebuild # Force rebuild engine image
mtproxymax rebuild # Force rebuild from source
mtproxymax update # Check for script + engine updates
| Requirement | Details |
|---|---|
| OS | Ubuntu, Debian, CentOS, RHEL, Fedora, Rocky, AlmaLinux, Alpine |
| Docker | Auto-installed if not present |
| RAM | 256MB minimum |
| Access | Root required |
| Bash | 4.2+ |
| File | Purpose |
|---|---|
| /opt/mtproxymax/settings.conf | Proxy settings (port, domain, limits, tunings prefs) |
| /opt/mtproxymax/secrets.conf | User keys, limits, expiry dates |
| /opt/mtproxymax/secrets_archive.conf | Archived secrets (soft-deleted, restorable) |
| /opt/mtproxymax/secrets_tags.conf | User tags (label → comma-separated tags) |
| /opt/mtproxymax/secrets_quota_reset.conf | Per-secret monthly quota reset days |
| /opt/mtproxymax/templates.conf | Reusable limit templates |
| /opt/mtproxymax/tunings.conf | Engine parameter overrides (from tune set) |
| /opt/mtproxymax/banlist.conf | Banned IPs/CIDRs (iptables-backed) |
| /opt/mtproxymax/upstreams.conf | Upstream routing rules |
| /opt/mtproxymax/instances.conf | Multi-port instance config |
| /opt/mtproxymax/profiles/ | Saved config profiles (named snapshots) |
| /opt/mtproxymax/audit.log | Config change history |
| /opt/mtproxymax/connection.log | Per-user activity log |
| /opt/mtproxymax/mtproxy/config.toml | Generated telemt engine config |
| /opt/mtproxymax/backups/ | Automatic backups (auto-cleaned via BACKUP_RETENTION_DAYS) |
v1.2.0: Enterprise Commercial & Shield Suite, Next-Gen Anti-DPI, QoS Bandwidth Shaping & DevOps Clustering Suite
- Commercial Voucher & Gift Code System (mtproxymax voucher): Batch generation of MTP-XXXX-XXXX voucher codes with custom quotas and validity durations stored in vouchers.conf. Supports local and Telegram bot (/redeem) code redemption.
- Role-Based Access Control (mtproxymax admin): Multi-tier Telegram bot admin authorization governing superadmin and reseller privileges in admins.conf. Protects destructive operations while delegating voucher management.
- Decoupled Self-Service Status Portal (mtproxymax portal): Zero-dependency static HTML glassmorphism web dashboard (index.html) fed by periodic JSON engine exports (status.json, users.json) displaying live uptime and bandwidth stats.
- Automated Hostile Threat Scanner Shield (mtproxymax scanner-shield): High-speed kernel ipset hash sets (mtproxymax-scanners) importing and dropping traffic from Shodan, Censys, and Shadowserver mass probe subnets before hitting Docker container sockets.
- Active DPI Forensics (mtproxymax dpi-inspect): 5-point heuristic diagnostic engine evaluating cover domain reachability, certificate parity, SYN shield state, replay cache depth, and MSS clamping to compute an interactive 0-100 posture score.
- Self-Healing Cover Watchdog (mtproxymax cover-watchdog): Automated background daemon probing primary cover domain health every 60s, rotating to backup SNI pool candidates upon censorship or HTTP 5xx failures.
- Emergency Panic Lockdown (mtproxymax lockdown): One-click panic posture activation enabling SYN tarpits, Ultra-Stealth conntrack hardening, and MSS clamping via CLI or remote bot commands (/mp_lockdown).
- Multi-Port Listener Pool (mtproxymax port-pool): Listen on multiple fallback TCP ports simultaneously via automated kernel iptables NAT redirects without extra container runtime overhead.
- Linux Kernel QoS Shaping (mtproxymax qos): Hierarchical token bucket (tc) and hashlimit rate limiter restricting per-IP bandwidth consumption (e.g., 5 Mbps per IP).
- Happy Hours Quota Exclusions (mtproxymax happy-hours): Configures unmetered schedule windows where traffic bypasses user monthly quota accounting.
- Telegram Bot Command Center (mtproxymax secret qr, /mp_revoke, /mp_digest): 21 administrative chat commands plus multi-engine ASCII console QR rendering and automated expiry reminder dispatches (mtproxymax notify-expiry).
- DevOps Clustering & Snapshot Suite (export-lb, ddns, diag-dump, snapshot): Layer-4 HAProxy/Nginx PROXYv2 exporter, automated Cloudflare Dynamic DNS updater, forensics dump archiver, and point-in-time configuration tarball snapshots.
- Operations & Onboarding Suite (backup send-tg, daily-report, ssh-shield, net-grade, onboard): Direct cloud backups to Telegram bot admin chat, scheduled morning executive briefings, fail2ban SSH brute-force intrusion shielding, network quality grading benchmark, and smart user onboarding wizard.
- Performance & Self-Healing Suite (tcp-boost, tcp-clean, socket-boost, tls-pad, honeypot, tcp-fastpath, ram-tune, port-hop, cpu-tune, leak-scan, cert-check, clone-link, bootstrap, heal, auto-heal): Linux Kernel TCP BBR booster, aggressive keep-alive dead mobile socket reaper, ultra-low latency socket queue booster, dynamic FakeTLS record padding & length randomization, active probe decoy honeypot redirection, TCP fast-path window scaling & MTU probing, hardware-aware dynamic RAM buffer auto-tuning, kernel NAT port range shadowing for anti-throttling, multi-core IRQ packet spreading (RPS/RFS) with container fallback, multi-IP subscription sharing scanner, TLS cover domain certificate health verifier, one-line Base64 server replication cloner/bootstrapper, and emergency non-disruptive RAM/socket self-healer.
- Kernel SYN Shield (mtproxymax shield): Built-in iptables/nftables rate limiter (conntrack + recent module) that tarpits aggressive active probes (>15 SYN/5s per IP) before they reach application layer memory.
- Stealth Presets (mtproxymax stealth): Hot-swappable anti-replay hardening (normal vs ultra). Ultra reduces the replay window to 180s, expands nonce cache to 131,072 entries, and drops unknown SNI probes.
- TCP MSS Clamping (mtproxymax clamp-mss): Prevents MTU black hole drops and packet fragmentation via TCP FORWARD mangle hooks (--clamp-mss-to-pmtu).
- Multi-Domain SNI Pool (mtproxymax domain-pool): Rotate between multiple high-reputation cover domains (tls_domains = ["dom1.com", "dom2.com"]) within the same engine instance to evade single-domain DPI throttling.
- Auto Cert Synchronization (sync_domain_cert_len): Connects to cover domain every 24h via OpenSSL, measures live DER payload size, and dynamically synchronizes fake_cert_len to evade static certificate heuristics.
- Interactive TUI Menu: Dedicated ASCII dashboard (show_stealth_menu) under Settings [s] and Security [5].
- Executive Digest (mtproxymax digest): Instant ASCII summary board aggregating uptime, active socket counts, traffic totals, and Telegram bot daemon status
- Datacenter Benchmark (mtproxymax ping-dc): Live TCP handshake latency test against Telegram global datacenters DC1 through DC5 with fastest-DC detection
- Base64 Subscriptions (mtproxymax secret sub): Auto-generates standard Base64 proxy feeds compatible with third-party client auto-updaters
- JSON Export (mtproxymax secret export-json): Full user database dump formatted as JSON for external integrations
- Cleanup & Bulk Tools: Permanently purge disabled/expired records (secret purge-disabled) and bulk rename secret labels by prefix (secret rename-prefix)
- Upgraded telemt engine to v3.4.18 (7 upstream releases with TLS profile spoofing and async ME/MR queue backpressure)
- Added user quota rate limit API route GET /v1/stats/users/quota and exclusive masking mode
- Docker tmpfs cache and log rotation improvements
- Upgraded telemt engine to v3.4.11 (constant-time API auth, PROXY protocol pre-validation, bounded connections)
- Persistent per-user quota tracking (quota_state_path) and runtime quota reset API
- Added Telegram bot configuration options: report interval, server notification label, and down/recovery alert toggles
- Added secret tagging (secret tag/untag), reusable limit templates (template save/apply), and bulk operations
- Added tarball-based server migration (migrate export/import) and graceful maintenance mode (maintenance on/off)
- Added persistent iptables IP banlist (ban/unban), AES-256 encrypted backups, and engine parameter tuning (tune)
- Added user detail inspection (secret info), search (secret search), top rankings, and soft-delete archiving
- Added named configuration profiles (profile save/load) and external port reachability tester (port-check)
- Added custom mask backend routing (mask-backend) and scriptable uptime command
- Upgraded telemt engine to v3.4.8 with bounded relay queues and TLS 1.3 fronting correctness
- Added user duplication (secret clone), expiry extension (secret extend), and active connections view
- Added comprehensive server diagnostics (doctor) and instant long-polling Telegram bot response
- Added master/slave configuration replication (replication setup) via automated rsync+SSH sync
- Upgraded engine to v3.3.39 and introduced live Prometheus metrics console (metrics live)
- Added strict vs permissive unknown SNI handling policies (sni-policy)
- Added multi-port listener support, secret hot-reloading, and quota auto-disable at 100% consumption
- Introduced JSON monitoring outputs, connection activity logs, and country geo-blocking whitelist
- Atomic traffic counter persistence surviving restarts and server reboots with batched stats loading
- Added multi-user batch creation and removal (secret add-batch, secret remove-batch)
- Initial launch of MTProxyMax with telemt 3.x Rust engine, interactive TUI, CLI, FakeTLS, Telegram bot, and geo-blocking
Built on top of telemt, a high-performance MTProto proxy engine written in Rust/Tokio. All proxy protocol handling, FakeTLS, traffic masking, and per-user enforcement are powered by telemt.
For step-by-step tutorials with screenshots and detailed explanations, visit our guides on SamNet:
- Complete MTProto Proxy Setup Guide: full walkthrough covering install, multi-user management, FakeTLS, Telegram bot, proxy chaining, geo-blocking, replication, and ad-tag monetization.
- 3X-UI Panel Setup Guide: if you need VLESS/VMess/Reality/Trojan protocols alongside MTProto.
- Server Hardening Guide: secure your proxy server (SSH hardening, firewall rules, fail2ban).
- iptables Cheat Sheet: firewall rules reference for protecting your proxy.
- VPN Leak Test: verify your proxy is hiding your real IP.
- Port Scanner: check if your proxy port is accessible from the internet.
MIT License. See LICENSE for details.
The telemt engine (included as a Docker image) is licensed under the Telemt Public License 3 (TPL-3), a permissive license that allows use, redistribution, and modification with attribution.
Copyright (c) 2026 SamNet Technologies
