SamNet-dev/MTProxyMax

MTProxyMax

The Ultimate Telegram MTProto Proxy Manager

One script. Full control. Zero hassle.


MTProxyMax is a full-featured Telegram MTProto proxy manager powered by the telemt 3.x Rust engine. It wraps the raw proxy engine with an interactive TUI, a complete CLI, a Telegram bot for remote management, per-user access control, traffic monitoring, proxy chaining, and automatic updates — all in a single bash script.

sudo bash -c "$(curl -fsSL https://raw.githubusercontent.com/SamNet-dev/MTProxyMax/main/install.sh)"

Why MTProxyMax?

Most MTProxy tools give you a proxy and a link. That's it. MTProxyMax gives you a full management platform:

  • 🏢 Enterprise Commercial Suite — Batch gift code vouchers (voucher create/redeem), Role-Based Access Control (admin add), and static glassmorphism Status Portal (portal)
  • 🛡️ Automated Hostile Threat Shield — Live Shodan/Censys scanner blacklisting via ipset (scanner-shield)
  • 🛡️ Next-Gen Anti-DPI & Stealth Suite — Kernel SYN shield, TCP MSS clamping, multi-domain SNI pools, and active forensic inspection (dpi-inspect)
  • 🏎️ Bandwidth Shaping & Quotas — Linux tc per-IP QoS limits, off-peak Happy Hours quota exclusions, and automated Telegram abuse/expiry alerts
  • 🚨 Emergency Lockdown Switch — Instant panic posture hardening via CLI or Telegram bot (/mp_lockdown)
  • 🌐 DevOps & Clustering Automation — HAProxy/Nginx load balancer config exporter, Cloudflare DDNS updater, and forensic snapshots
  • 🔐 Multi-user secrets with individual bandwidth quotas, device limits, and expiry dates
  • 🏷️ Tags & templates — group users by category, onboard in seconds with reusable limit sets
  • 📅 Monthly quota reset — subscription-style automatic traffic resets per user
  • 🤖 Telegram bot with 21 administrative commands — manage users, view health digests, and trigger lockdowns from chat
  • 🗂️ Replication — sync config to slave servers automatically via rsync+SSH
  • 📦 Server migration — tarball-based export/import with one command
  • 💾 Encrypted backups — AES-256 backups with autoclean policy
  • 🖥️ Interactive TUI — no need to memorize commands, menu-driven setup
  • 📊 Prometheus metrics — real per-user traffic stats, not just iptables guesses
  • 🔗 Proxy chaining — route through SOCKS5 upstreams for extra privacy
  • 🚨 Maintenance mode + IP banlist — graceful pre-restart, fine-grained blocking
  • 🩺 Doctor, verify, audit log — comprehensive diagnostics and change history
  • ⚙️ Engine tuning — whitelisted parameter tuning without editing raw TOML
  • 🔄 Auto-recovery + auto-rotate — detects downtime, rotates aging secrets automatically
  • 🐳 Pre-built Docker images — installs in seconds, not minutes

🚀 Quick Start

One-Line Install

sudo bash -c "$(curl -fsSL https://raw.githubusercontent.com/SamNet-dev/MTProxyMax/main/install.sh)"

The interactive wizard walks you through everything: port, domain, first user secret, and optional Telegram bot setup.

Manual Install

curl -fsSL https://raw.githubusercontent.com/SamNet-dev/MTProxyMax/main/mtproxymax.sh -o mtproxymax
chmod +x mtproxymax
sudo ./mtproxymax install
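
Both install paths above execute a remotely fetched script as root. The following is an added example, not part of the project: it downloads the installer to disk, compares it with a SHA-256 digest recorded when the script was reviewed, and only then runs it. The function names are illustrative and `PINNED_SHA256` is a placeholder, since this page publishes no checksum.

```sh
#!/bin/sh
# Added example, not project code.
# Placeholder: replace with the digest of the copy of install.sh you reviewed.
# The URL tracks the mutable "main" branch, so a later upstream change makes the
# check fail, which is the cue to review the script again.
PINNED_SHA256="REPLACE_WITH_REVIEWED_SHA256"
INSTALL_URL="https://raw.githubusercontent.com/SamNet-dev/MTProxyMax/main/install.sh"

# Print the lowercase hex SHA-256 of a file.
sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# verify_pinned <file> <expected-hex>
# Returns 0 on match, 1 on mismatch, 2 on unusable input.
verify_pinned() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  case $expected in
    ''|*[!0-9a-f]*) echo "expected digest is not hex" >&2; return 2 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "expected digest must be 64 hex chars" >&2; return 2; }
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "digest mismatch: got $actual" >&2
  return 1
}

# fetch_and_install: HTTPS-only download to a private temp file, verify, run.
# Nothing is executed unless the digest matches.
fetch_and_install() {
  tmp=$(mktemp) || return 1
  if curl -fsSL --proto '=https' --tlsv1.2 "$INSTALL_URL" -o "$tmp" \
     && verify_pinned "$tmp" "$PINNED_SHA256"; then
    sudo bash "$tmp"
    rc=$?
  else
    echo "refusing to run unverified installer" >&2
    rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}

# Usage: set PINNED_SHA256 above, then call fetch_and_install
```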

After Install

mtproxymax           # Open interactive TUI
mtproxymax status    # Check proxy health

✨ Features

🛡️ FakeTLS V2 & Advanced Anti-DPI Defenses

Your proxy traffic looks identical to normal HTTPS traffic. The Fake TLS V2 engine mirrors real TLS 1.3 sessions — per-domain profiles, real cipher suites, dynamic certificate lengths, and realistic record fragmentation.

  • Multi-Domain SNI Pool (tls_domains): Rotate between multiple high-reputation cover domains (e.g., cloudflare.com,www.microsoft.com,www.google.com) within the same proxy engine instance to evade single-domain DPI throttling and SNI blacklisting (mtproxymax domain-pool <domains>).
  • Kernel SYN Shield: Built-in iptables/nftables rate limiter (conntrack + recent module) that tarpits aggressive DPI active scanners (>15 SYN packets in 5 seconds per IP) before they reach the application layer (mtproxymax shield on).
  • Stealth Presets (normal vs ultra): Hot-swappable anti-replay hardening (mtproxymax stealth ultra). ultra tightens the replay window to 180 seconds, expands the nonce cache to 131,072 entries, and drops unknown SNI probes immediately.
  • TCP MSS Clamping: Prevents MTU black hole drops and packet fragmentation by clamping the TCP Maximum Segment Size to the path MTU with --clamp-mss-to-pmtu (mtproxymax clamp-mss on).
  • Multi-Port Listener Pool: Listen on multiple fallback TCP ports simultaneously (e.g., 443, 8443, 2053) using automated kernel NAT redirection without spawning extra container instances (mtproxymax port-pool add <port>).
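
The Kernel SYN Shield threshold above (more than 15 SYNs in 5 seconds per source IP), replayed over a constructed SYN log as an added example; this is not MTProxyMax's code, and the log format, function names and addresses are assumptions. It also shows a side effect worth checking before enabling the shield: six devices behind one NAT address, each opening about three connections as this README states, arrive as 18 SYNs from a single IP.

```sh
#!/bin/sh
# Added illustration, not MTProxyMax code: replay the "more than 15 SYNs in
# 5 seconds per source IP" threshold over a SYN log and list who would trip it.
# Assumed log format: "<epoch_seconds> <source_ip>", one SYN per line,
# in time order for each source.

# syn_offenders <limit> <window_seconds>
# Reads the log on stdin; prints a source IP the first time its SYN count
# inside the sliding window (t - window, t] exceeds <limit>.
syn_offenders() {
  awk -v limit="$1" -v win="$2" '
    NF == 2 && $1 ~ /^[0-9]+$/ {
      t = $1 + 0; ip = $2
      if (!(ip in head)) head[ip] = 1
      tail[ip]++                       # append this SYN to the per-IP queue
      ts[ip, tail[ip]] = t
      # drop queue entries that have aged out of the window
      while (head[ip] < tail[ip] && ts[ip, head[ip]] <= t - win) {
        delete ts[ip, head[ip]]
        head[ip]++
      }
      n = tail[ip] - head[ip] + 1      # SYNs still inside the window
      if (n > limit && !(ip in seen)) { seen[ip] = 1; print ip }
    }'
}

# Constructed sample traffic (RFC 5737 documentation addresses).
sample_log() {
  awk 'BEGIN {
    # burst source: 40 SYNs inside 2 seconds
    for (i = 0; i < 40; i++) print 1000 + int(i / 20), "198.51.100.7"
    # six devices behind one NAT, ~3 connections each, reconnecting together
    for (i = 0; i < 18; i++) print 1000, "203.0.113.20"
    # a single device: 3 connections
    for (i = 0; i < 3; i++)  print 1000, "192.0.2.10"
    # exactly 15 SYNs in 5 seconds: at the limit, not over it
    for (i = 0; i < 15; i++) print 1000 + int(i / 3), "192.0.2.11"
    # slow and steady: 1 SYN per second for 30 seconds
    for (i = 0; i < 30; i++) print 1000 + i, "192.0.2.12"
  }'
}

# With the documented limit, both the burst source and the NAT group are listed.
sample_log | syn_offenders 15 5
```

In this replay a limit of 18 clears the NAT group while the burst source is still listed.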

🔬 Active DPI Forensics & Self-Healing Cover Watchdog

  • DPI Readiness Inspector (mtproxymax dpi-inspect): Runs an automated 5-point heuristic network forensic scan (cover domain reachability, certificate length parity, kernel SYN shield state, engine replay hardening preset, and TCP MSS clamping state) to assign your server a live Anti-DPI Hardening Score out of 100.
  • Automated Cover Watchdog (mtproxymax cover-watchdog auto): A self-healing background daemon. If state firewalls or ISP censors block or throttle your primary cover domain (returning HTTP 5xx or connection timeouts), the watchdog automatically rotates to the next available backup domain in your pool and reloads the proxy engine.

🚨 Emergency Panic Lockdown Switch

Instantly harden server posture under active censorship or DDoS attacks:

mtproxymax lockdown on

Activating lockdown instantly engages the Kernel SYN Shield, activates Ultra-Stealth conntrack hardening, enforces TCP MSS Clamping, and sends a priority broadcast alert to your Telegram administrator bot chat. You can also toggle lockdown remotely from Telegram via /mp_lockdown on.


🏎️ Per-IP Bandwidth Shaping (QoS) & Quota Intelligence

  • Kernel Traffic Shaping (mtproxymax qos set <mbps>): Uses Linux tc (Traffic Control) hierarchical token buckets and kernel firewall hashlimits to enforce strict per-IP speed limits (e.g., 5 Mbps per IP), preventing single users from saturating server uplink bandwidth.
  • Off-Peak Happy Hours (mtproxymax happy-hours set 02:00-08:00): Define unmetered schedule windows. Any traffic consumed during Happy Hours completely bypasses user monthly bandwidth quota depletion.
  • Proactive Expiry Notifications (mtproxymax notify-expiry): Scans active user accounts and dispatches automated direct Telegram reminder alerts 7 days, 3 days, and 24 hours prior to subscription expiration.
  • Abnormal Bandwidth Watchdog (mtproxymax abuse-watch): Monitors rolling 24-hour traffic consumption and flags suspicious accounts exceeding 50GB/day.

🌐 DevOps Clustering & Load Balancing Export

  • Layer-4 Load Balancer Exporter (mtproxymax export-lb [haproxy|nginx]): Generates production-ready HAProxy (haproxy.cfg) and Nginx Stream (nginx.conf) configuration snippets configured with TCP pass-through and PROXY Protocol v2 headers.
  • Cloudflare Dynamic DNS (mtproxymax ddns set <token> <zone_id> <record>): Automatically detects server public IP changes and updates Cloudflare DNS A records via API v4 (mtproxymax ddns run).
  • Forensic Diagnostics Dump (mtproxymax diag-dump): Bundles kernel networking state, routing tables, active iptables rules, container inspect logs, and a redacted settings archive into a clean .tar.gz diagnostic package.
  • Configuration Snapshots (mtproxymax snapshot create <name>): Creates self-contained point-in-time tarball snapshots of all proxy settings, secrets, upstreams, domain pools, and geoblocks with one-click restoration (mtproxymax snapshot restore <name>).

⚡ Operations, Briefings & Onboarding Suite

  • Direct Telegram Cloud Backups (mtproxymax backup send-tg): Pushes your latest server backup archive (.tar.gz) directly to your Telegram bot admin chat as a file attachment, ensuring offsite disaster recovery even if your VPS disk fails.
  • Morning Executive Briefing (mtproxymax daily-report on 08:00): Schedules an automated morning summary message detailing 24h traffic volume, active user counts, SYN shield interceptions, and expiring subscriptions.
  • SSH Intrusion Shield (mtproxymax ssh-shield on): Configures fail2ban kernel jails tuned specifically for MTProto proxy servers, automatically banning IP addresses attempting SSH password brute-force attacks.
  • Network Quality Grade (mtproxymax net-grade): Benchmarks DNS ping timers and TCP reachability against Telegram Datacenters (DC1–DC5) to calculate an instant server quality grade (A+, A, B, C/D).
  • Smart User Onboarding Wizard (mtproxymax onboard <label>): Step-by-step interactive command automating user creation, device tier assignment, monthly data quotas, expiry windows, and Telegram QR link generation.

🚀 Performance, Diagnostics & Self-Healing Suite

  • Linux Kernel TCP BBR & Fast Open Booster (mtproxymax tcp-boost on): Activates Google's TCP BBR congestion control algorithm and TCP Fast Open (tfo=3), doubling transfer speeds and eliminating packet-loss bottlenecks on international routes.
  • Dead Mobile Socket Keep-Alive Reaper (mtproxymax tcp-clean on): Configures aggressive low-latency kernel keep-alive timers (keepalive_time=300, intvl=15), automatically detecting and purging orphaned mobile 4G/LTE sockets within 45 seconds.
  • Ultra-Low Latency Kernel Socket Booster (mtproxymax socket-boost on): Expands listen backlog queues (somaxconn=65535) and optimizes buffer limits (notsent_lowat=16384) to eliminate packet bloat and reduce TCP handshake delays under burst concurrency.
  • Dynamic FakeTLS Record Padding & Jitter (mtproxymax tls-pad auto): Randomizes certificate payload lengths between 1500 and 3800 bytes dynamically during periodic maintenance cycles, evading AI/ML statistical packet size analysis.
  • Active Probe Honeypot & Decoy Protection (mtproxymax honeypot on): Engages kernel redirection posture so active censorship crawler bots without a valid MTProto secret are cleanly routed to your decoy cover domain.
  • Subscription Leak & Account Sharing Scanner (mtproxymax leak-scan 3): Scans active connection tables to identify and flag subscription keys connecting from more than 3 distinct IP subnets simultaneously.
  • TLS Cover Domain Health & Verifier (mtproxymax cert-check <domain>): Performs a deep SSL/TLS inspection of your FakeTLS cover domain (PROXY_DOMAIN), verifying HTTP status codes, expiration dates, and issuer chains to prevent ISP blocking.
  • One-Line VPS Cloner & Replication Bundle (mtproxymax clone-link / bootstrap): Compresses your upstreams, tuning profiles, ad-tag, and templates into a secure Base64 string and outputs a single one-line command (mtproxymax bootstrap <base64>) that mirrors your server onto any new node in 5 seconds.
  • Emergency RAM & Socket Auto-Healer (mtproxymax heal / auto-heal on): Reclaims dead OS pagecache, prunes orphaned TIME_WAIT sockets, and expands Netfilter conntrack headroom (nf_conntrack_max=262144) with zero disruption to active proxy users.
  • TCP Fast-Path Window Scaling & MTU Probing (mtproxymax tcp-fastpath on): Enables RFC-compliant TCP window scaling, Selective Acknowledgments (SACK), and automatic Path MTU discovery to maximize throughput on variable-MTU international links.
  • Dynamic RAM Auto-Tuning (mtproxymax ram-tune auto): Inspects total server physical memory and auto-calculates safe TCP read/write buffer ceilings and kernel min_free_kbytes thresholds, preventing OOM crashes on small VPS while unlocking full throughput on large servers.
  • Dynamic Port Range Shadowing (mtproxymax port-hop add 2000:2050): Configures kernel-level iptables/nftables NAT port redirection over arbitrary port blocks, allowing instant client port-hopping during ISP throttling events without proxy engine restarts.
  • Multi-Core IRQ Packet Spreading (mtproxymax cpu-tune on): Distributes incoming encrypted packet processing across all available CPU cores via Linux Receive Packet Steering (RPS/RFS), with automatic containerization fallback detection for LXC/OpenVZ environments.

🏢 Enterprise Commercial Suite (Vouchers, RBAC & Status Portal)

  • Commercial Voucher & Gift Code System (mtproxymax voucher [create|list|revoke|redeem]): Monetize or distribute proxy access cleanly without requiring manual administrator intervention for each user.
    • Generates secure batch voucher codes formatted as MTP-XXXX-XXXX with customizable data quotas (e.g., 10G, 50G, 0 for unlimited) and validity durations (e.g., 30 days).
    • Vouchers are tracked in ${INSTALL_DIR}/vouchers.conf with full audit metadata (ACTIVE, REDEEMED, REVOKED, creation timestamp, and redemption account label).
    • Users or resellers can redeem vouchers locally via mtproxymax voucher redeem <code> [label] or remotely via Telegram bot command /redeem <code>, instantly provisioning a dedicated proxy secret with exact quota and device ceilings enforced.
  • Role-Based Access Control (mtproxymax admin [add|remove|list]): Multi-tier administrative access governance for your Telegram management bot.
    • Configures role hierarchies stored in ${INSTALL_DIR}/admins.conf:
      • superadmin: Full access to all 21 administrative commands, including destructive engine restarts (/mp_restart), emergency lockdowns (/mp_lockdown), bot removals (/mp_remove), and self-updates (/mp_update).
      • reseller: Delegated commercial management rights restricted to voucher redemption (/redeem), voucher batch generation (/mp_voucher create <cnt> <qta> <dys>), and voucher inventory auditing (/mp_voucher list). Destructive engine commands are automatically blocked with security violation logging.
  • Decoupled Self-Service Status Portal (mtproxymax portal [enable|disable|port|generate|serve|status]): Lightweight, zero-dependency static web dashboard designed for client self-service and transparent uptime reporting.
    • Generates an ultra-responsive, modern dark-mode glassmorphism HTML page (index.html) stored in ${INSTALL_DIR}/portal/.
    • During periodic engine sweeps (sweep()), MTProxyMax automatically exports real-time system metrics (status.json) and anonymized user leaderboard statistics (users.json).
    • Clients can view live proxy uptime, server bandwidth consumption, active connection counts, and individual quota progress directly from any browser without exposing administrative interfaces or requiring backend script execution.
    • Can be served via built-in foreground test server (mtproxymax portal serve) or hosted instantly behind Nginx/HAProxy/Cloudflare Pages.

🛡️ Automated Hostile Threat Scanner Shield

  • Proactive Shodan & Censys Threat Blocking (mtproxymax scanner-shield [enable|disable|update|status]): Protects your proxy server from automated Internet-wide discovery engines and hostile security scanners.
    • Initializes high-performance kernel memory hash sets (ipset table mtproxymax-scanners) with capacity for up to 65,536 network CIDRs.
    • Automatically imports and blacklists well-known hostile mass scanning subnets (including Shodan, Censys, and Shadowserver probe networks such as 162.142.125.0/24, 167.94.138.0/24, 71.6.135.0/24, etc.).
    • Incoming packets from scanner IPs are silently dropped at the Netfilter kernel boundary before reaching the Docker proxy container or triggering SYN cookie thresholds, keeping your server completely invisible to threat discovery feeds.

🚨 Censorship Emergency Playbook (When ISPs Block Your Proxy)

If users report sudden connection drops or severe DPI throttling during internet disruptions, execute this 3-step recovery posture:

  1. Engage Instant Lockdown & Check Posture Score:
    mtproxymax lockdown on
    mtproxymax dpi-inspect
  2. Add Backup Cover Domains & Fallback Ports:
    mtproxymax domain-pool add www.microsoft.com,www.google.com
    mtproxymax port-pool add 8443
  3. Activate Automated Watchdog & Bandwidth Shaping:
    mtproxymax cover-watchdog auto
    mtproxymax qos set 5

👥 Multi-User Secret Management

Each user gets their own secret key with a human-readable label:

  • Add/remove users instantly — config regenerates and proxy hot-reloads
  • Enable/disable access without deleting the key
  • Rotate a user's secret — new key, same label, old link stops working
  • QR codes — scannable directly in Telegram

🔒 Per-User Access Control

Fine-grained limits enforced at the engine level:

| Limit | Description | Example | Best For |
|---|---|---|---|
| Max Connections | Concurrent TCP connections (~3 per device) | 15 | Device limiting |
| Max IPs | Unique IP addresses allowed | 5 | Anti-sharing / abuse |
| Data Quota | Lifetime bandwidth cap | 10G, 500M | Fair usage |
| Expiry Date | Auto-disable after date | 2026-12-31 | Temporary access |

Tip: Each Telegram app opens ~3 TCP connections (one per DC). So for device limiting, multiply by 3: conns 15 ≈ max 5 devices. Setting below 5 will likely break even a single device. IP limits are less reliable because mobile users roam between cell towers (briefly showing 2 IPs for 1 device), and multiple devices behind the same WiFi share 1 IP. Use ips as a secondary anti-sharing measure.

Traffic and quotas are lifetime (cumulative), not monthly. They don't auto-reset. Use mtproxymax secret reset-traffic <label> to manually reset counters, or rotate the secret.

mtproxymax secret setlimits alice 100 5 10G 2026-12-31

📋 User Management Recipes

Limit Devices Per User (Recommended)
mtproxymax secret setlimit alice conns 5    # Single device (~3 conns per device, with headroom)
mtproxymax secret setlimit family conns 15  # Family — up to 5 devices

Each Telegram app opens ~3 TCP connections. Setting conns 5 allows one device with headroom. If someone shares their link, the second device will hit the limit.

Device Limit Tiers

| Scenario | conns | ips (optional) |
|---|---|---|
| Single person, one device | 1 | 2 (allow roaming) |
| Single person, multiple devices | 3 | 5 |
| Small family | 5 | 10 |
| Small group / office | 30 | 50 |
| Public/open link | 0 | 0 (unlimited) |

Set ips slightly higher than conns to allow for mobile roaming (cell tower switches temporarily show 2 IPs for 1 device).

Time-Limited Sharing Link
mtproxymax secret add shared-link
mtproxymax secret setlimits shared-link 50 30 10G 2026-06-01

When the expiry date hits, the link stops working automatically.

Per-Person Keys (Recommended)
mtproxymax secret add alice
mtproxymax secret add bob
mtproxymax secret add charlie

# Each person gets their own link — revoke individually
mtproxymax secret setlimit alice conns 10   # ~3 devices
mtproxymax secret setlimit bob conns 5     # 1 device
mtproxymax secret setlimit charlie conns 15 # ~5 devices

Disable, Rotate, Remove
mtproxymax secret disable bob    # Temporarily cut off
mtproxymax secret enable bob     # Restore access

mtproxymax secret rotate alice   # New key, old link dies instantly

mtproxymax secret remove bob     # Permanent removal

🤖 Telegram Bot (21 Commands)

Full proxy management from your phone. Setup takes 60 seconds:

mtproxymax telegram setup

| Command | Description |
|---|---|
| /mp_status | Proxy status, uptime, connections |
| /mp_secrets | List all users with active connections |
| /mp_link | Get proxy details + QR code image |
| /mp_add <label> | Add new user |
| /mp_remove <label> | Delete user |
| /mp_revoke <label> | Revoke and purge a user secret immediately |
| /mp_rotate <label> | Generate new key for user |
| /mp_enable <label> | Re-enable disabled user |
| /mp_disable <label> | Temporarily disable user |
| /mp_lockdown [on\|off] | Toggle emergency panic lockdown defensive posture |
| /mp_digest | View live executive health, posture, and traffic digest box |
| /mp_limits | Show all user limits |
| /mp_setlimit | Set user limits |
| /mp_traffic | Per-user traffic breakdown |
| /mp_upstreams | List proxy chains |
| /mp_health | Run diagnostics |
| /mp_restart | Restart proxy |
| /mp_update | Check for updates |
| /mp_help | Show all commands |

Automatic alerts & announcements:

  • 🚨 Emergency Lockdown activated → immediate posture alert
  • 📢 System Broadcasts (mtproxymax broadcast <msg>) sent directly to admin chat
  • ⏰ Proactive Expiry Alerts sent 7d, 3d, and 24h prior to account expiration
  • 🔴 Proxy down → instant notification + auto-restart attempt
  • 🟢 Proxy started → sends connection details + QR codes
  • 📊 Periodic traffic reports at your chosen interval

🗂️ Replication (Master-Slave Config Sync)

Keep multiple proxy servers in sync automatically. The master pushes config changes to all slaves via rsync+SSH on a configurable interval. Slaves receive secrets.conf, upstreams.conf, instances.conf, and config.toml — their own role settings and local state are never overwritten.

Setup takes two commands:

# On master — run wizard, select Master, add slave
mtproxymax replication setup

# On slave — run wizard, select Slave
mtproxymax replication setup

How it works:

  • Master generates a self-contained sync script at /opt/mtproxymax/mtproxymax-sync.sh
  • A systemd timer fires every N seconds (default: 60) and runs the sync
  • On change — proxy container on slave is automatically restarted
  • settings.conf and replication.conf are always excluded — slave role is never overwritten

mtproxymax replication status     # Show role, timer state, last sync
mtproxymax replication sync       # Trigger immediate sync
mtproxymax replication logs       # View sync log
mtproxymax replication test       # Test SSH connectivity to all slaves
mtproxymax replication promote    # Promote slave to master (failover)

Roles:

| Role | Description |
|---|---|
| Master | Pushes config to slaves on schedule |
| Slave | Receives config, read-only. Changes must be made on master |
| Standalone | Replication disabled (default) |


🔗 Proxy Chaining (Upstream Routing)

Route traffic through intermediate servers:

# Route 20% through Cloudflare WARP
mtproxymax upstream add warp socks5 127.0.0.1:40000 - - 20

# Route through a backup VPS
mtproxymax upstream add backup socks5 203.0.113.50:1080 user pass 80

# Hostnames are supported (resolved by the engine)
mtproxymax upstream add remote socks5 my-proxy.example.com:1080 user pass 50

Supports SOCKS5 (with auth), SOCKS4, and direct routing with weight-based load balancing. Addresses can be IPs or hostnames.


📊 Real-Time Traffic Monitoring

Prometheus metrics give you real per-user stats:

mtproxymax traffic       # Per-user breakdown
mtproxymax status        # Overview with connections count

  • Bytes uploaded/downloaded per user
  • Active connections per user
  • Cumulative tracking across restarts

🌍 Geo-Blocking

mtproxymax geoblock add ir    # Block Iran
mtproxymax geoblock add cn    # Block China
mtproxymax geoblock list      # See blocked countries

IP-level CIDR blocklists enforced via iptables — traffic is dropped before reaching the proxy.


💰 Ad-Tag Monetization

mtproxymax adtag set <hex_from_MTProxyBot>

Get your ad-tag from @MTProxyBot. Users see a pinned channel — you earn from the proxy.


⚙️ Engine Management

mtproxymax engine status              # Current engine version
mtproxymax engine rebuild             # Force rebuild engine image
mtproxymax rebuild                    # Force rebuild from source

Engine updates are delivered through mtproxymax update. Pre-built multi-arch Docker images (amd64 + arm64) are pulled automatically. Source compilation is the automatic fallback.


🌐 Custom Telegram URLs (Restricted Regions)

For regions where core.telegram.org is blocked, the engine can fetch proxy configuration from a custom mirror:

mtproxymax tg-urls                                                    # Show current URLs
mtproxymax tg-urls set secret https://mirror.example.com/getProxySecret
mtproxymax tg-urls set config-v4 https://mirror.example.com/getProxyConfig
mtproxymax tg-urls set config-v6 https://mirror.example.com/getProxyConfigV6
mtproxymax tg-urls clear                                              # Reset to defaults

Also available in TUI: Settings > [u] Custom Telegram URLs.


🩺 Doctor & Diagnostics

Single command that checks everything — Docker, engine, port, metrics, TLS cert, secrets, disk space, Telegram bot:

mtproxymax doctor

More targeted checks:

mtproxymax port-check     # Test if port is reachable from outside
mtproxymax connections    # Live active connections per user
mtproxymax uptime         # One-line status (scriptable)
mtproxymax config         # Display current engine config

💾 Config Profiles

Save and restore entire configurations (settings + secrets + upstreams) as named snapshots. Useful for switching between stealth/debug/production setups:

mtproxymax profile save stealth       # Snapshot current config
mtproxymax profile list               # List saved profiles
mtproxymax profile load stealth       # Restore + auto-restart
mtproxymax profile delete stealth

📦 Bulk Operations & Search

Managing many users? These commands scale to hundreds of secrets:

mtproxymax secret info <label>              # Full view of one user
mtproxymax secret search <query>            # Find by label or notes
mtproxymax secret top [traffic|conns]       # Top 5 users right now
mtproxymax secret sort [traffic|conns|date|name]  # Reorder list
mtproxymax secret stats                     # Compact overview: traffic/quota/expiry %
mtproxymax secret generate-links [txt|html] # Bulk export all links (HTML includes QR codes)
mtproxymax secret export > backup.csv       # Export to CSV
mtproxymax secret import backup.csv         # Import from CSV
mtproxymax secret archive <label>           # Soft-delete (restorable)
mtproxymax secret unarchive <label>         # Restore from archive
mtproxymax secret clone <src> <new>         # Duplicate with all limits
mtproxymax secret bulk-extend <days>        # Extend all expiry dates
mtproxymax secret disable-expired           # Auto-disable all expired secrets
mtproxymax secret purge-disabled            # Permanently purge disabled/expired secrets
mtproxymax secret sub                       # Generate Base64 subscription link feed
mtproxymax secret export-json               # Export user database formatted as JSON
mtproxymax secret rename-prefix <old> <new> # Bulk rename labels matching prefix

🏷️ Tags & Templates

Tag users to group them logically (family, work, beta, premium), then run bulk operations by tag:

mtproxymax secret tag alice family,premium    # Assign tags
mtproxymax secret list --tag family            # Filter by tag
mtproxymax secret tags                         # Show all tags
mtproxymax secret untag alice                  # Clear tags

Save reusable limit templates to quickly onboard users:

mtproxymax template save premium 15 5 50G 2026-12-31 "Premium tier"
mtproxymax template list
mtproxymax secret add alice --template premium    # Apply at creation
mtproxymax template apply premium bob             # Apply to existing secret

Also available in TUI: Secrets > [y] Tags / [k] Templates.


📅 Monthly Quota Reset & Auto-Rotate

Automatic scheduled operations — no cron setup required (runs from the Telegram bot's 5-min maintenance loop):

# Per-secret monthly reset — resets traffic counter on day N of each month (handles short months)
mtproxymax secret quota-reset alice 1          # Reset on the 1st
mtproxymax secret quota-reset bob 15           # Reset on the 15th
mtproxymax secret quota-reset alice off        # Disable

# Global auto-rotate — rotates secrets older than N days
mtproxymax auto-rotate 90                      # Rotate every 90 days
mtproxymax auto-rotate off                     # Disable

# Bulk rotate with dry-run
mtproxymax secret rotate --all --dry-run       # Preview
mtproxymax secret rotate --all                 # Do it

TUI: Secrets > [q] Monthly reset and [r] Rotate all, Settings > [a] Auto-rotate policy.


🚨 Maintenance Mode & IP Banlist

Maintenance mode rejects new connections with TCP RST while keeping existing sessions alive. Perfect for graceful pre-restart announcements:

mtproxymax maintenance on          # Reject new clients
mtproxymax maintenance status      # Check current state
mtproxymax maintenance off         # Restore

IP banlist — block specific IPs/CIDRs at the firewall level (survives reboots):

mtproxymax ban 192.0.2.0/24        # Ban a subnet
mtproxymax ban 1.2.3.4              # Ban a single IP
mtproxymax bans                     # List all bans
mtproxymax unban 1.2.3.4            # Remove ban

Different from geo-blocking (which works by country). Both can run together.


💾 Encrypted Backups & Server Migration

Encrypted backups — AES-256-CBC with PBKDF2 key derivation (100k iterations). The password is entered interactively and passed to openssl via an environment variable (hidden from ps aux):

mtproxymax backup --encrypt                # Create (password prompt)
mtproxymax backup restore-encrypted file.tar.gz.enc
mtproxymax backup autoclean 30             # Delete backups older than 30 days

Set BACKUP_RETENTION_DAYS in settings.conf for automatic cleanup via the bot's sweep loop.
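
The scheme described above (AES-256-CBC, PBKDF2 with 100k iterations, passphrase handed to openssl through the environment) written out with the stock openssl CLI. This is an added sketch, not MTProxyMax's own backup code; `BACKUP_PASSPHRASE` and the function names are assumptions.

```sh
#!/bin/sh
# Added example, not MTProxyMax code. BACKUP_PASSPHRASE and the function names
# are assumptions made for this sketch.
#
# Weak form, for contrast: the passphrase is part of argv, so any local user
# can read it from `ps aux` while openssl runs:
#   openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -pass pass:"$pw" -in a -out b
#
# -pass env: keeps it out of argv. It is still readable through
# /proc/<pid>/environ by the same user and by root, so unset it once done.
# openssl enc gives confidentiality only; CBC output is not authenticated.

OPENSSL_OPTS="-aes-256-cbc -salt -pbkdf2 -iter 100000 -pass env:BACKUP_PASSPHRASE"

# Read the passphrase from the terminal without echoing it.
prompt_passphrase() {
  printf 'Backup passphrase: ' >&2
  stty -echo
  IFS= read -r BACKUP_PASSPHRASE
  stty echo
  printf '\n' >&2
}

_need_passphrase() {
  [ -n "${BACKUP_PASSPHRASE:-}" ] || { echo "BACKUP_PASSPHRASE is not set" >&2; return 2; }
}

# backup_encrypt <plain-archive> <encrypted-out>
backup_encrypt() {
  _need_passphrase || return 2
  ( umask 077   # output readable by the owner only
    # The VAR=value prefix exports the passphrase to this one process only.
    BACKUP_PASSPHRASE=$BACKUP_PASSPHRASE openssl enc $OPENSSL_OPTS -in "$1" -out "$2" )
}

# backup_decrypt <encrypted-in> <plain-out>
backup_decrypt() {
  _need_passphrase || return 2
  ( umask 077
    BACKUP_PASSPHRASE=$BACKUP_PASSPHRASE openssl enc -d $OPENSSL_OPTS -in "$1" -out "$2" )
}

# Usage: prompt_passphrase; backup_encrypt backup.tar.gz backup.tar.gz.enc; unset BACKUP_PASSPHRASE
```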

Server migration — pack everything into a tarball and transfer:

# On old server
mtproxymax migrate export                      # → /tmp/mtproxymax-migrate-YYYYMMDD-HHMMSS.tar.gz
scp /tmp/mtproxymax-migrate-*.tar.gz new-server:/tmp/

# On new server
mtproxymax migrate import /tmp/mtproxymax-migrate-*.tar.gz
# Auto-backs up current state first, then restarts

Includes: settings, secrets, upstreams, instances, tags, archives, banlist, profiles. Replication role is preserved per-server.


⚙️ Engine Tuning

Expose advanced engine parameters without editing raw TOML — changes are merged into the generated config.toml on every reload:

mtproxymax tune list                       # Show whitelisted params + current overrides
mtproxymax tune set fake_cert_len 4096     # Larger fake cert
mtproxymax tune set log_level debug        # Verbose logging
mtproxymax tune set mask_relay_timeout_ms 120000   # 2-minute mask relay timeout
mtproxymax tune clear log_level            # Revert one to default
mtproxymax tune clear all                  # Revert all

Whitelisted params are regex-validated on input. Invalid values are rejected. Also available in TUI: Settings > [n] Engine tuning.


✅ Verify & Audit

verify runs an end-to-end install check — Docker running, port bound, TLS handshake succeeds, domain reachable, Telegram API reachable, bot token valid:

mtproxymax verify

history shows an audit log of config changes (secret add/remove/rotate, domain changes, etc.) with timestamps:

mtproxymax history 100        # Last 100 events

speedtest measures outbound bandwidth and latency:

mtproxymax speedtest

digest displays an executive summary dashboard of uptime, sockets, traffic totals, and bot status:

mtproxymax digest

ping-dc benchmarks TCP handshake latency to global Telegram datacenters (DC1–DC5):

mtproxymax ping-dc

🐚 Bash Completion

Get tab-completion for all commands:

sudo mtproxymax completion > /etc/bash_completion.d/mtproxymax
source /etc/bash_completion.d/mtproxymax
# Now: mtproxymax <TAB> or mtproxymax secret <TAB> works

📊 Comparison

MTProxyMax vs Other Solutions

| Feature | MTProxyMax v1.2 | mtg v2 (Go) | Official MTProxy (C) | Bash Installers |
|---|---|---|---|---|
| Engine | telemt 3.x (Rust) | mtg (Go) | MTProxy (C) | Various |
| FakeTLS V2 | ✅ | ✅ | ❌ (needs patches) | Varies |
| Active DPI Forensics (dpi-inspect) | ✅ (Score /100) | ❌ | ❌ | ❌ |
| Self-Healing Cover Watchdog | ✅ | ❌ | ❌ | ❌ |
| Emergency Lockdown Switch | ✅ | ❌ | ❌ | ❌ |
| Kernel SYN Shield (Tarpit) | ✅ (>15 SYN/5s) | ❌ | ❌ | ❌ |
| Per-IP Bandwidth Shaping (QoS) | ✅ (Linux tc) | ❌ | ❌ | ❌ |
| Off-Peak Happy Hours | ✅ | ❌ | ❌ | ❌ |
| Multi-Port Pool Listeners | ✅ (Kernel NAT) | ❌ | Multi-process | Varies |
| Multi-Domain SNI Pools | ✅ | ❌ | ❌ | ❌ |
| TCP MSS Clamping | ✅ | ❌ | ❌ | ❌ |
| Layer-4 LB Exporter (HAProxy/Nginx) | ✅ | ❌ | ❌ | ❌ |
| Cloudflare Dynamic DNS (DDNS) | ✅ | ❌ | ❌ | ❌ |
| Configuration Snapshots | ✅ | ❌ | ❌ | ❌ |
| Traffic Masking | ✅ | ✅ | ❌ | ❌ |
| Multi-User Secrets | ✅ (unlimited) | ❌ (1 secret) | Multi-secret | Usually 1 |
| Per-User Limits | ✅ (conns, IPs, quota, expiry) | ❌ | ❌ | ❌ |
| Per-User Traffic Stats | ✅ (Prometheus) | ❌ | ❌ | ❌ |
| Telegram Bot | ✅ (21 commands) | ❌ | ❌ | ❌ |
| Interactive TUI | ✅ | ❌ | ❌ | ❌ |
| Proxy Chaining | ✅ (SOCKS5/4, weighted) | ✅ (SOCKS5) | ❌ | ❌ |
| Master-Slave Replication | ✅ (rsync+SSH, systemd) | ❌ | ❌ | ❌ |
| Geo-Blocking | ✅ | IP allowlist/blocklist | ❌ | ❌ |
| Ad-Tag Support | ✅ | ❌ (removed in v2) | ✅ | Varies |
| QR Code Generation | ✅ | ❌ | ❌ | Some |
| Auto-Recovery | ✅ (with alerts) | ❌ | ❌ | ❌ |
| Auto-Update | ✅ | ❌ | ❌ | ❌ |
| Docker | ✅ (multi-arch) | ✅ | ❌ | Varies |
| User Expiry Dates | ✅ | ❌ | ❌ | ❌ |
| Bandwidth Quotas | ✅ | ❌ | ❌ | ❌ |
| Device Limits | ✅ | ❌ | ❌ | ❌ |
| Tags & Templates | ✅ | ❌ | ❌ | ❌ |
| Encrypted Backups | ✅ (AES-256) | ❌ | ❌ | ❌ |
| Server Migration | ✅ (tarball export/import) | ❌ | ❌ | ❌ |
| Maintenance Mode | ✅ (graceful RST) | ❌ | ❌ | ❌ |
| Audit Log | ✅ | ❌ | ❌ | ❌ |
| Engine Tuning UI | ✅ (whitelisted params) | ❌ | Raw files | ❌ |
| Active Development | ✅ | ✅ | Abandoned | Varies |

Why Not mtg?

mtg is solid and minimal — by design. It's "highly opinionated" and intentionally barebones. Fine for a single-user fire-and-forget proxy.

But mtg v2 dropped ad-tag support, only supports one secret, has no user limits, no management interface, and no auto-recovery.

Why Not the Official MTProxy?

Telegram's official MTProxy (C implementation) was last updated in 2019. No FakeTLS, no traffic masking, no per-user controls, manual compilation, no Docker.

Why Not a Simple Bash Installer?

Scripts like MTProtoProxyInstaller install a proxy and give you a link. That's it. No user management, no monitoring, no bot, no updates, no recovery.

MTProxyMax is not just an installer — it's a management platform that happens to install itself.


πŸ—οΈ Architecture

Telegram Client
      β”‚
      β–Ό
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚  Your Server (port 443) β”‚
β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”‚
β”‚  β”‚  Docker Container  β”‚  β”‚
β”‚  β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”‚  β”‚
β”‚  β”‚  β”‚   telemt     β”‚  β”‚  β”‚  ← Rust/Tokio engine
β”‚  β”‚  β”‚  (FakeTLS)   β”‚  β”‚  β”‚
β”‚  β”‚  β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”˜  β”‚  β”‚
β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β”‚
β”‚            β”‚             β”‚
β”‚     β”Œβ”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”     β”‚
β”‚     β–Ό             β–Ό     β”‚
β”‚  Direct      SOCKS5     β”‚  ← Upstream routing
β”‚  routing     chaining   β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
          β”‚
          β–Ό
   Telegram Servers


Master-Slave Replication (optional):

  Master Server              Slave Server(s)
  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”           β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
  β”‚ mtproxymax   │──rsync──▢ β”‚ mtproxymax   β”‚
  β”‚ (systemd     β”‚   +SSH    β”‚ (receives    β”‚
  β”‚  timer 60s)  β”‚           β”‚  config)     β”‚
  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜           β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
Component Role
mtproxymax.sh Single bash script: CLI, TUI, config manager
telemt Rust MTProto engine running inside Docker
Telegram bot service Independent systemd service polling Bot API
Replication sync service systemd timer pushing config to slave servers
Prometheus endpoint /metrics on port 9090 (localhost only)

📖 CLI Reference

Proxy Management

mtproxymax install              # Run installation wizard
mtproxymax uninstall            # Remove everything
mtproxymax start                # Start proxy
mtproxymax stop                 # Stop proxy
mtproxymax restart              # Restart proxy
mtproxymax status               # Show proxy status
mtproxymax digest               # Executive summary report
mtproxymax ping-dc              # Telegram DC latency benchmark
mtproxymax menu                 # Open interactive TUI

User Secrets

Core operations:

mtproxymax secret add <label>           # Add user (optional: --template <name>)
mtproxymax secret remove <label>        # Remove user (supports --dry-run)
mtproxymax secret list                  # List all users
mtproxymax secret list --tag <tag>      # Filter list by tag
mtproxymax secret list --csv            # Output as CSV for spreadsheets
mtproxymax secret info <label>          # Full detail view (limits, traffic, link, QR)
mtproxymax secret search <query>        # Find secrets by label or notes
mtproxymax secret rotate <label>        # New key, same label
mtproxymax secret rotate --all          # Bulk rotate (supports --dry-run)
mtproxymax secret clone <src> <new>     # Duplicate with all limits
mtproxymax secret rename <old> <new>    # Rename a secret
mtproxymax secret enable <label>        # Re-enable user
mtproxymax secret disable <label>       # Temporarily disable
mtproxymax secret disable-expired       # Disable all expired secrets
mtproxymax secret link [label]          # Show proxy link
mtproxymax secret qr [label]            # Show QR code
mtproxymax secret generate-links [txt|html]  # Bulk export all links
mtproxymax secret sub                   # Base64 subscription link feed
mtproxymax secret export-json           # Export users as clean JSON
mtproxymax secret purge-disabled        # Permanently purge disabled/expired
mtproxymax secret rename-prefix <o> <n> # Bulk rename matching prefix
mtproxymax secret note <label> [text]   # Attach notes/description
mtproxymax secret logs <label> [lines]  # Per-user activity log

Limits & Quotas:

mtproxymax secret setlimit <label> <type> <value>          # Set individual limit
mtproxymax secret setlimits <label> <conns> <ips> <quota> [expires]  # Set all limits
mtproxymax secret extend <label> <days>   # Extend one secret's expiry
mtproxymax secret bulk-extend <days>      # Extend all secrets' expiry
mtproxymax secret quota-reset <label> <day|off>  # Monthly quota reset on day N
mtproxymax secret reset-traffic <label|all>      # Reset traffic counters

Tags & Templates:

mtproxymax secret tag <label> <tag1,tag2>  # Assign tags to a secret
mtproxymax secret untag <label>            # Clear all tags
mtproxymax secret tags [label]             # Show all tags or for one secret
mtproxymax template save <name> <conns> <ips> <quota> [expires] [notes]
mtproxymax template list                   # List saved templates
mtproxymax template apply <name> <label>   # Apply template to existing secret
mtproxymax template delete <name>
mtproxymax secret add alice --template premium  # Add with preset limits

Organization & Lifecycle:

mtproxymax secret sort [traffic|conns|date|name]  # Reorder the list
mtproxymax secret top [traffic|conns] [N]  # Top N users (default 5)
mtproxymax secret stats                 # Compact per-user overview
mtproxymax secret archive <label>       # Soft-delete (restorable)
mtproxymax secret unarchive <label>     # Restore from archive
mtproxymax secret archives              # List archived secrets
mtproxymax secret export > file.csv     # Export to CSV
mtproxymax secret import file.csv       # Import from CSV
mtproxymax secret add-batch <l1> <l2> ...     # Add many at once
mtproxymax secret remove-batch <l1> <l2> ...  # Remove many at once
mtproxymax auto-rotate [N|off]          # Global policy: auto-rotate older than N days

Configuration

mtproxymax port [get|<number>]          # Get/set proxy port
mtproxymax ip [get|auto|<address>]      # Get/set custom IP for proxy links
mtproxymax domain [get|clear|<host>]    # Get/set FakeTLS domain
mtproxymax mask-backend [host:port]     # Set mask backend for non-proxy traffic
mtproxymax mask-relay-bytes [N|0|clear] # Max bytes per dir on mask relay (0=unlimited)
mtproxymax tg-urls [get|set <field> <url>|clear]  # Custom Telegram infra URLs
mtproxymax adtag set <hex>              # Set ad-tag
mtproxymax adtag remove                 # Remove ad-tag
mtproxymax config                       # Show current engine config

Engine Tuning (advanced):

mtproxymax tune list                    # Show whitelisted tunable params + current values
mtproxymax tune get <param>             # Show current value
mtproxymax tune set <param> <value>     # Set a tunable (e.g. fake_cert_len, mask_relay_timeout_ms, log_level)
mtproxymax tune clear <param|all>       # Clear one or all tunings

Tunings are applied via sed post-processing on the generated config.toml — no TOML duplicate-key issues. Whitelisted params include: fake_cert_len, client_handshake, tg_connect, client_keepalive, client_ack, replay_check_len, replay_window_secs, ignore_time_skew, listen_backlog, max_connections, accept_permit_timeout_ms, prefer_ipv6, fast_mode, log_level, mask_relay_timeout_ms, mask_relay_idle_timeout_ms.
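An added example (not MTProxyMax's own code) of the pattern described above: check the parameter against a whitelist, validate the value with an anchored regex, then rewrite the existing key in place so config.toml never gains a duplicate key. The value patterns, the helper names and the sample config are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: whitelist + anchored-regex validation in front of a sed rewrite.
# Parameter names come from the README; the value patterns, helper names and
# sample config are ASSUMPTIONS, not MTProxyMax's real rules.

NL='
'

# Hypothetical whitelist: prints the anchored ERE a value must match,
# or fails when the parameter is not tunable at all.
tune_pattern() {
    case "$1" in
        fake_cert_len)         echo '^[0-9]{3,5}$' ;;
        mask_relay_timeout_ms) echo '^[0-9]{1,7}$' ;;
        log_level)             echo '^(error|warn|info|debug|trace)$' ;;
        *)                     return 1 ;;
    esac
}

# tune_validate <param> <value>: 0 = accepted, 2 = unknown param, 3 = bad value
tune_validate() {
    tv_pat=$(tune_pattern "$1") || return 2
    # grep matches line by line, so "4096<newline>anything" would satisfy an
    # anchored pattern on its first line. Reject embedded newlines first.
    case "$2" in *"$NL"*) return 3 ;; esac
    printf '%s\n' "$2" | grep -Eq -- "$tv_pat" || return 3
}

# tune_apply <config.toml> <param> <value>
# Rewrites the existing key in place; returns 4 if the key is not in the file
# rather than appending a second copy (TOML parsers reject duplicate keys).
tune_apply() {
    ta_cfg=$1 ta_param=$2 ta_value=$3
    tune_validate "$ta_param" "$ta_value" || return $?
    grep -Eq "^[[:space:]]*${ta_param}[[:space:]]*=" "$ta_cfg" || return 4
    # Integers are written bare, everything else as a TOML string.
    case "$ta_value" in
        *[!0-9]*) ta_out="\"$ta_value\"" ;;
        *)        ta_out=$ta_value ;;
    esac
    ta_tmp=$(mktemp) || return 5
    # Safe only because validation ran first: an accepted value cannot contain
    # '|', '&', a backslash or a newline, all of which are special to sed.
    sed -E "s|^([[:space:]]*${ta_param}[[:space:]]*=[[:space:]]*).*|\1${ta_out}|" \
        "$ta_cfg" > "$ta_tmp" && cat "$ta_tmp" > "$ta_cfg"
    ta_rc=$?
    rm -f "$ta_tmp"
    return $ta_rc
}

tune_try() {
    tune_apply "$@" && echo "applied   $2 = $3" || echo "rejected  $2 (rc=$?)"
}

tune_demo() {
    td_cfg=$(mktemp) || return 1
    # Constructed sample, not a real telemt config.
    printf '%s\n' 'fake_cert_len = 2048' 'log_level = "info"' > "$td_cfg"
    tune_try "$td_cfg" fake_cert_len 4096
    tune_try "$td_cfg" log_level debug
    tune_try "$td_cfg" log_level 'de|bug'               # sed delimiter in the value
    tune_try "$td_cfg" fake_cert_len "4096${NL}x = 1"   # second line smuggled in
    tune_try "$td_cfg" max_upload 1                      # not on the whitelist
    tune_try "$td_cfg" mask_relay_timeout_ms 120000     # valid value, key absent
    cat "$td_cfg"
    rm -f "$td_cfg"
}

tune_demo
```

The order matters: the sed expression interpolates the value, so the regex check is what keeps a crafted value from altering the substitution or adding lines to the config.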

Profiles

mtproxymax profile save <name>          # Snapshot current config
mtproxymax profile load <name>          # Restore profile (auto-restarts)
mtproxymax profile list                 # List all saved profiles
mtproxymax profile delete <name>        # Delete a profile

Backup, Restore & Migration

# Regular (unencrypted) backups
mtproxymax backup                       # Create a timestamped backup
mtproxymax restore <file>               # Restore from a backup file
mtproxymax backups                      # List available backups
mtproxymax backup autoclean [days]      # Delete backups older than N days

# Encrypted backups (AES-256 + PBKDF2)
mtproxymax backup --encrypt             # Create encrypted backup (password prompt)
mtproxymax backup restore-encrypted <file>  # Restore encrypted backup
# Or: mtproxymax restore --encrypted <file>

# Server migration (tarball-based — all settings, secrets, tags, bans, archives, profiles)
mtproxymax migrate export [file]        # Export all state to a tarball
mtproxymax migrate import <file>        # Import state from a tarball (auto-backs up current first)

The migrate workflow is perfect for server pivots: run migrate export on the old server, scp the tarball, run migrate import on the new server. Replication config is preserved per-role.

Notifications & Bot

mtproxymax notify <message>             # Send custom message via Telegram bot
mtproxymax telegram setup               # Interactive bot setup
mtproxymax telegram status              # Show bot status
mtproxymax telegram test                # Send test message
mtproxymax telegram interval <hours>    # Change report interval (1-168h)
mtproxymax telegram label <name>        # Change server label in notifications
mtproxymax telegram alerts <on|off>     # Enable/disable down/recovery alerts
mtproxymax telegram disable             # Disable bot
mtproxymax telegram remove              # Remove bot completely

Periodic Maintenance

mtproxymax sweep                        # Run all periodic tasks (called by bot loop every 5 min)
mtproxymax auto-rotate [N|off]          # Auto-rotate secrets older than N days
# Monthly quota reset is per-secret: see `secret quota-reset` in User Secrets

Periodic tasks run automatically via the Telegram bot daemon's 5-minute loop when the bot is installed. They can also be triggered manually via sweep or scheduled via cron.

Polish & Completion

mtproxymax completion                   # Emit bash tab-completion script
mtproxymax changelog                    # Show GitHub release notes since installed version

# Install bash completion (root):
sudo mtproxymax completion | sudo tee /etc/bash_completion.d/mtproxymax > /dev/null
# Or in your shell:
eval "$(mtproxymax completion)"

Replication

mtproxymax replication setup            # Interactive wizard (master/slave/standalone)
mtproxymax replication status           # Role, timer state, last sync, slave list
mtproxymax replication add <host> [port] [label]   # Register a slave server
mtproxymax replication remove <host_or_label>      # Remove a slave
mtproxymax replication list             # List all slaves
mtproxymax replication enable           # Enable sync timer
mtproxymax replication disable          # Disable sync timer
mtproxymax replication sync             # Trigger immediate sync
mtproxymax replication test [host]      # Test SSH connectivity to slave(s)
mtproxymax replication logs             # Show sync log
mtproxymax replication reset            # Remove all replication config
mtproxymax replication promote          # Promote slave to master (failover)

Enterprise Commercial & Shield Suite

mtproxymax voucher create <cnt> <qta> <dys> # Generate batch voucher codes
mtproxymax voucher list [active|all]        # List vouchers and redemption status
mtproxymax voucher revoke <code>            # Revoke a voucher code
mtproxymax voucher redeem <code> [label]    # Redeem voucher code locally
mtproxymax admin add <chat_id> <role>       # Add role-based Telegram admin (superadmin/reseller)
mtproxymax admin remove <chat_id>           # Remove role-based Telegram admin
mtproxymax admin list                       # List configured Telegram admins
mtproxymax portal [enable|disable|status]   # Manage Self-Service HTML Status Portal
mtproxymax scanner-shield [enable|disable]  # Manage Automated Shodan/Censys Threat Shield

Security & Routing

Geo-Blocking:

mtproxymax geoblock add <CC>            # Block country
mtproxymax geoblock remove <CC>         # Unblock country
mtproxymax geoblock list                # List blocked countries

IP Banlist:

mtproxymax ban <ip|cidr>                # Ban a specific IP/CIDR (iptables, survives reboots)
mtproxymax unban <ip|cidr>              # Remove ban
mtproxymax bans                         # List banned IPs

Maintenance Mode:

mtproxymax maintenance on               # Reject new connections gracefully (RST), keep existing alive
mtproxymax maintenance off              # Restore normal operation
mtproxymax maintenance status           # Check current state

Upstream Routing:

mtproxymax upstream list                # List upstreams
mtproxymax upstream add <name> <type> <host:port> [user] [pass] [weight]
mtproxymax upstream remove <name>       # Remove upstream
mtproxymax upstream test <name>         # Test connectivity
mtproxymax sni-policy [mask|drop]       # Unknown SNI action (mask=permissive, drop=strict)

Next-Gen Anti-DPI, QoS & DevOps Suite

Anti-DPI & Posture Hardening:

mtproxymax shield [on|off|status]       # Toggle Kernel SYN Shield (>15 SYN/5s tarpit)
mtproxymax stealth [ultra|normal|status] # Hot-swap engine replay window and cache size
mtproxymax clamp-mss [on|off|status]    # Align TCP MSS to PMTU preventing packet drops
mtproxymax domain-pool [add|remove|list] # Manage multi-domain SNI rotation pool
mtproxymax port-pool [add|remove|list]  # Listen on multi-port fallback pool via kernel NAT
mtproxymax lockdown [on|off|status]     # Engage emergency panic defense posture

Forensics & Watchdogs:

mtproxymax dpi-inspect                  # Run active 5-point Anti-DPI readiness scan (/100 score)
mtproxymax cover-watchdog [test|auto]   # Probe cover domain pool & auto-rotate on censorship
mtproxymax abuse-watch                  # Scan users for abnormal bandwidth spikes (>50GB/day)

Bandwidth Shaping & Quotas:

mtproxymax qos [set <mbps>|off|status]  # Linux tc token bucket per-IP bandwidth limiter
mtproxymax happy-hours [set <win>|off]  # Define off-peak unmetered traffic windows
mtproxymax notify-expiry                # Trigger proactive Telegram reminders (7d, 3d, 24h)
mtproxymax broadcast <message>          # Send system announcement via Telegram bot

DevOps & Clustering Automation:

mtproxymax export-lb [haproxy|nginx]    # Generate Layer-4 TCP load balancer config snippets
mtproxymax ddns [set|run|status|off]    # Manage Cloudflare Dynamic DNS public IP updater
mtproxymax diag-dump                    # Create full forensic diagnostic bundle (.tar.gz)
mtproxymax snapshot [create|restore|list] # Manage point-in-time configuration tarballs

Operations, Briefings & Onboarding Suite:

mtproxymax backup send-tg [file]        # Push backup archive directly to Telegram bot chat
mtproxymax daily-report [on|off|run]    # Schedule automated morning executive briefing
mtproxymax ssh-shield [on|off|status]   # Enable fail2ban SSH brute-force intrusion shield
mtproxymax net-grade                    # Benchmark international routing & calculate A+/A/B/C grade
mtproxymax onboard [label]              # Interactive step-by-step user onboarding wizard

Performance, Diagnostics & Self-Healing Suite:

mtproxymax tcp-boost [on|off|status]    # Activate Linux Kernel TCP BBR & Fast Open booster
mtproxymax tcp-clean [on|off|status]    # Activate aggressive keep-alive dead mobile socket reaper
mtproxymax socket-boost [on|off]        # Apply ultra-low latency kernel socket queue expansion
mtproxymax tls-pad [auto|off|rotate]    # Dynamic FakeTLS certificate length jitter & randomization
mtproxymax honeypot [on|off|status]     # Enable active probe decoy redirection & protection
mtproxymax leak-scan [thresh]           # Detect multi-IP subscription sharing anomalies
mtproxymax cert-check [domain]          # Inspect cover domain SSL/TLS certificate health
mtproxymax clone-link                   # Export one-line Base64 server replication bundle
mtproxymax bootstrap <base64>           # Deploy cloned config bundle on a fresh node
mtproxymax heal                         # Run emergency RAM & dead socket cleanup immediately
mtproxymax auto-heal [on|off|status]    # Enable background automated RAM/socket self-healer
mtproxymax tcp-fastpath [on|off]        # TCP window scaling, SACK & path MTU probing optimizer
mtproxymax ram-tune [auto|off]          # Auto-detect RAM & apply optimal TCP memory buffers
mtproxymax port-hop [add|remove|list]   # Dynamic multi-port NAT range redirection
mtproxymax cpu-tune [on|off|status]     # Multi-core IRQ packet spreading (RPS/RFS)

Monitoring

mtproxymax traffic                      # Per-user traffic breakdown
mtproxymax connections                  # Live active connections per user
mtproxymax metrics                      # Engine metrics dashboard
mtproxymax metrics live [seconds]       # Auto-refresh metrics (default: 5s)
mtproxymax logs                         # Stream live logs
mtproxymax health                       # Quick health check
mtproxymax doctor                       # Comprehensive diagnostics (port, TLS, secrets, disk, bot)
mtproxymax verify                       # End-to-end install check (port, TLS, Telegram API, metrics)
mtproxymax port-check                   # Test if proxy port is reachable from outside
mtproxymax speedtest                    # Outbound bandwidth/latency test from server
mtproxymax uptime                       # One-line status (scriptable)
mtproxymax status [--json]              # Proxy status (JSON for monitoring integrations)
mtproxymax info                         # Comprehensive server overview (OS, IPv4/IPv6, users, services)
mtproxymax history [lines]              # Audit log of config changes

Engine & Updates

mtproxymax engine status                # Show current engine version
mtproxymax engine rebuild               # Force rebuild engine image
mtproxymax rebuild                      # Force rebuild from source
mtproxymax update                       # Check for script + engine updates

💻 System Requirements

| Requirement | Details |
|---|---|
| OS | Ubuntu, Debian, CentOS, RHEL, Fedora, Rocky, AlmaLinux, Alpine |
| Docker | Auto-installed if not present |
| RAM | 256MB minimum |
| Access | Root required |
| Bash | 4.2+ |

📁 Configuration Files

| File | Purpose |
|---|---|
| /opt/mtproxymax/settings.conf | Proxy settings (port, domain, limits, tunings prefs) |
| /opt/mtproxymax/secrets.conf | User keys, limits, expiry dates |
| /opt/mtproxymax/secrets_archive.conf | Archived secrets (soft-deleted, restorable) |
| /opt/mtproxymax/secrets_tags.conf | User tags (label → comma-separated tags) |
| /opt/mtproxymax/secrets_quota_reset.conf | Per-secret monthly quota reset days |
| /opt/mtproxymax/templates.conf | Reusable limit templates |
| /opt/mtproxymax/tunings.conf | Engine parameter overrides (from tune set) |
| /opt/mtproxymax/banlist.conf | Banned IPs/CIDRs (iptables-backed) |
| /opt/mtproxymax/upstreams.conf | Upstream routing rules |
| /opt/mtproxymax/instances.conf | Multi-port instance config |
| /opt/mtproxymax/profiles/ | Saved config profiles (named snapshots) |
| /opt/mtproxymax/audit.log | Config change history |
| /opt/mtproxymax/connection.log | Per-user activity log |
| /opt/mtproxymax/mtproxy/config.toml | Generated telemt engine config |
| /opt/mtproxymax/backups/ | Automatic backups (auto-cleaned via BACKUP_RETENTION_DAYS) |

📋 Changelog

v1.2.0 — Enterprise Commercial & Shield Suite, Next-Gen Anti-DPI, QoS Bandwidth Shaping & DevOps Clustering Suite

  • Commercial Voucher & Gift Code System (mtproxymax voucher): Batch generation of MTP-XXXX-XXXX voucher codes with custom quotas and validity durations stored in vouchers.conf. Supports local and Telegram bot (/redeem) code redemption.
  • Role-Based Access Control (mtproxymax admin): Multi-tier Telegram bot admin authorization governing superadmin and reseller privileges in admins.conf. Protects destructive operations while delegating voucher management.
  • Decoupled Self-Service Status Portal (mtproxymax portal): Zero-dependency static HTML glassmorphism web dashboard (index.html) fed by periodic JSON engine exports (status.json, users.json) displaying live uptime and bandwidth stats.
  • Automated Hostile Threat Scanner Shield (mtproxymax scanner-shield): High-speed kernel ipset hash sets (mtproxymax-scanners) importing and dropping traffic from Shodan, Censys, and Shadowserver mass probe subnets before hitting Docker container sockets.
  • Active DPI Forensics (mtproxymax dpi-inspect): 5-point heuristic diagnostic engine evaluating cover domain reachability, certificate parity, SYN shield state, replay cache depth, and MSS clamping to compute an interactive 0-100 posture score.
  • Self-Healing Cover Watchdog (mtproxymax cover-watchdog): Automated background daemon probing primary cover domain health every 60s, rotating to backup SNI pool candidates upon censorship or HTTP 5xx failures.
  • Emergency Panic Lockdown (mtproxymax lockdown): One-click panic posture activation enabling SYN tarpits, Ultra-Stealth conntrack hardening, and MSS clamping via CLI or remote bot commands (/mp_lockdown).
  • Multi-Port Listener Pool (mtproxymax port-pool): Listen on multiple fallback TCP ports simultaneously via automated kernel iptables NAT redirects without extra container runtime overhead.
  • Linux Kernel QoS Shaping (mtproxymax qos): Hierarchical token bucket (tc) and hashlimit rate limiter restricting per-IP bandwidth consumption (e.g., 5 Mbps per IP).
  • Happy Hours Quota Exclusions (mtproxymax happy-hours): Configures unmetered schedule windows where traffic bypasses user monthly quota accounting.
  • Telegram Bot Command Center (mtproxymax secret qr, /mp_revoke, /mp_digest): 21 administrative chat commands plus multi-engine ASCII console QR rendering and automated expiry reminder dispatches (mtproxymax notify-expiry).
  • DevOps Clustering & Snapshot Suite (export-lb, ddns, diag-dump, snapshot): Layer-4 HAProxy/Nginx PROXYv2 exporter, automated Cloudflare Dynamic DNS updater, forensics dump archiver, and point-in-time configuration tarball snapshots.
  • Operations & Onboarding Suite (backup send-tg, daily-report, ssh-shield, net-grade, onboard): Direct cloud backups to Telegram bot admin chat, scheduled morning executive briefings, fail2ban SSH brute-force intrusion shielding, network quality grading benchmark, and smart user onboarding wizard.
  • Performance & Self-Healing Suite (tcp-boost, tcp-clean, socket-boost, tls-pad, honeypot, tcp-fastpath, ram-tune, port-hop, cpu-tune, leak-scan, cert-check, clone-link, bootstrap, heal, auto-heal): Linux Kernel TCP BBR booster, aggressive keep-alive dead mobile socket reaper, ultra-low latency socket queue booster, dynamic FakeTLS record padding & length randomization, active probe decoy honeypot redirection, TCP fast-path window scaling & MTU probing, hardware-aware dynamic RAM buffer auto-tuning, kernel NAT port range shadowing for anti-throttling, multi-core IRQ packet spreading (RPS/RFS) with container fallback, multi-IP subscription sharing scanner, TLS cover domain certificate health verifier, one-line Base64 server replication cloner/bootstrapper, and emergency non-disruptive RAM/socket self-healer.

v1.1.0 — Anti-DPI & Stealth Defenses Expansion

  • Kernel SYN Shield (mtproxymax shield): Built-in iptables/nftables rate limiter (conntrack + recent module) that tarpits aggressive active probes (>15 SYN/5s per IP) before they reach application layer memory.
  • Stealth Presets (mtproxymax stealth): Hot-swappable anti-replay hardening (normal vs ultra). Ultra reduces the replay window to 180s, expands nonce cache to 131,072 entries, and drops unknown SNI probes.
  • TCP MSS Clamping (mtproxymax clamp-mss): Prevents MTU black hole drops and packet fragmentation via TCP FORWARD mangle hooks --clamp-mss-to-pmtu.
  • Multi-Domain SNI Pool (mtproxymax domain-pool): Rotate between multiple high-reputation cover domains (tls_domains = ["dom1.com", "dom2.com"]) within the same engine instance to evade single-domain DPI throttling.
  • Auto Cert Synchronization (sync_domain_cert_len): Connects to cover domain every 24h via OpenSSL, measures live DER payload size, and dynamically synchronizes fake_cert_len to evade static certificate heuristics.
  • Interactive TUI Menu: Dedicated ASCII dashboard (show_stealth_menu) under Settings [s] and Security [5].

v1.0.10 — Executive Digest, DC Latency Benchmark, Base64 Subscriptions & Bulk Tools

  • Executive Digest (mtproxymax digest): Instant ASCII summary board aggregating uptime, active socket counts, traffic totals, and Telegram bot daemon status
  • Datacenter Benchmark (mtproxymax ping-dc): Live TCP handshake latency test against Telegram global datacenters DC1 through DC5 with fastest-DC detection
  • Base64 Subscriptions (mtproxymax secret sub): Auto-generates standard Base64 proxy feeds compatible with third-party client auto-updaters
  • JSON Export (mtproxymax secret export-json): Full user database dump formatted as JSON for external integrations
  • Cleanup & Bulk Tools: Permanently purge disabled/expired records (secret purge-disabled) and bulk rename secret labels by prefix (secret rename-prefix)

v1.0.9 — Engine v3.4.18, TLS Stealth & ME/MR Hardening

  • Upgraded telemt engine to v3.4.18 (7 upstream releases with TLS profile spoofing and async ME/MR queue backpressure)
  • Added user quota rate limit API route GET /v1/stats/users/quota and exclusive masking mode
  • Docker tmpfs cache and log rotation improvements

v1.0.8 — Security Hardening & Persistent Quotas

  • Upgraded telemt engine to v3.4.11 (constant-time API auth, PROXY protocol pre-validation, bounded connections)
  • Persistent per-user quota tracking (quota_state_path) and runtime quota reset API
  • Added Telegram bot configuration options: report interval, server notification label, and down/recovery alert toggles

v1.0.7 — Tags, Templates, Migration, Maintenance & IP Banlist

  • Added secret tagging (secret tag/untag), reusable limit templates (template save/apply), and bulk operations
  • Added tarball-based server migration (migrate export/import) and graceful maintenance mode (maintenance on/off)
  • Added persistent iptables IP banlist (ban/unban), AES-256 encrypted backups, and engine parameter tuning (tune)

v1.0.6 — Profiles, Archive, Search & Info

  • Added user detail inspection (secret info), search (secret search), top rankings, and soft-delete archiving
  • Added named configuration profiles (profile save/load) and external port reachability tester (port-check)
  • Added custom mask backend routing (mask-backend) and scriptable uptime command

v1.0.5 — Engine v3.4.8, Clone, Bulk-Extend & Doctor

  • Upgraded telemt engine to v3.4.8 with bounded relay queues and TLS 1.3 fronting correctness
  • Added user duplication (secret clone), expiry extension (secret extend), and active connections view
  • Added comprehensive server diagnostics (doctor) and instant long-polling Telegram bot response

v1.0.4 — Master-Slave Replication & Metrics Dashboard

  • Added master/slave configuration replication (replication setup) via automated rsync+SSH sync
  • Upgraded engine to v3.3.39 and introduced live Prometheus metrics console (metrics live)
  • Added strict vs permissive unknown SNI handling policies (sni-policy)

v1.0.3 — Quota Enforcement, Multi-Port & Hot-Reload

  • Added multi-port listener support, secret hot-reloading, and quota auto-disable at 100% consumption
  • Introduced JSON monitoring outputs, connection activity logs, and country geo-blocking whitelist

v1.0.2 — Persistent Traffic Accounting

  • Atomic traffic counter persistence surviving restarts and server reboots with batched stats loading

v1.0.1 — Batch User Operations

  • Added multi-user batch creation and removal (secret add-batch, secret remove-batch)

v1.0.0 — Initial Release

  • Initial launch of MTProxyMax with telemt 3.x Rust engine, interactive TUI, CLI, FakeTLS, Telegram bot, and geo-blocking

🙏 Credits

Built on top of telemt — a high-performance MTProto proxy engine written in Rust/Tokio. All proxy protocol handling, FakeTLS, traffic masking, and per-user enforcement is powered by telemt.


📖 Documentation & Guides

For step-by-step tutorials with screenshots and detailed explanations, visit our guides on SamNet:


💖 Donate

If you find MTProxyMax useful, consider supporting its development:

samnet.dev/donate


📄 License

MIT License — see LICENSE for details.

The telemt engine (included as a Docker image) is licensed under the Telemt Public License 3 (TPL-3) — a permissive license that allows use, redistribution, and modification with attribution.

Copyright (c) 2026 SamNet Technologies