# Telemt - MTProxy on Rust + Tokio
**Telemt** is a fast, secure, and feature-rich server written in Rust: it fully implements the official Telegram proxy algorithm and adds many production-ready improvements such as connection pooling, replay protection, detailed statistics, and masking from "prying" eyes.
# GOTO
- [Features](#features)
- [Quick Start Guide](#quick-start-guide)
  - [Build](#build)
- [How to use?](#how-to-use)
  - [Systemd Method](#telemt-via-systemd)
- [Configuration](#configuration)
  - [Minimal Configuration](#minimal-configuration-for-first-start)
  - [Advanced](#advanced)
    - [Upstream Manager](#upstream-manager)
      - [IP](#bind-on-ip)
      - [SOCKS](#socks45-as-upstream)
- [FAQ](#faq)
  - [Telegram Calls](#telegram-calls-via-mtproxy)
  - [DPI](#how-does-dpi-see-mtproxy-tls)
  - [Whitelist on Network Level](#whitelist-on-ip)
- [Why Rust?](#why-rust)

## Features
- Full support for all official MTProto proxy modes:
  - Classic
  - Secure - with `dd` prefix
  - Fake TLS - with `ee` prefix + SNI fronting
- Replay attack protection
- Optional traffic masking: forward unrecognized connections to a real web server, e.g. GitHub 🤪
- Configurable keepalives + timeouts + IPv6 and "Fast Mode"
- Graceful shutdown on Ctrl+C
- Extensive logging at the `trace` and `debug` levels, selected via the `RUST_LOG` environment variable

## Quick Start Guide
### Build
```bash
# Clone the repo
git clone https://github.com/telemt/telemt
# Change directory to telemt
cd telemt
# Start the release build
cargo build --release
# Move to /bin
mv ./target/release/telemt /bin
# Make executable
chmod +x /bin/telemt
# Let's go!
telemt config.toml
```
## How to use?
### Telemt via Systemd
**0. Check port and generate secrets**

The port you have chosen must be MISSING from the list printed by:
```bash
netstat -lnp
```
Generate a 16-byte secret (32 hex characters) with OpenSSL or another tool:
```bash
openssl rand -hex 16
```
OR
```bash
xxd -l 16 -p /dev/urandom
```
OR
```bash
python3 -c 'import os; print(os.urandom(16).hex())'
```

**1. Place your config in /etc/telemt.toml**

Open nano:
```bash
nano /etc/telemt.toml
```
Paste your config from the [Configuration](#configuration) section,
then press Ctrl+X -> Y -> Enter to save.

**2. Create the service at /etc/systemd/system/telemt.service**

Open nano:
```bash
nano /etc/systemd/system/telemt.service
```
Paste this systemd unit:
```ini
[Unit]
Description=Telemt
After=network.target

[Service]
Type=simple
WorkingDirectory=/bin
ExecStart=/bin/telemt /etc/telemt.toml
Restart=on-failure

[Install]
WantedBy=multi-user.target
```
then press Ctrl+X -> Y -> Enter to save.

**3.** In the shell, run `systemctl start telemt` - it must start with a zero exit code

**4.** In the shell, run `systemctl status telemt` - this shows the current MTProxy status

**5.** In the shell, run `systemctl enable telemt` - telemt will then start at system boot, after the network is up

## Configuration
### Minimal Configuration for First Start
```toml
port = 443                                 # Listening port
show_links = ["tele", "hello"]

[users]
tele = "00000000000000000000000000000000"  # Replace the secret with one generated before
hello = "00000000000000000000000000000000" # Replace the secret with one generated before

[modes]
classic = false                            # Plain obfuscated mode
secure = false                             # dd-prefix mode
tls = true                                 # Fake TLS - ee-prefix
tls_domain = "petrovich.ru"                # Domain for ee-secret and masking
mask = true                                # Enable masking of bad traffic
mask_host = "petrovich.ru"                 # Optional override for mask destination
mask_port = 443                            # Port for masking
prefer_ipv6 = false                        # Try IPv6 DCs first if true
fast_mode = true                           # Use "fast" obfuscation variant
client_keepalive = 600                     # Seconds
client_ack_timeout = 300                   # Seconds
```
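
A pre-flight check for the `[users]` table, added here as an example and not part of telemt: `check_secrets` flags secrets that are not 32 hex characters, are still the all-zero placeholder, or are shared between users. `fake_tls_secret` shows how the `ee` client secret carries `tls_domain`, assuming the usual MTProxy layout (`ee` + secret + hex-encoded domain); the function names and the sample config are constructed for illustration.

```bash
#!/bin/sh
# Added example (not telemt code): lint the [users] table before starting the service.
# check_secrets reads a config on stdin, prints one line per problem,
# and returns non-zero if any secret is malformed, a placeholder, or reused.
check_secrets() {
    awk '
        /^[ \t]*\[/ { in_users = ($0 ~ /^[ \t]*\[[ \t]*users[ \t]*\]/); next }
        in_users {
            line = $0
            sub(/#.*/, "", line)                  # drop trailing comment
            if (line !~ /=/) next
            split(line, kv, "=")
            name = kv[1]; val = tolower(kv[2])
            gsub(/[ \t"]/, "", name)
            gsub(/[ \t"]/, "", val)
            if (val !~ /^[0-9a-f]+$/ || length(val) != 32) {
                print name ": not 32 hex characters"; bad = 1
            } else if (val ~ /^0+$/) {
                print name ": all-zero placeholder secret"; bad = 1
            } else if (val in seen) {
                print name ": same secret as " seen[val]; bad = 1
            } else {
                seen[val] = name
            }
        }
        END { exit bad + 0 }
    '
}

# fake_tls_secret SECRET DOMAIN prints the client-side secret for Fake TLS mode,
# assuming the usual MTProxy layout: "ee" + 32-hex secret + hex-encoded domain.
fake_tls_secret() {
    printf 'ee%s%s\n' "$1" "$(printf '%s' "$2" | od -An -tx1 | tr -d ' \t\n')"
}

# Constructed sample config: placeholder, reused and truncated secrets.
sample_config() {
    cat <<'EOF'
port = 443
[users]
tele  = "00000000000000000000000000000000"
hello = "3f9c1a7e5b2d4860a1c3e5f708192a3b"
guest = "3F9C1A7E5B2D4860A1C3E5F708192A3B"
short = "abcd"
[modes]
tls = true
EOF
}

sample_config | check_secrets || echo "config rejected: fix the secrets above"
fake_tls_secret 3f9c1a7e5b2d4860a1c3e5f708192a3b petrovich.ru
```

Run it against the real file with `check_secrets < /etc/telemt.toml` before `systemctl start telemt`.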
### Advanced
#### Upstream Manager
To specify an upstream, add one of the following blocks to the end of config.toml:
##### Bind on IP
```toml
[[upstreams]]
type = "direct"
weight = 1
enabled = true
interface = "192.168.1.100" # Change to your outgoing IP
```
##### SOCKS4/5 as Upstream
- Without Auth:
```toml
[[upstreams]]
type = "socks5"            # Specify SOCKS4 or SOCKS5
address = "1.2.3.4:1234"   # SOCKS-server Address
weight = 1                 # Set Weight for Scenarios
enabled = true
```
- With Auth:
```toml
[[upstreams]]
type = "socks5"            # Specify SOCKS4 or SOCKS5
address = "1.2.3.4:1234"   # SOCKS-server Address
username = "user"          # Username for Auth on SOCKS-server
password = "pass"          # Password for Auth on SOCKS-server
weight = 1                 # Set Weight for Scenarios
enabled = true
```

## FAQ
### Telegram Calls via MTProxy
- Telegram architecture **does NOT allow calls via MTProxy**, but only via SOCKS5, which cannot be obfuscated

### How does DPI see MTProxy TLS?
- DPI sees MTProxy in Fake TLS (ee) mode as TLS 1.3
- both the client and the server send the SNI you specify;
- ALPN is similar to HTTP 1.1/2;
- high entropy, which is normal for AES-encrypted traffic;

### Whitelist on IP
- MTProxy cannot work when there is:
  - no IP connectivity to the target host: Russian Whitelist on Mobile Networks - "Белый список" ("White List")
  - OR all TCP traffic is blocked
  - OR high entropy/encrypted traffic is blocked: content filters at universities and critical infrastructure
  - OR all TLS traffic is blocked
  - OR specified port is blocked: use 443 to make it "like real"
  - OR provided SNI is blocked: use "officially approved"/innocuous name
- like most protocols on the Internet;
- these situations are observed:
  - in China behind the Great Firewall
  - in Russia on mobile networks, less in wired networks
  - in Iran during "activity"

## Why Rust?
- Long-running reliability and idempotent behavior
- Rust's deterministic resource management - RAII
- No garbage collector
- Memory safety and reduced attack surface
- Tokio's asynchronous architecture
## Roadmap
- Public IP in links
- Config Reload-on-fly
- Bind to device or IP for outbound/inbound connections
- Adtag Support per SNI / Secret
- Fail-fast on start + Fail-soft on runtime (only WARN/ERROR)
- Zero-copy, minimal allocs on hotpath
- DC Healthchecks + global fallback
- No global mutable state
- Client isolation + Fair Bandwidth
- Backpressure-aware IO
- "Secret Policy" - SNI / Secret Routing :D
- Multi-upstream Balancer and Failover
- Strict FSM per handshake
- Session-based Antireplay with Sliding window, non-breaking reconnects
- Web Control: statistics, state of health, latency, client experience...