Telegram has been blocked since March 20, moving to a liberal Internet
Linux-first reliable CLI tunnel with pluggable transport architecture.
- chameleon-core: config, protocol, Noise crypto channel, allowlist policy, relay
- chameleon-client: local SOCKS5 (CONNECT) client
- chameleon-bridge: remote bridge server
- Transport: raw
- Protocol: TCP only
- No obfuscation / anti-DPI logic
- Local Web UI on 127.0.0.1
- Rust stable toolchain (cargo, rustc)
A single TOML file can include both sections.
[client]
listen = "127.0.0.1:1080"
bridge_addr = "YOUR_BRIDGE_IP:443"
server_pubkey_b64 = "<BRIDGE_PUBLIC_KEY>"
transport = "raw"
max_frame = 65535
# Optional
auth_psk_b64 = ""
handshake_timeout_ms = 5000
connect_timeout_ms = 8000
relay_idle_timeout_ms = 60000
shutdown_grace_ms = 5000
web_ui_addr = "127.0.0.1:7777"
web_ui_enabled = true
web_ui_auth_token = ""
[bridge]
listen = "0.0.0.0:443"
server_privkey_b64 = "<BRIDGE_PRIVATE_KEY>"
transport = "raw"
allow_all = false
allow_cidrs = ["149.154.0.0/16", "91.108.4.0/22"]
allow_domains = ["telegram.org", "t.me", "telegram.me"]
max_frame = 65535
# Optional
auth_psk_b64 = ""
require_auth = false
handshake_timeout_ms = 5000
target_connect_timeout_ms = 8000
relay_idle_timeout_ms = 60000
shutdown_grace_ms = 5000
max_connections = 10000
deny_private_targets = true
allow_loopback_targets = false
- Generate bridge keypair:
cargo run -p chameleon-bridge -- keygen
- Optional: generate shared PSK (base64):
openssl rand -base64 32
Set the same value to both client.auth_psk_b64 and bridge.auth_psk_b64. Set bridge.require_auth = true to enforce it.
- Run bridge:
cargo run -p chameleon-bridge -- run --config config.toml
- Run client:
cargo run -p chameleon-client -- run --config config.toml
- Configure Telegram/app/system to use SOCKS5 at 127.0.0.1:1080.
- Default: http://127.0.0.1:7777
- If web_ui_auth_token is empty at first run, the client generates a token and stores it in config.
- Paste the token in the UI to enable API calls.
CLI helpers:
chameleon-client status --config config.toml
chameleon-client open-ui --config config.toml
chameleon-client install --config config.toml
Files:
- deploy/systemd/chameleon-bridge.service
- deploy/systemd/chameleon-client.service
Install example:
sudo cp deploy/systemd/chameleon-bridge.service /etc/systemd/system/
sudo cp deploy/systemd/chameleon-client.service /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable --now chameleon-bridge
sudo systemctl enable --now chameleon-client
sudo deploy/install/linux/install.sh
Files:
- deploy/docker/Dockerfile
- deploy/docker/docker-compose.yml
Run example:
cd deploy/docker
cp config.toml.example config.toml
docker compose up --build -d
Bridge healthcheck uses nc -z 127.0.0.1 443.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
deploy\install\windows\install.ps1 -DownloadWinSW
Config path: %ProgramData%\Chameleon\config.toml
See docs/windows-quickstart.md for details.
Set RUST_LOG=info or RUST_LOG=debug.
v0.2 logs include:
- conn_id, peer
- auth result
- target host/port
- bytes up/down
- session duration
- close reason (upstream_eof, downstream_eof, idle_timeout)
Client log files rotate by size in the local log directory.
- Local e2e test with explicit SOCKS5 client.
- Single-VPS canary with require_auth=true.
- Controlled pilot with allowlist tuned for expected destinations.
- auth failure rate
- connect failure rate
- handshake latency
- target connect latency
- active connection saturation (max_connections)
- relay idle-timeout ratio
- Client-to-bridge link is encrypted/authenticated with Noise IK.
- Bridge can enforce PSK auth (require_auth=true).
- deny_private_targets=true blocks private/special destinations by policy.
- Fail-closed: auth/policy errors reject connection.
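An added illustration (not chameleon's own code) of how the [bridge] policy keys from the sample config can combine into a fail-closed decision, including the case where an allowlisted name resolves to an internal address. The `Policy` struct, the function names, subdomain matching, the rule ordering and the IPv4-only scope are assumptions; the target addresses used are constructed samples.

```rust
use std::net::Ipv4Addr;

/// Hypothetical mirror of the [bridge] policy keys from the sample config.
pub struct Policy {
    pub allow_all: bool,
    pub allow_cidrs: Vec<(Ipv4Addr, u8)>, // (network, prefix length)
    pub allow_domains: Vec<&'static str>, // lowercase entries
    pub deny_private_targets: bool,
    pub allow_loopback_targets: bool,
}

fn in_cidr(ip: Ipv4Addr, net: Ipv4Addr, prefix: u8) -> bool {
    if prefix > 32 { return false; } // malformed entry never matches
    let mask = if prefix == 0 { 0 } else { u32::MAX << (32 - prefix as u32) };
    (u32::from(ip) & mask) == (u32::from(net) & mask)
}

/// Exact match, or a subdomain on a label boundary (assumed semantics).
fn domain_allowed(host: &str, allowed: &[&str]) -> bool {
    let h = host.trim_end_matches('.').to_ascii_lowercase();
    allowed.iter().any(|d| h == *d || h.ends_with(&format!(".{d}")))
}

/// `resolved` is the address the bridge would dial for `host` (assumption).
/// Deny rules run first; anything not explicitly allowed is rejected.
pub fn target_allowed(p: &Policy, host: &str, resolved: Ipv4Addr) -> bool {
    if resolved.is_loopback() && !p.allow_loopback_targets { return false; }
    let special = resolved.is_private() || resolved.is_link_local() || resolved.is_unspecified();
    if special && p.deny_private_targets { return false; }
    if p.allow_all { return true; }
    match host.parse::<Ipv4Addr>() {
        Ok(_) => p.allow_cidrs.iter().any(|&(n, l)| in_cidr(resolved, n, l)),
        Err(_) => domain_allowed(host, &p.allow_domains),
    }
}

/// Policy values copied from the page's sample [bridge] section.
pub fn sample_policy() -> Policy {
    Policy {
        allow_all: false,
        allow_cidrs: vec![(Ipv4Addr::new(149, 154, 0, 0), 16), (Ipv4Addr::new(91, 108, 4, 0), 22)],
        allow_domains: vec!["telegram.org", "t.me", "telegram.me"],
        deny_private_targets: true,
        allow_loopback_targets: false,
    }
}

fn main() {
    println!("{}", target_allowed(&sample_policy(), "t.me", Ipv4Addr::new(149, 154, 167, 99)));
}
```

With this ordering, `allow_all = true` still cannot reach private or loopback addresses while the two deny settings keep their values from the sample config.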
- raw transport only
- no UDP relay
- no OS-level traffic interception
- no stream multiplexing
GPL-3.0-or-later