Telemt is a fast, secure, and feature-rich server written in Rust: it fully implements the official Telegram proxy algo and adds many production-ready improvements such as connection pooling, replay protection, detailed statistics, masking from "prying" eyes
- Full support for all official MTProto proxy modes:
- Classic
- Secure - with
ddprefix - Fake TLS - with
eeprefix + SNI fronting
- Replay attack protection
- Optional traffic masking: forward unrecognized connections to a real web server, e.g. GitHub 🤪
- Configurable keepalives + timeouts + IPv6 and "Fast Mode"
- Graceful shutdown on Ctrl+C
- Extensive logging via
traceanddebugwithRUST_LOGmethod
This software is designed for Debian-based OS: in addition to Debian, these are Ubuntu, Mint, Kali, MX and many other Linux
- Download release
wget https://github.com/telemt/telemt/releases/latest/download/telemt- Move to Bin Folder
mv telemt /bin- Make Executable
chmod +x /bin/telemt- Go to How to use? section for for further steps
This instruction "assume" that you:
- logged in as root or executed
su -/sudo su - you already have an assembled and executable
telemtin /bin folder as a result of the Quick Start Guide or Build
0. Check port and generate secrets
The port you have selected for use should be MISSING from the list, when:
netstat -lnpGenerate 16 bytes/32 characters HEX with OpenSSL or another way:
openssl rand -hex 16OR
xxd -l 16 -p /dev/urandomOR
python3 -c 'import os; print(os.urandom(16).hex())'1. Place your config to /etc/telemt.toml
Open nano
nano /etc/telemt.tomlpaste your config from Configuration section
then Ctrl+X -> Y -> Enter to save
2. Create service on /etc/systemd/system/telemt.service
Open nano
nano /etc/systemd/system/telemt.servicepaste this Systemd Module
[Unit]
Description=Telemt
After=network.target
[Service]
Type=simple
WorkingDirectory=/bin
ExecStart=/bin/telemt /etc/telemt.toml
Restart=on-failure
[Install]
WantedBy=multi-user.targetthen Ctrl+X -> Y -> Enter to save
3. In Shell type systemctl start telemt - it must start with zero exit-code
4. In Shell type systemctl status telemt - there you can reach info about current MTProxy status
5. In Shell type systemctl enable telemt - then telemt will start with system startup, after the network is up
port = 443 # Listening port
show_links = ["tele", "hello"] # Specify users, for whom will be displayed the links
[users]
tele = "00000000000000000000000000000000" # Replace the secret with one generated before
hello = "00000000000000000000000000000000" # Replace the secret with one generated before
[modes]
classic = false # Plain obfuscated mode
secure = false # dd-prefix mode
tls = true # Fake TLS - ee-prefix
tls_domain = "petrovich.ru" # Domain for ee-secret and masking
mask = true # Enable masking of bad traffic
mask_host = "petrovich.ru" # Optional override for mask destination
mask_port = 443 # Port for masking
prefer_ipv6 = false # Try IPv6 DCs first if true
fast_mode = true # Use "fast" obfuscation variant
client_keepalive = 600 # Seconds
client_ack_timeout = 300 # SecondsTo use channel advertising and usage statistics from Telegram, get Adtag from @mtproxybot, add this parameter to the end of config.toml and specify it
ad_tag = "00000000000000000000000000000000" # Replace zeros to your adtag from @mtproxybotTo specify listening address and/or address in links, add to the end of config.toml:
[[listeners]]
ip = "0.0.0.0" # 0.0.0.0 = all IPs; your IP = specific listening
announce_ip = "1.2.3.4" # IP in links; comment with # if not usedTo specify upstream, add to the end of config.toml:
[[upstreams]]
type = "direct"
weight = 1
enabled = true
interface = "192.168.1.100" # Change to your outgoing IP- Without Auth:
[[upstreams]]
type = "socks5" # Specify SOCKS4 or SOCKS5
address = "1.2.3.4:1234" # SOCKS-server Address
weight = 1 # Set Weight for Scenarios
enabled = true- With Auth:
[[upstreams]]
type = "socks5" # Specify SOCKS4 or SOCKS5
address = "1.2.3.4:1234" # SOCKS-server Address
username = "user" # Username for Auth on SOCKS-server
password = "pass" # Password for Auth on SOCKS-server
weight = 1 # Set Weight for Scenarios
enabled = true- Telegram architecture does NOT allow calls via MTProxy, but only via SOCKS5, which cannot be obfuscated
- DPI sees MTProxy in Fake TLS (ee) mode as TLS 1.3
- the SNI you specify sends both the client and the server;
- ALPN is similar to HTTP 1.1/2;
- high entropy, which is normal for AES-encrypted traffic;
- MTProxy cannot work when there is:
- no IP connectivity to the target host: Russian Whitelist on Mobile Networks - "Белый список"
- OR all TCP traffic is blocked
- OR high entropy/encrypted traffic is blocked: content filters at universities and critical infrastructure
- OR all TLS traffic is blocked
- OR specified port is blocked: use 443 to make it "like real"
- OR provided SNI is blocked: use "officially approved"/innocuous name
- like most protocols on the Internet;
- these situations are observed:
- in China behind the Great Firewall
- in Russia on mobile networks, less in wired networks
- in Iran during "activity"
# Cloning repo
git clone https://github.com/telemt/telemt
# Changing Directory to telemt
cd telemt
# Starting Release Build
cargo build --release
# Move to /bin
mv ./target/release/telemt /bin
# Make executable
chmod +x /bin/telemt
# Lets go!
telemt config.toml- Long-running reliability and idempotent behavior
- Rust’s deterministic resource management - RAII
- No garbage collector
- Memory safety and reduced attack surface
- Tokio's asynchronous architecture
- Public IP in links
- Config Reload-on-fly
- Bind to device or IP for outbound/inbound connections
- Adtag Support per SNI / Secret
- Fail-fast on start + Fail-soft on runtime (only WARN/ERROR)
- Zero-copy, minimal allocs on hotpath
- DC Healthchecks + global fallback
- No global mutable state
- Client isolation + Fair Bandwidth
- Backpressure-aware IO
- "Secret Policy" - SNI / Secret Routing :D
- Multi-upstream Balancer and Failover
- Strict FSM per handshake
- Session-based Antireplay with Sliding window, non-broking reconnects
- Web Control: statistic, state of health, latency, client experience...