Releases: 9seconds/mtg
v2.2.3
Mostly a technical release, a follow-up of the previous one.
Added profile-guided optimizations and a plethora of new architectures. You may want to try AMD64v3 (this probably works everywhere now, including VPSes) and ARMv9.
Also, there is now official support for Windows.
What's Changed
- Add PGO by @9seconds in #385
- Document a necessety of increasing limits for systemd unit by @9seconds in #388
- Add more architectures for mtg by @9seconds in #386
Full Changelog: v2.2.2...v2.2.3
v2.2.2
This release brings no new features, but it decreases CPU usage and trims down memory usage.
What's Changed
- Show ip of telegram endpoints in event stream by @9seconds in #379
- Optimize waiting time for TLS chunker by @9seconds in #382
- Avoid double buffering in TLS hot path by @9seconds in #383
Full Changelog: v2.2.1...v2.2.2
v2.2.1
Mostly a bug-fix release, with a very important fix related to the socks5 interface.
Important note: if you have a problem with static loading, please disable the auto-update setting. It seems that the addresses provided by the Telegram API are not very stable, so it is worth falling back to the core IPs for now.
What's Changed
- Fix preferIPOnlyIPv6 by @Maks-2012 in #366
- fix: ensure network.Dial and MakeHTTPClient use socks5 proxy by @saleacy in #367
- Fix flaky test by @9seconds in #368
New Contributors
- @Maks-2012 made their first contribution in #366
- @saleacy made their first contribution in #367
Full Changelog: v2.2.0...v2.2.1
v2.2.0
This version introduces the first major feature in the last couple of years. It is called doppelganger because I could not find a better name. It is a logical continuation of cloaking (domain fronting, call it what you like).
Websites and applications are different. They communicate differently, and their traffic patterns are different. Websites send short bursts of traffic, and the sizes can have long tails. Applications that pump JSON usually send very small packets.
This is reflected in TLS packet delays and TLS packet sizes.
Since 2.2.0, mtg introduces artificial delays when sending TLS packets back to the client, and it tries very hard to look like a real website from a statistical point of view.
Of course we cannot mimic it completely, because Telegram still communicates like RPC, but mtg does its best to hide this fact: it restructures TLS packets and it delays TLS packets.
Speaking of TLS packet sizes, it now supports two modes: classic and DRS (Dynamic Record Sizing). Most TLS libraries and implementations aim to always choose the maximum possible TLS packet size, but a couple of implementations increase this size gradually, aiming for the fastest time-to-first-byte. Most notably, Go's crypto/tls does that, and thus projects built on it like Caddy. So, if you have any insight into which implementation the website you mimic uses, you can enable that setting.
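As an added example (my own model, not code from mtg or from Go's crypto/tls), here is the record-size pattern behind the two modes: classic, where every record is the 16 KiB maximum, and DRS as Go's crypto/tls does it, where application-data records grow in an arithmetic progression from about one TCP segment until 128 KiB have been sent. The constants and overhead values come from my reading of Go's implementation and are assumptions here.

```go
package main

import "fmt"

// Constants mirror Go's crypto/tls (assumed values, see its maxPayloadSizeForWrite).
const (
	maxPlaintext             = 16384      // largest TLS record payload
	recordHeaderLen          = 5          // content type + version + length
	tcpMSSEstimate           = 1208       // conservative one-TCP-segment estimate
	recordSizeBoostThreshold = 128 * 1024 // after this many bytes, always use the max
)

// classicRecordSizes models what most TLS stacks do: every record is full size.
func classicRecordSizes(total int) []int {
	return recordSizes(total, 0, 0, false, false)
}

// recordSizes splits total bytes of application data into record payload sizes.
// With drs, the first record fits one TCP segment, the k-th is k times that
// (capped at maxPlaintext), and once 128 KiB are sent every record is full size.
// explicitNonceLen is 8 for TLS 1.2 AES-GCM and 0 for TLS 1.3; aeadOverhead
// is the tag length (16 for AES-GCM and ChaCha20-Poly1305).
func recordSizes(total, explicitNonceLen, aeadOverhead int, tls13, drs bool) []int {
	payloadBytes := tcpMSSEstimate - recordHeaderLen - explicitNonceLen - aeadOverhead
	if tls13 {
		payloadBytes-- // TLS 1.3 carries the real content type inside the record
	}
	var sizes []int
	bytesSent, packetsSent := 0, 0
	for total > 0 {
		n := maxPlaintext
		if drs && bytesSent < recordSizeBoostThreshold {
			if n = payloadBytes * (packetsSent + 1); n > maxPlaintext {
				n = maxPlaintext
			}
		}
		if n > total {
			n = total
		}
		sizes = append(sizes, n)
		bytesSent += n
		packetsSent++
		total -= n
	}
	return sizes
}

func main() {
	// A 64 KiB response body over TLS 1.3 with AES-GCM: compare the two patterns.
	fmt.Println("classic:", classicRecordSizes(64*1024))
	fmt.Println("drs:    ", recordSizes(64*1024, 0, 16, true, true))
}
```

The DRS sequence (1186, 2372, 3558, ...) is the size fingerprint a passive observer sees from a Go-served site, which is why mtg offers the mode as an opt-in rather than a default.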
This is how it could be set up:
[defense.doppelganger]
# mtg comes with very good defaults, but if you want to be as specific as possible,
# please set a couple of URLs from the domain in disguise. No need to add many, but it makes sense
# to use different ones. One image, one page, one static file is already a good set.
#
# mtg will start to crawl them periodically and statistically mimic their TLS delays.
urls = [
    "https://lalala"
]
# this is that Dynamic Record Sizing option
drs = false
Please see all settings in the example config file. Also, please read the attached BEST_PRACTICES.md; it now comes with every archive.
If you are not sure, do not set anything: mtg has good enough defaults. As usual, if something does not work, try other projects like telemt. It does not matter what you use as long as you stay connected.
And give us the strength to get through all this crap.
What's Changed
- Include example config into distribution bundle by @9seconds in #348
- Doppleganger by @9seconds in #352
- Use native dialer to communicate with fronting domain by @9seconds in #353
- Use native dialer for scout by @9seconds in #355
- Speed up Github actions by @9seconds in #356
- Access command should use native dialer instead of network one by @9seconds in #357
- Make DRS optional by @9seconds in #358
- Fix android ping by @9seconds in #359
- Have a noise of variable size by @9seconds in #360
- Add docs about doppelganger by @9seconds in #361
- Decrease relay buffer size by @9seconds in #363
- Add document about best practices by @9seconds in #365
Full Changelog: v2.1.13...v2.2.0
v2.1.13
This release addresses the long-running confusion around the mandatory DNS-over-HTTPS option. Now it is fixed. Unfortunately, the old network.doh-ip option is now deprecated; please use the new network.dns.
This is the doh-ip option you should move away from:
# DEPRECATED option:
# If dns option is specified, it will be used instead. No default is defined
# anymore. But if you set this option, this is literally the same providing
# https:// URL to `dns`.
#
# In other words:
#
# doh-ip = "1.1.1.1"
#
# is literally the same as
#
# dns = "https://1.1.1.1"
# doh-ip = "1.1.1.1"
And this is the new dns option to move to:
# Starting from mtg v2.1.12 we have changed the configuration for DNS. Now it
# supports DNS-over-HTTPS, DNS-over-TLS, custom UDP resolver and system
# resolver.
#
# Here is how to define DNS-over-HTTPS:
# - https://1.1.1.1
# - https://1.1.1.1/dns-query
# - https://cloudflare-dns.com/dns-query
# - https://cloudflare-dns.com
#
# Here is how to define DNS-over-TLS:
# - tls://1.1.1.1
# - tls://cloudflare-dns.com
#
# Here is how to define a custom UDP resolver (we support only IPs here)
# - 1.1.1.1
# - udp://1.1.1.1
#
# If you set it to an empty string, the default resolver will be used.
# But please comment out doh-ip
dns = "https://1.1.1.1"
So, in general, you can use 4 different options for the DNS setting:
1. Default resolver.
In that case, just set dns to an empty string:
[network]
dns = ""
so mtg will use the local stub resolver to get DNS records.
2. DNS-over-HTTPS
Just use the https:// prefix:
[network]
dns = "https://1.1.1.1"
This means that mtg will use the https://1.1.1.1/dns-query URL to resolve DNS. If the path is different, just specify a full URL:
[network]
dns = "https://1.1.1.1/my-path"
3. DNS-over-TLS
Just use the tls:// prefix:
[network]
dns = "tls://dns.google"
4. Classic UDP DNS
Either provide an IP address or optionally prefix it with udp://
[network]
dns = "8.8.8.8"
and
[network]
dns = "udp://8.8.8.8"
are both equivalent ways of setting that.
Please be aware that if you have to set up DNS, it means some restrictions are in place. It could be a good idea to have socks5 upstream connectivity in that case.
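As an added example (my own code, not mtg's parser), here is how the four forms of the dns setting described above map to a resolver type, including the two rules that are easy to miss: the default /dns-query path for DNS-over-HTTPS and the IP-only restriction for UDP. Port handling is not covered because the release note does not describe it.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Resolver is the normalised reading of the `dns` setting. Kind is one of
// "system", "doh", "dot" or "udp"; Endpoint is empty for the system resolver.
type Resolver struct{ Kind, Endpoint string }
// ParseDNSSetting applies the rules above: "" is the local stub resolver,
// https:// is DNS-over-HTTPS (default path /dns-query), tls:// is DNS-over-TLS,
// and a bare IP, optionally prefixed with udp://, is classic UDP DNS, which
// accepts only IP addresses. Ports are not handled (an assumption of this example).
func ParseDNSSetting(value string) (Resolver, error) {
	value = strings.TrimSpace(value)
	switch {
	case value == "":
		return Resolver{Kind: "system"}, nil
	case strings.HasPrefix(value, "https://"):
		u, err := url.Parse(value)
		if err != nil || u.Host == "" {
			return Resolver{}, fmt.Errorf("bad DNS-over-HTTPS URL %q", value)
		}
		if u.Path == "" || u.Path == "/" {
			u.Path = "/dns-query" // what mtg uses when no path is given
		}
		return Resolver{Kind: "doh", Endpoint: u.String()}, nil
	case strings.HasPrefix(value, "tls://"):
		host := strings.TrimPrefix(value, "tls://")
		if host == "" {
			return Resolver{}, fmt.Errorf("tls:// needs a hostname or IP")
		}
		return Resolver{Kind: "dot", Endpoint: host}, nil
	}
	// Anything else must be a plain IP; a hostname here is rejected.
	ip := net.ParseIP(strings.TrimPrefix(value, "udp://"))
	if ip == nil {
		return Resolver{}, fmt.Errorf("%q: UDP resolvers accept only IP addresses", value)
	}
	return Resolver{Kind: "udp", Endpoint: ip.String()}, nil
}

func main() {
	fmt.Println(ParseDNSSetting("https://1.1.1.1")) // {doh https://1.1.1.1/dns-query} <nil>
}
```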
What's Changed
Full Changelog: v2.1.12...v2.1.13
v2.1.12
This is a hotfix release that aims to address the issue with a proxy that cannot access Telegram HTTP endpoints to get the updated list of DCs. It should help with running it in a restricted environment.
By default, auto-update is now disabled. You can explicitly enable it in the config:
# If this setting is set, then mtg will try to get proxy updates from Telegram.
# Usually it is completely fine to have it disabled, because mtg has a list
# of some core proxies hardcoded.
auto-update = false
What's Changed
- Do not panic if no addresses were found by @9seconds in #345
- Make auto updating optional by @9seconds in #344
Full Changelog: v2.1.11...v2.1.12
v2.1.11
Deprecation of dc-overrides
Apparently, Telegram has made a slightly better way of getting CDN DCs. Now we can extract them from a public list. So, this setting is no longer relevant. Anyway, there was no good way of getting those IPs.
So, if you have this setting in your config:
# Telegram uses different DCs for different purposes. Unfortunately, most of
# DCs are not public, and dependent on a location of the current user, so
# mtg cannot know upfront about all of them, and how to access them. It has
# a default list of DCs, including some CDN IPs, but it is possible that some
# of them are not working for you. In this case, you can override them here.
[[dc-overrides]]
dc = 101
ips = ["127.0.0.1:443"]
You can delete it; it is ignored. Now we have a more robust way of doing that with auto-updates.
Rework of domain fronting configuration
Before this, mtg used the following configuration for domain fronting:
# FakeTLS uses domain fronting protection. So it needs to know a port to
# access.
domain-fronting-port = 443
Now there is a special dedicated section for that:
# This section is relevant to communication with the fronting domain. Usually
# you do not need to set up anything here, but there are plenty of cases, especially
# if you put mtg behind a load balancer, when some specific configuration is
# required.
[domain-fronting]
# By default, mtg resolves the fronting hostname (from the secret) via DNS
# to establish a TCP connection. If DNS resolution of that hostname is blocked,
# you can specify an IP address to connect to directly. The hostname is still
# used for SNI in the TLS handshake.
#
# default value is not set (DNS resolution is used).
ip = "10.10.10.11"
# FakeTLS uses domain fronting protection. So it needs to know a port to
# access. Default value is 443
port = 443
# This makes a communication between both fronting website and mtg to use
# proxy protocol.
proxy-protocol = false
Everything here is optional.
domain-fronting.port
This is literally the same as the domain-fronting-port setting. The old way still works but is deprecated, so your configs will keep working. The new setting has higher priority than the old one.
domain-fronting.ip
Let's imagine that you have a website placed behind a load balancer, and you put mtg there too. If a Telegram request comes in, mtg serves it; otherwise mtg should reroute it to the real backend. But if you specify only a domain, then mtg would access mtg again, and you can get a loop. This setting forces mtg to use the given IP as the domain fronting IP, which makes the routing more reasonable.
domain-fronting.proxy-protocol
Same as above: if you have a chain of services that pass requests to each other, it makes sense to see real IPs in the logs. Proxy protocol allows doing that. If you set this setting to true, mtg will start talking to the upstream using proxy protocol instead of a plain TCP connection.
What's Changed
- Add domain-fronting-ip option by @ivulit in #334
- Check for vulnerabilities by @9seconds in #337
- Fetch DC203 from Telegram by @9seconds in #336
- Add support for domain fronting proxy protocol by @9seconds in #338
- Domain fronting config grouping by @9seconds in #339
New Contributors
Full Changelog: v2.1.10...v2.1.11
v2.1.10
This is mostly a chore release with one small feature: full support for proxy protocol. This is an optional feature but quite handy for all users of load balancers like HAProxy or ELB. mtg supports both v1 and v2.
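As an added example (my own code, not the library mtg uses, which handles both v1 and v2), this parses the PROXY protocol v1 line that HAProxy or a similar balancer prepends when the listener option is on, with the validation a listener should do before trusting the addresses; it is the same line that domain-fronting.proxy-protocol makes mtg send upstream (v2.1.11 notes above). The sample line is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// ProxyInfo is the original client/server address pair a PROXY v1 line carries.
type ProxyInfo struct {
	SrcIP, DstIP     net.IP
	SrcPort, DstPort int
}

// ParseV1Header reads the line a load balancer such as HAProxy prepends to a
// connection. Nothing in it is authenticated: any peer that can reach the
// listener could send one, which is why the listener option must stay off
// unless every connection arrives via the load balancer. The spec-valid
// "PROXY UNKNOWN" form is rejected here for simplicity.
func ParseV1Header(line string) (ProxyInfo, error) {
	var p ProxyInfo
	if len(line) > 107 || !strings.HasSuffix(line, "\r\n") { // 107 is the v1 maximum
		return p, errors.New("PROXY v1 line too long or missing CRLF")
	}
	f := strings.Split(strings.TrimSuffix(line, "\r\n"), " ")
	if len(f) != 6 || f[0] != "PROXY" || (f[1] != "TCP4" && f[1] != "TCP6") {
		return p, errors.New("malformed or unsupported PROXY v1 header")
	}
	p.SrcIP, p.DstIP = net.ParseIP(f[2]), net.ParseIP(f[3])
	want4 := f[1] == "TCP4"
	if p.SrcIP == nil || p.DstIP == nil || (p.SrcIP.To4() != nil) != want4 || (p.DstIP.To4() != nil) != want4 {
		return p, errors.New("addresses do not match the declared family")
	}
	var err error
	if p.SrcPort, err = strconv.Atoi(f[4]); err != nil || p.SrcPort < 0 || p.SrcPort > 65535 {
		return p, errors.New("bad source port")
	}
	if p.DstPort, err = strconv.Atoi(f[5]); err != nil || p.DstPort < 0 || p.DstPort > 65535 {
		return p, errors.New("bad destination port")
	}
	return p, nil
}

func main() {
	// Constructed sample: what HAProxy would prepend for a client at 203.0.113.7.
	p, err := ParseV1Header("PROXY TCP4 203.0.113.7 10.0.0.5 51234 443\r\n")
	fmt.Println(p.SrcIP, p.SrcPort, p.DstIP, p.DstPort, err) // 203.0.113.7 51234 10.0.0.5 443 <nil>
}
```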
Here is how to enable it in your config:
# This defines what types of traffic mtg listens to. If you are not sure,
# then definitely keep it disabled. Enable it if and only if incoming traffic
# is coming from some sort of load balancer like HAProxy or ELB.
# https://www.haproxy.org/download/2.3/doc/proxy-protocol.txt
#
# mtg uses a library that supports v1 and v2 versions of ProxyProtocol.
# default value is false.
proxy-protocol-listener = true
What's Changed
- Tell about mise in readme by @9seconds in #329
- Mention telemt project in README by @9seconds in #330
- Chore updates for golang 1.26 by @9seconds in #331
- Recommend to use telemt for adtag carvings by @9seconds in #332
- Add support of proxy protocol by @9seconds in #333
Full Changelog: v2.1.9...v2.1.10
v2.1.9
v2.1.8
Some chore operations after 3 years of absence: dependency updates and other minor stuff.
New Contributors
- @arashnm80 made their first contribution in #289
Full Changelog: v2.1.7...v2.1.8