amnezia-vpn · yp-amnezia · Jun 15, 2026 · Jun 15, 2026 · Jun 15, 2026 · Jun 15, 2026
diff --git a/client/core/controllers/selfhosted/installController.cpp b/client/core/controllers/selfhosted/installController.cpp
@@ -103,7 +103,7 @@ ErrorCode InstallController::setupContainer(const ServerCredentials &credentials
                                             bool isUpdate)
 {
     qDebug().noquote() << "InstallController::setupContainer" << ContainerUtils::containerToString(container);
-    SshSession sshSession(this);
+    SshSession sshSession;
     ErrorCode e = ErrorCode::NoError;
 
     e = isUserInSudo(credentials, sshSession);
@@ -168,11 +168,11 @@ ErrorCode InstallController::updateServerConfig(const QString &serverId, DockerC
         }
         if (container == DockerContainer::MtProxy) {
             ServerCredentials credentials = adminConfig->credentials();
-            SshSession sshSession(this);
+            SshSession sshSession;
             MtProxyInstaller::uploadClientSettingsSnapshot(sshSession, credentials, container, newConfig);
         } else if (container == DockerContainer::Telemt) {
             ServerCredentials credentials = adminConfig->credentials();
-            SshSession sshSession(this);
+            SshSession sshSession;
             TelemtInstaller::uploadClientSettingsSnapshot(sshSession, credentials, container, newConfig);
         }
         adminConfig->updateContainerConfig(container, newConfig);
@@ -188,7 +188,7 @@ ErrorCode InstallController::updateServerConfig(const QString &serverId, DockerC
     if (!credentials.isValid()) {
         return ErrorCode::InternalError;
     }
-    SshSession sshSession(this);
+    SshSession sshSession;
 
     bool reinstallRequired = isReinstallContainerRequired(container, oldConfig, newConfig);
     qDebug() << "InstallController::updateServerConfig for container" << container << "reinstall required is" << reinstallRequired;
@@ -211,6 +211,12 @@ ErrorCode InstallController::updateServerConfig(const QString &serverId, DockerC
         if (errorCode == ErrorCode::NoError) {
             errorCode = startupContainerWorker(credentials, container, newConfig, sshSession);
         }
+
+        if (errorCode == ErrorCode::NoError
+            && (container == DockerContainer::MtProxy || container == DockerContainer::Telemt)) {
+            const QString containerName = ContainerUtils::containerToString(container);
+            errorCode = sshSession.runScript(credentials, "sudo docker restart " + containerName);
+        }
     }
 
     const bool skipXrayInboundSync =
@@ -737,18 +743,6 @@ bool InstallController::isReinstallContainerRequired(DockerContainer container,
             if (oldPort != newPort) {
                 return true;
             }
-            const QString oldTransport = oldMt->transportMode.isEmpty() ? QString(
-                    protocols::mtProxy::transportModeStandard)
-                                                                        : oldMt->transportMode;
-            const QString newTransport = newMt->transportMode.isEmpty() ? QString(
-                    protocols::mtProxy::transportModeStandard)
-                                                                        : newMt->transportMode;
-            if (oldTransport != newTransport) {
-                return true;
-            }
-            if (oldMt->tlsDomain != newMt->tlsDomain) {
-                return true;
-            }
         }
     }
 
@@ -763,39 +757,6 @@ bool InstallController::isReinstallContainerRequired(DockerContainer container,
             if (oldPort != newPort) {
                 return true;
             }
-            const QString oldTransport = oldT->transportMode.isEmpty()
-                    ? QString(protocols::telemt::transportModeStandard)
-                    : oldT->transportMode;
-            const QString newTransport = newT->transportMode.isEmpty()
-                    ? QString(protocols::telemt::transportModeStandard)
-                    : newT->transportMode;
-            if (oldTransport != newTransport) {
-                return true;
-            }
-            if (oldT->tlsDomain != newT->tlsDomain) {
-                return true;
-            }
-            if (oldT->maskEnabled != newT->maskEnabled) {
-                return true;
-            }
-            if (oldT->tlsEmulation != newT->tlsEmulation) {
-                return true;
-            }
-            if (oldT->useMiddleProxy != newT->useMiddleProxy) {
-                return true;
-            }
-            if (oldT->tag != newT->tag) {
-                return true;
-            }
-            const QString oldUser = oldT->userName.isEmpty()
-                    ? QString::fromUtf8(protocols::telemt::defaultUserName)
-                    : oldT->userName;
-            const QString newUser = newT->userName.isEmpty()
-                    ? QString::fromUtf8(protocols::telemt::defaultUserName)
-                    : newT->userName;
-            if (oldUser != newUser) {
-                return true;
-            }
         }
     }
 
@@ -835,6 +796,20 @@ ErrorCode InstallController::installDockerWorker(const ServerCredentials &creden
 
     qDebug().noquote() << "InstallController::installDockerWorker" << stdOut;
 
+    if (container == DockerContainer::MtProxy || container == DockerContainer::Telemt) {
+        QString conntrackOut;
+        auto cbConntrack = [&](const QString &data, libssh::Client &) {
+            conntrackOut += data + "\n";
+            return ErrorCode::NoError;
+        };
+        sshSession.runScript(
+                credentials,
+                sshSession.replaceVars(amnezia::scriptData(SharedScriptType::install_conntrack),
+                                       amnezia::genBaseVars(credentials, DockerContainer::None, QString(), QString())),
+                cbConntrack, cbConntrack);
+        qDebug().noquote() << "InstallController::installDockerWorker install_conntrack:" << conntrackOut;
+    }
+
     if (container == DockerContainer::Awg2) {
         QRegularExpression regex(R"(Linux\s+(\d+)\.(\d+)[^\d]*)");
         QRegularExpressionMatch match = regex.match(stdOut);
@@ -970,7 +945,7 @@ ErrorCode InstallController::rebootServer(const QString &serverId)
     if (!credentials.isValid()) {
         return ErrorCode::InternalError;
     }
-    SshSession sshSession(this);
+    SshSession sshSession;
 
     QString script = QString("sudo reboot");
 
@@ -998,7 +973,7 @@ ErrorCode InstallController::removeAllContainers(const QString &serverId)
     if (!credentials.isValid()) {
         return ErrorCode::InternalError;
     }
-    SshSession sshSession(this);
+    SshSession sshSession;
     ErrorCode errorCode = sshSession.runScript(credentials, amnezia::scriptData(SharedScriptType::remove_all_containers));
 
     if (errorCode == ErrorCode::NoError) {
@@ -1020,7 +995,7 @@ ErrorCode InstallController::removeContainer(const QString &serverId, DockerCont
     if (!credentials.isValid()) {
         return ErrorCode::InternalError;
     }
-    SshSession sshSession(this);
+    SshSession sshSession;
     const amnezia::ScriptVars removeContainerVars =
             amnezia::genBaseVars(credentials, container, QString(), QString());
     const bool removeDataVolume = (container == DockerContainer::MtProxy || container == DockerContainer::Telemt);
@@ -1129,7 +1104,7 @@ ErrorCode InstallController::scanServerForInstalledContainers(const QString &ser
     if (!credentials.isValid()) {
         return ErrorCode::InternalError;
     }
-    SshSession sshSession(this);
+    SshSession sshSession;
 
     QMap<DockerContainer, ContainerConfig> installedContainers;
     ErrorCode errorCode = getAlreadyInstalledContainers(credentials, installedContainers, sshSession);
@@ -1172,7 +1147,7 @@ ErrorCode InstallController::scanServerForInstalledContainers(const QString &ser
 ErrorCode InstallController::installServer(const ServerCredentials &credentials, DockerContainer container, int port,
                                            TransportProto transportProto, bool &wasContainerInstalled)
 {
-    SshSession sshSession(this);
+    SshSession sshSession;
     QMap<DockerContainer, ContainerConfig> installedContainers;
     ErrorCode errorCode = getAlreadyInstalledContainers(credentials, installedContainers, sshSession);
     if (errorCode) {
@@ -1241,7 +1216,7 @@ ErrorCode InstallController::installContainer(const QString &serverId, DockerCon
     if (!credentials.isValid()) {
         return ErrorCode::InternalError;
     }
-    SshSession sshSession(this);
+    SshSession sshSession;
 
     QMap<DockerContainer, ContainerConfig> installedContainers;
     ErrorCode errorCode = getAlreadyInstalledContainers(credentials, installedContainers, sshSession);
@@ -1283,7 +1258,7 @@ ErrorCode InstallController::installContainer(const QString &serverId, DockerCon
 ErrorCode InstallController::checkSshConnection(ServerCredentials &credentials, QString &output,
                                                 std::function<QString()> passphraseCallback)
 {
-    SshSession sshSession(this);
+    SshSession sshSession;
     ErrorCode errorCode = ErrorCode::NoError;
 
     if (credentials.secretData.contains("BEGIN") && credentials.secretData.contains("PRIVATE KEY")) {
@@ -1564,7 +1539,7 @@ ErrorCode InstallController::setDockerContainerEnabledState(const QString &serve
         return ErrorCode::InternalError;
     }
     const QString containerName = ContainerUtils::containerToString(container);
-    SshSession sshSession(this);
+    SshSession sshSession;
     const QString script = enabled ? QStringLiteral("sudo docker start %1").arg(containerName)
                                    : QStringLiteral("sudo docker stop %1").arg(containerName);
     const ErrorCode runError = sshSession.runScript(credentials, script);
@@ -1604,7 +1579,7 @@ ErrorCode InstallController::queryDockerContainerStatus(const QString &serverId,
         stdOut += data;
         return ErrorCode::NoError;
     };
-    SshSession sshSession(this);
+    SshSession sshSession;
     const QString script = QStringLiteral(
             "sudo docker inspect --format '{{.State.Status}}' %1 2>/dev/null || echo 'not_found'")
             .arg(containerName);
@@ -1638,7 +1613,7 @@ ErrorCode InstallController::queryMtProxyDiagnostics(const QString &serverId, Do
     if (!credentials.isValid()) {
         return ErrorCode::InternalError;
     }
-    SshSession sshSession(this);
+    SshSession sshSession;
     return MtProxyInstaller::queryDiagnostics(sshSession, credentials, container, listenPort, out);
 }
 
@@ -1661,7 +1636,7 @@ QString InstallController::fetchDockerContainerSecret(const QString &serverId, D
         stdOut += data;
         return ErrorCode::NoError;
     };
-    SshSession sshSession(this);
+    SshSession sshSession;
     const QString path = QStringLiteral("/data/secret");
     const QString cmd = QStringLiteral("sudo docker exec %1 cat %2").arg(containerName, path);
     const ErrorCode errorCode = sshSession.runScript(credentials, cmd, cbReadStdOut);

diff --git a/client/core/installers/mtProxyInstaller.cpp b/client/core/installers/mtProxyInstaller.cpp
@@ -71,48 +71,62 @@ ErrorCode MtProxyInstaller::queryDiagnostics(SshSession &sshSession, const Serve
                                              DockerContainer container, int listenPort,
                                              MtProxyContainerDiagnostics &out)
 {
-    out = {};
-    if (container != DockerContainer::MtProxy && container != DockerContainer::Telemt) {
-        return ErrorCode::InternalError;
-    }
-    const QString containerName = ContainerUtils::containerToString(container);
-    const QString script =
-            QStringLiteral(
-                    "PORT_OK=$(sudo docker exec %1 sh -c 'ss -tlnp 2>/dev/null | grep -q :%2 && echo yes || echo no' 2>/dev/null || echo no); "
-                    "TG_OK=$(curl -s --max-time 5 -o /dev/null -w '%%{http_code}' https://core.telegram.org/getProxySecret 2>/dev/null | grep -q '200' && echo yes || echo no); "
-                    "CLIENTS=$(sudo docker exec amnezia-mtproxy sh -c 'curl -s --max-time 3 http://localhost:2398/stats 2>/dev/null | grep -o \"total_special_connections:[0-9]*\" | cut -d: -f2' 2>/dev/null); "
-                    "CONF_TIME=$(sudo docker exec amnezia-mtproxy sh -c 'stat -c \"%%y\" /data/proxy-multi.conf 2>/dev/null | cut -d. -f1' 2>/dev/null || echo unknown); "
-                    "echo \"PORT_OK=${PORT_OK}\"; "
-                    "echo \"TG_OK=${TG_OK}\"; "
-                    "echo \"CLIENTS=${CLIENTS:-0}\"; "
-                    "echo \"CONF_TIME=${CONF_TIME}\"; "
-                    "echo \"STATS=http://localhost:2398/stats\";")
-                    .arg(containerName)
-                    .arg(listenPort);
-
-    QString stdOut;
-    auto cbReadStdOut = [&](const QString &data, libssh::Client &) {
-        stdOut += data;
-        return ErrorCode::NoError;
-    };
-    const ErrorCode errorCode = sshSession.runScript(credentials, script, cbReadStdOut);
-    if (errorCode != ErrorCode::NoError) {
-        return errorCode;
-    }
-    for (const QString &line : stdOut.split('\n', Qt::SkipEmptyParts)) {
-        if (line.startsWith(QLatin1String("PORT_OK="))) {
-            out.portReachable = line.mid(8).trimmed() == QLatin1String("yes");
-        } else if (line.startsWith(QLatin1String("TG_OK="))) {
-            out.upstreamReachable = line.mid(6).trimmed() == QLatin1String("yes");
-        } else if (line.startsWith(QLatin1String("CLIENTS="))) {
-            out.clientsConnected = line.mid(8).trimmed().toInt();
-        } else if (line.startsWith(QLatin1String("CONF_TIME="))) {
-            out.lastConfigRefresh = line.mid(10).trimmed();
-        } else if (line.startsWith(QLatin1String("STATS="))) {
-            out.statsEndpoint = line.mid(6).trimmed();
+    out = { };
+    if (container == DockerContainer::MtProxy || container == DockerContainer::Telemt) {
+        const QString containerName = ContainerUtils::containerToString(container);
+        const bool isTelemt = container == DockerContainer::Telemt;
+
+        const QString sportFilter = QString::number(listenPort);
+        const QString peersCmd = QStringLiteral("sudo conntrack -L -p tcp --dport ") + sportFilter
+                + QStringLiteral(" 2>/dev/null | grep ESTABLISHED | awk '{for(i=1;i<=NF;i++) if($i ~ /^src=/){print "
+                                 "substr($i,5); break}}'");
+        const QString publicFilter = QStringLiteral(" | grep -vE "
+                                                    "'^(10\\.|127\\.|169\\.254\\.|192\\.168\\.|172\\.(1[6-9]|2[0-9]|3["
+                                                    "01])\\.|::1$|fe80:|f[cd][0-9a-f][0-9a-f]:)'");
+        const QString clientsCmd =
+                QStringLiteral("CLIENTS=$(") + peersCmd + publicFilter + QStringLiteral(" | sort -u | grep -c .); ");
+        const QString confFile =
+                isTelemt ? QStringLiteral("/data/config.toml") : QStringLiteral("/data/proxy-multi.conf");
+        const QString statsUrl = QString();
+
+        const QString script = QStringLiteral("CN=") + containerName + QStringLiteral("; ")
+                + QStringLiteral("PORT_OK=$(sudo ss -tlnp 2>/dev/null | grep -q :") + QString::number(listenPort)
+                + QStringLiteral(" && echo yes || echo no); ")
+                + QStringLiteral("TG_OK=$(curl -s --max-time 5 -o /dev/null -w '%{http_code}' "
+                                 "https://core.telegram.org/getProxySecret 2>/dev/null | grep -q '200' && echo yes || "
+                                 "echo no); ")
+                + clientsCmd + QStringLiteral("CONF_TIME=$(sudo docker exec \"$CN\" sh -c 'stat -c \"%y\" ") + confFile
+                + QStringLiteral(" 2>/dev/null | cut -d. -f1' 2>/dev/null || echo unknown); ")
+                + QStringLiteral("echo \"PORT_OK=${PORT_OK}\"; ") + QStringLiteral("echo \"TG_OK=${TG_OK}\"; ")
+                + QStringLiteral("echo \"CLIENTS=${CLIENTS:-0}\"; ") + QStringLiteral("echo \"CONF_TIME=${CONF_TIME}\"; ")
+                + QStringLiteral("echo \"STATS=") + statsUrl + QStringLiteral("\";");
+
+        QString stdOut;
+        auto cbReadStdOut = [&](const QString &data, libssh::Client &) {
+            stdOut += data;
+            return ErrorCode::NoError;
+        };
+        const ErrorCode errorCode = sshSession.runScript(credentials, script, cbReadStdOut);
+        if (errorCode != ErrorCode::NoError) {
+            return errorCode;
         }
+        for (const QString &line : stdOut.split('\n', Qt::SkipEmptyParts)) {
+            if (line.startsWith(QLatin1String("PORT_OK="))) {
+                out.portReachable = line.mid(8).trimmed() == QLatin1String("yes");
+            } else if (line.startsWith(QLatin1String("TG_OK="))) {
+                out.upstreamReachable = line.mid(6).trimmed() == QLatin1String("yes");
+            } else if (line.startsWith(QLatin1String("CLIENTS="))) {
+                out.clientsConnected = line.mid(8).trimmed().toInt();
+            } else if (line.startsWith(QLatin1String("CONF_TIME="))) {
+                out.lastConfigRefresh = line.mid(10).trimmed();
+            } else if (line.startsWith(QLatin1String("STATS="))) {
+                out.statsEndpoint = line.mid(6).trimmed();
+            }
+        }
+        return ErrorCode::NoError;
     }
-    return ErrorCode::NoError;
+
+    return ErrorCode::InternalError;
 }
 
 void MtProxyInstaller::uploadClientSettingsSnapshot(SshSession &sshSession, const ServerCredentials &credentials,

diff --git a/client/core/utils/constants/protocolConstants.h b/client/core/utils/constants/protocolConstants.h
@@ -271,6 +271,7 @@ namespace amnezia
             constexpr char workersModeAuto[]       = "auto";
             constexpr char workersModeManual[]     = "manual";
             constexpr int  maxWorkers              = 32;
+            constexpr int  botTagHexLength         = 32;
         }
 
     } // namespace protocols

diff --git a/client/core/utils/selfhosted/scriptsRegistry.cpp b/client/core/utils/selfhosted/scriptsRegistry.cpp
@@ -50,6 +50,7 @@ QString amnezia::scriptName(SharedScriptType type)
     switch (type) {
     case SharedScriptType::prepare_host: return QLatin1String("prepare_host.sh");
     case SharedScriptType::install_docker: return QLatin1String("install_docker.sh");
+    case SharedScriptType::install_conntrack: return QLatin1String("install_conntrack.sh");
     case SharedScriptType::build_container: return QLatin1String("build_container.sh");
     case SharedScriptType::remove_container: return QLatin1String("remove_container.sh");
     case SharedScriptType::remove_all_containers: return QLatin1String("remove_all_containers.sh");
@@ -366,6 +367,14 @@ amnezia::ScriptVars amnezia::genTelemtVars(const ContainerConfig &containerConfi
         vars.append({ { "$TELEMT_USE_MIDDLE_PROXY", c.useMiddleProxy ? QLatin1String("true") : QLatin1String("false") } });
         vars.append({ { "$TELEMT_MASK", c.maskEnabled ? QLatin1String("true") : QLatin1String("false") } });
         vars.append({ { "$TELEMT_TLS_EMULATION", c.tlsEmulation ? QLatin1String("true") : QLatin1String("false") } });
+
+        QStringList additionalList;
+        for (const QString &s : c.additionalSecrets) {
+            if (!s.isEmpty()) {
+                additionalList << s;
+            }
+        }
+        vars.append({ { "$TELEMT_ADDITIONAL_SECRETS", additionalList.join(QLatin1Char(',')) } });
     }
 
     return vars;

diff --git a/client/core/utils/selfhosted/scriptsRegistry.h b/client/core/utils/selfhosted/scriptsRegistry.h
@@ -21,6 +21,7 @@ enum SharedScriptType {
     // General scripts
     prepare_host,
     install_docker,
+    install_conntrack,
     build_container,
     remove_container,
     remove_all_containers,