feat(mtproto): adopt dolonet/mtg-multi and make MTProto inbounds multi-client

Replace the upstream 9seconds/mtg sidecar with the dolonet/mtg-multi fork so a single MTProto inbound can serve many per-user secrets. Each panel client is now one named FakeTLS secret in the fork's [secrets] section: clients are first-class (attach/detach, limits, expiry, per-client tg:// links) exactly like every other protocol, mirroring the WireGuard multi-client model. Per-client traffic and online status come from the fork's /stats JSON API (its Prometheus output has no per-user label), fed into the existing email-keyed client_traffics accumulator; an optional throttle caps concurrent connections. A one-time seeder converts each legacy single-secret inbound into a one-client inbound.

The fork ships only linux/darwin amd64/arm64 binaries but is pure Go, so provisioning builds it from source for every supported platform (release.yml, DockerInit.sh) while keeping the panel-expected mtg-<os>-<arch> filename and the 'run' verb, so process.go is untouched. Also fixes a pre-existing update.sh gap that never renamed the mtg binary for armv6/armv7 updates.
This commit is contained in:
MHSanaei
2026-07-06 16:04:32 +02:00
parent 5e9606aa4d
commit d97bd8643e
54 changed files with 1160 additions and 453 deletions
@@ -63,8 +63,21 @@ exports[`InboundSettingsSchema fixtures > parses mtproto-basic byte-stably 1`] =
{
"protocol": "mtproto",
"settings": {
"clients": [
{
"comment": "",
"email": "mtproto-user",
"enable": true,
"expiryTime": 0,
"limitIp": 0,
"reset": 0,
"secret": "ee0123456789abcdef0123456789abcdef7777772e636c6f7564666c6172652e636f6d",
"subId": "",
"tgId": 0,
"totalGB": 0,
},
],
"fakeTlsDomain": "www.cloudflare.com",
"secret": "ee0123456789abcdef0123456789abcdef7777772e636c6f7564666c6172652e636f6d",
},
}
`;
@@ -73,6 +86,20 @@ exports[`InboundSettingsSchema fixtures > parses mtproto-domain-fronting byte-st
{
"protocol": "mtproto",
"settings": {
"clients": [
{
"comment": "",
"email": "mtproto-user",
"enable": true,
"expiryTime": 0,
"limitIp": 0,
"reset": 0,
"secret": "ee0123456789abcdef0123456789abcdef7777772e636c6f7564666c6172652e636f6d",
"subId": "",
"tgId": 0,
"totalGB": 0,
},
],
"debug": true,
"domainFronting": {
"ip": "127.0.0.1",
@@ -82,7 +109,7 @@ exports[`InboundSettingsSchema fixtures > parses mtproto-domain-fronting byte-st
"fakeTlsDomain": "www.cloudflare.com",
"preferIp": "prefer-ipv4",
"proxyProtocolListener": true,
"secret": "ee0123456789abcdef0123456789abcdef7777772e636c6f7564666c6172652e636f6d",
"throttleMaxConnections": 5000,
},
}
`;
@@ -2,6 +2,12 @@
"protocol": "mtproto",
"settings": {
"fakeTlsDomain": "www.cloudflare.com",
"secret": "ee0123456789abcdef0123456789abcdef7777772e636c6f7564666c6172652e636f6d"
"clients": [
{
"email": "mtproto-user",
"secret": "ee0123456789abcdef0123456789abcdef7777772e636c6f7564666c6172652e636f6d",
"enable": true
}
]
}
}
@@ -2,10 +2,17 @@
"protocol": "mtproto",
"settings": {
"fakeTlsDomain": "www.cloudflare.com",
"secret": "ee0123456789abcdef0123456789abcdef7777772e636c6f7564666c6172652e636f6d",
"clients": [
{
"email": "mtproto-user",
"secret": "ee0123456789abcdef0123456789abcdef7777772e636c6f7564666c6172652e636f6d",
"enable": true
}
],
"proxyProtocolListener": true,
"preferIp": "prefer-ipv4",
"debug": true,
"throttleMaxConnections": 5000,
"domainFronting": {
"ip": "127.0.0.1",
"port": 9443,
+14
View File
@@ -26,4 +26,18 @@ describe('link-label parseLinkParts', () => {
it('returns null for an unparseable scheme', () => {
expect(parseLinkParts('not-a-link')).toBeNull();
});
// MTProto share links are tg://proxy deep links whose port rides in a query
// param, not the URL authority; they carry no transport and use FakeTLS.
it('labels an mtproto tg://proxy link with its query-param port and FakeTLS', () => {
const parts = parseLinkParts(
'tg://proxy?server=host.example.com&port=8443&secret=ee00#mt-inbound',
);
expect(parts?.protocol).toBe('MTProto');
expect(parts?.network).toBe('');
expect(parts?.security).toBe('FAKETLS');
expect(parts?.port).toBe('8443');
expect(parts?.remark).toBe('mt-inbound');
expect(parts && linkMetaText(parts)).toBe('mt-inbound:8443');
});
});
@@ -0,0 +1,41 @@
import { describe, expect, it } from 'vitest';
import { genInboundLinks } from '@/lib/xray/inbound-link';
import { InboundSchema } from '@/schemas/api/inbound';
// Multi-client MTProto renders one tg://proxy deep link per entry in
// settings.clients, each carrying that client's own FakeTLS secret.
function mtprotoInbound() {
return InboundSchema.parse({
id: 70,
remark: 'mt-mc',
port: 8443,
protocol: 'mtproto',
settings: {
fakeTlsDomain: 'www.cloudflare.com',
clients: [
{
email: 'alice',
secret: 'ee0123456789abcdef0123456789abcdef7777772e636c6f7564666c6172652e636f6d',
enable: true,
},
{
email: 'bob',
secret: 'eeabcdefabcdefabcdefabcdefabcdef01676f6f676c652e636f6d',
enable: true,
},
],
},
});
}
describe('mtproto multi-client link fan-out', () => {
it('emits one tg://proxy per client from settings.clients', () => {
const out = genInboundLinks({ inbound: mtprotoInbound(), remark: 'mt-mc', fallbackHostname: 'mt.example.test' });
const links = out.split('\r\n').filter(Boolean);
expect(links).toHaveLength(2);
expect(links[0]).toContain('tg://proxy');
expect(links[0]).toContain('secret=ee0123456789abcdef0123456789abcdef7777772e636c6f7564666c6172652e636f6d');
expect(links[1]).toContain('secret=eeabcdefabcdefabcdefabcdefabcdef01676f6f676c652e636f6d');
});
});