feat(mtproto): adopt dolonet/mtg-multi and make MTProto inbounds multi-client

Replace the upstream 9seconds/mtg sidecar with the dolonet/mtg-multi fork so a single MTProto inbound can serve many per-user secrets. Each panel client is now one named FakeTLS secret in the fork's [secrets] section: clients are first-class (attach/detach, limits, expiry, per-client tg:// links) exactly like every other protocol, mirroring the WireGuard multi-client model. Per-client traffic and online status come from the fork's /stats JSON API (its Prometheus output has no per-user label), fed into the existing email-keyed client_traffics accumulator; an optional throttle caps concurrent connections. A one-time seeder converts each legacy single-secret inbound into a one-client inbound.

The fork ships only linux/darwin amd64/arm64 binaries but is pure Go, so provisioning builds it from source for every supported platform (release.yml, DockerInit.sh) while keeping the panel-expected mtg-<os>-<arch> filename and the 'run' verb, so process.go is untouched. Also fixes a pre-existing update.sh gap that never renamed the mtg binary for armv6/armv7 updates.
This commit is contained in:
MHSanaei
2026-07-06 16:04:32 +02:00
parent 5e9606aa4d
commit d97bd8643e
54 changed files with 1160 additions and 453 deletions
+78
View File
@@ -487,6 +487,74 @@ func HealMtprotoSecret(settings string) (string, bool) {
return string(out), true
}
// mtprotoSecretDomain extracts the FakeTLS domain embedded in the tail of a
// secret, returning an empty string when the secret is malformed. Each mtproto
// client carries its own domain inside its secret, so healing preserves it
// instead of forcing every client onto the inbound-level default.
func mtprotoSecretDomain(secret string) string {
s := secret
if strings.HasPrefix(s, "ee") || strings.HasPrefix(s, "dd") {
s = s[2:]
}
if len(s) <= 32 {
return ""
}
decoded, err := hex.DecodeString(s[32:])
if err != nil || len(decoded) == 0 {
return ""
}
return string(decoded)
}
// HealMtprotoClientSecrets normalises every client's FakeTLS secret in an
// mtproto inbound's settings JSON: each secret is rebuilt so it stays a valid
// FakeTLS value, keeping the client's own embedded domain when present and
// falling back to the inbound-level fakeTlsDomain otherwise. Returns the
// rewritten settings and true when anything changed.
func HealMtprotoClientSecrets(settings string) (string, bool) {
if settings == "" {
return settings, false
}
var parsed map[string]any
if err := json.Unmarshal([]byte(settings), &parsed); err != nil {
return settings, false
}
clients, ok := parsed["clients"].([]any)
if !ok || len(clients) == 0 {
return settings, false
}
defaultDomain, _ := parsed["fakeTlsDomain"].(string)
defaultDomain = strings.TrimSpace(defaultDomain)
changed := false
for _, raw := range clients {
client, ok := raw.(map[string]any)
if !ok {
continue
}
secret, _ := client["secret"].(string)
domain := mtprotoSecretDomain(secret)
if domain == "" {
domain = defaultDomain
}
if domain == "" {
continue
}
expected := "ee" + mtprotoSecretMiddle(secret) + hex.EncodeToString([]byte(domain))
if secret != expected {
client["secret"] = expected
changed = true
}
}
if !changed {
return settings, false
}
out, err := json.MarshalIndent(parsed, "", " ")
if err != nil {
return settings, false
}
return string(out), true
}
// Setting stores key-value configuration settings for the 3x-ui panel.
type Setting struct {
Id int `json:"id" form:"id" gorm:"primaryKey;autoIncrement"`
@@ -603,6 +671,7 @@ type Client struct {
AllowedIPs []string `json:"allowedIPs,omitempty"`
PreSharedKey string `json:"preSharedKey,omitempty"`
KeepAlive int `json:"keepAlive,omitempty"`
Secret string `json:"secret,omitempty" example:"ee1234567890abcdef1234567890abcd7777772e636c6f7564666c6172652e636f6d"` // MTProto FakeTLS secret
Email string `json:"email"` // Client email identifier
LimitIP int `json:"limitIp"` // IP limit for this client
TotalGB int64 `json:"totalGB" form:"totalGB"` // Total traffic limit in GB
@@ -632,6 +701,7 @@ type ClientRecord struct {
AllowedIPs string `json:"allowedIPs" gorm:"column:wg_allowed_ips"`
PreSharedKey string `json:"preSharedKey" gorm:"column:wg_pre_shared_key"`
KeepAlive int `json:"keepAlive" gorm:"column:wg_keep_alive;default:0"`
Secret string `json:"secret" gorm:"column:secret"`
LimitIP int `json:"limitIp" gorm:"column:limit_ip"`
TotalGB int64 `json:"totalGB" gorm:"column:total_gb"`
ExpiryTime int64 `json:"expiryTime" gorm:"column:expiry_time"`
@@ -815,6 +885,7 @@ func (c *Client) ToRecord() *ClientRecord {
AllowedIPs: strings.Join(c.AllowedIPs, ","),
PreSharedKey: c.PreSharedKey,
KeepAlive: c.KeepAlive,
Secret: c.Secret,
}
if c.Reverse != nil {
if b, err := json.Marshal(c.Reverse); err == nil {
@@ -866,6 +937,7 @@ func (r *ClientRecord) ToClient() *Client {
AllowedIPs: splitWireguardAllowedIPs(r.AllowedIPs),
PreSharedKey: r.PreSharedKey,
KeepAlive: r.KeepAlive,
Secret: r.Secret,
}
if r.Reverse != "" {
var rev ClientReverse
@@ -1017,6 +1089,12 @@ func MergeClientRecord(existing *ClientRecord, incoming *ClientRecord) []ClientM
keepSecret("preSharedKey")
}
}
if existing.Secret != incoming.Secret && incoming.Secret != "" {
if incomingNewer || existing.Secret == "" {
existing.Secret = incoming.Secret
keepSecret("secret")
}
}
if existing.AllowedIPs != incoming.AllowedIPs && incoming.AllowedIPs != "" {
if incomingNewer || existing.AllowedIPs == "" {
keep("allowedIPs", existing.AllowedIPs, incoming.AllowedIPs, incoming.AllowedIPs)
@@ -69,3 +69,40 @@ func TestHealMtprotoSecret(t *testing.T) {
t.Fatal("expected no change when fakeTlsDomain is missing")
}
}
func TestHealMtprotoClientSecrets(t *testing.T) {
// An empty client secret is filled from the inbound-level default domain.
in := `{"fakeTlsDomain":"a.com","clients":[{"email":"x","secret":""}]}`
out, changed := HealMtprotoClientSecrets(in)
if !changed {
t.Fatal("expected an empty client secret to be filled")
}
var parsed map[string]any
if err := json.Unmarshal([]byte(out), &parsed); err != nil {
t.Fatalf("healed settings not valid json: %v", err)
}
clients := parsed["clients"].([]any)
got := clients[0].(map[string]any)["secret"].(string)
if !strings.HasPrefix(got, "ee") || !strings.HasSuffix(got, hex.EncodeToString([]byte("a.com"))) {
t.Fatalf("filled client secret malformed: %q", got)
}
// Healing is idempotent once every client secret is valid.
if _, changed2 := HealMtprotoClientSecrets(out); changed2 {
t.Fatal("expected no change for already-valid client secrets")
}
// A client's own embedded domain is preserved even when it differs from the
// inbound-level default (per-client domain fronting).
own := "ee00112233445566778899aabbccddeeff" + hex.EncodeToString([]byte("b.com"))
in3 := `{"fakeTlsDomain":"a.com","clients":[{"email":"y","secret":"` + own + `"}]}`
out3, changed3 := HealMtprotoClientSecrets(in3)
if changed3 {
t.Fatalf("a valid per-client secret must be left untouched, got %q", out3)
}
// No clients array — nothing to heal.
if _, changed4 := HealMtprotoClientSecrets(`{"fakeTlsDomain":"a.com"}`); changed4 {
t.Fatal("expected no change when there are no clients")
}
}