
Commit 40b6c19

Merge pull request #103 from shayanb/dev
v1.8.0 — Full MahsaNG v16, parallel DNS tunnels, V2Ray subscription, and low-RAM hardening
2 parents ce73f51 + abf81fb commit 40b6c19

53 files changed

Lines changed: 3361 additions & 455 deletions


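--- a/.env.example
+++ b/.env.example
@@ -39,22 +39,36 @@ ENABLE_HYSTERIA2=true
 # Refs: github.com/shayanb/MoaV/issues/93
 ENABLE_SS=false
 ENABLE_WIREGUARD=true
-# dnstt/Slipstream enabled by default — broader client ecosystem than XDNS
-# (standalone binaries on 25+ platforms vs FinalMask-aware Xray clients like Happ)
+# dnstt/Slipstream/MasterDNS all enabled by default — broader client ecosystem
+# than XDNS (standalone binaries on 25+ platforms vs FinalMask-aware Xray clients
+# like Happ). All three run in parallel: dns-router fans queries out by subdomain
+# suffix (t./s./m.) so they share port 53 with no conflict. Each needs its own
+# NS record (DNSTT_SUBDOMAIN / SLIPSTREAM_SUBDOMAIN / MASTERDNS_SUBDOMAIN below).
 ENABLE_DNSTT=true
 ENABLE_SLIPSTREAM=true
+# MasterDNS - advanced DNS tunnel (ARQ + resolver LB), bundled in MahsaNG v16.
+# Adds a container. Coexists with dnstt/Slipstream via dns-router on its own
+# subdomain (MASTERDNS_SUBDOMAIN) — no port conflict. Set to false to opt out.
+ENABLE_MASTERDNS=true
 ENABLE_TRUSTTUNNEL=true
 ENABLE_TELEMT=true
 ENABLE_AMNEZIAWG=true
 ENABLE_ADMIN_UI=true
 ENABLE_CONDUIT=true
 ENABLE_SNOWFLAKE=true
+# GooseRelay - SOCKS5 over Google Apps Script -> this VPS exit (MahsaNG v16).
+# Opt-in: adds a container + needs PORT_GOOSE reachable from Google's network.
+# The Apps Script forwarder + client are set up by the end user.
+ENABLE_GOOSERELAY=false
 # VLESS+XHTTP+Reality via Xray-core
 ENABLE_XHTTP=true
 # XDNS - DNS tunnel via Xray mKCP+FinalMask (modern, per-user auth)
-# Disabled by default — requires FinalMask-aware client (Happ, Xray CLI)
-# NOTE: XDNS and dnstt/Slipstream both need port 53. Use `moav switch-dns` to swap.
-ENABLE_XDNS=false
+# Disabled by default — requires FinalMask-aware client (Happ, Xray CLI).
+# When enabled, dns-router routes x.<DOMAIN> → xray:5355 alongside dnstt/Slipstream/MasterDNS.
+# All four DNS tunnels run simultaneously on port 53 — no `moav switch-dns` needed.
+# Requires NS record: x.<DOMAIN> → dns.<DOMAIN> (see DNS Setup Step 5).
+# Requires FinalMask-aware client (Happ, Xray CLI) to actually use XDNS.
+ENABLE_XDNS=true
 # Grafana monitoring (requires 2GB+ RAM) — leave unset to be prompted during bootstrap
 #ENABLE_MONITORING=
 
@@ -63,7 +77,7 @@ ENABLE_XDNS=false
 # =============================================================================
 
 # sing-box - https://github.com/SagerNet/sing-box/releases
-SINGBOX_VERSION=1.12.23
+SINGBOX_VERSION=1.13.12
 
 # wstunnel - https://github.com/erebe/wstunnel/releases
 WSTUNNEL_VERSION=10.5.5
@@ -94,6 +108,15 @@ TELEMT_VERSION=3.4.11
 # Tag list: https://repo.or.cz/dnstt.git/tags
 DNSTT_VERSION=v1.20260501.0
 
+# MasterDNS (advanced DNS tunnel) - https://github.com/masterking32/MasterDnsVPN
+# This build matches the MasterDNS component bundled in MahsaNG v16.
+MASTERDNS_VERSION=v2026.05.10.180256-27c7e11
+
+# GooseRelay (SOCKS5 over Google Apps Script) - https://github.com/kianmhz/GooseRelayVPN
+# v1.7.1 — fully interoperable with the GooseRelay client bundled in MahsaNG v16
+# (v1.7.x ↔ v1.6.x wire/config compatible per upstream).
+GOOSERELAY_VERSION=v1.7.1
+
 # Xray-core (VLESS+XHTTP+Reality+XDNS) - https://github.com/XTLS/Xray-core/releases
 # Built from source for latest FinalMask/XDNS support
 XRAY_VERSION=v26.5.9
@@ -125,7 +148,10 @@ CLASH_EXPORTER_VERSION=0.0.4
 # tries Google first (fast for most), then goproxy.cn (not subject to Google's
 # CDN limits), then direct VCS. Override with your own Athens mirror or set to
 # "https://proxy.golang.org,direct" to force Google-only.
-GOPROXY=https://proxy.golang.org|https://goproxy.cn|direct
+# Quoted because the value is pipe-separated — without quotes, any script that
+# `source`s this file would parse the `|` as shell pipes. Docker Compose strips
+# the surrounding quotes when passing it as a build arg.
+GOPROXY="https://proxy.golang.org|https://goproxy.cn|direct"
 # GOSUMDB=off avoids a second hard dependency on Google's checksum server
 # (sum.golang.org), which is unreachable from the same networks that get 403s
 # above. Module integrity is still verified against the go.sum committed in each
@@ -164,7 +190,7 @@ REALITY_PRIVATE_KEY=
 XHTTP_REALITY_TARGET=dl.google.com:443
 
 # =============================================================================
-# DNS TUNNEL CONFIGURATION (dnstunnel profile: dnstt + Slipstream)
+# DNS TUNNEL CONFIGURATION (dnstunnel profile: dnstt + Slipstream + MasterDNS)
 # =============================================================================
 
 # Subdomain for dnstt DNS tunnel (NS record must point to this server)
@@ -175,6 +201,12 @@ DNSTT_SUBDOMAIN=t
 # Full tunnel domain: ${SLIPSTREAM_SUBDOMAIN}.${DOMAIN} (e.g., s.example.com)
 SLIPSTREAM_SUBDOMAIN=s
 
+# Subdomain for MasterDNS tunnel (NS record must point to this server)
+# Full tunnel domain: ${MASTERDNS_SUBDOMAIN}.${DOMAIN} (e.g., m.example.com)
+# Enabled by default. Shares port 53 with dnstt/Slipstream via dns-router
+# (routed by subdomain) — no extra port needed.
+MASTERDNS_SUBDOMAIN=m
+
 # Subdomain for XDNS tunnel (NS record must point to this server)
 # Full tunnel domain: ${XDNS_SUBDOMAIN}.${DOMAIN} (e.g., x.example.com)
 XDNS_SUBDOMAIN=x
@@ -287,16 +319,16 @@ PORT_HTTPS=443 # Reality (VLESS) + Hysteria2 (UDP)
 PORT_TROJAN=8443 # Trojan fallback
 PORT_WIREGUARD=51820 # WireGuard (UDP)
 PORT_WSTUNNEL=8080 # WebSocket tunnel for WireGuard
-# NOTE: PORT_DNS and PORT_XDNS both default to 53 — only one group can be active
-PORT_DNS=53 # dnstt + Slipstream (via dns-router) — enabled by default
-PORT_XDNS=5353 # XDNS (direct to xray) — set to 53 if switching to XDNS via `moav switch-dns xdns`
+PORT_DNS=53 # dns-router public port — all DNS tunnels share this (dnstt/Slipstream/MasterDNS/XDNS)
+PORT_XDNS=5356 # xray XDNS secondary host port — dns-router forwards internally to xray:5355
 PORT_ADMIN=9443 # Admin dashboard
 PORT_CDN=2082 # CDN WebSocket (VLESS+WS)
 PORT_AMNEZIAWG=51821 # AmneziaWG (obfuscated WireGuard, UDP)
 PORT_TRUSTTUNNEL=4443 # TrustTunnel (HTTP/2 + QUIC)
 PORT_TELEMT=993 # Telegram MTProxy (fake-TLS on IMAPS port)
 PORT_XHTTP=2096 # XHTTP (VLESS+XHTTP+Reality via Xray-core)
 PORT_SS=8388 # Shadowsocks-2022 (only used when ENABLE_SS=true)
+PORT_GOOSE=8444 # GooseRelay exit endpoint (only if ENABLE_GOOSERELAY=true)
 PORT_GRAFANA=9444 # Grafana monitoring dashboard
 
 # Shadowsocks-2022 cipher (AEAD-2022 family). MoaV runs SS-2022 in multi-user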
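Review bot: The comment on new line 66 still reads `# Disabled by default` although new line 71 now sets `ENABLE_XDNS=true`, and new line 70 repeats the FinalMask requirement already stated on line 66. An operator who reads this block to decide what the host exposes is told the opposite of what the template does. I would replace line 66 with `# Enabled by default — set to false to opt out. Clients must be FinalMask-aware (Happ, Xray CLI).` and drop line 70. With XDNS and MasterDNS both switched on here, a fresh install from this template runs two more tunnel services behind port 53 than before, which deserves one explicit line next to the toggles. Separately, new line 323 keeps a host-published `PORT_XDNS=5356` even though dns-router is described as forwarding internally to xray:5355; if nothing outside the host needs that port (not visible from this file), the comment should say why it is published or note that it can be left unbound.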

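--- a/.gitignore
+++ b/.gitignore
@@ -83,6 +83,21 @@ configs/slipstream/key.pem
 # Telegram MTProxy (telemt) generated files
 configs/telemt/config.toml
 
+# MasterDNS generated files (server_config.toml, server.domain, keys, …).
+# Ignore everything bootstrap/entrypoint writes here; keep only .gitkeep.
+configs/masterdns/*
+!configs/masterdns/.gitkeep
+
+# GooseRelay generated files (server_config.json, …). Keep .gitkeep and the
+# vendored Apps Script template; ignore everything else generated at runtime.
+configs/gooserelay/*
+!configs/gooserelay/.gitkeep
+!configs/gooserelay/Code.gs.template
+
+# Conduit lifetime rules — runtime-rewritten by update-conduit-offsets.sh.
+# Materialized from the committed .template on first monitoring start.
+configs/monitoring/conduit_lifetime.rules.yml
+
 # DNS router
 configs/dns-router/
 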