@@ -39,22 +39,36 @@ ENABLE_HYSTERIA2=true
3939# Refs: github.com/shayanb/MoaV/issues/93
4040ENABLE_SS = false
4141ENABLE_WIREGUARD = true
42- # dnstt/Slipstream enabled by default — broader client ecosystem than XDNS
43- # (standalone binaries on 25+ platforms vs FinalMask-aware Xray clients like Happ)
42+ # dnstt/Slipstream/MasterDNS all enabled by default — broader client ecosystem
43+ # than XDNS (standalone binaries on 25+ platforms vs FinalMask-aware Xray clients
44+ # like Happ). All three run in parallel: dns-router fans queries out by subdomain
45+ # suffix (t./s./m.) so they share port 53 with no conflict. Each needs its own
46+ # NS record (DNSTT_SUBDOMAIN / SLIPSTREAM_SUBDOMAIN / MASTERDNS_SUBDOMAIN below).
4447ENABLE_DNSTT = true
4548ENABLE_SLIPSTREAM = true
49+ # MasterDNS - advanced DNS tunnel (ARQ + resolver LB), bundled in MahsaNG v16.
50+ # Adds a container. Coexists with dnstt/Slipstream via dns-router on its own
51+ # subdomain (MASTERDNS_SUBDOMAIN) — no port conflict. Set to false to opt out.
52+ ENABLE_MASTERDNS = true
4653ENABLE_TRUSTTUNNEL = true
4754ENABLE_TELEMT = true
4855ENABLE_AMNEZIAWG = true
4956ENABLE_ADMIN_UI = true
5057ENABLE_CONDUIT = true
5158ENABLE_SNOWFLAKE = true
59+ # GooseRelay - SOCKS5 over Google Apps Script -> this VPS exit (MahsaNG v16).
60+ # Opt-in: adds a container + needs PORT_GOOSE reachable from Google's network.
61+ # The Apps Script forwarder + client are set up by the end user.
62+ ENABLE_GOOSERELAY = false
5263# VLESS+XHTTP+Reality via Xray-core
5364ENABLE_XHTTP = true
5465# XDNS - DNS tunnel via Xray mKCP+FinalMask (modern, per-user auth)
55- # Disabled by default — requires FinalMask-aware client (Happ, Xray CLI)
56- # NOTE: XDNS and dnstt/Slipstream both need port 53. Use `moav switch-dns` to swap.
57- ENABLE_XDNS = false
66+ # Disabled by default — requires FinalMask-aware client (Happ, Xray CLI).
67+ # When enabled, dns-router routes x.<DOMAIN> → xray:5355 alongside dnstt/Slipstream/MasterDNS.
68+ # All four DNS tunnels run simultaneously on port 53 — no `moav switch-dns` needed.
69+ # Requires NS record: x.<DOMAIN> → dns.<DOMAIN> (see DNS Setup Step 5).
70+ # Requires FinalMask-aware client (Happ, Xray CLI) to actually use XDNS.
71+ ENABLE_XDNS = true
5872# Grafana monitoring (requires 2GB+ RAM) — leave unset to be prompted during bootstrap
5973# ENABLE_MONITORING=
6074
@@ -63,7 +77,7 @@ ENABLE_XDNS=false
6377# =============================================================================
6478
6579# sing-box - https://github.com/SagerNet/sing-box/releases
66- SINGBOX_VERSION = 1.12.23
80+ SINGBOX_VERSION = 1.13.12
6781
6882# wstunnel - https://github.com/erebe/wstunnel/releases
6983WSTUNNEL_VERSION = 10.5.5
@@ -94,6 +108,15 @@ TELEMT_VERSION=3.4.11
94108# Tag list: https://repo.or.cz/dnstt.git/tags
95109DNSTT_VERSION = v1.20260501.0
96110
111+ # MasterDNS (advanced DNS tunnel) - https://github.com/masterking32/MasterDnsVPN
112+ # This build matches the MasterDNS component bundled in MahsaNG v16.
113+ MASTERDNS_VERSION = v2026.05.10.180256-27c7e11
114+
115+ # GooseRelay (SOCKS5 over Google Apps Script) - https://github.com/kianmhz/GooseRelayVPN
116+ # v1.7.1 — fully interoperable with the GooseRelay client bundled in MahsaNG v16
117+ # (v1.7.x ↔ v1.6.x wire/config compatible per upstream).
118+ GOOSERELAY_VERSION = v1.7.1
119+
97120# Xray-core (VLESS+XHTTP+Reality+XDNS) - https://github.com/XTLS/Xray-core/releases
98121# Built from source for latest FinalMask/XDNS support
99122XRAY_VERSION = v26.5.9
@@ -125,7 +148,10 @@ CLASH_EXPORTER_VERSION=0.0.4
125148# tries Google first (fast for most), then goproxy.cn (not subject to Google's
126149# CDN limits), then direct VCS. Override with your own Athens mirror or set to
127150# "https://proxy.golang.org,direct" to force Google-only.
128- GOPROXY = https://proxy.golang.org|https://goproxy.cn|direct
151+ # Quoted because the value is pipe-separated — without quotes, any script that
152+ # `source`s this file would parse the `|` as shell pipes. Docker Compose strips
153+ # the surrounding quotes when passing it as a build arg.
154+ GOPROXY = " https://proxy.golang.org|https://goproxy.cn|direct"
129155# GOSUMDB=off avoids a second hard dependency on Google's checksum server
130156# (sum.golang.org), which is unreachable from the same networks that get 403s
131157# above. Module integrity is still verified against the go.sum committed in each
@@ -164,7 +190,7 @@ REALITY_PRIVATE_KEY=
164190XHTTP_REALITY_TARGET = dl.google.com:443
165191
166192# =============================================================================
167- # DNS TUNNEL CONFIGURATION (dnstunnel profile: dnstt + Slipstream)
193+ # DNS TUNNEL CONFIGURATION (dnstunnel profile: dnstt + Slipstream + MasterDNS )
168194# =============================================================================
169195
170196# Subdomain for dnstt DNS tunnel (NS record must point to this server)
@@ -175,6 +201,12 @@ DNSTT_SUBDOMAIN=t
175201# Full tunnel domain: ${SLIPSTREAM_SUBDOMAIN}.${DOMAIN} (e.g., s.example.com)
176202SLIPSTREAM_SUBDOMAIN = s
177203
204+ # Subdomain for MasterDNS tunnel (NS record must point to this server)
205+ # Full tunnel domain: ${MASTERDNS_SUBDOMAIN}.${DOMAIN} (e.g., m.example.com)
206+ # Enabled by default. Shares port 53 with dnstt/Slipstream via dns-router
207+ # (routed by subdomain) — no extra port needed.
208+ MASTERDNS_SUBDOMAIN = m
209+
178210# Subdomain for XDNS tunnel (NS record must point to this server)
179211# Full tunnel domain: ${XDNS_SUBDOMAIN}.${DOMAIN} (e.g., x.example.com)
180212XDNS_SUBDOMAIN = x
@@ -287,16 +319,16 @@ PORT_HTTPS=443 # Reality (VLESS) + Hysteria2 (UDP)
287319PORT_TROJAN = 8443 # Trojan fallback
288320PORT_WIREGUARD = 51820 # WireGuard (UDP)
289321PORT_WSTUNNEL = 8080 # WebSocket tunnel for WireGuard
290- # NOTE: PORT_DNS and PORT_XDNS both default to 53 — only one group can be active
291- PORT_DNS = 53 # dnstt + Slipstream (via dns-router) — enabled by default
292- PORT_XDNS = 5353 # XDNS (direct to xray) — set to 53 if switching to XDNS via `moav switch-dns xdns`
322+ PORT_DNS = 53 # dns-router public port — all DNS tunnels share this (dnstt/Slipstream/MasterDNS/XDNS)
323+ PORT_XDNS = 5356 # xray XDNS secondary host port — dns-router forwards internally to xray:5355
293324PORT_ADMIN = 9443 # Admin dashboard
294325PORT_CDN = 2082 # CDN WebSocket (VLESS+WS)
295326PORT_AMNEZIAWG = 51821 # AmneziaWG (obfuscated WireGuard, UDP)
296327PORT_TRUSTTUNNEL = 4443 # TrustTunnel (HTTP/2 + QUIC)
297328PORT_TELEMT = 993 # Telegram MTProxy (fake-TLS on IMAPS port)
298329PORT_XHTTP = 2096 # XHTTP (VLESS+XHTTP+Reality via Xray-core)
299330PORT_SS = 8388 # Shadowsocks-2022 (only used when ENABLE_SS=true)
331+ PORT_GOOSE = 8444 # GooseRelay exit endpoint (only if ENABLE_GOOSERELAY=true)
300332PORT_GRAFANA = 9444 # Grafana monitoring dashboard
301333
302334# Shadowsocks-2022 cipher (AEAD-2022 family). MoaV runs SS-2022 in multi-user
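Review bot: In the first hunk the comment block above `ENABLE_XDNS` still opens with "Disabled by default" although the new value is `true`, and the FinalMask client requirement is now stated twice (the lines beginning `# Disabled by default` and `# Requires FinalMask-aware client`). Because this turns a tunnel from opt-in to on for every fresh install, the comment should say so and name the opt-out, for example `# Enabled by default — clients need FinalMask support (Happ, Xray CLI); set to false to opt out.`, with the duplicated requirement line dropped. The same default-on choice is made for `ENABLE_MASTERDNS` earlier in the hunk, where the comment does name the opt-out. Each enabled tunnel is one more backend reachable through the shared public port 53, so it would help to add that an operator who has not published the matching NS record should set the flag to `false`.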