Skip to content

Releases: SamNet-dev/paqctl

v1.1.0 - Supercharged Performance, Universal Cross-Platform Hardening & Self-Healing Watchdog

Choose a tag to compare

@SamNet-dev SamNet-dev released this 11 Jul 19:28

🚀 What's New in v1.1.0

This major release (v1.1.0) brings supercharged kernel & network performance tuning, universal self-healing watchdog automation, v2 multi-part URI configuration sharing, and exhaustive cross-platform hardening across both Linux servers/clients and Windows 10/11 devices. Every subsystem has undergone a 100% line-by-line audit to eliminate race conditions, edge case exceptions, and init system dependencies.


✨ High-Octane Performance & Network Supercharging

1. 🏎️ Paqet v1.1.0 KCP Profiles & Dual-Mode TCP Tuning

  • 6 Tuned KCP Profiles: Interactive selection across specialized transmission profiles (standard, fast, fast2, fast3, gaming, bulk) directly inside paqctl menu o and Windows setup (Option 3).
  • Direct TCP Flag Tuning: Full support for custom TCP local and remote flags (--tcp / tcp_flags), enabling custom flag combinations (AP for ACK+PSH, AS for ACK+SYN) for maximum DPI evasion and packet bypass.
  • Smart MTU Auto-Discovery: Automated ICMP path MTU sensing across both Linux (detect_optimal_mtu) and Windows (Find-OptimalMtu) with intelligent fallback (-M do vs -D on ping, plus universal multi-language $LASTEXITCODE parsing on PowerShell).

2. ⚡ Universal Kernel & Open File Limit Expansion

  • Automated Open File Expansion: Automatically generates /etc/security/limits.d/99-paqctl.conf and applies ulimit -n 1048576 alongside systemd service definitions (LimitNOFILE=1048576), ensuring maximum connection concurrency and zero Too many open files (EMFILE) bottlenecks across both systemd hosts and minimal containerized kernels (Docker, LXC, OpenVZ).

🛡️ Universal Self-Healing & Init System Independence

1. 🩺 Universal Self-Healing Watchdog (paqctl watchdog check)

  • Systemd & Non-Systemd Auto-Recovery: Added intelligent init environment sensing (manage_watchdog). On systemd environments, deploys paqctl-watchdog.timer (checked every 60s). On non-systemd environments (Alpine Linux OpenRC, SysVinit, Docker containers), automatically configures /etc/cron.d/paqctl-watchdog (* * * * * root paqctl watchdog check >/dev/null 2>&1) for zero-dependency auto-healing.
  • Real-Time Telegram Alerts: Instant notifications dispatched whenever the watchdog detects a service failure and triggers automatic recovery.

2. 🔥 Preemptive Firewall Precedence & Universal Persistence

  • Top-Priority Rule Injection (-I 1): All raw (NOTRACK) and mangle (RST DROP) firewall rules across _apply_firewall and install_systemd_service are now inserted at index 1 (-I 1). This guarantees proxy packet interception takes priority over Docker DOCKER-USER chains, UFW, and conntrack rules.
  • Universal Multi-Distro Persistence: Consolidated all firewall saving logic into persist_iptables_rules, supporting firewalld, Alpine OpenRC (/etc/init.d/iptables save), nftables (/etc/nftables.conf), netfilter-persistent, and /etc/sysconfig/iptables.

🌐 v2 Multi-Part URI Sharing & Copy-Paste Resiliency

1. 🔗 Shareable v2 URI Support (paqet://... & gfk://...)

  • Full v2 Format Support: Export and import both 8-part (paqet://ip|port|key|socks|mode|fwd_port|fwd_target|profile) and 9-part (paqet://...|kcp_profile) base64 URI strings across Linux and Windows clients with 100% round-trip variable preservation.
  • Automatic Network Sensing on Import: When importing a shareable URI string on a new Linux device (import_config_string), paqctl dynamically detects INTERFACE, LOCAL_IP, and GATEWAY_MAC to generate a production-ready config.yaml without prompt friction.

2. 📋 Copy-Paste & Base64 Sanitization

  • URL-Safe Base64 Normalization: Both paqctl.sh and paqet-client.ps1 automatically sanitize pasted base64 strings (- and _ to + and /), auto-append missing = padding, and safely fall back across base64 -D and base64 -d to prevent decoding crashes from truncated or chat-formatted text.

🔒 Process Management & Edge Case Hardening

  • Multiprocess Exception Safety (quic_client.py & quic_server.py): Replaced unsafe asyncio.create_task(writer.drain()) with exception-safe _safe_writer_drain(writer), cleanly catching ConnectionResetError and BrokenPipeError during high-throughput stream closures.
  • SIGINT / SIGTERM Signal Trapping (quic_client.py): Added explicit signal interception (handle_shutdown) to quic_client.py's parent loop, terminating child tunnel processes cleanly when stopped by systemd or orchestrators (mainclient.py). Eliminates infinite while True: respawn loops and orphaned socket binding (EADDRINUSE / WinError 10048).
  • Scapy Empty Payload Safety (vio_client.py & vio_server.py): Added strict layer checks (packet.haslayer(Raw) / hasattr(packet[TCP], 'load')) before payload extraction, preventing fatal AttributeError crashes when empty TCP keepalives, window probes, or pure ACKs arrive on raw sockets.
  • Windows 11 24H2 & Minimal Linux Compatibility: Upgraded mainclient.py and mainserver.py process cleanup to use PowerShell Get-CimInstance (handling Windows 11 24H2 where wmic is removed by default) and added killall fallback when pkill is absent on lightweight containers.
  • Canonical Process & Status Checks (paqctl.sh & paqet-client.ps1): Eliminated function overwriting (is_running) and upgraded get_main_pid() to query /run/paqctl.pid and systemctl show -p MainPID on Linux. On Windows, upgraded Stop-GfkClient and Get-ClientStatus to monitor and cleanly terminate all child GFK Python processes (mainclient, quic_client, vio_client), reporting real-time status and SOCKS5 proxy (127.0.0.1:14000).
  • Path Hardening: Added explicit export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH" across all installer headers and embedded wrapper scripts (/usr/local/bin/paqctl), guaranteeing reliable execution inside non-interactive cron jobs and restricted init containers.

v1.0.1 - Comprehensive Feature Expansion & Stability Release

Choose a tag to compare

@SamNet-dev SamNet-dev released this 07 Jul 17:02

🚀 What's New in v1.0.1

This release transforms paqctl into a full-featured, zero-risk proxy management toolkit with powerful live monitoring, advanced security controls, automated diagnostics, and quality-of-life improvements across both Linux and Windows.


✨ New Features

1. 📊 Diagnostics & Live Monitoring (Zero-Risk)

  • Active Client Monitor (sudo paqctl monitor | Menu c): Real-time interactive dashboard showing active connection counts, established proxy tunnels (ss/netstat), and unique client IP addresses.
  • Speed & Bandwidth Test (sudo paqctl speedtest | Menu t / Win 11): Built-in server bandwidth benchmarking using Ookla Speedtest CLI, Python speedtest-cli, or Cloudflare HTTP download fallback.
  • DNS Leak & Proxy Routing Check (sudo paqctl routing | Menu r / Win 10): Instant verification of SOCKS5 tunnel routing and external DNS resolver leak detection.

2. 🛡️ Security & Access Control

  • IP Ban & Allowlist Manager (sudo paqctl ban <ip> / unban <ip> | Menu f): Interactive firewall manager to drop unwanted traffic or abusive IPs using firewalld and iptables rules.
  • One-Click Key Rotation (sudo paqctl rotate-key | Menu k): Instantly generate and apply a new cryptographic secret key or GFK auth code, automatically updating server configurations and restarting background services without downtime.

3. 🛠️ Maintenance & Quality of Life (QoL)

  • System Cleanup & Cache Flush (sudo paqctl cleanup | Menu l / Win 13): Safe system maintenance tool that vacuums old systemd journal logs, clears temporary proxy artifacts, and flushes OS memory caches.
  • One-String Config Import & Export (sudo paqctl export / import | Menu e/m / Win 12): Share connection configurations as a single encoded URI string (paqet://... or gfk://...). Clients can import this string on Windows or Linux for instant, zero-error setup.
  • Boot Auto-Start Toggle (sudo paqctl enable / disable | Menu b): Easily enable or disable systemd boot persistence from the interactive menu.

🐛 Bug Fixes & Stability Improvements

  • Pipeline Resilience (set -eo pipefail Protection): Fixed premature script exits when network monitoring commands (ss / netstat) return zero established connections or empty grep results.
  • Config Import Auto-Creation: Fixed an edge case during string import where missing config.yaml files would cause sed errors; clean configuration files are now automatically generated on fresh installs.
  • Service State Handling During Key Rotation: Protected service restart calls so rotating keys does not fail if background proxy services were previously stopped.
  • Windows Speed Test Error Handling: Added try/catch wrappers around PowerShell curl.exe invocations to gracefully handle offline or disconnected proxy states during bandwidth tests.
  • Robust YAML Regex Parsing: Improved regular expression matching in Windows client scripts to reliably parse double-quoted, single-quoted, and unquoted YAML configuration strings.
  • Documentation & Localization: Synchronized English and Persian README guides and interactive menu banners across Linux and Windows to reflect version v1.0.1.