diff --git a/windows/paqet-client.ps1 b/windows/paqet-client.ps1
index 7d11bc9..c2b5996 100644
--- a/windows/paqet-client.ps1
+++ b/windows/paqet-client.ps1
@@ -345,9 +345,21 @@ function Install-Paqet {
 function New-PaqetConfig {
     param(
         [Parameter(Mandatory)][string]$Server,
-        [Parameter(Mandatory)][string]$SecretKey
+        [Parameter(Mandatory)][string]$SecretKey,
+        [string]$TcpLocalFlag = "PA",
+        [string]$TcpRemoteFlag = "PA"
     )
 
+    # Validate TCP flags (uppercase letters F,S,R,P,A,U,E,C, optionally comma-separated)
+    if ($TcpLocalFlag -cnotmatch '^[FSRPAUEC]+(,[FSRPAUEC]+)*$') {
+        Write-Warn "Invalid TCP local flag. Using default: PA"
+        $TcpLocalFlag = "PA"
+    }
+    if ($TcpRemoteFlag -cnotmatch '^[FSRPAUEC]+(,[FSRPAUEC]+)*$') {
+        Write-Warn "Invalid TCP remote flag. Using default: PA"
+        $TcpRemoteFlag = "PA"
+    }
+
     Write-Info "Detecting network..."
     $net = Get-NetworkInfo
     if (-not $net) { return $false }
@@ -360,6 +372,12 @@ function New-PaqetConfig {
         $net.GatewayMAC = Read-Host "  Enter gateway MAC (aa:bb:cc:dd:ee:ff)"
     }
 
+    # Convert comma-separated flags to YAML array format: PA,A -> ["PA", "A"]
+    $localFlagArray = ($TcpLocalFlag -split ',') | ForEach-Object { "`"$_`"" }
+    $remoteFlagArray = ($TcpRemoteFlag -split ',') | ForEach-Object { "`"$_`"" }
+    $localFlagYaml = "[" + ($localFlagArray -join ", ") + "]"
+    $remoteFlagYaml = "[" + ($remoteFlagArray -join ", ") + "]"
+
     $guidEscaped = "\\Device\\NPF_$($net.Guid)"
     $config = @"
 role: "client"
@@ -376,6 +394,9 @@ network:
   ipv4:
     addr: "$($net.IP):0"
     router_mac: "$($net.GatewayMAC)"
+  tcp:
+    local_flag: $localFlagYaml
+    remote_flag: $remoteFlagYaml
 
 server:
   addr: "$Server"
@@ -496,7 +517,8 @@ function New-GfkConfig {
     param(
         [Parameter(Mandatory)][string]$ServerIP,
         [Parameter(Mandatory)][string]$AuthCode,
-        [string]$SocksPort = "1080"
+        [string]$SocksPort = "1080",
+        [string]$TcpFlags = "AP"
     )
 
     # Validate inputs (security: prevent config injection)
@@ -508,6 +530,11 @@ function New-GfkConfig {
         Write-Err "Invalid auth code format"
         return $false
     }
+    # Validate TCP flags (uppercase letters only: F,S,R,P,A,U,E,C)
+    if ($TcpFlags -cnotmatch '^[FSRPAUEC]+$') {
+        Write-Warn "Invalid TCP flags. Using default: AP"
+        $TcpFlags = "AP"
+    }
 
     Write-Info "Detecting network..."
     $net = Get-NetworkInfo
@@ -571,6 +598,9 @@ quic_auth_code = "$AuthCode"
 quic_certificate = "cert.pem"
 quic_private_key = "key.pem"
 
+# TCP flags for violated packets (default: AP = ACK+PSH)
+tcp_flags = "$TcpFlags"
+
 # SOCKS proxy
 socks_port = $SocksPort
 "@
@@ -944,8 +974,19 @@ function Show-Menu {
                     Write-Host ""
                     $server = Read-Host "  Server address (e.g., 1.2.3.4:8443)"
                     $key = Read-Host "  Encryption key (16+ chars)"
+
+                    # Advanced options (hidden by default - just press Enter)
+                    Write-Host ""
+                    Write-Host "  Advanced options (press Enter for defaults - recommended):" -ForegroundColor DarkGray
+                    Write-Host "    TCP flags must match your server config. Only change if server admin says so." -ForegroundColor DarkGray
+                    Write-Host "    Valid flags: S A P R F U E C  |  Multiple: PA,A" -ForegroundColor DarkGray
+                    $tcpLocal = Read-Host "  TCP local flag [PA]"
+                    $tcpRemote = Read-Host "  TCP remote flag [PA]"
+                    if (-not $tcpLocal) { $tcpLocal = "PA" }
+                    if (-not $tcpRemote) { $tcpRemote = "PA" }
+
                     if ($server -and $key) {
-                        if (New-PaqetConfig -Server $server -SecretKey $key) {
+                        if (New-PaqetConfig -Server $server -SecretKey $key -TcpLocalFlag $tcpLocal -TcpRemoteFlag $tcpRemote) {
                             Write-Host ""
                             Write-Host "  Your SOCKS5 proxy: 127.0.0.1:1080" -ForegroundColor Green
                         }
@@ -957,8 +998,17 @@ function Show-Menu {
                     Write-Host ""
                     $server = Read-Host "  Server IP (e.g., 1.2.3.4)"
                     $auth = Read-Host "  Auth code (from server setup)"
+
+                    # Advanced options (hidden by default - just press Enter)
+                    Write-Host ""
+                    Write-Host "  Advanced options (press Enter for defaults - recommended):" -ForegroundColor DarkGray
+                    Write-Host "    TCP flags must match your server config. Only change if server admin says so." -ForegroundColor DarkGray
+                    Write-Host "    Valid flags: S A P R F U E C" -ForegroundColor DarkGray
+                    $tcpFlags = Read-Host "  TCP flags [AP]"
+                    if (-not $tcpFlags) { $tcpFlags = "AP" }
+
                     if ($server -and $auth) {
-                        if (New-GfkConfig -ServerIP $server -AuthCode $auth -SocksPort "14000") {
+                        if (New-GfkConfig -ServerIP $server -AuthCode $auth -SocksPort "14000" -TcpFlags $tcpFlags) {
                             Write-Host ""
                             Write-Host "  Your SOCKS5 proxy: 127.0.0.1:14000" -ForegroundColor Green
                         }