When an existing xray panel is detected, skip SOCKS5 setup entirely
since GFK is a raw TCP forwarder that works with any service on the
target port. Warn users to configure Iran panel outbound accordingly.
- Detect existing xray panel and skip SOCKS5 installation
- Check all target ports in multi-port mappings and report status
- Show clear ACTION REQUIRED warnings for Iran panel configuration
- Panel-aware install summary (not misleading SOCKS5 message)
- Clean up legacy standalone gfk-socks on reconfigure/uninstall
- Use ss -tln (not -tlnH) for broader iproute2 compatibility
- Add step-by-step panel setup guide in English and Farsi to README

Add iptables raw table NOTRACK rules for the VIO port, matching
what Paqet already has. Without NOTRACK, conntrack tracks the
crafted TCP packets which can cause them to be dropped by
hypervisor bridge netfilter (e.g. Proxmox).
Added to: boot script, _apply_firewall, _remove_firewall, and
install section.
Ref #27

VIO server constructed raw TCP packets with IP() which defaults
source IP to 0.0.0.0. Packets get dropped by routers so the
client never receives responses.
Fix: IP(src=vps_ip) to use the configured server IP.
Ref #27

When curl fails (common in restricted networks), automatically
fall back to wget with retries. Also:
- Increased timeout from 120s to 180s
- Added 3 retries with 5s delay for curl
- Added 3 tries for wget
- Show helpful manual download instructions on failure

OpenVZ containers use a different route format:
- Standard: "default via 192.168.1.1 dev eth0"
- OpenVZ: "default dev venet0 scope link"
The old code used awk '{print $5}' which returned "link" instead
of "venet0" on OpenVZ, causing the script to fail silently when
trying to get IP info from a non-existent "link" interface.
Changes:
- Parse route format to detect "via" vs "dev" patterns
- Use appropriate awk field based on route type
- Validate detected interface exists before using it
- Handle OpenVZ having no gateway (no "via" in route)
- Wrap IP detection pipeline in subshell with || true
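
The route parsing this commit describes, as an added example that is not the paqctl code: it finds the interface by the `dev` keyword instead of a fixed awk field, which is a different approach from the per-format field selection listed above. The function names and the `/sys/class/net` existence check are assumptions; the two route lines are the ones quoted in the commit message.

```shell
#!/bin/sh
# Constructed sample lines: the two route formats quoted in the commit message.
STANDARD_ROUTE='default via 192.168.1.1 dev eth0'
OPENVZ_ROUTE='default dev venet0 scope link'

# Print the word that follows a keyword ("dev" or "via"); print nothing if absent.
route_field() {
    printf '%s\n' "$1" | awk -v key="$2" '
        { for (i = 1; i < NF; i++) if ($i == key) { print $(i + 1); exit } }'
}

route_iface()   { route_field "$1" dev; }
route_gateway() { route_field "$1" via; }   # empty on OpenVZ: no "via" in the route

# Hypothetical helper: accept only an interface the kernel actually exposes.
iface_exists() { [ -n "$1" ] && [ -e "/sys/class/net/$1" ]; }

# Read the live default route; a missing `ip` or empty table yields no interface.
detect_default_iface() {
    line=$(ip -4 route show default 2>/dev/null | head -n1) || true
    iface=$(route_iface "$line")
    iface_exists "$iface" && printf '%s\n' "$iface"
}

# Show the old fixed-field result next to the keyword lookup for both formats.
for r in "$STANDARD_ROUTE" "$OPENVZ_ROUTE"; do
    printf 'old $5=%s  iface=%s  gateway=%s\n' \
        "$(printf '%s\n' "$r" | awk '{print $5}')" \
        "$(route_iface "$r")" "$(route_gateway "$r")"
done
detect_default_iface || echo "no usable default interface detected"
```
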
Linux (paqctl.sh):
- Added tcp.local_flag and tcp.remote_flag to paqet config.yaml
- Added to Change configuration menu with clear instructions
- Strict validation: only uppercase FSRPAUEC, comma-separated allowed
- Supports multiple values: PA,A (cycles through patterns)
Windows (paqet-client.ps1):
- Added TCP flags to both paqet and GFK configuration
- Paqet: tcp.local_flag/remote_flag in config.yaml (default: PA)
- GFK: tcp_flags in parameters.py (default: AP)
- Case-sensitive validation (-cnotmatch) with safe defaults
- Clear instructions: flags must match server, only change if admin says so
Verified against official paqet examples:
- Output format exactly matches: local_flag: ["PA"]
- GFK format matches server expectation: tcp_flags = "AP"
- All injection attacks blocked by strict regex validation
Fixes #21

Adds support for custom TCP flags (local_flag, remote_flag) in paqet backend:
- Added to config.yaml generation with YAML array format ["PA"]
- Added to Change configuration menu with clear instructions
- Valid flags: S(SYN) A(ACK) P(PSH) R(RST) F(FIN) U(URG) E(ECE) C(CWR)
- Supports multiple values: PA,A (tries PA first, then A)
- Input validation prevents invalid flags
Fixes #21

The script uses 'set -eo pipefail' which causes grep to exit the script
silently when no matches are found (grep returns exit code 1).
Root cause: When a system only has loopback interface (lo), the command
grep -vE '^(lo|docker...)' returns exit 1 (no matches)
With pipefail, this causes the entire pipeline to fail, and with set -e,
the script exits silently without any error message.
Fix: Wrap grep commands in { grep ... || true; } to prevent pipeline
failures when grep finds no matches.
Affected functions:
- detect_network() in outer installer script
- detect_network() in embedded management script
- Network detection in settings menu
Fixes #25
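
The failure mode and the `|| true` guard from this commit, as an added example that is not the project's code. The filter pattern and interface lists are constructed, and each variant runs in a child `bash` so that `set -eo pipefail` is isolated from the calling shell.

```shell
#!/bin/sh
# Constructed inputs: interface names, one per line.
LOOPBACK_ONLY='lo'
MIXED='lo
eth0
docker0'
# Constructed filter for this demo; the script's own pattern is elided on the page.
FILTER='^(lo|docker[0-9]*)$'

# Unguarded: on a loopback-only host grep -v selects nothing and exits 1,
# pipefail fails the whole pipeline, and set -e ends the script with no message.
run_unguarded() {
    printf '%s\n' "$1" | bash -c '
        set -eo pipefail
        iface=$(grep -vE "$1" | head -n1)
        echo "iface=[$iface]"' _ "$FILTER"
}

# Guarded: { grep ... || true; } turns "no match" into success, so the script
# carries on with an empty value that it can test and report on.
run_guarded() {
    printf '%s\n' "$1" | bash -c '
        set -eo pipefail
        iface=$({ grep -vE "$1" || true; } | head -n1)
        echo "iface=[$iface]"' _ "$FILTER"
}

run_unguarded "$LOOPBACK_ONLY" || echo "unguarded: exited with status $? and printed nothing"
run_guarded "$LOOPBACK_ONLY"
run_guarded "$MIXED"
```
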
- Correct description: KCP over raw TCP packets with custom flags (not UDP)
- Add paqetNG Android client link to README and TUI About section
- Thanks to paqet creator for the correction

- Bump PAQET_VERSION_PINNED to v1.0.0-alpha.14 in paqctl.sh (both outer and embedded scripts)
- Update Windows client version in paqet-client.ps1
- Update all version references in README.md (English and Farsi)
- Add ARM 32-bit (armv7) architecture support to detect_arch functions
- Update README platform tables to include ARM 32-bit downloads

The embedded heredoc script (installed to /usr/local/bin/paqctl) was calling
detect_network but the function was only defined in the outer installer script.
This caused "command not found" errors when adding paqet alongside gfw-knocker.

Add GFK_TCP_FLAGS setting to allow customizing TCP flags used in
violated TCP packets. This addresses cases where different flag
combinations (e.g. 'S', 'RA') may work better for certain networks.
Changes:
- Add tcp_flags parameter to vio_server.py and vio_client.py
- Add GFK_TCP_FLAGS to settings save/load with validation
- Add TCP flags menu option in change config for both server/client
- Default remains 'AP' for backwards compatibility
Validation: Only uppercase TCP flags allowed (F,S,R,P,A,U,E,C)
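
The strict flag check described in this commit and in the two paqet `local_flag`/`remote_flag` commits above, as an added example rather than the project's code. It uses a whole-string `case` match instead of a regex; the function names, the `["PA", "A"]` layout for multiple values and the fallback to `PA` on rejection are assumptions.

```shell
#!/bin/sh
# Accept only comma-separated groups of the flag letters the commits list
# (F S R P A U E C). The match is against the whole string, so lowercase,
# quotes, spaces and embedded newlines are all rejected.
valid_tcp_flags() {
    case $1 in
        ''|*[!FSRPAUEC,]*|,*|*,|*,,*) return 1 ;;
    esac
    return 0
}

# Render a value as a YAML flow sequence: PA,A -> ["PA", "A"].
# Assumption: a rejected value is replaced by the documented default PA,
# so nothing unvalidated is ever written into config.yaml.
yaml_flag_list() {
    valid_tcp_flags "$1" || set -- PA
    printf '["%s"]\n' "$(printf '%s' "$1" | sed 's/,/", "/g')"
}

# Constructed inputs, including one that tries to break out of the YAML string.
for v in 'PA' 'PA,A' 'pa' 'PA,' 'PA"], x: ["'; do
    if valid_tcp_flags "$v"; then s=accepted; else s=rejected; fi
    printf '%-14s %s -> local_flag: %s\n' "$v" "$s" "$(yaml_flag_list "$v")"
done
```
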
Removed the misleading "Both backends remain installed" line from the
switch_backend confirmation dialog. The remaining messages "Stop X"
and "Start Y" already clearly explain what happens.

The start-both.sh script was sourcing paqctl.conf which doesn't exist.
Changed to settings.conf where LISTEN_PORT and GFK_VIO_PORT are saved.
This caused iptables rules to always use default ports (8443/45000)
even when user configured different ports, resulting in port mismatch.

The offline/manual installation section had incorrect config.yaml format:
- Wrong: socks5.port → Correct: socks5[].listen
- Wrong: server.address → Correct: server.addr
- Wrong: transport.mode/key → Correct: transport.kcp.mode/key
- Missing: network.ipv4.addr, network.ipv4.router_mac, log.level
- Wrong command: -config → Correct: run -c
Added instructions for finding local IP and router MAC on each OS.
Fixed both English and Farsi sections.

Add comprehensive step-by-step instructions for users who can't
download from GitHub directly (behind DPI/firewall).
Includes:
- 8 clear steps with examples
- Fill-in-the-blank server info template
- Multiple transfer methods (SCP, USB, SFTP)
- Browser configuration for Firefox/Chrome
- Troubleshooting section
- Note to check releases page for latest version
Both English and Farsi versions included.
Requested-by: @Shaheding

Debian Trixie and other newer distros use nftables by default
and don't have iptables installed. Add iptables to dependency
check so it gets installed automatically during setup.
Reported-by: @Shaheding

Add directory existence checks in New-PaqetConfig and New-GfkConfig
before writing config files. Shows friendly error message instead of
"Could not find a part of the path" exception.
Reported-by: @SamDevApi

Windows client (paqet-client.ps1):
- Added Update-Paqet function with version tracking
- Added Get-InstalledPaqetVersion and Save-PaqetVersion helpers
- Creates backup before updating, restores on failure
- Added menu option 7 for update, moved About to option 8
All platforms:
- Switched paqet binary downloads from SamNet-dev/paqctl to hanselime/paqet
- Updated paqctl.sh PAQET_REPO to hanselime/paqet
- Updated README.md download URLs to hanselime/paqet
- Users now get paqet updates directly from upstream source
- Allows paqctl script releases without affecting paqet binary updates

The simple config format was incorrect - paqet expects the full YAML
structure with role, socks5, network, server, and transport sections.
Added network section with interface, ipv4.addr, and router_mac fields.
Added tips recommending paqctl for automatic network detection.
Fixes #12
Thanks to @pyr0ken for reporting this issue.

- macOS: chmod +x paqet_darwin_amd64
- Linux: chmod +x paqet_linux_amd64
Fixes both English and Persian documentation sections.
Thanks to @FarazFe for identifying this issue (PR #10)

- Fix health check to detect both tagged and untagged iptables rules
- Add missing RST DROP rule to install wizard (prevents kernel interference)
- Add missing IPv6 rules to boot script and install wizard
- Add iptables existence check in install wizard with warning
- Improve status display to show partial firewall state
- Use local variables with defaults for robustness
The health check was failing because it looked for untagged rules while
_apply_firewall() adds rules with -m comment --comment "paqctl" tag.
Now checks for both variants for backwards compatibility.

- Replace Linux-only 'pkill' command with cross-platform solution
- Use 'wmic' and 'taskkill' on Windows to kill existing Python processes
- Add CREATE_NEW_PROCESS_GROUP for proper signal handling on Windows
- Improve shutdown handling for both platforms
Fixes FileNotFoundError: [WinError 2] when starting GFK on Windows.

- Update README.md download URLs to match actual release filenames
- Add tar extraction commands for .tar.gz files
- Fix repository links from /paqet to /paqctl

Features:
- Dual backend support: paqet (KCP) and GFW-knocker (violated TCP + QUIC)
- Both backends can run simultaneously when both are installed
- Automatic config.yaml generation for paqet backend
- Windows client support with PowerShell script
- Telegram monitoring integration
- Systemd service management
Backends:
- paqet: Single Go binary with built-in SOCKS5 (port 1080)
- GFW-knocker: Python-based with violated TCP tunneling (port 14000)