- Add firewalld direct rules as alternative to iptables when firewalld is active
- All firewall-cmd rules tagged with -m comment --comment "paqctl" for safe cleanup
- Query-before-add pattern prevents ALREADY_ENABLED errors on re-install
- Add libpcap.so.1 symlink creation for Fedora/RHEL compatibility
- Skip iptables install when firewalld is detected
- Changes apply to both outer installer and embedded management script
microsocks was a standalone SOCKS5 proxy started alongside the GFK
QUIC tunnel but had no awareness of it — traffic went directly to
the internet, bypassing the tunnel entirely. The correct SOCKS5
entry point is the VIO port from tcp_port_mapping, which tunnels
through QUIC to xray's SOCKS5 inbound on the server.
- Remove microsocks startup from both GFK client wrappers
- Fix all SOCKS5 port displays to use VIO port from GFK_PORT_MAPPINGS
- Update health check to validate the actual tunnel SOCKS5 port
- Fix hardcoded port in dashboard status line
- Regenerate client wrapper on update to clean up existing installs
- Remove microsocks install step and SOCKS5 port prompt for GFK
The menu status line showed Port: 8443 for clients because it used the
server-only LISTEN_PORT variable. Clients now show their actual
REMOTE_SERVER address instead.
3x-ui panel installs xray at a non-standard path that paqctl didn't
check, causing it to miss the existing installation and potentially
conflict with the panel. Updated check_xray_installed(), panel process
detection, inline xray checks, and non-systemd start fallbacks.
Escaped braces \{\} inside a character class [...] cause "Invalid
content of \{\}" errors on some bash versions. Curly braces are
literal inside character classes and don't need escaping.
Randomize TCP seq/ack numbers in VIO packets on both client and server
to reduce packet fingerprinting. Fix misleading SOCKS5 port display
when panel is detected but SOCKS5 auto-add didn't complete — previously
showed the panel port (e.g. 443) labeled as SOCKS5.
Ref #27, Fixes#35
GFK Linux clients had zero iptables rules, leaving the VIO client port
(default 40000) unprotected. The kernel's conntrack could drop incoming
VIO packets as INVALID, and the TCP stack would send RST responses to
the crafted VIO packets.
Added NOTRACK + INPUT DROP + RST DROP rules for GFK_VIO_CLIENT_PORT in:
- _apply_firewall() / _remove_firewall() in embedded script
- Outer install flow (replaces "no firewall rules needed")
- start-both.sh service startup script
- Add GFK_SOCKS_PORT, GFK_SOCKS_VIO_PORT, XRAY_PANEL_DETECTED to
save_settings() and _load_settings() across all script locations
- Status menu labels mappings as (panel)/(SOCKS5) when panel detected
- Status shows server-side and client-side proxy ports clearly
- Install summary CLIENT CONNECTION INFO box now shows which port
is SOCKS5 proxy vs panel, so users know exactly what to configure
When a server has an existing xray panel (3x-ui, Marzban), paqctl now
adds a SOCKS5 inbound on a free port (10443+) instead of skipping xray
setup entirely. This gives users two connections automatically:
- Panel mapping (e.g. 14000:443) for server-to-server panel traffic
- SOCKS5 mapping (e.g. 14001:10443) for direct proxy from Windows/Mac
Updates README with Setup A (server-to-server) and Setup B (direct
client) guides in both English and Farsi.
When an existing xray panel is detected, skip SOCKS5 setup entirely
since GFK is a raw TCP forwarder that works with any service on the
target port. Warn users to configure Iran panel outbound accordingly.
- Detect existing xray panel and skip SOCKS5 installation
- Check all target ports in multi-port mappings and report status
- Show clear ACTION REQUIRED warnings for Iran panel configuration
- Panel-aware install summary (not misleading SOCKS5 message)
- Clean up legacy standalone gfk-socks on reconfigure/uninstall
- Use ss -tln (not -tlnH) for broader iproute2 compatibility
- Add step-by-step panel setup guide in English and Farsi to README
Add iptables raw table NOTRACK rules for the VIO port, matching
what Paqet already has. Without NOTRACK, conntrack tracks the
crafted TCP packets which can cause them to be dropped by
hypervisor bridge netfilter (e.g. Proxmox).
Added to: boot script, _apply_firewall, _remove_firewall, and
install section.
Ref #27
When curl fails (common in restricted networks), automatically
fallback to wget with retries. Also:
- Increased timeout from 120s to 180s
- Added 3 retries with 5s delay for curl
- Added 3 tries for wget
- Show helpful manual download instructions on failure
OpenVZ containers use a different route format:
- Standard: "default via 192.168.1.1 dev eth0"
- OpenVZ: "default dev venet0 scope link"
The old code used awk '{print $5}' which returned "link" instead
of "venet0" on OpenVZ, causing the script to fail silently when
trying to get IP info from a non-existent "link" interface.
Changes:
- Parse route format to detect "via" vs "dev" patterns
- Use appropriate awk field based on route type
- Validate detected interface exists before using it
- Handle OpenVZ having no gateway (no "via" in route)
- Wrap IP detection pipeline in subshell with || true
Adds support for custom TCP flags (local_flag, remote_flag) in paqet backend:
- Added to config.yaml generation with YAML array format ["PA"]
- Added to Change configuration menu with clear instructions
- Valid flags: S(SYN) A(ACK) P(PSH) R(RST) F(FIN) U(URG) E(ECE) C(CWR)
- Supports multiple values: PA,A (tries PA first, then A)
- Input validation prevents invalid flags
Fixes#21
The script uses 'set -eo pipefail' which causes grep to exit the script
silently when no matches are found (grep returns exit code 1).
Root cause: When a system only has loopback interface (lo), the command
grep -vE '^(lo|docker...)' returns exit 1 (no matches)
With pipefail, this causes the entire pipeline to fail, and with set -e,
the script exits silently without any error message.
Fix: Wrap grep commands in { grep ... || true; } to prevent pipeline
failures when grep finds no matches.
Affected functions:
- detect_network() in outer installer script
- detect_network() in embedded management script
- Network detection in settings menu
Fixes#25
- Correct description: KCP over raw TCP packets with custom flags (not UDP)
- Add paqetNG Android client link to README and TUI About section
- Thanks to paqet creator for the correction
- Bump PAQET_VERSION_PINNED to v1.0.0-alpha.14 in paqctl.sh (both outer and embedded scripts)
- Update Windows client version in paqet-client.ps1
- Update all version references in README.md (English and Farsi)
- Add ARM 32-bit (armv7) architecture support to detect_arch functions
- Update README platform tables to include ARM 32-bit downloads
The embedded heredoc script (installed to /usr/local/bin/paqctl) was calling
detect_network but the function was only defined in the outer installer script.
This caused "command not found" errors when adding paqet alongside gfw-knocker.
Add GFK_TCP_FLAGS setting to allow customizing TCP flags used in
violated TCP packets. This addresses cases where different flag
combinations (e.g. 'S', 'RA') may work better for certain networks.
Changes:
- Add tcp_flags parameter to vio_server.py and vio_client.py
- Add GFK_TCP_FLAGS to settings save/load with validation
- Add TCP flags menu option in change config for both server/client
- Default remains 'AP' for backwards compatibility
Validation: Only uppercase TCP flags allowed (F,S,R,P,A,U,E,C)
Removed the misleading "Both backends remain installed" line from the
switch_backend confirmation dialog. The remaining messages "Stop X"
and "Start Y" already clearly explain what happens.
The start-both.sh script was sourcing paqctl.conf which doesn't exist.
Changed to settings.conf where LISTEN_PORT and GFK_VIO_PORT are saved.
This caused iptables rules to always use default ports (8443/45000)
even when user configured different ports, resulting in port mismatch.
Debian Trixie and other newer distros use nftables by default
and don't have iptables installed. Add iptables to dependency
check so it gets installed automatically during setup.
Reported-by: @Shaheding
Windows client (paqet-client.ps1):
- Added Update-Paqet function with version tracking
- Added Get-InstalledPaqetVersion and Save-PaqetVersion helpers
- Creates backup before updating, restores on failure
- Added menu option 7 for update, moved About to option 8
All platforms:
- Switched paqet binary downloads from SamNet-dev/paqctl to hanselime/paqet
- Updated paqctl.sh PAQET_REPO to hanselime/paqet
- Updated README.md download URLs to hanselime/paqet
- Users now get paqet updates directly from upstream source
- Allows paqctl script releases without affecting paqet binary updates
- Fix health check to detect both tagged and untagged iptables rules
- Add missing RST DROP rule to install wizard (prevents kernel interference)
- Add missing IPv6 rules to boot script and install wizard
- Add iptables existence check in install wizard with warning
- Improve status display to show partial firewall state
- Use local variables with defaults for robustness
The health check was failing because it looked for untagged rules while
_apply_firewall() adds rules with -m comment --comment "paqctl" tag.
Now checks for both variants for backwards compatibility.
- Update README.md download URLs to match actual release filenames
- Add tar extraction commands for .tar.gz files
- Fix repository links from /paqet to /paqctl
Features:
- Dual backend support: paqet (KCP) and GFW-knocker (violated TCP + QUIC)
- Both backends can run simultaneously when both are installed
- Automatic config.yaml generation for paqet backend
- Windows client support with PowerShell script
- Telegram monitoring integration
- Systemd service management
Backends:
- paqet: Single Go binary with built-in SOCKS5 (port 1080)
- GFW-knocker: Python-based with violated TCP tunneling (port 14000)
