MCPcopy Index your code
hub / github.com/9seconds/mtg

github.com/9seconds/mtg @v2.2.8

repository ↗ · DeepWiki ↗ · release v2.2.8 ↗ · Ask this repo → · + Follow
1,325 symbols 4,648 edges 213 files 144 documented · 11% updated 24d agov2.2.8 · 2026-04-07★ 3,60515 open issues
README

mtg

Highly-opinionated (ex-bullshit-free) MTPROTO proxy for Telegram.

CI codecov Go Reference

If you use v1.0 or upgrade broke you proxy, please read the chapter Version 2

If you want to have a proxy that supports adtag (possibility to promote a channel with a special Telegram bot), I recommend to use telemt project. v1 of mtg supports it but I do not see any reasonable point of using it: adtag requires communication via a fragile set of middle proxies, requires complex setup that must expose a public IPs, has lower bandwidth and latency.

mtg idea is simple: minimal unbloated proxy that can handle a reasonable scale ~10-20k simultaneous connections, has no user management, but ticks all checkboxes related to its main intent: provide a way to use Telegram.

Rationale

There are several available proxies for Telegram MTPROTO available. Here are the most notable:

You can use any of these. They work great and all implementations have feature parity now. This includes support of adtag, replay attack protection, domain fronting, faketls, and so on. mtg has a similar goal: to give a possibility to connect to Telegram in a restricted, censored environment. But it does it slightly differently in details that probably matter.

  • Domain fronting

For years mtg supports domain fronting. This technique means that it fallbacks to accessing a real website in case if request fails. It could fail by many reasons: anti-replay protection, accidental access to the webserver or stale request. Anyway, if mtg rejects this request, it does not break a connection. It connects to the websites and replicates everything that client has sent, and simply proxies it back as is. Users will see a response from the real website, byte-to-byte identical to the response of the real netloc.

  • Doppelganger

mtg also is a doppelganger of the website it fronts. Sure, with domain fronting users will see replies of the real website in case if something will go wrong. But what about such cases when everything is fine?

In that case mtg mimics TLS connection statistical characteristics as close as possible. Different application have different statistics of their patterns. Big CDN steadily pumping the data, small websites burst with short easily compressiable chunks of traffic.

mtg artificially emulates those delays to be statistically indistinguishable from the real website even if it covers connection of the very specific app. It also follows 2 most common patterns of traffic chunking, so censors will have to put more resources to find out that we have Telegram here but not a hookah webshop served by nginx.

  • Resource-efficient

It has to be resource-efficient. It does not mean that you will see the smallest memory usage. It means that it will try to use allocated resources in zero-waste mode, reusing as much memory as possible and so on.

  • Easily deployable

I strongly believe that Telegram proxies should follow the way of ShadowSocks: promoted channels is a strange way of doing business I suppose. I think the only viable way is to have a proxy that can be restored anywhere easily.

  • Supports proxy protocol v1/v2

This makes integration with loadbalancers like HAProxy and ELB a first class citizen by supporting their commuication protocols.

  • A single secret

I think that multiple secrets solve no problems and just complex software. I also believe that in the case of throwout proxies, this the feature is a useless luxury.

This is very controversial topic. Please read rationale (in russian) and use mtg-multi fork if you are disagree with.

  • No adtag support

Please read Version 2 chapter.

  • No management WebUI

This is an implementation of a simple lightweight proxy. I won't do that.

  • Proxy chaining

mtg has the support of SOCKS5 proxies. So, in theory, you can run this proxy as a frontend and route traffic via v2ray, Gost, Trojan, or any other project you like.

  • Native blocklist support

Previously, this was delegated to the FireHOL project or similar ones which track attacks and publish a list of potentially dangerous IPs. mtg has native support of such blocklists.

  • Can be used as a library

mtg v2 was redesigned in a way so it can be embedded into your software (written in Golang) with a minimum effort + you can replace some parts with those you want.

Please also to read about best practices.

Version 2

If you use version 1.x before, you are probably noticed some major backward non-compatible details:

  1. Configuration file
  2. Removed support of adtag

For the configuration file, please check out the full example in this repository. It has a lot of comments and most of the options are optional. We do have only secret and bind-to sections mandatory. Other sections in the example configuration file are filled with default values.

Adtag support was removed completely. This was done to debloat mtg and keep it simple and obvious. Hopefully, this goal is achieved and the source code is clean and straightforward enough.

I always was quite skeptical about adtag. In my POV, a proxy as a fat big connectivity point for hundreds of clients is an illusion. If you work in a censored environment, the first thing that authority does is IP blocking. For us, it means, those big proxies that can benefit from having a pinned channel are going to be blocked in a minute.

Proxy has to be intimate. It has to be shared within a small group as a family or maybe your college friends. It has to have a small number of connections and never publicly announced its presence. It has to fly under the radar. If the proxy is detected, you need to be able to give a rebirth on a new IP address as soon as possible. I do no think that having some special channel for such a use case makes any sense.

But other details like replay attack protection, domain fronting, accurate FakeTLS implementation, IP blacklisting, and proxy chaining matter here. If you work in censored perimeter like GFW-protected country, you probably want to have an MTPROTO proxy as a frontend that transports traffic via cloaked tunnels made by Trojan, Shadowsocks, v2ray, or Gost. That's why you have to have the support of chaining as a first-class citizen.

Yes, this is possible and doable with optional adtag support. But the truth is that the MTPROTO proxy for Telegram is just a thing that either work as a normal client (direct mode) or doing some RPC calls in TL language (adtag support). I understand the intention of the developers and I understand that they were under high pressure fighting with RKN and doing TON after that. Nothing is ideal. But for the proxy, it means that source code is full of complex non-trivial code which is required only to support a feature that we barely need.

So, to have a reasonable MTPROTO proxy, adtag support was removed. This is a rare chance in my career where software v2 debloats a previous version. It feels so good :)

Version 1 and 2

I do continue to support both versions 1 and 2. But in a different mode.

Version 1 is now officially in maintenance mode. It means that I won't make any new features or improvements there. You can consider a feature freeze there. No bugs are going to be fixed there except for critical ones. PRs are welcome though. The goal is to keep it working. It will get some periodical updates like updates to the new Golang version of dependencies version bump, but that's mostly it.

If you want to have mtg with adtag support, please use version 1.

Version 2 is going to have all my love, active support, bug fixing, etc. It is under active development and maintenance.

This project has several main branches

  1. master branch contains a bleeding edge. It may potentially have some features which will break your source code.
  2. stable branch contains dumps of a master branch when we consider it 'stable'. This is a branch you probably want to pick.
  3. v2 has a development of the v2.x version. In theory, it is the same as master but this will change when we have v3.x.
  4. v1 has a version 1.x.

Getting started

Download mise

mtg uses mise to maintain its development dependencies + replaces a make for building things. Please install it first.

Download a tool

Download binaries

Binaries can be downloaded from the release page. Also, you can download docker image.

For the current version, please download like

docker pull nineseconds/mtg:2

For version 1:

docker pull nineseconds/mtg:1

You may also check both Docker Hub and Github Registry. Please do not choose latest or stable if you want to avoid surprises. Always choose some version tag.

Also, if you have go installed, you can always download this tool with go get:

go install github.com/9seconds/mtg/v2@latest

Build from sources

git clone https://github.com/9seconds/mtg.git
cd mtg
mise install
mise tasks run build

or for the docker image:

mise tasks run image

Generate secret

If you already have a secret in Base64 format or that, which starts with ee, you can skip this chapter. Otherwise:

$ mtg generate-secret google.com
7ibaERuTSGPH1RdztfYnN4tnb29nbGUuY29t

or

$ mtg generate-secret --hex google.com
ee473ce5d4958eb5f968c87680a23854a0676f6f676c652e636f6d

equivalent commands with docker:

$ docker run --rm nineseconds/mtg:2 generate-secret google.com
7ibaERuTSGPH1RdztfYnN4tnb29nbGUuY29t

$ docker run --rm nineseconds/mtg:2 generate-secret --hex google.com
ee473ce5d4958eb5f968c87680a23854a0676f6f676c652e636f6d

This secret is a keystone for a proxy and your password for a client. You need to keep it secured.

We recommend choosing a hostname wisely. Here we have a google.com but in reality, all providers can easily detect that this is not a Google. Google has a list of networks it officially uses and your IP address won't probably belong to it. It is a great idea to hide behind some domain that has some relation to this IP address.

For example, you've bought a VPS from Digital Ocean. Then it might be a good idea to generate a secret for digitalocean.com then.

Check configuration

There is a special command for secret verification:

$ mtg doctor /path/to/my/config.toml
Deprecated options
  ✅ All good
Time skewness
  ✅ Time drift is -607.048µs, but tolerate-time-skewness is 5s
Validate native network connectivity
  ✅ DC 1
  ✅ DC 2
  ✅ DC 3
  ✅ DC 4
  ✅ DC 5
  ✅ DC 203
Validate network connectivity with proxy socks5://127.0.0.1:1080
  ✅ DC 1
  ✅ DC 2
  ✅ DC 3
  ✅ DC 4
  ✅ DC 5
  ✅ DC 203
Validate fronting domain connectivity
  ✅ xx.xx.xx.xx:yyy is reachable
Validate SNI-DNS match
  ✅ IP address xx.xx.xx.xx matches secret hostname <REDACTED>

It aims to find out possible inconsistencies and problems with your configuration. It makes sense to run it before executing any relevant commands.

Simple run mode

mtg supports 2 modes: simple and normal. Simple mode allows starting proxy with a small subset of configuration options you usually want to modify. This is quite good for oneliners that you can copy-paste and do not bother about external files whatsoever.

Let's take a look:

```console Usage: mtg simple-run

Run proxy without config file.

Arguments: A host:port to bind proxy to. Proxy secret.

Flags: -h, --help Show context-sensitive help. -v, --version Print version.

-d, --debug Run in debug mode. -c, --concurrency=8192 Max number of concurrent connection to proxy. -b, --tcp-buffer="4KB" Size of TCP buffer to use. -i, --prefer-ip="prefer-ipv6" IP preference. By default we prefer IPv6 with fallback to IPv4. -p, --domain-fronting-port=443 A port to access for domain fronting. -n, --doh-ip=1.1.1.1 IP addr

Extension points exported contracts — how you extend this code

Dialer (Interface)
Dialer defines an interface which is required to bootstrap a network instance from. [11 implementers]
network/init.go
Observer (Interface)
Observer is an instance that listens for the incoming events. As it is said in the package description, the default eve [5 …
events/init.go
Network (Interface)
Network defines a knowledge how to work with a network. It may sound fun but it encapsulates all the knowledge how to pr [5 …
mtglib/init.go
Network (Interface)
copypasted from mtglib [5 implementers]
mtglib/internal/doppel/init.go
StdLikeLogger (Interface)
StdLikeLogger is an interface which is close to [log.Logger]. This is commonly used by many 3pp tools. While mtglib itse [4 …
logger/init.go
File (Interface)
File is an abstraction for a entity that can be opened in some context. [3 implementers]
ipblocklist/files/init.go
CloseableReader (Interface)
CloseableReader is an [io.Reader] interface that can close its reading end. [3 implementers]
essentials/conns.go
FireholUpdateCallback (FuncType)
FireholUpdateCallback defines a signature of the callback that has to be execute when ip list is updated.
ipblocklist/firehol.go

Core symbols most depended-on inside this repo

Get
called by 137
internal/config/type_ip.go
Run
called by 124
mtglib/init.go
T
called by 124
stats/stream_info.go
String
called by 99
ipblocklist/files/init.go
Write
called by 84
mtglib/internal/tls/conn.go
Run
called by 44
mtglib/internal/dc/init.go
Contains
called by 42
mtglib/init.go
StreamID
called by 42
mtglib/init.go

Shape

Method 871
Struct 233
Function 199
Interface 18
FuncType 2
TypeAlias 2

Languages

Go100%

Modules by API surface

mtglib/internal/tls/fake/client_side_test.go55 symbols
mtglib/conns_internal_test.go45 symbols
mtglib/init.go28 symbols
mtglib/events.go22 symbols
mtglib/internal/tls/utils_test.go18 symbols
stats/statsd_test.go17 symbols
mtglib/conns.go17 symbols
stats/prometheus.go16 symbols
mtglib/proxy_test.go16 symbols
mtglib/internal/doppel/stats_test.go16 symbols
logger/zerolog.go16 symbols
stats/statsd.go15 symbols

Dependencies from manifests, versioned

github.com/OneOfOne/xxhashv1.2.8 · 1×
github.com/alecthomas/unitsv0.0.0-2024092700094 · 1×
github.com/armon/go-socks5v0.0.0-2016090218423 · 1×
github.com/babolivier/go-doh-clientv0.0.0-2020102816210 · 1×
github.com/beevik/ntpv1.5.0 · 1×
github.com/beorn7/perksv1.0.1 · 1×
github.com/cespare/xxhash/v2v2.3.0 · 1×
github.com/d4l3k/messagediffv1.2.1 · 1×
github.com/jarcoal/httpmockv1.0.8 · 1×

For agents

$ claude mcp add mtg \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact