Fallback to server parameter for DNS resolver if not specified

- Implement DnsTransportClient and polling logic
- Implement DnsTransportServer for TXT/NULL record handling
- Add dns_prober to find best public resolvers by region
- Update React GUI (Desktop) to support DNS Proxy and i18n
- Update Flutter App to support DNS Proxy settings
- Update CLI Setup Wizard to generate new v0.3.1 config with dns_transport block
- Add Wiki documentation for DNS Transport

.github/workflows/release.yml

@@ -25,6 +25,10 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
+      - name: Bump version based on tag
+        if: startsWith(github.ref, 'refs/tags/v')
+        run: python scripts/bump_version.py ${{ github.ref_name }}
+
       - name: Setup Rust toolchain
         uses: dtolnay/rust-toolchain@stable
         with:
@@ -44,9 +48,6 @@ jobs:
       - name: Install musl-tools
         run: sudo apt-get update && sudo apt-get install -y musl-tools
 
-      - name: Create dummy dist for rust-embed
-        run: mkdir -p ostp-control/dist && touch ostp-control/dist/index.html
-
       - name: cargo check
         run: cargo check --workspace
 
@@ -141,16 +142,9 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
-      # ── Frontend Build ─────────────────────────────────────────────────────
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: 20
-      - name: Build Web Panel
-        working-directory: ostp-control
-        run: |
-          npm install
-          npm run build
+      - name: Bump version based on tag
+        if: startsWith(github.ref, 'refs/tags/v')
+        run: python scripts/bump_version.py ${{ github.ref_name }}
 
       # ── Rust toolchain ─────────────────────────────────────────────────────
       - name: Setup Rust toolchain
@@ -254,6 +248,10 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - name: Bump version based on tag
+        if: startsWith(github.ref, 'refs/tags/v')
+        run: python scripts/bump_version.py ${{ github.ref_name }}
+
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
@@ -326,6 +324,10 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - name: Bump version based on tag
+        if: startsWith(github.ref, 'refs/tags/v')
+        run: python scripts/bump_version.py ${{ github.ref_name }}
+
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
@@ -388,6 +390,10 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - name: Bump version based on tag
+        if: startsWith(github.ref, 'refs/tags/v')
+        run: python scripts/bump_version.py ${{ github.ref_name }}
+
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
@@ -448,6 +454,10 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - name: Bump version based on tag
+        if: startsWith(github.ref, 'refs/tags/v')
+        run: python scripts/bump_version.py ${{ github.ref_name }}
+
       - name: Setup Java
         uses: actions/setup-java@v3
         with:

CONTRIBUTING.md

@@ -21,8 +21,8 @@ By contributing to this project, you agree to abide by our code of conduct and l
 
 To build and test OSTP locally, you will need:
 
-*   **Rust Toolchain (1.75+)**: Install via [rustup](https://rustup.rs/).
-*   **Node.js (18+) & npm**: Required to build the frontend control panel (`ostp-control`) and compile Tauri GUI resources.
+*   **Rust Toolchain**: Install via [rustup](https://rustup.rs/) (stable channel).
+*   **Node.js (18+) & npm**: Required to compile Tauri GUI resources.
 *   **Git**: For version control.
 
 ### Building the Project
@@ -33,15 +33,7 @@ To build and test OSTP locally, you will need:
     cd ostp
     ```
 
-2.  **Build the control panel frontend**:
-    ```bash
-    cd ostp-control
-    npm install
-    npm run build
-    cd ..
-    ```
-
-3.  **Build the entire Cargo workspace**:
+2.  **Build the entire Cargo workspace**:
     ```bash
     cargo build
     ```
@@ -59,8 +51,7 @@ The repository is organized as a Cargo workspace containing the following crates
 
 *   [`ostp-core/`](file:///d:/ospab-projects/ostp/ostp-core): Core protocol logic, including packet formatting, serialization, selective ACK/NACK (ARQ) state machine, and the Noise protocol (`Noise_NNpsk0_25519_ChaChaPoly_BLAKE2s`) handshake.
 *   [`ostp-client/`](file:///d:/ospab-projects/ostp/ostp-client): Client implementations, including SOCKS5/HTTP local proxies, `tun2socks` integration, native TUN interface routing, and split-tunneling bypass mechanisms.
-*   [`ostp-server/`](file:///d:/ospab-projects/ostp/ostp-server): Server logic, session dispatcher, anti-probing fallback server proxying, access key database, and the REST API for control panel communication.
-*   [`ostp-control/`](file:///d:/ospab-projects/ostp/ostp-control): A modern web dashboard for server administration (user management, real-time metrics, bandwidth limits).
+*   [`ostp-server/`](file:///d:/ospab-projects/ostp/ostp-server): Server logic, session dispatcher, anti-probing fallback server proxying, access key database, and the REST API.
 *   [`ostp-gui/`](file:///d:/ospab-projects/ostp/ostp-gui): Tauri-based desktop GUI application for Windows and Linux.
 *   [`ostp-flutter/`](file:///d:/ospab-projects/ostp/ostp-flutter): Mobile client code for Android platforms.
 

CONTRIBUTING.ru.md

@@ -21,8 +21,8 @@
 
 Для локальной сборки и тестирования OSTP вам понадобятся:
 
-*   **Rust Toolchain (1.75+)**: Рекомендуется установить через [rustup](https://rustup.rs/).
-*   **Node.js (18+) и npm**: Необходимы для сборки веб-панели управления (`ostp-control`) и сборки интерфейса Tauri.
+*   **Rust Toolchain**: Установите через [rustup](https://rustup.rs/) (stable канал).
+*   **Node.js (18+) и npm**: Необходимы для сборки интерфейса Tauri.
 *   **Git**: Для контроля версий.
 
 ### Сборка проекта
@@ -33,15 +33,7 @@
     cd ostp
     ```
 
-2.  **Соберите веб-интерфейс панели управления**:
-    ```bash
-    cd ostp-control
-    npm install
-    npm run build
-    cd ..
-    ```
-
-3.  **Соберите весь Cargo-workspace**:
+2.  **Соберите весь Cargo-workspace**:
     ```bash
     cargo build
     ```
@@ -59,8 +51,7 @@
 
 *   [`ostp-core/`](file:///d:/ospab-projects/ostp/ostp-core): Базовая логика протокола: форматирование пакетов, сериализация, конечный автомат выборочного подтверждения (ARQ/ACK/NACK) и рукопожатие Noise (`Noise_NNpsk0_25519_ChaChaPoly_BLAKE2s`).
 *   [`ostp-client/`](file:///d:/ospab-projects/ostp/ostp-client): Клиентская часть: локальные SOCKS5/HTTP прокси-серверы, интеграция с драйвером `wintun` / `tun2socks` и реализация раздельного туннелирования для прямого обхода трафика.
-*   [`ostp-server/`](file:///d:/ospab-projects/ostp/ostp-server): Серверная часть: диспетчеризация сессий, маскировка под классические веб-серверы при активном сканировании, база данных ключей доступа и REST API панели управления.
-*   [`ostp-control/`](file:///d:/ospab-projects/ostp/ostp-control): Панель администратора (пользователи, статистика трафика в реальном времени, лимиты скорости и объема данных).
+*   [`ostp-server/`](file:///d:/ospab-projects/ostp/ostp-server): Логика сервера, диспетчер сессий, защита от пробинга, база данных ключей и REST API.
 *   [`ostp-gui/`](file:///d:/ospab-projects/ostp/ostp-gui): Настольное приложение-клиент для Windows и Linux на платформе Tauri.
 *   [`ostp-flutter/`](file:///d:/ospab-projects/ostp/ostp-flutter): Мобильный клиент для платформы Android.
 

Cargo.lock

@@ -388,6 +388,16 @@ version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c8d4a3bb8b1e0c1050499d1815f5ab16d04f0959b233085fb31653fbfc9d98f9"
 
+[[package]]
+name = "clipboard-win"
+version = "3.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9fdf5e01086b6be750428ba4a40619f847eb2e95756eee84b18e06e5f0b50342"
+dependencies = [
+ "lazy-bytes-cast",
+ "winapi",
+]
+
 [[package]]
 name = "colorchoice"
 version = "1.0.5"
@@ -1252,6 +1262,12 @@ version = "0.2.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9dbbfed4e59ba9750e15ba154fdfd9329cee16ff3df539c2666b70f58cc32105"
 
+[[package]]
+name = "lazy-bytes-cast"
+version = "5.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "10257499f089cd156ad82d0a9cd57d9501fa2c989068992a97eb3c27836f206b"
+
 [[package]]
 name = "lazy_static"
 version = "1.5.0"
@@ -1431,16 +1447,18 @@ checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381"
 
 [[package]]
 name = "ostp"
-version = "0.2.98"
+version = "0.3.12"
 dependencies = [
  "anyhow",
  "base64",
  "clap",
+ "clipboard-win",
  "colored",
  "json_comments",
  "ostp-client",
  "ostp-core",
  "ostp-server",
+ "pico-args",
  "rand 0.8.5",
  "reqwest",
  "serde",
@@ -1453,7 +1471,7 @@ dependencies = [
 
 [[package]]
 name = "ostp-client"
-version = "0.2.98"
+version = "0.3.12"
 dependencies = [
  "anyhow",
  "base64",
@@ -1488,17 +1506,20 @@ dependencies = [
 
 [[package]]
 name = "ostp-core"
-version = "0.2.98"
+version = "0.3.12"
 dependencies = [
  "anyhow",
+ "byteorder",
  "bytes",
  "chacha20poly1305",
  "hkdf",
  "hmac",
  "rand 0.8.5",
+ "serde",
  "sha2",
  "snow",
  "thiserror 1.0.69",
+ "tokio",
  "tracing",
  "x25519-dalek",
 ]
@@ -1522,7 +1543,7 @@ dependencies = [
 
 [[package]]
 name = "ostp-server"
-version = "0.2.98"
+version = "0.3.12"
 dependencies = [
  "anyhow",
  "axum",
@@ -1555,7 +1576,7 @@ dependencies = [
 
 [[package]]
 name = "ostp-tun"
-version = "0.2.98"
+version = "0.3.12"
 dependencies = [
  "anyhow",
  "libc",
@@ -1567,7 +1588,7 @@ dependencies = [
 
 [[package]]
 name = "ostp-tun-helper"
-version = "0.2.98"
+version = "0.3.12"
 dependencies = [
  "anyhow",
  "chrono",
@@ -1591,6 +1612,12 @@ version = "2.3.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9b4f627cb1b25917193a259e49bdad08f671f8d9708acfd5fe0a8c1455d87220"
 
+[[package]]
+name = "pico-args"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5be167a7af36ee22fe3115051bc51f6e6c7054c9348e28deb4f49bd6f705a315"
+
 [[package]]
 name = "pin-project-lite"
 version = "0.2.17"

Cargo.toml

@@ -12,7 +12,7 @@ resolver = "2"
 [workspace.package]
 edition = "2021"
 license = "BSL 1.1"
-version = "0.3.1"
+version = "0.3.12"
 
 [workspace.dependencies]
 anyhow = "1.0"

LICENSE

@@ -1,74 +1,661 @@
-Business Source License 1.1
+                    GNU AFFERO GENERAL PUBLIC LICENSE
+                       Version 3, 19 November 2007
 
-Parameters
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
 
-Licensor:                     Ospab Foundation (represented by Syralev Georgiy)
-Licensed Work:                The Ospab Stealth Transport Protocol (OSTP) and all
-                              associated workspace crates, utilities, and documents.
-Additional Use Grant:         The Licensor hereby grants you the right to copy,
-                              modify, create derivative works, redistribute, and
-                              make non-production and non-commercial use of the
-                              Licensed Work. You are also permitted to use the
-                              Licensed Work in production for personal, private
-                              utility and non-profit organizations.
-Change Date:                  May 14, 2030
-Change License:               MIT License (as defined below)
+                            Preamble
 
------------------------------------------------------------------------------------
+  The GNU Affero General Public License is a free, copyleft license for
+software and other kinds of works, specifically designed to ensure
+cooperation with the community in the case of network server software.
 
-Terms
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+our General Public Licenses are intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.
 
-1. The Licensor hereby grants you the right to copy, modify, create derivative works, 
-   redistribute, and make use of the Licensed Work only as permitted by the 
-   Additional Use Grant.
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
 
-2. The Licensor hereby grants you the right to copy, modify, create derivative works, 
-   redistribute, and make use of the Licensed Work under the terms of the Change 
-   License on and after the Change Date.
+  Developers that use our General Public Licenses protect your rights
+with two steps: (1) assert copyright on the software, and (2) offer
+you this License which gives you legal permission to copy, distribute
+and/or modify the software.
 
-3. To the extent that any term of this License (including the Additional Use Grant 
-   and the Change License) is in conflict with the Terms of this License, these 
-   Terms shall take precedence.
+  A secondary benefit of defending all users' freedom is that
+improvements made in alternate versions of the program, if they
+receive widespread use, become available for other developers to
+incorporate.  Many developers of free software are heartened and
+encouraged by the resulting cooperation.  However, in the case of
+software used on network servers, this result may fail to come about.
+The GNU General Public License permits making a modified version and
+letting the public access it on a server without ever releasing its
+source code to the public.
 
-4. Every copy of the Licensed Work and any derivative work must include this 
-   License and all other copyright, trademark, and proprietary notices included 
-   with the Licensed Work.
+  The GNU Affero General Public License is designed specifically to
+ensure that, in such cases, the modified source code becomes available
+to the community.  It requires the operator of a network server to
+provide the source code of the modified version running there to the
+users of that server.  Therefore, public use of a modified version, on
+a publicly accessible server, gives the public access to the source
+code of the modified version.
 
-5. Any use of the Licensed Work that is not permitted by this License is a breach 
-   of this License and may terminate your rights under this License.
+  An older license, called the Affero General Public License and
+published by Affero, was designed to accomplish similar goals.  This is
+a different license, not a version of the Affero GPL, but Affero has
+released a new version of the Affero GPL which permits relicensing under
+this license.
 
-6. DISCLAIMER OF WARRANTY. TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED 
-   WORK IS PROVIDED ON AN "AS IS" BASIS. THE LICENSOR MAKES NO REPRESENTATIONS OR 
-   WARRANTIES OF ANY KIND CONCERNING THE LICENSED WORK, EXPRESS OR IMPLIED, STATUTORY 
-   OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE, 
-   MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT.
+  The precise terms and conditions for copying, distribution and
+modification follow.
 
-7. LIMITATION OF LIABILITY. TO THE EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT 
-   WILL THE LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY FOR ANY SPECIAL, INCIDENTAL, 
-   CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES ARISING OUT OF THIS LICENSE OR THE 
-   USE OF THE LICENSED WORK, EVEN IF THE LICENSOR HAS BEEN ADVISED OF THE 
-   POSSIBILITY OF SUCH DAMAGES.
+                       TERMS AND CONDITIONS
 
------------------------------------------------------------------------------------
+  0. Definitions.
 
-Change License Text (MIT License)
+  "This License" refers to version 3 of the GNU Affero General Public License.
 
-Copyright (c) 2026 Syralev Georgiy (Ospab Foundation)
+  "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
 
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
+  "The Program" refers to any copyrightable work licensed under this
+License.  Each licensee is addressed as "you".  "Licensees" and
+"recipients" may be individuals or organizations.
 
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
+  To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy.  The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+  A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+  To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy.  Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+  To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies.  Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+  An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License.  If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+  1. Source Code.
+
+  The "source code" for a work means the preferred form of the work
+for making modifications to it.  "Object code" means any non-source
+form of a work.
+
+  A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+  The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form.  A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+  The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities.  However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work.  For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+  The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+  The Corresponding Source for a work in source code form is that
+same work.
+
+  2. Basic Permissions.
+
+  All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met.  This License explicitly affirms your unlimited
+permission to run the unmodified Program.  The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work.  This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+  You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force.  You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright.  Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+  Conveying under any other circumstances is permitted solely under
+the conditions stated below.  Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+  No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+  When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+  4. Conveying Verbatim Copies.
+
+  You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+  You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+  5. Conveying Modified Source Versions.
+
+  You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+  A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit.  Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+  6. Conveying Non-Source Forms.
+
+  You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+
+  A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+  A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling.  In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage.  For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product.  A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+  "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source.  The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+  If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information.  But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+  The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed.  Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+  Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+  7. Additional Terms.
+
+  "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.  If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+  When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it.  (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.)  You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+  Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+
+  All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10.  If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+  If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+  Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+  8. Termination.
+
+  You may not propagate or modify a covered work except as expressly
+provided under this License.  Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+  However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+  Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+  Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License.  If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+  9. Acceptance Not Required for Having Copies.
+
+  You are not required to accept this License in order to receive or
+run a copy of the Program.  Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance.  However,
+nothing other than this License grants you permission to propagate or
+modify any covered work.  These actions infringe copyright if you do
+not accept this License.  Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+  10. Automatic Licensing of Downstream Recipients.
+
+  Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License.  You are not responsible
+for enforcing compliance by third parties with this License.
+
+  An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations.  If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+  You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License.  For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+  11. Patents.
+
+  A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based.  The
+work thus licensed is called the contributor's "contributor version".
+
+  A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version.  For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+  Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+  In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement).  To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+  If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients.  "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+  If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+  A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License.  You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+  Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+  12. No Surrender of Others' Freedom.
+
+  If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all.  For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+  13. Remote Network Interaction; Use with the GNU General Public License.
+
+  Notwithstanding any other provision of this License, if you modify the
+Program, your modified version must prominently offer all users
+interacting with it remotely through a computer network (if your version
+supports such interaction) an opportunity to receive the Corresponding
+Source of your version by providing access to the Corresponding Source
+from a network server at no charge, through some standard or customary
+means of facilitating copying of software.  This Corresponding Source
+shall include the Corresponding Source for any work covered by version 3
+of the GNU General Public License that is incorporated pursuant to the
+following paragraph.
+
+  Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU General Public License into a single
+combined work, and to convey the resulting work.  The terms of this
+License will continue to apply to the part which is the covered work,
+but the work with which it is combined will remain governed by version
+3 of the GNU General Public License.
+
+  14. Revised Versions of this License.
+
+  The Free Software Foundation may publish revised and/or new versions of
+the GNU Affero General Public License from time to time.  Such new versions
+will be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+  Each version is given a distinguishing version number.  If the
+Program specifies that a certain numbered version of the GNU Affero General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation.  If the Program does not specify a version number of the
+GNU Affero General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+  If the Program specifies that a proxy can decide which future
+versions of the GNU Affero General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+  Later license versions may give you additional or different
+permissions.  However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+  15. Disclaimer of Warranty.
+
+  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. Limitation of Liability.
+
+  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+  17. Interpretation of Sections 15 and 16.
+
+  If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
+
+    You should have received a copy of the GNU Affero General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+  If your software can interact with users remotely through a computer
+network, you should also make sure that it provides a way for users to
+get its source.  For example, if your program is a web application, its
+interface could display a "Source" link that leads users to an archive
+of the code.  There are many ways you could offer source, and different
+solutions will be better for different programs; see section 13 for the
+specific requirements.
+
+  You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU AGPL, see
+<https://www.gnu.org/licenses/>.

README.md

@@ -1,128 +1,101 @@
 # OSTP — Ospab Stealth Transport Protocol
 
-[Русский язык](README.ru.md) · [Wiki](https://github.com/ospab/ostp/wiki) · [Contributing](CONTRIBUTING.md) · [Releases](https://github.com/ospab/ostp/releases)
+[Русский язык](README.ru.md) · [Wiki](https://github.com/ospab/ostp/wiki) · [Contributing](CONTRIBUTING.md) · [Releases](https://github.com/ospab/ostp/releases) · [Migration Guide](docs/migration_v0_3_1.md)
 
 ![GitHub Release](https://img.shields.io/github/v/release/ospab/ostp?style=for-the-badge&color=blue)
-![License: BSL 1.1](https://img.shields.io/badge/License-BSL%201.1-orange.svg?style=for-the-badge)
+![License: AGPL v3](https://img.shields.io/badge/License-AGPL%20v3-blue.svg?style=for-the-badge)
 ![Platform: Windows | Linux | macOS | Android](https://img.shields.io/badge/Platform-Windows%20%7C%20Linux%20%7C%20macOS%20%7C%20Android-green.svg?style=for-the-badge)
 ![Crypto](https://img.shields.io/badge/Crypto-Noise__NNpsk0-blueviolet?style=for-the-badge)
 ![Transport](https://img.shields.io/badge/Transport-UDP%20ARQ-informational?style=for-the-badge)
 
-> A fast, custom encrypted transport protocol written in Rust.
+OSTP (Ospab Stealth Transport Protocol) is an encrypted transport protocol written in Rust. It implements a custom ARQ transport over UDP and a UDP-over-TCP (UoT) mode. The protocol uses cryptographic masking for all packet headers and payloads to resist traffic classification by Deep Packet Inspection (DPI) systems.
 
-**OSTP** (Ospab Stealth Transport Protocol) is a high-performance transport protocol. It implements a custom ARQ transport over UDP, as well as a UoT (UDP-over-TCP) mode. Every byte on the wire — including packet headers — is cryptographically indistinguishable from random noise, making it highly resistant to Deep Packet Inspection (DPI).
+> [!IMPORTANT]
+> **Upgrading from v0.2.x?** Please read the [v0.3.1 Configuration Migration Guide](docs/migration_v0_3_1.md).
 
 ---
 
-## Quick Install
+## Technical Capabilities
 
-### Linux
-```bash
-bash <(curl -Ls https://raw.githubusercontent.com/ospab/ostp/master/scripts/install.sh)
-```
-
-### Windows (PowerShell, run as Administrator)
-```powershell
-irm https://raw.githubusercontent.com/ospab/ostp/master/scripts/install.ps1 | iex
-```
-
-### Manual Download
-Download pre-built binaries for your platform from [GitHub Releases](https://github.com/ospab/ostp/releases).
-
----
-
-## Key Features
-
-| Feature | Description |
-|---------|-------------|
-| **Full Traffic Obfuscation** | Every packet — including headers — is indistinguishable from random noise. Session IDs and nonces are masked with per-packet HMAC-derived keys. |
-| **Noise Protocol Handshake** | `Noise_NNpsk0_25519_ChaChaPoly_BLAKE2s` — PSK-authenticated, forward-secret key exchange with no static identity exposure. |
+| Capability | Description |
+|------------|-------------|
+| **Traffic Masking** | Header and payload encryption using per-packet HMAC-derived keys. Indistinguishable from random noise. |
+| **Noise Protocol** | `Noise_NNpsk0_25519_ChaChaPoly_BLAKE2s` — PSK-authenticated, forward-secret key exchange. |
 | **Reliable UDP (ARQ)** | Selective ACK/NACK with rate-limited retransmission, configurable reorder buffer, and exponential backoff. |
-| **Multiplexed Streams** | Multiple logical TCP streams over a single encrypted UDP session with per-stream flow control. |
-| **Seamless Roaming** | Clients can switch networks (WiFi ↔ LTE) without session interruption — tracked by session-ID, not IP. |
-| **Management API** | Built-in REST API for third-party panels (3x-ui, custom dashboards). Per-user stats, traffic limits, key CRUD. |
-| **Fallback Server** | TCP fallback proxy to a web server — makes OSTP indistinguishable from nginx during active probing. |
-| **Multi-Listener** | Bind to multiple addresses simultaneously (dual-stack IPv4/IPv6, multi-port). |
-| **TUN Mode** | Full-system VPN via native `smoltcp` network stack without external dependencies. All traffic transparently routed through the tunnel. |
-| **xHTTP Stealth (UoT)** | UDP-over-TCP tunnel that completely hides traffic. Since all data is fully encrypted and length-prefixed, it bypasses DPI filters that block unknown UDP traffic by riding over a plain TCP connection. |
-| **Mobile & Web Apps** | Beautiful cross-platform mobile client (Flutter) and a modern Web Control Panel (React/Vite) for effortless server and client management. |
-| **TURN Relay** | RFC 5766 TURN support for environments where direct UDP is blocked. |
-| **Hot-Reload** | Runtime config reload without restart (access keys, exclusions, mux settings). |
-| **Structured Logging** | `tracing`-based logging with `RUST_LOG` filtering. JSON/file/syslog output support. |
-| **Cross-Platform** | Windows, Linux, macOS, Android, FreeBSD, MIPS, RISC-V. Single binary, no runtime dependencies. |
+| **Multiplexed Streams**| Multiple logical TCP streams over a single encrypted UDP session with per-stream flow control. |
+| **Session Roaming** | Connection persistence across IP changes via session ID tracking. |
+| **UoT Mode** | UDP-over-TCP encapsulation with length-prefixing to bypass UDP blocking. |
+| **Fallback Server** | TCP proxying to a legitimate web server to resist active probing. |
+| **TUN Mode** | Native network stack integration (`smoltcp`) for full-system routing without external dependencies. |
+| **Management API** | Built-in REST API for server administration, metrics, and key generation. |
+| **TURN Relay** | RFC 5766 TURN support for NAT traversal. |
 
 ---
 
 ## Architecture
 
 ```mermaid
-graph TD
-    subgraph Client ["Client"]
-        A[Browser / Apps] -->|SOCKS5 / HTTP| B(Bridge Multiplexer)
-        TUN[TUN Interface] -->|IP Packets| B
+flowchart LR
+    Apps[Local Apps] -->|SOCKS5 / TUN| CoreC
 
-        subgraph OSTPCoreClient ["OSTP Core Protocol"]
-            B --> C{Protocol Machine}
-            C -->|Noise Handshake| D[ChaCha20Poly1305 AEAD]
-            D -->|Obfuscated UDP Payload| E((UDP Socket))
-        end
+    subgraph Client [Client Node]
+        CoreC[OSTP Client] -.->|Encrypt & Mask| NetC[Transport Layer]
     end
 
-    E <==>|Encrypted & Obfuscated UDP Tunnel| F
+    NetC <==>|Encrypted UDP / UoT| NetS
 
-    subgraph Server ["Server"]
-        F((UDP Socket)) --> G{Dispatcher}
-        
-        subgraph OSTPCoreServer ["OSTP Core Backend"]
-            G -->|Auth & Decrypt| H[Session & State Guard]
-            H -->|TCP Stream| I[Relay Loop]
+    subgraph Server [Server Node]
+        NetS[Transport Layer] -.->|Decrypt & Auth| CoreS[OSTP Server]
+        NetS -->|Unauthenticated| Fallback[Fallback Server]
     end
 
-        G -->|Active Probing / Unauth| FB[TCP Fallback Proxy]
-        FB -->|Forward| NGINX[nginx / Caddy]
-        
-        H -->|Stats & Traffic| API[Management API]
-        
-        I -->|Outbound| WWW((Internet))
-    end
+    CoreS -->|Relay| WWW((Internet))
+    Fallback -->|Forward| Web((Web / NGINX))
 ```
 
 ---
 
 ## Quick Start
 
-### 1. Generate config
+### 1. Installation
 
+**Linux:**
 ```bash
-# On your VPS (server):
+bash <(curl -Ls https://raw.githubusercontent.com/ospab/ostp/master/scripts/install.sh)
+```
+
+**Windows (PowerShell as Administrator):**
+```powershell
+irm https://raw.githubusercontent.com/ospab/ostp/master/scripts/install.ps1 | iex
+```
+
+### 2. Configuration
+
+Initialize the configuration files for the server and client:
+```bash
+# On the server:
 ./ostp --init server
 
-# On your machine (client):
+# On the client:
 ./ostp --init client
 ```
 
-### 2. Edit config
-
-**Server** — set your access keys:
+**Server Example** (`config.json`):
 ```jsonc
 {
   "mode": "server",
   "listen": "0.0.0.0:50000",
-  "access_keys": ["YOUR_SECRET_KEY"],
-  "api": { "enabled": true, "bind": "127.0.0.1:9090", "token": "admin-token" },
-  "fallback": { "enabled": false, "listen": "0.0.0.0:443", "target": "127.0.0.1:8080" }
+  "access_keys": ["YOUR_SECRET_KEY"]
 }
 ```
 
-**Client** — point to your server:
+**Client Example** (`config.json`):
 ```jsonc
 {
   "mode": "client",
   "version": "0.3.1",
-  "log": { "level": "info" },
   "inbounds": [
-    { "type": "local_proxy", "tag": "socks-in", "protocol": "socks", "listen": "127.0.0.1", "port": 1088 },
-    { "type": "tun", "tag": "tun-in", "auto_route": false, "mtu": 1140 }
+    { "type": "local_proxy", "tag": "socks-in", "protocol": "socks", "listen": "127.0.0.1", "port": 1088 }
   ],
   "outbounds": [
     {
@@ -132,90 +105,35 @@ graph TD
       "port": 50000,
       "access_key": "YOUR_SECRET_KEY",
       "transport": { "type": "udp" }
-    },
-    { "type": "direct", "tag": "direct" },
-    { "type": "block", "tag": "block" }
-  ],
-  "routing": {
-    "rules": [
-      { "domain_suffix": ["localhost"], "outbound": "direct" }
-    ],
-    "default_outbound": "proxy"
     }
+  ]
 }
 ```
 
-> **Note:** Upgrading from v0.2.x? Read the [v0.3.1 Migration Guide](MIGRATION_V0_3_1.md).
-
-### 3. Run
+### 3. Execution
 
 ```bash
-./ostp                        # Uses config.json in current directory
-./ostp --config /path/to.json # Custom config path
-./ostp --check                # Validate config without running
-./ostp --generate-key         # Generate a new access key
-./ostp --links                # Print client share links
+# Run with default config.json
+./ostp
+
+# Run with a specific config path
+./ostp --config /path/to/config.json
 ```
 
-### 4. Connect via share link (one-liner)
+Or connect via a one-line share link on the client:
 ```bash
-./ostp "ostp://ACCESS_KEY@server.com:50000?..."
-```
-
-> [!WARNING]
-> Always wrap the `ostp://...` link in quotes (`"`) so your terminal doesn't misinterpret special characters like `&` or `?`.
-
----
-
-## Management API
-
-Built-in REST API for building panels and dashboards.
-
-```bash
-# Server status
-curl -H "Authorization: Bearer mytoken" http://127.0.0.1:9090/api/server/status
-
-# List all users with traffic stats  
-curl -H "Authorization: Bearer mytoken" http://127.0.0.1:9090/api/users
-
-# Create a user with 10GB traffic limit
-curl -X POST -H "Authorization: Bearer mytoken" \
-  -H "Content-Type: application/json" \
-  -d '{"limit_bytes": 10737418240}' \
-  http://127.0.0.1:9090/api/users
-```
-
-Full API reference: [Management API](https://github.com/ospab/ostp/wiki/Management-API)
-
----
-
-## CLI Reference
-
-```
-ostp [OPTIONS] [URL]
-
-Options:
-  --config <PATH>        Config file path (default: config.json)
-  --init <MODE>          Generate template config (server/client)
-  --check                Validate configuration and exit
-  -g, --generate-key     Generate a secure access key
-  -c, --count <N>        Number of keys to generate (default: 1)
-  --format <FMT>         Key format: hex, base64 (default: hex)
-  --links                Print client share links from server config
-
-Arguments:
-  [URL]                  Connect via share link: ostp://KEY@HOST:PORT
+./ostp "ostp://YOUR_SECRET_KEY@YOUR_SERVER_IP:50000?transport=udp"
 ```
 
 ---
 
-## Protocol Summary
+## Protocol Specification
 
 | Layer | Mechanism |
 |-------|-----------|
 | Key Exchange | Noise NNpsk0 (X25519 + ChaChaPoly + BLAKE2s) zero-RTT |
 | Encryption | ChaCha20-Poly1305 AEAD per-packet |
-| Header Obfuscation | HMAC-SHA256 derived per-packet mask |
+| Header Masking | HMAC-SHA256 derived per-packet mask |
 | Reliability | Selective ACK with cumulative + SACK ranges |
 | Retransmission | Rate-limited NACK + exponential backoff RTO |
 | Keepalive | Ping/Pong with RTT measurement every 5s |
@@ -225,38 +143,31 @@ Arguments:
 ## Building from Source
 
 ```bash
-# Prerequisites: Rust 1.75+
+# Requires Rust 1.75+
 cargo build --release
 
 # Cross-compile for Linux
 cross build --release --target x86_64-unknown-linux-gnu
-
-# Run tests
-cargo test -p ostp-core -p ostp-server
 ```
 
 ---
 
 ## Documentation
 
-- **[Wiki](https://github.com/ospab/ostp/wiki)** — Full documentation
-- [Installation](https://github.com/ospab/ostp/wiki/Installation)
+- **[Wiki](https://github.com/ospab/ostp/wiki)**
 - [Configuration Reference](https://github.com/ospab/ostp/wiki/Configuration)
 - [Management API](https://github.com/ospab/ostp/wiki/Management-API)
 - [Protocol Design](https://github.com/ospab/ostp/wiki/Protocol-Design)
-- [Building from Source](https://github.com/ospab/ostp/wiki/Building-from-Source)
-- [FAQ](https://github.com/ospab/ostp/wiki/FAQ)
 
 ---
 
 ## License
 
-Business Source License 1.1. Free for personal and non-commercial use.  
-Converts to MIT License on May 14, 2030.
+GNU Affero General Public License v3.0 (AGPL-3.0). See [LICENSE](LICENSE) for more details.
 
 ---
 
-## Contact
+## Contacts
 
 - **Telegram**: [@ospab0](https://t.me/ospab0)
 - **Email**: gvoprgrg@gmail.com

README.ru.md

@@ -1,120 +1,101 @@
 # OSTP — Ospab Stealth Transport Protocol
 
-[English](README.md) · [Contributing](CONTRIBUTING.ru.md)
+[English](README.md) · [Wiki](https://github.com/ospab/ostp/wiki) · [Contributing](CONTRIBUTING.ru.md) · [Миграция v0.3.1](docs/migration_v0_3_1_ru.md)
 
 ![GitHub Release](https://img.shields.io/github/v/release/ospab/ostp?style=for-the-badge&color=blue)
-![License: BSL 1.1](https://img.shields.io/badge/License-BSL%201.1-orange.svg?style=for-the-badge)
+![License: AGPL v3](https://img.shields.io/badge/License-AGPL%20v3-blue.svg?style=for-the-badge)
 ![Platform: Windows | Linux | macOS | Android](https://img.shields.io/badge/Platform-Windows%20%7C%20Linux%20%7C%20macOS%20%7C%20Android-green.svg?style=for-the-badge)
 ![Crypto](https://img.shields.io/badge/Crypto-Noise__NNpsk0-blueviolet?style=for-the-badge)
 ![Transport](https://img.shields.io/badge/Transport-UDP%20ARQ-informational?style=for-the-badge)
 
-> Быстрый кастомный зашифрованный транспортный протокол на Rust.
+OSTP (Ospab Stealth Transport Protocol) — зашифрованный транспортный протокол, написанный на Rust. Реализует механизм ARQ поверх UDP, а также режим UoT (UDP-over-TCP). Протокол использует криптографическое маскирование заголовков и полезной нагрузки для защиты от систем глубокого анализа трафика (DPI).
 
-**OSTP** (Ospab Stealth Transport Protocol) — кастомный транспортный протокол. Реализует собственный ARQ-транспорт поверх UDP, а также режим UoT (UDP-over-TCP). Каждый байт, включая заголовки пакетов, криптографически неотличим от случайного шума, что делает его устойчивым к системам глубокого анализа трафика (DPI).
+> [!IMPORTANT]
+> **Обновляетесь с версии v0.2.x?** Пожалуйста, ознакомьтесь с [Руководством по миграции конфигурации v0.3.1](docs/migration_v0_3_1_ru.md).
 
 ---
 
-## Возможности
+## Технические характеристики
 
 | Возможность | Описание |
 |-------------|----------|
-| **Обфускация трафика** | Каждый пакет, включая заголовки, неотличим от случайного шума. Session ID и nonce маскируются HMAC-ключами, уникальными для каждого пакета. |
-| **Noise Protocol** | `Noise_NNpsk0_25519_ChaChaPoly_BLAKE2s` — аутентификация через PSK, forward secrecy, без раскрытия идентичности. |
-| **Reliable UDP (ARQ)** | Selective ACK/NACK с rate-limited ретрансмиссией, настраиваемым reorder-буфером и exponential backoff. Разработан для 10 Гбит/с. |
+| **Маскирование трафика** | Шифрование заголовков и полезной нагрузки с помощью HMAC ключей на каждый пакет. Трафик неотличим от шума. |
+| **Noise Protocol** | `Noise_NNpsk0_25519_ChaChaPoly_BLAKE2s` — аутентификация через PSK, forward secrecy. |
+| **Reliable UDP (ARQ)** | Selective ACK/NACK с rate-limited ретрансмиссией, настраиваемым reorder-буфером и exponential backoff. |
 | **Мультиплексирование** | Несколько логических TCP-потоков поверх одной зашифрованной UDP-сессии с per-stream flow control. |
-| **Бесшовный роуминг** | Клиент может менять сети (WiFi ↔ 4G) без разрыва сессии — сервер отслеживает session-ID, а не IP-адрес. |
-| **TUN-режим** | Полносистемный VPN без внешних зависимостей (встроенный network stack на базе `smoltcp`). |
-| **xHTTP Стелс (UoT)** | Туннель UDP-over-TCP, который полностью скрывает трафик. Поскольку все данные полностью зашифрованы и имеют префикс длины, он обходит DPI фильтры, блокирующие неизвестный UDP трафик, передавая всё по обычному TCP соединению. |
-| **Мобильные и Web приложения** | Красивый кроссплатформенный мобильный клиент (Flutter) и современная Web панель управления (React/Vite) для удобного администрирования. |
-| **TURN Relay** | RFC 5766 TURN для окружений, где прямой UDP заблокирован. |
-| **Hot-Reload** | Перезагрузка конфига в рантайме без перезапуска (ключи, исключения, mux, TURN). |
-| **Кросс-платформа** | Windows, Linux, macOS, Android. Один бинарник, без зависимостей. |
+| **Session Roaming** | Сохранение соединения при смене IP-адреса благодаря отслеживанию по идентификатору сессии (session ID). |
+| **Режим UoT** | Инкапсуляция UDP внутри TCP с указанием длины пакетов для обхода блокировок неизвестного UDP-трафика. |
+| **Fallback Server** | Проксирование неаутентифицированных TCP подключений на веб-сервер для защиты от активного пробинга. |
+| **TUN-режим** | Полносистемная маршрутизация через встроенный сетевой стек `smoltcp` без внешних зависимостей. |
+| **Management API** | Встроенный REST API для администрирования сервера, сбора метрик и генерации ключей. |
+| **TURN Relay** | Поддержка RFC 5766 TURN для обхода NAT. |
 
 ---
 
 ## Архитектура
 
 ```mermaid
-graph TD
-    subgraph Client ["Клиент"]
-        A[Браузер / Прил.] -->|SOCKS5 / HTTP| B(Bridge Multiplexer)
-        TUN[TUN Интерфейс] -->|IP Пакеты| B
+flowchart LR
+    Apps[Приложения] -->|SOCKS5 / TUN| CoreC
 
-        subgraph OSTPCoreClient ["OSTP Core Протокол"]
-            B --> C{Protocol Machine}
-            C -->|Noise Handshake| D[ChaCha20Poly1305 AEAD]
-            D -->|Обфусцированный UDP| E((UDP Сокет))
-        end
+    subgraph Client [Клиент]
+        CoreC[OSTP Клиент] -.->|Шифрование| NetC[Транспортный уровень]
     end
 
-    E <==>|Зашифрованный UDP Туннель| F
+    NetC <==>|Зашифрованный UDP / UoT| NetS
 
-    subgraph Server ["Сервер"]
-        F((UDP Сокет)) --> G{Dispatcher}
-        
-        subgraph OSTPCoreServer ["OSTP Core Backend"]
-            G -->|Auth & Decrypt| H[Session & State Guard]
-            H -->|TCP Поток| I[Relay Loop]
+    subgraph Server [Сервер]
+        NetS[Транспортный уровень] -.->|Дешифрование| CoreS[OSTP Сервер]
+        NetS -->|Неавторизованные| Fallback[Fallback Сервер]
     end
 
-        G -->|Active Probing / Unauth| FB[TCP Fallback Proxy]
-        FB -->|Перенаправление| NGINX[nginx / Caddy]
-        
-        I -->|Outbound| WWW((Интернет))
-    end
+    CoreS -->|Проксирование| WWW((Интернет))
+    Fallback -->|Перенаправление| Web((Веб-сервер / NGINX))
 ```
 
 ---
 
-## Установка
+## Быстрый старт
 
-### Linux
+### 1. Установка
+
+**Linux:**
 ```bash
 bash <(curl -Ls https://raw.githubusercontent.com/ospab/ostp/master/scripts/install.sh)
 ```
 
-### Windows (PowerShell от Администратора)
+**Windows (PowerShell от Администратора):**
 ```powershell
 irm https://raw.githubusercontent.com/ospab/ostp/master/scripts/install.ps1 | iex
 ```
 
----
+### 2. Конфигурация
 
-## Конфигурация
-
-Создать конфиг по умолчанию:
+Сгенерируйте базовые файлы конфигурации:
 ```bash
-./ostp --init server   # VPS
-./ostp --init client   # Локальная машина
+# На сервере:
+./ostp --init server
+
+# На клиенте:
+./ostp --init client
 ```
 
-### Сервер (`config.json`)
+**Пример конфигурации сервера** (`config.json`):
 ```jsonc
 {
   "mode": "server",
   "listen": "0.0.0.0:50000",
-  "access_keys": ["ВАШ_КЛЮЧ"],
-  "debug": false,
-  // Опционально: проксировать трафик через upstream
-  "outbound": {
-    "enabled": false,
-    "protocol": "socks5",
-    "address": "127.0.0.1",
-    "port": 9050,
-    "default_action": "proxy"
-  }
+  "access_keys": ["ВАШ_КЛЮЧ"]
 }
 ```
 
-### Клиент (`config.json`)
+**Пример конфигурации клиента** (`config.json`):
 ```jsonc
 {
   "mode": "client",
   "version": "0.3.1",
-  "log": { "level": "info" },
   "inbounds": [
-    { "type": "local_proxy", "tag": "socks-in", "protocol": "socks", "listen": "127.0.0.1", "port": 1088 },
-    { "type": "tun", "tag": "tun-in", "auto_route": false, "mtu": 1140 }
+    { "type": "local_proxy", "tag": "socks-in", "protocol": "socks", "listen": "127.0.0.1", "port": 1088 }
   ],
   "outbounds": [
     {
@@ -123,41 +104,26 @@ irm https://raw.githubusercontent.com/ospab/ostp/master/scripts/install.ps1 | ie
       "server": "IP_СЕРВЕРА",
       "port": 50000,
       "access_key": "ВАШ_КЛЮЧ",
-      "transport": { "type": "udp" },
-      "multiplex": { "enabled": false, "sessions": 1 }
-    },
-    { "type": "direct", "tag": "direct" },
-    { "type": "block", "tag": "block" }
-  ],
-  "routing": {
-    "rules": [
-      { "domain_suffix": ["example.local"], "outbound": "direct" },
-      { "ip_cidr": ["192.168.0.0/16"], "outbound": "direct" }
-    ],
-    "default_outbound": "proxy"
+      "transport": { "type": "udp" }
     }
+  ]
 }
 ```
 
-> **Примечание:** Обновляетесь с v0.2.x? Прочтите [Гайд по миграции на v0.3.1](MIGRATION_V0_3_1.md).
-
----
-
-## Использование
+### 3. Запуск
 
 ```bash
-# Запуск с конфигом
-./ostp --config config.json
-
-# Или просто (ищет config.json рядом с бинарником)
+# Запуск с конфигурацией по умолчанию (config.json)
 ./ostp
+
+# Запуск с указанием пути к конфигурации
+./ostp --config /path/to/config.json
 ```
 
-### TUN-режим (Windows)
-Использует встроенный сетевой стек `smoltcp` и виртуальный адаптер `wintun` (необходима `wintun.dll`). Требует запуска с правами Администратора.
-
-### TUN-режим (Linux)
-Использует встроенный сетевой стек `smoltcp` и `/dev/net/tun`. Требует запуска от имени `root` (или наличия `CAP_NET_ADMIN`).
+Либо подключение через однострочную ссылку на стороне клиента:
+```bash
+./ostp "ostp://ВАШ_КЛЮЧ@IP_СЕРВЕРА:50000?transport=udp"
+```
 
 ---
 
@@ -167,19 +133,17 @@ irm https://raw.githubusercontent.com/ospab/ostp/master/scripts/install.ps1 | ie
 |---------|----------|
 | Обмен ключами | Noise NNpsk0 (X25519 + ChaChaPoly + BLAKE2s) zero-RTT |
 | Шифрование | ChaCha20-Poly1305 AEAD на каждый пакет |
-| Обфускация заголовков | HMAC-SHA256 маска session_id + nonce, уникальная для каждого пакета |
+| Обфускация заголовков | HMAC-SHA256 маска на основе session_id и nonce |
 | Надёжность | Selective ACK с cumulative + SACK диапазонами |
-| Ретрансмиссия | Rate-limited NACK (30мс cooldown) + exponential backoff RTO |
-| Flow Control | Окно in-flight (только retransmittable фреймы) |
+| Ретрансмиссия | Rate-limited NACK + exponential backoff RTO |
 | Keepalive | Ping/Pong с измерением RTT каждые 5с |
-| Таймаут сессии | 60с на клиенте, 300с на сервере |
 
 ---
 
 ## Сборка из исходников
 
 ```bash
-# Требования: Rust toolchain (1.75+)
+# Требования: Rust 1.75+
 cargo build --release
 
 # Кросс-компиляция для Linux
@@ -190,16 +154,21 @@ cross build --release --target x86_64-unknown-linux-gnu
 
 ## Документация
 
-- [Архитектура](docs/ru/architecture.md)
+- **[Wiki](https://github.com/ospab/ostp/wiki)**
 - [Спецификация протокола](docs/ru/specification.md)
 - [Дизайн обфускации](docs/ru/obfuscation.md)
-- [Администрирование сервера](docs/ru/server.md)
+- [Архитектура](docs/ru/architecture.md)
 - [Настройка клиента](docs/ru/client.md)
-- [Интеграции](docs/ru/integrations.md)
 
 ---
 
 ## Лицензия
 
-Business Source License 1.1. Бесплатно для личного и некоммерческого использования.
-Переходит в MIT License 14 мая 2030 года.
+GNU Affero General Public License v3.0 (AGPL-3.0). Подробнее см. в файле [LICENSE](LICENSE).
+
+---
+
+## Контакты
+
+- **Telegram**: [@ospab0](https://t.me/ospab0)
+- **Email**: gvoprgrg@gmail.com

dnstt

@@ -0,0 +1 @@
+Subproject commit 0c5c52a57d899c05428c116898941761a2ed83c2

docs/migration_v0_3_1.md

@@ -0,0 +1,102 @@
+# OSTP v0.3.1 Configuration Migration
+
+In OSTP version 0.3.1, we have completely overhauled the `config.json` architecture for the client. The old monolithic structure (where all settings were in the root object) has been replaced by a modular system based on arrays of `inbounds` (incoming connections) and `outbounds` (outgoing connections), similar to Xray/V2Ray/Sing-box.
+
+This allows OSTP to scale, support multiple proxy servers, multiple entry points (SOCKS5, TUN), and complex routing (`routing`).
+
+## Automatic Migration
+
+The `ostp` core includes a built-in automatic migrator. Upon starting any program (cli, gui, flutter), the core will check your `config.json`. 
+
+If the configuration lacks the `"version": "0.3.1"` field, OSTP will **automatically** convert your old config into the new modular format and save it to disk without data loss.
+
+### What happens during migration:
+
+1. **TUN and SOCKS5** -> converted into the `inbounds` array.
+   - The `socks5_bind` setting becomes an inbound `local_proxy` (SOCKS).
+   - The `tun` setting becomes an inbound `tun`.
+2. **OSTP Server** -> moved into the `outbounds` array.
+   - Parameters `server`, `access_key`, `transport`, `mux` are combined into an outbound of type `"ostp"`.
+3. **Split Tunneling (Exclude)** -> converted into `routing` rules.
+   - Old `domains` and `ips` are converted into rules routing traffic to the `"direct"` outbound.
+   - All other requests are routed by default to the `"proxy"` outbound.
+4. **`version` fields**
+   - The field `"version": "0.3.1"` is added to prevent re-migration in the future. The `_comment` field has been removed.
+
+## Change Example
+
+### Before 0.3.1 (Old format)
+```json
+{
+  "mode": "client",
+  "log_level": "info",
+  "server": "1.2.3.4:50000",
+  "access_key": "secret",
+  "socks5_bind": "127.0.0.1:1088",
+  "tun": {
+    "enable": true
+  },
+  "exclude": {
+    "domains": ["localhost"]
+  }
+}
+```
+
+### After 0.3.1 (New format)
+```json
+{
+  "mode": "client",
+  "version": "0.3.1",
+  "log": {
+    "level": "info"
+  },
+  "inbounds": [
+    {
+      "type": "tun",
+      "tag": "tun-in",
+      "auto_route": true,
+      "mtu": 1140
+    },
+    {
+      "type": "local_proxy",
+      "tag": "socks-in",
+      "protocol": "socks",
+      "listen": "127.0.0.1",
+      "port": 1088
+    }
+  ],
+  "outbounds": [
+    {
+      "type": "ostp",
+      "tag": "proxy",
+      "server": "1.2.3.4",
+      "port": 50000,
+      "access_key": "secret",
+      "transport": {
+        "type": "udp"
+      }
+    },
+    {
+      "type": "direct",
+      "tag": "direct"
+    },
+    {
+      "type": "block",
+      "tag": "block"
+    }
+  ],
+  "routing": {
+    "rules": [
+      {
+        "domain_suffix": ["localhost"],
+        "outbound": "direct"
+      }
+    ],
+    "default_outbound": "proxy"
+  }
+}
+```
+
+## Information for GUI Developers (ostp-gui, ostp-flutter)
+
+If you are developing integrations or third-party clients, **you no longer need to parse the old fields**. You should use the `inbounds` and `outbounds` arrays. If the GUI passes a `serde_json::Value` to the core, the core will migrate it itself before starting. However, to save changes from the UI, you must modify the new array structure explicitly.

ostp-client/src/bridge.rs

@@ -18,7 +18,7 @@ impl Default for BridgeMetrics {
     }
 }
 
-pub fn set_socket_protector<F>(f: F)
+pub fn set_socket_protector<F>(_f: F)
 where
     F: Fn(i32) -> bool + Send + Sync + 'static,
 {

ostp-client/src/config.rs

@@ -15,8 +15,6 @@ pub struct ClientConfig {
     pub routing: RoutingConfig,
     #[serde(default, skip_serializing_if = "Option::is_none")]
     pub gui: Option<serde_json::Value>,
-    #[serde(default, skip_serializing_if = "Option::is_none")]
-    pub api: Option<serde_json::Value>,
 }
 
 #[derive(Debug, Clone, Serialize, Deserialize)]
@@ -52,6 +50,8 @@ pub enum InboundConfig {
         protocol: String, // "socks" or "http"
         listen: String,
         port: u16,
+        #[serde(default)]
+        set_system_proxy: bool,
     },
 }
 
@@ -95,7 +95,15 @@ pub enum OutboundConfig {
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct TransportConfig {
     #[serde(default = "default_transport_mode")]
-    pub r#type: String, // "udp" or "uot"
+    pub r#type: String, // "udp", "uot", or "dns"
+    
+    // Settings for DNS transport
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub domain: Option<String>,
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub resolver: Option<String>,
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub pubkey: Option<String>,
 }
 
 fn default_transport_mode() -> String { "udp".to_string() }
@@ -104,6 +112,9 @@ impl Default for TransportConfig {
     fn default() -> Self {
         Self {
             r#type: default_transport_mode(),
+            domain: None,
+            resolver: None,
+            pubkey: None,
         }
     }
 }
@@ -163,33 +174,42 @@ impl ClientConfig {
             .with_context(|| format!("failed to parse JSON from {}", path.display()))?;
 
         let (migrated_json, was_migrated) = Self::migrate_json(raw_json);
-        
         if was_migrated {
-            tracing::info!("Config was migrated to v0.3.1. Saving to {}", path.display());
-            let serialized = serde_json::to_string_pretty(&migrated_json)?;
-            let header = "// OSTP Configuration v0.3.1\n// DO NOT EDIT THIS COMMENT - Migrator relies on it\n";
-            let final_content = format!("{}{}", header, serialized);
-            std::fs::write(&path, final_content)
-                .with_context(|| format!("failed to save migrated config to {}", path.display()))?;
+            tracing::warn!(
+                "Config at {} is in an outdated format. Run 'ostp --migrate' to upgrade it.",
+                path.display()
+            );
         }
 
         let config: ClientConfig = serde_json::from_value(migrated_json)
-            .with_context(|| format!("failed to deserialize migrated config from {}", path.display()))?;
+            .with_context(|| format!("failed to deserialize config from {}", path.display()))?;
 
         Ok(config)
     }
 
     /// Migrates old monolithic JSON to the new modular format.
     /// Returns the migrated JSON value and a boolean indicating if a migration occurred.
-    pub fn migrate_json(mut json: serde_json::Value) -> (serde_json::Value, bool) {
-        let is_migrated = json.get("version").and_then(|v| v.as_str()) == Some("0.3.1");
-        if is_migrated {
+    pub fn migrate_json(json: serde_json::Value) -> (serde_json::Value, bool) {
+        // Consider the config already migrated if:
+        // 1. Version matches exactly, OR
+        // 2. The JSON already has the new modular format (inbounds + outbounds arrays)
+        let has_version = json.get("version").and_then(|v| v.as_str()) == Some(env!("CARGO_PKG_VERSION"));
+        let has_new_format = json.get("inbounds").and_then(|v| v.as_array()).is_some()
+            && json.get("outbounds").and_then(|v| v.as_array()).is_some();
+        
+        if has_version || has_new_format {
+            // If format is already new but version is old, just bump the version
+            if has_new_format && !has_version {
+                let mut updated = json.clone();
+                updated["version"] = serde_json::json!(env!("CARGO_PKG_VERSION"));
+                return (updated, false);
+            }
             return (json, false);
         }
 
         // Needs migration
         let mut new_json = serde_json::json!({
-            "version": "0.3.1",
+            "version": env!("CARGO_PKG_VERSION"),
         });
 
         // 1. Log level
@@ -305,10 +325,6 @@ impl ClientConfig {
             new_json["gui"] = gui.clone();
         }
         
-        if let Some(api) = json.get("api") {
-            new_json["api"] = api.clone();
-        }
-
         (new_json, true)
     }
 }

ostp-client/src/logging.rs

@@ -92,7 +92,7 @@ pub fn init_tracing(level: &str, app_name: &str, version: &str) -> Option<tracin
             .with(stderr_layer)
             .try_init();
             
-        tracing::info!(
+        tracing::debug!(
             "{} v{} | OS: {} | Arch: {} | log_level: {} | log_file: {}",
             app_name,
             version,

ostp-client/src/runner.rs

@@ -1,8 +1,7 @@
 use anyhow::Result;
 use std::sync::Arc;
-use tokio::sync::{mpsc, watch};
+use tokio::sync::watch;
 
-use crate::app::{BridgeCommand, ConnectionStatus, UiEvent};
 use crate::config::{ClientConfig, InboundConfig};
 use crate::tunnel::balancer::Balancer;
 use crate::tunnel::outbounds::OutboundManager;
@@ -10,9 +9,9 @@ use crate::tunnel::router::Router;
 
 pub async fn run_client_core(
     config: ClientConfig,
-    metrics: Arc<crate::bridge::BridgeMetrics>,
+    _metrics: Arc<crate::bridge::BridgeMetrics>,
     mut shutdown_rx_ext: watch::Receiver<bool>,
-    config_rx: Option<watch::Receiver<ClientConfig>>,
+    _config_rx: Option<watch::Receiver<ClientConfig>>,
 ) -> Result<()> {
     println!("[ostp] Starting run_client_core with multi-server architecture");
 

ostp-client/src/runner.rs.bak

@@ -1,436 +0,0 @@
-use anyhow::Result;
-use tokio::sync::{mpsc, watch};
-
-use crate::app::BridgeCommand;
-use crate::bridge::{Bridge, BridgeMetrics};
-use crate::signal::wait_for_shutdown_signal;
-use crate::tunnel;
-use std::sync::Arc;
-use std::fs::OpenOptions;
-use std::io::Write as _;
-
-fn log_to_core_file(msg: &str) {
-    let path = std::env::current_exe()
-        .ok()
-        .and_then(|p| p.parent().map(|d| d.join("ostp-core.log")))
-        .unwrap_or_else(|| std::path::PathBuf::from("ostp-core.log"));
-    if let Ok(mut file) = OpenOptions::new().create(true).append(true).open(path) {
-        let _ = writeln!(file, "[{}] {}", chrono::Local::now().format("%Y-%m-%d %H:%M:%S"), msg);
-    }
-}
-
-#[cfg(target_os = "windows")]
-#[link(name = "kernel32")]
-extern "system" {
-    fn FreeConsole() -> i32;
-    fn GetConsoleWindow() -> *mut std::ffi::c_void;
-}
-
-#[cfg(target_os = "windows")]
-#[link(name = "user32")]
-extern "system" {
-    fn ShowWindow(hwnd: *mut std::ffi::c_void, cmd_show: i32) -> i32;
-}
-
-fn hide_console() {
-    #[cfg(target_os = "windows")]
-    unsafe {
-        let hwnd = GetConsoleWindow();
-        if !hwnd.is_null() {
-            ShowWindow(hwnd, 0); // SW_HIDE = 0
-        }
-        FreeConsole();
-    }
-}
-
-#[cfg(target_os = "windows")]
-pub fn is_admin() -> bool {
-    std::process::Command::new("net")
-        .arg("session")
-        .stdout(std::process::Stdio::null())
-        .stderr(std::process::Stdio::null())
-        .status()
-        .map(|s| s.success())
-        .unwrap_or(false)
-}
-
-#[cfg(target_os = "windows")]
-fn relaunch_as_admin() -> Result<()> {
-    use std::ffi::OsStr;
-    use std::os::windows::ffi::OsStrExt;
-    use std::ptr::null_mut;
-
-    let exe = std::env::current_exe()?;
-    let exe_wstr: Vec<u16> = exe.as_os_str().encode_wide().chain(Some(0)).collect();
-
-    let mut args_joined = String::new();
-    for arg in std::env::args().skip(1) {
-        if !args_joined.is_empty() {
-            args_joined.push(' ');
-        }
-        args_joined.push('"');
-        args_joined.push_str(&arg.replace('"', "\\\""));
-        args_joined.push('"');
-    }
-    let args_wstr: Vec<u16> = OsStr::new(&args_joined).encode_wide().chain(Some(0)).collect();
-
-    let dir = std::env::current_dir()?;
-    let dir_wstr: Vec<u16> = dir.as_os_str().encode_wide().chain(Some(0)).collect();
-
-    let verb_wstr: Vec<u16> = OsStr::new("runas").encode_wide().chain(Some(0)).collect();
-
-    #[link(name = "shell32")]
-    extern "system" {
-        fn ShellExecuteW(
-            hwnd: *mut std::ffi::c_void,
-            lpOperation: *const u16,
-            lpFile: *const u16,
-            lpParameters: *const u16,
-            lpDirectory: *const u16,
-            nShowCmd: i32,
-        ) -> isize;
-    }
-
-    unsafe {
-        let ret = ShellExecuteW(
-            null_mut(),
-            verb_wstr.as_ptr(),
-            exe_wstr.as_ptr(),
-            args_wstr.as_ptr(),
-            dir_wstr.as_ptr(),
-            1, // SW_SHOWNORMAL = 1
-        );
-        if ret <= 32 {
-            return Err(anyhow::anyhow!(
-                "Windows UAC Elevation failed or was denied by policy (ShellExecuteW code: {})", 
-                ret
-            ));
-        }
-    }
-
-    std::process::exit(0);
-}
-
-#[cfg(target_os = "linux")]
-pub fn is_root() -> bool {
-    unsafe { libc::geteuid() == 0 }
-}
-
-#[cfg(target_os = "linux")]
-fn relaunch_as_root() -> Result<()> {
-    use std::io::IsTerminal;
-    let exe = std::env::current_exe()?;
-    let args: Vec<String> = std::env::args().skip(1).collect();
-
-    let is_gui = std::env::var("DISPLAY").is_ok() || std::env::var("WAYLAND_DISPLAY").is_ok();
-    let is_term = std::io::stdout().is_terminal();
-
-    let mut cmd = if is_gui && !is_term {
-        let mut c = std::process::Command::new("pkexec");
-        c.arg(exe);
-        c
-    } else {
-        let mut c = std::process::Command::new("sudo");
-        c.arg(exe);
-        c
-    };
-
-    cmd.args(&args);
-    
-    let status = cmd.status().map_err(|e| anyhow::anyhow!("Failed to execute privilege escalation command: {}", e))?;
-    
-    if !status.success() {
-        return Err(anyhow::anyhow!("Privilege escalation failed or was denied."));
-    }
-
-    std::process::exit(0);
-}
-
-pub async fn run_client(config: crate::config::ClientConfig) -> Result<()> {
-    #[cfg(target_os = "windows")]
-    if config.mode == "tun" && !is_admin() {
-        println!("[ostp] TUN mode requires administrator privileges. Relaunching...");
-        relaunch_as_admin()?;
-    }
-
-    #[cfg(target_os = "linux")]
-    if config.mode == "tun" && !is_root() {
-        println!("[ostp] TUN mode requires root privileges. Requesting sudo/pkexec elevation...");
-        relaunch_as_root()?;
-    }
-
-    let bg = std::env::args().any(|a| a == "--bg");
-
-    if bg {
-        hide_console();
-    }
-
-    let metrics = Arc::new(BridgeMetrics {
-        bytes_sent: portable_atomic::AtomicU64::new(0),
-        bytes_recv: portable_atomic::AtomicU64::new(0),
-        connection_state: portable_atomic::AtomicU8::new(0),
-        rtt_ms: portable_atomic::AtomicU32::new(0),
-    });
-
-    let (shutdown_tx, shutdown_rx) = watch::channel(false);
-
-    tokio::spawn(async move {
-        if wait_for_shutdown_signal().await.is_ok() {
-            let _ = shutdown_tx.send(true);
-        }
-    });
-
-    run_client_core(config, metrics, shutdown_rx, None).await
-}
-
-pub async fn run_client_core(
-    mut config: crate::config::ClientConfig,
-    metrics: Arc<BridgeMetrics>,
-    mut shutdown_rx_ext: watch::Receiver<bool>,
-    mut config_rx: Option<watch::Receiver<crate::config::ClientConfig>>,
-) -> Result<()> {
-    #[cfg(target_os = "windows")]
-    if config.mode == "tun" && !is_admin() {
-        return Err(anyhow::anyhow!("Administrator privileges are required to initialize TUN mode. Please run the application as Administrator."));
-    }
-
-    #[cfg(target_os = "linux")]
-    if config.mode == "tun" && !is_root() {
-        return Err(anyhow::anyhow!("Root privileges are required to initialize TUN mode on Linux. Please run with sudo."));
-    }
-
-    log_to_core_file(&format!("[core] Starting run_client_core in mode: {}", config.mode));
-
-    // Resolve the server IP before we override system routing and DNS.
-    // This prevents DNS deadlock if the VPN disconnects and tries to reconnect,
-    // and also ensures we add the direct route to the exact IP the bridge connects to.
-    #[allow(unused_mut)]
-    let mut resolved_addrs: Vec<std::net::SocketAddr> = tokio::net::lookup_host(&config.ostp.server_addr)
-        .await
-        .map_err(|e| anyhow::anyhow!("Failed to resolve server address {}: {}", config.ostp.server_addr, e))?
-        .collect();
-        
-
-    let target_addr = resolved_addrs.first()
-        .ok_or_else(|| anyhow::anyhow!("No IP addresses resolved for {}", config.ostp.server_addr))?;
-        
-    log_to_core_file(&format!("[core] Resolved server address to {}", target_addr));
-    config.ostp.server_addr = target_addr.to_string();
-
-
-    #[cfg(target_os = "linux")]
-    if config.mode == "tun" {
-        println!("\n[ostp] ===========================================================================");
-        println!("[ostp] WARNING: You are starting TUN mode on a Linux system.");
-        println!("[ostp] If this is a remote headless server, routing all traffic through the TUN");
-        println!("[ostp] interface WILL DROP your SSH connection and lock you out!");
-        println!("[ostp] ");
-        println!("[ostp] SOLUTION: Add a static route for your client IP to bypass the TUN.");
-        println!("[ostp] Find your default gateway (ip route | grep default) and run:");
-        println!("[ostp]   sudo ip route add <your-client-ip> via <default-gateway-ip>");
-        println!("[ostp] ===========================================================================\n");
-    }
-
-    #[cfg(target_os = "linux")]
-    if config.mode == "proxy" {
-        println!("\n[ostp] ===========================================================================");
-        println!("[ostp] Proxy mode initialized on {}", config.local_proxy.bind_addr);
-        println!("[ostp] ===========================================================================\n");
-    }
-
-    let _sysproxy_guard = if config.mode == "proxy" {
-        // Enable system proxy and set initial ProxyOverride with user exclusions
-        let guard = Some(crate::sysproxy::SystemProxyGuard::enable(&config.local_proxy.bind_addr));
-        crate::sysproxy::update_proxy_bypass_list(
-            &config.exclusions.domains,
-            &config.exclusions.ips,
-        );
-        guard
-    } else {
-        None
-    };
-
-    if config.mode == "tun" && !config.exclusions.processes.is_empty() {
-        println!("[ostp] Process exclusions are not supported in TUN mode");
-    }
-
-    let (proxy_events_tx, proxy_events_rx) = mpsc::channel(256);
-    let (client_msgs_tx, client_msgs_rx) = mpsc::unbounded_channel();
-    
-    // Setup exclusions hot-reload channel
-    let (reload_tx, reload_rx) = watch::channel(config.exclusions.clone());
-
-    let mut bridge = Bridge::new(&config, metrics)?;
-    bridge.reload_tx = Some(reload_tx.clone());
-
-    let (ui_tx, mut ui_rx) = mpsc::channel(512);
-    let (cmd_tx, cmd_rx) = mpsc::channel(128);
-    let (shutdown_tx, shutdown_rx) = watch::channel(false);
-    let proxy_shutdown_rx = shutdown_tx.subscribe();
-
-
-    // Auto-connect on startup
-    let _ = cmd_tx.send(BridgeCommand::ToggleTunnel).await;
-
-    let debug_enabled = config.debug;
-
-    // Headless event logger
-    let cmd_tx_clone = cmd_tx.clone();
-    tokio::spawn(async move {
-        let mut last_status = None;
-        while let Some(msg) = ui_rx.recv().await {
-            match msg {
-                crate::app::UiEvent::Log(text) => {
-                    if debug_enabled || is_essential_log(&text) {
-                        log_to_core_file(&format!("[ostp] {text}"));
-                        println!("[ostp] {text}");
-                    }
-                }
-                crate::app::UiEvent::Metrics { status, rtt_ms, .. } => {
-                    let status_str = status.as_str().to_string();
-                    if last_status != Some(status_str.clone()) {
-                        last_status = Some(status_str.clone());
-                        println!("[ostp] Status: {} (rtt={:.1}ms)", status_str, rtt_ms);
-                    }
-                }
-                crate::app::UiEvent::Traffic { .. } => {}
-                crate::app::UiEvent::ProfileChanged(profile) => {
-                    if debug_enabled {
-                        println!("[ostp] Obfuscation profile: {profile:?}");
-                    }
-                }
-                crate::app::UiEvent::TunnelStopped => {
-                    println!("[ostp] Connection interrupted. Reconnecting in 5 seconds...");
-                    let cmd_tx_inner = cmd_tx_clone.clone();
-                    tokio::spawn(async move {
-                        tokio::time::sleep(tokio::time::Duration::from_secs(5)).await;
-                        let _ = cmd_tx_inner.send(BridgeCommand::ToggleTunnel).await;
-                    });
-                }
-            }
-        }
-    });
-
-    let mut bridge_task = tokio::spawn(async move {
-        bridge.run(ui_tx, cmd_rx, shutdown_rx, proxy_events_rx, client_msgs_tx).await
-    });
-
-    let config_clone = config.clone();
-    let proxy_exclusions_rx = reload_rx.clone();
-    let mut proxy_task = tokio::spawn(async move {
-        tunnel::run_local_proxy(
-            config.local_proxy,
-            config.ostp,
-            proxy_exclusions_rx,
-            config.debug,
-            proxy_shutdown_rx,
-            proxy_events_tx,
-            client_msgs_rx,
-        )
-        .await
-    });
-
-    let wintun_shutdown_rx = shutdown_tx.subscribe();
-    let wintun_exclusions_rx = reload_rx.clone();
-    let mut wintun_task = if config_clone.mode == "tun" {
-        Some(tokio::spawn(async move {
-            tunnel::run_tun_tunnel(config_clone, wintun_shutdown_rx, wintun_exclusions_rx).await
-        }))
-    } else {
-        None
-    };
-
-    // Wait for local_shutdown
-    let mut local_shutdown = shutdown_rx_ext.clone();
-    let cmd_tx_loop = cmd_tx.clone();
-    tokio::spawn(async move {
-        loop {
-            tokio::select! {
-                _ = local_shutdown.changed() => {
-                    if *local_shutdown.borrow() {
-                        let _ = cmd_tx_loop.send(BridgeCommand::Shutdown).await;
-                        break;
-                    }
-                }
-                Some(Ok(_)) = async {
-                    if let Some(ref mut rx) = config_rx {
-                        Some(rx.changed().await)
-                    } else {
-                        std::future::pending().await
-                    }
-                } => {
-                    if let Some(ref rx) = config_rx {
-                        let new_cfg = rx.borrow().clone();
-                        // Update Windows ProxyOverride so excluded domains/IPs
-                        // bypass the system proxy immediately (proxy mode only).
-                        crate::sysproxy::update_proxy_bypass_list(
-                            &new_cfg.exclusions.domains,
-                            &new_cfg.exclusions.ips,
-                        );
-                        let _ = reload_tx.send(new_cfg.exclusions);
-                    }
-                }
-            }
-        }
-    });
-
-    // Wait for either external shutdown OR any task to fail
-    tokio::select! {
-        _ = shutdown_rx_ext.changed() => {
-            let _ = cmd_tx.send(BridgeCommand::Shutdown).await;
-            let _ = shutdown_tx.send(true);
-        }
-        res = &mut bridge_task => {
-            let _ = shutdown_tx.send(true);
-            res.map_err(|e| anyhow::anyhow!("Bridge task panicked: {}", e))??;
-        }
-        res = &mut proxy_task => {
-            let _ = shutdown_tx.send(true);
-            res.map_err(|e| anyhow::anyhow!("Proxy task panicked: {}", e))??;
-        }
-        res = async {
-            if let Some(t) = wintun_task.as_mut() { t.await } else { std::future::pending().await }
-        } => {
-            let _ = shutdown_tx.send(true);
-            res.map_err(|e| anyhow::anyhow!("TUN task panicked: {}", e))??;
-        }
-    }
-
-    // Final cleanup: wait for tasks to finish
-    let _ = bridge_task.await;
-    let _ = proxy_task.await;
-    if let Some(task) = wintun_task {
-        let _ = task.await;
-    }
-
-    Ok(())
-}
-
-#[allow(dead_code)]
-fn format_bytes(bps: u64) -> String {
-    if bps >= 1_000_000 {
-        format!("{:.1}MB", bps as f64 / 1_000_000.0)
-    } else if bps >= 1_000 {
-        format!("{:.1}KB", bps as f64 / 1_000.0)
-    } else {
-        format!("{bps}B")
-    }
-}
-
-fn is_essential_log(text: &str) -> bool {
-    matches!(
-        text,
-        "Connection established"
-            | "TUN tunnel established"
-            | "TUN tunnel stopped"
-            | "Bridge stopped"
-            | "Runtime config reloaded"
-            | "Connecting to remote server..."
-    ) || text.starts_with("Connected to ")
-        || text.starts_with("TURN relay allocated")
-        || text.starts_with("TURN allocation failed")
-        || text.starts_with("Allocating TURN relay")
-        || text.starts_with("Connection failed:")
-        || text.starts_with("Connection lost")
-        || text.starts_with("Protocol tick fatal error")
-}

ostp-client/src/transport/dns.rs

@@ -0,0 +1,104 @@
+use std::sync::Arc;
+use std::time::Duration;
+use bytes::Bytes;
+use tokio::net::UdpSocket;
+use tokio::sync::{mpsc, Mutex};
+use rand::Rng;
+
+pub use ostp_core::dns::{
+    DnsPacket, DnsRecordType, encode_payload_to_domain,
+    decode_domain_to_payload,
+};
+use crate::transport::Transport;
+
+pub async fn start_dns_transport(domain: String, resolver: String, _pubkey: Option<String>) -> std::io::Result<Transport> {
+    let (app_tx, transport_rx) = mpsc::channel::<Bytes>(100);
+    let (transport_tx, app_rx) = mpsc::channel::<Bytes>(100);
+
+    let resolver_addr = if resolver.contains(':') {
+        resolver.clone()
+    } else {
+        format!("{}:53", resolver)
+    };
+
+    let socket = UdpSocket::bind("0.0.0.0:0").await?;
+    socket.connect(&resolver_addr).await?;
+    let socket = Arc::new(socket);
+
+    let sock_rx = socket.clone();
+    let sock_tx = socket;
+    let base_domain = domain.clone();
+
+    // Send task (reads from app, encodes into DNS TXT, sends to UDP socket)
+    tokio::spawn(async move {
+        let mut rx = transport_rx;
+        loop {
+            let data_opt = tokio::select! {
+                res = rx.recv() => res,
+                _ = tokio::time::sleep(Duration::from_secs(2)) => Some(Bytes::new()),
+            };
+            
+            let data = match data_opt {
+                Some(d) => d,
+                None => break, // App closed
+            };
+
+            // Encode data to base32 domain
+            let fqdn = encode_payload_to_domain(&data, &base_domain);
+            let id: u16 = rand::thread_rng().gen();
+            
+            // Randomly choose TXT or NULL for diversity (as requested)
+            let qtype = if rand::thread_rng().gen_bool(0.5) {
+                DnsRecordType::TXT
+            } else {
+                DnsRecordType::NULL
+            };
+
+            let packet = DnsPacket::new_query(id, &fqdn, qtype);
+            let encoded = packet.encode();
+
+            if let Err(e) = sock_tx.send(&encoded).await {
+                tracing::warn!("DNS transport send error: {}", e);
+                break;
+            }
+        }
+    });
+
+    // Receive task (reads from UDP socket, decodes DNS answer, sends to app)
+    let _base_domain_rx = domain.clone();
+    tokio::spawn(async move {
+        let mut buf = vec![0u8; 65535];
+        loop {
+            match sock_rx.recv(&mut buf).await {
+                Ok(n) => {
+                    if let Some(packet) = DnsPacket::decode(&buf[..n]) {
+                        for answer in packet.answers {
+                            if answer.rtype == DnsRecordType::TXT || answer.rtype == DnsRecordType::NULL {
+                                // If it's a TXT record, the response might be base32 encoded payload?
+                                // Actually, dnstt puts the payload in the TXT/NULL record data.
+                                // We'll just assume the rdata is the raw payload, or base32 encoded if it was sent as such.
+                                // Let's just pass the raw data (TXT strings are decoded in DnsPacket::decode)
+                                
+                                // Wait, dnstt server responds with raw bytes in NULL, and base32/chunked strings in TXT.
+                                // Our `DnsPacket::decode` already handles extracting TXT string bytes or NULL raw bytes into `rdata`.
+                                // Let's just send `rdata` to the app.
+                                if transport_tx.send(Bytes::from(answer.rdata)).await.is_err() {
+                                    return; // App closed
+                                }
+                            }
+                        }
+                    }
+                }
+                Err(e) => {
+                    tracing::warn!("DNS transport recv error: {}", e);
+                    break;
+                }
+            }
+        }
+    });
+
+    Ok(Transport::Dns {
+        tx: app_tx,
+        rx: Arc::new(Mutex::new(app_rx)),
+    })
+}

ostp-client/src/transport/mod.rs

@@ -1,4 +1,4 @@
-
+pub mod dns;
 use std::sync::Arc;
 use tokio::net::UdpSocket;
 use bytes::Bytes;
@@ -9,6 +9,10 @@ pub enum Transport {
     Uot {
         tx: tokio::sync::mpsc::Sender<Bytes>,
         rx: Arc<tokio::sync::Mutex<tokio::sync::mpsc::Receiver<Bytes>>>,
+    },
+    Dns {
+        tx: tokio::sync::mpsc::Sender<Bytes>,
+        rx: Arc<tokio::sync::Mutex<tokio::sync::mpsc::Receiver<Bytes>>>,
     }
 }
 
@@ -16,8 +20,8 @@ impl Transport {
     pub async fn send(&self, frame: &Bytes) -> std::io::Result<usize> {
         match self {
             Self::Udp(sock) => sock.send(frame).await,
-            Self::Uot { tx, .. } => {
-                tx.send(frame.clone()).await.map_err(|_| std::io::Error::new(std::io::ErrorKind::BrokenPipe, "uot closed"))?;
+            Self::Uot { tx, .. } | Self::Dns { tx, .. } => {
+                tx.send(frame.clone()).await.map_err(|_| std::io::Error::new(std::io::ErrorKind::BrokenPipe, "channel closed"))?;
                 Ok(frame.len())
             }
         }
@@ -26,14 +30,14 @@ impl Transport {
     pub async fn send_to(&self, frame: &Bytes, target: std::net::SocketAddr) -> std::io::Result<usize> {
         match self {
             Self::Udp(sock) => sock.send_to(frame, target).await,
-            Self::Uot { .. } => self.send(frame).await,
+            Self::Uot { .. } | Self::Dns { .. } => self.send(frame).await,
         }
     }
 
     pub async fn recv(&self, buf: &mut [u8]) -> std::io::Result<usize> {
         match self {
             Self::Udp(sock) => sock.recv(buf).await,
-            Self::Uot { rx, .. } => {
+            Self::Uot { rx, .. } | Self::Dns { rx, .. } => {
                 let mut rx = rx.lock().await;
                 match rx.recv().await {
                     Some(bytes) => {
@@ -41,7 +45,7 @@ impl Transport {
                         buf[..len].copy_from_slice(&bytes[..len]);
                         Ok(len)
                     }
-                    None => Err(std::io::Error::new(std::io::ErrorKind::BrokenPipe, "uot closed")),
+                    None => Err(std::io::Error::new(std::io::ErrorKind::BrokenPipe, "channel closed")),
                 }
             }
         }
@@ -50,7 +54,7 @@ impl Transport {
     pub fn local_addr(&self) -> std::io::Result<std::net::SocketAddr> {
         match self {
             Self::Udp(sock) => sock.local_addr(),
-            Self::Uot { .. } => Ok("0.0.0.0:0".parse().unwrap()),
+            Self::Uot { .. } | Self::Dns { .. } => Ok("0.0.0.0:0".parse().unwrap()),
         }
     }
 }

ostp-client/src/tunnel/balancer.rs

@@ -1,6 +1,5 @@
 use crate::config::{ClientConfig, OutboundConfig};
 use std::collections::HashMap;
-use std::sync::Arc;
 
 pub struct Balancer {
     outbounds: HashMap<String, OutboundConfig>,
@@ -60,6 +59,7 @@ impl Balancer {
     /// Fetches the config for a concrete outbound
     pub fn get_concrete_outbound(&self, tag: &str) -> Option<&OutboundConfig> {
         let resolved_tag = self.resolve_outbound(tag);
+        tracing::debug!("Balancer: tag '{}' resolved to '{}'", tag, resolved_tag);
         self.outbounds.get(&resolved_tag)
     }
 }

ostp-client/src/tunnel/inbounds/local_proxy.rs

@@ -14,13 +14,20 @@ pub async fn run_socks_inbound(
     outbound_manager: Arc<OutboundManager>,
     mut shutdown: watch::Receiver<bool>,
 ) -> Result<()> {
-    let InboundConfig::LocalProxy { tag, protocol, listen, port } = inbound_config else {
+    let InboundConfig::LocalProxy { tag, protocol, listen, port, set_system_proxy } = inbound_config else {
         return Err(anyhow!("Invalid config for LocalProxy inbound"));
     };
 
     let bind_addr = format!("{}:{}", listen, port);
     tracing::info!("Starting {} proxy inbound on {} (tag: {})", protocol, bind_addr, tag);
 
+    let _proxy_guard = if set_system_proxy {
+        let proxy_host = if listen == "0.0.0.0" { "127.0.0.1" } else { &listen };
+        Some(crate::sysproxy::SystemProxyGuard::enable(&format!("{}:{}", proxy_host, port)))
+    } else {
+        None
+    };
+
     let listener = TcpListener::bind(&bind_addr).await?;
 
     loop {
@@ -85,7 +92,7 @@ async fn handle_socks5_connection(
     }
     
     let atyp = buf[3];
-    let (target_host, mut ip_addr) = match atyp {
+    let (target_host, ip_addr) = match atyp {
         0x01 => { // IPv4
             stream.read_exact(&mut buf[0..4]).await?;
             let ip = std::net::Ipv4Addr::new(buf[0], buf[1], buf[2], buf[3]);

ostp-client/src/tunnel/inbounds/tun.rs

@@ -1,6 +1,7 @@
 use anyhow::{anyhow, Result};
 use std::sync::Arc;
 use crate::config::{ClientConfig, InboundConfig};
+#[allow(unused_imports)]
 use crate::tunnel::router::{Router, Session};
 use crate::tunnel::outbounds::OutboundManager;
 use tokio::sync::watch;
@@ -13,7 +14,7 @@ pub async fn run_tun_inbound(
     outbound_manager: Arc<OutboundManager>,
     mut shutdown: watch::Receiver<bool>,
 ) -> Result<()> {
-    use std::net::ToSocketAddrs;
+    
     use netstack_smoltcp::StackBuilder;
     use tokio::io::{AsyncReadExt, AsyncWriteExt};
     use futures::{StreamExt, SinkExt};
@@ -51,11 +52,11 @@ pub async fn run_tun_inbound(
         }
     }
 
-    // Build smoltcp network stack
+    // Build smoltcp network stack with proper buffer sizes for throughput
     let (stack, tcp_runner, udp_socket, tcp_listener) = StackBuilder::default()
-        .stack_buffer_size(1024)
-        .tcp_buffer_size(1024)
-        .udp_buffer_size(1024)
+        .stack_buffer_size(65536)   // 64KB for packet accumulation
+        .tcp_buffer_size(131072)    // 128KB for TCP streams
+        .udp_buffer_size(65536)     // 64KB for UDP datagrams
         .enable_tcp(true)
         .enable_udp(true)
         .mtu(mtu)
@@ -72,7 +73,7 @@ pub async fn run_tun_inbound(
     #[allow(unused_variables)]
     let mut _route_guard = None;
 
-    let (mut tun_to_stack, mut stack_to_tun) = {
+    let (tun_to_stack, stack_to_tun) = {
         #[cfg(target_os = "android")]
         {
             if let Some(fd) = fd {
@@ -183,7 +184,7 @@ pub async fn run_tun_inbound(
     let router_tcp = router.clone();
     let tag_tcp = tag.clone();
     
-    let mut tcp_accept_task = tokio::spawn(async move {
+    let tcp_accept_task = tokio::spawn(async move {
         let Some(mut listener) = tcp_listener else { return; };
         while let Some((mut stream, local, remote)) = listener.next().await {
             let om = outbound_manager_tcp.clone();
@@ -249,7 +250,7 @@ pub async fn run_tun_inbound(
     let router_udp = router.clone();
     let tag_udp = tag.clone();
     
-    let mut udp_proxy_task = tokio::spawn(async move {
+    let udp_proxy_task = tokio::spawn(async move {
         if let Some(udp_sock) = udp_socket {
             let (mut udp_rx, _udp_tx) = udp_sock.split();
             while let Some((payload, local, remote)) = udp_rx.next().await {

ostp-client/src/tunnel/outbounds/direct.rs

@@ -66,7 +66,7 @@ pub fn bind_socket_to_interface(socket: &tokio::net::TcpSocket, _is_ipv6: bool,
     Ok(())
 }
 
-pub async fn dial_tcp(target_host: &str, target_port: u16, phys_if_idx: Option<u32>) -> Result<TcpStream> {
+pub async fn dial_tcp(target_host: &str, target_port: u16, _phys_if_idx: Option<u32>) -> Result<TcpStream> {
     let addrs = tokio::net::lookup_host((target_host, target_port)).await?.collect::<Vec<_>>();
     if addrs.is_empty() {
         return Err(anyhow!("Could not resolve target host: {}", target_host));
@@ -79,7 +79,7 @@ pub async fn dial_tcp(target_host: &str, target_port: u16, phys_if_idx: Option<u
     };
 
     #[cfg(target_os = "windows")]
-    if let Some(idx) = phys_if_idx {
+    if let Some(idx) = _phys_if_idx {
         if let Err(e) = bind_socket_to_interface(&socket, target_addr.is_ipv6(), idx) {
             tracing::warn!("DIRECT: Failed to bind to physical interface {}: {}", idx, e);
         }

ostp-client/src/tunnel/outbounds/mod.rs

@@ -1,6 +1,5 @@
 use anyhow::{anyhow, Result};
 use std::sync::Arc;
-use tokio::net::TcpStream;
 use crate::tunnel::balancer::Balancer;
 use crate::config::OutboundConfig;
 
@@ -12,7 +11,7 @@ pub mod socks;
 pub struct OutboundManager {
     balancer: Arc<Balancer>,
     phys_if_index: Option<u32>,
-    phys_if_name: Option<String>,
+    _phys_if_name: Option<String>,
 }
 
 impl OutboundManager {
@@ -24,7 +23,7 @@ impl OutboundManager {
         Self {
             balancer,
             phys_if_index,
-            phys_if_name,
+            _phys_if_name: phys_if_name,
         }
     }
 
@@ -40,7 +39,7 @@ impl OutboundManager {
                 block::dial_tcp(target_host, target_port).await
             }
             OutboundConfig::Ostp { server, port, access_key, transport, multiplex, .. } => {
-                ostp::dial_tcp(server, *port, access_key, transport, multiplex).await
+                ostp::dial_tcp(target_host, target_port, server, *port, access_key, transport, multiplex).await
             }
             OutboundConfig::Socks { server, port, .. } => {
                 socks::dial_tcp(target_host, target_port, server, *port).await

ostp-client/src/tunnel/outbounds/ostp.rs

@@ -1,57 +1,185 @@
-use anyhow::{anyhow, Result};
+use anyhow::Result;
 use tokio::net::TcpStream;
 use crate::config::{TransportConfig, MultiplexConfig};
 
-use ostp_core::{NoiseRole, OstpEvent, ProtocolAction, ProtocolConfig, ProtocolMachine};
+use ostp_core::{OstpEvent, ProtocolAction, ProtocolConfig, ProtocolMachine};
 use tokio::io::{AsyncReadExt, AsyncWriteExt};
-use tokio::net::UdpSocket;
+
+/// Build the handshake payload the server expects:
+/// [timestamp_u64_be (8 bytes)] [session_id_u32_be (4 bytes)] [access_key bytes]
+fn build_handshake_payload(session_id: u32, access_key: &str) -> Vec<u8> {
+    let ts = std::time::SystemTime::now()
+        .duration_since(std::time::UNIX_EPOCH)
+        .unwrap_or_default()
+        .as_secs();
+    let mut payload = Vec::with_capacity(12 + access_key.len());
+    payload.extend_from_slice(&ts.to_be_bytes());
+    payload.extend_from_slice(&session_id.to_be_bytes());
+    payload.extend_from_slice(access_key.as_bytes());
+    payload
+}
+
+/// Build a correctly configured ProtocolConfig for an outgoing OSTP connection.
+fn make_initiator_config(
+    session_id: u32,
+    access_key: &str,
+    transport_cfg: &TransportConfig,
+) -> ProtocolConfig {
+    let secrets = ostp_core::crypto::derive_all_secrets(access_key.as_bytes());
+    let payload = build_handshake_payload(session_id, access_key);
+    
+    let mtu = match transport_cfg.r#type.as_str() {
+        "dns" => 1100,
+        _ => 1350,
+    };
+
+    ProtocolConfig {
+        role: ostp_core::NoiseRole::Initiator,
+        psk: secrets.psk,
+        session_id,
+        handshake_payload: payload,
+        max_padding: 256,
+        padding_strategy: ostp_core::framing::PaddingStrategy::Adaptive,
+        obfuscation_key: secrets.obfuscation_key,
+        max_reorder: 16384,
+        max_reorder_buffer: 8192,
+        ack_delay_ms: 5,
+        rto_ms: 100,
+        max_retries: 8,
+        max_sent_history: 32768,
+        handshake_pad_min: secrets.handshake_pad_min,
+        handshake_pad_max: secrets.handshake_pad_max,
+        mtu,
+    }
+}
+
+fn random_session_id() -> u32 {
+    use std::collections::hash_map::DefaultHasher;
+    use std::hash::{Hash, Hasher};
+    let mut h = DefaultHasher::new();
+    std::time::Instant::now().hash(&mut h);
+    std::thread::current().id().hash(&mut h);
+    h.finish() as u32
+}
 
 pub async fn dial_tcp(
+    target_host: &str,
+    target_port: u16,
     server: &str,
     port: u16,
     access_key: &str,
-    _transport: &TransportConfig,
+    transport_cfg: &TransportConfig,
     _multiplex: &MultiplexConfig,
 ) -> Result<TcpStream> {
+    tracing::info!("Dialing OSTP server {}:{} for target {}:{}", server, port, target_host, target_port);
     let listener = tokio::net::TcpListener::bind("127.0.0.1:0").await?;
     let local_addr = listener.local_addr()?;
     let client_stream = tokio::net::TcpStream::connect(local_addr).await?;
     let (mut server_stream, _) = listener.accept().await?;
 
-    let udp = tokio::net::UdpSocket::bind("0.0.0.0:0").await?;
-    udp.connect((server, port)).await?;
-    
-    let mut psk = [0u8; 32];
-    let key_bytes = access_key.as_bytes();
-    let len = key_bytes.len().min(32);
-    psk[..len].copy_from_slice(&key_bytes[..len]);
-    
-    let config = ProtocolConfig {
-        role: ostp_core::NoiseRole::Initiator,
-        psk,
-        session_id: 1,
-        handshake_payload: vec![],
-        max_padding: 0,
-        padding_strategy: ostp_core::framing::PaddingStrategy::Fixed(0),
-        obfuscation_key: [0; 8],
-        max_reorder: 16384,
-        max_reorder_buffer: 8192,
-        ack_delay_ms: 10,
-        rto_ms: 100,
-        max_retries: 5,
-        max_sent_history: 32768,
-        handshake_pad_min: 8,
-        handshake_pad_max: 24,
-        mtu: 1400,
-    };
+    let transport = make_transport(transport_cfg, server, port).await?;
 
+    let session_id = random_session_id();
+    let config = make_initiator_config(session_id, access_key, transport_cfg);
     let mut machine = ProtocolMachine::new(config).unwrap();
 
+    let target_host_str = target_host.to_string();
+
+        let server_str = server.to_string();
+        
         // Spawn bridge task
         tokio::spawn(async move {
+            // Send initial handshake
             if let Ok(action) = machine.on_event(OstpEvent::Start) {
-            handle_action(action, &udp, &mut server_stream).await;
+                handle_action(action, &transport, &mut server_stream).await;
             }
+    
+            // Wait for handshake response (server sends HandshakePayload back)
+            let mut buf = [0u8; 8192];
+            let mut handshake_success = false;
+            match tokio::time::timeout(
+                std::time::Duration::from_millis(15000),
+                transport.recv(&mut buf),
+            ).await {
+                Ok(Ok(n)) => {
+                    if let Ok(action) = machine.on_event(OstpEvent::Inbound(bytes::Bytes::copy_from_slice(&buf[..n]))) {
+                        handle_action(action, &transport, &mut server_stream).await;
+                        handshake_success = true;
+                    }
+                }
+                _ => {
+                    tracing::warn!("OSTP handshake timeout for {}:{}", server_str, port);
+                    return;
+                }
+            }
+
+        if !handshake_success {
+            tracing::warn!("TCP handshake failed or protocol machine error");
+            return;
+        }
+
+        // Send connection request
+        let connect_msg = ostp_core::relay::RelayMessage::Connect(format!("{}:{}", target_host_str, target_port));
+        let connect_encoded = connect_msg.encode();
+        if let Ok(action) = machine.on_event(OstpEvent::Outbound(1, bytes::Bytes::from(connect_encoded))) {
+            handle_action(action, &transport, &mut server_stream).await;
+        }
+
+        // ── Wait for ConnectOk before forwarding any data ─────────────────
+        // This is critical: if we enter the data loop immediately, the TLS
+        // ClientHello arrives at the server before it has established the
+        // outbound TCP connection, causing it to drop the packet as
+        // "Relay DATA for unknown stream".
+        // The kernel will buffer incoming data from server_stream while we wait.
+        let mut connect_ok = false;
+        match tokio::time::timeout(
+            std::time::Duration::from_secs(30),
+            async {
+                let mut wait_buf = [0u8; 8192];
+                loop {
+                    tokio::select! {
+                        Ok(n) = transport.recv(&mut wait_buf) => {
+                            if let Ok(action) = machine.on_event(OstpEvent::Inbound(
+                                bytes::Bytes::copy_from_slice(&wait_buf[..n]),
+                            )) {
+                                // Check for ConnectOk or Error before dispatching
+                                let result = check_connect_result(&action);
+                                handle_action(action, &transport, &mut server_stream).await;
+                                match result {
+                                    Some(true) => return true,
+                                    Some(false) => return false,
+                                    None => {}
+                                }
+                            }
+                        }
+                        _ = tokio::time::sleep(std::time::Duration::from_millis(10)) => {
+                            if let Ok(action) = machine.on_event(OstpEvent::Tick) {
+                                handle_action(action, &transport, &mut server_stream).await;
+                            }
+                        }
+                    }
+                }
+            },
+        )
+        .await
+        {
+            Ok(true) => {
+                tracing::debug!("ConnectOk received for {}:{}, starting data forwarding", target_host_str, target_port);
+                connect_ok = true;
+            }
+            Ok(false) => {
+                tracing::warn!("Server refused connection to {}:{}", target_host_str, target_port);
+            }
+            Err(_) => {
+                tracing::warn!("ConnectOk timeout for {}:{}", target_host_str, target_port);
+            }
+        }
+
+        if !connect_ok {
+            return;
+        }
+
+        // ── Main bidirectional data forwarding loop ───────────────────────
         let mut buf = [0u8; 65535];
         let mut udp_buf = [0u8; 65535];
 
@@ -59,57 +187,205 @@ pub async fn dial_tcp(
             tokio::select! {
                 Ok(n) = server_stream.read(&mut buf) => {
                     if n == 0 { break; }
-                    if let Ok(action) = machine.on_event(OstpEvent::Outbound(1, bytes::Bytes::copy_from_slice(&buf[..n]))) {
-                        handle_action(action, &udp, &mut server_stream).await;
+                    let data_msg = ostp_core::relay::RelayMessage::Data(buf[..n].to_vec());
+                    let encoded = data_msg.encode();
+                    if let Ok(action) = machine.on_event(OstpEvent::Outbound(1, bytes::Bytes::from(encoded))) {
+                        handle_action(action, &transport, &mut server_stream).await;
                     }
                 }
-                Ok(n) = udp.recv(&mut udp_buf) => {
+                Ok(n) = transport.recv(&mut udp_buf) => {
                     if let Ok(action) = machine.on_event(OstpEvent::Inbound(bytes::Bytes::copy_from_slice(&udp_buf[..n]))) {
-                        handle_action(action, &udp, &mut server_stream).await;
+                        handle_action(action, &transport, &mut server_stream).await;
                     }
                 }
                 _ = tokio::time::sleep(std::time::Duration::from_millis(10)) => {
                     if let Ok(action) = machine.on_event(OstpEvent::Tick) {
-                        handle_action(action, &udp, &mut server_stream).await;
+                        handle_action(action, &transport, &mut server_stream).await;
                     }
                 }
             }
         }
     });
 
+
     Ok(client_stream)
 }
 
 pub async fn handle_udp(
-    _client_src: std::net::SocketAddr,
-    _target_dst: std::net::SocketAddr,
-    _payload: bytes::Bytes,
-    _server: &str,
-    _port: u16,
-    _access_key: &str,
-    _transport: &TransportConfig,
+    client_src: std::net::SocketAddr,
+    target_dst: std::net::SocketAddr,
+    payload: bytes::Bytes,
+    server: &str,
+    port: u16,
+    access_key: &str,
+    transport_cfg: &TransportConfig,
     _multiplex: &MultiplexConfig,
 ) -> Result<()> {
-    Err(anyhow!("OSTP UDP handler not yet fully migrated"))
+    let transport = make_transport(transport_cfg, server, port).await?;
+
+    // Derive session_id from client source addr for stable per-flow sessions
+    let ip_bytes = match client_src.ip() {
+        std::net::IpAddr::V4(v4) => {
+            let o = v4.octets();
+            u32::from_be_bytes(o)
+        }
+        std::net::IpAddr::V6(v6) => {
+            let o = v6.octets();
+            u32::from_be_bytes([o[12], o[13], o[14], o[15]])
+        }
+    };
+    let session_id = ip_bytes ^ (client_src.port() as u32);
+
+    let config = make_initiator_config(session_id, access_key, transport_cfg);
+    let mut machine = ProtocolMachine::new(config)?;
+
+    // Send handshake first
+    if let Ok(action) = machine.on_event(OstpEvent::Start) {
+        handle_udp_action(action, &transport).await;
+    }
+
+    // Wait for handshake response (server sends HandshakePayload back)
+    let mut buf = [0u8; 8192];
+    match tokio::time::timeout(
+        std::time::Duration::from_millis(15000),
+        transport.recv(&mut buf),
+    ).await {
+        Ok(Ok(n)) => {
+            let _ = machine.on_event(OstpEvent::Inbound(bytes::Bytes::copy_from_slice(&buf[..n])));
+        }
+        _ => {
+            tracing::warn!("OSTP handshake timeout for {}:{}", server, port);
+            return Ok(());
+        }
+    }
+
+    // Send relay UdpAssociate + data
+    let assoc_msg = ostp_core::relay::RelayMessage::UdpAssociate;
+    let encoded = assoc_msg.encode();
+    if let Ok(action) = machine.on_event(OstpEvent::Outbound(1, bytes::Bytes::from(encoded))) {
+        handle_udp_action(action, &transport).await;
+    }
+
+    let data_msg = ostp_core::relay::RelayMessage::UdpData(
+        format!("{}:{}", target_dst.ip(), target_dst.port()),
+        payload.to_vec()
+    );
+    let encoded = data_msg.encode();
+    if let Ok(action) = machine.on_event(OstpEvent::Outbound(1, bytes::Bytes::from(encoded))) {
+        handle_udp_action(action, &transport).await;
+    }
+
+    // Keep-alive for a short time to receive response
+    for _ in 0..5 {
+        match tokio::time::timeout(
+            std::time::Duration::from_millis(100),
+            transport.recv(&mut buf),
+        ).await {
+            Ok(Ok(n)) => {
+                if let Ok(action) = machine.on_event(OstpEvent::Inbound(bytes::Bytes::copy_from_slice(&buf[..n]))) {
+                    // Just process incoming UDP response internally
+                    let _ = action;
+                }
+            }
+            _ => break,
+        }
+    }
+
+    Ok(())
 }
 
-async fn handle_action(action: ProtocolAction, udp: &UdpSocket, server_stream: &mut tokio::net::TcpStream) {
+async fn make_transport(
+    transport_cfg: &TransportConfig,
+    server: &str,
+    port: u16,
+) -> Result<crate::transport::Transport> {
+    match transport_cfg.r#type.as_str() {
+        "dns" => {
+            let domain = transport_cfg.domain.clone()
+                .unwrap_or_else(|| "tunnel.example.com".to_string());
+            let resolver = transport_cfg.resolver.clone()
+                .unwrap_or_else(|| server.to_string());
+            let transport = crate::transport::dns::start_dns_transport(domain, resolver, transport_cfg.pubkey.clone()).await
+                .map_err(|e| anyhow::anyhow!(e))?;
+            Ok(transport)
+        }
+        _ => {
+            let udp = tokio::net::UdpSocket::bind("0.0.0.0:0").await?;
+            udp.connect((server, port)).await?;
+            Ok(crate::transport::Transport::Udp(std::sync::Arc::new(udp)))
+        }
+    }
+}
+
+async fn handle_udp_action(action: ProtocolAction, transport: &crate::transport::Transport) {
     match action {
         ProtocolAction::SendDatagram(data) => {
-            let _ = udp.send(&data).await;
-        }
-        ProtocolAction::DeliverApp(_stream_id, payload) => {
-            let _ = server_stream.write_all(&payload).await;
+            let _ = transport.send(&data).await;
         }
         ProtocolAction::Multiple(actions) => {
             for a in actions {
-                match a {
-                    ProtocolAction::SendDatagram(data) => { let _ = udp.send(&data).await; }
-                    ProtocolAction::DeliverApp(_stream_id, payload) => { let _ = server_stream.write_all(&payload).await; }
-                    _ => {}
+                if let ProtocolAction::SendDatagram(data) = a {
+                    let _ = transport.send(&data).await;
                 }
             }
         }
         _ => {}
     }
 }
+
+async fn handle_action(action: ProtocolAction, transport: &crate::transport::Transport, server_stream: &mut tokio::net::TcpStream) {
+    match action {
+        ProtocolAction::SendDatagram(data) => {
+            let _ = transport.send(&data).await;
+        }
+        ProtocolAction::DeliverApp(_stream_id, payload) => {
+            if let Ok(msg) = ostp_core::relay::RelayMessage::decode(&payload) {
+                match msg {
+                    ostp_core::relay::RelayMessage::Data(data) => {
+                        let _ = server_stream.write_all(&data).await;
+                    }
+                    ostp_core::relay::RelayMessage::ConnectOk => {
+                        tracing::debug!("TCP Connection established successfully");
+                    }
+                    ostp_core::relay::RelayMessage::Error(err) => {
+                        tracing::warn!("Server returned TCP connection error: {}", err);
+                    }
+                    _ => {}
+                }
+            }
+        }
+        ProtocolAction::Multiple(actions) => {
+            for a in actions {
+                Box::pin(handle_action(a, transport, server_stream)).await;
+            }
+        }
+        _ => {}
+    }
+}
+
+/// Inspect a ProtocolAction for ConnectOk / Error relay messages.
+/// Returns Some(true) on ConnectOk, Some(false) on Error, None if neither.
+/// Works recursively through Multiple actions.
+fn check_connect_result(action: &ProtocolAction) -> Option<bool> {
+    match action {
+        ProtocolAction::DeliverApp(_stream_id, payload) => {
+            if let Ok(msg) = ostp_core::relay::RelayMessage::decode(payload) {
+                match msg {
+                    ostp_core::relay::RelayMessage::ConnectOk => return Some(true),
+                    ostp_core::relay::RelayMessage::Error(_) => return Some(false),
+                    _ => {}
+                }
+            }
+            None
+        }
+        ProtocolAction::Multiple(actions) => {
+            for a in actions {
+                if let Some(result) = check_connect_result(a) {
+                    return Some(result);
+                }
+            }
+            None
+        }
+        _ => None,
+    }
+}

ostp-client/src/tunnel/process_lookup.rs

@@ -126,7 +126,6 @@ pub fn get_process_name_from_port(port: u16) -> Option<String> {
     use std::fs;
     use std::io::{BufRead, BufReader};
 
-    let mut target_inode = None;
     let hex_port = format!("{:04X}", port);
 
     let check_net_file = |path: &str| -> Option<u64> {
@@ -146,12 +145,11 @@ pub fn get_process_name_from_port(port: u16) -> Option<String> {
         None
     };
 
-    target_inode = check_net_file("/proc/net/tcp")
+    let target_inode = check_net_file("/proc/net/tcp")
         .or_else(|| check_net_file("/proc/net/tcp6"))
         .or_else(|| check_net_file("/proc/net/udp"))
-        .or_else(|| check_net_file("/proc/net/udp6"));
+        .or_else(|| check_net_file("/proc/net/udp6"))?;
 
-    let target_inode = target_inode?;
     let socket_str = format!("socket:[{}]", target_inode);
 
     for entry in fs::read_dir("/proc").ok()?.filter_map(Result::ok) {

ostp-client/src/tunnel/router.rs

@@ -47,10 +47,10 @@ impl Router {
         if let Some(domains) = &rule.domain_suffix {
             let mut domain_match = false;
             if let Some(sni) = &session.sni {
-                let sni = sni.to_lowercase();
+                let sni_lower = sni.to_lowercase();
                 domain_match = domains.iter().any(|d| {
-                    let d = d.to_lowercase();
-                    sni == d || sni.ends_with(&format!(".{}", d))
+                    let d_lower = d.to_lowercase();
+                    sni_lower == d_lower || sni_lower.ends_with(&format!(".{}", d_lower))
                 });
             }
             if !domain_match {
@@ -63,8 +63,11 @@ impl Router {
         if let Some(processes) = &rule.process_name {
             let mut proc_match = false;
             if let Some(proc) = &session.process_name {
-                let proc = proc.to_lowercase();
-                proc_match = processes.iter().any(|p| proc.contains(&p.to_lowercase()));
+                let proc_lower = proc.to_lowercase();
+                proc_match = processes.iter().any(|p| {
+                    let p_lower = p.to_lowercase();
+                    proc_lower.contains(&p_lower)
+                });
             }
             if !proc_match {
                 return false;

ostp-control/dist/icons.svg

@@ -0,0 +1,24 @@
+<svg xmlns="http://www.w3.org/2000/svg">
+  <symbol id="bluesky-icon" viewBox="0 0 16 17">
+    <g clip-path="url(#bluesky-clip)"><path fill="#08060d" d="M7.75 7.735c-.693-1.348-2.58-3.86-4.334-5.097-1.68-1.187-2.32-.981-2.74-.79C.188 2.065.1 2.812.1 3.251s.241 3.602.398 4.13c.52 1.744 2.367 2.333 4.07 2.145-2.495.37-4.71 1.278-1.805 4.512 3.196 3.309 4.38-.71 4.987-2.746.608 2.036 1.307 5.91 4.93 2.746 2.72-2.746.747-4.143-1.747-4.512 1.702.189 3.55-.4 4.07-2.145.156-.528.397-3.691.397-4.13s-.088-1.186-.575-1.406c-.42-.19-1.06-.395-2.741.79-1.755 1.24-3.64 3.752-4.334 5.099"/></g>
+    <defs><clipPath id="bluesky-clip"><path fill="#fff" d="M.1.85h15.3v15.3H.1z"/></clipPath></defs>
+  </symbol>
+  <symbol id="discord-icon" viewBox="0 0 20 19">
+    <path fill="#08060d" d="M16.224 3.768a14.5 14.5 0 0 0-3.67-1.153c-.158.286-.343.67-.47.976a13.5 13.5 0 0 0-4.067 0c-.128-.306-.317-.69-.476-.976A14.4 14.4 0 0 0 3.868 3.77C1.546 7.28.916 10.703 1.231 14.077a14.7 14.7 0 0 0 4.5 2.306q.545-.748.965-1.587a9.5 9.5 0 0 1-1.518-.74q.191-.14.372-.293c2.927 1.369 6.107 1.369 8.999 0q.183.152.372.294-.723.437-1.52.74.418.838.963 1.588a14.6 14.6 0 0 0 4.504-2.308c.37-3.911-.63-7.302-2.644-10.309m-9.13 8.234c-.878 0-1.599-.82-1.599-1.82 0-.998.705-1.82 1.6-1.82.894 0 1.614.82 1.599 1.82.001 1-.705 1.82-1.6 1.82m5.91 0c-.878 0-1.599-.82-1.599-1.82 0-.998.705-1.82 1.6-1.82.893 0 1.614.82 1.599 1.82 0 1-.706 1.82-1.6 1.82"/>
+  </symbol>
+  <symbol id="documentation-icon" viewBox="0 0 21 20">
+    <path fill="none" stroke="#aa3bff" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.35" d="m15.5 13.333 1.533 1.322c.645.555.967.833.967 1.178s-.322.623-.967 1.179L15.5 18.333m-3.333-5-1.534 1.322c-.644.555-.966.833-.966 1.178s.322.623.966 1.179l1.534 1.321"/>
+    <path fill="none" stroke="#aa3bff" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.35" d="M17.167 10.836v-4.32c0-1.41 0-2.117-.224-2.68-.359-.906-1.118-1.621-2.08-1.96-.599-.21-1.349-.21-2.848-.21-2.623 0-3.935 0-4.983.369-1.684.591-3.013 1.842-3.641 3.428C3 6.449 3 7.684 3 10.154v2.122c0 2.558 0 3.838.706 4.726q.306.383.713.671c.76.536 1.79.64 3.581.66"/>
+    <path fill="none" stroke="#aa3bff" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.35" d="M3 10a2.78 2.78 0 0 1 2.778-2.778c.555 0 1.209.097 1.748-.047.48-.129.854-.503.982-.982.145-.54.048-1.194.048-1.749a2.78 2.78 0 0 1 2.777-2.777"/>
+  </symbol>
+  <symbol id="github-icon" viewBox="0 0 19 19">
+    <path fill="#08060d" fill-rule="evenodd" d="M9.356 1.85C5.05 1.85 1.57 5.356 1.57 9.694a7.84 7.84 0 0 0 5.324 7.44c.387.079.528-.168.528-.376 0-.182-.013-.805-.013-1.454-2.165.467-2.616-.935-2.616-.935-.349-.91-.864-1.143-.864-1.143-.71-.48.051-.48.051-.48.787.051 1.2.805 1.2.805.695 1.194 1.817.857 2.268.649.064-.507.27-.857.49-1.052-1.728-.182-3.545-.857-3.545-3.87 0-.857.31-1.558.8-2.104-.078-.195-.349-1 .077-2.078 0 0 .657-.208 2.14.805a7.5 7.5 0 0 1 1.946-.26c.657 0 1.328.092 1.946.26 1.483-1.013 2.14-.805 2.14-.805.426 1.078.155 1.883.078 2.078.502.546.799 1.247.799 2.104 0 3.013-1.818 3.675-3.558 3.87.284.247.528.714.528 1.454 0 1.052-.012 1.896-.012 2.156 0 .208.142.455.528.377a7.84 7.84 0 0 0 5.324-7.441c.013-4.338-3.48-7.844-7.773-7.844" clip-rule="evenodd"/>
+  </symbol>
+  <symbol id="social-icon" viewBox="0 0 20 20">
+    <path fill="none" stroke="#aa3bff" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.35" d="M12.5 6.667a4.167 4.167 0 1 0-8.334 0 4.167 4.167 0 0 0 8.334 0"/>
+    <path fill="none" stroke="#aa3bff" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.35" d="M2.5 16.667a5.833 5.833 0 0 1 8.75-5.053m3.837.474.513 1.035c.07.144.257.282.414.309l.93.155c.596.1.736.536.307.965l-.723.73a.64.64 0 0 0-.152.531l.207.903c.164.715-.213.991-.84.618l-.872-.52a.63.63 0 0 0-.577 0l-.872.52c-.624.373-1.003.094-.84-.618l.207-.903a.64.64 0 0 0-.152-.532l-.723-.729c-.426-.43-.289-.864.306-.964l.93-.156a.64.64 0 0 0 .412-.31l.513-1.034c.28-.562.735-.562 1.012 0"/>
+  </symbol>
+  <symbol id="x-icon" viewBox="0 0 19 19">
+    <path fill="#08060d" fill-rule="evenodd" d="M1.893 1.98c.052.072 1.245 1.769 2.653 3.77l2.892 4.114c.183.261.333.48.333.486s-.068.089-.152.183l-.522.593-.765.867-3.597 4.087c-.375.426-.734.834-.798.905a1 1 0 0 0-.118.148c0 .01.236.017.664.017h.663l.729-.83c.4-.457.796-.906.879-.999a692 692 0 0 0 1.794-2.038c.034-.037.301-.34.594-.675l.551-.624.345-.392a7 7 0 0 1 .34-.374c.006 0 .93 1.306 2.052 2.903l2.084 2.965.045.063h2.275c1.87 0 2.273-.003 2.266-.021-.008-.02-1.098-1.572-3.894-5.547-2.013-2.862-2.28-3.246-2.273-3.266.008-.019.282-.332 2.085-2.38l2-2.274 1.567-1.782c.022-.028-.016-.03-.65-.03h-.674l-.3.342a871 871 0 0 1-1.782 2.025c-.067.075-.405.458-.75.852a100 100 0 0 1-.803.91c-.148.172-.299.344-.99 1.127-.304.343-.32.358-.345.327-.015-.019-.904-1.282-1.976-2.808L6.365 1.85H1.8zm1.782.91 8.078 11.294c.772 1.08 1.413 1.973 1.425 1.984.016.017.241.02 1.05.017l1.03-.004-2.694-3.766L7.796 5.75 5.722 2.852l-1.039-.004-1.039-.004z" clip-rule="evenodd"/>
+  </symbol>
+</svg>

ostp-control/dist/index.html

@@ -0,0 +1,14 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <link rel="icon" type="image/svg+xml" href="./favicon.svg" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>ostp-control</title>
+    <script type="module" crossorigin src="./assets/index-eeBKspfZ.js"></script>
+    <link rel="stylesheet" crossorigin href="./assets/index-DADo1Z55.css">
+  </head>
+  <body>
+    <div id="root"></div>
+  </body>
+</html>

ostp-core/Cargo.toml

@@ -12,7 +12,10 @@ rand.workspace = true
 snow.workspace = true
 thiserror.workspace = true
 tracing.workspace = true
+byteorder = "1.5"
 sha2.workspace = true
 hmac.workspace = true
 x25519-dalek = { version = "2.0.1", features = ["static_secrets"] }
 hkdf = "0.12.0"
+tokio.workspace = true
+serde = { version = "1.0", features = ["derive"] }

ostp-core/src/dns.rs

@@ -0,0 +1,413 @@
+use byteorder::{BigEndian, ReadBytesExt, WriteBytesExt};
+use std::io::{Cursor, Read};
+
+const BASE32_ALPHABET: &[u8] = b"abcdefghijklmnopqrstuvwxyz234567";
+
+/// Encodes a byte slice into Base32 (RFC 4648) without padding, lowercase.
+pub fn base32_encode(data: &[u8]) -> String {
+    let mut result = String::with_capacity((data.len() * 8 + 4) / 5);
+    let mut buffer = 0u32;
+    let mut bits_left = 0;
+
+    for &b in data {
+        buffer = (buffer << 8) | (b as u32);
+        bits_left += 8;
+        while bits_left >= 5 {
+            bits_left -= 5;
+            let index = ((buffer >> bits_left) & 0x1F) as usize;
+            result.push(BASE32_ALPHABET[index] as char);
+        }
+    }
+
+    if bits_left > 0 {
+        let index = ((buffer << (5 - bits_left)) & 0x1F) as usize;
+        result.push(BASE32_ALPHABET[index] as char);
+    }
+
+    result
+}
+
+/// Decodes a Base32 string (case-insensitive, no padding) into a byte vector.
+pub fn base32_decode(encoded: &str) -> Option<Vec<u8>> {
+    let mut result = Vec::with_capacity(encoded.len() * 5 / 8);
+    let mut buffer = 0u32;
+    let mut bits_left = 0;
+
+    for c in encoded.bytes() {
+        let val = match c {
+            b'a'..=b'z' => c - b'a',
+            b'A'..=b'Z' => c - b'A',
+            b'2'..=b'7' => c - b'2' + 26,
+            _ => return None, // Invalid character
+        };
+
+        buffer = (buffer << 5) | (val as u32);
+        bits_left += 5;
+
+        if bits_left >= 8 {
+            bits_left -= 8;
+            result.push((buffer >> bits_left) as u8);
+        }
+    }
+
+    Some(result)
+}
+
+#[derive(Debug, Clone, PartialEq)]
+pub enum DnsRecordType {
+    A,
+    CNAME,
+    NULL,
+    TXT,
+    AAAA,
+    Unknown(u16),
+}
+
+impl From<u16> for DnsRecordType {
+    fn from(val: u16) -> Self {
+        match val {
+            1 => DnsRecordType::A,
+            5 => DnsRecordType::CNAME,
+            10 => DnsRecordType::NULL,
+            16 => DnsRecordType::TXT,
+            28 => DnsRecordType::AAAA,
+            _ => DnsRecordType::Unknown(val),
+        }
+    }
+}
+
+impl DnsRecordType {
+    pub fn as_u16(&self) -> u16 {
+        match self {
+            DnsRecordType::A => 1,
+            DnsRecordType::CNAME => 5,
+            DnsRecordType::NULL => 10,
+            DnsRecordType::TXT => 16,
+            DnsRecordType::AAAA => 28,
+            DnsRecordType::Unknown(v) => *v,
+        }
+    }
+}
+
+#[derive(Debug, Clone)]
+pub struct DnsQuestion {
+    pub name: String,
+    pub qtype: DnsRecordType,
+    pub qclass: u16, // Usually 1 (IN)
+}
+
+#[derive(Debug, Clone)]
+pub struct DnsAnswer {
+    pub name: String,
+    pub rtype: DnsRecordType,
+    pub rclass: u16,
+    pub ttl: u32,
+    pub rdata: Vec<u8>,
+}
+
+#[derive(Debug, Clone)]
+pub struct DnsPacket {
+    pub id: u16,
+    pub flags: u16,
+    pub questions: Vec<DnsQuestion>,
+    pub answers: Vec<DnsAnswer>,
+}
+
+impl DnsPacket {
+    pub fn new_query(id: u16, name: &str, qtype: DnsRecordType) -> Self {
+        DnsPacket {
+            id,
+            flags: 0x0100, // Standard query, recursion desired
+            questions: vec![DnsQuestion {
+                name: name.to_string(),
+                qtype,
+                qclass: 1, // IN
+            }],
+            answers: vec![],
+        }
+    }
+
+    pub fn new_response(id: u16, name: &str, rtype: DnsRecordType, rdata: Vec<u8>) -> Self {
+        DnsPacket {
+            id,
+            flags: 0x8180, // Response, standard query, recursion desired, recursion available
+            questions: vec![DnsQuestion {
+                name: name.to_string(),
+                qtype: rtype.clone(),
+                qclass: 1, // IN
+            }],
+            answers: vec![DnsAnswer {
+                name: name.to_string(),
+                rtype,
+                rclass: 1,
+                ttl: 0, // No caching
+                rdata,
+            }],
+        }
+    }
+
+    pub fn encode(&self) -> Vec<u8> {
+        let mut buf = Vec::new();
+        let _ = buf.write_u16::<BigEndian>(self.id);
+        let _ = buf.write_u16::<BigEndian>(self.flags);
+        let _ = buf.write_u16::<BigEndian>(self.questions.len() as u16);
+        let _ = buf.write_u16::<BigEndian>(self.answers.len() as u16);
+        let _ = buf.write_u16::<BigEndian>(0); // Authority PR
+        let _ = buf.write_u16::<BigEndian>(0); // Additional PR
+
+        for q in &self.questions {
+            encode_domain_name(&mut buf, &q.name);
+            let _ = buf.write_u16::<BigEndian>(q.qtype.as_u16());
+            let _ = buf.write_u16::<BigEndian>(q.qclass);
+        }
+
+        for a in &self.answers {
+            encode_domain_name(&mut buf, &a.name);
+            let _ = buf.write_u16::<BigEndian>(a.rtype.as_u16());
+            let _ = buf.write_u16::<BigEndian>(a.rclass);
+            let _ = buf.write_u32::<BigEndian>(a.ttl);
+            
+            if a.rtype == DnsRecordType::TXT {
+                // TXT records have character-strings length-prefixed
+                // We split into chunks of up to 255 bytes
+                let mut txt_data = Vec::new();
+                for chunk in a.rdata.chunks(255) {
+                    txt_data.push(chunk.len() as u8);
+                    txt_data.extend_from_slice(chunk);
+                }
+                let _ = buf.write_u16::<BigEndian>(txt_data.len() as u16);
+                buf.extend_from_slice(&txt_data);
+            } else {
+                let _ = buf.write_u16::<BigEndian>(a.rdata.len() as u16);
+                buf.extend_from_slice(&a.rdata);
+            }
+        }
+
+        buf
+    }
+
+    pub fn decode(data: &[u8]) -> Option<Self> {
+        if data.len() < 12 {
+            return None;
+        }
+
+        let mut cursor = Cursor::new(data);
+        let id = cursor.read_u16::<BigEndian>().ok()?;
+        let flags = cursor.read_u16::<BigEndian>().ok()?;
+        let qdcount = cursor.read_u16::<BigEndian>().ok()?;
+        let ancount = cursor.read_u16::<BigEndian>().ok()?;
+        let _nscount = cursor.read_u16::<BigEndian>().ok()?;
+        let _arcount = cursor.read_u16::<BigEndian>().ok()?;
+
+        let mut questions = Vec::new();
+        for _ in 0..qdcount {
+            let name = decode_domain_name(&mut cursor, data)?;
+            let qtype = cursor.read_u16::<BigEndian>().ok()?.into();
+            let qclass = cursor.read_u16::<BigEndian>().ok()?;
+            questions.push(DnsQuestion { name, qtype, qclass });
+        }
+
+        let mut answers = Vec::new();
+        for _ in 0..ancount {
+            let name = decode_domain_name(&mut cursor, data)?;
+            let rtype: DnsRecordType = cursor.read_u16::<BigEndian>().ok()?.into();
+            let rclass = cursor.read_u16::<BigEndian>().ok()?;
+            let ttl = cursor.read_u32::<BigEndian>().ok()?;
+            let rdlength = cursor.read_u16::<BigEndian>().ok()?;
+
+            let mut rdata = vec![0u8; rdlength as usize];
+            cursor.read_exact(&mut rdata).ok()?;
+
+            if rtype == DnsRecordType::TXT {
+                // Decode TXT string chunks
+                let mut decoded_txt = Vec::new();
+                let mut txt_cursor = Cursor::new(&rdata);
+                while txt_cursor.position() < rdata.len() as u64 {
+                    if let Ok(len) = txt_cursor.read_u8() {
+                        let mut chunk = vec![0u8; len as usize];
+                        if txt_cursor.read_exact(&mut chunk).is_ok() {
+                            decoded_txt.extend_from_slice(&chunk);
+                        } else {
+                            break;
+                        }
+                    } else {
+                        break;
+                    }
+                }
+                rdata = decoded_txt;
+            }
+
+            answers.push(DnsAnswer {
+                name,
+                rtype,
+                rclass,
+                ttl,
+                rdata,
+            });
+        }
+
+        // Skip authority and additional sections (not needed for basic payload extraction)
+        
+        Some(DnsPacket {
+            id,
+            flags,
+            questions,
+            answers,
+        })
+    }
+}
+
+fn encode_domain_name(buf: &mut Vec<u8>, name: &str) {
+    for part in name.split('.') {
+        if part.is_empty() {
+            continue;
+        }
+        let len = part.len().min(63) as u8;
+        buf.push(len);
+        buf.extend_from_slice(&part.as_bytes()[..len as usize]);
+    }
+    buf.push(0); // Root label
+}
+
+fn decode_domain_name(cursor: &mut Cursor<&[u8]>, full_data: &[u8]) -> Option<String> {
+    let mut parts = Vec::new();
+    let mut jumps = 0;
+    let mut current_pos = cursor.position();
+
+    loop {
+        if jumps > 100 {
+            return None; // Prevent infinite loops
+        }
+        
+        if current_pos >= full_data.len() as u64 {
+            return None;
+        }
+        
+        let len = full_data[current_pos as usize];
+        if len == 0 {
+            if jumps == 0 {
+                cursor.set_position(current_pos + 1);
+            }
+            break;
+        }
+
+        if len & 0xC0 == 0xC0 {
+            // Pointer
+            if current_pos + 1 >= full_data.len() as u64 {
+                return None;
+            }
+            let pointer = (((len & 0x3F) as u16) << 8) | (full_data[current_pos as usize + 1] as u16);
+            if jumps == 0 {
+                cursor.set_position(current_pos + 2);
+            }
+            jumps += 1;
+            current_pos = pointer as u64;
+            continue;
+        }
+
+        current_pos += 1;
+        if current_pos + len as u64 > full_data.len() as u64 {
+            return None;
+        }
+        
+        let part = &full_data[current_pos as usize..(current_pos + len as u64) as usize];
+        parts.push(String::from_utf8_lossy(part).into_owned());
+        current_pos += len as u64;
+
+        if jumps == 0 {
+            cursor.set_position(current_pos);
+        }
+    }
+
+    if parts.is_empty() {
+        Some(".".to_string())
+    } else {
+        Some(parts.join("."))
+    }
+}
+
+/// Encodes a payload into a list of subdomain labels and appends the base domain.
+/// Each label is max 63 chars. The base32 string is chunked.
+pub fn encode_payload_to_domain(payload: &[u8], base_domain: &str) -> String {
+    let encoded = base32_encode(payload);
+    let mut domain = String::new();
+    
+    let mut start = 0;
+    while start < encoded.len() {
+        let end = (start + 63).min(encoded.len());
+        domain.push_str(&encoded[start..end]);
+        domain.push('.');
+        start = end;
+    }
+    
+    domain.push_str(base_domain);
+    domain
+}
+
+/// Decodes a payload from a subdomain string, ignoring the base domain.
+pub fn decode_domain_to_payload(full_domain: &str, base_domain: &str) -> Option<Vec<u8>> {
+    // Strip base domain and trailing dots
+    let stripped = full_domain
+        .trim_end_matches('.')
+        .strip_suffix(base_domain)?;
+        
+    let stripped = stripped.trim_end_matches('.');
+    
+    let mut base32_str = String::with_capacity(stripped.len());
+    for part in stripped.split('.') {
+        base32_str.push_str(part);
+    }
+    
+    base32_decode(&base32_str)
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_base32() {
+        let data = b"Hello, OSTP DNS Tunnel!";
+        let encoded = base32_encode(data);
+        let decoded = base32_decode(&encoded).unwrap();
+        assert_eq!(data.as_ref(), decoded.as_slice());
+    }
+
+    #[test]
+    fn test_domain_encoding() {
+        let payload = vec![0x12; 20];
+        let base_domain = "tunnel.example.com";
+        let domain = encode_payload_to_domain(&payload, base_domain);
+        
+        // Ensure no label is > 63 chars
+        for part in domain.split('.') {
+            assert!(part.len() <= 63);
+        }
+        
+        assert!(domain.ends_with(base_domain));
+        
+        let decoded = decode_domain_to_payload(&domain, base_domain).unwrap();
+        assert_eq!(payload, decoded);
+    }
+    
+    #[test]
+    fn test_dns_packet() {
+        let payload = vec![1, 2, 3, 4, 5];
+        let domain = encode_payload_to_domain(&payload, "t.com");
+        
+        let query = DnsPacket::new_query(1234, &domain, DnsRecordType::TXT);
+        let encoded_query = query.encode();
+        
+        let decoded_query = DnsPacket::decode(&encoded_query).unwrap();
+        assert_eq!(decoded_query.id, 1234);
+        assert_eq!(decoded_query.questions[0].name, domain);
+        assert_eq!(decoded_query.questions[0].qtype, DnsRecordType::TXT);
+        
+        let response_data = vec![5, 4, 3, 2, 1];
+        let response = DnsPacket::new_response(1234, &domain, DnsRecordType::TXT, response_data.clone());
+        let encoded_resp = response.encode();
+        
+        let decoded_resp = DnsPacket::decode(&encoded_resp).unwrap();
+        assert_eq!(decoded_resp.answers[0].rdata, response_data);
+    }
+}

ostp-core/src/dns_prober.rs

@@ -0,0 +1,94 @@
+use std::time::Duration;
+use tokio::time::Instant;
+use crate::dns::{DnsPacket, DnsRecordType, encode_payload_to_domain};
+use rand::Rng;
+use serde::{Deserialize, Serialize};
+
+#[derive(Serialize, Deserialize, Clone)]
+pub struct DnsProbeResult {
+    pub name: String,
+    pub ip: String,
+    pub latency_ms: Option<u64>,
+}
+
+const PUBLIC_DNS_SERVERS: &[(&str, &str)] = &[
+    ("Cloudflare",  "1.1.1.1"),
+    ("Cloudflare2", "1.0.0.1"),
+    ("Google",      "8.8.8.8"),
+    ("Google2",     "8.8.4.4"),
+    ("Quad9",       "9.9.9.9"),
+    ("AdGuard",     "94.140.14.14"),
+    ("Yandex",      "77.88.8.8"),
+    ("Yandex2",     "77.88.8.1"),
+    ("SkyDNS",      "193.58.251.251"),
+    ("AliDNS",      "223.5.5.5"),
+    ("Tencent",     "119.29.29.29"),
+    ("114DNS",      "114.114.114.114"),
+    ("Shecan",      "178.22.122.100"),
+    ("Electro",     "78.157.42.100"),
+    ("Begzar",      "185.55.226.26"),
+];
+
+async fn probe_resolver(domain: &str, resolver_ip: &str) -> Option<u64> {
+    let (probe_bytes, id) = {
+        let mut rng = rand::thread_rng();
+        let probe_bytes: [u8; 4] = rng.gen();
+        let id: u16 = rng.gen();
+        (probe_bytes, id)
+    };
+
+    let fqdn = encode_payload_to_domain(&probe_bytes, domain);
+    let qtype = if rand::thread_rng().gen_bool(0.5) { DnsRecordType::TXT } else { DnsRecordType::NULL };
+    let packet = DnsPacket::new_query(id, &fqdn, qtype);
+    let encoded = packet.encode();
+
+    let sock = tokio::net::UdpSocket::bind("0.0.0.0:0").await.ok()?;
+    sock.connect(format!("{}:53", resolver_ip)).await.ok()?;
+
+    let start = Instant::now();
+    sock.send(&encoded).await.ok()?;
+
+    let mut buf = [0u8; 4096];
+    match tokio::time::timeout(Duration::from_secs(2), sock.recv(&mut buf)).await {
+        Ok(Ok(n)) => {
+            if let Some(resp) = DnsPacket::decode(&buf[..n]) {
+                // Check if RCODE == 0 (NOERROR) and it has answers
+                let rcode = resp.flags & 0x000F;
+                if rcode == 0 && !resp.answers.is_empty() {
+                    return Some(start.elapsed().as_millis() as u64);
+                }
+            }
+            None
+        },
+        _ => None,
+    }
+}
+
+pub async fn run_dns_prober(domain: &str) -> Result<Vec<DnsProbeResult>, String> {
+    if domain.is_empty() {
+        return Err("Please enter the tunnel domain first (e.g. tunnel.myvpn.com)".into());
+    }
+
+    let tasks: Vec<_> = PUBLIC_DNS_SERVERS
+        .iter()
+        .map(|(name, ip)| {
+            let domain = domain.to_string();
+            let name = name.to_string();
+            let ip   = ip.to_string();
+            tokio::spawn(async move {
+                let latency_ms = probe_resolver(&domain, &ip).await;
+                DnsProbeResult { name, ip, latency_ms }
+            })
+        })
+        .collect();
+
+    let mut results = Vec::with_capacity(tasks.len());
+    for task in tasks {
+        if let Ok(r) = task.await {
+            results.push(r);
+        }
+    }
+
+    results.sort_by_key(|r| r.latency_ms.unwrap_or(u64::MAX));
+    Ok(results)
+}

ostp-core/src/lib.rs

@@ -4,6 +4,8 @@ pub mod framing;
 pub mod protocol;
 pub mod relay;
 pub mod resumption;
+pub mod dns;
+pub mod dns_prober;
 
 pub use crypto::NoiseRole;
 pub use framing::{TrafficProfile, PaddingStrategy};

ostp-core/src/protocol.rs

@@ -392,12 +392,20 @@ impl ProtocolMachine {
             self.last_recv_advance = Instant::now();
         } else {
             // Gap detected
+            if self.reorder_buffer.len() >= self.max_reorder_buffer {
+                tracing::warn!("Reorder buffer full ({}/{}), dropping new frame nonce={} to wait for recovery of nonce={}",
+                    self.reorder_buffer.len(), self.max_reorder_buffer, nonce, self.expected_recv_nonce
+                );
+            }
+
+            if nonce >= self.expected_recv_nonce {
                 if self.reorder_buffer.len() < self.max_reorder_buffer {
                     self.reorder_buffer.insert(nonce, action);
                 } else {
-                tracing::warn!("Reorder buffer full ({}/{}), dropping frame nonce={}",
-                    self.reorder_buffer.len(), self.max_reorder_buffer, nonce
-                );
+                    tracing::warn!("Reorder buffer still full after gap recovery, dropping frame nonce={}", nonce);
+                }
+            } else {
+                tracing::debug!("Frame nonce={} arrived too late after gap recovery, dropping", nonce);
             }
 
             // Rate-limited NACK: send at most once per 30ms to prevent retransmit storms.
@@ -511,32 +519,6 @@ impl ProtocolMachine {
     fn handle_tick(&mut self) -> Result<ProtocolAction, ProtocolError> {
         let mut actions = Vec::new();
 
-        // ── Gap Recovery ──────────────────────────────────────────────
-        // If expected_recv_nonce hasn't advanced for 500ms+ and there
-        // are buffered frames waiting, the sender likely evicted the lost
-        // frame from sent_history. Skip the gap to restore data flow.
-        // This trades a small amount of data loss for connection liveness.
-        if !self.reorder_buffer.is_empty()
-            && self.last_recv_advance.elapsed() > Duration::from_millis(500)
-        {
-            if let Some(&first_buffered) = self.reorder_buffer.keys().next() {
-                let skipped = first_buffered.saturating_sub(self.expected_recv_nonce);
-                self.expected_recv_nonce = first_buffered;
-                self.last_recv_advance = Instant::now();
-
-                let mut delivered = 0u64;
-                while let Some(buffered_action) = self.reorder_buffer.remove(&self.expected_recv_nonce) {
-                    actions.push(buffered_action);
-                    self.expected_recv_nonce = self.expected_recv_nonce.saturating_add(1);
-                    delivered += 1;
-                }
-                self.ack_pending = true;
-                tracing::debug!("Gap recovery: skipped {} lost frames, delivered {} buffered frames (reorder_buf={})",
-                    skipped, delivered, self.reorder_buffer.len()
-                );
-            }
-        }
-
         // ── Pending ACK flush ─────────────────────────────────────────
         if let Some(ack_frame) = self.build_ack_if_due()? {
             actions.push(ProtocolAction::SendDatagram(ack_frame));

ostp-flutter/android/app/src/main/kotlin/com/ospab/ostp_client/MainActivity.kt

@@ -95,6 +95,15 @@ class MainActivity : FlutterActivity() {
                         result.error("ERROR", e.message, null)
                     }
                 }
+                "runDnsProber" -> {
+                    try {
+                        val domain = call.argument<String>("domain") ?: "example.com"
+                        val json = net.ostp.client.OstpClientSdk.nativeRunDnsProber(domain)
+                        result.success(json)
+                    } catch (e: Throwable) {
+                        result.error("ERROR", e.message, null)
+                    }
+                }
                 "getInstalledApps" -> {
                     try {
                         val pm = packageManager

ostp-flutter/android/app/src/main/kotlin/net/ostp/client/OstpClientSdk.kt

@@ -50,4 +50,8 @@ object OstpClientSdk {
     @Keep
     @JvmStatic
     external fun notifyNetworkChanged()
+
+    @Keep
+    @JvmStatic
+    external fun nativeRunDnsProber(domain: String): String
 }

ostp-flutter/lib/main.dart

@@ -26,11 +26,11 @@ class OstpApp extends StatelessWidget {
       debugShowCheckedModeBanner: false,
       theme: ThemeData(
         brightness: Brightness.dark,
-        scaffoldBackgroundColor: const Color(0xFF08080F),
+        scaffoldBackgroundColor: const Color(0xFF030303),
         colorScheme: const ColorScheme.dark(
-          primary: Color(0xFF6C72FF),
-          secondary: Color(0xFF22D3A5),
-          surface: Color(0xFF151522),
+          primary: Color(0xFFF9FAFB),
+          secondary: Color(0xFF10B981),
+          surface: Color(0xFF09090B),
         ),
         fontFamily: 'Inter',
         useMaterial3: true,

ostp-flutter/lib/ui/home_screen.dart

@@ -6,6 +6,7 @@ import 'package:flutter/material.dart';
 import 'package:flutter/services.dart';
 import 'package:shared_preferences/shared_preferences.dart';
 import 'package:mobile_scanner/mobile_scanner.dart';
+import 'package:flutter_svg/flutter_svg.dart';
 import '../models/connection_state_enum.dart';
 import 'settings_screen.dart';
 import 'logs_screen.dart';
@@ -517,31 +518,16 @@ class _HomeScreenState extends State<HomeScreen> with TickerProviderStateMixin {
     return Scaffold(
       body: Stack(
         children: [
-          Positioned(
-            top: -150, right: -100,
-            child: Container(
-              width: 400, height: 400,
-              decoration: BoxDecoration(
-                shape: BoxShape.circle,
-                color: theme.colorScheme.primary.withOpacity(0.15),
-              ),
-              child: BackdropFilter(
-                filter: ImageFilter.blur(sigmaX: 100, sigmaY: 100),
-                child: Container(),
-              ),
-            ),
-          ),
-          Positioned(
-            bottom: -100, left: -100,
-            child: Container(
-              width: 350, height: 350,
-              decoration: BoxDecoration(
-                shape: BoxShape.circle,
-                color: theme.colorScheme.secondary.withOpacity(0.1),
-              ),
-              child: BackdropFilter(
-                filter: ImageFilter.blur(sigmaX: 100, sigmaY: 100),
-                child: Container(),
+          Center(
+            child: Opacity(
+              opacity: theme.brightness == Brightness.dark ? 0.05 : 0.06,
+              child: SvgPicture.asset(
+                'assets/logo.svg',
+                width: MediaQuery.of(context).size.width * 0.8,
+                fit: BoxFit.contain,
+                colorFilter: theme.brightness == Brightness.light 
+                    ? const ColorFilter.mode(Colors.black, BlendMode.srcIn) 
+                    : null,
               ),
             ),
           ),

ostp-flutter/lib/ui/settings_screen.dart

@@ -32,13 +32,13 @@ class _SettingsScreenState extends State<SettingsScreen> {
   late TextEditingController _domainsCtrl;
   late TextEditingController _ipsCtrl;
   late TextEditingController _processesCtrl;
-  late TextEditingController _stealthSniCtrl;
+  late TextEditingController _dnsDomainCtrl;
   late TextEditingController _pbkCtrl;
   late TextEditingController _sidCtrl;
 
   bool _obscureKey = true;
   bool _debugMode = false;
-  bool _wss = false;
+  late TextEditingController _dnsRegionCtrl;
   String _transportMode = 'udp'; // 'udp' | 'uot'
   String _tunStack = 'ostp'; // 'system' | 'ostp'
   bool _muxEnabled = false;
@@ -57,10 +57,10 @@ class _SettingsScreenState extends State<SettingsScreen> {
     _domainsCtrl = TextEditingController(text: widget.prefs.getString('ex_domains') ?? '');
     _ipsCtrl = TextEditingController(text: widget.prefs.getString('ex_ips') ?? '');
     _processesCtrl = TextEditingController(text: widget.prefs.getString('ex_processes') ?? '');
-    _stealthSniCtrl = TextEditingController(text: widget.prefs.getString('stealth_sni') ?? '');
-    _pbkCtrl = TextEditingController(text: widget.prefs.getString('pbk') ?? '');
+    _dnsDomainCtrl = TextEditingController(text: widget.prefs.getString('dns_domain') ?? '');
+    _dnsRegionCtrl = TextEditingController(text: widget.prefs.getString('dns_region') ?? '1.1.1.1');
+    _pbkCtrl = TextEditingController(text: widget.prefs.getString('tun_pbk') ?? '');
     _sidCtrl = TextEditingController(text: widget.prefs.getString('sid') ?? '');
-    _wss = widget.prefs.getBool('wss') ?? false;
     _transportMode = widget.prefs.getString('transport_mode') ?? 'udp';
     _tunStack = widget.prefs.getString('tun_stack') ?? 'ostp';
     _debugMode = widget.prefs.getBool('debug_mode') ?? false;
@@ -80,7 +80,8 @@ class _SettingsScreenState extends State<SettingsScreen> {
     _domainsCtrl.dispose();
     _ipsCtrl.dispose();
     _processesCtrl.dispose();
-    _stealthSniCtrl.dispose();
+    _dnsDomainCtrl.dispose();
+    _dnsRegionCtrl.dispose();
     _pbkCtrl.dispose();
     _sidCtrl.dispose();
     _muxSessionsCtrl.dispose();
@@ -97,11 +98,11 @@ class _SettingsScreenState extends State<SettingsScreen> {
     widget.prefs.setString('ex_ips', _ipsCtrl.text.trim());
     widget.prefs.setString('ex_processes', _processesCtrl.text.trim());
     widget.prefs.setBool('debug_mode', _debugMode);
-    widget.prefs.setBool('wss', _wss);
     widget.prefs.setString('transport_mode', _transportMode);
     widget.prefs.setString('tun_stack', _tunStack);
-    widget.prefs.setString('stealth_sni', _stealthSniCtrl.text.trim());
-    widget.prefs.setString('pbk', _pbkCtrl.text.trim());
+    widget.prefs.setString('dns_domain', _dnsDomainCtrl.text.trim());
+    widget.prefs.setString('dns_region', _dnsRegionCtrl.text.trim());
+    widget.prefs.setString('tun_pbk', _pbkCtrl.text.trim());
     widget.prefs.setString('sid', _sidCtrl.text.trim());
     widget.prefs.setBool('mux_enabled', _muxEnabled);
     widget.prefs.setString('mux_sessions', _muxSessionsCtrl.text.trim());
@@ -236,12 +237,11 @@ class _SettingsScreenState extends State<SettingsScreen> {
                     setState(() {
                       _serverCtrl.text = host;
                       _keyCtrl.text = key;
-                      _stealthSniCtrl.text = uri.queryParameters['sni'] ?? '';
-                      _pbkCtrl.text = uri.queryParameters['pbk'] ?? '';
-                      _sidCtrl.text = uri.queryParameters['sid'] ?? '';
-                      _wss = uri.queryParameters['wss'] == 'true';
-                      final type = uri.queryParameters['type'] ?? 'udp';
-                      _transportMode = type == 'tcp' || type == 'http' ? 'uot' : 'udp';
+                      _dnsDomainCtrl.text = uri.queryParameters['domain'] ?? '';
+                      _dnsRegionCtrl.text = uri.queryParameters['resolver'] ?? '1.1.1.1';
+                      
+                      final type = uri.queryParameters['type'];
+                      _transportMode = type == 'tcp' || type == 'http' ? 'uot' : (type == 'dns' ? 'dns' : 'udp');
                       _importCtrl.clear();
 
                       _saveSettings();
@@ -292,8 +292,8 @@ class _SettingsScreenState extends State<SettingsScreen> {
                       RadioListTile<String>(
                         value: 'udp',
                         groupValue: _transportMode,
-                        title: const Text('UDP (по умолчанию)', style: TextStyle(fontWeight: FontWeight.w600)),
-                        subtitle: const Text('Быстро, работает через Wi-Fi и большинство сетей', style: TextStyle(color: Colors.white54, fontSize: 12)),
+                        title: const Text('UDP (Default)', style: TextStyle(fontWeight: FontWeight.w600)),
+                        subtitle: const Text('Fast, works on Wi-Fi and most networks', style: TextStyle(color: Colors.white54, fontSize: 12)),
                         activeColor: Theme.of(context).colorScheme.secondary,
                         onChanged: (v) => setState(() { _transportMode = v!; _saveSettings(); }),
                       ),
@@ -301,111 +301,83 @@ class _SettingsScreenState extends State<SettingsScreen> {
                       RadioListTile<String>(
                         value: 'uot',
                         groupValue: _transportMode,
-                        title: Wrap(
-                          crossAxisAlignment: WrapCrossAlignment.center,
-                          spacing: 8,
-                          children: [
-                            const Text('UoT (UDP-over-TCP)', style: TextStyle(fontWeight: FontWeight.w600)),
-                            Container(
-                              padding: const EdgeInsets.symmetric(horizontal: 7, vertical: 2),
-                              decoration: BoxDecoration(
-                                color: const Color(0xFF6C72FF).withOpacity(0.2),
-                                borderRadius: BorderRadius.circular(6),
-                              ),
-                              child: const Text('xHTTP Стелс', style: TextStyle(fontSize: 10, color: Color(0xFF6C72FF), fontWeight: FontWeight.bold)),
-                            ),
-                          ],
-                        ),
-                        subtitle: const Text('Маскировка под HTTP-поток, обходит белые списки (уровень 1)', style: TextStyle(color: Colors.white54, fontSize: 12)),
+                        title: const Text('UoT (UDP-over-TCP)', style: TextStyle(fontWeight: FontWeight.w600)),
+                        subtitle: const Text('Masks as HTTP stream, bypasses whitelists', style: TextStyle(color: Colors.white54, fontSize: 12)),
                         activeColor: Theme.of(context).colorScheme.primary,
                         onChanged: (v) => setState(() { _transportMode = v!; _saveSettings(); }),
                       ),
+                      Divider(color: Colors.white.withOpacity(0.05), height: 1),
+                      RadioListTile<String>(
+                        value: 'dns',
+                        groupValue: _transportMode,
+                        title: const Text('DNS Proxy (Last Resort)', style: TextStyle(fontWeight: FontWeight.w600)),
+                        subtitle: const Text('Very slow, but works under strict DPI blocks', style: TextStyle(color: Colors.orangeAccent, fontSize: 12)),
+                        activeColor: Colors.orangeAccent,
+                        onChanged: (v) => setState(() { _transportMode = v!; _saveSettings(); }),
+                      ),
                     ],
                   ),
                 ),
-                const SizedBox(height: 16),
-                _buildToggle('WebSocket (WSS)', 'Инкапсулировать транспорт в RFC 6455 (для строгого DPI)', _wss, (val) {
-                  setState(() {
-                    _wss = val;
-                  });
-                }),
+                
                 const SizedBox(height: 16),
                 
-                // Stealth parameters
+                // DNS Proxy parameters
                 AnimatedCrossFade(
                   duration: const Duration(milliseconds: 250),
-                  crossFadeState: _transportMode == 'uot' ? CrossFadeState.showFirst : CrossFadeState.showSecond,
+                  crossFadeState: _transportMode == 'dns' ? CrossFadeState.showFirst : CrossFadeState.showSecond,
                   firstChild: Container(
                     padding: const EdgeInsets.all(16),
                     decoration: BoxDecoration(
-                      color: const Color(0xFF6C72FF).withOpacity(0.06),
+                      color: Colors.orangeAccent.withOpacity(0.06),
                       borderRadius: BorderRadius.circular(16),
-                      border: Border.all(color: const Color(0xFF6C72FF).withOpacity(0.2)),
+                      border: Border.all(color: Colors.orangeAccent.withOpacity(0.2)),
                     ),
                     child: Column(
                       crossAxisAlignment: CrossAxisAlignment.start,
                       children: [
                         Row(
                           children: [
-                            const Icon(Icons.security, size: 16, color: Color(0xFF6C72FF)),
+                            const Icon(Icons.dns, size: 16, color: Colors.orangeAccent),
                             const SizedBox(width: 8),
-                            const Text('Стелс параметры', style: TextStyle(fontWeight: FontWeight.bold, color: Color(0xFF6C72FF), fontSize: 14)),
+                            const Text('DNS Proxy Settings', style: TextStyle(fontWeight: FontWeight.bold, color: Colors.orangeAccent, fontSize: 14)),
                           ],
                         ),
                         const SizedBox(height: 4),
                         const Text(
-                          'Укажи домен из белого списка. OSTP подключится к серверу и подделает SNI / HTTP Host.',
+                          'Specify the domain pointing to your server. Details in Wiki.',
                           style: TextStyle(fontSize: 12, color: Colors.white38),
                         ),
                         const SizedBox(height: 16),
-                        Builder(builder: (context) {
-                          final List<String> domains = [
-                            'yastatic.net', 'mc.yandex.ru', 'st.mycdn.me',
-                            'top-fwz1.mail.ru', 'sso.passport.yandex.ru',
-                            'sberbank.ru', 'ad.mail.ru', 'ads.vk.com',
-                            'login.vk.com', 'api.sberbank.ru', 'ok.ru',
-                            'rostelecom.ru', 'rt.ru', 'tinkoff.ru',
-                            'x5.ru', 'ozon.ru', 'wildberries.ru', 'gosuslugi.ru', 'vk.com'
-                          ];
-                          String currentVal = _stealthSniCtrl.text.trim();
-                          if (currentVal.isEmpty) currentVal = 'vk.com';
-                          if (!domains.contains(currentVal)) {
-                            domains.add(currentVal);
-                          }
-                          return DropdownButtonFormField<String>(
-                            value: currentVal,
-                            dropdownColor: const Color(0xFF1E1E2C),
-                            style: const TextStyle(color: Colors.white, fontSize: 14),
-                            decoration: InputDecoration(
-                              labelText: 'Стелс Домен (Автоподставление)',
-                              labelStyle: const TextStyle(color: Colors.white54, fontSize: 13),
-                              border: OutlineInputBorder(borderRadius: BorderRadius.circular(12)),
-                              contentPadding: const EdgeInsets.symmetric(horizontal: 16, vertical: 12),
+                        _buildTextField('Domain (Points to Server)', _dnsDomainCtrl, hint: 'tunnel.myvpn.com'),
+                        const SizedBox(height: 16),
+                        Row(
+                          children: [
+                            Expanded(
+                              child: _buildTextField('DNS Resolver Server', _dnsRegionCtrl, hint: '1.1.1.1'),
+                            ),
+                            const SizedBox(width: 8),
+                            Padding(
+                              padding: const EdgeInsets.only(top: 24.0),
+                              child: ElevatedButton(
+                                onPressed: _showDnsProberDialog,
+                                style: ElevatedButton.styleFrom(
+                                  backgroundColor: Colors.orangeAccent.withOpacity(0.2),
+                                  foregroundColor: Colors.orangeAccent,
+                                  elevation: 0,
+                                  padding: const EdgeInsets.symmetric(horizontal: 12, vertical: 14),
+                                  shape: RoundedRectangleBorder(borderRadius: BorderRadius.circular(12)),
+                                ),
+                                child: const Text('PROBER', style: TextStyle(fontWeight: FontWeight.bold, fontSize: 12)),
+                              ),
+                            )
+                          ],
                         ),
-                            items: domains.map((String domain) {
-                              return DropdownMenuItem<String>(
-                                value: domain,
-                                child: Text(domain),
-                              );
-                            }).toList(),
-                            onChanged: (String? newValue) {
-                              if (newValue != null) {
-                                setState(() {
-                                  _stealthSniCtrl.text = newValue;
-                                  _saveSettings();
-                                });
-                              }
-                            },
-                          );
-                        }),
-
                       ],
                     ),
                   ),
                   secondChild: const SizedBox.shrink(),
                 ),
 
-
                 const SizedBox(height: 16),
                 _buildToggle('Multiplexing (Mux)', 'Combine multiple TCP streams to bypass throttling', _muxEnabled, (v) => setState(() => _muxEnabled = v)),
                 AnimatedCrossFade(
@@ -552,8 +524,12 @@ class _SettingsScreenState extends State<SettingsScreen> {
     if (host.isEmpty || key.isEmpty) return '';
 
     final queryParams = <String>[];
-    if (_stealthSniCtrl.text.trim().isNotEmpty) {
-      queryParams.add('sni=${Uri.encodeComponent(_stealthSniCtrl.text.trim())}');
+    if (_dnsDomainCtrl.text.trim().isNotEmpty) {
+      queryParams.add('domain=${Uri.encodeComponent(_dnsDomainCtrl.text.trim())}');
+    }
+    final resolver = _dnsRegionCtrl.text.trim();
+    if (resolver.isNotEmpty && resolver != '1.1.1.1') {
+      queryParams.add('resolver=${Uri.encodeComponent(resolver)}');
     }
     if (_pbkCtrl.text.trim().isNotEmpty) {
       queryParams.add('pbk=${Uri.encodeComponent(_pbkCtrl.text.trim())}');
@@ -561,9 +537,6 @@ class _SettingsScreenState extends State<SettingsScreen> {
     if (_sidCtrl.text.trim().isNotEmpty) {
       queryParams.add('sid=${Uri.encodeComponent(_sidCtrl.text.trim())}');
     }
-    if (_wss) {
-      queryParams.add('wss=true');
-    }
     if (_transportMode != 'udp') {
       queryParams.add('type=$_transportMode');
     }
@@ -629,6 +602,97 @@ class _SettingsScreenState extends State<SettingsScreen> {
     );
   }
 
+  Future<void> _showDnsProberDialog() async {
+    const channel = MethodChannel('com.ospab.ostp/vpn');
+    showDialog(
+      context: context,
+      barrierDismissible: false,
+      builder: (context) {
+        return StatefulBuilder(
+          builder: (context, setModalState) {
+            return AlertDialog(
+              backgroundColor: Theme.of(context).colorScheme.surface,
+              shape: RoundedRectangleBorder(borderRadius: BorderRadius.circular(20)),
+              title: const Text('DNS Prober', textAlign: TextAlign.center),
+              content: FutureBuilder<String?>(
+                future: channel.invokeMethod<String>('runDnsProber', {'domain': _dnsDomainCtrl.text.trim()}),
+                builder: (context, snapshot) {
+                  if (snapshot.connectionState == ConnectionState.waiting) {
+                    return const Column(
+                      mainAxisSize: MainAxisSize.min,
+                      children: [
+                        CircularProgressIndicator(),
+                        SizedBox(height: 16),
+                        Text('Sending real tunnel probes...', style: TextStyle(color: Colors.white54, fontSize: 13), textAlign: TextAlign.center),
+                      ],
+                    );
+                  }
+
+                  if (snapshot.hasError || !snapshot.hasData) {
+                    return Text('Error: ${snapshot.error}', style: const TextStyle(color: Colors.redAccent));
+                  }
+
+                  List<dynamic> results = [];
+                  try {
+                    results = jsonDecode(snapshot.data!);
+                  } catch (_) {}
+
+                  if (results.isEmpty) {
+                    return const Text('No results or all timed out.', style: TextStyle(color: Colors.redAccent));
+                  }
+
+                  return SizedBox(
+                    width: double.maxFinite,
+                    child: ListView.builder(
+                      shrinkWrap: true,
+                      itemCount: results.length,
+                      itemBuilder: (context, index) {
+                        final res = results[index];
+                        final name = res['name'] ?? '';
+                        final ip = res['ip'] ?? '';
+                        final latency = res['latency_ms'];
+                        
+                        final isBest = index == 0 && latency != null;
+                        
+                        return ListTile(
+                          onTap: latency != null ? () {
+                            setState(() {
+                              _dnsRegionCtrl.text = ip;
+                              _saveSettings();
+                            });
+                            Navigator.pop(context);
+                            ScaffoldMessenger.of(context).showSnackBar(SnackBar(content: Text('DNS set to $ip')));
+                          } : null,
+                          title: Text('${isBest ? '⭐ ' : ''}$name', style: const TextStyle(fontSize: 14)),
+                          subtitle: Text(ip, style: const TextStyle(fontSize: 12, color: Colors.white54)),
+                          trailing: Text(
+                            latency != null ? '$latency ms' : 'TIMEOUT',
+                            style: TextStyle(
+                              color: latency == null ? Colors.redAccent : (latency < 100 ? Colors.greenAccent : Colors.orangeAccent),
+                              fontWeight: FontWeight.bold,
+                            ),
+                          ),
+                          tileColor: isBest ? Colors.blueAccent.withOpacity(0.1) : null,
+                          shape: RoundedRectangleBorder(borderRadius: BorderRadius.circular(10)),
+                        );
+                      },
+                    ),
+                  );
+                },
+              ),
+              actions: [
+                TextButton(
+                  onPressed: () => Navigator.pop(context),
+                  child: const Text('Close'),
+                )
+              ],
+            );
+          }
+        );
+      }
+    );
+  }
+
   Future<void> _checkForUpdates() async {
     if (_isCheckingUpdates) return;
     setState(() { _isCheckingUpdates = true; });

ostp-flutter/pubspec.lock

@@ -134,6 +134,14 @@ packages:
       url: "https://pub.dev"
     source: hosted
     version: "6.0.0"
+  flutter_svg:
+    dependency: "direct main"
+    description:
+      name: flutter_svg
+      sha256: "35882981abcbfb8c15b286f0cd690ff25bac12d95eff3e25ee207f37d4c42e7f"
+      url: "https://pub.dev"
+    source: hosted
+    version: "2.3.0"
   flutter_test:
     dependency: "direct dev"
     description: flutter
@@ -272,6 +280,14 @@ packages:
       url: "https://pub.dev"
     source: hosted
     version: "1.9.1"
+  path_parsing:
+    dependency: transitive
+    description:
+      name: path_parsing
+      sha256: "883402936929eac138ee0a45da5b0f2c80f89913e6dc3bf77eb65b84b409c6ca"
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.1.0"
   path_provider_linux:
     dependency: transitive
     description:
@@ -581,6 +597,30 @@ packages:
       url: "https://pub.dev"
     source: hosted
     version: "3.1.5"
+  vector_graphics:
+    dependency: transitive
+    description:
+      name: vector_graphics
+      sha256: "2306c03da2ba81724afeb589c351ebbc0aa7d86005925be8f8735856dbe5e42d"
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.2.2"
+  vector_graphics_codec:
+    dependency: transitive
+    description:
+      name: vector_graphics_codec
+      sha256: "99fd9fbd34d9f9a32efd7b6a6aae14125d8237b10403b422a6a6dfeac2806146"
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.1.13"
+  vector_graphics_compiler:
+    dependency: transitive
+    description:
+      name: vector_graphics_compiler
+      sha256: "142a9146f447d15b10bdc00e21d5f4d83e5b32bb5f8f8f5a04c75311344923a3"
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.2.6"
   vector_math:
     dependency: transitive
     description:

ostp-flutter/pubspec.yaml

@@ -16,7 +16,7 @@ publish_to: 'none' # Remove this line if you wish to publish to pub.dev
 # https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/CoreFoundationKeys.html
 # In Windows, build-name is used as the major, minor, and patch parts
 # of the product and file versions while build-number is used as the build suffix.
-version: 0.2.98+13
+version: 0.3.12+25
 
 environment:
   sdk: ^3.11.4
@@ -34,6 +34,7 @@ dependencies:
   # The following adds the Cupertino Icons font to your application.
   # Use with the CupertinoIcons class for iOS style icons.
   cupertino_icons: ^1.0.8
+  flutter_svg: ^2.0.10
   shared_preferences: ^2.5.5
   mobile_scanner: ^5.0.0
   window_manager: ^0.5.1
@@ -72,9 +73,8 @@ flutter:
   uses-material-design: true
 
   # To add assets to your application, add an assets section, like this:
-  # assets:
-  #   - images/a_dot_burr.jpeg
-  #   - images/a_dot_ham.jpeg
+  assets:
+    - assets/logo.svg
 
   # An image asset can refer to one or more resolution-specific "variants", see
   # https://flutter.dev/to/resolution-aware-images

ostp-gui/package.json

@@ -1,7 +1,7 @@
 {
   "name": "ostp-gui",
   "private": true,
-  "version": "0.1.0",
+  "version": "0.3.3",
   "type": "module",
   "scripts": {
     "tauri": "tauri",

ostp-gui/src-tauri/Cargo.lock

@@ -2665,7 +2665,7 @@ dependencies = [
 
 [[package]]
 name = "ostp-client"
-version = "0.2.98"
+version = "0.3.12"
 dependencies = [
  "anyhow",
  "base64 0.22.1",
@@ -2700,17 +2700,20 @@ dependencies = [
 
 [[package]]
 name = "ostp-core"
-version = "0.2.98"
+version = "0.3.12"
 dependencies = [
  "anyhow",
+ "byteorder",
  "bytes",
  "chacha20poly1305",
  "hkdf",
  "hmac",
  "rand",
+ "serde",
  "sha2",
  "snow",
  "thiserror 1.0.69",
+ "tokio",
  "tracing",
  "x25519-dalek",
 ]
@@ -2720,12 +2723,16 @@ name = "ostp-gui"
 version = "0.1.0"
 dependencies = [
  "anyhow",
+ "chacha20poly1305",
+ "hex",
  "json_comments",
  "ostp-client",
+ "ostp-core",
  "portable-atomic",
  "rand",
  "serde",
  "serde_json",
+ "sha2",
  "tauri",
  "tauri-build",
  "tauri-plugin-opener",
@@ -2735,7 +2742,7 @@ dependencies = [
 
 [[package]]
 name = "ostp-tun"
-version = "0.2.98"
+version = "0.3.12"
 dependencies = [
  "anyhow",
  "libc",

ostp-gui/src-tauri/Cargo.toml

@@ -26,7 +26,11 @@ tokio = { version = "1", features = ["full"] }
 anyhow = "1"
 tracing = "0.1"
 ostp-client = { path = "../../ostp-client" }
+ostp-core = { path = "../../ostp-core" }
 portable-atomic = "1"
 json_comments = "0.2"
 rand = "0.8"
+chacha20poly1305 = "0.10"
+sha2 = "0.10"
+hex = "0.4.3"