Fallback to server parameter for DNS resolver if not specified

Cargo.lock

@@ -388,6 +388,16 @@ version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c8d4a3bb8b1e0c1050499d1815f5ab16d04f0959b233085fb31653fbfc9d98f9"
 
+[[package]]
+name = "clipboard-win"
+version = "3.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9fdf5e01086b6be750428ba4a40619f847eb2e95756eee84b18e06e5f0b50342"
+dependencies = [
+ "lazy-bytes-cast",
+ "winapi",
+]
+
 [[package]]
 name = "colorchoice"
 version = "1.0.5"
@@ -1252,6 +1262,12 @@ version = "0.2.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9dbbfed4e59ba9750e15ba154fdfd9329cee16ff3df539c2666b70f58cc32105"
 
+[[package]]
+name = "lazy-bytes-cast"
+version = "5.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "10257499f089cd156ad82d0a9cd57d9501fa2c989068992a97eb3c27836f206b"
+
 [[package]]
 name = "lazy_static"
 version = "1.5.0"
@@ -1431,16 +1447,18 @@ checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381"
 
 [[package]]
 name = "ostp"
-version = "0.3.8"
+version = "0.3.12"
 dependencies = [
  "anyhow",
  "base64",
  "clap",
+ "clipboard-win",
  "colored",
  "json_comments",
  "ostp-client",
  "ostp-core",
  "ostp-server",
+ "pico-args",
  "rand 0.8.5",
  "reqwest",
  "serde",
@@ -1453,7 +1471,7 @@ dependencies = [
 
 [[package]]
 name = "ostp-client"
-version = "0.3.8"
+version = "0.3.12"
 dependencies = [
  "anyhow",
  "base64",
@@ -1488,7 +1506,7 @@ dependencies = [
 
 [[package]]
 name = "ostp-core"
-version = "0.3.8"
+version = "0.3.12"
 dependencies = [
  "anyhow",
  "byteorder",
@@ -1497,9 +1515,11 @@ dependencies = [
  "hkdf",
  "hmac",
  "rand 0.8.5",
+ "serde",
  "sha2",
  "snow",
  "thiserror 1.0.69",
+ "tokio",
  "tracing",
  "x25519-dalek",
 ]
@@ -1523,7 +1543,7 @@ dependencies = [
 
 [[package]]
 name = "ostp-server"
-version = "0.3.8"
+version = "0.3.12"
 dependencies = [
  "anyhow",
  "axum",
@@ -1556,7 +1576,7 @@ dependencies = [
 
 [[package]]
 name = "ostp-tun"
-version = "0.3.8"
+version = "0.3.12"
 dependencies = [
  "anyhow",
  "libc",
@@ -1568,7 +1588,7 @@ dependencies = [
 
 [[package]]
 name = "ostp-tun-helper"
-version = "0.3.8"
+version = "0.3.12"
 dependencies = [
  "anyhow",
  "chrono",
@@ -1592,6 +1612,12 @@ version = "2.3.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9b4f627cb1b25917193a259e49bdad08f671f8d9708acfd5fe0a8c1455d87220"
 
+[[package]]
+name = "pico-args"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5be167a7af36ee22fe3115051bc51f6e6c7054c9348e28deb4f49bd6f705a315"
+
 [[package]]
 name = "pin-project-lite"
 version = "0.2.17"

Cargo.toml

@@ -12,7 +12,7 @@ resolver = "2"
 [workspace.package]
 edition = "2021"
 license = "BSL 1.1"
-version = "0.3.8"
+version = "0.3.12"
 
 [workspace.dependencies]
 anyhow = "1.0"

fix_delimiter.py

@@ -1,36 +0,0 @@
-import os
-
-with open('ostp/src/main.rs', 'r', encoding='utf-8') as f:
-    content = f.read()
-
-old_block = '''                    if let Some(key) = first_key {
-                    let host = get_or_ask_public_ip(&args.config);
-                    let mut query_params = Vec::<String>::new();
-                    query_params.push("type=udp".to_string());
-
-                    let mut link = format!("ostp://{}@{}:{}", key, host, port);
-                    if !query_params.is_empty() {
-                        link.push('?');
-                        link.push_str(&query_params.join("&"));
-                    }
-                    println!("  [1] {}", link);
-                }'''
-
-new_block = '''                    if let Some(key) = first_key {
-                        let host = get_or_ask_public_ip(&args.config);
-                        let mut query_params = Vec::<String>::new();
-                        query_params.push("type=udp".to_string());
-
-                        let mut link = format!("ostp://{}@{}:{}", key, host, port);
-                        if !query_params.is_empty() {
-                            link.push('?');
-                            link.push_str(&query_params.join("&"));
-                        }
-                        println!("  [1] {}", link);
-                    }
-                }'''
-
-content = content.replace(old_block, new_block)
-
-with open('ostp/src/main.rs', 'w', encoding='utf-8') as f:
-    f.write(content)

ostp-client/src/bridge.rs

@@ -18,7 +18,7 @@ impl Default for BridgeMetrics {
     }
 }
 
-pub fn set_socket_protector<F>(f: F)
+pub fn set_socket_protector<F>(_f: F)
 where
     F: Fn(i32) -> bool + Send + Sync + 'static,
 {

ostp-client/src/config.rs

@@ -50,6 +50,8 @@ pub enum InboundConfig {
         protocol: String, // "socks" or "http"
         listen: String,
         port: u16,
+        #[serde(default)]
+        set_system_proxy: bool,
     },
 }
 
@@ -172,33 +174,42 @@ impl ClientConfig {
             .with_context(|| format!("failed to parse JSON from {}", path.display()))?;
 
         let (migrated_json, was_migrated) = Self::migrate_json(raw_json);
-        
         if was_migrated {
-            tracing::info!("Config was migrated to v0.3.1. Saving to {}", path.display());
+            tracing::warn!(
-            let serialized = serde_json::to_string_pretty(&migrated_json)?;
+                "Config at {} is in an outdated format. Run 'ostp --migrate' to upgrade it.",
-            let header = "// OSTP Configuration v0.3.1\n// DO NOT EDIT THIS COMMENT - Migrator relies on it\n";
+                path.display()
-            let final_content = format!("{}{}", header, serialized);
+            );
-            std::fs::write(&path, final_content)
-                .with_context(|| format!("failed to save migrated config to {}", path.display()))?;
         }
 
         let config: ClientConfig = serde_json::from_value(migrated_json)
-            .with_context(|| format!("failed to deserialize migrated config from {}", path.display()))?;
+            .with_context(|| format!("failed to deserialize config from {}", path.display()))?;
 
         Ok(config)
     }
 
     /// Migrates old monolithic JSON to the new modular format.
     /// Returns the migrated JSON value and a boolean indicating if a migration occurred.
-    pub fn migrate_json(mut json: serde_json::Value) -> (serde_json::Value, bool) {
+    pub fn migrate_json(json: serde_json::Value) -> (serde_json::Value, bool) {
-        let is_migrated = json.get("version").and_then(|v| v.as_str()) == Some("0.3.1");
+        // Consider the config already migrated if:
-        if is_migrated {
+        // 1. Version matches exactly, OR
+        // 2. The JSON already has the new modular format (inbounds + outbounds arrays)
+        let has_version = json.get("version").and_then(|v| v.as_str()) == Some(env!("CARGO_PKG_VERSION"));
+        let has_new_format = json.get("inbounds").and_then(|v| v.as_array()).is_some()
+            && json.get("outbounds").and_then(|v| v.as_array()).is_some();
+        
+        if has_version || has_new_format {
+            // If format is already new but version is old, just bump the version
+            if has_new_format && !has_version {
+                let mut updated = json.clone();
+                updated["version"] = serde_json::json!(env!("CARGO_PKG_VERSION"));
+                return (updated, false);
+            }
             return (json, false);
         }
 
         // Needs migration
         let mut new_json = serde_json::json!({
-            "version": "0.3.1",
+            "version": env!("CARGO_PKG_VERSION"),
         });
 
         // 1. Log level

ostp-client/src/runner.rs

@@ -1,8 +1,7 @@
 use anyhow::Result;
 use std::sync::Arc;
-use tokio::sync::{mpsc, watch};
+use tokio::sync::watch;
 
-use crate::app::{BridgeCommand, ConnectionStatus, UiEvent};
 use crate::config::{ClientConfig, InboundConfig};
 use crate::tunnel::balancer::Balancer;
 use crate::tunnel::outbounds::OutboundManager;
@@ -10,9 +9,9 @@ use crate::tunnel::router::Router;
 
 pub async fn run_client_core(
     config: ClientConfig,
-    metrics: Arc<crate::bridge::BridgeMetrics>,
+    _metrics: Arc<crate::bridge::BridgeMetrics>,
     mut shutdown_rx_ext: watch::Receiver<bool>,
-    config_rx: Option<watch::Receiver<ClientConfig>>,
+    _config_rx: Option<watch::Receiver<ClientConfig>>,
 ) -> Result<()> {
     println!("[ostp] Starting run_client_core with multi-server architecture");
 

ostp-client/src/transport/dns.rs

@@ -5,8 +5,9 @@ use tokio::net::UdpSocket;
 use tokio::sync::{mpsc, Mutex};
 use rand::Rng;
 
-use ostp_core::dns::{
+pub use ostp_core::dns::{
-    DnsPacket, DnsRecordType, encode_payload_to_domain, decode_domain_to_payload,
+    DnsPacket, DnsRecordType, encode_payload_to_domain,
+    decode_domain_to_payload,
 };
 use crate::transport::Transport;
 
@@ -64,7 +65,7 @@ pub async fn start_dns_transport(domain: String, resolver: String, _pubkey: Opti
     });
 
     // Receive task (reads from UDP socket, decodes DNS answer, sends to app)
-    let base_domain_rx = domain.clone();
+    let _base_domain_rx = domain.clone();
     tokio::spawn(async move {
         let mut buf = vec![0u8; 65535];
         loop {

ostp-client/src/tunnel/balancer.rs

@@ -1,6 +1,5 @@
 use crate::config::{ClientConfig, OutboundConfig};
 use std::collections::HashMap;
-use std::sync::Arc;
 
 pub struct Balancer {
     outbounds: HashMap<String, OutboundConfig>,
@@ -60,6 +59,7 @@ impl Balancer {
     /// Fetches the config for a concrete outbound
     pub fn get_concrete_outbound(&self, tag: &str) -> Option<&OutboundConfig> {
         let resolved_tag = self.resolve_outbound(tag);
+        tracing::debug!("Balancer: tag '{}' resolved to '{}'", tag, resolved_tag);
         self.outbounds.get(&resolved_tag)
     }
 }

ostp-client/src/tunnel/inbounds/local_proxy.rs

@@ -14,13 +14,20 @@ pub async fn run_socks_inbound(
     outbound_manager: Arc<OutboundManager>,
     mut shutdown: watch::Receiver<bool>,
 ) -> Result<()> {
-    let InboundConfig::LocalProxy { tag, protocol, listen, port } = inbound_config else {
+    let InboundConfig::LocalProxy { tag, protocol, listen, port, set_system_proxy } = inbound_config else {
         return Err(anyhow!("Invalid config for LocalProxy inbound"));
     };
 
     let bind_addr = format!("{}:{}", listen, port);
     tracing::info!("Starting {} proxy inbound on {} (tag: {})", protocol, bind_addr, tag);
 
+    let _proxy_guard = if set_system_proxy {
+        let proxy_host = if listen == "0.0.0.0" { "127.0.0.1" } else { &listen };
+        Some(crate::sysproxy::SystemProxyGuard::enable(&format!("{}:{}", proxy_host, port)))
+    } else {
+        None
+    };
+
     let listener = TcpListener::bind(&bind_addr).await?;
 
     loop {
@@ -85,7 +92,7 @@ async fn handle_socks5_connection(
     }
     
     let atyp = buf[3];
-    let (target_host, mut ip_addr) = match atyp {
+    let (target_host, ip_addr) = match atyp {
         0x01 => { // IPv4
             stream.read_exact(&mut buf[0..4]).await?;
             let ip = std::net::Ipv4Addr::new(buf[0], buf[1], buf[2], buf[3]);

ostp-client/src/tunnel/inbounds/tun.rs

@@ -1,6 +1,7 @@
 use anyhow::{anyhow, Result};
 use std::sync::Arc;
 use crate::config::{ClientConfig, InboundConfig};
+#[allow(unused_imports)]
 use crate::tunnel::router::{Router, Session};
 use crate::tunnel::outbounds::OutboundManager;
 use tokio::sync::watch;
@@ -13,7 +14,7 @@ pub async fn run_tun_inbound(
     outbound_manager: Arc<OutboundManager>,
     mut shutdown: watch::Receiver<bool>,
 ) -> Result<()> {
-    use std::net::ToSocketAddrs;
+    
     use netstack_smoltcp::StackBuilder;
     use tokio::io::{AsyncReadExt, AsyncWriteExt};
     use futures::{StreamExt, SinkExt};
@@ -72,7 +73,7 @@ pub async fn run_tun_inbound(
     #[allow(unused_variables)]
     let mut _route_guard = None;
 
-    let (mut tun_to_stack, mut stack_to_tun) = {
+    let (tun_to_stack, stack_to_tun) = {
         #[cfg(target_os = "android")]
         {
             if let Some(fd) = fd {
@@ -183,7 +184,7 @@ pub async fn run_tun_inbound(
     let router_tcp = router.clone();
     let tag_tcp = tag.clone();
     
-    let mut tcp_accept_task = tokio::spawn(async move {
+    let tcp_accept_task = tokio::spawn(async move {
         let Some(mut listener) = tcp_listener else { return; };
         while let Some((mut stream, local, remote)) = listener.next().await {
             let om = outbound_manager_tcp.clone();
@@ -249,7 +250,7 @@ pub async fn run_tun_inbound(
     let router_udp = router.clone();
     let tag_udp = tag.clone();
     
-    let mut udp_proxy_task = tokio::spawn(async move {
+    let udp_proxy_task = tokio::spawn(async move {
         if let Some(udp_sock) = udp_socket {
             let (mut udp_rx, _udp_tx) = udp_sock.split();
             while let Some((payload, local, remote)) = udp_rx.next().await {

ostp-client/src/tunnel/outbounds/direct.rs

@@ -66,7 +66,7 @@ pub fn bind_socket_to_interface(socket: &tokio::net::TcpSocket, _is_ipv6: bool,
     Ok(())
 }
 
-pub async fn dial_tcp(target_host: &str, target_port: u16, phys_if_idx: Option<u32>) -> Result<TcpStream> {
+pub async fn dial_tcp(target_host: &str, target_port: u16, _phys_if_idx: Option<u32>) -> Result<TcpStream> {
     let addrs = tokio::net::lookup_host((target_host, target_port)).await?.collect::<Vec<_>>();
     if addrs.is_empty() {
         return Err(anyhow!("Could not resolve target host: {}", target_host));
@@ -79,7 +79,7 @@ pub async fn dial_tcp(target_host: &str, target_port: u16, phys_if_idx: Option<u
     };
 
     #[cfg(target_os = "windows")]
-    if let Some(idx) = phys_if_idx {
+    if let Some(idx) = _phys_if_idx {
         if let Err(e) = bind_socket_to_interface(&socket, target_addr.is_ipv6(), idx) {
             tracing::warn!("DIRECT: Failed to bind to physical interface {}: {}", idx, e);
         }

ostp-client/src/tunnel/outbounds/mod.rs

@@ -1,6 +1,5 @@
 use anyhow::{anyhow, Result};
 use std::sync::Arc;
-use tokio::net::TcpStream;
 use crate::tunnel::balancer::Balancer;
 use crate::config::OutboundConfig;
 
@@ -12,7 +11,7 @@ pub mod socks;
 pub struct OutboundManager {
     balancer: Arc<Balancer>,
     phys_if_index: Option<u32>,
-    phys_if_name: Option<String>,
+    _phys_if_name: Option<String>,
 }
 
 impl OutboundManager {
@@ -24,7 +23,7 @@ impl OutboundManager {
         Self {
             balancer,
             phys_if_index,
-            phys_if_name,
+            _phys_if_name: phys_if_name,
         }
     }
 
@@ -40,7 +39,7 @@ impl OutboundManager {
                 block::dial_tcp(target_host, target_port).await
             }
             OutboundConfig::Ostp { server, port, access_key, transport, multiplex, .. } => {
-                ostp::dial_tcp(server, *port, access_key, transport, multiplex).await
+                ostp::dial_tcp(target_host, target_port, server, *port, access_key, transport, multiplex).await
             }
             OutboundConfig::Socks { server, port, .. } => {
                 socks::dial_tcp(target_host, target_port, server, *port).await

ostp-client/src/tunnel/outbounds/ostp.rs

@@ -1,68 +1,185 @@
-use anyhow::{anyhow, Result};
+use anyhow::Result;
 use tokio::net::TcpStream;
 use crate::config::{TransportConfig, MultiplexConfig};
 
-use ostp_core::{NoiseRole, OstpEvent, ProtocolAction, ProtocolConfig, ProtocolMachine};
+use ostp_core::{OstpEvent, ProtocolAction, ProtocolConfig, ProtocolMachine};
 use tokio::io::{AsyncReadExt, AsyncWriteExt};
-use tokio::net::UdpSocket;
+
+/// Build the handshake payload the server expects:
+/// [timestamp_u64_be (8 bytes)] [session_id_u32_be (4 bytes)] [access_key bytes]
+fn build_handshake_payload(session_id: u32, access_key: &str) -> Vec<u8> {
+    let ts = std::time::SystemTime::now()
+        .duration_since(std::time::UNIX_EPOCH)
+        .unwrap_or_default()
+        .as_secs();
+    let mut payload = Vec::with_capacity(12 + access_key.len());
+    payload.extend_from_slice(&ts.to_be_bytes());
+    payload.extend_from_slice(&session_id.to_be_bytes());
+    payload.extend_from_slice(access_key.as_bytes());
+    payload
+}
+
+/// Build a correctly configured ProtocolConfig for an outgoing OSTP connection.
+fn make_initiator_config(
+    session_id: u32,
+    access_key: &str,
+    transport_cfg: &TransportConfig,
+) -> ProtocolConfig {
+    let secrets = ostp_core::crypto::derive_all_secrets(access_key.as_bytes());
+    let payload = build_handshake_payload(session_id, access_key);
+    
+    let mtu = match transport_cfg.r#type.as_str() {
+        "dns" => 1100,
+        _ => 1350,
+    };
+
+    ProtocolConfig {
+        role: ostp_core::NoiseRole::Initiator,
+        psk: secrets.psk,
+        session_id,
+        handshake_payload: payload,
+        max_padding: 256,
+        padding_strategy: ostp_core::framing::PaddingStrategy::Adaptive,
+        obfuscation_key: secrets.obfuscation_key,
+        max_reorder: 16384,
+        max_reorder_buffer: 8192,
+        ack_delay_ms: 5,
+        rto_ms: 100,
+        max_retries: 8,
+        max_sent_history: 32768,
+        handshake_pad_min: secrets.handshake_pad_min,
+        handshake_pad_max: secrets.handshake_pad_max,
+        mtu,
+    }
+}
+
+fn random_session_id() -> u32 {
+    use std::collections::hash_map::DefaultHasher;
+    use std::hash::{Hash, Hasher};
+    let mut h = DefaultHasher::new();
+    std::time::Instant::now().hash(&mut h);
+    std::thread::current().id().hash(&mut h);
+    h.finish() as u32
+}
 
 pub async fn dial_tcp(
+    target_host: &str,
+    target_port: u16,
     server: &str,
     port: u16,
     access_key: &str,
     transport_cfg: &TransportConfig,
     _multiplex: &MultiplexConfig,
 ) -> Result<TcpStream> {
+    tracing::info!("Dialing OSTP server {}:{} for target {}:{}", server, port, target_host, target_port);
     let listener = tokio::net::TcpListener::bind("127.0.0.1:0").await?;
     let local_addr = listener.local_addr()?;
     let client_stream = tokio::net::TcpStream::connect(local_addr).await?;
     let (mut server_stream, _) = listener.accept().await?;
 
-    let transport = match transport_cfg.r#type.as_str() {
+    let transport = make_transport(transport_cfg, server, port).await?;
-        "dns" => {
-            let domain = transport_cfg.domain.clone().unwrap_or_else(|| "tunnel.example.com".to_string());
-            let resolver = transport_cfg.resolver.clone().unwrap_or_else(|| "8.8.8.8".to_string());
-            crate::transport::dns::start_dns_transport(domain, resolver, transport_cfg.pubkey.clone()).await?
-        }
-        // Fallback to UDP for now if unknown
-        _ => {
-            let udp = tokio::net::UdpSocket::bind("0.0.0.0:0").await?;
-            udp.connect((server, port)).await?;
-            crate::transport::Transport::Udp(std::sync::Arc::new(udp))
-        }
-    };
-    
-    let mut psk = [0u8; 32];
-    let key_bytes = access_key.as_bytes();
-    let len = key_bytes.len().min(32);
-    psk[..len].copy_from_slice(&key_bytes[..len]);
-    
-    let config = ProtocolConfig {
-        role: ostp_core::NoiseRole::Initiator,
-        psk,
-        session_id: 1,
-        handshake_payload: vec![],
-        max_padding: 0,
-        padding_strategy: ostp_core::framing::PaddingStrategy::Fixed(0),
-        obfuscation_key: [0; 8],
-        max_reorder: 16384,
-        max_reorder_buffer: 8192,
-        ack_delay_ms: 10,
-        rto_ms: 100,
-        max_retries: 5,
-        max_sent_history: 32768,
-        handshake_pad_min: 8,
-        handshake_pad_max: 24,
-        mtu: 1400,
-    };
 
+    let session_id = random_session_id();
+    let config = make_initiator_config(session_id, access_key, transport_cfg);
     let mut machine = ProtocolMachine::new(config).unwrap();
 
+    let target_host_str = target_host.to_string();
+
+        let server_str = server.to_string();
+        
         // Spawn bridge task
         tokio::spawn(async move {
+            // Send initial handshake
             if let Ok(action) = machine.on_event(OstpEvent::Start) {
                 handle_action(action, &transport, &mut server_stream).await;
             }
+    
+            // Wait for handshake response (server sends HandshakePayload back)
+            let mut buf = [0u8; 8192];
+            let mut handshake_success = false;
+            match tokio::time::timeout(
+                std::time::Duration::from_millis(15000),
+                transport.recv(&mut buf),
+            ).await {
+                Ok(Ok(n)) => {
+                    if let Ok(action) = machine.on_event(OstpEvent::Inbound(bytes::Bytes::copy_from_slice(&buf[..n]))) {
+                        handle_action(action, &transport, &mut server_stream).await;
+                        handshake_success = true;
+                    }
+                }
+                _ => {
+                    tracing::warn!("OSTP handshake timeout for {}:{}", server_str, port);
+                    return;
+                }
+            }
+
+        if !handshake_success {
+            tracing::warn!("TCP handshake failed or protocol machine error");
+            return;
+        }
+
+        // Send connection request
+        let connect_msg = ostp_core::relay::RelayMessage::Connect(format!("{}:{}", target_host_str, target_port));
+        let connect_encoded = connect_msg.encode();
+        if let Ok(action) = machine.on_event(OstpEvent::Outbound(1, bytes::Bytes::from(connect_encoded))) {
+            handle_action(action, &transport, &mut server_stream).await;
+        }
+
+        // ── Wait for ConnectOk before forwarding any data ─────────────────
+        // This is critical: if we enter the data loop immediately, the TLS
+        // ClientHello arrives at the server before it has established the
+        // outbound TCP connection, causing it to drop the packet as
+        // "Relay DATA for unknown stream".
+        // The kernel will buffer incoming data from server_stream while we wait.
+        let mut connect_ok = false;
+        match tokio::time::timeout(
+            std::time::Duration::from_secs(30),
+            async {
+                let mut wait_buf = [0u8; 8192];
+                loop {
+                    tokio::select! {
+                        Ok(n) = transport.recv(&mut wait_buf) => {
+                            if let Ok(action) = machine.on_event(OstpEvent::Inbound(
+                                bytes::Bytes::copy_from_slice(&wait_buf[..n]),
+                            )) {
+                                // Check for ConnectOk or Error before dispatching
+                                let result = check_connect_result(&action);
+                                handle_action(action, &transport, &mut server_stream).await;
+                                match result {
+                                    Some(true) => return true,
+                                    Some(false) => return false,
+                                    None => {}
+                                }
+                            }
+                        }
+                        _ = tokio::time::sleep(std::time::Duration::from_millis(10)) => {
+                            if let Ok(action) = machine.on_event(OstpEvent::Tick) {
+                                handle_action(action, &transport, &mut server_stream).await;
+                            }
+                        }
+                    }
+                }
+            },
+        )
+        .await
+        {
+            Ok(true) => {
+                tracing::debug!("ConnectOk received for {}:{}, starting data forwarding", target_host_str, target_port);
+                connect_ok = true;
+            }
+            Ok(false) => {
+                tracing::warn!("Server refused connection to {}:{}", target_host_str, target_port);
+            }
+            Err(_) => {
+                tracing::warn!("ConnectOk timeout for {}:{}", target_host_str, target_port);
+            }
+        }
+
+        if !connect_ok {
+            return;
+        }
+
+        // ── Main bidirectional data forwarding loop ───────────────────────
         let mut buf = [0u8; 65535];
         let mut udp_buf = [0u8; 65535];
 
@@ -70,7 +187,9 @@ pub async fn dial_tcp(
             tokio::select! {
                 Ok(n) = server_stream.read(&mut buf) => {
                     if n == 0 { break; }
-                    if let Ok(action) = machine.on_event(OstpEvent::Outbound(1, bytes::Bytes::copy_from_slice(&buf[..n]))) {
+                    let data_msg = ostp_core::relay::RelayMessage::Data(buf[..n].to_vec());
+                    let encoded = data_msg.encode();
+                    if let Ok(action) = machine.on_event(OstpEvent::Outbound(1, bytes::Bytes::from(encoded))) {
                         handle_action(action, &transport, &mut server_stream).await;
                     }
                 }
@@ -88,6 +207,7 @@ pub async fn dial_tcp(
         }
     });
 
+
     Ok(client_stream)
 }
 
@@ -101,64 +221,55 @@ pub async fn handle_udp(
     transport_cfg: &TransportConfig,
     _multiplex: &MultiplexConfig,
 ) -> Result<()> {
-    let transport = match transport_cfg.r#type.as_str() {
+    let transport = make_transport(transport_cfg, server, port).await?;
-        "dns" => {
+
-            let domain = transport_cfg.domain.clone().unwrap_or_else(|| "tunnel.example.com".to_string());
+    // Derive session_id from client source addr for stable per-flow sessions
-            let resolver = transport_cfg.resolver.clone().unwrap_or_else(|| "8.8.8.8".to_string());
+    let ip_bytes = match client_src.ip() {
-            crate::transport::dns::start_dns_transport(domain, resolver, transport_cfg.pubkey.clone()).await?
+        std::net::IpAddr::V4(v4) => {
+            let o = v4.octets();
+            u32::from_be_bytes(o)
         }
-        _ => {
+        std::net::IpAddr::V6(v6) => {
-            let udp = tokio::net::UdpSocket::bind("0.0.0.0:0").await?;
+            let o = v6.octets();
-            udp.connect((server, port)).await?;
+            u32::from_be_bytes([o[12], o[13], o[14], o[15]])
-            crate::transport::Transport::Udp(std::sync::Arc::new(udp))
         }
     };
+    let session_id = ip_bytes ^ (client_src.port() as u32);
 
-    let mut psk = [0u8; 32];
+    let config = make_initiator_config(session_id, access_key, transport_cfg);
-    let key_bytes = access_key.as_bytes();
-    let len = key_bytes.len().min(32);
-    psk[..len].copy_from_slice(&key_bytes[..len]);
-
-    let config = ProtocolConfig {
-        role: ostp_core::NoiseRole::Initiator,
-        psk,
-        session_id: u32::from_ne_bytes([
-            client_src.ip().to_string().as_bytes().get(0).copied().unwrap_or(0),
-            client_src.ip().to_string().as_bytes().get(1).copied().unwrap_or(0),
-            client_src.ip().to_string().as_bytes().get(2).copied().unwrap_or(0),
-            client_src.ip().to_string().as_bytes().get(3).copied().unwrap_or(0),
-        ]),
-        handshake_payload: vec![],
-        max_padding: 0,
-        padding_strategy: ostp_core::framing::PaddingStrategy::Fixed(0),
-        obfuscation_key: [0; 8],
-        max_reorder: 4096,
-        max_reorder_buffer: 2048,
-        ack_delay_ms: 50,
-        rto_ms: 200,
-        max_retries: 3,
-        max_sent_history: 8192,
-        handshake_pad_min: 8,
-        handshake_pad_max: 24,
-        mtu: 1400,
-    };
-
     let mut machine = ProtocolMachine::new(config)?;
 
-    // Send initial packet with UDP payload
+    // Send handshake first
     if let Ok(action) = machine.on_event(OstpEvent::Start) {
         handle_udp_action(action, &transport).await;
     }
 
-    // Send the actual UDP payload
+    // Wait for handshake response (server sends HandshakePayload back)
-    let relay_msg = ostp_core::relay::RelayMessage::Connect(format!("{}:{}", target_dst.ip(), target_dst.port()));
+    let mut buf = [0u8; 8192];
-    let encoded = relay_msg.encode();
+    match tokio::time::timeout(
+        std::time::Duration::from_millis(15000),
+        transport.recv(&mut buf),
+    ).await {
+        Ok(Ok(n)) => {
+            let _ = machine.on_event(OstpEvent::Inbound(bytes::Bytes::copy_from_slice(&buf[..n])));
+        }
+        _ => {
+            tracing::warn!("OSTP handshake timeout for {}:{}", server, port);
+            return Ok(());
+        }
+    }
+
+    // Send relay UdpAssociate + data
+    let assoc_msg = ostp_core::relay::RelayMessage::UdpAssociate;
+    let encoded = assoc_msg.encode();
     if let Ok(action) = machine.on_event(OstpEvent::Outbound(1, bytes::Bytes::from(encoded))) {
         handle_udp_action(action, &transport).await;
     }
 
-    // Send data packet
+    let data_msg = ostp_core::relay::RelayMessage::UdpData(
-    let data_msg = ostp_core::relay::RelayMessage::Data(payload.to_vec());
+        format!("{}:{}", target_dst.ip(), target_dst.port()),
+        payload.to_vec()
+    );
     let encoded = data_msg.encode();
     if let Ok(action) = machine.on_event(OstpEvent::Outbound(1, bytes::Bytes::from(encoded))) {
         handle_udp_action(action, &transport).await;
@@ -166,13 +277,15 @@ pub async fn handle_udp(
 
     // Keep-alive for a short time to receive response
     for _ in 0..5 {
-        let mut buf = [0u8; 8192];
         match tokio::time::timeout(
             std::time::Duration::from_millis(100),
-            transport.recv(&mut buf)
+            transport.recv(&mut buf),
         ).await {
             Ok(Ok(n)) => {
-                let _ = machine.on_event(OstpEvent::Inbound(bytes::Bytes::copy_from_slice(&buf[..n])));
+                if let Ok(action) = machine.on_event(OstpEvent::Inbound(bytes::Bytes::copy_from_slice(&buf[..n]))) {
+                    // Just process incoming UDP response internally
+                    let _ = action;
+                }
             }
             _ => break,
         }
@@ -181,6 +294,29 @@ pub async fn handle_udp(
     Ok(())
 }
 
+async fn make_transport(
+    transport_cfg: &TransportConfig,
+    server: &str,
+    port: u16,
+) -> Result<crate::transport::Transport> {
+    match transport_cfg.r#type.as_str() {
+        "dns" => {
+            let domain = transport_cfg.domain.clone()
+                .unwrap_or_else(|| "tunnel.example.com".to_string());
+            let resolver = transport_cfg.resolver.clone()
+                .unwrap_or_else(|| server.to_string());
+            let transport = crate::transport::dns::start_dns_transport(domain, resolver, transport_cfg.pubkey.clone()).await
+                .map_err(|e| anyhow::anyhow!(e))?;
+            Ok(transport)
+        }
+        _ => {
+            let udp = tokio::net::UdpSocket::bind("0.0.0.0:0").await?;
+            udp.connect((server, port)).await?;
+            Ok(crate::transport::Transport::Udp(std::sync::Arc::new(udp)))
+        }
+    }
+}
+
 async fn handle_udp_action(action: ProtocolAction, transport: &crate::transport::Transport) {
     match action {
         ProtocolAction::SendDatagram(data) => {
@@ -203,17 +339,53 @@ async fn handle_action(action: ProtocolAction, transport: &crate::transport::Tra
             let _ = transport.send(&data).await;
         }
         ProtocolAction::DeliverApp(_stream_id, payload) => {
-            let _ = server_stream.write_all(&payload).await;
+            if let Ok(msg) = ostp_core::relay::RelayMessage::decode(&payload) {
+                match msg {
+                    ostp_core::relay::RelayMessage::Data(data) => {
+                        let _ = server_stream.write_all(&data).await;
+                    }
+                    ostp_core::relay::RelayMessage::ConnectOk => {
+                        tracing::debug!("TCP Connection established successfully");
+                    }
+                    ostp_core::relay::RelayMessage::Error(err) => {
+                        tracing::warn!("Server returned TCP connection error: {}", err);
+                    }
+                    _ => {}
+                }
+            }
         }
         ProtocolAction::Multiple(actions) => {
             for a in actions {
-                match a {
+                Box::pin(handle_action(a, transport, server_stream)).await;
-                    ProtocolAction::SendDatagram(data) => { let _ = transport.send(&data).await; }
-                    ProtocolAction::DeliverApp(_stream_id, payload) => { let _ = server_stream.write_all(&payload).await; }
-                    _ => {}
-                }
             }
         }
         _ => {}
     }
 }
+
+/// Inspect a ProtocolAction for ConnectOk / Error relay messages.
+/// Returns Some(true) on ConnectOk, Some(false) on Error, None if neither.
+/// Works recursively through Multiple actions.
+fn check_connect_result(action: &ProtocolAction) -> Option<bool> {
+    match action {
+        ProtocolAction::DeliverApp(_stream_id, payload) => {
+            if let Ok(msg) = ostp_core::relay::RelayMessage::decode(payload) {
+                match msg {
+                    ostp_core::relay::RelayMessage::ConnectOk => return Some(true),
+                    ostp_core::relay::RelayMessage::Error(_) => return Some(false),
+                    _ => {}
+                }
+            }
+            None
+        }
+        ProtocolAction::Multiple(actions) => {
+            for a in actions {
+                if let Some(result) = check_connect_result(a) {
+                    return Some(result);
+                }
+            }
+            None
+        }
+        _ => None,
+    }
+}

ostp-client/src/tunnel/process_lookup.rs

@@ -126,7 +126,6 @@ pub fn get_process_name_from_port(port: u16) -> Option<String> {
     use std::fs;
     use std::io::{BufRead, BufReader};
 
-    let mut target_inode = None;
     let hex_port = format!("{:04X}", port);
 
     let check_net_file = |path: &str| -> Option<u64> {
@@ -146,12 +145,11 @@ pub fn get_process_name_from_port(port: u16) -> Option<String> {
         None
     };
 
-    target_inode = check_net_file("/proc/net/tcp")
+    let target_inode = check_net_file("/proc/net/tcp")
         .or_else(|| check_net_file("/proc/net/tcp6"))
         .or_else(|| check_net_file("/proc/net/udp"))
-        .or_else(|| check_net_file("/proc/net/udp6"));
+        .or_else(|| check_net_file("/proc/net/udp6"))?;
 
-    let target_inode = target_inode?;
     let socket_str = format!("socket:[{}]", target_inode);
 
     for entry in fs::read_dir("/proc").ok()?.filter_map(Result::ok) {

ostp-core/Cargo.toml

@@ -17,3 +17,5 @@ sha2.workspace = true
 hmac.workspace = true
 x25519-dalek = { version = "2.0.1", features = ["static_secrets"] }
 hkdf = "0.12.0"
+tokio.workspace = true
+serde = { version = "1.0", features = ["derive"] }

ostp-core/src/dns.rs

@@ -1,5 +1,5 @@
 use byteorder::{BigEndian, ReadBytesExt, WriteBytesExt};
-use std::io::{Cursor, Read, Write};
+use std::io::{Cursor, Read};
 
 const BASE32_ALPHABET: &[u8] = b"abcdefghijklmnopqrstuvwxyz234567";
 

ostp-core/src/dns_prober.rs

@@ -0,0 +1,94 @@
+use std::time::Duration;
+use tokio::time::Instant;
+use crate::dns::{DnsPacket, DnsRecordType, encode_payload_to_domain};
+use rand::Rng;
+use serde::{Deserialize, Serialize};
+
+#[derive(Serialize, Deserialize, Clone)]
+pub struct DnsProbeResult {
+    pub name: String,
+    pub ip: String,
+    pub latency_ms: Option<u64>,
+}
+
+const PUBLIC_DNS_SERVERS: &[(&str, &str)] = &[
+    ("Cloudflare",  "1.1.1.1"),
+    ("Cloudflare2", "1.0.0.1"),
+    ("Google",      "8.8.8.8"),
+    ("Google2",     "8.8.4.4"),
+    ("Quad9",       "9.9.9.9"),
+    ("AdGuard",     "94.140.14.14"),
+    ("Yandex",      "77.88.8.8"),
+    ("Yandex2",     "77.88.8.1"),
+    ("SkyDNS",      "193.58.251.251"),
+    ("AliDNS",      "223.5.5.5"),
+    ("Tencent",     "119.29.29.29"),
+    ("114DNS",      "114.114.114.114"),
+    ("Shecan",      "178.22.122.100"),
+    ("Electro",     "78.157.42.100"),
+    ("Begzar",      "185.55.226.26"),
+];
+
+async fn probe_resolver(domain: &str, resolver_ip: &str) -> Option<u64> {
+    let (probe_bytes, id) = {
+        let mut rng = rand::thread_rng();
+        let probe_bytes: [u8; 4] = rng.gen();
+        let id: u16 = rng.gen();
+        (probe_bytes, id)
+    };
+
+    let fqdn = encode_payload_to_domain(&probe_bytes, domain);
+    let qtype = if rand::thread_rng().gen_bool(0.5) { DnsRecordType::TXT } else { DnsRecordType::NULL };
+    let packet = DnsPacket::new_query(id, &fqdn, qtype);
+    let encoded = packet.encode();
+
+    let sock = tokio::net::UdpSocket::bind("0.0.0.0:0").await.ok()?;
+    sock.connect(format!("{}:53", resolver_ip)).await.ok()?;
+
+    let start = Instant::now();
+    sock.send(&encoded).await.ok()?;
+
+    let mut buf = [0u8; 4096];
+    match tokio::time::timeout(Duration::from_secs(2), sock.recv(&mut buf)).await {
+        Ok(Ok(n)) => {
+            if let Some(resp) = DnsPacket::decode(&buf[..n]) {
+                // Check if RCODE == 0 (NOERROR) and it has answers
+                let rcode = resp.flags & 0x000F;
+                if rcode == 0 && !resp.answers.is_empty() {
+                    return Some(start.elapsed().as_millis() as u64);
+                }
+            }
+            None
+        },
+        _ => None,
+    }
+}
+
+pub async fn run_dns_prober(domain: &str) -> Result<Vec<DnsProbeResult>, String> {
+    if domain.is_empty() {
+        return Err("Please enter the tunnel domain first (e.g. tunnel.myvpn.com)".into());
+    }
+
+    let tasks: Vec<_> = PUBLIC_DNS_SERVERS
+        .iter()
+        .map(|(name, ip)| {
+            let domain = domain.to_string();
+            let name = name.to_string();
+            let ip   = ip.to_string();
+            tokio::spawn(async move {
+                let latency_ms = probe_resolver(&domain, &ip).await;
+                DnsProbeResult { name, ip, latency_ms }
+            })
+        })
+        .collect();
+
+    let mut results = Vec::with_capacity(tasks.len());
+    for task in tasks {
+        if let Ok(r) = task.await {
+            results.push(r);
+        }
+    }
+
+    results.sort_by_key(|r| r.latency_ms.unwrap_or(u64::MAX));
+    Ok(results)
+}

ostp-core/src/lib.rs

@@ -5,6 +5,7 @@ pub mod protocol;
 pub mod relay;
 pub mod resumption;
 pub mod dns;
+pub mod dns_prober;
 
 pub use crypto::NoiseRole;
 pub use framing::{TrafficProfile, PaddingStrategy};

ostp-core/src/protocol.rs

@@ -392,12 +392,20 @@ impl ProtocolMachine {
             self.last_recv_advance = Instant::now();
         } else {
             // Gap detected
+            if self.reorder_buffer.len() >= self.max_reorder_buffer {
+                tracing::warn!("Reorder buffer full ({}/{}), dropping new frame nonce={} to wait for recovery of nonce={}",
+                    self.reorder_buffer.len(), self.max_reorder_buffer, nonce, self.expected_recv_nonce
+                );
+            }
+
+            if nonce >= self.expected_recv_nonce {
                 if self.reorder_buffer.len() < self.max_reorder_buffer {
                     self.reorder_buffer.insert(nonce, action);
                 } else {
-                tracing::warn!("Reorder buffer full ({}/{}), dropping frame nonce={}",
+                    tracing::warn!("Reorder buffer still full after gap recovery, dropping frame nonce={}", nonce);
-                    self.reorder_buffer.len(), self.max_reorder_buffer, nonce
+                }
-                );
+            } else {
+                tracing::debug!("Frame nonce={} arrived too late after gap recovery, dropping", nonce);
             }
 
             // Rate-limited NACK: send at most once per 30ms to prevent retransmit storms.
@@ -511,32 +519,6 @@ impl ProtocolMachine {
     fn handle_tick(&mut self) -> Result<ProtocolAction, ProtocolError> {
         let mut actions = Vec::new();
 
-        // ── Gap Recovery ──────────────────────────────────────────────
-        // If expected_recv_nonce hasn't advanced for 500ms+ and there
-        // are buffered frames waiting, the sender likely evicted the lost
-        // frame from sent_history. Skip the gap to restore data flow.
-        // This trades a small amount of data loss for connection liveness.
-        if !self.reorder_buffer.is_empty()
-            && self.last_recv_advance.elapsed() > Duration::from_millis(500)
-        {
-            if let Some(&first_buffered) = self.reorder_buffer.keys().next() {
-                let skipped = first_buffered.saturating_sub(self.expected_recv_nonce);
-                self.expected_recv_nonce = first_buffered;
-                self.last_recv_advance = Instant::now();
-
-                let mut delivered = 0u64;
-                while let Some(buffered_action) = self.reorder_buffer.remove(&self.expected_recv_nonce) {
-                    actions.push(buffered_action);
-                    self.expected_recv_nonce = self.expected_recv_nonce.saturating_add(1);
-                    delivered += 1;
-                }
-                self.ack_pending = true;
-                tracing::debug!("Gap recovery: skipped {} lost frames, delivered {} buffered frames (reorder_buf={})",
-                    skipped, delivered, self.reorder_buffer.len()
-                );
-            }
-        }
-
         // ── Pending ACK flush ─────────────────────────────────────────
         if let Some(ack_frame) = self.build_ack_if_due()? {
             actions.push(ProtocolAction::SendDatagram(ack_frame));

ostp-flutter/android/app/src/main/kotlin/com/ospab/ostp_client/MainActivity.kt

@@ -95,6 +95,15 @@ class MainActivity : FlutterActivity() {
                         result.error("ERROR", e.message, null)
                     }
                 }
+                "runDnsProber" -> {
+                    try {
+                        val domain = call.argument<String>("domain") ?: "example.com"
+                        val json = net.ostp.client.OstpClientSdk.nativeRunDnsProber(domain)
+                        result.success(json)
+                    } catch (e: Throwable) {
+                        result.error("ERROR", e.message, null)
+                    }
+                }
                 "getInstalledApps" -> {
                     try {
                         val pm = packageManager

ostp-flutter/android/app/src/main/kotlin/net/ostp/client/OstpClientSdk.kt

@@ -50,4 +50,8 @@ object OstpClientSdk {
     @Keep
     @JvmStatic
     external fun notifyNetworkChanged()
+
+    @Keep
+    @JvmStatic
+    external fun nativeRunDnsProber(domain: String): String
 }

ostp-flutter/lib/main.dart

@@ -26,11 +26,11 @@ class OstpApp extends StatelessWidget {
       debugShowCheckedModeBanner: false,
       theme: ThemeData(
         brightness: Brightness.dark,
-        scaffoldBackgroundColor: const Color(0xFF08080F),
+        scaffoldBackgroundColor: const Color(0xFF030303),
         colorScheme: const ColorScheme.dark(
-          primary: Color(0xFF6C72FF),
+          primary: Color(0xFFF9FAFB),
-          secondary: Color(0xFF22D3A5),
+          secondary: Color(0xFF10B981),
-          surface: Color(0xFF151522),
+          surface: Color(0xFF09090B),
         ),
         fontFamily: 'Inter',
         useMaterial3: true,

ostp-flutter/lib/ui/home_screen.dart

@@ -6,6 +6,7 @@ import 'package:flutter/material.dart';
 import 'package:flutter/services.dart';
 import 'package:shared_preferences/shared_preferences.dart';
 import 'package:mobile_scanner/mobile_scanner.dart';
+import 'package:flutter_svg/flutter_svg.dart';
 import '../models/connection_state_enum.dart';
 import 'settings_screen.dart';
 import 'logs_screen.dart';
@@ -517,31 +518,16 @@ class _HomeScreenState extends State<HomeScreen> with TickerProviderStateMixin {
     return Scaffold(
       body: Stack(
         children: [
-          Positioned(
+          Center(
-            top: -150, right: -100,
+            child: Opacity(
-            child: Container(
+              opacity: theme.brightness == Brightness.dark ? 0.05 : 0.06,
-              width: 400, height: 400,
+              child: SvgPicture.asset(
-              decoration: BoxDecoration(
+                'assets/logo.svg',
-                shape: BoxShape.circle,
+                width: MediaQuery.of(context).size.width * 0.8,
-                color: theme.colorScheme.primary.withOpacity(0.15),
+                fit: BoxFit.contain,
-              ),
+                colorFilter: theme.brightness == Brightness.light 
-              child: BackdropFilter(
+                    ? const ColorFilter.mode(Colors.black, BlendMode.srcIn) 
-                filter: ImageFilter.blur(sigmaX: 100, sigmaY: 100),
+                    : null,
-                child: Container(),
-              ),
-            ),
-          ),
-          Positioned(
-            bottom: -100, left: -100,
-            child: Container(
-              width: 350, height: 350,
-              decoration: BoxDecoration(
-                shape: BoxShape.circle,
-                color: theme.colorScheme.secondary.withOpacity(0.1),
-              ),
-              child: BackdropFilter(
-                filter: ImageFilter.blur(sigmaX: 100, sigmaY: 100),
-                child: Container(),
               ),
             ),
           ),

ostp-flutter/lib/ui/settings_screen.dart

@@ -38,7 +38,7 @@ class _SettingsScreenState extends State<SettingsScreen> {
 
   bool _obscureKey = true;
   bool _debugMode = false;
-  String _dnsRegion = 'Global';
+  late TextEditingController _dnsRegionCtrl;
   String _transportMode = 'udp'; // 'udp' | 'uot'
   String _tunStack = 'ostp'; // 'system' | 'ostp'
   bool _muxEnabled = false;
@@ -58,9 +58,9 @@ class _SettingsScreenState extends State<SettingsScreen> {
     _ipsCtrl = TextEditingController(text: widget.prefs.getString('ex_ips') ?? '');
     _processesCtrl = TextEditingController(text: widget.prefs.getString('ex_processes') ?? '');
     _dnsDomainCtrl = TextEditingController(text: widget.prefs.getString('dns_domain') ?? '');
-    _pbkCtrl = TextEditingController(text: widget.prefs.getString('pbk') ?? '');
+    _dnsRegionCtrl = TextEditingController(text: widget.prefs.getString('dns_region') ?? '1.1.1.1');
+    _pbkCtrl = TextEditingController(text: widget.prefs.getString('tun_pbk') ?? '');
     _sidCtrl = TextEditingController(text: widget.prefs.getString('sid') ?? '');
-    _dnsRegion = widget.prefs.getString('dns_region') ?? 'Global';
     _transportMode = widget.prefs.getString('transport_mode') ?? 'udp';
     _tunStack = widget.prefs.getString('tun_stack') ?? 'ostp';
     _debugMode = widget.prefs.getBool('debug_mode') ?? false;
@@ -81,6 +81,7 @@ class _SettingsScreenState extends State<SettingsScreen> {
     _ipsCtrl.dispose();
     _processesCtrl.dispose();
     _dnsDomainCtrl.dispose();
+    _dnsRegionCtrl.dispose();
     _pbkCtrl.dispose();
     _sidCtrl.dispose();
     _muxSessionsCtrl.dispose();
@@ -97,11 +98,11 @@ class _SettingsScreenState extends State<SettingsScreen> {
     widget.prefs.setString('ex_ips', _ipsCtrl.text.trim());
     widget.prefs.setString('ex_processes', _processesCtrl.text.trim());
     widget.prefs.setBool('debug_mode', _debugMode);
-    widget.prefs.setString('dns_region', _dnsRegion);
     widget.prefs.setString('transport_mode', _transportMode);
     widget.prefs.setString('tun_stack', _tunStack);
     widget.prefs.setString('dns_domain', _dnsDomainCtrl.text.trim());
-    widget.prefs.setString('pbk', _pbkCtrl.text.trim());
+    widget.prefs.setString('dns_region', _dnsRegionCtrl.text.trim());
+    widget.prefs.setString('tun_pbk', _pbkCtrl.text.trim());
     widget.prefs.setString('sid', _sidCtrl.text.trim());
     widget.prefs.setBool('mux_enabled', _muxEnabled);
     widget.prefs.setString('mux_sessions', _muxSessionsCtrl.text.trim());
@@ -237,7 +238,7 @@ class _SettingsScreenState extends State<SettingsScreen> {
                       _serverCtrl.text = host;
                       _keyCtrl.text = key;
                       _dnsDomainCtrl.text = uri.queryParameters['domain'] ?? '';
-                      _dnsRegion = uri.queryParameters['region'] ?? 'Global';
+                      _dnsRegionCtrl.text = uri.queryParameters['resolver'] ?? '1.1.1.1';
                       
                       final type = uri.queryParameters['type'];
                       _transportMode = type == 'tcp' || type == 'http' ? 'uot' : (type == 'dns' ? 'dns' : 'udp');
@@ -349,30 +350,27 @@ class _SettingsScreenState extends State<SettingsScreen> {
                         const SizedBox(height: 16),
                         _buildTextField('Domain (Points to Server)', _dnsDomainCtrl, hint: 'tunnel.myvpn.com'),
                         const SizedBox(height: 16),
-                        DropdownButtonFormField<String>(
+                        Row(
-                          value: _dnsRegion,
+                          children: [
-                          dropdownColor: const Color(0xFF1E1E2C),
+                            Expanded(
-                          style: const TextStyle(color: Colors.white, fontSize: 14),
+                              child: _buildTextField('DNS Resolver Server', _dnsRegionCtrl, hint: '1.1.1.1'),
-                          decoration: InputDecoration(
-                            labelText: 'DNS Resolver Region',
-                            labelStyle: const TextStyle(color: Colors.white54, fontSize: 13),
-                            border: OutlineInputBorder(borderRadius: BorderRadius.circular(12)),
-                            contentPadding: const EdgeInsets.symmetric(horizontal: 16, vertical: 12),
                             ),
-                          items: ['Global', 'Russia', 'China', 'Iran'].map((String region) {
+                            const SizedBox(width: 8),
-                            return DropdownMenuItem<String>(
+                            Padding(
-                              value: region,
+                              padding: const EdgeInsets.only(top: 24.0),
-                              child: Text(region),
+                              child: ElevatedButton(
-                            );
+                                onPressed: _showDnsProberDialog,
-                          }).toList(),
+                                style: ElevatedButton.styleFrom(
-                          onChanged: (String? newValue) {
+                                  backgroundColor: Colors.orangeAccent.withOpacity(0.2),
-                            if (newValue != null) {
+                                  foregroundColor: Colors.orangeAccent,
-                              setState(() {
+                                  elevation: 0,
-                                _dnsRegion = newValue;
+                                  padding: const EdgeInsets.symmetric(horizontal: 12, vertical: 14),
-                                _saveSettings();
+                                  shape: RoundedRectangleBorder(borderRadius: BorderRadius.circular(12)),
-                              });
+                                ),
-                            }
+                                child: const Text('PROBER', style: TextStyle(fontWeight: FontWeight.bold, fontSize: 12)),
-                          },
+                              ),
+                            )
+                          ],
                         ),
                       ],
                     ),
@@ -529,8 +527,9 @@ class _SettingsScreenState extends State<SettingsScreen> {
     if (_dnsDomainCtrl.text.trim().isNotEmpty) {
       queryParams.add('domain=${Uri.encodeComponent(_dnsDomainCtrl.text.trim())}');
     }
-    if (_dnsRegion != 'Global') {
+    final resolver = _dnsRegionCtrl.text.trim();
-      queryParams.add('region=${Uri.encodeComponent(_dnsRegion)}');
+    if (resolver.isNotEmpty && resolver != '1.1.1.1') {
+      queryParams.add('resolver=${Uri.encodeComponent(resolver)}');
     }
     if (_pbkCtrl.text.trim().isNotEmpty) {
       queryParams.add('pbk=${Uri.encodeComponent(_pbkCtrl.text.trim())}');
@@ -603,6 +602,97 @@ class _SettingsScreenState extends State<SettingsScreen> {
     );
   }
 
+  Future<void> _showDnsProberDialog() async {
+    const channel = MethodChannel('com.ospab.ostp/vpn');
+    showDialog(
+      context: context,
+      barrierDismissible: false,
+      builder: (context) {
+        return StatefulBuilder(
+          builder: (context, setModalState) {
+            return AlertDialog(
+              backgroundColor: Theme.of(context).colorScheme.surface,
+              shape: RoundedRectangleBorder(borderRadius: BorderRadius.circular(20)),
+              title: const Text('DNS Prober', textAlign: TextAlign.center),
+              content: FutureBuilder<String?>(
+                future: channel.invokeMethod<String>('runDnsProber', {'domain': _dnsDomainCtrl.text.trim()}),
+                builder: (context, snapshot) {
+                  if (snapshot.connectionState == ConnectionState.waiting) {
+                    return const Column(
+                      mainAxisSize: MainAxisSize.min,
+                      children: [
+                        CircularProgressIndicator(),
+                        SizedBox(height: 16),
+                        Text('Sending real tunnel probes...', style: TextStyle(color: Colors.white54, fontSize: 13), textAlign: TextAlign.center),
+                      ],
+                    );
+                  }
+
+                  if (snapshot.hasError || !snapshot.hasData) {
+                    return Text('Error: ${snapshot.error}', style: const TextStyle(color: Colors.redAccent));
+                  }
+
+                  List<dynamic> results = [];
+                  try {
+                    results = jsonDecode(snapshot.data!);
+                  } catch (_) {}
+
+                  if (results.isEmpty) {
+                    return const Text('No results or all timed out.', style: TextStyle(color: Colors.redAccent));
+                  }
+
+                  return SizedBox(
+                    width: double.maxFinite,
+                    child: ListView.builder(
+                      shrinkWrap: true,
+                      itemCount: results.length,
+                      itemBuilder: (context, index) {
+                        final res = results[index];
+                        final name = res['name'] ?? '';
+                        final ip = res['ip'] ?? '';
+                        final latency = res['latency_ms'];
+                        
+                        final isBest = index == 0 && latency != null;
+                        
+                        return ListTile(
+                          onTap: latency != null ? () {
+                            setState(() {
+                              _dnsRegionCtrl.text = ip;
+                              _saveSettings();
+                            });
+                            Navigator.pop(context);
+                            ScaffoldMessenger.of(context).showSnackBar(SnackBar(content: Text('DNS set to $ip')));
+                          } : null,
+                          title: Text('${isBest ? '⭐ ' : ''}$name', style: const TextStyle(fontSize: 14)),
+                          subtitle: Text(ip, style: const TextStyle(fontSize: 12, color: Colors.white54)),
+                          trailing: Text(
+                            latency != null ? '$latency ms' : 'TIMEOUT',
+                            style: TextStyle(
+                              color: latency == null ? Colors.redAccent : (latency < 100 ? Colors.greenAccent : Colors.orangeAccent),
+                              fontWeight: FontWeight.bold,
+                            ),
+                          ),
+                          tileColor: isBest ? Colors.blueAccent.withOpacity(0.1) : null,
+                          shape: RoundedRectangleBorder(borderRadius: BorderRadius.circular(10)),
+                        );
+                      },
+                    ),
+                  );
+                },
+              ),
+              actions: [
+                TextButton(
+                  onPressed: () => Navigator.pop(context),
+                  child: const Text('Close'),
+                )
+              ],
+            );
+          }
+        );
+      }
+    );
+  }
+
   Future<void> _checkForUpdates() async {
     if (_isCheckingUpdates) return;
     setState(() { _isCheckingUpdates = true; });

ostp-flutter/pubspec.lock

@@ -134,6 +134,14 @@ packages:
       url: "https://pub.dev"
     source: hosted
     version: "6.0.0"
+  flutter_svg:
+    dependency: "direct main"
+    description:
+      name: flutter_svg
+      sha256: "35882981abcbfb8c15b286f0cd690ff25bac12d95eff3e25ee207f37d4c42e7f"
+      url: "https://pub.dev"
+    source: hosted
+    version: "2.3.0"
   flutter_test:
     dependency: "direct dev"
     description: flutter
@@ -272,6 +280,14 @@ packages:
       url: "https://pub.dev"
     source: hosted
     version: "1.9.1"
+  path_parsing:
+    dependency: transitive
+    description:
+      name: path_parsing
+      sha256: "883402936929eac138ee0a45da5b0f2c80f89913e6dc3bf77eb65b84b409c6ca"
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.1.0"
   path_provider_linux:
     dependency: transitive
     description:
@@ -581,6 +597,30 @@ packages:
       url: "https://pub.dev"
     source: hosted
     version: "3.1.5"
+  vector_graphics:
+    dependency: transitive
+    description:
+      name: vector_graphics
+      sha256: "2306c03da2ba81724afeb589c351ebbc0aa7d86005925be8f8735856dbe5e42d"
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.2.2"
+  vector_graphics_codec:
+    dependency: transitive
+    description:
+      name: vector_graphics_codec
+      sha256: "99fd9fbd34d9f9a32efd7b6a6aae14125d8237b10403b422a6a6dfeac2806146"
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.1.13"
+  vector_graphics_compiler:
+    dependency: transitive
+    description:
+      name: vector_graphics_compiler
+      sha256: "142a9146f447d15b10bdc00e21d5f4d83e5b32bb5f8f8f5a04c75311344923a3"
+      url: "https://pub.dev"
+    source: hosted
+    version: "1.2.6"
   vector_math:
     dependency: transitive
     description:

ostp-flutter/pubspec.yaml

@@ -16,7 +16,7 @@ publish_to: 'none' # Remove this line if you wish to publish to pub.dev
 # https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/CoreFoundationKeys.html
 # In Windows, build-name is used as the major, minor, and patch parts
 # of the product and file versions while build-number is used as the build suffix.
-version: 0.3.7+20
+version: 0.3.12+25
 
 environment:
   sdk: ^3.11.4
@@ -34,6 +34,7 @@ dependencies:
   # The following adds the Cupertino Icons font to your application.
   # Use with the CupertinoIcons class for iOS style icons.
   cupertino_icons: ^1.0.8
+  flutter_svg: ^2.0.10
   shared_preferences: ^2.5.5
   mobile_scanner: ^5.0.0
   window_manager: ^0.5.1
@@ -72,9 +73,8 @@ flutter:
   uses-material-design: true
 
   # To add assets to your application, add an assets section, like this:
-  # assets:
+  assets:
-  #   - images/a_dot_burr.jpeg
+    - assets/logo.svg
-  #   - images/a_dot_ham.jpeg
 
   # An image asset can refer to one or more resolution-specific "variants", see
   # https://flutter.dev/to/resolution-aware-images

ostp-gui/src-tauri/Cargo.lock

@@ -2665,7 +2665,7 @@ dependencies = [
 
 [[package]]
 name = "ostp-client"
-version = "0.2.98"
+version = "0.3.12"
 dependencies = [
  "anyhow",
  "base64 0.22.1",
@@ -2700,17 +2700,20 @@ dependencies = [
 
 [[package]]
 name = "ostp-core"
-version = "0.2.98"
+version = "0.3.12"
 dependencies = [
  "anyhow",
+ "byteorder",
  "bytes",
  "chacha20poly1305",
  "hkdf",
  "hmac",
  "rand",
+ "serde",
  "sha2",
  "snow",
  "thiserror 1.0.69",
+ "tokio",
  "tracing",
  "x25519-dalek",
 ]
@@ -2720,12 +2723,16 @@ name = "ostp-gui"
 version = "0.1.0"
 dependencies = [
  "anyhow",
+ "chacha20poly1305",
+ "hex",
  "json_comments",
  "ostp-client",
+ "ostp-core",
  "portable-atomic",
  "rand",
  "serde",
  "serde_json",
+ "sha2",
  "tauri",
  "tauri-build",
  "tauri-plugin-opener",
@@ -2735,7 +2742,7 @@ dependencies = [
 
 [[package]]
 name = "ostp-tun"
-version = "0.2.98"
+version = "0.3.12"
 dependencies = [
  "anyhow",
  "libc",

ostp-gui/src-tauri/Cargo.toml

@@ -26,6 +26,7 @@ tokio = { version = "1", features = ["full"] }
 anyhow = "1"
 tracing = "0.1"
 ostp-client = { path = "../../ostp-client" }
+ostp-core = { path = "../../ostp-core" }
 portable-atomic = "1"
 json_comments = "0.2"
 rand = "0.8"

ostp-gui/src-tauri/permissions/app-commands.toml

@@ -6,11 +6,15 @@ description = "Enables access to core OSTP commands"
 allow = [
   "start_tunnel",
   "stop_tunnel",
+  "reload_tunnel",
   "get_tunnel_status",
   "get_metrics",
   "get_config",
   "save_config",
   "get_wintun_install_path",
   "set_autostart",
-  "get_autostart"
+  "get_autostart",
+  "list_running_processes",
+  "kill_auto_search",
+  "run_dns_prober"
 ]

ostp-gui/src-tauri/src/dns_prober.rs

@@ -0,0 +1,6 @@
+use ostp_core::dns_prober::{run_dns_prober as core_run_dns_prober, DnsProbeResult};
+
+#[tauri::command]
+pub async fn run_dns_prober(domain: String) -> Result<Vec<DnsProbeResult>, String> {
+    core_run_dns_prober(&domain).await
+}

ostp-gui/src-tauri/src/lib.rs

@@ -8,6 +8,7 @@ use portable_atomic::Ordering;
 use tauri::Emitter;
 
 mod ipc_crypto;
+mod dns_prober;
 
 // ── Config types ─────────────────────────────────────────────────────────────
 
@@ -778,7 +779,7 @@ static SINGLE_INSTANCE_LOCK: std::sync::OnceLock<std::net::TcpListener> = std::s
 pub fn run() {
     if let Ok(listener) = std::net::TcpListener::bind("127.0.0.1:49153") {
         let _ = SINGLE_INSTANCE_LOCK.set(listener);
-    } else {
+    } else if !cfg!(debug_assertions) {
         show_error_dialog("Приложение OSTP GUI уже запущено!");
         return;
     }
@@ -874,7 +875,7 @@ pub fn run() {
             }
             _ => {}
         })
-        .invoke_handler(tauri::generate_handler![start_tunnel, stop_tunnel, reload_tunnel, get_tunnel_status, get_metrics, get_config, save_config, get_wintun_install_path, set_autostart, get_autostart, list_running_processes])
+        .invoke_handler(tauri::generate_handler![start_tunnel, stop_tunnel, reload_tunnel, get_tunnel_status, get_metrics, get_config, save_config, get_wintun_install_path, set_autostart, get_autostart, list_running_processes, dns_prober::run_dns_prober])
         .run(tauri::generate_context!())
         .expect("error while running tauri application");
 }

ostp-gui/src-tauri/tauri.conf.json

@@ -1,7 +1,7 @@
 {
   "$schema": "https://schema.tauri.app/config/2",
   "productName": "ostp-gui",
-  "version": "0.3.7",
+  "version": "0.3.12",
   "identifier": "com.ospab.ostp",
   "build": {
     "frontendDist": "../src"

ostp-gui/src/index.html

@@ -12,10 +12,9 @@
 <body>
   <div class="app-root">
 
-    <!-- Ambient light blobs -->
+    <!-- Eagle Watermark -->
-    <div class="ambient" aria-hidden="true">
+    <div class="watermark" aria-hidden="true">
-      <div class="blob blob-1"></div>
+      <img src="assets/logo.svg" alt="" />
-      <div class="blob blob-2"></div>
     </div>
 
     <!-- ── HOME SCREEN ──────────────────────────────────────────── -->
@@ -202,24 +201,20 @@
             </select>
           </div>
 
-          <div id="group-dns-proxy" style="display: none;">
+          <div id="group-dns-proxy" style="display: none; flex-direction: column; gap: 14px;">
             <div class="field-group">
               <label class="field-label" for="in-dns-domain" style="color: var(--c-warning);" data-i18n="label_dns_domain">Domain (Points to Server)</label>
               <input id="in-dns-domain" class="field-input" type="text" placeholder="tunnel.myvpn.com" spellcheck="false" />
-              <div style="font-size: 0.8rem; color: var(--c-sub); margin-top: 4px;">
-                <span data-i18n="dns_domain_hint">This is the "last resort" over public DNS servers. You need a domain pointing to your server (NS/A record).</span>
-                <span data-i18n="dns_guide">Detailed setup guide available in</span> <a href="https://github.com/ospab/ostp/wiki/DNS-Transport" target="_blank" style="color: var(--c-accent)" data-i18n="wiki_link">GitHub Wiki</a>.
-              </div>
             </div>
 
             <div class="field-group">
-              <label class="field-label" for="in-dns-region" data-i18n="label_dns_region">DNS Resolver Region (Prober)</label>
+              <label class="field-label" for="in-dns-region" data-i18n="label_dns_region">DNS Resolver Server</label>
-              <select id="in-dns-region" class="field-input">
+              <div class="input-wrap">
-                <option value="Global" data-i18n="opt_global">Global (Cloudflare, Google, etc)</option>
+                <input id="in-dns-region" class="field-input" type="text" placeholder="1.1.1.1" spellcheck="false" />
-                <option value="Russia" data-i18n="opt_russia">Russia (Yandex, VK, etc)</option>
+                <button id="btn-dns-prober" class="peek-btn" tabindex="-1" title="Find fastest DNS server" style="width:auto; padding: 0 8px; font-size: 0.7rem; color: var(--c-accent);">
-                <option value="China" data-i18n="opt_china">China (AliDNS, DNSPod, etc)</option>
+                  PROBER
-                <option value="Iran" data-i18n="opt_iran">Iran (Shatel, Electro, etc)</option>
+                </button>
-              </select>
+              </div>
             </div>
           </div>
 
@@ -380,6 +375,23 @@
         </div>
       </div>
     </div>
+      </div>
+    </div>
+
+    <!-- DNS Prober Modal -->
+    <div id="dns-prober-modal" class="modal-overlay hidden">
+      <div class="modal-content" style="min-width: 300px; max-width: 420px;">
+        <h3 class="modal-title">DNS Prober</h3>
+        <p class="modal-text" style="font-size: 0.8rem; color: var(--c-txt-2); margin-bottom: 12px;">
+          Sends a real DNS tunnel probe through each resolver and measures the round-trip time to your server. The fastest one is selected automatically.
+        </p>
+        <div id="prober-status" style="font-size: 0.75rem; color: var(--c-accent); margin-bottom: 10px; min-height: 18px;"></div>
+        <div id="prober-list" style="display: flex; flex-direction: column; gap: 5px; max-height: 280px; overflow-y: auto;"></div>
+        <div class="modal-actions" style="margin-top: 16px;">
+          <button id="btn-prober-close" class="btn secondary">Close</button>
+        </div>
+      </div>
+    </div>
 
   </div>
   <script type="module" src="main.js"></script>

ostp-gui/src/main.js

@@ -75,7 +75,7 @@ function bindSettingsInputs() {
   if (inTransport) {
     inTransport.addEventListener('change', () => {
       if (inTransport.value === 'dns') {
-        groupDnsProxy.style.display = 'block';
+        groupDnsProxy.style.display = 'flex';
       } else {
         groupDnsProxy.style.display = 'none';
       }
@@ -88,6 +88,86 @@ const btnWintunCancel    = $('btn-wintun-cancel');
 const btnWintunOpen      = $('btn-wintun-open');
 const wintunInstallPath  = $('wintun-install-path');
 
+const dnsProberModal     = $('dns-prober-modal');
+const proberStatus       = $('prober-status');
+const proberList         = $('prober-list');
+const btnProberClose     = $('btn-prober-close');
+const btnDnsProber       = $('btn-dns-prober');
+
+// ── DNS Prober ───────────────────────────────────────────────────────────────
+async function openDnsProber() {
+  dnsProberModal.classList.remove('hidden');
+  proberList.innerHTML = '';
+  proberStatus.textContent = 'Running probes...';
+
+  const domain = inDnsDomain?.value?.trim() || 'example.com';
+
+  let results;
+  try {
+    results = await invoke('run_dns_prober', { domain });
+  } catch (err) {
+    proberStatus.textContent = 'Error: ' + err;
+    return;
+  }
+
+  proberList.innerHTML = '';
+
+  if (!results || results.length === 0) {
+    proberStatus.textContent = 'No results.';
+    return;
+  }
+
+  let bestIp = null;
+
+  results.forEach((r, i) => {
+    const isBest = i === 0 && r.latency_ms != null;
+    if (isBest && !bestIp) bestIp = r.ip;
+
+    const row = document.createElement('div');
+    row.style.cssText = `
+      display: flex; align-items: center; justify-content: space-between;
+      padding: 6px 10px; border-radius: 6px; cursor: pointer;
+      background: ${isBest ? 'rgba(99,179,237,0.12)' : 'rgba(255,255,255,0.04)'};
+      border: 1px solid ${isBest ? 'rgba(99,179,237,0.35)' : 'transparent'};
+      transition: background 0.15s;
+    `;
+
+    const latText = r.latency_ms != null ? `${r.latency_ms} ms` : 'TIMEOUT';
+    const latColor = r.latency_ms == null ? '#f56565'
+      : r.latency_ms < 50 ? '#68d391'
+      : r.latency_ms < 150 ? '#f6e05e'
+      : '#fc8181';
+
+    row.innerHTML = `
+      <span style="font-size:0.78rem; color: var(--c-txt-1);">${isBest ? '⭐ ' : ''}${r.name}</span>
+      <span style="font-size:0.78rem; color: var(--c-txt-2);">${r.ip}</span>
+      <span style="font-size:0.78rem; font-weight:600; color:${latColor};">${latText}</span>
+    `;
+
+    if (r.latency_ms != null) {
+      row.addEventListener('click', () => {
+        inDnsRegion.value = r.ip;
+        scheduleAutoSave();
+        dnsProberModal.classList.add('hidden');
+        showToast('DNS server set to ' + r.ip, 'ok');
+      });
+      row.addEventListener('mouseenter', () => { row.style.background = 'rgba(99,179,237,0.18)'; });
+      row.addEventListener('mouseleave', () => { row.style.background = isBest ? 'rgba(99,179,237,0.12)' : 'rgba(255,255,255,0.04)'; });
+    }
+
+    proberList.appendChild(row);
+  });
+
+  if (bestIp) {
+    proberStatus.textContent = `✓ Best: ${bestIp} — click any row to select`;
+    // Auto-fill best
+    inDnsRegion.value = bestIp;
+    scheduleAutoSave();
+  } else {
+    proberStatus.textContent = 'All servers timed out.';
+  }
+}
+
 // ── Tag-input state ───────────────────────────────────────────────────────────
 // Map of tagId -> Set<string>
 const tagState = {
@@ -366,7 +446,7 @@ async function loadConfigIntoForm() {
         inKey.value = ostpOut.access_key || '';
         inTransport.value = ostpOut.transport?.type || 'udp';
         if (inTransport.value === 'dns') {
-          groupDnsProxy.style.display = 'block';
+          groupDnsProxy.style.display = 'flex';
           inDnsDomain.value = ostpOut.transport?.domain || '';
           inDnsRegion.value = ostpOut.transport?.resolver || 'Global';
         } else {
@@ -592,6 +672,7 @@ window.addEventListener('DOMContentLoaded', async () => {
   applyTranslations();
   setState('disconnected');
   updateKillSwitchVisibility();
+  bindSettingsInputs();
 
   // Event wiring
   if (window.__TAURI__ && window.__TAURI__.event) {
@@ -737,6 +818,22 @@ window.addEventListener('DOMContentLoaded', async () => {
     wintunModal.classList.add('hidden');
   });
 
+  // DNS Prober modal
+  if (btnDnsProber) {
+    btnDnsProber.addEventListener('click', openDnsProber);
+  }
+  if (btnProberClose) {
+    btnProberClose.addEventListener('click', () => {
+      dnsProberModal.classList.add('hidden');
+    });
+  }
+  // Close prober on backdrop click
+  if (dnsProberModal) {
+    dnsProberModal.addEventListener('click', (e) => {
+      if (e.target === dnsProberModal) dnsProberModal.classList.add('hidden');
+    });
+  }
+
   // Open wintun.net link — handled natively by <a target="_blank">, but also wire as fallback
   if (btnWintunOpen && window.__TAURI__) {
     btnWintunOpen.addEventListener('click', (e) => {

ostp-gui/src/styles.css

@@ -5,27 +5,27 @@
 
 /* ── Tokens — Dark (default) ─────────────────────────────────────────────── */
 :root {
-  /* Colors */
+  /* Colors - Dark (default) */
-  --c-bg:          #08080f;
+  --c-bg:          #030303;
-  --c-surface:     #0f0f1a;
+  --c-surface:     #09090b;
-  --c-card:        rgba(255,255,255,0.04);
+  --c-card:        rgba(255,255,255,0.02);
-  --c-card-border: rgba(255,255,255,0.07);
+  --c-card-border: rgba(255,255,255,0.05);
 
-  --c-accent:      #6c72ff;
+  --c-accent:      #52525b;
-  --c-accent-2:    #a78bfa;
+  --c-accent-2:    #71717a;
-  --c-accent-glow: rgba(108,114,255,0.35);
+  --c-accent-glow: rgba(255,255,255,0.05);
-  --c-accent-dim:  rgba(108,114,255,0.12);
+  --c-accent-dim:  rgba(255,255,255,0.03);
 
-  --c-green:       #22d3a5;
+  --c-green:       #10b981;
-  --c-green-glow:  rgba(34,211,165,0.35);
+  --c-green-glow:  rgba(16,185,129,0.25);
-  --c-green-dim:   rgba(34,211,165,0.10);
+  --c-green-dim:   rgba(16,185,129,0.10);
 
   --c-amber:       #f59e0b;
-  --c-red:         #f87171;
+  --c-red:         #ef4444;
 
-  --c-txt-1:       #e2e4f0;
+  --c-txt-1:       #fdfdfd;
-  --c-txt-2:       #636882;
+  --c-txt-2:       #a1a1aa;
-  --c-txt-3:       #343647;
+  --c-txt-3:       #52525b;
 
   /* Radii */
   --r-xs:  6px;
@@ -46,26 +46,26 @@
 
 /* ── Tokens — Light theme override ────────────────────────────────────────── */
 [data-theme="light"] {
-  --c-bg:          #f0f2fa;
+  --c-bg:          #f4f4f5;
   --c-surface:     #ffffff;
-  --c-card:        rgba(255,255,255,0.75);
+  --c-card:        rgba(0,0,0,0.02);
-  --c-card-border: rgba(0,0,0,0.08);
+  --c-card-border: rgba(0,0,0,0.06);
 
-  --c-accent:      #5b61f0;
+  --c-accent:      #e4e4e7;
-  --c-accent-2:    #8b5cf6;
+  --c-accent-2:    #d4d4d8;
-  --c-accent-glow: rgba(91,97,240,0.25);
+  --c-accent-glow: rgba(0,0,0,0.05);
-  --c-accent-dim:  rgba(91,97,240,0.10);
+  --c-accent-dim:  rgba(0,0,0,0.03);
 
-  --c-green:       #10b981;
+  --c-green:       #059669;
-  --c-green-glow:  rgba(16,185,129,0.25);
+  --c-green-glow:  rgba(5,150,105,0.2);
-  --c-green-dim:   rgba(16,185,129,0.10);
+  --c-green-dim:   rgba(5,150,105,0.1);
 
   --c-amber:       #d97706;
-  --c-red:         #ef4444;
+  --c-red:         #dc2626;
 
-  --c-txt-1:       #0f1020;
+  --c-txt-1:       #09090b;
-  --c-txt-2:       #5a5f7a;
+  --c-txt-2:       #52525b;
-  --c-txt-3:       #b0b4cc;
+  --c-txt-3:       #a1a1aa;
 }
 
 /* ── Light theme element overrides ───────────────────────────────────────── */
@@ -74,9 +74,6 @@ html[data-theme="light"] body {
   background: var(--c-bg);
 }
 
-html[data-theme="light"] .blob-1 { opacity: 0.08; }
-html[data-theme="light"] .blob-2 { opacity: 0.06; }
-
 html[data-theme="light"] .power-btn {
   background: var(--c-surface);
   box-shadow:
@@ -198,41 +195,32 @@ input, textarea { font-family: inherit; }
   overflow: hidden;
 }
 
-/* ── Ambient blobs ────────────────────────────────────────────────────────── */
+/* ── Watermark ────────────────────────────────────────────────────────────── */
-.ambient {
+.watermark {
   position: absolute;
-  inset: 0;
+  top: 50%;
+  left: 50%;
+  transform: translate(-50%, -50%);
+  width: 80%;
+  max-width: 600px;
   pointer-events: none;
   z-index: 0;
-  overflow: hidden;
+  opacity: 0.05;
+  user-select: none;
+  display: flex;
+  align-items: center;
+  justify-content: center;
 }
 
-.blob {
+.watermark img {
-  position: absolute;
+  width: 100%;
-  border-radius: 50%;
+  height: auto;
-  filter: blur(100px);
+  object-fit: contain;
-  will-change: transform;
 }
 
-.blob-1 {
+html[data-theme="light"] .watermark {
-  width: 400px; height: 400px;
+  opacity: 0.06;
-  background: var(--c-accent);
+  filter: invert(1);
-  opacity: 0.15;
-  top: -150px; right: -100px;
-  animation: blob-drift 28s infinite alternate ease-in-out;
-}
-
-.blob-2 {
-  width: 350px; height: 350px;
-  background: var(--c-green);
-  opacity: 0.10;
-  bottom: -100px; left: -100px;
-  animation: blob-drift 22s infinite alternate-reverse ease-in-out;
-}
-
-@keyframes blob-drift {
-  from { transform: translate(0, 0); }
-  to   { transform: translate(30px, 20px); }
 }
 
 /* ── Screen system ────────────────────────────────────────────────────────── */

ostp-jni/src/lib.rs

@@ -368,3 +368,31 @@ pub extern "system" fn Java_net_ostp_client_OstpClientSdk_notifyNetworkChanged(
 
     // No-op for now; multi-server handles network drops via keep-alives and reconnection
 }
+
+#[no_mangle]
+pub extern "system" fn Java_net_ostp_client_OstpClientSdk_nativeRunDnsProber(
+    mut env: JNIEnv,
+    _class: JClass,
+    domain: JString,
+) -> jstring {
+    let domain_str: String = match env.get_string(&domain) {
+        Ok(s) => s.into(),
+        Err(_) => return env.new_string("[]").unwrap().into_raw(),
+    };
+
+    let rt = tokio::runtime::Builder::new_current_thread()
+        .enable_all()
+        .build()
+        .unwrap();
+
+    let result = rt.block_on(async {
+        ostp_core::dns_prober::run_dns_prober(&domain_str).await
+    });
+
+    let json = match result {
+        Ok(res) => serde_json::to_string(&res).unwrap_or_else(|_| "[]".to_string()),
+        Err(_) => "[]".to_string(),
+    };
+
+    env.new_string(json).unwrap().into_raw()
+}

ostp-server/src/config.rs

@@ -1,8 +1,8 @@
 use serde::{Deserialize, Serialize};
-use crate::{api::ApiConfig, fallback::FallbackConfig, outbound::OutboundConfig, dns::DnsConfig};
+use crate::{fallback::FallbackConfig, dns::DnsConfig};
 
 #[derive(Debug, Deserialize, Serialize, Clone)]
-#[serde(tag = "type", rename_all = "snake_case")]
+#[serde(tag = "protocol", rename_all = "snake_case")]
 pub enum ServerInbound {
     Ostp {
         tag: String,
@@ -27,6 +27,15 @@ pub enum ServerInbound {
         username: Option<String>,
         #[serde(default, skip_serializing_if = "Option::is_none")]
         password_hash: Option<String>,
+    },
+    Dns {
+        tag: String,
+        listen: String,
+        domain: String,
+        #[serde(default, skip_serializing_if = "Option::is_none")]
+        pubkey: Option<String>,
+        #[serde(default, skip_serializing_if = "Option::is_none")]
+        privkey: Option<String>,
     }
 }
 
@@ -73,8 +82,9 @@ pub struct TransportConfigRaw {
 }
 
 #[derive(Debug, Deserialize, Serialize, Clone)]
-#[serde(tag = "type", rename_all = "snake_case")]
+#[serde(tag = "protocol", rename_all = "snake_case")]
 pub enum ServerOutbound {
+    #[serde(rename = "socks5")]
     Socks {
         tag: String,
         server: String,
@@ -121,9 +131,6 @@ pub struct ModularServerConfig {
     pub dns: Option<DnsConfig>,
     #[serde(default, skip_serializing_if = "Option::is_none")]
     pub license_key: Option<String>,
-    
-    #[serde(default, skip_serializing_if = "Option::is_none")]
-    pub dns_transport: Option<DnsTransportConfig>,
 }
 
 #[derive(Debug, Deserialize, Serialize, Clone)]

ostp-server/src/dispatcher.rs

@@ -12,7 +12,7 @@ use portable_atomic::AtomicU64;
 // const MAX_SESSIONS removed because dynamic limit is used
 
 pub enum DispatchOutcome {
-    Unauthorized,
+    Unauthorized(String),
     Accepted {
         responses: Vec<Bytes>,
         app_payloads: Vec<(u32, u16, Bytes)>, // session_id, stream_id, payload
@@ -182,7 +182,7 @@ impl Dispatcher {
 
     pub fn on_datagram(&mut self, peer: SocketAddr, packet: Bytes) -> Result<DispatchOutcome> {
         if packet.len() < 4 {
-            return Ok(DispatchOutcome::Unauthorized);
+            return Ok(DispatchOutcome::Unauthorized("packet too short".to_string()));
         }
 
         let mut session_id_opt = None;
@@ -239,7 +239,7 @@ impl Dispatcher {
                     tracing::info!("Dropping session {} for key {} (valid={}, over_limit={})",
                         session_id, access_key, key_valid, user_stats.is_over_limit());
                     self.drop_session(session_id);
-                    return Ok(DispatchOutcome::Unauthorized);
+                    return Ok(DispatchOutcome::Unauthorized("key invalid or over limit".to_string()));
                 }
             }
 
@@ -260,8 +260,7 @@ impl Dispatcher {
                 let action = match peer_state.machine.on_event(OstpEvent::Inbound(packet)) {
                     Ok(a) => a,
                     Err(e) => {
-                        tracing::warn!("Protocol error for session {}: {}", session_id, e);
+                        return Ok(DispatchOutcome::Unauthorized(format!("protocol error: {}", e)));
-                        return Ok(DispatchOutcome::Unauthorized);
                     }
                 };
 
@@ -303,13 +302,17 @@ impl Dispatcher {
         // Not an existing session — try each registered access key's derived obfuscation key
         let keys_snapshot: Vec<String> = self.access_keys.read().unwrap_or_else(|e| e.into_inner()).keys().cloned().collect();
 
+        let mut failed_trials = Vec::new();
         for candidate_key in keys_snapshot {
             let secrets = ostp_core::crypto::derive_all_secrets(candidate_key.as_bytes());
 
             // Decode the session_id using this key's obfuscation
             // The handshake mask is derived from the Noise payload at bytes [6..],
             // so we must deobfuscate the full packet, not just the header.
-            if packet.len() < 7 { continue; }
+            if packet.len() < 7 { 
+                failed_trials.push(format!("key {}: packet too short", candidate_key));
+                continue; 
+            }
             let mut trial = packet.to_vec();
             ostp_core::crypto::deobfuscate_packet_inplace(&mut trial, &secrets.obfuscation_key, true);
             let candidate_session_id = u32::from_be_bytes([trial[0], trial[1], trial[2], trial[3]]);
@@ -331,7 +334,10 @@ impl Dispatcher {
             };
             let action = match machine.on_event(OstpEvent::Inbound(packet.clone())) {
                 Ok(a) => a,
-                Err(_) => continue,
+                Err(e) => {
+                    failed_trials.push(format!("key {}: crypto err: {}", candidate_key, e));
+                    continue;
+                }
             };
 
             if let ProtocolAction::HandshakePayload(payload, response_opt) = action {
@@ -345,6 +351,7 @@ impl Dispatcher {
                     let sid_from_payload = u32::from_be_bytes(sid_bytes);
 
                     if sid_from_payload != candidate_session_id {
+                        failed_trials.push(format!("key {}: sid mismatch", candidate_key));
                         continue;
                     }
 
@@ -352,6 +359,7 @@ impl Dispatcher {
                     if let Ok(key_from_payload) = std::str::from_utf8(key_bytes) {
                         // The key embedded in the payload must match the candidate key we decoded with
                         if key_from_payload != candidate_key {
+                            failed_trials.push(format!("key {}: embedded key mismatch", candidate_key));
                             continue;
                         }
 
@@ -362,14 +370,16 @@ impl Dispatcher {
 
                         let drift = (now as i64 - ts as i64).abs();
                         if drift > 300 {
-                            tracing::warn!("Handshake rejected: timestamp drift {}s exceeds 300s limit (peer={})", drift, peer);
+                            let reason = format!("timestamp drift {}s exceeds 300s limit", drift);
+                            tracing::warn!("Handshake rejected for {}: {}", peer, reason);
+                            failed_trials.push(format!("key {}: {}", candidate_key, reason));
                             continue;
                         }
 
                         if !self.replay_cache.contains_key(&payload.to_vec()) {
                             if self.replay_cache.len() >= 50_000 {
                                 tracing::warn!("Replay cache full (100000 entries), rejecting handshake from {}", peer);
-                                return Ok(DispatchOutcome::Unauthorized);
+                                return Ok(DispatchOutcome::Unauthorized("replay cache full".to_string()));
                             }
 
                             self.replay_cache.insert(payload.to_vec(), ts);
@@ -383,7 +393,7 @@ impl Dispatcher {
                             // Check traffic limit before accepting
                             if user_stats.is_over_limit() {
                                 tracing::warn!("User {} exceeded traffic limit, rejecting handshake from {}", candidate_key, peer);
-                                return Ok(DispatchOutcome::Unauthorized);
+                                return Ok(DispatchOutcome::Unauthorized("user over traffic limit".to_string()));
                             }
 
                             self.peer_machines.insert(candidate_session_id, PeerState {
@@ -410,7 +420,13 @@ impl Dispatcher {
             }
         }
 
-        Ok(DispatchOutcome::Unauthorized)
+        let reason = if failed_trials.is_empty() {
+            "no valid handshake payload found".to_string()
+        } else {
+            format!("all key trials failed: {}", failed_trials.join(", "))
+        };
+
+        Ok(DispatchOutcome::Unauthorized(reason))
     }
 
     pub fn outbound_to_session(&mut self, session_id: u32, stream_id: u16, payload: Bytes) -> Result<Option<(Bytes, SocketAddr)>> {

ostp-server/src/lib.rs

@@ -45,7 +45,7 @@ pub(crate) enum UiEvent {
     PeerSeen { peer: IpAddr },
     #[allow(dead_code)] Rx { peer: IpAddr, bytes: usize },
     #[allow(dead_code)] Tx { peer: IpAddr, bytes: usize },
-    UnauthorizedProbe { peer: IpAddr, bytes: usize },
+    UnauthorizedProbe { peer: IpAddr, bytes: usize, reason: String },
     KeyCreated { key: String },
     Log(String),
     #[allow(dead_code)]
@@ -159,7 +159,12 @@ pub async fn run_server(
                                 #[derive(serde::Deserialize)]
                                 #[serde(untagged)]
                                 enum ReloadUser {
-                                    Detailed { access_key: String, name: Option<String>, limit_bytes: Option<u64> },
+                                    Detailed { 
+                                        #[serde(rename = "key")]
+                                        access_key: String, 
+                                        name: Option<String>, 
+                                        limit_bytes: Option<u64> 
+                                    },
                                     KeyOnly(String),
                                 }
                                 #[derive(serde::Deserialize)]
@@ -167,6 +172,8 @@ pub async fn run_server(
                                     mode: String,
                                     #[serde(default)]
                                     access_keys: Vec<ReloadUser>,
+                                    #[serde(default)]
+                                    inbounds: Vec<serde_json::Value>,
                                 }
                                 
                                 let mut stripped = json_comments::StripComments::new(content.as_bytes());
@@ -181,7 +188,23 @@ pub async fn run_server(
                                     Ok(cfg) => {
                                         if cfg.mode == "server" {
                                             let mut new_keys = HashMap::new();
-                                            for uc in cfg.access_keys {
+                                            let mut all_users = cfg.access_keys;
+                                            
+                                            for inbound in cfg.inbounds {
+                                                if let Some(protocol) = inbound.get("protocol").and_then(|p| p.as_str()) {
+                                                    if protocol == "ostp" {
+                                                        if let Some(users) = inbound.get("users").and_then(|u| u.as_array()) {
+                                                            for u in users {
+                                                                if let Ok(ru) = serde_json::from_value::<ReloadUser>(u.clone()) {
+                                                                    all_users.push(ru);
+                                                                }
+                                                            }
+                                                        }
+                                                    }
+                                                }
+                                            }
+
+                                            for uc in all_users {
                                                 let (k, m) = match uc {
                                                     ReloadUser::Detailed { access_key, name, limit_bytes } => (access_key, crate::api::UserMeta { name, limit_bytes }),
                                                     ReloadUser::KeyOnly(k) => (k, crate::api::UserMeta { name: None, limit_bytes: None }),
@@ -305,10 +328,9 @@ pub async fn run_server(
                 UiEvent::KeyCreated { key } => {
                     tracing::info!("Access key created: {key}");
                 }
-                UiEvent::UnauthorizedProbe { peer, bytes } => {
+                UiEvent::UnauthorizedProbe { peer, bytes, reason } => {
-                    if debug {
+                    // Make it a warn so it's always visible outside debug mode!
-                        tracing::debug!("Unauthorized probe from {peer} ({bytes} bytes)");
+                    tracing::warn!("Unauthorized probe from {peer} ({bytes} bytes): {reason}");
-                    }
                 }
                 UiEvent::PeerSeen { .. } => {}
                 _ => {}
@@ -553,8 +575,8 @@ async fn handle_udp_packet(
 ) -> Result<()> {
     let size = packet.len();
     match dispatcher.on_datagram(peer, packet) {
-        Ok(DispatchOutcome::Unauthorized) => {
+        Ok(DispatchOutcome::Unauthorized(reason)) => {
-            let _ = ui_event_tx.send(UiEvent::UnauthorizedProbe { peer: peer.ip(), bytes: size });
+            let _ = ui_event_tx.send(UiEvent::UnauthorizedProbe { peer: peer.ip(), bytes: size, reason });
         }
         Ok(DispatchOutcome::Accepted { responses, app_payloads, peer_addr }) => {
             let peer_ip = peer_addr.ip();

ostp-server/src/transport/dns.rs

@@ -6,7 +6,7 @@ use std::net::SocketAddr;
 use bytes::Bytes;
 use tokio::time::Duration;
 
-use ostp_core::dns::{DnsPacket, DnsRecordType, decode_domain_to_payload, encode_payload_to_domain};
+use ostp_core::dns::{DnsPacket, DnsRecordType, decode_domain_to_payload};
 use crate::config::DnsTransportConfig;
 use crate::UiEvent;
 

ostp-server/src/tui.rs

@@ -12,7 +12,7 @@ pub enum UiEvent {
     PeerSeen { peer: IpAddr },
     Rx { peer: IpAddr, bytes: usize },
     Tx { peer: IpAddr, bytes: usize },
-    UnauthorizedProbe { peer: IpAddr, bytes: usize },
+    UnauthorizedProbe { peer: IpAddr, bytes: usize, reason: String },
     KeyCreated { key: String },
     Log(String),
     KeyCount(usize),

ostp-tun/src/linux.rs

@@ -12,6 +12,8 @@ struct LinuxRouteGuard {
 
 impl Drop for LinuxRouteGuard {
     fn drop(&mut self) {
+        let _ = Command::new("ip").args(["route", "del", "0.0.0.0/1", "dev", "ostp_tun"]).output();
+        let _ = Command::new("ip").args(["route", "del", "128.0.0.0/1", "dev", "ostp_tun"]).output();
         let _ = Command::new("ip").args(["route", "del", "default", "dev", "ostp_tun"]).output();
         let _ = Command::new("ip").args(["route", "del", &format!("{}/32", self.server_ip)]).output();
         for route in &self.bypass_routes {
@@ -38,10 +40,6 @@ pub async fn create(opts: OstpTunOptions) -> Result<OstpTunInterface> {
         .mtu(opts.mtu)
         .up();
 
-    tun_cfg.platform_config(|cfg| {
-        cfg.packet_information(false);
-    });
-
     let dev = tun::create(&tun_cfg).map_err(|e| anyhow!("Failed to create TUN device: {}", e))?;
     let dev = tun::AsyncDevice::new(dev).map_err(|e| anyhow!("TUN device async failed: {}", e))?;
     tracing::info!("TUN device 'ostp_tun' created.");
@@ -74,7 +72,9 @@ pub async fn create(opts: OstpTunOptions) -> Result<OstpTunInterface> {
             bypass_routes.push(route);
         }
 
-        let _ = Command::new("ip").args(["route", "add", "default", "dev", "ostp_tun"]).output();
+        // Override default route gracefully by adding more specific /1 routes
+        let _ = Command::new("ip").args(["route", "add", "0.0.0.0/1", "dev", "ostp_tun"]).output();
+        let _ = Command::new("ip").args(["route", "add", "128.0.0.0/1", "dev", "ostp_tun"]).output();
         
         if opts.kill_switch {
             tracing::info!("Kill Switch: deleting original default route to prevent leakage.");

ostp-wiki/DNS-Transport.md

@@ -1,73 +0,0 @@
-# OSTP DNS Transport (Последний Рубеж)
-
-DNS Transport (DNS Прокси) — это экспериментальный транспорт, который является "последним рубежом" для обхода блокировок. Он используется, когда все остальные протоколы (UDP, UoT/TCP) полностью заблокированы провайдером или DPI.
-
-Он маскирует весь VPN-трафик под обычные запросы к DNS-серверам (разрешение имен), что делает его блокировку практически невозможной без отключения интернета в целом. OSTP использует запросы типа `TXT` и `NULL` для передачи данных, используя кодировку Base32.
-
-> **Внимание:** DNS-туннелирование работает значительно медленнее обычных протоколов из-за накладных расходов протокола DNS. Рекомендуется использовать этот режим только когда другие способы не работают.
-
-## Как это работает?
-
-Вместо того чтобы отправлять трафик напрямую на ваш сервер, клиент OSTP отправляет стандартный DNS-запрос на **публичные DNS-серверы** (например, 1.1.1.1, 8.8.8.8) или серверы выбранного вами региона (Prober).
-Публичный сервер-резолвер перенаправляет этот запрос на **ваш сервер** (как на авторитативный DNS-сервер для вашего домена), а ваш сервер отвечает обратно через резолвер.
-
-Для настройки этого механизма **вам понадобится собственный домен**.
-
----
-
-## Настройка на стороне сервера (Домен)
-
-Вам необходимо настроить NS-записи вашего домена так, чтобы они указывали на IP-адрес вашего OSTP сервера. 
-
-Например, вы владеете доменом `myvpn.com` и хотите использовать поддомен `t.myvpn.com` для туннеля, а IP вашего сервера — `192.168.1.100`.
-
-В панели управления вашего DNS-регистратора добавьте следующие записи:
-
-1. **A-запись:**
-   - Имя (Host): `ns.myvpn.com`
-   - Тип (Type): `A`
-   - Значение (Value): `192.168.1.100` (IP вашего OSTP-сервера)
-
-2. **NS-запись:**
-   - Имя (Host): `t.myvpn.com`
-   - Тип (Type): `NS`
-   - Значение (Value): `ns.myvpn.com`
-
-Теперь любой DNS-запрос к поддоменам `t.myvpn.com` будет направляться на ваш сервер (на порт 53).
-
----
-
-## Настройка сервера OSTP
-
-В файле конфигурации вашего OSTP сервера (`config.json` или `server.json`) необходимо включить прослушивание порта 53 для DNS транспорта:
-
-```json
-{
-  "mode": "server",
-  "dns_transport": {
-    "enabled": true,
-    "port": 53,
-    "domain": "t.myvpn.com"
-  }
-}
-```
-
-> **Важно:** Для прослушивания порта 53 на Linux обычно требуются root-права. Убедитесь, что сервер запущен с `sudo` или используйте возможности `setcap` для предоставления доступа к порту:
-> `sudo setcap cap_net_bind_service=+ep /path/to/ostp`
-
----
-
-## Настройка в приложении (Клиент)
-
-В клиенте OSTP (Desktop GUI или Mobile):
-
-1. Перейдите в **Settings (Настройки)**.
-2. В поле **Transport Protocol** выберите `DNS Proxy (Последний рубеж)`.
-3. Появится поле **Domain (Points to Server)** — введите сюда настроенный поддомен (например, `t.myvpn.com`).
-4. Поле **DNS Resolver Region** позволяет выбрать, через серверы какой страны/провайдера будет осуществляться маршрутизация пакетов (например, Global, Russia, China, Iran). Клиент (Prober) автоматически найдет наиболее быстрый публичный резолвер в этом регионе.
-
-## Ограничения и особенности
-
-- **Скорость:** Из-за размера DNS-пакетов и задержек публичных серверов, максимальная скорость может составлять 1-5 Мбит/с.
-- **Polling:** Поскольку DNS работает по принципу "Запрос-Ответ", клиент отправляет пустые поллинговые пакеты каждые 2 секунды, чтобы позволить серверу пересылать входящие данные.
-- **Поддержка DoH/DoT:** В текущей версии запросы к публичным резолверам отправляются в открытом виде (UDP порт 53). В будущих обновлениях будет добавлена поддержка DNS over HTTPS (DoH) для дополнительного слоя защиты от DPI-фильтров.

ostp-wiki/README.md

@@ -1,8 +0,0 @@
-# OSTP Wiki
-
-This repository contains the documentation and wiki pages for the Ospab Stealth Transport Protocol (OSTP).
-
-- [Configuration Guide](configuration_guide.md)
-- [API Endpoints](api_endpoints.md)
-- [DNS Transport (Последний Рубеж)](DNS-Transport.md)
-- [v0.3.1 Configuration Migration Guide](../docs/migration_v0_3_1.md)

ostp-wiki/api_endpoints.md

@@ -1,149 +0,0 @@
-# Справочник API управления OSTP
-
-Сервер OSTP предоставляет REST API для управления пользователями, просмотра статистики трафика и интерактивного редактирования конфигурации.
-
-По умолчанию API слушает на порту `9090` (хост настраивается в файле конфигурации).
-
----
-
-## Авторизация
-
-Все запросы к API (за исключением подписок) должны содержать заголовок `Authorization` с API-токеном (если токен включен в конфигурационном файле):
-
-```http
-Authorization: Bearer <ваш_api_токен>
-```
-
-Или в упрощенном виде:
-```http
-Authorization: <ваш_api_токен>
-```
-
----
-
-## Формат ответов
-
-Все ответы API возвращаются в формате JSON следующей структуры:
-
-```json
-{
-  "ok": true,
-  "data": ...,
-  "error": null
-}
-```
-
-В случае ошибки:
-```json
-{
-  "ok": false,
-  "data": null,
-  "error": "Описание ошибки"
-}
-```
-
----
-
-## Список эндпоинтов
-
-### 1. Статус сервера
-Возвращает текущую версию, аптайм и количество пользователей.
-
-* **URL**: `/api/server/status`
-* **Метод**: `GET`
-* **Формат `data`**:
-  ```json
-  {
-    "version": "0.2.30",
-    "uptime_seconds": 12053,
-    "active_users": 2,
-    "total_users": 5
-  }
-  ```
-
-### 2. Получение текущего конфига
-Запрашивает полное содержимое файла `config.json` с удалением комментариев для прямой модификации.
-
-* **URL**: `/api/server/config`
-* **Метод**: `GET`
-* **Формат `data`**: Полный JSON-конфиг сервера.
-
-### 3. Обновление конфига
-Записывает новый JSON конфигурации сервера в файл `config.json` на диске. Это автоматически вызывает **hot-reload** ядра (применение ключей доступа и лимитов).
-
-* **URL**: `/api/server/config`
-* **Метод**: `PUT`
-* **Тело запроса**: JSON нового конфигурационного файла.
-* **Формат `data`**: `true` в случае успешного сохранения.
-
-### 4. Список клиентов и их статистики
-Возвращает список всех зарегистрированных ключей доступа с их текущей загрузкой, скачиванием, активными сессиями и статусом подключения.
-
-* **URL**: `/api/users`
-* **Метод**: `GET`
-* **Формат `data`**:
-  ```json
-  [
-    {
-      "access_key": "ostp_key_sample1",
-      "bytes_up": 2405020,
-      "bytes_down": 491029402,
-      "connections": 2,
-      "limit_bytes": 10737418240,
-      "online": true,
-      "name": "Ноутбук"
-    }
-  ]
-  ```
-
-### 5. Создание клиента
-Генерирует новый ключ доступа (или регистрирует пользовательский).
-
-* **URL**: `/api/users`
-* **Метод**: `POST`
-* **Тело запроса**:
-  ```json
-  {
-    "access_key": "my_custom_key_optional",
-    "name": "Имя клиента",
-    "limit_bytes": 50000000000
-  }
-  ```
-* **Формат `data`**: Строка созданного ключа доступа.
-
-### 6. Удаление клиента
-Отзывает ключ доступа и сбрасывает все связанные активные сессии.
-
-* **URL**: `/api/users/:key`
-* **Метод**: `DELETE`
-* **Формат `data`**: `"User removed"`
-
-### 7. Обновление клиента
-Редактирует имя или лимит трафика для клиента.
-
-* **URL**: `/api/users/:key`
-* **Метод**: `PUT`
-* **Тело запроса**:
-  ```json
-  {
-    "name": "Новое имя",
-    "limit_bytes": 100000000000
-  }
-  ```
-* **Формат `data`**: `"User updated"`
-
-### 8. Сброс счетчиков трафика
-Обнуляет показания загрузки и скачивания для определенного пользователя.
-
-* **URL**: `/api/users/{key}/reset`
-* **Метод**: `POST`
-* **Формат `data`**: `true`
-
-### 9. Ссылка подписки клиента
-Возвращает ссылку подписки или конфигурационный файл для клиента. Авторизация по Bearer-токену **не требуется** (ключ авторизуется сам через URL).
-
-* **URL**: `/api/subscribe/:key`
-* **Метод**: `GET`
-* **Заголовки**:
-  - `Accept: text/plain` -> Возвращает текстовую ссылку `ostp://<key>@<host>:<port>?...`
-  - `Accept: application/json` -> Возвращает полный клиентский JSON-конфиг.

ostp-wiki/configuration_guide.md

@@ -1,125 +0,0 @@
-# Руководство по конфигурации OSTP (`config.json`)
-
-Файл `config.json` является основным конфигурационным файлом для сервера, клиента и реле.
-
-Ниже приведено подробное описание структуры для режима работы **Server**.
-
----
-
-## Полный пример конфигурации
-
-```json
-{
-  "mode": "server",
-  "log_level": "info",
-  "listen": "0.0.0.0:50000",
-  "access_keys": [
-    "some_simple_key",
-    {
-      "access_key": "detailed_key_with_limit",
-      "name": "Рабочий Ноутбук",
-      "limit_bytes": 107374182400
-    }
-  ],
-  "api": {
-    "enabled": true,
-    "bind": "127.0.0.1:9090",
-    "token": "7a3f8b2c4d9e0f1a2b3c4d5e6f7a8b9c"
-  },
-  "fallback": {
-    "enabled": false,
-    "listen": "0.0.0.0:443",
-    "target": "127.0.0.1:8080"
-  },
-  "reality": {
-    "enabled": false,
-    "dest": "www.microsoft.com:443",
-    "private_key": "...",
-    "pbk": "...",
-    "sid": "...",
-    "sni_list": ["www.microsoft.com"]
-  },
-  "outbound": {
-    "enabled": false,
-    "protocol": "socks5",
-    "address": "127.0.0.1",
-    "port": 9050,
-    "default_action": "proxy",
-    "rules": [
-      {
-        "domain_suffix": [".onion"],
-        "action": "proxy"
-      }
-    ]
-  },
-  "debug": false
-}
-```
-
----
-
-## Описание разделов конфигурации
-
-### 1. Основные параметры
-- **`mode`** (строка): Режим работы. Возможные варианты: `"server"`, `"client"`, `"relay"`.
-- **`log_level`** (строка): Уровень логирования. Варианты: `"debug"`, `"info"`, `"warn"`, `"error"`.
-- **`listen`** (строка или массив строк): Порт и интерфейсы, на которых сервер слушает входящие UDP (и опционально TCP/UoT) соединения. Примеры:
-  - `"0.0.0.0:50000"` (все IPv4 интерфейсы)
-  - `["0.0.0.0:50000", "[::]:50000"]` (поддержка IPv4 и IPv6 одновременно)
-- **`debug`** (логический): Включает подробное отладочное логирование протокола.
-
----
-
-### 2. Ключи доступа (`access_keys`)
-Раздел содержит массив ключей доступа. Поддерживается два формата записи (для обратной совместимости):
-1. **Простая строка**: Текст ключа доступа. Лимит трафика отсутствует.
-   ```json
-   "my_secure_key"
-   ```
-2. **Объект с метаданными**:
-   - `access_key` (строка, обязательно): Текст ключа для подключения.
-   - `name` (строка, опционально): Человекочитаемое описание клиента.
-   - `limit_bytes` (число, опционально): Лимит трафика в байтах (загрузка + скачивание).
-
-При достижении `limit_bytes` сессия клиента немедленно сбрасывается и подключение блокируется до обнуления счетчика или расширения лимита.
-
----
-
-### 3. REST API Управления (`api`)
-Используется для программного управления сервером и интеграции с внешними панелями.
-- **`enabled`** (логический): Включение встроенного веб-сервера API.
-- **`bind`** (строка): Интерфейс и порт для прослушивания (например, `"127.0.0.1:9090"`).
-- **`token`** (строка): Bearer-токен для авторизации администратора. Автоматически генерируется сервером при команде `ostp --init server`.
-
----
-
-### 4. Встроенный TCP Fallback прокси (`fallback`)
-Позволяет маскировать порт под веб-сервер при сканировании активными DPI-зондами.
-- **`enabled`** (логический): Включить проксирование TCP.
-- **`listen`** (строка): Порт прослушивания TCP/TLS (например, `"0.0.0.0:443"`).
-- **`target`** (строка): Локальный веб-сервер (например, `"127.0.0.1:8080"` на nginx/caddy), куда будут пересылаться все обычные запросы (не-OSTP трафик).
-
----
-
-### 5. Reality Маскировка (`reality`)
-Реализует спецификацию XTLS-Reality для бесшовной маскировки трафика под легитимный TLS-сервер.
-- **`enabled`** (логический): Включение маскировки.
-- **`dest`** (строка): Целевой домен маскировки (например, `"www.microsoft.com:443"`).
-- **`private_key`** (строка): Приватный ключ Reality сервера (X25519).
-- **`pbk`** (строка): Публичный ключ Reality сервера.
-- **`sid`** (строка, 8 байт hex): Идентификатор сессии.
-- **`sni_list`** (массив строк): Разрешенные SNI заголовки от клиентов.
-
----
-
-### 6. Правила маршрутизации (`outbound`)
-Позволяет пересылать часть исходящего трафика клиентов через прокси-сервер (например, SOCKS5/TOR).
-- **`enabled`** (логический): Включить исходящую маршрутизацию.
-- **`protocol`** (строка): Протокол прокси. На данный момент поддерживается `"socks5"`.
-- **`address`** (строка): Хост прокси-сервера.
-- **`port`** (число): Порт прокси-сервера.
-- **`default_action`** (строка): Действие для трафика, не попавшего под правила. Варианты: `"direct"` (напрямую с сервера) или `"proxy"` (через прокси).
-- **`rules`** (массив объектов): Список правил перенаправления:
-  - `domain_suffix` (массив строк): Фильтрация по суффиксу домена.
-  - `ip_cidr` (массив строк): Фильтрация по IP подсетям.
-  - `action` (строка): Действие при совпадении (`"direct"` или `"proxy"`).