SamNet-dev/dnstm-setup

📦 ⚡ VayDNS Tunnel Support

• 2 new tunnels: `vay1` (SOCKS on `v` subdomain) and `vay-ssh` (SSH on `vz` subdomain)
• Up to 8 tunnels total (Slipstream + DNSTT + NoizDNS + VayDNS, each with SOCKS and SSH)
• Transport option 4 in `--add-tunnel` TUI
• Binary downloaded automatically during setup; graceful fallback if unavailable
• Simpler service override than NoizDNS — supports `-udp` directly, no PT mode needed
• Full integration: `--status`, `--monitor`, `--diag`, `--add-domain`, `--remove-tunnel`, `--uninstall`

📦 📈 `--monitor` Command

• Live tunnel usage monitoring:
• Per-tunnel process stats (PID, CPU%, memory, uptime)
• Active SOCKS/SSH/DNS connection counts
• Total memory usage
• Recent journalctl logs
• Optimized: ~3 forks per tunnel, cached `ss` output
• ```bash
• sudo bash dnstm-setup.sh --monitor
• + 2 more

📦 🔍 `--diag` Command

• Comprehensive tunnel diagnostics with issue counting and fix hints:
• Binary validation (dnstm, dnstt-server `-udp` flag, noizdns-server/vaydns-server ELF check)
• Service status with journal log snippets on failure
• NoizDNS/VayDNS drop-in override and PT env var checks
• Config.json transport/MTU analysis with high-MTU warnings
• Port 53 binding, SSH localhost reachability, UFW/iptables rules
• Public/private key file presence per tunnel
• External DNS resolution test
• + 4 more

🐛 `--status` Hangs (Fixes #31)

• `dnstm tunnel share` had no timeout — could hang indefinitely when DNS/domain config is missing
• Added `timeout --kill-after=3 10` to all `dnstm` subcommand calls in the status path

🐛 Empty SlipNet URLs in `--status` (Fixes #32)

• When `dnstm tunnel list` doesn't include domains in its table output, slipnet:// URLs were silently skipped
• Added fallback to read tunnel domains from `/etc/dnstm/config.json` via jq or python3

🐛 SSH User Management Hangs (Fixes #33)

• `sshtun-user` commands were missing `</dev/null` stdin redirect, causing TTY blocking
• All `sshtun-user` calls (list, create, show, update, delete, configure) now have `</dev/null` and `timeout --kill-after=3`

📦 Other Improvements

• 9 DNS records (was 7) — 2 new NS records for VayDNS subdomains (`v`, `vz`)
• `--add-domain` creates VayDNS tunnels for backup domains
• `--add-tunnel` offers 4 transport choices: Slipstream, DNSTT, NoizDNS, VayDNS
• `--remove-tunnel` cleans up VayDNS service overrides
• `--uninstall` removes vaydns-server binary and drop-in files
• SSH user management generates VayDNS SSH share URLs
• Help text lists all 10 components (was 6)

📦 Upgrade

• ```bash
• curl -fsSL -o dnstm-setup.sh https://raw.githubusercontent.com/SamNet-dev/dnstm-setup/master/dnstm-setup.sh
• sudo bash dnstm-setup.sh
• ```

📦 Update from TUI

• New option 10) Update script in the management menu
• `--update` flag for CLI usage
• Auto-detects new versions, downloads, validates, and restarts

📦 SSH MAC Compatibility

• Fix for Bitvise and older SSH clients failing with `no match for method mac algo`
• Adds non-ETM SHA2 MACs as fallbacks while keeping ETM preferred
• Fixes #19

📦 DNS Safety (never locks users out)

• EXIT trap auto-fixes DNS if script crashes mid-operation
• `resolv.conf` backed up and locked with `chattr +i`
• Fallback nameservers written if DNS breaks after disabling stub listener

📦 3x-ui / Xray Backend

• Credentials set via `x-ui setting` binary (handles bcrypt hashing in v2.0+)
• Panel port set via binary, not just sqlite3
• Login probing validates JSON responses (not HTML error pages)
• Fixes #18

📦 microsocks GLIBC

• Proactive GLIBC compatibility check right after `dnstm install`
• Waits for dpkg lock (unattended-upgrades) before installing build tools

📦 NoizDNS

• Binaries self-hosted as GitHub release assets for reliability
• Binary validation uses `file` command instead of unreliable `-help` flag

📦 sshd_config Safety

• Backed up before `sshtun-user configure`
• Validated with `sshd -t` after modification
• Auto-rollback if validation fails

📦 🛡️ NoizDNS Tunnels (DPI-Resistant)

• Two new tunnel types added to the main setup — 6 tunnels instead of 4:
• NoizDNS + SOCKS (`n` subdomain) — DPI-resistant DNS tunnel for SOCKS proxy
• NoizDNS + SSH (`z` subdomain) — DPI-resistant DNS tunnel for SSH tunneling
• Zero extra configuration — binary downloaded automatically during setup
• Graceful degradation — if download fails, creates 4 standard tunnels and continues
• Works on all architectures (amd64, arm64, arm, 386)

📦 🔌 Xray Backend Integration (Optional)

• New optional feature to connect an existing 3x-ui panel (or raw Xray) to a DNS tunnel:
• ```bash
• sudo bash dnstm-setup.sh --add-xray
• ```
• Auto-detects 3x-ui (native or Docker) — or installs it for you (full panel or headless)
• 4 protocols: VLESS, Shadowsocks, VMess, Trojan
• Internal-only inbound on `127.0.0.1` — only reachable through the DNSTT tunnel
• Generates client configs — SlipNet URL + client URI for Nekobox/v2rayNG/Shadowrocket
• + 1 more

📦 Other Improvements

• 7 DNS records (was 5) — 2 new NS records for NoizDNS subdomains
• `--add-domain` now creates NoizDNS tunnels for backup domains
• `--status` displays NoizDNS tunnel info and SlipNet URLs
• `--remove-tunnel` properly cleans up Xray and NoizDNS service overrides
• Security — SQL injection prevention, cookie jar cleanup, restrictive file permissions, bcrypt password detection
• Portable — no `grep -P`, no `python3`, pure bash

📦 Full Tunnel Setup (v1.3)

• | Tunnel | Subdomain | Transport | Backend |
• |---|---|---|---|
• | slip1 | `t` | Slipstream (QUIC) | SOCKS |
• | dnstt1 | `d` | DNSTT (Noise) | SOCKS |
• | noiz1 | `n` | NoizDNS (DPI-resistant) | SOCKS |
• | slip-ssh | `s` | Slipstream (QUIC) | SSH |
• | dnstt-ssh | `ds` | DNSTT (Noise) | SSH |
• | noiz-ssh | `z` | NoizDNS (DPI-resistant) | SSH |