[WIP] paqet initial implementation -- Needs Testing

.env.example

@@ -36,6 +36,11 @@ ENABLE_TROJAN=true
 ENABLE_HYSTERIA2=true
 ENABLE_WIREGUARD=true
 ENABLE_DNSTT=true
+ENABLE_PAQET=false
+# Paqet advanced settings (optional)
+# PAQET_LOG_LEVEL=info     # Log level: debug, info, warn, error
+# PAQET_KCP_MODE=fast      # KCP mode: fast, normal, fast2, fast3
+# PAQET_ENCRYPTION=aes     # Encryption: aes, tea, xor, none
 ENABLE_ADMIN_UI=true
 
 # =============================================================================
@@ -84,6 +89,7 @@ PORT_TROJAN=8443     # Trojan fallback
 PORT_WIREGUARD=51820 # WireGuard (UDP)
 PORT_WSTUNNEL=8080   # WebSocket tunnel for WireGuard
 PORT_DNS=53          # DNS tunnel (dnstt)
+PORT_PAQET=9999      # Paqet raw packet proxy
 PORT_ADMIN=9443      # Admin dashboard
 
 # =============================================================================

CHANGELOG.md

@@ -9,10 +9,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 - `moav test` verbose flag (`-v` or `--verbose`) for debugging connection issues
+- **Paqet protocol support** - Raw packet-level proxy that bypasses OS TCP/IP stack
+  - New `--profile paqet` for starting paqet service
+  - Auto-detection of network interface, server IP, and gateway MAC
+  - Automatic iptables NOTRACK rules to prevent kernel RST packets
+  - Client config generation in user bundles (`paqet-client.yaml`, `paqet-instructions.txt`)
+  - VPS compatibility check (OpenVZ/LXC not supported - requires KVM or bare metal)
+  - Documentation for setup, troubleshooting, and iptables persistence
 
 ### Changed
 - `moav test` now prefers IPv4 configs over IPv6 (tests `reality.txt` before `reality-ipv6.txt`)
 - `moav test` treats IPv6 network failures as warnings instead of errors (IPv6 may not be available in container)
+- Client container now includes paqet binary and libpcap for raw packet proxy support
 
 ### Fixed
 - **WireGuard-wstunnel not forwarding traffic** - wstunnel was trying to forward to localhost instead of wireguard container (changed `127.0.0.1:51820` to `moav-wireguard:51820`)

Dockerfile.client

@@ -35,6 +35,14 @@ RUN go install gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/sn
     echo "snowflake build failed"
 RUN cp /go/bin/client /snowflake-client 2>/dev/null || touch /snowflake-client
 
+# Build paqet from source
+FROM golang:1.23-alpine AS paqet-builder
+RUN apk add --no-cache git libpcap-dev gcc musl-dev
+ENV GOTOOLCHAIN=auto
+RUN git clone --depth 1 https://github.com/hanselime/paqet.git /src/paqet && \
+    cd /src/paqet && \
+    go build -o /paqet ./cmd || touch /paqet
+
 # =============================================================================
 # Final image - prefer pre-built binaries, fallback to built versions
 # =============================================================================
@@ -60,12 +68,14 @@ RUN apk add --no-cache \
     iproute2 \
     bind-tools \
     tor \
+    libpcap \
     && rm -rf /var/cache/apk/*
 
 # Copy built binaries from builder stages (as fallback)
 COPY --from=singbox-builder /sing-box /tmp/sing-box-built
 COPY --from=dnstt-builder /dnstt-client /tmp/dnstt-client-built
 COPY --from=snowflake-builder /snowflake-client /tmp/snowflake-client-built
+COPY --from=paqet-builder /paqet /tmp/paqet-built
 
 # sing-box: try pre-built, fallback to built
 # TARGETARCH is amd64 or arm64
@@ -103,6 +113,13 @@ RUN cp /tmp/dnstt-client-built /usr/local/bin/dnstt-client && \
     echo "dnstt: build failed (optional)"
 RUN rm -f /tmp/dnstt-client-built
 
+# paqet: always use built (no official releases)
+RUN cp /tmp/paqet-built /usr/local/bin/paqet && \
+    chmod +x /usr/local/bin/paqet && \
+    echo "paqet: using locally built binary" || \
+    echo "paqet: build failed (optional)"
+RUN rm -f /tmp/paqet-built
+
 # Create directories
 RUN mkdir -p /config /app /state /var/log/moav
 

Dockerfile.paqet

@@ -0,0 +1,56 @@
+# =============================================================================
+# MoaV Paqet - Raw Packet Level Proxy
+# =============================================================================
+# Paqet bypasses OS TCP/IP stack using pcap for packet capture/injection.
+# Requires: --network host --privileged (or NET_RAW + NET_ADMIN capabilities)
+# =============================================================================
+
+FROM golang:1.23-alpine AS builder
+
+# Install build dependencies
+RUN apk add --no-cache git libpcap-dev gcc musl-dev
+
+# Enable toolchain auto-download for newer Go versions
+ENV GOTOOLCHAIN=auto
+
+# Clone paqet source
+ARG PAQET_VERSION=master
+RUN git clone --depth 1 --branch ${PAQET_VERSION} https://github.com/hanselime/paqet.git /src/paqet
+
+WORKDIR /src/paqet
+
+# Download dependencies first (better caching)
+RUN go mod download
+
+# Build paqet
+RUN CGO_ENABLED=1 go build -ldflags="-s -w" -o /paqet ./cmd
+
+# =============================================================================
+# Final image
+# =============================================================================
+FROM alpine:3.20
+
+# Install runtime dependencies
+RUN apk add --no-cache \
+    libpcap \
+    iptables \
+    iproute2 \
+    bash \
+    curl \
+    jq \
+    && rm -rf /var/cache/apk/*
+
+# Copy paqet binary
+COPY --from=builder /paqet /usr/local/bin/paqet
+RUN chmod +x /usr/local/bin/paqet
+
+# Copy entrypoint
+COPY scripts/paqet-entrypoint.sh /app/entrypoint.sh
+RUN chmod +x /app/entrypoint.sh
+
+# Create directories
+RUN mkdir -p /etc/paqet /state
+
+WORKDIR /app
+
+ENTRYPOINT ["/app/entrypoint.sh"]

README-fa.md

@@ -8,7 +8,7 @@
 
 ## ویژگی‌ها
 
-- **پروتکل‌های متعدد** - Reality (VLESS)، Trojan، Hysteria2، WireGuard (مستقیم و wstunnel)، تونل DNS
+- **پروتکل‌های متعدد** - Reality (VLESS)، Trojan، Hysteria2، WireGuard (مستقیم و wstunnel)، Paqet، تونل DNS
 - **اولویت پنهان‌کاری** - تمام ترافیک شبیه HTTPS معمولی، WebSocket، یا DNS به نظر می‌رسد
 - **اعتبارنامه‌های جداگانه برای هر کاربر** - ایجاد، لغو و مدیریت کاربران به صورت مستقل
 - **نصب آسان** - مبتنی بر Docker Compose، راه‌اندازی با یک دستور
@@ -142,6 +142,7 @@ docker compose --profile all up -d                 # شروع تمام سروی
 | Trojan | 8443/tcp | ★★★★☆ | ★★★★☆ | پشتیبان، از دامنه شما استفاده می‌کند |
 | WireGuard (مستقیم) | 51820/udp | ★★★☆☆ | ★★★★★ | VPN کامل، نصب ساده |
 | WireGuard (wstunnel) | 8080/tcp | ★★★★☆ | ★★★★☆ | VPN وقتی UDP مسدود است |
+| Paqet | 9999/tcp | ★★★☆☆ | ★★★☆☆ | بسته خام، دور زدن فایروال OS |
 | تونل DNS | 53/udp | ★★★☆☆ | ★☆☆☆☆ | آخرین راه‌حل، سخت برای مسدود کردن |
 | Psiphon | - | ★★★★☆ | ★★★☆☆ | مستقل، نیازی به سرور ندارد |
 | Tor (Snowflake) | - | ★★★★☆ | ★★☆☆☆ | مستقل، از شبکه Tor استفاده می‌کند |

README.md

@@ -8,7 +8,7 @@ Multi-protocol censorship circumvention stack optimized for hostile network envi
 
 ## Features
 
-- **Multiple protocols** - Reality (VLESS), Trojan, Hysteria2, WireGuard (direct & wstunnel), DNS tunnel
+- **Multiple protocols** - Reality (VLESS), Trojan, Hysteria2, WireGuard (direct & wstunnel), Paqet, DNS tunnel
 - **Stealth-first** - All traffic looks like normal HTTPS, WebSocket, or DNS
 - **Per-user credentials** - Create, revoke, and manage users independently
 - **Easy deployment** - Docker Compose based, single command setup
@@ -120,6 +120,7 @@ See [docs/SETUP.md](docs/SETUP.md) for complete setup instructions.
 | Trojan | 8443/tcp | ★★★★☆ | ★★★★☆ | Backup, uses your domain |
 | WireGuard (Direct) | 51820/udp | ★★★☆☆ | ★★★★★ | Full VPN, simple setup |
 | WireGuard (wstunnel) | 8080/tcp | ★★★★☆ | ★★★★☆ | VPN when UDP is blocked |
+| Paqet | 9999/tcp | ★★★☆☆ | ★★★☆☆ | Raw packet, bypasses OS firewall |
 | DNS Tunnel | 53/udp | ★★★☆☆ | ★☆☆☆☆ | Last resort, hard to block |
 | Psiphon | - | ★★★★☆ | ★★★☆☆ | Standalone, no server needed |
 | Tor (Snowflake) | - | ★★★★☆ | ★★☆☆☆ | Standalone, uses Tor network |

docker-compose.yml

@@ -132,6 +132,31 @@ services:
       - dnstt
       - all
 
+  # ===========================================================================
+  # PAQET: Raw packet-level proxy (last resort, bypasses OS firewall)
+  # ===========================================================================
+  paqet:
+    build:
+      context: .
+      dockerfile: Dockerfile.paqet
+    container_name: moav-paqet
+    restart: unless-stopped
+    # REQUIRED: Host network mode for raw packet access
+    network_mode: host
+    # REQUIRED: Privileged mode for pcap/raw sockets
+    privileged: true
+    volumes:
+      - moav_state:/state
+      - ./configs/paqet:/etc/paqet
+    environment:
+      - TZ=${TZ:-UTC}
+      - PAQET_PORT=${PORT_PAQET:-9999}
+      - PAQET_LOG_LEVEL=${PAQET_LOG_LEVEL:-info}
+      - PAQET_KCP_MODE=${PAQET_KCP_MODE:-fast}
+      - PAQET_ENCRYPTION=${PAQET_ENCRYPTION:-aes}
+    profiles:
+      - paqet
+
   # ===========================================================================
   # CERTBOT: TLS certificate management
   # ===========================================================================
@@ -290,7 +315,9 @@ services:
       - ENABLE_HYSTERIA2=${ENABLE_HYSTERIA2:-true}
       - ENABLE_WIREGUARD=${ENABLE_WIREGUARD:-true}
       - ENABLE_DNSTT=${ENABLE_DNSTT:-true}
+      - ENABLE_PAQET=${ENABLE_PAQET:-false}
       - ENABLE_ADMIN_UI=${ENABLE_ADMIN_UI:-true}
+      - PORT_PAQET=${PORT_PAQET:-9999}
     profiles:
       - setup
 

docs/CLIENTS.md

@@ -17,6 +17,7 @@ This guide explains how to connect to MoaV from various devices.
 - [WireGuard Setup](#wireguard-setup)
 - [Hysteria2 Setup](#hysteria2-setup)
 - [DNS Tunnel Setup (Last Resort)](#dns-tunnel-setup-last-resort)
+- [Paqet Setup (Last Resort)](#paqet-setup-last-resort)
 - [Psiphon Setup](#psiphon-setup)
 - [About Psiphon Conduit (Server Feature)](#about-psiphon-conduit-server-feature)
 - [About Tor Snowflake (Server Feature)](#about-tor-snowflake-server-feature)
@@ -37,6 +38,7 @@ This guide explains how to connect to MoaV from various devices.
 | [WireGuard](https://www.wireguard.com/) (Direct) | 51820/udp | Full VPN mode, simple setup |
 | [WireGuard](https://www.wireguard.com/) + [wstunnel](https://github.com/erebe/wstunnel) | 8080/tcp | VPN wrapped in WebSocket |
 | [DNS Tunnel](https://www.bamsoftware.com/software/dnstt/) | 53/udp | Last resort, slow but hard to block |
+| [Paqet](https://github.com/hanselime/paqet) | 9999/tcp | Raw packet proxy, bypasses OS firewall |
 | [Psiphon](https://psiphon.ca/) | Various | Standalone app, uses Psiphon network |
 | [Tor](https://www.torproject.org/) (Snowflake) | Various | Uses Tor network |
 
@@ -130,7 +132,8 @@ Try these in order. If one doesn't work, try the next:
 5. **WireGuard (wstunnel)** - VPN wrapped in WebSocket, for restrictive networks (port 8080/tcp)
 6. **Tor (Snowflake)** - Uses Tor network (no server needed)
 7. **DNS Tunnel** - Last resort, very slow but hard to block (port 53/udp)
-8. **Psiphon** - Standalone app only, uses Psiphon network (not via MoaV client)
+8. **Paqet** - Raw packet proxy, bypasses OS firewall (port 9999/tcp, requires root)
+9. **Psiphon** - Standalone app only, uses Psiphon network (not via MoaV client)
 
 ---
 
@@ -154,7 +157,7 @@ moav test user1
 moav test user1 --json
 ```
 
-The test checks: Reality, Trojan, Hysteria2, WireGuard (config validation), and dnstt.
+The test checks: Reality, Trojan, Hysteria2, WireGuard (config validation), dnstt, and Paqet.
 
 **Sample output:**
 ```
@@ -227,6 +230,7 @@ The client container includes:
 - **wireguard-go** - Userspace WireGuard implementation
 - **wstunnel** - WebSocket tunnel for WireGuard
 - **dnstt-client** - DNS tunnel client
+- **paqet** - Raw packet proxy (requires privileged mode)
 - **snowflake-client** - Tor Snowflake pluggable transport
 - **tor** - Tor daemon
 
@@ -505,6 +509,106 @@ See `dnstt-instructions.txt` in your bundle for detailed steps.
 
 ---
 
+## Paqet Setup (Last Resort)
+
+Paqet is a raw packet-level proxy that bypasses the OS TCP/IP stack using pcap. Use this when:
+- Other protocols are actively blocked
+- Deep packet inspection is defeating standard protocols
+- You need to operate below the firewall layer
+
+**Requirements:**
+- Root/administrator privileges
+- libpcap installed
+- NOT OpenVZ/LXC container (requires KVM, Xen, or bare metal)
+
+### Installation
+
+**Linux:**
+```bash
+# Install libpcap
+sudo apt install libpcap-dev  # Debian/Ubuntu
+sudo dnf install libpcap-devel  # Fedora/RHEL
+
+# Download paqet
+# From: https://github.com/hanselime/paqet/releases
+# Or build from source:
+go install github.com/hanselime/paqet/cmd/paqet@latest
+```
+
+**macOS:**
+```bash
+# libpcap is pre-installed
+# Download paqet binary or build from source
+```
+
+**Windows:**
+1. Install [Npcap](https://npcap.com) (required for raw packet access)
+2. Download paqet.exe from releases
+
+### Configuration
+
+Your bundle contains `paqet-client.yaml` and `paqet-instructions.txt`.
+
+**You must fill in YOUR network details:**
+
+1. Find your network interface:
+   ```bash
+   # Linux
+   ip a
+   # macOS
+   ifconfig
+   # Windows
+   Get-NetAdapter
+   ```
+
+2. Find your local IP:
+   ```bash
+   # Linux
+   ip -4 addr show eth0 | grep inet
+   # macOS
+   ifconfig en0 | grep inet
+   ```
+
+3. Find your gateway/router MAC:
+   ```bash
+   # Find gateway IP
+   ip route | grep default  # Linux
+   netstat -rn | grep default  # macOS
+
+   # Get MAC for gateway IP
+   arp -n GATEWAY_IP
+   ```
+
+4. Edit `paqet-client.yaml`:
+   ```yaml
+   network:
+     interface: "eth0"           # Your interface
+     ipv4:
+       addr: "192.168.1.100:0"   # Your local IP
+       router_mac: "aa:bb:cc:dd:ee:ff"  # Your gateway MAC
+   ```
+
+### Running
+
+```bash
+# Linux/macOS (requires root)
+sudo paqet run -c paqet-client.yaml
+
+# Windows (run as Administrator)
+paqet.exe run -c paqet-client.yaml
+```
+
+This creates a SOCKS5 proxy at `127.0.0.1:1080`.
+
+### Troubleshooting
+
+- **"permission denied"** - Run as root/admin
+- **"no route to host"** - Check gateway MAC address
+- **"pcap error"** - Install libpcap, verify interface name
+- **OpenVZ/LXC error** - Paqet requires KVM or bare metal (raw sockets not supported in containers)
+
+---
+
 ## Psiphon Setup
 
 Psiphon is a standalone circumvention tool that doesn't require your own server. It connects to the Psiphon network - a large, distributed system designed for censorship circumvention.

docs/SETUP.md

@@ -360,6 +360,7 @@ docker compose --profile proxy --profile conduit up -d        # Proxy + Psiphon
 #   proxy     - sing-box + decoy (main proxy services)
 #   wireguard - WireGuard VPN via wstunnel
 #   dnstt     - DNS tunnel (last resort)
+#   paqet     - Paqet raw packet proxy (last resort, requires host network)
 #   admin     - Stats dashboard (https://domain:9443 or https://ip:9443 in domain-less mode)
 #   conduit   - Psiphon bandwidth donation (includes traffic stats by country)
 #   snowflake - Tor Snowflake proxy (bandwidth donation for Tor users)