Paqet Protocol Support - Raw Packet Proxy

.env.example

@@ -40,6 +40,7 @@ ENABLE_TRUSTTUNNEL=true
 ENABLE_ADMIN_UI=true
 ENABLE_CONDUIT=true
 ENABLE_SNOWFLAKE=true
+ENABLE_PAQET=false
 # ENABLE_MONITORING=true  # Uncomment to enable Grafana monitoring (requires 2GB RAM)
 
 # =============================================================================
@@ -135,6 +136,7 @@ PORT_DNS=53          # DNS tunnel (dnstt)
 PORT_ADMIN=9443      # Admin dashboard
 PORT_CDN=2082        # CDN WebSocket (VLESS+WS)
 PORT_TRUSTTUNNEL=4443 # TrustTunnel (HTTP/2 + QUIC)
+PORT_PAQET=9999      # Paqet raw packet proxy
 PORT_GRAFANA=9444    # Grafana monitoring dashboard
 
 # =============================================================================
@@ -156,6 +158,15 @@ GRAFANA_SUBDOMAIN=grafana
 # Set to override with a custom name
 GRAFANA_APP_TITLE=
 
+# =============================================================================
+# PAQET CONFIGURATION (Raw Packet Proxy - Last Resort)
+# =============================================================================
+
+# Paqet advanced settings (optional)
+# PAQET_LOG_LEVEL=info     # Log level: debug, info, warn, error
+# PAQET_KCP_MODE=fast      # KCP mode: fast, normal, fast2, fast3
+# PAQET_ENCRYPTION=aes     # Encryption: aes, tea, xor, none
+
 # =============================================================================
 # CDN CONFIGURATION (Cloudflare CDN-fronted VLESS+WebSocket)
 # =============================================================================
@@ -172,7 +183,7 @@ CDN_WS_PATH=/ws
 # =============================================================================
 
 # Default profiles for 'moav start' (space-separated)
-# Options: proxy wireguard dnstt trusttunnel admin conduit snowflake monitoring
+# Options: proxy wireguard dnstt trusttunnel paqet admin conduit snowflake monitoring
 # Use 'all' for everything, or leave empty to be prompted
 DEFAULT_PROFILES=
 

README-fa.md

@@ -8,7 +8,7 @@
 
 ## ویژگی‌ها
 
-- **پروتکل‌های متعدد** - Reality (VLESS)، Trojan، Hysteria2، TrustTunnel، WireGuard (مستقیم و wstunnel)، تونل DNS
+- **پروتکل‌های متعدد** - Reality (VLESS)، Trojan، Hysteria2، TrustTunnel، WireGuard (مستقیم و wstunnel)، Paqet، تونل DNS
 - **اولویت پنهان‌کاری** - تمام ترافیک شبیه HTTPS معمولی، WebSocket، یا DNS به نظر می‌رسد
 - **اعتبارنامه‌های جداگانه برای هر کاربر** - ایجاد، لغو و مدیریت کاربران به صورت مستقل
 - **نصب آسان** - مبتنی بر Docker Compose، راه‌اندازی با یک دستور
@@ -153,6 +153,7 @@ docker compose --profile all up -d                 # شروع تمام سروی
 | TrustTunnel | 4443/tcp+udp | ★★★★★ | ★★★★☆ | HTTP/2 و QUIC، شبیه HTTPS |
 | WireGuard (مستقیم) | 51820/udp | ★★★☆☆ | ★★★★★ | VPN کامل، نصب ساده |
 | WireGuard (wstunnel) | 8080/tcp | ★★★★☆ | ★★★★☆ | VPN وقتی UDP مسدود است |
+| Paqet | 9999/tcp | ★★★☆☆ | ★★★☆☆ | پکت خام، عبور از فایروال سیستم‌عامل |
 | تونل DNS | 53/udp | ★★★☆☆ | ★☆☆☆☆ | آخرین راه‌حل، سخت برای مسدود کردن |
 | Psiphon | - | ★★★★☆ | ★★★☆☆ | مستقل، نیازی به سرور ندارد |
 | Tor (Snowflake) | - | ★★★★☆ | ★★☆☆☆ | مستقل، از شبکه Tor استفاده می‌کند |

README.md

@@ -8,7 +8,7 @@ Multi-protocol censorship circumvention stack optimized for hostile network envi
 
 ## Features
 
-- **Multiple protocols** - Reality (VLESS), Trojan, Hysteria2, TrustTunnel, WireGuard (direct & wstunnel), DNS tunnel
+- **Multiple protocols** - Reality (VLESS), Trojan, Hysteria2, TrustTunnel, WireGuard (direct & wstunnel), Paqet, DNS tunnel
 - **Stealth-first** - All traffic looks like normal HTTPS, WebSocket, or DNS
 - **Per-user credentials** - Create, revoke, and manage users independently
 - **Easy deployment** - Docker Compose based, single command setup
@@ -132,6 +132,7 @@ See [docs/SETUP.md](docs/SETUP.md) for complete setup instructions.
 | TrustTunnel | 4443/tcp+udp | ★★★★★ | ★★★★☆ | HTTP/2 & QUIC, looks like HTTPS |
 | WireGuard (Direct) | 51820/udp | ★★★☆☆ | ★★★★★ | Full VPN, simple setup |
 | WireGuard (wstunnel) | 8080/tcp | ★★★★☆ | ★★★★☆ | VPN when UDP is blocked |
+| Paqet | 9999/tcp | ★★★☆☆ | ★★★☆☆ | Raw packet, bypasses OS firewall |
 | DNS Tunnel | 53/udp | ★★★☆☆ | ★☆☆☆☆ | Last resort, hard to block |
 | Psiphon | - | ★★★★☆ | ★★★☆☆ | Standalone, no server needed |
 | Tor (Snowflake) | - | ★★★★☆ | ★★☆☆☆ | Standalone, uses Tor network |

docker-compose.yml

@@ -324,6 +324,33 @@ services:
       - trusttunnel
       - all
 
+  # ===========================================================================
+  # PAQET: Raw packet-level proxy (last resort)
+  # Bypasses OS TCP/IP stack using pcap - requires host network + privileged
+  # ===========================================================================
+  paqet:
+    build:
+      context: .
+      dockerfile: dockerfiles/Dockerfile.paqet
+    container_name: moav-paqet
+    restart: unless-stopped
+    # REQUIRED: Host network mode for raw packet access
+    network_mode: host
+    # REQUIRED: Privileged mode for pcap/raw sockets
+    privileged: true
+    volumes:
+      - moav_state:/state
+      - ./configs/paqet:/etc/paqet
+    environment:
+      - TZ=${TZ:-UTC}
+      - PAQET_PORT=${PORT_PAQET:-9999}
+      - PAQET_LOG_LEVEL=${PAQET_LOG_LEVEL:-info}
+      - PAQET_KCP_MODE=${PAQET_KCP_MODE:-fast}
+      - PAQET_ENCRYPTION=${PAQET_ENCRYPTION:-aes}
+    profiles:
+      - paqet
+      - all
+
   # ===========================================================================
   # ADMIN: Stats dashboard
   # ===========================================================================
@@ -570,6 +597,8 @@ services:
       - ENABLE_WIREGUARD=${ENABLE_WIREGUARD:-true}
       - ENABLE_DNSTT=${ENABLE_DNSTT:-true}
       - ENABLE_TRUSTTUNNEL=${ENABLE_TRUSTTUNNEL:-true}
+      - ENABLE_PAQET=${ENABLE_PAQET:-false}
+      - PORT_PAQET=${PORT_PAQET:-9999}
       - ENABLE_ADMIN_UI=${ENABLE_ADMIN_UI:-true}
       - CDN_SUBDOMAIN=${CDN_SUBDOMAIN:-}
       - CDN_DOMAIN=${CDN_DOMAIN:-}

dockerfiles/Dockerfile.client

@@ -23,6 +23,16 @@ RUN git clone https://www.bamsoftware.com/git/dnstt.git /tmp/dnstt && \
     cd /tmp/dnstt/dnstt-client && \
     GOOS=${TARGETOS} GOARCH=${TARGETARCH} CGO_ENABLED=0 go build -o /dnstt-client . || touch /dnstt-client
 
+# =============================================================================
+# Builder stage - compile paqet (no official releases available)
+# =============================================================================
+FROM golang:1.23-alpine AS paqet-builder
+RUN apk add --no-cache git libpcap-dev gcc musl-dev
+ENV GOTOOLCHAIN=auto
+RUN git clone --depth 1 https://github.com/hanselime/paqet.git /src/paqet && \
+    cd /src/paqet && \
+    go build -o /paqet ./cmd || touch /paqet
+
 # =============================================================================
 # Final image - download pre-built binaries for correct architecture
 # =============================================================================
@@ -49,6 +59,7 @@ RUN apk add --no-cache \
     iproute2 \
     bind-tools \
     tor \
+    libpcap \
     && rm -rf /var/cache/apk/*
 
 # Architecture mapping helper script
@@ -99,6 +110,14 @@ RUN ARCH=$(cat /tmp/arch) && \
     echo "snowflake-client ${SNOWFLAKE_VERSION} installed (${ARCH})" || \
     echo "snowflake-client: download failed (optional, needed for Tor)"
 
+# paqet: copy built binary from builder (no official releases)
+COPY --from=paqet-builder /paqet /tmp/paqet-built
+RUN cp /tmp/paqet-built /usr/local/bin/paqet && \
+    chmod +x /usr/local/bin/paqet && \
+    echo "paqet: using locally built binary" || \
+    echo "paqet: build failed (optional)"
+RUN rm -f /tmp/paqet-built
+
 # dnstt-client: copy cross-compiled binary from builder
 COPY --from=dnstt-builder /dnstt-client /usr/local/bin/dnstt-client
 RUN chmod +x /usr/local/bin/dnstt-client 2>/dev/null && \

dockerfiles/Dockerfile.paqet

@@ -0,0 +1,56 @@
+# =============================================================================
+# MoaV Paqet - Raw Packet Level Proxy
+# =============================================================================
+# Paqet bypasses OS TCP/IP stack using pcap for packet capture/injection.
+# Requires: --network host --privileged (or NET_RAW + NET_ADMIN capabilities)
+# =============================================================================
+
+FROM golang:1.23-alpine AS builder
+
+# Install build dependencies
+RUN apk add --no-cache git libpcap-dev gcc musl-dev
+
+# Enable toolchain auto-download for newer Go versions
+ENV GOTOOLCHAIN=auto
+
+# Clone paqet source
+ARG PAQET_VERSION=master
+RUN git clone --depth 1 --branch ${PAQET_VERSION} https://github.com/hanselime/paqet.git /src/paqet
+
+WORKDIR /src/paqet
+
+# Download dependencies first (better caching)
+RUN go mod download
+
+# Build paqet
+RUN CGO_ENABLED=1 go build -ldflags="-s -w" -o /paqet ./cmd
+
+# =============================================================================
+# Final image
+# =============================================================================
+FROM alpine:3.20
+
+# Install runtime dependencies
+RUN apk add --no-cache \
+    libpcap \
+    iptables \
+    iproute2 \
+    bash \
+    curl \
+    jq \
+    && rm -rf /var/cache/apk/*
+
+# Copy paqet binary
+COPY --from=builder /paqet /usr/local/bin/paqet
+RUN chmod +x /usr/local/bin/paqet
+
+# Copy entrypoint
+COPY scripts/paqet-entrypoint.sh /app/entrypoint.sh
+RUN chmod +x /app/entrypoint.sh
+
+# Create directories
+RUN mkdir -p /etc/paqet /state
+
+WORKDIR /app
+
+ENTRYPOINT ["/app/entrypoint.sh"]

docs/CLIENTS.md

@@ -18,6 +18,7 @@ This guide explains how to connect to MoaV from various devices.
 - [CDN VLESS+WS Setup (When IP Blocked)](#cdn-vlessws-setup-when-ip-blocked)
 - [TrustTunnel Setup](#trusttunnel-setup)
 - [DNS Tunnel Setup (Last Resort)](#dns-tunnel-setup-last-resort)
+- [Paqet Setup (Last Resort)](#paqet-setup-last-resort)
 - [Psiphon Setup](#psiphon-setup)
 - [About Psiphon Conduit (Server Feature)](#about-psiphon-conduit-server-feature)
 - [About Tor Snowflake (Server Feature)](#about-tor-snowflake-server-feature)
@@ -40,6 +41,7 @@ This guide explains how to connect to MoaV from various devices.
 | [WireGuard](https://www.wireguard.com/) (Direct) | 51820/udp | Full VPN mode, simple setup |
 | [WireGuard](https://www.wireguard.com/) + [wstunnel](https://github.com/erebe/wstunnel) | 8080/tcp | VPN wrapped in WebSocket |
 | [DNS Tunnel](https://www.bamsoftware.com/software/dnstt/) | 53/udp | Last resort, slow but hard to block |
+| [Paqet](https://github.com/hanselime/paqet) | 9999/tcp | Raw packet proxy, bypasses OS firewall |
 | [Psiphon](https://psiphon.ca/) | Various | Standalone app, uses Psiphon network |
 | [Tor](https://www.torproject.org/) (Snowflake) | Various | Uses Tor network |
 
@@ -140,7 +142,8 @@ Try these in order. If one doesn't work, try the next:
 7. **WireGuard (wstunnel)** - VPN wrapped in WebSocket, for restrictive networks (port 8080/tcp)
 8. **Tor (Snowflake)** - Uses Tor network (no server needed)
 9. **DNS Tunnel** - Last resort, very slow but hard to block (port 53/udp)
-10. **Psiphon** - Standalone app only, uses Psiphon network (not via MoaV client)
+10. **Paqet** - Raw packet proxy, bypasses OS firewall (port 9999/tcp, requires root)
+11. **Psiphon** - Standalone app only, uses Psiphon network (not via MoaV client)
 
 ---
 
@@ -164,7 +167,7 @@ moav test user1
 moav test user1 --json
 ```
 
-The test checks: Reality, Trojan, Hysteria2, WireGuard (config validation), and dnstt.
+The test checks: Reality, Trojan, Hysteria2, WireGuard (config validation), dnstt, and Paqet.
 
 **Sample output:**
 ```
@@ -237,6 +240,7 @@ The client container includes:
 - **wireguard-go** - Userspace WireGuard implementation
 - **wstunnel** - WebSocket tunnel for WireGuard
 - **dnstt-client** - DNS tunnel client
+- **paqet** - Raw packet proxy (requires privileged mode)
 - **snowflake-client** - Tor Snowflake pluggable transport
 - **tor** - Tor daemon
 
@@ -586,6 +590,106 @@ See `dnstt-instructions.txt` in your bundle for detailed steps.
 
 ---
 
+## Paqet Setup (Last Resort)
+
+Paqet is a raw packet-level proxy that bypasses the OS TCP/IP stack using pcap. Use this when:
+- Other protocols are actively blocked
+- Deep packet inspection is defeating standard protocols
+- You need to operate below the firewall layer
+
+**Requirements:**
+- Root/administrator privileges
+- libpcap installed
+- NOT OpenVZ/LXC container (requires KVM, Xen, or bare metal)
+
+### Installation
+
+**Linux:**
+```bash
+# Install libpcap
+sudo apt install libpcap-dev  # Debian/Ubuntu
+sudo dnf install libpcap-devel  # Fedora/RHEL
+
+# Download paqet
+# From: https://github.com/hanselime/paqet/releases
+# Or build from source:
+go install github.com/hanselime/paqet/cmd/paqet@latest
+```
+
+**macOS:**
+```bash
+# libpcap is pre-installed
+# Download paqet binary or build from source
+```
+
+**Windows:**
+1. Install [Npcap](https://npcap.com) (required for raw packet access)
+2. Download paqet.exe from releases
+
+### Configuration
+
+Your bundle contains `paqet-client.yaml` and `paqet-instructions.txt`.
+
+**You must fill in YOUR network details:**
+
+1. Find your network interface:
+   ```bash
+   # Linux
+   ip a
+   # macOS
+   ifconfig
+   # Windows
+   Get-NetAdapter
+   ```
+
+2. Find your local IP:
+   ```bash
+   # Linux
+   ip -4 addr show eth0 | grep inet
+   # macOS
+   ifconfig en0 | grep inet
+   ```
+
+3. Find your gateway/router MAC:
+   ```bash
+   # Find gateway IP
+   ip route | grep default  # Linux
+   netstat -rn | grep default  # macOS
+
+   # Get MAC for gateway IP
+   arp -n GATEWAY_IP
+   ```
+
+4. Edit `paqet-client.yaml`:
+   ```yaml
+   network:
+     interface: "eth0"           # Your interface
+     ipv4:
+       addr: "192.168.1.100:0"   # Your local IP
+       router_mac: "aa:bb:cc:dd:ee:ff"  # Your gateway MAC
+   ```
+
+### Running
+
+```bash
+# Linux/macOS (requires root)
+sudo paqet run -c paqet-client.yaml
+
+# Windows (run as Administrator)
+paqet.exe run -c paqet-client.yaml
+```
+
+This creates a SOCKS5 proxy at `127.0.0.1:1080`.
+
+### Troubleshooting
+
+- **"permission denied"** - Run as root/admin
+- **"no route to host"** - Check gateway MAC address
+- **"pcap error"** - Install libpcap, verify interface name
+- **OpenVZ/LXC error** - Paqet requires KVM or bare metal (raw sockets not supported in containers)
+
+---
+
 ## Psiphon Setup
 
 Psiphon is a standalone circumvention tool that doesn't require your own server. It connects to the Psiphon network - a large, distributed system designed for censorship circumvention.

docs/SETUP.md

@@ -249,6 +249,7 @@ moav start all                   # Everything
 - `wireguard` - WireGuard VPN + wstunnel
 - `dnstt` - DNS tunnel
 - `trusttunnel` - TrustTunnel VPN
+- `paqet` - Raw packet proxy (last resort, requires host network)
 - `admin` - Admin dashboard
 - `conduit` - Psiphon bandwidth donation
 - `snowflake` - Tor bandwidth donation