Merge branch 'dev'

# Conflicts:
#	internal/clientcfg/fields.go
#	internal/clientcfg/generate.go
#	internal/version/version.go

Author: anonvector

README.md

@@ -4,11 +4,12 @@ Unified tunnel manager for Linux servers. Manages DNS tunnels (DNSTT, NoizDNS, S
 
 ## Features
 
-- **Multi-transport**: DNSTT/NoizDNS (DNS tunnels with Curve25519 encryption), Slipstream (QUIC-based DNS), VayDNS (KCP-based DNS with Curve25519), NaiveProxy (HTTPS with Caddy)
+- **Multi-transport**: DNSTT/NoizDNS (DNS tunnels with Curve25519 encryption), Slipstream (QUIC-based DNS), VayDNS (KCP-based DNS with Curve25519), NaiveProxy (HTTPS with Caddy), StunTLS (SSH over TLS + WebSocket)
 - **Dual backend**: Built-in SOCKS5 proxy or SSH forwarding
 - **DNS routing**: Single-tunnel or multi-tunnel mode with domain-based dispatch
+- **External routing**: Forward DNS queries for a domain to a custom port for user-managed protocols
 - **WARP integration**: Optional Cloudflare WARP outbound routing (see [dnstun-ezpz](https://github.com/aleskxyz/dnstun-ezpz) for an alternative approach)
-- **User management**: Managed SSH + SOCKS credentials per user
+- **User management**: Multi-user SSH + SOCKS credentials (all users authenticate simultaneously)
 - **Live dashboard**: Real-time TUI with CPU, RAM, traffic sparklines, per-protocol connection stats, and tunnel status
 - **Diagnostics**: Built-in health checks for services, ports, keys, DNS resolution, and boot persistence
 - **Interactive TUI + CLI**: Menu-driven setup or scriptable subcommands
@@ -21,7 +22,7 @@ Unified tunnel manager for Linux servers. Manages DNS tunnels (DNSTT, NoizDNS, S
 
 - **OS**: Linux (Ubuntu 20.04+, Debian 11+, or similar)
 - **Domain**: DNS A record pointed at your server (required for DNS tunnels and NaiveProxy)
-- **Ports**: 53/udp (DNS tunnels), 443/tcp (NaiveProxy)
+- **Ports**: 53/udp (DNS tunnels), 443/tcp (NaiveProxy, StunTLS)
 
 ## Quick Start
 
@@ -103,6 +104,7 @@ slipgate config import          # Import configuration
 # Internal (used by systemd services)
 slipgate dnsrouter serve        # Start DNS router
 slipgate socks serve            # Start built-in SOCKS5 proxy
+slipgate stuntls serve          # Start StunTLS proxy
 ```
 
 ### Non-Interactive Examples
@@ -168,6 +170,19 @@ sudo slipgate tunnel add \
   --email admin@example.com \
   --decoy-url https://www.wikipedia.org
 
+# StunTLS tunnel (SSH over TLS + WebSocket)
+sudo slipgate tunnel add \
+  --transport stuntls \
+  --tag mytls
+
+# External DNS routing (forward queries to a custom port)
+sudo slipgate tunnel add \
+  --transport external \
+  --tag my-proto \
+  --domain j.example.com
+# → prompts for target UDP port (e.g. 5301)
+# Queries for j.example.com route to 127.0.0.1:5301
+
 # Direct SSH / SOCKS5 transports
 sudo slipgate tunnel add --transport direct-ssh --tag myssh
 sudo slipgate tunnel add --transport direct-socks5 --tag mysocks
@@ -202,7 +217,7 @@ sudo slipgate tunnel share mydnstt
                        │                  │
                        └────────┬─────────┘
                                 │
-              DNS :53/udp ──────┼────── HTTPS :443/tcp
+              DNS :53/udp ──────┼────── HTTPS/TLS :443/tcp
                     │           │           │
 ┌───────────────────┼───────────┼───────────┼──────────────────┐
 │  SERVER           v           │           v                  │
@@ -211,12 +226,13 @@ sudo slipgate tunnel share mydnstt
 │  │      DNS Router        │   │   │     NaiveProxy        │  │
 │  │  domain-based dispatch │   │   │  Caddy + Auto-TLS     │  │
 │  │  single / multi mode   │   │   │  + decoy website      │  │
-│  └──┬────────┬────────┬───┘   │   └───────────┬───────────┘  │
-│     │        │        │       │               │              │
-│     v        v        v       │               │              │
-│  ┌──────┐┌────────┐┌──────┐   │               │              │
-│  │DNSTT ││Slip-   ││VayDNS│   │               │              │
-│  │NoizDN││stream  ││      │   │               │              │
+│  │  + external routing    │   │   └───────────┬───────────┘  │
+│  └──┬────────┬────────┬───┘   │               │              │
+│     │        │        │       │   ┌───────────────────────┐  │
+│     v        v        v       │   │     StunTLS           │  │
+│  ┌──────┐┌────────┐┌──────┐   │   │  SSH over TLS + WS   │  │
+│  │DNSTT ││Slip-   ││VayDNS│   │   │  self-signed cert     │  │
+│  │NoizDN││stream  ││      │   │   └───────────┬───────────┘  │
 │  │──────││────────││──────│   │               │              │
 │  │DNS   ││QUIC    ││KCP   │   │               │              │
 │  │Curve ││TLS cert││Curve │   │               │              │
@@ -255,6 +271,8 @@ sudo slipgate tunnel share mydnstt
 | **Slipstream** | QUIC DNS | 53/udp | QUIC-based tunnel with certificate authentication |
 | **VayDNS** | KCP DNS | 53/udp | KCP-based DNS tunnel with Curve25519 encryption. Supports configurable idle timeout, keepalive, queue size, and multiple DNS record types |
 | **NaiveProxy** | HTTPS | 443/tcp | Caddy with forwardproxy plugin. Auto-TLS via Let's Encrypt. Probe-resistant with decoy site |
+| **StunTLS** | TLS/WSS | 443/tcp | SSH over TLS + WebSocket proxy. Auto-detects WebSocket, HTTP CONNECT, raw TLS, and payload (DPI bypass) modes. Self-signed TLS cert, no domain required |
+| **External** | DNS | 53/udp | Routes DNS queries for a domain to a user-specified UDP port. No managed service — use for custom/private protocol testing |
 
 ### Domain Layout
 

cmd/socks.go

@@ -1,6 +1,8 @@
 package cmd
 
 import (
+	"strings"
+
 	"github.com/anonvector/slipgate/internal/proxy"
 	"github.com/spf13/cobra"
 )
@@ -17,17 +19,35 @@ func init() {
 		RunE: func(cmd *cobra.Command, args []string) error {
 			addr, _ := cmd.Flags().GetString("addr")
 			port, _ := cmd.Flags().GetInt("port")
-			user, _ := cmd.Flags().GetString("user")
-			pass, _ := cmd.Flags().GetString("pass")
-			return proxy.Serve(addr, port, user, pass)
+			credsList, _ := cmd.Flags().GetStringArray("creds")
+
+			// Parse --creds user:pass pairs
+			creds := make(map[string]string)
+			for _, c := range credsList {
+				if i := strings.IndexByte(c, ':'); i > 0 {
+					creds[c[:i]] = c[i+1:]
+				}
+			}
+
+			// Fall back to legacy --user/--pass for single-user compat
+			if len(creds) == 0 {
+				user, _ := cmd.Flags().GetString("user")
+				pass, _ := cmd.Flags().GetString("pass")
+				if user != "" {
+					creds[user] = pass
+				}
+			}
+
+			return proxy.ServeMulti(addr, port, creds)
 		},
 		SilenceUsage:  true,
 		SilenceErrors: true,
 	}
 	serveCmd.Flags().String("addr", "127.0.0.1", "Listen address")
 	serveCmd.Flags().Int("port", 1080, "Listen port")
-	serveCmd.Flags().String("user", "", "Username for auth")
-	serveCmd.Flags().String("pass", "", "Password for auth")
+	serveCmd.Flags().String("user", "", "Username for auth (single user, legacy)")
+	serveCmd.Flags().String("pass", "", "Password for auth (single user, legacy)")
+	serveCmd.Flags().StringArray("creds", nil, "Credentials as user:pass (repeatable)")
 
 	socksCmd.AddCommand(serveCmd)
 	rootCmd.AddCommand(socksCmd)

cmd/stuntls.go

@@ -0,0 +1,36 @@
+package cmd
+
+import (
+	"github.com/anonvector/slipgate/internal/proxy"
+	"github.com/spf13/cobra"
+)
+
+func init() {
+	stuntlsCmd := &cobra.Command{
+		Use:   "stuntls",
+		Short: "Built-in TLS + WebSocket SSH proxy",
+	}
+
+	serveCmd := &cobra.Command{
+		Use:   "serve",
+		Short: "Start the TLS/WebSocket SSH proxy (used by systemd)",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			addr, _ := cmd.Flags().GetString("addr")
+			port, _ := cmd.Flags().GetInt("port")
+			sshAddr, _ := cmd.Flags().GetString("ssh")
+			cert, _ := cmd.Flags().GetString("cert")
+			key, _ := cmd.Flags().GetString("key")
+			return proxy.ServeStunTLS(addr, port, sshAddr, cert, key)
+		},
+		SilenceUsage:  true,
+		SilenceErrors: true,
+	}
+	serveCmd.Flags().String("addr", "0.0.0.0", "Listen address")
+	serveCmd.Flags().Int("port", 443, "Listen port")
+	serveCmd.Flags().String("ssh", "127.0.0.1:22", "SSH backend address")
+	serveCmd.Flags().String("cert", "", "TLS certificate file")
+	serveCmd.Flags().String("key", "", "TLS private key file")
+
+	stuntlsCmd.AddCommand(serveCmd)
+	rootCmd.AddCommand(stuntlsCmd)
+}

install.sh

@@ -30,17 +30,9 @@ OS=$(uname -s | tr '[:upper:]' '[:lower:]')
 
 BINARY="slipgate-${OS}-${ARCH}"
 
-# When fetched from the dev branch, find the latest dev-* pre-release;
-# otherwise use the latest stable release.
-# Can also be overridden: SLIPGATE_RELEASE_TAG=dev-abc1234 bash install.sh
+# Override with: SLIPGATE_RELEASE_TAG=v1.5.1 bash install.sh
 RELEASE_TAG="${SLIPGATE_RELEASE_TAG:-}"
-CHANNEL="dev"  # ← set to "dev" on dev branch, empty on main
-if [[ -z "$RELEASE_TAG" && "$CHANNEL" == "dev" ]]; then
-    {
-        RELEASE_TAG=$(curl -fsSL "https://api.github.com/repos/${REPO}/releases" \
-            | grep -o '"tag_name": *"dev-[^"]*"' | head -1 | cut -d'"' -f4 || true)
-    }
-fi
+CHANNEL=""  # ← set to "dev" on dev branch, empty on main
 
 if [[ -n "$RELEASE_TAG" ]]; then
     URL="https://github.com/${REPO}/releases/download/${RELEASE_TAG}/${BINARY}"

internal/actions/options.go

@@ -2,11 +2,27 @@ package actions
 
 // Shared select options used across multiple actions.
 
+// TransportOptions is the full list shown in `tunnel add`.
 var TransportOptions = []SelectOption{
 	{Value: "dnstt", Label: "DNSTT / NoizDNS — DNS tunnel"},
 	{Value: "slipstream", Label: "Slipstream — QUIC DNS tunnel"},
 	{Value: "vaydns", Label: "VayDNS — KCP DNS tunnel"},
 	{Value: "naive", Label: "NaiveProxy — HTTPS proxy with Caddy"},
+	{Value: "stuntls", Label: "StunTLS — SSH over TLS + WebSocket proxy"},
+	{Value: "external", Label: "External — Route DNS to a custom port"},
+	{Value: "direct-ssh", Label: "SSH — Direct SSH tunnel"},
+	{Value: "direct-socks5", Label: "SOCKS5 — Direct SOCKS5 proxy"},
+}
+
+// InstallTransportOptions is the subset shown in the install/wizard flows.
+// External is excluded because it routes to a user-managed service that
+// wouldn't exist yet during initial setup.
+var InstallTransportOptions = []SelectOption{
+	{Value: "dnstt", Label: "DNSTT / NoizDNS — DNS tunnel"},
+	{Value: "slipstream", Label: "Slipstream — QUIC DNS tunnel"},
+	{Value: "vaydns", Label: "VayDNS — KCP DNS tunnel"},
+	{Value: "naive", Label: "NaiveProxy — HTTPS proxy with Caddy"},
+	{Value: "stuntls", Label: "StunTLS — SSH over TLS + WebSocket proxy"},
 	{Value: "direct-ssh", Label: "SSH — Direct SSH tunnel"},
 	{Value: "direct-socks5", Label: "SOCKS5 — Direct SOCKS5 proxy"},
 }

internal/clientcfg/fields.go

@@ -46,18 +46,30 @@ const (
 	FNoizDNSStealth     = 38 // "0" or "1" (v18)
 	FDNSPayloadSize     = 39 // integer (v18)
 	FSOCKS5ServerPort   = 40 // integer, default 1080 (v18)
-	// v19: VayDNS fields
+	// v19: VayDNS fields (41-44)
 	FVayDNSDnsttCompat  = 41
 	FVayDNSRecordType   = 42
 	FVayDNSMaxQnameLen  = 43
 	FVayDNSRps          = 44
-	// v20: VayDNS advanced
+	// v20: VayDNS advanced (45-49)
 	FVayDNSIdleTimeout  = 45
 	FVayDNSKeepalive    = 46
 	FVayDNSUdpTimeout   = 47
 	FVayDNSMaxNumLabels = 48
 	FVayDNSClientIdSize = 49
-	TotalFields         = 50
+	// v21: SSH over TLS + HTTP proxy + WebSocket (50-58)
+	FSSHTlsEnabled            = 50
+	FSSHTlsSni                = 51
+	FSSHHttpProxyHost         = 52
+	FSSHHttpProxyPort         = 53
+	FSSHHttpProxyCustomHost   = 54
+	FSSHWsEnabled             = 55
+	FSSHWsPath                = 56
+	FSSHWsUseTls              = 57
+	FSSHWsCustomHost          = 58
+	// v22: SSH payload (raw prefix for DPI bypass)
+	FSSHPayload               = 59
+	TotalFields               = 60
 )
 
 // Client modes for DNSTT transport (server is the same, client behavior differs).
@@ -96,6 +108,11 @@ var TunnelTypeMap = map[string]map[string]map[string]string{
 			config.BackendSSH:   "naive_ssh",
 		},
 	},
+	config.TransportStunTLS: {
+		"": {
+			config.BackendSSH: "ssh",
+		},
+	},
 	config.TransportSSH: {
 		"": {
 			config.BackendSSH: "ssh",

internal/clientcfg/generate.go

@@ -30,7 +30,7 @@ func GenerateURI(tunnel *config.TunnelConfig, backend *config.BackendConfig, cfg
 	var fields [TotalFields]string
 
 	// Version and type
-	fields[FVersion] = "20"
+	fields[FVersion] = "22"
 	fields[FTunnelType] = GetTunnelType(tunnel.Transport, tunnel.Backend, opts.ClientMode)
 
 	name := tunnel.Tag
@@ -78,6 +78,14 @@ func GenerateURI(tunnel *config.TunnelConfig, backend *config.BackendConfig, cfg
 	fields[FVayDNSUdpTimeout] = "0"
 	fields[FVayDNSMaxNumLabels] = "0"
 	fields[FVayDNSClientIdSize] = "0"
+	// v21 defaults
+	fields[FSSHTlsEnabled] = "0"
+	fields[FSSHWsEnabled] = "0"
+	fields[FSSHWsPath] = "/"
+	fields[FSSHWsUseTls] = "1"
+	fields[FSSHHttpProxyPort] = "8080"
+	// v22 defaults
+	fields[FSSHPayload] = b64("")
 
 	// Transport-specific
 	switch tunnel.Transport {
@@ -99,8 +107,6 @@ func GenerateURI(tunnel *config.TunnelConfig, backend *config.BackendConfig, cfg
 			} else {
 				fields[FVayDNSRecordType] = "txt"
 			}
-			fields[FVayDNSMaxQnameLen] = "101"
-			fields[FVayDNSRps] = "0"
 			if tunnel.VayDNS.IdleTimeout != "" {
 				fields[FVayDNSIdleTimeout] = durationToSeconds(tunnel.VayDNS.ResolvedIdleTimeout())
 			}
@@ -127,6 +133,19 @@ func GenerateURI(tunnel *config.TunnelConfig, backend *config.BackendConfig, cfg
 			}
 		}
 
+	case config.TransportStunTLS:
+		if tunnel.StunTLS != nil {
+			// StunTLS server accepts raw TLS, WebSocket, HTTP CONNECT, and payload.
+			// Default to WebSocket (most compatible with CDNs and restrictive firewalls).
+			// Only set WebSocket fields — don't also set sshTlsEnabled, which is
+			// a Direct-mode flag and would be dead weight.
+			fields[FDomain] = getServerIP()
+			fields[FSSHPort] = fmt.Sprintf("%d", tunnel.StunTLS.Port)
+			fields[FSSHWsEnabled] = "1"
+			fields[FSSHWsUseTls] = "1"
+			fields[FSSHWsPath] = "/"
+		}
+
 	case config.TransportSSH, config.TransportSOCKS:
 		// Direct transports have no domain — use server IP
 		fields[FDomain] = getServerIP()
@@ -164,7 +183,6 @@ func GenerateURI(tunnel *config.TunnelConfig, backend *config.BackendConfig, cfg
 	return Encode(fields), nil
 }
 
-// durationToSeconds converts a Go duration string (e.g. "10s", "2m") to seconds string.
 func durationToSeconds(d string) string {
 	if d == "" {
 		return "0"

internal/config/tunnel.go

@@ -6,8 +6,10 @@ const (
 	TransportSlipstream = "slipstream"
 	TransportVayDNS     = "vaydns"
 	TransportNaive      = "naive"
+	TransportStunTLS    = "stuntls"
 	TransportSSH        = "direct-ssh"
 	TransportSOCKS      = "direct-socks5"
+	TransportExternal   = "external"
 )
 
 // TunnelConfig defines a single tunnel.
@@ -24,6 +26,7 @@ type TunnelConfig struct {
 	Slipstream *SlipstreamConfig `json:"slipstream,omitempty"`
 	VayDNS     *VayDNSConfig     `json:"vaydns,omitempty"`
 	Naive      *NaiveConfig      `json:"naive,omitempty"`
+	StunTLS    *StunTLSConfig    `json:"stuntls,omitempty"`
 }
 
 // DNSTTConfig holds config for DNSTT transport (serves both DNSTT and NoizDNS clients).
@@ -109,15 +112,29 @@ func (v *VayDNSConfig) ResolvedClientIDSize() int {
 	return v.ClientIDSize
 }
 
+// StunTLSConfig holds config for the TLS + WebSocket SSH proxy transport.
+// Accepts both raw TLS connections (stunnel-style) and WebSocket upgrades,
+// forwarding traffic to the SSH daemon.
+type StunTLSConfig struct {
+	Cert string `json:"cert"` // path to TLS certificate
+	Key  string `json:"key"`  // path to TLS private key
+	Port int    `json:"port"` // listen port (typically 443)
+}
+
 // IsDNSTunnel returns true if the transport uses DNS port 53.
 func (t *TunnelConfig) IsDNSTunnel() bool {
 	switch t.Transport {
-	case TransportDNSTT, TransportSlipstream, TransportVayDNS:
+	case TransportDNSTT, TransportSlipstream, TransportVayDNS, TransportExternal:
 		return true
 	}
 	return false
 }
 
+// HasManagedService returns true if slipgate manages a systemd service for this tunnel.
+func (t *TunnelConfig) HasManagedService() bool {
+	return t.IsDNSTunnel() && t.Transport != TransportExternal
+}
+
 // IsDirectTransport returns true for transports that expose a service directly (no tunnel).
 func (t *TunnelConfig) IsDirectTransport() bool {
 	switch t.Transport {