v0.0.18
Release Notes
What's New
Access Control
- Encryption passphrase (--key): for reading — share with trusted friends
- Remote management (--allow-manage on server): enables send/channel management — disabled by default
- If --allow-manage is not set on the server, send and admin features are completely disabled
- Client --password now protects ALL web endpoints with global HTTP Basic Auth
Channel Management
- Add/remove Telegram channels remotely via admin commands through DNS
- Channel management UI in the web frontend (requires --allow-manage)
- List/refresh channel configuration from the browser
Send Messages
- Send messages to Telegram channels and private chats through the DNS tunnel
- Full-stack implementation: client web UI → DNS query → server → Telegram API
- GCM-encrypted message data split into DNS labels
- Telegram RandomID fix — sending to own channels now works correctly
Message Compression
- Deflate compression reduces the number of DNS queries needed
- Backward compatible — clients auto-detect compressed vs raw data
- 1-byte compression header (0x00=raw, 0x01=deflate)
Web UI Password
- Protect the web UI with --password flag
- HTTP Basic Auth on all endpoints (constant-time comparison)
- Empty password = no authentication (default)
Web UI Overhaul
- Channel type badges (Private / Public)
- New message indicator badges
- Next-fetch countdown timer
- Send message panel (when Telegram is connected)
- Media type tag highlighting ([IMAGE], [VIDEO], [DOCUMENT])
- Channels grouped by type in sidebar
- Telegram connection warning banner
- Debug mode enabled by default
- Footer with GitHub link
Android Support
- android/arm64 build target for Termux
- UPX compression for smaller binaries
Edit Detection
- Detects message edits even when message count stays the same
- CRC32 content hash per channel transmitted in metadata
- Client skips refresh only when both message ID and content hash match
No-Telegram Mode
- Server --no-telegram flag for users who can't or don't want to sign in to Telegram
- Reads public channels without needing Telegram API credentials or phone number
- Safer: no credentials stored on the server
- Install script supports no-Telegram setup (recommended by default)
Install Script Improvements
- Telegram mode selection during install (no-Telegram recommended by default)
- Update flow: option to switch between Telegram and no-Telegram modes
- Easy one-liner curl commands for update and uninstall
- Passphrase sharing warning: anyone with your passphrase can read your messages
Protocol Improvements
- Variable block sizes (400-700 bytes) for anti-DPI
- DNS noise queries at random intervals (10-30s)
- Metadata expansion: NextFetch, TelegramLoggedIn, ChatType, CanSend
- Block retry on transient DNS failures
Security Hardening
- HTTP server timeouts (read: 30s, write: 60s, idle: 120s)
- DNS query name length validation for send messages
- Generic error responses (no internal error leakage)
- Constant-time password comparison
⚠️ Never share your passphrase publicly — anyone with it can run their own client and read all your messages. --password only protects the web UI on your machine
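The Web UI Password and Security Hardening items above (Basic Auth on every endpoint, constant-time comparison, generic errors, server timeouts), sketched in Go as an added example; this is not the project's own code. Assumptions: the choice of Go, the names basicAuth, newServer, ui and probe, ignoring the username, and hashing both values with SHA-256 before comparing.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// basicAuth guards every route; an empty password disables it (the default).
func basicAuth(password string, next http.Handler) http.Handler {
	if password == "" {
		return next
	}
	want := sha256.Sum256([]byte(password))
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, pass, ok := r.BasicAuth() // assumption: the username is ignored
		got := sha256.Sum256([]byte(pass)) // equal lengths: ConstantTimeCompare exits early otherwise
		if !ok || subtle.ConstantTimeCompare(got[:], want[:]) != 1 {
			w.Header().Set("WWW-Authenticate", `Basic realm="web ui"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized) // generic body
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newServer applies the read/write/idle timeouts listed in the notes.
func newServer(addr, password string, h http.Handler) *http.Server {
	return &http.Server{Addr: addr, Handler: basicAuth(password, h),
		ReadTimeout: 30 * time.Second, WriteTimeout: 60 * time.Second, IdleTimeout: 120 * time.Second}
}

// ui is a constructed stand-in for the real web UI routes.
var ui = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "ok") })
// probe sends one in-memory request with the given password and returns the status.
func probe(h http.Handler, pass string) int {
	req := httptest.NewRequest("GET", "/", nil)
	req.SetBasicAuth("any", pass)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() { // constructed address and password; prints 401 for a wrong guess
	fmt.Println(probe(newServer("127.0.0.1:8080", "example-password", ui).Handler, "wrong"))
}
```

Wrapping the top-level handler, rather than individual routes, is what makes the password cover all endpoints, including any added later.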
Other Improvements
- Auto-open browser on client start
- Server next-fetch timer in protocol metadata
- Skip refresh when no new messages
- Prevent duplicate channel fetches
- Handle invalid passphrase errors gracefully
- Default rate limit: 5 QPS
- Configurable DNS timeout
- Persian README (README-FA.md)
Full Changelog: v0.0.17...v0.0.18