v2.5.3

SlipNet v2.5.3 — Changelog

DNS Scanner: TCP + Both-Transport Mode

The resolver scanner can now scan over plain TCP DNS as well as UDP, and a new Both mode probes each resolver on UDP and TCP in parallel:

• Per-resolver result tells you which transports actually work — many ISPs poison UDP/53 but leave TCP/53 alone (or vice versa).
• After a Both-mode scan, the result list emits a recommended transport hint (UDP, TCP, or MIXED) for the resolvers you select. Picking "Apply" auto-flips the profile's dnsTransport field; a MIXED selection surfaces a snackbar asking you to pick one explicitly.
• Profile editor surfaces the recommended transport so you don't have to remember which scan produced it.

---

Resolver TCP Pre-flight (Android)

Before the native bridge starts, the app now probes each TCP / DoT resolver in parallel with a TCP-connect (8 s budget per resolver — tuned for Iran cellular, where SYN retransmit + DPI + lossy 4G can stack to several seconds even on a healthy resolver) and drops the unresponsive ones. If every probe fails the original list is passed through unchanged so the bridge can surface the real error.

This eliminates the case where a single dead resolver in the list stalled connection setup while the native side waited on its timeout.

---

VLESS: Single SNI Field

The VLESS profile editor used to conflate "real SNI" and "DPI-evasion SNI override" into one fakeSni field, which made the editor confusing — particularly when the CDN cert hostname differed from the WebSocket Host header.

• A new vlessSni field replaces fakeSni for VLESS. Empty falls back to the WS Host (the [domain]); set explicitly when the cert hostname is different, or — against a server you control — to any decoy string for DPI evasion.
• Matches V2Ray / Xray's streamSettings.tlsSettings.serverName semantics 1-to-1.
• An automatic schema migration (DB v39, config v28) moves the value out of the legacy column on first launch — existing profiles keep working without re-import.

---

Tunnel Chaining Plumbing

SnowflakeBridge and DohBridge accept an optional upstream SOCKS5 address so layers can stack — e.g. DoH-over-Tor, where the Snowflake/Tor layer below provides a local SOCKS5 endpoint and the DoH bridge above tunnels its HTTPS through it.

• All DoH HTTPS connections and TCP CONNECT passthroughs route through the upstream SOCKS5 when set.
• For Snowflake: chaining works with obfs4 / meek_lite / webtunnel bridge lines (lyrebird honors TOR_PT_PROXY); the built-in Snowflake PT cannot proxy itself, so it skips the upstream.

---

Smaller Tor Binary

libtor.so rebuilt with a tighter feature flag set:

• arm64 — 9.26 MB → 8.65 MB (~7% smaller)
• armv7 — 7.61 MB → 5.40 MB (~29% smaller)

Reproducible via the new tools/build-tor.sh.

---

User Guide

EN and FA user guides ship with the repo (docs/SlipNet_User_Guide_EN.pdf, docs/SlipNet_User_Guide_FA.pdf, plus the markdown source docs/USER_GUIDE.md).

---

Other Changes

• Per-profile Real Ping — each profile's overflow menu now has a Real Ping action that runs the full tunnel handshake against just that profile, instead of having to ping the whole list. While a per-profile ping is in flight, the row's spinner reflects it.
• VLESS profile rows now show a dedicated VLESS icon in the profile list.
• dnsPayloadSize default changed from 100 → 0 (full KCP capacity). Profiles created before v2.5.3 keep their stored value; only newly created profiles see the new default.

---

Fixes

• CLI _ssh profiles no longer fail silently when SSH credentials are missing — surfaces a clear error instead of crashing during the SSH handshake.
• Reconnect loop in the CLI no longer leaks the previous SSH layer when the tunnel restarts.

v2.5.2

SlipNet v2.5.2 — Changelog

New Tunnel: VLESS over CDN

• VLESS over WebSocket through any CDN IP (Cloudflare tested). Routes UUID + raw TCP payload through the CDN edge to your server.
• WebSocket is the only transport currently exposed in the UI — importing a VLESS URI with a non-WebSocket transport (tcp, grpc, kcp, etc.) surfaces a warning and is skipped.
• Reality URIs are accepted but downgraded to plain TLS; XTLS-Vision flows are silently ignored. (A raw-TCP VLESS path exists inside the bridge for future use but is not reachable from the profile editor or the URI importer.)
• Built-in local SOCKS5 front — works in both VPN and proxy-only modes.

---

SNI Fragmentation (DPI Bypass)

Six strategies (selectable per profile):

• Micro ★★ — 1 byte per TLS record + forced TCP MSS cap. Strongest against reassembling DPI; reduces post-handshake throughput.
• Multi ★ — 16–40 byte TLS records with random jitter. Balanced stealth and speed.
• Disorder ★ — TTL-bombs the first half so packets arrive out of order. Defeats in-order reassembly DPI.
• Fake — Sends a decoy ClientHello (custom hostname) with low TTL; kernel retransmit delivers the real one after DPI decision.
• SNI Split — Classic byte-split inside the SNI hostname. Low overhead.
• Half — Splits the ClientHello in half. Fallback when SNI location cannot be parsed.

Advanced options (Profile Editor):

• Decoy Hostname (Fake) — Any allowed SNI (default: www.google.com). Truncated or space-padded to match real hostname length.
• Decoy TTL (Fake / Disorder) — 1–64 hops. Must expire between local DPI and CDN edge.
• Fragment Delay — ~50 ms (normal networks), 300–500 ms (aggressive DPI).
• Force TCP MSS — 0 = auto (Micro / padding only), 40–1400 = explicit cap, negative = disabled.
• ClientHello Padding — Micro-fragments every byte (~6× overhead).
• TLS SNI Override — Replace handshake SNI (domain fronting).
• WS Header Obfuscation — Browser-like randomized WebSocket upgrade headers.
• WS Cover Traffic — Random-size ping frames during relay.

---

Locked profiles

• VayDNS advanced settings are now editable on locked profiles. The full block (Response Record Type, Query Length, Query Rate Limit, Idle Timeout, Keepalive, UDP Timeout) renders in the locked-profile editor, so users can tune wire-level DNS behavior without needing the unlocked config. Core connection fields (server, UUID, resolvers) remain locked.

Server Reachability & Profile Sorting

• Sort by ping — Reorders profiles by latency (fastest first). Failed profiles sink to bottom; order persists.
• Improved DNS-tunnel testing (DNSTT, NoizDNS, VayDNS + SSH):
  • Iterates resolvers sequentially; fails only if all fail or time budget is exhausted.
  • Hard timeout prevents slow profiles from blocking the entire test.
  • Uses isolated ephemeral tunnel clients (unique ports) instead of shared bridges → fixes Bridge start failed / port collisions.
  • Stops after tunnel handshake (Noise + KCP + smux + SOCKS5 / SSH banner). Avoids false negatives from external fetch checks.
• VLESS testing now targets CDN edge directly (cdnIp:cdnPort) to match real TLS/WS behavior.

---

Fixes

• VayDNS / VayDNS+SSH traffic stats now update correctly in proxy-only mode (previously stuck at 0).

v2.5.0

v2.5.0 (Stable)

VayDNS Support

• New tunnel type: VayDNS and VayDNS + SSH
• Full VayDNS configuration: record type, QNAME length, RPS limit, DNSTT compat mode, idle timeout, keepalive, UDP timeout, max labels, client ID size
• VayDNS support in CLI with all options as flags

SSH Transport Enhancements

• SSH over TLS: wrap SSH connections in TLS for firewall bypass and domain fronting
• SSH over WebSocket: tunnel SSH through WebSocket connections (for CDN facades, xray, etc.)
• SSH over HTTP CONNECT proxy: route SSH through HTTP proxies
• SSH raw payload injection for DPI bypass
• Custom SNI hostname for TLS and WebSocket connections

DNS Scanner

• Dedicated E2E (end-to-end) scanner: test real tunnel connectivity through each resolver
• Run up to 10 E2E scans simultaneously for faster results
• CLI: --e2e-only mode and --e2e-concurrency flag

Multi-Resolver Mode

• New resolver modes: Fast (round-robin) and Reliable (fanout)
• Round-robin spread count: control how many resolvers each query is sent to (1–5)
• CLI: --resolver-mode fast|reliable and --spread-count N

Proxy Authentication

• New local proxy authentication setting for securing the SOCKS5 proxy
• Username/password protection prevents other apps from using the proxy without credentials
• Disabled by default

CLI Improvements

• Native SSH tunneling with TLS wrapping, WebSocket, HTTP CONNECT proxy, and raw payload support
• VayDNS tunnel support with all advanced options
• --spread-count flag for round-robin spread count override
• Locked config support: domain hidden, username shown
• Interactive mode respects locked config redaction

Other Changes

• Fix scanner race conditions
• Notification traffic speed toggle
• Friendly error messages for VayDNS UI
• Increase tunnel timeouts and filter IPv4-only DNS resolvers
• Fix traffic speed mismatch
• SSH retry improvements
• DPI tuning for NoizDNS

v2.5.0-beta2

v2.5.0-beta2

New Features

• VayDNS tunnel support — new tunnel type with full mobile bridge, configurable idle timeout, keepalive, UDP timeout, max payload, record type, RPS
  limit, and max label count
• SSH auto-retry — automatic 3-attempt retry for SSH connections over DNSTT, NoizDNS, and Slipstream tunnels
• Friendly error messages — raw Java/Go exceptions mapped to user-readable messages (timeouts, connection refused, etc.)
• Notification traffic counter setting — toggle traffic stats in the VPN notification

Bug Fixes

• Fix scanner E2E result persistence race condition (emitState CAS overwrite)
• Fix duplicate LazyColumn key crash in scan results
• Fix scan results back navigation responsiveness (throttle UI updates)
• Fix E2E results disappearing in prism mode
• Fix traffic speed mismatch between notification and UI (single source of truth, time-normalized)
• Fix scanner back button not stopping scan
• Preserve user's timeout when generating resolver lists
• Filter IPv4-only DNS resolvers to avoid IPv6 issues
• Fix SlipstreamBridge crash on disconnect (WeakReference → strong reference)
• Async onCleared to avoid blocking main thread on navigation

Improvements

• Move DNS resolver field higher in edit profile screen
• Open new profile bottom sheet fully expanded
• Increase SOCKS handshake and SSH connect timeouts for slow DNS tunnels

v2.4.4

v2.4.4 Changelog (since v2.4.1)

DoH Transport

• Added connection health check: automatically resets TLS after 5 consecutive failures
• Added send error backoff (2s) to prevent queue drain during outages
• Removed Cloudflare 1.1.1.1 IP-based DoH preset (TLS SNI incompatible)
• Fixed DoH URL hostname resolution that was breaking TLS handshakes

DNS Scanner

• Background scanning now survives navigating away from the screen
• E2E progress, active resolvers, and counts sync correctly across screen recreation
• Fixed stop + continue resetting working count to zero
• Fixed E2E re-testing all resolvers instead of resuming from where it left off
• Fixed E2E counter stuck at 0/N in advanced mode
• Fixed DNS results disappearing when starting E2E test
• Fixed notification tap pushing duplicate screens onto backstack
• Fixed fresh scan not clearing stale E2E state
• Back button now properly stops all scanning
• HTTP/SSH verification label corrected (was inverted), defaults to off
• Wake lock extended from 60 minutes to 4 hours for long scans

Networking & Tunnels

• Fixed divide-by-zero crash in DNS worker pool (race condition on pool size)
• Event-driven DNS pool death detection for faster reconnect
• DNS circuit breaker added to SSH tunnel
• DNS worker recreation respects circuit breaker to prevent spam loops
• Seamless reconnect bumped to 3 attempts, first delay shortened to 1s
• Fixed SSH channel semaphore stalling connections
• Always restart tun2socks on network change for reliable recovery
• Fixed DNS worker idle timeout with active keepalive

Profiles & Settings

• Upload/download speed limiter — configurable bandwidth caps per tunnel
• Global DNS resolver override in settings
• Fixed IPv6 resolver input corruption, blocked IPv6 (not supported)
• IP validation added to DNS resolver dialogs
• Split-tunnel defaults to allow mode
• Resolver deduplication
• SSH rate limiting
• Max channels warning when exceeding DNS tunnel safe limit
• Default SOCKS5 port changed from 1080 to 10880 (avoids conflicts with common apps)

UI & Notifications

• Reconnect button added to VPN notification
• Fixed notification reordering on Xiaomi/MIUI
• Pinned VPN notification position
• Clipboard support for config import/export
• Ping servers option in profile list menu
• Clear ping results option
• Distinct DNS icons, 8-resolver limit with global override banner

Other

• Slipstream error reporting improvements

v2.4.1

v2.4.1

New Features

• Pin profiles — Pin your favorite configs to the top of the profile list. Tap the 3-dot menu on any profile and select "Pin to top". Pinned profiles show a pin icon next to their name.
• Ping Servers — New lightweight "Ping Servers" option in the top bar menu. Does a simple TCP ping to check server reachability without establishing a tunnel. Works with all profile types including DOH and
  DNS-tunneled profiles (pings the resolver).
• Profile overflow menu — Edit, Share, Export, QR Code, and Pin actions are now consolidated into a clean 3-dot menu per profile.

NoizDNS

• Revert back changes

Android

• Add 5-second grace period to ignore spurious network changes after connection
• Remove stealth mode query size override from UI
• Update Snowflake to v2.12.1

CLI

• Remove --query-padding flag

Full Changelog: v2.4...v2.4.1

v2.4

SlipNet v2.4 — Changelog (since v2.3.2)

Prism Scanner

• Nonce-encoded response size — desired response size is now embedded in the probe nonce, bypassing resolver EDNS0 rewriting that silently broke sub-1232 sizes
• E2E tunnel testing — Prism mode now supports E2E tests on verified resolvers, same as Advanced mode
• Early exit on pass threshold — probes stop as soon as the threshold is reached instead of sending all remaining
• Default probes reduced from 20 to 10 (threshold 5) for faster scanning with early exit
• Response size default changed to 0 (server default) instead of hardcoded 1232
• Prism settings UI — split into two rows for better readability
• Note: Prism scan requires a server running https://github.com/anonvector/slipgate — it uses HMAC-authenticated probes that only SlipGate recognizes and responds to

DNS Scanner

• "All working" toggle added to Advanced and Prism results to filter between E2E-passed and all working resolvers
• "Load Last Scan IPs" fix — previously reloaded the full 58K default list instead of the saved IPs
• Button overlap fix — "Load Last Scan IPs" hidden when IR DNS/Country/Custom panels are open
• Empty resolver scanning — users can now open the scanner without filling in the DNS resolver field first
• E2E timeout default fixed from 7s to 15s
• E2E sort order — E2E tests now run in the order the results list is sorted (speed, prism score, etc.)

Hidden Resolvers

• Persistent defaults — original hidden resolvers are preserved in a separate DB field so users can switch back after setting custom resolvers
• DNS query size — now saved during profile export and configurable even on locked profiles

VPN & Connectivity

• Proxy chain support — chain multiple VPN profiles together (e.g., DNSTT → SSH → SOCKS5) for layered tunneling
• SOCKS5 proxy tunnel type — connect through external SOCKS5 proxies
• SOCKS5 auth injection fixed for SSH tunnel types
• DNS tunneling fix for Chinese OEM phones (Xiaomi, Poco, Huawei)

CLI

• Interactive menu — new TUI for managing profiles, scanning, and connecting without memorizing flags
• Add --query-size and --query-padding flags for DNS query size control
• SSH tunnel and SOCKS5 support added
• E2E tunnel testing with configurable concurrency and timeout
• Embedded resolver list for standalone scanning
• UPX compression for Linux/macOS binaries

Android

• Fix DNS tunneling on Chinese OEM phones (Xiaomi, Poco, Huawei)
• x86_64 architecture support added
• Quick Settings tile — long-press now opens the app (Android 13+)
• Scan foreground service for reliable background scanning

Full Changelog: v2.3.2...v2.4

Full Changelog: v2.3.2...v2.4

v2.3.2

Full Changelog: v2.3.1...v2.3.2
v2.3.2

Bug Fixes

• DoH custom URL test: Fixed an issue where the "Custom" test button silently skipped URLs that matched a preset DoH server. Custom tests now scan all user-entered URLs regardless of whether they appear in the presets list.
• Updated NoizDNS

Full Changelog: v2.3.1...v2.3.2

v2.3.1

v2.3.1

Stealth Improvements

• Improved encoding to enhance DPI resistance
  (server-side binary files must be updated)
• Added toggle to display the working DNS resolver in Simple Scanning Mode
• Added support for scanning DNS servers on ports other than 53
• Added ability to use a domain name as a DNS resolver

CLI

• SlipNet CLI now supports NoizDNS profiles
• Switched to the noizdns library

Fixes

• Fixed E2E scan crash
• Fixed HTTP proxy reliability issues
• Improved connection warning detection (faster + clearer message)
• Improved traffic statistics accuracy

Pull Requests

• Fix HTTP proxy reliability issues by @anonvector
  #61

---

Full Changelog
v2.3...v2.3.1

What's Changed

• v2.3.1: Fix HTTP proxy reliability issues by @anonvector in #61

Full Changelog: v2.3...v2.3.1

v2.3

What's Changed

• Parallel E2E scanning — end-to-end tunnel tests now run concurrently for faster resolver evaluation for DNSTT/NoizDNS
• Hidden DNS resolvers — profile creators can now hide resolver addresses from users, preventing exposure of DNS server
  infrastructure
• Add cross-platform CLI client for macOS, Linux, and Windows by @mirzaaghazadeh in #52
• Fix Android boot, widget, and reconnect flows by @yappologistic in #48
• Fix E2E test SSH variant detection for NoizDNS_SSH profiles by @anonvector in #49
• DNS payload size, scanner overhaul, bridge and resolver updates by @anonvector in #55
• Faster broken connection detection — SOCKS profiles (SSH/Naive) now detect failures in ~30s instead of ~120s
• Scanner UI overhaul — sortable E2E results, collapsible search, background scanning, neighbor toggle

New Contributors

• @yappologistic made their first contribution in #48
• @mirzaaghazadeh made their first contribution in #52

Full Changelog: v2.2.3...v2.3