v2.5.2

SlipNet v2.5.2 — Changelog

New Tunnel: VLESS over CDN

• VLESS over WebSocket through any CDN IP (Cloudflare tested). Routes UUID + raw TCP payload through the CDN edge to your server.
• WebSocket is the only transport currently exposed in the UI — importing a VLESS URI with a non-WebSocket transport (tcp, grpc, kcp, etc.) surfaces a warning and is skipped.
• Reality URIs are accepted but downgraded to plain TLS; XTLS-Vision flows are silently ignored. (A raw-TCP VLESS path exists inside the bridge for future use but is not reachable from the profile editor or the URI importer.)
• Built-in local SOCKS5 front — works in both VPN and proxy-only modes.

---

SNI Fragmentation (DPI Bypass)

Six strategies (selectable per profile):

• Micro ★★ — 1 byte per TLS record + forced TCP MSS cap. Strongest against reassembling DPI; reduces post-handshake throughput.
• Multi ★ — 16–40 byte TLS records with random jitter. Balanced stealth and speed.
• Disorder ★ — TTL-bombs the first half so packets arrive out of order. Defeats in-order reassembly DPI.
• Fake — Sends a decoy ClientHello (custom hostname) with low TTL; kernel retransmit delivers the real one after DPI decision.
• SNI Split — Classic byte-split inside the SNI hostname. Low overhead.
• Half — Splits the ClientHello in half. Fallback when SNI location cannot be parsed.

Advanced options (Profile Editor):

• Decoy Hostname (Fake) — Any allowed SNI (default: www.google.com). Truncated or space-padded to match real hostname length.
• Decoy TTL (Fake / Disorder) — 1–64 hops. Must expire between local DPI and CDN edge.
• Fragment Delay — ~50 ms (normal networks), 300–500 ms (aggressive DPI).
• Force TCP MSS — 0 = auto (Micro / padding only), 40–1400 = explicit cap, negative = disabled.
• ClientHello Padding — Micro-fragments every byte (~6× overhead).
• TLS SNI Override — Replace handshake SNI (domain fronting).
• WS Header Obfuscation — Browser-like randomized WebSocket upgrade headers.
• WS Cover Traffic — Random-size ping frames during relay.

---

Locked profiles

• VayDNS advanced settings are now editable on locked profiles. The full block (Response Record Type, Query Length, Query Rate Limit, Idle Timeout, Keepalive, UDP Timeout) renders in the locked-profile editor, so users can tune wire-level DNS behavior without needing the unlocked config. Core connection fields (server, UUID, resolvers) remain locked.

Server Reachability & Profile Sorting

• Sort by ping — Reorders profiles by latency (fastest first). Failed profiles sink to bottom; order persists.
• Improved DNS-tunnel testing (DNSTT, NoizDNS, VayDNS + SSH):
  • Iterates resolvers sequentially; fails only if all fail or time budget is exhausted.
  • Hard timeout prevents slow profiles from blocking the entire test.
  • Uses isolated ephemeral tunnel clients (unique ports) instead of shared bridges → fixes Bridge start failed / port collisions.
  • Stops after tunnel handshake (Noise + KCP + smux + SOCKS5 / SSH banner). Avoids false negatives from external fetch checks.
• VLESS testing now targets CDN edge directly (cdnIp:cdnPort) to match real TLS/WS behavior.

---

Fixes

• VayDNS / VayDNS+SSH traffic stats now update correctly in proxy-only mode (previously stuck at 0).

v2.5.0

v2.5.0 (Stable)

VayDNS Support

• New tunnel type: VayDNS and VayDNS + SSH
• Full VayDNS configuration: record type, QNAME length, RPS limit, DNSTT compat mode, idle timeout, keepalive, UDP timeout, max labels, client ID size
• VayDNS support in CLI with all options as flags

SSH Transport Enhancements

• SSH over TLS: wrap SSH connections in TLS for firewall bypass and domain fronting
• SSH over WebSocket: tunnel SSH through WebSocket connections (for CDN facades, xray, etc.)
• SSH over HTTP CONNECT proxy: route SSH through HTTP proxies
• SSH raw payload injection for DPI bypass
• Custom SNI hostname for TLS and WebSocket connections

DNS Scanner

• Dedicated E2E (end-to-end) scanner: test real tunnel connectivity through each resolver
• Run up to 10 E2E scans simultaneously for faster results
• CLI: --e2e-only mode and --e2e-concurrency flag

Multi-Resolver Mode

• New resolver modes: Fast (round-robin) and Reliable (fanout)
• Round-robin spread count: control how many resolvers each query is sent to (1–5)
• CLI: --resolver-mode fast|reliable and --spread-count N

Proxy Authentication

• New local proxy authentication setting for securing the SOCKS5 proxy
• Username/password protection prevents other apps from using the proxy without credentials
• Disabled by default

CLI Improvements

• Native SSH tunneling with TLS wrapping, WebSocket, HTTP CONNECT proxy, and raw payload support
• VayDNS tunnel support with all advanced options
• --spread-count flag for round-robin spread count override
• Locked config support: domain hidden, username shown
• Interactive mode respects locked config redaction

Other Changes

• Fix scanner race conditions
• Notification traffic speed toggle
• Friendly error messages for VayDNS UI
• Increase tunnel timeouts and filter IPv4-only DNS resolvers
• Fix traffic speed mismatch
• SSH retry improvements
• DPI tuning for NoizDNS

v2.5.0-beta2

v2.5.0-beta2

New Features

• VayDNS tunnel support — new tunnel type with full mobile bridge, configurable idle timeout, keepalive, UDP timeout, max payload, record type, RPS
  limit, and max label count
• SSH auto-retry — automatic 3-attempt retry for SSH connections over DNSTT, NoizDNS, and Slipstream tunnels
• Friendly error messages — raw Java/Go exceptions mapped to user-readable messages (timeouts, connection refused, etc.)
• Notification traffic counter setting — toggle traffic stats in the VPN notification

Bug Fixes

• Fix scanner E2E result persistence race condition (emitState CAS overwrite)
• Fix duplicate LazyColumn key crash in scan results
• Fix scan results back navigation responsiveness (throttle UI updates)
• Fix E2E results disappearing in prism mode
• Fix traffic speed mismatch between notification and UI (single source of truth, time-normalized)
• Fix scanner back button not stopping scan
• Preserve user's timeout when generating resolver lists
• Filter IPv4-only DNS resolvers to avoid IPv6 issues
• Fix SlipstreamBridge crash on disconnect (WeakReference → strong reference)
• Async onCleared to avoid blocking main thread on navigation

Improvements

• Move DNS resolver field higher in edit profile screen
• Open new profile bottom sheet fully expanded
• Increase SOCKS handshake and SSH connect timeouts for slow DNS tunnels

v2.4.4

v2.4.4 Changelog (since v2.4.1)

DoH Transport

• Added connection health check: automatically resets TLS after 5 consecutive failures
• Added send error backoff (2s) to prevent queue drain during outages
• Removed Cloudflare 1.1.1.1 IP-based DoH preset (TLS SNI incompatible)
• Fixed DoH URL hostname resolution that was breaking TLS handshakes

DNS Scanner

• Background scanning now survives navigating away from the screen
• E2E progress, active resolvers, and counts sync correctly across screen recreation
• Fixed stop + continue resetting working count to zero
• Fixed E2E re-testing all resolvers instead of resuming from where it left off
• Fixed E2E counter stuck at 0/N in advanced mode
• Fixed DNS results disappearing when starting E2E test
• Fixed notification tap pushing duplicate screens onto backstack
• Fixed fresh scan not clearing stale E2E state
• Back button now properly stops all scanning
• HTTP/SSH verification label corrected (was inverted), defaults to off
• Wake lock extended from 60 minutes to 4 hours for long scans

Networking & Tunnels

• Fixed divide-by-zero crash in DNS worker pool (race condition on pool size)
• Event-driven DNS pool death detection for faster reconnect
• DNS circuit breaker added to SSH tunnel
• DNS worker recreation respects circuit breaker to prevent spam loops
• Seamless reconnect bumped to 3 attempts, first delay shortened to 1s
• Fixed SSH channel semaphore stalling connections
• Always restart tun2socks on network change for reliable recovery
• Fixed DNS worker idle timeout with active keepalive

Profiles & Settings

• Upload/download speed limiter — configurable bandwidth caps per tunnel
• Global DNS resolver override in settings
• Fixed IPv6 resolver input corruption, blocked IPv6 (not supported)
• IP validation added to DNS resolver dialogs
• Split-tunnel defaults to allow mode
• Resolver deduplication
• SSH rate limiting
• Max channels warning when exceeding DNS tunnel safe limit
• Default SOCKS5 port changed from 1080 to 10880 (avoids conflicts with common apps)

UI & Notifications

• Reconnect button added to VPN notification
• Fixed notification reordering on Xiaomi/MIUI
• Pinned VPN notification position
• Clipboard support for config import/export
• Ping servers option in profile list menu
• Clear ping results option
• Distinct DNS icons, 8-resolver limit with global override banner

Other

• Slipstream error reporting improvements

v2.4.1

v2.4.1

New Features

• Pin profiles — Pin your favorite configs to the top of the profile list. Tap the 3-dot menu on any profile and select "Pin to top". Pinned profiles show a pin icon next to their name.
• Ping Servers — New lightweight "Ping Servers" option in the top bar menu. Does a simple TCP ping to check server reachability without establishing a tunnel. Works with all profile types including DOH and
  DNS-tunneled profiles (pings the resolver).
• Profile overflow menu — Edit, Share, Export, QR Code, and Pin actions are now consolidated into a clean 3-dot menu per profile.

NoizDNS

• Revert back changes

Android

• Add 5-second grace period to ignore spurious network changes after connection
• Remove stealth mode query size override from UI
• Update Snowflake to v2.12.1

CLI

• Remove --query-padding flag

Full Changelog: v2.4...v2.4.1

v2.4

SlipNet v2.4 — Changelog (since v2.3.2)

Prism Scanner

• Nonce-encoded response size — desired response size is now embedded in the probe nonce, bypassing resolver EDNS0 rewriting that silently broke sub-1232 sizes
• E2E tunnel testing — Prism mode now supports E2E tests on verified resolvers, same as Advanced mode
• Early exit on pass threshold — probes stop as soon as the threshold is reached instead of sending all remaining
• Default probes reduced from 20 to 10 (threshold 5) for faster scanning with early exit
• Response size default changed to 0 (server default) instead of hardcoded 1232
• Prism settings UI — split into two rows for better readability
• Note: Prism scan requires a server running https://github.com/anonvector/slipgate — it uses HMAC-authenticated probes that only SlipGate recognizes and responds to

DNS Scanner

• "All working" toggle added to Advanced and Prism results to filter between E2E-passed and all working resolvers
• "Load Last Scan IPs" fix — previously reloaded the full 58K default list instead of the saved IPs
• Button overlap fix — "Load Last Scan IPs" hidden when IR DNS/Country/Custom panels are open
• Empty resolver scanning — users can now open the scanner without filling in the DNS resolver field first
• E2E timeout default fixed from 7s to 15s
• E2E sort order — E2E tests now run in the order the results list is sorted (speed, prism score, etc.)

Hidden Resolvers

• Persistent defaults — original hidden resolvers are preserved in a separate DB field so users can switch back after setting custom resolvers
• DNS query size — now saved during profile export and configurable even on locked profiles

VPN & Connectivity

• Proxy chain support — chain multiple VPN profiles together (e.g., DNSTT → SSH → SOCKS5) for layered tunneling
• SOCKS5 proxy tunnel type — connect through external SOCKS5 proxies
• SOCKS5 auth injection fixed for SSH tunnel types
• DNS tunneling fix for Chinese OEM phones (Xiaomi, Poco, Huawei)

CLI

• Interactive menu — new TUI for managing profiles, scanning, and connecting without memorizing flags
• Add --query-size and --query-padding flags for DNS query size control
• SSH tunnel and SOCKS5 support added
• E2E tunnel testing with configurable concurrency and timeout
• Embedded resolver list for standalone scanning
• UPX compression for Linux/macOS binaries

Android

• Fix DNS tunneling on Chinese OEM phones (Xiaomi, Poco, Huawei)
• x86_64 architecture support added
• Quick Settings tile — long-press now opens the app (Android 13+)
• Scan foreground service for reliable background scanning

Full Changelog: v2.3.2...v2.4

Full Changelog: v2.3.2...v2.4

v2.3.2

Full Changelog: v2.3.1...v2.3.2
v2.3.2

Bug Fixes

• DoH custom URL test: Fixed an issue where the "Custom" test button silently skipped URLs that matched a preset DoH server. Custom tests now scan all user-entered URLs regardless of whether they appear in the presets list.
• Updated NoizDNS

Full Changelog: v2.3.1...v2.3.2

v2.3.1

v2.3.1

Stealth Improvements

• Improved encoding to enhance DPI resistance
  (server-side binary files must be updated)
• Added toggle to display the working DNS resolver in Simple Scanning Mode
• Added support for scanning DNS servers on ports other than 53
• Added ability to use a domain name as a DNS resolver

CLI

• SlipNet CLI now supports NoizDNS profiles
• Switched to the noizdns library

Fixes

• Fixed E2E scan crash
• Fixed HTTP proxy reliability issues
• Improved connection warning detection (faster + clearer message)
• Improved traffic statistics accuracy

Pull Requests

• Fix HTTP proxy reliability issues by @anonvector
  #61

---

Full Changelog
v2.3...v2.3.1

What's Changed

• v2.3.1: Fix HTTP proxy reliability issues by @anonvector in #61

Full Changelog: v2.3...v2.3.1

v2.3

What's Changed

• Parallel E2E scanning — end-to-end tunnel tests now run concurrently for faster resolver evaluation for DNSTT/NoizDNS
• Hidden DNS resolvers — profile creators can now hide resolver addresses from users, preventing exposure of DNS server
  infrastructure
• Add cross-platform CLI client for macOS, Linux, and Windows by @mirzaaghazadeh in #52
• Fix Android boot, widget, and reconnect flows by @yappologistic in #48
• Fix E2E test SSH variant detection for NoizDNS_SSH profiles by @anonvector in #49
• DNS payload size, scanner overhaul, bridge and resolver updates by @anonvector in #55
• Faster broken connection detection — SOCKS profiles (SSH/Naive) now detect failures in ~30s instead of ~120s
• Scanner UI overhaul — sortable E2E results, collapsible search, background scanning, neighbor toggle

New Contributors

• @yappologistic made their first contribution in #48
• @mirzaaghazadeh made their first contribution in #52

Full Changelog: v2.2.3...v2.3

v2.2.3

v2.2.3:

VPN

• Removed gstatic data probing — the periodic end-to-end probe (HTTP request to
  www.gstatic.com/generate_204 through the tunnel) has been removed.

Scanner

• Background scanning — scan continues when the app is backgrounded (wake lock keeps CPU alive)
• Collapsible search bar — hidden by default, toggle via search icon in the toolbar to save screen space
• Neighboring IP toggle — new "Scan neighboring IPs" setting to enable/disable /24 subnet expansion
• System back stops scan — pressing back gesture/button now properly stops the scan (previously only the
  toolbar arrow did)
• E2E timeout increased — default raised from 7s to 9s for better results on slower networks
• Performance — cached working IPs list to avoid redundant filtering on every recomposition

UI

• Profile name overflow fix — long profile names no longer push "Selected"/"Connected" badges off-screen
• Scan button prominence — "Scan for Working Resolvers" in edit profile is now a filled button
• Server setup guides relocated — moved to bottom of edit profile form with clearer styling and
  tunnel-specific labels

Build

• Lite flavor multi-ABI — lite now produces arm64, armeabi-v7a, and universal APKs (was arm64-only)