Anonnix VPN — Technical Documentation
Architecture
Anonnix uses a Zero-Knowledge architecture. The system is designed so that even the operator cannot identify users. All identity derivation is based on irreversible HMAC-SHA256 cryptography.
Identity Derivation
chat_id (RAM only)
  -> HMAC-SHA256(MASTER_SECRET, chat_id) -> user_token (64 hex)
  -> UUID5(NAMESPACE, user_token[:16]) -> vpn_uuid
  -> user_token[:8].upper() -> ref_code
HMAC is a one-way function: given vpn_uuid, recovering chat_id without MASTER_SECRET is computationally infeasible. The guarantee therefore depends on MASTER_SECRET staying secret.
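The derivation chain above as a runnable sketch. This is an added example, not code from the Anonnix repository. Assumptions: chat_id is encoded as its decimal string, the MASTER_SECRET and NAMESPACE values are constructed stand-ins, and owns_ref_code and exposed_name_bits are hypothetical helpers.

```python
import hashlib
import hmac
import uuid

# Constructed sample values: the real MASTER_SECRET and NAMESPACE are not on the page.
MASTER_SECRET = b"constructed-example-secret"
NAMESPACE = uuid.NAMESPACE_URL  # assumption: stand-in for the project's namespace


def derive_identity(master_secret: bytes, namespace: uuid.UUID, chat_id: int) -> dict:
    """Run the chain chat_id -> user_token -> (vpn_uuid, ref_code)."""
    # Assumption: chat_id is fed to HMAC as its ASCII decimal string.
    msg = str(chat_id).encode("ascii")
    user_token = hmac.new(master_secret, msg, hashlib.sha256).hexdigest()  # 64 hex chars
    return {
        "user_token": user_token,
        # UUID5 is deterministic for a given (namespace, name) pair.
        "vpn_uuid": str(uuid.uuid5(namespace, user_token[:16])),
        "ref_code": user_token[:8].upper(),
    }


def owns_ref_code(master_secret: bytes, namespace: uuid.UUID,
                  chat_id: int, ref_code: str) -> bool:
    """Hypothetical helper: re-derive the code instead of storing a mapping."""
    expected = derive_identity(master_secret, namespace, chat_id)["ref_code"]
    # Constant-time comparison of the two strings as bytes.
    return hmac.compare_digest(expected.encode(), ref_code.upper().encode())


def exposed_name_bits(identity: dict) -> int:
    """Bits of the UUID5 name (user_token[:16], 64 bits) that ref_code reveals."""
    name = identity["user_token"][:16]
    ref = identity["ref_code"].lower()
    return 4 * len(ref) if name.startswith(ref) else 0


if __name__ == "__main__":
    ident = derive_identity(MASTER_SECRET, NAMESPACE, 123456789)  # constructed chat_id
    print(ident["vpn_uuid"], ident["ref_code"])
    print("ref_code exposes", exposed_name_bits(ident), "of 64 name bits")
```

Because every output is recomputed from chat_id and the key, no lookup table has to be stored. Note that ref_code is a prefix of the string fed to UUID5, so the referral code and vpn_uuid are linked by construction.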
VPN Protocols (sing-box)
VLESS + Reality (port 443) — Primary protocol. Traffic masquerades as TLS to yahoo.com. Uses XTLS-Vision flow with MUX multiplexing and padding. Impossible to distinguish from legitimate HTTPS.
Hysteria2 (port 8443/UDP) — QUIC-based protocol with Brutal congestion control. Achieves maximum speed even on lossy connections. Looks like regular QUIC traffic (YouTube, Google).
Shadowsocks-2022 (port 8388) — AEAD encryption with BLAKE3 key derivation. Shared key, no per-user UUID needed. Fallback protocol.
Server Hardening
sing-box logging: disabled (silent mode). /tmp mounted as tmpfs (RAM). bash history disabled. fail2ban active. UFW firewall. TCP BBR congestion control. Kernel tuning for 65535 connections. Automatic security updates.
Auto-Recovery
Watchdog (cron, every 60s): checks sing-box, bot, ports, internet, config validity, memory. Restarts any failed component automatically.
Self-test (cron, every 5 min): verifies all VPN ports respond.
Payment Flow
Telegram Stars: User pays -> pre_checkout -> successful_payment -> record_stars_payment() -> activate_user(uuid) -> send config. Payment stored in /tmp/anonnix_stars.json (RAM).
CryptoPay: User pays -> CryptoPay API -> bot checks paid invoices (10s cache) -> /key activates UUID on server -> sends config.
Subscription Logic
Repeat payment adds +30 days to current expiry (not reset). Both Stars and CryptoPay checked; latest expiry wins. No database — all state derived from payment APIs + /tmp file.
Referral System
ref_code = first 8 hex chars of user_token (uppercase). Encoded in CryptoPay payload. 50% of payment (25 RUB) credited to referrer. Withdrawal in $TON to user's wallet.
Source Code
Open source: github.com/anonnixvpn/anonnix. Licensed under BSL 1.1 (non-commercial use allowed, commercial use requires license). Contributions welcome via Pull Requests.
Contributing
Fork the repo, make changes, submit PR. All PRs reviewed by maintainers. Security-sensitive changes require additional review. Do not commit secrets or .env files.