v1.8.5
🔐 TLS certificates now auto-renew
Fixes the 90-day certificate expiry that silently broke Trojan / Hysteria2 / CDN VLESS / admin TLS on long-running deployments. Renewal was never scheduled, and the renew script never actually invoked certbot (the compose entrypoint override swallowed it). Now:
- New
moav cert {status,renew,install,uninstall}command - Daily renewal via systemd timer (
moav-cert-renew.timer; cron.d fallback on non-systemd hosts), auto-installed onmoav startwhenDOMAINis set — opt out withCERT_AUTORENEW=false - Cert-consuming services restart automatically only when the certificate actually changed
Existing deployments: moav update then moav cert renew — this recovers an already-expired cert in place; the timer installs itself on the next moav start.
🕵️ AnyTLS protocol (opt-in)
sing-box-native protocol that defeats TLS-in-TLS fingerprinting for higher stealth than Trojan. Reuses the Trojan TLS cert/domain on TCP 8445, full user-bundle/revoke/client-test wiring, EN/FA docs. Off by default (ENABLE_ANYTLS=false) — client support is narrower (Hiddify, sing-box SFA/SFI, NekoBox, mihomo, Shadowrocket 2.2.65+). Thanks @ibeezhan (#132).
📦 Component updates (each reviewed against our exact usage)
- wstunnel 10.5.5 → 10.6.1 — fixes a process-abort panic (erebe/wstunnel#523) that a single port-scan probe against the public
ws://port could trigger, dropping all active WireGuard-over-wstunnel sessions - telemt 3.4.11 → 3.4.23 — Fake-TLS realism hardening (ServerHello fidelity, ALPN no longer a plaintext marker, synthetic key shares) applies automatically to our
tls_emulationmode - Xray-core v26.5.9 → v26.6.27 — XHTTP inbounds now ignore spoofed
X-Forwarded-For(XTLS/Xray-core#6309); finalmask UDP fix improves XDNS reliability (#6331)
⚙️ Network tuning followups
net.ipv4.tcp_max_syn_backlog = 8192added to the sysctl bundle (SYN-flood/reconnect-burst resilience)moav net applyprints a verification summary after applyingmoav doctor netgains packet-drop / PMTU / CGNAT / MTU checks
Also
- Hysteria2 inbound sets
ignore_client_bandwidth: true— keeps clients on BBR instead of Brutal (#131, thanks @ibeezhan) - Monitoring opt-in prompt defaults to No on <2 GB RAM hosts
- Admin dashboard fails closed on empty/default
ADMIN_PASSWORD(#126, thanks @raminrez)
Full changelog: https://github.com/shayanb/MoaV/blob/main/CHANGELOG.md#185---2026-07-11
Compare: v1.8.4...v1.8.5
Quick Install
curl -fsSL moav.sh/install.sh | bashThis will install MoaV to /opt/moav and guide you through setup.
Documentation
moav.sh/docs — Full documentation
- Setup Guide — Complete installation instructions
- Client Setup — How to connect from devices
- DNS Configuration — DNS records setup
- CLI Reference — All commands and options
- Monitoring — Grafana dashboards and metrics
- Troubleshooting — Common issues and solutions