The server configuration file defines how paqet operates in server mode, including listen address, network interface configuration, and transport settings.
Role Configuration
Must be set to "server" for server mode.
Logging
Log level for output. Options: none, debug, info, warn, error, fatal
Server Listen Configuration
Server listen address and port (e.g., ":9999"). The port must match the port configured in network.ipv4.addr and/or network.ipv6.addr.
Do not use standard ports (80, 443, etc.) as iptables rules can affect outgoing server connections. Choose a high port number like 9999.
Network Interface Settings
Network interface name to use (e.g., eth0, ens3, en0)
Windows only: Npcap device GUID in format \\Device\\NPF_{...}
IPv4 Configuration
Server IPv4 address and port (e.g., "10.0.0.100:9999"). The port must match listen.addr.
MAC address of the gateway/router in format aa:bb:cc:dd:ee:ff
IPv6 Configuration
Server IPv6 address and port (e.g., "[::1]:9999"). Optional. If configured, port must match listen.addr.
MAC address of the gateway/router for IPv6
TCP Configuration
TCP flags for local packets (Push+Ack by default)
PCAP Settings
PCAP socket buffer size in bytes (default: 8MB for server)
Transport Configuration
Transport protocol to use. Currently only "kcp" is supported.
Number of parallel connections (1-256)
KCP Settings
See Transport Configuration for detailed KCP protocol settings.
KCP mode preset. Options: normal, fast, fast2, fast3, manual
Maximum transmission unit in bytes (50-1500)
Receive window size for server
Send window size for server
Encryption key (must match client). Generate using paqet secret.
SMUX buffer size in bytes (4MB)
Stream buffer size in bytes (2MB)
SMUX keepalive interval in seconds
transport.kcp.smuxktimeout
SMUX keepalive timeout in seconds
Firewall Configuration
Since paqet uses pcap to bypass standard firewalls, you must configure iptables on the server to prevent kernel interference.
9999 with your actual listen port):
sudo iptables -t raw -A PREROUTING -p tcp --dport 9999 -j NOTRACK
sudo iptables -t raw -A OUTPUT -p tcp --sport 9999 -j NOTRACK
sudo iptables -t mangle -A OUTPUT -p tcp --sport 9999 --tcp-flags RST RST -j DROP
- Disable connection tracking for incoming connections on the paqet port
- Disable connection tracking for outgoing connections from the paqet port
- Drop RST packets from the kernel for this port
Complete Example
# paqet Server Configuration Example
# Role must be explicitly set
role: "server"
# Logging configuration
log:
level: "info" # none, debug, info, warn, error, fatal
# Server listen configuration
listen:
addr: ":9999" # CHANGE ME: Server listen port (must match network.ipv4.addr port)
# WARNING: Do not use standard ports (80, 443, etc.) as iptables rules
# can affect outgoing server connections.
# Network interface settings
network:
interface: "eth0" # CHANGE ME: Network interface (eth0, ens3, en0, etc.)
# guid: "\\Device\\NPF_{...}" # Windows only (Npcap).
# IPv4 configuration
ipv4:
addr: "10.0.0.100:9999" # CHANGE ME: Server IPv4 and port (port must match listen.addr)
router_mac: "aa:bb:cc:dd:ee:ff" # CHANGE ME: Gateway/router MAC address
# IPv6 configuration (optional)
ipv6:
addr: "[::1]:9999" # CHANGE ME: Server IPv6 and port (or remove if not using IPv6)
router_mac: "aa:bb:cc:dd:ee:ff" # CHANGE ME: Gateway/router MAC address
# TCP flags for packet crafting (optional - will use defaults)
tcp:
local_flag: ["PA"] # Local TCP flags (Push+Ack default)
# PCAP settings (optional - will use defaults)
# pcap:
# sockbuf: 8388608 # 8MB buffer (default for server)
# Transport protocol configuration
transport:
protocol: "kcp" # Transport protocol (currently only "kcp" supported)
conn: 1 # Number of connections (1-256, default: 1)
# tcpbuf: 8192 # TCP buffer size in bytes
# udpbuf: 4096 # UDP buffer size in bytes
# KCP protocol settings
kcp:
mode: "fast" # KCP mode: normal, fast, fast2, fast3, manual
# Manual mode parameters (only used when mode="manual")
# nodelay: 1 # 0=disable, 1=enable
# Enable for lower latency & aggressive retransmission
# Disable for TCP-like conservative behavior
# interval: 10 # Internal update timer interval in milliseconds (10-5000ms)
# Lower values increase responsiveness but raise CPU usage
# resend: 2 # Fast retransmit trigger (0-2)
# 0 = disabled (wait for timeout only)
# 1 = most aggressive (retransmit after 1 ACK skip)
# 2 = aggressive (retransmit after 2 ACK skips)
# nocongestion: 1 # Congestion control: 0=enabled, 1=disabled
# 0 = TCP-like fair congestion control (slow start, congestion avoidance)
# 1 = disable congestion control for maximum speed
# wdelay: false # Write batching behavior
# false = flush immediately (low latency, recommended for real-time)
# true = batch writes until next update interval (higher throughput)
# Controls when data is actually sent to the network
# acknodelay: true # ACK sending behavior
# true = send ACKs immediately when packets are received (lower latency)
# false = batch ACKs (more bandwidth efficient)
# Setting true reduces latency but increases bandwidth usage
# mtu: 1350 # Maximum transmission unit (50-1500)
# rcvwnd: 1024 # Receive window size (default for server)
# sndwnd: 1024 # Send window size (default for server)
# Encryption settings
# block: "aes" # Encryption: aes, aes-128, aes-128-gcm, aes-192, salsa20, blowfish, twofish, cast5, 3des, tea, xtea, xor, sm4, none, null.
key: "your-secret-key-here" # CHANGE ME: Secret key (must match client)
# Buffer settings (optional)
# smuxbuf: 4194304 # 4MB SMUX buffer
# streambuf: 2097152 # 2MB stream buffer
# smuxkalive: 2 # SMUX keepalive interval (seconds)
# smuxktimeout: 8 # SMUX keepalive timeout (seconds)
# Optional Forward Error Correction (FEC) - currently disabled
# Use these only if you need FEC for very lossy networks:
# dshard: 10 # Data shards for FEC
# pshard: 3 # Parity shards for FEC
Parameters marked with # CHANGE ME: must be customized for your environment.
See Also