Profile Configuration
The text-based profile is a cornerstone of MintFlow, designed to provide power users with a highly flexible and shareable way to control the app’s advanced networking capabilities.
Why Use Profiles?
- Complex Setups: Easily configure sophisticated routing rules, split DNS, and combinations of proxies and VPNs.
- Manage Multiple Configurations: Create and switch between different profiles for various scenarios (e.g., a “Work” profile with a corporate VPN and a “Home” profile for personal use).
- Share and Collaborate: Profiles are plain text, making them easy to share with other MintFlow users, version control with Git, or collaborate on.
- Import and Export: Seamlessly import profiles from URLs or files, and export your configurations to back them up or share them.
MintFlow uses a powerful and flexible text-based profile format to configure all aspects of the VPN and proxy behavior. This document details the syntax and all available configuration options.
Syntax Overview
The profile uses an INI-style format with sections enclosed in [].
# Comments start with # or //
[section-name]
key=value
# Lists are comma-separated
key=value1,value2,value3
# Structured values use subkey:subvalue pairs
key=subkey1:value1,subkey2:value2
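The three conventions above (comments, comma lists, `subkey:value` records) are enough to write a reader for the format. The parser below is an added example, not MintFlow's own code. It assumes, from the section tables later on this page, which sections hold structured records (`[l3vpns]`, `[wireguard-peers]`, `[amneziawg-peers]`, `[l4proxies]`, `[http-url-rewrite]`) and that `[routing]` holds bare rule lines. One point the page leaves open is how a comma inside a structured subvalue is told apart from a new subkey (the `allowed-ips:0.0.0.0/0,::/0` example); the heuristic used here, a token opens a new subkey only when it starts with a key-like name and a single colon, is an assumption.

```python
import re
from typing import Dict, List, Union

# Sections whose entries are 'name=subkey:value,...' records (assumed from the section tables).
STRUCTURED_SECTIONS = {"l3vpns", "wireguard-peers", "amneziawg-peers", "l4proxies", "http-url-rewrite"}
# Sections that hold bare rule lines instead of key=value pairs ([routing]).
RULE_LIST_SECTIONS = {"routing"}
# A token opens a new subkey when it starts with a key-like name and a single ':'.
# The negative lookahead keeps IPv6 literals such as 'fd00::/8' as continuation tokens
# (heuristic; the page does not say how MintFlow itself disambiguates this).
SUBKEY_RE = re.compile(r"^[a-z][a-z0-9-]*:(?!:)")

Value = Union[str, List[str], Dict[str, str]]
Section = Union[Dict[str, Value], List[str]]


def strip_comment(line: str) -> str:
    """Return '' for blank lines and full-line '#' / '//' comments, else the stripped line.
    Only full-line comments are recognised: '//' also occurs inside values such as
    'https://dns.google/dns-query'."""
    s = line.strip()
    return "" if s.startswith(("#", "//")) else s


def parse_structured(value: str) -> Dict[str, str]:
    """Parse 'subkey1:value1,subkey2:value2' into a dict. Each token is split on its
    first ':' only, so 'endpoint:1.2.3.4:51820' keeps its port. A token that does not
    open a new subkey is appended to the previous subvalue, which keeps the
    'allowed-ips:0.0.0.0/0,::/0' case together."""
    fields: Dict[str, str] = {}
    last_key = None
    for token in value.split(","):
        if SUBKEY_RE.match(token):
            key, _, val = token.partition(":")
            fields[key] = val
            last_key = key
        elif last_key is not None:
            fields[last_key] += "," + token
        else:
            raise ValueError(f"malformed structured value: {value!r}")
    return fields


def parse_profile(text: str) -> Dict[str, Section]:
    """Parse a profile into {section: {key: value}}, or {section: [rule, ...]} for
    rule-list sections. Comma-separated values in plain sections become lists; a
    single value stays a string (the format alone cannot tell a one-item list apart)."""
    sections: Dict[str, Section] = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw)
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = [] if current in RULE_LIST_SECTIONS else {}
            continue
        if current is None:
            raise ValueError(f"line {lineno}: content before any [section] header")
        if current in RULE_LIST_SECTIONS:
            sections[current].append(line)
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected key=value in [{current}]")
        key, value = key.strip(), value.strip()
        if current in STRUCTURED_SECTIONS:
            sections[current][key] = parse_structured(value)
        elif "," in value:
            sections[current][key] = [item.strip() for item in value.split(",")]
        else:
            sections[current][key] = value
    return sections


# Constructed sample profile assembled from the examples on this page.
SAMPLE_PROFILE = r"""
# Comments start with # or //
[misc]
tun-mtu=1420
[dns]
vpn-dns=tls://p2.freedns.controld.com,https://dns.google/dns-query
[domain-sets]
social-media=twitter.com,facebook.com,instagram.com
[amneziawg-peers]
my-awg-peer=interface:my-awg,public-key:...,endpoint:1.2.3.4:51820,allowed-ips:0.0.0.0/0,::/0
[http-url-rewrite]
block-ads=match:^https?://ads\..*,action:reject
[routing]
CIDR-SET,private-ips,DIRECT
DEFAULT,L3VPN,my-wireguard
"""

if __name__ == "__main__":
    import pprint
    pprint.pprint(parse_profile(SAMPLE_PROFILE))
```

Because the parser has to know which sections are structured, a profile that puts `subkey:value` records into a section it does not expect will come back as plain strings or lists; extend `STRUCTURED_SECTIONS` if the format grows.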
Sections
[misc]
This section contains miscellaneous system-level settings.
| Key | Type | Description | Default |
|---|---|---|---|
tun-mtu | Integer | The MTU for the TUN interface. | |
exclude-lan-networks | Boolean | If true, local area networks will be excluded from the VPN. | false |
Example:
[misc]
tun-mtu=1420
exclude-lan-networks=true
[dns]
This section configures the DNS settings.
| Key | Type | Description |
|---|---|---|
system-dns | List of IPs | DNS servers to use when app-routing-enabled is false. |
app-routing-enabled | Boolean | Enables domain-based routing and split DNS. Default is false. |
direct-dns | List of DNS upstreams | DNS servers for direct connections when app-routing-enabled is true. Supports plain IP DNS, DoT, and DoH. |
vpn-dns | List of DNS upstreams | DNS servers for VPN/proxy connections when app-routing-enabled is true. Supports plain IP DNS, DoT, and DoH. |
bootstrap-dns | List of IPs | (New in 1.9.0) Bootstrap resolvers used when encrypted VPN DNS upstreams are configured with domain names. Defaults are provided by the app. |
direct-dns-follow-vpn | Boolean | (New in 1.8.0) Whether DNS servers for direct connections should follow the split routing rule. |
optimistic-dns-caching | Boolean | (New in 1.9.0) Enables optimistic DNS cache refresh. Default is true. |
DNS upstream formats:
- Plain IP DNS: 1.1.1.1, 8.8.8.8
- DNS over TLS: tls://cloudflare-dns.com or tls://1.1.1.1
- DNS over HTTPS: https://dns.google/dns-query
When vpn-dns contains an encrypted DNS server with a domain name, such as tls://p2.freedns.controld.com, add a VPN-DNS-SERVER-DOMAINS routing rule so MintFlow can resolve that DNS server domain through a selected VPN/proxy path instead of leaking bootstrap traffic to the direct network.
Example:
[dns]
app-routing-enabled=true
direct-dns=223.5.5.5,114.114.114.114
vpn-dns=tls://p2.freedns.controld.com,https://dns.google/dns-query
bootstrap-dns=1.1.1.1,8.8.8.8
optimistic-dns-caching=true
[l3vpns]
This section defines Layer 3 VPN interfaces. The key for each entry is a user-defined name for the interface.
Common Fields
| Key | Type | Description | Required |
|---|---|---|---|
type | String | The VPN type. Supported values: wireguard, amneziawg, openvpn. | Yes |
nickname | String | A user-friendly name for the interface. | No |
enabled | Boolean | Whether the interface is enabled. Defaults to true. | No |
WireGuard Specific Fields (When type=wireguard)
| Key | Type | Description | Required |
|---|---|---|---|
private-key | String | The private key for the interface. | Yes |
address | CIDR | The internal IP address and subnet for the interface. | Yes |
AmneziaWG Specific Fields (When type=amneziawg)
MintFlow 1.9.0 supports AmneziaWG 1.5 and 2.0 interface parameters. Peer fields are configured separately in [amneziawg-peers].
| Key | Type | Description | Required |
|---|---|---|---|
private-key | String | The private key for the interface. | Yes |
address | CIDR | The internal IP address and subnet for the interface. | Yes |
jc | Integer | Junk packet count parameter. | No |
jmin | Integer | Minimum junk packet size. | No |
jmax | Integer | Maximum junk packet size. | No |
s1 | Integer | AmneziaWG S1 parameter. | No |
s2 | Integer | AmneziaWG S2 parameter. | No |
s3 | Integer | AmneziaWG S3 parameter. | No |
s4 | Integer | AmneziaWG S4 parameter. | No |
h1 | Integer or range | H1 packet header value, for example 1 or 843739526-1233562642. | No |
h2 | Integer or range | H2 packet header value, for example 2 or 1383464517-1389039856. | No |
h3 | Integer or range | H3 packet header value, for example 3 or 1558777559-1611162592. | No |
h4 | Integer or range | H4 packet header value, for example 4 or 1797613837-1977519157. | No |
i1 … i5 | String | AmneziaWG 2.0 CPS instruction strings. Each field is limited to 255 UTF-8 bytes. Supported tags are `<b>`, `<r>`, `<rd>`, `<rc>`, and `<t>`. | No |
Example:
[l3vpns]
my-wireguard=type:wireguard,nickname:My WG,private-key:...,address:10.0.0.1/32
my-awg=type:amneziawg,nickname:My AWG,private-key:...,address:10.8.9.2/32,jc:4,jmin:40,jmax:70,s1:0,s2:0,s3:0,s4:0,h1:1,h2:2,h3:3,h4:4,i1:<r 33>
[wireguard-peers]
This section defines peers for WireGuard interfaces. The key for each entry is a user-defined name for the peer.
| Key | Type | Description | Required |
|---|---|---|---|
interface | String | The name of the l3vpns interface this peer belongs to. | Yes |
public-key | String | The public key of the peer. | Yes |
preshared-key | String | An optional pre-shared key. | No |
endpoint | String | The public endpoint of the peer (e.g., 1.2.3.4:51820). | Yes |
allowed-ips | List of CIDRs | A list of IP addresses/ranges to be routed through this peer. | Yes |
Example:
[wireguard-peers]
my-peer=interface:my-wireguard,public-key:...,endpoint:1.2.3.4:51820,allowed-ips:0.0.0.0/0
[amneziawg-peers]
This section defines peers for AmneziaWG interfaces. The key for each entry is a user-defined peer name. The fields match WireGuard peers, but interface must reference an [l3vpns] entry whose type is amneziawg.
| Key | Type | Description | Required |
|---|---|---|---|
interface | String | The name of the amneziawg interface this peer belongs to. | Yes |
public-key | String | The public key of the peer. | Yes |
preshared-key | String | An optional pre-shared key. | No |
endpoint | String | The public endpoint of the peer, for example 1.2.3.4:51820. | Yes |
allowed-ips | List of CIDRs | A list of IP addresses/ranges to be routed through this peer. | Yes |
Example:
[amneziawg-peers]
my-awg-peer=interface:my-awg,public-key:...,endpoint:1.2.3.4:51820,allowed-ips:0.0.0.0/0,::/0
[l4proxies]
This section defines Layer 4 proxies, like Shadowsocks and VMess. The key for each entry is a user-defined name for the proxy.
Common Fields
| Key | Type | Description | Required |
|---|---|---|---|
type | String | The proxy type. Supported: shadowsocks, vmess, anytls, http, socks5. | Yes |
nickname | String | A user-friendly name. | No |
server | String | The server address. | Yes |
port | Integer | The server port. | Yes |
enabled | Boolean | Whether the proxy is enabled. Defaults to true. | No |
route-via-vpn | Boolean | (New in 1.8.0) Whether the proxy's own connection is routed over the VPN, so that its traffic can be chained through another VPN/proxy server. Defaults to false. When enabled, server must be an IPv4 address. | No |
Shadowsocks Fields
| Key | Type | Description | Required |
|---|---|---|---|
password | String | The password. | Yes |
method | String | The encryption method. Supported AEAD methods: aes-128-gcm, aes-256-gcm, chacha20-ietf-poly1305. Supported Shadowsocks 2022 methods: 2022-blake3-aes-128-gcm, 2022-blake3-aes-256-gcm, 2022-blake3-chacha20-poly1305. | Yes |
obfs-type | String | Obfuscation type (tls or http). | No |
obfs-host | String | Obfuscation host (required for obfs-type). | No |
obfs-path | String | Obfuscation path (required for obfs-type=http). | No |
udp-forward | Boolean | Whether to forward UDP traffic. Defaults to false. | No |
For Shadowsocks 2022 methods, password must be a base64-encoded pre-shared key. The decoded key must be 16 bytes for 2022-blake3-aes-128-gcm, and 32 bytes for 2022-blake3-aes-256-gcm or 2022-blake3-chacha20-poly1305.
VMess Fields
| Key | Type | Description | Required |
|---|---|---|---|
user-id | UUID | The user ID. | Yes |
alter-id | Integer | The alter ID. | Yes |
security | String | Security type. E.g., auto. | Yes |
transport-type | String | Transport type (tcp or ws). | Yes |
ws-path | String | The WebSocket path (required for transport-type=ws). | No |
sni | String | Server Name Indication for TLS. | No |
skip-cert-check | Boolean | If true, skip certificate validation. Defaults to false. | No |
alpn | String | Application-Layer Protocol Negotiation. Defaults to h2,http/1.1. | No |
AnyTLS Fields
AnyTLS is configured as an L4 proxy with type=anytls. The fields below follow the shared profile schema of the mintflow-app branch currently used for vpprs integration; these AnyTLS profile fields are stable there and safe to use.
| Key | Type | Description | Required |
|---|---|---|---|
password | String | AnyTLS password. | Yes |
sni | String | TLS Server Name Indication. Defaults to the server value when omitted. | No |
skip-cert-check | Boolean | If true, skip upstream certificate validation. Defaults to false. | No |
session-reuse | Boolean | Enables AnyTLS idle session reuse. Defaults to true. | No |
idle-session-check-interval | Integer | Interval in seconds for checking idle AnyTLS sessions. Valid range: 1 to 3600. Defaults to 30. | No |
idle-session-timeout | Integer | Idle session timeout in seconds. Valid range: 1 to 3600. Defaults to 60. | No |
min-idle-sessions | Integer | Minimum idle sessions to keep. Valid range: 0 to 64. Defaults to 1. | No |
max-idle-sessions | Integer | Maximum idle sessions to keep. Valid range: 0 to 64. Defaults to 4. | No |
Example:
[l4proxies]
any=type:anytls,nickname:AnyTLS,server:any.example.com,port:443,password:secret,sni:cdn.example.com,skip-cert-check:false,session-reuse:true,idle-session-check-interval:30,idle-session-timeout:60,min-idle-sessions:1,max-idle-sessions:4,enabled:true
HTTP & SOCKS5 Fields
| Key | Type | Description | Required |
|---|---|---|---|
username | String | Proxy username for upstream authentication. | No |
password | String | Proxy password for upstream authentication. | No |
udp-forward | Boolean | SOCKS5 UDP forwarding flag. Currently kept for profile compatibility; UDP forwarding depends on runtime support. | No |
Example:
[l4proxies]
tshttp=type:http,nickname:tshttp,server:3.3.3.3,port:1055,enabled:true
tssocks=type:socks5,nickname:tssocks,server:10.1.1.1,port:1055,username:user,password:pass,enabled:true,udp-forward:false,route-via-vpn:true
ss2022=type:shadowsocks,nickname:SS2022,server:ss.example.com,port:8388,password:base64-psk,method:2022-blake3-aes-256-gcm,udp-forward:true,enabled:true
any=type:anytls,nickname:AnyTLS,server:any.example.com,port:443,password:secret,sni:cdn.example.com,skip-cert-check:false,session-reuse:true
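The tables above state several constraints that a misconfigured entry silently violates: a Shadowsocks 2022 password that is not base64 or decodes to the wrong key length, AnyTLS session parameters outside their valid ranges, route-via-vpn on a proxy whose server is given as a hostname, and obfs/ws fields that are required only in combination. The validator below is an added example, not part of MintFlow; it takes one `[l4proxies]` entry already split into its `subkey:value` fields and returns the problems it finds. The sample entries are constructed with placeholder servers and keys, and the skip-cert-check finding is an added lint, not a rule from the page.

```python
import base64
import binascii
import ipaddress
from typing import Dict, List

# Shadowsocks 2022 methods and the decoded pre-shared-key length each requires (bytes).
SS2022_KEY_BYTES = {
    "2022-blake3-aes-128-gcm": 16,
    "2022-blake3-aes-256-gcm": 32,
    "2022-blake3-chacha20-poly1305": 32,
}
AEAD_METHODS = {"aes-128-gcm", "aes-256-gcm", "chacha20-ietf-poly1305"}
# AnyTLS integer fields and their documented valid ranges.
ANYTLS_RANGES = {
    "idle-session-check-interval": (1, 3600),
    "idle-session-timeout": (1, 3600),
    "min-idle-sessions": (0, 64),
    "max-idle-sessions": (0, 64),
}
# Fields marked Required in the tables above, common and per type.
COMMON_REQUIRED = ("type", "server", "port")
TYPE_REQUIRED = {
    "shadowsocks": ("password", "method"),
    "vmess": ("user-id", "alter-id", "security", "transport-type"),
    "anytls": ("password",),
}


def decoded_key_length(password: str):
    """Byte length of a strictly base64-encoded key, or None if it is not valid base64."""
    try:
        return len(base64.b64decode(password, validate=True))
    except (binascii.Error, ValueError):
        return None


def validate_l4proxy(name: str, fields: Dict[str, str]) -> List[str]:
    """Check one [l4proxies] entry, already split into its subkey:value fields, against
    the constraints in the tables above. Returns a list of problem descriptions."""
    problems: List[str] = []
    ptype = fields.get("type", "")
    for key in COMMON_REQUIRED + TYPE_REQUIRED.get(ptype, ()):
        if key not in fields:
            problems.append(f"{name}: missing required field '{key}'")
    if ptype == "shadowsocks":
        method = fields.get("method", "")
        if method in SS2022_KEY_BYTES:
            expected, got = SS2022_KEY_BYTES[method], decoded_key_length(fields.get("password", ""))
            if got is None:
                problems.append(f"{name}: {method} password must be a base64-encoded pre-shared key")
            elif got != expected:
                problems.append(f"{name}: {method} key is {got} bytes, expected {expected}")
        elif method not in AEAD_METHODS:
            problems.append(f"{name}: unsupported shadowsocks method '{method}'")
        obfs = fields.get("obfs-type")
        if obfs and "obfs-host" not in fields:
            problems.append(f"{name}: obfs-host is required when obfs-type is set")
        if obfs == "http" and "obfs-path" not in fields:
            problems.append(f"{name}: obfs-path is required when obfs-type=http")
    elif ptype == "vmess":
        if fields.get("transport-type") == "ws" and "ws-path" not in fields:
            problems.append(f"{name}: ws-path is required when transport-type=ws")
    elif ptype == "anytls":
        for key, (lo, hi) in ANYTLS_RANGES.items():
            if key not in fields:
                continue
            try:
                v = int(fields[key])
            except ValueError:
                problems.append(f"{name}: {key} must be an integer")
                continue
            if not lo <= v <= hi:
                problems.append(f"{name}: {key}={v} is outside the valid range {lo}-{hi}")
    # route-via-vpn chains this proxy through another VPN/proxy; the page requires an IPv4 server.
    if fields.get("route-via-vpn") == "true":
        try:
            ipaddress.IPv4Address(fields.get("server", ""))
        except ipaddress.AddressValueError:
            problems.append(f"{name}: route-via-vpn=true requires server to be an IPv4 address")
    # Added lint, not a schema rule: the upstream TLS connection would be unauthenticated.
    if fields.get("skip-cert-check") == "true":
        problems.append(f"{name}: skip-cert-check=true disables upstream certificate validation")
    return problems


def validate_l4proxies(proxies: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    return {name: validate_l4proxy(name, fields) for name, fields in proxies.items()}


# Constructed sample entries (placeholder servers and keys, not real infrastructure).
SAMPLE_PROXIES = {
    "ss2022": {"type": "shadowsocks", "server": "ss.example.com", "port": "8388",
               "method": "2022-blake3-aes-256-gcm",
               "password": base64.b64encode(b"\x11" * 32).decode()},
    "ss2022-short-key": {"type": "shadowsocks", "server": "ss.example.com", "port": "8388",
                         "method": "2022-blake3-aes-256-gcm",
                         "password": base64.b64encode(b"\x11" * 16).decode()},
    "tssocks": {"type": "socks5", "server": "10.1.1.1", "port": "1055", "route-via-vpn": "true"},
    "chained-by-name": {"type": "socks5", "server": "proxy.example.com", "port": "1055",
                        "route-via-vpn": "true"},
    "any": {"type": "anytls", "server": "any.example.com", "port": "443", "password": "secret",
            "idle-session-timeout": "7200"},
}

if __name__ == "__main__":
    for name, problems in validate_l4proxies(SAMPLE_PROXIES).items():
        print(name, "OK" if not problems else problems)
```

Strict base64 decoding (`validate=True`) matters here: a lenient decoder would accept the literal placeholder `base64-psk` from the example above by discarding the hyphen, and the length check would then pass or fail for the wrong reason.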
[domain-sets]
This section defines named sets of domains for use in routing rules. The key is the set name.
Example:
[domain-sets]
social-media=twitter.com,facebook.com,instagram.com
[cidr-sets]
This section defines named sets of IP ranges (CIDRs) for use in routing rules. The key is the set name.
Example:
[cidr-sets]
private-ips=10.0.0.0/8,192.168.0.0/16
[routing]
This section defines the routing rules, which are processed from top to bottom. It does not use key-value pairs.
Rule Format: TYPE,VALUE,ACTION,TARGET for match rules, or TYPE,ACTION,TARGET for reserved/default rules such as DNS-FALLBACK, VPN-DNS-SERVER-DOMAINS, and DEFAULT.
| Type | Value | Action | Target | Description |
|---|---|---|---|---|
DOMAIN-SET | Name of a domain set | L3VPN, L4PROXY, DIRECT, DROP, REJECT | Name of an l3vpn/l4proxy | Route based on a domain set. |
CIDR-SET | Name of a CIDR set | L3VPN, L4PROXY, DIRECT, DROP, REJECT | Name of an l3vpn/l4proxy | Route based on a CIDR set. |
CIDR | A single CIDR | L3VPN, L4PROXY, DIRECT, DROP, REJECT | Name of an l3vpn/l4proxy | Route based on a single IP range. |
DNS-FALLBACK | (Not used) | DIRECT, L3VPN, L4PROXY, etc. | Name of an l3vpn/l4proxy | Default DNS behavior for domains not in any set. |
VPN-DNS-SERVER-DOMAINS | (Not used) | L3VPN, L4PROXY | Name of an l3vpn/l4proxy | (New in 1.9.0) Route encrypted VPN DNS server domain bootstrap traffic through a selected VPN/proxy. Required when vpn-dns uses DoT/DoH upstreams with domain names. |
DEFAULT | (Not used) | DIRECT, L3VPN, L4PROXY, etc. | Name of an l3vpn/l4proxy | The final catch-all rule for all traffic. |
Example:
[routing]
DOMAIN-SET,social-media,L4PROXY,my-shadowsocks
CIDR-SET,private-ips,DIRECT
VPN-DNS-SERVER-DOMAINS,L4PROXY,my-shadowsocks
DEFAULT,L3VPN,my-wireguard
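The `[dns]` note earlier on this page and the VPN-DNS-SERVER-DOMAINS row above describe the same failure mode from two sides: an encrypted vpn-dns upstream named by a domain needs a bootstrap lookup, and without a matching routing rule that lookup goes out via the direct network. The linter below is an added example, not MintFlow code; it takes the parsed `[dns]` values, the raw `[routing]` lines and the set of defined l3vpn/l4proxy names (all constructed inline here from the page's own examples) and reports that leak condition together with the rule-format problems the table above lets one check: unknown rule types, L3VPN/L4PROXY actions without a defined target, and rules placed after the DEFAULT catch-all.

```python
import ipaddress
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

ENCRYPTED_SCHEMES = {"tls", "https"}          # DoT and DoH upstream URL schemes
MATCH_RULE_TYPES = {"DOMAIN-SET", "CIDR-SET", "CIDR"}
RESERVED_RULE_TYPES = {"DNS-FALLBACK", "VPN-DNS-SERVER-DOMAINS", "DEFAULT"}
TARGET_ACTIONS = {"L3VPN", "L4PROXY"}          # actions that need a named target


def is_ip_literal(host: str) -> bool:
    """True for IPv4/IPv6 literals, which need no bootstrap lookup."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def encrypted_domain_upstreams(upstreams: List[str]) -> List[str]:
    """Return the DoT/DoH upstreams whose server is a domain name. Resolving that name is
    the bootstrap step that leaks to the direct network without a VPN-DNS-SERVER-DOMAINS rule."""
    result = []
    for upstream in upstreams:
        parts = urlsplit(upstream)
        if parts.scheme in ENCRYPTED_SCHEMES and parts.hostname and not is_ip_literal(parts.hostname):
            result.append(upstream)
    return result


def parse_rule(line: str) -> Dict[str, Optional[str]]:
    """Split one [routing] line into type/value/action/target per the rule format above."""
    parts = [p.strip() for p in line.split(",")]
    rtype = parts[0]
    if rtype in MATCH_RULE_TYPES and len(parts) in (3, 4):
        value, action, target = parts[1], parts[2], parts[3] if len(parts) == 4 else None
    elif rtype in RESERVED_RULE_TYPES and len(parts) in (2, 3):
        value, action, target = None, parts[1], parts[2] if len(parts) == 3 else None
    else:
        raise ValueError(f"unrecognised rule: {line!r}")
    return {"type": rtype, "value": value, "action": action, "target": target}


def lint_dns_routing(dns: Dict[str, List[str]], routing: List[str], known_targets: Set[str]) -> List[str]:
    """Cross-check [dns] against [routing]: rule syntax, dangling targets, DEFAULT placement,
    and the bootstrap-leak condition for encrypted vpn-dns upstreams."""
    findings: List[str] = []
    rules = []
    for n, line in enumerate(routing, 1):
        try:
            rules.append(parse_rule(line))
        except ValueError as exc:
            findings.append(f"routing rule {n}: {exc}")
    for rule in rules:
        if rule["action"] in TARGET_ACTIONS:
            if not rule["target"]:
                findings.append(f"routing: {rule['type']} with action {rule['action']} has no target")
            elif rule["target"] not in known_targets:
                findings.append(f"routing: target '{rule['target']}' is not a defined l3vpn/l4proxy")
    default_positions = [i for i, r in enumerate(rules) if r["type"] == "DEFAULT"]
    if not default_positions:
        findings.append("routing: no DEFAULT catch-all rule")
    elif default_positions[0] != len(rules) - 1:
        findings.append("routing: rules after DEFAULT are unreachable (rules run top to bottom)")
    leaky = encrypted_domain_upstreams(dns.get("vpn-dns", []))
    if leaky and not any(r["type"] == "VPN-DNS-SERVER-DOMAINS" for r in rules):
        findings.append("dns: vpn-dns upstreams " + ", ".join(leaky) +
                        " use domain names but [routing] has no VPN-DNS-SERVER-DOMAINS rule;"
                        " their bootstrap lookups would go out via the direct network")
    return findings


# Constructed inputs mirroring the examples on this page.
SAMPLE_DNS = {"vpn-dns": ["tls://p2.freedns.controld.com", "https://dns.google/dns-query"],
              "bootstrap-dns": ["1.1.1.1", "8.8.8.8"]}
KNOWN_TARGETS = {"my-wireguard", "my-shadowsocks"}
LEAKY_ROUTING = ["DOMAIN-SET,social-media,L4PROXY,my-shadowsocks",
                 "CIDR-SET,private-ips,DIRECT",
                 "DEFAULT,L3VPN,my-wireguard"]
FIXED_ROUTING = LEAKY_ROUTING[:2] + ["VPN-DNS-SERVER-DOMAINS,L4PROXY,my-shadowsocks"] + LEAKY_ROUTING[2:]

if __name__ == "__main__":
    print(lint_dns_routing(SAMPLE_DNS, LEAKY_ROUTING, KNOWN_TARGETS))
    print(lint_dns_routing(SAMPLE_DNS, FIXED_ROUTING, KNOWN_TARGETS))
```

An upstream such as `tls://1.1.1.1` is deliberately not flagged: with an IP literal there is nothing to bootstrap, so the rule is only required when the DoT/DoH server is named by a domain, exactly as the table states.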
[http-engine]
This section configures the internal HTTP engine.
| Key | Type | Description |
|---|---|---|
enabled | Boolean | Enables the HTTP engine. Default false. |
domain-list | List of Strings | A list of domains to apply HTTP processing on. |
ca-p12 | String | A base64 encoded PKCS#12 certificate authority. Note: Only RSA keys are currently supported. |
ca-passphrase | String | The passphrase for the ca-p12 certificate. |
Example:
[http-engine]
enabled=true
domain-list=example.com
ca-p12=...
ca-passphrase=...
[http-url-rewrite]
This section defines URL rewrite rules for the HTTP engine. The key is a user-defined name for the rule.
| Key | Type | Description | Required |
|---|---|---|---|
match | Regexp | A regular expression to match the URL. | Yes |
action | String | The action to take. Supported: reject, redirect-302. | Yes |
target | String | The target URL for redirection. | No |
Example:
[http-url-rewrite]
block-ads=match:^https?://ads\..*,action:reject
redirect-google=match:^https?://google\.com,action:redirect-302,target:https://duckduckgo.com