Features

Subscriptions

Add groups by subscription URL. Refresh to pull and parse new profiles. The core sends HWID headers with every request and inspects response headers — x-hwid-max-devices-reached, x-hwid-not-supported, x-hwid-limit — surfacing warnings when device limits are hit.

• ▸Subscription metadata parsed from subscription-userinfo header
• ▸Traffic used / limit / expiry displayed in details panel
• ▸Per-group subscription URL editing
• ▸Global subscription_mutex prevents concurrent updates

HWID — device fingerprint

An 8-byte hex hardware ID is auto-generated on first run and stored in config.json. Sent with every subscription request alongside the device OS, kernel version, device model, and user-agent. Remnawave/Happ compatible.

• ▸x-hwid: 1fb1e0141ab3e35a (auto-generated, 16 lowercase hex chars)
• ▸x-device-os: Linux (runtime.GOOS)
• ▸x-ver-os: 6.12.0-arch1-1 (uname -r)
• ▸x-device-model: Arch Linux (/etc/os-release PRETTY_NAME)
• ▸user-agent: whoisthat/v0.7.0 (user-configurable)
• ▸Toggle off, reset, or customize the user-agent in Settings

Custom routing

Rules for domain, IP, protocol, and port redirect traffic to proxy, direct, or block outbounds. GeoIP and GeoSite are separate rule types. Dat files auto-download from v2fly on first startup and are verified with a real xray test config.

• ▸DNS bypass rule (UDP:53 → proxy) injected first
• ▸User rules appended in order, disabled rules skipped
• ▸freedom (direct) and blackhole (block) outbounds appended
• ▸GeoIP/GeoSite dat files auto-downloaded, verified, fallback to system paths
• ▸Default routing uses hardcoded CIDR ranges (no geo crash on missing dat)

Kill-switch

When enabled, blocks all non-VPN traffic if the connection drops. Uses a dedicated firewall table (whoisthat_ks) independent of TUN rules. Works in both SOCKS and TUN modes. Toggle in Settings.

• ▸Dedicated firewall table: whoisthat_ks
• ▸Independent from TUN routing rules
• ▸Active in both SOCKS5 proxy mode and full TUN mode

TUN mode — no root required

TUN mode creates a virtual network interface (default whoisthattun), sets up iptables or nftables rules (auto-detected), and routes all system traffic through the Xray SOCKS5 proxy via tun2socks. DNS queries are redirected to the first configured DNS server.

• ▸File capabilities: cap_net_admin, cap_net_raw, cap_setpcap
• ▸capset(2) → inheritable → prctl(PR_CAP_AMBIENT_RAISE) → ambient
• ▸All subprocesses inherit capabilities automatically
• ▸No sudo, no root, no setuid — pure Linux capabilities
• ▸Capability detection creates a real test TUN (wt-capcheck) and tears it down
• ▸Direct outbound bypass: root mode uses dedicated UID + policy routing, capability mode uses SO_MARK + fwmark

Profile testing

Three latency-test methods. Scan-all (t) tests every profile across all groups with deduplication. Focused test (T) targets only the selected profile or subscription group. Temporary xray instances spawned from a dynamic port pool.

• ▸tcp — direct TCP dial to host:port
• ▸http-get — via SOCKS5 → Cloudflare GET
• ▸http-head — via SOCKS5 → HEAD request
• ▸test-result: >0 latency ms · -1 failed · -2 testing · 0 untested

Encrypted profile DB

Profile files, group configs, and routing rules are encrypted at rest with AES-256-GCM. A 32-byte key is auto-generated on first run and stored with 0600 permissions. Reads try encrypted wrapper first, fall back to plaintext for backward compatibility, and migrate on next write.

• ▸Key: ~/.local/share/whoisthat/db/.key (32 random bytes, 0600)
• ▸Format: {"ciphertext":"<base64(nonce+ciphertext+tag)>"}
• ▸MigrateToEncrypted() runs on startup for legacy plaintext files
• ▸Core config.json is NOT encrypted — only contains ports

Detach / reattach

q closes the TUI but leaves the core and VPN running in the background. Reopen the TUI to reattach. Q or Ctrl+C sends die to the core and exits cleanly. On reattach, the TUI compares core_version in config.toml — reattaches if it matches, kills and respawns the core if it doesn't.

• ▸q — detach: VPN stays connected
• ▸Q / Ctrl+C — full quit: stops VPN, exits
• ▸Autoconnect skipped on reattach if already connected