Full Dossier
Case File №WT-0.7.0

Features

Eight exhibits. Each one documented, tested, and shipped.

D-01 INTELLIGENCE GATHERING

Subscriptions

Add groups by subscription URL. Refresh to pull and parse new profiles. The core sends HWID headers with every request and inspects response headers — x-hwid-max-devices-reached, x-hwid-not-supported, x-hwid-limit — surfacing warnings when device limits are hit.

Documented details
  • Subscription metadata parsed from subscription-userinfo header
  • Traffic used / limit / expiry displayed in details panel
  • Per-group subscription URL editing
  • Global subscription_mutex prevents concurrent updates
D-02 IDENTIFICATION

HWID — device fingerprint

An 8-byte hardware ID, hex-encoded, is auto-generated on first run and stored in config.json. It is sent with every subscription request alongside the device OS, kernel version, device model, and user-agent. Remnawave/Happ compatible.

Documented details
  • x-hwid: 1fb1e0141ab3e35a (auto-generated, 16 lowercase hex chars)
  • x-device-os: Linux (runtime.GOOS)
  • x-ver-os: 6.12.0-arch1-1 (uname -r)
  • x-device-model: Arch Linux (/etc/os-release PRETTY_NAME)
  • user-agent: whoisthat/v0.7.0 (user-configurable)
  • Toggle off, reset, or customize the user-agent in Settings
D-03 TRAFFIC CONTROL

Custom routing

Rules matching domain, IP, protocol, and port send traffic to the proxy, direct, or block outbounds. GeoIP and GeoSite are separate rule types. Dat files auto-download from v2fly on first startup and are verified with a real xray test config.

Documented details
  • DNS bypass rule (UDP:53 → proxy) injected first
  • User rules appended in order, disabled rules skipped
  • freedom (direct) and blackhole (block) outbounds appended
  • GeoIP/GeoSite dat files auto-downloaded, verified, fallback to system paths
  • Default routing uses hardcoded CIDR ranges (no geo crash on missing dat)
D-04 CONTAINMENT

Kill-switch

When enabled, blocks all non-VPN traffic if the connection drops. Uses a dedicated firewall table (whoisthat_ks) independent of TUN rules. Works in both SOCKS and TUN modes. Toggle in Settings.

Documented details
  • Dedicated firewall table: whoisthat_ks
  • Independent from TUN routing rules
  • Active in both SOCKS5 proxy mode and full TUN mode
D-05 NETWORK ACCESS

TUN mode — no root required

TUN mode creates a virtual network interface (default whoisthattun), sets up iptables or nftables rules (auto-detected), and routes all system traffic through the Xray SOCKS5 proxy via tun2socks. DNS queries are redirected to the first configured DNS server.

Documented details
  • File capabilities: cap_net_admin, cap_net_raw, cap_setpcap
  • capset(2) → inheritable → prctl(PR_CAP_AMBIENT_RAISE) → ambient
  • All subprocesses inherit capabilities automatically
  • No sudo, no root, no setuid — pure Linux capabilities
  • Capability detection creates a real test TUN (wt-capcheck) and tears it down
  • Direct outbound bypass: root mode uses dedicated UID + policy routing, capability mode uses SO_MARK + fwmark
D-06 RECONNAISSANCE

Profile testing

Three latency-test methods. Scan-all (t) tests every profile across all groups with deduplication. Focused test (T) targets only the selected profile or subscription group. Temporary xray instances are spawned from a dynamic port pool.

Documented details
  • tcp — direct TCP dial to host:port
  • http-get — via SOCKS5 → Cloudflare GET
  • http-head — via SOCKS5 → HEAD request
  • test-result: >0 latency ms · -1 failed · -2 testing · 0 untested
D-07 EVIDENCE LOCKER

Encrypted profile DB

Profile files, group configs, and routing rules are encrypted at rest with AES-256-GCM. A 32-byte key is auto-generated on first run and stored with 0600 permissions. Reads try the encrypted wrapper first, fall back to plaintext for backward compatibility, and migrate the file on the next write.

Documented details
  • Key: ~/.local/share/whoisthat/db/.key (32 random bytes, 0600)
  • Format: {"ciphertext":"<base64(nonce+ciphertext+tag)>"}
  • MigrateToEncrypted() runs on startup for legacy plaintext files
  • Core config.json is NOT encrypted — only contains ports
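
The read path described above (encrypted wrapper first, plaintext fallback), as an added Go example that is not whoisthat's own code. Seal, Open, newGCM and the [32]byte key parameter are illustrative names, and the all-zero key in main is constructed for the demo. In this example a file that carries the wrapper but fails the GCM tag check is an error and is never treated as legacy plaintext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// wrapper mirrors the documented on-disk format {"ciphertext":"<base64>"}.
type wrapper struct{ Ciphertext string `json:"ciphertext"` }

func newGCM(key [32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(key[:]) // cannot fail: key length is fixed at 32 (AES-256)
	gcm, _ := cipher.NewGCM(block)    // cannot fail for a 16-byte block cipher
	return gcm
}

// Seal returns the JSON wrapper around base64(nonce || ciphertext || tag).
func Seal(key [32]byte, plain []byte) ([]byte, error) {
	gcm := newGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	blob := gcm.Seal(nonce, nonce, plain, nil) // fresh random nonce is prepended
	return json.Marshal(wrapper{base64.StdEncoding.EncodeToString(blob)})
}

// Open tries the wrapper first. legacy=true means data was plaintext and should be
// re-saved encrypted; once a wrapper is present, a bad tag is an error, not a fallback.
func Open(key [32]byte, data []byte) (plain []byte, legacy bool, err error) {
	var w wrapper
	if json.Unmarshal(data, &w) != nil || w.Ciphertext == "" {
		return data, true, nil // no wrapper found: legacy plaintext file
	}
	gcm := newGCM(key)
	blob, err := base64.StdEncoding.DecodeString(w.Ciphertext)
	if err != nil || len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, false, fmt.Errorf("malformed ciphertext wrapper")
	}
	plain, err = gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	return plain, false, err
}

func main() {
	plain, legacy, err := Open([32]byte{}, []byte(`{"name":"legacy-profile"}`))
	fmt.Println(string(plain), legacy, err)
}
```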
D-08 OPERATIONAL PERSISTENCE

Detach / reattach

q closes the TUI but leaves the core and VPN running in the background. Reopen the TUI to reattach. Q or Ctrl+C sends die to the core and exits cleanly. On reattach, the TUI compares core_version in config.toml — reattaches if it matches, kills and respawns the core if it doesn't.

Documented details
  • q — detach: VPN stays connected
  • Q / Ctrl+C — full quit: stops VPN, exits
  • Autoconnect skipped on reattach if already connected

End of dossier.

For operational details, read the README on GitHub.