Profile Configuration
The text-based profile is a cornerstone of MintFlow, designed to provide power users with a highly flexible and shareable way to control the app’s advanced networking capabilities.
Why Use Profiles?
- Complex Setups: Easily configure sophisticated routing rules, split DNS, and combinations of proxies and VPNs.
- Manage Multiple Configurations: Create and switch between different profiles for various scenarios (e.g., a “Work” profile with a corporate VPN and a “Home” profile for personal use).
- Share and Collaborate: Profiles are plain text, making them easy to share with other MintFlow users, track in version control with Git, or collaborate on.
- Import and Export: Seamlessly import profiles from URLs or files, and export your configurations to back them up or share them.
MintFlow uses a powerful and flexible text-based profile format to configure all aspects of the VPN and proxy behavior. This document details the syntax and all available configuration options.
Syntax Overview
The profile uses an INI-style format with sections enclosed in [].
# Comments start with # or //
[section-name]
key=value
# Lists are comma-separated
key=value1,value2,value3
# Structured values use subkey:subvalue pairs
key=subkey1:value1,subkey2:value2
Sections
[misc]
This section contains miscellaneous system-level settings.
| Key | Type | Description | Default |
|---|---|---|---|
| tun-mtu | Integer | The MTU for the TUN interface. | |
| exclude-lan-networks | Boolean | If true, local area networks will be excluded from the VPN. | false |
Example:
[misc]
tun-mtu=1420
exclude-lan-networks=true
[dns]
This section configures the DNS settings.
| Key | Type | Description |
|---|---|---|
| system-dns | List of IPs | DNS servers to use when app-routing-enabled is false. |
| app-routing-enabled | Boolean | Enables domain-based routing and split DNS. Default is false. |
| direct-dns | List of IPs | DNS servers for direct connections when app-routing-enabled is true. |
| vpn-dns | List of IPs | DNS servers for VPN connections when app-routing-enabled is true. |
Example:
[dns]
app-routing-enabled=true
direct-dns=223.5.5.5,114.114.114.114
vpn-dns=8.8.8.8,1.1.1.1
[l3vpns]
This section defines Layer 3 VPN interfaces. The key for each entry is a user-defined name for the interface.
Common Fields
| Key | Type | Description | Required |
|---|---|---|---|
| type | String | The VPN type. Supported values: wireguard, openvpn. | Yes |
| nickname | String | A user-friendly name for the interface. | No |
| enabled | Boolean | Whether the interface is enabled. Defaults to true. | No |
WireGuard Specific Fields (When type=wireguard)
| Key | Type | Description | Required |
|---|---|---|---|
| private-key | String | The private key for the interface. | Yes |
| address | CIDR | The internal IP address and subnet for the interface. | Yes |
Example:
[l3vpns]
my-wireguard=type:wireguard,nickname:My WG,private-key:...,address:10.0.0.1/32
[wireguard-peers]
This section defines peers for WireGuard interfaces. The key for each entry is a user-defined name for the peer.
| Key | Type | Description | Required |
|---|---|---|---|
| interface | String | The name of the l3vpns interface this peer belongs to. | Yes |
| public-key | String | The public key of the peer. | Yes |
| preshared-key | String | An optional pre-shared key. | No |
| endpoint | String | The public endpoint of the peer (e.g., 1.2.3.4:51820). | Yes |
| allowed-ips | List of CIDRs | A list of IP addresses/ranges to be routed through this peer. | Yes |
Example:
[wireguard-peers]
my-peer=interface:my-wireguard,public-key:...,endpoint:1.2.3.4:51820,allowed-ips:0.0.0.0/0
[l4proxies]
This section defines Layer 4 proxies, like Shadowsocks and VMess. The key for each entry is a user-defined name for the proxy.
Common Fields
| Key | Type | Description | Required |
|---|---|---|---|
| type | String | The proxy type. Supported: shadowsocks, vmess. | Yes |
| nickname | String | A user-friendly name. | No |
| server | String | The server address. | Yes |
| port | Integer | The server port. | Yes |
| enabled | Boolean | Whether the proxy is enabled. Defaults to true. | No |
Shadowsocks Fields
| Key | Type | Description | Required |
|---|---|---|---|
| password | String | The password. | Yes |
| method | String | The encryption method. E.g., aes-256-gcm. | Yes |
| obfs-type | String | Obfuscation type (tls or http). | No |
| obfs-host | String | Obfuscation host (required for obfs-type). | No |
| obfs-path | String | Obfuscation path (required for obfs-type=http). | No |
| udp-forward | Boolean | Whether to forward UDP traffic. Defaults to false. | No |
VMess Fields
| Key | Type | Description | Required |
|---|---|---|---|
| user-id | UUID | The user ID. | Yes |
| alter-id | Integer | The alter ID. | Yes |
| security | String | Security type. E.g., auto. | Yes |
| transport-type | String | Transport type (tcp or ws). | Yes |
| ws-path | String | The WebSocket path (required for transport-type=ws). | No |
| sni | String | Server Name Indication for TLS. | No |
| skip-cert-check | Boolean | If true, skip certificate validation. Defaults to false. | No |
| alpn | String | Application-Layer Protocol Negotiation. Defaults to h2,http/1.1. | No |
Example:
[l4proxies]
my-shadowsocks=type:shadowsocks,server:...,port:443,password:...,method:aes-256-gcm
[domain-sets]
This section defines named sets of domains for use in routing rules. The key is the set name.
Example:
[domain-sets]
social-media=twitter.com,facebook.com,instagram.com
[cidr-sets]
This section defines named sets of IP ranges (CIDRs) for use in routing rules. The key is the set name.
Example:
[cidr-sets]
private-ips=10.0.0.0/8,192.168.0.0/16
[routing]
This section defines the routing rules, which are processed from top to bottom. It does not use key-value pairs.
Rule Format: TYPE,VALUE,ACTION,TARGET
| Type | Value | Action | Target | Description |
|---|---|---|---|---|
| DOMAIN-SET | Name of a domain set | L3VPN, L4PROXY, DIRECT, REJECT | Name of an l3vpn/l4proxy | Route based on a domain set. |
| CIDR-SET | Name of a CIDR set | L3VPN, L4PROXY, DIRECT, REJECT | Name of an l3vpn/l4proxy | Route based on a CIDR set. |
| CIDR | A single CIDR | L3VPN, L4PROXY, DIRECT, REJECT | Name of an l3vpn/l4proxy | Route based on a single IP range. |
| DNS-FALLBACK | (Not used) | DIRECT, L3VPN, L4PROXY, etc. | Name of an l3vpn/l4proxy | Default DNS behavior for domains not in any set. |
| DEFAULT | (Not used) | DIRECT, L3VPN, L4PROXY, etc. | Name of an l3vpn/l4proxy | The final catch-all rule for all traffic. |
Example:
[routing]
DOMAIN-SET,social-media,L4PROXY,my-shadowsocks
CIDR-SET,private-ips,DIRECT
DEFAULT,L3VPN,my-wireguard
[http-engine]
This section configures the internal HTTP engine.
| Key | Type | Description |
|---|---|---|
| enabled | Boolean | Enables the HTTP engine. Default false. |
| domain-list | List of Strings | A list of domains to apply HTTP processing on. |
| ca-p12 | String | A base64 encoded PKCS#12 certificate authority. Note: Only RSA keys are currently supported. |
| ca-passphrase | String | The passphrase for the ca-p12 certificate. |
Example:
[http-engine]
enabled=true
domain-list=example.com
ca-p12=...
ca-passphrase=...
[http-url-rewrite]
This section defines URL rewrite rules for the HTTP engine. The key is a user-defined name for the rule.
| Key | Type | Description | Required |
|---|---|---|---|
| match | Regexp | A regular expression to match the URL. | Yes |
| action | String | The action to take. Supported: reject, redirect-302. | Yes |
| target | String | The target URL for redirection. | No |
Example:
[http-url-rewrite]
block-ads=match:^https?://ads\..*,action:reject
redirect-google=match:^https?://google\.com,action:redirect-302,target:https://duckduckgo.com
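Because profiles are shared as plain text and carry keys and passwords inline, a check before export or import is useful. The following is an added example, not MintFlow's own code: it parses the format described above and reports documented secret-bearing fields, `skip-cert-check:true`, and routing rules whose L3VPN/L4PROXY target is not defined in [l3vpns] or [l4proxies]. The function names and the sample profile are constructed for illustration, and the sub-field splitting rule (commas, then the first colon) is an assumption about how the app parses structured values.

```python
# Fields the page documents as credentials or key material (user-id is the VMess credential).
SECRET_FIELDS = {"private-key", "preshared-key", "password", "user-id", "ca-p12", "ca-passphrase"}

def parse_profile(text):
    """Yield (section, key, value); lines without '=' (routing rules) get key None."""
    section = None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(("#", "//")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section:
            key, sep, value = line.partition("=")
            yield (section, key, value) if sep else (section, None, line)

def subfields(value):
    """Assumed splitting: commas, then the first ':'; pieces without ':' are ignored."""
    return dict(p.split(":", 1) for p in value.split(",") if ":" in p)

def audit(text):
    """List findings: embedded secrets, disabled TLS validation, undefined routing targets."""
    entries, findings = list(parse_profile(text)), []
    defined = {k for s, k, _ in entries if s in ("l3vpns", "l4proxies")}
    for section, key, value in entries:
        fields = {} if key is None else {key: value, **subfields(value)}
        # Rule format is TYPE,VALUE,ACTION,TARGET; VALUE or TARGET may be absent.
        rule = value.split(",") if key is None else []
        if len(rule) > 2 and rule[-2] in ("L3VPN", "L4PROXY") and rule[-1] not in defined:
            findings.append(f"[{section}] {value}: undefined target {rule[-1]}")
        for name in sorted(SECRET_FIELDS & fields.keys()):
            findings.append(f"[{section}] {key}: secret field {name}")
        if fields.get("skip-cert-check") == "true":
            findings.append(f"[{section}] {key}: certificate validation disabled")
    return findings

SAMPLE = """\
# constructed sample profile; all secrets are placeholders
[l3vpns]
my-wireguard=type:wireguard,private-key:PLACEHOLDER,address:10.0.0.1/32
[l4proxies]
my-vmess=type:vmess,server:proxy.example,port:443,user-id:PLACEHOLDER,alter-id:0,security:auto,transport-type:tcp,skip-cert-check:true
[routing]
DOMAIN-SET,social-media,L4PROXY,my-shadowsocks
CIDR-SET,private-ips,DIRECT
DEFAULT,L3VPN,my-wireguard
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Any secret-field finding means the profile should be redacted before it is committed to Git or shared by URL.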