Other panels wrap each protocol in its own container or shell script.
Iceslab uses one small Go agent per node that spawns protocols natively.
Real PIDs, native logs, predictable resource limits. No docker-in-docker, no orchestration jungle.
Public alpha
Iceslab v0.1.1 - open-source operator panel under AGPL-3.0. First publish 2026-05-19, v0.1.1 patched 2026-05-20.
Open Iceslab →icecompany.tech/iceslab
/ Operator panel|Public alpha · v0.1.1 · 2026-05-20
Iceslab
Open-source operator panel for self-hosted VPN deployments. A small Go agent on each node spawns and supervises seven protocol runtimes - Hysteria 2, Xray, AmneziaWG, NaiveProxy, Shadowsocks 2022, MTProto, Mieru. AGPL-3.0-or-later.
Why Iceslab
Four things other panels
get wrong.
If you currently run Marzban, X-UI, 3X-UI, or Hiddify - this is the short version.
Other panels manage one or two protocols well.
Iceslab handles seven in a single dashboard.
Hysteria 2, Xray, AmneziaWG, NaiveProxy, Shadowsocks 2022, MTProto, Mieru - first-class, not bolted on.
Other panels pull "latest" of everything; a bad day upstream is a bad day for you.
Iceslab pins Hysteria and Xray to specific releases and commit SHAs.
Bootstrap scripts pin every protocol. Operators wanting full hardening set their own *_SHA env vars.
Other panels need five tools and three docs sites to actually operate.
Iceslab is one Docker Compose on the panel host, one bootstrap per node.
Caddy auto-TLS for the panel. Per-protocol bootstrap on the node. mTLS between them.
Compared to other panels
If you're choosing between
Marzban, Remnawave, 3x-ui.
Those panels are mature and work for many operators. Iceslab is the right pick in three specific cases.
Real Hysteria 2 with Brutal CC and port-hopping
Marzban wraps hysteria as a fake xray inbound.
Iceslab runs real `hysteria server` with full feature parity.
Kernel-native AmneziaWG
No other panel ships AWG as a DKMS kernel module.
Iceslab's bootstrap installs the DKMS module on the node.
All 7 protocols in one panel
Most panels handle one or two protocols well.
Iceslab covers Hysteria 2, Xray, AmneziaWG, Naive, SS 2022, MTProto, Mieru first-class.
Install
One bootstrap on the panel,
one per node.
Ubuntu 22.04+ or Debian 12+. The script provisions Docker, brings up Postgres + Redis + backend + frontend, and configures Caddy with auto-TLS. 5-10 minutes initial.
root@panel
$ sudo -i
$ PANEL_DOMAIN=panel.example.com \
bash <(curl -fsSL https://raw.githubusercontent.com/\
icecompany-tech/iceslab/main/scripts/install-iceslab.sh)
↳ Installing Docker and Compose plugin...
↳ Building panel images (backend, frontend)...
↳ Postgres + Redis + Caddy up.
✓ Panel ready in ~7 min. https://panel.example.com
$ # add node via panel UI, then on the node:
↳ Bootstrap Xray on node-fra-01 (pinned commit)
↳ Bootstrap Hysteria 2 v2.9.1 on node-fra-01
↳ mTLS handshake panel <-> node ok
✓ Node online. 2 inbounds, 0 users.
$ Protocol matrix
Seven protocols.
Hysteria and Xray pinned upstream.
- app/v2.9.1
Hysteria 2
app/v2.9.1Spec →QUIC
Apernet native server. High-throughput, congestion-robust.
- pinned commit
Xray
pinned commitSpec →VLESS / REALITY / Vision
VLESS + REALITY + Vision. Transports: raw, xhttp, ws, gRPC, httpupgrade, kcp. Trojan over REALITY.
- DKMS · latest
AmneziaWG
DKMS · latestSpec →WireGuard + obfs
DKMS kernel module. Obfuscated WireGuard for DPI-aggressive networks.
- xcaddy · latest
NaiveProxy
xcaddy · latestSpec →HTTP/2 + forwardproxy
Caddy fork via xcaddy. Looks like Chromium.
- via Xray
Shadowsocks 2022
via XraySpec →AEAD-2022
AEAD-2022 inbound, served by xray-core.
- 9seconds/mtg · latest
MTProto
9seconds/mtg · latestSpec →Fake-TLS
9seconds/mtg with Fake-TLS. For Telegram proxies.
- enfein/mieru · latest
Mieru
enfein/mieru · latestSpec →TCP · UDP
enfein/mieru. Stealth protocol with multiplexing.
Architecture
Panel host,
nodes anywhere.
The panel is one Docker Compose. Each node runs a small Go agent that spawns protocol runtimes as native processes. mTLS in between.
Panel host · Docker Compose
backend · frontend · postgres · redis · caddy
Fastify + Prisma · React + Mantine · auto-TLS via Caddy
Node agent · Go static binary
spawn · supervise · pin upstream versions · stream stats
hysteria 2v2.9.1
xraypinned
amneziawgDKMS
naivexcaddy
ss 2022via xray
mtprotomtg
mierulatest
outbound network
Panel stack
- API: TypeScript, Fastify 5, Prisma 7, PostgreSQL 16
- Jobs: Redis 7, BullMQ
- Auth: JWT (jose), bcrypt, mTLS via @peculiar/x509
- Frontend: React 19, Vite 8, Mantine 8, TanStack Query 5
Node agent
- Language: Go 1.22+
- Crypto: native crypto/tls
- Logging: slog
- Distribution: static binary, no runtime deps
Migration
Switching from Marzban,
X-UI, 3X-UI, or Hiddify?
We do it manually right now. An automated importer is on the Iceslab roadmap.
- 01Email operators@icecompany.tech with your current panel + rough scale (users, nodes).
- 02We schedule a 30-minute call to walk through your data.
- 03Together, we export your inbounds, users, and traffic counters.
- 04Iceslab imports them via a one-off script we keep in a private repo.
- 05We stay on the line until your old panel is fully decommissioned.
Typical migration takes a few hours. Plan a migration →
Next on the roadmap
Iceshard - the native client
for Iceslab operators.
Cross-platform native VPN client paired with Iceslab. Hiddify-style flow: user signs in once with an operator code, subscription syncs, app handles protocol switching. Q3-Q4 2026.
- •iOS first; Android after the first 1000 App Store users
- •Subscription import only from Iceslab panels - by design
- •Server and client rotate obfuscation in sync
- •Signed bundles, pinned certs, no random parsers
- •Paid mobile client - revenue model for operators
- Build queue: opens once Iceslab has enough operators to justify a branded client up-sell.
Read the spec →
Specs
What the panel and a node need.
- OS
- Ubuntu 22.04+ / Debian 12+ (panel and nodes)
- Architecture
- x86_64 (primary) · arm64 (untested)
- Memory
- Panel: 2 GB recommended · Node: depends on protocol mix (TBD after VPS smoke)
- Disk
- Panel: 10 GB recommended · Node: depends on traffic logs (TBD after VPS smoke)
- Network
- 1 public IP per node · UDP open for Hysteria/AWG
- Dependencies
- Docker + Compose plugin (installed by the script)
License
AGPL-3.0-or-later.
Free to run, copyleft on changes.
What you get
Free
Full source on GitHub. Self-host, modify, run as a service - the only string attached is the copyleft.
- · Panel (TypeScript + Fastify + Prisma + Postgres + Redis)
- · Frontend (React 19 + Vite + Mantine + TanStack Query)
- · Node agent (Go) with seven protocol runtimes
- · Bootstrap scripts with pinned upstream versions
Copyleft, in plain words
AGPL
If you run a modified Iceslab as a service, you must offer the modified source to your users. Standard AGPL. No separate commercial track.
- · Self-host unmodified - no obligations beyond AGPL
- · Modify for your own use - keep the changes private
- · Run modified version as a service - publish your changes
- · Redistribute - keep the AGPL notice intact
Lane 02 — Operators & resellers
Deploying Iceslab for
your own VPN business.
If you already run nodes — or want to — we'll help with deployment, migration, and reseller setup. Replies usually within a working day.
Write to
operators@icecompany.tech