Prepare release v1.2.28

Co-authored-by: Cursor <cursoragent@cursor.com>

README.md

@@ -8,22 +8,69 @@ TunnelX is a free and open-source Windows split-tunneling client built by **MaxF
 
 - App-based split tunneling for selected Windows processes
 - Full-route mode for whole-system tunneling
+- Windows L2TP/IPsec profile support
 - Xray-core / sing-box based V2Ray workflows
+- Dedicated SOCKS5/HTTP Proxy profiles with separate server, port, username, and password fields
 - OpenVPN Community support via user-provided `.ovpn` files for app-based split tunneling
 - Local SOCKS5 proxy for tools that need `127.0.0.1`
 - DNS redirect, IPv6 blocking, leak guard, route diagnostics, and traffic history
+- Multiple profiles, duplicate/edit flows, server tests, public exit IP detection, and release update checks
 - Persian-first Windows desktop UI
 
+## Quick Start
+
+1. Download the latest standalone release from GitHub Releases.
+2. Run TunnelX as Administrator. Route management, WinDivert, and packet interception require elevated privileges.
+3. Create a new profile or select an existing profile from the connection tab.
+4. Choose the connection type: L2TP/IPsec, V2Ray/Xray, SOCKS5/HTTP Proxy, or OpenVPN.
+5. Test the server, then enable the Windows apps that should use the tunnel.
+6. Add include or exclude destinations when needed, connect, and check the traffic health cards for DNS, IPv6, leaks, and route status.
+
+## Connection Types
+
+### L2TP/IPsec
+
+Enter the server address, username, password, and pre-shared key. TunnelX creates the Windows VPN connection and manages routes according to the selected-app policy or full-route mode.
+
+### V2Ray / Xray
+
+Paste a V2Ray/Xray link or JSON config into the profile. TunnelX uses sing-box for regular configs and switches to Xray-core for configs that require Xray-specific behavior such as `xhttp`.
+
+### SOCKS5/HTTP Proxy
+
+Use a SOCKS5/HTTP Proxy profile when you already have an external proxy endpoint. Enter the proxy server, port, and optional credentials. This is different from the local `127.0.0.1` SOCKS5 proxy, which is exposed after connection for tools that need a local proxy address.
+
 ## OpenVPN
 
 TunnelX can run an installed **OpenVPN Community** `openvpn.exe` with a user-selected `.ovpn` profile, then apply its own split-tunneling policy so only selected apps and included destinations use the OpenVPN tunnel.
 
 OpenVPN is not bundled with TunnelX. Install OpenVPN Community separately, select the `.ovpn` file in TunnelX, and enter the OpenVPN username/password if the server requires credentials. OpenVPN Connect alone is not enough for this mode because it manages routes and DNS through its own client.
 
+For split-tunnel compatibility, TunnelX prepares the OpenVPN config by controlling pushed route and DNS behavior. If OpenVPN reconnects and changes the tunnel IP, gateway, interface, or remote endpoint, TunnelX restarts its packet routing with the new values.
+
 ## Routing Notes
 
 Destination include/exclude rules match both the entered domain and its subdomains. For example, adding `githubusercontent.com` also covers `raw.githubusercontent.com` after DNS resolves it. Some HTTPS clients may still fail during certificate revocation checks if their OCSP/CRL hosts are not reachable through the selected route; add the downloader app or the relevant revocation domains to the include list when that happens.
 
+- Excluded destinations stay direct even for selected apps.
+- Included destinations use the tunnel even when the matching app is not selected.
+- For Store/MSIX, WebView2, or multi-process apps, keep the app open and refresh the app list.
+- In full-route mode, the whole system uses the tunnel; direct/exclude rules are still useful for keeping specific destinations on the normal route.
+
+## Local Data and Logs
+
+Profiles, selected apps, include/exclude destinations, connection history, and logs are stored on the user's Windows machine, typically under `%LOCALAPPDATA%\TunnelX` or next to the app depending on the feature. TunnelX does not intentionally send analytics or telemetry to the maintainer.
+
+Logs can contain process names, hostnames, IP addresses, ports, and connection state. Before posting logs publicly, remove server credentials, UUIDs, private keys, private endpoints, and other sensitive data.
+
+## Troubleshooting
+
+- If connection fails, check Administrator privileges, firewall rules, config validity, proxy ports, and prerequisites for the selected connection type.
+- If an app does not use the tunnel, enable it in the apps tab, keep it running, and refresh the app list.
+- If only one site or domain should use the tunnel, add it to include destinations. If it should stay direct, add it to exclusions.
+- If DNS or IPv6 status looks wrong, check the health cards after connection and reconnect once to rebuild routes and DNS rules.
+- For OpenVPN connection delays, verify the `.ovpn` file, credentials, and OpenVPN Community installation.
+
 ## Screenshots
 
 | Connection dashboard | Profile and server setup |
@@ -36,9 +83,9 @@ Destination include/exclude rules match both the entered domain and its subdomai
 
 ## Download
 
-Public downloads should be attached to GitHub Releases after release validation is complete:
+Public downloads are published through GitHub Releases:
 
-[GitHub project](https://github.com/MaxiFan/TunnelX)
+[Download the latest release](https://github.com/MaxiFan/TunnelX/releases/latest)
 
 Release assets are built and uploaded by GitHub Actions. Each published standalone executable includes a `.sha256` checksum file, and the release notes link back to the workflow run that produced the artifact.