Bypassing Censorship in the Age of DPI: A Stealth Tunnel with Hysteria 2
A QUIC-based, TLS-encrypted tunnel engineered to evade DPI and firewalls.
This content is for educational purposes only. Use of these tools must comply with local laws.
Around the globe, we see governments increasingly leveraging Deep Packet Inspection, traffic shaping, and protocol fingerprinting to identify and block encrypted tunnels such as VPNs. This digital clampdown rarely makes international headlines unless it’s extreme, but the trend is clear and growing. :)
Many traditional VPN protocols, including OpenVPN and WireGuard, can be easily detected and throttled, or outright blocked. These technologies offer excellent performance and security, but they have recognizable signatures on the wire.
Over the years, I've written extensively about WireGuard. It's fast, reliable, and minimal, but it's fundamentally easy to detect due to its fixed UDP signature and lack of built-in obfuscation.
That’s where Hysteria 2 steps in.
What is Hysteria 2?
Hysteria 2 is a next-generation proxy tunnel designed to defeat censorship and DPI systems by mimicking regular HTTPS traffic. Built on top of UDP and QUIC (HTTP/3), Hysteria 2 provides encrypted, high-performance connections that are indistinguishable from legitimate web browsing to most filtering mechanisms.
Hysteria 2 is not just a replacement for VPNs like WireGuard; it's a stealth tunnel. It's built to look like normal web traffic while behaving like a VPN or proxy. It can be used to:
- Bypass national firewalls
- Evade ISP-level throttling or surveillance
- Tunnel around restrictive corporate firewalls
- Maintain privacy in hostile network environments
It accomplishes all this by combining:
- HTTP/3 (QUIC) transport
- TLS with valid certificates and Server Name Indication (SNI)
- Obfuscation using Salamander, a traffic pattern masker
- Masquerading using domain fronting or reverse proxy techniques
Proxy or VPN?
Technically, Hysteria 2 is a proxy tunnel, not a VPN in the traditional sense. It doesn’t modify your system’s network interface using TUN/TAP drivers like OpenVPN or WireGuard.
Instead, it creates SOCKS5 and HTTP proxy endpoints, which you can use on a per-app basis, or wrap using tools like tun2socks, Clash, or V2Ray to achieve full system routing.
Depending on your setup, you can:
- Route individual apps through the tunnel (browsers, email clients, torrent clients)
- Route your entire device through it (using Clash, tun2socks, Shadowrocket, etc.)
- Expose it network-wide as a proxy gateway for other devices
What Hysteria 2 Is Not
Hysteria 2 does not use kernel-level VPN tunnels unless paired with external tools and does not support legacy TCP tunneling (by design — QUIC is UDP-based). Instead, it encrypts all traffic using TLS with genuine certificates (Let's Encrypt or self-signed), obfuscates traffic signatures using Salamander and looks like QUIC-powered HTTPS traffic to observers and DPI engines.
🛠️ Server Requirements
Before you begin:
- You need a VPS (Ubuntu/Debian) in the country you are tunnelling to
- A domain name pointing to the VPS via A-record (e.g. via Cloudflare; keep the record DNS-only, because a proxied record terminates at Cloudflare and does not pass UDP/QUIC through to the VPS). This will be used for:
  - TLS certificate issuance via ACME (Let's Encrypt)
  - SNI-based masquerading
  - Optional domain fronting or CDN-based deception
- Docker + Docker Compose installed
Server Installation (VPS)
Step 1: Install Docker
apt update && apt install -y docker.io docker-compose-v2   # on Debian/Ubuntu the engine package is docker.io (the plain "docker" package is unrelated); docker-compose-v2 provides the "docker compose" subcommand used below
Step 2: Create a directory
mkdir ~/hysteria && cd ~/hysteria
Step 3: Create hysteria.yaml
listen: :443
acme:
  domains:
    - yourdomain.com            # replace this with your domain
  email: you@yourdomain.com     # replace this with your email
  dir: /acme                    # where certificates are stored; matches the "acme" volume in docker-compose.yml
masquerade:
  type: proxy
  proxy:
    url: https://example.org    # a real third-party site to impersonate; must NOT be this VPS's own domain, or the reverse proxy loops back to itself
    rewriteHost: true
  listenHTTP: :80
  listenHTTPS: :443
  forceHTTPS: true
auth:
  type: password
  password: strongpassword      # replace this with a strong password
obfs:
  type: salamander
  salamander:
    password: strongpasswordagain   # replace this with a second, different strong password
bandwidth:
  up: 100 mbps
  down: 100 mbps
Step 4: Create docker-compose.yml
version: "3.9"
services:
  hysteria:
    image: tobyxdd/hysteria
    container_name: hysteria
    restart: always
    network_mode: "host"
    volumes:
      - acme:/acme
      - ./hysteria.yaml:/etc/hysteria.yaml
    command: ["server", "-c", "/etc/hysteria.yaml"]
volumes:
  acme:
Step 5: Start the container
docker compose up -d
docker logs -f hysteria
Look for:
- Certificate maintenance started
- HTTP and HTTPS masquerade servers listening
Linux Desktop: Client Setup
Step 1: Download Client
wget https://github.com/apernet/hysteria/releases/latest/download/hysteria-linux-amd64
chmod +x hysteria-linux-amd64
sudo mv hysteria-linux-amd64 /usr/local/bin/hysteria
Step 2: Create ~/.config/hysteria/client.yaml
server: yourdomain.com:443      # replace with your domain
auth: strongpassword            # replace this with the auth password from your server config
obfs:
  type: salamander
  salamander:
    password: strongpasswordagain   # replace this with the salamander password from your server config
tls:
  sni: yourdomain.com           # replace with your domain
  insecure: false
bandwidth:
  up: 100 mbps
  down: 100 mbps
socks5:
  listen: 127.0.0.1:1080
http:
  listen: 127.0.0.1:8080
Step 3: Run the client
hysteria client -c ~/.config/hysteria/client.yaml
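The server config from Step 3 and the client config above have to agree with each other (auth password, Salamander password, SNI against the ACME domain), and the walkthrough's placeholder strings have to be gone, or the client simply never connects and logs little that explains why. The following pre-flight check is an added example, not code from this guide or from the Hysteria project. It takes both configs as Python dicts (in practice load the two YAML files with yaml.safe_load and pass the results); the sample configs, hostnames and secrets are constructed.

```python
from urllib.parse import urlparse

# Placeholder values from the walkthrough; any of them left in a config means it
# was copied without being edited.
PLACEHOLDERS = {"yourdomain.com", "strongpassword", "strongpasswordagain", "strongpassword2"}


def _leaves(node, path=""):
    """Yield (dotted.path, scalar) for every scalar in a nested dict/list."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _leaves(value, f"{path}.{key}" if path else str(key))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _leaves(value, f"{path}[{i}]")
    else:
        yield path, node


def _is_loopback(listen):
    """True if a 'host:port' listen address is only reachable from this machine."""
    host = listen.rsplit(":", 1)[0] if ":" in listen else listen
    return host.startswith("127.") or host in ("localhost", "::1", "[::1]")


def preflight(server, client, gateway=False):
    """Return a list of problems; an empty list means the pair is consistent.
    gateway=True means the client is meant to serve other devices on the LAN."""
    problems = []
    for name, cfg in (("server", server), ("client", client)):
        for path, value in _leaves(cfg):
            if isinstance(value, str) and value in PLACEHOLDERS:
                problems.append(f"{name}: placeholder still present at {path}")
    if server["auth"]["password"] != client["auth"]:
        problems.append("auth password differs between server and client")
    s_obfs = server.get("obfs", {}).get("salamander", {}).get("password")
    c_obfs = client.get("obfs", {}).get("salamander", {}).get("password")
    if s_obfs != c_obfs:
        problems.append("salamander password differs: the tunnel will never come up")
    if client.get("tls", {}).get("insecure"):
        problems.append("client tls.insecure is true: the server certificate is not verified")
    host = client["server"].rsplit(":", 1)[0]
    sni = client.get("tls", {}).get("sni") or host
    domains = server.get("acme", {}).get("domains", [])
    if sni not in domains:
        problems.append(f"client SNI {sni!r} is not one of the server's ACME domains")
    target = urlparse(server["masquerade"]["proxy"]["url"]).hostname
    if target in domains:
        problems.append("masquerade.proxy.url points back at this server: the reverse proxy loops to itself")
    for proto in ("socks5", "http"):
        listen = client.get(proto, {}).get("listen")
        if listen is None:
            continue
        if gateway and _is_loopback(listen):
            problems.append(f"{proto} listens on {listen}: other devices cannot reach the gateway")
        elif not gateway and not _is_loopback(listen):
            problems.append(f"{proto} listens on {listen}: an unauthenticated proxy is exposed to the network")
    return problems


# Constructed sample pair: the walkthrough's YAML after the placeholders were edited.
SERVER = {
    "listen": ":443",
    "acme": {"domains": ["tunnel.example.net"], "email": "ops@example.net", "dir": "/acme"},
    "masquerade": {"type": "proxy", "proxy": {"url": "https://example.org", "rewriteHost": True}},
    "auth": {"type": "password", "password": "Xq4-vT9-auth-secret"},
    "obfs": {"type": "salamander", "salamander": {"password": "Lm2-obfs-secret"}},
    "bandwidth": {"up": "100 mbps", "down": "100 mbps"},
}
CLIENT = {
    "server": "tunnel.example.net:443",
    "auth": "Xq4-vT9-auth-secret",
    "obfs": {"type": "salamander", "salamander": {"password": "Lm2-obfs-secret"}},
    "tls": {"sni": "tunnel.example.net", "insecure": False},
    "socks5": {"listen": "127.0.0.1:1080"},
    "http": {"listen": "127.0.0.1:8080"},
}
# The same client with typical copy-paste mistakes re-introduced (constructed).
CLIENT_BROKEN = dict(CLIENT,
                     obfs={"type": "salamander", "salamander": {"password": "strongpassword2"}},
                     tls={"sni": "yourdomain.com", "insecure": True})

if __name__ == "__main__":
    for problem in preflight(SERVER, CLIENT_BROKEN):
        print("-", problem)
```

Run it before `hysteria client -c ...` on any new pair of files; pass gateway=True when the client is the LAN gateway described further down, where binding to 127.0.0.1 is the mistake rather than binding to all interfaces.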
🌐 Proxying Your Browser
Firefox
- Go to about:preferences
- Network Settings → Manual proxy
- SOCKS5: 127.0.0.1, Port: 1080
- Enable: SOCKS v5 and "Proxy DNS when using SOCKS v5" (without it, name lookups leave your machine outside the tunnel and reveal which sites you visit)
Chromium (via SwitchyOmega)
- Add new proxy profile
- Type: SOCKS5
- Host: 127.0.0.1, Port: 1080
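The "Proxy DNS when using SOCKS v5" setting decides whether the browser hands the hostname to the proxy (SOCKS5 address type 0x03) or first resolves the name with the local resolver and sends only the IP (address type 0x01). In the second case the DNS query travels outside the tunnel, in the clear, to whoever runs or watches the local resolver. The following is an added example, not code from the original post or from Hysteria: it builds both forms of the RFC 1928 CONNECT request and runs them against a minimal SOCKS5 stub on loopback to show what the proxy sees in each case. The stub never connects anywhere, and the resolver table FAKE_LOCAL_DNS stands in for the system resolver (constructed).

```python
import socket
import struct
import threading

# Constructed stand-in for the system resolver. A real client would send a DNS
# query for the name to the local (possibly monitored) resolver at this point.
FAKE_LOCAL_DNS = {"blocked.example": "203.0.113.10"}
local_dns_queries = []   # every name that was resolved outside the tunnel


def resolve_locally(host):
    local_dns_queries.append(host)
    return FAKE_LOCAL_DNS[host]


def build_connect_request(host, port, remote_dns):
    """RFC 1928 CONNECT request. remote_dns=True -> ATYP 0x03, the hostname goes
    to the proxy; remote_dns=False -> ATYP 0x01, the name was resolved locally."""
    if remote_dns:
        name = host.encode("idna")
        addr = b"\x03" + bytes([len(name)]) + name
    else:
        addr = b"\x01" + socket.inet_aton(resolve_locally(host))
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)


def parse_connect_request(req):
    """What a SOCKS5 proxy (here: the Hysteria client) sees in the request."""
    ver, cmd, atyp = req[0], req[1], req[3]
    if ver != 5 or cmd != 1:
        raise ValueError("not a SOCKS5 CONNECT")
    if atyp == 1:
        kind, dst, rest = "ipv4", socket.inet_ntoa(req[4:8]), req[8:]
    elif atyp == 3:
        n = req[4]
        kind, dst, rest = "domain", req[5:5 + n].decode("idna"), req[5 + n:]
    else:
        raise ValueError("unsupported ATYP %d" % atyp)
    (port,) = struct.unpack("!H", rest[:2])
    return {"kind": kind, "dst": dst, "port": port}


def _stub_proxy(listener, seen):
    """Minimal SOCKS5 responder: accepts 'no auth', records the CONNECT target and
    replies with a success response. It never opens an outbound connection."""
    conn, _ = listener.accept()
    with conn:
        greeting = conn.recv(3)            # 05 01 00: version 5, one method, NO AUTH
        assert greeting[0] == 5
        conn.sendall(b"\x05\x00")          # method selected: NO AUTH
        seen.append(parse_connect_request(conn.recv(512)))
        conn.sendall(b"\x05\x00\x00\x01" + b"\x00" * 4 + b"\x00\x00")  # REP = succeeded


def connect_through_stub(host, port, remote_dns):
    """Run one client/proxy exchange over loopback and return what the proxy saw."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    seen = []
    worker = threading.Thread(target=_stub_proxy, args=(listener, seen))
    worker.start()
    with socket.create_connection(listener.getsockname()) as client:
        client.sendall(b"\x05\x01\x00")
        assert client.recv(2) == b"\x05\x00"
        client.sendall(build_connect_request(host, port, remote_dns))
        reply = client.recv(10)
        assert reply[1] == 0               # REP = succeeded
    worker.join()
    listener.close()
    return seen[0]


if __name__ == "__main__":
    print(connect_through_stub("blocked.example", 443, remote_dns=True))
    print("local DNS queries so far:", local_dns_queries)    # still empty
    print(connect_through_stub("blocked.example", 443, remote_dns=False))
    print("local DNS queries so far:", local_dns_queries)    # the name leaked
```

With remote DNS the proxy receives the domain name and resolves it on the far side of the tunnel; without it the proxy only ever sees an IP address, and the name has already been queried locally. The same distinction applies to curl's --socks5-hostname versus --socks5, and to proxychains' proxy_dns option.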
Mobile Support
Android (Clash or SagerNet)
- Import client.yaml
- Enable system-wide VPN mode
iOS (Shadowrocket or Stash)
- Protocol: Hysteria2
- Server: yourdomain.com (replace it with your domain)
- Port, password, obfs same as desktop
System-Wide Tunneling (Linux)
Option 1: proxychains
sudo apt install proxychains4
sudo nano /etc/proxychains4.conf
Set, in the [ProxyList] section (replacing the default socks4 127.0.0.1 9050 entry):
socks5 127.0.0.1 1080
Run apps with:
proxychains firefox
Option 2: tun2socks
Use tun2socks with a virtual TUN interface for true full-device routing.
Gateway Mode (Local Docker Proxy)
Want to proxy your entire network via Hysteria? You can deploy the client as a docker container, so it is always running locally. Then, you only need to connect to your local gateway from other devices, rather than having to run the tunnel on every client.
Here’s how:
1. Client Config (client.yaml)
server: yourdomain.com:443      # replace with your domain
auth: strongpassword            # replace this with the auth password from your server config
obfs:
  type: salamander
  salamander:
    password: strongpasswordagain   # replace this with the salamander password from your server config
tls:
  sni: yourdomain.com           # replace with your domain
  insecure: false
bandwidth:
  up: 100 mbps
  down: 100 mbps
socks5:
  listen: 0.0.0.0:1080          # bind to all interfaces so other devices can reach host-ip:1080; 127.0.0.1 would be reachable from this host only
http:
  listen: 0.0.0.0:8080          # these listeners have no authentication, so restrict them to your LAN with a host firewall
2. Docker Compose for Client
version: '3.9'
services:
  hysteria-client:
    image: tobyxdd/hysteria
    container_name: hysteria-client
    restart: always
    command: ["client", "-c", "/etc/hysteria/client.yaml"]
    volumes:
      - ./client.yaml:/etc/hysteria/client.yaml
    network_mode: host
3. Route Devices
- Proxy browsers, apps or entire devices to host-ip:1080 (SOCKS5)
- For advanced setups: combine with iptables, dnsmasq, or HAProxy
ACL: App Control & Filtering
Use ACLs to:
- Block domains
- Force direct access to others
Example:
reject(tiktok.com)       # drop connections to this exact domain
direct(netflix.com)      # send this domain straight out of the server (use suffix:netflix.com to include subdomains)
In your server YAML:
acl:
  file: /etc/acl.txt
When the server runs in Docker, mount the rule file next to the config (add - ./acl.txt:/etc/acl.txt under the service's volumes), otherwise the path does not exist inside the container.
Conclusion
Hysteria 2 is a countermeasure against a world increasingly hostile to open, uncensored internet access. In a time where circumvention tech must evolve or die, stealth proxies represent a new standard.
You now have the tools to deploy a censorship-resistant tunnel that can support both personal freedom and privacy and run quietly in the background like any other web connection.