Quick Answer: For light censorship (ISP blocks), a VPN or SOCKS5 proxy works. For heavy censorship with DPI (Iran, China, Russia), use VLESS+Reality via 3X-UI or paqctl — these make your traffic indistinguishable from normal HTTPS. For Telegram specifically, use MTProxyMax.
Need a VPS? Get started with DigitalOcean ($200 free credit for 60 days) or Vultr , or RackNerd ($100 free credit).
Internet censorship exists on a spectrum. Some countries block a few websites. Others run sophisticated Deep Packet Inspection (DPI) systems that detect and block VPN protocols, throttle encrypted traffic, and even modify DNS responses. This guide covers every bypass method — from simple to advanced — so you can choose the right tool for your situation.
How Censorship Works
Understanding how traffic is blocked helps you choose the right bypass method.
Level 1: DNS Blocking
The simplest form. The ISP returns a wrong IP address when you look up a blocked domain.
You: "What is the IP for twitter.com?"
ISP DNS: "It's 0.0.0.0" (lie)
Bypass: Change your DNS to 1.1.1.1 (Cloudflare) or 8.8.8.8 (Google). See our How to Change DNS Server guide.
Level 2: IP Blocking
The ISP blocks connections to specific IP addresses (e.g., all of Twitter's servers).
Bypass: Use a VPN or proxy to connect through a different IP that is not blocked.
Level 3: Protocol Blocking
The ISP detects and blocks specific protocols (OpenVPN, WireGuard, PPTP) by analyzing packet headers.
Bypass: Use protocols that disguise traffic — VLESS+Reality, Shadowsocks, or obfuscated proxies.
Level 4: Deep Packet Inspection (DPI)
The most advanced form. DPI systems analyze traffic patterns, TLS fingerprints, packet sizes, and timing to detect even obfuscated VPN traffic. Used by China (Great Firewall), Iran, and Russia.
Bypass: Use protocols specifically designed to defeat DPI — VLESS+Reality, XTLS-Vision, paqctl, or domain-fronting through CDNs.
Level 5: Complete Shutdown
The government turns off the internet entirely. No bypass works during a full shutdown.
Partial bypass: Satellite internet (Starlink), mesh networks, or sneakernet.
Comparison: Every Bypass Method
| Method | Against DNS Block | Against IP Block | Against DPI | Speed | Ease of Setup |
|---|---|---|---|---|---|
| Change DNS | Yes | No | No | Fastest | 1 minute |
| Commercial VPN | Yes | Yes | Sometimes | Good | 2 minutes |
| WireGuard (self-hosted) | Yes | Yes | No (detectable) | Fastest VPN | 15 minutes |
| OpenVPN | Yes | Yes | No (detectable) | Good | 30 minutes |
| SOCKS5 proxy | Yes | Yes | Sometimes | Fast | 5 minutes |
| Shadowsocks | Yes | Yes | Moderate | Fast | 15 minutes |
| VLESS + Reality | Yes | Yes | Excellent | Fast | 20 minutes |
| VLESS + CDN | Yes | Yes | Excellent | Moderate | 30 minutes |
| MTProto proxy | Telegram only | Telegram only | Good (FakeTLS) | Fast | 5 minutes |
| paqctl (Paqet/GFK) | Yes | Yes | Excellent | Good | 10 minutes |
| Tor | Yes | Yes | Moderate | Slow | 5 minutes |
| DNS tunneling | Yes | Yes | Good | Very slow | Advanced |
| Psiphon | Yes | Yes | Good | Moderate | 2 minutes |
| SSH tunnel | Yes | Yes | Moderate | Good | 2 minutes |
Method 1: Change Your DNS
Best for: Level 1 censorship only (DNS blocking)
If your ISP just blocks DNS lookups, switching to a public DNS server bypasses it instantly:
# Set DNS to Cloudflare
# See full guide: /learn/how-to/how-to-change-dns-server/
| Provider | Server | Encrypted DNS |
|---|---|---|
| Cloudflare | 1.1.1.1 |
Yes (DoH, DoT) |
8.8.8.8 |
Yes (DoH, DoT) | |
| Quad9 | 9.9.9.9 |
Yes (DoH, DoT) |
Use DNS-over-HTTPS (DoH) to prevent the ISP from seeing your DNS queries. Most browsers support this natively:
- Chrome: Settings → Privacy → Use Secure DNS
- Firefox: Settings → Privacy → Enable DNS over HTTPS
Guide: How to Change DNS Server
Method 2: VPN (Self-Hosted WireGuard)
Best for: Level 1-2 censorship, privacy from ISP
Running your own VPN on a VPS gives you full control — no logs, no trust issues with commercial providers.
Quick Setup with SamNet-WG
SamNet-WG (wg-orchestrator) turns any VPS into a managed WireGuard VPN in under 5 minutes:
curl -sSL https://raw.githubusercontent.com/SamNet-dev/wg-orchestrator/main/install.sh | sudo bash
Features: TUI management, QR codes for mobile, bandwidth tracking, web dashboard.
sudo samnet → Peers → Add Peer → Scan QR on phone
Limitation: WireGuard traffic is easily detected by DPI. If your country blocks WireGuard, skip to Method 5 or 6.
Guide: WireGuard Setup Guide
Method 3: SSH Tunnel (SOCKS5)
Best for: Quick bypass when you already have SSH access to a server
The fastest method — no installation needed:
ssh -D 1080 -N -f user@your-server
This creates a SOCKS5 proxy at localhost:1080. Configure your browser to use it.
Pros: Works immediately, uses SSH (usually not blocked) Cons: Only proxies apps you configure, SSH can be detected by DPI
Guide: SOCKS5 Proxy Setup
Method 4: Shadowsocks
Best for: Level 2-3 censorship, widely used in China
Shadowsocks is a lightweight encrypted proxy designed to look like random traffic. It was the go-to tool for bypassing the Great Firewall for years.
Set up via 3X-UI panel:
Protocol: Shadowsocks
Port: 8388
Encryption: 2022-blake3-aes-128-gcm
Pros: Fast, lightweight, many clients available Cons: Modern DPI can detect Shadowsocks patterns. Not the best choice for the most aggressive firewalls.
Method 5: VLESS + Reality (Best for Heavy Censorship)
Best for: Level 3-4 censorship (Iran, China, Russia) — recommended
Reality is the most advanced stealth protocol. It makes your connection look exactly like a legitimate HTTPS connection to a real website (like yahoo.com). Even sophisticated DPI cannot tell the difference.
How It Works
Your device → [Looks like: HTTPS to yahoo.com] → Your server → Internet
DPI sees: A normal person visiting yahoo.com
Reality: Your traffic goes through your proxy server
The TLS handshake is indistinguishable from a real connection. If a censor probes your server directly, it forwards the request to the actual yahoo.com — your server responds exactly like the real site would.
Setup with 3X-UI Panel
bash <(curl -Ls https://raw.githubusercontent.com/mhsanaei/3x-ui/master/install.sh)
Then add a VLESS+Reality inbound:
| Setting | Value |
|---|---|
| Protocol | vless |
| Port | 8443 |
| Flow | xtls-rprx-vision |
| Security | reality |
| Dest (SNI target) | yahoo.com:443 |
| Fingerprint | chrome |
Full step-by-step: 3X-UI Panel Setup Guide (Section 4)
Using Cloudflare CDN (Extra Layer)
You can also route traffic through Cloudflare CDN so censors only see Cloudflare IP addresses. Important: CDN routing requires VLESS+WebSocket, not VLESS+Reality. Reality uses a custom TLS handshake that is incompatible with CDN TLS termination. Set up a separate VLESS+WS inbound on CDN-compatible ports (2082, 8880 for HTTP or 2083, 2087 for HTTPS).
Your device → Cloudflare CDN → Your server → Internet
Censor sees: Traffic to Cloudflare (cdn.yourdomain.com)
Cannot block without breaking all Cloudflare-hosted sites
Use Reality for direct connections (best stealth) and VLESS+WS+CDN as a fallback when your server IP gets blocked.
Guide: 3X-UI CDN Setup (Section 6) and Cloudflare Setup
Finding Clean Cloudflare IPs
If Cloudflare IPs are throttled in your region, use cfray to scan and find working IPs:
# Scans Cloudflare IP ranges for low-latency, unblocked IPs
# Tests your specific VLESS/VMess config against each IP
Method 6: paqctl (Purpose-Built for Censorship Bypass)
Best for: Level 4 censorship, specifically designed for Iran and China
paqctl is built specifically to bypass the most aggressive firewalls. It supports two methods:
Paqet (KCP over Raw TCP)
Uses the KCP protocol over raw TCP packets with custom flags. DPI systems cannot fingerprint this traffic because:
- Custom packet framing
- Traffic patterns don't match any known protocol
- Encryption makes payload analysis impossible
# Server
curl -fsSL https://raw.githubusercontent.com/SamNet-dev/paqctl/main/install.sh | sudo bash
# Creates SOCKS5 proxy at 127.0.0.1:1080 on your local machine
GFW-Knocker (Violated TCP + QUIC)
Uses "violated TCP" packets — TCP packets with intentionally incorrect flags that confuse DPI state machines — combined with QUIC tunneling. Designed specifically to defeat the Great Firewall.
When to use Paqet vs GFK:
- Paqet — Most situations, easier setup, works against most firewalls
- GFK — When Paqet is also blocked, specifically for GFW-level censorship
Method 7: MTProto Proxy (Telegram Only)
Best for: Accessing Telegram when it is blocked
If you only need Telegram and nothing else, an MTProto proxy is the simplest option. Users just tap a link and Telegram connects automatically.
Setup with MTProxyMax
MTProxyMax is a complete Telegram proxy manager:
sudo bash -c "$(curl -fsSL https://raw.githubusercontent.com/SamNet-dev/MTProxyMax/main/install.sh)"
Features:
- FakeTLS V2 — traffic looks like normal HTTPS
- Multi-user with per-user bandwidth limits and expiry dates
- Telegram bot for remote management (17 commands)
- Proxy chaining — route through additional servers
- Replication — sync to slave servers
mtproxymax secret add alice
mtproxymax secret link alice # Get proxy link
Share the link — users tap it in Telegram and connect instantly.
Full guide: MTProto Proxy Setup
Method 8: Tor
Best for: Anonymity, accessing .onion sites
Tor routes your traffic through 3 random relays, making it nearly impossible to trace back to you.
Install
# Desktop: download Tor Browser from torproject.org
# Or command line:
sudo apt install tor -y
Pros: Strong anonymity, free, no server needed Cons: Slow (3 hops), Tor traffic is detectable by DPI, many websites block Tor exit nodes
Tor Bridges
If Tor is blocked, use bridges — unlisted relay nodes that censors don't know about:
- Open Tor Browser
- Connection settings → Configure bridge
- Use built-in bridges (obfs4, snowflake, meek)
Run Your Own Tor Bridge
Help others access Tor by running a bridge node:
torware — one-click Tor Bridge/Relay setup with live TUI dashboard and Telegram notifications.
curl -fsSL https://raw.githubusercontent.com/SamNet-dev/torware/main/install.sh | sudo bash
Method 9: DNS Tunneling
Best for: Last resort when everything else is blocked
DNS tunneling encodes data inside DNS queries. Since DNS is rarely completely blocked (it would break the internet), this can work when all other methods fail.
Limitations: Extremely slow (usually 5-50 Kbps), high latency. Only useful for basic text communication.
findns helps you find working DNS resolvers for DNS tunneling tools like dnstt:
# Scan for resolvers that support the record types you need
Method 10: Psiphon
Best for: Non-technical users who just need something that works
Psiphon is a free app that automatically selects the best bypass method for your network. It uses a combination of VPN, SSH, and HTTP proxy with obfuscation.
Download from psiphon.ca (not from app stores in censored countries — those may be blocked or fake).
conduit-manager helps deploy and manage Psiphon Conduit nodes at scale.
Method 11: SSH Tunneling with Obfuscation
Best for: When SSH port 22 is not blocked
Use tunnelforge for advanced SSH tunnel management with TLS obfuscation:
curl -fsSL https://raw.githubusercontent.com/SamNet-dev/tunnelforge/main/install.sh | sudo bash
Features: Full TUI, live dashboard, TLS obfuscation to disguise SSH as HTTPS, Telegram bot notifications, kill switch.
What to Use: Decision Flowchart
Is DNS blocking the only issue?
Yes → Change DNS to 1.1.1.1
No ↓
Are standard VPNs blocked?
No → Use WireGuard (SamNet-WG)
Yes ↓
Is it Iran/China/Russia-level DPI?
No → Try Shadowsocks or SOCKS5
Yes ↓
Do you need maximum stealth?
Yes → VLESS + Reality (3X-UI) or paqctl
Do you only need Telegram?
Yes → MTProxyMax
Do you need anonymity (not just bypass)?
Yes → Tor with bridges
Operational Security Tips
- Keep your server IP private — never share it publicly. Once flagged, it is blocked
- Use a CDN (Cloudflare) to hide your server IP — censors see Cloudflare IPs, not yours
- Have backup methods — if one is blocked, switch to another. Run multiple protocols on one server
- Monitor your server — check if it is accessible from inside the censored network
- Use different ports — high ports (8443, 10000+) get less scrutiny than 443
- Distribute links carefully — don't post proxy links publicly. Share privately
- Rotate credentials — if compromised, change keys immediately
- Keep software updated — censorship techniques evolve, so must your tools
Test Your Connection
After connecting through any bypass method:
- VPN Leak Test — check for IP, DNS, and WebRTC leaks
- What's My IP — verify your IP shows the proxy server, not your real IP
- Speed Test — check connection speed through the proxy
- DNS Toolbox — verify DNS is resolving correctly
Related Guides
- 3X-UI Panel Setup (Every Protocol)
- Xray Routing Guide
- MTProto Proxy Setup
- WireGuard VPN Setup
- SOCKS5 Proxy Setup
- What Is a VPN
- VPN Leak Guide
- Cloudflare Setup
- Server Hardening Guide
SamNet Open Source Tools
| Tool | Purpose | Link |
|---|---|---|
| paqctl | Censorship bypass (Paqet + GFK) | GitHub |
| MTProxyMax | Telegram proxy manager | GitHub |
| wg-orchestrator | WireGuard VPN management | GitHub |
| cfray | Cloudflare clean IP scanner | GitHub |
| torware | Tor Bridge/Relay setup | GitHub |
| findns | DNS tunnel resolver scanner | GitHub |
| tunnelforge | SSH tunnel manager | GitHub |
| conduit-manager | Psiphon Conduit manager | GitHub |