Quick Answer: For basic privacy, use a SOCKS5 proxy (SSH tunnel). For censorship bypass, use VLESS+Reality (most stealth) via 3X-UI. For Telegram specifically, use MTProxyMax. For maximum flexibility, run multiple protocols on one server.
Need a VPS? Vultr (free credit), DigitalOcean ($200 free credit), or RackNerd (cheap annual deals).
A proxy server sits between you and the internet. Your traffic goes to the proxy, the proxy forwards it to the destination, and the response comes back through the proxy. The destination sees the proxy's IP, not yours.
But not all proxies are equal. Some encrypt traffic, some don't. Some are detectable by censors, some are invisible. Some handle all traffic, some only handle specific protocols. This guide explains every type.
Proxy vs VPN — What's the Difference?
| Proxy | VPN | |
|---|---|---|
| Scope | Per-app (configure each app) | System-wide (all traffic) |
| Encryption | Depends on protocol | Always encrypted |
| Speed | Generally faster | Slightly slower (encryption overhead) |
| Setup | Per-app configuration | One system setting |
| Detection | Varies by protocol | Detectable (known protocols) |
| Best for | Specific apps, censorship bypass | Full device privacy |
In practice, the line is blurred. VLESS and VMess act like VPNs when configured with clients like v2rayN or Hiddify. MTProto only proxies Telegram.
Part 1: HTTP/HTTPS Proxy
The simplest and oldest type. Your browser sends requests through the proxy server.
How It Works
Browser → HTTP Proxy → Website
- HTTP Proxy: Sees and can modify your traffic (no encryption between you and proxy)
- HTTPS Proxy (CONNECT): Creates a tunnel — proxy sees the destination but not the content
When to Use
- Corporate networks that require proxy configuration
- Simple web browsing redirection
- Caching (Squid proxy)
Limitations
- Only works for HTTP/HTTPS traffic (not UDP, gaming, etc.)
- HTTP proxy can see your data (HTTPS proxy can't see content but sees domains)
- Easy to detect and block
Part 2: SOCKS5 Proxy
A general-purpose proxy that handles any TCP/UDP traffic — web browsing, email, gaming, file transfer, anything.
How It Works
Any App → SOCKS5 Proxy → Destination
SOCKS5 is protocol-agnostic. It doesn't understand HTTP or any application protocol — it just forwards connections.
Features
- Any protocol: TCP and UDP
- Authentication: Username/password support
- No encryption by default: Wrap in SSH tunnel for security
- Fast: Minimal overhead
Setup Methods
SSH Tunnel (instant, no install):
ssh -D 1080 -N -f user@your-server
# SOCKS5 proxy at localhost:1080
Dante Server (dedicated):
Full guide: SOCKS5 Proxy Setup
When to Use
- Quick privacy setup via SSH
- Application-level proxy (browser, git, curl)
- When you already have SSH access to a server
Part 3: Shadowsocks
A lightweight encrypted proxy designed to bypass censorship. Created in 2012 by a Chinese developer to defeat the Great Firewall.
How It Works
Your Device → [Encrypted with shared key] → Shadowsocks Server → Internet
Traffic is encrypted with a pre-shared key using modern ciphers. To an observer, it looks like random data — no recognizable headers or handshake patterns.
Shadowsocks 2022
The latest version uses 2022-blake3-aes-128-gcm or 2022-blake3-aes-256-gcm ciphers with improved security:
# Generate a key
openssl rand -base64 32
Setup via 3X-UI panel:
| Setting | Value |
|---|---|
| Protocol | shadowsocks |
| Port | 8388 |
| Encryption | 2022-blake3-aes-256-gcm |
Strengths and Weaknesses
| Strengths | Weaknesses |
|---|---|
| Fast and lightweight | Modern DPI can detect traffic patterns |
| Simple setup | No built-in obfuscation |
| Many clients available | Less stealth than VLESS+Reality |
| Good general-purpose proxy |
When to Use
- Moderate censorship environments
- When you need speed and simplicity
- As a fallback protocol alongside others
Part 4: VMess
Created by the V2Ray project. VMess encrypts traffic and supports multiple transport layers (TCP, WebSocket, gRPC, QUIC).
How It Works
Your Device → [VMess encrypted] → [Transport: WS/TCP/gRPC] → Server → Internet
VMess uses a UUID for authentication. Each connection is encrypted, and the protocol includes built-in encryption so you don't need TLS on top (though you can add it).
Key Features
- Built-in encryption (AES-128-GCM or Chacha20-Poly1305)
- Multiple transport options (WebSocket for CDN compatibility)
- AlterID system (set to 0 for modern VMess)
- UUID-based authentication
Setup
Via 3X-UI:
| Setting | Value |
|---|---|
| Protocol | vmess |
| Port | 10410 |
| AlterID | 0 |
| Transport | tcp or ws |
When to Use
- When you need WebSocket transport for CDN routing
- Legacy setups (VMess predates VLESS)
- When clients only support VMess
VLESS is generally preferred over VMess for new setups — it's lighter and supports Reality.
Part 5: VLESS
The evolution of VMess. VLESS removes the built-in encryption (relying on TLS or Reality for encryption instead), making it lighter and faster.
How It Works
Your Device → [TLS/Reality encryption] → [VLESS protocol] → Server → Internet
VLESS itself doesn't encrypt — it relies on the transport layer (TLS, Reality) for security. This separation makes it more flexible and efficient.
VLESS + WebSocket (CDN Compatible)
Your Device → Cloudflare CDN → Your Server → Internet
WebSocket transport allows routing through CDNs like Cloudflare. Censors see Cloudflare IPs, not your server.
Setup: 3X-UI CDN Section
VLESS + Reality (Maximum Stealth)
Your Device → [Looks like HTTPS to yahoo.com] → Server → Internet
Reality makes the TLS handshake indistinguishable from a real connection to a legitimate website. Even advanced DPI can't tell the difference.
| Setting | Value |
|---|---|
| Protocol | vless |
| Flow | xtls-rprx-vision |
| Security | reality |
| Dest (SNI) | yahoo.com:443 |
| Fingerprint | chrome |
Setup: 3X-UI Reality Section
VLESS + CDN Note
VLESS+Reality cannot go through CDN. Reality requires a direct TCP connection. For CDN routing, use VLESS+WebSocket without Reality.
- Direct connection: Use VLESS+Reality (best stealth)
- Behind CDN: Use VLESS+WebSocket (best when server IP is blocked)
When to Use
- VLESS+Reality: Heavy censorship with DPI (Iran, China, Russia) — best stealth
- VLESS+WS+CDN: When your server IP is blocked — hide behind Cloudflare
- VLESS+WS (no CDN): General purpose with WebSocket transport
Part 6: Trojan
Designed to look like normal HTTPS traffic. Named after the Trojan horse — it disguises proxy traffic as regular web browsing.
How It Works
Your Device → [TLS (real HTTPS)] → Server → Internet
Trojan uses standard TLS encryption. To censors, it looks exactly like someone visiting an HTTPS website. Authentication uses a password hash sent inside the TLS connection.
Key Features
- Uses real TLS certificates (Let's Encrypt)
- Indistinguishable from normal HTTPS to passive observers
- Password-based authentication
- Can serve a real website on the same port (decoy)
Setup
Via 3X-UI:
| Setting | Value |
|---|---|
| Protocol | trojan |
| Port | 443 (with TLS) or high port (without) |
| Password | Strong password |
When to Use
- As a fallback when VLESS is detected
- When you have a valid TLS certificate
- Simpler setup than VLESS+Reality
Part 7: MTProto (Telegram Only)
A proxy protocol built specifically for Telegram. Users tap a link and Telegram connects automatically — no app installation or configuration needed.
How It Works
Telegram App → [MTProto encrypted + FakeTLS] → Proxy Server → Telegram Servers
MTProto only routes Telegram traffic. Other apps are unaffected.
FakeTLS Obfuscation
FakeTLS V2 makes proxy traffic look like a normal HTTPS connection to a cover domain:
- TLS handshake SNI points to
cloudflare.com(or any site) - Real cipher suites and fragmentation
- Non-Telegram probes get forwarded to the real cover site
Setup with MTProxyMax
MTProxyMax is a complete Telegram proxy manager:
sudo bash -c "$(curl -fsSL https://raw.githubusercontent.com/SamNet-dev/MTProxyMax/main/install.sh)"
Features: multi-user with per-user limits, Telegram bot (17 commands), proxy chaining, traffic monitoring, geo-blocking, replication.
Full guide: MTProto Proxy Setup
When to Use
- Only need Telegram access
- Sharing with non-technical users (just tap a link)
- Running a community proxy
Part 8: Custom Censorship Bypass (paqctl)
Standard proxy protocols (even obfuscated ones) can eventually be fingerprinted by advanced DPI. paqctl uses completely non-standard protocols designed specifically to be undetectable.
Paqet (KCP over Raw TCP)
Uses the KCP protocol over raw TCP packets with custom flags. DPI systems can't fingerprint it because:
- Custom packet framing
- No recognizable protocol signatures
- Encrypted payload
GFW-Knocker
Uses "violated TCP" packets with intentionally wrong flags that confuse DPI state machines, combined with QUIC tunneling. Designed specifically for the Great Firewall.
curl -fsSL https://raw.githubusercontent.com/SamNet-dev/paqctl/main/install.sh | sudo bash
Both create a SOCKS5 proxy on your local machine that tunnels through your server.
Full guide: Bypass Internet Censorship
Part 9: Finding Clean IPs (cfray)
If Cloudflare IPs are throttled in your region, cfray scans all ~1.5 million Cloudflare IPs to find ones with low latency and good speed for your CDN-routed proxy.
Comparison: All Protocols
| Protocol | Encryption | Stealth | Speed | CDN Support | Best For |
|---|---|---|---|---|---|
| HTTP Proxy | None | None | Fast | No | Corporate networks |
| SOCKS5 | None (add SSH) | Low | Fast | No | Quick SSH tunnel |
| Shadowsocks | Built-in | Moderate | Fast | No | Moderate censorship |
| VMess | Built-in | Moderate | Good | Yes (WS) | Legacy, CDN |
| VLESS+WS | TLS | Good | Good | Yes | CDN routing |
| VLESS+Reality | Reality | Excellent | Fast | No | Heavy censorship |
| Trojan | TLS | Good | Good | No | HTTPS disguise |
| MTProto | FakeTLS | Good | Fast | No | Telegram only |
| paqctl | Custom | Excellent | Good | No | Heaviest censorship |
Running Multiple Protocols
The best approach is running multiple protocols on one server. If one gets blocked, switch to another:
- VLESS+Reality on port 8443 — primary, best stealth
- VLESS+WS on port 2082/8880 — CDN fallback via Cloudflare
- Shadowsocks on port 8388 — alternative
- Trojan on port 10420 — second alternative
- MTProxyMax on port 443 — Telegram users
Setup all of these with one panel: 3X-UI Panel Setup Guide
Test Your Proxy
After connecting through any proxy:
- VPN Leak Test — check for IP, DNS, WebRTC leaks
- What's My IP — verify IP shows proxy server
- Speed Test — check speed through proxy
- DNS Toolbox — verify DNS resolution
Related Guides
- 3X-UI Panel Setup — set up all protocols
- Xray Routing Guide — block countries, ports, ads
- SOCKS5 Proxy Setup — SSH tunnel and Dante
- MTProto Proxy Setup — Telegram proxy
- Bypass Internet Censorship — every bypass method
- What Is a VPN — VPN vs proxy explained
- Cloudflare Setup — CDN for proxy
- Complete Self-Hosting Guide — server setup basics
SamNet Open Source Tools
| Tool | Purpose |
|---|---|
| paqctl | Custom censorship bypass (Paqet + GFK) |
| MTProxyMax | Telegram proxy manager |
| cfray | Cloudflare clean IP scanner |
| wg-orchestrator | WireGuard VPN management |