The Complete Proxy Guide: Every Protocol Explained

9 min read
Intermediate Proxy VPN VLESS Shadowsocks Networking Guide

Prerequisites

  • Basic networking knowledge (what is an IP, what is a port)
  • A VPS for running your own proxy ($3-5/month)

Quick Answer: For basic privacy, use a SOCKS5 proxy (SSH tunnel). For censorship bypass, use VLESS+Reality (most stealth) via 3X-UI. For Telegram specifically, use MTProxyMax. For maximum flexibility, run multiple protocols on one server.

Need a VPS? Vultr (free credit), DigitalOcean ($200 free credit), or RackNerd (cheap annual deals).

A proxy server sits between you and the internet. Your traffic goes to the proxy, the proxy forwards it to the destination, and the response comes back through the proxy. The destination sees the proxy's IP, not yours.

But not all proxies are equal. Some encrypt traffic, some don't. Some are detectable by censors, some are invisible. Some handle all traffic, some only handle specific protocols. This guide explains every type.


Proxy vs VPN — What's the Difference?

Proxy VPN
Scope Per-app (configure each app) System-wide (all traffic)
Encryption Depends on protocol Always encrypted
Speed Generally faster Slightly slower (encryption overhead)
Setup Per-app configuration One system setting
Detection Varies by protocol Detectable (known protocols)
Best for Specific apps, censorship bypass Full device privacy

In practice, the line is blurred. VLESS and VMess act like VPNs when configured with clients like v2rayN or Hiddify. MTProto only proxies Telegram.


Part 1: HTTP/HTTPS Proxy

The simplest and oldest type. Your browser sends requests through the proxy server.

How It Works

Browser → HTTP Proxy → Website
  • HTTP Proxy: Sees and can modify your traffic (no encryption between you and proxy)
  • HTTPS Proxy (CONNECT): Creates a tunnel — proxy sees the destination but not the content

When to Use

  • Corporate networks that require proxy configuration
  • Simple web browsing redirection
  • Caching (Squid proxy)

Limitations

  • Only works for HTTP/HTTPS traffic (not UDP, gaming, etc.)
  • HTTP proxy can see your data (HTTPS proxy can't see content but sees domains)
  • Easy to detect and block

Part 2: SOCKS5 Proxy

A general-purpose proxy that handles any TCP/UDP traffic — web browsing, email, gaming, file transfer, anything.

How It Works

Any App → SOCKS5 Proxy → Destination

SOCKS5 is protocol-agnostic. It doesn't understand HTTP or any application protocol — it just forwards connections.

Features

  • Any protocol: TCP and UDP
  • Authentication: Username/password support
  • No encryption by default: Wrap in SSH tunnel for security
  • Fast: Minimal overhead

Setup Methods

SSH Tunnel (instant, no install):

ssh -D 1080 -N -f user@your-server
# SOCKS5 proxy at localhost:1080

Dante Server (dedicated):

Full guide: SOCKS5 Proxy Setup

When to Use

  • Quick privacy setup via SSH
  • Application-level proxy (browser, git, curl)
  • When you already have SSH access to a server

Part 3: Shadowsocks

A lightweight encrypted proxy designed to bypass censorship. Created in 2012 by a Chinese developer to defeat the Great Firewall.

How It Works

Your Device → [Encrypted with shared key] → Shadowsocks Server → Internet

Traffic is encrypted with a pre-shared key using modern ciphers. To an observer, it looks like random data — no recognizable headers or handshake patterns.

Shadowsocks 2022

The latest version uses 2022-blake3-aes-128-gcm or 2022-blake3-aes-256-gcm ciphers with improved security:

# Generate a key
openssl rand -base64 32

Setup via 3X-UI panel:

Setting Value
Protocol shadowsocks
Port 8388
Encryption 2022-blake3-aes-256-gcm

Strengths and Weaknesses

Strengths Weaknesses
Fast and lightweight Modern DPI can detect traffic patterns
Simple setup No built-in obfuscation
Many clients available Less stealth than VLESS+Reality
Good general-purpose proxy

When to Use

  • Moderate censorship environments
  • When you need speed and simplicity
  • As a fallback protocol alongside others

Part 4: VMess

Created by the V2Ray project. VMess encrypts traffic and supports multiple transport layers (TCP, WebSocket, gRPC, QUIC).

How It Works

Your Device → [VMess encrypted] → [Transport: WS/TCP/gRPC] → Server → Internet

VMess uses a UUID for authentication. Each connection is encrypted, and the protocol includes built-in encryption so you don't need TLS on top (though you can add it).

Key Features

  • Built-in encryption (AES-128-GCM or Chacha20-Poly1305)
  • Multiple transport options (WebSocket for CDN compatibility)
  • AlterID system (set to 0 for modern VMess)
  • UUID-based authentication

Setup

Via 3X-UI:

Setting Value
Protocol vmess
Port 10410
AlterID 0
Transport tcp or ws

When to Use

  • When you need WebSocket transport for CDN routing
  • Legacy setups (VMess predates VLESS)
  • When clients only support VMess

VLESS is generally preferred over VMess for new setups — it's lighter and supports Reality.


Part 5: VLESS

The evolution of VMess. VLESS removes the built-in encryption (relying on TLS or Reality for encryption instead), making it lighter and faster.

How It Works

Your Device → [TLS/Reality encryption] → [VLESS protocol] → Server → Internet

VLESS itself doesn't encrypt — it relies on the transport layer (TLS, Reality) for security. This separation makes it more flexible and efficient.

VLESS + WebSocket (CDN Compatible)

Your Device → Cloudflare CDN → Your Server → Internet

WebSocket transport allows routing through CDNs like Cloudflare. Censors see Cloudflare IPs, not your server.

Setup: 3X-UI CDN Section

VLESS + Reality (Maximum Stealth)

Your Device → [Looks like HTTPS to yahoo.com] → Server → Internet

Reality makes the TLS handshake indistinguishable from a real connection to a legitimate website. Even advanced DPI can't tell the difference.

Setting Value
Protocol vless
Flow xtls-rprx-vision
Security reality
Dest (SNI) yahoo.com:443
Fingerprint chrome

Setup: 3X-UI Reality Section

VLESS + CDN Note

VLESS+Reality cannot go through CDN. Reality requires a direct TCP connection. For CDN routing, use VLESS+WebSocket without Reality.

  • Direct connection: Use VLESS+Reality (best stealth)
  • Behind CDN: Use VLESS+WebSocket (best when server IP is blocked)

When to Use

  • VLESS+Reality: Heavy censorship with DPI (Iran, China, Russia) — best stealth
  • VLESS+WS+CDN: When your server IP is blocked — hide behind Cloudflare
  • VLESS+WS (no CDN): General purpose with WebSocket transport

Part 6: Trojan

Designed to look like normal HTTPS traffic. Named after the Trojan horse — it disguises proxy traffic as regular web browsing.

How It Works

Your Device → [TLS (real HTTPS)] → Server → Internet

Trojan uses standard TLS encryption. To censors, it looks exactly like someone visiting an HTTPS website. Authentication uses a password hash sent inside the TLS connection.

Key Features

  • Uses real TLS certificates (Let's Encrypt)
  • Indistinguishable from normal HTTPS to passive observers
  • Password-based authentication
  • Can serve a real website on the same port (decoy)

Setup

Via 3X-UI:

Setting Value
Protocol trojan
Port 443 (with TLS) or high port (without)
Password Strong password

When to Use

  • As a fallback when VLESS is detected
  • When you have a valid TLS certificate
  • Simpler setup than VLESS+Reality

Part 7: MTProto (Telegram Only)

A proxy protocol built specifically for Telegram. Users tap a link and Telegram connects automatically — no app installation or configuration needed.

How It Works

Telegram App → [MTProto encrypted + FakeTLS] → Proxy Server → Telegram Servers

MTProto only routes Telegram traffic. Other apps are unaffected.

FakeTLS Obfuscation

FakeTLS V2 makes proxy traffic look like a normal HTTPS connection to a cover domain:

  • TLS handshake SNI points to cloudflare.com (or any site)
  • Real cipher suites and fragmentation
  • Non-Telegram probes get forwarded to the real cover site

Setup with MTProxyMax

MTProxyMax is a complete Telegram proxy manager:

sudo bash -c "$(curl -fsSL https://raw.githubusercontent.com/SamNet-dev/MTProxyMax/main/install.sh)"

Features: multi-user with per-user limits, Telegram bot (17 commands), proxy chaining, traffic monitoring, geo-blocking, replication.

Full guide: MTProto Proxy Setup

When to Use

  • Only need Telegram access
  • Sharing with non-technical users (just tap a link)
  • Running a community proxy

Part 8: Custom Censorship Bypass (paqctl)

Standard proxy protocols (even obfuscated ones) can eventually be fingerprinted by advanced DPI. paqctl uses completely non-standard protocols designed specifically to be undetectable.

Paqet (KCP over Raw TCP)

Uses the KCP protocol over raw TCP packets with custom flags. DPI systems can't fingerprint it because:

  • Custom packet framing
  • No recognizable protocol signatures
  • Encrypted payload

GFW-Knocker

Uses "violated TCP" packets with intentionally wrong flags that confuse DPI state machines, combined with QUIC tunneling. Designed specifically for the Great Firewall.

curl -fsSL https://raw.githubusercontent.com/SamNet-dev/paqctl/main/install.sh | sudo bash

Both create a SOCKS5 proxy on your local machine that tunnels through your server.

Full guide: Bypass Internet Censorship


Part 9: Finding Clean IPs (cfray)

If Cloudflare IPs are throttled in your region, cfray scans all ~1.5 million Cloudflare IPs to find ones with low latency and good speed for your CDN-routed proxy.


Comparison: All Protocols

Protocol Encryption Stealth Speed CDN Support Best For
HTTP Proxy None None Fast No Corporate networks
SOCKS5 None (add SSH) Low Fast No Quick SSH tunnel
Shadowsocks Built-in Moderate Fast No Moderate censorship
VMess Built-in Moderate Good Yes (WS) Legacy, CDN
VLESS+WS TLS Good Good Yes CDN routing
VLESS+Reality Reality Excellent Fast No Heavy censorship
Trojan TLS Good Good No HTTPS disguise
MTProto FakeTLS Good Fast No Telegram only
paqctl Custom Excellent Good No Heaviest censorship

Running Multiple Protocols

The best approach is running multiple protocols on one server. If one gets blocked, switch to another:

  1. VLESS+Reality on port 8443 — primary, best stealth
  2. VLESS+WS on port 2082/8880 — CDN fallback via Cloudflare
  3. Shadowsocks on port 8388 — alternative
  4. Trojan on port 10420 — second alternative
  5. MTProxyMax on port 443 — Telegram users

Setup all of these with one panel: 3X-UI Panel Setup Guide


Test Your Proxy

After connecting through any proxy:


Related Guides

SamNet Open Source Tools

Tool Purpose
paqctl Custom censorship bypass (Paqet + GFK)
MTProxyMax Telegram proxy manager
cfray Cloudflare clean IP scanner
wg-orchestrator WireGuard VPN management