Hysteria2 Setup Guide: The Fastest Censorship Bypass Protocol

10 min read
Intermediate | Tags: Hysteria2, Proxy, Censorship, QUIC, Privacy, Guide

Prerequisites

  • A VPS with a public IP
  • A domain name (for TLS certificate)
  • Basic Linux command line knowledge

Quick Answer: Hysteria2 is a QUIC-based proxy protocol that is usually faster than VLESS+Reality on lossy or throttled links. Install: download the binary, write a config, get a TLS certificate, start the service. Client: Nekobox, Hiddify or Clash Meta (Mihomo). It resists DPI by looking like ordinary QUIC/HTTP/3 traffic; its weak spot is networks that throttle or block UDP wholesale.

Need a VPS? Vultr (free credit), DigitalOcean ($200 free credit), or RackNerd (cheap annual deals).


What Is Hysteria2?

Hysteria2 is a censorship-resistant proxy protocol built on QUIC (the same protocol that powers HTTP/3 and is used by Google, YouTube, and Cloudflare). It's designed specifically for users in heavily censored countries like Iran, China, and Russia.

Why Hysteria2 Exists

Traditional proxy protocols have a fundamental problem in censored networks:

  • VPN protocols (WireGuard, OpenVPN) — easily detected and blocked by DPI
  • Shadowsocks — was effective for years, but modern DPI can now fingerprint it
  • VLESS+Reality — excellent stealth, but runs on TCP which is slower on lossy networks
  • Tor — anonymous but extremely slow

Hysteria2 solves this by using QUIC (UDP-based), which gives it two big advantages:

  1. Speed on bad networks: QUIC multiplexes streams without TCP's head-of-line blocking, and Hysteria2 replaces QUIC's default loss-based congestion control with its own "Brutal" sender, which keeps pushing at your configured rate instead of backing off on every dropped packet. On a lossy, throttled connection (typical in censored countries) that can mean several times the throughput of a TCP-based proxy.
  2. Hard to block outright: on the wire it looks like ordinary HTTP/3, so a blanket block means blocking Google, YouTube and a large share of the web. Censors can still throttle or drop UDP wholesale, which is why this guide also covers port hopping and Salamander obfuscation.

How It Compares

Protocol       | Transport   | Speed (lossy network) | DPI resistance         | Ease of setup
---------------|-------------|-----------------------|------------------------|--------------
Hysteria2      | QUIC (UDP)  | Fastest               | Excellent              | Easy
VLESS+Reality  | TCP         | Good                  | Excellent              | Moderate
VLESS+WS+CDN   | TCP via CDN | Moderate              | Excellent              | Complex
Shadowsocks    | TCP         | Good                  | Moderate               | Easy
WireGuard      | UDP         | Fast                  | Poor (easily detected) | Easy
Tor            | TCP         | Very slow             | Moderate               | Easy

When to use Hysteria2 over VLESS+Reality:

  • Your connection has high packet loss or throttling
  • You need maximum speed
  • Your ISP throttles TCP but not UDP
  • You want the simplest high-performance setup

When to use VLESS+Reality instead:

  • Your ISP blocks or heavily throttles QUIC/UDP
  • You need CDN fallback (that requires VLESS+WebSocket behind a CDN; neither Reality nor Hysteria2 can sit behind a CDN)
  • You need to run on port 443/TCP (some networks only allow TCP)

How Hysteria2 Works

Your Device (Nekobox/Hiddify/Clash)
    |
    |  QUIC connection (encrypted, looks like HTTP/3)
    |  SNI: your-domain.com (legitimate TLS certificate)
    |
    v
Your Server (Hysteria2)
    |
    |  Decrypts, forwards to the real internet
    |
    v
Destination (websites, apps, services)

The Technical Details

  1. QUIC Protocol: Your device opens a QUIC connection to your server. QUIC began as Google's protocol and is now an IETF standard (RFC 9000); it runs on UDP and carries HTTP/3 for Chrome, YouTube, Gmail and a large share of the web. A DPI system sees just another QUIC connection.
  2. Real TLS Certificate: Hysteria2 uses a real TLS certificate (from Let's Encrypt) for your domain. When a censor probes your server, it sees a valid certificate for a real domain, not a self-signed or spoofed one. The flip side is that the SNI in every handshake is your domain: keep it unremarkable, because once a censor learns it, blocking by SNI or IP is a one-line rule.
  3. Brutal Congestion Control: This is Hysteria2's secret weapon. Standard QUIC congestion control (Cubic or BBR) slows down whenever it sees packet loss, which on a throttled link means it slows down permanently. Brutal instead sends at the rate you configure and compensates for lost packets rather than backing off, which is why it stays fast on throttled networks. It only works as intended when the configured rate matches what the path can actually carry (see Part 4).
  4. Obfuscation (Optional): Hysteria2 can wrap the QUIC packets in an additional obfuscation layer (Salamander) so the traffic no longer looks like QUIC but like random UDP. Use it if your ISP fingerprints and blocks QUIC specifically. With obfuscation on, ordinary QUIC clients and browsers can no longer talk to the server, so the HTTP/3 masquerade is not visible to them.

Part 1: Server Setup

Prerequisites

  • A VPS running Linux (Ubuntu 22.04/24.04 recommended)
  • A domain name pointed to your VPS IP (A record)
  • Port 443/UDP open in your firewall

Install Hysteria2

# Official install script (it runs as root: download and read it first if you prefer)
bash <(curl -fsSL https://get.hy2.sh/)

# Verify
hysteria version

This installs the hysteria binary (to /usr/local/bin), creates an unprivileged hysteria system user, and installs a hysteria-server systemd service that runs as that user and reads /etc/hysteria/config.yaml. The unprivileged user matters for the certificate step below.

Get a TLS Certificate

Hysteria2 needs a valid TLS certificate. The easiest way:

# Install certbot
sudo apt install certbot -y

# Get certificate (standalone mode: certbot temporarily binds TCP port 80,
# which must be reachable from the internet and not held by another service)
sudo certbot certonly --standalone -d your-domain.com

# Certificate files will be at:
# /etc/letsencrypt/live/your-domain.com/fullchain.pem
# /etc/letsencrypt/live/your-domain.com/privkey.pem

One gotcha: certbot keeps /etc/letsencrypt/live and /etc/letsencrypt/archive readable by root only, while the service installed by the script runs as the hysteria user, so pointing the config at those paths fails with a permission error on the key. Either copy the two files into a directory the hysteria user can read on every renewal (a certbot deploy hook is the standard way), or skip certbot and use Hysteria2's built-in ACME client (see config below), which needs TCP port 80 reachable for the default HTTP-01 challenge.

Create Server Config

sudo nano /etc/hysteria/config.yaml

# Listen on port 443 UDP (all addresses, IPv4 and IPv6)
listen: :443

# TLS certificate (both files must be readable by the hysteria user the service runs as)
tls:
  cert: /etc/letsencrypt/live/your-domain.com/fullchain.pem
  key: /etc/letsencrypt/live/your-domain.com/privkey.pem

# Or use the built-in ACME client instead of the tls block (one or the other, not both):
# acme:
#   domains:
#     - your-domain.com
#   email: your-email@your-domain.com

# Authentication (a long random password; see Part 6 for one password per user)
auth:
  type: password
  password: your-strong-password-here

# Masquerade — what the server pretends to be when probed
masquerade:
  type: proxy
  proxy:
    url: https://www.bing.com
    rewriteHost: true

Configure Masquerade

The masquerade section is critical for censorship resistance. When anything other than a Hysteria2 client connects, whether a censor's active probe or a person typing your domain into a browser, the server acts as a reverse proxy for the masquerade URL, so the visitor sees a normal website (Bing, in this example). Two caveats. First, the decoy is by default only served over HTTP/3 on the QUIC port, so a probe over plain TCP 443 gets a refused connection, something a real HTTPS site never does; add listenHTTP: :80 and listenHTTPS: :443 (with forceHTTPS: true) under masquerade if you want TCP probes to get the same site. Second, a famous site's pages served from a small VPS under your own domain are themselves a tell; a boring static page served with type: file is often the more plausible decoy.

Options:

  • proxy — proxies requests to a real website (most convincing)
  • file — serves local files
  • string — returns a static string

Open Firewall

# UFW
sudo ufw allow 443/udp

# iptables (IPv4) and ip6tables (IPv6, if the VPS has a public v6 address)
sudo iptables -A INPUT -p udp --dport 443 -j ACCEPT
sudo ip6tables -A INPUT -p udp --dport 443 -j ACCEPT

Important: Hysteria2 uses UDP, not TCP, so it is UDP port 443 you need to open. Open TCP 80 as well while certbot or the built-in ACME client is obtaining a certificate, and TCP 443 only if you enabled the masquerade's listenHTTPS. Raw iptables rules are lost on reboot; save them with iptables-persistent (netfilter-persistent save) or use ufw, which persists on its own.

Start the Server

sudo systemctl start hysteria-server
sudo systemctl enable hysteria-server

# Check status
sudo systemctl status hysteria-server

# View logs
sudo journalctl -u hysteria-server -f

Part 2: Client Setup

Nekobox (Android — Recommended)

  1. Install Nekobox from GitHub releases
  2. Add server → Protocol: Hysteria2
  3. Enter:
     • Server: your-domain.com
     • Port: 443
     • Password: your-strong-password-here
     • SNI: your-domain.com
  4. Connect

Hiddify (Android/iOS — Recommended)

  1. Install Hiddify (available on both platforms)
  2. Add server → Hysteria2
  3. Enter server details
  4. Connect

Clash Meta / Mihomo (Desktop/Mobile)

Add to your Clash config:

proxies:
  - name: "hysteria2"
    type: hysteria2
    server: your-domain.com
    port: 443
    password: your-strong-password-here
    sni: your-domain.com

v2rayN (Windows)

  1. Download v2rayN
  2. Add server → Hysteria2
  3. Enter server, port, password, SNI
  4. Connect

Sing-box (Advanced)

{
  "outbounds": [
    {
      "type": "hysteria2",
      "server": "your-domain.com",
      "server_port": 443,
      "password": "your-strong-password-here",
      "tls": {
        "enabled": true,
        "server_name": "your-domain.com"
      }
    }
  ]
}

URI Format (for Sharing)

hy2://your-strong-password-here@your-domain.com:443?sni=your-domain.com#MyProxy

Share this link and users can import it into any Hysteria2-compatible client. hysteria2:// is the canonical scheme and hy2:// the accepted short form. If the password contains characters such as @, : or #, percent-encode it (or, simpler, generate passwords from URL-safe characters only); an unencoded @ makes clients read the wrong host.


Part 3: Setup via 3X-UI Panel

If you already use 3X-UI for managing Xray, you may be able to add Hysteria2 as an inbound. Check the panel's Protocol dropdown first: 3X-UI drives Xray-core, which does not implement Hysteria2 itself, so a build that doesn't list hysteria2 cannot serve it and you should use the native setup from Part 1 (or a sing-box based panel). If your build does offer it:

Install 3X-UI (if not installed)

bash <(curl -Ls https://raw.githubusercontent.com/mhsanaei/3x-ui/master/install.sh)

Add Hysteria2 Inbound

  1. Open the 3X-UI panel (https://your-ip:2053)
  2. Inbounds → Add Inbound
  3. Settings:

     Setting          | Value
     -----------------|-----------------------------------------------------
     Protocol         | hysteria2
     Port             | 443
     Security         | tls
     Domain           | your-domain.com
     Certificate path | /etc/letsencrypt/live/your-domain.com/fullchain.pem
     Key path         | /etc/letsencrypt/live/your-domain.com/privkey.pem

  4. Add clients with passwords
  5. Copy the client link/QR code

3X-UI handles user management, traffic stats, and expiry dates through its web UI.


Part 4: Performance Tuning

Bandwidth Configuration (Brutal Mode)

Hysteria2's biggest advantage is its "brutal" congestion control. Configure it based on your actual bandwidth:

Server config:

# Server bandwidth (your VPS bandwidth)
bandwidth:
  up: 1 gbps
  down: 1 gbps

Client config (Clash Meta example):

proxies:
  - name: "hysteria2"
    type: hysteria2
    server: your-domain.com
    port: 443
    password: your-strong-password-here
    up: "50 mbps"      # Your actual upload speed
    down: "200 mbps"    # Your actual download speed

How to set bandwidth values:

  • Set the client down to your real download speed and up to your real upload speed (run a speed test; these are your numbers, not the server's)
  • The server values are a ceiling: the effective rate is the lower of what the client asks for and what the server allows, so set them to what your VPS plan actually delivers (often 1 Gbps on paper, less in practice)
  • If the client omits up/down, the connection falls back to standard BBR congestion control and you lose the Brutal advantage; a server with ignoreClientBandwidth: true uses BBR for everyone
  • Too high is worse than too low: Brutal keeps sending at the configured rate and adds more to make up for lost packets, so a rate the path can't carry turns into packet loss and burned VPS traffic quota, while too low merely caps your speed

Port Hopping

If your ISP blocks or throttles specific UDP ports, Hysteria2 supports port hopping: the client keeps changing the destination port while the server listens on one port and the firewall folds the whole range onto it.

Server: Open a range of ports and redirect them to the real listener:

# Open UDP ports 20000-40000
sudo iptables -A INPUT -p udp --dport 20000:40000 -j ACCEPT

# Redirect all of them to the port Hysteria2 actually listens on (443).
# REDIRECT rewrites the destination port locally; Hysteria2 still sees one socket.
sudo iptables -t nat -A PREROUTING -p udp --dport 20000:40000 -j REDIRECT --to-ports 443

# Repeat with ip6tables if clients reach you over IPv6, and persist the rules
# (iptables-persistent), or they are gone after the next reboot.

Client: Specify the port range:

proxies:
  - name: "hysteria2-hopping"
    type: hysteria2
    server: your-domain.com
    port: 443
    ports: "20000-40000"     # Hop through this range
    password: your-strong-password-here

Salamander Obfuscation

If your ISP specifically blocks QUIC, enable Salamander obfuscation so the packets look like random UDP instead of QUIC. The obfuscation password is separate from the authentication password and must match on both sides. With it enabled, browsers and other standard QUIC clients can no longer reach the server, so the masquerade site is only visible to probes over TCP if you set listenHTTP/listenHTTPS.

Server config:

obfs:
  type: salamander
  salamander:
    password: your-obfs-password

Client config:

proxies:
  - name: "hysteria2-obfs"
    type: hysteria2
    server: your-domain.com
    port: 443
    password: your-strong-password-here
    obfs: salamander
    obfs-password: your-obfs-password

Part 5: Security Hardening

Use Fortify

Fortify auto-detects Hysteria2 and hardens your server:

bash <(curl -sL https://github.com/SamNet-dev/fortify/raw/main/install.sh)
fortify

It will:

  • Check TLS configuration
  • Block SMTP ports (prevent spam abuse)
  • Add rate limiting
  • Set up SYN flood protection
  • Score your overall security

Guide: Fortify Server Hardening

Block Abuse

Prevent users from using your proxy as a spam relay. The rules below block outbound SMTP only for connections the hysteria service opens, so the host's own mail (cron alerts, monitoring) keeps working, and they REJECT rather than DROP so a user's mail client fails fast instead of hanging:

# Block outbound SMTP/submission from proxied traffic (spam relay prevention)
sudo iptables -A OUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --uid-owner hysteria -j REJECT
sudo ip6tables -A OUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --uid-owner hysteria -j REJECT

Port rules do nothing against torrenting, which uses arbitrary ports; for that, use Hysteria2's acl option to reject destinations your provider complains about, and keep per-user passwords (Part 6) so abuse is attributable to one account. Persist the rules with iptables-persistent.

Monitor Usage

# View Hysteria2 logs (connect/disconnect lines carry the user id and source address)
sudo journalctl -u hysteria-server -f

# Show the server's UDP listener. QUIC multiplexes every client over this one
# socket, so ss won't list clients individually; use the logs for that.
sudo ss -ulnp | grep hysteria

# Monitor bandwidth
vnstat -l

Part 6: Multi-User Setup

With Hysteria2 Native Auth

Use a user-password file:

auth:
  type: userpass
  userpass:
    alice: password-for-alice
    bob: password-for-bob
    charlie: password-for-charlie

Each user gets their own link, with the auth part in user:password form:

hy2://alice:password-for-alice@your-domain.com:443?sni=your-domain.com#Alice
hy2://bob:password-for-bob@your-domain.com:443?sni=your-domain.com#Bob
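Hand-writing these links goes wrong as soon as a password contains @, : or #, and hand-editing the YAML goes wrong with quotes. The script below is an added example, not code from this page or from the Hysteria project: it generates a URL-safe password per user, renders the auth: userpass block, and builds and parses share links in the hysteria2://[auth@]host[:port]/?key=value form (hy2:// accepted as an alias) with the sni, obfs, obfs-password and insecure keys. The user names and host are placeholders.

```python
"""Hysteria2 share links and a userpass auth block, generated and parsed safely.

Added example, not code from this page or from the Hysteria project. It uses
the share-link form hysteria2://[auth@]host[:port]/?key=value (hy2:// is the
accepted short alias) with the sni, obfs, obfs-password and insecure keys;
the user names and passwords below are constructed placeholders.
"""
import json
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, quote, unquote, urlsplit

SCHEMES = ("hysteria2", "hy2")


@dataclass(frozen=True)
class Hy2Link:
    host: str
    port: int
    password: str
    user: Optional[str] = None           # set for userpass auth; None for single-password auth
    sni: Optional[str] = None
    obfs_password: Optional[str] = None  # Salamander key; independent of the auth password
    insecure: bool = False               # skip certificate verification (testing only)
    name: str = ""                       # display name, carried in the fragment


def build_link(link: Hy2Link, scheme: str = "hysteria2") -> str:
    """Serialize a link. Userinfo, query values and the fragment are percent-encoded,
    so a password containing '@', ':' or '#' cannot be mistaken for the host or fragment."""
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported scheme {scheme!r}")
    auth = quote(link.password, safe="")
    if link.user:
        auth = f"{quote(link.user, safe='')}:{auth}"
    params = []
    if link.sni:
        params.append(f"sni={quote(link.sni, safe='')}")
    if link.obfs_password:
        params.append("obfs=salamander")
        params.append(f"obfs-password={quote(link.obfs_password, safe='')}")
    if link.insecure:
        params.append("insecure=1")
    query = f"/?{'&'.join(params)}" if params else "/"
    frag = f"#{quote(link.name, safe='')}" if link.name else ""
    return f"{scheme}://{auth}@{link.host}:{link.port}{query}{frag}"


def parse_link(uri: str) -> Hy2Link:
    """Parse a link, validating the scheme and the obfs parameters, before it is
    turned into client config. Accepts links with or without the '/' before '?'."""
    parts = urlsplit(uri)
    if parts.scheme not in SCHEMES:
        raise ValueError(f"not a Hysteria2 link: scheme {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("missing host")
    if parts.password is not None:          # user:password form (userpass auth)
        user, password = unquote(parts.username or ""), unquote(parts.password)
    else:                                   # bare password form
        user, password = None, unquote(parts.username or "")
    if not password:
        raise ValueError("missing password")
    q = parse_qs(parts.query)
    obfs = q.get("obfs", [None])[0]
    obfs_pw = q.get("obfs-password", [None])[0]
    if obfs not in (None, "salamander"):
        raise ValueError(f"unknown obfs type {obfs!r}")
    if obfs == "salamander" and not obfs_pw:
        raise ValueError("obfs=salamander requires obfs-password")
    return Hy2Link(
        host=parts.hostname,
        port=parts.port or 443,
        password=password,
        user=user or None,
        sni=q.get("sni", [None])[0],
        obfs_password=obfs_pw if obfs == "salamander" else None,
        insecure=q.get("insecure", ["0"])[0] in ("1", "true"),
        name=unquote(parts.fragment),
    )


def generate_password(nbytes: int = 24) -> str:
    """base64url without padding: high entropy and free of characters that need
    percent-encoding, so the link survives clients that don't decode userinfo."""
    return secrets.token_urlsafe(nbytes)


def userpass_auth_yaml(users: Dict[str, str]) -> str:
    """Render the server's `auth: type: userpass` block. Values are emitted as JSON
    strings, which YAML reads as double-quoted scalars, so any character is safe."""
    lines = ["auth:", "  type: userpass", "  userpass:"]
    for name in sorted(users):
        lines.append(f"    {json.dumps(name)}: {json.dumps(users[name])}")
    return "\n".join(lines) + "\n"


def provision(names, host, sni=None, obfs_password=None) -> Tuple[str, Dict[str, str]]:
    """Give every user a fresh password; return the server YAML and one link per user."""
    users = {n: generate_password() for n in names}
    links = {n: build_link(Hy2Link(host, 443, pw, user=n, sni=sni,
                                   obfs_password=obfs_password, name=n))
             for n, pw in users.items()}
    return userpass_auth_yaml(users), links


if __name__ == "__main__":
    yaml_text, links = provision(["alice", "bob"], "your-domain.com", sni="your-domain.com")
    print(yaml_text)
    for n, l in links.items():
        print(n, l)
```

Run it to get a ready-to-paste auth block and one link per user. parse_link is the half you want in a subscription importer: it refuses unknown schemes and a Salamander link that lacks its obfs password, and it decodes the userinfo so a password with a colon is not split into user and password.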

With 3X-UI

Where the panel build supports a hysteria2 inbound (see Part 3), 3X-UI gives you a web UI for managing users with:

  • Individual passwords per user
  • Traffic quotas
  • Expiry dates
  • Connection limits
  • QR codes and subscription links

That is the least effort if it works for your panel; see 3X-UI Setup. Without a panel, the userpass file above plus Hysteria2's HTTP auth backend (auth: type: http) cover the same ground.
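If you would rather not run a panel, Hysteria2's HTTP authentication backend gives you the same control points (per-user passwords, quotas, cutting a user off by changing one record) in a few dozen lines. The service below is an added example, not code from this page or from the Hysteria project. It assumes the server's auth section points at it (auth: type: http with http: url: http://127.0.0.1:8080/auth), that the server POSTs a JSON body with addr, auth and tx fields for each new client, and that it expects {"ok": bool, "id": str} back, with id becoming the name the client is reported under; check that contract against the docs for your version. The users, quotas and usage numbers are constructed.

```python
"""A minimal HTTP authentication backend for Hysteria2 that enforces per-user quotas.

Added example, not code from this page or from the Hysteria project. It assumes
the server is configured with `auth: type: http` and `http: url:
http://127.0.0.1:8080/auth`, that the server POSTs a JSON body with "addr",
"auth" and "tx" fields for every new client, and that it expects {"ok": bool,
"id": str} back, where "id" becomes the name the server reports that client
under. Check that contract against the docs for your version. The users,
quotas and usage figures here are constructed.
"""
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional, Tuple

GIB = 1024 ** 3

# Constructed user store: name -> (password, quota in bytes). In production this
# would come from a database that your accounting job keeps up to date.
USERS: Dict[str, Tuple[str, int]] = {
    "alice": ("correct-horse-battery-staple", 50 * GIB),
    "bob": ("bob-password", 10 * GIB),
}
# Constructed running usage in bytes, keyed by the id returned to the server.
USAGE: Dict[str, int] = {"alice": 3 * GIB, "bob": 10 * GIB}


def split_auth(auth: str) -> Optional[Tuple[str, str]]:
    """Clients send 'user:password' (the same form the userpass auth type uses)."""
    user, sep, password = auth.partition(":")
    if not sep or not user or not password:
        return None
    return user, password


def decide(auth: str, users: Dict[str, Tuple[str, int]] = USERS,
           usage: Dict[str, int] = USAGE) -> dict:
    """The access decision. Unknown users take the same path as wrong passwords and the
    comparison is constant-time, so response timing does not reveal which one it was.
    A user at or over quota is refused even with the right password."""
    parsed = split_auth(auth)
    if parsed is None:
        return {"ok": False}
    user, password = parsed
    expected, quota = users.get(user, ("", 0))
    if not hmac.compare_digest(password.encode(), expected.encode()) or user not in users:
        return {"ok": False}
    if usage.get(user, 0) >= quota:
        return {"ok": False}
    return {"ok": True, "id": user}


class AuthHandler(BaseHTTPRequestHandler):
    """Answers the server's POST /auth; anything else is 404. The password never
    reaches the log: only the client address and the verdict are recorded."""

    def do_POST(self) -> None:
        if self.path != "/auth":
            self.send_error(404)
            return
        try:
            length = int(self.headers.get("Content-Length", "0"))
            body = json.loads(self.rfile.read(length) or b"{}")
            if not isinstance(body, dict) or not isinstance(body.get("auth", ""), str):
                raise ValueError("malformed auth request")
        except (ValueError, TypeError):
            self.send_error(400)
            return
        verdict = decide(body.get("auth", ""))
        self.log_message("addr=%s ok=%s", body.get("addr"), verdict["ok"])
        out = json.dumps(verdict).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)


if __name__ == "__main__":
    # Loopback only: the backend must never be reachable from the internet.
    HTTPServer(("127.0.0.1", 8080), AuthHandler).serve_forever()
```

Because the decision is made per connection, removing a user or zeroing their quota takes effect on their next connect without restarting Hysteria2, which is the piece a plain userpass file cannot give you. Feed USAGE from whatever accounting you already do (the server's traffic counters or your own logs) and keep the backend on loopback, since anyone who can reach it can probe passwords.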


Hysteria2 vs VLESS+Reality: When to Use Which

Scenario                             | Use Hysteria2                            | Use VLESS+Reality
-------------------------------------|------------------------------------------|------------------------------------
High packet loss / throttled network | Yes (Brutal keeps pushing through loss)  | Slower on lossy links
ISP blocks UDP/QUIC                  | No (Hysteria2 needs UDP)                 | Yes (TCP-based)
Need CDN fallback                    | No (no CDN support)                      | No either; that needs VLESS+WS+CDN
Maximum speed                        | Yes (Brutal congestion control)          | Good, but slower on bad networks
Port 443 TCP-only networks           | No                                       | Yes
Server probing resistance            | Good (masquerade)                        | Excellent (Reality handshake)
Client app support                   | Most modern clients                      | Most modern clients

Best strategy: run both. Hysteria2 as primary (fast), VLESS+Reality as fallback (works when UDP is blocked). They don't conflict on one server: Hysteria2 listens on UDP 443 and Reality on TCP 443. A panel can manage both if it supports both protocols; otherwise run the native Hysteria2 service next to Xray.


Troubleshooting

# Check server status
sudo systemctl status hysteria-server

# Check logs for errors
sudo journalctl -u hysteria-server --no-pager | tail -30

# Check that Hysteria2 is listening on UDP 443 (process names need root)
sudo ss -ulnp | grep ':443'

# Test from the client side
# If the connection fails, try with obfuscation (Salamander)
# If it still fails, your ISP may block all UDP: switch to VLESS+Reality (TCP)

Problem                           | Fix
----------------------------------|---------------------------------------------------------------------------------------------
Can't connect                     | Check the firewall allows UDP 443: sudo ufw allow 443/udp
TLS certificate error             | Check the cert path in the config and that the hysteria user can read both files. Renew with sudo certbot renew, then restart the service
Slow speed                        | Set correct bandwidth values in the client config (Brutal mode)
Connection drops frequently       | Enable port hopping (see Part 4)
ISP blocks QUIC                   | Enable Salamander obfuscation or switch to VLESS+Reality
Server shows no connections       | Check the client SNI matches your domain exactly
Works on WiFi but not mobile data | The carrier may block UDP. Try port hopping or switch protocol
"authentication failed"           | Password mismatch between server and client config (with userpass auth, the client must send user:password)

Related Guides

SamNet Open Source Tools

Tool            | Purpose
----------------|---------------------------------------------------
fortify         | Server security hardening (auto-detects Hysteria2)
paqctl          | Censorship bypass with Paqet + GFW-Knocker
cfray           | Find clean Cloudflare IPs for CDN fallback
MTProxyMax      | Telegram proxy manager
wg-orchestrator | WireGuard VPN management
torware         | Tor Bridge/Relay setup