What is an MTProto proxy and why do you need it on a VPS?
MTProto proxy is a specialized proxy server developed by Telegram to ensure secure and effective circumvention of blockages. Unlike standard HTTP/SOCKS5 proxies, MTProto uses its own cryptographic protocol, which was originally designed for Telegram and offers several advantages, especially in conditions of active opposition from internet providers and government agencies. When you use your own MTProto proxy on a VPS, you gain full control over the connection, significantly increasing your network independence and privacy.
Advantages of your own MTProto proxy
Using your own MTProto proxy, deployed on a VPS, offers a number of significant advantages compared to public or third-party proxy services. These benefits relate to reliability, security, and connection speed.
- High speed and stability: Your own server is not overloaded with thousands of users. This means minimal latency and high bandwidth, which is critical for comfortable Telegram usage, especially when transferring media files.
- Full control over security: You do not entrust your data to third parties. Your own Telegram proxy server eliminates the possibility of traffic interception or analysis by the proxy provider. All traffic between your Telegram client and the proxy server is encrypted by the MTProto protocol.
- Bypassing blockages: MTProto is designed with the need to bypass censorship in mind. Thanks to the ability to disguise traffic as regular web traffic (fake-TLS), your proxy becomes less noticeable to Deep Packet Inspection (DPI) systems.
- Confidentiality: Your IP address remains hidden from Telegram, as well as from potential observers. Only you know about the existence and location of your proxy.
- Flexibility and scalability: You can configure the proxy to suit your needs, and if the number of users increases (for example, if you share it with friends or for a channel), you can easily scale VPS resources.
Difference between MTProto, VPN, and SOCKS5
While all these technologies serve to bypass blockages and ensure privacy, they work differently and have their own characteristics.
- VPN (Virtual Private Network): VPN creates an encrypted tunnel for all network traffic from your device. This means that absolutely all your applications will use the VPN connection. VPN provides a high level of anonymity and security but can be slower as it encrypts all traffic, and it is also more noticeable to DPI without additional obfuscations (such as Hiddify on VPS with VLESS Reality or Sing-box).
- SOCKS5: This is a universal proxy protocol that operates at the transport layer. SOCKS5 can proxy almost any traffic, but it does not provide encryption on its own. All traffic passes through the proxy in plain text unless the application uses its own encryption (e.g., HTTPS). For security, SOCKS5 is often combined with SSH tunnels or TLS obfuscation, as in the case of Shadowsocks.
- MTProto proxy: Designed specifically for Telegram. It works only for Telegram traffic, using its own encryption protocol. This makes it very effective for bypassing blockages specifically for Telegram, without slowing down other applications. MTProto also has built-in obfuscation mechanisms, making it less vulnerable to DPI compared to "bare" VPNs or SOCKS5.
Thus, if your main goal is reliable and fast access to Telegram with blockage circumvention, MTProto proxy VPS is one of the most optimal and targeted solutions.
Choosing a VPS for MTProto proxy: what to look for?
The right VPS choice is the foundation for stable and fast operation of your MTProto proxy. Although MTProto is not a resource-intensive protocol, some VPS parameters can significantly affect performance, especially when serving a large number of users. Valebyte.com offers various plans that are suitable for any task.
Minimum VPS requirements
To run a single MTProto proxy server serving up to 50-100 active users, the VPS requirements are quite modest:
- Processor (CPU): 1 vCPU with a frequency of 1 GHz or more. MTProto does not heavily load the CPU, so even a basic processor will suffice.
- Random Access Memory (RAM): 512 MB – 1 GB. The `mtg` application itself requires very little RAM (tens of megabytes), but the operating system and Docker container will need a bit more.
- Disk space: 10-20 GB SSD. This will be more than enough for OS installation, Docker, and log storage. NVMe drives, while faster, do not offer a significant advantage for a proxy but can be a nice bonus.
- Network Bandwidth: From 100 Mbps. This is the minimum comfortable speed. If you plan to share the proxy with a large number of people, it's better to aim for a wider channel.
- Server Geography: Choose a location that is geographically close to your users to minimize latency. Valebyte offers a wide selection of data centers worldwide.
Optimal characteristics for different loads
If you plan to use your Telegram proxy for a large number of people (e.g., for a large Telegram channel or community), you should consider more powerful plans. Below is a table with recommendations for choosing a VPS for various usage scenarios.
| Parameter | Up to 50 users | 50-200 users | 200-500+ users |
|---|---|---|---|
| CPU | 1 vCPU (1-2 GHz) | 2 vCPU (2+ GHz) | 4+ vCPU (2.5+ GHz) |
| RAM | 1 GB | 2 GB | 4+ GB |
| Disk | 20 GB SSD | 40 GB NVMe/SSD | 80+ GB NVMe |
| Bandwidth | 100-200 Mbps | 500 Mbps - 1 Gbps | 1+ Gbps |
| Valebyte Recommendation | Starter plans (from $3/month) | Medium plans (from $8/month) | Large/Custom plans (from $15/month) |
| Example Valebyte Plan | VPS-1 (1 vCPU, 1GB RAM, 20GB SSD) | VPS-2 (2 vCPU, 2GB RAM, 40GB NVMe) | VPS-4 (4 vCPU, 8GB RAM, 80GB NVMe) |
It's important to remember that even for heavy loads, the main bottleneck is most often network bandwidth, not CPU or RAM. Make sure your VPS provider offers sufficient and stable network connectivity. For tests and small projects, you can start with a cheap VPS with hourly billing, and then upgrade to a more powerful plan if needed.
Looking for a reliable server for your projects?
VPS from $10/month and dedicated servers from $9/month with NVMe, DDoS protection, and 24/7 support.
View offers →Preparing your VPS for `mtg` installation: basic steps
Before proceeding with the actual `mtg` installation, you need to prepare your VPS. This process includes updating the operating system, installing Docker, and configuring the firewall. These steps are standard for most deployments on Linux servers and ensure stable and secure operation.
System update and Docker installation
First, connect to your VPS via SSH. You will need an SSH client (e.g., PuTTY for Windows or the built-in terminal for macOS/Linux). Use the command:
ssh root@YOUR_VPS_IP_ADDRESS
After successful login, update the package list and installed packages to the latest versions. This will help avoid conflicts and vulnerabilities.
sudo apt update && sudo apt upgrade -y
Next, install Docker. Docker significantly simplifies application deployment and management by isolating them in containers. This is an ideal tool for MTProto configuration, as it allows you to run the proxy in a clean, pre-configured environment.
# Install necessary packages
sudo apt install ca-certificates curl gnupg lsb-release -y
# Add Docker's official GPG key
sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
# Add Docker repository
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
# Update package list and install Docker Engine
sudo apt update
sudo apt install docker-ce docker-ce-cli containerd.io docker-compose-plugin -y
# Verify Docker installation
sudo docker run hello-world
If the `sudo docker run hello-world` command executed successfully, Docker is installed correctly.
Opening ports and configuring the firewall
For the MTProto proxy to work correctly, you need to open specific ports in your VPS firewall. By default, `mtg` uses port 443 (or any other port you specify). Also, don't forget about the SSH port (usually 22).
We will use `ufw` (Uncomplicated Firewall), which is pre-installed in many Ubuntu distributions and is easy to configure.
# Allow SSH
sudo ufw allow ssh
# Allow MTProto proxy on port 443 (standard for fake-TLS)
sudo ufw allow 443/tcp
# Allow any other port if you plan to use it (e.g., 8888)
# sudo ufw allow 8888/tcp
# Enable firewall
sudo ufw enable
When enabling the firewall, `ufw` will ask for confirmation. Enter `y` and press Enter. You can check the firewall status with the command:
sudo ufw status verbose
Make sure that ports 22 and 443 (or your chosen proxy port) are allowed. If your VPS has a control panel with its own firewall (e.g., in Valebyte), ensure that the corresponding ports are also open there.
Need a dedicated server?
Compare prices from top providers. Configure and order in minutes.
Installing `mtg` on VPS via Docker: a step-by-step guide
Now that your VPS is prepared, we can proceed with the actual `mtg` installation. We will use the official `mtg` Docker image, which ensures easy deployment and up-to-date version. The entire process will take no more than 5 minutes.
Generating a secret key and configuring `mtg`
For the MTProto proxy to work, a secret key is required. This is a unique identifier for your proxy, used for client authentication. The key must be a 32-byte hexadecimal number.
You can generate the key using the following command:
head -c 16 /dev/urandom | xxd -ps
You will get a string like `1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d`. Save this key; it will be needed to start the Docker container and generate the link. We will call it `YOUR_SECRET_KEY`.
We will also need a random ad tag, which Telegram uses for statistics. You can generate it by visiting https://core.telegram.org/mtproto/TL-schema#adTag and finding the `ad_tag_hex` or `ad_tag_url` section. For example, you can use `00000000000000000000000000000000` for no ads, or generate a random one. For simplicity, we will use `00000000000000000000000000000000` in this guide.
Running the Docker container with `mtg`
Now we are ready to run `mtg` in Docker. We will use the `docker run` command.
docker run -d --name mtproto-proxy \
-p 443:443 \
-v /var/lib/mtproto-proxy:/data \
--restart=always \
telegrammessenger/mtproto-proxy:latest \
--secret YOUR_SECRET_KEY \
--tag 00000000000000000000000000000000 \
--port 443
Let's break down the command:
-d: Runs the container in detached mode.--name mtproto-proxy: Assigns a name to the container for easy management.-p 443:443: Maps host port 443 to container port 443. This is the port your proxy will run on. You can choose any other free port on the host, for example `-p 8888:443`, but then clients will need to specify that port.-v /var/lib/mtproto-proxy:/data: Mounts a directory on the host to store proxy data (e.g., statistics). This allows data to be preserved even when the container is recreated.--restart=always: Automatically restarts the container on failure or VPS reboot.telegrammessenger/mtproto-proxy:latest: Specifies the official `mtg` Docker image.--secret YOUR_SECRET_KEY: Passes your generated secret key. Be sure to replace `YOUR_SECRET_KEY` with your generated key!--tag 00000000000000000000000000000000: Passes the ad tag.--port 443: Specifies the internal container port on which `mtg` will listen for connections.
After executing this command, your MTProto proxy VPS should be running. You can check the container status with the command:
docker ps
You should see a container named `mtproto-proxy` in `Up` status. If you want to view container logs, use:
docker logs mtproto-proxy
Congratulations! Basic MTProto configuration is complete, and your proxy is running.
Masking MTProto proxy with fake-TLS: how to avoid blockages?
One of the most powerful advantages of an MTProto proxy is the ability to disguise traffic as regular web traffic (HTTPS) using fake-TLS technology. This makes your Telegram proxy server significantly more resistant to Deep Packet Inspection (DPI) systems, which are used to detect and block VPN and proxy connections.
How fake-TLS works
Fake-TLS (sometimes called TLS obfuscation) allows an MTProto proxy to appear as a regular HTTPS server. When DPI scans your traffic, it sees a standard TLS handshake and encrypted traffic that mimics a regular HTTPS connection to a website. Instead of blocking such traffic, DPI allows it to pass, as blocking all HTTPS traffic would paralyze internet operation. To implement fake-TLS, you would typically need a domain name and an SSL certificate. However, `mtg` can operate in fake-TLS mode even without a real domain and certificate, simply by mimicking a TLS handshake. Nevertheless, using a real domain and certificate significantly increases the effectiveness of the disguise.
Configuring a domain and SSL certificate for enhanced obfuscation
For maximum obfuscation effectiveness, it is recommended to use a real domain and SSL certificate. This makes your proxy virtually indistinguishable from a regular website.
- Register a domain name: Purchase an inexpensive domain (e.g., `.online`, `.xyz`, `.site`).
- Configure a DNS record: Create an A record for your domain (e.g., `proxy.yourdomain.com`) pointing to your VPS's IP address.
- Obtain an SSL certificate: Use Let's Encrypt to get a free SSL certificate. You can install `certbot` on your VPS for this:
- Add the `fake-tls` parameter to `mtg`: For this, you will need to specify the domain to be mimicked. Choose a popular website, for example, `google.com` or `telegram.org`. First, stop the current container:
sudo snap install core; sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo certbot certonly --standalone -d proxy.yourdomain.com
Follow the `certbot` instructions to obtain the certificate. The certificate files will be located in `/etc/letsencrypt/live/proxy.yourdomain.com/`.
docker stop mtproto-proxy
docker rm mtproto-proxy
Then, start a new container with the `--fake-tls` parameter:
docker run -d --name mtproto-proxy \
-p 443:443 \
-v /var/lib/mtproto-proxy:/data \
--restart=always \
telegrammessenger/mtproto-proxy:latest \
--secret YOUR_SECRET_KEY \
--tag 00000000000000000000000000000000 \
--port 443 \
--fake-tls YOUR_DOMAIN.COM
Important: Replace `YOUR_DOMAIN.COM` with the actual domain you want to mimic (e.g., `google.com`). If you are using your own domain with an SSL certificate, then instead of `--fake-tls YOUR_DOMAIN.COM`, you will need to specify the paths to the certificate and key files using the `--certificate` and `--key` parameters. However, for most users, simple imitation via `--fake-tls` is sufficient.
This simple step significantly increases your proxy's resistance to blockages, making its traffic indistinguishable from regular HTTPS traffic to the specified domain.
Generating a tg:// link and adding the proxy to Telegram
After successfully installing and configuring your Telegram proxy, the next step is to create a special `tg://` link that allows users to instantly add the proxy to their Telegram client. This significantly simplifies the connection process and distribution of your proxy.
Forming a unique link
The `tg://` link has the following format:
tg://proxy?server=YOUR_IP_ADDRESS&port=PROXY_PORT&secret=YOUR_SECRET_KEY
Where:
YOUR_IP_ADDRESS: The public IP address of your VPS.PROXY_PORT: The port on which your MTProto proxy operates (default 443).YOUR_SECRET_KEY: The secret key you generated earlier.
If you are using fake-TLS obfuscation, the secret key must be modified. You need to append a 16-byte `fake-TLS` domain (in hexadecimal format) to your 32-byte secret key. To do this, first get the 16-byte representation of the domain:
echo -n "YOUR_FAKE_TLS_DOMAIN" | head -c 16 | xxd -ps
For example, for `google.com`, this would be `676f6f676c652e636f6d000000000000` (if the domain is shorter than 16 bytes, it is padded with zeros). Then your secret key with fake-TLS will look like this:
dc9272bf7e44e27774972e259e830e07 + 676f6f676c652e636f6d000000000000
Where `dc9272bf7e44e27774972e259e830e07` is your original 32-byte key, and `676f6f676c652e636f6d000000000000` is the 16-byte fake-TLS domain. The full secret for the link: `YOUR_SECRET_KEY + FAKE_TLS_KEY`. Example of a full link with fake-TLS (replace data with your own):
tg://proxy?server=192.0.2.1&port=443&secret=dc9272bf7e44e27774972e259e830e07676f6f676c652e636f6d000000000000
If you are not using fake-TLS, simply use your 32-byte secret key without adding a domain.
Recommendation: For convenience, you can use online MTProto link generators, but always verify that they correctly form the link with your secret and fake-TLS domain.
Distributing the proxy and adding it to a channel
You can distribute the generated link in several ways:
- Direct link: Send it to friends or publish it in your Telegram channel. When the link is clicked, the Telegram client will automatically offer to connect to the proxy.
- QR code: Generate a QR code for your link. This is convenient for offline distribution or via images.
- Adding to a channel (optional): If you have a Telegram channel, you can add your proxy to the list of official channel proxies. To do this, you need to be the channel owner and use the bot @MTProxybot. The bot will help you link the proxy to the channel, making it available to all subscribers directly in Telegram's proxy settings. This is an excellent way for channel owners to ensure stable access to their content.
Once users connect, they will be able to use Telegram through your MTProto proxy VPS, bypassing blockages and enjoying a stable connection.
Need a dedicated server?
Compare prices from top providers. Configure and order in minutes.
Monitoring and optimizing MTProto proxy on VPS
After deploying an MTProto proxy, it's important not to just forget about it, but to regularly monitor its operation to ensure stability and high performance. This is especially relevant if your Telegram proxy server serves a large number of users.
Assessing load and choosing the optimal Valebyte plan
Monitoring VPS load will help you understand if current resources are sufficient or if it's time to consider an upgrade. Key metrics to pay attention to:
- CPU usage: The `htop` command (install: `sudo apt install htop`) will show current CPU load. MTProto typically consumes little CPU, but if the indicator is consistently above 50-70%, it may indicate overload.
- RAM usage: Also tracked via `htop`. If free RAM is consistently low and the system actively uses a SWAP file, this is a sign of insufficient memory.
- Network traffic: This is the most important metric for a proxy. Use `docker stats` to view network traffic for a specific `mtproto-proxy` container. You can also use utilities like `iftop` (install: `sudo apt install iftop`) to monitor overall server traffic. If the network channel is consistently loaded at 80% or more, users may experience delays.
# View Docker container statistics
docker stats mtproto-proxy
# Monitor network traffic (installation may be required)
sudo apt install iftop
sudo iftop -i eth0 # Replace eth0 with the name of your network interface
If you notice that your current VPS cannot handle the load, Valebyte offers flexible plans that allow you to easily scale resources. You can upgrade to a more powerful VPS with more CPU cores, more RAM, or a wider network channel. For example, for high-load proxies, a plan with 4-8 vCPU and 8-16 GB RAM, as well as a guaranteed 1 Gbit/s channel, might be suitable. VPS with instant activation will allow you to quickly switch to a new plan without long waits.
Updating and maintaining `mtg`
Regularly updating `mtg` and the Docker image is key to security and stable operation. Telegram developers constantly improve the protocol and add new features or security fixes.
- Stop and remove the old container:
- Remove the old Docker image:
- Download the new image and run the container: Use the same `docker run` command as during the initial installation. Docker will automatically download the latest version of the image.
docker stop mtproto-proxy
docker rm mtproto-proxy
docker rmi telegrammessenger/mtproto-proxy:latest
docker run -d --name mtproto-proxy \
-p 443:443 \
-v /var/lib/mtproto-proxy:/data \
--restart=always \
telegrammessenger/mtproto-proxy:latest \
--secret YOUR_SECRET_KEY \
--tag 00000000000000000000000000000000 \
--port 443 \
--fake-tls YOUR_DOMAIN.COM
Also, don't forget to periodically update your VPS's operating system itself:
sudo apt update && sudo apt upgrade -y
This ensures overall server security and protection against known vulnerabilities. For those interested in alternative ways to bypass blockages, Valebyte also offers solutions like Shadowsocks-2022 on VPS or Marzban on VPS, which can be useful for a wider range of tasks.
Conclusion
Installing your own MTProto proxy on a VPS is a fast, reliable, and effective way to gain independent access to Telegram, bypassing any blockages. With Docker and Valebyte's detailed guide, you can deploy your MTProto proxy VPS in just 5 minutes, ensuring a stable and secure connection for yourself and your users. Choose a suitable Valebyte.com plan to ensure your proxy operates flawlessly and with maximum performance.
Ready to choose a server?
VPS and dedicated servers in 72+ countries with instant activation and full root access.
Get started now →