New in v6.2.0 - Hysteria2 is a high-performance proxy based on QUIC (HTTP/3) with the Salamander obfuscation layer. It appears as standard HTTP/3 traffic to DPI systems.

Hysteria2 with Salamander Obfuscation

Hysteria2 combines QUIC transport with “Brutal” congestion control for high performance over lossy networks. The optional Salamander layer obfuscates packet payloads on top of that transport.

Key Features

  1. HTTP/3 Appearance - Looks like standard QUIC/HTTP3 traffic
  2. Salamander Obfuscation - BLAKE2b-based payload obfuscation
  3. Brutal Congestion Control - Maintains bandwidth despite packet loss
  4. UDP Transport - Harder to fingerprint than TCP protocols

Deployment Notes for Iran

ISP-Specific Behavior:
  • Irancell (MTN): Best performance, QUIC generally allowed
  • Hamrah Aval (MCI): Mixed results, QUIC sometimes blocked
  • Rightel: Moderate performance

QUIC may be temporarily blocked during high-censorship periods.

Configuration

Server Requirements

You’ll need your own Hysteria2 server. Example server configuration:
# Server config (hysteria2.yaml)
listen: :443

tls:
  cert: /path/to/cert.pem
  key: /path/to/key.pem

auth:
  type: password
  password: YOUR_STRONG_PASSWORD

masquerade:
  type: proxy
  proxy:
    url: https://www.bing.com
    rewriteHost: true

Client Configuration

Interactive Mode

dns-mns
# Select: [8] Advanced Evasion Suite
# Then: [5] Hysteria2 Proxy

CLI Mode

# Basic Hysteria2 connection
dns-mns hysteria2 start \
  --server your-server.com:443 \
  --password YOUR_PASSWORD \
  --sni www.bing.com

# With Salamander obfuscation
dns-mns hysteria2 start \
  --server your-server.com:443 \
  --password YOUR_PASSWORD \
  --obfs-password SALAMANDER_KEY \
  --sni www.microsoft.com

Configuration File

# ~/.config/dns-mns/hysteria2.yaml
server: your-server.com:443
password: YOUR_PASSWORD
sni: www.microsoft.com
obfs:
  type: salamander
  password: YOUR_OBFS_PASSWORD
bandwidth:
  up: 50m
  down: 100m

Load with:
dns-mns hysteria2 start --config ~/.config/dns-mns/hysteria2.yaml

Salamander Obfuscation

How It Works

Original Payload: [DNS Query Data]

   [8-byte Salt] + XOR(BLAKE2b(key+salt), payload)

Obfuscated Payload: [Salt][Encrypted Data]
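
The construction in the diagram above, as an added Python example (not dns-mns or Hysteria2 project code). It assumes a 32-byte BLAKE2b digest reused cyclically as the XOR pad, as upstream Hysteria 2 does; the password and payload are constructed.

```python
import hashlib
import os
from typing import Optional

SALT_LEN = 8   # "[8-byte Salt]" in the diagram above
KEY_LEN = 32   # assumption: BLAKE2b-256 digest, as in upstream Hysteria 2


def derive_key(psk: bytes, salt: bytes) -> bytes:
    """BLAKE2b(key + salt) from the diagram."""
    return hashlib.blake2b(psk + salt, digest_size=KEY_LEN).digest()


def xor_cycle(data: bytes, key: bytes) -> bytes:
    """XOR data with the key, repeating the key every len(key) bytes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(psk: bytes, payload: bytes, salt: Optional[bytes] = None) -> bytes:
    salt = os.urandom(SALT_LEN) if salt is None else salt
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly 8 bytes")
    return salt + xor_cycle(payload, derive_key(psk, salt))


def deobfuscate(psk: bytes, packet: bytes) -> bytes:
    if len(packet) <= SALT_LEN:
        raise ValueError("packet shorter than salt + 1 byte")
    salt, body = packet[:SALT_LEN], packet[SALT_LEN:]
    return xor_cycle(body, derive_key(psk, salt))


def properties() -> dict:
    """Check what the layer does and does not provide, on constructed data."""
    psk = b"constructed-obfs-password"
    payload = bytes(range(64))                      # constructed 64-byte payload
    packet = obfuscate(psk, payload)
    tampered = bytearray(packet)
    tampered[SALT_LEN] ^= 0x01                      # flip one bit in transit
    keystream = xor_cycle(packet[SALT_LEN:], payload)
    return {
        "round_trip": deobfuscate(psk, packet) == payload,
        # A wrong password yields garbage, not an error: nothing is authenticated.
        "wrong_key_silent": deobfuscate(b"wrong-password", packet) != payload,
        # The flipped bit comes out flipped in the plaintext: no integrity check.
        "malleable": deobfuscate(psk, bytes(tampered))[0] == payload[0] ^ 0x01,
        # The XOR pad repeats every 32 bytes within a packet.
        "pad_repeats": keystream[:KEY_LEN] == keystream[KEY_LEN:2 * KEY_LEN],
    }
```

Every check in `properties()` comes back true: the layer hides packet structure but authenticates nothing, so confidentiality and integrity still come from the TLS layer inside QUIC, not from the obfuscation password.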

Enable Salamander

# With obfuscation password
dns-mns hysteria2 start \
  --server your-server.com:443 \
  --password AUTH_PASSWORD \
  --obfs-password SALAMANDER_SECRET

# URI format
hysteria2://auth@server:443/?obfs=salamander&obfs-password=secret&sni=target.com

Generating Obfuscation Password

# Generate strong obfuscation key
openssl rand -base64 32

# Or use dns-mns
dns-mns generate-password --length 32

Usage Examples

Basic DNS Proxy

# Start Hysteria2 DNS proxy
dns-mns hysteria2 start \
  --server vpn.example.com:443 \
  --password secret123 \
  --listen 127.0.0.1:5358

# Use as DNS server
dig @127.0.0.1 -p 5358 google.com

With Masquerade Target

# Use Microsoft as masquerade target (commonly whitelisted)
dns-mns hysteria2 start \
  --server vpn.example.com:443 \
  --password secret123 \
  --sni www.microsoft.com \
  --masquerade https://www.microsoft.com

Full Evasion Stack

# Hysteria2 + uTLS fingerprint + custom SNI
dns-mns hysteria2 start \
  --server vpn.example.com:443 \
  --password secret123 \
  --obfs-password salamander123 \
  --sni www.microsoft.com \
  --fingerprint firefox \
  --bandwidth-up 50m \
  --bandwidth-down 100m

Bandwidth Configuration

Brutal Congestion Control

Hysteria2 uses “Brutal” congestion control that maintains your configured bandwidth regardless of packet loss:
# Set bandwidth limits
dns-mns hysteria2 start \
  --server vpn.example.com:443 \
  --password secret123 \
  --bandwidth-up 20m \
  --bandwidth-down 100m

# Units: bps, kbps, mbps, gbps

Auto-Discovery

# Let Hysteria2 discover bandwidth
dns-mns hysteria2 start \
  --server vpn.example.com:443 \
  --password secret123 \
  --bandwidth-auto

Status and Monitoring

Check Status

# View connection status
dns-mns hysteria2 status

# JSON output
dns-mns hysteria2 status --json

# Output:
# {
#   "connected": true,
#   "server": "vpn.example.com:443",
#   "sni": "www.microsoft.com",
#   "obfuscated": true,
#   "queries": 1523,
#   "successes": 1520,
#   "errors": 3
# }

View Statistics

# Detailed statistics
dns-mns hysteria2 stats

# Reset statistics
dns-mns hysteria2 stats --reset

Logs

# View logs
dns-mns hysteria2 logs

# Follow logs
dns-mns hysteria2 logs --follow

# Debug level
dns-mns hysteria2 logs --level debug

Troubleshooting

QUIC Blocked

If you see “connection refused” or timeouts:
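# Check if QUIC is blocked
# (UDP is connectionless: nc reporting success only means no ICMP error
#  came back, not that the server answered)
nc -v -u vpn.example.com 443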

# Try TCP fallback (use ShadowTLS instead)
dns-mns evasion shadowtls start \
  --server vpn.example.com:443 \
  --target www.microsoft.com:443

Authentication Failed

# Verify password
dns-mns hysteria2 test-auth \
  --server vpn.example.com:443 \
  --password secret123

# Check server logs for auth errors

Slow Performance

# Check current bandwidth
dns-mns hysteria2 stats

# Adjust bandwidth settings
dns-mns hysteria2 config set bandwidth.up 50m
dns-mns hysteria2 config set bandwidth.down 100m

# Restart with new settings
dns-mns hysteria2 restart

Frequent Disconnections

# Enable keepalive
dns-mns hysteria2 start \
  --server vpn.example.com:443 \
  --password secret123 \
  --keepalive 10s

# Increase timeout
dns-mns hysteria2 start \
  --server vpn.example.com:443 \
  --password secret123 \
  --timeout 60s

ISP-Specific Tips

Irancell (MTN)

Best performance. Use default settings:
dns-mns hysteria2 start \
  --server vpn.example.com:443 \
  --password secret123 \
  --obfs-password salamander

Hamrah Aval (MCI)

QUIC may be blocked. Test first:
# Test QUIC connectivity
dns-mns test-quic vpn.example.com:443

# If blocked, use ShadowTLS instead
dns-mns evasion shadowtls start ...

Rightel

Moderate performance. Use masquerade:
dns-mns hysteria2 start \
  --server vpn.example.com:443 \
  --password secret123 \
  --sni www.microsoft.com \
  --masquerade https://www.microsoft.com

Comparison with Other Protocols

| Feature | Hysteria2 | VLESS+REALITY | ShadowTLS | AmneziaWG |
|---|---|---|---|---|
| Protocol | QUIC/HTTP3 | TCP/TLS | TCP/TLS | UDP/WireGuard |
| Speed | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐☆ | ⭐⭐⭐⭐☆ |
| Stealth | ⭐⭐⭐⭐☆ | ⭐⭐⭐⭐☆ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐☆ |
| UDP Support | ✅ Native | ✅ Yes | ❌ No | ✅ Native |
| Obfuscation | Salamander | XTLS Vision | Certificate Stealing | Junk Packets |
| Best For | Speed | Reliability | Maximum Stealth | UDP Apps |

Advanced Configuration

Custom QUIC Settings

# Advanced config
quic:
  maxIdleTimeout: 60s
  handshakeTimeout: 10s
  maxIncomingStreams: 100

obfs:
  type: salamander
  password: SECRET_PASSWORD

bandwidth:
  up: 50m
  down: 100m

Load Balancing

# Multiple servers
dns-mns hysteria2 start \
  --servers server1:443,server2:443 \
  --password secret123 \
  --strategy round-robin

Failover

# Automatic failover
dns-mns hysteria2 start \
  --primary server1:443 \
  --backup server2:443 \
  --password secret123 \
  --failover-timeout 30s

Security Considerations

Password Strength

# Generate strong password
openssl rand -base64 32

# Minimum recommended: 16 characters
# Ideal: 32+ random characters

Certificate Verification

# Pin certificate hash
dns-mns hysteria2 start \
  --server vpn.example.com:443 \
  --password secret123 \
  --pin-sha256 "SHA256_HASH"


Hysteria2 works best on Irancell (MTN). If you’re on Hamrah Aval (MCI) and QUIC is blocked, consider using ShadowTLS or VLESS+REALITY instead.