New in v6.2.0 - Hysteria2 is a high-performance proxy based on QUIC (HTTP/3) with the Salamander obfuscation layer. It appears as standard HTTP/3 traffic to DPI systems.
Hysteria2 with Salamander Obfuscation
Hysteria2 combines QUIC transport with “Brutal” congestion control for high performance over lossy networks. Salamander obfuscation adds a further layer of evasion on top of it.
Key Features
- HTTP/3 Appearance - Looks like standard QUIC/HTTP3 traffic
- Salamander Obfuscation - BLAKE2b-based payload obfuscation
- Brutal Congestion Control - Maintains bandwidth despite packet loss
- UDP Transport - Harder to fingerprint than TCP protocols
Deployment Notes for Iran
ISP-Specific Behavior:
- Irancell (MTN): Best performance, QUIC generally allowed
- Hamrah Aval (MCI): Mixed results, QUIC sometimes blocked
- Rightel: Moderate performance
QUIC may be temporarily blocked during high-censorship periods.
Configuration
Server Requirements
You’ll need your own Hysteria2 server. Example server configuration:
# Server config (hysteria2.yaml)
listen: :443
tls:
  cert: /path/to/cert.pem
  key: /path/to/key.pem
auth:
  type: password
  password: YOUR_STRONG_PASSWORD
masquerade:
  type: proxy
  proxy:
    url: https://www.bing.com
    rewriteHost: true
Client Configuration
Interactive Mode
dns-mns
# Select: [8] Advanced Evasion Suite
# Then: [5] Hysteria2 Proxy
CLI Mode
# Basic Hysteria2 connection
dns-mns hysteria2 start \
--server your-server.com:443 \
--password YOUR_PASSWORD \
--sni www.bing.com
# With Salamander obfuscation
dns-mns hysteria2 start \
--server your-server.com:443 \
--password YOUR_PASSWORD \
--obfs-password SALAMANDER_KEY \
--sni www.microsoft.com
Configuration File
# ~/.config/dns-mns/hysteria2.yaml
server: your-server.com:443
password: YOUR_PASSWORD
sni: www.microsoft.com
obfs:
  type: salamander
  password: YOUR_OBFS_PASSWORD
bandwidth:
  up: 50m
  down: 100m
Load with:
dns-mns hysteria2 start --config ~/.config/dns-mns/hysteria2.yaml
Salamander Obfuscation
How It Works
Original Payload: [DNS Query Data]
↓
[8-byte Salt] + XOR(BLAKE2b(key+salt), payload)
↓
Obfuscated Payload: [Salt][Encrypted Data]
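The construction in the diagram above, written out as an added Python example (not code from dns-mns or the Hysteria2 project; function names are hypothetical). The 32-byte digest size and the cyclic reuse of the digest as the XOR key are assumptions, since the diagram only gives the 8-byte salt and `XOR(BLAKE2b(key+salt), payload)`. It shows that the layer hides packet structure but does not authenticate or detect tampering.

```python
import hashlib
import os
from typing import Optional

SALT_LEN = 8   # salt size from the diagram above
KEY_LEN = 32   # assumption: BLAKE2b-256 digest, repeated cyclically as the XOR key


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _key(password: bytes, salt: bytes) -> bytes:
    # Per-packet key: hash of the shared obfuscation password plus the salt.
    return hashlib.blake2b(password + salt, digest_size=KEY_LEN).digest()


def obfuscate(password: bytes, payload: bytes, salt: Optional[bytes] = None) -> bytes:
    salt = os.urandom(SALT_LEN) if salt is None else salt
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be 8 bytes")
    return salt + _xor(payload, _key(password, salt))


def deobfuscate(password: bytes, packet: bytes) -> bytes:
    if len(packet) <= SALT_LEN:
        raise ValueError("packet shorter than salt + 1 byte")
    return _xor(packet[SALT_LEN:], _key(password, packet[:SALT_LEN]))


def demo() -> dict:
    pw = b"constructed-obfs-password"  # constructed sample values
    payload = b"constructed sample payload, longer than one 32-byte key block"
    a = obfuscate(pw, payload, salt=b"\x01" * SALT_LEN)
    b = obfuscate(pw, payload, salt=b"\x02" * SALT_LEN)
    tampered = bytearray(a)
    tampered[SALT_LEN] ^= 0x01  # one bit changed in transit
    seen = deobfuscate(pw, bytes(tampered))
    return {
        "round_trip": deobfuscate(pw, a) == payload,
        "salt_changes_wire_bytes": a[SALT_LEN:] != b[SALT_LEN:],
        "bit_flip_passes_undetected": seen[0] == payload[0] ^ 0x01 and seen[1:] == payload[1:],
        "wrong_password_yields_garbage": deobfuscate(b"wrong-password", a) != payload,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A wrong obfuscation password or a modified packet produces no error at this layer; rejection has to come from the TLS handshake and the auth password configured above.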
Enable Salamander
# With obfuscation password
dns-mns hysteria2 start \
--server your-server.com:443 \
--password AUTH_PASSWORD \
--obfs-password SALAMANDER_SECRET
# URI format
hysteria2://auth@server:443/?obfs=salamander&obfs-password=secret&sni=target.com
Generating Obfuscation Password
# Generate strong obfuscation key
openssl rand -base64 32
# Or use dns-mns
dns-mns generate-password --length 32
Usage Examples
Basic DNS Proxy
# Start Hysteria2 DNS proxy
dns-mns hysteria2 start \
--server vpn.example.com:443 \
--password secret123 \
--listen 127.0.0.1:5358
# Use as DNS server
dig @127.0.0.1 -p 5358 google.com
With Masquerade Target
# Use Microsoft as masquerade target (commonly whitelisted)
dns-mns hysteria2 start \
--server vpn.example.com:443 \
--password secret123 \
--sni www.microsoft.com \
--masquerade https://www.microsoft.com
Full Evasion Stack
# Hysteria2 + uTLS fingerprint + custom SNI
dns-mns hysteria2 start \
--server vpn.example.com:443 \
--password secret123 \
--obfs-password salamander123 \
--sni www.microsoft.com \
--fingerprint firefox \
--bandwidth-up 50m \
--bandwidth-down 100m
Bandwidth Configuration
Brutal Congestion Control
Hysteria2 uses “Brutal” congestion control that maintains your configured bandwidth regardless of packet loss:
# Set bandwidth limits
dns-mns hysteria2 start \
--server vpn.example.com:443 \
--password secret123 \
--bandwidth-up 20m \
--bandwidth-down 100m
# Units: bps, kbps, mbps, gbps
Auto-Discovery
# Let Hysteria2 discover bandwidth
dns-mns hysteria2 start \
--server vpn.example.com:443 \
--password secret123 \
--bandwidth-auto
Status and Monitoring
Check Status
# View connection status
dns-mns hysteria2 status
# JSON output
dns-mns hysteria2 status --json
# Output:
# {
# "connected": true,
# "server": "vpn.example.com:443",
# "sni": "www.microsoft.com",
# "obfuscated": true,
# "queries": 1523,
# "successes": 1520,
# "errors": 3
# }
View Statistics
# Detailed statistics
dns-mns hysteria2 stats
# Reset statistics
dns-mns hysteria2 stats --reset
Logs
# View logs
dns-mns hysteria2 logs
# Follow logs
dns-mns hysteria2 logs --follow
# Debug level
dns-mns hysteria2 logs --level debug
Troubleshooting
QUIC Blocked
If you see “connection refused” or timeouts:
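# Check if QUIC is blocked (UDP is connectionless: nc reporting success only
# means no ICMP error came back, not that the QUIC handshake works)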
nc -v -u vpn.example.com 443
# Try TCP fallback (use ShadowTLS instead)
dns-mns evasion shadowtls start \
--server vpn.example.com:443 \
--target www.microsoft.com:443
Authentication Failed
# Verify password
dns-mns hysteria2 test-auth \
--server vpn.example.com:443 \
--password secret123
# Check server logs for auth errors
# Check current bandwidth
dns-mns hysteria2 stats
# Adjust bandwidth settings
dns-mns hysteria2 config set bandwidth.up 50m
dns-mns hysteria2 config set bandwidth.down 100m
# Restart with new settings
dns-mns hysteria2 restart
Frequent Disconnections
# Enable keepalive
dns-mns hysteria2 start \
--server vpn.example.com:443 \
--password secret123 \
--keepalive 10s
# Increase timeout
dns-mns hysteria2 start \
--server vpn.example.com:443 \
--password secret123 \
--timeout 60s
ISP-Specific Tips
Irancell (MTN)
Best performance. Use default settings:
dns-mns hysteria2 start \
--server vpn.example.com:443 \
--password secret123 \
--obfs-password salamander
Hamrah Aval (MCI)
QUIC may be blocked. Test first:
# Test QUIC connectivity
dns-mns test-quic vpn.example.com:443
# If blocked, use ShadowTLS instead
dns-mns evasion shadowtls start ...
Rightel
Moderate performance. Use masquerade:
dns-mns hysteria2 start \
--server vpn.example.com:443 \
--password secret123 \
--sni www.microsoft.com \
--masquerade https://www.microsoft.com
Comparison with Other Protocols
| Feature | Hysteria2 | VLESS+REALITY | ShadowTLS | AmneziaWG |
|---|---|---|---|---|
| Protocol | QUIC/HTTP3 | TCP/TLS | TCP/TLS | UDP/WireGuard |
| Speed | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐☆ | ⭐⭐⭐⭐☆ |
| Stealth | ⭐⭐⭐⭐☆ | ⭐⭐⭐⭐☆ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐☆ |
| UDP Support | ✅ Native | ✅ Yes | ❌ No | ✅ Native |
| Obfuscation | Salamander | XTLS Vision | Certificate Stealing | Junk Packets |
| Best For | Speed | Reliability | Maximum Stealth | UDP Apps |
Advanced Configuration
Custom QUIC Settings
# Advanced config
quic:
  maxIdleTimeout: 60s
  handshakeTimeout: 10s
  maxIncomingStreams: 100
obfs:
  type: salamander
  password: SECRET_PASSWORD
bandwidth:
  up: 50m
  down: 100m
Load Balancing
# Multiple servers
dns-mns hysteria2 start \
--servers server1:443,server2:443 \
--password secret123 \
--strategy round-robin
Failover
# Automatic failover
dns-mns hysteria2 start \
--primary server1:443 \
--backup server2:443 \
--password secret123 \
--failover-timeout 30s
Security Considerations
Password Strength
# Generate strong password
openssl rand -base64 32
# Minimum recommended: 16 characters
# Ideal: 32+ random characters
Certificate Verification
# Pin certificate hash
dns-mns hysteria2 start \
--server vpn.example.com:443 \
--password secret123 \
--pin-sha256 "SHA256_HASH"
Hysteria2 works best on Irancell (MTN). If you’re on Hamrah Aval (MCI) and QUIC is blocked, consider using ShadowTLS or VLESS+REALITY instead.