An MTProto Proxy for Telegram is a server-side application designed to facilitate secure and obfuscated access to the Telegram messaging service, primarily used for bypassing internet censorship and enhancing privacy by routing traffic through an intermediary server.
What is MTProto Proxy?
MTProto Proxy is a specific type of proxy server tailored for the Telegram messaging protocol (MTProto). Unlike standard SOCKS5 or HTTP proxies, an MTProto Proxy implements the MTProto protocol directly, allowing it to seamlessly integrate with Telegram clients. Its primary function is to obfuscate Telegram traffic, making it indistinguishable from typical HTTPS traffic to deep packet inspection systems. This capability is crucial in environments where Telegram is blocked or restricted.
Key characteristics:
* Protocol-Specific: Directly handles Telegram's MTProto protocol.
* Obfuscation: Encrypts and disguures Telegram traffic to evade censorship.
* Server-Side: Requires deployment on a dedicated server (VPS).
* Client-Side Integration: Telegram clients have native support for MTProto proxies.
Prerequisites for Setup
Setting up an MTProto Proxy requires a virtual private server (VPS) and basic Linux administration knowledge.
- Server: A VPS with root access.
- Operating System: Debian or Ubuntu Linux distributions are commonly used and well-supported. CentOS is also viable.
- Resources: Minimal CPU and RAM are sufficient for a basic proxy. 512MB RAM and 1 vCPU are typically adequate for hundreds of concurrent users.
- Network: An open port for incoming connections (default 443 or 80 is often used for obfuscation, but any port can be configured).
- Permissions: Root or sudo privileges on the server.
- Tools: Basic Linux command-line utilities (e.g.,
ssh,curl,aptoryum,systemctl,ufworiptables).
Setting Up an MTProto Proxy Server
Two common methods for deploying an MTProto Proxy are using the official Telegram proxy utility or a Docker container.
Method 1: Official Telegram Proxy (Recommended)
This method involves compiling and running the official Telegram proxy server application.
1. Update System and Install Dependencies
sudo apt update && sudo apt upgrade -y
sudo apt install -y git build-essential libssl-dev zlib1g-dev
For CentOS/RHEL:
sudo yum update -y
sudo yum install -y git make gcc openssl-devel zlib-devel
2. Clone and Build the Proxy
git clone https://github.com/TelegramMessenger/MTProxy.git
cd MTProxy
make && cd objs/bin
3. Generate Secret
A secret is required for client authentication and traffic obfuscation.
head -c 16 /dev/urandom | xxd -ps
This command generates a 32-character hexadecimal string. This will be your SECRET.
For example: a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6
4. Run the Proxy (Initial Test)
./mtproxy -p <PORT> -H <HOST_IP> -S <SECRET> --aes-pwd <PATH_TO_PROXY_SECRET_FILE> -M <WORKER_THREADS>
<PORT>: The port clients will connect to (e.g.,443).<HOST_IP>: Your server's public IP address.<SECRET>: The 32-character hex secret generated previously.<PATH_TO_PROXY_SECRET_FILE>: Typically/etc/mtproxy/proxy-secret(create this file with a random 64-byte secret for internal communication).<WORKER_THREADS>: Number of worker threads (e.g.,1).
For example:
mkdir -p /etc/mtproxy
head -c 64 /dev/urandom > /etc/mtproxy/proxy-secret
./mtproxy -p 443 -H 0.0.0.0 -S a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6 --aes-pwd /etc/mtproxy/proxy-secret -M 1
0.0.0.0 binds to all available network interfaces.
5. Configure as a Systemd Service
For persistent operation, create a systemd service unit.
Create /etc/systemd/system/mtproxy.service:
[Unit]
Description=MTProto Proxy for Telegram
After=network.target
[Service]
Type=simple
ExecStart=/root/MTProxy/objs/bin/mtproxy -p 443 -H 0.0.0.0 -S a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6 --aes-pwd /etc/mtproxy/proxy-secret -M 1
WorkingDirectory=/root/MTProxy/objs/bin
User=root
Restart=on-failure
[Install]
WantedBy=multi-user.target
Replace the ExecStart parameters with your specific port, secret, and file paths. Adjust WorkingDirectory if you cloned MTProxy to a different location.
Reload systemd, enable, and start the service:
sudo systemctl daemon-reload
sudo systemctl enable mtproxy
sudo systemctl start mtproxy
sudo systemctl status mtproxy
6. Firewall Configuration
Open the chosen port (e.g., 443) on your server's firewall.
UFW (Ubuntu/Debian):
sudo ufw allow 443/tcp
sudo ufw enable # if not already enabled
IPTables (CentOS/RHEL, or without UFW):
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
sudo service iptables save # or use firewalld
Firewalld (CentOS/RHEL 7+):
sudo firewall-cmd --zone=public --add-port=443/tcp --permanent
sudo firewall-cmd --reload
Method 2: Docker (Alternative)
Using Docker simplifies deployment and dependency management.
1. Install Docker
Follow official Docker installation guides for your OS.
2. Generate Secret
head -c 16 /dev/urandom | xxd -ps
This is your SECRET.
3. Run the Proxy with Docker
docker run -d --name mtproxy-server -p 443:443 --restart=always \
telegrammessenger/proxy:latest \
-S a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6 \
--aes-pwd /etc/mtproxy/proxy-secret -M 1
-d: Run in detached mode.--name mtproxy-server: Assign a name to the container.-p 443:443: Map host port 443 to container port 443.--restart=always: Ensure the container restarts with the Docker daemon.telegrammessenger/proxy:latest: The official Docker image.-S <SECRET>: Your generated secret.--aes-pwd /etc/mtproxy/proxy-secret: A placeholder. Docker image generates this internally.-M 1: Number of worker threads.
Ensure your host firewall (UFW/Firewalld/IPTables) allows traffic on port 443. Docker handles internal networking.
Obtaining a Tag (Optional)
A tag is an optional parameter that allows proxy operators to link a sponsored channel to their proxy. When users connect via a tagged proxy, the sponsored channel is displayed at the top of their chat list.
To obtain a tag:
1. Message @MTProxybot on Telegram.
2. Send /newproxy to the bot.
3. Provide your proxy's public IP address and port.
4. The bot will provide a tag value.
Integrate the tag into your ExecStart command for the systemd service or Docker command:
# Systemd (add --tag <YOUR_TAG>)
ExecStart=/root/MTProxy/objs/bin/mtproxy -p 443 -H 0.0.0.0 -S a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6 --aes-pwd /etc/mtproxy/proxy-secret -M 1 --tag <YOUR_TAG>
# Docker (add -T <YOUR_TAG>)
docker run -d --name mtproxy-server -p 443:443 --restart=always \
telegrammessenger/proxy:latest \
-S a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6 -M 1 -T <YOUR_TAG>
Restart the MTProto Proxy service/container after adding the tag.
Connecting to the MTProto Proxy
Once the proxy server is running, users can connect via a direct link or manual configuration.
Proxy Link Format
The most convenient way to share the proxy is via a tg:// link:
tg://proxy?server=<SERVER_IP>&port=<PORT>&secret=<SECRET>
Example: tg://proxy?server=192.0.2.1&port=443&secret=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6
Clicking this link on a device with Telegram installed will prompt the user to add the proxy.
Manual Configuration in Telegram App
- Open Telegram settings.
- Navigate to "Data and Storage" (or "Privacy and Security" on some clients).
- Select "Proxy Settings".
- Toggle "Use Proxy" or "SOCKS5/MTProto Proxy".
- Choose "MTProto Proxy".
- Enter the server's public IP address in the "Server" field.
- Enter the configured port (e.g., 443) in the "Port" field.
- Enter the
SECRETin the "Secret" field. - Save the settings.
Telegram clients will then attempt to connect via the configured MTProto Proxy.
Security Considerations
- Keep System Updated: Regularly update your server's operating system and installed packages to patch vulnerabilities.
- Strong Secrets: Use a strong, randomly generated secret. Avoid predictable patterns.
- Firewall: Restrict access to the proxy port using a firewall. Only allow necessary inbound connections.
- Monitor Logs: Regularly check proxy logs (
journalctl -u mtproxy.servicefor systemd) for unusual activity or errors. - Minimal Privileges: While the official proxy often runs as root for simplicity, consider running it under a less privileged user if possible, though this adds complexity to file permissions.
Troubleshooting Common Issues
- Connection Fails:
- Firewall: Verify the proxy port is open on the server's firewall.
- Incorrect Details: Double-check the server IP, port, and secret entered in the Telegram client.
- Proxy Not Running: Check the proxy service status (
sudo systemctl status mtproxyordocker ps). - Network Issues: Confirm the server has internet connectivity.
- Slow Performance:
- Server Resources: Monitor CPU, RAM, and network utilization on your VPS. Upgrade if resources are exhausted.
- Network Latency: High latency between the client and the proxy server can affect speed.
- Bandwidth: Ensure your VPS has sufficient bandwidth for the number of users.
- Proxy Not Starting:
- Logs: Review systemd logs (
journalctl -u mtproxy.service) or Docker logs (docker logs mtproxy-server) for error messages. - Dependencies: Ensure all required build dependencies are installed.
- Port Conflict: Verify no other service is using the chosen proxy port.
- Logs: Review systemd logs (
Comparison: MTProto Proxy vs. SOCKS5/HTTP Proxy
| Feature | MTProto Proxy | SOCKS5/HTTP Proxy |
|---|---|---|
| Protocol | Telegram's native MTProto protocol | Generic SOCKS5 or HTTP/HTTPS protocols |
| Obfuscation | Built-in, designed to bypass DPI | Minimal to none; traffic patterns are often identifiable |
| Censorship | Highly effective against Telegram blocking | Less effective; can be blocked by protocol analysis |
| Security | Encrypted traffic, specific to Telegram | Encrypted if used with TLS (HTTPS), otherwise plain |
| Configuration | Specific "Secret" required; native in Telegram apps | Server, Port, (optional) Username/Password; generic proxy settings |
| Use Case | Primarily for Telegram access in restricted regions | General internet traffic, various applications |
| Performance | Optimized for Telegram traffic | General-purpose; performance depends on implementation |