
Against the backdrop of last year’s escalation of censorship in the Russian Federation, the articles by MiraclePTR were a breath of freedom for many Russian-speaking IT folks. I want to open the door to free information a bit wider and invite “non-techies” (“dummies”) who want to spin up a personal proxy server to bypass censorship but feel lost in the flood of information or were stopped by a confusing technical error.
In this article I’ve described a universal solution that provides transparent access to the global internet bypassing censorship, uses cutting-edge traffic obfuscation, doesn’t depend on a single corporation, and most importantly has ample “safety margin” against interference from censors.
This article is aimed at “dummies” unfamiliar with the subject area. However, people “in the know” may also find something useful (for example, a slightly simpler setup for proxying via CloudFlare without having to run nginx on the VPS).
If you still don’t have a personal proxy to bypass censorship — this is your sign.
A couple of months ago, in the Amnezia Telegram chat discussing censorship circumvention, an anonymous participant brought up the example of “a dentist from Chertanovo” who would like to spin up his own server but “couldn’t hack” the techy articles, isn’t ready to Google errors, and just needs a clear manual: do this and it will work.
I’m kind of a “dentist from Chertanovo” myself: I haven’t worked in IT for over 15 years.
I remember how a couple of years ago I bought a virtual server “to play with” and was afraid to type commands there, so it idled for the whole paid period. But eventually, censorship circumvention became my hobby, I figured things out, and now I’m writing this piece with my past self in mind: back then I would have been glad to find an instruction like this.
I consider the proposed solution universal. That’s my subjective opinion backed by my own experience as well as that of like‑minded folks (not all of them:) from the TG chat where we discuss setting up and operating various proxies and VPNs. (note this is a chat, not a channel; I’m not its owner/moderator and it’s not monetized at the moment. Just a place to ask questions and share experience on the topic.)
Surely there will be readers who find the solution in this article excessive — or, conversely, insufficient (if so — feel free to jump into the comments). Still, I dare claim that once you set up a proxy following this guide, you’ll forget about censorship issues for a long time.
It takes me about half an hour to follow this guide; for someone totally new to the topic, a couple of evenings.
I ask the techies to forgive me for describing some points in excessive detail: one of the goals here is to raise IT literacy among non‑IT people.
You’ll find the actual step‑by‑step guide in the second part of the article. First I’ll orient those who want to understand the current landscape and justify the choices made.
There are both judicial and extrajudicial blocks in Russia. You can look up explicitly blocked resources on the Roskomnadzor (RKN) website. Such resources include, for example, the well‑known Instagram, Facebook, and RuTracker.
Extrajudicial blocks are more interesting. Around Russia’s “perimeter” there are already “black boxes”: RKN equipment called “TSPU” that censors all traffic crossing the border over wires. TSPU stands for Technological Means of Threat Prevention: anything RKN deems a “threat” can be quietly blocked. Thus, for example, they currently block the HideMy.name service extrajudicially; in the summer of 2023 they blocked the popular protocols OpenVPN and WireGuard, and in the fall, in southern regions, they blocked virtually all “unknown” TCP traffic. In other words, not only resources but also data transmission protocols are subject to blocking.
Many extrajudicial blocks are turned on and off seemingly at random.
Moreover, extrajudicial blocking is being carried out by ISPs as well: there is evidence of extrajudicial traffic censorship within the country. Whether they do it on their own or whether TSPU devices (controlled by RKN) are also installed on internal backbones, I don’t know.
Finally, beyond blocking, RKN can “slow down” some resources, for example Twitter. It’s possible that YouTube will share the same fate soon (I think it won’t be blocked outright but throttled… although Google itself is already doing a fine job of that). I’d love to be wrong, but if that happens, a personal proxy will be very helpful for comfortable access to the global video library.
And lastly: using censorship‑circumvention tools is not prohibited (not illegal) in Russia at this time.
For completeness, it’s worth mentioning coercive methods of censorship: publishing opinions on certain topics is criminally punishable in Russia, and a proxy won’t help with that. A proxy helps you access already published information.
As far as I know, technical bans on access to unwanted information in the West are minimal and nowhere near Russia’s. Formally, freedom is preserved.
Blocking unwanted information happens a bit differently there. I see three main trends:
The first two trends are countered by common sense, and the third — by a proxy:).
Good news: practically all technically created barriers to information can be bypassed with a proxy server.
To follow this guide you’ll need to buy:
I wish I could link to a reliable VPS provider (to make it easier for “dummies” who don’t want to dive into the topic) — but no… I haven’t met a universal hoster. I’ll just outline the criteria, and you’ll have to choose a VPS yourself.
So you need a VPS that meets the following criteria:
A VPS like this typically costs $5 / 500 ₽ per month. Cheaper can be found ($0.99/130₽). A low price may be a sign of unreliability… or not.
And now the flame‑war question: should you buy a VPS from a foreign provider using a foreign card (or crypto), or can you buy from a hoster that accepts Russian cards?
I don’t have a definitive answer. If you don’t mind the hassle, I’d suggest a foreign hoster. Any payment with a Russian card deanonymizes you, and the authorities can find out who paid for the proxy if they want.
On the other hand, a proxy is a means to bypass censorship (which is fully legal at the moment), not a means of anonymity. No proxy guarantees absolute anonymity on the internet, even if you pay with crypto.
Here’s my take: I personally don’t have the goal of “remaining anonymous” and hiding the fact I paid for a server abroad, since my activity doesn’t break Russian laws (again: as of now).
So I pay for a foreign VPS with a Russian card. That works for me, I’m not imposing it, and I’ll likely change it someday.
Same with domain names: you can buy a .ru domain with a Russian card, or any domain (except .ru and .рф) abroad.
So, the goal is to create and configure a proxy: fast and hard to block.
There’s a great product — Amnezia. It also positions itself as a “universal solution” and supports a suitable protocol (cloak), but I don’t recommend it due to “growing pains”:
I wish Amnezia success — it really can become a universal solution in the future, but as of today I see only one candidate: VLESS‑XTLS‑Reality.
UPDATE 11.2024
Since this article was published, Amnezia has learned to support an XRAY server with the VLESS protocol. Of course, there isn’t much freedom of configuration there (no alternate path via CDN or proxying through WARP), but as of today it’s a workable tool, albeit without a “safety margin”.
At the moment VLESS‑XTLS‑Reality cannot be detected using DPI (deep packet inspection), even in China. But the censor has other ways to interfere with it. So see the following list:
If you follow these conditions (in current realities) the server cannot be identified and blocked. Still, I like redundancy, so… in case your VPS gets unexpectedly blocked by IP — there’s a “Plan B”: proxying traffic through a CDN (Content Delivery Network).
CloudFlare CDN
CDNs are built to balance traffic for large sites and consist of hundreds of IP addresses, so the chance they’ll be blocked in Russia is minimal. I use one of the world’s largest CDNs — CloudFlare with the free plan. You’ll attach your purchased domain to CloudFlare to send traffic through it.
Proxying via a CDN is a bit slower than a direct connection to the server. But with a CDN, Roskomnadzor won’t learn your server’s IP at all.
CloudFlare Warp
Warp is a public proxy network by the same company CloudFlare, accessed via the WireGuard VPN protocol. From Russia you can’t connect to Warp, of course, but from a foreign VPS — no problem.
If CloudFlare disappears, the whole scheme will continue to work directly, and you’ll still be able to connect to any other CDN (there are dozens), and use any other foreign proxy instead of Warp. But as long as it works — use CloudFlare.
That’s it for theory — on to the how‑to.
Once you’ve purchased a VPS with a clean Debian 12 preinstalled (see “Theory pt.2” above), the provider will usually give you access to the server within minutes, most often by e‑mail, sometimes in the panel.
During installation the script will ask you for a number; you should answer
Step 7: Generate a self‑signed TLS certificate and copy it into the 3X‑UI panel
That completes the server setup.
You can tinker further to harden the server and improve obfuscation, but for a “start” I consider it unnecessary. You’ve applied the minimum settings needed for stable operation.
Finally, save (Save button at the top of the page) and be sure to restart the panel (Restart Panel, Sure).
Save the panel access URL, login, and password somewhere.
Xray is the proxy server managed by the 3X‑UI panel. Xray is what supports the VLESS protocol with obfuscation.
Step 3: Find a donor site for obfuscation.
As early as step 4 the panel will suggest disguising as . It’ll do. But if your server is in Europe, that will add latency when opening new sites since Yahoo’s servers are in the U.S.
Ideally, find a site within your hoster’s subnet (here’s an instruction), but it may turn out there isn’t one in the subnet (happened to me).
So a simpler option: find a small site in the same country where you rented the VPS, then SSH to the server and ping it from there. If the response time is minimal (e.g., 15 ms) — it’s suitable.
Update 21.02: Reports have appeared that nltimes.nl is no longer suitable for obfuscation — it started protecting itself somehow and disguising as it stops working rather quickly. Choose other sites for obfuscation.
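The latency check from step 3, as an added example that is not part of the original article: a script to run on the VPS that pings candidate donor sites and lists those at or below a threshold, fastest first. The 20 ms default threshold, the script name and the host names passed as arguments are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: rank candidate donor sites
# by average ping RTT measured from the VPS.
# Usage on the VPS: sh donors.sh site1.example site2.example ...
# (donors.sh and the host names are placeholders).

MAX_MS="${MAX_MS:-20}"   # assumed cut-off; the article's example value is 15 ms

# Read ping output on stdin and print the average RTT in ms, taken from the
# summary line "rtt min/avg/max/mdev = 14.1/15.2/16.9/0.8 ms".
# Prints nothing when there is no summary (host down or ICMP filtered).
avg_rtt() {
    awk -F'=' '/min\/avg\/max/ { split($2, p, "/"); print p[2] + 0 }'
}

# Read "host avg_ms" lines on stdin, keep those at or below the limit given
# as $1, and print them fastest first.
rank_donors() {
    awk -v max="$1" 'NF == 2 && $2 + 0 <= max + 0' | sort -k2,2n
}

# Ping every host given as an argument 5 times and print "host avg_ms".
probe() {
    for host in "$@"; do
        avg=$(ping -c 5 -q "$host" 2>/dev/null | avg_rtt)
        if [ -n "$avg" ]; then echo "$host $avg"; fi
    done
}

# Only touch the network when hosts were passed on the command line.
if [ "$#" -gt 0 ]; then
    probe "$@" | rank_donors "$MAX_MS"
fi
```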
There are many apps, for virtually all platforms, and they’ve stood the test of time.
The interface is so simple I decided not to include screenshots.
After installing the app you only need to do two things:
That’s it! Hit the big round button — and the proxy will work!
Most apps (including browsers) understand the first mode. But not all. If some Windows app doesn’t see your proxy — switch to TUN mode (in Hiddify‑Next settings). For TUN mode to work, Hiddify‑Next must be launched “as administrator” (the app will remind you).
Hiddify‑Next on Android:
Android has a super handy “Split tunneling” option (in Hiddify‑Next settings). iOS doesn’t.
Split tunneling lets you choose which apps will use the proxy. For example, I can select “Proxy only selected apps” and tick: “Instagram, Canva, and Chrome.” After enabling the proxy, only these three apps will use it, while the rest (banking apps, Yandex Maps, etc.) will connect to their servers directly.
If you set up split tunneling for chosen apps, you can keep the proxy enabled on your phone all the time.
UPD 01.2025: Hiddify has already been released for iOS; it’s stable and convenient, suitable for most people. I recommend it.
Other iOS apps (Streisand, Shadowrocket) may only be needed if you want to fine‑tune things — which is beyond this article.
Streisand is a free app, but in December it became paid for a few days. If it becomes paid again in the future (~200₽) — I think it’s worth the money.
So, the same two steps:
Then — paste it into the app via “+” in the top right.
Finally, go to “Routing”, and there (tick), (toggle “enable”), and go back (left arrow)
You can connect! (on first connect the phone will ask for a password).
I limited the guide to two apps, but if you want to experiment with others — there will be three links at the end with more info.
upd: I don’t have macOS to test, but @Spoofi pointed out that macOS Hiddify Next currently doesn’t “do” TUN mode (I wrote about TUN above), but FoxRay does.
upd 25.01. Streisand started showing ads. To keep them out of the way — after finishing all settings — you can enable/disable the VPN via system settings rather than the app UI. Another option is to use the paid ShadowRocket. There will be links at the end — there you can find ShadowRocket setup guides. If you’re setting up a proxy for the first time — I recommend starting with Streisand.
If you’ve followed the guide — your devices should already have a working proxy. But is it doing its job? Did the VPS provider mislead you? Let’s check.
If some Western site doesn’t let you in via the VPS, then as a workaround you can send traffic to that site via WARP.
To do this in the panel 3x‑ui->Xray Settings->Routing Rules find and edit the line — add sites separated by commas, e.g. (be sure to save changes and restart Xray)
After that Western sites will see the WARP network’s IP instead of your VPS IP, which will almost certainly bypass their censorship.
Yes, getting an IP address is always a lottery and there’s a small chance of issues, but most often it works the first time.
Although I don’t believe that — with the precautions taken — the server can ever be blocked, reality usually doesn’t care about our beliefs.
Proxying via a CDN is Plan B. Now you’ll set up another, backup connection that will work even if your VPS becomes unreachable from within Russia.
Step 1: Choose a domain registrar and make sure the domain name is available (see Theory pt.2), but DO NOT BUY it yet. CloudFlare only works with second‑level domains (there are exceptions, but they won’t help us). A second‑level domain is one with a single dot, like or .
For this guide I chose the domain name from the seller Dreamhost. Right now Dreamhost is giving away .store domains for free for 1 year — but only for customers who have previously bought something.
So you’ve bought the domain and set the required name servers. Activating a freshly purchased domain will take a few minutes — perfect time to finish CloudFlare setup.
Step 6: In (DNS) create an A record for your domain to your server’s IP. For me it looks like this:
Step 7: (I’ll skip screenshots)
Finally, test what you got. Export the key string of this new connection and copy it into the app — the proxy should work. (this isn’t the CDN yet; you’ve only connected to your VPS via port 2053 using VLESS‑gRPC, but soon CloudFlare will do that for you)
Update. In new versions of many apps, either a bug or a “feature” appeared that makes them incompatible with this step. Likely due to a quirk in the new sing-box core underpinning all client apps.
What to do? Use the proven Hiddify-Next app version 0.11.1.
Or do this: in most cases filling the SNI field with your domain name (for example — in the screenshot it’s empty) solves the compatibility issue with new versions.
What if you have iOS, where only fresh app versions are available?
a) follow this step as instructed, filling the SNI field as well. There’s a chance the direct connection won’t work, but it will be useful at step 13
b) follow step 13 with the updated instructions; the CDN will work.
Step 10: Final CloudFlare setup.
If this message isn’t there, and instead you still see the page with two orange clouds — it means one of two things:
Theory: The ECH technology (Encrypted Client Hello) is designed to hide the addresses of visited sites from censors. Censors don’t like that. In China ECH has been blocked for years. I’m surprised RKN only did it now.
Our task is to masquerade as an innocuous site, not to hide the page address. So we don’t need ECH. We’ll disable it.
What to do: On free plans it can’t be disabled via the site, but there’s a workaround.
Run the following command in the command line:
Open a browser and go to (replace the site name with yours and the path with your own — the one you set for the 3x‑ui panel).
The 3x‑ui panel will open. From now on you’ll manage the panel from this address!
That means any censor visiting your site will see there’s a real web server there. The 3x‑ui panel itself acts as the web server, returning 404 for any address it doesn’t know. No outside observer will learn the panel’s address (). And if a censor listens to the traffic, they’ll see an encrypted gRPC stream used to serve web apps across the internet.
Before:
After:
Fair use
Obviously, the fact that CDNs allow proxying WebSockets and gRPC on their free tiers is an act of goodwill. Let’s not be greedy and use these capabilities only in truly desperate cases, which hopefully won’t come.
I tried to make this article comprehensive and self‑contained so you can set up a personal proxy server to bypass censorship with ample protection against blocking.
But in case you want to dig deeper — I recommend these three articles that inspired me and contain additional technical details and nuances:

