What is MTProto proxy and Fake-TLS — and why it bypasses DPI
In short: MTProto proxy is Telegram's official protocol for proxy servers, and Fake-TLS is an obfuscation technique where your Telegram traffic looks to the carrier like a regular visit to google.com. We break it down below, which helps explain why our proxy works where others don't.
What is MTProto
MTProto is Telegram's own protocol, developed by Nikolai Durov in 2013. It's how the Telegram client and Telegram servers communicate. The protocol works over TCP and solves three tasks:
- Message encryption — all messages are encrypted with AES-256 in IGE mode with unique keys for each session.
- Integrity verification — every message is signed with SHA-256, so packet substitution is impossible.
- Latency and loss detection — the client uses different data centers (DC1-DC5), and switches if one has issues.
When Telegram was blocked in Russia in 2018-2020, Durov's team added MTProto Proxy — a mode where the Telegram client connects not directly to Telegram servers but through an intermediate proxy server. This feature is built into the official iOS, Android, Desktop and Web clients.
What is Fake-TLS obfuscation
A simple MTProto proxy (without obfuscation) is easily detected by DPI: the first bytes of the connection have a characteristic structure recognized by any modern fingerprint analyzer. So Telegram added the Fake-TLS mode (also known as Secret v2):
- The connection starts with a real TLS ClientHello where SNI points to a legitimate domain (e.g. google.com).
- The proxy server replies with a real TLS ServerHello + certificate — visually indistinguishable from regular HTTPS traffic.
- Only after full TLS masking do the client and server start communicating via MTProto inside the established TLS tunnel.
To the carrier's DPI it looks like "the user opened google.com over HTTPS". Blocking this is impossible without breaking the entire country's HTTPS traffic.
Why our server works where others don't
We use the server software telemt v3.3, a modern open-source Rust implementation of MTProto proxy. What's critical:
What the carrier's DPI sees after connecting
When you connect to our proxy, your Telegram no longer talks to 149.154.160.0/20 (Telegram's range) directly; it connects to a single IP, our proxy server in Frankfurt. To DPI it looks like clean HTTPS on port 443, with no MTProto markers and no Telegram signatures.
TCP SYN → 95.85.227.248:443
TLS ClientHello, SNI=google.com, ALPN=h2,http/1.1
TLS ServerHello, certificate (valid)
Application data: <encrypted>
Application data: <encrypted>
Blocking without breaking the whole internet is impossible.
Are messages encrypted?
Yes, fully. The proxy has no access to the content of your messages: chats are encrypted between the Telegram client and Telegram servers, the keys are generated by the client and the servers, and the proxy only sees encrypted packets. Architecturally it's the same as a regular HTTPS proxy: it forwards encrypted packets but cannot decrypt them.
Separately, Secret Chats are additionally encrypted between clients — even Telegram servers themselves cannot read them.
How MTProto differs from VPN
- Scope. MTProto proxy works only for Telegram. VPN wraps all device traffic (YouTube, Instagram, Chrome, etc.).
- Speed. Proxy is faster than VPN because it doesn't re-encrypt already encrypted traffic (Telegram itself encrypts MTProto).
- Setup. Proxy requires no separate app — added directly in Telegram settings. VPN requires a client.
- Cost. Our proxy is free. A quality VPN usually costs $1-5 per month.
If besides Telegram you need YouTube, Instagram, ChatGPT — get MATRIX VPN with a 7-day trial. If only Telegram — our proxy will be enough forever.