Supported Protocols¶
MoaV deploys 12 protocols, each with different stealth characteristics, speed profiles, and network requirements. This diversity ensures that when one protocol is blocked, others remain available.
Protocol Overview¶
| Protocol | Port | Stealth | Speed | Domain Required |
|---|---|---|---|---|
| Reality (VLESS) | 443/tcp | Very High | High | No |
| Trojan | 8443/tcp | High | High | Yes |
| Hysteria2 | 443/udp | High | Very High | Yes |
| CDN (VLESS+WS) | 443 via CDN | Very High | Medium | Yes (Cloudflare) |
| TrustTunnel | 4443/tcp+udp | Very High | High | Yes |
| WireGuard | 51820/udp | Medium | Very High | No |
| AmneziaWG | 51821/udp | Very High | High | No |
| WireGuard (wstunnel) | 8080/tcp | High | High | No |
| Telegram MTProxy | 993/tcp | High | Medium | No |
| dnstt | 53/udp | Medium | Low | Yes |
| Slipstream | 53/udp | Medium | Low-Medium | Yes |
| Psiphon Conduit | dynamic | High | Medium | No |
| Tor Snowflake | dynamic | High | Low | No |
Protocols in Detail¶
Reality (VLESS)¶
Primary protocol. VLESS with Reality makes your proxy traffic indistinguishable from a real TLS connection to a legitimate website (e.g., dl.google.com). The server presents a genuine TLS certificate from the target site, passing even active probing.
- Port: 443/tcp
- Engine: sing-box
- Clients: Streisand, Hiddify, v2rayNG, v2rayN, NekoBox
Trojan¶
Password-authenticated TLS proxy. Traffic looks like normal HTTPS. Uses your domain's real TLS certificate from Let's Encrypt.
- Port: 8443/tcp
- Engine: sing-box
- Clients: Streisand, Hiddify, v2rayNG, v2rayN, Shadowrocket
Hysteria2¶
QUIC-based protocol optimized for high throughput on lossy networks. Includes built-in obfuscation to bypass QUIC blocking.
- Port: 443/udp
- Engine: sing-box
- Clients: Streisand, Hiddify, v2rayNG, v2rayN
- Note: Requires UDP. Blocked in some censored networks that drop all non-DNS UDP.
CDN (VLESS+WS)¶
Routes VLESS traffic through Cloudflare's CDN via WebSocket. When your server's IP is blocked, traffic goes through Cloudflare instead, making it unblockable without blocking all of Cloudflare.
- Port: 443 (Cloudflare) → 2082 (origin)
- Engine: sing-box
- Clients: Streisand, Hiddify, v2rayNG, v2rayN
- Requires: Cloudflare-proxied domain
TrustTunnel¶
Modern VPN protocol that looks like regular HTTPS traffic. Supports both HTTP/2 (TCP) and HTTP/3 (QUIC/UDP).
- Port: 4443/tcp + 4443/udp
- Engine: TrustTunnel (server) / TrustTunnelClient (client)
- Clients: TrustTunnel app (iOS, Android, macOS, Windows, Linux)
WireGuard¶
Fast kernel-level VPN. Simple, audited, and widely supported. Direct UDP connection.
- Port: 51820/udp
- Engine: sing-box + wstunnel
- Clients: WireGuard app (all platforms)
- Note: Easily fingerprinted by DPI. Use AmneziaWG or wstunnel variant in censored networks.
AmneziaWG¶
Obfuscated WireGuard variant that defeats Deep Packet Inspection. Adds junk packets, changes handshake timing, and modifies header fields to avoid detection.
- Port: 51821/udp
- Engine: amneziawg-tools
- Clients: AmneziaVPN (iOS, Android, macOS, Windows, Linux)
WireGuard (wstunnel)¶
WireGuard tunneled through WebSocket (TCP). Works when UDP is completely blocked.
Telegram MTProxy¶
Telegram-specific proxy with Fake-TLS V2. Emulates real TLS connections, including certificate mimicry and timing simulation. Provides direct access to Telegram when it's blocked.
- Port: 993/tcp (IMAPS port for stealth)
- Engine: telemt
- Clients: Telegram app (built-in proxy settings)
dnstt¶
DNS tunnel that encodes TCP traffic within DNS queries. Extremely hard to block without breaking DNS entirely. Very slow but works as a last resort when almost everything is blocked.
- Port: 53/udp
- Engine: dnstt
- Requires: Domain with NS delegation
Slipstream¶
QUIC-over-DNS tunnel. Similar to dnstt but uses QUIC for better throughput — typically 1.5-5x faster than dnstt.
- Port: 53/udp
- Engine: slipstream (Rust) / pre-built binaries
- Requires: Domain with NS delegation
Psiphon Conduit¶
Bandwidth donation to the Psiphon network. Psiphon users worldwide route through your server. Not a protocol you connect to — it's a way to help others bypass censorship.
- Engine: Psiphon Conduit
- Clients: Psiphon app (iOS, Android, Windows)
Tor Snowflake¶
Bandwidth donation to the Tor network. Acts as a Snowflake proxy, helping Tor users in censored regions connect. Like Conduit, this is about helping others.
- Engine: Snowflake
- Clients: Tor Browser with Snowflake bridge
Choosing Protocols¶
For censored networks (Iran, China, Russia):
- Start with Reality — highest stealth, most reliable
- Add CDN mode — works when your server IP is blocked
- Enable AmneziaWG — for full VPN when WireGuard is fingerprinted
- Enable DNS tunnels — last resort when almost everything is blocked
For general privacy:
- WireGuard — fastest, simplest
- Reality — when WireGuard is blocked
For helping others:
- Conduit — donate bandwidth to Psiphon users
- Snowflake — donate bandwidth to Tor users