Supported Protocols¶
MoaV deploys 13 protocols, each with different stealth characteristics, speed profiles, and network requirements. This diversity ensures that when one protocol is blocked, others remain available.
Protocol Overview¶
| Protocol | Port | Stealth | Speed | Domain Required |
|---|---|---|---|---|
| Reality (VLESS) | 443/tcp | Very High | High | No |
| Trojan | 8443/tcp | High | High | Yes |
| Hysteria2 | 443/udp | High | Very High | Yes |
| CDN (VLESS+WS) | 443 via CDN | Very High | Medium | Yes (Cloudflare) |
| TrustTunnel | 4443/tcp+udp | Very High | High | Yes |
| WireGuard | 51820/udp | Medium | Very High | No |
| AmneziaWG | 51821/udp | Very High | High | No |
| WireGuard (wstunnel) | 8080/tcp | High | High | No |
| Telegram MTProxy | 993/tcp | High | Medium | No |
| dnstt | 53/udp | Medium | Low | Yes |
| Slipstream | 53/udp | Medium | Low-Medium | Yes |
| Psiphon Conduit | dynamic | High | Medium | No |
| XHTTP (VLESS+XHTTP+Reality) | 2096/tcp | Very High | High | No |
| XDNS (VLESS+mKCP+DNS) | 53/udp | Medium | Low | Yes |
| Tor Snowflake | dynamic | High | Low | No |
| MahsaNet | — | — | — | No |
Protocols in Detail¶
Reality (VLESS)¶
Primary protocol. VLESS with Reality makes your proxy traffic indistinguishable from a real TLS connection to a legitimate website (e.g., dl.google.com). The server presents a genuine TLS certificate from the target site, passing even active probing.
- Port: 443/tcp
- Engine: sing-box
- Clients: Streisand, Hiddify, v2rayNG, v2rayN, NekoBox
Trojan¶
Password-authenticated TLS proxy. Traffic looks like normal HTTPS. Uses your domain's real TLS certificate from Let's Encrypt.
- Port: 8443/tcp
- Engine: sing-box
- Clients: Streisand, Hiddify, v2rayNG, v2rayN, Shadowrocket
Hysteria2¶
QUIC-based protocol optimized for high throughput on lossy networks. Includes built-in obfuscation to bypass QUIC blocking.
- Port: 443/udp
- Engine: sing-box
- Clients: Streisand, Hiddify, v2rayNG, v2rayN
- Note: Requires UDP. Blocked in some censored networks that drop all non-DNS UDP.
CDN (VLESS+WS)¶
Routes VLESS traffic through Cloudflare's CDN via WebSocket. When your server's IP is blocked, traffic goes through Cloudflare instead, making it unblockable without blocking all of Cloudflare.
- Port: 443 (Cloudflare) → 2082 (origin)
- Engine: sing-box
- Clients: Streisand, Hiddify, v2rayNG, v2rayN
- Requires: Cloudflare-proxied domain
TrustTunnel¶
Modern VPN protocol that looks like regular HTTPS traffic. Supports both HTTP/2 (TCP) and HTTP/3 (QUIC/UDP).
- Port: 4443/tcp + 4443/udp
- Engine: TrustTunnel (server) / TrustTunnelClient (client)
- Clients: TrustTunnel app (iOS, Android, macOS, Windows, Linux)
WireGuard¶
Fast kernel-level VPN. Simple, audited, and widely supported. Direct UDP connection.
- Port: 51820/udp
- Engine: sing-box + wstunnel
- Clients: WireGuard app (all platforms)
- Note: Easily fingerprinted by DPI. Use AmneziaWG or wstunnel variant in censored networks.
AmneziaWG¶
Obfuscated WireGuard variant that defeats Deep Packet Inspection. Adds junk packets, changes handshake timing, and modifies header fields to avoid detection.
- Port: 51821/udp
- Engine: amneziawg-tools
- Clients: AmneziaVPN (iOS, Android, macOS, Windows, Linux)
WireGuard (wstunnel)¶
WireGuard tunneled through WebSocket (TCP). Works when UDP is completely blocked.
Telegram MTProxy¶
Telegram-specific proxy with Fake-TLS V2. Emulates real TLS connections, including certificate mimicry and timing simulation. Provides direct access to Telegram when it's blocked.
- Port: 993/tcp (IMAPS port for stealth)
- Engine: telemt
- Clients: Telegram app (built-in proxy settings)
Anti-DPI Tuning Settings
telemt has 17+ configurable settings for hostile network environments. All configurable in `.env`: **Traffic Disguise (anti-DPI):** | Setting | Default | Purpose | |---------|---------|---------| | `TELEMT_KEEPALIVE_RANDOM` | `true` | Randomize keepalive payload to break DPI pattern-matching | | `TELEMT_KEEPALIVE_JITTER` | `4` | ±N seconds randomness on keepalive timing | | `TELEMT_KEEPALIVE_INTERVAL` | `20` | Base keepalive interval in seconds | | `TELEMT_WARMUP_JITTER` | `200` | Randomize connection establishment timing (ms) | **Connection Pool Resilience:** | Setting | Default | Purpose | |---------|---------|---------| | `TELEMT_POOL_SIZE` | `12` | Number of persistent connections to Telegram DCs | | `TELEMT_REINIT_SECS` | `600` | Rebuild all connections every N seconds (prevents long-connection fingerprinting) | | `TELEMT_HARDSWAP` | `true` | Build new pool before tearing down old (zero-downtime rotation) | | `TELEMT_HARDSWAP_DELAY_MIN` | `500` | Min delay between new connections during swap (ms) | | `TELEMT_HARDSWAP_DELAY_MAX` | `1200` | Max delay between new connections during swap (ms) | **Fast Reconnect:** | Setting | Default | Purpose | |---------|---------|---------| | `TELEMT_FAST_RETRIES` | `10` | Quick retries before exponential backoff | | `TELEMT_BACKOFF_BASE` | `300` | Backoff start interval (ms) | | `TELEMT_BACKOFF_CAP` | `10000` | Maximum backoff interval (ms) | **Config Stability:** | Setting | Default | Purpose | |---------|---------|---------| | `TELEMT_STABLE_SNAPSHOTS` | `3` | Require N consistent config snapshots before applying changes | | `TELEMT_APPLY_COOLDOWN` | `120` | Minimum seconds between config changes | **For aggressive censorship** (e.g., Iran during shutdowns): increase `TELEMT_POOL_SIZE` to 16-20, decrease `TELEMT_REINIT_SECS` to 300, and increase `TELEMT_FAST_RETRIES` to 20. Full tuning docs: [telemt TUNING.en.md](https://github.com/telemt/telemt/blob/main/docs/TUNING.en.md) | [API docs](https://github.com/telemt/telemt/blob/main/docs/API.md)dnstt¶
DNS tunnel that encodes TCP traffic within DNS queries. Extremely hard to block without breaking DNS entirely. Very slow but works as a last resort when almost everything is blocked.
- Port: 53/udp
- Engine: dnstt
- Requires: Domain with NS delegation
Slipstream¶
QUIC-over-DNS tunnel. Similar to dnstt but uses QUIC for better throughput — typically 1.5-5x faster than dnstt.
- Port: 53/udp
- Engine: slipstream (Rust) / pre-built binaries
- Requires: Domain with NS delegation
XHTTP (VLESS+XHTTP+Reality)¶
Experimental. VLESS over XHTTP transport with Reality TLS camouflage, powered by Xray-core. Uses the XHTTP (formerly splithttp) transport for multiplexed HTTP requests, making traffic look like regular web browsing. Reality handles TLS without needing a domain.
- Port: 2096/tcp
- Engine: Xray-core
- Clients: V2rayNG, Hiddify, Streisand, V2Box, V2rayN, V2rayU, NekoBox
- Note: Uses Xray-core (separate from sing-box). Disable with
ENABLE_XHTTP=falsein.env.
XDNS (VLESS+mKCP+DNS)¶
Experimental. DNS tunnel using Xray-core's mKCP transport with FinalMask XDNS. Encodes VPN traffic inside DNS queries — works when almost everything except DNS is blocked. Slower than other protocols but extremely resilient during heavy internet shutdowns.
- Port: 53/udp (direct to xray, not through dns-router)
- Engine: Xray-core (built from main branch for FinalMask support)
- Clients: Apps with FinalMask support (Happ beta, Xray CLI). Standard v2rayNG does not support FinalMask yet.
- Requires: Domain (for FinalMask packet formatting, NS delegation optional)
- Note: XDNS and dnstt/Slipstream both use port 53 — enable one OR the other in
.env. Client connects directly to server IP on port 53. Best for Telegram and lightweight chat apps — not fast enough for web browsing.
XDNS Tuning
| Setting | Default | Purpose | |---------|---------|---------| | `XDNS_MTU` | `35` | mKCP packet size. Smaller = works with more DNS resolvers. 35=safest, 67=most, 130=unrestricted | | `XDNS_SUBDOMAIN` | `x` | Subdomain for XDNS queries (x.yourdomain.com) | MTU depends on domain name length — shorter domain allows higher MTU. The values above are for ~19-character domains. For aggressive censorship: use `MTU=35` and connect via your ISP's DNS resolver.Psiphon Conduit¶
Bandwidth donation to the Psiphon network. Psiphon users worldwide route through your server. Not a protocol you connect to — it's a way to help others bypass censorship.
- Engine: Psiphon Conduit
- Clients: Psiphon app (iOS, Android, Windows)
Tor Snowflake¶
Bandwidth donation to the Tor network. Acts as a Snowflake proxy, helping Tor users in censored regions connect. Like Conduit, this is about helping others.
- Engine: Snowflake
- Clients: Tor Browser with Snowflake bridge
MahsaNet¶
Config donation to MahsaServer.com, a decentralized VPN config sharing platform for the Mahsa VPN app. With over 2 million users in Iran, Mahsa VPN connects to donated VPN configurations from servers worldwide. Unlike Conduit and Snowflake (which donate bandwidth), MahsaNet donates your server's VPN config links — Mahsa VPN users then connect directly to your server.
- Supported protocols: Reality (VLESS), Hysteria2, Trojan, CDN (VLESS+WS)
- Clients: Mahsa VPN app (Android, iOS)
- Setup: Register on MahsaServer.com, get API key, then
moav donate - Dashboard: Donate, list, and manage configs from the Admin Dashboard
Choosing Protocols¶
For censored networks (Iran, China, Russia):
- Start with Reality — highest stealth, most reliable
- Add CDN mode — works when your server IP is blocked
- Enable AmneziaWG — for full VPN when WireGuard is fingerprinted
- Enable DNS tunnels — last resort when almost everything is blocked
For general privacy:
- WireGuard — fastest, simplest
- Reality — when WireGuard is blocked
For helping others:
- Conduit — donate bandwidth to Psiphon users
- Snowflake — donate bandwidth to Tor users
- MahsaNet — donate VPN configs to Mahsa VPN users in Iran