When an ISP or national firewall throttles or blocks Telegram, the usual advice is "use a VPN." But there's a lighter, Telegram-specific tool that is often more resilient and far simpler for end users: the MTProto proxy with FakeTLS.
DPI vs. Telegram
Deep Packet Inspection classifies traffic by its protocol fingerprint. A plain MTProto stream or a naive proxy is easy to spot and drop. The trick is to make the connection look like something completely ordinary.
How FakeTLS works
MTProto is Telegram's own transport protocol. FakeTLS wraps it so the wire looks like a normal TLS 1.3 handshake to a real website:
- The client sends a TLS ClientHello with the SNI of a popular domain (e.g. www.microsoft.com).
- Authentication is a per-user secret verified via an HMAC computed over the ClientHello (with the 32-byte random field acting as the digest).
- If the HMAC is invalid (a censor's active probe), the proxy transparently proxies the prober to the real fronting domain — so an attacker who pokes the port just gets Microsoft's real certificate back.
To a censor, a real client's flow is indistinguishable from an HTTPS visit to that domain. That's what keeps it working where generic proxies are already blocked.
A failure mode nobody documents: clock skew
Here's a real-world gotcha we hit in production. FakeTLS embeds a timestamp for anti-replay. If the proxy host's clock drifts more than a couple of minutes, every legitimate client handshake is rejected:
invalid faketls client hello: incorrect timestamp. got=..., now=..., diff=2m54s
The nasty part: the proxy still accepts TCP, still answers TLS, still passes an openssl s_client masquerade check — it looks perfectly alive. It just silently falls back to domain-fronting instead of relaying, so every user on that host is broken at once. The fix is boring but essential: run NTP (chrony) on every proxy host. We shipped a box without it and spent an afternoon chasing "the proxy is down" tickets that were really a 3-minute clock drift.
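As an added example (not code from this post or from any proxy project), this Python sketch scans proxy log lines for the rejection message quoted above and separates host clock skew from scattered per-client rejections. The clustering heuristic, the thresholds and the sample lines are assumptions; only the `diff=` field of the log line is parsed.

```python
import re
from statistics import median

# Rejection line as quoted in the post; only the diff= field is parsed.
SKEW_RE = re.compile(r"incorrect timestamp\..*?diff=(-?[\d.a-zµ]+)")
# Go time.Duration components; two-letter units are tried before "m" and "s".
PART_RE = re.compile(r"(\d*\.?\d+)(ns|us|µs|ms|h|m|s)")
UNIT_S = {"h": 3600.0, "m": 60.0, "s": 1.0, "ms": 1e-3,
          "us": 1e-6, "µs": 1e-6, "ns": 1e-9}

def parse_go_duration(text):
    """Convert a Go duration string such as '2m54s' to seconds."""
    body = text.lstrip("-")
    parts = PART_RE.findall(body)
    if not parts or "".join(n + u for n, u in parts) != body:
        raise ValueError(f"not a Go duration: {text!r}")
    total = sum(float(n) * UNIT_S[u] for n, u in parts)
    return -total if text.startswith("-") else total

def diagnose(lines, min_hits=5, spread_s=10.0, share=0.8):
    """Classify timestamp rejections found in proxy log lines.

    Host clock drift shifts every client by the same offset, so the diffs
    cluster around one value; replays or individual clients with bad clocks
    give scattered diffs. Thresholds are assumptions to tune per deployment.
    """
    diffs = [parse_go_duration(m.group(1).rstrip("."))
             for m in map(SKEW_RE.search, lines) if m]
    if len(diffs) < min_hits:
        return ("ok", None)
    mid = median(diffs)
    near = sum(abs(d - mid) <= spread_s for d in diffs)
    if near / len(diffs) >= share:
        return ("clock_skew", mid)
    return ("scattered", None)

# Constructed sample log lines (got=/now= left elided, as in the post).
PREFIX = "invalid faketls client hello: incorrect timestamp. got=..., now=..., diff="
DRIFTING_HOST = [PREFIX + d for d in
                 ("2m54s", "2m54s", "2m55s", "2m53s", "2m56s", "2m54s")]
DRIFTING_HOST.insert(2, "client connected")  # unrelated line, ignored
SCATTERED = [PREFIX + d for d in
             ("2m54s", "14h3m0s", "-45m10s", "9m2s", "3h0m0s")]

if __name__ == "__main__":
    print(diagnose(DRIFTING_HOST))
    print(diagnose(SCATTERED))
```

A `clock_skew` verdict carries the median offset in seconds, which is the value to compare against what chrony reports on that host.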
MTProto proxy vs VPN
| | MTProto proxy | VPN |
|---|---|---|
| Scope | Telegram only | whole device |
| Setup | one tap on a link | install + configure |
| Detectability | masked as TLS | often fingerprinted |
| Battery/speed | negligible / fast | heavier |
For unblocking Telegram specifically, MTProto is usually the better tool.
Try it
- Notes + setup (open): https://github.com/blureshot/free-telegram-proxy
- A free, working MTProto proxy (24h, no signup, one-tap): https://t.me/NotifyGproxyBot?start=devto
Full disclosure: that bot is the free tier of a proxy service I work on (GProxy). But the mechanics above are protocol-level and vendor-neutral — any FakeTLS MTProto proxy (mtg, mtprotoproxy) works the same way, and the clock-skew lesson applies to all of them.