GitHub link: shobanchiddarth/telegram-proxy-server-aws
Introduction
In my previous blog post I talked about using proxy servers for Telegram to bypass censorship. I also said that using someone else's proxy server makes you less anonymous, as the proxy server admins can easily see your traffic metadata. That is why I created an AWS infrastructure to one-click-deploy your own Telegram MTProto proxy instance in the AWS cloud. Here is how it works.
Architecture
When you deploy the Terraform code to AWS as per the instructions in the GitHub repo, a new VPC is created in Thailand with one subnet, and one EC2 instance is launched there. That instance pulls the Telegram MTProto proxy zero-config container and runs it with a volume mapping that makes the secrets file accessible to the host. The host then pulls another Docker image, a FastAPI app I wrote (code in the GitHub repo) that serves the proxy connection details (including that secret), runs it with a volume mapping as well, and serves it over port 80 while the proxy server runs over port 443.
The architecture has been kept simple because the intended usage is just one group of friends or family. The current configuration is enough to handle that much load. The EC2 instance type is t3.micro which is more than enough for that.
The Proxy Server
MTProto
MTProto is a custom protocol for proxy servers for Telegram. When you host a Telegram proxy server and enter its details in a Telegram client, the client sends all outbound requests to that server, encrypted and obfuscated, instead of to Telegram directly, so that any regional restrictions can be bypassed. Because it is made to run on port 443, it will also look like a regular HTTPS website. ISPs, governments, and big tech will never know it is a Telegram proxy server as the connection is encrypted.
Region choice explanation
In the GitHub repo of the IaC, the region is set to Thailand. This is because it is the closest AWS region to India that is neither in a place that could be affected by the recent war nor in China, so Indian users who connect to it will have low latency. Since Telegram is banned in India (currently), there is no point in hosting it in India. If you want to host it anywhere else, the GitHub repo linked above has instructions.
Security implications
Port 22 open to internet
Currently, port 22 of the EC2 instance is exposed to the public internet. This is generally considered bad practice, but it is a temporary measure, and I also didn't want to commit my public IP address to a GitHub repo. When you host it, for more security, you can do any of the following:
- Change the security group rules to allow only your public IP to port 22
- Use SSM
- Use AWS VPN (it is costly)
- Use EC2 Instance Connect from the AWS console (you will have to allow the port to AWS IP ranges)
- etc
Depending on your use case, you can choose what is best for you to avoid exposing port 22 to the internet.
Anyone who has the public IP of the EC2 can connect to the Telegram proxy (Port 80 open to the internet)
This is because both port 80 and port 443 are open to the entire internet. The management container that exposes the proxy server connection details (which include the secret) runs on port 80. I created it this way because the intended use for this project is that the proxy server is hosted by one person and shared with a small group of people who will keep it private. If you want to hide the proxy server connection details from anyone who has the public IP, I suggest you don't open port 80 to the entire internet. Instead, allow it only from your public IP address, or stop the container entirely, SSH into the machine using any of the above ways, read /data/secret manually, store it, and send it to other people manually.
Other issues
Current architecture can't handle enormous load
The EC2 instance is a t3.micro (as it is in the free tier) and there is only one instance available, while a lot of TCP segments will be sent back and forth per second per user. The current configuration can withstand a few users, like a few friend groups and family members, not entire towns or cities or countries. So don't share the connection details publicly.
The instance runs 24/7
If you don't want the instance to run 24/7, you can shut it down when you don't need it to save costs. Auto scaling groups and load balancing have not been set up, since the target usage is a very small group of people and the complexity is unnecessary. An Elastic IP is used instead of associating a public IP address with the EC2 instance, so that even after a reboot the instance still gets the same IP address. This way, the clients don't need to be reconfigured.
Cost Calculation
We are going to use calculator.aws to calculate the monthly costs for the current setup. Currently, we will be billed for the following.
- EC2 (t3.micro) running 24/7 (actually less than 24/7, as it will be manually shut down sometimes)
- EIP for the EC2
- EBS for the EC2 (gp3 8GB)
- Around 5 GB of internet egress (ingress is free) per month
I entered the details in the AWS cost calculator. Here are the results.
The estimate is $162.84/year, which is $13.57/month. In India that is ₹1,280.89/month and ₹15,370.71/year. You can check it out here (this link will expire in 1 year; here is the JSON export in case it does expire).
{
  "Name": "Telegram Proxy Server singular",
  "Total Cost": {
    "monthly": "13.57",
    "upfront": "0.00",
    "12 months": "162.84"
  },
  "Metadata": {
    "Currency": "USD",
    "Locale": "en_US",
    "Created On": "20/06/2026",
    "Legal Disclaimer": "AWS Pricing Calculator provides only an estimate of your AWS fees and doesn't include any taxes that might apply. Your actual fees depend on a variety of factors, including your actual usage of AWS services.",
    "Share Url": "https://calculator.aws/#/estimate?id=ff8e02fad667c558874ab361764f3189427d0c64"
  },
  "Groups": {
    "Services": [
      {
        "Service Name": "Amazon EC2 ",
        "Description": "Proxy Server",
        "Region": "Asia Pacific (Thailand)",
        "Status": "",
        "Service Cost": {
          "monthly": "9.23",
          "upfront": "0.00",
          "12 months": "110.72"
        },
        "Properties": {
          "Tenancy": "Shared Instances",
          "Operating system": "Linux",
          "Workload": "Consistent, Number of instances: 1",
          "Advance EC2 instance": "t3.micro",
          "Pricing strategy": "On-Demand Utilization: 24 Hours/Day",
          "Enable monitoring": "disabled",
          "DT Inbound: Internet": "5 GB per month",
          "DT Outbound: Internet": "5 GB per month",
          "DT Intra-Region:": "0 TB per month"
        }
      },
      {
        "Service Name": "Amazon Elastic Block Store (EBS)",
        "Description": "default attached to EC2",
        "Region": "Asia Pacific (Thailand)",
        "Status": "",
        "Service Cost": {
          "monthly": "0.69",
          "upfront": "0.00",
          "12 months": "8.28"
        },
        "Properties": {
          "Number of volumes": "1",
          "Average duration of volume": "730 hours per month",
          "Storage amount per volume": "8 GB",
          "Snapshot Frequency": "No snapshot storage",
          "Provisioning IOPS per volume (gp3)": "3000",
          "General Purpose SSD (gp3) - Throughput": "125 MBps"
        }
      },
      {
        "Service Name": "Public IPv4 Address",
        "Description": "TProxyVPC",
        "Region": "Asia Pacific (Thailand)",
        "Status": "",
        "Service Cost": {
          "monthly": "3.65",
          "upfront": "0.00",
          "12 months": "43.80"
        },
        "Properties": {
          "Number of In-use public IPv4 addresses": "1"
        }
      }
    ]
  }
}
This cost estimate is not for free tier accounts.
Step by step process to connect to the proxy server you deployed
Steps to deploy
Check the README of the GitHub repo I linked at the top of this blog.
Steps to connect to the proxy
- Visit the public EIP of your EC2 instance in a browser (as the container runs on port 80).
- The connection details for MTProto client will be visible.
- Follow these steps to enter those details into a Telegram client
- You will be able to use Telegram over a proxy
What I normally do for the above mentioned security implications
- I deploy it
- I open the public IP in a browser
- I note down the connection details
- I then remove the allow 22 and allow 80 rules from the security groups, by commenting out this part in Terraform and running terraform apply again.
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
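An alternative to commenting the rules out, shown as an added example that is not code from the repository: ports 22 and 80 are opened only to CIDRs passed in at apply time, so no IP address has to be committed, and with the default empty list both ports stay closed. The names `admin_cidrs`, `vpc_id` and `proxy_hardened` are hypothetical and need to be mapped onto the repo's own resources.

```hcl
# Added example; variable and resource names are hypothetical.
variable "vpc_id" {
  type = string
}

variable "admin_cidrs" {
  description = "CIDRs allowed to reach SSH (22) and the details page (80)."
  type        = list(string)
  default     = [] # empty list: ports 22 and 80 are not opened at all

  validation {
    condition = alltrue([
      for c in var.admin_cidrs : can(cidrhost(c, 0)) && c != "0.0.0.0/0"
    ])
    error_message = "Each entry must be a valid CIDR and must not be 0.0.0.0/0."
  }
}

resource "aws_security_group" "proxy_hardened" {
  name_prefix = "tg-proxy-"
  vpc_id      = var.vpc_id

  # MTProto proxy: has to stay reachable for the Telegram clients.
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # SSH and the port-80 page that shows the secret: admin CIDRs only.
  dynamic "ingress" {
    for_each = [for p in [22, 80] : p if length(var.admin_cidrs) > 0]
    content {
      from_port   = ingress.value
      to_port     = ingress.value
      protocol    = "tcp"
      cidr_blocks = var.admin_cidrs
    }
  }

  # Outbound traffic is needed to pull the images and relay to Telegram.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

The list can be supplied from an uncommitted `.tfvars` file or on the command line, for example `terraform apply -var 'admin_cidrs=["203.0.113.7/32"]'` (a documentation-range address used as a placeholder). Running `terraform apply` again without the variable closes both ports.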
Conclusion
I successfully created an AWS Terraform project for one-click deploying a single Telegram MTProto proxy server. I did this out of necessity, as the government is currently banning Telegram in my area. Telegram is a private messaging app not owned by the government or Mark Zuckerberg, and that is why they are trying as much as they can to stop people from using it. I already covered this in my previous blog post.
Now, with this repo, anyone in the world can deploy a proxy server for Telegram easily and help their friends who are being censored from the internet. Right now this cannot handle massive load, as I have mentioned above, but I plan to improve this architecture in the near future by using auto scaling groups and an AWS Network Load Balancer (load balancing per TCP connection) between the proxy servers, bastion-based SSH management, and Lambda-based manual scheduling, starting and stopping of servers. The NLB DNS name will then be used as the hostname in Telegram clients. But this is enough for a small number of people.

