Technical

Should You Self-Host Your Own MTProto Proxy?

A pragmatic guide to running your own Telegram proxy server — pros, cons and setup.

MTProto Proxy Engineers · Censorship Circumvention Researchers

Published April 27, 2026 Updated May 15, 2026 8 min read 366 words

Why self-host?

Self-hosting gives you full control: your IP, your secret, your bandwidth, your uptime. Reasons to consider it: (1) you have a strong privacy threat model and do not want to trust any third party including TGFast; (2) you have a small audience (family, team) that you want a private proxy for; (3) you want to learn how MTProto works.

Why not self-host

Self-hosting is more work than it sounds. You need a VPS in an unrestricted country ($3-5/month minimum), basic Linux skills, and the willingness to monitor and rotate IPs when your single server gets blocked. TGFast does all of this for you for free with multiple proxies and 99.9% uptime. For most users, self-hosting is not worth it.

Get a free TGFast proxy

Browse the live country grid on the home page and tap any card to connect Telegram in one second — no signup, no logs.

Open the fleet

Recommended software

The most popular open-source MTProto proxy implementations are mtg (Go-based, fast, supports "ee" obfuscation) and mtprotopy (Python, easy to read). For production use we recommend mtg. Avoid the official Telegram-published binary — it is unmaintained and lacks modern features.

Setup with mtg in 5 minutes

Get a VPS in Germany, Netherlands or Singapore. Install Docker. Run:

SECRET=$(docker run --rm nineseconds/mtg generate-secret hex google.com)
docker run -d --name=mtg --restart=always -p 443:3128 nineseconds/mtg simple-run -t $SECRET 0.0.0.0:3128

This generates an "ee" secret with fake-TLS to google.com and starts a proxy on port 443. Connect with the printed tg:// link.

Stay updated

Join @FastTGProxyMT for instant alerts when servers move or new proxies launch.

Join Telegram Channel

IP rotation

A single self-hosted IP gets blocked in heavily censored countries within days to weeks. To stay alive, you need either: (a) a pool of IPs and a script that rotates the proxy across them; (b) a CDN front that masks the real IP. Both require more work. TGFast does this rotation for you across our multiple proxies.

Bandwidth and capacity

A typical user generates 50-500 KB/s of Telegram traffic during active use, near zero idle. A 1 vCPU / 1 GB RAM VPS with 1 TB monthly bandwidth comfortably handles 50 active users. For larger scale, increase bandwidth and use mtg's built-in rate limiting.

Privacy promise

If you self-host for privacy reasons, remember that the VPS provider can still see your traffic patterns. Choose a VPS provider with strong privacy commitments (e.g. Njalla, BuyVM, FlokiNET). Pay with Monero or pre-paid cards if anonymity is critical.

Frequently Asked Questions

How is MTProto different from SOCKS5 or Shadowsocks?

MTProto is Telegram's native protocol, so traffic looks indistinguishable from a normal Telegram connection to deep packet inspection. SOCKS5 is a generic proxy with a recognizable handshake; Shadowsocks adds obfuscation but still requires the operator to defend their port and keys against probing. MTProto with Fake-TLS adds a TLS-1.3-mimicking handshake that has proven the hardest of the three to fingerprint.

Why does the secret start with "dd" or "ee"?

The leading byte is a magic prefix that tells the Telegram client which obfuscation mode to negotiate. "dd" enables MTProto 2.0 random padding to defeat traffic analysis; "ee" indicates Fake-TLS mode where the entire session is wrapped in a TLS 1.3 handshake. Both are interoperable with all modern Telegram clients.

Can a network operator detect that I am using an MTProto proxy?

A determined operator can sometimes flag suspicious flows by timing analysis, but the encrypted payload itself is opaque. Fake-TLS makes detection significantly harder because the handshake mimics a real HTTPS site (including SNI, ALPN and certificate exchange). Even when flagged, blocking is per-IP, not per-protocol — which is why TGFast rotates IPs continuously.

Does an MTProto proxy add real cryptography or only obfuscation?

Both. The MTProto 2.0 transport adds AES-256-IGE encryption between client and server with per-session keys derived from the shared secret, and Fake-TLS wraps that channel inside a real TLS 1.3 handshake. Even if the proxy operator were malicious, they could not decrypt the inner Telegram session — that key is negotiated end-to-end with Telegram's data centres.

How does TGFast pick which servers to deploy and where?

We monitor latency and packet loss from probe nodes in 14 cities across the regions hit hardest by Telegram restrictions. New servers are spun up where the median latency to nearby ISPs falls below 80 ms and where the upstream provider has historically resisted ISP take-down requests. Capacity is rebalanced weekly.