Technical

Self-Hosting MTProto: Pre-Launch Checklist

Before launching your own MTProto proxy server, work through this 12-item checklist.

MTProto Proxy Engineers · Censorship Circumvention Researchers

Published April 27, 2026 Updated May 15, 2026 8 min read 391 words

Why a checklist

Self-hosting an MTProto proxy is technically simple but operationally finicky. Many self-hosted proxies are unreliable because the operator missed one or two basic checks. This checklist captures the critical items.

1. Server location

Pick a country with no Telegram restrictions and good peering to your target users. Germany, Netherlands, Singapore, Japan are typical choices. Avoid countries that block Telegram (your proxy will be slower than direct).

Get a free TGFast proxy

Browse the live country grid on the home page and tap any card to connect Telegram in one second — no signup, no logs.

Open the fleet

2. Provider reputation

Use a reputable VPS provider that does not block proxy/VPN-style use. Hetzner, OVH, Vultr, DigitalOcean and Linode all permit MTProto proxies in their terms. Avoid providers with strict acceptable use policies (some "premium gaming" hosts block any proxy use).

3. Resource allocation

1 vCPU, 1 GB RAM, 1 TB monthly bandwidth handles 50-100 active users. Scale linearly: 200 users = 2 vCPU + 2 TB bandwidth. Most starter VPS plans ($3-5/month) are sufficient.

Stay updated

Join @FastTGProxyMT for instant alerts when servers move or new proxies launch.

Join Telegram Channel

4. Software choice

Use mtg (https://github.com/9seconds/mtg) for new deployments — it is actively maintained, supports "ee" obfuscation and has good performance.

5. Port choice

Use a high random port (30000-60000). Avoid 80, 443, 8080. Document your choice for users.

6. Secret generation

Generate the secret on the server itself using mtg's built-in command. Do not reuse a secret across multiple servers — each server should have a unique secret to limit blast radius.

7. Firewall rules

On the host, allow inbound TCP on your chosen port only. Block everything else. Use ufw or iptables. This minimises attack surface.

8. Process supervision

Run mtg under systemd or Docker with restart=always. The proxy must auto-restart on crashes or it will silently fail.

9. Monitoring

Set up uptime monitoring (UptimeRobot has a free tier). Get alerts when your proxy goes down. A proxy that has been down for 6 hours is essentially useless.

10. Log management

Configure mtg to log only to stderr (no traffic content logging). Use logrotate to keep system logs from filling the disk. Discard access logs after 24 hours.

11. Bandwidth alerts

Set a bandwidth alert at 80% of your monthly cap. Telegram traffic is bursty — a surge of users can blow through your cap unexpectedly.

12. Backup proxy

Run a second proxy on a different provider in a different country. If your primary IP gets blocked, you have a fallback. This is what TGFast does at scale; it works at small scale too.

Frequently Asked Questions

How is MTProto different from SOCKS5 or Shadowsocks?

MTProto is Telegram's native protocol, so traffic looks indistinguishable from a normal Telegram connection to deep packet inspection. SOCKS5 is a generic proxy with a recognizable handshake; Shadowsocks adds obfuscation but still requires the operator to defend their port and keys against probing. MTProto with Fake-TLS adds a TLS-1.3-mimicking handshake that has proven the hardest of the three to fingerprint.

Why does the secret start with "dd" or "ee"?

The leading byte is a magic prefix that tells the Telegram client which obfuscation mode to negotiate. "dd" enables MTProto 2.0 random padding to defeat traffic analysis; "ee" indicates Fake-TLS mode where the entire session is wrapped in a TLS 1.3 handshake. Both are interoperable with all modern Telegram clients.

Can a network operator detect that I am using an MTProto proxy?

A determined operator can sometimes flag suspicious flows by timing analysis, but the encrypted payload itself is opaque. Fake-TLS makes detection significantly harder because the handshake mimics a real HTTPS site (including SNI, ALPN and certificate exchange). Even when flagged, blocking is per-IP, not per-protocol — which is why TGFast rotates IPs continuously.

Does an MTProto proxy add real cryptography or only obfuscation?

Both. The MTProto 2.0 transport adds AES-256-IGE encryption between client and server with per-session keys derived from the shared secret, and Fake-TLS wraps that channel inside a real TLS 1.3 handshake. Even if the proxy operator were malicious, they could not decrypt the inner Telegram session — that key is negotiated end-to-end with Telegram's data centres.

How does TGFast pick which servers to deploy and where?

We monitor latency and packet loss from probe nodes in 14 cities across the regions hit hardest by Telegram restrictions. New servers are spun up where the median latency to nearby ISPs falls below 80 ms and where the upstream provider has historically resisted ISP take-down requests. Capacity is rebalanced weekly.