Hysteria / Hysteria2#

Overview#

Hysteria is a proxy protocol built on QUIC (HTTP/3). It is engineered for speed and reliability over lossy or high-latency networks, using aggressive bandwidth estimation to maximize throughput. Hysteria2 is the second generation — rewritten from scratch with better obfuscation, simpler configuration, and native support for masquerading as standard HTTP/3 traffic.

How It Works#

  • QUIC-based — Uses UDP with built-in TLS 1.3 encryption, multiplexed streams, and 0-RTT handshakes.
  • Brutal congestion control — Actively probes available bandwidth and fills it. Performs exceptionally well on high-packet-loss or throttled connections.
  • Obfuscation (salamander) — Hysteria2 includes a built-in obfuscation layer that scrambles packet content to evade DPI signatures.
  • Masquerading — Can be configured to present a valid TLS certificate and mimic HTTP/3 (QUIC) traffic to a legitimate website.
  • UDP forwarding — Native UDP relay support for DNS, VoIP, and gaming.

Installation#

Requirements#

  • A Linux VPS (make sure port 443 is open)
  • Root access
  • Basic command-line skills
  • A text editor like nano or vim

Step 1: Become Root#

Switch to the root user:

sudo -s

Step 2: Install Hysteria 2#

Use the official script to install:

bash <(curl -fsSL https://get.hy2.sh/)

Step 3: Generate a Self-Signed SSL Certificate#

Run the following to create the certificate:

openssl req -x509 -nodes -newkey ec:<(openssl ecparam -name prime256v1) \
  -keyout /etc/hysteria/server.key \
  -out /etc/hysteria/server.crt \
  -subj "/CN=pan.baidu.com" -days 36500

Adjust file permissions:

sudo chown hysteria /etc/hysteria/server.key
sudo chown hysteria /etc/hysteria/server.crt

Replace the CN field with a domain you want to use for masking, if applicable.

Step 4: Start the Server#

Start the Hysteria service:

systemctl start hysteria-server.service

And enable it to start at boot:

systemctl enable hysteria-server.service

Step 5: Configure Hysteria 2#

Create the configuration file:

cat << EOF > /etc/hysteria/config.yaml
listen: :443
tls:
  cert: /etc/hysteria/server.crt
  key: /etc/hysteria/server.key
auth:
  type: password
  password: 123456  # Be sure to change this!
masquerade:
  type: proxy
  proxy:
    url: https://pan.baidu.com  # Use a different domain if needed
rewriteHost: true
EOF

Make sure to choose a strong password and update the proxy.url if you’re using a different domain.

Step 6: Apply the Configuration#

Restart the server to load the new settings:

systemctl restart hysteria-server.service

All Set#

Your Hysteria 2 server is now running.

Tips#

  • Hysteria2 is ideal for networks with high packet loss (10%+) where TCP-based protocols degrade.
  • The salamander obfuscation type provides a good balance of stealth and performance.
  • Set realistic bandwidth limits to avoid drawing attention.

Caveats#

  • QUIC/UDP traffic may be throttled or blocked entirely by some ISPs and firewalls.
  • The aggressive bandwidth use can be conspicuous on metered or monitored connections.
  • Fewer clients support Hysteria2 compared to VLESS/VMess.
Backward VMess + WebSocket + TLS + CDN Hysteria2 + Fake SNI Forward
© 2026 Zenith Rifle