Hysteria2 + Fake SNI
Overview
Hysteria2 can be paired with fake SNI techniques to masquerade as standard HTTP/3 traffic to a popular website. The client presents a legitimate SNI in the TLS handshake (e.g., www.cloudflare.com), while the server responds with a valid certificate for that domain. Deep packet inspection sees only a normal QUIC connection to a known site.
How It Works
- QUIC + TLS 1.3 handshake — The client sends a ClientHello with a fake SNI pointing to a major website.
- Certificate disguise — The server presents a valid TLS certificate for the fake SNI domain, completing a legitimate-looking handshake.
- Post-handshake proxy — Once the TLS tunnel is established, Hysteria2 proxy traffic flows inside it.
- Obfuscation layer — The built-in salamander obfuscation can be enabled on top for additional protection against statistical analysis.
Step 1: Stop the Hysteria 2 server

    systemctl stop hysteria-server

Step 2: Create a self-signed SSL certificate

    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout h2.key -out h2.crt -subj "/CN=YOURSNI"

For example, if you want to spoof zoom.us, replace YOURSNI with zoom.us:

    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout h2.key -out h2.crt -subj "/CN=zoom.us"

Step 3: Edit the configuration file to use the new certificate

Then run ls to see the files you have created:

    ls

You should see the 2 files named h2.key and h2.crt.

Now run pwd to see your current directory:

    pwd

Now point the Hysteria config to the new certificate and key you have created:

    nano /etc/hysteria/config.yaml

Delete the section called:

    acme:
      domains:
        - domain1.com
        - domain2.org
      email: your@email.net

And add this section instead:

    tls:
      cert: some.crt
      key: some.key

Replace some.crt and some.key with the full path to the h2.crt and h2.key you created. Use pwd to see the directory and combine the file name with the output of pwd.

Example:

    tls:
      cert: /root/h2.crt
      key: /root/h2.key

Step 4: Start the Hysteria 2 server

    systemctl start hysteria-server

Step 5: Configure your client
Enable insecure mode on the client (the certificate is self-signed, so the client has to skip certificate verification); everything else stays as usual. Set the client's SNI to the same name you used as the CN when creating the certificate.
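As an added check that is not part of the original guide, the following POSIX shell function validates the config edited in Step 3 before the service is started again in Step 4: it confirms the acme: block is gone, that cert and key under tls: are absolute paths to readable files, that the certificate's CN equals the SNI the client will send, and that the private key belongs to the certificate. It assumes the openssl CLI is installed; the config path and SNI in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not from the original guide: sanity-check a Hysteria2
# server config so the certificate referenced under tls: exists and its
# CN matches the SNI the client will be configured with.  Needs openssl.
#
# Usage: check_hysteria_tls /etc/hysteria/config.yaml YOURSNI

# Print the value of an indented "key: value" line inside the tls: block.
tls_field() {                         # $1 = config file, $2 = cert | key
    sed -n "/^tls:/,/^[^ ]/ s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

check_hysteria_tls() {
    cfg=$1; sni=$2; rc=0
    # Step 3 removes the acme: block; a leftover one makes Hysteria request
    # ACME certificates for the listed domains instead of using the static cert.
    if grep -q '^acme:' "$cfg"; then
        echo "FAIL: acme: section still present in $cfg"; rc=1
    fi
    cert=$(tls_field "$cfg" cert); key=$(tls_field "$cfg" key)
    for f in "$cert" "$key"; do
        case $f in
            /*) [ -r "$f" ] || { echo "FAIL: $f is not readable"; rc=1; } ;;
            *)  echo "FAIL: '$f' is not an absolute path (combine pwd + file name)"; rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ] || return "$rc"
    # The CN chosen at certificate creation must equal the client's SNI.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    if [ "$cn" != "$sni" ]; then
        echo "FAIL: certificate CN '$cn' does not match SNI '$sni'"; rc=1
    fi
    # Key and certificate must carry the same public key.
    if [ "$(openssl x509 -in "$cert" -noout -pubkey)" != \
         "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]; then
        echo "FAIL: $key does not belong to $cert"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $cert has CN=$cn and matches $key"
    return "$rc"
}
```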
Tips
- Choose a fronting domain that is popular in your region and supports TLS 1.3.
- Combine with salamander obfuscation for defense in depth.
- A self-signed certificate is acceptable here since the disguise relies on the SNI field, not certificate validation — the censor checks the handshake, not the CA chain.
Caveats
- If the fronting domain is blocked by the censor, your service is also blocked until you switch.
- QUIC traffic is increasingly inspected — some censors now analyze post-handshake traffic patterns.
- Hysteria2’s distinct bandwidth behavior may still identify it even if the handshake looks normal.