
How To: Set up an MTProto/MTProxy Telegram Proxy Server

Bypass firewalls or censorship that blocks Telegram

I am writing this post because I set up an MTProto server for a friend in Russia. He is concerned Telegram may be blocked soon, now that the country has decided to block uncensored western sites such as the BBC, Twitter, and Facebook. It is also a good solution for bypassing blocking on a more local level. MTProto runs on any port you want, but using port 443 will disguise the outgoing connection to your server as ordinary HTTPS traffic, so we will use port 443 in our guide.

You will need:

  • A VPS/VM; low spec is OK. Ours has 2GB of RAM and a dual core 2GHz processor (I think far less would be fine) and is running Ubuntu 20.04, but any distro should be fine. Ours is with IONOS (https://ionos.co.uk – not sponsored).
  • A domain, if you wish to have a hostname for your server. Otherwise you can just use the IP address of your server instead.
  • This guide also includes aspects copied from Telegram’s MTProxy GitHub, but their guide wasn’t quite right so I have amended aspects of it here. Their GitHub repo is here: https://github.com/TelegramMessenger/MTProxy

This guide assumes your server is already configured and up to date, and that you don’t have any other services listening on the port you intend to use. It is OK to run multiple things on the server; I have a VPN server running on mine too, on different ports.

1. Ensure you have the requisite dependencies installed to build MTProxy from source:

On Ubuntu/Debian:

apt install git curl build-essential libssl-dev zlib1g-dev

On RHEL and RHEL derivatives (CentOS/Alma Linux/Rocky Linux etc):

yum install openssl-devel zlib-devel
yum groupinstall "Development Tools"

2. Then clone the repo, and build:

git clone https://github.com/TelegramMessenger/MTProxy
cd MTProxy
make && cd objs/bin

Find your current directory using pwd (print working directory) and make a note of it; you will need it later on:

pwd

The output for pwd for me is: /root/MTProxy/objs/bin

3. Configure MTProxy

Now you’ll need to obtain a secret from Telegram which is used to connect to Telegram’s servers:

curl -s https://core.telegram.org/getProxySecret -o proxy-secret

Now obtain the current Telegram configuration. Telegram’s GitHub says to update it daily, so we’ll set up a cron job to do that later.

curl -s https://core.telegram.org/getProxyConfig -o proxy-multi.conf

Next, generate a 16 character secret that you’ll use to authenticate users with your proxy server:

head -c 16 /dev/urandom | xxd -ps

Test the configuration by running MTProxy from the CLI.

./mtproto-proxy -u nobody -p 8888 -H 443 -S <secret> --aes-pwd proxy-secret proxy-multi.conf -M 1

From Telegram’s GitHub:

… where:
nobody is the username. mtproto-proxy calls setuid() to drop privileges.
443 is the port, used by clients to connect to the proxy.
8888 is the local port. You can use it to get statistics from mtproto-proxy. Like wget localhost:8888/stats. You can only get this stat via loopback.
<secret> is the secret generated at step 3. Also you can set multiple secrets: -S <secret1> -S <secret2>.
proxy-secret and proxy-multi.conf are obtained at steps 1 and 2.
1 is the number of workers. You can increase the number of workers, if you have a powerful server.

4. Test the server

Then connect to the server to test by typing this into a web browser and allowing it to open in Telegram:

https://t.me/proxy?server=SERVER_NAME&port=PORT&secret=SECRET

E.g.:

https://t.me/proxy?server=example.server.com&port=443&secret=94e5233dd994526b3ad95adf0ec79648

For bypassing censorship, I would suggest prefixing the secret in the link with dd (e.g. dd94e5233dd994526b3ad95adf0ec79648) to use Telegram’s random padding mode (“Due to some ISPs detecting MTProxy by packet sizes, random padding is added to packets if such mode is enabled.”).
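The link format and the dd prefix described above are easy to get wrong, for instance by pasting the dd-prefixed value where the 32-character server secret belongs. The following is an added example, not from the original guide or the MTProxy project: new_secret and make_proxy_link are hypothetical helper names, and od stands in for the xxd command used in step 3.

```sh
# Added example (not from the original post or the MTProxy project).
# new_secret and make_proxy_link are hypothetical helper names.

# 16 random bytes printed as 32 hex characters; od is used here as a
# stand-in for the xxd command in step 3.
new_secret() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Usage: make_proxy_link SERVER PORT SECRET [padded]
# Prints the t.me link, or returns 1 if any input is malformed.
make_proxy_link() {
    # Hostname or IPv4 address only, so nothing can alter the query string.
    case $1 in
        ''|*[!A-Za-z0-9.-]*) echo "invalid server name" >&2; return 1 ;;
    esac
    # Port: digits only, 1..65535.
    case $2 in
        ''|*[!0-9]*) echo "invalid port" >&2; return 1 ;;
    esac
    if [ "${#2}" -gt 5 ] || [ "$2" -lt 1 ] || [ "$2" -gt 65535 ]; then
        echo "invalid port" >&2; return 1
    fi
    # The value passed to mtproto-proxy -S must be exactly 32 hex characters.
    case $3 in
        *[!0-9a-fA-F]*) echo "secret must be hex" >&2; return 1 ;;
    esac
    if [ "${#3}" -ne 32 ]; then
        echo "secret must be 32 hex characters" >&2; return 1
    fi
    # Random padding mode: only the client-side copy of the secret gets
    # the "dd" prefix; the server keeps the unprefixed value.
    if [ "${4:-plain}" = padded ]; then
        printf 'https://t.me/proxy?server=%s&port=%s&secret=dd%s\n' "$1" "$2" "$3"
    else
        printf 'https://t.me/proxy?server=%s&port=%s&secret=%s\n' "$1" "$2" "$3"
    fi
}
```

Run `make_proxy_link example.server.com 443 "$(new_secret)" padded` to print a padded-mode link; the unprefixed secret is the one that goes after -S.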

If it works, press CTRL+C to terminate, and now we can get to creating a service to keep this running permanently:

5. Create a service

Next we will copy MTProxy into /opt (the default directory for unbundled packages). You will need the directory you made a note of in step 2.

mkdir /opt/MTProxy
cp /root/MTProxy/objs/bin/* /opt/MTProxy/

Create systemd service file:

nano /etc/systemd/system/MTProxy.service

Edit this basic service (especially paths and params):

[Unit]
Description=MTProxy
After=network.target

[Service]
Type=simple
WorkingDirectory=/opt/MTProxy
ExecStart=/opt/MTProxy/mtproto-proxy -u nobody -p 8888 -H 443 -S <SECRET> --aes-pwd proxy-secret proxy-multi.conf -M 1
Restart=on-failure

[Install]
WantedBy=multi-user.target

Reload daemons:

systemctl daemon-reload

Test fresh MTProxy service:

systemctl restart MTProxy.service
# Check status, it should be active
systemctl status MTProxy.service

Enable it, to autostart service after reboot:

systemctl enable MTProxy.service

6. Automate fetching Telegram configuration and restarting the service

The last step is to automate fetching Telegram configuration (mentioned in step 3).

nano /opt/MTProxy/proxy-multi.sh

Paste in the following:

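#!/bin/bash
# Script to fetch proxy-multi.conf
set -euo pipefail
cd /opt/MTProxy
# Download to a temporary file; -f makes curl fail on HTTP errors
curl -fsS https://core.telegram.org/getProxyConfig -o proxy-multi.conf.new
# Stop here if the download is empty, so the live config is never truncated
[ -s proxy-multi.conf.new ]
mv proxy-multi.conf.new proxy-multi.conf
systemctl restart MTProxy.service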

Then add the cronjob (it will run at midnight every day):

Open your crontab file in the interactive editor (on Ubuntu it allows you to pick an editor, but some distros will make you use VI/VIM):

crontab -e

Then paste the following line into the file:

0 0 * * * /bin/bash /opt/MTProxy/proxy-multi.sh

Now you’re done!

Jon Procter

Linux, Unix, and Windows server sysadmin.
