← back to blog

How to Set Up an MTProto Proxy for Tajikistan (2026)

telegram mtproto tajikistan tutorial 2026

TL;DR

Spin up a $5/month VPS outside Tajikistan, compile the official Telegram MTProto proxy server from source, and start it on port 443 in FakeTLS mode so the traffic looks like ordinary HTTPS to deep packet inspection hardware. Add the resulting tg://proxy link on your Android or iOS device under Settings > Data and Storage > Proxy. The catch: virtually every public MTProto proxy circulating in Telegram channels is already fingerprinted and blocked by Tajikistan’s Service Communications Agency, so a shared or expired proxy will fail precisely during elections and political events, which are the moments that matter most. Running your own server with a fresh, rotating secret is the only reliable fix.

why MTProto matters in Tajikistan

Tajikistan blocks Telegram through the Service Communications Agency (SCA) using deep packet inspection rather than simple IP-based filtering. The SCA’s DPI hardware monitors connection patterns, protocol handshakes, and traffic signatures in real time at the point where Tajikistan’s international transit providers hand off to domestic carriers. A standard OpenVPN tunnel has a recognizable certificate exchange and cipher negotiation sequence. WireGuard has a distinctive handshake pattern. Even Shadowsocks has identifiable entropy characteristics under sustained traffic analysis. When any of these signatures appear on Tcell, Megafon TJ, or Babilon-T connections, the session is either dropped outright or throttled to below usable speeds. For a broader view of how this pattern plays out across countries with similar infrastructure, the 2026 Telegram censorship resource center documents current block status and the specific DPI techniques each country uses. The companion article why VPNs fail for Telegram in Tajikistan covers why VPN-based workarounds consistently fail for Telegram users there, in more detail than this guide can.

MTProto proxy is different in a technically important way. When FakeTLS mode is enabled, the proxy performs a complete, genuine TLS 1.3 handshake before any Telegram data is transmitted. The client supplies a server name indication (SNI) field that matches a real, well-known domain, and the TLS record layer looks byte-for-byte like ordinary HTTPS traffic. Telegram payloads are then tunneled inside this TLS session. At the packet level, an ISP’s DPI appliance sees what appears to be a sustained HTTPS session to a popular web service rather than a Telegram connection. This camouflage is precisely what the SCA cannot currently defeat without blocking all HTTPS traffic, which would bring down banking, government services, and e-commerce alongside Telegram. The blocking intensifies around elections and major political events, which is when targeted disruption of Telegram is most valuable to authorities. That is exactly when having your own server with a fresh secret makes the difference between a working connection and a blocked one.

prerequisites

Before starting the technical steps, confirm you have the following in place.

a VPS outside Tajikistan. Any reputable cloud provider works: AWS Lightsail, DigitalOcean, Vultr, Hetzner, Linode, or similar. For Telegram specifically, a Singapore datacenter gives excellent latency because Telegram has its own infrastructure in Singapore, meaning your proxy has a short, fast path to the datacenter. A Frankfurt or Amsterdam node is also solid given the geographic proximity to Central Asia. A basic 1 vCPU / 1 GB RAM plan at $4-6/month is more than sufficient. The MTProto proxy process is not CPU-intensive; it spends most of its time forwarding encrypted bytes rather than doing computation.

Debian 12 or Ubuntu 22.04 LTS. The official Telegram MTProto proxy Makefile is tested against these two distributions. Other Linux distributions will likely work but may require minor adjustments to package names or library paths.

a domain name or subdomain for FakeTLS. You do not need to host a website. You can embed any high-traffic domain (such as www.bing.com) in the FakeTLS secret without actually owning that domain. The SNI field is used for camouflage only; the proxy does not verify the TLS chain for the emulated domain.

basic SSH familiarity. You should be able to connect to a remote server, run commands, edit a file with nano or vi, and restart a systemd service. You do not need to be a Linux administrator.

For a current picture of the Telegram access situation in Tajikistan before you begin, including which ISPs are currently blocking and at what severity, read the Telegram in Tajikistan 2026 guide.

step 1: spin up the VPS

After creating your VPS instance and noting its public IP address, SSH in and prepare the build environment:

# connect to the new VPS
ssh root@YOUR_VPS_IP

# refresh the package index and apply all security updates
apt update && apt upgrade -y

# install the compiler toolchain and required libraries
apt install -y git build-essential libssl-dev zlib1g-dev \
  curl wget xxd net-tools ufw

# confirm gcc and make are both present
gcc --version
make --version

If the upgrade touched kernel packages, reboot before continuing:

reboot

Wait about 30 seconds, then reconnect. Next, configure the firewall. Port 443 is the target port because it is the standard HTTPS port. ISP-level DPI systems are calibrated to pass port 443 traffic freely on all three major Tajikistan networks. Blocking port 443 entirely would break HTTPS for the entire country, which no government has been willing to do in practice. Port 80, 8080, or non-standard ports attract more scrutiny from DPI rules and are a poor choice:

# always allow SSH first to prevent accidental lockout
ufw allow 22/tcp

# allow the MTProto proxy port
ufw allow 443/tcp

# enable the firewall
ufw --force enable
ufw status verbose

If your cloud provider has a separate network-level firewall (AWS Security Groups, DigitalOcean Cloud Firewall, Vultr Firewall), log into the provider panel and add an inbound TCP rule for port 443 there as well. The UFW rule on the VM and the provider’s edge firewall are independent layers, and both must permit the traffic.

step 2: build mtproto-proxy from the official Telegram repo

Telegram’s official C implementation of the MTProto proxy is maintained in a public GitHub repository. Building from source on your own VPS matters because the binary has not passed through anyone else’s hands, and you can inspect the code yourself if you want to confirm what it does.

# clone the official Telegram MTProxy repository
git clone https://github.com/TelegramMessenger/MTProxy.git
cd MTProxy

# compile the proxy (typically 60-120 seconds on a basic VPS)
make

When the build finishes, verify the binary exists and responds:

ls -lh objs/bin/mtproto-proxy
./objs/bin/mtproto-proxy --help

The help output should list flags including -H (HTTP port), -S (secret), -u (drop to user), and --aes-pwd. If you see a shared library error instead of the help text, install the missing package and re-run make. The most common missing libraries on a minimal Debian 12 install are libssl-dev and zlib1g-dev, both of which are included in the apt install command in step 1.

Now download the Telegram datacenter configuration files. These contain the Telegram server public keys used to authenticate proxy-to-datacenter connections. Without current versions of these files the proxy will reject connections with a decryption error:

# primary config (used for single-datacenter mode)
curl -s https://core.telegram.org/getProxyConfig -o proxy-secret

# multi-datacenter config (recommended, covers all Telegram DCs)
curl -s https://core.telegram.org/getProxyMultiConfig -o proxy-multi-config

# verify both files have content
wc -l proxy-secret proxy-multi-config

Both files should contain several hundred lines of key material. If either is empty or returns an error page, wait a minute and retry; Telegram’s config servers occasionally rate-limit repeated downloads. Keep these files in the MTProxy directory. You will re-download them as part of the weekly rotation routine described later.

step 3: generate the secret and start the proxy

The MTProto secret is a 16-byte random value encoded as 32 hex characters. In FakeTLS mode, this value is prefixed with ee and suffixed with the hex encoding of your chosen FakeTLS domain name, creating a longer compound secret that encodes both the authentication material and the TLS camouflage instruction.

Generate the random base secret:

# generate 16 bytes of randomness and encode as hex
SECRET=$(dd if=/dev/urandom bs=16 count=1 2>/dev/null | xxd -p)
echo "base secret: $SECRET"

Now construct the full FakeTLS secret. The domain you choose will appear as the SNI in every TLS handshake your proxy performs, so pick a domain with substantial HTTPS traffic on Tajikistan networks. www.bing.com is a solid choice because Microsoft’s search engine is not blocked in Tajikistan and generates constant HTTPS traffic that DPI systems treat as ordinary browser activity:

# choose your FakeTLS domain
DOMAIN="www.bing.com"

# hex-encode the domain name
DOMAIN_HEX=$(echo -n "$DOMAIN" | xxd -p)

# assemble the full FakeTLS secret (ee + base secret + domain hex)
FAKETLS_SECRET="ee${SECRET}${DOMAIN_HEX}"
echo "FakeTLS secret: $FAKETLS_SECRET"

Save this FakeTLS secret string somewhere safe. You will need it both in the next command and when configuring Telegram on your phone.

Create the systemd unit file to manage the proxy as a proper system service:

cat > /etc/systemd/system/mtproto-proxy.service << 'EOF'
[Unit]
Description=Telegram MTProto Proxy
After=network.target

[Service]
Type=simple
WorkingDirectory=/root/MTProxy
ExecStart=/root/MTProxy/objs/bin/mtproto-proxy \
  -u nobody \
  -p 8888 \
  -H 443 \
  -S YOUR_FAKETLS_SECRET \
  --aes-pwd /root/MTProxy/proxy-secret \
  /root/MTProxy/proxy-multi-config \
  -M 1
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF

Replace YOUR_FAKETLS_SECRET with the string from the previous step. The -H 443 flag tells the proxy to accept external connections on port 443. The -p 8888 flag opens an internal statistics port that is not exposed to the internet by the UFW rules set earlier. The -M 1 flag enables multi-datacenter mode using the proxy-multi-config file, which routes connections to whichever Telegram datacenter is appropriate for each user’s account:

# reload systemd, enable the service for autostart, and start it now
systemctl daemon-reload
systemctl enable mtproto-proxy
systemctl start mtproto-proxy

# verify it is running
systemctl status mtproto-proxy

# confirm it is bound to port 443
ss -tlnp | grep 443

If the status shows Active: active (running) and ss shows the process bound to 0.0.0.0:443, the server side is complete.

Construct the Telegram deep link that users can tap to add the proxy in one step:

tg://proxy?server=YOUR_VPS_IP&port=443&secret=YOUR_FAKETLS_SECRET

The HTTPS equivalent works even when the Telegram app is not already open:

https://t.me/proxy?server=YOUR_VPS_IP&port=443&secret=YOUR_FAKETLS_SECRET

Send one of these links to yourself via email or a notes app so it is accessible on your phone in Tajikistan.

step 4: enter the proxy in Telegram on Android/iOS

If the tg://proxy link is accessible on your phone, tap it. Telegram will open a “Connect to proxy?” dialog showing the server IP, port, and secret. Tap Enable and Telegram will begin routing through the proxy immediately. A green indicator and a millisecond latency reading confirm the connection.

For manual configuration, the path is identical on Android and iOS:

  1. Open Telegram and go to Settings.
  2. Tap Data and Storage.
  3. Scroll down to the Proxy section and tap Use Proxy, then Add Proxy.
  4. Select MTProto as the proxy type (not SOCKS5, not HTTP).
  5. Enter your VPS IP in the Server field.
  6. Enter 443 in the Port field.
  7. Paste your full FakeTLS secret (starting with ee) into the Secret field.
  8. Tap Save, then tap the proxy entry to activate it.

A green latency indicator confirms a working connection. If you see a red error, the most common causes are: the proxy service is not running on the VPS (check with systemctl status mtproto-proxy), port 443 is blocked at the provider’s network-level firewall, the secret was truncated or contains a typo, or the proxy-secret and proxy-multi-config files are stale and need to be re-downloaded.

On Telegram Desktop (Windows, macOS, or Linux), the path is Settings > Privacy and Security > Use Proxy > Add Proxy, then the same MTProto fields. The desktop client shows the same latency indicator and connects through the same server.

One practical note for users connecting from Tcell and Megafon TJ mobile data: allow 10-15 seconds for the initial handshake. Both carriers apply an extra layer of traffic inspection on mobile data that can introduce a noticeable delay. The connection stabilizes once the initial DPI check passes. Users on Babilon-T fixed broadband connections typically see faster proxy negotiation, likely because the DPI equipment on that network is an older generation than what Tcell and Megafon TJ have deployed on their mobile infrastructure.

what breaks in Tajikistan (and how to harden)

The Service Communications Agency uses two main techniques that affect MTProto users specifically. The first is the service communications block, which targets Telegram’s own infrastructure IP ranges directly at the carrier routing level across Tcell, Megafon TJ, and Babilon-T. Direct connections to Telegram datacenter IPs are dropped before they exit Tajikistan’s network. Your self-hosted VPS sits on an IP address that is not in that block list, so the SCA’s DPI sees traffic going to what looks like a generic cloud server, and your proxy then connects onward to Telegram from outside Tajikistan’s jurisdiction. This is the fundamental reason a self-hosted MTProto proxy survives the service communications block while a direct Telegram connection does not. Public proxies accumulate in block lists within days of appearing in public Telegram channels, which is why shared proxies fail at the worst moments.

The second technique is the mobile VPN throttle deployed on mobile data connections. When traffic on Tcell or Megafon TJ mobile networks produces a VPN-like signature (consistent encrypted packet sizes, absence of typical HTTP request-response patterns, or anomalous SNI values relative to connection volume), the carrier throttles throughput to below 50 kbps. This is technically “not blocked” but is functionally unusable for any media. FakeTLS mode directly counters this by embedding a real, high-traffic domain name in the SNI field. An MTProto proxy running in FakeTLS mode with www.bing.com as the camouflage domain produces traffic patterns that the mobile VPN throttle does not recognize as a VPN connection, because the SNI and TLS handshake look exactly like a mobile browser loading HTTPS resources from a well-known host.

To stay ahead of both techniques during politically sensitive periods, follow this hardening routine. Rotate the secret at least once a week when elections or major events are approaching:

# generate a fresh base secret
NEW_SECRET=$(dd if=/dev/urandom bs=16 count=1 2>/dev/null | xxd -p)
DOMAIN_HEX=$(echo -n "www.bing.com" | xxd -p)
NEW_FAKETLS="ee${NEW_SECRET}${DOMAIN_HEX}"

# patch the systemd unit in place
sed -i "s/-S [a-f0-9]*/-S $NEW_FAKETLS/" /etc/systemd/system/mtproto-proxy.service
systemctl daemon-reload
systemctl restart mtproto-proxy
echo "new FakeTLS secret: $NEW_FAKETLS"

Re-download the Telegram config files on the same weekly schedule, because Telegram rotates datacenter keys periodically:

curl -s https://core.telegram.org/getProxyConfig -o /root/MTProxy/proxy-secret
curl -s https://core.telegram.org/getProxyMultiConfig -o /root/MTProxy/proxy-multi-config
systemctl restart mtproto-proxy

The table below places self-hosted MTProto in context against the other options Tajikistan users typically reach for when Telegram is disrupted:

method bypasses service communications block survives mobile VPN throttle setup effort cost
public MTProto proxy sometimes sometimes none free
self-hosted MTProto (this guide) yes yes, with FakeTLS medium ~$5-6/month VPS
commercial VPN no no low $5-15/month
SOCKS5 via residential mobile proxy yes yes low from $10/month

The gap between “public MTProto proxy” and “self-hosted MTProto” is what makes this guide worth following rather than grabbing a link from a Telegram channel.

when MTProto isn’t enough (segue to SOCKS5)

We operate Singapore Mobile Proxy on real SingTel, StarHub, M1, and Vivifi residential modems physically located in Singapore. Every connection exits through a genuine carrier IP address that has never appeared in a datacenter blocklist, because it belongs to a real SIM card rather than a cloud server. Telegram’s own datacenters are in Singapore, so the routing path from a Singapore mobile proxy to Telegram infrastructure is short and fast, typically 20-50 ms for users in Tajikistan. For users who have run a self-hosted MTProto proxy and find that their VPS IP eventually ends up in a carrier block list, or who simply do not want to manage server infrastructure, the SOCKS5 option sidesteps the problem at its root. The exit IP is a real mobile IP from a politically neutral jurisdiction, and it rotates on a schedule that prevents accumulation in any blocklist.

Configuration in Telegram is the same process as MTProto except you select SOCKS5 in the proxy type field. Enter 158.140.129.188 as the server address, your assigned port number, and your username and password from the subscription dashboard. Credentials follow the format 158.140.129.188:PORT:user:pass. There is no secret to generate or rotate manually; the mobile IP rotation is handled on the provider side. For a detailed walkthrough of the SOCKS5 configuration specifically for Tajikistan users, see Singapore SOCKS5 for Telegram in Tajikistan. Current plan pricing is at Singapore Mobile Proxy plans, and a free trial is available at /client/trial if you want to test latency from Tajikistan before committing to a subscription.

The self-hosted MTProto route in this guide is the right starting point for users who want full control, no recurring cost beyond the VPS, and the ability to share the proxy with a small trusted group. The SOCKS5 upgrade makes sense when VPS management is a burden, when your VPS IPs keep getting blocked, or when continuous uptime during elections is operationally critical and manual maintenance is not acceptable.

FAQ

Q: why does my self-hosted proxy work for a few days and then stop connecting from Tajikistan?

A: two likely causes. The first is stale Telegram config files. Telegram rotates the datacenter keys in proxy-secret and proxy-multi-config periodically, and once your local copies are outdated the proxy fails to authenticate to Telegram’s servers. Re-download both files with the curl commands from step 2 and restart the service. The second cause is that your VPS IP has been added to the service communications block list maintained by Tajikistan ISPs. You can test this by checking whether the proxy accepts connections from a network outside Tajikistan (it will) while failing from a Tajikistan connection (it will not). The fix is to migrate to a new VPS in a different datacenter region or switch providers entirely.

Q: does running this proxy hide my identity from Tajikistan authorities?

A: your ISP (Tcell, Megafon TJ, or Babilon) sees an HTTPS connection to a server outside Tajikistan. They cannot determine the content or identify the destination as Telegram, which is the purpose of FakeTLS mode. Telegram itself still knows your account identity because the proxy is transparent at the application layer. The proxy does not anonymize you from Telegram; it only prevents ISP-level DPI from identifying that you are communicating with Telegram at all.

Q: can I share my proxy with friends in Tajikistan?

A: yes. Send them the tg://proxy link with your VPS IP, port 443, and your FakeTLS secret. The official MTProto proxy implementation handles hundreds of concurrent users comfortably on a basic VPS. The practical limit is your VPS monthly bandwidth allocation rather than CPU. Keep the circle of people who know the secret reasonably small; wide distribution increases the chance the IP and secret combination surfaces in a public Telegram channel and gets added to a block list.

Q: what happens if I use a port other than 443?

A: port 443 is strongly recommended for Tajikistan. Port 80 and 8080 receive more DPI scrutiny because they are associated with unencrypted or proxy traffic patterns. Arbitrary high ports above 10000 are the most likely to be throttled on Tcell and Megafon TJ mobile networks. Some operators use port 2053 or 8443 as secondary options (these are common CDN ports that receive some tolerance), but none are as reliably unblocked as port 443.

Q: how often should I rotate the secret and update the config files?

A: once a month is sufficient during ordinary periods. In the weeks before or during Tajikistan elections or major political events, rotate the secret and re-download the config files weekly. A cron job handles the config refresh automatically without manual intervention: add 0 3 * * 1 curl -s https://core.telegram.org/getProxyMultiConfig -o /root/MTProxy/proxy-multi-config && systemctl restart mtproto-proxy to the root crontab for a weekly Monday 3 AM refresh.

Q: is it possible to run the proxy on a home server instead of a VPS?

A: only if the home server is physically located outside Tajikistan and has a publicly accessible IP address. Running the server inside Tajikistan defeats the purpose entirely: traffic to your local server is still inspectable by the local ISP before it reaches the proxy process. The server must be in a network jurisdiction where the Service Communications Agency has no authority and cannot apply the service communications block or the mobile VPN throttle.

disclaimer

this article is provided for informational and educational purposes only. laws and regulations governing the use of proxies, circumvention tools, and encrypted tunneling in Tajikistan may change without notice, and enforcement practices may differ from the written text of any law or regulation. nothing in this article constitutes legal advice. if you are located in Tajikistan or subject to Tajikistan jurisdiction, consult a qualified local legal professional before setting up or using any proxy or circumvention technology. singaporemobileproxy.com publishes this guide as a technical resource and does not assume liability for how the information is applied.

ready to try Singapore mobile proxies?

2-hour free trial. no credit card required.

start free trial
message me on telegram