Why Hysteria2 Survives Networks That Break TCP Proxies
Many travelers, remote workers, and apartment dwellers share the same frustration: the tunnel works at home, then collapses on hotel Wi-Fi, airport lounges, or congested LTE segments where latency spikes and throughput yo-yos for no obvious reason. Traditional TLS-over-TCP stacks hate bufferbloat and random loss because a single delayed segment can stall the entire byte stream. Hysteria2 takes a different path by riding QUIC over UDP, pairing modern loss recovery with congestion signals that react faster than old Reno-style TCP on noisy last-mile links.
This does not mean Hysteria2 is invisible on the wire. It means the protocol stack is engineered to keep useful throughput when the physical layer is messy. In Mihomo (the core historically called Clash Meta), hysteria2 is a first-class proxy type, so you can mix it beside VLESS, TUIC, or Shadowsocks inside one rules-driven profile. The client side is where most readers spend their time: importing credentials, declaring honest bandwidth, and aligning sni with the certificate story the server presents.
If you are still learning how DNS modes interact with TUN, skim our documentation hub before you chase protocol bugs that are actually resolver leakage.
How Hysteria2 Uses Bandwidth Hints and Congestion Control
Unlike minimalist proxies that blindly shovel bytes, Hysteria2 expects you to advertise plausible uplink and downlink ceilings through up and down fields. Those numbers are not vanity metrics; they inform the sender how aggressively to probe the path without creating a traffic jam that punishes every other flow in your apartment complex. Think of them as cooperation with the congestion controller rather than a speed guarantee.
When you under-declare bandwidth, you may leave performance on the table. When you wildly over-declare, you can trigger oscillation or get shaped harder by middleboxes that dislike bursty UDP. A practical approach is to start with realistic ISP plan numbers, run a few large downloads, then tighten the values if logs show repeated loss or if your access point overheats during peak hours.
QUIC also multiplexes streams independently, so a lost or delayed packet on one stream does not stall every other stream the way it would inside a single TCP connection carrying the whole tunnel. For users who keep dozens of tabs, chat applications, and background sync jobs alive, that architectural difference often shows up as snappier page loads even when the megabit score on a speed test does not double overnight.
Prerequisites: Kernel, UDP, and Honest Expectations
Before you paste a subscription, confirm you are on a Mihomo-class build that actually lists Hysteria2 in release notes. Vintage Clash cores without Meta extensions will choke on the stanza immediately. Pull a maintained GUI bundle from our download page so the front-end, updater, and kernel stay on the same branch.
Next, verify UDP reachability to your server port. Hysteria2 is not a clever TCP disguise; it needs UDP datagrams to flow end to end. Corporate firewalls, captive portals, and some mobile carriers throttle or drop UDP aggressively. If UDP is broken, no amount of YAML artistry fixes the path—you need a different network, a different port strategy, or a fallback protocol from your operator.
Finally, align mental models with physics. Hysteria2 improves resilience; it does not repeal censorship laws, magically bypass active probing, or replace disciplined key hygiene. Treat passwords and endpoint hostnames as sensitive, rotate them when subscriptions leak, and keep backups of working profiles before you experiment.
Operator Checklist: Values You Must Collect
Whether you run your own server or buy access, gather a consistent parameter bundle before you touch YAML. At minimum you need: hostname or IP, port, authentication secret (password in most feeds), sni string, TLS verification policy, and any provider-specific obfuscation flags. If the service publishes a bandwidth policy, mirror those hints in up/down so the controller matches what the upstream expects.
Ask whether the deployment uses a public certificate, self-signed material, or a multiplexed entry that relies on a specific sni to select the correct virtual host. Mismatch here produces the classic symptom where ping succeeds yet the client log shows immediate authentication or TLS failures. Keep a text note of the exact strings; screenshots are terrible for diffing when operators rotate credentials.
If your provider ships both a plain profile and an obfuscated profile, grab both. Obfuscation adds CPU overhead but can survive naive UDP keyword filtering on some access networks. You will map those extras into optional obfs fields later.
hysteria2:// URI, decode the query parameters mentally against the YAML keys below. Panel exporters sometimes rename options, but the semantics stay the same.
Client YAML: A Baseline Hysteria2 Node for Mihomo
Add the proxy under proxies:, then reference the name inside proxy-groups exactly like any other outbound. The following template mirrors what most Mihomo users run in production; replace placeholders with live values from your operator.
proxies:
  - name: "HY2-Primary"
    type: hysteria2
    server: edge.example.net
    port: 443
    password: "long-random-secret-from-provider"
    sni: edge.example.net
    skip-cert-verify: false
    alpn:
      - h3
    up: "35 Mbps"
    down: "200 Mbps"
Several fields deserve extra commentary. sni must match the TLS name your client presents during handshake negotiation; it is not a free-form label. Keep skip-cert-verify on false unless you fully understand why the operator cannot obtain a normal public chain—turning verification off to silence errors is a fast track to person-in-the-middle risk.
alpn should follow whatever the server advertises. Many Hysteria2 deployments expect HTTP/3 semantics, hence h3, but blindly copying values from an old forum post is how you end up with handshakes that never complete. When in doubt, mirror the provider documentation exactly, then bisect changes if you must optimize.
Obfuscation, Ports, and When Extra Layers Help
Some networks do not block UDP outright but filter obvious fingerprints. Mihomo exposes optional obfuscation knobs that pair with the server configuration. A typical pattern adds a lightweight transform and a shared secret so casual DPI sees nondescript UDP flows rather than a textbook Hysteria2 signature. The cost is CPU on both ends and another secret to rotate.
If your operator enables obfuscation, you will see fields such as obfs type and obfs-password in their reference config. Copy them verbatim; mismatched obfuscation looks identical to a dead server from the client perspective. When obfuscation is not published, do not invent one—randomizing transforms without server support only wastes an afternoon.
Port choice still matters. UDP/443 is common because it blends with HTTPS traffic statistically, but some ISPs treat all UDP/443 as suspicious. Testing an alternate high port from your provider—when offered—can be faster than fighting a stubborn middlebox.
proxies:
  - name: "HY2-Obfs"
    type: hysteria2
    server: edge.example.net
    port: 443
    password: "long-random-secret-from-provider"
    sni: edge.example.net
    skip-cert-verify: false
    obfs: salamander
    obfs-password: "another-shared-secret"
    up: "35 Mbps"
    down: "200 Mbps"
Replace salamander and password strings with the exact pair your server operator documents; names and versions evolve, so treat this block as structural inspiration, not a universal constant.
Subscriptions, URIs, and Keeping Imports Auditable
Modern clients happily import hysteria2:// links. Still, verify the generated YAML after import: converters occasionally drop udp preferences, mis-map sni, or flatten obfuscation tuples. If your workflow relies on remote proxy-providers, remember refresh intervals: when operators rotate passwords, your cached file may look healthy while every handshake fails until the next pull.
For teams, prefer git-managed snippets over screenshots. Text diffs reveal accidental whitespace changes in passwords, which are maddeningly hard to spot in a UI. If you maintain multiple profiles—home, travel, lab—duplicate the working file before you merge experimental nodes so you can roll back in seconds.
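The mental decoding of a hysteria2:// link against the YAML keys, and the post-import audit this section asks for, written out as an added example (not Mihomo's own converter). It assumes the share-link layout hysteria2://<password>@<host>[:port]/?sni=&insecure=0|1&obfs=&obfs-password=#<name>, a default port of 443, and the Mihomo keys shown in the templates above.

```python
"""Turn a hysteria2:// share link into the Mihomo stanza used on this page and
list what to check before trusting the import. Hypothetical helper written for
this article, not Mihomo's converter; see the lead-in for the assumed link layout."""
from urllib.parse import parse_qs, unquote, urlsplit


def uri_to_mihomo(uri: str) -> dict:
    """Map query parameters onto YAML keys; nothing is dropped silently."""
    u = urlsplit(uri)
    auth = unquote(u.netloc.rsplit("@", 1)[0]) if "@" in u.netloc else ""
    if u.scheme != "hysteria2" or not auth or not u.hostname:
        raise ValueError("expected hysteria2://password@host[:port]/?...")
    q = {k: v[-1] for k, v in parse_qs(u.query).items()}
    node = {
        "name": unquote(u.fragment) or u.hostname,
        "type": "hysteria2",
        "server": u.hostname,
        "port": u.port or 443,  # assumption: 443 when the link omits a port
        "password": auth,
        "sni": q.get("sni", u.hostname),  # default to the host, never empty
        "skip-cert-verify": q.get("insecure", "0") == "1",
    }
    # Obfuscation is a tuple: carry both halves so a missing one stays visible.
    if "obfs" in q or "obfs-password" in q:
        node["obfs"] = q.get("obfs")
        node["obfs-password"] = q.get("obfs-password")
    return node


def audit(node: dict) -> list:
    """Return findings; empty means the stanza matches the advice above."""
    findings = []
    if node.get("skip-cert-verify"):
        findings.append("skip-cert-verify is true: TLS verification disabled")
    if not node.get("sni"):
        findings.append("sni is empty")
    if "obfs" in node and not (node.get("obfs") and node.get("obfs-password")):
        findings.append("obfs tuple incomplete: need both obfs and obfs-password")
    if not (node.get("up") and node.get("down")):
        findings.append("up/down not declared: add honest bandwidth hints")
    return findings


# Constructed sample link; every secret here is a placeholder, not a live credential.
SAMPLE = ("hysteria2://long-random-secret@edge.example.net:443/?sni=edge.example.net"
          "&insecure=0&obfs=salamander&obfs-password=another-shared-secret#HY2-Obfs")

if __name__ == "__main__":
    node = uri_to_mihomo(SAMPLE)
    print(node, audit(node) or "no findings")
```

Run it against each link a converter hands you and diff the printed stanza with the YAML the GUI actually wrote; the audit list is the short review checklist for the fields this article says converters get wrong.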
Proxy Groups, url-test, and Failover Discipline
Hysteria2 shines as one leg inside a larger strategy. Create a select group for manual control, then add a url-test or fallback group that includes HY2 alongside TCP-friendly protocols. When UDP dies on a café network, the health check should swing traffic to a VLESS or Shadowsocks outbound without forcing you to open the YAML editor at the counter.
Keep probe URLs sensible. A lightweight HTTPS endpoint that responds quickly on multiple continents beats a giant file download that skews measurements. Tune intervals so you are not hammering the probe every few seconds—that behavior annoys operators and can get your account flagged for abuse.
For deeper tuning on latency versus stability, our speed optimization article walks through url-test tuning without chasing imaginary “turbo kernels.”
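The failover discipline from this section, plus the later troubleshooting advice to keep a non-QUIC node in the same profile, as an added checker that is not part of Mihomo. It assumes the profile is the dict yaml.safe_load() returns, that Mihomo's url-test/fallback groups carry url and interval (seconds) keys, and a constructed 60-second floor for the probe interval.

```python
"""Check a Mihomo profile's proxy-groups for the failover discipline described above.
Hypothetical checker written for this article, not part of Mihomo. Input is the dict
yaml.safe_load() returns for a profile; a constructed sample is embedded below."""

UDP_TYPES = {"hysteria2", "hysteria", "tuic"}  # QUIC-over-UDP transports
BUILTINS = {"DIRECT", "REJECT"}
MIN_INTERVAL = 60  # seconds; assumed floor for "not hammering the probe"


def audit_groups(profile: dict) -> list:
    """Return findings; empty means every automatic group can survive UDP loss."""
    proxy_type = {p["name"]: p["type"] for p in profile.get("proxies", [])}
    groups = profile.get("proxy-groups", [])
    group_names = {g["name"] for g in groups}
    findings = []
    for g in groups:
        name, members = g["name"], g.get("proxies", [])
        for m in members:  # a typo here is a dead group, not a parse error
            if m not in proxy_type and m not in group_names and m not in BUILTINS:
                findings.append(f"{name}: unknown member {m!r}")
        if g["type"] not in ("url-test", "fallback"):
            continue
        kinds = {proxy_type.get(m) for m in members}  # None for groups/builtins
        if kinds & UDP_TYPES and not (kinds - UDP_TYPES - {None}):
            findings.append(f"{name}: only UDP transports, no TCP-based fallback")
        if g.get("interval", 0) < MIN_INTERVAL:
            findings.append(f"{name}: probe interval below {MIN_INTERVAL}s")
        if not str(g.get("url", "")).startswith("https://"):
            findings.append(f"{name}: probe url should be a lightweight HTTPS endpoint")
    return findings


# Constructed profile: one QUIC node, two TCP-friendly nodes, a sane and a broken group.
SAMPLE_PROFILE = {
    "proxies": [
        {"name": "HY2-Primary", "type": "hysteria2", "server": "edge.example.net"},
        {"name": "VLESS-Backup", "type": "vless", "server": "edge.example.net"},
        {"name": "SS-Lab", "type": "ss", "server": "lab.example.net"},
    ],
    "proxy-groups": [
        {"name": "Manual", "type": "select", "proxies": ["Auto", "HY2-Primary", "SS-Lab"]},
        {"name": "Auto", "type": "url-test", "proxies": ["HY2-Primary", "VLESS-Backup"],
         "url": "https://www.gstatic.com/generate_204", "interval": 300, "tolerance": 50},
        {"name": "QUIC-Only", "type": "fallback", "proxies": ["HY2-Primary", "HY2-Travel"],
         "url": "http://cp.cloudflare.com", "interval": 5},
    ],
}

if __name__ == "__main__":
    print("\n".join(audit_groups(SAMPLE_PROFILE)) or "no findings")
```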
Hostile Networks: Cafés, Hotels, and LTE Without the Rose Tint
Airport Wi-Fi often rate-limits UDP per client to discourage video streaming. If your Hysteria2 session drops while TCP browsers still work, capture that signal: you are contending with policy, not a defective password. Switching to wired tethering, trying another SSID, or falling back to a TCP-based node is the pragmatic path.
Hotel portals love transparent proxies and DNS hijacks. Bring up the tunnel only after you understand how the captive portal interacts with TUN mode on your OS. Sometimes you must authenticate in an exempt browser session before enabling full-device capture. DNS leaks in that window are common; revisit the DNS section of our docs after you connect.
On cellular, carrier-grade NAT and aggressive buffering can exaggerate jitter. Hysteria2 usually copes better than naive TCP, but you should still expect peak-hour slowdowns. Declaring accurate up/down values prevents your phone from attempting sprint speeds the tower cannot deliver, which reduces pointless retransmissions.
Troubleshooting the Errors You Will Actually See
Immediate timeout, yet ICMP ping works: Confirm UDP to the advertised port, then verify sni, password, and obfuscation tuples. Ping uses ICMP and proves almost nothing about QUIC reachability.
Handshake succeeds but throughput collapses: Revisit bandwidth declarations, try another access point, and inspect whether your laptop VPN or antivirus is intercepting UDP flows. Some endpoint protection products treat unknown UDP as hostile by default.
Frequent disconnects at exactly 60 seconds: Look for middlebox session timers or double NAT scenarios. Switching server regions or lowering parallel connection bursts sometimes stabilizes the path more than tweaking cipher fantasies.
Works on Wi-Fi but not on mobile hotspot: Suspect carrier UDP filtering first. Keep a non-QUIC node in the same profile so you can failover without reinstalling software.
Rules, DNS, and Why Transport Alone Is Not Enough
Hysteria2 optimizes the pipe between you and the exit; your rule set still decides which domains enter the pipe. A polished profile routes domestic CDNs directly when appropriate, sends sensitive categories to the QUIC group, and keeps fallback paths for protocols that survive locked-down networks. Naming groups clearly saves hours during late-night debugging.
DNS must mirror that intent. Misconfigured fake-ip or mixed resolver policies can leak queries around the tunnel even when the QUIC session is perfect. Align Mihomo DNS with your TUN or system-proxy mode, and retest after every major client upgrade because parser defaults shift over time.
Compliance, Ethics, and Realistic Expectations
Network regulations differ by country, employer, school, and venue. You are responsible for following applicable law and acceptable-use policies. This article is written for engineers building resilient remote access, researchers evaluating transport behavior, and travelers protecting credentials on untrusted access points—not as encouragement to break rules you are bound by.
No proxy protocol offers guaranteed anonymity. Combine technical controls with operational discipline: update clients regularly, prefer signed bundles from trusted distribution channels, and avoid random repackaged binaries that promise impossible speedups.
Consolidating QUIC, TCP, and Rules in One Client
Hysteria2 earns its reputation on difficult last-mile links because QUIC recovers from loss without the same head-of-line pain that haunts single-stream TCP tunnels. The configuration surface is smaller than sprawling VLESS matrices, but the details still matter: honest bandwidth, correct sni, optional obfuscation aligned with the server, and a failover group for the day UDP disappears.
Compared with juggling single-protocol apps, a maintained Mihomo-based client keeps Hysteria2, TUIC, and TCP-friendly nodes inside one rules engine so you spend time on productive work instead of context-switching between disconnected tools. When you are ready to standardize on a verified build with modern protocol coverage, pick up a current release from our download page and pair it with the documentation for DNS and routing polish. → Download Clash for free and experience the difference.