Error Troubleshooting & FAQ
Facing node timeouts, port conflicts, or streaming unlock issues? Find the most hardcore, detailed self-help guide right here.
Hot Tags
📖
VPN Basics & Insider Jargon
What is a VPN service provider ("airport")?
A VPN service provider (often called an "airport" in Chinese communities) is a platform that offers proxy node subscription services for bypassing internet restrictions. After purchasing a plan, you receive a subscription link that you can import into clients like Clash or Shadowrocket to access overseas nodes. The term "airport" originated because early client icons often featured a paper airplane.
#Clash#Shadowrocket#Subscription Issues
What is a subscription link?
A subscription link is a unique URL provided by your VPN provider. When your client requests this link, it automatically downloads and updates the latest server node configurations from the provider's backend.
#Subscription Issues
What is a public network relay node?
The provider rents a high-bandwidth server inside China (e.g., in Guangzhou or Shanghai) to aggregate your traffic, encrypt it, and forward it to overseas exit nodes. This is more stable and faster than your computer connecting directly to overseas servers.
#Dedicated Relay#Subscription Issues#Routing & Split Tunneling
What are IPLC / IEPL dedicated lines?
These are true enterprise-grade cross-border dedicated lines rented by providers. Traffic travels through internal fiber optic cables, bypassing the Great Firewall (GFW). They offer ultra-low latency, rock-solid stability, and never go down even during heavy censorship periods—but they come at a premium price.
#Connection Issues#Dedicated Relay#Subscription Issues
What is an exit node?
An exit node is the overseas server where your traffic finally exits. For example, when you visit Google, Google sees the IP address of this exit node (e.g., Hong Kong, Japan, or the United States).
#Subscription Issues
What is a "native IP" / unblocking IP?
A native IP is one whose registration location matches the actual data center location. Only such IPs can reliably unlock geo-restricted services like Netflix, Disney+, or ChatGPT, which have strict anti-fraud controls.
#Streaming Unblocking#AI Unblocking#IP Purity#Payments & Accounts
What is a "leaked-to-China IP"?
This refers to an overseas node IP that, due to prolonged heavy use by users in mainland China, has been flagged by Google's big data as "actually being used from China." As a result, you may see Chinese ads on YouTube or have Google Search default to Simplified Chinese.
#IP Purity
What is traffic multiplier / ratio?
A cost-adjustment rule set by providers. For example, if a node has a 10x multiplier, downloading 1GB of data will deduct 10GB from your plan. Conversely, with a 0.1x multiplier, downloading 10GB only consumes 1GB.
#Subscription Issues#Routing & Split Tunneling
What is an audit policy?
A set of server-side blocking rules implemented by providers to protect themselves. These typically block BitTorrent downloads, extreme political content, domestic scam/financial risk websites, and specific copyright complaint sites.
#Routing & Split Tunneling#Payments & Accounts
⚠️
Client Errors & Mysterious Disconnections
Why do all nodes show green latency but I can't open any websites?
This is most likely because your local system proxy is not enabled, or your system time is out of sync. Check that your computer/phone time is accurate to the second—TLS encryption is extremely sensitive to time differences. A mismatch of more than 1 minute will cause handshake failures.
#Connection Issues#Core Protocols
Why can WeChat send messages but my browser can't open any domestic websites when Clash proxy is on?
WeChat has built-in caching and routes some traffic through specific ports. The browser issue is usually because Clash has hijacked the system DNS but failed to resolve queries. Try toggling "System Proxy" off and on in the software settings, or switch to TUN mode.
#Connection Issues#Clash#Subscription Issues#TUN Mode#DNS Issues#Routing & Split Tunneling
Why does the client log keep showing "connection refused"?
The target server has rejected the connection. This could mean the node is temporarily down, or your subscription hasn't been updated in a while and the node's port has changed on the provider's backend.
#Subscription Issues
What is TUN mode, and when should I enable it?
TUN mode creates a virtual network adapter at the system level, forcibly routing all traffic from your computer through the proxy. If you find that certain games, UWP apps, or terminal commands aren't going through the proxy, enabling TUN mode will fix 99% of traffic leakage issues.
#Subscription Issues#TUN Mode#Gaming Acceleration
What should I do if I get an "invalid config" or "config file parse error" when importing a subscription?
This means the downloaded subscription file is corrupted. It usually happens when your plan has expired or your data is used up—the provider's server returns an HTML page (e.g., "no data remaining") instead of a valid YAML/JSON configuration.
#Subscription Issues#DNS Issues
Why do all nodes show Timeout as soon as I enable antivirus software (e.g., 360, Huorong)?
The antivirus's "network protection" or "malicious traffic interception" feature is mistakenly blocking the proxy software's virtual network adapter driver or local loopback port (e.g., 7890). You need to add the entire proxy software folder to the antivirus whitelist.
#Connection Issues#Subscription Issues#TUN Mode
After updating macOS, the system proxy toggle in my proxy software automatically unchecks itself immediately after I check it.
This is a system permission conflict. Go to "System Settings > Network > VPN & Filters" on your Mac, delete any old proxy configuration remnants, and re-grant the current proxy software permission to "add proxy configurations."
#Apple Devices
Why can't I access my local NAS from outside using its public IP after enabling the proxy?
The proxy software has taken over the return route for inbound external traffic, causing it to go through the provider's nodes. You need to add your local DDNS domain or internal IP range to the routing rules and set them to Direct.
#Subscription Issues#DNS Issues#Routing & Split Tunneling
What does "context canceled" mean in the client log?
It means the connection was actively canceled. This usually happens when you switch nodes before a webpage finishes loading, or when the browser initiates concurrent requests and the kernel automatically aborts slower connections. This is normal behavior.
#Common Errors
Windows prompts that wintun.sys is missing or failed to install, preventing the software from starting.
The virtual network adapter driver required for TUN mode has been blocked by the system. Right-click the client and run it as administrator, or manually download the driver from the Wintun official website and place it in the corresponding kernel directory of your software.
#TUN Mode
Tired of endless network errors?
Still struggling with node disconnections, timeouts, and errors? Upgrade to a native IP high-speed line and effortlessly unlock Netflix, Disney+, ChatGPT, TikTok, and more. Stop the hassle — get it done in one go.
Get Native IP Now🎬
Streaming & Geo-Restriction Bypass
Why does logging into ChatGPT with a US node still show "Access Denied" (error code 1020)?
OpenAI has extremely strict anti-fraud controls on data center IPs. This error means the node's IP has been blacklisted by OpenAI. Try clearing your browser cookies, opening an incognito window, and switching to a dedicated native node that is specifically labeled as "Unlocks OpenAI/ChatGPT" by your provider.
#AI Unblocking#IP Purity#Payments & Accounts
Why does Netflix say 'You seem to be using an unblocker or proxy'?
Netflix blocks IP ranges from commercial data centers. Non-unlocking nodes can only access Netflix Originals, not region-locked content. The fix is to ask your provider to change the node IP or switch to a dedicated streaming unblocking node.
#Streaming Unlock
Why does TikTok show a black screen or 'No Network Connection' when I connect to a Japanese node?
TikTok not only checks your IP but also forces a detection of your phone's SIM card country code (MCC). Chinese mainland SIM cards (460) are directly rejected. You need to remove your SIM card or use a client-side script (like Quantumult X/Loon rewrite rules) to spoof carrier information.
#Connection Issues#Streaming Unlock#Routing & Split Tunneling
Why are all the Google ads in Vietnamese when I'm connected to a Taiwan node?
This is called IP broadcast pollution. The IP was likely previously used in a Vietnamese data center and was recently purchased and broadcast to Taiwan, but Google's geolocation database hasn't updated yet. You just need to wait for Google to auto-correct it.
#Subscription Issues#DNS Issues
Why do I get extremely high latency and frequent disconnects when playing Steam/Epic games on a VPN node?
Standard VPN nodes are optimized for TCP traffic (web browsing and video streaming), but online gaming relies heavily on UDP traffic. Many providers disable UDP forwarding to save bandwidth, or their routing isn't optimized for gaming. For gaming, we strongly recommend using a dedicated 'game booster' instead of a standard web proxy.
#Subscription Issues#Routing & Split Tunneling#Gaming Acceleration
My account was suddenly frozen with a 'Compliance Risk' notice when logging into an overseas crypto exchange.
Many exchanges (like Binance and Coinbase) strictly prohibit access from US or other sensitive region IPs. If you set your node to global mode for the US, or if your node drifts through a restricted region, it will trigger the exchange's risk control system and auto-lock your account.
#Routing & Split Tunneling#Payments & Accounts
Why are many songs greyed out on Chinese music apps like NetEase Cloud Music and QQ Music when using a VPN?
Your split tunneling rules are failing, causing the music apps to think you are an overseas user. Due to copyright restrictions (limited to mainland China playback), the songs turn grey. You need to ensure your routing rules force NetEase or Tencent traffic to go Direct.
#Routing & Split Tunneling
Why does a website show 'Not available in your country/region due to local laws' when I use a Hong Kong node?
Some websites (like certain forums or adult sites) actively block IPs from Hong Kong to comply with local regulations. Simply switch to a Japan or Singapore node to access them.
#Unlock Support
🌐
Extreme Networks & ISP Blocking
Why can I connect to my VPN on mobile data (5G), but all nodes show red timeouts when I connect to my company's Wi-Fi?
Your company's enterprise firewall (like Sangfor or NetentSec) has Deep Packet Inspection (DPI) enabled. It blocks the non-standard ports used by VPN nodes or uses behavioral auditing to block suspicious encrypted traffic.
#Connection Issues#Subscription Issues
On my school's campus Wi-Fi, updating subscriptions and testing node speeds works fine, but I can't open any foreign websites.
The campus network uses DNS hijacking. While your client can ping the server IPs successfully, your domain requests are being forcibly resolved to wrong addresses at the campus gateway. You need to enable 'Remote DNS Resolution' in your client configuration.
#Connection Issues#Subscription Issues#DNS Issues
Why does my direct connection become extremely slow during peak hours (8 PM to 11 PM)?
This is due to severe congestion on the ISP's 'international exit bandwidth' during peak hours. Direct traffic has low priority and gets dropped indiscriminately. We recommend using your provider's 'transit nodes' or 'dedicated line nodes' during peak times, as they have guaranteed domestic bandwidth.
#Dedicated Lines & Transit#Subscription Issues#Routing & Split Tunneling
My VPN barely works after switching to China Broadnet (or Great Wall Broadband). Why?
China Broadnet and Great Wall Broadband are tier-2 or tier-3 ISPs. They don't have their own international gateways and must borrow bandwidth from China Telecom or China Unicom. They also have multiple layers of NAT, which is very unfriendly to encrypted traffic.
#Subscription Issues#Gaming Acceleration
Why do my VPN nodes keep disconnecting and web pages struggle to load on high-speed trains?
High-speed trains cause rapid cell tower handovers, and the signal itself suffers from the Doppler effect. The frequent micro-disconnections cause the proxy client's TCP handshake to constantly reset. Using nodes based on UDP protocols (like Hysteria 2 or TUIC) will significantly improve stability in this scenario.
#Gaming Acceleration#Underlying Protocols
My VPN provider's official website is inaccessible every few days. Did they go out of business?
No. The provider's landing page and official domain are sensitive sites and are often targeted for blocking by domestic ISPs (the GFW). Providers usually offer backup landing pages, Telegram channels, or permanent anti-blocking domains. You need to use these channels to get the latest official address.
#Connection Issues
💳
Subscriptions, Accounts & Payment Long-Tail Issues
Why are all my nodes showing red timeouts even though my plan hasn't expired yet?
This is almost always because your 'plan data' has been used up. VPN plans typically have two dimensions: 'time' and 'data'. If either runs out, your subscription becomes invalid. Please log into the official website to check your remaining data balance.
#Connection Issues#Subscription Issues
Why did my order show as 'timed out and unpaid' even though I paid for my plan with crypto (USDT-TRC20)?
Many users forget to account for the 'blockchain network fee (Gas Fee)'. If you withdraw from an exchange, they deduct a 1-2 USDT fee, meaning the final amount reaching the provider's wallet is less than the order price. The system cannot auto-callback to activate it. You need to contact provider support for a manual top-up.
#Connection Issues#Subscription Issues#Payments & Accounts
Why does my VPN provider say 'Your account has been suspended'?
You triggered the provider's anti-abuse audit rules. The most common reasons are: ① You shared your subscription link with too many people, exceeding the limit for concurrent public IPs; ② You used BitTorrent software (like Xunlei or BitComet) to download copyrighted files while connected, causing the server to receive complaints from overseas copyright organizations.
#Subscription Issues#Routing & Split Tunneling
What does 'Reset Subscription' do, and when should I use it?
This function completely invalidates your current subscription URL and generates a brand new one. If your subscription link is accidentally leaked or your traffic is being stolen, clicking reset will immediately disconnect all unauthorized devices.
#Subscription Issues
Why do I get a '404 Not Found' error when I try to update my subscription in the client after buying a new plan?
It's highly likely that the provider's 'subscription conversion/distribution domain' has been blocked by the domestic firewall (GFW). Try copying the 'plain text node list' from the official website, or use the provider's backup anti-blocking subscription domain to import.
#Subscription Issues
What's the difference between a 'One-Time Data Pack (Reset Pack)' and a 'Periodic Reset Plan'?
A periodic plan's data resets automatically on a fixed date each month (e.g., the 1st or your purchase date). A one-time data pack has no time limit; it lasts until you use up all the data inside. It's typically used as a temporary backup.
#Subscription Issues
Why does Alipay/WeChat Pay show 'This merchant is risky and cannot be paid'?
The online payment channels used by providers are usually third-party 'card issuing platforms' or overseas 'EasyPay' slice channels. The receiving accounts for these channels are easily flagged by domestic risk control due to abnormal transaction flow. In this case, you have to wait for the provider to change payment channels or switch to cryptocurrency payment.
#Payments & Accounts
Why can't I access my provider's website or use any of my purchased nodes (all red) while I'm abroad?
Some providers enable 'GeoIP blocking' on their servers, restricting access to their website and nodes to only IPs from mainland China to avoid overseas legal risks. If you need to use the service while abroad, you must apply for a whitelist from the provider's management.
#Connection Issues#Payments & Accounts
🔀
Routing Rules, DNS Leaks & Advanced Configuration
What are 'Global Mode' and 'Rule Mode'?
In Global mode, all your computer's traffic (including visiting Baidu or Taobao) is routed through the overseas node. This slows down domestic sites and consumes your data plan. In Rule mode, the software automatically decides: domestic sites connect Directly, and only sensitive foreign sites go through the Proxy. We strongly recommend using Rule mode for daily use.
#Subscription Issues#Routing & Split Tunneling
What is a DNS leak and why is it dangerous?
A DNS leak occurs when, even after you've enabled a proxy, your device still sends DNS queries for overseas websites to your local ISP's DNS server (e.g., 114.114.114.114). This allows your ISP to precisely log every sensitive site you visit, and it also makes your traffic highly vulnerable to DNS hijacking.
#DNS Issues
How do I force a specific domestic app (e.g., a particular game) to bypass the proxy in a Clash client?
Simply add a direct connection rule at the very top of the `rules:` section in your config file. The format is: `- PROCESS-NAME,game_process_name.exe,DIRECT` or `- DOMAIN-SUFFIX,domain-suffix.com,DIRECT`.
#Clash#Routing & Split Tunneling#Gaming Acceleration
What are GeoIP and GeoSite databases, and why should I update them regularly?
Think of them as the 'maps' your proxy client uses to identify traffic destinations. GeoIP maps IP addresses to their geographic locations, while GeoSite categorizes domain names for major websites. Regular updates ensure your client can accurately decide which traffic to send directly and which to route through the proxy.
#Subscription Issues#Routing & Split Tunneling
Why do I get a 502 error when accessing my local dev environment (like localhost or 127.0.0.1) with the proxy on?
This happens because your routing rules are incomplete, causing the client to send local loopback traffic to an overseas node, which obviously can't reach your local machine. You need to add `localhost` and `127.0.0.1` to your client's 'Bypass' or 'Proxy Bypass' list.
#Connection Issues#Subscription Issues#Routing & Split Tunneling
Why does my Taobao account keep triggering 'login from a new device/location' alerts even with split tunneling enabled?
Many apps make network requests to multiple domains in the background. If some edge-case domains aren't in your rule set and get routed through an overseas node, Taobao's system detects your account logging in from both China and abroad within the same second, triggering their security protocols.
#Routing & Split Tunneling#Payments & Accounts
What is a Proxy Chain?
A proxy chain routes your traffic through multiple proxy servers in sequence. For example: Your PC -> Transit Node -> Exit Node -> Your Private Privacy Node -> Final Target Website. This is used for maximum anonymity, but it comes with significantly higher latency.
#Dedicated Transit#Subscription Issues
Why do some websites stop loading after I change `udp: false` to `true` in my Clash config?
Some overseas servers or providers don't have UDP forwarding properly configured. When you force UDP on, your browser tries to load sites via the QUIC protocol (which runs on UDP). If the server drops this UDP traffic, the connection hangs and the page fails to load.
#Connection Issues#Clash#Subscription Issues#Gaming Acceleration#Core Protocols
📱
Device Compatibility & Special Scenarios
Why can't my computer access the internet through my iPhone's Shadowrocket hotspot?
iOS's underlying network isolation prevents hotspot traffic from automatically routing through the VPN. To share your proxy, you must enable 'Allow LAN Connections' in Shadowrocket's settings, then manually configure your computer's network proxy settings with your iPhone's local IP address and the proxy port.
#Shadowrocket#Subscription Issues#TUN Mode#Apple Devices
How do I install and use a VPN subscription on a Smart TV (Android TV / TV Box)?
Download a client optimized for TV remotes, like Clash for Android (with its TV-friendly UI) or v2rayNG. Transfer the APK file to your TV via a USB drive, then scan a subscription QR code displayed on your computer or phone to complete the setup.
#Clash#v2rayN#Subscription Issues#Android/TV
Why do my smart home devices (like Xiaomi robot vacuum, Baidu smart speaker) keep going offline after I set up a transparent proxy on my router?
Chinese IoT devices are extremely sensitive to network conditions and can't handle the latency or IP changes from overseas routing. If your router's rules accidentally send their traffic through a foreign node, they'll be rejected by their servers. You must set these devices to 'Force Direct Connection' in your router's settings, usually by their MAC address.
#Routing & Split Tunneling#Soft Router#Apple Devices
Why does my emulator (like LDPlayer or Nox) still show region restrictions for foreign mobile games, even with my VPN on?
Most Android emulators use a 'Bridged Network' mode, giving them a virtual IP address separate from your PC. This bypasses your computer's system proxy. The fix is to either enable TUN mode in your proxy client, or install a client like v2rayNG directly inside the emulator and import your subscription there.
#v2rayN#Subscription Issues#TUN Mode#Android/TV
Why does my video conferencing app (like DingTalk, Feishu, or Zoom) lag and drop packets when I'm at the office with my VPN on?
Video calls are extremely sensitive to latency and packet loss. If your rules route domestic conferencing traffic through an overseas node, the data has to travel thousands of extra kilometers, causing severe lag. You must ensure the domains or processes for these apps are set to direct connection in your whitelist.
#Subscription Issues#Routing & Split Tunneling
Why does my PS5/Switch show a Strict NAT type (NAT D / NAT 3) when connected through my computer's shared proxy?
Standard proxy nodes often don't support Full Cone NAT forwarding, or your client hasn't enabled UDP Full Cone mapping. For online gaming, you should use nodes specifically designed for game acceleration and enable the 'Full Cone' option in your client software.
#IP Purity#Gaming Acceleration
⚙️
Core Protocols & Soft Router Tech
What are the advantages of AEAD encryption in Shadowsocks over traditional methods?
AEAD (Authenticated Encryption with Associated Data) not only encrypts the data but also authenticates it to prevent tampering. Traditional methods like AES-CFB are vulnerable to replay attacks and active probing. AEAD ciphers (like AES-256-GCM and ChaCha20-Poly1305) verify data integrity before decryption, effectively resisting active probing and improving censorship resistance.
#Core Protocols
What was the original purpose of the AlterID mechanism in the VMess protocol, and why is it now deprecated?
AlterID was designed to generate multiple alternative IDs from a single master ID, making each connection appear to come from a different user to evade traffic fingerprinting and connection pattern analysis. However, with the widespread adoption of VMess AEAD, the security benefit of this multi-ID system became negligible while increasing CPU and memory overhead. The V2Ray team now recommends setting AlterID to 0 and relying solely on AEAD security.
#Subscription Issues#Core Protocols
What is the fundamental design difference between the Trojan and Shadowsocks protocols?
Shadowsocks aims to encrypt traffic into random, featureless data to 'avoid detection.' Trojan's core design philosophy is 'imitation.' It disguises itself as standard HTTPS traffic (TLS 1.2/1.3), making it indistinguishable from normal web browsing. If a non-Trojan probe request hits the server, Trojan simply forwards it to a real backend web server, allowing it to blend perfectly into the background noise of the internet.
#Subscription Issues#Core Protocols
Why can the Hysteria protocol maintain extremely high speeds even on networks with high packet loss?
Hysteria is based on the QUIC protocol (UDP) and uses a custom congestion control algorithm (like 'Brutal'). Traditional TCP interprets packet loss as a sign of congestion and drastically reduces its sending window. On international links, however, packet loss is often a constant condition, not a sign of congestion. Hysteria ignores this loss and aggressively sends UDP packets at the user-defined bandwidth rate, effectively 'maxing out' the connection even on poor quality networks.
#Gaming Acceleration#Core Protocols
What are the major architectural improvements in Hysteria 2 compared to Hysteria 1?
Hysteria 2 features a complete rewrite with a new protocol design. It moves away from heavy reliance on standard QUIC libraries, using a more streamlined custom UDP protocol that significantly reduces CPU usage and latency. It introduces more secure cryptographic handshakes, built-in Port Hopping to combat UDP QoS and port blocking, and simplifies configuration by removing the need for manual bandwidth tuning.
#Gaming Acceleration#Core Protocols
Both TUIC and Hysteria are based on QUIC, but how do their application scenarios and design focuses differ?
TUIC's design prioritizes 'standards' and 'elegant architecture.' It's built on standard QUIC, fully leveraging its 0-RTT handshake and multiplexing features to minimize latency, making it ideal for gaming and instant page loads. Hysteria, on the other hand, is all about 'aggressive speed,' using its radical congestion control to grab bandwidth on poor networks. In short, TUIC is best for decent lines where low latency is key, while Hysteria excels on high-loss lines where maximum throughput is the goal.
#Gaming Acceleration#Core Protocols
What redundant designs does the VLESS protocol remove compared to VMess?
VLESS is a stateless, lightweight protocol. It removes the complex encryption and timestamp verification mechanisms of VMess (which rely on synchronized client-server time). It no longer has built-in encryption, instead delegating all encryption tasks to underlying secure channels like TLS or XTLS. This makes VLESS extremely low-overhead and significantly more efficient for forwarding.
#Core Protocols
How does Xray's Reality protocol achieve TLS masquerading without needing a domain name or a public server certificate?
Reality intercepts and modifies the SNI in the TLS Client Hello, pointing it to a well-known website (e.g., Microsoft, Apple). On the server side, it dynamically generates a temporary public key that matches the target website using a specific algorithm. It doesn't actually possess the private key for that domain, but during the TLS handshake, the GFW sees the client establishing a connection with a legitimate, high-profile website. This eliminates the hassle of buying a domain and applying for a certificate, while making it difficult to block because it masquerades as a high-authority domain.
#Core Protocols#Apple Devices
How does XTLS's 'Direct' mode (Vision) boost proxy performance?
Traditional TLS proxies encrypt traffic once at the proxy layer, and then again with the outer TLS layer. XTLS Vision (Direct mode) detects when the inner traffic is also TLS (e.g., a user visiting an HTTPS site). After the handshake completes, it directly 'splices' the inner and outer data streams, forwarding the inner TLS encrypted data directly. This eliminates the double encryption and decryption process at the proxy protocol level, drastically reducing CPU overhead on the router and increasing maximum throughput.
#Subscription Issues#Routing & Split Tunneling#Core Protocols
What problem was the new Shadowsocks 2022 standard (SS-2022) created to solve compared to the old version?
Even with AEAD, the old version of SS had a limited window for replay attack protection and couldn't fully defend against packet length analysis. SS-2022 introduces session-based encryption and extremely strict anti-replay mechanisms. It also requires strict time verification on the server side (similar to VMess) and enhances security design for UDP traffic. This completely closes the loopholes for replay attacks and active probing, giving it the potential for quantum-resistant forward secrecy.
#Subscription Issues#Gaming Acceleration#Core Protocols
Under what circumstances does the Mux (multiplexing) feature in V2Ray/Xray actually slow down your connection?
Mux aims to reduce latency from TCP handshakes by multiplexing multiple data streams over a single TCP connection. However, in high-latency, high-packet-loss cross-border network environments, TCP's head-of-line blocking becomes a major issue. If the single underlying TCP connection drops a single packet, all data streams multiplexed on that connection must wait for the retransmission. Therefore, in poor network conditions, enabling Mux can cause all web pages to lag and speeds to plummet.
#Other Troubleshooting
Why do many VPN providers today no longer recommend ordinary TLS masquerading and instead prefer Reality or pure TCP encryption?
The traffic patterns of ordinary TLS masquerading (e.g., WebSocket+TLS) are increasingly being deep-learned by firewalls. Especially if the masquerading domain is an obscure, low-traffic one, it easily triggers active probing and blocking. Reality, on the other hand, can masquerade as high-frequency, well-known domains. Alternatively, pure TCP encryption (like SS), if made sufficiently random and featureless, often has a higher survival rate under current blocking strategies compared to poor-quality TLS masquerading.
#Subscription Issues#Core Protocols
How does the Port Hopping feature in Hysteria 2 solve the ISP's UDP QoS problem?
Many ISPs throttle (QoS) or even block high-volume traffic that occupies a single UDP port for a long time. Hysteria 2's Port Hopping feature allows the client and server to continuously and seamlessly change the target UDP port during communication. This spreads the traffic across multiple random ports, making it difficult for the ISP's traffic shaping equipment to identify it as a single, sustained high-bandwidth data stream, thus bypassing UDP QoS limits.
#Subscription Issues#Gaming Acceleration#Core Protocols
What are the main advantages and disadvantages of using the WebSocket protocol as a proxy transport layer?
The advantage is that WebSocket is a standard web protocol that can be relayed through CDNs (like Cloudflare). Even if the server IP is blocked, the node can be revived as long as the CDN's IP is accessible. It can also share port 443 with normal web services (using Nginx for routing). The disadvantage is that WebSocket has very high encapsulation overhead and bulky HTTP headers, leading to extremely low transmission efficiency and high latency. It is not suitable for gaming or proxies requiring very fast response times.
#Dedicated Lines & Relays#Routing & Split Tunneling#Gaming Acceleration#Core Protocols
What are the technical advantages of gRPC as a proxy transport protocol compared to WebSocket?
gRPC is based on the HTTP/2 protocol, natively supporting multiplexing and bidirectional streaming. It uses Protobuf for serialization and has highly efficient header compression, resulting in much lower protocol overhead than WebSocket. While maintaining the same advantages as WebSocket (being relayable through CDNs and compatible with Nginx routing), it offers lower latency and higher concurrent throughput.
#Streaming Unblocking#Dedicated Lines & Relays#IP Purity#Routing & Split Tunneling#Core Protocols
Why is the obfuscation (obfs) mechanism of ShadowsocksR (SSR) no longer secure in today's network environment?
SSR's obfuscation mechanism mainly relies on modifying packet headers to masquerade as HTTP or TLS traffic. This masquerade is 'static' and 'superficial'—it doesn't truly follow the interaction logic of the HTTP or TLS protocols. Against modern firewalls with Deep Packet Inspection (DPI) and machine learning capabilities, this mechanical feature modification is easily identified as anomalous traffic, leading to precise IP blocking.
#Subscription Issues#Core Protocols
In an Xray configuration file, what are the essential roles of Outbound and Inbound?
Inbound is responsible for receiving data from the client (e.g., browser or other software). It defines the local listening port and protocol (e.g., SOCKS5, HTTP). Outbound is responsible for sending the processed data out. It defines the target server's address, port, and the proxy protocol to be used (e.g., Vmess, Shadowsocks). Xray is the core engine that performs routing and protocol conversion between these two endpoints.
#Routing & Split Tunneling#Core Protocols
What improvements does Trojan-Go bring over the original Trojan, and what new features does it offer?
Trojan-Go is a complete rewrite of the C++ Trojan in Go. While maintaining compatibility, it adds multiplexing (Mux), WebSocket support, CDN relay capability, routing rules (similar to V2Ray's routing), and better cross-platform support. It addresses the original Trojan's shortcomings of limited functionality and inability to leverage CDNs, making it a more feature-complete proxy core.
#Dedicated Lines & Relays#Routing & Split Tunneling#Core Protocols
Why is stable UDP forwarding and NAT type crucial for gaming acceleration?
Real-time communication in most multiplayer online competitive games (e.g., CS:GO, Apex) relies on the UDP protocol. If the proxy tool doesn't support UDP forwarding, or if the resulting NAT type is Strict, it can prevent P2P connections, cause voice chat to fail, or make it impossible to find matches. A good proxy protocol needs to perfectly forward UDP packets and maintain a Full Cone NAT to ensure the best online gaming experience.
#Gaming Acceleration#Core Protocols
In the vless+tcp+xtls-rprx-vision configuration, how does XTLS-Vision prevent active probing?
XTLS-Vision strictly checks the characteristics of the TLS Client Hello during the handshake and adds random padding and length obfuscation during communication. If a probe attempts to send an illegal or replayed packet, the server silently drops it or fakes a normal network timeout response in a specific way. This prevents the probe from determining if a proxy service is running on the port based on the server's feedback.
#Connection Issues#Core Protocols
What are the consequences of misconfiguring the 'Dest' and 'ServerNames' parameters in the Reality protocol?
Dest is the address of the target masquerading website, and ServerNames is the SNI sent by the client. If they don't match, or if ServerNames isn't in the list of domains allowed by the target website's certificate, the firewall will detect a 'bait-and-switch' during interception. It will see that the domain requested by the client doesn't match the certificate domain returned by the server, directly exposing the proxy behavior and leading to the node being blocked.
#Core Protocols
What is 'Forward Secrecy', and what role does it play in modern proxy protocols (like those based on TLS 1.3)?
Forward Secrecy means that a unique set of temporary keys is generated for each session. Even if the server's long-term private key is compromised or leaked in the future, an attacker cannot decrypt past historical communication data that was intercepted and stored. TLS 1.3 mandates the use of forward secrecy (e.g., ECDHE) by default, which greatly enhances the security of proxy traffic against state-level surveillance.
#Subscription Issues#Core Protocols
How does the 'Connection Migration' feature of the QUIC protocol benefit circumvention on mobile devices?
With traditional TCP proxies, when a phone switches from Wi-Fi to cellular data (e.g., 5G), the local IP changes, causing the TCP connection to break and reconnect, leading to a brief proxy outage. The QUIC protocol uses a Connection ID instead of IP+Port to identify a connection. Therefore, no matter how the client's IP changes (e.g., switching networks), QUIC-based protocols (like Hysteria, TUIC) can seamlessly maintain the connection without interruption.
#Core Protocols
Why does using a CDN (like Cloudflare) to relay node traffic usually increase latency and reduce peak speed?
CDN relaying essentially adds a 'proxy of a proxy' between the user and the target server. Data packets are first sent to the CDN's edge node, and then the CDN forwards them to the origin server via its backbone network. This adds one or more routing hops and processing overhead, inevitably increasing physical latency. Furthermore, free CDN nodes often have concurrency and bandwidth limits, and can be affected by network congestion during peak hours, leading to an overall decrease in speed.
#Dedicated Lines & Relays#Subscription Issues#Routing & Split Tunneling
What is a "Bypass Router" and how does it relate to the main router in a network topology?
A bypass router isn't physically "off to the side" — it's logically a single-arm router. It connects to the main router's LAN port, with only the LAN interface active. The main router handles PPPoE dialing and DHCP, while the bypass router acts as a gateway, intercepting traffic from devices that need proxying (e.g., for circumvention or ad-blocking), processes it, then sends it back to the main router for internet access — without affecting the main router's stability.
#Subscription Issues#Routing & Split Tunneling#Soft Router
When setting up a bypass router on OpenWrt, how do you fix LAN devices being unable to access the internet (usually related to firewall settings)?
The inability to go online via a bypass router is usually due to missing NAT masquerading. The fix is to add an iptables rule in OpenWrt's "Firewall - Custom Rules": iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE. This rule rewrites the source IP of processed packets to the bypass router's IP, ensuring they are properly received and returned by the main router.
#Routing & Split Tunneling#Gaming Acceleration#Soft Router
What is the core principle of a Transparent Proxy?
A transparent proxy uses firewall rules (like iptables or nftables) on the gateway router to forcibly redirect (Redirect) or transparently proxy (Tproxy) TCP/UDP traffic from LAN devices to a local proxy core (e.g., Xray, Clash) without the devices being aware. Client devices don't need any proxy software or environment variables — just connect to Wi-Fi and you're good to go.
#Clash#Subscription Issues#Routing & Split Tunneling#Gaming Acceleration#Soft Router
What is the fundamental difference in traffic splitting mechanisms between OpenClash and PassWall, the two major proxy plugins for OpenWrt?
OpenClash is based on the Clash core, with traffic splitting logic controlled at the application layer via YAML config files (e.g., Rule Providers), offering high flexibility and support for complex logic. PassWall, on the other hand, relies on the router's underlying iptables, ipset, or nftables combined with dnsmasq/SmartDNS, performing IP and port-based splitting at the network and transport layers — lower overhead but less intuitive and complex rule configuration compared to Clash.
#Clash#DNS Issues#Routing & Split Tunneling#Soft Router
In transparent proxies, what's the difference between TProxy and Redirect traffic interception methods?
Redirect can only handle TCP traffic by modifying the destination port to forward data to the proxy, losing the original destination IP (which needs special recovery) and doesn't support UDP. TProxy (transparent proxy technology) operates at a lower level in the mangle table, supporting both TCP and UDP perfectly without altering any packet headers — making it the best solution for full-duplex transparent proxying, especially for gaming UDP forwarding.
#Subscription Issues#DNS Issues#Gaming Acceleration#Soft Router
Why do domestic websites often load slowly or fail to open due to "DNS pollution" when configuring circumvention tools on a soft router?
This happens because without proper DNS splitting, domestic domain resolution requests may be sent to polluted overseas DNS servers, or to domestic DNS servers that return incorrect, hijacked IPs. If the proxy plugin isn't correctly configured to "use domestic DNS for domestic domains and overseas DNS via proxy for foreign domains," DNS resolution becomes chaotic, impacting the speed and connectivity of domestic websites.
#Connection Issues#DNS Issues#Routing & Split Tunneling#Soft Router
What is Fake-IP mode, and how does it speed up webpage loading in OpenClash?
When a device initiates a domain resolution, Fake-IP mode instantly returns a fake LAN IP (e.g., 198.18.x.x) instead of querying the real public IP. The device then initiates a TCP connection to this fake IP, which is intercepted by the router. The router uses Clash's proxy tunnel to have the remote server resolve the real IP and fetch the data. This eliminates the wait time for a local DNS query, enabling "instant" page loads.
#Clash#DNS Issues#Routing & Split Tunneling#Soft Router
What role does the common dnsmasq play in network traffic splitting on a soft router?
dnsmasq is the default DNS and DHCP server on OpenWrt. When used without advanced proxy cores like Clash (e.g., with PassWall), dnsmasq works with ipset for traffic splitting: it sends domestic domain queries to the ISP's DNS and foreign domains to a clean DNS, then dynamically adds the resolved overseas IPs to an ipset set. The firewall then routes matching traffic into the proxy tunnel based on this ipset list.
#Clash#Subscription Issues#DNS Issues#Routing & Split Tunneling#Soft Router
What practical value does "MAC Address Filtering" or "Device Control" offer in LAN traffic splitting?
Not all devices on a home network need to go through a proxy. For example, a smart TV streaming domestic content through the proxy core — even via a direct domestic node — adds unnecessary CPU load on the router. By using MAC address control, you can route phones and computers through the transparent proxy while letting smart home devices and TVs bypass the proxy plugin entirely via the underlying gateway, improving overall network performance and stability.
#Subscription Issues#Routing & Split Tunneling#Soft Router#Apple Devices#Android/TV
Why do some devices (like PS5 or Xbox) get a Strict NAT type (NAT3) when using a bypass router (gateway mode)?
This is because in a bypass router setup, packets go through two NATs (one MASQUERADE on the bypass router, one NAT on the main router for dialing). Multiple NATs break UDP port mapping rules, causing P2P communication failures on game consoles. The fix usually involves removing the NAT masquerade rule on the bypass router — provided the main router supports static routing to route return traffic back to the bypass router's IP.
#Subscription Issues#Routing & Split Tunneling#Gaming Acceleration#Soft Router
What problem does SmartDNS on OpenWrt mainly solve, and is it necessary to use it with a proxy plugin?
SmartDNS's main function is to query multiple upstream DNS servers concurrently and return the fastest IP based on latency, optimizing CDN resolution results. It's not essential for circumvention tools, and if misconfigured, it can easily conflict with OpenClash's DNS module (e.g., Fake-IP), causing resolution loops or pages failing to load. Beginners are generally advised against mixing SmartDNS with proxy environments.
#Connection Issues#Clash#DNS Issues#Soft Router
Why is the AES-NI instruction set crucial for circumvention tools when choosing soft router hardware?
AES-NI is a hardware encryption instruction set built into the CPU. Most traditional proxy protocols (like Shadowsocks, Vmess's AES-128-GCM) rely on AES algorithms. CPUs with AES-NI (e.g., Intel J4125, N100) can handle gigabit-level encrypted traffic with minimal CPU usage, while ARM chips without it can bottleneck high-bandwidth speeds due to CPU saturation.
#Subscription Issues#Routing & Split Tunneling#Soft Router#Core Protocols
What is "Policy Routing" and how is it applied in multi-WAN or traffic splitting scenarios?
Policy routing breaks away from traditional destination-based routing tables, allowing flexible forwarding rules based on source IP, source port, protocol type, etc. On a soft router, for example, you can route traffic from a specific device through a VPN tunnel while others use the regular WAN port, or, when aggregating multiple broadband lines, direct different apps to use China Telecom or China Unicom lines.
#Routing & Split Tunneling#Soft Router#Core Protocols
When a soft router experiences "intermittent disconnections" (network drops for a few seconds then recovers), what are the common causes?
Common causes include: 1. Unstable or temporarily blocked proxy server nodes; 2. DNS resolution chaos, with upstream DNS servers rate-limiting or unresponsive; 3. Memory overflow or crash restart of cores like Clash; 4. Network driver bugs in the soft router's underlying firmware (e.g., certain custom OpenWrt builds), causing frequent Ethernet interface drops.
#Clash#DNS Issues#Routing & Split Tunneling#Soft Router
When configuring PassWall, what is the purpose of the China IP whitelist (Chnroute)?
Chnroute contains all IP address ranges allocated to mainland China. Configuring it in the router's firewall enables basic "bypass LAN and China IP" traffic splitting. This means all traffic destined for IPs within mainland China bypasses the proxy client and goes directly through the local ISP network, ensuring speed and regional restrictions for domestic services remain unaffected.
#Subscription Issues#Routing & Split Tunneling#Soft Router
What does "IPv6 Leak" mean in a transparent proxy environment, and how can it be prevented?
Many proxy nodes don't support IPv6. If LAN devices have IPv6 enabled and obtain a public IPv6 address, they may prefer local IPv6 direct connections when accessing dual-stack sites (like Google), bypassing the IPv4 transparent proxy rules — leading to access failures or real IP exposure. Prevention methods include disabling IPv6 DHCP assignment on OpenWrt or dropping IPv6 queries (Drop IPv6) in the proxy plugin.
#Routing & Split Tunneling#Soft Router
How can you deploy a transparent proxy as a bypass router on a standard Synology NAS using Docker?
Run a Docker container with macvlan network mode (e.g., an OpenWrt container or Clash core container) on the NAS. Macvlan allows the container to get an independent IP on the same subnet as the NAS. By manually setting the gateway and DNS of your home devices to this container's IP, the container acts as a bypass router, intercepting and processing network traffic for those devices.
#Clash#Subscription Issues#DNS Issues#Routing & Split Tunneling#Soft Router#Apple Devices
Besides OpenWrt, there are other soft-router systems like iKuai and RouterOS (ROS). How are they typically divided in a home network topology for circumvention?
iKuai and ROS usually serve as the main router, handling rock-solid broadband dial-up, QoS traffic control, and multi-WAN load balancing. OpenWrt, on the other hand, runs as a side-router inside a virtual machine, dedicated to running various circumvention and ad-blocking plugins. This combination ensures absolute stability for the core home network while enjoying OpenWrt's rich plugin ecosystem.
#Routing & Split Tunneling#Soft Router
In OpenClash, what are Rule Providers, and why are they better than writing static rules directly?
Rule Providers allow Clash to dynamically download and update rule lists from remote URLs (e.g., ad domain lists, Apple service domain lists). Compared to hardcoding thousands of rules directly into the local config file, Rule Providers significantly reduce the config file size and can be set to auto-update on a schedule, ensuring your split-tunneling rules are always up-to-date.
#Clash#Subscription Issues#Routing & Split Tunneling#Soft Router
Why does a 'Loopback' in transparent proxy firewall rules cause the router to crash or lose internet connectivity?
If the iptables firewall rules are misconfigured, traffic originating from the proxy software itself (used to connect to overseas servers) gets redirected back to the proxy's listening port, creating an infinite loop. Data packets spin in a dead loop inside the router, instantly exhausting CPU and memory resources, leading to a complete network crash. This loop must be broken by configuring an allowlist (e.g., excluding the user running the proxy or packets with specific marks).
#Connection Issues#Subscription Issues#Routing & Split Tunneling#Soft Router
What is AdGuard Home, and where does it sit in the DNS resolution chain of a soft-router circumvention topology?
AdGuard Home is a powerful network-wide ad-blocking and DNS management tool. In a standard soft-router topology, it usually sits at the very front (taking over port 53 for all devices on the LAN), responsible for filtering ad domains. After filtering, normal domain requests are forwarded to the backend OpenClash or PassWall for domestic/international split resolution, enabling ad-blocking and circumvention to coexist.
#Clash#DNS Issues#Routing & Split Tunneling#Soft Router
What are the advantages of using TUN mode (e.g., Clash Premium's TUN) as a global transparent proxy compared to iptables hijacking?
TUN mode creates a virtual network card (TUN device) at the system level. It modifies the system routing table to direct all traffic into this virtual network card for Clash to handle, without relying on complex iptables/nftables firewall rules. This gives TUN mode excellent cross-platform compatibility (Windows, macOS, Linux), extremely simple deployment, and native support for full TCP and UDP traffic interception.
#Clash#Subscription Issues#TUN Mode#DNS Issues#Routing & Split Tunneling#Gaming Acceleration#Soft Router#Apple Devices
In a multi-node proxy service, why is 'Load Balancing' or 'Failover' (auto-switching) on a soft-router sometimes not very effective?
Connectivity tests for circumvention nodes (usually PING or HTTP probes) have limitations. A node might show very low latency and normal HTTP responses, but its actual application traffic is already being blocked by the firewall. If the speed test mechanism isn't smart enough, load balancing will mistakenly route traffic to a 'zombie' node, leading to a worse user experience with frequent disconnections instead of improvement.
#Connection Issues#Subscription Issues#Routing & Split Tunneling#Soft Router
In home networking, why is 'ONT Bridged, Router Dial-Up' the first prerequisite for mastering soft routers and transparent proxies?
If the ONT handles dial-up and routing (ONT router mode), the ONT holds the highest control over the network, and the soft router can only act as a downstream device. Due to the ONT's weak and closed hardware, it cannot perform advanced operations like port forwarding, NAT type optimization, or custom DHCP gateway settings. Switching the ONT to bridge mode and letting the soft router handle dial-up allows the soft router to truly take over the home network and unlock its full potential.
#Routing & Split Tunneling#Gaming Acceleration#Soft Router
💼
Advanced Clients & Business Exclusives
What is a 'Module' in Surge, and how is it different from regular rules?
A Surge Module is a configuration fragment that can be dynamically enabled or disabled. Unlike rules hardcoded into the main Profile, a module can contain general rules, Rewrites, Scripts, and MITM certificates. Its biggest advantage is decoupling; users don't need to frequently modify the main config file. Instead, they can toggle modules on/off to achieve ad-blocking, specific app unlocking, or feature enhancements, greatly improving configuration flexibility and maintainability.
#Surge#Routing & Split Tunneling
In Quantumult X, how can MITM be used to unlock premium features within an app?
In Quantumult X, MITM is used to decrypt HTTPS traffic. First, you need to install and trust the CA certificate generated by Quantumult X on your device and enable the MITM toggle. Then, add the target app's domain to the Hostname list in the config file. Combined with Rewrite or Script functions, you can intercept the app's verification request to the server or modify the server's response data (e.g., changing is_vip: false to true), thereby achieving local unlocking of premium features.
#Subscription Issues
Sing-box's configuration is based on JSON format. What are the main parts of its core architecture?
Sing-box's configuration is presented in a highly structured JSON format. Its core architecture mainly consists of four parts: inbounds (defines how to receive local traffic, e.g., SOCKS, HTTP, or TUN), outbounds (defines how traffic is sent to external servers, including node protocols and direct/block rules), route (routing rules that direct inbound traffic to specific outbounds based on domain, IP, protocol, etc.), and dns (the DNS resolution module that handles domain query pollution prevention and coordinates with routing).
#Sing-box#Subscription Issues#TUN Mode#DNS Issues#Routing & Split Tunneling#Core Protocols
What are the advantages of the VLESS Reality protocol supported by Clash Meta (now Mihomo) compared to traditional TLS?
The Reality protocol eliminates the need for a real domain and server certificate required by traditional TLS. It dynamically simulates the TLS handshake process of a high-reputation website on an allowlist (like Microsoft or Apple's official site) between the client and server, presenting the target website's certificate to the firewall. This not only saves the hassle of buying a domain and applying for a certificate but also effectively resists active probing and TLS handshake fingerprinting, significantly reducing the chance of a node being blocked.
#Clash#Core Protocols#Apple Devices
What advanced operations can Surge's Scripting feature achieve?
Surge's scripting feature allows users to intervene in network requests at specific stages using JavaScript. The main types include: cron (scheduled tasks, like auto check-ins or rule updates), http-request (modify Headers or Body before a request is sent), http-response (modify content before the response is returned to the client), and network-changed (automatically execute actions when the network environment changes). This offers advanced users near-infinite customization capabilities, such as ad-blocking, request redirection, or dynamic parameter calculation.
#Surge#Subscription Issues#Routing & Split Tunneling
In Quantumult X's Rewrite rules, what is the difference between url 302/307 and url reject?
url 302 or url 307 are redirect rules. When a request matches a specific URL, Quantumult X returns an HTTP status code (302 for temporary redirect or 307 for internal redirect), directing the request to another custom URL. This is commonly used for bypassing regional restrictions or redirecting to a mirror site. url reject, on the other hand, directly drops the request, commonly used to block ad requests or privacy trackers, preventing them from consuming bandwidth or leaking data.
#Routing & Split Tunneling
In Sing-box, what is the fundamental difference between TUN mode and System Proxy in terms of traffic interception?
System Proxy primarily relies on the OS or browser's HTTP/SOCKS proxy settings and can only intercept traffic from applications that respect these settings; some apps (like command-line tools or certain games) might bypass it. TUN mode creates a virtual network card at the OS level, forcing all Layer 3 (network layer) traffic through this virtual card via the routing table. Therefore, TUN mode achieves true 'global proxy,' intercepting all TCP and UDP traffic from every application on the device.
#Sing-box#Subscription Issues#TUN Mode#Routing & Split Tunneling#Gaming Acceleration
In Clash Meta's routing rules, what is the underlying logic for GEOSITE and GEOIP matching?
GEOSITE matching is based on a pre-compiled domain name database (usually from v2ray/domain-list-community). It intercepts the request's domain name before DNS resolution; if the domain exists in a specified category (e.g., google), the corresponding rule is matched. GEOIP matching is based on an IP address range database. It only evaluates whether the resolved IP or a direct IP request belongs to a specific country or region (e.g., CN). To prevent DNS leaks and ensure precise split tunneling, Clash Meta typically uses both in combination.
#Clash#DNS Issues#Routing & Split Tunneling
In Surge's DNS module, what are the different application scenarios for 'server', 'local', and 'encrypted'?
'server' specifies the default traditional UDP/TCP DNS server for handling most resolution requests. 'local' usually points to the ISP-assigned local DNS or the router's gateway, used for resolving devices on the LAN or optimizing CDN node allocation for domestic websites. 'encrypted' refers to DoH (DNS over HTTPS) or DoT (DNS over TLS), used to prevent DNS queries from being eavesdropped on or tampered with during transmission, ensuring privacy and bypassing DNS poisoning.
#Surge#DNS Issues#Routing & Split Tunneling#Gaming Acceleration
When configuring nodes in Quantumult X, what is the purpose of the obfs (obfuscation) parameter?
The purpose of obfuscation (obfs) is to disguise proxy traffic as normal network traffic (such as HTTP or TLS). From the firewall's perspective, obfuscated traffic no longer exhibits the specific characteristics of proxy protocols (like Shadowsocks' fixed packet structure), but instead appears to be accessing a regular website. This effectively prevents firewalls from identifying proxy behavior based on Deep Packet Inspection (DPI), thereby reducing the risk of connections being reset or IPs being blocked.
#Subscription Issues#Core Protocols
How do rule_sets in Sing-box's route configuration enable efficient configuration management?
Rule_sets allow users to package large numbers of domains, IPs, or even complete rules into independent external files (which can be local files or remote URLs). In the route section of Sing-box, users simply reference the tag of this rule_set, eliminating the need to write thousands of lines of rules directly into the main configuration file. This drastically simplifies the configuration file's size and leverages Sing-box's built-in auto-update mechanism to keep rule databases (such as ad-block lists or anti-DNS-leak lists) real-time.
#Sing-box#Subscription Issues#Routing & Split Tunneling
What common load balancing and high availability strategies do proxy-groups in Clash Meta support?
Clash Meta supports several policy group types: select (manual selection), url-test (tests latency against a specified URL and automatically selects the node with the lowest latency), fallback (follows a list order, automatically switching to the next available node when the top node is unreachable), and load-balance (distributes different requests across multiple nodes using random or hash algorithms to increase throughput, though this may cause frequent IP changes).
#Clash
Why is the Dashboard in Surge's UI interface considered a powerful tool for network packet capture?
The Surge Dashboard provides real-time monitoring of network connections and requests. It not only displays the source application, destination domain, used policy, latency, and throughput for each connection, but also allows you to expand and view the complete HTTP request and response headers and body. Combined with MITM, developers or advanced users can easily inspect an app's network behavior, locate ad domains, or debug APIs, offering functionality nearly on par with professional desktop packet capture tools like Charles.
#Surge#Streaming Unlock
How do you handle local DNS Leaks in Quantumult X?
To prevent local DNS leaks, you can force the DNS resolution process for domains through the proxy in Quantumult X's configuration. By setting up [dns_exclusion] or specific node settings in the configuration file, you ensure that target domains are not resolved locally. Instead, the domain request is packaged and sent directly to the remote proxy server for resolution. This prevents the local ISP from seeing the accessed domains and avoids DNS pollution.
#DNS Issues
As an emerging client, what performance breakthroughs does Sing-box offer compared to V2ray-core and Xray-core?
Sing-box is written in Go and has been deeply optimized, resulting in significantly lower memory usage compared to traditional V2ray-core and Xray-core. Additionally, it natively integrates TUN mode, eliminating the complexity of configuring external transparent proxies. More importantly, Sing-box features a more modern and strict JSON configuration architecture and offers very rapid support for new protocols like Hysteria2, TUIC, and ShadowTLS, making it one of the best-performing proxy cores across all platforms.
#Sing-box#IP Purity#TUN Mode#Soft Router#Core Protocols
What pain point does the sniffer (traffic sniffing) feature in Clash Meta solve?
When applications (such as some games or apps using raw IP connections) do not send domain names but only pure IP requests, traditional domain-based routing rules fail. The sniffer can deeply inspect the initial data packets of outbound traffic (like TLS Client Hello or HTTP Host) and extract the real domain name (SNI). With the extracted domain name, Clash can re-match routing rules for precise split tunneling, thus solving routing errors caused by pure IP requests.
#Clash#Subscription Issues#DNS Issues#Routing & Split Tunneling#Gaming Acceleration
How do you configure Surge Mac's Gateway mode to provide internet access for the whole family?
On your local network, enable 'System Proxy' and 'Gateway' mode on the Mac running Surge, and note its local IP address. Then, access your home router's admin panel and set the default gateway and DNS server addresses in the DHCP settings to point to that Mac's IP. This way, all network traffic from devices on the local network (including TVs and game consoles) will first be processed by Surge, achieving clientless internet access for the entire household.
#Surge#Subscription Issues#DNS Issues#Routing & Split Tunneling#Gaming Acceleration#Apple Devices#Android/TV
How does the BoxJS plugin system in Quantumult X enhance the scripting experience?
BoxJS is essentially a data management environment running within Quantumult X (achieved by rewriting specific domains to redirect to a local interface). It allows users to configure and manage variables and parameters for various JavaScript scripts (like check-in scripts or panel scripts) through a graphical web interface, without needing to directly modify code or configuration files. This visual management significantly lowers the barrier to using advanced scripts.
#Other Issues
What conveniences does the clash_api compatibility layer in Sing-box provide?
Although Sing-box has its own independent configuration system, its core includes a built-in clash_api. This means users can start Sing-box while also enabling a control port (Restful API) similar to Clash. Consequently, users can utilize many third-party graphical panels developed based on the Clash API (such as Yacd or Metacubexd) to manage and monitor Sing-box's nodes and traffic policies, reducing the difficulty associated with the lack of a native GUI.
#Clash#Sing-box#IP Purity#Subscription Issues
What problem is the dns.fake-ip-filter in the Clash Meta configuration primarily designed to prevent?
In Fake-IP mode, Clash immediately returns a virtual IP (e.g., 198.18.0.1) to the client, saving the time of waiting for a real DNS resolution locally. However, certain applications (like STUN protocol, BitTorrent downloads, or LAN device discovery) strictly rely on real IPs to function correctly. dns.fake-ip-filter allows users to set a whitelist of domains. For domains on this list, Clash will perform a real DNS resolution instead of returning a Fake-IP, thus preventing connection failures for these applications.
#Clash#TUN Mode#DNS Issues#Core Protocols
What is the special significance of the 'Always On' VPN setting in Surge at the iOS system level?
When iOS is low on memory or the screen has been locked for a long time, the system may actively close background VPN processes to save battery. Enabling Surge's 'Always On' feature, combined with related settings, strongly signals the criticality of this process to the system, ensuring it stays resident in the background. This is crucial for users who need to continuously receive push notifications (like Telegram or WhatsApp) or run background scheduled scripts.
#Surge#Apple Devices
What are the differences between server_local and server_remote subscription parsing in the Quantumult X configuration file?
server_local is used for manually adding individual nodes, with the configuration saved in the local file. It's suitable for self-built nodes or occasional testing. server_remote is for node subscription links, supporting automatic periodic fetching of node lists from a remote server. It also supports adding icons via img-url and setting update intervals via update-interval. By combining regex filtering rules, users can filter out specific desired nodes from complex provider subscriptions.
#Subscription Issues#DNS Issues#Routing & Split Tunneling
How do you configure the Hysteria2 protocol in Sing-box to achieve acceleration in poor network conditions?
Hysteria2 is based on a modified QUIC protocol and uses a custom congestion control algorithm to aggressively utilize bandwidth. In Sing-box's outbound configuration, simply set the protocol type to hysteria2, fill in the server address and port, and configure the authentication password and obfuscation (obfs, like salamander obfuscation). On networks with high packet loss or ISP throttling, Hysteria2 can often achieve astonishing throughput far exceeding TCP-based protocols.
#Sing-box#Core Protocols
What performance advantages does the rule-providers mechanism in Clash Meta offer compared to the traditional method of writing rules directly?
Traditionally, writing hundreds or thousands of rules line by line into the configuration file causes Clash to start slowly and consume high memory. rule-providers allows loading rule lists from local or network sources and builds efficient Radix trees or hash tables in memory. This not only significantly speeds up traffic matching and lookup but also supports scheduled silent updates without interrupting the main program's operation.
#Clash#Subscription Issues#Routing & Split Tunneling
In TikTok operations, why is a 'Static Dedicated IP' a core element for maintaining account authority?
TikTok's risk control system is extremely sensitive to IP address changes. Frequently changing IPs or using shared dynamic IPs will cause the system to flag the account as being in an abnormal environment, easily triggering throttling, zero views, or even bans. A static dedicated IP ensures the consistency and purity of the network environment, making the system believe the account is a real, fixed-location regular user. This is a prerequisite for stable account nurturing and building authority.
#Streaming Unlock#Payments & Accounts
What is a "Residential ISP IP," and what is the core difference between it and a "Datacenter IP (Server IP)?"
A Residential ISP IP is an IP address assigned by a local Internet Service Provider (like Comcast or AT&T) to a real home broadband user. A Datacenter IP is an IP assigned by a cloud service provider (like AWS or Alibaba Cloud) to a server. The core difference lies in "trust level" (ASN attributes): Residential IPs are flagged as real users in target websites' databases and are extremely difficult to block. In contrast, Server IPs have strong commercial or proxy attributes, making them prone to CAPTCHAs, rate limiting, or outright access denial.
#Other Troubleshooting
Why do cross-border e-commerce professionals often get instantly banned when using a Datacenter IP to register on platforms like Amazon or Etsy?
Cross-border e-commerce platforms have top-tier anti-fraud systems (like Sift) that maintain massive IP reputation databases. The ASN (Autonomous System Number) of a Datacenter IP clearly belongs to a cloud provider, and real consumers typically don't use such IPs for shopping. When a platform detects a Datacenter IP being used for registration or critical operations, it flags the activity as high-risk—such as a bot, multi-accounting, or fraud—triggering an immediate ban.
#Payments & Accounts
What is the specific definition of a "Native IP" in the context of cross-border e-commerce network environments?
A Native IP is an IP where the registered location (Whois info), the operator's location, and the actual physical server location are all identical. For example, an IP registered in the U.S., belonging to a U.S. local operator, with the server also located in a U.S. data center. The opposite is a "Broadcast IP," such as a server in Japan but the IP's geolocation is broadcast as the U.S. Native IPs offer purer geographic data, enabling access to streaming or e-commerce services with extremely strict geo-verification.
#Streaming Unblocking#IP Purity#Gaming Acceleration
How do fingerprint browsers (like AdsPower, Hubstudio) prevent account association?
Browser fingerprints include User-Agent, screen resolution, Canvas rendering data, WebRTC, fonts, timezone, and language. Even with different proxy IPs, identical browser fingerprints allow platforms to determine multiple accounts belong to the same person. Fingerprint browsers modify and isolate these parameters at the kernel level, generating completely independent, non-replicable virtual browser environments for each account. This physically severs any connection between accounts.
#Other Troubleshooting
When operating TikTok, what network parameters do "spoofing detection" tools (like Whoer.net) typically focus on?
Spoofing detection primarily checks if a user's multi-dimensional data is consistent. Key focus areas include: 1) Whether the IP's country matches the system settings (language, timezone); 2) Whether WebRTC leaks a real local IP; 3) Whether the DNS region matches the proxy IP region; 4) Whether system-level proxies that could expose real identity are in use; 5) Even the hardware device's GPS location. Only when these parameters are highly unified can the spoofing score reach an ideal level.
#Streaming Unblocking#DNS Issues
What are the main business scenarios for cross-border e-commerce sellers to purchase "Dynamic Residential IPs"?
Compared to static dedicated IPs, dynamic residential IPs are billed by traffic and have a massive IP pool, changing IPs with each request or at fixed intervals. They are unsuitable for daily stable store operations but are perfect for large-scale scraping scenarios, such as: bulk crawling competitor pricing data, review manipulation, mass registration of basic accounts, or large-scale SEO rank tracking. Because the IPs constantly rotate and are all real home broadband connections, they perfectly bypass target websites' anti-scraping measures.
#Subscription Issues
When configuring a cross-border network, what is WebRTC leakage, and how can it be prevented?
WebRTC is a browser technology for real-time audio/video communication. However, a major security risk is its ability to bypass regular proxies and directly expose your real local IP, or even your real public IP, to target websites. Prevention methods include: installing a WebRTC blocking plugin in standard browsers; enabling the WebRTC proxy replacement feature in fingerprint browsers; or implementing traffic hijacking and forced proxy at the router level.
#Subscription Issues#DNS Issues#Routing & Split Tunneling
What is "IP Purity (IP Fraud Score)," and how should cross-border sellers test for it?
IP Purity, or IP Fraud Score, is a rating given by third-party security agencies (like Scamalytics, IPQualityScore) based on an IP's history of sending spam, participating in botnets, or engaging in fraudulent activity. A higher score means a "dirtier" IP. Before activating a new IP, cross-border sellers should use these tools to check its score. If flagged as high-risk, even a residential IP can lead to store bans.
#Other Troubleshooting
When dealing with TikTok bans (zero views), why is "environment isolation" and the "one device, one account, one IP" rule so important?
TikTok's client (especially on mobile) collects hardware identifiers (like IMEI, MAC address) and the app list. If one phone frequently switches between different country IPs to log into multiple accounts, the algorithm easily identifies this as marketing activity. Therefore, the safest approach is "one device (a clean, dedicated used phone or fingerprint environment), one account (single account), one IP (static dedicated local IP)." This creates physical and network-level isolation, fundamentally eliminating risk control triggers.
#Streaming Unblocking#Apple Devices#Payments & Accounts
Why is the "Dual ISP IP" highly regarded in the cross-border e-commerce community?
A Dual ISP IP means not only is the IP type identified as ISP (Residential), but its ASN provider is also recognized by authoritative databases as a major civilian broadband provider (like AT&T, Verizon). Some cloud providers might register a server IP as ISP, but the underlying ASN still reveals the cloud server identity (Single ISP). Dual ISP offers the highest level of trust, providing a significantly higher survival rate for operating on extremely strict platforms like Etsy.
#Other Troubleshooting
When building their own nodes, why do cross-border enterprises often abandon popular VPN subscriptions in favor of dedicated lines (IPLC/IEPL)?
VPN subscription IPs are highly shared, subject to heavy auditing and blocking, and risk sudden shutdowns or getting blocked by the GFW. This is unacceptable for enterprises relying on stable networks for overseas communication. IPLC (International Private Leased Circuit) is a physical cross-border intranet dedicated line that bypasses public firewall inspection, offering extremely low latency, zero packet loss, and high stability, ensuring enterprise-grade video conferencing and critical data transmission are foolproof.
#Dedicated Lines & Relays#Subscription Issues
When running ad campaigns on Amazon or Facebook, how does IP choice affect ad performance?
Ad platforms are highly sensitive to abnormal traffic. Using low-quality Datacenter IPs or frequently changing proxy IPs to log into the ad manager can lead the platform to suspect payment fraud, resulting in Business Manager (BM) bans or spending limits. Using a high-quality static residential IP that matches your company's registered address or personal billing address effectively avoids such risk controls, ensuring campaign continuity.
#Subscription Issues#Payments & Accounts
In cross-border e-commerce operations, is solving IP and browser fingerprint issues enough for "anti-association"?
Far from it. Beyond IP and browser fingerprints, deeper association factors include: registration details (duplicate company legal reps, addresses), payment info (same credit cards, receiving accounts), operational habits (e.g., bulk listing/unlisting at fixed times), and even uploaded image MD5 values and similar product descriptions. True anti-association is a systematic project requiring complete isolation across network, hardware, data, and operational behavior.
#Payments & Accounts
Besides IP purity, what is the most important network node requirement for TikTok live streaming e-commerce?
For live streaming, the most critical metric is "uplink bandwidth stability and low latency." Video streaming requires massive uplink throughput (typically needing a stable 5Mbps-10Mbps+). Any packet loss or jitter causes overseas viewers to see lag or audio-video desync, leading to audience loss. Therefore, TikTok live streaming almost always requires a cross-border dedicated line (like IPLC); standard broadband via a relay proxy is simply insufficient.
#Streaming Unblocking#Dedicated Lines & Relays
What are the pros and cons of a "Self-built VPS Dedicated Node" compared to purchasing "Static Residential IP Proxies" on the market?
The advantages of a self-built VPS dedicated node are lower cost, flexible configuration, and high bandwidth. The disadvantages are that the IP is almost 100% a datacenter IP (easily triggering e-commerce platform risk controls), requires self-maintenance of proxy protocols, and faces constant risk of IP blocking. Purchasing true static residential IP proxies is expensive with often limited bandwidth, but their extremely high IP trust level and ban-proof capability are unmatched by VPS, making them ideal for high-value e-commerce operations.
#Core Protocols#Payments & Accounts
When importing proxy IPs into a fingerprint browser, what are the security differences between supported protocols (HTTP, HTTPS, SOCKS5)?
HTTP proxies transmit data in plaintext, making them highly insecure. HTTPS proxies add TLS encryption, protecting data privacy during transmission. SOCKS5 proxies operate at a lower layer (session layer), supporting TCP and UDP with good performance, but they are typically unencrypted themselves (unless run within a tunnel). For cross-border business, to avoid ISP-level traffic hijacking, it's recommended to encrypt traffic within a low-level tunnel (like Clash, V2Ray) first, then map a local SOCKS5 proxy for the fingerprint browser to use.
#Clash#Subscription Issues#DNS Issues#Gaming Acceleration#Core Protocols
For professionals using WhatsApp for marketing, how is the risk of account bans directly related to the network environment?
WhatsApp's parent company, Meta, has extremely strict risk control. If an account's login IP frequently jumps between countries in a short period, or the IP range used has been blacklisted (due to heavy spam from that range), the system will immediately trigger an anomaly and ban the account. Furthermore, if the device isn't fully managed through a stable proxy and occasionally fails to connect directly to the domestic network, this is also recorded as high-risk network behavior by the risk control system.
#Routing & Split Tunneling#Payments & Accounts
What are "DNS Pollution" and "DNS Leakage," and how do they affect account security in cross-border e-commerce operations?
DNS Pollution is when the firewall blocks access to target websites by forging incorrect IPs (e.g., preventing you from opening Facebook). DNS Leakage is when your real domain query requests bypass the proxy and are obtained by your local ISP. For cross-border e-commerce, if a target platform's risk control system detects that your traffic comes from a U.S. IP, but your DNS resolution was performed by China Telecom, this creates a strong "feature conflict," easily leading to account association or demotion.
#Subscription Issues#DNS Issues#Payments & Accounts
When managing multiple cross-border e-commerce stores, what is the core logic behind using aggregated management tools like "Purple Spider Browser"?
Store management browsers like Purple Spider come with a massive pool of cloud-based static IPs and anti-association fingerprint environments. Their core logic is to provide sellers with a one-stop "fixed environment" service. Sellers don't need to set up complex nodes or configure underlying proxies themselves—the system automatically assigns clean, region-specific IPs and binds them to specific stores. Employees simply log into the tool to securely access each store in the cloud, preventing local network leaks and store associations caused by operational errors.
#Other Issues
Does "IPv6 Proxy" have a future in cross-border e-commerce risk control? What are its current limitations?
IPv6's address pool is virtually unlimited, theoretically allowing each account to have a completely exclusive, low-cost IP, greatly enhancing anti-risk capabilities. However, the limitation is that many global ISPs, cloud providers, and some e-commerce platforms still have incomplete IPv6 support, leading to compatibility issues. Additionally, the ecosystem for high-purity residential IPv6 proxies is not yet fully mature, and the market still relies primarily on IPv4 residential IPs.
#Payments & Accounts
When a TikTok account experiences "views stuck around 200 for a long time (the 200-view curse)," what network-level checks should be performed?
200 views usually mean the account has entered a low-weight pool. Network-level checks should include: 1) Whether the IP node is a shared datacenter IP, causing the account to be flagged as a marketing account; 2) Whether the IP's geographic location changes frequently, leading to location tag confusion; 3) Whether the device has removed the domestic SIM card or failed to clear the cache, causing location leaks; 4) Whether the disguise score on Whoer.net is below 100%. Only after ensuring the network environment is absolutely clean and stable should you optimize content quality.
#Streaming Unlock
Compared to "commercial proxy IPs," what irreplaceable advantages does "building a soft router on home broadband" have for foreign trade businesses?
If a foreign trade professional has relatives or friends in the target market (e.g., the US) who can help set up a soft router running a proxy server (like Wireguard or Xray) on their home broadband, they can obtain the most premium, authentic residential IP. This method is completely pollution-free, and its trust level far exceeds any commercially available "residential proxy" on the market (which may still be associated with gray-market activities). This is the most hardcore anti-ban measure for high-value stores.
#DNS Issues#Routing & Split Tunneling#Soft Router
When deploying a comprehensive network security solution for cross-border e-commerce enterprises, how should the "Zero Trust" architecture be applied?
The Zero Trust architecture requires "trusting no internal or external network." In a cross-border enterprise, employees must pass strict identity verification through a unified security gateway deployed by the company (such as Cloudflare Zero Trust or a self-built encrypted tunnel) before gaining access to proxy IP permissions for specific regions and store backends. This prevents environment leaks from unauthorized employee actions and protects the company's core assets through a unified, high-quality outbound IP.
X. Self-built Nodes, Security & Privacy, and Insider Info (Groups 153-200)
#Routing & Split Tunneling
What is the X-UI panel, and why is it so popular for building self-hosted nodes?
X-UI is a graphical proxy panel that supports multiple protocols. It supports protocols like Vmess, Vless, Trojan, and Shadowsocks, and allows you to manage traffic, limit ports, and set expiration times for multiple users from a single panel. Its popularity stems from its lightweight nature, minimalist web interface, one-click installation scripts, and rapid adoption of new technologies like XTLS, making it easy even for beginners to manage and build complex proxy nodes.
#Subscription Issues#Underlying Protocols
When building a self-hosted node, why is the VLESS+TCP+XTLS-Reality protocol combination recommended?
This is currently one of the best combinations for anti-blocking effectiveness and low latency. Reality technology eliminates the cumbersome steps of buying a domain and applying for a certificate required by traditional TLS configurations. It works by directly "borrowing" someone else's legitimate TLS certificate and domain (like those of major companies such as Microsoft or Apple) for camouflage. This not only reduces the chance of being detected by the firewall but also avoids the risk of your own domain being blocked, while XTLS provides excellent performance.
#Underlying Protocols#Apple Devices
What are the specific symptoms of a blocked camouflage domain (DNS pollution or SNI blocking), and how should it be resolved?
Symptoms usually include the node IP being pingable but the proxy software unable to connect, or directly accessing the camouflage domain showing a connection reset. If it's DNS pollution, try changing the node's IP or domain. If it's SNI blocking, the firewall has identified the SNI information during the TLS handshake. The most effective solution is to switch to an unblocked camouflage domain or upgrade directly to the Reality protocol to abandon the use of a real domain.
#DNS Issues#Underlying Protocols
When encountering a VPS port block or TCP block, how should you troubleshoot and respond?
For troubleshooting, use webmaster tools or multi-location ping tests to check if the IP is alive. If the IP is normal but a specific port (e.g., 443) is unreachable, it's usually a port block. In this case, modify the port to a new random one in the panel to restore functionality. If it's a TCP block (TCP unreachable but UDP works), you can use Cloudflare CDN for proxy forwarding or switch to a VPS provider that offers dynamic IP unblocking.
#Gaming Acceleration
Why does the speed of a self-hosted node slow down after being proxied through Cloudflare CDN?
Cloudflare's free CDN nodes are unevenly distributed globally. The free routing to mainland China is often poor, sometimes even routing through Europe or the US. Although the CDN can hide the real IP and salvage a blocked VPS, the traffic passes through Cloudflare's nodes, increasing the number of network hops and latency, leading to a significant drop in direct connection speed. During peak evening hours, congestion on CDN nodes makes the slowdown even more noticeable.
#Dedicated Transit#Routing & Split Tunneling
How can you use "Cloudflare Preferred IP" to improve the speed of a CDN-proxied node?
Preferred IP involves running a speed test script locally to scan for Cloudflare edge node IPs with the lowest latency and packet loss in your current network environment. You then enter these high-quality IPs (or preferred domains) into the "Address" field of your proxy client, while keeping the camouflage domain/SNI unchanged. This way, traffic is sent directly to the fastest CF node, significantly improving connection speed and stability.
#Subscription Issues
What is the principle behind BBR acceleration on a VPS, and can it really improve the speed of circumventing the firewall?
BBR (Bottleneck Bandwidth and Round-trip propagation time) is a TCP congestion control algorithm developed by Google. Traditional TCP drastically reduces its sending speed when encountering minor network packet loss. BBR, however, adjusts its sending window by calculating bandwidth and latency in real-time, maintaining high throughput even on international networks with higher packet loss rates. Enabling BBR usually significantly improves loading speeds and video streaming smoothness when using proxies.
#Other Issues
When choosing a VPS for a self-hosted node, what are the differences between lines like CN2 GIA, 9929, and CMIN2?
These are premium high-quality lines from major carriers. CN2 GIA is China Telecom's premium network, offering low latency and stability without congestion for outbound traffic. AS9929 (China Unicom A-Net) is Unicom's premium cross-border line with relatively ample bandwidth, often called the "Unicom version of GIA." CMIN2 (AS58807) is China Mobile's latest premium outbound network. VPSs using these lines for hosting websites or nodes have speeds far superior to standard backbone networks during peak evening hours.
#Dedicated Transit
What is streaming unlock (e.g., Netflix, Disney+), and how can it be achieved with a self-hosted node?
Streaming platforms block IP ranges from datacenters (VPS), only allowing viewing from local residential or native IPs. If a VPS's IP is identified as a datacenter IP, you may only see original content or be denied access. To achieve unlocking with a self-hosted node, you typically need to configure a DNS unlock service (like using Warp) or use a chain proxy (chain forwarding) to route traffic through a low-spec VPS or home broadband with a clean, native IP.
#Streaming Unlock#IP Purity#Subscription Issues#DNS Issues
After installing the X-UI panel, how do you ensure the panel's security and prevent malicious scanning?
First, don't use default ports like 54321; change them to high random ports. Second, you must change the default admin username and password, using strong passwords. Third, you can modify the panel's URL root path in the settings (add a complex string), so even if someone scans the port, they won't see the login page without knowing the correct URL path. Finally, use a firewall (like UFW) to restrict panel port access to specific IPs only.
#Other Issues
When using a WebSocket (WS) + TLS configuration for a node, what role does the Nginx reverse proxy play?
Nginx handles all HTTP/HTTPS requests on port 443. If it's a regular web page request, Nginx returns a normal camouflage webpage to handle active probing. If it's a WebSocket proxy request with a specific path, Nginx internally forwards it to the backend X-UI or V2ray listening port. This perfectly hides the proxy characteristics, making the traffic look like a normal HTTPS website visit.
#Subscription Issues
What does it mean when a self-hosted node's VPS has bidirectional traffic billing?
Most VPS providers count both inbound (traffic uploaded to the VPS) and outbound (traffic downloaded from the VPS) traffic. When you watch a video, the video data is first downloaded to the VPS (counted once), and then sent from the VPS to your phone (counted a second time). Therefore, 1GB of video actually consumes about 2GB of your VPS traffic quota. You must consider this when purchasing a VPS with a limited traffic plan.
#Subscription Issues
If a VPS's IP is unfortunately blocked by the firewall (completely blackholed), are there other ways to save it besides using a CDN?
If the provider allows it, the most direct method is to pay for or get a free IP change (e.g., BandwagonHost, Vultr). If you don't want to change the IP, you can buy a cheap, unblocked lightweight cloud server in mainland China or Hong Kong and use a tunnel (like Gost, Iptables) for domestic relay. Additionally, you can try using IPv6 (if your local broadband supports it and the firewall hasn't blocked that IPv6), as the firewall's restrictions on IPv6 are sometimes less strict.
#Dedicated Transit
What are IPLC and IEPL dedicated lines? Can self-hosted nodes purchase these lines?
IPLC (International Private Leased Circuit) and IEPL (International Ethernet Private Line) are cross-border private network lines that physically bypass the firewall (GFW). They offer extremely low latency and are immune to blocking. The cost of a true dedicated line is extremely high (billed by Mbps, very expensive), making it difficult for average users to afford dedicated bandwidth. The so-called "dedicated line VPS" available to individuals on the market is usually a NAT (shared IP and port) relay service offered on a shared hosting basis.
#Dedicated Transit#Gaming Acceleration
What's the trick to choosing a target website (Dest) when using the Reality protocol?
The target website must support TLS 1.3 and H2, and ideally, it should be a domain without complex CDN or firewall defenses. We recommend using well-known domains from major companies (like certain subdomains of Apple, Microsoft, or Amazon) that are located in the same region as your VPS. Absolutely avoid domains that are already blocked in mainland China, or domains that use CDNs like Cloudflare to forcibly block unknown SNIs—otherwise, the handshake will fail.
#Core Protocols#Apple Devices
Why does a TLS handshake sometimes fail due to a 'time inconsistency' when connecting to a self-built node?
Protocols like Vmess, ShadowsocksAEAD, Trojan, and various TLS-based protocols have very strict time verification. If the system time on your VPS server differs from your local device by more than 1 minute (sometimes 90 seconds), the anti-replay attack mechanism of encrypted communication will flag the connection as invalid. The fix is to use an NTP service to sync the time on both your VPS and local device, ensuring the time zone and time are exactly the same.
#Core Protocols
What's the difference between a 'native IP' and a 'broadcast IP' that VPS providers often talk about?
A native IP (local IP) means the IP's registered country/region matches the physical location of the VPS server. This type of IP is a huge advantage for streaming media unlocking and local service registrations. A broadcast IP (non-native IP), on the other hand, is an IP address originally registered in Country A but announced to a data center in Country B via BGP routing. While it's physically in Country B, many IP databases still think it's in Country A, making it impossible to unlock Country B's streaming services.
#Streaming Unblocking#IP Purity
What are the pros and cons of deploying a proxy node in a Docker container on a VPS?
The pros are environment isolation and incredibly easy deployment—a single docker-compose command can spin up all your services, and upgrades or migrations are a breeze without messing up the VPS's main system environment. The cons are a slight increase in system overhead and memory usage. Plus, for beginners unfamiliar with Docker network port mapping and IPv6 configuration, troubleshooting network issues can be much more difficult than with a direct installation.
#Other Troubleshooting
What is Shadowsocks-2022, and how is it different from traditional SS?
SS-2022 is a major upgrade to the Shadowsocks protocol. Compared to traditional SS, it introduces a completely new AEAD-based encryption mechanism, thoroughly fixing previous replay attack vulnerabilities and active probing risks. It also supports multi-user on a single port, significantly boosting its anti-censorship capabilities. While it's extremely secure, because the protocol is newer, the range of supported clients and panels isn't as broad as the older version yet.
#Core Protocols
How should I configure my self-built node to prevent it from being used as a BT download relay and avoid getting my VPS banned by the provider?
Many VPS providers (especially those in copyright-strict regions like the US and Europe) strictly prohibit the abuse of BT/PT for downloading pirated content. To prevent proxy users—or yourself—from accidentally triggering BT downloads and getting your VPS banned (or receiving a DMCA complaint), you must explicitly add blocking rules in the X-UI panel or V2ray config file's Routing settings to directly block all traffic related to BT, BitTorrent, and Trackers.
#Subscription Issues#Routing & Split Tunneling
Why is the Hysteria2 protocol so fast, and what are its downsides?
Hysteria2 is based on a custom QUIC (UDP) protocol. It uses an aggressive congestion control algorithm that aggressively grabs network bandwidth, allowing it to 'brute-force' max out speeds even on terrible networks. The downside is that many ISPs (like Great Wall Broadband or some regional China Telecom networks) will QoS throttle or even outright block sustained high-volume UDP traffic. Furthermore, this overly aggressive bandwidth-grabbing behavior is often called 'unsportsmanlike' and can negatively impact the experience of other users on the same host machine.
#Subscription Issues#Gaming Acceleration#Core Protocols
What is a DNS leak, and how can self-built node users prevent it?
A DNS leak happens when, while using a proxy, your DNS requests for foreign domains are sent directly to your local ISP's DNS server instead of through the proxy tunnel to a foreign DNS server. This lets your ISP see which websites you're visiting and can return poisoned IPs. To prevent leaks, you must configure remote DNS resolution in your client (like Clash or V2rayN) or enable TUN virtual network card mode to take over all DNS requests.
#Clash#v2rayN#TUN Mode#DNS Issues
Do I need to file for ICP filing for a self-built node? Is the risk of getting caught high?
Buying an overseas VPS for personal use (not providing it to others, not for profit) is generally in a gray area. Technically, the GFW will only block your IP, and it's extremely rare for someone to face legal consequences purely for personal self-built use. However, if you set up a relay on a domestic cloud provider (like Alibaba Cloud's mainland China data centers), you must have an ICP filing for your domain; otherwise, you can't use ports 80/443. Plus, domestic data centers have real-name systems and strict traffic auditing, making it very easy to get flagged. We strongly advise against building a proxy exit node on a domestic server.
#Dedicated Lines & Relays#Subscription Issues
How can I monitor my VPS's running status and traffic usage to avoid exceeding the monthly limit?
You can install monitoring tools (like ServerStatus or Nezha Probe) to monitor CPU, memory, and network traffic in real-time. For simpler needs, just use the `vnstat` command in the Linux terminal to check daily and monthly network interface traffic. Additionally, most mainstream VPS control panels also provide traffic charts. It's wise to set up reasonable alert thresholds to avoid being charged hefty overage fees or having your service suspended.
#Subscription Issues#TUN Mode
What does it mean when a 'VPN service provider exits' (run away), and what are the common warning signs?
A provider 'exiting' means they suddenly shut down their website, stop service, and disappear with users' money. Common warning signs include: running extremely aggressive promotions (like 90% off annual plans or 'heirloom' packages), suddenly canceling monthly subscriptions to only offer annual plans, customer service going silent for long periods or the official TG group being muted, widespread node timeouts left unfixed for days, and frequent domain changes without any announcement. If you see these signs, do not renew your subscription.
#Connection Issues#Subscription Issues
How do VPN service providers defend against DDoS attacks from competitors or hackers?
DDoS attacks are extremely common in this industry. Defense methods include: shielding the main website behind Cloudflare's premium tier for traffic scrubbing; using high-protection IPs or Anycast technology on the node side to distribute attack traffic; adopting a dynamic IP architecture to quickly abandon and replace node IPs under attack; and hiding the backend server's real IP by routing all traffic through a jump box (like a cheap NAT VPS) to prevent the main server from going down.
#Subscription Issues#Gaming Acceleration
What kind of scams are common when buying accounts or nodes in Telegram groups?
Telegram is an anonymous platform where funds are nearly impossible to recover. Common scams include: fake customer service from well-known providers DMing you to ask for a transfer; elaborate scams involving fake 'escrow' bots; selling cheap 'lifetime' services or 'heirloom' VPSs and blocking you after payment; and sending cracked proxy software (like a so-called 'premium' version of Clash) that contains malware to steal your computer passwords and crypto wallets.
#Clash
What does it mean when a VPN service uses audit rules? Why do they restrict access to certain websites?
Audit rules are firewall rules set by the service provider on their server. They restrict access to BT downloads, high-traffic speed test nodes, or dark web forums mainly to prevent their VPS from getting a DMCA copyright complaint and being shut down by the data center, or to prevent a few users from hogging all the bandwidth. Additionally, some providers block extremely political or scam websites to reduce the risk of being targeted by cyber police.
#Subscription Issues#Routing & Split Tunneling
What is 'being invited for tea by the cops', and what is the real probability and reason for an average VPN user getting caught?
'Being invited for tea' is internet slang for being summoned by the police for questioning. The probability of an average user being specifically targeted and arrested just for browsing foreign news or entertainment is extremely low. The real reasons people get caught are usually: posting radical, real-name comments on foreign platforms; using a VPN for cross-border gambling or fraud; using a domestic real-name payment tool to buy software that's already under surveillance; or downloading violent, terrorist, or severely prohibited content that triggers local anti-fraud monitoring.
#Payments & Accounts
Is it safe to use Alipay or WeChat Pay when buying a VPN service?
There is some risk. Domestic payment tools are strictly tied to your real identity. Reputable providers usually use a third-party payment platform or a card issuing website to isolate the money flow, so your bill will typically show 'purchase of virtual goods'. However, if the provider gets caught, the police can trace the payment flow through the third-party platform back to the real identities of all payers. That said, the police generally target the profitable providers, not the thousands of individual buyers.
#Payments & Accounts
For ultimate privacy, what's the best payment method for buying a VPN service or VPS?
The best method is using cryptocurrency (like USDT or Monero). Mainstream crypto transfers don't require real-name verification, completely severing the direct link between your money flow and real identity. Although USDT (TRC20) transactions are public on the blockchain, as long as your wallet address isn't linked to a real-name account on a domestic exchange, and the provider accepts crypto payments, you can achieve maximum purchase anonymity.
#Payments & Accounts
Why are many free VPNs or 'one-click proxy tools' actually very dangerous?
There's no such thing as a free lunch. Many free VPNs not only stuff your device with aggressive adware, but more dangerously, they collect and sell your browsing history, device fingerprints, and even passwords (because many free VPNs don't encrypt properly or have certificate issues). Even worse, some free apps are widely suspected of being honeypots, specifically designed to collect user logs for authorities.
#Other Troubleshooting
What is a 'honeypot VPN service', and how can I avoid falling into this trap?
A honeypot service is a proxy service secretly set up or taken over by authorities or malicious entities to monitor user behavior and collect personal information on those who express sensitive opinions. How to avoid them: don't use completely free, unknown services that claim they'll 'never charge'; be wary of services that force you to bind a domestic phone number to register; and always check reputable speed test channels or forums for historical reviews and reputation.
#Other Troubleshooting
Can so-called 'dedicated line' VPN services really prevent GFW blocking?
Yes. Real dedicated line services (like IPLC/IEPL) route their cross-border traffic through a physical private line, bypassing the GFW's inspection entirely before connecting to the public internet. Since the traffic doesn't go through the firewall, the GFW simply cannot detect or block its protocol characteristics. This is why, during annual 'sensitive periods' when regular public network services go down en masse, dedicated line services often remain completely unaffected.
#Dedicated Lines & Relays#Subscription Issues#Core Protocols
If I use a VPN on my company's internal network, can the IT department or my boss see what websites I visit?
If you're using a legitimate proxy client (like Clash in global or system proxy mode) on your personal computer, your traffic is encrypted and routed to the proxy server. Your company's web management devices (like Sangfor) can only see that you're exchanging large amounts of encrypted data with an overseas IP, but they cannot decrypt and view the actual web content. However, if your company has forced you to install a root certificate on your computer, then all HTTPS traffic can be decrypted and monitored.
#Clash#Subscription Issues#Routing & Split Tunneling
Since the traffic is encrypted, why does my ISP still call to warn me about visiting illegal overseas websites?
This is usually due to DNS leaks or visiting unencrypted HTTP websites. Additionally, even with encrypted content, firewalls and ISPs can still see the target domain you're visiting via SNI (Server Name Indication). More commonly, you may have installed the National Anti-Fraud Center app, or your device is connected to a traffic-sniffing device deployed in your residential area or workplace, triggering local keyword alert policies.
#Subscription Issues#DNS Issues
If I suspect my VPN provider is about to exit scam and I still have a balance left, what should I do?
In the vast majority of cases, that money is gone for good. Don't fall for scammers in Telegram groups claiming to be 'insiders' who can help you get a refund — that's a secondary scam. The only thing you can do is immediately stop using that provider's client (to prevent them from pushing malicious config files) and purchase a new subscription from a safe source. Consider it a tuition fee, and stick to monthly or quarterly plans going forward.
#Other Issues
What happens if my VPN provider's 'one-click subscribe' link gets leaked accidentally?
Your subscription link is essentially your account password. Anyone with that link can import it into their client and use your data plan without limits. Once leaked, your traffic will be drained quickly, and simultaneous connections from multiple locations may trigger the provider's anti-abuse system, leading to a permanent ban. If you discover a leak, immediately log into your provider's website and click the 'Reset Subscription Link' button.
#Subscription Issues#Payment & Account
Why can't I fully trust the 'speed tests' and 'benchmarks' from some review channels?
Many speed test channels have financial incentives (so-called 'affiliate commissions'). Speed test results can be faked by testing in optimal network conditions during off-peak hours, or providers may give VIP priority (QoS boosting) to the IP addresses used by test machines. Therefore, speed tests should only be used as a reference — they don't represent your real-world experience in your region, with your ISP, during peak evening hours.
#Other Issues
What are the security risks of using a +86 (Chinese) phone number to register for overseas services like Telegram or Twitter?
Using a +86 number means you're registering with real-name identification. When you post comments or join groups on overseas platforms, your account is strongly tied to your real identity in databases. Some platforms may have API vulnerabilities or insider threats that allow your phone number to be reverse-looked up. Additionally, domestic carriers can intercept SMS verification codes, and in extreme cases, cooperate with investigations to directly reset your account password.
#Other Issues
Facing high-intensity traffic analysis (DPI), which proxy protocol currently offers the highest security?
Currently, the most secure protocols are XTLS based on Reality and Shadowsocks-2022. They not only provide full encryption but also mimic normal HTTPS random traffic patterns, making them nearly impossible to identify through traditional packet length or entropy analysis. Additionally, Reality avoids active probing and SNI blocking by not using a real domain name.
#Subscription Issues#Core Protocols
Why do VPN providers always warn against using domestic software like 360, Xunlei, or QQ through the proxy?
Many domestic software have background scanning and reporting mechanisms. Xunlei not only secretly uses P2P uploads in the background, draining your bandwidth, but may also leak your proxy IP. 360 Antivirus and browsers may upload the URLs you visit or your node IP to their cloud sandbox for analysis, which is essentially reporting that node's IP to monitoring systems. It's strongly recommended to use a clean system or run these domestic apps in a virtual machine.
#Other Issues
What is a 'front proxy' or 'chain proxy'? How does it help with security?
Chain proxy means connecting multiple nodes in series. For example, traffic first goes to a domestic node A, which then forwards it to an overseas node B. To your ISP, it only looks like you're connecting to node A domestically. To overseas websites, the request appears to come from node B. This not only effectively hides your real IP (even if node B is compromised) but also improves cross-border connectivity by using a high-quality domestic entry point (node A).
#Subscription Issues
Some VPN providers offer 'enterprise customized clients'. Are they safe?
Most are not safe. Many customized clients are repackaged versions of old open-source software, containing potential vulnerabilities and possibly backdoors planted by the provider to lock your homepage, inject ads, or even monitor your clipboard. The safest approach is always to download the official open-source client (like Clash Verge Rev, v2rayN, or Shadowrocket) and manually import your nodes via the subscription link.
#Clash#v2rayN#Shadowrocket#Subscription Issues
How can I tell if my Telegram account is already compromised?
Warning signs include: frequently receiving login alerts from unknown devices or IPs in different locations; finding yourself added to spam groups you never joined; or suddenly receiving a flood of overseas verification code SMS messages. If this happens, immediately enable two-factor authentication (2FA) in Telegram settings, force-logout all unrecognized active sessions under 'Devices', and if necessary, change your linked phone number to an overseas virtual number.
#Other Issues
After a VPN provider exits scams, what happens to my personal information (email, password)?
Unscrupulous providers often package and sell the entire user database to other cybercriminal groups. This means your registered email, plaintext password (many providers' encryption is essentially useless), and even payment records can be leaked. Hackers will use this data for credential stuffing attacks, trying to log into your other important accounts. Therefore, never use the same password for your VPN provider as your primary email. Use a temporary email or a dedicated random password.
#Other Issues
Why do WeChat or domestic website images load slowly when my proxy is on?
This is usually because your proxy's routing rules (split tunneling) aren't configured correctly. If 'Global Mode' is enabled, traffic to domestic sites like WeChat or Baidu is routed through an overseas node and back, causing high latency. The correct approach is to use PAC mode or Clash's 'Rule' mode, so domestic traffic goes direct and overseas traffic goes through the proxy, keeping them separate.
#Clash#Subscription Issues#Routing & Split Tunneling
For complete beginners, what are the three most important tips for safe internet access?
First, always pay monthly for your VPN subscription and resist any long-term plan temptations. Second, use randomly generated strong passwords for registration, never reuse the same password across platforms, and only use official clients for your email and proxy. Third, keep your mouth shut — 'look but don't post' outside the firewall. Avoid any radical political discussions, stay away from the dark web and illegal content, and maintain a low profile to stay safe.
#Subscription Issues
🔧
Advanced VPN Debugging & Expert Setup
What is MTU (Maximum Transmission Unit) and why does it cause VPN slowdowns?
MTU defines the largest packet size that can be transmitted over your network. When you use a VPN (especially protocols like WireGuard or OpenVPN), the encryption adds extra bytes to the header. If the total packet size exceeds your ISP's MTU limit (usually 1500), the router must fragment the packet into smaller pieces, which drastically slows down connection speed and causes packet loss. Lowering the MTU in your VPN client settings (e.g., to 1420 or 1280 for WireGuard) often instantly fixes severe lag and webpage freezing.
#Core Protocols#Connection Issues#Speed Optimization
How do I fix severe bufferbloat while gaming on a VPN?
Bufferbloat occurs when your router's buffers fill up with large downloads (like streaming or torrenting), causing massive ping spikes for small gaming packets. To fix this while on a VPN, you must enable Smart Queue Management (SQM) on your router (like fq_codel or CAKE algorithms). Limit your total bandwidth in SQM settings to 90% of your maximum connection speed to ensure the buffers never overflow, guaranteeing low ping even when others are downloading.
#Gaming Acceleration#Soft Router#Speed Optimization
My Kill Switch failed, and my IP leaked. How does a strict system-level Kill Switch work?
A basic application-level kill switch merely monitors the VPN connection state; if it detects a drop, it blocks traffic. This is slow and prone to race conditions. A strict system-level Kill Switch modifies the operating system's firewall rules (like Windows Defender Firewall or macOS pf) to explicitly DENY all outgoing traffic unless it is directed to the specific IP address of the VPN server. This guarantees 100% no-leak security, even if the VPN app crashes.
#Connection Issues#IP Purity#Security & Leaks
Why does my VPN connection fail when using strict corporate firewalls (DPI), and how can I bypass it?
Deep Packet Inspection (DPI) analyzes the structure of your data packets. Standard OpenVPN or WireGuard handshakes are easily recognizable. To bypass DPI, you must use obfuscation protocols (like Shadowsocks-2022, XTLS Reality, or Stunnel). These wrap your VPN traffic to look exactly like standard HTTPS (web browsing) or completely randomized noise, making it impossible for the firewall to classify and block.
#Core Protocols#Connection Issues#Security & Leaks
How do I configure OpenWrt for transparent proxying with specific device bypass (Policy Routing)?
In OpenWrt with plugins like Passwall or OpenClash, transparent proxying sends all LAN traffic to the VPN. To bypass specific devices (like Smart TVs that block foreign IPs), go to the 'Access Control' or 'Routing' tab. Find the MAC address or local IP (e.g., 192.168.1.50) of the device, and set its proxy mode to 'Direct' (No Proxy). This ensures the TV connects to the local internet while your PC remains encrypted.
#Soft Router#Routing & Split Tunneling#Android/TV
Why is my VPN blocked on public hotel/airport Wi-Fi before I even log in to their captive portal?
Captive portals (the login pages for public Wi-Fi) use DNS hijacking to redirect your browser. If your VPN is set to 'Always-on' or has an aggressive Kill Switch, it blocks this DNS hijack, preventing the login page from loading. You must temporarily disable the VPN or Kill Switch, connect to the Wi-Fi, accept the terms on the captive portal, and then turn the VPN back on.
#Connection Issues#DNS Issues#Security & Leaks
What is the difference between TCP and UDP for VPN connections?
TCP guarantees packet delivery and order, making it highly reliable but slower (prone to high latency on bad connections). UDP fires packets without waiting for confirmation, making it blazing fast and ideal for streaming and gaming. Most modern VPNs (like WireGuard) use UDP exclusively. If your network restricts UDP, OpenVPN allows fallback to TCP over port 443, which mimics standard HTTPS traffic.
#Core Protocols#Gaming Acceleration#Speed Optimization
Why does my browser leak my real time zone and language, revealing my location even with a native IP?
A VPN only masks your IP address. Websites execute JavaScript to query your browser's internal APIs, revealing your system time zone (e.g., UTC+8), default language (zh-CN), and screen resolution. To prevent this, use anti-detect browsers, extensions like 'Timezone Spoofer', or brave/Tor browser to normalize your fingerprint to match your VPN's server location.
#IP Purity#Security & Leaks#Streaming Unblocking
How can I verify if my VPN is actually using ChaCha20-Poly1305 vs AES-256-GCM encryption?
On mobile devices (like older Androids without hardware AES acceleration), ChaCha20 is up to 3x faster and saves battery. You can check the active cipher in your VPN client's connection logs (e.g., OpenVPN logs will explicitly state the cipher negotiated during the handshake). If you have a modern PC/Mac, AES-256-GCM is preferred due to dedicated hardware decoding chips (AES-NI).
#Core Protocols#Speed Optimization#Apple Devices
What is a 'Double VPN' (Multi-Hop) and when is it necessary?
A Double VPN chains your connection through two separate servers in different countries (e.g., PC -> Switzerland -> Iceland -> Internet). It encrypts your data twice. It is necessary only for journalists, whistleblowers, or activists who need extreme anonymity to protect against server seizures. It is NOT recommended for general streaming or gaming, as it doubles your latency and halves your speed.
#Dedicated Transit#Security & Leaks#Core Protocols
No matching questions found
Try switching to another tab, or contact our live support.