Guide library
Step-by-step across the whole stack — from panel setup to sales.
What a commercial VPN really is in 2026, and why run your own
Not about "anonymity online" but about infrastructure you own and run yourself. How your own service differs from a subscription to someone else's, and why you'd get into this at all.
How a VPN tunnel works under the hood
What physically happens when a client "connects to the VPN." Encapsulation, encryption, exit point — plainly, but without lying.
Protocols overview: who, what, and when to pick
A map of transports without the fanaticism. How VLESS-Reality differs from XHTTP and Hysteria2, what survives inspection in 2026, and which combo to run by default.
How internet censorship works: DPI, TSPU, blocking
Not a "list of banned sites" but how inspection actually catches traffic in 2026. Signatures, JA3, active probing, and behavioral analysis — the mechanics of the adversary.
How to choose a server and location
Where to get a VPS for nodes and the panel, why the exit is only abroad, how not to buy a dirty IP, and why to spread nodes across different ASNs.
Start checklist: what you need before your first server
Practical checks before you install the panel. DNS, IP whiteness, basic host hardening, firewall — commands that catch problems at the start rather than in production.
The economics of a VPN service: where the margin comes from
Per-client cost, where the profit lives, and what kills it. Not "how to get rich" but how to do the unit math and not run at a loss on autopilot.
Glossary: VLESS, Reality, SNI, DPI, node, inbound in plain words
The terms that show up in every article, explained like a human. Come back here whenever you hit an unfamiliar word in a config.
Remnawave or 3x-ui: which panel to choose
Two panels for your own VPN — heavy node orchestration versus a light single server. How they differ in architecture, entry barrier, scale, and convenience, and which to take for which job.
The panel in 15 minutes: Remnawave and your first subscription
Install the panel on a clean server, hook up a domain, issue your first client. No magic, no extra fuss.
What Remnawave is and why you need a panel at all
Why without a panel you're not a service but a pile of hand-written configs. What Remnawave does, which containers it's made of, and how the profile→inbound→host→squad chain is wired.
Nodes and subscriptions: how the panel hands out access
How the panel pushes config to a node, what a subscription really is, and why one URL serves both a page and a config. The mechanics of handing out access, no commands.
Connecting a node and issuing your first subscription
Step by step: register a node in the panel, install the agent on the server, assemble the profile→inbound→host→squad chain, and issue a live subscription. With a hands-on check.
Branding the subscription page for your service
How to make the subscription page the face of your service: your own domain and path, logo, colors, "add to app" buttons, QR, and a privacy flag that hides the raw key.
Hosts and inbounds: how the panel assembles the client's link
What a host really is, how it differs from an inbound, and why the fingerprint lives on the host and not in the node's config. The mechanics of building the client link.
Configuring hosts: assembling a working link
Step by step: generate Reality keys, drop the inbound into the profile, create a host with the right fingerprint, and hand it to the client. Plus one node serving three transports at once.
Backing up and updating the panel without downtime
A dump of the Remnawave database, an auto-backup on cron with off-server export, a tested restore, and monitoring that catches a node going down before clients do.
Panel admin: roles, access, password reset
Extending Remnawave management: a Telegram bot and a web panel with roles, 2FA, and anti-abuse. API token, access rights, and login recovery via CLI straight into the database.
Limits, terms, and traffic reset for users
How to count the GB limit only on expensive nodes via the usage coefficient, make circumvention routes unlimited, and paint "pretty numbers" in the offer with the ×10 trick.
Installing 3x-ui in 10 minutes
Install 3x-ui in one command on a clean server, grab the random login-password-port-path, and log into the panel. What the installer does and where it puts everything.
3x-ui: panel settings and hardening
Out of the box the panel is open on bare HTTP to the whole internet. We close it: secret path, TLS on the panel, port change, IP access restriction, fail2ban, and Telegram login alerts.
3x-ui: clients and the subscription link
Create a client the right way — only through the UI (otherwise the panel wipes it from the config), set limits and expiry, turn on the subscription service, and hand a person one link for all their servers.
What Reality is and why it keeps a node alive
A marketing-free breakdown of how Reality hides a VPN inside someone else's TLS handshake, and why it's the one that survived Russian DPI where everything else dies.
VLESS + Reality: a config that doesn't get spotted
We break Reality down bone by bone and assemble a masquerade of someone else's TLS. Every parameter comes with an explanation of why it's there.
Vision (xtls-rprx-vision): why you need flow
Why Reality alone isn't enough and what flow Vision actually does — how it removes double encryption and breaks the packet-length analysis that DPI uses to finish off obfuscated traffic.
VLESS + TLS: a basic working config
Honest TLS on your own domain and certificate — a simple config that plays nice with CDNs and can fall back to a real site. A working profile plus issuing the cert.
XHTTP transport: when and why
What the XHTTP transport is (formerly SplitHTTP), how it's better than WebSocket, why it in particular passes behind a CDN, and when to pull it from reserve instead of TCP-Reality.
Setting up XHTTP over Reality
A working XHTTP inbound in two wrappings — direct with donor Reality, and behind a CDN with honest TLS. Keys, path, mode settings, and what to enter on the host.
VLESS gRPC: config and when to fall back to it
gRPC over Reality — HTTP/2 multiplexing, good as a hidden fallback in auto-select. A working profile, a selfsteal variant, and an honest word about its deprecated status in xray 26.
Hysteria2 and QUIC: upsides and gotchas
Why Hysteria2 flies where TCP dies, what aggressive BBR over QUIC/UDP buys you, and where the catch is — from providers that cut UDP to the subtlety of traffic accounting in the panel.
Hysteria2: standing it up and wiring it to the panel
The full Hysteria2 path in Remnawave — a cert via Certbot in Docker, mounting it into the node container, the config profile, cert auto-renewal, and the mandatory core swap for traffic accounting.
Choosing an SNI and a donor: how not to blow your cover
A donor is someone else's site your node hides behind. I break down which donor works, which one kills stealth, why you can't use one SNI on all nodes, and what the "SNI ≠ IP owner" mismatch is.
Inbounds: assembling protocol configs by hand
Every connection method is a combination of protocol, transport, and security. We break down the config-profile skeleton, how to change only the lines you need, and how to wire profile → node → Host → squad.
Selfsteal: how a node pretends to be an ordinary website
Reality's maximum stealth — the node masquerades as its own real site on the same IP. I break down how selfsteal removes the SNI ≠ IP mismatch and why an active probe lands on a real page.
Selfsteal + nginx: step by step
Building maximum stealth by hand — a decoy site on nginx via a unix socket with PROXY protocol, a cert for your own domain, an inbound per the official Remnawave template, and a stealth check.
MTProto proxy: a cheap bonus to the service
A Telegram-native proxy on a cheap VPS — a backup entry into the messenger and a funnel entry point. Two variants: the official one with a sponsor tag and mtg v2 with FakeTLS. Honest about the fact that MTProto is no longer a silver bullet.
Naive and AmneziaWG: alternative protocols
Two strong non-Xray fallbacks — NaiveProxy camouflaged as ordinary Chrome browsing via Caddy, and AmneziaWG, obfuscated WireGuard. When to reach for them and how to stand them up.
3x-ui: VLESS + Reality step by step
Building VLESS+Reality in the 3x-ui interface — the Security tab, auto-generated keys, choosing a live donor, and the Vision flow. With an important warning about the donor that breaks Reality on Xray 26.
3x-ui: XHTTP over Reality
Building an XHTTP inbound in 3x-ui — the Transmission tab with network=xhttp, path and the mode setting, on top of Reality stealth. Plus the XHTTP+TLS variant for fronting behind a CDN and the pitfalls with path and mode.
3x-ui: gRPC transport
gRPC over Reality in 3x-ui — HTTP/2 multiplexing as a hidden fallback for when TCP-Reality starts getting fingerprinted. The connection-creation form, serviceName, and an honest word about its deprecated status in Xray 26.
3x-ui: Hysteria2
Standing up Hysteria2 in 3x-ui — cert via Certbot, an inbound with protocol=hysteria2 and ALPN h3, open UDP/443, salamander obfuscation. Plus the gotchas: UDP gets throttled, ALPN must be h3, the cert lives 90 days.
Trojan: the config (and why it's going obsolete)
Trojan disguises itself as an ordinary HTTPS site with a fallback to a real page. Two working profiles — TLS with your own cert and Reality without one — plus an honest talk about why this is a backup, not a foundation.
Shadowsocks: why it's no longer an option
An old, simple proxy with no TLS masking. Dead under 2026 DPI, and a weak link in a cascade. I keep this article for reference; I don't advise building on it.
How TSPU thinks: fingerprint, statistics, probing
The mechanics of inspection without a single command. What exactly TSPU looks at, why statistics are more dangerous than signatures, and how to think about disguise instead of memorizing configs.
Beating TSPU and DPI in 2026: what actually works
Not a list of protocols, but a strategy. How TSPU behaves right now, what it throttles first, and how to make your node boring to inspect.
Active probing: how they check you
Why the censor knocks on your server itself and what it looks for in the response. A breakdown of active probing mechanics and the idea of self-steal, without a single command.
Resistance to active probing: setup
Setting up self-steal by hand — a decoy site on an nginx unix socket, Reality via PROXY protocol, the Host fields, and a stealth check. Real commands.
Diagnosing blocks: logs, metrics, tools
The client writes "it doesn't work." We walk the chain client → subscription → node → port → protocol → routing and find the layer where it breaks. Real commands.
WARP on the exit: why and what it gives
Why services cut your node as a data center and how a WARP exit fixes it. What WARP gives and what it doesn't solve — without a single command.
WARP on the exit: connecting it
We set up WARP as an Xray outbound — credentials via wgcf, a wireguard outbound, the critical reserved and noKernelTun on a node in Docker. Real commands.
Zapret and unblocking YouTube
YouTube is throttled at the packet level, and sending it abroad means a foreign region and ads. The solution: a cheap Russian host with zapret as a separate YouTube exit. Commands.
Operating under whitelists
During rolling shutdowns, mobile internet only allows the "whitelist." How to bring up an entry inside a whitelisted subnet, what SNI to set, and where to get the lists. Commands.
Hardening Reality for Russia: 443, fp, vision
Three things that make Reality "work for a couple of minutes → stop": a non-standard port, the chrome fingerprint, and the wrong transport. How to make the entry hold up from Russia. Commands.
Blocking Roundup: Summer 2026
A fresh snapshot of what tightened in RF filtering this summer, what gets hit first, and how operators are responding. No panic, no manuals from two years ago.
Why cascades and node chains are needed
Not "just more nodes," but survivability, a white exit, and hybrid routing from a single architecture. The "entry-consumable, exit-asset" principle without a single command.
A two-node cascade + WARP on the exit
A cheap Russian relay as the entry, a white foreign exit, and WARP on the exit for problem services. socat/iptables commands and a wireguard outbound.
A triple cascade: entry → relay → exit
A whitelisted Russian entry doesn't reach out at all, traffic exits from the second IP via sendThrough. The host and TSPU see a clean site. A ready profile and the vision-in-vision trap.
Cascade transport: MTU, sockopt, why it breaks
The cascade is assembled correctly, but "some sites load, others don't." A breakdown of MTU collapse, nested vision, and the whims of sendThrough — mechanics without commands.
Geo-splitting traffic: why routing
Why "everything through the node" is a bad VPN, while split routing makes it "invisible." The logic of RU-direct, anti-fraud on foreign domains, rule order — no commands.
Routing rules: setup
A ready split-routing config — Russia via direct, blocked via proxy, ads into block. A list of critical domains and delivery to the client. Real JSON.
Balancers and auto-select: how it works
Four levels of balancing from the client to the transport front, four Xray strategies, and why leastPing "works → stalls." Mechanics without commands.
leastPing auto-select: building it
A production auto-select in the subscription template — leastLoad over the pool, geo-dat-free routing, the pool defined by host tags. Plus the main delivery traps. Real JSON.
Node health: healthcheck and fault tolerance
The node is alive to the world but cut off for Russia — the observatory doesn't see this. How to check health from Russia, mechanically drain a dead node, and keep a hot reserve. Commands.
Google/YouTube geo without ads via a Russian exit
Why YouTube via a Russian IP runs almost ad-free and how to build it: a Google route to a Russian exit, DNS block without ECS, muffled IPv6, QUIC into the tunnel. Config.
A Backup Entry in an Hour
The main RF entry got blocked, clients are dropping. How to stand up a backup entry into the cascade in an hour without touching the exit or keys, so nobody re-installs anything. Commands.
What a Dirty IP Is and Why It Breaks Everything
We unpack where an address's reputation comes from, why the same config works from one node and goes red from another, and what exactly services see.
Where to Get White Subnets and How to Check
Practice: specific reputation checkers, a live test of an address, and how to keep a ready reserve of white IPs to replace burned ones.
Checking IP Reputation and Warm-Up
Practice: routine monitoring of an address's reputation, what to do with a "warm" vs. a "cold" IP, and how to carefully bring a new address into service.
How IPs End Up on Blacklists and How to Stay Off
The mechanics of blacklists — who maintains them, why addresses land there, why the whole subnet suffers, and how to behave so your nodes don't burn themselves down.
Where to Get White IPs in 2026
The market for white subnets got noticeably pricier and thinner over the year. Where to look for addresses with a decent reputation in 2026, what's actually worth paying for, and where the markup is thin air.
Client Apps Overview: Happ, v2rayTun, Hiddify, and Who Gets What
Which app to give a client for which platform, how "extended" clients differ from plain ones, and why the right choice cuts half your support tickets.
Happ: Install and Subscription Import
Step by step, we install Happ on iOS/Android, import the subscription, enable bypass for Russia and the kill-switch. An instruction you can hand to a client.
v2rayTun: Setup on the Phone
We install v2rayTun on Android/iOS, import the subscription, and fix the main pain point — when a Russian site still goes through the node. On gVisor and sniffing.
Hiddify: The Cross-Platform Client
One client on Windows, macOS, Linux, Android, and iOS. We install it, import the subscription, enable bypass for Russia, and unpack why Hiddify is convenient on the desktop.
Streisand on iOS: Setup
A light native client for iPhone and iPad. We install it, import the subscription, enable bypass for Russia, and unpack when Streisand beats Happ.
NekoBox / sing-box: For Desktop and Advanced Users
The client with maximum control. Subscription import, manual routing, TUN mode, and when it's worth reaching for sing-box instead of the friendly clients.
Subscription Import: Link, QR, Updating
Three ways to load a subscription into any client and how auto-update works. Universal mechanics, the same for Happ, Hiddify, v2rayTun, and the rest.
Server Description: Hints to the Client in Happ/INCY
How to replace the scary "VLESS | TCP | REALITY" with human-readable tile labels, where it's configured, and why only "extended" clients see it.
Client-Side Routing Rules
Ready-made split routing in the client's xray config: RF sites direct, blocked traffic through the node. The full routing block, how to read the rules, and how to distribute it via the subscription.
The Operator's Anonymity: Threat Model
Not "how to become invisible," but how not to tie the service to your identity. Where operators actually get burned and why deanonymization doesn't go through the server.
Opsec in Practice: Spreading the Trail
The organizational underside of an operator's anonymity. Separate identities, phone numbers, paying with crypto, breaking the KYC chain — layer by layer and with the pitfalls.
Panel Hardening: Locking Down Access
The panel is the prime target: take it and you take the whole service. We hide it behind a reverse proxy with basic auth and an IP allowlist, close ports, ssh by key, fail2ban.
Basic Server Protection: ssh, Firewall, fail2ban
The minimum you put on every server before anything else. We close ports, switch ssh to key login, and set up fail2ban — three fronts of basic defense.
Detecting Key Sharing: How Distribution Gets Caught
Why an HWID limit doesn't stop key sharing, where sharing is actually visible, and by what signals it's caught. The mechanics of detection without a single command.
Anti-Sharing: HWID, Limits, IP-Based Detection
We set an HWID limit, collect online IPs across nodes, flag sharing by a threshold, and shut it down with a key reset. With a whitelist and no auto-ban.
The Subscription-Page Vulnerability: How to Close It
A critical hole was found in the separate subscription-page component. Exploit details are under embargo, but the attack window is already open. We check whether we're vulnerable and close it two ways.
Monitoring and Backup: So You Don't Sleep Through a Failure
A service dies quietly: a node went down overnight, a cert expired, the host ran out of balance. We set up Uptime Kuma with Telegram alerts and configure a DB backup with off-site upload.
Cloudflare ECH and the Russian Block: Why the Site Won't Load
A site behind Cloudflare opens from Russia only with a VPN, and without one — nothing, even though the domain isn't blocked. We break down why ECH is to blame and how this block works.
The Operator's Anonymity Checklist
A tight run-through list for opsec: identities, phone numbers, payments, receiving money, behavior. Go through it before launch and once a quarter — so you never leave a bridge back to your real name.
A Node Liveness Quick Check
A client writes "it's not working." In 5 minutes, work down a checklist to tell whether the exit is alive, the port answers, traffic flows, and it isn't throttled under RF. Commands.
How the Billing Loop Works: Bot, Panel, API
What the machine that sells subscriptions without you is made of. The roles of the bot, panel, and API, and why granting access is one chain, not a set of buttons.
Telegram Bot and Taking Payments: Sales on Autopilot
How to close the money → subscription chain without manual labor. Payment, key delivery, auto-renewal, referral system.
Taking Payments: Stars, Crypto, Processing
Which payment methods you can actually connect to the bot, what requires a legal entity and what doesn't, and how to enable each. With a focus on money flowing rather than getting lost on double grants.
Plans and Promo Codes: Setup
How to create a plan in Remnawave (it's a squad, not a line in a price list), tie it to the bot, and enable promo codes without holes for abuse.
Subscription Auto-Renewal
How to make the term renew without the customer — from simple reminders in the bot to full autopay with a saved card. And where the gotchas are.
A Grace Scheme for Non-Payers
A lifeline for those who forgot to renew: a small emergency access to reach the checkout. How to assemble it in the bot, where the gotchas are with two dates and the panel status.
Anti-Fraud: Chargebacks and Multi-Accounts
The three holes through which money leaks from a service — double grants, sharing, and trial/promo abuse plus chargebacks. How to close each procedurally.
The Referral System: Growth Without an Ad Budget
How to set up a referral program that brings customers for free — bonus days for both, payout for a payment, protection against self-referral.
Service Automation Scripts
Interactive scripts that take the routine off the operator — a Reality inbound generator, node installation, self-steal, cron backups, node auto-restart on cert renewal.
Support on Autopilot: FAQ Bot and Templates
How to build multi-tier support that puts out most tickets on its own and brings only complex cases to a live person. FAQ, templates, escalation.
The Unit Economics of a VPN Service in Detail
How to calculate per-customer cost, set the margin, and understand where profit is actually lost. It's not the block that kills a service, but bad economics.
Pricing: How Not to Undersell or Scare Off
How to price a VPN subscription — why dumping kills, where the anchor comes from, why an annual plan, and how a premium plan pulls the margin. Theory without numbers pulled from thin air.
The Funnel: From Click to Payment
Why a bot that "just sells a subscription" loses money. The four funnel stages — capture, conversion, retention, trust — and the logic of each.
Setting Up the Funnel in the Bot
How to assemble a funnel in the bot step by step — a free MTProto hook, a clean menu with transport auto-swap, a miniapp with a days ring, payment on your own site, a referral system, and a wheel.
VPN Marketing: Channels That Work
Where to actually get VPN customers — why the audience decides everything, why barter with bloggers, a Reels farm for adults, and how not to waste traffic at the purchase step.
Retention: Why It's Cheaper Than Acquisition
Why keeping a customer is many times cheaper than bringing a new one, and what actually holds a customer in the VPN niche — support, habit, anti-churn tactics.
Subscription Freeze and Vacation Mode
How to assemble a subscription "freeze" in the bot — a bank of days instead of churn when the customer travels. Fields, two operations, mandatory limits. With real mechanics.
Why CDN Fronting: Working Under Whitelists
Why an IP ban becomes useless behind a CDN, what you can and can't hide behind one, and why a CDN front saves you even during rolling shutdowns.
Yandex CDN in Front of a Node: Step by Step
A working recipe from a real deployment — Yandex Cloud CDN as a front for a node. yc CLI, certificate, resource, POST-block workaround via GET-only XHTTP, nginx. With a gotcha checklist.
Cloudflare in Front of the Service
Cloudflare as a front for a node — the most predictable benchmark, set up in four steps. But from Russia it has its own quirks, so it's for overseas use and backup.
CDN Fronting: An Advanced Case
A free Russian CDN as a front for a VLESS-XHTTP node — the full scheme with a packet-up inbound, a front on Caddy or nginx, CDN resource setup, and a Remnawave host. An advanced case.
How Whitelists Work and Why CDNs Save You
During rolling shutdowns, mobile internet works only against a whitelist — that's not a block, it's an allow-list. Why an ordinary VPS is dead during it and how to survive.
IP Rolling: Rotating Addresses Under Pressure
Why a blocked IP is a dead asset and churn, and how to keep a reserve of white addresses so clients don't notice blocks. The logic of mass IP selection.
Auto-Deploy: How to Roll Out a Turnkey Service
Why launching a VPN service is dozens of SSH commands that also break, and how auto-deploy removes that pain — panel, nodes, masking, and sales in a couple of clicks.