VLESS Mobile Network Setup: How to Bypass Blocking on MTS & Russian Carriers
Step-by-step guide to bypass VLESS blocking on mobile networks (MTS, Megafon, Beeline): SNI, TLS, Reality configurations, and alternative solutions for Russian mobile carriers.
How can I get VLESS to work over mobile data (MTS and other carriers)? It works fine on Wi‑Fi, but when I try to connect via my phone’s mobile network it gets heavily blocked. My server is running on aeza 3X‑UI. I’ve tried a few things:
- WebSocket + CDN with a Cloudflare‑managed domain
- VLESS + Reality
- Various SNI values (including web.max.ru and others)
None of these setups work on mobile. Any recommendations? I’m in Moscow.
Main Reasons for VLESS Blocking on Mobile Networks
The headaches with VLESS on Russian mobile networks come from newer censorship tactics that have been in play since mid‑2024. According to research from the net4people GitHub community, Russian providers have rolled out more sophisticated blocking mechanisms:
- TLS Police – Censors scrutinize TLS handshakes and block connections that don’t match the whitelist.
- Combined Checks – The system simultaneously checks the SNI, the server IP, and CIDR ranges.
- Mobile Segmentation – Blocks are applied separately to mobile and fixed networks.
As Reddit users point out, VLESS/Reality works fine over Wi‑Fi, but on mobile networks (MTS/Megafon) it shows “connected” while traffic stalls. This systematic pattern has led researchers to suspect a specialized approach targeting mobile traffic.
Optimal Configurations for Mobile Networks
1. VLESS + TLS + Obfuscation
{
  "outbounds": [
    {
      "protocol": "vless",
      "settings": {
        "vnext": [
          {
            "address": "your.server.ip",
            "port": 443,
            "users": [
              {
                "id": "your-uuid",
                "encryption": "none",
                "flow": "xtls-rprx-vision"
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "tls",
        "tlsSettings": {
          "serverName": "st.ozone.ru",
          "allowInsecure": true
        }
      }
    }
  ]
}
2. VLESS + Reality + Correct SNI
{
  "inbounds": [
    {
      "listen": "127.0.0.1",
      "port": 10808,
      "protocol": "socks",
      "settings": {}
    }
  ],
  "outbounds": [
    {
      "protocol": "vless",
      "settings": {
        "vnext": [
          {
            "address": "your.server.ip",
            "port": 443,
            "users": [
              {
                "id": "your-uuid",
                "encryption": "none",
                "flow": "xtls-rprx-vision"
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "reality",
        "realitySettings": {
          "serverName": "nspk.ru",
          "fingerprint": "chrome",
          "publicKey": "your-reality-public-key",
          "shortId": "your-short-id"
        }
      }
    }
  ]
}
Configuring SNI and Target Addresses
A key factor for mobile network compatibility is picking the right SNI (Server Name Indication). Studies show that Russian operators maintain a whitelist of domains.
Working SNI for MTS and Other Operators
- st.ozone.ru – one of the most reliable options.
- nspk.ru – works with a banking certificate.
- web.max.ru – specifically for MTS.
- sberbank.ru – a banking domain with high priority.
- mts.ru – the operator’s official domain.
Important: As noted in the GitHub discussion, censors rely on an SNI‑based whitelist in TLS handshakes. Using these domains as SNI dramatically boosts your odds of a successful connection. That said, simply picking one of them doesn’t guarantee a 100 % success rate—sometimes you need to combine them with other evasion techniques.
Configuring in 3X‑UI
- Go to the “Inbounds” section.
- Pick your VLESS inbound.
- In the “stream settings” → “tls” → “serverName” field, enter one of the approved domains.
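- Set “allowInsecure”: true so the client skips certificate validation. This is needed because the server cannot present a certificate that is valid for a domain it does not own, and it also means the client accepts any certificate, so the TLS layer no longer authenticates the server.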
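
The TLS configs on this page depend on “allowInsecure”: true, and a REALITY client config only authenticates the server when it carries the server's public key. The audit below flags both conditions in an Xray client config; it is an added example, not code from the page or from Xray or 3X-UI, and the function names and the embedded sample config are constructed for illustration.

```python
import json

# Constructed sample: the "VLESS + TLS" client outbound pattern from this page.
SAMPLE = json.loads("""
{"outbounds": [{
  "protocol": "vless",
  "streamSettings": {
    "network": "tcp", "security": "tls",
    "tlsSettings": {"serverName": "st.ozone.ru", "allowInsecure": true}
  }
}]}
""")

def audit_outbound(ob):
    """Return (severity, message) findings for one Xray client outbound."""
    findings = []
    stream = ob.get("streamSettings", {})
    security = stream.get("security", "none")
    if security == "tls":
        tls = stream.get("tlsSettings", {})
        if tls.get("allowInsecure") is True:
            findings.append(("high",
                "allowInsecure=true: any certificate is accepted for "
                f"{tls.get('serverName', '<unset>')}, so TLS does not "
                "authenticate the server"))
        if not tls.get("serverName"):
            findings.append(("low", "tlsSettings.serverName is empty"))
    elif security == "reality":
        rs = stream.get("realitySettings", {})
        # publicKey is what the client uses to authenticate the REALITY server.
        if not rs.get("publicKey"):
            findings.append(("high", "realitySettings.publicKey is missing"))
        if not rs.get("serverName"):
            findings.append(("low", "realitySettings.serverName is empty"))
    elif security == "none" and ob.get("protocol") in ("vless", "trojan"):
        findings.append(("high", "security is none: no TLS or REALITY layer"))
    return findings

def audit_config(cfg):
    """Map outbound index -> findings, for outbounds that have any."""
    results = ((i, audit_outbound(ob)) for i, ob in enumerate(cfg.get("outbounds", [])))
    return {i: found for i, found in results if found}

if __name__ == "__main__":
    for idx, items in audit_config(SAMPLE).items():
        for sev, msg in items:
            print(f"outbound[{idx}] {sev}: {msg}")
```
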
Alternative Protocols and Workarounds
If VLESS keeps getting blocked, consider these alternatives:
1. Trojan Protocol
Trojan masquerades as an HTTPS connection, has a structure similar to VLESS, but tends to slip past DPI better:
{
  "outbounds": [
    {
      "protocol": "trojan",
      "settings": {
        "servers": [
          {
            "address": "your.server.ip",
            "port": 443,
            "password": "your-password",
            "email": "user@example.com"
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "tls",
        "tlsSettings": {
          "serverName": "st.ozone.ru"
        }
      }
    }
  ]
}
2. Shadowsocks + Obfs4
Shadowsocks is traditionally less effective, but with the right obfuscation it can work. The obfs-local plugin is loaded by the Shadowsocks client itself, so this config is in the shadowsocks-libev client format rather than Xray's:
{
  "server": "your.server.ip",
  "server_port": 443,
  "local_address": "127.0.0.1",
  "local_port": 10808,
  "password": "your-password",
  "method": "chacha20-ietf-poly1305",
  "plugin": "obfs-local",
  "plugin_opts": "obfs=tls;obfs-host=st.ozone.ru"
}
Practical Configuration Examples
Configuration for MTS in Moscow
{
  "log": {
    "loglevel": "warning"
  },
  "inbounds": [
    {
      "listen": "127.0.0.1",
      "port": 10808,
      "protocol": "socks",
      "settings": {
        "auth": "noauth",
        "udp": true
      }
    },
    {
      "listen": "127.0.0.1",
      "port": 10809,
      "protocol": "http",
      "settings": {}
    }
  ],
  "outbounds": [
    {
      "protocol": "vless",
      "settings": {
        "vnext": [
          {
            "address": "your.server.ip",
            "port": 443,
            "users": [
              {
                "id": "your-uuid",
                "encryption": "none",
                "flow": "xtls-rprx-vision"
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "tls",
        "tlsSettings": {
          "serverName": "web.max.ru",
          "allowInsecure": true,
          "fingerprint": "chrome"
        }
      }
    }
  ]
}
Diagnostic Tools
To troubleshoot mobile‑network issues, use the following tools:
1. Checking SNI
Use openssl (or an online TLS checker) to test TLS connections with different SNI values:
openssl s_client -connect your.server.ip:443 -servername st.ozone.ru
2. Traffic Analysis
Use Wireshark to analyze TLS handshakes and pinpoint where the block occurs.
3. Test Domains
Create a test config with various SNI values and check each one:
{
  "tests": [
    {"sni": "st.ozone.ru", "result": "unknown"},
    {"sni": "nspk.ru", "result": "unknown"},
    {"sni": "web.max.ru", "result": "unknown"},
    {"sni": "sberbank.ru", "result": "unknown"}
  ]
}
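
One way to fill in the "result" fields of the test list above and compare a Wi‑Fi control run with a mobile run, as the monitoring advice later on this page suggests. This is an added example, not code from the page or from any project it cites; the function names and result labels are hypothetical, and 192.0.2.10 is a documentation address standing in for your server.

```python
import socket
import ssl

def probe_sni(host, port, sni, timeout=5.0):
    """Try one TLS handshake to host:port presenting `sni`; classify the outcome."""
    ctx = ssl.create_default_context()  # validates chain and hostname against sni
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni):
                return "ok-cert-valid"
    except ssl.SSLCertVerificationError:
        # The server's certificate arrived, so the path is open; it is just
        # not valid for sni (expected when the server does not own that name).
        return "ok-cert-invalid"
    except (socket.timeout, TimeoutError):
        return "timeout"            # no response within the timeout
    except ConnectionResetError:
        return "reset"              # connection reset during connect or handshake
    except OSError as exc:          # includes the remaining ssl.SSLError cases
        return "error:" + type(exc).__name__

def run_tests(doc, host, port, probe=probe_sni):
    """Fill each entry's "result" in the test-list format shown above."""
    for entry in doc["tests"]:
        entry["result"] = probe(host, port, entry["sni"])
    return doc

def diff_runs(control, mobile):
    """Return {sni: (control_result, mobile_result)} where the two runs disagree."""
    base = {e["sni"]: e["result"] for e in control["tests"]}
    return {e["sni"]: (base.get(e["sni"]), e["result"])
            for e in mobile["tests"] if base.get(e["sni"]) != e["result"]}

if __name__ == "__main__":
    # Constructed input: the page's test list against a placeholder server address.
    tests = {"tests": [{"sni": s, "result": "unknown"}
                       for s in ("st.ozone.ru", "nspk.ru", "web.max.ru", "sberbank.ru")]}
    print(run_tests(tests, "192.0.2.10", 443))
```

Run it once on each network and pass the two result documents to diff_runs; an SNI that reads "ok-cert-invalid" on Wi‑Fi but "timeout" or "reset" on mobile data is being treated differently on the mobile path.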
Recommendations for Stable Operation
1. Regular SNI Rotation
As users note, even a working SNI can stop working after a while. The recommended approach:
- Compile a list of 5–10 approved domains.
- Rotate the SNI every 1–2 weeks.
- Use rotation for different traffic types.
2. Using a CDN
Set up Cloudflare in “Full (strict)” mode and use its domains as SNI:
{
  "streamSettings": {
    "network": "ws",
    "security": "tls",
    "tlsSettings": {
      "serverName": "your-cloudflare-domain.com"
    },
    "wsSettings": {
      "headers": {
        "Host": "your-cloudflare-domain.com"
      }
    }
  }
}
3. Availability Monitoring
Set up server availability monitoring from various networks:
- Check via Wi‑Fi (control point).
- Check via MTS mobile network.
- Check via Megafon mobile network.
4. Backup Configurations
Prepare several configs with different protocols and SNI for quick switchover if a block occurs.
Conclusion
Solving VLESS blocking on Russian mobile networks requires a comprehensive approach:
- Use approved SNI: st.ozone.ru, nspk.ru, web.max.ru, sberbank.ru.
- Set up the right transport: VLESS + TLS or Reality with xtls‑rprx‑vision.
- Keep configs fresh: rotate SNI every 1–2 weeks.
- Have alternatives: Trojan, Shadowsocks with obfuscation.
- Monitor availability: track performance across Wi‑Fi, MTS, Megafon, and other networks.
The main challenge is that blocking methods keep evolving, so you need to keep an eye on changes and tweak your configs. By following these recommendations, you can keep VLESS running smoothly on MTS, Megafon, and other Russian mobile networks.
Sources
- GitHub net4people/bbs Issue #490 – Russia Censor Blocking Methods
- Reddit r/VPN – VLESS/Reality works on Wi‑Fi, stalls on Russian mobile
- GitHub hxehex/russia-mobile-internet-whitelist – Mobile network whitelists
- QNA Habr – VLESS+Reality stopped working on Yota mobile internet
- Dev.to – VLESS Protocol: How It Bypasses Censorship in Russia
- GitHub XTLS/Xray-core Discussion – Configuring VLESS + TCP + REALITY