
VPN bot: 4 protocols, 3 countries, 67 users

Telegram bot for VPN configs: WireGuard, Hysteria2, HTTP, SOCKS5 across three intercontinental servers. Per-user passwords, QR codes, channel-subscription gate.

Region: @vpnsrv18_bot · 3 countries (NL / US East / US West)
Role: Solo: server infra, bot, config generator, billing
Period: 2024–2026
Industry: VPN / censorship bypass

Server addresses and Hysteria2 ports are published because they're already in DNS. Per-user passwords and WireGuard public keys are not.

Summary. Below — why four protocols, how multi-server is wired, and where the billing pain sits.

Why four protocols. One protocol doesn't solve every job. WireGuard is fast, but providers in Russia and Iran learned long ago to fingerprint the UDP handshake and throttle it. Hysteria2 over QUIC on port 443 disguises itself as HTTPS traffic to a CDN — it bypasses most filters. HTTP proxy is needed when the user only wants to route the browser, not all traffic. SOCKS5 is the fallback for apps that don't speak WireGuard and don't get along with QUIC.

Multi-server. vps1 in Amsterdam (Dutch jurisdiction, EU, low latency for Europe), vps2 in New York (US East), vps4 in Salt Lake City (US West, closer for some). Each server is described in the servers table: SSH access, WireGuard public key, Hysteria2 domain + obfs password, proxy ports. When the user requests a new config, the bot SSHes to the chosen server, adds a peer, and returns the ready config + QR.

Billing and limits. Limits are tracked bot-side: each user has a users.tariff record with the allowed config count and traffic. cleanup.py runs from cron, SSHes into each server, pulls traffic stats via WireGuard's wg show transfer and Hysteria2 metrics, and updates usage_logs. Over the cap → nudge in Telegram and temporary block.
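
Added example, not the bot's own cleanup.py: one way to turn successive wg show <interface> transfer snapshots into per-peer usage and flag peers over their tier cap, including the case where WireGuard counters restart from zero. Function names, the Basic/Pro cap split, decimal gigabytes and the sample snapshots are assumptions made for illustration.

```python
GB = 10 ** 9  # assumption: the page's "GB" is read as decimal gigabytes
# Monthly caps in bytes; None means unlimited. The free cap is from the page,
# the Basic/Pro split of "100 GB or unlimited" is an assumption.
CAPS = {"free": 10 * GB, "basic": 100 * GB, "pro": None}


def parse_transfer(output):
    """Parse `wg show <iface> transfer`: tab-separated pubkey, rx, tx."""
    counters = {}
    for line in output.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or not (parts[1].isdigit() and parts[2].isdigit()):
            continue  # skip blank or malformed lines instead of crashing cron
        counters[parts[0]] = int(parts[1]) + int(parts[2])
    return counters


def usage_delta(prev, curr):
    """Bytes used per peer since the previous snapshot.

    Counters restart from zero when the interface or peer is recreated, so a
    value lower than the previous one is treated as a reset and counted in
    full rather than producing a negative delta.
    """
    deltas = {}
    for key, now in curr.items():
        before = prev.get(key, 0)
        deltas[key] = now - before if now >= before else now
    return deltas


def over_cap(month_usage, tariffs):
    """Return peers whose accumulated monthly usage exceeds their tier cap."""
    flagged = []
    for key, used in month_usage.items():
        tier = tariffs.get(key, "free")
        cap = CAPS.get(tier, CAPS["free"])  # unknown tier falls back to free
        if cap is not None and used > cap:
            flagged.append(key)
    return sorted(flagged)


# Constructed sample snapshots; the keys are placeholders, not real peers.
SNAP_1 = "PEER_A=\t4000000000\t5000000000\nPEER_B=\t100\t200\n"
SNAP_2 = "PEER_A=\t1000000000\t2000000000\nPEER_B=\t400\t600\n"  # PEER_A reset
```

Without the reset branch, PEER_A's second snapshot would yield a negative delta and silently reduce the recorded usage.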

Channel subscription as gate. Subscription middleware checks that the user is subscribed to @izgoy4u before every menu response. Unsubscribed → bot stays silent and asks them to resubscribe. Organic channel growth + multi-account defence.

No k8s, no Docker. Single SQLite file, systemd unit, paramiko for SSH. 67 users don't require anything beyond an aiogram app in one process. Complexity would only be justified at a real payment processor and tens of thousands of users — but the current architecture scales to thousands without changes.

What's inside

  • Four protocols in one bot: WireGuard for speed, Hysteria2 with QUIC for DPI bypass, HTTP proxy for browsers, SOCKS5 as universal fallback.
  • Three servers across three locations: vps1 Amsterdam (42/100 users), vps2 New York (31/100), vps4 Salt Lake City (20/100) — real load pulled from the servers table.
  • Hysteria2 on cdn.4brd188.com and cdn.httpsstonies.app behind Cloudflare — traffic looks like ordinary TLS to a CDN, not blocked.
  • Per-user Hysteria2 password — keys don't leak as a single pool, isolation against one compromised account.
  • QR codes generated on the fly: scan with Hiddify or WireGuard mobile and you're connected.
  • Subscription middleware: the bot only opens the menu after the user subscribes to channel @izgoy4u. Verified live via Telegram API.
  • Cleanup of inactive configs: cleanup.py kills keys for users who haven't used VPN for N days.
  • Free / Basic / Pro tiers: free — 1 config, 10 GB/month; paid — 3/10 configs, 100 GB or unlimited.
  • Live numbers on publication date: 67 users, 93 live VPN configs, 3 active servers.
  • Referral program: bonus configs for invited users. Stored in DB, no separate service.

Stack

  • aiogram 3
  • SQLAlchemy async + aiosqlite
  • WireGuard
  • Hysteria2
  • HTTP/SOCKS5 (Squid/Dante)
  • qrcode (Python)
  • paramiko (SSH to servers)
  • Cloudflare CDN (Hysteria2 domains)
  • systemd
  • VPS1 (Amsterdam) · VPS2 (NYC) · VPS4 (Salt Lake City)