Do DPI systems actually let IPv6 traffic through?

No, that is a myth. Modern DPI systems analyze both IPv4 and IPv6 traffic. The advantage of IPv6 is not in "invisibility" to DPI, but in the fact that the sheer scale of the address space makes mass IP blocking practically impossible.

Is IPv6 mandatory for MTProxy to work?

No. MTProxy works perfectly on IPv4. IPv6 is an additional connection method that increases the resilience of the proxy against blockages.

How to check if my VPS supports IPv6?

Run the command: ip -6 addr show. If you see an address starting with 2xxx: or fdxx:, IPv6 is available.

What is dual-stack and why is it needed?

Dual-stack is a mode where the server listens on both IPv4 and IPv6 addresses simultaneously. The client automatically chooses the protocol. This increases the chances of a successful connection during partial blocks.

IPv6 for MTProxy: Bypassing Blocks via Address Space Scale

Q: Do I need to open IPv6 ports in the firewall separately?

Yes. ufw works with IPv4 and IPv6 separately. Add: sudo ufw allow 443/tcp and ensure that IPV6=yes is set in /etc/default/ufw.

When authorities block MTProxy, they most often block the specific IP addresses of the servers. This approach works against IPv4 but has a fundamental limitation against IPv6. Let's break down why — and how to use it.

IPv4 vs IPv6: What is the fundamental difference

The Internet operates on two generations of addressing. IPv4 and IPv6 coexist, but they have different properties that are important for bypassing censorship.

Key fact: A standard IPv6 block that an ISP assigns to a single server is a /64 prefix. It contains 2^64 = 18,446,744,073,709,551,616 addresses. Even if a censorship authority blocks 1,000,000 addresses per day, it would take them over 50,000 years to exhaust the entire /64 block.

Important clarification: IPv6 is not "invisible" to DPI

A common misconception: "DPI systems cannot analyze IPv6." This is not true.

Modern DPI complexes (including TSPU in Russia and equivalents in Iran) fully analyze IPv6 traffic at the content level. Fake TLS masquerading remains essential regardless of the IP version.

The advantage of IPv6 lies not in "invisibility", but in the unenumerability of addresses:

Blocking method	Against IPv4	Against IPv6
IP blocking	Effective (limited number of addresses)	Ineffective (2^64 addresses in one /64)
Content DPI	Works	Works exactly the same
Fake TLS bypassing DPI	Needed	Needed

How dual-stack works in the context of MTProxy

Dual-stack means your server listens simultaneously on IPv4 and IPv6 addresses. The client (Telegram) automatically chooses the protocol.

If your proxy's IPv4 address is blocked, but the IPv6 is not (which is typical in the early stages of blocking), clients with IPv6 will continue to work.

How to check IPv6 support on the server

# Check if an IPv6 address is present
ip -6 addr show

# Check IPv6 internet connection
ping6 google.com

# Find out out your IPv6 address
curl -6 ifconfig.me

If the server has an IPv6 address (starting with 2 or fc/fd), it is ready for dual-stack setup.

Configuring Docker for IPv6

By default, Docker does not support IPv6 for containers. You need to explicitly enable it.

Step 1: Enable IPv6 in the Docker daemon

Edit /etc/docker/daemon.json:

{
  "ipv6": true,
  "fixed-cidr-v6": "fd00::/80",
  "ip6tables": true,
  "experimental": true
}

Restart Docker:

systemctl restart docker

Step 2: Start MTProxy with explicit address binding

docker run -d \
  --name mtproxy \
  --restart always \
  -p 0.0.0.0:443:443 \
  -p [::]:443:443 \
  -e SECRET="YOUR_SECRET_EE..." \
  -e WORKERS=1 \
  -v proxy-config:/data \
  telegrammessenger/proxy:latest

The -p [::]:443:443 flag binds port 443 to any IPv6 address (the equivalent of 0.0.0.0 for IPv4).

Step 3: Verify dual-stack listening

docker exec mtproxy ss -tlnp | grep 443

You should see both 0.0.0.0:443 and [::]:443.

Configuring the firewall for IPv6

# Ubuntu/Debian with ufw
sudo ufw allow 443/tcp
sudo ufw allow 443/tcp comment 'MTProxy'

# Ensure IPv6 is enabled for ufw
grep IPV6 /etc/default/ufw
# Should be: IPV6=yes

For using iptables/ip6tables directly:

ip6tables -A INPUT -p tcp --dport 443 -j ACCEPT
ip6tables-save > /etc/iptables/rules.v6

IPv6 address in the connection link

A connection link with an IPv6 address looks like this:

tg://proxy?server=2a01:4f8:c2c:1234::1&port=443&secret=ee...

The Telegram client correctly handles IPv6 addresses in the server field. If necessary, you can provide both options:

# IPv4 link
tg://proxy?server=1.2.3.4&port=443&secret=ee...

# IPv6 link
tg://proxy?server=2a01:4f8:c2c:1234::1&port=443&secret=ee...

Users can choose whichever works on their network.

Practical value in real blocking scenarios

The experience of users in Iran and Russia shows a certain pattern: when a wave of blockages begins, ISPs first block the IPv4 addresses of the servers. IPv6 addresses get blocked later — sometimes with a delay of a few days or weeks.

This is not a guarantee, but a dual-stack setup increases the proxy's resilience during active blocking periods.

For more on configuring IPv6 in Docker, read the official Docker documentation. For IPv6 specifications, see RFC 4291 (IETF). About Telegram's infrastructure — at core.telegram.org/mtproto.

FAQ

Does DPI really let IPv6 through? No, this is a myth. Modern DPI systems analyze IPv6 too. The advantage of IPv6 is in the scale of the address space, not in "invisibility".

Is IPv6 mandatory? No. MTProxy works on IPv4. IPv6 is an additional resilience tool.

How to check IPv6 on the server? ip -6 addr show — if you see an address, IPv6 is available.

Do I need to open IPv6 ports in the firewall separately? Yes. ufw allow 443/tcp by default covers both protocols only if IPV6=yes is set in /etc/default/ufw.

What is dual-stack? Simultaneously listening on both IPv4 and IPv6. The client automatically selects the protocol.

Figured out IPv6? Read how to optimize server performance and how the DPI that IPv6 counters actually works.

List of working proxies — no setup required, updated every 60 seconds.