Hysteria — QUIC-Based Network Tunnel for High-Speed Unreliable Networks

Introduction

Hysteria is a proxy and tunneling tool powered by a custom QUIC transport layer called Brutal. It targets environments where traditional TCP-based proxies suffer from packet loss and throttling, making it popular for bypassing network restrictions on congested links.

What Hysteria Does

• Tunnels TCP and UDP traffic over a custom QUIC-based protocol with aggressive send rates
• Operates as a SOCKS5, HTTP, or transparent proxy on the client side
• Supports port forwarding for exposing local services through the tunnel
• Provides traffic masquerading to make connections appear as standard HTTPS
• Handles user authentication and bandwidth control per client

Architecture Overview

Hysteria consists of a server binary and a client binary, both written in Go. The server listens on a UDP port and negotiates QUIC connections with clients. The custom Brutal congestion control algorithm ignores traditional TCP-fair bandwidth sharing and instead sends at a user-specified rate, recovering from packet loss without backing off. The client multiplexes proxied connections over a single QUIC session, reducing handshake overhead.

Self-Hosting & Configuration

• Deploy the server on any VPS with a public IP and open UDP port
• Obtain a TLS certificate via ACME (built-in Let's Encrypt support) or provide your own
• Configure bandwidth limits in the server YAML to prevent abuse
• Use the client on desktops, phones (via third-party apps), or routers
• Integrate with authentication backends via HTTP-based user verification

Key Features

• Brutal congestion control delivers high throughput even on heavily congested links
• Built-in ACME for automatic TLS certificate provisioning
• Traffic obfuscation makes Hysteria traffic resemble regular HTTPS connections
• Multi-user support with per-user bandwidth limits and traffic statistics
• Zero-round-trip connection resumption via QUIC 0-RTT

Comparison with Similar Tools

• WireGuard — efficient VPN but uses fixed-rate UDP; Hysteria adapts to lossy networks with aggressive retransmission
• V2Ray/Xray — multi-protocol proxy suites; Hysteria focuses on QUIC-native performance
• TUIC — another QUIC-based proxy; Hysteria's Brutal CC is more aggressive on bad links
• SSH tunneling — simple but TCP-over-TCP causes head-of-line blocking; Hysteria avoids this via QUIC

FAQ

Q: Is Hysteria safe to use on shared servers? A: Set bandwidth limits in the server config to prevent individual clients from saturating the link.

Q: Does it support mobile devices? A: Yes. Third-party clients like NekoBox and Shadowrocket integrate Hysteria on iOS and Android.

Q: How does the Brutal congestion control work? A: Instead of probing available bandwidth like Cubic or BBR, Brutal sends at a user-defined target rate and retransmits lost packets without reducing speed.

Q: Can I use it with a CDN? A: Hysteria requires raw UDP connectivity, so it cannot be proxied through typical HTTP-only CDNs. Some providers offer UDP relay capabilities.

Sources

• https://github.com/apernet/hysteria
• https://hysteria.network/