Manual VPN Configuration: Best Settings 2026

If you are looking for best vpn manual settings — the correct values for protocols, ports, and encryption that actually work against Russian DPI — this article is exactly about that. Not general advice, but specific numbers that I have tested in practice in 2026.

Most articles on manual VPN configuration provide instructions like "click here, enter your login," but remain silent about what MTU to set, why WireGuard on 51820 is immediately visible on the Russian provider's network, and what Jc means in AmneziaWG. That's what we will analyze.

When manual VPN configuration is better than a ready-made application

A VPN application is convenient. You press a button, connect. But when the provider starts throttling traffic or blocking the protocol itself, the application with default settings often gives up first. Manual configuration allows you to choose the exact parameters that bypass a specific filter.

The application is blocked by the provider, but the manual configuration is not

DPI (Deep Packet Inspection) at Russian providers can recognize the patterns of popular VPN applications by their ports, handshakes, and the timing characteristics of their traffic. A manual configuration with a non-standard port and obfuscation looks different. That is why a hand-built WireGuard configuration on port 443 often works where the official application stalls.

Flexible choice of port, protocol, and encryption

In manual mode, you choose: UDP or TCP, port 443 or 1194, which cipher to use. This is especially important with symmetric NAT from mobile operators — it often breaks UDP connections, and the only solution is to switch to TCP/443.

Configuration on devices without an application: router, Smart TV, Apple TV

Apple TV, Samsung/LG Smart TVs, and gaming consoles — PlayStation, Xbox — do not support VPN clients directly. The only way to route their traffic through a VPN is to configure it at the router level. Without manual configuration, this is impossible.

When manual configuration is NOT needed and it's easier to leave the application

If the VPN application works and the speed is satisfactory — there’s no need to change anything. Manual configuration carries the risk of errors in parameters, and then the connection may not establish at all or there will be DNS leaks. Beginners without experience are better off starting with a ready-made application and moving to manual configuration only when there is a specific problem.

Best parameters for protocols: WireGuard, OpenVPN, IKEv2, VLESS, Amnezia

This is where most guides fail — they provide general information without specific values. Below are the actual working ranges for the conditions in Russia in 2026. This is what is called best vpn manual settings in the professional community.

WireGuard: MTU, Keepalive, AllowedIPs — what values to set

WireGuard is fast and simple, but "bare" — without obfuscation — is easily detected by DPI due to its characteristic handshake. However, if the provider does not block it, this is the best choice for speed.

Specific parameters:

  • MTU: 1280–1420. Start with 1420. If pages load slowly with normal ping — decrease in steps of 10 down to 1280. On mobile networks, 1360 or lower is often needed.
  • PersistentKeepalive: 25. Keeps the connection through NAT. Without this parameter, the connection drops after a few minutes of inactivity.
  • AllowedIPs: 0.0.0.0/0, ::/0. Be sure to enable the IPv6 block — otherwise, IPv6 traffic will bypass the tunnel and reveal your real IP.
  • DNS: 1.1.1.1 or 9.9.9.9. Do not use the provider's DNS inside the tunnel.
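As an added illustration (not a config from the article or from any VPN provider), here is a small shell linter that checks a wg-quick client config for exactly the values listed above: MTU within 1280–1420, PersistentKeepalive 25, both 0.0.0.0/0 and ::/0 in AllowedIPs, and an explicit DNS. The two sample configs are constructed for the example; the key fields are placeholders and vpn.example.com is a fictional endpoint.

```shell
#!/bin/sh
# Added example (not from the article): lint a wg-quick client config against
# the values recommended above. Both sample configs are constructed here; the
# key fields are placeholders, not real keys, and vpn.example.com is fictional.

# Print the value of "Key = value" from a wg-quick config (first match only).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 if the config matches the recommended settings, 1 otherwise,
# printing one line per problem found.
check_wg_conf() {
    f=$1
    rc=0
    mtu=$(conf_get "$f" MTU)
    case "$mtu" in
        '')       echo "MTU: not set explicitly; start from 1420"; rc=1 ;;
        *[!0-9]*) echo "MTU: '$mtu' is not a number"; rc=1 ;;
        *) if [ "$mtu" -lt 1280 ] || [ "$mtu" -gt 1420 ]; then
               echo "MTU: $mtu is outside the 1280-1420 working range"; rc=1
           fi ;;
    esac
    ka=$(conf_get "$f" PersistentKeepalive)
    [ "$ka" = 25 ] || { echo "PersistentKeepalive: expected 25, got '${ka:-unset}' (tunnel drops behind NAT)"; rc=1; }
    allowed=$(conf_get "$f" AllowedIPs)
    case "$allowed" in *0.0.0.0/0*) ;; *) echo "AllowedIPs: missing 0.0.0.0/0"; rc=1 ;; esac
    case "$allowed" in *::/0*)      ;; *) echo "AllowedIPs: missing ::/0, IPv6 will bypass the tunnel"; rc=1 ;; esac
    [ -n "$(conf_get "$f" DNS)" ] || { echo "DNS: not set, the ISP resolver stays in use"; rc=1; }
    return $rc
}

# Constructed sample configs: one that follows the recommendations, one that
# has the three mistakes the article warns about (MTU, keepalive, IPv6).
good_conf=$(mktemp); bad_conf=$(mktemp)
trap 'rm -f "$good_conf" "$bad_conf"' EXIT
cat >"$good_conf" <<'EOF'
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.8.0.2/32, fd00:8::2/128
DNS = 1.1.1.1
MTU = 1420

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
Endpoint = vpn.example.com:443
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF
cat >"$bad_conf" <<'EOF'
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.8.0.2/32
MTU = 1500

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0
EOF

check_wg_conf "$good_conf" && echo "good config: OK"
check_wg_conf "$bad_conf" || echo "bad config: fix the lines above"
```

Run it against your own file with check_wg_conf /path/to/wg0.conf. The ::/0 check is the one a quick visual read most often misses, and it is exactly the leak the AllowedIPs item above describes.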

OpenVPN: UDP vs TCP, port 443, tls-crypt and obfuscation

OpenVPN is an old workhorse, but a flexible one. UDP is faster; TCP is more reliable on poor networks. Under strict DPI, switch to TCP/443, which makes the traffic outwardly resemble HTTPS.

Be sure to use tls-crypt instead of the outdated tls-auth: it encrypts even the TLS handshake and significantly complicates protocol recognition. Without this, OpenVPN on port 1194 is detected instantly. The verb 3 parameter in the config: enable it for diagnostics, then remove it.

IKEv2/IPsec: when it is suitable and where it gets cut

IKEv2 is good on iOS and macOS — it is built into the system, no separate application is needed. It quickly reconnects when switching networks (Wi-Fi → mobile). But IPsec on port 500/4500 UDP is cut by Roskomnadzor without ceremony where it actively applies blocks. For everyday use in Russia in 2026 — an unreliable choice, unless it works through a VPN server with a non-standard port.

Shadowsocks and VLESS/XRay: disguising as regular HTTPS traffic

VLESS with XTLS-Reality transport is, in my opinion, the best option for Russia right now. It pretends to be a regular TLS 1.3 connection to a real site (for example, to microsoft.com or apple.com), and DPI cannot distinguish it from legitimate traffic.

Shadowsocks is easier to set up but less resistant to active probing. If the provider applies aggressive DPI with active probing, Shadowsocks can be detected. VLESS/Reality is more reliable in this regard.

Both protocols operate on port 443. There is no point in using other ports.

AmneziaWG: parameters against DPI (Jc, Jmin, Jmax, S1, S2, H1-H4)

AmneziaWG is a fork of WireGuard with handshake obfuscation. It is the obfuscation parameters that make it invisible to DPI that can recognize standard WireGuard.

Parameter   What it does                                        Working value
Jc          Number of garbage packets in the handshake          3–10
Jmin        Minimum size of a garbage packet (bytes)            10–50
Jmax        Maximum size of a garbage packet (bytes)            50–1000
S1          Additional bytes in the first initiation packet     0–250
S2          Additional bytes in the response packet             0–250
H1–H4       Magic Header values (must be unique)                Random uint32

The server and client must use the same values for these parameters; otherwise, the connection will not be established. The Amnezia VPN application generates them automatically when creating the config. NvoVPN, for example, provides ready-made AmneziaWG configs through the personal account — no need to generate manually.
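Added example, not from the article and not the Amnezia project's own code: a shell generator and validator for these parameters, so that a hand-written set can be checked against the working ranges in the table before it goes into a config (and before a mismatch between server and client costs you a connection). The S2 must not equal S1 + 56 rule is taken from the upstream AmneziaWG documentation (the padded initiation and response packets must not end up the same size); it is not stated in the article.

```shell
#!/bin/sh
# Added example (not from the article or the Amnezia project): generate a set
# of AmneziaWG obfuscation parameters inside the working ranges from the table
# above and validate a set before it goes into a config. The S2 != S1 + 56 rule
# comes from the upstream AmneziaWG documentation, not from the article.

# Random integer in [lo, hi]; /dev/urandom via od, fine for padding sizes
# (these values are not keys, the slight modulo bias is irrelevant).
rand_in() {
    r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
    echo $(( $1 + r % ($2 - $1 + 1) ))
}

rand_u32() { od -An -N4 -tu4 /dev/urandom | tr -d ' '; }

in_range() { [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; }

# args: Jc Jmin Jmax S1 S2 H1 H2 H3 H4 ; returns 0 if valid, prints each issue.
awg_validate() {
    [ $# -eq 9 ] || { echo "expected 9 values, got $#"; return 1; }
    for v in "$@"; do
        case "$v" in ''|*[!0-9]*) echo "'$v' is not a non-negative integer"; return 1 ;; esac
    done
    ok=0
    in_range "$1" 3 10     || { echo "Jc=$1 outside 3-10"; ok=1; }
    in_range "$2" 10 50    || { echo "Jmin=$2 outside 10-50"; ok=1; }
    in_range "$3" 50 1000  || { echo "Jmax=$3 outside 50-1000"; ok=1; }
    [ "$2" -le "$3" ]      || { echo "Jmin=$2 exceeds Jmax=$3"; ok=1; }
    in_range "$4" 0 250    || { echo "S1=$4 outside 0-250"; ok=1; }
    in_range "$5" 0 250    || { echo "S2=$5 outside 0-250"; ok=1; }
    [ "$5" -ne $(( $4 + 56 )) ] || { echo "S2 must not equal S1+56 (upstream AmneziaWG rule)"; ok=1; }
    for h in "$6" "$7" "$8" "$9"; do
        [ "$h" -le 4294967295 ] || { echo "H=$h does not fit in uint32"; ok=1; }
    done
    distinct=$(printf '%s\n' "$6" "$7" "$8" "$9" | sort -u | wc -l | tr -d ' ')
    [ "$distinct" -eq 4 ] || { echo "H1-H4 must be four distinct values"; ok=1; }
    return $ok
}

# Print 9 space-separated values that pass awg_validate (retry on a rare clash).
awg_generate() {
    while :; do
        set -- "$(rand_in 3 10)" "$(rand_in 10 50)" "$(rand_in 50 1000)" \
               "$(rand_in 0 250)" "$(rand_in 0 250)" \
               "$(rand_u32)" "$(rand_u32)" "$(rand_u32)" "$(rand_u32)"
        awg_validate "$@" >/dev/null && { echo "$@"; return 0; }
    done
}

# Render the nine values as [Interface] keys; the same lines go on both sides.
awg_conf_lines() {
    printf 'Jc = %s\nJmin = %s\nJmax = %s\nS1 = %s\nS2 = %s\nH1 = %s\nH2 = %s\nH3 = %s\nH4 = %s\n' "$@"
}

awg_conf_lines $(awg_generate)
```

To check a set you already have, call awg_validate with the nine values in table order; a non-zero exit plus the printed reason tells you which line to fix before copying the block into both configs.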

Step-by-step manual setup on different devices

Android: config import and manual parameter entry

For WireGuard — download the official WireGuard app from the Play Store. Create a tunnel via “+” → “Create from scratch” or “Import from file/QR”. When entering manually, specify the private key, interface address, DNS, MTU (1280–1420), and peer data (server public key, endpoint, AllowedIPs, PersistentKeepalive: 25).

For VLESS — use v2rayNG or NekoBox. Import via the link string vless:// or QR code. After importing, check in the peer settings that the correct Reality publicKey and shortId are specified.

iPhone/iOS: VPN profiles and client applications

iOS system settings only support IKEv2, L2TP, and PPTP (the latter should not be used at all, it is insecure). Path: Settings → General → VPN and Device Management → VPN → Add VPN Configuration.

WireGuard, VLESS, and Shadowsocks require a separate app from the App Store: WireGuard (official), Streisand, or Shadowrocket for VLESS/Shadowsocks. Shadowrocket costs $2.99 — it is paid, but works more reliably than free alternatives.

Windows: official clients and system settings

IKEv2 is configured through Control Panel → Network → Create a connection → VPN. For WireGuard — the official client wireguard.com/install. Import the .conf file via “Add tunnel”.

After connecting, check that the route 0.0.0.0/0 really does go through the tunnel: run route print in the command line. If an IPv6 address is visible without a route through the VPN, add the ::/0 block to AllowedIPs.
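Added example, not from the article: the Linux equivalent of the route print check, for a laptop or an OpenWrt router, built on ip route get, which reports the route the kernel would really use (wg-quick's policy-routing table included, whereas a plain ip route listing still shows the ISP default). The sample outputs are constructed, and wg0 is the assumed tunnel interface name.

```shell
#!/bin/sh
# Added example (not from the article): the Linux counterpart of the
# `route print` check above. `ip route get` resolves the route the kernel
# would actually use, so it sees wg-quick's table 51820. Sample outputs are
# constructed; wg0 is the assumed tunnel interface.

# Print the outgoing interface from one `ip route get` result.
route_dev() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n 1
}

# $1 = tunnel interface, $2 = `ip route get <v4 target>` output,
# $3 = `ip -6 route get <v6 target>` output (empty if the host has no IPv6 route).
# Returns 0 when both families leave via the tunnel; prints what leaks otherwise.
check_default_routes() {
    iface=$1; v4=$2; v6=$3; bad=0
    [ "$(route_dev "$v4")" = "$iface" ] || { echo "IPv4 leaves via $(route_dev "$v4"), not $iface"; bad=1; }
    if [ -z "$v6" ]; then
        echo "no IPv6 route at all (fine only if the host has no global IPv6 address)"
    elif [ "$(route_dev "$v6")" != "$iface" ]; then
        echo "IPv6 leaves via $(route_dev "$v6"): add ::/0 to AllowedIPs"; bad=1
    fi
    return $bad
}

# Constructed sample outputs in the format `ip route get` prints on Linux.
OK_V4='1.1.1.1 dev wg0 table 51820 src 10.8.0.2 uid 1000
    cache'
OK_V6='2606:4700:4700::1111 from :: dev wg0 table 51820 src fd00:8::2 metric 1024 pref medium'
LEAK_V4='1.1.1.1 via 192.168.1.1 dev eth0 src 192.168.1.10 uid 1000
    cache'
LEAK_V6='2606:4700:4700::1111 from :: via fe80::1 dev eth0 proto ra src 2001:db8::10 metric 1024 pref medium'

check_default_routes wg0 "$OK_V4" "$OK_V6" && echo "tunnel covers both address families"
check_default_routes wg0 "$OK_V4" "$LEAK_V6" || echo "IPv6 leak found, as expected for the sample"

# Live use on Linux (including an OpenWrt router):
# check_default_routes wg0 "$(ip route get 1.1.1.1)" "$(ip -6 route get 2606:4700:4700::1111 2>/dev/null)"
```

The IPv6 branch is the point of the exercise: a config with only 0.0.0.0/0 passes the IPv4 check and still sends every AAAA-resolved connection straight to the ISP, which is the leak the paragraph above describes.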

Mac and Apple TV

On Mac, WireGuard is installed from the App Store or via Homebrew (brew install wireguard-tools). Apple TV does not have its own VPN client — it connects only through a router (see below). Starting with tvOS 17, there is support for IKEv2 through .mobileconfig profiles, but this is a niche scenario.

Router (OpenWrt/Keenetic) for the entire network

This is the only way to cover all devices at once — Smart TVs, consoles, Apple TV. On Keenetic: Internet → Other connections → WireGuard → Add. Insert the tunnel parameters, peer, specify MTU and DNS.

Important: after updating the firmware of Keenetic or OpenWrt, the VPN configuration sometimes resets. Save a backup of the config file in advance. On OpenWrt, the WireGuard config is located in /etc/config/network — you can back it up using scp.

Smart TVs and gaming consoles through the router

No additional actions are needed on the devices themselves — they receive internet from the router, which is already in the tunnel. The only nuance: if the VPN is configured only for part of the router's traffic, make sure that the MAC addresses of the necessary devices fall into the "VPN zone" of routing.

Bypassing blocks and throttling: YouTube, Instagram, Telegram, and others

The difference between complete blocking and throttling is important: during throttling, the YouTube site is technically accessible, but videos load at 144p. DPI identifies the traffic and reduces its priority without completely blocking it. To bypass, you need settings that hide the type of traffic.

Throttling YouTube and which parameters help

Throttling YouTube in Russia works through TSPU (technical means of countering threats) — equipment from Roskomnadzor on the provider's side. It can recognize YouTube traffic even through some VPN protocols.

What helps: VLESS+Reality on port 443 — the traffic looks like regular HTTPS to a third-party site. AmneziaWG — masks WireGuard as random noisy traffic. Shadowsocks with the obfs plugin — less reliable, but works in some cases. Plain WireGuard or OpenVPN without obfuscation can be processed by TSPU.

Instagram, Facebook, Twitter/X — protocol choice

These services are completely blocked by Roskomnadzor — not just throttled. Here, any working VPN tunnel will provide access. But if the provider blocks the VPN protocol itself — disguised options are needed: VLESS/Reality, Shadowsocks, AmneziaWG. Standard OpenVPN on 1194 or WireGuard on 51820 may be blocked at the protocol level.

TikTok and WhatsApp

TikTok in 2026 in Russia works unstably — some providers throttle, some do not. The same story as with YouTube: VLESS/Reality or AmneziaWG helps, port 443. WhatsApp is still available without VPN, but calls sometimes get cut off — if so, a VPN with UDP transport often solves the problem.

Telegram: VPN vs built-in proxies (MTProto)

Telegram has built-in support for MTProto proxies — this is easier for many users than manual VPN setup. But MTProto proxies do not encrypt all device traffic, only Telegram. If access to other services is needed — VPN is more appropriate. When choosing a VPN for Telegram, use the UDP protocol (WireGuard or OpenVPN UDP) — latency is lower, calls are of better quality.

What to do if the provider uses strict DPI and Roskomnadzor blocks the protocol

Steps to take with strict DPI: first, try changing the port to 443. If that doesn't help — switch to a disguising protocol (VLESS/Reality or AmneziaWG). If DPI starts blocking a previously working port — rotate ports and protocols. A good VPN service provides several endpoints with different ports specifically for this.

With double NAT (router behind a router), UDP tunnels often do not establish — switch to TCP/443. This is slower, but it works.

Speed test and diagnostics: checking that the setup works

There will be no made-up numbers here. Speed depends on your plan, the server's load, and your distance from it. The right method is to measure it yourself and compare.

How to measure speed before and after connecting

Use fast.com or speedtest.net. Make 3 measurements without VPN, record the average. Connect to the VPN, wait 30 seconds, make another 3 measurements. Compare. A speed loss of 10–30% with a good VPN server in close proximity is normal. A loss of 70%+ indicates a problem with MTU, the server, or the protocol.

Checking for DNS and WebRTC leaks

Immediately after connecting, go to dnsleaktest.com and run the extended test. All DNS servers should belong to the VPN provider or the public DNS you selected (1.1.1.1, 9.9.9.9), but not your provider. A DNS leak means that the provider sees your requests, even if the IP is hidden.

Check for WebRTC leaks at browserleaks.com/webrtc. If your real IP is visible in the browser — disable WebRTC through an extension (for example, uBlock Origin with the appropriate setting) or in about:config in Firefox.

MTU adjustment: symptoms of incorrect value

A classic symptom of incorrect MTU: ping is normal, but large pages do not load or load halfway, videos freeze after buffering. This happens because small packets (ping) pass through, while large ones are fragmented or lost.

Diagnostics: on Linux/Mac run ping -M do -s 1400 <Server IP> and decrease the packet size until the ping goes through. Add 28 bytes (IP+ICMP headers): this is your optimal MTU. On Windows: ping -f -l 1400 <IP>.
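Added example, not from the article: a shell function that automates the search described above, using a binary search instead of stepping down by hand, and covering the two outcomes a manual run stumbles on (nothing passes at all, or everything passes up to 1500). Linux needs -M do and macOS needs -D for the Don't-Fragment bit; icmp_probe picks the right one. One caveat the 28-byte rule leaves implicit: the path MTU measured to the server's public IP is the underlay MTU, and the WireGuard interface has to sit 60 bytes (IPv4 endpoint) or 80 bytes (IPv6 endpoint) below it, which wg_mtu_from_path handles. 203.0.113.10 is a placeholder address.

```shell
#!/bin/sh
# Added example (not from the article): automate the ping -M do / -D search
# described above. icmp_probe sends real packets; find_mtu accepts any probe
# function with the same (size, host) signature so the search can be tested
# against a fake path offline.

# One ICMP echo of $1 payload bytes to host $2 with Don't-Fragment set.
# Exit 0 = passed unfragmented. Linux uses -M do, macOS uses -D.
icmp_probe() {
    case "$(uname -s)" in
        Darwin) ping -c 1 -D -s "$1" "$2" >/dev/null 2>&1 ;;
        *)      ping -c 1 -W 1 -M do -s "$1" "$2" >/dev/null 2>&1 ;;
    esac
}

# Binary search for the largest passing payload between 1252 and 1472 bytes
# (1280..1500 on the wire once 20 IP + 8 ICMP bytes are added) and print the
# resulting path MTU. $1 = host, $2 = probe function (default icmp_probe).
find_mtu() {
    host=$1; probe=${2:-icmp_probe}
    lo=1252; hi=1472
    if ! "$probe" "$lo" "$host"; then
        echo "even $((lo + 28))-byte packets are dropped; this is not an MTU problem" >&2
        return 1
    fi
    # invariant: lo passes; hi is untested or has failed
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid" "$host"; then lo=$mid; else hi=$mid; fi
    done
    "$probe" "$hi" "$host" && lo=$hi
    echo $((lo + 28))
}

# The path MTU measured to the server's public IP is the underlay MTU; the
# tunnel interface needs 60 bytes less over an IPv4 endpoint (80 over IPv6)
# for WireGuard's own IP/UDP/WireGuard headers. Clamped to the 1280-1420
# range used in this article. $1 = path MTU, $2 = overhead (default 60).
wg_mtu_from_path() {
    overhead=${2:-60}
    m=$(( $1 - overhead ))
    [ "$m" -gt 1420 ] && m=1420
    [ "$m" -lt 1280 ] && m=1280
    echo "$m"
}

# Live use (203.0.113.10 is a placeholder; use your server's public IP):
# path=$(find_mtu 203.0.113.10) && echo "path MTU $path, set MTU = $(wg_mtu_from_path "$path")"
```

On a mobile network the search typically lands well below 1500, which is why the article's 1360 figure shows up so often: subtract the 60-byte WireGuard overhead from a 1420-byte path and you are already there.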

Why speed drops and how to fix it

Diagnostics procedure for low speed:

  1. Check the MTU (see above) — it is most often the culprit.
  2. Switch UDP to TCP or vice versa — sometimes one of the options works better through the provider.
  3. Change the server to the geographically closest one — every 100 ms of ping affects speed when using TCP.
  4. Check the router's CPU load — WireGuard in software mode on a weak router hits the CPU at speeds above 50 Mbps.

If none of this helped — the problem is likely with an overloaded VPN server or that the provider is actively throttling this type of traffic. Then — switch the protocol or change the server.


What MTU should be set for WireGuard to avoid speed drops?

Start with 1420 — this is the standard value for most networks. If you notice drops or slow page loading with normal ping, decrease in steps of 10: 1410, 1400, and so on down to 1280. Mobile networks (4G/5G) and networks with DPI often require 1360 or lower — operators add their headers to packets, reducing effective MTU. Rule: find the minimum ping size without losses — this is your MTU.

Which protocol best bypasses DPI and Roskomnadzor blocks?

In the conditions of Russia in 2026 — VLESS+Reality and AmneziaWG. Both disguise themselves as regular TLS 1.3 traffic, and DPI cannot reliably distinguish them from legitimate HTTPS. Plain WireGuard on the standard port is quickly detected — it has a characteristic handshake. OpenVPN without tls-crypt and obfuscation is also visible. If the provider applies active probing (sends test packets to suspicious addresses) — VLESS/Reality performs better than Shadowsocks.

Is it possible to set up a VPN manually on an iPhone without an app?

Yes, but only IKEv2/IPsec and the outdated L2TP — through Settings → General → VPN. These are built-in protocols in iOS. WireGuard, VLESS, Shadowsocks, and AmneziaWG require a separate app from the App Store: WireGuard (free), Shadowrocket ($2.99), or Streisand. Without an app, these protocols do not work on iOS — a limitation of the operating system.

Why does manual VPN work slower than the app?

Most often — incorrect MTU. In second place: you chose TCP where the app used UDP (TCP adds overhead). The third reason — an overloaded or distant server. The fourth — on a weak router, the CPU cannot handle encryption. Check in this order: MTU → UDP/TCP → ping to the server → CPU load.

Which port to choose if the provider throttles VPN?

Port 443 TCP — the first choice. It is used by all HTTPS traffic on the internet, and the provider cannot block it without disabling half of the websites. This makes it the most resistant to filtering. UDP/443 also works and is faster than TCP — some providers do not filter UDP on 443. If this is also throttled — the problem is not with the port, but with the protocol itself: obfuscation is needed (VLESS/Reality, AmneziaWG).

Is it legal to use a manually configured VPN?

Using a VPN to protect personal data and access legal services is not criminally punishable for individuals in Russia. The legal side of the issue regarding your specific situation should be clarified with a specialist — we are not lawyers and do not provide legal guarantees. This article is solely about the technical aspects of configuring VPN for legal purposes.

Properly selected best vpn manual settings are not a single universal config, but a set of values for a specific provider and device. Start with WireGuard MTU 1420 and PersistentKeepalive 25, check for DNS leaks, measure speed. If the provider blocks — switch to VLESS/Reality or AmneziaWG with port 443. This path from simple to complex provides stable results.
