
Trojan-GFW: setup and connection from scratch (2026)


If you are having trouble reaching blocked websites like YouTube, Instagram, or TikTok, and your usual VPNs, such as WireGuard or OpenVPN, no longer work, you might want to consider Trojan-GFW. In this article, I will explain how to set up and connect to Trojan-GFW so that your traffic looks like regular HTTPS. This will help bypass blocks imposed by your provider and simplify access to necessary resources.

What is Trojan-GFW and when is it really needed

Trojan-GFW is a protocol that masks VPN traffic within a real TLS connection to a web server. This means that DPI (Deep Packet Inspection) perceives it as a regular visit to a website, making it more resilient to blocks. However, for Trojan to work, a domain and a valid TLS certificate are required, which distinguishes it from other solutions like Shadowsocks.

How Trojan masks traffic as regular HTTPS

Traffic masking occurs because Trojan uses the standard port 443, which is typically used for HTTPS. When you establish a connection, your traffic is encrypted and sent through this port, making it indistinguishable from regular web traffic. This significantly reduces the likelihood of detection and blocking by your provider.

How Trojan differs from Shadowsocks, VLESS/XRay, and WireGuard

Trojan-GFW can be seen as a middle ground between other protocols. WireGuard, while faster, is easier to detect and is blocked more often. VLESS+Reality does not require its own domain, but it can be more complicated to set up and use. Trojan, on the other hand, offers a good balance between speed and masking when a domain is available.

When Trojan helps against DPI and when it is useless

Trojan-GFW is indeed useful if your provider actively uses DPI to block traffic. However, if they have blocked your VPS's IP, even Trojan won't help. In such cases, consider changing the IP or using VLESS+Reality, which is less noticeable.

What you need to prepare before setup

Before you start the setup, make sure you have everything necessary. Here is a list of basic requirements:

  • VPS outside of blocking zones.
  • Your own domain, which must resolve to your server's IP.
  • TLS certificate via Let's Encrypt.
  • Open port 443 and basic server security.

VPS outside of blocking zones and location selection

Choosing a VPS is very important. It is best to choose servers in countries with minimal internet restrictions, such as Germany or the Netherlands. This will help avoid blocks and delays.

Your own domain and A record to the server's IP

A domain is a mandatory element for setting up Trojan. It must be registered and correctly configured with an A record pointing to your server's IP. Without this, masking will be useless.

TLS certificate via Let's Encrypt

I recommend using Let's Encrypt to obtain a free TLS certificate. It is important that the certificate is set up for automatic renewal using certbot; otherwise, your connection will stop working after 90 days.

Opening port 443 and basic server security

Port 443 must be open, and it is better to close all other ports. Do not leave SSH open with a password—use keys for server access.

Setting up the Trojan-GFW server: step by step

Now let's move on to the actual server setup. Here is a step-by-step guide:

Installing Trojan and config structure

First, let's install Trojan. Enter the following commands in the terminal:

sudo apt update
sudo apt install trojan

After installation, you need to create a configuration file. Here is an example structure:

{

Key parameters: password, remote_addr, fallback

The password parameter is the password you will use to connect the client. remote_addr is your domain, and fallback is the address to which traffic will be redirected if the password does not match. This is very important for masking, as a real website must open.
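The fallback decision described above, as an added Python sketch that is not trojan's own code. It assumes the first-packet layout from the published Trojan protocol description (56 hex characters of SHA-224(password), CRLF, a SOCKS5-style request, CRLF); the function names, password and sample packets are constructed for illustration.

```python
import hashlib
import hmac
import struct

CRLF = b"\r\n"

def auth_token(password: str) -> bytes:
    """hex(SHA-224(password)): always 56 ASCII characters."""
    return hashlib.sha224(password.encode()).hexdigest().encode()

def route(first_bytes: bytes, passwords: list) -> tuple:
    """Return ("proxy", host, port) or ("fallback", None, None)."""
    fallback = ("fallback", None, None)
    if len(first_bytes) < 58 or first_bytes[56:58] != CRLF:
        return fallback                      # not Trojan framing, e.g. a browser
    presented = first_bytes[:56]
    ok = False
    for pw in passwords:                     # constant-time compare, no early exit
        ok |= hmac.compare_digest(presented, auth_token(pw))
    if not ok:
        return fallback                      # wrong password is served like any visitor
    req = first_bytes[58:]
    if len(req) < 2 or req[0] not in (0x01, 0x03):   # CONNECT or UDP ASSOCIATE
        return fallback
    atyp = req[1]
    if atyp == 0x03 and len(req) >= 3:       # domain name, length-prefixed
        end = 3 + req[2]
        host = req[3:end].decode("ascii", "replace")
    elif atyp == 0x01:                       # IPv4, 4 raw bytes
        end = 6
        host = ".".join(str(b) for b in req[2:end])
    else:
        return fallback                      # other address types are out of scope here
    if len(req) < end + 4 or req[end + 2:end + 4] != CRLF:
        return fallback                      # truncated or malformed request
    (port,) = struct.unpack("!H", req[end:end + 2])
    return ("proxy", host, port)

# Constructed sample inputs (not captured traffic).
PASSWORDS = ["correct-horse-battery"]
REQUEST = b"\x01\x03\x0bexample.org" + struct.pack("!H", 443) + CRLF
GOOD = auth_token(PASSWORDS[0]) + CRLF + REQUEST + b"payload"
WRONG = auth_token("guess") + CRLF + REQUEST
BROWSER = b"GET / HTTP/1.1\r\nHost: vpn.example.org\r\nAccept: */*\r\n\r\n"

if __name__ == "__main__":
    for name, data in (("good", GOOD), ("wrong", WRONG), ("browser", BROWSER)):
        print(name, route(data, PASSWORDS))
```

A wrong password and an ordinary HTTP request take the same path to the fallback site, which is why that site has to answer like a real web server.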

Setting up a placeholder site for plausibility

I recommend setting up a simple placeholder site that will open when connecting to your domain. This will add another layer of masking. You can use Nginx for this.

Running as a systemd service and checking logs

After configuring, start Trojan as a systemd service:

sudo systemctl start trojan

And check the logs:

sudo journalctl -u trojan

Client connection on different devices

Now that the server is set up, let's discuss how to connect the client on different devices.

Android (v2rayNG / NekoBox): import and enter parameters

For Android, I recommend using the v2rayNG or NekoBox apps. You will need to enter the server address, port 443, password, and domain (SNI). Make sure the SNI matches the certificate on the server.

iPhone and iPad (Shadowrocket / Streisand)

On iOS devices, use Shadowrocket or Streisand. Note that these apps may be unavailable in the Russian App Store, so a foreign account will be required.

Windows (v2rayN) and Mac (V2Box / NekoRay)

For Windows, v2rayN is the best option, and for Mac — V2Box or NekoRay. The setup is similar: enter the server address, port, password, and domain.

Routers and Smart TVs: limitations and workarounds

On routers, Trojan-GFW support is limited. You will need OpenWrt firmware with XRay or Passwall installed. For Smart TVs, it's easier to connect through a router or phone.

Checking functionality, speed, and bypassing YouTube and Instagram blocks

After connecting, it's important to check if everything is working correctly.

How to ensure that traffic is going through Trojan and not leaking

Check that your IP address has changed. To do this, use services like whatismyip.com.

Checking the bypass of YouTube throttling

To check if the YouTube throttling bypass is working, try playing a video in high quality. If it doesn't lag, then everything is set up correctly.

Access to Instagram, Facebook, X (Twitter), and Telegram

Check access to blocked social networks. If everything works, you have successfully bypassed the blocks.

Measuring real speed and typical losses

To measure speed, use Speedtest. Compare the results before and after connecting. Keep in mind that speed may vary depending on the VPS and distance to the server.

Common errors and what to do if it doesn't connect

If you encounter problems, here are some common errors and solutions:

Certificate error and SNI mismatch

A common error is the mismatch between the domain on the client and the certificate. Make sure all parameters match.
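A pre-flight check for the two certificate failures this guide mentions (an SNI that does not match the certificate, and a Let's Encrypt certificate left to expire), added here as an example and not taken from any of the clients above. It works on the dictionary that Python's `ssl.SSLSocket.getpeercert()` returns; `vpn.example.org` and the sample certificate are constructed, and the 30-day warning threshold is an assumption.

```python
import socket
import ssl

def name_matches(pattern: str, host: str) -> bool:
    """Match a SAN entry against a hostname; '*' may only be the whole first label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]   # wildcard spans one label only
    return pattern == host

def check_cert(cert: dict, sni: str, now: float, min_days: int = 30) -> list:
    """Return a list of problems (empty means the certificate fits the SNI)."""
    problems = []
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(p, sni) for p in sans):
        problems.append(f"SNI {sni} is not covered by SAN {sans}")
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    if days_left < 0:
        problems.append("certificate has expired")
    elif days_left < min_days:
        problems.append(f"{days_left} days left: check that certbot renewal runs")
    return problems

def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the live certificate. The chain is still verified; only the
    hostname check is skipped so that a mismatch is reported, not raised."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed certificate, shaped like getpeercert() output.
SAMPLE = {"subjectAltName": (("DNS", "vpn.example.org"),),
          "notAfter": "Jun  1 12:00:00 2026 GMT"}
MARCH = ssl.cert_time_to_seconds("Mar 10 12:00:00 2026 GMT")
MAY = ssl.cert_time_to_seconds("May 20 12:00:00 2026 GMT")

if __name__ == "__main__":
    print(check_cert(SAMPLE, "vpn.example.org", MARCH))   # healthy
    print(check_cert(SAMPLE, "www.example.org", MAY))     # wrong SNI, renewal overdue
```

Against a real server, pass `fetch_cert(your_domain)` and `time.time()` to `check_cert`, using the same name the client has in its SNI field.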

Connection exists, but no internet

If the connection is established but there is no internet access, check the DNS and routing settings.

Provider still cuts the connection

If your provider is still blocking the connection, try changing the IP or switching to VLESS+Reality.

When it's easier to use a ready-made service instead of your own server

If you don't want to set up and maintain a VPS, you can consider ready-made services like NvoVPN. This can be a convenient option if you don't want to delve into technical details.

Can Trojan-GFW be set up without your own domain?

No. Trojan requires a real TLS certificate tied to a domain — this is the essence of obfuscation. Without a domain, consider VLESS+Reality or Shadowsocks.

Is Trojan faster or slower than WireGuard?

WireGuard is usually faster due to lower overhead; Trojan loses some speed to the TLS wrapper, but it is harder to block with DPI. The real difference depends on the VPS and distance to the server.

Why does the provider still cut the Trojan connection?

Reasons: incorrect SNI, lack of a placeholder site, using a non-standard port instead of 443, or a blacklisted IP. Check the fallback config and change the server if necessary.

Which app to choose for Trojan on iPhone?

Shadowrocket or Streisand will work. Important: they may be unavailable in the Russian App Store, so a foreign Apple ID is needed.

Is it legal to use Trojan-GFW and VPN in Russia?

Using a VPN for personal access to your accounts, work, and education is not prohibited for the user. Do not recommend circumventing the law, piracy, or access to prohibited content — only legal scenarios and access to your own resources.

What is more reliable today — Trojan or VLESS+Reality?

Reality does not require its own domain and is more resistant to active probing, while Trojan is simpler and has stood the test of time when a domain is available. Both are better than basic Shadowsocks against modern DPI.
