v1.3.8 Documentation

HyFabric Docs

Everything you need to understand, configure, and get the most out of HyFabric — the enterprise proxy network built for censorship resistance, speed, and privacy.

Overview

HyFabric is an enterprise-grade proxy network designed from the ground up to defeat censorship, deep packet inspection, and network throttling. It delivers gigabit-class speeds on even the most restricted and lossy networks.

Gigabit speeds

Up to 1 Gbps per node with per-session fair-share shaping to keep every user fast.

DPI-proof traffic

Traffic obfuscation makes every connection look like ordinary HTTPS to deep packet inspectors.

50+ locations

Nodes across Asia, Europe, and the Americas. Always connect to the fastest nearby server.

Zero logs

No connection logs, no traffic logs, no timestamps. Nothing is ever recorded.

Port hopping

Automatically cycles ports to bypass port-based blocking without interrupting your session.

Smart traffic shaping

Gaming, streaming, and bulk traffic each get dynamically weighted priority queues.

| Capability | Detail |
| --- | --- |
| Max throughput per node | 1 Gbps+ |
| Max concurrent sessions | 10,000 (configurable) |
| Protocol | Proprietary QUIC-based transport |
| Obfuscation | Cryptographic packet disguise (Salamander) |
| Session TTL | Configurable per plan (default 1 hour) |
| Data quota | Unlimited on Pro / defined on lower tiers |
| UDP support | Full — gaming and voice calls work natively |
| Zero-log policy | Verified — no logs stored anywhere |

Getting Started

Sign up, choose a plan, and you'll be connected in under 2 minutes.

1. Create your account
   Sign up at hyfabric.net — no credit card required for the free trial.

2. Choose a plan
   Pick from Edge, Standard, or Pro depending on your speed and device needs.

3. Download your config
   From the dashboard → Devices, generate a config file for your client app.

4. Import & connect
   Import the config into Shadowrocket, Hiddify, Clash Meta, or Sing-box and tap Connect.

Tip: First time? Use the QR code on the Devices page to scan and import your config automatically in Shadowrocket or Hiddify.

Connection & Security

Every HyFabric connection is secured end-to-end using TLS 1.3 with modern cipher suites. The server presents a valid certificate from a trusted CA — there is no need to trust any custom root.

Authentication masquerade

An unauthenticated probe against a HyFabric node receives an HTTP 404 response — making the endpoint completely indistinguishable from an ordinary HTTPS web server. Passive observers and active scanners get no useful signal.

Probing Shield — 6-layer defence

Nodes are protected by a multi-layer active probe defence system:

| Layer | Mechanism |
| --- | --- |
| 1 | Per-IP rate limiting + global connection cap (pre-TLS, essentially free to block) |
| 2 | TLS fingerprint analysis on the initial handshake |
| 3 | Anti-replay protection — detected replay attempts are blocked |
| 4 | Credential auth with HTTP 404 masquerade on denial |
| 5 | Timestamp drift validation — replayed credentials expire within 60 seconds |
| 6 | Auth frame arrival timeout — abandoned connections are immediately dropped |

Detected probes are tarpitted — drip-fed a fake response at 1 byte per 5 seconds — consuming the scanner's resources without revealing anything useful.
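How layers 3 and 5 fit together, as an added example that is not HyFabric's code: because a frame older than 60 seconds is rejected on its timestamp alone, the replay cache only has to remember nonces for that long. The frame layout (8-byte timestamp, 16-byte nonce, HMAC-SHA256 tag) and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

MAX_DRIFT = 60  # seconds, the drift limit stated for layer 5


def make_frame(secret: bytes, now: int) -> bytes:
    """Client side (assumed layout): timestamp + random nonce + HMAC tag."""
    body = struct.pack(">Q", now) + os.urandom(16)
    return body + hmac.new(secret, body, hashlib.sha256).digest()


class AuthVerifier:
    def __init__(self, secret: bytes):
        self._secret = secret
        self._seen = {}  # nonce -> timestamp carried by the accepted frame

    def verify(self, frame: bytes, now: int) -> str:
        """Return 'ok' or a reason; a server would answer every reason alike."""
        if len(frame) != 56:
            return "malformed"
        body, tag = frame[:24], frame[24:]
        expected = hmac.new(self._secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return "bad-tag"
        ts = struct.unpack(">Q", body[:8])[0]
        if abs(now - ts) > MAX_DRIFT:
            return "stale"
        # Forget nonces whose frames could no longer pass the drift check.
        self._seen = {n: t for n, t in self._seen.items()
                      if abs(now - t) <= MAX_DRIFT}
        nonce = body[8:]
        if nonce in self._seen:
            return "replay"
        self._seen[nonce] = ts
        return "ok"
```

The reason strings exist for logging and tests; per layer 4, the peer would see the same HTTP 404 for every failure.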

DDoS protection

All nodes enforce both a per-IP connection rate limit (new connections per 60-second window) and a global concurrent session cap. Connections refused at this layer never reach TLS negotiation — protecting node performance under volumetric attack.

Note: IPv6 addresses are bucketed to /64 prefix to prevent subnet cycling attacks.
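A sketch of the admission check described above, added here as an example and not taken from HyFabric: new connections are counted per IPv4 address or per IPv6 /64 over a 60-second window, with a global session cap checked first. The class and function names and the per-key limit of 5 are assumptions.

```python
import ipaddress
import time
from collections import defaultdict, deque


def bucket_key(addr: str) -> str:
    """Rate-limit key: the address itself for IPv4, the enclosing /64 for IPv6."""
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 address must share a bucket with its IPv4 form.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.version == 4:
        return str(ip)
    return str(ipaddress.ip_network(f"{ip}/64", strict=False))


class ConnectionGate:
    """Pre-TLS admission check: per-key sliding window plus a global session cap."""

    def __init__(self, per_key_limit=5, window=60.0, max_sessions=10_000,
                 clock=time.monotonic):
        self.per_key_limit = per_key_limit   # assumed value, not from the docs
        self.window = window                 # 60-second window, as documented
        self.max_sessions = max_sessions     # documented default session cap
        self._clock = clock
        self._recent = defaultdict(deque)    # key -> times of admitted connections
        self.active = 0

    def admit(self, addr: str) -> bool:
        now = self._clock()
        if self.active >= self.max_sessions:
            return False
        recent = self._recent[bucket_key(addr)]
        while recent and now - recent[0] >= self.window:
            recent.popleft()                 # drop entries older than the window
        if len(recent) >= self.per_key_limit:
            return False
        recent.append(now)
        self.active += 1
        return True

    def release(self) -> None:
        """Call when a session ends so the global cap frees a slot."""
        self.active = max(0, self.active - 1)
```

A long-running limiter would also evict keys whose deque has emptied, so the table itself cannot be grown without bound by a stream of distinct sources.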

Performance & Speed

HyFabric uses a QUIC-based transport designed for high throughput on degraded or throttled networks. Unlike TCP-based proxies, QUIC handles packet loss and reordering far more efficiently — giving you better speeds on mobile networks, international links, and congested ISP connections.

Adaptive bandwidth shaping

Each node continuously measures its available capacity and distributes it fairly across all active sessions. Your speed automatically scales up when the node is lightly loaded and adjusts gracefully during peak hours — no manual throttle settings needed.

Fair share = min(node_capacity ÷ active_sessions, your_plan_cap)

The capacity estimate uses an exponential moving average that converges to ~95% of true capacity within 7 calibration cycles (~7 minutes). This keeps shaping smooth and prevents sudden speed drops from transient measurements.

Traffic priority — WFQ

The network classifies your traffic in real time and applies weighted fair queuing:

| Traffic class | Priority multiplier | Examples |
| --- | --- | --- |
| Gaming | 4× (zero-delay bypass) | Online games, Discord voice |
| Streaming | | Netflix, YouTube, Twitch, Spotify |
| Default | | Web browsing, messaging |
| Bulk | 0.5× | Software updates, large downloads |

Note: Classification is done in memory only — no domains are logged or persisted.

Hardware fast-path

On supported nodes, a kernel-bypass packet processor handles UDP shaping directly at the network interface — reducing latency and CPU overhead compared to userspace processing. Your client apps benefit from this automatically.

Anti-Censorship

Key feature

HyFabric was built specifically for use in environments with aggressive internet censorship and deep packet inspection. Two complementary mechanisms work together to keep your connection alive even when ISPs actively block proxy traffic.

Traffic obfuscation (Salamander)

When enabled, every packet leaving your device is cryptographically disguised as random noise before it hits the network. DPI sensors that inspect UDP traffic cannot identify it as a proxy protocol — it looks like indistinguishable static.

The obfuscation uses a per-packet random salt so no two packets share the same keystream. This prevents both signature matching and statistical traffic analysis.

Important: The obfuscation password must be identical on both the server and your client config. A mismatch causes silent connection failure (connection timeout, no error shown).

Port hopping

Censorship systems often block specific UDP ports once they identify proxy traffic. HyFabric defeats this by automatically cycling through a configured range of ports on a schedule. Your client follows the same rotation, keeping the connection alive without any interruption.

Primary port:   :443  (always active, never rotated)
Hop ports:      :20000–20050  (4 active at any time, rotated every 30 s)

Note: Existing sessions are never interrupted by a port rotation — the connection continues on the old port until naturally closed, while new connections start on the latest active port.

Privacy & Anonymity

HyFabric operates a strict zero-log policy. No connection logs, no traffic logs, no DNS query logs, no timestamps, and no bandwidth records per user are stored on any node or in any database.

| What we collect | What we do not collect |
| --- | --- |
| Your email (for billing) | Which websites you visit |
| Your subscription plan tier | When or how long you connect |
| Aggregate node bandwidth (for capacity planning) | Your real IP address post-connection |
| Payment records (via Stripe) | DNS queries made through the proxy |

SSRF & egress protection

The proxy enforces outbound filtering that blocks connections to private IP ranges, localhost, and DNS names that resolve to internal infrastructure. This protects both users and the network from server-side request forgery attacks.
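One way to implement the outbound check described above, as an added example rather than HyFabric's own code: resolve the name once, refuse it if any answer is internal, and dial the vetted IP instead of the name. All function names are assumptions, and the lookup table is constructed so the example runs offline.

```python
import ipaddress
import socket


class EgressDenied(Exception):
    """Raised when a destination must not be dialled."""


def is_internal(ip) -> bool:
    """True for loopback, private, link-local, CGNAT, reserved and multicast."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped              # judge ::ffff:a.b.c.d by its IPv4 form
    return (not ip.is_global) or ip.is_multicast


def system_resolver(host: str, port: int) -> list:
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0].split("%")[0] for info in infos]   # strip any zone id


def vet_destination(host: str, port: int, resolver=system_resolver) -> str:
    """Return the single IP the proxy should dial, or raise EgressDenied."""
    try:
        candidates = [ipaddress.ip_address(host)]          # literal: no DNS
    except ValueError:
        candidates = [ipaddress.ip_address(a) for a in resolver(host, port)]
    if not candidates:
        raise EgressDenied(f"{host}: no addresses")
    for ip in candidates:
        # One internal record is enough to refuse the whole name.
        if is_internal(ip):
            raise EgressDenied(f"{host} resolves to internal address {ip}")
    # Dial this IP, not the name, so a second lookup cannot change the target.
    return str(candidates[0])


# Constructed lookup table standing in for DNS so the example runs offline.
SAMPLE_DNS = {
    "public.example": ["8.8.8.8"],
    "intranet.example": ["10.0.0.5"],
    "mixed.example": ["8.8.8.8", "192.168.1.10"],
}


def sample_resolver(host, port):
    return SAMPLE_DNS.get(host, [])
```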

Node identity

Each node is cryptographically bound to its identity at installation time. A compromised node cannot impersonate another node or claim false metrics — the control plane verifies every payload cryptographically and rejects anything that doesn't match the registered identity.

Client Setup

HyFabric uses a standard subscription link format compatible with all major proxy clients. You can also download ready-to-import config files from your dashboard.

Subscription link

The easiest method. Copy your subscription URL from the dashboard → Devices page and paste it into your client's subscription import. The client will automatically fetch and update your server list.

https://sub.hyfabric.net/<your-auth-secret>

Manual config (Hysteria 2 YAML)

For advanced users or headless setups:

server: hk1.hyfabric.net:443
auth: <your-device-secret>

tls:
  sni: hk1.hyfabric.net
  insecure: false

obfs:
  type: salamander
  salamander:
    password: "<from your config download>"

Port hopping (optional)

server: hk1.hyfabric.net:443
portHopping:
  portRange: "20000-20050"
  interval: 30s

Tip: If your ISP blocks port 443 UDP, enable port hopping. This is the most effective way to restore connectivity on restrictive networks.

Supported Clients

HyFabric is compatible with all major Hysteria 2 and VLESS-compatible proxy clients:

| Client | Platforms | Notes |
| --- | --- | --- |
| Shadowrocket | iOS | Recommended for Apple devices |
| Hiddify | Android / Windows / macOS / Linux | Best cross-platform client |
| Clash Meta / Mihomo | Windows / macOS / Linux | Full config file support |
| Sing-box | All platforms | High-performance universal client |
| NekoBox | Android / Windows | Good Sing-box GUI |
| Hysteria 2 CLI | All platforms | Official command-line client |

Note: VLESS Reality configs are also available for clients that support it. Download from the Devices page in your dashboard.

FAQ

Why is HyFabric faster than a traditional VPN?
Traditional VPNs use TCP tunnels which suffer from TCP-over-TCP retransmission problems on lossy links. HyFabric uses a QUIC-based transport which handles packet loss natively at the protocol level — giving far better throughput on mobile, international, or congested connections.
Does HyFabric work in China, Iran, or other heavily restricted countries?
Yes. The combination of traffic obfuscation and port hopping is specifically designed to defeat the censorship techniques used in these environments. Most users report full connectivity within seconds of connecting.
Can I use HyFabric for gaming?
Absolutely. UDP proxying is fully supported, and gaming traffic is automatically prioritised at 4× weight in the queue — meaning your game packets get processed before bulk traffic even under high node load.
Is there a bandwidth limit?
Pro plans have no data cap. Edge and Standard plans include a monthly quota that resets on your billing date. Your remaining quota is always visible in the dashboard.
How many devices can I connect at once?
This depends on your plan. Standard allows up to 3 simultaneous connections; Pro allows up to 10. Each device gets its own config file from the dashboard.
What happens if a node goes down?
Your client will automatically fail over to the next available server in your subscription list. Most clients handle this transparently without dropping your active sessions.
Does the obfuscation password need to match?
Yes — exactly. A mismatch between the server's obfuscation password and the one in your config causes all packets to be silently discarded. Always use the config downloaded directly from your dashboard to avoid this.
