When you visit any website, your device sends a little name tag that says “Hey, I want to visit youtube.com.” This name tag is called SNI (Server Name Indication). Your ISP reads it.

Here’s the trick:

1. You set your VPN to send a fake SNI — a name tag that says “youtube.com” or “google.com”
2. Your ISP reads the name tag, sees a trusted website, and says “cool, go ahead”
3. But behind that fake name tag, your traffic is actually going through an encrypted SSH tunnel on Port 443 (the same port every HTTPS website uses)
4. Your ISP can’t block Port 443 without breaking the entire internet — so your tunnel goes right through

The full combo:
SSH (encrypted tunnel) + HTTPS on Port 443 (looks like normal web traffic) + fake SNI (looks like YouTube/Google) = your ISP sees absolutely nothing suspicious.

It’s like wearing a FedEx uniform to walk past security. You’re not FedEx. But they don’t check.

Try these alternatives:

• https://snihost.com/sni-generator — another generator with different country coverage
• https://tools.mr-medo.net/p/sni-bug-host-generator.html — wider country list
• https://www.aimtuto.com/p/sni-bug-host-generator.html — includes payload templates

DIY method: Common bug hosts that work in many countries:

• youtube.com
• google.com
• zoom.us
• microsoft.com
• cloudflare.com

These are domains ISPs almost never block because too many people use them. Try each one until something connects.

1. Open the app
2. Tap SSH connection type
3. Enter your SSH server details:
   • Host: your SSH server address
   • Port: 443
   • Username + Password: from your SSH provider
4. Scroll down to SNI Host field
5. Paste the SNI bug host you got from the generator (e.g., youtube.com)
6. Set Proxy Type to HTTPS
7. Set Proxy Port to 443
8. Hit Connect

If it connects — you’re through. Your ISP thinks you’re watching YouTube. You’re actually tunneling past their entire firewall.

1. Open the app
2. Go to SSH Settings
3. Enter your SSH server, port 443, username, password
4. Go to Payload Generator or SNI Settings
5. Paste your SNI bug host
6. Set remote proxy to HTTPS on port 443
7. Hit Connect

Shortcut: Search online for pre-made .ehi config files for your country + carrier. Import them directly — skips all manual setup.

1. Open the app
2. Tap the connection method dropdown → select Custom SNI
3. Enter your SNI bug host
4. Configure SSH tunnel settings (server, port 443, credentials)
5. Hit Connect

HA Tunnel has the biggest library of community-shared config files. Search “[your country] HA Tunnel Plus config 2025” for ready-to-use files.

You need an SSH account to tunnel through. These sites give free 3-7 day accounts:

• Search for “Free Premium SSH account” — tons of providers rotate credentials
• Most give you: server address, port (usually 22 or 443), username, password
• When it expires, just make another one — takes 30 seconds
• Always pick Port 443 when given the option — it’s the HTTPS port and hardest for ISPs to block

Your ISP would have to defeat ALL THREE of these simultaneously:

This is why the SSH + HTTPS + SNI combo is considered one of the strongest censorship bypass methods. Your ISP would literally have to break the internet to stop you.

Countries where this works:
China (GFW bypass), Iran, Myanmar, Russia, Pakistan, Egypt, UAE, Saudi Arabia, Turkey, Vietnam, South Korea (for certain sites), and basically anywhere with DPI-based censorship.