Port Hopping Configuration Guide

Improve QUIC connection stability through UDP port hopping, preventing single-port throttling

QUIC communicates over a single UDP port by default. Some networks apply QoS throttling or blocking on fixed ports. Port hopping lets the client randomly select a UDP port from a configured range, bypassing single-port restrictions.

How It Works

Client --[UDP:50042]--> Server Firewall --[REDIRECT to :443]--> k2s

The client picks a random UDP port from the configured range. The server's firewall NAT rules redirect traffic from these ports to the k2s listening port (443).

Prerequisites

  • k2s server installed and running (sudo k2s setup)
  • Ports 443/tcp and 443/udp are open

Step 1: Configure Port Redirect

Set up firewall rules on the server to redirect UDP traffic from the hop port range to port 443.

Ubuntu / Debian (nftables)

# Add NAT redirect rule
sudo nft add table ip nat
sudo nft add chain ip nat prerouting { type nat hook prerouting priority 0 \; }
sudo nft add rule ip nat prerouting udp dport 50000-50100 redirect to :443

# Persist
# The redirect must run as root too, so write the file through sudo tee
sudo nft list ruleset | sudo tee /etc/nftables.conf > /dev/null
sudo systemctl enable nftables

Ubuntu / Debian (iptables, legacy)

sudo iptables -t nat -A PREROUTING -p udp --dport 50000:50100 -j REDIRECT --to-port 443

# Persist
sudo apt install -y iptables-persistent
sudo netfilter-persistent save

CentOS / RHEL / Rocky / AlmaLinux (firewalld)

sudo firewall-cmd --permanent --add-forward-port=port=50000-50100:proto=udp:toport=443
sudo firewall-cmd --reload

Alpine Linux (iptables)

sudo iptables -t nat -A PREROUTING -p udp --dport 50000:50100 -j REDIRECT --to-port 443

# Persist
sudo rc-update add iptables
sudo /etc/init.d/iptables save

Arch Linux (nftables)

sudo nft add table ip nat
sudo nft add chain ip nat prerouting { type nat hook prerouting priority 0 \; }
sudo nft add rule ip nat prerouting udp dport 50000-50100 redirect to :443

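# Persist (the redirect must run as root too, so write the file through sudo tee)
sudo nft list ruleset | sudo tee /etc/nftables.conf > /dev/null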
sudo systemctl enable nftables

Step 2: Open Firewall Ports

Ensure inbound UDP traffic on the hop port range is allowed.

ufw

sudo ufw allow 50000:50100/udp

firewalld

sudo firewall-cmd --permanent --add-port=50000-50100/udp
sudo firewall-cmd --reload

iptables

sudo iptables -A INPUT -p udp --dport 50000:50100 -j ACCEPT

Cloud Security Groups

Add an inbound rule in your cloud platform's security group / firewall settings:

Protocol  Port Range   Source
UDP       50000-50100  0.0.0.0/0

Applies to AWS, Alibaba Cloud, Tencent Cloud, GCP, Azure, etc.

Step 3: Update Client URI

Add the &hop=50000-50100 parameter to the connection URI:

k2v5://alice:token@1.2.3.4:443?ech=...&pin=...&hop=50000-50100&country=JP#tokyo

Paste the updated URI into the client's node management page.

Verification

Server Side

# nftables
sudo nft list ruleset | grep 50000

# iptables
sudo iptables -t nat -L -n | grep 50000

Client Side

After connecting, check the logs to confirm hop ports are in use.

Customizing Port Range

  • The default range is 50000-50100 (101 ports); at least 50 ports are recommended
  • Port range must not conflict with other services on the server
  • Starting port should be >= 49152 (dynamic/private port range)
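
The range rules above, plus a check against UDP ports already bound on the server, written as an added example that is not part of k2s or the original guide. The helper names check_hop_range and listening_udp_ports are hypothetical, and the port list in the sample call is constructed. The PREROUTING redirect rewrites the destination before local delivery, so a service bound inside the range would stop receiving new inbound traffic.

```shell
#!/bin/sh
# Added example: validate a hop range against the "Customizing Port Range" rules.
# check_hop_range and listening_udp_ports are hypothetical helpers, not k2s commands.

# Print locally bound UDP ports, one per line (uses ss from iproute2).
listening_udp_ports() {
    ss -Hlun | awk '{ n = split($4, a, ":"); print a[n] }' | sort -un
}

# check_hop_range START-END [PORT...]
# PORT... are UDP ports already in use on the server.
# Prints the reason and returns 1 on the first violated rule; returns 0 if usable.
check_hop_range() {
    range=${1:-}; [ $# -gt 0 ] && shift
    case $range in
        *[!0-9-]*|-*|*-|*-*-*|0*|*-0*) echo "malformed range: $range"; return 1 ;;
        *-*) ;;
        *) echo "malformed range: $range"; return 1 ;;
    esac
    start=${range%-*}; end=${range#*-}
    if [ "$start" -gt "$end" ] || [ "$end" -gt 65535 ]; then
        echo "range out of order or above 65535"; return 1
    fi
    if [ "$start" -lt 49152 ]; then
        echo "start port $start is below 49152"; return 1
    fi
    count=$((end - start + 1))
    if [ "$count" -lt 50 ]; then
        echo "only $count ports; at least 50 recommended"; return 1
    fi
    for p in "$@"; do
        if [ "$p" -ge "$start" ] && [ "$p" -le "$end" ]; then
            echo "UDP port $p is already in use and would be redirected to 443"
            return 1
        fi
    done
    echo "ok: $count ports"
}

# Constructed sample: DNS, k2s and one service bound inside the default range.
check_hop_range 50000-50100 53 443 50050 || true
# On a real server: check_hop_range 50000-50100 $(listening_udp_ports)
```

Run the check before applying the Step 1 redirect rule, and again whenever a new UDP service is added to the server.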

© 2026 Kaitu LLC. All rights reserved.