CreateYourVPN Academy

Finding a masking site: the subnet scanner

How CreateYourVPN's subnet scanner finds real neighbour websites you can masquerade as (the Reality SNI/DEST), why a nearby site is the best camouflage, and how to start, read, and stop a scan.

In the inbounds lesson we picked a site to masquerade as — the popular HTTPS site your VPN traffic pretends to be. That choice matters more than it looks, and the panel has a tool that makes it for you: the subnet scanner. This lesson explains what a good masking site is, why a neighbour of your own server is usually the best one, and how the scanner finds those neighbours automatically.

Why the masking site matters

Every inbound runs on VLESS + Reality. Reality makes your traffic look like an ordinary HTTPS visit to some real, popular website — and it does so by actually completing the first part of a real TLS handshake with that site. In the panel this site shows up as the "Website to masquerade as" field; in advanced mode it splits into the technical parameters DEST (the real host to borrow the handshake from) and SERVER_NAMES (the name your users' apps announce, the SNI).

For the disguise to hold, the site has to satisfy a few conditions at once:

  • It speaks modern TLS 1.3 and HTTP/2 (older sites give the handshake away).
  • It is large and unremarkable — traffic to it doesn't stand out.
  • It is not blocked in your server's country (a blocked "cover" defeats the whole point).
  • It is reachable fast from the server (the handshake is real network traffic).

Why a neighbour is the best cover

The last point is the interesting one. Your server sits in a data centre, surrounded by other machines in the same subnet — often other customers of the same hosting provider, running perfectly ordinary websites. Masquerading as one of those neighbours has two advantages:

  • Latency is near zero. The DEST handshake never leaves the data centre, so connections set up faster.
  • It blends in. Traffic from your server to a machine one rack over is exactly what a data centre sees all day.

The catch: you don't know your neighbours by heart. That is precisely what the scanner is for.

What the subnet scanner does

The scanner asks your server to quietly probe its own neighbourhood and report back which neighbours would make good Reality covers.

The server probes its network neighbours — the machines with nearby IP addresses: first its own subnet, then a wider block around it (a /20 by default).

For each neighbour that answers, it checks the handshake: does it offer TLS 1.3 and advertise HTTP/2? Only those qualify as Reality dests.

The confirmed sites are collected, de-duplicated, and saved against your server. The panel shows them as ready-to-use suggestions.

The scan runs automatically the first time a server is set up, so by the time you open the inbound form the suggestions are usually already there. You can also run it by hand at any time.

The scanner only reads — it opens a normal connection to each neighbour and looks at the TLS handshake, exactly as any browser would. It changes nothing on those machines and stores nothing but the domain names it confirmed.

Where to find it

The same scan result is shared everywhere the masking site is chosen, so the suggestions and the live progress stay in sync:

  • In the inbound form, under the "Website to masquerade as" field — the "Find sites in subnet" button and, once a scan has run, quick chips with the found domains. Click a chip to fill the field.
  • In the server's modal (open a server from your cluster), in the "Masking sites (SNI)" section — the same scan with a summary of how many sites were found.
  • On the "in progress" card on the home page — while a freshly added server is still being set up, the scan progress shows right there.

Reading the results

The quick chips show the sites found in your subnet, minus the ones your inbounds already use. So as you spend candidates on inbounds, they drop off the list, and a site you free up comes back. If every found site is already in use, the panel says so and invites you to enter a domain by hand or rescan.

A neighbour is a good cover, not a magic one. Still prefer a candidate that is not blocked in your server's country — a large, boring site. If nothing nearby fits, entering a well-known global site by hand (Google, Microsoft, Apple, Cloudflare) is always a valid fallback.

Starting, stopping, and rescanning

  • Start — press "Find sites in subnet" (or "Rescan" after a previous run). A wide scan takes about a minute; results appear gradually as each /24 is checked, so you don't have to wait for the whole thing to pick a site.
  • Stop — found enough? Press "Stop". The button changes to "Stopping…" while the server finishes the chunk it's on; everything found so far is kept. When it settles, the scan is marked done and "Rescan" appears.
  • Rescan — runs a fresh scan and refreshes the candidate list. Use it if you moved the server, or if the neighbourhood might have changed.

You can stop a scan with a single click — it will show "Stopping…" briefly and then finish on its own. There's no need to press Stop twice or wait before starting a new scan.

Key takeaways

  • The masking site (Reality DEST/SNI) must be a large, unblocked TLS 1.3 + HTTP/2 site — and a neighbour of your server is usually the best one: fast and unremarkable.
  • The subnet scanner finds those neighbours for you: it probes the server's /24/20, keeps the sites that qualify, and offers them as one-click suggestions.
  • It runs automatically at setup and can be re-run any time, from the inbound form, the server modal, or the in-progress card.
  • Quick chips = found sites minus the ones already used; free one up and it returns.
  • Start, stop (single click → "Stopping…"), and rescan as needed — everything found is always kept.

Up next

An inbound can be more than a single door — it can be a chain of servers, where traffic enters in one country and leaves in another. Each hop picks its own masking site, so the scanner earns its keep there too.

On this page