k2 Protocol Overview

k2 is Kaitu's proprietary stealth tunnel protocol family. The current version, k2, features k2cc adaptive rate control, QUIC+H3 primary transport, TCP-WebSocket fallback, Encrypted Client Hello, and TLS fingerprint mimicry.

k2 is Kaitu's proprietary stealth network tunnel protocol family, designed for high-censorship environments. The protocol evolves across major versions, each representing a generation of core architecture. k2 is the current production version — connection URLs start with k2://, and all Kaitu clients and the k2 CLI use k2 by default.

k2 features k2cc (Adaptive Rate Control), a proprietary congestion control algorithm that automatically finds the optimal sending rate in high-loss, high-latency networks — no manual bandwidth configuration needed. It uses QUIC/HTTP3 as the primary transport, with automatic TCP-WebSocket fallback when QUIC is blocked, combined with ECH encrypted SNI and TLS fingerprint mimicry to make tunnel traffic indistinguishable from real HTTPS browsing.

Terminology

| Term | Meaning |
|---|---|
| k2 | Kaitu's proprietary stealth tunnel protocol family (project name) |
| k2cc | Adaptive Rate Control algorithm (standalone component, shared by all protocol versions) |
| k2 | Current protocol version, client-server architecture |
| k2p (planned) | Future protocol version, P2P architecture, also uses k2cc |

k2 Core Features

k2cc Adaptive Rate Control

k2cc is the k2 protocol family's key differentiator. Unlike traditional congestion control algorithms, k2cc automatically discovers the optimal sending rate:

| Capability | k2cc (k2) | Traditional (e.g. Brutal) |
|---|---|---|
| Bandwidth config | Fully automatic, zero-config | Manual bandwidth specification |
| Packet loss response | Distinguishes congestion from censorship loss | Ignores all loss signals |
| Latency control | RTT-aware, suppresses bufferbloat | Fixed rate, causes queue buildup |
| Network adaptation | Real-time bandwidth tracking | No dynamic probing |
| Fairness | Coexists peacefully with other traffic | Crowds out other connections |

k2cc's core innovation is censorship-aware loss handling: in high-censorship networks, most packet loss comes from firewalls actively dropping packets rather than true congestion. k2cc automatically distinguishes censorship-induced loss from congestion loss, avoiding unnecessary rate reduction and maintaining throughput far above traditional algorithms under GFW-like conditions.

For details, see k2cc Adaptive Rate Control. For performance benchmarks, see k2 vs Hysteria2.

Stealth Transport

k2 achieves traffic stealth through four layers of defense:

  • ECH (Encrypted Client Hello): Encrypts the real destination hostname inside the TLS handshake; DPI only sees a major CDN's public hostname
  • TLS Fingerprint Mimicry: Uses uTLS to replicate Chrome/Firefox/Safari TLS handshake signatures
  • Traffic Pattern Matching: TLS record padding lengths match real Cloudflare server responses exactly
  • Active Probe Resistance: Non-ECH connections are transparently forwarded to the real website

For details, see Stealth Camouflage.

Zero-Config Deployment

One command starts the server — it auto-generates all keys and certificates and prints a ready-to-use connection URL. One command connects the client — k2cc automatically finds the optimal rate. No manual configuration needed.

# Server (30 seconds)
curl -fsSL https://kaitu.io/i/k2s | sudo sh
sudo k2s run

# Client (30 seconds)
curl -fsSL https://kaitu.io/i/k2 | sudo sh
# Quote the URL: unquoted, the shell treats & as a command separator and ? as a glob character
sudo k2 up 'k2://abc123:tok456@203.0.113.5:443?ech=AEX0...&pin=sha256:...'

Transport Layer

  • QUIC/H3 Primary: Native multiplexing, no head-of-line blocking, k2cc maintains high throughput on lossy networks
  • TCP-WebSocket Fallback: Auto-switches when QUIC is blocked; smux provides stream multiplexing
  • Single Port :443: QUIC and TCP share the same port, minimizing exposure
  • UDP Port Hopping: The hop=START-END parameter rotates UDP ports to defeat port-based QoS throttling

Identity and Authentication

  • k2 URL: All parameters in a single URL: k2://UDID:TOKEN@HOST:PORT?ech=...&pin=...
  • Three-Layer Identity: TCP destination IP (plaintext) → Outer SNI (plaintext, CDN public hostname) → Inner SNI (ECH-encrypted)
  • Zero-Config Server: Auto-generates all keys and certificates on first run, prints a ready-to-use URL
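
Because the URL format above carries TOKEN in the same string as the server address, the URL is a credential wherever it is pasted or logged. The following is an added example, not Kaitu's code: it checks the documented `k2://UDID:TOKEN@HOST:PORT?...` shape and the `hop=START-END` range, and masks the token before the URL is written anywhere. The function names, the `sha256:` prefix check and the rejection of duplicate parameters are assumptions of this example.

```python
from urllib.parse import urlsplit

MASK = "***"

def parse_k2_url(url):
    """Split k2://UDID:TOKEN@HOST:PORT?ech=...&pin=... and reject malformed input."""
    u = urlsplit(url)
    if u.scheme != "k2":
        raise ValueError("scheme must be k2://")
    if not u.username or not u.password:
        raise ValueError("UDID and TOKEN are both required")
    if not u.hostname or u.port is None:  # u.port itself raises on a bad port
        raise ValueError("HOST:PORT is required")
    # Keep query values verbatim: the page elides how ech= and pin= are encoded,
    # so nothing is decoded here ('+' and '%' stay as typed).
    params = {}
    for pair in filter(None, u.query.split("&")):
        key, _, value = pair.partition("=")
        if key in params:
            raise ValueError(f"duplicate parameter: {key}")
        params[key] = value
    # Assumption: pin values always carry the sha256: prefix shown on the page.
    if "pin" in params and not params["pin"].startswith("sha256:"):
        raise ValueError("pin must start with sha256:")
    hop = None
    if "hop" in params:  # hop=START-END, a UDP port range
        start, sep, end = params["hop"].partition("-")
        if not (sep and start.isdigit() and end.isdigit()):
            raise ValueError("hop must be START-END")
        hop = (int(start), int(end))
        if not 1 <= hop[0] <= hop[1] <= 65535:
            raise ValueError("hop range must satisfy 1 <= START <= END <= 65535")
    return {"udid": u.username, "token": u.password, "host": u.hostname,
            "port": u.port, "params": params, "hop": hop}

def redact_k2_url(url):
    """Return the URL with TOKEN masked, for logs, tickets and screenshots."""
    parse_k2_url(url)  # refuse to echo anything that is not a well-formed k2 URL
    u = urlsplit(url)
    hostport = u.netloc.rpartition("@")[2]
    query = f"?{u.query}" if u.query else ""
    return f"k2://{u.username}:{MASK}@{hostport}{query}"

if __name__ == "__main__":
    # Constructed sample: placeholder credentials and a documentation-range IP.
    sample = "k2://abc123:tok456@203.0.113.5:443?pin=sha256:EXAMPLE&hop=40000-40100"
    print(redact_k2_url(sample))
    print(parse_k2_url(sample)["hop"])
```
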

Quick Navigation

| Document | Description |
|---|---|
| 1-Minute Quickstart | Start the server and connect in under a minute |
| k2s Server Deployment | Detailed server installation and configuration |
| k2 Client Usage | Client installation and common commands |
| k2cc Rate Control | k2cc core capabilities, censorship awareness, auto rate probing |
| k2 Protocol Architecture | URL format, ECH, three-layer identity, transport layer |
| Stealth Camouflage | ECH, TLS fingerprinting, and active probe resistance |
| k2cc vs BBR | k2cc vs Google BBR performance comparison under censorship |
| k2 vs Hysteria2 | k2cc vs Brutal/BBR congestion control comparison |
| k2 vs VLESS+Reality | Stealth approach and anti-blocking comparison |

FAQ

How does k2 compare to other tunnel protocols?

k2 is the only tunnel protocol that combines censorship-aware congestion control (k2cc), ECH encrypted SNI, and TLS fingerprint mimicry. Hysteria2 lacks censorship awareness. VLESS+Reality cannot run on QUIC. Under GFW's 26% probabilistic packet loss, k2 maintains effective throughput while traditional algorithms achieve less than 10% of theoretical capacity.

Is k2 open source?

k2's protocol design, ECH config derivation, and TLS fingerprint mimicry are fully documented publicly. The k2cc algorithm's design principles and capabilities are public, but the implementation is Kaitu's original intellectual property. The 14-scenario benchmark framework is open source — anyone can verify results independently.

What's the difference between k2 and Clash/Shadowrocket?

Clash and Shadowrocket are proxy clients (traffic routers). k2 is a tunnel protocol. They operate at different layers: Clash handles traffic splitting, k2 handles tunnel transport. The Kaitu client has k2 built in, so Clash is not needed.

Where should I start?

For a quick setup, see 1-Minute Quickstart. To understand why k2 is faster, read k2cc Adaptive Rate Control. To understand why k2 is more secure, read Stealth Camouflage.

Supported Platforms

The k2 CLI runs on Linux and macOS. The Kaitu desktop client (macOS/Windows) and mobile client (iOS/Android) ship with k2 built-in — no separate installation needed.

Visit the download page to get the Kaitu client.

© 2026 Kaitu LLC. All rights reserved.