If you've tried to use a VPN in mainland China recently, you know the pattern: it works for a few days, sometimes a few hours, then stops. You switch servers. It works again. Then stops. Repeat until you run out of patience or servers.
The Great Firewall (GFW) is the most sophisticated internet filtering system in the world. It doesn't just block IPs — it actively hunts for circumvention tools using protocol fingerprinting, statistical traffic analysis, and aggressive active probing.
This post covers what actually gets through as of June 2026, why most consumer VPNs fail, and how to set up a connection that the GFW can't distinguish from normal web browsing.
How the GFW Blocks VPNs
The GFW uses a layered approach. Each layer kills a different class of circumvention tool.
Layer 1: IP and DNS Blocking
The simplest layer. Known VPN server IPs and domains are added to a blocklist distributed to all Chinese ISPs. Any connection attempt to these addresses is dropped at the routing level.
This is why "server hopping" in consumer VPNs works temporarily — you connect before the new IP gets added to the list.
Layer 2: Deep Packet Inspection (DPI)
The GFW's DPI system analyzes packet headers, timing, sizes, and entropy patterns in real time. Every VPN protocol has a unique fingerprint:
- OpenVPN: distinctive handshake pattern, easily identified
- WireGuard: smaller fingerprint but still recognizable through handshake timing and packet structure
- IKEv2/IPSec: long-established signatures, blockable at the ISP level
DPI doesn't need to decrypt your traffic. It just needs to recognize the shape of the protocol wrapping it.
Layer 3: Active Probing
This is the GFW's most aggressive technique. When a connection to an unknown server is detected, the GFW sends its own packets to that server — probing it to see how it responds.
- A real web server returns a valid HTTP response
- A VPN server returns a VPN handshake (or times out)
- The GFW flags servers that don't behave like normal web infrastructure
This is why "obfuscated" VPN servers eventually stop working. They may survive passive DPI, but active probing eventually reveals them.
Layer 4: Statistical Traffic Analysis
Even when individual packets look innocent, the GFW analyzes traffic patterns. A connection to www.microsoft.com that sends 500MB of upload traffic at 3am looks suspicious — because real users don't browse Microsoft that way.
This layer is harder to trigger but catches poorly configured circumvention tools that leak traffic patterns.
What Works in China: VLESS+Reality
The protocol that consistently defeats all four GFW layers is VLESS with Reality TLS.
How It Passes Each Layer
Layer 1 (IP Blocking): Uses standard port 443 with an IP that isn't on any blocklist. Providers rotate IPs when needed.
Layer 2 (DPI): The TLS handshake is byte-for-byte identical to Chrome's. DPI sees a standard HTTPS connection to a real website. No protocol fingerprint to match against.
Layer 3 (Active Probing): If the GFW probes the server without valid credentials, it gets forwarded to the real website (e.g., Microsoft). The probe receives a genuine TLS certificate, valid HTTP response, and real HTML content. There is no way to distinguish this from a legitimate web server.
Layer 4 (Statistical Analysis): Traffic patterns match normal HTTPS browsing — encrypted web traffic on port 443. No unusual handshake timing, no distinctive packet sizes.
The Reality Difference
VLESS itself is just a lightweight encrypted transport. The magic is in Reality — the TLS layer that makes it invisible.
Reality works by "borrowing" the TLS certificate of a real website. When your client connects, the server proxies the TLS ClientHello to, for example, www.microsoft.com. Microsoft's server responds with its actual certificate, signed by a real Certificate Authority.
Your authentication credentials — an x25519 key pair and a short ID — are embedded inside the ClientHello in a way that's invisible to anyone without the corresponding private key.
If the GFW connects without credentials, it gets forwarded to Microsoft and receives a perfectly normal web page. The server is indistinguishable from a legitimate HTTPS endpoint.
Setup Guide: 3 Steps
Step 1: Get Your Access Key
Choose a VLESS+Reality provider. After signup, you receive a connection URL that looks like:
vless://uuid@server-ip:443?type=tcp&security=reality&sni=www.microsoft.com&fp=chrome&...
This URL contains everything your client needs: server address, encryption keys, camouflage settings, and TLS parameters.
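To show what the fields in that link mean and catch the misconfigurations the provider table below warns about, here is an added Python example (not part of the original post and not code from any client or provider) that parses a vless:// share link and checks it for the Reality parameters. It assumes the Xray-style share-link keys pbk (server x25519 public key) and sid (short ID), which the truncated example above omits; the sample links are constructed with placeholder values.

```python
import uuid
from urllib.parse import parse_qs, unquote, urlparse

# Assumption: Xray-style share links carry the Reality credentials as
# pbk (server x25519 public key, base64url) and sid (hex short ID).
REALITY_PARAMS = ("sni", "fp", "pbk", "sid")


def parse_vless_link(link: str) -> dict:
    """Split a vless://uuid@host:port?query#name link into its parts."""
    u = urlparse(link)
    if u.scheme != "vless":
        raise ValueError("not a vless:// link")
    if not (u.username and u.hostname and u.port):
        raise ValueError("link must have the form uuid@host:port")
    try:
        uuid.UUID(u.username)  # the user id must be a real UUID
    except ValueError:
        raise ValueError("user id is not a valid UUID") from None
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {"id": u.username, "host": u.hostname, "port": u.port,
            "params": params, "name": unquote(u.fragment)}


def check_reality(cfg: dict) -> list:
    """Return the problems found; an empty list means a usable Reality config."""
    p = cfg["params"]
    problems = []
    if p.get("security") != "reality":
        problems.append("security is not 'reality': the server can be probed like a plain VPN")
    for key in REALITY_PARAMS:
        if not p.get(key):
            problems.append(f"missing {key}")
    if cfg["port"] != 443:
        problems.append(f"port {cfg['port']} is not 443: does not look like ordinary HTTPS")
    sid = p.get("sid", "")
    if sid and (len(sid) > 16 or any(c not in "0123456789abcdefABCDEF" for c in sid)):
        problems.append("sid must be at most 16 hex characters")
    if p.get("sni") == cfg["host"]:
        problems.append("sni equals the server address: no real site is being borrowed")
    return problems


# Constructed sample links: TEST-NET address, sample UUID, placeholder public key.
GOOD_LINK = ("vless://123e4567-e89b-12d3-a456-426614174000@203.0.113.10:443"
             "?type=tcp&security=reality&sni=www.microsoft.com&fp=chrome"
             "&pbk=PLACEHOLDER_PUBLIC_KEY&sid=0123abcd#example")
BAD_LINK = ("vless://123e4567-e89b-12d3-a456-426614174000@203.0.113.10:8443"
            "?type=tcp&security=tls&sni=203.0.113.10&fp=chrome#plain-tls")
```

Running `check_reality(parse_vless_link(BAD_LINK))` lists every reason the second link would be probeable, while the first returns an empty list.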
Step 2: Install a Client
You need a client that supports VLESS+Reality. Two free options:
- Hiddify — All platforms, one-tap import from QR code. Most popular VLESS client globally.
- v2RayTun — Android, iOS, Windows. Lightweight, fast, free on official app stores.
Step 3: Scan and Connect
Open your client, scan the QR code from your dashboard, and tap connect. The client imports all configuration automatically — no manual setup required.
Important: What VLESS+Reality Can't Do
Be realistic about what any circumvention tool can and can't do:
Can do:
- ✓ Bypass protocol-level filtering (DPI, fingerprinting, active probing)
- ✓ Make your traffic look like normal HTTPS
- ✓ Work on standard consumer internet connections
Can't do:
- ✗ Defeat IP-level blocks if your specific server gets blacklisted (provider must rotate IPs)
- ✗ Work during extreme whitelist-only crackdowns (e.g., major political events)
- ✗ Hide the volume of your traffic from statistical analysis
- ✗ Guarantee 100% uptime — China's censorship adapts continuously
What About Other Methods?
Shadowsocks + Plugin
Shadowsocks with v2ray-plugin (WebSocket over TLS) worked well from 2018–2021. The GFW has since developed active probing techniques that detect it — particularly the certificate anomaly (self-signed or own-domain cert) and the non-browser TLS fingerprint. Some servers still work, but it's increasingly unreliable.
WireGuard + Obfuscation
WireGuard's handshake is small but distinctive. Obfuscation wrappers help against passive DPI but don't survive active probing. WireGuard has no mechanism like Reality to respond to probes with genuine web content.
Tor with Bridges
Tor bridges (obfs4, meek) still work for some users but are extremely slow — often unusable for video, voice, or large downloads. The GFW actively enumerates and blocks bridge IPs.
Choosing a Provider
If you're evaluating VLESS+Reality services for use in China:
| Priority | Feature | Why |
|---|---|---|
| Critical | Reality TLS, not just VLESS/V2Ray | Without Reality, the GFW's active probing will eventually find and block your server |
| Critical | IP rotation capability | When your server's IP gets blacklisted, you need a fresh one fast |
| High | QR code / one-click setup | Manual VLESS config is error-prone; misconfiguration = blocked |
| High | No connection/destination logs | Traffic metadata in China carries real risk |
| Medium | Crypto payment | Financial privacy matters — Bitcoin Lightning or USDT preferred |
| Medium | Multiple Asia-Pacific servers | Lower latency: Tokyo, Singapore, Hong Kong exit nodes |
Bottom Line
China's GFW is the world's most advanced internet filter. It doesn't just block — it actively hunts. Protocols designed a decade ago (OpenVPN, WireGuard, IPSec, Shadowsocks) were built for a different threat model and can't survive modern active probing indefinitely.
VLESS+Reality works because it was designed for this threat model. It doesn't try to hide a VPN handshake — it eliminates the handshake entirely and replaces it with something the GFW can't distinguish from the billions of legitimate HTTPS connections it sees every day.
As of June 2026, it's the most reliable method available for bypassing the Great Firewall.