Bypassing blocks and DPI
Deep packet inspection (DPI) is how networks detect and disrupt VPNs. In Russia, TSPU systems use DPI to throttle or block common VPN signatures. This page explains how DPI works, why ordinary VPNs are easy to spot, and how Tunari’s AmneziaWG and VLESS+Reality modes help traffic look like normal HTTPS/TLS, with no guarantees and results that may vary.
What DPI is and how censors use it
DPI inspects not just where packets go but how they look and behave. It can examine headers, handshake patterns, TLS fingerprints, Server Name Indication (SNI), packet sizes, and flow timing to identify protocols.
In Russia, ТСПУ (TSPU) boxes at ISPs use DPI to detect and interfere with traffic that matches known VPN signatures. When a match is found, the system can throttle, block, or reset connections.
Because DPI focuses on recognizable patterns, connections that reveal protocol-specific traits are more likely to be flagged, especially during the initial handshake.
Why ordinary VPNs get blocked
Many standard VPNs have distinctive handshakes or predictable traffic shapes. Classic OpenVPN, IKEv2, or even vanilla WireGuard can expose telltale markers such as fixed handshake sequences, characteristic packet sizes, or use of specific ports that DPI can key on.
Some censors also use active probing: when they suspect a VPN service on an IP/port, they attempt to connect and verify the protocol. Signature lists are updated over time, which is why a server or port that worked yesterday may fail today.
The result is that ordinary VPN sessions can be throttled or dropped mid-handshake, forcing users into a cycle of switching ports, servers, or protocols.
How Tunari helps resist DPI
Tunari supports multiple protocols so you can choose what works best on your network: WireGuard (default, fast), AmneziaWG, VLESS+Reality, OpenVPN, and IKEv2. For censorship resistance, the key options are AmneziaWG and VLESS+Reality.
AmneziaWG is a censorship-resistant variant of WireGuard. It is designed to change how WireGuard traffic appears on the wire, reducing reliance on the static signatures DPI tools look for. See our AmneziaWG deep-dive for more detail.
VLESS+Reality is built to make VPN traffic look like ordinary HTTPS/TLS. To DPI, flows resemble a regular encrypted web session, which helps avoid blocks that target recognizable VPN handshakes or UDP patterns.
In our tests, these modes have helped maintain connectivity on TSPU-filtered networks in Russia, but no method is guaranteed to work everywhere or forever. Network conditions and censorship tactics change.
Using Tunari in practice
Start with VLESS+Reality. If it is restricted on your network, switch to AmneziaWG, then try standard WireGuard, OpenVPN, or IKEv2. Rotating servers and protocols can help when filters change.
Tunari currently offers servers in France, Poland, and Canada, and the network is expanding. Some nodes are tuned for Russia (MSS/MTU clamping and placement on niche ASNs) to help avoid attention from common DPI paths.
Security and privacy are core: AES-256 encryption, a strict no-logs policy by design (not independently audited yet), and a Kill Switch that blocks all traffic if the VPN tunnel drops so your real IP does not leak.
Apps are available for iOS (App Store), Android (Google Play), and Windows, with macOS in alpha. Standard plans allow up to 10 simultaneous device connections. Pay with cards, SBP, or USDT. TunariVPN Sp. z o.o. is registered in Warsaw, Poland under EU jurisdiction, and offers a 7-day free trial and a 30-day money-back guarantee, with support via the Telegram bot and email.
Frequently asked questions
Try Tunari free for 7 days
Start your 7-day free trial with no credit card required; use iOS, Android, or Windows, pay by cards, SBP, or USDT, and get a 30-day money-back guarantee.
View pricing