Censorship
April 8, 2026
How DPI Identifies VPN Traffic: Technical Methods in China, Russia, Iran
Deep packet inspection, SNI blocking, and protocol fingerprinting are used by authoritarian regimes to detect and throttle VPN users. Technical overview of 2026 blocking methods.
Deep packet inspection (DPI) has become a standard tool for identifying and blocking VPN traffic in countries with centralized internet control. China, Russia, and Iran have each deployed overlapping but distinct technical approaches to detect encrypted tunnels, with varying levels of sophistication and enforcement intensity.
DPI itself is not new. Equipment manufacturers like Sandvine, Allot, and Procera Networks have offered packet analysis tools for decades. What has evolved is the scale of deployment and the specificity of detection signatures targeting particular VPN protocols. Rather than blocking all encrypted traffic—a technically crude approach that would disrupt legitimate HTTPS and financial transactions—state-level systems now target the behavioral and cryptographic markers that distinguish VPN protocols from normal internet traffic.
CHINA'S LAYERED APPROACH
China's Great Firewall employs multiple detection methods simultaneously. The most documented is TLS SNI (Server Name Indication) inspection: when a client initiates a TLS handshake, the SNI field contains the domain name in plaintext before encryption completes. The firewall examines this field and blocks connections to known VPN provider domains. This method is cheap to operate and effective against users connecting directly to commercial VPN infrastructure.
A second mechanism targets protocol fingerprinting. OpenVPN, WireGuard, and other protocols generate distinctive packet patterns—specific sizes, timings, and sequences that differ from HTTPS or other benign protocols. Machine learning models trained on packet captures can classify traffic with reasonable accuracy even without decryption. According to research from Citizen Lab and open reports on the Great Firewall, systems operated by the Ministry of Industry and Information Technology (MIIT) maintain databases of known VPN signatures.
Third, the firewall performs active probing: when suspicious traffic is detected, the system sends probe packets to the source IP to elicit a response that confirms the protocol's identity. If the response matches a known VPN signature, the connection is flagged for throttling or blocking. This method is more resource-intensive, but it confirms protocol identity where passive inspection alone cannot.
RUSSIA'S ROSKOMNADZOR OPERATIONS
Russia's Roskomnadzor (Federal Service for Supervision of Communications) has coordinated blocking through ISP-level DPI equipment deployed at major internet exchange points. Rather than attempting wholesale protocol blocking—which would damage e-commerce and banking—Roskomnadzor focuses on known VPN provider IP addresses and domains.
Publicly available research from Roskomsvoboda and OONI measurements in Russia show a hybrid approach: DNS filtering blocks queries to known VPN provider domains; BGP-level route hijacking redirects traffic destined for known VPN server IP ranges to sinkhole addresses; and DPI systems flag and throttle traffic matching OpenVPN and WireGuard signatures. The system prioritizes blocking commercial VPN services over detecting all encrypted tunnel traffic.
Starting around 2022-2023, Roskomnadzor began deploying what security researchers term "active DPI" methods, where blocking systems inject RST packets to terminate connections matching VPN signatures. This is technically simple—cheaper than sustained throttling—and forces users to retry connections, creating friction without complete blocking.
IRAN'S CENTRALIZED CONTROL
Iran's system, operated through the Ministry of Information and Communications Technology (MoTT) and Information and Communications Technology Council (ICTA), represents the most centralized architecture. All international internet traffic passes through a limited number of gateway chokepoints, where comprehensive DPI is feasible.
According to OONI data from Iran and reports by Access Now, Iranian systems employ all three categories of DPI: SNI inspection on TLS handshakes, protocol fingerprinting for OpenVPN and WireGuard, and increasingly, active measurement of traffic entropy and payload patterns. During periods of civil unrest, Iran has deployed additional techniques: throttling all traffic to known VPN server ASNs (autonomous system numbers), and performing statistical analysis to identify users whose traffic patterns match encrypted tunnel behavior even without matching specific protocol signatures.
Iran also conducts periodic blocking campaigns where entire categories of traffic are temporarily filtered, then refined based on appeal and false-positive feedback—a technique sometimes called "testing and tightening."
TECHNICAL CIRCUMVENTION METHODS
VPN protocols and tools have evolved in response. WireGuard's minimal packet overhead makes fingerprinting harder than older protocols, but the protocol's distinctive handshake structure remains identifiable under active probing. OpenVPN, particularly with obfuscation wrappers like obfs4, can disguise the initial handshake as ordinary TLS, defeating simple pattern matching.
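The handshake structure this paragraph calls identifiable, and the size-and-sequence fingerprinting described in the China section, as an added illustration that is not code from the article: a passive classifier over constructed UDP flows. The message sizes and reserved zero bytes are taken from the WireGuard protocol description; the flows and the datagram bodies are made up here.

```python
import os
# Constructed example (not from the article): message sizes and the reserved
# zero bytes follow the WireGuard protocol description; the flows are made up.
WG_FIXED_SIZES = {1: 148, 2: 92, 3: 64}   # handshake init, handshake response, cookie reply

def wg_message_type(payload: bytes):
    """WireGuard message type a UDP payload is consistent with, or None."""
    if len(payload) < 32 or payload[1:4] != b"\x00\x00\x00":
        return None                         # byte 0 is the type, bytes 1-3 must be zero
    t = payload[0]
    if t in WG_FIXED_SIZES:
        return t if len(payload) == WG_FIXED_SIZES[t] else None
    if t == 4 and len(payload) % 16 == 0:   # transport: 16-byte header + 16-aligned body + tag
        return 4
    return None

def looks_like_wireguard_flow(flow):
    """flow: list of (direction, payload), direction 'out' or 'in'.
    True when an outbound initiation is answered by an inbound response and
    everything after that parses as transport data."""
    if len(flow) < 2:
        return False
    (d0, p0), (d1, p1) = flow[0], flow[1]
    if d0 != "out" or wg_message_type(p0) != 1:
        return False
    if d1 != "in" or wg_message_type(p1) != 2:
        return False
    return all(wg_message_type(p) == 4 for _, p in flow[2:])

def fake_wg(msg_type: int, length: int) -> bytes:
    """Constructed datagram with the WireGuard header layout and a random body."""
    return bytes([msg_type, 0, 0, 0]) + os.urandom(length - 4)
```

Padding the handshake or wrapping it in another protocol breaks every condition above, which is what the obfuscation layers discussed in this section are for.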
Tor pluggable transports—specifically Snowflake and the newer WebTunnel—route traffic through proxy servers that make Tor difficult to distinguish from ordinary web browsing. REALITY and Vision protocols attempt similar disguise by impersonating legitimate TLS connections.
Shadowsocks and V2Ray/Xray use SOCKS proxying and custom encryption to avoid protocol fingerprinting, though they remain vulnerable to behavioral analysis if traffic volume and timing patterns are unusual.
None of these methods is immune to every detection vector. A determined adversary with access to the encryption keys can always identify VPN traffic after the fact. The practical question is cost and friction: how many resources an operator must deploy to block a given proportion of users, and how much false-positive damage results.
As of 2026, the arms race continues. User-facing tools add obfuscation layers and protocol variation; state systems respond with broader statistical detection and hardware-accelerated active probing. The outcome remains asymmetric: blocking requires less technical sophistication than staying unblocked, but scale matters more than elegance.