Quiz Entry - updated: 2026.07.05
Why is traditional VPN traffic (OpenVPN, WireGuard) easy for DPI to detect and block?
Classic VPN protocols have recognisable fingerprints — distinctive packet headers, typical ports, unique handshake byte-sequences, and a constant encrypted stream — so DPI can identify and block them.
Deep Packet Inspection detects traditional VPNs through:
- Protocol fingerprint: OpenVPN uses specific packet headers.
- Port patterns: typically port
1194(UDP) or443(TCP). - Handshake signature: unique byte sequences during connection setup.
- Traffic timing: a constant encrypted data stream with no idle gaps.
Result: VPN traffic is identified and blocked. This is exactly why, in censored environments, a plain VPN often stops working — and why disguising tools (like Trojan proxies and pluggable transports) exist.
Tip: A VPN is encrypted but not disguised — it looks obviously like "a VPN." The next evolution is making the traffic look like something boring and ubiquitous, e.g. ordinary HTTPS.
Go deeper:
Deep packet inspection (Wikipedia) — how DPI fingerprints protocols by header/port/handshake patterns.