
What actually works in Russia 2026: TSPU technical view

Fexyn Team · 9 min read

If you have a Russian friend or work with Russian colleagues, you have probably seen this happen: a VPN they had been using for years suddenly stops connecting. They switch to another. That works for a week. Then it stops too.

This is not a coincidence and it is not random. It is TSPU (the Technical Means of Countering Threats) doing exactly what it was deployed to do, getting better at it month by month, and Roskomnadzor publishing increasingly explicit goals about how far they intend to take it.

Here is what TSPU actually does, what it has successfully blocked, what is still working in May 2026, and where the trajectory is heading.

What TSPU is and how it sees your traffic

TSPU is filtering hardware and software deployed at every licensed Russian ISP since 2021, mandated by the 2019 sovereign-internet law. It sits inline at the ISP gateway. Every packet that leaves a Russian network or arrives at one passes through TSPU first. The hardware is operated by the ISP but configured centrally by the Center for Monitoring and Control of Public Communications Network (CoSDP), which is part of the Roskomnadzor apparatus.

Functionally, TSPU is a deep packet inspection system. It does several things:

Pattern matching. TSPU keeps a library of protocol fingerprints. WireGuard's first handshake packet is always 148 bytes with a specific structure: a 1-byte type field, three reserved zero bytes, a 4-byte sender index, and a 32-byte unencrypted ephemeral public key. TSPU matches this in real time. The detection accuracy is near 100%.

Entropy analysis. Encrypted traffic has high entropy — bytes look random, no recognisable structure. Normal HTTPS traffic has mixed entropy: a structured TLS handshake with predictable certificate chains, then encrypted application data with characteristic record sizes. A Shadowsocks connection is high-entropy from packet one. TSPU flags streams whose entropy profile does not match any known legitimate protocol.

Active probing. When TSPU sees a suspicious connection, it can dispatch its own connection to the same destination IP and port within seconds. If the response from that server differs from what a legitimate service would return, the IP gets added to the block list.

Statistical analysis. TSPU tracks aggregate behaviour per IP, per ASN, per region. If a single Russian residential IP suddenly opens 50 long-lived TLS connections to a VPS provider that hosts no legitimate Russian-popular services, that pattern itself becomes a detection signal.

These aren't theoretical capabilities. They are running, today, against every connection from every Russian residential and mobile network.
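The two passive checks described above (fixed-structure matching and first-payload entropy), sketched as an added example that is not from the original article and not TSPU's actual logic. The WireGuard layout is the one stated above; the TLS record-header check, the 7.0 bits-per-byte threshold, the function names and all sample payloads are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

WG_INIT_LEN = 148  # handshake initiation size stated in the article

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 is the ceiling for uniform data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_first_payload(payload: bytes, entropy_threshold: float = 7.0) -> str:
    """Label the first payload of a flow (threshold is an assumed value)."""
    # Fixed-structure match: exact length, type byte 1, three reserved zero bytes.
    if len(payload) == WG_INIT_LEN and payload[:4] == b"\x01\x00\x00\x00":
        return "wireguard-handshake-initiation"
    # TLS record header: content type 0x16 (handshake), major version 3.
    if len(payload) >= 5 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls-handshake"
    # No recognisable framing and near-random bytes from packet one.
    if shannon_entropy(payload) >= entropy_threshold:
        return "high-entropy-unknown"
    return "unclassified"

def pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic stand-in for ciphertext (constructed test data)."""
    blocks = (hashlib.sha256(seed + bytes([i])).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

# Constructed samples, not captured traffic.
WG_SAMPLE = (b"\x01\x00\x00\x00"                    # type + reserved
             + (0x1234).to_bytes(4, "little")       # sender index
             + pseudo_random(140, b"wg"))           # ephemeral key + encrypted fields
TLS_SAMPLE = (b"\x16\x03\x01\x00\x40\x01\x00\x00\x3c\x03\x03"
              + b"example.com".ljust(58, b"\x00"))  # simplified, not a valid ClientHello
OPAQUE_SAMPLE = pseudo_random(512, b"opaque")       # high entropy from byte one
HTTP_SAMPLE = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    for name, p in [("wg", WG_SAMPLE), ("tls", TLS_SAMPLE),
                    ("opaque", OPAQUE_SAMPLE), ("http", HTTP_SAMPLE)]:
        print(f"{name:7} len={len(p):4} H={shannon_entropy(p):.2f} -> {classify_first_payload(p)}")
```

A payload of n < 256 bytes cannot exceed log2(n) bits per byte, so a fixed threshold behaves differently on short first packets than on long ones. That is one reason the structural match runs before the entropy check.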

What TSPU has blocked

Through Q1 2026, TSPU successfully fingerprints and blocks the following protocols at every major Russian ISP:

WireGuard. Since 2023. The 148-byte handshake initiation packet is too rigid to vary; some "obfuscated WireGuard" variants exist (NordVPN's NordLynx, Mullvad's standard configuration) but TSPU detects all of them. A connection from a Russian ISP fails within 1-3 seconds.

OpenVPN (TCP and UDP). Since 2022, with increasing accuracy. OpenVPN's TLS handshake has distinctive timing and the control channel uses a recognisable framing format. Even OpenVPN-XOR and obfs4 wrappers are detected.

IKEv2 / IPsec / L2TP. Detected by ESP packet structure or IKEv2 handshake. Blocked.

Plain VLESS without Vision. This is the late-2025 development. TSPU was upgraded to fingerprint generic VLESS streams. Some providers shipping Reality but without the Vision flow (xtls-rprx-vision) are now also affected, because Vision is what eliminates the TLS-in-TLS pattern that this fingerprint matches against. Plain VLESS, with or without basic Reality, is now blocked.

Shadowsocks. Including AEAD variants. Entropy analysis catches high-entropy streams; active probing catches the absence of a real TLS handshake.

SOCKS5. Detected by handshake structure.

obfs4 and meek. The Tor pluggable transports. Detected by entropy and timing patterns.

Most "stealth" or "obfuscated" modes from major VPN brands. ExpressVPN's Lightway, NordVPN's NordLynx with obfuscation, Surfshark's Camouflage, ProtonVPN's standard Stealth — pattern-matched to varying degrees. Some still work intermittently; none reliably.

This is why Russian VPN users keep cycling through providers. Each major brand's primary protocol is detectable. The "obfuscated" mode that gets sold as a censorship-bypass feature is a generation behind what TSPU can fingerprint.

What still works in May 2026

The following protocols complete their handshake reliably from Russian residential and mobile networks:

VLESS Reality with the Vision flow. This is the load-bearing combination. Reality performs a real TLS 1.3 handshake to a real public host (microsoft.com, cloudflare.com, apple.com) and forwards that host's actual certificate. The Vision flow eliminates the TLS-in-TLS detection signal. Together, the traffic is statistically indistinguishable from a normal browser connecting to that host.

Per a USENIX Security paper and our own server telemetry, Reality+Vision handshake success in Russia in May 2026 is around 95%. The remaining 5% comes from IP-reputation blocking on specific VPS ranges, not protocol detection. If the IP your VPN provider uses has a reputation pattern (residential users connecting to a VPS that also serves a stable HTTPS site), TSPU sometimes flags it. Solution: rotate IP ranges, prefer providers that maintain "clean" IP space.

We wrote the long protocol guide on Reality if you want the architectural detail.

NaiveProxy. Uses Chrome's actual networking stack to make HTTP/2 connections to a real backend. The traffic is byte-identical to Chrome traffic because it literally is. Less widely deployed than Reality, but works.

Hysteria 2. A QUIC-based protocol with strong masquerading and low overhead on lossy networks. Some Russian ISPs throttle Hysteria more aggressively than others; success rate varies but is generally above 70%.

ShadowTLS. Performs a real TLS handshake to a public host, similar in spirit to Reality. Less mature than Reality but still gets through TSPU.

The pattern is clear. Anything that performs a real TLS 1.3 handshake to a real public host survives TSPU. Anything that does not — even with creative obfuscation — eventually gets fingerprinted.

Fexyn's auto-switching

We do not expect users to know any of this.

Fexyn Bolt is our WireGuard implementation. Fexyn Stealth is our VLESS Reality+Vision implementation. The Fexyn client tries Bolt first because it is faster. If the network blocks or throttles Bolt, the client switches to Stealth automatically. The user does not need to configure anything.

In Russia, we recommend pinning Stealth as the default in app settings rather than waiting for the auto-detection. This skips the failed-Bolt-attempt step and connects faster on networks where we already know Bolt does not work.

The full architecture is documented in the helper service notes for protocol rotation. The short version: each protocol has its own connection state machine, the rotation engine treats Bolt-failure as a signal to upgrade to Stealth without a user prompt, and we measure success per-protocol per-server-region so the rotation logic improves as TSPU evolves.

What Roskomnadzor is likely to try next

The 2026 Roskomnadzor budget includes roughly 20 billion rubles per year for permanent VPN-censorship infrastructure. The published goal is blocking 92% of VPN apps by 2030. The trajectory is escalation. Some of the next steps are predictable:

More aggressive IP-reputation scoring. TSPU already does some of this, blocking IP ranges that show patterns matching VPN deployments. Expanding this is cheap and avoids the protocol-detection problem entirely. The defence is provider-side: maintain "clean" IP ranges, rotate IPs, ideally use residential or business-grade IP space rather than known VPS ranges.

Camouflage-host whitelisting. TSPU could maintain a list of approved camouflage hosts (Microsoft, Cloudflare, Apple) and either block traffic to them entirely (politically expensive — Russian businesses depend on these services) or do deeper inspection of TLS sessions to flagged camouflage hosts. The deeper-inspection path requires breaking the TLS session, which would require an Iranian-style state-CA-injection move that Russia has tried in limited form but not at scale.

Statistical timing analysis. Reality+Vision is statistically indistinguishable from a real Microsoft browsing session at the packet level, but a single user generating sustained Microsoft connections for hours every day at high throughput is a behavioural pattern that does not match typical Microsoft user behaviour. This kind of analysis requires significant compute and produces many false positives, which is why it is not deployed yet.

Per-app blocking inside the tunnel. TSPU can already detect known WhatsApp, Signal, and Telegram traffic patterns even when they are tunneled through a VPN — because the inner traffic still has timing and packet-size signatures. So far this is only used selectively against high-profile targets. Broader deployment would dramatically increase TSPU's compute cost and is not yet operational.

The architectural advantage of Reality is that the deception is structural. There is no fake handshake, no fake certificate, no fake target. The deception is a small piece of cryptographic material hidden inside an otherwise-genuine TLS handshake. To detect it, TSPU would need to break TLS itself or maintain a behavioural model of every legitimate user of every camouflage host. Neither is cheap.

What this means for you

If you live in Russia or travel there, the practical answer is simple. Use a VPN that ships VLESS Reality with the Vision flow. Pin it as your default protocol. Use crypto for billing because card payment infrastructure is broken for Russian users on Western services. Install your VPN before you find yourself needing to download it inside Russia, because VPN provider websites can be blocked at any time.

If you operate a VPN service for Russian users — and a lot of self-hosters do — keep an eye on the XTLS Reality issue tracker, maintain Reality+Vision (not plain Reality), use rotating high-traffic camouflage hosts, and prefer "clean" IP space.

If you are reading this because a VPN you used to use stopped working in Russia — that is the system functioning as designed. The fix is a different protocol, not a different server. Most major brands (NordVPN, ExpressVPN, Surfshark, ProtonVPN, Mullvad) currently do not ship VLESS Reality at all. The smaller subset that does ship it (Astrill, Fexyn, several self-host stacks) is the working set in 2026.

Try Fexyn free for 7 days. Stealth (VLESS Reality with Vision flow) is included on every plan. Crypto-only billing for Russia ($2.99/month, Tier 4). The Russia country page has the full setup detail. The protocol guide explains why Reality with Vision keeps working when everything else fails.
