Glossary
What is active probing
A censorship technique in which censors send their own probes to suspected proxy servers to check whether the server is a VPN, then block based on the response.
Active probing is a proxy-detection technique used by censors. Instead of only analysing traffic passively (as deep packet inspection and entropy analysis do), the censor's infrastructure connects to suspected proxy servers and compares the server's response against what a legitimate service would return. If the response differs, the IP is added to the block list.
China's Great Firewall has been doing this since at least 2012. Iran, Russia, and Pakistan have all deployed similar capabilities at varying levels.
How active probing works
When the censor's infrastructure sees a connection that might be a proxy — based on traffic patterns, IP reputation, or other passive signals — it dispatches its own connection to the same destination, often within minutes:
- The censor sees a connection from a residential user to IP 1.2.3.4 on port 443.
- The censor's infrastructure connects to 1.2.3.4:443 itself.
- The infrastructure sends a request that a legitimate web service would handle (a TLS ClientHello, an HTTP/1.1 GET, etc.).
- It records the response.
- The response is compared against what a legitimate service would have returned.
If the suspect server returns something inconsistent with a real service — wrong certificate chain, wrong HTTP response headers, wrong server software fingerprint, no response at all to certain probe types — the IP gets added to the censor's block list.
What active probing catches
Several categories of proxy:
Trojan deployments. Trojan does a real TLS handshake but uses a certificate the operator set up themselves (Let's Encrypt or self-signed). The active prober compares the certificate against Certificate Transparency records for the claimed domain. If the certificate does not match what CT records show for that domain, the server is flagged.
Servers running known proxy software. Many proxy implementations have detectable HTTP response patterns when probed with non-standard requests. Shadowsocks, V2Ray, and earlier implementations have been caught this way.
Servers that fail to respond like real web services. A real web server returns an error page for invalid requests, or redirects to HTTPS for HTTP, or has specific headers. Proxies that do not implement these behaviours stand out.
Servers that auto-disconnect non-authenticated probers. If the suspect server immediately closes connections that do not authenticate, that is itself a signal that the server expects authenticated clients — i.e., it is a proxy.
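A self-audit sketch of the comparison described above, added here as an example and not taken from any censor's or proxy project's code: it runs the checks over constructed probe records so an operator can see which signals their own server's unauthenticated responses would raise. The `ProbeResult` fields, finding names and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class ProbeResult:
    """What one unauthenticated connection to a server observed."""
    cert_sha256: Optional[str]   # leaf certificate fingerprint, None if no TLS
    status: Optional[int]        # HTTP status for an invalid request, None if no reply
    headers: dict = field(default_factory=dict)
    closed_without_reply: bool = False

def audit(observed, baseline, ct_fingerprints):
    """List the inconsistencies a response comparison would surface."""
    findings = []
    if observed.closed_without_reply:
        findings.append("silent-close")
    if observed.cert_sha256 not in ct_fingerprints:
        findings.append("cert-not-in-ct")
    if observed.status != baseline.status:
        findings.append("status-mismatch")
    for name, value in sorted(baseline.headers.items()):
        if name not in observed.headers:
            findings.append(f"missing-header:{name}")
        elif name == "server" and observed.headers[name] != value:
            findings.append("server-fingerprint-mismatch")
    return findings

# Constructed sample data: fingerprints, headers and statuses are made up.
REAL_FP = "aa11" * 16
CT_FPS = {REAL_FP}
BASELINE = ProbeResult(REAL_FP, 400, {"server": "ExampleFrontEnd", "content-type": "text/html"})
SAMPLES = {
    "self-signed, drops strangers": ProbeResult("bb22" * 16, None, {}, True),
    "valid cert, proxy-style reply": ProbeResult(REAL_FP, 200, {"server": "generic-proxy"}),
    "forwards to camouflage host": ProbeResult(REAL_FP, 400, dict(BASELINE.headers)),
}

def audit_all():
    """Audit every constructed sample against the baseline."""
    return {name: audit(r, BASELINE, CT_FPS) for name, r in SAMPLES.items()}

if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(f"{name}: {findings or 'consistent with baseline'}")
```

Only the record that is byte-for-byte the baseline's own response produces an empty findings list, which is the property the transparent-forwarding design relies on.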
How VLESS Reality defeats active probing
VLESS Reality with the Vision flow is structurally resistant to active probing. The trick: when an unauthenticated connection arrives at a Reality server, the server transparently proxies the connection to the real public site it is camouflaging as.
The flow:
- The active prober connects to the Reality server.
- The prober is not authenticated (it does not have the shortId or X25519 keys).
- The Reality server transparently proxies the prober's connection to, say, microsoft.com.
- The prober gets a response from the real Microsoft server.
- The certificate is real. The headers are real. The behaviour is real.
- There is no inconsistency to detect because the response IS the real Microsoft response.
The only thing that distinguishes a Reality client from a real Microsoft user is the encrypted shortId hidden inside the TLS key-share extension — invisible to the active prober. Active probing has nothing to flag.
What still works against Reality
Active probing in the strict sense — connect, compare response — does not catch Reality. Two adjacent attacks remain partial threats:
IP reputation analysis. Noticing that a residential IP repeatedly opens long-lived TLS connections to a specific VPS that also proxies to Microsoft, and treating that pattern as suspicious. This catches some Reality deployments but is expensive to operate at scale and produces false positives.
Behavioural traffic analysis. A user generating sustained Microsoft connections for hours every day at high throughput is a behavioural pattern that does not match typical Microsoft user behaviour. This kind of analysis requires significant compute and produces many false positives, which is why it is not deployed at scale yet.
For most users in active-DPI markets in 2026, Reality + Vision plus reasonable IP-pool hygiene is enough. The detection rate against properly-deployed Reality is under 5% based on community reports.
Why active probing is hard to defeat in general
Censors set the rules of the game. The censor decides what is a "legitimate" service and what is not. Any proxy that does not perfectly impersonate a legitimate service has some signal that distinguishes it. The only way to fully defeat active probing is to BE a legitimate service for any unauthenticated request — which is what Reality does by transparently proxying to the real site.
This is also why "obfuscation" approaches built on top of WireGuard or OpenVPN do not survive sophisticated active probing. They make the traffic look HTTPS-like but the server's response to active probing is not a real web service's response. The wrapper passes a passive look; it fails the active probe.