Fexyn

What is DPI (deep packet inspection)

Network equipment that looks inside packets to identify what protocol or application they belong to, used to filter or throttle traffic.

Deep packet inspection — DPI — is what happens when network equipment doesn't just route a packet, it reads it. The switch or firewall pulls open the payload, looks at the bytes inside, and tries to figure out what application or protocol generated them. Then it acts on what it finds: throttling, blocking, logging, or letting through.

DPI is the layer ISPs use to throttle BitTorrent. It's the layer corporate firewalls use to enforce "no Netflix during business hours." And it's the layer state-level censors use to block VPNs when the user thought they were tunneling around restrictions.

How DPI identifies traffic

Every protocol has a fingerprint. DPI software has a library of those fingerprints and matches packets against them.

Some examples:

  • WireGuard — UDP, distinctive handshake message types 1 to 4, fixed message lengths in known ranges.
  • OpenVPN — TLS handshake with characteristic timing, plus an OpenVPN-specific control channel pattern.
  • IPsec/IKEv2 — UDP/500 and UDP/4500 with very recognizable handshake structures.
  • Standard "obfuscation" wrappers — TLS handshake structurally different from a real browser handshake (timing, padding distribution, extension order).

Each fingerprint is small and cheap to check. A single DPI box can fingerprint millions of flows per second on commodity hardware.
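
The WireGuard fingerprint from the list above, written out as an added example (not code from Fexyn or from any DPI product). It checks the type byte, the three reserved zero bytes, and the message sizes fixed by the WireGuard protocol specification; the function names, flow labels and sample payloads are constructed for illustration.

```python
# Fixed on-wire sizes per WireGuard message type (protocol specification).
WG_FIXED_LEN = {
    1: ("handshake_initiation", 148),
    2: ("handshake_response", 92),
    3: ("cookie_reply", 64),
}
WG_TRANSPORT = 4
WG_TRANSPORT_MIN = 32  # 16-byte header + 16-byte auth tag (empty keepalive)


def classify_wireguard(payload: bytes):
    """Return the WireGuard message name for a UDP payload, or None."""
    if len(payload) < 4:
        return None
    # Byte 0 is the message type; bytes 1-3 are reserved and always zero.
    if payload[1:4] != b"\x00\x00\x00":
        return None
    msg_type = payload[0]
    if msg_type in WG_FIXED_LEN:
        name, size = WG_FIXED_LEN[msg_type]
        return name if len(payload) == size else None
    # Transport data: plaintext is padded to 16 bytes, so the total is too.
    if msg_type == WG_TRANSPORT and len(payload) >= WG_TRANSPORT_MIN \
            and len(payload) % 16 == 0:
        return "transport_data"
    return None


def flag_flows(packets):
    """Flag flows that open with an initiation followed by a response.
    packets: iterable of (flow_id, udp_payload) in arrival order."""
    seen = {}
    for flow_id, payload in packets:
        seen.setdefault(flow_id, []).append(classify_wireguard(payload))
    return sorted(f for f, kinds in seen.items()
                  if kinds[:2] == ["handshake_initiation", "handshake_response"])


# Constructed sample payloads (zero-filled bodies; only header and length matter).
SAMPLE = [
    ("10.0.0.5:51820", b"\x01\x00\x00\x00" + bytes(144)),  # 148-byte initiation
    ("10.0.0.5:51820", b"\x02\x00\x00\x00" + bytes(88)),   # 92-byte response
    ("10.0.0.9:53", b"\x12\x34\x01\x00" + bytes(28)),      # DNS-like, reserved bytes non-zero
    ("10.0.0.7:4444", b"\x01\x00\x00\x00" + bytes(96)),    # type 1 but wrong length
]

if __name__ == "__main__":
    print(flag_flows(SAMPLE))
```

The classifier never touches the encrypted body: four header bytes and a length comparison are enough, which is why this kind of check scales to very high flow rates.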

Why DPI is hard to defeat

Wrapping VPN traffic in something that looks like HTTPS is the obvious move, and it's exactly what most "obfuscation" features do. The problem: TLS handshakes have their own fingerprints. The order of extensions, the choice of cipher suites, the padding behaviour — all of it forms a pattern that DPI can match.

Iran, Russia, and Turkey have all blocked specific TLS handshake patterns associated with consumer VPN obfuscation. The arms race is constant: a fingerprint added to DPI hardware blocks a generation of obfuscated VPNs until they update.

How VLESS Reality works around DPI

VLESS Reality is structurally different. Instead of generating a TLS handshake that looks like a real one, it does an actual TLS 1.3 handshake to an actual public website. The certificate is the real certificate that website serves. The SNI is the real SNI. The handshake timing is whatever TLS 1.3 produces.

DPI sees a connection to microsoft.com, with microsoft.com's real certificate, indistinguishable from any other browser opening microsoft.com. To block it, the censor would need to block microsoft.com — which has too many other consumers depending on it.

Read more in Deep packet inspection, explained.

What this means for users

If your network is DPI-filtered (Turkey under BTK, Russia under Roskomnadzor's TSPU, China under the GFW, Kazakhstan with Qaznet-style interception attempts), standard VPN protocols often fail. Connections drop, throughput collapses to dial-up speeds, or handshakes get reset.

Fexyn ships VLESS Reality as Fexyn Stealth specifically for these networks. Try it free for 7 days and see whether it gets through your specific connection.

The country-specific guides cover the carrier-level details for the worst DPI environments: VPN for Turkey, VPN for Russia, VPN for Kazakhstan, VPN for Pakistan, VPN for Belarus. To see which other countries deploy DPI in one view, the global censorship map has a "DPI deployed" filter.

The clearest everyday example of DPI in action is VoIP blocking in the Gulf and Egypt — carriers identify and drop WhatsApp, FaceTime, and Skype call signalling at the packet level while letting text messaging through. See VPN for WhatsApp for how Stealth restores those calls.
