What is TSPU

TSPU is Russia's nationwide deep-packet-inspection infrastructure. The Russian initialism stands for Технические средства противодействия угрозам — Technical Means of Countering Threats. It is mandated by the 2019 "sovereign internet" law (Federal Law 90-FZ amending Federal Law 126-FZ), and has been deployed at every licensed Russian ISP since 2021.

TSPU sits inline at the ISP gateway. Every packet that leaves a Russian network or arrives at one passes through TSPU first. The hardware is operated by the ISP under regulatory mandate; the configuration is managed centrally by the Center for Monitoring and Control of Public Communications Network (CoSDP), part of the Roskomnadzor regulator.

What TSPU does

Functionally, TSPU is a deep packet inspection system with several capabilities:

• Protocol fingerprinting. TSPU keeps a library of protocol fingerprints (WireGuard's 148-byte handshake initiation, OpenVPN's TLS handshake timing, Shadowsocks's high-entropy stream pattern). Real-time pattern matching at line rate.
• Active probing. When TSPU sees a suspicious connection, it can dispatch its own probe to the same destination. Servers that respond differently from legitimate services get blocked.
• Statistical analysis. TSPU tracks aggregate behaviour per IP, per ASN, per region. Anomalous patterns (residential IPs opening many long-lived TLS connections to specific VPS providers) become detection signals.
• URL and domain blocking. TSPU implements Roskomnadzor's blocklist at the network layer.

What TSPU has blocked

As of May 2026, TSPU successfully fingerprints and blocks at every major Russian ISP:

• WireGuard (since 2023)
• OpenVPN (since 2022)
• IKEv2 / IPsec
• Plain VLESS (since late 2025)
• Shadowsocks (including AEAD variants)
• SOCKS5
• obfs4 and meek (Tor pluggable transports)
• Most "obfuscated" or "stealth" modes from major commercial VPN brands

Roskomnadzor has blocked hundreds of VPN services by name, with a stated public goal of blocking the majority of VPN apps within the next several years.

What still works

The protocols that survive TSPU in 2026 share an architectural property: real TLS 1.3 handshake to a real public site, no fake handshake to fingerprint, no self-issued certificate to detect via Certificate Transparency comparison.

• VLESS Reality with the Vision flow
• NaiveProxy
• Hysteria 2 (sometimes)
• ShadowTLS

Why this matters

Russia is the second-most-aggressive VPN-blocking environment in the world after China. The pattern is that TSPU's detection capabilities continue to improve and Roskomnadzor's budget for permanent VPN-censorship infrastructure (~20 billion rubles per year) keeps growing. Standard commercial VPNs that did not invest in DPI-resistant protocols are progressively unusable from Russian networks.

For Russian users, the practical answer is a VPN that ships VLESS Reality with the Vision flow. Fexyn does. The technical detail is here, and the Reality protocol guide covers why this protocol architecturally resists TSPU.

Try Fexyn free for 7 days — Stealth (VLESS Reality with Vision) is included on every plan.