A VPN for journalists in places that watch the network

The problem with most VPNs in censored countries

National-level filters don't just block known VPN IPs. They use deep packet inspection to recognise the fingerprints of VPN protocols themselves: the way a WireGuard handshake looks on the wire, the distinctive shape of an OpenVPN session. When DPI sees a VPN, it can drop the connection silently or throttle it to unusable speeds.

Most consumer VPNs respond to this with "obfuscation" modes that wrap traffic in TLS padding. These help against simple filters and lose against modern ones. Iran's filters and Russia's GFW-style infrastructure regularly defeat OpenVPN-over-TLS within weeks of a new fingerprint becoming popular.

VLESS Reality is different

Fexyn Stealth uses VLESS Reality, run on XRay. The technique:

• The VPN client establishes a real TLS 1.3 connection to a real, well-known website (a handshake host like microsoft.com or cloudflare.com).
• The TLS handshake is genuine. If the censor probes your connection, they see a valid certificate from a real CA, served by a real public site.
• Inside that handshake, the VPN data flows. The payload is indistinguishable from any other HTTPS session to the same host.

DPI cannot tell a Reality session apart from someone loading microsoft.com from a browser. Blocking it would mean blocking the handshake host, which the censor probably doesn't want to do.

Technical details on VLESS Reality · Background reading

No-logs, in precise terms

Fexyn does not log browsing history, DNS queries, or traffic content. The only data we keep is what's needed to run the service: account, billing, authentication events, and limited connection counters (device count, plan state). The full breakdown — including what we explicitly do not claim — is on the no-logs policy page.

We have not yet completed a third-party no-logs audit. We say that on the no-logs page rather than hiding it. When an audit is done, we'll publish the result.

Short-lived certificates

The certificates Fexyn issues to your client are valid for 24 hours, not months. If a reporter's laptop is seized at a border, the cert on it expires the next day. There's no scramble to revoke a long-lived credential while CRL distribution lags.

Why this matters more than the marketing copy makes it sound

Protocol rotation when one is blocked

Censors update fingerprints. A protocol that worked last week can stop working without warning. Fexyn ships three protocols (Bolt / Stealth / Secure) and the app rotates if one fails. You don't have to know which one is currently working in your country.

For high-risk environments, set Stealth as the default and let rotation handle the rest. The other protocols stay available as fallback.

Jurisdiction

Fexyn LLC is registered in Wyoming, United States. The US has strong press-freedom protections and warrant requirements. Fexyn does not operate servers in countries that compel data sharing as a condition of doing business; the network skips jurisdictions where that's a known risk. We maintain a warrant canary, updated monthly.

Operational notes for hostile networks

• Pay with cryptocurrency if a card-linked subscription is a risk. Fexyn accepts BTC, ETH, USDT, and others.
• Don't reuse the same email address you use for everything else for the Fexyn account.
• Use separate machines for high-risk reporting where possible. A VPN can't protect a compromised endpoint.
• Test before you travel. Run Fexyn from your home network for a week first to confirm everything works the way you expect.
• If Fexyn stops working in a particular country, the trial protects you and the 30-day refund covers the first paid period. We won't pretend universal connectivity.

Related reading

• VLESS Reality / XRay on Fexyn
• Deep packet inspection, explained
• Why VLESS Reality beats WireGuard in censored countries
• Global censorship map
• VPN for Russia
• VPN for Turkey
• VPN for UAE
• VPN for Pakistan
• VPN for Egypt
• VPN for Ukraine
• VPN for activists
• No-logs policy
• Warrant canary