What Is Deep Packet Inspection? How Networks Detect VPNs
When a hotel network, an office firewall or a national censor blocks your VPN, the machinery doing it is usually deep packet inspection: equipment that looks past the address labels on your traffic and examines the traffic itself. Here’s how it works, in escalating order of sophistication, and what actually gets through it.
Ordinary inspection vs deep inspection
Routers normally read only packet headers: where the traffic is going, on which port. That’s like sorting mail by the envelope. DPI reads the letter. It examines the shape, timing and content patterns of the data stream itself, which is how it can say “this is a VPN” even when the traffic is encrypted and the port looks innocent.
The detection ladder
1. Port blocking (not DPI yet). The crudest filter: block UDP 500/4500 and IKEv2 dies, block 1194 and default OpenVPN dies. Trivial to apply, trivial to dodge by changing ports, which is why serious networks don’t stop here.
2. Protocol signatures. Every protocol has a recognisable handshake. OpenVPN’s TLS-inside-TLS pattern, WireGuard’s distinctive first packets: DPI equipment matches these like fingerprints, on any port. This is the layer that kills “OpenVPN on port 443” tricks, and it’s why simply moving to the HTTPS port stopped working years ago.
3. SNI inspection. When a TLS connection opens, the requested server name (SNI) is visible. Firewalls read it and block by name. A VPN server’s hostname on a blocklist ends the story regardless of encryption.
4. TLS fingerprinting. Beyond the name, the TLS handshake itself has a shape (cipher ordering, extensions), and VPN clients historically looked different from browsers. Censors classify handshakes and drop the ones that don’t look like real browsers talking to real websites.
5. Active probing. The censor’s endgame: when a suspicious server is spotted, the censor connects to it and pokes it. If it answers like a proxy instead of a real website, it gets blocklisted. This is what retired whole protocol generations (including Trojan), because their servers could be unmasked by anyone who asked.
6. Throttling instead of blocking. The subtle variant: don’t block, just degrade. Unknown UDP streams get shaped to a crawl, long-lived encrypted flows get squeezed. Users blame the VPN, not the network.
How modern stealth answers each rung
VLESS Reality
Presents the genuine TLS handshake of a real, well-known website. SNI inspection sees a normal site (rung 3). Fingerprinting sees a normal handshake (rung 4). An active probe gets the real website back (rung 5). It rides TCP 443, so port games are irrelevant (rung 1). Details: VLESS Reality protocol.
Hysteria2
Rides QUIC, so to inspection it resembles ordinary HTTP/3 traffic (rung 2), and its congestion control shrugs off shaping and lossy links (rung 6). Its limit is rung 1 in one specific form: networks that block unfamiliar UDP wholesale, which is exactly when you switch to Reality. Details: Hysteria2 protocol.
Corporate and campus firewalls: signature matching and SNI blocklists are standard features of enterprise gear
Hotels, airports, public Wi-Fi: usually rungs 1 to 3, occasionally more
ISPs: mostly throttling (rung 6), sometimes SNI-level blocking by legal requirement
National firewalls: the full ladder, including active probing, with the Great Firewall as the reference implementation
What this means in practice
If your VPN connects at home but spins forever on some network, you’ve met one of the rungs above. The fix isn’t a better password or a reinstall; it’s a protocol whose traffic doesn’t classify as VPN at all. In the VPNBaron app, Baron Pathfinder walks the ladder for you, falling back to the stealth protocols when ordinary routes are filtered. Manually, your stealth subscription carries both stealth protocols for every location, importable into V2Box or Hiddify.