The Great Firewall is not a single wall. It is a layered system of detection techniques that work at every level of the network stack, from DNS answers and IP addresses up to packet contents and flow statistics. Understanding how each layer works is what lets you choose a VPN that actually survives it.
Method 1: Deep Packet Inspection (DPI)
DPI systems sit at China's international gateways and analyze every packet in real-time. They examine not just the destination IP and port, but the actual contents and patterns within the packet. For a detailed breakdown, see our article on what deep packet inspection is and how it works.
Each VPN protocol has a wire fingerprint that shows up in its very first packets. OpenVPN opens every session with a hard-reset control packet whose first byte encodes a five-bit opcode and a three-bit key ID; a client reset is 0x38 and the server's reply is 0x40, the same first byte on essentially every OpenVPN connection (tls-crypt encrypts the control payload, not this byte). A WireGuard handshake initiation is always 148 bytes and begins with the message type byte 0x01 followed by three reserved zero bytes; the response is always 92 bytes. Shadowsocks has no header at all, and that is its fingerprint: legitimate TLS starts with a plaintext record header and readable bytes, while Shadowsocks is uniformly random from the first byte, so the GFW flags flows whose first packet has roughly four bits set per byte, no printable prefix, and no match against any known protocol header.
Modern DPI runs at line rate, so the inspection adds no latency a user would notice, and classification needs only the first packet or two of a flow rather than the whole stream. Every new flow crossing the gateways is classified as it starts.
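As an added example (not code from the original page or from any GFW source), here is a first-packet classifier that applies exactly these fingerprints: the OpenVPN opcode byte, the WireGuard type byte and fixed lengths, the TLS record header, and the published "fully encrypted" exemption rules the GFW has applied to Shadowsocks-style traffic since 2021 (Wu et al., USENIX Security 2023). The sample packets are constructed, and the check order and the HTTP method list are my assumptions:

```python
"""First-packet protocol classifier in the style of gateway DPI.

Added illustration, not the GFW's code. The OpenVPN, WireGuard and TLS checks
are the protocols' documented wire formats; the "fully encrypted" exemption
rules follow the published analysis of the GFW's behaviour (Wu et al.,
USENIX Security 2023). Sample packets are constructed; check order is assumed.
"""


def _printable(b: int) -> bool:
    return 0x20 <= b <= 0x7E


def openvpn_opcode(payload: bytes):
    """OpenVPN/UDP first byte = (opcode << 3) | key_id. Hard resets open every
    session: 1/2 = client/server V1, 7/8 = client/server V2; key_id is 0 then.
    A plain (no tls-auth) client reset is 14 bytes: opcode, 8-byte session id,
    empty ack array, 4-byte packet id."""
    if len(payload) < 14:
        return None
    opcode, key_id = payload[0] >> 3, payload[0] & 0x07
    return opcode if opcode in (1, 2, 7, 8) and key_id == 0 else None


def wireguard_type(payload: bytes):
    """WireGuard: 1-byte type + 3 reserved zero bytes, then fixed-size bodies:
    initiation 148, response 92, cookie reply 64; data packets are 32 + 16k."""
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":
        return None
    t, n = payload[0], len(payload)
    if (t, n) in ((1, 148), (2, 92), (3, 64)):
        return t
    if t == 4 and n >= 32 and (n - 32) % 16 == 0:
        return t
    return None


def is_tls_client_hello(payload: bytes) -> bool:
    """TLS record type 0x16 (handshake), version 3.x, handshake type 1."""
    return (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x03 and payload[5] == 0x01)


def looks_fully_encrypted(payload: bytes) -> bool:
    """True when none of the exemption rules fires: about 4 bits set per byte
    and no printable structure, as Shadowsocks ciphertext looks from byte 0."""
    n = len(payload)
    if n == 0:
        return False
    bits_per_byte = sum(bin(b).count("1") for b in payload) / n
    if bits_per_byte <= 3.4 or bits_per_byte >= 4.6:
        return False                                  # Ex1: not uniformly random
    if all(_printable(b) for b in payload[:6]):
        return False                                  # Ex2: printable start
    if sum(_printable(b) for b in payload) > n / 2:
        return False                                  # Ex3: mostly printable
    run = longest = 0
    for b in payload:
        run = run + 1 if _printable(b) else 0
        longest = max(longest, run)
    return longest <= 20                              # Ex4: long printable run


def classify(payload: bytes) -> str:
    if (op := openvpn_opcode(payload)) is not None:
        return f"openvpn(opcode={op})"
    if (t := wireguard_type(payload)) is not None:
        return f"wireguard(type={t})"
    if is_tls_client_hello(payload):
        return "tls-client-hello"                     # Ex5: known protocol prefix
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"OPTIONS"):
        return "http"
    if looks_fully_encrypted(payload):
        return "fully-encrypted(suspect)"
    return "unknown"


# Constructed samples (not captures).
SAMPLES = {
    "openvpn_reset": bytes([0x38]) + b"\x11" * 8 + b"\x00" + b"\x00\x00\x00\x00",
    "wireguard_init": b"\x01\x00\x00\x00" + b"\x5a" * 144,
    "tls_hello": b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03",
    "http_get": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "shadowsocks_like": b"\x0f\xf0" * 32,   # exactly 4 bits/byte, nothing printable
    "all_zero": bytes(64),                   # low entropy: exempt, not flagged
}


def classify_samples() -> dict:
    return {name: classify(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, label in classify_samples().items():
        print(f"{name:16} -> {label}")
```

The point to notice is the last two samples: the random-looking payload is flagged without any signature at all, while the all-zero payload is exempt because it fails the entropy test. A protocol that survives this classifier has to look like a named protocol, not merely like nothing.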
Method 2: IP Blocklisting
The GFW maintains regularly updated blocklists of VPN server IPs. Sources include:
- Scraping VPN provider websites and API endpoints for server lists
- Monitoring data center IP ranges commonly used by VPN providers
- User reports and manual discovery
- Automated probing of suspected VPN server IPs
When a commercial VPN adds a new server, it is often discovered and blocked within hours to days.
Method 3: Active Probing
This is the GFW's most distinctive technique. When DPI or traffic analysis suggests an IP might be a VPN server, the GFW sends its own connection attempts to it, from ordinary-looking Chinese IP addresses and often within seconds of the triggering flow. If the server answers like VPN software rather than like a legitimate web server, the IP is confirmed as a VPN and blocked.
For example, a server on port 443 is supposed to be an HTTPS server, so the probe behaves like a browser or a stray client: it sends a TLS ClientHello, an HTTP GET, a replayed copy of the suspicious client's own first packet, or a burst of random bytes, and watches what comes back. A genuine web server completes a TLS handshake with a valid certificate, or answers plain HTTP with an HTTP error. OpenVPN answers a client hard-reset with a server hard-reset unless tls-auth or tls-crypt gates it; WireGuard silently drops anything that is not a correctly keyed handshake; Shadowsocks servers have been identified by how and when they close connections carrying bad or replayed data. None of those behaviours is what a web server does, and that difference is all the probe needs.
Why VLESS+Reality Survives Active Probing
VLESS+Reality handles probe connections differently. The client's credential is hidden inside the TLS ClientHello itself (in the session ID field, derived from the server's key), and the ClientHello names a real, unrelated site as its SNI, for example microsoft.com. When a connection arrives whose ClientHello does not authenticate, the server does not answer it at all; it relays the connection, byte for byte, to the real target website. The GFW's probe therefore completes a genuine TLS handshake, receives Microsoft's real certificate, and sees exactly what it would see from Microsoft's own servers. Two caveats: the target site must be reachable from the server and must support TLS 1.3, and Reality only makes the server look legitimate to a prober; it does nothing for an IP that is already on a blocklist.
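Here is the dispatch logic for the probe scenario and the Reality fallback above, as an added example rather than Xray's own code. It builds and parses a minimal ClientHello with an SNI extension, and stands in for Reality's X25519-based credential with a pre-shared key and an HMAC tag in the 32-byte session ID field (that simplification, the key, the dest host and the probe bytes are all assumptions for the demo); the freshness window mirrors Reality's rejection of stale hellos, which is what defeats a replayed probe:

```python
"""Reality-style ClientHello dispatch, as an added, simplified illustration.

Assumptions (not the real Reality scheme): a pre-shared key and an HMAC tag in
the 32-byte session_id field stand in for Reality's X25519-derived credential;
the dest hostname and the probe/client bytes are constructed for the demo.
"""
import hashlib
import hmac
import struct

DEST = "www.microsoft.com"               # the site the page calls "the real target"
PSK = b"constructed-pre-shared-key"       # stand-in for Reality's server keypair
FRESHNESS = 60                            # seconds; Reality also rejects stale hellos


def _u16(n: int) -> bytes:
    return struct.pack("!H", n)


def make_session_id(key: bytes, sni: str, ts: int, nonce: bytes) -> bytes:
    """Client side: 4-byte timestamp + 12-byte nonce + 16-byte HMAC tag = 32 bytes."""
    assert len(nonce) == 12
    head = struct.pack("!I", ts) + nonce
    tag = hmac.new(key, head + sni.encode(), hashlib.sha256).digest()[:16]
    return head + tag


def verify_session_id(key: bytes, sni: str, sid: bytes, now: int) -> bool:
    """Server side: constant-time tag check plus a freshness window (anti-replay)."""
    if len(sid) != 32:
        return False
    ts = struct.unpack("!I", sid[:4])[0]
    expect = hmac.new(key, sid[:16] + sni.encode(), hashlib.sha256).digest()[:16]
    return hmac.compare_digest(expect, sid[16:]) and abs(now - ts) <= FRESHNESS


def build_client_hello(sni: str, session_id: bytes) -> bytes:
    """Minimal TLS ClientHello record carrying one server_name extension."""
    host = sni.encode()
    name_list = b"\x00" + _u16(len(host)) + host                  # host_name entry
    sni_ext = _u16(0) + _u16(len(name_list) + 2) + _u16(len(name_list)) + name_list
    body = (b"\x03\x03" + bytes(32)                                # version, random (constructed zeros)
            + bytes([len(session_id)]) + session_id
            + _u16(2) + b"\x13\x01"                                # one cipher suite
            + b"\x01\x00"                                          # compression: null
            + _u16(len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake


def parse_client_hello(data: bytes):
    """Return (session_id, sni) or None when the bytes are not a ClientHello."""
    if len(data) < 44 or data[0] != 0x16 or data[5] != 0x01:
        return None
    p = 43                                                         # past headers, version, random
    sid_len = data[p]; p += 1
    sid = data[p:p + sid_len]; p += sid_len
    p += 2 + int.from_bytes(data[p:p + 2], "big")                  # skip cipher_suites
    p += 1 + data[p]                                               # skip compression_methods
    end = p + 2 + int.from_bytes(data[p:p + 2], "big"); p += 2     # extensions block
    sni = None
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", data[p:p + 4]); p += 4
        if etype == 0 and elen >= 5:                               # list_len(2) type(1) len(2) host
            nlen = int.from_bytes(data[p + 3:p + 5], "big")
            sni = data[p + 5:p + 5 + nlen].decode("ascii", "replace")
        p += elen
    return sid, sni


def dispatch(data: bytes, key: bytes, now: int) -> str:
    """What the server does with the first bytes of a connection."""
    parsed = parse_client_hello(data)
    if parsed is None:
        return f"forward to {DEST}"            # not even TLS: let the real site answer
    sid, sni = parsed
    if sni == DEST and verify_session_id(key, sni, sid, now):
        return "proxy"                         # authenticated VLESS client
    return f"forward to {DEST}"                # prober or stranger gets the genuine site


def demo() -> dict:
    now = 1_700_000_000
    nonce = bytes(range(12))                   # constructed; real clients use random nonces
    client = build_client_hello(DEST, make_session_id(PSK, DEST, now, nonce))
    probe = build_client_hello(DEST, bytes(32))                    # hello without credential
    raw_probe = b"GET / HTTP/1.1\r\nHost: " + DEST.encode() + b"\r\n\r\n"
    return {
        "client": dispatch(client, PSK, now),
        "probe": dispatch(probe, PSK, now),
        "raw_probe": dispatch(raw_probe, PSK, now),
        "replayed_client": dispatch(client, PSK, now + 600),      # captured hello, replayed later
    }


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:16} -> {action}")
```

The forwarded cases return only a label here; a real server opens a TCP connection to the dest and splices bytes in both directions. To check a deployed server from outside, `openssl s_client -connect <server>:443 -servername www.microsoft.com` should show Microsoft's certificate chain and a completed TLS 1.3 handshake, with nothing that differs from running the same command against Microsoft itself.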
Method 4: Statistical Traffic Analysis
Machine learning models analyze traffic metadata: packet sizes, inter-arrival times, connection durations, and bandwidth patterns. VPN traffic has statistical properties that differ from normal web browsing -- more uniform packet sizes, longer connection durations, different bandwidth patterns.
VLESS+Reality counters the most obvious of these signatures with XTLS Vision flow control. Carrying a browser's TLS session inside another TLS session produces a telltale "TLS in TLS" pattern: a second handshake's record sizes appear, predictably, right after the outer one. Vision pads those inner handshake records so their sizes no longer stand out, and once the inner TLS 1.3 handshake is done it stops double-encrypting and passes the inner records through, so the outer stream carries ordinary TLS record sizes. It does not change how long a session stays open or how much data it moves; those remain visible, which is why usage patterns matter as much as the protocol.
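To make the metadata concrete, here is an added example (not from the page or any vendor) that computes a few of the features such models use, over two constructed flows of (time, size) pairs: a short browsing session and a steady tunnel. The feature names and the rule in suspect() are assumptions for the demo, not the GFW's thresholds:

```python
"""Flow-metadata features of the kind a statistical classifier would use.

Added illustration with two constructed flows of (time_s, size_bytes);
the thresholds in suspect() are assumptions for the demo, not the GFW's.
"""
from statistics import mean, pstdev

# Constructed: a page load with small requests, big responses and idle gaps, then a later click.
BROWSING = [(0.00, 517), (0.05, 1514), (0.06, 1514), (0.07, 320), (0.30, 600),
            (0.35, 1514), (0.36, 900), (4.00, 450), (4.05, 1514), (4.06, 1200)]
# Constructed: 10 s of back-to-back MTU-sized tunnel packets, every tenth one shorter.
TUNNEL = [(0.02 * i, 1514 if i % 10 else 1362) for i in range(500)]


def features(flow) -> dict:
    """Per-flow summary: sizes, timing and how many packets are near full size."""
    times = [t for t, _ in flow]
    sizes = [s for _, s in flow]
    iats = [b - a for a, b in zip(times, times[1:])] or [0.0]
    return {
        "packets": len(flow),
        "duration_s": times[-1] - times[0],
        "mean_size": mean(sizes),
        "size_cv": pstdev(sizes) / mean(sizes),        # spread of sizes relative to mean
        "full_frac": sum(s >= 1400 for s in sizes) / len(sizes),
        "iat_cv": pstdev(iats) / mean(iats) if mean(iats) else 0.0,
    }


def suspect(f: dict) -> bool:
    """Illustrative rule: uniform, mostly full-size packets for a long stretch."""
    return f["size_cv"] < 0.1 and f["full_frac"] > 0.8 and f["duration_s"] > 5


if __name__ == "__main__":
    for name, flow in (("browsing", BROWSING), ("tunnel", TUNNEL)):
        f = features(flow)
        print(name, {k: round(v, 3) for k, v in f.items()}, "suspect" if suspect(f) else "ok")
```

Padding individual records changes size_cv and full_frac; it does nothing to duration_s or to byte volume, which is the part of the profile that Vision leaves untouched.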
Method 5: DNS Manipulation
Plain DNS queries for VPN-related domains are intercepted and poisoned: the GFW sees the query on its way out and injects a forged answer that arrives before the real one. If you try to resolve expressvpn.com, your query either gets no usable answer or comes back with a bogus IP. This stops users from even reaching VPN provider websites to download software or retrieve server configurations.
DNS-over-TLS and DNS-over-HTTPS bypass the forged replies, but only as long as the resolver itself is reachable: the resolver's IP can be blocklisted, DoT's dedicated port 853 is easy to block outright, and the SNI in a DoH client's ClientHello is plaintext, so a public DoH resolver can be blocked by name as well as by address.
What This Means for VPN Selection
Any VPN that survives in China must counter all five methods simultaneously:
- Use a protocol whose first packets carry no fingerprint and do not look like random noise either
- Use an IP that is not on any VPN blocklist, which in practice means a server you control rather than a shared commercial one
- Answer active probes exactly as a legitimate web server would
- Generate traffic whose record sizes and timing look like normal HTTPS
- Resolve DNS inside the tunnel, or over an encrypted resolver that is itself reachable, so no plaintext query leaks
Currently, VLESS+Reality on a private dedicated server is the most robust widely available approach that addresses all five at once. This is exactly how KookVPN is built.