Deep Packet Inspection (DPI) is the technology at the heart of China's Great Firewall. Unlike simple IP blocking (which just blocks connections to known addresses), DPI examines the actual contents of every data packet flowing through China's international gateways -- in real time, at wire speed, billions of packets per second.
How DPI Works
Every data packet on the internet has two parts: the header (addressing information) and the payload (actual content). Simple firewalls only look at headers -- source IP, destination IP, port number. DPI looks at the payload.
When you connect to a VPN, the DPI system examines the first few packets of your connection. Each VPN protocol has a distinctive pattern in these initial packets -- a fingerprint that identifies the protocol.
Protocol Fingerprints the GFW Detects
OpenVPN
OpenVPN's control channel uses a distinctive opcode byte (values 0x00-0x09) in the first byte of each packet. The handshake exchange follows a predictable sequence. The GFW has detected OpenVPN since 2018 -- it is the most easily identified VPN protocol.
WireGuard
WireGuard's handshake initiation message is always exactly 148 bytes with a 1-byte message type field. The response is always 92 bytes. This size consistency is a clear fingerprint. Detection was added to the GFW around 2022.
Shadowsocks
Shadowsocks encrypts all traffic, so there is no plaintext fingerprint. However, encrypted traffic has statistical properties: high entropy (randomness), uniform packet sizes, and specific connection patterns. Machine learning classifiers trained on these features can identify Shadowsocks connections with high accuracy.
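The WireGuard size fingerprint and the Shadowsocks entropy property described above, shown as passive detection logic in an added example (not code from this article or from any GFW component). The WireGuard type values and reserved bytes come from the WireGuard protocol rather than this page; the function names, the 512-byte minimum and the 7.0 threshold are illustrative assumptions, and the samples are constructed.

```python
import hashlib
import math
from collections import Counter

# Sizes come from the text above. The type values (1 = initiation, 2 = response)
# and the three reserved zero bytes are WireGuard protocol details, not from this page.
WG_SIZE_BY_TYPE = {1: 148, 2: 92}
MIN_ENTROPY_LEN = 512      # illustrative: short payloads give unstable estimates
ENTROPY_THRESHOLD = 7.0    # illustrative, in bits per byte (maximum is 8.0)

def shannon_entropy(data: bytes) -> float:
    """Empirical byte entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_first_payload(payload: bytes) -> str:
    """Label the first payload of a flow using the two features from the text."""
    if (len(payload) >= 4
            and WG_SIZE_BY_TYPE.get(payload[0]) == len(payload)
            and payload[1:4] == b"\x00\x00\x00"):
        return "wireguard-handshake"
    if len(payload) >= MIN_ENTROPY_LEN and shannon_entropy(payload) >= ENTROPY_THRESHOLD:
        return "high-entropy"   # one feature for a classifier, not a verdict
    return "unclassified"

def constructed_random(n: int) -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 of a counter)."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

# Constructed samples, not captured traffic.
SAMPLES = {
    "wg_init": b"\x01\x00\x00\x00" + constructed_random(144),
    "wg_resp": b"\x02\x00\x00\x00" + constructed_random(88),
    "encrypted_first_packet": constructed_random(1024),
    "plaintext_http": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n" * 12,
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:24} len={len(payload):4} "
              f"H={shannon_entropy(payload):.2f} -> {classify_first_payload(payload)}")
```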
VLESS+Reality
VLESS+Reality does not have a VPN fingerprint because it mimics legitimate HTTPS traffic. The TLS handshake matches a real browser connecting to microsoft.com. The DPI system sees standard TLS 1.3 traffic with proper certificates, SNI, and handshake patterns. There is no distinctive packet to fingerprint.
DPI at Scale
China's DPI infrastructure operates at the international gateway level. All traffic entering or leaving China passes through these gateways. The processing is hardware-accelerated, using custom FPGA or ASIC chips designed for high-speed pattern matching. There is no significant latency penalty -- the inspection happens at wire speed.
Evading DPI
There are two approaches to evading DPI:
- Obfuscation: Add a layer on top of a VPN protocol that obscures its fingerprint. This is what Astrill's StealthVPN and NordVPN's NordWhisper do. The problem is that obfuscation can itself be detected -- the patterns of obfuscated traffic differ from normal traffic.
- Mimicry: Make VPN traffic look identical to legitimate traffic. This is what VLESS+Reality does. Instead of hiding VPN traffic, it impersonates HTTPS traffic. The DPI system cannot block it without also blocking all HTTPS connections to the mimicked domain.
Key insight: The GFW's DPI has had years to study every VPN protocol. Obfuscation buys time but eventually gets detected. Mimicry of essential protocols (HTTPS) provides a more fundamental defense because blocking the mimicked traffic would break China's own internet infrastructure.