Frequently Asked Questions

Yes. KookVPN uses the VLESS+Reality+Vision protocol, which has a 98% success rate against China's Great Firewall as of March 2026. Unlike commercial VPNs that use detectable protocols like OpenVPN or WireGuard, Reality protocol mimics legitimate HTTPS traffic to microsoft.com. The GFW cannot distinguish KookVPN connections from normal web browsing. Our founder uses KookVPN daily from inside China and has maintained 100% uptime since launch.

Three fundamental differences: (1) Protocol -- KookVPN uses VLESS+Reality+Vision, the only protocol that mimics real HTTPS traffic. Astrill uses StealthVPN, ExpressVPN uses Lightway, NordVPN uses NordLynx -- all have detectable signatures. (2) Infrastructure -- You get a dedicated private server, not a shared IP pool with thousands of other users. When one user on a shared VPN server gets flagged by the GFW, everyone on that IP gets blocked. (3) Builder -- KookVPN was built by an expat who lived in China for 15 years and stakes his own livelihood on it working every day. It is not a corporate product from a company that has never experienced the GFW firsthand.

Download the KookVPN desktop client from our download page. Run the installer, which takes about 60 seconds. Launch the app, enter your credentials, and click Connect. The entire process takes under 3 minutes. The app requires administrator privileges because it uses TUN mode to capture all OS-level traffic, which needs to create a virtual network adapter. See our setup guide for detailed step-by-step instructions with screenshots.

KookVPN currently supports Windows (10 and 11). The custom desktop client uses sing-box with TUN mode for complete traffic capture. macOS and Linux support are on the roadmap. For mobile devices, you can use compatible third-party clients like Hiddify, v2rayNG (Android), or Streisand (iOS) with your KookVPN connection configuration.

We do not offer a free trial because each customer gets dedicated server infrastructure that costs real money to provision. However, we offer a 7-day money-back guarantee with no questions asked. If KookVPN does not work for you, you get a full refund. Given our 98% success rate, we are confident you will not need it. See our refund policy for details.

Speed depends on your ISP and time of day. Typical results: China Telecom users see 75-80 Mbps downloads via our Singapore server. China Unicom users can achieve 90-100 Mbps. China Mobile has the most variability due to inferior international routing. BBR congestion control is enabled on our servers, which optimizes TCP throughput on high-latency connections. Peak hour degradation (7-11 PM CST) affects all international traffic in China, not just VPN traffic. See our speed test results for detailed benchmarks.

VLESS is a lightweight proxy protocol. Reality replaces traditional TLS certificates by mimicking the TLS handshake of legitimate websites (like microsoft.com). Vision adds flow control and traffic shaping. Together, they create connections that are indistinguishable from normal HTTPS browsing. The key innovation is that Reality uses the real target site's TLS certificate instead of a custom one, making active probing by the GFW ineffective -- probes get microsoft.com's real response, not a VPN fingerprint.

The GFW uses five main detection methods: Deep Packet Inspection (DPI), IP blocking, active probing, statistical traffic analysis, and DNS manipulation. VLESS+Reality+Vision defeats all five: (1) DPI sees standard TLS 1.3 handshakes. (2) Your dedicated IP is not in any VPN blocklist. (3) Active probes get forwarded to the real microsoft.com. (4) Vision's flow control creates traffic patterns identical to HTTPS browsing. (5) DNS-over-TLS prevents DNS manipulation. This is why VLESS+Reality has a 98% success rate compared to 81% for Hysteria2 and near-zero for WireGuard/OpenVPN.

TUN mode creates a virtual network adapter at the operating system level that captures ALL traffic -- not just browser traffic, but every application, CLI tool, API call, and background process. This is critical for two reasons: (1) Applications like Claude Code, Codex CLI, and Gemini CLI make direct API connections that browser-based VPN extensions cannot capture. (2) DNS queries, WebRTC connections, and background telemetry can leak your real IP through standard proxy modes. TUN mode ensures zero leaks. See our detailed TUN mode explanation.

Split routing sends Chinese traffic (WeChat, Alipay, Taobao, Meituan, etc.) directly through your normal ISP connection while routing international traffic (Google, YouTube, Claude, OpenAI, etc.) through the VPN tunnel. This is essential because: (1) Chinese apps perform better on direct connections. (2) Some Chinese services actively block foreign IPs. (3) WeChat and Alipay payment systems can flag accounts that connect from overseas IPs. KookVPN handles split routing automatically -- you do not need to configure anything.

Singapore offers the best balance of latency, bandwidth, and routing for connections from mainland China. It is geographically close (low latency), has excellent peering with Chinese ISPs via multiple submarine cables, and DigitalOcean's Singapore datacenter provides clean IPs that are not associated with VPN services. Tokyo is an alternative with slightly lower latency for some Chinese ISPs, but Singapore consistently provides the most reliable routing across all three major Chinese ISPs (Telecom, Unicom, Mobile).

KookVPN uses DNS-over-TLS (DoT) for all DNS queries. When connected, your DNS requests are encrypted and sent through the VPN tunnel to trusted DNS servers -- not your ISP's DNS which can be monitored and manipulated. This prevents the GFW from seeing what domains you are resolving, which is one of the ways it detects and throttles VPN users. Additionally, TUN mode ensures no DNS queries bypass the tunnel.

BBR (Bottleneck Bandwidth and Round-trip propagation time) is Google's TCP congestion control algorithm. Traditional TCP algorithms like CUBIC reduce throughput when they detect packet loss, which is catastrophic on China-to-international links where 2-8% packet loss is normal. BBR instead models the network path to find the optimal sending rate, which can improve throughput by 50-100% on lossy international connections. KookVPN servers have BBR enabled by default.

Not with the current desktop client, which requires Windows. However, if you have a router running OpenWrt or similar firmware, you can configure sing-box or Xray-core directly on the router using your KookVPN connection details. This would provide VPN coverage for every device on your network. Router setup is an advanced configuration -- contact support if you need guidance.

Each KookVPN subscription is provisioned with dedicated server infrastructure. The number of simultaneous connections depends on your plan. Standard plans support up to 3 concurrent connections. Business plans support more. Contact us for specific requirements.

KookVPN includes a kill switch that immediately blocks all internet traffic if the VPN connection drops. This prevents your real China IP from being exposed to services like Anthropic, OpenAI, or Google -- which could trigger a permanent account ban. The kill switch activates in under 100ms and remains active until the VPN reconnects (auto-reconnect is enabled by default). This is the single most important safety feature for AI developers working in China.

We accept cryptocurrency (Bitcoin, USDT), PayPal, and credit cards via Stripe (Visa, Mastercard, American Express). Cryptocurrency is recommended for maximum privacy. PayPal and Stripe are available for users who prefer traditional payment methods. All transactions are processed through secure third-party processors -- we never store your payment information.

We offer a 7-day money-back guarantee with no questions asked. If KookVPN does not meet your expectations within the first 7 days of your subscription, contact support@kookvpn.com for a full refund. Refunds are processed within 5-7 business days to the original payment method. See our refund policy for complete details.

Yes. For teams of 5 or more, we offer dedicated team infrastructure with centralized management, priority support, and volume pricing. Each team member gets their own dedicated connection. Contact business@kookvpn.com to discuss your team's requirements.

Send an email to support@kookvpn.com with your account email and we will process the cancellation immediately. There are no cancellation fees, no retention departments, no dark patterns. If you are within the 7-day guarantee period, you will receive a full refund.

KookVPN's pricing ($30/month, $15/month annual, $12.50/month 2-year) matches Astrill because the infrastructure costs are comparable -- we provision dedicated server resources for each customer rather than cramming thousands of users onto shared servers. The difference is what you get for that price: a protocol that actually works (VLESS+Reality vs detectable StealthVPN), a dedicated server (not shared with thousands), and support from someone who actually uses VPN in China daily.

Currently, Singapore (SGP1) is our primary server location, offering the best balance of speed and reliability for connections from mainland China. We are evaluating additional locations including Tokyo and San Francisco for customers who need specific geographic routing. Contact support if you have a specific location requirement.

VPN usage in China occupies a legal gray area. The regulations primarily target unauthorized VPN providers operating within China, not individual users. Millions of foreign nationals and Chinese professionals use VPNs daily for work. There are no known cases of foreign nationals being punished specifically for personal VPN use. That said, we are not lawyers and this is not legal advice. KookVPN's Reality protocol makes your traffic look like normal HTTPS browsing, which means there is no detectable "VPN signal" to flag.

China Telecom offers the most stable international routing, especially with CN2 (premium) lines -- expect 75-80 Mbps. China Unicom provides slightly faster peak speeds (90-100 Mbps) with decent international peering. China Mobile has the worst international routing and heaviest throttling -- avoid it for VPN use if possible. If you have a choice of ISP, China Telecom or China Unicom are recommended. See our detailed ISP comparison.

Yes, this is exactly what KookVPN was designed for. TUN mode captures all CLI traffic at the OS level, so commands like claude, codex, and gemini all route through the VPN automatically. Your dedicated server IP is not in any AI company's VPN blocklist because it is a standard DigitalOcean IP, not associated with commercial VPN services. Combined with the kill switch, your real IP is never exposed to AI APIs. See our AI developers page for more details.

AI companies (Anthropic, OpenAI, Google) maintain blocklists of known VPN IP ranges -- NordVPN, ExpressVPN, Astrill, etc. KookVPN uses a dedicated DigitalOcean IP that belongs to their standard hosting IP range, not a VPN range. As far as AI companies are concerned, your traffic originates from a standard Singapore cloud server, which is a completely normal origin for API traffic. This is the fundamental advantage of private infrastructure over commercial VPN services.

The NPC (held annually in March) is one of the most intense internet restriction periods. The GFW significantly increases enforcement, blocking many commercial VPN servers and throttling international bandwidth. Most Astrill and ExpressVPN users experience severe disruption. KookVPN's VLESS+Reality protocol is specifically designed to survive these crackdowns because the GFW cannot distinguish it from legitimate HTTPS traffic. Our users have reported uninterrupted service during NPC sessions.

Yes. KookVPN's split routing feature sends Chinese app traffic (WeChat, Alipay, Taobao, Meituan, Didi, etc.) directly through your normal ISP connection. Only international traffic routes through the VPN. This means your Chinese apps work perfectly while you have full access to blocked international services. WeChat and Alipay payment systems can flag accounts that connect from foreign IPs -- split routing prevents this.

Yes. KookVPN routes streaming traffic through our Singapore server with BBR congestion control optimized for high-throughput connections. Users typically achieve 4K streaming quality on YouTube and Netflix. The key advantage over commercial VPNs is that your dedicated IP is not flagged by streaming services' VPN detection systems. See our streaming page for details.

Free VPNs in China are either: (1) Honeypots operated by entities that log and sell your data, (2) Ad-supported services with bandwidth caps and terrible speeds, or (3) Services using detectable protocols that get blocked within days. More importantly, free VPNs use shared IP pools that are immediately flagged by AI companies. Using a free VPN to access Claude Code or OpenAI is a fast track to getting your account permanently banned. Your data and API access are worth more than $12.50/month.

A commercial VPN (Astrill, ExpressVPN, NordVPN) puts thousands or millions of users on shared server pools. This means: (1) IP addresses are well-known to the GFW and AI companies. (2) One user's bad behavior can get the entire IP range blocked. (3) Server load is unpredictable. A private VPN like KookVPN gives you dedicated infrastructure. Your IP is yours alone. No cross-contamination. No shared load. No public IP lists for the GFW to scrape. See our detailed comparison.

Since launch, KookVPN has maintained 100% uptime. The VLESS+Reality protocol has not been blocked by the GFW during any sensitive period, including the March 2026 NPC session. If the server IP were ever compromised, we have an automated IP rotation procedure that provisions a new server from a snapshot within minutes. This has not been necessary so far.

First, check that you are running the app as administrator (right-click, "Run as administrator"). TUN mode requires admin privileges. Second, verify your system clock is synchronized -- Reality protocol authentication is time-sensitive. Third, try disconnecting and reconnecting. If issues persist, check our troubleshooting guide or contact support with your operating system, ISP, and approximate location.

Slow speeds are usually caused by ISP throttling, not KookVPN itself. Try these steps: (1) Run a speed test without VPN to establish your baseline. (2) Check if you are on China Mobile, which has the worst international routing -- consider switching to Telecom or Unicom. (3) Avoid peak hours (7-11 PM CST) for bandwidth-heavy tasks. (4) Ensure BBR is enabled (it is by default on KookVPN servers). (5) If speeds are consistently below 20 Mbps, contact support -- we may need to investigate your ISP's routing.

This means the app does not have sufficient privileges to create the virtual network adapter. Solutions: (1) Run the app as administrator. (2) Ensure wintun.dll is present in the KookVPN directory. (3) Check that no other VPN or virtual adapter software is conflicting (disable Hyper-V if not needed). (4) Temporarily disable your antivirus, which may be blocking the TUN driver installation. If none of these work, contact support.

If you are using a company-managed device, your employer may have endpoint monitoring software installed that operates below the VPN layer. KookVPN encrypts all network traffic leaving your device, so network-level monitoring by your employer's IT department would only see encrypted connections to what appears to be microsoft.com (the Reality SNI target). However, endpoint agents with kernel-level access can potentially see traffic before encryption. For maximum privacy, use KookVPN on a personal device.

The KookVPN desktop client is built on open-source components: sing-box (GPLv3) for the VPN engine and Xray-core (MPL-2.0) for the server-side VLESS+Reality implementation. The KookVPN client application itself (the GUI wrapper and configuration logic) is proprietary. We believe in transparency about our technology -- the underlying protocol specifications (VLESS, Reality, Vision) are fully documented in the Xray-core project. You can verify exactly how the encryption and authentication work.