From zero to connected in 3 minutes.

No networking PhD required. But if you want the technical deep dive on why this works when everything else fails, keep scrolling.

01

Sign Up

Choose your plan and create your account. Payment via crypto, PayPal, or Stripe. Takes 2 minutes.

02

Download KookVPN

Download the custom desktop client for Windows. One installer, no dependencies, no configuration.

03

Click Connect

Open KookVPN, click connect. The app handles server selection, protocol config, and TUN adapter setup automatically.

04

You're Protected

All traffic encrypted and routed through Singapore. The GFW sees normal HTTPS to microsoft.com. Everything works.

Under the hood

What happens when you click connect

1

TUN Adapter Starts

KookVPN creates a virtual network adapter via wintun. All system traffic redirected through it.

2

TLS Handshake

Your device initiates what appears to be a normal HTTPS connection to microsoft.com. Standard TLS 1.3.

3

Reality Auth

Embedded in the TLS handshake: a session ID that authenticates you via ECDH shared secrets. Invisible to the GFW.

4

Tunnel Active

Encrypted traffic flows through VLESS tunnel to Singapore. Vision applies flow control to match HTTPS patterns.

Technical Architecture

The complete technology stack

Every layer purpose-built for one goal: maintaining a 100% undetectable, zero-leak connection from China.

Application Layer

KookVPN Desktop Client

Python + CustomTkinter + sing-box

Custom app with one-click connect, system tray, auto-reconnect. Runs sing-box v1.13.2 under the hood.

Transport Layer

VLESS + Reality + Vision

Xray-core 26.2.6 + uTLS

VLESS proxy protocol + Reality TLS mimicry + Vision flow control. Connections indistinguishable from normal HTTPS.

Network Layer

TUN Mode

sing-box TUN + wintun.dll

Virtual network adapter captures ALL OS-level traffic. Every app, every DNS query, every API call -- encrypted.

Server Layer

Singapore SGP1

Ubuntu 24.04 + BBR + DoT

Dedicated DigitalOcean server. BBR congestion control, DNS-over-TLS, UFW + cloud firewall (ports 22, 443 only).

The killer feature

Why active probing can't detect us

The GFW doesn't just analyze traffic passively. It actively probes suspected VPN servers. If the server responds differently than the claimed service, it's blocked.

This kills Shadowsocks, Trojan, and most obfuscation protocols. They look like HTTPS on the surface, but probes reveal non-standard responses.

Reality's solution: unauthenticated connections (including GFW probes) are forwarded to the real destination -- microsoft.com. Probes get microsoft.com's actual response. There is literally nothing to detect.

KookVPN User VPN tunnel
GFW Probe microsoft.com
Scanner Bot microsoft.com

Ready to experience the difference?

Connect in 3 minutes. 7-day money-back guarantee.

Get KookVPN Now See How It Works