Cloudflare ECH and the Russian Block: Why the Site Won't Load
A classic riddle: your panel or site sits behind Cloudflare, opens perfectly from abroad, and from Russia without a VPN — dead silence, while the domain itself isn't blocked anywhere. Let's break down why this happens, what ECH has to do with it, and how it ties into inspection now reading not names but behavior.
This material is about engineering your own infrastructure and is educational in nature. Complying with the laws of your own jurisdiction is your responsibility.
The symptom that throws you off
The situation almost every operator gets stuck on. You've spun up a panel, site, or mini-app behind Cloudflare and turned on proxying (the orange cloud). From abroad everything flies, returns 200, the domain isn't on any blocklist. And from Russia without a VPN the page just won't open: the connection hangs and drops. Turn on any VPN and it all works instantly.
The first thought is "the domain got blocked." You check the lists — no. The second is "the origin went down." But from abroad it responds. The third is "Cloudflare banned Russia." Also no — other sites behind CF open. The riddle is that the culprit is neither a domain block nor the server, but a specific TLS extension.
What ECH is and why it breaks
The root of the problem is ECH (Encrypted Client Hello), which Cloudflare has been enabling on zones by default for a while now. To understand what it has to do with this, recall how the start of an HTTPS connection works in the first place.
When a browser reaches out to a site, in its very first message (the ClientHello) it names in plaintext which hostname it's going to — that's the SNI field. It's precisely by this field that traffic inspection has worked for years: saw a forbidden name in the SNI — dropped the connection. ECH was invented to close this gap: it encrypts the entire ClientHello, including the SNI. Inspection can no longer see which site you're going to.
Sounds like a boon for privacy — and it is, everywhere else in the world. But since late 2024, Russian inspection reacts to ECH specifically toward Cloudflare extremely bluntly: since the name is hidden and this is a connection to CF, it tears down the whole handshake. The logic is simple — "I can't see where the client is going, but I can see it's ECH to Cloudflare → drop."
Why it works through a VPN
Now it's clear why a VPN cures the symptom. When you're under a VPN, your traffic exits to the internet outside the reach of Russian inspection. The ECH handshake to Cloudflare happens from a foreign point, where nobody tears it down. Inspection inside the country sees only the encrypted tunnel to your node and has no idea that inside it is a request to a site behind CF.
That is, the site was accessible the whole time. The problem lived exactly on the "Russian client → Cloudflare" leg, and only because of ECH. The domain isn't banned, the origin is alive, CF works — yet the page won't load. Hence the confusion.
How to confirm it without guessing
The trait that distinguishes this case from a real block is the presence of an ECH config in the domain's DNS record. Cloudflare publishes it in the HTTPS record (type 65): an ech= parameter appears there, and the config inside it carries cloudflare-ech.com as its public name. If it's present, you've almost certainly hit this exact scenario, not a block. If it's absent and the site is still unreachable from Russia, the cause is different and needs a different cure.
The idea is not to fix it blindly. The "opens only with a VPN" symptom occurs with a real domain block, with DNS poisoning, and with ECH alike. Telling them apart is a matter of one DNS-record check, not trial-and-error through solutions.
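To make that one check concrete, here is an added example (not code from the original article or from Cloudflare) that takes the RDATA line `dig +short HTTPS example.com` prints, pulls out the ech= parameter, decodes the ECHConfigList inside it and reports which public name it advertises. The record layout follows RFC 9460 (SVCB/HTTPS) and the TLS ECH specification (config version 0xfe0d); the sample record, its IP hints and its 32-byte key are constructed for this example, not captured from a real zone.

```python
"""Does this HTTPS (type 65) record carry an ECH config, and whose public name?

Added example: paste in the line `dig +short HTTPS <domain>` prints. The sample
record at the bottom is constructed (documentation IPs, placeholder key).
"""
import base64
import struct

ECH_VERSION = 0xFE0D  # the only ECHConfig version currently deployed


def split_svcparams(rdata_line: str) -> dict:
    """Split a presentation-format HTTPS RDATA line into priority, target and SvcParams.

    '1 . alpn="h3,h2" ech=AEX... ipv6hint=2001:db8::1' ->
    {'priority': 1, 'target': '.', 'params': {'alpn': 'h3,h2', 'ech': 'AEX...', ...}}
    """
    tokens = rdata_line.strip().split()
    if len(tokens) < 2:
        raise ValueError("expected '<priority> <target> [key=value ...]'")
    params = {}
    for tok in tokens[2:]:
        key, _, value = tok.partition("=")   # base64 padding '=' stays in value
        params[key] = value.strip('"')
    return {"priority": int(tokens[0]), "target": tokens[1], "params": params}


def _parse_contents(body: bytes) -> dict:
    """Decode ECHConfigContents: key config, max name length, public_name, extensions."""
    off = 0
    config_id = body[off]; off += 1
    (kem_id,) = struct.unpack_from("!H", body, off); off += 2
    (pk_len,) = struct.unpack_from("!H", body, off); off += 2
    public_key = body[off:off + pk_len]; off += pk_len
    (cs_len,) = struct.unpack_from("!H", body, off); off += 2
    suites = [struct.unpack_from("!HH", body, off + i) for i in range(0, cs_len, 4)]
    off += cs_len
    max_name_len = body[off]; off += 1
    name_len = body[off]; off += 1
    public_name = body[off:off + name_len].decode("ascii"); off += name_len
    (ext_len,) = struct.unpack_from("!H", body, off); off += 2
    if off + ext_len != len(body):
        raise ValueError("ECHConfigContents length mismatch")
    return {"config_id": config_id, "kem_id": kem_id, "public_key": public_key,
            "cipher_suites": suites, "maximum_name_length": max_name_len,
            "public_name": public_name}


def parse_ech_config_list(blob: bytes) -> list:
    """Parse an ECHConfigList; entries with an unknown version are skipped, as a client must."""
    (total_len,) = struct.unpack_from("!H", blob, 0)
    if total_len != len(blob) - 2:
        raise ValueError("ECHConfigList length does not match data")
    pos, configs = 2, []
    while pos < len(blob):
        version, length = struct.unpack_from("!HH", blob, pos); pos += 4
        body = blob[pos:pos + length]; pos += length
        if len(body) != length:
            raise ValueError("truncated ECHConfig")
        if version == ECH_VERSION:
            configs.append(_parse_contents(body))
    return configs


def diagnose(rdata_line: str) -> dict:
    """The article's check: is ECH advertised, and under which public name(s)?"""
    ech_b64 = split_svcparams(rdata_line)["params"].get("ech")
    if not ech_b64:
        return {"ech": False, "public_names": []}
    configs = parse_ech_config_list(base64.b64decode(ech_b64))
    return {"ech": True, "public_names": [c["public_name"] for c in configs]}


def build_ech_config_list(public_name: str, public_key: bytes, config_id: int = 0) -> bytes:
    """Serialize a one-entry ECHConfigList (X25519 KEM, HKDF-SHA256 + AES-128-GCM).

    Only used to construct the sample below; a real list comes from DNS.
    """
    contents = (bytes([config_id])
                + struct.pack("!H", 0x0020)                          # DHKEM(X25519, HKDF-SHA256)
                + struct.pack("!H", len(public_key)) + public_key
                + struct.pack("!H", 4) + struct.pack("!HH", 0x0001, 0x0001)  # one cipher suite
                + bytes([64])                                        # maximum_name_length
                + bytes([len(public_name)]) + public_name.encode("ascii")
                + struct.pack("!H", 0))                              # no extensions
    config = struct.pack("!HH", ECH_VERSION, len(contents)) + contents
    return struct.pack("!H", len(config)) + config


# Constructed sample records in dig's presentation format (RFC 5737/3849 addresses).
SAMPLE_ECH = base64.b64encode(build_ech_config_list("cloudflare-ech.com", bytes(range(32)))).decode()
SAMPLE_WITH_ECH = f'1 . alpn="h3,h2" ipv4hint=192.0.2.10,192.0.2.11 ech={SAMPLE_ECH} ipv6hint=2001:db8::10'
SAMPLE_WITHOUT_ECH = '1 . alpn="h3,h2" ipv4hint=192.0.2.10,192.0.2.11 ipv6hint=2001:db8::10'

if __name__ == "__main__":
    for line in (SAMPLE_WITH_ECH, SAMPLE_WITHOUT_ECH):
        print(diagnose(line))
```

If `diagnose` reports `ech: True` with `cloudflare-ech.com` as the public name, you are looking at the ECH case the article describes; if the record has no ech= parameter at all, the "opens only with a VPN" symptom has another cause and turning ECH off will change nothing.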
What to do about it (and why it's about the whole design)
It's cured on the Cloudflare side — ECH can be turned off on the zone, and then Russian inspection again sees an ordinary ClientHello, which it leaves alone, and the page opens without a VPN. It's a reversible setting that takes a few minutes and applies immediately to all subdomains of the zone. The exact steps are a matter of practice; here it's more important to understand the mechanics.
And these mechanics are part of the bigger picture. Traffic inspection in 2026 has long stopped working off lists of IPs and domains. It reacts to how the connection looks: a hidden SNI to a known provider is a signal in itself, even without a forbidden name. This is exactly the same logic by which VPN protocols get throttled: not "what address" but "why does this connection look unusual." Understand this logic and you understand why some things open from Russia and others don't, and you stop fixing blindly.
Exactly how to turn off ECH in the Cloudflare panel and what to do if CF throttles the whole zone — in the practical articles on clean entry and block circumvention. And the general logic of behavioral inspection we cover in the DPI-circumvention section.