How internet censorship works: DPI, TSPU, blocking

To keep nodes alive you have to understand not "what's blocked" but exactly how the thing that blocks works. Let's break down the logic of traffic inspection as of 2026 — without it, you're applying any protocol guide blind.

This material covers the engineering of your own network infrastructure and is educational in nature. Complying with the laws of your own jurisdiction is on you.

Censorship stopped being about IP lists long ago

The beginner's main misconception is thinking a block means "added an IP to a blacklist." That's how it worked about five years ago. Today traffic inspection (known in Russia as TSPU — technical means of countering threats) is statistics and behavior, not a list.

The difference is fundamental. An IP list is beaten by changing addresses. Behavioral inspection can't be beaten by changing addresses — it looks not at where you're going but at how your connection looks and behaves. So modern node defense isn't "hide the IP," it's "make the traffic statistically indistinguishable from ordinary HTTPS."

Four ways to catch you

Inspection catches a VPN by several signals at once. Here they are, from simple to sophisticated.

1. Signatures

The cheapest one: inspection looks at the first bytes of the packet. Many protocols have a characteristic sequence there — like a barcode. See a familiar barcode — cut it. Working against this are transports whose connection start looks like ordinary TLS, with no telltale marks.

2. TLS fingerprint (JA3)

When a client establishes a TLS connection, it sends a ClientHello — a set of parameters that reveals what software is sending it. A real browser has one set, a bare VPN client has another — rare and recognizable. The imprint of these parameters is called the JA3 fingerprint.

If your client sends a ClientHello that shows up in three VPN apps and nowhere else, that's a flag. Working against this is uTLS: it rewrites the ClientHello so it's byte-for-byte like a real browser's (Firefox, QQ, etc.). Hence the importance of the fingerprint field in setup — an empty fingerprint gives you away instantly.

3. Active probing

Inspection doesn't just watch traffic passively — it knocks on your port itself and watches how it responds. If a VPN server sits at the address and responds to a "random" request in some suspicious way (hangs, sends garbage, doesn't behave like a site), that gives it away completely.

Here Reality's mechanics save you: if something knocks on the port that isn't a genuine client (no correct secret), the node silently proxies the request to the donor — to a real, large site. From the outside it looks as if that site really does live at the address. The probe finds nothing.

4. Behavioral analysis

The nastiest one. Inspection looks not at a single packet but at the whole stream: packet lengths, intervals between them, the ratio of upload to download. Ordinary web browsing has its own statistical picture; a VPN tunnel has a different one. Even a perfectly disguised handshake doesn't save you if the stream that follows "breathes" unlike a browser.

Working against this are transports that fragment and repackage the stream (XHTTP, gRPC), throwing off the statistics of lengths and timings. This is exactly why bare Reality over TCP is already not enough under a harsh regime — the handshake is perfect, but the behavior still gives you away.
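What "looking at the whole stream" means in measurable terms, as an added example that is not from the original article: the functions compute the quantities named above (packet lengths, intervals, upload-to-download ratio) for a flow and compare two flows' length histograms with total variation distance. Both flows are constructed, and the bucket edges and the choice of distance are assumptions for illustration, not a description of what any particular inspection system computes.

```python
from statistics import mean, pstdev

def flow_features(packets):
    """packets: (time_ms, direction, length) tuples; direction is "up" or "down"."""
    packets = sorted(packets)
    lengths = [n for _, _, n in packets]
    gaps = [b[0] - a[0] for a, b in zip(packets, packets[1:])]
    up = sum(n for _, d, n in packets if d == "up")
    down = sum(n for _, d, n in packets if d == "down")
    return {
        "up_bytes": up,
        "down_bytes": down,
        "up_down_ratio": up / down if down else float("inf"),
        "mean_len": mean(lengths),
        "len_stdev": pstdev(lengths),
        "mean_gap_ms": mean(gaps) if gaps else 0,
        "max_gap_ms": max(gaps, default=0),
    }

def length_histogram(packets, edges=(100, 600, 1200)):
    """Share of packets per length bucket: <100, 100-599, 600-1199, >=1200."""
    counts = [0] * (len(edges) + 1)
    for _, _, n in packets:
        counts[sum(n >= e for e in edges)] += 1
    return [c / len(packets) for c in counts]

def tv_distance(p, q):
    """Total variation distance between two histograms: 0 = same shape, 1 = disjoint."""
    return sum(abs(a - b) for a, b in zip(p, q)) / 2

# Constructed flows, not measured traffic: one bursty request/response exchange
# with a long idle gap, one steady symmetric stream of equal-sized packets.
BURSTY = [(0, "up", 400), (30, "down", 1400), (31, "down", 1400), (32, "down", 1400),
          (33, "down", 1400), (34, "down", 600), (2000, "up", 400), (2030, "down", 1000)]
STEADY = [(20 * i, "up" if i % 2 == 0 else "down", 1200) for i in range(8)]
```

On these two flows the length histograms sit at a distance of 0.5, and the steady flow shows a length deviation of zero and an upload-to-download ratio of 1, against 800 bytes up to 7200 down for the bursty one.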

What this looks like in practice

Inspection rarely cuts dead on the first packet. Typical symptoms an operator learns to read:

  • "Works for a couple of seconds, then dead" — the connection established, but behavioral analysis finished it off after a few seconds. Or the IP itself is already poisoned and gets cut on approach.
  • Dips at peak hours — in the evening the load on inspection is higher, filters are more aggressive. What flew during the day slows down at night.
  • Waves by date — inspection updates in jerks. After each round, half the guides on the internet stop working within a day, because filters got tuned against them.
  • Home/mobile difference — with mobile operators inspection is often stricter, right up to "allowlists" where only government services and banks get through.

A separate beast: infrastructure pressure

Beyond technical inspection there's administrative pressure. The regulator sends hosts lists of VPN-server IPs with a demand to block them. Russian providers cave to this and ban nodes in batches by subnet.

The practical takeaway that shapes the entire architecture: exit nodes only abroad. Inside the country, at most a cascade entry point, relay, or the panel — things through which no client exit traffic flows.

What follows from this for the operator

The whole defense strategy comes down to one idea — be statistically boring. The less your node stands out against ordinary HTTPS across all four signals, the longer it lives. Hence the whole design:

  • a browser-like handshake (uTLS, the right fingerprint);
  • web-like behavior (a transport that fragments the stream);
  • surviving probing (Reality with a real donor);
  • an IP that's not in a dirty subnet and not on a Russian host used for exit.

Next in this section: how to pick a server and location so that IP and hosting, the last item on that list, don't kill all your other work. The detailed practice of beating inspection is covered in the "Circumvention" section, with concrete configs against each of the four signals.
