A curated list of tools, protocols, and technologies for bypassing internet blocks, inspired by this project.

This list focuses on tools and strategies designed to defeat active network-level filtering, such as Deep Packet Inspection (DPI), DNS blocking, and protocol-level blacklisting.

Internet blocks are multi-layered systems and not simple on/off switches. Bypassing them is similar to a cat-and-mouse game.

Filtering mechanisms primarily include:

DNS Filtering / Poisoning / Hijacking

The censor intercepts requests to resolve a domain name and either returns no answer or a false IP address. This is the simplest and most common form of blocking, but also the easiest to bypass in some cases. To bypass it, a third party (not from your ISP) DNS server should be used with a DNS protocol supporting encryption like DNS over HTTPS. If blocks are still in place, your ISP may be using DPI.

Deep Packet Inspection (DPI)

This is a more advanced method. State-level “middle boxes” (like Russia's TSPU or China's Great Firewall (GFW)) actively inspect the content of unencrypted (or encrypted for their own certificate authority) traffic. For encrypted traffic, they inspect the “metadata,” such as the Server Name Indication (SNI) in a TLS handshake. The SNI field, which states the domain you are visiting, is unencrypted and provides a simple way for censors to identify and block HTTPS connections. Bypassing this requires specialized programs. If blocks are still in place, your ISP may be using IP blacklisting.

IP Blacklisting

The censor blocks all network traffic to and from known IP addresses associated with a “forbidden” service (e.g., a VPN provider's servers or a specific website). Bypassing this is harder and requires connecting to a proxy/VPN server that doesn't have these restrictions. This can create a chicken-and-egg problem, like a proxy/VPN service being IP blocked but needing a proxy/VPN to bypass it.

Protocol Filtering

The DPI system is configured to identify and block the “fingerprints” of circumvention protocols themselves. Standard OpenVPN and WireGuard traffic is easily identifiable and is a primary target for blocking. Ports of commonly used protocols can be blocked too (e.g., port 51820 can be blocked to prevent a WireGuard connection if there are no alternative ports).

The tools in this list are all solutions to one or more of these methods. They either:

1. Manipulate packets at a low level to confuse the DPI,
2. Obfuscate (disguise) traffic to look like something benign and unblockable (like standard web traffic), or
3. Decentralize content, so there is no single server to block.

This is a “meta” category. Before you can bypass censorship, you must prove it is happening and understand how. These tools are not for circumvention, but for detection. They are critical for activists, journalists, and researchers.

The Open Observatory of Network Interference. A free, open-source software and global network for measuring internet censorship. A project born out of The Tor Project, now an independent non-profit. Volunteers run the OONI Probe app on their mobile devices or computers from within 241 countries. The results are aggregated and published on the public OONI Explorer website. It is used to increase transparency, document censorship events globally, and provide hard, verifiable evidence of network interference and blocking.

The app runs a series of tests to check for censorship:

• Web Connectivity: It tries to access a list of websites (including globally and locally sensitive ones) from the user's network and from a control network, then compares the results.
• App Blocking: It tests for blocks on specific apps like WhatsApp, Telegram, and Signal.
• Circumvention Tool Blocking: It tests if circumvention tools themselves (like Tor, Psiphon, and Lantern) are reachable.

PROs:

• Provides Hard Evidence: It is the best tool for scientifically proving how and what is being censored on a specific network.
• Global & Open Data: All data is publicly available for analysis, which is an invaluable resource for researchers, journalists, and human rights organizations.
• Easy to Use: The mobile app is simple for non-technical volunteers to run.

CONs:

• Potential Risk to User: Running OONI Probe is not anonymous. Your ISP and any network monitor can see that you are running it. While OONI states the risk is “theoretical” and no user has faced consequences, this is a real risk in high-stakes environments.
• Provocative Tests: The app intentionally tests “provocative or objectionable sites (e.g., pornography)”, which might be illegal to even attempt to access in some countries, regardless of intent.

If you are in a risky situation, please do your research and do not trust any single source (including this one). These quick recommendations are for people with less sensitive threat models.

This category of tools is fundamentally different from VPNs. They allow access to specific blocked services without the disruptive side effects of a VPN, such as changing your IP address. They also don't bypass IP blacklisting.

These tools work by “desynchronizing” the censor's view of the network connection from the server's, causing the inspection to fail while allowing the real connection to proceed. They provide no extra encryption or anonymity; your ISP can still see what sites you are visiting, but their automated blocking mechanism is fooled.

A stand-alone, high-performance DPI circumvention tool designed to “desynchronize” DPI systems by manipulating network packets at a low level. Zapret was created primarily to target the “Sovereign Internet” (RuNet) blocking system in Russia.

Zapret is designed to run on a Linux-based gateway, such as a home router running OpenWrt or directly on a user's Linux desktop.

Zapret uses low-level packet manipulation via components like nfqws and tpws. It employs a variety of “DPI desync” techniques, which can be configured by the user. These include sending fake packets (e.g., with the --dpi-desync=fake parameter), fragmenting packets (--dpi-desync=fakedsplit), and modifying packet checksums or TTLs to “fool” the inspection system (--dpi-desync-fooling=badsum). The tool includes a blockcheck.sh script that a user can run to test and identify the most effective desync parameters for their specific ISP.

PROs:

• High Performance: Adds negligible latency. Because it typically only manipulates the first few packets of a connection to break the DPI's state, it is significantly faster than a full tunnel.
• No IP Change: This is its most significant advantage. It does not change your public IP address, making it ideal for accessing local, geo-restricted services (like banking, streaming, or city services) that would be broken by a VPN. It also does not need to trust any third party servers.
• Transparent: When installed on a router, it works transparently for all devices on the network (phones, computers, consoles) with no client-side software required.
• Adaptive: It is highly configurable to adapt to the specific, evolving DPI strategies used by different ISPs and nation-states.

CONs:

• No Extra Privacy or Anonymity: This is critical to understand. Zapret does not provide extra privacy or anonymity. Your ISP can still see which sites you are visiting; the tool just prevents the automated block to provide access.
• Specific Use Case: It only defeats DPI. It does not bypass DNS-level blocking (it must be paired with an encrypted DNS service like DoH/DoT) or IP-address-level bans.

A user-friendly DPI circumvention utility designed specifically for the Windows operating system. It runs on a user's local Windows PC (versions 7 through 11 are supported). It works by installing a Windows filter driver to intercept and modify packets as they leave the machine. It employs multiple methods simultaneously to be effective against a wide range of DPI systems. These methods include: TCP-level fragmentation, HTTP header manipulation (e.g., replacing Host with hoSt, or removing spaces), and sending fake packets with low TTLs to “poison” the DPI's state and cause it to fail. It also includes modes to redirect DNS requests to non-standard ports to bypass simple DNS poisoning.

PROs:

• Easy to Use: This is its primary advantage. It is ideal for non-technical Windows users. The most common use case involves just running a single .cmd script.
• No IP Change: Shares the same benefits as Zapret; it does not interfere with local, geo-restricted services. Also, no third party to trust.
• Effective: It is designed to actively bypass both “Passive DPI” (which tries to “race” the real server with a fake reset packet) and “Active DPI” (which sits in-line and modifies traffic).

CONs:

• No Extra Privacy or Anonymity: Like Zapret, this provides no extra encryption and is not a privacy tool. It is for access only.

This category includes the standard, “baseline” protocols for proxies and VPNs. These tools are not designed for censorship circumvention and are the primary targets for blocking. Their distinct protocol “fingerprints” make them easy for DPI systems to identify and filter. They are included here as a baseline to illustrate why the more advanced, obfuscated tools in the next section are necessary.

An extremely simple, fast, and modern VPN (Virtual Private Network) protocol. A modern protocol (initial release 2015) that is now part of the Linux kernel. Runs on client and server machines, supported natively or via apps on all major operating systems. It uses state-of-the-art cryptography and has a very small, auditable code base (under 4,000 lines of code). It operates over UDP.

PROs:

• Extremely Fast: Significantly higher performance and lower latency compared to OpenVPN, due to its lightweight code and modern encryption.
• Simple & Secure: A small code base makes it easier to audit and less susceptible to attack.
• Quick Reconnects: Connects and reconnects almost instantly, making it ideal for mobile devices switching between Wi-Fi and cellular data.

CONs:

• Easily Blocked: This is its key weakness for censorship. It has a distinct, recognizable protocol fingerprint. It is not designed to bypass DPI and is actively blocked in countries like China and Russia. Protocols like AmneziaWG (modified version of WireGuard designed to prevent DPI) should be used when possible.

A mature, open-source, and highly configurable VPN protocol. First released in 2001, it has been the industry standard for over two decades. It uses a custom security protocol based on SSL/TLS. It can run over either TCP or UDP, which makes it flexible.

PROs:

• Mature: Battle-tested and thoroughly audited for decades.
• Flexible: Can be configured to run over any port and use either TCP or UDP.

CONs:

• Easily Blocked: Like WireGuard, its handshake is very distinct and easily identified and blocked by DPI systems.
• Slow: It is much slower and has higher latency than WireGuard. Its code base is big (400,000+ lines).

A secure, standards-based VPN protocol (Internet Key Exchange version 2). Developed by Microsoft and Cisco, and standardized by the IETF. Native to most modern operating systems. It is often used in self-hosted setups (like Algo).

PROs:

• Native Support: Supported “out of the box” by Windows, Android, macOS, and iOS.
• Stable: Very good at re-establishing a connection quickly when a network drops.

CONs:

• Easily Blocked: It is not a circumvention tool and is easily detected and blocked by DPI.

A low-level proxy protocol that can route virtually any type of network traffic from any application (SOCKS5 since 1996). A client application sends traffic to a SOCKS5 server, which then forwards it to the final destination. It operates at Layer 5 (the Session Layer).

PROs:

• Extremely Versatile: Can handle any type of traffic, including web, P2P, gaming, and email.

CONs:

• Not Encrypted: Provides zero encryption by itself. All traffic is sent in the clear and is fully visible to an ISP.
• Trivially Blocked: Unencrypted, identifiable traffic is extremely easy for any DPI system to inspect and block.

A basic, high-level proxy protocol designed exclusively for web (HTTP and HTTPS) traffic. Primarily used by web browsers. It operates at Layer 7 (the Application Layer).

PROs:

• Simple: Easy to set up and widely supported by all browsers.

CONs:

• Extremely Limited: Only works for web traffic.
• Not Encrypted: Provides no encryption for your connection to the proxy (when no HTTPS).
• Not Anonymous: HTTP proxies typically add headers (like X-Forwarded-For) that identify the original user's IP address.
• Trivially Blocked: Very easy to detect and block.

This category represents the “engine” for most modern, robust circumvention. The development of these protocols illustrates the “cat-and-mouse” arms race.

1. Phase 1 (Encrypt): Standard VPNs (OpenVPN, WireGuard) are encrypted but have obvious “fingerprints”.
2. Phase 2 (Scramble): Tools like Shadowsocks and obfs4 encrypt and “scramble” traffic to look like “random” data.
3. Phase 3 (Mimic): Tools like V2Ray (VLESS+TLS) and Trojan are designed to mimic standard, benign HTTPS traffic.
4. Phase 4 (Be Indistinguishable): Tools like Naïve Proxy reuse the actual network stack from a real browser (Chrome) to be bit-for-bit indistinguishable.

A fast, encrypted SOCKS5 proxy. It is not a full VPN. Originally created in 2012 by “clowwindy” specifically to bypass the Great Firewall (GFW) of China. Its strength is its simplicity and its use of modern AEAD ciphers. It “disguises” traffic to look like HTTPS but does not explicitly mimic another protocol.

PROs:

• Fast and Lightweight: Generally faster than full VPNs and complex multi-layered tools.
• Selective: Easy to configure which traffic goes through it (e.g., using a PAC file).

CONs:

• Detectable by Advanced DPI: Advanced DPI can detect Shadowsocks traffic through traffic analysis and active probing.
• Not a Full VPN: Does not tunnel all system traffic by default, leading to potential “leaks”.

A platform or framework for building proxies. It is not a single protocol, but a “box” that can manage multiple inbound and outbound protocols, transports, and advanced routing rules. By wrapping its proxy traffic inside Web Socket and TLS, it makes the traffic appear as standard, indistinguishable HTTPS traffic.

PROs:

• Extremely Flexible: Can be configured to mimic HTTPS, run over Web Sockets, use QUIC, etc.
• Resilient: Its multiprotocol nature means it can be reconfigured if one method is blocked.
• Advanced Routing: Can selectively route traffic based on domain or IP.

CONs:

• Complex: Requires understanding of its complex concepts of inbounds, outbounds, and transports.
• Performance Overhead: Layered encryption adds significant latency.
• VMess is Detectable: The original VMess protocol is now considered detectable by advanced GFW packet sniffing.

• VMess: The original, feature-rich protocol for V2Ray. It has its own built-in encryption and authentication methods. It is considered more “heavy” and less safe against modern GFW probing.
• VLESS: A newer, lightweight protocol. It removes VMess's built-in encryption layer and delegates security to the underlying transport layer, such as TLS. This simplifies the handshake, improves speed, and makes it more indistinguishable from a standard HTTPS website.

A high-performance, open-source proxy platform and a fork of V2Ray. Developed by the XTLS community. Xray-core supports all of V2Ray's protocols and adds XTLS. XTLS is a “direct encryption” technology that avoids the performance-draining “TLS-in-TLS” problem, resulting in lower latency and higher speeds than VLESS+TLS.

PROs:

• Faster: X-ray with its XTLS protocol is generally considered faster and more efficient.
• Backward Compatible: Acts as a drop-in, enhanced replacement for V2Ray-core.
• Advanced Protocols: VLESS and XTLS are highly effective at mimicking standard web traffic.

CONs:

• Complexity: Inherits all of V2Ray's complexity.
• Less Documentation: Newer technology with poorer documentation than established setups.

A proxy protocol that is specifically designed to perfectly imitate a real HTTPS server. It runs on a server, binds to port 443, and simultaneously serves a real, working website. This makes it highly resistant to the “active probing” techniques.

PROs:

• Extremely Stealthy: Mimics HTTPS perfectly and serves a real website as a disguise.
• High Performance: Simpler protocol that uses TLS directly.

CONs:

• Requires a Domain Name: You must have a registered domain name and a valid SSL/TLS certificate.
• Vulnerable to TLS-in-TLS Detection: Censors have started detecting the “TLS-in-TLS” pattern.

A proxy that re-uses the network stack from the Chromium browser to camouflage its traffic. A “Phase 4” tool. It uses HTTP/2 multiplexing, HTTP/2 traffic padding, and the exact TLS handshake of a real Chrome browser.

PROs:

• The “Most” Stealthy: Arguably the most advanced tool for defeating traffic analysis and fingerprinting.
• High Performance: Leverages Chrome's high-performance HTTP/2 stack.

CONs:

• Complex: Requires a Caddy server with a specific plugin, domain name, and TLS cert.
• Still a Proxy: Not a full system-wide VPN.

Instead of trusting a commercial VPN, these scripts automate the setup of a private server on a cloud provider.

A set of Ansible scripts that automates the deployment of a minimalist, secure personal VPN. Created by Trail of Bits. It installs WireGuard and IKEv2/IPsec, deliberately excluding obfuscation tools.

PROs:

• Secure by Default: Uses modern, strong protocols with secure ciphers.
• Minimalist: Includes only the minimal software you need.
• Clientless (IKEv2): Supported natively by most OS.

CONs:

• Not for Censorship Bypass: WireGuard and IKEv2 are easily detected and blocked by DPI.
• Security Vulnerabilities: Theoretical risk of MitM if the VPS is compromised due to self-signed certs.

Automates the deployment of a full suite of anti-censorship tools (“kitchen sink” approach). Installs WireGuard, OpenVPN, Shadowsocks, Trojan, Tor bridges, and more.

PROs:

• Extremely Versatile: Gives the user many options to try if one is blocked.
• Designed for Censorship: Specifically designed for circumvention.

CONs:

• “Kitchen Sink” Risk: Dramatically increases the potential attack surface.
• Less Secure Defaults: More permissive defaults than Algo.
• Outdated: Did not get updated for a long time.

Designed for anonymity. However, to be anonymous, you first must be able to connect.

A free, open-source network and browser that provides anonymity by routing traffic through a three-layer “onion” of volunteer-run relays.

PROs:

• Strong Anonymity: The most-studied tool for public-internet anonymity.
• Pluggable Transports: Built-in system to bypass blocking.
• Easy to Use: The Tor Browser is a simple, all-in-one application.

CONs:

• Very Slow: Impractical for streaming or large downloads.
• Blocked by Default: Relay lists are public and easily blocked.
• Stigma: Can attract suspicion from ISPs or law enforcement.

obfs4

The modern “scrambler” (Phase 2). Makes Tor traffic “look random, like nothing”. Can be blocked by whitelists.

meek

The “domain fronting” transport (Phase 3). Makes Tor traffic look like it's going to a major CDN. Very slow and fragile; major providers blocked it.

Web Tunnel

A newer transport that masks Tor traffic as a standard HTTPS connection.

Snowflake

A peer-to-peer transport. Connects to ephemeral proxies run by volunteers in their web browsers.

A decentralized, anonymous network layer. Uses “Garlic Routing” which bundles multiple messages together and sends them through unidirectional tunnels.

PROs:

• Excellent for Hidden Services: Optimized for “eepsites”.
• Decentralized & Resilient: Distributed and P2P-friendly.
• Harder Analysis: Unidirectional tunnels make traffic analysis harder.

CONs:

• Not for Public Web Access: Relies on volunteer-run “out proxies” which are few and slow.
• Slow: Complex P2P routing.

Censorship-resistance-by-design. If there is no single server, there is no single point to block.

A decentralized, peer-to-peer web-like network. Uses Bitcoin cryptography for identity and BitTorrent to distribute content.

PROs:

• Extremely Censorship-Resistant: Cannot be taken down by DMCA or government order.
• Zero Hosting Cost: The audience provides the infrastructure.
• Works Offline: Browse “seeded” sites without internet.

CONs:

• Not Anonymous by Default: IP is visible to peers.

A decentralized, P2P network where all users contribute disk space and bandwidth. Content is retrieved by a key, not a location. Nodes do not know what content they are storing.

PROs:

• Anonymous by Design: Anonymity built-in for publishers and consumers.
• Deniable Storage: Plausible deniability for hosts.

CONs:

• “Forgets” Content: Unpopular data is eventually dropped.
• Static Content Only: No dynamic sites.

A decentralized, peer-to-peer protocol. Uses content-based addressing (CID) instead of location-based addressing.

PROs:

• Highly Censorship-Resistant: Content itself cannot be blocked.
• Data Integrity: Cryptographic CIDs guarantee the exact file.

CONs:

• Not Anonymous by Default: IP is visible.
• Content is Not Permanent: Files disappear if not “pinned”.
• Censorable at the Gateway: Public gateways can filter content.

Files are distributed across thousands of users' computers. Extremely resilient against takedowns.

PROs:

• Distributed & Fast: Speeds up as more people host.
• No Central Logs: Makes surveillance resource-intensive.

CONs:

• Not Anonymous by Default: IPs are public.
• Stigma: ISPs actively throttle or block torrents.

Protocols that encrypt DNS queries to prevent tracking and poisoning.

• DoT: Dedicated port 853.
• DoH: Uses port 443 (standard web traffic).
• DNS Crypt: Encrypts payloads using public keys.

PROs:

• Bypasses DNS Filtering: Primary benefit.
• Stealthy (DoH): Indistinguishable from HTTPS.

CONs:

• DoT is Easily Blocked: Port 853 can be blocked.
• Does Not Bypass DPI: Useless if SNI or IP is blocked.

A TLS 1.3 extension that encrypts the SNI, closing the metadata leak in HTTPS.

PROs:

• Defeats SNI-Based DPI: Makes this class of censorship obsolete.
• Proactive & Native: Protects all users by default when adopted.

CONs:

• Not Yet Standard: Not universally deployed.
• Already Being Blocked: Russia blocks ECH directly; China blocks encrypted DNS to prevent ECH.

Privacy Frontends

Proxy traffic to upstream services. Upstream doesn't see your IP, but usually limited to specific websites and can be unstable.

Website Mirrors

Viewing alternative hosted versions of sites. Only some content has mirrors.

Federated Services

Distributed alternatives to centralized platforms. Can leak metadata.

If one or more of these are true, a VPN may be necessary:

• Connecting to untrusted hotspots.
• Untrusted websites (IP loggers).
• Geo-blocked regularly.
• ISP blocks content.
• Lack of trust in ISP.
• Need servers in specific countries.
• ISP throttling.

• Source Availability: Open-source projects preferred.
• Security: Strong security practices, audited code.
• Community Support: Active forums and issue trackers.
• Cost-Effectiveness: Fits budget requirements.
• No Walled Gardens: Prefer self-hosted or alternative client capable software.
• Proven Track Record: Mature projects.

This part of the guide is taken from the i2p projects comparison page. You may read the Tor Overview page to learn how Tor works.

• Internet censorship circumvention: Wikipedia
• Zapret Documentation
• Goodbye DPI GitHub
• Shadowsocks Official
• V2Ray Core
• X-ray Core
• Tor Circumvention Manual
• I2P Anonymous Network
• OONI Open Observatory of Network Interference