Your VPN stopped
working. Why?
It held yesterday, it's silent today. It's not the app — TSPU sits on the line, and it learned to recognise VPNs. Here's how the filter cuts the connection and what survives it.
TSPU ("technical means of countering threats") is equipment installed at Russian carriers. It's essentially a deep traffic analyser (DPI) that looks not only at where a connection goes, but at how it looks inside.
Blocking used to run off a simple address list. TSPU works finer: it can recognise the very fingerprint of VPN protocols and cut them — even when the server is new and listed nowhere.
Three ways you get spotted
By site name (SNI)
At the start of a secure connection the server name travels in clear text. The filter reads it and decides — pass or cut. That's how domains get blocked.
By protocol fingerprint
Typical VPNs (WireGuard, OpenVPN, bare Shadowsocks) have a recognisable packet "shape". DPI spots it and chokes the connection without even knowing the address.
By address and ports
Known VPN-provider IPs and unusual ports get blocked. And in whitelist mode, everything but the approved set is cut.
Don't hide the VPN — be indistinguishable
If DPI looks for a "VPN shape", then the traffic must not have one. Vexin masquerades the connection as ordinary HTTPS: to the filter it looks like a routine visit to a major site. Nothing to recognise — nothing to cut.
On top of that the client watches the line itself: if a node gets choked, it switches to a live one and changes the masquerade. No manual configs. That's why Vexin holds where a typical VPN drops after the first wave of blocks.
- HTTPS masquerade — no recognisable protocol fingerprint
- Auto-switching — a live node is picked for you
- No logs — no browsing history, DNS or content kept
A separate harsh case is whitelist mode, when mobile internet is cut entirely. We covered it separately.
Most likely TSPU tightened on your line. The equipment recognises the fingerprint of typical VPN protocols and cuts them. Changing the server or protocol inside the same app usually doesn't help — you need a different masquerade approach.
Rarely, and not for long. Once DPI learns a protocol's shape, cycling settings inside one app gives a temporary effect. Only masquerading as ordinary traffic works reliably.
Vexin was built against TSPU from the start. Traffic is masqueraded as ordinary HTTPS, and the client switches to a live node when blocked. So the connection holds where mass-market VPNs drop.
No. We keep no browsing history, DNS queries or traffic content. A minimum of session metadata remains for billing and is deleted within 30 days.
A VPN that won't be choked.
Connect in a minute. 7-day refund if it doesn't work for you.