What Is VPN Obfuscation? (Stealth VPN Explained)
VPN obfuscation (also called 'stealth VPN') disguises encrypted VPN traffic to look like regular HTTPS web traffic. Without obfuscation, a firewall or ISP using Deep Packet Inspection (DPI) can identify and block VPN traffic even when encrypted. Obfuscation is essential for users in China, Russia, Iran, and other countries with VPN restrictions.
How normal VPN traffic is detected
Encrypted VPN traffic has identifiable characteristics: specific packet sizes, timing patterns, protocol signatures, and port usage. Even without reading the encrypted content, a firewall using Deep Packet Inspection can say 'this looks like OpenVPN traffic' and block it. China's Great Firewall, Russia's FAPSI, and corporate firewalls all use DPI to detect VPN use.
How obfuscation works
Obfuscation wraps VPN packets in an additional layer to disguise them:
The most effective obfuscation disguises VPN traffic as port 443 HTTPS traffic — the same port used by every website. It's extremely difficult to block without breaking normal web browsing.
- XOR obfuscation: Applies XOR cipher to packet headers to mask VPN signatures. Basic but effective against basic DPI.
- Obfsproxy (Tor project): Designed to bypass censorship. Randomizes packet sizes and timing to prevent traffic analysis.
- HTTPS mimicry: Makes VPN traffic look identical to regular HTTPS traffic — same port (443), same packet patterns. Very effective.
- Shadowsocks: Originally designed to bypass China's Great Firewall. Uses SOCKS5 proxy protocol with encryption. Popular in China.
- V2Ray/VMess/VLESS: More advanced protocols designed for circumvention. Common in China and Iran.
- Stunnel: Wraps any traffic in TLS. Makes VPN traffic indistinguishable from HTTPS.
Which VPNs have obfuscation?
- ExpressVPN: Lightway protocol with obfuscation. Best for China — has extensive infrastructure there.
- NordVPN: 'Obfuscated servers' toggle in Settings. Uses XOR + custom TCP protocol.
- Surfshark: Camouflage Mode (automatic when using OpenVPN TCP). No extra steps needed.
- ProtonVPN: Stealth protocol — WireGuard wrapped in TLS. Works in censored regions.
- Mullvad: Obfuscation via Shadowsocks and DAITA (Defence Against AI-guided Traffic Analysis).
- Astrill: Specifically designed for China. StealthVPN and OpenWeb protocols both work there.
Do you need obfuscation?
- Yes, you need it: If you're in China, Russia, Iran, UAE, Oman, Turkey, or other countries that restrict VPNs. Also useful in restrictive workplaces or schools that use DPI to block VPNs.
- No, you don't need it: If you're in a country with unrestricted internet (US, UK, most of EU, Canada, Australia). Standard VPN protocols work fine.
- Maybe: If you're in a country with selective VPN restrictions, or if your ISP throttles known VPN traffic.
Frequently asked questions
Does obfuscation make the VPN slower?
Yes, slightly. The additional encryption and packet processing adds overhead — typically 10–20% speed reduction compared to standard WireGuard. For most purposes, this is barely noticeable. It's a worthwhile trade-off if you're in a censored network.
Which VPN works in China?
ExpressVPN is the most consistent choice for China, with extensive infrastructure and regular protocol updates as China's firewall evolves. Astrill, NordVPN obfuscated servers, and Surfshark Camouflage Mode also work. No VPN is 100% reliable in China — the Great Firewall adapts constantly.
Is stealth VPN the same as obfuscated VPN?
Yes — they're the same thing described from different angles. 'Stealth' emphasizes that the VPN hides its nature. 'Obfuscated' describes the technical process of disguising the traffic. Both refer to VPN traffic that has been disguised to evade detection.