Why Shadowsocks Gets Through When VPNs Don't
Who this is for
If you live in Iran, Myanmar, Russia, or mainland China — or you've traveled there and watched your VPN stop working the moment you landed — this post is for you. This is not a guide for the privacy-curious; it is a guide for people who have a specific problem: the network they are on actively blocks circumvention tools, and they need to know why and what to do about it. We will explain what makes VPNs detectable, what Shadowsocks is and why it was built, where plain Shadowsocks still falls short, and what we run on top of it.
What a VPN actually is
A VPN — WireGuard, OpenVPN, IKEv2, or the branded variants built on top of them — creates an encrypted tunnel between your device and a server. Your traffic goes through the tunnel; the destination sees the server's IP, not yours.
The problem for censorship circumvention is that VPN protocols are distinctive. WireGuard uses UDP on a fixed port with a well-documented handshake. OpenVPN has a recognizable TLS certificate structure. IKEv2 opens predictable port combinations. Deep-packet inspection (DPI) equipment does not need to decrypt your traffic to identify it — it only needs to observe the shape of your packets.
This is fine in places where blocking is coarse (country-level IP bans, DNS poisoning). It fails in places that run real DPI infrastructure.
Why VPNs get blocked
The blocking techniques used by the GFW (China's "Great Firewall") and similar systems in Iran and Myanmar fall into a few categories:
Protocol fingerprinting. WireGuard, OpenVPN, and IKEv2 each produce a measurable traffic signature — packet sizes, timing patterns, and handshake sequences that do not appear in ordinary TLS sessions. A classifier trained on these signatures can flag a connection in milliseconds.
Port blocking. Standard VPN ports (UDP 1194 for OpenVPN, UDP 51820 for WireGuard, UDP 500/4500 for IKEv2) are trivially blacklisted at the firewall.
IP reputation lists. The major VPN providers rotate IPs, but their infrastructure is well-known. Residential IP proxies are more resilient, but most consumer VPN apps still rely on datacenter ranges that are monitored.
Active probing. This is the most sophisticated technique. When the firewall suspects a connection might be a proxy, it sends its own crafted packets to the server to test how it responds. A real VPN server responds in a way that confirms it; an ordinary HTTPS server does not. Commercial VPN providers have to patch their servers against active probing continuously — and they do not always win.
NordVPN, ExpressVPN, and others now ship obfuscation layers ("obfuscated servers," "NoBorders mode") specifically to fight this. They work in many countries. They fail in the GFW's most aggressive configurations because the obfuscation is a layer on top of a VPN protocol — the underlying shape can still leak.
What Shadowsocks is
Shadowsocks was created in 2012 specifically to defeat the GFW. It is not a VPN. It is an encrypted proxy protocol — a SOCKS5-style proxy wrapped in a cipher stream — and it was designed from the beginning to look like random, unremarkable traffic rather than a VPN.
The core idea: instead of creating a tunnel that announces itself as a tunnel, Shadowsocks sends encrypted bytes that are statistically indistinguishable from a stream of random data. There is no obvious handshake, no certificate exchange, no protocol banner. To passive DPI inspection, the connection looks like noise.
The ss:// access-key format is specified in SIP002, and the server implementation we use is shadowsocks-rust, which implements AEAD ciphers (ChaCha20-Poly1305, AES-256-GCM) so the traffic is both encrypted and authenticated.
Where Shadowsocks alone falls short
Plain Shadowsocks has been partially cracked by GFW active probing since roughly 2019. The attack works like this: the firewall identifies a connection that might be Shadowsocks (the traffic has the right entropy profile, the port is suspicious), then sends its own probe to the server. A standard Shadowsocks server that receives an unexpected probe will either time out or respond with garbage — both behaviors that confirm it is a proxy.
AEAD ciphers close one attack surface (replay attacks and stream manipulation), but they do not solve the probe-response problem. A modern firewall can detect AEAD-only Shadowsocks with moderate confidence, especially with extended observation.
This is not a theoretical problem. Reports from users in Iran and China since 2022 confirm that plain SS connections on suspicious ports are routinely disrupted within hours to days.
How our stack actually resists detection
The answer to active probing is to make your server look — from every angle, including a live probe — like an ordinary HTTPS server.
We run shadowsocks-rust with v2ray-plugin, a transport plugin that wraps Shadowsocks traffic inside a standard WebSocket-over-TLS session on port 443. The TLS certificate is real. The SNI is set to a popular, unblocked domain. The HTTP Upgrade looks exactly like a normal WebSocket handshake.
What a firewall sees:
- A TLS connection to 443/tcp with a valid certificate
- SNI pointing to a real popular hostname
- WebSocket upgrade headers that match what a browser sends
- No identifiable Shadowsocks handshake in the payload
What happens when the firewall actively probes:
- The probe connects to port 443 and gets a TLS handshake back
- If it sends an HTTP request, it receives a valid HTTP response
- There is nothing to trigger a Shadowsocks classification
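The two lists above are a checklist an operator can verify against their own server. The following is an added example (not code from this post, shadowsocks-rust or v2ray-plugin) that builds the minimal RFC 6455 Upgrade request a browser would send and then checks a server's reply offline: an upgrade reply must be a 101 whose Sec-WebSocket-Accept is base64(SHA-1(key + GUID)), and a plain GET must get an ordinary HTTP reply rather than silence or garbage. The sample replies and the hostname cdn.example.invalid are constructed; the key and accept value are the ones from RFC 6455 section 1.3.

```python
from __future__ import annotations

import base64
import hashlib
import os

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed value from RFC 6455


def new_ws_key() -> str:
    """16 random bytes, base64-encoded, as a browser generates for Sec-WebSocket-Key."""
    return base64.b64encode(os.urandom(16)).decode()


def browser_upgrade_request(host: str, path: str, key: str) -> bytes:
    """Minimal RFC 6455 client handshake (the header set a browser must send)."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "Connection: Upgrade",
        "Upgrade: websocket",
        f"Origin: https://{host}",
        "Sec-WebSocket-Version: 13",
        f"Sec-WebSocket-Key: {key}",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID)), RFC 6455 section 4.2.2."""
    return base64.b64encode(hashlib.sha1((key + WS_GUID).encode()).digest()).decode()


def parse_http_response(raw: bytes) -> tuple[int, dict[str, str]]:
    """Status code and lower-cased headers of an HTTP/1.x response; body ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    version, code, _reason = (status_line.split(" ", 2) + [""])[:3]
    if not version.startswith("HTTP/1.") or not code.isdigit():
        raise ValueError("not an HTTP/1.x response")
    headers: dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(code), headers


def check_upgrade_response(raw: bytes, key: str) -> list[str]:
    """Deviations from a correct RFC 6455 server handshake; an empty list means OK."""
    problems = []
    code, h = parse_http_response(raw)
    if code != 101:
        problems.append(f"status {code}, expected 101")
    if h.get("upgrade", "").lower() != "websocket":
        problems.append("missing or wrong Upgrade header")
    tokens = [t.strip().lower() for t in h.get("connection", "").split(",")]
    if "upgrade" not in tokens:
        problems.append("Connection header does not contain 'upgrade'")
    if h.get("sec-websocket-accept") != expected_accept(key):
        problems.append("Sec-WebSocket-Accept does not match the request key")
    return problems


def is_ordinary_http_reply(raw: bytes) -> bool:
    """A plain (non-Upgrade) request should get a normal web-server reply:
    a well-formed HTTP/1.x status line with a 2xx-4xx code and a Content-Type."""
    try:
        code, h = parse_http_response(raw)
    except ValueError:
        return False
    return 200 <= code < 500 and "content-type" in h


RFC_KEY = "dGhlIHNhbXBsZSBub25jZQ=="  # example key from RFC 6455 section 1.3

# Constructed sample replies; not captured from any real server.
GOOD_UPGRADE = (
    b"HTTP/1.1 101 Switching Protocols\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n"
)
BAD_UPGRADE = (
    b"HTTP/1.1 101 Switching Protocols\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Accept: AAAAAAAAAAAAAAAAAAAAAAAAAAA=\r\n\r\n"
)
PLAIN_GET_REPLY = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print(browser_upgrade_request("cdn.example.invalid", "/ws", RFC_KEY).decode())
    print("good upgrade problems:", check_upgrade_response(GOOD_UPGRADE, RFC_KEY))
    print("bad upgrade problems:", check_upgrade_response(BAD_UPGRADE, RFC_KEY))
    print("plain GET looks ordinary:", is_ordinary_http_reply(PLAIN_GET_REPLY))
```

To use it against a live deployment, send the request from browser_upgrade_request() over a TLS socket to your own server and pass the raw reply to check_upgrade_response(); then send a plain GET for the same path and pass that reply to is_ordinary_http_reply(). A server that fails the second check is exactly the "time out or respond with garbage" case described above.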
This is sometimes called "TLS camouflage" or "HTTPS mode." The v2ray-plugin repository documents the plugin argument format and the WebSocket transport in detail. Our access key URLs follow the SIP002 URI scheme with the plugin parameter embedded, so any compatible client (Sing-box, Outline, v2rayNG, Clash, or Shadowrocket) will configure the full chain automatically from a single QR scan.
We do not claim this defeats every censorship system on every configuration. We say it is designed to resist the known active-probing techniques documented by researchers and operators since 2019. Against passive DPI, it is strong — the traffic is structurally indistinguishable from HTTPS. Against active probing, it is substantially more robust than plain Shadowsocks or a VPN with a bolt-on obfuscation layer.
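Because the whole chain is carried in one SIP002 URI (mentioned above both as the key format and as the thing a client configures from a single QR scan), it is worth seeing exactly what such a key contains. The following parser and builder are an added example, not code from this post or from shadowsocks-rust: the userinfo part is URL-safe base64 of "method:password" (padding optional) or, for AEAD-2022 methods, the percent-encoded plain form; the plugin query parameter is a percent-encoded, semicolon-separated list whose first item is the plugin name. The sample key, its password, the hosts example.invalid and cdn.example.invalid, and the uses_tls_camouflage() helper are constructed for the example.

```python
from __future__ import annotations

import base64
from dataclasses import dataclass, field
from urllib.parse import quote, unquote, urlsplit


@dataclass
class AccessKey:
    method: str
    password: str
    host: str
    port: int
    plugin: str | None = None            # plugin name, e.g. "v2ray-plugin"
    plugin_opts: dict = field(default_factory=dict)  # flag -> True, key -> value
    tag: str = ""


def _decode_userinfo(userinfo: str) -> tuple[str, str]:
    """Legacy AEAD keys: URL-safe base64 of "method:password", padding optional.
    AEAD-2022 keys: plain "method:password", percent-encoded (no base64)."""
    raw = unquote(userinfo)
    if ":" not in raw:
        raw = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4)).decode("utf-8")
    method, sep, password = raw.partition(":")
    if not (sep and method and password):
        raise ValueError("userinfo must decode to method:password")
    return method, password


def _parse_plugin(value: str) -> tuple[str, dict]:
    """'v2ray-plugin;tls;host=x' -> ('v2ray-plugin', {'tls': True, 'host': 'x'})"""
    name, *opts = value.split(";")
    parsed: dict = {}
    for opt in opts:
        if opt:
            k, sep, v = opt.partition("=")
            parsed[k] = v if sep else True
    return name, parsed


def parse_sip002(uri: str) -> AccessKey:
    parts = urlsplit(uri)
    if parts.scheme != "ss" or "@" not in parts.netloc:
        raise ValueError("expected ss://userinfo@host:port")
    userinfo, hostport = parts.netloc.rsplit("@", 1)
    host, sep, port_str = hostport.rpartition(":")   # rpartition keeps IPv6 literals intact
    if not sep or not port_str.isdigit() or not 1 <= int(port_str) <= 65535:
        raise ValueError("missing or invalid port")
    method, password = _decode_userinfo(userinfo)
    key = AccessKey(method, password, host.strip("[]"), int(port_str), tag=unquote(parts.fragment))
    for item in parts.query.split("&"):             # split before unquoting: %3B stays inside the value
        k, sep, v = item.partition("=")
        if k == "plugin" and sep:
            key.plugin, key.plugin_opts = _parse_plugin(unquote(v))
    return key


def build_sip002(key: AccessKey) -> str:
    plain = f"{key.method}:{key.password}"
    if key.method.startswith("2022-"):
        userinfo = quote(plain, safe="")
    else:
        userinfo = base64.urlsafe_b64encode(plain.encode()).decode().rstrip("=")
    host = f"[{key.host}]" if ":" in key.host else key.host
    uri = f"ss://{userinfo}@{host}:{key.port}/"
    if key.plugin:
        opts = [key.plugin] + [k if v is True else f"{k}={v}" for k, v in key.plugin_opts.items()]
        uri += "?plugin=" + quote(";".join(opts), safe="")
    if key.tag:
        uri += "#" + quote(key.tag, safe="")
    return uri


def uses_tls_camouflage(key: AccessKey) -> bool:
    """Constructed helper: True when the key carries v2ray-plugin with its tls
    flag, i.e. the WebSocket-over-TLS transport described in this post."""
    return key.plugin == "v2ray-plugin" and key.plugin_opts.get("tls") is True


# Constructed sample key: aes-256-gcm, password "test", v2ray-plugin over TLS on 443.
SAMPLE_URI = (
    "ss://YWVzLTI1Ni1nY206dGVzdA@example.invalid:443/"
    "?plugin=v2ray-plugin%3Btls%3Bhost%3Dcdn.example.invalid%3Bpath%3D%2Fws#demo"
)
SAMPLE_KEY = parse_sip002(SAMPLE_URI)

if __name__ == "__main__":
    print(SAMPLE_KEY)
    print("TLS camouflage:", uses_tls_camouflage(SAMPLE_KEY))
    print("round trip OK:", build_sip002(SAMPLE_KEY) == SAMPLE_URI)
```

The round trip is exact for legacy keys written without base64 padding, which is the form most clients emit; keys with padding still parse, they just rebuild without it. The plugin value is split on "&" before percent-decoding on purpose, since the semicolons and "=" inside it arrive encoded and must not be treated as query delimiters.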
Honest comparison
| | Standard VPN | Plain Shadowsocks | SS + v2ray-plugin (what we run) |
|---|---|---|---|
| Passive DPI resistance | Low (distinctive handshake) | Medium (looks like random data) | High (looks like HTTPS) |
| Active probe resistance | Medium (obfuscated servers help) | Low (probe exposes it) | High (real TLS server responds) |
| Speed overhead | Low to medium | Low | Low (one TLS layer) |
| Full-tunnel (all traffic) | Yes | No — per-app proxy | No — per-app proxy |
| Client support | Native OS support | Requires a client app | Requires a client app with plugin support |
| Setup | One-click (most providers) | QR scan | QR scan (plugin config is automatic) |
The one place VPNs still win is full-tunnel routing — all your traffic goes through by default, no per-app configuration. Shadowsocks is a proxy; if an app does not honor system proxy settings, it bypasses Shadowsocks. Most modern mobile clients (Sing-box, v2rayNG on Android, Clash on all platforms) handle this with TUN mode, which does cover all traffic. Outline does not — it is per-app. We note this so you pick the right client for your use case.
Trade-offs we accept
It is a proxy, not a VPN. Traffic that does not route through the proxy is not protected or tunneled. This is a feature for many users (lower overhead, no routing leaks from the VPN client itself), and a limitation for others (need to configure each app or use a TUN-mode client).
It is not an anonymity tool. Shadowsocks hides your traffic content and makes circumvention harder to detect and block. It does not make you anonymous. The exit server sees your destination. We see that you have a subscription and how many bytes you have transferred. We store bandwidth totals to enforce your plan — no timestamps, no destinations. But if you need verifiable anonymity, add Tor. Shadowsocks is the tunnel; Tor is the anonymity layer.
You are trusting us with the server. This is true of any proxy service. We are not asking you to take our word for it — we are asking you to evaluate our incentives (we operate a public subscription service with reputational stakes) and make a rational decision. The code for our provisioning and key management is auditable.
Get started
Scan the QR code on your dashboard with any of these clients:
- Android — Shadowsocks Android (official) or Hiddify (popular in Iran)
- Windows — Shadowsocks Windows
- macOS — ShadowsocksX
- Linux — shadowsocks-rust
Plans start at $3/month for 50 GB. If you are connecting from Iran or Myanmar, check our regional pricing — annual Starter is available at a lower price for those regions specifically.
Prefer Telegram? Our support bot handles connection troubleshooting, plan questions, and billing in both English and Farsi.
Crypto accepted: BTC and BTC Lightning via BTCPay Server, USDT-TRC20 for Tron wallets.