Not all VPN protocols work in China. In fact, most don’t.
Standard WireGuard gets blocked within minutes. Plain OpenVPN gets detected instantly. IKEv2 doesn’t even connect. The Great Firewall uses deep packet inspection (DPI) and AI-based traffic analysis to identify and block VPN traffic patterns in real-time.
Only protocols with obfuscation — technology that disguises VPN traffic as normal internet activity — can reliably get through. This guide explains which protocols work, which are dead, and what your VPN is actually doing behind the scenes.
Quick Answer: What Works in 2026#
| Protocol | Status in China | Speed | Used By |
|---|---|---|---|
| Lightway (ExpressVPN) | ✅ Reliable | Fast | ExpressVPN |
| StealthVPN (Astrill) | ✅ Very Reliable | Medium-Fast | Astrill |
| VLESS + REALITY | ✅ Most stealthy | Fast | Self-hosted / Xray |
| Hysteria2 | ✅ Fast + stealthy | Very Fast | Self-hosted |
| Trojan | ✅ Good | Medium-Fast | Self-hosted |
| OpenVPN TCP + obfuscation | ✅ Decent fallback | Slow | NordVPN, many providers |
| WireGuard + obfuscation | ⚠️ Works with extra setup | Very Fast | Astrill, tech-savvy users |
| V2Ray (VMess + TLS) | ⚠️ Conditional | Medium | Self-hosted |
| WireGuard (plain) | ❌ Detected quickly | Very Fast | — |
| Shadowsocks (plain) | ❌ Detected | Fast | — |
| IKEv2 / IPSec | ❌ Easily detected | Fast | — |
| SoftEther / L2TP | ❌ Dead | Slow | — |
If you use a commercial VPN: You don’t choose protocols — your VPN does it automatically. ExpressVPN uses Lightway, Astrill uses StealthVPN, NordVPN uses obfuscated OpenVPN. Just connect and go.
If you’re technical / self-hosting: VLESS + REALITY is the current gold standard, with Hysteria2 as the speed champion.
How the Great Firewall Detects VPNs#
Before understanding which protocols work, you need to understand what you’re up against:
3 Detection Methods the GFW Uses#
| Method | How It Works | What It Catches |
|---|---|---|
| DPI (Deep Packet Inspection) | Analyzes packet headers and payloads for known VPN patterns | OpenVPN, IPSec, plain WireGuard, Shadowsocks |
| IP Blocking | Blocks connections to known VPN server IPs | VPNs that don’t rotate IPs quickly |
| Behavioral Analysis | AI/ML detects traffic patterns that look like VPN use (encrypted streams, consistent bandwidth) | Protocols without traffic mimicry |
Why Standard VPNs Fail#
When you connect to a standard WireGuard server, the GFW sees:
- UDP traffic on unusual ports
- Consistent encrypted data stream
- Connection to a known data center IP
This takes the GFW milliseconds to identify and block.
What “Obfuscation” Actually Means#
Obfuscation is the technique of making VPN traffic look like normal internet activity. Instead of sending recognizable VPN packets, the protocol:
- Wraps VPN data inside normal HTTPS traffic — looks like you’re browsing a website
- Uses standard ports (443 for HTTPS, 80 for HTTP) — not suspicious VPN ports
- Mimics traffic patterns of regular web browsing — not a constant encrypted stream
- Uses legitimate TLS certificates — indistinguishable from real website connections
This is why obfuscation is the critical factor, not encryption strength or protocol speed.
Protocol-by-Protocol Breakdown#
1. Shadowsocks — Once Great, Now Detected#
| Type | Proxy (not a full VPN) |
| China Status (2026) | ❌ Detected — do not rely on it |
| Speed | Fast when it works |
| Stealth | Low — distinctive traffic pattern |
| Setup | Medium |
What happened: Shadowsocks was the go-to protocol for China from 2012–2019. The GFW deployed machine-learning detection around 2019 that identifies Shadowsocks traffic patterns. Plain Shadowsocks is now blocked within minutes in most Chinese cities.
Why it mattered: Shadowsocks was created by a Chinese developer specifically to bypass the GFW. It’s lightweight, fast, and was incredibly effective for years. The GFW caught up.
Verdict: Dead as a standalone solution. Some variants (ShadowsocksR, Shadowsocks + plugins) may work temporarily but are not reliable.
2. V2Ray / VMess — Still Conditional#
| Type | Proxy platform (supports multiple protocols) |
| China Status (2026) | ⚠️ Works with WebSocket + TLS + CDN |
| Speed | Medium |
| Stealth | High (when properly configured) |
| Setup | Hard |
How it works: V2Ray is a proxy platform that supports multiple protocols. The most common setup for China is VMess + WebSocket + TLS — this disguises your traffic as HTTPS communication. When combined with a CDN like Cloudflare, the GFW can’t see the actual server IP.
Problem: Since 2024, reports of V2Ray instability have increased. The GFW has improved detection of VMess traffic patterns even through TLS.
Verdict: Works conditionally with proper setup (WebSocket + TLS + CDN). Not as reliable as VLESS + REALITY. Requires technical expertise.
3. VLESS + REALITY — Current Gold Standard#
| Type | Proxy (Xray project, V2Ray fork) |
| China Status (2026) | ✅ Most stealthy protocol available |
| Speed | Fast |
| Stealth | Very High |
| Setup | Very Hard (self-hosted only) |
What makes it special: VLESS + REALITY “borrows” the TLS certificate of a real website (like microsoft.com or apple.com). To the GFW, your connection looks identical to a normal visit to that website. Unlike older TLS tricks that used suspicious self-signed certificates, REALITY uses genuine certificates — making it virtually indistinguishable from legitimate traffic.
Why it works: The GFW would have to block connections to microsoft.com or apple.com entirely to block this protocol, which would cause massive collateral damage.
Catch: Only available through self-hosted servers or specialized providers. No mainstream commercial VPN offers this.
4. Trojan — Full HTTPS Disguise#
| Type | Proxy |
| China Status (2026) | ✅ Works well |
| Speed | Medium-Fast |
| Stealth | High |
| Setup | Hard (needs domain + TLS certificate) |
How it works: Trojan wraps all traffic in TLS (HTTPS). To the GFW, it looks like you’re visiting a normal HTTPS website. Requires a real domain name and TLS certificate.
Verdict: Effective and relatively simple (compared to V2Ray). Good middle-ground option for self-hosters.
5. Hysteria2 — Speed Champion#
| Type | Proxy (QUIC-based) |
| China Status (2026) | ✅ Fast and stealthy |
| Speed | Very Fast (UDP-based) |
| Stealth | High (disguised as QUIC/HTTP-3) |
| Setup | Hard |
How it works: Hysteria2 uses QUIC (the protocol behind HTTP/3). Since QUIC is widely used by legitimate services (Cloudflare, CDNs, many modern websites), the GFW can’t block QUIC traffic without breaking huge portions of the internet.
Why it’s fast: UDP-based with custom congestion control. Significantly faster than TCP-based protocols, especially for streaming and downloads.
Catch: UDP-based protocols can be throttled by ISPs during congestion. May not be as stable during peak hours.
6. WireGuard — Fast But Exposed#
| Type | Full VPN |
| China Status (2026) | ❌ Plain WireGuard is detected; ⚠️ works with obfuscation layer |
| Speed | Very Fast (~3× OpenVPN) |
| Stealth | Low (plain) / Medium (with obfuscation) |
| Setup | Easy (plain) / Hard (with obfuscation) |
The problem: WireGuard uses UDP with a distinctive handshake pattern. The GFW identifies it within seconds. Plain WireGuard simply does not work in China.
The workaround: Add an obfuscation layer on top:
- udp2raw — disguises WireGuard UDP as TCP
- wstunnel — tunnels WireGuard through WebSocket + TLS
- Astrill’s implementation — Astrill wraps WireGuard with their own stealth layer
Verdict: Only use WireGuard in China if your VPN provider has wrapped it with obfuscation (Astrill does this). Don’t use plain WireGuard.
7. OpenVPN — The Fallback#
| Type | Full VPN |
| China Status (2026) | ❌ UDP blocked; ✅ TCP + obfuscation works |
| Speed | Slow-Medium |
| Stealth | Low (plain) / Medium-High (with obfuscation) |
| Setup | Easy |
OpenVPN UDP: Easily detected and blocked. Don’t use it in China.
OpenVPN TCP + obfuscation: NordVPN uses this approach. Traffic is tunneled through TCP port 443 with scrambled headers. Slower than other options but reliable as a fallback.
Verdict: Use OpenVPN TCP as a last resort when faster protocols fail. Not ideal for streaming or large downloads.
8. IKEv2 / IPSec — Dead in China#
| Type | Full VPN (native on iOS/macOS/Windows) |
| China Status (2026) | ❌ Easily detected |
| Speed | Fast |
| Stealth | Very Low |
Why it fails: IPSec uses distinctive UDP ports (500, 4500) and has a recognizable handshake. The GFW blocks it immediately. Useful everywhere else in the world — just not in China.
Verdict: Don’t use IKEv2 in China. If your VPN’s app shows “IKEv2” as an option, switch to a different protocol.
Proprietary Stealth Protocols (Commercial VPNs)#
Major VPN providers develop their own obfuscation protocols. Here’s what each uses:
ExpressVPN — Lightway#
| Protocol | Lightway (proprietary, open-source core) |
| Obfuscation | Automatic — built into every connection |
| China Reliability | ✅ High |
| User Action Needed | None — just connect |
ExpressVPN’s Lightway protocol includes automatic obfuscation. When it detects you’re in China (or any restricted region), it activates stealth mode without any user configuration. This is why ExpressVPN is the easiest VPN to use in China — you just tap connect.
NordVPN — Obfuscated Servers#
| Protocol | OpenVPN TCP + obfuscation |
| Obfuscation | Manual activation required |
| China Reliability | ✅ High (when configured correctly) |
| User Action Needed | Must select “Obfuscated Servers” from specialty menu |
NordVPN uses OpenVPN TCP with scrambled headers. Critical: You MUST manually select “Obfuscated Servers” from the Specialty Servers menu. Regular NordVPN servers do NOT work in China.
Astrill — StealthVPN + VIP#
| Protocol | StealthVPN (proprietary) + WireGuard option |
| Obfuscation | Multiple stealth layers |
| China Reliability | ✅ Very High (especially with VIP addon) |
| User Action Needed | Select StealthVPN protocol; VIP addon for dedicated IPs |
Astrill is purpose-built for China. Their StealthVPN protocol uses multiple obfuscation techniques and frequent IP rotation. The VIP addon provides dedicated server IPs that are far more resistant to GFW blocking.
Protocol Selection by Scenario#
| Your Situation | Best Protocol | Why |
|---|---|---|
| Tourist, just needs it to work | ExpressVPN Lightway (auto) | Zero configuration |
| Business traveler, needs reliability | Astrill StealthVPN + VIP | Dedicated IPs, fastest recovery |
| Budget, need it to work | NordVPN obfuscated OpenVPN | Works, just slower |
| Self-hosting, maximum stealth | VLESS + REALITY | Nearly undetectable |
| Self-hosting, maximum speed | Hysteria2 | Fastest protocol for China |
| Self-hosting, easy setup | Trojan | Good balance of stealth and simplicity |
| VPN failed, need a quick fix | Switch to OpenVPN TCP | Best fallback when primary protocol fails |
| Tech-savvy, want WireGuard speeds | WireGuard + udp2raw or wstunnel | WireGuard speed with stealth wrapping |
How Obfuscation Actually Works (Simplified)#
Think of it like this:
Without obfuscation:
Your phone → [VPN signal 🚨] → GFW blocks it ❌With obfuscation:
Your phone → [looks like normal HTTPS traffic 🌐] → GFW lets it through → arrives at VPN server → unblocks the internetThe VPN wraps your data in a “disguise” that looks like ordinary web browsing. The GFW sees what appears to be a normal HTTPS connection to a website — something billions of people do every day — and lets it pass.
FAQ#
What protocol does ExpressVPN use in China? ExpressVPN uses Lightway, their proprietary protocol with built-in obfuscation. It activates automatically when you connect — no settings to change.
Is WireGuard blocked in China? Yes, plain WireGuard is detected and blocked quickly. Only use WireGuard in China if your VPN provider wraps it with an obfuscation layer (Astrill does this).
Is Shadowsocks still working in China? No. Plain Shadowsocks has been detected by the GFW since 2019. Some variants with plugins may work temporarily, but it’s not reliable for 2026.
What’s the best protocol for China if I self-host? VLESS + REALITY is currently the hardest for the GFW to detect, followed by Hysteria2 for speed. Both require significant technical expertise to set up.
Does NordVPN work in China? Yes, but you must connect to Obfuscated Servers (under Specialty Servers). Regular NordVPN servers don’t work in China. Use OpenVPN TCP protocol.
Why does my VPN work on some days but not others? The GFW constantly updates its detection algorithms. VPN providers respond by rotating server IPs and updating obfuscation techniques. During sensitive political periods, blocking intensifies. Your VPN may stop working for hours, then recover as the provider deploys new server IPs.
What’s the difference between a VPN and a proxy? A VPN encrypts all traffic from your device. A proxy (Shadowsocks, V2Ray, Trojan) only routes specific traffic. For most users in China, the practical difference is minimal — both bypass the GFW when properly configured. Commercial VPNs are easier; self-hosted proxies offer more control.
Related Guides: