SecureFox logo[SECUREFOX]
//11Anti-Block

Slip past DPI without slowing your stream.

Fragment the TLS handshake into chunks too small for deep packet inspection to fingerprint. Costs 200-500 ms on first connect; zero impact on throughput after that.

//01Why this matters

Most VPNs die at the handshake, not the tunnel.

When a carrier or state firewall wants to block VPNs, it doesn't have to read your encrypted traffic — it just fingerprints the handshake. The exact byte length of a ClientHello, the order of TLS extensions, the timing between the first few packets: those signals are enough to recognise OpenVPN, IKEv2, even unmodified WireGuard. Once recognised, your connection is dropped or throttled to dial-up speed before the encrypted tunnel ever exists. Anti-block mode splits that first handshake into pieces small enough that DPI never sees a complete fingerprint — which means your tunnel survives the moment when most VPNs die.

//02How it works

Pay 0.4 seconds once. Save the whole session.

When anti-block is active, the client breaks the TLS ClientHello into 4-8 fragments of 100-200 bytes each, with a small jittered delay between each fragment. By the time the censor's middlebox has reassembled enough to attempt fingerprinting, the handshake has completed and the tunnel is encrypted. After that initial step, anti-block does nothing — every byte of data flows at full speed, with no fragmentation, no extra hops, no measurable overhead. The price is paid entirely in the connect step, and only once per session.

Connect time penalty+200 to +500 ms (one-time)
Throughput penalty0% — handshake only
Fragment size100-200 bytes (Indonesia tuned)
When activeAuto (default) · or force On in censored regions
//03Use cases

Where anti-block earns its keep.

01

Strict mobile carriers

Telkomsel prepaid, IndiHome on certain routes, and many other carriers in censorship-heavy markets fingerprint VPN handshakes and drop them at the gateway. Anti-block defeats that detection layer.

02

Inside China, Iran, Russia

State-grade firewalls go further than carriers — they actively probe suspected VPN endpoints. Anti-block paired with REALITY makes your traffic indistinguishable from ordinary HTTPS, which is the only viable approach in these networks.

03

Hostile public Wi-Fi

Airport, hotel, and café Wi-Fi often blocks anything that doesn't look like web browsing. Anti-block fragments the handshake enough that the captive portal can't recognise it as VPN and lets it through.

//04What you get

Anti-detection without the usual cost.

  • Defeats DPI handshake fingerprinting on consumer carriers and state firewalls
  • Zero throughput cost — fragmentation ends the moment the tunnel is up
  • Auto-detect mode probes the network and only fragments when needed
  • Manual override (On / Auto / Off) for known-hostile networks like China and Iran
  • Region-tuned defaults (Indonesia, Iran, Russia have field-tested fragment profiles)
//05Anti-block FAQ

Common questions about handshake fragmentation.

Will anti-block make my Netflix / YouTube slower?+

No — only the first 0.4 seconds of the connection are affected. Once the tunnel is up, streaming, downloads, and gaming run at exactly the same speed as without anti-block. The penalty is paid entirely in the handshake, never in the data plane.

Should I just leave it on all the time?+

If you're frequently on networks that block VPNs (mobile data in Indonesia, China, Iran, Russia), yes. On clean home Wi-Fi or unblocked corporate networks, leaving it on Auto means it stays off until needed — fastest connect time when the network isn't hostile. The cost of leaving it forced On is just ~400 ms per connect, which most users won't notice.

Does this leak that I'm using a VPN?+

The opposite — anti-block exists specifically to hide that fact. Without it, deep packet inspection can fingerprint a VPN handshake in milliseconds. With it, the handshake looks like a slow TLS connection to a normal website, which is consistent with bad mobile signal.

Why not always fragment, even after handshake?+

Because every fragment adds overhead. Fragmenting the handshake — a fixed-size packet that DPI specifically fingerprints — is high-value. Fragmenting every byte of bulk transfer would cut throughput dramatically with no extra anti-detection benefit, since DPI doesn't fingerprint random-looking encrypted data.

//06Features

Related features

Privacy & DPI Resistance

AES-256-GCM wrapped in REALITY transport. SecureFox traffic looks like a normal HTTPS visit, so deep packet inspection has nothing to fingerprint.

READ MORE

Built for Speed

WireGuard for clean networks, VLESS + XTLS-Vision when DPI is in the way. Zero-copy splice on the data path means near-line-rate throughput.

READ MORE
[ Ready ]

Try it free.

Anonymous mode gives you 1 GB every week, no account required. Sign up later for 2 GB.

Get the app