Originally, VPN technology was designed for secure communication between banks, enterprises, and corporations. Bypassing censorship was merely a “side effect” that has since become one of its primary applications.
When choosing a VPN solution (or before setting up your own self-hosted server), always check the list of protocols it supports. The protocol determines the connection speed, stability, battery consumption, and the reliability of protection against surveillance. Here is a breakdown of the most common VPN protocols to help you make an informed choice.
Vintage: PPTP and L2TP/IPSec
PPTP is the most “ancient” protocol on this list. It is very fast, but it trades security for speed due to its weak encryption and data protection. The culprit is the outdated MS-CHAP v2 encryption, which has been widely criticized since 1999. Furthermore, it is completely ineffective against modern censorship blocks. You might use it only if security isn't a priority and you simply need to change your IP to access an older website.
L2TP over IPSec is more reliable than PPTP. It is relatively easy to set up: at the time of publication, it is supported by default by macOS, iOS, and Android. However, Microsoft announced its departure from PPTP and L2TP back in 2024. The downsides of L2TP/IPSec are that it is slower and easily blocked: it uses the fixed ports UDP 500 and 4500, which are easy for regulators to identify and shut down.
The bottom line: both protocols are technically and morally obsolete. We do not recommend using PPTP or L2TP/IPSec. Let's consider better options.
Sharp: IKEv2
The main advantage of this protocol is its ability to switch between networks instantly. For example, if you leave your house—disconnecting from Wi-Fi and connecting to a 4G/5G network—IKEv2 will reroute your traffic so quickly that your music stream won't even skip a beat.
This is made possible by the MOBIKE protocol (Mobility and Multihoming Extension for IKEv2, RFC 4555), which allows the connection to update its parameters instead of rebuilding the entire tunnel from scratch. Data packets are redirected to the new address in milliseconds, so the music player's buffer never runs dry.
Despite its flexibility, it is still blocked by censorship authorities in several countries, including China, Iran and Russia.
The bottom line: IKEv2 is an excellent choice for smartphones, provided that VPN services are not actively blocked in your country.
Ironclad: OpenVPN
The main advantage of OpenVPN is its encryption based on robust algorithms such as AES-256. At the same time, its ability to operate over TCP port 443 allows it to mimic ordinary web traffic, making it harder to block. This is one of the protocol's key strengths.
However, OpenVPN trades speed for stealth: compared to WireGuard, this protocol consumes five times the server's CPU resources.
Approaching its 25th anniversary, OpenVPN is a well-known entity to DPI (Deep Packet Inspection) systems, which have had years to learn how to identify and block it without affecting companies that rely on the protocol for business purposes.
The bottom line: OpenVPN is versatile but struggles with high-speed data transfer. Furthermore, regulatory bodies around the world have been actively learning how to recognize and block traffic transmitted through it.
Neoclassical: WireGuard (WG)
The core idea behind WireGuard is maximum speed with minimal code (roughly 4,000 lines, compared to over 600,000 in OpenVPN and 400,000 in IPSec). It is faster than OpenVPN and much easier on mobile batteries.
It is worth quoting Linus Torvalds, the creator of Linux:
“Can I just once again state my love for it and hope it gets merged soon? Maybe the code isn't perfect, but I've skimmed it, and compared to the horrors that are OpenVPN and IPSec, it's a work of art.”
WireGuard uses UDP exclusively at the transport layer. However, its packets have a distinct structure, and the protocol does nothing to mask or obfuscate them. Regulators use these characteristics to identify and block the secure connection. In countries with strict censorship, DPI systems have learned to detect the WireGuard handshake and block it promptly.
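The distinct structure mentioned above can be seen in a small classifier, added here as an illustration and not taken from WireGuard or Amnezia code: it matches UDP payloads against the message types and fixed sizes defined in the WireGuard protocol specification. The function names and the sample payloads are constructed for this example.

```python
import struct

# Message layout from the WireGuard protocol specification: a 1-byte type and
# 3 reserved zero bytes (read together as a little-endian u32), followed by
# type-specific fields. The three handshake-related messages have fixed sizes.
WG_MESSAGES = {
    1: ("handshake_initiation", 148),
    2: ("handshake_response", 92),
    3: ("cookie_reply", 64),
    4: ("transport_data", None),  # 16-byte header + ciphertext + 16-byte tag
}
MIN_TRANSPORT_LEN = 32  # an empty keepalive: header plus authentication tag


def classify_wireguard(payload: bytes):
    """Return the WireGuard message name for a UDP payload, or None."""
    if len(payload) < 4:
        return None
    (msg_type,) = struct.unpack_from("<I", payload, 0)
    entry = WG_MESSAGES.get(msg_type)
    if entry is None:
        return None
    name, fixed_len = entry
    if fixed_len is not None:
        return name if len(payload) == fixed_len else None
    return name if len(payload) >= MIN_TRANSPORT_LEN else None


def scan(payloads):
    """Return (index, message name) for every payload that matches."""
    hits = []
    for i, p in enumerate(payloads):
        name = classify_wireguard(p)
        if name:
            hits.append((i, name))
    return hits


def _msg(msg_type: int, total_len: int) -> bytes:
    """Build a constructed payload: real header, filler instead of key material."""
    return struct.pack("<I", msg_type) + b"\xaa" * (total_len - 4)


# Constructed sample traffic (not captured from a real network).
SAMPLES = [
    _msg(1, 148),                               # handshake initiation
    _msg(2, 92),                                # handshake response
    _msg(4, 32),                                # keepalive
    bytes.fromhex("123401000001000000000000"),  # DNS-like header, not WireGuard
    _msg(1, 150),                               # right type, wrong size
]

if __name__ == "__main__":
    for idx, name in scan(SAMPLES):
        print(idx, name)
```

Only a four-byte header and a length check are needed to label the handshake, which is why an unmodified WireGuard tunnel is easy for a DPI system to single out.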
The bottom line: even the most sophisticated protocols eventually lose their edge. Fortunately, they can be modernized. Protocols like IKEv2, OpenVPN, and WireGuard were built during the era of “blacklists,” where the goal was simply to access a few forbidden sites. Today, countries like China and Russia are moving toward “whitelists”—allowing access only to approved sites and blocking everything else on the internet.
Let's talk about the protocols that have made bypassing censorship one of their primary missions.
Deceptively Simple: Trojan
Clarification: Trojan is not a VPN, but a proxy protocol running over TLS.
Designed specifically to bypass the Great Firewall of China, it hides user data inside harmless-looking HTTPS traffic—hence the name. Distinguishing it from standard web traffic is extremely difficult.
However, researchers Liuying Lv and Peng Zhou from Shanghai University demonstrated a detection mechanism for Trojan in their paper “TrojanProbe: Fingerprinting Trojan tunnel implementations by actively probing crafted HTTP requests”, published in January 2025.
The bottom line: Trojan uses innovative techniques to mask traffic, but regulators are already learning to counter it.
The Elusive: AmneziaWG
We began developing AmneziaWG in 2024 against the backdrop of the mass blocking of OpenVPN and WireGuard in Russia. We used WireGuard as a foundation—we were impressed by its speed, and we only had to teach it to hide itself.
To evade eavesdroppers, AmneziaWG 1.5 obfuscates traffic at the transport layer by:
- modifying packet headers,
- randomizing handshake message sizes,
- mimicking common UDP protocols.
Throughout these changes, the core cryptographic engine of WireGuard remains untouched, ensuring that the performance and security are fully preserved.
Let’s break down the terminology with an analogy. Imagine you are sending letters in bright orange envelopes labeled “Private Correspondence.” The postal worker cannot read the messages, because those are encrypted (for example, with Sherlock Holmes’ “Dancing Men” cipher). However, the worker has been ordered to discard all orange envelopes, so your messages never reach their destination.
To confuse the mailman, AWG folds orange envelopes into white, gray, and multi-colored ones, mixing them into a pile before delivering them to the post office. The mailman looks at your correspondence and sees no “orange” reason to intercept it.
This is exactly what happens with the TLS handshakes that Roskomnadzor (the Russian regulator) uses to identify VPN traffic. Amnezia WireGuard varies the parameters of these handshakes, depriving the censor of a consistent recognition template.
The bottom line: while prioritizing stealth, AWG maintains the high-speed performance of the original protocol.
The Evasive: Xray (with VLESS and Reality)
Another disclaimer: like Trojan, Xray is not a VPN, but a proxy protocol running over TLS.
Let’s clarify the terminology:
- VLESS is the actual proxy protocol.
- Xray is the core that handles requests on the client and server sides.
- Reality is the technology that obfuscates traffic, making it indistinguishable to regulators.
Their combined effort allows the connection to evade surveillance rather than just encrypt data. Essentially, this toolset pretends to be a legitimate connection. If Xray notices that a censor is watching, it masks your traffic as a standard connection to a third-party site—for example, Yahoo!. To a network analyzer, your proxy server becomes indistinguishable from that site’s actual server. Meanwhile, you gain access to the required resource.
This protocol was virtually invulnerable to Russian authorities until November 2025, when Roskomnadzor specialists learned to detect Xray/VLESS in a set of regions. This is yet another reminder of the constant evolution of censorship. All the while, Amnezia WireGuard has emerged as a successful alternative for users in Russia.
The bottom line: Xray is available to Amnezia VPN Premium users, but as of this writing, it occasionally experiences stability issues and should be considered a situational tool. It is useful in specific scenarios but does not guarantee 100% stability. Our team is actively working on restoring reliable Xray performance.
Censorship is the Engine of Progress
The Xray incident confirms that no protocol is eternal or universal. However, this is no reason to give up. In the summer of 2025, Roskomnadzor disrupted AWG 1.0, and our specialists responded with a more resilient AWG 1.5.
Spoiler alert: at the time of publication, AWG 2.0 is being prepared for release.
The race between censors and VPN developers continues, and we strive to stay two steps ahead (or at least one). Choose the protocol that fits your needs, but keep in mind the technical limits of each.




