You've been through this before. Your VPN worked fine. Then one day — nothing. You switch servers. Still nothing. You try a different protocol in the settings. You uninstall and reinstall. Maybe you search Reddit for answers and find a thread from three months ago saying the same thing. Eventually, something starts working again, for a while.
This is not random. It follows a pattern. And once you understand the pattern, the solution becomes obvious.
The Great Firewall is not a static wall
Most people picture the GFW as a list of blocked websites — a filter that sits between China and the outside internet. That part is real, but it's the least interesting part. The more sophisticated layer is what China's censors call active probing, combined with statistical traffic analysis.
Here's what actually happens when you connect to a VPN in China:
Your traffic travels from your phone or laptop to a server outside China. The firewall sees this connection and notices something: the traffic pattern doesn't look like normal HTTPS traffic to a website. Regular websites send data in specific ways — the timing, the packet sizes, the handshake sequence all follow patterns. VPN traffic has different patterns. Not always immediately obvious ones, but different enough to flag.
When the firewall detects a suspicious connection, it doesn't always block it immediately. Sometimes it keeps watching. Sometimes it sends its own probe — a connection attempt to the suspected VPN server from inside China — to confirm what it suspects. If the server responds in a way that confirms it's a VPN endpoint, the IP gets added to a block list.
Why shared VPNs fail faster
ExpressVPN, NordVPN, and every other commercial VPN service share their server IP addresses across thousands of customers. This creates a fundamental problem that can't be engineered away.
When 50,000 people are tunneling traffic through the same IP address, that IP becomes a very attractive target. The firewall notices the volume of connections. Researchers inside China are constantly testing and reporting blocked IPs. The VPN providers respond by adding new servers, rotating IPs, and pushing updates. The firewall blocks the new IPs. This cycle repeats endlessly.
The result for you: every few weeks or months, your particular server gets caught in a new round of blocking. The VPN pushes an update, you get a new server, it works again — until it doesn't.
This is not a bug in your VPN. It's the natural outcome of the shared IP model. There is no version of ExpressVPN or NordVPN that permanently solves this, because the model itself is what the firewall is exploiting.
What the firewall actually looks for
Modern traffic analysis inside China looks for several things simultaneously:
TLS fingerprinting. Every application that makes a TLS connection (the encryption layer under HTTPS) leaves a fingerprint in the handshake. Different VPN clients leave different fingerprints than real browsers. The firewall has catalogued the fingerprints of every major VPN protocol — OpenVPN, WireGuard, standard IKEv2. When it sees one, it knows.
Entropy analysis. Encrypted VPN traffic tends to look uniformly random, which is to say it has high entropy. Real HTTPS traffic to websites has more structure. Sophisticated analysis can distinguish between the two even without breaking the encryption.
Destination reputation. VPN servers tend to be hosted on specific cloud providers (AWS, DigitalOcean, Vultr) in specific data centers. The firewall maintains lists of IP ranges that are known hosting infrastructure — versus IP ranges used by residential internet, CDNs, and legitimate businesses. A connection to a known hosting IP gets more scrutiny.
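To make the TLS fingerprinting point concrete, here is an added example (not code from this page or from any censor) that derives a JA3 fingerprint, a widely used open method for identifying TLS clients, from two ClientHello records. The records, `build_client_hello`, and the cipher and group lists are constructed for illustration; the page does not say which fingerprinting method the firewall uses.

```python
import hashlib
import struct

GREASE = {0x0A0A + 0x1010 * i for i in range(16)}  # RFC 8701 values, skipped by JA3
u16s = lambda buf: [v for (v,) in struct.iter_unpack("!H", buf)]

def build_client_hello(ciphers, groups, sni=b"example.com"):
    """Constructed sample input: a minimal TLS ClientHello record."""
    pack = lambda vals: b"".join(struct.pack("!H", v) for v in vals)
    vec = lambda body: struct.pack("!H", len(body)) + body  # 2-byte length prefix
    ext = lambda etype, body: struct.pack("!H", etype) + vec(body)
    exts = (ext(0, vec(b"\x00" + vec(sni)))     # server_name
            + ext(10, vec(pack(groups)))        # supported_groups
            + ext(11, b"\x01\x00"))             # ec_point_formats
    body = (b"\x03\x03" + bytes(32) + b"\x00" + vec(pack(ciphers))
            + b"\x01\x00" + vec(exts))
    return b"\x16\x03\x01" + vec(b"\x01" + len(body).to_bytes(3, "big") + body)

def ja3_string(rec):
    """JA3 fields: version,ciphers,extensions,groups,point formats."""
    if len(rec) < 44 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    version = struct.unpack_from("!H", rec, 9)[0]
    pos = 9 + 2 + 32                        # past version and client random
    pos += 1 + rec[pos]                     # past session id
    n = struct.unpack_from("!H", rec, pos)[0]
    ciphers = u16s(rec[pos + 2:pos + 2 + n])
    pos += 2 + n
    pos += 1 + rec[pos]                     # past compression methods
    end = pos + 2 + struct.unpack_from("!H", rec, pos)[0]
    pos += 2
    exts, groups, formats = [], [], []
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", rec, pos)
        data = rec[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        exts.append(etype)
        if etype == 10:
            groups = u16s(data[2:])
        elif etype == 11:
            formats = list(data[1:])
    keep = lambda vals: "-".join(str(v) for v in vals if v not in GREASE)
    return ",".join([str(version), keep(ciphers), keep(exts), keep(groups), keep(formats)])

def ja3_hash(rec):
    return hashlib.md5(ja3_string(rec).encode()).hexdigest()

BROWSER_LIKE = build_client_hello([0x0A0A, 4865, 4866, 4867, 49195], [0x1A1A, 29, 23, 24])
TOOL_LIKE = build_client_hello([4866, 4867, 49196], [29, 23])
```

Both records are equally well encrypted once the session starts, yet their hashes differ because the fingerprint is computed from the cleartext ClientHello alone.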
Why WireGuard is particularly bad in China
WireGuard is technically excellent — fast, efficient, modern cryptography. It's also immediately identifiable. WireGuard uses UDP by default and has a distinctive handshake pattern that the GFW has been trained to recognize. Connections using standard WireGuard in China are typically blocked within seconds of being detected, not weeks.
This surprises many people who associate modern protocols with better privacy. But fingerprint resistance and encryption strength are completely separate properties. WireGuard is highly private in terms of what data it protects. It is very poor at hiding what it is.
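An added example, not from the original page: a classifier over constructed UDP payloads, showing that WireGuard's fixed message types and sizes identify it even though everything after the 4-byte header is high-entropy. It illustrates both the entropy analysis point earlier and the distinction drawn here. The flows, `fake_random`, and the function names are assumptions made for the example; the message sizes come from WireGuard's published message layout.

```python
import hashlib
import math
from collections import Counter

# Fixed sizes of WireGuard's first three message types: each starts with a
# type byte and three zero bytes, followed by fixed-width fields.
FIXED = {1: ("handshake_initiation", 148),
         2: ("handshake_response", 92),
         3: ("cookie_reply", 64)}

def classify(payload):
    """Name the WireGuard message a UDP payload matches, or None."""
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":
        return None
    if payload[0] in FIXED:
        name, size = FIXED[payload[0]]
        return name if len(payload) == size else None
    if payload[0] == 4 and len(payload) >= 32:   # 16-byte header + 16-byte tag
        return "transport_data"
    return None

def entropy(data):
    """Shannon entropy in bits per byte."""
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def flow_is_wireguard(datagrams):
    """datagrams: (direction, payload) pairs in order, direction 'c2s' or 's2c'."""
    first_up = next((p for d, p in datagrams if d == "c2s"), b"")
    first_down = next((p for d, p in datagrams if d == "s2c"), b"")
    return (classify(first_up) == "handshake_initiation"
            and classify(first_down) == "handshake_response")

def fake_random(n, seed):
    """Deterministic stand-in for ciphertext and key material (constructed)."""
    return hashlib.shake_256(seed).digest(n)

# Constructed flows, not captured traffic.
WG_FLOW = [("c2s", b"\x01\x00\x00\x00" + fake_random(144, b"init")),
           ("s2c", b"\x02\x00\x00\x00" + fake_random(88, b"resp")),
           ("c2s", b"\x04\x00\x00\x00" + fake_random(92, b"data"))]
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x07example\x03com\x00\x00\x01\x00\x01")
DNS_FLOW = [("c2s", DNS_QUERY), ("s2c", DNS_QUERY[:2] + b"\x81\x80" + DNS_QUERY[4:])]
```

The match needs only two datagrams and no decryption: `entropy` over the handshake body is high, while the four header bytes and the packet lengths are constant.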
The only approach that actually works long-term
The solution has to address the root cause: your traffic needs to be genuinely indistinguishable from normal HTTPS traffic — not just encrypted, not just obfuscated, but actually performing a real TLS handshake with a real domain.
This is what the Xray Reality protocol does, and it's fundamentally different from anything the commercial VPN industry offers.
Instead of tunneling your traffic inside a VPN protocol, Reality performs a complete TLS handshake with an actual legitimate domain — a real website that exists, that has a real certificate, that any TLS inspector would verify as authentic. Your traffic then rides inside that established TLS session. The firewall sees a TLS connection to, say, a cloud storage service or a software company. Because that's technically what it is.
There's no VPN fingerprint to detect, because there's no VPN handshake. There's no distinctive packet pattern, because the TLS session is genuine. Deep packet inspection confirms what the firewall already suspects — a real TLS connection — and moves on.
But there's a second factor: your own IP
Even with the best protocol, shared infrastructure creates risk. If 10,000 people are using a server with the same IP, that IP eventually draws attention regardless of how good the traffic looks.
A dedicated server — one that only you and the people you choose use — has an IP address with no history, no pattern of mass tunneling, nothing to distinguish it from any other small cloud server running a legitimate application. There's no reason for the firewall to look twice at it.
This is the combination that produces stable, long-term connectivity in China: a protocol that looks like normal traffic, on an IP address that has no suspicious history.
The setup is the hard part
The Xray Reality protocol is not something you install from an app store. It requires server-side configuration — choosing the right domain to borrow for the TLS handshake, configuring certificate handling, setting up the correct client parameters, and making sure the whole chain is actually working before you depend on it.
The protocol itself is open source and free. The $5/month VPS it runs on is paid directly to whatever provider you choose. The only thing RouteVeil charges for is doing the configuration correctly — so you don't spend a week debugging why your connection is being detected and blocked.
Once it's running, it tends to keep running.
The pattern of VPNs failing in China is not going away. The arms race between the GFW and commercial VPN providers is permanent, because shared infrastructure is fundamentally exploitable. The alternative — your own server, properly configured — sidesteps the arms race entirely by not being part of it.