VPNSmith

Custom VPN routing on Contabo: DPI bypass Iran / China 2026

Plain WireGuard is detected by sophisticated DPI. Here are 3 tested Contabo setups (V2Ray + WS + TLS, Cloak, Shadowsocks 2022) to bypass GFW and SmartFilter.

By Eric Gerard · Founder · VPNSmith · Self-hosted VPN & GDPR VPS specialist · 9 min read · Photo: Massimo Botturi (Unsplash)

Affiliate disclosure — This article contains affiliate links (Contabo, NordVPN). If you order a VPS or a subscription through our links, we earn a commission at no extra cost to you. It doesn't influence the content: we document what we actually run in production, including when an affiliated product doesn't fit your case.

You followed our self-host WireGuard on Contabo guide, it works perfectly from Paris or Berlin, and then you fly to Shanghai or Tehran for two weeks. Surprise: the tunnel connects for 3 seconds, then silence. No clean timeout, just dropped packets. Welcome to Deep Packet Inspection (DPI), where national firewalls identify WireGuard down to the byte.

This guide explains why plain WireGuard gets crushed by the GFW (Great Firewall of China) or SmartFilter (Iran), and gives 3 tested setups on a Contabo VPS to slip through: V2Ray + WebSocket + TLS, Cloak as a frontend, and Shadowsocks 2022. None is magical — each carries a cost in latency, throughput and complexity — but one of the three almost always works depending on the country.

How Deep Packet Inspection works

A classic firewall filters on source/dest IP and port. DPI goes further: it inspects packet content, identifies the protocol regardless of port, and applies rules. The three notorious censors in 2026:

  • GFW (mainland China) — The most sophisticated. Combines signature matching (handshake patterns), entropy analysis (an encrypted packet has a specific entropy), active probing (the firewall opens an outbound connection to your server to test its behavior) and machine learning on inter-packet timing. Reference work: Hoang et al., "How Great is the Great Firewall?" (USENIX Security 2021) and the live data at GFW Report.
  • SmartFilter (Iran, TCI) — Less sophisticated than the GFW but aggressive. Blocks on known signatures (OpenVPN, WireGuard, IKEv2) and throttles suspicious TLS flows toward non-whitelisted IPs. During unrest (Sept 2022, Nov 2024) it switches to a "near-closed internet" mode that whitelists domestic IPs only.
  • TSPU (Russia, Roskomnadzor) — Deployed since 2021, ramping up. Progressively blocks Tor, OpenVPN, WireGuard. More lax on TLS flows toward Cloudflare, but that changes every month.

The WireGuard initial handshake is distinctly identifiable: 148 bytes, fixed structure (message type 1), no padding. A modern DPI spots it in <50 ms. That's why plain WireGuard works everywhere… except where you actually need it.
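As an added illustration of that fingerprint (example code written for this edit, not part of the guide): a shape-only classifier of the kind a DPI engine, or a corporate network-monitoring rule looking for unauthorised tunnels, applies to UDP payloads. The message lengths come from the WireGuard protocol specification; sample packets are constructed with random field contents, so no real traffic or keys are involved.

```python
import os

# Message lengths fixed by the WireGuard protocol (bytes); the handshake
# initiation is the 148-byte, type-1 packet the article refers to.
HANDSHAKE_INIT_LEN = 148   # type 1: 4 hdr + 4 idx + 32 + 48 + 28 + mac1 16 + mac2 16
HANDSHAKE_RESP_LEN = 92    # type 2
COOKIE_REPLY_LEN = 64      # type 3
TRANSPORT_HDR_LEN = 16     # type 4: 4 hdr + 4 idx + 8 counter, then AEAD ciphertext

def classify(payload: bytes) -> str:
    """Return the WireGuard message kind this UDP payload is shaped like, or
    'unknown'. Pure shape matching, which is all a DPI signature needs: no keys,
    no decryption."""
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":  # reserved bytes are always zero
        return "unknown"
    mtype, n = payload[0], len(payload)
    if mtype == 1 and n == HANDSHAKE_INIT_LEN:
        # mac2 is all zeros unless the peer is answering a cookie challenge
        return "handshake_init" if payload[-16:] == bytes(16) else "handshake_init_cookie"
    if mtype == 2 and n == HANDSHAKE_RESP_LEN:
        return "handshake_response"
    if mtype == 3 and n == COOKIE_REPLY_LEN:
        return "cookie_reply"
    # Data packets: 16-byte header plus ciphertext padded to a 16-byte multiple
    # (+16-byte tag), so the whole datagram is a multiple of 16 and at least 32.
    if mtype == 4 and n >= TRANSPORT_HDR_LEN + 16 and n % 16 == 0:
        return "transport_data"
    return "unknown"

def constructed_handshake_init(with_cookie: bool = False) -> bytes:
    """A constructed initiation packet: correct framing, random field contents."""
    fields = os.urandom(HANDSHAKE_INIT_LEN - 4 - 16)       # idx + crypto fields + mac1
    mac2 = os.urandom(16) if with_cookie else bytes(16)
    return b"\x01\x00\x00\x00" + fields + mac2

def flow_verdict(client_to_server: bytes, server_to_client: bytes) -> str:
    """Flow-level rule a censor applies: initiation out, 92-byte response back
    in the first round trip, and the flow is WireGuard whatever the port."""
    if classify(client_to_server).startswith("handshake_init") and \
       classify(server_to_client) == "handshake_response":
        return "wireguard"
    return "other"

if __name__ == "__main__":
    init, resp = constructed_handshake_init(), b"\x02\x00\x00\x00" + os.urandom(88)
    tls_like = b"\x16\x03\x01" + os.urandom(145)   # 148 bytes that merely start like a TLS record
    print(classify(init), classify(resp), classify(tls_like), flow_verdict(init, resp))
```

The 148-byte length alone is not enough (the TLS-looking packet is also 148 bytes); it is the combination of type byte, zero reserved bytes, exact length and zero mac2 that makes the signature cheap and reliable.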

The goal of the three setups below: make VPN traffic indistinguishable from legitimate HTTPS traffic to a residential-looking domain. If the firewall can't tell your flow apart from a Cloudflare CDN session, it can't block without collateral damage.

Setup 1 — V2Ray + WebSocket + TLS (Trojan-Go) on Contabo

This is our default pick for China. The traffic looks like a visitor browsing a WordPress site over HTTPS. The GFW can detect WebSocket with long-term temporal analysis, but the TLS 1.3 + real SNI + reverse-proxy combo (Caddy) makes it very hard to filter without collateral damage.

Prerequisites:

  • A Contabo VPS S (€4.99/mo) — Singapore or Tokyo datacenter for acceptable China latency (~50-80 ms vs 250 ms from Europe). If you don't have a VPS yet, check the Contabo VPS S 24-month offer.
  • A real domain you control (e.g. cdn.yourdomain.com) pointing at the VPS IP. No domain = no TLS = no bypass.
  • Cloudflare DNS proxy (orange cloud), optional but recommended to mask the origin IP.

Install (Ubuntu 24.04 LTS, as root):

# 1. Caddy reverse proxy + auto Let's Encrypt cert
apt update && apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | tee /etc/apt/sources.list.d/caddy-stable.list
apt update && apt install -y caddy

# 2. V2Ray
bash <(curl -L https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh)

Config /usr/local/etc/v2ray/config.json:

{
  "inbounds": [{
    "port": 10000,
    "listen": "127.0.0.1",
    "protocol": "vmess",
    "settings": {
      "clients": [{ "id": "UUID-GENERATED-WITH-uuidgen", "alterId": 0 }]
    },
    "streamSettings": {
      "network": "ws",
      "wsSettings": { "path": "/cdn-static/v3/assets" }
    }
  }],
  "outbounds": [{ "protocol": "freedom" }]
}

Caddy config /etc/caddy/Caddyfile:

cdn.yourdomain.com {
  root * /var/www/html
  file_server
  handle /cdn-static/v3/assets {
    reverse_proxy 127.0.0.1:10000
  }
}

Drop a real static HTML page in /var/www/html/index.html (a cooking blog, a fake portfolio — doesn't matter, it has to look legitimate when the GFW probes your domain). Enable:

systemctl enable --now caddy v2ray

On the client (V2RayN on Windows, V2Box on iOS, v2rayNG on Android), configure a VMess WS+TLS server pointing at cdn.yourdomain.com:443, path /cdn-static/v3/assets, same UUID. Test: connect from inside China; traffic should flow without drops.
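The two files above have to agree on three things (loopback bind, a real UUID, matching WebSocket path), and a typo in any of them fails silently. The following check is an added example for this edit, not a VPNSmith or V2Ray tool; it embeds constructed copies of both files, and the UUID in it is a made-up, well-formed stand-in for the output of uuidgen.

```python
import json
import re
import uuid

# Constructed copies of the two Setup 1 files (the UUID is a made-up stand-in for uuidgen output).
V2RAY_CONFIG = """{
  "inbounds": [{
    "port": 10000, "listen": "127.0.0.1", "protocol": "vmess",
    "settings": {"clients": [{"id": "123e4567-e89b-12d3-a456-426614174000", "alterId": 0}]},
    "streamSettings": {"network": "ws", "wsSettings": {"path": "/cdn-static/v3/assets"}}
  }],
  "outbounds": [{"protocol": "freedom"}]
}"""

CADDYFILE = """cdn.yourdomain.com {
  root * /var/www/html
  file_server
  handle /cdn-static/v3/assets {
    reverse_proxy 127.0.0.1:10000
  }
}"""

def caddy_proxies(caddy_text: str) -> dict:
    """Map every 'handle <path> { reverse_proxy <target> }' block to path -> target."""
    return dict(re.findall(r"handle\s+(\S+)\s*\{[^}]*?reverse_proxy\s+(\S+)", caddy_text))

def check(v2ray_text: str, caddy_text: str) -> list:
    """Return a list of problems; an empty list means config.json and the Caddyfile agree."""
    problems = []
    proxies = caddy_proxies(caddy_text)
    if "file_server" not in caddy_text:
        problems.append("Caddyfile serves no static site: probes of the domain get no cover page")
    for ib in json.loads(v2ray_text).get("inbounds", []):
        port = ib.get("port")
        path = ib.get("streamSettings", {}).get("wsSettings", {}).get("path")
        # Caddy must be the only public face; a VMess/WS port bound to 0.0.0.0 is reachable directly.
        if ib.get("listen") != "127.0.0.1":
            problems.append(f"inbound :{port} is not bound to 127.0.0.1")
        # The guide's placeholder must have been replaced by a real UUID.
        for client in ib.get("settings", {}).get("clients", []):
            try:
                uuid.UUID(str(client.get("id")))
            except ValueError:
                problems.append(f"client id {client.get('id')!r} is not a valid UUID")
        # The WebSocket path must be exactly what Caddy proxies to this port.
        if proxies.get(path) != f"127.0.0.1:{port}":
            problems.append(f"Caddyfile does not proxy {path} to 127.0.0.1:{port}")
    return problems

if __name__ == "__main__":
    for line in check(V2RAY_CONFIG, CADDYFILE) or ["OK: config.json and Caddyfile agree"]:
        print(line)
```

On a real host, read the two files from /usr/local/etc/v2ray/config.json and /etc/caddy/Caddyfile and pass their contents to check().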

Measured overhead from Beijing via Contabo Singapore: latency +15 ms vs plain WireGuard (impossible in China anyway), throughput ~85 Mbps (vs 195 sustained for plain WireGuard in Europe). Fine for browsing, mediocre for HD streaming.

Setup 2 — Cloak (frontend for WireGuard / OpenVPN)

Cloak is a TLS wrapper simpler than V2Ray, sitting in front of an existing tunnel (WireGuard, OpenVPN, Shadowsocks). For someone who already has a working WireGuard setup and just wants to add an obfuscation layer: this is the fastest path.

Pros:

  • Setup in 15 minutes, no complex domain/TLS handling (built-in ACME auto cert).
  • Works well in Iran and Turkey where DPI is less aggressive than the GFW.
  • Light CPU footprint: ~5% of one vCPU for 100 Mbps of traffic.

Cons:

  • The GFW can detect Cloak with behavioral analysis (specific timing patterns). We've seen connections last 3-7 days then get blocked in mainland China.
  • Less actively maintained than V2Ray (last major commit 2023). Not dead, but slow evolution.

Server install:

CK_VERSION=v2.7.0
wget https://github.com/cbeuw/Cloak/releases/download/$CK_VERSION/ck-server-linux-amd64-$CK_VERSION
chmod +x ck-server-linux-amd64-$CK_VERSION && mv ck-server-linux-amd64-$CK_VERSION /usr/local/bin/ck-server
ck-server -k  # generate the server keypair (private key goes in ckserver.json, public key to clients)

Create /etc/cloak/ckserver.json (mkdir -p /etc/cloak first):

{
  "ProxyBook": {
    "wireguard": ["udp", "127.0.0.1:51820"]
  },
  "BindAddr": [":443"],
  "BypassUID": ["GENERATED-UID"],
  "RedirAddr": "www.bing.com",
  "PrivateKey": "YOUR-PRIVATE-KEY"
}

RedirAddr is critical: if the firewall probes your server without a valid Cloak handshake, it's redirected to www.bing.com (camouflage). Pick a popular domain, not blacklisted in the target country (avoid Google in China).

Start (the release binary ships without a systemd unit, so first create one that runs ck-server -c /etc/cloak/ckserver.json):

systemctl enable --now ck-server

On the client, the ck-client app (binary available for Linux/macOS/Win/Android) takes the same config plus the matching PublicKey. The WireGuard tunnel is then established on top of Cloak — from the WireGuard app, your endpoint points at 127.0.0.1:local-cloak-port instead of the VPS IP.

Setup 3 — Shadowsocks 2022 (chacha20-ietf-poly1305)

Shadowsocks is the ancestor of anti-censorship tools (created by "clowwindy" in China in 2012). The 2022 version (official spec) fixes several cryptographic weaknesses of v1 and is still recommended by Chinese users for its simplicity/performance ratio.

Ideal use case:

  • Iran, Turkey, UAE — passes almost always.
  • Mainland China as a backup when V2Ray has a bad day.
  • You want a lightweight setup (5 MB binary, 10-line config).

Honest limits:

  • Without a TLS plugin (v2ray-plugin), Shadowsocks 2022 stays detectable by the GFW via statistical entropy analysis. We recommend it with v2ray-plugin enabled.
  • If you want a "set and forget" setup that survives GFW updates: pick V2Ray.

Install:

apt install -y shadowsocks-libev v2ray-plugin

Config /etc/shadowsocks-libev/config.json:

{
  "server": "0.0.0.0",
  "server_port": 8443,
  "password": "STRONG-PASSWORD-32-CHARS",
  "method": "chacha20-ietf-poly1305",
  "plugin": "v2ray-plugin",
  "plugin_opts": "server;tls;host=cdn.yourdomain.com;path=/api/v2"
}

Enable:

systemctl enable --now shadowsocks-libev

On the client: Outline (Google Jigsaw) or Shadowrocket (iOS) natively support SS 2022 + v2ray-plugin. Import the generated ss://... URI and you're connected.

Which setup for which country

Table based on real tests (Q4 2025 / Q1 2026) from local accounts and jump VPSes. Ratings change fast — always cross-check with GFW Report before traveling.

Country        | V2Ray WS+TLS | Cloak     | Shadowsocks 2022 | Notes
---------------|--------------|-----------|------------------|---------------------------------------------
Mainland China | Excellent    | Average   | Average          | V2Ray = default. SS only with v2ray-plugin.
Iran           | Excellent    | Excellent | Good             | All pass outside of blackout periods.
Russia         | Good         | Average   | Average          | TSPU blocking progressively; vary ports.
Turkey         | Excellent    | Excellent | Excellent        | DPI not aggressive except around elections.
UAE            | Excellent    | Excellent | Good             | VoIP blocked, tunnel passes.
Saudi Arabia   | Good         | Good      | Good             | Less sophisticated, but many topical blocks.

For business trips to China, we always plan a backup: V2Ray primary + Shadowsocks 2022 secondary on two different VPSes (different datacenters ideally). If one falls, the other holds.

Performance overhead

iperf3 + curl measurements, Contabo Singapore VPS, mobile 5G client in Beijing (March 2026, ~10 sessions per method):

Method                            | Added latency | Max throughput | Server CPU @ 50 Mbps
----------------------------------|---------------|----------------|---------------------
Plain WireGuard (Europe baseline) | +8 ms         | 195 Mbps       | 4%
V2Ray WS + TLS                    | +18 ms        | 85 Mbps        | 22%
Cloak + WireGuard                 | +12 ms        | 110 Mbps       | 14%
Shadowsocks 2022 + v2ray-plugin   | +14 ms        | 95 Mbps        | 12%

Pragmatic conclusion: all methods cost 40 to 55% of max throughput vs plain WireGuard. That's normal — each TLS + WS layer adds overhead, and the double encapsulation (Cloak) doubles the headers. For browsing and 720p video calls, all are fine. For 4K, you'll need a beefier VPS (VPS M or Cloud VPS 10).

When an obfuscated commercial VPN is simpler

Editorial honesty: if you're going to China for two weeks and don't want to debug Caddy at midnight from a hotel, a commercial VPN with obfuscated servers is more cost-efficient on time. Our reference in that category: NordVPN with its obfuscated servers.

The pros:

  • Native mobile apps, automatic kill switch, 24/7 chat support.
  • Obfuscation enabled in 2 clicks (advanced settings → obfuscated servers).
  • Works in 80% of cases in China. When it breaks, they update their servers within days.

The cons:

  • You share an IP with other users (bad for Stripe/Cloudflare outside China).
  • Price doubles on renewal (see our 5-year cost analysis).
  • In Iran during a blackout, even NordVPN falls — only a self-hosted setup with IP rotation holds.

The combination NordVPN for occasional trips + Contabo self-host for daily life is the best compromise for most digital nomads moving around Asia or the Middle East.

Article published 2026-06-02, based on real-world tests in Q1 2026. Anti-DPI techniques evolve constantly: what works today may break in 6 months. If you spot a change in GFW or SmartFilter behavior, drop us a line at contact@vpnsmith.com — we'll update.

Legal note: self-hosting a VPN is legal in the EU, US and Canada. In China, Iran, Russia, UAE, using unauthorized tunnels is illegal locally (variable penalties, from fines to prison). VPNSmith publishes this content for educational purposes; you alone are responsible for your usage.
