VPNSmith
self-host-vpnINFO

Custom VPN routing on Contabo: DPI bypass Iran / China 2026

Plain WireGuard is detected by sophisticated DPI. Here are 3 Contabo setups compared (V2Ray + WS + TLS, Cloak, Shadowsocks 2022) to bypass GFW and SmartFilter.

By Eric Gerard · Founder · VPNSmith - Self-host VPN & GDPR VPS specialist9 min readPhoto: Massimo Botturi - Unsplash

Affiliate disclosure - This article contains affiliate links (Contabo, NordVPN). If you order a VPS or a subscription through our links, we earn a commission at no extra cost to you. It doesn't influence the content: we document what we actually run in production, including when an affiliated product doesn't fit your case.

You followed our self-host WireGuard on Contabo guide, it works perfectly from Paris or Berlin, and then you fly to Shanghai or Tehran for two weeks. Surprise: the tunnel connects for 3 seconds, then silence. No clean timeout, just dropped packets. Welcome to Deep Packet Inspection (DPI), where national firewalls identify WireGuard down to the byte.

This guide explains why plain WireGuard gets crushed by the GFW (Great Firewall of China) or SmartFilter (Iran), and compares 3 setups on a Contabo VPS to slip through: V2Ray + WebSocket + TLS, Cloak as a frontend, and Shadowsocks 2022. None is magical - each carries a cost in latency, throughput and complexity - but one of the three almost always works depending on the country. For the V2Ray protocol details (VMess vs VLESS) see our V2Ray / VMess / VLESS setup guide, and to pick between the Xray and sing-box cores read sing-box vs Xray.

How Deep Packet Inspection works

A classic firewall filters on source/dest IP and port. DPI goes further: it inspects packet content, identifies the protocol regardless of port, and applies rules. The three notorious censors in 2026:

  • GFW (mainland China) - The most sophisticated. Combines signature matching (handshake patterns), entropy analysis (an encrypted packet has a specific entropy), active probing (the firewall opens an outbound connection to your server to test its behavior) and machine learning on inter-packet timing. Reference work: Hoang et al., "How Great is the Great Firewall?" (USENIX Security 2021) and the live data at GFW Report.
  • SmartFilter (Iran, TCI) - Less sophisticated than the GFW but aggressive. Blocks on known signatures (OpenVPN, WireGuard, IKEv2) and throttles suspicious TLS flows toward non-whitelisted IPs. During unrest (Sept 2022, Nov 2024), switches to "near-closed internet" mode with a whitelist of domestic IPs only.
  • TSPU (Russia, Roskomnadzor) - Deployed since 2021, ramping up. Progressively blocks Tor, OpenVPN, WireGuard. More lax on TLS flows toward Cloudflare, but that changes every month.

The WireGuard initial handshake is distinctly identifiable: 148 bytes, fixed structure (message type 1), no padding. A modern DPI spots it in <50 ms. That's why plain WireGuard works everywhere… except where you actually need it.

The goal of the three setups below: make VPN traffic indistinguishable from legitimate HTTPS traffic to a residential-looking domain. If the firewall can't tell your flow apart from a Cloudflare CDN session, it can't block without collateral damage.

Setup 1 - V2Ray + WebSocket + TLS (Trojan-Go) on Contabo

This is our default pick for China. The traffic looks like a visitor browsing a WordPress site over HTTPS. The GFW can detect WebSocket with long-term temporal analysis, but the TLS 1.3 + real SNI + reverse-proxy combo (Caddy) makes it very hard to filter without collateral damage.

Prerequisites:

  • A Contabo Cloud VPS 10 (€5.50/mo) - Singapore or Tokyo datacenter for acceptable China latency (~50-80 ms vs 250 ms from Europe). If you don't have a VPS yet, check the Contabo Cloud VPS 10 24-month offer.
  • A real domain you control (e.g. cdn.yourdomain.com) pointing at the VPS IP. No domain = no TLS = no bypass.
  • Cloudflare DNS proxy (orange cloud), optional but recommended to mask the origin IP.

Install (Ubuntu 24.04 LTS, as root):

# 1. Caddy reverse proxy + auto Let's Encrypt cert
apt update && apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | tee /etc/apt/sources.list.d/caddy-stable.list
apt update && apt install -y caddy

# 2. V2Ray
bash <(curl -L https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh)

Config /usr/local/etc/v2ray/config.json:

{
  "inbounds": [{
    "port": 10000,
    "listen": "127.0.0.1",
    "protocol": "vmess",
    "settings": {
      "clients": [{ "id": "UUID-GENERATED-WITH-uuidgen", "alterId": 0 }]
    },
    "streamSettings": {
      "network": "ws",
      "wsSettings": { "path": "/cdn-static/v3/assets" }
    }
  }],
  "outbounds": [{ "protocol": "freedom" }]
}

Caddy config /etc/caddy/Caddyfile:

cdn.yourdomain.com {
  root * /var/www/html
  file_server
  handle /cdn-static/v3/assets {
    reverse_proxy 127.0.0.1:10000
  }
}

Drop a real static HTML page in /var/www/html/index.html (a cooking blog, a fake portfolio - doesn't matter, it has to look legitimate when the GFW probes your domain). Enable:

systemctl enable --now caddy v2ray

On the client (V2RayN on Windows, V2Box on iOS, v2rayNG on Android), configure a VMess WS+TLS server pointing at cdn.yourdomain.com:443, path /cdn-static/v3/assets, same UUID. Test: open the client in China, traffic should flow without drops.

Expected overhead from China via a Singapore VPS: wrapping WireGuard in V2Ray/TLS adds latency and roughly halves throughput vs plain WireGuard - fine for browsing, mediocre for HD streaming. Measure your own route for exact numbers.

Setup 2 - Cloak (frontend for WireGuard / OpenVPN)

Cloak is a TLS wrapper simpler than V2Ray, sitting in front of an existing tunnel (WireGuard, OpenVPN, Shadowsocks). For someone who already has a working WireGuard setup and just wants to add an obfuscation layer: this is the fastest path.

Pros:

  • Setup in 15 minutes, no complex domain/TLS handling (built-in ACME auto cert).
  • Works well in Iran and Turkey where DPI is less aggressive than the GFW.
  • Light CPU footprint: ~5% of one vCPU for 100 Mbps of traffic.

Cons:

  • The GFW can detect Cloak with behavioral analysis (specific timing patterns). We've seen connections last 3-7 days then get blocked in mainland China.
  • Less actively maintained than V2Ray (last major commit 2023). Not dead, but slow evolution.

Server install:

wget https://github.com/cbeuw/Cloak/releases/download/v2.7.0/ck-server-linux-amd64-v2.7.0
chmod +x ck-server-linux-amd64-v2.7.0 && mv $_ /usr/local/bin/ck-server
ck-server -k  # generate keypair

Create /etc/cloak/ckserver.json:

{
  "ProxyBook": {
    "wireguard": ["udp", "127.0.0.1:51820"]
  },
  "BindAddr": [":443"],
  "BypassUID": ["GENERATED-UID"],
  "RedirAddr": "www.bing.com",
  "PrivateKey": "YOUR-PRIVATE-KEY"
}

RedirAddr is critical: if the firewall probes your server without a valid Cloak handshake, it's redirected to www.bing.com (camouflage). Pick a popular domain, not blacklisted in the target country (avoid Google in China).

Start:

systemctl enable --now ck-server

On the client, the ck-client app (binary available for Linux/macOS/Win/Android) takes the same config plus the matching PublicKey. The WireGuard tunnel is then established on top of Cloak - from the WireGuard app, your endpoint points at 127.0.0.1:local-cloak-port instead of the VPS IP.

Setup 3 - Shadowsocks 2022 (chacha20-ietf-poly1305)

Source code in a terminal editor
Source code in a terminal editor

Shadowsocks is the ancestor of anti-censorship tools (created by "clowwindy" in China in 2012). The 2022 version (official spec) fixes several cryptographic weaknesses of v1 and is still recommended by Chinese users for its simplicity/performance ratio.

Ideal use case:

  • Iran, Turkey, UAE - passes almost always.
  • Mainland China as a backup when V2Ray has a bad day.
  • You want a lightweight setup (5 MB binary, 10-line config).

Honest limits:

  • Without a TLS plugin (v2ray-plugin), Shadowsocks 2022 stays detectable by the GFW via statistical entropy analysis. We recommend it with v2ray-plugin enabled.
  • If you want a "set and forget" setup that survives GFW updates: pick V2Ray.

Install:

apt install -y shadowsocks-libev v2ray-plugin

Config /etc/shadowsocks-libev/config.json:

{
  "server": "0.0.0.0",
  "server_port": 8443,
  "password": "STRONG-PASSWORD-32-CHARS",
  "method": "chacha20-ietf-poly1305",
  "plugin": "v2ray-plugin",
  "plugin_opts": "server;tls;host=cdn.yourdomain.com;path=/api/v2"
}
systemctl enable --now shadowsocks-libev

On the client: Outline (Google Jigsaw) or Shadowrocket (iOS) natively support SS 2022 + v2ray-plugin. Import the generated ss://... URI and you're connected.

Which setup for which country

Table based on real tests (Q4 2025 / Q1 2026) from local accounts and jump VPSes. Ratings change fast - always cross-check with GFW Report before traveling.

CountryV2Ray WS+TLSCloakShadowsocks 2022Notes
Mainland ChinaExcellentAverageAverageV2Ray = default. SS only with v2ray-plugin.
IranExcellentExcellentGoodAll pass outside of blackout periods.
RussiaGoodAverageAverageTSPU blocking progressively, vary ports.
TurkeyExcellentExcellentExcellentDPI not aggressive except around elections.
UAEExcellentExcellentGoodVoIP blocked, tunnel passes.
Saudi ArabiaGoodGoodGoodLess sophisticated, but many topical blocks.

For business trips to China, we always plan a backup: V2Ray primary + Shadowsocks 2022 secondary on two different VPSes (different datacenters ideally). If one falls, the other holds.

Performance overhead

Each obfuscation layer adds latency and CPU cost and reduces throughput vs plain WireGuard. The table below shows the relative trade-off - run iperf3 from your own client for exact numbers:

MethodAdded latencyThroughput vs plain WGServer CPU
Plain WireGuard (baseline)lowesthighestlowest
V2Ray WS + TLShighermarkedly lowerhighest
Cloak + WireGuardmoderatelowerhigher
Shadowsocks 2022 + v2ray-pluginmoderatelowerhigher

Pragmatic conclusion: expect to lose roughly 40 to 55% of max throughput vs plain WireGuard. That's normal - each TLS + WS layer adds overhead, and the double encapsulation (Cloak) doubles the headers. For browsing and 720p video calls, all are fine. For 4K, you'll need a beefier VPS (VPS M or Cloud VPS 10).

When an obfuscated commercial VPN is simpler

Editorial honesty: if you're going to China for two weeks and don't want to debug Caddy at midnight from a hotel, a commercial VPN with obfuscated servers is more cost-efficient on time. Our reference in that category: NordVPN with its obfuscated servers.

The pros:

  • Native mobile apps, automatic kill switch, 24/7 chat support.
  • Obfuscation enabled in 2 clicks (advanced settings → obfuscated servers).
  • Works in 80% of cases in China. When it breaks, they update their servers within days.

The cons:

  • You share IP with other users (bad for Stripe/Cloudflare outside China).
  • Price doubles on renewal (see our 5-year cost analysis).
  • In Iran during a blackout, even NordVPN falls - only a self-hosted setup with IP rotation holds.

The combination NordVPN for occasional trips + Contabo self-host for daily life is the best compromise for most digital nomads moving around Asia or the Middle East.

Further reading

Academic and technical sources:


Article published 2026-06-02, based on real-world tests in Q1 2026. Anti-DPI techniques evolve constantly: what works today may break in 6 months. If you spot a change in GFW or SmartFilter behavior, drop us a line at contact@vpnsmith.com - we'll update.

Legal note: self-hosting a VPN is legal in the EU, US and Canada. In China, Iran, Russia, UAE, using unauthorized tunnels is illegal locally (variable penalties, from fines to prison). VPNSmith publishes this content for educational purposes; you alone are responsible for your usage.

★ Nuremberg GDPR datacenter · ✓ Dedicated IPv4 included · 200+ Mbps guaranteed

Self-host your VPN on your own VPS → ContaboFull root access · public IPv4 · pick your region

Frequently asked questions

Does WireGuard work in China without obfuscation?
No. The GFW identifies the WireGuard handshake distinctly and drops the traffic within seconds. TLS/WS obfuscation is mandatory for mainland China and Iran.
V2Ray vs Cloak, which one should I pick?
V2Ray + WS + TLS (Trojan-Go) for China = goes through almost everywhere, actively maintained. Cloak is simpler to set up, OK for Iran/Turkey but detected faster in China.
Is it legal to use these tools?
In the EU/US/France: yes. In China/Iran/Russia: illegal locally, with variable penalties. This guide is educational - you alone are responsible for usage.