
Russia's 15 GB VPN Cap: How Obfuscation Protocols Stay Invisible

Russia's 2026 mobile traffic rules will make plain VPNs detectable. Here's which obfuscation protocols survive DPI — and how to stay connected past the 15 GB cap.

25 Apr 2026

Russia's 15 GB Mobile Cap: What the Regulation Actually Says

From autumn 2026, mobile operators in Russia will be required to classify and separately meter so-called "international" internet traffic. Once a subscriber's foreign-routed data reaches 15 GB in a billing month, any additional traffic over that threshold will attract a surcharge — currently proposed at around 150 ₽ per gigabyte. Fixed broadband connections are not affected by this measure, at least in the initial rollout. This is a mobile-specific rule.

The original implementation date was 1 May 2025. That date passed without enforcement. Regulators pushed the deadline to autumn 2026, citing technical readiness at the operator level. The delay is real, and it matters: anyone who read about this last year and assumed it had quietly died should be aware that the rulemaking is still active, just slower than originally announced.

The practical consequence for VPN users is straightforward. If your VPN server sits outside Russia — which is the entire point of using one — your mobile operator will count every byte through it as international traffic. Standard VPN protocols make this trivially easy to detect, and that is the problem this article addresses.

This guide is about keeping your VPN working reliably on aggressive mobile networks, whether in Russia, Iran, China, or anywhere else that deploys deep packet inspection at scale.

Why Standard VPN Protocols Get Caught

The common assumption is that a VPN is safe because its traffic is encrypted. Encryption protects the contents of your packets — it does nothing to hide the shape of them. And shape is exactly what modern deep packet inspection looks at.

Russia's TSPU (Технические Средства Противодействия Угрозам, "technical means of countering threats") infrastructure, deployed across Russian operators since 2019, does not need to read your packets to identify what they are. It inspects handshake patterns, packet size distributions, inter-packet timing, and protocol-specific fingerprints. Every mainstream VPN protocol has a recognisable signature at this level.

  • WireGuard uses a fixed UDP handshake structure with a very specific initiator message length (148 bytes) and a response of 92 bytes. That pattern is trivially fingerprinted, even with no decryption involved.
  • OpenVPN over UDP has a recognisable TLS Client Hello with a specific cipher suite ordering and session ticket pattern. Over TCP on port 443, it superficially resembles HTTPS — but the certificate exchange and subsequent packet cadence give it away within a few hundred milliseconds.
  • IKEv2 operates on UDP 500 and 4500. Its exchange structure is standardised and unambiguous to any competent DPI ruleset.

The TSPU system also has access to traffic metadata at the national backbone level, not just at individual operator equipment. This means obfuscation needs to hold up against centralised analysis, not just edge-router inspection. Approaches that worked in 2020 — wrapping OpenVPN in a basic TLS tunnel, using non-standard ports — are no longer sufficient against a properly maintained ruleset.

The protocols described below are designed specifically to survive this environment.

What "International Traffic" Actually Means in Practice

The classification problem for operators is harder than it looks. A significant portion of the internet Russian users access daily is served from CDN nodes physically located outside Russia. Cloudflare, Akamai, and Google's edge infrastructure all have Russian PoPs, but also route traffic from nodes in Frankfurt, Amsterdam, and elsewhere depending on load. Determining whether a given TLS session is "international" requires the operator to maintain continuously updated IP geolocation data and make real-time routing decisions — neither of which is trivial at scale.

Several Russian-registered services use foreign IP ranges for technical or legacy reasons. Miscategorisation is inevitable, and early implementation will almost certainly produce billing disputes from users who never touched a VPN.

Despite that messiness, VPN traffic is the obvious and easiest target. It concentrates on a small number of well-known provider IP ranges, it routes almost everything internationally by definition, and its protocols are distinguishable by DPI even when the operator is uncertain about borderline CDN cases. Operators under regulatory pressure to enforce the cap will prioritise what they can reliably classify — and VPN protocols, in their plain form, are the most reliably classifiable traffic on the network.

This is why obfuscation at the protocol level matters more than simply choosing a different server location or port.

Obfuscation Protocols That Work

The following protocols are not theoretical. They are in active use in China, Iran, and Russia right now, tested against production DPI infrastructure. Each has different trade-offs in speed, complexity, and client availability.

AmneziaWG

AmneziaWG is a fork of WireGuard developed specifically to defeat the fingerprinting problem that makes plain WireGuard visible. It addresses the core issue directly: WireGuard's handshake messages have fixed, predictable sizes. AmneziaWG inserts configurable junk data packets before the real handshake begins, and randomises the sizes of initiation and response messages so they no longer match the known WireGuard signature.

The practical effect is that a DPI system looking for the WireGuard handshake pattern sees noise instead. The underlying cryptography is unchanged — it is still WireGuard under the hood — so performance is nearly identical to plain WireGuard once the connection is established. The obfuscation overhead is minimal: a few extra packets at connection time, not sustained throughout the session.
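The size-and-type fingerprint from the WireGuard bullet earlier, and the reason the padding described above breaks it, shown as an added example (not code from WireGuard, AmneziaWG or this article's author). The sample messages are constructed, with random bytes in place of ciphertext, and `sample_padded` is a hypothetical stand-in for size randomisation, not AmneziaWG's actual wire format.

```python
import os
import struct

# Fixed WireGuard message sizes by type: initiation, response, cookie reply.
WG_FIXED = {1: 148, 2: 92, 3: 64}
WG_LABEL = {1: "wg-initiation", 2: "wg-response", 3: "wg-cookie"}


def classify(payload: bytes) -> str:
    """Label one UDP payload using only its length and 4-byte header."""
    if len(payload) < 4:
        return "unknown"
    msg_type = payload[0]
    if payload[1:4] != b"\x00\x00\x00":  # three reserved bytes are always zero
        return "unknown"
    if WG_FIXED.get(msg_type) == len(payload):
        return WG_LABEL[msg_type]
    # Transport data: 16-byte header + ciphertext padded to 16 + 16-byte tag.
    if msg_type == 4 and len(payload) >= 32 and len(payload) % 16 == 0:
        return "wg-transport"
    return "unknown"


def is_wg_handshake(first: bytes, reply: bytes) -> bool:
    """Flow-level check: the response echoes the initiator's sender index."""
    if classify(first) != "wg-initiation" or classify(reply) != "wg-response":
        return False
    sender_index = first[4:8]     # initiation: bytes 4..7
    receiver_index = reply[8:12]  # response: bytes 8..11
    return sender_index == receiver_index


# --- constructed sample messages (random bytes stand in for ciphertext) ---
def sample_initiation(index: int) -> bytes:
    return struct.pack("<II", 1, index) + os.urandom(140)


def sample_response(index: int, peer_index: int) -> bytes:
    return struct.pack("<III", 2, index, peer_index) + os.urandom(80)


def sample_padded(message: bytes, junk_len: int) -> bytes:
    """Hypothetical size randomisation: a random prefix changes length and header."""
    return os.urandom(junk_len) + message
```

A rule like this keys on exact sizes and header bytes; once those vary, a classifier has to fall back on the flow statistics the article lists among TSPU's inputs, such as packet size distributions and inter-packet timing.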

AmneziaWG was purpose-built for exactly this threat model — a state-level DPI system that knows what WireGuard looks like. Official clients are available for Windows, macOS, iOS, and Android. Configuration requires a server running the AmneziaWG kernel module, which is available as a drop-in for most Linux distributions. It is the most WireGuard-like option in terms of user experience, which makes it a good first choice for users already familiar with WireGuard configuration.

VLESS + Reality (Xray)

VLESS+Reality is the most technically sophisticated obfuscation approach currently in widespread deployment. It was developed within the Xray-core project as a response to China's GFW becoming capable of detecting the previous generation of TLS-based camouflage (XTLS).

The key innovation is that Reality does not generate its own TLS certificate. Instead, it borrows the real TLS handshake from a legitimate, high-traffic website — typically something like microsoft.com, apple.com, or a similarly trusted CDN origin. A DPI system performing passive inspection sees a TLS 1.3 handshake that is cryptographically valid for the legitimate site. Active probing — where the inspection system connects to your server directly to see what it responds with — is defeated because the server can route non-VLESS connections to the real destination site, making it indistinguishable from a genuine reverse proxy.

This is materially different from earlier approaches that merely looked like TLS while generating fake certificates. Those approaches failed against active probing. Reality holds up because the cryptographic material is real.

The trade-off is setup complexity. On the server side, Reality requires Xray-core configuration with a correctly chosen "dest" domain and matching fingerprint settings. On the client side, you need a client that supports VLESS+Reality — this is not standard in most commercial VPN apps, but is available in dedicated clients. Speed overhead is low; the handshake is slightly more expensive than plain WireGuard but the throughput once connected is comparable.

PremierVPN supports VLESS+Reality through PremierVPN X for macOS and PremierVPN X for Windows. You can read a detailed technical breakdown of how the protocol works in our VLESS+Reality protocol guide.

Shadowsocks-2022 with v2ray-plugin

Shadowsocks in its original form is no longer sufficient against current DPI. The 2022 edition of the protocol (defined in the shadowsocks-org specification) introduced authenticated encryption, replay protection, and a cleaner wire format that is substantially harder to fingerprint than the original.

When combined with the v2ray-plugin in WebSocket+TLS mode, the resulting traffic looks like standard HTTPS WebSocket traffic — the kind generated by countless web applications, chat platforms, and streaming services. This gives it strong passive-inspection resistance. Active probing is partially mitigated by routing non-Shadowsocks requests to a real web page, though this is less robust than Reality's approach.

Shadowsocks-2022 + v2ray-plugin is a good middle-ground option: better DPI resistance than plain protocols, simpler to configure than Reality, and with client support available on all major platforms via the Shadowrocket (iOS), v2rayNG (Android), and Nekoray (desktop) clients.

Cloak / OpenVPN-over-TLS

Cloak is a pluggable transport that wraps OpenVPN (or other protocols) inside a TLS session with a realistic-looking browser fingerprint. It is conceptually similar to what Reality achieves but less sophisticated in its active-probing resistance. The server presents a plausible HTTPS front — a simple web page — to connections that do not carry valid Cloak authentication tokens.

This approach works in environments where DPI is primarily passive, meaning the inspection system classifies traffic based on what it observes without actively connecting to endpoints to verify them. In networks with active probing capability — which TSPU increasingly has — Cloak provides weaker guarantees than Reality. It remains useful in scenarios where Reality is not available or where OpenVPN is specifically required for policy reasons.

Setup complexity is moderate. Server-side requires the Cloak server binary and an OpenVPN configuration that hands off to it. Client-side requires both an OpenVPN client and the Cloak client binary. It is not as seamless as AmneziaWG but more accessible than full Reality configuration.

Protocol Comparison

| Protocol | DPI Resistance | Speed Overhead | Client Availability | Setup Complexity |
| --- | --- | --- | --- | --- |
| AmneziaWG | High (passive) | Very low | Good (official apps) | Low–Medium |
| VLESS + Reality | Very high (active + passive) | Low | Moderate (specialist clients) | Medium–High |
| Shadowsocks-2022 + v2ray-plugin | High (passive) | Low–Medium | Good (cross-platform) | Medium |
| Cloak / OpenVPN-over-TLS | Medium (passive only) | Medium | Moderate | Medium |

What No Longer Works

It is worth being direct about the approaches that are no longer effective against current DPI, so you do not spend time configuring something that will fail when you need it.

  • Plain OpenVPN on port 443: Superficially resembles HTTPS, but the TLS Client Hello fingerprint, cipher suite ordering, and subsequent packet timing are distinctive enough to be caught by any maintained DPI ruleset. This has not reliably evaded TSPU for several years.
  • Stunnel wrapping: Wrapping a VPN protocol in a basic TLS tunnel via stunnel adds a real TLS layer, but the inner protocol's traffic patterns often remain detectable, and the stunnel TLS profile itself is fingerprinted. Works against unsophisticated inspection; does not work against TSPU.
  • obfs4: Developed for Tor and once effective, obfs4 signatures are now well-documented in commercial DPI rulesets. Chinese and Russian inspection systems have had detection capability for obfs4 for several years. It should be treated as a deprecated approach for this threat model.

If your current VPN setup relies on any of these, it may still function during periods of low enforcement — but it is not a reliable long-term configuration for a network that actively deploys TSPU.

Practical Setup Guidance

There are two broad approaches: use a provider that already supports these protocols, or self-host a server and configure the stack yourself.

Provider route: The simplest option, provided the provider actually supports obfuscated protocols — not just WireGuard and OpenVPN rebranded as "stealth mode." Ask specifically which protocol is being used under the hood. If the answer is WireGuard with a non-standard port, that is not obfuscation in any meaningful sense. You want AmneziaWG, VLESS+Reality, or Shadowsocks-2022 as named protocol options.

Self-hosted route: A VPS in a jurisdiction outside Russia, running Xray-core for Reality or the AmneziaWG kernel module, gives you full control. The downside is ongoing maintenance: IP ranges get blocked, server configurations need updating, and you need to manage fallback yourself. For technical users, this is often the most reliable option because you control every parameter.

Multi-protocol fallback: The most resilient setup uses protocol fallback. Your device attempts WireGuard first — it is fast and works on most networks without issue. If the connection fails or degrades, it automatically switches to Reality or AmneziaWG. This avoids the latency cost of running the heavier protocol all the time while ensuring you are never left without a working connection.

For PremierVPN users, VLESS+Reality is available through PremierVPN X. Setup guides are available for macOS and Windows. For standard WireGuard and OpenVPN on mobile, see the iOS setup guide and Android setup guide.

Whichever route you take, test your setup before you need it. Run an IP leak test to confirm your traffic is routing correctly, and verify that your apparent IP changes as expected when connected.

What to Expect After the Regulation Takes Effect

Enforcement will not be uniform on day one. Large operators with fully deployed TSPU equipment will classify and meter VPN traffic earlier and more accurately than smaller regional carriers. Expect a period of inconsistent enforcement as the technical rollout catches up with the regulatory mandate — this is precisely what happened with earlier Russian content-blocking rules.

The longer-term picture is a familiar one: the same cat-and-mouse dynamic that has played out in China over the past decade. Reality was developed in direct response to the GFW's ability to detect its predecessor (XTLS). It has remained functional against the GFW for over two years as of writing — not because the GFW has not tried to block it, but because the design is fundamentally harder to detect without also blocking legitimate TLS traffic to major sites.

AmneziaWG was built with exactly this Russian threat model in mind: a system that knows what WireGuard looks like and blocks it specifically. The junk-packet and handshake randomisation approach means that blocking AmneziaWG requires either blocking all WireGuard-like UDP traffic (which has significant collateral damage) or maintaining a detection ruleset that keeps pace with configurable randomisation.

Neither protocol is unbreakable. Sufficiently motivated and resourced inspection systems can always escalate. But both protocols represent the current state of the art for maintaining VPN connectivity on aggressively filtered mobile networks, and they are the reasonable choice for anyone who needs reliable connectivity past autumn 2026.

PremierVPN and Obfuscation Protocol Support

PremierVPN is a UK-based, independent provider with a strict no-logs policy. We support WireGuard and OpenVPN across our standard apps for Windows, macOS, iOS, and Android. For networks that require stronger obfuscation, PremierVPN X for macOS and PremierVPN X for Windows bring VLESS+Reality support — the same protocol technology that has sustained connectivity through China's GFW.

If you are evaluating options ahead of Russia's 2026 enforcement, or if you are already on a network where plain WireGuard is being throttled, VLESS+Reality is the protocol to start with. We built PremierVPN X specifically because standard protocol support is not enough on networks that have invested in deep packet inspection.
