VPN on VPS to Bypass Rostelecom Blocks: Shadowsocks, V2Ray
Discover reliable VPN solutions like Shadowsocks, V2Ray (VLESS/TLS+WS), Trojan, and SoftEther for VPS to evade Rostelecom blocks. Learn obfuscation techniques, TCP/443 setups, and quick configs for ISP-resistant connections.
Which VPN solutions can I install on a virtual private server (VPS) that Rostelecom won’t block? I’ve found that OpenVPN, WireGuard, SOCKS and IPsec are blocked by Rostelecom (they work on other VPS providers). What VPN software, protocols, ports or obfuscation/configuration techniques are recommended to reliably connect through a VPS despite ISP blocking?
Shadowsocks, V2Ray (VMess/VLESS with TLS+WS or XTLS), Trojan and SSL-based servers (SoftEther SSTP / ocserv AnyConnect) deployed on your own VPS—served on TCP/443 with a real domain and valid TLS certificate or wrapped in a TLS/WebSocket tunnel—are the most reliable options to bypass Rostelecom blocking. OpenVPN, WireGuard, plain SOCKS and IPsec are commonly fingerprinted; to get them working you’ll usually need to run them over TCP/443 and/or encapsulate them in TLS (stunnel/gost/v2ray-plugin) or use purpose-built proxy stacks like Amnezia or Outline.
Contents
- Why Rostelecom blocks standard VPNs and what passes
- Best VPN software and protocols to install on a VPS (Shadowsocks, V2Ray, Trojan, SoftEther)
- Obfuscation and traffic-masking techniques (TLS, WebSocket, SNI, plugins)
- Making OpenVPN, WireGuard and IPsec work: wrapping and tunneling
- Operational checklist before you deploy on a VPS
- Quick setup examples: V2Ray (VLESS/ws/tls) and Shadowsocks + plugin
- Sources
- Conclusion
Why Rostelecom blocks standard VPNs and what passes
Rostelecom (like many large ISPs) uses a mix of port blocking, traffic classification and deep packet inspection (DPI). UDP-based and protocol‑fingerprinted flows — WireGuard, OpenVPN (UDP), IPsec/ESP, plain SOCKS — are easy to detect and throttle or drop; community reports show those protocols failing while connections to specially masked servers survive (Habr Q&A examples, real-user tests).
What tends to pass better? Anything that genuinely looks like ordinary HTTPS/TLS traffic (SSTP/SoftEther, AnyConnect/ocserv), or modern proxy stacks that can run as TLS+WebSocket or mimic standard HTTP(S) handshakes (V2Ray/VLESS with TLS+WS or XTLS, Trojan, Shadowsocks with TLS wrapper). These approaches reduce the obvious fingerprints DPI looks for.
Best VPN software and protocols to install on a VPS (Shadowsocks, V2Ray, Trojan, SoftEther)
Short list (what to try first)
- V2Ray / Xray (VMess, VLESS, XTLS) — very flexible; implement VLESS/VMess over TLS+WebSocket (ws+tls) or XTLS for lower overhead. See the official protocol docs for configuration concepts: V2Ray VMess docs.
- Shadowsocks (shadowsocks-libev / SS-2022) — lightweight SOCKS proxy that works well when combined with a TLS/WebSocket wrapper or the v2ray-plugin; Outline is an easy managed installer built on Shadowsocks (Outline / Shadowsocks coverage on Habr, practical Shadowsocks guide).
- Trojan — implements a TLS handshake that closely resembles HTTPS, so DPI has a harder time distinguishing it from normal web traffic (supported in the V2Ray ecosystem and many installers).
- SoftEther / SSTP — SoftEther can present an SSL/TLS-like stream (SSTP), and users often report SoftEther/SSTP surviving ISP filtering; Habr community threads cite SoftEther as practical in such situations (community reports).
- ocserv / AnyConnect — OpenConnect (ocserv) implements a TLS-based VPN compatible with Cisco AnyConnect clients; it commonly passes TLS-oriented filtering.
- Amnezia & managed installers — Amnezia is a collection of pre-built tools you can deploy on a VPS (OpenVPN/SSTP/Xray/others) that simplifies setting up obfuscated stacks; see the official Amnezia install docs: Amnezia install guide.
- Outline — if you want simple deployment for Shadowsocks-based tunnels, Outline can save time; it’s mentioned as a reliable practical option for bypass setups (Habr piece on tools and protocols).
Which to pick? If stealth is the priority: V2Ray (VLESS+tls+ws or XTLS) or Trojan. If simplicity and cross-platform clients matter: Shadowsocks/Outline. If you need an SSL/TLS VPN that behaves like HTTPS for compatibility with corporate networks or strict DPI: SoftEther SSTP or ocserv.
Obfuscation and traffic-masking techniques (TLS, WebSocket, SNI, plugins)
The core idea: make your VPN traffic look like ordinary web TLS so DPI can’t easily classify it.
Practical techniques
- TLS + WebSocket (ws+tls): run the proxy inside WebSocket over TLS on port 443. Very common with V2Ray (streamSettings network = “ws”, security = “tls”) and with Shadowsocks + v2ray-plugin. This makes packets look like normal HTTPS traffic and supports path/SNI masking.
- See V2Ray examples and guides: V2Ray docs.
- VLESS + XTLS: XTLS (in Xray/V2Ray forks) reduces overhead while keeping a TLS-like handshake that resists DPI better than plain VMess in some environments.
- Use a real domain + valid certificate: issue a Let’s Encrypt cert for a domain that resolves to your VPS IP, set SNI to that domain in server/client configs. That makes TLS handshake fields consistent with normal web hosts.
- Plugin wrappers and TLS tunnels: stunnel, v2ray-plugin, gost/caddy or other TLS proxies can wrap an arbitrary TCP service inside TLS. OpenVPN can be wrapped by stunnel; Shadowsocks can be run with v2ray-plugin to obtain ws+tls characteristics (practical Shadowsocks vs VPN discussion).
- Obfuscation layers for OpenVPN: obfsproxy/obfs4 and similar tools add a scrambling layer that defeats simple DPI signatures. Community write-ups recommend obfuscation plugins for stubborn filters.
- Multi-protocol & fallback: run several services on the VPS (e.g., V2Ray on 443, Shadowsocks on 8443, ocserv on another port). If one stream is blocked, clients can fall back automatically or manually.
Why not domain‑fronting? Domain fronting is broadly less reliable now (many CDNs disallow it). SNI masquerading with your own domain + real cert is the practical, maintainable choice.
Making OpenVPN, WireGuard and IPsec work: wrapping and tunneling
OpenVPN
- OpenVPN UDP is commonly blocked or degraded. Two reliable workarounds:
  - Run OpenVPN over TCP on port 443 (so it looks like HTTPS). Many users have success with this simple change (user report).
  - Wrap OpenVPN inside stunnel or an obfuscation proxy (stunnel accepts TLS on 443 and forwards to OpenVPN listening on localhost).
- Tradeoff: TCP-over-TCP can hurt performance (latency, retransmissions).
WireGuard
- WireGuard is UDP-based and has a small, constant header that DPI can fingerprint. Options:
  - Encapsulate WireGuard in a TLS tunnel (stunnel, gost) so the outer layer looks like HTTPS/TLS. That preserves WireGuard’s fast crypto inside a stealthy outer layer.
  - Convert UDP to TCP with UDP→TCP proxies or UDP-over-QUIC solutions; this keeps traffic moving but adds complexity.
- Expect some performance penalty from encapsulation, but it often lets WireGuard function where raw UDP is dropped.
IPsec / ESP
- IPsec ESP packets are frequently blocked or rate-limited. If you need an SSL-like VPN, pick SSTP/ocserv/Trojan or V2Ray instead — they use TLS and are more resistant to filtering.
If you must use a protocol that’s fingerprinted, wrap it. Running the protocol raw on commonly-blocked ports is a quick way to fail.
Operational checklist before you deploy on a VPS
Quick practical checklist
- Use your own private VPS (avoid free/public VPN endpoints). Community tests show non-Rostelecom VPS in NL/Europe work well for many people (user threads).
- Buy or point a domain at the VPS IP and issue a Let’s Encrypt certificate (certbot). Set that domain as SNI in your config.
- Serve the stealth protocol on TCP/443; keep HTTP(S) on the same IP if needed.
- Configure TLS+WS (V2Ray, or Shadowsocks with v2ray-plugin) or Trojan/ocserv so the handshake looks like ordinary HTTPS.
- Implement monitoring and automatic cert renewal (cron + certbot).
- Provide fallbacks: run multiple services on varied ports (443, 8443, 4433).
- Test from a client behind Rostelecom: use openssl s_client -connect your.domain:443 -servername your.domain to confirm TLS handshake looks correct; verify the WebSocket path if used.
- Harden the VPS: disable unused services, apply updates, configure UFW/iptables to expose only needed ports.
- Keep config private and rotate credentials regularly.
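The checklist's last test step, as an added example that is not part of the original article: a client-side probe that does in Python what `openssl s_client -servername` does for the TLS handshake (SNI, chain and hostname validation) and then issues a WebSocket upgrade on the configured path, so you can confirm from behind the ISP that both the certificate and the ws path are right. The domain `example.com` and the path `/ws` are assumptions matching the setup section; the offline-testable helpers use the key/accept pair from RFC 6455.

```python
"""Added example (not from the original article): TLS + WebSocket probe for the
pre-deploy checklist. Domain and path are assumptions."""
import base64
import hashlib
import os
import socket
import ssl

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed constant from RFC 6455


def ws_accept_for_key(key: str) -> str:
    """Sec-WebSocket-Accept value a compliant server must echo for a given key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_upgrade_request(host: str, path: str, key: str) -> bytes:
    """Minimal HTTP/1.1 WebSocket upgrade request, as a browser would send it."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Key: {key}",
        "Sec-WebSocket-Version: 13",
        "", "",  # terminating CRLF CRLF
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_upgrade_response(raw: bytes) -> dict:
    """Return the status code and lower-cased headers of the server's reply."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", errors="replace")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    status = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else 0
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"status": status, "headers": headers}


def upgrade_ok(resp: dict, key: str) -> bool:
    """True only if the server switched protocols and proved it read our key."""
    return (resp["status"] == 101
            and resp["headers"].get("upgrade", "").lower() == "websocket"
            and resp["headers"].get("sec-websocket-accept") == ws_accept_for_key(key))


def probe(domain: str, path: str = "/ws", port: int = 443, timeout: float = 10.0) -> dict:
    """Live check: TLS handshake with SNI and certificate validation, then a WS
    upgrade on `path`. Run it from a client behind the ISP; not used offline."""
    ctx = ssl.create_default_context()  # validates chain and hostname like a browser
    key = base64.b64encode(os.urandom(16)).decode("ascii")
    with socket.create_connection((domain, port), timeout=timeout) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=domain) as tls:
            info = {
                "tls_version": tls.version(),
                "cipher": tls.cipher()[0],
                "cert_subject": tls.getpeercert().get("subject"),
            }
            tls.sendall(build_upgrade_request(domain, path, key))
            resp = parse_upgrade_response(tls.recv(4096))
    info["status"] = resp["status"]
    info["upgrade_ok"] = upgrade_ok(resp, key)
    return info


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # assumption
    ws_path = sys.argv[2] if len(sys.argv) > 2 else "/ws"        # assumption
    print(probe(target, ws_path))
```

A TLS failure here (certificate error, wrong SNI, connection reset) points at the domain/certificate side of the checklist; a handshake that succeeds but returns something other than 101 on the upgrade points at a path mismatch between client and server config, or at a listener that is not actually serving WebSocket on that path.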
Quick setup examples: V2Ray (VLESS/ws/tls) and Shadowsocks + plugin
V2Ray (VLESS + WS + TLS) — minimal inbound example (server side)
{
  "inbounds": [{
    "port": 443,
    "protocol": "vless",
    "settings": {
      "clients": [{"id": "YOUR-UUID-HERE"}]
    },
    "streamSettings": {
      "network": "ws",
      "wsSettings": {"path": "/ws"},
      "security": "tls",
      "tlsSettings": {
        "certificates": [
          {"certificateFile": "/etc/letsencrypt/live/example.com/fullchain.pem",
           "keyFile": "/etc/letsencrypt/live/example.com/privkey.pem"}
        ]
      }
    }
  }],
  "outbounds": [{"protocol": "freedom"}]
}
Client side: point the client at your domain on port 443, enable TLS, set the WebSocket path to /ws and set SNI to your domain.
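A pre-deploy lint for the inbound above, added here as an example that is neither from the article nor from the V2Ray project: it checks the inbound against the operational checklist (TCP/443, `ws` network with `tls` security, a WebSocket path, certificate files that belong to your domain, and a client id that is a real UUID rather than the `YOUR-UUID-HERE` placeholder). `PAGE_INBOUND` is a copy of the article's example; the `tlsSettings.serverName` consistency check and the `check_files` switch are my additions.

```python
"""Added example (not from the article or the V2Ray project): lint a V2Ray/Xray
inbound against the deployment checklist before starting the service."""
import json
import os
import uuid

# Copy of the article's minimal inbound, placeholder UUID left in on purpose.
PAGE_INBOUND = {
    "port": 443,
    "protocol": "vless",
    "settings": {"clients": [{"id": "YOUR-UUID-HERE"}]},
    "streamSettings": {
        "network": "ws",
        "wsSettings": {"path": "/ws"},
        "security": "tls",
        "tlsSettings": {
            "certificates": [
                {"certificateFile": "/etc/letsencrypt/live/example.com/fullchain.pem",
                 "keyFile": "/etc/letsencrypt/live/example.com/privkey.pem"}
            ]
        },
    },
}


def lint_inbound(inbound: dict, domain: str, check_files: bool = True) -> list:
    """Return a list of problems; an empty list means the inbound matches the checklist."""
    problems = []
    if inbound.get("port") != 443:
        problems.append(f"port {inbound.get('port')}: serve the stealth protocol on TCP/443")
    if inbound.get("protocol") not in ("vless", "vmess", "trojan"):
        problems.append(f"protocol {inbound.get('protocol')!r}: expected vless/vmess/trojan")
    for client in inbound.get("settings", {}).get("clients", []):
        cid = client.get("id", "")
        try:
            uuid.UUID(cid)
        except ValueError:
            problems.append(f"client id {cid!r} is not a UUID (placeholder left in?)")
    stream = inbound.get("streamSettings", {})
    if stream.get("network") != "ws":
        problems.append("streamSettings.network should be 'ws' for the ws+tls setup")
    if stream.get("security") != "tls":
        problems.append("streamSettings.security must be 'tls' (plain ws is fingerprintable)")
    if not stream.get("wsSettings", {}).get("path", "").startswith("/"):
        problems.append("wsSettings.path missing; client and server must agree on it")
    tls = stream.get("tlsSettings", {})
    certs = tls.get("certificates", [])
    if not certs:
        problems.append("tlsSettings.certificates is empty; issue a Let's Encrypt cert")
    for cert in certs:
        for field in ("certificateFile", "keyFile"):
            fname = cert.get(field, "")
            if not fname:
                problems.append(f"certificate entry lacks {field}")
                continue
            # check_files=False lets the lint run on a machine that is not the VPS
            if check_files and not os.path.isfile(fname):
                problems.append(f"{field} {fname} not found on this host")
            if domain not in fname:
                problems.append(f"{field} {fname} does not look like the cert for {domain}")
    server_name = tls.get("serverName")  # optional V2Ray field; must match SNI if set
    if server_name and server_name != domain:
        problems.append(f"tlsSettings.serverName {server_name!r} differs from {domain}")
    return problems


def lint_config(text: str, domain: str, check_files: bool = True) -> dict:
    """Lint every inbound in the JSON text of a config file, keyed by index."""
    cfg = json.loads(text)
    return {i: lint_inbound(ib, domain, check_files)
            for i, ib in enumerate(cfg.get("inbounds", []))}


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: lint.py /path/to/config.json your.domain
        with open(sys.argv[1]) as fh:
            report = lint_config(fh.read(), sys.argv[2])
    else:
        report = {0: lint_inbound(PAGE_INBOUND, "example.com", check_files=False)}
    for idx, probs in report.items():
        print(f"inbound {idx}: {'ok' if not probs else ''}")
        for p in probs:
            print("  -", p)
```

Run as written it reports exactly one problem for the article's inbound, the placeholder client id; with the UUID filled in and the certificate files present on the VPS it reports none.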
Shadowsocks + v2ray-plugin (concept)
- Server: run shadowsocks-libev listening on localhost and start v2ray-plugin in server mode with --server --tls --host=example.com --path=/ws.
- Client: configure Shadowsocks client to use plugin v2ray-plugin with options like server;tls;host=example.com;path=/ws (plugin argument syntax varies by client).
OpenVPN + stunnel (concept)
- stunnel listens on 443 with your certificate and forwards decrypted traffic to OpenVPN on 1194 (localhost). Clients connect to stunnel on 443. This hides OpenVPN inside normal TLS.
For full install guides and step-by-step examples, community and how‑to posts are very helpful — see practical writeups on Shadowsocks and V2Ray installation (Shadowsocks practical guide, V2Ray install/how‑to).
Sources
- Which VPN works with Rostelecom? - Habr Q&A
- Rostelecom blocks VPN traffic? - Habr Q&A
- Shadowsocks VPN: differences and how to use Shadowsocks
- Shadowsocks-libev: how to quickly and safely bypass blocks
- Reliable bypass of blocks in 2024: protocols, clients and server setup
- Setting up personal shadowsocks+v2ray server to bypass blocks / Habr
- VMess · Project V Official (V2Ray docs)
- How to install V2Ray proxy on Linux server — FirstByte guide
- Amnezia — Installing VPN on your server (docs)
Conclusion
If Rostelecom is blocking raw OpenVPN/WireGuard/SOCKS/IPsec, pick protocols and software that genuinely look like HTTPS: V2Ray (VLESS/VMess with TLS+WS or XTLS), Trojan, Shadowsocks (with TLS/WebSocket plugin or Outline), or SSL-based servers such as SoftEther SSTP or ocserv/AnyConnect. Run the service on TCP/443, use a real domain and Let’s Encrypt certificate, and add an obfuscation/wrapping layer (ws+tls, stunnel, plugins) where needed — Amnezia and Outline can speed deployment. Try one approach, test from behind Rostelecom, and keep a fallback protocol/port ready; that combination almost always restores connectivity.