Obelisk PN

Building a DPI-Resistant VPN with VLESS REALITY & Nginx (Open Source)

tags: opensource, security, python, bash

If you live in a region with strict internet censorship (like China, Iran, or Russia), you probably know that the golden age of traditional VPNs is over. Protocols like OpenVPN, IPSec, and even WireGuard are easily identified and blocked by Deep Packet Inspection (DPI) systems within milliseconds.

To keep our users connected, my team and I built Obelisk PN, a privacy service based on Xray-core and the VLESS REALITY protocol.

Today, we are open-sourcing our core engine (server deployment and routing logic). In this post, I want to share the architectural decisions that make our network invisible to DPI.

1. The Nginx Facade (Active Probing Defense)

Modern censors don't just passively analyze traffic; they actively probe suspicious IP addresses. If a censor detects encrypted traffic going to an unknown server, they send HTTP/TLS requests to that IP. If the server drops the connection or replies with an Xray/V2ray handshake error, the IP gets instantly banned.

To prevent this, we use an Nginx Facade:

  1. We run standard Nginx on port 443.
  2. If a censor probes the server, Nginx returns a valid 200 OK with a generic HTML stub. To the censor, it looks like a forgotten developer's server.
  3. If a legitimate client connects, Nginx uses the PROXY Protocol to seamlessly forward the VLESS traffic to the local Xray-core backend.

You can check our automated setup script (setup.sh) in the GitHub repo to see how we configure the kernel (BBR, tcp_fastopen) and the Nginx streams.

2. Split Routing Logic

Tunneling 100% of a user's traffic through a foreign server is inefficient. If a user tries to access a local banking app or a government service while connected to a server in the Netherlands, they face high latency and risk triggering anti-fraud systems.

In our config_builder.py, we implemented strict split-tunneling rules:

  • Connections to local domains (e.g., .ru zones) and local IP ranges bypass the VPN tunnel entirely.
  • Only censored or sensitive traffic is encrypted and sent through the VLESS tunnel.

This ensures zero speed loss for local services while maintaining absolute privacy for the rest of the web.

3. The Zero-Logs Proof

"Zero-logs" is the most abused buzzword in the VPN industry. We decided to prove it by opening our deployment code.

If you look at our Xray configurations, you will see that the loglevel is forced to none, and access logs are physically routed to /dev/null. We only collect infrastructure metrics to maintain uptime.
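As an added illustration of sections 2 and 3 (example code written for this post, not the project's own config_builder.py), the snippet below builds an Xray client config with loglevel none, the access log sent to /dev/null, and split-routing rules that send local TLDs and private ranges direct, and adds a small offline model of Xray's first-match rule evaluation so the rules can be checked without running Xray. Server address, UUID, REALITY public key, short ID and SNI are placeholders; geoip: tags are resolved by Xray's geoip.dat, which the offline model does not load, so it treats them as no match.

```python
import ipaddress
import json
import re

PRIVATE_CIDRS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def build_client_config(server, port, uuid, public_key, short_id,
                        local_tlds=("ru",), local_cidrs=PRIVATE_CIDRS):
    """Xray client config: no logs, local traffic direct, everything else via VLESS REALITY."""
    return {
        # Section 3: logging disabled and the access log pointed at /dev/null
        "log": {"loglevel": "none", "access": "/dev/null", "error": "/dev/null"},
        "routing": {
            "domainStrategy": "IPIfNonMatch",
            "rules": [
                # Section 2: local zones (e.g. .ru) bypass the tunnel
                {"type": "field", "domain": [f"regexp:\\.{t}$" for t in local_tlds],
                 "outboundTag": "direct"},
                # local/private IP ranges bypass the tunnel; geoip:private comes from geoip.dat
                {"type": "field", "ip": list(local_cidrs) + ["geoip:private"],
                 "outboundTag": "direct"},
            ],
        },
        # First outbound is the default for anything no rule matched
        "outbounds": [
            {"tag": "proxy", "protocol": "vless",
             "settings": {"vnext": [{"address": server, "port": port, "users": [
                 {"id": uuid, "encryption": "none", "flow": "xtls-rprx-vision"}]}]},
             "streamSettings": {"network": "tcp", "security": "reality",
                                "realitySettings": {"serverName": "www.example.com",  # placeholder SNI
                                                    "publicKey": public_key,
                                                    "shortId": short_id,
                                                    "fingerprint": "chrome"}}},
            {"tag": "direct", "protocol": "freedom"},
        ],
    }


def decide_outbound(config, host=None, ip=None):
    """Offline model of Xray routing: first matching rule wins, else the first outbound's tag."""
    for rule in config["routing"]["rules"]:
        for pat in rule.get("domain", []):
            if host and pat.startswith("regexp:") and re.search(pat[len("regexp:"):], host):
                return rule["outboundTag"]
        for net in rule.get("ip", []):
            # only literal CIDRs are evaluated here; geoip:* tags need geoip.dat
            if ip and "/" in net and ipaddress.ip_address(ip) in ipaddress.ip_network(net):
                return rule["outboundTag"]
    return config["outbounds"][0]["tag"]


if __name__ == "__main__":
    print(json.dumps(build_client_config("vpn.example.net", 443, "UUID-PLACEHOLDER",
                                         "PUBKEY-PLACEHOLDER", "0123abcd"), indent=2))
```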

Why keep the evasion signatures closed?

While we open-sourced our privacy and routing layers, we intentionally kept our specific TLS evasion signatures (like dynamic spiderX paths and SNI pools) private. In the cat-and-mouse game against national firewalls, publishing exact obfuscation patterns acts as a free training dataset for DPI algorithms. We open-sourced everything that proves our privacy, but kept our survival mechanisms proprietary.

Conclusion

Building a censorship-resistant network requires more than just installing a script; it requires understanding how traffic analyzers think.

I invite the community to review our code, suggest improvements, or use it as a reference for your own privacy setups:
👉 GitHub: obeliskpn-core

And if you just want a reliable, ready-to-use service that bypasses DPI without draining your battery, feel free to check out Obelisk PN.

Stay private, stay free!
