A DPI-resistant VPN designed to work in heavily censored networks.

Related repositories: tiredvpn/tiredvpn-android — Android client

TiredVPN is a censorship-resistant VPN that uses multiple bypass strategies to establish and maintain connectivity in networks with active Deep Packet Inspection (DPI). Instead of relying on a single obfuscation technique, it implements an adaptive strategy engine that automatically selects the best transport based on current network conditions.

The system probes available strategies, ranks them by latency and reliability, and falls back to alternatives mid-session if the active strategy gets blocked. This makes it effective against sophisticated filtering systems like TSPU (Russia), GFW (China), and similar DPI infrastructure.

Key design goals:

• Resilience -- no single point of failure; if one strategy is blocked, the client seamlessly switches to another.
• Stealth -- traffic patterns are morphed to resemble legitimate services (video streaming, CDN traffic, HTTPS browsing).
• Performance -- multiplexed connections via smux, QUIC transport, and adaptive RTT masking minimize overhead.

• 20+ DPI bypass strategies with automatic selection and mid-session fallback
• QUIC and TLS transports with Salamander padding and SNI fragmentation
• REALITY protocol -- impersonates legitimate websites with near-perfect TLS fingerprints
• HTTP/2 steganography -- hides tunnel data inside real HTTP/2 frames
• Traffic morphing -- statistically matches traffic patterns of popular services
• Geneva engine -- country-specific packet manipulation rules (Russia, China, Iran, Turkey)
• Multiplexed connections via smux for efficient stream management
• TUN mode for full system traffic tunneling
• SOCKS5 and HTTP proxy modes
• Port hopping with random, sequential, and Fibonacci strategies
• IPv6 transport with dual-stack support and automatic fallback
• Encrypted Client Hello (ECH) to hide SNI from DPI
• Post-quantum cryptography (ML-KEM-768 + ML-DSA-65)
• Multi-hop routing through chained servers
• Prometheus-compatible metrics endpoint
• Android integration via JNI (c-shared build mode)
• Docker support with multi-stage builds
• Client management with Redis backend and REST API
• QR code generation for mobile client provisioning

Download the latest binary for your platform:

curl -LO https://github.com/tiredvpn/tiredvpn/releases/latest/download/tiredvpn-linux-amd64.tar.gz
tar xzf tiredvpn-linux-amd64.tar.gz
sudo mv tiredvpn-linux-amd64 /usr/local/bin/tiredvpn

Available platforms: linux-amd64, linux-arm64. Other installation methods are described in the Docker and Building from Source sections below.

openssl rand -hex 32

For testing, create a self-signed certificate:

openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
  -days 365 -nodes -keyout server.key -out server.crt \
  -subj "/CN=your-server.com"

For production, use Let's Encrypt with certbot:

sudo certbot certonly --standalone -d your-server.com
# Certificates will be at:
#   /etc/letsencrypt/live/your-server.com/fullchain.pem
#   /etc/letsencrypt/live/your-server.com/privkey.pem

tiredvpn server \
  -listen :443 \
  -cert server.crt \
  -key server.key \
  -secret <your-secret>

The server listens on both TCP (TLS) and UDP (QUIC) by default. It serves a fake website to unauthenticated visitors, making it indistinguishable from a normal HTTPS server.

tiredvpn client \
  -server your-server.com:443 \
  -secret <your-secret> \
  -listen 127.0.0.1:1080

This starts a local SOCKS5 proxy on port 1080. Point your browser or applications to socks5://127.0.0.1:1080.

sudo tiredvpn client \
  -server your-server.com:443 \
  -secret <your-secret> \
  -tun \
  -tun-routes 0.0.0.0/0

This creates a TUN interface and routes all traffic through the VPN.

TiredVPN is configured entirely via CLI flags. Run tiredvpn server -help or tiredvpn client -help for the full list.

# Add a client (multi-client mode with Redis)
tiredvpn admin add -api http://127.0.0.1:8080 -server vpn.example.com:443

# List clients
tiredvpn admin list -api http://127.0.0.1:8080

# Delete a client
tiredvpn admin delete -api http://127.0.0.1:8080 -id <client-id>

# Generate QR code for mobile app
tiredvpn admin qr -server vpn.example.com:443 -secret <secret>

Pre-built images are available on Docker Hub. Platforms: linux/amd64, linux/arm64.

docker run -d \
  --name tiredvpn-server \
  -p 443:443/tcp \
  -p 443:443/udp \
  -v /path/to/certs:/certs:ro \
  tiredvpn/tiredvpn:latest \
  server -listen :443 \
  -cert /certs/server.crt \
  -key /certs/server.key \
  -secret <your-secret>

curl -O https://raw.githubusercontent.com/tiredvpn/tiredvpn/main/docker-compose.yml
TIREDVPN_SECRET=<your-secret> docker compose up -d

Or with a custom docker-compose.yml:

version: "3.8"

services:
  tiredvpn-server:
    image: tiredvpn/tiredvpn:latest
    ports:
      - "443:443/tcp"
      - "443:443/udp"
    volumes:
      - ./certs:/certs:ro
    command:
      - "server"
      - "-listen"
      - ":443"
      - "-cert"
      - "/certs/server.crt"
      - "-key"
      - "/certs/server.key"
      - "-secret"
      - "${TIREDVPN_SECRET}"
      - "-redis"
      - "redis:6379"
    depends_on:
      - redis
    restart: unless-stopped

  redis:
    image: redis:7-alpine
    volumes:
      - redis-data:/data
    restart: unless-stopped

volumes:
  redis-data:

docker build -t tiredvpn .

• Go 1.26 or later
• Linux, macOS, or Windows (TUN mode requires Linux)

git clone https://github.com/tiredvpn/tiredvpn.git
cd tiredvpn
make build

Or directly with Go:

go build -o tiredvpn ./cmd/tiredvpn/

make build-linux

make build-android

make test

TiredVPN includes an adaptive strategy engine that automatically selects the best transport. Each strategy targets a different aspect of DPI evasion.

The strategy engine supports:

• Automatic probing -- tests all available strategies and ranks by latency
• Circuit breakers -- disables failing strategies after configurable threshold
• Mid-session fallback -- switches strategy without dropping the connection
• Periodic re-probing -- re-evaluates blocked strategies on a timer
• Benchmarking -- tiredvpn client -benchmark to test all strategies

cmd/tiredvpn/          CLI entrypoint (server, client, admin)
internal/
  server/              Server-side connection handling, TLS/QUIC listeners
  client/              Client-side proxy, TUN, strategy orchestration
  strategy/            DPI bypass strategies and adaptive engine
  tun/                 TUN device management
  mux/                 smux multiplexer integration
  tunnel/              Tunnel abstractions
  proxy/               SOCKS5 and HTTP proxy
  tls/                 TLS utilities and uTLS fingerprinting
  evasion/             Low-level evasion primitives
  geneva/              Geneva packet manipulation engine
  porthopping/         Port hopping logic
  multiport/           Multi-port listener
  pool/                IP address pool for TUN clients
  metrics/             Prometheus metrics collector
  padding/             Traffic padding utilities
  protect/             Android VpnService socket protection
  control/             Android control socket protocol
  config/              Configuration types
  log/                 Structured logging
  benchmark/           Strategy benchmarking
  ktls/                Kernel TLS offload

Full documentation is available in the docs/ directory:

• Getting Started
• Server Reference
• Client Reference
• DPI Bypass Strategies
• Deployment Guide
• Security Model
• Monitoring

Contributions are welcome. Please see CONTRIBUTING.md for guidelines on submitting patches, reporting issues, and the development workflow.

Before submitting a pull request:

1. Run make test and ensure all tests pass
2. Run make lint if you have golangci-lint installed
3. Keep commits focused and well-described

• GitHub Discussions — feature ideas, Q&A

TiredVPN is licensed under the GNU Affero General Public License v3.0.