Traffic Disguise / Mimicry
Make your VPN traffic indistinguishable from regular internet activity using 10 specialized mimicry profiles powered by the Reality protocol
Traffic Disguise
Make your VPN traffic indistinguishable from regular internet activity. OrbVPN's 10 specialized mimicry profiles use the Reality protocol with authentic TLS fingerprints and HTTP headers to bypass even the most advanced deep packet inspection systems.
What Is Traffic Disguise / Mimicry?
Traffic Disguise, also known as protocol mimicry, is a feature that makes your VPN traffic look like ordinary, everyday internet traffic from well-known services. Instead of sending data using recognizable VPN protocol patterns, OrbVPN wraps your encrypted VLESS traffic inside the authentic TLS fingerprints, Server Name Indication (SNI), and HTTP headers of major platforms like Microsoft Teams, Google, Zoom, and more.
This matters because advanced firewalls and censorship systems use deep packet inspection (DPI) to identify and block VPN traffic based on its protocol signature. Even if the content of your traffic is encrypted, the pattern and structure of VPN packets can reveal that a VPN is being used. Traffic Disguise eliminates this fingerprint entirely by making your connection indistinguishable from a legitimate connection to a trusted service.
OrbVPN implements mimicry through the Reality protocol, an advanced extension of VLESS that performs a real TLS handshake with the target service's certificate, making it cryptographically impossible for censors to distinguish your VPN traffic from genuine traffic to that service.
Beyond Encryption
Encryption protects the content of your traffic. Mimicry protects the fact that you are using a VPN at all. Together, they provide both privacy and complete stealth against even state-level censorship systems.
How It Works: The Reality Protocol
When Traffic Disguise is enabled, OrbVPN applies a mimicry layer on top of the VLESS tunnel using the Reality protocol. This is fundamentally different from simple protocol obfuscation.
Reality SNI (Server Name Indication)
Each mimicry profile uses the real SNI of the service it imitates. When inspected, your TLS handshake shows a connection to teams.microsoft.com, google.com, or whichever service the profile mimics. This SNI matches the actual certificate, making detection impossible.
Authentic TLS Fingerprinting
The TLS Client Hello message is crafted to match the exact fingerprint of the real client for each service. This includes cipher suite ordering, extensions, elliptic curves, and signature algorithms that match genuine browser or app traffic.
Custom HTTP Headers
Each profile generates HTTP headers that match the real service's traffic patterns. User-Agent strings, content types, accepted encodings, and custom service-specific headers all match what a genuine client would send.
Traffic Pattern Matching
Packet sizes, timing intervals, and burst patterns are shaped to match the statistical profile of the selected service. A Teams mimicry session looks like a real Teams call; a Google mimicry session looks like real Google browsing.
Why Reality Is Different from Simple Obfuscation
Traditional VPN obfuscation wraps VPN traffic in a shell of random-looking data or simple HTTPS headers. Advanced DPI systems can detect these because the underlying traffic patterns do not match any real service. Reality is fundamentally different: it performs a genuine TLS handshake using the actual certificate of the target service, and the SNI, fingerprint, and traffic patterns are indistinguishable from the real thing.
Cryptographic Authenticity
Reality uses the actual TLS certificate of the target service during the handshake. A censor cannot tell whether a connection to teams.microsoft.com is a real Teams session or an OrbVPN connection using the Teams mimicry profile. This is what makes Reality undetectable by current DPI technology.
All 10 Mimicry Profiles
OrbVPN includes 10 specialized mimicry profiles, each designed to imitate the traffic patterns of a specific well-known service. Each profile is optimized for different regions and network environments.
1. Microsoft Teams
Profile: Microsoft Teams
Disguises your VPN traffic as Microsoft Teams video conferencing. Uses teams.microsoft.com SNI with the Chrome TLS fingerprint and Teams-specific HTTP headers including MS-CV correlation vectors.
Best For
Corporate networks and enterprise firewalls that whitelist Microsoft services. Effective worldwide, especially in environments where Teams is the standard communication tool and its traffic is always permitted.
Technical Details:
- Reality SNI:
teams.microsoft.com - TLS Fingerprint: Chrome (latest)
- Key Headers:
MS-CVcorrelation vector, Microsoft-specificUser-Agent - Recommended Regions: Global, corporate networks, enterprise environments
2. Google
Profile: Google
Disguises traffic as Google services (Search, Gmail, YouTube). Uses www.google.com SNI with the Chrome TLS fingerprint. Google traffic is among the most common on any network, making it an excellent default disguise.
Best For
General-purpose censorship bypass worldwide. Google traffic is expected on virtually every network. Particularly effective in regions where Google services remain accessible but VPNs are blocked.
Technical Details:
- Reality SNI:
www.google.com - TLS Fingerprint: Chrome (latest)
- Key Headers: Standard Chrome
User-Agent, Google-specificAcceptheaders - Recommended Regions: Global, default choice for most environments
3. Shaparak (Iranian Banking Gateway)
Profile: Shaparak
Disguises traffic as connections to Iran's national banking and payment gateway. Uses shaparak.ir SNI with a Firefox TLS fingerprint. Banking traffic is never blocked by Iranian censorship systems.
Best For
Iran specifically. Shaparak handles all online banking transactions in Iran, and its traffic is always whitelisted by the national firewall. This is the most reliable profile for bypassing Iranian internet restrictions.
Technical Details:
- Reality SNI:
shaparak.ir - TLS Fingerprint: Firefox (latest)
- Key Headers: Banking-specific
Acceptheaders, Farsi language preferences - Recommended Regions: Iran (primary), Persian-speaking regions
Iran Users
Shaparak is the recommended first choice for users in Iran. Since all online banking in Iran passes through Shaparak, blocking this traffic would cripple the entire national payment system. This makes it the most reliable unblockable disguise in Iran.
4. DNS-over-HTTPS (DoH)
Profile: DNS-over-HTTPS
Disguises traffic as DNS-over-HTTPS queries to Cloudflare. Uses cloudflare-dns.com SNI with the Chrome TLS fingerprint. DoH is increasingly common and is typically whitelisted by firewalls.
Best For
Networks that allow DoH but block VPNs. Effective in Iran, corporate environments, and university networks. DoH traffic is low-volume by nature, making it ideal for light browsing.
Technical Details:
- Reality SNI:
cloudflare-dns.com - TLS Fingerprint: Chrome (latest)
- Key Headers:
Accept: application/dns-message, DoH-specific content types - Recommended Regions: Iran, corporate networks, university networks
5. Zoom
Profile: Zoom
Disguises traffic as Zoom video conferencing. Uses zoom.us SNI with the Chrome TLS fingerprint and Zoom-specific meeting headers. Video conferencing traffic is rarely blocked.
Best For
Corporate and educational networks that permit video conferencing. Effective globally, especially in work-from-home environments where Zoom traffic is expected and whitelisted.
Technical Details:
- Reality SNI:
zoom.us - TLS Fingerprint: Chrome (latest)
- Key Headers: Zoom meeting-specific headers, conferencing
User-Agent - Recommended Regions: Global, corporate networks, educational institutions
6. FaceTime (Apple)
Profile: FaceTime
Disguises traffic as Apple FaceTime video calls. Uses facetime.apple.com SNI with a Safari TLS fingerprint. Apple service traffic is widely permitted and rarely inspected.
Best For
Networks where Apple services are whitelisted. Effective on iOS and macOS devices where FaceTime traffic is expected. The Safari TLS fingerprint matches what the host OS would naturally produce.
Technical Details:
- Reality SNI:
facetime.apple.com - TLS Fingerprint: Safari (latest)
- Key Headers: Apple-specific
User-Agent, FaceTime media type headers - Recommended Regions: Global, Apple-centric environments
7. VK (VKontakte)
Profile: VK
Disguises traffic as VKontakte (VK) social media. Uses vk.com SNI with a Chrome TLS fingerprint. VK is Russia's largest social network and its traffic is never blocked by Russian internet authorities.
Best For
Russia and CIS countries. VK is the dominant social media platform in Russia. Its traffic is always permitted, making this the most reliable profile for bypassing Russian internet restrictions (TSPU/DPI).
Technical Details:
- Reality SNI:
vk.com - TLS Fingerprint: Chrome (latest)
- Key Headers: VK-specific API headers, Russian locale preferences
- Recommended Regions: Russia (primary), CIS countries, Russian-speaking regions
Russia Users
VK is the recommended first choice for users in Russia. Since VK is Russia's national social network owned by a state-aligned company, blocking its traffic is not feasible. This makes it the most reliable unblockable disguise in Russia.
8. Yandex
Profile: Yandex
Disguises traffic as Yandex services (Search, Mail, Maps). Uses yandex.ru SNI with a Chrome TLS fingerprint. Yandex is Russia's primary search engine and its traffic is critical national infrastructure.
Best For
Russia and CIS countries as an alternative to the VK profile. Yandex traffic is omnipresent on Russian networks. Use this as a fallback if VK profile is somehow disrupted.
Technical Details:
- Reality SNI:
yandex.ru - TLS Fingerprint: Chrome (latest)
- Key Headers: Yandex-specific service headers, Russian locale preferences
- Recommended Regions: Russia, CIS countries, Russian-speaking regions
9. WeChat
Profile: WeChat
Disguises traffic as WeChat messaging. Uses weixin.qq.com SNI with a Chrome TLS fingerprint. WeChat is China's essential communication platform used by over a billion people.
Best For
China specifically. WeChat is the backbone of Chinese digital communication, payments, and social life. Its traffic is never blocked by the Great Firewall, making this the most reliable profile for Chinese users.
Technical Details:
- Reality SNI:
weixin.qq.com - TLS Fingerprint: Chrome (latest)
- Key Headers: WeChat-specific API headers, Chinese locale preferences
- Recommended Regions: China (primary), Chinese-speaking regions
China Users
WeChat is the recommended first choice for users in China. WeChat (Weixin) is indispensable to daily life in China, handling messaging, payments, government services, and more. The Great Firewall cannot block WeChat traffic without disrupting the entire Chinese internet ecosystem.
10. HTTPS (Standard)
Profile: HTTPS
Disguises traffic as standard HTTPS web browsing. Uses a generic TLS fingerprint matching common web browsers. The most universally compatible profile that works on virtually any network.
Best For
General use worldwide. When no specific service profile is needed, HTTPS is the safest default. It blends with the vast majority of internet traffic on any network.
Technical Details:
- Reality SNI: Generic HTTPS endpoint
- TLS Fingerprint: Chrome (latest)
- Key Headers: Standard browser headers, common
AcceptandAccept-Encodingvalues - Recommended Regions: Global, default fallback profile
Regional Recommendations
OrbVPN's Smart Connect feature automatically selects the optimal mimicry profile based on your detected region. Here are the recommended profiles for each major censored region.
Iran
Primary: Shaparak (banking gateway). Secondary: DoH (Cloudflare DNS). Fallback: Google. Shaparak traffic is essential financial infrastructure that can never be blocked.
Russia
Primary: VK (social media). Secondary: Yandex (search/services). Fallback: Google. VK and Yandex are state-aligned Russian services whose traffic is always permitted.
China
Primary: WeChat (messaging/payments). Secondary: HTTPS (standard). Fallback: Google. WeChat is critical Chinese infrastructure that the Great Firewall cannot block.
Corporate Networks
Primary: Microsoft Teams. Secondary: Zoom. Fallback: Google. Enterprise video conferencing traffic is almost universally whitelisted on corporate firewalls.
Universities
Primary: Google. Secondary: Zoom. Fallback: DoH. Educational networks typically allow Google and video conferencing services but block VPNs.
General / Unknown
Primary: Google. Secondary: HTTPS. Fallback: Microsoft Teams. Google traffic is the most common on any network worldwide and the safest general-purpose disguise.
How Smart Connect Auto-Selects Profiles
When Smart Connect is enabled, OrbVPN automatically determines the best mimicry profile without any manual configuration. Here is how the selection process works.
Region Detection
Smart Connect determines your current geographic region and network characteristics using IP geolocation and network signature analysis.
Profile Ranking
Based on your detected region, Smart Connect ranks all 10 mimicry profiles by their likelihood of success. For example, in Iran, Shaparak is ranked first; in Russia, VK is ranked first.
Connection Attempt
Smart Connect attempts to connect using the highest-ranked profile. If the connection succeeds and traffic flows normally, the session begins.
Automatic Fallback
If the first profile fails or is blocked, Smart Connect automatically tries the next profile in the ranked list. This process continues through all available profiles until a working connection is established.
Profile Memory
Smart Connect remembers which profile worked on your current network and prioritizes it for future connections. This reduces connection time on subsequent sessions.
Fully Automatic
Smart Connect handles all mimicry profile selection, testing, and fallback automatically. Most users should leave Smart Connect enabled and never need to manually select a profile. The system learns from your network environment and improves over time.
Manual Profile Selection
For experienced users who want full control over which mimicry profile is used, Manual mode provides direct access to all 10 profiles.
Open Connection Settings
Launch OrbVPN and navigate to Settings, then Connection Settings. Find the Traffic Disguise / Mimicry section.
Switch to Manual Mode
Toggle from Auto to Manual mode. The profile carousel becomes visible, showing all 10 available mimicry profiles.
Browse Profiles
Swipe through the profile carousel. Each profile card displays the service name, a brief description, recommended regions, and the Reality SNI that will be used.
Select Your Profile
Tap on the profile you want to use. The selected profile is highlighted and will be used for all subsequent connections until you change it.
Connect
Return to the main screen and connect to a VPN server. Your traffic will be disguised using the selected mimicry profile for the entire session.
When to Use Manual Mode
Manual mode is useful when you know exactly which service is whitelisted on your current network, when Smart Connect selects a profile that does not work well in your specific situation, or when you want to test different profiles to find the fastest option.
Mimicry Modes
OrbVPN offers two modes for Traffic Disguise, giving you the choice between automatic intelligence and manual control.
Auto Mode (Recommended)
In Auto mode, OrbVPN automatically selects and switches the mimicry profile based on your current region and network environment. The Smart Connect engine analyzes DPI signatures, network restrictions, and connection success rates to choose the most effective disguise in real time.
Intelligent Region-Based Selection
OrbVPN detects your region and selects the profile most likely to succeed. In Iran it chooses Shaparak, in Russia it chooses VK, in China it chooses WeChat, and in corporate networks it chooses Teams.
Automatic Fallback Chain
If the primary profile is blocked, the engine automatically cycles through the ranked fallback chain without dropping your session. You stay connected while it finds a working profile.
Manual Mode
In Manual mode, you select the specific mimicry profile from a carousel of all 10 options. This gives experienced users full control over which traffic pattern is used.
Profile Carousel
Swipe through all 10 available mimicry profiles and select the one you want. Each card shows the service name, SNI, recommended region, and a brief technical description.
Fixed Selection
Your chosen mimicry profile remains active for the entire session. The engine will not switch profiles automatically, giving you predictable and consistent behavior.
When to Use Mimicry
Traffic Disguise is especially valuable in specific network environments where standard VPN connections are detected and blocked.
Deep Packet Inspection (DPI)
Networks that use DPI to identify and block VPN protocols based on traffic signatures. Reality mimicry makes your traffic cryptographically indistinguishable from the genuine service.
National Firewalls
Countries like Iran, Russia, and China that actively block VPN traffic at the national level. Service-specific profiles like Shaparak, VK, and WeChat use traffic patterns that these firewalls cannot block.
Corporate Firewalls
Enterprise networks that restrict traffic to approved protocols. Teams and Zoom profiles pass through as legitimate enterprise communication, while Google and HTTPS blend with normal browsing.
Restrictive Wi-Fi Networks
Public Wi-Fi at hotels, airports, and institutions that block VPN protocols. Traffic Disguise ensures your VPN works even on the most restrictive networks by mimicking allowed services.
Mimicry vs Bridge Mode
Both Traffic Disguise and Bridge Mode are designed to bypass network restrictions, but they work differently and can be combined for maximum effectiveness.
Traffic Disguise (Mimicry)
Reshapes your VPN traffic to be cryptographically identical to a real service using Reality protocol. Works directly between your device and the VPN server. Best for DPI bypass and protocol-based censorship.
Bridge Mode
Routes your connection through an intermediary bridge server before reaching the VPN server. The bridge acts as a relay to circumvent IP-based blocking. Best when VPN server IP addresses are blocked.
Maximum Stealth: Use Both Together
For the strongest censorship resistance, enable both Traffic Disguise and Bridge Mode simultaneously. Your traffic is first disguised as a legitimate service using Reality mimicry, then routed through a bridge server in an unrestricted country. This defeats both DPI-based and IP-based blocking simultaneously.
Performance Impact
Traffic Disguise adds a processing layer to your VPN connection. The impact varies by profile.
Minimal Speed Impact
The Reality mimicry layer adds very little overhead. Most users experience less than 5% speed reduction compared to an undisguised VLESS connection. The TLS handshake adds negligible latency.
Slight Latency Increase
Traffic shaping and TLS fingerprint matching add approximately 5-15ms of latency. This is imperceptible for browsing, streaming, and most online activities.
Troubleshooting
Connection Fails with Disguise On
Try switching to a different mimicry profile. If in Iran, try Shaparak first, then DoH. If in Russia, try VK first, then Yandex. If all profiles fail, combine Traffic Disguise with Bridge Mode.
Slower Than Expected Speeds
Switch from Manual mode to Auto mode so Smart Connect can select the most efficient profile. Some profiles involve heavier traffic shaping than others. HTTPS and Google profiles typically have the lowest overhead.
VPN Still Detected
Some networks block by IP address rather than DPI. Enable Bridge Mode in addition to Traffic Disguise. This routes through an intermediate server whose IP is not on the block list.
Auto Mode Switching Frequently
Frequent profile switching indicates the network is actively probing connections. This is normal on heavily censored networks like those in Iran and China. Auto mode is handling it optimally by finding the working profile.
Specific Profile Not Connecting
Verify the server you are connecting to supports the selected mimicry profile. Not all servers support all 10 profiles. Try a different server or let Smart Connect choose the server and profile together.
Profile Works Then Stops
Some censorship systems adapt over time. If a profile that previously worked stops connecting, switch to an alternative profile from the same region recommendation list. Smart Connect handles this automatically.
Make Your VPN Invisible
With 10 specialized mimicry profiles powered by the Reality protocol, OrbVPN makes your VPN connection indistinguishable from legitimate traffic to the world's most trusted services. Bypass any firewall, any DPI system, any censorship.