Is obfuscation the same as encryption?

No. Encryption protects the content of your traffic. Obfuscation hides the fact that you are using a VPN at all. Both are useful; they solve different problems.

Is Cloak or Hysteria2 faster?

Hysteria2 is faster in most cases because it uses UDP and avoids TCP-over-TCP overhead. Cloak is more reliable on networks where UDP is blocked or degraded.

🔐Technical

Obfuscated VPN protocols: Cloak, Hysteria2, Reality, and what they actually do

Standard VPN protocols such as OpenVPN and IKEv2 have recognizable network fingerprints. On restrictive networks, those fingerprints can be matched against known-VPN patterns and the connection can be throttled or blocked. Obfuscated protocols solve this by making VPN traffic look like something else — usually ordinary HTTPS or QUIC.

This page is a plain-language explanation of how the four main obfuscated transports work and when each matters.

The problem obfuscation solves

A VPN tunnel carries encrypted traffic. From a distance, an observer cannot read what you are sending. But they can see that you are sending something through a tunnel — the shape of the traffic (packet sizes, timing, handshake patterns, TLS certificate details) gives away that this is a VPN and not a normal web browsing session.

Deep packet inspection on restrictive networks exploits these signatures. Unobfuscated OpenVPN, for example, has a distinctive handshake that DPI can recognize in milliseconds and drop.

Obfuscation means shaping the VPN traffic to look indistinguishable from ordinary web traffic — HTTPS to a website, QUIC to a video streaming service. A network observer sees "someone is visiting websites" and nothing more.

Cloak

Cloak is a plugin that sits in front of an OpenVPN server and terminates TLS connections on port 443. From the network's perspective, a Cloak-wrapped OpenVPN connection looks identical to someone visiting a legitimate HTTPS website. The actual VPN handshake happens inside the TLS channel, hidden from DPI.

Transport: TCP on port 443 (same as ordinary HTTPS)
Visible to DPI: TLS handshake indistinguishable from a real web server
Strengths: very high stealth, mature implementation, handles adverse network conditions gracefully
Weaknesses: TCP-over-TCP overhead makes it slower than UDP-based transports

Hysteria2

Hysteria2 is a newer protocol built on QUIC (the UDP-based transport protocol behind HTTP/3). It uses password authentication and includes an obfuscation plugin called salamander that scrambles the QUIC headers into random-looking UDP packets.

Transport: UDP (typically on port 443)
Visible to DPI: scrambled UDP that does not match any known protocol signature
Strengths: very fast (no TCP-over-TCP penalty), modern congestion control, resilient to packet loss
Weaknesses: some networks block UDP entirely, in which case Hysteria2 cannot establish

Hysteria2 with salamander is currently the fastest working transport on most East Asian networks in 2026.

Reality

Reality is a protocol from the Xray/v2ray ecosystem that does something clever: it impersonates a real public website. A Reality connection to a VPN server actually forwards to a real popular website (google.com, microsoft.com, etc.) until the client provides a specific token, at which point it is switched into VPN mode. To any outside observer, the connection is genuinely to a real site.

Transport: TCP on port 443
Visible to DPI: indistinguishable from a real HTTPS visit to a known website
Strengths: highest stealth possible, no fingerprint because it literally is a connection to a real site
Weaknesses: requires the VPN server to have specific network configuration

Shadowsocks

Shadowsocks is an older obfuscation protocol that encrypts traffic with a symmetric cipher and sends it over plain TCP. Each packet looks like random bytes to an observer. It is less sophisticated than Cloak or Reality but remains widely deployed and works on many restrictive networks.

Transport: TCP (or UDP) on arbitrary ports
Visible to DPI: random-looking encrypted data with no protocol signature
Strengths: simple, fast, mature, broadly compatible
Weaknesses: distinctive statistical properties that advanced DPI has learned to detect in recent years

Which to use when

Network condition	Best protocol
Clean home broadband	OpenVPN UDP or the default automatic mode
Standard hotel Wi-Fi	Cloak or Hysteria2
Restrictive hotel / corporate network	Cloak (TCP-443 is hardest to block)
Standard mainland China connection	Hysteria2 first, Cloak fallback
UDP-blocked network	Cloak (TCP)
Mobile carrier network	Hysteria2 or Cloak

UnblockMeVPN supports Cloak and Hysteria2 in all clients. Reality and Shadowsocks are not currently part of our shipping product.

Try UnblockMeVPN

Private VPN for Windows, Android, and macOS. iPhone support coming soon. Plans from $3.99/month. 7-day money-back guarantee.

Download apps View plans