Anti-Censorship Evasion

A standard WireGuard handshake is highly recognizable. Authoritarian firewalls (like the GFW) use Deep Packet Inspection (DPI) to identify the static headers of typical VPN protocols and silently drop the connection. Tunnely implements aggressive countermeasures.

QUIC Obfuscation

To bypass signature-based DPI, Tunnely can wrap its standard WireGuard UDP packets inside of entirely synthetic QUIC (HTTP/3) frames.

When the local daemon detects repeated connection timeouts, it dynamically falls back to Obfuscation Mode. The daemon constructs a valid TLS 1.3 ClientHello matching the fingerprint of a standard Chromium web browser attempting to negotiate an HTTP/3 connection.

The authoritarian firewall inspects the packet, identifies it as standard web traffic heading to a presumed web server, and allows the UDP datagram to pass. Once it reaches the Tunnely Entry relay, the synthetic QUIC headers are stripped away, revealing the pristine, encrypted WireGuard packet underneath.

Domain Fronting (Emergency Fallback)

In extreme scenarios where the exit IP address of the Tunnely relay itself is blocked via an IP blacklist, the client will attempt to bootstrap via Domain Fronting.

The client routes its initial cryptographic handshake physically to a highly-reputable, "uncensorable" CDN (Content Delivery Network, e.g., Cloudflare, CloudFront). Because blocking an entire CDN IP block would cripple the nation's internet functionality, the connection is allowed.

However, the HTTP Host header encrypted within the secure TLS envelope instructs the CDN's edge server to route the request internally to the Tunnely backend API, completely bypassing the national IP blacklist.