VPN blocked in Russia in June 2026: what happened and what works now
In short: in late May and early June 2026 Roskomnadzor reconfigured the DPI systems carriers run on their networks — Russia's carrier-grade DPI, locally known as "TSPU" — to work on a new principle: blocking traffic not by a protocol's signature, but by indirect characteristics of the connection (the server's IP-address range, the properties of the encrypted channel, the frequency of connections, the digital fingerprint). The method turned out to be so blunt that it caught not only VPNs but ordinary Russian services as well: the hosting providers Selectel, Beget and Timeweb officially reported outages, projects on Cloudflare went down, and so did a number of mobile apps. Among access tools, the ones holding up best are those not tied to a single static signature: VLESS over an xHTTP or gRPC transport, Hysteria2 (which runs over UDP), and services that can switch transport on the fly.
If your VPN suddenly stopped connecting in early June, a familiar site started "dropping", or an app began hanging — you almost certainly did nothing wrong. What changed was neither your device nor your carrier, but the filtering method itself at the backbone level. Let's go through it step by step: what happened, why it hit even legal resources, and what to do about it.
What exactly happened in June 2026
Until that point, VPN blocking in Russia worked mainly by signatures: the DPI systems looked for a protocol's characteristic "fingerprint" in the traffic (the WireGuard handshake, OpenVPN packet patterns) and cut connections on a match. For years the defense against this was disguise — for example REALITY, which during its handshake borrows the TLS certificate of a real, popular website.
In late May and early June 2026 the approach changed. According to a vc.ru publication dated 10 June 2026 (citing RBC), Roskomnadzor updated the DPI configuration so that the blocking decision is now made by indirect characteristics: the server's IP-address range, the properties of the encrypted connection, the frequency of connections, and the digital fingerprint. In other words, the system no longer tries to prove "this is a VPN" — it cuts anything that *behaves* like a tunnel, without bothering to investigate.
This is a direct continuation of the February shift. Back on 17 February 2026 the DPI systems began applying behavioral analysis — looking not at the handshake but at the character of the traffic after it (by experts' estimates — connection duration, timings, and the symmetry of packets). The June reconfiguration scaled this principle up to the backbone level.
Why even legal Russian sites broke
The most telling part of the June wave is not the blocking of VPNs as such, but the collateral damage. When the filter cuts by indirect characteristics, any service with a continuous encrypted channel falls under the definition of a "suspicious" connection: mobile apps, real-time services, cloud platforms, b2b tools, and especially projects running through Cloudflare.
The result is documented: customers of Selectel, Beget and Timeweb — three of the largest Russian hosting providers — reported mass outages. The providers stated the cause plainly: an "update to the configuration of the technical countermeasures against threats". In other words, it was not the "circumvention crowd" that suffered, but ordinary Russian businesses: online stores, corporate dashboards, mobile apps whose connections merely looked like a tunnel from the outside.
The key technical takeaway of June 2026: blocking has become probabilistic rather than precise. The DPI systems cut by "looks like a VPN" rather than by "proven to be a VPN". That is why things that used to work break — both VPNs and legal services.
This is part of a bigger plan, not a one-off glitch
The June reconfiguration fits into the regulator's long-term strategy. Roskomnadzor's roadmap for traffic control and filtering states a goal of pushing the efficiency of detecting and blocking VPN traffic to 92% and bringing up to 98% of internet traffic under control by the end of 2030.
It's important here not to give in to headline panic. Experts (in particular the analyst Vakulin, in a comment to sevastopol.su) emphasize: the 92% figure is a target benchmark, not a guaranteed technical result and certainly not "92 blocked services", as is sometimes claimed. This is about the gradual refinement of detection methods, not the named blocking of specific apps. The practical meaning for the user is one and the same: pressure will mount in waves, and what wins is not any particular protocol but the tool's ability to adapt faster than the filter updates.
What stopped working, and what survived
If we boil the mid-June 2026 state down to a table:
| Protocol / transport | Status in Russia (June 2026) |
|---|---|
| WireGuard, OpenVPN (bare) | Blocked — fixed fingerprint |
| Shadowsocks without obfuscation | Mostly detected |
| VLESS + REALITY over bare TCP | Detected behaviorally since 17 February 2026 |
| VLESS over xHTTP / gRPC, Hysteria2 (UDP) | Pass — no static signature |
A full per-protocol breakdown with numbers and setup lives in a separate article — see what passes the DPI: protocol status; for how to choose a transport deliberately, see the 2026 protocol guide. In short: a static protocol clung to at any cost is doomed, because sooner or later the filter will describe its behavior. The only viable approach is transport rotation.
What to do right now
First — don't look for the fault in your app. If everything worked before June and then stopped all at once, the cause is almost always the backbone filter, not your settings. Reinstalling the app and switching carriers won't help here: MTS, Beeline, MegaFon and Tele2 all use the same class of DPI equipment.
Second — choose a solution by the principle of adaptivity, not by the protocol name in the advertising. A service that can change transport on the server side rides out a wave of filter reconfiguration without any action from you: you don't have to manually rebuild your config every time the DPI updates. That is exactly how MegaV's managed adaptive stack is built: the transport is chosen and switched on the server side, the specific transport is not fixed and changes as the filter updates, and on your end the connection simply keeps working. We unpacked why familiar configs suddenly die in the article why VPN doesn't work in 2026.
Third — install a working tool in advance, while direct access to the download is still open. During periods of escalation, downloading a new app without an already-working access channel becomes a problem in its own right.
Frequently asked questions
Is it true that 92 VPN services were blocked in June 2026?
No, that's a distortion. Roskomnadzor's plans state a goal of reaching 92% efficiency in blocking VPN traffic by 2030 — that's a detection target, not a list of 92 specific services and not a one-off block. The June wave was a change in the filtering method, not the publication of a "blacklist".
Why did ordinary sites and apps break along with VPNs?
Because the new DPI method cuts by indirect characteristics — IP range, connection properties, frequency of connections. Any service with a continuous encrypted channel falls under that definition, which is why the outages hit Selectel, Beget, Timeweb and projects on Cloudflare, not just VPNs.
Will switching carriers or reinstalling the app help?
Usually no. The DPI is a single class of equipment used by all the major carriers, so moving from one to another doesn't save you. The problem is not in the app or the carrier, but in the filtering method at the backbone.
Which protocol is the most reliable right now?
As of June 2026, the ones holding up best are VLESS over an xHTTP or gRPC transport and Hysteria2 (which runs over UDP, filtered more weakly). But reliability comes not from the protocol itself, but from the service's ability to rotate transport as the filter updates.
Is this permanent or temporary?
The blocking waves will keep recurring — it's part of the regulator's long-term strategy. Any particular transport can "drop" at any moment, so the only durable strategy is an adaptive service that changes transport faster than the filter can describe it.
Bottom line
June 2026 did not bring a "magical" new list of 92 blocked services — it brought a change in the very principle of blocking. The DPI systems shifted to filtering by indirect characteristics, and the method proved so blunt that it took down legal Russian infrastructure — Selectel, Beget, Timeweb, services on Cloudflare. For the user the conclusion is simple: static protocols and "eternal" configs are becoming a thing of the past, and what works is what adapts. A managed adaptive transport survives such waves without any manual rebuilding — and that, not the protocol name on the label, is the selection criterion in 2026.