
Russian Platforms Ordered to Restrict VPN Users

Examining the feasibility of cutting off VPN-based access to Sber and VK for Russian users

We analyze specific problems in real-time and provide updates on internet censorship, explaining:

  • What is happening
  • How it works
  • How it can be countered

In our first breakdown, we examine the requirement by the Russian Ministry of Digital Development to block access to major Russian internet platforms for VPN users. The Ministry has already issued a manual to these resources on how to impose the restrictions. The goal of this publication is to provide developers with recommendations on how to bypass this manual.

According to the published research source files from the RKS Global report, the Android portion of the manual has already been implemented by some apps, at least partially and in a fragmented way. The report suggests that none of the 30 analyzed applications implement the full Android methodology (GeoIP, direct, and indirect indicators via a decision matrix). However, a significant part of them utilizes specific components, particularly direct indicators and reporting VPN status to the server.

Key Findings: Research Data vs. The Manual

  • The RKS Global study identified the following implementations (as per the Manual):
    • TRANSPORT_VPN
    • system proxy
    • Tor/proxy detection
    • tun/tap/wg/ppp interface checks
    • reading /proc/net/tcp*
    • reporting VPN/Proxy status to the server
  • Partially implemented:
    • characteristic proxy ports
    • local proxy/localhost indicators
    • the GeoIP stage (applications likely perform this check on the server side)

To disrupt detection promoted by the Manual, developers of VPNs, anonymizers, and other circumvention tools should focus on indicators already widely used in Android apps: TRANSPORT_VPN, tun0/… interfaces, access to /proc/net/tcp*, system proxies, and status reporting. Here we provide our recommendations for the developers.

1. Move the tunnel off the client device

1.1. VPN on a router/access point

Set up the VPN on a home or office router so the Android device lacks TRANSPORT_VPN, tun0, modified routes, or custom DNS.

  • Examples: Almost all major services (Proton, Mullvad, IVPN, NordVPN, etc.) publish official guides for OpenWrt, AsusWRT, and other routers (OpenVPN/WireGuard on the router).

1.2. VPN / Proxy inside a VM or container

Run the circumvention tool inside a virtual machine or container while running apps outside in a «clean» network.

  • Examples: Many providers offer WireGuard/OpenVPN configs for installation in VMs (WSL2, VirtualBox, VMware). In OpenWrt/WSL2 communities, one can find scenarios where a VPN runs in a separate VM while the host stays without tunneling for specific apps.

2. Android: minimize system indicators

2.1. Avoid system VPN for all apps

Instead of using the global VpnService, use either in-app proxies (a proxy inside the application itself) or split tunneling so that sensitive applications do not detect the VPN.

Examples:

  • Some «browser VPNs» and proxy browsers implement circumvention only within their apps, without any system profile.
  • Many commercial VPNs use app-based split tunneling, where apps excluded from the tunnel use the standard network and do not see TRANSPORT_VPN.

2.2. Split tunneling with banks/government apps excluded

Provide users with an easy way to exclude specific apps from the tunnel to prevent them from «seeing» VPN flags.

Examples:

  • ProtonVPN, NordVPN, and others offer an «exclude apps» mode in their split tunneling settings, often with examples of banking and streaming services that do not like VPNs.
  • Tailscale enables app-based split tunneling.

3. Interfaces, routing, and DNS

3.1. Interface names

Avoid standard names such as tun0, wg0, ppp0, etc., which the manual suggests using as indirect indicators.

  • Examples: Some software (particularly custom WireGuard wrappers and enterprise solutions) already uses non-standard interface names. This can be confirmed in their documentation and some configs.

3.2. Routing and MTU

Avoid standing out through unusual MTU values and routes. Use values as close as possible to ordinary mobile or home networks; avoid excessive custom routes.

  • Examples: Some providers publish documentation explaining why they use specific MTU settings and how to change them, including a discussion of fragmentation issues. Some providers recommend configurations that mirror standard settings for stability.

3.3. DNS

Avoid setting the system DNS to 127.0.0.1 unless necessary. Keep the DNS settings looking «ordinary» (e.g., using a neutral public DNS) and encrypt it within the tunnel on your side.

  • Examples: Many VPN clients implement DoH/DoT (DNS over HTTPS/TLS) inside the tunnel while maintaining «usual» DNS settings on the device, often marketed as «DNS leak protection without changing your system DNS settings.» 

4. Minimizing visibility via /proc

4.1. Local ports and /proc/net/*

Avoid maintaining obvious local listeners on standard Tor/VPN ports. Avoid creating lots of connections to 127.0.0.1.

  • Example: Some commercial VPNs have already moved away from the «local SOCKS on 127.0.0.1:1080» model toward more integrated solutions.
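A self-audit over the indicators named in 3.1 and 4.1, as an added example that is not code from the manual, the RKS Global report, or any VPN project: it parses /proc/net/tcp-format text for loopback listeners and checks interface names against the tun/tap/wg/ppp prefixes. The sample table, the 9050 port entry, and all function names are assumptions; only IPv4 entries as written on a little-endian device are handled.

```python
import ipaddress

# Assumption: ports treated as "characteristic". 1080 is the page's example;
# 9050 is Tor's default SOCKS port.
CHARACTERISTIC_PORTS = {1080: "SOCKS", 9050: "Tor SOCKS default"}
# Interface name prefixes the page lists as indicators.
IFACE_PREFIXES = ("tun", "tap", "wg", "ppp")
TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real device).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0438 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 41001
   1: 0100007F:235A 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 41002
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10140        0 41003
   3: 0F02000A:A3C2 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000 10140        0 41004
"""

def parse_endpoint(field):
    """Decode 'HHHHHHHH:PPPP' (IPv4 address in little-endian hex) to (ip, port)."""
    addr_hex, port_hex = field.split(":")
    ip = ipaddress.IPv4Address(bytes.fromhex(addr_hex)[::-1])
    return ip, int(port_hex, 16)

def loopback_listeners(proc_net_tcp):
    """Return [(ip, port, uid)] for sockets in LISTEN state bound to loopback."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 8 or cols[3] != TCP_LISTEN:
            continue
        ip, port = parse_endpoint(cols[1])
        if ip.is_loopback:
            found.append((str(ip), port, int(cols[7])))
    return found

def audit(proc_net_tcp, interface_names):
    """List the indicators a client-side check of this kind would observe."""
    findings = []
    for name in interface_names:
        if name.startswith(IFACE_PREFIXES):
            findings.append(f"interface:{name}")
    for ip, port, uid in loopback_listeners(proc_net_tcp):
        label = CHARACTERISTIC_PORTS.get(port, "unlisted port")
        findings.append(f"listener:{ip}:{port} uid={uid} ({label})")
    return findings
```

Calling `audit(SAMPLE_PROC_NET_TCP, ["lo", "wlan0", "tun0"])` reports the `tun0` interface and the two loopback listeners; the wildcard listener on 8080 and the established outbound connection are not reported.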

4.2. Package and process names

Avoid using obvious words like VPN, proxy, Tor, or X-Ray in package names if the product is intended to circumvent censorship.

  • Example: Some mobile apps do not include «vpn» in their package ID, even if the word appears in the marketing name. Sometimes the marketing names even use VPS instead of VPN, which is technically different.

5. Split tunneling profiles and exclusions (as preventive protection from client-side detectors)

5.1. «Safe app» profiles

Offer pre-configured user profiles in the application in advance, where the typical apps favored by the Ministry of Digital Development (banks, government services, major marketplaces) are placed on the VPN exclusion list.

  • Example: Some mobile clients explicitly provide lists of application types in their instructions that should be excluded.

5.2. Intercepting/spoofing application actions under the manual

For advanced users: use techniques to spoof responses from ConnectivityManager, /proc, etc. in specific apps.

  • Example: The existing «Android VPN detection bypass» project (Frida) demonstrates that intercepting and spoofing system calls is a viable defense model.

6. UX and operating modes

6.1. Clearly explain the modes

The VPN client UI should clearly distinguish between «full tunnel,» «split tunneling,» and «selected apps only.» Highlight modes that are «compatible with sensitive apps.»

  • Examples: Some VPN clients already have UI settings for split tunneling. In manuals, this is sometimes referred to as «VPN detection circumvention» but is called a «compatibility mode for banking and government apps»; these very phrases can be used.

7. Explicit «gaps» in the manual already exploited by developers

  • Router-based VPNs/proxies are widely recommended, and the manual itself acknowledges that these are nearly impossible to detect at the client level.
  • VM/Container-based VPNs/proxies are actively used by technically advanced users and in corporate environments.
  • App-based split tunneling (Tailscale, major VPNs) allows for the exact scenario the manual fears: «dangerous» apps see a clean network, while the rest of the traffic remains tunneled.

How Russian Platforms Restrict Access for VPN Users

On April 16, Meduza published an overview of how Russian platforms were cutting off VPN users. At the request of the authorities, major Russian online providers have begun imposing mass restrictions on access for users in Russia with VPNs enabled, in order to remain on government-approved “whitelists” and ensure they continue to function during potential internet shutdowns.

Affected services include government portals (Gosuslugi, EMIAS), marketplaces (Ozon, Wildberries, DNS (an electronics retailer), Detsky Mir), banking apps (Sberbank, Alfa-Bank, VTB, T-Bank), food delivery and retail services (Magnit, Yandex Lavka, Samokat, VkusVill), online cinemas (Kinopoisk, Okko, Wink, Ivi), social networks (VKontakte), medical services, transport and travel platforms (Russian Railways, Tutu.ru, Aviasales, Yandex Go, 2GIS, car-sharing services), as well as other digital services such as Gismeteo, Yandex Mail, HeadHunter, and Profi.ru.

All these measures increase pressure on users. Regulatory authorities are effectively forcing people to disable VPNs to access essential services, thereby imposing a censored internet. Meduza emphasizes that it continues to provide access to its website without a VPN via mirrors, plugins, and its app, presenting this as a way to stay connected even when blocked.
