2026-04-20
How to choose a VPN in 2026
An honest checklist: which protocols actually work, why multi-protocol matters, what to look for, and why Lunaire is built the way it is.
TL;DR
Choosing a VPN in 2026 is no longer about "which country the server is in" and "how much per month." Networks in filtered regions now analyze traffic behavior, not just headers. Decade-old protocols — OpenVPN, WireGuard, plain Shadowsocks — get recognized in milliseconds and either dropped or throttled into uselessness. Pick by five criteria: protocol stack, multi-protocol client, logging policy, infrastructure quality, and client-side automation. Lunaire is engineered around all five.
What changed in 2026
DPI systems picked up a new layer this year: behavioral analysis driven by neural networks. Previously, hiding a signature in the packet header or masking a TLS handshake was enough. Not anymore. DPI now looks at the shape of the flow: session length, packet sizes, burst patterns, entropy, ratio of inbound to outbound traffic. Regular web browsing and a long-lived VPN tunnel look different even when both use TLS 1.3.
On top of that, mobile operators and some regions run whitelist mode: the filter blocks everything by default and only allows a known list of services. That's not individual site blocking — that's an "allow-list" architecture. A VPN that ignores this model and sits on a random foreign VPS simply doesn't start in those networks.
Another new tactic: "session freezing." Instead of killing a connection with TCP RST (easy to filter), the network simply stops forwarding packets once a single TCP session has transferred 15–20 kilobytes. The client thinks the server froze. Any VPN that drives one long stream through one TCP socket will degrade.
Bottom line: in 2026, "a VPN that works" is not just "a server in the Netherlands and a connect button." It's a full architecture — modern protocols, client automation, server infrastructure that adapts to network conditions.
Why legacy protocols stopped working
OpenVPN, WireGuard, L2TP/IPsec, PPTP, ShadowTLS v3, old Shadowsocks versions — all of these get recognized on the first DPI layer. It's a byte-level match: compare the first 16–32 bytes of the packet against a signature database.
WireGuard starts its handshake with 0x01 (initiation) or 0x02 (response). That's in the RFC; you can't change it without breaking compatibility. OpenVPN starts with 0x38. Every modern filter knows these by heart. No "encrypted wrapper" on top of plain WireGuard helps, because the first bytes are still fixed.
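To make the byte-level match concrete, here is an added illustration (not Lunaire's code, and not from the page) of what a first-layer DPI rule actually checks: a handful of fixed bytes and lengths, nothing else. The datagrams it runs over are constructed, and the rule assumes UDP and the first datagram of a flow. The takeaway for a defender or a user is that the whole signature lives in those fixed bytes, which is why a wrapper that leaves them in place changes nothing.

```go
package main

import "fmt"

// Labels returned by the matcher. Unknown means no signature matched.
const (
	Unknown   = "unknown"
	WireGuard = "wireguard"
	OpenVPN   = "openvpn"
)

// Fixed on-the-wire lengths of the three WireGuard handshake messages,
// keyed by the type byte that starts each datagram. Bytes 1..3 are
// reserved and always zero; type 4 is transport data (variable length).
var wireGuardLengths = map[byte]int{
	1: 148, // handshake initiation
	2: 92,  // handshake response
	3: 64,  // cookie reply
}

// OpenVPN over UDP packs the opcode into the top five bits of the first
// byte and the key ID into the low three, so opcode 7 with key ID 0 is 0x38.
const (
	opHardResetClientV2 = 7 // 0x38: first packet of a client handshake
	opHardResetServerV2 = 8 // 0x40: the server's reply
)

// ClassifyDatagram is a toy DPI rule (assumption: UDP, first datagram of
// a flow). It matches only fixed bytes and lengths, nothing else.
func ClassifyDatagram(p []byte) string {
	if len(p) < 4 {
		return Unknown
	}
	if p[1] == 0 && p[2] == 0 && p[3] == 0 {
		switch t := p[0]; {
		case t >= 1 && t <= 3:
			if len(p) == wireGuardLengths[t] {
				return WireGuard
			}
		case t == 4:
			// 16-byte header plus at least a 16-byte Poly1305 tag; the
			// encrypted payload is padded to a multiple of 16 bytes.
			if len(p) >= 32 && len(p)%16 == 0 {
				return WireGuard
			}
		}
	}
	// Opcode, 8-byte session ID, ack-array length and a packet ID give a
	// minimum of 14 bytes before any control payload.
	if op := p[0] >> 3; (op == opHardResetClientV2 || op == opHardResetServerV2) && len(p) >= 14 {
		return OpenVPN
	}
	return Unknown
}

// SampleDatagrams are constructed, not captured: only the signature bytes
// and lengths matter to the matcher, so everything else is left zero.
func SampleDatagrams() map[string][]byte {
	wgInit := make([]byte, 148)
	wgInit[0] = 1
	wgData := make([]byte, 32) // a keepalive: header plus an empty sealed payload
	wgData[0] = 4
	ovpn := make([]byte, 42)
	ovpn[0] = 0x38
	wrongLen := make([]byte, 100) // type byte 1 but not 148 bytes: no match
	wrongLen[0] = 1
	return map[string][]byte{
		"wireguard-initiation": wgInit,
		"wireguard-keepalive":  wgData,
		"openvpn-client-reset": ovpn,
		"not-a-handshake":      wrongLen,
	}
}

func main() {
	for name, d := range SampleDatagrams() {
		fmt.Printf("%-22s -> %s\n", name, ClassifyDatagram(d))
	}
}
```

A real sensor would also track the flow after the first datagram (for WireGuard, a 148-byte message followed by a 92-byte reply on the same 4-tuple is a far stronger signal than either alone), but the point stands: nothing here inspects the encrypted body.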
The next layer is TLS fingerprinting. If a protocol pretends to be HTTPS, the filter hashes the TLS ClientHello parameters (JA3/JA4): TLS version, cipher suites, extensions, elliptic curves. Go's TLS stack has its own fingerprint. Python requests has its own. curl has its own. Real browsers have theirs. The filter compares the hash against a database and flags non-browser clients. A modern VPN must use libraries like uTLS that mimic Chrome or Firefox byte-for-byte. Otherwise "looks like HTTPS" is cosmetic.
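An added example (not from the page and not Lunaire's code) of how a JA3 fingerprint is formed: the five ClientHello fields are joined as decimal lists, GREASE values are stripped, and the result is MD5-hashed. The two ClientHellos and the browser allow-list are constructed for illustration; parsing the TLS record into those fields is assumed to have happened already.

```go
package main

import (
	"crypto/md5"
	"fmt"
	"strconv"
	"strings"
)

// ClientHello carries the five fields JA3 hashes, already parsed out of
// the TLS record (record parsing is outside this example).
type ClientHello struct {
	Version      uint16   // the ClientHello's client_version field
	Ciphers      []uint16 // cipher_suites, in wire order
	Extensions   []uint16 // extension types, in wire order
	Curves       []uint16 // supported_groups
	PointFormats []uint8  // ec_point_formats
}

// isGREASE reports whether v is a GREASE value (0x0a0a, 0x1a1a, ... 0xfafa).
// Browsers insert a random one per handshake, so JA3 drops them; otherwise
// the same browser would hash differently on every connection.
func isGREASE(v uint16) bool {
	return v&0x0f0f == 0x0a0a && v>>8 == v&0xff
}

func join16(vals []uint16) string {
	parts := make([]string, 0, len(vals))
	for _, v := range vals {
		if !isGREASE(v) {
			parts = append(parts, strconv.Itoa(int(v)))
		}
	}
	return strings.Join(parts, "-")
}

func join8(vals []uint8) string {
	parts := make([]string, 0, len(vals))
	for _, v := range vals {
		parts = append(parts, strconv.Itoa(int(v)))
	}
	return strings.Join(parts, "-")
}

// JA3String is the canonical input: Version,Ciphers,Extensions,Curves,PointFormats.
func JA3String(h ClientHello) string {
	return fmt.Sprintf("%d,%s,%s,%s,%s", h.Version,
		join16(h.Ciphers), join16(h.Extensions), join16(h.Curves), join8(h.PointFormats))
}

// JA3 is the MD5 of that string, rendered as 32 hex characters.
func JA3(h ClientHello) string {
	return fmt.Sprintf("%x", md5.Sum([]byte(JA3String(h))))
}

// BrowserHello is a constructed browser-style hello; the GREASE value
// changes per connection, as it would in a real browser.
func BrowserHello(grease uint16) ClientHello {
	return ClientHello{
		Version:      0x0303,
		Ciphers:      []uint16{grease, 0x1301, 0x1302, 0xc02b},
		Extensions:   []uint16{grease, 0, 23, 65281, 10, 11},
		Curves:       []uint16{grease, 29, 23, 24},
		PointFormats: []uint8{0},
	}
}

// LibraryHello is a constructed non-browser hello: same cipher suites,
// no GREASE, a different extension set. The hash will not match.
func LibraryHello() ClientHello {
	return ClientHello{
		Version:      0x0303,
		Ciphers:      []uint16{0x1301, 0x1302, 0xc02b},
		Extensions:   []uint16{0, 10, 11, 13},
		Curves:       []uint16{29, 23, 24},
		PointFormats: []uint8{0},
	}
}

// Classify looks the fingerprint up in a (constructed) browser allow-list;
// anything unlisted is reported as non-browser.
func Classify(h ClientHello, knownBrowsers map[string]string) string {
	if label, ok := knownBrowsers[JA3(h)]; ok {
		return label
	}
	return "non-browser"
}

func main() {
	known := map[string]string{JA3(BrowserHello(0x0a0a)): "browser-profile-A"}
	for _, h := range []ClientHello{BrowserHello(0x1a1a), LibraryHello()} {
		fmt.Printf("%s  %s  %s\n", JA3(h), JA3String(h), Classify(h, known))
	}
}
```

Two things to notice: the browser hello hashes identically across connections because GREASE is removed, and the library hello differs even though it offers the same cipher suites, since extension order and membership are part of the hash. That is exactly the gap uTLS exists to close.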
Layer three is active probing. The filter itself connects to a suspicious server and checks whether a real website answers, whether the TLS certificate matches the SNI, whether it can GET the favicon. A VPN server that responds with a closed port or a weird error on direct access gives itself away instantly. In 2026, a working server must respond to probes with a valid HTTPS response from a real Let's Encrypt certificate.
Layer four — the most expensive one — is the behavioral ML model described above. Even a perfectly masked handshake doesn't save you if the traffic inside the tunnel has the "wrong" pattern. The defense is to split the flow into many short HTTP requests, randomize packet sizes, add padding.
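The flow-shape features named here and in "What changed in 2026" (session length, packet sizes, inbound/outbound ratio, entropy), as an added example that is not part of the page and not Lunaire's code. Both flows are constructed, with pseudo-random bytes standing in for ciphertext; the rule at the end is a toy threshold, not a trained model, and its thresholds are assumptions.

```go
package main

import (
	"fmt"
	"math"
)

// Packet is one packet of a flow as a collector would record it.
type Packet struct {
	Outbound bool
	TimeSec  float64
	Payload  []byte
}

// Features are the shape statistics the text lists.
type Features struct {
	DurationSec float64
	Packets     int
	OutInRatio  float64 // outbound bytes / inbound bytes
	SizeCV      float64 // std-dev of payload size divided by the mean
	EntropyBits float64 // Shannon entropy of all payload bytes, bits per byte
}

func shannon(b []byte) float64 {
	var counts [256]float64
	for _, c := range b {
		counts[c]++
	}
	n, h := float64(len(b)), 0.0
	for _, c := range counts {
		if c > 0 {
			p := c / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// Extract computes the features for one flow.
func Extract(pkts []Packet) Features {
	if len(pkts) == 0 {
		return Features{}
	}
	var out, in, sum, sumSq float64
	var all []byte
	for _, p := range pkts {
		size := float64(len(p.Payload))
		sum, sumSq = sum+size, sumSq+size*size
		if p.Outbound {
			out += size
		} else {
			in += size
		}
		all = append(all, p.Payload...)
	}
	n := float64(len(pkts))
	mean := sum / n
	std := math.Sqrt(math.Max(0, sumSq/n-mean*mean))
	f := Features{
		DurationSec: pkts[len(pkts)-1].TimeSec - pkts[0].TimeSec,
		Packets:     len(pkts),
		SizeCV:      std / mean,
		EntropyBits: shannon(all),
	}
	if in > 0 {
		f.OutInRatio = out / in
	}
	return f
}

// LongTunnelShape is a toy rule: a long-lived flow of uniformly sized
// packets. Entropy is deliberately left out: both flows below are
// ciphertext, so it sits near 8 bits/byte for each and separates nothing.
func LongTunnelShape(f Features) bool {
	return f.DurationSec > 120 && f.Packets > 100 && f.SizeCV < 0.2
}

// lcgFill yields deterministic pseudo-random bytes standing in for ciphertext.
func lcgFill(seed *uint32, n int) []byte {
	b := make([]byte, n)
	for i := range b {
		*seed = *seed*1664525 + 1013904223
		b[i] = byte(*seed >> 24)
	}
	return b
}

// syntheticFlow builds a constructed flow: n packets, fixed spacing,
// payload sizes cycling through sizes, every outEvery-th packet outbound.
func syntheticFlow(n int, spacing float64, sizes []int, outEvery int, seed uint32) []Packet {
	pkts := make([]Packet, n)
	for i := range pkts {
		pkts[i] = Packet{Outbound: i%outEvery == 0, TimeSec: spacing * float64(i),
			Payload: lcgFill(&seed, sizes[i%len(sizes)])}
	}
	return pkts
}

// BrowsingFlow: a short burst of mixed sizes. TunnelFlow: a long, balanced
// stream of near-MTU packets. Both are constructed, not captured.
func BrowsingFlow() []Packet { return syntheticFlow(42, 0.2, []int{517, 1400, 1400, 93, 64, 1400, 200}, 5, 1) }
func TunnelFlow() []Packet   { return syntheticFlow(300, 2, []int{1320, 1380, 1380, 1380}, 2, 2) }

func main() {
	for name, flow := range map[string][]Packet{"browsing": BrowsingFlow(), "tunnel": TunnelFlow()} {
		f := Extract(flow)
		fmt.Printf("%-8s %+v tunnel-shape=%v\n", name, f, LongTunnelShape(f))
	}
}
```

The instructive part is what the numbers show: entropy is near-identical for both flows, so "it's encrypted" gives the classifier nothing; duration and size uniformity are what separate them. Splitting a tunnel into short requests with padding, as the text describes, attacks exactly those two features.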
Five criteria for picking a VPN in 2026
Any service calling itself "the best VPN for Russia" in 2026 should pass a five-point check. If even one is weak, the service is unstable.
1. A modern protocol stack
Specifically: VLESS Reality, Hysteria 2, xHTTP, AmneziaWG. That's the four-protocol set that actually works across all providers and mobile carriers in April 2026. Anything older — OpenVPN, WireGuard, IKEv2, PPTP, plain Shadowsocks — is archaeology. A service offering only "WireGuard with obfuscation" is not the same defense tier as full Reality with self-steal SNI.
- VLESS Reality — TLS 1.3 handshake disguised as a real domain (Microsoft, Apple, Cloudflare). Serves the external site's certificate, responds to active probes with a normal HTTPS response. Indistinguishable from regular web traffic.
- Hysteria 2 — QUIC/UDP with the Brutal congestion control algorithm and Salamander obfuscation. Squeezes maximum throughput out of lossy networks and mobile internet. 0-RTT handshake — instant reconnect on drops.
- VLESS xHTTP — HTTP/2 tunnel in packet-up mode. Each VPN packet is a separate HTTP request, a separate short TCP session. The behavioral ML model doesn't see a long bidirectional stream — there technically isn't one.
- AmneziaWG 2.0 — WireGuard with anti-pattern parameters: junk packets (Jc, Jmin, Jmax), per-packet-type padding (S1–S4), modified magic headers (H1–H4). Standard WireGuard signature disappears.
2. Multi-protocol and auto-switch
No single protocol is bulletproof. Reality fails on networks that block TCP/443. Hysteria 2 dies where UDP is filtered. xHTTP is slower on stable networks. AmneziaWG needs UDP. A multi-protocol client carries all four options and picks the live one on the fly. This isn't a settings checkbox — it's an architectural requirement for a modern VPN.
In Lunaire this is called Protocol Engine. The client monitors all available protocols in parallel, measures latency and loss, switches in milliseconds. The user sees one "Connect" button; failover runs under the hood.
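An added example of the failover decision a multi-protocol client has to make. It is not Lunaire's Protocol Engine, whose internals are not on the page; the probe results, the loss weighting and the 20% hysteresis are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"math"
)

// Probe is one measurement of a transport, as a client would collect it by
// sending a few test packets over each configured protocol in parallel.
type Probe struct {
	Name      string
	Reachable bool
	RTTms     float64
	LossPct   float64
}

// Score folds latency and loss into one number (lower is better). Each
// percent of loss costs 20 ms here; an unreachable transport scores +Inf.
// The weighting is an assumption for this example.
func Score(p Probe) float64 {
	if !p.Reachable {
		return math.Inf(1)
	}
	return p.RTTms + 20*p.LossPct
}

// Choose returns the transport to use next and whether anything is up.
// It keeps the current transport unless a candidate beats it by at least
// the hysteresis fraction (or the current one is down), so the client
// does not flap between two near-equal protocols every probe cycle.
func Choose(current string, probes []Probe, hysteresis float64) (string, bool) {
	best, bestScore, curScore := "", math.Inf(1), math.Inf(1)
	for _, p := range probes {
		s := Score(p)
		if p.Name == current {
			curScore = s
		}
		if s < bestScore {
			best, bestScore = p.Name, s
		}
	}
	if math.IsInf(bestScore, 1) {
		return current, false // nothing reachable; the caller keeps retrying
	}
	if !math.IsInf(curScore, 1) && bestScore >= curScore*(1-hysteresis) {
		return current, true
	}
	return best, true
}

func main() {
	// Constructed probe cycles: healthy network, then UDP filtered, then
	// the UDP transport back but lossy.
	cycles := [][]Probe{
		{{"hysteria2", true, 40, 0}, {"reality", true, 45, 0}, {"xhttp", true, 90, 0}, {"amneziawg", true, 38, 0}},
		{{"hysteria2", false, 0, 0}, {"reality", true, 45, 0}, {"xhttp", true, 90, 0}, {"amneziawg", false, 0, 0}},
		{{"hysteria2", true, 40, 30}, {"reality", true, 45, 0}, {"xhttp", true, 90, 0}, {"amneziawg", true, 38, 25}},
	}
	current := "hysteria2"
	for i, probes := range cycles {
		next, ok := Choose(current, probes, 0.2)
		fmt.Printf("cycle %d: %s -> %s (reachable=%v)\n", i, current, next, ok)
		current = next
	}
}
```

Note the second and third cycles: when UDP disappears the client lands on the TCP/443 option, and when UDP returns but with 25 to 30% loss the hysteresis keeps it on Reality rather than bouncing back for a 5 ms gain that loss wipes out.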
3. Logging policy and privacy
No-logs VPN isn't a marketing slogan — it's a concrete technical architecture. The server must not keep:
- connection history with user IP addresses,
- visited domain and DNS query logs,
- long-lived user ↔ IP ↔ timestamp mappings.
What's acceptable: aggregate traffic metrics (daily byte totals for billing), node status, authentication events without content. Everything else is a leak.
Provider jurisdiction and physical node location matter too. Lunaire encrypts sensitive fields in the database at the application layer (AES-256-GCM): Hysteria passwords, AmneziaWG private keys, SSH credentials. If the database leaks, the secrets stay unreadable without the master key.
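An added example of application-layer field encryption with AES-256-GCM, written for this page; it is not Lunaire's code and says nothing about how Lunaire's database is actually laid out. Table, column and row names are constructed. The row and column identity goes into GCM's additional data, so a ciphertext copied from one row into another fails to decrypt rather than silently handing an attacker a different node's secret.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// FieldCipher encrypts individual database columns under one 32-byte
// master key that lives outside the database (KMS, HSM, env of the app).
type FieldCipher struct{ aead cipher.AEAD }

func NewFieldCipher(masterKey []byte) (*FieldCipher, error) {
	// aes.NewCipher would happily accept 16 bytes and give AES-128;
	// insist on AES-256 explicitly.
	if len(masterKey) != 32 {
		return nil, errors.New("AES-256-GCM needs a 32-byte key")
	}
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// context binds a ciphertext to its table, column and row as GCM
// additional authenticated data. The separator keeps "a"+"bc" distinct
// from "ab"+"c".
func context(table, column, rowID string) []byte {
	return []byte(table + "\x00" + column + "\x00" + rowID)
}

// Seal returns nonce || ciphertext || tag, the blob stored in the column.
// A fresh random 96-bit nonce is drawn per value.
func (f *FieldCipher) Seal(table, column, rowID string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return f.aead.Seal(nonce, nonce, plaintext, context(table, column, rowID)), nil
}

// Open reverses Seal; any change to the blob or to the row/column context
// fails authentication and returns an error.
func (f *FieldCipher) Open(table, column, rowID string, stored []byte) ([]byte, error) {
	ns := f.aead.NonceSize()
	if len(stored) < ns+f.aead.Overhead() {
		return nil, errors.New("stored value too short")
	}
	return f.aead.Open(nil, stored[:ns], stored[ns:], context(table, column, rowID))
}

func main() {
	masterKey := make([]byte, 32) // in production this comes from a key store
	if _, err := io.ReadFull(rand.Reader, masterKey); err != nil {
		panic(err)
	}
	fc, err := NewFieldCipher(masterKey)
	if err != nil {
		panic(err)
	}
	// Constructed example row: a node's Hysteria password.
	blob, _ := fc.Seal("nodes", "hysteria_password", "node-17", []byte("example-password"))
	fmt.Printf("stored: %x\n", blob)
	pt, err := fc.Open("nodes", "hysteria_password", "node-17", blob)
	fmt.Printf("same row: %q err=%v\n", pt, err)
	_, err = fc.Open("nodes", "hysteria_password", "node-18", blob)
	fmt.Printf("moved to another row: err=%v\n", err)
}
```

Two operational points follow from the design. A random 96-bit nonce is fine for a secrets table but the number of values sealed under one key should stay far below 2^32, so rotate the master key (re-encrypting rows) rather than running one key forever. And the encryption only covers what the text says it covers: the secrets columns. Connection logs are not made safe by this; they are made safe by not being written.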
4. Client-side automation
A good VPN in 2026 isn't "turn it on and go." It's a set of small defenses that run without user input:
- Kill switch — if the VPN connection drops, all traffic is blocked rather than leaking to the open internet. On Android that means the Always-on VPN API.
- Split tunneling — choose which apps go through the VPN and which stay direct. Useful for banking apps and local services.
- DNS over HTTPS / TLS — DNS queries are encrypted; otherwise the provider sees which domains you resolve even when VPN traffic itself is protected.
- Auto-connect on Wi-Fi — automatic connection when joining public networks.
5. Server infrastructure
Nodes should run on non-standard ports (3443, 6443, 2053 — not just 443), carry valid TLS certificates on proper domains, serve real web content on direct access (a web frontend as the answer to active probing), use BBR v3 for TCP-based protocols, and run a modern Linux kernel.
The number of locations matters less than the quality of each node. Fifty locations on oversold VPS is worse than eight locations on dedicated hardware with guaranteed bandwidth.
What to pick right now
Concrete recommendations by scenario.
Regular home Wi-Fi, no whitelist mode. Hysteria 2 as primary, VLESS Reality as fallback. That's the default client config in Lunaire.
Mobile internet (MTS, MegaFon, Beeline, T2). Whitelist mode active, UDP may be filtered to off-list nodes. You need a TCP/443-based masked protocol — VLESS Reality or xHTTP. Lunaire keeps both in the subscription.
Aggressive-regime region. Only nodes on whitelist-friendly infrastructure (Yandex Cloud and similar) plus behavioral defense (xHTTP packet-up) work. Generic VPN services on European VPS go silent here.
On a router. AmneziaWG is the only practical option if the router can't run sing-box. A .conf file per node, a single tunnel for all household traffic.
Why Lunaire is built this way
We built Lunaire as a direct answer to all five criteria.
Four protocols in the stack. One subscription, all of: Hysteria 2 with Brutal and Salamander, VLESS Reality with uTLS Chrome, VLESS xHTTP packet-up, AmneziaWG 2.0 with a full anti-DPI parameter set. Not "protocol support" — a complete implementation of each with per-user auth.
Protocol Engine. The client runs all protocols in parallel, measures latency and loss, switches to the best one in milliseconds. When the primary starts degrading, traffic moves to the fallback before the user notices.
No-logs architecture. Secrets in the database are AES-256-GCM encrypted. Visited-domain logs aren't kept. Billing runs on aggregate traffic volume, not on request history.
Android client. Kill switch via Always-on VPN API, per-app split tunneling, trusted networks (auto-disconnect on known Wi-Fi), DNS-over-HTTPS, all four protocols supported natively. Sing-box 1.13.2 under the hood.
Infrastructure. Nodes on non-standard ports, valid TLS certificates on owned domains, web frontends for active-probe responses, BBR v3 across all TCP-based protocols.
DUSK tier. 5 GB per day forever, one device, all four protocols, full client functionality. We let you verify Lunaire works in your specific network before you pay.
What to avoid
- "WireGuard VPN, 60+ countries, $0.99/month." Plain WireGuard with no real obfuscation. Will not work in 2026.
- VPN with no free tier. You can't verify it works in your network before paying. Deal-breaker.
- Single protocol in the subscription. Even if it's Reality — a network that blocks TCP/443 takes it down.
- "Military-grade AES-256 encryption." A marketing line that says nothing about the actual architecture. Every modern TLS uses AES-256. What matters is the transport protocol and the logging policy.
- No technical documentation. If the site doesn't describe the protocol stack, ports, and logging policy — red flag.
Takeaway
Picking a VPN in 2026 is an engineering decision, not a website-comparison exercise. The five-criteria check (protocol stack, multi-protocol, logging policy, client automation, infrastructure quality) is an honest filter. Services that pass all five can be called working.
Lunaire is built exactly around that check. Hysteria 2, VLESS Reality, xHTTP packet-up, AmneziaWG 2.0 in one subscription. Protocol Engine with auto-switch. No-logs. Android client with kill switch and split tunneling. A free DUSK tier to verify everything with your own eyes before paying.
Verify now via the Telegram bot. No registration, no card: the subscription is created, you install the client, connect, and use it.