How modern VPN protocols work

A VPN connection is not one monolithic mechanism — it's a stack of layers. Each layer can be swapped independently, and different protocols pick different combos.

Разные протоколы выбирают разные комбинации:

QUIC is a transport protocol Google developed in 2012 and the IETF standardized in 2021 (RFC 9000). The idea: bundle TCP + TLS + HTTP/2 into one. Runs over UDP but still gives delivery guarantees, encryption and stream multiplexing.

Why it matters for VPNs

• 3× faster handshake — 1 RTT vs 3 RTT for TCP+TLS.
• 0-RTT resumption — first byte ships immediately on reconnect.
• No head-of-line blocking — streams don't fight each other.
• Userspace CC updates — no kernel rebuilds.

TLS 1.3 was standardized in 2018 and today powers ~80% of HTTPS. Key difference from 1.2 — a drastically simplified handshake.

Where performance lives. CC decides how much data to send per unit of time: too much — loss and backoff, too little — idle channel.

WireGuard is an excellent 2018-era protocol. Minimal overhead, simple format, modern crypto. But it has architectural limits that bite in 2026.

• Fixed packet format — you can't swap CC without touching the kernel.
• UDP-only — no TCP fallback when the carrier blocks UDP.
• No built-in camouflage — WireGuard traffic fingerprints easily.
• Static handshake — no 0-RTT resumption.

Hysteria 2 solves all of that: userspace with flexible CC, QUIC camouflage, 0-RTT, TCP fallback possible. Lunaire doesn't ship WireGuard as a primary protocol for these reasons.

Camouflage is a separate layer trying to make VPN traffic look like something ordinary. Three approaches:

Short answer: Hysteria 2 primary + VLESS Reality fallback for UDP-blocked networks. Lunaire ships both in one client — no manual setup.