gruez 11 hours ago

>GFW has been able to filter SNI to block https traffic for a few years now.

SNI isn't really the threat here, because any commercial VPN is going to be blocked by IP, no need for SNI. The bigger threat is tell-tale patterns of VPN use because of TLS-in-TLS, TLS-in-SSH, or even TLS-in-any-high-entropy-stream (e.g. shadowsocks).

rfv6723 10 hours ago | parent [-]

> because any commercial VPN is going to be blocked by IP, no need for SNI.

A proxy server can hide behind a CDN like Cloudflare via a websocket tunnel.

This is why the GFW develops an SNI filter: Cloudflare is too big to block.

eptcyka 6 hours ago | parent | next [-]

CDN traffic is quite expensive; I don’t believe it would be feasible to provide a VPN product for that. But for individuals, sure.

gruez 10 hours ago | parent | prev [-]

>Proxy server can hide behind CDN like Cloudflare via websocket tunnel.

Cloudflare doesn't support domain fronting, so any SNI spoofing won't work.