A detailed technical comparison of NavLink with popular traffic tunneling protocols.
| Feature | OpenVPN | WireGuard | Outline | Tor | NavLink |
|---|---|---|---|---|---|
| Obfuscation | |||||
| DPI-resistant | No | No | Partial | Partial | Yes |
| Indistinguishable from HTTPS | No | No | No | No | Yes |
| TLS fingerprint rotation | No | No | No | No | Yes |
| Decoy CDN traffic | No | No | No | No | Yes |
| Active probe resistance | No | No | Partial | No | Yes |
| Infrastructure | |||||
| Server IPs not public | No | No | No | No | Yes |
| Multi-hop routing | No | No | No | Yes | Yes |
| Encrypted key format | No | No | No | No | Yes |
| Network | |||||
| UDP | Yes | Yes | No | No | Yes |
| Works without UDP | Partial | No | Yes | Yes | Yes |
| Split tunneling | Partial | Partial | No | No | Yes |
| Speed | Partial | Yes | Yes | No | Yes |
| Management | |||||
| Enterprise management | Partial | No | No | No | Yes |
| OTA auto-updates | No | No | Partial | Partial | Yes |
| Key leak detection | No | No | No | No | Yes |
Partial indicates the feature exists but requires manual configuration or has significant limitations in typical deployments.
DPI systems have evolved alongside obfuscation protocols. Each popular solution has a structural flaw that cannot be fixed without replacing the protocol entirely.
OpenVPN's TLS handshake has a unique signature: a fixed cipher suite, specific ALPN, and non-standard ClientHello structure. Modern DPI identifies it in milliseconds. Its TCP-over-TLS mode is little better: the stream structure differs from browser traffic.
WireGuard runs exclusively over UDP. Its packets are identifiable by characteristic size and entropy even without payload inspection. In strictly filtered networks UDP is blocked at the transport layer — WireGuard stops working entirely.
Shadowsocks traffic is fully encrypted and resembles neither HTTP nor TLS. Statistical entropy analysis detects such streams: they lack the structural patterns of browser TLS. Modern DPI in some countries detects Outline more reliably than it does OpenVPN.
Three-hop onion routing provides strong anonymity but typical throughput is single-digit megabits. Guard node IP addresses are publicly listed and routinely blocked. Even pluggable transports over Tor do not solve the speed problem.
Some carriers operate in whitelist mode: only connections to whitelisted addresses are permitted, everything else is silently dropped at TCP level. Here is how different protocols behave under these conditions.