TurkeyDPI

TurkeyDPI is a powerful DPI (Deep Packet Inspection) bypass tool specifically designed for Turkish ISPs. It uses advanced packet fragmentation techniques to evade SNI-based blocking and restore access to censored websites.

The Problem

Turkish ISPs use Deep Packet Inspection to analyze your traffic and block access to certain websites. When you connect to blocked sites like discord.com, the DPI system reads the Server Name Indication (SNI) in plaintext during the TLS handshake:
Client → Server: TLS ClientHello
  ├─ TLS Record Header: 16 03 03 [length]
  ├─ Handshake Type: 01 (ClientHello)
  ├─ Version, Random, Session ID...
  └─ Extensions:
       └─ SNI (type 0x0000): "discord.com"  ← DPI reads this
The DPI box sees discord.com in plaintext, matches it against a blocklist, and kills the connection.

The Solution

TurkeyDPI exploits a fundamental property of TCP: it's a stream protocol. The server doesn't care whether data arrives in one packet or twenty; it reassembles everything. But stateless DPI boxes inspect packets individually, without reassembling the stream.

How Fragmentation Works

1. Detect TLS/HTTP Traffic

TurkeyDPI identifies TLS ClientHello messages containing an SNI extension and HTTP requests containing a Host header.

2. Fragment Packets

The proxy splits packets at strategic positions to prevent DPI from extracting the hostname:
Normal:     [TLS Header + ClientHello + SNI "discord.com"] → DPI blocks

Fragmented: [TLS Hea] [der + Cli] [entHello] [+ SNI "dis] [cord.com"]

            DPI sees 5 incomplete packets, can't extract SNI

            Server reassembles → valid TLS handshake

3. Add Timing Delays

Optional delays between fragments (10-50ms) defeat DPI buffering attempts.

4. Bypass DNS Blocking

Uses DNS-over-HTTPS (DoH) to Cloudflare 1.1.1.1 for encrypted DNS resolution, preventing DNS poisoning.

Key Features

SNI Fragmentation

Splits TLS ClientHello packets to hide the Server Name Indication from DPI inspection.

HTTP Host Fragmentation

Fragments HTTP Host headers across multiple TCP segments to evade detection.

ISP Presets

Pre-configured profiles optimized for Turk Telekom, Vodafone, and Superonline.

DNS-over-HTTPS

Encrypted DNS resolution through Cloudflare to bypass ISP DNS poisoning.

Zero Configuration

Works out of the box with sensible defaults. Just run and set your browser proxy.

High Performance

Written in Rust with async I/O for minimal latency and maximum throughput.

Bypass Techniques

TurkeyDPI employs multiple evasion strategies:

1. SNI Fragmentation

Splits the TLS ClientHello at critical positions to prevent DPI from parsing the SNI extension:
// From: engine/src/bypass.rs:194
// Only fragment when the split point lies strictly inside the buffer.
if split_pos > 0 && split_pos < data.len() {
    // Guard against a zero segment size, which would never advance `pos`.
    let segment_size = self.config.max_segment_size.max(1);

    if segment_size < split_pos {
        // Fragment into multiple small segments
        let mut pos = 0;
        while pos < split_pos {
            let end = (pos + segment_size).min(split_pos);
            result.fragments.push(Bytes::copy_from_slice(&data[pos..end]));
            pos = end;
        }
        // Everything from the split point onward goes out as one final fragment.
        result.fragments.push(Bytes::copy_from_slice(&data[split_pos..]));
    }
}

2. HTTP Host Header Fragmentation

For plain HTTP traffic, splits the Host header value:
GET / HTTP/1.1
Host: twit  →  [first packet]
ter.com     →  [second packet]
Connection: close

3. Timing Jitter

Some DPI boxes buffer packets briefly in order to reassemble them. Adding delays between fragments defeats this:
[fragment 1] ──────────────────────────────→
                wait 10ms
             [fragment 2] ────────────────→
                wait 10ms
                          [fragment 3] ──→

4. DNS-over-HTTPS

ISPs also poison DNS queries. TurkeyDPI uses encrypted DNS:
Normal:    DNS query for discord.com → ISP returns fake IP
With DoH:  HTTPS POST to 1.1.1.1/dns-query → encrypted → real IP

Quick Start

Get started in under 60 seconds:

Installation

Install TurkeyDPI using Cargo or build from source

Quick Start Guide

Run your first bypass proxy and configure your browser

Architecture

TurkeyDPI is built with a modular architecture:
cli/        CLI binary and command-line interface
engine/     Core bypass logic and packet transforms
backend/    Proxy server implementations (HTTP CONNECT, SOCKS5)
control/    Daemon control and IPC
TurkeyDPI is designed specifically for Turkish ISPs, but the techniques work against any stateless DPI system that inspects individual packets.

How It Works - Deep Dive

TLS Record Structure

Every TLS record follows this format:
Byte:   0      1-2     3-4      5+
      ┌────┬────────┬────────┬─────────────────────┐
      │ 16 │ 03 03  │ length │ Handshake data...   │
      └────┴────────┴────────┴─────────────────────┘
        │      │        │
        │      │        └─ 2 bytes: record length
        │      └─ TLS version (0x0303 = TLS 1.2)
        └─ Content type (0x16 = Handshake)
The SNI extension sits inside the handshake data, typically 40-200 bytes in. TurkeyDPI parses the ClientHello to find the exact byte offset of the hostname, then strategically splits the packet.

Fragment Strategy

The split point is critical. Turkish DPI specifically looks for:
  1. Content type 0x16 (handshake)
  2. Handshake type 0x01 (ClientHello)
  3. SNI extension with readable hostname
TurkeyDPI splits before the handshake type is visible:
Original:  [16] [03 03] [00 xx] [01 00 00 ... SNI ...]

                                 Handshake type

Split:     [16 03] [03 00 xx 01 00 ... SNI ...]

               DPI never sees complete record header
Or splits the SNI hostname itself:
SNI field: [...] [00 0b] "discord.com" [...]

Split:     [...] [00 0b] "disc" | "ord.com" [...]
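
The record layout and the hostname split described above, seen from the inspecting side. This is an added example, not code from TurkeyDPI: `find_sni`, `sample_client_hello` and `inspect` are hypothetical names, and the ClientHello is a constructed minimal sample. It shows that a parser run on each TCP segment alone finds no hostname, while one that reassembles the stream first recovers it.

```rust
fn be16(b: &[u8], i: usize) -> Option<usize> {
    Some(u16::from_be_bytes([*b.get(i)?, *b.get(i + 1)?]) as usize)
}

// Walk one TLS record holding a ClientHello; return (byte offset, hostname) of the SNI.
fn find_sni(b: &[u8]) -> Option<(usize, String)> {
    if *b.get(0)? != 0x16 || *b.get(5)? != 0x01 { return None; }
    let mut p = 5 + 4 + 2 + 32;            // record hdr, handshake hdr, version, random
    p += 1 + *b.get(p)? as usize;          // session id
    p += 2 + be16(b, p)?;                  // cipher suites
    p += 1 + *b.get(p)? as usize;          // compression methods
    let end = p + 2 + be16(b, p)?;         // end of the extensions block
    p += 2;
    while p + 4 <= end {
        let (typ, len) = (be16(b, p)?, be16(b, p + 2)?);
        if typ == 0x0000 {                 // server_name: list len, name type, name len
            let n = be16(b, p + 7)?;
            let host = b.get(p + 9..p + 9 + n)?; // None if the name is cut off
            return Some((p + 9, String::from_utf8_lossy(host).into_owned()));
        }
        p += 4 + len;
    }
    None
}

// Constructed sample input: a minimal ClientHello with a single SNI extension.
fn sample_client_hello(host: &str) -> Vec<u8> {
    let n = host.len() as u8;                // short hostnames only
    let mut r = vec![0x16u8, 3, 1, 0, n + 56, 1, 0, 0, n + 52, 3, 3]; // record + handshake hdrs, version
    r.extend([0u8; 32]);                     // random
    r.extend([0u8, 0, 2, 0x13, 0x01, 1, 0]); // no session id, one suite, null compression
    r.extend([0u8, n + 9, 0, 0, 0, n + 5, 0, n + 3, 0, 0, n]); // SNI extension length fields
    r.extend(host.as_bytes());
    r
}

// (hostname found when each segment is parsed alone, hostname found after reassembly)
fn inspect(segments: &[&[u8]]) -> (Option<String>, Option<String>) {
    let alone = segments.iter().find_map(|s| find_sni(s)).map(|r| r.1);
    (alone, find_sni(&segments.concat()).map(|r| r.1))
}

fn main() {
    let rec = sample_client_hello("discord.com");
    let off = find_sni(&rec).unwrap().0;
    let (a, b) = rec.split_at(off + 4);      // "disc" | "ord.com", the page's SNI split
    println!("{:?}", inspect(&[a, b]));
}
```

The sample uses record version 0x0301, which many clients send on the first ClientHello; the parser does not depend on the version bytes.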

ISP Presets

TurkeyDPI includes optimized configurations for major Turkish ISPs. Each preset uses different fragmentation strategies:
Preset        TLS Split       Max Segment  Fragment Delay  Best For
aggressive    0 (SNI middle)  5 bytes      10ms            Maximum bypass effectiveness
turk-telekom  2 bytes         20 bytes     0ms             Turk Telekom networks
vodafone      3 bytes         30 bytes     100μs           Vodafone Turkey
superonline   1 byte          15 bytes     0ms             Superonline ISP

Why Rust?

TurkeyDPI is written in Rust for:
  • Performance: Zero-cost abstractions and no garbage collection
  • Safety: Memory safety without runtime overhead
  • Concurrency: Tokio async runtime handles thousands of connections
  • Reliability: Type system catches bugs at compile time

License

TurkeyDPI is open source under the MIT License.
This tool is designed to restore access to legitimate services blocked by censorship. Always comply with local laws and use responsibly.
