Self-Hosted Infrastructure · 4 min read

Course Module 04: Advanced TLS and DPI-Resistant Transport

When bare WireGuard isn't enough: how modern TLS-in-TLS transports (REALITY, Hysteria, naiveproxy) avoid statistical classification by inline deep-packet-inspection systems. Architecture, configuration, and the threat model that justifies the extra complexity.

This is module 04 of the RouteHarden Network Engineering Course. Most readers will never need this module. If your threat model from module 01 only includes hostile public WiFi and opaque commercial VPN providers, the WireGuard tunnel you built in module 03 is sufficient and adding TLS-in-TLS only adds latency and operational complexity.

Read this module if you are operating on a network that performs inline statistical classification of encrypted traffic — corporate DPI appliances, certain ISPs, certain country-level filtering. The cost is real; pay it only if your threat model justifies it.

By the end of this module you will:

  • Understand how inline DPI actually classifies traffic in 2026 (it is not signature matching)
  • Compare REALITY, Hysteria, naiveproxy, and Trojan on their classification-resistance properties
  • Configure a single REALITY server end-to-end
  • Know which class of transport to pick for which threat