For many, November 28, 2025, began with complaints about WhatsApp. Some users are unable to send or receive text messages and media files, and when attempting a voice or video call, the client hangs indefinitely on the 'Connecting' status before dropping the call.
Telecom operators (MegaFon, Beeline) are reporting normal network operations. And technically, they aren't lying: connectivity exists, and Meta's IP addresses are (mostly) accessible. The problem lies deeper—at the level of L7 filtering by TSPU.
What's happening under the hood?
TCP Traffic (Text/Photos): It passes through HTTPS/TLS tunnels with issues, but not for everyone. Blocking it could have 'carpet bombing' consequences, so it's being left alone for now.
UDP Traffic (Voice/Video): To establish a P2P connection (or a connection via a Relay server), the messenger uses the STUN (Session Traversal Utilities for NAT) protocol.
This is where DPI kicks in. The filter is configured not for IP addresses, but for protocol signatures. The equipment detects the characteristic headers (Magic Cookie) of WhatsApp's STUN packets and drops them. The handshake fails, and the media stream (RTP) is not established.
Solution 1: 'Smart' VPN and Routing
The classic option is a VPN. However, the reality of 2025 is that standard OpenVPN or 'vanilla' WireGuard are increasingly subject to shaping or complete protocol blocking.
Most public VPNs have two problems that 'kill' voice communication:
'Burned' subnets: The IP address ranges of popular VPN services are known to Roskomnadzor (RKN). The TSPU might not block the entire protocol, but simply shape (slow down) or drop UDP packets from these addresses. As a result, text messages in WhatsApp go through, but calls fail.
The 'noisy neighbors' problem: Thousands of users share a single public IP. This creates high jitter. It's not a big deal for YouTube (which has buffering), but VoIP protocols (RTP/STUN) are extremely sensitive to packet sequence loss. The voice starts to 'crackle' or the connection drops.
Renting a personal server (VDS)
This solution gives you a clean IP address (no neighbors means no jitter) and full control over the protocols.
Where to get a server?
There are now plenty of hosting providers that accept Russian cards and offer foreign locations (Netherlands, Germany, Finland).
Among the popular and proven options ('the people's choice'):
Aeza — popular for their high port speeds and protection, with locations in Europe.
VDSina — a classic, huge selection of plans, easy payment.
HostVDS — budget options, suitable if you need a server just for a messenger.
Timeweb Cloud — has foreign nodes, user-friendly panel.
How to set it up (Without Linux knowledge)?
You don't have to be a sysadmin. The easiest way to set up your own VPN right now is by using AmneziaVPN (or similar all-in-one solutions).
You buy a VDS, and you receive an IP address and password (root) via email.
Download the AmneziaVPN client on your PC.
Enter the server details.
Choose the protocol AmneziaWG (a modified WireGuard, resistant to blocking) or XRay (VLESS-Reality).
The software will install everything on the server itself in a couple of minutes.
Advanced users can also manually deploy panels like 3X-UI or Marzban for more fine-grained routing configuration.
If you don't want to configure a VDS - The Y2Y Model
There are services that handle all the 'technical magic' for you. A prime example is hynet.space, which implements the Y2Y model.
Essentially, it's a full-fledged personal VDS, but in a 'turnkey' solution format. You get the same benefits as with a manually configured server (privacy, clean IP), but the platform completely handles management, updates, and the complex technical aspects.
2. Split Tunneling
Forcing all traffic through a foreign server is a bad idea.
First, it creates unnecessary load and latency.
Second, Russian services (Banks, Gosuslugi, Kinopoisk) may not be accessible from foreign IPs.
In modern clients (v2rayNG, NekoBox, AmneziaVPN), you can configure routing:
WhatsApp / Instagram / Discord —> route through the tunnel (VPN).
RU-segment and banks —> route directly (Direct).
This is configured once and allows you to forget about the 'On/Off' switch.
Solution 2: Android (ByeByeDPI)
In the mobile segment (without root access and direct access to iptables), the only viable vector is using Android's VPNService to intercept and modify traffic in userland. The ByeByeDPI utility (dovote port) handles this task perfectly, but it requires specific configuration for UDP.
1. Basic Setup
The standard mode for bypassing website blocks (HTTP/TLS) is useless here.
Install ByeByeDPI (releases on GitHub or 4PDA).
In the engine settings, be sure to activate [UDP Desynchronization].
This mode applies 'fake' or 'disorder' strategies to UDP packets, allowing STUN requests to slip through TSPU filters.
2. The 'Sberbank' Problem and Split Tunneling (Critical)
Many users, after happily enabling ByeByeDPI, find that their banking apps (Sber, T-Bank) and Gosuslugi stop working.
Reason: High-security applications detect the local VPN interface or an attempt to intercept traffic (MITM allergy) and terminate the connection.
Solution: Configure split tunneling (App List).
Do not tunnel all of the device's traffic.
In the ByeByeDPI interface, find the 'Select applications' section (or Mode: Allow Selected).
Switch the mode to 'Proxy only selected'.
Check the boxes for WhatsApp (and Telegram, if you're having issues).
Let the rest of the traffic bypass the tunnel (Direct).
This configuration solves two problems at once:
Restores VoIP calls.
Eliminates conflicts with Russian services and doesn't drain the battery by processing unnecessary traffic.
Solution 3: OpenWRT (Gateway)
The 'cleanest' method is to solve the problem at the home router level. This eliminates the need to configure each phone and laptop individually. If you have OpenWRT with the zapret package, the procedure takes two minutes.
The logic here is the same as with the recent fix for YouTube/Discord. We are interested in the configuration file /opt/zapret/config.
Configuration:
Open the config file via SSH or the web interface (LuCI).
Find the variables responsible for UDP and QUIC (they are often cut 'for good measure').
Set the desynchronization strategies:
codeBash
# Стратегии для QUIC и UDP # --dpi-desync-any-protocol важен, так как STUN не всегда распознается как стандартный веб-трафик NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake --dpi-desync-repeats=6" NFQWS_OPT_DESYNC_UDP="--dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-any-protocol"
Restart the service: /etc/init.d/zapret restart.
After this, voice traffic will pass transparently for all clients on the local network (iOS, Android, SmartTV).
Solution 4: Windows (Zapret / Windivert)
For the desktop version (Windows 10/11), classic HTTP block circumvention methods (like the regular GoodbyeDPI) are powerless here, as we need to manipulate UDP packets. The most flexible tool right now is Zapret by bol-van.
We have two paths: the 'lazy' one and the 'precision' one.
Option A: The 'Discord' Method (Quick)
Community members have noticed that the heuristics for blocking WhatsApp almost perfectly mirror the algorithms applied to Discord Voice. Therefore, the standard preset for 'Discord' works great for getting WhatsApp calls to work as well.
Download the latest release of zapret-win-bundle.
Find the preset_discord_media.cmd file (or a similar one mentioning UDP/Discord).
Run it as an administrator.
Mechanics: The script runs the winws driver with UDP desynchronization parameters (--dpi-desync=fake), which confuses the DPI when it tries to analyze the packet header.
Option B: Custom STUN Filter (Advanced)
If you don't want to bypass unnecessary traffic or if the ready-made preset is unstable, it's better to use precision filtering.
User Rusificator proposed an elegant solution via windivert: filter traffic not by IP (which Meta constantly changes), but by protocol signature.
1. Create a filter
In the zapret\windivert.filter folder, create a file named windivert.whatsapp_stun.txt. Paste the rule to catch STUN packets (Magic Cookie 0x2112A442) into it:
!impostor and !loopback and ( outbound and udp and udp.PayloadLength>=20 and udp.Payload32[1]=0x2112A442 and udp.Payload[0]<0x40 )
2. Create the launch file in the root of the zapret folder, create run_whatsapp_fix.cmd:
start "zapret: wa_stun" /min "%~dp0winws.exe" ^ --wf-raw=@"%~dp0windivert.filter\windivert.whatsapp_stun.txt" ^ --filter-l7=stun --dpi-desync=fake --dpi-desync-repeats=2
Result: We only 'break' the call initiation packets. Once the connection is established, the media stream (RTP) flows within the established session, which DPI usually does not terminate.