I touched on deep packet inspection in my post about VPNs, but I never really went into the details of it because it’s not something you or I will have to worry about in the foreseeable future (hopefully things stay that way). It’s mostly used by authoritarian governments (think China from here on out) to keep an eye on their citizens. If someone were to use a VPN to bypass a firewall or location-locked content, DPI would see this, deny the web service, and tell the government to “pay a visit” to the user.
But how does it work? A packet is a piece of information that contains data about your current internet usage. It contains the web data that you are passing between you and the server, a source and destination IP address, a source and destination MAC address, and a whole bunch of other stuff that doesn’t matter in terms of this explanation. All of this is packed up layer by layer (imagine an envelope inside another envelope inside another envelope and so on) into what we call a packet, which is passed over the web. The Great Firewall will see these packets and take a look at the destination MAC address; if it’s not approved, it gets rejected. This is where a VPN works; it disguises the destination MAC address so that the Great Firewall will let it by. The government caught onto this and has started implementing DPI. They look through all the layers and see what the web data is so that it can’t be disguised. Imagine they receive an envelope and open it. It contains another one. Previously, they would put this envelope back in and let it through. With DPI, they tear into the second one. Which contains a third one, which they open. This goes on until they see unapproved web traffic, they get angry, they throw the VPN user in jail or worse.
The way around this? Disguise your VPN traffic. The current solution is to use stunnel, but they’ll catch onto that soon enough, and someone will find another way to get around.