At the beginning of May, documents appeared on the Roskomnadzor website showing that the regulator planned to block 92% of VPNs by 2030. And on May 14, The Bell discovered that the page hosting these documents had been taken down. The documents contained information about the budget of the Automated Security System for the Russian segment of the internet (ASBI). This system controls the TSPU – the very set of tools that helps the Russian authorities block internet resources.

It is unclear whether the documents were published by mistake, but the plans themselves are curious. Let us examine how the 92% target might be achieved, whether it is even possible, where this figure could have come from, how much it might actually affect the availability of VPN services, and, most importantly, how to resist these plans. There is no doubt that that restricting VPN usage is one of the stated goals of the Russian regulator and Russian security services.

Vanished documents and new details

In early May, journalists found on the Roskomnadzor website documents about subsidies for the “Main Radio Frequency Centre” (GRFC) for the development of the Automated Security System for the Russian segment of the internet (ASBI), where a KPI was explicitly stated for the first time: “the average level of effectiveness in restricting access to tools for bypassing VPN blocks through signatures” of 92% by 2030. A few days later, these files disappeared from the website, but by that time, several media outlets had already saved and analyzed them.

Novaya Gazeta Europe clarified that the subsidy documents for the Main Radio Frequency Center (GRFC) for 2025–2026 specified three concrete targets:

• “average level of effectiveness in restricting access to tools for bypassing VPN blocks through signatures” – 92%;
• share of traffic in the Russian segment of the internet processed annually by ASBI – 98%;
• total processing speed – 831,100 Gbit.

The Moscow Times pointed out that these KPIs continue the line of “sovereign internet” laws and the development of TSPU, the technical means to counter threats, which can be used to route and filter traffic.

Gazeta.Ru noted that the decision setting the 92% KPI was signed on 13 January 2025, indicating that the VPN targets were embedded in the budget well in advance and do not represent a spontaneous reaction to the political events of 2026.

To summarize, it is not about a “randomly published document”, but rather a formalized component of a long‑term program to build infrastructure for large-scale traffic filtering.

A part of systemic policy

Roskomnadzor’s plans for ASBI and TSPU have been set out in its documents for several years already.

In the 2023 annual report of the Federal State Unitary Enterprise Main Radio Frequency Center (GRFC), ASBI is described as one of the key systems: the GRFC “ensures the development and operation of the Automated Security System for the Russian segment of the internet (ASBI)” and operates the TSPU.

In other subsidy decisions, Roskomnadzor regularly finances “the operation of the information system for monitoring and managing the public communication network” and “tools for monitoring telecom operators’ compliance with requirements when providing traffic transit services”. The wording is very similar to what is used in the document on ASBI and TSPU.

In other words, the KPIs of 92% and 98% of traffic are not the beginning, but another step: previously, the focus was on “creating and developing” the system, whereas now we see specific metrics for its effectiveness.

Recommendations for VPN developers

For VPN developers, Roskomnadzor’s plans send a clear signal that enforcement will rely not only on blocking IPs and domains, but also through improving DPI, signature‑based analytics, and traffic‑level machine learning. This is already influencing product decisions.

Why this matters for developers:

• The KPI of “92% signature‑based effectiveness” means that the regulator will consider it a success if the majority of “typical” VPN traffic (OpenVPN, standard WireGuard, popular Shadowsocks configurations, etc.) is successfully detected and restricted.
• At the same time, there are plans to filter up to 98% of all traffic through ASBI/TSPU, meaning the scale is infrastructural rather than targeted.
• Even now, public comments from Russian and foreign VPN providers include recommendations to move away from “clean” protocols toward disguising traffic as ordinary HTTPS traffic.

For example, in a recent TechRadar piece on Russia’s campaign against VPNs, a Windscribe representative explicitly says that “standard WireGuard or OpenVPN is trivially detected by DPI” and recommends using obfuscated protocols (AmneziaWG, Stealth, WStunnel, etc.), as well as router‑level VPN and split tunneling, which the Russian authorities themselves acknowledge as difficult to detect.

For VPN developers targeting Russia and other heavily censored countries, it makes sense to:

• Move away from “clean” signatures: add obfuscated modes for OpenVPN and WireGuard.
• Use protocols whose structure and timing are as close as possible to ordinary HTTPS traffic.
• Use camouflage and domain fronting (where this is still possible), disguising traffic as that of popular CDNs and ordinary websites.
• Combine several techniques (VLESS + Reality, disguising traffic as legitimate domains, mTLS) to complicate active probing.
• Build flexible configurations: give users the ability to quickly switch between protocols and modes.
• Support self‑hosted options, where the user runs their own server whose traffic is minimally distinguishable.
• Minimize metadata leakage: ensure that packet sizes, timing, and connection behavior do not betray the presence of a VPN tunnel.
• Build resistance to active probing into protocol design — active probing involves DPI infrastructure connecting directly to a suspected VPN server to analyze its response.

The more large‑scale and “rigid” the filtering infrastructure becomes, the more important it is for VPN developers to think not only about encryption, but also about how their traffic looks “from the outside”. This is directly tied to whether their services will survive in an environment where 98% of national traffic can be routed through DPI infrastructure with a specific blocking KPI.