Protocol Mimicry Endpoints

Traffic disguise endpoints that make VPN connections appear as legitimate service traffic to bypass DPI and censorship.

Overview

OrbMesh can disguise VPN traffic as legitimate service traffic to bypass Deep Packet Inspection (DPI) and protocol-based censorship. Each mimicry endpoint replicates the TLS fingerprint, packet timing, and traffic patterns of a specific service, making it indistinguishable from genuine traffic.

How Protocol Mimicry Works

When a mimicry endpoint is used, OrbMesh wraps VPN tunnel data in a protocol envelope that mimics a well-known service. The TLS handshake, certificate chain, SNI, ALPN, and packet sizes all match the targeted service. DPI systems see what appears to be a normal Microsoft Teams call, Google Drive sync, or banking transaction -- not a VPN connection.

Automatic Selection via SmartConnect

You do not need to manually choose a mimicry profile. The SmartConnect API analyzes your network environment and recommends the optimal mimicry profile automatically. Use /smartconnect/hints to get recommendations before connecting.


Supported Mimicry Profiles

All mimicry endpoints accept POST requests with JWT bearer authentication. The VPN tunnel data is sent as the request body.

Endpoint | Disguise | Best For
/teams/ | Microsoft Teams video conference | Corporate networks with Teams allowed
/google/ | Google Search/Drive traffic | Networks permitting Google services
/drive/ | Google Drive file sync | Networks with Drive access
/meet/ | Google Meet video conferencing | Networks permitting Google Meet
/calendar/ | Google Calendar sync | Low-bandwidth, low-suspicion traffic
/shaparak/ | Iranian banking infrastructure (Shaparak) | Iranian networks allowing financial traffic
/zoom/ | Zoom video conferencing | Networks with Zoom access
/facetime/ | Apple FaceTime calls | Apple-friendly networks
/vk/ | VKontakte (Russian social network) | Russian networks where VK is allowed
/yandex/ | Yandex services | Russian networks where Yandex is allowed
/wechat/ | WeChat messaging | Chinese networks where WeChat is allowed

Microsoft Teams Mimicry

Disguises VPN traffic as a Microsoft Teams video conference call. This is the most commonly recommended mimicry profile for corporate and censored networks, as Teams traffic is widely permitted.

POST /teams/

Tunnel VPN traffic disguised as Microsoft Teams video conference traffic

Authentication: Bearer Token

Code Examples

# The mimicry tunnel is typically managed by OrbVPN client apps.
# Raw usage sends encapsulated VPN packets:
curl -X POST https://198.51.100.1:8443/teams/ \
  -H "Authorization: Bearer DEVICE_TOKEN" \
  -H "Content-Type: application/octet-stream" \
  --data-binary @tunnel_payload.bin

Google Services Mimicry

Disguises VPN traffic as Google Search or Google Drive traffic.

POST /google/

Tunnel VPN traffic disguised as Google Search/Drive traffic

Authentication: Bearer Token

Code Examples

curl -X POST https://198.51.100.1:8443/google/ \
  -H "Authorization: Bearer DEVICE_TOKEN" \
  -H "Content-Type: application/octet-stream" \
  --data-binary @tunnel_payload.bin

Google Drive Mimicry

Disguises VPN traffic as Google Drive file synchronization.

POST /drive/

Tunnel VPN traffic disguised as Google Drive sync traffic

Authentication: Bearer Token

Google Meet Mimicry

Disguises VPN traffic as Google Meet video conferencing.

POST /meet/

Tunnel VPN traffic disguised as Google Meet video call traffic

Authentication: Bearer Token

Google Calendar Mimicry

Disguises VPN traffic as Google Calendar synchronization. This produces low-bandwidth, periodic traffic patterns ideal for maintaining persistent connections with minimal suspicion.

POST /calendar/

Tunnel VPN traffic disguised as Google Calendar sync traffic

Authentication: Bearer Token

Shaparak Mimicry

Disguises VPN traffic as Iranian banking infrastructure (Shaparak) transactions. Effective in Iranian networks where financial traffic receives priority treatment and is rarely blocked.

POST /shaparak/

Tunnel VPN traffic disguised as Iranian banking (Shaparak) traffic

Authentication: Bearer Token

Region-Specific Profile

The Shaparak mimicry profile is specifically designed for Iranian networks. It replicates the TLS fingerprint and traffic patterns of the Shaparak banking gateway, which is critical infrastructure and therefore not subject to the same filtering as general internet traffic.


Zoom Mimicry

Disguises VPN traffic as Zoom video conferencing calls.

POST /zoom/

Tunnel VPN traffic disguised as Zoom video conference traffic

Authentication: Bearer Token

FaceTime Mimicry

Disguises VPN traffic as Apple FaceTime calls. Effective on networks that allow Apple services.

POST /facetime/

Tunnel VPN traffic disguised as Apple FaceTime call traffic

Authentication: Bearer Token

VKontakte Mimicry

Disguises VPN traffic as VKontakte (VK) social network traffic. Designed for Russian networks where VK is widely permitted.

POST /vk/

Tunnel VPN traffic disguised as VKontakte social network traffic

Authentication: Bearer Token

Yandex Mimicry

Disguises VPN traffic as Yandex service traffic. Designed for Russian networks where Yandex is a dominant platform.

POST /yandex/

Tunnel VPN traffic disguised as Yandex service traffic

Authentication: Bearer Token

WeChat Mimicry

Disguises VPN traffic as WeChat messaging traffic. Designed for Chinese networks where WeChat is universally permitted.

POST /wechat/

Tunnel VPN traffic disguised as WeChat messaging traffic

Authentication: Bearer Token

DNS over HTTPS (DoH)

Provides a standard DNS-over-HTTPS endpoint following RFC 8484. This can be used as a standalone secure DNS resolver or as part of the Smart DNS service.

POST /dns-query

DNS-over-HTTPS resolver endpoint (RFC 8484 compliant)

Authentication: No Auth Required

Public DoH Endpoint

The DoH endpoint is available without authentication for standard DNS resolution. When used with Smart DNS (authenticated), it applies the user's streaming service routing rules.


Code Examples

# Query using DNS wire format (RFC 8484)
curl -X POST https://198.51.100.1:8443/dns-query \
  -H "Content-Type: application/dns-message" \
  --data-binary @dns_query.bin

# Query using JSON format
curl -X GET "https://198.51.100.1:8443/dns-query?name=example.com&type=A" \
  -H "Accept: application/dns-json"

Response

200 DNS query response (JSON format shown)
{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "Question": [
    { "name": "example.com.", "type": 1 }
  ],
  "Answer": [
    {
      "name": "example.com.",
      "type": 1,
      "TTL": 300,
      "data": "93.184.216.34"
    }
  ]
}
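
Added example (not part of the OrbMesh documentation): the wire-format request above posts a file, dns_query.bin, that the page does not show how to produce. This Python code builds that RFC 8484 request body and decodes A records from a wire-format reply; the function names and SAMPLE_RESPONSE (constructed to match the JSON response shown above) are assumptions for illustration.

```python
import struct

def build_query(name, qtype=1):
    """Encode a one-question DNS query (RFC 1035 wire format) for a DoH POST body."""
    # RFC 8484 section 4.1: use ID 0 so HTTP caches can share responses. Flags 0x0100 = RD.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").encode("ascii").split(b"."):
        if not 0 < len(label) <= 63:
            raise ValueError(f"invalid label length in {name!r}")
        qname += bytes([len(label)]) + label
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] != 0:  # IndexError on truncation becomes ValueError in the caller
        if msg[off] & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_a_records(msg):
    """Return [(ttl, ipv4), ...] from the answer section of a wire-format response."""
    try:
        _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
        if flags & 0x000F:
            raise ValueError(f"server returned RCODE {flags & 0x000F}")
        off, answers = 12, []
        for _ in range(qdcount):
            off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
        for _ in range(ancount):
            off = _skip_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rdata = msg[off + 10:off + 10 + rdlen]
            if rtype == 1 and rdlen == 4:  # A record: four address octets
                answers.append((ttl, ".".join(str(b) for b in struct.unpack("4B", rdata))))
            off += 10 + rdlen
        return answers
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated DNS message") from exc

# Constructed sample: wire-format equivalent of the JSON response shown above.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + build_query("example.com")[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34]))

if __name__ == "__main__":
    with open("dns_query.bin", "wb") as fh:  # file name used by the curl example
        fh.write(build_query("example.com"))
    print(parse_a_records(SAMPLE_RESPONSE))
```

Running the script writes dns_query.bin for the curl command above; a reply saved with curl's -o option can be passed to parse_a_records as bytes.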

When to Use Mimicry

1. Check SmartConnect Hints

Call /smartconnect/hints with your country, ISP, and platform to get a recommended mimicry profile. If the response recommends a specific mimicry, use it.

2. Connect with Protocol

Establish a connection using your chosen VPN protocol (WireGuard, VLESS, or OrbConnect). The mimicry profile wraps the tunnel transport.

3. Route Through Mimicry Endpoint

Instead of connecting directly to the protocol tunnel endpoint, route your traffic through the recommended mimicry endpoint (e.g., /teams/ instead of /wireguard/tunnel).

4. Report Telemetry

After the connection, report success or failure via /smartconnect/telemetry so the system can improve its recommendations for other users in your network environment.

Mimicry is Not Encryption

Protocol mimicry disguises the outer appearance of your traffic but does not replace the underlying VPN encryption. The VPN tunnel (WireGuard, VLESS, or OrbConnect) provides the actual encryption. Mimicry adds a camouflage layer on top to prevent the encrypted tunnel from being identified and blocked.