AnonymFlow
voyage-censureINFO

Best Travel VPN 2026: Which Still Work in China, Russia & Iran

Most VPNs are blocked where you need them most. Which ones still work abroad in 2026 - China, Russia, Iran, UAE: NordVPN, ExpressVPN, Mullvad, Windscribe compared, with obfuscated servers, setup, and the legal status per country before you fly.

By Eric Gerard · Editor · AnonymFlow23 min readPhoto: Unsplash

Last updated: 2026-06-25 Next scheduled review: 2026-09-25 (quarterly) Written by: Eric Gerard, AnonymFlow.com - synthesis of public sources and community reports

Sources & method - This is not a private test bench. It cross-references public sources (Roskomnadzor releases, Tor Project and GFW Report status reports, Reporters Without Borders 2026 Press Freedom Index, provider protocol documentation) with continuous community reports on Reddit (r/VPN, r/China, the Iran-VPN sub). Criteria tracked: supported obfuscation protocols, independent no-log audits, jurisdiction, and reported per-country bypass reliability. The situation can change from one week to the next.

Three VPNs still reliably beat China's Great Firewall, Russia's Roskomnadzor, and Iran's DPI in June 2026: NordVPN (Obfuscated + NordWhisper), ExpressVPN (Lightway masked), and Surfshark (NoBorders). The non-negotiable rule: install everything before boarding - Chinese, Russian, and Iranian app stores block VPN downloads entirely. This guide synthesizes, from public sources and community reports, what still works in May 2026 and how to configure it per country.

This guide consolidates the configurations known to work, country by country, drawing on public sources and community reports, with VPNs reputed to beat filtering, protocols to enable, the pre-departure preparation procedure, and pitfalls specific to each destination. The underlying logic: a travel VPN is no longer a generic product, it is a configuration adapted to each destination country. The same provider may pass in China and fail in Russia depending on the protocol + server + obfuscation combination.

Summary table: which VPNs work in which countries in May 2026

Before going into per-country detail, here is the summary in a table. Ratings reflect reliability reported publicly (provider documentation and community reports on Reddit r/VPN, r/China, the Iran-VPN sub) - these are not measurements from a private test bench, and the situation changes from one week to the next. "Stable" = generally accessible with the right configuration. "Intermittent" = passes at times depending on the session. "Blocked" = near-systematic failure.

CountryNordVPNSurfsharkExpressVPNMullvadProtonVPN
ChinaStable (Obfuscated + NordWhisper)Stable (NoBorders)Stable (Lightway masked)IntermittentIntermittent
RussiaStable (Obfuscated)Stable (NoBorders)StableStable (bridges)Intermittent
IranIntermittentIntermittentStableStable (bridges)Intermittent
UAEStableStableStableStableStable
Saudi ArabiaStableStableStableStableStable
TurkeyStableStableStableStableStable
IndiaStableStableStableStableStable
IndonesiaStableStableStableStableStable

Reading the table. In May 2026, the UAE, Saudi Arabia, Turkey, India, and Indonesia pose no major technical difficulty for commercial VPNs: filtering exists (banned content categories, free VoIP banned in the UAE) but does not actively target VPNs themselves. China, Russia, and Iran concentrate the real difficulties. For these three countries, specific configuration of Obfuscated servers and protocol choice matters more than the provider itself. Mullvad and ProtonVPN, otherwise excellent in privacy terms, are less reliable in these three markets because their infrastructure is not optimized for cutting-edge state censorship bypass.

For travelers looking for the per-country procedure rather than this synthesis, jump straight to the dedicated scenarios: VPN China travel, VPN UAE & Dubai travel, VPN Russia travel, VPN Turkey travel, and VPN Saudi Arabia 2026. Each scenario page details the local network configuration, ISP-blocked services, and the specific server + protocol combinations reported to work.

Update 2026: what changed in the last quarter (Q1–Q2)

Internet filtering practices evolve continuously. Five underlying trends to know before departure - they directly influence VPN choice. These are qualitative observations drawn from public sources, not measurements from a private test bench.

Trend 1 - China is strengthening its DPI. The Great Firewall combines packet inspection and fingerprinting techniques capable of identifying VPN protocols even when encrypted, including non-obfuscated WireGuard-style protocols. Consequence: vanilla protocols are frequently cut, and only obfuscated or stealth protocols (HTTPS masking, Shadowsocks/V2Ray) tend to pass more reliably. An older configuration may no longer work - update before each trip.

Trend 2 - Roskomnadzor is tightening blocking in stages. The Russian regulator regularly blocks new commercial VPN IP ranges and refines its DPI to identify standard VPN protocols, including OpenVPN on port 443. VPNs with active obfuscation or stealth protocols (obfuscated servers, TLS masking, Shadowsocks/V2Ray) hold up better. Detailed procedure in our VPN Russia travel scenario.

Trend 3 - Financial sanctions complicate paying for VPNs in Iran. International sanctions often make it impossible to subscribe to a commercial VPN from an Iranian bank card - you need an active subscription paid before departure with a Western card. And during political unrest, Iran has a documented history of total internet shutdowns during which even paid VPNs stop working.

Trend 4 - UAE blocks free VoIP. Operator blocking (Etisalat, du) on WhatsApp Call, FaceTime, and Skype targets free VoIP calls, within a legal framework protecting the local telco model. Using a commercial VPN (NordVPN, Surfshark, ExpressVPN) generally restores these calls - no aggressive anti-VPN blocking on these providers in the UAE. Full configuration in our VPN UAE & Dubai travel scenario.

Trend 5 - Tor Snowflake bridges remain a fallback. Snowflake bridges (volunteer relays distributed via browser plugin) are designed to circumvent censorship, and the Tor Project recommends them in strictly filtered countries. Practical consequence for travelers: Snowflake remains a useful last-resort backup when commercial VPNs fall - install Tor Browser before departure and configure Snowflake bridges from the network at home.

Why a travel VPN is necessary in 2026

Beyond censorship circumvention, four distinct motivations justify packing a VPN in your travel setup. Distinguishing them helps size the real need.

Reason 1 - Censorship and blocked content. In countries covered by this guide, access to common Western services is filtered: Google, WhatsApp, Instagram, Facebook, Twitter/X, YouTube in China; Facebook, Instagram, and many media outlets in Russia since 2022; Telegram and WhatsApp in Iran depending on the period; WhatsApp Call and FaceTime audio in the UAE. For a business traveler who must retain access to usual tools, a VPN is non-negotiable. Reporters Without Borders publishes the annual World Press Freedom Index summarizing these restrictions, and Freedom House complements it with the Freedom on the Net report detailing practices country by country.

Reason 2 - Streaming and home catalogue. International travel immediately triggers geofiltering on streaming platforms. Netflix switches to the local catalogue of the visited country (which can be much poorer than the UK or US), Prime Video applies catalogue restrictions, Disney+ verifies the connection IP, and especially BBC iPlayer, Hulu, Peacock, ITVX, Channel 4 are fully blocked outside their home country. A VPN with a server in the home country solves the problem in seconds for most catalogues. Details in our complete streaming VPN guide.

Reason 3 - Public WiFi and hotel security. Travel multiplies connections to public WiFi - airports, hotels, cafés, conferences. These networks are observable by the local operator, sometimes actively manipulated. Without a VPN, visited domains, DNS queries, and TLS metadata leak to the operator. With an active VPN and system-mode kill switch, the tunnel encrypts all traffic at the device exit point. The topic is treated in depth in our public WiFi risks 2026 article.

Reason 4 - Dynamic pricing and IP discrimination. Booking sites (hotels, flights, car rentals, event tickets) often apply dynamic pricing based on visitor IP geolocation. Connecting through a VPN with a server in the target country sometimes yields resident prices rather than tourist prices. The effect is not systematic and varies by platform, but on Chinese or Indian high-speed train tickets, or Russian museum entries, the gap can reach 30–50%. Legal practice but a grey area under each site's terms of service.

China: beating the Great Firewall in 2026

China is the most technically demanding case. The Great Firewall (officially "Golden Shield Project") has existed since 2003 and has evolved continuously. In May 2026, its technical stack combines several layers: IP blocking for major Western services (Google, Facebook, YouTube), machine-learning DPI on encrypted VPN protocol signatures, SNI inspection to identify target domains, and selective cutoffs during sensitive political events (Tiananmen anniversary, Party congresses). Up-to-date technical details on the Wikipedia Great Firewall page.

What works in practice. The providers generally considered most effective are those with active obfuscation: NordVPN with Obfuscated servers and traffic masked as standard HTTPS, ExpressVPN with Lightway and automatic masking, and Astrill (long-standing premium provider centered on the China market, high price but dedicated engineering). Mullvad and ProtonVPN pass at times via their bridges and Stealth servers, but with less reported stability. Nothing is guaranteed.

China-specific configuration. Disable standard WireGuard and NordLynx, which are identifiable by DPI and systematically blocked. Switch to NordWhisper (NordVPN) or OpenVPN TCP on port 443, which resembles HTTPS traffic and passes most filters. Enable Obfuscated servers (NordVPN) or NoBorders mode (Surfshark) which add an extra layer of obfuscation. Test the configuration on the home network before departure to validate it works - if it fails at home, it will fail in China.

Install the VPN BEFORE departure. NordVPN, ExpressVPN, and most competitors' download sites are blocked from China. The iOS China region App Store has not distributed any VPN app since 2017 (Apple complied with a government request). The Play Store is officially blocked (Chinese Android users go through third-party stores Huawei, Xiaomi, Vivo). Operational consequence: if you arrive in Beijing without a preinstalled VPN, you are stuck. The complete procedure is detailed in the HowTo at the top of this article - preparation 48–72 hours before departure.

Legal risks. Chinese law has officially banned unauthorized VPNs since 2017, but no documented sanction against an end-user tourist as of May 2026. Known prosecution cases concern local commercial operators distributing VPNs without licenses, not foreign tourists using a personal account. Pragmatic practice: use the VPN, do not discuss it with local authorities if asked, do not take screenshots of the VPN interface, and keep the app in a discreet folder on the phone. See our China VPN guide 2026 for the detailed procedure and backup plans (Shadowsocks, Cloudflare WARP, Lantern).

Russia: bypassing Roskomnadzor since 2022

The Russian context flipped in March 2022 with the invasion of Ukraine and the mass shutdown of access to Western media and platforms. Roskomnadzor (the national communications regulator) blocked Facebook, Instagram, Twitter/X, and a growing number of commercial VPNs. The Wikipedia Roskomnadzor page documents the evolution since 2017. Freedom House classifies Russia "Not Free" in its Freedom on the Net 2025 report, with an Internet Freedom score close to Iran's level.

What still works in May 2026. Surprising for pre-2022 regulars: despite the intensity of blocking, several major commercial VPNs still get through Russia via Obfuscated servers. NordVPN and Surfshark maintain high reliability with Obfuscated servers + NordWhisper and NoBorders mode respectively. ExpressVPN also passes via Lightway-Streisand. Mullvad uses effective obfs4 bridges. ProtonVPN passes at times via Stealth protocol. Technical competition is intense because Roskomnadzor learned to identify standard VPN protocols - each provider must innovate continuously to remain accessible.

Russia-specific configuration. As in China, disable standard WireGuard and NordLynx. Enable Obfuscated servers and the stealthiest available protocol (NordWhisper, OpenVPN TCP 443 with masking). Test on the home network. Prepare 2 providers in redundancy - the situation can change overnight, and a backup avoids total cutoff. Mullvad remains the most independent backup option: no email registration, cash payment by mail possible, audited Swedish infrastructure.

Legal and practical risks. Russian federal law of 2017 bans VPNs that provide access to prohibited content, but explicitly targets providers (obligation to filter the Roskomnadzor blacklist) - not end users. No documented sanction against a Western tourist VPN user in May 2026. Operational precaution: do not activate the VPN during sensitive administrative interactions (digital customs declaration, electronic visa application), do not take screenshots of the interface, and use the nearest server to minimize traffic signature. The EFF Surveillance Self-Defense offers updated travel advice applicable to the Russian context.

UAE, Saudi Arabia: VoIP banned and streaming filtered

Glowing fibre-optic network cables
Glowing fibre-optic network cables

The United Arab Emirates and Saudi Arabia constitute an intermediate case: no widespread blocking of commercial VPNs, but specific restrictions on certain uses (free VoIP, political content, gambling). Filtering is handled by national operators (Etisalat and du in the UAE, STC in Saudi Arabia) under regulatory supervision (TRA in UAE, CITC in Saudi Arabia).

UAE specifics: free VoIP ban. WhatsApp calls, FaceTime, Skype, Messenger calls are blocked at IP/SNI level by local operators. This block is not anti-VPN - it is a commercial protection of the local telco business model. Theoretical VPN use to bypass this restriction carries a fine of up to AED 500,000 under the 2012 cybercrime law (article 9), never documented as applied to a tourist. In practice, all Western tourists use a VPN to call from Dubai or Abu Dhabi, and no case has been reported as of May 2026.

Configuration for UAE and Saudi Arabia. No specific configuration needed: standard commercial VPNs pass without difficulty. NordVPN, Surfshark, ExpressVPN, Mullvad, ProtonVPN all work with default configurations. The only useful adjustment: choose a geographically close server (Egypt, Bahrain, Turkey) to minimize latency on VoIP calls, and enable kill switch to avoid leaks if the tunnel drops mid-call.

Streaming in UAE and Saudi Arabia. Local Netflix and Prime Video catalogues differ from Western catalogues, BBC iPlayer blocked, Hulu blocked, ITVX blocked. A VPN server in the UK or US restores access. No aggressive anti-VPN blocking on these services from the UAE, so stable functioning. Streaming outside the UAE for business travelers: very commonly used in practice.

Iran: massive filtering and backup plans

Iran applies the strictest internet filtering of the countries covered by this guide, with total internet cutoffs during sensitive political events. Telegram and WhatsApp have been blocked multiple times in 2022–2025, Instagram is filtered, most Western media outlets are blocked, and DPI filtering is comparable to China's. Reporters Without Borders ranks Iran among the five most restrictive countries worldwide in its World Press Freedom Index.

What works in May 2026. ExpressVPN and Mullvad maintain the best reliability thanks to obfsproxy bridges and Stealth configurations. NordVPN passes intermittently via Obfuscated servers. Surfshark passes with NoBorders mode. Tor with Snowflake bridges remains an effective backup when all VPNs fail. Cloudflare WARP (technically not a strict VPN but a managed WireGuard tunnel) often gets through when commercial VPNs fail - useful as emergency backup.

Payment restrictions. Iranian specificity: international financial sanctions prevent payments to most Western services, including commercial VPNs. Operational consequence: impossible to subscribe to a VPN once on site with an Iranian card or bank account. Solution: subscribe before departure with a Western card, pay a long subscription (12–24 months) to cover the trip, and note account credentials outside cloud password managers (which can be blocked locally).

Pre-departure preparation for Iran. Install 3 distinct VPNs (e.g., ExpressVPN + Mullvad + NordVPN), download Cloudflare WARP, configure Tor with Snowflake bridges (procedure documented on the Tor Project site). Keep a list of obfs4 bridges on a physical medium (paper). Also prepare an international eSIM (Airalo Middle East or Turkcell Roaming) - international routing partially bypasses local filtering. Setup complexity justifies at least 48–72 hours of preparation before departure.

Legal risks. Iranian law has banned unauthorized VPNs since 2009, but no documented sanction against a Western tourist as of May 2026. Known prosecutions concern domestic activists or local VPN service operators, not end-user tourists. High operational precaution: discreet VPN in a non-obvious folder, no screenshots, VPN disabled during administrative interactions, and use of the nearest server to minimize traffic signature.

Turkey, India, Indonesia: intermediate cases

Three countries that apply existing but less restrictive filtering than the four main cases, with specifics worth knowing.

Turkey. Cyclical political filtering depending on context (elections, sensitive events), periodic blocking of certain social networks (Twitter/X several times in 2022–2024), commercial VPNs not aggressively blocked. Configuration: standard VPN suffices, no need for Obfuscated servers. For streaming, watch out for Netflix Turkey catalogue variations vs Europe.

India. 2022 law requiring VPN providers to retain user logs for 5 years - result: NordVPN, ExpressVPN, and most major players removed their physical servers from India but maintain virtual servers with India exit IP (the actual server is in Singapore or elsewhere). Consequence for a tourist: use a no-log India server, or a Singapore server for mobility use. Local filtering is limited (pirated content categories or pornography) and does not target VPNs.

Indonesia. Cyclical filtering of certain platforms (DuckDuckGo, Steam, Yahoo, PayPal blocked in 2022–2023 due to government registration procedure, since unblocked), no anti-VPN aggression. Standard configuration suffices. For Netflix Indonesia vs UK, significant catalogue gap - VPN with UK or US server useful.

VPN on hotel WiFi: risks and preparation

Travel multiplies connections on hotel WiFi, which poses distinct risks from state filtering: local observation by the operator, sniffing by other guests connected to the same network, sometimes compromised captive portals, systematic commercial profiling on hotel chains. The topic is treated in depth in our dedicated VPN hotel WiFi article, here is the practical summary.

What the hotel sees on your connection. Without a VPN, the hotel's WiFi operator sees every visited domain via DNS queries (cleartext UDP 53 by default) and the SNI of the TLS handshake (cleartext even when HTTPS content is encrypted). Hotel chains heavily use Cisco Meraki, Aruba, or Ruckus with analytics modules that cross-reference this data with your customer profile (room number, length of stay, frequency). Data resold to marketing providers in most cases. An active VPN closes this leak - the hotel sees only an encrypted tunnel to a distant server.

VPN setup before connecting to hotel WiFi. Simple 3-step procedure. First, launch the VPN on eSIM or mobile 4G (before WiFi connection) - the tunnel goes up on the cellular network first. Second, enable system-mode kill switch which blocks all outgoing traffic if the tunnel drops. Third, connect to hotel WiFi - the VPN stays active during the transition, and the captive portal displays for terms validation. Most modern VPN clients (NordVPN, ExpressVPN, Surfshark) automatically handle the captive portal without breaking the tunnel.

Risks by hotel type. Low-cost hotels with shared-password WiFi: risk of sniffing by other guests. Business hotels with dedicated per-room WiFi: reduced risk but strong internal profiling. Hotels in censored zones (China, Russia, Iran): double layer - hotel WiFi + national filtering. For business travelers with sensitive work email, the minimum combination is top-3 VPN + hardware 2FA or TOTP + never entering critical credentials on a captive portal.

Streaming during travel: home catalogue

Travel immediately triggers geofiltering of streaming platforms, with concrete impact on daily use. Here is the mapping in May 2026.

Netflix. Automatic switch to the local catalogue of the visited country on connection. Netflix Spain, Italy, Mexico, India, Japan catalogues - all different from the UK or US catalogue. A VPN with a server in the home country restores the usual catalogue. NordVPN and Surfshark maintain high reliability on Netflix UK/US from abroad (detailed measurements in our complete VPN streaming guide). Special case: Netflix US from abroad treated in a dedicated article for reverse travelers.

BBC iPlayer. Strict UK-only geofiltering, more aggressive control than Netflix. Requires a UK server with residential IP and an existing BBC iPlayer account. Setup detailed in our BBC iPlayer abroad guide.

Hulu, Peacock, ITVX, Channel 4. Strict home country geofiltering, no access outside the zone without VPN. Immediate restoration with US/UK server via NordVPN or Surfshark. Typical use case: an American traveler on holiday in Europe wanting to watch Hulu or Peacock live. Works without difficulty in May 2026.

Disney+, Prime Video, HBO Max. Variable regional catalogues, less aggressive geofiltering than BBC. A standard VPN with UK or US server restores the target catalogue in most cases.

Local platforms of the visited country. Interesting reverse: a traveler can subscribe to a local platform during their stay (Hotstar in India, iQiyi in China, Wink in Russia) to access the local catalogue. Legal, sometimes cheaper than abroad, and requires using a VPN with a server in the target country once back home.

Editorial pick
4.6 / 5

Test NordVPN for 2026 travel - Obfuscated servers included

Deloitte no-log audit 2024 · NordWhisper beats China/Russia · 30-day money-back

Deloitte audit 202430-day guarantee14M+ users
See the offer

Preparing your phone and laptop before departure

The 48–72 hours of preparation before departure entirely determines what follows. Once on site without adequate setup, it is too late to catch up: download sites are blocked, the local App Store does not distribute the apps, international payments may fail. The complete procedure is documented in the HowTo at the top of this article. Here are the critical points.

Provider redundancy. Subscribe to 2 distinct VPNs in parallel (e.g., NordVPN + Surfshark, or NordVPN + Mullvad). Marginal cost of an extra month: $10–15, far less than the cost of a business trip without critical connectivity. Redundancy is non-negotiable for China and Iran.

Apps installed and tested. All travel apps (VPN, eSIM, alternative messaging Signal, hardened browsers Brave) installed from the home country App Store. Android APKs saved on Drive/Dropbox accessible via VPN once on site. Test each combination on the home network before departure: primary VPN + home WiFi, backup VPN, VPN on activated eSIM.

International eSIM as a complement. Airalo, Holafly, Saily, or Nomad depending on destination. For China specifically, eSIM routed via Hong Kong (Airalo China plan, GigSky). For Iran and Russia, verify international roaming availability. Activation QR code saved locally (not cloud).

Non-VPN backup plan. Cloudflare WARP installed, Tor with Snowflake bridges configured, obfs4 addresses noted on physical paper. Contact of a relative outside the zone for emergency relay in case of total cutoff (case observed in Iran during political events).

Accounts and payments. Verify VPN subscription validity for at least 30 days. Password noted outside cloud manager (which can be blocked). Backup payment card for auto-renewal. Primary email accessible via VPN (Gmail may require 2FA validation blocked in China without VPN).

Final summary table and verdict

Operational synthesis after per-country detail. The logic remains the same: a travel VPN is no longer a generic product but a configuration adapted to the destination, and pre-departure preparation determines viability of the whole setup.

For travel to mainland China, Russia, Iran. Demanding configuration. Install NordVPN with Obfuscated servers and NordWhisper protocol + a backup provider (Surfshark NoBorders or Mullvad bridges). International eSIM mandatory (Airalo routed via Hong Kong for China). Test on the home network before departure. Cloudflare WARP + Tor Snowflake bridges backup plan. Minimum 48–72h preparation.

For travel to UAE, Saudi Arabia, Turkey, India, Indonesia. Standard configuration. NordVPN or Surfshark with default configuration suffices. System-mode kill switch for hotel WiFi. Optional eSIM for flexibility. No special configuration needed.

For streaming during travel. Server in the home country for Netflix UK/US, BBC iPlayer, Hulu, Peacock, ITVX. NordVPN and Surfshark are reputed reliable on all these platforms. Details in our complete streaming VPN guide.

For hotel WiFi security. Mandatory kill switch, auto-connect on unsecured networks, never enter sensitive credentials on captive portal. See our complete public WiFi 2026 guide for the detailed procedure.

Transversal verdict. NordVPN remains the best travel compromise in 2026 for 80% of destinations thanks to the combination of Obfuscated servers, NordWhisper protocol, and global infrastructure. Surfshark stands out for streaming and offers excellent value with unlimited connections. Mullvad remains the reference option for strict privacy with anonymous payment. ExpressVPN excels on China and Iran with Lightway-UDP. Direct comparison detailed in Surfshark vs NordVPN 2026 and our NordVPN review 2026.

Editorial pick
4.4 / 5

Test Surfshark for travel - unlimited connections

NoBorders mode auto · TLS Camouflage · 30-day money-back · Ideal for traveling families

Deloitte audit 202330-day guaranteeUnlimited devices
See the offer

Going further. Related reading on these topics: using a VPN in Cuba, the Telegram ban in India and whether VPNs are legal in the UK.

See also. Related: VPN for ChatGPT and Best VPN for China 2026.

Tools and guides for 2026 travel


Sources

  1. Verizon. (2024). Data Breach Investigations Report 2024. Verizon Enterprise Solutions. https://www.verizon.com/business/resources/reports/dbir/
  2. Reporters Without Borders. (2026). World Press Freedom Index 2026. RSF. https://rsf.org/en/index
  3. Freedom House. (2025). Freedom on the Net 2025 - Russia. Freedom House. https://freedomhouse.org/country/russia/freedom-net/2025
  4. EFF. (2024). Surveillance Self-Defense - Travel Advice. Electronic Frontier Foundation. https://ssd.eff.org/playlist/protecting-yourself-on-social-networks
  5. Tor Project. Snowflake Bridges Setup. https://www.torproject.org/
  6. Wikipedia. Great Firewall. https://en.wikipedia.org/wiki/Great_Firewall
  7. Wikipedia. Roskomnadzor. https://en.wikipedia.org/wiki/Roskomnadzor
  8. RFC 8484. (2018). DNS Queries over HTTPS (DoH). IETF. https://datatracker.ietf.org/doc/html/rfc8484
  9. RFC 5389. (2008). Session Traversal Utilities for NAT (STUN). IETF. https://datatracker.ietf.org/doc/html/rfc5389
  10. UK Foreign, Commonwealth & Development Office. Foreign Travel Advice. https://www.gov.uk/foreign-travel-advice

Method and limits

This guide is an editorial synthesis drawing on public sources (Roskomnadzor, Tor Project, GFW Report, Reporters Without Borders, Freedom House, provider protocol documentation) and cross-referenced community reports (r/VPN, r/China, the Iran-VPN sub). It is not a private test bench: we did not measure the connections ourselves from these countries. The per-country reliability ratings reflect what is publicly reported and change from one week to the next - always verify before you travel, and keep in mind that nothing is guaranteed against state-level filtering.


Article published 29 May 2026. Synthesis drawing on community reports on Reddit (r/VPN, r/China, r/Iran), the Reporters Without Borders World Press Freedom Index, the Freedom House Freedom on the Net 2025 report, and public documentation of filtering practices country by country. The UK FCDO and US State Department publish per-country travel advice and country information that usefully complements this reading on non-technical aspects (visa, health, physical security).

Editorial pick
4.6 / 5

Stay connected anywhere with NordVPN

Obfuscated servers for restrictive networks · 60+ countries · 30-day money-back

Deloitte audit 202430-day guarantee14M+ users
See the offer
Everything you need to know.

Frequently asked questions

Which VPN should I choose for China in 2026?

The providers generally considered most effective against the Great Firewall are those offering active obfuscation: NordVPN (Obfuscated servers + traffic masked as HTTPS), ExpressVPN (Lightway and automatic obfuscation), and Astrill (long-standing premium provider focused on the China market). Nothing is guaranteed: the Great Firewall evolves continuously and a provider that works one day may be blocked the next. The criterion that matters is not average bandwidth but **connection stability** and support for stealth protocols. Critical to install BEFORE departure: NordVPN, ExpressVPN, and nearly all alternative download sites are blocked from Chinese IPs, and the Chinese region App Store (iOS China) has not distributed any VPN apps since 2017. Also set up a paid account in advance: account creation and international payments are sometimes blocked. See our [best VPNs for China - which to choose](/en/blog/best-vpn-china-2026-which-to-choose) for the ranked picks, and our [dedicated China VPN guide](/en/blog/vpn-china-great-firewall-2026) for the detailed procedure.

Is using a VPN legal in Russia as a tourist?

Technically no since 2017 (federal law banning VPNs that provide access to prohibited content), but no documented sanction against an end-user tourist. The law targets VPN providers, not users, and Roskomnadzor concentrates its efforts on infrastructure-side server and app blocking - not on tracking tourists. Since March 2022, blocking has intensified: ProtonVPN, NordVPN, ExpressVPN, and most commercial VPNs are blocked at IP and DPI level. VPNs that still get through use obfuscated servers (NordVPN Obfuscated, ExpressVPN Lightway-Streisand, Mullvad bridges) or undetectable protocols (Shadowsocks, V2Ray, Cloudflare WARP which is not strictly a VPN). For a Western tourist: install 2 or 3 VPNs before departure, keep Tor as a backup, do not activate the VPN in sensitive official contexts (digital customs declaration, visa application, administrative interactions). No known cases of smartphone searches for VPN use against an average tourist as of May 2026.

Do I need a VPN for streaming while on holiday?

Yes if your primary catalogue is in your home country and you travel abroad: Netflix, Prime Video, Disney+, and HBO Max enforce strict IP-based geofiltering, while BBC iPlayer, Hulu, Peacock, ITVX are fully blocked outside their home country. Concretely, a British traveler on holiday in Spain loses access to BBC iPlayer live and the UK Netflix catalogue, switching to Netflix Spain (different catalogue). A VPN with a server in the home country restores access in seconds: all the platforms listed work with NordVPN or Surfshark via UK or US servers in 2026. For BBC iPlayer abroad specifically, plan for a UK server and an existing BBC iPlayer account - geofiltering is stricter than Netflix. Details in our [complete streaming VPN guide](/en/blog/our-vpn-streaming-guide) with per-platform stability measurements. Note: using a VPN to bypass geoblocking is a grey area - it violates platform terms of service but no civil sanction has been documented against a legitimate paying subscriber.

Is the hotel WiFi safe enough for work emails?

No, and this is the most costly business travel reflex. Hotel WiFi networks heavily use Cisco Meraki, Aruba, or Ruckus with analytics modules that log domains visited at DNS level and cross-reference this data with the customer profile (room number, length of stay). On Asian chains and some low-cost European hotels, the shared WiFi password allows any other connected guest to attempt promiscuous-mode sniffing. For business emails with sensitive data, the minimum combination is enterprise VPN OR top-3 commercial VPN (NordVPN, ExpressVPN, Surfshark) with system-mode kill switch, plus hardware 2FA or TOTP on the mail account. Ideally, transfer critical use to mobile hotspot (personal 4G/5G tethering) for banking operations and contract signing. See our [dedicated VPN on hotel WiFi article](/en/blog/vpn-hotel-wifi-travel) for the step-by-step procedure.

Which eSIM should I pick alongside a VPN?

Four players dominate the travel eSIM market in May 2026: Airalo (widest coverage, ~200 countries), Holafly (unlimited plans up to 90 days), Saily (NordVPN companion, native integration), Nomad (competitive Europe packages). For travel to China, Iran, or Russia specifically, an international eSIM offers a critical advantage: the data connection routes through the international partner network (often Hong Kong for China, Turkey for Iran) instead of the local network subject to filtering. Result: a VPN on an Airalo eSIM in China often works when the same VPN on a local Chinese SIM does not. Indicative cost: $15–30 for 10 GB in China over 14 days. For Russia, verify exact coverage before purchase (some carriers cut international roaming in 2022–2024). For streaming on the move, plan for at least 30 GB depending on usage. The eSIM pairs perfectly with a commercial VPN: eSIM for connectivity, VPN for privacy and bypass.

What is the legal risk of using a VPN abroad?

For a Western tourist in the countries covered by this guide (China, Russia, UAE, Iran, Turkey, India, Indonesia), no documented sanction against private VPN use as of May 2026. Restrictive legislation targets providers (cooperation obligations, app blocking) and sometimes domestic activists - never Western tourists. Reporters Without Borders and Freedom House publish annual updates of the 'Internet Freedom' ranking and no report mentions a tourist arrest for VPN use. Exceptions to know: (1) Iran since 2024 - strengthened financial sanctions on providers themselves, no user impact; (2) UAE - theoretical fines up to AED 500,000 for fraudulent VPN use (typically free VoIP like WhatsApp Call that bypasses telco billing), never applied to a tourist; (3) North Korea and Turkmenistan - OPSEC level beyond standard travel scope. Practical advice: avoid screenshots of the VPN interface, keep the app in a non-obvious folder, and use the nearest server to minimize traffic signature. The UK Foreign, Commonwealth & Development Office publishes per-country travel advice that can supplement this reading.

What changed for VPNs in China between 2025 and 2026?

The underlying trend is well documented publicly. The Great Firewall has strengthened its DPI (deep packet inspection) over the years and can now identify VPN protocols even when encrypted, including non-obfuscated WireGuard-style protocols - hence the value of obfuscated servers and stealth protocols (HTTPS masking). The iOS China region App Store has not distributed VPN apps since 2017, and the list of removed apps keeps growing, confirming the need to install BEFORE departure from a Western Apple ID. Practical impact: an older configuration may no longer work - verify protocols and providers before each trip.

Did Russian blocking intensify in 2026?

Roskomnadzor's blocking of VPNs has tightened in stages since 2022, which is well documented. The regulator regularly blocks new commercial VPN IP ranges and refines its DPI to identify standard VPN protocols, including OpenVPN on port 443. The VPNs that get through best are those with active obfuscation or stealth protocols (obfuscated servers, TLS masking, Shadowsocks/V2Ray, Mullvad obfs4 bridges). Practical consequence: a subscription that worked from Moscow a year earlier may now require switching to obfs4 bridges manually configured before departure. Practical guide also in our [VPN Russia travel scenario](/en/vpn-travel/vpn-russia-travel).

Iran VPN crackdown 2026: what are the new restrictions?

Iran applies one of the strictest filtering regimes in the world and has a documented history of total internet shutdowns during political unrest (for example during the 2019 and 2022 protests), during which even paid VPNs stop working. Separately, international financial sanctions often make it impossible to subscribe to a commercial VPN with an Iranian bank card - so you need an active subscription paid before departure with a Western card. Commonly cited backup plan: Cloudflare WARP (free, technically a managed WireGuard, less aggressively blocked than commercial VPNs) plus Tor with Snowflake bridges configured outside Iran. Nothing is guaranteed during a total shutdown.

Does a VPN work in the UAE in 2026?

Yes for tourists using paid VPNs for privacy - NordVPN, ExpressVPN, and Surfshark all connect reliably in the UAE in 2026 without blocking. The UAE law targets fraudulent use (bypassing local telco VoIP billing via free apps like WhatsApp Call), not tourists using standard VPN traffic. No documented case of a tourist penalized for VPN use. That said, avoid activating a VPN before official interactions (customs, immigration). For streaming, UAE ISPs do not actively block commercial VPNs, making it one of the easier censored-country destinations compared to China or Iran.

Do free VPNs work in China in 2026?

In practice, no. China's ML-DPI firewall now identifies and blocks commercial-grade VPN traffic within minutes; free VPNs with no obfuscation are cut immediately. In June 2026, only paid services with active obfuscation layers (NordVPN NordWhisper, ExpressVPN Lightway-Streisand, Surfshark NoBorders) maintain reliable connectivity. Free VPNs lack the infrastructure to rotate blocked IP ranges and update protocol fingerprints at the required pace. Cloudflare WARP (free) is the only exception - it uses WireGuard over a Cloudflare infrastructure not aggressively blocked in China as of June 2026, but it is not a VPN and provides no privacy guarantee beyond IP masking.

Do VPNs still work in China in 2026?

Yes, but only a few VPNs bypass the Great Firewall reliably in 2026: NordVPN (obfuscated servers), ExpressVPN (Lightway protocol), Mullvad (WireGuard + obfuscation), and Windscribe (Stealth mode). Most free VPNs are blocked.

Is it legal to use a VPN in Russia, Iran, or UAE?

Legal status varies: Russia allows VPN use but bans unregistered providers. Iran tolerates personal VPN use. UAE permits VPNs for corporate purposes but restricts circumventing VoIP blocks. Check local laws before using.

What are obfuscated servers?

Obfuscated servers disguise VPN traffic as regular HTTPS traffic, making it harder for firewalls in China, Iran, and Russia to detect and block. NordVPN and Surfshark offer this feature.