Where to find it:
Settings → Account Security → Domain Spoofing
Supported Versions:
-
iOS 8.0 and above
-
Android 3.0 and above
🔍 What is SNI?
SNI (Server Name Indication) is part of the TLS/SSL protocol. When your device connects to a website using HTTPS, it sends the domain name in plaintext at the very beginning of the handshake.
This means that firewalls, network providers, or censorship systems can see which website you’re trying to visit, even if your connection is encrypted.
🧪 How SNI Spoofing Works
With SNI spoofing enabled, 5UF VPN replaces the real domain name (e.g., realvpn.example.com) with a harmless and widely accepted domain (e.g., bing.com, baidu.com) during the TLS handshake.
The goal is to deceive censorship or firewall systems that block access based on SNI data, allowing the connection to go through.
✅ This spoofing only affects the initial handshake. Your real VPN session and traffic are not affected or rerouted.
🌍 Typical Use Cases
|
Situation |
Recommended |
Description |
|---|---|---|
|
VPN access blocked in China |
✅ Yes |
Helps bypass domain-based GFW restrictions |
|
Public Wi-Fi in schools, offices, hotels |
✅ Yes |
Circumvents SNI-based restrictions |
|
Captive portals in airports or malls |
✅ Yes |
Tricks login systems into allowing access |
|
Mobile data plans with limited domains (e.g., music/video streaming) |
✅ Yes |
Mimics “zero-rated” domains to save bandwidth or avoid throttling |
|
Normal, unrestricted networks |
❌ Not needed |
Adds connection time without benefit |
⚠️ Important Notes
-
Recommended spoof domains include popular sites like baidu.com, bing.com, and apple.com
-
Not all protocols support SNI spoofing. For example, QUIC/HTTP/3 may not be compatible. Consider switching to TCP mode in Advanced Settings.
-
Some VPN servers may reject connections if the SNI domain does not match their TLS certificate. If connection fails, try turning the feature off and reconnect.
❓ Frequently Asked Questions (FAQ)
Q1: What is SNI spoofing and why do I need it?
SNI spoofing helps you bypass firewalls by replacing the domain name in your TLS handshake with a commonly allowed domain. This is useful when VPN connections are blocked by domain name.
Q2: Does this change the VPN server I’m connecting to?
No. The real connection still goes to the VPN server you selected. Only the domain used in the TLS handshake is disguised.
Q3: Can I choose a custom spoofed domain?
Yes. The system predefines some common domain names, such as the domain name used to detect available Wi-Fi links in IOS.
Q4: It doesn’t work on my school or office network. What should I try?
Try enabling TCP mode instead of UDP in Advanced Settings. Some networks block or inspect UDP packets more aggressively.
Q5: Can this help me use zero-rated data plans from my carrier (e.g., music streaming)?
Yes, in some cases. If your ISP allows free access to specific services by domain name, SNI spoofing can trick the system into treating your connection as part of that service.
Q6: Does SNI spoofing work in all cases?
No. Some networks perform deeper inspection or block based on other handshake details. SNI spoofing improves success rate but is not guaranteed in every environment.
