Why Your VPN Keeps Failing for Telegram in Myanmar 2026
TL;DR
Myanmar’s junta has deployed deep packet inspection hardware across the MPT, Ooredoo, and ATOM backbone to identify and terminate VPN handshakes before a usable tunnel can establish. The exit IP address ranges belonging to NordVPN, ExpressVPN, Surfshark, and Mullvad have been catalogued and blacklisted at the routing level by state censors, regardless of what protocol version you choose. Even when a VPN tunnel connects briefly, a second DPI layer running downstream identifies the Telegram MTProto protocol on the outbound stream and resets the session. That’s why users see a green lock in their VPN app while Telegram spins at the connecting screen indefinitely.
mechanism 1: DPI fingerprinting on the Myanmar backbone
OpenVPN, WireGuard, and IKEv2 each produce distinctive handshake signatures that modern deep packet inspection equipment can identify within the first few packets of a session. OpenVPN typically runs over UDP on port 1194 or TCP on port 443, producing a characteristic TLS client hello followed by predictable certificate exchange timing and packet interval patterns. WireGuard generates a specific handshake initiation message with a fixed 148-byte format that is trivially matched by a signature database. IKEv2 uses UDP on ports 500 and 4500 with well-documented packet structures that haven’t changed meaningfully in years. These signatures are not secrets and they are not exploitable bugs. They’re the predictable output of correctly implemented, standardised protocols, which is exactly what makes them easy to fingerprint. Every NordVPN client on Android sends an OpenVPN or WireGuard handshake that looks identical to every other NordVPN client on Android. They’re all running the same code against the same RFC.
Since the 2021 coup, Myanmar’s military government has mandated that MPT, the state-owned carrier and dominant backbone operator in the country, install and operate DPI hardware capable of classifying encrypted traffic by protocol at line rate. Ooredoo Myanmar and ATOM, the carrier formerly branded as Mytel and backed by the Myanmar military, operate under identical regulatory mandates and have implemented equivalent filtering systems. The junta publicly described a mass VPN audit program beginning in 2022, framing it as a national security measure, and that program has been expanded and updated every year since. Critically, this filtering happens at the point where traffic leaves your ISP and enters the backbone, not at your router, not at some device you could reconfigure. A TCP packet carrying a WireGuard handshake initiation from a phone in Yangon is classified and terminated before it reaches the border router, before it reaches any server you rented, and before any VPN client on your device can report a failure. The client sees a timeout, retries with a fallback port, and eventually surfaces an unhelpful “connection failed” message. Changing VPN servers or toggling protocols doesn’t change what those first packets look like on the wire.
It is worth understanding what DPI hardware is actually doing in practice. These systems do not need to decrypt traffic to identify it. They operate on observable characteristics at the packet level: handshake byte sequences, timing intervals between packets, packet size distributions, and the ratio of inbound to outbound traffic. A WireGuard session has a distinctive rhythm even before any payload has been exchanged. OpenVPN over TCP on port 443 looks different from legitimate HTTPS on port 443 in ways that a trained classifier can distinguish with high confidence. The vendors selling this hardware to governments , companies headquartered in Europe and North America , publish technical whitepapers describing exactly how accurate their classifiers are. Myanmar’s censors are not building this themselves. They are buying commercial products that come with pre-trained signature libraries and update subscriptions, the same way an enterprise buys an intrusion detection system.
For a broader view of how censorship infrastructure across countries with active blocking programs has evolved, the 2026 Telegram censorship resource center documents changes to blocking patterns in real time.
mechanism 2: commercial VPN IP blacklists
Even a perfectly obfuscated VPN handshake eventually has to exit through a server with an IP address, and commercial VPN provider IP ranges are not secret. NordVPN publishes its full server list in a machine-readable format so clients can connect efficiently. ExpressVPN, Surfshark, Mullvad, and Proton VPN all expose their server configurations in ways that are trivially discoverable: purchase a subscription, run a packet capture, and every server IP the client connects to is yours to enumerate. Researchers have built automated systems to do exactly this at scale. Censors have been doing the same thing for years. The result is that block lists maintained by Myanmar’s censors contain comprehensive coverage of the IP ranges operated by every major commercial VPN provider. These lists are updated regularly. When NordVPN adds new servers, those servers are typically identified and added to block lists within days or weeks, not months.
The practical consequence for a user in Myanmar is disorienting. Your VPN client may report a successful connection to a server that wasn’t yet blacklisted at that exact moment. Telegram then attempts to connect through the tunnel. The outbound traffic from the VPN exit server toward Telegram’s IP ranges hits a routing hop that recognises the destination, drops the packets, and returns a TCP RST. Your Telegram client sits at “connecting” because from Telegram’s perspective, the session never completed. Alternatively, the VPN exit IP itself is already blacklisted, the routing failure is invisible to your client because the tunnel appears to establish over a loopback that doesn’t reveal the downstream failure, and you get the same stuck loading screen. Both failure modes produce the same user-visible symptom: VPN green, Telegram broken.
The table below summarises the known blacklist status of major commercial VPN providers from the perspective of Myanmar network monitoring as of mid-2026. “Confirmed blocked” means the provider’s published server IP ranges are on documented block lists. “Intermittently blocked” means some server IPs pass while others do not, typically because the provider rotates IPs faster than block list updates propagate. “Unknown” means no reliable independent public data is available.
| Provider | Server IP Disclosure | Myanmar Blacklist Status | Obfuscation Available |
|---|---|---|---|
| NordVPN | Full public server list | Confirmed blocked | Obfuscated servers (TCP/443) |
| ExpressVPN | Full public server list | Confirmed blocked | Lightway with obfuscation |
| Surfshark | Full public server list | Confirmed blocked | NoBorders mode |
| Mullvad | Full public server list | Confirmed blocked | No built-in obfuscation |
| Proton VPN | Full public server list | Intermittently blocked | Stealth protocol |
| Windscribe | Partial disclosure | Intermittently blocked | Stealth mode (port 443) |
The obfuscation column deserves attention. Obfuscation wraps VPN traffic in a second layer designed to mimic ordinary HTTPS traffic, which addresses the DPI fingerprinting problem described in mechanism 1. It does not address the exit IP blacklist problem. If the server your obfuscated NordVPN session exits from is already on Myanmar’s routing block list, the obfuscation layer is irrelevant. The traffic still exits from a recognisable datacenter IP range, and the destination filtering kills it anyway. Obfuscation and IP blacklisting are two separate failure modes that require two separate solutions.
Another factor that accelerates block list construction is the behaviour of VPN clients themselves. Most commercial VPN clients perform automatic server selection by testing latency to a pool of servers and connecting to the fastest one. This means a single VPN provider might offer hundreds of candidate servers, but each client ends up connecting to a small subset of well-performing servers that are geographically close to the user. For Myanmar users, that means the Southeast Asia and Singapore server pools get the heaviest use and receive the most focused attention from censors. A server that appeared to work yesterday may have been added to Myanmar’s routing filter table overnight precisely because it was handling high volumes of circumvention traffic.
mechanism 3: Telegram-protocol blocking after VPN connect
This is the failure mode that frustrates users who have already read about DPI and obfuscation and feel like they’ve done everything right. The VPN connects. The lock icon appears. A speed test through the tunnel works. A website loads. But Telegram stays at the connecting screen, or briefly shows the message list and then disconnects within seconds. The explanation is that Myanmar’s censorship architecture operates at two distinct layers, not one, and those layers are geographically separated.
The first layer, described in the previous two sections, operates at your ISP’s network edge. It targets the VPN tunnel itself. If the VPN tunnel survives the first layer, your traffic exits the VPN server somewhere outside Myanmar. At that point the traffic is on the open internet, travelling toward Telegram’s servers. Telegram’s MTProto protocol has a recognisable handshake. It connects to specific IP ranges that Telegram publishes in its own technical documentation. When your VPN exit is a datacenter server in a country that shares routing infrastructure or filtering agreements, the Telegram-bound traffic can still be intercepted and reset by equipment on the path.
There is also a more direct version of this problem that applies specifically to users on mobile data in Myanmar. Ooredoo Myanmar and ATOM have implemented SIM-level traffic profiling that operates independently of application-layer protocol analysis. This system associates traffic patterns with individual SIM card identifiers. When a SIM card generates traffic that matches the Telegram connection pattern (the volume, timing, and app-layer signature of MTProto connections), the SIM itself can be flagged, rate-limited, or suspended. This does not require the carrier to decrypt the traffic. It operates on observable metadata: how often a device connects to certain IP ranges, how large the data transfers are, and how regular the heartbeat connections are. VPN encryption hides the content of packets but does not hide the fact that your device is making frequent, regular connections to a specific set of addresses. If those addresses are Telegram’s servers, the pattern is visible regardless of tunnel encryption.
Multiple journalists and activists who reported from Myanmar between 2023 and 2025 described SIM cards being suspended after sustained Telegram use even while running a commercial VPN. The VPN provides content confidentiality. It does not provide metadata anonymity against the carrier that is processing your SIM’s radio connection. For users who need to manage multiple Telegram accounts under these conditions, the approach described in the Telegram in Myanmar 2026 guide covers operational practices that reduce SIM-level exposure.
The interaction between these two mechanisms , downstream Telegram-protocol blocking and SIM-level traffic profiling , is what makes commercial VPNs structurally insufficient for Myanmar users, not just operationally inconvenient. Even if a future VPN product solved the DPI fingerprinting and IP blacklist problems completely, it would still leave the carrier-side metadata exposure unaddressed. A solution that routes Telegram traffic through an IP address that does not match Telegram’s known server ranges, and that originates from a carrier IP rather than a datacenter IP, addresses both the downstream protocol detection problem and the origin IP problem simultaneously.
what survives DPI in 2026
Three approaches have shown the most resilience against Myanmar’s current censorship architecture. None of them are permanently guaranteed because censorship infrastructure is iterative. Each one addresses a specific failure mode that commercial VPNs consistently fail to handle.
The first approach is MTProto over FakeTLS. Telegram supports a native proxy protocol called MTProto proxy that was specifically designed for use in censored environments. When the proxy server wraps its handshake in a FakeTLS layer, the initial connection looks like an ordinary HTTPS session to a DPI classifier. The critical variable is the IP address of the proxy server. A FakeTLS MTProto proxy hosted on a residential or mobile IP in a neutral jurisdiction is much harder to block than one running on a recognisable datacenter IP, because the censor cannot block it without also blocking all traffic to that IP range. That would require blocking a real carrier’s consumer network. The operational limitation is that running your own MTProto proxy requires a server you control in a jurisdiction outside Myanmar’s influence, and keeping that server’s IP off block lists is an ongoing task. Public MTProto proxy lists published online are typically harvested by censors within days of publication and blocked quickly.
The second approach is mobile SOCKS5 to a neutral jurisdiction. A SOCKS5 connection over port 443 to a residential mobile carrier IP in a politically neutral country is difficult to distinguish from an ordinary HTTPS request at the handshake level. The exit IP belongs to a real consumer mobile network, not a datacenter, so it’s not on any commercial VPN block list. Telegram routed through a Singapore carrier IP reaches Telegram’s Singapore data center along a short, fast path that does not cross routing infrastructure where Myanmar-linked filtering applies. Singapore SOCKS5 for Telegram in Myanmar covers this configuration in detail, including how to enter the proxy settings directly in the Telegram app.
The third approach is Tor with obfs4 transport. obfs4 wraps Tor traffic in a randomised byte stream that has no identifiable signature for a DPI classifier to match against. The reliability of this approach against Myanmar’s current infrastructure is reasonable for text messaging. The practical limitation is latency. Routing through three Tor relays adds enough delay to make Telegram voice calls and video calls unusable, and large file transfers become painful. For users whose primary need is text communication and who prioritise anonymity above throughput, obfs4 Tor is a viable option. For users who need to use Telegram as a normal communication tool with media, voice, and responsive message delivery, the latency overhead is prohibitive.
We operate a network of Singapore-based residential mobile proxies because the second approach consistently outperforms the other two for everyday Telegram use. The pattern we’ve seen from Myanmar-based users follows a predictable sequence: commercial VPN, then discovery of the VPN IP blacklists, then attempting to self-host MTProto proxies on datacenter servers, then watching those get blocked as well. A carrier-grade mobile IP in Singapore solves the IP reputation problem at the root, because the IP belongs to SingTel, StarHub, M1, or Vivifi’s consumer mobile network, not to any VPN provider.
why Singapore mobile exits work where consumer VPN datacenter exits don’t
Consumer VPN providers build their networks on datacenter infrastructure because it is cheap and easy to scale. A NordVPN server in Singapore is sitting in a commercial data centre, using IP space allocated to a datacenter autonomous system number. Any censor with access to a routing table can distinguish “datacenter IP in Singapore” from “residential mobile IP in Singapore” by querying the ASN. Myanmar’s block lists target datacenter ASNs because that is where commercial VPN servers live. A SingTel mobile IP, by contrast, is allocated to SingTel’s consumer mobile network AS. It is the same address space that millions of SingTel subscribers use every day for ordinary browsing and app usage. There is no packet-level signal that distinguishes a proxied connection through a SingTel mobile IP from an ordinary SingTel subscriber visiting the same Telegram server, because the traffic flows through the same carrier infrastructure.
The cost asymmetry between datacenter IPs and carrier mobile IPs matters here in ways that directly affect censor behaviour. Datacenter IPs are inexpensive, abundant, and easy to discover at scale. A censor can identify every IP in a /16 block belonging to an AWS or Equinix ASN and block the entire range without worrying much about collateral damage to legitimate traffic. Blocking a SingTel consumer mobile IP range, on the other hand, requires blocking traffic that is indistinguishable from ordinary SingTel consumer sessions. That creates significant collateral damage and is technically and diplomatically costly. Real residential carrier IPs also cannot be provisioned at scale the way datacenter IPs can. Each one requires a physical SIM card in a physical modem connected to a real carrier’s network. This scarcity is a feature for our users. It means censors cannot apply systematic bulk-blocking logic the way they do with datacenter ranges.
Singapore’s geography matters for a second reason specific to Telegram. Telegram operates data centers in Singapore as part of its distributed infrastructure. When your Telegram session routes through a Singapore mobile exit, the path from the exit IP to Telegram’s server is entirely within Singapore’s domestic network routing. That path does not cross any international backbone where Myanmar-influenced filtering or partner-country filtering could apply. The result is lower latency than routing through European or North American VPN exits, and routing that avoids the transit hops where secondary filtering is most likely to intervene.
Singapore is also a politically neutral jurisdiction relative to Myanmar. Singapore does not participate in any coordinated censorship arrangement with Myanmar’s junta. Obtaining a proxy subscription through Singapore Mobile Proxy plans does not require any Myanmar-government-issued identification. The service accepts both cryptocurrency and standard credit cards, which matters for users in a jurisdiction where digital payment metadata is monitored. There is no local-country KYC requirement that would require a subscriber to present identification to authorities in their home country.
For context on how to think about proxy infrastructure use responsibly, the ethical mobile proxy use guide covers the relevant considerations.
what to switch to
The fastest practical change for someone who has been using NordVPN or ExpressVPN and watching Telegram fail is to stop using a VPN entirely for this purpose and replace it with a SOCKS5 proxy configured directly inside the Telegram app. Telegram has native SOCKS5 support on Android, iOS, and all desktop platforms. You don’t need a separate tunneling app. You don’t need to route all your device traffic through the proxy. You configure the proxy inside Telegram’s settings and only Telegram uses it.
An SMP subscription provides credentials in this format:
158.140.129.188:PORT:user:pass
Where 158.140.129.188 is the shared Singapore gateway IP, PORT is the port assigned to your subscription, and user:pass are your individual credentials. Before entering the settings in Telegram, verify that the proxy is reachable and that it can reach Telegram’s Singapore data center:
# test SOCKS5 reachability and connectivity to Telegram DC4 (Singapore)
curl -x socks5h://user:pass@158.140.129.188:PORT \
--connect-timeout 10 \
-o /dev/null -s -w "%{http_code} %{time_total}s\n" \
https://149.154.167.51/
# expected: 200 0.3s or similar sub-second response
# connection refused or timeout means wrong port or credentials
# try both socks5h:// and socks5:// if one fails
Replace user, pass, and PORT with the values from your subscription dashboard. A 200 response with a sub-second time confirms the proxy is reachable and the path to Telegram’s Singapore DC is clean. Then open Telegram, go to Settings, Privacy and Security, Advanced, and then Proxy Settings. Add a SOCKS5 entry with host 158.140.129.188, your assigned port, and your username and password. Telegram reconnects immediately through the Singapore carrier IP.
For users managing multiple accounts, assign separate SMP credentials per account. Sharing a single proxy credential across multiple accounts ties those accounts to the same IP session, which can cause Telegram to flag the accounts as related. multi-account Telegram in Myanmar covers credential isolation and session management in detail.
For users who are choosing between MTProto proxy and SOCKS5 and aren’t sure which fits their specific situation, mtproto vs socks5 telegram compares latency, anonymity properties, and configuration complexity across both approaches.
Sticky session mode keeps the same Singapore carrier IP for the duration of your Telegram session, which reduces re-authentication prompts and keeps Telegram’s connection state stable. Rotating mode assigns a new IP on each connection request, which is better for users running multiple independent accounts where IP correlation between sessions needs to be minimised. Both modes are available on all SMP plans. A free trial is available at /client/trial and requires no payment method upfront, so you can verify that the proxy path works from your specific ISP before purchasing a subscription.
FAQ
Q: Why does my VPN show connected but Telegram still fails to load? A: This is the two-layer problem. Your VPN tunnel connects through the first DPI layer. Then your Telegram traffic exits the VPN server and travels toward Telegram’s servers. A second DPI inspection point, or a routing block on Telegram’s IP ranges, resets the Telegram connection independently. The VPN handles one layer and the Telegram block is a separate, downstream filter.
Q: Does switching from OpenVPN to WireGuard fix the problem in Myanmar? A: No. Both protocols have distinctive handshake signatures that Myanmar’s DPI classifies. WireGuard’s fixed 148-byte handshake initiation is particularly easy to fingerprint. Switching protocols addresses the specific protocol signature, but Myanmar’s DPI maintains signatures for all common VPN protocols. Even if one protocol briefly evades detection, the exit IP blacklist problem remains regardless of which protocol you use.
Q: Is using a VPN or proxy legal in Myanmar in 2026? A: Myanmar law under the military government has criminalised VPN possession under broad cybercrime and national security statutes. Enforcement is selective but has been applied against journalists, activists, and ordinary users. Proxy tools occupy an ambiguous legal position under the same statutes. This article is informational only and does not constitute legal advice. Readers are solely responsible for assessing personal risk under applicable law.
Q: Why does a Singapore mobile IP work when a Singapore-based VPN server does not? A: The difference is autonomous system classification. A VPN server in Singapore is hosted in a commercial datacenter and its IP belongs to a datacenter ASN. Censors can identify and block datacenter ASN ranges systematically without significant collateral damage. A SingTel or StarHub mobile IP belongs to a consumer carrier ASN. Blocking those ranges would mean blocking all traffic from millions of legitimate SingTel and StarHub mobile subscribers, which creates collateral damage that makes bulk blocking impractical.
Q: Does Telegram’s “secret chat” feature help get around the block? A: No. Secret chat provides end-to-end encryption for message content, but the underlying MTProto transport protocol that carries the connection is the same for all Telegram chat types. Myanmar’s DPI classifies traffic by the protocol handshake and the destination IP range, not by the content of the messages. Secret chat does not change the observable characteristics of the connection.
Q: Which carrier in Myanmar is the most aggressive in blocking Telegram? A: MPT, the state-owned carrier, applies the most consistent and deepest filtering because it is directly under military government operational control and serves as the primary backbone operator. Ooredoo Myanmar and ATOM operate under equivalent regulatory mandates and have implemented the same DPI filtering requirements. Changing your SIM card between carriers does not reliably solve the problem because the blocking mandate applies to all licensed carriers.
Q: Does the time of day affect whether my VPN or proxy connection works? A: For VPN connections, time of day has minimal effect because the block list and DPI rules are applied continuously at the routing level, not on a schedule. However, some users have observed that connection reliability through any circumvention tool varies during peak traffic hours , evenings in Myanmar especially , because the censorship hardware operates under heavier load and may apply filtering less precisely, or conversely, may be more sensitive to anomalous traffic patterns when baseline traffic is high. For mobile SOCKS5, the exit IP’s availability depends on the carrier network at the exit location; Singapore carrier IPs are highly stable and not subject to routing changes during Myanmar peak hours.
Q: Can I use the same SOCKS5 proxy for both Telegram and other apps at the same time? A: Telegram’s built-in proxy setting applies only to Telegram. If you want other applications to use the same proxy, you would need to configure it at the operating system or router level, which is a different configuration entirely. For most Myanmar users trying to access Telegram specifically, configuring the proxy only inside Telegram is simpler and means your other device traffic is not affected. This also reduces the risk that high-volume traffic from other apps on the same proxy credentials could trigger rate limiting.
disclaimer
This article is provided for informational purposes only. Internet circumvention tools involve legal risk that varies significantly by jurisdiction. In Myanmar, the military government has enacted laws that explicitly criminalise VPN software use and that broadly restrict access to communications tools deemed a threat to national security. Enforcement of these laws is ongoing. Readers operating in Myanmar or connecting through Myanmar networks are solely responsible for understanding and complying with applicable local law. Singapore Mobile Proxy does not provide legal advice, and nothing in this article should be read as a recommendation to violate Myanmar law or the laws of any other jurisdiction.