When an SSL Handshake Fails but Your Code Is Fine: Real-Debrid

TL;DR

If every Real-Debrid call suddenly bombs with\ TLS connect error: packet length too long (or invalid SSL record) and you’re on a Turkish ISP, the state DPI filter is intercepting api.real-debrid.com ( 94.140.0.0/16 ).
Point your client at https://app.real-debrid.com instead—or route that /16 through a VPN—and everything works again.

What Happened?

1. Early 2025: Turkey’s national content-filtering infrastructure quietly added the entire 94.140.0.0/16 range (Real-Debrid’s API/download servers) to its block list.
2. The filter works even on port 443. When your client starts a TLS handshake, the DPI box injects a plain-text HTTP page (“Access denied”) instead of letting the SSL packets through.
3. OpenSSL/mbedTLS instantly bails out, surfacing cryptic errors like packet length too long or invalid SSL record.
4. The public front-end real-debrid.com lives on Cloudflare (different IPs) and still loads fine, so Real-Debrid’s own /vpn checker says “Your IP isn’t blocked,” adding to the confusion.

How We Diagnosed It

2 Ways to Solve It

1 — Switch Hostnames (fastest)

Real-Debrid mirrors every API endpoint on app.real-debrid.com. Change your client’s base URL or hijack DNS (/etc/hosts, Pi-hole, OpenWrt dnsmasq). Takes under two minutes, survives router reboots, and needs no VPN.

2 — Selective VPN / WireGuard Tunnel

If you prefer to leave your automation code untouched:

• Install vpn-policy-routing on OpenWrt.
• Route 94.140.0.0/16 (or just api.real-debrid.com) through a Real-Debrid-friendly VPN exit.
• Everything else stays on your regular ISP line.

Final Thoughts

Sometimes the bytes you get back simply aren’t TLS at all. They’re a government filter talking clear-text on a port that’s supposed to be encrypted.

Now you know the signs, the root cause, and the 2-minute DNS fix. Happy (and still legal) torrent automation!