
Censorship-circumvention protocols compared

Fexyn Team · 14 min read

If you read English-language VPN content, you have heard about WireGuard and OpenVPN. If you read Chinese-language or Russian-language tech forums, you have heard about a different family of protocols: Shadowsocks, V2Ray, Trojan, Hysteria, NaiveProxy, TUIC. This second family was built specifically to defeat censorship that the WireGuard / OpenVPN family cannot.

The English-speaking VPN industry has mostly ignored these protocols. That gap is widening as DPI in censorship-heavy markets gets better. In May 2026 the protocols that actually work in Russia, China, Iran, and Pakistan are mostly from the second family, not the first.

Here is the honest comparison: what each protocol is, how it tries to evade detection, where it succeeds and where it fails. We ship VLESS Reality and we will explain why we picked it over the alternatives — but we will not pretend the alternatives are bad. Several of them are excellent for specific situations.

The detection problem these protocols are solving

A modern censorship system does not need to decrypt your traffic to know what protocol you are running. It needs to recognise the shape of the traffic on the wire.

Three detection signals matter:

Protocol fingerprint. WireGuard's handshake initiation packet is always exactly 148 bytes with a fixed structure. OpenVPN's TLS handshake has distinctive timing. Even basic Shadowsocks streams look different from real HTTPS — high entropy from packet one, no preceding handshake.

Statistical entropy analysis. Encrypted traffic has high entropy (random-looking bytes). Normal HTTPS traffic has mixed entropy: a structured TLS handshake with predictable certificate chains, then encrypted application data with characteristic record sizes. Streams that show high entropy from packet one without a TLS handshake stand out.

Active probing. When a censor sees a connection that might be a proxy, the censor sends its own connection to the same server. If the server's response differs from a legitimate service, the IP gets blocked.

Each protocol below tries to defeat some subset of these. None defeats all of them perfectly. The best ones come close.
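
The first two signals can be seen on the first payload of a flow alone. The sketch below is an added example, not Fexyn's code or any censor's implementation. It checks for the 148-byte WireGuard initiation (type byte 1 plus three reserved zero bytes, per the WireGuard message format), for a TLS handshake record header, and otherwise for high byte entropy with no handshake. The 7.0 bits-per-byte threshold, the 256-byte minimum and all sample payloads are constructed assumptions.

```python
import hashlib
import math
import struct
from collections import Counter

WG_INIT_LEN = 148  # WireGuard handshake initiation size quoted in the text

def shannon_entropy(data: bytes) -> float:
    """Empirical entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_wireguard_init(payload: bytes) -> bool:
    """Type byte 1, three reserved zero bytes, fixed total length."""
    return len(payload) == WG_INIT_LEN and payload[:4] == b"\x01\x00\x00\x00"

def is_tls_handshake_record(payload: bytes) -> bool:
    """TLS record header: content type 0x16, version 3.x, plausible length."""
    if len(payload) < 5:
        return False
    ctype, major, _minor, length = struct.unpack("!BBBH", payload[:5])
    return ctype == 0x16 and major == 0x03 and 0 < length <= 2 ** 14

def classify_first_packet(payload: bytes, transport: str,
                          threshold: float = 7.0, min_len: int = 256) -> str:
    """Label the first payload of a flow; threshold and min_len are assumptions."""
    if transport == "udp" and is_wireguard_init(payload):
        return "wireguard-handshake"
    if transport == "tcp" and is_tls_handshake_record(payload):
        return "tls-handshake"
    if len(payload) >= min_len and shannon_entropy(payload) >= threshold:
        return "high-entropy-no-handshake"
    return "unclassified"

def pseudo_random(n: int) -> bytes:
    """Constructed stand-in for ciphertext: SHA-256 in counter mode."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "wireguard": (b"\x01\x00\x00\x00" + pseudo_random(144), "udp"),
    "https": (b"\x16\x03\x01\x02\x00" + b"\x01\x00\x01\xfc\x03\x03" + bytes(506), "tcp"),
    "encrypted-from-byte-one": (pseudo_random(1024), "tcp"),
    "plain-http": (b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n" * 8, "tcp"),
}

if __name__ == "__main__":
    for name, (payload, transport) in SAMPLES.items():
        print(f"{name:24s} H={shannon_entropy(payload):.2f} "
              f"-> {classify_first_packet(payload, transport)}")
```

The stream that is encrypted from its first byte is the only sample that lands in the high-entropy bucket; the HTTPS sample is labelled by its record header before entropy is ever consulted, which is why protocols that perform a real TLS handshake escape this particular check.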

Shadowsocks (and Shadowsocks AEAD)

What it is. Shadowsocks was created in 2012 by a Chinese developer (clowwindy) to bypass the Great Firewall. It is a simple SOCKS5-style proxy with a stream cipher wrapping the connection. Originally chacha20-ietf-poly1305 was the recommended cipher; AEAD-based variants superseded it around 2018.

How it tries to evade detection. Shadowsocks does not. The protocol's only defence is that the encrypted traffic looks like random bytes, which is harder to fingerprint than a structured protocol like WireGuard. There is no TLS handshake, no fake-server, no active-probing resistance.

How it fails. The Great Firewall has been blocking Shadowsocks reliably since around 2017. The detection method evolved: first, signature-based detection caught early plain Shadowsocks; later, entropy analysis caught AEAD variants, because the absence of any TLS handshake combined with high-entropy payloads is itself a fingerprint. By 2024-2026, both Russian TSPU and the GFW achieve 30-60% Shadowsocks detection rates per community testing.

Where it still works. Lightly-filtered countries (Vietnam, parts of Indonesia, some periods in Turkey). Self-hosted Shadowsocks with obfs-tls or simple-obfs plugins occasionally still works in China but is fragile.

When to choose it. Almost never in 2026. Use Shadowsocks if you have specific operational reasons (existing infrastructure, simplicity, offline tooling) and you are not in a heavy-DPI country. Otherwise, move to Reality, NaiveProxy, or Hysteria.

V2Ray and VMess

What it is. V2Ray was created in 2015 as a more flexible successor to Shadowsocks. It supports multiple transports (TCP, mKCP, WebSocket, HTTP/2, QUIC) and multiple protocols layered on top (VMess, Shadowsocks, SOCKS, HTTP). VMess is V2Ray's native protocol — encrypted, with a timestamp-based authentication scheme.

How it tries to evade detection. V2Ray's flexibility is its evasion strategy. By layering VMess inside HTTP/2 over TLS to a real-looking domain, you can build a stream that looks superficially like HTTPS to a website. The "WebSocket + TLS + Web" deployment pattern was popular in 2017-2020.

How it fails. VMess itself has detectable patterns (the timestamp-based auth window is fingerprintable). The "WebSocket + TLS + Web" deployment requires you to operate a real-looking website behind the proxy — which is more operational complexity than self-hosters typically maintain. Active probing catches deployments that have a generic placeholder website that does not match the SNI claimed.

Where it still works. Self-hosted V2Ray with VMess + WebSocket + TLS to a real CDN-fronted domain still works in many places, including parts of China and Russia, if maintained carefully. Most commercial V2Ray deployments are detected.

When to choose it. If you are running a self-hosted setup and have the engineering effort to maintain a real-looking website behind the proxy, V2Ray remains viable. For a commercial VPN, Reality is the better choice — same XRay-core ecosystem, better detection resistance, less operational fragility.

Trojan-GFW

What it is. Trojan was created in 2019 specifically to defeat the Great Firewall. The design: perform a real TLS handshake to your server, but the certificate is your own (self-issued, or from Let's Encrypt). Authenticated clients tunnel; unauthenticated clients get served a real-looking website.

How it tries to evade detection. Better than Shadowsocks or V2Ray, because Trojan does a real TLS handshake — the entropy profile matches HTTPS. Active probing returns a real website, not a placeholder. Looks like a normal HTTPS site to most observers.

How it fails. The certificate is the giveaway. Trojan deployments use Let's Encrypt or self-signed certificates for domains the operator controls. Certificate Transparency logs show those certificates exist; if a censor compares a suspect server's certificate against what CT says about that domain (does the CT log show this is a real production site? Does the certificate's other subject names match what a real production site would have?), Trojan deployments stand out. Sophisticated censors deploy "active probing with TLS comparison" — connect to the suspect server, fetch the cert, compare against CT records for the claimed domain, flag inconsistencies.

Where it still works. Most countries with light DPI. China still catches well-deployed Trojan setups but inconsistently. Russia's TSPU catches Trojan that uses generic certs but misses Trojan with carefully-rotated certs and high-traffic camouflage domains.

When to choose it. If you are self-hosting and Reality is too operationally complex, Trojan with Let's Encrypt + a real fronting CDN is a reasonable second-best. For commercial VPNs, Reality is strictly better — Reality forwards a real third-party certificate, eliminating the CT-comparison vector.

VLESS Reality (with Vision flow)

What it is. Reality was released in XRay-core v1.8.0 in early 2023. The breakthrough: instead of using your own certificate (Trojan's pattern), Reality forwards the actual certificate of a real public site like Microsoft or Cloudflare. The server proxies unauthenticated connections to that real site.

The Vision flow (xtls-rprx-vision) added in late 2023 eliminates the TLS-in-TLS detection signal that would otherwise be visible through traffic analysis.

How it tries to evade detection. Reality is the only protocol on this list whose handshake is a real TLS 1.3 handshake to a real public site. The certificate the client sees is the actual Microsoft (or Cloudflare, or Apple) certificate, with the actual signatures from real CAs, in the actual Certificate Transparency logs. There is no fake to detect because nothing is fake.

The deception is structural: hidden inside the encrypted key-share extension of the TLS handshake, a small piece of cryptographic material identifies authenticated clients. Everything an observer can see is genuine HTTPS to a host they cannot afford to block.

How it fails (rarely). IP-reputation analysis: a censor noticing that a residential IP repeatedly opens long-lived TLS connections to a specific VPS that also proxies to Microsoft. Russia's TSPU has had limited success with this, blocking some VPS IP ranges. Detection rate against properly-deployed Reality from clean IP space is under 5% based on community reports through May 2026.

Where it works. Russia, China, Iran, Pakistan, UAE, Saudi Arabia, Turkey. Reality with Vision is the most reliable consumer-VPN protocol in active-DPI environments in 2026.

When to choose it. Any time you need a VPN that survives DPI. The only reasons not to choose Reality: speed (Reality runs over TCP, so on lossy mobile networks Hysteria can be faster), or self-hosting simplicity (Reality requires more configuration than Trojan or Shadowsocks). For everyday consumer VPN use in censorship-heavy markets, Reality is the answer.


Hysteria 2

What it is. Hysteria is a QUIC-based protocol designed for high-loss, high-latency networks. It uses a custom congestion control algorithm (Brutal) that aggressively recovers from packet loss. Hysteria 2, released 2023, added improved authentication and traffic masquerading.

How it tries to evade detection. Hysteria runs over QUIC (HTTP/3), so it looks superficially like browser HTTP/3 traffic. Hysteria 2 added masquerading mode that proxies unauthenticated connections to a real backend, similar to Reality's design. The certificate is your own (Let's Encrypt-style), so it shares Trojan's certificate-transparency vulnerability — though this is mitigated by HTTP/3 being newer and CT-comparison detection being less mature for QUIC than for TLS.

How it fails. QUIC fingerprinting is its own emerging field. Different QUIC implementations have detectable variations in how they handle packet number encryption, version negotiation, and ACK frequency. Hysteria's QUIC fingerprint is increasingly distinguishable from Chrome's QUIC fingerprint as detection methods improve. Some Iranian and Chinese ISPs throttle Hysteria more aggressively than other QUIC traffic.

Where it works. Mobile networks with high packet loss (where TCP-based protocols stall). Lightly-filtered censorship environments. Some periods in Russia and China where the QUIC fingerprint detection has not been deployed.

When to choose it. Mobile-heavy use cases on lossy networks where Reality's TCP performance is the bottleneck. Hysteria 2's UDP-over-QUIC handles packet loss far better than TCP. Where Reality fails for performance reasons (not detection reasons), Hysteria can be a better fit.

NaiveProxy

What it is. NaiveProxy was created by klzgrad to leverage Chrome's actual networking stack. The proxy server runs Caddy (a webserver). NaiveProxy clients use the Chromium network stack to make HTTP/2 connections to the Caddy server. The traffic is byte-identical to Chrome traffic because it literally is Chrome network code.

How it tries to evade detection. Strongest browser-fingerprint match of any protocol on this list. Detection requires distinguishing NaiveProxy's Chromium fingerprint from real Chrome's Chromium fingerprint, which is only possible at the timing/behavioural layer (real users have variable session patterns; NaiveProxy users have proxy-like patterns).

How it fails. Behavioural analysis catches users who run NaiveProxy 24/7 with sustained high-throughput flows that do not match real-user browsing patterns. The detection has not been widely deployed (it is more expensive than fingerprint-based detection), but architecturally NaiveProxy is not invulnerable.

Where it works. Russia, China, Iran, Pakistan — most active-DPI markets. Less widely deployed than Reality (smaller user base = harder to blend in with), but technically excellent.

When to choose it. Self-hosting with strong privacy requirements and willingness to maintain Caddy infrastructure. NaiveProxy is genuinely excellent for advanced users; its smaller deployment footprint is the main reason commercial VPNs do not ship it.

TUIC

What it is. TUIC (Thinking-Up-Initial-Connections) is a QUIC-based protocol designed for low-latency proxying. It runs over QUIC like Hysteria but with different congestion-control choices and authentication.

How it tries to evade detection. TUIC v5 added TLS-1.3-mimicry on top of QUIC for the handshake. The protocol is newer (2022-2023) and less battle-tested than Reality or Hysteria.

Where it works. TUIC is most popular in the Chinese-language self-hoster community. Commercial deployments are rare. Detection resistance is similar to Hysteria — works in many places, not yet under sustained attack.

When to choose it. Niche. If you are an advanced user who wants QUIC's loss-handling benefits with a cleaner protocol design than Hysteria, TUIC is worth investigating. For most users, Reality or Hysteria is the better-supported choice.

Comparison table

| Protocol | DPI resistance | Speed (clean network) | Speed (lossy network) | Maturity | Self-host complexity | Commercial VPN deployments |
|---|---|---|---|---|---|---|
| Shadowsocks AEAD | Low | Fast | Moderate | Mature | Low | Many, mostly small providers |
| V2Ray VMess | Low-moderate | Fast | Moderate | Mature | Moderate | Some |
| Trojan-GFW | Moderate | Fast | Moderate | Mature | Moderate | Few commercial |
| VLESS Reality + Vision | Highest | Moderate (TCP) | Moderate | Production | High | Fexyn, Astrill, few others |
| Hysteria 2 | Moderate-high | Very fast | Excellent | Recent (2023) | Moderate | Few commercial |
| NaiveProxy | High | Moderate | Moderate | Recent (2020) | Moderate | None at scale |
| TUIC v5 | Moderate-high | Fast | Excellent | Recent (2023) | Moderate | None at scale |

Real-world detection rates (May 2026)

Based on community testing and our own server telemetry across the working pool of protocols:

| Country | Shadowsocks AEAD | Trojan | VLESS Reality+Vision | Hysteria 2 | NaiveProxy |
|---|---|---|---|---|---|
| Russia (TSPU) | Mostly blocked | Inconsistent | ~95% success | ~70% success | ~90% success |
| China (GFW) | 30-60% blocked | Inconsistent | Works, IP-block churn | ~60% success | ~85% success |
| Iran (FRA) | Mostly blocked | Inconsistent | Works | Inconsistent | Works |
| Pakistan (PTA) | Inconsistent | Inconsistent | ~80% success | ~50% success | ~70% success |
| UAE (TRA) | Throttled | Inconsistent | Works | Throttled | Works |

These numbers have meaningful uncertainty — they are based on community reports and our own telemetry, not formal academic measurements. The relative ranking is stable across reports we have seen; absolute percentages drift week to week.

Why Fexyn ships Reality

We considered all six protocols when we built Fexyn. The decision rested on four points.

Detection resistance. Reality with Vision is the strongest available against active DPI. NaiveProxy is comparable but with smaller deployed footprint, which means fewer users to blend in with — a long-term detection risk we did not want to take.

Production maturity. Reality has been in active production since early 2023, across thousands of self-hosted deployments and several commercial providers. The bug-fix cadence is healthy. The XRay-core ecosystem is well-maintained. By contrast, TUIC and Hysteria 2 are newer and have had more recent breaking changes.

TCP simplicity for our infrastructure. Reality runs over TCP. Our server fleet (Frankfurt, Helsinki, Cyprus, Ashburn) was already provisioned for TCP-based protocols. Switching to QUIC would have required rebuilding our backend. The TCP performance penalty on lossy networks is real but acceptable for the markets we serve.

Camouflage host availability. Reality requires a real public site as the camouflage target. Microsoft, Cloudflare, and Apple are all reasonable choices and difficult for any censor to block. The other protocols either do not need camouflage (Shadowsocks) or use self-controlled domains (Trojan) — neither of which is as resilient.

We do not pretend Reality is universally optimal. On lossy mobile networks Hysteria would outperform us. For self-hosters who want operational simplicity, Trojan or Shadowsocks are easier. NaiveProxy is technically excellent and we monitor whether to ship it as an alternative protocol.

For the markets we focus on — Russia, Turkey, the Gulf, Pakistan, Iran — Reality is the right answer in 2026.

What is likely to change

Protocol viability against censorship is not stable. Some predictions:

Reality's dominance will narrow. Russia's TSPU is investing heavily in detection. The Reality-vs-Reality+Vision distinction emerged in late 2025; another distinction will emerge by mid-2027. Reality will keep working but the configuration details that matter will shift.

Hysteria 2 / TUIC adoption will grow. As mobile networks dominate emerging markets and lossy-network performance becomes a bigger deal, QUIC-based protocols will catch up to Reality on detection resistance. The current 70% Russia success rate will rise.

NaiveProxy will get more commercial deployments. Browser-fingerprint matching is a strong long-term defence. The blocker has been operational complexity (running Caddy backends), which will get easier as tooling matures.

Shadowsocks will fade. Detection rates will keep climbing. Self-hosters will migrate to Reality or NaiveProxy. Commercial deployments are already rare and will get rarer.

The protocol you choose today is not a permanent decision. The healthy assumption is that detection improves continuously and that the right answer in 2027 will be different from the right answer in 2026. That is why Fexyn's auto-protocol-rotation (try Bolt first, fall back to Stealth on filtering, switch the camouflage target as Reality evolves) is more important than the specific protocol we ship at any given moment.

