
VLESS Reality: the protocol guide for VPN users in 2026

Fexyn Team · 17 min read

If you are looking for a VPN that works in Russia, Iran, China, or Pakistan in 2026, you have probably hit the same wall everyone else does. WireGuard handshakes get killed within seconds. OpenVPN is barely better. Most of the "stealth" or "obfuscated" modes from major brands are pattern-matched too.

The protocol that has held up is VLESS Reality. It is the technical reason a small number of consumer VPNs (including Fexyn) keep working in DPI-heavy networks while the household names get blocked.

This is the long version. What Reality actually is, why it works, where it does not, and where it sits relative to the other censorship-circumvention protocols you may have heard about.

What is VLESS Reality

VLESS is a transport protocol from the XRay-core project, originally built by developers in China who needed something the Great Firewall could not detect.

Reality is a feature on top of VLESS, released in Xray-core v1.8.0 in early 2023. Earlier obfuscation tricks tried to make VPN traffic look like HTTPS. Reality does not approximate. It performs an actual TLS 1.3 handshake to an actual public website, and forwards that site's actual certificate to the client.

Three things are real:

  • The TLS handshake is a real TLS 1.3 handshake, byte-identical to what your browser would send.
  • The certificate the server returns is a real certificate, signed by a real CA, for a real domain like www.microsoft.com.
  • The handshake target is a real production site that already serves millions of legitimate users.

There is nothing fake to detect. The deception is structural: hidden inside the handshake, a small amount of pre-shared cryptographic material identifies authenticated clients. Everything an observer can see is genuine HTTPS to a host they cannot afford to block.

Why "looks like HTTPS" was not enough

DPI does not need to decrypt your traffic to identify the protocol carrying it. It just needs to recognise the shape of the traffic on the wire.

WireGuard's handshake initiation is always exactly 148 bytes, with a 1-byte type field, three reserved zero bytes, a 4-byte sender index, and a 32-byte ephemeral public key. The structure never varies. Russia's TSPU can detect WireGuard with near-100% accuracy on the first packet.

OpenVPN has timing patterns and a recognisable control-channel framing. The Great Firewall has been blocking it reliably for years.

Earlier obfuscation tools tried to dodge this:

  • obfs4 wrapped traffic in a layer designed to look like random noise. Then DPI started flagging high-entropy streams that did not match any known protocol. Random noise is conspicuous when everything around it has structure.
  • Shadowsocks has the same entropy problem. AEAD variants helped, but the absence of a TLS handshake remained detectable. Chinese DPI flags Shadowsocks streams when they show high-entropy payloads from packet one, with no preceding handshake.
  • Trojan went further by performing a real TLS handshake and serving a real-looking website to unauthenticated probers. The break: Trojan uses a self-issued certificate, and Certificate Transparency logs make those certificates trivially distinguishable from the real Microsoft or Cloudflare certs they were trying to imitate.

The pattern across all of them: they tried to imitate normal traffic without actually being normal traffic. Given enough analysis, the imitation breaks.

How Reality actually works

Step by step, what happens when your client connects:

1. ClientHello. The Fexyn client opens a TCP connection to the Fexyn server and sends a TLS 1.3 ClientHello. The SNI field carries the real hostname of a real public site (we use rotating high-traffic targets — www.microsoft.com is the canonical example). The ClientHello is generated by uTLS to mimic a current Chrome, Firefox, or Safari fingerprint exactly. Any DPI looking at the ClientHello sees a normal browser opening a connection to Microsoft.

2. Authentication inside the handshake. Hidden inside the key-share extension (which TLS 1.3 keeps encrypted from passive observation), the client passes a shortId plus an X25519 public key. The server validates these. Authentication is invisible from outside the handshake.

3. The server connects to the real target. Concurrent with step 2, the Fexyn server opens its own TLS connection to the actual www.microsoft.com. It performs a legitimate handshake. Microsoft does not know or care that Fexyn is doing this; it looks like one more reverse proxy.

4. The real certificate is forwarded back. The certificate chain Microsoft returns gets handed back to the client. The client verifies it the same way a browser would. The chain is genuine, the SCTs are in Certificate Transparency, the issuer is a public CA.

5a. Authenticated clients tunnel. If step 2 passed, the server uses the established TLS session as a transport for VLESS frames. VPN data flows inside what looks like an HTTPS session to Microsoft.

5b. Unauthenticated clients are forwarded. If a censor's prober connects without valid credentials, the server transparently proxies them to the real www.microsoft.com. They get real Microsoft content. Real headers. Real TLS records. Real everything. The server is indistinguishable from a legitimate reverse proxy in front of Microsoft.

That is the whole game. A passive observer sees HTTPS to Microsoft. An active prober gets Microsoft. The only thing that distinguishes a real Reality client from any other Microsoft visitor is the encrypted shortId in the key-share extension, which the censor cannot read.
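The authenticate-or-forward decision from steps 1, 2 and 5 above, as an added Go example that is neither Xray-core's code nor Fexyn's. It is a simplified model: the client's ephemeral X25519 public key rides in the ordinary TLS 1.3 key_share, and the sealed shortId rides in the 32-byte session_id field (Reality's real wire format differs in detail). The camouflage host name, the shortId values and SHA-256 in place of a proper HKDF are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"time"
)

type ClientHello struct {
	SNI       string   // plaintext, so DPI sees "www.microsoft.com"
	KeyShare  []byte   // ordinary TLS 1.3 key_share: the client's ephemeral X25519 public key
	SessionID [32]byte // authenticator; a real browser sends random bytes here, which look the same
}
// Server: long-term X25519 key (public half ships in client config) plus accepted shortIds.
type Server struct {
	Priv     *ecdh.PrivateKey
	ShortIDs map[[8]byte]bool
}
// aeadFor derives the per-connection AES-GCM key; SHA-256 stands in for a proper HKDF (assumption).
func aeadFor(shared []byte) cipher.AEAD {
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:])
	aead, _ := cipher.NewGCM(block)
	return aead
}
// BuildClientHello is steps 1-2: the SNI names the camouflage site and (timestamp || shortId) is sealed
// into session_id under the ECDH key. Zero nonce is safe (fresh key per ephemeral key); key_share is the AAD.
func BuildClientHello(serverPub *ecdh.PublicKey, shortID [8]byte, now time.Time) ClientHello {
	eph, _ := ecdh.X25519().GenerateKey(rand.Reader)
	shared, _ := eph.ECDH(serverPub)
	var plain [16]byte
	binary.BigEndian.PutUint32(plain[:4], uint32(now.Unix()))
	copy(plain[8:], shortID[:])
	h := ClientHello{SNI: "www.microsoft.com", KeyShare: eph.PublicKey().Bytes()}
	copy(h.SessionID[:], aeadFor(shared).Seal(nil, make([]byte, 12), plain[:], h.KeyShare))
	return h
}
// Route is step 5: "tunnel" for an authenticated client; every failure (random session_id from a browser
// or prober, replayed capture, unknown shortId) forwards to the real site in the SNI, leaking no signal.
func (s *Server) Route(h ClientHello, now time.Time) string {
	forward := "forward:" + h.SNI
	pub, err := ecdh.X25519().NewPublicKey(h.KeyShare)
	if err != nil {
		return forward
	}
	shared, _ := s.Priv.ECDH(pub)
	plain, err := aeadFor(shared).Open(nil, make([]byte, 12), h.SessionID[:], h.KeyShare)
	if err != nil {
		return forward
	}
	age := now.Sub(time.Unix(int64(binary.BigEndian.Uint32(plain[:4])), 0))
	if age < -time.Minute || age > time.Minute || !s.ShortIDs[[8]byte(plain[8:16])] {
		return forward
	}
	return "tunnel"
}
```

Every rejection path returns the same forwarding decision, which is the property that makes an active prober's view identical to a browser's.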

Active probing resistance

Censors do not just analyse traffic passively. They probe.

When the Great Firewall sees a connection that might be a proxy, it dispatches its own connection to the same server within minutes. If the server's response differs from a legitimate service, the IP gets blocked.

This is how every Trojan deployment eventually gets caught. A prober connects, fails to authenticate, and the server returns a placeholder web page. The placeholder might serve fine for HTML, but the certificate does not match what Certificate Transparency says that domain should have. Or the HTTP response headers are subtly different from the real software the domain claims to run. Small inconsistencies, but enough.

Reality has nothing to compare against because there is no fake. The active prober gets connected to the real Microsoft. Same certificate Certificate Transparency expects. Same headers Microsoft serves. Same content Microsoft hosts. There is no inconsistency to find.

The only remaining attack is IP reputation: noticing that an IP receives connections from residential users and also proxies to Microsoft, and that pattern is unusual. Russia's TSPU has had limited success with this, blocking some VPS IP ranges that match the pattern. The detection rate against properly-deployed Reality from residential-looking IPs is still under 5% based on community reports through early 2026.

The Vision flow and why TLS-in-TLS matters

There is one subtlety worth understanding. When you tunnel VPN traffic inside a TLS connection, every HTTPS site you visit through the tunnel generates its own TLS handshake. That creates TLS records nested inside TLS records: a "TLS-in-TLS" pattern visible through traffic analysis even when the data is encrypted.

The XTLS Vision flow (xtls-rprx-vision) detects when the inner payload is already TLS-protected and passes it through with minimal additional wrapping. The outer Reality TLS handles authentication and framing; the inner application TLS flows without redundant encryption.

A 2024 USENIX paper confirmed that VLESS+Vision traffic is statistically indistinguishable from a direct HTTPS connection to the camouflage host, even under packet-size and timing analysis. Without Vision, the TLS-in-TLS pattern would still be a viable detection signal.
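The recognizer that a pass-through decision like Vision's rests on, as an added Go example (not Xray-core's implementation, which is a fuller flow; this is a simplified stand-in): a payload is eligible to go through unwrapped only if it is a complete sequence of TLS records, and anything else keeps the outer tunnel's own encryption. The sample inner stream is constructed for the example.

```go
package main

import "encoding/binary"

// MaxRecord is the TLS 1.3 ciphertext record limit (RFC 8446, section 5.2).
const MaxRecord = 16384 + 256

// TLSRecordStream reports whether buf is a non-empty sequence of complete TLS
// records (content type 20-23, legacy version 0x0301-0x0304) and how many it
// contains. A short header, a bad version, a zero or oversized length, or a
// truncated final record all fail; a failing payload is not passed through and
// keeps the outer tunnel's own encryption.
func TLSRecordStream(buf []byte) (bool, int) {
	n := 0
	for len(buf) > 0 {
		if len(buf) < 5 {
			return false, n // record header cut short
		}
		ctype, major, minor := buf[0], buf[1], buf[2]
		if ctype < 20 || ctype > 23 || major != 3 || minor > 4 {
			return false, n // not a TLS record header
		}
		length := int(binary.BigEndian.Uint16(buf[3:5]))
		if length == 0 || length > MaxRecord || len(buf) < 5+length {
			return false, n // bogus length, or body not fully present
		}
		buf = buf[5+length:]
		n++
	}
	return n > 0, n
}

// record builds one TLS record of content type ctype with n bytes of opaque
// (here zero) content; a constructed helper for the sample below.
func record(ctype byte, n int) []byte {
	hdr := []byte{ctype, 3, 3, byte(n >> 8), byte(n)}
	return append(hdr, make([]byte, n)...)
}

// SampleInnerStream is a constructed inner HTTPS stream: one handshake record
// followed by two application_data records, the shape a pass-through accepts.
func SampleInnerStream() []byte {
	return append(append(record(22, 40), record(23, 100)...), record(23, 300)...)
}
```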

Fexyn ships VLESS Reality with the Vision flow by default. You do not have to think about it.

Why it matters: the DPI arms race

The protocol-level fight in 2026 is happening on three main fronts.

Russia's TSPU has been operational since 2021 and now sits at every licensed Russian ISP. It blocks WireGuard, OpenVPN, IKEv2, L2TP, plain VLESS without Reality, and SOCKS5 with high accuracy. Roskomnadzor has blocked 469 VPN services by name as of February 2026. Russia is also experimenting with blocking generic VLESS (without Reality) as of late 2025. Reality with Vision still gets through because the camouflage host is something Roskomnadzor cannot block without breaking essential services.

China's Great Firewall has been the hardest environment for VPNs since at least 2009. The April 2026 escalation physically unplugged thousands of relay servers and added entropy analysis, QUIC SNI inspection, and DoH identification. Shadowsocks detection now hits 30-60% accuracy. Reality keeps working because the camouflage flow looks like normal HTTPS to a host the GFW cannot block.

Iran's TLS-fingerprint MITM is a different beast. Iran's filtering infrastructure performs partial MITM on TLS handshakes during periods of unrest, looking for protocol fingerprints inside encrypted traffic. Plain WireGuard and OpenVPN do not survive this. Reality does, because Reality's handshake is, by construction, a real handshake to a real site.

Turkey's BTK-mandated DPI, Pakistan's PTA crackdown (December 2025), and Egypt's TE Data filtering all run lighter versions of the same playbook. The protocol-level filtering keeps escalating; Reality keeps adapting because there is no fake handshake to fingerprint.

VLESS Reality vs other protocols

Protocol | DPI resistance | Speed | Maturity | When to use
--- | --- | --- | --- | ---
WireGuard | None — fingerprinted by 148-byte initiation | Fastest | Production | Open networks. Anywhere without active VPN filtering.
OpenVPN | Low — recognisable handshake and timing | Slower than WireGuard | Mature | Compatibility fallback. Lightly-filtered networks.
Shadowsocks (AEAD) | Moderate — entropy analysis catches it in China | Fast | Mature | Older Chinese networks before 2024 escalation.
V2Ray VMess | Low-moderate | Moderate | Aging | Legacy XRay deployments.
Trojan-GFW | Moderate — caught by certificate-transparency mismatches | Fast | Mature | Improvement over Shadowsocks; still detectable by active probing.
Hysteria 2 | Moderate — QUIC fingerprints | Very fast on lossy networks | Recent | Mobile networks with high packet loss; some censorship-light environments.
NaiveProxy | High — uses Chrome's own networking stack | Moderate | Recent | When you need browser-grade indistinguishability for HTTP/2.
VLESS Reality + Vision | Highest — real TLS handshake, real certificate, real target | Moderate (TCP handshake overhead) | Production | Russia, China, Iran, UAE, Saudi Arabia, Pakistan, Turkey. Anywhere with active DPI.

The honest summary: in any country that is not actively trying to block VPN traffic, WireGuard wins on speed. As soon as the network starts filtering protocols, the answer is whichever Reality variant your provider ships. Hysteria has speed advantages on lossy mobile networks but its QUIC fingerprint is still a detection signal. NaiveProxy is technically strong but has a smaller deployed footprint, which means fewer providers ship it and fewer users to blend in with.

If you want to go deeper than this table, we have compared the major censorship-circumvention protocols in detail in a separate post.

Why most major VPNs do not ship Reality

This was the question we had before we started Fexyn, and it has a few answers.

Reality requires XRay-core. XRay is a Go codebase originally built for self-hosters in China. The major VPN brands all ship their own protocol stacks (NordVPN's NordLynx is custom WireGuard, ExpressVPN's Lightway is a custom protocol, Mullvad and ProtonVPN run modified WireGuard). None of them have rebuilt their server fleets and clients around an open-source codebase from a different ecosystem. Doing it properly is a significant engineering project.

Reality requires real camouflage targets. You cannot point Reality at a domain you control. A censor would notice that thousands of users connect to a domain hosted on the same VPS as your VPN server. You need to use major public sites (Microsoft, Cloudflare, Apple) and route through them transparently. The major VPN brands have not built this infrastructure.

Reality is harder to support. When a Reality connection fails, the failure modes branch: it could be the camouflage domain, the shortId, the X25519 keys, the uTLS fingerprint, the server's connection to the camouflage target, or half a dozen other things. WireGuard fails in three ways and you can diagnose each one in 30 seconds. Reality requires more depth in the support team.

Most VPNs have not had to. If your customer base is in the US, UK, and Germany, WireGuard works fine. The Reality moat exists for users in countries where WireGuard does not work. That is a smaller commercial market, which is why the brands optimised for the larger market do not invest in it.

We made the opposite choice. Fexyn was built primarily for users in censorship-heavy markets: Russia, Turkey, the Gulf, Pakistan, Iran. In those markets, Reality is not a feature. It is the only thing that works.

How Fexyn ships Reality

Fexyn Stealth is our productisation of VLESS Reality with the Vision flow. The technical details:

  • Server-side: XRay-core v26+ on every Fexyn server (Frankfurt, Helsinki, Cyprus, Ashburn).
  • Camouflage targets: rotating set of high-traffic public sites; the client receives a complete configuration from our API at connect time, so the camouflage target can be updated without a client release.
  • uTLS fingerprint: matches current Chrome, Firefox, and Safari fingerprints; we update these as browsers update so the fingerprint never goes stale.
  • Authentication: per-device shortId plus per-server X25519 keys, rotated every 24 hours via our PKI.
  • Vision flow: enabled by default, eliminates the TLS-in-TLS pattern.

Most users do not need to touch any of this. Fexyn's protocol rotation engine tries Fexyn Bolt (WireGuard) first because it is faster. If Bolt is blocked or throttled by your network, the client switches to Stealth automatically. You do not need to configure anything.

In countries where Bolt is known not to work (Russia, Iran, China), pin Stealth as the default in app settings. We document this on the country pages: Russia, Pakistan, UAE, Saudi Arabia, Turkey.

When Reality is the wrong answer

Reality is not free.

  • Latency. Reality adds about 100 ms to the connection setup compared to WireGuard, because of the extra TLS handshake to the camouflage target. After that, ongoing traffic is roughly the same as any other TLS session.
  • TCP overhead. Reality runs over TCP. WireGuard runs over UDP. On lossy networks (mobile, congested Wi-Fi), TCP head-of-line blocking causes occasional stalls that UDP would avoid.
  • CPU on the client. Reality's TLS 1.3 handshake is heavier than WireGuard's Noise handshake. On older phones or low-power machines, you will notice the difference at connect time.

If you are connecting from a network with no DPI (your home connection in Berlin, an airport in Amsterdam, an office in Toronto), there is no reason to pay these costs. WireGuard is faster, simpler, and works fine.

The decision is essentially: is anything between you and the open internet trying to block VPNs? If yes, use Stealth. If no, use Bolt. Fexyn's app makes the decision automatically by default.

Real-world detection rates

Based on community testing and our own server telemetry through early 2026:

Country | WireGuard | OpenVPN | VLESS Reality
--- | --- | --- | ---
Russia (TSPU) | Blocked instantly | Blocked or throttled | ~95% success
China (GFW) | Blocked | Blocked | Works, occasional IP-range blocks
Iran | Blocked | Intermittent | Works
Turkey (BTK) | Blocked during incidents | Throttled | Works
UAE (Etisalat / du) | Throttled | Throttled | Works
Pakistan (PTA) | Blocked since Dec 2025 | Blocked | ~80% success
Saudi Arabia (CITC) | Throttled, varies by carrier | Throttled | Works

The Russian success rate is limited mostly by IP-reputation blocking on specific VPS ranges, not by protocol detection. Pakistan's 80% rate reflects that PTA's DPI is ramping up and even Reality occasionally degrades on specific carriers at specific times. No protocol gives 100% reliability everywhere; Reality is the closest you can get in 2026.

Frequently asked questions

Is VLESS Reality the same as VLESS?

No. VLESS is the underlying protocol. Reality is a transport layer that wraps VLESS in a real TLS 1.3 handshake to a real public site. You can run VLESS without Reality (most early deployments did), but plain VLESS is now blocked in Russia and several other DPI environments. When people say "VLESS" in 2026, they almost always mean VLESS Reality with the Vision flow.

Can the Great Firewall block Reality?

To block Reality completely, China would need to block the camouflage host — Microsoft, Cloudflare, Apple. Doing that would break essential business services for Chinese users. So far, China has not been willing to pay that price. The active blocking against Reality is at the IP-reputation layer, which catches some deployments but not all.

Why forward to Microsoft instead of using your own domain?

If we used a Fexyn-controlled domain as the camouflage target, every connection would go to a Fexyn IP. A censor would notice the pattern: residential users connecting to fexyn-something.com is a recognisable VPN client. Using a real public site means our connections blend in with the millions of legitimate connections to that site every day.

How is this different from "stealth" or "obfuscated" modes from NordVPN, ExpressVPN, ProtonVPN?

Those modes wrap WireGuard or OpenVPN in TLS-like padding. The wrapper makes the traffic look TLS-shaped but it is not a real TLS handshake — there is no real certificate and no real target site. DPI in Russia, Iran, and several other markets has been pattern-matching that style of obfuscation since 2023. Reality is structurally different: there is no wrapper, the handshake is real.

Do I need to configure Reality myself?

Not on Fexyn. Sign up, install the app, connect. The app picks the right protocol for your network. In censorship-heavy markets, pin Stealth in settings to skip the auto-detection.

What about Hysteria, NaiveProxy, TUIC?

They are all interesting protocols. Hysteria 2 is excellent on lossy mobile networks. NaiveProxy uses real Chrome network code, so it has browser-grade indistinguishability. TUIC is a QUIC-based design with promising properties. None of them have Reality's combination of (a) real TLS to real public sites, (b) the Vision flow eliminating TLS-in-TLS detection, and (c) a deployed footprint large enough to blend into. We monitor them; right now Reality is the strongest available choice for the markets we serve. Our detailed protocol comparison covers each of them.

Will Russia block Reality next?

Russia is investigating it. The 2026 Roskomnadzor budget includes ~20 billion rubles a year for "permanent VPN censorship infrastructure." But the architectural problem is real: Reality cannot be blocked without blocking the camouflage host, and the camouflage hosts are sites Russia cannot afford to break. The pragmatic answer is that Reality will keep working until Russia is willing to break Microsoft and Cloudflare for ordinary users, which it has not been willing to do so far. We track the situation and will update this page as it evolves.


If you are in a country where standard VPN protocols stop working, try Fexyn free for 7 days. No card required. Stealth (VLESS Reality with Vision flow) is included on every plan. We use Tier 4 pricing ($2.99/month) for Russia, Pakistan, and several other markets. Crypto-only billing for Russia; card or crypto everywhere else.
