Shadowsocks vs Trojan-GFW

Shadowsocks (2012) and Trojan-GFW (2019) are both censorship-circumvention tools. Trojan was designed specifically because Shadowsocks had become detectable; it represents an architectural step forward. In 2026 both have been substantially superseded by VLESS Reality, but the comparison is useful for understanding the lineage.

At a glance

	Shadowsocks (AEAD)	Trojan-GFW
Released	2012, AEAD 2017	2019
Approach	Encrypted SOCKS5 stream	Real TLS handshake to your domain
Handshake	None	Real TLS 1.3
Certificate	None	Your own (Let's Encrypt typical)
Detection method	Entropy + active probing	CT log comparison + active probing
GFW detection rate (2026)	30-60%	Moderate, varies
Setup complexity	Low	Moderate
Speed	Fast	Slightly slower

How each works

Shadowsocks wraps a SOCKS5-style stream in symmetric encryption. From the first packet, the connection is encrypted bytes. There is no TLS handshake, no fake-server response if probed. The entire defence is "encrypted bytes look like nothing in particular."

Trojan performs a real TLS 1.3 handshake to your own server using your own certificate. Authenticated clients tunnel inside the TLS session; unauthenticated connections see a placeholder website you configure. To passive observation, the connection looks like ordinary HTTPS to your domain.

The architectural advance Trojan made over Shadowsocks: the handshake is real. Entropy classifiers cannot flag the connection because the TLS handshake's entropy profile is normal.

Why both have weakening positions

Shadowsocks weakened by entropy classifiers. Around 2017-2020, Chinese and other DPI deployments deployed classifiers that flag streams with high entropy from packet one and no preceding TLS handshake. Shadowsocks's architecture is exactly that pattern. AEAD variants helped briefly; current detection rates are 30-60% in heavy-DPI markets.

Trojan weakened by Certificate Transparency comparison. Trojan deployments use certificates the operator obtained from a CA — typically Let's Encrypt. The certificates appear in Certificate Transparency logs. Sophisticated DPI active probers compare the certificate they retrieve from the suspect server against CT records for the claimed domain. A Trojan deployment's cert pattern (recently issued, short renewal history, Let's Encrypt issuer for a not-otherwise-public domain) does not match what real production websites typically show. The pattern is a flag.

Both protocols still work in lighter-DPI environments. Both fail in the most aggressive markets (China's GFW post-April-2026 escalation, Russia's TSPU, Iran's FRA).

When each was the right tool

Shadowsocks (2012-2017): the canonical censorship-circumvention tool. Defeated the Great Firewall through 2014-ish; detection grew through 2015-2017.

Trojan (2019-2022): the next-generation answer when Shadowsocks became detectable. Worked well in heavy-DPI environments through 2020-2022. Detection has grown since.

VLESS Reality with Vision (2023-present): the current answer. Survives in environments where Shadowsocks and Trojan fail.

When each is still appropriate

Shadowsocks: lightly-filtered networks. Self-hosting projects with tooling already in place. Some legacy deployments. Generally not a 2026 recommendation for users in heavy-DPI markets.

Trojan: mid-difficulty environments. Self-hosters with domain-management infrastructure. Users specifically wanting to avoid the operational complexity of Reality.

Reality: any active-DPI market. The current answer for users in Russia, China, Iran, UAE, Pakistan, Saudi, Turkey.

What Fexyn ships

Reality with the Vision flow as Fexyn Stealth. We do not ship Shadowsocks or Trojan as primary protocols. The censorship-circumvention space has moved past both for the markets we serve.

Try Fexyn free for 7 days — Stealth (VLESS Reality + Vision), the current-generation censorship-circumvention protocol.