VLESS Reality vs Trojan-GFW
Both perform real TLS handshakes. Trojan uses your own certificate; Reality uses a third party's. Reality survives Certificate Transparency comparison; Trojan increasingly does not.
Trojan-GFW (released 2019) and VLESS Reality (released 2023) both target the same problem and use related-but-different approaches. Reality is the architectural successor; Trojan still works in some environments but is increasingly detectable.
At a glance
| | Trojan-GFW | VLESS Reality + Vision |
|---|---|---|
| Released | 2019 | 2023 |
| TLS handshake | Real, to your own domain | Real, to third-party public domain |
| Certificate | Your own (Let's Encrypt typical) | Third party's actual cert (Microsoft, etc.) |
| Active probing response | Your own placeholder server | Real third-party site |
| Certificate Transparency vulnerability | Yes — your cert is in CT logs | No — you do not control the cert |
| Setup complexity | Moderate | Higher (camouflage host configuration) |
| Detection rates (China/Russia 2026) | Moderate, climbing | <5% |
The Trojan model
Trojan performs a real TLS 1.3 handshake to a server you control, using a certificate you obtained (Let's Encrypt typically). Authenticated clients tunnel; unauthenticated connections (active probers) get served a placeholder website you also configure.
The defence: the handshake is real, the certificate is real, the placeholder website is real. To passive observation, this looks like ordinary HTTPS to your domain.
The vulnerability: Certificate Transparency. CT logs contain every TLS certificate issued by major CAs. If a censor's active prober gets your certificate during a probe, they can compare it against what CT records say about your domain — and your Trojan deployment's cert pattern is recognisable.
Specifically: a real production website typically has a certificate that has been valid for months or years, has been renewed multiple times, has a corporate-style organisation field. A Trojan deployment typically has a Let's Encrypt cert issued days or weeks ago for a domain with no other production-cert history. The pattern is a flag.
Sophisticated DPI deployments — China's GFW, increasingly others — look at CT records during active probing and detect Trojan deployments by these patterns. The detection is not perfect but is meaningful.
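For a self-hoster auditing their own domain, the certificate-history patterns described above can be checked mechanically. The following is an added example, not code from Trojan, Xray or Fexyn; the record fields, flag names and thresholds are assumptions, and the sample histories are constructed rather than pulled from real CT logs.

```python
from datetime import date

# Thresholds are assumptions for illustration; the page gives no exact numbers.
MIN_HISTORY_DAYS = 180  # stands in for "valid for months or years"
MIN_ISSUANCES = 3       # stands in for "renewed multiple times"


def ct_footprint_flags(entries, today):
    """Return which of the CT patterns described above a domain's history matches.

    entries: one dict per certificate logged for the domain, with keys
    'not_before' (date), 'issuer' (str) and 'subject_org' (str or None).
    """
    if not entries:
        return ["no-ct-history"]
    flags = []
    oldest = min(e["not_before"] for e in entries)
    newest = max(entries, key=lambda e: e["not_before"])
    if (today - oldest).days < MIN_HISTORY_DAYS:
        flags.append("short-history")
    if len(entries) < MIN_ISSUANCES:
        flags.append("few-renewals")
    if not newest.get("subject_org"):
        flags.append("no-organisation-field")
    # A recently issued Let's Encrypt cert on a domain with no prior history
    # is the combination the text singles out.
    if "let's encrypt" in newest["issuer"].lower() and "short-history" in flags:
        flags.append("fresh-lets-encrypt-cert")
    return flags


# Constructed sample histories for hypothetical domains (not real CT data).
TODAY = date(2026, 3, 1)
FRESH_SELF_HOSTED = [
    {"not_before": date(2026, 2, 12), "issuer": "Let's Encrypt", "subject_org": None},
]
ESTABLISHED_SITE = [
    {"not_before": date(2023, 1, 10), "issuer": "Example Corporate CA", "subject_org": "Example Corp"},
    {"not_before": date(2024, 1, 8), "issuer": "Example Corporate CA", "subject_org": "Example Corp"},
    {"not_before": date(2025, 1, 6), "issuer": "Example Corporate CA", "subject_org": "Example Corp"},
]

if __name__ == "__main__":
    for name, history in [("fresh", FRESH_SELF_HOSTED), ("established", ESTABLISHED_SITE)]:
        print(name, ct_footprint_flags(history, TODAY))
```

An empty result means the history shows none of the listed patterns; each flag corresponds to one trait the text attributes to a typical Trojan deployment.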
The Reality model
Reality does NOT use your own certificate. The Reality server forwards the certificate of a real public site (microsoft.com, cloudflare.com, apple.com). Authenticated clients tunnel inside the established TLS session; unauthenticated connections are transparently proxied to the real public site.
The certificate the active prober sees is the real Microsoft (or Cloudflare, or Apple) certificate. CT records match. The certificate is what real users see when connecting to that domain. There is no Trojan-style cert-vs-CT mismatch because there is no fake.
The cost is operational: Reality requires the server to maintain real-time TLS proxying to the camouflage host. The configuration is more complex than Trojan.
Active probing resistance
Both protocols handle passive DPI similarly — real TLS handshake means entropy and timing match HTTPS norms. The difference is in active probing.
Trojan: prober connects, gets your placeholder website, can compare your certificate against CT for inconsistencies. Vulnerable.
Reality: prober connects, gets transparent-proxied to the real Microsoft site, sees real Microsoft certificate, sees real Microsoft response. Indistinguishable from a normal Microsoft visit.
This is the structural advantage Reality has over Trojan. The detection asymmetry has been growing as CT-based detection matures.
Vision flow
Reality with the Vision flow (xtls-rprx-vision) further eliminates the TLS-in-TLS pattern visible in traffic analysis. Trojan does not have an equivalent; the inner-TLS-inside-outer-TLS pattern is detectable through traffic analysis even though the handshakes are individually real.
For users in markets where traffic-analysis detection is sophisticated (China specifically, increasingly Russia), Reality + Vision is meaningfully more resistant than Trojan.
When each works
Trojan: mid-difficulty censorship environments. Iran's filtering catches some Trojan deployments; UAE's catches some. The pattern: sophisticated self-hosters maintaining careful domain hygiene get longer Trojan lifetime; casual deployments fail faster.
Reality: all the markets where Trojan fails. China, Russia, Iran, UAE, Saudi, Pakistan. Plus the rest of the markets where Trojan still works (Reality works there too).
In 2026, the practical recommendation is Reality. Trojan still has some operational lifetime but the detection trajectory is unfavourable.
Self-hosting
Trojan is easier to self-host. Standard tooling, minimal configuration beyond domain + certificate.
Reality requires choosing a camouflage host, configuring the proxy logic, managing the Vision flow, and picking and rotating shortIds. It needs specialised tooling (Xray-core) and has more moving parts.
For users who want to self-host with maximum simplicity, Trojan is friendlier. For users who want maximum detection resistance, Reality is better despite the complexity.
What Fexyn ships
Reality with the Vision flow as Fexyn Stealth. We do not ship Trojan as a primary protocol because Reality is operationally better in our target markets. Some commercial providers offer both as configurable protocol options.
Try Fexyn free for 7 days — Reality + Vision on every plan.