What is Reality (Reality protocol)
A transport for VLESS that performs a real TLS handshake to a real public site, forwarding that site's actual certificate so DPI sees ordinary HTTPS.
Reality is a transport mechanism for VPN traffic, added to XRay-core in version 1.8.0 in early 2023. It is used most often with the VLESS protocol; the combination is usually written "VLESS Reality" or just "Reality."
The problem Reality solves: how do you build a VPN connection that deep packet inspection cannot detect? Earlier obfuscation tools (Shadowsocks, Trojan, plain VLESS) tried to make traffic look like HTTPS. The detection problem they all hit: their TLS handshake is fake, their certificate is self-issued, or their behaviour during active probing differs from a real website.
Reality is structurally different. It performs a real TLS 1.3 handshake to a real public site like microsoft.com, and forwards that site's actual certificate to the client. The TLS handshake is real. The certificate chain is real. The site you appear to be connecting to is a real production service that millions of legitimate users connect to.
How it works
When a client connects to a Reality server:
- The client sends a TLS 1.3 ClientHello with the SNI of a real public site (microsoft.com, cloudflare.com, apple.com — the operator chooses).
- Hidden inside the encrypted key-share extension, the client passes a shortId and X25519 public key to authenticate.
- The Reality server opens its own TLS connection to the actual real site and performs a legitimate handshake.
- The certificate the real site returns is forwarded to the client. The chain validates against trusted CAs because it is a real certificate from real CAs.
- Authenticated clients get a tunnelled session inside the established TLS connection. Unauthenticated clients are transparently proxied to the real site, so any prober gets a real response.
There is no fake handshake to detect. The deception is structural — a small piece of cryptographic material hidden inside an otherwise-genuine TLS handshake.
The Vision flow
A subtle detection vector: when VPN traffic runs inside a TLS tunnel, the encrypted payload contains its own TLS handshakes (every HTTPS site you visit through the tunnel generates one). This creates a TLS-in-TLS pattern detectable through traffic analysis.
The Vision flow (xtls-rprx-vision) eliminates this. It detects when the inner payload is already TLS-protected and passes it through with minimal additional wrapping. The outer Reality TLS handles authentication and framing; the inner application TLS flows without redundant encryption.
The result is that VLESS+Reality+Vision traffic is statistically very close to a direct HTTPS connection to the camouflage host — the TLS-in-TLS pattern that earlier obfuscated protocols leaked is gone.
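The values described above (camouflage target, SNI, shortId, X25519 key, Vision flow) all live in one server inbound, and a mistake in any of them breaks the camouflage or the authentication. The following Python check is an added example, not code from this page, Fexyn, or XRay-core; the key names (realitySettings, dest, serverNames, privateKey, shortIds, flow) follow XRay-core's JSON configuration format, and the sample inbound, UUID and key are constructed.

```python
import base64
import re

VISION = "xtls-rprx-vision"

def lint_reality_inbound(inbound):
    """Return a list of problems in one VLESS+Reality inbound (parsed JSON dict)."""
    rs = inbound.get("streamSettings", {}).get("realitySettings", {})
    problems = []
    # Camouflage target must be host:port, and its host an accepted SNI.
    host, _, port = str(rs.get("dest", "")).rpartition(":")
    if not host or not port.isdigit():
        problems.append("dest is not host:port")
    elif host not in rs.get("serverNames", []):
        problems.append(f"dest host {host} missing from serverNames")
    # X25519 private key: unpadded base64url that decodes to exactly 32 bytes.
    key = str(rs.get("privateKey", ""))
    try:
        raw = base64.urlsafe_b64decode(key + "=" * (-len(key) % 4))
    except ValueError:
        raw = b""
    if len(raw) != 32:
        problems.append("privateKey is not a 32-byte base64url value")
    # shortIds: hex, even length, at most 16 characters; "" admits clients with none.
    ids = rs.get("shortIds", [])
    if not ids:
        problems.append("no shortIds configured")
    for sid in ids:
        if sid == "":
            problems.append("empty shortId accepted")
        elif not re.fullmatch(r"[0-9a-fA-F]+", sid) or len(sid) % 2 or len(sid) > 16:
            problems.append(f"shortId {sid!r} is not even-length hex (max 16 chars)")
    # Without the Vision flow the inner TLS handshakes are wrapped again (TLS-in-TLS).
    for client in inbound.get("settings", {}).get("clients", []):
        if client.get("flow") != VISION:
            problems.append(f"client {client.get('id')} does not use {VISION}")
    return problems

# Constructed sample inbound; the key is a dummy value, not a real secret.
SAMPLE_KEY = base64.urlsafe_b64encode(bytes(range(32))).decode().rstrip("=")
GOOD = {
    "protocol": "vless",
    "settings": {"clients": [{"id": "00000000-0000-4000-8000-000000000000", "flow": VISION}]},
    "streamSettings": {"network": "tcp", "security": "reality", "realitySettings": {
        "dest": "www.microsoft.com:443", "serverNames": ["www.microsoft.com"],
        "privateKey": SAMPLE_KEY, "shortIds": ["0123456789abcdef"]}},
}

if __name__ == "__main__":
    print(lint_reality_inbound(GOOD) or "no problems found")
```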
When it matters
Reality is overkill on networks without active VPN filtering. WireGuard is faster and simpler; use it where it works.
Reality matters in countries where standard VPN protocols get blocked: Russia (TSPU), China (Great Firewall), Iran (Filtering Resistance Agency), Pakistan (PTA), UAE and Saudi Arabia (carrier-level DPI), Turkey (BTK). In those networks, Reality with Vision is currently the most reliable consumer-VPN protocol.
How Fexyn ships it
Fexyn Stealth is our productisation of VLESS Reality with the Vision flow. The client receives the camouflage target, shortId, and X25519 keys from our API at connect time, so configuration updates do not require a client release. uTLS fingerprints are kept current so the ClientHello matches a recent Chrome, Firefox, or Safari.
The Fexyn rotation engine tries WireGuard first by default; if that is blocked, it switches to Stealth automatically. Users in known-restrictive networks (Russia, Iran, China) can pin Stealth as the default.
Read more in the Reality protocol guide, VLESS Reality on Fexyn, and How VLESS Reality makes VPN traffic invisible to censors.
Try Fexyn free for 7 days — Stealth is included on every plan.