Fexyn
Fexyn

Glossary

What is VLESS

A VPN protocol designed to look indistinguishable from regular HTTPS traffic, used to defeat DPI in censored countries.

VLESS is a VPN protocol that runs on XRay (a fork of v2ray-core). It was built specifically for users in countries where standard VPN protocols get fingerprinted and blocked by deep packet inspection.

The headline feature is Reality mode. Standard "obfuscated" VPNs try to make their handshake look like HTTPS — but the handshake they generate isn't a real one, and DPI can usually tell. VLESS Reality does something different: it performs an actual TLS 1.3 handshake to an actual public website. The certificate served back is the real certificate. The SNI is the real SNI. To DPI, the connection is structurally identical to any other HTTPS session to that host.

How Reality works

The flow:

  1. The Fexyn client opens a TCP connection to a Fexyn server and sends a TLS 1.3 ClientHello with the SNI of a real public site (microsoft.com, cloudflare.com, or a similar high-traffic host). A small piece of authentication material (shortId + X25519 public key) is hidden inside the encrypted key-share extension.
  2. The Fexyn server opens its own TLS connection to the actual real site and forwards the handshake.
  3. The certificate the real site returns flows back to the client unchanged — it is the real certificate from the real CA. The chain validates. The handshake completes.
  4. Authenticated clients get a tunnelled VPN session inside the established TLS 1.3 connection. Unauthenticated probers are transparently proxied to the real site, so they get a real response.

For DPI watching the wire, the traffic looks like a normal HTTPS browser session to a major public site. Same SNI as everyone else's connection to that site. Same certificate. Same handshake timing and behaviour as a real browser.

To block this, the censor would have to block the handshake host — and that host is something like Microsoft or Cloudflare, which most other internet traffic in the country also depends on. The collateral damage is too high.

Why this is structurally different

Most "obfuscation" approaches start from a VPN protocol and try to disguise it as HTTPS. VLESS Reality starts from real HTTPS and carries VPN data inside it. The difference matters: "looks like HTTPS to a quick glance" is fingerprintable; "is HTTPS, indistinguishable from any other HTTPS session to the same host" is not.

In countries running TSPU (Russia), GFW (China), or BTK-mandated DPI (Turkey), this matters. A standard WireGuard connection gets throttled within seconds. VLESS Reality keeps working.

Cost

VLESS Reality is heavier than WireGuard:

  • Extra latency from the TLS 1.3 handshake (~100-200 ms more on initial connect).
  • More CPU on the client because of the heavier cryptography.
  • Slightly higher per-packet overhead than WireGuard.

It's worth it when WireGuard is blocked. It's overkill when WireGuard works fine.

How Fexyn ships it

Fexyn Stealth is VLESS Reality. Fexyn's rotation engine tries WireGuard first by default; if WireGuard fails or gets throttled, it falls back to Stealth. Users in known-restrictive networks (Turkey, Russia, Iran, China) can pin Stealth as the default in app settings.

Read more in VLESS Reality on Fexyn, What is the VLESS protocol, and VLESS Reality explained.

Try Fexyn free for 7 days — Stealth is included on every plan.

Related terms

Try Fexyn free for 7 days

Windows app available now in Beta. WireGuard, VLESS Reality, and OpenVPN with no browsing-history, DNS-query, or traffic-content logs.

See pricing
What is VLESS — What It Is and Why It Matters | Fexyn VPN