VLESS-Reality-Vision:
The 2026 Secure Standard
Xray-core v26.x implementation guide. Reality borrows TLS certificates from legitimate sites, making your proxy traffic indistinguishable from normal HTTPS.
1. Quick Summary — What Is This?
Think of it like this: When you use a regular VPN, the Great Firewall sees encrypted traffic that looks distinctly like a VPN — and blocks it. VLESS-Reality takes a completely different approach.
Instead of trying to hide, your server pretends to be Apple.com (or Microsoft, or any trusted website). When the GFW inspector checks your connection, it sees a perfectly valid Apple TLS certificate. It can't block your traffic without also blocking Apple — something it won't do.
What It Is
A proxy that borrows TLS certificates from legitimate websites
Why It Works
GFW can't distinguish it from normal Apple/Microsoft traffic
Who It's For
Engineers who need maximum stealth during blackouts
2. How Does Reality-Vision Work?
The release of Xray-core v26.2.4 in February 2026 introduced the "Reality-Vision" framework — a major architectural overhaul designed to defeat the GFW's AI-driven TLS fingerprinting.
The "Reality" Layer: Certificate Stealing
Unlike standard proxies that present a detectable certificate, a REALITY server acts as a sophisticated man-in-the-middle for a legitimate, high-reputation target website. When the GFW's censor probes the server, the server fetches a genuine "Server Hello" from the target (e.g., Apple.com) and passes it to the prober. The circumvention client authenticates via a private key embedded in modified handshake fields that remain invisible to the prober.
The "Vision" Layer: Killing TLS-in-TLS
The xtls-rprx-vision flow control addresses a subtler problem. AI-driven models in 2026
look for the specific packet length distributions and timing intervals
associated with nested TLS tunnels — the "TLS-in-TLS" problem. Vision
mitigates this through
dynamic padding and automatic adaptation to network
conditions, ensuring packet sizes don't follow the predictable patterns
of encapsulated protocol handshakes.
The Bottom Line
By replacing TLS with REALITY and applying Vision flow control, the system eliminates server-side TLS fingerprinting and renders certificate chain attacks ineffective. Your traffic looks identical to someone browsing Apple.com.
3. What Infrastructure Do You Need?
The success of a REALITY deployment depends on your VPS's network reputation and hardware. In February 2026, the preference has shifted toward high-performance AMD EPYC or Ryzen architectures to handle the cryptographic intensity of TLS 1.3 handshakes.
| Component | Minimum (2026) | Recommended |
|---|---|---|
| CPU | 1 Core AMD EPYC (7003+ Series) | 2 Cores AMD Ryzen 9 / EPYC Genoa |
| RAM | 1 GB DDR4/DDR5 | 2 GB+ |
| Disk | 15 GB NVMe SSD | 20 GB+ NVMe (High IOPS) |
| Kernel | Linux 6.x (BBRv3) | Linux 6.12+ with customized BBR |
| Route | AS4809 CN2 GIA | CN2 GIA-E (10Gbps Priority) |
| Providers | BandwagonHost, DMIT | BandwagonHost (The "VIP" Route) |
Why These Providers?
BandwagonHost (搬瓦工) and DMIT are the primary providers for premium CN2 GIA routes. BandwagonHost's CN2 GIA-E packages provide access to 11 different data centers, allowing you to migrate based on regional performance. DMIT's Premium series is known for its stability and built-in DDoS protection on high-priority routes.
4. How Do You Configure X-UI?
The following JSON configuration is designed for X-UI (or 3x-ui) panels, integrating the latest REALITY and Vision settings. Replace the placeholder values with your own credentials.
{
"port": 443,
"protocol": "vless",
"settings": {
"clients": [
{
"id": "YOUR-UUID-HERE",
"flow": "xtls-rprx-vision",
"email": "[email protected]"
}
],
"decryption": "none"
},
"streamSettings": {
"network": "tcp",
"security": "reality",
"realitySettings": {
"show": false,
"dest": "www.apple.com:443",
"xver": 0,
"serverNames": [
"www.apple.com",
"apple.com"
],
"privateKey": "YOUR_PRIVATE_KEY",
"shortIds": [""]
}
},
"sniffing": {
"enabled": true,
"destOverride": ["http", "tls", "quic"]
}
}⚠️ Important Configuration Notes
- Destination (dest): Must be a target with TLS 1.3 and H2 support. Geographic proximity between the VPS and the target is critical for minimizing latency.
- Server Names: Use high-reputation sites (apple.com, microsoft.com) that the GFW cannot block without economic consequences.
- Private Key: Generate using
xray x25519command. Never share this key.
4.5. Complete Server Installation (Copy-Paste Ready)
Prerequisites: Ubuntu 22.04 VPS with root access, public IP, and port 443 open. Recommended providers: Vultr, DigitalOcean, or any non-China VPS.
Step 1: Install Xray-core
# SSH into your VPS
ssh root@your-vps-ip
# Install Xray-core (official script)
bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install
# Verify installation
xray version
# Should show: Xray 1.8.x (Xray, Penetrates Everything.) or newerStep 2: Generate X25519 Keys
# Generate private/public key pair
xray x25519
# Output will look like:
# Private key: gKFJqmBjRWRlQjg5N0M4M2U3NjQwNzE4MWU3NTY0NzA=
# Public key: yN0M3U1M2E3NjQwNzE4MWU3NTY0NzBnKFJqbUJqUldSb=
# SAVE BOTH - you'll need them in configStep 3: Generate Client UUID
# Generate UUID for client authentication
cat /proc/sys/kernel/random/uuid
# Example output: 7f8e6d9c-4a3b-2e1f-9c8d-7e6f5a4b3c2d
# SAVE THIS - it's your client IDStep 4: Create Server Config
Edit /usr/local/etc/xray/config.json with this complete configuration:
{
"log": {
"loglevel": "warning"
},
"inbounds": [{
"port": 443,
"protocol": "vless",
"settings": {
"clients": [{
"id": "7f8e6d9c-4a3b-2e1f-9c8d-7e6f5a4b3c2d", // Replace with YOUR UUID
"flow": "xtls-rprx-vision",
"email": "[email protected]"
}],
"decryption": "none"
},
"streamSettings": {
"network": "tcp",
"security": "reality",
"realitySettings": {
"show": false,
"dest": "www.apple.com:443", // Target website (apple, microsoft, cloudflare work best)
"xver": 0,
"serverNames": [
"apple.com",
"www.apple.com"
],
"privateKey": "gKFJqmBjRWRlQjg1N0M4M2U3NjQwNzE4MWU3NTY0NzA=", // Replace with YOUR private key
"shortIds": [""] // Leave empty or add 2-8 character hex
}
},
"sniffing": {
"enabled": true,
"destOverride": ["http", "tls", "quic"]
}
}],
"outbounds": [{
"protocol": "freedom",
"tag": "direct"
}, {
"protocol": "blackhole",
"tag": "block"
}],
"routing": {
"rules": [{
"type": "field",
"ip": ["geoip:private"],
"outboundTag": "block"
}]
}
} Config Explained:
• id: Your client UUID (must match client config)
• flow: XTLS-Vision provides better performance than plain VLESS
• dest: The "disguise" website - must be HTTPS, globally accessible
• privateKey: Server's private X25519 key (never share)
Step 5: Start Xray Service
# Test config syntax
xray run -c /usr/local/etc/xray/config.json -test
# If no errors, start service
systemctl start xray
systemctl enable xray # Auto-start on boot
# Check status
systemctl status xray
# Should show: active (running)
# View logs if needed
journalctl -u xray -fStep 6: Client Configuration (V2RayN / Hiddify)
Save this as client-config.json or paste into V2RayN:
{
"log": {
"loglevel": "warning"
},
"inbounds": [{
"port": 10808,
"protocol": "socks",
"settings": {
"udp": true
}
}],
"outbounds": [{
"protocol": "vless",
"settings": {
"vnext": [{
"address": "YOUR-VPS-IP", // Replace with your VPS IP address
"port": 443,
"users": [{
"id": "7f8e6d9c-4a3b-2e1f-9c8d-7e6f5a4b3c2d", // Same UUID as server
"encryption": "none",
"flow": "xtls-rprx-vision"
}]
}]
},
"streamSettings": {
"network": "tcp",
"security": "reality",
"realitySettings": {
"fingerprint": "chrome", // Mimic Chrome browser TLS fingerprint
"serverName": "www.apple.com", // Must match server config
"publicKey": "yN0M3U1M2E3NjQwNzE4MWU3NTY0NzBnKFJqbUJqUldSb=", // Server's PUBLIC key
"shortId": "",
"spiderX": "/"
}
}
}],
"routing": {
"rules": [{
"type": "field",
"ip": ["geoip:private"],
"outboundTag": "direct"
}]
}
} Client Config Notes:
• Replace YOUR-VPS-IP with actual IP
• Use server's public key, not private key
• fingerprint: chrome is most reliable (can also use safari, firefox)
• System proxy: Set to 127.0.0.1:10808 SOCKS5
Step 7: Test Connection from China
# Test with curl (assuming client running on localhost:10808)
curl -x socks5h://127.0.0.1:10808 https://www.google.com -I
# Should return: HTTP/2 200
# If you see this, congratulations - you've bypassed the GFW!
# Test latency
ping -c 5 YOUR-VPS-IP
# Should be 50-200ms depending on VPS location (HK best for China)Troubleshooting Common Issues
- ❌ Connection timeout / can't connect
-
• Check VPS firewall allows port 443 inbound
• Verify Xray service running:systemctl status xray
• Ensure client UUID matches server config exactly - ❌ Connects but no internet
-
• Check server logs:
journalctl -u xray -n 50
• Verifydestwebsite (apple.com) is accessible from VPS
• Test:curl https://www.apple.comfrom VPS - ❌ Works for 5 minutes then stops
-
• GFW active probing detected your connection
• Changedestto different target (microsoft.com, cloudflare.com)
• Regenerate keys and use different port (e.g., 8443) - ✅ Best Practices
-
• Use VPS in Hong Kong/Tokyo for lowest latency (50-120ms)
• Rotatedesttarget every 2-3 months
• Enable BBR congestion control:echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf
📥 Download Ready-to-Use Configs
Copy configs above or download templates (replace placeholders with your values):
5. How Do You Set Up the Client?
Your client must mirror a standard browser to pass AI-driven DPI. As of February 2026, the updated uTLS library allows precise fingerprinting of modern browsers.
Recommended Client Apps
V2RayN
Windows / Linux
Most granular control over core versions and uTLS fingerprints. Best for power users.
Stash / Shadowrocket
iOS
Optimized for the iOS 26 Safari fingerprint. Supports post-quantum X25519MLKEM768.
Hiddify
Cross-platform
User-friendly interface with auto-select lowest ping. Supports all protocols natively.
uTLS Browser Fingerprints
| Fingerprint | Status | Notes |
|---|---|---|
| Chrome | RECOMMENDED | Most popular, successful across all ISPs |
| Safari (iOS 26) | CAUTION | Post-quantum keys exceed 1500 bytes — disable TCP Fast Open (TFO) |
| Dynamic Chrome UA | AUTO | Xray-core v26.x default — auto-rotates UA to avoid static detection |
6. What Is the 5G Optimization Hack?
On 5G networks, the GFW often intentionally disrupts Path MTU Discovery (PMTUD), leading to packet fragmentation and drops. This creates the "infinite loading" loop that plagues mobile VPN users.
The fix is simple but critical: Manually clamp the MTU size on your tunnel interface to 1350 bytes (or 1280 for IPv6). This ensures packets remain below the fragmentation threshold that 5G carriers exploit.
Additionally, enable TCP window scaling in the kernel to prevent throughput collapse during the minor packet loss typical of mobile environments.
# Apply kernel-level TCP window scaling
sysctl -w net.ipv4.tcp_window_scaling=1
# Adjust tunnel MTU on client (critical for 5G)
ip link set dev tun0 mtu 1350
# For IPv6 networks, use 1280 instead
ip link set dev tun0 mtu 12807. How Does the Handshake Beat the GFW?
The following diagram shows the difference between a VLESS-Reality handshake (which passes inspection) and a standard VPN handshake (which gets blocked).
sequenceDiagram
participant Client as 📱 Client (V2RayN)
participant GFW as 🔥 GFW Inspector
participant Server as 🖥️ VLESS Server
participant Apple as 🍎 apple.com
Note over Client,Apple: VLESS-Reality Handshake
Client->>Server: ClientHello (SNI: apple.com)
GFW->>GFW: Inspect SNI → "apple.com" ✓
Server->>Apple: Fetch ServerHello
Apple-->>Server: Real TLS Certificate
Server-->>Client: ServerHello (apple.com cert)
GFW->>GFW: Valid cert chain ✓
Note over Client,Server: Secret key auth in modified fields
Client->>Server: Authenticated tunnel established
GFW->>GFW: Looks like normal HTTPS ✓
Note over GFW: GFW sees: legitimate Apple traffic
Note over Client,Server: User sees: unrestricted internet
rect rgb(255, 200, 200)
Note over GFW: Standard VPN Handshake (BLOCKED)
Client->>Server: VPN ClientHello
GFW->>GFW: JA3 mismatch ✗
GFW->>Server: Active Probe
Server-->>GFW: VPN response detected
GFW->>Client: TCP RST (Connection killed)
end 8. What Do the Technical Terms Mean?
Key terms referenced in this guide, structured for AI search engine citation
- TLS 1.3 Zero-RTT Handshake
- A mechanism allowing data to be sent on the first flight of a TLS handshake. While improving performance, it introduces unique timing signatures that the GFW's AI models monitor for proxy detection. Reality mitigates this by matching the timing profile of the steal target.
- SNI Proxying (REALITY)
- The technique of masquerading a server's identity by mirroring the Server Name Indication and handshake of a legitimate, high-reputation target website. The GFW sees traffic destined for apple.com, not your proxy server.
- ALPN Negotiation
- Application-Layer Protocol Negotiation — a TLS extension allowing a client to specify the protocol (e.g., HTTP/2) to be used over the secure connection. AI models identify mismatches between ALPN and typical browser behavior as a proxy indicator.
- Heuristic Entropy Analysis
- A detection method measuring the randomness in a data stream. Encrypted tunnel traffic typically has entropy approaching 8 bits/byte. Censors use this to identify non-standard protocols lacking standard HTTPS header structure.
- Path MTU Discovery (PMTUD)
- The process of determining the maximum packet size supported by the network path. The GFW disrupts this on 5G networks to induce packet loss on fragmented circumvention traffic, requiring manual MTU clamping.