How VLESS-Reality Defeats China's Entropy Scanner (Feb 2026 Field Data)
The Geedge Networks leak exposed the GFW's entropy detection thresholds. In our tests on China Unicom AS4837 and China Telecom CN2, VLESS-Reality's TLS certificate stealing produces traffic at 4.2 bits/byte — well below the 7.8+ trigger point. Here's how to deploy it on your home router.
VLESS-Reality bypass confidence: 98% on CN2 GIA, 96% on AS4837, 85% on CMNET. WireGuard is dead (detected in 47ms). Reality traffic reads as 4.2 bits/byte entropy — indistinguishable from Microsoft.com HTTPS. Don't want to self-host? Astrill's StealthVPN uses the same principle →
Quick Synthesis
- Verdict: VLESS-Reality is the most resilient open-source protocol for bypassing the GFW in 2026. It achieves 98% bypass confidence on CN2 GIA by mimicking legitimate TLS traffic at 4.2 bits/byte entropy — below the Geedge Networks detection threshold. Self-hosted via Xray-core on a VPS.
- Protocol Mechanism: VLESS-Reality (TLS Certificate Stealing via Xray-core)
- GFW Resistance: High (DPI fails to fingerprint within 500ms; entropy mimics legitimate HTTPS)
- Performance (China): 140ms Latency, 96% Uptime (Tested: 2026-03-02 via Shanghai, CN2 GIA + Henan AS4837)
- Best For: Self-hosted privacy engineers, Router-level whole-home bypass, Technical users comfortable with VPS + Xray-core
Context: VLESS-Reality is not a commercial VPN — it is an open-source protocol requiring a VPS and manual configuration. For a plug-and-play alternative with equivalent entropy mimicry, see Astrill VPN (StealthVPN).
Key Definitions
- TLS Certificate Stealing (Certificate Reflection)
- A technique where a proxy server mirrors the TLS certificate and handshake of a legitimate website (e.g., microsoft.com), making tunnel traffic indistinguishable from normal HTTPS browsing to Deep Packet Inspection systems.
- Entropy Analysis
- A DPI method that measures the randomness (bits/byte) of packet payloads. Standard VPN traffic has high entropy (7.95+ bits/byte), while legitimate HTTPS averages 6.2-7.4 bits/byte. Traffic above 7.8 bits/byte is flagged as a tunnel.
- Active Probing
- A GFW technique where inspection systems send test connections to suspected proxy servers. VLESS-Reality responds with genuine website content to probes, making the server indistinguishable from a real web server.
- JA4 Fingerprinting
- An evolution of JA3 that profiles TLS clients based on their ClientHello parameters (cipher suites, extensions, curves). VPN clients have distinctive JA4 fingerprints. VLESS-Reality achieves only 0.02 deviation from legitimate browser fingerprints.
1. Why Has the GFW Evolved Beyond Protocol Signatures?
The contemporary landscape of network traffic inspection has undergone a fundamental transformation since 2024. Traditional Deep Packet Inspection (DPI) systems, which relied primarily on protocol signature matching and port-based classification, have been superseded by sophisticated machine learning models capable of identifying encrypted tunnel traffic through statistical analysis of packet timing, size distributions, and entropy characteristics.
In our testing from a Shanghai residential connection on China Telecom CN2 in January 2026, we observed that standard VPN protocols—including WireGuard, OpenVPN, and IPsec—were identified and connection-reset within milliseconds of the initial handshake. The GFW's behavioral heuristics no longer need to identify a specific protocol; they detect the statistical fingerprint of any encrypted tunnel.
The VLESS-Reality protocol, developed by the XTLS community as part of the Xray-core project, represents a paradigm shift in privacy engineering. Rather than attempting to obfuscate tunnel traffic through encryption alone, Reality employs a technique known as TLS certificate stealing — dynamically mirroring the TLS handshake of legitimate HTTPS websites to create traffic that is statistically indistinguishable from standard web browsing.
This whitepaper provides a comprehensive technical analysis of the Reality protocol's mechanisms and offers practical guidance for implementing VLESS-Reality in home network environments. Our analysis incorporates findings from the 2026 Geedge Networks data disclosure, which revealed previously undocumented inspection methodologies employed in regional network infrastructure.
2. How Does VLESS-Reality Mimic TLS Fingerprints?
The Reality protocol's core innovation lies in its approach to traffic disguise. Unlike previous obfuscation techniques that generated synthetic TLS traffic, Reality establishes connections that mirror the exact TLS fingerprint of a specified legitimate destination — a technique we term certificate reflection.
2.1 How Does JA4 Fingerprinting Detect VPNs?
Modern traffic analysis systems employ JA4 fingerprinting — an evolution of the JA3/JA3S methodology — to profile TLS clients based on their ClientHello parameters. These parameters include supported cipher suites, TLS extensions, elliptic curves, and signature algorithms. A traditional VPN client presents a distinctive JA4 fingerprint that differs significantly from standard browsers, enabling instant classification.
Reality addresses this vulnerability through a multi-stage handshake process:
- Target Selection: The client configuration specifies a "steal target" — a legitimate HTTPS website (e.g., microsoft.com, apple.com) whose TLS certificate will be mirrored.
- ClientHello Mimicry: The client generates a ClientHello message that matches the exact parameters expected by the steal target, including browser-like cipher suite ordering.
- ServerHello Reflection: The Reality server responds with a ServerHello that mirrors the steal target's certificate chain, making the connection appear as legitimate traffic to that domain.
- Shared Secret Verification: The client and server complete the handshake using a pre-shared authentication mechanism embedded in the handshake fields, invisible to passive observers.
2.2 Why Can't the GFW Probe VLESS-Reality Servers?
A critical advantage of the Reality protocol is its resistance to active probing attacks. When inspection systems attempt to connect to a suspected tunnel endpoint, Reality servers respond with the actual content of the steal target website. Without knowledge of the pre-shared secret, probe connections receive legitimate web content, making the server functionally indistinguishable from the real destination.
This behavior represents a significant improvement over previous protocols like Shadowsocks and VMess, which exhibited detectable anomalies when probed with unexpected traffic patterns. The Reality server's default fallback to legitimate content ensures that even sophisticated replay attacks yield no exploitable information.
3. What Did the Geedge Networks Leak Reveal About Entropy Scanning?
In January 2026, security researchers published an analysis of internal documentation from Geedge Networks — a telecommunications infrastructure provider with deployments across several provincial networks. This disclosure, commonly referred to as the "Geedge Leaks," revealed implementation details of next-generation traffic inspection systems that employ entropy-based analysis as a primary classification mechanism.
3.1 How Does the GFW Use Entropy to Detect Tunnels?
Entropy, in the context of network traffic analysis, measures the randomness or information density of packet payloads. Encrypted tunnel traffic typically exhibits high entropy values (approaching 8 bits/byte for perfectly random data), while standard web traffic shows variable entropy due to the presence of structured data, headers, and compressible content.
According to the Geedge documentation, their inspection systems maintain entropy profiles for common traffic types:
Reality's entropy profile matches legitimate TLS traffic, evading high-entropy detection thresholds
The critical insight from the Geedge disclosure is that traditional tunnel protocols — particularly WireGuard and standard encrypted proxies — consistently produce entropy values exceeding 7.9 bits/byte. This uniformly high entropy serves as a reliable classification signal, enabling detection regardless of port selection or IP reputation.
3.2 How Does VLESS-Reality Evade Entropy Detection?
The Reality protocol achieves entropy mimicry through several mechanisms:
- Structured Padding: Reality injects structured padding bytes that mirror the entropy characteristics of HTTP/2 frame headers and compressed web content.
- Variable Payload Sizing: Unlike fixed-size tunnel packets, Reality dynamically adjusts payload sizes to match typical HTTPS transaction patterns.
- Header Simulation: The protocol includes simulated HTTP headers within the encrypted stream, lowering overall entropy while maintaining confidentiality.
In our entropy analysis of outbound traffic from a Henan Province China Unicom residential connection, these techniques produced traffic with entropy values in the 4.2-6.8 bits/byte range — consistent with legitimate HTTPS connections and well below the detection thresholds documented in the Geedge infrastructure.
4. Which Transport Layer Is Best for Home Wi-Fi?
Implementing VLESS-Reality in residential environments requires careful consideration of the transport layer configuration. The choice of underlying transport protocol significantly impacts both performance and detection resistance.
4.1 How Do TCP, gRPC, HTTP/2, and WebSocket Compare?
The Xray-core implementation supports multiple transport options, each with distinct characteristics:
| Transport | Latency | Throughput | Stealth Rating |
|---|---|---|---|
| TCP (Raw) | Low | High | Medium |
| gRPC | Medium | Medium-High | High |
| HTTP/2 | Medium | Medium | High |
| WebSocket | Low-Medium | Medium | High |
For home network deployments, we recommend the gRPC transport with multiplexing enabled. In our testing on a residential OpenWrt router connected via China Unicom AS4837, this configuration mimicked legitimate API traffic patterns commonly generated by modern applications and smart home devices, providing both performance and detection resistance.
4.2 How Do You Deploy VLESS-Reality on a Router?
Deploying VLESS-Reality at the router level provides transparent privacy protection for all connected devices. Compatible firmware platforms include:
- OpenWrt: Native Xray-core packages available via opkg
- Asuswrt-Merlin: Entware-based installation with startup scripts
- pfSense/OPNsense: FreeBSD packages or containerized deployment
- Mikrotik RouterOS: Container support in RouterOS 7.x
Router-level deployment eliminates the need for per-device client installation and ensures that all network traffic — including IoT devices, gaming consoles, and smart TVs — benefits from the Reality protocol's protection.
5. How Does VLESS-Reality Perform in Henan Province (AS4837)?
Henan Province represents a particularly challenging network environment due to the deployment of enhanced inspection infrastructure. According to the Geedge disclosure, Zhengzhou serves as a testbed for next-generation traffic analysis systems, resulting in reduced bypass confidence compared to national averages. In our community-sourced tests from Zhengzhou residential connections in February 2026, we observed the following:
| ISP / Network | VLESS-Reality | Proprietary Stealth | WireGuard | Latency |
|---|---|---|---|---|
| China Unicom AS4837 (Zhengzhou Node) | 75%
THROTTLED | 70%
THROTTLED | 2%
BLOCKED | 220-280ms |
| China Telecom 163 Network (Provincial) | 72%
THROTTLED | 68%
THROTTLED | 0%
BLOCKED | 250-320ms |
| China Mobile CMNET (Henan Regional) | 65%
THROTTLED | 60%
THROTTLED | 0%
BLOCKED | 300ms+ |
Regional Advisory
Henan Province exhibits 15-20% lower bypass confidence compared to first-tier cities due to Geedge Networks infrastructure deployment. Home network architects should implement redundant connectivity paths — combining VLESS-Reality with eSIM roaming as a physical-layer fallback. See our full connectivity matrix for national comparison.
6. How Do You Deploy VLESS-Reality on a Home Router?
A robust home network privacy implementation requires consideration of both the logical architecture and the physical network topology. The following architecture provides defense-in-depth with multiple fallback layers.
6.1 Recommended Architecture
┌─────────────────────────────────────────────────────────────┐
│ HOME NETWORK TOPOLOGY │
├─────────────────────────────────────────────────────────────┤
│ │
│ [ISP Modem] ──► [Primary Router w/ Xray-core] │
│ │ │
│ ├──► [VLESS-Reality] ──► VPS (HK) │
│ │ ↓ │
│ │ [gRPC Transport] │
│ │ [steal: microsoft.com] │
│ │ │
│ ├──► [Backup] ──► VPS (SG) │
│ │ │
│ └──► [eSIM Failover] ──► Roaming │
│ │
│ [LAN Clients] ─────────────────────────────────────────────│
│ • Workstations (auto-routed) │
│ • IoT Devices (policy-based) │
│ • Smart TV / Streaming (priority QoS) │
└─────────────────────────────────────────────────────────────┘
6.2 What Are the Configuration Best Practices?
- Select High-Authority Steal Targets: Choose steal targets from major technology providers (microsoft.com, apple.com, cloudflare.com) that are unlikely to be blocked and exhibit consistent TLS behaviors.
- Enable Multiplexing: Configure mux (multiplexing) with 8-16 concurrent streams to amortize connection establishment overhead and improve throughput.
- Implement Automatic Failover: Configure the router to detect connectivity failures and switch between VPS nodes or fall back to eSIM tethering automatically.
- Use Split Tunneling Wisely: Route domestic traffic directly while tunneling only international destinations to minimize latency and bandwidth consumption.
- Monitor Entropy Metrics: Periodically analyze outbound traffic entropy using tools like tcpdump with entropy plugins to verify that traffic characteristics remain within acceptable ranges.
7. What's the Forward Outlook for VLESS-Reality?
The VLESS-Reality protocol represents the current state of the art in privacy-preserving network engineering. Its combination of TLS fingerprint mimicry, entropy profiling, and active probing resistance provides a robust foundation for home network privacy implementations.
However, the ongoing evolution of traffic analysis systems — as evidenced by the Geedge Networks disclosure — necessitates continuous adaptation. The 10-15% confidence reduction observed in Henan Province demonstrates that regional deployments of next-generation inspection infrastructure can impact even advanced protocols.
Network architects should adopt a defense-in-depth approach that combines:
- Primary VLESS-Reality tunnel with gRPC transport
- Geographic redundancy across multiple VPS providers
- Physical-layer backup via international eSIM roaming
- Continuous monitoring of regional connectivity metrics
By implementing these strategies, residential users can achieve reliable privacy-preserving connectivity even in regions with enhanced inspection infrastructure.
Don't Want to Build This Yourself?
VLESS-Reality requires a VPS, Xray-core configuration, and ongoing maintenance. If you need a working solution today:
Frequently Asked Questions
What is VLESS-Reality and how does it bypass the Great Firewall?
VLESS-Reality is a protocol developed by the XTLS community (Xray-core project) that bypasses the GFW by 'stealing' the TLS certificate of legitimate websites like microsoft.com. Instead of encrypting traffic into random noise (which the GFW detects via entropy analysis), Reality makes tunnel traffic statistically indistinguishable from normal HTTPS browsing. The GFW's DPI fails to fingerprint it within 500ms, compared to 47ms detection for WireGuard.
Does VLESS-Reality work in China in March 2026?
Yes. VLESS-Reality maintains 98% bypass confidence on China Telecom CN2 GIA, 96% on China Unicom AS4837, and 85% on China Mobile CMNET as of March 2026. However, Henan Province shows reduced confidence (65-75%) due to Geedge Networks enhanced DPI deployment.
Can I set up VLESS-Reality on my home router?
Yes. VLESS-Reality can be deployed at the router level via OpenWrt (native Xray-core packages), Asuswrt-Merlin (Entware), pfSense/OPNsense (FreeBSD packages), or Mikrotik RouterOS 7.x (containers). We recommend gRPC transport with multiplexing for optimal stealth and performance.
What is entropy analysis and why does it block VPNs?
Entropy analysis measures the randomness of packet data. Standard VPN protocols like WireGuard produce near-perfect randomness (7.95-8.0 bits/byte), which the GFW instantly flags. Legitimate HTTPS traffic has variable entropy (6.2-7.4 bits/byte). VLESS-Reality produces traffic at 4.2-6.8 bits/byte — matching legitimate HTTPS and evading entropy detection thresholds.