Why Protocol Choice Matters for Proxy Users
The protocol your proxy or tunnel uses determines three things that directly affect your success rate: whether your traffic can be detected and blocked by Deep Packet Inspection (DPI), how much latency and overhead the encryption adds, and how resilient your connection is when a network operator actively tries to shut it down.
In 2024, the landscape was simpler. WireGuard worked almost everywhere, Shadowsocks was the go-to for China, and VLESS was a niche tool for power users. By April 2026, the situation has changed dramatically. DPI systems have evolved to fingerprint WireGuard's handshake in real time. Shadowsocks' AEAD ciphers are now flagged by the Great Firewall within minutes. Network operators in Russia, Iran, and the UAE have deployed commercial DPI appliances that detect and throttle all traditional VPN protocols.
VLESS Reality emerged as the protocol that solves the detection problem at a fundamental level, not by hiding traffic inside encryption, but by making traffic indistinguishable from legitimate HTTPS connections to real websites. This comparison breaks down exactly how each protocol handles detection, performance, and compatibility with mobile proxy infrastructure.
Quick Comparison Table
| Feature | VLESS Reality | WireGuard | Shadowsocks | Trojan-Go |
|---|---|---|---|---|
| DPI Resistance | Excellent | Poor | Moderate | Good |
| Speed Overhead | 2-5% | 1-3% | 5-8% | 8-12% |
| Setup Complexity | Medium | Easy | Easy | Medium-Hard |
| Mobile IP Support | Native | Limited | Good | Good |
| Detection Rate (2026) | <0.1% | 85-95% | 30-60% | 3-8% |
| Best For | Censored networks, proxy infra | Trusted networks, gaming | Legacy setups, simple bypass | High-stealth web browsing |
| Active Development | Very active (xray-core) | Stable, minimal changes | Slow / maintenance | Moderate |
VLESS Reality Deep Dive
VLESS Reality is the current state of the art for hard-to-detect tunneling. Developed by the XTLS team as part of Xray-core, Reality addresses the weakness that every previous TLS-based proxy protocol shared: the proxy has to present a TLS identity, and an identity the operator owns is a clue.
How Reality Camouflages Traffic
Traditional TLS-based proxies (including Trojan and earlier VLESS configurations) require a valid TLS certificate for their own domain. This creates a detectable pattern: if a DPI system sees TLS traffic to your-proxy-server.com and checks whether that domain has legitimate web content, it can infer the connection is likely a proxy tunnel.
Reality removes the operator's own domain from the picture by borrowing the identity of a real website. The client sends a ClientHello whose SNI is the impersonated site (say, www.microsoft.com or www.apple.com), using a browser-like TLS fingerprint, and hides a short authentication value in the 32-byte session ID field that TLS 1.3 clients fill with random bytes anyway. The server can verify that value because it is derived from the server's X25519 key pair and one of the configured short IDs. If verification succeeds, the server completes the handshake itself and the tunnel begins; the client accepts the server's temporary certificate because it checks it against the shared key rather than a CA chain. If verification fails, which is what happens to every censor probe, scanner or curious browser that connects, the server relays the raw bytes to the real www.microsoft.com:443, and the prober receives Microsoft's genuine certificate and content. A passive observer therefore sees a TLS 1.3 connection to Microsoft's SNI, and an active prober gets Microsoft, which is exactly what defeats the domain-based inference described above.
The second piece is the xtls-rprx-vision flow. Most of what a proxy carries is itself HTTPS, and naively wrapping TLS inside TLS leaves a signature: the record lengths of the inner handshake show through the outer layer. Vision detects an inner TLS 1.3 handshake, pads those first records so their lengths no longer reveal a nested handshake, and once the inner handshake completes it stops applying the outer encryption and relays the inner TLS records as they are, since they are already encrypted end to end. Traffic inside the tunnel that is not TLS 1.3 stays fully encrypted by the outer layer. The result is that a long session looks like HTTPS at the record level too, not only at the handshake.
VLESS Reality Configuration Anatomy
{
  "inbounds": [{
    "port": 443,
    "protocol": "vless",
    "settings": {
      "clients": [{
        "id": "your-uuid-here",
        "flow": "xtls-rprx-vision"
      }],
      "decryption": "none"
    },
    "streamSettings": {
      "network": "tcp",
      "security": "reality",
      "realitySettings": {
        "show": false,
        "dest": "www.microsoft.com:443",
        "serverNames": ["www.microsoft.com"],
        "privateKey": "your-private-key",
        "shortIds": ["abcdef1234"]
      }
    }
  }]
}
The dest field is the real site that unauthenticated connections are relayed to; pick one that supports TLS 1.3 and HTTP/2 and that your server can actually reach, because anyone probing your server must receive that site's genuine handshake. The serverNames array lists the SNI values the server will accept, so the client's serverName must be one of them and should match dest. The privateKey is the server's X25519 private key, generated with `xray x25519`, which also prints the matching publicKey; the client configuration needs that publicKey, one of the shortIds, the serverName and a browser fingerprint such as chrome. The authentication these values enable happens inside the ClientHello and is invisible to an observer.
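The serve-or-relay decision described above, as an added example that is not Xray's code. It parses a TLS ClientHello, checks the SNI against the serverNames list and checks the session ID against the configured shortIds. The authentication itself is a simplified stand-in (an assumption of this example): an HMAC-SHA256 over the client random and a short ID keyed with a constructed pre-shared key, where Xray's real scheme derives the key from X25519 and adds a timestamp window. The ClientHello bytes are constructed inline.

```python
"""Simplified model of the REALITY server's serve-or-relay decision.

Added example, not Xray's code.  Assumption: client authentication is an
HMAC-SHA256 over the ClientHello random and a short ID, keyed with a
pre-shared key, placed in the 32-byte session ID field.  Xray's real scheme
derives the key from X25519 and adds a timestamp window; the dispatch logic
and the ClientHello parsing are what this example demonstrates."""
import hashlib
import hmac
import struct

SERVER_NAMES = {"www.microsoft.com"}           # the serverNames list
SHORT_IDS = {bytes.fromhex("abcdef1234")}      # the shortIds list
PSK = b"demo-pre-shared-key"                   # constructed stand-in for the X25519 key pair
DEST = ("www.microsoft.com", 443)              # where unauthenticated bytes are relayed


def auth_tag(client_random: bytes, short_id: bytes) -> bytes:
    """32-byte value the client hides in the session ID; the server recomputes it."""
    return hmac.new(PSK, client_random + short_id, hashlib.sha256).digest()


def build_client_hello(sni: str, session_id: bytes, client_random: bytes) -> bytes:
    """Minimal TLS ClientHello record: one cipher suite and a server_name extension."""
    name = sni.encode("ascii")
    sni_data = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data
    body = (b"\x03\x03" + client_random
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", 2) + b"\x13\x01"          # TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                                 # compression: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Extract random, session ID and SNI; raises ValueError if it is not a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not body or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 6                                   # handshake header (4) + legacy version (2)
    rnd, pos = body[pos:pos + 32], pos + 32
    sid_len = body[pos]
    pos += 1
    sid, pos = body[pos:pos + sid_len], pos + sid_len
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + body[pos]                                  # compression methods
    sni = None
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == 0x0000:               # server_name: list len(2), type(1), name len(2), name
                name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
                sni = body[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    return {"random": rnd, "session_id": sid, "sni": sni}


def dispatch(first_bytes: bytes) -> str:
    """'serve': authenticated client, complete the handshake here.
    'relay': anything else (probe, scanner, browser) goes byte-for-byte to DEST."""
    try:
        hello = parse_client_hello(first_bytes)
    except (ValueError, struct.error, IndexError):
        return "relay"
    if hello["sni"] not in SERVER_NAMES or len(hello["session_id"]) != 32:
        return "relay"
    for short_id in SHORT_IDS:
        if hmac.compare_digest(auth_tag(hello["random"], short_id), hello["session_id"]):
            return "serve"
    return "relay"


# Constructed sample ClientHellos (fixed randoms so the demo is deterministic).
RANDOM = hashlib.sha256(b"client-random").digest()
HELLO_CLIENT = build_client_hello("www.microsoft.com", auth_tag(RANDOM, bytes.fromhex("abcdef1234")), RANDOM)
HELLO_PROBE = build_client_hello("www.microsoft.com", hashlib.sha256(b"random-session").digest(), RANDOM)
HELLO_OTHER_SNI = build_client_hello("www.apple.com", auth_tag(RANDOM, bytes.fromhex("abcdef1234")), RANDOM)

if __name__ == "__main__":
    for label, hello in [("client", HELLO_CLIENT), ("probe", HELLO_PROBE), ("other SNI", HELLO_OTHER_SNI)]:
        print(f"{label:>10}: sni={parse_client_hello(hello)['sni']} -> {dispatch(hello)}")
```

The probe's ClientHello is indistinguishable from the client's to anyone without the key: same SNI, same fingerprint, a 32-byte session ID that is random in one case and keyed in the other. The only observable difference is what the server does next, and for the probe that is a faithful relay to the real site.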
Why VLESS Reality Wins on Mobile Networks
Mobile carriers run CGNAT (Carrier-Grade NAT), so thousands of subscribers share a single public IP. To a destination site or an IP-reputation system, VLESS Reality traffic exiting through such an IP is mixed with the ordinary HTTPS traffic of everyone else behind it, and blocking the address means blocking them all. To a DPI appliance on the path, the connection is a TLS 1.3 session to Microsoft's SNI whose payload it cannot read without the session keys. Two caveats are worth stating: the carrier's own DPI sits before the NAT and sees per-subscriber flows, and a connection that stays open for hours and moves gigabytes does not look like a browser visiting www.microsoft.com, so traffic-volume analysis remains the residual risk. Against payload inspection and active probing, the combination is as close to undetectable as current tooling gets.
WireGuard Analysis
WireGuard is an excellent VPN protocol for trusted networks where speed matters most and stealth is not a concern. Its kernel-level implementation delivers the lowest overhead of any tunnel protocol, and its cryptographic design (ChaCha20, Poly1305, Curve25519) is modern and well-audited.
The Fingerprinting Problem
WireGuard's fatal weakness for proxy and censorship-evasion use cases is its distinctive wire format. Every WireGuard message starts with a 1-byte type followed by three reserved zero bytes, and the handshake consists of three message types with fixed, documented sizes:
- Initiation: exactly 148 bytes
- Response: exactly 92 bytes
- Cookie reply: exactly 64 bytes
Transport data messages (type 4) are variable-length but always a multiple of 16 bytes, the smallest being the 32-byte keepalive. These invariants make WireGuard trivially detectable by any DPI system: a rule that matches a 148-byte UDP datagram beginning with 01 00 00 00, answered by a 92-byte datagram beginning with 02 00 00 00, catches virtually every WireGuard handshake, and the 16-byte alignment of the datagrams that follow confirms it. By 2026, commercial DPI appliances such as those from Sandvine, Allot and Huawei include WireGuard detection rules by default.
Furthermore, WireGuard operates over UDP, which many restrictive networks throttle or block entirely. In countries like China, Russia, and Iran, UDP-based protocols face systematic interference. WireGuard connections on these networks either fail to establish or experience severe throttling within minutes.
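The detection rule sketched above, written out as an added example (not code from any DPI vendor or from the WireGuard project). The byte layout it checks is WireGuard's own: the type byte and three reserved zero bytes, the 148/92/64-byte handshake sizes, and 16-byte-aligned transport messages. The sample datagrams and addresses are constructed here.

```python
"""Detect WireGuard by its wire format, as a DPI rule would.

Added example; the layout (1-byte type, 3 reserved zero bytes, fixed handshake
sizes, 16-byte-aligned transport messages) is WireGuard's, the sample
datagrams are constructed here."""

WG_MESSAGES = {
    1: ("handshake_initiation", 148),
    2: ("handshake_response", 92),
    3: ("cookie_reply", 64),
    4: ("transport_data", None),   # variable length, see below
}


def classify_wireguard(payload: bytes):
    """Return the WireGuard message name, or None if the datagram cannot be WireGuard."""
    if len(payload) < 32 or payload[1:4] != b"\x00\x00\x00":
        return None
    entry = WG_MESSAGES.get(payload[0])
    if entry is None:
        return None
    name, fixed_len = entry
    if fixed_len is not None:
        return name if len(payload) == fixed_len else None
    # Transport data: 16-byte header (type, receiver index, 64-bit counter) +
    # plaintext padded to a multiple of 16 + 16-byte Poly1305 tag, so the total
    # is always a multiple of 16; the 32-byte keepalive is the smallest.
    return name if len(payload) % 16 == 0 else None


def wireguard_handshake_seen(packets) -> bool:
    """packets: iterable of (src, dst, payload).  True once an initiation from
    A to B is answered by a response from B to A, the pairing rule from the text."""
    pending = set()
    for src, dst, payload in packets:
        kind = classify_wireguard(payload)
        if kind == "handshake_initiation":
            pending.add((src, dst))
        elif kind == "handshake_response" and (dst, src) in pending:
            return True
    return False


def fake_wg(mtype: int, length: int) -> bytes:
    """Constructed datagram: correct type prefix, deterministic filler body."""
    return bytes([mtype, 0, 0, 0]) + bytes(i % 256 for i in range(length - 4))


# Constructed flow: client 10.0.0.2 talks to server 203.0.113.5 (documentation address).
SAMPLE_FLOW = [
    ("10.0.0.2", "203.0.113.5", fake_wg(1, 148)),
    ("203.0.113.5", "10.0.0.2", fake_wg(2, 92)),
    ("10.0.0.2", "203.0.113.5", fake_wg(4, 32)),    # keepalive
    ("10.0.0.2", "203.0.113.5", fake_wg(4, 1072)),  # data
]

# A DNS query with ID 0x0100 and flags 0x0000 happens to start with 01 00 00 00;
# the length checks are what keep such coincidences from matching.
DNS_QUERY = (b"\x01\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             + b"\x07example\x03com\x00\x00\x01\x00\x01")
```

Note what this rule does not need: no payload decryption, no flow state beyond remembering initiations, and no port list, which is why moving WireGuard to another UDP port buys nothing against it.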
When WireGuard Still Makes Sense
On trusted networks (corporate LANs, home connections in countries without active censorship), WireGuard remains the best choice for raw performance. Its kernel-mode implementation means near-zero CPU overhead, and the handshake completes in a single round-trip. For site-to-site VPNs, IoT device tunneling, and mobile app VPN features where stealth is irrelevant, WireGuard is unbeatable.
Shadowsocks Analysis
Shadowsocks was the first protocol specifically designed for censorship circumvention. Created in 2012 by a Chinese developer, it took a fundamentally different approach from traditional VPN protocols: instead of establishing a recognizable tunnel, it encrypts traffic in a way that makes it look like random noise.
The Arms Race with the GFW
Shadowsocks' original design used stream ciphers like aes-256-cfb and rc4-md5. These provided no integrity protection, and the GFW's replay-based probing and entropy analysis, starting in 2020, could confirm servers by replaying or tampering with captured traffic. The protocol responded with AEAD ciphers (aes-256-gcm, chacha20-ietf-poly1305), which authenticate every chunk and close the tampering avenue. What AEAD does not change is the shape of the stream: a Shadowsocks connection is uniformly random bytes from the first byte (salt, encrypted length, tag, encrypted payload, tag), with none of the plaintext headers that TLS, HTTP or SSH carry, and the absence of any recognizable protocol is itself a detectable property.
By 2025, the GFW had deployed machine learning models trained specifically on Shadowsocks' AEAD traffic patterns. These models analyze packet timing, size distributions, and entropy to identify Shadowsocks connections with 40-60% accuracy. Once flagged, the connection is either terminated or throttled to unusable speeds.
Shadowsocks 2022
The Shadowsocks community developed the "Shadowsocks 2022" specification (also called SIP022) to address these detection issues. It adds a per-session sub-key derivation, random padding, and header protection. These improvements have reduced detection rates, but the fundamental weakness remains: Shadowsocks traffic does not impersonate any legitimate protocol. It still appears as random encrypted data on a non-standard port, which is increasingly suspicious to modern DPI systems that expect most traffic to be TLS on port 443.
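A heuristic of the kind the two preceding sections describe, as an added example that is not the GFW's rule set nor any Shadowsocks project code. It is exemption based: a first packet that carries a recognizable protocol header, or whose bytes are not statistically uniform, is let through, and what remains is flagged. The thresholds are assumptions chosen for the demo, and the sample packets are constructed here.

```python
"""A 'fully encrypted traffic' heuristic of the kind the text describes.

Added example.  The rules are exemption based: a first packet that carries a
recognisable protocol header, or that is not statistically uniform, is let
through; what remains is flagged.  The thresholds are assumptions chosen
for this demo, not the GFW's actual parameters, and the sample packets are
constructed here."""

PROTOCOL_PREFIXES = (b"\x16\x03", b"SSH-", b"GET ", b"POST", b"HEAD", b"PUT ", b"HTTP")


def popcount_per_byte(data: bytes) -> float:
    """Average number of set bits per byte; uniform ciphertext averages 4.0."""
    return sum(bin(b).count("1") for b in data) / len(data)


def printable(b: int) -> bool:
    return 0x20 <= b <= 0x7E


def longest_printable_run(data: bytes) -> int:
    best = run = 0
    for b in data:
        run = run + 1 if printable(b) else 0
        best = max(best, run)
    return best


def classify_first_packet(pkt: bytes) -> str:
    """'allow' if the first client packet looks like a known or non-uniform protocol,
    'suspect' if it looks like ciphertext from the first byte."""
    head = pkt[:64]
    if len(head) < 16:
        return "allow"
    if head.startswith(PROTOCOL_PREFIXES):
        return "allow"                     # TLS record, SSH banner, HTTP method
    bits = popcount_per_byte(head)
    if bits <= 3.4 or bits >= 4.6:         # structured data is rarely this balanced
        return "allow"
    if all(printable(b) for b in head[:6]):
        return "allow"                     # text protocols start printable
    if sum(printable(b) for b in head) > len(head) / 2:
        return "allow"
    if longest_printable_run(head) > 20:
        return "allow"
    return "suspect"


# Constructed samples.  SS_LIKE stands in for a Shadowsocks AEAD first packet
# (salt + encrypted length + tag + encrypted payload + tag), every byte of which
# is ciphertext.  It is built from alternating 0x0F/0xF0 bytes, which share the
# statistics that matter (4 set bits per byte, nothing printable) while staying
# deterministic; os.urandom(64) gives the same verdict almost every time.
SS_LIKE = bytes([0x0F, 0xF0]) * 32
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x3c\x01\x00\x00\x38\x03\x03" + bytes(53)
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: curl/8.0\r\n\r\n"
SSH_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n" + bytes(48)

if __name__ == "__main__":
    for label, pkt in [("shadowsocks", SS_LIKE), ("tls", TLS_CLIENT_HELLO),
                       ("http", HTTP_REQUEST), ("ssh", SSH_BANNER)]:
        print(f"{label:>12}: {classify_first_packet(pkt)}")
```

Two things follow from the structure of this rule. Shadowsocks 2022's random padding does not help, because padding is also ciphertext and the statistics stay uniform. And the only reliable way past it is to put a genuine plaintext protocol header in front of the ciphertext, which is what Trojan and VLESS Reality do by speaking real TLS.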
Where Shadowsocks Excels
For networks with basic censorship (corporate firewalls, school networks, countries with superficial filtering), Shadowsocks remains an excellent choice due to its simple setup and wide client support. Every major platform (Windows, macOS, Linux, Android, iOS) has mature Shadowsocks clients. The protocol's performance is good (5-8% overhead), and its configuration requires only a server address, port, password, and cipher, making it the most user-friendly option for non-technical users.
Trojan-Go Analysis
Trojan (and its Go implementation, Trojan-Go) takes a different stealth approach from both Shadowsocks and VLESS: it wraps proxy traffic inside a genuine TLS connection to a real web server that the operator controls.
The TLS Facade
A Trojan server listens on port 443 behind a real TLS certificate and hands anything that is not Trojan to a real website (typically Nginx or Caddy). Every client completes a normal TLS handshake. The server then reads the first bytes of application data: a Trojan client sends the hex SHA-224 of its password followed by CRLF and a SOCKS5-style request, and the server switches to proxy mode; anything else, including a censor's probe, is forwarded to the web server and receives an ordinary page.
This approach provides good stealth because the server genuinely serves web content, making it indistinguishable from any other HTTPS website by external observation. The TLS certificate is real (issued by Let's Encrypt or another CA for the operator's domain), and the HTTP responses are real.
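The front-door decision just described, as an added example modelled on the published Trojan request format (hex SHA-224 of the password, CRLF, command, address type, address, port, CRLF); it is not Trojan-Go's code. The password and the sample byte strings are constructed here.

```python
"""Trojan front door: proxy mode or pass-through to the cover website.

Added example modelled on the published Trojan request format (hex SHA-224
of the password, CRLF, SOCKS5-style request, CRLF); not Trojan-Go's code.
Password and sample bytes are constructed here."""
import hashlib
import hmac
import socket
import struct

PASSWORDS = ["correct horse battery staple"]                    # constructed
PASSWORD_HASHES = [hashlib.sha224(p.encode()).hexdigest().encode() for p in PASSWORDS]

CMD_CONNECT, CMD_UDP = 1, 3
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


def trojan_request(password: str, host: str, port: int, cmd: int = CMD_CONNECT) -> bytes:
    """First application-data bytes a Trojan client sends after the TLS handshake."""
    digest = hashlib.sha224(password.encode()).hexdigest().encode()   # 56 hex chars
    name = host.encode()
    request = bytes([cmd, ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)
    return digest + b"\r\n" + request + b"\r\n"


def demux(first_bytes: bytes):
    """('proxy', host, port) for a valid Trojan request, ('web', None, None) otherwise.
    In the 'web' case the server forwards these same bytes to Nginx/Caddy, so a
    probe sees the cover site and never learns the connection was examined."""
    if len(first_bytes) < 58 or first_bytes[56:58] != b"\r\n":
        return ("web", None, None)
    if not any(hmac.compare_digest(first_bytes[:56], h) for h in PASSWORD_HASHES):
        return ("web", None, None)
    cmd, atyp, pos = first_bytes[58], first_bytes[59], 60
    if cmd not in (CMD_CONNECT, CMD_UDP):
        return ("web", None, None)
    try:
        if atyp == ATYP_IPV4:
            host, pos = socket.inet_ntop(socket.AF_INET, first_bytes[pos:pos + 4]), pos + 4
        elif atyp == ATYP_DOMAIN:
            n = first_bytes[pos]
            host, pos = first_bytes[pos + 1:pos + 1 + n].decode("ascii"), pos + 1 + n
        elif atyp == ATYP_IPV6:
            host, pos = socket.inet_ntop(socket.AF_INET6, first_bytes[pos:pos + 16]), pos + 16
        else:
            return ("web", None, None)
        port = struct.unpack("!H", first_bytes[pos:pos + 2])[0]
        if first_bytes[pos + 2:pos + 4] != b"\r\n":
            return ("web", None, None)
    except (IndexError, struct.error, UnicodeDecodeError, ValueError, OSError):
        return ("web", None, None)
    return ("proxy", host, port)


# Constructed samples.
CLIENT_REQUEST = trojan_request(PASSWORDS[0], "example.com", 443)
WRONG_PASSWORD = trojan_request("guess", "example.com", 443)
BROWSER_REQUEST = b"GET / HTTP/1.1\r\nHost: proxy.example\r\n\r\n"

if __name__ == "__main__":
    for label, data in [("client", CLIENT_REQUEST), ("wrong pw", WRONG_PASSWORD), ("browser", BROWSER_REQUEST)]:
        print(f"{label:>9}: {demux(data)}")
```

The constant-time hash comparison matters here: the server's only secret is the password hash, and a timing difference between a correct and an incorrect prefix is exactly the kind of signal a patient prober would measure.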
Trojan's Limitations
The main weakness is performance overhead. Trojan adds no encryption of its own; it relies entirely on the TLS layer. But the traffic it carries is mostly HTTPS already, so every byte crosses the tunnel encrypted twice, once by the browser's TLS session and once by the tunnel's, the TLS-in-TLS layering that Vision exists to avoid. In the benchmarks below this shows up as 8-12% throughput overhead, which is noticeable on high-throughput workloads like data scraping or large file transfers.
Additionally, Trojan requires the operator to own a domain and obtain a valid TLS certificate, which increases setup complexity and creates a potential single point of failure. If the domain is blocked or the certificate expires, the entire proxy infrastructure goes down. VLESS Reality avoids this by impersonating someone else's domain rather than requiring its own.
Trojan-Go also lacks Vision's padding of the inner handshake. The outer TLS handshake looks legitimate, but the record lengths of a TLS handshake nested inside the tunnel, and the packet sizes and timing that follow, can differ from what a browser session would produce. Advanced DPI systems performing traffic analysis beyond the handshake can potentially distinguish Trojan traffic from genuine web browsing on that basis.
Speed Benchmarks (April 2026)
Benchmarked on a dedicated server in Warsaw (Intel Xeon E-2388G, 1Gbps uplink) with each protocol configured for maximum security. Test: 10GB file transfer, average of 5 runs. Client: Windows 11 on a 500Mbps fiber connection in the same city.
| Protocol | Throughput | Latency Added | CPU Usage (Server) |
|---|---|---|---|
| Direct (baseline) | 487 Mbps | 0 ms | - |
| WireGuard | 479 Mbps | +0.3 ms | 2% |
| VLESS Reality (vision) | 468 Mbps | +0.8 ms | 5% |
| Shadowsocks (2022) | 451 Mbps | +1.1 ms | 7% |
| Trojan-Go | 432 Mbps | +1.6 ms | 11% |
WireGuard leads in raw speed due to its kernel-level implementation, but the difference between WireGuard and VLESS Reality is only 2.3%. In real-world proxy usage (where bandwidth is typically limited by the upstream connection rather than the tunnel), this difference is imperceptible. Trojan-Go's 11% server CPU usage becomes significant when running proxy infrastructure at scale.
Recommendation Matrix
Use VLESS Reality When:
- You need to bypass DPI or active censorship (China, Russia, Iran, UAE)
- You are running proxy infrastructure on mobile IPs (CGNAT environments)
- You need the lowest possible detection rate for automation or scraping
- Your clients are on networks that inspect and block VPN traffic
- You want future-proof stealth, as Reality is actively developed against emerging DPI
Use WireGuard When:
- You are on a trusted network with no DPI or censorship
- Raw speed matters more than stealth (gaming, streaming, file transfer)
- You need a site-to-site VPN between servers you control
- You want the simplest possible setup with kernel-level performance
Use Shadowsocks When:
- You need basic censorship bypass on networks with shallow DPI
- You want wide client support across all platforms
- Your users are non-technical and need a one-click solution
- You are maintaining legacy infrastructure that already uses Shadowsocks
Use Trojan-Go When:
- You already own a domain and want to serve a real website as cover
- You need high stealth but do not want to configure Reality's key exchange
- You are in an environment where domain-fronting provides additional protection
- You need websocket transport for CDN compatibility
VLESS on Real Mobile IPs
The ultimate combination for undetectable proxy traffic is VLESS Reality running on genuine mobile carrier IPs. Mobile IPs benefit from CGNAT protection (thousands of real users share the same IP, making it impossible to block without massive collateral damage), and VLESS Reality makes the traffic pattern indistinguishable from normal HTTPS browsing.
At Proxy Poland, our infrastructure provisions VLESS endpoints directly on physical 4G modems connected to Polish mobile carriers (Orange, T-Mobile, Play). Each modem has a real SIM card, a real carrier IP, and full CGNAT protection. Your VLESS traffic exits through a genuine mobile IP that anti-bot systems classify as a real mobile user.
No VPS to manage. No xray-core to configure. No certificates to renew. You get a vless:// connection string, paste it into V2rayN or v2rayNG, and you are connected through a real Polish 4G IP in under 5 minutes.