
Protocols overview: who, what, and when to pick

Not a "top protocols" list but a map: what exists, how they differ, and what to actually run right now. We'll work through the decision logic so you're not poking at random but understand why the combo is what it is. Ready-made configs are in the "Protocols" section; here it's just the mechanics of the decision.

This material covers the engineering of your own network infrastructure and is educational in nature. Complying with the laws of your own jurisdiction is on you.

The three signals they catch you by

Before you pick a protocol, you need to understand what you're even defending against. Inspection catches a VPN by three things:

  1. The handshake and SNI — how the TLS connection setup looks and which domain the client is supposedly reaching.
  2. Traffic behavior — packet lengths, timings, the ratio of upload to download.
  3. The IP address — the node's address itself being on a blacklist or in a suspicious subnet.

A good transport closes the first two. The third (IP) can't be closed by a transport — that's what CDN and address rotation are for. Keep this in mind: choosing a protocol solves problems 1 and 2, but not problem 3.

The main players

I won't list everything — only what actually lives in 2026. A quick word on each and where it belongs.

  • VLESS-TCP-Reality — the workhorse. During the handshake your node impersonates someone else's big site (the donor): from the outside it looks as if a real, large HTTPS resource lives at that address. High speed, high resilience. The primary protocol for every node.
  • VLESS-Selfsteal — the same Reality, but the donor is your own real site on the node. Maximum disguise: inspection knocks on the port and sees a real site, because it's genuinely there. Used under the harshest regime, requires standing up your own site on the node.
  • VLESS-gRPC-Reality — traffic wrapped in gRPC over HTTP/2. Medium speed, high resilience. Currently flagged as deprecated (the core is pushing toward XHTTP), but still fine as a hidden reserve for auto-switching.
  • VLESS-XHTTP — a transport that wraps the stream so it travels well behind a CDN. The primary option when blocking is by IP and you need to hide behind someone else's big edge. You pay in latency, you get survivability.
  • VLESS-TCP-TLS — honest TLS on your domain without Reality disguise. CDN-compatible, but the domain "shows" — not suitable as a primary transport under harsh inspection.
  • Trojan — disguised as an ordinary HTTPS site. Kept as a reserve of a different "kind" so a block on one type doesn't kill everything.
  • Hysteria2 — runs over QUIC (that's UDP, not TCP). Holds up excellently on bad networks and at peak hours, when TCP is being choked. Downside: UDP is cut entirely in some places. The second transport on a node for mobile and evening dips.
  • Shadowsocks — no TLS disguise, noticeable under harsh inspection. Legacy, only as a last-ditch fallback.

How this plays out in practice

You don't need to run everything. The working scheme for 2026 is short:

  1. Primary channel — VLESS-Reality on 443/TCP. If you can set up your own domain on the node, take Selfsteal (the most resilient). If you don't want the hassle, use plain Reality with an external donor.
  2. Second transport on the same node — Hysteria2 (UDP). When TCP is choked in the evening or on mobile, Hysteria often still flies. Keep it as an emergency button.
  3. Hidden reserves for auto-switching — gRPC and XHTTP. The client sees a single "Auto-select," and if it's their TCP specifically that's being cut, the switch quietly moves them to another transport.
  4. When they ban by IP — XHTTP behind a CDN. That's a separate survival layer, not the primary channel.
  5. For the client — a subscription with multiple hosts. One channel goes down, the second works, automatically.

In one line: Selfsteal (or Reality) + Hysteria2 on every node, gRPC/XHTTP in reserve, CDN when they cut by IP. That's enough for the overwhelming majority of services.

The hygiene people forget

Even the right protocol gets killed by sloppy operation. Three rules that extend a node's life:

  • Don't flash the same SNI or the same donor across all nodes — rotate. The same fingerprint across the whole fleet means the whole thing falls at once.
  • Keep two transports on a node. Reality gets cut — Hysteria2 works, and vice versa.
  • Change ports and donors after a wave of blocks. What held for a month can become a giveaway after an inspection update.
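An added example, not code from the original guide: a small audit that checks a node inventory against the three hygiene rules above and the two-transports-per-node rule from the working scheme. The inventory, its field names and the donor names are constructed for illustration and are not a real panel or Xray config format.

```python
from collections import Counter
from datetime import date

# Constructed inventory (assumed field names, not a real panel or Xray config):
# "donor" is the SNI the node impersonates (or serves, for Selfsteal),
# "rotated" is when the donor/port was last changed.
FLEET = [
    {"name": "node-a", "donor": "donor-one.test", "port": 443,
     "transports": ["vless-tcp-reality", "hysteria2"], "rotated": date(2026, 3, 1)},
    {"name": "node-b", "donor": "donor-one.test", "port": 443,
     "transports": ["vless-tcp-reality"], "rotated": date(2026, 1, 10)},
    {"name": "node-c", "donor": "donor-two.test", "port": 8443,
     "transports": ["vless-selfsteal", "hysteria2", "vless-xhttp"], "rotated": date(2026, 3, 5)},
]

# Date of the most recent wave of blocks (constructed value).
LAST_BLOCK_WAVE = date(2026, 2, 15)

TCP_TRANSPORTS = {"vless-tcp-reality", "vless-selfsteal", "vless-grpc-reality",
                  "vless-xhttp", "vless-tcp-tls", "trojan", "shadowsocks"}
UDP_TRANSPORTS = {"hysteria2"}


def audit_fleet(fleet, last_block_wave):
    """Return sorted (node, finding) pairs, one per hygiene violation."""
    findings = []
    # Rule 1: one donor/SNI across several nodes is one fingerprint for the whole fleet.
    donors = Counter(node["donor"] for node in fleet)
    for node in fleet:
        if donors[node["donor"]] > 1:
            findings.append((node["name"], f"donor {node['donor']} shared by {donors[node['donor']]} nodes"))
        # Rule 2: a TCP transport plus a UDP one, so cutting one kind leaves the other.
        kinds = set(node["transports"])
        if not kinds & TCP_TRANSPORTS:
            findings.append((node["name"], "no TCP transport"))
        if not kinds & UDP_TRANSPORTS:
            findings.append((node["name"], "no UDP transport (Hysteria2) as the second channel"))
        # Rule 3: a donor/port untouched since the last wave of blocks is a stale fingerprint.
        if node["rotated"] < last_block_wave:
            findings.append((node["name"], f"donor/port not rotated since {node['rotated']}"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit_fleet(FLEET, LAST_BLOCK_WAVE):
        print(f"{name}: {finding}")
```

Run it on the constructed inventory and node-b is flagged three times (shared donor, no UDP transport, stale rotation) while node-c passes clean.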

What to expect going forward

The point is to grasp the philosophy, not memorize a table: a protocol isn't "set once forever," it's a consumable you rotate. What's resilient today may become the first candidate for a ban in six months, because it went mainstream and the filters got tuned for it.

Next in this section we'll break down how internet censorship actually works — DPI, TSPU, the mechanics of blocking. Without understanding the adversary, protocol choice stays a superstition: "run Reality, everyone runs Reality." But once you understand what each transport works against, the choice becomes an engineering decision you can defend.
