Quick answer by platform
- iOS — set-and-forget: Shadowrocket. Simple, every protocol, no scripting. Fine for 90% of users.
- iOS — power user: Surge. MITM + scripting + complex rule sets. Best DX in the space if you actually need it.
- iOS — middle ground: Stash or Loon. Cheaper alternatives to Surge with most of its features.
- Android: Clash for Android (free, open-source) or V2rayNG (free).
- Desktop: sing-box (CLI, open-source) — recommended. Or Clash Verge / Stash for Mac for GUI.
- OpenWRT routers: sing-box direct, or OpenClash if you want a GUI.
Trade-offs that actually matter
- Rule routing: per-app / per-domain / per-process targeting. Surge + Stash + Loon yes; Shadowrocket coarse; Clash powerful but YAML-heavy.
- MITM (HTTPS decryption): Surge + Stash + Loon only. Useful for ad-blocking + per-request scripting; Shadowrocket can't do it.
- Scripting: JS modules on Surge / Quantumult X. Rewrite headers, mock APIs, CDN-failover. Power-user only.
- Subscription import: all accept a sub URL. Some (Stash, Clash) handle Clash Provider format; pure-v2ray clients want vmess:// or vless://.
- Battery + perf: kernel-mode (sing-box on routers) beats user-space clients. Less is more on mobile.
For our audience specifically
If you're routing crypto traffic to bypass regional blocks or for IP-hygiene during swaps, you don't need scripting. Shadowrocket or Stash on iOS, Clash for Android, and sing-box on desktop are enough. Save Surge for when you actually want to write rule-set scripts.
If you're an OpenWRT operator running a tunnel for the whole household, jump straight to sing-box at the router. Running a mobile client on top of router-level tunneling encrypts the same traffic twice, so pick one or the other.
What we don't list as a "VPN"
These tools are not VPNs in the consumer sense: they don't ship with a built-in provider, so you bring your own server (or buy a subscription separately). For traditional VPN reviews see /vpns. Both layers are useful; just don't confuse them.