xmr.club
指南 EN 中文 ES RU
← all guides

代理協議 — Shadowsocks、V2Ray、Trojan、Hysteria、VLESS

Modern proxy clients support a half-dozen different tunneling protocols. They are not interchangeable — each makes different trade-offs on detectability, throughput, and the kind of network they survive.

The headline list

  • Shadowsocks (SS): the simple, old standard. Stream cipher over TCP, no obfuscation. Easily classified by DPI in 2024+. Use only on benign networks.
  • SSR (Shadowsocks-R): SS plus simple obfuscation modules. Largely deprecated.
  • V2Ray / VMess: the workhorse for 2018-2022. AEAD over WebSocket / mKCP / TCP. Now blocked frequently by behavior-based DPI.
  • VLESS: V2Ray's lighter sibling — no built-in auth, relies on TLS for crypto. Pair with Reality or XTLS-Vision for current best detection-resistance.
  • Trojan: pretends to be HTTPS to a normal-looking server. Works well on networks that whitelist common TLS traffic.
  • Hysteria / Hysteria2: QUIC-based, UDP underlay. Excellent throughput on lossy networks; UDP is increasingly throttled where TCP isn't.
  • TUIC: another QUIC-based protocol, less common.
  • WireGuard: kernel-level VPN protocol. Fast, simple, well-audited. Not designed for obfuscation; where it's allowed, the cleanest choice.

Threat-model fit

  • Casual ISP / employer: any of the above works. Pick by ergonomics.
  • Filtered network with permissive TLS: Trojan or VLESS + Reality. Looks like normal HTTPS.
  • Aggressive DPI environment: VLESS + Reality / XTLS-Vision, port 443, real domain. The choice of server matters more than the protocol.
  • Lossy mobile network: Hysteria2 if UDP is allowed; falls back to VLESS otherwise.
  • Just need a clean IP: WireGuard via a VPN provider. Don't over-engineer.

Detectability is a moving target

What works today on aggressive networks won't work next year. Treat any "this protocol is undetectable" claim with suspicion — they were saying that about V2Ray in 2020 too.

Practical advice: use the most boring-looking option that still works. Today (late 2026) that's VLESS + Reality on port 443 with a real third-party domain.

Where to host the server side

See /hosting for no-KYC VPS providers we recommend. Pay with XMR or LN for the cleanest paper trail. Avoid the largest cloud providers if anonymity is the goal — small offshore + Tor-friendly hosts are listed at A-grade in our hosting category.