Practical Info 7 min read

VPN Protocols That Actually Work in China: VLESS+REALITY, Hysteria2 & (2026)

Deep dive into VPN protocols that bypass China's Great Firewall in 2026. VLESS+REALITY vs Hysteria2 vs WireGuard+udp2raw explanation, GFW detection strategies, and what's dead (Shadowsocks).

Table of Contents
Advertisement

Hero image

Why This Matters

China’s Great Firewall (GFW) is not a static wall. It’s an active, learning censorship system that continuously adapts to blocking circumvention tools. A protocol that worked in 2023 may be instantly detectable in 2026. Shadowsocks — the darling of China VPN users for a decade — is now trivially detected by the GFW’s DPI (Deep Packet Inspection) and largely unusable on its own inside China.

Understanding which protocols work, and WHY they work, is the difference between frustration and reliable internet access.

What’s Dead or Dying

Shadowsocks: The GFW can detect Shadowsocks traffic through its distinctive encryption handshake pattern, even with obfuscation plugins. Some SS implementations still work (ShadowsocksR with specific configurations, Outline VPN), but it’s a constant cat-and-mouse game. Assume standalone Shadowsocks is blocked.

OpenVPN (unobfuscated): The GFW detects OpenVPN’s distinctive protocol signature instantly. OpenVPN wrapped in an obfuscation layer (stunnel, obfsproxy) can work, but it’s more effort than modern alternatives.

L2TP/IPsec, PPTP: Completely blocked at the protocol level. Don’t bother.

Image

What Actually Works in 2026

VLESS + REALITY (Xray) — The Current Champion

VLESS is a lightweight transport protocol in the Xray (formerly V2Ray) ecosystem. REALITY is its killer feature: instead of using a self-signed TLS certificate (which the GFW can flag as “suspicious — who issues their own cert?”), REALITY borrows the real TLS certificate of a legitimate website — microsoft.com, apple.com, cloudflare.com.

When the GFW inspects the TLS handshake, it sees a connection to microsoft.com with microsoft’s real certificate. The connection looks identical to someone visiting Microsoft’s website. But the actual data packets are routed to your proxy server.

Why it works: The GFW faces a dilemma. It can’t block connections to microsoft.com without breaking the internet for everyone. It can’t distinguish your encrypted proxy traffic from someone genuinely browsing Microsoft’s website. The protocol is, for now, invisible to DPI.

Setup difficulty: Medium-high. Requires renting a VPS outside China, installing Xray, configuring VLESS+REALITY with a destination site, and setting up a client. The v2rayN client (Windows) and v2rayNG (Android) are the most commonly used.

Hysteria2 — Speed Demon

Hysteria2 is built on QUIC (the protocol behind HTTP/3), which is a modified UDP transport. It disguises proxy traffic as HTTP/3 — the protocol used by YouTube, Instagram, and most major websites for video streaming. To the GFW, Hysteria2 traffic looks like someone watching a high-bitrate video.

Why it works: HTTP/3 is ubiquitous. Blocking or deeply inspecting all HTTP/3 traffic would degrade the internet experience for everyone. Hysteria2 piggybacks on this ubiquity, plus it’s extremely fast (QUIC’s multiplexed connections avoid TCP head-of-line blocking).

Setup difficulty: Medium. Requires a server with Hysteria2 installed. The client is available on most platforms. Configuration is simpler than VLESS+REALITY.

WireGuard + udp2raw — The Fallback

WireGuard is fast and lean but easily detected — its protocol signature is unique and the GFW identifies it instantly. udp2raw wraps WireGuard’s UDP packets in TCP headers with obfuscation, making them look like normal TCP traffic.

Why it works: WireGuard itself doesn’t work. WireGuard tunneled through udp2raw does — the GFW sees innocuous TCP traffic, not WireGuard’s distinctive UDP signatures. The tradeoff: speed (wrapping adds overhead, and TCP-over-TCP has inherent inefficiency).

Setup difficulty: Medium. WireGuard is the simplest VPN to configure, but adding udp2raw introduces complexity.

Commercial VPNs: Built on These Protocols

| VPN Provider | Protocol Used | Notes | |---|---|---| | Astrill | StealthVPN (proprietary, WireGuard-based with heavy obfuscation) | Historically most reliable inside China | | ExpressVPN | Lightway (proprietary, uses wolfSSL) | Good obfuscation, consistent | | Surfshark | WireGuard + Camouflage/NoBorders mode | Works when obfuscated servers are selected | | NordVPN | NordLynx (WireGuard-based) + obfuscated servers | Inconsistent inside China — works sometimes | | Mullvad | WireGuard + Shadowsocks bridge | Low-profile, less aggressively blocked | | V1VPN | Hysteria2 + VLESS+REALITY | Newer player, uses modern protocols, gaining expat community trust |

If you don’t want to set up your own server, Astrill and ExpressVPN are the most consistent commercial VPNs inside China. They invest heavily in protocol obfuscation specifically for the China market.

Self-Hosted vs Commercial

| | Self-Hosted (VPS + Xray/Hysteria2) | Commercial VPN | |---|---|---| | Cost | ¥30-80/month ($4-11) for a VPS | ¥60-150/month ($8-21) | | Reliability | High (your IP, not shared, less likely to be blocked) | Medium (shared IPs can get blocked in batches) | | Technical skill needed | High (server setup, config, troubleshooting) | Low (install app, log in, click connect) | | Speed | High (dedicated bandwidth) | Medium (shared bandwidth) | | Risk | Your server IP could be blocked eventually | Provider IP ranges are actively targeted by GFW |

For most travelers, a commercial VPN is the pragmatic choice. The hours spent setting up and maintaining a self-hosted solution aren’t worth the ¥50/month savings on a 2-week trip. For long-term expats in China: self-hosting becomes worthwhile.

The Red Queen’s Race

The GFW is constantly evolving. In 2025, it gained the ability to perform active probing — sending crafted packets to suspected VPN servers to see how they respond. Proxies that respond incorrectly are flagged and blocked within minutes. This is why REALITY’s TLS-borrowing trick is so important: the server responds exactly as a real web server would, because it IS using a real server’s certificate.

Protocols that work today will eventually be blocked. New protocols will emerge. This is the Red Queen’s race — running as fast as you can just to stay in the same place. The good news: as of mid-2026, the race is being won. The tools are better than they’ve ever been. The GFW is formidable, but it has limits — it can’t block connections to the entire internet without breaking China’s economic connectivity.

FAQ

The technical landscape for internet access in China is better in 2026 than it’s been in years. The protocols are more sophisticated. The detection tools have limits. If you’re technical, VLESS+REALITY on a VPS is the gold standard. If you’re not, install Astrill before departure and focus on enjoying your trip.

Advertisement
Advertisement

Related Articles