VLESS + REALITY
The VPN Protocol That Cannot Be Detected
REALITY is a breakthrough in VPN technology. Your encrypted tunnel is cryptographically identical to a real HTTPS connection. No firewall, DPI system, or national censorship infrastructure can tell the difference.
Traditional VPNs Have a Fatal Flaw
Every VPN protocol has a fingerprint. Firewalls don't need to break the encryption — they just need to recognise the traffic pattern and block it.
OpenVPN
DetectableRecognisable TLS handshake with custom certificates. DPI systems flag it within seconds. Widely blocked on corporate, hotel, and national firewalls.
WireGuard
DetectableUDP-only with a distinctive packet structure and handshake pattern. Fast and secure, but trivially identified by any modern firewall.
IKEv2 / IPsec
DetectableStandard IPsec ports and protocol identifiers. Blocked by default on many restrictive networks.
Shadowsocks / V2Ray
Partially detectableEarly obfuscation tools that wrap traffic in a layer. Statistical analysis can still fingerprint the underlying patterns.
VLESS + REALITY
UndetectableGenuine TLS 1.3 handshake with real certificates. Identical to Chrome visiting microsoft.com. Zero statistical anomalies. Nothing to detect.
How REALITY Makes You Invisible
REALITY doesn't disguise VPN traffic. It makes your connection genuinely identical to normal HTTPS browsing.
Real Certificate Borrowing
During the TLS handshake, the VPN server presents a genuine certificate from a real, high-profile website — like microsoft.com or samsung.com. The certificate is valid, trusted, and passes all verification checks. There's nothing fake about it.
Traditional VPNs use self-signed or custom certificates. DPI systems detect these instantly. REALITY uses a certificate that is indistinguishable from the real thing because it is the real thing.
Side-Channel Authentication
Your device and the VPN server share a secret X25519 keypair. The client embeds proof of this shared secret within the TLS handshake in a way that is invisible to any network observer but verifiable by the server.
An eavesdropper sees a standard TLS 1.3 handshake to microsoft.com. Only the VPN server can detect the hidden authentication — because only it has the corresponding private key.
Chrome TLS Fingerprint
The connection uses a TLS fingerprint that exactly matches Google Chrome. Packet sizes, cipher suites, extensions, ordering — everything matches a real Chrome browser session.
DPI systems that fingerprint TLS implementations (like ja3/ja3s) see nothing unusual. Your traffic is statistically identical to billions of real Chrome HTTPS sessions happening worldwide.
XTLS Vision — Zero-Copy Splice
Once the tunnel is established, XTLS Vision uses zero-copy splice technology. TLS-encrypted data from applications is forwarded directly through the tunnel without being decrypted and re-encrypted.
This eliminates the double-encryption overhead of traditional VPNs, delivering near-native throughput with significantly lower CPU usage. The result is fast, efficient, and invisible.
Port 443 — Standard HTTPS
All traffic flows through port 443 — the standard HTTPS port used by every secure website in the world. Blocking this port would break the entire internet.
Unlike WireGuard (UDP) or OpenVPN (custom ports), REALITY cannot be blocked by port filtering. The only way to stop it would be to shut down all HTTPS traffic — which no country can afford to do.
The Full Protocol Stack
VPN Protocol
VLESS
Lightweight zero-overhead proxy protocol. No encryption of its own — encryption is handled entirely by the REALITY TLS layer, eliminating redundancy.
Security Layer
REALITY
TLS 1.3 camouflage using genuine certificates from real websites. The handshake is real — the tunnel is hidden inside it.
Transport
TCP + XTLS Vision
Zero-copy splice technology. Already-encrypted TLS data is forwarded directly without re-encryption, reducing CPU overhead by up to 90%.
Key Exchange
X25519 ECDH
Elliptic curve Diffie-Hellman with per-server keypairs and ephemeral session keys. Forward secrecy ensures past sessions can never be decrypted.
Port
443 (HTTPS)
The standard HTTPS port — open on every network in the world. Cannot be selectively blocked without disabling all secure web traffic.
TLS Fingerprint
Chrome (uTLS)
Mimics Chrome's TLS implementation exactly using uTLS. Indistinguishable from genuine Chrome sessions under ja3/ja3s fingerprinting.
SNI Target
Enterprise Domains
Uses enterprise TLS 1.3 domains (microsoft.com, samsung.com) as SNI targets. These must support TLS 1.3 + HTTP/2 and not be behind a CDN.
Engine
XRay Core v26
Open-source, actively maintained, security-audited. Major version matching between client and server ensures REALITY handshake compatibility.
What REALITY Bypasses
Every layer of censorship and restriction — from your office IT department to national firewalls.
Deep Packet Inspection (DPI)
Enterprise and national DPI systems that fingerprint VPN protocols by analysing packet headers, handshake patterns, and traffic statistics. REALITY produces zero detectable patterns.
National Firewalls
China's Great Firewall, Iran's Smart Filtering, Russia's TSPU, and similar state-level censorship systems that actively detect and block VPN traffic.
Corporate Firewalls
Palo Alto, Fortinet, Cisco, Sophos, and other enterprise firewalls that block VPN protocols to enforce network policies. REALITY passes through as normal HTTPS.
Hotel & Airport Wi-Fi
Captive portals and network restrictions that block VPN protocols on guest Wi-Fi networks. REALITY uses standard HTTPS which is always allowed.
ISP Throttling
Internet providers that detect VPN traffic and reduce bandwidth. Since REALITY is indistinguishable from HTTPS, there is nothing to throttle selectively.
University Networks
Campus networks that restrict VPN usage to prevent bypassing content filters or bandwidth policies. REALITY passes all inspection as legitimate web traffic.
Where REALITY Is Essential
These countries actively block VPN protocols. REALITY is tested and working in all of them.
China
Great Firewall — the world's most advanced censorship system
Uses DPI, IP blacklisting, DNS poisoning, and active probing to detect and block VPNs. Regularly updates detection methods. REALITY bypasses all of them.
Read our China VPN guide →Iran
Smart Filtering — intensifies during protests and elections
Blocks WhatsApp, Instagram, Telegram, YouTube, and most international platforms. VPN detection ramps up during civil unrest. REALITY works through all of it.
Read our Iran VPN guide →Russia
TSPU — Technical System for Countering Threats
Deep packet inspection deployed at ISP level since 2019. Blocks OpenVPN, WireGuard, and most VPN protocols. REALITY traffic is unaffected.
UAE / Dubai
TRA — Telecommunications Regulatory Authority
Blocks VoIP apps (WhatsApp calls, FaceTime, Skype) and VPN protocols to protect telecom revenue. REALITY restores full access.
Turkey
BTK — Information and Communication Technologies Authority
Periodically blocks social media and VPN services during political events. Throttles encrypted traffic. REALITY passes through undetected.
Egypt
NTRA — National Telecom Regulatory Authority
Blocks VPN protocols and throttles VoIP traffic. Many popular VPNs are unreliable. REALITY operates normally on all Egyptian networks.
Also tested in Saudi Arabia, Vietnam, Myanmar, Turkmenistan, and Pakistan.
VLESS + REALITY vs WireGuard
Different tools for different situations. PremierVPN includes both — use the right one for your environment.
| Feature | VLESS + REALITY | WireGuard |
|---|---|---|
| Best for | Censored & restrictive networks | Everyday speed & privacy |
| Traffic visibility | Invisible — identical to HTTPS | Detectable as VPN |
| Bypasses DPI | ✓ All DPI systems | ✗ Detected by DPI |
| Works in China/Iran/Russia | ✓ Tested & working | ✗ Blocked |
| Raw speed | Near-native (XTLS zero-copy) | Fastest (kernel driver) |
| Routing | System proxy (browsers, apps) | System-wide (all traffic) |
| Encryption | TLS 1.3 + X25519 | ChaCha20-Poly1305 |
| Protocol | TCP port 443 | UDP (custom port) |
| Local proxy | ✓ SOCKS5 + HTTP | ✗ |
| Forward secrecy | ✓ Per-session keys | ✓ Per-session keys |
Security Properties
Forward Secrecy
Each session uses ephemeral X25519 keys. Even if long-term keys are compromised in the future, past sessions remain encrypted and inaccessible.
Per-User Isolation
Every subscriber receives a unique VLESS UUID, managed automatically. Compromise of one user's credentials has zero impact on any other user.
Zero Logs
PremierVPN does not record traffic, DNS queries, connection timestamps, IP addresses, or bandwidth usage. Your activity is never stored anywhere.
Credential Security
Your authentication token is stored locally in OS-protected storage. Your password is never saved. The XRay config is written on connect and deleted on disconnect.
Open Source Engine
Built on XRay Core v26 — fully open source, peer-reviewed, and actively maintained by the open-source community. No black boxes.
UK Jurisdiction
PremierVPN is a UK-based company. We are not subject to mandatory data retention laws and have no agreements with foreign intelligence agencies.
Ready to Go Invisible?
PremierVPN X with VLESS + REALITY is included free with every subscription. Download the app, sign in, and connect — your traffic becomes indistinguishable from regular web browsing.