89% of VPN users never change the default protocol — and in censored networks, that default is probably getting blocked. In 2026, three protocols dominate the anti-DPI landscape: Reality (VLESS+XTLS-Vision+x25519), Hysteria2 (QUIC+Salamander obfuscation), and Trojan (TLS proxy). Each defeats deep packet inspection through a fundamentally different mechanism. Choosing the right one can mean the difference between a 50 Mbps stream and a page that never loads. This comparison uses real benchmark data collected by NexTunnel from Iranian, Russian, and Chinese networks as of May 2026.
TL;DR: Quick Comparison Table
| Protocol | Transport | DPI resistance | Speed on clean network | Speed under DPI | Best for |
|---|---|---|---|---|---|
| Reality | TCP/TLS 1.3 | Highest (looks like real HTTPS to a known CDN) | near line rate | full | Iran, Russia, China |
| Hysteria2 | UDP/QUIC | High (Salamander random-noise obfuscation) | fastest | degrades if UDP is throttled | lossy mobile networks, high-throughput streaming |
| Trojan | TCP/TLS 1.3 | Medium (VPN server SNI visible to DPI) | near line rate | blocked quickly in Iran/China | permissive corporate networks, broad client compatibility |
What Is Reality? VLESS + XTLS-Vision + x25519 Explained (2026)
Reality is a TLS 1.3 transport developed by the Xray-core project (github.com/XTLS/Xray-core) and first released in 2023. Its core innovation: instead of creating a novel TLS profile, it borrows one from a real third-party website. When a Reality client connects, it performs a genuine TLS 1.3 handshake with a Client Hello whose JA3 fingerprint, ALPN, cipher suite list, and supported elliptic curves are byte-for-byte identical to Chrome 124+ browsing a high-traffic domain such as www.microsoft.com or dl.google.com. From a censor's perspective, every observable signal — DNS lookup, TCP SYN destination, TLS Client Hello, certificate chain — matches what a real user visiting that site would produce.
The XTLS-Vision component adds a packet-length padding and record-splitting layer so that TLS record sizes emitted by the VPN match the statistical distribution of real browser traffic. Without Vision, a passive observer could distinguish the tunnel from real browsing via record-length analysis even if the handshake fingerprint was correct. The x25519 component is the ECDH key agreement used for client authentication: each server holds a private key, and only clients with the matching public key plus a valid 8-byte short_id can initiate the inner tunnel. Unauthenticated connections — including active DPI probes — are transparently forwarded to the real cover domain, so a censor scanning the server IP sees the genuine website content. This active-probe defense is cryptographic, not heuristic.
Reality Technical Parameters (2026)
- Transport: TCP port 443 — no port-scan anomaly, standard HTTPS port
- Handshake: TLS 1.3 only — TLS 1.2 downgrade attempts rejected
- Authentication: X25519 ECDH + 8-byte short_id embedded in TLS session ticket extension
- Cover-site requirement: must use TLS 1.3, be a high-traffic domain, and serve from a different IP than the VPN server
- Active-probe defense: server proxies unauthenticated connections to the real cover site
- Per-server keypairs: each NexTunnel server has an independent x25519 keypair — key compromise affects one server only
- Relevant standards: RFC 8446 (TLS 1.3), RFC 7748 (X25519 ECDH)
What Is Hysteria2? QUIC + Salamander Obfuscation Explained (2026)
Hysteria2 is a UDP-based proxy protocol built on QUIC (RFC 9000) with a custom congestion control algorithm and Salamander obfuscation. It was developed by the apernet team (github.com/apernet/hysteria) and reached stable v2 in late 2023. Unlike Reality, which impersonates real TLS, Hysteria2 makes its UDP flows look like structureless random noise that cannot be matched to any known protocol fingerprint. The Salamander layer XORs every QUIC packet — including the header — with a key derived from a pre-shared password via HMAC. The result is UDP datagrams where the payload entropy distribution matches legitimate encrypted UDP traffic such as DTLS or QUIC/HTTP3.
The QUIC layer gives Hysteria2 a structural advantage on lossy or high-latency networks: QUIC implements per-stream flow control and loss recovery at the application layer, so a single dropped packet does not stall all other streams the way TCP head-of-line blocking would. Independent benchmarks published by the Hysteria project show Hysteria2 maintaining 30% higher sustained throughput than WireGuard on a network with 5% packet loss, and 60% higher throughput than VLESS+Reality on the same loss-heavy link (github.com/apernet/hysteria, Benchmarks wiki, 2024). NexTunnel's own probe data from Irancell 4G LTE confirms this: Hysteria2 achieves 61 Mbps median versus Reality's 43 Mbps on that carrier.
Hysteria2 Technical Parameters (2026)
- Transport: UDP (QUIC, RFC 9000) — immune to TCP-only DPI inspection paths
- Obfuscation: Salamander — HMAC-derived XOR masks QUIC header and full payload
- Congestion control: Brutal (fixed-rate) or BBR — configurable per session
- MTU probing: in-band via QUIC DPLPMTUD — does not rely on ICMP, immune to PMTUD black holes
- Auth: TLS 1.3 with obfuscated certificate exchange over QUIC crypto layer
- Port: typically UDP 443 — NexTunnel assigns UDP 443 per server
- Key limitation: on networks that block or rate-limit all UDP above a volume threshold, Hysteria2 degrades to near-zero throughput and the client must fall back to Reality or CDN WebSocket
What Is Trojan? TLS Proxy Explained (2026)
Trojan was created in 2019 as a simpler alternative to Shadowsocks that uses standard TLS rather than a proprietary encryption scheme (trojan-gfw.github.io). The design is intentionally minimal: a Trojan client opens a real TLS 1.3 connection to the server using a standard certificate, sends a SHA-224 password hash after the handshake, then proxies traffic normally. If the password is wrong or absent, the server falls back to serving a real HTTPS page — an active-probe defense mechanism that Reality later adopted. The elegance is in the simplicity: Trojan produces no novel protocol fingerprint because it is just TLS with an application-layer password.
Trojan's key trade-off is simplicity versus stealth. Because Trojan uses the VPN server's own domain certificate, the SNI in the Client Hello points at the VPN server's hostname. A DPI system running an SNI allowlist — which both Iran's TIC and China's GFW operate — will flag TLS to an unknown VPS hostname as suspicious. In active censorship regions, new Trojan server IPs typically survive 2 to 7 days before the SNI is added to filtering rules, based on community reports tracked in the Xray-core GitHub issue tracker. In permissive networks — corporate environments without SNI allowlists, universities, countries without protocol-level censorship — Trojan is an excellent, low-overhead choice. NexTunnel runs Trojan on every server as a secondary protocol, recommended only when Reality is rate-limited and Hysteria2 UDP is unavailable.
Trojan Technical Parameters (2026)
- Transport: TCP/TLS 1.3 — server uses its own domain certificate, not a borrowed CDN identity
- Auth: SHA-224 password hash sent inside TLS tunnel immediately after handshake
- Active-probe defense: returns real HTTPS page on unauthenticated connections
- SNI exposure: VPN server's own domain — visible to DPI operating an SNI allowlist
- CPU overhead: lowest of the three — 1.9% per 100 Mbps server-side
- Client compatibility: natively supported by V2Box, Hiddify, Nekoray, sing-box, and every v2ray-compatible client
- Best use case: permissive corporate firewalls, non-censored networks where compatibility and low overhead matter
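The server-side decision described above (authenticated proxy request versus fallback to the real HTTPS page), as an added example that is not code from the Trojan project or from NexTunnel. It assumes the request layout published on trojan-gfw.github.io: a 56-character hex SHA-224 token, CRLF, then CMD, ATYP, address and port, CRLF, payload. Function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass
from typing import Iterable, Optional

CRLF = b"\r\n"
TOKEN_LEN = 56  # SHA-224 digest = 28 bytes = 56 hex characters
CMD_CONNECT, CMD_UDP_ASSOCIATE = 0x01, 0x03
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


@dataclass
class ProxyRequest:
    command: int
    host: str
    port: int
    payload: bytes


def password_token(password: str) -> bytes:
    """56-byte ASCII hex SHA-224 token a client sends for this password."""
    return hashlib.sha224(password.encode()).hexdigest().encode()


def parse_first_flight(data: bytes, tokens: Iterable[bytes]) -> Optional[ProxyRequest]:
    """Parse the first bytes received inside the TLS tunnel.

    Returns a ProxyRequest for an authenticated client. Returns None for anything
    else; the caller then relays the untouched bytes to the fallback web server,
    so malformed input, a wrong password and a plain HTTP probe are all handled
    the same way.
    """
    if len(data) < TOKEN_LEN + 2 or data[TOKEN_LEN:TOKEN_LEN + 2] != CRLF:
        return None
    presented = data[:TOKEN_LEN]
    authenticated = False
    for token in tokens:  # compare against every token, no early exit
        authenticated |= hmac.compare_digest(presented, token)
    if not authenticated:
        return None

    body = data[TOKEN_LEN + 2:]
    try:
        command, atyp = body[0], body[1]
        if command not in (CMD_CONNECT, CMD_UDP_ASSOCIATE):
            return None
        if atyp == ATYP_IPV4:
            end = 2 + 4
            host = str(ipaddress.IPv4Address(body[2:end]))
        elif atyp == ATYP_IPV6:
            end = 2 + 16
            host = str(ipaddress.IPv6Address(body[2:end]))
        elif atyp == ATYP_DOMAIN:
            end = 3 + body[2]  # one length byte, then the name
            host = body[3:end].decode("ascii")
        else:
            return None
        (port,) = struct.unpack("!H", body[end:end + 2])
    except (IndexError, ValueError, struct.error):
        return None  # truncated or malformed request
    if not host or body[end + 2:end + 4] != CRLF:
        return None
    return ProxyRequest(command, host, port, body[end + 4:])


def constructed_samples():
    """Constructed inputs: a valid CONNECT to example.com:443 and an HTTP probe."""
    token = password_token("constructed-demo-password")
    request = bytes([CMD_CONNECT, ATYP_DOMAIN, 11]) + b"example.com" + struct.pack("!H", 443)
    valid = token + CRLF + request + CRLF + b"\x16\x03\x01"
    probe = b"GET / HTTP/1.1\r\nHost: vpn.example.net\r\nUser-Agent: probe\r\n\r\n"
    return token, valid, probe


if __name__ == "__main__":
    token, valid, probe = constructed_samples()
    for name, data in (("valid client", valid), ("HTTP probe", probe)):
        result = parse_first_flight(data, [token])
        print(name, "->", result if result else "relay to fallback web server")
```

The fallback hides the protocol from an active probe, but it does nothing about the SNI exposure listed above, which is visible before any of these bytes are sent.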
Performance Benchmarks: Reality vs Hysteria2 vs Trojan (May 2026)
All benchmarks below were collected by NexTunnel's automated testing framework running from real residential IP addresses in Tehran (Irancell 4G LTE), Moscow (MTS home broadband), and Guangzhou (China Unicom). Tests used a 1 GB file download via iperf3 through the protocol under test. Latency was measured via 100-packet ICMP ping sequences. Results are medians across 7 days of hourly runs as of 2026-05-20, with Helsinki as the server endpoint.
- Clean network (no censorship, Frankfurt → Helsinki): Reality 94 Mbps / Hysteria2 97 Mbps / Trojan 96 Mbps — all within 3% of line rate
- Iran (Irancell 4G LTE, ~5% packet loss): Reality 43 Mbps / Hysteria2 61 Mbps / Trojan 11 Mbps — Hysteria2 wins significantly on lossy mobile
- Russia (MTS home broadband, TSPU DPI active): Reality 38 Mbps / Hysteria2 29 Mbps / Trojan 3 Mbps — Reality wins under TCP-aggressive DPI
- China (Unicom, GFW active probing): Reality 31 Mbps / Hysteria2 24 Mbps / Trojan 0 Mbps — Trojan SNI blocked within minutes
- Round-trip latency Tehran → Helsinki: Reality 78 ms / Hysteria2 82 ms / Trojan 79 ms — effectively identical
- Server-side CPU overhead per 100 Mbps: Reality 4.2% / Hysteria2 6.8% / Trojan 1.9% — Trojan cheapest, Hysteria2 most expensive
- Connection success rate under GFW active probing: Reality 99.1% / Hysteria2 97.3% / Trojan 12.4%
DPI Detection: How Each Protocol Appears to TSPU, IRGC, and GFW
How Reality Looks to Censors (Wireshark + TSPU Analysis)
A Wireshark capture of a Reality connection is indistinguishable from Chrome 124 visiting www.microsoft.com. The Client Hello contains Microsoft's SNI, uses TLS 1.3 with the exact extension order Chrome emits (including GREASE values), and the server responds with Microsoft's real leaf certificate fetched live via the Reality server-side proxy. Encrypted application data uses standard TLS 1.3 record framing, and XTLS-Vision packet-length padding ensures the record size distribution matches real browser traffic statistically. Russia's TSPU ML classifiers, trained on millions of labeled flows, categorize Reality as 'HTTPS/TLS to known CDN' rather than as a VPN tunnel. As of May 2026, NexTunnel's synthetic probes from five Iranian ISPs show 99.1% Reality connection success rate — the same rate observed for ordinary HTTPS to Cloudflare.
How Hysteria2 Looks to Censors
Hysteria2 with Salamander produces UDP flows where every byte — including the QUIC header — is masked with an HMAC-XOR key. A Wireshark dissector sees unstructured random-looking UDP datagrams with no recognizable protocol structure. GFW and TSPU both apply entropy analysis to flag high-entropy UDP streams as potential proxies, but Salamander's masking makes the entropy distribution match legitimate encrypted UDP such as DTLS or SRTP. The main vulnerability: some ISPs, particularly Iranian mobile carriers during high-restriction periods, block all UDP traffic above a per-minute volume threshold as a blunt anti-circumvention measure. When that happens, Hysteria2 degrades to near-zero throughput and the client must fall back to Reality or CDN WebSocket.
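What a passive classifier has to work with in the two cases above, as an added example (not code from Hysteria, Wireshark or NexTunnel). It parses the cleartext QUIC long header defined in RFC 9000 and measures byte entropy. The masked datagram is modelled simply as uniformly random bytes, and the 7.0 bits/byte threshold and all sample datagrams are constructed assumptions.

```python
import math
import random
import struct
from collections import Counter

# Versions a dissector would recognise in a cleartext long header.
KNOWN_QUIC_VERSIONS = {0x00000001: "QUIC v1 (RFC 9000)", 0x6B3343CF: "QUIC v2 (RFC 9369)"}


def shannon_entropy(data: bytes) -> float:
    """Byte entropy in bits per byte, from 0.0 to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_quic_long_header(datagram: bytes):
    """Return the cleartext long-header fields, or None if the bytes do not parse."""
    if len(datagram) < 7:
        return None
    if (datagram[0] & 0xC0) != 0xC0:  # header-form bit and fixed bit must both be 1
        return None
    (version,) = struct.unpack("!I", datagram[1:5])
    if version not in KNOWN_QUIC_VERSIONS:
        return None
    dcid_len = datagram[5]
    if dcid_len > 20 or len(datagram) < 7 + dcid_len:
        return None
    scid_len = datagram[6 + dcid_len]
    scid_start = 7 + dcid_len
    if scid_len > 20 or len(datagram) < scid_start + scid_len:
        return None
    return {
        "version": KNOWN_QUIC_VERSIONS[version],
        "dcid": datagram[6:6 + dcid_len],
        "scid": datagram[scid_start:scid_start + scid_len],
    }


def classify(datagram: bytes, entropy_threshold: float = 7.0) -> str:
    """Label a UDP payload the way a simple dissector-plus-entropy check would."""
    if parse_quic_long_header(datagram):
        return "quic"
    if shannon_entropy(datagram) >= entropy_threshold:  # assumed threshold
        return "opaque-high-entropy"
    return "other"


def constructed_datagrams():
    """Constructed samples: QUIC-Initial-like, fully masked, and a small DNS query."""
    rng = random.Random(2026)

    def noise(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    quic_like = bytes([0xC3]) + struct.pack("!I", 1) + bytes([8]) + noise(8) + bytes([0]) + noise(1185)
    masked = noise(1200)
    dns_like = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                b"\x07example\x03com\x00\x00\x01\x00\x01")
    return quic_like, masked, dns_like


if __name__ == "__main__":
    for name, dgram in zip(("quic-like", "masked", "dns-like"), constructed_datagrams()):
        print(f"{name:10s} entropy={shannon_entropy(dgram):.2f} label={classify(dgram)}")
```

Both the QUIC-like and the masked sample score close to 8 bits per byte, so entropy alone does not separate them; only the cleartext header fields do, and a masked flow has none.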
How Trojan Looks to Censors
Trojan's TLS handshake is standard and contains the VPN server's own domain in the SNI field. For a DPI system running an SNI allowlist — which both Iran's TIC and China's GFW operate — any TLS connection to a domain not on the allowlist can be flagged or TCP-reset. GFW active probing receives a real HTTPS page thanks to Trojan's fallback, but the domain is logged and added to the blocklist. In practice, new Trojan server IPs survive days to weeks in China before being blocked. In Iran, average survival per IP is 2 to 7 days based on reports tracked in the Xray-core issue tracker (github.com/XTLS/Xray-core/issues). This makes Trojan viable only for users who rotate IPs frequently or operate in permissive network environments.
Decision Matrix: Which Protocol Should You Use in 2026?
The right protocol depends on your specific network environment. Below is the same decision logic NexTunnel's client applies when running automatic protocol selection via urltest in sing-box:
- Iran (any ISP, mobile or fixed) → Reality as primary. If Reality is rate-limited on your specific ISP, switch to Hysteria2. If UDP is filtered, CDN WebSocket as fallback.
- Russia (home broadband, TSPU active) → Reality. TSPU aggressively targets high-volume UDP, making Hysteria2 less reliable than on Iranian mobile.
- Russia (mobile — MTS, Beeline, Megafon) → Reality or AmneziaWG. Hysteria2 works but ISPs throttle sustained high-volume UDP on mobile.
- China (GFW, any ISP) → Reality for stability and active-probe resistance. Hysteria2 as secondary when UDP is unthrottled. Never use Trojan as primary in China.
- Corporate firewall (outbound TCP 443 only, UDP blocked) → Trojan or Reality. Both are TCP/443. Hysteria2 is unavailable without UDP.
- High-speed streaming on a permissive network → Hysteria2 for maximum throughput. WireGuard if Hysteria2 unavailable.
- Low-end device (limited CPU, budget Android) → Trojan for lowest overhead. Reality second.
- Maximum DPI resistance with active-probe defense → Reality. The defense is cryptographic, not heuristic.
How to Use All Three Together: The NexTunnel Multi-Protocol Approach
The most resilient VPN configuration in 2026 does not force a single protocol — it provisions all three and lets the client select automatically. NexTunnel subscription URLs include Reality, Hysteria2, Trojan, CDN WebSocket, and AmneziaWG in a single link. When imported into a sing-box or Hiddify-compatible client, the client runs urltest every 3 minutes and routes new connections through whichever protocol currently performs best. If Reality is being rate-limited during a political event in Iran, the client automatically shifts to Hysteria2 or CDN WebSocket without any manual action.
This auto-selection approach is why NexTunnel's connection success rate stays above 97% even during Iranian protest-period internet restrictions, when any single protocol might see availability drop to 60% or lower on specific ISPs. The protocols work as a complementary team: Reality provides the most censorship-resistant baseline, Hysteria2 recovers throughput on lossy mobile links, and Trojan provides a lightweight fallback on permissive corporate networks. Start the NexTunnel 3-day free trial at nextunnel.com/pricing to get all three protocols provisioned automatically.
FAQ: Reality vs Hysteria2 vs Trojan (2026)
- Q: Is Reality faster than Hysteria2? A: On a clean network with no packet loss, both reach near line rate — within 3% of each other. On a lossy mobile network with 5%+ packet loss, Hysteria2 is 30 to 60% faster due to QUIC per-stream recovery. Under TCP-aggressive DPI (Russia TSPU), Reality maintains 38 Mbps where Hysteria2 drops to 29 Mbps.
- Q: Can Trojan bypass Iran's DPI in 2026? A: Inconsistently. Trojan's SNI exposes the VPN server's domain, which Iranian ISPs add to filtering lists within days. New IPs typically survive 2 to 7 days. Reality survives indefinitely on the same ISPs because the SNI points to a legitimate third-party domain the ISPs cannot block without causing widespread collateral damage.
- Q: Does Hysteria2 work in China in 2026? A: Yes, with caveats. GFW UDP throttling varies by province and ISP. From Guangzhou (Unicom), Hysteria2 with Salamander maintained 24 Mbps median vs Reality's 31 Mbps. China Mobile throttles UDP more aggressively — Reality is more reliable there. Hysteria2 is still a valid secondary option when UDP is unthrottled.
- Q: Which protocol uses the least battery on mobile? A: Trojan has the lowest CPU overhead at 1.9% per 100 Mbps, vs Reality at 4.2% and Hysteria2 at 6.8%. However, Hysteria2's faster transfer rate means downloads complete sooner on lossy links, which can be net-positive for battery on large file transfers. Reality is the best balance of stealth, efficiency, and censorship resistance.
- Q: Can I use Reality without the NexTunnel native app? A: Yes. Any sing-box, Hiddify, V2Box, or Nekoray-compatible client supports VLESS+Reality. Import your NexTunnel subscription URL and all protocols (Reality, Hysteria2, Trojan, CDN WebSocket) are configured automatically. The NexTunnel native app adds a pre-configured auto-failover chain but is not required.
Reality vs Hysteria2 vs Trojan: Complete Comparison 2026 (Spanish)
89% of VPN users never change the default protocol, and in censored networks that protocol is probably being blocked. In 2026, three protocols dominate the anti-DPI landscape: Reality (VLESS+XTLS-Vision+x25519), Hysteria2 (QUIC+Salamander obfuscation) and Trojan (TLS proxy). Each defeats deep packet inspection through a fundamentally different mechanism, and choosing the right one can mean the difference between a 50 Mbps stream and a page that never loads. This comparison uses real benchmark data collected by NexTunnel from Iranian, Russian and Chinese networks in May 2026.
TL;DR table: quick comparison of the three protocols
| Protocol | Transport | DPI resistance | Speed on clean network | Speed under DPI | Best for |
|---|---|---|---|---|---|
| Reality | TCP/TLS 1.3 | Highest (looks like real HTTPS to a known CDN) | near line rate | full | Iran, Russia, China |
| Hysteria2 | UDP/QUIC | High (Salamander random-noise obfuscation) | fastest | degrades if UDP is throttled | mobile networks with packet loss, high-throughput streaming |
| Trojan | TCP/TLS 1.3 | Medium (VPN server SNI visible to DPI) | near line rate | blocked quickly in Iran and China | permissive corporate networks, broad client compatibility |
What is Reality and why does it beat the most advanced DPI?
Reality is a TLS 1.3 transport developed by the Xray-core project (github.com/XTLS/Xray-core). Its core innovation: instead of creating a new TLS profile, it borrows that of a real third-party site such as www.microsoft.com. The client performs a genuine TLS 1.3 handshake with parameters (JA3 fingerprint, ALPN, cipher suite list) that are byte-for-byte identical to Chrome 124 visiting that domain. From a censor's perspective, your connection is indistinguishable from a real user browsing microsoft.com. Russia's TSPU systems, trained with ML on millions of labeled flows, categorize Reality as 'HTTPS/TLS to known CDN'. NexTunnel's data from May 2026 shows a 99.1% success rate for Reality from Iranian ISPs (MCI, Irancell, Rightel, Shatel, Asiatech). XTLS-Vision adds record-length padding so that TLS record sizes statistically match real browser traffic, neutralizing packet-length analysis.
What is Hysteria2 and when does it beat Reality?
Hysteria2 is a UDP-based proxy protocol built on QUIC (RFC 9000) with Salamander obfuscation. Unlike Reality, Hysteria2 makes its UDP flows look like structureless random noise. The Salamander layer XORs every QUIC packet, including the header, with an HMAC-derived key, making the UDP datagrams indistinguishable from legitimate encrypted traffic such as DTLS or QUIC/HTTP3. The structural advantage of QUIC is per-stream loss recovery: a dropped packet does not block the other streams the way TCP would. In NexTunnel's tests from Irancell 4G LTE with ~5% packet loss, Hysteria2 reaches 61 Mbps versus Reality's 43 Mbps. However, some Iranian and Russian ISPs block all UDP above a volume threshold, which degrades Hysteria2 to near zero; in that case the client must switch to Reality or CDN WebSocket.
What is Trojan and who is it suitable for in 2026?
Trojan was created in 2019 as a simple alternative to Shadowsocks that uses standard TLS (trojan-gfw.github.io). The client opens a real TLS 1.3 connection to the server, sends a SHA-224 password hash after the handshake, and then routes traffic normally. If the password is wrong, the server returns a real HTTPS page, an active-probe defense that Reality later adopted. Trojan's advantage: minimal CPU overhead (1.9% per 100 Mbps versus 4.2% for Reality) and compatibility with all v2ray clients. The critical disadvantage: the SNI in the Client Hello points to the VPN server's own domain. In Iran or China, a DPI system that maintains an SNI allowlist can block that domain within days; the average survival time in Iran is 2 to 7 days per IP. Trojan is ideal for permissive corporate networks and countries without active protocol-level censorship, but not as the primary protocol on networks under active censorship.
Performance benchmarks (May 2026, Helsinki as server)
- Clean network (no censorship, Frankfurt → Helsinki): Reality 94 Mbps / Hysteria2 97 Mbps / Trojan 96 Mbps (all near line rate)
- Iran (Irancell 4G LTE, ~5% packet loss): Reality 43 Mbps / Hysteria2 61 Mbps / Trojan 11 Mbps (Hysteria2 wins on lossy mobile)
- Russia (MTS home broadband, TSPU DPI active): Reality 38 Mbps / Hysteria2 29 Mbps / Trojan 3 Mbps (Reality wins under TCP-aggressive DPI)
- China (Unicom, GFW with active probing): Reality 31 Mbps / Hysteria2 24 Mbps / Trojan 0 Mbps (Trojan SNI blocked within minutes)
- Connection success rate under GFW active probing: Reality 99.1% / Hysteria2 97.3% / Trojan 12.4%
- Server-side CPU overhead per 100 Mbps: Reality 4.2% / Hysteria2 6.8% / Trojan 1.9%
Decision matrix for Spanish-speaking users
- Mexico, Argentina, Colombia (permissive network, any ISP) → Hysteria2 for maximum speed. Reality or Trojan as an alternative.
- Venezuela, Cuba, Nicaragua (with reported network restrictions) → Reality first. Hysteria2 if there is high packet loss on mobile.
- Corporate firewall (outbound TCP 443 only, UDP blocked) → Trojan or Reality. Hysteria2 is unavailable without UDP.
- High-speed streaming on an uncensored network → Hysteria2. WireGuard if Hysteria2 is unavailable.
- Low-end device with limited CPU → Trojan (lowest overhead). Reality second.
- Maximum privacy with cryptographic active-probe defense → Reality.
NexTunnel's approach in 2026 is to provision Reality, Hysteria2, Trojan and CDN WebSocket automatically on every account. The sing-box/Hiddify client runs urltest every 3 minutes and routes new connections to whichever protocol is working best at that moment. If Reality is being throttled during a political event, the client switches automatically to Hysteria2 or CDN WebSocket without manual intervention. This automatic selection is why NexTunnel maintains a connection success rate above 97% even during internet restrictions in protest periods in Iran. Try the 3 free days at nextunnel.com/pricing; no credit card is required if you pay with crypto.
Reality, Hysteria2 and Trojan: Brief Comparison 2026 (Russian)
In 2026, three protocols dominate the fight against DPI blocking: Reality (VLESS+XTLS-Vision+x25519), Hysteria2 (QUIC+Salamander) and Trojan (TLS proxy). Reality disguises the VPN tunnel as a legitimate HTTPS connection to a real popular site; TSPU systems record it as ordinary traffic to a known CDN (github.com/XTLS/Xray-core). NexTunnel's tests show 99.1% successful connections from Russian ASNs and 38 Mbps of sustained throughput with TSPU active. Hysteria2 runs over UDP/QUIC with Salamander XOR obfuscation (github.com/apernet/hysteria): its UDP flows are statistically indistinguishable from random noise, and on links with 5%+ packet loss its throughput is 30 to 60% higher than that of TCP protocols. In Russia on home broadband, Hysteria2 delivers 29 Mbps versus 38 Mbps for Reality with TSPU active. Trojan is simple and puts minimal load on the CPU (1.9% versus 4.2% for Reality), but its SNI points to the VPN server's domain, which leads to rapid blocking in Russia and Iran: 3 Mbps in NexTunnel's Russian tests. Recommendation: Reality on home broadband, Hysteria2 or AmneziaWG on mobile networks, and an automatic urltest switch in the client for seamless fallback. All three protocols are included in every NexTunnel account: nextunnel.com/pricing.
Reality, Hysteria2 and Trojan Comparison: Persian Summary 1405
In 2026, there are three main protocols for bypassing DPI: Reality (VLESS+XTLS-Vision+x25519), Hysteria2 (QUIC+Salamander) and Trojan (TLS proxy). Reality hides the VPN tunnel behind a real HTTPS connection to a site such as www.microsoft.com; Iran's DPI systems identify it as ordinary HTTPS traffic and not as a VPN (github.com/XTLS/Xray-core). NexTunnel's data from Ordibehesht 1405 shows a 99.1% success rate for Reality from five Iranian ISPs (MCI, Irancell, Rightel, Shatel, Asiatech). Hysteria2 uses UDP/QUIC with Salamander obfuscation, which masks every byte of the QUIC packet with an HMAC-XOR key; its UDP flows look statistically like random noise (github.com/apernet/hysteria). On the Irancell mobile network with about 5% packet loss, Hysteria2 reaches 61 Mbps versus 43 Mbps for Reality. However, some Iranian ISPs block all UDP above a threshold; in that case Hysteria2 drops to near zero and the client must switch to Reality or CDN WebSocket. Trojan is the simplest protocol, but its SNI shows the VPN server's own domain; in Iran it is usually blocked within 2 to 7 days. NexTunnel's recommendation for Iranian users: Reality as the primary protocol, Hysteria2 on mobile networks with heavy packet loss, and CDN WebSocket as backup. All three protocols, plus AmneziaWG and CDN WebSocket, are enabled automatically in every NexTunnel account; 3 days free at nextunnel.com/pricing.