VPN protocols compared: 12 protocols across 7 servers

20.04.2026

NexTunnel runs 12 protocols simultaneously on every VPN node. Here is what each one is good for, what it costs in latency and CPU, and how we decide which to recommend.

Most VPN providers publicly support two or three protocols. NexTunnel runs twelve in parallel on every server in our pool — Helsinki, Nuremberg, Dubai, USA, México and the rest. The reason is simple: there is no single best protocol for every network. A protocol that wins in Tehran will lose in a corporate firewall in Frankfurt, and the only way to give every user a usable connection is to cover the whole space.

The full lineup

  • VLESS+Reality (TCP/443) — flagship, default for most users
  • VLESS+Reality on alternative ports/SNI — for stricter networks
  • VLESS over WebSocket+TLS+CDN — fronted by Cloudflare for maximum censorship resistance
  • Trojan over TLS — classic stealth, useful when Reality is rate-limited
  • VMess+TLS — older but widely supported by client apps
  • Shadowsocks 2022 (AEAD) — minimal handshake, good for low-end devices
  • Hysteria2 (UDP/QUIC) — best throughput on lossy mobile networks
  • TUIC v5 — UDP-based, similar profile to Hysteria2 with a different fingerprint
  • WireGuard — for users who already have native WG clients
  • OpenVPN UDP and TCP — universal compatibility, including legacy routers
  • IKEv2/IPsec — native on iOS/macOS, no third-party app needed

Picking by environment

Heavy censorship (Iran, China, Russia)

Reality first. CDN WebSocket as a backup. Hysteria2 if UDP gets through. Avoid OpenVPN and IKEv2 — both have well-known DPI signatures and will be detected almost immediately on networks with active inspection.

Restrictive corporate networks

These usually allow only outbound TLS on 443. CDN WebSocket through Cloudflare is the high-percentage play — it looks like ordinary HTTPS to a Cloudflare-hosted site. If outbound DNS over HTTPS is also blocked, we fall back to Reality with a borrowed-site IP that the corporate proxy already trusts.

High-latency or lossy mobile

Hysteria2 dominates here. QUIC's per-packet authentication and built-in congestion control survive packet loss far better than TCP-based protocols, and the Salamander obfuscation layer keeps it indistinguishable from random UDP at the line level.

Streaming and low-overhead use cases

WireGuard is the throughput champion in clean networks. We default streaming-tier accounts to WG when the user reports being on a permissive ISP, and we monitor latency on the link to detect whether the ISP starts shaping it.

How we measure

Every device that connects to NexTunnel emits a small telemetry ping with the protocol it used and whether the connection succeeded. We aggregate this per-server and per-protocol, anonymised and bucketed by country code only — no IPs, no usernames. The result is a live heatmap of which protocols work where, which feeds the recommendation engine in your dashboard.

Why all 12 on every server

Operationally it is more complex to run twelve protocols than two. But it removes the worst failure mode in our category: the user who pays for a VPN, finds it does not connect on their network, and leaves. A new device on a strange ISP can try Reality first, then CDN, then Hysteria2, then TUIC, all from a single account, until something gets through. That is the difference between a tool that mostly works and one that works.
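The aggregation under "How we measure" and the try-one-then-the-next ordering above, as an added example that is not NexTunnel's own code: the telemetry pings, protocol labels, environment names and thresholds are all constructed for illustration, and the success-rate demotion rule is an assumption about how measured data would adjust the post's default order.

```python
from collections import defaultdict

# Constructed telemetry pings: (country code, protocol, connection succeeded).
# Per the post, no IP or username is ever part of a ping; country is the only locality field.
PINGS = [
    ("IR", "vless-reality", True), ("IR", "vless-reality", True), ("IR", "vless-reality", False),
    ("IR", "openvpn-udp", False), ("IR", "openvpn-udp", False),
    ("IR", "hysteria2", True), ("IR", "hysteria2", False),
    ("IR", "hysteria2", False), ("IR", "hysteria2", False),
    ("IR", "vless-ws-cdn", True), ("IR", "vless-ws-cdn", True),
    ("DE", "wireguard", True), ("DE", "wireguard", True), ("DE", "vless-reality", True),
]

# Default fallback orders per environment, best first (labels are constructed).
ENV_ORDER = {
    "heavy-censorship": ["vless-reality", "vless-ws-cdn", "hysteria2", "tuic"],
    "corporate": ["vless-ws-cdn", "vless-reality"],
    "lossy-mobile": ["hysteria2", "tuic", "vless-reality"],
    "permissive": ["wireguard", "vless-reality", "openvpn-udp"],
}
# Protocols the post says to avoid outright in a given environment.
AVOID = {"heavy-censorship": {"openvpn-udp", "openvpn-tcp", "ikev2"}}


def aggregate(pings):
    """Per-(country, protocol) -> (success rate, sample count), refusing any
    locality finer than a two-letter country code so the bucketing promise holds."""
    counts = defaultdict(lambda: [0, 0])  # [successes, attempts]
    for country, proto, ok in pings:
        if len(country) != 2 or not country.isalpha():
            raise ValueError("locality must be a 2-letter country code, nothing finer")
        counts[(country, proto)][1] += 1
        if ok:
            counts[(country, proto)][0] += 1
    return {key: (succ / total, total) for key, (succ, total) in counts.items()}


def recommend(env, country, stats, min_rate=0.5, min_samples=3):
    """Fallback order for a new device: the environment's default order with the
    avoid-list dropped and protocols that measurably fail in that country moved last.
    Unmeasured or under-sampled protocols keep their default position."""
    order = [p for p in ENV_ORDER[env] if p not in AVOID.get(env, set())]

    def known_bad(proto):
        rate, samples = stats.get((country, proto), (None, 0))
        return samples >= min_samples and rate < min_rate

    return [p for p in order if not known_bad(p)] + [p for p in order if known_bad(p)]
```

Calling `recommend("heavy-censorship", "IR", aggregate(PINGS))` keeps Reality and CDN WebSocket in front but pushes Hysteria2 behind TUIC, because the constructed Iranian pings show UDP mostly failing there.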