Twelve protocols across all NexTunnel servers — pick the one that beats your network's restrictions or wins the speed test.
How each protocol fares against the real DPI stacks deployed by these governments.
| Protocol | China | Russia | Iran | UAE |
|---|---|---|---|---|
| OpenVPN | ✕ | ⚠ | ✕ | ⚠ |
| WireGuard | ✕ | ⚠ | ✕ | ⚠ |
| VLESS Reality | ✓ | ✓ | ✓ | ✓ |
| Hysteria2 | ✓ | ✓ | ✓ | ✓ |
✓ works · ⚠ unstable · ✕ blocked. Based on field reports from our user base; results vary by ISP and time of day.
Our flagship protocol. Mimics a real TLS handshake with a target site so DPI cannot tell it apart from normal HTTPS traffic.
Best for: Heavy censorship (Russia, Iran, China). Most users should start here.
Same Reality cipher on alternate ports and SNI for networks that block port 443 or our default SNI fingerprint.
Best for: Corporate firewalls and stricter ISPs that block the standard profile.
VLESS over WebSocket fronted by Cloudflare. Traffic is indistinguishable from any other Cloudflare-hosted site.
Best for: Networks that block direct TLS but allow Cloudflare. Maximum censorship resistance.
QUIC-based UDP transport with BBR congestion control. The fastest option when UDP is allowed.
Best for: Streaming, gaming, and any high-bandwidth workload over good networks.
Pure TLS 1.3 with a password-only authentication layer. Indistinguishable from a regular HTTPS website.
Best for: Networks where Reality is detected but plain TLS is allowed.
Modern QUIC-based protocol with multiplexing and 0-RTT handshakes. Fast even on lossy or high-latency networks.
Best for: Mobile networks, satellite links, and unstable Wi-Fi.
ShadowTLS wraps Mieru in a real TLS 1.3 handshake. Strong against active probing and TLS fingerprinting.
Best for: Active-probe DPI environments where Reality is detected.
Battle-tested SOCKS5-style proxy with the new 2022-blake3-aes-256-gcm cipher and randomized ports.
Best for: China (GFW) and as a reliable fallback when newer protocols fail.
Modern kernel-grade VPN with Curve25519 + ChaCha20-Poly1305. The fastest classic VPN protocol.
Best for: Open networks where pure speed and battery life matter most.
WireGuard fork that injects junk packets to defeat DPI fingerprinting. Works where vanilla WireGuard is blocked.
Best for: Russia (TSPU), Iran, and any network that DPI-blocks vanilla WireGuard.
Industry-standard VPN with broad client support across every platform and router.
Best for: Legacy clients, routers, and corporate compatibility requirements.
Native VPN built into iOS, macOS, and Windows. Survives network changes (Wi-Fi to LTE) without dropping.
Best for: Mobile devices that want zero-app-install native VPN integration.
Every plan includes every protocol. Switch any time from your dashboard.
View pricing