Picture a machine sitting between you and the internet, reading every connection you make and sorting them into “fine” and “not fine.” That machine is Deep Packet Inspection, or DPI, and it is very good at recognizing a VPN. To get past it you cannot look like a VPN at all. You have to look like the most boring traffic on the network.
This post explains how VLESS, Xray, and Reality do exactly that, in simple words. No deep networking background needed. If you know what a website and an internet connection are, you can follow along.
The problem with normal VPNs
A VPN sends your internet traffic through another computer first. Your real destination is hidden, and the network you are on only sees the connection to that one computer.
The trouble is that old VPN protocols are easy to recognize. Tools like OpenVPN and WireGuard have a clear “shape” on the network. A system called Deep Packet Inspection (DPI) looks at traffic and can say “that is a VPN” very quickly. Once it knows, it blocks the connection.
So hiding the destination is not enough. You also need to hide the fact that you are using a VPN at all.
The key idea behind Reality
Every secure website connection (HTTPS) starts with a TLS handshake. During this handshake, your device sends a small piece of plain, readable text called the SNI. SNI just means “the name of the website I want to visit.” A censor reads the SNI to decide if a connection is allowed.
Reality uses this to its advantage. Instead of putting your VPN server’s name in the SNI, it puts the name of a big, trusted website, for example www.microsoft.com. The connection then borrows the real certificate of that trusted website. So the censor sees a connection that looks exactly like a normal visit to Microsoft.
Blocking it would mean blocking Microsoft itself, and no censor wants to do that.
Here are the pieces and what each one does:
- VLESS is the protocol that carries your data. It is very light and adds almost no extra “fingerprint” of its own.
- Xray-core is the software you run. It is the engine that speaks VLESS and runs Reality.
- Reality is the camouflage layer. It is the part that borrows a real website’s identity.
- SNI / domain is the trusted website name you choose to hide behind.
What it looks like as a VPN
You rent a small server in another country. You install Xray with Reality on it. You point your laptop or phone at it. After that, your browsing travels through an encrypted tunnel to that server, and the server connects to the real internet for you.
```mermaid
flowchart LR
    A["YOUR DEVICE<br/>laptop or phone<br/>Xray client"]
    B["YOUR SERVER<br/>rented abroad<br/>Xray + Reality"]
    C["The open internet<br/>Google, YouTube,<br/>news, anything"]
    A -- "encrypted tunnel" --> B
    B -- "exit point" --> C
```
What the censor sees
This is the important part. The censor watches your connection leave the network, but the disguise holds.
```mermaid
sequenceDiagram
    participant D as Your Device
    participant S as Your Server (Reality)
    participant C as Censor / ISP
    D->>S: ClientHello, SNI = www.microsoft.com<br/>+ hidden secret key
    S-->>D: ServerHello, borrowing Microsoft's real certificate
    D->>S: Encrypted tunnel, you browse freely
    Note over C: Looking at the connection, the censor sees:<br/>SNI = www.microsoft.com<br/>Cert = valid, belongs to Microsoft<br/>Verdict: "Normal HTTPS to Microsoft. Allow it."
```
All of your activity, every website and every app, is wrapped inside one connection that appears to go to a trusted website.
Because Reality relies on the newest web security standard (TLS 1.3), the details of that borrowed certificate are actually hidden from the censor on the way back to your device. The censor sees the www.microsoft.com request go out, but they cannot easily read the certificate coming back to verify it. To them, it is just a solid, unreadable block of normal secure traffic.
Active probing
Smart censors do more than watch. They also test suspicious servers by connecting to them directly. This is called active probing. If a server answers in a strange, VPN-like way, the censor blocks it.
Reality has an answer for this. The handshake from a real user contains a secret key. The server checks for that key:
```mermaid
flowchart LR
    Y["YOU<br/>you have the key"]
    P["CENSOR PROBE<br/>no key"]
    K{"Server checks:<br/>does the handshake<br/>have the secret key?"}
    T["VPN TUNNEL"]
    F["FORWARD"]
    B["Your browsing"]
    R["The real microsoft.com"]
    Y -- "Hello + KEY" --> K
    P -- "Hello, NO KEY" --> K
    K -- "yes" --> T --> B
    K -- "no" --> F --> R
```
If the censor probes your server without the key, the server quietly forwards them to the genuine Microsoft website. The censor sees a normal web page load and decides the server is boring. Only you, with the correct key, get into the tunnel.
Same server, same address, two completely different results.
Weakness
This stack is strong, but it is not magic. There is one detail it cannot hide.
```
What the connection claims:  "I am www.microsoft.com"
Where it actually goes:      198.51.100.20
                             ^^^^^^^^^^^^^
                             a normal hosting IP, NOT a Microsoft address
```
A very advanced censor could check whether the IP address truly belongs to Microsoft. It does not, because the server is yours. In theory this mismatch can be caught.
In practice, doing this check for every connection across an entire country is slow and expensive. That is exactly why Reality works well. It is cheap for you to run and costly for a censor to defeat.
You can also make this mismatch harder to spot by being clever about your disguise. If your rented server is on Amazon AWS, you can choose to hide behind a trusted website that is also hosted on AWS. The censor checks the IP, sees it belongs to Amazon, and assumes everything is normal.
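The check described in this section, written out from the monitoring side as an added example (not part of the original post or of any real product): it compares the SNI a flow claims with who owns the destination IP. The prefix table, owner names and `shop.example.test` are constructed placeholders built from documentation address ranges; a real check would load operator-published ranges or an IP-to-ASN dataset.

```python
import ipaddress

# Constructed sample data: documentation prefixes standing in for real
# address space. None of these are actual operator ranges.
OWNER_PREFIXES = {
    "microsoft-placeholder": ["203.0.113.0/24"],
    "cloud-a": ["192.0.2.0/24"],            # hypothetical shared cloud
    "generic-hosting": ["198.51.100.0/24"],  # hypothetical VPS provider
}
# Owners each SNI is expected to be served from (constructed mapping).
SNI_OWNERS = {
    "www.microsoft.com": {"microsoft-placeholder"},
    "shop.example.test": {"cloud-a"},
}

def owner_of(ip: str):
    """Return the owner whose prefix contains ip, or None if unlisted."""
    addr = ipaddress.ip_address(ip)
    for owner, prefixes in OWNER_PREFIXES.items():
        if any(addr in ipaddress.ip_network(p) for p in prefixes):
            return owner
    return None

def classify(sni: str, dst_ip: str) -> str:
    """Compare the claimed SNI with the owner of the destination address."""
    expected = SNI_OWNERS.get(sni.lower().rstrip("."))
    if expected is None:
        return "unknown-sni"    # no baseline for this name, nothing to compare
    return "consistent" if owner_of(dst_ip) in expected else "mismatch"

def review(flows):
    """Classify a list of (sni, dst_ip) flow records."""
    return [(sni, ip, classify(sni, ip)) for sni, ip in flows]

# Constructed flow records; the second row is the case from the text above.
SAMPLE_FLOWS = [
    ("www.microsoft.com", "203.0.113.10"),
    ("www.microsoft.com", "198.51.100.20"),
    ("shop.example.test", "192.0.2.77"),
]

if __name__ == "__main__":
    for row in review(SAMPLE_FLOWS):
        print(*row)
```

The third row shows the limit of an owner-level comparison: any address inside the same provider's range is reported as consistent, so the check cannot tell the site's own servers from another tenant of that provider.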
Who actually uses this
This is mostly a tool for privacy and for reaching the open internet. People living under heavy internet filtering use it to read news, study, and stay in touch. Anyone who simply does not want their internet provider logging every site they visit can use it too. Tested results from inside China in 2026 still show very high success rates for this approach, which says a lot about how well the camouflage holds.
It is not a hacking tool by nature. It is a regular VPN that happens to be very good at not being noticed.