Modern circumvention stacks combine a client, a core (or platform), and one or more transport protocols to bypass censorship while balancing speed, reliability, and detectability. This guide gives you a practical overview of the most used software and the protocols they speak, with quick picks and best practices.
Quick Start
Pick one stack that matches your needs and platform. These are proven, stable choices:
- Stealth, general purpose: VLESS + Reality on Xray or Sing-box (TCP/TLS1.3).
- High throughput on bad networks: Hysteria2 (QUIC/UDP) via Sing-box.
- Simple and CDN-friendly: Trojan (or VLESS) over WebSocket + TLS behind Nginx/Caddy.
- Full-device tunnel and ease of use: WireGuard (VPN) with a good client app.
- Highest anonymity over speed: Tor with obfs4 bridges; accept higher latency.
Common client choices: Windows (V2RayN, Clash Meta-based clients), macOS (ClashX Meta), Android (Clash Meta for Android, v2rayNG), iOS (Shadowrocket, Stash, Surge). Use Clash Meta-based apps if you want rule-based traffic control and a GUI.
| Stack | Description |
|---|---|
| VLESS + Reality (Xray/Sing-box) | stealth, TCP, TLS1.3 |
| Trojan + TLS (+WS) + CDN (Nginx/Caddy) | camouflage, 443 |
| Shadowsocks + v2ray-plugin + WS + TLS | simple, CDN-friendly |
| Hysteria2 (QUIC/UDP) | speed on lossy links |
| WireGuard (VPN) | full tunnel, simple |
Tip: Whatever you choose, pair it with sane DNS. Prefer DoH/DoQ or split-horizon DNS that resolves domestic domains directly and foreign domains via proxy.
Clients at a Glance
Note: Many clients embed different cores; supported protocols can vary by build.
| Client | Platforms | Supports (high-level) | Links |
|---|---|---|---|
| Clash Meta for Android | Android | Clash Meta core; rules; VLESS/Reality, Trojan, SS, VMess | GitHub |
| Clash for Android | Android | Clash (classic) core; rules; SS, VMess | Play Store / GitHub |
| v2rayNG | Android | Xray/V2Ray; VMess, VLESS, Trojan, SS | Play Store / GitHub |
| Shadowsocks (Android) | Android | Shadowsocks (AEAD) | Play Store / GitHub |
| Outline (Android) | Android | Outline (SS-based) | Play Store / GitHub / HomePage |
| Shadowrocket | iOS | SS, V2Ray, Trojan (multi-protocol) | App Store |
| Stash | iOS | Rule-based client; multi-protocol | App Store |
| Potatso Lite | iOS | Shadowsocks | App Store |
| Potatso 2 | iOS | Shadowsocks | App Store |
| Outline (iOS) | iOS | Outline (SS-based) | GitHub / HomePage |
| ClashX Meta | macOS | Clash Meta core; rules; VLESS/Reality, Trojan, SS, VMess | GitHub |
| ClashX (classic) | macOS | Clash core; rules; SS, VMess | GitHub |
| ClashX Pro | macOS | Clash core with extras | App Center / GitHub |
| V2rayU | macOS | V2Ray/Xray; VMess/VLESS/Trojan/SS | GitHub |
| ShadowsocksX-NG | macOS | Shadowsocks | GitHub |
| Clash Verge | Windows | Clash/Meta-based GUI; rules | GitHub |
| Clash for Windows | Windows | Clash-based GUI; rules | GitHub |
| v2rayN | Windows | Xray/V2Ray; VMess, VLESS, Trojan, SS | GitHub |
| Shadowsocks (Windows) | Windows | Shadowsocks | GitHub |
| Qv2ray | Windows/macOS/Linux | Xray/V2Ray GUI; multi-protocol | GitHub / HomePage |
| Outline Client | Windows/macOS/Linux | Outline (SS-based) | GitHub / HomePage |
| MerlinClash | Router (Merlin/KoolCenter) | Clash on router firmware | Telegram |
| 梅林喵 | Router (Merlin) | Merlin firmware + Clash guide | Home Page |
Platforms at a Glance
| Name | Role | Key strengths | Notes |
|---|---|---|---|
| Sing-box | Core (client/server) | Modern, fast, broad protocol support (VLESS/Reality, Hysteria2, WireGuard) | Cross‑platform; active development |
| V2Ray (v2fly) | Core | Mature ecosystem, VMess/VLESS, flexible routing | Legacy-friendly; slower feature pace |
| Xray | Core | Reality, XTLS, strong TCP performance | Largely V2Ray-compatible configs |
| Clash Meta | Client/manager | Rule engine, TUN/DNS, modern transports | Active fork used by many GUIs |
| Clash (classic) | Client/manager | Solid rules and providers | Feature-frozen vs Meta |
| Shadowsocks (software) | Core/client | Simple, fast AEAD proxy | Pair with WS+TLS for DPI resistance |
| Tor | Network/client | High anonymity via onion routing | High latency/blocked by some sites |
| Surge | Client (iOS/macOS) | Premium UI, scripting, policy routing | Paid, closed-source |
| Hiddify | Client/manager | Easy profile packaging, onboarding | Capabilities depend on core |
| Nginx | Reverse proxy | TLS termination, CDN/fronting | Use with WS/TLS camouflage |
| Caddy | Reverse proxy | Auto-HTTPS, simple config | Great for quick TLS setups |
| HAProxy | Reverse proxy | High-performance L4/L7 proxying | Robust load balancing |
Protocols at a Glance
| Protocol | Purpose | Typical pairing |
|---|---|---|
| VMess | Original V2Ray protocol; flexible but fingerprintable if plain | V2Ray/Xray with TLS/WS or Reality |
| VLESS | Modern, simpler alternative to VMess | Xray/Sing-box with TLS or Reality |
| Trojan | HTTPS camouflage over TLS (443) | Fronted by Nginx/Caddy; optional WS |
| Shadowsocks | Encrypted SOCKS5-based proxy (AEAD) | With v2ray-plugin WS+TLS or domain fronting |
| Hysteria (v2) | QUIC/UDP, high throughput on lossy links | Sing-box; tune congestion/auth |
| WireGuard | Modern UDP VPN, full-device tunnel | Any OS; simple config, fast |
| SOCKS5 / HTTP(S) | Standard proxy interfaces (not secure alone) | App ↔ client hop inside secure tunnel |
| Reality / XTLS | TLS1.3 mimic and efficient TLS flow | Xray/Sing-box with VLESS (stealth/perf) |
Software Platforms / Cores
These are the programs that implement transports, routing, and encryption. Some are server cores, some are primarily clients.
Sing-box
Sing-box is a modern, high-performance core that supports a wide range of protocols: VMess, VLESS, Trojan, Shadowsocks/SS AEAD (and 2022 ciphers), Hysteria2 (QUIC/UDP), SOCKS/HTTP, and WireGuard. It runs on Linux, Windows, macOS, Android, and more.
- Highlights: Actively developed, efficient, rich routing/DNS, Hysteria2 and Reality support, JSON/TOML config, good cross-platform story.
- Use cases: All-in-one server core; client core for Clash-like apps or V2RayN (newer versions); fast stacks for mobile and desktop.
- Pros: Performance, breadth of protocols, modern transports, clean config model.
- Cons: Rapidly evolving; config details can change between versions; older clients may lag in features.
V2Ray (v2fly core)
V2Ray popularized VMess and provides a flexible platform with routing, DNS, and multiple transports (TCP, mKCP, WebSocket, HTTP/2). It also supports VLESS, Trojan, and Shadowsocks through plugins or native support.
- Highlights: Mature ecosystem, many tutorials, highly configurable.
- Use cases: Classic VMess/VLESS deployments; as a server or client core for many GUIs.
- Pros: Stability, community docs, wide client compatibility.
- Cons: VMess is easier to fingerprint than modern alternatives when misconfigured; performance and features trail Xray/Sing-box in some areas.
Xray
Xray is a fork of V2Ray focused on modern transports and performance. It introduced XTLS (Vision) and Reality for better stealth and efficiency. Xray remains highly compatible with V2Ray-style configs while adding new features sooner.
- Highlights: Reality (TLS1.3 mimic) support, XTLS Vision, good TCP performance, broad protocol support (VLESS, Trojan, Shadowsocks, VMess).
- Use cases: VLESS + Reality stacks; upgraded V2Ray configs with better stealth; efficient TCP tunneling.
- Pros: Modern transport options, performance improvements, active development.
- Cons: New features can be complex; requires care to configure securely.
Clash Meta (MetaCubeX)
Clash Meta is an actively developed fork of the Clash core, widely embedded in modern GUI clients. It retains Clash’s powerful rule engine and adds support for newer transports and features.
- Highlights: VLESS (incl. Reality), Trojan, Hysteria2/TUIC, enhanced TUN, Fake-IP/redir-host, richer DNS (DoH/DoQ, split with detours), better fingerprint/TLS options.
- Use cases: Daily driver client with policy routing, split tunneling, per-app/process rules, and modern protocol support across desktop and mobile.
- Pros: Modern transports, robust TUN/DNS, broad protocol coverage, active development.
- Cons: Not a server core; capability depends on the packaged core/build in the client; some Meta-only fields are not backward compatible with classic Clash.
Clash (classic)
The original Clash project (Dreamacro) that popularized rule-based policy routing for clients. It remains usable but is largely feature-frozen compared to Meta.
- Highlights: Solid rule engine, providers, and mature desktop clients (e.g., Clash for Windows, ClashX) built around the classic core.
- Use cases: Legacy configurations and environments that don’t require the newest transports.
- Pros: Stable and familiar; abundant community profiles and guides.
- Cons: Inactive/slow-moving; lacks many modern transports (Reality, Hysteria2/TUIC) and newer DNS/TUN capabilities available in Clash Meta.
Shadowsocks (original software)
Shadowsocks is both a protocol and a family of implementations. It’s simple and efficient (AEAD ciphers), and widely supported by clients. On its own it’s simpler to detect than TLS-based transports, but remains effective with proper plugins or camouflage.
- Highlights: Simplicity, speed, huge client ecosystem.
- Use cases: Lightweight proxy; combined with WebSocket+TLS via plugins for better camouflage.
- Pros: Easy to deploy, low overhead, stable.
- Cons: Needs obfuscation or TLS wrapping to resist DPI; limited feature set compared to newer platforms.
Tor (The Onion Router)
Tor provides high anonymity through layered encryption across volunteer relays. It prioritizes privacy over speed, making it suitable for sensitive browsing, not streaming or bulk transfers.
- Highlights: Onion routing, bridges (obfs4, meek), censorship circumvention in many regions.
- Use cases: High-privacy browsing, metadata protection, research/journalism.
- Pros: Strong anonymity set, free, mature.
- Cons: High latency, lower throughput; some sites block Tor exits.
Surge
Surge is a powerful, closed-source client for iOS and macOS with advanced rule-based routing, scripting, and traffic inspection. It integrates with server cores like Xray/Sing-box via standard protocols.
- Highlights: Premium UI/UX, automation, granular control.
- Use cases: Power-user client on Apple platforms; policy routing and debugging.
- Pros: Excellent usability and features.
- Cons: Paid, closed-source; not a server core.
Hiddify
Hiddify is a multi-platform auto-proxy client/manager that leverages backends like Sing-box and Xray. It focuses on ease of use, packaging profiles, and simplifying client setup across platforms.
- Highlights: One-stop client packaging; profile distribution.
- Use cases: Distributing working configs to less-technical users; quick client onboarding.
- Pros: Convenience, cross-platform reach.
- Cons: Tied to underlying cores for capabilities; less control for advanced tuning.
Nginx / HAProxy / Caddy (as reverse proxies)
These reverse proxies terminate TLS, forward HTTP, and can front protocols over WebSocket/HTTP/2. They are often used to make traffic look like normal HTTPS and to serve a legitimate site at the same domain.
- Highlights: TLS termination, HTTP routing, CDN compatibility, fallback to a real site.
- Use cases: Trojan or (VLESS/Shadowsocks via plugin) over WebSocket+TLS; serving a cover website on "/" and proxying the tunnel on a path/hostname.
- Pros: Enterprise-grade performance; easy certificate management (Caddy/ACME).
- Cons: Adds complexity; misconfiguration can expose your tunnel.
Major Protocols
These are the “languages” used by the platforms to communicate securely and evade blocking.
VMess
The original V2Ray protocol. Flexible but relatively easy to fingerprint if used without modern transports or camouflage. Generally recommended only when you need legacy compatibility.
- Strengths: Mature, widely supported, many guides.
- Caveats: Prefer VLESS/Trojan for new setups; consider WebSocket+TLS or Reality if you must use VMess.
VLESS
Successor to VMess with a simpler design. Often paired with TLS (including XTLS/Reality) for stealth and performance.
- Strengths: Modern, efficient, excellent with Reality or WebSocket+TLS.
- Caveats: Without TLS/XTLS, detection risks rise; configure DNS/SNI carefully.
Trojan
Trojan disguises proxy traffic as standard HTTPS. It relies on a valid certificate and typical HTTPS endpoints, often on port 443. Can be combined with WebSocket and fronted by Nginx/Caddy or a CDN.
- Strengths: Looks like real HTTPS; good compatibility.
- Caveats: Needs proper TLS/SNI and a real site as cover for best results.
Shadowsocks (protocol)
An encrypted SOCKS5-based proxy using AEAD ciphers. Simple and fast; best combined with TLS/WS plugins or domain fronting to resist DPI.
- Strengths: Lightweight, efficient, huge client support.
- Caveats: Plain SS can be detected; use plugins like v2ray-plugin (WS+TLS) where possible.
Hysteria (v2)
Performance-focused protocol over QUIC/UDP, designed for high speed and resilience to packet loss. Great for file transfers and streaming on poor links.
- Strengths: Throughput and stability under loss/latency.
- Caveats: UDP can be rate-limited or blocked; tune congestion control and auth.
WireGuard
Modern UDP-based VPN with strong cryptography and minimal configuration. Excellent for full-device tunneling and site-to-site links.
- Strengths: Simplicity, speed, cross-platform kernels/userspace.
- Caveats: UDP-blocking environments may hinder it; use ports and obfuscation tricks if needed.
SOCKS5 / HTTP(S)
Standard proxy protocols. Useful between local apps and a client, or within a chain. Not secure on their own; pair with encryption/transport layers.
- Strengths: Ubiquitous; many apps support them directly.
- Caveats: Use only over secure tunnels.
Reality / XTLS
Advanced transport and flow-control mechanisms primarily in Xray (and supported in Sing-box). Reality makes TLS1.3 handshakes mimic a real site using its fingerprint, improving indistinguishability. XTLS (Vision) reduces overhead and improves performance for TLS-protected streams.
- Strengths: Excellent stealth and efficiency when configured correctly.
- Caveats: Requires careful parameter choices (fingerprint, SNI/ServerName, ShortID, fallbacks).
Patterns and Topologies
Use these as starting points; adapt to your environment.
[Stealth]
Client --VLESS+Reality--> Xray/Sing-box (TCP/TLS1.3)
- Choose a popular TLS1.3 site fingerprint; set ShortID; no real cert required by Reality.
[Camouflage via Web]
Client --WS+TLS--> Nginx/Caddy --(reverse proxy)--> Xray/Sing-box (Trojan/VLESS/SS)
- Serve a real site on "/"; mount tunnel on "/ws" or a subdomain; use CDN if desired.
[Throughput on bad links]
Client --Hysteria2 (QUIC/UDP)--> Sing-box
- Tune auth, UDP ports, and congestion control; expect great speed if UDP allowed.
[Full device tunnel]
Client --WireGuard--> Server (NAT/Forwarding)
- Route 0.0.0.0/0 via WG; combine with policy routing/DNS split for best UX.
Best Practices
- DNS hygiene: Use DoH/DoQ or split DNS with proxy detours; avoid leaking queries.
- SNI and TLS: Match SNI/ServerName to a plausible host; keep TLS1.3 where possible; use uTLS/fingerprints if supported.
- Camouflage: Always serve a legitimate site when fronting with Nginx/Caddy; avoid empty domains.
- Rotate and monitor: Change keys/IDs periodically; watch for packet loss, RSTs, or throttling that indicate detection.
- Least exposure: Close unused ports; prefer 443/80 only; enable firewalls and rate limits.
- Client UX: For daily use, prefer Clash Meta-based clients with rules to keep domestic traffic direct and sensitive apps proxied.
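A way to check the "Least exposure" item, and the reverse-proxy caveat that misconfiguration can expose the tunnel, on a server you run. This is an added example, not part of the original guide: it reads `ss -H -tuln` output and reports every listener reachable from outside that is not on the allowed list. The sample output, the backend ports 10000/10001 and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of `ss -H -tuln` output on a host running the
# WS+TLS-behind-Nginx pattern. Ports 10000/10001 are hypothetical backends.
SAMPLE_SS = """\
tcp   LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:10000      0.0.0.0:*
tcp   LISTEN 0      4096               *:10001            *:*
tcp   LISTEN 0      128             [::]:22            [::]:*
udp   UNCONN 0      0      127.0.0.53%lo:53         0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:51820      0.0.0.0:*
"""

# "Prefer 443/80 only". Extend this with ports your chosen stack really
# needs (for example SSH, or the UDP port of a WireGuard/Hysteria2 server).
ALLOWED = {("tcp", 80), ("tcp", 443)}


def is_loopback(host):
    """True if the bind address is reachable only from the machine itself."""
    host = host.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and zone id
    if host == "*":                            # wildcard means every address
        return False
    return ipaddress.ip_address(host).is_loopback


def audit_listeners(ss_output, allowed=ALLOWED):
    """Return (proto, bind_address, port) for each externally reachable
    listener whose (proto, port) is not in the allowed set."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue                           # blank or malformed line
        proto, local = fields[0], fields[4]
        host, _, port = local.rpartition(":")  # split on the last colon
        if not port.isdigit() or is_loopback(host):
            continue
        if (proto, int(port)) not in allowed:
            findings.append((proto, host, int(port)))
    return findings


if __name__ == "__main__":
    for proto, host, port in audit_listeners(SAMPLE_SS):
        print(f"exposed: {proto} {host}:{port}")
```

In the sample, the backend on 127.0.0.1:10000 passes because only the reverse proxy can reach it, while the wildcard bind on 10001 is reported: that is a core listening directly on the public interface instead of behind Nginx/Caddy.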
Security and Legal
Bypassing network restrictions may violate local laws or terms of service. Understand your jurisdiction and risks before proceeding. Always protect your accounts and personal data, keep systems updated, and avoid distributing configurations that expose your infrastructure.
Further Reading
- Sing-box documentation: https://sing-box.sagernet.org/
- V2Ray (v2fly) docs: https://www.v2fly.org/
- Xray project: https://xtls.github.io/
- Clash Meta and clients: https://github.com/MetaCubeX
- Clash (classic): https://github.com/Dreamacro/clash
- Shadowsocks: https://shadowsocks.org/
- Tor Project: https://www.torproject.org/
- Caddy: https://caddyserver.com/ | Nginx: https://nginx.org/ | HAProxy: https://www.haproxy.org/