Introduction: The New Frontier of Stealth
For years, the standard for V2Ray stealth was VLESS + WSS + CDN (Article 12). This method hid traffic inside HTTPS and masked the IP behind Cloudflare. However, modern, aggressive censors have evolved. They no longer just passively inspect traffic; they use Active Probing. The firewall sends a test connection to your V2Ray server and “interrogates” it. If your server doesn’t respond exactly like a legitimate, known website (like Google or Netflix), the firewall flags it as a proxy and blocks the IP.
The REALITY Protocol is the cutting-edge solution designed specifically to defeat Active Probing. It eliminates the need for you to own a domain name or manage TLS certificates. Instead, it allows your V2Ray server to steal the identity of a major, unblockable website (the “Target Site”). When a censor probes your server, REALITY ensures your server responds identically to that Target Site, making your tunnel hide in plain sight by masquerading as something too important to block.
Section 1: The Threat: Active Probing and TLS Fingerprinting
To understand why REALITY is necessary, we must first understand the modern threats it counters.
1. Active Probing (The Interrogation)
This method involves the censor sending a TLS request (the same kind of request your browser sends) to your server’s IP address. The censor checks:
- Does the server respond on Port 443? (Yes, standard for HTTPS).
- What TLS certificate does it present? If it presents a cheap, generic, or self-signed certificate, it’s flagged as suspicious.
- Does it behave like a known server? If the server’s handshake timing or error messages differ from the site it claims to be, it is blocked.
2. TLS Fingerprinting (The Identity Check)
Every device and program uses a unique signature when initiating a TLS connection, known as a Client Hello Fingerprint (JA3/Jager). Censors maintain a database of these fingerprints. If your client tries to connect to your server using a fingerprint that doesn’t match a standard browser (like Chrome), or if your server’s initial response doesn’t match the Target Site’s known behavior, the connection is immediately identified as anomalous and dropped.
REALITY forces both the client and server to use highly customized, pre-verified fingerprints that match common browsers and a Target Site, making the traffic indistinguishable from legitimate activity.
Section 2: The Core Mechanism of REALITY
REALITY works by embedding the key authentication data within the TLS handshake itself, essentially “piggybacking” on the encryption setup.
1. The Key Generation (The Secret)
Unlike VLESS, which uses a simple UUID, REALITY uses a stronger, longer private key (X25519) and a shorter public key derived from it.
- Server Side: Holds the Private Key.
- Client Side: Holds the Public Key (and the Short ID). This asymmetric cryptography ensures that even if someone intercepts the traffic, they cannot impersonate the server without the private key.
2. SNI Mimicry (serverNames and dest)
The Server Name Indication (SNI) is the domain name your client tells the server it wants to connect to during the handshake.
- Target Site (dest): This is the IP and port of the real, unblockable site you want to mimic (e.g., www.microsoft.com:443).
- Mimicked SNIs (serverNames): These are the fake domains your client pretends to connect to (e.g., azure.microsoft.com).
How it works: When a censor probes your server IP using the SNI azure.microsoft.com, your V2Ray server (acting as a “Man-in-the-Middle”) forwards that handshake to the real Microsoft server. It captures Microsoft’s genuine TLS certificate and sends it back to the censor. The censor sees a valid, trusted Microsoft certificate signed by a major CA, assumes the connection is legitimate, and allows it.
3. Connection Flow
- Valid Client: If the client sends the correct REALITY Public Key in the handshake, the V2Ray server intercepts the connection before it reaches Microsoft, establishes the tunnel, and processes the proxy traffic.
- Invalid Probe: If a censor (or random user) connects without the key, V2Ray acts as a transparent proxy, forwarding the traffic to Microsoft. The probe sees the real Microsoft site, confirming the “legitimacy” of the server.
Section 3: Mandatory Prerequisites and Configuration
REALITY is powerful but requires strict adherence to its configuration rules.
Prerequisites Checklist:
- VLESS Protocol: REALITY is built as a transport mechanism specifically for VLESS (VLESS + REALITY).
- Static Public IP: Your V2Ray server must have a static IP address; it cannot be hidden behind a CDN (like Cloudflare) because the REALITY mechanism relies on controlling the direct connection and the client’s public IP during the handshake.
- Correct Time Sync: As with all VLESS protocols, NTP time synchronization is mandatory.
- Target Site Selection: You must choose a high-profile, legitimate website to mimic (e.g., a major cloud provider or a large streaming service) that supports TLS 1.3 and H2.
Server Inbound Configuration (REALITY Example)
```json
{
  "inbounds": [
    {
      "port": 443,
      "protocol": "vless",
      "settings": {
        "clients": [
          { "id": "YOUR-UUID", "flow": "xtls-rprx-vision" }
        ],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "tcp",
        "security": "reality", // Enable REALITY
        "realitySettings": {
          "show": false, // Silent mode
          "dest": "www.microsoft.com:443", // The real site to steal the identity from
          "xver": 0,
          "serverNames": [
            "www.microsoft.com",
            "azure.microsoft.com"
          ], // Domains the client must use as SNI
          "privateKey": "YOUR-GENERATED-PRIVATE-KEY", // The core secret
          "shortIds": [""] // Optional short authentication string
        }
      }
    }
  ]
}
```
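As an added example (not code from the article or from the Xray project), the following Python checker applies the rules Sections 2 and 3 place on a REALITY inbound before it is deployed: VLESS with no decryption, security set to reality, a host:port dest, at least one SNI in serverNames, a 32-byte X25519 privateKey in base64url, and well-formed shortIds. The sample inbound and its all-zero placeholder key are constructed for the demonstration.

```python
import base64
import re

# Constructed sample modelled on the article's server inbound; the privateKey is a
# placeholder (32 zero bytes, base64url without padding), not a usable key.
PLACEHOLDER_KEY = base64.urlsafe_b64encode(bytes(32)).rstrip(b"=").decode()
SAMPLE_INBOUND = {
    "port": 443, "protocol": "vless",
    "settings": {"clients": [{"id": "YOUR-UUID", "flow": "xtls-rprx-vision"}],
                 "decryption": "none"},
    "streamSettings": {
        "network": "tcp", "security": "reality",
        "realitySettings": {
            "show": False, "dest": "www.microsoft.com:443", "xver": 0,
            "serverNames": ["www.microsoft.com", "azure.microsoft.com"],
            "privateKey": PLACEHOLDER_KEY, "shortIds": [""],
        },
    },
}

def check_reality_inbound(inbound: dict) -> list:
    """Return the list of rule violations; an empty list means the inbound passes."""
    problems = []
    if inbound.get("protocol") != "vless":
        problems.append("protocol must be vless: REALITY is a VLESS transport")
    settings = inbound.get("settings", {})
    if settings.get("decryption") != "none":
        problems.append("settings.decryption must be 'none'")
    stream = inbound.get("streamSettings", {})
    if stream.get("security") != "reality":
        problems.append("streamSettings.security must be 'reality'")
    r = stream.get("realitySettings", {})
    host, _, port = str(r.get("dest", "")).rpartition(":")
    if not host or not port.isdigit() or not 0 < int(port) < 65536:
        problems.append("dest must be host:port of the real site to mimic")
    names = r.get("serverNames") or []
    if not names or not all(isinstance(s, str) and s for s in names):
        problems.append("serverNames must list at least one SNI the client may send")
    key = str(r.get("privateKey", ""))
    try:  # keys are printed as unpadded base64url; re-pad before decoding
        raw = base64.urlsafe_b64decode(key + "=" * (-len(key) % 4))
    except ValueError:
        raw = b""
    if len(raw) != 32:
        problems.append("privateKey must be a 32-byte X25519 key in base64url")
    for sid in r.get("shortIds", [""]):
        if not re.fullmatch(r"[0-9a-f]*", str(sid)) or len(sid) % 2 or len(sid) > 16:
            problems.append(f"shortId {sid!r} must be lowercase hex, even length, <= 16 chars")
    return problems
```

Run it against the parsed "inbounds" entry of a real config; the literal "YOUR-GENERATED-PRIVATE-KEY" from the article's template is rejected because it does not decode to 32 bytes.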
Section 4: REALITY vs. CDN Obfuscation
| Feature | REALITY | VLESS + CDN (WSS) |
|---|---|---|
| Stealth Type | Identity Theft (Mimics a specific real site) | Hiding (Masks IP behind a large CDN) |
| IP Exposure | Exposed (but censors are fooled by the reply) | Hidden (behind the CDN’s large pool) |
| Against Active Probing | Excellent (Responds exactly like the Target Site) | Good (Responds like a generic HTTPS server) |
| Configuration | Complex (Key generation, finding target IP) | Simpler (Requires domain registration) |
| Throughput | Excellent (Direct connection, no CDN hop) | Good (Slight latency penalty from CDN) |
Conclusion: The New Gold Standard
The REALITY protocol is the current gold standard for environments facing constant, automated, and advanced censorship measures. By fundamentally shifting the security model from simple encryption to cryptographically validated identity theft, REALITY creates a tunnel that is not merely encrypted, but is practically invisible. While it requires a direct connection (exposing the IP), the resilience it offers against sophisticated firewall analysis—by making your server indistinguishable from a giant like Microsoft or Google—is unmatched in the current anti-censorship landscape.