Why VLESS + Reality, and when you need it
A plain WireGuard or OpenVPN tunnel is great for privacy, but in countries with heavy censorship it has one weakness: deep packet inspection (DPI) can recognise the protocol by its fingerprint and block it, even without reading what is inside. That is exactly what has been happening in Russia, where operators block VPNs at the TSPU boxes on every network and regulators have pushed toward total blocking of VPN traffic.
Reality is the current best answer to that. It is a transport for the VLESS protocol (from the Xray project) that makes your connection look like an ordinary visit to a real, popular HTTPS website. It borrows that site's genuine TLS handshake, so to a censor's DPI your traffic is indistinguishable from normal browsing - and unlike older tricks it survives active probing: if a censor connects to your server to test it without the right key, the server quietly forwards them to the real site you are borrowing, so they just see an ordinary website and suspect nothing. Best of all, Reality needs no domain name and no TLS certificate of your own. We will set it up through 3X-UI, a web panel that does the hard parts for you.
- A cheap KVM-based VPS running Ubuntu 22.04 or 24.04. For bypassing censorship, pick a location outside the country doing the blocking, ideally with a fresh, clean IP.
- root SSH access (your provider emails this).
- About 20 minutes. This is a step up from a basic VPN, but the panel keeps it manageable.
root.Step 1: Connect and update the server
Log in over SSH (replace with your server's IP) and install the latest updates:
ssh root@YOUR_SERVER_IP
apt update && apt upgrade -y
Step 2: Install the 3X-UI panel
3X-UI installs with a single command. Run it and answer the prompts - when asked, set a username, a strong password, and a panel port:
bash <(curl -Ls https://raw.githubusercontent.com/mhsanaei/3x-ui/master/install.sh)
When it finishes, open the management menu at any time by typing:
x-ui
From that menu you can see (and change) the panel's port, login and secret access path. Note those three things down - you need them to open the panel in your browser.
Step 3: Log in and lock down the panel
Open the panel in your browser using the values from the previous step:
http://YOUR_SERVER_IP:PANEL_PORT/ACCESS_PATH
Log in, then harden it right away in Panel Settings:
- Change the login to a unique username and a long password if you have not already.
- Keep the secret access path (the random part of the URL) - it hides the panel from scanners.
- Set the panel to listen on a non-obvious port, and never reuse your VPN port for it.
While you are in Panel Settings, also switch on TCP BBR - it is a single toggle and it noticeably speeds up the connection, especially when the server is far away.
Step 4: Create the VLESS + Reality inbound
This is the core step, and the panel does the cryptography for you. In the panel open Inbounds and click Add Inbound, then set:
- Protocol:
vless. - Port:
443. The standard HTTPS port makes the traffic blend in. If a heavily censored network later starts throttling you on443, try moving the inbound to a random high port such as43821- some DPI systems skip deep inspection on non-standard ports to save resources. The trade-off:443looks like normal HTTPS, a high port does not. - Security:
reality. This is what makes the magic work. - Dest / Target: a real HTTPS site to impersonate. It must be foreign (outside the country blocking you), not itself blocked there, and support TLS 1.3 and HTTP/2. Proven donors are
www.microsoft.com:443,www.samsung.com:443,www.nvidia.com:443orwww.apple.com:443. Avoid sites that are blocked or throttled where you are (in Russia that means Google, Instagram, Facebook and X) and avoid anything behind Cloudflare - and the lower the ping from your VPS the better (aim for under ~30 ms), ideally in the same data centre. Modern 3X-UI even suggests a Target and SNI pair for you; you can accept it or set your own. - SNI / Server Names: the exact domain of the site you chose above (for example
www.samsung.com) - it must match what the target serves.
Now click the panel's buttons to generate the key pair (the x25519 public and private keys) and the shortIds - Reality needs them, and the panel fills them in automatically. Make sure the flow is set to xtls-rprx-vision - it is the standard choice for Reality: it hides the tell-tale "TLS inside TLS" pattern and makes the tunnel much faster. Save the inbound.
Advanced, optional: in the most aggressive networks some users switch the inbound's transport to XHTTP for extra resilience against behavioural analysis. It is newer and opinions differ, so treat it as an experiment rather than the default - plain Reality with Vision works for the vast majority.
Step 5: Open the firewall
Allow SSH, your inbound port (443) and the panel port from Step 2, then enable the firewall. Replace PANEL_PORT with your actual panel port:
ufw allow 22/tcp
ufw allow 443/tcp
ufw allow PANEL_PORT/tcp
ufw enable
22), allow that port instead before ufw enable, or you will lock yourself out.The secret access path plus a strong password keep the panel safe on that open port. If you would rather keep it fully hidden, do not allow the panel port above - instead reach the panel through an SSH tunnel from your own computer, then open http://localhost:8080 in your browser:
ssh -L 8080:localhost:PANEL_PORT root@YOUR_SERVER_IP
Step 6: Get your connection link
Back in Inbounds, find the client you just created and open its QR code or the vless:// share link (the panel shows both). That single link contains everything a client app needs - the address, the keys and the Reality settings. On a phone you will scan the QR code; on a computer you will paste the link.
To add more devices later, create another client inside the same inbound - each person gets their own link.
Step 7: Install a client app and connect
Reality works with any modern Xray-based client. Pick your platform below, import the link from Step 6, and connect.
Android: install v2rayNG - in heavily censored regions get it from the official GitHub releases rather than the Play Store, where it may be missing or faked. Tap + in the top corner, choose Scan QR code, point it at the panel's QR, then tap the round connect button at the bottom.
iPhone and iPad: install Streisand (free) from the App Store - V2Box and FoXray work well too. Tap +, choose Add from QR code or paste the vless:// link, then toggle the connection on and allow the VPN profile.
Windows: install Hiddify (simplest) or Nekoray. Copy the vless:// link, choose Add profile -> From clipboard, then press connect.
macOS: install Hiddify (also on the Mac App Store). Click Add profile -> From clipboard after copying the vless:// link, then press connect.
Linux desktop: use Hiddify or Nekoray. Import the vless:// link from the clipboard, select the server and connect.
Step 8: Verify it works
With the client connected, confirm two things on our own Network tools page. First, that the internet now sees your server's IP - shown at the top of the page. Second, open the DNS Leak Test tab: the resolvers listed should not belong to your home ISP. If both look right, your Reality tunnel is live.
Common mistakes
- Bad "dest" choice. If the site you impersonate is slow, blocked where you are, or does not support TLS 1.3, the connection will be flaky. Pick a big, fast, always-up site.
- SNI does not match the dest. The Server Name must be a domain the target actually serves. Mismatches cause instant disconnects.
- Panel left wide open. Never leave the panel on a guessable port with a weak password - it is full control of your server. Firewall it or tunnel to it.
- Provider firewall. Some hosts have their own firewall in a control panel on top of
ufw; make sure port443is open there too. - Port 443 already in use. If the server already runs a web server (Apache or Nginx) on
443, the inbound will not start. Free that port first, or give the inbound a different one. - Client fingerprint not set. In the client, the TLS fingerprint (uTLS) should be a real browser such as
chrome. The panel's share link usually sets this for you, but check it if the connection is unstable. - Using a blocked-country VPS. A server physically inside the censored network can be blocked at the source. Host it abroad.
The honest limits
Reality is excellent at hiding that you are using a VPN from network censors, but the usual honest limits of self-hosting still apply: your provider can see the IP addresses connecting to your server, and on a VPS the host can snapshot the machine's RAM. If you want to reduce what your own server records on disk, follow up with our guide on how to make your VPS keep no logs. Bear in mind this is a moving target too: censors keep escalating - Russia's TSPU, for instance, added behavioural analysis of VLESS tunnels in early 2026 and started blocking at the ASN level - so keep Xray and the panel updated and be ready to switch your dest or port if a connection starts to degrade. And as always, a VPN changes where your traffic appears to come from - it does not put you above the law of wherever you live.
x-ui and choose update), and back up the inbound's keys somewhere safe.