How to Bypass DPI Blocking with VLESS + Reality (3X-UI Guide)

Difficulty: Intermediate 10 min read Updated: 18.07.2026 13
How to Bypass DPI Blocking with VLESS + Reality (3X-UI Guide)
When a censor's DPI starts blocking plain WireGuard and OpenVPN, VLESS + Reality is the answer: it disguises your VPN as an ordinary visit to a real HTTPS website, needs no domain or certificate of your own, and survives active probing. This guide sets it up step by step with the 3X-UI web panel.

Why VLESS + Reality, and when you need it

A plain WireGuard or OpenVPN tunnel is great for privacy, but in countries with heavy censorship it has one weakness: deep packet inspection (DPI) can recognise the protocol by its fingerprint and block it, even without reading what is inside. That is exactly what has been happening in Russia, where operators block VPNs at the TSPU boxes on every network and regulators have pushed toward total blocking of VPN traffic.

Reality is the current best answer to that. It is a transport for the VLESS protocol (from the Xray project) that makes your connection look like an ordinary visit to a real, popular HTTPS website. It borrows that site's genuine TLS handshake, so to a censor's DPI your traffic is indistinguishable from normal browsing - and unlike older tricks it survives active probing: if a censor connects to your server to test it without the right key, the server quietly forwards them to the real site you are borrowing, so they just see an ordinary website and suspect nothing. Best of all, Reality needs no domain name and no TLS certificate of your own. We will set it up through 3X-UI, a web panel that does the hard parts for you.

  • A cheap KVM-based VPS running Ubuntu 22.04 or 24.04. For bypassing censorship, pick a location outside the country doing the blocking, ideally with a fresh, clean IP.
  • root SSH access (your provider emails this).
  • About 20 minutes. This is a step up from a basic VPN, but the panel keeps it manageable.
Self-contained: this guide takes you from a fresh VPS all the way to a working Reality tunnel, with no prior setup needed. Reach for Reality when a plain VPN gets blocked; if you just want a simpler everyday VPN, see our WireGuard guide. Run everything below as root.

Step 1: Connect and update the server

Log in over SSH (replace with your server's IP) and install the latest updates:

ssh root@YOUR_SERVER_IP
apt update && apt upgrade -y

Step 2: Install the 3X-UI panel

3X-UI installs with a single command. Run it and answer the prompts - when asked, set a username, a strong password, and a panel port:

bash <(curl -Ls https://raw.githubusercontent.com/mhsanaei/3x-ui/master/install.sh)

When it finishes, open the management menu at any time by typing:

x-ui

From that menu you can see (and change) the panel's port, login and secret access path. Note those three things down - you need them to open the panel in your browser.

Step 3: Log in and lock down the panel

Open the panel in your browser using the values from the previous step:

http://YOUR_SERVER_IP:PANEL_PORT/ACCESS_PATH

Log in, then harden it right away in Panel Settings:

  • Change the login to a unique username and a long password if you have not already.
  • Keep the secret access path (the random part of the URL) - it hides the panel from scanners.
  • Set the panel to listen on a non-obvious port, and never reuse your VPN port for it.

While you are in Panel Settings, also switch on TCP BBR - it is a single toggle and it noticeably speeds up the connection, especially when the server is far away.

Do not expose the panel to everyone. The safest setup is to leave the panel port closed in the firewall (Step 5) and reach it through an SSH tunnel, or at least protect it with a strong password and the secret path. The panel controls your whole server.

Step 4: Create the VLESS + Reality inbound

This is the core step, and the panel does the cryptography for you. In the panel open Inbounds and click Add Inbound, then set:

  • Protocol: vless.
  • Port: 443. The standard HTTPS port makes the traffic blend in. If a heavily censored network later starts throttling you on 443, try moving the inbound to a random high port such as 43821 - some DPI systems skip deep inspection on non-standard ports to save resources. The trade-off: 443 looks like normal HTTPS, a high port does not.
  • Security: reality. This is what makes the magic work.
  • Dest / Target: a real HTTPS site to impersonate. It must be foreign (outside the country blocking you), not itself blocked there, and support TLS 1.3 and HTTP/2. Proven donors are www.microsoft.com:443, www.samsung.com:443, www.nvidia.com:443 or www.apple.com:443. Avoid sites that are blocked or throttled where you are (in Russia that means Google, Instagram, Facebook and X) and avoid anything behind Cloudflare - and the lower the ping from your VPS the better (aim for under ~30 ms), ideally in the same data centre. Modern 3X-UI even suggests a Target and SNI pair for you; you can accept it or set your own.
  • SNI / Server Names: the exact domain of the site you chose above (for example www.samsung.com) - it must match what the target serves.

Now click the panel's buttons to generate the key pair (the x25519 public and private keys) and the shortIds - Reality needs them, and the panel fills them in automatically. Make sure the flow is set to xtls-rprx-vision - it is the standard choice for Reality: it hides the tell-tale "TLS inside TLS" pattern and makes the tunnel much faster. Save the inbound.

Advanced, optional: in the most aggressive networks some users switch the inbound's transport to XHTTP for extra resilience against behavioural analysis. It is newer and opinions differ, so treat it as an experiment rather than the default - plain Reality with Vision works for the vast majority.

Step 5: Open the firewall

Allow SSH, your inbound port (443) and the panel port from Step 2, then enable the firewall. Replace PANEL_PORT with your actual panel port:

ufw allow 22/tcp
ufw allow 443/tcp
ufw allow PANEL_PORT/tcp
ufw enable
Check your SSH port first. If your provider set SSH to a non-standard port (not 22), allow that port instead before ufw enable, or you will lock yourself out.

The secret access path plus a strong password keep the panel safe on that open port. If you would rather keep it fully hidden, do not allow the panel port above - instead reach the panel through an SSH tunnel from your own computer, then open http://localhost:8080 in your browser:

ssh -L 8080:localhost:PANEL_PORT root@YOUR_SERVER_IP

Back in Inbounds, find the client you just created and open its QR code or the vless:// share link (the panel shows both). That single link contains everything a client app needs - the address, the keys and the Reality settings. On a phone you will scan the QR code; on a computer you will paste the link.

To add more devices later, create another client inside the same inbound - each person gets their own link.

Step 7: Install a client app and connect

Reality works with any modern Xray-based client. Pick your platform below, import the link from Step 6, and connect.

Android: install v2rayNG - in heavily censored regions get it from the official GitHub releases rather than the Play Store, where it may be missing or faked. Tap + in the top corner, choose Scan QR code, point it at the panel's QR, then tap the round connect button at the bottom.

iPhone and iPad: install Streisand (free) from the App Store - V2Box and FoXray work well too. Tap +, choose Add from QR code or paste the vless:// link, then toggle the connection on and allow the VPN profile.

Windows: install Hiddify (simplest) or Nekoray. Copy the vless:// link, choose Add profile -> From clipboard, then press connect.

macOS: install Hiddify (also on the Mac App Store). Click Add profile -> From clipboard after copying the vless:// link, then press connect.

Linux desktop: use Hiddify or Nekoray. Import the vless:// link from the clipboard, select the server and connect.

Step 8: Verify it works

With the client connected, confirm two things on our own Network tools page. First, that the internet now sees your server's IP - shown at the top of the page. Second, open the DNS Leak Test tab: the resolvers listed should not belong to your home ISP. If both look right, your Reality tunnel is live.

Common mistakes

  • Bad "dest" choice. If the site you impersonate is slow, blocked where you are, or does not support TLS 1.3, the connection will be flaky. Pick a big, fast, always-up site.
  • SNI does not match the dest. The Server Name must be a domain the target actually serves. Mismatches cause instant disconnects.
  • Panel left wide open. Never leave the panel on a guessable port with a weak password - it is full control of your server. Firewall it or tunnel to it.
  • Provider firewall. Some hosts have their own firewall in a control panel on top of ufw; make sure port 443 is open there too.
  • Port 443 already in use. If the server already runs a web server (Apache or Nginx) on 443, the inbound will not start. Free that port first, or give the inbound a different one.
  • Client fingerprint not set. In the client, the TLS fingerprint (uTLS) should be a real browser such as chrome. The panel's share link usually sets this for you, but check it if the connection is unstable.
  • Using a blocked-country VPS. A server physically inside the censored network can be blocked at the source. Host it abroad.

The honest limits

Reality is excellent at hiding that you are using a VPN from network censors, but the usual honest limits of self-hosting still apply: your provider can see the IP addresses connecting to your server, and on a VPS the host can snapshot the machine's RAM. If you want to reduce what your own server records on disk, follow up with our guide on how to make your VPS keep no logs. Bear in mind this is a moving target too: censors keep escalating - Russia's TSPU, for instance, added behavioural analysis of VLESS tunnels in early 2026 and started blocking at the ASN level - so keep Xray and the panel updated and be ready to switch your dest or port if a connection starts to degrade. And as always, a VPN changes where your traffic appears to come from - it does not put you above the law of wherever you live.

Keep it yours: give every device its own client entry in the panel so you can revoke one without touching the others, keep 3X-UI updated (run x-ui and choose update), and back up the inbound's keys somewhere safe.
Tags: vless reality xray 3x-ui dpi censorship vpn bypass blocking anonymity