VLESS and VMess Proxy Protocols
What are VMess and VLESS
VMess and VLESS are proxy protocols developed as part of the V2Ray project (Project V) for bypassing internet censorship. They are designed to disguise proxy traffic as regular HTTPS, making them resilient to DPI (Deep Packet Inspection).
VMess (V2Ray Mess) is the first V2Ray protocol. It includes encryption and authentication at the protocol level.
VLESS is a lightweight version of VMess. It removes built-in encryption (delegated to TLS), which reduces overhead and improves performance.
Why New Protocols Are Needed
The Problem with Classic Proxies
SOCKS5 — The protocol is unencrypted. DPI easily identifies SOCKS5 traffic by its handshake.
HTTP CONNECT — The CONNECT method is visible in plain text. Easily detectable.
OpenVPN — Has characteristic traffic patterns identifiable by DPI.
Shadowsocks — Was effective, but the GFW (Great Firewall of China) learned to detect it through active probing and traffic analysis.
The V2Ray Solution
V2Ray designed protocols that:
- Have no characteristic patterns (look like regular HTTPS)
- Are resilient to active probing
- Support multiple transports (WebSocket, gRPC, HTTP/2)
- Disguise proxy traffic within a legitimate TLS connection
VMess in Detail
How it Works
VMess uses UUID-based authentication and symmetric encryption. Each request includes:
- Authentication — A 16-byte hash of UUID + timestamp. The server verifies the UUID against its list.
- Header Encryption — AES-128-CFB encryption of request metadata.
- Data Encryption — AES-128-GCM or ChaCha20-Poly1305 for the payload.
Protection Against Replay Attacks
VMess includes a timestamp in the authentication header. The server rejects requests with an outdated timestamp (120-second window) and remembers processed IDs to prevent replay.
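The server-side check described in the two sections above (UUID list lookup, 120-second window, memory of processed tags), as an added Go example that is not code from V2Ray or Xray. It assumes the legacy VMess tag construction, HMAC-MD5 keyed by the 16-byte UUID over an 8-byte big-endian UNIX timestamp; `Validator`, `AuthTag`, `Check` and the sample user ID are hypothetical names and constructed values.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"encoding/binary"
	"fmt"
)

const window = 120 // seconds; the acceptance window stated in the text
type Validator struct {
	users [][]byte           // configured user IDs as raw 16-byte UUIDs
	seen  map[[16]byte]int64 // accepted tag -> timestamp it authenticates
}

// AuthTag assumes HMAC-MD5 keyed by the UUID over the 8-byte big-endian time.
func AuthTag(uuid []byte, ts int64) (out [16]byte) {
	m := hmac.New(md5.New, uuid)
	binary.Write(m, binary.BigEndian, uint64(ts))
	copy(out[:], m.Sum(nil))
	return
}

// Check classifies a received tag as "ok", "replay" or "reject" at time now.
func (v *Validator) Check(tag [16]byte, now int64) string {
	for t, ts := range v.seen { // forget tags that could no longer validate
		if now-ts > window {
			delete(v.seen, t)
		}
	}
	if _, dup := v.seen[tag]; dup {
		return "replay"
	}
	for _, u := range v.users {
		for ts := now - window; ts <= now+window; ts++ { // time is not sent in clear
			if want := AuthTag(u, ts); hmac.Equal(want[:], tag[:]) {
				v.seen[tag] = ts
				return "ok"
			}
		}
	}
	return "reject"
}

func main() {
	v := &Validator{users: [][]byte{[]byte("0123456789abcdef")}, seen: map[[16]byte]int64{}}
	tag, now := AuthTag(v.users[0], 1700000000), int64(1700000005) // constructed ID and times
	fmt.Println(v.Check(tag, now), v.Check(tag, now+1), v.Check(tag, now+500))
}
```

A tag is kept in `seen` only while it could still validate, so the replay cache stays bounded by the window; a production server would index expected tags in a lookup table rather than recomputing them on every connection.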
VMess Disadvantages
- Double encryption (VMess + TLS) creates unnecessary overhead
- Vulnerability to active probing if misconfigured
- Complex protocol implementation
VLESS in Detail
Differences from VMess
VLESS removes built-in encryption, retaining only UUID-based authentication. Encryption is entirely delegated to an external layer (TLS/XTLS).
Advantages:
- Less overhead (no double encryption)
- Higher performance
- Simpler implementation
- Better compatibility with modern TLS libraries
XTLS (Xray TLS)
XTLS is an optimized version of TLS developed for Xray-core. When the proxied traffic is itself TLS (the client's HTTPS requests), XTLS avoids encrypting it a second time and passes the already encrypted data through directly.
This provides:
- 50-70% reduction in CPU load
- Increased throughput
- Indistinguishability from regular TLS traffic
VLESS + Reality
Reality is a new obfuscation mechanism that allows a proxy server to "impersonate" an existing real website (e.g., microsoft.com). When DPI inspects the server, it sees a genuine TLS certificate and the content of the real website.
Transports
VMess and VLESS support multiple transports:
| Transport | Description | Obfuscation |
|---|---|---|
| TCP | Direct TCP connection | Minimal |
| WebSocket | Via WebSocket over HTTPS | Appears as a WebSocket application |
| gRPC | Via gRPC over HTTP/2 | Appears as a gRPC API |
| HTTP/2 | Via HTTP/2 stream | Appears as HTTP/2 traffic |
| QUIC | Via QUIC/HTTP3 | Appears as QUIC traffic |
| mKCP | UDP transport, obfuscated as various UDP protocols | Can be disguised as FaceTime, WireGuard |
VLESS vs VMess vs Shadowsocks vs SOCKS5
| Parameter | VLESS | VMess | Shadowsocks | SOCKS5 |
|---|---|---|---|---|
| Encryption | Delegated to TLS | Built-in | Built-in | None |
| DPI Evasion | Excellent | Good | Moderate | None |
| Active probing | Resilient (Reality) | Moderate | Vulnerable | Vulnerable |
| Performance | High (XTLS) | Moderate | Good | High |
| Configuration | Complex | Complex | Moderate | Simple |
| Compatibility | Xray, V2Ray | V2Ray, Xray | Wide | Universal |
Clients and Servers
Server Implementations
Xray-core — The primary implementation supporting VLESS, VMess, XTLS, Reality. The most up-to-date.
V2Ray-core — The original implementation. Supports VMess and VLESS (without XTLS).
Sing-box — A universal proxy platform with support for all protocols.
Clients
| Platform | Clients |
|---|---|
| Windows | V2rayN, Nekoray, Clash Verge |
| macOS | V2rayU, ClashX, Surge |
| Linux | V2rayA, Nekoray |
| Android | V2rayNG, SagerNet, NekoBox |
| iOS | Shadowrocket, Quantumult X, Surge |
Practical Applications
Bypassing Censorship
The primary purpose is to bypass the GFW and other DPI systems. VLESS+Reality+XTLS is currently considered the most resilient combination.
Corporate VPN
Obfuscating VPN traffic as HTTPS to bypass corporate firewall restrictions.
Proxy Infrastructure
VLESS/VMess can be used as a transport layer for proxy services, providing encryption and obfuscation.
Conclusion
VLESS and VMess are advanced proxy protocols designed for DPI evasion. VLESS with XTLS and Reality currently offers the best combination of performance, security, and detection resilience. For bypassing internet censorship (China, Iran, Russia), these protocols have become the de facto standard.