
Comparing VPN Protocols for Connectivity from China

Ikesan

Back when I was running a communication service for foreign companies based in China, I compiled notes on VPN servers I had built. Since I had the material, I decided to compare each protocol from the perspective of connecting from within China.

Protocols Compared

The six protocols covered here:

  1. ShadowSocks - Proxy (2012–)
  2. V2Ray - Proxy (2016–)
  3. SoftEther VPN - VPN (2014–)
  4. WireGuard - VPN (2018–)
  5. OpenConnect - VPN (2009–)
  6. IKEv2 - VPN (2005–)

Note: ShadowSocks and V2Ray are technically proxies rather than VPNs, but they are commonly discussed as “VPNs for China,” so they are included here.

Comparison Table

| Protocol    | Type  | Speed | Setup | GFW Evasion | 2025 Status |
|-------------|-------|-------|-------|-------------|-------------|
| ShadowSocks | Proxy |       |       |             | ×           |
| V2Ray       | Proxy |       |       |             | △           |
| SoftEther   | VPN   |       |       | ×           | ×           |
| WireGuard   | VPN   |       |       |             | △           |
| OpenConnect | VPN   |       |       |             | ○           |
| IKEv2       | VPN   |       |       | ×           | ×           |

Legend: ◎ = Excellent, ○ = Good, △ = Conditional, × = Not recommended

Protocol Details

ShadowSocks

Status: DPI (Deep Packet Inspection) detection ramped up around 2019, and it is now largely unusable on its own.

  • Developed by a Chinese programmer in 2012
  • Highly effective in its early days, but could not keep pace with GFW evolution
  • Distinctive traffic patterns make it vulnerable to machine-learning-based detection

Rating: × (Not recommended as a standalone solution)
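The "distinctive traffic pattern" that sinks standalone ShadowSocks is simply that its first packet is random-looking from byte one, while every protocol rated higher on this page (V2Ray over WebSocket+TLS, OpenConnect, REALITY) opens with a TLS record header. The following is an added example, not code from the original post: a simplified re-implementation of the "fully encrypted traffic" heuristic that published analysis (Wu et al., USENIX Security 2023) attributes to the GFW. The thresholds and exemption rules are taken from that analysis and are assumptions here; the sample payloads are constructed, not captured.

```python
"""
Added example (not from the original post): a simplified version of the
"fully encrypted traffic" heuristic described by Wu et al. (USENIX Security
2023). It inspects only the first TCP payload of a connection. Thresholds
(3.4-4.6 set bits per byte, 50% printable, 20-byte printable run) are taken
from that analysis and are assumptions here, not from the post.
"""
from dataclasses import dataclass

# Bytes 0x20..0x7E are printable ASCII.
PRINTABLE = frozenset(range(0x20, 0x7F))

# Protocol prefixes the heuristic exempts: a TLS record header (content type
# 0x16 = handshake, version 3.0-3.3) and an HTTP request method.
TLS_PREFIXES = tuple(bytes([0x16, 0x03, minor]) for minor in range(0, 4))
HTTP_PREFIXES = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ",
                 b"CONNECT ", b"OPTIONS ", b"TRACE ", b"PATCH ")


@dataclass(frozen=True)
class Verdict:
    action: str   # "allow" or "block"
    reason: str


def popcount_per_byte(payload: bytes) -> float:
    """Average number of set bits per byte; about 4.0 for uniformly random data."""
    return sum(bin(b).count("1") for b in payload) / len(payload)


def printable_fraction(payload: bytes) -> float:
    return sum(b in PRINTABLE for b in payload) / len(payload)


def longest_printable_run(payload: bytes) -> int:
    best = run = 0
    for b in payload:
        run = run + 1 if b in PRINTABLE else 0
        best = max(best, run)
    return best


def classify_first_packet(payload: bytes) -> Verdict:
    """
    Apply the exemptions in turn; a payload matching none of them looks random
    from the first byte and is blocked. Check order only changes the reported
    reason, never the verdict, because every check is an exemption.
    """
    if not payload:
        return Verdict("allow", "empty payload")
    if payload.startswith(TLS_PREFIXES):
        return Verdict("allow", "TLS record header")
    if payload.startswith(HTTP_PREFIXES):
        return Verdict("allow", "HTTP request line")
    if len(payload) >= 6 and all(b in PRINTABLE for b in payload[:6]):
        return Verdict("allow", "first six bytes printable")
    if printable_fraction(payload) > 0.5:
        return Verdict("allow", "more than half printable")
    if longest_printable_run(payload) > 20:
        return Verdict("allow", "printable run longer than 20 bytes")
    ratio = popcount_per_byte(payload)
    if ratio <= 3.4 or ratio >= 4.6:
        return Verdict("allow", f"popcount {ratio:.2f} bits/byte outside 3.4-4.6")
    return Verdict("block", f"popcount {ratio:.2f} bits/byte, no protocol structure")


# Constructed samples (not captures) of what each kind of first packet looks like.
SAMPLES = {
    # Plain HTTP: readable from byte one.
    "http": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    # TLS ClientHello truncated to record header, handshake header, version and
    # the 32-byte random (fixed filler here). This is the opening packet of
    # V2Ray over WebSocket+TLS, OpenConnect, and REALITY alike.
    "tls_client_hello": (b"\x16\x03\x01\x00\x26\x01\x00\x00\x22\x03\x03"
                         + bytes(range(0xA0, 0xC0))),
    # Binary protocol with length fields: mostly zero bits, so popcount is low.
    "sparse_binary": bytes([0x00, 0x00, 0x00, 0x2A, 0x01, 0x02, 0x00, 0x00]) * 4,
    # Shadowsocks AEAD opening (salt + encrypted length + tag) is
    # indistinguishable from random; these 32 bytes were hand-picked so the
    # sample is deterministic (129 set bits in total, 7 printable bytes).
    "shadowsocks_like": bytes.fromhex(
        "9e3ac711f26885d90bae4c93e127b806fa718dc21fd459a7e914bc832ef598cb"),
}


def classify_samples() -> dict:
    """Verdict action for every constructed sample, keyed by sample name."""
    return {name: classify_first_packet(p).action for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        v = classify_first_packet(payload)
        print(f"{name:18s} {v.action:5s} {v.reason}")
```

Running it shows the page's ratings in miniature: the HTTP and TLS samples pass on the protocol-prefix rule, the sparse binary sample passes on popcount, and the Shadowsocks-like sample is the only one blocked. This heuristic is cheap enough to apply to every new connection, which is why a protocol with no plaintext structure at all cannot hide in the crowd the way TLS-shaped traffic can.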

V2Ray (WebSocket + TLS)

Status: A Cloudflare CDN + WebSocket + TLS configuration may still work in some cases.

  • Can disguise traffic as HTTPS
  • Routing through a CDN hides the server IP
  • However, reports of unstable connections have increased since 2024

Rating: △ (Conditionally viable with CDN + TLS)

SoftEther VPN

Status: L2TP/IPsec is detected; whether SSL-VPN mode works depends on conditions.

  • Offers flexibility through multi-protocol support
  • However, Microsoft deprecated L2TP/IPsec in 2024
  • The GFW can easily detect and block IPsec traffic

Rating: × (Not suitable for connections from China)

WireGuard

Status: Detected on its own, but effective when combined with obfuscation.

  • Extremely fast (roughly 3× OpenVPN)
  • Small codebase makes security auditing straightforward
  • However, its UDP-based traffic pattern is distinctive
  • May work for short, low-traffic sessions

Rating: △ (Unstable standalone; effective with obfuscation)

OpenConnect

Status: SSL/TLS-based, disguises traffic as HTTPS, and still has a chance of working in China.

  • Open-source VPN compatible with Cisco AnyConnect
  • Looks like HTTPS traffic, making it strong against censorship
  • Works with the widely used AnyConnect client out of the box
  • Using a legitimate Let’s Encrypt certificate makes detection even harder

Rating: ○ (Effective via SSL/TLS disguise)

IKEv2

Status: IPsec-based and easily detected by the GFW. Not recommended for China.

  • Native support on iOS / macOS / Windows
  • Excels at reconnecting on mobile devices
  • However, the IPsec protocol is easily detected by the GFW
  • Uses the distinctive UDP ports 500/4500

Rating: × (IPsec is detected; fine for domestic use)

Recommendations as of 2025

Most Effective Protocols

The protocols currently considered hardest for the GFW to detect:

  1. VLESS + REALITY (Xray) — top contender
  2. Hysteria2 — UDP-based, fast, QUIC disguise
  3. Trojan-Go — full HTTPS disguise

These belong to the V2Ray / Xray family of projects. Configuration is complex, but detection is difficult.

What is VLESS + REALITY?

A protocol developed by the Xray project, a fork of V2Ray. It “borrows” the TLS certificate of a real HTTPS site (e.g., microsoft.com), so to the GFW the connection looks like an ordinary visit to microsoft.com.

Traditional TLS disguises were prone to exposure through suspicious self-signed certificates, but REALITY uses a genuine certificate, making it indistinguishable. You do not even need to prepare your own domain or certificate.

What is Hysteria2?

A QUIC (HTTP/3)-based protocol. Although UDP-based, it disguises itself as Google’s QUIC protocol.

“If Google is blocked from China, how can QUIC disguise be effective?” — a fair question. QUIC itself is widely used by services beyond Google (Cloudflare, Facebook, various CDNs). Completely blocking QUIC would break all HTTP/3-capable services, making protocol-level blocking impractical.

It is also very fast (UDP + custom congestion control).

If You Want to Use WireGuard

To leverage WireGuard’s simplicity and speed while evading the GFW:

  1. udp2raw to disguise traffic as TCP
  2. wstunnel to tunnel over WebSocket
  3. Place Shadowsocks or V2Ray in front for a dual-layer setup

Choosing a VPS

Regardless of protocol, the VPS IP address matters.

VPS providers with poor connectivity:

  • Sakura Internet (Japan) — blocked at the IP range level
  • Some budget domestic (Japanese) VPS providers

VPS providers with better connectivity:

  • Vultr (Singapore, Hong Kong)
  • DigitalOcean (Singapore)
  • Linode (Singapore)
  • BandwagonHost (Hong Kong)

Key point: Avoid the Tokyo region. Japanese IP ranges tend to be more heavily monitored and restricted from China. Choose a region close to China but outside Japan, such as Singapore or Hong Kong.

Note: This is based on experience, and conditions change constantly.

Conclusion

No protocol guarantees a connection every time.

The GFW is constantly evolving, and AI-powered machine-learning detection was introduced in the second half of 2024. ShadowSocks, once highly effective, is now detected, and V2Ray has become conditional.

Current recommendations:

  1. Ease of setup: WireGuard + udp2raw (TCP disguise)
  2. Stability: VLESS + REALITY (Xray)
  3. Speed: Hysteria2

WireGuard is unstable on its own, but becomes a strong option when combined with obfuscation. Above all, its configuration is simple, making troubleshooting easier.


Back when I was running that service, ShadowSocks just worked… times have changed.
