VLESS + REALITY without a domain: working Xray + 3X-UI setup for China-facing VPS
Contents
Notes on getting VLESS + REALITY actually running between a VPS and a client, written as a follow-up to the VPN comparison article where I picked it as the strongest candidate for China-facing connections. This covers the Xray side: server setup directions, client app choices, how the TLS camouflage works in practice, fallback handling, and the gotchas to know before relying on it. For an alternative, see the Hysteria2 setup notes.
What VLESS + REALITY is
This is a protocol developed by Xray, a fork of V2Ray. It communicates by “borrowing” TLS certificates from real HTTPS sites.
Problems with conventional TLS spoofing:
- Self-signed certificates or Let’s Encrypt certificates are easy to flag as “looks real, but suspicious”
- You need to obtain and manage your own domain and certificate
What REALITY solves:
- It uses the TLS certificate of a real site such as
microsoft.comorcloudflare.com - From the GFW’s point of view, it looks like normal access to
microsoft.com - You do not need to prepare your own domain or certificate
Note: REALITY and Hysteria2 are not compatible. They cannot be combined.
Server setup overview
What you need
- A Linux VPS
- Open ports: TCP/443 (other ports are also possible)
- No domain required - that is one of REALITY’s big advantages
Installation methods
3X-UI (recommended):
A web UI panel that makes user management and traffic monitoring easy.
bash <(curl -Ls https://raw.githubusercontent.com/mhsanaei/3x-ui/master/install.sh)After installation, open the web UI and add a VLESS + REALITY inbound.
Direct Xray-core install:
bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ installYou will need to create the config file manually.
Key settings
Parameters you need when configuring REALITY:
| Parameter | Description |
|---|---|
dest | The spoofed destination site, such as www.microsoft.com:443 |
serverNames | The domain used for SNI |
privateKey / publicKey | REALITY key pair, generated with xray x25519 |
shortIds | Client authentication ID |
How to choose the spoofed site:
- It must support TLS 1.3 and HTTP/2
- It must not be blocked from China
- Examples:
microsoft.com,cloudflare.com,www.lovelive-anime.jp
Management panels
| Panel | Notes |
|---|---|
| 3X-UI | Recommended. Feature-rich, Japanese supported |
| X-UI | Simpler, but development has slowed |
| Marzban | Multi-node support |
Client apps
The easiest option is to use an existing client app.
Windows / macOS / Linux
| App | Notes |
|---|---|
| v2rayN | Windows/macOS/Linux, Xray core recommended |
| Hiddify | Cross-platform, free, open source |
| NekoRay | Qt-based GUI client |
| ClashX Meta | macOS client with Clash Meta core |
If you choose the Xray core in v2rayN, it supports VLESS + REALITY.
Android
| App | Notes |
|---|---|
| v2rayNG | Android version of v2rayN |
| Hiddify | Recommended. Free and ad-free |
| NekoBox | Download the APK from GitHub |
iOS
| App | Notes |
|---|---|
| Shadowrocket | Paid (about $3), most feature-rich |
| FoXray | Free, based on Xray |
| Stash | Paid, Clash-compatible |
Connection methods
Add the config to the client app in any of these ways:
- URI scheme: paste a
vless://uuid@server:443?...URL - Subscription: generate a subscription URL in 3X-UI or another panel and import it
- QR code: scan a QR code generated by the panel
- Manual setup: enter the server address, port, UUID, public key, and so on
Custom app development
Libraries and SDKs if you want to build your own app.
Go
XTLS/Xray-core - the official implementation and the reference for VLESS + REALITY.
go get github.com/xtls/xray-coresing-box, for multiple protocols
sing-box - a Go library that supports many protocols, including REALITY.
- Supports Hysteria2, Trojan, Shadowsocks, and more at the same time
- Requires Go 1.21 or later
- Used internally by Hiddify and NekoBox
This is the better choice if you are building an app that handles multiple protocols.
Mobile app development
If you are building a VPN app for iOS or Android:
- Call Xray-core or sing-box through FFI
- Use a VPNclient Engine - Swift for iOS, Kotlin for Android, with a Go/C++ engine
- Use LibXray - a C binding for Xray-core
In practice, forking and modifying an existing open-source client such as v2rayNG or Hiddify is the more realistic path.
Comparison with Hysteria2
| Item | VLESS + REALITY | Hysteria2 |
|---|---|---|
| Base protocol | TCP (TLS 1.3) | UDP (QUIC) |
| Spoofing method | Borrow real-site certificates | QUIC spoofing |
| Speed | Fast | Very fast |
| Domain | Not required | Not required |
| Setup difficulty | Slightly higher | Medium |
| Compatibility | Cannot be combined | Cannot be combined |
Which one you choose depends on the environment. Use REALITY if UDP is blocked; choose Hysteria2 if speed matters more.
Related articles
- Comparison of VPN protocols for China-facing connectivity
- Hysteria2 server setup and client connection overview