VLESS + REALITY from just the Xray-core binary and two config files — no panel, no root — then an openssl s_client probe confirms the real Cloudflare cert comes back, proof the disguise holds.
Looked at what actually replaces Tailscale on Linux when the issue is DNS/netfilter/CGNAT invasiveness, not WireGuard itself. Headscale, NetBird, Netmaker, Nebula, and Cloudflare Tunnel each solve a different slice. The real fix is separating private management access from public-facing APIs.
Using Veilora's VeilShift™ as a lens, this piece breaks down what DPI looks at, and what VLESS + XHTTP + REALITY, uTLS, and xPaddingBytes can and cannot hide.
Set up VLESS + REALITY on a Linux VPS using Xray and 3X-UI without owning a domain. Working server config, client app picks, how TLS camouflage borrows microsoft.com/cloudflare.com certs against GFW DPI, and the pitfalls before relying on it.
Hysteria2 setup notes from a China-facing VPS — the actually-working YAML config, what to do when UDP/443 is blocked, Brutal congestion control pitfalls, and client apps per platform. Overview-level, not a full step-by-step.
Step-by-step guide to building an IKEv2 VPN server with strongSwan on CentOS 7, including certificate setup, firewall rules, and client configuration for iOS, macOS, Windows, and Android.
Six VPN protocols (ShadowSocks, V2Ray, SoftEther, WireGuard, OpenConnect, IKEv2) compared from someone who actually ran them inside China. As of 2026, most are detected by GFW machine-learning, including ShadowSocks and IPSec-based protocols. What still connects: VLESS+REALITY, Hysteria2, and WireGuard with obfuscation (udp2raw or wstunnel). Includes VPS region notes (avoid Tokyo, pick Singapore/Hong Kong).