News
14 min read

Xray (VLESS): setup and connection in 2026

Xray (VLESS): setup and connection in 2026 Xray: setup and connection is what most people have questions about at the practical stage. They have heard about the protocol itself, obtained the config somewhere, but what to do with it next is unclear. This article addresses this gap: from importing the

Xray (VLESS): setup and connection in 2026

Xray: setup and connection is what most people have questions about at the practical stage. They have heard about the protocol itself, obtained the config somewhere, but what to do with it next is unclear. This article addresses this gap: from importing the key to a working connection on Android, iPhone, Windows, and Mac.

What is Xray and why does it bypass DPI better than classic VPNs

Xray, VLESS, and Reality in simple terms

Xray is the core, a fork of the V2Ray project, written in Go. It is not a VPN in the traditional sense — it is more of a transport engine that can wrap traffic in different protocols. VLESS is one of those protocols, lightweight and without unnecessary cryptography inside (encryption is handled by the TLS layer outside).

Reality is an extension on top of VLESS. The essence is that your traffic is disguised as a regular TLS connection to a real website — for example, to amazon.com or microsoft.com. The provider's DPI system sees a correct TLS handshake with a known domain and cannot distinguish it from actual site visits. This is why Reality is harder to block than a classic VPN.

How Xray differs from WireGuard, OpenVPN, and Shadowsocks

WireGuard is an excellent protocol, fast and battery-efficient. But its signature is recognizable on the network: a specific pattern of UDP traffic is easily detected by DPI. Roskomnadzor and major operators already know how to slow it down or block it on specific ports.

IKEv2 is the same story. Fast, convenient, built into iOS and Windows — but the signature is standard, with no obfuscation. OpenVPN, although it can work over TCP/443 and pretend to be HTTPS, has its handshake long since added to DPI filter databases. Shadowsocks is easier to deploy and worked well until 2022, but modern DPI from SORM handles it significantly better than before.

AmneziaWG is an interesting alternative: it is WireGuard with header obfuscation. It works better than plain WireGuard, but Reality is still a step ahead in masking. An honest downside of Xray is the complexity of setup and a slightly higher CPU load compared to WireGuard.

When Xray is really needed, and when a regular VPN is enough

If you just need to encrypt traffic in a café or access a corporate network — WireGuard or IKEv2 will suffice and won't require any hassle with configs. But if the provider has already started throttling YouTube to 144p, and Instagram, Facebook, Twitter/X, and Telegram occasionally do not open or load with delays — traffic masking is needed.

In this case, VLESS with Reality is what currently works. It’s not a panacea forever, but for 2026, it’s the best available option against deep packet inspection.

What you need before setup: config, subscription, and client choice

Where the VLESS config comes from (link vless://, QR code, subscription)

The config comes in one of three formats. The first is a string of the formvless://UUID@host:port?.... The second is a QR code that contains the same string, just in a convenient scanning format. The third is a subscription link (subscription URL), usually starting withhttps:// and returns a list of configs in base64 — convenient when there are multiple servers and they are updated.

You can set up the config yourself on a VPS (Hetzner, Vultr, DigitalOcean — any outside of the Russian Federation will do), take it from a closed Telegram channel, or get it through a VPN service that provides a ready-made VLESS subscription. NvoVPN, for example, provides a subscription link — just paste it into the client, and the servers are pulled automatically without manual copying of UUIDs and keys.

But here’s what’s important: do not import configs from random public Telegram channels with hundreds of thousands of subscribers. Some of them are traps for traffic collection. Free cheese is only found in a mousetrap.

Xray clients for each platform

Platform Client Features
Android v2rayNG, NekoBox Free, Google Play and F-Droid, subscription support
iPhone / iPad Streisand, V2Box Free, App Store; Shadowrocket is more powerful, but $2.99
Windows Nekoray, v2rayN, Hiddify Nekoray and Hiddify are the most convenient in 2026
macOS V2Box, Hiddify, Nekoray V2Box is available in the App Store, the others are on GitHub
Router OpenWrt + xray plugin For the whole house, but requires technical knowledge

How to check if the config is working before import

Look at the parameters in the line: they should betype=tcp ortype=grpc,security=reality, filled withpbk (public key Reality) andsni — masking domain. If any of these parameters are missing, the config is likely outdated or incomplete.

The relevance date can be indirectly checked like this: if the config was obtained more than a month ago from a public source, the keys have likely already changed or the server is down. A fresh config from a subscription updates automatically during synchronization.

Setting up and connecting Xray step by step

For those looking for specifics on Xray: the setup and connection on each platform differs slightly, but the logic is the same — import, select profile, enable, check.

Android: setup in v2rayNG

Install v2rayNG from Google Play or F-Droid (version 1.8.x and above). Open the app. If you have the linevless:// — tap “+” in the top right corner → “Import from clipboard” (first copy the line). If there is a QR code — “+” → “Scan QR”. If it’s a subscription link — “Subscription” → “Add” → paste the URL → “Update”.

After importing, select the desired profile from the list (tap on it, it will be highlighted). Tap the triangle play button at the bottom of the screen. Android will request permission to create a VPN profile — allow it. After connecting, a key icon will appear in the status bar.

The default routing mode in v2rayNG is “By rules”. If some sites do not open — switch to “Global” in settings → “Routing”. Check the result on 2ip.ru: it should show your server's IP, not your home IP.

iPhone and iPad: setup in Streisand or V2Box

Streisand and V2Box — both are free and available in the App Store. Download one of them. In Streisand: tap “+” → “Import from clipboard” or “Scan QR”. For a subscription link: “+” → “Subscribe” → paste the URL. Select a profile from the list, tap “Connect”.

iOS will show a system prompt “The app wants to add a VPN configuration” on the first connection — this is normal, tap “Allow” and enter Face ID or passcode. Without this step, the connection will not start. The VPN icon will appear in the status bar next to the Wi-Fi signal.

Shadowrocket ($2.99) — if the budget allows, it’s worth getting: it has flexible routing and supports dozens of protocols. But for basic tasks, Streisand is quite sufficient.

Windows: setup in Nekoray or Hiddify

Nekoray is downloaded from GitHub (repository MatsuriDayo/nekoray), the current version as of July 2026 is 3.x. After installation, launch it, in the menu select “Add profile from clipboard” or “Add profile from subscription URL”. Right-click on the profile → “Start”. An icon will appear in the system tray — status “Connected”.

Hiddify is easier for beginners: the interface is in Russian, there is a built-in latency test. Download the installer from GitHub (hiddify/hiddify-next), install it, add a subscription through “Add config” → paste the URL. Hiddify will automatically determine the best server by ping.

An important point for Windows: make sure the proxy mode is set to “System Proxy” or “TUN Mode” — otherwise, the browser will route traffic through the proxy, but other applications will not. TUN Mode requires administrator rights.

macOS: connection through V2Box

V2Box is available in the Mac App Store — this is the easiest way. After installation: tap “+” → “Import from clipboard” or “Add subscription”. Select a profile, tap “Connect”. macOS will request permission to add a VPN configuration in system settings — a window “System Settings → VPN” will open, tap “Allow”.

If you want more flexible routing — Hiddify for macOS (GitHub, hiddify/hiddify-next) supports rules by domains and IP. Nekoray also works, but builds for macOS are updated a bit less frequently.

Router on OpenWrt: basic setup

This is an option for those who want to route all home traffic through Xray without setting up each device. A router with OpenWrt is needed (for example, GL.iNet or TP-Link with compatible firmware) and the packagexray-core from the opkg repository.

After installing xray-core, configure the config in/etc/xray/config.json — there you manually enter the parameters from your vless string: UUID, address, port, Reality public key, SNI. Routing is configured through ip-rule and nftables. This is not for beginners — if you have no experience with OpenWrt, it's better to start with a client on a separate device.

Speed test and checking bypassing blocks

How to honestly measure speed before and after

First, measure without VPN: open speedtest.net or fast.com, record download, upload, and ping. Then connect through Xray and repeat the test on the same Speedtest server. Look at three indicators: download speed, upload speed, and latency.

A speed drop of 20-40% when obfuscating is normal. Reality adds overhead for the TLS handshake and packet processing. For comparison: on WireGuard, the drop is usually 5-15%. This is a fair price for bypassing DPI — if your provider is not throttling speed, WireGuard is objectively faster. But if YouTube is already lagging without VPN — a 20% overhead difference doesn't concern you much.

Checking bypassing YouTube throttling

Go to YouTube and open a video in 4K (2160p) or at least 1080p. Without VPN, when throttled by the provider — the video either hangs on buffering or automatically switches to 144-360p. After connecting through Xray: manually select the quality 1080p or 4K and time how long it takes for the video to start loading without interruptions.

Additionally, open stats for nerds (right-click on the video → "Statistics for nerds"): there you can see the current buffering speed. If it is consistently above 3-4 Mbps at 1080p — throttling is removed.

Checking access to Instagram, Facebook, Twitter/X

After connecting, go to the browser (not the app — apps sometimes cache DNS) at instagram.com, facebook.com, twitter.com. If they open — routing is working. Also check Telegram Web at web.telegram.org.

If social media apps do not open even after connecting — they may be using their own DNS over HTTPS (DoH) bypassing the system one, and your proxy is not intercepting it. In this case, TUN mode or fake-dns configuration in the client is needed.

Not connecting or sites not opening: troubleshooting errors

Handshake failed / TLS errors Reality

This is the most common problem when setting up Xray with Reality. The number one reason is time desynchronization on the device. TLS requires that the client and server time differ by no more than a few minutes. Check the system time: on Android — "Settings → General → Date and time → Automatically"; on Windows — "Settings → Time & Language → Sync now".

The second reason is an incorrect Reality public key (pbk) or incorrect SNI in the config. If you entered the parameters manually, double-check each character. UUID, pbk, and short-id must match what is configured on the server. An error in one character — and the handshake will not pass.

The third, specific reason: the SNI domain for obfuscation (for example,www.microsoft.com) itself turned out to be blocked in the Russian Federation or unavailable from your network. Reality simulates visiting this site — if it is unreachable, the handshake fails. Solution: change the SNI to another unblocked domain in the config.

Connection exists, but there is no internet

The client shows "Connected", the IP status has changed, but the browser says "No connection". The first thing to check is the routing mode. In v2rayNG, Nekoray, and Hiddify, the "By rules" mode may be enabled by default, which allows only blocked sites through the proxy, while others go directly. If the rules are set incorrectly — nothing opens. Switch to "Global" and check again.

The second reason is DNS leakage or DNS blocking. If the client sends DNS requests outside the tunnel, the provider responds with blocked IPs or does not respond at all. In the client settings, check that the DNS server (usually 8.8.8.8 or 1.1.1.1) goes through the tunnel, not directly. On 2ip.ru in the "DNS leak" section, you can check whose DNS servers are visible from the outside.

Another scenario — two VPN profiles are active simultaneously. On Android and iOS, the system allows only one active VPN connection, but sometimes an old profile does not deactivate correctly. Go to the system network settings and make sure that only one VPN is active.

Works on Wi-Fi, but not on mobile internet (and vice versa)

This is one of the most non-obvious cases. Mobile operators (MTS, Beeline, MegaFon, Tele2) have their own DPI systems, independent of the home provider. A config that works perfectly through Rostelecom at home may be throttled differently by the mobile operator.

Try changing the port: if a non-standard port like 8443 or 2053 is currently used, try 443 (standard HTTPS). Many operators block non-standard ports at the mobile network level but do not touch 443. Also, check if IPv6 is enabled on mobile internet — it may bypass the tunnel and reveal the real address. Temporarily disable IPv6 on the device for testing.

Corporate and school networks are a separate story. There, DPI cuts traffic by ports and sometimes inspects even TLS by client fingerprint (JA3/JA4). In such cases, changing the client or switching to port 80 with WebSocket transport helps — but that's already a different server configuration.

The provider started blocking the config

This happens. DPI updates, and a specific combination of host, port, SNI, and fingerprint gets blocked. It's not scary — the algorithm of actions is as follows:

  1. Update the subscription: in the client, click "Update subscription" — the service may already provide new configs.
  2. Try another server from the list (if there are several in the subscription).
  3. Change the port: 443 → 2053 or vice versa.
  4. If you set up the server yourself — generate a new Reality config with a different SNI and a new pair of keys using the commandxray x25519 on the server.
  5. As a temporary measure — try another transport: grpc instead of tcp or WebSocket.

The same protocol, but with different parameters, behaves differently under DPI. Usually, rotating parameters restores access without changing the entire infrastructure.

How is VLESS-Reality better than WireGuard for bypassing blocks?

Reality masks your traffic as a real TLS connection to a legitimate site. DPI sees something indistinguishable from visiting, say, microsoft.com — and does not block it. WireGuard is faster and simpler, but its UDP signature is well-known to DPI systems, and operators can slow it down and block it. For the task of bypassing YouTube throttling or accessing Instagram — masking is more important than speed.

Is Xray legal?

Xray is a traffic encryption tool, just like TLS or SSH. It is legal in itself. You, as the user, are responsible for which resources you connect to. This article is a technical guide; it does not encourage breaking any laws.

Why did the connection establish, but the sites do not load?

Most often — incorrect routing mode: traffic is bypassing the proxy due to incorrect rules. Switch to "Global." The second option is a DNS leak: requests go directly to the provider, which returns blocked addresses. The third is a desynchronization of system time, which breaks TLS. Check these three points in order.

Do I need to set up my own server for Xray?

No. You can rent a VPS and set everything up yourself — then you have full control over the keys and config. An alternative is to use a ready-made VLESS subscription from a VPN service, such as NvoVPN: just paste the link into the client, and the servers will be added automatically. The second option is simpler, the first is more flexible.

Which Xray client should I choose for iPhone?

Streisand and V2Box — both are free and available in the App Store. They support importing vless:// strings and subscription links. After importing, you need to allow the installation of the VPN profile in the iOS system settings once — without this step, the connection will not start. Shadowrocket is more powerful in routing but costs $2.99.

The provider blocked my config — what should I do?

First, update the subscription in the client — fresh configs may already be available. Try another server or port (443 almost always works). If the server is your own — generate a new Reality config with a different SNI and a new pair of keys. DPI cuts a specific combination of parameters, not the protocol itself, so rotation usually helps.

Related articles

You might also like