# DPI Bypass User Guide

Xray-core includes advanced DPI (Deep Packet Inspection) bypass capabilities that are effective against modern censorship systems, including ТСПУ (Russia), GFW (China), and similar infrastructure.

## Quick Start: Maximum DPI Bypass Configuration
```json
{
  "outbounds": [{
    "protocol": "vless",
    "tag": "proxy",
    "settings": {
      "vnext": [{
        "address": "your-server.com",
        "port": 443,
        "users": [{
          "id": "uuid-here",
          "encryption": "none"
        }]
      }]
    },
    "streamSettings": {
      "network": "tcp",
      "security": "reality",
      "realitySettings": {
        "dest": "www.microsoft.com:443",
        "serverNames": ["www.microsoft.com"],
        "publicKey": "public-key-here",
        "shortId": "short-id-here",
        "fingerprint": "chrome"
      }
    }
  }]
}
```

This configuration provides maximum DPI bypass using:

- REALITY protocol - Mimics a real website's TLS fingerprint
- VLESS - Lightweight protocol with no recognizable headers
- Chrome fingerprint - Matches the most common browser
## DPI Bypass Techniques Explained

### 1. REALITY Protocol

What it does: Makes your TLS connection indistinguishable from a legitimate connection to a real website (such as microsoft.com or apple.com).

How it works:

- Copies the TLS fingerprint of the target website
- Uses the target website's certificate chain
- Establishes a connection that looks identical to real traffic

Why it's effective:

```text
DPI sees:    Client Hello → exactly matches Chrome → www.microsoft.com
DPI thinks:  Legitimate connection to Microsoft
Reality:     Encrypted proxy traffic underneath
```

Configuration:
```jsonc
"streamSettings": {
  "security": "reality",
  "realitySettings": {
    "dest": "www.microsoft.com:443",        // Target to mimic
    "serverNames": ["www.microsoft.com"],   // SNI to send
    "publicKey": "your-server-pubkey",      // From server config
    "shortId": "your-short-id",             // From server config
    "fingerprint": "chrome"                 // Browser to mimic
  }
}
```

Available Fingerprints:

- `chrome` - Chrome browser (recommended, most common)
- `firefox` - Firefox browser
- `chrome_120`, `chrome_131` - Specific Chrome versions
- `firefox_105`, `firefox_120` - Specific Firefox versions
- `chrome_115_pq` - Post-quantum variant (experimental)
Server Selection Tips:

| Target | Pros | Cons |
|---|---|---|
| www.microsoft.com | Very common, high traffic | Microsoft may block abuse |
| www.apple.com | Common, stable | Apple IP ranges may be filtered |
| www.cloudflare.com | CDN, many IPs | Cloudflare-aware DPI may exist |
| www.google.com | Most common | Google services often targeted |

⚠️ Important: The target server must:
- Support TLS 1.3
- Have a valid certificate
- Be accessible from your location
- Support the chosen fingerprint's cipher suites
### 2. ECH (Encrypted Client Hello)

What it does: Encrypts the SNI (Server Name Indication) field, making it impossible for DPI to see which domain you're connecting to.

How it works:

```text
Normal TLS: Client Hello (SNI: proxy.com visible to DPI)
ECH:        Client Hello (SNI: encrypted, DPI cannot read)
```

Why it's effective:

- TSPU and similar systems rely on SNI for HTTPS blocking
- ECH completely hides the domain name
- Compatible with REALITY for layered protection

Configuration:
```jsonc
"streamSettings": {
  "security": "tls",
  "tlsSettings": {
    "serverName": "your-server.com",
    "ech": {
      // Either a base64-encoded ECH config from your server provider...
      "config": "base64-encoded-ech-config"
      // ...or a DoH server URL for automatic lookup (one or the other, never both keys at once):
      // "config": "https://1.1.1.1/dns-query"
    }
  }
}
```

ECH Config Sources:

- Direct base64 (from server provider)
- DNS query - Automatic via DoH server

  Format: `"domain+https://dns-server/dns-query"`
  Example: `"cloudflare.com+https://1.1.1.1/dns-query"`

Force Query Modes:

- `full` (default) - Fail if ECH config not found
- `half` - Continue without ECH if query fails
- `none` - Don't query, use cached only
ECH + REALITY Combination:

```json
"streamSettings": {
  "security": "reality",
  "realitySettings": {
    "dest": "www.microsoft.com:443",
    "serverNames": ["www.microsoft.com"],
    "publicKey": "...",
    "shortId": "...",
    "fingerprint": "chrome"
  },
  "ech": {
    "config": "https://1.1.1.1/dns-query",
    "forceQuery": "full"
  }
}
```

### 3. TLS Fingerprints
What it does: Makes your TLS handshake match a specific browser, preventing fingerprint-based detection.

Available Fingerprints:

Chrome (recommended for most users):

- `chrome`, `chrome_120`, `chrome_131` (latest)
- `chrome_100`, `chrome_102`, `chrome_106`
- `chrome_106_shuffle`, `chrome_115_pq`

Firefox:

- `firefox`, `firefox_120`
- `firefox_105`, `firefox_102`

When to use each:
| Fingerprint | Best For | Notes |
|---|---|---|
| chrome | General use | Most common, blends in |
| firefox | Alternative | Good backup |
| chrome_131 | Latest browser | May be less tested |
| chrome_115_pq | Post-quantum | Experimental |

### 4. Transport Protocols

VLESS (recommended):

- Lightweight, minimal headers
- No recognizable protocol signature
- Best for new deployments

VMess (legacy):

- More traffic overhead
- Older protocol, may be fingerprinted
- Use only if required for compatibility

Trojan:

- Mimics real HTTPS traffic
- Good for environments with protocol whitelisting

## Configuration Templates

### Template 1: Maximum DPI Bypass (REALITY)

Best for: Russia (ТСПУ), China (GFW), Iran
```json
{
  "outbounds": [{
    "protocol": "vless",
    "tag": "reality-proxy",
    "settings": {
      "vnext": [{
        "address": "your-server-ip",
        "port": 443,
        "users": [{
          "id": "your-uuid",
          "flow": "xtls-rprx-vision",
          "encryption": "none"
        }]
      }]
    },
    "streamSettings": {
      "network": "tcp",
      "security": "reality",
      "realitySettings": {
        "dest": "www.microsoft.com:443",
        "serverNames": ["www.microsoft.com"],
        "publicKey": "your-public-key",
        "shortId": "0",
        "fingerprint": "chrome",
        "spiderX": "/"
      }
    }
  }]
}
```

### Template 2: ECH-Only Configuration

Best for: When a REALITY server is not available
```json
{
  "outbounds": [{
    "protocol": "vless",
    "tag": "ech-proxy",
    "settings": {
      "vnext": [{
        "address": "your-server.com",
        "port": 443,
        "users": [{
          "id": "your-uuid",
          "encryption": "none"
        }]
      }]
    },
    "streamSettings": {
      "network": "tcp",
      "security": "tls",
      "tlsSettings": {
        "serverName": "your-server.com",
        "fingerprint": "chrome",
        "ech": {
          "config": "https://1.1.1.1/dns-query",
          "forceQuery": "full"
        }
      }
    }
  }]
}
```

### Template 3: Trojan with ECH

Best for: Protocol whitelist environments
```json
{
  "outbounds": [{
    "protocol": "trojan",
    "tag": "trojan-proxy",
    "settings": {
      "servers": [{
        "address": "your-server.com",
        "port": 443,
        "password": "your-password"
      }]
    },
    "streamSettings": {
      "network": "tcp",
      "security": "tls",
      "tlsSettings": {
        "serverName": "your-server.com",
        "fingerprint": "chrome",
        "ech": {
          "config": "base64-ech-config-or-dns-url",
          "forceQuery": "half"
        }
      }
    }
  }]
}
```

## Advanced Configuration

### Multi-Server Failover
```jsonc
{
  "outbounds": [
    {
      "tag": "reality-primary",
      "protocol": "vless",
      // "settings" (vnext, users) omitted here for brevity
      "streamSettings": {
        "security": "reality",
        "realitySettings": {
          "dest": "www.microsoft.com:443",
          "serverNames": ["www.microsoft.com"],
          "fingerprint": "chrome"
        }
      }
    },
    {
      "tag": "reality-backup",
      "protocol": "vless",
      "streamSettings": {
        "security": "reality",
        "realitySettings": {
          "dest": "www.apple.com:443",
          "serverNames": ["www.apple.com"],
          "fingerprint": "firefox"
        }
      }
    }
  ],
  "routing": {
    "domainStrategy": "AsIs",
    "rules": [{
      "type": "field",
      "outboundTag": "reality-backup",
      "domain": ["geosite:category-ads-all"]
    }]
  }
}
```

### Fingerprint Rotation

Some advanced setups rotate fingerprints periodically. This can be achieved with external scripting or by maintaining multiple server configurations.
## Troubleshooting

### Issue: "REALITY: processed invalid connection"

Cause: Server returned its real certificate (not expected)

Solutions:

- Check that the target server is accessible
- Verify that `serverNames` matches the target domain
- Try a different target server
- Check that `publicKey` is correct

### Issue: ECH connection failures

Cause: ECH config not available or incompatible

Solutions:

- Change `forceQuery` to `"half"` or `"none"`
- Try a different DNS server (Cloudflare, Google, Quad9)
- Verify that the server supports ECH
- Check for DNS interference

### Issue: Connection drops after a few minutes

Cause: Session timeout or DPI learning

Solutions:

- Enable multiplexing (`muxSettings`)
- Change fingerprint
- Switch to a different target server
- Check server logs for errors

### Issue: Slow connection speeds

Cause: Suboptimal transport settings

Solutions:

- Enable XTLS-Vision (`flow: "xtls-rprx-vision"`)
- Use TCP instead of WebSocket if WebSocket is not required
- Check whether QUIC is available in your region
- Verify server bandwidth
## System-Specific Guidance

### Russia (ТСПУ)

Recommended Configuration: REALITY + Chrome fingerprint

Targets to Avoid:

- telegram.org - Actively blocked
- .ru domains - May be inspected more closely
- Known proxy providers

Recommended Targets:

- www.microsoft.com
- www.apple.com
- www.cloudflare.com

### China (GFW)

Recommended Configuration: REALITY + VLESS

Additional Measures:

- Use CDN-fronted servers if possible
- Enable the `xtls-rprx-vision` flow
- Consider a Shadowsocks 2022 fallback

### Iran

Recommended Configuration: REALITY or Trojan

Known Issues:

- Deep SSL inspection in some cases
- Consider ECH for SNI hiding
## Security Best Practices

- Never share private keys - Your REALITY private key is secret
- Use UUIDs - Never use predictable user IDs
- Regular updates - Keep Xray-core updated for the latest bypasses
- Monitoring - Check server logs for DPI detection attempts
- Redundancy - Maintain backup servers and configurations

## Performance Optimization

### Enable XTLS-Vision
```jsonc
"users": [{
  "id": "uuid",
  "flow": "xtls-rprx-vision"   // Splice optimization
}]
```

Benefits:
- Reduced CPU usage
- Lower latency
- Better throughput
Requirements:
- Both client and server support XTLS
- TCP transport
- REALITY or TLS security
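As an added example (not code from Xray-core or from this guide), the following Python script checks a client config against the rules stated in this guide before it is deployed: `serverNames` must include the `dest` host and `publicKey`/`shortId` must be filled in (Troubleshooting), the fingerprint must be one this guide lists, `ech.config` must be a DoH URL or base64 and `forceQuery` one of `full`/`half`/`none` (ECH section), and `xtls-rprx-vision` requires TCP with REALITY or TLS (Requirements above). The field names follow this guide; the sample config is constructed.

```python
import json
import re

# Fingerprint names listed in this guide; anything else is reported as unknown.
FINGERPRINTS = {"chrome", "firefox", "chrome_100", "chrome_102", "chrome_106",
                "chrome_106_shuffle", "chrome_115_pq", "chrome_120", "chrome_131",
                "firefox_102", "firefox_105", "firefox_120"}
PLACEHOLDER = re.compile(r"your-|-here$|^\.\.\.$")  # spellings used in the templates

def check_outbound(ob):
    """Return the problems found in one outbound, per the rules in this guide."""
    ss = ob.get("streamSettings", {})
    sec, tls, rs = ss.get("security"), ss.get("tlsSettings", {}), ss.get("realitySettings", {})
    problems = []
    if sec == "reality":
        # Troubleshooting: serverNames must match dest; publicKey/shortId come from the server
        if rs.get("dest", "").rsplit(":", 1)[0] not in rs.get("serverNames", []):
            problems.append("serverNames does not include the dest host")
        for key in ("publicKey", "shortId"):
            if not rs.get(key) or PLACEHOLDER.search(rs[key]):
                problems.append(f"realitySettings.{key} is missing or a placeholder")
    fp = (rs if sec == "reality" else tls).get("fingerprint")
    if fp is not None and fp not in FINGERPRINTS:
        problems.append(f"unknown fingerprint: {fp}")
    ech = ss.get("ech") or tls.get("ech")
    if ech:
        cfg = ech.get("config", "")  # DoH URL, "domain+URL" form, or a base64 blob
        if not ("https://" in cfg or re.fullmatch(r"[\w+/=]+", cfg)):
            problems.append("ech.config is neither a DoH URL nor base64")
        if ech.get("forceQuery", "full") not in {"full", "half", "none"}:
            problems.append("ech.forceQuery must be full, half or none")
    # XTLS-Vision requirements from the Performance section: TCP plus REALITY or TLS
    users = [u for s in ob.get("settings", {}).get("vnext", []) for u in s.get("users", [])]
    if any(u.get("flow") == "xtls-rprx-vision" for u in users) and (
            ss.get("network", "tcp") != "tcp" or sec not in {"reality", "tls"}):
        problems.append("xtls-rprx-vision requires TCP with REALITY or TLS")
    return problems

def check_config(text):
    cfg = json.loads(text)  # maps each outbound tag to its list of problems
    return {ob.get("tag", "?"): check_outbound(ob) for ob in cfg.get("outbounds", [])}

# Constructed sample: Template 1 with a placeholder key, a serverNames typo and WebSocket
SAMPLE = """{"outbounds": [{"protocol": "vless", "tag": "reality-proxy",
 "settings": {"vnext": [{"address": "198.51.100.7", "port": 443,
  "users": [{"id": "uuid", "flow": "xtls-rprx-vision", "encryption": "none"}]}]},
 "streamSettings": {"network": "ws", "security": "reality", "realitySettings": {
  "dest": "www.microsoft.com:443", "serverNames": ["microsoft.com"],
  "publicKey": "your-public-key", "shortId": "0", "fingerprint": "chrome"}}}]}"""
```

Running `check_config(SAMPLE)` reports three problems for `reality-proxy`; fixing them (host in `serverNames`, a real `publicKey`, `"network": "tcp"`) yields an empty list.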
### Disable Unused Features

```json
"streamSettings": {
  "sockopt": {
    "tcpKeepAliveInterval": 30,
    "tcpKeepAliveIdle": 60
  }
}
```

## References

- TSPU Documentation: `docs/tspu/` - Internal analysis of the Russian censorship system
- Research Notes: `docs/tspu/RESEARCH.md` - Technical research on DPI bypass
- Upstream Documentation: https://xtls.github.io

Last Updated: 2025-03-25

Xray-core Version: 1.8.x+

Status: Production Ready