Xray-core — High-Performance Proxy with XTLS and REALITY

Introduction

Xray-core is an enhanced fork of V2Ray maintained by the XTLS community. It was created to push performance boundaries by introducing XTLS (a zero-copy TLS forwarding mechanism) and REALITY (a next-generation obfuscation protocol that uses real TLS certificates from other sites). Xray maintains backward compatibility with V2Ray configurations while adding features that reduce CPU usage and increase throughput.

What Xray-core Does

• Proxies network traffic using VLESS, VMess, Trojan, and Shadowsocks with optional XTLS acceleration
• Implements REALITY protocol that borrows TLS fingerprints from legitimate websites for stealth
• Achieves near-zero CPU overhead via splice/zero-copy on Linux when forwarding encrypted streams
• Provides the same routing engine as V2Ray with GeoIP and domain-based traffic splitting
• Supports fallback mechanisms that serve real HTTPS content to probing connections

Architecture Overview

Xray shares V2Ray's inbound/outbound/routing architecture but extends the transport layer with XTLS Vision and REALITY. XTLS detects the inner TLS handshake and switches to raw splice after negotiation, bypassing redundant encryption. REALITY generates server-side TLS certificates on the fly using a target site's public key, so the connection appears identical to visiting that site. Fallbacks route non-proxy traffic to a real web server.

Self-Hosting & Configuration

• Install on any Linux VPS with the one-line script; it sets up systemd service and log rotation
• Configure REALITY by specifying a dest (target site), serverNames, and generating key pairs with xray x25519
• Use short IDs and spider parameters to restrict unauthorized access to the proxy endpoint
• Enable stats and API endpoints for monitoring connection metrics and dynamic user management
• Deploy multiple inbound listeners on different ports for protocol segmentation

Key Features

• XTLS Vision flow provides zero-copy forwarding that cuts CPU usage by up to 90% on encrypted traffic
• REALITY eliminates the need for a domain and TLS certificate while maintaining full TLS 1.3 appearance
• Fallback chains serve legitimate HTTPS responses to scanners, making the server indistinguishable from a normal site
• Full compatibility with all V2Ray protocols, transports, and client applications
• Active community with frequent releases addressing new detection techniques

Comparison with Similar Tools

• V2Ray — The upstream project; Xray adds XTLS/REALITY and higher throughput but diverges in protocol support
• sing-box — Modern rewrite with cleaner config; Xray focuses on TLS-level innovations
• Hysteria — QUIC-based with different performance characteristics; Xray operates over TCP/TLS
• Trojan-Go — Trojan protocol only; Xray supports Trojan plus multiple other protocols in one binary
• Shadowsocks-rust — Lightweight single-protocol; Xray provides multi-protocol routing and obfuscation

FAQ

Q: Do I need a domain name to use Xray with REALITY? A: No. REALITY generates TLS certificates using another site's public key, so you only need a VPS IP address. This is one of its main advantages over traditional TLS setups.

Q: What is the difference between XTLS Vision and direct TLS? A: XTLS Vision detects the inner TLS handshake and uses Linux splice to forward encrypted payloads without decrypting and re-encrypting them, achieving near-native throughput.

Q: Is Xray compatible with existing V2Ray clients? A: Yes. Clients like v2rayN, v2rayNG, Qv2ray, and Nekoray support Xray configurations. REALITY requires client versions that implement the REALITY handshake.

Q: How does REALITY resist active probing? A: When a prober connects without the correct short ID, Xray forwards the connection to the real target site, returning genuine TLS responses. The prober cannot distinguish the proxy from the target.

Sources

• https://github.com/XTLS/Xray-core
• https://xtls.github.io/en/