TCP + Reality gets blocked

[oknabe]

Integrity requirements

• I have read all the comments in the issue template and ensured that this issue meet the requirements.
• I confirm that I have read the documentation, understand the meaning of all the configuration items I wrote, and did not pile up seemingly useful options or default values.
• I provided the complete config and logs, rather than just providing the truncated parts based on my own judgment.
• I searched issues and did not find any similar issues.
• The problem can be successfully reproduced in the latest Release

Description

Reality suddenly stopped working with one of my internet connections. I'm reporting this as a potential bug since your slogan is "Xray, Penetrates Everything."

It looks like the protocol itself gets blocked by the government firewall. I suspect that the firewall modifies the TLS ClientHello during the connection, causing the Xray server to reject it. However, I'm not sure whether this is the real cause, this is just a hypothesis based on the symptoms. If you need more information to debug and fix, I'm ready to help.

What I've found:

1. The website I use to mask my Xray server is accessible via the server’s IP and the blocking internet provider. That is, the connection is not blocked by the IP or the SNI.
2. It happens on one of my internet connections and doesn't happen on another. I’m using the same device, the same client version, and the same server configuration. The only difference is the internet provider.
3. The server is running the latest version of Xray (25.10.15).
4. I tested with different client applications, but the issue persists across all of them.
5. I didn't change the server or client configuration recently. This morning the connection worked for a short time, and then it stopped working completely. Though, rarely it works for a short time after conncting (this happened during the log collection).
6. Changing the fragmentation settings in the client (length=40, interval=10, packets=5; length=10, interval=22, packets=10) didn't hlep.
7. Changing domain names for SNI didn't help.
8. Changing the fingerprints in the client settings didn't help.
9. The server logs show multiple "failed to read client hello" messages with my IP. That is, the connection is not fully blocked.
10. Changing the server IP, data center, and country made no difference either, except...
11. When connecting through the same ISP to another Xray server located in my country (Russia), using the same config except for the SNI, the VPN works without issues. This suggests that only servers outside Russia are affected.

Let me know what I cando to collect more debug information for you.

Reproduction Method

You need to be under an ISP that blocks Reality like in my case. Just try to access Internet using Xray VLESS + Reality using the configurations provided by me.

Client config

Details

{
  "api" : {
    "listen" : "127.0.0.1:10085",
    "services" : [
      "HandlerService"
    ],
    "tag" : "api"
  },
  "dns" : {
    "queryStrategy" : "UseIPv4"
  },
  "inbounds" : [
    {
      "listen" : "127.0.0.1",
      "port" : 10808,
      "protocol" : "socks",
      "settings" : {
        "auth" : "noauth",
        "udp" : true
      },
      "sniffing" : {
        "destOverride" : [
          "quic",
          "tls",
          "http"
        ],
        "enabled" : true,
        "excludedDomains" : [

        ],
        "metadataOnly" : false,
        "routeOnly" : true
      },
      "tag" : "socks-in"
    },
    {
      "listen" : "127.0.0.1",
      "port" : 10809,
      "protocol" : "http",
      "settings" : {
        "auth" : "noauth",
        "udp" : true
      },
      "sniffing" : {
        "destOverride" : [
          "quic",
          "tls",
          "http"
        ],
        "enabled" : true,
        "excludedDomains" : [

        ],
        "metadataOnly" : false,
        "routeOnly" : true
      },
      "tag" : "http"
    },
    {
      "listen" : "127.0.0.1",
      "port" : 10820,
      "protocol" : "socks",
      "settings" : {
        "auth" : "noauth",
        "udp" : true
      },
      "sniffing" : {
        "destOverride" : [
          "quic",
          "tls",
          "http"
        ],
        "enabled" : true,
        "excludedDomains" : [

        ],
        "metadataOnly" : false,
        "routeOnly" : true
      },
      "tag" : "socks-direct"
    }
  ],
  "log" : {
    "access" : "\/Users\/freedom\/Library\/Group Containers\/group.su.ffg.happ\/Library\/Application Support\/Xray\/logs\/access",
    "dnsLog" : true,
    "loglevel" : "Debug"
  },
  "outbounds" : [
    {
      "protocol" : "vless",
      "settings" : {
        "vnext" : [
          {
            "address" : "4.3.2.1",
            "port" : 443,
            "users" : [
              {
                "encryption" : "none",
                "flow" : "xtls-rprx-vision",
                "id" : "947b2a27-d5ba-4df4-8e0c-571899511104",
                "level" : 8,
                "security" : "auto"
              }
            ]
          }
        ]
      },
      "streamSettings" : {
        "network" : "tcp",
        "realitySettings" : {
          "fingerprint" : "chrome",
          "mldsa65Verify" : "",
          "publicKey" : "If7Xei16e5rjIJWqTElGLmdJ-qu5rP7IttdCDJ4GusY",
          "serverName" : "www.google.com",
          "shortId" : "37b4985385c55e4c",
          "show" : false,
          "spiderX" : ""
        },
        "security" : "reality",
        "tcpSettings" : {
          "header" : {
            "request" : {
              "headers" : {
                "Host" : [
                  ""
                ]
              },
              "method" : "GET",
              "path" : [
                ""
              ]
            },
            "type" : "none"
          }
        }
      },
      "tag" : "proxy"
    },
    {
      "protocol" : "freedom",
      "tag" : "direct"
    },
    {
      "protocol" : "blackhole",
      "tag" : "block"
    }
  ],
  "policy" : {
    "levels" : {
      "8" : {
        "bufferSize" : 3,
        "connIdle" : 100,
        "downlinkOnly" : 4,
        "handshake" : 3,
        "statsUserDownlink" : false,
        "statsUserOnline" : false,
        "statsUserUplink" : false,
        "uplinkOnly" : 2
      }
    },
    "system" : {
      "statsInboundDownlink" : false,
      "statsInboundUplink" : false,
      "statsOutboundDownlink" : false,
      "statsOutboundUplink" : false
    }
  },
  "remarks" : "Test",
  "routing" : {
    "domainStrategy" : "AsIs",
    "rules" : [
      {
        "inboundTag" : [
          "socks-direct"
        ],
        "outboundTag" : "direct"
      }
    ]
  }
}

Server config

Details

{
  "log": {
    "loglevel": "debug",
    "dnsLog": true
  },
  "routing": {
    "rules": [],
    "domainStrategy": "AsIs"
  },
  "inbounds": [
    {
      "port": 443,
      "protocol": "vless",
      "tag": "vless_tls",
      "settings": {
        "clients": [
          {
            "id": "947b2a27-d5ba-4df4-8e0c-571899511104",
            "email": "user1@myserver",
            "flow": "xtls-rprx-vision"
          }
        ],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "tcp",
        "security": "reality",
        "realitySettings": {
          "show": false,
          "dest": "www.google.com:443",
          "xver": 0,
          "serverNames": [
            "www.google.com"
          ],
          "privateKey": "iEsTlYHFGjuHrj3GDY6fo8q6s21ceCwb1g1D_NAS2X0",
          "minClientVer": "",
          "maxClientVer": "",
          "maxTimeDiff": 0,
          "shortIds": [
            "0123456789abcdef"
          ]
        }
      },
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls"
        ]
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "tag": "direct"
    },
    {
      "protocol": "blackhole",
      "tag": "block"
    }
  ]
}

Client log

From Happ

2025/11/23 05:15:37.573902 [Warning] core: Xray 25.10.15 started
23.11.2025 05:15:37 XrayCoreStart - {"success":true} app: v3.5.2
23.11.2025 05:16:53 Tunnel stopped.
Stop reason: - userInitiated

Server log

journalctI logs

[0x3mp7y]

Yes, this is continuation of Russia's DPI testing new ways to block TLS tunnels as told there: net4people/bbs#546

Also mux doesn't seem to help currently.

[RPRX]

Failed to read client hello? 指的是 Client Hello 都发不出去吗

[RPRX]

The website I use to mask my Xray server is accessible via the server’s IP and the blocking internet provider. That is, the connection is not blocked by the IP or the SNI.

如果是这样的话可能要完全符合典型 h2 的流量特征才可以（match），有尝试过 #5102 (comment) 吗

[RPRX]

此外，看到你是用自己的域名，尝试 XHTTP + Browser Dialer

[tytapory]

They’re most likely blocking it based on indirect traffic fingerprints. I have one configuration that routes traffic directly to the US, and another that goes through a chain (a server in Russia masquerading as my site -> a server in Kazakhstan masquerading as a random API -> the US). The chained setup works for my friends in locations where my other direct configs fail.

The website I use to mask the Xray server in Russia is just a placeholder page, but its DNS record actually points to this server, so from the outside it looks like a legitimate site hosted at that IP.

[RPRX]

我们不需要一遍又一遍类似的情况报告

我们需要的是你们手动改代码 #5102 (comment) 来确定是否有效，这也能为月底出的 Seed 提供参考

[Fangliding]

如果xhttp有用搞不好是看握手后前几个包的h2特征了
如果是这样的话理论上grpc也可以

[RPRX]

如果xhttp有用搞不好是看握手后前几个包的h2特征了 如果是这样的话理论上grpc也可以

要不先直接出 Switch

[0x3mp7y]

If xHTTP works, it's probably because of the h2 characteristics of the first few packets after the handshake. If that's the case, theoretically gRPC should also work.

Yes, that's the case actually

[Fangliding]

如果xhttp有用搞不好是看握手后前几个包的h2特征了 如果是这样的话理论上grpc也可以

要不先直接出 Switch

和这个没关系吧 抓后续流量那比较好的办法也就用这些h2 based了 要不就再自己调vless enc的padding参数
还有我还发现padding参数这么设计的一个问题 很多行为其实是qa式的 比如客户端发出setting服务端再回复 vless enc这样独立的time based模式没法正确模拟 要么就只能自己算rtt填进去假装是质询 但是应用层rtt不是稳定的 比如下面tcp丢个包上面就会大幅波动 这样可能就会发生假装的请求还没过去 假装响应就来了

[RPRX]

Switch 的话，XTLS 代理网页甚至不用整形，把握手后的流量拼到新连接上就是 100% 浏览器浏览网页的特征，连二次加密都没有

你说的 VLESS Enc 1-RTT padding 问题我设计时就想过，1-RTT 握手十分钟就一次，甚至设置 18 小时一次也行，没必要搞太复杂的

[RPRX]

既然提到了 VLESS Enc，目前有一个不用改代码也能改流量特征的方法：REALITY 内套一个 1-RTT 的 VLESS Enc，可以自定义 padding

目前不清楚俄罗斯在测试的这套过滤方法是用 Vision 训练出的黑名单还是用浏览器流量训练出的白名单，要先弄清楚这个问题

[Fangliding]

我没说vless enc本身的握手 我的意思是 100-111-1111.75-0-111.50-0-3333 那样的基于时间的padding 这样没法模仿出比如 客户端发500字节假请求 服务端收到后回复600假响应回来这样

[RPRX]

VLESS Enc 那个 padding 就是 1-RTT 时才会用到的，我知道你的意思，我本来打算给 Seed 设计一应一答的，但如果最终走向 h2 流量特征白名单那可能 Seed 也不用出了，整形成 Chrome h2 的流量特征那还不如 Browser Dialer 或直接 Switch，但是得他们先测试

[shiroxxsora]

When I use proxy mode, the VPN works, but sometimes it stops working for a minute.