REALITY, Xray, and AmneziaWG: The 2026 Anti-Censorship Protocol Stack Explained

Three protocols are carrying most of the anti-censorship world in 2026: REALITY(TLS camouflage that borrows legitimate servers' certificates), Xray (the umbrella project that implements REALITY alongside VLESS and other obfuscation transports), and AmneziaWG (obfuscated WireGuard developed by the Amnezia team). This post explains what each does, how they defeat deep packet inspection, how detection frameworks like IPLogs fight back, and which combination is most effective against the 2026 Great Firewall, TSPU, and Iranian filternet.

REALITY — TLS camouflage that borrows real certificates

REALITY is a transport-layer obfuscation protocol designed to make VLESS traffic indistinguishable from connections to a real website. When a client connects, it performs a real TLS handshake with a genuine public website (for example, www.apple.com or www.microsoft.com) — but the REALITY server intercepts that handshake as a middlebox and injects its own pre-shared key into the key derivation. A legitimate client sees a normal handshake with Apple. An authorized VLESS client completes the handshake but negotiates a shadow tunnel on top.

The trick is that if a censor tries to investigate by probing the server — repeating the handshake with slight variations — the server switches to a fallback certificate that is the real Apple or Microsoft certificate, making the server look identical to the cover website. Blocking it requires blocking Apple or Microsoft, which is a political and operational cost most censors cannot pay.

Detecting REALITY

The canonical detection technique is SNI fuzzing: probe the server with the real SNI, then probe again with a small perturbation (e.g., appending a non-existent subdomain). A legitimate CDN like Apple responds identically to both. A REALITY server almost always exposes a small behavioral difference on the perturbed probe — typically a different cipher suite order, a different session ticket length, or a slightly different handshake latency because the server is delegating to its fallback instead of serving the request natively.

IPLogs implements SNI fuzzing as the active_probe_reality signal. The detection is imperfect but fires reliably enough to push a verdict fromclean to suspicious when combined with other mid-weight signals.

Xray — the umbrella project

Xray is a fork of V2Ray that implements VLESS, the third-generation lightweight proxy protocol designed to replace VMess. VLESS has almost no built-in obfuscation of its own — the design choice was to decouple the transport from the obfuscation so that transport wrappers (REALITY, WebSocket, gRPC, QUIC, XHTTP) can be swapped based on adversary conditions.

Typical 2026 deployments layer REALITY on top of VLESS on top of a VPS running an unmodified nginx or caddy as a cover service, often behind Cloudflare for additional obfuscation. Self-hosted REALITY + Cloudflare WARP is the deployment pattern with the highest observed survival rate inside China, Russia, and Iran in 2026.

AmneziaWG — obfuscated WireGuard

Standard WireGuard has two properties that make it easy to fingerprint and block: it uses a distinctive initial packet format (handshake initiation packets have a fixed structure and size), and it operates on UDP/51820 by default. Both are trivial to match in DPI.

AmneziaWG (the obfuscated fork shipped by AmneziaVPN) addresses both problems:

• Packet shape randomization. The initial handshake packet has random-length junk prepended and appended so size-based signatures miss it.
• Junk-byte initial phase. Before the real handshake, the client sends several junk packets of random sizes to mask the handshake-init timing pattern. (This is the same behavior IPLogs originally produced false positives on — we addressed it by requiring multiple correlating signals before flagging.)
• Configurable ports. AmneziaWG commonly runs on TCP/443 or random high UDP ports rather than UDP/51820.

AmneziaWG is the default in AmneziaVPN's client apps on iOS, Android, Windows, macOS, and Linux, making it the most approachable obfuscated WireGuard deployment for non-technical users. It is effective against Russia's TSPU, Iran's filternet, and (as of early 2026) China's GFW — though the GFW's Q2 2026 ML upgrade appears to be closing the gap on junk-byte pattern detection.

Which combination wins in 2026

For users in the hardest censorship environments (China, Iran, Turkmenistan), the empirical winner is:

Xray VLESS + REALITY targeting a Cloudflare edge IP, hosted on a small VPS outside the censored country, with AmneziaWG as a fallback when REALITY is blocked.

The survivability comes from the operational cost of blocking: REALITY-wrapped traffic to Cloudflare is indistinguishable from millions of legitimate connections to Cloudflare, and Cloudflare is too big to blanket-block. When REALITY is temporarily disrupted (usually during politically sensitive windows), AmneziaWG on random UDP ports takes over and works until the DPI systems retune.

What this looks like from the detector side

IPLogs, and detectors like it, do not care about user-side circumvention — we care about classifying the exit side. REALITY exit servers on Hetzner, OVH, and DigitalOcean are detectable as datacenter IPs with high confidence, flagged as dc_ip at weight 0.1. When combined with an active REALITY cert-switch probe (if the endpoint responds), the verdict reaches vpn_likely without difficulty.

AmneziaWG exits are harder but still tractable. The nonstandard-port signal fires on random UDP. When the endpoint is directly probeable, the WireGuard handshake-init probe (cf. our 7-layer method) triggers a handshake response on AmneziaWG deployments that have not been carefully configured to drop unrecognized initiators.

References

• Xray-core GitHub, REALITY specification, 2023–2026.
• Amnezia-VPN GitHub and documentation, amnezia.org, 2026.
• Qubes OS Forum, "Installation of Amnezia VPN and Amnezia WG" community guide, 2026.
• Saropa Contacts, "Global (De)Censorship Report 2025: Freedom, Protocols & Technologies".