What are Proxy Protocols?
A proxy protocol is the "language" used between your Clash client and the server. It determines how data is encrypted and transmitted. Picking the right one affects your speed, privacy, and ability to bypass censorship.
Different protocols focus on **encryption strength**, **traffic obfuscation**, **efficiency**, and **DPI resistance**. The Mihomo core supports the widest range of protocols, giving you the freedom to switch based on your network environment.
Encryption & Security
Protocols use ciphers like AES-256-GCM or ChaCha20, or a TLS 1.3 channel, to prevent eavesdropping and data tampering, keeping your traffic private.
Obfuscation & Anti-Blocking
Advanced protocols mimic normal HTTPS or other traffic, making it hard for Deep Packet Inspection (DPI) to identify and block your connection.
Performance & Latency
QUIC-based protocols (Hysteria 2, TUIC) significantly outperform traditional TCP in unstable or high-latency networks due to better congestion control.
SHADOWSOCKS / SSR
Shadowsocks (SS) was created by @clowwindy in 2012 and remains one of the world's most popular anti-censorship protocols. Its core design uses AEAD encryption (AES-256-GCM, etc.) to turn traffic into a stream of random-looking bytes that is difficult to distinguish from normal encrypted data.
Clash fully supports all SS encryption methods and can be used with plugins like `simple-obfs` or `v2ray-plugin` for added DPI resistance. Mihomo also supports ShadowsocksR (SSR).
Best for: beginners using their first subscription, standard daily browsing, and situations where simplicity and "set it and forget it" are priorities.
AEAD Authenticated Encryption
Modern algorithms like AES-256-GCM ensure data integrity and prevent MITM attacks or traffic tampering while providing strong encryption.
Obfuscation Plugins
Plugins like simple-obfs and v2ray-plugin deeply mask Shadowsocks traffic, allowing it to bypass strict DPI filtering.
Lightweight & Efficient
Minimal headers with very low CPU and memory overhead. Less than 1% performance loss at Gigabit speeds. Ideal for low-end servers and routers.
Native UDP Support
Supports UDP relay for gaming, video calls, and DNS. Low latency and reliable performance for all UDP-based traffic.
Widest Ecosystem Support
Almost all providers support Shadowsocks. It is the most compatible protocol across Clash, Mihomo, Surge, Quantumult X, and more.
VMESS / VLESS
VMess is an encrypted transport protocol from the V2Ray project. It uses a UUID for authentication and supports AEAD encryption. It is compatible with WebSocket, gRPC, and HTTP/2 transports with TLS, and performs excellently in complex network environments.
VLESS is the successor to VMess, delegating encryption to TLS to reduce overhead and improve performance. Mihomo supports VLESS + XTLS Reality, which mimics real website fingerprints to provide some of the strongest anti-detection capabilities for self-hosting.
Best for: users in complex firewall environments, those needing CDN relay (e.g., Cloudflare) to hide server IPs, or tech-savvy users self-hosting with VLESS + Reality.
Flexible Multi-Transport
Supports WebSocket, gRPC, HTTP/2, and XHTTP. Can be deployed with Cloudflare CDN or reverse proxies to completely hide your server's IP address.
VLESS + XTLS Reality
Reality technology uses valid TLS certificates from real websites for obfuscation. To an external observer, your traffic is indistinguishable from visiting a real HTTPS site.
Mux (Multiplexing)
h2mux/smux combines multiple proxy connections into a single TCP stream. This reduces handshake latency and significantly improves performance on high-ping networks.
Secure UUID Auth
Uses a globally unique UUID instead of a plaintext password. VMess also includes timestamp verification to prevent replay attacks.
Top Choice for Self-Hosting
Supported by V2Ray, Xray-core, and most major server tools. It has a massive community and excellent documentation for technical users.
TROJAN / TROJAN-GO
Trojan takes a clever approach: instead of actively obfuscating traffic, it disguises the proxy as a real HTTPS web server. It listens on port 443 with a valid TLS certificate. To a firewall, it looks like a normal HTTPS site, making it nearly impossible to detect.
Trojan-Go is an enhanced version that adds WebSocket support (for CDN relay), extra AEAD encryption, and multiplexing, further improving performance and anti-blocking flexibility.
Best for: users in regions with strict censorship and IP blocking; those self-hosting who prioritize maximum stealth and valid TLS signatures.
Port 443 HTTPS Mimicry
Completely disguises traffic as HTTPS on port 443 with real TLS certificates. Firewalls cannot distinguish it from normal web browsing based on port or protocol.
Fallback Mechanism
Non-Trojan connections automatically fall back to a real web service (like Nginx). The server appears normal to external scanners, reducing the risk of targeted blocking.
WebSocket + CDN (Trojan-Go)
Trojan-Go supports WebSocket, allowing you to use Cloudflare or other CDNs as a relay. This hides your server IP and helps bypass direct IP bans.
TLS 1.3 High Performance
Uses TLS 1.3 by default with no extra encryption overhead. Handshakes are fast, and speeds on high-bandwidth lines are close to native HTTPS.
Password Hash Auth
Uses SHA-224 password hashing for easy setup. No complex UUIDs required, making it ideal for quick self-hosted deployments.
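The hash authentication and fallback described above, as an added example (not code from the Trojan project or from this page): a Python sketch of the documented Trojan request layout, which is 56 hex characters of SHA-224(password), CRLF, a SOCKS5-style target, CRLF. The function names and the sample password are assumptions, and only CONNECT to a domain name is handled.

```python
import hashlib
import hmac
import struct

CRLF = b"\r\n"

def trojan_key(password):
    """The credential sent inside TLS: hex(SHA-224(password)), 56 ASCII bytes."""
    return hashlib.sha224(password.encode()).hexdigest().encode()

def build_request(password, host, port):
    """Client side: auth line, then CMD=CONNECT (0x01), ATYP=domain (0x03)."""
    name = host.encode()
    target = b"\x01\x03" + bytes([len(name)]) + name + struct.pack("!H", port)
    return trojan_key(password) + CRLF + target + CRLF

def classify(first_bytes, passwords):
    """Server side: decide what to do with the first bytes received after TLS.

    Returns ("proxy", host, port) for a valid request, otherwise
    ("fallback", None, None) so the bytes are handed to the real web server.
    """
    fallback = ("fallback", None, None)
    if len(first_bytes) < 58 or first_bytes[56:58] != CRLF:
        return fallback
    presented = first_bytes[:56]
    ok = False
    for p in passwords:  # constant-time compare against every configured key
        ok |= hmac.compare_digest(presented, trojan_key(p))
    if not ok:
        return fallback
    body = first_bytes[58:]
    if len(body) < 3 or body[0] != 0x01 or body[1] != 0x03:
        return fallback  # this sketch handles only CONNECT + domain
    n = body[2]
    if len(body) < n + 7 or body[n + 5:n + 7] != CRLF:
        return fallback
    host = body[3:3 + n].decode("ascii", "replace")
    (port,) = struct.unpack("!H", body[3 + n:5 + n])
    return ("proxy", host, port)

if __name__ == "__main__":
    req = build_request("constructed-password", "example.com", 443)
    print(classify(req, ["constructed-password"]))
    print(classify(b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n", ["constructed-password"]))
```

The hash is unsalted and is the only secret in the exchange, so a long random password matters more here than the choice of SHA-224.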
TUIC V5 / HYSTERIA 2
TUIC v5 and Hysteria 2 are next-gen protocols based on the QUIC transport layer (RFC 9000). They are designed for unstable and high-latency networks. TUIC v5 features 0-RTT handshakes and native UDP, perfect for browsing with many short connections.
Hysteria 2 goes further with a custom BBR Brutal algorithm. It can saturate available bandwidth even with 20%+ packet loss, outperforming traditional protocols on transoceanic links, satellite internet, and noisy 4G/5G networks.
Best for: unstable networks (high latency/packet loss); users needing max download speeds for 4K video or large files; low-latency gaming and VoIP; mobile users frequently switching between WiFi and data.
QUIC Transport Layer
Built on UDP-based QUIC with native TLS 1.3, multiplexing, and connection migration (no disconnect when your IP changes). Much better for mobile than TCP.
0-RTT Fast Handshake
Supports 0-RTT reconnection. This makes switching between WiFi and 4G seamless and significantly reduces initial connection times.
BBR Brutal (Hysteria 2)
A custom BBR algorithm that maintains full speed even at 20%+ packet loss. It is several times faster than standard protocols in poor network conditions.
Native UDP over QUIC
Proxies UDP traffic natively without fakeTCP overhead. This provides much lower latency for gaming, P2P, and voice calls.
Connection Migration
The QUIC protocol allows connections to stay alive even if your IP changes (e.g., leaving your house and switching to LTE), providing a superior mobile experience.
WIREGUARD / SNELL
WireGuard is a modern VPN protocol known for its simple codebase (under 4000 lines), incredible speed, and strong security. It is built into the Linux kernel (5.6+). Mihomo natively integrates WireGuard, allowing you to use it like any other node without a separate VPN app.
Snell v4 is a proprietary high-performance protocol for Surge. It supports multiplexing and UDP over TCP. It offers excellent latency and throughput for advanced users using both Surge and Clash.
Best for: technical users with self-hosted VPS; server and router deployments; power users who need Snell compatibility for Surge and Clash setups.
Modern Cryptography
Uses Curve25519, ChaCha20-Poly1305, and BLAKE2s. The cryptographic suite is state-of-the-art, audit-friendly, and extremely secure.
Kernel-Level Performance
With its inclusion in the Linux kernel, it enjoys unmatched performance on Linux and Android. CPU usage is much lower than OpenVPN or IPSec under heavy loads.
Stateless · Seamless Roaming
Zero overhead when idle. Automatically handles IP changes without needing a new handshake, providing a flawless experience on mobile devices.
Native Mihomo Integration
Use WireGuard nodes directly in your Mihomo (Clash.Meta) config. Enjoy full rule splitting and policy group support without external clients.
Snell Multiplexing (v4)
Snell v4 uses multiplexing to reduce TCP handshakes. This significantly lowers Time to First Byte (TTFB) on high-latency links for a snappier web experience.
HTTP / SOCKS5
HTTP and SOCKS5 are the most universal proxy protocols. Almost all network-enabled software and operating systems support them. Clash can connect to upstream HTTP/SOCKS5 servers and also opens local HTTP (default port 7890) and SOCKS5 (default port 7891) ports for your apps to use directly.
HTTP proxies only support TCP and are easily identified by firewalls. SOCKS5 is more versatile, supporting both TCP and UDP. Before TUN mode became standard, SOCKS5 was the primary way to achieve system-wide proxying and remains essential for legacy software compatibility.
Best for: sharing a proxy with multiple devices on a local network; integrating with Proxifier, curl, or git; and debugging specific API requests or network behaviors during development.
Universal Compatibility
Native support across all major OSs, browsers, and apps. No extra drivers or setup required—just plug and play.
Local Proxy Ports
Clash provides local HTTP (7890) and SOCKS5 (7891) ports. Browsers can simply point to 127.0.0.1:7890 without needing virtual NIC drivers.
HTTP CONNECT Tunneling
Supports secure HTTPS tunnels via the CONNECT method. Widely used in corporate gateways and browser extensions like SwitchyOmega.
SOCKS5 UDP Proxy
SOCKS5 natively supports UDP traffic forwarding, suitable for gaming tools, video calls, or DNS proxying.
Developer Friendly
The simple protocol structure makes it easy to analyze traffic with tools like Wireshark or mitmproxy.
PROTOCOL COMPARISON
A direct comparison of major proxy protocols—encryption, anti-blocking, performance, and UDP support at a glance.
| Protocol | Transport | Encryption | Anti-Blocking | Performance | UDP Support | Beginner Friendly | Best Scenario |
|---|---|---|---|---|---|---|---|
| Shadowsocks | TCP + UDP | High | Medium | Fast | ✓ | ✓ | General Providers · Daily Use |
| VMess | TCP / WS / gRPC | High | High | Medium | ✓ | △ | CDN Relay · Anti-DPI |
| VLESS + Reality | TCP / WS / gRPC | Extreme | Extreme | Fast | ✓ | ✗ | Strict Censorship · Self-Hosting |
| Trojan | TCP / WebSocket | High | Extreme | Fast | △ | △ | Censored Areas · Self-Hosting |
| TUIC v5 | QUIC(UDP) | High | Medium | Extreme | ✓ | △ | Weak Network · Short Conns |
| Hysteria 2 | QUIC(UDP) | High | Medium | Extreme | ✓ | △ | Packet Loss · High Speed |
| WireGuard | UDP | Extreme | Low | Extreme | ✓ | ✗ | VPS Owners · Technical Users |
| HTTP / SOCKS5 | TCP(+UDP) | Low | Very Low | Fast | △ | ✓ | LAN Sharing · Debugging |
HOW TO CHOOSE
Find the perfect protocol for your specific needs without diving into technical jargon.
Just bought a sub, beginner level
Plug and play. Most providers use Shadowsocks or VMess. Clash handles everything automatically—just pick the node with the lowest ping.
Banned IPs / Strict Censorship
If standard protocols are blocked or your IP is targeted, you need high stealth. Trojan and VLESS + Reality are the best choices for bypassing advanced firewalls (requires self-hosting).
Poor Quality / Max Speed
In high-latency, high-loss environments (like satellite or weak 4G), standard TCP fails. QUIC-based Hysteria 2 and TUIC v5 are built to maintain high speeds in these conditions.
Self-Hosted VPS / Max Control
If you have your own server and want max performance, go with WireGuard or VLESS + Reality. They represent the gold standard in modern proxy speed and security.
PROTOCOLS FAQ
Which protocols do Clash and Mihomo support?
Original Clash supports Shadowsocks, VMess, Trojan, and standard SOCKS/HTTP. Mihomo (Clash.Meta) adds VLESS + Reality, TUIC v5, Hysteria 2, WireGuard, and more. Mihomo is the recommended core for complete support.
What is the difference between VMess and VLESS?
VMess is the classic V2Ray protocol with built-in encryption. VLESS is a leaner version that delegates encryption to TLS for better performance. If your server supports **VLESS + Reality**, choose it for superior stealth. Otherwise, VMess + TLS + WebSocket is a solid choice.
Is Hysteria 2 really faster?
On a perfect connection, the difference is small. But in **poor network conditions** with high packet loss (5%-30%), Hysteria 2's BBR Brutal algorithm can be 3-10x faster than traditional protocols. It's best for long-distance links or weak mobile data.
How do I check which protocol my provider uses?
In your Clash client (like Clash Verge Rev), go to the "Proxies" tab and tap/click a node to see its details. It will show the type (ss, vmess, trojan, etc.). You can also check your provider's website or dashboard.
Is Shadowsocks still safe?
Standard Shadowsocks is still secure (AEAD), but its traffic pattern can be detected in some regions. To stay safe: 1. Use modern algorithms like AES-256-GCM; 2. Pair it with the `v2ray-plugin` for obfuscation; 3. If you're still being blocked, switch to Trojan or Reality.
How do I manually add nodes to a Clash config?
Clash uses YAML. Declare nodes under the `proxies:` section with parameters like server, port, password, and type. For detailed syntax, check our Setup Guide or the official Mihomo documentation.
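A check to run on hand-written nodes, as an added example (not part of the original page or the Mihomo project): a Python audit of entries under `proxies:` for the weak settings this page warns about. It takes the already-parsed config as a dict; the function names, rule set and sample nodes are assumptions, and `cipher`, `tls` and `skip-cert-verify` are the Clash config keys it reads.

```python
# Shadowsocks AEAD ciphers; Mihomo's "2022-blake3-*" family is AEAD as well.
AEAD_CIPHERS = {
    "aes-128-gcm", "aes-192-gcm", "aes-256-gcm",
    "chacha20-ietf-poly1305", "xchacha20-ietf-poly1305",
}
REQUIRED = ("name", "type", "server", "port")

def audit_node(node):
    """Return a list of findings for one entry under `proxies:`."""
    findings = [f"missing required key: {k}" for k in REQUIRED if k not in node]
    kind = node.get("type")
    cipher = str(node.get("cipher", ""))
    if kind == "ss" and cipher not in AEAD_CIPHERS and not cipher.startswith("2022-blake3-"):
        findings.append(f"non-AEAD Shadowsocks cipher: {cipher or 'unset'}")
    if node.get("skip-cert-verify") is True:
        findings.append("skip-cert-verify is true: server certificate is not checked")
    if kind in ("http", "socks5") and not node.get("tls"):
        findings.append(f"{kind} upstream without tls: proxy credentials and destinations in cleartext")
    port = node.get("port")
    if port is not None and not (isinstance(port, int) and 0 < port < 65536):
        findings.append(f"invalid port: {port!r}")
    return findings

def audit_config(config):
    """Map node name -> findings, keeping only nodes that have findings."""
    report = {}
    for i, node in enumerate(config.get("proxies") or []):
        found = audit_node(node)
        if found:
            report[node.get("name", f"#{i}")] = found
    return report

# Constructed sample: the dict yaml.safe_load() would return for a small
# config.yaml. Hosts and secrets are placeholders.
SAMPLE = {"proxies": [
    {"name": "ss-ok", "type": "ss", "server": "ss.example.com", "port": 8388,
     "cipher": "aes-256-gcm", "password": "PLACEHOLDER"},
    {"name": "ss-legacy", "type": "ss", "server": "ss.example.com", "port": 8388,
     "cipher": "aes-256-cfb", "password": "PLACEHOLDER"},
    {"name": "trojan-lax", "type": "trojan", "server": "t.example.com", "port": 443,
     "password": "PLACEHOLDER", "skip-cert-verify": True},
    {"name": "socks-plain", "type": "socks5", "server": "10.0.0.2", "port": 1080},
]}

if __name__ == "__main__":
    for name, found in audit_config(SAMPLE).items():
        print(name, found)
```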