This document covers every protocol/transport combination VortexUI supports, with copy-paste inbound configurations. All examples assume the panel is running and you create inbounds via the API or UI — the panel renders the native Xray/sing-box JSON automatically.
- Protocol Capability Matrix
- VLESS
- VMess
- Trojan
- Shadowsocks
- Hysteria2
- TUIC
- Outbound Examples
- Routing Examples
VortexUI runs on two interchangeable cores — Xray-core and sing-box — and the
available protocols, transports, and security layers differ per core. The panel exposes
this as a live per-protocol capability matrix (GET /api/capabilities), and that
matrix is the single source of truth: the inbound editor only offers the
protocol/transport/security combinations the selected node's core actually supports.
The tables below mirror it for v1.2.3.
| Capability | Supported values |
|---|---|
| Inbound protocols | vless, vmess, trojan, shadowsocks (+ SS-2022 multi-user), socks, http, dokodemo |
| Stream transports | tcp, ws, grpc, httpupgrade, http/h2, xhttp, mkcp (mKCP) |
| Security | none, tls, reality |
Notes:
- TLS accepts an
alpnlist (e.g.h2,http/1.1) for negotiation. - TCP transport supports a header type of
noneorhttp(HTTP camouflage). - xHTTP supports a
modeselector (auto,packet-up,stream-up,stream-one). - REALITY is available on raw
tcponly (typically withxtls-rprx-visionflow).
| Capability | Supported values |
|---|---|
| Inbound protocols | vless, vmess, trojan, shadowsocks, hysteria2, tuic, wireguard, hysteria (v1), shadowtls, anytls, socks, http, naive |
| Stream transports | tcp, ws, grpc, httpupgrade, http/h2, quic |
| Security | none, tls, reality |
Notes:
- UDP-native protocols (
hysteria2,tuic,hysteria,wireguard) manage their own transport and do not take a stream transport setting.
A few protocols do not carry a stream transport at all — they are point-to-point or manage their own framing:
| Protocol | Core | Transport | Security |
|---|---|---|---|
socks |
both | none (raw TCP) | plaintext |
http |
both | none (raw TCP) | plaintext |
naive |
sing-box | none | TLS mandatory |
dokodemo |
xray | none (raw TCP/UDP) | plaintext |
socks and http are plaintext inbounds (no TLS) — use them only on trusted
networks or behind a local relay. naive mandates TLS. dokodemo is a transparent
port-forward/destination inbound and carries no stream settings.
The most censorship-resistant setup. No real certificate needed — the server impersonates a legitimate website.
| Field | Value |
|---|---|
| Protocol | vless |
| Port | 443 |
| Network | tcp |
| Security | reality |
| SNI | www.microsoft.com (or any high-traffic site) |
| Flow | xtls-rprx-vision |
Panel UI steps:
- Go to Nodes → Inbounds → Add
- Set protocol
vless, port443, networktcp, securityreality - Click Generate in the REALITY section to get keys
- Set SNI to a target domain (e.g.
www.microsoft.com) - Set flow to
xtls-rprx-vision
Raw JSON (for advanced use):
{
"reality": {
"private_key": "<generated>",
"short_ids": ["<generated>"],
"server_names": ["www.microsoft.com"],
"dest": "www.microsoft.com:443"
}
}Best for CDN (Cloudflare) fronting.
| Field | Value |
|---|---|
| Protocol | vless |
| Port | 443 |
| Network | ws |
| Security | tls |
| SNI | your-domain.com |
| Path | /vless-ws |
Low-latency multiplexed transport, CDN-compatible.
| Field | Value |
|---|---|
| Protocol | vless |
| Port | 443 |
| Network | grpc |
| Security | tls |
| SNI | your-domain.com |
| Path | vless-grpc (service name) |
Modern alternative to WebSocket, lower overhead.
| Field | Value |
|---|---|
| Protocol | vless |
| Port | 443 |
| Network | httpupgrade |
| Security | tls |
| Path | /vless-hu |
Direct TLS with XTLS splice for maximum performance.
| Field | Value |
|---|---|
| Protocol | vless |
| Port | 443 |
| Network | tcp |
| Security | tls |
| Flow | xtls-rprx-vision |
Classic CDN-frontable setup.
| Field | Value |
|---|---|
| Protocol | vmess |
| Port | 443 |
| Network | ws |
| Security | tls |
| Path | /vmess-ws |
| Host | your-domain.com |
Simple direct connection (no TLS needed for trusted networks).
| Field | Value |
|---|---|
| Protocol | vmess |
| Port | 10086 |
| Network | tcp |
| Security | none |
| Field | Value |
|---|---|
| Protocol | vmess |
| Port | 443 |
| Network | grpc |
| Security | tls |
| Path | vmess-grpc |
| Field | Value |
|---|---|
| Protocol | trojan |
| Port | 443 |
| Network | tcp |
| Security | tls |
| SNI | your-domain.com |
CDN-compatible Trojan.
| Field | Value |
|---|---|
| Protocol | trojan |
| Port | 443 |
| Network | ws |
| Security | tls |
| Path | /trojan-ws |
| Field | Value |
|---|---|
| Protocol | trojan |
| Port | 443 |
| Network | grpc |
| Security | tls |
| Path | trojan-grpc |
Modern AEAD cipher (recommended).
| Field | Value |
|---|---|
| Protocol | shadowsocks |
| Port | 8388 |
| Network | tcp |
| Security | none |
| Method | 2022-blake3-aes-128-gcm |
| Field | Value |
|---|---|
| Protocol | shadowsocks |
| Port | 8388 |
| Network | tcp |
| Security | none |
| Method | aes-128-gcm or chacha20-ietf-poly1305 |
UDP-based, high-speed protocol (sing-box only).
| Field | Value |
|---|---|
| Protocol | hysteria2 |
| Port | 443 |
| Network | udp |
| Security | tls |
| SNI | your-domain.com |
Note: Requires sing-box core on the node. Set VORTEX_CORE=singbox.
QUIC-based protocol with multiplexing (sing-box only).
| Field | Value |
|---|---|
| Protocol | tuic |
| Port | 443 |
| Network | udp |
| Security | tls |
| SNI | your-domain.com |
Note: Requires sing-box core on the node.
{ "tag": "direct", "protocol": "freedom" }{ "tag": "blocked", "protocol": "blackhole" }{
"tag": "proxy-de",
"protocol": "vless",
"address": "de-server.example.com",
"port": 443,
"uuid": "your-uuid",
"network": "ws",
"security": "tls",
"sni": "de-server.example.com",
"path": "/chain"
}{
"tag": "socks-exit",
"protocol": "socks",
"address": "127.0.0.1",
"port": 1080,
"username": "user",
"password": "pass"
}[
{
"priority": 1,
"name": "block-ads",
"domains": ["geosite:category-ads-all"],
"outbound_tag": "blocked"
},
{
"priority": 2,
"name": "iran-direct",
"domains": ["geosite:ir"],
"ip": ["geoip:ir"],
"outbound_tag": "direct"
},
{
"priority": 10,
"name": "everything-else",
"port": "1-65535",
"outbound_tag": "proxy-de"
}
]{
"balancer": {
"tag": "auto-best",
"selectors": ["proxy-"],
"strategy": "leastPing",
"probe_url": "https://www.gstatic.com/generate_204",
"probe_interval": "10s"
},
"rule": {
"priority": 5,
"name": "balance-all",
"inbound_tags": ["vless-ws"],
"balancer_tag": "auto-best"
}
}- REALITY is the gold standard for censorship bypass — use it as default
- WebSocket + CDN for Cloudflare protection (add Cloudflare DNS)
- gRPC for lowest latency when CDN supports it
- Hysteria2 for maximum speed on unrestricted networks
- Separate ports for each protocol to avoid conflicts
- Use GeoIP/Geosite rules to route Iranian traffic directly
- Enable the balancer for multi-proxy failover (leastPing recommended)
- XTLS-Vision flow only works with TCP transport (not WS/gRPC)
| Client | VLESS+Reality | VLESS+WS | VMess+WS | Trojan | SS | Hysteria2 | TUIC |
|---|---|---|---|---|---|---|---|
| v2rayNG | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Hiddify | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Clash Meta | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| sing-box | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Shadowrocket | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Streisand | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| NekoBox | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
For more examples, see the XTLS/Xray-examples repository.