Transport Configuration
Transport configuration controls how the current Xray instance communicates with its peer. That peer may be another Xray node, or it may simply be any ordinary public network target.
It covers the part below the proxy protocol itself, including transport methods, transport security, and additional low-level behavior.
These three categories belong to different layers and can usually be combined:
- Transport methods specify how the data stream is carried, such as RAW, WebSocket, gRPC, Hysteria, and others.
- Transport security specifies the protection mechanism used during transport, such as TLS or REALITY.
- Additional configuration supplements low-level network behavior and final traffic obfuscation.
Some transport settings directly affect how a connection is established with the remote side. For settings that require negotiation, both sides usually need compatible configurations. For example, if one side uses WebSocket, the other side must also use WebSocket, otherwise the connection cannot be established.
For direct outbounds such as Freedom, the peer is usually any ordinary public network target, such as Amazon's website or WeChat's servers. In that case, transport configuration does not need to negotiate with the other side, and generally cannot do so either. Instead, it is used to control how the local connection is sent. In that scenario, only sockopt is available.
StreamSettingsObject
StreamSettingsObject corresponds to the streamSettings item in InboundObject or OutboundObject. Each inbound or outbound can be configured with its own transport settings.
{
// outbound example; also applies to inbound
"outbounds": [
{
// ...
"streamSettings": {
// Transport methods
"method": "raw",
"rawSettings": {},
"xhttpSettings": {},
"kcpSettings": {},
"grpcSettings": {},
"wsSettings": {},
"httpupgradeSettings": {},
"hysteriaSettings": {},
// Transport security
"security": "none",
"realitySettings": {},
"tlsSettings": {},
// Additional configuration
"finalmask": {},
"sockopt": {}
}
}
]
}2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
Transport Methods
method: "raw" | "xhttp" | "mkcp" | "grpc" | "websocket" | "httpupgrade" | "hysteria"
Transport method used by the data stream. The default value is raw.
rawSettings: RawObject
RAW configuration for the data stream. Only valid when method is raw.
xhttpSettings: XHTTPObject
XHTTP configuration for the data stream. Only valid when method is xhttp.
kcpSettings: KcpObject
mKCP configuration for the data stream. Only valid when method is mkcp.
grpcSettings: GRPCObject
gRPC configuration for the data stream. Only valid when method is grpc.
wsSettings: WebSocketObject
WebSocket configuration for the data stream. Only valid when method is websocket.
httpupgradeSettings: HTTPUpgradeObject
HTTPUpgrade configuration for the data stream. Only valid when method is httpupgrade.
hysteriaSettings: HysteriaObject
Hysteria configuration for the data stream. Only valid when method is hysteria.
Transport Security
security: "none" | "reality" | "tls"
Whether to enable transport security. Supported options are:
"none"means disabled (default)."reality"means using REALITY."tls"means using TLS.
realitySettings: RealityObject
REALITY configuration. REALITY is a modified form of TLS that uses the appearance and handshake characteristics of a target site as camouflage.
Only valid when security is reality. It can only be used together with the RAW, XHTTP, and gRPC transport methods.
TIP
REALITY is currently one of the most secure transport-security schemes, and from the outside its traffic looks consistent with ordinary web traffic. Enabling REALITY together with a suitable XTLS Vision flow-control mode can also deliver performance gains of several times or even more than ten times.
tlsSettings: TLSObject
TLS configuration. TLS is provided by Go. In normal cases the negotiation result is TLS 1.3. DTLS is not supported.
Only valid when security is tls. It supports use with the RAW, XHTTP, mKCP, gRPC, WebSocket, HTTPUpgrade, and Hysteria transport methods.
Additional Configuration
finalmask: FinalMaskObject
FinalMask configuration, used for the final stage of traffic obfuscation.
sockopt: SockoptObject
Configuration related to low-level network behavior.
Transport Compatibility Quick Reference
Both inbounds and outbounds can configure transport methods and transport security through streamSettings. In actual configurations, the proxy protocol, transport method, and transport security must be compatible with one another.
Inbound/Outbound Protocols and Transport Methods
This table corresponds to protocol + streamSettings.method.
raw | xhttp | grpc | websocket | httpupgrade | mkcp | hysteria | |
|---|---|---|---|---|---|---|---|
http | Supported | Supported | Supported | Supported | Supported | Supported | Supported |
socks [1] | Limited | Limited | Limited | Limited | Limited | Limited | Limited |
shadowsocks [1] | Limited | Limited | Limited | Limited | Limited | Limited | Limited |
vmess | Supported | Supported | Supported | Supported | Supported | Supported | Supported |
vless | Supported | Supported | Supported | Supported | Supported | Supported | Supported |
trojan | Supported | Supported | Supported | Supported | Supported | Supported | Supported |
hysteria | N/A | N/A | N/A | N/A | N/A | N/A | Supported |
wireguard | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
[1] When XUDP is not enabled for Socks or Shadowsocks, UDP traffic uses the protocol's native UDP path and bypasses the configured transport method; TCP traffic is not subject to this limitation. See XUDP.
Transport Methods and Transport Security
This table corresponds to streamSettings.method + streamSettings.security.
none | tls | reality | |
|---|---|---|---|
raw | Supported | Supported | Supported |
xhttp | Supported | Supported | Supported |
grpc | Supported | Supported | Supported |
websocket | Supported | Supported | Not supported |
httpupgrade | Supported | Supported | Not supported |
mkcp | Supported | Supported | Not supported |
hysteria | Not supported | Required | Not supported |
Inbound/Outbound Protocols and Transport Security
This table corresponds to protocol + streamSettings.security.
none | tls | reality | Protocol-layer security | |
|---|---|---|---|---|
http | Supported | Supported | Supported | None |
socks | Supported | Limited [1] | Limited [1] | None |
shadowsocks | Supported | Limited [1] | Limited [1] | Payload encryption and integrity [2] |
vmess | Supported | Supported | Supported | Handshake authentication and payload encryption [2] |
vless | Limited [3] | Supported | Supported | Optional Encryption [4] |
trojan | Limited [3] | Supported | Supported | Authentication only |
hysteria | Not supported | Required | Not supported | None (relies on TLS) |
wireguard | N/A | N/A | N/A | Encrypted tunnel [2] |
[1] When XUDP is not enabled for Socks or Shadowsocks, UDP traffic uses the protocol's native UDP path and bypasses the configured TLS or REALITY; TCP traffic is not subject to this limitation. See XUDP.
[2] Shadowsocks and VMess protect the payload, but lack TLS 1.3-style forward secrecy, and their traffic patterns can still be classified. WireGuard uses sufficiently strong cryptography, but its fixed UDP signature is easy to identify and block. None of the three provides the ordinary HTTPS appearance offered by TLS/REALITY, so they are unsuitable for direct censorship circumvention.
[3] When streamSettings.security is none, VLESS (without Encryption enabled) and Trojan can connect only to private network addresses.
[4] VLESS Encryption is optional and disabled by default (encryption: "none"). When enabled, it allows connections to public network addresses even if streamSettings.security is none. It protects the VLESS payload but does not provide the ordinary HTTPS appearance of TLS/REALITY, so it is unsuitable for direct censorship circumvention.