If you live in or travel to a region with strict internet censorship, you already know the harsh truth: standard VPN protocols don't work anymore. Deep Packet Inspection (DPI) easily detects and blocks OpenVPN, and even WireGuard is increasingly being throttled or banned.
Recently, I published a comprehensive guide on how to quickly set up your own AmneziaWG2 server on a VPS. Amnezia WireGuard is fantastic and incredibly fast, but if you are facing severe, aggressive network restrictions, you need something stealthier.
You need Xray (VLESS Reality).
In this quick guide, I’ll show you how to deploy it on an existing self-hosted server in literally two clicks, explain the core settings, and show you a real-world speed test on a basic $5 VPS.
If you prefer a quick visual walkthrough, check out my 60-second YouTube Shorts guide here:
Why Xray and VLESS Reality?
Xray is a core routing network that supports multiple protocols. What we are actually deploying through the Amnezia app is VLESS Reality.
Unlike traditional VPNs that look like VPNs to your ISP, VLESS Reality completely masks your traffic. It makes your VPN connection look exactly like a standard, secure HTTPS visit to a completely innocent website (like Google or Microsoft). To a firewall or DPI system, you are just a regular user browsing the web.
The 2-Click Setup
Note: This assumes you already have a VPS and the Amnezia client installed. If not, refer to my Full Setup Guide first.
If your server is already linked to the app, adding Xray takes seconds:
1. Add the Protocol
Go to your server settings, tap on Protocols, and select Xray.
2. Choose the Right Port
The app will ask you for a port. Because VLESS Reality masks your traffic as secure web traffic (TLS/HTTPS), you must use port 443. Using any other port will look suspicious to DPI systems and defeat the purpose of the masking.
Hit Install and wait a couple of minutes.
3. Configure SNI (Disguised As)
Once installed, open the Xray settings. You will see a field called "Disguised as traffic from". This is your SNI (Server Name Indication) domain.
By default, the app uses www.googletagmanager.com. For most users, this works perfectly out of the box because it's a highly trusted, globally accessible domain. However, if you are in a country where Google services are blocked, you can easily change this to a regional alternative (like a local news site, university portal, or Microsoft domain) right here.
The Reality Check: Performance vs. Stealth
So, how does it perform? Let's look at the numbers.
My test setup:
- VPS: DigitalOcean droplet with just 1 vCPU and 1GB RAM (the absolute cheapest tier).
- Base Connection: My raw home Wi-Fi speed is around 80–90 Mbps.
Here are the results:
- Amnezia WireGuard: Delivers around 70 Mbps. It barely touches the speed limit because WireGuard is incredibly lightweight.
- Xray (VLESS Reality): Drops to around 25 Mbps.
Why the drop?
VLESS Reality is doing a massive amount of cryptographic work. It is taking your traffic, encrypting it, and wrapping it inside a fake TLS handshake to fool DPI systems. Doing this in real-time on a single-core, 1GB RAM server is a heavy burden. You are paying for ultimate stealth with CPU cycles and bandwidth.
Is 25 Mbps enough?
Absolutely. For a personal self-hosted VPN running on the cheapest hardware available, 25 Mbps is more than enough to comfortably stream 1080p/4K video, browse heavily, and use social media without noticing a difference.
If you want both extreme stealth and gigabit speeds, you will simply need to upgrade your VPS to a multi-core plan to handle the encryption overhead.
Conclusion
If your WireGuard is getting blocked, don't give up on your self-hosted setup. Adding Xray (VLESS Reality) takes two clicks, utilizes port 443, and relies on SNI masking to slice through the strictest firewalls on the planet.
Have you tried VLESS Reality yet? What SNI domains work best in your region? Let me know in the comments below!
Don't forget to check out the Full AmneziaWG2 Setup Guide to get started from scratch.
Top comments (0)