Why Protocol Choice Matters for Clash Users
When you import a Clash subscription, the client downloads a YAML profile packed with node names, regions, and policy groups. What the GUI rarely explains is the wire protocol each node uses: Shadowsocks, Trojan, or VLESS. That label is not cosmetic—it shapes encryption, how traffic looks on the wire, UDP support, and whether a censor can fingerprint your connection without decrypting it.
Mihomo (the kernel inside Clash Verge Rev, Mihomo Party, and current Clash for Android builds) speaks all three. You do not manually "enable" a protocol in the app; the subscription author already chose it per server. Understanding the differences helps you filter slow or blocked nodes, explain why one Tokyo server works while another times out, and decide whether to pay for a provider that still ships legacy Shadowsocks-only plans or one that defaults to VLESS with modern transports.
There is no universal winner. Shadowsocks remains the lightest and cheapest to host. Trojan pioneered "look like HTTPS" tunneling. VLESS strips overhead and pairs with Project X transports such as REALITY for state-of-the-art masquerading. Your best pick depends on network conditions, device CPU, and whether your threat model is casual geo-unblocking or sustained filtering on hostile networks.
Shadowsocks: The Lightweight Legacy Standard
Shadowsocks was designed as a simple encrypted proxy: client and server share a password and cipher, traffic is wrapped, and there is no elaborate handshake mimicking another protocol. That minimalism made SS ubiquitous on low-end VPS boxes and OpenWrt routers years before full-featured cores like Mihomo existed.
Modern deployments must use AEAD ciphers—for example chacha20-ietf-poly1305 or aes-128-gcm. Older stream ciphers (rc4-md5, aes-256-cfb) are broken or deprecated and should be avoided. When configured correctly, Shadowsocks adds modest CPU overhead and often delivers the lowest latency on clean routes because the protocol itself is thin.
Strengths
- Extremely low resource usage—ideal for routers and budget VPS plans.
- Mature ecosystem; almost every provider still offers at least a few SS nodes.
- Simple configuration in Clash YAML—no TLS certificates required on the server side for basic setups.
- Full TCP and UDP relay when the server and client both support it (check your provider docs).
Weaknesses
- Traffic patterns differ from normal HTTPS; active probing and statistical analysis can flag plain SS on restrictive networks.
- No built-in domain fronting or TLS camouflage unless you add plugins (simple-obfs, v2ray-plugin) that are themselves increasingly fingerprinted.
- Cipher and plugin mismatches are a common support headache—one wrong field and the node shows timeout in Clash.
# Example Shadowsocks node in a Clash/Mihomo profile
proxies:
  - name: "Tokyo-SS"
    type: ss
    server: example.com
    port: 8388
    cipher: chacha20-ietf-poly1305
    password: "your-shared-secret"
    udp: true
Trojan: TLS Masquerading and Real-World Stealth
Trojan takes the opposite design philosophy: the tunnel rides inside a real TLS session that resembles ordinary HTTPS. A Trojan server listens on 443 with a valid certificate (often behind Nginx or Caddy). Unauthenticated clients see a normal website; clients with the correct password and protocol header get proxied. To middleboxes that only inspect TLS metadata, the flow looks like garden-variety web traffic.
Trojan was a meaningful step up from plain Shadowsocks on networks that block non-standard ports and obvious proxy signatures. It remains popular because operators already know how to deploy TLS certificates, and Clash has supported type: trojan for years with few surprises.
Strengths
- Strong default camouflage when TLS 1.3, sane cipher suites, and a believable fallback site are configured.
- Works well on port 443—rarely blocked compared to random high ports.
- Predictable behavior in Mihomo; good UDP support via Trojan-Go variants when providers enable it.
- Easier for auditors to reason about than stacks of plugins on Shadowsocks.
Weaknesses
- TLS handshakes add CPU and a few milliseconds of latency—negligible on desktop, noticeable on very old routers.
- Certificate-based fingerprinting: censors can probe suspected IPs and classify Trojan if the fallback page or ALPN list looks wrong.
- SNI and domain blocking still apply—you are not invisible, you are merely dressed as HTTPS.
- Requires proper cert management; expired or self-signed setups erode both stealth and trust.
# Example Trojan node in Mihomo
proxies:
  - name: "US-Trojan"
    type: trojan
    server: node.example.com
    port: 443
    password: "trojan-password"
    sni: node.example.com
    skip-cert-verify: false
    udp: true
Do not set skip-cert-verify: true on public Wi-Fi just to silence errors. Fix the certificate or SNI instead. Clash will connect, but you lose authentication of the server and open yourself to interception on hostile networks.
VLESS: Modern Minimalism and Transport Flexibility
VLESS is part of the Project X / Xray lineage. It removes redundant encryption inside the protocol—the transport layer (TLS, REALITY, WebSocket, gRPC, XHTTP) handles protection instead. A UUID identifies the user. That separation lets operators swap transports without changing the core protocol, and enables features such as XTLS Vision flow control that cuts double-encryption overhead on TLS bridges.
In 2025, many premium subscriptions default new nodes to VLESS + REALITY or VLESS over WebSocket because REALITY borrows real certificates from third-party sites, making active probing far harder than static Trojan fallbacks. Mihomo added and refined VLESS support across several releases, so current Clash Verge Rev builds handle most provider templates without custom patches.
Strengths
- Most flexible transport menu—TLS, REALITY, WS, gRPC, HTTPUpgrade—within one protocol family.
- Lower per-packet overhead than VMess; designed for high concurrency and multiplexing.
- REALITY and XTLS options target networks where plain Trojan TLS is actively probed.
- Future-facing: new transports land in Xray first, then filter into Mihomo.
Weaknesses
- Configuration surface is larger—flow, fingerprint, public key, short ID fields confuse beginners.
- Older Clash cores and some router forks may lack VLESS or specific flow modes; update your client.
- Misconfigured REALITY (wrong serverNames or stale destination site) causes instant failure with opaque logs.
- Not every budget provider runs Xray; SS and Trojan remain more common on legacy plans.
# Example VLESS + REALITY node (fields vary by provider)
proxies:
  - name: "SG-VLESS-REALITY"
    type: vless
    server: 203.0.113.10
    port: 443
    uuid: "00000000-0000-0000-0000-000000000001"
    network: tcp
    tls: true
    udp: true
    flow: xtls-rprx-vision
    servername: www.cloudflare.com
    reality-opts:
      public-key: "BASE64KEY"
      short-id: "abcd1234"
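The three sections above each name a setting that quietly weakens a node: a non-AEAD Shadowsocks cipher, skip-cert-verify: true, and incomplete REALITY fields. The following is an added example, not code from Mihomo or any client, that lints proxy entries as they would look after parsing a profile's YAML. The function names, the suffix heuristic for AEAD cipher names, and the flawed sample nodes are assumptions constructed for illustration.

```python
# Added example: lint already-parsed Clash/Mihomo proxy entries (plain dicts).
# Heuristic (assumption): AEAD Shadowsocks cipher names end in one of these.
AEAD_SUFFIXES = ("-gcm", "-poly1305")

def audit_proxy(proxy):
    """Return a list of findings for one proxy entry."""
    findings = []
    kind = proxy.get("type")
    if kind == "ss":
        cipher = str(proxy.get("cipher", ""))
        if not cipher.endswith(AEAD_SUFFIXES):
            findings.append(f"non-AEAD cipher {cipher!r}")
    if kind in ("trojan", "vless") and proxy.get("skip-cert-verify") is True:
        findings.append("skip-cert-verify is true; server is not authenticated")
    if kind == "vless" and "reality-opts" in proxy:
        opts = proxy["reality-opts"] or {}
        if not opts.get("public-key"):
            findings.append("reality-opts.public-key missing")
        if not proxy.get("servername"):
            findings.append("servername missing for REALITY")
    return findings

def audit_profile(proxies):
    """Map node name -> findings, listing only nodes that have any."""
    report = {}
    for proxy in proxies:
        findings = audit_proxy(proxy)
        if findings:
            report[proxy.get("name", "<unnamed>")] = findings
    return report

# Constructed sample: the first three mirror the page's examples,
# the last three are deliberately flawed.
SAMPLE_PROXIES = [
    {"name": "Tokyo-SS", "type": "ss", "cipher": "chacha20-ietf-poly1305"},
    {"name": "US-Trojan", "type": "trojan", "skip-cert-verify": False},
    {"name": "SG-VLESS-REALITY", "type": "vless",
     "servername": "www.cloudflare.com",
     "reality-opts": {"public-key": "BASE64KEY", "short-id": "abcd1234"}},
    {"name": "Old-SS", "type": "ss", "cipher": "aes-256-cfb"},
    {"name": "Cafe-Trojan", "type": "trojan", "skip-cert-verify": True},
    {"name": "Broken-REALITY", "type": "vless",
     "reality-opts": {"short-id": "abcd1234"}},
]

if __name__ == "__main__":
    for name, findings in audit_profile(SAMPLE_PROXIES).items():
        print(name, findings)
```
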
Head-to-Head Comparison
Use the table below as a quick reference. "Stealth" summarizes resistance to passive fingerprinting on a hostile network when the server is competently configured—not a guarantee of unblockability.
| Dimension | Shadowsocks | Trojan | VLESS |
|---|---|---|---|
| Wire appearance | Custom encrypted stream | Standard TLS / HTTPS-like | Depends on transport (TLS, REALITY, WS…) |
| Typical port | High random ports | 443 (recommended) | 443 or 80 with WS/XHTTP |
| Encryption model | Built-in AEAD cipher | TLS + inner payload | Transport-layer TLS / REALITY; optional Vision flow |
| UDP / gaming | Good when enabled | Good on Trojan-Go setups | Good; verify provider UDP relay |
| Server cost | Lowest CPU/RAM | Moderate (TLS) | Moderate to high (Xray stack) |
| Stealth (well configured) | Moderate — plain SS is fingerprintable | High — classic TLS mimicry | Very high with REALITY / modern TLS fingerprints |
| Clash / Mihomo support | Universal | Universal | Universal on current Mihomo; check version |
| Beginner friendliness | High — few fields | Medium — TLS/SNI concepts | Lower — more knobs |
Performance notes that actually matter in Clash
Protocol choice is rarely the bottleneck compared to distance to the server, congested peering, and CPU on your device. On a 2020-era laptop, all three protocols saturate a 500 Mbps line when the route is clean. On a MIPS router, heavy VLESS + TLS stacks may CPU-cap before Shadowsocks does. For gaming, pick the lowest-latency node in the right region first; only then worry about whether it is SS, Trojan, or VLESS. Our game acceleration guide covers TUN and url-test tuning once you have a stable node type.
Which Protocol Should You Choose in 2025?
Treat the decision as a hierarchy: network environment first, device capability second, provider quality always.
Pick Shadowsocks when…
- You are on a relatively open network and want maximum speed per watt on routers or old hardware.
- Your provider only exposes SS on a specialty "IEPL" or "IPLC" line—internal routing matters more than protocol name.
- You need the simplest possible YAML for lab testing or a homelab outbound hop.
Pick Trojan when…
- You need reliable TLS camouflage without learning REALITY key rotation.
- Corporate or campus networks allow HTTPS to arbitrary domains but block odd ports and raw SS patterns.
- Your operator already maintains polished Trojan fallbacks and valid certificates—you get stealth without Xray complexity.
Pick VLESS when…
- You are on networks that actively probe suspected proxy TLS (REALITY and Vision are the current countermeasures).
- You want one protocol entry that can switch between WS, gRPC, and TCP transports as blocking evolves.
- You run a current Mihomo client and your subscription documents VLESS parameters completely.
Build a select policy group with three child groups—SS-Auto, Trojan-Auto, VLESS-Auto—each running url-test over same-region nodes. Switch groups when one protocol class starts timing out without rewiring your entire rule set.
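One way to generate that group layout from a node list, as an added example that is not part of any Clash client. It assumes node names start with a region prefix such as "Tokyo-"; the parent group name "Protocol", the probe URL, and the interval and tolerance values are also assumptions. Protocol classes with no node in the region are skipped so the result carries no empty group.

```python
# Added example: build the select + url-test layout described above.
PROBE_URL = "https://www.gstatic.com/generate_204"  # assumption: any stable probe endpoint
GROUP_LABELS = {"ss": "SS-Auto", "trojan": "Trojan-Auto", "vless": "VLESS-Auto"}

def build_protocol_groups(proxies, region):
    """Return proxy-groups entries (dicts) for one region.

    proxies: list of dicts with at least "name" and "type".
    region:  name prefix shared by same-region nodes (assumed naming scheme).
    """
    by_type = {kind: [] for kind in GROUP_LABELS}
    for proxy in proxies:
        kind = proxy.get("type")
        name = proxy.get("name", "")
        if kind in by_type and name.startswith(region + "-"):
            by_type[kind].append(name)

    children = []
    for kind, names in by_type.items():
        if not names:
            continue  # no node of this protocol in the region: emit no group
        children.append({
            "name": GROUP_LABELS[kind],
            "type": "url-test",
            "proxies": names,
            "url": PROBE_URL,
            "interval": 300,   # seconds between probes (assumed value)
            "tolerance": 50,   # ms difference before switching (assumed value)
        })
    if not children:
        return []  # nothing in this region, so no parent selector either

    parent = {"name": "Protocol", "type": "select",
              "proxies": [group["name"] for group in children]}
    return [parent] + children

# Constructed sample node list; only "name" and "type" matter here.
SAMPLE_NODES = [
    {"name": "Tokyo-SS", "type": "ss"},
    {"name": "Tokyo-Trojan-1", "type": "trojan"},
    {"name": "Tokyo-Trojan-2", "type": "trojan"},
    {"name": "US-Trojan", "type": "trojan"},
    {"name": "SG-VLESS-REALITY", "type": "vless"},
]

if __name__ == "__main__":
    for group in build_protocol_groups(SAMPLE_NODES, "Tokyo"):
        print(group)
```
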
If you are new to Clash entirely, protocol comparison comes after installation. Start with our complete Clash setup guide to import a subscription, then return here to understand why your provider labels nodes the way it does. For desktop client choice, see the Clash Verge Rev tutorial.
Frequently Asked Questions
Is VLESS better than Trojan for censorship resistance?
Both can excel when the transport is modern. Trojan's advantage is simplicity: real TLS, real cert, believable website. VLESS + REALITY goes further by imitating TLS to legitimate third-party sites without hosting identical certificates yourself. Neither helps if the server IP is listed or the domain is blocked—stealth is not invisibility.
Does Clash support all three protocols?
Current Mihomo-based clients do. Legacy Clash Premium forks may miss VLESS or newer Shadowsocks ciphers. Check Settings → Core version in Clash Verge Rev and update if VLESS nodes fail to parse. Clash for Android with the Meta kernel likewise supports all three when the subscription YAML is valid.
Is Shadowsocks still worth using in 2025?
Absolutely, on performance-sensitive paths and private backhaul lines. It is less ideal as your only protocol on hostile networks. Treat SS as the fast workhorse in a diversified subscription, not the sole stealth layer.
Can I mix protocols in one Clash profile?
Yes—that is normal. Subscriptions routinely ship SS, Trojan, and VLESS nodes together. Rules and policy groups decide which traffic hits which node; the protocols coexist in the same YAML file without conflict.
Why do two "Trojan" nodes behave differently in latency tests?
The protocol name matches, but server load, routing, UDP support, and TLS settings differ. url-test measures reachability to the proxy, not protocol quality. Always test the specific node, not the label.
Single-protocol VPN apps force one tunnel type for everything and hide the YAML—you cannot route domestic traffic direct or swap transports when blocking shifts. Browser extensions only cover HTTP and never see game or terminal traffic. Plain Shadowsocks clients lack rule-based split routing entirely. Clash with Mihomo gives you all three protocols in one profile, transparent rules, and the freedom to move from a fast SS node at home to a VLESS REALITY node on the road without changing applications. That flexibility—not any one protocol badge—is what makes the stack age well in 2025.