Published by Clash Official Site. When you open a proxy provider subscription, the node list often contains Shadowsocks (SS), VMess, Trojan, VLESS, and other protocols, sometimes paired with transport layers like WebSocket, gRPC, or TLS. For newcomers, these terms can feel like black magic — which one is faster? which is more stable? which works best with Clash? This article breaks down proxy protocol selection across four dimensions: design, obfuscation, performance overhead, and practical choice.
The Role of Protocols: A Tunnel Above the Transport Layer
Protocols act as an encrypted "tunnel" between you and the remote server, encapsulating raw traffic for forwarding. Clash / Mihomo handles config parsing, node selection, and rule execution, then communicates with the server via the selected protocol. Different protocols vary in handshake method, encryption strength, and traffic fingerprint — there is no single "best" protocol, only one that best fits your network environment and tolerance for traffic analysis.
Choosing a protocol isn't about picking the "best" — it's about picking the one least likely to be disrupted on your current network, while meeting your performance needs.
Shadowsocks (SS / SSR)
SS is one of the oldest and most widely deployed lightweight protocols. Its concept is simple: symmetric encryption + random port. Low deployment cost, very popular on mobile and routers in early years. SS nodes typically offer low latency and low CPU overhead, ideal for raw speed.
The downside is a relatively identifiable traffic fingerprint, making it easier to detect on DPI-heavy networks. SSR added obfuscation plugins on top of SS, but its maintenance activity is far behind newer-generation protocols. Today, many providers still offer SS as a backup or internal route, with Trojan or VMess/VLESS as the primary protocol.
VMess and VLESS
VMess comes from the V2Ray ecosystem and supports many encryption and transport combinations (TCP, mKCP, WebSocket, gRPC, etc.), offering great flexibility. Paired with TLS and CDN relay, traffic can be disguised as normal HTTPS, making it significantly harder to detect than bare SS.
VLESS is a lightweight evolution of VMess with the built-in encryption layer removed, typically paired with TLS / XTLS to further reduce overhead and improve throughput. In Clash Meta, VLESS with XTLS-Reality has become standard on many high-performance routes. Config complexity is slightly higher than SS, but providers generally bundle it ready-to-import via subscription.
Trojan: The Stable HTTPS-Disguised Choice
Trojan's design philosophy is "look like normal TLS website traffic." Unauthorized access falls back to a real web service, making it hard for traffic analyzers to distinguish. Compared to VMess, Trojan's protocol header is simpler, often yielding more consistent throughput on the same hardware.
For most users, Trojan + TLS nodes are the go-to balance of speed and stability, especially for streaming and large file downloads. Trojan-gRPC / Trojan-WebSocket further adds CDN-friendly penetration capability.
| Protocol | Speed | Detection resistance | Config difficulty | Best for |
|---|---|---|---|---|
| Shadowsocks | High | Average | Low | Low-latency backup, internal routes |
| VMess | Medium-high | High | Medium | Flexible relay, multiple transports |
| VLESS | High | High | Medium | High-performance primary routes |
| Trojan | High | High | Low | Daily use, streaming |
Transport Layer: How WebSocket, gRPC, and TCP Differ
The same protocol can be layered with different transport methods. Plain TCP direct is simplest with lowest latency, but exposes more of the IP surface. WebSocket and gRPC with TLS are suited to "hiding inside normal web traffic" — at the cost of slightly more handshake overhead. If you often see packet loss during peak hours, try CDN-based WebSocket/gRPC nodes first; for low-latency gaming, a same-datacenter TCP or direct Trojan connection is usually better.
Practical Selection Tips
- Daily browsing and video: Prioritize Trojan or VLESS+TLS nodes — balanced latency and stability.
- Restrictive network environments: Choose VMess or Trojan with WebSocket/gRPC relay, following your provider's recommended routes.
- Speed testing and node selection: Don't judge by protocol label alone — the same protocol from different datacenters varies far more than the protocol itself.
- Clash compatibility: The Mihomo core fully supports all the above protocols. After importing a subscription, no manual protocol-type changes are needed.
Summary
Shadowsocks is light and fast but weaker on detection resistance; VMess / VLESS are flexible and suit complex relay setups; Trojan excels with HTTPS camouflage and is the go-to primary choice for most users. The real determinant of experience is usually datacenter quality, line bandwidth, and congestion level — not the protocol name. Test a few different nodes (different protocols) within the same provider and settle on 2–3 reliable routes for daily use.
Not installed a client yet? Visit the official download page for Clash Verge Rev, ClashMeta, and more cross-platform clients, and follow the setup guide to import your subscription.
Related Articles