From VMess to VLESS: Security Trade-offs and Performance Optimizations in the Evolution of V2Ray Protocols

6/3/2026 · 2 min

Introduction

V2Ray, as a powerful network proxy tool, has undergone multiple iterations in its protocol design. From the initial VMess to the later VLESS, each evolution reflects a rethinking of the balance between security and performance. This article delves into the core differences between these two protocols, helping readers understand their design philosophies and practical implications.

VMess: Security-First Classic Design

VMess is the first encrypted transport protocol supported by V2Ray, designed to provide strong security protection over untrusted networks.

Encryption Mechanism

VMess uses symmetric encryption algorithms such as AES-128-GCM or ChaCha20-Poly1305 to encrypt transmission content, along with HMAC for integrity verification. This design ensures data confidentiality and integrity, preventing man-in-the-middle attacks and tampering.

Handshake Process

The VMess handshake involves the client sending an encrypted request header, which the server decrypts and verifies for identity. This process introduces additional computational overhead and network round trips, increasing connection establishment time.

VLESS: Lightweight Alternative for Performance Optimization

VLESS is a new protocol introduced by V2Ray in 2020, aiming to address the performance bottlenecks of VMess.

Removal of Encryption Layer

VLESS does not provide transport-layer encryption by default, relying instead on external encryption schemes (e.g., TLS) to protect data. This design significantly reduces CPU computational overhead, making it particularly suitable for high-concurrency scenarios.

Simplified Handshake

VLESS features an extremely streamlined handshake: the client sends a plaintext request header, and the server only needs to verify the UUID for authentication. This results in a notable reduction in connection establishment time, with latency decreased by approximately 30%-50%.
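What that plaintext request header contains, as an added example that is not code from the original article or from the V2Ray project: a decoder following the field layout in the protocol's public documentation (version, UUID, length-prefixed addons, command, port, address). The sample bytes and UUID are constructed. Without an outer TLS layer, both the UUID used for authentication and the destination are readable in this form.

```python
import ipaddress
import struct
import uuid

COMMANDS = {1: "tcp", 2: "udp", 3: "mux"}

def parse_vless_request(buf: bytes) -> dict:
    """Decode the cleartext VLESS request header at the start of a stream."""
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(buf):
            raise ValueError("truncated VLESS header")
        chunk = buf[pos:pos + n]
        pos += n
        return chunk

    out = {"version": take(1)[0], "uuid": str(uuid.UUID(bytes=take(16)))}
    take(take(1)[0])                      # length-prefixed addons, skipped
    cmd = take(1)[0]
    out["command"] = COMMANDS.get(cmd, f"unknown({cmd})")
    if cmd in (1, 2):                     # only tcp/udp carry a destination
        out["port"], atyp = struct.unpack("!HB", take(3))
        if atyp == 1:
            out["address"] = str(ipaddress.IPv4Address(take(4)))
        elif atyp == 2:                   # domain: 1-byte length, then name
            out["address"] = take(take(1)[0]).decode("ascii", "replace")
        elif atyp == 3:
            out["address"] = str(ipaddress.IPv6Address(take(16)))
        else:
            raise ValueError(f"unknown address type {atyp}")
    out["payload_offset"] = pos           # proxied data starts here
    return out

# Constructed sample: version 0, made-up UUID, no addons, TCP to example.com:443.
SAMPLE_UUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE = (b"\x00" + SAMPLE_UUID.bytes + b"\x00" + b"\x01"
          + struct.pack("!H", 443) + b"\x02" + bytes([11]) + b"example.com"
          + b"GET / HTTP/1.1\r\n")

if __name__ == "__main__":
    print(parse_vless_request(SAMPLE))
```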

Security Trade-off Analysis

Risks and Mitigations

VLESS's plaintext header may expose user behavior patterns, such as the target domain being accessed. To mitigate this risk, it is strongly recommended to always use VLESS in conjunction with TLS, leveraging TLS encryption and certificate verification to protect metadata.
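One way to check a deployment against this recommendation, as an added example that is not part of the original article or the V2Ray project: an audit of a V2Ray-style JSON configuration that flags VLESS inbounds and outbounds whose `streamSettings.security` is not `tls`, or whose `tlsSettings.allowInsecure` turns certificate verification off. The sample configuration, tags and ports are constructed; treating a loopback listener as "review" assumes a TLS-terminating reverse proxy or CDN may sit in front of it.

```python
import json

ACCEPTED_SECURITY = {"tls"}  # assumption: add other modes your build supports
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit_vless(config: dict) -> list:
    """Return (severity, name, reason) for each VLESS entry lacking verified TLS."""
    findings = []
    for direction in ("inbounds", "outbounds"):
        for i, entry in enumerate(config.get(direction, [])):
            if entry.get("protocol") != "vless":
                continue
            name = entry.get("tag") or f"{direction}[{i}]"
            stream = entry.get("streamSettings") or {}
            security = stream.get("security", "none")
            if security not in ACCEPTED_SECURITY:
                # Loopback inbounds may sit behind a TLS-terminating reverse
                # proxy or CDN; that must be confirmed outside this file.
                local = direction == "inbounds" and entry.get("listen") in LOOPBACK
                findings.append(("review" if local else "high", name,
                                 f"security={security!r}: header and payload unencrypted"))
            elif (stream.get("tlsSettings") or {}).get("allowInsecure"):
                findings.append(("high", name,
                                 "allowInsecure=true: certificate not verified"))
    return findings

# Constructed sample configuration (tags, ports and hosts are made up).
SAMPLE = json.loads("""
{
  "inbounds": [
    {"tag": "edge-plain", "protocol": "vless", "port": 8443, "listen": "0.0.0.0"},
    {"tag": "behind-proxy", "protocol": "vless", "port": 10000, "listen": "127.0.0.1",
     "streamSettings": {"network": "ws", "security": "none"}},
    {"tag": "edge-tls", "protocol": "vless", "port": 443,
     "streamSettings": {"security": "tls"}},
    {"tag": "legacy", "protocol": "vmess", "port": 10086}
  ],
  "outbounds": [
    {"tag": "upstream", "protocol": "vless",
     "streamSettings": {"security": "tls", "tlsSettings": {"allowInsecure": true}}}
  ]
}
""")

if __name__ == "__main__":
    for finding in audit_vless(SAMPLE):
        print(*finding, sep="  ")
```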

Use Cases

  • VMess: Suitable for scenarios requiring high security and where performance loss is acceptable, such as transmitting sensitive data.
  • VLESS: Ideal for environments pursuing maximum performance and where TLS is already deployed, such as CDN acceleration and video streaming.

Performance Comparison

In actual testing, VLESS outperforms VMess in terms of CPU usage, memory consumption, and throughput. Under 1 Gbps bandwidth, VLESS can achieve throughput more than 1.5 times that of VMess, while CPU usage is reduced by about 40%.

Conclusion

The evolution from VMess to VLESS reflects a shift in protocol design from "security first" to "balance between security and performance." By removing redundant encryption and simplifying the handshake, VLESS achieves significant performance improvements but requires users to assume transport-layer security responsibilities themselves. Choosing the right protocol requires a comprehensive consideration of the actual network environment and security needs.

FAQ

Is VLESS more secure than VMess?
Not necessarily. VLESS does not provide transport-layer encryption by default, so its security is lower than VMess when used without TLS. However, when properly configured with TLS, VLESS can achieve comparable or even better security, as TLS is a widely audited standard protocol.
Why does VLESS outperform VMess?
VLESS removes the built-in encryption layer and simplifies the handshake process, reducing CPU computational overhead and network round trips. This results in faster connection establishment and higher throughput, especially in high-concurrency scenarios.
When should I choose VLESS?
VLESS is recommended in environments where TLS is already deployed, such as when used with a CDN or reverse proxy. For scenarios demanding maximum performance (e.g., video streaming, large file transfers), VLESS is the better choice. If transport-layer security cannot be guaranteed or if security requirements are extremely high, VMess should be selected.