The Evolution of V2Ray Protocols: Balancing Performance and Security from VMess to VLESS

4/12/2026 · 4 min

The Evolution of V2Ray Protocols: Balancing Performance and Security from VMess to VLESS

VMess Protocol: The Foundation and Design Philosophy of V2Ray

VMess (Versatile Messaging) protocol was the core transport protocol originally designed for the V2Ray project, first released in 2016. It employs a Time-based One-Time Password (TOTP) authentication mechanism, where each connection is verified using a dynamically generated ID, effectively preventing replay attacks. The design philosophy of VMess reflected the early proxy protocols' extreme pursuit of security—prioritizing confidentiality and integrity even at the cost of some performance.

In terms of protocol structure, VMess consists of an authentication header, command section, and data transmission layer. The authentication header uses AES-128-CFB encryption, the command section employs AES-128-CFB or ChaCha20-Poly1305 encryption, while data transmission supports multiple stream encryption methods. This multi-layer encryption architecture, while secure, introduced significant computational overhead and protocol complexity. Another characteristic of VMess is its comprehensive metadata support, including complete encapsulation of connection type, port, address, and other information, which laid the foundation for advanced routing features but also increased the size of protocol headers.

VLESS Protocol: A Minimalist Technological Revolution

In 2020, the V2Ray community introduced the VLESS (Very Lightweight and Efficient Stream) protocol, marking a significant shift in protocol design philosophy. The core idea of VLESS is "simplicity is security"—improving performance by reducing unnecessary encryption layers and protocol features, while relying on outer transport protocols (like TLS) for security assurance.

The VLESS protocol removed the command encryption layer present in VMess, retaining only essential authentication functions. It uses UUID as user identification and supports innovative technologies like XTLS to achieve "zero-copy" transmission, significantly reducing CPU usage and latency. In design, VLESS is more modular, delegating encryption responsibilities to mature protocols like TLS while focusing on efficient traffic forwarding. This design not only improves performance but also simplifies implementation complexity and reduces potential security vulnerabilities.

Performance tests show that under identical network conditions, VLESS achieves approximately 15-30% higher throughput and 20-40% lower latency compared to VMess, with differences being more pronounced on mobile devices and low-performance servers. This performance advantage primarily comes from: 1) Reduced encryption/decryption operations; 2) Optimized packet structure; 3) Better hardware acceleration compatibility.

Evolution of Security Models: From Built-in Security to Layered Defense

VMess adopted a "built-in security" model, deeply integrating encryption and authentication within the protocol itself. This model performed excellently against Deep Packet Inspection (DPI) in early stages, but its advantages gradually diminished with the普及 and optimization of standard protocols like TLS. The complexity of VMess also introduced maintenance challenges—each cryptographic component implementation required continuous auditing and updates.

VLESS embraces a "layered defense" philosophy, separating security responsibilities: transport layer security is handled by TLS/XTLS, while the application layer only handles simple authentication and forwarding. This model offers several advantages: First, it leverages the mature TLS ecosystem, including certificate management, protocol updates, and security patches; Second, it reduces vulnerabilities that might be introduced by custom encryption implementations; Finally, it keeps the protocol core lean, facilitating auditing and maintenance.

It's important to note that VLESS doesn't lower security standards but rather changes how security responsibilities are distributed. When used with the latest TLS versions (1.3 and above), its security actually surpasses early VMess configurations while achieving better performance and compatibility.

Practical Deployment Considerations and Future Outlook

In actual deployments, protocol selection must consider specific scenarios: VMess remains a reliable choice for environments requiring maximum compatibility (such as legacy client support); while VLESS is the superior option for new deployments pursuing ultimate performance. Hybrid deployment strategies are also becoming popular—using VLESS as the primary protocol with VMess as a fallback.

The evolution of V2Ray protocols reflects several trends in modern networking: 1) Specialization and division of labor, with each layer protocol focusing on specific problems; 2) Performance becoming a key metric, especially in high-throughput scenarios; 3) Security shifting from "implementing ourselves" to "relying on proven standards." In the future, we may see more minimalist designs similar to VLESS, along with better hardware acceleration integration.

Configuration Examples and Migration Guide

Migrating from VMess to VLESS is relatively straightforward, with main changes being the protocol field in configuration files and removal of some encryption settings. Here's a basic comparison:

VMess configuration example:

{
  "protocol": "vmess",
  "settings": {
    "clients": [
      {
        "id": "uuid-generated-here",
        "alterId": 64,
        "security": "auto"
      }
    ]
  }
}

VLESS configuration example:

{
  "protocol": "vless",
  "settings": {
    "clients": [
      {
        "id": "uuid-generated-here",
        "flow": "xtls-rprx-direct"
      }
    ],
    "decryption": "none"
  }
}

During migration, note: 1) Update both client and server to versions supporting VLESS; 2) Regenerate configurations and test connectivity; 3) Consider gradual migration rather than immediate switch. Performance-sensitive applications should prioritize testing XTLS flow control modes for optimal throughput.

Related reading

Related articles

Deep Dive into V2Ray Protocols: Technical Evolution and Security Considerations from VMess to XTLS
This article provides an in-depth analysis of the technical evolution of V2Ray core protocols from VMess to XTLS, covering protocol design principles, encryption mechanisms, performance optimization, and security considerations to help readers understand the characteristics and applicable scenarios of different protocols.
Read more
Practical V2Ray Routing Strategies: A Guide to Fine-Grained Traffic Splitting by Domain and IP
This article delves into the core principles and configuration methods of V2Ray routing strategies, focusing on how to achieve fine-grained traffic splitting based on domain names and IP addresses to optimize network performance, improve access speed, and ensure critical traffic takes the optimal path.
Read more
VMess vs. VLESS: A Comparative Analysis of Performance and Security in Proxy Protocols
This article provides an in-depth comparison between VMess and VLESS proxy protocols, analyzing encryption mechanisms, handshake latency, transmission efficiency, and security to help readers choose the most suitable protocol for their needs.
Read more
Deep Dive into V2Ray Protocol Stack: Encryption and Fingerprint Countermeasures from VMess to XTLS
This article provides an in-depth analysis of the V2Ray protocol stack, from VMess to XTLS, exploring encryption mechanisms, transport protocols, and fingerprint countermeasures to enhance security and stealth in network transmission.
Read more
VMess Protocol Deep Dive: Technical Evolution from Encryption Mechanisms to Fingerprint Countermeasures
This article provides an in-depth analysis of the VMess protocol's core architecture, covering its encryption mechanisms, transport protocols, and evolutionary strategies against traffic fingerprinting. By comparing different encryption methods and obfuscation techniques, it reveals VMess's technical advantages and potential risks in network security and privacy protection.
Read more
From Shadowsocks to Trojan: Evolution and Security Assessment of Modern VPN Proxy Protocols
This article reviews the evolution of modern VPN proxy protocols from Shadowsocks to Trojan, analyzing their design philosophies, encryption mechanisms, and anti-detection capabilities, with a comprehensive security assessment to provide technical insights for network acceleration and privacy protection.
Read more

FAQ

What are the fundamental security differences between VMess and VLESS?
VMess employs a built-in multi-layer encryption security model, implementing a complete encryption and authentication system within the protocol itself. VLESS adopts a layered security model, delegating encryption responsibilities to outer protocols like TLS, while handling only authentication and forwarding internally. When paired with modern TLS, VLESS security is not inferior to VMess, while reducing risks associated with custom encryption implementations.
Which protocol should ordinary users choose: VMess or VLESS?
For new users and deployments, VLESS is recommended due to its better performance, simpler configuration, and superior compatibility with modern TLS. For users requiring legacy client support or specific compatibility scenarios, VMess remains a reliable choice. In practice, a dual-protocol coexistence approach can be considered.
What role does XTLS technology play in VLESS?
XTLS (XTrancy TLS) is a significant technological innovation in the VLESS ecosystem. It employs "zero-copy" technology to directly forward TLS-encrypted data in kernel space, avoiding multiple data copies between user space and kernel space. This dramatically reduces CPU overhead and latency, making it particularly suitable for high-throughput scenarios.
Read more