V2Ray Profile Types, Transports, TLS and REALITY Explained
An accurate reference to HTTP Tweak V2Ray profile categories, supported transport labels, security settings, provider handoff, and troubleshooting.
“V2Ray configuration” is often used as a broad label for profiles handled by V2Ray- or Xray-compatible cores. A working profile is a coordinated set of values: the outbound protocol, server identity, transport, and security layer must all match the server. Changing one label without changing the server does not convert the service.
HTTP Tweak packages, imports, configures, and uses supported profile data. It does not provision the remote V2Ray/Xray service, create provider UUIDs, open firewall ports, issue TLS certificates, or sell accounts. Obtain complete authorized values from the server operator, then preserve their relationships when building a configuration.
Supported profile categories
HTTP Tweak organizes V2Ray-compatible entries into these categories:
| Category | What it represents | Provider material to verify |
|---|---|---|
| Default/raw | A complete raw compatible configuration for cases that need the general representation | Entire JSON/profile structure and referenced outbound settings |
| VLESS | A VLESS outbound/profile | Address, port, user ID, flow when applicable, transport, and security |
| VMess | A VMess outbound/profile | Address, port, user ID, transport, and security/profile parameters |
| Shadowsocks | A Shadowsocks outbound/profile | Address, port, method, password, and relevant plugin/profile values |
| SOCKS | An upstream SOCKS proxy profile | Address, port, authentication when required, and expected proxy behavior |
| HTTP | An upstream HTTP proxy profile | Address, port, authentication when required, and proxy scheme/behavior |
| Trojan | A Trojan outbound/profile | Address, port, password, transport, and security values |
| Hysteria2 | A Hysteria2-compatible profile | Address, port, authentication, TLS-related names/options, and provider limits |
| WireGuard | A WireGuard-compatible profile represented in the supported V2Ray configuration path | Interface/peer keys, addresses, endpoint, routes, and related values |
Choose the category that matches the issued service. Default/raw is not a magic fallback for incomplete credentials; it expects a coherent complete compatible configuration. Likewise, Hysteria2 and WireGuard are distinct profile categories and should not be modeled as VMess variants.
Supported transport labels
For profiles that use an Xray transport selection, HTTP Tweak supports:
| Transport | Common label | Values that frequently must match |
|---|---|---|
| TCP | TCP | Header/type settings and any security parameters |
| mKCP | mKCP | Seed/header options and server-compatible parameters |
| WebSocket | WS | Path, Host header where used, and reverse-proxy route |
| HTTP Upgrade | HTTP Upgrade | Path/Host and upgrade handling at the proxy/server |
| XHTTP | XHTTP | Mode and XHTTP-specific host/path settings supplied by the provider |
| HTTP/2 | H2 | Host, path, TLS/security expectations, and server support |
| gRPC | gRPC | Service name, authority/host where required, and security |
The supported labels are TCP, mKCP, WS, HTTP Upgrade, XHTTP, H2, and gRPC. Not every profile category uses every transport, and not every server core/version accepts every combination. Hysteria2 and WireGuard have their own protocol behavior; do not add an unrelated WS or gRPC setting unless the provider's actual configuration calls for it.
TLS and REALITY are security settings, not transports
Transport answers “how are records carried?” Security answers “how is the connection authenticated or protected at that layer?” HTTP Tweak supports profiles using TLS and REALITY where the chosen protocol and server support them.
| Security mode | Values often involved | Common failure |
|---|---|---|
| TLS | Server name/SNI, certificate expectations, ALPN or fingerprint options when supplied | Connecting by an address while sending the wrong server name |
| REALITY | Server name, public key, short ID, fingerprint, and other provider-issued parameters | Copying a public key or short ID from a different server |
Do not disable certificate checks simply to hide a mismatch. Confirm the hostname, device clock, provider certificate/security mode, and every issued value. A REALITY profile cannot be reconstructed from only an address, port, and user ID.
How to read a provider profile
Break a profile into four layers:
- Protocol/category — Default/raw, VLESS, VMess, Shadowsocks, SOCKS, HTTP, Trojan, Hysteria2, or WireGuard.
- Endpoint and identity — address, port, UUID/password/key, and any flow or method.
- Transport — TCP, mKCP, WS, HTTP Upgrade, XHTTP, H2, or gRPC when applicable, plus its host/path/service parameters.
- Security — none where valid for that service, TLS, or REALITY, plus the matching names and keys.
If a URI imports but fails, compare the decoded values with the provider record layer by layer. Do not post the full URI to a public decoder: it often contains reusable credentials.
Provider handoff checklist
A V2Ray profile provider or reseller should deliver:
- the precise HTTP Tweak category;
- a complete URI, raw profile, or documented field set;
- address, port, and identity/secret values;
- exact transport label and its required host, path, seed, mode, or service name;
- exact TLS or REALITY values;
- activation and expiry information;
- whether the profile is private, cohort-shared, or intentionally public;
- client-version requirements and a change-notification channel;
- a tested replacement process.
The provider should also test the same exported profile customers will import. A server-side JSON file and a client outbound are not automatically interchangeable.
Import and packaging workflow
Use an issued complete profile
Prefer the current material from the operator. Remove chat formatting, but do not “clean up” characters inside passwords, UUIDs, keys, paths, or encoded URIs.
Select the matching category
Put VLESS in VLESS, Trojan in Trojan, and so on. Use Default/raw for a complete raw compatible configuration when that general representation is actually required.
Confirm transport and security together
For a WS + TLS profile, verify both the WS path/Host and TLS server name. For gRPC + REALITY, verify the service name and every REALITY value. A correct transport with the wrong security data still fails.
Protect sensitive distribution
Profile URIs, raw JSON, passwords, UUIDs, and WireGuard private keys are credentials. Use controlled configuration delivery and rotate material that reaches a public channel. If a profile is deliberately public, Public Configurations can provide an import/discovery path, but it does not provision or guarantee the endpoint.
Test on the actual client path
Import on a supported HTTP Tweak client, connect through representative networks, and test DNS and traffic. Record the released profile revision and upstream provider reference.
Troubleshooting matrix
| Symptom | Likely layer | Checks |
|---|---|---|
| URI/profile will not parse | Format/category | Complete text, correct category, supported representation, no chat-added spaces |
| Timeout | Endpoint/network | DNS, address, port, firewall, provider status, network reachability |
| Immediate authentication failure | Protocol identity | UUID, password, method, key, flow, account expiry |
| WS or HTTP Upgrade failure | Transport | Path, Host, reverse-proxy upgrade route |
| gRPC failure | Transport | Service name, authority/host, HTTP/2 availability |
| TLS handshake/name error | TLS | Server name, certificate, device time, ALPN/fingerprint values |
| REALITY rejection | REALITY | Public key, short ID, server name, fingerprint, flow compatibility |
| Connects without usable traffic | Routing/DNS/provider | Routes, DNS, peer permissions, provider limits, server health |
Change one verified variable at a time. Randomly cycling through transports can hide the original mismatch and makes support logs less useful.
Developers automating saved profiles can read the Client API documentation; services needing stateless configuration generation can review the Business API documentation. See Tutorials for client workflows and Communities for general help, always with secrets redacted.
Frequently asked questions
Is VLESS a transport?
No. VLESS is a profile/protocol category. WS, TCP, gRPC, and the other listed options are transports that may be used with compatible profiles.
Are TLS and REALITY transports?
No. They are security modes/settings layered with a compatible protocol and transport.
Can I change VMess to VLESS by selecting a different category?
No. The server must provide a valid VLESS service and identity. Relabeling VMess values does not change the upstream protocol.
Should every profile use WS or gRPC?
No. Use the transport configured on the server. Compatibility and network needs determine the choice, not popularity.
When should I use Default/raw?
Use it for a complete compatible raw configuration that requires the general representation. It does not fill in missing provider details or repair an unsupported combination.
Does HTTP Tweak create V2Ray accounts?
No. HTTP Tweak handles supported configuration data and client use. The remote service operator creates accounts, keys, endpoints, and capacity.