V2Ray

V2Ray Profile Types, Transports, TLS and REALITY Explained

An accurate reference to HTTP Tweak V2Ray profile categories, supported transport labels, security settings, provider handoff, and troubleshooting.

HTTP Tweak Editorial Team 7 min read

“V2Ray configuration” is often used as a broad label for profiles handled by V2Ray- or Xray-compatible cores. A working profile is a coordinated set of values: the outbound protocol, server identity, transport, and security layer must all match the server. Changing one label without changing the server does not convert the service.

HTTP Tweak packages, imports, configures, and uses supported profile data. It does not provision the remote V2Ray/Xray service, create provider UUIDs, open firewall ports, issue TLS certificates, or sell accounts. Obtain complete authorized values from the server operator, then preserve their relationships when building a configuration.

Supported profile categories

HTTP Tweak organizes V2Ray-compatible entries into these categories:

Category What it represents Provider material to verify
Default/raw A complete raw compatible configuration for cases that need the general representation Entire JSON/profile structure and referenced outbound settings
VLESS A VLESS outbound/profile Address, port, user ID, flow when applicable, transport, and security
VMess A VMess outbound/profile Address, port, user ID, transport, and security/profile parameters
Shadowsocks A Shadowsocks outbound/profile Address, port, method, password, and relevant plugin/profile values
SOCKS An upstream SOCKS proxy profile Address, port, authentication when required, and expected proxy behavior
HTTP An upstream HTTP proxy profile Address, port, authentication when required, and proxy scheme/behavior
Trojan A Trojan outbound/profile Address, port, password, transport, and security values
Hysteria2 A Hysteria2-compatible profile Address, port, authentication, TLS-related names/options, and provider limits
WireGuard A WireGuard-compatible profile represented in the supported V2Ray configuration path Interface/peer keys, addresses, endpoint, routes, and related values

Choose the category that matches the issued service. Default/raw is not a magic fallback for incomplete credentials; it expects a coherent complete compatible configuration. Likewise, Hysteria2 and WireGuard are distinct profile categories and should not be modeled as VMess variants.

Supported transport labels

For profiles that use an Xray transport selection, HTTP Tweak supports:

Transport Common label Values that frequently must match
TCP TCP Header/type settings and any security parameters
mKCP mKCP Seed/header options and server-compatible parameters
WebSocket WS Path, Host header where used, and reverse-proxy route
HTTP Upgrade HTTP Upgrade Path/Host and upgrade handling at the proxy/server
XHTTP XHTTP Mode and XHTTP-specific host/path settings supplied by the provider
HTTP/2 H2 Host, path, TLS/security expectations, and server support
gRPC gRPC Service name, authority/host where required, and security

The supported labels are TCP, mKCP, WS, HTTP Upgrade, XHTTP, H2, and gRPC. Not every profile category uses every transport, and not every server core/version accepts every combination. Hysteria2 and WireGuard have their own protocol behavior; do not add an unrelated WS or gRPC setting unless the provider's actual configuration calls for it.

TLS and REALITY are security settings, not transports

Transport answers “how are records carried?” Security answers “how is the connection authenticated or protected at that layer?” HTTP Tweak supports profiles using TLS and REALITY where the chosen protocol and server support them.

Security mode Values often involved Common failure
TLS Server name/SNI, certificate expectations, ALPN or fingerprint options when supplied Connecting by an address while sending the wrong server name
REALITY Server name, public key, short ID, fingerprint, and other provider-issued parameters Copying a public key or short ID from a different server

Do not disable certificate checks simply to hide a mismatch. Confirm the hostname, device clock, provider certificate/security mode, and every issued value. A REALITY profile cannot be reconstructed from only an address, port, and user ID.

How to read a provider profile

Break a profile into four layers:

  1. Protocol/category — Default/raw, VLESS, VMess, Shadowsocks, SOCKS, HTTP, Trojan, Hysteria2, or WireGuard.
  2. Endpoint and identity — address, port, UUID/password/key, and any flow or method.
  3. Transport — TCP, mKCP, WS, HTTP Upgrade, XHTTP, H2, or gRPC when applicable, plus its host/path/service parameters.
  4. Security — none where valid for that service, TLS, or REALITY, plus the matching names and keys.

If a URI imports but fails, compare the decoded values with the provider record layer by layer. Do not post the full URI to a public decoder: it often contains reusable credentials.

Provider handoff checklist

A V2Ray profile provider or reseller should deliver:

  • the precise HTTP Tweak category;
  • a complete URI, raw profile, or documented field set;
  • address, port, and identity/secret values;
  • exact transport label and its required host, path, seed, mode, or service name;
  • exact TLS or REALITY values;
  • activation and expiry information;
  • whether the profile is private, cohort-shared, or intentionally public;
  • client-version requirements and a change-notification channel;
  • a tested replacement process.

The provider should also test the same exported profile customers will import. A server-side JSON file and a client outbound are not automatically interchangeable.

Import and packaging workflow

Use an issued complete profile

Prefer the current material from the operator. Remove chat formatting, but do not “clean up” characters inside passwords, UUIDs, keys, paths, or encoded URIs.

Select the matching category

Put VLESS in VLESS, Trojan in Trojan, and so on. Use Default/raw for a complete raw compatible configuration when that general representation is actually required.

Confirm transport and security together

For a WS + TLS profile, verify both the WS path/Host and TLS server name. For gRPC + REALITY, verify the service name and every REALITY value. A correct transport with the wrong security data still fails.

Protect sensitive distribution

Profile URIs, raw JSON, passwords, UUIDs, and WireGuard private keys are credentials. Use controlled configuration delivery and rotate material that reaches a public channel. If a profile is deliberately public, Public Configurations can provide an import/discovery path, but it does not provision or guarantee the endpoint.

Test on the actual client path

Import on a supported HTTP Tweak client, connect through representative networks, and test DNS and traffic. Record the released profile revision and upstream provider reference.

Troubleshooting matrix

Symptom Likely layer Checks
URI/profile will not parse Format/category Complete text, correct category, supported representation, no chat-added spaces
Timeout Endpoint/network DNS, address, port, firewall, provider status, network reachability
Immediate authentication failure Protocol identity UUID, password, method, key, flow, account expiry
WS or HTTP Upgrade failure Transport Path, Host, reverse-proxy upgrade route
gRPC failure Transport Service name, authority/host, HTTP/2 availability
TLS handshake/name error TLS Server name, certificate, device time, ALPN/fingerprint values
REALITY rejection REALITY Public key, short ID, server name, fingerprint, flow compatibility
Connects without usable traffic Routing/DNS/provider Routes, DNS, peer permissions, provider limits, server health

Change one verified variable at a time. Randomly cycling through transports can hide the original mismatch and makes support logs less useful.

Developers automating saved profiles can read the Client API documentation; services needing stateless configuration generation can review the Business API documentation. See Tutorials for client workflows and Communities for general help, always with secrets redacted.

Frequently asked questions

Is VLESS a transport?

No. VLESS is a profile/protocol category. WS, TCP, gRPC, and the other listed options are transports that may be used with compatible profiles.

Are TLS and REALITY transports?

No. They are security modes/settings layered with a compatible protocol and transport.

Can I change VMess to VLESS by selecting a different category?

No. The server must provide a valid VLESS service and identity. Relabeling VMess values does not change the upstream protocol.

Should every profile use WS or gRPC?

No. Use the transport configured on the server. Compatibility and network needs determine the choice, not popularity.

When should I use Default/raw?

Use it for a complete compatible raw configuration that requires the general representation. It does not fill in missing provider details or repair an unsupported combination.

Does HTTP Tweak create V2Ray accounts?

No. HTTP Tweak handles supported configuration data and client use. The remote service operator creates accounts, keys, endpoints, and capacity.

Keep exploring

Browse every published category, tutorial, product article, and future update from one general content hub.

Back to blog