3x-ui

Transports & Security

The transports and security layers 3x-ui exposes — TLS, REALITY, XTLS-Vision, and VLESS encryption — and which combinations are valid.

A transport decides how packets are carried between client and server, and a security layer decides how they're encrypted and disguised. The panel only offers valid combinations; this page lists the rules it enforces.

Transports

| Transport | When to use it |
| --- | --- |
| TCP (Raw) | Lowest overhead. The basis for REALITY + XTLS-Vision and fallbacks. |
| WebSocket | Works through CDNs and HTTP reverse proxies; very compatible. |
| gRPC | HTTP/2-based; multiplexes well and proxies cleanly through Nginx. |
| HTTPUpgrade | CDN-friendly HTTP/1.1 upgrade, lighter than full WebSocket. |
| XHTTP | Extended HTTP transport for HTTP-based proxying. |
| HTTP | HTTP/2 transport. |

Security

The security layer is one of none, tls, or reality, with these eligibility rules:

| Security | Eligible transports | Eligible protocols |
| --- | --- | --- |
| TLS | tcp, ws, http, grpc, httpupgrade, xhttp | VLESS, VMess, Trojan, Shadowsocks (and Hysteria2) |
| REALITY | tcp, http, grpc, xhttp | VLESS, Trojan |

REALITY disguises your server as a real TLS site and needs no certificate — see REALITY.

XTLS-Vision flow

The xtls-rprx-vision flow is fast and DPI-resistant. It's available for VLESS when either:

  • the transport is raw TCP with TLS or REALITY security (classic XTLS-Vision), or
  • the transport is XHTTP with VLESS encryption enabled (see below).

Set the flow on the VLESS client, not the inbound.

VLESS encryption (ML-KEM)

VLESS supports post-quantum encryption (ML-KEM / mlkem768x25519). Its configuration is stored in the inbound's decryption field (server side) and in the clients' encryption field (used for link generation). When enabled, it unlocks the Vision flow over XHTTP. Generate the keys from the panel's VLESS settings.

Shadowsocks ciphers

Shadowsocks inbounds support both classic ciphers and Shadowsocks-2022 (method names starting with 2022-blake3-). Most ciphers are multi-user; 2022-blake3-chacha20-poly1305 is single-user.

Transports and security must match on both ends. The client's share link encodes them (type=ws, security=reality, flow=xtls-rprx-vision, …) — decode any link with the share-link inspector.
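
The eligibility rules on this page, collected into one checker that can be run against a share link before handing it to a client. This is an added example, not 3x-ui's own code. The parameter defaults, the reading of the encryption parameter, and the sample links are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Eligibility rules transcribed from the tables on this page.
TRANSPORTS = {"tcp", "ws", "grpc", "httpupgrade", "xhttp", "http"}
SECURITY_RULES = {
    "tls": ({"tcp", "ws", "http", "grpc", "httpupgrade", "xhttp"},
            {"vless", "vmess", "trojan", "shadowsocks", "hysteria2"}),
    "reality": ({"tcp", "http", "grpc", "xhttp"}, {"vless", "trojan"}),
}
VISION = "xtls-rprx-vision"

def check_combo(protocol, transport, security, flow="", vless_encryption=False):
    """Return a list of rule violations (an empty list means the combination is valid)."""
    problems = []
    if transport not in TRANSPORTS:
        problems.append(f"unknown transport {transport!r}")
    if security not in ("none", "tls", "reality"):
        problems.append(f"unknown security {security!r}")
    elif security != "none":
        transports, protocols = SECURITY_RULES[security]
        if transport not in transports:
            problems.append(f"{security} is not eligible on transport {transport}")
        if protocol not in protocols:
            problems.append(f"{security} is not eligible for protocol {protocol}")
    if flow == VISION:
        classic = transport == "tcp" and security in ("tls", "reality")
        over_xhttp = transport == "xhttp" and vless_encryption
        if protocol != "vless" or not (classic or over_xhttp):
            problems.append("xtls-rprx-vision needs VLESS on tcp+tls/reality, "
                            "or xhttp with VLESS encryption")
    return problems

def check_link(link):
    """Validate a URL-style share link (vless://, trojan://) against the rules."""
    url = urlsplit(link)
    q = {k: v[0] for k, v in parse_qs(url.query).items()}
    # Assumptions: a missing type means tcp, a missing security means none, and
    # an encryption value other than "none" means VLESS encryption is enabled.
    enc = q.get("encryption", "none") != "none"
    return check_combo(url.scheme, q.get("type", "tcp"), q.get("security", "none"),
                       q.get("flow", ""), enc)

# Constructed sample links (placeholder UUID and host, not real endpoints).
GOOD = "vless://00000000-0000-0000-0000-000000000000@server.example:443?type=tcp&security=reality&flow=xtls-rprx-vision#a"
BAD = "vless://00000000-0000-0000-0000-000000000000@server.example:443?type=ws&security=reality&flow=xtls-rprx-vision#b"
```

check_link(BAD) reports two violations: REALITY is not eligible on WebSocket, and Vision is not available on that transport.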
