Subscriptions often mix several protocols in the same list: SS, VMess, Trojan, and more. What's the difference between them, and which one should you actually prefer? This article lines up five mainstream protocols side by side so you can decide with confidence.
Five protocols in one table
| Protocol | Encryption | Obfuscation | Overhead | One-line take |
|---|---|---|---|---|
Shadowsocks |
AEAD symmetric encryption | Weak (traffic pattern is distinctive) | Very low | The light, simple veteran — still solid when paired with a plugin |
VMess |
Built-in dynamic encryption | Medium (can be wrapped in WebSocket + TLS) | Medium | The core of the V2Ray ecosystem — full-featured but a bit heavy |
VLESS |
No native encryption, relies on TLS | Strong (with Reality/XTLS) | Low | A leaner successor to VMess with better performance |
Trojan |
Fully encrypted via TLS | Strong (looks like plain HTTPS) | Low | Hides in plain sight — excellent at avoiding detection |
WireGuard |
Modern crypto suite | Weak (UDP signature is obvious) | Very low | The speed champion, but easy to throttle since it's easy to spot |
Going through each one
Shadowsocks: simplicity done right
The oldest of the bunch, with a minimalist design: a single layer of symmetric encryption, then forward. Its strengths are being light, fast, and battery-friendly, especially on mobile. Its weakness is that encrypted traffic alone doesn't disguise itself as anything else, so after years in the wild it's become easier to fingerprint. Modern deployments typically pair it with shadow-tls or v2ray-plugin to make up for that.
VMess and VLESS: two generations of the same idea
VMess is V2Ray's flagship protocol, with built-in user authentication and dynamic encryption, and it's very flexible when combined with WebSocket + TLS + a CDN. VLESS simplifies things: it leaves encryption to an outer TLS layer and focuses purely on authentication and forwarding, which gives it better latency and throughput. If a subscription offers both for the same location, go with VLESS.
Trojan: hiding in plain HTTPS
Trojan's approach is clever: instead of inventing a new protocol, it mimics the most common traffic on the internet — plain HTTPS. From the outside, a Trojan node is nearly indistinguishable from an ordinary website server, making it one of the hardest protocols to detect and block. The tradeoff is that it needs a real domain and certificate to set up, which is a bit more involved — but that's the provider's problem, not something you notice as a user.
WireGuard: built for speed
Runs in kernel space, handshakes almost instantly, and reconnects in a second — it wins raw throughput benchmarks almost every time. But it runs over UDP with an obvious traffic signature, and some networks will throttle or block it outright based on QoS rules. Best treated as a backup rather than your daily driver.
My recommendations
- Everyday browsing: Trojan or VLESS first — stable and hard to detect.
- Mobile devices: Shadowsocks' battery efficiency is a clear win, and it recovers quickly when switching networks.
- Heavy downloads: WireGuard or VLESS for the highest throughput.
- Restrictive networks: Trojan (traffic on port 443 that looks like plain HTTPS is hard to single out and block).
In your Clash config, you can freely mix nodes running different protocols into the same group and let url-test automatically pick whichever performs best right now — let the numbers settle the protocol debate for you:
proxy-groups: - name: "Smart Select" type: url-test proxies: [HK-Trojan, Tokyo-VLESS, Singapore-SS, LA-WG] url: "http://www.gstatic.com/generate_204" interval: 300 tolerance: 50 # switch only when 50ms+ faster
How to tell which protocol each node in your subscription uses
After importing a subscription, Clash automatically detects each node's protocol type, usually shown as a small tag (ss / vmess / vless / trojan / wg) next to the node's name or in its details. If you're writing config by hand, the node's type field is the protocol name — match it against the table above to know what you're dealing with. Don't overthink mixed subscriptions either: just drop everything into the same url-test group and let automatic speed testing decide which one gets used:
proxies: - name: "HK-Trojan-01" type: trojan server: example.hk-node.com port: 443 password: "your-password" sni: example.hk-node.com # must match the cert's domain udp: true
Two common misconceptions
- "Newer protocols are always better." VLESS is newer than VMess, but if a provider sets it up carelessly (say, without Reality/XTLS), it can perform worse than a well-tuned Trojan node. The protocol sets the ceiling; how well it's actually deployed determines the real-world experience.
- "Stronger encryption means more security." All five protocols have plenty strong encryption for normal use. What actually determines whether you're easy to detect and block is obfuscation ability and traffic fingerprinting — not whether the encryption algorithm itself is strong enough.
So don't fall into the trap of "bigger numbers are always better" when picking a protocol — factor in your own network and use case instead. If you're not sure, closing your eyes and picking Trojan or VLESS is a safe bet for most people.
Beyond the protocol: other factors worth watching
Comparing protocols on paper is only half the homework. Real-world experience also depends on a few things people often overlook:
- Line quality: the same Trojan protocol can feel completely different depending on whether it runs over a premium dedicated transit line versus standard shared transit — dedicated lines tend to have steadier latency and hold up better at peak times, at a higher cost.
- How well the provider implements it: details like encryption parameters, TLS fingerprint masking, and certificate setup directly determine how easy a node is to single out and throttle. This is entirely down to the provider's technical execution, and it's nearly impossible to judge from a node's name alone.
- How "clean" the exit IP is: the same protocol on the same line can behave very differently if its exit IP has been shared by too many users or previously flagged for abuse — you might see more CAPTCHAs or throttling on certain sites, and that has nothing to do with the protocol itself.
One last thing: you don't need to memorize any of this
A rough understanding of these protocols is all you really need — you shouldn't have to agonize over which one to pick every single day. Mix your nodes into a group by protocol type and let automatic speed testing pick a winner; if a specific node feels bad, just swap it out instead of digging through protocol parameters. This article is mainly here to give you a basic mental framework so an unfamiliar protocol name in a subscription doesn't leave you completely lost — that's really all it's for.
Summary
Each of the five protocols has its own strengths: Shadowsocks is light and battery-friendly; VMess/VLESS are full-featured and flexible across old and new deployments; Trojan stands out at avoiding detection; WireGuard tops out at the highest speed but is easy to spot. For everyday browsing, favor Trojan or VLESS; for mobile, consider Shadowsocks; for heavy downloads, try WireGuard or VLESS. More important than memorizing a spec sheet is mixing nodes of different protocols into the same auto-speed-test group and letting actual performance speak for itself — after all, the same protocol can turn out completely differently depending on the provider, so specs on paper are only a reference, never the whole story.