How China's Great Firewall Works in 2026 — Technical Deep Dive

Q: How fast will my connection be?

On a healthy 500 Mbps home line in Chengdu, expect roughly 204 Mbps of usable VPN throughput on VLESS to Hong Kong — enough for 4K streaming and HD video calls. Latency to nearby Asian servers is typically 55 ms.

Q: Which protocol should I use for Great Firewall in 2026?

VLESS + Reality for stealth, Hysteria2 for raw throughput on lossy networks. Both ship with the OxeraVPN app — pick from the Settings panel.

If you're trying to get Great Firewall working reliably from inside Suzhou on China Telecom, you've probably already discovered that most generic guides don't survive contact with the Great Firewall. This article is written from the opposite direction — start with the constraints China imposes, then work back to the configuration that actually works in 2026.

What Great Firewall Actually Is

Great Firewall is one of those terms that gets thrown around a lot in VPN marketing, but rarely explained at the protocol level. This guide breaks it down in concrete terms — what's happening on the wire, what trade-offs each design choice makes, and why it matters in 2026 specifically inside mainland China.

How It Works on the Wire

When a client establishes a VLESS-over-Reality tunnel, three things happen in sequence:

The client opens a TLS 1.3 handshake to a chosen "fronting" hostname (e.g. www.apple.com)
Mid-handshake, the client substitutes a Reality-specific public key in the ClientHello
The OxeraVPN server validates the key, and from that point all traffic is tunneled — but the GFW only ever saw a normal-looking TLS handshake to www.apple.com

This is the critical difference from VMess, OpenVPN, or WireGuard: there is no distinguishable VPN handshake to detect, because the handshake is a real TLS handshake.

Sample Server Config

A minimal Xray Reality inbound looks like this:

{
  "inbounds": [{
    "port": 2083,
    "protocol": "vless",
    "settings": {
      "clients": [{ "id": "<uuid>", "flow": "xtls-rprx-vision" }],
      "decryption": "none"
    },
    "streamSettings": {
      "network": "tcp",
      "security": "reality",
      "realitySettings": {
        "dest": "www.apple.com:443",
        "serverNames": ["www.apple.com"],
        "privateKey": "<server-private-key>",
        "shortIds": [""]
      }
    }
  }]
}

The matching client URL (which OxeraVPN's app builds for you automatically) follows the standard vless:// scheme:

vless://<uuid>@server.example.com:2083?security=reality&sni=www.apple.com&fp=chrome&pbk=<public-key>&type=tcp&flow=xtls-rprx-vision#OxeraVPN

OpenWrt Quick-Start (Optional)

If you're running this on an OpenWrt router, you can install Xray and wire up the same config:

opkg update
opkg install xray-core
mkdir -p /etc/xray
# paste the JSON above into /etc/xray/config.json
/etc/init.d/xray enable && /etc/init.d/xray start

Why This Beats Older Approaches

Protocol	GFW Detection Risk	Throughput	Notes
OpenVPN UDP	High (within hours)	Medium	TLS-over-UDP fingerprint is well-known
WireGuard	High (within hours)	Very high	UDP fingerprint instantly identifiable
Trojan	Low	High	TLS-wrapped, but key exchange is detectable
VLESS + Reality	Very low	High	Real TLS handshake to a real domain

Common Misconceptions

"It's just obfuscation." No — Reality piggybacks on a real TLS handshake to a real third-party domain. There's no synthetic obfuscation layer to detect.
"It's slow because of the extra hop." There's no extra hop. The handshake target is a destination the GFW already trusts; the actual traffic still flows through the OxeraVPN server.
"You need to host your own server." You don't. OxeraVPN runs the server side; you just install the app and pick a server.

How to Use Great Firewall With OxeraVPN

The OxeraVPN app ships VLESS + Reality as the default protocol. There's no manual setup — sign in, pick a server, you're using it.

Frequently Asked Questions

How fast will my connection be?

On a healthy 500 Mbps home line in Chengdu, expect roughly 204 Mbps of usable VPN throughput on VLESS to Hong Kong — enough for 4K streaming and HD video calls. Latency to nearby Asian servers is typically 55 ms.

Is OxeraVPN really free to try?

Yes. The Recon Protocol free tier includes 30 GB of monthly data, no credit card and no time limit. It's enough to verify Great Firewall works in your real conditions before paying anything.

Which protocol should I use for Great Firewall in 2026?

VLESS + Reality for stealth, Hysteria2 for raw throughput on lossy networks. Both ship with the OxeraVPN app — pick from the Settings panel.

What's the fastest way to get started?

Sign up at dashboard.oxeranet.cloud, install the OxeraVPN app on your device, connect to the nearest Singapore or Hong Kong server, and you're online in under 2 minutes. The free plan is enough to test Great Firewall end-to-end.

What's the difference between V2Ray, Xray, and Sing-Box?

V2Ray is the original, Xray is a maintained fork with more modern protocols (including Reality), and Sing-Box is a Go-based reimplementation that's smaller and faster. OxeraVPN's Windows client uses Xray under the hood.

The Bottom Line

Great Firewall matters because it changes the rules of the cat-and-mouse game between VPN providers and state-level censors. Older protocols leak fingerprints. Reality doesn't. For users in mainland China specifically, that's the difference between "VPN that mostly works" and "VPN that quietly stays connected for weeks at a time."