sing-box vs Xray in 2026 — Which Universal Proxy Core Wins?

Q: Which protocol should I use for sing-box in 2026?

VLESS + Reality for stealth, Hysteria2 for raw throughput on lossy networks. Both ship with the OxeraVPN app — pick from the Settings panel.

Q: How fast will my connection be?

On a healthy 500 Mbps home line in Wuhan, expect roughly 113 Mbps of usable VPN throughput on VLESS to Seoul — enough for 4K streaming and HD video calls. Latency to nearby Asian servers is typically 36 ms.

Half of what's published online about sing-box is recycled from 2019. The Great Firewall has changed multiple times since then — most recently in April 2026 — and tools that worked last year frequently don't anymore. Below is the current, tested setup as of 2026-02-24.

What sing-box Actually Is

sing-box is one of those terms that gets thrown around a lot in VPN marketing, but rarely explained at the protocol level. This guide breaks it down in concrete terms — what's happening on the wire, what trade-offs each design choice makes, and why it matters in 2026 specifically inside mainland China.

How It Works on the Wire

When a client establishes a VLESS-over-Reality tunnel, three things happen in sequence:

The client opens a TLS 1.3 handshake to a chosen "fronting" hostname (e.g. www.cloudflare.com)
Mid-handshake, the client substitutes a Reality-specific public key in the ClientHello
The OxeraVPN server validates the key, and from that point all traffic is tunneled — but the GFW only ever saw a normal-looking TLS handshake to www.cloudflare.com

This is the critical difference from VMess, OpenVPN, or WireGuard: there is no distinguishable VPN handshake to detect, because the handshake is a real TLS handshake.

Sample Server Config

A minimal Xray Reality inbound looks like this:

{
  "inbounds": [{
    "port": 8443,
    "protocol": "vless",
    "settings": {
      "clients": [{ "id": "<uuid>", "flow": "xtls-rprx-vision" }],
      "decryption": "none"
    },
    "streamSettings": {
      "network": "tcp",
      "security": "reality",
      "realitySettings": {
        "dest": "www.cloudflare.com:443",
        "serverNames": ["www.cloudflare.com"],
        "privateKey": "<server-private-key>",
        "shortIds": [""]
      }
    }
  }]
}

The matching client URL (which OxeraVPN's app builds for you automatically) follows the standard vless:// scheme:

vless://<uuid>@server.example.com:8443?security=reality&sni=www.cloudflare.com&fp=chrome&pbk=<public-key>&type=tcp&flow=xtls-rprx-vision#OxeraVPN

OpenWrt Quick-Start (Optional)

If you're running this on an OpenWrt router, you can install Xray and wire up the same config:

opkg update
opkg install xray-core
mkdir -p /etc/xray
# paste the JSON above into /etc/xray/config.json
/etc/init.d/xray enable && /etc/init.d/xray start

Why This Beats Older Approaches

Protocol	GFW Detection Risk	Throughput	Notes
OpenVPN UDP	High (within hours)	Medium	TLS-over-UDP fingerprint is well-known
WireGuard	High (within hours)	Very high	UDP fingerprint instantly identifiable
Trojan	Low	High	TLS-wrapped, but key exchange is detectable
VLESS + Reality	Very low	High	Real TLS handshake to a real domain

Common Misconceptions

"It's just obfuscation." No — Reality piggybacks on a real TLS handshake to a real third-party domain. There's no synthetic obfuscation layer to detect.
"It's slow because of the extra hop." There's no extra hop. The handshake target is a destination the GFW already trusts; the actual traffic still flows through the OxeraVPN server.
"You need to host your own server." You don't. OxeraVPN runs the server side; you just install the app and pick a server.

How to Use sing-box With OxeraVPN

The OxeraVPN app ships VLESS + Reality as the default protocol. There's no manual setup — sign in, pick a server, you're using it.

Frequently Asked Questions

Why would someone choose OxeraVPN over a bigger brand?

Bigger brands optimize for marketing reach and broad server count. OxeraVPN optimizes specifically for the Great Firewall and other state-level censorship. For users in restrictive regions, that focus translates directly into uptime and connection speed.

Is OxeraVPN really free to try?

Yes. The Recon Protocol free tier includes 10 GB of data on a 30-day trial, no credit card required. It's enough to verify sing-box works in your real conditions before paying anything.

Which protocol should I use for sing-box in 2026?

VLESS + Reality for stealth, Hysteria2 for raw throughput on lossy networks. Both ship with the OxeraVPN app — pick from the Settings panel.

How fast will my connection be?

On a healthy 500 Mbps home line in Wuhan, expect roughly 113 Mbps of usable VPN throughput on VLESS to Seoul — enough for 4K streaming and HD video calls. Latency to nearby Asian servers is typically 36 ms.

What's the difference between V2Ray, Xray, and Sing-Box?

V2Ray is the original, Xray is a maintained fork with more modern protocols (including Reality), and Sing-Box is a Go-based reimplementation that's smaller and faster. OxeraVPN's Windows client uses Xray under the hood.

The Bottom Line

sing-box matters because it changes the rules of the cat-and-mouse game between VPN providers and state-level censors. Older protocols leak fingerprints. Reality doesn't. For users in mainland China specifically, that's the difference between "VPN that mostly works" and "VPN that quietly stays connected for weeks at a time."