Protocol Selection
VPN Protocol Guide
Choose the right protocol for your network. OrbVPN ships five user-selectable protocols plus Smart Connect — each engineered for a different balance of speed, stealth, and censorship resistance.
Available Protocols
OrbVPN gives you Auto (Smart Connect) plus four hand-tunable protocols. A fifth, OrbX Native, is in development and will appear automatically once it ships. Every protocol carries multiple transport modes, so even when an entire protocol is blocked you usually have a working path.
Auto — Smart Connect
Races protocols, transports, and mimicry profiles, then verifies real traffic flows and your public IP actually changed before locking in. Start here if you are unsure.
WireGuard
Modern UDP tunnel with the lowest overhead and best raw speed. The primary choice for streaming, gaming, and everyday use on open networks. Also runs over a CDN-fronting WebSocket bridge when UDP is blocked.
VLESS
The flagship anti-censorship protocol. Defaults to the Reality transport (XTLS-Vision) with 10 mimicry profiles. Carries five more transports — Plain TCP, WebSocket, gRPC, and CDN-Fronting — for Iran, Russia, and China.
OrbConnect
OrbVPN's own HTTPS-tunnel protocol with optional FIPS 140-3 cipher mode for enterprise and government compliance. Runs direct or through a Cloudflare CDN WebSocket bridge for stealth.
SSH Tunnel
A SOCKS5 tunnel over SSH with optional OSSH obfuscation (ChaCha20 + Argon2id). Excellent on networks that allow SSH but fingerprint everything else — a strong last-resort bypass.
OrbX Native
OrbVPN's next-generation proprietary protocol, currently in development. It is listed in the app as Coming Soon and will activate for everyone the moment it is production-ready.
Reality is a VLESS transport, not a separate protocol
You will never select "Reality" on its own. Reality (XTLS-Vision) is the default transport mode of VLESS — it forges a perfect TLS handshake against a real, allowed website so deep packet inspection sees ordinary HTTPS. Choosing VLESS gives you Reality automatically.
Which Protocol Should I Use?
Pick based on your network and your goal. When in doubt, leave it on Auto and let Smart Connect decide.
Streaming & Downloads
WireGuard first for top speed, OrbConnect as a stealthy backup if your ISP throttles UDP. Pair with SmartDNS for geo-unblocking.
Gaming & Video Calls
WireGuard for the lowest latency. If UDP is blocked, WireGuard's CDN-fronting transport keeps you on the same protocol.
Censored Networks (Iran / Russia / China)
VLESS with a region-matched mimicry profile (Shaparak for Iran, VK or Yandex for Russia, WeChat for China). Plain TCP and CDN-Fronting transports defeat DPI. Smart Connect builds this chain for you.
SSH-Friendly / Hardened Networks
When a firewall permits SSH but blocks VPN signatures, the SSH Tunnel — with OSSH obfuscation — slips through where other protocols stall.
How to Switch Protocols
Disconnect Current Session
Tap the power button to disconnect from your current VPN session before changing protocols.
Open the Protocol Selector
Go to the Protocol screen from the connection view, or open Settings and choose your protocol.
Choose a Protocol
Select Auto, WireGuard, VLESS, OrbConnect, or SSH Tunnel. For VLESS, SSH, WireGuard, and OrbConnect you can also pick a transport mode (see Transport Modes).
Reconnect
Select your server and tap connect. Wait for the handshake and traffic verification to complete.
Confirm the IP Changed
OrbVPN verifies that real traffic flows and your public IP actually changed. If it can't, it surfaces the failure instead of showing a fake connection.
Protocol Flowchart
Start with WireGuard. If UDP is blocked, switch to its CDN-fronting transport or move to OrbConnect. On censored networks, use VLESS with a mimicry profile and a Plain TCP or CDN-Fronting transport. If everything else is fingerprinted, fall back to the SSH Tunnel with OSSH. Or simply enable Auto (Smart Connect) and let OrbVPN test the whole chain for you.
Protocol Security at a Glance
WireGuard
State-of-the-art cryptography (ChaCha20-Poly1305, Curve25519), perfect forward secrecy, and a tiny code base. Fast and hard to misconfigure.
VLESS + Reality
Reality TLS fingerprint masquerading borrows a real allowed site's certificate chain. Combined with 10 mimicry profiles and Plain TCP, it is OrbVPN's primary anti-DPI vector.
OrbConnect
HTTPS-tunnel transport with an optional FIPS 140-3 cipher mode for compliance-bound deployments. CDN-fronting hides it inside ordinary Cloudflare HTTPS.
SSH Tunnel
Standard SSH crypto, plus OSSH obfuscation that scrambles the handshake with ChaCha20 keyed by Argon2id so DPI sees random bytes, not SSH.
FIPS 140-3 Mode (OrbConnect)
OrbConnect can run in a FIPS 140-3 cipher mode for users with government or enterprise compliance requirements. When enabled, the protocol restricts itself to FIPS-approved algorithms.
When to Enable
Turn on FIPS mode if your organization mandates FIPS 140-3 validated cryptography. Most home users do not need it.
Trade-offs
FIPS mode narrows the available cipher set, which can slightly affect handshake options. Leave it off for maximum compatibility on consumer networks.
Network Compatibility
Home WiFi
All protocols work well. WireGuard is recommended for best speeds.
Mobile Data
WireGuard or OrbConnect for 4G/5G. If your carrier throttles VPN traffic, VLESS with a mimicry profile blends in.
Public & Restricted WiFi
VLESS (Reality) or OrbConnect CDN-fronting blend into ordinary HTTPS. The SSH Tunnel works where only SSH is permitted.
Heavy Censorship
VLESS with Plain TCP or CDN-Fronting plus a region mimicry profile. Set a manual region override so the app picks the right chain even if geolocation fails.
Protocol Troubleshooting
WireGuard Issues
The cause is UDP blocking or port restrictions. Switch to WireGuard CDN-fronting, or move to VLESS or OrbConnect.
VLESS Issues
Connects but no data (typical Iran throttling) — switch from Reality to the Plain TCP transport, or try a different mimicry profile.
OrbConnect Issues
Slow handshake or refused connection — try the CDN-fronting transport, or fall back to VLESS or the SSH Tunnel.
SSH Tunnel Issues
If direct SSH is fingerprinted, switch to OSSH, OSSH+WebSocket, or OSSH+CDN for obfuscated handshakes.
Let Smart Connect Decide
Enable Auto (Smart Connect) to have OrbVPN automatically test protocols, transports, and mimicry profiles in the optimal order for your detected region — verifying real traffic before it settles on a path. You can also ask Hylon AI, OrbVPN's in-app assistant, for protocol guidance.
Protocol Questions?
Our technical team can help you choose the optimal protocol, transport, and mimicry profile for your specific network and region.