Subscriptions often mix several protocols in the same list: SS, VMess, Trojan, and more. What's the difference between them, and which one should you actually prefer? This article lines up five mainstream protocols side by side so you can decide with confidence.

Five protocols in one table

ProtocolEncryptionObfuscationOverheadOne-line take
Shadowsocks AEAD symmetric encryption Weak (traffic pattern is distinctive) Very low The light, simple veteran — still solid when paired with a plugin
VMess Built-in dynamic encryption Medium (can be wrapped in WebSocket + TLS) Medium The core of the V2Ray ecosystem — full-featured but a bit heavy
VLESS No native encryption, relies on TLS Strong (with Reality/XTLS) Low A leaner successor to VMess with better performance
Trojan Fully encrypted via TLS Strong (looks like plain HTTPS) Low Hides in plain sight — excellent at avoiding detection
WireGuard Modern crypto suite Weak (UDP signature is obvious) Very low The speed champion, but easy to throttle since it's easy to spot

Going through each one

Shadowsocks: simplicity done right

The oldest of the bunch, with a minimalist design: a single layer of symmetric encryption, then forward. Its strengths are being light, fast, and battery-friendly, especially on mobile. Its weakness is that encrypted traffic alone doesn't disguise itself as anything else, so after years in the wild it's become easier to fingerprint. Modern deployments typically pair it with shadow-tls or v2ray-plugin to make up for that.

VMess and VLESS: two generations of the same idea

VMess is V2Ray's flagship protocol, with built-in user authentication and dynamic encryption, and it's very flexible when combined with WebSocket + TLS + a CDN. VLESS simplifies things: it leaves encryption to an outer TLS layer and focuses purely on authentication and forwarding, which gives it better latency and throughput. If a subscription offers both for the same location, go with VLESS.

Trojan: hiding in plain HTTPS

Trojan's approach is clever: instead of inventing a new protocol, it mimics the most common traffic on the internet — plain HTTPS. From the outside, a Trojan node is nearly indistinguishable from an ordinary website server, making it one of the hardest protocols to detect and block. The tradeoff is that it needs a real domain and certificate to set up, which is a bit more involved — but that's the provider's problem, not something you notice as a user.

WireGuard: built for speed

Runs in kernel space, handshakes almost instantly, and reconnects in a second — it wins raw throughput benchmarks almost every time. But it runs over UDP with an obvious traffic signature, and some networks will throttle or block it outright based on QoS rules. Best treated as a backup rather than your daily driver.

My recommendations

  1. Everyday browsing: Trojan or VLESS first — stable and hard to detect.
  2. Mobile devices: Shadowsocks' battery efficiency is a clear win, and it recovers quickly when switching networks.
  3. Heavy downloads: WireGuard or VLESS for the highest throughput.
  4. Restrictive networks: Trojan (traffic on port 443 that looks like plain HTTPS is hard to single out and block).

In your Clash config, you can freely mix nodes running different protocols into the same group and let url-test automatically pick whichever performs best right now — let the numbers settle the protocol debate for you:

Mixed-protocol group example
proxy-groups:
  - name: "Smart Select"
    type: url-test
    proxies: [HK-Trojan, Tokyo-VLESS, Singapore-SS, LA-WG]
    url: "http://www.gstatic.com/generate_204"
    interval: 300
    tolerance: 50   # switch only when 50ms+ faster
Keep in mind The protocol is only one link in the chain — the quality of the underlying route (a premium dedicated line, standard transit routing, or a direct connection) usually affects your experience more than the choice of protocol itself.

How to tell which protocol each node in your subscription uses

After importing a subscription, Clash automatically detects each node's protocol type, usually shown as a small tag (ss / vmess / vless / trojan / wg) next to the node's name or in its details. If you're writing config by hand, the node's type field is the protocol name — match it against the table above to know what you're dealing with. Don't overthink mixed subscriptions either: just drop everything into the same url-test group and let automatic speed testing decide which one gets used:

Hand-written node example (Trojan)
proxies:
  - name: "HK-Trojan-01"
    type: trojan
    server: example.hk-node.com
    port: 443
    password: "your-password"
    sni: example.hk-node.com    # must match the cert's domain
    udp: true

Two common misconceptions

  1. "Newer protocols are always better." VLESS is newer than VMess, but if a provider sets it up carelessly (say, without Reality/XTLS), it can perform worse than a well-tuned Trojan node. The protocol sets the ceiling; how well it's actually deployed determines the real-world experience.
  2. "Stronger encryption means more security." All five protocols have plenty strong encryption for normal use. What actually determines whether you're easy to detect and block is obfuscation ability and traffic fingerprinting — not whether the encryption algorithm itself is strong enough.

So don't fall into the trap of "bigger numbers are always better" when picking a protocol — factor in your own network and use case instead. If you're not sure, closing your eyes and picking Trojan or VLESS is a safe bet for most people.

Beyond the protocol: other factors worth watching

Comparing protocols on paper is only half the homework. Real-world experience also depends on a few things people often overlook:

  • Line quality: the same Trojan protocol can feel completely different depending on whether it runs over a premium dedicated transit line versus standard shared transit — dedicated lines tend to have steadier latency and hold up better at peak times, at a higher cost.
  • How well the provider implements it: details like encryption parameters, TLS fingerprint masking, and certificate setup directly determine how easy a node is to single out and throttle. This is entirely down to the provider's technical execution, and it's nearly impossible to judge from a node's name alone.
  • How "clean" the exit IP is: the same protocol on the same line can behave very differently if its exit IP has been shared by too many users or previously flagged for abuse — you might see more CAPTCHAs or throttling on certain sites, and that has nothing to do with the protocol itself.

One last thing: you don't need to memorize any of this

A rough understanding of these protocols is all you really need — you shouldn't have to agonize over which one to pick every single day. Mix your nodes into a group by protocol type and let automatic speed testing pick a winner; if a specific node feels bad, just swap it out instead of digging through protocol parameters. This article is mainly here to give you a basic mental framework so an unfamiliar protocol name in a subscription doesn't leave you completely lost — that's really all it's for.

Summary

Each of the five protocols has its own strengths: Shadowsocks is light and battery-friendly; VMess/VLESS are full-featured and flexible across old and new deployments; Trojan stands out at avoiding detection; WireGuard tops out at the highest speed but is easy to spot. For everyday browsing, favor Trojan or VLESS; for mobile, consider Shadowsocks; for heavy downloads, try WireGuard or VLESS. More important than memorizing a spec sheet is mixing nodes of different protocols into the same auto-speed-test group and letting actual performance speak for itself — after all, the same protocol can turn out completely differently depending on the provider, so specs on paper are only a reference, never the whole story.