Hello everyone.
The first quarter of 2026 has been the busiest in Chute’s history. Over the past three months we have added support for eight new proxy protocols, more than tripling the protocol lineup that was available at the end of 2025. Today I want to walk through each one — what it is, why it matters, and where it fits in your toolbox.
Hysteria2
Hysteria2 is a modern UDP-based protocol built on QUIC. It uses the BLAKE2b hash function for its Salamander obfuscation layer, which XORs the entire handshake to make traffic indistinguishable from random bytes. The protocol multiplexes TCP streams and UDP datagrams over a single QUIC connection using RFC 9221 datagrams, and supports brutal congestion control — it can aggressively fill your available bandwidth.
Why we added it: Hysteria2 is rapidly becoming the go-to protocol for users on lossy or high-latency networks. Its QUIC-based transport handles packet loss far more gracefully than TCP-based alternatives, and the built-in obfuscation means it works on networks where UDP is throttled but not blocked.
WireGuard
WireGuard is a modern VPN protocol known for its simplicity — about 4,000 lines of code compared to OpenVPN’s 70,000+ — and its strong cryptographic guarantees. We integrated WireGuard through a native FFI adapter that provides full tunnel support: TCP proxying over the WireGuard tunnel, UDP transport, and lwIP stack sharing for TUN mode.
Why we added it: WireGuard has become the standard for self-hosted VPNs. Many of our users already run WireGuard servers and have been asking to route their Chute traffic through them alongside other proxy protocols. Now they can.
REALITY
REALITY is a TLS-based anti-censorship protocol that makes proxy traffic look exactly like a normal connection to a legitimate website. It works by performing a real TLS 1.3 handshake with a real external server — say, microsoft.com — and using that server’s certificate as camouflage. To an observer, your connection looks like you are browsing Microsoft’s website. But inside the TLS tunnel, the proxy traffic flows.
We implemented REALITY with manual TLS 1.3 handshake control, AES-256-GCM encryption, and uTLS fingerprint alignment to match real browser TLS fingerprints. The spiderX feature enables automatic scanning for viable camouflage targets.
ShadowTLS v3
ShadowTLS is another TLS-based obfuscation protocol, but with a different approach: it starts a TLS handshake, then deliberately sends a wrong HMAC to make the server reject the connection — which looks like a failed TLS attempt to any observer. After the fake rejection, the real proxy traffic begins inside what appears to be an abandoned connection.
Version 3 brings improved handshake timing, better padding to obscure packet sizes, and stronger protection against active probing.
gRPC Transport
gRPC is a high-performance RPC framework from Google that runs over HTTP/2. We added gRPC as a transport option for three existing protocols — Trojan, VMess, and VLESS — allowing them to tunnel inside gRPC streams.
Why this matters: on networks where standard proxy traffic is blocked but gRPC (used by many cloud services) is allowed, this provides a natural camouflage. The bidirectional streaming model of gRPC also maps well to proxy traffic, and HTTP/2 multiplexing means multiple connections share a single TCP socket.
Shadowsocks 2022
Shadowsocks 2022 is the next-generation version of the Shadowsocks protocol. It replaces the legacy AEAD cipher construction with BLAKE3-based key derivation and ChaCha20-Poly1305 encryption, providing stronger security guarantees and better performance. We support the full SS2022 specification, including both single-user and multi-user modes.
TUIC
TUIC is a lightweight UDP-based proxy protocol built on QUIC. It is designed to be simple and fast — a thin alternative to the heavier Hysteria2 when you do not need all the bells and whistles. TUIC provides basic authentication, supports both TCP and UDP proxying, and benefits from QUIC’s built-in reliability and congestion control.
VMess AEAD
The VMess protocol originally used a custom authentication scheme that was showing its age. The AEAD upgrade replaces this with standard AEAD encryption (authenticated encryption with associated data), bringing VMess in line with modern cryptographic best practices. This is a drop-in improvement — all existing VMess configurations continue to work, just with stronger encryption.
What This Means
Taken together, these eight protocols represent a philosophy: give users as many tools as possible, and let them choose the right one for their network. Each protocol has a different set of trade-offs — speed vs. stealth, simplicity vs. flexibility, TCP vs. UDP. By supporting all of them, Chute adapts to whatever network conditions you encounter.
All eight protocols are available now on iOS and macOS. Check the Chute Manual for configuration details.
Thanks.
Chute Devs