The problem it solves

Traditional TLS camouflage needs your own domain and certificate; once either is fingerprinted, the node is exposed. REALITY instead "borrows" a genuine large site (e.g. www.microsoft.com) for the TLS handshake, so a man in the middle sees that big site's real certificate and can't tell the difference.

Key parameters

  • dest / SNI: the borrowed target — pick a major site reachable from your region that does not sit behind a CDN.
  • publicKey: the server's public key; the client must match it exactly.
  • shortId / fingerprint: the fingerprint that mimics a common browser like Chrome.

In practice

REALITY works only on VLESS and needs no domain of your own — its biggest convenience for self-hosters. Clients usually pull these parameters from a subscription or share link; getting any one wrong by hand means it won't connect.