VLESS Reality on Windows: client setup with v2rayN

If you've stood up a VLESS+Reality endpoint, the next problem is getting your devices onto it cleanly. iOS has Shadowrocket. macOS has Shadowrocket and FoxRay. Linux has the Xray binary itself. Windows is where most people stall, because the most popular Windows client (Clash) doesn't support Reality natively, and the ones that do — v2rayN, NekoBox, Hiddify — all look a little intimidating on first contact.

This is the v2rayN path. It's the boring choice: actively maintained, ships the official Xray-core kernel, and accepts the same subscription URL your other clients consume. If you can paste a URL, you can finish this in five minutes.

Why v2rayN over Clash

Clash is excellent for rule-based routing across Shadowsocks, Trojan, and VMess, but its support for Reality has historically lagged upstream Xray-core, and its configuration model assumes a YAML file you maintain by hand. v2rayN takes a subscription URL, parses VLESS Reality directly, and stays current with Xray-core because that's what it embeds. For a single user consuming a single endpoint, it's the lowest-effort option.

NekoBox and Hiddify-Next are reasonable alternatives if you prefer their UI; the steps below are 80% identical because all three speak the same subscription-link format.

Prerequisite: .NET 8 Desktop Runtime

v2rayN 7.x is a WPF app and needs the .NET 8 Desktop Runtime installed before it'll launch. Check first — open a Command Prompt and run:

dotnet --list-runtimes

Look for a line containing Microsoft.WindowsDesktop.App 8.x.x. If it's missing, install it from Microsoft's .NET download page — pick "Desktop Runtime" → x64. About 60 MB. No restart needed.

If you prefer winget:

winget install Microsoft.DotNet.DesktopRuntime.8

Install v2rayN

There's no installer; you unzip and run.

1. Go to the v2rayN releases page.
2. Under Assets, download v2rayN-windows-64-desktop.zip (~80 MB; this bundle includes Xray-core, so you don't need to install the kernel separately).
3. Right-click the zip → Extract All → choose a stable folder. C:\Tools\v2rayN or %LOCALAPPDATA%\Programs\v2rayN are both fine. Don't run it from %TEMP% or the Downloads folder.
4. Double-click v2rayN.exe. Windows SmartScreen will warn that the file is unsigned — click More info → Run anyway.
5. The app minimizes to the system tray (bottom-right of the taskbar, next to the clock). Click the V icon to bring the window forward.

Optional but recommended: add the install directory to your Defender exclusions. Without it, Defender will occasionally quarantine the bundled Xray-core binary as a false positive. Run PowerShell as Administrator:

Add-MpPreference -ExclusionPath "$env:LOCALAPPDATA\Programs\v2rayN"

Import your subscription

A VLESS Reality subscription URL is an HTTP(S) endpoint that returns a base64-encoded list of vless://... links. v2rayN ingests these directly — you don't paste individual links.

1. Top menu bar: Subscription → Subscription settings (or Ctrl+B).
2. In the dialog, click Add (top-left).
3. Fill in:
   • Remarks: any label you want — this is what shows up grouping the imported servers.
   • URL: paste your subscription URL. It typically looks like https://your-endpoint.example/<random-token>/sub.
   • Leave the rest default. The "User Agent" field can stay blank unless your server filters by UA.
4. Click OK and close the dialog.
5. Top menu: Subscription → Update subscription (Skip proxy). The "Skip proxy" variant fetches the subscription directly, ignoring any current proxy. Important on the first run, before you have a proxy active.

The main server list will populate with whatever nodes your subscription returns. Multi-node subscriptions appear as a flat list grouped under the remark you set.

Pick a node and connect

Double-click any server in the main list to set it as active. The active row is highlighted and the tray icon updates. That's the equivalent of tapping a server in Shadowrocket — no other action required.

If you only need some applications to use the proxy, you can stop here and point those applications at 127.0.0.1:10808 (SOCKS5) or 127.0.0.1:10809 (HTTP) directly. v2rayN's local listeners are on by default; confirm under Settings → Parameter Settings → Core: Basic settings if you need to change the ports.

For a Windows-wide tunnel, you have two options, and the difference matters.

System Proxy vs TUN mode

System Proxy sets the standard Windows proxy registry keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings. Apps that honor those settings — Edge, Chrome, most HTTP libraries, Windows Update — route through v2rayN. Apps that don't — many games, some torrent clients, some VOIP clients that hardcode their own transport — bypass it. No admin needed.

To enable: top toolbar System Proxy → Set system proxy. To disable: same menu → Clear system proxy.

TUN mode creates a virtual network adapter and reroutes the entire IP stack through Xray-core. Every TCP and UDP connection from every application — including ones that ignore the system proxy — goes through the tunnel. This is closer to a traditional VPN's behavior.

To enable: top toolbar TUN mode → Set TUN mode. The first time you do this, v2rayN will install the WinTUN driver (Wintun.dll) and request administrator elevation. Approve both. Subsequent toggles are seamless.

When to use which:

	System Proxy	TUN mode
Setup	nothing	WinTUN driver + admin once
Catches	apps honoring Windows proxy settings	all TCP/UDP from all apps
Overhead	none	small CPU, small RAM
Best for	normal browsing, daily use	games, torrent clients, anything that ignores proxy settings

Don't enable both at once. Pick one. Both at once creates routing loops that manifest as "everything is slow" or "DNS never resolves."

Verify the egress

Once a node is active and proxying is on:

1. Open a browser, visit ifconfig.me or whoami.akamai.net.
2. The IP shown should be your egress IP — whatever your endpoint's outbound path looks like to the public internet. If your endpoint chains through a residential proxy, that's the residential proxy's IP. If it egresses directly from the VPS, that's the VPS's IP.
3. Run a DNS leak test. The resolvers listed should match whatever your endpoint configures, not your ISP's. If you see your ISP's resolvers, your client is bypassing the tunnel for DNS — check Settings → Routing settings and confirm geosite:private and direct-LAN rules aren't accidentally short-circuiting 8.8.8.8 or similar.

If the egress IP is the VPS's public IP and you expected a residential exit, the issue is server-side — Xray on your endpoint isn't routing through its upstream proxy. v2rayN can't tell you that from the client.

Daily use

• Switch nodes: double-click another row. Instant.
• Refresh subscription: Subscription → Update subscription (Skip proxy). You can also set an auto-refresh interval in the subscription dialog — 24 hours is a sensible default.
• Pause without quitting: System Proxy → Clear system proxy (or the TUN equivalent). v2rayN stays running in the tray.
• Quit: right-click the tray icon → Exit. Closing the main window only minimizes, which catches people out on day one.

Don't run two proxy clients at once

If you have Clash, Hiddify, or any other proxy client installed alongside v2rayN, disable System Proxy and TUN mode in every client except the one you're using. Two clients fighting over the Windows proxy registry will leave you in a state where neither works reliably.

The cleanest move: pick v2rayN as your daily driver and uninstall the others. If you specifically need Clash-style rule routing, v2rayN's Settings → Routing settings does support direct/proxy/block rules with geosite and geoip data. It's less ergonomic to edit than a Clash config, but it covers the same surface area.

From zero to "Windows traffic is on your Reality endpoint" is about five minutes the first time, and zero clicks every time after.