VLESS+REALITY, VLESS+WS+TLS, Trojan+TLS, and VMess+TLS. Tray-app simple, kernel-grade fast.
The current builds are unsigned. macOS will refuse to open the
.dmg on first launch and Windows SmartScreen
will warn before running the
.msi. Both are bypassed in seconds:
After dragging Nexray.app into
/Applications, run this once in Terminal
(you'll be prompted for your password):
sudo xattr -dr com.apple.quarantine /Applications/Nexray.app
Then double-click as normal. No need to repeat after updates installed via the same path.
Double-click the
.msi. SmartScreen shows
"Windows protected your PC". Click More info →
Run anyway. The warning appears only on first launch
of each version.
VLESS (CDN-WS or REALITY), Trojan (TCP+TLS), and VMess (TCP+TLS, AEAD-only). Refuses Shadowsocks, the WebSocket variants of vmess/trojan, and every other legacy or insecure-by-default combination — by design.
Paste any Shadowrocket-style subscription URL. Servers are grouped by source, latency-probed automatically, one-click-importable.
Built-in rules + your own . Domestic sites stay direct, ads blocked, everything else proxied.
Kernel-level packet capture for apps that ignore SOCKS. Safe-restore on quit — no orphaned routes.
Per-group "Auto" toggle keeps the active profile pinned to the lowest-latency server in your subscription, automatically.
English, 简体中文, 繁體中文, Русский. Auto-detected from your system, switchable in Settings.