diff --git a/adapters/outbound/vmess.go b/adapters/outbound/vmess.go
index 5f543dff..a9365526 100644
--- a/adapters/outbound/vmess.go
+++ b/adapters/outbound/vmess.go
@@ -77,7 +77,18 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 Headers: v.option.HTTPOpts.Headers,
 }
- c, err = vmess.StreamHTTPConn(c, httpOpts), nil
+ c = vmess.StreamHTTPConn(c, httpOpts)
+ default:
+ // handle TLS
+ if v.option.TLS {
+ host, _, _ := net.SplitHostPort(v.addr)
+ tlsOpts := &vmess.TLSConfig{
+ Host: host,
+ SkipCertVerify: v.option.SkipCertVerify,
+ SessionCache: getClientSessionCache(),
+ }
+ c, err = vmess.StreamTLSConn(c, tlsOpts)
+ }
 }
 if err != nil {
diff --git a/component/vmess/tls.go b/component/vmess/tls.go
new file mode 100644
index 00000000..8ed19777
--- /dev/null
+++ b/component/vmess/tls.go
@@ -0,0 +1,24 @@
+package vmess
+
+import (
+ "crypto/tls"
+ "net"
+)
+
+type TLSConfig struct {
+ Host string
+ SkipCertVerify bool
+ SessionCache tls.ClientSessionCache
+}
+
+func StreamTLSConn(conn net.Conn, cfg *TLSConfig) (net.Conn, error) {
+ tlsConfig := &tls.Config{
+ ServerName: cfg.Host,
+ InsecureSkipVerify: cfg.SkipCertVerify,
+ ClientSessionCache: cfg.SessionCache,
+ }
+
+ tlsConn := tls.Client(conn, tlsConfig)
+ err := tlsConn.Handshake()
+ return tlsConn, err
+}
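Review bot: In `StreamConn` (adapters/outbound/vmess.go) the TLS wrap is added only under the new `default:` branch, so the HTTP-obfuscation case just above it never reaches `vmess.StreamTLSConn`; a configuration with `v.option.TLS` set together with that network type appears to continue without TLS and without any error. The switch begins outside this hunk, so confirm whether that combination is handled or rejected elsewhere; if it is unsupported, return an error in that case instead of silently ignoring the setting. Separately, `host, _, _ := net.SplitHostPort(v.addr)` discards the parse error and leaves `Host` (and so the TLS `ServerName`) empty on a malformed address; prefer `host, _, splitErr := net.SplitHostPort(v.addr)` followed by `if splitErr != nil { return nil, splitErr }`.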
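Review bot: In component/vmess/tls.go, `StreamTLSConn` calls `tlsConn.Handshake()` without setting a deadline on `conn` and returns the non-nil `tlsConn` alongside the error, so unless the caller already set a deadline a peer that stalls mid-handshake can block the dial, and a connection whose handshake failed is still handed back. Return nil on failure, `if err := tlsConn.Handshake(); err != nil { return nil, err }`, and bound the handshake with a deadline on `conn` that is cleared once it succeeds. The exported `TLSConfig` and `StreamTLSConn` have no doc comments; `SkipCertVerify` in particular should carry one such as `// SkipCertVerify disables certificate chain and host name verification; the server is then unauthenticated.` because it maps straight onto `InsecureSkipVerify`. The `tls.Config` also sets no `MinVersion`, so the protocol floor is whatever the Go toolchain in use defaults to.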