Xray Reality / VLESS Setup

This note records a minimal Xray Reality / VLESS setup.

The example values are fake but shaped like real values, so the config is easier to read than a wall of placeholders.

Example environment:

  • server: vpn.example.com
  • listen port: 443
  • client UUID: 11111111-2222-4333-8444-555555555555
  • Reality private key: example_private_key_do_not_use
  • Reality public key: example_public_key_do_not_use
  • Reality short id: a1b2c3d4e5f60708
  • camouflage target: www.microsoft.com:443

Replace all of them.

Service Commands

Check the service:

sudo systemctl status xray
sudo journalctl -u xray -e --no-pager

After editing the config, test it before restarting:

sudo xray run -test -config /usr/local/etc/xray/config.json
sudo systemctl restart xray

Generate IDs And Keys

xray uuid
xray x25519
openssl rand -hex 8

Keep the private key on the server. Put the public key in the client config.

Server Config Example

{
  "inbounds": [
    {
      "listen": "0.0.0.0",
      "port": 443,
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "id": "11111111-2222-4333-8444-555555555555",
            "flow": "xtls-rprx-vision"
          }
        ],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "tcp",
        "security": "reality",
        "realitySettings": {
          "show": false,
          "dest": "www.microsoft.com:443",
          "xver": 0,
          "serverNames": ["www.microsoft.com"],
          "privateKey": "example_private_key_do_not_use",
          "shortIds": ["a1b2c3d4e5f60708"]
        }
      }
    }
  ],
  "outbounds": [
    { "protocol": "freedom" }
  ]
}

Firewall

Only the public entry port needs to be open:

sudo nft add rule inet filter input tcp dport 443 accept

If SSH uses a custom port such as 22222, keep that rule separate and preferably source-restricted.

Client-Side Fields

A client profile usually needs:

address: vpn.example.com
port: 443
uuid: 11111111-2222-4333-8444-555555555555
flow: xtls-rprx-vision
security: reality
sni: www.microsoft.com
publicKey: example_public_key_do_not_use
shortId: a1b2c3d4e5f60708
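
A consistency check for the server config and the client fields above, as an added example that is not part of the original note: it flags the note's example values left in place, malformed keys or short ids, and client fields the server would not accept. The name `check_pair`, the dict form of the client profile, and the key and short-id patterns are assumptions made here, based on the output shape of `xray x25519` and `openssl rand -hex 8`.

```python
import re

# Example values printed in this note; a deployed setup must contain none of them.
NOTE_EXAMPLES = {"11111111-2222-4333-8444-555555555555", "a1b2c3d4e5f60708",
                 "example_private_key_do_not_use", "example_public_key_do_not_use"}
KEY_RE = re.compile(r"[A-Za-z0-9_-]{43}")             # assumed `xray x25519` key shape
SHORT_ID_RE = re.compile(r"(?:[0-9a-fA-F]{2}){0,8}")  # hex, even length, max 16 chars

# Constructed sample input: the note's example server config and client fields.
SAMPLE_SERVER = {"inbounds": [{
    "settings": {"clients": [{"id": "11111111-2222-4333-8444-555555555555",
                              "flow": "xtls-rprx-vision"}]},
    "streamSettings": {"security": "reality", "realitySettings": {
        "serverNames": ["www.microsoft.com"], "shortIds": ["a1b2c3d4e5f60708"],
        "privateKey": "example_private_key_do_not_use"}}}]}
SAMPLE_PROFILE = {"uuid": "11111111-2222-4333-8444-555555555555",
                  "flow": "xtls-rprx-vision", "sni": "www.microsoft.com",
                  "publicKey": "example_public_key_do_not_use",
                  "shortId": "a1b2c3d4e5f60708"}

def check_pair(server, profile):
    """Return findings for a parsed config.json and a client profile dict."""
    inbound = next((i for i in server.get("inbounds", []) if
                    i.get("streamSettings", {}).get("security") == "reality"), None)
    if inbound is None:
        return ["no inbound with security 'reality'"]
    rs = inbound["streamSettings"]["realitySettings"]
    clients = {c["id"]: c.get("flow", "") for c in inbound["settings"]["clients"]}
    keys = {"privateKey": rs["privateKey"], "publicKey": profile.get("publicKey", "")}
    in_use = {*clients, *rs["shortIds"], *keys.values(), profile.get("shortId")}
    findings = [f"example value still in place: {v}"
                for v in sorted(in_use & NOTE_EXAMPLES)]
    findings += [f"{name} is not a 43-character base64url key"
                 for name, key in keys.items() if not KEY_RE.fullmatch(key)]
    findings += [f"malformed shortId {sid!r}"
                 for sid in rs["shortIds"] if not SHORT_ID_RE.fullmatch(sid)]
    if profile.get("uuid") not in clients:
        findings.append("client uuid is not in the server's clients list")
    elif profile.get("flow", "") != clients[profile["uuid"]]:
        findings.append("flow differs between client and server")
    for field, allowed in (("sni", rs["serverNames"]), ("shortId", rs["shortIds"])):
        if profile.get(field) not in allowed:
            findings.append(f"client {field} is not accepted by the server")
    return findings

if __name__ == "__main__":
    print("\n".join(check_pair(SAMPLE_SERVER, SAMPLE_PROFILE)))
```

For a real deployment, pass `json.load()` of `/usr/local/etc/xray/config.json` as `server`; an empty result means the two sides agree on the checked fields.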

Notes

  • privateKey, UUID, and short id are secrets. Do not publish real values.
  • Time sync matters. If the client and server clocks are too far apart, debugging becomes confusing.
  • Start with a direct connection first. Add extra reverse proxies only after the base config works.