// This config is based on // https://github.com/XTLS/Xray-examples/blob/main/VLESS-TCP-XTLS-Vision-REALITY/REALITY.ENG.md { "log": { "access": "none", "error": "", "loglevel": "warning", "dnsLog": false }, // Turns on traffic statistics, see https://xtls.github.io/en/config/stats.html#statsobject // and https://xtls.github.io/en/config/policy.html#policyobject // and special "api" tag below "stats": { }, "policy": { "levels": { // default level "0": { "statsUserUplink": true, "statsUserDownlink": true } }, "system": { "statsOutboundUplink": true, "statsOutboundDownlink": true } }, // enables API interface https://xtls.github.io/en/config/api.html#apiobject "api": { "tag": "api", "services": [ "StatsService" ] }, // Forward each inbound connections to corresponding `outboundTag`. If no rules match, // the traffic is sent out by the first outbound in `outbounds` section. "routing": { "domainStrategy": "IPIfNonMatch", "rules": [ { "type": "field", "inboundTag": [ "api" ], "outboundTag": "api" }, // guide udp traffic to `block` outbound { "type": "field", "network": "udp", "outboundTag": "block" }, // block localhost connections through xray { "type": "field", "ip": [ "geoip:private" ], "outboundTag": "block" }, // guide bittorent traffic to `block` outbound { "type": "field", "protocol": [ "bittorrent" ], "outboundTag": "block" }, // block traffic to popular ports of torrent trackers // and to popular ports of torrent clients { "type": "field", "port": "6969,6881-6889", "outboundTag": "block" }, // block traffic from popular ports of torrent clients { "type": "field", "sourcePort": "6881-6889", "outboundTag": "block" }, // exceptions for *.ru websites that shouldn't be blocked { "type": "field", "domain": [ "ext:customgeo.dat:coherence-extra-exceptions" ], "outboundTag": "direct" }, // block domestic client traffic if it's coming somehow (e.g. wrong client config) { "type": "field", "domain": [ "geosite:cn", "domain:cn", // punycode for national Chinese top-level domains .中国, .中國, .公司, .网络 "domain:xn--fiqs8s", "domain:xn--fiqz9s", "domain:xn--55qx5d", "domain:xn--io0a7i", "domain:ru", // punycode for cyrillic Russian top-level domain .рф "domain:xn--p1ai", "domain:by", // punycode for national Belorussian top-level domain .бел "domain:xn--90ais", "domain:ir", // extra domains that are used by domestic sites, see https://github.com/EvgenyNerush/coherence-grabber/tree/main "ext:customgeo.dat:coherence-extra" ], "outboundTag": "block" }, { "type": "field", "ip": [ "geoip:cn", "geoip:ru", "geoip:by", "geoip:ir" ], "outboundTag": "block" } ] }, // server-side inbound configuration "inbounds": [ // gRPC API inbound, used to get statistics { "listen": "127.0.0.1", "port": 8080, "protocol": "dokodemo-door", "settings": { "address": "127.0.0.1" }, "tag": "api" }, // main inbound, clients connect to it { "listen": "0.0.0.0", "port": 443, "protocol": "vless", // VLESS settings "settings": { "clients": [ { // can be generated with `xray uuid` "id": "client_id", // some email; appears in logs "email": "client_email", // Optional; if specified, clients must enable XTLS. // XTLS is Xray's original technology, which doesn't encrypt TLS traffic (which is already encrypted), // providing outstanding performance and no fingerprints of double-encrypted TLS. // XTLS has the same security as TLS. // https://xtls.github.io/en/config/transport.html#streamsettingsobject "flow": "xtls-rprx-vision" } ], "decryption": "none" }, // settings of transport protocol, https://xtls.github.io/en/config/transport.html#streamsettingsobject "streamSettings": { "network": "tcp", "security": "reality", // REALITY fallback options; see also https://xtls.github.io/en/config/features/fallback.html "realitySettings": { // optional; if true, outputs debug information "show": false, // with failed authentication VLESS will forward traffic to this address "dest": "www.youtube.com:443", "xver": 0, // required; list of server names which client can provide to the server during the handshake. // (The internet provider sees "serverName" of client config in the client-server traffic, then a censor // can use this for active probing. Thus, this names should be in accordance with "dest" above.) "serverNames": [ "www.youtube.com" ], // required; generate with `xray x25519`; use paired publicKey in client configs "privateKey": "private_key", "shortIds": [ // required, list of shortIds available to clients, can be used to distinguish different clients "short_id" ] } }, // used to make transparent proxies, see https://xtls.github.io/en/config/inbound.html#sniffingobject "sniffing": { "enabled": true, "destOverride": [ "http", "tls" ], "routeOnly": true } }, // extra inbound; its main purpose is to get fallback to "dest" at port 80. Many regular websites // have open ports 80 (http) and 443 (https). { "listen": "0.0.0.0", "port": 80, "protocol": "vless", // VLESS settings "settings": { "clients": [ { // can be generated with `xray uuid` "id": "client_id", // some email; appears in logs "email": "client_email", // Optional; if specified, clients must enable XTLS. // XTLS is Xray's original technology, which doesn't encrypt TLS traffic (which is already encrypted), // providing outstanding performance and no fingerprints of double-encrypted TLS. // XTLS has the same security as TLS. // https://xtls.github.io/en/config/transport.html#streamsettingsobject "flow": "xtls-rprx-vision" } ], "decryption": "none" }, // settings of transport protocol, https://xtls.github.io/en/config/transport.html#streamsettingsobject "streamSettings": { "network": "tcp", "security": "reality", // REALITY fallback options; see also https://xtls.github.io/en/config/features/fallback.html "realitySettings": { // optional; if true, outputs debug information "show": false, // with failed authentication VLESS will forward traffic to this address "dest": "www.youtube.com:80", "xver": 0, // required; list of server names which client can provide to the server during the handshake. // (The internet provider sees "serverName" of client config in the client-server traffic, then a censor // can use this for active probing. Thus, this names should be in accordance with "dest" above.) "serverNames": [ "www.youtube.com" ], // required; generate with `xray x25519`; use paired publicKey in client configs "privateKey": "private_key", "shortIds": [ // required, list of shortIds available to clients, can be used to distinguish different clients "short_id" ] } }, // used to make transparent proxies, see https://xtls.github.io/en/config/inbound.html#sniffingobject "sniffing": { "enabled": true, "destOverride": [ "http", "tls" ], "routeOnly": true } }, // this inbound can be used with Nginx configured to listen grpc on IPv6 address; // vless can't give a reasonable fallback when used with grpc, but nginx can; // see 'CDN' section in Readme for details { "tag": "grpc", "listen": "127.0.0.1", "port": 50051, "protocol": "vless", "settings": { "clients": [ { "id": "client_id" } ], "decryption": "none" }, "streamSettings": { "network": "grpc", "grpcSettings": { // nginx config should contain `location /your_service_name` "serviceName": "your_service_name" } } } ], // server-side outbound configuration "outbounds": [ // direct connection; fallback, see `routing` section { "protocol": "freedom", "tag": "direct" }, // for that should be blocked { "protocol": "blackhole", "tag": "block" } ] }