// This config is based on
// https://github.com/XTLS/Xray-examples/blob/main/VLESS-TCP-XTLS-Vision-REALITY/REALITY.ENG.md
//
// Server-side Xray configuration: two VLESS inbounds secured with REALITY (ports 443 and 80),
// routing rules that send unwanted traffic to a blackhole outbound, and a direct outbound for
// everything else. "client_id", "private_key" and "short_id" are placeholders for credentials;
// keep the real values out of version control and readable only by the Xray service account.
{
  "log": {
    // "none" turns the access log off, so no per-connection records are kept on the server.
    // That limits the data stored at rest; it also means there is no connection audit trail.
    "access": "none",
    // empty path; NOTE(review): presumably sends the error log to standard output - confirm
    "error": "",
    "loglevel": "warning",
    // DNS queries are not logged
    "dnsLog": false
  },
  // Forward each inbound connection to the outbound named by the matching rule's `outboundTag`.
  // If no rule matches, the traffic is sent out by the first outbound in the `outbounds` section.
  "routing": {
    // When no domain rule matches, the domain is resolved and the IP rules are tried as well,
    // so the geoip blocks below also apply to requests that name a domain.
    "domainStrategy": "IPIfNonMatch",
    "rules": [
      // Drop UDP traffic to destination port 80.
      // NOTE(review): the reason is not stated in this file - confirm it is intended.
      {
        "type": "field",
        "port": "80",
        "network": "udp",
        "outboundTag": "block"
      },
      {
        "type": "field",
        "ip": [
          // Private and reserved address ranges (loopback, RFC 1918, link-local, ...), not only
          // localhost. Blocking them keeps clients from reaching services on this host or on the
          // server's internal network through the proxy.
          "geoip:private"
        ],
        "outboundTag": "block"
      },
      // Refuse BitTorrent. NOTE(review): protocol matching presumably depends on "sniffing"
      // being enabled on the inbound (it is, in both inbounds below) - confirm.
      {
        "type": "field",
        "protocol": [
          "bittorrent"
        ],
        "outboundTag": "block"
      },
      // Block traffic destined for domestic sites (CN, RU, BY, IR). Such traffic should not
      // arrive here at all; if it does, the likely cause is a wrong client config.
      // NOTE(review): presumably this also keeps the server from connecting back into those
      // networks - confirm the intent.
      {
        "type": "field",
        "domain": [
          "geosite:cn",
          // the xn-- entries are punycode-encoded internationalised top-level domains
          "domain:cn",
          "domain:xn--fiqs8s",
          "domain:xn--fiqz9s",
          "domain:xn--55qx5d",
          "domain:xn--io0a7i",
          "domain:ru",
          "domain:xn--p1ai",
          "domain:by",
          "domain:xn--90ais",
          "domain:ir",
          // Category "coherence-extra" from an external customgeo.dat asset that is not part of
          // this file. It has to be present in Xray's asset directory, and because it drives
          // routing decisions it should come from a source you trust and can verify.
          "ext:customgeo.dat:coherence-extra"
        ],
        "outboundTag": "block"
      },
      // Same block by destination IP, for requests that carry an address or whose domain
      // matched none of the rules above.
      {
        "type": "field",
        "ip": [
          "geoip:cn",
          "geoip:ru",
          "geoip:by",
          "geoip:ir"
        ],
        "outboundTag": "block"
      }
    ]
  },
  // server-side inbound configuration
  "inbounds": [
    // main inbound, clients connect to it
    {
      // listens on all IPv4 interfaces
      "listen": "0.0.0.0",
      "port": 443,
      "protocol": "vless",
      // VLESS settings
      "settings": {
        "clients": [
          {
            // Placeholder; generate a UUID with `xray uuid`. The id is what authenticates the
            // client, so treat the real value as a secret.
            "id": "client_id",
            // some email; appears in logs
            "email": "client_email",
            // Optional; if specified, clients must enable XTLS.
            // XTLS is Xray's own technology: it does not re-encrypt proxied traffic that is
            // already TLS-encrypted, which improves performance and avoids the traffic pattern
            // of TLS inside TLS. The Xray documentation describes XTLS as having the same
            // security as TLS.
            // https://xtls.github.io/en/config/transport.html#streamsettingsobject
            "flow": "xtls-rprx-vision"
          }
        ],
        // VLESS adds no encryption of its own; confidentiality depends on the "reality"
        // transport security configured in "streamSettings" below.
        "decryption": "none"
      },
      // settings of transport protocol, https://xtls.github.io/en/config/transport.html#streamsettingsobject
      "streamSettings": {
        "network": "tcp",
        "security": "reality",
        // REALITY fallback options; see also https://xtls.github.io/en/config/features/fallback.html
        "realitySettings": {
          // optional; if true, outputs debug information (keep false outside of troubleshooting)
          "show": false,
          // Connections that fail authentication are forwarded to this address. It is a
          // third-party host, so its availability and certificates are outside your control.
          "dest": "www.youtube.com:443",
          // PROXY protocol version sent to "dest"; 0 means it is not used
          "xver": 0,
          // required; list of server names which a client can present to the server during the
          // handshake. (The internet provider sees the "serverName" of the client config in the
          // client-server traffic, and a censor can use it for active probing. Thus, these names
          // should be consistent with "dest" above.)
          "serverNames": [
            "www.youtube.com"
          ],
          // required; placeholder, generate with `xray x25519` and use the paired publicKey in
          // client configs. The private key is a secret: do not commit the real value.
          "privateKey": "private_key",
          "shortIds": [
            // required; list of shortIds available to clients, can be used to distinguish
            // different clients
            "short_id"
          ]
        }
      },
      // Traffic sniffing, documented mainly for transparent proxies, see
      // https://xtls.github.io/en/config/inbound.html#sniffingobject
      // With "destOverride", when the start of a stream is recognised as HTTP, TLS or QUIC, the
      // connection's destination is replaced by the domain found in it.
      // NOTE(review): the domain rules in "routing" presumably benefit from this - confirm.
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls",
          "quic"
        ]
      }
    },
    // Extra inbound; its main purpose is to provide the fallback to "dest" on port 80. Many
    // regular websites have both port 80 (http) and port 443 (https) open.
    // NOTE(review): it uses the same placeholders as the main inbound; decide whether the two
    // inbounds should really share the client id, private key and short id.
    {
      // listens on all IPv4 interfaces
      "listen": "0.0.0.0",
      "port": 80,
      "protocol": "vless",
      // VLESS settings
      "settings": {
        "clients": [
          {
            // Placeholder; generate a UUID with `xray uuid`. The id is what authenticates the
            // client, so treat the real value as a secret.
            "id": "client_id",
            // some email; appears in logs
            "email": "client_email",
            // Optional; if specified, clients must enable XTLS.
            // XTLS is Xray's own technology: it does not re-encrypt proxied traffic that is
            // already TLS-encrypted, which improves performance and avoids the traffic pattern
            // of TLS inside TLS. The Xray documentation describes XTLS as having the same
            // security as TLS.
            // https://xtls.github.io/en/config/transport.html#streamsettingsobject
            "flow": "xtls-rprx-vision"
          }
        ],
        // VLESS adds no encryption of its own; confidentiality depends on the "reality"
        // transport security configured in "streamSettings" below.
        "decryption": "none"
      },
      // settings of transport protocol, https://xtls.github.io/en/config/transport.html#streamsettingsobject
      "streamSettings": {
        "network": "tcp",
        "security": "reality",
        // REALITY fallback options; see also https://xtls.github.io/en/config/features/fallback.html
        "realitySettings": {
          // optional; if true, outputs debug information (keep false outside of troubleshooting)
          "show": false,
          // Connections that fail authentication are forwarded to this address (plain HTTP
          // port of the same third-party host as the main inbound).
          "dest": "www.youtube.com:80",
          // PROXY protocol version sent to "dest"; 0 means it is not used
          "xver": 0,
          // required; list of server names which a client can present to the server during the
          // handshake. (The internet provider sees the "serverName" of the client config in the
          // client-server traffic, and a censor can use it for active probing. Thus, these names
          // should be consistent with "dest" above.)
          "serverNames": [
            "www.youtube.com"
          ],
          // required; placeholder, generate with `xray x25519` and use the paired publicKey in
          // client configs. The private key is a secret: do not commit the real value.
          "privateKey": "private_key",
          "shortIds": [
            // required; list of shortIds available to clients, can be used to distinguish
            // different clients
            "short_id"
          ]
        }
      },
      // Traffic sniffing, documented mainly for transparent proxies, see
      // https://xtls.github.io/en/config/inbound.html#sniffingobject
      // With "destOverride", when the start of a stream is recognised as HTTP, TLS or QUIC, the
      // connection's destination is replaced by the domain found in it.
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls",
          "quic"
        ]
      }
    }
  ],
  // server-side outbound configuration
  "outbounds": [
    // Direct connection. As the first outbound it also receives all traffic that no routing
    // rule matches.
    {
      "protocol": "freedom",
      "tag": "direct"
    },
    // Sink for traffic that the routing rules send to "block"; it is not forwarded anywhere.
    {
      "protocol": "blackhole",
      "tag": "block"
    }
  ]
}