Network Censorship Circumvention


XTLS Proxy Guide

XTLS REALITY is the best proxy protocol for bypassing censorship at home (ISP blocking), at school or work (e.g. Fortinet filtering), and in China, Russia, Iran etc. To the censor, your proxy traffic looks like an ordinary TLS connection to the unblocked domain you choose as the SNI. This guide uses the 3X-UI web panel to make setup and editing easier.

Requirements: a VPS or a home server. A VPS must have ports 443 and 2053 open to the internet; a home server must have those ports forwarded to the server machine.

Free Oracle VPS guide. Recommended OS: Ubuntu Server. A home server can only be used if there is no censorship at home, since the server itself needs an uncensored connection.

Use DigitalPlat for a free domain; fake info works. Do NOT choose an obvious proxy domain name (e.g. one containing xtls, proxy, bypass etc.).

This guide may be difficult for beginners who are self-hosting for the first time.

Server Side Method

If you open the panel in a browser before binding the domain with a certificate (step 8), the panel is served over plain HTTP, so your login and panel traffic are readable by anyone on the path, including your ISP. That means you risk being detected for bypassing censorship and could face legal trouble. Follow the steps in order.
  1. Open a terminal and SSH into your server machine: ssh ubuntu@publicip.
  2. Run sudo su.
  3. Run apt update, then apt upgrade.
  4. Run ufw allow 443/tcp and ufw allow 2053/tcp.
  5. Run curl https://raw.githubusercontent.com/mhsanaei/3x-ui/master/install.sh | bash. Note the green text containing the username and password towards the end of the install logs.
  6. Run x-ui and select Change Port (9), then enter port 2053. Port 2053 can be replaced with any port except 443 if required.
  7. Open the Cloudflare dashboard and select Onboard a domain. Type in your domain and skip the DNS-related steps. Paste the two nameservers into the DigitalPlat dashboard → My domains → Name Server 1 and Name Server 2.
  8. Bind the domain with a certificate to harden the panel to HTTPS: select Cloudflare SSL Certificate (19). The Global API Key is found here, and the registered email is the Cloudflare account email.
  9. Go to DNS → Records tab and click Add Record:
Type: A
Name: Can be anything; this will be the prefix for your domain (e.g. prefix.domain.qzz.io). Use @ for the root (no prefix).
Content: Public IP of the server machine

Leave the rest at the defaults, then click Save.

  10. Select View Current Settings (10) to get the web panel address and open the link. If you set a prefix in step 9, add it to the domain.
  11. Log in to the panel using the info from step 5, or reset it using Reset Username & Password (6).
  12. Go to the Inbounds tab and select Add Inbound:
Remark: XTLS REALITY
Port: 443
Protocol: vless
Security: Reality
Target: An unblocked domain:443 (e.g. www.microsoft.com:443)
SNI: An unblocked domain (e.g. www.microsoft.com)

Click Get New Cert, leave the rest at the defaults, then click Create.

  13. Click the + icon under the ID column next to the inbound you made. This lists all the accounts that can connect to your proxy. Optional: to add more clients, click the three-dots menu and select Add client.
  14. Click the QR code icon next to the user you want, then click the QR code itself on the right side to copy the config text to the clipboard.
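The panel fields above (Port, Protocol, Security, Target, SNI) are a thin layer over an Xray inbound. The following script is an added example, not code from the guide, 3X-UI or Xray: it renders the inbound JSON those fields correspond to and checks that the SNI is the host part of the Target, because REALITY relays the camouflage handshake to that target and the name must match what the target actually serves. Assumed: Xray's REALITY config keys (dest, serverNames, privateKey, shortIds), the xtls-rprx-vision flow value (the panel's default may differ), and placeholder UUID and private key values (generate a real key pair with xray x25519).

```shell
#!/usr/bin/env bash
# Added example (not the guide's, 3X-UI's or Xray's own code).
# Assumptions: Xray REALITY config keys; UUID and private key are placeholders.
set -eu

# Render the inbound JSON that the panel fields map to.
# $1 = client UUID, $2 = REALITY private key, $3 = Target (host:port), $4 = SNI
render_reality_inbound() {
  local uuid="$1" privkey="$2" target="$3" sni="$4"
  cat <<EOF
{
  "tag": "XTLS REALITY",
  "listen": "0.0.0.0",
  "port": 443,
  "protocol": "vless",
  "settings": {
    "clients": [ { "id": "${uuid}", "flow": "xtls-rprx-vision" } ],
    "decryption": "none"
  },
  "streamSettings": {
    "network": "tcp",
    "security": "reality",
    "realitySettings": {
      "show": false,
      "dest": "${target}",
      "xver": 0,
      "serverNames": [ "${sni}" ],
      "privateKey": "${privkey}",
      "shortIds": [ "" ]
    }
  }
}
EOF
}

# The SNI must equal the host part of the Target; otherwise the handshake is
# forwarded to a site that does not answer for that name and clients fail.
# Prints "ok" and returns 0, or prints the mismatch and returns 1.
check_target_matches_sni() {
  local target="$1" sni="$2"
  local host="${target%:*}"
  if [ "$host" = "$sni" ]; then
    echo "ok"
  else
    echo "SNI '$sni' does not match target host '$host'"
    return 1
  fi
}

# Demo with constructed placeholder values (replace before real use).
check_target_matches_sni "www.microsoft.com:443" "www.microsoft.com"
render_reality_inbound "00000000-0000-0000-0000-000000000000" \
  "PLACEHOLDER_PRIVATE_KEY_REPLACE_ME" "www.microsoft.com:443" "www.microsoft.com"
```

Run it to see the JSON; if you later edit the inbound by hand in Xray rather than through the panel, the same Target/SNI agreement check applies.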

Client Side Method

Requirement: Proxy Client

Your client must support the Xray core. Recommended: v2rayN (PC), NekoBox (Android), V2Box (iOS).

  1. Open your client and either scan the QR code or import the config text from the clipboard.

Home Server Info

  • The minimum requirements to run the server are 1 GB RAM, 15 GB storage and 1 CPU core. You could therefore run the server in a virtual machine alongside your primary OS, dual boot and switch to the server when you leave home, or use a cheap Raspberry Pi.
  • Enable the BIOS option to boot the computer when power is reconnected. This ensures your PC comes back up on its own after a power outage.
  • In the modem's web panel, go to the DHCP tab and set a static private IP for your server computer. This keeps the port forwarding rules pointed at your server even after a modem restart.

Dynamic DNS

Your public IP usually changes when the modem is restarted. Automatically update the domain's DNS record so it stays pointed at your home IP.

  1. Run git clone https://github.com/K0p1-Git/cloudflare-ddns-updater.
  2. Run nano cloudflare-ddns-updater/cloudflare-template.sh to edit the script and fill in the required lines.
  3. Run crontab -e.
  4. Add this line: 0 * * * * /bin/bash cloudflare-ddns-updater/cloudflare-template.sh. This runs the script hourly to set the IP in DNS. Cron runs jobs from your home directory, so the relative path works when the repository was cloned there; otherwise use the absolute path.
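To make clear what the cron job above is doing, here is an added, minimal DDNS updater written for this guide; it is not the cloudflare-ddns-updater script itself. It looks up the public IP, compares it with the last value written (cached on disk), and only then PATCHes the A record through the Cloudflare v4 API. Assumed: the api.ipify.org lookup service, a Cloudflare API token with DNS edit permission, and the ZONE_ID, RECORD_ID, RECORD_NAME, CF_API_TOKEN and PROXIED environment variables, all placeholders you fill in. Keep PROXIED equal to the record's current proxy status so the update does not silently change how the domain is served.

```shell
#!/usr/bin/env bash
# Added example (not the cloudflare-ddns-updater script from the guide).
# Assumptions: Cloudflare v4 API PATCH on dns_records; ZONE_ID, RECORD_ID,
# RECORD_NAME, CF_API_TOKEN and PROXIED are placeholders from the environment.
set -eu

# Accept only a dotted-quad IPv4 address, so a broken lookup (HTML error page,
# empty reply) never gets written into DNS.
is_ipv4() {
  case "$1" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  local IFS=. n
  set -- $1
  [ $# -eq 4 ] || return 1
  for n in "$@"; do [ "$n" -le 255 ] || return 1; done
}

# Decide whether to call the API: only for a valid IP that differs from the
# cached one. Prints "update" or "skip".
needs_update() {
  local current="$1" cached="$2"
  if ! is_ipv4 "$current"; then echo "skip"; return 0; fi
  if [ "$current" = "$cached" ]; then echo "skip"; else echo "update"; fi
}

# JSON body for the PATCH request; proxied must match the record's current state.
dns_payload() {
  local name="$1" ip="$2" proxied="$3"
  printf '{"type":"A","name":"%s","content":"%s","ttl":1,"proxied":%s}' \
    "$name" "$ip" "$proxied"
}

# Public IP lookup (assumption: this service; any plain-text "what is my IP" works).
current_public_ip() {
  curl -fsS --max-time 10 https://api.ipify.org
}

# Network call; only reached from main when an update is needed.
update_record() {
  curl -fsS -X PATCH \
    "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records/${RECORD_ID}" \
    -H "Authorization: Bearer ${CF_API_TOKEN}" \
    -H "Content-Type: application/json" \
    --data "$(dns_payload "$RECORD_NAME" "$1" "${PROXIED:-false}")"
}

main() {
  local cache="${HOME}/.ddns-last-ip" ip cached
  ip="$(current_public_ip)"
  cached="$(cat "$cache" 2>/dev/null || true)"
  case "$(needs_update "$ip" "$cached")" in
    update) update_record "$ip" && printf '%s\n' "$ip" > "$cache" ;;
    skip)   echo "no change ($ip)" ;;
  esac
}

# Run only when DDNS_RUN=1, so sourcing the file for its functions does no network I/O.
if [ "${DDNS_RUN:-0}" = 1 ]; then
  main
fi
```

Schedule it the same way as the guide's script (an hourly crontab entry with DDNS_RUN=1 and the absolute path); the cache file keeps the job from hitting the API every hour when nothing has changed.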

Port Forwarding

  1. Run ip addr in a terminal and note your device's private IP address.
  2. Open your modem's web panel.
  3. Go to the Port Forwarding (aka Port Mapping) tab.
  4. Create two rules, one for UDP and one for TCP. In each rule, enter the server's private IP address and use 443 for both the private (internal) and public (external) port.
  5. Repeat for the panel port.
Your panel may allow setting both protocols in one rule. A whitelisted public IP is optional.

Credits

Huge shoutout to Zenith Rifle for teaching me.