Network Censorship Circumvention


XTLS Proxy Guide

XTLS REALITY is the best and strongest proxy protocol for bypassing censorship at home (ISP blocking), school/work (e.g. Fortinet), China, Russia, Iran, etc. It makes your proxy traffic look like an ordinary TLS connection to an unblocked site, the one whose SNI you choose. This guide uses the 3X-UI web panel to make setup and editing easier.

If the environment you are trying to bypass is home, school, or work, you should first try free VPNs such as WARP, Proton, Windscribe, or Psiphon.

Requirements: A VPS or home server with ports 443 and 2053 open to the internet.

Free Oracle VPS guide. Recommended OS = Ubuntu Server.

Home Server Info

Use DigitalPlat for a free domain; fake info works. Do NOT choose an obvious proxy domain name (e.g. xtls, proxy, bypass, etc.).

This guide may be difficult for beginners self-hosting for the first time. It may be easier to buy from proxy sellers (aka ‘机场’ for China) online.

Server Side Method

If you open the panel in a browser before binding the domain with a certificate (step 7), the panel will be served over plain HTTP. This means you risk being detected for bypassing censorship and could face legal trouble. Ensure you follow the steps in order.
Port 2053 can be replaced with any port except 443 if required.

  1. SSH into your server machine from a terminal: ssh ubuntu@publicip.
  2. Run sudo su.
  3. Run apt update, then apt upgrade.
  4. Run ufw allow 443/tcp and ufw allow 2053/tcp.
  5. Run curl https://raw.githubusercontent.com/mhsanaei/3x-ui/master/install.sh | bash. Note the green text containing the login username and password towards the end of the install logs.
  6. Run x-ui and select Change Port (9), then enter port 2053.
  7. Bind the domain with a certificate so the panel is served over HTTPS. Select Cloudflare SSL Certificate (19).
  8. Open the Cloudflare dashboard and select Onboard a domain. Type in your domain and skip the DNS-related steps. Paste the two nameservers into the DigitalPlat dashboard → My domains → Name Server 1 and Name Server 2. The Global API Key is found in your Cloudflare profile under API Tokens, and the registered email is the Cloudflare account email.
  9. Go to DNS → Records Tab. Click Add Record.
  • Run curl https://ipinfo.io/ip on the server to find its public IP.
Type: A
Name: files
Content: <Public IP of server machine>

Name can be anything; this will be your domain prefix. Disable Proxied, leave TTL as default, then click Save.

  10. Go to DNS → Records Tab. Click Add Record.
Type: CNAME
Name: @
Content: files.<yourdomain> # (e.g. files.domain.qzz.io)

Enable Proxied, leave TTL as default, then click Save.

  11. Select View Current Settings (10) for the web panel address and open the link.
  12. Log in to the panel using the info from step 5, or reset it using Reset Username & Password (6).
  13. Go to the Inbounds tab. Select Add Inbound.
Remark: XTLS REALITY
Port: 443
Protocol: vless
Security: Reality
Target: An unblocked domain:443 # (e.g. www.microsoft.com:443)
SNI: An unblocked domain # (e.g. www.microsoft.com)

Click Get New Cert, leave the rest as default, then click Create.

  14. Click the + icon next to the inbound you have made under the ID column. This shows you all the accounts that can connect to your proxy. Optional: to add more clients, click the 3-dots menu and click Add client.
  15. Click the QR code icon next to the user you want. Click the QR code itself on the right side to copy the client config text to the clipboard.

Client Side Method

Requirement: Proxy Client

Your client must support the xray core. Recommended: v2rayN (PC), Nekobox (Android), V2Box (iOS).

  1. Open your client and select Scan the QR code, or import the client config text from the clipboard (from step 15).
  2. Edit the imported server config and add the prefix (from step 10) to the Server Address (e.g. files.domain.qzz.io).

Home Server Info

  • Minimum requirements to run the server are 1GB RAM, 15GB storage, and 1 CPU core. Therefore you could run the server on a virtual machine alongside your primary OS, dual boot and switch to the server when you leave home, or use a cheap Raspberry Pi.
  • Enable "boot computer when power is reconnected" within the BIOS settings. This ensures your PC comes back on after a power outage.
  • Within the modem web panel, go to the DHCP tab. Set a static private IP for your server computer. This ensures port forwarding stays pointed at your server even after a modem restart. A home server can only be used if there is no censorship at home.

Dynamic DNS

Your public IP usually changes when the modem is restarted. Auto-update the domain's DNS record so it stays pointed at your home IP.

  1. Run git clone https://github.com/K0p1-Git/cloudflare-ddns-updater.
  2. Run nano cloudflare-ddns-updater/cloudflare-template.sh to edit the script. Fill in the required lines using the A record from step 9.
  3. Run crontab -e.
  4. Add this line: 0 * * * * /bin/bash cloudflare-ddns-updater/cloudflare-template.sh. This is an hourly schedule to set the IP within DNS (the path is relative to your home directory, which is where cron runs the job and where the repo was cloned).
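The updater below is an added example to show what the cron job needs to do; it is not the guide's script and not K0p1-Git's cloudflare-ddns-updater. It differs from the guide in one respect: it assumes a scoped Cloudflare API token (DNS:Edit on the one zone) instead of the Global API Key, so a leaked token cannot touch the rest of the account. CF_ZONE_ID, CF_RECORD_ID, CF_API_TOKEN, RECORD_NAME and STATE_FILE are hypothetical values you fill in; the record is the A record from step 9. It validates the IP it receives and only calls the API when the IP has actually changed since the last successful update.

```shell
#!/bin/sh
# Added example (not the guide's or K0p1-Git's script): minimal Cloudflare DDNS
# updater that only touches the DNS record when the public IP changes.
# All values below are hypothetical placeholders; set them for your own zone.

STATE_FILE="${STATE_FILE:-$HOME/.cf-ddns-last-ip}"
RECORD_NAME="${RECORD_NAME:-files.example.qzz.io}"   # full name of the A record
CF_ZONE_ID="${CF_ZONE_ID:-ZONE_ID_PLACEHOLDER}"
CF_RECORD_ID="${CF_RECORD_ID:-RECORD_ID_PLACEHOLDER}"
CF_API_TOKEN="${CF_API_TOKEN:-TOKEN_PLACEHOLDER}"     # scoped token, DNS:Edit only

# Accept only a well-formed dotted-quad IPv4. An error page or garbage from the
# IP lookup service must never be written into DNS.
valid_ipv4() {
  ip="$1"
  case "$ip" in
    *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
  esac
  old_ifs="$IFS"; IFS='.'
  set -- $ip
  IFS="$old_ifs"
  [ $# -eq 4 ] || return 1
  for octet; do [ "$octet" -le 255 ] || return 1; done
  return 0
}

# True (exit 0) when the IP differs from the one recorded at the last
# successful update, or when no record exists yet.
ip_changed() {
  last=""
  [ -r "$STATE_FILE" ] && last=$(cat "$STATE_FILE")
  [ "$1" != "$last" ]
}

# JSON body for the Cloudflare DNS record update. proxied stays false because
# REALITY clients must reach the server IP directly, not through Cloudflare.
build_payload() {
  printf '{"type":"A","name":"%s","content":"%s","ttl":1,"proxied":false}' "$RECORD_NAME" "$1"
}

update_record() {
  curl -fsS -X PATCH \
    "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/dns_records/$CF_RECORD_ID" \
    -H "Authorization: Bearer $CF_API_TOKEN" \
    -H "Content-Type: application/json" \
    --data "$(build_payload "$1")" >/dev/null
}

main() {
  ip=$(curl -fsS https://ipinfo.io/ip) || { echo "ip lookup failed" >&2; return 1; }
  valid_ipv4 "$ip" || { echo "unexpected lookup answer: $ip" >&2; return 1; }
  if ip_changed "$ip"; then
    # Record the IP only after the API call succeeded, so a failed update is retried next hour.
    update_record "$ip" && printf '%s\n' "$ip" > "$STATE_FILE"
  fi
}

# Run the update only when invoked as `ddns.sh run`, e.g. from the crontab line above.
case "${1:-}" in run) main ;; esac
```

The state file is what keeps the job quiet: with the hourly schedule from step 4, an unchanged IP produces no API traffic at all, and a change is pushed within the hour.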

Port Forwarding

Ports must be forwarded to be open to the internet.

  1. Run ip addr in the terminal. Note your device's private IP address, which is on the line starting with inet.
  2. Open your modem's web panel.
  3. Go to the Port Forwarding (aka Port Mapping) tab.
  4. Create two rules: one for UDP and one for TCP. For each rule, enter the private IP address and the private and public port, all 443.
  5. Repeat for the panel port, 2053.
Your panel may allow setting both protocols in one rule. Whitelisted Public IP is optional.
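Once the rules exist, it is worth confirming that 443 and 2053 are the only services on the server that are bound to every interface, since anything else listening on 0.0.0.0 or [::] becomes reachable the moment it is forwarded. The check below is an added example, not part of the guide: it parses the output of ss -tlnH (a real iproute2 command; the H flag drops the header) and reports wildcard listeners outside the expected set. The SAMPLE lines are constructed to look like ss output and are not captured from a real host; EXPECTED_PORTS defaults to the two ports the guide forwards, so add 22 if you manage the box over SSH from the internet.

```shell
#!/bin/sh
# Added example (not from the guide): flag listening TCP ports that are bound
# to a wildcard address and are not among the ports you intended to expose.

EXPECTED_PORTS="${EXPECTED_PORTS:-443 2053}"   # 443 = REALITY inbound, 2053 = panel

# Read `ss -tlnH` style lines on stdin:
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
# and print the ports whose local address is a wildcard (0.0.0.0, [::] or *).
# Sockets bound to 127.0.0.1 are not reachable through port forwarding and are skipped.
wildcard_ports() {
  awk '{
    port = $4; sub(/.*:/, "", port)          # text after the last colon
    addr = $4; sub(/:[^:]*$/, "", addr)      # text before the last colon
    if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") print port
  }' | sort -un
}

# Print every wildcard port that is not in EXPECTED_PORTS.
unexpected_ports() {
  for p in $(wildcard_ports); do
    ok=0
    for e in $EXPECTED_PORTS; do [ "$p" = "$e" ] && ok=1; done
    [ "$ok" = 1 ] || echo "$p"
  done
}

# Exit 1 (listing the offenders on stderr) when something unexpected is exposed.
check() {
  extra=$(unexpected_ports)
  if [ -n "$extra" ]; then
    echo "unexpected wildcard listeners: $extra" >&2
    return 1
  fi
  return 0
}

# Constructed sample in the shape of `ss -tlnH`; not output from a real host.
# The sshd line on 0.0.0.0:22 is the kind of thing this check is meant to surface.
SAMPLE='LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:2053 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 [::]:443 [::]:*'

case "${1:-}" in
  live)   ss -tlnH | check ;;                   # run against this host
  sample) printf '%s\n' "$SAMPLE" | check ;;    # run against the constructed sample
esac
```

Run it as `sh check-ports.sh live` on the server after step 5; a clean run prints nothing and exits 0. Pair it with ufw status to make sure the host firewall and the modem's forwarding rules agree on the same two ports.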

Credits

Huge shoutout to Zenith Rifle for teaching me.

Support requests are not permitted in the guide’s comments and will be removed. For support, please use the FMHY Discord server. Feedback for the guide is welcome here.