How to make and configure your own VPN

This article is an extended tutorial on how to install and configure your own VPN on VLESS with XTLS-Reality, managed through the 3x-UI web panel.

Why this particular protocol?

The peculiarity of VLESS-Reality is this: the client's HTTPS traffic is carried to our pre-prepared foreign server (VPS), which acts as a proxy. From the outside the connection looks like an ordinary TLS connection to some popular site, say www.google.com, but inside the standard TLS handshake the client performs a hidden authentication (it proves knowledge of the server's public key and a short ID), thanks to which the server understands that this is its own client.

And if someone (read: Roskomnadzor, RKN) tries to connect to our "site" without that authentication (an attack known as Active Probing), the server simply forwards the handshake to the real www.google.com, and in return the prober receives Google's genuine certificate and a normal Google response. RKN will think that our server is just a Google server, and not a VPN, and will not block anything.

In addition, the HTTPS traffic that is passed through the proxy is already encrypted, so it needs no additional layer of encryption (this is what the xtls-rprx-vision flow takes care of), and deep packet inspection (DPI) sees only an ordinary TLS 1.3 connection to a popular site. Accordingly, it has no reason to suspect us of anything.

  • Some will ask why not AmneziaWG or the famous Shadowsocks: because during large-scale blocking, everything that doesn't look like HTTPS can go under the knife.

I want to set up a server with XTLS-Reality, how can I do this as correctly as possible?

The essence of Reality is to disguise itself as some popular site, so when you go down this road you need to make sure that your IP (the IP of your VPS) behaves as identically as possible to the real server you are pretending to be. If that "real" server listens on port 80 (plain HTTP), then you also need nginx or a firewall rule on your VPS that forwards HTTP requests to the original server. If the "real" server doesn't accept SSH connections on the standard port 22, then yours shouldn't either (move sshd to another port or restrict it to your own addresses).
If your hoster lets you set reverse-DNS records for an IP address, make sure the default value (usually a name in the hoster's domain) isn't left there, but set the reverse DNS to the name that the IP address of the resource you are masquerading as resolves to.
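To make the checks above repeatable, here is an added example (not code from the original article or from the Xray project) that looks at your VPS from the outside and compares it with the site you masquerade as: which certificate is served for the chosen SNI, which of a few common ports are open, and what the reverse DNS says. It uses only the Python standard library; the VPS address 203.0.113.10 and www.yahoo.com are placeholders, and the profile dictionaries used in the comparison are constructed for the example.

```python
import hashlib
import socket
import ssl
import sys
from typing import Dict, List, Optional


def tls_fingerprint(host: str, sni: str, port: int = 443, timeout: float = 5.0) -> Optional[str]:
    """SHA-256 of the leaf certificate `host` presents when greeted with `sni`.
    Returns None when the port is closed or the TLS handshake fails."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # we compare raw fingerprints ourselves
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                der = tls.getpeercert(binary_form=True)
    except (OSError, ssl.SSLError):
        return None
    return hashlib.sha256(der).hexdigest() if der else None


def port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connect to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def reverse_dns(ip: str) -> Optional[str]:
    """PTR name for an IP, or None if there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def observe(host: str, sni: str, ports=(22, 80, 443)) -> Dict:
    """Externally visible profile of one host (needs network access)."""
    ip = socket.gethostbyname(host)
    return {
        "cert": tls_fingerprint(ip, sni),
        "ports": {p: port_open(ip, p) for p in ports},
        "rdns": reverse_dns(ip),
    }


def _state(flag: Optional[bool]) -> str:
    return "open" if flag else ("closed" if flag is False else "unchecked")


def masquerade_diff(ours: Dict, target: Dict) -> List[str]:
    """Pure comparison of two profiles; returns human-readable mismatches."""
    problems = []
    if ours["cert"] != target["cert"]:
        problems.append("TLS certificate differs (is Dest/SNI set to the real site?)")
    for port, open_there in target["ports"].items():
        open_here = ours["ports"].get(port)
        if open_here != open_there:
            problems.append(f"port {port}: {_state(open_there)} on the target, "
                            f"{_state(open_here)} on the VPS")
    if ours["rdns"] != target["rdns"]:
        problems.append(f"reverse DNS differs: {ours['rdns']!r} vs {target['rdns']!r}")
    return problems


if __name__ == "__main__":
    # usage: python masq_check.py 203.0.113.10 www.yahoo.com   (placeholder addresses)
    if len(sys.argv) != 3:
        sys.exit("usage: masq_check.py <vps-ip> <masqueraded-site>")
    vps, site = sys.argv[1], sys.argv[2]
    problems = masquerade_diff(observe(vps, site), observe(site, site))
    print("\n".join(problems) if problems else "VPS profile matches the target")
```

Run it from a machine outside the VPS. A certificate mismatch usually means Dest or the SNI list is wrong; a port mismatch is the nginx/firewall or sshd adjustment described above. Sites served from a CDN may present different certificates from different edge nodes, so compare against the node your VPS actually reaches before treating a certificate difference as a configuration error.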

Is it true that VLESS does not use encryption and is therefore unsafe for sensitive data?

No. The fact that VLESS provides no encryption at the protocol level does not mean the data goes over the wire unencrypted. In this setup VLESS runs inside the TLS 1.3 session that Reality establishes; the traffic is encrypted by TLS, not by VLESS itself, and the HTTPS connections you proxy stay end-to-end encrypted on top of that. The one thing not to do is run VLESS over plain TCP without TLS or Reality: then it really is cleartext.

Which is better: XTLS-Reality, or VLESS + XTLS-Vision over ordinary TLS with your own domain?

XTLS-Reality has two advantages. First, it is easy to set up: you don't need a domain, certificates and so on. Second, because it can masquerade as any popular site, it can be used to get through censors' white lists. In Iran, for example, for a long time everything was blocked or throttled on the slightest suspicion, but yahoo.com was on the white list, and proxies masquerading as it worked.

Now let's get to installing and minimally configuring a VPN with your own hands.

Hosting for VPN

There are many hosting providers, some of them cheaper, but in this article we'll look at installation on aeza.net. Its advantages: top-up via SBP and Russian bank cards of all stripes; a server with 3x-UI installed in a couple of clicks, after which only a little configuration of the preset and the keys is needed.

Registration and ordering the server

First of all, register (the login details will also be sent to your email) and enter the control panel, then top up the balance in whatever way is convenient for you; for citizens of the Russian Federation everything is covered: as written above, top-up via SBP and Russian bank cards of all stripes.

Next, in the sidebar under the aeza logo, select "Virtual Server"; from this point the configuration of our future server begins.

Name: doesn't matter, optional

Selecting a location: Amsterdam

Tariff selection: Shared – tariff NLs-1

Selecting an operating system and software: under preinstalled software, look for "3x-UI Ubuntu 22.04"

Selecting a payment period and placing an order: I pay monthly; you never know what will happen to the hosting provider.

Backups: disable (they are not necessary for our needs)

Server name, location selection and tariff

Selecting an operating system, payment period and backups

Installation

After successfully registering and paying for the server, go to the "My Services" section (in the sidebar), then click on our server's name with the flag to get to a page with a brief summary of the server:

At this stage we are only interested in the IP address, username and password.

Connecting via SSH to the server

I'll walk through the connection on three different OSes in parallel, indicating for each which command to enter and at what stage.

Linux:

$ ssh username@ip-address -p 22

Where username is the administrator's login on the server, and ip-address is, accordingly, its IP address.

Windows:

For some time now it has also been possible to connect via SSH from Windows using the command line. Previously, third-party applications were used for this (PuTTY, Cygwin and others), but Windows 10 added a built-in OpenSSH client that works the same way as on Linux.

The only difference is that this component may not be installed by default; to start using it, you have to enable it in Settings.

To do this, take several steps:

  1. Open Settings – Apps.

  2. Select the "Optional features" sub-item.

  3. Find "OpenSSH Client" in the list and click "Install". If there is no such button, the client is already enabled.

  4. After installation, restart your computer.

Now you need to open the command line. You can find it through search or press Win+R, enter “cmd” in the field and Enter. In this case, the process of connecting via SSH in Windows and Linux will be identical.

macOS: open Terminal and run the same command:

ssh username@ip-address -p 22

So, if you see “Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-113-generic x86_64)” in the command line, then you are on the right track and everything is going well, then enter the command:

nano 3x-ui.txt

We will see three lines that matter to us: URL, Login, Password.

Open a browser and paste your link into the address bar; in my case it's:

http://77.221.154.202:16068

You will be greeted with an authorization window

Enter the username and password that we obtained with the command nano 3x-ui.txt and we get to the control panel. Change the panel password right away in the panel settings (and preferably the panel port and path as well): the panel is reachable over plain HTTP on a port anyone can scan for, and its default credentials sit in a text file on the server. The next step is to create a key and set up the configuration.

The window that will greet us after successful authorization

Go to the "Connections" section (Inbounds in the English UI) – "Add connection" (Add Inbound)

Ignore the fact that I already have a client listed; in your case the list will be empty.

Setting up VLESS with XTLS-Reality

The required preset; use it as an example

Remark (note): a name for convenient identification of keys in the control panel (worth filling in if you are going to hand out different keys)

Protocol: vless

Listen IP: leave it blank, as in the screenshot above (the inbound then listens on all addresses)

Port: by default you will have a certain value set, erase it and set it to 443

We’ll return to the “Client” tab a little later, for now we’ll move on below:

Transmission (transport): TCP (we leave everything below as default)

Security: REALITY

  • xVer — leave the value 0;

  • uTLS — the browser TLS fingerprint the client will imitate in its ClientHello. I recommend Chrome, because it is the most common one;

  • Dest — destination: the domain and port of the site we masquerade as; it must serve TLS 1.3, because Reality forwards unauthenticated handshakes there. I left yahoo.com:443;

  • SNI – the domain names under which we masquerade; they must be names covered by Dest's certificate. Set them to match Dest: yahoo.com, www.yahoo.com;

  • Short ID — a random hexadecimal identifier (up to 16 hex characters) generated automatically; the client must present one of the listed values. Despite the neighbouring fields, it is not a key;

  • Private Key and Public Key – don't type anything, just press the Get New Keys button and an X25519 key pair will be generated. The private key stays in the server config; the public key goes into the client's key;

  • Sniffing, HTTP, TLS, QUIC, FAKEDNS – leave it as default.

Client setup:

Email: like the Remark, just a name for convenience (it doesn't have to be a real address);

Flow: select xtls-rprx-vision from the list.

We don’t touch the rest, leave it as default and click on “Create” (the key is ready)

For ease of connection from mobile devices, click on “+” on the client and a QR code icon will appear in front of us, click and save:

To get a text key, click on the “i” icon
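What the panel form and the "i" button produce underneath is an Xray config plus a vless:// share link. The following is an added example, not code from the original article, 3x-UI or Xray: it builds the server inbound and the client outbound that correspond to the settings above, validates the fields the form accepts silently (Dest format, SNI belonging to Dest, Short ID as even-length hex, Vision only over TCP), and encodes and decodes the share link in the widely used vless:// convention. The UUID, key pair and the address 203.0.113.10 are placeholders; real keys come from the panel's Get New Keys button or `xray x25519`.

```python
import json
import secrets
import uuid
from urllib.parse import parse_qs, quote, unquote, urlencode, urlparse

FLOW = "xtls-rprx-vision"       # the Flow chosen in the Client tab
HEX = set("0123456789abcdef")


def new_short_id(nbytes: int = 8) -> str:
    """Reality shortId: 0..8 random bytes as lowercase hex (0..16 characters).
    It is an identifier the client must present, not a key."""
    if not 0 <= nbytes <= 8:
        raise ValueError("a shortId is at most 8 bytes")
    return secrets.token_hex(nbytes)


def validate(dest: str, server_names, short_ids, network: str = "tcp") -> None:
    """Reject the mistakes the panel form accepts silently."""
    host, _, port = dest.rpartition(":")
    if not host or not port.isdigit():
        raise ValueError("dest must be host:port, e.g. yahoo.com:443")
    for name in server_names:
        # heuristic: an SNI must be a name the dest's certificate plausibly covers
        if not (name == host or host.endswith("." + name) or name.endswith("." + host)):
            raise ValueError(f"serverName {name!r} does not belong to dest {host!r}")
    for sid in short_ids:
        if len(sid) % 2 or len(sid) > 16 or set(sid) - HEX:
            raise ValueError(f"bad shortId {sid!r}: even-length lowercase hex, max 16 chars")
    if network != "tcp":
        raise ValueError(f"{FLOW} only works over plain TCP")


def server_inbound(client_id, private_key, dest, server_names, short_ids, port=443, email="vpn"):
    """Xray inbound equivalent to the panel form: VLESS + TCP + REALITY, xver 0."""
    validate(dest, server_names, short_ids)
    return {
        "listen": "0.0.0.0", "port": port, "protocol": "vless",
        "settings": {"clients": [{"id": client_id, "flow": FLOW, "email": email}],
                     "decryption": "none"},                 # VLESS itself never encrypts
        "streamSettings": {
            "network": "tcp", "security": "reality",
            "realitySettings": {"show": False, "dest": dest, "xver": 0,
                                "serverNames": list(server_names),
                                "privateKey": private_key,  # never leaves the server
                                "shortIds": list(short_ids)}},
        "sniffing": {"enabled": True, "destOverride": ["http", "tls", "quic", "fakedns"]},
    }


def client_outbound(address, client_id, public_key, sni, short_id, port=443, fingerprint="chrome"):
    """Matching Xray outbound for a client device."""
    return {
        "protocol": "vless",
        "settings": {"vnext": [{"address": address, "port": port,
                                "users": [{"id": client_id, "encryption": "none", "flow": FLOW}]}]},
        "streamSettings": {
            "network": "tcp", "security": "reality",
            "realitySettings": {"serverName": sni, "fingerprint": fingerprint,
                                "publicKey": public_key, "shortId": short_id, "spiderX": "/"}},
    }


def share_link(address, client_id, public_key, sni, short_id, port=443, fingerprint="chrome", remark=""):
    """vless:// text key in the form shown by the panel's "i" button."""
    query = urlencode({"type": "tcp", "security": "reality", "pbk": public_key, "fp": fingerprint,
                       "sni": sni, "sid": short_id, "spx": "/", "flow": FLOW})
    return f"vless://{client_id}@{address}:{port}?{query}#{quote(remark)}"


def parse_share_link(link: str) -> dict:
    """Inverse of share_link: what a client app reads out of the text key."""
    u = urlparse(link)
    if u.scheme != "vless" or not u.username:
        raise ValueError("not a vless:// share link")
    fields = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {"id": u.username, "address": u.hostname, "port": u.port,
            "remark": unquote(u.fragment), **fields}


if __name__ == "__main__":
    # placeholders: replace with the panel's values or `xray uuid` / `xray x25519` output
    client_id = str(uuid.uuid4())
    priv, pub = "<Private key from xray x25519>", "<Public key from xray x25519>"
    sid = new_short_id()
    print(json.dumps(server_inbound(client_id, priv, "yahoo.com:443",
                                    ["yahoo.com", "www.yahoo.com"], [sid]), indent=2))
    print(json.dumps(client_outbound("203.0.113.10", client_id, pub, "www.yahoo.com", sid), indent=2))
    print(share_link("203.0.113.10", client_id, pub, "www.yahoo.com", sid, remark="my vpn"))
```

The asymmetry is the point worth noticing: only the public key, the short ID and the SNI travel in the share link, while the private key exists only in the server inbound. Anyone who obtains the link can use the VPN, so treat the text key and the QR code as secrets in their own right.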

The key is ready; now you need to decide on a client to connect with. My main OS is macOS, where I can recommend FoXray (for macOS 13.1 and newer); if you have an older OS, I recommend using V2Box. On iOS I also advise installing FoXray, but there are plenty of other clients.

  • Windows: InvisibleMan-XRay – expand Assets on the release page and pick the zip you need: x64 for 64-bit systems, x86 for 32-bit ones. There are other, more stable clients.

  • Android: NekoBox – expand Assets on the release page and there will be an apk. Pick arm64. At the time of writing, the latest release was called NB4A-1.3.1-arm64-v8a.apk

Even more educational content from the world of OSINT in the Telegram channel – @secur_researcher
