Xray Vmess + TLS + WS with Self-Signed Certificate

Xray is a fork of V2Ray. By following this post, you can create an Xray Vmess + TLS + WebSocket server without having to buy a domain name.

The server in this post runs Debian 11, and the client runs Windows 11.

Install Nginx on Server

apt install nginx

Create Self-Signed Certificate

Create a directory to hold your certificate:

mkdir /etc/openssl

Change into the directory that will hold your certificate:

cd /etc/openssl

Generate a private key for your certificate:

openssl ecparam -out example.com.key -name secp384r1 -genkey

Generate a certificate signing request:

openssl req -new -sha256 -key example.com.key -out example.com.csr

Enter anything you like for Country Name, State or Province Name, Locality Name, Organization Name, and Organizational Unit Name. For example:

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:NSW
Locality Name (eg, city) []:Sydney
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:

For Common Name, put example.com.

Leave Email Address blank.

Leave the ‘extra’ attributes (challenge password and company name) blank.

Sign the certificate signing request, creating your certificate:

openssl x509 -req -sha256 -days 365 -in example.com.csr -signkey example.com.key -out example.com.crt

Make the server private key readable by all users:

chmod +r example.com.key
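
The certificate steps above as a non-interactive script with checks, added here as an example and not part of the original post: it leaves the key owner-only (Nginx's master process reads it as root), confirms that key and certificate match, and prints the certificate's SHA-256 fingerprint. The client configuration on this page sets allowInsecure to true and so does not validate the certificate, which makes comparing that fingerprint with what port 443 serves the manual check that you are reaching your own server. The function names and the -subj shortcut for the Common Name prompt are choices made for this example.

```shell
#!/bin/sh
# Added example: the page's three openssl steps, scripted, plus checks.

# make_cert DIR CN : key, CSR and self-signed certificate, as in the steps above.
# -subj answers the Common Name prompt; the other fields stay empty.
make_cert() {
    dir=$1; cn=$2
    (
        umask 077   # files are created readable by their owner only
        openssl ecparam -out "$dir/$cn.key" -name secp384r1 -genkey &&
        openssl req -new -sha256 -key "$dir/$cn.key" -subj "/CN=$cn" \
            -out "$dir/$cn.csr" &&
        openssl x509 -req -sha256 -days 365 -in "$dir/$cn.csr" \
            -signkey "$dir/$cn.key" -out "$dir/$cn.crt" 2>/dev/null
    )
}

# key_matches_cert KEY CRT : succeeds only if both hold the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_fingerprint CRT : SHA-256 fingerprint of a certificate file (AA:BB:...).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# served_fingerprint ADDRESS SERVERNAME : fingerprint of what port 443 presents.
served_fingerprint() {
    openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# On the server:
#   make_cert /etc/openssl example.com
#   key_matches_cert /etc/openssl/example.com.key /etc/openssl/example.com.crt
#   cert_fingerprint /etc/openssl/example.com.crt
# From any machine with openssl, once Nginx is running:
#   served_fingerprint 123.45.67.89 example.com    # must equal the value above
```
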

Configure Nginx

Generate Diffie-Hellman parameters:

openssl dhparam -out /etc/nginx/dhparam 2048

This may take a long time.

Edit the Nginx default site:

vi /etc/nginx/sites-available/default

Delete the default contents, and enter contents as below:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_certificate /etc/openssl/example.com.crt;
    ssl_certificate_key /etc/openssl/example.com.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;
    ssl_dhparam /etc/nginx/dhparam;
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

    location /abcdefgh {
        proxy_redirect off;
        proxy_pass http://127.0.0.1:12345;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

}

Change /abcdefgh to a secret path of your choice.

Save the configuration file.

Restart Nginx:

systemctl restart nginx

Install Xray on Server

Change back to the home directory:

cd ~

Download the installation script:

wget https://raw.githubusercontent.com/XTLS/Xray-install/main/install-release.sh

Make the install script executable:

chmod +x install-release.sh

Run the installer:

./install-release.sh

Configure Xray on Server

Edit the configuration file:

vi /usr/local/etc/xray/config.json

Delete existing contents and insert as follows:

{
  "log": {
    "loglevel": "warning",
    "access": "/var/log/xray/access.log",
    "error": "/var/log/xray/error.log"
  },
  "inbounds": [
    {
      "port": 12345,
      "listen": "127.0.0.1",
      "protocol": "vmess",
      "settings": {
        "clients": [
          {
            "id": "abe98b93-bd82-432f-8a41-0328a8aa5f5a",
            "alterId": 64
          }
        ]
      },
      "streamSettings": {
        "network": "ws",
        "wsSettings": {
          "path": "/abcdefgh"
        }
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "settings": {}
    }
  ]
}

Change /abcdefgh to the secret path of your choice that you configured Nginx to use.

Change abe98b93-bd82-432f-8a41-0328a8aa5f5a to the UUID of your choice.

Save the file with your edits.

Restart Xray on Server

systemctl restart xray

End work on server:

exit

Download Xray to Windows Client

Now work on your Windows PC that will be the client.

Open a browser and go to https://github.com/XTLS/Xray-core/releases.

Download the most recent release of Xray-windows-64.zip.

Unzip Xray-windows-64.zip.

Configure Xray on Windows Client

Copy and paste the configuration below into Windows Notepad:

{
  "inbounds": [
    {
      "port": 1080,
      "listen": "127.0.0.1",
      "protocol": "socks",
      "sniffing": {
        "enabled": true,
        "destOverride": ["http", "tls"]
      },
      "settings": {
        "auth": "noauth",
        "udp": false
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "vmess",
      "settings": {
        "vnext": [
          {
            "address": "123.45.67.89",
            "port": 443,
            "users": [
              {
                "id": "abe98b93-bd82-432f-8a41-0328a8aa5f5a",
                "alterId": 64
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "ws",
        "security": "tls",
        "tlsSettings": {
          "allowInsecure": true,
          "serverName": "example.com"
        },
        "wsSettings": {
          "path": "/abcdefgh",
          "headers": {
            "Host": "example.com"
          }
        }
      }
    }
  ]
}

Replace 123.45.67.89 with your server IP address.

Change /abcdefgh to the secret path of your choice that you configured Nginx to use.

Change abe98b93-bd82-432f-8a41-0328a8aa5f5a to the UUID of your choice.

Save this in a file named config.json (with no .txt on the end) in the same folder as the Xray application, Downloads\Xray-windows-64.

Close Notepad.

Connect Windows Client to Server

Open the Windows Run box with Win+r, type cmd, and click OK. This opens a Windows Command Prompt.

Change into the Xray directory:

cd Downloads\Xray-windows-64

Run Xray with your configuration file:

xray.exe -c config.json

If Windows Defender Firewall intervenes, click Allow access.

Install Firefox Browser

If you do not already have Firefox installed, install Firefox now from https://www.mozilla.org/en-US/firefox/new.

Configure Firefox Browser

In Settings, under Network Settings, configure Firefox to use a SOCKSv5 proxy server at IP address 127.0.0.1, port 1080. Check the box to proxy DNS requests when using SOCKS v5.

Test Windows Client to Server Connection

In Firefox, visit https://whatismyipaddress.com.

You should see the IP address and location of your server, not your client.