### Install Dependencies and Run Local Development Server

Source: https://xtls.github.io/document/document.html

Install project dependencies using pnpm and start the local development server to preview the documentation. Ensure Node.js and pnpm are installed first.

```bash
pnpm install
pnpm run docs:dev
```

--------------------------------

### Install and Register with wgcf-cli

Source: https://xtls.github.io/document/level-2/warp.html

Install the `wgcf-cli` tool and use it to register for a Warp account. This command downloads and executes the installation script.

```bash
bash -c "$(curl -L wgcf-cli.vercel.app)"
```

```bash
wgcf-cli register
```

--------------------------------

### Download Xray Installation Script

Source: https://xtls.github.io/document/level-0/ch07-xray-server.html

Use wget to download the official Xray installation script. This is the first step in installing Xray on your server.

```shell
wget https://github.com/XTLS/Xray-install/raw/main/install-release.sh
```

--------------------------------

### Execute Xray Installation Script

Source: https://xtls.github.io/document/level-0/ch07-xray-server.html

Run the downloaded installation script using bash with sudo privileges. This command initiates the Xray server installation process.

```shell
sudo bash install-release.sh
```

--------------------------------

### Start WireGuard Tunnel

Source: https://xtls.github.io/document/level-2/redirect.html

Use this command to bring up the WireGuard interface named 'wg0'. Ensure WireGuard is installed and configured.

```bash
wg-quick up wg0
```

--------------------------------

### Example: Run Xray client with specific user and config

Source: https://xtls.github.io/document/level-2/iptables_gid.html

An example command to set the maximum open file limit and run the Xray client in the background using the 'xray_tproxy' user and a specified configuration file.
```bash
ulimit -SHn 1000000
sudo -u xray_tproxy xray -c /etc/xray/config.json &
```

--------------------------------

### Install Nginx on Ubuntu

Source: https://xtls.github.io/document/level-1/fallbacks-with-sni.html

Installs Nginx from official repositories on Ubuntu systems. This involves adding the Nginx repository and GPG key before installing the package.

```bash
sudo apt install curl gnupg2 ca-certificates lsb-release
echo "deb [arch=amd64] http://nginx.org/packages/ubuntu `lsb_release -cs` nginx" \
    | sudo tee /etc/apt/sources.list.d/nginx.list
curl -fsSL https://nginx.org/keys/nginx_signing.key | sudo apt-key add -
sudo apt update
sudo apt install nginx
```

--------------------------------

### Install openresolv

Source: https://xtls.github.io/document/level-2/redirect.html

This command installs the openresolv package, which may be necessary if the DNS field is used in the WireGuard [Interface] configuration.

```bash
apt install openresolv
```

--------------------------------

### Install common OpenWrt dependencies

Source: https://xtls.github.io/document/level-2/iptables_gid.html

Installs essential libraries for Xray to function correctly on OpenWrt. These are common dependencies that might be missing.

```bash
opkg install libopenssl ca-certificates
```

--------------------------------

### Install acme.sh and Obtain Let's Encrypt Certificate

Source: https://xtls.github.io/document/level-1/fallbacks-with-sni.html

Installs acme.sh, sets the Cloudflare API token, and issues a Let's Encrypt certificate using DNS-01 validation for multiple domains. It then installs the certificate and configures auto-renewal.
```bash
curl https://get.acme.sh | sh
```

```bash
export CF_Token="sdfsdfsdfljlbjkljlkjsdfoiwje"
```

```bash
# Quote the wildcard so the shell cannot expand it as a glob
acme.sh --issue -d example.com -d '*.example.com' --dns dns_cf
```

```bash
mkdir /etc/ssl/xray
```

```bash
acme.sh --install-cert -d example.com --fullchain-file /etc/ssl/xray/cert.pem --key-file /etc/ssl/xray/privkey.key --reloadcmd "chown nobody:nogroup -R /etc/ssl/xray && systemctl restart xray"
```

--------------------------------

### Install Nginx on Debian

Source: https://xtls.github.io/document/level-0/ch05-webpage.html

Installs the Nginx web server on a Debian-based system. Ensure your system is up-to-date before installation.

```shell
sudo apt update && sudo apt install nginx
```

--------------------------------

### Start Xray Service

Source: https://xtls.github.io/document/level-0/ch07-xray-server.html

Starts the Xray service using systemd. Ensure the configuration file is correctly set up before running.

```shell
sudo systemctl start xray
```

--------------------------------

### WireGuard Configuration Example

Source: https://xtls.github.io/document/level-2/redirect.html

This is a sample WireGuard configuration file. Be sure to replace placeholders like , , , , and : with your actual values.

```ini
[Interface]
PrivateKey =
Address =
Address =
DNS = 8.8.8.8
MTU = 1280

[Peer]
PublicKey =
AllowedIPs = ::/0
AllowedIPs = 0.0.0.0/0
Endpoint = :
```

--------------------------------

### Install acme.sh Certificate Management Tool

Source: https://xtls.github.io/document/level-0/ch06-certificates.html

Use wget to download and execute the acme.sh installation script. This command fetches the script and pipes it directly to the shell for execution.
```shell
wget -O - https://get.acme.sh | sh
```

--------------------------------

### Install TLS Certificate for Xray

Source: https://xtls.github.io/document/level-0/ch07-xray-server.html

Use the acme.sh script with the --install-cert command to copy and install the obtained TLS certificate and key files to the designated Xray certificate directory. Ensure you replace '二级域名.你的域名.com' with your actual domain.

```shell
acme.sh --install-cert -d 二级域名.你的域名.com --ecc \
    --fullchain-file ~/xray_cert/xray.crt \
    --key-file ~/xray_cert/xray.key
```

--------------------------------

### Update Package List and Install sudo

Source: https://xtls.github.io/document/level-0/ch04-security.html

Refresh the list of available software packages and then install the 'sudo' package, which allows permitted users to run commands as the superuser.

```shell
apt update && apt install sudo
```

--------------------------------

### Install iptables modules on OpenWrt

Source: https://xtls.github.io/document/level-2/iptables_gid.html

Installs necessary iptables modules for tproxy and extra functionalities on OpenWrt systems. Ensure these are installed if Xray fails to run.

```bash
opkg install sudo iptables-mod-tproxy iptables-mod-extra
```

--------------------------------

### Enable WireGuard on Boot

Source: https://xtls.github.io/document/level-2/redirect.html

Configure WireGuard to start automatically when the system boots and then start the service immediately. This ensures the tunnel is active after a reboot.

```bash
systemctl enable wg-quick@wg0
```

```bash
systemctl start wg-quick@wg0
```

--------------------------------

### Enable Xray Service Auto-start

Source: https://xtls.github.io/document/level-0/ch07-xray-server.html

Ensures the Xray service starts automatically when the system boots up. This is the default behavior for services intended to run continuously.
```shell
sudo systemctl enable xray
```

--------------------------------

### Outbound Configuration Example

Source: https://xtls.github.io/document/level-1/routing-lv1-part1.html

Defines three essential outbound configurations: 'direct-out' for direct connections, 'proxy-out-vless' for proxied connections, and 'block' for dropping traffic. The order of these outbounds is crucial for the default routing behavior.

```json
{
  "outbounds": [
    {
      "tag": "direct-out",
      "protocol": "freedom"
    },
    {
      "tag": "proxy-out-vless"
      // ... ...
    },
    {
      "tag": "block",
      "protocol": "blackhole"
    }
  ]
}
```

--------------------------------

### Run xray-core on Windows

Source: https://xtls.github.io/document/level-0/ch08-xray-clients.html

Use this command in the Windows command prompt or PowerShell to run xray-core. Ensure you replace the example paths with your actual file locations.

```shell
C:\Xray-windows-64\xray.exe -c C:\Xray-windows-64\config.json
```

--------------------------------

### Basic VLESS Fallback Configuration

Source: https://xtls.github.io/document/level-1/fallbacks-lv1.html

This configuration demonstrates a simple fallback setup for the VLESS protocol. Non-VLESS traffic on port 443 is redirected to port 8080 for further processing.

```json
{
  "inbounds": [
    {
      "port": 443,
      "protocol": "vless",
      "settings": {
        "users": [
          // ... ...
        ],
        "decryption": "none",
        "fallbacks": [
          {
            "dest": 8080 // fall back by default to the anti-probing proxy
          }
        ]
      },
      "streamSettings": {
        // ... ...
      }
    }
  ]
}
```

--------------------------------

### Configure sudo Privileges

Source: https://xtls.github.io/document/level-0/ch04-security.html

Edit the sudoers file to grant specific users sudo privileges. This example adds the 'vpsadmin' user and configures passwordless sudo access.

```shell
visudo
```

--------------------------------

### Compile Nginx with Stream Module

Source: https://xtls.github.io/document/level-2/nginx_or_haproxy_tls_tunnel.html

Compile Nginx from source with the necessary modules for stream processing and SSL/TLS support.
Ensure all build dependencies are installed before configuring and making.

```bash
curl -O -L http://nginx.org/download/nginx-1.22.1.tar.gz
tar -zxvf nginx-1.22.1.tar.gz
cd nginx-1.22.1
apt install gcc make
./configure --prefix=/usr/local/nginx --with-http_ssl_module --with-http_v2_module --with-stream --with-stream_ssl_module
make && make install
```

--------------------------------

### Corrected Xray Routing Rules Example

Source: https://xtls.github.io/document/level-1/routing-lv1-part2.html

This demonstrates the correct way to configure routing rules by separating different matching criteria into distinct rules. Each rule uses a single matching criterion, ensuring that traffic is correctly routed based on IP or domain independently.

```json
{
  "routing": {
    "domainStrategy": "AsIs",
    "rules": [
      {
        "ip": ["223.5.5.5"],
        "outboundTag": "direct-out"
      },
      {
        "domain": ["full:direct.yourdomain.com"],
        "outboundTag": "direct-out"
      }
    ]
  }
}
```

--------------------------------

### Advanced VLESS Fallback with Multiple Paths

Source: https://xtls.github.io/document/level-1/fallbacks-lv1.html

This configuration showcases an advanced fallback setup for VLESS, utilizing multiple paths for traffic differentiation. It includes fallbacks for specific paths like /websocket, /vmesstcp, and /vmessws, as well as a default fallback for other traffic.
```json
{
  "port": 443,
  "protocol": "vless",
  "settings": {
    "users": [
      {
        "id": "", // fill in your UUID
        "flow": "xtls-rprx-vision",
        "level": 0,
        "email": "love@example.com"
      }
    ],
    "decryption": "none",
    "fallbacks": [
      {
        "dest": 1310, // default fallback to Xray's Trojan protocol
        "xver": 1
      },
      {
        "path": "/websocket", // must be replaced with a custom PATH
        "dest": 1234,
        "xver": 1
      },
      {
        "path": "/vmesstcp", // must be replaced with a custom PATH
        "dest": 2345,
        "xver": 1
      },
      {
        "path": "/vmessws", // must be replaced with a custom PATH
        "dest": 3456,
        "xver": 1
      }
    ]
  },
  "streamSettings": {
    "network": "tcp",
    "security": "tls",
    "tlsSettings": {
      "alpn": ["http/1.1"],
      "certificates": [
        {
          "certificateFile": "/path/to/fullchain.crt", // replace with your certificate, absolute path
          "keyFile": "/path/to/private.key" // replace with your private key, absolute path
        }
      ]
    }
  }
}
```

--------------------------------

### iptables Rules for Transparent Proxy (Stage 1 - Initial)

Source: https://xtls.github.io/document/level-2/transparent_proxy/transparent_proxy.html

Initial iptables rules to redirect all PREROUTING chain traffic to Xray. This setup may cause connectivity issues for the gateway itself and requires careful handling of return traffic.

```bash
ip rule add fwmark 1 table 100
ip route add local 0.0.0.0/0 dev lo table 100
iptables -t mangle -N XRAY
iptables -t mangle -A XRAY -p tcp -j TPROXY --on-port 12345 --tproxy-mark 1
iptables -t mangle -A XRAY -p udp -j TPROXY --on-port 12345 --tproxy-mark 1
iptables -t mangle -A PREROUTING -j XRAY
```

--------------------------------

### Routing Rule Example: Default Proxy

Source: https://xtls.github.io/document/level-1/routing-lv1-part1.html

This routing configuration blocks ad domains, allows direct connections for China domains, and proxies non-China domains. Unmatched traffic defaults to the first outbound, which is 'proxy-out-vless' in this setup, so traffic is proxied by default.
```json
{
  "rules": [
    {
      "domain": "geosite:category-ads-all",
      "outboundTag": "block"
    },
    {
      "domain": "geosite:cn",
      "outboundTag": "direct-out"
    },
    {
      // the geosite: prefix is required; without it the value is matched as a plain substring
      "domain": "geosite:geolocation-!cn",
      "outboundTag": "proxy-out-vless"
    }
  ]
}
```

--------------------------------

### Create Website Directory and Index File

Source: https://xtls.github.io/document/level-0/ch05-webpage.html

Creates a directory for website files and an index.html file using nano editor. Remember to replace '~' with your actual username if not root.

```shell
mkdir -p ~/www/webpage/ && nano ~/www/webpage/index.html
```

--------------------------------

### Remove Xray Installation Script

Source: https://xtls.github.io/document/level-0/ch07-xray-server.html

After successful installation, remove the downloaded installation script to clean up your server. Using a full path is a recommended safety practice.

```shell
rm ~/install-release.sh
```

--------------------------------

### Install the Certificate to a Specified Location

Source: https://xtls.github.io/document/level-0/ch06-certificates.html

After the certificate has been issued successfully, use the `--installcert` command to install it into the specified directory and generate the `.crt` and `.key` files. This command requires target paths for the certificate, key, and full chain files.

```shell
vpsadmin@vps-server:~$ acme.sh --installcert -d 二级域名.你的域名.com --cert-file /你要安装到的位置/cert.crt --key-file /你要安装到的位置/cert.key --fullchain-file /你要安装到的位置/fullchain.crt --ecc
[Mon 14 Feb 2022 03:00:25 PM CST] Installing cert to: /etc/xray/cert/cert.crt
[Mon 14 Feb 2022 03:00:25 PM CST] Installing key to: /etc/xray/cert/cert.key
[Mon 14 Feb 2022 03:00:25 PM CST] Installing full chain to: /etc/xray/cert/fullchain.crt
```

--------------------------------

### Create Xray Configuration File

Source: https://xtls.github.io/document/level-0/ch07-xray-server.html

Opens the Xray configuration file in the nano editor for editing. Requires sudo privileges.
```shell
sudo nano /usr/local/etc/xray/config.json
```

--------------------------------

### Create BBR configuration file

Source: https://xtls.github.io/document/level-0/ch07-xray-server.html

Use nano to create or edit the sysctl configuration file for BBR.

```shell
sudo nano /etc/sysctl.d/99-bbr.conf
```

--------------------------------

### Incorrect Xray Routing Rule Example

Source: https://xtls.github.io/document/level-1/routing-lv1-part2.html

This example shows an incorrect routing rule where multiple matching criteria (IP and domain) are combined in a single rule. This configuration will not work as intended because the conditions are ANDed, not ORed, meaning both must be true simultaneously for the rule to match.

```json
{
  "routing": {
    "domainStrategy": "AsIs",
    "rules": [
      {
        "ip": ["223.5.5.5"],
        "domain": ["full:direct.yourdomain.com"],
        "outboundTag": "direct-out"
      }
    ]
  }
}
```

--------------------------------

### Add New User

Source: https://xtls.github.io/document/level-0/ch04-security.html

Create a new user account on the system. This is a fundamental step in moving away from using the root user for daily operations.

```shell
adduser vpsadmin
```

--------------------------------

### Clone Project X Documentation Repository

Source: https://xtls.github.io/document/document.html

Clone the documentation repository to your local machine for making complex edits. Ensure you replace 'your-github-username' with your actual GitHub username.

```bash
git clone https://github.com/your-github-username/Xray-docs-next.git
```

--------------------------------

### Disable Xray Service Auto-start

Source: https://xtls.github.io/document/level-0/ch07-xray-server.html

Prevents the Xray service from starting automatically on system reboot. Use this if you want to manually control when Xray runs.
```shell
sudo systemctl disable xray
```

--------------------------------

### netfilter-persistent Systemd Service Configuration

Source: https://xtls.github.io/document/level-2/tproxy.html

This is the systemd service file for netfilter-persistent. It manages the saving and loading of iptables rules. Use this if you selected iptables for persistence and installed iptables-persistent.

```ini
[Unit]
Description=netfilter persistent configuration
DefaultDependencies=no
Wants=network-pre.target systemd-modules-load.service local-fs.target
Before=network-pre.target shutdown.target
After=systemd-modules-load.service local-fs.target
Conflicts=shutdown.target
Documentation=man:netfilter-persistent(8)

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/netfilter-persistent start ; /usr/sbin/ip route add local default dev lo table 100 ; /usr/sbin/ip rule add fwmark 1 table 100
ExecStop=/usr/sbin/netfilter-persistent stop ; /usr/sbin/ip route flush dev lo table 100 ; /usr/sbin/ip rule del table 100

[Install]
WantedBy=multi-user.target
```

--------------------------------

### Generate Warp Account Configuration (wgcf)

Source: https://xtls.github.io/document/level-2/warp.html

Use `wgcf` to register for a Warp account and generate a configuration file. This method requires downloading and running the `wgcf` binary.

```bash
wgcf register
```

```bash
wgcf generate
```

--------------------------------

### Xray-core Client Configuration (config.json)

Source: https://xtls.github.io/document/level-0/ch08-xray-clients.html

This JSON configuration file sets up xray-core as a client. It includes logging, DNS, routing, inbound, and outbound configurations for traffic management, such as direct connection for domestic traffic, proxying for international traffic, and blocking ads. Ensure 'uuid', 'address', and 'serverName' are replaced with your specific details.
```json
{
  // 1_Log settings
  // Note: the log files are commented out by default in this example, because Windows, macOS and Linux need different paths; configure them yourself
  "log": {
    // "access": "/home/local/xray_log/access.log", // access log
    // "error": "/home/local/xray_log/error.log", // error log
    "loglevel": "warning" // from least to most verbose: "none", "error", "warning", "info", "debug"
  },

  // 2_DNS settings
  "dns": {
    "servers": [
      // 2.1 Resolve non-China domains with a foreign DNS server
      {
        "address": "1.1.1.1",
        "domains": ["geosite:geolocation-!cn"]
      },
      // 2.2 Resolve China domains with a China DNS server and expect a China IP; if the answer is not a China IP, discard it and query the next server
      {
        "address": "223.5.5.5",
        "domains": ["geosite:cn"],
        "expectIPs": ["geoip:cn"]
      },
      // 2.3 Backup for 2.2: a second lookup for China sites
      {
        "address": "114.114.114.114",
        "domains": ["geosite:cn"]
      },
      // 2.4 Last resort: when all of the above fail, use the local machine's DNS
      "localhost"
    ]
  },

  // 3_Routing settings
  // Routing means handing traffic that matches a given condition to the outbound with the specified `tag` (see section 5.x of this config)
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
      // 3.1 Block ad domains
      {
        "domain": ["geosite:category-ads-all"],
        "outboundTag": "block"
      },
      // 3.2 China domains go direct
      {
        "domain": ["geosite:cn"],
        "outboundTag": "direct"
      },
      // 3.3 Non-China domains go through the proxy
      {
        "domain": ["geosite:geolocation-!cn"],
        "outboundTag": "proxy"
      },
      // 3.4 DNS queries sent to the China DNS server "223.5.5.5" go out through the direct outbound
      {
        "ip": ["223.5.5.5"],
        "outboundTag": "direct"
      },
      // 3.5 China IPs go direct
      {
        "ip": ["geoip:cn", "geoip:private"],
        "outboundTag": "direct"
      }
      // 3.6 Default rule
      // In Xray, any traffic that matches none of the rules above uses the [first outbound (5.1)] by default, so the outbound that forwards to the VPS must come first
    ]
  },

  // 4_Inbound settings
  "inbounds": [
    // 4.1 socks5 is generally the default protocol for local forwarding
    {
      "tag": "socks-in",
      "protocol": "socks",
      "listen": "127.0.0.1", // address for local forwarding over socks5
      "port": 10800, // port for local forwarding over socks5
      "settings": {
        "udp": true
      }
    },
    // 4.2 A few apps are not compatible with socks and need HTTP forwarding; use the port below for them
    {
      "tag": "http-in",
      "protocol": "http",
      "listen": "127.0.0.1", // address for local forwarding over HTTP
      "port": 10801 // port for local forwarding over HTTP
    }
  ],

  // 5_Outbound settings
  "outbounds": [
    // 5.1 Default: forward to the VPS
    // Must come first; as explained in routing 3.6, this is effectively the default rule, and all traffic that matches no rule goes here
    {
      "tag": "proxy",
      "protocol": "vless",
      "settings": {
        "address": "a-name.yourdomain.com", // replace with your real domain
        "port": 443,
        "id": "uuiduuid-uuid-uuid-uuid-uuiduuiduuid", // same as on the server
        "flow": "xtls-rprx-vision",
        "encryption": "none",
        "level": 0
      },
      "streamSettings": {
        "network": "tcp",
        "security": "tls",
        "tlsSettings": {
          "serverName": "a-name.yourdomain.com", // replace with your real domain
          "allowInsecure": false, // reject insecure certificates
          "fingerprint": "chrome" // use the uTLS library to mimic a Chrome / Firefox / Safari fingerprint, or a randomly generated one
        }
      }
    },
    // 5.2 Direct outbound using the `freedom` protocol: used when routing specifies 'direct'
    {
      "tag": "direct",
      "protocol": "freedom"
    },
    // 5.3 Block traffic using the `blackhole` protocol: used when routing specifies 'block'
    {
      "tag": "block",
      "protocol": "blackhole"
    }
  ]
}
```

--------------------------------

### HAProxy Client Configuration for WebSocket over HTTP/2

Source: https://xtls.github.io/document/level-2/nginx_or_haproxy_tls_tunnel.html

Configure HAProxy as a client to support WebSocket over HTTP/2. This setup is for scenarios where the client needs to tunnel WebSocket traffic through HTTP/2.

```haproxy
global
    log /dev/log local0 alert
    log /dev/log local1 alert
    stats socket /dev/shm/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user root
    group root
    daemon

    # Tune HTTP/2 performance; these options can be set whenever you hit HTTP/2 performance problems.
    # For more settings see the tune.h2 section of the HAProxy documentation: https://docs.haproxy.org/2.7/configuration.html
    # Initial window size; setting it is recommended. Default 65536, in bytes. With bursts of heavy traffic
    # this value needs some ramp-up time; adjust it to your link speed
    tune.h2.initial-window-size 536870912
    # Number of multiplexed streams; set as needed. Default 100; usually no need to set it (upstream advises against changing it)
    tune.h2.max-concurrent-streams 512

    ssl-default-server-options ssl-min-ver TLSv1.3

defaults
    log global
    mode http
    timeout connect 5s
    timeout client 300s
    timeout server 300s

frontend xray
    bind 127.0.0.1:6666
    default_backend tunnel

backend tunnel
    # verify none: the server certificate is not validated
    server tunnel www.example.com:443 ssl verify none sni req.hdr(host) ws h2 alpn h2 # ws over HTTP/2
```

--------------------------------

### Apply sysctl configuration

Source: https://xtls.github.io/document/level-0/ch07-xray-server.html

Load the new sysctl configuration to make the BBR settings effective.
```shell
sudo sysctl --system
```

--------------------------------

### Allow New SSH Port in Firewall (UFW)

Source: https://xtls.github.io/document/level-0/ch04-security.html

After changing the SSH port, add a firewall rule to allow traffic on the new port. This example uses ufw for Ubuntu.

```shell
sudo ufw allow 9753/tcp
```

--------------------------------

### Basic Outbound Configuration (VLESS + XTLS)

Source: https://xtls.github.io/document/level-1/routing-lv1-part1.html

Sets up an outbound connection for Xray using the VLESS protocol with TCP and XTLS for secure and efficient data transmission to a VPS. It includes server details and TLS settings.

```json
{
  "outbounds": [
    {
      "tag": "proxy-out-vless",
      "protocol": "vless",
      "settings": {
        "address": "a-name.yourdomain.com",
        "port": 443,
        "id": "uuiduuid-uuid-uuid-uuid-uuiduuiduuid",
        "flow": "xtls-rprx-vision",
        "encryption": "none",
        "level": 0
      },
      "streamSettings": {
        "network": "tcp",
        "security": "tls",
        "tlsSettings": {
          "serverName": "a-name.yourdomain.com",
          "allowInsecure": false,
          "fingerprint": "chrome"
        }
      }
    }
  ]
}
```

--------------------------------

### HAProxy Client Configuration for TCP TLS Tunnel

Source: https://xtls.github.io/document/level-2/nginx_or_haproxy_tls_tunnel.html

Configure HAProxy as a client to establish a TCP TLS tunnel. This setup is suitable for direct connections where the server expects TLS.
```haproxy
global
    log /dev/log local0 alert
    log /dev/log local1 alert
    stats socket /dev/shm/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user root
    group root
    daemon

    # Force TLS 1.3 for the tunnel
    ssl-default-server-options ssl-min-ver TLSv1.3

defaults
    log global
    mode tcp
    timeout connect 5s
    timeout client 300s
    timeout server 300s

frontend xray
    bind 127.0.0.1:6666 # listen on local port 6666
    default_backend tunnel

backend tunnel
    # A domain name or an IP both work; if you use a domain, pin its IP in hosts to cut resolution time.
    # alpn is negotiated with the server: when the server side is alpn h2,http1.1, specifying h2 on the
    # client makes the tunnel an HTTP/2 connection and specifying http1.1 makes it HTTP; when both ends
    # list both, h2 is preferred.
    # verify none: the server certificate is not validated
    server tunnel www.example.com:443 ssl verify none sni req.hdr(host) alpn h2,http/1.1
```

--------------------------------

### Generate Warp Account using warp-reg.sh

Source: https://xtls.github.io/document/level-2/warp.html

A convenient script to register for a Warp account and obtain configuration details. Run this command to execute the script and get your account information.

```bash
bash -c "$(curl -L warp-reg.vercel.app)"
```

--------------------------------

### Check WireGuard Module Loading

Source: https://xtls.github.io/document/level-2/redirect.html

Verify that the WireGuard kernel module has been loaded successfully by checking the list of loaded modules.

```bash
lsmod | grep wireguard
```

--------------------------------

### HAProxy Server Configuration for TCP TLS Tunnel

Source: https://xtls.github.io/document/level-2/nginx_or_haproxy_tls_tunnel.html

Configure HAProxy as a server to accept incoming TCP TLS connections. This setup includes SSL certificate binding and ALPN negotiation.
```haproxy
global
    log /dev/log local0 alert
    log /dev/log local1 alert
    stats socket /dev/shm/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user root
    group root
    daemon

    # Specify the cipher suites and a minimum SSL version of 1.2 to look more authentic
    ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    log global
    mode tcp
    timeout connect 5s
    timeout client 300s
    timeout server 300s

frontend tls-in
    # haproxy decrypts SSL using a pem, produced with: cat www.example.com.crt www.example.com.key > www.example.com.pem
    bind :::443 ssl crt /path/to/pem alpn h2,http/1.1
    default_backend xray
    tcp-request inspect-delay 5s
    tcp-request content accept if HTTP
    use_backend web if HTTP

backend xray
    # The abstract socket format is also supported: "abns@vless.sock"; loopback form: 127.0.0.1:6666
    server xray /dev/shm/vless.sock

backend web
    server web /dev/shm/h1h2c.sock # fall back to the web page
```

--------------------------------

### Trojan Fallback Configuration for Port 1310

Source: https://xtls.github.io/document/level-1/fallbacks-lv1.html

Configures the Trojan inbound listening on 127.0.0.1 port 1310. This setup includes settings for users and a fallback destination to port 80 for anti-probing.

```json
{
  "port": 1310,
  "listen": "127.0.0.1",
  "protocol": "trojan",
  "settings": {
    "users": [
      {
        "password": "", // fill in your password
        "level": 0,
        "email": "love@example.com"
      }
    ],
    "fallbacks": [
      {
        "dest": 80 // or fall back to another proxy that also resists probing
      }
    ]
  },
  "streamSettings": {
    "network": "tcp",
    "security": "none",
    "tcpSettings": {
      "acceptProxyProtocol": true
    }
  }
}
```