Introduction
VLESS with Reality protocol makes proxy traffic indistinguishable from normal HTTPS connections. Deep packet inspection (DPI) cannot differentiate it from regular browsing because Reality mimics a real TLS handshake with a legitimate website.
Prerequisites
- VPS with port 443 open
- Ubuntu/Debian
1. Install Xray-core
sudo bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install
2. Generate Credentials and Get Server IP
Run these commands and save the output. Values are referenced as <PLACEHOLDER> in later sections.
xray uuid # <UUID>
xray x25519 # PrivateKey → <PRIVATE_KEY>, Password → <PUBLIC_KEY>
openssl rand -hex 8 # <SHORT_ID>
curl -4 ifconfig.me # <SERVER_IP>
Passwordin xray output is actually the public key (confusing naming). Never share your<PRIVATE_KEY>.
3. Choose SNI (Server Name Indication)
Reality works by mimicking TLS connections to a real website. The SNI you choose must meet these requirements:
- Supports TLS 1.3 and HTTP/2
- Geographically close to your VPS (same region/datacenter)
- Not behind Cloudflare CDN
Common options: www.microsoft.com, www.apple.com, www.yahoo.com
For advanced users: RealiTLScanner can find domains in your VPS’s datacenter.
4. Server Configuration
sudo nano /usr/local/etc/xray/config.json
Choose one option:
- TCP + Vision — hides TLS-in-TLS patterns from DPI, widely supported
- XHTTP — newer transport, fragments data across HTTP requests, more resistant to traffic analysis
Configs below use
www.microsoft.comas default. If you chose a different SNI in Section 3, updatedest,serverNames, and the client URLs.
Option A: TCP + Vision
{
"log": {
"loglevel": "warning"
},
"inbounds": [
{
"listen": "0.0.0.0",
"port": 443,
"protocol": "vless",
"settings": {
"clients": [
{
"id": "<UUID>",
"flow": "xtls-rprx-vision"
}
],
"decryption": "none"
},
"streamSettings": {
"network": "tcp",
"security": "reality",
"realitySettings": {
"show": false,
"dest": "www.microsoft.com:443",
"xver": 0,
"serverNames": ["www.microsoft.com"],
"privateKey": "<PRIVATE_KEY>",
"shortIds": ["<SHORT_ID>"]
}
},
"sniffing": {
"enabled": true,
"destOverride": ["http", "tls", "quic"]
}
}
],
"outbounds": [
{
"protocol": "freedom",
"tag": "direct"
}
]
}
Option B: XHTTP Config
{
"log": {
"loglevel": "warning"
},
"inbounds": [
{
"listen": "0.0.0.0",
"port": 443,
"protocol": "vless",
"settings": {
"clients": [
{
"id": "<UUID>"
}
],
"decryption": "none"
},
"streamSettings": {
"network": "xhttp",
"xhttpSettings": {
"path": "/xh"
},
"security": "reality",
"realitySettings": {
"show": false,
"dest": "www.microsoft.com:443",
"xver": 0,
"serverNames": ["www.microsoft.com"],
"privateKey": "<PRIVATE_KEY>",
"shortIds": ["<SHORT_ID>"]
}
},
"sniffing": {
"enabled": true,
"destOverride": ["http", "tls", "quic"]
}
}
],
"outbounds": [
{
"protocol": "freedom",
"tag": "direct"
}
]
}
5. Start Xray
sudo systemctl enable xray
sudo systemctl status xray
View logs: sudo journalctl -u xray -f
Open port 443 on your VPS firewall if not already open.
After config changes, restart Xray:
sudo systemctl restart xray
6. Client Connection URL
Import these URLs into your client app. Replace placeholders with your values.
TCP + Vision:
vless://<UUID>@<SERVER_IP>:443?encryption=none&flow=xtls-rprx-vision&security=reality&sni=www.microsoft.com&fp=chrome&pbk=<PUBLIC_KEY>&sid=<SHORT_ID>&type=tcp#reality-tcp
XHTTP:
vless://<UUID>@<SERVER_IP>:443?encryption=none&security=reality&sni=www.microsoft.com&fp=chrome&pbk=<PUBLIC_KEY>&sid=<SHORT_ID>&type=xhttp&path=/xh#reality-xhttp
7. Client App
Happ — available for iOS, Android, macOS, Windows, Linux, and TV. Built on Xray core with XHTTP support.
Happ client with imported VLESS Reality config
8. QR Code (Optional)
Generate a QR code for easy mobile import:
sudo apt install qrencode -y # Debian/Ubuntu
brew install qrencode # macOS
qrencode -o vless-tcp.png "vless://<UUID>@<SERVER_IP>:443?encryption=none&flow=xtls-rprx-vision&security=reality&sni=www.microsoft.com&fp=chrome&pbk=<PUBLIC_KEY>&sid=<SHORT_ID>&type=tcp#reality-tcp"
Scan the QR code with your client app to import the config.