VLESS + XTLS + REALITY

Overview

VLESS is a lightweight transport protocol from the Xray project. It strips encryption overhead by delegating encryption to the outer TLS layer. Combined with XTLS (direct TLS transmission) and REALITY (TLS fingerprint mimicry), it is one of the most stealthy options available today.

How It Works

  • VLESS — A minimal proxy protocol with no built-in encryption. Relies entirely on TLS for confidentiality.
  • XTLS — A flow control mechanism that allows the proxy to directly forward TLS traffic without decrypting and re-encrypting, reducing CPU overhead and latency.
  • REALITY — Mimics the TLS handshake of a real website (e.g., www.microsoft.com). Active probes see a genuine TLS connection to that site, not a proxy.

Installation

If you already have XUI English installed, you can install 3x-ui by running:

sudo bash <(curl -Ls https://raw.githubusercontent.com/mhsanaei/3x-ui/master/install.sh)

This applies to new users as well.

Follow the directions on the screen to set up your admin username, password, and port.


Port Forward via SSH

Before opening the web panel, create a secure SSH tunnel to forward the panel’s port to your local machine:

  1. Open a terminal on your local machine and run:
ssh -N -L 8080:127.0.0.1:<port-you-set> username@<server-ip>

Keep this terminal window open. This forwards the remote X-UI panel port securely to localhost:8080 on your local computer.


Access Web UI

  1. Open your browser and access the panel locally:
http://127.0.0.1:8080
  2. Log in, and you will see the dashboard.

⚠️ None of your existing endpoints will be migrated, so keep that in mind.


Configuration

  1. Click Inbounds.
  2. Click Add Inbounds.
  3. For Protocol, choose VLESS if it’s not the default.
  4. Follow the config below:
Enable: True
Remark: (Any name you want to use)
Protocol: VLESS
Listen IP: (Leave blank)
Port: 443
Total Flow: (Leave default)
Duration: (Leave blank)
Client: Only change one thing from the dropdown — change Flow from 'none' to 'xtls-rprx-vision'
Transmission: TCP (RAW)
Proxy Protocol: False
HTTP Obfuscation: False
Sockopt: False
External Proxy: False
Security: Reality
Show: False
Xver: (Leave default)
uTLS: Chrome or Firefox or Edge (whichever browser you use most often)
Dest (Target): A suitable target site, which must support TLS 1.3 — e.g., `www.microsoft.com:443`
SNI: Same as above, but without the port — e.g., `www.microsoft.com`
Max Time Diff (ms): (Leave default)
Short IDs: (Leave default)
SpiderX: (Leave default)
Click **Get New Cert** — this will auto-fill the Public Key and Private Key.
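
One way to check an inbound against the settings listed above before enabling it, as an added example and not code from 3x-ui or Xray. It assumes the inbound is available in Xray's JSON layout (`streamSettings.realitySettings` with `dest` or `target`, `serverNames`, `privateKey`); the sample config and its placeholder values are constructed.

```python
import copy
import json

# Constructed sample inbound (not from the page); it breaks three settings.
BAD = json.loads("""{
  "protocol": "vless", "port": 443,
  "settings": {"clients": [{"id": "CLIENT-ID-PLACEHOLDER", "flow": ""}],
               "decryption": "none"},
  "streamSettings": {"network": "tcp", "security": "reality",
    "realitySettings": {"show": false, "dest": "www.microsoft.com",
                        "serverNames": ["example.com"],
                        "privateKey": "PRIVATE-KEY-PLACEHOLDER",
                        "shortIds": ["SHORT-ID-PLACEHOLDER"]}}}""")

# The same inbound with the three settings corrected as the list describes.
GOOD = copy.deepcopy(BAD)
GOOD["settings"]["clients"][0]["flow"] = "xtls-rprx-vision"
GOOD["streamSettings"]["realitySettings"]["dest"] = "www.microsoft.com:443"
GOOD["streamSettings"]["realitySettings"]["serverNames"] = ["www.microsoft.com"]

def lint_inbound(inbound):
    """Return a list of findings; an empty list means the inbound matches the guide."""
    findings = []
    if inbound.get("protocol") != "vless":
        findings.append("protocol is not vless")
    for client in inbound.get("settings", {}).get("clients", []):
        if client.get("flow") != "xtls-rprx-vision":
            findings.append(f"client {client.get('id')}: flow is not xtls-rprx-vision")
    stream = inbound.get("streamSettings", {})
    if stream.get("network") not in ("tcp", "raw"):  # the panel labels this TCP (RAW)
        findings.append("transmission is not TCP (RAW)")
    if stream.get("security") != "reality":
        findings.append("security is not reality")
    reality = stream.get("realitySettings", {})
    dest = reality.get("dest") or reality.get("target") or ""
    host, sep, port = dest.rpartition(":")
    if not sep or not port.isdigit():
        findings.append("dest must be host:port")
        host = dest  # no port present, so treat the whole value as the host
    if host not in reality.get("serverNames", []):
        findings.append("SNI list does not contain the dest host")
    if reality.get("show"):
        findings.append("show should be false")
    if not reality.get("privateKey"):
        findings.append("private key is empty; use Get New Cert")
    return findings

if __name__ == "__main__":
    for name, cfg in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, lint_inbound(cfg) or "ok")
```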

Tips

  • Choose a REALITY target site that is popular and accessible in your region.
  • Regularly verify that your TLS fingerprint matches the target site.

Caveats

  • VLESS without encryption is not secure over untrusted networks — always pair with TLS.
  • REALITY requires careful target selection to avoid raising suspicion.
  • REALITY requires a direct TLS handshake — CDN proxying will break the server-side fingerprint verification.