VMess + WebSocket + TLS + CDN

Overview

VMess is V2Ray’s original encrypted protocol. When layered with WebSocket, TLS, and a CDN, traffic blends into ordinary HTTPS WebSocket connections, making it difficult to distinguish from normal web traffic.

How It Works

  • VMess — Provides its own encryption and authentication layer, with support for metadata obfuscation.
  • WebSocket — Wraps VMess traffic inside WebSocket frames, which look like standard browser WebSocket connections.
  • TLS — Encrypts the entire WebSocket stream, making it indistinguishable from HTTPS.
  • CDN — Routes traffic through a content delivery network, hiding the real server IP and providing DDoS resistance.

Setup: VMESS + WS + TLS + AES

Requirements

  • A domain name with Cloudflare
  • A Linux VPS with port forwarding for 443 and a random port
  • Basic command line skills
  • Root access

Install X-UI

  1. To install X-UI, execute the following in a terminal:
bash <(curl -Ls https://raw.githubusercontent.com/mhsanaei/3x-ui/master/install.sh)

Follow the on-screen instructions. Make sure you enable system startup.


Disable Firewall

If you’re using a Debian-based distro:

  1. If ufw is not installed, install it:
sudo apt install ufw
  2. Disable the firewall:
sudo ufw disable

Port Forward via SSH

Before accessing the web panel, create a secure SSH tunnel to forward the panel’s port to your local machine:

  1. Open a terminal on your local machine and run:
ssh -N -L 8080:127.0.0.1:<port-you-set> username@<server-ip>

Keep this terminal window open. This forwards the remote X-UI panel port securely to localhost:8080 on your local computer.


Access X-UI Panel

  1. Open your browser and access:
http://127.0.0.1:8080

This will be shown to you after launching X-UI with sudo x-ui.

  2. Log in with the credentials.

Generate a Self-Signed Certificate

openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout selfsigned.key -out selfsigned.crt

Make sure you have OpenSSL installed. At the prompts, enter:

  • Country Name (2-letter code) – e.g., US
  • Common Name (CN) – enter your domain (e.g., example.com)
  • Leave the rest optional or fill as needed.

Configure VMESS Endpoint

  1. Tap “Inbounds”.
  2. Click the "+" button to create a new inbound.
  3. Configure settings as below:
Remark: Name your server
Protocol: VMESS
Listening IP: (leave blank for default)
Port: 443
Total Traffic (GB): (leave blank)
Expiry Date: (leave blank)
Disable Insecure Encryption: Disabled
Transmission: ws
Accept Proxy Protocol: Disabled
Path: /
TLS: Enabled
Domain Name: Your domain name
Upload your certificate (.crt) and private key (.key), e.g. the selfsigned.crt and selfsigned.key generated above
Sniffing: Enabled
  4. Click “Add To” to save.

Forward Port 443

  1. Go to the control panel or router for your server. (On some setups this is a set of firewall rules.)
  2. Forward port 443.
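
The tunnel step above reaches the panel through 127.0.0.1 on the server, and with ufw disabled it no longer filters any listener bound to a non-loopback address. The following added example (not part of the original guide or of X-UI) reduces ss -tln output to the ports that are bound beyond loopback and are not in the list you pass as intentionally public; the sample output and the ports 22, 54321 and 62789 in it are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): report TCP ports that listen on
# a non-loopback address and are not in the list of ports meant to be public.
# Usage on the VPS:  ss -tln | exposed_listeners 22 443

exposed_listeners() {
  # Reads `ss -tln` output on stdin; arguments are the intentionally public ports.
  awk -v allowed="$*" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "LISTEN" {
      addr = $4                                  # "Local Address:Port" column
      port = addr; sub(/.*:/, "", port)          # text after the last colon
      host = substr(addr, 1, length(addr) - length(port) - 1)
      gsub(/^\[|\]$/, "", host)                  # [::] -> ::
      if (host ~ /^(::ffff:)?127\./ || host ~ /^::1(%|$)/) next  # loopback only
      if (port in ok) next                       # expected public port
      print port
    }' | sort -un
}

# Constructed sample of `ss -tln` output; 54321 stands in for the panel port.
sample_ss_output() {
  cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      4096   127.0.0.53%lo:53    0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      4096   127.0.0.1:62789     0.0.0.0:*
LISTEN 0      4096   *:54321             *:*
LISTEN 0      4096   *:443               *:*
LISTEN 0      128    [::]:22             [::]:*
EOF
}

sample_ss_output | exposed_listeners 22 443   # prints 54321
```

A port printed here is bound to all interfaces but was not declared public; compare it with the ports you actually forwarded.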

Configure Cloudflare

  1. Activate your domain in Cloudflare if not already done.
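  2. Set an A record pointing to your VPS public IP. Make sure the proxy is turned on for that record (it shows as Proxied).
  3. Go to SSL/TLS in Cloudflare and set the encryption mode to Full (not Full Strict). Full (strict) validates the origin certificate and rejects the self-signed one generated above.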

Tips

  • Use a CDN that supports WebSocket proxying.
  • Choose a domain that does not draw attention.
  • Enable CDN caching for non-proxy paths to further blend in.
  • Use a valid TLS certificate (Let’s Encrypt).

Caveats

  • CDN adds latency.
  • Some CDNs block or throttle WebSocket traffic.
  • VMess metadata can be fingerprinted if the adversary has the capability to inspect it.
  • CDN termination means the CDN operator can see your traffic metadata.