Tutorial Installing v2ray vmess + websocket + TLS using Cloudflare CDN setup

Bon-chan

Tutorial on how to:
* Set up v2ray VMESS + WebSocket + TLS using CloudFlare CDN services on a VPS (Debian/RHEL-based OS only)

The aim of this setup is to hide your server's identity (IP address) from the public.
Note: This will not obfuscate your server's outgoing connection into the CloudFlare CDN.
The actual setup is just a normal v2ray installation running as VMess listening on localhost, with an Nginx web server frontend that forwards WebSocket + TLS client requests.

Prerequisite:
  • Your own VPS server with a public IP address (must be configured to allow inbound/outbound connections on the following ports: 80, 443, 10035). (For AWS/Azure/Alibabacloud/GoogleCloud users, make sure these ports are open on your firewall.)
  • [For newbies] To avoid some errors, I suggest running this tutorial on a fresh/newly deployed instance/VPS
  • A little knowledge of Linux commands (know how to navigate using cd, ls, rm, cp and mv, and how to use nano (text editor))
  • Your own CloudFlare account with a domain ready for setup, with Full SSL/TLS encryption enabled (no Cloudflare or domain account? get them free here: https://phcorner.net/threads/1020514)
  • A scratch notepad for taking notes or file-editing

!! Prepare a stable internet connection and avoid running the same commands twice or more. Avoid too many typographical errors. Follow the instructions carefully.

1. We need to get the Origin certificates first.
Log in to your CloudFlare account [link hidden]. On your dashboard, go to SSL/TLS >> Origin Server >> then click "Create Certificate".
For the private key type, select ECDSA
and just click "Next".
2. I'm using the cl1p.net service as an online clipboard to avoid using SFTP or any interactive file transfer in this tutorial.
Go to your browser and open a new tab. We are going to create a cl1p.net link: just think of some unique lone URL name, then access it as a URL.
Example: [link hidden]
I'm using the following URLs for my 2 files (you can change them too; save them in a notepad, later I will explain how to use them inside your VPS terminal/shell):
Certificate file: [link hidden]
Certificate key file: [link hidden]
First copy the origin certificate, then paste it into your Certificate file cl1p URL (mine is [link hidden])
then click "Paste and Create".
Do the same for the private key: paste it into your Certificate key file URL (mine is [link hidden])
then click "Paste and Create".
- I set all my clips to "Destroy cl1p when viewed", so if I accidentally visit my clip it will be automatically deleted; it is also the secure way of sharing some sensitive data in public, like certs and private keys. You can decide how your cl1ps are going to be deleted (by expiry or by viewing them once).
Just keep both links; don't visit them.
After all of this, go back to our last session on the Cloudflare tab and finish it by clicking "OK".
3. Set a hostname for our server; mine is [link hidden] (you can choose any subdomain you want as your server hostname). To access DNS Management, just find "DNS" in the upper navigation of your CloudFlare dashboard and click it.
Click "Add record" for a new DNS record,
OR if www already exists in your record list, click the "Pencil" button to modify it.
Type: A
Name: www
IPv4 Address: <your VPS IP address>
TTL: Auto
Proxy status: Proxied
then click "Save"
4. Now we're leaving the CloudFlare DNS management dashboard and moving on to our VPS. Prepare your SSH client and access your VPS root terminal (for sudo users: run su - to access root on your VPS). After logging in as root, run the update/upgrade commands of your package manager to ensure no installation errors appear during the v2ray & nginx installation.
Debian/Ubuntu: apt update && apt upgrade -y -f
CentOS/Fedora/RHEL: yum update -y || dnf update -y
5. Run the v2ray server installer script from the [link hidden] project.
But before that, double-check that the curl, unzip and nginx packages are installed.
Debian/Ubuntu: apt install curl unzip nginx net-tools lsof -y
CentOS/Fedora/RHEL: yum install curl unzip nginx net-tools lsof -y || dnf install curl unzip nginx net-tools lsof -y
If an error occurs while installing NGINX on Debian/Ubuntu because your package manager also attempts to install nginx-full and nginx-light, try uninstalling nginx-full, nginx-light and nginx-extras:
apt remove --purge nginx-* -y -f
then autoremove nginx install remains:
apt autoremove -y -f
and update your package manager
apt update
lastly, install nginx:
apt install nginx -y
After curl & unzip are installed, run:
Bash:
bash <(curl -L https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh)
Wait until it finishes.
6. Remember the 2 links we created earlier? We're going to download them with the cURL command, then put them inside the /usr/local/etc/v2ray directory.
First, change some values here (copy these commands and paste them into your notepad, edit them, change "cl1p.net" to "api.cl1p.net", then run them in your terminal):
Bash:
export CertURL='https://api.cl1p.net/orange-ju-filecert' && export KeyURL='https://api.cl1p.net/orange-ju-filekey'
then run:
Bash:
v2raydir='/usr/local/etc/v2ray' && curl -kL "$CertURL" -o $v2raydir/cert.pem && curl -kL "$KeyURL" -o $v2raydir/key.pem && curl -kL "https://support.cloudflare.com/hc/article_attachments/360037898732/origin_ca_ecc_root.pem" -o $v2raydir/root_ecc.pem
7. After downloading the three files, create a fullchain certificate by running this command:
Bash:
v2raydir='/usr/local/etc/v2ray' && printf "%b\n" "$(cat $v2raydir/cert.pem)\n$(cat $v2raydir/root_ecc.pem)" > $v2raydir/fullchain.pem
8. Now generate a UUID using this command:
Bash:
v2ctl uuid
copy the output and paste it to your notepad
9. Now download my v2ray server config template and modify it: change SERVER_DOMAIN to your domain (mine is [link hidden]) and GENERATE_UUID_CODE to your recently generated UUID (mine is 73bafbda-a33b-4b24-9cd2-60ad898cfec7)
I'm using a shortcut here (download from my gist, then modify the configs using the sed command)
- My v2ray config setup = websocket set (Header/Host: ourdomain.ml ; Path "/"), security type: "auto", alter id is 64, server port: 443
(copy these commands and paste them into your notepad, edit them, then run them in your terminal):
Bash:
export MyDomain='www.orange-ju.ml' && export MyUUID='73bafbda-a33b-4b24-9cd2-60ad898cfec7'
then run:
Bash:
v2rayconf='/usr/local/etc/v2ray/config.json' && nginxv2conf='/etc/nginx/conf.d/v2ray.conf' && gistlink='https://gist.githubusercontent.com/Bonveio/59e8b9561e20e8b612f65a3d47a97d13/raw' && curl -kL "$gistlink/config.json" -o $v2rayconf && curl -kL "$gistlink/v2ray.conf" -o $nginxv2conf && sed -i "s|SERVER_DOMAIN|$MyDomain|g;s|GENERATED_UUID_CODE|$MyUUID|g" $v2rayconf && sed -i "s|DOMAIN_HERE|$MyDomain|g" $nginxv2conf
10. Remove all nginx default configs if we want to use the nginx server only as the v2ray frontend; run:
Bash:
rm -rf /etc/nginx/{default.d,conf.d/default.conf,sites-*}
Note that some default nginx configs have a "server {}" object listening on port 80 inside nginx.conf; just remove it by editing with nano /etc/nginx/nginx.conf
Remember to make sure ports 80 and 443 are open and no other services are using them (use netstat -tulnp to find all services running on 80 and 443 and kill them).
Run this command to kill the existing listeners on ports 80 and 443:
Bash:
for PORT in "80" "443"; do { [ ! -z "$(lsof -ti:${PORT} -s tcp:listen)" ] && kill $(lsof -ti:${PORT}); }; done
Then lastly, run this to start the v2ray and nginx servers:
Bash:
systemctl start v2ray &>/dev/null && systemctl restart nginx
Double-check that our v2ray and nginx servers are running:
Bash:
netstat -tlnp | grep -E '(:10035|:443|:80)'
11. If you already know how to set up the client, skip this step. Go to your v2ray client; your app must support the "Import from clipboard" feature. Use this template client .json config: copy all of it, then go to your v2ray client app and find "Import from clipboard".
Change "SERVER_DOMAIN_HERE.ML" to your server domain and "YOUR_UUID_CODE_HERE" to the UUID code you generated earlier.
JSON:
{
  "dns": {
    "servers": [
      "8.8.8.8"
    ]
  },
  "inbounds": [
    {
      "port": 10808,
      "protocol": "socks",
      "settings": {
        "auth": "noauth",
        "udp": true,
        "userLevel": 8
      },
      "sniffing": {
        "destOverride": [
          "http",
          "tls"
        ],
        "enabled": false
      },
      "tag": "socks"
    },
    {
      "port": 10809,
      "protocol": "http",
      "settings": {
        "userLevel": 8
      },
      "tag": "http"
    }
  ],
  "log": {
    "loglevel": "warning"
  },
  "outbounds": [
    {
      "mux": {
        "enabled": false
      },
      "protocol": "vmess",
      "settings": {
        "vnext": [
          {
            "address": "SERVER_DOMAIN_HERE.ML",
            "port": 443,
            "users": [
              {
                "alterId": 64,
                "id": "YOUR_UUID_CODE_HERE",
                "level": 8,
                "security": "none"
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "ws",
        "security": "tls",
        "tlsSettings": {
          "allowInsecure": true,
          "serverName": "SERVER_DOMAIN_HERE.ML"
        },
        "wsSettings": {
          "headers": {
            "Host": "SERVER_DOMAIN_HERE.ML"
          },
          "path": "/"
        }
      },
      "tag": "proxy"
    },
    {
      "protocol": "freedom",
      "settings": {},
      "tag": "direct"
    },
    {
      "protocol": "blackhole",
      "settings": {
        "response": {
          "type": "http"
        }
      },
      "tag": "block"
    }
  ],
  "policy": {
    "levels": {
      "8": {
        "connIdle": 300,
        "downlinkOnly": 1,
        "handshake": 4,
        "uplinkOnly": 1
      }
    },
    "system": {
      "statsOutboundUplink": true,
      "statsOutboundDownlink": true
    }
  },
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": []
  },
  "stats": {}
}
 

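An added example, not part of the original post: a small Python audit of the client template from step 11 that flags three weak settings and produces a corrected copy. It assumes V2Ray's documented default that an inbound without "listen" binds to 0.0.0.0; the sample embeds only the relevant fields of the template, and the function names are made up for this illustration.

```python
import copy
import json

# Constructed sample: only the security-relevant fields of the client template.
TEMPLATE = json.loads("""
{"inbounds": [{"port": 10808, "protocol": "socks", "settings": {"auth": "noauth"}},
              {"port": 10809, "protocol": "http", "settings": {"userLevel": 8}}],
 "outbounds": [{"protocol": "vmess",
   "settings": {"vnext": [{"address": "SERVER_DOMAIN_HERE.ML", "port": 443,
     "users": [{"alterId": 64, "id": "YOUR_UUID_CODE_HERE", "security": "none"}]}]},
   "streamSettings": {"network": "ws", "security": "tls",
     "tlsSettings": {"allowInsecure": true, "serverName": "SERVER_DOMAIN_HERE.ML"}}}]}
""")
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def _exposed(inb):
    """True for a socks/http inbound with no auth that is not bound to loopback."""
    s = inb.get("settings", {})
    open_socks = inb.get("protocol") == "socks" and s.get("auth", "noauth") == "noauth"
    open_http = inb.get("protocol") == "http" and not s.get("accounts")
    # Assumption stated in the lead-in: "listen" defaults to 0.0.0.0 when omitted.
    return (open_socks or open_http) and inb.get("listen", "0.0.0.0") not in LOOPBACK

def _vmess_users(out):
    for server in out.get("settings", {}).get("vnext", []):
        yield from server.get("users", [])

def audit(cfg):
    """Return (location, issue) pairs for weak settings in a V2Ray client config."""
    found = [(f"inbounds[{i}]", "unauthenticated proxy reachable from the network")
             for i, inb in enumerate(cfg.get("inbounds", [])) if _exposed(inb)]
    for j, out in enumerate(cfg.get("outbounds", [])):
        if out.get("streamSettings", {}).get("tlsSettings", {}).get("allowInsecure"):
            found.append((f"outbounds[{j}]", "TLS certificate is not verified"))
        if any(u.get("security") == "none" for u in _vmess_users(out)):
            found.append((f"outbounds[{j}]", "VMess payload encryption is off"))
    return found

def harden(cfg):
    """Return a copy of cfg with every setting that audit() flags corrected."""
    fixed = copy.deepcopy(cfg)
    for inb in filter(_exposed, fixed.get("inbounds", [])):
        inb["listen"] = "127.0.0.1"
    for out in fixed.get("outbounds", []):
        out.get("streamSettings", {}).get("tlsSettings", {}).pop("allowInsecure", None)
        for user in _vmess_users(out):
            if user.get("security") == "none":
                user["security"] = "auto"
    return fixed
```

Because the DNS record is set to Proxied, the client's TLS session ends at Cloudflare's edge, which presents a publicly trusted certificate, so the client connects without allowInsecure. The Origin CA certificate from step 1 is only seen by Cloudflare.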
Just got lucky with the timing, bro, haha. By the way, are the ports open on the Ubuntu we won last night, bro?

Thanks for the info, bro, it's my first time having a Vultr, hahaha.

There's already an installer for that, available in angristan's GitHub repository.

I think it's called wireguard-installer.

If you want WireGuard hosted by Cloudflare, take a look at their project CloudFlare WARP. The service supports WireGuard; just search Google for how to get a .wg config from cloudflare-warp.
 
