To counter the detection that leads to blocking, in particular TLS-in-TLS detection and TLS fingerprinting, the Xray-core team introduced two techniques: VLESS Vision and REALITY. Vision addresses the TLS-in-TLS traffic pattern, and REALITY borrows a real website's TLS handshake so that the server needs no domain or certificate of its own; together they hide the characteristics that give proxy traffic away and improve stability. For details, see the Xray documentation for Vision and Reality.
The guide below sets up VLESS + REALITY + uTLS + Vision (uTLS makes the client's ClientHello look like a mainstream browser's). This combination addresses both the TLS-in-TLS and the fingerprint problems and is currently one of the stronger options available.
Part Zero: Buy a Server
Part One: Standards for Obtaining a Domain Name
REALITY does not require you to own a domain: it borrows another site's domain as its handshake target. The server contacts that target site during the handshake and forwards visitors who fail REALITY authentication to it, so the target's reachability and latency from your server matter. Not every borrowed domain works well: the target determines the speed, connectivity and stability of the node you set up. The criteria a suitable domain must meet are described below.
1.1 Standards for Target Websites
The target website must meet all five of the following conditions:
- It uses TLS 1.3.
- It negotiates the X25519 key-exchange group (X25519 is a key agreement curve, not a signature algorithm; the browser check below shows it in the connection details).
- It supports HTTP/2 (h2).
- It is not behind a CDN. If the REALITY target is on a CDN, every connection that fails REALITY authentication is forwarded to a CDN edge node, which turns your REALITY server into a reverse-proxy accelerator for other people.
- It can be reached directly from inside China without any proxy.
1.2 How to Check Target Websites
Now that the five standards are known, how do you check whether a domain meets them? The checks below are done in Chrome or another Chromium-based browser.
- Check TLS 1.3 and X25519
  - Open the website and press F12 to open DevTools. If DevTools is displayed in another language, switch it to English in the settings so the tab names below match.
  - Under the "Security" tab, "Connection" should read "TLS 1.3, X25519, and AES_xxx" (the cipher suite name varies from site to site).
- Check HTTP/2 support
  - In the DevTools console, enter
    window.chrome.loadTimes()?.npnNegotiatedProtocol
    and the output should be "h2". This is a deprecated, Chrome-only API; the page's Navigation Timing entry reports the same value in its nextHopProtocol property if the call is no longer available.
- Check whether the website uses Cloudflare's CDN; if it does, the domain cannot be used.
  - Append
    /cdn-cgi/trace
    to the site's URL. For example, for https://codepen.io the URL becomes https://codepen.io/cdn-cgi/trace. If that URL returns a block of key=value lines (fl=, h=, ip=, colo=, ...), the site is served through Cloudflare and cannot be used; a 404 or the site's own error page means it is not.
- Connectivity test from inside China
  - On a multi-location ping test site with mainland-China probes, enter the domain and click "Continuous Test".
  - You do not need to wait for all 100 packets. Just make sure that no province in China shows 100% packet loss (a completely red row); a fully red row means that province cannot reach the website, i.e. it is blocked there.
  - Ideally every province in China can connect. If a domain works from Shanghai but not from Jiangsu and you will never use the node from Jiangsu, that is acceptable; choose according to where you will actually use it.
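The browser checks above test the site from your own machine, but REALITY dials the target from the server, so it is worth repeating the handshake and CDN checks from the VPS itself. The script below is an added example for this guide, not code from the original page or from Xray; it assumes openssl 1.1.1 or later (for TLS 1.3) and curl are installed on the server. The hostnames it checks are whatever candidates you pass on the command line; the s_client excerpts embedded in it are constructed to show what a passing and a failing site look like, so it also runs with no arguments and no network.

```shell
#!/usr/bin/env bash
# Added example for this guide (not code from the original page or from Xray).
# Run it on the VPS that will host REALITY: the server dials the target for
# every handshake, so the server's path to the site is the one that matters.
# Assumes openssl 1.1.1+ (TLS 1.3 support) and curl.
set -u

# Decide the three handshake criteria from the text `openssl s_client` prints.
# Returns 0 only when TLS 1.3, X25519 and ALPN h2 were all negotiated.
judge_handshake() {
  local out="$1" ok=0
  # Only a completed TLS 1.3 handshake prints a TLS_* cipher on this line.
  if printf '%s\n' "$out" | grep -qE '^New, TLSv1\.3, Cipher is TLS_'; then
    echo "  [ok]   TLS 1.3 negotiated"
  else
    echo "  [FAIL] TLS 1.3 not negotiated"; ok=1
  fi
  # OpenSSL labels the line "Server Temp Key" (<=3.1) or "Peer Temp Key" (3.2+).
  if printf '%s\n' "$out" | grep -q 'Temp Key: X25519'; then
    echo "  [ok]   X25519 key exchange"
  else
    echo "  [FAIL] key exchange is not X25519"; ok=1
  fi
  if printf '%s\n' "$out" | grep -qE '^ALPN protocol: h2[[:space:]]*$'; then
    echo "  [ok]   HTTP/2 selected via ALPN"
  else
    echo "  [FAIL] server did not select h2"; ok=1
  fi
  return $ok
}

# Cloudflare check from the response headers plus the body of /cdn-cgi/trace.
# Returns 0 (true) when the site is served through Cloudflare.
behind_cloudflare() {
  local headers="$1" trace="$2"
  printf '%s\n' "$headers" | grep -qiE '^(server: *cloudflare|cf-ray:)' && return 0
  printf '%s\n' "$trace" | grep -q '^colo=' && printf '%s\n' "$trace" | grep -q '^ip=' && return 0
  return 1
}

# Live check of one candidate host; exit status 0 means it passed everything.
check_reality_dest() {
  local host="$1" hs hdr trace rc=0
  echo "== $host"
  hs=$(openssl s_client -connect "$host:443" -servername "$host" \
         -tls1_3 -alpn h2 </dev/null 2>/dev/null || true)
  judge_handshake "$hs" || rc=1
  hdr=$(curl -sSI --max-time 10 "https://$host/" 2>/dev/null || true)
  trace=$(curl -sS --max-time 10 "https://$host/cdn-cgi/trace" 2>/dev/null || true)
  if behind_cloudflare "$hdr" "$trace"; then
    echo "  [FAIL] served through Cloudflare CDN"; rc=1
  else
    echo "  [ok]   no Cloudflare CDN detected"
  fi
  # TLS setup time from this server; lower means faster REALITY handshakes.
  curl -so /dev/null --max-time 10 \
    -w '  TLS handshake from this server: %{time_appconnect}s\n' "https://$host/" || true
  return $rc
}

# Constructed s_client excerpt of a site that passes (same shape as real output).
SAMPLE_PASS='Server Temp Key: X25519, 253 bits
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
ALPN protocol: h2'
# Constructed excerpt of a TLS 1.2-only site using P-256 with no ALPN.
SAMPLE_FAIL='Server Temp Key: ECDH, P-256, 256 bits
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
No ALPN negotiated'

if [ $# -gt 0 ]; then
  for h in "$@"; do check_reality_dest "$h"; done   # ./check_dest.sh host1 host2
else
  echo "== constructed passing sample"; judge_handshake "$SAMPLE_PASS"
  echo "== constructed failing sample"; judge_handshake "$SAMPLE_FAIL" || true
fi
```

Run it as `./check_dest.sh www.example.com another.example.org` on the server. The TLS 1.3 test deliberately looks at the "New, TLSv1.3, Cipher is TLS_..." line rather than the "Protocol" line of the session block, because s_client prints the latter even when the handshake failed.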
Part Two: Methods for Obtaining Reality Target Websites
Recommended order: borrow your own domain > borrow from a neighbor in the same network > borrow from a library, university or tourism bureau near the server > borrow from pre-tested lists > borrow large companies' websites.
2.1 Borrow Your Own Domain
If you own a domain, the best option is to deploy a website on your own server and use that domain as the target (the domain's DNS record points at the machine that runs REALITY; since REALITY takes port 443, the website itself listens on another local port, which you then use as the target address).
For example, if your server is in the United States and you host https://aaa.example.com on it, then aaa.example.com is the best choice, bar none. It still has to meet the conditions in "1.1 Standards for Target Websites" above.
2.2 Borrow a Neighbor's Domain
Use a FOFA search. It takes a few more steps, but because the target sits in the same network as your server it barely affects speed (the methods that follow do).
ASN query tool: https://tools.ipip.net/as.php
FOFA target website query tool: https://fofa.info
- First, enter your server's IP in the ASN query tool and note the ASN your server belongs to.
- Search FOFA with the condition below, replacing the ASN with the number you looked up. The example means "autonomous system 16509, US region, port 443, certificate not issued by Let's Encrypt or ZeroSSL, and the request succeeded (HTTP 200)". The country field is the two-letter ISO 3166-1 country/region code.
asn=="16509" && country=="US" && port=="443" && cert!="Let's Encrypt" && cert.issuer!="ZeroSSL" && status_code="200"
- From the results, pick sites that have a domain name and check them against the conditions in "1.1 Standards for Target Websites". Record the ones that pass all of them for later use.
2.3 Borrow from Libraries, Universities or Tourism Bureaus Near the Server
Assuming the server is in the United States, you can look for:
- Well-known US universities: check their official websites against the five conditions in "1.1 Standards for Target Websites".
- Official websites of US libraries, checked the same way.
- US tourism websites, checked the same way.
2.4 Borrow Pre-Tested Domains
Use domains that third-party sites have already tested. This is the simplest method, but you cannot control the location, so optimal speed is unlikely.
On such a site, pick the entries rated A+ and check them against the five conditions in "1.1 Standards for Target Websites". Record the ones that pass all of them for later use.
2.5 Borrow Large Companies' Websites (not recommended: they are usually far from your server, which costs speed, and they are the targets everyone else uses)
- www.icloud.com
- airbnb (different regions use different domains; search for the one that suits you), for example:
  - www.airbnb.co.uk
  - www.airbnb.ca
  - www.airbnb.com.sg
  - www.airbnb.com.au
  - www.airbnb.co.in
- addons.mozilla.org
- www.microsoft.com
- www.lovelive-anime.jp
- www.tesla.com
- wareval.com
- www.nvidia.com
- www.sap.com
Part Three: Setting Up Nodes on the Server
Once a suitable domain is in hand, it is time to set up the node on the server. X-UI is recommended for this, but the original X-UI has not been updated or maintained for a long time, so the following uses FranzKafkaYu's fork from GitHub (the install script below is fetched from that repository).
3.1 Install X-UI
- Run the install command. It pipes a script from GitHub straight into bash with root rights, so if you want to know what it does, download it first and read it before running it.
bash <(curl -Ls https://raw.githubusercontent.com/FranzKafkaYu/x-ui/master/install.sh)
- During installation you are prompted for a username and password; choose ones you like. The panel is exposed to the internet, so use a strong password.
- You also set the panel port, which is the port you use to reach the X-UI interface at IP:port, for example 6311.
- When the "x-ui management script usage" information appears, the installation succeeded. You can now open the panel at IP:port, for example http://5.5.5.5:6311, and log in with your username and password. The panel is served over plain HTTP, so preferably restrict its port in the firewall to your own IP, or reach it through an SSH tunnel, rather than leaving it open to the world.
3.2 Use X-UI to Set Up Nodes
- First, switch X-UI's Xray-core version; the latest version is recommended.
- After switching the core version, click "Inbound List" on the left, then "Add Inbound".
- Change the following fields:
  - Remark: a name, for example reality-vision.
  - Add User: click the "+" icon to add one user. Do not click the +3 or +5 options, or you will end up with many users.
  - Reality: turn the Reality switch on.
  - User's flow: xtls-rprx-vision (this option only appears once Reality is enabled).
  - Target Website: your chosen domain plus port 443, for example www.nvidia.com:443, with no http:// or https:// prefix. This is REALITY's dest, the real site your server dials during the handshake.
  - Optional Domain: your chosen website, for example www.nvidia.com, again without http or https. This is the server name (SNI) the client will send, so it must be a name the target actually serves.
- Click the "Add" button at the bottom.
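For readers who want to see what the panel fields above actually produce, the following is an added example, not code from the original guide, X-UI or Xray: it renders the Xray-core inbound JSON that corresponds to those settings, plus the vless:// share link that "Copy Link" hands out for it. "Target Website" is REALITY's dest, "Optional Domain" is its serverNames list, and the user's flow is xtls-rprx-vision. The UUID, key pair, short ID, server IP and node name in the demo are constructed placeholders; on a real server generate the key pair with `xray x25519`, the UUID with `xray uuid`, and the short ID as up to 8 random bytes in hex.

```shell
#!/usr/bin/env bash
# Added example (not the guide's, X-UI's or Xray's own code): the Xray-core
# inbound behind the panel fields in 3.2, and the share link a client imports.
set -u

# Print an Xray-core config with one VLESS + REALITY + Vision inbound on 443.
#   $1 client UUID          $2 REALITY private key (from `xray x25519`)
#   $3 dest, "host:443"     $4 server name the client sends as SNI
#   $5 short ID: an even number of hex characters, at most 16 ("" is allowed)
render_xray_inbound() {
  local uuid="$1" privkey="$2" dest="$3" sni="$4" sid="$5"
  cat <<EOF
{
  "inbounds": [
    {
      "listen": "0.0.0.0",
      "port": 443,
      "protocol": "vless",
      "settings": {
        "clients": [
          { "id": "$uuid", "flow": "xtls-rprx-vision" }
        ],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "tcp",
        "security": "reality",
        "realitySettings": {
          "show": false,
          "dest": "$dest",
          "xver": 0,
          "serverNames": [ "$sni" ],
          "privateKey": "$privkey",
          "shortIds": [ "$sid" ]
        }
      },
      "sniffing": {
        "enabled": true,
        "destOverride": [ "http", "tls", "quic" ]
      }
    }
  ]
}
EOF
}

# Build the vless:// link. pbk is the PUBLIC half of the key pair (the private
# key never leaves the server), fp=chrome is the uTLS fingerprint the client
# imitates, and the text after '#' is only the node name shown in the client.
render_share_link() {
  local uuid="$1" server="$2" pubkey="$3" sni="$4" sid="$5" remark="$6"
  printf 'vless://%s@%s:443?encryption=none&flow=xtls-rprx-vision&security=reality&sni=%s&fp=chrome&pbk=%s&sid=%s&type=tcp#%s\n' \
    "$uuid" "$server" "$sni" "$pubkey" "$sid" "$remark"
}

# Constructed placeholders for the demo; none of these values are real.
# On the server use:  xray uuid;  xray x25519;  openssl rand -hex 8
DEMO_UUID='0f3c2b18-5a6d-4b2e-9c41-7d8e5f6a1b2c'
DEMO_PRIV='xray-x25519-private-key-placeholder'
DEMO_PUB='xray-x25519-public-key-placeholder'
DEMO_SID='6ba85179e30d4fc2'
DEMO_SERVER='203.0.113.10'

render_xray_inbound "$DEMO_UUID" "$DEMO_PRIV" www.nvidia.com:443 www.nvidia.com "$DEMO_SID"
render_share_link "$DEMO_UUID" "$DEMO_SERVER" "$DEMO_PUB" www.nvidia.com "$DEMO_SID" reality-vision
```

If you write the JSON to a file, `xray run -test -c config.json` checks it without starting the server. Note that only the public key goes into the share link; the panel stores the private key in the inbound, and anyone who obtains it can impersonate your server to your clients.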
3.3 Using the Node
The Meta kernel (Clash Meta) offers a great deal of freedom. Only the simplest method is described below; more involved setups are not covered.
Using it in Clash Verge Rev
We can use a subscription conversion page to get this node into the client.
- In X-UI, open the "Inbound List" menu, find the node you just created, click "View" on its details, then click "Copy Link".
- Open https://sub.lainbo.com/
- Paste the copied link into the "Subscription Link" box. The text after # in the link is the node name and can be changed to something you recognize. You can also put your existing airport subscription (ss link) in front of it, so that the new node and the airport's nodes are merged into one subscription.
- Leave the other form fields alone and click "Generate Subscription Link" at the bottom.
- Enter the generated link in the top box of the "Subscription" menu in Clash Verge Rev and click "Import".
Note that a third-party converter receives everything in your share link: the server address, UUID, REALITY public key and short ID. If you would rather not hand those to a website, run the converter yourself or paste the vless:// link directly into a client that accepts it.
Using it in Clash Meta for Android
Likewise, merge it with your airport link if you have one; if not, just enter the vless://xxxxx link to generate a subscription for Clash Meta for Android and the other mobile apps built on the Meta kernel.
Using it in Shadowrocket
On iOS, of the four major clients only Shadowrocket handles Reality nodes; V2Box, FoXray and sing-box support Reality as well, but they are less widely used and are not covered here.
The procedure matches Clash Verge Rev: you need the airport's original subscription link and a Gist link for the self-built node. On the subscription conversion site, also set "Client" to Clash to generate a new subscription link.
- It is recommended to turn this link into a QR code, then
- On the Shadowrocket home page, tap the "+" in the top-right corner, find "Scan QR Code" at the bottom, and scan it to import the node.