How to set up Xray Reality on a cheap VPS — works in China and Russia (2026)
I've been running this setup for a while and it's one of the more reliable ways to get through the GFW and Russian TSPU filtering right now. Writing it up properly since most existing guides are outdated.
Why Xray Reality and not WireGuard/OpenVPN?
WireGuard is great but trivially detected — the GFW fingerprints it within seconds. OpenVPN on 443 used to work but is now blocked in most regions of China.
VLESS+Reality is different: it doesn't just encrypt traffic, it impersonates a real TLS website. To a firewall doing deep packet inspection, your traffic looks like someone visiting microsoft.com or apple.com.
What you need
- A VPS outside China/Russia — HK, Singapore, or Europe all work. 512MB RAM is enough.
- No domain required (one of the advantages of Reality over older Xray configs)
- Root SSH access
- iOS: Shadowrocket ($2.99) / Android: v2rayNG (free) / Windows: v2rayN (free)
Step 1 — Install Xray
SSH into your VPS and run the official installer:
bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install
This installs Xray to /usr/local/bin/xray and creates a systemd service.
Step 2 — Generate keys
xray x25519
Save the output — you get a Private key and a Public key. You need both.
Also generate a short ID:
openssl rand -hex 8
Save this too.
Step 3 — Pick a destination domain
This is the site your traffic will "pretend" to be. Pick any popular HTTPS site accessible from your VPS:
- www.microsoft.com
- www.apple.com
- www.lowendtalk.com (meta but works)
Verify TLSv1.3 support:
curl -v --tlsv1.3 https://www.microsoft.com 2>&1 | grep "TLSv1.3"
Step 4 — Write the config
Create /usr/local/etc/xray/config.json:
{
  "inbounds": [{
    "port": 443,
    "protocol": "vless",
    "settings": {
      "clients": [{
        "id": "PASTE-A-UUID-HERE",
        "flow": "xtls-rprx-vision"
      }],
      "decryption": "none"
    },
    "streamSettings": {
      "network": "tcp",
      "security": "reality",
      "realitySettings": {
        "dest": "www.microsoft.com:443",
        "serverNames": ["www.microsoft.com"],
        "privateKey": "YOUR-PRIVATE-KEY",
        "shortIds": ["YOUR-SHORT-ID"]
      }
    }
  }],
  "outbounds": [{"protocol": "freedom"}]
}
Generate a UUID: xray uuid
Replace PASTE-A-UUID-HERE, YOUR-PRIVATE-KEY, and YOUR-SHORT-ID with your values.
Step 5 — Start Xray
systemctl restart xray
systemctl status xray
Should show active (running). If not: journalctl -u xray -n 50
Step 6 — Configure your client
In Shadowrocket, v2rayN, or v2rayNG, create a new VLESS connection:
| Field | Value |
|---|---|
| Address | your VPS IP |
| Port | 443 |
| UUID | from your config |
| Flow | xtls-rprx-vision |
| Transport | TCP |
| Security | Reality |
| Public Key | from Step 2 |
| Short ID | from Step 2 |
| SNI | www.microsoft.com |
Step 7 — Split tunneling (optional but recommended)
In Shadowrocket set mode to Rule and add:
- GEOIP,CN,DIRECT — Chinese IPs connect directly
- GEOIP,RU,DIRECT — Russian IPs connect directly
- FINAL,PROXY — everything else through VPS
This keeps banking apps and local services fast. Full routing guide: https://routeveil.com/blog/does-split-tunneling-matter-xray-shadowrocket
Common issues
Port 443 already in use: Check if nginx/apache is running. Stop it or change Xray to a different port.
Connection refused: Make sure port 443 is open in both the OS firewall and your VPS provider's network panel.
Reality handshake fails: The dest domain might not support TLSv1.3, or it may block requests from VPS IPs. Try a different dest domain.
Works at home, blocked at office/school: Some networks do SNI filtering. Try a different destination domain.
Notes
This runs fine on the cheapest VPS you can find — 512MB RAM, 1 vCPU is more than enough. I've been using a $3.50/month VPS for this without issues.
Happy to answer questions.
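A pre-flight check for the Step 4 config, to run before the restart in Step 5. This is an added example, not part of the original post or of the Xray project. The name `lint_reality` is hypothetical, and the rules are assumptions: the private key is the 43-character unpadded base64url string that `xray x25519` prints, a short ID is even-length hex of at most 16 characters, and the dest host appears in serverNames as it does in the post's template.

```python
import json
import re
import sys

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
KEY_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")  # 32 bytes as unpadded base64url
SHORT_ID_RE = re.compile(r"^([0-9a-f]{2}){1,8}$", re.I)  # even-length hex, <= 16 chars

# Constructed sample: the Step 4 template with its placeholders left in place.
SAMPLE = json.loads("""{"inbounds": [{"port": 443, "protocol": "vless",
  "settings": {"clients": [{"id": "PASTE-A-UUID-HERE", "flow": "xtls-rprx-vision"}],
               "decryption": "none"},
  "streamSettings": {"network": "tcp", "security": "reality", "realitySettings": {
    "dest": "www.microsoft.com:443", "serverNames": ["www.microsoft.com"],
    "privateKey": "YOUR-PRIVATE-KEY", "shortIds": ["YOUR-SHORT-ID"]}}}],
  "outbounds": [{"protocol": "freedom"}]}""")


def lint_reality(cfg):
    """Return a list of problems in the VLESS+Reality inbounds of a parsed config."""
    problems = []
    for i, inbound in enumerate(cfg.get("inbounds", [])):
        stream = inbound.get("streamSettings", {})
        if inbound.get("protocol") != "vless" or stream.get("security") != "reality":
            continue
        where = f"inbounds[{i}]"
        for client in inbound.get("settings", {}).get("clients", []):
            if not UUID_RE.match(str(client.get("id", ""))):
                problems.append(f"{where}: client id is not a UUID")
            if client.get("flow") != "xtls-rprx-vision":
                problems.append(f"{where}: flow is not xtls-rprx-vision")
        rs = stream.get("realitySettings", {})
        if not KEY_RE.match(str(rs.get("privateKey", ""))):
            problems.append(f"{where}: privateKey is not an x25519 key")
        ids = rs.get("shortIds", [])
        if not ids or not all(SHORT_ID_RE.match(str(s)) for s in ids):
            problems.append(f"{where}: shortIds must be even-length hex, max 16 chars")
        host = str(rs.get("dest", "")).rsplit(":", 1)[0]
        if host not in rs.get("serverNames", []):
            problems.append(f"{where}: dest host {host!r} is not in serverNames")
    return problems


if __name__ == "__main__":
    # Lint the file given as argv[1], or the embedded sample when none is given.
    cfg = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    found = lint_reality(cfg)
    print("\n".join(found) or "no problems found")
    sys.exit(1 if found else 0)
```

Run it against /usr/local/etc/xray/config.json; a non-zero exit means a placeholder or malformed value is still in the file.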

Comments
$99 to run a script in the terminal? dayum.
{
  "log": {
    "level": "warn",
    "timestamp": true
  },
  "inbounds": [
    {
      "type": "vless",
      "tag": "vless-reality-in",
      "listen": "::",
      "listen_port": 58888,
      "users": [
        {
          "uuid": "5c1a8888-2d88-4788-88b6-88a563797d92",
          "flow": "xtls-rprx-vision"
        }
      ],
      "tls": {
        "enabled": true,
        "server_name": "www.apple.com",
        "reality": {
          "enabled": true,
          "handshake": {
            "server": "www.apple.com",
            "server_port": 443
          },
          "private_key": "EPIz9emniVi2ETL6RuZGbG7REHa8PBf7mcnorEcl01M",
          "short_id": "a1b2c3d4e5f67890",
          "max_time_difference": "1m"
        }
      },
      "sniff": true,
      "sniff_override_destination": true,
      "sniff_timeout": "300ms"
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "direct-out",
      "domain_strategy": "prefer_ipv6"
    }
  ]
}
Please explain: is it more secure / better than standard Xray without Reality? Somehow I prefer Xray listening on localhost with the websocket (ws) setting, and using an Apache reverse proxy to it.
Fair point — if you're comfortable with the terminal, the script takes 10 minutes. The $99 is for people who aren't, want it done correctly the first time, and don't want to debug why their Reality handshake fails at 2am. Different audience.
Thanks for sharing — that's a solid config. The sniff_override_destination is a nice touch for transparent proxy setups.
Reality borrows the live TLS handshake from a real site (microsoft.com etc.) — to a scanner your server literally is microsoft.com. No web server, no path to probe. Better against active probing (GFW, TSPU), your WS+Apache is fine for basic blocking.
Hysteria2 is not a bad option either. This is what some guys in Iran were using.
This is most likely illegal or at least grey, so he is actually risking his life and exposing his identity.
What's the difference between Hysteria2 and Reality?
My favorite way is Rstun + socks5 server (best: hev socks5server; microsocks server is not bad), UDP kind. Local network programs use the rstun local bind port as the socks5 server. Lightweight and stable.
Hysteria2 is UDP/QUIC, faster and lower latency but UDP gets throttled easily. Reality runs on TCP 443 and looks exactly like HTTPS — harder to block without breaking legit traffic. For China/Russia long-term stability Reality wins, but if UDP isn't throttled on your network Hysteria2 is worth trying.
Share the repos
I don't think people in those countries will be able to afford that. Most of them use shitty free VPNs because they can't even afford a paid one. But good luck with sales.
This way does not support mobile now (poorer than hy2). Run rstun in server mode on the VPS (upstream -> socks server) and start the socks server; run rstun in client mode locally to connect to the rstun server, listening on local TCP port A; set the browser (or other software that supports a socks proxy) to use local port A as the socks server.
Only 99$ to setup? nice deal
... and a shill post full of long dash.
What's the story? Post shows edited.