Welcome to the ultimate guide on configuring Xray-core. Whether you're a beginner setting up your first private proxy or an intermediate user looking to master advanced routing, this tutorial will walk you through every essential step. We'll demystify the JSON configuration, explain the core concepts, and provide practical examples to get you up and running.
Xray-core is a powerful and highly flexible networking tool, a superset of the popular V2Ray-core. Its real strength lies in its modular configuration, which allows for precise control over how network traffic is handled. Proper configuration is key to unlocking its full potential for security, performance, and censorship circumvention. This guide will cover everything from basic inbound/outbound setup to complex routing rules and efficient multi-file management.
The Anatomy of an Xray-core Configuration
At its heart, Xray-core is controlled by a single JSON file, typically named `config.json`. This file defines every aspect of its behavior. Understanding its main components is the first step towards mastery.
Inbounds vs. Outbounds: The Gateway and the Exit
Think of Xray-core as a processing box for your network traffic. Inbounds are the doors where traffic enters the box, and outbounds are the doors where it exits.
- Inbounds: These handlers listen for incoming connections. On a server, an inbound handler accepts connections from clients (e.g., using the VLESS protocol). On a client machine, an inbound handler creates a local proxy (like SOCKS or HTTP) that your applications connect to.
- Outbounds: These handlers are responsible for sending traffic out. On a client machine, the main outbound connects to your remote Xray server. Xray also has two special built-in outbounds: `freedom` (which sends traffic directly to its destination, bypassing any proxy) and `blackhole` (which silently drops traffic).
Protocols: VLESS, VMess, and Trojan
The protocol defines the language spoken between the client and server. Xray-core supports several, but three are most common:
| Protocol | Key Feature | Use Case |
|---|---|---|
| VLESS | High performance, lightweight, and extensible. Does not include encryption by default, relying on a lower-level transport layer like TLS. | The recommended default for most users due to its efficiency and modern design. |
| VMess | The original protocol from V2Ray, highly configurable with built-in encryption. Slightly more overhead than VLESS. | Good for compatibility with older V2Ray clients or specific network environments. |
| Trojan | Designed to mimic the common HTTPS protocol, making it very difficult to detect and block. | Ideal for environments with aggressive deep packet inspection (DPI). |
Routing: The Traffic Director
The `routing` object is the brain of your Xray-core setup. It examines each connection and decides which outbound to send it to based on a set of rules you define. This allows for powerful policies like blocking ads, bypassing domestic websites, or routing specific traffic through different servers.
Setting Up Your First Xray-core Server (Inbound)
Let's create a basic server configuration using the high-performance VLESS protocol with TLS for encryption. This is the most common and recommended setup. You will need a server (VPS) with a registered domain name pointing to its IP address.
Example Server `config.json`
{
"log": {
"loglevel": "warning"
},
"inbounds": [
{
"port": 443,
"protocol": "vless",
"settings": {
"clients": [
{
"id": "YOUR_UUID_HERE", // Generate with `xray uuid`
"flow": "xtls-rprx-direct"
}
],
"decryption": "none"
},
"streamSettings": {
"network": "tcp",
"security": "tls",
"tlsSettings": {
"alpn": ["http/1.1"],
"certificates": [
{
"certificateFile": "/path/to/your/fullchain.pem", // Your SSL cert
"keyFile": "/path/to/your/private.key" // Your SSL key
}
]
}
}
}
],
"outbounds": [
{
"protocol": "freedom",
"tag": "direct"
}
]
}Configuration Breakdown
- `log`: We set `loglevel` to `warning` to avoid cluttering logs during normal operation.
- `inbounds`: We define one inbound listener on port `443` (the standard HTTPS port).
- `protocol`: `"vless"`: We choose the VLESS protocol.
- `settings.clients`: This array holds the authorized clients. Each client is identified by a unique ID (`UUID`). You must generate your own using the command `xray uuid` or an online generator. `flow` is an advanced performance optimization.
- `streamSettings`: This configures the underlying transport. `network: "tcp"` is standard. `security: "tls"` is crucial; it encrypts the entire connection. The `tlsSettings` object points to your SSL certificate files, which you can obtain for free using Let's Encrypt and Certbot.
- `outbounds`: The server only needs a `freedom` outbound to send traffic to its final destination on the internet.
Connecting to Your Server (Client-Side Outbound)
Now let's configure the client machine (e.g., your laptop or desktop) to connect to the server we just set up. The client configuration has two main parts: an inbound to accept local connections from your apps (like a web browser) and an outbound to send that traffic to your server.
Example Client `config.json`
{
"log": {
"loglevel": "warning"
},
"inbounds": [
{
"port": 10808,
"listen": "127.0.0.1",
"protocol": "socks",
"settings": {
"auth": "noauth",
"udp": true
}
}
],
"outbounds": [
{
"protocol": "vless",
"settings": {
"vnext": [
{
"address": "your.domain.com", // Your server's domain
"port": 443,
"users": [
{
"id": "YOUR_UUID_HERE", // Must match the server's UUID
"flow": "xtls-rprx-direct",
"encryption": "none"
}
]
}
]
},
"streamSettings": {
"network": "tcp",
"security": "tls",
"tlsSettings": {
"serverName": "your.domain.com" // Your server's domain
}
}
},
{
"protocol": "freedom",
"tag": "direct"
}
]
}Configuration Breakdown
- `inbounds`: We create a SOCKS5 proxy listening on port `10808` on the local machine (`127.0.0.1`). This is the proxy address you'll configure in your web browser or system settings. `udp: true` enables UDP forwarding, which is important for some applications.
- `outbounds`: This is where we define the connection to our remote server.
- `settings.vnext`: This array contains the server details. `address` must be your server's domain name, and `port` must match the server's inbound port (`443`).
- `users.id`: This UUID **must be identical** to the one you set in the server's configuration.
- `streamSettings`: These settings must match the server's stream settings. `security` is `tls`, and critically, `tlsSettings.serverName` must be set to your domain to ensure the TLS handshake succeeds.
Mastering Traffic Control with Routing
Simple proxying is useful, but Xray's routing capabilities unlock its true power. By adding a `routing` object to your client's `config.json`, you can create sophisticated rules to handle traffic differently based on its destination.
To use domain and IP-based routing effectively, you'll need the `geoip.dat` and `geosite.dat` files from the official
domain-list-community repository. Place them in the same directory as your Xray executable.Example Client `routing` Configuration
"routing": {
"domainStrategy": "AsIs",
"rules": [
{
"type": "field",
"ip": ["geoip:private"], // Rule 1: Bypass private/LAN IPs
"outboundTag": "direct"
},
{
"type": "field",
"domain": ["geosite:category-ads-all"], // Rule 2: Block ads
"outboundTag": "blackhole"
},
{
"type": "field",
"domain": ["geosite:cn"], // Rule 3: Bypass Chinese domains
"outboundTag": "direct"
},
{
"type": "field",
"ip": ["geoip:cn"], // Rule 4: Bypass Chinese IPs
"outboundTag": "direct"
}
]
}You would add this `routing` object to your client's `config.json`. Xray processes rules from top to bottom. The first rule that matches a connection is used.
- Bypass Private IPs: The first rule uses `geoip:private` to match any traffic destined for your local network (e.g., accessing your router's admin page) and sends it through the `direct` outbound (which is our `freedom` outbound), bypassing the proxy.
- Block Ads: The second rule uses a pre-defined list of ad-related domains (`geosite:category-ads-all`) and routes them to the `blackhole` outbound, effectively blocking them.
- Bypass Regional Sites: The third and fourth rules use `geosite:cn` and `geoip:cn` to match domains and IPs located in China, sending them `direct`. This improves latency for domestic services while routing all other traffic through your remote server by default.
Organizing Your Configuration with Overrides
As your configuration grows, a single `config.json` file can become unwieldy. Xray-core provides a powerful solution: the ability to split your configuration into multiple files within a directory.
You can start Xray by pointing it to a directory instead of a single file using the `-confdir` flag: `xray -confdir /path/to/config/dir`.
Xray will load all `.json` files in that directory in alphabetical order and merge them. This allows you to separate logical parts of your configuration.
Example Directory Structure
/etc/xray/
├── 00_log.json
├── 05_inbounds.json
├── 06_outbounds.json
└── 99_routing.jsonHere's how it works:
- Merging Objects: Top-level objects like `log` or `routing` are merged. If `99_routing.json` defines a `routing` object, it will be merged with any `routing` object defined in a previous file.
- Appending to Arrays: For arrays like `inbounds`, `outbounds`, and `routing.rules`, the contents of the array in a later file are **appended** to the contents from an earlier file. This allows you to define base outbounds in one file and add more in another.
For example, `05_inbounds.json` would contain only the `inbounds` array, and `99_routing.json` would contain only the `routing` object. This modular approach makes managing complex setups significantly easier and less error-prone.
Enhancing Privacy with Professional Tools
Setting up a personal Xray-core proxy is a fantastic step towards digital privacy. However, for professional use cases like multi-account management, e-commerce, or ad verification, simply hiding your IP address is not enough. Modern websites use sophisticated browser fingerprinting techniques to track users. This is where specialized tools become essential.
Ultimate Anonymity with AntidetectBrowser
By combining your custom Xray-core proxy with a tool like
AntidetectBrowser, you can achieve a superior level of anonymity. AntidetectBrowser allows you to create and manage multiple browser profiles, each with a unique and authentic browser fingerprint (covering everything from WebGL, fonts, and screen resolution to user agents). When you route each profile through your Xray proxy, you create a browsing environment that is not only secure but also appears as a distinct, legitimate user, effectively preventing tracking and linking of your online activities.Hassle-Free, High-Quality Proxies with IPOCTO
While setting up your own server is educational, maintaining it and ensuring high uptime can be time-consuming. For businesses and individuals who need a large, diverse pool of reliable proxies without the setup overhead, a service like
IPOCTO is the ideal solution. IPOCTO provides access to millions of high-quality residential and datacenter IPs, allowing you to select proxies from specific geographic locations on demand. This is perfect for tasks like market research, price comparison, and accessing geo-restricted content at scale.Let content start driving traffic for you
From generation to publishing, fully automated—you just need to click start
Frequently Asked Questions
What's the difference between Xray-core and V2Ray-core?▼
Xray-core is a fork of V2Ray-core created by a former core developer. It aims for better performance and contains exclusive features, most notably the VLESS protocol and various `flow` control enhancements. While largely compatible with V2Ray, Xray is generally considered the more advanced and higher-performance option today.
How do I generate a UUID for my client configuration?▼
The easiest way is to use the Xray executable itself. Run the command `xray uuid` in your terminal, and it will output a new, unique UUID that you can copy and paste into your server and client configurations.
My connection isn't working. How do I debug it?First, check the logs. Set `"loglevel": "info"` in your `log` object on both the client and server to get more detailed output. Common issues include: 1) Firewall blocking the port on the server. 2) Domain name not pointing to the correct IP. 3) System clocks on client and server are not synchronized (crucial for TLS). 4) Mismatched UUIDs or other configuration parameters between client and server.
Can I use Xray-core without a domain name?Yes, you can use your server's IP address directly in the client configuration. However, this means you cannot use TLS for encryption, which is highly discouraged as it makes your traffic easier to identify and inspect. Using a domain name with TLS is the standard and most secure practice.
What is the difference between TCP, WebSocket, and gRPC transports?These are different `network` options in `streamSettings`. TCP is the standard, most efficient transport. WebSocket (WS) and gRPC are designed for camouflage. They wrap your proxy traffic to look like normal web traffic (WebSocket upgrades or gRPC calls), which is essential for bypassing firewalls and Content Delivery Networks (CDNs) like Cloudflare.
Conclusion
You have now journeyed through the fundamentals and advanced features of Xray-core configuration. We've covered the critical roles of inbounds and outbounds, configured a secure VLESS server and client, mastered traffic control with routing rules, and learned how to keep configurations tidy with the override mechanism.
Xray-core is an exceptionally versatile tool, and what we've explored here is just the beginning. We encourage you to experiment with different protocols, transports, and routing rules to tailor a setup that perfectly fits your needs. For further details and an exhaustive list of all options, the
official Xray-core documentation is an invaluable resource. Happy networking!