VLESS Deployment Guide: From Server Setup to Client Optimization

6/14/2026 · 2 min

1. Server-Side Deployment

1.1 Install Xray Core

First, log in to your Linux server (Ubuntu 20.04+ or CentOS 7+ recommended). Use the official script to install Xray:

bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install

After installation, Xray runs as a systemd service. Check its status with systemctl status xray.

1.2 Configure VLESS Inbound

Edit the Xray configuration file at /usr/local/etc/xray/config.json and add a VLESS inbound. Below is a basic example using Reality:

{
  "inbounds": [
    {
      "port": 443,
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "id": "your-uuid",
            "flow": "xtls-rprx-vision"
          }
        ],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "tcp",
        "security": "reality",
        "realitySettings": {
          "dest": "www.microsoft.com:443",
          "serverNames": ["www.microsoft.com"],
          "privateKey": "your-private-key",
          "shortIds": ["6ba85179e30d4fc2"]
        }
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "tag": "direct"
    }
  ]
}

Key Parameters:

  • id: Unique identifier for the client, generated via xray uuid.
  • flow: Use xtls-rprx-vision for XTLS flow control.
  • [security](/en/blog/vmess-vs-vless-performance-and-security-trade-offs-in-censorship-circumvention-2): reality mode effectively hides proxy characteristics.
  • dest: Target domain for camouflage; choose a large CDN domain.

1.3 Start and Verify

Restart Xray and check logs:

systemctl restart xray
journalctl -u xray -n 20 --no-pager

2. Client Configuration

2.1 Download Client

2.2 Add VLESS Node

Using v2rayN as an example:

  1. Click "Server" -> "Add [VLESS] Server".
  2. Fill in server address, port, UUID, and flow.
  3. Under "Transport", select tcp transport, reality security, and enter the server's public key, shortId, and serverName.
  4. Save and enable the node.

2.3 Test Connection

Visit ip.sb to verify your IP has changed. If unable to connect, check firewall rules for the port (default 443).

3. Performance Optimization

3.1 Enable BBR Congestion Control

BBR significantly improves TCP throughput. Run:

echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf
sysctl -p

Verify with sysctl net.ipv4.tcp_congestion_control (should return bbr).

3.2 Adjust Xray Buffer

Add "bufferSize": 64 to the inbound configuration to optimize memory usage.

3.3 Use CDN Relay

If your server IP is throttled, wrap VLESS with WebSocket + TLS and route through Cloudflare CDN. Note: Reality mode cannot be directly proxied via CDN.

4. Common Issues

4.1 Connection Timeout

  • Ensure the firewall allows the port.
  • Synchronize system time (error < 1 minute).
  • Verify serverName matches the dest domain.

4.2 Slow Speed

  • Try changing flow to xtls-rprx-vision.
  • Check server bandwidth usage.
  • Change the camouflage target (dest).

4.3 UUID Conflict

Ensure each client uses a unique UUID to avoid conflicts.

Related reading

Related articles

Building Your Own VPN Node: From VPS Selection to WireGuard Deployment
This article provides a comprehensive guide to building your own VPN node, covering VPS selection, OS choice, WireGuard deployment, and configuration optimization for a secure and high-performance private VPN service.
Read more
VPN Selection Guide for Overseas Work: Technical Decisions from Protocol Performance to Compliance Implementation
This article analyzes key factors for VPN selection in overseas work scenarios from a technical perspective, including protocol performance comparison (WireGuard, OpenVPN, IKEv2), security compliance requirements (GDPR, data localization), network optimization strategies (multipath, smart routing), and deployment architecture choices (cloud-native, hybrid), helping technical decision-makers build efficient, secure, and compliant remote work networks.
Read more
VPN Proxy Protocol Comparison: Performance and Security Analysis of WireGuard vs. VLESS in Cross-Border Scenarios
This article provides an in-depth comparison of WireGuard and VLESS in cross-border scenarios, covering encryption mechanisms, transmission efficiency, anti-interference capabilities, and deployment recommendations to help users choose the optimal solution.
Read more
From SS to VLESS: Technical Rationale and Security Benefits of Protocol Migration in VPN Services
This article provides an in-depth analysis of the technical rationale and security benefits of migrating from Shadowsocks (SS) to VLESS protocol in VPN services, covering protocol evolution, encryption mechanisms, performance comparison, and deployment recommendations.
Read more
Building a Personal VPN from Scratch: A Secure, Stable, and Low-Cost Practical Solution
This article provides a complete guide for beginners to build a personal VPN, covering protocol selection, server deployment, client configuration, and security optimization, enabling secure and stable network connectivity at low cost.
Read more
From VMess to VLESS: Security Trade-offs and Performance Optimizations in the Evolution of V2Ray Protocols
This article provides an in-depth analysis of the evolution from VMess to VLESS, the core protocols of V2Ray. It examines the differences in security mechanisms, performance characteristics, and suitable use cases. VLESS achieves lower latency and higher throughput by removing encryption layers and simplifying handshake procedures, but introduces new security considerations. The article helps readers understand the trade-offs behind protocol design and offers deployment recommendations.
Read more

FAQ

What is the difference between VLESS and VMess?
VLESS is a lightweight transport protocol that removes the encryption layer from VMess, relying on transport security (e.g., TLS/Reality) for better performance and fewer fingerprints.
Does Reality mode require a domain and certificate?
No. Reality leverages TLS 1.3 ECH to encrypt traffic using the camouflage target's certificate, eliminating the need for your own domain or certificate.
How to generate UUID and key pair?
Use `xray uuid` to generate a UUID; use `xray x25519` to generate the public and private keys required for Reality.
Read more