V2ray Proxy Tool Configuration

V2ray is a network proxy tool. One possible configuration uses WebSocket transport together with TLS, so that on the public network the traffic looks like normal HTTPS/WSS traffic, which is effective against China’s firewall. It can be combined with a web server such as Apache or Nginx acting as a reverse proxy. The entire network route looks like this:

browser <=> v2ray client <=> webserver <=> v2ray server

First, download v2ray binaries for both client and server.

V2ray Client Configuration

{
  "inbound": {
    "port": <local socks port>,
    "listen": "127.0.0.1",
    "protocol": "socks"
  },
  "outbound": {
    "protocol": "vmess",
    "settings": {
      "vnext": [
        {
          "address": "<server address>",
          "port": 443,
          "users": [
            {
              "id": "<uuid>"
            }
          ]
        }
      ]
    },
    "streamSettings": {
      "network": "ws",
      "security": "tls",
      "wsSettings": {
        "path": "/<path>/"
      }
    },
    "mux": {"enabled": false}
  }
}

Sometimes MUX will cause the entire connection to hang if one of them is broken, so I turn off this function.

V2ray Server Configuration

{
  "log": {
    "access": "<access log file path>",
    "error": "<error log file path>",
    "loglevel": "warning"
  },
  "inbound": {
    "port": <port number>,
    "listen": "127.0.0.1",
    "protocol": "vmess",
    "settings": {
      "clients": [
        {
          "id": "<uuid>"
        }
      ]
    },
    "streamSettings": {
      "network": "ws",
      "wsSettings": {
        "path": "/<path>/"
      }
    }
  },
  "outbound": {
    "protocol": "freedom",
    "settings": {}
  }
}

Apache Configuration

The webserver needs a valid TLS certificate, such as one obtained from Let’s Encrypt with certbot, to encrypt traffic on the public network. The webserver decrypts the TLS traffic and uses ProxyPass to forward the WebSocket content to the backend v2ray server at localhost:<port number>.

<LocationMatch "<path>">
    ProxyPass ws://127.0.0.1:<port number>/<path>/
    ProxyAddHeaders Off
    ProxyPreserveHost On
    RequestHeader set Host %{HTTP_HOST}s
    RequestHeader set X-Forwarded-For %{REMOTE_ADDR}s
</LocationMatch>

Security

To improve security, run v2ray as a regular user instead of root, so that a possible security vulnerability in v2ray does not compromise the entire system. Create a Linux user with useradd and configure the systemd service to run v2ray with that user and group. Choose a port number high enough that binding to it does not require superuser permission.
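
A systemd unit that follows the steps above, as an added example that is not from the original post or the v2ray project. The account name, binary path, config path and unit file location are assumptions, and the sandboxing directives go beyond the paragraph's user/group step while serving the same least-privilege goal.

```ini
# /etc/systemd/system/v2ray.service   (assumed location and unit name)
#
# Create the unprivileged account first (assumed name "v2ray"; the nologin
# path differs between distributions):
#   useradd --system --no-create-home --shell /usr/sbin/nologin v2ray

[Unit]
Description=V2ray server (unprivileged)
After=network-online.target
Wants=network-online.target

[Service]
# Run as the dedicated account instead of root.
User=v2ray
Group=v2ray

# Assumed install paths; adjust to where the binary and config actually live,
# and to the invocation your v2ray version expects.
ExecStart=/usr/local/bin/v2ray -config /etc/v2ray/config.json
Restart=on-failure

# The inbound listens on 127.0.0.1:<port number>. With a port of 1024 or
# above (the Linux default threshold) no capability is needed to bind,
# so the service gets none.
CapabilityBoundingSet=
AmbientCapabilities=
NoNewPrivileges=true

# Limit what a compromised process can read or write.
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true

# Creates /var/log/v2ray owned by User= and keeps it writable under
# ProtectSystem=strict. Point the "access" and "error" log paths in the
# server config there, or the non-root process cannot write its logs.
LogsDirectory=v2ray

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload` and starting the service, `systemctl show v2ray -p User -p NoNewPrivileges` confirms the settings took effect.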

Further Steps

V2ray has new features such as QUIC and HTTP/2 transport. Maybe I will try them later.