reality.mdx 4.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135
  1. ---
  2. title: REALITY
  3. description: Set up a VLESS + REALITY inbound with XTLS-Vision in 3x-ui — keys, short IDs, SNI, fingerprints, and common pitfalls.
  4. icon: ShieldCheck
  5. ---
  6. **REALITY** is an Xray transport security that disguises your proxy as ordinary
  7. traffic to a real, popular website. Unlike classic TLS, your server needs **no
  8. certificate of its own** — it borrows the TLS handshake of the target site
  9. (`dest`). Combined with the **XTLS-Vision** flow, it is fast and resistant to
  10. deep-packet inspection.
  11. REALITY is used with **VLESS** (and Trojan). The recommended flow is
  12. `xtls-rprx-vision`.
  13. ## Key settings
  14. When you choose **REALITY** as the security mode on a VLESS inbound, 3x-ui
  15. exposes these fields:
  16. | Field | What it is |
  17. | ------------------------ | ------------------------------------------------------------------ |
  18. | **Dest (target)** | A real TLS site to impersonate, e.g. `www.microsoft.com:443`. |
  19. | **SNI / Server Names** | The hostname(s) clients send; must match the target's certificate. |
  20. | **Public / Private key** | An **x25519** keypair. The private key stays on the server. |
  21. | **Short IDs** | Hex strings used to authenticate clients (you can have several). |
  22. | **Flow** | Set to `xtls-rprx-vision`. |
  23. | **Fingerprint (uTLS)** | The client TLS fingerprint to mimic, e.g. `chrome`. |
  24. The private key is generated with Xray's `x25519` utility (the panel can
  25. generate the pair for you):
  26. ```bash title="generate an x25519 keypair"
  27. xray x25519
  28. ```
  29. ## Set it up in the panel
  30. <Steps>
  31. <Step>
  32. ### Create a VLESS inbound
  33. Add a new inbound, choose protocol **VLESS**, and set **Security** to
  34. **reality**.
  35. </Step>
  36. <Step>
  37. ### Choose a target (dest) and SNI
  38. Pick a reputable site that supports TLS 1.3 and HTTP/2 and is reachable from your
  39. server and your clients (for example `www.microsoft.com:443`). Set the server
  40. names / SNI to match that site's certificate.
  41. </Step>
  42. <Step>
  43. ### Generate keys and short IDs
  44. Generate the x25519 keypair and one or more short IDs. Keep the **private key**
  45. secret; clients only ever receive the **public key**.
  46. </Step>
  47. <Step>
  48. ### Set the flow and fingerprint
  49. Use the `xtls-rprx-vision` flow and a common uTLS fingerprint such as `chrome`.
  50. </Step>
  51. <Step>
  52. ### Add a client and share the link
  53. Create a client, then use its share link or QR code in a compatible app
  54. (v2rayNG, Hiddify, Mihomo, and others).
  55. </Step>
  56. </Steps>
  57. ## What the configuration looks like
  58. On the server, a REALITY inbound's `streamSettings` looks roughly like this:
  59. ```json title="server inbound (excerpt)"
  60. {
  61. "network": "tcp",
  62. "security": "reality",
  63. "realitySettings": {
  64. "dest": "www.microsoft.com:443",
  65. "serverNames": ["www.microsoft.com"],
  66. "privateKey": "<x25519 private key>",
  67. "shortIds": ["<hex short id>"],
  68. "fingerprint": "chrome"
  69. }
  70. }
  71. ```
  72. The matching client share link carries the **public** parameters:
  73. ```text title="vless:// (excerpt)"
  74. vless://<uuid>@<server>:443?security=reality&pbk=<public-key>&sid=<short-id>&sni=www.microsoft.com&fp=chrome&spx=%2F&flow=xtls-rprx-vision#my-reality
  75. ```
  76. - `pbk` — REALITY **public** key
  77. - `sid` — short ID (matches one on the server)
  78. - `sni` — server name (matches the target's certificate)
  79. - `fp` — client fingerprint
  80. - `spx` — spiderX path
  81. - `flow` — `xtls-rprx-vision`
  82. ## Common pitfalls
  83. <Callout type="warn">
  84. - **Bad target.** The `dest` must be a real site that supports **TLS 1.3** and
  85. **HTTP/2**, is reachable, and isn't blocked in your region. Pick a site you do
  86. not own and that sees lots of traffic.
  87. - **SNI mismatch.** The SNI / server names must match the target's real
  88. certificate, or the handshake gives the disguise away.
  89. - **Leaked private key.** Only ever distribute the **public** key to clients.
  90. - **Wrong flow.** REALITY + XTLS-Vision needs `flow = xtls-rprx-vision` on both
  91. the inbound client entry and the share link.
  92. </Callout>
  93. ## Generate a config
  94. Use the generator below to create a fresh X25519 keypair, UUID, and short ID,
  95. then copy the server inbound JSON and the client share link. Everything is
  96. computed **in your browser** — no keys or links are sent anywhere.
  97. <RealityConfigGenerator />
  98. <Callout type="info">
  99. The **private key** belongs only on your server. Share the generated
  100. `vless://` link (which contains the **public** key) with clients.
  101. </Callout>