Home VPN (XRay)
Intro
VPNs are primarily designed to create a secure and encrypted connection between your device and a remote server. This connection can be used to protect online privacy, hide your IP address and enhance security when connecting to the internet, especially on public Wi-Fi networks.
So let’s configure our own home VPN server without a paid cloud. Pay once ;)
Hardware
A Raspberry Pi looks like a good option, since it’s a powerful mini-computer with all the needed interfaces at a fair price.
The best way to buy one is to order it from China. I’ve used a Pi 4B with 8Gb of RAM as an example, but you can choose a simpler model without Ethernet/USB-A and with 2 Gb RAM - it should serve the needs of a couple of users just fine.
I suggest buying a complete set with a housing and a power unit, like this one.

The best choice is to install Ubuntu Server on it with Raspberry Pi Imager. Don’t forget to add your SSH key during configuration, and connect the Pi to the router via Ethernet.
VPN
The problem is that nowadays it’s pretty easy to inspect traffic with DPI (deep packet inspection) technologies, detect packets of the popular VPN protocols and block them.
The general solution is to build a proxy based on a protocol like Shadowsocks, which is designed to be hard to detect, bypass firewalls and encrypt traffic.
My choice, at the moment, is XRay (VLESS).
XRay (Vless)
VLESS is a lightweight, stateless transport protocol primarily used for secure communication. It is part of Xray, a project that extends and enhances the capabilities of V2Ray. V2Ray can be compared with the Shadowsocks protocol and can be called its successor (after the original Shadowsocks was removed from the internet at the government’s request), rather than with higher-level VPN/proxy solutions like Outline.
Xray supports VLESS, while V2Ray does not natively include it, making Xray the appropriate choice for this setup.
So, let’s configure the XRay server and client.
XRay Server
Install XRay Server:
bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)"
Generate a client ID:
xray uuid
Do this for every new client (one ID per unique VPN user), and update the server config with the new client entry (see example below).
Generate a self-signed certificate and key:
- install openssl:
sudo apt-get install openssl
- generate certificate and key:
sudo openssl req -x509 -nodes -days 99999 -newkey rsa:2048 -keyout /etc/xray/key.key -out /etc/xray/cert.crt -subj "/CN=<ROUTER_PUBLIC_DNS>"
This creates a certificate valid for 99999 days (pick a smaller number for real “prod” usage), stored at /etc/xray/cert.crt with the key at /etc/xray/key.key.
Create a config file at /usr/local/etc/xray/config.json:
{
  "inbounds": [
    {
      "listen": "0.0.0.0",
      "port": 4443, // or another free port
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "id": "<generated_id>",
            "level": 0,
            "flow": "xtls-rprx-vision"
          }
        ],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "tcp",
        "security": "tls",
        "tlsSettings": {
          "certificates": [
            {
              "certificateFile": "/etc/xray/cert.crt",
              "keyFile": "/etc/xray/key.key"
            }
          ]
        }
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "settings": {}
    }
  ]
}
Start the service: sudo systemctl start xray
Enable it to start on boot: sudo systemctl enable xray
Check the status: sudo systemctl status xray
Or check logs: journalctl -u xray
Don’t forget to set up port forwarding on your router for the specified port (e.g. 4443).
Ensure your firewall allows traffic on the selected port using ufw (sudo ufw allow 4443).
XRay Clients
Mac OS
Install xray client:
brew install xray
Create a config file:
{
  "log": {
    "loglevel": "debug"
  },
  "inbounds": [
    {
      "port": 1080,
      "protocol": "socks",
      "settings": {
        "auth": "noauth",
        "udp": true
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "vless",
      "settings": {
        "vnext": [
          {
            "address": "<router_ipv4_address>",
            "port": 4443,
            "users": [
              {
                "id": "<generated_id>",
                "encryption": "none",
                "flow": "xtls-rprx-vision"
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "tls",
        "tlsSettings": {
          "serverName": "<server_name>",
          "allowInsecure": true
        }
      }
    }
  ]
}
Here, serverName is the CN that you used when generating the certificate.
Run the client:
xray -config /usr/local/etc/xray/config.json
Allow the proxy in the network settings: go to Wi-Fi details -> set the SOCKS proxy to 127.0.0.1 and port 1080 -> toggle allow. Don’t forget to disable it again when you stop the xray client.
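An added example (not from the original post): a small Python check that flags two weak settings in the client config above. The SOCKS inbound has no "listen" key, so Xray binds it to 0.0.0.0 and any host on the local network can use the unauthenticated proxy, and "allowInsecure": true turns off verification of the server certificate. The sample config is constructed from the one above with placeholder values, and the finding names are made up for this example.

```python
import ipaddress
import json
import re

# Constructed sample: the client config from this page with placeholder values.
SAMPLE = """
{
  "inbounds": [{"port": 1080, "protocol": "socks",  // no "listen" key
                "settings": {"auth": "noauth", "udp": true}}],
  "outbounds": [{"protocol": "vless",
    "settings": {"vnext": [{"address": "vpn.example.net", "port": 4443,
      "users": [{"id": "00000000-0000-4000-8000-000000000000",
                 "encryption": "none", "flow": "xtls-rprx-vision"}]}]},
    "streamSettings": {"network": "tcp", "security": "tls",
      "tlsSettings": {"serverName": "vpn.example.net", "allowInsecure": true}}}]
}
"""

def strip_comments(text):
    """Drop // comments outside JSON strings (Xray accepts them, json.loads does not)."""
    pattern = r'"(?:\\.|[^"\\])*"|//[^\n]*'
    return re.sub(pattern, lambda m: m.group(0) if m.group(0).startswith('"') else "", text)

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return addr == "localhost"

def audit(config_text):
    """Return a sorted list of finding names (hypothetical) for an Xray client config."""
    cfg = json.loads(strip_comments(config_text))
    findings = set()
    for inbound in cfg.get("inbounds", []):
        no_auth = inbound.get("settings", {}).get("auth", "noauth") == "noauth"
        # Xray listens on 0.0.0.0 when "listen" is omitted.
        exposed = not is_loopback(inbound.get("listen", "0.0.0.0"))
        if inbound.get("protocol") == "socks" and no_auth and exposed:
            findings.add("socks-noauth-exposed")
    for outbound in cfg.get("outbounds", []):
        stream = outbound.get("streamSettings", {})
        tls = stream.get("tlsSettings", {})
        if stream.get("security") == "tls" and tls.get("allowInsecure"):
            findings.add("tls-verification-disabled")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Adding "listen": "127.0.0.1" to the SOCKS inbound clears the first finding without changing how the local proxy is used.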
Mobile
Install v2rayNG from the store.
The simplest way to configure it is to construct a link and paste it into the app:
vless://<generated_id>@<router_public_dns>:<port>?security=tls&flow=xtls-rprx-vision&sni=<router_public_dns>&allowInsecure=1#<connection_name>
All the arguments can be taken from the previously created configs. The last one is just a connection name; use any name you want.
Enjoy!