Configure Vless/Vmess with 3X-UI

In general this is some sort of refresh for the old guide but with some minor additions and use of 3X-UI which has english language supported. Pretends to be complete guide for newbies.

Preparations

Step 1: Reach your VPS

Not a secret that in 2025 still not so many ISP gives you IPv6 connectivity. Use #get_ipv6_connectivity in Hax chat to get list of known ways to get it. At the moment of writing post they are:

Cloudflare WARP, some links: official website, generate a wireguard config or use via Hiddify
Avira Phantom VPN – via 3 months trial
Tor – nodes quite often has IPv6 connectivity as well, use via Orbot or InviZible Pro on Android, via binaries bundle for desktop or via Tor browser (socks5 proxy available on port 9150)

Step 2: DNS64 or WARP?

WARP installation on VPS is preferred. That’s why:

DNS64 gives synthetic IPv6 addresses for domains which doesn’t have it, and there’s nothing done for regular IPv4 adresses. This means that even when you reaching IPv4-only domain, your VPS actually reached it via IPv6 connection.

If you don’t have native IPv6 connectivity, this also means that you going to face with DNS issues on your mobile/desktop devices: if device’s DNS set to i.e. 1.1.1.1 and you pass all traffic via vless/vmess proxy, then request will first reach your VPS and then it will try to reach 1.1.1.1, but it won’t be able, because VPS works with IPv6-only traffic.

On the other side WARP creates complete outbound IPv4 interface, so VPS will be able to communicate with both IPv4 and IPv6 without problems.

Step 3: Acquire domain

In this guide I’m using subdomain acquired from DNS Pointing CF, with “CF Proxy” option set to “yes”.

If you’re going to use own domain:

Add it into Cloudflare – it will require to change nameservers, which will take time (from few hours up to 1-2 days)
Open management page. On left side click on “DNS” entry
On the DNS Records page press “Add record”, choose AAAA type, fill your IPv6 for it and enable proxy for it

Install 3X-UI

Project’s repository is available on Github: https://github.com/MHSanaei/3x-ui. You need to run:

bash <(curl -Ls https://raw.githubusercontent.com/mhsanaei/3x-ui/master/install.sh)

In the beginning it will updata package cache in install necessary tools:

start of 3x-ui installation

In the end it will ask if you want to customize 3X-UI listening port, then give you some generated username, password and admin panel path:

As mentioned in the end, you can run x-ui settings to see your credentials and URL for admin panel:

You’re able to change them either via calling x-ui command in terminal (see for “reset” menu entry) or via admin panel

Configure 3X-UI

Step 1: Get SSL cert

When domain managed via Cloudflare, there’s few states of SSL setting for it:

None: Cloudflare will do nothing, if you have SSL it will be used, if no – it won’t be
Some sort of proxy level: traffic between client and Cloudflare will be covered by SSL, but between Cloudflare and your VPS will go “as is” (the option above)
Full: requires from your VPS to have any (even self-signed) cert configured – traffic between Cloudflare and VPS will be encrypted with it
Strict full: require your VPS to have trusted SSL configured (i.e. acquired from Let’s encrypt or any other world-wide trusted CA)

DNS Pointing CF service from Hax has third state of this setting, which allows us to use self-signed certs, so this guide will use self-signed one.

Make some dir to store it, then generate with openssl tool:

mkdir self-signed
cd self-signed
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=CommonNameOrHostname"

There was used default values because it doesn’t really matter for self-signed cert.

P.S.: If you’re using own domain, then don’t forget to configure required SSL/TLS level in Cloudflare dashboard. If you wish to use “strict full” level, then consider acquiring any cert in any known way. You can get one for free with Acme.sh

Step 2: Enable self-signed cert

You probably noticed and IPv4 in this address – don’t use it, because it’s related to Cloudflare WARP installed on VPS. It is outbound only, so you can’t control VPS with it.

Since you’ve got IPv6 connectivity in any way on your phone/desktop, open it directly via IPv6 address. If you’re not sure about IPv6 address and too lazy to open website, use this command – IPv6 address will be on right side of “inet6” word:

ip -6 addr show venet0

Final url should have similar structure:

http://[your ipv6 should be in square brackets]:8443/path_to_admin_panel

Your browser may warn you about inability to reach secured (HTTPS) version, skip it for now and continue with HTTP.

If you have no mistakes, you’ll see next:

Fill your username and password, then on main page you will see notification that connection is not secure. In this step we’re going to fix this.

Open “Panel Settings” and scroll down till the “Listen port” – below you will see such settings for key paths. Fill them as show on image:

P.S.: we was at home dir (which is /root/ for root user) when created self-signed folder and generated keys inside.

cert.pem is public key
key.pem is private key

If you’ve given other names for keys and/or created another dir for them, be sure to specify proper paths.

Now scroll to top, press “Save” button. When it will be saved press “Restart Panel”.

After restart the page will be reloaded and browser will try to open admin panel via HTTPS. You will see security alert, i.e. in Firefox it looks like this:

Right now you need to accept it and continue – admin panel will be loaded on Settings page.

Step 3: Enable your (sub)domain from Cloudflare

As mentioned earlier, I’m using subdomain from Hax in this guide.

Under the “Listen IP” field we have “Listen Domain” – fill it with your domain

Now save settings and restart panel.

This time it won’t be automaticaly redirected, so you will need to manually type your domain instead of IPv6 address (square brackets are not needed anymore). If no mistakes were made, you’ll see login page again. Also this time there won’t be any security alerts: our self-signed cert is being used for traffic between Cloudflare and VPS, however Cloudflare cares traffic from your browser with trusted SSL.

Proxies

Step 1: Creating inbound

Now from overview page click on “Inbounds” in menu. Here you need to launch actual proxies, which you later will use on your mobile/desktop devices.

Press “Add Inbound” button, you’ll see dialog for it’s settings:

Remark is just name of proxy to be displayed in 3X-UI, call it as you want.

DISCLAIMER: author of this guide is not expirienced alot with such kind of software. If you know these things better – try to configure them and if it will work – suggest updates for this guide (if you wish). Below described what I was able to launch successfully.

Step 2: Use the inbound

Now click on “+” near to ID of created inbound – it will open list of clients.

Use icon buttons to gather or update connection details for particular client. There are marked:

QR code for importing on mobile device
“More info” which contains all client details including URL for import, see example below

In my case I was using “Invisible Man Xray” client (it’s feels more “friendly” for me) for final check. It performs “URL test” (as it was called in some other clients) for checking connectivity and everything works fine.

Some final words

All domains, usernames, passwords, paths and so on was changed after writing this guide. Don’t think that it was left as is.

Change admin panel credentials

Open admin panel
Open “Panel Settings”
Switch settings tab from “General” to “Authentication”
Put current credentials and new, then confirm

Some clients for these kinds of proxy

v2rayN (windows)
v2rayNG (android)
Invisible Man Xray (windows)
Hiddify (windows, mac, linux, android, ios)
Exclave (android, fork of SagerNet)