Linux Technology

V2Ray Setup with WebSocket, TLS using Apache

In this post, I will introduce my method to set up a V2Ray service using WebSocket, TLS, and apache. This technique will hide your network traffic just like any other normal https traffic. It will not affect your existing sites on Apache if you configure it right. For further details of this tool, you can find it on the web anywhere.

Before start, we have the following steps to be done in total:

If you already have a VPS, a domain and SSL certificates, you can jump to the configuration part directly.

Get a VPS

I’ve introduced the VPS part in my past post. My setup includes 1 vCore, 2 GB RAM, 20 GB SSD, 40TB traffic, 1000 1000 MBit/s, 1 IPv4 address etc. KVM virtualization and Linux/Ubuntu combination are preferred.

Own a Domain

For buying a domain and setting nameserver, it’s included in my past post as well. You can choose from well-known domain providers like GoDaddy and Namecheap. DNS records need to be set after purchased a domain (your domain should bring you to your server’s IP).

Generate Certificates

This part is also included in my past post where you need to buy a certificate, activate it, and deploy it.

If you only want to use the webserver for V2Ray (no actual site deployed), you can create a free certificate from Let’s Encrypt using script. You can follow the tutorial here to apply a certificate (NB! only valid for 3 months, the certificate path will influence your configuration).

Configure Apache Server

In this section, you need to install Apache on your VPS first. The methods of installing Apache can be searched on the web (for example here). Then, you need to enable the following modules for Apache:

sudo a2enmod ssl
sudo a2enmod proxy
sudo a2enmod proxy_wstunnel
sudo a2enmod proxy_http
sudo a2enmod rewrite
sudo a2enmod headers

Next, you need to create/change your Apache’s site configuration file. Because I have a WordPress site running, I need Apache to handle both V2Ray network and the network connecting to my site (thanks to 90life).

The default configuration file would be 000-default.conf, located at /etc/apache2/sites-available/. If you don’t have a 443 port configuration (https enabled), you have to create one at the location above mentioned and write like the following codes. If you have one, you need to append to your configuration based on the following codes:

<VirtualHost *:443>
    # change your domain
    # you may have a different root
    DocumentRoot /var/www/

    # the SSL configuration enable https for your site and it’s also required by V2Ray
    SSLEngine on
    SSLCertificateFile /path/to/your/cert
    SSLCertificateKeyFile /path/to/your/private/key
    # the following file can be omitted
    SSLCertificateChainFile /key/bundle/file

    SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
    SSLCipherSuite HIGH:!aNULL

    # here configure how apache treat your incoming traffic. 
    # It will redirect websocket traffic to V2ray, but preserve other traffic for your site
    # Note: {port} should change to the same as V2Ray server config.
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /(.*) ws://localhost:{port}/$1 [P,L]

    # {path} must be the same in V2Ray server config
    SSLProxyEngine On
    Proxypass /{path}{port}
    ProxyPassReverse /{path}{port}


Note that you need to change the above configure based on your specific setup (domain, key files, port, path, etc.).

Install and Configure V2Ray Server Side

Before install, you need to make sure that the time on your VPS is calibrated and accurate. V2Ray won’t work if the time difference is greater than 90 seconds (Don’t worry about timezone, V2Ray will convert it automatically).

Then, installing it is as easy as one command:

bash <(curl -L -s

We need to configure our server side:

vim /etc/v2ray/config.json

Write the following JSON script, modified it based on your setup as well as your configuration in Apache:

  "inbounds": [{
    "port": {port}, // set your port (same as apache config)
    "listen":"", // Only listen to local host, avioding other external inspection to your port
    "protocol": "vmess",
    "settings": {
      "clients": [
          "id": "your-own-id-generated-when-installing",
          "alterId": 64
    "streamSettings": {
      "network": "ws",
      "wsSettings": {
        "path": "/{path}" // set your path (same as apache config)
  "outbounds": [{
    "protocol": "freedom",
    "settings": {}

Now, you can start V2Ray service using systemctl provided in Debian.

sudo systemctl start v2ray

Install and configure V2Ray client side

You can install client side application based on your devices. For example, Mac has V2RayX and V2RayU. Normally, you can use GUI to add configuration on your app (set domain, IP, port, ws, tls as configured in server). If you need a JSON configuration on your client, you can use the following template (some settings are not used):

  "inbounds": [
      "port": 1080,
      "listen": "",
      "protocol": "socks",
      "sniffing": {
        "enabled": true,
        "destOverride": ["http", "tls"]
      "settings": {
        "auth": "noauth",
        "udp": false
  "outbounds": [
      "protocol": "vmess",
      "settings": {
        "vnext": [
            "address": "", // set domain
            "port": 443, // Note! https port
            "users": [
                "id": "your-own-id-generated-when-installing", // change your id
                "alterId": 64
      "streamSettings": {
        "network": "ws",
        "security": "tls",
        "wsSettings": {
          "path": "/{path}"  // change your path

Recently, Surge app also supports vmess protocol. Hence, we can add one line to the configuration file:

# proxy_name = protocol, domain, port, id, ws, tls
name = vmess, your_domain, 443, username=your_id, ws=true, ws-path=/{path}, tls=1.2

By 533

♥️•🏊•💪🏻 •🐈•📷
•IG: @53333_ @xᴜɴxᴜɴ_ɢʀᴀᴄᴇ
•TW: @SimonNg533

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.