Step-by-Step Guide to Setting Up XUI with Cloudflare CDN


How to Install and Configure XUI for Secure VPN Servers

XUI is a powerful, web-based control panel designed to simplify the management of Xray/V2Ray VPN servers. It allows you to create multiple users, manage protocols like VLESS, VMess, and Trojan, and monitor bandwidth through a user-friendly interface.

This guide covers the step-by-step process to install and secure XUI on a Linux server.

Prerequisites

Before starting, ensure you have the following components ready:

Server: A VPS running Ubuntu 20.04 or later, or Debian 11 or later.

Access: Root access or a user with sudo privileges.

Domain: A registered domain name pointed to your VPS IP address (required for SSL/TLS certificates).

Step 1: Update the System and Install Dependencies

Log into your server via SSH. Begin by updating your system packages and installing the necessary core tools: curl and socat, which acme.sh depends on, and acme.sh itself.

    sudo apt update && sudo apt upgrade -y
    sudo apt install curl socat -y
    # acme.sh is installed by its own installer, which places it in ~/.acme.sh
    curl https://get.acme.sh | sh

Step 2: Install the XUI Panel

Several forks of XUI exist, but the 3x-ui fork is widely considered the most actively maintained and secure version. Run the official installation script:

    bash <(curl -Ls https://githubusercontent.com)

During the installation process, the script will prompt you to set up your initial login credentials:

Change the default port: Choose a random custom port (e.g., 54321 or 8443) instead of the default to cut down on hits from automated scans of the default port.

Set a strong username: Avoid basic names like admin.

Set a strong password: Use a mix of letters, numbers, and symbols.

Once finished, the script will automatically start the XUI service.

Step 3: Obtain an SSL/TLS Certificate

To secure your traffic and access the panel over HTTPS, you must obtain a free Let’s Encrypt SSL certificate using acme.sh.

Register your email with Let’s Encrypt:

    # --server letsencrypt selects Let's Encrypt rather than acme.sh's default CA
    ~/.acme.sh/acme.sh --register-account -m YOUR_EMAIL --server letsencrypt

Issue the certificate using the standalone mode. Ensure your firewall allows traffic on port 80 during this step:

    ~/.acme.sh/acme.sh --issue -d yourdomain.com --standalone --server letsencrypt

Create a dedicated directory to store the certificates:

    sudo mkdir -p /etc/xui-cert

Install the certificates to the newly created directory:

    ~/.acme.sh/acme.sh --install-cert -d yourdomain.com --key-file /etc/xui-cert/private.key --fullchain-file /etc/xui-cert/cert.crt

Step 4: Configure the Web Interface

With the certificate installed, log into the panel and point it at the certificate files. This first login uses plain HTTP, so the connection is not encrypted until the SSL settings below are saved.

Open your web browser and navigate to http://yourdomain.com:YOUR_PORT.

Log in using the credentials you created during Step 2.

Navigate to Panel Settings (or System Settings).

Locate the SSL configurations and enter the file paths created in the previous step:

Public Key Path: /etc/xui-cert/cert.crt
Private Key Path: /etc/xui-cert/private.key

Save the settings and restart the panel.

Note: From this point forward, you must access the panel using https://yourdomain.com:YOUR_PORT.

Step 5: Create a Secure VPN Inbound (VLESS + XTLS/Reality)

For maximum security and censorship circumvention, use the VLESS protocol combined with XTLS-Reality. This setup disguises your VPN traffic as standard HTTPS traffic to a legitimate website.

In the XUI sidebar, click on Inbounds and click Add Inbound.

Configure the following basic settings:

Remark: Choose an identifying name (e.g., Secure-VLESS).

Protocol: Select vless.

Port: Use 443 for standard HTTPS camouflage.

Scroll down to the Transport or Security section:

Security: Select REALITY.

Dest: Enter a legitimate website physically close to your server that uses TLS 1.3 (e.g., microsoft.com or yahoo.com).

Server Names (SNI): Match the destination website (e.g., microsoft.com).

Click Get New Cert to generate the required private and public keys automatically.

Click Create to activate the inbound proxy.

Step 6: Configure the Server Firewall

Secure your server by closing unused ports and restricting access. If using Ubuntu, manage this easily with ufw:

    # Allow standard SSH access
    sudo ufw allow 22/tcp
    # Allow your custom XUI web panel port
    sudo ufw allow YOUR_PORT/tcp
    # Allow standard VPN traffic ports
    sudo ufw allow 443/tcp
    sudo ufw allow 80/tcp
    # Enable the firewall
    sudo ufw enable

Step 7: Connect Clients to Your Server

Your secure server is now operational. To connect a device:

Go back to the Inbounds section in the XUI panel.

Click the QR Code or Info button next to the user client you generated.

Copy the configuration URL (begins with vless://).

Paste this URL into a compatible client application, such as v2rayN (Windows), v2rayNG (Android), FoXray (iOS), or Nekoray (macOS/Windows).
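A check for the Step 6 firewall rules, as an added example that is not part of the original guide: it parses `ufw status` output and reports any allowed port outside the list the guide opens, any expected port that is missing, and an inactive firewall. The function names and the sample output (including the stray 3306/tcp rule) are constructed for illustration, and 54321 stands in for YOUR_PORT.

```shell
# Added example: compare `ufw status` output with the ports this guide opens.
# On a server: sudo ufw status | audit_ufw "22/tcp 80/tcp 443/tcp YOUR_PORT/tcp"

# audit_ufw ALLOWED: reads `ufw status` text on stdin, prints one finding per
# line, returns 0 when the allowed ports match ALLOWED and 1 otherwise.
audit_ufw() {
  awk -v allowed="$1" '
    BEGIN { bad = 0; n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^Status:/ {
      seen = 1
      if ($2 != "active") { print "INACTIVE"; bad = 1 }
      next
    }
    {
      # Rule lines look like: "443/tcp (v6)   ALLOW   Anywhere (v6)"
      action = ""
      for (i = 2; i <= NF; i++)
        if ($i == "ALLOW" || $i == "LIMIT") { action = $i; break }
      if (action == "") next   # headers, blank lines, DENY and REJECT rules
      if ($1 in ok) { found[$1] = 1; next }
      if (!($1 in flagged)) { print "UNEXPECTED " $1; flagged[$1] = 1; bad = 1 }
    }
    END {
      if (!seen) { print "NO_STATUS_LINE"; bad = 1 }
      for (p in ok) if (!(p in found)) { print "MISSING " p; bad = 1 }
      exit bad
    }'
}

# Constructed sample output: the four ports from Step 6 (54321 as YOUR_PORT)
# plus a stray 3306/tcp rule that the guide never opens.
sample_status() {
  cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
54321/tcp                  ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
3306/tcp                   ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
3306/tcp (v6)              ALLOW       Anywhere (v6)
EOF
}

sample_status | audit_ufw "22/tcp 54321/tcp 443/tcp 80/tcp" || echo "review the rules listed above"
```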
