XRay: Difference between revisions
| Line 30: | Line 30: | ||
== Global Tunnel (via TUN) == | == Global Tunnel (via TUN) == | ||
* You can also use XRay with a TUN interface. Normally, v2rayN should automatically setup everything (just check the checkbox in the main interface window). However, on my Gentoo Linux setup with version 7.13.2, it did not work. The main problem I encountered is that the "strict_rule" parameter of sing-box (which handles the TUN setup), when set to true, created an error. | * You can also use XRay with a TUN interface. Normally, v2rayN should automatically setup everything (just check the checkbox in the main interface window). However, on my Gentoo Linux setup with version 7.13.2, it did not work. The main problem I encountered is that the "strict_rule" parameter of sing-box (which handles the TUN setup), when set to true, created an error: ''starting TUN interface: add rule 0/9: address family not supported by protocol''. This error might be due to my particular configuration (in particular the kernel built-in modules), but I did not manage to solve it. | ||
* I tried to workaround this issue by setting strict_rule to false in the interface, changing the stack, but I could never manage to produce a successful setup. | * I tried to workaround this issue by setting strict_rule to false in the interface, changing the stack, but I could never manage to produce a successful setup. | ||
* In the end I configured sing-box directly. This is the configuration file that worked: | * In the end I configured sing-box directly. You can download the .deb package and extract directly the binary, it will be ok. This is the configuration file that worked: | ||
<pre> | <pre> | ||
{ | { | ||
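Review bot: the sentence added to the "In the end I configured sing-box directly" bullet ("You can download the .deb package and extract directly the binary") does not say which package is meant or where it is downloaded from. Name the download source and the package version the configuration was tested with, so a reader can fetch the same binary the rest of the section relies on.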
Latest revision as of 14:16, 24 July 2025
Concepts
- XRay is an advanced VPN with a focus on bypassing Internet censorship.
- It's a good VPN solution for countries with Internet restrictions.
- You must install the classic pair of client and server.
- For clients, v2rayN is a good choice for desktop OSes (Linux, Windows). For Android, V2rayTun on the Google store is fine.
- For servers, the 3x-ui Docker image (bundling the server / proxy component with a web interface) is what I used.
Setting up the server
- Clone this repository: https://github.com/MHSanaei/3x-ui. As explained, this is a web interface also containing the server part, in a self-contained Docker image.
- Run inside the directory: docker compose up -d
- The default port for the web interface is 2053, and the login/password is admin/admin. It's HTTP by default, not HTTPS, so these credentials cross the network unencrypted; change them after the first login.
- Important note: the interface only listens on IPv6. It will not work on a computer that only has IPv4 and tries to connect via IPv4.
- It's easy to create a vless configuration on the web interface. Every setting can be left to default; for the security part I chose Reality, and you need to generate a public/private key pair.
- The port for the interface AND the port for the vless configuration (for instance, 4443) both need to be opened if you have a firewall. For Rocky Linux 9.3:
firewall-cmd --permanent --add-port=2053/tcp
firewall-cmd --permanent --add-port=4443/tcp
firewall-cmd --reload
Setting up the client
System Proxy
- You must choose "Set system proxy" in the v2rayN interface (select box). This will then set the system proxy for your desktop environment (KDE). Many applications rely on this setting, for instance browsers (Chromium, Brave, Firefox). These applications will work instantly with the vless VPN as soon as you activate the system proxy in v2rayN.
- Note that for the system proxy, you can run v2rayN as a normal user (actually, I use the AppImage version of v2rayN that cannot be run as root).
- For the configuration part it's super easy; just copy the vless link from the 3x-ui interface into the client. It looks like:
vless://7ef83dc3-79ab-4169-8a58-54d382bef4ee@valmar.elvanor.net:PORTNUMBER?type=tcp&security=reality&pbk=PUBLICKEY&fp=chrome&sni=www.bing.com&sid=7db81f&spx=%2F#valmar-elvanor
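The link carries every parameter the client needs. As an added example (not part of the original page or of v2rayN), this Python function unpacks a link of this shape into the sing-box outbound structure used in the TUN section below. The function name, the sample port 4443 (taken from that configuration) and the fixed "packet_encoding" value are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

def vless_link_to_outbound(link, tag="vless-out"):
    """Turn a vless:// share link (TCP + Reality) into a sing-box outbound dict."""
    u = urlsplit(link)
    if u.scheme != "vless":
        raise ValueError("not a vless:// link")
    # u.port raises ValueError by itself when the port is not numeric.
    if not u.username or not u.hostname or u.port is None:
        raise ValueError("expected vless://UUID@HOST:PORT")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if q.get("type", "tcp") != "tcp" or q.get("security") != "reality":
        raise ValueError("only type=tcp with security=reality is handled")
    if not q.get("pbk"):
        raise ValueError("Reality link without a public key (pbk)")
    # spx and the #fragment label have no counterpart in the outbound shown on the page.
    return {
        "type": "vless",
        "tag": tag,
        "server": u.hostname,
        "server_port": u.port,
        "uuid": u.username,
        "packet_encoding": "xudp",      # assumption: copied from the page's config, not in the link
        "flow": q.get("flow", ""),
        "tls": {
            "enabled": True,
            "server_name": q.get("sni", u.hostname),          # sni -> TLS server name
            "reality": {"enabled": True,
                        "public_key": q["pbk"],               # pbk -> Reality public key
                        "short_id": q.get("sid", "")},        # sid -> Reality short id
            "utls": {"enabled": True,
                     "fingerprint": q.get("fp", "chrome")},   # fp  -> uTLS fingerprint
        },
    }

# Constructed sample: the page's link with PORTNUMBER replaced by 4443; PUBLICKEY stays a placeholder.
SAMPLE_LINK = ("vless://7ef83dc3-79ab-4169-8a58-54d382bef4ee@valmar.elvanor.net:4443"
               "?type=tcp&security=reality&pbk=PUBLICKEY&fp=chrome&sni=www.bing.com"
               "&sid=7db81f&spx=%2F#valmar-elvanor")

if __name__ == "__main__":
    import json
    print(json.dumps(vless_link_to_outbound(SAMPLE_LINK), indent=2))
```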
Global Tunnel (via TUN)
- You can also use XRay with a TUN interface. Normally, v2rayN should automatically set everything up (just check the checkbox in the main interface window). However, on my Gentoo Linux setup with version 7.13.2, it did not work. The main problem I encountered is that the "strict_rule" parameter of sing-box (which handles the TUN setup), when set to true, created an error: "starting TUN interface: add rule 0/9: address family not supported by protocol". This error might be due to my particular configuration (in particular the kernel built-in modules), but I did not manage to solve it.
- I tried to work around this issue by setting strict_rule to false in the interface and changing the stack, but I could never manage to produce a successful setup.
- In the end I configured sing-box directly. You can download the .deb package and extract the binary directly; that works fine. This is the configuration file that worked:
{
  "log": {"level": "info"},
  "dns": {
    "strategy": "prefer_ipv4",
    "servers": [
      {
        "address": "https://cloudflare-dns.com/dns-query",
        "address_resolver": "dns-direct",
        "tag": "dns-remote",
        "detour": "bypass-tunnel"
      },
      {
        "address": "1.1.1.1",
        "tag": "dns-direct"
      }
    ]
  },
  "inbounds": [
    {
      "type": "tun",
      "tag": "tun-in",
      "interface_name": "tun0",
      "inet4_address": "172.19.0.1/30",
      "stack": "gvisor",
      "auto_route": false,
      "strict_route": false
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "bypass-tunnel"
    },
    {
      "type": "vless",
      "tag": "vless-out",
      "server": "valmar.elvanor.net",
      "server_port": 4443,
      "uuid": "7ef83dc3-79ab-4169-8a58-54d382bef4ee",
      "packet_encoding": "xudp",
      "flow": "",
      "tls": {
        "enabled": true,
        "server_name": "www.bing.com",
        "reality": {
          "enabled": true,
          "public_key": "XXX",
          "short_id": "7db81f"
        },
        "utls": {
          "enabled": true,
          "fingerprint": "chrome"
        }
      }
    }
  ],
  "route": {
    "rules": [
      {
        "domain": ["cloudflare-dns.com"],
        "outbound": "bypass-tunnel"
      },
      {
        "ip_cidr": ["1.1.1.1/32"],
        "outbound": "bypass-tunnel"
      },
      {
        "ip_cidr": ["37.27.52.189/32"],
        "outbound": "dns-out"
      },
      {
        "ip_version": 4,
        "outbound": "vless-out"
      }
    ]
  }
}
- Note that "auto_route" is set to false (I could not get it to work with "auto_route": true). So you have to create the routes manually yourself, like this:
ip route add 1.1.1.1 via 192.168.1.254 # IP of Cloudflare DNS resolver
ip route add 37.27.52.189 via 192.168.1.254 # IP of Valmar
ip route add 104.16.248.249 via 192.168.1.254 # IP of Cloudflare (obtained via dig cloudflare-dns.com +short)
ip route add 104.16.249.249 via 192.168.1.254 # IP of Cloudflare (obtained via dig cloudflare-dns.com +short)
# sing-box stays in the foreground and creates tun0
sudo ENABLE_DEPRECATED_TUN_ADDRESS_X=true sing-box run -c /usr/local/opt/sing-box/config.json
# from a second terminal, once tun0 exists
ip route replace default dev tun0
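With "auto_route" off, every destination that sing-box reaches directly (the proxy server, the DNS resolvers, the bypass rules) needs its own host route before the default route moves to tun0. Otherwise that traffic loops back into the tunnel. As an added example (not part of the original page or of sing-box), this Python function derives the route commands from the configuration instead of typing them by hand. The function name, the injected `resolve` callable and the reduced sample data are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

def bypass_route_plan(config, gateway, resolve, tun="tun0"):
    """Return the `ip route` commands that keep direct traffic off the tunnel."""
    ipaddress.ip_address(gateway)                    # reject a malformed gateway early
    direct = {o["tag"] for o in config["outbounds"] if o["type"] == "direct"}
    default = config["outbounds"][0]["tag"]          # sing-box default: the first outbound
    targets = [o["server"] for o in config["outbounds"] if "server" in o]
    for srv in config.get("dns", {}).get("servers", []):
        if srv.get("detour", default) in direct:     # resolver reached outside the tunnel
            addr = srv["address"]
            targets.append(urlsplit(addr).hostname if "://" in addr else addr)
    for rule in config.get("route", {}).get("rules", []):
        if rule.get("outbound") in direct:
            targets += rule.get("ip_cidr", []) + rule.get("domain", [])
    nets = set()
    for t in targets:
        try:
            nets.add(ipaddress.ip_network(t))        # literal address or CIDR
        except ValueError:                           # hostname: ask the injected resolver
            nets.update(ipaddress.ip_network(ip) for ip in resolve(t))
    ordered = sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    cmds = []
    for n in ordered:
        dest = n.network_address if n.prefixlen == n.max_prefixlen else n
        cmds.append(f"ip route add {dest} via {gateway}")
    # Host routes go in first; the default route moves only once sing-box has created tun0.
    return cmds + [f"ip route replace default dev {tun}"]

# Constructed sample: the page's configuration reduced to the fields read above.
SAMPLE_CONFIG = {
    "dns": {"servers": [
        {"address": "https://cloudflare-dns.com/dns-query", "tag": "dns-remote",
         "detour": "bypass-tunnel"},
        {"address": "1.1.1.1", "tag": "dns-direct"}]},
    "outbounds": [
        {"type": "direct", "tag": "bypass-tunnel"},
        {"type": "vless", "tag": "vless-out", "server": "valmar.elvanor.net"}],
    "route": {"rules": [
        {"domain": ["cloudflare-dns.com"], "outbound": "bypass-tunnel"},
        {"ip_cidr": ["1.1.1.1/32"], "outbound": "bypass-tunnel"},
        {"ip_version": 4, "outbound": "vless-out"}]},
}
# Constructed resolver answers, using the addresses quoted in the page's route commands.
SAMPLE_DNS = {"valmar.elvanor.net": ["37.27.52.189"],
              "cloudflare-dns.com": ["104.16.248.249", "104.16.249.249"]}
```

Calling `bypass_route_plan(SAMPLE_CONFIG, "192.168.1.254", SAMPLE_DNS.__getitem__)` yields the four host routes listed above followed by the default-route switch; on a live system `resolve` would wrap a real DNS lookup.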