Installing v2ray vmess + websocket + TLS using Cloudflare CDN setup

Tutorial on how to:
* Setup v2ray VMESS + WebSocket + TLS using CloudFlare CDN services on VPS (Debian/RHEL based OS only)

Aim of this setup is to hide your server identity (IP Address) on public.
Note: This will not obfuscate your server outgoing connection into CloudFlare CDN.
Actual setup is just normal v2ray installation running as VMess listening on localhost and a Nginx web server frontend for Websocket + TLS client request forwarder.

Prerequisite:

• A own VPS Server with a Public IP Address (must be configured to allow inbound/outbound connections to the following ports: 80,443,10035)(For AWS/Azure/Alibabacloud/GoogleCloud users, make sure provided ports are open on your firewall)
• [For newbies] to avoid some errors, i suggest to run this tutorial to a fresh/newly deployed instance/vps
• A little knowledge about linux commands (knew how to navigate using cd,ls,rm,cp and mv , and also knew how to use nano(text editor)
• Own CloudFlare Account with a domain ready for setup, must be enabled Full SSL/TLS Encryption (no cloudflare or domain account? get them free here: https://phcorner.net/threads/1020514)
• A scratch notepad for taking notes or file-editing

!! Prepare a stable internet connectivity, avoid running same commands twice or more. Avoid too much typographical errors. Follow instructions carefully

1. We need to get the Origin certificates first.
Login to your CloudFlare account (https://dash.cloudflare.com) On your dashboard, goto SSL/TLS >> Origin Server >> then click “Create Certificate”

On Private key type, select ECDSA

and just click “Next”

2. Im using cl1p.net Services as a online clipboard to excess using SFTP or any interactive file transfer on our tutorial.
Go to your browser, add a new tab. we will going to create cl1p.net link, just think some unique lone urlname, then access it as a url.
example: https://cl1p.net/orange-ju-filecert

im using the following URL for my 2 files(you can change it too, save them in a notepad, later i will explain how to use them inside of your vps terminal/shell):
Certificate file: https://cl1p.net/orange-ju-filecert
Certificate key file: https://cl1p.net/orange-ju-filekey

Copy first the origin certificate, then paste it to your Certificate file cl1p URL (mine is https://cl1p.net/orange-ju-filecert)


then click “Paste and Create”.
Same in the private key, paste it to your Certificate key file URL (mine is https://cl1p.net/orange-ju-filekey)


then click “Paste and Create”.
– I set all may clips as “Destroy cl1p when viewed” so if i accidentally visit my clip it will be automatically deleted, also the secure way of sharing some sensitive data in public like certs and priv keys. You can decide on how your cl1ps are going to be deleted (by expiry or by viewing them once)
Just keep all 2 links, dont visit them.
After all of these, go back to our last session on Cloudflare tab, finish it by clicking “OK”
3. Set a hostname for our server, mine is www.orange-ju.ml (you can choose any subdomain you want to your server hostname).To access DNS Management, just find “DNS” on upper navigation of your CloudFlare dashboard and click it.
click “Add record” for new dns record
OR if www is already existed on your record list, click the “Pencil” button to modify it.

Type: A
Name: www
IPv4 Address: <your VPS IP address>
TTL: Auto
Proxy status: Proxied

then click “Save”
4. now we’re leaving CloudFlare dns management dashboard. We’re looking forward now to our VPS, prepare your ssh client and access your VPS root terminal (for sudo users: run su - to access root of your VPS) after logging in to root, run some update/upgrade commands on your package manager to ensure no installation errors appear during v2ray & nginx installation.

Debian/Ubuntu: apt update && apt upgrade -y -f
CentOS/Fedora/RHEL: yum update -y || dnf update -y

5. run v2ray server installer script from fhs-install-v2ray project.
but before that, double check if curl,unzip and nginx package is installed.

Debian/Ubuntu: apt install curl unzip nginx net-tools lsof -y
CentOS/Fedora/RHEL: yum install curl unzip nginx net-tools lsof -y || dnf install curl unzip nginx net-tools lsof -y

If error occured while Installing NGiNX on Debian/Ubuntu, because your package manager attempts to install also nginx-full and nginx-light. try to uninstall nginx-full, nginx-light, nginx-extras.
apt remove --purge nginx-* -y -f
then autoremove nginx install remains:
apt autoremove -y -f
and update your package manager
apt update
lastly, install nginx:
apt install nginx -y

after curl & unzip install, run:

Bash:

bash <(curl -L https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh)

wait until it finish

6. Remember our 2 links we created earlier? we’ll going to download them via cURL command then put them inside /usr/local/etc/v2ray directory.
First alternate or change some values here (copy these commands & paste them on your notepad, edit them, change “cl1p.net” into “api.cl1p.net”, then run on your terminal):

Bash:

export CertURL='https://api.cl1p.net/orange-ju-filecert' && export KeyURL='https://api.cl1p.net/orange-ju-filekey'

then run:

Bash:

v2raydir='/usr/local/etc/v2ray' && curl -kL "$CertURL" -o $v2raydir/cert.pem && curl -kL "$KeyURL" -o $v2raydir/key.pem && curl -kL "https://support.cloudflare.com/hc/article_attachments/360037898732/origin_ca_ecc_root.pem" -o $v2raydir/root_ecc.pem

7. After downloading three files, create a fullchain certificate by running this commannd:

Bash:

v2raydir='/usr/local/etc/v2ray' && printf "%b\n" "$(cat $v2raydir/cert.pem)\n$(cat $v2raydir/cert.pem)\n$(cat $v2raydir/root_ecc.pem)" > $v2raydir/fullchain.pem

8. Now generate UUID using this command:

Bash:

v2ctl uuid

copy the output and paste it to your notepad
9. now download my v2ray server config template and modify: change SERVER_DOMAIN to your domain (mine is www.orange-ju.ml) and GENERATE_UUID_CODE to your recent generated UUID (mine is 73bafbda-a33b-4b24-9cd2-60ad898cfec7)
Im using a shortcut here (download from my gist, then modify configs using sed command)
– My v2ray config setup = websocket set (Header/Host: ourdomain.ml ; Path “/”) and security type : “auto” , alter id is 64, server port: 443
(copy these commands & paste them on your notepad, edit them, then run on your terminal):

Bash:

export MyDomain='www.orange-ju.ml' && export MyUUID='73bafbda-a33b-4b24-9cd2-60ad898cfec7'

then run:

Bash:

v2rayconf='/usr/local/etc/v2ray/config.json' && nginxv2conf='/etc/nginx/conf.d/v2ray.conf' && gistlink='https://gist.githubusercontent.com/Bonveio/59e8b9561e20e8b612f65a3d47a97d13/raw' && curl -kL "$gistlink/config.json" -o $v2rayconf && curl -kL "$gistlink/v2ray.conf" -o $nginxv2conf && sed -i "s|SERVER_DOMAIN|$MyDomain|g;s|GENERATED_UUID_CODE|$MyUUID|g" $v2rayconf && sed -i "s|DOMAIN_HERE|$MyDomain|g" $nginxv2conf

10. remove all nginx default configs if we want to just use nginx server as v2ray frontend, run:

Bash:

rm -rf /etc/nginx/{default.d,conf.d/default.conf,sites-*}

Be noted that some default nginx configs have some “server {}” object listening on port 80 inside nginx.conf, just remove by editing using nano /etc/nginx/nginx.conf
Remember to make sure Port 80 and 443 is open and no other services using it (find using netstat -tulnp all services running on 80 and 443 and kill it)
run these command to kill existing 80 and 443 port:

Bash:

for PORT in "80" "443"; do { [ ! -z "$(lsof -ti:${PORT} -s tcp:listen)" ] && kill $(lsof -ti:${PORT}); }; done

then lastly, run these to start v2ray and nginx server

Bash:

systemctl start v2ray &>/dev/null && systemctl restart nginx

double check if our v2ray and nginx server are running

Bash:

netstat -tlnp | grep -E '(:10035|:443|:80)'

11. If you already knew how to setup on client, skip this step, Go to your v2ray client, your app must support “Import from clipboard” feature, use this template client .json config, copy all then goto your v2ray client app, find “Import from clipboard”
modify “SERVER_DOMAIN_HERE.ML” as your server domain and “YOUR_UUID_CODE_HERE” to your generated UUID code earlier

JSON:

{   "dns": {     "servers": [       "8.8.8.8"     ]   },   "inbounds": [     {       "port": 10808,       "protocol": "socks",       "settings": {         "auth": "noauth",         "udp": true,         "userLevel": 8       },       "sniffing": {         "destOverride": [           "http",           "tls"         ],         "enabled": false       },       "tag": "socks"     },     {       "port": 10809,       "protocol": "http",       "settings": {         "userLevel": 8       },       "tag": "http"     }   ],   "log": {     "loglevel": "warning"   },   "outbounds": [     {       "mux": {         "enabled": false       },       "protocol": "vmess",       "settings": {         "vnext": [           {             "address": "SERVER_DOMAIN_HERE.ML",             "port": 443,             "users": [               {                 "alterId": 64,                 "id": "YOUR_UUID_CODE_HERE",                 "level": 8,                 "security": "none"               }             ]           }         ]       },       "streamSettings": {         "network": "ws",         "security": "tls",         "tlsSettings": {           "allowInsecure": true,           "serverName": "SERVER_DOMAIN_HERE.ML"         },         "wsSettings": {           "headers": {             "Host": "SERVER_DOMAIN_HERE.ML"           },           "path": "/"         }       },       "tag": "proxy"     },     {       "protocol": "freedom",       "settings": {},       "tag": "direct"     },     {       "protocol": "blackhole",       "settings": {         "response": {           "type": "http"         }       },       "tag": "block"     }   ],   "policy": {     "levels": {       "8": {         "connIdle": 300,         "downlinkOnly": 1,         "handshake": 4,         "uplinkOnly": 1       }     },     "system": {       "statsOutboundUplink": true,       "statsOutboundDownlink": true     }   },   "routing": {     "domainStrategy": "IPIfNonMatch",     "rules": []   },   "stats": {} }