Since version 1.19, V2Ray introduced transport layer security (TLS) support. If you have not heard that before, you may want to Google it first. Otherwise, these articles are also good introductions:

Brief Intro to SSL/TLS protocol mechanism (opens new window)

(Wikipedia) Transport Layer Security (opens new window)

If you have already registered a domain name, you may skip this step. TLS requires a registered domain, either free or paid are available and usable, so feel free to use a free domain, while in general, a paid domain would be better than a free one. Let's just assume you know how to get a working domain. If not, just simply Google it. There are plenty of better and detailed tutorials out there.

Note that, you need to add an A record points to your server IP address, after you register domain.

The following configuration example will assume the registered domain is mydomian.me. Remember to replace it with your own ones.

TLS is a certificate authentication mechanism, so a certificate is required to enable TLS, and certificates could also be free or paid. In this document, a free certificate is used. The certificate authority is Let's Encrypt (opens new window). There are many ways to generate a certificate. The simpler method is used here: Using acme.sh (opens new window) bash script to generate a certificate. Some of instructions in this section are referred from acme.sh README (opens new window).

There are two types of certificates, one is the ECC certificate (the built-in public key is the ECDSA public key), and the other one is the RSA certificate (the built-in RSA public key). In other words, ECCs of the same length are more secure than RSA, which means that with the same security, the ECC key length is much shorter than RSA (so encryption and decryption will be faster). However, the ECC certificate have worse compatibility compared with the RSA certificate, and it is not supported by Android 4.x and Windows XP. As long as your devices are not unearthed artifacts, you are highly recommended to use an ECC certificate.

Here are methods of generating both type of certificate. You can choose one of them based on your situation.

The certificate generation process is only needed to do on your server-side.

By running the following commands, acme.sh will be installed into ~/.acme.sh.

After installation finished, run source ~/.bashrc to ensure the command is applied to your bash environment.

If errors prompted during installation, probably your system is missing components acme.sh needed, and it is highly possible to be netcat (nc). If so, you can use the following command to install it (Debian-like Distribution only):

To generate certificate, simply run the following command:

The following command will listen on port 80, so make sure it is not occupied by other processes.

-k stands for private key length，whose value can be ec-256 , ec-384, 2048, 3072, 4096, and 8192. Those with ec- prefix means you are generating an ECC certificate, others are RSA certificate. Speaking of security, 256-bit length ECC certificate has an equal security level of 3072-bit RSA certificate.

As the free Let's Encrypt certificate expires every 90 days, at least one renewal is required per 90 days. By default, acme.sh will set up an auto renewal which runs every 60 days. You can also renew certificates manually.

To manually renew an ECC certificate, run:

For RSA certificates, run:

** As we were generating certificates into /etc/v2ray folder, you also need to copy the renewed certificate into /etc/v2ray. **

Place certificate and private key into /etc/v2ray folder:

** NOTE: DO NOT expose or leak your private key (v2ray.key file as above) in ANY circumstances to ANY person. If unfortunately you leaked it, you can use acme.sh to revoke it, and generate a new certificate. Detailed instructions are documented in acme.sh's own tutorials. **

Usually, after doing the above steps, V2Ray client already can connect to the internet, which means the TLS configuration is working. However, with a reliable way to verify if it is enabled will make it more convinced.

There are many ways to validate the TLS, but an easy one is from Qualys SSL Labs's SSL Server Test (opens new window).

** NOTE: Qualys SSL Labs's SSL Server Test runs check on port 443, so you have to configure your server's inbound port to 443. **

Click Qualys SSL Labs's SSL Server Test (opens new window), then input your domain into Hostname; then click submit, after a while, you will able to see the result.

This is an overall scoring to your TLS/SSL configuration, Here I got A, which is nice enough and proves our TLS is working fine.

Here it is your certificate information. In this screenshot, we can see it is valid through Dec 27, 2016, to Mar 27, 2017, and the encryption method used is 256-bit ECC certificate, which is signed by Let's Encrypt. Most importantly, Trusted status is Yes, which means the certificate can be trusted.

** V2Ray is using a REAL TLS implementation rather than cloaking or obfuscation, that's why it needs domain and certificate. Also, the Websocket is REAL as well, which we'll talk about later. **

← HTTP Obfuscation WebSocket →