How to configure whitelist bypass in 3x-ui using vless+xray?
Recently, mobile internet blocking through whitelisted sites has started. I’m wondering if there are simple methods to mask traffic to appear as if it’s going through whitelisted sites to ensure internet connectivity works under jamming conditions. I suspect that the solution might be related to using the SNI of whitelisted sites, but I don’t fully understand the domain resolution mechanism when working with jammers.
3x-ui with VLESS+Xray can be configured to bypass whitelists using the REALITY protocol and SNI spoofing to allowed domains. The main method involves using the xtls-rprx-vision flow with whitelisted domains specified as destination and serverNames, which masks your traffic as regular HTTPS traffic to allowed sites.
Table of Contents
- Bypassing Whitelists: Basics and Principles
- Technical SNI Spoofing Mechanism
- Step-by-Step Setup of 3x-ui with VLESS+REALITY
- Optimal Whitelisted Domains for SNI
- Testing and Troubleshooting
- Additional Bypass Methods
- Security and Recommendations
Bypassing Whitelists: Basics and Principles
A whitelist is an internet censorship mechanism where access is only permitted to specific domains and websites. Under mobile internet blocking conditions, providers use SNI (Server Name Indication) in TLS handshakes to determine the traffic destination. If the SNI matches a domain from the whitelist, the traffic is allowed through; otherwise, it’s blocked.
The bypass principle is based on masking your proxy traffic as traffic to whitelisted domains. When you use VLESS with REALITY and proper SNI configuration, your traffic appears as a regular HTTPS connection to an allowed site, enabling you to bypass blocks.
Important: REALITY is an advanced protocol specifically designed to bypass SNI filtering, which uses cryptographic mechanisms to evade active traffic analysis.
Technical SNI Spoofing Mechanism
SNI spoofing works by replacing the server name in the TLS handshake with an allowed domain. When your client connects to the server via VLESS+REALITY, it sends the SNI specified in the configuration instead of the actual name of your proxy server.
The process works as follows:
- The client sends a TLS ClientHello with a spoofed SNI (whitelisted domain)
- The REALITY server accepts the connection and encrypts the traffic
- The traffic appears as a regular HTTPS connection to the specified domain
- The blocking system sees the allowed SNI and allows the traffic through
Key configuration parameters:
dest: Target domain and port (e.g.,www.google-analytics.com:443)serverNames: Array of allowed SNI (usually the same domain)flow:xtls-rprx-visionfor maximum protection against analysis
Step-by-Step Setup of 3x-ui with VLESS+REALITY
Step 1: Install 3x-ui
bash <(curl -Ls https://raw.githubusercontent.com/mhsanaei/3x-ui/master/install.sh)
After installation, access the panel at https://your_IP:54321 with the login and password specified during installation.
Step 2: Create an Inbound
- Log in to the 3x-ui panel
- Go to “Inbounds” → “Add”
- Fill in the parameters:
- Listen:
0.0.0.0 - Port:
443(or another allowed port) - Protocol:
vless - Settings:
- Clients: Add a new client with UUID
- Decryption:
none
- Stream Settings:
- Network:
tcp - Security:
reality - Reality Settings:
- show:
false - dest:
whitelisted_domain.com:443 - xver:
0 - serverNames:
["whitelisted_domain.com"] - privateKey: Your generated private key
- show:
- Network:
- Listen:
Step 3: Configure Routing
Add routing rules to block unwanted traffic:
{
"log": {
"loglevel": "warning"
},
"routing": {
"domainStrategy": "IPIfNonMatch",
"rules": [
{
"type": "field",
"domain": ["geosite:category-ads-all"],
"outboundTag": "block"
},
{
"type": "field",
"ip": ["geoip:cn"],
"outboundTag": "block"
}
]
}
}
Step 4: Client Configuration
Configure your client application (e.g., V2RayN, v2RayTun) with parameters:
- Address: Your server IP address
- Port: 443
- ID: Client UUID
- Flow:
xtls-rprx-vision - Host: whitelisted_domain.com
- TLS:
true, SNI:whitelisted_domain.com
Optimal Whitelisted Domains for SNI
Not all domains are equally effective for SNI spoofing. Optimal options:
Recommended domains:
www.google-analytics.comwww.google.comwww.microsoft.comwww.amazon.comwww.cloudflare.comwww.facebook.comwww.twitter.com
Domain selection criteria:
- High frequency of use: Domains that are actively used in the region
- SSL certificate: Domains with valid SSL certificates
- Stability: Domains that rarely change IP addresses
- Low blocking: Domains that are not blocked by providers
Tip: Regularly update your whitelisted domains list, as some providers may start blocking popular domains for spoofing.
Testing and Troubleshooting
Basic tests to verify operation:
-
Connection test:
bashcurl -v --resolve whitelisted_domain.com:443:your_IP https://whitelisted_domain.com
-
Log analysis:
- In 3x-ui: “Logs” → “Xray Logs”
- Look for TLS or REALITY errors
-
SNI verification:
Use tools likeWiresharkto analyze TLS handshakes
Common issues and solutions:
| Issue | Possible solution |
|---|---|
| Connection doesn’t establish | Check your private key and serverNames |
| Traffic is blocked | Try a different whitelisted domain |
| Slow speed | Ensure port 443 is not overloaded |
| TLS errors | Verify that dest and serverNames match |
Additional Bypass Methods
1. Fallback configuration
Set up fallback to disguise as regular web traffic:
{
"inbounds": [
{
"listen": "0.0.0.0",
"port": 443,
"protocol": "vless",
"settings": {
"clients": [...],
"decryption": "none"
},
"streamSettings": {
"network": "tcp",
"security": "reality",
"realitySettings": {
"show": false,
"dest": "whitelisted_domain.com:443",
"xver": 0,
"serverNames": ["whitelisted_domain.com"]
}
},
"sniff": true
}
]
}
2. Hybrid configurations
Use a combination of VLESS+WebSocket or HTTP/2 for additional disguise:
{
"inbounds": [
{
"listen": "0.0.0.0",
"port": 443,
"protocol": "vless",
"streamSettings": {
"network": "ws",
"wsSettings": {
"path": "/whitelisted-path"
}
}
}
]
}
3. CDN proxy
Set up proxying through CDN for additional anonymity:
location / {
proxy_pass http://localhost:443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
Security and Recommendations
Basic security measures:
- Regular updates: Keep 3x-ui and Xray-core updated
- Monitoring: Set up traffic usage monitoring
- Access restriction: Use IP whitelists
- Encryption: Always use REALITY or other secure protocols
Recommended practices:
- Use unique UUIDs for each client
- Regularly change ports and domains for SNI
- Set up traffic and usage time limits
- Enable logging to monitor suspicious activities
Important: Always check the legality of using such methods in your region. Some countries have strict laws regarding internet censorship bypass.
Sources
- GitHub - MHSanaei/3x-ui: Xray panel supporting multi-protocol multi-user
- GitHub - hxehex/russia-mobile-internet-whitelist: a list of domains that remain accessible in russia during mobile internet throttling
- How does XTLS REALITY break through the whitelist? REALITY source code analysis - ObjShadow’s Blog
- SNI fallback | Project X
- ExtraVM XRay Core | VLESS+Reality Vision VPN - Alexander Goldcheidt
- VLESS + TCP + REALITY | XTLS/Xray-examples | DeepWiki
Conclusion
Setting up whitelist bypass in 3x-ui using VLESS+Xray requires proper REALITY configuration with whitelisted domains. The main steps include installing 3x-ui, configuring inbounds with correct REALITY parameters, and selecting optimal domains for SNI spoofing.
For successful operation:
- Always use up-to-date whitelisted domains
- Configure proper REALITY parameters (dest, serverNames, flow)
- Regularly test connections and analyze logs
- Maintain a balance between bypass effectiveness and security
With proper configuration, this method allows effective bypassing of mobile internet whitelists by masking traffic as regular HTTPS connections to allowed sites.