Install and configure vless with reality or TLS on your linux server by executing a single command!
TUIC and hysteria2 on sing-box is also supported!
This script:
- Installs docker with compose plugin in your server
- Generates docker-compose.yml and sing-box/xray configuration for vless protocol for reality and tls
- Generates docker-compose.yml and sing-box configuration for TUIC protocol with tls
- Generates docker-compose.yml and sing-box configuration for hysteria2 protocol with tls
- Create Cloudflare warp account and configure warp as outbound
- Generates client configuration string and QRcode
- Gets and renews valid certificate from Letsencrypt for TLS encryption
- Fine-tunes kernel tunables
- Is designed by taking security considerations into account to make the server undetectable
- Provides a Telegram bot to manage users from Telegram
Features:
- Generates client configuration string
- Generates client configuration QRcode
- You can choose between xray or sing-box core
- You can choose between reality or TLS security protocol
- You can use a Text-based user interface (TUI)
- You can create multiple user accounts
- You can regenerate configuration and keys
- You can change SNI domain
- You can change transport protocol (tcp, http, grpc, ws)
- You can change tunneling protocol (vless, TUIC, hysteria2)
- You can get valid TLS certificate with Letsencrypt
- You can block malware and adult contents
- Merges your custom advanced configuration
- Use Cloudflare WARP to hide your outbound traffic
- Supports Cloudflare warp+
- Install with a single command
- Telegram bot for user management
- Create backup from users and configuration
- Restore users and configuration from backup
Supported OS:
- Ubuntu 22.04
- Ubuntu 20.04
- Ubuntu 18.04
- Debian 11
- Debian 10
- CentOS Stream 9
- CentOS Stream 8
- CentOS 7
- Fedora 37
You can start using this script with default configuration by copy and paste the line below in terminal.
This command will configure sing-box
with reality
security protocol over tcp
transport protocol on port 443
for www.google.com
SNI domain by default:
bash <(curl -sL https://bit.ly/realityez)
or (if the above command dosen't work):
bash <(curl -sL https://raw.githubusercontent.com/aleskxyz/reality-ezpz/master/reality-ezpz.sh)
After a while you will get configuration string and QR code:
You can run TUI with -m
or --menu
option:
bash <(curl -sL https://bit.ly/realityez) -m
And then you will see management menu in your terminal:
You can also enable Telegram bot with --enable-tgbot
option and manage users from with your Telegram bot (More Info)
Help message of the script:
Usage: reality-ezpz.sh [-t|--transport=tcp|http|grpc|ws|tuic|hysteria2] [-d|--domain=<domain>] [--server=<server>] [--regenerate] [--default]
[-r|--restart] [--enable-safenet=true|false] [--port=<port>] [-c|--core=xray|sing-box]
[--enable-warp=true|false] [--warp-license=<license>] [--security=reality|letsencrypt|selfsigned] [-m|--menu] [--show-server-config]
[--add-user=<username>] [--lists-users] [--show-user=<username>] [--delete-user=<username>] [--backup] [--restore=<url|file>] [-u|--uninstall]
-t, --transport <tcp|http|grpc|ws|tuic|hysteria2> Transport protocol (tcp, http, grpc, ws, tuic, hysteria2, default: tcp)
-d, --domain <domain> Domain to use as SNI (default: www.google.com)
--server <server> IP address or domain name of server (Must be a valid domain if using ws)
--regenerate Regenerate public and private keys
--default Restore default configuration
-r --restart Restart services
-u, --uninstall Uninstall reality
--enable-safenet <true|false> Enable or disable safenet (blocking malware and adult content)
--port <port> Server port (default: 443)
--enable-warp <true|false> Enable or disable Cloudflare warp
--warp-license <warp-license> Add Cloudflare warp+ license
-c --core <sing-box|xray> Select core (xray, sing-box, default: sing-box)
--security <reality|letsencrypt|selfsigned> Select type of TLS encryption (reality, letsencrypt, selfsigned, default: reality)
-m --menu Show menu
--enable-tgbot <true|false> Enable Telegram bot for user management
--tgbot-token <token> Token of Telegram bot
--tgbot-admins <telegram-username> Usernames of telegram bot admins (Comma separated list of usernames without leading '@')
--show-server-config Print server configuration
--add-user <username> Add new user
--list-users List all users
--show-user <username> Shows the config and QR code of the user
--delete-user <username> Delete the user
--backup Backup users and configuration and upload it to keep.sh
--restore <url|file> Restore backup from URL or file
-h, --help Display this help message
- Android
- iOS
- Windows
- Windows, Linux, macOS
This script can configure the service with 3 types of security options:
- reality
- letsencrypt
- selfsigned
By default reality
is configured but you can change the security protocol with --security
option.
The letsencrypt
option will use Letsencrypt to get a valid certificate for you server. So you have to assign a valid domain or subdomain to your server with --server <domain>
option.
The selfsigned
option is same as letsencrypt
but the certificates are self-signed and you don't need to assign a domain or subdomain to your server.
CDN compatibility table:
Cloudflare | ArvanCloud | |
---|---|---|
reality | ❌ | ❌ |
selfsigned | ✔️ | ✔️ |
letsencrypt | ✔️ | ✔️ |
tcp | ❌ | ❌ |
http | ❌ | ✔️ |
grpc | ✔️ | ✔️ |
ws | ✔️ | ✔️ |
tuic | ❌ | ❌ |
hysteria2 | ❌ | ❌ |
- You need to enable
grpc
orwebsocket
in Cloudflare if you want to use the corresponding transport protocols. - You have to configure CDN provider to use HTTPS for connecting to your server.
- The
ws
transport protocol is not compatible withreality
security option. - The
tuic
tunneling protocol is not compatible withreality
security option. - The
tuic
tunneling protocol is only compatible withsing-box
core option. - The
hysteria2
tunneling protocol is not compatible withreality
security option. - The
hysteria2
tunneling protocol is only compatible withsing-box
core option. - Avoid using
tcp
transport protocol withletsencrypt
orselfsigned
security options. - Avoid using
selfsigned
security option. Get a domain and useletsencrypt
option. - Do not change the port to something other than
443
. - The
sing-box
core has better performance. - Using NekoBox for Android is recommended.
You can add, view and delete multiple user account with this script easily!
You can add additional user by using --add-user
option:
bash <(curl -sL https://bit.ly/realityez) --add-user user1
This command will create test1
as a new user.
Notice: Username can only contains A-Z, a-z and 0-9
You can view a list of all users by using --list-users
option:
bash <(curl -sL https://bit.ly/realityez) --list-users
You can get config string and QR code of the user for importing by using --show-user
option:
bash <(curl -sL https://bit.ly/realityez) --show-user user1
This command will print config string and QR code of user1
You can delete a user by using --delete-user
option:
bash <(curl -sL https://bit.ly/realityez) --delete-user user1
This command will delete user1
You can change script defaults by using different arguments.
Your configuration will be saved and restored in each execution. So You can run the script multiple time with out any problem.
Reality protocol will use the public certificate of SNI domain.
Default SNI domain is www.google.com
.
You can change it by using --domain
or -d
options:
bash <(curl -sL https://bit.ly/realityez) -d yahoo.com
Default transport protocol is tcp
.
You can change it by using --transport
or -t
options:
bash <(curl -sL https://bit.ly/realityez) -t http
Valid options are tcp
,http
, grpc
, ws
, tuic
and hysteria2
.
ws
is not compatible with reality protocol. You have to use letsencrypt
or selfsigned
with it.
tuic
is not compatible with reality protocol. You have to use letsencrypt
or selfsigned
with it.
tuic
is compatible with sing-box core only.
hysteria2
is not compatible with reality protocol. You have to use letsencrypt
or selfsigned
with it.
hysteria2
is compatible with sing-box core only.
You can block malware and adult contents by using --enable-safenet
option:
bash <(curl -sL https://bit.ly/realityez) --enable-safenet true
You can disable this feature with --enable-safenet false
option.
You can get the running configuration with --show-server-config
option:
bash <(curl -sL https://bit.ly/realityez) --show-server-config
You can regenerate keys by using --regenerate
option:
bash <(curl -sL https://bit.ly/realityez) --regenerate
All other configuration will be same as before.
You can restart the service by using -r
or --restart
options:
bash <(curl -sL https://bit.ly/realityez) -r
You can restore default configuration by using --default
option.
bash <(curl -sL https://bit.ly/realityez) --default
User account will not change with this option.
You can delete configuration and services by using --uninstall
or -u
options:
bash <(curl -sL https://bit.ly/realityez) -u
Notice: Do not change default port. This may block your IP!
Default port is 443
.
In case of using letsencrypt
security option, port 80
has to be available for Letsencrypt challenge.
You can change it by using --port
option:
bash <(curl -sL https://bit.ly/realityez) --port 8443
Default engine core is sing-box but you can also switch to xray by using --core
or -c
options:
bash <(curl -sL https://bit.ly/realityez) -c xray
Valid options are xray
and sing-box
.
You can create a backup from users and configuration and upload it to free.keep.sh by using --backup
option:
bash <(curl -sL https://bit.ly/realityez) --backup
This command will give you a URL to download you backup file. The URL is only valid for 24h.
You can restore a previously created backup file with --restore
option.
You need to give the path or URL of the backup file to restore:
bash <(curl -sL https://bit.ly/realityez) --restore /path/to/backup.tar.gz
or
bash <(curl -sL https://bit.ly/realityez) --restore "https://www.example.com/backup.tar.gz"
You can migrate users and configuration from one server to another by:
- Create backup in the old server and copy the URL of backup file
- Restore the URL of backup file in the new server
You can also use the TUI for changing the configuration of the service.
To access to TUI you can use -m
or --menu
options:
bash <(curl -sL https://bit.ly/realityez) -m
You can manage users with Telegram Bot.
You should get a Telegram bot token from @BotFather
Telegram account.
Then you can enable Telegram bot by using this command as an example:
bash <(curl -sL https://bit.ly/realityez) --enable-tgbot true --tgbot-token <telegram-bot-token> --tgbot-admins=<your-telegram-username>
In the command above you have to provide a comma separated list of Telegram usernames (without leading '@') which are authorized to use Telegram bot.
You can disable Telegram bot with this command:
bash <(curl -sL https://bit.ly/realityez) --enable-tgbot false
This script uses official Cloudflare WARP client for connecting to Cloudflare network and send all outbound traffic to Cloudflare server. So your servers address will be masked by Cloudflare IPs. This gives you a better web surffing experience due to less captcha challenges and also resolves some websites limitations on your servers IP.
You can enable Cloudflare WARP by using --enable-warp true
option. This script will create and register a free WAPR account and use it.
bash <(curl -sL https://bit.ly/realityez) --enable-warp true
Free account has traffic limitation and lower performance in comparison with WARP+ account which needs license.
You can either buy an WARP+ Unlimited license or get a free WARP+ license from this telegram bot: https://t.me/generatewarpplusbot
After getting a license from that telegram bot, you can use the license for your server with --warp-license
option:
bash <(curl -sL https://bit.ly/realityez) --warp-license aaaaaaaa-bbbbbbbb-cccccccc
You can use each warp+ license on 4 devices only.
You can disable Cloudflare WARP with --enable-warp false
:
bash <(curl -sL https://bit.ly/realityez) --enable-warp false
You can combine different options together.
We want to setup a server with these configurations:
grpc
transport protocolwww.wikipedia.org
as SNI domain- Block adult contents
- Enable Cloudflare WARP
- Set Cloudflare WARP+ license
So we need to execute this command:
bash <(curl -sL https://bit.ly/realityez) --transport=grpc --domain=www.wikipedia.com --enable-safenet=true --enable-warp=true --warp-license=26z9i0ld-WG0wy324-rA703nZ2
Use this feature only if you know exactly what you are doing!
You can override the configuration generated by the script and add your own custom configuration to it.
Write your custom configuration in one of these files based on the engine that you are using:
/opt/reality-ezpz/sing-box.patch
or
/opt/reality-ezpz/xray.patch
And run script to apply your changes.
For example if you want to increase the debug level of sing-box engine, you can create /opt/reality-ezpz/sing-box.patch
with this content:
{
"log": {
"level": "debug",
"timestamp": true
}
}