EQVPS

Your own VLESS/Xray server on a VPS (when WireGuard gets blocked)

Jul 6, 2026 · 4 min read · EQVPS Team

WireGuard is the right answer most of the time: it's fast, simple, and genuinely secure. This isn't a "WireGuard is bad" article — it's the honest next step for the one situation where WireGuard stops working. In some networks, deep packet inspection (DPI) recognizes the WireGuard protocol by its signature and blocks it outright. When that happens, no amount of config-tweaking helps, because the problem isn't your setup — it's that the traffic looks like a VPN. That's the problem VLESS+Reality solves.

The honest fork: WireGuard or Xray?

Decide this first, because the simpler tool is usually the right one:

If you're not being blocked, stop here and use WireGuard. The rest of this is for when you are.

Why this needs a dedicated IP

An Xray server accepts inbound connections — your client dials into it on port 443. That requires a public IP that's addressable and yours. A NAT plan shares one egress IP among customers and gives you no inbound endpoint, so it won't work here. You need a dedicated-IP plan — and since this is a traffic workload rather than a CPU one, the smallest one does the job: Nano-IP at $8/mo (1 vCPU / 1 GB) is plenty. Bigger plans buy you more throughput headroom, not a better tunnel.

Install Xray

Use the official installer — don't hunt for random builds:

bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install

Generate the two things a Reality config needs — a key pair and a UUID:

xray x25519          # prints a Private key and a Public key
xray uuid            # prints a UUID for the client

Keep the private key for the server config and the public key for the client link. Save both.

The server config, explained

Drop this into /usr/local/etc/xray/config.json, filling in your generated values:

{
  "inbounds": [{
    "listen": "0.0.0.0",
    "port": 443,
    "protocol": "vless",
    "settings": {
      "clients": [{ "id": "YOUR-UUID", "flow": "xtls-rprx-vision" }],
      "decryption": "none"
    },
    "streamSettings": {
      "network": "tcp",
      "security": "reality",
      "realitySettings": {
        "dest": "www.microsoft.com:443",
        "serverNames": ["www.microsoft.com"],
        "privateKey": "YOUR-PRIVATE-KEY",
        "shortIds": [""]
      }
    }
  }],
  "outbounds": [{ "protocol": "freedom" }]
}

What the key fields actually do:

Then enable it:

sudo systemctl enable --now xray
sudo systemctl status xray

Point an open-source client at the server — v2rayN, Hiddify, or any Xray-compatible app. The connection string encodes everything:

vless://YOUR-UUID@YOUR-SERVER-IP:443?type=tcp&security=reality&sni=www.microsoft.com&pbk=YOUR-PUBLIC-KEY&sid=&fp=chrome&flow=xtls-rprx-vision#my-server

The pieces: pbk is the public key, sni matches your serverNames, sid is the short ID (empty here), fp=chrome fakes a browser TLS fingerprint. Paste the link into the client and you're connected.

Honest limits

The bottom line

WireGuard first; Reality when WireGuard is blocked. VLESS+Reality on Xray hides your tunnel inside ordinary-looking TLS to a real site, which is exactly what defeats DPI — and it runs fine on the cheapest $8/mo dedicated-IP plan because it's traffic, not compute. Install via the official script, generate your keys, match dest/serverNames, and point an open-source client at it. Lock the box down first with the security checklist, and keep expectations honest: it beats DPI, it doesn't make you invisible.

FAQ

How is VLESS+Reality different from WireGuard?

WireGuard is a genuine VPN and it's excellent — but its protocol has a recognizable signature, so deep packet inspection (DPI) can detect and block it. VLESS+Reality takes a different approach: it disguises your traffic as an ordinary TLS connection to a real, existing website, so on the wire there's nothing that looks like a VPN to block. If WireGuard works where you are, use it — it's simpler. Reach for Reality when WireGuard gets blocked.

Why do I need a dedicated IP for an Xray server?

Because it accepts inbound connections. Your client connects to the server on port 443, and that requires a public IP that's yours — a NAT plan shares one egress IP and doesn't give you an addressable inbound endpoint. A dedicated-IP plan does. The good news: it's a traffic workload, not CPU, so the cheapest dedicated-IP plan ($8/mo Nano-IP) is enough.

How many people can use one Xray server?

Realistically one to a handful. It's built as your own private endpoint, not a public service. You can add multiple client IDs, but throughput is shared and one small VPS isn't meant to be a public VPN for strangers — that also invites abuse that violates the AUP.

Will my provider see what I'm doing?

The provider sees that traffic flows to and from your server — the volume and timing — but not the contents of your tunneled traffic. Reality's disguise is aimed at the network path to you (DPI), not at the host. As always, it's pseudonymity, not invisibility.

← Back to blogSee plans & pricing →