Proxy Node Deployment: The Ultimate No.1 Guide for Stable and Fast International Access

This article is a comprehensive guide designed to help users build their own overseas proxy nodes, enabling stable access to the open internet and improved speed when visiting international websites. It covers topics such as server selection, protocol comparisons (including VLESS, Reality, XTLS, etc.), domain name configuration, security strategies, and real-world deployment examples. It is…

A Virtual Private Network (VPN) began as a narrowly scoped technology for secure private communication within an enterprise or team. In broader usage, it has become a tool widely used by the public to circumvent the Great Firewall (GFW).

1. Proxy Node Resource Preparation

1.1 Required Resources

  • Overseas VPS: CentOS / Ubuntu
  • Domain Name: Purchased a 10-year domain for ¥50 (6-digit .xyz domain)
  • Cloudflare (private DNS platform): offers a free 15-year SSL certificate

In theory, an SSL certificate is not absolutely necessary. However, disguising HTTP traffic without encryption is easily detected by firewalls, which can lead to IP blocking. Using Cloudflare-issued certificates to encrypt traffic helps avoid such issues and ensures secure and smooth communication.

1.2 Choosing the Right Technical Scheme

Refer to the pros and cons of the following protocols:

Feature | VLESS+Reality+TLS | VLESS+WS+TLS | VMESS+WS+TLS
Anti-censorship | Very strong (no SNI required) | Medium (WS can be identified) | Average (VMess is listed)
Obfuscation | Very strong | Strong | Average
Performance | Very strong (pure TCP) | Average (multiple layers) | Average
Client Compatibility | Shadowrocket not supported | All mainstream clients | All mainstream clients

This article introduces three encapsulation methods.

1.3 Choosing the Right Server-Side Tool

Server | sing-box | v2ray
Advantages | High stealth, low resource usage | Many tutorials, good compatibility, easy to use
Disadvantages | Poor GUI compatibility, less documentation | Project abandoned, high resource usage

2. Environment Preparation

VMess protocol authentication depends on time, so make sure there’s no significant time difference between client and server.

2.1 Synchronize VPS Time

Linux reads time from CMOS at boot. To maintain consistency, Linux periodically writes system time back to CMOS (about every 11 minutes).

# Check current time zone
date -R

# Method 1 to change timezone (interactive)
tzselect
# At the prompts, choose in order: Asia -> China -> Beijing -> Yes

# Method 2
timedatectl list-timezones | grep Shanghai
timedatectl set-timezone Asia/Shanghai
date -R

# Write system time to the hardware clock (CMOS)
hwclock -w

2.2 Enable BBR

vim /etc/sysctl.conf

net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr

sysctl -p

2.3 Verify BBR is Enabled

sysctl net.ipv4.tcp_congestion_control
# Expected output:
net.ipv4.tcp_congestion_control = bbr

lsmod | grep bbr
# Expected output:
tcp_bbr

2.4 Error When Enabling BBR

If you get the error:

sysctl: setting key "net.ipv4.tcp_congestion_control": No such file or directory

Then:

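# Download over verified TLS; do not disable certificate checking for a script that will run as root
wget -N "https://raw.githubusercontent.com/chiakge/Linux-NetSpeed/master/tcp.sh"
# Read tcp.sh before running it: it replaces the kernel
chmod +x tcp.sh
./tcp.sh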

Follow the script to install the BBRPlus kernel and enable acceleration.


3. Proxy Node Services

3.1 Sing-Box + VLESS + WS + TLS

3.2 Sing-Box + VLESS + WS + TLS

3.3 V2Ray + VMess + WS + TLS

3.3.1 Download Server

curl -O https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh
bash install-release.sh --version v4.34.0

3.3.2 Modify Configuration

vim /usr/local/etc/v2ray/config.json

Make Sure to Configure the Following Parameters Correctly

  • path
  • network
  • protocol
  • port
  • alterId
  • id

    "inbounds": [
        {
            "streamSettings": {
                "wsSettings": {
                    "path": "/ray"
                },
                "network": "ws", 
                "tcpSettings": {
                    "header": {
                        "type": "http",
                        "response": {
                            "status": "200",
                            "headers": {
                                "Transfer-Encoding": [
                                    "chunked"
                                ],
                                "Connection": [
                                    "keep-alive"
                                ],
                                "Content-Type": [
                                    "application/octet-stream",
                                    "application/x-msdownload",
                                    "text/html",
                                    "application/x-shockwave-flash"
                                ],
                                "Pragma": "no-cache"
                            },
                            "reason": "OK",
                            "version": "1.1"
                        }
                    }
                }
            },
            "protocol": "vmess",
            "port": 21001,
            "listen":"127.0.0.1",
            "settings": {
                "clients": [
                    {
                        "alterId": 64,
                        "level": 0,
                        "email": "1000",
                        "id": "eca32fc9-6688-8888-6666-1830996ae393"
                    }
                ]
            }
        },
        {
            "tag": "api",
            "settings": {
                "address": "127.0.0.1"
            },
            "protocol": "dokodemo-door",
            "port": 5001,
            "listen": "127.0.0.1"
        }
    ]

3.3.3 Nginx Reverse Proxy

Sample nginx config: LNMP Installation

Nginx Download: Nginx

server {
    listen 443 ssl;
    server_name your_domain;

    ssl_certificate     /your_path/nginx/cert/public.pem;
    ssl_certificate_key /your_path/nginx/cert/private.key;

    ssl_session_cache   shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # Forward the WebSocket path to the local V2Ray inbound (127.0.0.1:21001)
    location /ray {
        proxy_redirect off;
        proxy_intercept_errors on;
        error_page 400 = your_domain;
        proxy_pass http://127.0.0.1:21001;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

3.3.4 Subscription Configuration

3.3.4.1 V2rayN (JSON Format)

A V2rayN share link carries the VMess client settings as Base64-encoded JSON.

Prepare JSON config:

{"v": "2","ps": "vpnV2","add": "your_domain","port": "443","id": "eca32fc9-6688-8888-6666-1830996ae393","aid": "64","net": "ws","type": "none","path": "/ray","tls": "tls"}

Base64 encode the JSON (no line breaks). Then:

echo 'vmess://<Base64 string>' > v2ray
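
The share-link step above as an added Python example (not part of the original article): it builds the vmess:// link from the same JSON fields, decodes it back, and audits the result. The function names are hypothetical, and flagging a non-zero aid assumes V2Ray's AEAD header authentication, which is used when alterId is 0.

```python
import base64
import json
import uuid

# UUID printed in this guide's sample configs; every reader of the page knows it.
PUBLISHED_SAMPLE_ID = "eca32fc9-6688-8888-6666-1830996ae393"


def build_vmess_link(host, client_id, path="/ray", port=443, alter_id=0, name="vpnV2"):
    """Return the vmess:// share link for the V2rayN JSON layout shown above."""
    cfg = {"v": "2", "ps": name, "add": host, "port": str(port),
           "id": client_id, "aid": str(alter_id), "net": "ws",
           "type": "none", "path": path, "tls": "tls"}
    raw = json.dumps(cfg, separators=(",", ":")).encode()
    # b64encode emits a single line, matching the "no line breaks" requirement.
    return "vmess://" + base64.b64encode(raw).decode("ascii")


def decode_vmess_link(link):
    """Recover the JSON from a share link; Base64 is an encoding, not encryption."""
    if not link.startswith("vmess://"):
        raise ValueError("not a vmess:// link")
    body = "".join(link[len("vmess://"):].split())  # tolerate wrapped lines
    body += "=" * (-len(body) % 4)                   # tolerate stripped padding
    return json.loads(base64.b64decode(body))


def audit_vmess_link(link):
    """Return a list of findings for one share link (empty list: nothing flagged)."""
    cfg = decode_vmess_link(link)
    client_id = str(cfg.get("id", ""))
    findings = []
    if client_id.lower() == PUBLISHED_SAMPLE_ID:
        findings.append("id is the UUID published in the guide; generate a private one")
    try:
        uuid.UUID(client_id)
    except ValueError:
        findings.append("id is not a well-formed UUID")
    if cfg.get("tls") != "tls":
        findings.append("tls is not enabled for the WebSocket transport")
    if int(cfg.get("aid", 0) or 0) > 0:
        findings.append("aid > 0 selects legacy (non-AEAD) VMess authentication")
    return findings


if __name__ == "__main__":
    fresh = build_vmess_link("your_domain", str(uuid.uuid4()))
    copied = build_vmess_link("your_domain", PUBLISHED_SAMPLE_ID, alter_id=64)
    for label, link in (("fresh", fresh), ("copied from guide", copied)):
        print(label, audit_vmess_link(link) or "no findings")
```

Because the link is only Base64, anyone who can fetch the subscription file recovers the id, so the URL that serves it should be treated as a credential.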

3.3.4.2 Clash (YAML Format)

Clash uses a YAML file:

proxies:
  - name: "YAML"
    type: vmess
    server: your_domain
    port: 443
    uuid: eca32fc9-6688-8888-6666-1830996ae393
    alterId: 64
    cipher: auto
    tls: true
    skip-cert-verify: false
    network: ws
    ws-opts:
      path: "/ray"

proxy-groups:
  - name: "Auto Select"
    type: url-test
    proxies: ["YAML"]
    url: "http://www.gstatic.com/generate_204"
    interval: 300

rules:
  - DOMAIN-SUFFIX,google.com,Auto Select
  - GEOIP,CN,DIRECT
  - MATCH,Auto Select

Save the file as clash.

3.3.4.3 Unified Subscription File

mkdir -p /your_path/nginx/proxy
mv v2ray clash /your_path/nginx/proxy

3.3.4.4 Complete Nginx Configuration

Add the following inside the server block:

location /config1 {
    alias /your_path/nginx/proxy/v2ray;
    default_type text/plain;
}
location /config2 {
    alias /your_path/nginx/proxy/clash;
    default_type text/plain;
}

3.3.4.5 Testing

Visit:

https://your_domain/config1
https://your_domain/config2

If correct info is returned, the config was successful.