Creating a Safe and Convenient Proxy/VPN Service

A_B

Perfect for bypassing restrictions, setting up a crypto-farm, and other activities.
Have you ever wanted an easy-to-use graphical interface that requires no manual configuration editing or risk of mistakes? Let’s not forget about the "subscription mechanism" that allows clients to automatically connect to new server lists with connection settings.
Take a service like AWS, offering 1/1 CPU/RAM, free for over a year. Such a setup can handle VPN connections for 10 to 50 users with a blazing-fast internet channel! The monthly subscription cost per user ranges from $3 to $15. Now imagine this setup working for 50 users over a whole year—the profit margins nearly match the revenue after covering advertising and website/bot expenses.

Installing and Using the 3X-UI Graphical Panel for the X-Ray Server

Supports everything X-Ray offers: Shadowsocks-2022, VLESS with XTLS, and more.

Why 3X-UI?
There are quite a few panels for V2Ray/XRay:
  • The original X-UI
  • Marzban
  • Libertea
3X-UI, a refined fork of the original X-UI, stands out as almost perfect:
  • Easy to install via Docker
  • Comes in English by default with an option to switch to Russian
  • Includes all essential features
  • Most importantly, it works!
While a few minor bugs exist, they are non-critical (more on those later).

Update: In late May, the creator of 3X-UI announced in their Telegram channel that they might stop working on the project. However, there’s an alternative: another fork of the original X-UI, also called X-UI, which functions similarly to 3X-UI and works flawlessly.


Installation

Official repositories:
Requirements:
  • A VPS with IPv4 (IPv6 is optional but helpful)
  • Debian or Ubuntu Linux (similar steps apply to other distributions)
  • Docker and docker-compose installed (if not, use apt install docker.io docker-compose).
  • Git installed.

Steps:

  1. Clone the source code. It’s best to use the latest stable version from the Releases section on GitHub.
For 3X-UI:
Code:
git clone https://github.com/MHSanaei/3x-ui.git
cd 3x-ui
git checkout v1.4.6

For X-UI:
Code:
git clone https://github.com/alireza0/x-ui.git
cd x-ui
git checkout 1.4.1

  2. Start the Docker container:
Code:
docker-compose up -d
  3. That’s it—you’re amazing! Seriously, the panel is installed and operational.

Configuration:

  • For 3X-UI, open your browser and navigate to:
    Replace yourserverip with your server’s IP or domain name if configured (note: use http://, not https://).
  • For X-UI, check the panel’s port using:
    Code:
    docker logs x-ui
Log in with the default credentials admin/admin, and you’ll see your beautiful control panel:

The First Steps
I recommend doing the following right after installation. Go to "Settings", and there:
  1. Change the default panel port (2053) to something else (ideally a high number near the end of the range, up to 65535).
  2. Change the root URL path of the panel from / to something like /mysecretpanelroot/.
  3. Optionally, switch the language to Russian (keep in mind that the Russian translation has a few inaccuracies that might be confusing).
  4. In the second tab, "Security Settings", change the default admin password to your own.
After making these changes, save the settings and restart the panel. Remember to adjust the URL to account for the new port and path specified in the settings.
All of the above is necessary to protect against script kiddies and random wannabe hackers who might stumble upon your panel during mass address scanning. Additional security tips will be provided at the end of the article.
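
A quick way to confirm the result of these changes, as an added example that is not part of the original post: it reads `ss -H -ltn` output and reports whether each panel port is bound to loopback, to every address, or to one specific address. The sample input is constructed; ports 54321 and 8443 are made-up values, and 192.88.99.1 is the address the article uses further down.

```shell
#!/bin/sh
# Added example (not from the original post): report how the panel port is bound.
# Input is `ss -H -ltn` output: State Recv-Q Send-Q Local-Address:Port Peer.

# Constructed sample; ports 54321 and 8443 are made-up panel ports.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 *:2053 *:*
LISTEN 0 4096 127.0.0.1:54321 0.0.0.0:*
LISTEN 0 4096 192.88.99.1:8443 0.0.0.0:*
LISTEN 0 4096 *:443 *:*'

# classify_bind ADDR -> loopback | wildcard | specific
classify_bind() {
    case "$1" in
        127.*|'[::1]')      echo loopback ;;
        0.0.0.0|'*'|'[::]') echo wildcard ;;
        *)                  echo specific ;;
    esac
}

# audit_listeners PORT... : reads ss output on stdin and prints one verdict
# per listening socket whose port is in the argument list.
audit_listeners() {
    ports=" $* "
    while read -r _state _recvq _sendq laddr _rest; do
        port=${laddr##*:}          # text after the last colon
        addr=${laddr%:*}           # everything before it, e.g. [::] or 127.0.0.1
        case "$ports" in *" $port "*) ;; *) continue ;; esac
        case "$(classify_bind "$addr")" in
            loopback) echo "OK $laddr reachable from this host only" ;;
            wildcard) echo "EXPOSED $laddr listens on every address" ;;
            *)        echo "CHECK $laddr confirm $addr is unreachable from outside" ;;
        esac
    done
    return 0
}

# Demo on the sample. On a live server: ss -H -ltn | audit_listeners 2053
printf '%s\n' "$SAMPLE_SS" | audit_listeners 2053 54321 8443
```

Port 443 is left out of the argument list on purpose, since the VLESS inbound is meant to be public; only the panel port should come back as anything other than EXPOSED.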


Creating Connections

Go to the Inbounds menu (in the Russian translation, for some reason, it’s called "Users," which is incorrect and misleading). Click on "Add Inbound" ("Добавить пользователя"):
A nice little window will pop up. Let’s start by enabling connections through Shadowsocks-2022.
  • "Remark" ("Примечание") – Enter anything you like; this is just a human-readable name.
  • "Protocol" – Select shadowsocks.
  • "Listening IP" – (Mistranslated as "Порт IP" in Russian, which is incorrect and confusing.) You can leave this field blank to listen on all IP addresses or specify a particular one if needed.
  • "Port" – The panel will assign a random port automatically.
Next, configure the user (one user is created by default when setting up an inbound; additional users can be added later if needed):
  • "Email" – This field doesn’t need to contain an actual email address; any text (like a username) will work. The panel generates a random string by default. If you’re creating multiple users (e.g., to distribute accounts to friends, monitor usage, and revoke access if necessary), it’s better to input something clear and descriptive here.
  • "Subscription" – For now, you can use the same username (I’ll explain subscriptions in more detail later).
Then, proceed to the protocol settings:
  • "Encryption" – Choose something that starts with "2022". The default option is a good choice.
  • "Password" (key) – The panel will automatically generate a password of the correct length for the selected encryption method.
Click "Create", and that’s it! Shadowsocks is configured and ready to use.
Now let’s move on to configuring VLESS with XTLS-Reality. While this setup is slightly more complex, it’s still fairly straightforward.
  • "Remark" ("Примечание") – Enter any name you like.
  • "Protocol" – Select vless.
  • "Listening IP" – (Mistranslated as "Порт IP" in Russian, though it’s actually an address.) Leave this field blank to listen on all IP addresses, or specify one manually if needed.
  • "Port" – Instead of a random port, set it to 443.
Configuring the Client

    • "Email" – As in the previous section, it’s best to enter something clear and descriptive.
      Important: Users from different connections cannot have the same email (e.g., the new VLESS and the Shadowsocks we created earlier). To avoid conflicts, consider adding a prefix, such as user1vl.
    • "Subscription" – Here, it’s better if the text matches what you entered for Shadowsocks (more details below).
      Note: Unlike 3X-UI, in X-UI the Subscription field is hidden by default. You’ll need to enable the subscription feature in the panel settings first.
    • "Flow" – Select "xtls-rprx-vision".
      Tip: The Flow field will only appear after you check the "Reality" box below. So, the best approach is to enable Reality first, then fill out the user settings.

Transport Settings

    • "Reality" – Must be enabled.
    • "XTLS" – Must be disabled.
      (This can be a bit confusing: although Reality is part of XTLS, in this context, XTLS refers to older protocol versions. In the panel, the "XTLS" and "Reality" options are mutually exclusive.)
    • "uTLS" – Defaults to "firefox", but I usually choose "chrome". It doesn’t make much difference, though make sure not to select "android" as it may cause client issues.
    • "Domain" – This is not an actual domain but the address for connecting to your server. You can leave it blank, and the panel will automatically use the IP or domain you use to access the server panel.
    • "ShortIds" – The panel will generate a random ID automatically.
    • "Public Key" and "Private Key" – Click "Get new keys" to have the panel generate these for you.
    • "Dest" and "Server names" – This is the domain you’ll use for masking. By default, the panel suggests masking as yahoo.com and www.yahoo.com, redirecting traffic to yahoo.com:443. However, it’s better to choose a different domain.
      Save the form, and that’s it! Configuration is complete.
      After this, the page will display something like this:
      If you click the "Menu" button for the desired protocol, you can:
      • Enable/disable the protocol.
      • Reset traffic counters.
      • Add users (including bulk generation of N accounts using a template).
      • Most importantly, by expanding the user list (with the "+" button), you can view the connection settings for each user, which can then be entered into their client applications.
      • By clicking on the QR code icon, the panel will display a QR code that can be scanned with mobile clients like v2rayNG or Nekobox on Android, or Wings X/FoXray or Shadowrocket on iOS.
      • By clicking on the information icon (with the letter "i"), you can view the settings for entering them into desktop clients, including the URL, which you can copy and paste.

        For desktop clients, I recommend Nekobox (available for Windows, Linux, and community builds for MacOS).

        You can also find the "subscription URL" there. This is a specially generated list of connections for clients. Remember when you specified "Subscription" while creating the user? When you query the subscription URL, the server will return the configuration list (servers, keys) for all connections with that ID in the subscription field. Many clients (including v2rayNG, v2rayN, Nekobox, and others) are capable of automatically downloading settings from such URLs or doing so on request, and adding them to their configuration. This means that if you’ve added new protocols or changed the configuration, users can easily fetch the new settings from your server.

        Note: Unlike 3X-UI, in X-UI, the Subscription field is hidden by default, and the subscription feature is disabled. You need to activate it in the panel settings.


Additional Settings

        In the panel menus, you can find many interesting features. For example, you can:
        • Restrict clients from downloading torrents (if your server’s bandwidth is limited or if there’s a traffic quota).
        • Add a domain filter to block ads.
        • Block access to adult websites...
          You can also block access through the server to IP addresses and domains of Iran, China, and Russia. This is useful if, for some reason, you’ve configured client access to Russian websites directly, and you want to block them on the server side to prevent accidentally accessing the Russian internet (Runet) through the server due to configuration errors.
Improvements and Bugs

          Bug

          A bug: it's impossible to create multiple inbounds with the same port but different listening IPs—the panel throws an error. Because of this, for example, you cannot implement the classic scheme where XTLS-Reality listens on port 443 on an IPv4 address, and VLESS+Websockets or VLESS+gRPC for CDN access (as a fallback) on an IPv6 address. Hopefully, the authors will fix this eventually.

          Improvements

          As for things that can be improved during configuration, by default, the panel listens on plain HTTP without encryption. There are a few options to resolve this:
          1. If you have a domain (even a free one from no-ip, freenom, dynu), you can install certbot from Let’s Encrypt, request a certificate for your domain, place it in the ./certs folder (inside the directory where you cloned 3x-ui), or create symlinks to it. Then, specify the path to the keys in the panel as /root/cert/privkey.pem and /root/cert/public.crt. Don’t forget to add a post-update hook to restart the container.
          2. Another option: change the listen IP in the panel settings to 127.0.0.1. This will make the panel inaccessible "from the outside," but you can still access it via SSH:
            Code:
            ssh -L 8080:localhost:2053 your_server_ip
            Then open http://localhost:8080 in your browser; the SSH connection forwards it to local port 2053 on your server, where your panel is listening.
          3. Third option: assign an additional "virtual" IP address to the server’s network interface. Add something like this in /etc/network/interfaces:
            Code:
            # bring the alias up at boot
            auto lo:1
            iface lo:1 inet static
            address 192.88.99.1
            network 192.88.99.0
            netmask 255.255.255.0
            Then, configure the panel to listen only on that IP. In this case, the panel will be inaccessible from the outside, but you can still access it via Shadowsocks/VLESS proxy using that address.
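
One way to write the post-update hook from option 1, as an added example rather than code from the post or from the 3X-UI project: a certbot deploy hook that copies the renewed key and chain into ./certs under the file names given above and restarts the container. The clone path /opt/3x-ui and the container name 3x-ui are assumptions; adjust both.

```shell
#!/bin/sh
# Added example of a certbot deploy hook. Save it as an executable file under
# /etc/letsencrypt/renewal-hooks/deploy/ so certbot runs it after each renewal.
# Assumptions (not from the page): clone path and container name below.
PANEL_DIR=${PANEL_DIR:-/opt/3x-ui}
CONTAINER=${CONTAINER:-3x-ui}

# install_renewed_cert LINEAGE_DIR CERT_DIR
# Copies the renewed key and chain under the names the panel is pointed at
# (privkey.pem and public.crt). Returns non-zero if anything is missing.
install_renewed_cert() {
    src=$1
    dst=$2
    [ -r "$src/privkey.pem" ] && [ -r "$src/fullchain.pem" ] || {
        echo "missing key or chain in $src" >&2
        return 1
    }
    mkdir -p "$dst" || return 1
    # Copy to temporary names, then rename, so the panel never reads a
    # half-written file. The private key stays readable by its owner only.
    install -m 600 "$src/privkey.pem"   "$dst/privkey.pem.new" &&
    install -m 644 "$src/fullchain.pem" "$dst/public.crt.new"  &&
    mv "$dst/privkey.pem.new" "$dst/privkey.pem" &&
    mv "$dst/public.crt.new"  "$dst/public.crt"
}

# certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/<domain>) for
# deploy hooks; outside certbot the variable is unset and nothing happens.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_renewed_cert "$RENEWED_LINEAGE" "$PANEL_DIR/certs" &&
    docker restart "$CONTAINER"
fi
```

Copying rather than symlinking keeps the files readable inside the container, where a link pointing into /etc/letsencrypt on the host would not resolve unless that directory is mounted too.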

Telegram

          And for a fun twist at the end, the panel can work as a Telegram bot!

          First, contact the BotFather and ask it to register a new bot:
          It will generate an API token for you. You need to insert this token into the panel settings and also specify your admin ID (which you can request from the bot userinfobot).

          After that, you can communicate with the panel via Telegram—view statistics, create backups of configurations, etc.

          You can sell by creating a simple website or directly in Telegram/Instagram—there are many variations. How to create funnels was covered in the drop-related supplement, but full training on advertising is a whole different story...

          Wishing everyone kindness, peace, and prosperity🙏
 