English

Русский
Deutsch

English

Русский
Deutsch

Appearance

Xray. How the service works

The Xray module in the BeAdmin panel runs a VPN that, to a network operator's equipment, looks like ordinary HTTPS traffic to a popular public website. It uses the VLESS protocol with the REALITY extension — REALITY makes the server's first "hello" indistinguishable from a real visit to a major site. It is the right fit for hostile networks where even handshake masking (as in Amnezia) is no longer enough.

The problem Xray solves

Modern censorship systems can do a great deal more than look at the signature of the first packet. Beyond passive DPI they also run active probing — the equipment itself reaches out to suspicious servers and checks whether they behave the way the claimed site would. WireGuard gives itself away here (it stays silent on unknown traffic); even masked AmneziaWG, in the most aggressive networks, can eventually be flagged.

Xray with REALITY tackles the problem from the opposite side: instead of hiding the VPN under random noise, it makes the first connection look like an ordinary visit to a popular HTTPS site. Anyone looking from outside — including a censor's active probe — sees a "normal" HTTPS counterpart, not a "strange unknown server".

How Xray masks the traffic

The masking rests on three things, all of them serving a single idea — to look like an ordinary website.

A borrowed TLS handshake. When a client connects, the server exchanges with it the TLS certificates of a real major website: to an observer it looks as though the client simply opened that website. No self‑signed certificates, no strange domains — a genuine public site.

A secret key flips the connection into a VPN. Only after the client has presented the server's public key does the connection "turn inwards" into the VPN channel. Anyone without that key continues to see a "regular visit to the website" all the way through and never gets access to the VPN.

Protection against active probing. If a random outsider knocks on the server (for instance, a censor's probe), it gets a perfectly genuine handshake to that same major website. Censorship equipment cannot tell whether it is a VPN server or a mirror of a well‑known resource.

The masking target, the keys, the connection identifiers, and the user UUIDs are picked by the panel for you on install — there is nothing to configure by hand.

One parameter is worth keeping within reach, though — the masquerade domain, the very public site your traffic is masked as ordinary HTTPS visits to. Sites that are "safe" to mask as go stale over time: what passes freely today comes under DPI scrutiny tomorrow (that's what happened to www.microsoft.com, which the panel offered as the default for a long while). So the domain can be changed right in the module settings, without reinstalling it — if connecting over the current domain has stopped working, switch to another one. More on this — in Xray. Managing the module.

Cascade: two installs in a chain

Traffic usually goes device → Xray server → internet, and to the rest of the world the egress IP is your server's IP. Sometimes even a well-masked single server stops working: its REALITY handshake is already recognized by DPI, or its IP has become unreachable. For that case Xray has a multi-hop mode — a chain of two independent BeAdmin installs: device → entry hop → exit hop → internet.

The entry hop looks to the provider like an ordinary REALITY server, while the traffic reaches the internet from the exit hop's IP — on another server, in another network. This splits apart "the point the provider sees" and "the point the internet sees": even if the entry becomes unreachable, the egress address stays out of the way.

This is a separate scenario with its own setup — how to assemble a chain from two servers is described in Xray. Multi-hop mode.

What Xray cannot do

It is worth naming what Xray does not promise — common expectations this protocol does not actually cover.

  • Does not work with ordinary VPN clients. A dedicated app with Xray support is required — Hiddify, Streisand, v2box, and similar. A familiar WireGuard client or the built‑in iOS/Android VPN client will not do.
  • Does not add extra encryption. The traffic is protected by modern cryptography in the same way as ordinary HTTPS — Xray does not layer a second pass of encryption on top.
  • Not Tor or anonymity routing. The masking hides the VPN from the ISP and censorship equipment, but the destination server still sees your server's IP (and in multi-hop mode — the exit hop's IP). Multi-hop adds exactly one intermediate hop to change the egress IP, not a chain of anonymizing relays like Tor.
  • Not magic against every form of censorship. Protection against active probing is strong, but not absolute: a determined adversary can, over time, statistically narrow down the list of suspicious "mirrors". Xray raises the bar significantly, but does not make a tunnel fundamentally undetectable.
  • Does not make VPN legal. If VPN usage is restricted or prohibited in your jurisdiction, masking as HTTPS does not change that. This is a technical tool, not a legal workaround.

Xray in BeAdmin

The Xray module in BeAdmin installs with almost no setup: on install the panel asks only for the port (default 8443) and picks the rest of the masking parameters itself — it chooses the major public website the server "greets" the traffic as, and generates the keys and connection identifiers. There is no need to edit configuration files or work in the command line. The port and the masquerade domain can be changed later, right in the module settings.

Once installed, you can add users straight away. For each user the panel produces a ready connection link and a QR code — the client scans the QR from an app with Xray support (Hiddify, Streisand, v2box, NapsternetV, ClashX, and the like — each operating system has its own selection). No parameters need to be moved manually from the server to the device.

What the server needs: a regular VPS or a physical machine. On container‑based servers (LXC, OpenVZ without full virtualisation) the module will not start — full access to the network stack is required. Modern Ubuntu and Debian are supported.

When to choose Xray

Choose Xray when:

  • Your users connect from networks with active censorship, where the equipment itself probes suspicious servers — plain WireGuard and even Amnezia can no longer get through there.
  • The network only lets TCP through on port 443 (a typical corporate proxy or hotel Wi‑Fi). Xray runs over the ordinary HTTPS port.
  • Your users are willing to install a dedicated app (Hiddify, Streisand, v2box) — Xray does not work with built‑in WireGuard clients.

Xray is not a good fit when:

  • Your users are used to native WireGuard clients and will not install an extra app. Pick WireGuard or Amnezia instead.
  • There is no active censorship in the network. Xray's masking is overkill there — WireGuard is simpler and lighter for the client.

If in doubt — install Xray in BeAdmin and try it for free.

If you don't have a server yet, you can get one from our partners — they offer virtual and dedicated servers with the BeAdmin panel pre‑installed.

Proven over 15 years in hosting. Your VPS with BeAdmin is ready to go out of the box.

  • Germany
  • Netherlands
  • Sweden
  • Switzerland
  • Spain
  • USA
Select server

European reliability made simple. Launch BeAdmin with your VPS in just one click.

  • Germany
  • Netherlands
  • Sweden
  • Estonia
  • Romania
  • Switzerland
  • Spain
  • United Kingdom
  • USA
Sign up

What's next

BeAdmin © 2025. All rights reserved.