Building a Secure Tunnel: Argo Tunnel, Xray, WebSocket, and v2rayNG Setup Guide
This guide outlines the manual configuration of a robust and secure proxy solution using Cloudflare's Argo Tunnel, Xray with VLESS-WebSocket protocol, and v2rayNG for client connectivity. This setup provides a fixed domain, hides your VPS IP, and leverages Cloudflare's global CDN for accelerated and encrypted traffic.
Estimated Time: 30-60 minutes. Basic Linux command-line experience is recommended.
Why This Setup?
- Fixed Domain: Your subdomain (e.g.,
argo.yourdomain.com) remains constant, unaffected by restarts. - WebSocket Protocol: Standard WebSocket ensures seamless compatibility with Cloudflare CDN and Tunnel.
- Argo Tunnel: Conceals your VPS's true IP address, utilizes Cloudflare's global CDN for speed, and eliminates the need to open ports on your VPS.
- TLS Encryption: Cloudflare Edge provides end-to-end TLS encryption for enhanced security.
Prerequisites
Before you begin, ensure you have the following:
- VPS (Virtual Private Server):
- Recommended OS: Ubuntu 22.04 / 24.04 LTS.
- A "clean" IP address (not blocked or censored).
- Minimum specifications: 1 core CPU, 1GB RAM.
- Cloudflare Account and Domain:
- A free Cloudflare account is sufficient.
- Your domain must be added to Cloudflare, and its Name Servers (NS records) must be switched to Cloudflare's.
- Client Device:
- An Android phone with the latest v2rayNG app installed.
- Tools:
- An SSH client to connect to your VPS.
- A text editor (e.g.,
nano) for configuration files.
Technical Steps
Step 1: Cloudflare Dashboard - Create a Fixed Tunnel and Obtain Token
- Log in to your Cloudflare Dashboard.
- Navigate to Zero Trust → Networks → Tunnels.
- Click Create a tunnel.
- Select Cloudflared, provide a tunnel name (e.g.,
fixed-argo-ws), and click Save tunnel. - On the installation page, copy the Tunnel token (a long string starting with
eyJ...) and save it securely. - Click Next to configure the Public Hostname:
- Subdomain: Enter your desired subdomain (e.g.,
argo). - Domain: Select your domain from the dropdown.
- Type: Choose HTTP.
- URL: Enter
localhost:443.
- Subdomain: Enter your desired subdomain (e.g.,
- Click Save tunnel.
Step 2: VPS Setup - Install and Run Cloudflared
- Connect to your VPS via SSH. Update your system:
sudo apt update && sudo apt upgrade -y sudo apt install curl wget sudo -y - Install Cloudflared:
curl -L --output cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb sudo dpkg -i cloudflared.deb - Install and start the Cloudflared service using your saved Tunnel token:
sudo cloudflared service install YOUR_FULL_TOKEN_STRING sudo systemctl start cloudflared sudo systemctl enable cloudflared
Step 3: VPS Setup - Install and Configure Xray (VLESS + WebSocket)
- Install Xray:
bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install - Generate a UUID:
xray uuid - Edit the Xray configuration file:
Paste the following JSON configuration, replacingsudo nano /usr/local/etc/xray/config.jsonYOUR_UUIDwith the one you generated:{ "log": { "loglevel": "info" }, "inbounds": [ { "tag": "vless-ws", "listen": "127.0.0.1", "port": 443, "protocol": "vless", "settings": { "clients": [ { "id": "YOUR_UUID", "flow": "" } ], "decryption": "none" }, "streamSettings": { "network": "ws", "wsSettings": { "path": "/YOUR_UUID-vw" } }, "sniffing": { "enabled": true, "destOverride": [ "http", "tls", "quic" ], "metadataOnly": false } } ], "outbounds": [ { "protocol": "freedom", "settings": { "domainStrategy": "UseIPv4" } } ] } - Restart Xray:
sudo systemctl restart xray sudo systemctl enable xray - Enable BBR:
echo "net.core.default_qdisc=fq" | sudo tee -a /etc/sysctl.conf echo "net.ipv4.tcp_congestion_control=bbr" | sudo tee -a /etc/sysctl.conf sudo sysctl -p
Step 4: Configure v2rayNG Client
- Open v2rayNG and add a VLESS node manually.
- Fill in the following:
- Address: Your Cloudflare subdomain (e.g.,
argo.yourdomain.com). - Port:
443. - User ID: Your UUID.
- Transport Protocol:
ws. - Path:
/YOUR_UUID-vw. - Underlying Transport Security:
tls. - SNI: Your Cloudflare subdomain.
- Address: Your Cloudflare subdomain (e.g.,
- Save and connect.
Troubleshooting
- 502 Bad Gateway: Ensure Xray is running and listening on
127.0.0.1:443. - Tunnel Offline: Check
journalctl -u cloudflaredfor token or connection issues. - Slow Speed: Enable Argo Smart Routing in the Cloudflare dashboard.
Conclusion
This setup provides a highly secure and discreet method for establishing a proxy connection. The combination of a fixed domain, Argo Tunnel, and Xray with VLESS-WebSocket protocol offers excellent resilience against detection.
Stay safe and browse responsibly!
