V2Ray WebSocket+TLS Mode Process of Connection and Troubleshooting

If you set up your VPN server correctly and used it normally for a period of time, but suddenly can't connect; or you can connect to your server normally, but your friend can't; then this troubleshooting guide could help you a lot.

This guide also introduces the process of connection.

The WebSocket+TLS configuration in V2Ray clients

v2rayNG (Left) and ShadowRocket (Middle) and v2rayN (Right)

V2Ray client parameter configuration comparison table

(Arrows point to the same parameters. I will use the index number in the following content to let you know which parameter I'm talking about.)

Connect to Server

1. Create TCP connection to Address(1):Port(2)

1.1 If the Address(1) is a domain, use DNS to resolve the domain to an IP address.

2. Build a VMess/VLESS packet

Attach ID(3). Also attach AlterID if the protocol is VMess.

3. Build an HTTPS packet based on the packet built in the last step, and send it

3.1 Attach Path(6) as the declared path for the packet

3.2 Encrypt via TLS(7)

3.3 Attach Host(5) as the declared destination of the packet

4. VPS receives the packet

* Depends on whether you use a CDN network or not

4.a Don't use CDN network

In Step 1, the Address(1) is the IP address of VPS.

Or the Address(1) is a domain that can be resolved to the IP address of VPS.

The packet will be sent to the IP address directly, and received by VPS.

4.b Use a CDN network

4.b.1 In Step 1, the Address(1) is the IP address of one server of the CDN network.

Or the Address(1) is a domain that can be resolved to the IP address of one server of the CDN network. Hopefully that server of the CDN network is the closest and fastest one to you.

The packet will be sent to Address(1) (one server of the CDN network).

4.b.2 After the packet arrives, the CDN network will send it to the correct VPS depending on the Host(5) attached to the packet.

5. VPS processes the packet

* What I describe below depends on how my scripts work. For other scripts, the process may not be the same.

5.1 caddy receives the packet and reverse proxies packets that have Path(6) to the internal port.

5.2 v2ray receives the packet from the internal port and authenticates it by ID(3), and also by AlterID if the protocol is VMess.

Troubleshooting

* Please read the content below alongside the connection process above.

1. Create TCP connection

1.1 Ping Address(1) from your client network

(for example, your PC, cellphone...)

Can the domain be resolved to the correct IP address?

Can the IP address be reached?

You can use iNetTools on iOS, IP Tools on Android.

1.2 Connect to Address(1):Port(2) from your client network

(Make sure caddy is running on your VPS)

You can use iNetTools on iOS, IP Tools on Android, tcping on PC.

1.3 Connect to Address(1):Port(2) from 3rd party sites

Use ping.pe (http://ping.pe/) to ping Address(1)

Use ping.pe to ping an IP address or domain

Use tcp.ping.pe (http://tcp.ping.pe/) to connect to Address(1):Port(2)

Use tcp.ping.pe to test IP Address : Port

If Address(1) is a domain and can't be resolved to a correct IP address, please check the DNS settings (maybe on Cloudflare).

If you can't ping the IP address, please send a support ticket to your VPS provider, or just delete your VPS and open another one if you can.

If you can't connect to Port(2), please check whether caddy is running. Also check whether a firewall on your VPS is blocking the connection. You can also send a support ticket to your VPS provider.

If the 3rd party site can ping Address(1) but you can't, please try using a CDN.

If you can't resolve the domain correctly, it should be a DNS problem. Please try changing your DNS server, editing the 'hosts' file, or simply using the correct IP address as Address(1).

4.b.1 The transmission of packet

If you can connect to Address(1):Port(2), but can't get the camouflage site via Host(5), the reason could be:

  • You should turn on the CDN setting.
  • GFW detected the Host(5) in the packet, and blocked it.

You can try visiting Host(5) from your VPS to confirm that.
(replace the hostname in the command below with your Host(5))

curl https://chacuoganzao.ipv6a.my.id/

A '</html>' at the end of the output means the site is served correctly. Otherwise, you should check the caddy service on your VPS.

Use curl to test a https web site

If the problem is Host(5), you can change to another domain or buy a new one.
A .xyz domain only costs $0.99 for the first year.
And you can use the 'crazypeace' coupon code to get a $1 discount on namesilo.com


If Address(1) is a domain, then you should get the camouflage site via Address(1) and get '400 Bad Request' via Address(1)/Path(6).

Use a web browser to test https://domain/path and get a 400 Bad Request result

If you get a DDOS protection page, that means Cloudflare considers your packet to be unusual traffic.

Cloudflare DDOS protection page

You should set the Cloudflare firewall to let traffic to Address(1)/Path(6) pass through.

Your Path(6) should be secret. You should not let it be visible to the public. It actually acts as a password, so its length and strength should be enough to resist a brute-force attack.

So, the traffic visiting Address(1)/Path(6) should only come from those who know it.
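The checks above can be run in one pass against your own server. The following is an added example, not part of the original post or of the author's scripts: `probe` and `interpret` are hypothetical names, and the script assumes Python 3 on the client machine. It connects to Address(1):Port(2), performs the TLS handshake with Host(5) as the server name (so it also works when Address(1) is a picked CDN IP), then requests '/' and Path(6) and reports the first step that fails.

```python
import socket, ssl, sys

def probe(address, port, host, path="/", timeout=5.0):
    """Walk steps 1-3 of the connection and return (stage, detail).
    stage is the first step that failed ('dns', 'tcp', 'tls') or 'http'."""
    try:  # step 1.1: resolve Address(1) if it is a domain
        ip = socket.getaddrinfo(address, port, type=socket.SOCK_STREAM)[0][4][0]
    except socket.gaierror as e:
        return ("dns", str(e))
    try:  # step 1: TCP connection to Address(1):Port(2)
        raw = socket.create_connection((ip, port), timeout=timeout)
    except OSError as e:
        return ("tcp", str(e))
    try:  # step 3.2: TLS(7), with Host(5) as SNI even if Address(1) differs
        tls = ssl.create_default_context().wrap_socket(raw, server_hostname=host)
    except OSError as e:  # ssl.SSLError and timeouts are OSError subclasses
        raw.close()
        return ("tls", str(e))
    with tls:  # steps 3.1 and 3.3: request the path and declare Host(5)
        req = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
        try:
            tls.sendall(req.encode())
            line = tls.makefile("rb").readline().decode("latin-1").strip()
        except OSError as e:
            return ("http", str(e))
    return ("http", line)

def interpret(stage, detail, is_secret_path):
    """Map a probe result to the troubleshooting advice in this guide."""
    if stage == "dns":
        return "DNS: check the domain's DNS settings, change DNS server, or use the IP as Address(1)"
    if stage == "tcp":
        return "TCP: check that caddy is running and no firewall blocks Port(2)"
    if stage == "tls":
        return "TLS/Host: check the CDN setting, or Host(5) may be blocked; curl it from the VPS"
    parts = detail.split()
    code = parts[1] if len(parts) > 1 else ""
    if is_secret_path:  # a plain GET on Path(6) should answer 400 Bad Request
        if code == "400":
            return "OK: 400 Bad Request on Path(6)"
        return f"Path(6): unexpected reply {detail!r}"
    return f"Site reply on '/': {detail}"

# Usage: python3 check.py <Address> <Port> <Host> <Path>
if __name__ == "__main__" and len(sys.argv) == 5:
    address, port, host, secret = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    for path, is_secret in (("/", False), (secret, True)):
        label = "<Path(6)>" if is_secret else path  # never echo the secret path
        print(label, "->", interpret(*probe(address, port, host, path), is_secret))
```

Run it from the client network and again from another network (or the VPS itself) to see which side of the path the failure is on.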

PS

In what situation are Address(1) and Host(5) not the same?

If you want to use a picked IP of the CDN network, you can set Address(1) to one of the servers of the CDN network. Host(5) remains your domain.

If your friend doesn't use the same v2ray client as you

Please note that after a configuration is transferred by QR code or v2ray link, some parameters may be changed in another v2ray client. You should double-check them.

If your friend is in another location

Please note that the picked IP of the CDN network that works for you may not suit your friend best.
