Stream

{
  "transport":"tcp",
  "transportSettings":{},
  "security":"none",
  "securitySettings":{}
}

transport: name of <transport>

transportSettings: settings of <transport>

security: name of <security>

It has to be one of the supported Security Protocols.

securitySettings: settings of <security>

socketSettings: SocketConfigObject

Supported Streams

  • TCP
  • WebSocket
  • mKCP
  • gRPC
  • QUIC
  • meek
  • httpupgrade
  • Hysteria2

TLS

  • Name: tls
  • Type: Security Protocol
  • ID: security.tls

serverName: string

The Server Name Indication (SNI) domain name for the TLS connection.

nextProtocol : [string]

The ALPN for TLS connections.

disableSystemRoot: true | false

Whether to disable trust in the system-level Certificate Authority store. When true, the system root CAs are not trusted.

pinnedPeerCertificateChainSha256 : [string]

Pinned Peer Certificate Chain SHA256 Hash. Should be represented in base64 format.

You can generate this value with ./v2ray tls certChainHash --cert <cert.pem> (v5.18.0+)

allowInsecureIfPinnedPeerCertificate : bool

This option allows TLS certificate verification to be turned off if pinnedPeerCertificateChainSha256 is set. If pinnedPeerCertificateChainSha256 is not set, this option is ignored.

certificate: [CertificateObject]

CertificateObject

usage : string

The purpose of the certificate.

  • "ENCIPHERMENT": The certificate is used for TLS authentication and encryption.
  • "AUTHORITY_VERIFY": The certificate is used to verify the remote TLS certificate. When using this option, the current certificate must be a CA certificate.
  • "AUTHORITY_VERIFY_CLIENT": The certificate is used to verify the remote TLS client certificate. When using this option, the current certificate must be a CA certificate.
  • "AUTHORITY_ISSUE": The certificate is used to issue other certificates. When using this option, the current certificate must be a CA certificate.

Certificate: string

The Certificate file in PEM format.

Key: string

The Certificate private key file in PEM format.

certificateFile: string

The path for the Certificate file.

keyFile: string

The path for the Certificate private key file.
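
A pre-deployment check for the TLS fields above, as an added example that is not part of the V2Fly documentation or code base: it flags pins that are not base64-encoded SHA-256 digests, an allowInsecureIfPinnedPeerCertificate that has no effect, and a configuration left without a trust anchor. The name audit_tls, the finding texts and the sample values are constructed for this example, and the rule that a disabled system root store needs an AUTHORITY_VERIFY certificate (or a pin with verification turned off) is an assumption of the example.

```python
import base64
import binascii
import hashlib

USAGES = {"ENCIPHERMENT", "AUTHORITY_VERIFY",
          "AUTHORITY_VERIFY_CLIENT", "AUTHORITY_ISSUE"}

def audit_tls(stream):
    """Return (level, message) findings for a Stream object with security "tls"."""
    findings = []
    if stream.get("security") != "tls":
        return findings
    tls = stream.get("securitySettings", {})
    pins = tls.get("pinnedPeerCertificateChainSha256", [])
    valid_pins = 0
    for pin in pins:
        try:
            raw = base64.b64decode(pin, validate=True)
        except (binascii.Error, ValueError):
            raw = b""
        if len(raw) == 32:  # a SHA-256 digest is always 32 bytes
            valid_pins += 1
        else:  # typical cause: the hash was pasted as hex instead of base64
            findings.append(("error", f"pin {pin!r} is not a base64 SHA-256 digest"))
    certs = tls.get("certificate", [])
    for cert in certs:
        if "usage" in cert and cert["usage"] not in USAGES:
            findings.append(("error", f"unknown certificate usage {cert['usage']!r}"))
    insecure = tls.get("allowInsecureIfPinnedPeerCertificate", False)
    if insecure and not pins:
        findings.append(("warn", "allowInsecureIfPinnedPeerCertificate is ignored: no pin set"))
    elif insecure:
        findings.append(("warn", "certificate verification is off: the pin is the only check"))
    has_ca = any(c.get("usage") == "AUTHORITY_VERIFY" for c in certs)
    # Assumption of this example: with system roots disabled, another anchor must exist.
    if tls.get("disableSystemRoot") and not has_ca and not (insecure and valid_pins):
        findings.append(("error", "no trust anchor: system roots disabled, no AUTHORITY_VERIFY CA"))
    return findings

# Constructed value: well-formed, but not the hash of any real certificate chain.
SAMPLE_PIN = base64.b64encode(hashlib.sha256(b"constructed sample").digest()).decode()

if __name__ == "__main__":
    stream = {"transport": "tcp", "security": "tls", "securitySettings": {
        "serverName": "proxy.example",  # placeholder name
        "disableSystemRoot": True,
        "pinnedPeerCertificateChainSha256": [hashlib.sha256(b"x").hexdigest()]}}
    for level, message in audit_tls(stream):
        print(level, message)
```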

uTLS

  • Name: utls
  • Type: Security Protocol
  • ID: security.utls

uTLS is a fork of TLS that tries to imitate the client hello fingerprint of popular TLS implementations in order to hide the client's identity as a Go language program. (v5.2.0+)

It only supports client mode, and only in certain transports. If you use it in a context where it is not supported, the process will crash.

uTLS is supported in the following transports:

  • TCP
  • WebSocket

When uTLS is used in some transports, the ALPN will be overridden so that the transport functions correctly. The resulting fingerprint may differ slightly from the one specified.

tlsConfig: TLSConfig

The embedded TLS setting for uTLS connections. Only some of its fields are effective.

Supported Fields:

  • Certificate Authority Settings (allowInsecure is ignored)

imitate: string

The TLS client fingerprint to use for the uTLS connection.

  • randomized
  • randomizedalpn
  • randomizednoalpn
  • firefox_auto
  • firefox_55
  • firefox_56
  • firefox_63
  • firefox_65
  • firefox_99
  • firefox_102
  • firefox_105
  • chrome_auto
  • chrome_58
  • chrome_62
  • chrome_70
  • chrome_72
  • chrome_83
  • chrome_87
  • chrome_96
  • chrome_100
  • chrome_102
  • ios_auto
  • ios_11_1
  • ios_12_1
  • ios_13
  • ios_14
  • android_11_okhttp
  • edge_auto
  • edge_85
  • edge_106
  • safari_auto
  • safari_16_0
  • 360_auto
  • 360_7_5
  • 360_11_0
  • qq_auto
  • qq_11_1

noSNI: bool

Do not send Server Name Indication in the client hello. This may result in a failed connection.

forceAlpn : "TRANSPORT_PREFERENCE_TAKE_PRIORITY" | "NO_ALPN" | "UTLS_PRESET"

Controls the data source for the Application-Layer Protocol Negotiation (ALPN) extension. You can use this setting to make the connection resemble the imitated program more closely. An incorrect setting will result in connection failure. (v5.3.0+)

  • TRANSPORT_PREFERENCE_TAKE_PRIORITY: Default value. If the user has set an ALPN in the TLS settings, that is used. Otherwise the default from the transport is used.
  • NO_ALPN : Do not send ALPN TLS extension.
  • UTLS_PRESET: Use value from uTLS template.

SocketConfigObject

{
    "mark": 0,
    "tcpFastOpen": false,
    "tcpFastOpenQueueLength": 4096,
    "tproxy": "off",
    "tcpKeepAliveInterval": 0,
    "bindToDevice": "eth0",
    "mptcp": false
}

mark: number

An integer. When its value is non-zero, SO_MARK is set on the outbound connection.

  • Only applicable to Linux systems.
  • Requires CAP_NET_ADMIN permission.

tcpFastOpen: true | false

Whether to enable TCP Fast Open. When its value is true, TFO is forcibly turned on; when its value is false, TFO is forcibly turned off; when this item does not exist, the system default setting is used. Can be used for inbound and outbound connections.

  • Only available in the following versions (or later versions) of the operating system:
    • Windows 10 (1604)
    • Mac OS 10.11 / iOS 9
    • Linux 3.16: Turned on by default by the system; no configuration is required.
    • FreeBSD 10.3

tcpFastOpenQueueLength: number

TCP Fast Open queue length for inbound connections. Default value is 4096. Only available in Linux.

tproxy: "redirect" | "tproxy" | "off"

Whether to enable transparent proxy (only for Linux).

  • "redirect": Transparent proxy using Redirect mode. Only TCP/IPv4 and UDP connections are supported.
  • "tproxy": Use TProxy mode transparent proxy. Supports TCP and UDP connections.
  • "off": Turn off the transparent proxy.

Transparent proxy requires root or the CAP_NET_ADMIN capability.

Tips

When followRedirect is specified in Dokodemo-door and sockopt.tproxy is empty, the value of sockopt.tproxy will be set to "redirect".
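
A preflight check for the CAP_NET_ADMIN requirement of mark and tproxy, as an added example that is not part of the V2Fly documentation or code base: it reads the effective capability mask (the CapEff line of /proc/<pid>/status on Linux), so the process can be run with that single capability instead of as root. The function names and the sample status text are constructed for this example.

```python
CAP_NET_ADMIN = 12  # capability number from linux/capability.h

def needs_net_admin(sockopt, follow_redirect=False):
    """Reasons this SocketConfigObject needs CAP_NET_ADMIN, per the field notes above."""
    reasons = []
    if sockopt.get("mark", 0) != 0:
        reasons.append("mark sets SO_MARK")
    tproxy = sockopt.get("tproxy", "")
    if not tproxy and follow_redirect:
        tproxy = "redirect"  # the Tips rule for Dokodemo-door followRedirect
    if tproxy in ("redirect", "tproxy"):
        reasons.append(f'tproxy is "{tproxy}"')
    return reasons

def has_capability(status_text, cap=CAP_NET_ADMIN):
    """Test one bit of the CapEff mask in the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return bool((int(line.split()[1], 16) >> cap) & 1)
    return False  # no CapEff line: not Linux, or not a status file

def preflight(sockopt, status_text, follow_redirect=False):
    """List every setting that will fail because CAP_NET_ADMIN is missing."""
    reasons = needs_net_admin(sockopt, follow_redirect)
    if reasons and not has_capability(status_text):
        return ["CAP_NET_ADMIN missing: " + reason for reason in reasons]
    return []

# Constructed /proc/self/status excerpts.
UNPRIVILEGED = "Name:\tv2ray\nCapEff:\t0000000000000000\n"
NET_ADMIN_ONLY = "Name:\tv2ray\nCapEff:\t0000000000001000\n"

if __name__ == "__main__":
    sockopt = {"mark": 255, "tproxy": "tproxy"}
    print(preflight(sockopt, UNPRIVILEGED))    # two findings
    print(preflight(sockopt, NET_ADMIN_ONLY))  # no findings
```

To check the running process, pass the contents of /proc/self/status as status_text.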

tcpKeepAliveInterval: number

The interval in seconds between sending TCP keep-alive packets (only for Linux).

0 means keep the default value.

bindToDevice: string

Bind the connection to the specified network device (Linux: v5.0.6+, Windows/Darwin: v5.2.0+).

mptcp: true | false

Whether to enable Multipath TCP (only for Linux).

  • true: MPTCP is turned on. If the host on the other side doesn't support MPTCP, MPTCP will fall back to using TCP.
  • false: MPTCP is turned off.

When this item does not exist, the system default setting is used. Can be used for inbound and outbound connections.

Contributors: Shelikhoo, Kid, Arınç ÜNAL