Stream

{
  "transport":"tcp",
  "transportSettings":{},
  "security":"none",
  "securitySettings":{}
}

transport: name of <transport>

transportSettings: settings of <transport>

security: name of <security>

It has to be one of supported Security Protocol.

securitySettings: settings of <security>

socketSettings: SocketConfigObject

Supported Streams

• TCP
• WebSocket
• mKCP
• gRPC
• QUIC
• meek
• httpupgrade
• Hysteria2

TLS

• Name: tls
• Type: Security Protocol
• ID: security.tls

serverName: string

The server name indication domain name for TLS connection.

nextProtocol : [string]

The ALPN for TLS connections.

disableSystemRoot: true | false

Whether system level Certificate Authority Store should be trusted.

pinnedPeerCertificateChainSha256 : [string]

Pinned Peer Certificate Chain SHA256 Hash. Should be represented in base64 format.

You can generate this value with ./v2ray tls certChainHash --cert <cert.pem> (v5.18.0+)

allowInsecureIfPinnedPeerCertificate : bool

This option allow TLS certificate verification to be turned off if the pinnedPeerCertificateChainSha256 is set. If pinnedPeerCertificateChainSha256 is not set, this option is ignored.

certificate: [CertificateObject]

CertificateObject

usage : string

The purpose of the certificate.

• "ENCIPHERMENT": The certificate is used for TLS authentication and encryption.
• "AUTHORITY_VERIFY": The certificate is used to verify the remote TLS certificate. When using this option, the current certificate must be a CA certificate.
• "AUTHORITY_VERIFY_CLIENT": : The certificate is used to verify the remote TLS client certificate. When using this option, the current certificate must be a CA certificate.
• "AUTHORITY_ISSUE": The certificate is used to issue other certificates. When using this option, the current certificate must be a CA certificate.

Certificate: string

The Certificate file in PEM format.

Key: string

The Certificate private key file in PEM format.

certificateFile: string

The path for the Certificate file.

keyFile: string

The path for the Certificate private key file.

uTLS

• Name: utls
• Type: Security Protocol
• ID: security.utls

uTLS is a fork of TLS aimed at trying to imitate the client hello fingerprint of popular TLS implementation to hide the client identity of a Go language program. (v5.2.0+)

It is only supports client mode and in certain transports. If you use it in a context where it is not supported, the process will crash.

uTLS is supported in the following transports:

• TCP
• WebSocket

When you are using uTLS in some transport, the APLN will be overridden for its correct function. It may be a slightly different fingerprint than specified.

tlsConfig: TLSConfig

The Embedded TLS Setting for uTLS connections. Only some of its field are effective.

Supported Fields:

• Certificate Authority Settings (allowInsecure is ignored)

imitate: string

The TLS client fingerprint to use for the uTLS connection.

• randomized
• randomizedalpn
• randomizednoalpn
• firefox_auto
• firefox_55
• firefox_56
• firefox_63
• firefox_65
• firefox_99
• firefox_102
• firefox_105
• chrome_auto
• chrome_58
• chrome_62
• chrome_70
• chrome_72
• chrome_83
• chrome_87
• chrome_96
• chrome_100
• chrome_102
• ios_auto
• ios_11_1
• ios_12_1
• ios_13
• ios_14
• android_11_okhttp
• edge_auto
• edge_85
• edge_106
• safari_auto
• safari_16_0
• 360_auto
• 360_7_5
• 360_11_0
• qq_auto
• qq_11_1

noSNI: bool

Do not send Server Name Indication in the client hello. This may result in failed connection.

forceAlpn : "TRANSPORT_PREFERENCE_TAKE_PRIORITY" | "NO_ALPN" | "UTLS_PRESET"

Controls data source for Application-Layer Protocol Negotiation (ALPN) extension. You can use this setting to make connect resemble the imitated program better. In correct setting will result in connection failure. (v5.3.0+)

• TRANSPORT_PREFERENCE_TAKE_PRIORITY : Default value. If user have set an ALPN at TLS setting, use that. Otherwise the default from transport will be used.
• NO_ALPN : Do not send ALPN TLS extension.
• UTLS_PRESET: Use value from uTLS template.

SocketConfigObject

{
    "mark": 0,
    "tcpFastOpen": false,
    "tcpFastOpenQueueLength": 4096,
    "tproxy": "off",
    "tcpKeepAliveInterval": 0,
    "bindToDevice": "eth0",
    "mptcp": false
}

mark: number

An integer. When its value is non-zero, mark SO_MARK on the outbound connection.

• Only applicable to Linux systems.
• Requires CAP_NET_ADMIN permission.

tcpFastOpen: true | false

Whether to enable TCP Fast Open. When its value is true, TFO is forcibly turned on; when its value is false, TFO is forcibly turned off; when this item does not exist, the system default setting is used. Can be used for inbound and outbound connections.

• Only available in the following versions (or later versions) of the operating system:
  • Windows 10 (1604)
  • Mac OS 10.11 / iOS 9
  • Linux 3.16: The system is turned on by default and no configuration is required.
  • FreeBSD 10.3

tcpFastOpenQueueLength: number

TCP Fast Open queue length for inbound connections. Default value is 4096. Only available in Linux.

tproxy: "redirect" | "tproxy" | "off"

Whether to enable transparent proxy (only for Linux).

• "redirect": Transparent proxy using Redirect mode. Only TCP/IPv4 and UDP connections are supported.
• "tproxy": Use TProxy mode transparent proxy. Supports TCP and UDP connections.
• "off": Turn off the transparent proxy.

Transparent proxy requires Root or CAP_NET_ADMIN authority.

tcpKeepAliveInterval: number

The interval in seconds between sending TCP keep-alive packets (only for Linux).

0 means keep the default value.

bindToDevice: string

Bind the connection to the specified network device (Linux: v5.0.6+, Windows/Darwin: v5.2.0+).

mptcp: true | false

Whether to enable Multipath TCP (only for Linux).

• true: MPTCP is turned on. If the host on the other side doesn't support MPTCP, MPTCP will fall back to using TCP.
• false: MPTCP is turned off.

When this item does not exist, the system default setting is used. Can be used for inbound and outbound connections.