v2ray: Server install (CentOS 7) - Tualua/v2ray-docs GitHub Wiki

Install v2ray on CentOS 7 with websocket support, TLS and website to disguise your VPN server

Install latest CentOS on your VM

http://isoredirect.centos.org/centos/7/isos/x86_64/

All commands should be executed with root privileges. If you have already set up another user account, run

sudo su

before continuing with this guide. You will have to do this again after each login with your user account.

Install your hypervisor's guest tools if needed. I will install open-vm-tools because I use VMware ESXi

yum -y install open-vm-tools

Update

yum -y update

Install some tools (you can skip this and use your favorite text editor instead of nano)

yum -y install mc nano wget

Install additional repositories

rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
yum -y install yum-utils epel-release 
yum -y install https://rpms.remirepo.net/enterprise/remi-release-7.rpm
yum -y install https://www.elrepo.org/elrepo-release-7.0-3.el7.elrepo.noarch.rpm

Install NTP for time synchronization

yum -y install ntp
systemctl enable ntpd
systemctl start ntpd

Install kernel 4.4 (you can skip this)

yum -y --enablerepo=elrepo-kernel install kernel-lt

Update GRUB configuration

Edit /etc/default/grub and set GRUB_DEFAULT=0

nano /etc/default/grub

Update grub config

grub2-mkconfig -o /boot/grub2/grub.cfg

Reboot and check kernel version

$ uname -r
4.4.176-1.el7.elrepo.x86_64

Configure firewalld

Add your Internet-facing network interface to the external zone (ens160 in this example; use your own interface name)

firewall-cmd --permanent --zone=external --change-interface=ens160

Allow access to HTTP and HTTPS ports

firewall-cmd --permanent --zone=external --add-service=http
firewall-cmd --permanent --zone=external --add-service=https

Reload firewalld config

firewall-cmd --reload

Install Apache

yum -y install httpd

Install PHP 7.3

yum-config-manager --enable remi-php73
yum -y --enablerepo=remi-php73 install php

Install certbot

yum -y install certbot python2-certbot-apache

V2Ray

Install v2ray

cd ~
wget https://install.direct/go.sh
bash ./go.sh
Output
Installing V2Ray v4.18.0 on x86_64
Downloading V2Ray: https://github.com/v2ray/v2ray-core/releases/download/v4.18.0/v2ray-linux-64.zip
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   608    0   608    0     0    540      0 --:--:--  0:00:01 --:--:--   540
100 10.5M  100 10.5M    0     0   715k      0  0:00:15  0:00:15 --:--:--  663k
Updating software repo
Installing unzip
Extracting V2Ray package to /tmp/v2ray.
Archive:  /tmp/v2ray/v2ray.zip
  inflating: /tmp/v2ray/config.json
   creating: /tmp/v2ray/doc/
  inflating: /tmp/v2ray/doc/readme.md
  inflating: /tmp/v2ray/geoip.dat
  inflating: /tmp/v2ray/geosite.dat
   creating: /tmp/v2ray/systemd/
  inflating: /tmp/v2ray/systemd/v2ray.service
   creating: /tmp/v2ray/systemv/
  inflating: /tmp/v2ray/systemv/v2ray
  inflating: /tmp/v2ray/v2ctl
 extracting: /tmp/v2ray/v2ctl.sig
  inflating: /tmp/v2ray/v2ray
 extracting: /tmp/v2ray/v2ray.sig
  inflating: /tmp/v2ray/vpoint_socks_vmess.json
  inflating: /tmp/v2ray/vpoint_vmess_freedom.json
PORT:xxxxx
UUID:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Created symlink from /etc/systemd/system/multi-user.target.wants/v2ray.service to /etc/systemd/system/v2ray.service.
V2Ray v4.18.0 is installed.

Configure v2ray by editing /etc/v2ray/config.json

nano /etc/v2ray/config.json

Here is a sample working config. Do not forget to generate a UUID for your user(s)!

# cat /etc/v2ray/config.json
// v2ray strips // comments when it loads this file; strict JSON tools will not
{
  "log": {
    "access": "/var/log/v2ray/access.log",
    "error": "/var/log/v2ray/error.log",
    "loglevel": "warning"
  },
  "inbounds": [{
    "port": 35730,
    // bind to loopback only: clients reach v2ray through the Apache TLS proxy, never directly
    "listen": "127.0.0.1",
    "protocol": "vmess",
    "settings": {
      "clients": [
        {
          // user UUID - generate one (e.g. with uuidgen, or https://www.uuidgenerator.net/)
          "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
          "level": 1,
          "alterId": 64
        }
      ]
    },
    "streamSettings": {
      "network": "ws",
      "wsSettings": {
        "path": "/ray"
      }
    }
  }],
  "outbounds": [{
    "protocol": "freedom",
    "settings": {}
  },{
    "protocol": "blackhole",
    "settings": {},
    "tag": "blocked"
  }],
  "routing": {
    "rules": [
      {
        "type": "field",
        "ip": ["geoip:private"],
        // must name an outbound tag defined above; drops traffic to private ranges
        "outboundTag": "blocked"
      }
    ]
  }
}
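An added helper for the UUID step, not code from the wiki or from v2ray: it generates the client id locally (so the credential never passes through a third-party web page), writes it into the placeholder shown above and, where the v2ray binary is present, asks v2ray to parse the result. The placeholder string and the `/usr/bin/v2ray/v2ray` path are the ones used in this guide; the function names are my own.

```shell
#!/bin/bash
# Added example (not from the wiki): fill the UUID placeholder in the sample
# config with a freshly generated client id and sanity-check the result.
# Assumes the placeholder string used above and the v2ray v4 install path.

PLACEHOLDER='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'

# Generate a random version-4 UUID for a client id. The kernel's random/uuid
# file is present on CentOS 7; uuidgen (util-linux) is the fallback.
gen_uuid() {
  if [ -r /proc/sys/kernel/random/uuid ]; then
    cat /proc/sys/kernel/random/uuid
  else
    uuidgen | tr 'A-Z' 'a-z'
  fi
}

# Succeed only for the canonical 8-4-4-4-12 lowercase hex form.
is_uuid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Replace the placeholder in config file $1 with the UUID in $2. Refuses
# malformed ids and files without the placeholder, so a second run cannot
# silently overwrite a client id that is already in use.
set_client_uuid() {
  local cfg="$1" uuid="$2"
  is_uuid "$uuid" || { echo "malformed UUID: $uuid" >&2; return 1; }
  grep -q "$PLACEHOLDER" "$cfg" || { echo "no placeholder left in $cfg" >&2; return 1; }
  sed -i "s/$PLACEHOLDER/$uuid/" "$cfg"
}

# Ask v2ray itself to parse the config when the binary is installed;
# "v2ray -test" reports syntax and schema errors without starting the daemon.
test_config() {
  local cfg="$1"
  if [ -x /usr/bin/v2ray/v2ray ]; then
    /usr/bin/v2ray/v2ray -test -config "$cfg"
  else
    echo "v2ray binary not found, skipping config test" >&2
  fi
}
```

Typical use on the server: `u=$(gen_uuid); set_client_uuid /etc/v2ray/config.json "$u"; test_config /etc/v2ray/config.json`, then copy `$u` into the client configuration. Keep the UUID out of shell history and chat logs; it is the only credential a VMess client needs.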

Enable and start v2ray

systemctl enable v2ray
systemctl start v2ray

Check v2ray status

# systemctl status v2ray
● v2ray.service - V2Ray Service
   Loaded: loaded (/etc/systemd/system/v2ray.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2033-33-33 33:33:33 UTC; 58s ago
 Main PID: 6327 (v2ray)
   CGroup: /system.slice/v2ray.service
           └─6327 /usr/bin/v2ray/v2ray -config /etc/v2ray/config.json

Configure Apache

Create directory structure for website

mkdir -p /var/www/host.domain.tld/public_html
chown -R apache:apache /var/www/

Create virtual host

nano /etc/httpd/conf.d/host.domain.tld.conf

Edit file

<VirtualHost *:80>
    ServerName host.domain.tld
    ServerAdmin [email protected]
    DocumentRoot /var/www/host.domain.tld/public_html
    <Directory /var/www/host.domain.tld/public_html>
        Options -Indexes +FollowSymLinks
        AllowOverride All
    </Directory>
    ErrorLog /var/log/httpd/host.domain.tld-error.log
    CustomLog /var/log/httpd/host.domain.tld-access.log combined
</VirtualHost>

Check syntax

httpd -t

Enable and start Apache

systemctl enable httpd
systemctl start httpd

Check the website by opening http://host.domain.tld in your browser. It should show the Apache test page.

Configure SSL

Request SSL certificate from letsencrypt

certbot --apache -d host.domain.tld

Enter your email, agree to the ToS, decide whether you are willing to share your email address with the Electronic Frontier Foundation, and choose no redirect when certbot asks whether to redirect HTTP traffic to HTTPS.

Open page https://host.domain.tld and check certificate

Setup renewal procedure

Check if everything is ok

certbot renew --dry-run

Create cron job

crontab -e

Add following line

30 2 * * * /usr/bin/certbot renew >> /var/log/letsencrypt/le-renew.log

Save and exit (it is vim, so press ESC, input :wq and press ENTER)

Configure Apache

Edit host.domain.tld-le-ssl.conf

nano /etc/httpd/conf.d/host.domain.tld-le-ssl.conf

Make it look like this. Change the domain name, port number, log and certificate file paths according to your requirements

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName host.domain.tld
    ServerAdmin [email protected]
    ErrorLog /var/log/httpd/v2ray_host.domain.tld-error.log
    CustomLog /var/log/httpd/v2ray_host.domain.tld-access.log combined
    Include /etc/letsencrypt/options-ssl-apache.conf

    # WebSocket upgrades are proxied to v2ray on loopback (needs mod_proxy_wstunnel),
    # everything else to the plain HTTP site on port 80
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /(.*)           ws://localhost:35730/$1 [P,L]
    RewriteCond %{HTTP:Upgrade} !=websocket [NC]
    RewriteRule /(.*)           http://localhost:80/$1 [P,L]

    SSLProxyEngine On
    ProxyPass /ray http://127.0.0.1:35730
    ProxyPassReverse /ray http://127.0.0.1:35730

    SSLCertificateFile /etc/letsencrypt/live/host.domain.tld/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/host.domain.tld/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/host.domain.tld/chain.pem

</VirtualHost>
</IfModule>

Edit options-ssl-apache.conf

nano /etc/letsencrypt/options-ssl-apache.conf

Change it to the following

#Disable old SSL protocols and enable TLS1.2 (1.3 is not supported by v2ray)
SSLProtocol             -All +TLSv1.2
#Enable only strong ciphers
SSLCipherSuite          HIGH:!aNULL:!MD5

Check config syntax and restart httpd

httpd -t
systemctl restart httpd

Check again - browse to https://host.domain.tld - it should open without any issues

Configure SELinux to allow httpd scripts and modules to connect to the network (needed so Apache can proxy the WebSocket connection to v2ray)

setsebool -P httpd_can_network_connect 1
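Added post-install checks (my own script, not part of the wiki or of v2ray) for three properties the setup above depends on: the VMess inbound from the config listens on loopback only, the external firewalld zone exposes nothing beyond the web ports (plus ssh, which is in that zone by default), and the public /ray path answers a WebSocket upgrade through the Apache proxy. HOST, V2RAY_PORT and ALLOWED_SERVICES default to the sample values used in this guide and are assumptions to override; the parsers read captured command output on stdin so they can be exercised without a live server.

```shell
#!/bin/bash
# Added example (not from the wiki): post-install checks for the layout built
# above, where Apache terminates TLS on 443 and proxies WebSocket upgrades to
# v2ray on 127.0.0.1:35730, and firewalld exposes only web ports. HOST,
# V2RAY_PORT and ALLOWED_SERVICES are assumptions matching the guide's values.

HOST="${HOST:-host.domain.tld}"
V2RAY_PORT="${V2RAY_PORT:-35730}"
ALLOWED_SERVICES="${ALLOWED_SERVICES:-http https ssh}"   # ssh is in 'external' by default

# Read `ss -ltn` output on stdin; succeed only if something listens on port $1
# and every such listener is bound to loopback. A 0.0.0.0 or [::] bind would
# expose the plaintext VMess port directly, bypassing Apache and TLS.
v2ray_bound_to_loopback() {
  awk -v p="$1" '
    $1 == "LISTEN" && $4 ~ (":" p "$") {
      n++
      if ($4 != "127.0.0.1:" p && $4 != "[::1]:" p) bad++
    }
    END { exit (n == 0 || bad > 0) ? 1 : 0 }'
}

# Read `firewall-cmd --zone=external --list-services` output on stdin; fail if
# any service outside ALLOWED_SERVICES is open in that zone.
firewall_services_ok() {
  local svc allowed ok
  for svc in $(cat); do
    ok=0
    for allowed in $ALLOWED_SERVICES; do
      [ "$svc" = "$allowed" ] && ok=1
    done
    [ "$ok" -eq 1 ] || return 1
  done
}

# Read an HTTP response on stdin; succeed if it is a WebSocket upgrade
# (status 101 plus an Upgrade: websocket header), which is what /ray must
# answer once Apache, mod_proxy_wstunnel and v2ray are wired together.
ws_upgrade_ok() {
  local resp
  resp=$(tr -d '\r')
  printf '%s\n' "$resp" | grep -Eq '^HTTP/1\.[01] 101' &&
    printf '%s\n' "$resp" | grep -Eiq '^upgrade:[[:space:]]*websocket'
}

# Send a handshake to the public endpoint. curl may exit non-zero after the
# 101 because the socket stays open until --max-time; only the response
# headers matter, so the pipeline status is that of ws_upgrade_ok.
probe_ws() {
  local key
  key=$(head -c 16 /dev/urandom | base64)
  curl -sS -i --max-time 5 \
    -H 'Connection: Upgrade' -H 'Upgrade: websocket' \
    -H 'Sec-WebSocket-Version: 13' -H "Sec-WebSocket-Key: $key" \
    "https://$HOST/ray" 2>/dev/null | ws_upgrade_ok
}

run_checks() {
  local rc=0
  if ss -ltn | v2ray_bound_to_loopback "$V2RAY_PORT"; then
    echo "ok: v2ray port $V2RAY_PORT bound to loopback only"
  else
    echo "FAIL: v2ray port $V2RAY_PORT missing or exposed on a non-loopback address"; rc=1
  fi
  if firewall-cmd --zone=external --list-services | firewall_services_ok; then
    echo "ok: external zone exposes only: $ALLOWED_SERVICES"
  else
    echo "FAIL: unexpected service open in external zone"; rc=1
  fi
  if probe_ws; then
    echo "ok: https://$HOST/ray answers a WebSocket upgrade"
  else
    echo "FAIL: no 101 Switching Protocols from https://$HOST/ray"; rc=1
  fi
  return $rc
}

# Live checks run only on request: RUN_CHECKS=1 bash v2ray-checks.sh
if [ "${RUN_CHECKS:-0}" = 1 ]; then
  run_checks
fi
```

Run `RUN_CHECKS=1 bash v2ray-checks.sh` on the server after the SELinux step. The first check is the one worth repeating after every config edit: if `listen` is ever dropped from the inbound, v2ray binds to all interfaces and the VMess port becomes reachable without TLS, which firewalld only blocks as long as the port was never opened there.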

TO-DO

Lightweight CMS installation (grav) to better disguise your server as a website

Et voilà - it works! Proceed to client configuration
