VPNSmith

V2Ray VMess and VLess on Contabo: complete 2026 setup guide

V2Ray step-by-step install on a Contabo VPS, VMess and VLess JSON configs, TLS REALITY, multiplexing, v2rayNG Android and Shadowrocket iOS clients.

By Eric Gerard · Founder · VPNSmith, self-hosted VPN & GDPR VPS specialist · 9 min read

Affiliate disclosure — This article contains Contabo affiliate links. If you order a VPS via our links, we earn a commission at no extra cost to you. Every config below runs in production on our own VPS.

V2Ray (and its Xray-core fork) is today the reference tool for bypassing sophisticated DPI — particularly the Chinese GFW. Where Shadowsocks does opaque encryption and wstunnel does simple WebSocket, V2Ray combines multiple protocols (VMess, VLess, Trojan, Shadowsocks) with multiple transports (TCP, WebSocket, HTTP/2, gRPC, QUIC) and multiple obfuscation layers (TLS, REALITY, XTLS Vision). It's powerful. It's also complex.

This guide covers V2Ray install on a Contabo VPS (Ubuntu 24.04), the VMess vs VLess distinction in 2026, two production-ready JSON configs (VMess + WS + TLS classic, and VLess + REALITY for China), multiplexing to share connections, and the v2rayNG (Android) and Shadowrocket (iOS) mobile clients.

VMess vs VLess vs Xray: picking the right tool

VMess (V2Ray, 2015): the historical protocol. Application-layer encryption inside V2Ray + UUID + alterId for auth. Robust but "marked": its fingerprint has been detectable by advanced DPI since 2021.

VLess (V2Ray, 2020): lighter version. No application-layer encryption (we delegate everything to TLS), no alterId, UUID alone for auth. Faster (less compute), stealthier (no characteristic "VMess signature").

Xray-core (RPRX fork, 2021): a more actively maintained V2Ray fork, which introduced XTLS (optimized TLS without double encryption) then REALITY (borrows the cert of a target site). In 2026, Xray-core is technically superior for China.

2026 recommendation:

  • New setup, China focus: Xray-core + VLess + REALITY.
  • New setup, rest of the world (Iran, Russia, corporate): Xray-core + VLess + WS + TLS (or VMess for compat).
  • Maintaining an existing setup: stay on V2Ray + VMess + WS + TLS, it still works very well outside aggressive GFW.

For the rest, we install Xray-core (which supports VMess + VLess + Trojan + SS in the same binary — strictly more complete than V2Ray-core).

Xray-core install on a Contabo VPS

Contabo VPS S (4 vCPU, 8 GB RAM, €4.99/month) on Ubuntu 24.04. For China, pick the Singapore or Tokyo datacenter; for Iran/Turkey, Düsseldorf or Nuremberg; for Russia, the same European datacenters.

Step 1 — Official install script

bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install

The script installs Xray in /usr/local/bin/xray, creates an xray.service systemd unit, and drops the default config into /usr/local/etc/xray/config.json. Verify:

xray version
systemctl status xray

Step 2 — Domain and TLS cert (for VMess/VLess + WS + TLS)

Prerequisite: cdn.yourdomain.com pointing to the VPS IP. We use Caddy as a reverse proxy for automatic Let's Encrypt management:

apt update && apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | tee /etc/apt/sources.list.d/caddy-stable.list
apt update && apt install -y caddy

For REALITY, no domain required — REALITY borrows the cert of a target site. One of the major advantages for fast deployments.

Production config 1: VMess + WebSocket + TLS

This is the "2020–2023 classic" config that still passes very well in 2026 outside of aggressive GFW. Compatible with all historical V2Ray clients.

/usr/local/etc/xray/config.json:

{
  "log": { "loglevel": "warning" },
  "inbounds": [
    {
      "port": 10000,
      "listen": "127.0.0.1",
      "protocol": "vmess",
      "settings": {
        "clients": [
          { "id": "UUID-CLIENT-1-GENERATE", "alterId": 0, "email": "user1@vpnsmith" },
          { "id": "UUID-CLIENT-2-GENERATE", "alterId": 0, "email": "user2@vpnsmith" }
        ]
      },
      "streamSettings": {
        "network": "ws",
        "wsSettings": {
          "path": "/cdn-static/vmess-ws",
          "headers": { "Host": "cdn.yourdomain.com" }
        }
      }
    }
  ],
  "outbounds": [
    { "protocol": "freedom", "tag": "direct" },
    { "protocol": "blackhole", "tag": "block" }
  ]
}

Generate one UUID per user with xray uuid or uuidgen. Keep each UUID in a secret manager — it's the auth key.

Matching Caddyfile (/etc/caddy/Caddyfile):

cdn.yourdomain.com {
  root * /var/www/html
  file_server

  @vmess {
    path /cdn-static/vmess-ws
    header Connection *Upgrade*
    header Upgrade websocket
  }
  reverse_proxy @vmess 127.0.0.1:10000
}

Drop a dummy HTML site in /var/www/html/index.html (crucial for active-probing camouflage). Start:

systemctl restart xray caddy
journalctl -u xray -f

Production config 2: VLess + REALITY (anti-GFW 2026)

This is the recommended config for mainland China in 2026. REALITY makes your server look exactly like www.microsoft.com (or another popular whitelisted site) from a DPI's point of view.

First generate a REALITY keypair:

xray x25519
# Private key: ...
# Public key: ...

Pick a target site (dest) that responds in TLS 1.3 + HTTP/2 and isn't blacklisted in the target country. For China: www.microsoft.com, dl.microsoft.com, update.microsoft.com are excellent choices.

/usr/local/etc/xray/config.json:

{
  "log": { "loglevel": "warning" },
  "inbounds": [
    {
      "port": 443,
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "id": "UUID-CLIENT-GENERATE",
            "flow": "xtls-rprx-vision",
            "email": "user1@vpnsmith"
          }
        ],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "tcp",
        "security": "reality",
        "realitySettings": {
          "show": false,
          "dest": "www.microsoft.com:443",
          "xver": 0,
          "serverNames": ["www.microsoft.com"],
          "privateKey": "YOUR_X25519_PRIVATE_KEY",
          "shortIds": ["", "a1b2c3d4"]
        }
      }
    }
  ],
  "outbounds": [
    { "protocol": "freedom", "tag": "direct" }
  ]
}

How it works:

  • When a REALITY client connects, it sends a TLS 1.3 ClientHello with SNI www.microsoft.com and a shared secret in an extension.
  • Xray detects the shared secret, takes over, and establishes the VLess tunnel.
  • When a "non-REALITY" client shows up (GFW probe, for instance), Xray does passthrough to www.microsoft.com:443 — the client sees the real Microsoft page, valid cert, normal behavior.
  • DPI cannot distinguish your server from a Microsoft cache.

It's the state of the art for anti-DPI in 2026. Hard to blacklist without blacklisting Microsoft.

REALITY limits:

  • TCP only (no WS, no HTTP/2). If the firewall throttles generic TCP, REALITY doesn't help.
  • Client must support REALITY: v2rayNG ≥ 1.8, Shadowrocket ≥ 2.2.20, sing-box ≥ 1.5. Old SS or VMess WS clients = incompatible.

Multiplexing (mux) to share connections

V2Ray/Xray supports multiplexing: multiple user TCP flows share a single physical TCP connection to the server. Benefits: fewer visible connections (useful against DPI doing connection counting), reduced latency after the first session, TLS handshake savings.

Server side, no config needed — Xray detects automatically.

Client side (v2rayNG, Shadowrocket, sing-box), enable "Mux" with concurrency 8 (recommended value). You'll see your ping improve by 2–5 ms and your parallel throughput stay more stable.

Warning: on unstable networks (4G mobile near the edge of coverage), mux can amplify head-of-line blocking. If you see weird slowdowns, disable mux for that profile.

Clients: v2rayNG (Android), Shadowrocket (iOS), v2rayN (Windows), sing-box (Linux/macOS)

Android — v2rayNG (open source, F-Droid or Play Store): the reference client. For VMess + WS + TLS, import manually with:

  • Address: cdn.yourdomain.com
  • Port: 443
  • ID: your UUID
  • Encryption: auto
  • Network: ws
  • Path: /cdn-static/vmess-ws
  • Host: cdn.yourdomain.com
  • TLS: tls
  • SNI: cdn.yourdomain.com
  • Allow insecure: false

For VLess + REALITY:

  • Address: VPS IP
  • Port: 443
  • ID: your UUID
  • Flow: xtls-rprx-vision
  • Network: tcp
  • Security: reality
  • SNI: www.microsoft.com
  • Fingerprint: chrome
  • Public key: your x25519 public key
  • Short ID: a1b2c3d4 (one from the server list)

iOS — Shadowrocket ($2.99 one-time on the App Store). Native VMess support, VLess + REALITY since 2.2.20. Import the vless:// or vmess:// URI generated by Xray (xray generate config) or via the UI.

Windows — v2rayN (open source, GitHub). Classic Windows UI, supports the whole V2Ray/Xray ecosystem. Handles system proxy well (System Proxy mode).

Linux/macOS — sing-box (open source, more modern than V2Ray client). JSON configuration. More performant and lighter than V2Ray client. Our choice on our workstations.

Performance and operational cost

Real benchmarks: Contabo VPS S in Nuremberg, residential fiber client in Paris (1 Gbps), median of 10 sessions, April 2026.

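Setup                         | Added latency | TCP throughput | CPU @ 100 Mbps
------------------------------|---------------|----------------|---------------
VMess + WS + TLS              | +12 ms        | 110 Mbps       | 14%
VLess + WS + TLS              | +10 ms        | 125 Mbps       | 11%
VLess + REALITY (xtls-vision) | +8 ms         | 155 Mbps       | 8%
Trojan + WS + TLS             | +12 ms        | 115 Mbps       | 13%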

REALITY wins on all axes — less overhead because XTLS Vision avoids the TLS-then-VLess double encryption.

RAM cost (idle / @ 100 Mbps): 25 MB / 80 MB on the VMess WS+TLS config. On an 8 GB VPS S, you host 20–30 concurrent users no problem.

Hardening

1. Per-user unique UUID auth. NEVER share the same UUID between people. If a UUID leaks (badly handled clipboard, Telegram screenshot), you know whom to revoke.

2. UUID rotation every 3–6 months. Generate new UUIDs, push to users, remove the old from the Xray config. Trivial to script.

3. fail2ban on Caddy 404. As with wstunnel, ban IPs that scan nonexistent paths:

# /etc/fail2ban/jail.d/caddy-404.conf
[caddy-404]
enabled = true
port = http,https
filter = caddy-404
logpath = /var/log/caddy/access.log
maxretry = 10
findtime = 60
bantime = 3600

4. SSH key-only + UFW. Standard. Disable SSH password in /etc/ssh/sshd_config (PasswordAuthentication no), open only 22, 80, 443 in UFW (ufw allow 443/tcp, etc.).

5. Short log retention. In config.json, keep loglevel: warning (not info or debug), and configure logrotate to purge old logs. Ideally: no persistent DNS/connection logs if the jurisdiction is sensitive.
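The ban decision that the caddy-404 jail in item 3 encodes (maxretry = 10 within findtime = 60), as an added example that is not part of the original article. It assumes Caddy has been configured to write its JSON access log to the jail's logpath; the function names and sample lines are constructed for illustration.

```python
import json
from collections import defaultdict, deque

MAXRETRY, FINDTIME = 10, 60  # values from the caddy-404 jail above

def parse_404(line):
    """Return (timestamp, client_ip) for a 404 access-log entry, else None."""
    try:
        entry = json.loads(line)
    except json.JSONDecodeError:
        return None  # non-JSON noise must never crash the watcher
    if not isinstance(entry, dict) or entry.get("status") != 404:
        return None
    req = entry.get("request")
    ip = req.get("remote_ip") if isinstance(req, dict) else None
    ts = entry.get("ts")
    if not ip or not isinstance(ts, (int, float)):
        return None
    return float(ts), ip

def ips_to_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """IPs that reach `maxretry` 404s inside any `findtime`-second window."""
    recent = defaultdict(deque)   # ip -> timestamps of recent 404s
    banned = []
    for line in lines:
        hit = parse_404(line)
        if hit is None:
            continue
        ts, ip = hit
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()      # forget hits older than findtime
        if len(window) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned

def sample_log():
    """Constructed log lines (documentation IPs) using Caddy's JSON field names."""
    def row(ts, ip, uri, status):
        return json.dumps({"ts": ts, "request": {"remote_ip": ip, "uri": uri}, "status": status})
    scanner = [row(1000 + i, "203.0.113.7", f"/probe{i}", 404) for i in range(10)]
    slow = [row(1000 + 30 * i, "198.51.100.9", "/favicon.ico", 404) for i in range(10)]
    user = [row(1005, "192.0.2.4", "/cdn-static/vmess-ws", 101), "not json"]
    return scanner + slow + user

if __name__ == "__main__":
    print(ips_to_ban(sample_log()))
```

Only the fast scanner is banned: the client that requests a missing favicon every 30 seconds never has more than three 404s inside a 60-second window, and the WebSocket upgrade on the tunnel path is not a 404 at all.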

V2Ray vs alternatives — When to move on

Need                                         | Pick
---------------------------------------------|-------------------------------
Simplest setup, corporate bypass only        | wstunnel (5 min setup)
No VPS, just obfuscate an existing WireGuard | Cloak
Multi-user (20+) + GFW bypass + pro setup    | Xray-core + VLess + REALITY
Mobile-first, plug & play setup              | Commercial VPN (NordVPN, etc.)
Academic anti-censorship research            | Tor + obfs4 or Snowflake

If you have fewer than 3 users and never go to mainland China, V2Ray is overkill — prefer wstunnel or WireGuard + Cloak. If you want a turnkey mobile solution with no VPS to manage, check NordVPN with its obfuscated servers.

Common troubleshooting

Symptom: connection established but no traffic flows. Check outbounds — if you forgot freedom, everything black-holes. Add {"protocol": "freedom", "tag": "direct"}.

Symptom: "TLS handshake error" on the client. Wrong client SNI, or expired server cert (check caddy logs or acme.sh status depending on your setup).

Symptom: REALITY doesn't work, client sees the real dest page. The server-side shortIds don't match what the client sends. Verify the client sends a1b2c3d4 (or another valid server-listed value).

Symptom: poor performance despite a good link. Enable mux client-side (concurrency 8). Check the server isn't CPU-bound (top then htop). For 50+ users, move to Cloud VPS 10 (8 vCPU, 30 GB RAM, €13/month).
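A pre-restart check for config.json that covers the mistakes named in the troubleshooting list above and in the Hardening section (missing freedom outbound, shortIds mismatch, shared or placeholder UUIDs, verbose loglevel, WebSocket inbound exposed off loopback). This is an added example, not code from the original article or from the Xray project; audit() and the sample config are hypothetical.

```python
import json
import re

UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")

def audit(config, client_short_id=None):
    """Return findings for an Xray config dict, limited to checks this page names."""
    findings, seen = [], {}
    if config.get("log", {}).get("loglevel", "warning") in ("info", "debug"):
        findings.append("loglevel is more verbose than warning")
    if not any(o.get("protocol") == "freedom" for o in config.get("outbounds", [])):
        findings.append("no freedom outbound: traffic will black-hole")
    for inbound in config.get("inbounds", []):
        tag = f'{inbound.get("protocol")}:{inbound.get("port")}'
        for client in inbound.get("settings", {}).get("clients", []):
            cid, who = str(client.get("id")).lower(), client.get("email", "?")
            if not UUID_RE.fullmatch(cid):
                findings.append(f"{tag} {who}: id is not a UUID (placeholder left in?)")
            elif cid in seen:
                findings.append(f"{tag} {who}: UUID shared with {seen[cid]}")
            else:
                seen[cid] = who
        stream = inbound.get("streamSettings", {})
        plain_ws = stream.get("network") == "ws" and stream.get("security", "none") == "none"
        if plain_ws and inbound.get("listen") not in ("127.0.0.1", "::1"):
            findings.append(f"{tag}: plain WebSocket inbound is not bound to loopback")
        if stream.get("security") == "reality":
            reality = stream.get("realitySettings", {})
            if reality.get("privateKey", "").startswith("YOUR_"):
                findings.append(f"{tag}: privateKey placeholder left in")
            if client_short_id is not None and client_short_id not in reality.get("shortIds", []):
                findings.append(f"{tag}: client shortId {client_short_id!r} not in shortIds")
    return findings

# Constructed sample: the REALITY config above with typical leftovers and mistakes.
SAMPLE = json.loads("""{"log": {"loglevel": "debug"},
  "outbounds": [{"protocol": "blackhole", "tag": "block"}],
  "inbounds": [{"port": 443, "protocol": "vless", "settings": {"clients": [
      {"id": "UUID-CLIENT-GENERATE", "email": "user1@vpnsmith"},
      {"id": "11111111-2222-4333-8444-555555555555", "email": "user2@vpnsmith"},
      {"id": "11111111-2222-4333-8444-555555555555", "email": "user3@vpnsmith"}]},
    "streamSettings": {"network": "tcp", "security": "reality", "realitySettings": {
      "dest": "www.microsoft.com:443", "serverNames": ["www.microsoft.com"],
      "privateKey": "YOUR_X25519_PRIVATE_KEY", "shortIds": ["", "a1b2c3d4"]}}}]}""")

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, client_short_id="a1b2c3d4")))
```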

Published 2026-06-03. Configs tested on a Contabo VPS S Nuremberg + residential clients in Europe + test accounts in Singapore, March–April 2026. REALITY evolves fast — review the quarterly Xray-core changelogs before critical deployment.

Legal reminder: V2Ray/Xray are open-source tools, legal in the EU, US, Canada, and most countries. Anti-censorship usage in China, Iran, Russia is locally illegal with variable penalties. VPNSmith publishes this guide for educational purposes.
