How to Bypass Internet Censorship and Protect Your Online Freedom in 2023

bitcoinvps.cloud
26 min read · Dec 20, 2022

Internet censorship refers to restricting access to information on the internet. It can take many forms, from blocking particular websites or services to filtering content to remove certain information.

Identifying and preventing access to prohibited content is a priority for some governments. Internet censorship is often justified as a means of protecting national security, preventing the spread of harmful or illegal content, or promoting social values.

Yet, many critics argue that censorship can be used to suppress political dissent and limit freedom of expression.

Big Brother is watching you!

Technically, internet censorship raises the same issues regardless of who orders it. Whether mandated by a court, an “independent” authority, or the government, censorship limits information access and freedom of expression.

A concern for ethics

Writing about ways to circumvent internet censorship can raise some ethical concerns. Still, people need to have access to this information.

I also understand that some people might worry that discussing these tools could motivate governments to increase their censorship efforts.

Censors are already well-informed about these tools. Ultimately, I decided to publish this article because the benefits of providing this information outweigh the potential risks.

I’m writing this article to share my experiences. I offer advice on using open-source tools to protect your freedom of expression online, even in the face of the strictest internet censorship.

While my examples are based on the internet situation in Iran, the information and advice I provide can be applied to other countries with different levels of censorship.

Sing-Box

This is why I chose it for this article:

  • Currently, the project is in active development. For a list of Sing-Box recent releases, visit https://github.com/SagerNet/sing-box/releases.
  • A variety of v2ray protocols and transports are supported.
  • The software allows simultaneous use as a client and server, which makes setting up multi-hop VPNs a breeze.
  • The documentation is available in English.
  • It’s incredibly easy to set up and configure.
  • Android, Windows, iOS, and Linux compatible clients are available.
  • The code for the project can be found on GitHub.
  • It can easily be used as your home router. It is possible to route traffic in a variety of ways.
  • It is even possible to load-balance multiple protocols.
  • A VPN gateway can be provided on your LAN by Sing-box.
  • To use the VPN gateway, you do not need to install any additional software on your devices.
  • While I’ve been using the latest beta version for two months, it’s surprisingly stable.
  • It is written in my beloved Go language.
  • It offers more features than v2ray-core and clash premium.
  • Sing-Box uses about 70 MB of memory, compared to 240+ MB for v2ray-core.
  • It outperforms its competitors in every benchmark test.
  • You can connect Sing-Box to the Tor network.

What you need

In this section, I’ll show you how to set up a transparent VPN gateway at home that allows you to bypass all censorship restrictions.

With this setup, you won’t need to connect or disconnect your VPN to access blocked content or use services like banking. It’s a simple and effective way to enjoy unrestricted access to the internet from the comfort of your home.

To set up a transparent VPN gateway at home, you’ll need the following:

  • A Linux machine on your local network: This could be a Raspberry Pi, OpenWRT, a virtual machine, or even a Docker container on your MikroTik. Running Sing-box as a gateway on your network is the most efficient way to configure it.
    Every other device then only needs to use this machine as its gateway; no additional software is installed on them. If you don’t have a Linux machine on your local network, you can still set up your VPS server, but you’ll have to install a client on each device.
  • A VPS server: This is a Linux machine connected to the internet in a place with little to no censorship. This could be a cloud VPS server or a dedicated server. We will access blocked content through this server.
  • A domain name (Optional): Some inbounds need a valid TLS certificate, which means pointing a subdomain at your VPS IP. Other configurations, such as ShadowTLS, don’t require a domain name.
  • CDN accounts (Optional): Many CDN providers offer free tier services. We will hide our VPS IP behind the CDN. Only certain configurations require it.

With these things in place, you’ll be ready to set up your transparent VPN gateway.

The environment

My first job in the country was as a technician for an ISP, where I was responsible for setting up ADSL modems at customers’ homes.

In less than six months, I connected more than 2,000 houses to the internet. I set up all those modems to use 192.168.1.1 as their IP address.

I assume that your modem/router also uses 192.168.1.1 as its IP address. If that’s not the case, you’ll need to adjust the instructions accordingly. But for the sake of simplicity, I’ll use 192.168.1.1 as the example in this article.

Local Linux Machine (VPN Gateway):

First, you’ll need to install Ubuntu 22.04 LTS on your Linux machine. Since this machine will be the gateway for every other device on your home network, you’ll need to configure netplan to use a static IP address.

Make sure the IP address you choose is outside of your DHCP range. I used 192.168.1.2 for mine.

Later, we will change the gateway for our LAN to this machine. This will allow us to route all of our internet traffic through the VPN gateway, providing us unrestricted internet access.

VPS Server:

When it comes to buying a VPS server, there are multiple factors to consider:

  • If you live in the country, buy from a provider that supports cryptocurrency. This will help protect your privacy and reduce the risks associated with using your bank account.
    I founded bitcoinvps.cloud on top of the Hetzner infrastructure, focusing on users’ privacy. I also offer servers from other providers.
  • I only ask for your email to send you server details and renewal notifications.
    BitcoinVPS.Cloud accepts multiple cryptocurrencies like Bitcoin and Dogecoin. Also my prices are lower than competitors like bitlaunch.io.
  • The location of the VPS is also an extremely critical factor to consider. The distance between you and the server, also known as “latency,” is measured in milliseconds (ms). The lower the latency, the better.
    For Iranian users, Central Europe is usually the best choice. BitcoinVPS.cloud provides VPS servers in Falkenstein and Nuremberg, Germany, which offer low latencies.
    You can check the latency from your terminal by running the following commands:
ping nuremberg.bitcoinvps.cloud
ping falkenstein.bitcoinvps.cloud

Additionally, I provide servers in Stockholm, Sweden, and Ashburn, USA. You can check their latency by running the following command:

ping helsinki.bitcoinvps.cloud
ping ashburn.bitcoinvps.cloud
  • Don’t worry if Hetzner servers are blocked in your region — I’ve got you covered with servers from other providers. Just hit me up if you want to try out a secret location and I’ll hook you up with a test IP.
  • If you want to choose a provider other than bitcoinvps.cloud, you can ask them for a page often named “Looking-Glass,” where you can check latencies and download speeds.
    This will give you a good idea of the overall performance of the provider’s network and help you make an informed decision. We have a looking-glass page at bitcoinvps.cloud where you can check download speeds for our servers in each location.
  • IPv6 support: Look for a VPS provider who supports IPv6. At BitcoinVPS, we provide free IPv6 with each VPS. By using IPv6, it may be possible to bypass some forms of censorship that are based on blocking specific IPv4 addresses.
    (Many streaming services, such as Netflix and Hulu, may block your VPN server by using IPv4 blocks. In addition, it can resolve the issue of appearing captchas on every Google search. )

Once you have selected a VPS provider and a server with low latency, you’re ready to move on to the next step.

For the OS, I prefer Ubuntu 22.04 LTS.

Domain Name:

For registering a domain name, you have a few options. While .ir domains can be used, I prefer registering other cheap TLDs with cryptocurrencies.

Meet Porkbun, the adorable and irresistibly designed pig that brings an “oddly” satisfying experience to your life!

I recommend using porkbun.com, as they offer a wide range of TLDs and accept cryptocurrencies. Plus, you can use the coupon code “AWESOMENESS” to get $1 off at checkout.

Porkbun may have a great checkout experience and a user-friendly interface, but let’s be real here — it’s not exactly the kind of place you’d want to entrust with your most important business dealings. In fact, I’d recommend using Porkbun for things like organizing your sock drawer or planning a dinner party, but not for anything that requires a serious level of professionalism. But hey, at least you’ll have some well-organized socks and a killer dinner party to show for it!

I mean, let’s just say that I’ve had a few run-ins with them in the past. First, they suspended my domain name after receiving a fake abuse report from some random dude with a Gmail address. And no, it wasn’t just a one-time thing — it happened twice! I tried to argue my case with Sarah (one of their staff members), but I had already agreed to their one-way EULA, so I was pretty much out of luck. So if you’re thinking of signing up with Porkbun, just be warned that you might end up in a similar situation.

If you prefer, you can use any other domain registrar.

To move forward, I assume you have these ready:

  • Your domain name has been registered and connected to either Cloudflare or ArvanCDN. This is optional in some configurations.
  • You have received your Ubuntu VPS login credentials after purchasing the VPS service. (ssh)
  • (Optional) A machine running Ubuntu LTS at 192.168.1.2 on your LAN will act as your VPN gateway. Alternatively, you can connect to Sing-Box server using a software client without using a VPN gateway.
Thanks for sticking with me through this long read! I appreciate your eyes more than words can say.

Installing Sing-Box:

We can proceed with installing Sing-Box once you have the required tools. Sing-Box can serve as both a client and a server at the same time, so it must be installed on both the server and the VPN gateway.

Steps are as below:

Installing gcc is the first step:

sudo su
apt update && apt install -y build-essential

Let’s install the latest version of Go (golang). Note that this is a third-party installer piped straight into a root shell; read the script first, or install the official tarball from go.dev, if you would rather not run unreviewed code as root:

curl -fsL https://raw.githubusercontent.com/jetsung/golang-install/main/install.sh | bash
source /root/.bashrc

Run the following command to install the dev-next branch of sing-box:

go install -v -tags "with_acme with_ech with_quic with_utls with_v2ray_api with_clash_api with_gvisor with_lwip with_grpc with_wireguard with_shadowsocksr" github.com/sagernet/sing-box/cmd/sing-box@dev-next

Allow a regular user to run sing-box:

cp ~/go/bin/sing-box /usr/local/bin/

Next, create a sing-box directory to store assets and configurations:

mkdir /etc/sing-box/ && cd $_

Creating sing-box systemd service:

Time to install it as a service:
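The unit file itself is not reproduced on this page, so here is one written for this article as an added example (it is not the author’s own unit). It assumes the binary was copied to /usr/local/bin/sing-box and the config lives in /etc/sing-box, as set up above, and runs the process from that directory exactly the way the manual check (cd /etc/sing-box && sing-box run) does. The capability and hardening lines are my own additions: the service keeps only what a tun device, policy routing and binding port 443 require instead of full root.

```shell
# Added example (not from the original article): writes a systemd unit that runs
# sing-box from /etc/sing-box the way the article's manual check does.
# Assumptions: binary at /usr/local/bin/sing-box, config directory /etc/sing-box.
write_sing_box_unit() {
    unit_path="${1:-/etc/systemd/system/sing-box.service}"
    # Quoted heredoc delimiter keeps $MAINPID literal for systemd to expand.
    cat > "$unit_path" <<'EOF'
[Unit]
Description=sing-box service
Documentation=https://sing-box.sagernet.org
After=network.target nss-lookup.target

[Service]
WorkingDirectory=/etc/sing-box
ExecStart=/usr/local/bin/sing-box run
ExecReload=/bin/kill -HUP $MAINPID
# Restart on crash or bad exit (see the Let's Encrypt rate-limit caveat later in the article).
Restart=on-failure
RestartSec=10s
LimitNOFILE=infinity
# Least privilege: only what tun, routing and binding low ports need, not full root.
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
NoNewPrivileges=true
PrivateTmp=true
ProtectHome=true

[Install]
WantedBy=multi-user.target
EOF
}

# Usage on the machine itself, as root:  sh this-script.sh --install
case "${1:-}" in
    --install)
        write_sing_box_unit && systemctl daemon-reload
        ;;
esac
```

After writing the unit, the service is enabled later with the systemctl command the article gives once config.json has been checked.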

Docker Installation:

Here is the Sing-Box Dockerfile if you prefer using it with docker.

Later in this tutorial, we’ll customize the Sing-Box config file to suit your needs.

Only after that can we enable the sing-box service.

SING-BOX CONFIG

What is a JSON file?

A JSON file is a text file used to store data in a structured way. This data can be about anything and is organized using key-value pairs (objects) and lists of values (arrays).

JSON files are a convenient way to store data because they are easy to read, write and understand and can be used on any operating system or platform where you have installed Sing-Box. This means that you don’t have to worry about compatibility issues.

There are a few different ways to validate & beautify JSON files. One of the simplest ways to validate a JSON file is to use a tool, such as JSONLint or the JSON Validator. Paste your JSON into the tool, and it will check the syntax and highlight any errors or issues.

You can also use sing-box to check your config file for errors.

To do this run:

cd /etc/sing-box
sing-box check

Empty output means your config.json has been verified.

Sing-Box has provided us with 6 main objects for its config.json: log, dns, inbounds, outbounds, route and experimental.

I will give you a detailed explanation of the configuration file so you can customize it further if you wish.

Log

In config.json, the log field is used to specify the logging options for the Sing-Box server. This can include the level of logging that should be performed and the location where the log files should be saved.

Here is an example of how the log field might be used in a Sing-Box configuration file:

In this example, the Sing-Box server will log all error messages to the file /etc/sing-box/box.log. The log level is set to error, meaning that only error messages and higher will be logged.

The log field is optional in a Sing-Box configuration file, and if it is not included, Sing-Box will use default logging options. It is possible to customize the logging options to suit your specific needs and requirements.

You can also set the log level to any of the following: trace, debug, info, warn, error, fatal or panic.

DNS

This part is only needed on Sing-Box instances that sit behind DNS censorship. Sing-Box can be configured to use a specific DNS server, or a list of DNS servers, to resolve domain names.

Sing-Box supports various DNS protocols, so you can choose the servers you want to use.

Sending no DNS queries at all to your ISP is itself a tell, because that is what censorship circumvention looks like to an observer. Letting some domains (the .ir ones, say) still be resolved through your ISP’s DNS makes your traffic look more like everyone else’s.

This will make your traffic seem more normal to those watching you!

For example, a configuration can use the DNS server from dci.ir for all .ir domains and send everything else to Google’s 8.8.8.8 server.

In such a configuration, each server’s detour names the outbound through which that DNS server’s traffic is sent. If no detour is defined, queries to that server go via your default outbound, which is defined later in the route section.

The address_resolver is needed when the server address itself contains a domain name (a DNS-over-HTTPS URL, for instance). It names another DNS server that is used to resolve that domain first.

As of writing this article, shecan DNS over HTTPS can be used to query blocked domains like twitter.com and instagram.com. By setting it as your default DNS server, you will benefit from its low latency.

Let’s say you choose to route your Google DNS traffic through a VMess tunnel. If the tunnel’s own server is given as a domain name, that name must be resolved before the tunnel can connect; if your DNS rules send that lookup to Google’s servers, i.e. through the tunnel itself, the tunnel can never come up.

So it’s critical to route DNS traffic correctly: either give the tunnel’s server as an IP address, or make sure its domain is resolved by a DNS server that can be reached before the tunnel is connected (via the direct outbound, for instance).

Otherwise Sing-Box is trying to resolve the subdomain (which must be resolved before connecting) through a tunnel that has not been connected yet. It’s the chicken or the egg paradox.

For sing-box to see your clients’ DNS queries, sniff must be enabled on the inbound they arrive on. Those queries can then be sent to the dns-out outbound by a rule in the routing section.
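A dns section that puts these rules together, written for this article as an added example (it is not one of the config files in the author’s repository). It is a fragment for the VPN gateway and assumes two outbounds tagged direct and proxy exist. The server tagged dns-isp uses the operating system’s resolver (address local, i.e. the ISP’s DNS on a stock setup; the author’s own config names dci.ir’s server instead), the Shecan DNS-over-HTTPS endpoint is assumed to be https://free.shecan.ir/dns-query, and Google handles everything else:

```json
{
  "dns": {
    "servers": [
      {
        "tag": "dns-isp",
        "address": "local"
      },
      {
        "tag": "dns-shecan",
        "address": "https://free.shecan.ir/dns-query",
        "address_resolver": "dns-isp",
        "detour": "direct"
      },
      {
        "tag": "dns-google",
        "address": "8.8.8.8",
        "detour": "proxy"
      }
    ],
    "rules": [
      {
        "outbound": "any",
        "server": "dns-isp"
      },
      {
        "domain_suffix": [".ir"],
        "server": "dns-isp"
      },
      {
        "domain_suffix": ["twitter.com", "instagram.com"],
        "server": "dns-shecan"
      }
    ],
    "final": "dns-google",
    "strategy": "prefer_ipv4"
  }
}
```

The rule with "outbound": "any" is what breaks the chicken-and-egg loop: whenever any outbound has to resolve its own server name, that lookup goes to dns-isp, which needs no tunnel. The dns-shecan server is itself reached by name, so its address_resolver points at dns-isp. dns-google carries detour proxy because those queries are meant to leave through the tunnel, which is only safe because nothing the tunnel needs at connect time is resolved through it. Keep in mind that the ISP resolver must answer honestly for your VPS subdomain; if it does not, use the server’s IP address in the outbound instead.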

Inbounds:

Sing-Box is a powerful, open-source network proxy tool that can be used to establish secure and efficient connections between computers or devices. In Sing-Box, an inbound refers to a connection that is incoming to the local device or network. In other words, it is a connection that is initiated by a remote device or client and directed towards the device or network that is running Sing-Box.

In the Sing-Box configuration file, the inbound section is used to specify the settings for handling incoming connections. This includes the listening port, protocol, and other settings such as authentication methods.

Sing-Box can have multiple inbound connections configured at the same time, each with its own set of parameters and settings.

For example, you might have one inbound connection configured to listen on port 8080 for SOCKS traffic, and another inbound connection configured to listen on port 8443 for HTTP proxy traffic. Each inbound connection can be configured with its own set of rules and filters to control how incoming traffic is handled.

You can also specify different protocols and encryption settings for each inbound connection, allowing you to tailor the inbound connections to your specific needs and requirements. This can be useful if you want to use different protocols or encryption settings for different types of traffic or for different clients.

Sing-Box supports SOCKS and HTTP proxy, Shadowsocks, VMess, Trojan, Naive Proxy, Hysteria, and TUN as inbound types. Here is a complete list of inbound types:

Sing-Box Inbounds. Source

It is important to carefully consider the security and maintenance of any proxy protocol when choosing one for your needs. While some people may believe that VLESS is secure, it is actually unmaintained since 2020. Therefore, many new software tools and platforms, including sing-box, do not support VLESS as inbound.

However, Sing-Box supports VLESS as outbound only for compatibility reasons.

Outbounds:

In addition to configuring multiple inbound connections, Sing-Box also allows you to specify multiple outbound connections, which are used to proxy traffic to other destinations.

In the context of Sing-Box, an outbound is a type of configuration that specifies how traffic should be forwarded to an external destination. It is usually used to establish a connection to a remote server or to send traffic to a specific address.

In addition to its inbound types, Sing-Box can connect outbound to ShadowsocksR, WireGuard, VLESS, Tor and even SSH.

Here is the complete list of outbound types supported by Sing-Box:

sing-box supported outbounds. Source

I include the below outbounds for routing purposes on every server:

Route:

This refers to a set of rules that determines how traffic is forwarded from a client to a server. Depending on the rules, some traffic can be routed through VPN tunnels and some through direct ISP connection.

Using this feature means the hassle of connecting & disconnecting from a VPN is over.

You can use the Sing-Box route config to specify more complex routing rules, such as routing traffic based on the domain name, IP, or port number. You can also use it to route traffic through multiple outbound connections.

GEOIP:
/etc/sing-box contains geosite.db and geoip.db files provided by Sing-Box. These compressed domains and IP address lists are used in the routing process.

The geoip.db file is a data file Sing-Box uses to map an IP address to a country code or a tag (such as private). It contains a database of IP ranges and their corresponding locations, so traffic can be routed based on where the destination IP is located.

For example, you might use a Sing-Box route config to route Iran traffic through your direct outbound connection, or to block traffic to a particular region. To do this, you can use the geoip in the route config to specify the IP range of the country or region that you want to target.

GEOSITE:
It contains a database of domain names and their corresponding tags (category-ads-all, google and so on), which can be used to route traffic based on the destination domain.

There is a project called “Iran Hosted Domains” on GitHub. Despite the fact that they provide an iran.dat file for V2Ray, it cannot be used with sing-box. With this article, I will ask them if they can provide a sing-box iran.db file (a list of Iranian domains that are not under .ir).

For someone living in Iran, the route section of the configuration file is already set up correctly, but you may need to customize it according to your specific needs.

The configuration below blocks category-ads-all from the geosite.db, as well as a list of Iranian advertiser and tracker domains.

If you are hosting your server with Hetzner and experiencing a large number of CAPTCHAs while using Google searches, you may be able to resolve this issue by routing Google traffic through your server’s IPv6.
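Here the routing-only outbounds mentioned in the Outbounds section (direct, block and dns) are paired with a route section for the VPN gateway. This is an added example written for this article, not a file from the author’s repository. The geoip/geosite paths are the /etc/sing-box files named above, the tracker domain is a placeholder for whatever list you use, and final points at an outbound tagged proxy that one of the tunnel methods later in the article is assumed to define:

```json
{
  "outbounds": [
    { "type": "direct", "tag": "direct" },
    { "type": "block", "tag": "block" },
    { "type": "dns", "tag": "dns-out" }
  ],
  "route": {
    "geoip": { "path": "/etc/sing-box/geoip.db" },
    "geosite": { "path": "/etc/sing-box/geosite.db" },
    "rules": [
      { "protocol": "dns", "outbound": "dns-out" },
      { "geosite": "category-ads-all", "outbound": "block" },
      { "domain_suffix": ["ads.tracker-placeholder.example"], "outbound": "block" },
      { "domain_suffix": [".ir"], "outbound": "direct" },
      { "geoip": ["private", "ir"], "outbound": "direct" }
    ],
    "final": "proxy",
    "auto_detect_interface": true
  }
}
```

Rules are matched in order: the protocol: dns rule comes first so that sniffed DNS queries reach dns-out before any geo rule sees them, and the block rules come before the direct ones so an ad domain hosted in Iran is still blocked. On the VPS side the same mechanism solves the Google CAPTCHA problem described above: add a second direct outbound such as {"type": "direct", "tag": "direct-ipv6", "domain_strategy": "ipv6_only"} together with a rule {"geosite": "google", "outbound": "direct-ipv6"}, with final set to direct.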

Please visit the official documentation for a complete list of variables you can use to route traffic: https://sing-box.sagernet.org/configuration/route/rule/#structure

Experimental:

The experimental section enables the Clash API and the V2Ray API, which means Sing-Box can be driven by any web control panel that is compatible with either of them.

Effortless Customization with Our Pre-Configured Sing-Box Config Files:

Are you tired of spending hours trying to configure your VPN server settings? Look no further! I have tested multiple configuration options to ensure that you only have to customize a little in each file to meet your specific needs.

No more frustration or wasted time — just easy and seamless setup for the perfect singing experience.

With my files, you can combine as many inbounds and outbounds as you want — the possibilities are endless! And the best part? I’ve configured them one by one, so all you have to do is customize each file to meet your specific needs. No more struggling with technical details — just fun and easy configuration. So why wait?

It’s really easy to connect using these configurations. You need to customize and match the inbound or outbound section on your VPS server and your VPN gateway machine.

Don’t worry. You’ll have a ready-made config.json file for each party.

Discover the simple steps for thoroughly checking your configuration files!

Once you’ve downloaded and customized the config.json, run the following command in the foreground before enabling the service. This lets Sing-box download geoip.db and geosite.db and request TLS certificates from Let’s Encrypt while you watch the output.

If Sing-box hits a problem it exits, and because the service is set to restart automatically, a misconfiguration that prevents certificate issuance would be retried over and over; you may quickly get banned by Let’s Encrypt for too many requests.

cd /etc/sing-box
sing-box run

Run the following command to enable and start the Sing-Box service on both sides. Easy peasy!

systemctl daemon-reload && systemctl enable --now sing-box

To view the logs of the “Sing-Box” service in real-time, use the following command:

journalctl -xefu sing-box

The journalctl command lets you view the logs of a specific service on a Linux system. Of the -xefu options, -x adds explanatory help text to log messages where available, -e jumps to the end of the journal, -f follows new entries in real time, and -u restricts the output to the specified unit (in this case, sing-box).

To verify that your VPN connection is working properly, you can use the following command:

curl --proxy "socks5h://127.0.0.1:1080" "ifconfig.me"

This will send a request to the ifconfig.me service using a SOCKS5 proxy running by sing-box on the local machine at port 1080. The output of this command should display the public IP address of the server that the VPN connection is using. This can be used to confirm that the VPN connection is successful.

And let’s be real, this socks service isn’t just magically appearing out of nowhere. I had to put in the work and include it as an inbound option in all my VPN gateway configuration files.

To use Sing-Box as a network gateway for other devices, you’ll need to include the tun inbound in your VPN gateway configurations.

Sing-Box’s auto_detect_interface option makes it bind outbound connections to the default network interface card (NIC), so tunnel traffic does not get routed back into the tun; this prevents routing loops when using the tun inbound.
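For the VPN gateway role, here is an inbounds fragment written for this article as an added example (not taken from the author’s config files): the local SOCKS inbound that the curl check above talks to, bound to 127.0.0.1 so it is not reachable from the LAN, and the tun inbound that captures the traffic forwarded by other devices, with sniff enabled on both so DNS can be routed as described in the DNS section. The tun address 172.19.0.1/30 and the interface name are assumptions:

```json
{
  "inbounds": [
    {
      "type": "socks",
      "tag": "socks-in",
      "listen": "127.0.0.1",
      "listen_port": 1080,
      "sniff": true
    },
    {
      "type": "tun",
      "tag": "tun-in",
      "interface_name": "tun0",
      "inet4_address": "172.19.0.1/30",
      "auto_route": true,
      "sniff": true
    }
  ],
  "route": {
    "auto_detect_interface": true
  }
}
```

auto_route installs the routes that send the machine’s own and forwarded traffic into tun0, and auto_detect_interface keeps the tunnel’s outbound packets on the real NIC. For other devices to use this machine as their gateway, the kernel must also forward packets (sysctl -w net.ipv4.ip_forward=1, made persistent under /etc/sysctl.d/), and the LAN’s default gateway must point at 192.168.1.2 as described earlier.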

To set up a VPN connection without using a VPN gateway, you can install a compatible client software on your device and configure it using the settings provided in the configuration file.

This will allow you to manually establish a VPN connection without relying on a pre-configured gateway. Keep in mind that you may need to follow specific instructions for your particular device and VPN client software in order to properly set up the connection.

Easily configure your Sing-Box Config.json

1- ShadowTLS Trojan over TCP:

Use the following command to download the config.json file to your server:

curl https://raw.githubusercontent.com/bitcoinvps/sing-box-easy/main/sing-box-config/shadowtls-trojan/server/config.json > /etc/sing-box/config.json

There is no need to alter your server config.json. It can remain unchanged.

You can download the VPN gateway’s config.json file with the following command:

curl https://raw.githubusercontent.com/bitcoinvps/sing-box-easy/main/sing-box-config/shadowtls-trojan/client/config.json > /etc/sing-box/config.json

Replace SERVER-IP-ADDRESS with your server’s public IP address.

This can be either an IPv4 or IPv6 address, depending on your server’s configuration and the capabilities of your internet service provider (ISP). To determine whether your ISP supports IPv6, you can check with your ISP or perform an online search to see if IPv6 is available in your area.

Start both Sing-Box instances and ensure that they are enabled:

systemctl daemon-reload && systemctl enable --now sing-box

Verify the server connection from the VPN gateway:

curl --proxy "socks5h://127.0.0.1:1080" "ifconfig.me"

If the output displays the public IP address of your server, you can proceed to connecting other devices to the VPN gateway.

2- ShadowTLS VMess over TCP:

Download the config.json file to your VPS server using the following command:

curl https://raw.githubusercontent.com/bitcoinvps/sing-box-easy/main/sing-box-config/shadowtls-vmess/server/config.json > /etc/sing-box/config.json

Your server config.json does not need to be changed. It can remain as it is.

Using the following command, you can download the VPN gateway’s config.json file:

curl https://raw.githubusercontent.com/bitcoinvps/sing-box-easy/main/sing-box-config/shadowtls-vmess/client/config.json > /etc/sing-box/config.json

Change SERVER-IP-ADDRESS to the public IP address of your server.

Your server’s IP address may be either an IPv4 or IPv6 address, depending on your server’s configuration and the capabilities of your internet service provider (ISP). To find out if your ISP supports IPv6, you can contact them or search online to see if IPv6 is available in your region.

Start both Sing-Box instances and ensure that they are enabled:

systemctl daemon-reload && systemctl enable --now sing-box

Verify the server connection from the VPN gateway:

curl --proxy "socks5h://127.0.0.1:1080" "ifconfig.me"

If the output shows your server’s public IP address, you can proceed to connecting other devices to the VPN gateway.

3- ShadowTLS v2.0 Shadowsocks over TCP:

You can download the config.json file by using the following command:

curl https://raw.githubusercontent.com/bitcoinvps/sing-box-easy/main/sing-box-config/shadowtls-v2-shadowsocks/server/config.json > /etc/sing-box/config.json

No changes need to be made to your server config.json. You can leave it as it is.

To download the configuration file for the VPN gateway, run the following command:

curl https://raw.githubusercontent.com/bitcoinvps/sing-box-easy/main/sing-box-config/shadowtls-v2-shadowsocks/client/config.json > /etc/sing-box/config.json

SERVER-IP-ADDRESS should be set to the public IP address of your server, either IPv4 or IPv6.

Start both instances of Sing-Box and enable its service:

systemctl daemon-reload && systemctl enable --now sing-box

The VPN gateway should be able to connect to the server:

curl --proxy "socks5h://127.0.0.1:1080" "ifconfig.me"

You can proceed to connecting other devices to the VPN gateway if the output shows your server’s public IP address.

4 to 7 — Trojan, VMess, TLS, CDN and Reverse Proxy

I have consolidated the next four methods into a single configuration file. Before discussing them individually, I would like to clarify a few other points first:

Install Nginx (on VPS server):

apt update && apt install -y nginx

We will customize the Nginx configuration file at a later time.

CDN configurations Part 1:

I’m head over heels for Cloudflare!
  • Subdomains
    To secure inbound connections that require a TLS certificate, we should create a subdomain and point it to the IP address of our VPS server.
    After obtaining the necessary certificates, we will enable the cloud icon for websocket traffic that can be routed over the CDN.
    Therefore, for each inbound, create a subdomain like below:
      • Trojan TLS → trojan.example.com
      • Trojan TLS Websocket CDN (IPv4) → trojan-ws.example.com
      • Trojan TLS Websocket CDN (IPv6) → trojan-ws-6.example.com
      • VMess TLS → vmess.example.com
      • VMess TLS Websocket CDN (IPv4) → vmess-ws.example.com
      • VMess TLS Websocket CDN (IPv6) → vmess-ws-6.example.com

It is possible to use your server’s IPv6 address to route traffic through a CDN (Content Delivery Network) even if your Internet Service Provider (ISP) does not support IPv6.

This is because the CDN will act as a proxy, allowing you to use IPv6 for connecting to your server.

If your ISP does support IPv6, you can set up two inbound connections for your server using TLS over TCP, one for IPv4 and one for IPv6:

vmess-4.example.com and vmess-6.example.com for example.

  • Firewall Rules
    With Cloudflare firewall rules, you can restrict inbound connections to certain countries. Create a firewall rule if you provide services to your relatives and friends inside Iran.
    Iran-only traffic is allowed. It is important to note that this rule applies to traffic over CDN.
  • SSL/TLS settings
    Choose SSL/TLS settings from the left-hand menu and configure them as shown below:

ArvanCloud CDN:

  • Subdomains
    Like Cloudflare, we need a subdomain for each inbound service. Creating all subdomains with the cloud service off will allow us to request certificates later.
    ArvanCloud CDN edge servers do not support IPv6.
  • SSL/TLS settings
  • Firewall Rule:

Nginx Config:

Let’s configure nginx reverse proxy now. To do this run:

nano /etc/nginx/nginx.conf

Press Ctrl + End to go to the end of the file. Now copy & paste the below code into it. Please edit the subdomains and replace them with the ones you created in the last step.

Press Ctrl + X and then Y to save the config file.

Download Sing-Box Config.json

Now download the sing-box configuration on your server by running:

curl https://raw.githubusercontent.com/bitcoinvps/sing-box-easy/main/sing-box-config/vmess-trojan-tls-ws-cdn-nginx/server/config.json > /etc/sing-box/config.json

On your VPN gateway download the config:

curl https://raw.githubusercontent.com/bitcoinvps/sing-box-easy/main/sing-box-config/vmess-trojan-tls-ws-cdn-nginx/client/config.json > /etc/sing-box/config.json

These configurations contain multiple inbound and outbound settings.

To customize the configuration files for your setup, you will need to do the following:

  1. On your server, replace the example.com subdomains with the ones you have created and pointed to the server. These can be found under the server_name and domain in the TLS settings. Additionally, replace singbox@example.com with another email in order to get your certificate.
  2. On your VPN gateway, you need to replace SERVER-IP-ADDRESS with your server’s public IP address. You should also change the server_name in the corresponding outbound section to the subdomain you set up on your server’s inbound.

To help you understand the relationship between each server inbound and its corresponding outbound on the VPN gateway, I will provide you an example for each:

4- Trojan TLS over TCP

Trojan TLS over TCP Server Inbound:

Trojan TLS over TCP Outbound:

To import the connection into compatible Trojan clients, use the following link as an example:

trojan://Xa79c9adrudlqoq10afr@trojan.example.com:443?security=tls&alpn=http%2F1.1&type=tcp&headerType=none#trojan-tls

5- Trojan TLS over Websocket

If your VPS provider does not offer IPv6 support, you should remove trojan-ws-6-in from the inbound configuration of the server and trojan-ws-6-out from the outbound configuration of the VPN gateway.

Trojan TLS over Websocket Server Inbound:

Trojan TLS over Websocket Outbound:

By using an IP address in the server field, you connect directly to your server rather than going through the CDN. If you prefer the connection to use the CDN, you can use the domain name instead of the IP address, but make sure to configure the DNS rules as instructed earlier in the DNS section.

To import the connection into compatible Trojan clients, use the following link as an example:

trojan://Xa79c9adrudlqoq10afr@trojan-ws.example.com:443?security=tls&alpn=http%2F1.1&type=ws&path=%2Ftv#trojan-ws

You can use either an IPv4 or IPv6 address instead of a subdomain in the above link if you prefer not to go through the CDN.

6- VMess TLS over TCP

VMess TLS over TCP server inbound:

VMess TLS over TCP Outbound:

To import the connection into compatible VMess clients, use the following link as an example:

vmess://tcp+tls:18543660-1aa6-49bc-8be6-f6dfc7e87de0-0@vmess.example.com:443/#vmess-tls

7- VMess TLS over Websocket

If your VPS provider does not provide you with IPv6, you should remove vmess-ws-6-in from the inbound configurations on the server and vmess-ws-6-out from the outbound configurations on the VPN gateway.

VMess TLS over Websocket server inbound:

VMess TLS over Websocket Outbound:

If you specify the IP address of your server in the server field, you are establishing a direct connection to that specific server rather than routing your connection through the CDN.

Alternatively, you can use the domain name associated with the inbound in this field, which will route your connection through the CDN.

However, if you choose to use the domain name, you should make sure that you have set up the appropriate DNS rules, as described in the DNS section of the configuration instructions.

To import the connection into compatible VMess clients, use the following link as an example:

vmess://ws+tls:3c1890e2-c768-4247-8a3b-032f6ed13a64-0@vmess-ws.example.com:443/?path=/stream#vmess-ws

You can use either an IPv4 or IPv6 address instead of a subdomain in the above link if you prefer not to go through the CDN.
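As an added example (not from the article or the sing-box project), the parser below decodes the trojan:// and vmess:// share links quoted in sections 4 to 7 and checks the invariants this deployment relies on: TLS on port 443, a path for the WebSocket variants, and alter ID 0 for VMess. Reading the trailing "-0" of the vmess:// links as the alter ID field is an assumption about that link style.

```python
# Added example, not from the article or the sing-box project: decode the trojan:// and
# vmess:// share links quoted above and check the invariants this deployment relies on.
from urllib.parse import urlsplit, parse_qs

def parse_share_link(link: str) -> dict:
    """Return the connection parameters a client would import from a share link."""
    u = urlsplit(link)
    query = {k: v[0] for k, v in parse_qs(u.query).items()}
    if u.scheme == "trojan":
        # trojan://<password>@<host>:<port>?security=tls&type=tcp|ws&path=...#<tag>
        return {
            "protocol": "trojan", "tag": u.fragment,
            "server": u.hostname, "server_port": u.port,
            "secret": u.username,
            "tls": query.get("security") == "tls",
            "transport": query.get("type", "tcp"),
            "path": query.get("path"),  # parse_qs already decoded %2Ftv to /tv
            "alpn": query["alpn"].split(",") if "alpn" in query else [],
        }
    if u.scheme == "vmess":
        # vmess://<transport>+<security>:<uuid>-<alterId>@<host>:<port>/?path=...#<tag>
        # Reading the trailing "-0" as the alter ID is an assumption about this link style.
        transport, security = u.username.split("+", 1)
        uuid, _, alter_id = u.password.rpartition("-")
        return {
            "protocol": "vmess", "tag": u.fragment,
            "server": u.hostname, "server_port": u.port,
            "secret": uuid, "alter_id": int(alter_id),
            "tls": security == "tls",
            "transport": transport,
            "path": query.get("path"),
            "alpn": [],
        }
    raise ValueError(f"unsupported share link scheme: {u.scheme!r}")

def check_link(params: dict) -> list:
    """List what would break the sections 4-7 setup: the nginx/CDN front end only
    speaks TLS on 443, WebSocket inbounds are routed by path, and VMess should use
    AEAD authentication (alter ID 0)."""
    problems = []
    if not params["tls"]:
        problems.append("TLS disabled: the reverse proxy and CDN only accept TLS")
    if params["server_port"] != 443:
        problems.append(f"port {params['server_port']}: the TLS inbounds listen on 443")
    if params["transport"] == "ws" and not params["path"]:
        problems.append("WebSocket link has no path, so nginx cannot route it")
    if params["protocol"] == "vmess" and params["alter_id"] != 0:
        problems.append("VMess alter ID is not 0 (legacy non-AEAD authentication)")
    return problems
```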

Getting certificates:

We need to request certificates for your subdomains. Sing-Box handles this itself: it requests the certificates through ACME, stores them, and renews them when required.

To request the certificates, we first need to stop the nginx service by running the following:

service nginx stop

Change to the Sing-Box directory:

cd /etc/sing-box

Run Sing-Box:

sing-box run

If there is an error, sing-box will exit with a message like this:

FATAL[0016] start service: initialize inbound/trojan[trojan-ws]: create TLS config: trojan-ws.bitcoinvps.cloud: obtaining certificate: [trojan-ws.bitcoinvps.cloud] Obtain: [trojan-ws.bitcoinvps.cloud] solving challenge: trojan-ws.bitcoinvps.cloud: [trojan-ws.bitcoinvps.cloud] authorization failed: HTTP 403 urn:ietf:params:acme:error:unauthorized - Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge (ca=https://acme-v02.api.letsencrypt.org/directory)

  • Check that you have created the required subdomain correctly and that it points to this server.
  • Check that nginx is stopped: the tls-alpn-01 challenge requires Sing-Box itself to answer on port 443.
  • Read the error; it names the subdomain and the challenge that failed.

Your last lines of output should be something like the below:

If so, all is well on your server. Stop Sing-Box with Ctrl + C.

CDN configurations Part 2:

Cloudflare, the shining beacon of hope that works tirelessly to make the web a better place for all. I respect and appreciate your efforts!

Be sure to enable the CDN proxy on the subdomains that carry WebSocket traffic, since that traffic can be routed through the CDN. The same applies to any other CDN.

Activate Sing-Box

It’s time to enable Sing-Box on both your VPN gateway and VPS server:

systemctl daemon-reload && systemctl enable --now sing-box

Don’t forget to start NGINX after getting certificates by running:

service nginx start

In the VPN gateway configuration, I have added a special outbound called URLTest and made it the default outbound. An example of a URLTest outbound is:

In Sing-Box, a URLTest outbound is a type of outbound configuration that lets you specify a list of outbound proxies and a URL to use for testing the connectivity and performance of those proxies. The URLTest outbound periodically sends a request to the specified URL through each listed outbound, and it measures the response time and success of those requests to decide which outbound to use.
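As an added example, not sing-box's own code, here is a simplified model of what the gateway's URLTest outbound does with the probe results it collects: route through the fastest outbound that still answers, and do not switch for a gain smaller than a tolerance, so the choice does not flap. The outbound tags and latencies are constructed sample data following the naming pattern used in the configs above; sing-box's real option names and implementation are not reproduced.

```python
# Added example, not sing-box's own code: a simplified model of URLTest outbound
# selection. Latencies are constructed sample values in milliseconds; None marks a
# probe that failed (timeout, reset, blocked).
from typing import Optional

def pick_outbound(results: dict, current: Optional[str], tolerance_ms: int = 50) -> Optional[str]:
    """results maps outbound tag -> measured latency in ms, or None when the probe failed.
    Returns the tag to route through: the fastest healthy outbound, unless the current
    outbound is still healthy and the best one beats it by no more than tolerance_ms."""
    healthy = {tag: ms for tag, ms in results.items() if ms is not None}
    if not healthy:
        return None  # every outbound failed its probe; nothing to route through
    best = min(healthy, key=healthy.get)
    if current in healthy and healthy[current] - healthy[best] <= tolerance_ms:
        return current  # keep the current one to avoid flapping on small differences
    return best

def run_probe_cycle(history: list, current: Optional[str] = None, tolerance_ms: int = 50) -> list:
    """Replay a sequence of probe rounds and return the chosen outbound after each."""
    chosen = []
    for results in history:
        current = pick_outbound(results, current, tolerance_ms)
        chosen.append(current)
    return chosen

# Constructed sample: three probe rounds against outbounds named like the gateway's.
# In round 2 the direct TCP trojan outbound stops answering; in round 3 the WebSocket
# trojan outbound becomes fastest but only by 15 ms, which is within the tolerance.
SAMPLE_ROUNDS = [
    {"trojan-tls-out": 120, "trojan-ws-out": 140, "vmess-tls-out": 130, "vmess-ws-out": 160},
    {"trojan-tls-out": None, "trojan-ws-out": 145, "vmess-tls-out": 110, "vmess-ws-out": 150},
    {"trojan-tls-out": None, "trojan-ws-out": 100, "vmess-tls-out": 115, "vmess-ws-out": 150},
]

if __name__ == "__main__":
    for rnd, tag in zip(SAMPLE_ROUNDS, run_probe_cycle(SAMPLE_ROUNDS)):
        print(rnd, "->", tag)
```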

To test a specific outbound connection, you can set the default outbound on your VPN gateway by changing the route's final setting from the URLTest tag to that outbound's tag.

The VPN gateway should be able to connect to the server:

curl --proxy "socks5h://127.0.0.1:1080" "ifconfig.me"

If the output shows your server's public IP address, you can proceed to connect other devices to the VPN gateway.

8- Hysteria over UDP:

Create another subdomain and point it to your server’s public IP address. This could be either an IPv4 or IPv6.

Download ready-made config.json on your server using:

curl https://raw.githubusercontent.com/bitcoinvps/sing-box-easy/main/sing-box-config/hysteria-udp/server/config.json > /etc/sing-box/config.json

Hysteria UDP Server Inbound:

Replace the subdomain.example.com with your subdomain in the config.json.

Download the VPN gateway config:

curl https://raw.githubusercontent.com/bitcoinvps/sing-box-easy/main/sing-box-config/hysteria-udp/client/config.json > /etc/sing-box/config.json

Hysteria UDP Outbound:

Replace the subdomain.example.com with your subdomain and add your server’s IP instead of SERVER-IP-ADDRESS in the config.json.

Obtain the necessary certificates and set up the service on both sides, similar to the steps taken for 4–7.

9- VMess Websocket behind CDN on port 80

Connecting Clients/devices to VPN gateway:

Now that you’ve configured your VPN gateway, it’s time to set it up on your devices. This can be done in two ways:

  • DHCP: This is the easiest and most convenient method. Configure your router's DHCP server to hand out 192.168.1.2 as the default gateway; every device on your network will then use Sing-Box as its gateway.
  • Manual (Static IP): Each device’s IP configuration must be manually set to static, and the gateway must be set to 192.168.1.2.

Sing-Box will soon be able to act as a DHCP and DNS server, allowing you to turn off your modem’s DHCP server and rely on Sing-Box for network configuration. This will make it easy to manage your local network’s IP addresses and domain name resolution.

Connecting Clients/devices to Sing-Box server directly:

In cases where the VPN gateway is unavailable or you want to connect to the server from outside, you must install a client on your device.

Clients are available for a variety of platforms. All can import server connections via special links.

I only list compatible clients that I have personally tested:

Windows: v2rayN, SingBoxClient

Mac: V2rayU, SingBoxClient

Android: Lucky you! You have many good options to choose from:

iPhone: NapsternetV or OneClick or Shadowlink.

Final Words:

Get ready for more awkward and cringeworthy moments — follow me on Medium or GitHub to stay updated on my latest content!

Join me on Twitter for some fun and engaging discussions — I can’t wait to connect with you!

Don’t forget to share this article with your friends and help spread the word about the importance of internet privacy and security. By sharing this information, you can help educate others about the potential risks and threats they face online and the steps they can take to protect themselves.


Whether you share this article on social media, email it to a friend, or simply talk about it with someone you know, your efforts can make a real difference in helping to raise awareness about online safety. So don’t hesitate to share this article now and help protect your friends and loved ones from the dangers of the Filternet!
