Setting up a secure internet circumvention gateway using Xray usually turns into a tedious chore. You have to install Docker, configure the 3x-ui web panel, generate TLS certificates, tweak Reality settings against active probing, and manually set up routing tables.
If you frequently cycle your VPS providers or manage servers for friends, doing this manually every time is a massive waste of time.
Thatโs why I created 3xui-fast-install โ a lightweight, automated bash script that deploys a fully production-ready, security-hardened Xray node in under a minute.
Whatโs Under the Hood? ๐ ๏ธ
This is NOT just a blank panel installation. The script sets up an optimized, batteries-included network ecosystem wrapped in Docker. Here is exactly what gets deployed and configured out of the box:
| Component | Description |
|---|---|
| 3x-ui Panel | Xray web management interface running on custom non-standard ports. |
| VLESS + Reality | Industry-standard transport layer mimicking legitimate TLS handshakes (Port 443). |
| Hysteria 2 | High-performance UDP-based protocol (Port 63000) optimized for unstable or mobile networks. |
| Caddy (Self-Steal) | Acts as a TLS terminator on port 443, handling automated, legitimate Let's Encrypt certificates. |
| Cloudflare WARP | Configured as a local SOCKS5 outbound proxy for specific fallback routing. |
| Opera Proxy & Tor | Additional local SOCKS5 outbounds ready for geo-blocked services and .onion routing. |
| BBR & Security | Automated TCP BBR congestion control activation, UFW firewall configuration, and Fail2ban protection. |
Smart Server-Side Routing Architecture ๐บ๏ธ
One of the highlights of this setup is how it handles outbound traffic directly inside Xray on the server. Instead of just passing everything blindly (direct), the backend follows strict routing rules:
-
Adblock & Malware: Automatically dropped (
blocked) at the server level. -
Domestic/RU Domains & GeoIP: Routed via Cloudflare WARP. Ideally, your clients should use local routing rules (like
roscomvpn-routing) so domestic traffic never leaves their device. However, if a domestic packet does leak to your VPS, WARP intercepts it and routes it out, masking your actual VPS server IP address from domestic logs. -
Streaming & Privacy: Popular global services (like Disney+ or Reddit) are routed via Opera Proxy, while
.onionaddresses go directly through the Tor outbound network.
โ ๏ธ Note on Customization: The outbound routing rules listed above (such as Opera Proxy, Tor, or specific domain rules) are configured as examples to showcase the full capabilities of the script. You can easily modify, remove, or add your own custom routing parameters in the 3x-ui panel settings anytime after the installation is complete.
Prerequisites & Installation ๐
The deployment process requires minimal preparation.
Requirements:
- A clean Ubuntu/Debian VPS.
- A registered domain name with an A-record already pointed to your VPS IP address.
The 1-Command Deployment:
Run the following command on your clean server root terminal:
bash <(curl -sL https://raw.githubusercontent.com/AppsGanin/3xui-fast-install/main/install.sh)
What happens next?
- The script detects and installs Docker/Compose if missing.
- It automatically generates unique, high-entropy credentials and secure ports for your 3x-ui panel dashboard.
- It configures your firewall, opens only the necessary ports (22, 80, 443, 63000 UDP), and locks down the rest.
Once finished, the console will print your ready-to-use admin panel URL, username, and password.
Log in, create your client configs in the web UI, and you are good to go!
Conclusion & Open Source
This setup cuts down deployment time from an hour of manual configuration to literally 60 seconds, while maintaining best-practice security baselines out-of-the-box.
The project is completely open-source. Feel free to review the bash script logic, submit issues, or contribute improvements.
โญ๏ธ Check out the repository on GitHub: ๐ https://github.com/AppsGanin/3xui-fast-install
Top comments (0)