xmr.club
guías EN 中文 ES RU
← all guides

Auto-hospedar un servidor sing-box — lado operador, end-to-end

Running your own proxy server beats renting a subscription on three axes: you control the IP, you pick the protocol, and you don't share infra with thousands of other users (who attract attention as a cohort). Below: a clean path from blank VPS to working VLESS+Reality endpoint in about 30 minutes.

What you'll need

  • A no-KYC VPS. A-grade picks — 1GB RAM is fine, $3-5/mo. Pay in XMR or LN.
  • A domain. Buy one anonymously if that matters; otherwise any registrar works.
  • Basic Linux comfort. ssh, systemd, edit a config file.

Steps

  1. Point your domain at the VPS. A-record → VPS IP. Wait for DNS propagation (5-30 min).
  2. Install sing-box. curl -fsSL https://sing-box.app/install.sh | sh — pulls the latest stable, drops a systemd unit, sets up /etc/sing-box/.
  3. Write a VLESS + Reality config. Generate Reality keys: sing-box generate reality-keypair. Pick a cover domain (a real third-party HTTPS site you can route to as the SNI) — Apple's developer site, Cloudflare, Microsoft Learn all work. Set listen port 443.
  4. Open the firewall. ufw allow 443/tcp. Keep ssh on a non-standard port + key-only auth.
  5. Start the service. systemctl enable --now sing-box. Check journalctl -u sing-box -f for errors.
  6. Build the client subscription. sing-box generate vless-url or compose the vless:// URL by hand. Paste into Shadowrocket / Stash / V2rayNG.

Hardening checklist

  • Disable root SSH login + password auth. Key-only.
  • Move ssh to a non-22 port (cheap fix, cuts 90% of probe traffic).
  • Install fail2ban; default rules cover ssh.
  • Run unattended-upgrades for security patches.
  • Use a dedicated VPS for the proxy — don't co-locate with anything you care about. The proxy IP gets noisy.
  • No tmux sessions left attached as root. The sing-box service should be unprivileged where possible.

When sing-box stops working

Most failures are network-level — the cover domain got hot, port 443 got blocked, your VPS IP got classified. Diagnosis order:

  1. Test from a known-good network. If it works there, your client network blocks it.
  2. Try a different cover domain. Some get classified faster than others.
  3. Try Hysteria2 (UDP) if VLESS over TCP is throttled.
  4. As a last resort: rotate the VPS IP. Most no-KYC providers will issue a new one for free or $1.