What you'll need
- A no-KYC VPS. A-grade picks — 1GB RAM is fine, $3-5/mo. Pay in XMR or LN.
- A domain. Buy one anonymously if that matters; otherwise any registrar works.
- Basic Linux comfort: ssh, systemd, editing a config file.
Steps
- Point your domain at the VPS. A-record → VPS IP. Wait for DNS propagation (5-30 min).
- Install sing-box: curl -fsSL https://sing-box.app/install.sh | sh — pulls the latest stable, drops a systemd unit, sets up /etc/sing-box/.
- Write a VLESS + Reality config. Generate Reality keys: sing-box generate reality-keypair. Pick a cover domain (a real third-party HTTPS site you can route to as the SNI) — Apple's developer site, Cloudflare, Microsoft Learn all work. Set listen port 443.
- Open the firewall: ufw allow 443/tcp. Keep ssh on a non-standard port + key-only auth.
- Start the service: systemctl enable --now sing-box. Check journalctl -u sing-box -f for errors.
- Build the client subscription: sing-box generate vless-url, or compose the vless:// URL by hand. Paste into Shadowrocket / Stash / V2rayNG.
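The config-and-link step above, as an added example that is not part of the original guide or of the sing-box project: one set of parameters renders both the server config (sing-box's documented VLESS inbound with Reality TLS) and the matching vless:// share link, so the SNI, short_id and key pair cannot drift apart between server and client. The UUID, key pair and host below are constructed placeholders; in real use take them from sing-box generate uuid and sing-box generate reality-keypair. The short_id rule enforced here (even-length hex, at most 16 characters) is the stricter Xray rule, which sing-box also accepts.

```shell
#!/bin/sh
# Added example (not from the guide or the sing-box project): render a
# VLESS + Reality server config and the matching client link from one
# parameter set. All placeholder values are constructed.

# short_id: even-length hex, up to 8 bytes (16 hex chars). Reality allows an
# empty short_id, but a fixed value lets the server reject clients that only
# guessed the public key.
valid_short_id() {
  case "$1" in
    ''|*[!0-9a-fA-F]*) return 1 ;;
  esac
  [ ${#1} -le 16 ] && [ $((${#1} % 2)) -eq 0 ]
}

# server_config UUID PRIVATE_KEY SNI SHORT_ID -> config.json on stdout
# "server_name" is what clients send as SNI; "handshake.server" is the real
# cover site the inbound relays unauthenticated handshakes to. Keep them equal.
server_config() {
  cat <<EOF
{
  "log": { "level": "warn" },
  "inbounds": [{
    "type": "vless",
    "tag": "vless-in",
    "listen": "::",
    "listen_port": 443,
    "users": [{ "uuid": "$1", "flow": "xtls-rprx-vision" }],
    "tls": {
      "enabled": true,
      "server_name": "$3",
      "reality": {
        "enabled": true,
        "handshake": { "server": "$3", "server_port": 443 },
        "private_key": "$2",
        "short_id": ["$4"]
      }
    }
  }],
  "outbounds": [{ "type": "direct", "tag": "direct" }]
}
EOF
}

# client_url UUID HOST PUBLIC_KEY SNI SHORT_ID NAME -> vless:// share link
# (the Xray share-link format that Shadowrocket / V2rayNG import). Only the
# public key goes into the link; the private key never leaves the server.
client_url() {
  printf 'vless://%s@%s:443?encryption=none&flow=xtls-rprx-vision&security=reality&sni=%s&fp=chrome&pbk=%s&sid=%s&type=tcp#%s\n' \
    "$1" "$2" "$4" "$3" "$5" "$6"
}

# Usage (as root on the VPS):
#   sh mkconfig.sh UUID PRIVATE_KEY PUBLIC_KEY SNI SHORT_ID HOST
if [ $# -eq 6 ]; then
  valid_short_id "$5" || { echo "bad short_id: $5" >&2; exit 1; }
  umask 077
  server_config "$1" "$2" "$4" "$5" > /etc/sing-box/config.json
  chmod 640 /etc/sing-box/config.json   # root + the service account only; it holds the private key
  sing-box check -c /etc/sing-box/config.json
  client_url "$1" "$6" "$3" "$4" "$5" "vps-1"
fi
```

Run sing-box check before restarting the service; it parses the file and reports schema errors without binding the port, so a typo in the config does not take the existing tunnel down.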
Hardening checklist
- Disable root SSH login + password auth. Key-only.
- Move ssh to a non-22 port (cheap fix, cuts 90% of probe traffic).
- Install fail2ban; default rules cover ssh.
- Run unattended-upgrades for security patches.
- Use a dedicated VPS for the proxy — don't co-locate with anything you care about. The proxy IP gets noisy.
- No tmux sessions left attached as root. The sing-box service should be unprivileged where possible.
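The SSH, fail2ban and service-privilege items of the checklist, as an added example that is not from the original guide: an audit function that checks an sshd config (or the output of sshd -T) for the three SSH items, plus renderers for the drop-in files. File paths, the fail2ban jail values and the assumption that the installed sing-box unit already runs as a dedicated user are mine. One caveat the checklist skips: fail2ban's sshd jail watches "port = ssh", i.e. 22, so after moving ssh the jail needs the new port or it bans nothing useful.

```shell
#!/bin/sh
# Added example (not from the guide): audit sshd against the checklist and
# render the sshd, fail2ban and sing-box drop-ins. Paths are assumptions.

# Effective value of a directive: sshd honours the first occurrence. Matching
# is case-insensitive so the lowercase output of `sshd -T` can be audited too.
sshd_directive() {   # sshd_directive FILE Name -> value or empty
  awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# audit_sshd FILE -> lists failing items, returns 1 if any item fails
audit_sshd() {
  f=$1; rc=0
  [ "$(sshd_directive "$f" PermitRootLogin)" = "no" ] \
    || { echo "FAIL: PermitRootLogin is not 'no'"; rc=1; }
  [ "$(sshd_directive "$f" PasswordAuthentication)" = "no" ] \
    || { echo "FAIL: PasswordAuthentication is not 'no'"; rc=1; }
  p=$(sshd_directive "$f" Port)
  { [ -n "$p" ] && [ "$p" != "22" ]; } \
    || { echo "FAIL: ssh still on port 22 (unset means 22)"; rc=1; }
  return $rc
}

# sshd drop-in. The stock sshd_config begins with
# "Include /etc/ssh/sshd_config.d/*.conf" and first occurrence wins, so these
# lines override the main file. Only long-supported directives are used, since
# an unknown directive stops sshd from starting and locks you out.
sshd_dropin() {   # sshd_dropin PORT
  printf 'Port %s\nPermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\n' "$1"
}

# fail2ban jail override for the moved ssh port (constructed values).
fail2ban_jail() {   # fail2ban_jail PORT
  printf '[sshd]\nenabled = true\nport = %s\nmaxretry = 5\nbantime = 1h\n' "$1"
}

# systemd drop-in for sing-box: a server-side VLESS inbound only needs to bind
# 443, so keep CAP_NET_BIND_SERVICE and nothing else, and lock the filesystem.
# An empty assignment clears the unit's own capability list before the new one.
singbox_dropin() {
  cat <<'EOF'
[Service]
CapabilityBoundingSet=
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
StateDirectory=sing-box
EOF
}

# Usage (as root): sh harden.sh --apply PORT
# Keep the current ssh session open until a second session on the new port works.
if [ "$1" = "--apply" ] && [ -n "$2" ]; then
  mkdir -p /etc/ssh/sshd_config.d /etc/systemd/system/sing-box.service.d
  sshd_dropin "$2" > /etc/ssh/sshd_config.d/50-hardening.conf
  sshd -t                                    # syntax check before any restart
  sshd -T > /tmp/sshd-effective.conf && audit_sshd /tmp/sshd-effective.conf
  fail2ban_jail "$2" > /etc/fail2ban/jail.local
  singbox_dropin > /etc/systemd/system/sing-box.service.d/hardening.conf
  systemctl daemon-reload
  echo "now: ufw allow $2/tcp, then restart ssh (or sshd), fail2ban and sing-box"
fi
```

Audit the effective configuration (sshd -T), not the file you just wrote: a Match block or a second Include can still re-enable password login after your drop-in.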
When sing-box stops working
Most failures are network-level — the cover domain got hot, port 443 got blocked, your VPS IP got classified. Diagnosis order:
- Test from a known-good network. If it works there, your client network blocks it.
- Try a different cover domain. Some get classified faster than others.
- Try Hysteria2 (UDP) if VLESS over TCP is throttled.
- As a last resort: rotate the VPS IP. Most no-KYC providers will issue a new one for free or $1.
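The diagnosis order above, as an added example that is not from the original guide: a script that takes the client's vless:// link, checks that the host still resolves to the VPS IP, and opens a TLS connection with the link's SNI. A healthy Reality inbound relays unauthenticated handshakes to the cover site, so an ordinary TLS client should get the cover domain's certificate back; no answer at all points at the port or the IP being blocked on that path, which is exactly the "test from a known-good network" comparison. dig and openssl are assumed to be installed; the link in the usage comment is constructed.

```shell
#!/bin/sh
# Added example (not from the guide): client-side checks for a dead
# VLESS + Reality endpoint, driven by the vless:// link. Assumes dig and openssl.

vless_param() {   # vless_param URL key -> query value, or empty
  printf '%s\n' "$1" | sed -n "s/.*[?&]$2=\([^&#]*\).*/\1/p"
}
vless_host() { printf '%s\n' "$1" | sed -n 's#^vless://[^@]*@\([^:/?]*\):[0-9]*.*#\1#p'; }
vless_port() { printf '%s\n' "$1" | sed -n 's#^vless://[^@]*@[^:/?]*:\([0-9]*\).*#\1#p'; }

# diagnose URL EXPECTED_VPS_IP -> runs the checks in the guide's order
diagnose() {
  host=$(vless_host "$1"); port=$(vless_port "$1"); sni=$(vless_param "$1" sni)
  echo "1) DNS: $host should resolve to $2"
  got=$(dig +short A "$host" | tail -n1)
  [ "$got" = "$2" ] && echo "   ok ($got)" || echo "   MISMATCH: got '${got:-nothing}' (DNS not propagated, or IP rotated)"

  echo "2) TLS: connect to $host:$port with SNI $sni"
  subj=$(openssl s_client -connect "$host:$port" -servername "$sni" </dev/null 2>/dev/null \
         | openssl x509 -noout -subject 2>/dev/null)
  case "$subj" in
    '')       echo "   NO TLS ANSWER: port/IP blocked on this path, sing-box down, or cover site unreachable from the VPS" ;;
    *"$sni"*) echo "   ok: cover certificate served ($subj)" ;;
    *)        echo "   certificate served: $subj (should name the cover domain; compare server_name and handshake.server in the config)" ;;
  esac

  echo "3) If (2) fails here but passes from a known-good network, the client network is the problem."
  echo "   Otherwise, on the VPS: journalctl -u sing-box -n 50 --no-pager; ss -ltnp 'sport = :$port'"
  echo "   Still dead with a clean log: try another cover domain, then Hysteria2, then rotate the IP."
}

# Usage: sh diag.sh 'vless://UUID@proxy.example.com:443?...&sni=learn.microsoft.com&...#vps-1' 203.0.113.10
if [ $# -eq 2 ]; then diagnose "$1" "$2"; fi
```

Run the same command from two networks and diff the output; a mismatch in step 2 alone is the network-level signature the guide describes, whereas a failing step 1 on both networks means the DNS or the VPS IP changed, not the filter.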