Encrypting VLESS in transit through CDN #3298

uuonda · 2024-04-22T17:22:18Z

uuonda
Apr 22, 2024

VLESS does not provide its own encryption. CDN terminates TLS at the edge. I assume CDN provider can see which domain/IP I request through VLESS, my inbound user id and my plain text data (like HTTP traffic on port 80). Is this correct?

I can wrap VLESS+TLS in VLESS+TLS-CDN but then it's nested TLS. Should I switch to SS in VLESS?

What would be a good solution?

mmmray · 2024-04-24T14:42:50Z

mmmray
Apr 24, 2024

VLESS does not provide its own encryption. CDN terminates TLS at the edge. I assume CDN provider can see which domain/IP I request through VLESS, my inbound user id and my plain text data (like HTTP traffic on port 80). Is this correct?

yes

I can wrap VLESS+TLS in VLESS+TLS-CDN but then it's nested TLS. Should I switch to SS in VLESS?

If this is a concern, you can remove VLESS and replace it with SS or VMESS. I think "SS-in-VLESS-in-WS/GRPC" sounds overly complicated but I don't know enough to tell whether it is a problem for detectability.

but then it's nested TLS

it is already nested TLS anyway (CDN's TLS and user's TLS), and there's not much you can do about it. vision fixes tls-in-tls by "violating" the outer TLS, the CDN does not allow for that.

4 replies

uuonda Apr 24, 2024
Author

I want to keep using CDN for now. Switching transports and chaining is easy with Xray but I'm not sure about unexpected caveats.

I mentioned [something]-in-VLESS because I assumed VLESS is the most suitable "first layer" protocol for Xray-core clients. Apparently, SS works fine on its own over CDN. I tried some other combinations. Not much of a performance hit even for overly complicated nesting which is great.

it is already nested TLS anyway

Depends on traffic you proxy. Still, majority would be TLS in TLS anyway, true.

uuonda Apr 25, 2024
Author

SS works fine on its own over CDN

Actually scratch that. My initial huntch was correct. It's much less stable even then nested VLESS.

mmmray Apr 25, 2024

I am not sure I understand. Are you saying that you are nesting SS in VLESS, then put that datastream inside websocket/grpc/httpupgrade to funnel it through the CDN? and that this is more stable than SS+WS/GRPC/...?

uuonda Apr 25, 2024
Author

SS+WS or SS in VLESS+WS appears to be less stable then VLESS in VLESS+WS.

YMMV.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Encrypting VLESS in transit through CDN #3298

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment 4 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

Encrypting VLESS in transit through CDN #3298

Uh oh!

Uh oh!

uuonda Apr 22, 2024

Replies: 1 comment · 4 replies

Uh oh!

mmmray Apr 24, 2024

Uh oh!

uuonda Apr 24, 2024 Author

Uh oh!

uuonda Apr 25, 2024 Author

Uh oh!

mmmray Apr 25, 2024

Uh oh!

Uh oh!

uuonda Apr 25, 2024 Author

uuonda
Apr 22, 2024

Replies: 1 comment 4 replies

mmmray
Apr 24, 2024

uuonda Apr 24, 2024
Author

uuonda Apr 25, 2024
Author

uuonda Apr 25, 2024
Author