
How to Set Up a VPN Server on a VPS Using XRay Protocols and Marzban Panel

 

Setting up a VPN server lets you enjoy enhanced online security, bypass geo-restrictions, and take control of your browsing experience. This guide provides detailed steps to install a VPN server using the XRay protocols (VMESS, VLESS, Shadowsocks, Trojan) and the Marzban panel.

Get ready to unlock the full potential of the unrestricted internet with any of the following options:

 

1. Get a Preinstalled VPN Server

If you'd prefer to skip the manual server installation, choose a VPS with a preinstalled VPN setup. Our servers support XRay, WireGuard, and OpenVPN protocols.

Advantages:

  • Time-Saving: Instantly access your VPN server after purchase.
  • No Setup Required: Fully preconfigured for optimal performance.
  • Flexible Options: Choose your preferred protocol during setup.

Sign up for a Preinstalled VPN Server here, then set up and configure the VPN client.

 

2. Install and Set Up a VPN Server on a Fresh VPS

If you’re comfortable with Linux commands and want complete control, follow the step-by-step instructions below to set up Marzban on a VPS.

Prerequisites

  1. Fresh Ubuntu 22.04 VPS: Ensure the server is up-to-date with at least 1 GB RAM and 10 GB disk space. You can get cheap VPS here.
  2. SSH Access: Access your server via a terminal or SSH client.
  3. Root or Sudo Privileges: Essential for installations and configurations.

 

Installation Steps

Step 1: Update the System

Run the following command to update and upgrade your server packages:

sudo apt update && sudo apt upgrade -y
     

Step 2: Install Docker and Marzban

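Marzban uses Docker for deployment, and the installation script automates the entire process. The command below downloads that script from GitHub and runs it as root in one step, so read the script first if you want to see what it will change on the server.

  1. Connect to your VPS as root, using SSH.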
  2. Run the following command to install Marzban:
sudo bash -c "$(curl -sL https://github.com/Gozargah/Marzban-scripts/raw/master/marzban.sh)" @ install
     

Step 3: Setup SSL Certificates

We have to install important packages first:

sudo apt install curl wget nano socat -y

Next, download acme.sh, the utility that will automatically generate a certificate upon launch. In the commands below, replace "your@mail.com" with your email address and yourdomain.com with your VPS hostname. Any email address works, as no confirmation codes will be sent to it:

curl https://get.acme.sh | sh -s email=your@mail.com

export DOMAIN=yourdomain.com

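Launch the SSL certificate utility. In standalone mode it answers the validation request itself on port 80, so that port must be free and reachable from the internet: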

mkdir -p /var/lib/marzban/certs

~/.acme.sh/acme.sh \
  --issue --force --standalone -d "$DOMAIN" \
  --fullchain-file "/var/lib/marzban/certs/$DOMAIN.cer" \
  --key-file "/var/lib/marzban/certs/$DOMAIN.cer.key"

After the utility completes its work, two files will be created in the /var/lib/marzban/certs/ folder with the names yourdomain.com.cer and yourdomain.com.cer.key - these are the certificate files.

 

Connecting the SSL Certificate

Since access to the Marzban dashboard is only possible through a secure connection, we need to link the newly created certificates to enable HTTPS for the panel's site. To do this, open and edit the .env file:

nano /opt/marzban/.env
     

Find the following lines in the .env file, remove the # symbol at the beginning, and insert the path to the certificate files as well as the panel's site address:

UVICORN_SSL_CERTFILE = "/var/lib/marzban/certs/yourdomain.com.cer"
UVICORN_SSL_KEYFILE = "/var/lib/marzban/certs/yourdomain.com.cer.key"
XRAY_SUBSCRIPTION_URL_PREFIX = "https://yourdomain.com"

Pay attention to the first two lines. Do not modify the /var/lib/marzban/certs/ part, as it is the path to the folder containing the certificate files. Replace yourdomain.com with your subdomain (or domain, if you have one). In the first line, the file extension is .cer, and in the second line, it is .cer.key.

To save the changes and exit the editor, press CTRL+X, then Y, and hit Enter.

If you have forgotten the names of the certificates, you can view them using this command:

ls /var/lib/marzban/certs/
     

Restart Marzban with:

marzban restart
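A check of the .env edits described above, as an added example that is not part of the original guide or of Marzban. The names parse_env, check_panel_tls and SAMPLE_ENV are hypothetical, and the sample text is constructed; on the server you would pass it the contents of /opt/marzban/.env.

```python
import os
import re
import stat

REQUIRED = ("UVICORN_SSL_CERTFILE", "UVICORN_SSL_KEYFILE",
            "XRAY_SUBSCRIPTION_URL_PREFIX")

# Constructed sample: the three settings as they look before the # is removed.
SAMPLE_ENV = '''
# UVICORN_SSL_CERTFILE = "/var/lib/marzban/certs/example.com/fullchain.pem"
# UVICORN_SSL_KEYFILE = "/var/lib/marzban/certs/example.com/key.pem"
# XRAY_SUBSCRIPTION_URL_PREFIX = "https://example.com"
'''

def parse_env(text):
    """Parse KEY = "value" lines; lines starting with # never match."""
    values = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Z0-9_]+)\s*=\s*"?([^"#]*)"?', line)
        if m:
            values[m.group(1)] = m.group(2).strip()
    return values

def check_panel_tls(env_text):
    """Return findings about the panel's TLS settings in a Marzban .env file."""
    findings = []
    env = parse_env(env_text)
    for name in REQUIRED:
        if not env.get(name):
            findings.append(f"{name} is missing or still commented out")
    for name in REQUIRED[:2]:
        path = env.get(name)
        if path and not os.path.isfile(path):
            findings.append(f"{name} points to a missing file: {path}")
    key = env.get("UVICORN_SSL_KEYFILE")
    # The private key should be readable by its owner only.
    if key and os.path.isfile(key) and stat.S_IMODE(os.stat(key).st_mode) & 0o077:
        findings.append(f"{key} is accessible to group or others; chmod 600 it")
    prefix = env.get("XRAY_SUBSCRIPTION_URL_PREFIX")
    if prefix and not prefix.startswith("https://"):
        findings.append("XRAY_SUBSCRIPTION_URL_PREFIX should be an https:// URL")
    return findings

if __name__ == "__main__":
    for finding in check_panel_tls(SAMPLE_ENV):
        print(finding)
```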
     

 

Step 4: Configure Marzban

Once installed, Marzban will be available via its web interface at:

https://yourdomain.com:8000/dashboard/

To log in, create a sudo admin account by executing the following command:

marzban cli admin create --sudo

Now you can log in to the Marzban dashboard using the username and password you have set.

To view the Marzban script guide, you can execute the following command:

marzban --help

 

Step 5: Setting Up Connections

By default, Marzban only supports creating connections using the Shadowsocks protocol. To enable connections via other protocols, click the gear icon in the top-right corner to open the connection settings. Delete all content from the "Configuration" field and replace it with the following code:

{
  "log": {
    "loglevel": "warning"
  },
  "routing": {
    "rules": [
      {
        "ip": [
          "geoip:private"
        ],
        "outboundTag": "BLOCK",
        "type": "field"
      },
      {
        "domain": [
          "domain:connectivitycheck.gstatic.com",
          "full:detectportal.firefox.com",
          "domain:networkcheck.kde.org"
        ],
        "outboundTag": "DIRECT",
        "type": "field"
      },
      {
        "domain": [
          "full:*.ru",
          "full:*.cn",
          "full:*.tr"
        ],
        "outboundTag": "DIRECT",
        "type": "field",
        "ip": [
          "geoip:ru",
          "geoip:cn",
          "geoip:tr"
        ]
      }
    ]
  },
  "inbounds": [
    {
      "tag": "VLESS TCP REALITY",
      "listen": "0.0.0.0",
      "port": 443,
      "protocol": "vless",
      "settings": {
        "clients": [],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "tcp",
        "tcpSettings": {},
        "security": "reality",
        "realitySettings": {
          "show": false,
          "dest": "github.com:443",
          "xver": 0,
          "serverNames": [
            "github.com",
            "code.jquery.com"
          ],
          "privateKey": "Your-Private-Key",
          "shortIds": [
            "Your-Short-ID"
          ]
        }
      },
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls",
          "quic"
        ]
      }
    },
    {
      "tag": "TROJAN WS TLS",
      "listen": "0.0.0.0",
      "port": 7443,
      "protocol": "trojan",
      "settings": {
        "clients": []
      },
      "streamSettings": {
        "network": "ws",
        "wsSettings": {
          "path": "/"
        },
        "security": "tls",
        "tlsSettings": {
          "serverName": "github.com",
          "certificates": [
            {
              "ocspStapling": 3600,
              "certificateFile": "/var/lib/marzban/certs/yourdomain.com.cer",
              "keyFile": "/var/lib/marzban/certs/yourdomain.com.cer.key"
            }
          ]
        }
      },
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls",
          "quic"
        ]
      }
    },
    {
      "tag": "Shadowsocks TCP",
      "listen": "0.0.0.0",
      "port": 1080,
      "protocol": "shadowsocks",
      "settings": {
        "clients": [
          {
            "id": "271a-e911-f121-a321",
            "password": "some-password",
            "method": "chacha20-ietf-poly1305"
          }
        ],
        "network": "tcp,udp"
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "tag": "DIRECT"
    },
    {
      "protocol": "blackhole",
      "tag": "BLOCK"
    }
  ]
}

This code will enable the creation of connections using the VLESS, TROJAN, and Shadowsocks protocols. Once you’ve entered the configuration, click "Save" and then "Reload Core", close the settings window, and refresh the page. Now you can generate access keys and connect devices. Currently, VLESS and TROJAN protocols work reliably across all regions and devices, so we recommend using one of them.

In the TROJAN WS TLS block, don't forget to replace "certificateFile": "/var/lib/marzban/certs/yourdomain.com.cer" and "keyFile": "/var/lib/marzban/certs/yourdomain.com.cer.key" with the actual key and certificate file names previously created with the SSL utility.

 

Setting up privateKey and shortIds for VLESS TCP REALITY

In the block responsible for the VLESS TCP REALITY protocol, you need to specify the parameters privateKey and shortIds. To obtain these parameters, use the following commands:

  1. Generate the Private Key and Public Key Pair:

    docker exec marzban-marzban-1 xray x25519

    This will output something like:

    Private key: YOUR_PRIVATE_KEY  
    Public key: YOUR_PUBLIC_KEY
  2. Generate a Short ID:
     
    openssl rand -hex 8
    
    This will generate 8 random bytes, printed as a 16-character hexadecimal string, that you can use as the shortIds value.

 

Replace Your-Private-Key and Your-Short-ID in the VLESS configuration block with the values obtained from these commands.
Once you’ve completed these steps, your server will be ready to support the listed protocols.
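A pre-flight check for the configuration before it is pasted into the panel, as an added example that is not part of the original guide or of Marzban. The function name lint_xray_config is hypothetical and SAMPLE is a constructed excerpt of the guide's configuration with the tutorial placeholders left in.

```python
import base64
import json
import re

# Constructed sample: two inbounds from the guide, tutorial placeholders left in.
SAMPLE = """
{"inbounds": [
  {"tag": "VLESS TCP REALITY", "streamSettings": {"security": "reality",
    "realitySettings": {"privateKey": "Your-Private-Key",
                        "shortIds": ["Your-Short-ID"]}}},
  {"tag": "TROJAN WS TLS", "streamSettings": {"security": "tls",
    "tlsSettings": {"certificates": [{
      "certificateFile": "/var/lib/marzban/certs/yourdomain.com.cer",
      "keyFile": "/var/lib/marzban/certs/yourdomain.com.cer.key"}]}}}
]}
"""

def lint_xray_config(text):
    """Return findings for an Xray config laid out like the one in this guide."""
    findings = []
    for inbound in json.loads(text).get("inbounds", []):
        tag = inbound.get("tag", "?")
        stream = inbound.get("streamSettings", {})
        if stream.get("security") == "reality":
            reality = stream.get("realitySettings", {})
            key = reality.get("privateKey", "")
            try:
                # `xray x25519` prints unpadded URL-safe base64 of a 32-byte key.
                raw = base64.urlsafe_b64decode(key + "=" * (-len(key) % 4))
            except ValueError:
                raw = b""
            if len(raw) != 32:
                findings.append(f"{tag}: privateKey is not a 32-byte x25519 key")
            for sid in reality.get("shortIds", []):
                # REALITY short IDs: hex, even length, at most 16 characters.
                if not re.fullmatch(r"(?:[0-9a-fA-F]{2}){0,8}", sid):
                    findings.append(f"{tag}: shortId {sid!r} is not valid hex")
        for cert in stream.get("tlsSettings", {}).get("certificates", []):
            for field in ("certificateFile", "keyFile"):
                if "yourdomain.com" in cert.get(field, ""):
                    findings.append(f"{tag}: {field} still has the placeholder domain")
    return findings

if __name__ == "__main__":
    for finding in lint_xray_config(SAMPLE):
        print(finding)
```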

You may also want to check Which is the best VPN protocol to use.

Official Marzban documentation is available on GitHub.

 

Step 6: Add VPN Protocols and Users

  1. Log in to the Marzban panel using the credentials provided during installation.
  2. Add inbounds for your desired protocols (e.g., VMESS, VLESS, Shadowsocks, Trojan).
  3. Generate user credentials for client devices.

 

Final Step: Configure VPN Client

After setting up your server, configure your devices to connect to the VPN using the protocol and credentials you created.

For detailed client setup instructions, refer to our tutorial:

How to Set Up a VPN Client

With Marzban and a VPS, enjoy unparalleled online privacy and security!

 

 


 

Published on: 22-01-2025
