How to Install
⬡ Detecting platform…
curl -fsSL https://x-tunnel.itlinkin.com/install-client.sh | bash
Detects Intel vs Apple Silicon automatically. Installs to
/usr/local/bin/xtunnel. Requires curl.curl -fsSL https://x-tunnel.itlinkin.com/install-client.sh | bash
Detects x86_64 vs aarch64 automatically. Installs to
/usr/local/bin/xtunnel.Transparent proxy (optional)
Route all outbound traffic from this machine — including Docker containers and any process — through the tunnel transparently. No per-app proxy config needed.
# Step 1 — download the script (requires root) sudo curl -fsSL https://x-tunnel.itlinkin.com/install/xtunnel-transparent.sh -o /usr/local/sbin/xtunnel-transparent sudo chmod +x /usr/local/sbin/xtunnel-transparent # Step 2 — install (interactive: prompts for server, token, and connection mode) sudo xtunnel-transparent install # Step 3 — start sudo xtunnel-transparent start
The installer prompts for server address, token, and connection mode:
1) REALITY — fully obfuscated, looks like Apple CDN traffic (recommended)
2) Cloudflare / ECH — server is behind Cloudflare, ECH auto-negotiated
3) Direct VPS + skip cert — self-signed cert, adds
4) Direct VPS + valid cert — valid TLS cert, adds
Uses chinadns-ng for split DNS: CN domains go via your original DNS directly; all others resolve via
1) REALITY — fully obfuscated, looks like Apple CDN traffic (recommended)
2) Cloudflare / ECH — server is behind Cloudflare, ECH auto-negotiated
3) Direct VPS + skip cert — self-signed cert, adds
-insecure4) Direct VPS + valid cert — valid TLS cert, adds
-fallbackUses chinadns-ng for split DNS: CN domains go via your original DNS directly; all others resolve via
tcp://1.1.1.1 through the tunnel.
Docker bridge traffic is intercepted automatically. iptables rules are cleanly removed on stop.
sudo xtunnel-transparent start # start + set DNS → 127.0.0.1 sudo xtunnel-transparent stop # stop + restore original DNS sudo xtunnel-transparent status # service status / exit IP / DNS test sudo xtunnel-transparent restart sudo xtunnel-transparent update # refresh CN domain lists sudo xtunnel-transparent uninstall
irm https://x-tunnel.itlinkin.com/install-client.ps1 | iex
Downloads to
%LOCALAPPDATA%\xtunnel\xtunnel.exe and adds to PATH. Run PowerShell as a normal user — no admin needed.How to Run
Config file (recommended)
xtunnel -c ~/client.json
Create ~/client.json from the sample dropped next to the binary during install. Set forward to your server and token to the shared secret. Run with xtunnel -c ~/client.json.
SOCKS5 proxy (flags)
xtunnel \ -mode client \ -l socks5://127.0.0.1:1080 \ -f reality://your.server.com:8118/api \ -token YOUR_TOKEN \ -bond 4
Starts a local SOCKS5 proxy on 127.0.0.1:1080. Point your browser or system proxy there. -bond 4 allows up to 4 parallel streams per connection, added automatically when throughput plateaus.
Mixed proxy (SOCKS5 + HTTP on one port)
xtunnel \ -mode client \ -l mixed://127.0.0.1:1080 \ -f reality://your.server.com:8118/api \ -token YOUR_TOKEN \ -bond 4
Auto-detects the protocol on the same port: SOCKS5 clients (first byte 0x05) and HTTP CONNECT clients both work on 127.0.0.1:1080.
HTTP CONNECT proxy
xtunnel \ -mode client \ -l http://127.0.0.1:8080 \ -f reality://your.server.com:8118/api \ -token YOUR_TOKEN \ -bond 4
All flags
-f reality://host:8118/api # server address (REALITY transport, recommended) -f wss://host:8118/api # server address (TLS, for Cloudflare-fronted servers) -l socks5://127.0.0.1:1080 # local listener (socks5, http, or mixed) -token TOKEN # must match server token -bond N # max parallel streams per connection (default 8) -max-spare N # spare idle channels (default 2) -ip IP[,IP2,...] # force server IP(s), comma-separated (bypass DNS) -c path/to/client.json # load all flags from a JSON config file