07 Apr 2026 Tutorials 11 min read

VLESS + WS Proxy Tunnel with Localtonet

Set up a VLESS WebSocket proxy tunnel on Localtonet in minutes. Bypass DPI, get a public TLS endpoint, and route traffic without opening any ports.

Proxy Server · VLESS · WebSocket · TLS · 2026

VLESS + WS Proxy Tunnel with Localtonet: Full Setup Guide

Most proxy setups fail the moment your ISP or network admin runs deep packet inspection. Standard protocols get fingerprinted and blocked. VLESS over WebSocket wraps your traffic inside a regular HTTPS connection, making it indistinguishable from browser traffic at the network layer. Localtonet now supports VLESS + WS as a first-class proxy tunnel type, giving you a public TLS endpoint without touching your router, firewall, or ISP settings. This guide walks you through creating and connecting to a VLESS + WS tunnel from start to finish.

🔒 TLS 1.3 encrypted, Chrome-fingerprinted 🌐 Public domain on port 443, no port forwarding ⚡ UDP support included, Xray-compatible

Why Standard Proxies Get Blocked

Corporate networks, university firewalls, and many ISPs block outbound traffic on non-standard ports. Even when they don't block by port, deep packet inspection identifies and drops known proxy protocols like SOCKS5 or raw TCP tunnels by their handshake signatures. The result: your proxy works at home, fails everywhere else.

Port 443 is almost never blocked because it carries all HTTPS web traffic. A proxy that speaks WebSocket over TLS on port 443 is practically invisible to DPI. The connection looks identical to a browser loading a web app.

VLESS + WS is specifically designed for this scenario: high-resistance proxying that survives hostile networks.

What VLESS + WS Actually Does

VLESS is a lightweight proxy protocol from the Xray/V2Ray ecosystem. It has almost no overhead compared to VMess because it drops encryption at the protocol layer and delegates that to TLS instead. Your client sends VLESS frames, they get wrapped in WebSocket, and WebSocket runs inside a TLS connection. The server sees standard HTTPS. The DPI box sees standard HTTPS. Only your client and the tunnel endpoint know what's actually inside.

Localtonet handles the server side automatically. When you create a VLESS + WS tunnel, Localtonet provisions a public subdomain (e.g., pjrcaez2cb.localtonetproxy.com) with a valid TLS certificate on port 443. Your local Xray client connects to that endpoint. Traffic flows through Localtonet's servers without you needing any public IP, open port, or VPS.

🔒 TLS on port 443 All traffic is encrypted with a valid certificate. The Chrome TLS fingerprint is applied by default, which passes browser-mimicry checks used by advanced firewalls.

🌐 No server required You don't need a VPS, a static IP, or a domain. Localtonet provisions the public endpoint and routes traffic to your local Xray process.

⚡ UDP support VLESS + WS on Localtonet supports UDP tunneling, which means DNS queries and UDP-based applications route correctly through the tunnel.

🔑 UUID-based authentication Access is controlled by a UUID that Localtonet generates per tunnel. No username/password pair to rotate. Revoke access by deleting the tunnel.

🛠 Xray/V2Ray compatible The tunnel works with any Xray or V2Ray client: v2rayN (Windows), v2rayNG (Android), NekoBox, Shadowrocket, or a raw Xray binary on Linux.

💻 Server selection Choose which Localtonet server location handles your tunnel, for example CZ-Prague. Latency depends on proximity to that server, not to your machine.

How to Create a VLESS + WS Tunnel in Localtonet: Step-by-Step

Create a free account and copy your token

Download and install the Localtonet agent

Head to Downloads and grab the binary for your OS. Works on Windows, Linux, macOS, Android, and Docker.

Select "VLESS + WS (Support UDP)" as the Proxy Type

In your Localtonet dashboard, click Proxy Server. Click the "Proxy Type" dropdown. You will see five options: HTTP, SOCKS5, ShadowSocks, VLESS + WS, and VLESS + Reality. Select "VLESS + WS (Support UDP)".

Choose your Auth Token and Server location

Select the auth token to associate with this tunnel. Under "Server", pick the Localtonet server closest to your device.

Set a Domain Type and click Create

Choose "Random SubDomain" unless you have a reserved domain on your plan. Click "Create". Localtonet provisions the tunnel instantly and assigns a public subdomain like pjrcaez2cb.localtonetproxy.com on port 443.

Retrieve your UUID from "VLESS Data"

Find your new tunnel in the list. Click the settings icon on the right to open the tunnel detail panel, then click "Manage" next to "Vless Data". A modal appears with your UUID, for example 7b637c36-9dd4-4005-a0cf-1960b31f1fb1 Copy it. You need this in your Xray client.

Configure your Xray client with the VLESS + WS settings

Open your Xray-compatible client (v2rayN, NekoBox, Shadowrocket, or raw Xray). Add a new VLESS outbound using the values below. All fields come directly from the Localtonet tunnel page.

Xray / VLESS + WS — client config values

Address   : pjrcaez2cb.localtonetproxy.com   (your assigned subdomain)
Port      : 443
UUID      : 7b637c36-9dd4-4005-a0cf-1960b31f1fb1  (from VLESS Data modal)
Flow      : (leave empty)
Encryption: none
Network   : ws
TLS       : tls
Fingerprint: chrome
SNI       : (leave empty, server cert covers the subdomain)
Path      : (leave empty)
Allow Insecure: false

Start the tunnel and verify connectivity

Click the Start button on your tunnel row in Localtonet to activate it, then connect from your Xray client.

⚠️ Most tutorials skip this step: the "Is Reserved?" toggle changes what happens on restart

By default, the "Is Reserved?" checkbox in your tunnel's Settings panel is enabled. This means your subdomain stays the same across Localtonet client restarts. If you disable it, every restart assigns a new random subdomain, and you have to update every device using that tunnel. Leave "Is Reserved?" checked unless you specifically want a rotating endpoint.

🔒 Why "Allow Insecure: false" matters here

Localtonet issues a valid TLS certificate for every proxy subdomain under *.localtonetproxy.com. You do not need to disable certificate verification. Setting "Allow Insecure" to false enforces proper certificate checking, which is the correct and more secure configuration. Only set it to true if you are testing a self-signed cert on a private endpoint.

Tips for Getting the Most Out of VLESS + WS

🌐 Pick a server near your exit, not your origin The Localtonet server is your public IP from the client's perspective. If the goal is to appear in a specific region, choose the server in that region regardless of where your machine is.

🔑 Use IP Restriction for sensitive tunnels Open the tunnel settings and click "Manage" next to "IP Restriction". Whitelist specific client IPs to lock down who can initiate a connection, even if the UUID leaks.

⚡ Set Speed Limits if sharing the tunnel The "Speed Limits" setting in the tunnel panel lets you cap bandwidth per connection. Useful when running a shared proxy to prevent one client from saturating the link.

📡 Test UDP routing explicitly UDP support is one of VLESS + WS's advantages over plain HTTP tunnels. Test it by routing DNS through the tunnel (e.g., pointing a client's DNS to 8.8.8.8 via the proxy) and verifying resolution works.

🛠 Use Upstream Setting for chained routing The "Upstream Setting" option in the tunnel panel lets you route traffic from the Localtonet endpoint to a further upstream proxy. This supports multi-hop setups without modifying your Xray config.

💰 Set an Expiration Date for temporary access If you're creating a tunnel for a temporary project or a guest, use "Expiration Date" to auto-disable the tunnel on a specific date. No need to remember to delete it manually.

Frequently Asked Questions

What is the difference between VLESS + WS and VLESS + Reality in Localtonet?

VLESS + WS uses WebSocket as the transport layer wrapped in TLS. It's widely supported by all Xray/V2Ray clients. VLESS + Reality uses a newer TLS camouflage technique that mimics a real website's TLS fingerprint more closely, offering stronger resistance against advanced censorship systems. VLESS + WS is the better starting point for most users due to broader client compatibility.

Do I need to install anything on my machine to use this tunnel?

Yes. The Localtonet client must be running on the machine that receives the tunneled traffic. You also need an Xray-compatible client on each device that sends traffic through the tunnel. The Localtonet client handles the server-side connection; Xray handles the client-side VLESS protocol. Download the Localtonet client at localtonet.com/download.

Which Xray clients work with a Localtonet VLESS + WS tunnel?

Any client that supports VLESS over WebSocket with TLS will work: v2rayN (Windows), v2rayNG (Android), NekoBox (Android/Desktop), Shadowrocket (iOS), Hiddify (cross-platform), and the raw Xray binary on Linux. Use the configuration values from Step 6 above. The "Configuration" field in Shadowrocket and similar clients should be set to "Xray" if the option exists.

Why does the tunnel show as connected but traffic doesn't flow?

The most common cause is a mismatch between the Path field. Localtonet's VLESS + WS endpoint does not require a custom path. If your Xray client has a Path value set (e.g., /ws or /vless), clear it and leave the field empty. A non-empty Path that doesn't match the server will complete the WebSocket handshake but drop all VLESS frames silently.

Can multiple devices share the same VLESS + WS tunnel simultaneously?

Yes. Multiple clients can connect to the same tunnel using the same UUID and domain. All sessions share the tunnel's total bandwidth. If you want per-device access control, use the "Access Control" setting in the tunnel panel, or create a separate tunnel with its own UUID for each device or user group.

Does this work on Android or iOS without a desktop PC?

The Xray client side works on Android (v2rayNG, NekoBox, Hiddify) and iOS (Shadowrocket, Streisand). However, the Localtonet client that receives the inbound tunnel connection must run on a machine that stays online, typically a Linux server, a Windows PC, or a NAS. The Localtonet client is not available as a standalone mobile app for the server-side role.

What does "Is Reserved?" do in the tunnel settings?

When "Is Reserved?" is checked, the tunnel keeps the same subdomain every time the Localtonet client reconnects. This is the default and the correct setting for any tunnel you share with multiple devices, since those devices have the subdomain hardcoded in their Xray config. If "Is Reserved?" is off, the subdomain rotates on each reconnect and every client config must be updated manually.

How much does a VLESS + WS proxy tunnel cost on Localtonet?

VLESS + WS tunnels are available on all Localtonet plans including the free tier. The free plan includes bandwidth limits and non-reserved subdomains by default. Paid plans start with reserved subdomains, higher bandwidth caps, and speed limit controls. Check the current pricing at localtonet.com, as plans are updated periodically.

Ready to set up your first VLESS + WS tunnel?

Create your Localtonet account for free. No credit card needed. Your first proxy tunnel is a few clicks away.

Get Started Free →

Tags: bypass dpi proxy localtonet proxy server localtonet vless proxy tunnel 2026 udp proxy tunnel vless tls tunnel vless websocket localtonet vless websocket proxy vless ws localtonet vless ws tunnel xray vless setup xray ws tls

Localtonet

Localtonet is a secure multi-protocol tunneling and proxy platform designed to expose localhost, devices, private services, and AI agents to the public internet supporting HTTP/HTTPS tunnels, TCP/UDP forwarding, mobile proxy infrastructure, file server publishing, latency-optimized game connectivity, and developer-ready AI agent endpoint exposure from a single unified control plane.

Back to Blog

Blogs

No result found