X-ray VPN implementation in future releases of pfSense+

Sergei_Shablovsky

Dear pfSense Dev Team!

Please share Your position about implementing Xray VPN into future releases of pfSense+.

P.S. Opposite to other modern VPNs, Xray already have great reputation, especially in countries where government regulating/pressure on VPN technology rapidly increased…

patient0

@Sergei_Shablovsky I had a look at their website, it's that one?

Could you share what makes them better than others or better: how did you come to that conclusion?

The app seems neither open source nor existing for very long, it's based in a country (Turkey) I wouldn't trust the government.

They claim to keep no logs (lots do) and double-VPN.

At the end of their terms of service is written

"Please note that this is a sample and should be reviewed and customized according to your specific needs and requirements. It’s also recommended to have a lawyer review your terms of service before publishing them."

... a badly edited template of a terms of service.

Privacy Policy:

"Data Sharing

We do not share your data with any third parties, except in the following circumstances:

• To comply with a legal obligation or court order"

... you want to trust a company which may have to comply with their government, especially theirs?

And further down:

"Jurisdiction and Governing Law

This Privacy Policy is governed by the laws of USA. Any disputes arising from this policy will be resolved in accordance with the laws of USA."

... well, that sounds trustworthy.

I probably ended on the wrong website.

w0w

@patient0
https://github.com/XTLS/Xray-core

patient0

@w0w I found that too, yes. But that's not X-ray VPN, right?

w0w

@patient0 said in X-ray VPN implementation in future releases of pfSense+:

But that's not X-ray VPN

Some kind of analog, not as a paid service, but as functional client-service software.
I think it's about this one, not the one you've mentioned.

stephenw10

Hmm, it does seem kinda shady!

There's no FreeBSD port as far as I can see, though there is one for v2ray which this was forked from.

You are asking about adding it as a client to connect to the xrayvpn service only?

I'm not really seeing any advantages over existing VPN options TBH.

Сергей 3

In some countries, this package is absolutely necessary in pfsense.
I found these instructions
But the topic has stalled there. Is there any way to adapt these instructions for pfsense?
Or could someone explain to the newbies where all these IP addresses come from?

elvisimprsntr

I stay away from any of the so called "privacy" VPNs, especially those promoted by YouTube shills.

"If you are not paying for the product, you are the product."

Youtube Video

stephenw10

@Сергей-3 said in X-ray VPN implementation in future releases of pfSense+:

In some countries, this package is absolutely necessary in pfsense.

I still don't see how this is any better than any other existing VPN provider?

Сергей 3

@stephenw10
You're lucky you don't live in such a country.
Other VPN providers (protocols) are blocked.

stephenw10

Hmm, so the novel protocol used here bypasses state-level filtering?

Сергей 3

@stephenw10
Xray is a Chinese development that bypasses the Great Firewall of China.
I'm not very knowledgeable about networking and would like some tips for setting up Xray in pfSense.
It would be better if pfSense had its own xray package.
Could anyone get the pfSense developers involved in this?

Gertjan

@Сергей-3 said in X-ray VPN implementation in future releases of pfSense+:

Could anyone get the pfSense developers involved in this?

Wouldn't that be a temporary solution ?

I you were working for this company (?) that was mandated by gouvernement of the country you mentioned above, what would be your mission ?
With simple words : Blocking outgoing traffic.
You wouldn't want this government's big boss X... calling you and telling you you did a bad job as he just found out how to bypass your "Great Firewall" - he knows, as he could find it on the Internet ... we're talking about it right now.
The issue with open source is : it is visible to everyone. So, get it integrated, and it will work for a while. And then suddenly, the Great Firewall maintainers block whatever X-Ray is. After all, it's a protocol, so it can be blocked, the usefulness is gone. It becomes yet another type of VPN, like OpenVPN, Wireguard, IPSEC, etc etc. that needs to be supported by the authors of pfSense, Netgate.

And as always, I hope to be wrong

Btw : the oSense already has it ... did you give it a try ? ( it's probably just for some short time anyway )

edit : I'm just a forum poster like you - this is what I think, based of what I've read, and what think I know.

Сергей 3

@Gertjan, Xray disguises traffic as regular HTTPS connections, making it difficult to block.
I provided a link to an implementation of Xray in oSense, but the thread stopped responding to questions. I'm asking knowledgeable people to adapt that instruction for pfSense.

stephenw10

I would first try to make it work in FreeBSD where the package exists.

Сергей 3

@stephenw10
Here are the packages that work on FreeBSD
Xray
Tun2socks
But I don't have the knowledge to configure it manually.
I wish there was a standard package for pfSence.

elvisimprsntr

Is it just me, or does it seem like the KISS (Keep It Simple [redacted]) answer is to install X-Ray on an officially supported platform or a VPS and tunnel traffic through that?

ParSulTang

@stephenw10 said in X-ray VPN implementation in future releases of pfSense+:

I still don't see how this is any better than any other existing VPN provider?

Xray, when using the VLESS protocol with XTLS-REALITY, can fully disguise its traffic as regular HTTPS.

Xray wasn’t originally designed for building virtual networks — it’s mainly aimed at bypassing government censorship, especially in countries like China and Russia, where other protocols are gradually getting blocked by DPI due to their well-known patterns. VLESS doesn’t have that problem; it’s extremely hard to detect, if it’s even possible at all.

The stock Xray-core has a native FreeBSD package: https://github.com/XTLS/Xray-core

I’m surprised that pfSense still doesn’t have not only a separate package, but no built-in Xray support at all. This is an absolutely essential technical feature in 2025.

Сергей 3

I created a combination of x2ray and tun2socks from the OPNSense forum thread.
It didn't work right away, but thanks to the feedback I got it working.
However, this combination requires monitoring two services.
It's easier to use a sing-box. It only requires one service.
It can function as a simple proxy or directly create an interface to which you can configure redirection.
Here's a link to GitHub where you can download the installer for OPNSense and pfSense.
So now I’m in favor of the authors creating a sing-box package

Gertjan

@ParSulTang said in X-ray VPN implementation in future releases of pfSense+:

This is an absolutely essential technical feature in 2025.

All what follows is purely hypothetical, just me thinking here.
What if I had a company based in the US and I create firewalls with VPN support ?
If my client base start to express the need for a 'new' of VPN, I would surely investigate the possibility of implementing it. So, no worries. these forum post have alredy been seen by the 'makers' ^^

As a VPN is a piece of software that goes deep into the system, it has to be reviewed first. Adding a possible unknown flaw into the (a) system that advertises network security will create bad publicity.
And, again, this is me talking, the usage case is clearly mentioned above. This VPN goes clearly against law that exist in certain countries. And we're not talking 'Luxembourg' here. Countries sited above have 'long arms' and are very capable of reacting if some one does something they don't like.

Also, let's face it : you ask this firewall company to do something special for the chinese market ?
Let's say : you see the smile onmy face ? What's in it for them ? [ I mean, more then having the 'firewall' cloned massivily on all low bud dvices coming from these countries ? ]

Btw : using https traffic to hide traffic is, I fully agree, is probably one of the best way of hiding traffic. The only visible thing that is left to see for the IDP tools would be the destination IP and port. If the IP gets known as a xray VPN server, it's game over. If I was working as a "great wall" administrator and I saw loads of https traffic to a server that doesn't host a site with known frequently requested info, using domain names that didn't exist some weeks ago, I would simply block the IP and see what happens.
Typically, the xray vpn server should hide itself behind a big public domain names like ccn.com or microsoft.com (etc) but I'm pretty sure they won't allow this.

@ParSulTang said in X-ray VPN implementation in future releases of pfSense+:

This is an absolutely essential technical feature in 2025.

So, stop waiting. Get a copy of FreeBSD, fire up a VM and install it, add your xray stuff, and done ^^
Maybe counter productive but : don't tell what you are doing. As long as you are 'the only one' doing this, you'll be "flying below the radar" and this VPN will work for you a long time. If the 'secret' comes out for the big public, it will dealt with.
Example : TOR is very known, and guess what : since a year or two, no more news outlets about it. Like "some one" (read : our governement) doesn't care anymore.
This can only maen one thing ....

Forum admins : if there is to much 'politics' in my post, feel free to zap it. I understand.