⚡ Setup 3X-UI — Xray Panel

Deploy 3X-UI, a powerful web-based panel for managing Xray and V2Ray proxy protocols with support for multiple inbounds, users, and traffic monitoring.

⚠️ This script is provided for demo and testing purposes only.

📦 Resources & Setup Scripts

Grab the automated bash script from GitHub to follow along.

Automated install script — 3X-UI panel ready in minutes.

Quick Install:

wget https://raw.githubusercontent.com/mhmdali94/Docker/main/vpn/3x-ui/3x-ui-ubuntu.sh
chmod +x 3x-ui-ubuntu.sh
sudo bash 3x-ui-ubuntu.sh

Tutorial Steps

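1. Download & Run the Script

The script installs Docker, pulls the 3X-UI image, and starts the panel with auto-generated admin credentials. It runs as root and is fetched from the repository's main branch, so read the downloaded file before executing it.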

wget https://raw.githubusercontent.com/mhmdali94/Docker/main/vpn/3x-ui/3x-ui-ubuntu.sh
chmod +x 3x-ui-ubuntu.sh
sudo bash 3x-ui-ubuntu.sh

2. Access the Web Panel

Open your browser and navigate to the 3X-UI panel. The address below is plain HTTP, so the login is sent unencrypted:

http://YOUR-SERVER-IP:2053

3. Login with Generated Credentials

The script displays your admin username and password at the end. Use them to log in and change them immediately in Panel Settings.

4. Add an Inbound

Go to Inbounds → Add Inbound. Choose your protocol (VLESS, VMess, Trojan, Shadowsocks), set a port, and configure users. Share the generated link or QR code with clients.

Ports Used

Port    Protocol    Purpose
2053    TCP         Web UI (Admin Panel)

Files Location

/root/docker/3x-ui/docker-compose.yml

Overview

3X-UI is a feature-rich, web-based panel for managing Xray-core proxy protocols including VLESS, VMess, Trojan, and Shadowsocks. It is the most popular self-hosted proxy panel, widely used for bypassing censorship and building private proxy infrastructure. The panel manages multiple inbounds, user traffic quotas, and expiry dates.

Why Use It

3X-UI gives you a full proxy management platform that you own entirely — no subscriptions, no third-party servers holding your traffic data. It supports the most advanced circumvention protocols (VLESS Reality, XTLS Vision) that are practically undetectable by deep packet inspection. Whether you're running a private VPN for your team or building infrastructure for privacy-conscious users, 3X-UI provides the GUI, user management, and traffic analytics that raw Xray-core config files cannot.

When You Need It

Who Should Use It

Real Use Cases

Main Features

How to Use After Installation

Security Best Practices

Ports and Firewall Notes

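3X-UI uses port 2053 for the admin panel by default — change this immediately. Each inbound you create uses its own port (e.g., 443, 8443, or any custom port). Open only the inbound ports you actively use. Block the panel port at the firewall level and restrict access to your management IP:

sudo ufw allow 443/tcp && sudo ufw deny 2053/tcp

This command opens 443 and blocks 2053 for every source. To keep the panel reachable from your management IP, add an allow rule for that address before the deny, because ufw applies the first rule that matches. If using Cloudflare CDN as a frontend, you only need port 443 or 80 exposed.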
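The management-IP restriction described above, as an added example that is not part of the original page or its install script. It also checks how the compose file exposes the port, because ports published by Docker are forwarded ahead of ufw's rules. The address 203.0.113.10 and the function names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not part of the page's install script. The management IP
# 203.0.113.10 is a documentation address; function names are illustrative.

# Print (do not apply) ufw rules that leave PANEL_PORT reachable from one
# IPv4 address only. ufw uses the first matching rule, so the allow-from
# rule has to be added before the blanket deny.
# usage: panel_fw_rules MGMT_IP PANEL_PORT [INBOUND_PORT...]
panel_fw_rules() {
  [ $# -ge 2 ] || return 2
  mgmt=$1; panel=$2; shift 2
  case $mgmt in ''|*[!0-9.]*) echo "bad IPv4: $mgmt" >&2; return 2 ;; esac
  for p in "$panel" "$@"; do
    case $p in ''|*[!0-9]*) echo "bad port: $p" >&2; return 2 ;; esac
  done
  echo "ufw allow from $mgmt to any port $panel proto tcp"
  echo "ufw deny $panel/tcp"
  for p in "$@"; do echo "ufw allow $p/tcp"; done
}

# Report how a compose file (short "ports:" syntax) exposes PORT:
#   host      network_mode: host, so the host's ufw rules apply
#   published bound on all interfaces; Docker's own iptables rules forward
#             it ahead of ufw's chains, so "ufw deny" does not block it
#   loopback  bound to 127.0.0.1 only; reach it through an SSH tunnel
#   none      this file does not expose the port
# usage: compose_exposure FILE PORT
compose_exposure() {
  q="[\"']?"
  if grep -Eq "^[[:space:]]*network_mode:[[:space:]]*${q}host" "$1"; then
    echo host
  elif grep -Eq "^[[:space:]]*-[[:space:]]*${q}(0\.0\.0\.0:)?$2:" "$1"; then
    echo published
  elif grep -Eq "^[[:space:]]*-[[:space:]]*${q}127\.0\.0\.1:$2:" "$1"; then
    echo loopback
  else
    echo none
  fi
}

# Rules for panel port 2053 and one inbound on 443, printed for review.
panel_fw_rules 203.0.113.10 2053 443
```

Run compose_exposure /root/docker/3x-ui/docker-compose.yml 2053 first: if it prints published, bind the mapping to 127.0.0.1 or filter in Docker's DOCKER-USER chain, since the ufw rules alone will not take effect.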

Backup and Maintenance

Common Mistakes

Troubleshooting

Alternatives

Main alternatives to 3X-UI: Marzban — a more modern Python-based panel with better multi-node support and an API, preferred for large deployments; Hiddify — an all-in-one proxy server with a simpler setup, better suited for non-technical users; x-ui (the original by vaxilu) — the predecessor to 3X-UI, now unmaintained and insecure; Outline Server — much simpler but only supports Shadowsocks with no per-user quotas. For teams that need zero GUI overhead, raw Xray-core with JSON config is always an option.

When Not to Use It

Avoid 3X-UI if you just need a simple VPN for yourself — WireGuard Easy is far simpler to set up and maintain. If you're in a jurisdiction where running a proxy server is illegal or risky, operating 3X-UI exposes you to legal liability. For enterprise-grade remote access with SSO and audit logs, commercial solutions like Cisco AnyConnect or Zscaler are more appropriate. 3X-UI is also not ideal if your users are non-technical — the client-side configuration (v2rayNG, Nekobox) has a learning curve.

PrismaTechWork Professional Help

PrismaTechWork provides end-to-end infrastructure services — from initial deployment and security hardening to ongoing monitoring, automated backups, and dedicated support. Whether you need a single-server setup or a multi-site network, our team ensures your infrastructure is built right, secured properly, and maintained reliably.

Frequently Asked Questions

What is the difference between VLESS and VMess?

VMess is an older protocol designed by V2Ray with built-in encryption but it is detectable by active probing. VLESS is the newer, leaner protocol that removes redundant encryption (relying on TLS instead) and is harder to fingerprint. For new deployments always choose VLESS with Reality or TLS transport.

What is VLESS Reality and why is it the recommended choice?

Reality is a transport mode for VLESS that makes your proxy traffic indistinguishable from normal HTTPS traffic to a legitimate domain (like microsoft.com). It achieves this by borrowing the real TLS certificate of the target domain during the handshake while routing your traffic separately. DPI systems cannot tell the difference — making it the most censorship-resistant option available today.

Can I run 3X-UI on a VPS inside a heavily censored country?

Yes, but the VPS itself must have unrestricted outbound internet access. Most users place the 3X-UI server outside the censored region (e.g., a VPS in Germany or Singapore) and connect from inside the restricted country. Running the server inside the restricted country only moves the problem — clients still need to reach it over a blocked protocol.

How do I add users and limit their traffic?

Go to Inbounds → click the user icon on an inbound → Add Client. Set a UUID (or generate one), assign a traffic limit in GB, and set an expiry date. The inbound will automatically reject connections from that UUID once the quota or date is exceeded. You can reset the quota from the same dialog.

Is it safe to put 3X-UI behind Cloudflare?

Yes, for WebSocket-based inbounds (VLESS+WS+TLS or VMess+WS+TLS). Cloudflare proxies WebSocket traffic and hides your server IP. However, Reality protocol does NOT work behind Cloudflare — it must connect directly to your server IP. Choose one approach: Cloudflare CDN for WS inbounds, or direct IP for Reality inbounds.

How do I update 3X-UI to the latest version?

Run:

docker compose -f /root/docker/3x-ui/docker-compose.yml pull && docker compose -f /root/docker/3x-ui/docker-compose.yml up -d

This pulls the latest image from Docker Hub and restarts the container. Your database and settings are stored in the mounted volume and are not affected by updates.

Can multiple admins manage the same 3X-UI panel?

Yes. 3X-UI supports multiple admin accounts with different permission levels. Go to Panel Settings → Sub Admins to create accounts with restricted access (e.g., an account that can only view inbounds but not modify panel settings). This is useful for teams where different people manage different groups of users.

What client apps work with 3X-UI?

Android: v2rayNG (most popular), NekoBox. iOS: Streisand, Shadowrocket (paid), FoXray. Windows/Mac/Linux: Hiddify Next, NekoBox, v2rayN (Windows). All clients support subscription URLs — paste the link generated by the panel and it auto-imports all your inbound configurations. Update the subscription periodically to pick up server changes.