OpenWRT VLESS Client Configuration: Route All Traffic via Xray
Running VLESS at the router level means every device on your network benefits from the proxy β smartphones, smart TVs, IoT devices β without installing any client software. This guide covers xray-core and sing-box installation on OpenWRT.
Last reviewed: March 2026
Table of Contents
Prerequisites
You need an OpenWRT router with at least 16 MB flash and 128 MB RAM. Check your router model on openwrt.org to confirm compatibility. The guide was tested on OpenWRT 23.05 with a GL.iNet router.
Required packages: xray-core (or sing-box as alternative), iptables-nft, dnsmasq-full (replace dnsmasq). SSH access to your router is required.
Install xray-core on OpenWRT
Connect via SSH: ssh root@192.168.1.1. Then install xray-core: opkg update && opkg install xray-core. If xray-core is not in the opkg repository for your build, download the arm/mipsle binary from GitHub and place it in /usr/bin/xray.
Create the config directory: mkdir -p /etc/xray. The main config file will be /etc/xray/config.json.
VLESS Client Configuration
Create /etc/xray/config.json with your VLESS inbound and outbound configuration. The inbound handles local traffic (SOCKS5 on port 1080 + transparent proxy on port 1081), the outbound connects to your VLESS server.
config.json structure
{ "inbounds": [{"port": 1080, "protocol": "socks"}, {"port": 1081, "protocol": "dokodemo-door", "settings": {"followRedirect": true}}], "outbounds": [{"protocol": "vless", "settings": {"vnext": [{"address": "YOUR_SERVER", "port": 443, "users": [{"id": "YOUR_UUID", "encryption": "none", "flow": "xtls-rprx-vision"}]}]}, "streamSettings": {"network": "tcp", "security": "reality", "realitySettings": {"fingerprint": "chrome", "serverName": "YOUR_SNI", "publicKey": "YOUR_PUBKEY"}}}] }Proxy Poland provides dedicated Polish 4G mobile proxies with VLESS/Xray support. Real SIM cards, 1.8s IP rotation, 99.6% uptime.
Routing Rules with iptables
To intercept all TCP/UDP traffic and route through xray, add iptables rules. Create /etc/firewall.user with PREROUTING rules that redirect traffic to port 1081 (dokodemo-door) except for local and reserved IPs.
Add xray to startup: /etc/init.d/xray enable. Start the service: /etc/init.d/xray start. Check logs: logread | grep xray.
DNS Leak Prevention
Without DNS leak prevention, DNS queries bypass the proxy and reveal your real location. Configure dnsmasq to forward all queries through xray's DNS: in /etc/dnsmasq.conf, set server=127.0.0.1#5300 and disable-systemd-resolved.
Add a DNS inbound to xray config on port 5300 that forwards queries through the VLESS outbound. Test with proxypoland.com/tools/dns-leak-test β all DNS servers should show as Polish IPs.
Verification
From any device on your network, visit proxypoland.com/tools/proxy-checker. Your IP should be a Polish Orange LTE IP. Run a speed test β you will typically see 20-40 Mbps through VLESS Reality on a capable router.
Frequently Asked Questions
Which is better for OpenWRT β xray-core or sing-box?
Both support VLESS Reality. xray-core is more mature and widely documented. sing-box has a simpler JSON config format and better UDP performance. For most users starting out, xray-core is easier to find help for.
Does VLESS on OpenWRT slow down my network?
Encryption has a CPU cost. On older MIPS routers, you may see 10-20% throughput reduction. Modern ARM routers (GL.iNet Beryl AX, Banana Pi R4) handle VLESS Reality at full line speed. If speed is critical, use XTLS-Vision flow which offloads some processing.
My OpenWRT router does not have xray-core in opkg. What do I do?
Download the pre-compiled xray binary for your CPU architecture from github.com/XTLS/Xray-core/releases. Match the architecture: MIPS24kc for most older routers, ARM v7/v8 for modern ones. Place in /usr/bin/xray and chmod +x.
Can I route only some devices through VLESS on OpenWRT?
Yes. In the iptables PREROUTING rules, match by source IP or MAC address instead of routing all traffic. Example: add -s 192.168.1.50 to route only one device through VLESS while other devices use the regular internet.
Does Proxy Poland support VLESS protocol?
Yes. Every Proxy Poland plan includes VLESS/Xray protocol access. You receive a VLESS Reality connection string with your subscription. The protocol runs on port 443 with Reality camouflage, making it resistant to deep packet inspection.
Get VLESS Access
Need a VLESS proxy server to connect to?
Proxy Poland provides dedicated Polish 4G mobile proxies with VLESS/Xray support. Real SIM cards, 1.8s IP rotation, 99.6% uptime.