Deploy your own VLESS + XHTTP + REALITY gateway on one VPS.
Free, open source and self-hosted, with guided installation and separate admin and user portals.
Important
NoxRouteNeo is alpha software. Test it on a non-critical VPS before relying on it. It improves connection privacy but does not guarantee anonymity or access through every restricted network.
You need:
- a fresh Ubuntu LTS or Debian VPS with a public IPv4 address;
rootaccess or a user withsudo;- at least 1 GB RAM and 8 GB disk;
- TCP ports
80,443and8443allowed by the VPS provider firewall; - one DuckDNS subdomain and its account token.
Run this single command on the VPS. It installs the pinned v1.0.0-alpha.2 release:
sudo apt-get update && sudo apt-get install -y curl ca-certificates git && sudo curl -fsSL https://raw.githubusercontent.com/drslid/NoxRouteNeo/v1.0.0-alpha.2/install.sh -o /tmp/noxrouteneo-install.sh && sudo env NOXROUTE_REF=v1.0.0-alpha.2 bash /tmp/noxrouteneo-install.shThe installer asks for the interface language, DuckDNS subdomain and DuckDNS token. It then:
- verifies the operating system, architecture, disk, memory and public ports;
- installs Docker Engine and Docker Compose when required;
- updates DuckDNS and obtains the HTTPS certificate;
- generates local secrets and the initial owner account;
- pulls the versioned multi-architecture images from GHCR;
- starts the complete stack and runs health checks.
At completion, the terminal prints the generated credentials once:
Admin URL: https://YOUR_DOMAIN.duckdns.org:8443
VPN endpoint: YOUR_DOMAIN.duckdns.org:443
Owner username: owner
Temporary owner password: generated-once
Sign in, change the temporary password, enable TOTP and create the first VPN user.
Detailed procedure: Installation guide · First sign-in
NoxRouteNeo is a Docker-based, self-hosted VPN management platform for one Ubuntu or Debian VPS. It combines an Xray VLESS + XHTTP + REALITY endpoint with a Next.js portal, PostgreSQL, DuckDNS automation, device credentials and local usage policies.
The VPS hosts the portal, API, database, certificates, traffic gateway and VPN runtime. Browsing destinations and URL history are not recorded.
- Owner and administrator roles for VPN users, limits and instance settings.
- A separate user portal for consumption, devices, QR codes and subscriptions.
- One revocable credential per phone, tablet or desktop.
- Fast, Balanced and Stealth XHTTP connection profiles.
- Data quota, expiry, device count and per-account TCP speed policies.
- Live traffic, CPU, memory, gateway capacity, audit and security views.
- Automatic six-hour bans for repeated login or subscription abuse.
- English, Spanish, French, German, Simplified Chinese, Arabic, Russian, Portuguese, Hindi and Urdu.
- The administrator creates a VPN user and defines its limits.
- The user signs in at the same web URL and opens Devices.
- The user registers one device and selects a connection profile.
- The user imports the subscription in INCY using the direct action, QR code or URL.
- The credential binds to the first compatible INCY HWID that refreshes it.
| Client | Platforms | Link |
|---|---|---|
| INCY | iPhone, iPad, Android | Official downloads |
| INCY Desktop | Windows, Linux, macOS | Latest release |
NoxRouteNeo is not affiliated with INCY. Generic Xray clients may import the generated connection, but device HWID binding is an INCY-specific workflow.
Detailed procedure: Connect a device · User portal · Connection profiles
flowchart LR
Client[VPN client] -->|VLESS + XHTTP + REALITY :443| Xray
Browser[Admin or user browser] -->|HTTPS :8443| Caddy
Caddy --> Web[Next.js portal and API]
Web --> DB[(PostgreSQL)]
Xray --> Gateway[Per-account traffic gateway]
Gateway --> Internet[Internet through the VPS]
Runtime[Runtime Agent] --> Xray
Runtime --> DB
Runtime --> Gateway
PostgreSQL, Xray's API and internal control APIs are private. The public web interface uses 8443 because Xray with REALITY owns public TCP 443; port 80 is used for certificate issuance and HTTP handling.
Read the complete architecture and trust boundaries.
The complete documentation and application walkthroughs live at neo.noxroute.com:
Repository documentation remains available for local development, security reports and contributions.
corepack enable
pnpm install --frozen-lockfile
pnpm checkRun the product and documentation sites locally:
pnpm dev
pnpm website devThe pnpm/Turborepo workspace contains:
apps/web Next.js admin and user application
apps/website Astro/Starlight public documentation
packages/auth Better Auth configuration and permissions
packages/contracts Shared Zod contracts
packages/db Drizzle schema and migrations
packages/ui Shared UI components
services/runtime Xray Runtime Agent
services/security-agent Dedicated nftables IP-ban agent
services/traffic-gateway Per-account traffic gateway
infra Caddy and local infrastructure
- Passwords are managed by Better Auth; subscription tokens are hashed.
- Production cookies are secure and HTTP-only.
- State-changing APIs enforce origin and role checks.
- Containers use reduced capabilities and read-only filesystems where possible.
- Search indexing is disabled for private admin and user portals.
- Secrets, DuckDNS tokens, REALITY private keys and application data must never be committed.
NoxRouteNeo does not include Tor, payments, multi-node orchestration, exit-country selection or domain rotation. NoxRoute is a separate future managed product presented at noxroute.com.
Use NoxRouteNeo only on infrastructure and networks you are authorized to operate. The operator is responsible for provider terms, local law, abuse handling and server security.
NoxRouteNeo is available under the MIT License.

