VLESS — mihomo
mihomo speaks VLESS on both sides. Outbound proxies live under the top-level `proxies` array (one object per server). Inbounds live under the `listeners` array. Field names use the `proxy:` tag convention for outbounds and the `inbound:` tag convention for listener inbounds.
Outbound
Entry under `proxies:` with `type: vless`. The struct embeds `BasicOption` (fields common to all outbounds: `interface-name`, `routing-mark`, `ip-version`, `dialer-proxy`, `mptcp`, …), which is documented on the Proxies page.
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
| name | string | (required) | <string> | Unique proxy name used elsewhere in the YAML (proxy-groups, rules). |
| server | string | (required) | <host> | Upstream server hostname or IP. |
| port | int | (required) | <port> | Upstream server port. |
| uuid | string | (required) | <UUID> | User UUID accepted by the server. |
| flow | string | (empty) | (empty) \| xtls-rprx-vision | Flow algorithm. Empty for plain VLESS; `xtls-rprx-vision` enables Vision (requires TLS or REALITY). |
| tls | bool | false | true \| false | Wrap the stream in TLS. Required for `xtls-rprx-vision`. |
| alpn | []string | [] | h2 \| http/1.1 | ALPN list offered during the TLS handshake. |
| udp | bool | false | true \| false | Allow UDP packets to be relayed through this outbound. |
| packet-addr | bool | false | true \| false | Use the older packet-addr UDP encoding instead of xudp. |
| xudp | bool | false | true \| false | Use the xudp encoding for UDP packets (modern default). Mutually exclusive with packet-addr. |
| packet-encoding | string | (use udp/xudp flags) | packetaddr \| xudp | Explicit packet-encoding selector; takes precedence over the boolean flags when set. |
| encryption | string | (unset) | none \| mlkem768x25519plus.<...> | Optional VLESS encryption suite. `none` (or unset) for the classic mode. |
| network | string | tcp | tcp \| ws \| http \| h2 \| grpc \| xhttp | Underlying transport. The respective `*-opts` block is required when this is non-tcp. |
| ech-opts | ECHOptions | (disabled) | ECHOptions | Encrypted Client Hello configuration; see TLS page (Phase 4). |
| reality-opts | RealityOptions | (disabled) | RealityOptions | REALITY configuration. Requires `tls: true`. |
| http-opts | HTTPOptions | (unset) | HTTPOptions | Settings for `network: http` (HTTP/1.1 disguise). |
| h2-opts | HTTP2Options | (unset) | HTTP2Options | Settings for `network: h2`. |
| grpc-opts | GrpcOptions | (unset) | GrpcOptions | Settings for `network: grpc`. |
| ws-opts | WSOptions | (unset) | WSOptions | Settings for `network: ws`. |
| xhttp-opts | XHTTPOptions | (unset) | XHTTPOptions | Settings for `network: xhttp` (XTLS HTTP framing). |
| ws-headers | map[string]string | (unset) | {<header>: <value>} | Legacy header-map for WS — prefer the `headers` field inside `ws-opts`. |
| skip-cert-verify | bool | false | true \| false | Disable TLS verification of the server certificate. Use only for testing. |
| fingerprint | string | (unset) | <SHA256 hex> | Pin the server's TLS certificate to this SHA-256 fingerprint. |
| certificate | string | (unset) | <PEM file path> | Client certificate (mTLS). |
| private-key | string | (unset) | <key file path> | Private key matching `certificate`. |
| servername | string | (unset) | <SNI> | Override the TLS SNI sent on the handshake. |
| client-fingerprint | string | (global) | chrome \| firefox \| safari \| ios \| edge \| random \| randomized | uTLS client-hello fingerprint. Falls back to `global-client-fingerprint`. |
Source: adapter/outbound/vless.go:50-79 · pinned at v1.19.27 (5184081)
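
The constraints stated in the table (Vision and REALITY need `tls: true`, a non-tcp `network` needs its `*-opts` block, `packet-addr` and `xudp` exclude each other) can be checked before a config is deployed. The following is an added example, not mihomo's own validation code; it assumes the YAML has already been parsed into a list of dicts, and the function names and sample entries are constructed for illustration.

```python
REQUIRED = ("name", "server", "port", "uuid")
TRANSPORT_OPTS = {"tcp": None, "ws": "ws-opts", "http": "http-opts",
                  "h2": "h2-opts", "grpc": "grpc-opts", "xhttp": "xhttp-opts"}

def audit_vless_outbound(p):
    """Return (severity, message) findings for one parsed `proxies:` entry."""
    out = []
    if p.get("type") != "vless":
        return out
    for key in REQUIRED:
        if key not in p:
            out.append(("error", f"missing required field {key}"))
    tls = p.get("tls", False)
    # Vision and REALITY both need the stream wrapped in TLS.
    if p.get("flow") == "xtls-rprx-vision" and not tls:
        out.append(("error", "flow xtls-rprx-vision requires tls: true"))
    if "reality-opts" in p and not tls:
        out.append(("error", "reality-opts requires tls: true"))
    # A non-tcp transport needs its matching *-opts block.
    network = p.get("network", "tcp")
    if network not in TRANSPORT_OPTS:
        out.append(("error", f"unknown network {network}"))
    elif TRANSPORT_OPTS[network] and TRANSPORT_OPTS[network] not in p:
        out.append(("error", f"network {network} requires {TRANSPORT_OPTS[network]}"))
    # UDP encoding: the booleans exclude each other; the selector overrides both.
    if p.get("packet-addr") and p.get("xudp"):
        out.append(("error", "packet-addr and xudp are mutually exclusive"))
    if "packet-encoding" in p and (p.get("packet-addr") or p.get("xudp")):
        out.append(("warn", "packet-encoding set: packet-addr/xudp booleans are ignored"))
    # Certificate verification switched off is a testing-only setting.
    if p.get("skip-cert-verify"):
        out.append(("warn", "skip-cert-verify disables server certificate verification"))
    return out

def audit(proxies):
    """Map proxy name -> findings for every entry in the list."""
    return {p.get("name", "?"): audit_vless_outbound(p) for p in proxies}

# Constructed sample: the parsed form of a `proxies:` array (not real servers).
SAMPLE = [
    {"name": "vless-ws", "type": "vless", "server": "example.com", "port": 443,
     "uuid": "a3482e88-686a-4a58-8126-99c9df64b7bf", "network": "ws",
     "tls": True, "ws-opts": {"path": "/vl"}},
    {"name": "misconfigured", "type": "vless", "server": "example.com", "port": 443,
     "uuid": "a3482e88-686a-4a58-8126-99c9df64b7bf", "flow": "xtls-rprx-vision",
     "network": "grpc", "packet-addr": True, "xudp": True, "skip-cert-verify": True},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        for severity, message in findings:
            print(f"{name}: {severity}: {message}")
```
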
Inbound
Entry under `listeners:` with `type: vless`. Embeds `BaseOption` (common listener fields: `listen`, `port`).
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
| users | []VlessUser | (required) | <VlessUser array> | Accepted clients. |
| decryption | string | (unset) | none \| mlkem768x25519plus.<...> | Encryption mode the inbound expects. `none` or unset accepts plain VLESS. |
| ws-path | string | (unset) | /<path> | WebSocket path the inbound serves. |
| xhttp-config | XHTTPConfig | (unset) | XHTTPConfig | XHTTP transport settings; required when clients connect over xhttp. |
| grpc-service-name | string | (unset) | <service name> | gRPC service name the inbound serves. |
| certificate | string | (unset) | <PEM file path> | TLS server certificate (or inline PEM). |
| private-key | string | (unset) | <key file path> | TLS private key matching `certificate`. |
| client-auth-type | string | (none) | no-client-cert \| request-client-cert \| require-any-client-cert \| verify-client-cert-if-given \| require-and-verify-client-cert | Mutual-TLS client-auth mode. |
| client-auth-cert | string | (unset) | <PEM file path> | CA bundle accepted as client roots. |
| ech-key | string | (unset) | <ECH config> | Encrypted Client Hello configuration material. |
| allow-insecure | bool | false | true \| false | Skip TLS client-certificate verification on the listener (testing only). |
| reality-config | RealityConfig | (disabled) | RealityConfig | REALITY server configuration; see TLS page (Phase 4). |
| mux-option | MuxOption | (disabled) | MuxOption | Multiplex settings shared with sing-style mux. |
Source: listener/inbound/vless.go:12-27 · pinned at v1.19.27 (5184081)
users[]
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
| username | string | (unset) | <string> | Display name for the user, used in stats and logs. |
| uuid | string | (required) | <UUID> | User UUID. |
| flow | string | (empty) | (empty) \| xtls-rprx-vision | Per-user flow algorithm. |
Source: listener/inbound/vless.go:29-33 · pinned at v1.19.27 (5184081)
Examples
Outbound — plain VLESS over WebSocket with TLS:

```yaml
proxies:
  - name: vless-ws
    type: vless
    server: example.com
    port: 443
    uuid: a3482e88-686a-4a58-8126-99c9df64b7bf
    network: ws
    tls: true
    udp: true
    servername: example.com
    ws-opts:
      path: /vl
      headers:
        Host: example.com
```

Outbound — REALITY + XTLS Vision:
```yaml
proxies:
  - name: vless-reality
    type: vless
    server: example.com
    port: 443
    uuid: a3482e88-686a-4a58-8126-99c9df64b7bf
    flow: xtls-rprx-vision
    tls: true
    udp: true
    xudp: true
    servername: www.cloudflare.com
    client-fingerprint: chrome
    reality-opts:
      public-key: <reality public key>
      short-id: <short id>
```

Inbound under `listeners`:
```yaml
listeners:
  - name: vless-in
    type: vless
    listen: 0.0.0.0
    port: 443
    users:
      - username: alice
        uuid: a3482e88-686a-4a58-8126-99c9df64b7bf
        flow: xtls-rprx-vision
    certificate: /etc/mihomo/server.crt
    private-key: /etc/mihomo/server.key
    reality-config:
      enable: true
      dest: www.cloudflare.com:443
      short-id: ['', <short id>]
```

Notes
- mihomo accepts two UDP-encoding switches on the outbound: the legacy booleans `udp`, `packet-addr`, `xudp`, and the modern selector `packet-encoding: xudp|packetaddr`. When the selector is set, the booleans are ignored.
- mihomo's `client-fingerprint` is mihomo-specific: a per-proxy uTLS fingerprint override. The same value can be set globally via `global-client-fingerprint`.
- The inbound's `mux-option` is sing-style mux compatible with sing-box multiplex clients; not the same wire format as Xray's mux.
- `reality-config` on the inbound takes a REALITY server-side bundle (private key, dest target, short-id list). The matching outbound on the other end uses `reality-opts` with the public-key half.
Cross-core notes
- Xray keeps inbound users in `clients[]` with `id` (UUID), supports a richer `fallbacks` chain, and gates encryption with `decryption`/`encryption` fields that must be set. See VLESS — Xray-core.
- sing-box keeps inbound users in `users[]` with `uuid`, and uses embedded `tls`/`transport`/`multiplex` blocks shared by every inbound type. See VLESS — sing-box.
- mihomo bundles transport, TLS, REALITY, ECH, and UDP-encoding selection into the proxy object itself — there is no separate `streamSettings`/`tls`/`transport` block.
Source: adapter/outbound/vless.go:50-79 · v1.19.27 (5184081)
