Open-source internet freedom tool

Share secure internet with the people you care about

One command sets up an undetectable proxy server — firewall, TLS, routing, all hardened by default. Share access via QR codes.

Get started Read the docs
Connection page — what your friends receive

What your friends receive — see the demo

MIT Licensed
4 Languages
100% Open Source
How it works

Three steps to secure internet

You need a VPS (any $5/month server) and a terminal on your laptop. Meridian handles everything else.

Step 1 — Install
curl -sSf https://getmeridian.org/install.sh | bash
then
Step 2 — Deploy
meridian deploy

The wizard asks for your server IP and handles the rest. Or pass flags directly — see the CLI reference.

Meridian deploy output

What happens behind the scenes

1
Installs Docker and deploys Xray via the 3x-ui management panel
2
Generates x25519 keypair — unique encryption keys for Reality authentication
3
Hardens the server — UFW firewall (ports 22 + 443 only), SSH key-only auth, BBR congestion control
4
Configures VLESS+Reality on port 443 — impersonates a real TLS server
5
Enables XHTTP transport — additional stealth routed through nginx, no extra port
6
Outputs QR codes and generates an HTML connection page with setup instructions
Safe to re-run anytime. Fully idempotent — credentials preserved, settings updated in place.
Command builder

Build your command

Configure flags interactively and copy the full command. Supports all Meridian CLI operations.

Deploy VLESS+Reality proxy. Configures Docker, Xray, firewall, and TLS automatically.

Your VPS public IPv4 address, or "local" to deploy on this server. Leave empty for interactive mode.
Default: root. Non-root users get sudo automatically.
IP or name of the exit server this relay forwards to. Must be deployed first.
Optional. Adds CDN fallback via Cloudflare and web panel access.
Site that Reality impersonates. Default: www.microsoft.com. Use meridian scan for optimal targets.
Name for the first client. Default: "default".
Label shown on connection pages.
Emoji or image URL for the connection page.
Color palette for the connection page.
Optional friendly name for the relay (e.g. "ru-moscow").
Port on the relay server. Default: 443.
Copies an AI-ready prompt to clipboard for ChatGPT/Claude troubleshooting.
Add --yes flag. For CI/automation or non-interactive SSH sessions. 
meridian deploy

First time? Just run meridian deploy — the interactive wizard guides you through everything.
Technology

Why censors can't detect it

Traditional VPNs have distinctive traffic signatures. VLESS+Reality is indistinguishable from normal web browsing.

Deep Packet Inspection (DPI)

DPI analyzes traffic patterns to identify proxy protocols. VPNs like OpenVPN and WireGuard have distinctive packet signatures that are trivial to block.

VLESS+Reality produces traffic byte-for-byte identical to a normal HTTPS connection. No headers, no patterns, no packet sizes that distinguish it from regular web browsing.

Active probing

Censors connect to suspicious servers and try to fingerprint them. If a server responds differently than the website it claims to be, it gets blocked.

Reality uses the TLS certificate from a real website (e.g., microsoft.com). When a probe connects, your server completes the handshake using Microsoft's actual certificate. The probe sees a legitimate server. Only clients with your private key get the proxy tunnel.

TLS fingerprinting

Every TLS client sends a unique "Client Hello" fingerprint. Censors flag connections where the fingerprint doesn't match the claimed application.

Meridian uses uTLS to impersonate Chrome's exact TLS fingerprint — the same one used by billions of devices. Your traffic is indistinguishable from someone browsing the web with Chrome.

Connect

Scan and go

After deploying, you get a connection page with QR codes. Send it to whoever needs it — they tap once and connect.

ShadowRocket iOS Streisand iOS v2RayTun iOS v2rayNG Android NekoBox Android FlClash All platforms sing-box All platforms Hiddify All platforms Karing All platforms V2Box All platforms Happ All platforms v2rayN Windows Clash Verge Rev Windows
Device clock must be accurate within 30 seconds. Enable automatic date/time in your device settings.
Architecture

Under the hood

Meridian architecture — nginx SNI routing and TLS, Xray Reality
Standalone mode (no domain)

nginx sits on port 443 and routes traffic by TLS SNI using its stream module. Reality connections route to Xray, while nginx's http module handles everything else — serving connection pages over HTTPS with a Let's Encrypt IP certificate (via acme.sh). XHTTP transport runs through nginx via path-based routing — no extra port exposed.

The 3x-ui panel is reverse-proxied by nginx on a secret path — accessible via HTTPS, no SSH tunnel needed.

Domain mode (CDN fallback)

Adds three components on top of standalone:

nginx stream inspects TLS SNI without terminating encryption. nginx http terminates TLS with Let's Encrypt certificates managed by acme.sh. VLESS+WSS provides a CDN fallback through Cloudflare — works even if your server's IP is blocked.

Relay mode (domestic entry point)

A lightweight Realm TCP forwarder on a domestic server relays port 443 to your exit server abroad. All protocols work through the relay with end-to-end encryption — the relay never sees your traffic.

Deploy with meridian relay deploy RELAY_IP. Client connection pages are automatically regenerated with relay routes.

Ready to get started?

Install Meridian, deploy to your server, and share access with the people who need it. The whole process takes about five minutes.

Install Meridian Read the docs