remnawave_selfsteal_guide

Updating entire system and installing curl

Install Docker using the official convenience script

Create the project directory and enter it

Fetch the Docker Compose file

Fetch the sample environment file

Generate JWT secrets used for auth and API token signing

Generate additional secrets for metrics and webhooks

Rotate the Postgres password and keep DATABASE_URL in sync

Search in .env this values

Change "panel.yourdomain.com" & "sub.yourdomain.com" on your domains

Start containers and tail logs with timestamps

Create a file called Caddyfile in the /opt/remnawave/caddy directory.

Paste the following configuration

https://REPLACE_WITH_YOUR_DOMAIN {        reverse_proxy * http://remnawave:3000}:443 {    tls internal    respond 204}https://SUBSCRIPTION_PAGE_DOMAIN {        reverse_proxy * http://remnawave-subscription-page:3010}

Create docker-compose.yml

Paste the following configuration.

services:    caddy:        image: caddy:2.9        container_name: 'caddy'        hostname: caddy        restart: always        ports:            - '0.0.0.0:443:443'            - '0.0.0.0:80:80'        networks:            - remnawave-network        volumes:            - ./Caddyfile:/etc/caddy/Caddyfile            - caddy-ssl-dаta:/datanetworks:    remnawave-network:        name: remnawave-network        driver: bridge        external: truevolumes:    caddy-ssl-dаta:        driver: local        external: false        name: caddy-ssl-data

Start the container

Remnawave Subscription Page

Paste docker-compose.yml file content

services:    remnawave-subscription-page:        image: remnawave/subscription-page:latest        container_name: remnawave-subscription-page        hostname: remnawave-subscription-page        restart: always        environment:            - REMNAWAVE_PANEL_URL=https://panel.com            - APP_PORT=3010            - META_TITLE="Subscription Page Title"            - META_DESCRIPTION="Subscription Page Description"        ports:            - '127.0.0.1:3010:3010'        networks:            - remnawave-networknetworks:    remnawave-network:        driver: bridge        external: true

Start the container

Open your second vps server, for node you created before

Updating entire system and installing curl

Install Docker using the official convenience script

Create project directory

Configure the .env file

.env file content

APP_PORT=2222SSL_CERT=CERT_FROM_MAIN_PANEL

docker-compose.yml file content

services:    remnanode:        container_name: remnanode        hostname: remnanode        image: remnawave/node:latest        restart: always        network_mode: host        env_file:            - .env

Pulling container

Create the working directory and open Caddyfile for editing

Paste the following

{    https_port {$SELF_STEAL_PORT}    default_bind 127.0.0.1    servers {        listener_wrappers {            proxy_protocol {                allow 127.0.0.1/32            }            tls        }    }    auto_https disable_redirects}http://{$SELF_STEAL_DOMAIN} {    bind 0.0.0.0    redir https://{$SELF_STEAL_DOMAIN}{uri} permanent}https://{$SELF_STEAL_DOMAIN} {    root * /var/www/html    try_files {path} /index.html    file_server}:{$SELF_STEAL_PORT} {    tls internal    respond 204}:80 {    bind 0.0.0.0    respond 204}

Configure environment variables

Paste (replace steel.domain.com with your placeholder domain):

Create docker-compose.yml

Paste:

services:  caddy:    image: caddy:2.9.1    container_name: caddy-remnawave    restart: unless-stopped    volumes:      - ./Caddyfile:/etc/caddy/Caddyfile      - ../html:/var/www/html      - ./logs:/var/log/caddy      - caddy_data_selfsteal:/data      - caddy_config_selfsteal:/config    env_file:      - .env    network_mode: "host"volumes:  caddy_data_selfsteal:  caddy_config_selfsteal:

Launch and verify

Create the placeholder site

mkdir -p /opt/htmlprintf '%s\n' '<!doctype html><meta charset="utf-8"><title>Selfsteal</title><h1>It works.</h1>' \  > /opt/html/index.html

Xray config (Reality) — update via Panel

{  "log": {    "loglevel": "info"  },  "inbounds": [    {      "tag": "Shadowsocks",      "port": 1234,      "protocol": "shadowsocks",      "settings": {        "clients": [],        "network": "tcp,udp"      },      "sniffing": {        "enabled": true,        "destOverride": [          "http",          "tls",          "quic"        ]      }    },    {      "tag": "VLESS",      "port": 443,      "listen": "0.0.0.0",      "protocol": "vless",      "settings": {        "clients": [],        "decryption": "none"      },      "sniffing": {        "enabled": true,        "routeOnly": false,        "destOverride": [          "http",          "tls",          "quic",          "fakedns"        ],        "metadataOnly": false      },      "streamSettings": {        "network": "tcp",        "security": "reality",        "tcpSettings": {          "header": {            "type": "none"          },          "acceptProxyProtocol": false        },        "realitySettings": {          "dest": "9443",          "show": false,          "xver": 0,          "spiderX": "/",          "shortIds": [            "CHANGE_ME_SHORTID"          ],          "publicKey": "CHANGE_ME_PUBLIC_KEY",          "privateKey": "CHANGE_ME_PRIVATE_KEY",          "fingerprint": "chrome",          "serverNames": [            "steel.domen.com"          ]        }      }    }  ],  "outbounds": [    {      "tag": "DIRECT",      "protocol": "freedom"    },    {      "tag": "BLOCK",      "protocol": "blackhole"    }  ],  "routing": {    "rules": [      {        "ip": [          "geoip:private"        ],        "type": "field",        "outboundTag": "BLOCK"      },      {        "type": "field",        "domain": [          "geosite:private"        ],        "outboundTag": "BLOCK"      },      {        "type": "field",        "protocol": [          "bittorrent"        ],        "outboundTag": "BLOCK"      }    ]  }}