Complete Guide: Configuring Hax IPv6 VPS with Cloudflare Optimized IP Nodes

This is a comprehensive, no-pitfall guide for setting up Cloudflare Optimized IP nodes on a Hax (IPv6 Only VPS) environment using Yongge (ygkk) scripts.

This process solves three core issues you might encounter:

1. Unable to Download (solved by DNS64)
2. Missing Environment (solved by installing curl/warp)
3. Certificate Application Failure (solved by toggling the Cloudflare Proxy)

Phase One: Basic Environment Repair (The Most Critical Step)

Since Hax is purely IPv6, you must first configure DNS64 to allow it to access GitHub and install basic software.

1. Modify DNS to Google DNS64

Copy and execute the following code block:

echo -e "nameserver 2001:4860:4860::6464\nnameserver 2001:4860:4860::64" > /etc/resolv.conf

2. Update the System and Install curl

After modifying the DNS, the system can find the software repositories:

apt update && apt install -y curl wget

Phase Two: Install WARP (Enable Outbound IPv4)

To allow your VPS to access IPv4 websites (such as downloading scripts or accessing OpenAI), you must install WARP.

1. Run Yongge's WARP Script

bash <(curl -Ls https://raw.githubusercontent.com/yonggekkk/warp-yg/main/CFwarp.sh)

Selection Guide:

• Option: It is recommended to choose 1 (Install/Switch to WARP-GO)
• Mode: Choose 1 (Add IPv4 network for IPv6 machine)
• Priority: It is suggested to choose IPv4 Priority

Phase Three: Prepare the Domain (Prerequisite for Certificate Application)

If you skip this step, the certificate will definitely fail!

1. Log in to the Cloudflare Dashboard
2. Add an AAAA Record: Point your domain (e.g., hax.yourdomain.com) to the VPS's IPv6 address
3. Turn Off the Orange Cloud (Proxy Status: DNS Only): Click the orange cloud to make it gray
   • Reason: Certificate application requires verification of the server's real IP, and having the proxy enabled will cause the verification to fail

Phase Four: Install X-UI and Apply for a Certificate

Now that the network is connected, the environment is set up, and the domain is directly linked, start installing the panel.

1. Run Yongge's X-UI Script

bash <(curl -Ls https://raw.githubusercontent.com/yonggekkk/x-ui-yg/main/install.sh)

2. Key Choices During Installation

• Set Account Password: Set it yourself
• Set Port: If you don't want to complicate things, use the default or set any port (you can change it later in the panel)
• Apply for SSL Certificate: You must select this!
  • Choose "Apply for ACME Certificate"
  • Enter the domain you just resolved (e.g., hax.yourdomain.com)
  • The script will automatically apply for the certificate and store it in /root/ygkkkca/

Phase Five: Configure Nodes and Enable CDN (Final Form)

1. Re-enable Cloudflare Proxy

• After successfully applying for the certificate, immediately go to the CF dashboard and turn on the orange cloud (make it proxied)
• SSL/TLS Settings: Choose Full or Full (Strict)

2. Log in to the X-UI Panel to Configure Nodes

Access http://[your IPv6 address]:port (note that IPv6 addresses need to be enclosed in square brackets, or use the domain you just bound)

Add Inbound Node (Configure as follows):

• Protocol: vmess or vless
• Port: 443 (recommended) or 2053 / 2083 / 8443
• Transport Protocol: ws (WebSocket) — This must be selected
• Path: Enter a complex path, such as /api/data
• TLS: Enabled
• Certificate Path: The script usually fills this in automatically (/root/ygkkkca/cert.crt and private.key)

Phase Six: Client Connection (Using Optimized IP)

This is the final step to get you flying. Enter the following in v2rayNG / Shadowrocket / v2rayN:

• Address (Address): Do not enter your domain! Enter the optimized IP (e.g., icook.hk, www.visa.com.sg, or a CF IP you have scanned)
• Port (Port): The port you set in the panel (e.g., 443)
• Masquerade Domain (Host / SNI): Enter your real domain (hax.yourdomain.com)
• Transport Protocol: ws
• Path: The path you set in the panel (/api/data)
• TLS: Enabled

Summary: How the Traffic Flows

Your Phone (IPv4)
   ⬇️
Cloudflare Optimized Node (IPv4, e.g., icook.hk)
   ⬇️ (via Cloudflare internal tunnel)
Cloudflare Edge Network
   ⬇️ (forwarded to your IPv6)
Hax VPS (X-UI Panel)
   ⬇️ (via WARP outbound)
Target Website (Google/YouTube)

Congratulations! You now have a dual-stack, certified, block-resistant, and optimized for speed permanently free node.

Common Troubleshooting

Common Issue: Unable to Download in Phase One

Solution: Verify if DNS64 is working:

cat /etc/resolv.conf

You should see:

nameserver 2001:4860:4860::6464
nameserver 2001:4860:4860::64

Common Issue: WARP Installation Stuck

Solution: Ensure curl is installed first:

apt install -y curl

Then retry the WARP script.

Common Issue: Certificate Application Failure

Checklist:

1. Is the AAAA record pointing to the correct IPv6 address?
2. Is the Cloudflare proxy turned off (gray)?
3. Wait 5 minutes after adding the AAAA record for the DNS to take effect

Common Issue: Client Cannot Connect

Verification:

1. Can the X-UI panel be accessed from http://[IPv6]:port?
2. Is the certificate path correctly configured in the inbound settings?
3. Are you using the optimized IP (not your domain) in the address?
4. Is TLS enabled in the client configuration?

Advantages of This Solution

✅ Native IPv6 Support - No tunnel overhead, native IPv6 stack ✅ Completely Free - Using Hax free tier + Cloudflare free plan ✅ Automatic Certificate Renewal - ACME handles expiration automatically ✅ Cloudflare Protection - DDoS protection + optimized IP caching ✅ Clean IP - WARP provides residential-grade IPv4 outbound ✅ High-Speed Connection - Low-latency WebSocket + gRPC tunnels