Fix VLESS Not Working in Marzban

(Connected but No Internet, EOL / Closed Pipe Error)

April 23, 2026Last Updated: April 22, 2026
128

VLESS connects but no internet in Marzban? This issue is caused by using IP instead of domain, which breaks WebSocket + TLS routing through Nginx.

Table of Contents

One of my clients recently struggled with a Marzban setup that looked perfectly fine on the surface — but VLESS simply didn’t work.

The dashboard loaded over HTTPS, SSL was valid, and even Shadowsocks worked without any issues. But VLESS connections showed “connected” with no internet. Sometimes the client threw errors like EOL or closed pipe.

Even more confusing — there were no logs in Xray during connection attempts.

This kind of issue is very common in VPS environments where Nginx, TLS, and reverse proxy routing are involved. It typically falls under Cloud & Networking and SSL & DNS Problems, where incorrect endpoints can silently break the entire flow.

Problem Summary

  • VLESS connects but no internet
  • Errors: EOL, closed pipe
  • No logs in Xray during connection
  • Shadowsocks works normally
  • VMess also fails
  • Nginx and SSL appear correctly configured

At this stage, the server looked fine from every angle. But the lack of logs was a strong indicator — traffic wasn’t reaching Xray at all.

So instead of changing random configs, the next step was to trace where the request was getting lost.

Check if Xray is receiving connections

Start by monitoring logs:

				
					docker-compose logs -f marzban

Then try connecting from your client.

Result: no logs appeared.

This confirms the connection is not reaching Xray. So the issue is not inside Xray — it’s somewhere before it.

Due to this, the next logical step is to verify whether Xray is correctly listening.

Confirm Xray is running and listening

Check open ports:

				
					ss -tulnp | grep 10000
Xray Running on port 10000
Xray should be listening on 127.0.0.1:10000.

Then verify the active configuration:

				
					docker exec -it marzban_marzban_1 cat /var/lib/marzban/xray_config.json

Look for:

				
					"network": "ws",
"wsSettings": {
  "path": "/vless"
}

This confirms WebSocket is enabled.

Since Xray is working but not receiving traffic, the problem must be upstream — either Nginx or the client.

Verify Nginx WebSocket proxy

Check your Nginx configuration:

				
					location /vless {
    proxy_pass http://127.0.0.1:10000;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    proxy_set_header Host $host;
    proxy_read_timeout 86400;
}

This configuration is required for WebSocket + TLS routing.

At this point:

  • Xray is working
  • Nginx is correctly configured

So the issue must be in how the client connects.

Identify the actual issue

The client was connecting to port 10000 instead of port 443 over the domain, it bypasses Nginx entirely.

In this architecture:

  • Nginx handles HTTPS (port 443)
  • TLS is terminated at Nginx
  • /vless is routed to Xray

By connecting directly to IP:10000:

  • TLS is skipped
  • WebSocket upgrade fails
  • Xray receives invalid traffic
  • No logs are generated

This explains why everything looked correct but nothing worked.

Fix the connection string

Incorrect:

				
					vless://UUID@IP:10000?type=ws&security=tls

Correct:

				
					vless://UUID@domain.com:443?type=ws&security=tls&path=%2Fvless&host=domain.com&sni=domain.com

Important:

  • Always use domain with TLS
  • Use port 443
  • Set correct path (/vless)
  • Match host and SNI

After updating this, the connection worked immediately.

Verification

To confirm the fix:

  • Import the corrected VLESS link
  • Connect again
  • Check internet access

Then monitor logs:

				
					docker-compose logs -f marzban
Marzban Docker Logs
You should now see connection activity, confirming traffic is reaching Xray.

Common Mistakes / Edge Cases

  • Using IP instead of domain for TLS connections
  • Expecting logs when traffic never reaches Xray
  • Misinterpreting 400 Bad Request as an error (normal for WebSocket endpoints)
  • Mismatch between client transport (TCP vs WS) and server configuration

Need Help Fixing Your VPS?

If you’re stuck with server issues and need a reliable fix, I troubleshoot real VPS problems daily — from Nginx errors and SMTP failures to DNS and performance issues.

Instead of guessing, get a proven fix based on real experience.

  • Fix Nginx, Apache, and 502/504 errors
  • Resolve SMTP, email, and SES issues
  • Debug DNS, SSL, and domain problems
  • Optimize performance (CPU, RAM, slow sites)
Fix My Server → Get Help Now

Conclusion

This wasn’t a server-side misconfiguration.

Marzban, Xray, and Nginx were all working correctly.

The issue was using IP:10000 instead of domain:443, which bypassed Nginx and broke the WebSocket + TLS flow.

In setups like this, the domain is required — without it, the connection will fail silently.

Tags
April 23, 2026Last Updated: April 22, 2026
128

Tharindu

Hey!! I'm Tharindu. I'm from Sri Lanka. I'm a part time freelancer and this is my blog where I write about everything I think might be useful to readers. If you read a tutorial here and want to hire me, contact me here.

Related Articles

prosper202 on Nginx VPS

How to Install Prosper202 on Nginx powered VPS

October 23, 2013
Install Virtualmin with Nginx

Install Virtualmin, Nginx 1.16, PHP 7.3, MariaDB 10 on Ubuntu 16.04 Server

August 27, 2016
use-multiple-php-versions-virtualmin-nginx

Use Multiple PHP Versions with Virtualmin and Nginx

June 19, 2018

Install IonCube Loader for PHP on Nginx-Ubuntu Server

October 15, 2014

Leave a Reply

Your email address will not be published. Required fields are marked *

© Copyright 2012 - 2026
The terms & logos we've used are registered trademarks for their respective corporations, and used on this site for reference proposes only. Infringing behavior isn't intended.
Made with in Sri Lanka
Back to top button