My working way to set up NetVM via VLESS protocol on sing-box to bypass restrictions:

> ISP -> sys-firewall -> sys-vless -> other qubes/NetVMs

Create an AppVM named "sys-vless", which we want to turn into a NetVM for other qubes. This part is simple, let's continue inside this VM...

Step 1: Download the archive with the appropriate binary here: https://github.com/SagerNet/sing-box/releases. I used the latest stable release, v1.12.8, at the time of publication. For later alpha versions of sing-box, you will need to refactor the config file as its structure changes.

wget https://github.com/SagerNet/sing-box/releases/download/v1.12.8/sing-box-1.12.8-linux-amd64.tar.gz
sha256sum sing-box-1.12.8-linux-amd64.tar.gz
b41d9ae438a4367e5fd5c4aa36fe040d0c1bfe5f91f96a072eef31f61d46670c  sing-box-1.12.8-linux-amd64.tar.gz

Step 2: Extract the sing-box binary from the downloaded archive and move it here: /usr/local/bin/sing-box

tar -xf sing-box-1.12.8-linux-amd64.tar.gz
sudo mv sing-box-1.12.8-linux-amd64/sing-box /usr/local/bin/sing-box

Step 3: Create the config file at: /rw/home/user/config.json

config.json

{
  "log": {
    "disabled": true,
    "level": "warn",
    "output": "box.log",
    "timestamp": true
  },
  "experimental": {
    "cache_file": {
      "enabled": true,
      "path": "clash.db",
      "store_fakeip": false,
      "store_rdrc": false
    }
  },
  "dns": {
    "rules": [
      {
        "server": "fakeip"
      },
      {
        "clash_mode": "Proxy",
        "server": "remote"
      },
      {
        "clash_mode": "Direct",
        "server": "local"
      }
    ],
    "servers": [
      {
        "type": "https",
        "server": "1.1.1.1",
        "detour": "proxy",
        "tag": "remote"
      },
      {
        "type": "https",
        "server": "223.5.5.5",
        "tag": "local"
      },
      {
        "type": "hosts",
        "path": [],
        "predefined": {},
        "tag": "block"
      },
      {
        "type": "local"
      },
      {
        "type": "fakeip",
        "inet4_range": "198.18.0.0/15",
        "inet6_range": "fc00::/18",
        "tag": "fakeip"
      }
    ],
    "strategy": "prefer_ipv4"
  },
  "inbounds": [
    {
      "address": [
        "10.139.1.0/30",
        "fdfe:dcba:9876::1/126"
      ],
      "route_address": [
        "0.0.0.0/1",
        "128.0.0.0/1",
        "::/1",
        "8000::/1"
      ],
      "route_exclude_address": [
        "192.168.0.0/16",
        "172.16.0.0/12",
        "fc00::/7",
        "10.137.0.0/16",
        "10.138.0.0/16",
        "fd09:24ef:4179::a89:0/112",
        "fd09:24ef:4179::a8a:0/112"
      ],
      "stack": "gvisor",
      "auto_route": true,
      "strict_route": true,
      "sniff": true,
      "type": "tun"
    },
    {
      "listen": "127.0.0.1",
      "listen_port": 2333,
      "tag": "mixed-in",
      "type": "mixed",
      "users": []
    }
  ],
  "outbounds": [
    {
      "tag": "proxy",
      "type": "selector",
      "outbounds": [
        "auto",
        "direct",
        "VLESS"
      ]
    },
    {
      "tag": "auto",
      "type": "urltest",
      "outbounds": [
        "VLESS"
      ],
      "url": "http://www.gstatic.com/generate_204",
      "interval": "10m",
      "tolerance": 50
    },
    {
      "type": "vless",
      "tag": "VLESS",
      "server": "YOUR_VLESS_SERVER_DOMAIN",
      "server_port": YOUR_PORT,
      "uuid": "YOUR_UUID",
      "flow": "xtls-rprx-vision",
      "tls": {
        "enabled": true,
        "server_name": "google.com",
        "utls": {
          "enabled": true,
          "fingerprint": "chrome"
        },
        "reality": {
          "enabled": true,
          "public_key": "YOUR_PUBLIC_KEY",
          "short_id": "YOUR_SHORT_ID"
        }
      },
      "packet_encoding": "xudp"
    },
    {
      "type": "direct",
      "tag": "direct"
    }
  ],
  "route": {
    "auto_detect_interface": true,
    "default_domain_resolver": "local",
    "final": "proxy",
    "rules": [
      {
        "action": "sniff"
      },
      {
        "protocol": "dns",
        "action": "hijack-dns"
      },
      {
        "clash_mode": "Direct",
        "outbound": "direct"
      },
      {
        "clash_mode": "Proxy",
        "outbound": "proxy"
      },
      {
        "ip_is_private": true,
        "outbound": "direct"
      }
    ]
  }
}

Replace the following placeholders with the values provided by your VLESS provider:

> YOUR_VLESS_SERVER_DOMAIN
> YOUR_PORT
> YOUR_UUID
> YOUR_PUBLIC_KEY
> YOUR_SHORT_ID

Step 4: Run Vasya, run: sudo sing-box run -c /rw/home/user/config.json

Step 5: Set up sing-box to auto-start with the current NetVM. Add the following line to the bottom of /rw/config/rc.local:

sing-box run -c /rw/home/user/config.json &

Step 6: The traffic will go to IP 223.5.5.5 and the IP associated with your VLESS server, so allow access only to those two addresses through qvm-firewall; everything else should be dropped.

Example firewall rule configuration:

NO  ACTION  HOST          PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   accept  223.5.5.5/32  -         -        -               -          -       -
1   accept  1.2.3.4/32    -         -        -               -          -       -
2   drop    -             -         -        -               -          -       -

VLESS will work!

If anyone has specific suggestions for improving the config, security, or approach, I would be happy to see your comments. Thanks!
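
A pre-flight check for the config above, added here as an example and not part of the original post. It reports selector, route and DNS-detour references to outbound tags that are not defined, any `YOUR_*` placeholder still left in the file, and the hosts sing-box reaches without going through the proxy, which are the ones Step 6 allows in qvm-firewall. The function names and the sample values are assumptions made for the illustration.

```python
import json

def _strings(node):
    """Yield every string value anywhere in the parsed config."""
    if isinstance(node, dict):
        node = list(node.values())
    if isinstance(node, list):
        for v in node:
            yield from _strings(v)
    elif isinstance(node, str):
        yield node

def check_config(cfg):
    """Return dangling outbound references, unreplaced YOUR_* placeholders
    and the hosts sing-box contacts directly (the firewall allowlist)."""
    outbounds = cfg.get("outbounds", [])
    dns_servers = cfg.get("dns", {}).get("servers", [])
    route = cfg.get("route", {})
    defined = {o["tag"] for o in outbounds if "tag" in o}
    refs = {t for o in outbounds for t in o.get("outbounds", [])}  # selector/urltest members
    refs |= {r["outbound"] for r in route.get("rules", []) if "outbound" in r}
    refs |= {s["detour"] for s in dns_servers if "detour" in s}
    if "final" in route:
        refs.add(route["final"])
    # Proxy servers, plus DNS servers with no detour, are reached straight from this qube.
    direct = {o["server"] for o in outbounds if "server" in o}
    direct |= {s["server"] for s in dns_servers if "server" in s and "detour" not in s}
    return {
        "dangling": sorted(refs - defined),
        "placeholders": sorted({s for s in _strings(cfg) if s.startswith("YOUR_")}),
        "firewall_hosts": sorted(direct),
    }

# Constructed sample: trimmed to the page's layout, with made-up values.
SAMPLE = json.loads("""
{"dns": {"servers": [
    {"type": "https", "server": "1.1.1.1", "detour": "proxy", "tag": "remote"},
    {"type": "https", "server": "223.5.5.5", "tag": "local"},
    {"type": "local"}]},
 "outbounds": [
    {"tag": "proxy", "type": "selector", "outbounds": ["auto", "direct", "leftover-node"]},
    {"tag": "auto", "type": "urltest", "outbounds": ["VLESS"]},
    {"tag": "VLESS", "type": "vless", "server": "vless.example.net", "uuid": "YOUR_UUID"},
    {"tag": "direct", "type": "direct"}],
 "route": {"final": "proxy", "rules": [{"ip_is_private": true, "outbound": "direct"}]}}
""")

if __name__ == "__main__":
    print(json.dumps(check_config(SAMPLE), indent=2))
```

To check the real file, pass `json.load(open("/rw/home/user/config.json"))` to `check_config`; a file that still contains the bare `YOUR_PORT` will not parse as JSON at all, which is itself the signal that a placeholder was missed.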