Add VLESS server, vision flow and reality TLS

2026-06-25 11:53:11 +03:00 · 2023-02-25 16:24:08 +08:00
parent 21ba99a66b
commit dc5bb1fa9d
40 changed files with 2486 additions and 120 deletions
--- a/transport/vless/client.go
+++ b/transport/vless/client.go
@@ -0,0 +1,204 @@
+package vless
+
+import (
+	"encoding/binary"
+	"io"
+	"net"
+
+	"github.com/sagernet/sing-vmess"
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/buf"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+
+	"github.com/gofrs/uuid"
+)
+
+type Client struct {
+	key  [16]byte
+	flow string
+}
+
+func NewClient(userId string, flow string) (*Client, error) {
+	user := uuid.FromStringOrNil(userId)
+	if user == uuid.Nil {
+		user = uuid.NewV5(user, userId)
+	}
+	switch flow {
+	case "", "xtls-rprx-vision":
+	default:
+		return nil, E.New("unsupported flow: " + flow)
+	}
+	return &Client{user, flow}, nil
+}
+
+func (c *Client) prepareConn(conn net.Conn) (net.Conn, error) {
+	if c.flow == FlowVision {
+		vConn, err := NewVisionConn(conn, c.key)
+		if err != nil {
+			return nil, E.Cause(err, "initialize vision")
+		}
+		conn = vConn
+	}
+	return conn, nil
+}
+
+func (c *Client) DialConn(conn net.Conn, destination M.Socksaddr) (*Conn, error) {
+	vConn, err := c.prepareConn(conn)
+	if err != nil {
+		return nil, err
+	}
+	serverConn := &Conn{Conn: conn, protocolConn: vConn, key: c.key, command: vmess.CommandTCP, destination: destination, flow: c.flow}
+	return serverConn, common.Error(serverConn.Write(nil))
+}
+
+func (c *Client) DialEarlyConn(conn net.Conn, destination M.Socksaddr) (*Conn, error) {
+	vConn, err := c.prepareConn(conn)
+	if err != nil {
+		return nil, err
+	}
+	return &Conn{Conn: conn, protocolConn: vConn, key: c.key, command: vmess.CommandTCP, destination: destination, flow: c.flow}, nil
+}
+
+func (c *Client) DialPacketConn(conn net.Conn, destination M.Socksaddr) (*PacketConn, error) {
+	serverConn := &PacketConn{Conn: conn, key: c.key, destination: destination, flow: c.flow}
+	return serverConn, common.Error(serverConn.Write(nil))
+}
+
+func (c *Client) DialEarlyPacketConn(conn net.Conn, destination M.Socksaddr) (*PacketConn, error) {
+	return &PacketConn{Conn: conn, key: c.key, destination: destination, flow: c.flow}, nil
+}
+
+func (c *Client) DialXUDPPacketConn(conn net.Conn, destination M.Socksaddr) (vmess.PacketConn, error) {
+	serverConn := &Conn{Conn: conn, protocolConn: conn, key: c.key, command: vmess.CommandMux, destination: destination, flow: c.flow}
+	err := common.Error(serverConn.Write(nil))
+	if err != nil {
+		return nil, err
+	}
+	return vmess.NewXUDPConn(serverConn, destination), nil
+}
+
+func (c *Client) DialEarlyXUDPPacketConn(conn net.Conn, destination M.Socksaddr) (vmess.PacketConn, error) {
+	return vmess.NewXUDPConn(&Conn{Conn: conn, protocolConn: conn, key: c.key, command: vmess.CommandMux, destination: destination, flow: c.flow}, destination), nil
+}
+
+type Conn struct {
+	net.Conn
+	protocolConn   net.Conn
+	key            [16]byte
+	command        byte
+	destination    M.Socksaddr
+	flow           string
+	requestWritten bool
+	responseRead   bool
+}
+
+func (c *Conn) Read(b []byte) (n int, err error) {
+	if !c.responseRead {
+		err = ReadResponse(c.Conn)
+		if err != nil {
+			return
+		}
+		c.responseRead = true
+	}
+	return c.protocolConn.Read(b)
+}
+
+func (c *Conn) Write(b []byte) (n int, err error) {
+	if !c.requestWritten {
+		request := Request{c.key, c.command, c.destination, c.flow}
+		if c.protocolConn != nil {
+			err = WriteRequest(c.Conn, request, nil)
+		} else {
+			err = WriteRequest(c.Conn, request, b)
+		}
+		if err == nil {
+			n = len(b)
+		}
+		c.requestWritten = true
+		if c.protocolConn == nil {
+			return
+		}
+	}
+	return c.protocolConn.Write(b)
+}
+
+func (c *Conn) Upstream() any {
+	return c.Conn
+}
+
+type PacketConn struct {
+	net.Conn
+	key            [16]byte
+	destination    M.Socksaddr
+	flow           string
+	requestWritten bool
+	responseRead   bool
+}
+
+func (c *PacketConn) Read(b []byte) (n int, err error) {
+	if !c.responseRead {
+		err = ReadResponse(c.Conn)
+		if err != nil {
+			return
+		}
+		c.responseRead = true
+	}
+	var length uint16
+	err = binary.Read(c.Conn, binary.BigEndian, &length)
+	if err != nil {
+		return
+	}
+	if cap(b) < int(length) {
+		return 0, io.ErrShortBuffer
+	}
+	return io.ReadFull(c.Conn, b[:length])
+}
+
+func (c *PacketConn) Write(b []byte) (n int, err error) {
+	if !c.requestWritten {
+		err = WritePacketRequest(c.Conn, Request{c.key, vmess.CommandUDP, c.destination, c.flow}, nil)
+		if err == nil {
+			n = len(b)
+		}
+		c.requestWritten = true
+	}
+	err = binary.Write(c.Conn, binary.BigEndian, uint16(len(b)))
+	if err != nil {
+		return
+	}
+	return c.Conn.Write(b)
+}
+
+func (c *PacketConn) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
+	defer buffer.Release()
+	dataLen := buffer.Len()
+	binary.BigEndian.PutUint16(buffer.ExtendHeader(2), uint16(dataLen))
+	if !c.requestWritten {
+		err := WritePacketRequest(c.Conn, Request{c.key, vmess.CommandUDP, c.destination, c.flow}, buffer.Bytes())
+		c.requestWritten = true
+		return err
+	}
+	return common.Error(c.Conn.Write(buffer.Bytes()))
+}
+
+func (c *PacketConn) ReadFrom(p []byte) (n int, addr net.Addr, err error) {
+	n, err = c.Read(p)
+	if err != nil {
+		return
+	}
+	addr = c.destination.UDPAddr()
+	return
+}
+
+func (c *PacketConn) WriteTo(p []byte, addr net.Addr) (n int, err error) {
+	return c.Write(p)
+}
+
+func (c *PacketConn) FrontHeadroom() int {
+	return 2
+}
+
+func (c *PacketConn) Upstream() any {
+	return c.Conn
+}
--- a/transport/vless/constant.go
+++ b/transport/vless/constant.go
@@ -0,0 +1,34 @@
+package vless
+
+import (
+	"bytes"
+
+	"github.com/sagernet/sing/common/buf"
+)
+
+var (
+	tls13SupportedVersions  = []byte{0x00, 0x2b, 0x00, 0x02, 0x03, 0x04}
+	tlsClientHandShakeStart = []byte{0x16, 0x03}
+	tlsServerHandShakeStart = []byte{0x16, 0x03, 0x03}
+	tlsApplicationDataStart = []byte{0x17, 0x03, 0x03}
+)
+
+var tls13CipherSuiteDic = map[uint16]string{
+	0x1301: "TLS_AES_128_GCM_SHA256",
+	0x1302: "TLS_AES_256_GCM_SHA384",
+	0x1303: "TLS_CHACHA20_POLY1305_SHA256",
+	0x1304: "TLS_AES_128_CCM_SHA256",
+	0x1305: "TLS_AES_128_CCM_8_SHA256",
+}
+
+func reshapeBuffer(b []byte) []*buf.Buffer {
+	const bufferLimit = 8192 - 21
+	if len(b) < bufferLimit {
+		return []*buf.Buffer{buf.As(b)}
+	}
+	index := int32(bytes.LastIndex(b, tlsApplicationDataStart))
+	if index <= 0 {
+		index = 8192 / 2
+	}
+	return []*buf.Buffer{buf.As(b[:index]), buf.As(b[index:])}
+}
--- a/transport/vless/protocol.go
+++ b/transport/vless/protocol.go
@@ -0,0 +1,241 @@
+package vless
+
+import (
+	"bytes"
+	"encoding/binary"
+	"io"
+
+	"github.com/sagernet/sing-vmess"
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/buf"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	"github.com/sagernet/sing/common/rw"
+)
+
+const (
+	Version    = 0
+	FlowVision = "xtls-rprx-vision"
+)
+
+type Request struct {
+	UUID        [16]byte
+	Command     byte
+	Destination M.Socksaddr
+	Flow        string
+}
+
+func ReadRequest(reader io.Reader) (*Request, error) {
+	var request Request
+
+	var version uint8
+	err := binary.Read(reader, binary.BigEndian, &version)
+	if err != nil {
+		return nil, err
+	}
+	if version != Version {
+		return nil, E.New("unknown version: ", version)
+	}
+
+	_, err = io.ReadFull(reader, request.UUID[:])
+	if err != nil {
+		return nil, err
+	}
+
+	var addonsLen uint8
+	err = binary.Read(reader, binary.BigEndian, &addonsLen)
+	if err != nil {
+		return nil, err
+	}
+
+	if addonsLen > 0 {
+		addonsBytes, err := rw.ReadBytes(reader, int(addonsLen))
+		if err != nil {
+			return nil, err
+		}
+
+		addons, err := readAddons(bytes.NewReader(addonsBytes))
+		if err != nil {
+			return nil, err
+		}
+		request.Flow = addons.Flow
+	}
+
+	err = binary.Read(reader, binary.BigEndian, &request.Command)
+	if err != nil {
+		return nil, err
+	}
+
+	if request.Command != vmess.CommandMux {
+		request.Destination, err = vmess.AddressSerializer.ReadAddrPort(reader)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return &request, nil
+}
+
+type Addons struct {
+	Flow string
+	Seed string
+}
+
+func readAddons(reader io.Reader) (*Addons, error) {
+	protoHeader, err := rw.ReadByte(reader)
+	if err != nil {
+		return nil, err
+	}
+	if protoHeader != 10 {
+		return nil, E.New("unknown protobuf message header: ", protoHeader)
+	}
+
+	var addons Addons
+
+	flowLen, err := rw.ReadUVariant(reader)
+	if err != nil {
+		if err == io.EOF {
+			return &addons, nil
+		}
+		return nil, err
+	}
+	flowBytes, err := rw.ReadBytes(reader, int(flowLen))
+	if err != nil {
+		return nil, err
+	}
+	addons.Flow = string(flowBytes)
+
+	seedLen, err := rw.ReadUVariant(reader)
+	if err != nil {
+		if err == io.EOF {
+			return &addons, nil
+		}
+		return nil, err
+	}
+	seedBytes, err := rw.ReadBytes(reader, int(seedLen))
+	if err != nil {
+		return nil, err
+	}
+	addons.Seed = string(seedBytes)
+
+	return &addons, nil
+}
+
+func WriteRequest(writer io.Writer, request Request, payload []byte) error {
+	var requestLen int
+	requestLen += 1  // version
+	requestLen += 16 // uuid
+	requestLen += 1  // protobuf length
+
+	var addonsLen int
+	if request.Flow != "" {
+		addonsLen += 1 // protobuf header
+		addonsLen += UvarintLen(uint64(len(request.Flow)))
+		addonsLen += len(request.Flow)
+		requestLen += addonsLen
+	}
+	requestLen += 1 // command
+	if request.Command != vmess.CommandMux {
+		requestLen += vmess.AddressSerializer.AddrPortLen(request.Destination)
+	}
+	requestLen += len(payload)
+	_buffer := buf.StackNewSize(requestLen)
+	defer common.KeepAlive(_buffer)
+	buffer := common.Dup(_buffer)
+	defer buffer.Release()
+	common.Must(
+		buffer.WriteByte(Version),
+		common.Error(buffer.Write(request.UUID[:])),
+		buffer.WriteByte(byte(addonsLen)),
+	)
+	if addonsLen > 0 {
+		common.Must(buffer.WriteByte(10))
+		binary.PutUvarint(buffer.Extend(UvarintLen(uint64(len(request.Flow)))), uint64(len(request.Flow)))
+		common.Must(common.Error(buffer.Write([]byte(request.Flow))))
+	}
+	common.Must(
+		buffer.WriteByte(request.Command),
+	)
+
+	if request.Command != vmess.CommandMux {
+		common.Must(vmess.AddressSerializer.WriteAddrPort(buffer, request.Destination))
+	}
+
+	common.Must1(buffer.Write(payload))
+	return common.Error(writer.Write(buffer.Bytes()))
+}
+
+func WritePacketRequest(writer io.Writer, request Request, payload []byte) error {
+	var requestLen int
+	requestLen += 1  // version
+	requestLen += 16 // uuid
+	requestLen += 1  // protobuf length
+	var addonsLen int
+	/*if request.Flow != "" {
+		addonsLen += 1 // protobuf header
+		addonsLen += UvarintLen(uint64(len(request.Flow)))
+		addonsLen += len(request.Flow)
+		requestLen += addonsLen
+	}*/
+	requestLen += 1 // command
+	requestLen += vmess.AddressSerializer.AddrPortLen(request.Destination)
+	if len(payload) > 0 {
+		requestLen += 2
+		requestLen += len(payload)
+	}
+	_buffer := buf.StackNewSize(requestLen)
+	defer common.KeepAlive(_buffer)
+	buffer := common.Dup(_buffer)
+	defer buffer.Release()
+	common.Must(
+		buffer.WriteByte(Version),
+		common.Error(buffer.Write(request.UUID[:])),
+		buffer.WriteByte(byte(addonsLen)),
+	)
+
+	if addonsLen > 0 {
+		common.Must(buffer.WriteByte(10))
+		binary.PutUvarint(buffer.Extend(UvarintLen(uint64(len(request.Flow)))), uint64(len(request.Flow)))
+		common.Must(common.Error(buffer.Write([]byte(request.Flow))))
+	}
+
+	common.Must(
+		buffer.WriteByte(vmess.CommandUDP),
+		vmess.AddressSerializer.WriteAddrPort(buffer, request.Destination),
+	)
+
+	if len(payload) > 0 {
+		common.Must(
+			binary.Write(buffer, binary.BigEndian, uint16(len(payload))),
+			common.Error(buffer.Write(payload)),
+		)
+	}
+
+	return common.Error(writer.Write(buffer.Bytes()))
+}
+
+func ReadResponse(reader io.Reader) error {
+	version, err := rw.ReadByte(reader)
+	if err != nil {
+		return err
+	}
+	if version != Version {
+		return E.New("unknown version: ", version)
+	}
+	protobufLength, err := rw.ReadByte(reader)
+	if err != nil {
+		return err
+	}
+	if protobufLength > 0 {
+		err = rw.SkipN(reader, int(protobufLength))
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func UvarintLen(value uint64) int {
+	var buffer [binary.MaxVarintLen64]byte
+	return binary.PutUvarint(buffer[:], value)
+}
--- a/transport/vless/service.go
+++ b/transport/vless/service.go
@@ -0,0 +1,196 @@
+package vless
+
+import (
+	"context"
+	"encoding/binary"
+	"io"
+	"net"
+
+	"github.com/sagernet/sing-vmess"
+	"github.com/sagernet/sing/common/auth"
+	"github.com/sagernet/sing/common/buf"
+	"github.com/sagernet/sing/common/bufio"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+
+	"github.com/gofrs/uuid"
+)
+
+type Service[T any] struct {
+	userMap map[[16]byte]T
+	handler Handler
+}
+
+type Handler interface {
+	N.TCPConnectionHandler
+	N.UDPConnectionHandler
+	E.Handler
+}
+
+func NewService[T any](handler Handler) *Service[T] {
+	return &Service[T]{
+		handler: handler,
+	}
+}
+
+func (s *Service[T]) UpdateUsers(userList []T, userUUIDList []string) {
+	userMap := make(map[[16]byte]T)
+	for i, userName := range userList {
+		userID := uuid.FromStringOrNil(userUUIDList[i])
+		if userID == uuid.Nil {
+			userID = uuid.NewV5(uuid.Nil, userUUIDList[i])
+		}
+		userMap[userID] = userName
+	}
+	s.userMap = userMap
+}
+
+var _ N.TCPConnectionHandler = (*Service[int])(nil)
+
+func (s *Service[T]) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
+	request, err := ReadRequest(conn)
+	if err != nil {
+		return err
+	}
+	user, loaded := s.userMap[request.UUID]
+	if !loaded {
+		return E.New("unknown UUID: ", uuid.FromBytesOrNil(request.UUID[:]))
+	}
+	ctx = auth.ContextWithUser(ctx, user)
+	metadata.Destination = request.Destination
+
+	protocolConn := conn
+	switch request.Flow {
+	case "":
+	case FlowVision:
+		protocolConn, err = NewVisionConn(conn, request.UUID)
+		if err != nil {
+			return E.Cause(err, "initialize vision")
+		}
+	}
+
+	switch request.Command {
+	case vmess.CommandTCP:
+		return s.handler.NewConnection(ctx, &serverConn{Conn: protocolConn, responseWriter: conn}, metadata)
+	case vmess.CommandUDP:
+		return s.handler.NewPacketConnection(ctx, &serverPacketConn{ExtendedConn: bufio.NewExtendedConn(conn), destination: request.Destination}, metadata)
+	case vmess.CommandMux:
+		return vmess.HandleMuxConnection(ctx, &serverConn{Conn: conn}, s.handler)
+	default:
+		return E.New("unknown command: ", request.Command)
+	}
+}
+
+type serverConn struct {
+	net.Conn
+	responseWriter  io.Writer
+	responseWritten bool
+}
+
+func (c *serverConn) Read(b []byte) (n int, err error) {
+	return c.Conn.Read(b)
+}
+
+func (c *serverConn) Write(b []byte) (n int, err error) {
+	if !c.responseWritten {
+		if c.responseWriter == nil {
+			_, err = bufio.WriteVectorised(bufio.NewVectorisedWriter(c.Conn), [][]byte{{Version, 0}, b})
+			if err == nil {
+				n = len(b)
+			}
+			c.responseWritten = true
+			return
+		} else {
+			_, err = c.responseWriter.Write([]byte{Version, 0})
+			if err != nil {
+				return
+			}
+			c.responseWritten = true
+		}
+	}
+	return c.Conn.Write(b)
+}
+
+type serverPacketConn struct {
+	N.ExtendedConn
+	responseWriter  io.Writer
+	responseWritten bool
+	destination     M.Socksaddr
+}
+
+func (c *serverPacketConn) ReadFrom(p []byte) (n int, addr net.Addr, err error) {
+	n, err = c.ExtendedConn.Read(p)
+	if err != nil {
+		return
+	}
+	addr = c.destination.UDPAddr()
+	return
+}
+
+func (c *serverPacketConn) WriteTo(p []byte, addr net.Addr) (n int, err error) {
+	if !c.responseWritten {
+		if c.responseWriter == nil {
+			var packetLen [2]byte
+			binary.BigEndian.PutUint16(packetLen[:], uint16(len(p)))
+			_, err = bufio.WriteVectorised(bufio.NewVectorisedWriter(c.ExtendedConn), [][]byte{{Version, 0}, packetLen[:], p})
+			if err == nil {
+				n = len(p)
+			}
+			c.responseWritten = true
+			return
+		} else {
+			_, err = c.responseWriter.Write([]byte{Version, 0})
+			if err != nil {
+				return
+			}
+			c.responseWritten = true
+		}
+	}
+	return c.ExtendedConn.Write(p)
+}
+
+func (c *serverPacketConn) ReadPacket(buffer *buf.Buffer) (destination M.Socksaddr, err error) {
+	var packetLen uint16
+	err = binary.Read(c.ExtendedConn, binary.BigEndian, &packetLen)
+	if err != nil {
+		return
+	}
+
+	_, err = buffer.ReadFullFrom(c.ExtendedConn, int(packetLen))
+	if err != nil {
+		return
+	}
+
+	destination = c.destination
+	return
+}
+
+func (c *serverPacketConn) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
+	if !c.responseWritten {
+		if c.responseWriter == nil {
+			var packetLen [2]byte
+			binary.BigEndian.PutUint16(packetLen[:], uint16(buffer.Len()))
+			err := bufio.NewVectorisedWriter(c.ExtendedConn).WriteVectorised([]*buf.Buffer{buf.As([]byte{Version, 0}), buf.As(packetLen[:]), buffer})
+			c.responseWritten = true
+			return err
+		} else {
+			_, err := c.responseWriter.Write([]byte{Version, 0})
+			if err != nil {
+				return err
+			}
+			c.responseWritten = true
+		}
+	}
+	packetLen := buffer.Len()
+	binary.BigEndian.PutUint16(buffer.ExtendHeader(2), uint16(packetLen))
+	return c.ExtendedConn.WriteBuffer(buffer)
+}
+
+func (c *serverPacketConn) FrontHeadroom() int {
+	return 2
+}
+
+func (c *serverPacketConn) Upstream() any {
+	return c.ExtendedConn
+}
--- a/transport/vless/vision.go
+++ b/transport/vless/vision.go
@@ -0,0 +1,309 @@
+package vless
+
+import (
+	"bytes"
+	"crypto/rand"
+	"crypto/tls"
+	"io"
+	"math/big"
+	"net"
+	"reflect"
+	"time"
+	"unsafe"
+
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/buf"
+	"github.com/sagernet/sing/common/bufio"
+	E "github.com/sagernet/sing/common/exceptions"
+	N "github.com/sagernet/sing/common/network"
+)
+
+var tlsRegistry []func(conn net.Conn) (loaded bool, netConn net.Conn, reflectType reflect.Type, reflectPointer uintptr)
+
+func init() {
+	tlsRegistry = append(tlsRegistry, func(conn net.Conn) (loaded bool, netConn net.Conn, reflectType reflect.Type, reflectPointer uintptr) {
+		tlsConn, loaded := conn.(*tls.Conn)
+		if !loaded {
+			return
+		}
+		return true, tlsConn.NetConn(), reflect.TypeOf(tlsConn).Elem(), uintptr(unsafe.Pointer(tlsConn))
+	})
+}
+
+type VisionConn struct {
+	net.Conn
+	writer   N.VectorisedWriter
+	input    *bytes.Reader
+	rawInput *bytes.Buffer
+	netConn  net.Conn
+
+	userUUID                 [16]byte
+	isTLS                    bool
+	numberOfPacketToFilter   int
+	isTLS12orAbove           bool
+	remainingServerHello     int32
+	cipher                   uint16
+	enableXTLS               bool
+	filterTlsApplicationData bool
+	directWrite              bool
+	writeUUID                bool
+	filterUUID               bool
+	remainingContent         int
+	remainingPadding         int
+	currentCommand           int
+	directRead               bool
+	remainingReader          io.Reader
+}
+
+func NewVisionConn(conn net.Conn, userUUID [16]byte) (*VisionConn, error) {
+	var (
+		loaded         bool
+		reflectType    reflect.Type
+		reflectPointer uintptr
+		netConn        net.Conn
+	)
+	for _, tlsCreator := range tlsRegistry {
+		loaded, netConn, reflectType, reflectPointer = tlsCreator(conn)
+		if loaded {
+			break
+		}
+	}
+	if !loaded {
+		return nil, C.ErrTLSRequired
+	}
+	input, _ := reflectType.FieldByName("input")
+	rawInput, _ := reflectType.FieldByName("rawInput")
+	return &VisionConn{
+		Conn:                     conn,
+		writer:                   bufio.NewVectorisedWriter(conn),
+		input:                    (*bytes.Reader)(unsafe.Pointer(reflectPointer + input.Offset)),
+		rawInput:                 (*bytes.Buffer)(unsafe.Pointer(reflectPointer + rawInput.Offset)),
+		netConn:                  netConn,
+		userUUID:                 userUUID,
+		numberOfPacketToFilter:   8,
+		remainingServerHello:     -1,
+		filterTlsApplicationData: true,
+		writeUUID:                true,
+		filterUUID:               true,
+		remainingContent:         -1,
+		remainingPadding:         -1,
+	}, nil
+}
+
+func (c *VisionConn) Read(p []byte) (n int, err error) {
+	if c.remainingReader != nil {
+		n, err = c.remainingReader.Read(p)
+		if err == io.EOF {
+			c.remainingReader = nil
+			if n > 0 {
+				return
+			}
+		}
+	}
+	if c.directRead {
+		return c.netConn.Read(p)
+	}
+	n, err = c.Conn.Read(p)
+	if err != nil {
+		return
+	}
+	buffer := p[:n]
+	if c.filterUUID && (c.isTLS || c.numberOfPacketToFilter > 0) {
+		buffers := c.unPadding(buffer)
+		if c.remainingContent == 0 && c.remainingPadding == 0 {
+			if c.currentCommand == 1 {
+				c.filterUUID = false
+			} else if c.currentCommand == 2 {
+				c.filterUUID = false
+				c.directRead = true
+
+				inputBuffer, err := io.ReadAll(c.input)
+				if err != nil {
+					return 0, err
+				}
+				buffers = append(buffers, inputBuffer)
+
+				rawInputBuffer, err := io.ReadAll(c.rawInput)
+				if err != nil {
+					return 0, err
+				}
+
+				buffers = append(buffers, rawInputBuffer)
+			} else if c.currentCommand != 0 {
+				return 0, E.New("unknown command ", c.currentCommand)
+			}
+		}
+		if c.numberOfPacketToFilter > 0 {
+			c.filterTLS(buffers)
+		}
+		c.remainingReader = io.MultiReader(common.Map(buffers, func(it []byte) io.Reader { return bytes.NewReader(it) })...)
+		return c.remainingReader.Read(p)
+	} else {
+		if c.numberOfPacketToFilter > 0 {
+			c.filterTLS([][]byte{buffer})
+		}
+		return
+	}
+}
+
+func (c *VisionConn) Write(p []byte) (n int, err error) {
+	if c.numberOfPacketToFilter > 0 {
+		c.filterTLS([][]byte{p})
+	}
+	if c.isTLS && c.filterTlsApplicationData {
+		inputLen := len(p)
+		buffers := reshapeBuffer(p)
+		var specIndex int
+		for i, buffer := range buffers {
+			if buffer.Len() > 6 && bytes.Equal(tlsApplicationDataStart, buffer.To(3)) {
+				var command byte = 1
+				if c.enableXTLS {
+					c.directWrite = true
+					specIndex = i
+					command = 2
+				}
+				c.filterTlsApplicationData = false
+				buffers[i] = c.padding(buffer, command)
+				break
+			} else if !c.isTLS12orAbove && c.numberOfPacketToFilter == 0 {
+				c.filterTlsApplicationData = false
+				buffers[i] = c.padding(buffer, 0x01)
+				break
+			}
+			buffers[i] = c.padding(buffer, 0x00)
+		}
+		if c.directWrite {
+			encryptedBuffer := buffers[:specIndex+1]
+			err = c.writer.WriteVectorised(encryptedBuffer)
+			if err != nil {
+				return
+			}
+			buffers = buffers[specIndex+1:]
+			c.writer = bufio.NewVectorisedWriter(c.netConn)
+			time.Sleep(5 * time.Millisecond) // wtf
+		}
+		err = c.writer.WriteVectorised(buffers)
+		if err == nil {
+			n = inputLen
+		}
+		return
+	}
+	if c.directWrite {
+		return c.netConn.Write(p)
+	} else {
+		return c.Conn.Write(p)
+	}
+}
+
+func (c *VisionConn) filterTLS(buffers [][]byte) {
+	for _, buffer := range buffers {
+		c.numberOfPacketToFilter--
+		if len(buffer) > 6 {
+			if buffer[0] == 22 && buffer[1] == 3 && buffer[2] == 3 {
+				c.isTLS = true
+				if buffer[5] == 2 {
+					c.isTLS12orAbove = true
+					c.remainingServerHello = (int32(buffer[3])<<8 | int32(buffer[4])) + 5
+					if len(buffer) >= 79 && c.remainingServerHello >= 79 {
+						sessionIdLen := int32(buffer[43])
+						cipherSuite := buffer[43+sessionIdLen+1 : 43+sessionIdLen+3]
+						c.cipher = uint16(cipherSuite[0])<<8 | uint16(cipherSuite[1])
+					}
+				}
+			} else if bytes.Equal(tlsClientHandShakeStart, buffer[:2]) && buffer[5] == 1 {
+				c.isTLS = true
+			}
+		}
+		if c.remainingServerHello > 0 {
+			end := int(c.remainingServerHello)
+			if end > len(buffer) {
+				end = len(buffer)
+			}
+			c.remainingServerHello -= int32(end)
+			if bytes.Contains(buffer[:end], tls13SupportedVersions) {
+				cipher, ok := tls13CipherSuiteDic[c.cipher]
+				if ok && cipher != "TLS_AES_128_CCM_8_SHA256" {
+					c.enableXTLS = true
+				}
+				c.numberOfPacketToFilter = 0
+				return
+			} else if c.remainingServerHello == 0 {
+				c.numberOfPacketToFilter = 0
+				return
+			}
+		}
+	}
+}
+
+func (c *VisionConn) padding(buffer *buf.Buffer, command byte) *buf.Buffer {
+	contentLen := 0
+	paddingLen := 0
+	if buffer != nil {
+		contentLen = buffer.Len()
+	}
+	if contentLen < 900 {
+		l, _ := rand.Int(rand.Reader, big.NewInt(500))
+		paddingLen = int(l.Int64()) + 900 - contentLen
+	}
+	newBuffer := buf.New()
+	if c.writeUUID {
+		newBuffer.Write(c.userUUID[:])
+		c.writeUUID = false
+	}
+	newBuffer.Write([]byte{command, byte(contentLen >> 8), byte(contentLen), byte(paddingLen >> 8), byte(paddingLen)})
+	if buffer != nil {
+		newBuffer.Write(buffer.Bytes())
+		buffer.Release()
+	}
+	newBuffer.Extend(paddingLen)
+	return newBuffer
+}
+
+func (c *VisionConn) unPadding(buffer []byte) [][]byte {
+	var bufferIndex int
+	if c.remainingContent == -1 && c.remainingPadding == -1 {
+		if len(buffer) >= 21 && bytes.Equal(c.userUUID[:], buffer[:16]) {
+			bufferIndex = 16
+			c.remainingContent = 0
+			c.remainingPadding = 0
+		}
+	}
+	if c.remainingContent == -1 && c.remainingPadding == -1 {
+		return [][]byte{buffer}
+	}
+	var buffers [][]byte
+	for bufferIndex < len(buffer) {
+		if c.remainingContent <= 0 && c.remainingPadding <= 0 {
+			if c.currentCommand == 1 {
+				buffers = append(buffers, buffer[bufferIndex:])
+				break
+			} else {
+				paddingInfo := buffer[bufferIndex : bufferIndex+5]
+				c.currentCommand = int(paddingInfo[0])
+				c.remainingContent = int(paddingInfo[1])<<8 | int(paddingInfo[2])
+				c.remainingPadding = int(paddingInfo[3])<<8 | int(paddingInfo[4])
+				bufferIndex += 5
+			}
+		} else if c.remainingContent > 0 {
+			end := c.remainingContent
+			if end > len(buffer)-bufferIndex {
+				end = len(buffer) - bufferIndex
+			}
+			buffers = append(buffers, buffer[bufferIndex:bufferIndex+end])
+			c.remainingContent -= end
+			bufferIndex += end
+		} else {
+			end := c.remainingPadding
+			if end > len(buffer)-bufferIndex {
+				end = len(buffer) - bufferIndex
+			}
+			c.remainingPadding -= end
+			bufferIndex += end
+		}
+		if bufferIndex == len(buffer) {
+			break
+		}
+	}
+	return buffers
+}
--- a/transport/vless/vision_reality.go
+++ b/transport/vless/vision_reality.go
@@ -0,0 +1,23 @@
+//go:build with_reality_server
+
+package vless
+
+import (
+	"net"
+	"reflect"
+	"unsafe"
+
+	"github.com/sagernet/sing/common"
+
+	"github.com/nekohasekai/reality"
+)
+
+func init() {
+	tlsRegistry = append(tlsRegistry, func(conn net.Conn) (loaded bool, netConn net.Conn, reflectType reflect.Type, reflectPointer uintptr) {
+		tlsConn, loaded := common.Cast[*reality.Conn](conn)
+		if !loaded {
+			return
+		}
+		return true, tlsConn.NetConn(), reflect.TypeOf(tlsConn).Elem(), uintptr(unsafe.Pointer(tlsConn))
+	})
+}
--- a/transport/vless/vision_utls.go
+++ b/transport/vless/vision_utls.go
@@ -0,0 +1,22 @@
+//go:build with_utls
+
+package vless
+
+import (
+	"net"
+	"reflect"
+	"unsafe"
+
+	"github.com/sagernet/sing/common"
+	utls "github.com/sagernet/utls"
+)
+
+func init() {
+	tlsRegistry = append(tlsRegistry, func(conn net.Conn) (loaded bool, netConn net.Conn, reflectType reflect.Type, reflectPointer uintptr) {
+		tlsConn, loaded := common.Cast[*utls.UConn](conn)
+		if !loaded {
+			return
+		}
+		return true, tlsConn.NetConn(), reflect.TypeOf(tlsConn.Conn).Elem(), uintptr(unsafe.Pointer(tlsConn.Conn))
+	})
+}