Update dependencies

Co-authored-by: chenqixin <chenqixin@bytedance.com>

.github/workflows/build.yml

@@ -468,11 +468,11 @@ jobs:
       - name: Setup Xcode stable
         if: matrix.if && github.ref == 'refs/heads/main-next'
         run: |-
-          sudo xcode-select -s /Applications/Xcode_16.2.app
+          sudo xcode-select -s /Applications/Xcode_16.4.app
       - name: Setup Xcode beta
         if: matrix.if && github.ref == 'refs/heads/dev-next'
         run: |-
-          sudo xcode-select -s /Applications/Xcode_16.2.app
+          sudo xcode-select -s /Applications/Xcode_16.4.app
       - name: Set tag
         if: matrix.if
         run: |-

Makefile

@@ -1,6 +1,6 @@
 NAME = sing-box
 COMMIT = $(shell git rev-parse --short HEAD)
-TAGS_GO120 = with_gvisor,with_dhcp,with_wireguard,with_reality_server,with_clash_api,with_quic,with_utls
+TAGS_GO120 = with_gvisor,with_dhcp,with_wireguard,with_reality_server,with_clash_api,with_quic,with_utls,with_acme
 TAGS_GO121 = with_ech
 TAGS ?= $(TAGS_GO118),$(TAGS_GO120),$(TAGS_GO121)
 TAGS_TEST ?= with_gvisor,with_quic,with_wireguard,with_grpc,with_ech,with_utls,with_reality_server

adapter/inbound.go

@@ -42,22 +42,24 @@ type InboundManager interface {
 }
 
 type InboundContext struct {
-	Inbound     string
-	InboundType string
-	IPVersion   uint8
-	Network     string
-	Source      M.Socksaddr
-	Destination M.Socksaddr
-	User        string
-	Outbound    string
+	Inbound           string
+	InboundType       string
+	IPVersion         uint8
+	Network           string
+	Source            M.Socksaddr
+	Destination       M.Socksaddr
+	TunnelSource      string
+	TunnelDestination string
+	User              string
+	Outbound          string
 
 	// sniffer
 
-	Protocol         string
-	Domain           string
-	Client           string
-	SniffContext     any
-	PacketSniffError error
+	Protocol     string
+	Domain       string
+	Client       string
+	SniffContext any
+	SniffError   error
 
 	// cache
 

common/dialer/default.go

@@ -100,10 +100,6 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 			} else if networkManager.AutoDetectInterface() {
 				if platformInterface != nil {
 					networkStrategy = (*C.NetworkStrategy)(options.NetworkStrategy)
-					if networkStrategy == nil {
-						networkStrategy = common.Ptr(C.NetworkStrategyDefault)
-						defaultNetworkStrategy = true
-					}
 					networkType = common.Map(options.NetworkType, option.InterfaceType.Build)
 					fallbackNetworkType = common.Map(options.FallbackNetworkType, option.InterfaceType.Build)
 					if networkStrategy == nil && len(networkType) == 0 && len(fallbackNetworkType) == 0 {
@@ -115,6 +111,10 @@ func NewDefault(ctx context.Context, options option.DialerOptions) (*DefaultDial
 					if networkFallbackDelay == 0 && defaultOptions.FallbackDelay != 0 {
 						networkFallbackDelay = defaultOptions.FallbackDelay
 					}
+					if networkStrategy == nil {
+						networkStrategy = common.Ptr(C.NetworkStrategyDefault)
+						defaultNetworkStrategy = true
+					}
 					bindFunc := networkManager.ProtectFunc()
 					dialer.Control = control.Append(dialer.Control, bindFunc)
 					listener.Control = control.Append(listener.Control, bindFunc)

common/dialer/tfo.go

@@ -10,9 +10,7 @@ import (
 	"sync"
 	"time"
 
-	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/bufio"
-	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 
@@ -26,7 +24,9 @@ type slowOpenConn struct {
 	destination M.Socksaddr
 	conn        net.Conn
 	create      chan struct{}
+	done        chan struct{}
 	access      sync.Mutex
+	closeOnce   sync.Once
 	err         error
 }
 
@@ -45,6 +45,7 @@ func DialSlowContext(dialer *tcpDialer, ctx context.Context, network string, des
 		network:     network,
 		destination: destination,
 		create:      make(chan struct{}),
+		done:        make(chan struct{}),
 	}, nil
 }
 
@@ -55,8 +56,8 @@ func (c *slowOpenConn) Read(b []byte) (n int, err error) {
 			if c.err != nil {
 				return 0, c.err
 			}
-		case <-c.ctx.Done():
-			return 0, c.ctx.Err()
+		case <-c.done:
+			return 0, os.ErrClosed
 		}
 	}
 	return c.conn.Read(b)
@@ -74,12 +75,15 @@ func (c *slowOpenConn) Write(b []byte) (n int, err error) {
 			return 0, c.err
 		}
 		return c.conn.Write(b)
+	case <-c.done:
+		return 0, os.ErrClosed
 	default:
 	}
-	c.conn, err = c.dialer.DialContext(c.ctx, c.network, c.destination.String(), b)
+	conn, err := c.dialer.DialContext(c.ctx, c.network, c.destination.String(), b)
 	if err != nil {
-		c.conn = nil
-		c.err = E.Cause(err, "dial tcp fast open")
+		c.err = err
+	} else {
+		c.conn = conn
 	}
 	n = len(b)
 	close(c.create)
@@ -87,7 +91,13 @@ func (c *slowOpenConn) Write(b []byte) (n int, err error) {
 }
 
 func (c *slowOpenConn) Close() error {
-	return common.Close(c.conn)
+	c.closeOnce.Do(func() {
+		close(c.done)
+		if c.conn != nil {
+			c.conn.Close()
+		}
+	})
+	return nil
 }
 
 func (c *slowOpenConn) LocalAddr() net.Addr {
@@ -152,8 +162,8 @@ func (c *slowOpenConn) WriteTo(w io.Writer) (n int64, err error) {
 			if c.err != nil {
 				return 0, c.err
 			}
-		case <-c.ctx.Done():
-			return 0, c.ctx.Err()
+		case <-c.done:
+			return 0, c.err
 		}
 	}
 	return bufio.Copy(w, c.conn)

common/process/searcher_darwin.go

@@ -76,6 +76,8 @@ func findProcessName(network string, ip netip.Addr, port int) (string, error) {
 		// rup8(sizeof(xtcpcb_n))
 		itemSize += 208
 	}
+
+	var fallbackUDPProcess string
 	// skip the first xinpgen(24 bytes) block
 	for i := 24; i+itemSize <= len(buf); i += itemSize {
 		// offset of xinpcb_n and xsocket_n
@@ -90,10 +92,12 @@ func findProcessName(network string, ip netip.Addr, port int) (string, error) {
 		flag := buf[inp+44]
 
 		var srcIP netip.Addr
+		srcIsIPv4 := false
 		switch {
 		case flag&0x1 > 0 && isIPv4:
 			// ipv4
 			srcIP = netip.AddrFrom4(*(*[4]byte)(buf[inp+76 : inp+80]))
+			srcIsIPv4 = true
 		case flag&0x2 > 0 && !isIPv4:
 			// ipv6
 			srcIP = netip.AddrFrom16(*(*[16]byte)(buf[inp+64 : inp+80]))
@@ -101,13 +105,21 @@ func findProcessName(network string, ip netip.Addr, port int) (string, error) {
 			continue
 		}
 
-		if ip != srcIP {
-			continue
+		if ip == srcIP {
+			// xsocket_n.so_last_pid
+			pid := readNativeUint32(buf[so+68 : so+72])
+			return getExecPathFromPID(pid)
 		}
 
-		// xsocket_n.so_last_pid
-		pid := readNativeUint32(buf[so+68 : so+72])
-		return getExecPathFromPID(pid)
+		// udp packet connection may be not equal with srcIP
+		if network == N.NetworkUDP && srcIP.IsUnspecified() && isIPv4 == srcIsIPv4 {
+			pid := readNativeUint32(buf[so+68 : so+72])
+			fallbackUDPProcess, _ = getExecPathFromPID(pid)
+		}
+	}
+
+	if network == N.NetworkUDP && len(fallbackUDPProcess) > 0 {
+		return fallbackUDPProcess, nil
 	}
 
 	return "", ErrNotFound

common/tls/acme.go

@@ -5,13 +5,13 @@ package tls
 import (
 	"context"
 	"crypto/tls"
-	"os"
 	"strings"
 
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
 
 	"github.com/caddyserver/certmagic"
 	"github.com/libdns/alidns"
@@ -37,7 +37,38 @@ func (w *acmeWrapper) Close() error {
 	return nil
 }
 
-func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Config, adapter.Service, error) {
+type acmeLogWriter struct {
+	logger logger.Logger
+}
+
+func (w *acmeLogWriter) Write(p []byte) (n int, err error) {
+	logLine := strings.ReplaceAll(string(p), "	", ": ")
+	switch {
+	case strings.HasPrefix(logLine, "error: "):
+		w.logger.Error(logLine[7:])
+	case strings.HasPrefix(logLine, "warn: "):
+		w.logger.Warn(logLine[6:])
+	case strings.HasPrefix(logLine, "info: "):
+		w.logger.Info(logLine[6:])
+	case strings.HasPrefix(logLine, "debug: "):
+		w.logger.Debug(logLine[7:])
+	default:
+		w.logger.Debug(logLine)
+	}
+	return len(p), nil
+}
+
+func (w *acmeLogWriter) Sync() error {
+	return nil
+}
+
+func encoderConfig() zapcore.EncoderConfig {
+	config := zap.NewProductionEncoderConfig()
+	config.TimeKey = zapcore.OmitKey
+	return config
+}
+
+func startACME(ctx context.Context, logger logger.Logger, options option.InboundACMEOptions) (*tls.Config, adapter.Service, error) {
 	var acmeServer string
 	switch options.Provider {
 	case "", "letsencrypt":
@@ -58,14 +89,15 @@ func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Con
 	} else {
 		storage = certmagic.Default.Storage
 	}
+	zapLogger := zap.New(zapcore.NewCore(
+		zapcore.NewConsoleEncoder(encoderConfig()),
+		&acmeLogWriter{logger: logger},
+		zap.DebugLevel,
+	))
 	config := &certmagic.Config{
 		DefaultServerName: options.DefaultServerName,
 		Storage:           storage,
-		Logger: zap.New(zapcore.NewCore(
-			zapcore.NewConsoleEncoder(zap.NewProductionEncoderConfig()),
-			os.Stderr,
-			zap.InfoLevel,
-		)),
+		Logger:            zapLogger,
 	}
 	acmeConfig := certmagic.ACMEIssuer{
 		CA:                      acmeServer,
@@ -75,7 +107,7 @@ func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Con
 		DisableTLSALPNChallenge: options.DisableTLSALPNChallenge,
 		AltHTTPPort:             int(options.AlternativeHTTPPort),
 		AltTLSALPNPort:          int(options.AlternativeTLSPort),
-		Logger:                  config.Logger,
+		Logger:                  zapLogger,
 	}
 	if dnsOptions := options.DNS01Challenge; dnsOptions != nil && dnsOptions.Provider != "" {
 		var solver certmagic.DNS01Solver
@@ -103,6 +135,7 @@ func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Con
 		GetConfigForCert: func(certificate certmagic.Certificate) (*certmagic.Config, error) {
 			return config, nil
 		},
+		Logger: zapLogger,
 	})
 	config = certmagic.New(cache, *config)
 	var tlsConfig *tls.Config

common/tls/acme_stub.go

@@ -9,8 +9,9 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
 )
 
-func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Config, adapter.Service, error) {
+func startACME(ctx context.Context, logger logger.Logger, options option.InboundACMEOptions) (*tls.Config, adapter.Service, error) {
 	return nil, nil, E.New(`ACME is not included in this build, rebuild with -tags with_acme`)
 }

common/tls/std_server.go

@@ -157,7 +157,7 @@ func NewSTDServer(ctx context.Context, logger log.Logger, options option.Inbound
 	var err error
 	if options.ACME != nil && len(options.ACME.Domain) > 0 {
 		//nolint:staticcheck
-		tlsConfig, acmeService, err = startACME(ctx, common.PtrValueOrDefault(options.ACME))
+		tlsConfig, acmeService, err = startACME(ctx, logger, common.PtrValueOrDefault(options.ACME))
 		if err != nil {
 			return nil, err
 		}

constant/proxy.go

@@ -25,6 +25,8 @@ const (
 	TypeVLESS        = "vless"
 	TypeTUIC         = "tuic"
 	TypeHysteria2    = "hysteria2"
+	TypeTunnelClient = "tunnel_client"
+	TypeTunnelServer = "tunnel_server"
 )
 
 const (
@@ -86,6 +88,10 @@ func ProxyDisplayName(proxyType string) string {
 		return "Selector"
 	case TypeURLTest:
 		return "URLTest"
+	case TypeTunnelClient:
+		return "Tunnel Client"
+	case TypeTunnelServer:
+		return "Tunnel Server"
 	default:
 		return "Unknown"
 	}

docs/changelog.md

@@ -2,6 +2,20 @@
 icon: material/alert-decagram
 ---
 
+### 1.11.15
+
+* Fixes and improvements
+
+_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we
+violated the rules (TestFlight users are not affected)._
+
+### 1.11.14
+
+* Fixes and improvements
+
+_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we
+violated the rules (TestFlight users are not affected)._
+
 ### 1.11.13
 
 * Fixes and improvements

docs/configuration/experimental/clash-api.md

@@ -63,7 +63,7 @@ icon: material/new-box
     {
       "external_controller": "0.0.0.0:9090",
       "external_ui": "dashboard"
-      // external_ui_download_detour: "direct"
+      // "external_ui_download_detour": "direct"
     }
     ```
 

docs/configuration/experimental/clash-api.zh.md

@@ -63,7 +63,7 @@ icon: material/new-box
     {
       "external_controller": "0.0.0.0:9090",
       "external_ui": "dashboard"
-      // external_ui_download_detour: "direct"
+      // "external_ui_download_detour": "direct"
     }
     ```
 

examples/tunnel/client->server/client.json

@@ -0,0 +1,64 @@
+{
+  "log": {
+    "level": "error"
+  },
+  "dns": {
+    "servers": [
+      {
+        "address": "local",
+        "detour": "direct"
+      }
+    ]
+  },
+  "endpoints": [
+    {
+      "type": "tunnel_client",
+      "tag": "tunnel",
+      "uuid": "9b65b7e1-04c8-4717-8f45-2aa61fd25937",
+      "key": "1c9b2ccf-b0c0-4c26-868d-a55a4edad3fe",
+      "outbound": {
+        "type": "vless",
+        "tag": "vless-out",
+        "server": "0.0.0.0",
+        "server_port": 8000,
+        "uuid": "9b65b7e1-04c8-4717-8f45-2aa61fd25937",
+        "network": "tcp"
+      }
+    }
+  ],
+  "inbounds": [
+    {
+      "type": "mixed",
+      "tag": "mixed-in",
+      "listen_port": 7897
+    }
+  ],
+  "outbounds": [
+    {
+      "type": "direct",
+      "tag": "direct-out"
+    },
+    {
+      "type": "dns",
+      "tag": "dns-out"
+    }
+  ],
+  "route": {
+    "rules": [
+      {
+        "protocol": "dns",
+        "outbound": "dns-out"
+      },
+      {
+        "port": 53,
+        "outbound": "dns-out"
+      },
+      {
+        "outbound": "tunnel",
+        "override_tunnel_destination": "f79f7678-55e7-432d-a15f-6e8ab2b7fe13"
+      }
+    ],
+    "final": "direct-out",
+    "auto_detect_interface": true
+  }
+}

examples/tunnel/client->server/server.json

@@ -0,0 +1,62 @@
+{
+  "log": {
+    "level": "error"
+  },
+  "dns": {
+    "servers": [
+      {
+        "address": "local",
+        "detour": "direct"
+      }
+    ]
+  },
+  "endpoints": [
+    {
+      "type": "tunnel_server",
+      "tag": "tunnel",
+      "uuid": "f79f7678-55e7-432d-a15f-6e8ab2b7fe13",
+      "users": [
+        {
+          "uuid": "9b65b7e1-04c8-4717-8f45-2aa61fd25937",
+          "key": "1c9b2ccf-b0c0-4c26-868d-a55a4edad3fe"
+        }
+      ],
+      "inbound": {
+        "type": "vless",
+        "tag": "vless-in",
+        "listen": "0.0.0.0",
+        "listen_port": 8000,
+        "users": [
+          {
+            "name": "vless",
+            "uuid": "9b65b7e1-04c8-4717-8f45-2aa61fd25937"
+          }
+        ]
+      }
+    }
+  ],
+  "outbounds": [
+    {
+      "type": "direct",
+      "tag": "direct-out"
+    },
+    {
+      "type": "dns",
+      "tag": "dns-out"
+    }
+  ],
+  "route": {
+    "rules": [
+      {
+        "protocol": "dns",
+        "outbound": "dns-out"
+      },
+      {
+        "port": 53,
+        "outbound": "dns-out"
+      }
+    ],
+    "final": "direct-out",
+    "auto_detect_interface": true
+  }
+}

examples/tunnel/client1->server->client2/client1.json

@@ -0,0 +1,64 @@
+{
+  "log": {
+    "level": "error"
+  },
+  "dns": {
+    "servers": [
+      {
+        "address": "local",
+        "detour": "direct"
+      }
+    ]
+  },
+  "endpoints": [
+    {
+      "type": "tunnel_client",
+      "tag": "tunnel",
+      "uuid": "9b65b7e1-04c8-4717-8f45-2aa61fd25937",
+      "key": "1c9b2ccf-b0c0-4c26-868d-a55a4edad3fe",
+      "outbound": {
+        "type": "vless",
+        "tag": "vless-out",
+        "server": "0.0.0.0",
+        "server_port": 8000,
+        "uuid": "9b65b7e1-04c8-4717-8f45-2aa61fd25937",
+        "network": "tcp"
+      }
+    }
+  ],
+  "inbounds": [
+    {
+      "type": "mixed",
+      "tag": "mixed-in",
+      "listen_port": 7897
+    }
+  ],
+  "outbounds": [
+    {
+      "type": "direct",
+      "tag": "direct-out"
+    },
+    {
+      "type": "dns",
+      "tag": "dns-out"
+    }
+  ],
+  "route": {
+    "rules": [
+      {
+        "protocol": "dns",
+        "outbound": "dns-out"
+      },
+      {
+        "port": 53,
+        "outbound": "dns-out"
+      },
+      {
+        "outbound": "tunnel",
+        "override_tunnel_destination": "487f6073-3300-4819-a07d-39652e45fb4d"
+      }
+    ],
+    "final": "direct-out",
+    "auto_detect_interface": true
+  }
+}

examples/tunnel/client1->server->client2/client2.json

@@ -0,0 +1,53 @@
+{
+  "log": {
+    "level": "error"
+  },
+  "dns": {
+    "servers": [
+      {
+        "address": "local",
+        "detour": "direct"
+      }
+    ]
+  },
+  "endpoints": [
+    {
+      "type": "tunnel_client",
+      "tag": "tunnel",
+      "uuid": "487f6073-3300-4819-a07d-39652e45fb4d",
+      "key": "3d74d616-2502-4c17-9cc3-92c366550f4f",
+      "outbound": {
+        "type": "vless",
+        "tag": "vless-out",
+        "server": "0.0.0.0",
+        "server_port": 8000,
+        "uuid": "9b65b7e1-04c8-4717-8f45-2aa61fd25937",
+        "network": "tcp"
+      }
+    }
+  ],
+  "outbounds": [
+    {
+      "type": "direct",
+      "tag": "direct-out"
+    },
+    {
+      "type": "dns",
+      "tag": "dns-out"
+    }
+  ],
+  "route": {
+    "rules": [
+      {
+        "protocol": "dns",
+        "outbound": "dns-out"
+      },
+      {
+        "port": 53,
+        "outbound": "dns-out"
+      }
+    ],
+    "final": "direct-out",
+    "auto_detect_interface": true
+  }
+}

examples/tunnel/client1->server->client2/server.json

@@ -0,0 +1,77 @@
+{
+  "log": {
+    "level": "error"
+  },
+  "dns": {
+    "servers": [
+      {
+        "address": "local",
+        "detour": "direct"
+      }
+    ]
+  },
+  "endpoints": [
+    {
+      "type": "tunnel_server",
+      "tag": "tunnel",
+      "uuid": "f79f7678-55e7-432d-a15f-6e8ab2b7fe13",
+      "users": [
+        {
+          "uuid": "9b65b7e1-04c8-4717-8f45-2aa61fd25937",
+          "key": "1c9b2ccf-b0c0-4c26-868d-a55a4edad3fe"
+        },
+        {
+          "uuid": "487f6073-3300-4819-a07d-39652e45fb4d",
+          "key": "3d74d616-2502-4c17-9cc3-92c366550f4f"
+        }
+      ],
+      "inbound": {
+        "type": "vless",
+        "tag": "vless-in",
+        "listen": "0.0.0.0",
+        "listen_port": 8000,
+        "users": [
+          {
+            "name": "vless",
+            "uuid": "9b65b7e1-04c8-4717-8f45-2aa61fd25937"
+          }
+        ]
+      }
+    }
+  ],
+  "outbounds": [
+    {
+      "type": "direct",
+      "tag": "direct-out"
+    },
+    {
+      "type": "dns",
+      "tag": "dns-out"
+    }
+  ],
+  "route": {
+    "rules": [
+      {
+        "protocol": "dns",
+        "outbound": "dns-out"
+      },
+      {
+        "port": 53,
+        "outbound": "dns-out"
+      },
+      {
+        "tunnel_source": [
+          "9b65b7e1-04c8-4717-8f45-2aa61fd25937",
+          "487f6073-3300-4819-a07d-39652e45fb4d"
+        ],
+        "tunnel_destination": [
+          "9b65b7e1-04c8-4717-8f45-2aa61fd25937",
+          "487f6073-3300-4819-a07d-39652e45fb4d"
+        ],
+        "outbound": "tunnel"
+      }
+    ],
+    "final": "direct-out",
+    "auto_detect_interface": true
+  }
+}

examples/tunnel/proxy_client->server->tunnel_client/proxy_client.json

@@ -0,0 +1,52 @@
+{
+  "log": {
+    "level": "error"
+  },
+  "dns": {
+    "servers": [
+      {
+        "address": "local",
+        "detour": "direct"
+      }
+    ]
+  },
+  "inbounds": [
+    {
+      "type": "mixed",
+      "tag": "mixed-in",
+      "listen_port": 7897
+    }
+  ],
+  "outbounds": [
+    {
+      "type": "direct",
+      "tag": "direct-out"
+    },
+    {
+      "type": "vless",
+      "tag": "vless-out",
+      "server": "0.0.0.0",
+      "server_port": 8000,
+      "uuid": "9b65b7e1-04c8-4717-8f45-2aa61fd25937",
+      "network": "tcp"
+    },
+    {
+      "type": "dns",
+      "tag": "dns-out"
+    }
+  ],
+  "route": {
+    "rules": [
+      {
+        "protocol": "dns",
+        "outbound": "dns-out"
+      },
+      {
+        "port": 53,
+        "outbound": "dns-out"
+      }
+    ],
+    "final": "vless-out",
+    "auto_detect_interface": true
+  }
+}

examples/tunnel/proxy_client->server->tunnel_client/server.json

@@ -0,0 +1,67 @@
+{
+  "log": {
+    "level": "error"
+  },
+  "dns": {
+    "servers": [
+      {
+        "address": "local",
+        "detour": "direct"
+      }
+    ]
+  },
+  "endpoints": [
+    {
+      "type": "tunnel_server",
+      "tag": "tunnel",
+      "uuid": "f79f7678-55e7-432d-a15f-6e8ab2b7fe13",
+      "users": [
+        {
+          "uuid": "9b65b7e1-04c8-4717-8f45-2aa61fd25937",
+          "key": "1c9b2ccf-b0c0-4c26-868d-a55a4edad3fe"
+        }
+      ],
+      "inbound": {
+        "type": "vless",
+        "tag": "vless-in",
+        "listen": "0.0.0.0",
+        "listen_port": 8000,
+        "users": [
+          {
+            "name": "vless",
+            "uuid": "9b65b7e1-04c8-4717-8f45-2aa61fd25937"
+          }
+        ]
+      }
+    }
+  ],
+  "outbounds": [
+    {
+      "type": "direct",
+      "tag": "direct-out"
+    },
+    {
+      "type": "dns",
+      "tag": "dns-out"
+    }
+  ],
+  "route": {
+    "rules": [
+      {
+        "protocol": "dns",
+        "outbound": "dns-out"
+      },
+      {
+        "port": 53,
+        "outbound": "dns-out"
+      },
+      {
+        "inbound": "vless-in",
+        "outbound": "tunnel",
+        "override_tunnel_destination": "9b65b7e1-04c8-4717-8f45-2aa61fd25937"
+      }
+    ],
+    "final": "direct-out",
+    "auto_detect_interface": true
+  }
+}

examples/tunnel/proxy_client->server->tunnel_client/tunnel_client.json

@@ -0,0 +1,53 @@
+{
+  "log": {
+    "level": "error"
+  },
+  "dns": {
+    "servers": [
+      {
+        "address": "local",
+        "detour": "direct"
+      }
+    ]
+  },
+  "endpoints": [
+    {
+      "type": "tunnel_client",
+      "tag": "tunnel",
+      "uuid": "9b65b7e1-04c8-4717-8f45-2aa61fd25937",
+      "key": "1c9b2ccf-b0c0-4c26-868d-a55a4edad3fe",
+      "outbound": {
+        "type": "vless",
+        "tag": "vless-out",
+        "server": "0.0.0.0",
+        "server_port": 8000,
+        "uuid": "9b65b7e1-04c8-4717-8f45-2aa61fd25937",
+        "network": "tcp"
+      }
+    }
+  ],
+  "outbounds": [
+    {
+      "type": "direct",
+      "tag": "direct-out"
+    },
+    {
+      "type": "dns",
+      "tag": "dns-out"
+    }
+  ],
+  "route": {
+    "rules": [
+      {
+        "protocol": "dns",
+        "outbound": "dns-out"
+      },
+      {
+        "port": 53,
+        "outbound": "dns-out"
+      }
+    ],
+    "final": "direct-out",
+    "auto_detect_interface": true
+  }
+}

examples/tunnel/server->client/client.json

@@ -0,0 +1,53 @@
+{
+  "log": {
+    "level": "error"
+  },
+  "dns": {
+    "servers": [
+      {
+        "address": "local",
+        "detour": "direct"
+      }
+    ]
+  },
+  "endpoints": [
+    {
+      "type": "tunnel_client",
+      "tag": "tunnel",
+      "uuid": "9b65b7e1-04c8-4717-8f45-2aa61fd25937",
+      "key": "1c9b2ccf-b0c0-4c26-868d-a55a4edad3fe",
+      "outbound": {
+        "type": "vless",
+        "tag": "vless-out",
+        "server": "0.0.0.0",
+        "server_port": 8000,
+        "uuid": "9b65b7e1-04c8-4717-8f45-2aa61fd25937",
+        "network": "tcp"
+      }
+    }
+  ],
+  "outbounds": [
+    {
+      "type": "direct",
+      "tag": "direct-out"
+    },
+    {
+      "type": "dns",
+      "tag": "dns-out"
+    }
+  ],
+  "route": {
+    "rules": [
+      {
+        "protocol": "dns",
+        "outbound": "dns-out"
+      },
+      {
+        "port": 53,
+        "outbound": "dns-out"
+      }
+    ],
+    "final": "direct-out",
+    "auto_detect_interface": true
+  }
+}

examples/tunnel/server->client/server.json

@@ -0,0 +1,73 @@
+{
+  "log": {
+    "level": "error"
+  },
+  "dns": {
+    "servers": [
+      {
+        "address": "local",
+        "detour": "direct"
+      }
+    ]
+  },
+  "endpoints": [
+    {
+      "type": "tunnel_server",
+      "tag": "tunnel",
+      "uuid": "f79f7678-55e7-432d-a15f-6e8ab2b7fe13",
+      "users": [
+        {
+          "uuid": "9b65b7e1-04c8-4717-8f45-2aa61fd25937",
+          "key": "1c9b2ccf-b0c0-4c26-868d-a55a4edad3fe"
+        }
+      ],
+      "inbound": {
+        "type": "vless",
+        "tag": "vless-in",
+        "listen": "0.0.0.0",
+        "listen_port": 8000,
+        "users": [
+          {
+            "name": "vless",
+            "uuid": "9b65b7e1-04c8-4717-8f45-2aa61fd25937"
+          }
+        ]
+      }
+    }
+  ],
+  "inbounds": [
+    {
+      "type": "mixed",
+      "tag": "mixed-in",
+      "listen_port": 7897
+    }
+  ],
+  "outbounds": [
+    {
+      "type": "direct",
+      "tag": "direct-out"
+    },
+    {
+      "type": "dns",
+      "tag": "dns-out"
+    }
+  ],
+  "route": {
+    "rules": [
+      {
+        "protocol": "dns",
+        "outbound": "dns-out"
+      },
+      {
+        "port": 53,
+        "outbound": "dns-out"
+      },
+      {
+        "outbound": "tunnel",
+        "override_tunnel_destination": "9b65b7e1-04c8-4717-8f45-2aa61fd25937"
+      }
+    ],
+    "final": "direct-out",
+    "auto_detect_interface": true
+  }
+}

go.mod

@@ -31,13 +31,13 @@ require (
 	github.com/sagernet/quic-go v0.49.0-beta.1
 	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691
 	github.com/sagernet/sing v0.6.10
-	github.com/sagernet/sing-dns v0.4.5
+	github.com/sagernet/sing-dns v0.4.6
 	github.com/sagernet/sing-mux v0.3.2
-	github.com/sagernet/sing-quic v0.4.3
+	github.com/sagernet/sing-quic v0.4.4
 	github.com/sagernet/sing-shadowsocks v0.2.8
 	github.com/sagernet/sing-shadowsocks2 v0.2.1
 	github.com/sagernet/sing-shadowtls v0.2.0
-	github.com/sagernet/sing-tun v0.6.5
+	github.com/sagernet/sing-tun v0.6.9
 	github.com/sagernet/sing-vmess v0.2.3
 	github.com/sagernet/smux v1.5.34-mod.2
 	github.com/sagernet/utls v1.6.7
@@ -120,6 +120,6 @@ require (
 
 replace github.com/sagernet/wireguard-go => github.com/getlantern/wireguard-go v0.0.1-beta.5.0.20250303165430-793006c422ec
 
-replace github.com/sagernet/sing-dns => github.com/shtorm-7/sing-dns v0.4.5-extended-1.0.0
+replace github.com/sagernet/sing-dns => github.com/shtorm-7/sing-dns v0.4.6-extended-1.0.0
 
 replace github.com/ameshkov/dnscrypt/v2 => github.com/shtorm-7/dnscrypt/v2 v2.4.0-extended-1.0.0

go.sum

@@ -141,16 +141,16 @@ github.com/sagernet/sing v0.6.10 h1:Jey1tePgH9bjFuK1fQI3D9T+bPOQ4SdHMjuS4sYjDv4=
 github.com/sagernet/sing v0.6.10/go.mod h1:ARkL0gM13/Iv5VCZmci/NuoOlePoIsW0m7BWfln/Hak=
 github.com/sagernet/sing-mux v0.3.2 h1:meZVFiiStvHThb/trcpAkCrmtJOuItG5Dzl1RRP5/NE=
 github.com/sagernet/sing-mux v0.3.2/go.mod h1:pht8iFY4c9Xltj7rhVd208npkNaeCxzyXCgulDPLUDA=
-github.com/sagernet/sing-quic v0.4.3 h1:OZ/kGvSzjtYg+t0DY3F606hlT5LeiQQXDxfBopcRryQ=
-github.com/sagernet/sing-quic v0.4.3/go.mod h1:tqPa0/Wqa19MkkSlKVZZX5sHxtiDR9BROcn4ufcbVdY=
+github.com/sagernet/sing-quic v0.4.4 h1:qqOCLnzHbqKkj/wBcXEI3rhSyqoGlqDdv2S6mz2d/JA=
+github.com/sagernet/sing-quic v0.4.4/go.mod h1:tqPa0/Wqa19MkkSlKVZZX5sHxtiDR9BROcn4ufcbVdY=
 github.com/sagernet/sing-shadowsocks v0.2.8 h1:PURj5PRoAkqeHh2ZW205RWzN9E9RtKCVCzByXruQWfE=
 github.com/sagernet/sing-shadowsocks v0.2.8/go.mod h1:lo7TWEMDcN5/h5B8S0ew+r78ZODn6SwVaFhvB6H+PTI=
 github.com/sagernet/sing-shadowsocks2 v0.2.1 h1:dWV9OXCeFPuYGHb6IRqlSptVnSzOelnqqs2gQ2/Qioo=
 github.com/sagernet/sing-shadowsocks2 v0.2.1/go.mod h1:RnXS0lExcDAovvDeniJ4IKa2IuChrdipolPYWBv9hWQ=
 github.com/sagernet/sing-shadowtls v0.2.0 h1:cLKe4OAOFwuhmAIuPLj//CIL7Q9js+pIDardhJ+/osk=
 github.com/sagernet/sing-shadowtls v0.2.0/go.mod h1:agU+Fw5X+xnWVyRHyFthoZCX3MfWKCFPm4JUf+1oaxo=
-github.com/sagernet/sing-tun v0.6.5 h1:nGfD6GNq/r0tEjdZHOV3BS6fydSmd4kBAokU5rffssg=
-github.com/sagernet/sing-tun v0.6.5/go.mod h1:fisFCbC4Vfb6HqQNcwPJi2CDK2bf0Xapyz3j3t4cnHE=
+github.com/sagernet/sing-tun v0.6.9 h1:uP8O4Q7U9QesjWumgxd2S9fjT3c6aEPWl5RB6uBdVB8=
+github.com/sagernet/sing-tun v0.6.9/go.mod h1:fisFCbC4Vfb6HqQNcwPJi2CDK2bf0Xapyz3j3t4cnHE=
 github.com/sagernet/sing-vmess v0.2.3 h1:z6Ym8dnZG7k1fP3+54vz8G0tvRVJeOoTFFeUPwXTD44=
 github.com/sagernet/sing-vmess v0.2.3/go.mod h1:jDAZ0A0St1zVRkyvhAPRySOFfhC+4SQtO5VYyeFotgA=
 github.com/sagernet/smux v1.5.34-mod.2 h1:gkmBjIjlJ2zQKpLigOkFur5kBKdV6bNRoFu2WkltRQ4=
@@ -161,8 +161,8 @@ github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854 h1:6uUiZcDRnZSAegryaUG
 github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854/go.mod h1:LtfoSK3+NG57tvnVEHgcuBW9ujgE8enPSgzgwStwCAA=
 github.com/shtorm-7/dnscrypt/v2 v2.4.0-extended-1.0.0 h1:e5s7RKBd2rIPR0StbvZ2vTVtJ5jDTsTk5wtIIapZTRg=
 github.com/shtorm-7/dnscrypt/v2 v2.4.0-extended-1.0.0/go.mod h1:WpEFV2uhebXb8Jhes/5/fSdpmhGV8TL22RDaeWwV6hI=
-github.com/shtorm-7/sing-dns v0.4.5-extended-1.0.0 h1:iR0BTDEYwuYfQHwiySBhDOUHaipcizGb54OmC1C6Pz0=
-github.com/shtorm-7/sing-dns v0.4.5-extended-1.0.0/go.mod h1:HWuvH9L2ZwuffhzX5J5ZOjrhLQ8DB5qT9ie/YTXW1nU=
+github.com/shtorm-7/sing-dns v0.4.6-extended-1.0.0 h1:/fyqTYciGYTEbDDySW22t9vY5bSr+lCeLZfjVlv9qgw=
+github.com/shtorm-7/sing-dns v0.4.6-extended-1.0.0/go.mod h1:HWuvH9L2ZwuffhzX5J5ZOjrhLQ8DB5qT9ie/YTXW1nU=
 github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
 github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=

include/registry.go

@@ -26,6 +26,7 @@ import (
 	"github.com/sagernet/sing-box/protocol/tor"
 	"github.com/sagernet/sing-box/protocol/trojan"
 	"github.com/sagernet/sing-box/protocol/tun"
+	"github.com/sagernet/sing-box/protocol/tunnel"
 	"github.com/sagernet/sing-box/protocol/vless"
 	"github.com/sagernet/sing-box/protocol/vmess"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -88,6 +89,9 @@ func OutboundRegistry() *outbound.Registry {
 func EndpointRegistry() *endpoint.Registry {
 	registry := endpoint.NewRegistry()
 
+	tunnel.RegisterServerEndpoint(registry)
+	tunnel.RegisterClientEndpoint(registry)
+
 	registerWireGuardEndpoint(registry)
 
 	return registry

option/rule.go

@@ -88,6 +88,8 @@ type RawDefaultRule struct {
 	SourcePortRange          badoption.Listable[string]        `json:"source_port_range,omitempty"`
 	Port                     badoption.Listable[uint16]        `json:"port,omitempty"`
 	PortRange                badoption.Listable[string]        `json:"port_range,omitempty"`
+	TunnelSource             badoption.Listable[string]        `json:"tunnel_source,omitempty"`
+	TunnelDestination        badoption.Listable[string]        `json:"tunnel_destination,omitempty"`
 	ProcessName              badoption.Listable[string]        `json:"process_name,omitempty"`
 	ProcessPath              badoption.Listable[string]        `json:"process_path,omitempty"`
 	ProcessPathRegex         badoption.Listable[string]        `json:"process_path_regex,omitempty"`

option/rule_action.go

@@ -142,8 +142,9 @@ type RouteActionOptions struct {
 }
 
 type RawRouteOptionsActionOptions struct {
-	OverrideAddress string `json:"override_address,omitempty"`
-	OverridePort    uint16 `json:"override_port,omitempty"`
+	OverrideAddress           string `json:"override_address,omitempty"`
+	OverridePort              uint16 `json:"override_port,omitempty"`
+	OverrideTunnelDestination string `json:"override_tunnel_destination,omitempty"`
 
 	NetworkStrategy *NetworkStrategy `json:"network_strategy,omitempty"`
 	FallbackDelay   uint32           `json:"fallback_delay,omitempty"`

option/rule_dns.go

@@ -89,6 +89,8 @@ type RawDefaultDNSRule struct {
 	SourcePortRange          badoption.Listable[string]        `json:"source_port_range,omitempty"`
 	Port                     badoption.Listable[uint16]        `json:"port,omitempty"`
 	PortRange                badoption.Listable[string]        `json:"port_range,omitempty"`
+	TunnelSource             badoption.Listable[string]        `json:"tunnel_source,omitempty"`
+	TunnelDestination        badoption.Listable[string]        `json:"tunnel_destination,omitempty"`
 	ProcessName              badoption.Listable[string]        `json:"process_name,omitempty"`
 	ProcessPath              badoption.Listable[string]        `json:"process_path,omitempty"`
 	ProcessPathRegex         badoption.Listable[string]        `json:"process_path_regex,omitempty"`

option/rule_set.go

@@ -194,6 +194,8 @@ type DefaultHeadlessRule struct {
 	SourcePortRange      badoption.Listable[string]        `json:"source_port_range,omitempty"`
 	Port                 badoption.Listable[uint16]        `json:"port,omitempty"`
 	PortRange            badoption.Listable[string]        `json:"port_range,omitempty"`
+	TunnelSource         badoption.Listable[string]        `json:"tunnel_source,omitempty"`
+	TunnelDestination    badoption.Listable[string]        `json:"tunnel_destination,omitempty"`
 	ProcessName          badoption.Listable[string]        `json:"process_name,omitempty"`
 	ProcessPath          badoption.Listable[string]        `json:"process_path,omitempty"`
 	ProcessPathRegex     badoption.Listable[string]        `json:"process_path_regex,omitempty"`

option/tunnel.go

@@ -0,0 +1,21 @@
+package option
+
+import "github.com/sagernet/sing/common/json/badoption"
+
+type TunnelClientEndpointOptions struct {
+	UUID     string   `json:"uuid"`
+	Key      string   `json:"key"`
+	Outbound Outbound `json:"outbound"`
+}
+
+type TunnelServerEndpointOptions struct {
+	UUID           string             `json:"uuid"`
+	Users          []TunnelUser       `json:"users"`
+	Inbound        Inbound            `json:"inbound"`
+	ConnectTimeout badoption.Duration `json:"connect_timeout,omitempty"`
+}
+
+type TunnelUser struct {
+	UUID string `json:"uuid"`
+	Key  string `json:"key"`
+}

protocol/tunnel/client.go

@@ -0,0 +1,152 @@
+package tunnel
+
+import (
+	"context"
+	"net"
+	"os"
+	"time"
+
+	"github.com/gofrs/uuid/v5"
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/adapter/endpoint"
+	"github.com/sagernet/sing-box/adapter/outbound"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/service"
+)
+
+func RegisterClientEndpoint(registry *endpoint.Registry) {
+	endpoint.Register[option.TunnelClientEndpointOptions](registry, C.TypeTunnelClient, NewClientEndpoint)
+}
+
+type ClientEndpoint struct {
+	outbound.Adapter
+	ctx      context.Context
+	outbound adapter.Outbound
+	router   adapter.ConnectionRouterEx
+	logger   logger.ContextLogger
+	uuid     uuid.UUID
+	key      uuid.UUID
+}
+
+func NewClientEndpoint(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.TunnelClientEndpointOptions) (adapter.Endpoint, error) {
+	clientUUID, err := uuid.FromString(options.UUID)
+	if err != nil {
+		return nil, err
+	}
+	clientKey, err := uuid.FromString(options.Key)
+	if err != nil {
+		return nil, err
+	}
+	client := &ClientEndpoint{
+		Adapter: outbound.NewAdapter(C.TypeTunnelClient, tag, []string{N.NetworkTCP}, []string{}),
+		ctx:     ctx,
+		router:  router,
+		logger:  logger,
+		uuid:    clientUUID,
+		key:     clientKey,
+	}
+	outboundRegistry := service.FromContext[adapter.OutboundRegistry](ctx)
+	outbound, err := outboundRegistry.CreateOutbound(ctx, router, logger, options.Outbound.Tag, options.Outbound.Type, options.Outbound.Options)
+	if err != nil {
+		return nil, err
+	}
+	client.outbound = outbound
+	return client, nil
+}
+
+func (c *ClientEndpoint) Start(stage adapter.StartStage) error {
+	if stage != adapter.StartStatePostStart {
+		return nil
+	}
+	for range 5 {
+		go func() {
+			for {
+				select {
+				case <-c.ctx.Done():
+					return
+				default:
+					err := c.startInboundConn()
+					if err != nil {
+						c.logger.ErrorContext(c.ctx, err)
+						time.Sleep(time.Second * 5)
+					}
+				}
+			}
+		}()
+	}
+	return nil
+}
+
+func (c *ClientEndpoint) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+	if network != N.NetworkTCP {
+		return nil, os.ErrInvalid
+	}
+	var destinationUUID *uuid.UUID
+	if metadata := adapter.ContextFrom(ctx); metadata != nil {
+		if metadata.TunnelDestination != "" {
+			uuid, err := uuid.FromString(metadata.TunnelDestination)
+			if err != nil {
+				return nil, err
+			}
+			destinationUUID = &uuid
+		}
+	}
+	if destinationUUID == nil {
+		return nil, E.New("tunnel destination not set")
+	}
+	if *destinationUUID == c.uuid {
+		return nil, E.New("routing loop")
+	}
+	conn, err := c.outbound.DialContext(ctx, N.NetworkTCP, Destination)
+	if err != nil {
+		return nil, err
+	}
+	err = WriteRequest(conn, &Request{UUID: c.key, Command: CommandTCP, DestinationUUID: *destinationUUID, Destination: destination})
+	return conn, err
+}
+
+func (c *ClientEndpoint) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+	return nil, os.ErrInvalid
+}
+
+func (c *ClientEndpoint) Close() error {
+	return common.Close(c.outbound)
+}
+
+func (c *ClientEndpoint) startInboundConn() error {
+	conn, err := c.outbound.DialContext(c.ctx, N.NetworkTCP, Destination)
+	if err != nil {
+		return err
+	}
+	err = WriteRequest(conn, &Request{UUID: c.key, Command: CommandInbound, Destination: Destination})
+	if err != nil {
+		return err
+	}
+	request, err := ReadRequest(conn)
+	if err != nil {
+		return err
+	}
+	go c.connHandler(conn, request)
+	return nil
+}
+
+func (c *ClientEndpoint) connHandler(conn net.Conn, request *Request) {
+	metadata := adapter.InboundContext{
+		Source:      M.ParseSocksaddr(conn.RemoteAddr().String()),
+		Destination: request.Destination,
+	}
+	if request.UUID == c.uuid {
+		c.logger.ErrorContext(c.ctx, "routing loop")
+		conn.Close()
+		return
+	}
+	metadata.TunnelSource = request.UUID.String()
+	c.router.RouteConnectionEx(c.ctx, conn, metadata, func(it error) {})
+}

protocol/tunnel/protocol.go

@@ -0,0 +1,91 @@
+package tunnel
+
+import (
+	"encoding/binary"
+	"io"
+
+	"github.com/gofrs/uuid/v5"
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/buf"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+)
+
+const (
+	Version = 0
+)
+
+const (
+	CommandInbound = 1
+	CommandTCP     = 2
+)
+
+var Destination = M.Socksaddr{
+	Fqdn: "sp.tunnel.sing-box.arpa",
+	Port: 444,
+}
+
+var AddressSerializer = M.NewSerializer(
+	M.AddressFamilyByte(0x01, M.AddressFamilyIPv4),
+	M.AddressFamilyByte(0x03, M.AddressFamilyIPv6),
+	M.AddressFamilyByte(0x02, M.AddressFamilyFqdn),
+	M.PortThenAddress(),
+)
+
+type Request struct {
+	UUID            uuid.UUID
+	Command         byte
+	DestinationUUID uuid.UUID
+	Destination     M.Socksaddr
+}
+
+func ReadRequest(reader io.Reader) (*Request, error) {
+	var request Request
+	var version uint8
+	err := binary.Read(reader, binary.BigEndian, &version)
+	if err != nil {
+		return nil, err
+	}
+	if version != Version {
+		return nil, E.New("unknown version: ", version)
+	}
+	_, err = io.ReadFull(reader, request.UUID[:])
+	if err != nil {
+		return nil, err
+	}
+	err = binary.Read(reader, binary.BigEndian, &request.Command)
+	if err != nil {
+		return nil, err
+	}
+	_, err = io.ReadFull(reader, request.DestinationUUID[:])
+	if err != nil {
+		return nil, err
+	}
+	request.Destination, err = AddressSerializer.ReadAddrPort(reader)
+	if err != nil {
+		return nil, err
+	}
+	return &request, nil
+}
+
+func WriteRequest(writer io.Writer, request *Request) error {
+	var requestLen int
+	requestLen += 1  // version
+	requestLen += 16 // UUID
+	requestLen += 16 // destinationUUID
+	requestLen += 1  // command
+	requestLen += AddressSerializer.AddrPortLen(request.Destination)
+	buffer := buf.NewSize(requestLen)
+	defer buffer.Release()
+	common.Must(
+		buffer.WriteByte(Version),
+		common.Error(buffer.Write(request.UUID[:])),
+		buffer.WriteByte(request.Command),
+		common.Error(buffer.Write(request.DestinationUUID[:])),
+	)
+	err := AddressSerializer.WriteAddrPort(buffer, request.Destination)
+	if err != nil {
+		return err
+	}
+	return common.Error(writer.Write(buffer.Bytes()))
+}

protocol/tunnel/router.go

@@ -0,0 +1,41 @@
+package tunnel
+
+import (
+	"context"
+	"net"
+	"os"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing/common/logger"
+	N "github.com/sagernet/sing/common/network"
+)
+
+type Router struct {
+	adapter.Router
+	logger  logger.ContextLogger
+	handler func(context.Context, net.Conn, adapter.InboundContext, N.CloseHandlerFunc) error
+}
+
+func NewRouter(router adapter.Router, logger logger.ContextLogger, handler func(context.Context, net.Conn, adapter.InboundContext, N.CloseHandlerFunc) error) *Router {
+	return &Router{Router: router, logger: logger, handler: handler}
+}
+
+func (r *Router) RouteConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
+	return r.handler(ctx, conn, metadata, func(error) {})
+}
+
+func (r *Router) RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
+	return os.ErrInvalid
+}
+
+func (r *Router) RouteConnectionEx(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
+	if err := r.handler(ctx, conn, metadata, onClose); err != nil {
+		r.logger.ErrorContext(ctx, err)
+		N.CloseOnHandshakeFailure(conn, onClose, err)
+	}
+}
+
+func (r *Router) RoutePacketConnectionEx(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
+	r.logger.ErrorContext(ctx, os.ErrInvalid)
+	N.CloseOnHandshakeFailure(conn, onClose, os.ErrInvalid)
+}

protocol/tunnel/server.go

@@ -0,0 +1,203 @@
+package tunnel
+
+import (
+	"context"
+	"net"
+	"os"
+	"sync"
+	"time"
+
+	"github.com/gofrs/uuid/v5"
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/adapter/endpoint"
+	"github.com/sagernet/sing-box/adapter/outbound"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/service"
+)
+
+func RegisterServerEndpoint(registry *endpoint.Registry) {
+	endpoint.Register[option.TunnelServerEndpointOptions](registry, C.TypeTunnelServer, NewServerEndpoint)
+}
+
+type ServerEndpoint struct {
+	outbound.Adapter
+	logger  logger.ContextLogger
+	inbound adapter.Inbound
+	router  adapter.Router
+	uuid    uuid.UUID
+	users   map[uuid.UUID]uuid.UUID
+	keys    map[uuid.UUID]uuid.UUID
+	conns   map[uuid.UUID]chan net.Conn
+	timeout time.Duration
+
+	mtx sync.Mutex
+}
+
+func NewServerEndpoint(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.TunnelServerEndpointOptions) (adapter.Endpoint, error) {
+	serverUUID, err := uuid.FromString(options.UUID)
+	if err != nil {
+		return nil, err
+	}
+	server := &ServerEndpoint{
+		Adapter: outbound.NewAdapter(C.TypeTunnelServer, tag, []string{N.NetworkTCP}, []string{}),
+		logger:  logger,
+		router:  router,
+		uuid:    serverUUID,
+	}
+	inboundRegistry := service.FromContext[adapter.InboundRegistry](ctx)
+	inbound, err := inboundRegistry.Create(ctx, NewRouter(router, logger, server.connHandler), logger, options.Inbound.Tag, options.Inbound.Type, options.Inbound.Options)
+	if err != nil {
+		return nil, err
+	}
+	server.inbound = inbound
+	server.users = make(map[uuid.UUID]uuid.UUID, len(options.Users))
+	server.keys = make(map[uuid.UUID]uuid.UUID, len(options.Users))
+	server.conns = make(map[uuid.UUID]chan net.Conn)
+	for _, user := range options.Users {
+		key, err := uuid.FromString(user.Key)
+		if err != nil {
+			return nil, err
+		}
+		uuid, err := uuid.FromString(user.UUID)
+		if err != nil {
+			return nil, err
+		}
+		server.users[key] = uuid
+		server.keys[uuid] = key
+		server.conns[uuid] = make(chan net.Conn, 10)
+	}
+	if options.ConnectTimeout != 0 {
+		server.timeout = time.Duration(options.ConnectTimeout)
+	} else {
+		server.timeout = C.TCPConnectTimeout
+	}
+	return server, nil
+}
+
+func (s *ServerEndpoint) Start(stage adapter.StartStage) error {
+	return s.inbound.Start(stage)
+}
+
+func (s *ServerEndpoint) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+	if network != N.NetworkTCP {
+		return nil, os.ErrInvalid
+	}
+	var sourceUUID *uuid.UUID
+	var ch chan net.Conn
+	if metadata := adapter.ContextFrom(ctx); metadata != nil {
+		if metadata.TunnelDestination != "" {
+			tunnelDestination, err := uuid.FromString(metadata.TunnelDestination)
+			if err != nil {
+				return nil, err
+			}
+			s.mtx.Lock()
+			var ok bool
+			ch, ok = s.conns[tunnelDestination]
+			if !ok {
+				return nil, E.New("user ", metadata.TunnelDestination, " not found")
+			}
+			s.mtx.Unlock()
+		}
+		if metadata.TunnelSource != "" {
+			tunnelSource, err := uuid.FromString(metadata.TunnelSource)
+			if err != nil {
+				return nil, err
+			}
+			sourceUUID = &tunnelSource
+		}
+	}
+	if ch == nil {
+		return nil, E.New("tunnel destination not set")
+	}
+	if sourceUUID == nil {
+		sourceUUID = &s.uuid
+	}
+	ctx, cancel := context.WithTimeout(ctx, s.timeout)
+	defer cancel()
+	for {
+		select {
+		case <-ctx.Done():
+			return nil, ctx.Err()
+		default:
+		}
+		select {
+		case conn := <-ch:
+			err := WriteRequest(conn, &Request{UUID: *sourceUUID, Command: CommandTCP, Destination: destination})
+			if err != nil {
+				s.logger.ErrorContext(ctx, err)
+				continue
+			}
+			return conn, nil
+		case <-ctx.Done():
+			return nil, ctx.Err()
+		}
+	}
+}
+
+func (s *ServerEndpoint) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+	return nil, os.ErrInvalid
+}
+
+func (s *ServerEndpoint) Close() error {
+	return common.Close(s.inbound)
+}
+
+func (s *ServerEndpoint) connHandler(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) error {
+	if metadata.Destination != Destination {
+		s.router.RouteConnectionEx(ctx, conn, metadata, onClose)
+		return nil
+	}
+	request, err := ReadRequest(conn)
+	if err != nil {
+		return err
+	}
+	if request.Command == CommandInbound {
+		s.mtx.Lock()
+		defer s.mtx.Unlock()
+		uuid, ok := s.users[request.UUID]
+		if !ok {
+			return E.New("key ", request.UUID.String(), " not found")
+		}
+		ch := s.conns[uuid]
+		select {
+		case ch <- conn:
+		default:
+			oldConn := <-ch
+			oldConn.Close()
+			ch <- conn
+		}
+		return nil
+	}
+	if request.Command == CommandTCP {
+		sourceUUID, ok := s.users[request.UUID]
+		if !ok {
+			return E.New("key ", request.UUID, " not found")
+		}
+		if sourceUUID == request.DestinationUUID {
+			return E.New("routing loop on ", sourceUUID)
+		}
+		s.mtx.Lock()
+		if request.DestinationUUID != s.uuid {
+			_, ok = s.keys[request.DestinationUUID]
+			if !ok {
+				return E.New("user ", sourceUUID, " not found")
+			}
+		}
+		s.mtx.Unlock()
+		metadata.Inbound = s.Tag()
+		metadata.InboundType = C.TypeTunnelServer
+		metadata.Destination = request.Destination
+		metadata.TunnelSource = sourceUUID.String()
+		metadata.TunnelDestination = request.DestinationUUID.String()
+		s.router.RouteConnectionEx(ctx, conn, metadata, onClose)
+		return nil
+	}
+	return E.New("command ", request.Command, " not found")
+}

protocol/vless/inbound.go

@@ -205,6 +205,10 @@ func (h *inboundTransportHandler) NewConnectionEx(ctx context.Context, conn net.
 	var metadata adapter.InboundContext
 	metadata.Source = source
 	metadata.Destination = destination
+	//nolint:staticcheck
+	metadata.InboundDetour = h.listener.ListenOptions().Detour
+	//nolint:staticcheck
+	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	h.logger.InfoContext(ctx, "inbound connection from ", metadata.Source)
 	(*Inbound)(h).NewConnectionEx(ctx, conn, metadata, onClose)
 }

protocol/vmess/inbound.go

@@ -219,6 +219,10 @@ func (h *inboundTransportHandler) NewConnectionEx(ctx context.Context, conn net.
 	var metadata adapter.InboundContext
 	metadata.Source = source
 	metadata.Destination = destination
+	//nolint:staticcheck
+	metadata.InboundDetour = h.listener.ListenOptions().Detour
+	//nolint:staticcheck
+	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	h.logger.InfoContext(ctx, "inbound connection from ", metadata.Source)
 	(*Inbound)(h).NewConnectionEx(ctx, conn, metadata, onClose)
 }

route/dns.go

@@ -2,15 +2,14 @@ package route
 
 import (
 	"context"
-	"errors"
 	"net"
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	dnsOutbound "github.com/sagernet/sing-box/protocol/dns"
+	R "github.com/sagernet/sing-box/route/rule"
 	"github.com/sagernet/sing-dns"
-	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
@@ -31,7 +30,7 @@ func (r *Router) hijackDNSStream(ctx context.Context, conn net.Conn, metadata ad
 	}
 }
 
-func (r *Router) hijackDNSPacket(ctx context.Context, conn N.PacketConn, packetBuffers []*N.PacketBuffer, metadata adapter.InboundContext) {
+func (r *Router) hijackDNSPacket(ctx context.Context, conn N.PacketConn, packetBuffers []*N.PacketBuffer, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
 	if natConn, isNatConn := conn.(udpnat.Conn); isNatConn {
 		metadata.Destination = M.Socksaddr{}
 		for _, packet := range packetBuffers {
@@ -45,10 +44,12 @@ func (r *Router) hijackDNSPacket(ctx context.Context, conn N.PacketConn, packetB
 			conn:     conn,
 			ctx:      ctx,
 			metadata: metadata,
+			onClose:  onClose,
 		})
 		return
 	}
 	err := dnsOutbound.NewDNSPacketConnection(ctx, r, conn, packetBuffers, metadata)
+	N.CloseOnHandshakeFailure(conn, onClose, err)
 	if err != nil && !E.IsClosedOrCanceled(err) {
 		r.dnsLogger.ErrorContext(ctx, E.Cause(err, "process packet connection"))
 	}
@@ -56,7 +57,7 @@ func (r *Router) hijackDNSPacket(ctx context.Context, conn N.PacketConn, packetB
 
 func ExchangeDNSPacket(ctx context.Context, router *Router, conn N.PacketConn, buffer *buf.Buffer, metadata adapter.InboundContext, destination M.Socksaddr) {
 	err := exchangeDNSPacket(ctx, router, conn, buffer, metadata, destination)
-	if err != nil && !errors.Is(err, tun.ErrDrop) && !E.IsClosedOrCanceled(err) {
+	if err != nil && !R.IsRejected(err) && !E.IsClosedOrCanceled(err) {
 		router.dnsLogger.ErrorContext(ctx, E.Cause(err, "process packet connection"))
 	}
 }
@@ -85,8 +86,16 @@ type dnsHijacker struct {
 	conn     N.PacketConn
 	ctx      context.Context
 	metadata adapter.InboundContext
+	onClose  N.CloseHandlerFunc
 }
 
 func (h *dnsHijacker) NewPacketEx(buffer *buf.Buffer, destination M.Socksaddr) {
 	go ExchangeDNSPacket(h.ctx, h.router, h.conn, buffer, h.metadata, destination)
 }
+
+func (h *dnsHijacker) Close() error {
+	if h.onClose != nil {
+		h.onClose(nil)
+	}
+	return nil
+}

route/route.go

@@ -16,7 +16,7 @@ import (
 	"github.com/sagernet/sing-box/common/sniff"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing-box/route/rule"
+	R "github.com/sagernet/sing-box/route/rule"
 	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing-mux"
 	"github.com/sagernet/sing-vmess"
@@ -51,7 +51,7 @@ func (r *Router) RouteConnectionEx(ctx context.Context, conn net.Conn, metadata
 	err := r.routeConnection(ctx, conn, metadata, onClose)
 	if err != nil {
 		N.CloseOnHandshakeFailure(conn, onClose, err)
-		if E.IsClosedOrCanceled(err) {
+		if E.IsClosedOrCanceled(err) || R.IsRejected(err) {
 			r.logger.DebugContext(ctx, "connection closed: ", err)
 		} else {
 			r.logger.ErrorContext(ctx, err)
@@ -101,7 +101,7 @@ func (r *Router) routeConnection(ctx context.Context, conn net.Conn, metadata ad
 	var selectedOutbound adapter.Outbound
 	if selectedRule != nil {
 		switch action := selectedRule.Action().(type) {
-		case *rule.RuleActionRoute:
+		case *R.RuleActionRoute:
 			var loaded bool
 			selectedOutbound, loaded = r.outbound.Outbound(action.Outbound)
 			if !loaded {
@@ -112,15 +112,15 @@ func (r *Router) routeConnection(ctx context.Context, conn net.Conn, metadata ad
 				buf.ReleaseMulti(buffers)
 				return E.New("TCP is not supported by outbound: ", selectedOutbound.Tag())
 			}
-		case *rule.RuleActionReject:
+		case *R.RuleActionReject:
 			buf.ReleaseMulti(buffers)
 			N.CloseOnHandshakeFailure(conn, onClose, action.Error(ctx))
 			return nil
-		case *rule.RuleActionHijackDNS:
+		case *R.RuleActionHijackDNS:
 			for _, buffer := range buffers {
 				conn = bufio.NewCachedConn(conn, buffer)
 			}
-			r.hijackDNSStream(ctx, conn, metadata)
+			N.CloseOnHandshakeFailure(conn, onClose, r.hijackDNSStream(ctx, conn, metadata))
 			return nil
 		}
 	}
@@ -154,7 +154,7 @@ func (r *Router) RoutePacketConnection(ctx context.Context, conn N.PacketConn, m
 	}))
 	if err != nil {
 		conn.Close()
-		if E.IsClosedOrCanceled(err) {
+		if E.IsClosedOrCanceled(err) || R.IsRejected(err) {
 			r.logger.DebugContext(ctx, "connection closed: ", err)
 		} else {
 			r.logger.ErrorContext(ctx, err)
@@ -171,7 +171,7 @@ func (r *Router) RoutePacketConnectionEx(ctx context.Context, conn N.PacketConn,
 	err := r.routePacketConnection(ctx, conn, metadata, onClose)
 	if err != nil {
 		N.CloseOnHandshakeFailure(conn, onClose, err)
-		if E.IsClosedOrCanceled(err) {
+		if E.IsClosedOrCanceled(err) || R.IsRejected(err) {
 			r.logger.DebugContext(ctx, "connection closed: ", err)
 		} else {
 			r.logger.ErrorContext(ctx, err)
@@ -217,7 +217,7 @@ func (r *Router) routePacketConnection(ctx context.Context, conn N.PacketConn, m
 	var selectReturn bool
 	if selectedRule != nil {
 		switch action := selectedRule.Action().(type) {
-		case *rule.RuleActionRoute:
+		case *R.RuleActionRoute:
 			var loaded bool
 			selectedOutbound, loaded = r.outbound.Outbound(action.Outbound)
 			if !loaded {
@@ -228,12 +228,12 @@ func (r *Router) routePacketConnection(ctx context.Context, conn N.PacketConn, m
 				N.ReleaseMultiPacketBuffer(packetBuffers)
 				return E.New("UDP is not supported by outbound: ", selectedOutbound.Tag())
 			}
-		case *rule.RuleActionReject:
+		case *R.RuleActionReject:
 			N.ReleaseMultiPacketBuffer(packetBuffers)
 			N.CloseOnHandshakeFailure(conn, onClose, action.Error(ctx))
 			return nil
-		case *rule.RuleActionHijackDNS:
-			r.hijackDNSPacket(ctx, conn, packetBuffers, metadata)
+		case *R.RuleActionHijackDNS:
+			r.hijackDNSPacket(ctx, conn, packetBuffers, metadata, onClose)
 			return nil
 		}
 	}
@@ -271,7 +271,7 @@ func (r *Router) PreMatch(metadata adapter.InboundContext) error {
 	if selectedRule == nil {
 		return nil
 	}
-	rejectAction, isReject := selectedRule.Action().(*rule.RuleActionReject)
+	rejectAction, isReject := selectedRule.Action().(*R.RuleActionReject)
 	if !isReject {
 		return nil
 	}
@@ -346,7 +346,7 @@ func (r *Router) matchRule(
 	//nolint:staticcheck
 	if metadata.InboundOptions != common.DefaultValue[option.InboundOptions]() {
 		if !preMatch && metadata.InboundOptions.SniffEnabled {
-			newBuffer, newPackerBuffers, newErr := r.actionSniff(ctx, metadata, &rule.RuleActionSniff{
+			newBuffer, newPackerBuffers, newErr := r.actionSniff(ctx, metadata, &R.RuleActionSniff{
 				OverrideDestination: metadata.InboundOptions.SniffOverrideDestination,
 				Timeout:             time.Duration(metadata.InboundOptions.SniffTimeout),
 			}, inputConn, inputPacketConn, nil)
@@ -361,7 +361,7 @@ func (r *Router) matchRule(
 			}
 		}
 		if dns.DomainStrategy(metadata.InboundOptions.DomainStrategy) != dns.DomainStrategyAsIS {
-			fatalErr = r.actionResolve(ctx, metadata, &rule.RuleActionResolve{
+			fatalErr = r.actionResolve(ctx, metadata, &R.RuleActionResolve{
 				Strategy: dns.DomainStrategy(metadata.InboundOptions.DomainStrategy),
 			})
 			if fatalErr != nil {
@@ -398,11 +398,11 @@ match:
 				}
 			}
 		}
-		var routeOptions *rule.RuleActionRouteOptions
+		var routeOptions *R.RuleActionRouteOptions
 		switch action := currentRule.Action().(type) {
-		case *rule.RuleActionRoute:
+		case *R.RuleActionRoute:
 			routeOptions = &action.RuleActionRouteOptions
-		case *rule.RuleActionRouteOptions:
+		case *R.RuleActionRouteOptions:
 			routeOptions = action
 		}
 		if routeOptions != nil {
@@ -425,6 +425,9 @@ match:
 					Fqdn: metadata.Destination.Fqdn,
 				}
 			}
+			if routeOptions.OverrideTunnelDestination != "" {
+				metadata.TunnelDestination = routeOptions.OverrideTunnelDestination
+			}
 			if routeOptions.NetworkStrategy != nil {
 				metadata.NetworkStrategy = routeOptions.NetworkStrategy
 			}
@@ -448,7 +451,7 @@ match:
 			}
 		}
 		switch action := currentRule.Action().(type) {
-		case *rule.RuleActionSniff:
+		case *R.RuleActionSniff:
 			if !preMatch {
 				newBuffer, newPacketBuffers, newErr := r.actionSniff(ctx, metadata, action, inputConn, inputPacketConn, buffers)
 				if newErr != nil {
@@ -465,7 +468,7 @@ match:
 				selectedRuleIndex = currentRuleIndex
 				break match
 			}
-		case *rule.RuleActionResolve:
+		case *R.RuleActionResolve:
 			fatalErr = r.actionResolve(ctx, metadata, action)
 			if fatalErr != nil {
 				return
@@ -485,7 +488,7 @@ match:
 }
 
 func (r *Router) actionSniff(
-	ctx context.Context, metadata *adapter.InboundContext, action *rule.RuleActionSniff,
+	ctx context.Context, metadata *adapter.InboundContext, action *R.RuleActionSniff,
 	inputConn net.Conn, inputPacketConn N.PacketConn, inputBuffers []*buf.Buffer,
 ) (buffer *buf.Buffer, packetBuffers []*N.PacketBuffer, fatalErr error) {
 	if sniff.Skip(metadata) {
@@ -498,6 +501,9 @@ func (r *Router) actionSniff(
 	if inputConn != nil {
 		if len(action.StreamSniffers) == 0 && len(action.PacketSniffers) > 0 {
 			return
+		} else if metadata.SniffError != nil && !errors.Is(metadata.SniffError, sniff.ErrNeedMoreData) {
+			r.logger.DebugContext(ctx, "packet sniff skipped due to previous error: ", metadata.SniffError)
+			return
 		}
 		var streamSniffers []sniff.StreamSniffer
 		if len(action.StreamSniffers) > 0 {
@@ -522,6 +528,7 @@ func (r *Router) actionSniff(
 			action.Timeout,
 			streamSniffers...,
 		)
+		metadata.SniffError = err
 		if err == nil {
 			//goland:noinspection GoDeprecation
 			if action.OverrideDestination && M.IsDomainName(metadata.Domain) {
@@ -546,8 +553,8 @@ func (r *Router) actionSniff(
 	} else if inputPacketConn != nil {
 		if len(action.PacketSniffers) == 0 && len(action.StreamSniffers) > 0 {
 			return
-		} else if metadata.PacketSniffError != nil && !errors.Is(metadata.PacketSniffError, sniff.ErrNeedMoreData) {
-			r.logger.DebugContext(ctx, "packet sniff skipped due to previous error: ", metadata.PacketSniffError)
+		} else if metadata.SniffError != nil && !errors.Is(metadata.SniffError, sniff.ErrNeedMoreData) {
+			r.logger.DebugContext(ctx, "packet sniff skipped due to previous error: ", metadata.SniffError)
 			return
 		}
 		var packetSniffers []sniff.PacketSniffer
@@ -594,7 +601,7 @@ func (r *Router) actionSniff(
 					return
 				}
 			} else {
-				if len(packetBuffers) > 0 || metadata.PacketSniffError != nil {
+				if len(packetBuffers) > 0 || metadata.SniffError != nil {
 					err = sniff.PeekPacket(
 						ctx,
 						metadata,
@@ -614,7 +621,7 @@ func (r *Router) actionSniff(
 					Destination: destination,
 				}
 				packetBuffers = append(packetBuffers, packetBuffer)
-				metadata.PacketSniffError = err
+				metadata.SniffError = err
 				if errors.Is(err, sniff.ErrNeedMoreData) {
 					// TODO: replace with generic message when there are more multi-packet protocols
 					r.logger.DebugContext(ctx, "attempt to sniff fragmented QUIC client hello")
@@ -645,7 +652,7 @@ func (r *Router) actionSniff(
 	return
 }
 
-func (r *Router) actionResolve(ctx context.Context, metadata *adapter.InboundContext, action *rule.RuleActionResolve) error {
+func (r *Router) actionResolve(ctx context.Context, metadata *adapter.InboundContext, action *R.RuleActionResolve) error {
 	if metadata.Destination.IsFqdn() {
 		metadata.DNSServer = action.Server
 		addresses, err := r.Lookup(adapter.WithContext(ctx, metadata), metadata.Destination.Fqdn, action.Strategy)

route/route_dns.go

@@ -170,7 +170,7 @@ func (r *Router) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS.Msg, er
 							Question: []mDNS.Question{message.Question[0]},
 						}, nil
 					case C.RuleActionRejectMethodDrop:
-						return nil, tun.ErrDrop
+						return nil, &R.RejectedError{Cause: tun.ErrDrop}
 					}
 				}
 			}
@@ -289,7 +289,7 @@ func (r *Router) Lookup(ctx context.Context, domain string, strategy dns.DomainS
 					case C.RuleActionRejectMethodDefault:
 						return nil, nil
 					case C.RuleActionRejectMethodDrop:
-						return nil, tun.ErrDrop
+						return nil, &R.RejectedError{Cause: tun.ErrDrop}
 					}
 				}
 			}

route/rule/rule_action.go

@@ -2,6 +2,7 @@ package rule
 
 import (
 	"context"
+	"errors"
 	"net/netip"
 	"strings"
 	"sync"
@@ -33,6 +34,7 @@ func NewRuleAction(ctx context.Context, logger logger.ContextLogger, action opti
 			RuleActionRouteOptions: RuleActionRouteOptions{
 				OverrideAddress:           M.ParseSocksaddrHostPort(action.RouteOptions.OverrideAddress, 0),
 				OverridePort:              action.RouteOptions.OverridePort,
+				OverrideTunnelDestination: action.RouteOptions.OverrideTunnelDestination,
 				NetworkStrategy:           (*C.NetworkStrategy)(action.RouteOptions.NetworkStrategy),
 				FallbackDelay:             time.Duration(action.RouteOptions.FallbackDelay),
 				UDPDisableDomainUnmapping: action.RouteOptions.UDPDisableDomainUnmapping,
@@ -147,6 +149,7 @@ func (r *RuleActionRoute) String() string {
 type RuleActionRouteOptions struct {
 	OverrideAddress           M.Socksaddr
 	OverridePort              uint16
+	OverrideTunnelDestination string
 	NetworkStrategy           *C.NetworkStrategy
 	NetworkType               []C.InterfaceType
 	FallbackNetworkType       []C.InterfaceType
@@ -168,6 +171,9 @@ func (r *RuleActionRouteOptions) String() string {
 	if r.OverridePort > 0 {
 		descriptions = append(descriptions, F.ToString("override-port=", r.OverridePort))
 	}
+	if r.OverrideTunnelDestination != "" {
+		descriptions = append(descriptions, F.ToString("override-tunnel-destination=", r.OverrideTunnelDestination))
+	}
 	if r.NetworkStrategy != nil {
 		descriptions = append(descriptions, F.ToString("network-strategy=", r.NetworkStrategy))
 	}
@@ -250,6 +256,23 @@ func (r *RuleActionDirect) String() string {
 	return "direct" + r.description
 }
 
+type RejectedError struct {
+	Cause error
+}
+
+func (r *RejectedError) Error() string {
+	return "rejected"
+}
+
+func (r *RejectedError) Unwrap() error {
+	return r.Cause
+}
+
+func IsRejected(err error) bool {
+	var rejected *RejectedError
+	return errors.As(err, &rejected)
+}
+
 type RuleActionReject struct {
 	Method      string
 	NoDrop      bool
@@ -273,9 +296,9 @@ func (r *RuleActionReject) Error(ctx context.Context) error {
 	var returnErr error
 	switch r.Method {
 	case C.RuleActionRejectMethodDefault:
-		returnErr = syscall.ECONNREFUSED
+		returnErr = &RejectedError{syscall.ECONNREFUSED}
 	case C.RuleActionRejectMethodDrop:
-		return tun.ErrDrop
+		return &RejectedError{tun.ErrDrop}
 	default:
 		panic(F.ToString("unknown reject method: ", r.Method))
 	}
@@ -293,7 +316,7 @@ func (r *RuleActionReject) Error(ctx context.Context) error {
 		if ctx != nil {
 			r.logger.DebugContext(ctx, "dropped due to flooding")
 		}
-		return tun.ErrDrop
+		return &RejectedError{tun.ErrDrop}
 	}
 	return returnErr
 }

route/rule/rule_default.go

@@ -189,6 +189,16 @@ func NewDefaultRule(ctx context.Context, logger log.ContextLogger, options optio
 		rule.destinationPortItems = append(rule.destinationPortItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
+	if len(options.TunnelSource) > 0 {
+		item := NewTunnelSourceItem(options.TunnelSource)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.TunnelDestination) > 0 {
+		item := NewTunnelDestinationItem(options.TunnelDestination)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
 	if len(options.ProcessName) > 0 {
 		item := NewProcessItem(options.ProcessName)
 		rule.items = append(rule.items, item)

route/rule/rule_dns.go

@@ -180,6 +180,16 @@ func NewDefaultDNSRule(ctx context.Context, logger log.ContextLogger, options op
 		rule.destinationPortItems = append(rule.destinationPortItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
+	if len(options.TunnelSource) > 0 {
+		item := NewTunnelSourceItem(options.TunnelSource)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.TunnelDestination) > 0 {
+		item := NewTunnelDestinationItem(options.TunnelDestination)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
 	if len(options.ProcessName) > 0 {
 		item := NewProcessItem(options.ProcessName)
 		rule.items = append(rule.items, item)

route/rule/rule_headless.go

@@ -121,6 +121,16 @@ func NewDefaultHeadlessRule(ctx context.Context, options option.DefaultHeadlessR
 		rule.destinationPortItems = append(rule.destinationPortItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
+	if len(options.TunnelSource) > 0 {
+		item := NewTunnelSourceItem(options.TunnelSource)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.TunnelDestination) > 0 {
+		item := NewTunnelDestinationItem(options.TunnelDestination)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
 	if len(options.ProcessName) > 0 {
 		item := NewProcessItem(options.ProcessName)
 		rule.items = append(rule.items, item)

route/rule/rule_item_tunnel_destination.go

@@ -0,0 +1,35 @@
+package rule
+
+import (
+	"strings"
+
+	"github.com/sagernet/sing-box/adapter"
+	F "github.com/sagernet/sing/common/format"
+)
+
+var _ RuleItem = (*TunnelDestinationItem)(nil)
+
+type TunnelDestinationItem struct {
+	destinations   []string
+	destinationMap map[string]bool
+}
+
+func NewTunnelDestinationItem(destinations []string) *TunnelDestinationItem {
+	rule := &TunnelDestinationItem{destinations, make(map[string]bool)}
+	for _, destination := range destinations {
+		rule.destinationMap[destination] = true
+	}
+	return rule
+}
+
+func (r *TunnelDestinationItem) Match(metadata *adapter.InboundContext) bool {
+	return r.destinationMap[metadata.TunnelDestination]
+}
+
+func (r *TunnelDestinationItem) String() string {
+	if len(r.destinations) == 1 {
+		return F.ToString("tunnel_destination=", r.destinations[0])
+	} else {
+		return F.ToString("tunnel_destination=[", strings.Join(r.destinations, " "), "]")
+	}
+}

route/rule/rule_item_tunnel_source.go

@@ -0,0 +1,35 @@
+package rule
+
+import (
+	"strings"
+
+	"github.com/sagernet/sing-box/adapter"
+	F "github.com/sagernet/sing/common/format"
+)
+
+var _ RuleItem = (*TunnelSourceItem)(nil)
+
+type TunnelSourceItem struct {
+	sources   []string
+	sourceMap map[string]bool
+}
+
+func NewTunnelSourceItem(sources []string) *TunnelSourceItem {
+	rule := &TunnelSourceItem{sources, make(map[string]bool)}
+	for _, source := range sources {
+		rule.sourceMap[source] = true
+	}
+	return rule
+}
+
+func (r *TunnelSourceItem) Match(metadata *adapter.InboundContext) bool {
+	return r.sourceMap[metadata.TunnelSource]
+}
+
+func (r *TunnelSourceItem) String() string {
+	if len(r.sources) == 1 {
+		return F.ToString("tunnel_source=", r.sources[0])
+	} else {
+		return F.ToString("tunnel_source=[", strings.Join(r.sources, " "), "]")
+	}
+}

transport/v2rayhttp/conn.go

@@ -31,6 +31,9 @@ type HTTPConn struct {
 }
 
 func NewHTTP1Conn(conn net.Conn, request *http.Request) *HTTPConn {
+	if request.Header.Get("Host") == "" {
+		request.Header.Set("Host", request.Host)
+	}
 	return &HTTPConn{
 		Conn:    conn,
 		request: request,
@@ -89,9 +92,6 @@ func (c *HTTPConn) writeRequest(payload []byte) error {
 	if err != nil {
 		return err
 	}
-	if c.request.Header.Get("Host") == "" {
-		c.request.Header.Set("Host", c.request.Host)
-	}
 	for key, value := range c.request.Header {
 		_, err = writer.Write([]byte(F.ToString(key, ": ", strings.Join(value, ", "), CRLF)))
 		if err != nil {

transport/v2rayxhttp/client.go

@@ -87,9 +87,7 @@ func NewClient(ctx context.Context, dialer N.Dialer, serverAddr M.Socksaddr, opt
 		return xmuxClient.XmuxConn.(DialerClient), xmuxClient
 	}
 	getRequestURL2 := getRequestURL
-	getHTTPClient2 := func() (DialerClient, *XmuxClient) {
-		return nil, nil
-	}
+	getHTTPClient2 := getHTTPClient
 	if options.Download != nil {
 		options2 := options.Download
 		dialer2 := dialer