documentation: Update changelog

Co-authored-by: Hiddify <114227601+hiddify1@users.noreply.github.com>

.github/workflows/stale.yml

@@ -8,7 +8,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v7
+      - uses: actions/stale@v8
         with:
           stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days'
           days-before-stale: 60

Dockerfile

@@ -9,7 +9,7 @@ RUN set -ex \
     && apk add git build-base \
     && export COMMIT=$(git rev-parse --short HEAD) \
     && export VERSION=$(go run ./cmd/internal/read_tag) \
-    && go build -v -trimpath -tags with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_reality_server,with_clash_api,with_acme \
+    && go build -v -trimpath -tags with_gvisor,with_quic,with_dhcp,with_wireguard,with_ech,with_utls,with_reality_server,with_clash_api,with_acme \
         -o /go/bin/sing-box \
         -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" -s -w -buildid=" \
         ./cmd/sing-box

Makefile

@@ -1,7 +1,7 @@
 NAME = sing-box
 COMMIT = $(shell git rev-parse --short HEAD)
 TAGS_GO118 = with_gvisor,with_dhcp,with_wireguard,with_utls,with_reality_server,with_clash_api
-TAGS_GO120 = with_quic
+TAGS_GO120 = with_quic,with_ech
 TAGS ?= $(TAGS_GO118),$(TAGS_GO120)
 TAGS_TEST ?= with_gvisor,with_quic,with_wireguard,with_grpc,with_ech,with_utls,with_reality_server,with_shadowsocksr
 
@@ -58,24 +58,103 @@ proto_install:
 	go install -v google.golang.org/protobuf/cmd/protoc-gen-go@latest
 	go install -v google.golang.org/grpc/cmd/protoc-gen-go-grpc@latest
 
-snapshot:
-	go run ./cmd/internal/build goreleaser release --clean --snapshot || exit 1
-	mkdir dist/release
-	mv dist/*.tar.gz dist/*.zip dist/*.deb dist/*.rpm dist/release
-	ghr --delete --draft --prerelease -p 1 nightly dist/release
-	rm -r dist
-
 release:
 	go run ./cmd/internal/build goreleaser release --clean --skip-publish || exit 1
 	mkdir dist/release
 	mv dist/*.tar.gz dist/*.zip dist/*.deb dist/*.rpm dist/release
-	ghr --delete --draft --prerelease -p 3 $(shell git describe --tags) dist/release
+	ghr --replace --draft --prerelease -p 3 "v${VERSION}" dist/release
 	rm -r dist
 
 release_install:
 	go install -v github.com/goreleaser/goreleaser@latest
 	go install -v github.com/tcnksm/ghr@latest
 
+update_android_version:
+	go run ./cmd/internal/update_android_version
+
+build_android:
+	cd ../sing-box-for-android && ./gradlew :app:assembleRelease
+
+upload_android:
+	mkdir -p dist/release_android
+	cp ../sing-box-for-android/app/build/outputs/apk/release/*.apk dist/release_android
+	ghr --replace --draft --prerelease -p 3 "v${VERSION}" dist/release_android
+	rm -rf dist/release_android
+
+release_android: lib_android update_android_version build_android upload_android
+
+publish_android:
+	cd ../sing-box-for-android && ./gradlew :app:appCenterAssembleAndUploadRelease
+
+build_ios:
+	cd ../sing-box-for-apple && \
+	rm -rf build/SFI.xcarchive && \
+	xcodebuild archive -scheme SFI -configuration Release -archivePath build/SFI.xcarchive
+
+upload_ios_app_store:
+	cd ../sing-box-for-apple && \
+	xcodebuild -exportArchive -archivePath build/SFI.xcarchive -exportOptionsPlist SFI/Upload.plist
+
+release_ios: build_ios upload_ios_app_store
+
+build_macos:
+	cd ../sing-box-for-apple && \
+	rm -rf build/SFM.xcarchive && \
+	xcodebuild archive -scheme SFM -configuration Release -archivePath build/SFM.xcarchive
+
+upload_macos_app_store:
+	cd ../sing-box-for-apple && \
+	xcodebuild -exportArchive -archivePath build/SFM.xcarchive -exportOptionsPlist SFI/Upload.plist
+
+release_macos: build_macos upload_macos_app_store
+
+build_macos_independent:
+	cd ../sing-box-for-apple && \
+	rm -rf build/SFT.System.xcarchive && \
+	xcodebuild archive -scheme SFM.System -configuration Release -archivePath build/SFM.System.xcarchive
+
+notarize_macos_independent:
+	cd ../sing-box-for-apple && \
+	xcodebuild -exportArchive -archivePath "build/SFM.System.xcarchive" -exportOptionsPlist SFM.System/Upload.plist
+
+wait_notarize_macos_independent:
+	sleep 60
+
+export_macos_independent:
+	rm -rf dist/SFM
+	mkdir -p dist/SFM
+	cd ../sing-box-for-apple && \
+	xcodebuild -exportNotarizedApp -archivePath build/SFM.System.xcarchive -exportPath "../sing-box/dist/SFM"
+
+upload_macos_independent:
+	cd dist/SFM && \
+	rm -f *.zip && \
+	zip -ry "SFM-${VERSION}-universal.zip" SFM.app && \
+	ghr --replace --draft --prerelease "v${VERSION}" *.zip
+
+release_macos_independent: build_macos_independent notarize_macos_independent wait_notarize_macos_independent export_macos_independent upload_macos_independent
+
+build_tvos:
+	cd ../sing-box-for-apple && \
+	rm -rf build/SFT.xcarchive && \
+	export DEVELOPER_DIR=/Applications/Xcode-beta.app/Contents/Developer && \
+	xcodebuild archive -scheme SFT -configuration Release -archivePath build/SFT.xcarchive
+
+upload_tvos_app_store:
+	cd ../sing-box-for-apple && \
+	xcodebuild -exportArchive -archivePath "build/SFT.xcarchive" -exportOptionsPlist SFI/Upload.plist
+
+release_tvos: build_tvos upload_tvos_app_store
+
+update_apple_version:
+	go run ./cmd/internal/update_apple_version
+
+release_apple: lib_ios update_apple_version release_ios release_macos release_tvos release_macos_independent
+	rm -rf dist
+
+release_apple_beta: update_apple_version release_ios release_macos release_tvos
+	rm -rf dist
+
 test:
 	@go test -v ./... && \
 	cd test && \
@@ -88,10 +167,10 @@ test_stdio:
 	go mod tidy && \
 	go test -v -tags "$(TAGS_TEST),force_stdio" .
 
-android:
+lib_android:
 	go run ./cmd/internal/build_libbox -target android
 
-ios:
+lib_ios:
 	go run ./cmd/internal/build_libbox -target ios
 
 lib:

adapter/experimental.go

@@ -12,6 +12,7 @@ type ClashServer interface {
 	Service
 	PreStarter
 	Mode() string
+	ModeList() []string
 	StoreSelected() bool
 	StoreFakeIP() bool
 	CacheFile() ClashCacheFile
@@ -21,6 +22,8 @@ type ClashServer interface {
 }
 
 type ClashCacheFile interface {
+	LoadMode() string
+	StoreMode(mode string) error
 	LoadSelected(group string) string
 	StoreSelected(group string, selected string) error
 	LoadGroupExpand(group string) (isExpand bool, loaded bool)

adapter/router.go

@@ -10,6 +10,7 @@ import (
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing/common/control"
 	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/service"
 
 	mdns "github.com/miekg/dns"
 )
@@ -32,6 +33,7 @@ type Router interface {
 	Exchange(ctx context.Context, message *mdns.Msg) (*mdns.Msg, error)
 	Lookup(ctx context.Context, domain string, strategy dns.DomainStrategy) ([]netip.Addr, error)
 	LookupDefault(ctx context.Context, domain string) ([]netip.Addr, error)
+	ClearDNSCache()
 
 	InterfaceFinder() control.InterfaceFinder
 	UpdateInterfaces() error
@@ -44,8 +46,6 @@ type Router interface {
 	PackageManager() tun.PackageManager
 	Rules() []Rule
 
-	TimeService
-
 	ClashServer() ClashServer
 	SetClashServer(server ClashServer)
 
@@ -55,18 +55,12 @@ type Router interface {
 	ResetNetwork() error
 }
 
-type routerContextKey struct{}
-
 func ContextWithRouter(ctx context.Context, router Router) context.Context {
-	return context.WithValue(ctx, (*routerContextKey)(nil), router)
+	return service.ContextWith(ctx, router)
 }
 
 func RouterFromContext(ctx context.Context) Router {
-	metadata := ctx.Value((*routerContextKey)(nil))
-	if metadata == nil {
-		return nil
-	}
-	return metadata.(Router)
+	return service.FromContext[Router](ctx)
 }
 
 type Rule interface {

box.go

@@ -19,6 +19,7 @@ import (
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
+	"github.com/sagernet/sing/service"
 	"github.com/sagernet/sing/service/pause"
 )
 
@@ -47,6 +48,7 @@ func New(options Options) (*Box, error) {
 	if ctx == nil {
 		ctx = context.Background()
 	}
+	ctx = service.ContextWithDefaultRegistry(ctx)
 	ctx = pause.ContextWithDefaultManager(ctx)
 	createdAt := time.Now()
 	experimentalOptions := common.PtrValueOrDefault(options.Experimental)
@@ -145,7 +147,9 @@ func New(options Options) (*Box, error) {
 	preServices := make(map[string]adapter.Service)
 	postServices := make(map[string]adapter.Service)
 	if needClashAPI {
-		clashServer, err := experimental.NewClashServer(ctx, router, logFactory.(log.ObservableFactory), common.PtrValueOrDefault(experimentalOptions.ClashAPI))
+		clashAPIOptions := common.PtrValueOrDefault(experimentalOptions.ClashAPI)
+		clashAPIOptions.ModeList = experimental.CalculateClashModeList(options.Options)
+		clashServer, err := experimental.NewClashServer(ctx, router, logFactory.(log.ObservableFactory), clashAPIOptions)
 		if err != nil {
 			return nil, E.Cause(err, "create clash api server")
 		}

cmd/internal/build_shared/tag.go

@@ -2,6 +2,7 @@ package build_shared
 
 import (
 	"github.com/sagernet/sing-box/common/badversion"
+	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/shell"
 )
 
@@ -21,3 +22,15 @@ func ReadTag() (string, error) {
 	}
 	return version.String() + "-" + shortCommit, nil
 }
+
+func ReadTagVersion() (badversion.Version, error) {
+	currentTag := common.Must1(shell.Exec("git", "describe", "--tags").ReadOutput())
+	currentTagRev := common.Must1(shell.Exec("git", "describe", "--tags", "--abbrev=0").ReadOutput())
+	version := badversion.Parse(currentTagRev[1:])
+	if currentTagRev != currentTag {
+		if version.PreReleaseIdentifier == "" {
+			version.Patch++
+		}
+	}
+	return version, nil
+}

cmd/internal/update_android_version/main.go

@@ -0,0 +1,51 @@
+package main
+
+import (
+	"os"
+	"path/filepath"
+	"strconv"
+	"strings"
+
+	"github.com/sagernet/sing-box/cmd/internal/build_shared"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common"
+)
+
+func main() {
+	newVersion := common.Must1(build_shared.ReadTagVersion())
+	androidPath, err := filepath.Abs("../sing-box-for-android")
+	if err != nil {
+		log.Fatal(err)
+	}
+	common.Must(os.Chdir(androidPath))
+	localProps := common.Must1(os.ReadFile("local.properties"))
+	var propsList [][]string
+	for _, propLine := range strings.Split(string(localProps), "\n") {
+		propsList = append(propsList, strings.Split(propLine, "="))
+	}
+	for _, propPair := range propsList {
+		if propPair[0] == "VERSION_NAME" {
+			if propPair[1] == newVersion.String() {
+				log.Info("version not changed")
+				return
+			}
+			propPair[1] = newVersion.String()
+			log.Info("updated version to ", newVersion.String())
+		}
+	}
+	for _, propPair := range propsList {
+		switch propPair[0] {
+		case "VERSION_CODE":
+			versionCode := common.Must1(strconv.ParseInt(propPair[1], 10, 64))
+			propPair[1] = strconv.Itoa(int(versionCode + 1))
+			log.Info("updated version code to ", propPair[1])
+		case "RELEASE_NOTES":
+			propPair[1] = "sing-box " + newVersion.String()
+		}
+	}
+	var newProps []string
+	for _, propPair := range propsList {
+		newProps = append(newProps, strings.Join(propPair, "="))
+	}
+	common.Must(os.WriteFile("local.properties", []byte(strings.Join(newProps, "\n")), 0o644))
+}

cmd/internal/update_apple_version/main.go

@@ -0,0 +1,80 @@
+package main
+
+import (
+	"os"
+	"path/filepath"
+	"regexp"
+	"strings"
+
+	"github.com/sagernet/sing-box/cmd/internal/build_shared"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common"
+
+	"howett.net/plist"
+)
+
+func main() {
+	newVersion := common.Must1(build_shared.ReadTagVersion())
+	applePath, err := filepath.Abs("../sing-box-for-apple")
+	if err != nil {
+		log.Fatal(err)
+	}
+	common.Must(os.Chdir(applePath))
+	projectFile := common.Must1(os.Open("sing-box.xcodeproj/project.pbxproj"))
+	var project map[string]any
+	decoder := plist.NewDecoder(projectFile)
+	common.Must(decoder.Decode(&project))
+	objectsMap := project["objects"].(map[string]any)
+	projectContent := string(common.Must1(os.ReadFile("sing-box.xcodeproj/project.pbxproj")))
+	newContent, updated0 := findAndReplace(objectsMap, projectContent, []string{"io.nekohasekai.sfa"}, newVersion.VersionString())
+	newContent, updated1 := findAndReplace(objectsMap, newContent, []string{"io.nekohasekai.sfa.independent", "io.nekohasekai.sfa.system"}, newVersion.String())
+	if updated0 || updated1 {
+		log.Info("updated version to ", newVersion.VersionString())
+		common.Must(os.WriteFile("sing-box.xcodeproj/project.pbxproj.bak", []byte(projectContent), 0o644))
+		common.Must(os.WriteFile("sing-box.xcodeproj/project.pbxproj", []byte(newContent), 0o644))
+	} else {
+		log.Info("version not changed")
+	}
+}
+
+func findAndReplace(objectsMap map[string]any, projectContent string, bundleIDList []string, newVersion string) (string, bool) {
+	objectKeyList := findObjectKey(objectsMap, bundleIDList)
+	var updated bool
+	for _, objectKey := range objectKeyList {
+		matchRegexp := common.Must1(regexp.Compile(objectKey + ".*= \\{"))
+		indexes := matchRegexp.FindStringIndex(projectContent)
+		if len(indexes) < 2 {
+			println(projectContent)
+			log.Fatal("failed to find object key ", objectKey, ": ", strings.Index(projectContent, objectKey))
+		}
+		indexStart := indexes[1]
+		indexEnd := indexStart + strings.Index(projectContent[indexStart:], "}")
+		versionStart := indexStart + strings.Index(projectContent[indexStart:indexEnd], "MARKETING_VERSION = ") + 20
+		versionEnd := versionStart + strings.Index(projectContent[versionStart:indexEnd], ";")
+		version := projectContent[versionStart:versionEnd]
+		if version == newVersion {
+			continue
+		}
+		updated = true
+		projectContent = projectContent[:versionStart] + newVersion + projectContent[versionEnd:]
+	}
+	return projectContent, updated
+}
+
+func findObjectKey(objectsMap map[string]any, bundleIDList []string) []string {
+	var objectKeyList []string
+	for objectKey, object := range objectsMap {
+		buildSettings := object.(map[string]any)["buildSettings"]
+		if buildSettings == nil {
+			continue
+		}
+		bundleIDObject := buildSettings.(map[string]any)["PRODUCT_BUNDLE_IDENTIFIER"]
+		if bundleIDObject == nil {
+			continue
+		}
+		if common.Contains(bundleIDList, bundleIDObject.(string)) {
+			objectKeyList = append(objectKeyList, objectKey)
+		}
+	}
+	return objectKeyList
+}

cmd/sing-box/cmd_generate_ech.go

@@ -0,0 +1,39 @@
+package main
+
+import (
+	"os"
+
+	"github.com/sagernet/sing-box/common/tls"
+	"github.com/sagernet/sing-box/log"
+
+	"github.com/spf13/cobra"
+)
+
+var pqSignatureSchemesEnabled bool
+
+var commandGenerateECHKeyPair = &cobra.Command{
+	Use:   "ech-keypair <plain_server_name>",
+	Short: "Generate TLS ECH key pair",
+	Args:  cobra.ExactArgs(1),
+	Run: func(cmd *cobra.Command, args []string) {
+		err := generateECHKeyPair(args[0])
+		if err != nil {
+			log.Fatal(err)
+		}
+	},
+}
+
+func init() {
+	commandGenerateECHKeyPair.Flags().BoolVar(&pqSignatureSchemesEnabled, "pq-signature-schemes-enabled", false, "Enable PQ signature schemes")
+	commandGenerate.AddCommand(commandGenerateECHKeyPair)
+}
+
+func generateECHKeyPair(serverName string) error {
+	configPem, keyPem, err := tls.ECHKeygenDefault(serverName, pqSignatureSchemesEnabled)
+	if err != nil {
+		return err
+	}
+	os.Stdout.WriteString(configPem)
+	os.Stdout.WriteString(keyPem)
+	return nil
+}

common/badversion/version.go

@@ -57,6 +57,10 @@ func (v Version) After(anotherVersion Version) bool {
 	return false
 }
 
+func (v Version) VersionString() string {
+	return F.ToString(v.Major, ".", v.Minor, ".", v.Patch)
+}
+
 func (v Version) String() string {
 	version := F.ToString(v.Major, ".", v.Minor, ".", v.Patch)
 	if v.PreReleaseIdentifier != "" {

common/qtls/wrapper.go

@@ -0,0 +1,120 @@
+package qtls
+
+import (
+	"context"
+	"crypto/tls"
+	"net"
+	"net/http"
+
+	"github.com/sagernet/quic-go"
+	"github.com/sagernet/quic-go/http3"
+	M "github.com/sagernet/sing/common/metadata"
+	aTLS "github.com/sagernet/sing/common/tls"
+)
+
+type QUICConfig interface {
+	Dial(ctx context.Context, conn net.PacketConn, addr net.Addr, config *quic.Config) (quic.Connection, error)
+	DialEarly(ctx context.Context, conn net.PacketConn, addr net.Addr, config *quic.Config) (quic.EarlyConnection, error)
+	CreateTransport(conn net.PacketConn, quicConnPtr *quic.EarlyConnection, serverAddr M.Socksaddr, quicConfig *quic.Config, enableDatagrams bool) http.RoundTripper
+}
+
+type QUICServerConfig interface {
+	Listen(conn net.PacketConn, config *quic.Config) (QUICListener, error)
+	ListenEarly(conn net.PacketConn, config *quic.Config) (QUICEarlyListener, error)
+	ConfigureHTTP3()
+}
+
+type QUICListener interface {
+	Accept(ctx context.Context) (quic.Connection, error)
+	Close() error
+	Addr() net.Addr
+}
+
+type QUICEarlyListener interface {
+	Accept(ctx context.Context) (quic.EarlyConnection, error)
+	Close() error
+	Addr() net.Addr
+}
+
+func Dial(ctx context.Context, conn net.PacketConn, addr net.Addr, config aTLS.Config, quicConfig *quic.Config) (quic.Connection, error) {
+	if quicTLSConfig, isQUICConfig := config.(QUICConfig); isQUICConfig {
+		return quicTLSConfig.Dial(ctx, conn, addr, quicConfig)
+	}
+	tlsConfig, err := config.Config()
+	if err != nil {
+		return nil, err
+	}
+	return quic.Dial(ctx, conn, addr, tlsConfig, quicConfig)
+}
+
+func DialEarly(ctx context.Context, conn net.PacketConn, addr net.Addr, config aTLS.Config, quicConfig *quic.Config) (quic.EarlyConnection, error) {
+	if quicTLSConfig, isQUICConfig := config.(QUICConfig); isQUICConfig {
+		return quicTLSConfig.DialEarly(ctx, conn, addr, quicConfig)
+	}
+	tlsConfig, err := config.Config()
+	if err != nil {
+		return nil, err
+	}
+	return quic.DialEarly(ctx, conn, addr, tlsConfig, quicConfig)
+}
+
+func CreateTransport(conn net.PacketConn, quicConnPtr *quic.EarlyConnection, serverAddr M.Socksaddr, config aTLS.Config, quicConfig *quic.Config, enableDatagrams bool) (http.RoundTripper, error) {
+	if quicTLSConfig, isQUICConfig := config.(QUICConfig); isQUICConfig {
+		return quicTLSConfig.CreateTransport(conn, quicConnPtr, serverAddr, quicConfig, enableDatagrams), nil
+	}
+	tlsConfig, err := config.Config()
+	if err != nil {
+		return nil, err
+	}
+	return &http3.RoundTripper{
+		TLSClientConfig: tlsConfig,
+		QuicConfig:      quicConfig,
+		EnableDatagrams: enableDatagrams,
+		Dial: func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (quic.EarlyConnection, error) {
+			quicConn, err := quic.DialEarly(ctx, conn, serverAddr.UDPAddr(), tlsCfg, cfg)
+			if err != nil {
+				return nil, err
+			}
+			*quicConnPtr = quicConn
+			return quicConn, nil
+		},
+	}, nil
+}
+
+func Listen(conn net.PacketConn, config aTLS.ServerConfig, quicConfig *quic.Config) (QUICListener, error) {
+	if quicTLSConfig, isQUICConfig := config.(QUICServerConfig); isQUICConfig {
+		return quicTLSConfig.Listen(conn, quicConfig)
+	}
+	tlsConfig, err := config.Config()
+	if err != nil {
+		return nil, err
+	}
+	return quic.Listen(conn, tlsConfig, quicConfig)
+}
+
+func ListenEarly(conn net.PacketConn, config aTLS.ServerConfig, quicConfig *quic.Config) (QUICEarlyListener, error) {
+	if quicTLSConfig, isQUICConfig := config.(QUICServerConfig); isQUICConfig {
+		return quicTLSConfig.ListenEarly(conn, quicConfig)
+	}
+	tlsConfig, err := config.Config()
+	if err != nil {
+		return nil, err
+	}
+	return quic.ListenEarly(conn, tlsConfig, quicConfig)
+}
+
+func ConfigureHTTP3(config aTLS.ServerConfig) error {
+	if len(config.NextProtos()) == 0 {
+		config.SetNextProtos([]string{http3.NextProtoH3})
+	}
+	if quicTLSConfig, isQUICConfig := config.(QUICServerConfig); isQUICConfig {
+		quicTLSConfig.ConfigureHTTP3()
+		return nil
+	}
+	tlsConfig, err := config.Config()
+	if err != nil {
+		return err
+	}
+	http3.ConfigureTLSConfig(tlsConfig)
+	return nil
+}

common/settings/proxy_linux.go

@@ -16,10 +16,12 @@ import (
 
 var (
 	hasGSettings bool
+	isKDE5       bool
 	sudoUser     string
 )
 
 func init() {
+	isKDE5 = common.Error(exec.LookPath("kwriteconfig5")) == nil
 	hasGSettings = common.Error(exec.LookPath("gsettings")) == nil
 	if os.Getuid() == 0 {
 		sudoUser = os.Getenv("SUDO_USER")
@@ -37,32 +39,61 @@ func runAsUser(name string, args ...string) error {
 }
 
 func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
-	if !hasGSettings {
-		return nil, E.New("unsupported desktop environment")
+	if hasGSettings {
+		err := runAsUser("gsettings", "set", "org.gnome.system.proxy.http", "enabled", "true")
+		if err != nil {
+			return nil, err
+		}
+		if isMixed {
+			err = setGnomeProxy(port, "ftp", "http", "https", "socks")
+		} else {
+			err = setGnomeProxy(port, "http", "https")
+		}
+		if err != nil {
+			return nil, err
+		}
+		err = runAsUser("gsettings", "set", "org.gnome.system.proxy", "use-same-proxy", F.ToString(isMixed))
+		if err != nil {
+			return nil, err
+		}
+		err = runAsUser("gsettings", "set", "org.gnome.system.proxy", "mode", "manual")
+		if err != nil {
+			return nil, err
+		}
+		return func() error {
+			return runAsUser("gsettings", "set", "org.gnome.system.proxy", "mode", "none")
+		}, nil
 	}
-	err := runAsUser("gsettings", "set", "org.gnome.system.proxy.http", "enabled", "true")
-	if err != nil {
-		return nil, err
+	if isKDE5 {
+		err := runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "'Proxy Settings'", "--key", "ProxyType", "1")
+		if err != nil {
+			return nil, err
+		}
+		if isMixed {
+			err = setKDEProxy(port, "ftp", "http", "https", "socks")
+		} else {
+			err = setKDEProxy(port, "http", "https")
+		}
+		if err != nil {
+			return nil, err
+		}
+		err = runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "'Proxy Settings'", "--key", "Authmode", "0")
+		if err != nil {
+			return nil, err
+		}
+		err = runAsUser("dbus-send", "--type=signal", "/KIO/Scheduler", "org.kde.KIO.Scheduler.reparseSlaveConfiguration", "string:''")
+		if err != nil {
+			return nil, err
+		}
+		return func() error {
+			err = runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "'Proxy Settings'", "--key", "ProxyType", "0")
+			if err != nil {
+				return err
+			}
+			return runAsUser("dbus-send", "--type=signal", "/KIO/Scheduler", "org.kde.KIO.Scheduler.reparseSlaveConfiguration", "string:''")
+		}, nil
 	}
-	if isMixed {
-		err = setGnomeProxy(port, "ftp", "http", "https", "socks")
-	} else {
-		err = setGnomeProxy(port, "http", "https")
-	}
-	if err != nil {
-		return nil, err
-	}
-	err = runAsUser("gsettings", "set", "org.gnome.system.proxy", "use-same-proxy", F.ToString(isMixed))
-	if err != nil {
-		return nil, err
-	}
-	err = runAsUser("gsettings", "set", "org.gnome.system.proxy", "mode", "manual")
-	if err != nil {
-		return nil, err
-	}
-	return func() error {
-		return runAsUser("gsettings", "set", "org.gnome.system.proxy", "mode", "none")
-	}, nil
+	return nil, E.New("unsupported desktop environment")
 }
 
 func setGnomeProxy(port uint16, proxyTypes ...string) error {
@@ -78,3 +109,27 @@ func setGnomeProxy(port uint16, proxyTypes ...string) error {
 	}
 	return nil
 }
+
+func setKDEProxy(port uint16, proxyTypes ...string) error {
+	for _, proxyType := range proxyTypes {
+		var proxyUrl string
+		if proxyType == "socks" {
+			proxyUrl = "socks://127.0.0.1:" + F.ToString(port)
+		} else {
+			proxyUrl = "http://127.0.0.1:" + F.ToString(port)
+		}
+		err := runAsUser(
+			"kwriteconfig5",
+			"--file",
+			"kioslaverc",
+			"--group",
+			"'Proxy Settings'",
+			"--key", proxyType+"Proxy",
+			proxyUrl,
+		)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}

common/sniff/sniff.go

@@ -22,23 +22,29 @@ func PeekStream(ctx context.Context, conn net.Conn, buffer *buf.Buffer, timeout
 	if timeout == 0 {
 		timeout = C.ReadPayloadTimeout
 	}
-	err := conn.SetReadDeadline(time.Now().Add(timeout))
-	if err != nil {
-		return nil, E.Cause(err, "set read deadline")
-	}
-	_, err = buffer.ReadOnceFrom(conn)
-	err = E.Errors(err, conn.SetReadDeadline(time.Time{}))
-	if err != nil {
-		return nil, E.Cause(err, "read payload")
-	}
-	var metadata *adapter.InboundContext
+	deadline := time.Now().Add(timeout)
 	var errors []error
-	for _, sniffer := range sniffers {
-		metadata, err = sniffer(ctx, bytes.NewReader(buffer.Bytes()))
-		if metadata != nil {
-			return metadata, nil
+
+	for i := 0; i < 3; i++ {
+		err := conn.SetReadDeadline(deadline)
+		if err != nil {
+			return nil, E.Cause(err, "set read deadline")
+		}
+		_, err = buffer.ReadOnceFrom(conn)
+		err = E.Errors(err, conn.SetReadDeadline(time.Time{}))
+		if err != nil {
+			if i > 0 {
+				break
+			}
+			return nil, E.Cause(err, "read payload")
+		}
+		for _, sniffer := range sniffers {
+			metadata, err := sniffer(ctx, bytes.NewReader(buffer.Bytes()))
+			if metadata != nil {
+				return metadata, nil
+			}
+			errors = append(errors, err)
 		}
-		errors = append(errors, err)
 	}
 	return nil, E.Errors(errors...)
 }

common/tls/client.go

@@ -13,29 +13,29 @@ import (
 	aTLS "github.com/sagernet/sing/common/tls"
 )
 
-func NewDialerFromOptions(router adapter.Router, dialer N.Dialer, serverAddress string, options option.OutboundTLSOptions) (N.Dialer, error) {
+func NewDialerFromOptions(ctx context.Context, router adapter.Router, dialer N.Dialer, serverAddress string, options option.OutboundTLSOptions) (N.Dialer, error) {
 	if !options.Enabled {
 		return dialer, nil
 	}
-	config, err := NewClient(router, serverAddress, options)
+	config, err := NewClient(ctx, serverAddress, options)
 	if err != nil {
 		return nil, err
 	}
 	return NewDialer(dialer, config), nil
 }
 
-func NewClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	if !options.Enabled {
 		return nil, nil
 	}
 	if options.ECH != nil && options.ECH.Enabled {
-		return NewECHClient(router, serverAddress, options)
+		return NewECHClient(ctx, serverAddress, options)
 	} else if options.Reality != nil && options.Reality.Enabled {
-		return NewRealityClient(router, serverAddress, options)
+		return NewRealityClient(ctx, serverAddress, options)
 	} else if options.UTLS != nil && options.UTLS.Enabled {
-		return NewUTLSClient(router, serverAddress, options)
+		return NewUTLSClient(ctx, serverAddress, options)
 	} else {
-		return NewSTDClient(router, serverAddress, options)
+		return NewSTDClient(ctx, serverAddress, options)
 	}
 }
 

common/tls/ech_client.go

@@ -7,50 +7,53 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/base64"
+	"encoding/pem"
 	"net"
 	"net/netip"
 	"os"
+	"strings"
 
 	cftls "github.com/sagernet/cloudflare-tls"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-dns"
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/ntp"
 
 	mDNS "github.com/miekg/dns"
 )
 
-type ECHClientConfig struct {
+type echClientConfig struct {
 	config *cftls.Config
 }
 
-func (e *ECHClientConfig) ServerName() string {
-	return e.config.ServerName
+func (c *echClientConfig) ServerName() string {
+	return c.config.ServerName
 }
 
-func (e *ECHClientConfig) SetServerName(serverName string) {
-	e.config.ServerName = serverName
+func (c *echClientConfig) SetServerName(serverName string) {
+	c.config.ServerName = serverName
 }
 
-func (e *ECHClientConfig) NextProtos() []string {
-	return e.config.NextProtos
+func (c *echClientConfig) NextProtos() []string {
+	return c.config.NextProtos
 }
 
-func (e *ECHClientConfig) SetNextProtos(nextProto []string) {
-	e.config.NextProtos = nextProto
+func (c *echClientConfig) SetNextProtos(nextProto []string) {
+	c.config.NextProtos = nextProto
 }
 
-func (e *ECHClientConfig) Config() (*STDConfig, error) {
+func (c *echClientConfig) Config() (*STDConfig, error) {
 	return nil, E.New("unsupported usage for ECH")
 }
 
-func (e *ECHClientConfig) Client(conn net.Conn) (Conn, error) {
-	return &echConnWrapper{cftls.Client(conn, e.config)}, nil
+func (c *echClientConfig) Client(conn net.Conn) (Conn, error) {
+	return &echConnWrapper{cftls.Client(conn, c.config)}, nil
 }
 
-func (e *ECHClientConfig) Clone() Config {
-	return &ECHClientConfig{
-		config: e.config.Clone(),
+func (c *echClientConfig) Clone() Config {
+	return &echClientConfig{
+		config: c.config.Clone(),
 	}
 }
 
@@ -80,7 +83,7 @@ func (c *echConnWrapper) Upstream() any {
 	return c.Conn
 }
 
-func NewECHClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewECHClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	var serverName string
 	if options.ServerName != "" {
 		serverName = options.ServerName
@@ -94,7 +97,7 @@ func NewECHClient(router adapter.Router, serverAddress string, options option.Ou
 	}
 
 	var tlsConfig cftls.Config
-	tlsConfig.Time = router.TimeFunc()
+	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
 	if options.DisableSNI {
 		tlsConfig.ServerName = "127.0.0.1"
 	} else {
@@ -168,24 +171,36 @@ func NewECHClient(router adapter.Router, serverAddress string, options option.Ou
 	tlsConfig.ECHEnabled = true
 	tlsConfig.PQSignatureSchemesEnabled = options.ECH.PQSignatureSchemesEnabled
 	tlsConfig.DynamicRecordSizingDisabled = options.ECH.DynamicRecordSizingDisabled
-	if options.ECH.Config != "" {
-		clientConfigContent, err := base64.StdEncoding.DecodeString(options.ECH.Config)
+
+	var echConfig []byte
+	if len(options.ECH.Config) > 0 {
+		echConfig = []byte(strings.Join(options.ECH.Config, "\n"))
+	} else if options.ECH.ConfigPath != "" {
+		content, err := os.ReadFile(options.ECH.ConfigPath)
 		if err != nil {
-			return nil, err
+			return nil, E.Cause(err, "read key")
 		}
-		clientConfig, err := cftls.UnmarshalECHConfigs(clientConfigContent)
-		if err != nil {
-			return nil, err
-		}
-		tlsConfig.ClientECHConfigs = clientConfig
-	} else {
-		tlsConfig.GetClientECHConfigs = fetchECHClientConfig(router)
+		echConfig = content
 	}
-	return &ECHClientConfig{&tlsConfig}, nil
+
+	if len(echConfig) > 0 {
+		block, rest := pem.Decode(echConfig)
+		if block == nil || block.Type != "ECH CONFIGS" || len(rest) > 0 {
+			return nil, E.New("invalid ECH configs pem")
+		}
+		echConfigs, err := cftls.UnmarshalECHConfigs(block.Bytes)
+		if err != nil {
+			return nil, E.Cause(err, "parse ECH configs")
+		}
+		tlsConfig.ClientECHConfigs = echConfigs
+	} else {
+		tlsConfig.GetClientECHConfigs = fetchECHClientConfig(ctx)
+	}
+	return &echClientConfig{&tlsConfig}, nil
 }
 
-func fetchECHClientConfig(router adapter.Router) func(ctx context.Context, serverName string) ([]cftls.ECHConfig, error) {
-	return func(ctx context.Context, serverName string) ([]cftls.ECHConfig, error) {
+func fetchECHClientConfig(ctx context.Context) func(_ context.Context, serverName string) ([]cftls.ECHConfig, error) {
+	return func(_ context.Context, serverName string) ([]cftls.ECHConfig, error) {
 		message := &mDNS.Msg{
 			MsgHdr: mDNS.MsgHdr{
 				RecursionDesired: true,
@@ -198,7 +213,7 @@ func fetchECHClientConfig(router adapter.Router) func(ctx context.Context, serve
 				},
 			},
 		}
-		response, err := router.Exchange(ctx, message)
+		response, err := adapter.RouterFromContext(ctx).Exchange(ctx, message)
 		if err != nil {
 			return nil, err
 		}

common/tls/ech_keygen.go

@@ -0,0 +1,169 @@
+//go:build with_ech
+
+package tls
+
+import (
+	"bytes"
+	"encoding/binary"
+	"encoding/pem"
+
+	cftls "github.com/sagernet/cloudflare-tls"
+	E "github.com/sagernet/sing/common/exceptions"
+
+	"github.com/cloudflare/circl/hpke"
+	"github.com/cloudflare/circl/kem"
+)
+
+func ECHKeygenDefault(serverName string, pqSignatureSchemesEnabled bool) (configPem string, keyPem string, err error) {
+	cipherSuites := []echCipherSuite{
+		{
+			kdf:  hpke.KDF_HKDF_SHA256,
+			aead: hpke.AEAD_AES128GCM,
+		}, {
+			kdf:  hpke.KDF_HKDF_SHA256,
+			aead: hpke.AEAD_ChaCha20Poly1305,
+		},
+	}
+
+	keyConfig := []myECHKeyConfig{
+		{id: 0, kem: hpke.KEM_X25519_HKDF_SHA256},
+	}
+	if pqSignatureSchemesEnabled {
+		keyConfig = append(keyConfig, myECHKeyConfig{id: 1, kem: hpke.KEM_X25519_KYBER768_DRAFT00})
+	}
+
+	keyPairs, err := echKeygen(0xfe0d, serverName, keyConfig, cipherSuites)
+	if err != nil {
+		return
+	}
+
+	var configBuffer bytes.Buffer
+	var totalLen uint16
+	for _, keyPair := range keyPairs {
+		totalLen += uint16(len(keyPair.rawConf))
+	}
+	binary.Write(&configBuffer, binary.BigEndian, totalLen)
+	for _, keyPair := range keyPairs {
+		configBuffer.Write(keyPair.rawConf)
+	}
+
+	var keyBuffer bytes.Buffer
+	for _, keyPair := range keyPairs {
+		keyBuffer.Write(keyPair.rawKey)
+	}
+
+	configPem = string(pem.EncodeToMemory(&pem.Block{Type: "ECH CONFIGS", Bytes: configBuffer.Bytes()}))
+	keyPem = string(pem.EncodeToMemory(&pem.Block{Type: "ECH KEYS", Bytes: keyBuffer.Bytes()}))
+	return
+}
+
+type echKeyConfigPair struct {
+	id      uint8
+	key     cftls.EXP_ECHKey
+	rawKey  []byte
+	conf    myECHKeyConfig
+	rawConf []byte
+}
+
+type echCipherSuite struct {
+	kdf  hpke.KDF
+	aead hpke.AEAD
+}
+
+type myECHKeyConfig struct {
+	id   uint8
+	kem  hpke.KEM
+	seed []byte
+}
+
+func echKeygen(version uint16, serverName string, conf []myECHKeyConfig, suite []echCipherSuite) ([]echKeyConfigPair, error) {
+	be := binary.BigEndian
+	// prepare for future update
+	if version != 0xfe0d {
+		return nil, E.New("unsupported ECH version", version)
+	}
+
+	suiteBuf := make([]byte, 0, len(suite)*4+2)
+	suiteBuf = be.AppendUint16(suiteBuf, uint16(len(suite))*4)
+	for _, s := range suite {
+		if !s.kdf.IsValid() || !s.aead.IsValid() {
+			return nil, E.New("invalid HPKE cipher suite")
+		}
+		suiteBuf = be.AppendUint16(suiteBuf, uint16(s.kdf))
+		suiteBuf = be.AppendUint16(suiteBuf, uint16(s.aead))
+	}
+
+	pairs := []echKeyConfigPair{}
+	for _, c := range conf {
+		pair := echKeyConfigPair{}
+		pair.id = c.id
+		pair.conf = c
+
+		if !c.kem.IsValid() {
+			return nil, E.New("invalid HPKE KEM")
+		}
+
+		kpGenerator := c.kem.Scheme().GenerateKeyPair
+		if len(c.seed) > 0 {
+			kpGenerator = func() (kem.PublicKey, kem.PrivateKey, error) {
+				pub, sec := c.kem.Scheme().DeriveKeyPair(c.seed)
+				return pub, sec, nil
+			}
+			if len(c.seed) < c.kem.Scheme().PrivateKeySize() {
+				return nil, E.New("HPKE KEM seed too short")
+			}
+		}
+
+		pub, sec, err := kpGenerator()
+		if err != nil {
+			return nil, E.Cause(err, "generate ECH config key pair")
+		}
+		b := []byte{}
+		b = be.AppendUint16(b, version)
+		b = be.AppendUint16(b, 0) // length field
+		// contents
+		// key config
+		b = append(b, c.id)
+		b = be.AppendUint16(b, uint16(c.kem))
+		pubBuf, err := pub.MarshalBinary()
+		if err != nil {
+			return nil, E.Cause(err, "serialize ECH public key")
+		}
+		b = be.AppendUint16(b, uint16(len(pubBuf)))
+		b = append(b, pubBuf...)
+
+		b = append(b, suiteBuf...)
+		// end key config
+		// max name len, not supported
+		b = append(b, 0)
+		// server name
+		b = append(b, byte(len(serverName)))
+		b = append(b, []byte(serverName)...)
+		// extensions, not supported
+		b = be.AppendUint16(b, 0)
+
+		be.PutUint16(b[2:], uint16(len(b)-4))
+
+		pair.rawConf = b
+
+		secBuf, err := sec.MarshalBinary()
+		sk := []byte{}
+		sk = be.AppendUint16(sk, uint16(len(secBuf)))
+		sk = append(sk, secBuf...)
+		sk = be.AppendUint16(sk, uint16(len(b)))
+		sk = append(sk, b...)
+
+		cfECHKeys, err := cftls.EXP_UnmarshalECHKeys(sk)
+		if err != nil {
+			return nil, E.Cause(err, "bug: can't parse generated ECH server key")
+		}
+		if len(cfECHKeys) != 1 {
+			return nil, E.New("bug: unexpected server key count")
+		}
+		pair.key = cfECHKeys[0]
+		pair.rawKey = sk
+
+		pairs = append(pairs, pair)
+	}
+	return pairs, nil
+}

common/tls/ech_quic.go

@@ -0,0 +1,56 @@
+//go:build with_quic && with_ech
+
+package tls
+
+import (
+	"context"
+	"net"
+	"net/http"
+
+	"github.com/sagernet/cloudflare-tls"
+	"github.com/sagernet/quic-go/ech"
+	"github.com/sagernet/quic-go/http3_ech"
+	"github.com/sagernet/sing-box/common/qtls"
+	M "github.com/sagernet/sing/common/metadata"
+)
+
+var (
+	_ qtls.QUICConfig       = (*echClientConfig)(nil)
+	_ qtls.QUICServerConfig = (*echServerConfig)(nil)
+)
+
+func (c *echClientConfig) Dial(ctx context.Context, conn net.PacketConn, addr net.Addr, config *quic.Config) (quic.Connection, error) {
+	return quic.Dial(ctx, conn, addr, c.config, config)
+}
+
+func (c *echClientConfig) DialEarly(ctx context.Context, conn net.PacketConn, addr net.Addr, config *quic.Config) (quic.EarlyConnection, error) {
+	return quic.DialEarly(ctx, conn, addr, c.config, config)
+}
+
+func (c *echClientConfig) CreateTransport(conn net.PacketConn, quicConnPtr *quic.EarlyConnection, serverAddr M.Socksaddr, quicConfig *quic.Config, enableDatagrams bool) http.RoundTripper {
+	return &http3.RoundTripper{
+		TLSClientConfig: c.config,
+		QuicConfig:      quicConfig,
+		EnableDatagrams: enableDatagrams,
+		Dial: func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (quic.EarlyConnection, error) {
+			quicConn, err := quic.DialEarly(ctx, conn, serverAddr.UDPAddr(), tlsCfg, cfg)
+			if err != nil {
+				return nil, err
+			}
+			*quicConnPtr = quicConn
+			return quicConn, nil
+		},
+	}
+}
+
+func (c *echServerConfig) Listen(conn net.PacketConn, config *quic.Config) (qtls.QUICListener, error) {
+	return quic.Listen(conn, c.config, config)
+}
+
+func (c *echServerConfig) ListenEarly(conn net.PacketConn, config *quic.Config) (qtls.QUICEarlyListener, error) {
+	return quic.ListenEarly(conn, c.config, config)
+}
+
+func (c *echServerConfig) ConfigureHTTP3() {
+	http3.ConfigureTLSConfig(c.config)
+}

common/tls/ech_server.go

@@ -0,0 +1,343 @@
+//go:build with_ech
+
+package tls
+
+import (
+	"context"
+	"crypto/tls"
+	"encoding/pem"
+	"net"
+	"os"
+	"strings"
+
+	cftls "github.com/sagernet/cloudflare-tls"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/ntp"
+
+	"github.com/fsnotify/fsnotify"
+)
+
+type echServerConfig struct {
+	config          *cftls.Config
+	logger          log.Logger
+	certificate     []byte
+	key             []byte
+	certificatePath string
+	keyPath         string
+	watcher         *fsnotify.Watcher
+	echKeyPath      string
+	echWatcher      *fsnotify.Watcher
+}
+
+func (c *echServerConfig) ServerName() string {
+	return c.config.ServerName
+}
+
+func (c *echServerConfig) SetServerName(serverName string) {
+	c.config.ServerName = serverName
+}
+
+func (c *echServerConfig) NextProtos() []string {
+	return c.config.NextProtos
+}
+
+func (c *echServerConfig) SetNextProtos(nextProto []string) {
+	c.config.NextProtos = nextProto
+}
+
+func (c *echServerConfig) Config() (*STDConfig, error) {
+	return nil, E.New("unsupported usage for ECH")
+}
+
+func (c *echServerConfig) Client(conn net.Conn) (Conn, error) {
+	return &echConnWrapper{cftls.Client(conn, c.config)}, nil
+}
+
+func (c *echServerConfig) Server(conn net.Conn) (Conn, error) {
+	return &echConnWrapper{cftls.Server(conn, c.config)}, nil
+}
+
+func (c *echServerConfig) Clone() Config {
+	return &echServerConfig{
+		config: c.config.Clone(),
+	}
+}
+
+func (c *echServerConfig) Start() error {
+	if c.certificatePath != "" && c.keyPath != "" {
+		err := c.startWatcher()
+		if err != nil {
+			c.logger.Warn("create fsnotify watcher: ", err)
+		}
+	}
+	if c.echKeyPath != "" {
+		err := c.startECHWatcher()
+		if err != nil {
+			c.logger.Warn("create fsnotify watcher: ", err)
+		}
+	}
+	return nil
+}
+
+func (c *echServerConfig) startWatcher() error {
+	watcher, err := fsnotify.NewWatcher()
+	if err != nil {
+		return err
+	}
+	if c.certificatePath != "" {
+		err = watcher.Add(c.certificatePath)
+		if err != nil {
+			return err
+		}
+	}
+	if c.keyPath != "" {
+		err = watcher.Add(c.keyPath)
+		if err != nil {
+			return err
+		}
+	}
+	c.watcher = watcher
+	go c.loopUpdate()
+	return nil
+}
+
+func (c *echServerConfig) loopUpdate() {
+	for {
+		select {
+		case event, ok := <-c.watcher.Events:
+			if !ok {
+				return
+			}
+			if event.Op&fsnotify.Write != fsnotify.Write {
+				continue
+			}
+			err := c.reloadKeyPair()
+			if err != nil {
+				c.logger.Error(E.Cause(err, "reload TLS key pair"))
+			}
+		case err, ok := <-c.watcher.Errors:
+			if !ok {
+				return
+			}
+			c.logger.Error(E.Cause(err, "fsnotify error"))
+		}
+	}
+}
+
+func (c *echServerConfig) reloadKeyPair() error {
+	if c.certificatePath != "" {
+		certificate, err := os.ReadFile(c.certificatePath)
+		if err != nil {
+			return E.Cause(err, "reload certificate from ", c.certificatePath)
+		}
+		c.certificate = certificate
+	}
+	if c.keyPath != "" {
+		key, err := os.ReadFile(c.keyPath)
+		if err != nil {
+			return E.Cause(err, "reload key from ", c.keyPath)
+		}
+		c.key = key
+	}
+	keyPair, err := cftls.X509KeyPair(c.certificate, c.key)
+	if err != nil {
+		return E.Cause(err, "reload key pair")
+	}
+	c.config.Certificates = []cftls.Certificate{keyPair}
+	c.logger.Info("reloaded TLS certificate")
+	return nil
+}
+
+func (c *echServerConfig) startECHWatcher() error {
+	watcher, err := fsnotify.NewWatcher()
+	if err != nil {
+		return err
+	}
+	err = watcher.Add(c.echKeyPath)
+	if err != nil {
+		return err
+	}
+	c.watcher = watcher
+	go c.loopECHUpdate()
+	return nil
+}
+
+func (c *echServerConfig) loopECHUpdate() {
+	for {
+		select {
+		case event, ok := <-c.echWatcher.Events:
+			if !ok {
+				return
+			}
+			if event.Op&fsnotify.Write != fsnotify.Write {
+				continue
+			}
+			err := c.reloadECHKey()
+			if err != nil {
+				c.logger.Error(E.Cause(err, "reload ECH key"))
+			}
+		case err, ok := <-c.watcher.Errors:
+			if !ok {
+				return
+			}
+			c.logger.Error(E.Cause(err, "fsnotify error"))
+		}
+	}
+}
+
+func (c *echServerConfig) reloadECHKey() error {
+	echKeyContent, err := os.ReadFile(c.echKeyPath)
+	if err != nil {
+		return err
+	}
+	block, rest := pem.Decode(echKeyContent)
+	if block == nil || block.Type != "ECH KEYS" || len(rest) > 0 {
+		return E.New("invalid ECH keys pem")
+	}
+	echKeys, err := cftls.EXP_UnmarshalECHKeys(block.Bytes)
+	if err != nil {
+		return E.Cause(err, "parse ECH keys")
+	}
+	echKeySet, err := cftls.EXP_NewECHKeySet(echKeys)
+	if err != nil {
+		return E.Cause(err, "create ECH key set")
+	}
+	c.config.ServerECHProvider = echKeySet
+	c.logger.Info("reloaded ECH keys")
+	return nil
+}
+
+func (c *echServerConfig) Close() error {
+	var err error
+	if c.watcher != nil {
+		err = E.Append(err, c.watcher.Close(), func(err error) error {
+			return E.Cause(err, "close certificate watcher")
+		})
+	}
+	if c.echWatcher != nil {
+		err = E.Append(err, c.echWatcher.Close(), func(err error) error {
+			return E.Cause(err, "close ECH key watcher")
+		})
+	}
+	return err
+}
+
+func NewECHServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
+	if !options.Enabled {
+		return nil, nil
+	}
+	var tlsConfig cftls.Config
+	if options.ACME != nil && len(options.ACME.Domain) > 0 {
+		return nil, E.New("acme is unavailable in ech")
+	}
+	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
+	if options.ServerName != "" {
+		tlsConfig.ServerName = options.ServerName
+	}
+	if len(options.ALPN) > 0 {
+		tlsConfig.NextProtos = append(options.ALPN, tlsConfig.NextProtos...)
+	}
+	if options.MinVersion != "" {
+		minVersion, err := ParseTLSVersion(options.MinVersion)
+		if err != nil {
+			return nil, E.Cause(err, "parse min_version")
+		}
+		tlsConfig.MinVersion = minVersion
+	}
+	if options.MaxVersion != "" {
+		maxVersion, err := ParseTLSVersion(options.MaxVersion)
+		if err != nil {
+			return nil, E.Cause(err, "parse max_version")
+		}
+		tlsConfig.MaxVersion = maxVersion
+	}
+	if options.CipherSuites != nil {
+	find:
+		for _, cipherSuite := range options.CipherSuites {
+			for _, tlsCipherSuite := range tls.CipherSuites() {
+				if cipherSuite == tlsCipherSuite.Name {
+					tlsConfig.CipherSuites = append(tlsConfig.CipherSuites, tlsCipherSuite.ID)
+					continue find
+				}
+			}
+			return nil, E.New("unknown cipher_suite: ", cipherSuite)
+		}
+	}
+	var certificate []byte
+	var key []byte
+	if len(options.Certificate) > 0 {
+		certificate = []byte(strings.Join(options.Certificate, "\n"))
+	} else if options.CertificatePath != "" {
+		content, err := os.ReadFile(options.CertificatePath)
+		if err != nil {
+			return nil, E.Cause(err, "read certificate")
+		}
+		certificate = content
+	}
+	if len(options.Key) > 0 {
+		key = []byte(strings.Join(options.Key, "\n"))
+	} else if options.KeyPath != "" {
+		content, err := os.ReadFile(options.KeyPath)
+		if err != nil {
+			return nil, E.Cause(err, "read key")
+		}
+		key = content
+	}
+
+	if certificate == nil {
+		return nil, E.New("missing certificate")
+	} else if key == nil {
+		return nil, E.New("missing key")
+	}
+
+	keyPair, err := cftls.X509KeyPair(certificate, key)
+	if err != nil {
+		return nil, E.Cause(err, "parse x509 key pair")
+	}
+	tlsConfig.Certificates = []cftls.Certificate{keyPair}
+
+	var echKey []byte
+	if len(options.ECH.Key) > 0 {
+		echKey = []byte(strings.Join(options.ECH.Key, "\n"))
+	} else if options.KeyPath != "" {
+		content, err := os.ReadFile(options.ECH.KeyPath)
+		if err != nil {
+			return nil, E.Cause(err, "read key")
+		}
+		echKey = content
+	} else {
+		return nil, E.New("missing ECH key")
+	}
+
+	block, rest := pem.Decode(echKey)
+	if block == nil || block.Type != "ECH KEYS" || len(rest) > 0 {
+		return nil, E.New("invalid ECH keys pem")
+	}
+
+	echKeys, err := cftls.EXP_UnmarshalECHKeys(block.Bytes)
+	if err != nil {
+		return nil, E.Cause(err, "parse ECH keys")
+	}
+
+	echKeySet, err := cftls.EXP_NewECHKeySet(echKeys)
+	if err != nil {
+		return nil, E.Cause(err, "create ECH key set")
+	}
+
+	tlsConfig.ECHEnabled = true
+	tlsConfig.PQSignatureSchemesEnabled = options.ECH.PQSignatureSchemesEnabled
+	tlsConfig.DynamicRecordSizingDisabled = options.ECH.DynamicRecordSizingDisabled
+	tlsConfig.ServerECHProvider = echKeySet
+
+	return &echServerConfig{
+		config:          &tlsConfig,
+		logger:          logger,
+		certificate:     certificate,
+		key:             key,
+		certificatePath: options.CertificatePath,
+		keyPath:         options.KeyPath,
+		echKeyPath:      options.ECH.KeyPath,
+	}, nil
+}

common/tls/ech_stub.go

@@ -3,11 +3,23 @@
 package tls
 
 import (
-	"github.com/sagernet/sing-box/adapter"
+	"context"
+
+	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 )
 
-func NewECHClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
-	return nil, E.New(`ECH is not included in this build, rebuild with -tags with_ech`)
+var errECHNotIncluded = E.New(`ECH is not included in this build, rebuild with -tags with_ech`)
+
+func NewECHServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
+	return nil, errECHNotIncluded
+}
+
+func NewECHClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+	return nil, errECHNotIncluded
+}
+
+func ECHKeygenDefault(host string, pqSignatureSchemesEnabled bool) (configPem string, keyPem string, err error) {
+	return "", "", errECHNotIncluded
 }

common/tls/reality_client.go

@@ -26,7 +26,6 @@ import (
 	"time"
 	"unsafe"
 
-	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common/debug"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -45,12 +44,12 @@ type RealityClientConfig struct {
 	shortID   [8]byte
 }
 
-func NewRealityClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (*RealityClientConfig, error) {
+func NewRealityClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (*RealityClientConfig, error) {
 	if options.UTLS == nil || !options.UTLS.Enabled {
 		return nil, E.New("uTLS is required by reality client")
 	}
 
-	uClient, err := NewUTLSClient(router, serverAddress, options)
+	uClient, err := NewUTLSClient(ctx, serverAddress, options)
 	if err != nil {
 		return nil, err
 	}

common/tls/reality_server.go

@@ -19,6 +19,7 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/common/ntp"
 )
 
 var _ ServerConfigCompat = (*RealityServerConfig)(nil)
@@ -27,13 +28,13 @@ type RealityServerConfig struct {
 	config *reality.Config
 }
 
-func NewRealityServer(ctx context.Context, router adapter.Router, logger log.Logger, options option.InboundTLSOptions) (*RealityServerConfig, error) {
+func NewRealityServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (*RealityServerConfig, error) {
 	var tlsConfig reality.Config
 
 	if options.ACME != nil && len(options.ACME.Domain) > 0 {
 		return nil, E.New("acme is unavailable in reality")
 	}
-	tlsConfig.Time = router.TimeFunc()
+	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
 	if options.ServerName != "" {
 		tlsConfig.ServerName = options.ServerName
 	}
@@ -66,10 +67,10 @@ func NewRealityServer(ctx context.Context, router adapter.Router, logger log.Log
 			return nil, E.New("unknown cipher_suite: ", cipherSuite)
 		}
 	}
-	if options.Certificate != "" || options.CertificatePath != "" {
+	if len(options.Certificate) > 0 || options.CertificatePath != "" {
 		return nil, E.New("certificate is unavailable in reality")
 	}
-	if options.Key != "" || options.KeyPath != "" {
+	if len(options.Key) > 0 || options.KeyPath != "" {
 		return nil, E.New("key is unavailable in reality")
 	}
 
@@ -101,7 +102,7 @@ func NewRealityServer(ctx context.Context, router adapter.Router, logger log.Log
 		tlsConfig.ShortIds[shortID] = true
 	}
 
-	handshakeDialer, err := dialer.New(router, options.Reality.Handshake.DialerOptions)
+	handshakeDialer, err := dialer.New(adapter.RouterFromContext(ctx), options.Reality.Handshake.DialerOptions)
 	if err != nil {
 		return nil, err
 	}

common/tls/reality_stub.go

@@ -5,12 +5,11 @@ package tls
 import (
 	"context"
 
-	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 )
 
-func NewRealityServer(ctx context.Context, router adapter.Router, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
+func NewRealityServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
 	return nil, E.New(`reality server is not included in this build, rebuild with -tags with_reality_server`)
 }

common/tls/server.go

@@ -4,21 +4,22 @@ import (
 	"context"
 	"net"
 
-	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	aTLS "github.com/sagernet/sing/common/tls"
 )
 
-func NewServer(ctx context.Context, router adapter.Router, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
+func NewServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
 	if !options.Enabled {
 		return nil, nil
 	}
-	if options.Reality != nil && options.Reality.Enabled {
-		return NewRealityServer(ctx, router, logger, options)
+	if options.ECH != nil && options.ECH.Enabled {
+		return NewECHServer(ctx, logger, options)
+	} else if options.Reality != nil && options.Reality.Enabled {
+		return NewRealityServer(ctx, logger, options)
 	} else {
-		return NewSTDServer(ctx, router, logger, options)
+		return NewSTDServer(ctx, logger, options)
 	}
 }
 

common/tls/std_client.go

@@ -1,15 +1,16 @@
 package tls
 
 import (
+	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"net"
 	"net/netip"
 	"os"
 
-	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/ntp"
 )
 
 type STDClientConfig struct {
@@ -44,7 +45,7 @@ func (s *STDClientConfig) Clone() Config {
 	return &STDClientConfig{s.config.Clone()}
 }
 
-func NewSTDClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewSTDClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	var serverName string
 	if options.ServerName != "" {
 		serverName = options.ServerName
@@ -58,7 +59,7 @@ func NewSTDClient(router adapter.Router, serverAddress string, options option.Ou
 	}
 
 	var tlsConfig tls.Config
-	tlsConfig.Time = router.TimeFunc()
+	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
 	if options.DisableSNI {
 		tlsConfig.ServerName = "127.0.0.1"
 	} else {

common/tls/std_server.go

@@ -5,12 +5,14 @@ import (
 	"crypto/tls"
 	"net"
 	"os"
+	"strings"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/ntp"
 
 	"github.com/fsnotify/fsnotify"
 )
@@ -156,7 +158,7 @@ func (c *STDServerConfig) Close() error {
 	return nil
 }
 
-func NewSTDServer(ctx context.Context, router adapter.Router, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
+func NewSTDServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
 	if !options.Enabled {
 		return nil, nil
 	}
@@ -175,7 +177,7 @@ func NewSTDServer(ctx context.Context, router adapter.Router, logger log.Logger,
 	} else {
 		tlsConfig = &tls.Config{}
 	}
-	tlsConfig.Time = router.TimeFunc()
+	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
 	if options.ServerName != "" {
 		tlsConfig.ServerName = options.ServerName
 	}
@@ -211,8 +213,8 @@ func NewSTDServer(ctx context.Context, router adapter.Router, logger log.Logger,
 	var certificate []byte
 	var key []byte
 	if acmeService == nil {
-		if options.Certificate != "" {
-			certificate = []byte(options.Certificate)
+		if len(options.Certificate) > 0 {
+			certificate = []byte(strings.Join(options.Certificate, "\n"))
 		} else if options.CertificatePath != "" {
 			content, err := os.ReadFile(options.CertificatePath)
 			if err != nil {
@@ -220,8 +222,8 @@ func NewSTDServer(ctx context.Context, router adapter.Router, logger log.Logger,
 			}
 			certificate = content
 		}
-		if options.Key != "" {
-			key = []byte(options.Key)
+		if len(options.Key) > 0 {
+			key = []byte(strings.Join(options.Key, "\n"))
 		} else if options.KeyPath != "" {
 			content, err := os.ReadFile(options.KeyPath)
 			if err != nil {
@@ -231,7 +233,7 @@ func NewSTDServer(ctx context.Context, router adapter.Router, logger log.Logger,
 		}
 		if certificate == nil && key == nil && options.Insecure {
 			tlsConfig.GetCertificate = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
-				return GenerateKeyPair(router.TimeFunc(), info.ServerName)
+				return GenerateKeyPair(ntp.TimeFuncFromContext(ctx), info.ServerName)
 			}
 		} else {
 			if certificate == nil {

common/tls/utls_client.go

@@ -11,9 +11,9 @@ import (
 	"net/netip"
 	"os"
 
-	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/ntp"
 	utls "github.com/sagernet/utls"
 
 	"golang.org/x/net/http2"
@@ -113,7 +113,7 @@ func (c *utlsALPNWrapper) HandshakeContext(ctx context.Context) error {
 	return c.UConn.HandshakeContext(ctx)
 }
 
-func NewUTLSClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (*UTLSClientConfig, error) {
+func NewUTLSClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (*UTLSClientConfig, error) {
 	var serverName string
 	if options.ServerName != "" {
 		serverName = options.ServerName
@@ -127,7 +127,7 @@ func NewUTLSClient(router adapter.Router, serverAddress string, options option.O
 	}
 
 	var tlsConfig utls.Config
-	tlsConfig.Time = router.TimeFunc()
+	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
 	if options.DisableSNI {
 		tlsConfig.ServerName = "127.0.0.1"
 	} else {

common/tls/utls_stub.go

@@ -3,15 +3,16 @@
 package tls
 
 import (
-	"github.com/sagernet/sing-box/adapter"
+	"context"
+
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 )
 
-func NewUTLSClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewUTLSClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	return nil, E.New(`uTLS is not included in this build, rebuild with -tags with_utls`)
 }
 
-func NewRealityClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewRealityClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	return nil, E.New(`uTLS, which is required by reality client is not included in this build, rebuild with -tags with_utls`)
 }

common/urltest/urltest.go

@@ -10,7 +10,6 @@ import (
 
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/common/x/list"
 )
 
 type History struct {
@@ -21,7 +20,7 @@ type History struct {
 type HistoryStorage struct {
 	access       sync.RWMutex
 	delayHistory map[string]*History
-	callbacks    list.List[func()]
+	updateHook   chan<- struct{}
 }
 
 func NewHistoryStorage() *HistoryStorage {
@@ -30,16 +29,8 @@ func NewHistoryStorage() *HistoryStorage {
 	}
 }
 
-func (s *HistoryStorage) AddListener(listener func()) *list.Element[func()] {
-	s.access.Lock()
-	defer s.access.Unlock()
-	return s.callbacks.PushBack(listener)
-}
-
-func (s *HistoryStorage) RemoveListener(element *list.Element[func()]) {
-	s.access.Lock()
-	defer s.access.Unlock()
-	s.callbacks.Remove(element)
+func (s *HistoryStorage) SetHook(hook chan<- struct{}) {
+	s.updateHook = hook
 }
 
 func (s *HistoryStorage) LoadURLTestHistory(tag string) *History {
@@ -66,13 +57,20 @@ func (s *HistoryStorage) StoreURLTestHistory(tag string, history *History) {
 }
 
 func (s *HistoryStorage) notifyUpdated() {
-	s.access.RLock()
-	defer s.access.RUnlock()
-	for element := s.callbacks.Front(); element != nil; element = element.Next() {
-		element.Value()
+	updateHook := s.updateHook
+	if updateHook != nil {
+		select {
+		case updateHook <- struct{}{}:
+		default:
+		}
 	}
 }
 
+func (s *HistoryStorage) Close() error {
+	s.updateHook = nil
+	return nil
+}
+
 func URLTest(ctx context.Context, link string, detour N.Dialer) (t uint16, err error) {
 	if link == "" {
 		link = "https://www.gstatic.com/generate_204"

constant/proxy.go

@@ -22,6 +22,7 @@ const (
 	TypeShadowsocksR = "shadowsocksr"
 	TypeVLESS        = "vless"
 	TypeTUIC         = "tuic"
+	TypeHysteria2    = "hysteria2"
 )
 
 const (
@@ -65,6 +66,8 @@ func ProxyDisplayName(proxyType string) string {
 		return "VLESS"
 	case TypeTUIC:
 		return "TUIC"
+	case TypeHysteria2:
+		return "Hysteria2"
 	case TypeSelector:
 		return "Selector"
 	case TypeURLTest:

docs/changelog.md

@@ -1,3 +1,73 @@
+#### 1.5.0-beta.2
+
+* Add hysteria2 protocol support **1**
+* Fixes and improvements
+
+**1**:
+
+See [Hysteria2 inbound](/configuration/inbound/hysteria2) and [Hysteria2 outbound](/configuration/outbound/hysteria2)
+
+For protocol description, please refer to [https://v2.hysteria.network](https://v2.hysteria.network)
+
+#### 1.5.0-beta.1
+
+* Add TLS [ECH server](/configuration/shared/tls) support
+* Improve TLS TCH client configuration
+* Add TLS ECH key pair generator **1**
+* Add TLS ECH support for QUIC based protocols **2**
+* Add KDE support for the `set_system_proxy` option in HTTP inbound
+
+**1**:
+
+Command: `sing-box generate ech-keypair <plain_server_name> [-pq-signature-schemes-enabled]`
+
+**2**:
+
+All inbounds and outbounds are supported, including `Naiveproxy`, `Hysteria`, `TUIC` and `V2ray QUIC transport`.
+
+#### 1.4.1
+
+* Fixes and improvements
+
+#### 1.4.0
+
+* Fix bugs and update dependencies
+
+Important changes since 1.3:
+
+* Add TUIC support **1**
+* Add `udp_over_stream` option for TUIC client **2**
+* Add MultiPath TCP support **3**
+* Add `include_interface` and `exclude_interface` options for tun inbound
+* Pause recurring tasks when no network or device idle
+* Improve Android and Apple platform clients
+
+*1*:
+
+See [TUIC inbound](/configuration/inbound/tuic)
+and [TUIC outbound](/configuration/outbound/tuic)
+
+**2**:
+
+This is the TUIC port of the [UDP over TCP protocol](/configuration/shared/udp-over-tcp), designed to provide a QUIC
+stream based UDP relay mode that TUIC does not provide. Since it is an add-on protocol, you will need to use sing-box or
+another program compatible with the protocol as a server.
+
+This mode has no positive effect in a proper UDP proxy scenario and should only be applied to relay streaming UDP
+traffic (basically QUIC streams).
+
+*3*:
+
+Requires sing-box to be compiled with Go 1.21.
+
+#### 1.4.0-rc.3
+
+* Fixes and improvements
+
+#### 1.4.0-rc.2
+
+* Fixes and improvements
+
 #### 1.4.0-rc.1
 
 * Fix TUIC UDP

docs/configuration/experimental/index.md

@@ -12,7 +12,9 @@
       "external_ui_download_detour": "",
       "secret": "",
       "default_mode": "",
+      "store_mode": false,
       "store_selected": false,
+      "store_fakeip": false,
       "cache_file": "",
       "cache_id": ""
     },
@@ -80,6 +82,10 @@ Default mode in clash, `rule` will be used if empty.
 
 This setting has no direct effect, but can be used in routing and DNS rules via the `clash_mode` rule item.
 
+#### store_mode
+
+Store Clash mode in cache file.
+
 #### store_selected
 
 !!! note ""
@@ -88,6 +94,10 @@ This setting has no direct effect, but can be used in routing and DNS rules via
 
 Store selected outbound for the `Selector` outbound in cache file.
 
+#### store_fakeip
+
+Store fakeip in cache file.
+
 #### cache_file
 
 Cache file path, `cache.db` will be used if empty.

docs/configuration/experimental/index.zh.md

@@ -12,7 +12,9 @@
       "external_ui_download_detour": "",
       "secret": "",
       "default_mode": "",
+      "store_mode": false,
       "store_selected": false,
+      "store_fakeip": false,
       "cache_file": "",
       "cache_id": ""
     },
@@ -78,6 +80,10 @@ Clash 中的默认模式，默认使用 `rule`。
 
 此设置没有直接影响，但可以通过 `clash_mode` 规则项在路由和 DNS 规则中使用。
 
+#### store_mode
+
+将 Clash 模式存储在缓存文件中。
+
 #### store_selected
 
 !!! note ""
@@ -86,6 +92,10 @@ Clash 中的默认模式，默认使用 `rule`。
 
 将 `Selector` 中出站的选定的目标出站存储在缓存文件中。
 
+#### store_fakeip
+
+将 fakeip 存储在缓存文件中。
+
 #### cache_file
 
 缓存文件路径，默认使用`cache.db`。

docs/configuration/inbound/hysteria2.md

@@ -0,0 +1,85 @@
+### Structure
+
+```json
+{
+  "type": "hysteria2",
+  "tag": "hy2-in",
+  
+  ... // Listen Fields
+
+  "up_mbps": 100,
+  "down_mbps": 100,
+  "obfs": {
+    "type": "salamander",
+    "password": "cry_me_a_r1ver"
+  },
+  "users": [
+    {
+      "name": "tobyxdd",
+      "password": "goofy_ahh_password"
+    }
+  ],
+  "ignore_client_bandwidth": false,
+  "masquerade": "",
+  "tls": {}
+}
+```
+
+!!! warning ""
+
+    QUIC, which is required by Hysteria2 is not included by default, see [Installation](/#installation).
+
+### Listen Fields
+
+See [Listen Fields](/configuration/shared/listen) for details.
+
+### Fields
+
+#### up_mbps, down_mbps
+
+Max bandwidth, in Mbps.
+
+Not limited if empty.
+
+Conflict with `ignore_client_bandwidth`.
+
+#### obfs.type
+
+QUIC traffic obfuscator type, only available with `salamander`.
+
+Disabled if empty.
+
+#### obfs.password
+
+QUIC traffic obfuscator password.
+
+#### users
+
+Hysteria2 users
+
+#### users.password
+
+Authentication password
+
+#### ignore_client_bandwidth
+
+Commands the client to use the BBR flow control algorithm instead of Hysteria CC.
+
+Conflict with `up_mbps` and `down_mbps`.
+
+#### masquerade
+
+HTTP3 server behavior when authentication fails.
+
+| Scheme       | Example                 | Description        |
+|--------------|-------------------------|--------------------|
+| `file`       | `file:///var/www`       | As a file server   |
+| `http/https` | `http://127.0.0.1:8080` | As a reverse proxy |
+
+A 404 page will be returned if empty.
+
+#### tls
+
+==Required==
+
+TLS configuration, see [TLS](/configuration/shared/tls/#inbound).

docs/configuration/inbound/hysteria2.zh.md

@@ -0,0 +1,83 @@
+### 结构
+
+```json
+{
+  "type": "hysteria2",
+  "tag": "hy2-in",
+  
+  ... // 监听字段
+
+  "up_mbps": 100,
+  "down_mbps": 100,
+  "obfs": {
+    "type": "salamander",
+    "password": "cry_me_a_r1ver"
+  },
+  "users": [
+    {
+      "name": "tobyxdd",
+      "password": "goofy_ahh_password"
+    }
+  ],
+  "ignore_client_bandwidth": false,
+  "masquerade": "",
+  "tls": {}
+}
+```
+
+!!! warning ""
+
+    默认安装不包含被 Hysteria2 依赖的 QUIC，参阅 [安装](/zh/#_2)。
+
+### 监听字段
+
+参阅 [监听字段](/zh/configuration/shared/listen/)。
+
+### 字段
+
+#### up_mbps, down_mbps
+
+支持的速率，默认不限制。
+
+与 `ignore_client_bandwidth` 冲突。
+
+#### obfs.type
+
+QUIC 流量混淆器类型，仅可设为 `salamander`。
+
+如果为空则禁用。
+
+#### obfs.password
+
+QUIC 流量混淆器密码.
+
+#### users
+
+Hysteria 用户
+
+#### users.password
+
+认证密码。
+
+#### ignore_client_bandwidth
+
+命令客户端使用 BBR 流量控制算法而不是 Hysteria CC。
+
+与 `up_mbps` 和 `down_mbps` 冲突。
+
+#### masquerade
+
+HTTP3 服务器认证失败时的行为。
+
+| Scheme       | 示例                      | 描述      |
+|--------------|-------------------------|---------|
+| `file`       | `file:///var/www`       | 作为文件服务器 |
+| `http/https` | `http://127.0.0.1:8080` | 作为反向代理  |
+
+如果为空，则返回 404 页。
+
+#### tls
+
+==必填==
+
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

docs/configuration/inbound/index.md

@@ -27,6 +27,8 @@
 | `naive`       | [Naive](./naive)             | X          |
 | `hysteria`    | [Hysteria](./hysteria)       | X          |
 | `shadowtls`   | [ShadowTLS](./shadowtls)     | TCP        |
+| `tuic`        | [TUIC](./tuic)               | X          |
+| `hysteria2`   | [Hysteria2](./hysteria2)     | X          |
 | `vless`       | [VLESS](./vless)             | TCP        |
 | `tun`         | [Tun](./tun)                 | X          |
 | `redirect`    | [Redirect](./redirect)       | X          |

docs/configuration/inbound/index.zh.md

@@ -26,6 +26,10 @@
 | `trojan`      | [Trojan](./trojan)           | TCP  |
 | `naive`       | [Naive](./naive)             | X    |
 | `hysteria`    | [Hysteria](./hysteria)       | X    |
+| `shadowtls`   | [ShadowTLS](./shadowtls)     | TCP  |
+| `tuic`        | [TUIC](./tuic)               | X    |
+| `hysteria2`   | [Hysteria2](./hysteria2)     | X    |
+| `vless`       | [VLESS](./vless)             | TCP  |
 | `tun`         | [Tun](./tun)                 | X    |
 | `redirect`    | [Redirect](./redirect)       | X    |
 | `tproxy`      | [TProxy](./tproxy)           | X    |

docs/configuration/outbound/hysteria2.md

@@ -0,0 +1,78 @@
+### Structure
+
+```json
+{
+  "type": "hysteria2",
+  "tag": "hy2-out",
+  
+  "server": "127.0.0.1",
+  "server_port": 1080,
+  "up_mbps": 100,
+  "down_mbps": 100,
+  "obfs": {
+    "type": "salamander",
+    "password": "cry_me_a_r1ver"
+  },
+  "password": "goofy_ahh_password",
+  "network": "tcp",
+  "tls": {},
+  
+  ... // Dial Fields
+}
+```
+
+!!! warning ""
+
+    QUIC, which is required by Hysteria2 is not included by default, see [Installation](/#installation).
+
+### Fields
+
+#### server
+
+==Required==
+
+The server address.
+
+#### server_port
+
+==Required==
+
+The server port.
+
+#### up_mbps, down_mbps
+
+Max bandwidth, in Mbps.
+
+If empty, the BBR congestion control algorithm will be used instead of Hysteria CC.
+
+#### obfs.type
+
+QUIC traffic obfuscator type, only available with `salamander`.
+
+Disabled if empty.
+
+#### obfs.password
+
+QUIC traffic obfuscator password.
+
+#### password
+
+Authentication password.
+
+#### network
+
+Enabled network
+
+One of `tcp` `udp`.
+
+Both is enabled by default.
+
+#### tls
+
+==Required==
+
+TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
+
+### Dial Fields
+
+See [Dial Fields](/configuration/shared/dial) for details.

docs/configuration/outbound/hysteria2.zh.md

@@ -0,0 +1,79 @@
+### 结构
+
+```json
+{
+  "type": "hysteria2",
+  "tag": "hy2-out",
+
+  "server": "127.0.0.1",
+  "server_port": 1080,
+  "up_mbps": 100,
+  "down_mbps": 100,
+  "obfs": {
+    "type": "salamander",
+    "password": "cry_me_a_r1ver"
+  },
+  "password": "goofy_ahh_password",
+  "network": "tcp",
+  "tls": {},
+  
+  ... // 拨号字段
+}
+```
+
+!!! warning ""
+
+    默认安装不包含被 Hysteria2 依赖的 QUIC，参阅 [安装](/zh/#_2)。
+
+### 字段
+
+#### server
+
+==必填==
+
+服务器地址。
+
+#### server_port
+
+==必填==
+
+服务器端口。
+
+#### up_mbps, down_mbps
+
+最大带宽。
+
+如果为空，将使用 BBR 流量控制算法而不是 Hysteria CC。
+
+#### obfs.type
+
+QUIC 流量混淆器类型，仅可设为 `salamander`。
+
+如果为空则禁用。
+
+#### obfs.password
+
+QUIC 流量混淆器密码.
+
+#### password
+
+认证密码。
+
+#### network
+
+启用的网络协议。
+
+`tcp` 或 `udp`。
+
+默认所有。
+
+#### tls
+
+==必填==
+
+TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
+
+
+### 拨号字段
+
+参阅 [拨号字段](/zh/configuration/shared/dial/)。

docs/configuration/outbound/index.md

@@ -29,6 +29,8 @@
 | `shadowsocksr` | [ShadowsocksR](./shadowsocksr) |
 | `vless`        | [VLESS](./vless)               |
 | `shadowtls`    | [ShadowTLS](./shadowtls)       |
+| `tuic`         | [TUIC](./tuic)                 |
+| `hysteria2`    | [Hysteria2](./hysteria2)       |
 | `tor`          | [Tor](./tor)                   |
 | `ssh`          | [SSH](./ssh)                   |
 | `dns`          | [DNS](./dns)                   |

docs/configuration/outbound/index.zh.md

@@ -28,6 +28,9 @@
 | `hysteria`     | [Hysteria](./hysteria)         |
 | `shadowsocksr` | [ShadowsocksR](./shadowsocksr) |
 | `vless`        | [VLESS](./vless)               |
+| `shadowtls`    | [ShadowTLS](./shadowtls)       |
+| `tuic`         | [TUIC](./tuic)                 |
+| `hysteria2`    | [Hysteria2](./hysteria2)       |
 | `tor`          | [Tor](./tor)                   |
 | `ssh`          | [SSH](./ssh)                   |
 | `dns`          | [DNS](./dns)                   |

docs/configuration/shared/tls.md

@@ -8,9 +8,9 @@
   "min_version": "",
   "max_version": "",
   "cipher_suites": [],
-  "certificate": "",
+  "certificate": [],
   "certificate_path": "",
-  "key": "",
+  "key": [],
   "key_path": "",
   "acme": {
     "domain": [],
@@ -27,6 +27,13 @@
       "mac_key": ""
     }
   },
+  "ech": {
+    "enabled": false,
+    "pq_signature_schemes_enabled": false,
+    "dynamic_record_sizing_disabled": false,
+    "key": [],
+    "key_path": ""
+  },
   "reality": {
     "enabled": false,
     "handshake": {
@@ -62,7 +69,8 @@
     "enabled": false,
     "pq_signature_schemes_enabled": false,
     "dynamic_record_sizing_disabled": false,
-    "config": ""
+    "config": [],
+    "config_path": ""
   },
   "utls": {
     "enabled": false,
@@ -162,7 +170,7 @@ This may change in the future.
 
 #### certificate
 
-The server certificate, in PEM format.
+The server certificate line array, in PEM format.
 
 #### certificate_path
 
@@ -172,7 +180,7 @@ The path to the server certificate, in PEM format.
 
 ==Server only==
 
-The server private key, in PEM format.
+The server private key line array, in PEM format.
 
 #### key_path
 
@@ -180,18 +188,11 @@ The server private key, in PEM format.
 
 The path to the server private key, in PEM format.
 
-#### ech
+## Custom TLS support
 
-==Client only==
+!!! info "QUIC support"
 
-!!! warning ""
-
-    ECH is not included by default, see [Installation](/#installation).
-
-ECH (Encrypted Client Hello) is a TLS extension that allows a client to encrypt the first part of its ClientHello
-message.
-
-If you don't know how to fill in the other configuration, just set `enabled`.
+    Only ECH is supported in QUIC.
 
 #### utls
 
@@ -222,6 +223,58 @@ Available fingerprint values:
 
 Chrome fingerprint will be used if empty.
 
+### ECH Fields
+
+!!! warning ""
+
+    ECH is not included by default, see [Installation](/#installation).
+
+ECH (Encrypted Client Hello) is a TLS extension that allows a client to encrypt the first part of its ClientHello
+message.
+
+The ECH key and configuration can be generated by `sing-box generate ech-keypair [-pq-signature-schemes-enabled]`.
+
+#### pq_signature_schemes_enabled
+
+Enable support for post-quantum peer certificate signature schemes.
+
+It is recommended to match the parameters of `sing-box generate ech-keypair`.
+
+#### dynamic_record_sizing_disabled
+
+Disables adaptive sizing of TLS records.
+
+When true, the largest possible TLS record size is always used.  
+When false, the size of TLS records may be adjusted in an attempt to improve latency.
+
+#### key
+
+==Server only==
+
+ECH key line array, in PEM format.
+
+#### key_path
+
+==Server only==
+
+The path to ECH key, in PEM format.
+
+#### config
+
+==Client only==
+
+ECH configuration line array, in PEM format.
+
+If empty, load from DNS will be attempted.
+
+#### config_path
+
+==Client only==
+
+The path to ECH configuration, in PEM format.
+
+If empty, load from DNS will be attempted.
+
 ### ACME Fields
 
 !!! warning ""
@@ -345,4 +398,4 @@ Check disabled if empty.
 
 ### Reload
 
-For server configuration, certificate and key will be automatically reloaded if modified.
+For server configuration, certificate, key and ECH key will be automatically reloaded if modified.

docs/configuration/shared/tls.zh.md

@@ -8,9 +8,9 @@
   "min_version": "",
   "max_version": "",
   "cipher_suites": [],
-  "certificate": "",
+  "certificate": [],
   "certificate_path": "",
-  "key": "",
+  "key": [],
   "key_path": "",
   "acme": {
     "domain": [],
@@ -27,6 +27,13 @@
       "mac_key": ""
     }
   },
+  "ech": {
+    "enabled": false,
+    "pq_signature_schemes_enabled": false,
+    "dynamic_record_sizing_disabled": false,
+    "key": [],
+    "key_path": ""
+  },
   "reality": {
     "enabled": false,
     "handshake": {
@@ -56,13 +63,14 @@
   "min_version": "",
   "max_version": "",
   "cipher_suites": [],
-  "certificate": "",
+  "certificate": [],
   "certificate_path": "",
   "ech": {
     "enabled": false,
     "pq_signature_schemes_enabled": false,
     "dynamic_record_sizing_disabled": false,
-    "config": ""
+    "config": [],
+    "config_path": ""
   },
   "utls": {
     "enabled": false,
@@ -162,7 +170,7 @@ TLS 版本值：
 
 #### certificate
 
-服务器 PEM 证书。
+服务器 PEM 证书行数组。
 
 #### certificate_path
 
@@ -172,7 +180,7 @@ TLS 版本值：
 
 ==仅服务器==
 
-服务器 PEM 私钥。
+服务器 PEM 私钥行数组。
 
 #### key_path
 
@@ -180,19 +188,6 @@ TLS 版本值：
 
 服务器 PEM 私钥路径。
 
-#### ech
-
-==仅客户端==
-
-!!! warning ""
-
-    默认安装不包含 ECH, 参阅 [安装](/zh/#_2)。
-
-ECH (Encrypted Client Hello) 是一个 TLS 扩展，它允许客户端加密其 ClientHello 的第一部分
-信息。
-
-如果您不知道如何填写其他配置，只需设置 `enabled` 即可。
-
 #### utls
 
 ==仅客户端==
@@ -222,6 +217,59 @@ uTLS 是 "crypto/tls" 的一个分支，它提供了 ClientHello 指纹识别阻
 
 默认使用 chrome 指纹。
 
+## ECH 字段
+
+!!! warning ""
+
+    默认安装不包含 ECH, 参阅 [安装](/zh/#_2)。
+
+ECH (Encrypted Client Hello) 是一个 TLS 扩展，它允许客户端加密其 ClientHello 的第一部分
+信息。
+
+
+ECH 配置和密钥可以通过 `sing-box generated ech-keypair [-pq-signature-schemes-enabled]` 生成。
+
+#### pq_signature_schemes_enabled
+
+启用对后量子对等证书签名方案的支持。
+
+建议匹配 `sing-box generated ech-keypair` 的参数。
+
+#### dynamic_record_sizing_disabled
+
+禁用 TLS 记录的自适应大小调整。
+
+如果为 true，则始终使用最大可能的 TLS 记录大小。
+如果为 false，则可能会调整 TLS 记录的大小以尝试改善延迟。
+
+#### key
+
+==仅服务器==
+
+ECH PEM 密钥行数组
+
+#### key_path
+
+==仅服务器==
+
+ECH PEM 密钥路径
+
+#### config
+
+==仅客户端==
+
+ECH PEM 配置行数组
+
+如果为空，将尝试从 DNS 加载。
+
+#### config_path
+
+==仅客户端==
+
+ECH PEM 配置路径
+
+如果为空，将尝试从 DNS 加载。
+
 ### ACME 字段
 
 !!! warning ""

experimental/clashapi.go

@@ -7,6 +7,7 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common"
 )
 
 type ClashServerConstructor = func(ctx context.Context, router adapter.Router, logFactory log.ObservableFactory, options option.ClashAPIOptions) (adapter.ClashServer, error)
@@ -23,3 +24,28 @@ func NewClashServer(ctx context.Context, router adapter.Router, logFactory log.O
 	}
 	return clashServerConstructor(ctx, router, logFactory, options)
 }
+
+func CalculateClashModeList(options option.Options) []string {
+	var clashMode []string
+	for _, dnsRule := range common.PtrValueOrDefault(options.DNS).Rules {
+		if dnsRule.DefaultOptions.ClashMode != "" && !common.Contains(clashMode, dnsRule.DefaultOptions.ClashMode) {
+			clashMode = append(clashMode, dnsRule.DefaultOptions.ClashMode)
+		}
+		for _, defaultRule := range dnsRule.LogicalOptions.Rules {
+			if defaultRule.ClashMode != "" && !common.Contains(clashMode, defaultRule.ClashMode) {
+				clashMode = append(clashMode, defaultRule.ClashMode)
+			}
+		}
+	}
+	for _, rule := range common.PtrValueOrDefault(options.Route).Rules {
+		if rule.DefaultOptions.ClashMode != "" && !common.Contains(clashMode, rule.DefaultOptions.ClashMode) {
+			clashMode = append(clashMode, rule.DefaultOptions.ClashMode)
+		}
+		for _, defaultRule := range rule.LogicalOptions.Rules {
+			if defaultRule.ClashMode != "" && !common.Contains(clashMode, defaultRule.ClashMode) {
+				clashMode = append(clashMode, defaultRule.ClashMode)
+			}
+		}
+	}
+	return clashMode
+}

experimental/clashapi/cachefile/cache.go

@@ -8,6 +8,7 @@ import (
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing/common"
 
 	"go.etcd.io/bbolt"
 )
@@ -15,6 +16,15 @@ import (
 var (
 	bucketSelected = []byte("selected")
 	bucketExpand   = []byte("group_expand")
+	bucketMode     = []byte("clash_mode")
+
+	bucketNameList = []string{
+		string(bucketSelected),
+		string(bucketExpand),
+		string(bucketMode),
+	}
+
+	cacheIDDefault = []byte("default")
 )
 
 var _ adapter.ClashCacheFile = (*CacheFile)(nil)
@@ -52,14 +62,14 @@ func Open(path string, cacheID string) (*CacheFile, error) {
 			if name[0] == 0 {
 				return b.ForEachBucket(func(k []byte) error {
 					bucketName := string(k)
-					if !(bucketName == string(bucketSelected) || bucketName == string(bucketExpand)) {
+					if !(common.Contains(bucketNameList, bucketName)) {
 						_ = b.DeleteBucket(name)
 					}
 					return nil
 				})
 			} else {
 				bucketName := string(name)
-				if !(bucketName == string(bucketSelected) || bucketName == string(bucketExpand) || strings.HasPrefix(bucketName, fakeipBucketPrefix)) {
+				if !(common.Contains(bucketNameList, bucketName) || strings.HasPrefix(bucketName, fakeipBucketPrefix)) {
 					_ = tx.DeleteBucket(name)
 				}
 			}
@@ -78,6 +88,39 @@ func Open(path string, cacheID string) (*CacheFile, error) {
 	}, nil
 }
 
+func (c *CacheFile) LoadMode() string {
+	var mode string
+	c.DB.View(func(t *bbolt.Tx) error {
+		bucket := t.Bucket(bucketMode)
+		if bucket == nil {
+			return nil
+		}
+		var modeBytes []byte
+		if len(c.cacheID) > 0 {
+			modeBytes = bucket.Get(c.cacheID)
+		} else {
+			modeBytes = bucket.Get(cacheIDDefault)
+		}
+		mode = string(modeBytes)
+		return nil
+	})
+	return mode
+}
+
+func (c *CacheFile) StoreMode(mode string) error {
+	return c.DB.Batch(func(t *bbolt.Tx) error {
+		bucket, err := t.CreateBucketIfNotExists(bucketMode)
+		if err != nil {
+			return err
+		}
+		if len(c.cacheID) > 0 {
+			return bucket.Put(c.cacheID, []byte(mode))
+		} else {
+			return bucket.Put(cacheIDDefault, []byte(mode))
+		}
+	})
+}
+
 func (c *CacheFile) bucket(t *bbolt.Tx, key []byte) *bbolt.Bucket {
 	if c.cacheID == nil {
 		return t.Bucket(key)

experimental/clashapi/configs.go

@@ -2,7 +2,6 @@ package clashapi
 
 import (
 	"net/http"
-	"strings"
 
 	"github.com/sagernet/sing-box/log"
 
@@ -10,11 +9,11 @@ import (
 	"github.com/go-chi/render"
 )
 
-func configRouter(server *Server, logFactory log.Factory, logger log.Logger) http.Handler {
+func configRouter(server *Server, logFactory log.Factory) http.Handler {
 	r := chi.NewRouter()
 	r.Get("/", getConfigs(server, logFactory))
 	r.Put("/", updateConfigs)
-	r.Patch("/", patchConfigs(server, logger))
+	r.Patch("/", patchConfigs(server))
 	return r
 }
 
@@ -48,7 +47,7 @@ func getConfigs(server *Server, logFactory log.Factory) func(w http.ResponseWrit
 	}
 }
 
-func patchConfigs(server *Server, logger log.Logger) func(w http.ResponseWriter, r *http.Request) {
+func patchConfigs(server *Server) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		var newConfig configSchema
 		err := render.DecodeJSON(r.Body, &newConfig)
@@ -58,11 +57,7 @@ func patchConfigs(server *Server, logger log.Logger) func(w http.ResponseWriter,
 			return
 		}
 		if newConfig.Mode != "" {
-			mode := strings.ToLower(newConfig.Mode)
-			if server.mode != mode {
-				server.mode = mode
-				logger.Info("updated mode: ", mode)
-			}
+			server.SetMode(newConfig.Mode)
 		}
 		render.NoContent(w, r)
 	}

experimental/clashapi/server.go

@@ -46,6 +46,9 @@ type Server struct {
 	trafficManager *trafficontrol.Manager
 	urlTestHistory *urltest.HistoryStorage
 	mode           string
+	modeList       []string
+	modeUpdateHook chan<- struct{}
+	storeMode      bool
 	storeSelected  bool
 	storeFakeIP    bool
 	cacheFilePath  string
@@ -70,9 +73,10 @@ func NewServer(ctx context.Context, router adapter.Router, logFactory log.Observ
 			Handler: chiRouter,
 		},
 		trafficManager:           trafficManager,
-		mode:                     strings.ToLower(options.DefaultMode),
-		storeSelected:            options.StoreSelected,
+		modeList:                 options.ModeList,
 		externalController:       options.ExternalController != "",
+		storeMode:                options.StoreMode,
+		storeSelected:            options.StoreSelected,
 		storeFakeIP:              options.StoreFakeIP,
 		externalUIDownloadURL:    options.ExternalUIDownloadURL,
 		externalUIDownloadDetour: options.ExternalUIDownloadDetour,
@@ -81,10 +85,15 @@ func NewServer(ctx context.Context, router adapter.Router, logFactory log.Observ
 	if server.urlTestHistory == nil {
 		server.urlTestHistory = urltest.NewHistoryStorage()
 	}
-	if server.mode == "" {
-		server.mode = "rule"
+	defaultMode := "Rule"
+	if options.DefaultMode != "" {
+		defaultMode = options.DefaultMode
 	}
-	if options.StoreSelected || options.StoreFakeIP || options.ExternalController == "" {
+	if !common.Contains(server.modeList, defaultMode) {
+		server.modeList = append(server.modeList, defaultMode)
+	}
+	server.mode = defaultMode
+	if options.StoreMode || options.StoreSelected || options.StoreFakeIP || options.ExternalController == "" {
 		cachePath := os.ExpandEnv(options.CacheFile)
 		if cachePath == "" {
 			cachePath = "cache.db"
@@ -110,7 +119,7 @@ func NewServer(ctx context.Context, router adapter.Router, logFactory log.Observ
 		r.Get("/logs", getLogs(logFactory))
 		r.Get("/traffic", traffic(trafficManager))
 		r.Get("/version", version)
-		r.Mount("/configs", configRouter(server, logFactory, server.logger))
+		r.Mount("/configs", configRouter(server, logFactory))
 		r.Mount("/proxies", proxyRouter(server, router))
 		r.Mount("/rules", ruleRouter(router))
 		r.Mount("/connections", connectionRouter(router, trafficManager))
@@ -143,6 +152,14 @@ func (s *Server) PreStart() error {
 			return E.Cause(err, "open cache file")
 		}
 		s.cacheFile = cacheFile
+		if s.storeMode {
+			mode := s.cacheFile.LoadMode()
+			if common.Any(s.modeList, func(it string) bool {
+				return strings.EqualFold(it, mode)
+			}) {
+				s.mode = mode
+			}
+		}
 	}
 	return nil
 }
@@ -170,6 +187,7 @@ func (s *Server) Close() error {
 		common.PtrOrNil(s.httpServer),
 		s.trafficManager,
 		s.cacheFile,
+		s.urlTestHistory,
 	)
 }
 
@@ -177,6 +195,43 @@ func (s *Server) Mode() string {
 	return s.mode
 }
 
+func (s *Server) ModeList() []string {
+	return s.modeList
+}
+
+func (s *Server) SetModeUpdateHook(hook chan<- struct{}) {
+	s.modeUpdateHook = hook
+}
+
+func (s *Server) SetMode(newMode string) {
+	if !common.Contains(s.modeList, newMode) {
+		newMode = common.Find(s.modeList, func(it string) bool {
+			return strings.EqualFold(it, newMode)
+		})
+	}
+	if !common.Contains(s.modeList, newMode) {
+		return
+	}
+	if newMode == s.mode {
+		return
+	}
+	s.mode = newMode
+	if s.modeUpdateHook != nil {
+		select {
+		case s.modeUpdateHook <- struct{}{}:
+		default:
+		}
+	}
+	s.router.ClearDNSCache()
+	if s.storeMode {
+		err := s.cacheFile.StoreMode(newMode)
+		if err != nil {
+			s.logger.Error(E.Cause(err, "save mode"))
+		}
+	}
+	s.logger.Info("updated mode: ", newMode)
+}
+
 func (s *Server) StoreSelected() bool {
 	return s.storeSelected
 }

experimental/libbox/command.go

@@ -9,4 +9,6 @@ const (
 	CommandSelectOutbound
 	CommandURLTest
 	CommandGroupExpand
+	CommandClashMode
+	CommandSetClashMode
 )

experimental/libbox/command_clash_mode.go

@@ -0,0 +1,135 @@
+package libbox
+
+import (
+	"encoding/binary"
+	"io"
+	"net"
+	"time"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/experimental/clashapi"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/rw"
+)
+
+func (c *CommandClient) SetClashMode(newMode string) error {
+	conn, err := c.directConnect()
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+	err = binary.Write(conn, binary.BigEndian, uint8(CommandSetClashMode))
+	if err != nil {
+		return err
+	}
+	err = rw.WriteVString(conn, newMode)
+	if err != nil {
+		return err
+	}
+	return readError(conn)
+}
+
+func (s *CommandServer) handleSetClashMode(conn net.Conn) error {
+	defer conn.Close()
+	newMode, err := rw.ReadVString(conn)
+	if err != nil {
+		return err
+	}
+	service := s.service
+	if service == nil {
+		return writeError(conn, E.New("service not ready"))
+	}
+	clashServer := service.instance.Router().ClashServer()
+	if clashServer == nil {
+		return writeError(conn, E.New("Clash API disabled"))
+	}
+	clashServer.(*clashapi.Server).SetMode(newMode)
+	return writeError(conn, nil)
+}
+
+func (c *CommandClient) handleModeConn(conn net.Conn) {
+	defer conn.Close()
+
+	for {
+		newMode, err := rw.ReadVString(conn)
+		if err != nil {
+			c.handler.Disconnected(err.Error())
+			return
+		}
+		c.handler.UpdateClashMode(newMode)
+	}
+}
+
+func (s *CommandServer) handleModeConn(conn net.Conn) error {
+	defer conn.Close()
+	ctx := connKeepAlive(conn)
+	for s.service == nil {
+		select {
+		case <-time.After(time.Second):
+			continue
+		case <-ctx.Done():
+			return ctx.Err()
+		}
+	}
+	clashServer := s.service.instance.Router().ClashServer()
+	if clashServer == nil {
+		defer conn.Close()
+		return binary.Write(conn, binary.BigEndian, uint16(0))
+	}
+	err := writeClashModeList(conn, clashServer)
+	if err != nil {
+		return err
+	}
+	for {
+		select {
+		case <-s.modeUpdate:
+			err = rw.WriteVString(conn, clashServer.Mode())
+			if err != nil {
+				return err
+			}
+		case <-ctx.Done():
+			return ctx.Err()
+		}
+	}
+}
+
+func readClashModeList(reader io.Reader) (modeList []string, currentMode string, err error) {
+	var modeListLength uint16
+	err = binary.Read(reader, binary.BigEndian, &modeListLength)
+	if err != nil {
+		return
+	}
+	if modeListLength == 0 {
+		return
+	}
+	modeList = make([]string, modeListLength)
+	for i := 0; i < int(modeListLength); i++ {
+		modeList[i], err = rw.ReadVString(reader)
+		if err != nil {
+			return
+		}
+	}
+	currentMode, err = rw.ReadVString(reader)
+	return
+}
+
+func writeClashModeList(writer io.Writer, clashServer adapter.ClashServer) error {
+	modeList := clashServer.ModeList()
+	err := binary.Write(writer, binary.BigEndian, uint16(len(modeList)))
+	if err != nil {
+		return err
+	}
+	if len(modeList) > 0 {
+		for _, mode := range modeList {
+			err = rw.WriteVString(writer, mode)
+			if err != nil {
+				return err
+			}
+		}
+		err = rw.WriteVString(writer, clashServer.Mode())
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}

experimental/libbox/command_client.go

@@ -3,6 +3,7 @@ package libbox
 import (
 	"encoding/binary"
 	"net"
+	"os"
 	"path/filepath"
 
 	"github.com/sagernet/sing/common"
@@ -26,6 +27,8 @@ type CommandClientHandler interface {
 	WriteLog(message string)
 	WriteStatus(message *StatusMessage)
 	WriteGroups(message OutboundGroupIterator)
+	InitializeClashMode(modeList StringIterator, currentMode string)
+	UpdateClashMode(newMode string)
 }
 
 func NewStandaloneCommandClient() *CommandClient {
@@ -79,6 +82,23 @@ func (c *CommandClient) Connect() error {
 		}
 		c.handler.Connected()
 		go c.handleGroupConn(conn)
+	case CommandClashMode:
+		var (
+			modeList    []string
+			currentMode string
+		)
+		modeList, currentMode, err = readClashModeList(conn)
+		if err != nil {
+			return err
+		}
+		c.handler.Connected()
+		c.handler.InitializeClashMode(newIterator(modeList), currentMode)
+		if len(modeList) == 0 {
+			conn.Close()
+			c.handler.Disconnected(os.ErrInvalid.Error())
+			return nil
+		}
+		go c.handleModeConn(conn)
 	}
 	return nil
 }

experimental/libbox/command_group.go

@@ -199,6 +199,9 @@ func writeGroups(writer io.Writer, boxService *BoxService) error {
 			}
 			group.items = append(group.items, &item)
 		}
+		if len(group.items) < 2 {
+			continue
+		}
 		groups = append(groups, group)
 	}
 

experimental/libbox/command_server.go

@@ -8,6 +8,7 @@ import (
 	"sync"
 
 	"github.com/sagernet/sing-box/common/urltest"
+	"github.com/sagernet/sing-box/experimental/clashapi"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/debug"
@@ -28,8 +29,8 @@ type CommandServer struct {
 	observer   *observable.Observer[string]
 	service    *BoxService
 
-	urlTestListener *list.Element[func()]
-	urlTestUpdate   chan struct{}
+	urlTestUpdate chan struct{}
+	modeUpdate    chan struct{}
 }
 
 type CommandServerHandler interface {
@@ -43,20 +44,18 @@ func NewCommandServer(handler CommandServerHandler, maxLines int32) *CommandServ
 		maxLines:      int(maxLines),
 		subscriber:    observable.NewSubscriber[string](128),
 		urlTestUpdate: make(chan struct{}, 1),
+		modeUpdate:    make(chan struct{}, 1),
 	}
 	server.observer = observable.NewObserver[string](server.subscriber, 64)
 	return server
 }
 
 func (s *CommandServer) SetService(newService *BoxService) {
-	if s.service != nil && s.listener != nil {
-		service.PtrFromContext[urltest.HistoryStorage](s.service.ctx).RemoveListener(s.urlTestListener)
-		s.urlTestListener = nil
+	if newService != nil {
+		service.PtrFromContext[urltest.HistoryStorage](newService.ctx).SetHook(s.urlTestUpdate)
+		newService.instance.Router().ClashServer().(*clashapi.Server).SetModeUpdateHook(s.modeUpdate)
 	}
 	s.service = newService
-	if newService != nil {
-		s.urlTestListener = service.PtrFromContext[urltest.HistoryStorage](newService.ctx).AddListener(s.notifyURLTestUpdate)
-	}
 	s.notifyURLTestUpdate()
 }
 
@@ -156,6 +155,10 @@ func (s *CommandServer) handleConnection(conn net.Conn) error {
 		return s.handleURLTest(conn)
 	case CommandGroupExpand:
 		return s.handleSetGroupExpand(conn)
+	case CommandClashMode:
+		return s.handleModeConn(conn)
+	case CommandSetClashMode:
+		return s.handleSetClashMode(conn)
 	default:
 		return E.New("unknown command: ", command)
 	}

experimental/libbox/dns.go

@@ -49,6 +49,9 @@ func (p *platformLocalDNSTransport) Start() error {
 	return nil
 }
 
+func (p *platformLocalDNSTransport) Reset() {
+}
+
 func (p *platformLocalDNSTransport) Close() error {
 	return nil
 }

experimental/libbox/platform.go

@@ -19,6 +19,7 @@ type PlatformInterface interface {
 	UsePlatformInterfaceGetter() bool
 	GetInterfaces() (NetworkInterfaceIterator, error)
 	UnderNetworkExtension() bool
+	ClearDNSCache()
 }
 
 type TunInterface interface {

experimental/libbox/platform/interface.go

@@ -23,6 +23,7 @@ type Interface interface {
 	UsePlatformInterfaceGetter() bool
 	Interfaces() ([]NetworkInterface, error)
 	UnderNetworkExtension() bool
+	ClearDNSCache()
 	process.Searcher
 	io.Writer
 }

experimental/libbox/service.go

@@ -25,10 +25,11 @@ import (
 )
 
 type BoxService struct {
-	ctx          context.Context
-	cancel       context.CancelFunc
-	instance     *box.Box
-	pauseManager pause.Manager
+	ctx                   context.Context
+	cancel                context.CancelFunc
+	instance              *box.Box
+	pauseManager          pause.Manager
+	urlTestHistoryStorage *urltest.HistoryStorage
 }
 
 func NewService(configContent string, platformInterface PlatformInterface) (*BoxService, error) {
@@ -39,9 +40,10 @@ func NewService(configContent string, platformInterface PlatformInterface) (*Box
 	runtimeDebug.FreeOSMemory()
 	ctx, cancel := context.WithCancel(context.Background())
 	ctx = filemanager.WithDefault(ctx, sWorkingPath, sTempPath, sUserID, sGroupID)
-	ctx = service.ContextWithPtr(ctx, urltest.NewHistoryStorage())
-	sleepManager := pause.NewDefaultManager(ctx)
-	ctx = pause.ContextWithManager(ctx, sleepManager)
+	urlTestHistoryStorage := urltest.NewHistoryStorage()
+	ctx = service.ContextWithPtr(ctx, urlTestHistoryStorage)
+	pauseManager := pause.NewDefaultManager(ctx)
+	ctx = pause.ContextWithManager(ctx, pauseManager)
 	instance, err := box.New(box.Options{
 		Context:           ctx,
 		Options:           options,
@@ -53,10 +55,11 @@ func NewService(configContent string, platformInterface PlatformInterface) (*Box
 	}
 	runtimeDebug.FreeOSMemory()
 	return &BoxService{
-		ctx:          ctx,
-		cancel:       cancel,
-		instance:     instance,
-		pauseManager: sleepManager,
+		ctx:                   ctx,
+		cancel:                cancel,
+		instance:              instance,
+		urlTestHistoryStorage: urlTestHistoryStorage,
+		pauseManager:          pauseManager,
 	}, nil
 }
 
@@ -66,6 +69,7 @@ func (s *BoxService) Start() error {
 
 func (s *BoxService) Close() error {
 	s.cancel()
+	s.urlTestHistoryStorage.Close()
 	return s.instance.Close()
 }
 
@@ -194,3 +198,7 @@ func (w *platformInterfaceWrapper) Interfaces() ([]platform.NetworkInterface, er
 func (w *platformInterfaceWrapper) UnderNetworkExtension() bool {
 	return w.iif.UnderNetworkExtension()
 }
+
+func (w *platformInterfaceWrapper) ClearDNSCache() {
+	w.iif.ClearDNSCache()
+}

go.mod

@@ -6,6 +6,7 @@ require (
 	berty.tech/go-libtor v1.0.385
 	github.com/Dreamacro/clash v1.17.0
 	github.com/caddyserver/certmagic v0.19.2
+	github.com/cloudflare/circl v1.3.3
 	github.com/cretz/bine v0.2.0
 	github.com/dustin/go-humanize v1.0.1
 	github.com/fsnotify/fsnotify v1.6.0
@@ -20,14 +21,14 @@ require (
 	github.com/ooni/go-libtor v1.1.8
 	github.com/oschwald/maxminddb-golang v1.12.0
 	github.com/pires/go-proxyproto v0.7.0
-	github.com/sagernet/cloudflare-tls v0.0.0-20221031050923-d70792f4c3a0
+	github.com/sagernet/cloudflare-tls v0.0.0-20230829051644-4a68352d0c4a
 	github.com/sagernet/gomobile v0.0.0-20230728014906-3de089147f59
 	github.com/sagernet/gvisor v0.0.0-20230627031050-1ab0276e0dd2
-	github.com/sagernet/quic-go v0.0.0-20230824033040-30ef72e3be3e
+	github.com/sagernet/quic-go v0.0.0-20230831052420-45809eee2e86
 	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691
-	github.com/sagernet/sing v0.2.10-0.20230821073500-620f3a3b882d
-	github.com/sagernet/sing-dns v0.1.9-0.20230731012726-ad50da89b659
-	github.com/sagernet/sing-mux v0.1.3-0.20230811111955-dc1639b5204c
+	github.com/sagernet/sing v0.2.10-0.20230830132630-30bf19f2833c
+	github.com/sagernet/sing-dns v0.1.9-0.20230824120133-4d5cbceb40c1
+	github.com/sagernet/sing-mux v0.1.3-0.20230830095209-2a10ebd53ba8
 	github.com/sagernet/sing-shadowsocks v0.2.4
 	github.com/sagernet/sing-shadowsocks2 v0.1.3
 	github.com/sagernet/sing-shadowtls v0.1.4
@@ -42,7 +43,7 @@ require (
 	github.com/stretchr/testify v1.8.4
 	go.etcd.io/bbolt v1.3.7
 	go.uber.org/zap v1.25.0
-	go4.org/netipx v0.0.0-20230728184502-ec4c8b891b28
+	go4.org/netipx v0.0.0-20230824141953-6213f710f925
 	golang.org/x/crypto v0.12.0
 	golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63
 	golang.org/x/net v0.14.0
@@ -50,6 +51,7 @@ require (
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
 	google.golang.org/grpc v1.57.0
 	google.golang.org/protobuf v1.31.0
+	howett.net/plist v1.0.0
 )
 
 //replace github.com/sagernet/sing => ../sing
@@ -58,11 +60,9 @@ require (
 	github.com/Dreamacro/protobytes v0.0.0-20230617041236-6500a9f4f158 // indirect
 	github.com/ajg/form v1.5.1 // indirect
 	github.com/andybalholm/brotli v1.0.5 // indirect
-	github.com/cloudflare/circl v1.2.1-0.20221019164342-6ab4dfed8f3c // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
-	github.com/golang/mock v1.6.0 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/btree v1.1.2 // indirect
 	github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38 // indirect
@@ -77,7 +77,7 @@ require (
 	github.com/pierrec/lz4/v4 v4.1.14 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/quic-go/qpack v0.4.0 // indirect
-	github.com/quic-go/qtls-go1-20 v0.3.2 // indirect
+	github.com/quic-go/qtls-go1-20 v0.3.3 // indirect
 	github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61 // indirect
 	github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 // indirect
 	github.com/scjalliance/comshim v0.0.0-20230315213746-5e51f40bd3b9 // indirect

go.sum

@@ -14,8 +14,8 @@ github.com/caddyserver/certmagic v0.19.2/go.mod h1:fsL01NomQ6N+kE2j37ZCnig2MFosG
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
-github.com/cloudflare/circl v1.2.1-0.20221019164342-6ab4dfed8f3c h1:K1VdSnBZiGapczwcUKnE1qcsMBclA84DUOD2NG/78VY=
-github.com/cloudflare/circl v1.2.1-0.20221019164342-6ab4dfed8f3c/go.mod h1:+CauBF6R70Jqcyl8N2hC8pAXYbWkGIezuSbuGLtRhnw=
+github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs=
+github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
 github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/cretz/bine v0.1.0/go.mod h1:6PF6fWAvYtwjRGkAuDEJeWNOv3a2hUouSP/yRYXmvHw=
 github.com/cretz/bine v0.2.0 h1:8GiDRGlTgz+o8H9DSnsl+5MeBK4HsExxgl6WgzOCuZo=
@@ -40,8 +40,6 @@ github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEe
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
 github.com/gofrs/uuid/v5 v5.0.0 h1:p544++a97kEL+svbcFbCQVM9KFu0Yo25UoISXGNNH9M=
 github.com/gofrs/uuid/v5 v5.0.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
-github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
-github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
@@ -58,6 +56,7 @@ github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/insomniacslk/dhcp v0.0.0-20230816195147-b3ca2534940d h1:Ka64cclWedOkGzm9M2/XYuwJUdmWRUozmsxW0PyKA3A=
 github.com/insomniacslk/dhcp v0.0.0-20230816195147-b3ca2534940d/go.mod h1:7474bZ1YNCvarT6WFKie4kEET6J0KYRDC4XJqqXzQW4=
+github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/josharian/native v1.0.1-0.20221213033349-c1e37c09b531/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA=
 github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
@@ -94,11 +93,11 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/quic-go/qpack v0.4.0 h1:Cr9BXA1sQS2SmDUWjSofMPNKmvF6IiIfDRmgU0w1ZCo=
 github.com/quic-go/qpack v0.4.0/go.mod h1:UZVnYIfi5GRk+zI9UMaCPsmZ2xKJP7XBUvVyT1Knj9A=
-github.com/quic-go/qtls-go1-20 v0.3.2 h1:rRgN3WfnKbyik4dBV8A6girlJVxGand/d+jVKbQq5GI=
-github.com/quic-go/qtls-go1-20 v0.3.2/go.mod h1:X9Nh97ZL80Z+bX/gUXMbipO6OxdiDi58b/fMC9mAL+k=
+github.com/quic-go/qtls-go1-20 v0.3.3 h1:17/glZSLI9P9fDAeyCHBFSWSqJcwx1byhLwP5eUIDCM=
+github.com/quic-go/qtls-go1-20 v0.3.3/go.mod h1:X9Nh97ZL80Z+bX/gUXMbipO6OxdiDi58b/fMC9mAL+k=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/sagernet/cloudflare-tls v0.0.0-20221031050923-d70792f4c3a0 h1:KyhtFFt1Jtp5vW2ohNvstvQffTOQ/s5vENuGXzdA+TM=
-github.com/sagernet/cloudflare-tls v0.0.0-20221031050923-d70792f4c3a0/go.mod h1:D4SFEOkJK+4W1v86ZhX0jPM0rAL498fyQAChqMtes/I=
+github.com/sagernet/cloudflare-tls v0.0.0-20230829051644-4a68352d0c4a h1:wZHruBxZCsQLXHAozWpnJBL3wJ/XufDpz0qKtgpSnA4=
+github.com/sagernet/cloudflare-tls v0.0.0-20230829051644-4a68352d0c4a/go.mod h1:dNV1ZP9y3qx5ltULeKaQZTZWTLHflgW5DES+Ses7cMI=
 github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61 h1:5+m7c6AkmAylhauulqN/c5dnh8/KssrE9c93TQrXldA=
 github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61/go.mod h1:QUQ4RRHD6hGGHdFMEtR8T2P6GS6R3D/CXKdaYHKKXms=
 github.com/sagernet/gomobile v0.0.0-20230728014906-3de089147f59 h1:vN4divY6LYHcYmiTsCHNPmGZtEsEKJzh81LyvgAQfEQ=
@@ -107,18 +106,18 @@ github.com/sagernet/gvisor v0.0.0-20230627031050-1ab0276e0dd2 h1:dnkKrzapqtAwjTS
 github.com/sagernet/gvisor v0.0.0-20230627031050-1ab0276e0dd2/go.mod h1:1JUiV7nGuf++YFm9eWZ8q2lrwHmhcUGzptMl/vL1+LA=
 github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 h1:iL5gZI3uFp0X6EslacyapiRz7LLSJyr4RajF/BhMVyE=
 github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
-github.com/sagernet/quic-go v0.0.0-20230824033040-30ef72e3be3e h1:URg7GQT9Mp0b6m/LXH1NgVT3P/ybVomvy2kkfA6QIHQ=
-github.com/sagernet/quic-go v0.0.0-20230824033040-30ef72e3be3e/go.mod h1:7DXnweBVxZ7CQWsCdc7QAAQ65dFPEtenfz+w6WDESlI=
+github.com/sagernet/quic-go v0.0.0-20230831052420-45809eee2e86 h1:g4TEg9inAtA1FDTXpNrvmx72nN5mTOLQrJce6fVxF9g=
+github.com/sagernet/quic-go v0.0.0-20230831052420-45809eee2e86/go.mod h1:O4Cj7TmMOvqD6S0XMqJRZfcYzA3m0H0ARbbaJFB0p7A=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 h1:5Th31OC6yj8byLGkEnIYp6grlXfo1QYUfiYFGjewIdc=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
 github.com/sagernet/sing v0.0.0-20220817130738-ce854cda8522/go.mod h1:QVsS5L/ZA2Q5UhQwLrn0Trw+msNd/NPGEhBKR/ioWiY=
 github.com/sagernet/sing v0.1.8/go.mod h1:jt1w2u7lJQFFSGLiRrRIs5YWmx4kAPfWuOejuDW9qMk=
-github.com/sagernet/sing v0.2.10-0.20230821073500-620f3a3b882d h1:4kgoOCE48CuQcBUcoRnE0QTPXkl8yM8i7Nipmzp/978=
-github.com/sagernet/sing v0.2.10-0.20230821073500-620f3a3b882d/go.mod h1:9uOZwWkhT2Z2WldolLxX34s+1svAX4i4vvz5hy8u1MA=
-github.com/sagernet/sing-dns v0.1.9-0.20230731012726-ad50da89b659 h1:1DAKccGNqTYJ8nsBR765FS0LVBVXfuFlFAHqKsGN3EI=
-github.com/sagernet/sing-dns v0.1.9-0.20230731012726-ad50da89b659/go.mod h1:W7GHTZFS8RkoLI3bA2LFY27/0E+uoQESWtMFLepO/JA=
-github.com/sagernet/sing-mux v0.1.3-0.20230811111955-dc1639b5204c h1:35/FowAvt3Z62mck0TXzVc4jS5R5CWq62qcV2P1cp0I=
-github.com/sagernet/sing-mux v0.1.3-0.20230811111955-dc1639b5204c/go.mod h1:TKxqIvfQQgd36jp2tzsPavGjYTVZilV+atip1cssjIY=
+github.com/sagernet/sing v0.2.10-0.20230830132630-30bf19f2833c h1:J2ptRncTNy+ZHfcFYSBfTmpvmgNlSEUZz6sDjh1np/Y=
+github.com/sagernet/sing v0.2.10-0.20230830132630-30bf19f2833c/go.mod h1:9uOZwWkhT2Z2WldolLxX34s+1svAX4i4vvz5hy8u1MA=
+github.com/sagernet/sing-dns v0.1.9-0.20230824120133-4d5cbceb40c1 h1:5w+jXz8y/8UQAxO74TjftN5okYkpg5mGvVxXunlKdqI=
+github.com/sagernet/sing-dns v0.1.9-0.20230824120133-4d5cbceb40c1/go.mod h1:Kg98PBJEg/08jsNFtmZWmPomhskn9Ausn50ecNm4M+8=
+github.com/sagernet/sing-mux v0.1.3-0.20230830095209-2a10ebd53ba8 h1:UyUkEUEGqfIGqzOJ7OuJry4slgcT/qb0etDJ+89LTAs=
+github.com/sagernet/sing-mux v0.1.3-0.20230830095209-2a10ebd53ba8/go.mod h1:TKxqIvfQQgd36jp2tzsPavGjYTVZilV+atip1cssjIY=
 github.com/sagernet/sing-shadowsocks v0.2.4 h1:s/CqXlvFAZhlIoHWUwPw5CoNnQ9Ibki9pckjuugtVfY=
 github.com/sagernet/sing-shadowsocks v0.2.4/go.mod h1:80fNKP0wnqlu85GZXV1H1vDPC/2t+dQbFggOw4XuFUM=
 github.com/sagernet/sing-shadowsocks2 v0.1.3 h1:WXoLvCFi5JTFBRYorf1YePGYIQyJ/zbsBM6Fwbl5kGA=
@@ -155,7 +154,6 @@ github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923 h1:tHNk7XK9GkmKUR6Gh8gV
 github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923/go.mod h1:eLL9Nub3yfAho7qB0MzZizFhTU2QkLeoVsWdHtDW264=
 github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 h1:gga7acRE695APm9hlsSMoOoE65U4/TcqNj90mc69Rlg=
 github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
-github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/zeebo/assert v1.1.0 h1:hU1L1vLTHsnO8x8c9KAR5GmM5QscxHg5RNU5z5qbUWY=
 github.com/zeebo/assert v1.1.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0=
 github.com/zeebo/blake3 v0.2.3 h1:TFoLXsjeXqRNFxSbk35Dk4YtszE/MQQGK10BH4ptoTg=
@@ -169,38 +167,26 @@ go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.25.0 h1:4Hvk6GtkucQ790dqmj7l1eEnRdKm3k3ZUrUMS2d5+5c=
 go.uber.org/zap v1.25.0/go.mod h1:JIAUzQIH94IC4fOJQm7gMmBJP5k7wQfdcnYdPoEXJYk=
-go4.org/netipx v0.0.0-20230728184502-ec4c8b891b28 h1:zLxFnORHDFTSkJPawMU7LzsuGQJ4MUFS653jJHpORow=
-go4.org/netipx v0.0.0-20230728184502-ec4c8b891b28/go.mod h1:TQvodOM+hJTioNQJilmLXu08JNb8i+ccq418+KWu1/Y=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+go4.org/netipx v0.0.0-20230824141953-6213f710f925 h1:eeQDDVKFkx0g4Hyy8pHgmZaK0EqB4SD6rvKbUdN3ziQ=
+go4.org/netipx v0.0.0-20230824141953-6213f710f925/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
 golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk=
 golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
 golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63 h1:m64FZMko/V45gv0bNmrNYoDEq8U5YUhetc9cBWKS1TQ=
 golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63/go.mod h1:0v4NqG35kSWCMzLaMeX+IQrlSnVE/bqGSyC2cz/9Le8=
-golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14=
 golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220622161953-175b2fd9d664/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220731174439-a90be440212d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -210,7 +196,6 @@ golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM=
 golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.11.0 h1:F9tnn/DA/Im8nCwm+fX+1/eBwi4qFjRT++MhtVC4ZX0=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc=
@@ -218,14 +203,9 @@ golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
 golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846 h1:Vve/L0v7CXXuxUmaMGIEK/dEeq7uiqb5qBgQrZzIE7E=
 golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846/go.mod h1:Sc0INKfu04TlqNoRA1hgpFZbhYXHPr4V5DzpSBTPqQM=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6 h1:CawjfCvYQH2OU3/TnxLx97WDSUDRABfT18pCOYwc2GE=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6/go.mod h1:3rxYc4HtVcSG9gVaTs2GEBdehh+sYPOwKtyUWEOTb80=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19 h1:0nDDozoAU19Qb2HwhXadU8OcsiO/09cnTqhUtq2MEOM=
@@ -239,8 +219,11 @@ google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqw
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0/go.mod h1:WDnlLJ4WF5VGsH/HVa3CI79GS0ol3YnhVnKP89i0kNg=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+howett.net/plist v1.0.0 h1:7CrbWYbPPO/PyNy38b2EB/+gYbjCe2DXBxgtOOZbSQM=
+howett.net/plist v1.0.0/go.mod h1:lqaXoTrLY4hg8tnEzNru53gicrbv7rrk+2xJA/7hw9g=
 lukechampine.com/blake3 v1.2.1 h1:YuqqRuaqsGV71BV/nm9xlI0MKUv4QC54jQnBChWbGnI=
 lukechampine.com/blake3 v1.2.1/go.mod h1:0OFRp7fBtAylGVCO40o87sbupkyIGgbpv1+M1k1LM6k=

inbound/builder.go

@@ -46,6 +46,8 @@ func New(ctx context.Context, router adapter.Router, logger log.ContextLogger, o
 		return NewVLESS(ctx, router, logger, options.Tag, options.VLESSOptions)
 	case C.TypeTUIC:
 		return NewTUIC(ctx, router, logger, options.Tag, options.TUICOptions)
+	case C.TypeHysteria2:
+		return NewHysteria2(ctx, router, logger, options.Tag, options.Hysteria2Options)
 	default:
 		return nil, E.New("unknown inbound type: ", options.Type)
 	}

inbound/http.go

@@ -44,7 +44,7 @@ func NewHTTP(ctx context.Context, router adapter.Router, logger log.ContextLogge
 		authenticator: auth.NewAuthenticator(options.Users),
 	}
 	if options.TLS != nil {
-		tlsConfig, err := tls.NewServer(ctx, router, logger, common.PtrValueOrDefault(options.TLS))
+		tlsConfig, err := tls.NewServer(ctx, logger, common.PtrValueOrDefault(options.TLS))
 		if err != nil {
 			return nil, err
 		}

inbound/hysteria.go

@@ -9,6 +9,7 @@ import (
 	"github.com/sagernet/quic-go"
 	"github.com/sagernet/quic-go/congestion"
 	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/qtls"
 	"github.com/sagernet/sing-box/common/tls"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
@@ -35,7 +36,7 @@ type Hysteria struct {
 	xplusKey     []byte
 	sendBPS      uint64
 	recvBPS      uint64
-	listener     *quic.Listener
+	listener     qtls.QUICListener
 	udpAccess    sync.RWMutex
 	udpSessionId uint32
 	udpSessions  map[uint32]chan *hysteria.UDPMessage
@@ -126,7 +127,7 @@ func NewHysteria(ctx context.Context, router adapter.Router, logger log.ContextL
 	if len(options.TLS.ALPN) == 0 {
 		options.TLS.ALPN = []string{hysteria.DefaultALPN}
 	}
-	tlsConfig, err := tls.NewServer(ctx, router, logger, common.PtrValueOrDefault(options.TLS))
+	tlsConfig, err := tls.NewServer(ctx, logger, common.PtrValueOrDefault(options.TLS))
 	if err != nil {
 		return nil, err
 	}
@@ -147,11 +148,7 @@ func (h *Hysteria) Start() error {
 	if err != nil {
 		return err
 	}
-	rawConfig, err := h.tlsConfig.Config()
-	if err != nil {
-		return err
-	}
-	listener, err := quic.Listen(packetConn, rawConfig, h.quicConfig)
+	listener, err := qtls.Listen(packetConn, h.tlsConfig, h.quicConfig)
 	if err != nil {
 		return err
 	}
@@ -333,7 +330,7 @@ func (h *Hysteria) Close() error {
 	h.udpAccess.Unlock()
 	return common.Close(
 		&h.myInboundAdapter,
-		common.PtrOrNil(h.listener),
+		h.listener,
 		h.tlsConfig,
 	)
 }

inbound/hysteria2.go

@@ -0,0 +1,144 @@
+//go:build with_quic
+
+package inbound
+
+import (
+	"context"
+	"net"
+	"net/http"
+	"net/http/httputil"
+	"net/url"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/tls"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing-box/transport/hysteria2"
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/auth"
+	E "github.com/sagernet/sing/common/exceptions"
+	N "github.com/sagernet/sing/common/network"
+)
+
+var _ adapter.Inbound = (*Hysteria2)(nil)
+
+type Hysteria2 struct {
+	myInboundAdapter
+	tlsConfig tls.ServerConfig
+	server    *hysteria2.Server
+}
+
+func NewHysteria2(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.Hysteria2InboundOptions) (*Hysteria2, error) {
+	if options.TLS == nil || !options.TLS.Enabled {
+		return nil, C.ErrTLSRequired
+	}
+	tlsConfig, err := tls.NewServer(ctx, logger, common.PtrValueOrDefault(options.TLS))
+	if err != nil {
+		return nil, err
+	}
+	var salamanderPassword string
+	if options.Obfs != nil {
+		if options.Obfs.Password == "" {
+			return nil, E.New("missing obfs password")
+		}
+		switch options.Obfs.Type {
+		case hysteria2.ObfsTypeSalamander:
+			salamanderPassword = options.Obfs.Password
+		default:
+			return nil, E.New("unknown obfs type: ", options.Obfs.Type)
+		}
+	}
+	var masqueradeHandler http.Handler
+	if options.Masquerade != "" {
+		masqueradeURL, err := url.Parse(options.Masquerade)
+		if err != nil {
+			return nil, E.Cause(err, "parse masquerade URL")
+		}
+		switch masqueradeURL.Scheme {
+		case "file":
+			masqueradeHandler = http.FileServer(http.Dir(masqueradeURL.Path))
+		case "http", "https":
+			masqueradeHandler = &httputil.ReverseProxy{
+				Rewrite: func(r *httputil.ProxyRequest) {
+					r.SetURL(masqueradeURL)
+					r.Out.Host = r.In.Host
+				},
+				ErrorHandler: func(w http.ResponseWriter, r *http.Request, err error) {
+					w.WriteHeader(http.StatusBadGateway)
+				},
+			}
+		default:
+			return nil, E.New("unknown masquerade URL scheme: ", masqueradeURL.Scheme)
+		}
+	}
+	inbound := &Hysteria2{
+		myInboundAdapter: myInboundAdapter{
+			protocol:      C.TypeHysteria2,
+			network:       []string{N.NetworkUDP},
+			ctx:           ctx,
+			router:        router,
+			logger:        logger,
+			tag:           tag,
+			listenOptions: options.ListenOptions,
+		},
+		tlsConfig: tlsConfig,
+	}
+	server, err := hysteria2.NewServer(hysteria2.ServerOptions{
+		Context:            ctx,
+		Logger:             logger,
+		SendBPS:            uint64(options.UpMbps * 1024 * 1024),
+		ReceiveBPS:         uint64(options.DownMbps * 1024 * 1024),
+		SalamanderPassword: salamanderPassword,
+		TLSConfig:          tlsConfig,
+		Users: common.Map(options.Users, func(it option.Hysteria2User) hysteria2.User {
+			return hysteria2.User(it)
+		}),
+		IgnoreClientBandwidth: options.IgnoreClientBandwidth,
+		Handler:               adapter.NewUpstreamHandler(adapter.InboundContext{}, inbound.newConnection, inbound.newPacketConnection, nil),
+		MasqueradeHandler:     masqueradeHandler,
+	})
+	if err != nil {
+		return nil, err
+	}
+	inbound.server = server
+	return inbound, nil
+}
+
+func (h *Hysteria2) newConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
+	ctx = log.ContextWithNewID(ctx)
+	h.logger.InfoContext(ctx, "inbound connection to ", metadata.Destination)
+	metadata = h.createMetadata(conn, metadata)
+	metadata.User, _ = auth.UserFromContext[string](ctx)
+	return h.router.RouteConnection(ctx, conn, metadata)
+}
+
+func (h *Hysteria2) newPacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
+	ctx = log.ContextWithNewID(ctx)
+	metadata = h.createPacketMetadata(conn, metadata)
+	metadata.User, _ = auth.UserFromContext[string](ctx)
+	h.logger.InfoContext(ctx, "inbound packet connection to ", metadata.Destination)
+	return h.router.RoutePacketConnection(ctx, conn, metadata)
+}
+
+func (h *Hysteria2) Start() error {
+	if h.tlsConfig != nil {
+		err := h.tlsConfig.Start()
+		if err != nil {
+			return err
+		}
+	}
+	packetConn, err := h.myInboundAdapter.ListenUDP()
+	if err != nil {
+		return err
+	}
+	return h.server.Start(packetConn)
+}
+
+func (h *Hysteria2) Close() error {
+	return common.Close(
+		&h.myInboundAdapter,
+		h.tlsConfig,
+		common.PtrOrNil(h.server),
+	)
+}

inbound/hysteria_stub.go

@@ -14,3 +14,7 @@ import (
 func NewHysteria(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.HysteriaInboundOptions) (adapter.Inbound, error) {
 	return nil, C.ErrQUICNotIncluded
 }
+
+func NewHysteria2(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.Hysteria2InboundOptions) (adapter.Inbound, error) {
+	return nil, C.ErrQUICNotIncluded
+}

inbound/naive.go

@@ -60,7 +60,7 @@ func NewNaive(ctx context.Context, router adapter.Router, logger log.ContextLogg
 		return nil, E.New("missing users")
 	}
 	if options.TLS != nil {
-		tlsConfig, err := tls.NewServer(ctx, router, logger, common.PtrValueOrDefault(options.TLS))
+		tlsConfig, err := tls.NewServer(ctx, logger, common.PtrValueOrDefault(options.TLS))
 		if err != nil {
 			return nil, err
 		}
@@ -582,7 +582,7 @@ func (c *naiveH2Conn) Close() error {
 }
 
 func (c *naiveH2Conn) LocalAddr() net.Addr {
-	return nil
+	return M.Socksaddr{}
 }
 
 func (c *naiveH2Conn) RemoteAddr() net.Addr {

inbound/naive_quic.go

@@ -3,28 +3,39 @@
 package inbound
 
 import (
+	"github.com/sagernet/quic-go"
 	"github.com/sagernet/quic-go/http3"
+	"github.com/sagernet/sing-box/common/qtls"
 	E "github.com/sagernet/sing/common/exceptions"
 )
 
 func (n *Naive) configureHTTP3Listener() error {
-	tlsConfig, err := n.tlsConfig.Config()
+	err := qtls.ConfigureHTTP3(n.tlsConfig)
 	if err != nil {
 		return err
 	}
-	h3Server := &http3.Server{
-		Port:      int(n.listenOptions.ListenPort),
-		TLSConfig: tlsConfig,
-		Handler:   n,
-	}
 
 	udpConn, err := n.ListenUDP()
 	if err != nil {
 		return err
 	}
 
+	quicListener, err := qtls.ListenEarly(udpConn, n.tlsConfig, &quic.Config{
+		MaxIncomingStreams: 1 << 60,
+		Allow0RTT:          true,
+	})
+	if err != nil {
+		udpConn.Close()
+		return err
+	}
+
+	h3Server := &http3.Server{
+		Port:    int(n.listenOptions.ListenPort),
+		Handler: n,
+	}
+
 	go func() {
-		sErr := h3Server.Serve(udpConn)
+		sErr := h3Server.ServeListener(quicListener)
 		udpConn.Close()
 		if sErr != nil && !E.IsClosedOrCanceled(sErr) {
 			n.logger.Error("http3 server serve error: ", sErr)

inbound/shadowsocks.go

@@ -16,6 +16,7 @@ import (
 	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
 	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/common/ntp"
 )
 
 func NewShadowsocks(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.ShadowsocksInboundOptions) (adapter.Inbound, error) {
@@ -68,7 +69,7 @@ func newShadowsocks(ctx context.Context, router adapter.Router, logger log.Conte
 	case common.Contains(shadowaead.List, options.Method):
 		inbound.service, err = shadowaead.NewService(options.Method, nil, options.Password, udpTimeout, inbound.upstreamContextHandler())
 	case common.Contains(shadowaead_2022.List, options.Method):
-		inbound.service, err = shadowaead_2022.NewServiceWithPassword(options.Method, options.Password, udpTimeout, inbound.upstreamContextHandler(), router.TimeFunc())
+		inbound.service, err = shadowaead_2022.NewServiceWithPassword(options.Method, options.Password, udpTimeout, inbound.upstreamContextHandler(), ntp.TimeFuncFromContext(ctx))
 	default:
 		err = E.New("unsupported method: ", options.Method)
 	}

inbound/shadowsocks_multi.go

@@ -18,6 +18,7 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
 	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/common/ntp"
 )
 
 var (
@@ -61,7 +62,7 @@ func newShadowsocksMulti(ctx context.Context, router adapter.Router, logger log.
 			options.Password,
 			udpTimeout,
 			adapter.NewUpstreamContextHandler(inbound.newConnection, inbound.newPacketConnection, inbound),
-			router.TimeFunc(),
+			ntp.TimeFuncFromContext(ctx),
 		)
 	} else if common.Contains(shadowaead.List, options.Method) {
 		service, err = shadowaead.NewMultiService[int](

inbound/trojan.go

@@ -49,7 +49,7 @@ func NewTrojan(ctx context.Context, router adapter.Router, logger log.ContextLog
 		users: options.Users,
 	}
 	if options.TLS != nil {
-		tlsConfig, err := tls.NewServer(ctx, router, logger, common.PtrValueOrDefault(options.TLS))
+		tlsConfig, err := tls.NewServer(ctx, logger, common.PtrValueOrDefault(options.TLS))
 		if err != nil {
 			return nil, err
 		}

inbound/tuic.go

@@ -34,11 +34,7 @@ func NewTUIC(ctx context.Context, router adapter.Router, logger log.ContextLogge
 	if options.TLS == nil || !options.TLS.Enabled {
 		return nil, C.ErrTLSRequired
 	}
-	tlsConfig, err := tls.NewServer(ctx, router, logger, common.PtrValueOrDefault(options.TLS))
-	if err != nil {
-		return nil, err
-	}
-	rawConfig, err := tlsConfig.Config()
+	tlsConfig, err := tls.NewServer(ctx, logger, common.PtrValueOrDefault(options.TLS))
 	if err != nil {
 		return nil, err
 	}
@@ -67,7 +63,7 @@ func NewTUIC(ctx context.Context, router adapter.Router, logger log.ContextLogge
 	server, err := tuic.NewServer(tuic.ServerOptions{
 		Context:           ctx,
 		Logger:            logger,
-		TLSConfig:         rawConfig,
+		TLSConfig:         tlsConfig,
 		Users:             users,
 		CongestionControl: options.CongestionControl,
 		AuthTimeout:       time.Duration(options.AuthTimeout),
@@ -115,6 +111,7 @@ func (h *TUIC) Start() error {
 func (h *TUIC) Close() error {
 	return common.Close(
 		&h.myInboundAdapter,
+		h.tlsConfig,
 		common.PtrOrNil(h.server),
 	)
 }

inbound/vless.go

@@ -61,7 +61,7 @@ func NewVLESS(ctx context.Context, router adapter.Router, logger log.ContextLogg
 	inbound.service = service
 	var err error
 	if options.TLS != nil {
-		inbound.tlsConfig, err = tls.NewServer(ctx, router, logger, common.PtrValueOrDefault(options.TLS))
+		inbound.tlsConfig, err = tls.NewServer(ctx, logger, common.PtrValueOrDefault(options.TLS))
 		if err != nil {
 			return nil, err
 		}

inbound/vmess.go

@@ -19,6 +19,7 @@ import (
 	F "github.com/sagernet/sing/common/format"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/common/ntp"
 )
 
 var (
@@ -50,7 +51,7 @@ func NewVMess(ctx context.Context, router adapter.Router, logger log.ContextLogg
 		users: options.Users,
 	}
 	var serviceOptions []vmess.ServiceOption
-	if timeFunc := router.TimeFunc(); timeFunc != nil {
+	if timeFunc := ntp.TimeFuncFromContext(ctx); timeFunc != nil {
 		serviceOptions = append(serviceOptions, vmess.ServiceWithTimeFunc(timeFunc))
 	}
 	if options.Transport != nil && options.Transport.Type != "" {
@@ -69,7 +70,7 @@ func NewVMess(ctx context.Context, router adapter.Router, logger log.ContextLogg
 		return nil, err
 	}
 	if options.TLS != nil {
-		inbound.tlsConfig, err = tls.NewServer(ctx, router, logger, common.PtrValueOrDefault(options.TLS))
+		inbound.tlsConfig, err = tls.NewServer(ctx, logger, common.PtrValueOrDefault(options.TLS))
 		if err != nil {
 			return nil, err
 		}

mkdocs.yml

@@ -87,6 +87,7 @@ nav:
           - ShadowTLS: configuration/inbound/shadowtls.md
           - VLESS: configuration/inbound/vless.md
           - TUIC: configuration/inbound/tuic.md
+          - Hysteria2: configuration/inbound/hysteria2.md
           - Tun: configuration/inbound/tun.md
           - Redirect: configuration/inbound/redirect.md
           - TProxy: configuration/inbound/tproxy.md
@@ -105,6 +106,7 @@ nav:
           - ShadowsocksR: configuration/outbound/shadowsocksr.md
           - VLESS: configuration/outbound/vless.md
           - TUIC: configuration/outbound/tuic.md
+          - Hysteria2: configuration/outbound/hysteria2.md
           - Tor: configuration/outbound/tor.md
           - SSH: configuration/outbound/ssh.md
           - DNS: configuration/outbound/dns.md

ntp/service.go

@@ -18,7 +18,7 @@ import (
 	"github.com/sagernet/sing/common/ntp"
 )
 
-var _ adapter.TimeService = (*Service)(nil)
+var _ ntp.TimeService = (*Service)(nil)
 
 type Service struct {
 	ctx           context.Context

option/clash.go

@@ -7,10 +7,13 @@ type ClashAPIOptions struct {
 	ExternalUIDownloadDetour string `json:"external_ui_download_detour,omitempty"`
 	Secret                   string `json:"secret,omitempty"`
 	DefaultMode              string `json:"default_mode,omitempty"`
+	StoreMode                bool   `json:"store_mode,omitempty"`
 	StoreSelected            bool   `json:"store_selected,omitempty"`
 	StoreFakeIP              bool   `json:"store_fakeip,omitempty"`
 	CacheFile                string `json:"cache_file,omitempty"`
 	CacheID                  string `json:"cache_id,omitempty"`
+
+	ModeList []string `json:"-"`
 }
 
 type SelectorOutboundOptions struct {

option/hysteria2.go

@@ -0,0 +1,33 @@
+package option
+
+type Hysteria2InboundOptions struct {
+	ListenOptions
+	UpMbps                int                `json:"up_mbps,omitempty"`
+	DownMbps              int                `json:"down_mbps,omitempty"`
+	Obfs                  *Hysteria2Obfs     `json:"obfs,omitempty"`
+	Users                 []Hysteria2User    `json:"users,omitempty"`
+	IgnoreClientBandwidth bool               `json:"ignore_client_bandwidth,omitempty"`
+	TLS                   *InboundTLSOptions `json:"tls,omitempty"`
+	Masquerade            string             `json:"masquerade,omitempty"`
+}
+
+type Hysteria2Obfs struct {
+	Type     string `json:"type,omitempty"`
+	Password string `json:"password,omitempty"`
+}
+
+type Hysteria2User struct {
+	Name     string `json:"name,omitempty"`
+	Password string `json:"password,omitempty"`
+}
+
+type Hysteria2OutboundOptions struct {
+	DialerOptions
+	ServerOptions
+	UpMbps   int                 `json:"up_mbps,omitempty"`
+	DownMbps int                 `json:"down_mbps,omitempty"`
+	Obfs     *Hysteria2Obfs      `json:"obfs,omitempty"`
+	Password string              `json:"password,omitempty"`
+	Network  NetworkList         `json:"network,omitempty"`
+	TLS      *OutboundTLSOptions `json:"tls,omitempty"`
+}

option/inbound.go

@@ -24,6 +24,7 @@ type _Inbound struct {
 	ShadowTLSOptions   ShadowTLSInboundOptions   `json:"-"`
 	VLESSOptions       VLESSInboundOptions       `json:"-"`
 	TUICOptions        TUICInboundOptions        `json:"-"`
+	Hysteria2Options   Hysteria2InboundOptions   `json:"-"`
 }
 
 type Inbound _Inbound
@@ -61,6 +62,8 @@ func (h Inbound) MarshalJSON() ([]byte, error) {
 		v = h.VLESSOptions
 	case C.TypeTUIC:
 		v = h.TUICOptions
+	case C.TypeHysteria2:
+		v = h.Hysteria2Options
 	default:
 		return nil, E.New("unknown inbound type: ", h.Type)
 	}
@@ -104,6 +107,8 @@ func (h *Inbound) UnmarshalJSON(bytes []byte) error {
 		v = &h.VLESSOptions
 	case C.TypeTUIC:
 		v = &h.TUICOptions
+	case C.TypeHysteria2:
+		v = &h.Hysteria2Options
 	default:
 		return E.New("unknown inbound type: ", h.Type)
 	}

option/outbound.go

@@ -24,6 +24,7 @@ type _Outbound struct {
 	ShadowsocksROptions ShadowsocksROutboundOptions `json:"-"`
 	VLESSOptions        VLESSOutboundOptions        `json:"-"`
 	TUICOptions         TUICOutboundOptions         `json:"-"`
+	Hysteria2Options    Hysteria2OutboundOptions    `json:"-"`
 	SelectorOptions     SelectorOutboundOptions     `json:"-"`
 	URLTestOptions      URLTestOutboundOptions      `json:"-"`
 }
@@ -63,6 +64,8 @@ func (h Outbound) MarshalJSON() ([]byte, error) {
 		v = h.VLESSOptions
 	case C.TypeTUIC:
 		v = h.TUICOptions
+	case C.TypeHysteria2:
+		v = h.Hysteria2Options
 	case C.TypeSelector:
 		v = h.SelectorOptions
 	case C.TypeURLTest:
@@ -110,6 +113,8 @@ func (h *Outbound) UnmarshalJSON(bytes []byte) error {
 		v = &h.VLESSOptions
 	case C.TypeTUIC:
 		v = &h.TUICOptions
+	case C.TypeHysteria2:
+		v = &h.Hysteria2Options
 	case C.TypeSelector:
 		v = &h.SelectorOptions
 	case C.TypeURLTest:

option/tls.go

@@ -8,11 +8,12 @@ type InboundTLSOptions struct {
 	MinVersion      string                 `json:"min_version,omitempty"`
 	MaxVersion      string                 `json:"max_version,omitempty"`
 	CipherSuites    Listable[string]       `json:"cipher_suites,omitempty"`
-	Certificate     string                 `json:"certificate,omitempty"`
+	Certificate     Listable[string]       `json:"certificate,omitempty"`
 	CertificatePath string                 `json:"certificate_path,omitempty"`
-	Key             string                 `json:"key,omitempty"`
+	Key             Listable[string]       `json:"key,omitempty"`
 	KeyPath         string                 `json:"key_path,omitempty"`
 	ACME            *InboundACMEOptions    `json:"acme,omitempty"`
+	ECH             *InboundECHOptions     `json:"ech,omitempty"`
 	Reality         *InboundRealityOptions `json:"reality,omitempty"`
 }
 
@@ -45,11 +46,20 @@ type InboundRealityHandshakeOptions struct {
 	DialerOptions
 }
 
+type InboundECHOptions struct {
+	Enabled                     bool             `json:"enabled,omitempty"`
+	PQSignatureSchemesEnabled   bool             `json:"pq_signature_schemes_enabled,omitempty"`
+	DynamicRecordSizingDisabled bool             `json:"dynamic_record_sizing_disabled,omitempty"`
+	Key                         Listable[string] `json:"key,omitempty"`
+	KeyPath                     string           `json:"key_path,omitempty"`
+}
+
 type OutboundECHOptions struct {
-	Enabled                     bool   `json:"enabled,omitempty"`
-	PQSignatureSchemesEnabled   bool   `json:"pq_signature_schemes_enabled,omitempty"`
-	DynamicRecordSizingDisabled bool   `json:"dynamic_record_sizing_disabled,omitempty"`
-	Config                      string `json:"config,omitempty"`
+	Enabled                     bool             `json:"enabled,omitempty"`
+	PQSignatureSchemesEnabled   bool             `json:"pq_signature_schemes_enabled,omitempty"`
+	DynamicRecordSizingDisabled bool             `json:"dynamic_record_sizing_disabled,omitempty"`
+	Config                      Listable[string] `json:"config,omitempty"`
+	ConfigPath                  string           `json:"config_path,omitempty"`
 }
 
 type OutboundUTLSOptions struct {

outbound/builder.go

@@ -30,7 +30,7 @@ func New(ctx context.Context, router adapter.Router, logger log.ContextLogger, t
 	case C.TypeSOCKS:
 		return NewSocks(router, logger, tag, options.SocksOptions)
 	case C.TypeHTTP:
-		return NewHTTP(router, logger, tag, options.HTTPOptions)
+		return NewHTTP(ctx, router, logger, tag, options.HTTPOptions)
 	case C.TypeShadowsocks:
 		return NewShadowsocks(ctx, router, logger, tag, options.ShadowsocksOptions)
 	case C.TypeVMess:
@@ -53,6 +53,8 @@ func New(ctx context.Context, router adapter.Router, logger log.ContextLogger, t
 		return NewVLESS(ctx, router, logger, tag, options.VLESSOptions)
 	case C.TypeTUIC:
 		return NewTUIC(ctx, router, logger, tag, options.TUICOptions)
+	case C.TypeHysteria2:
+		return NewHysteria2(ctx, router, logger, tag, options.Hysteria2Options)
 	case C.TypeSelector:
 		return NewSelector(router, logger, tag, options.SelectorOptions)
 	case C.TypeURLTest:

outbound/http.go

@@ -25,12 +25,12 @@ type HTTP struct {
 	client *sHTTP.Client
 }
 
-func NewHTTP(router adapter.Router, logger log.ContextLogger, tag string, options option.HTTPOutboundOptions) (*HTTP, error) {
+func NewHTTP(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.HTTPOutboundOptions) (*HTTP, error) {
 	outboundDialer, err := dialer.New(router, options.DialerOptions)
 	if err != nil {
 		return nil, err
 	}
-	detour, err := tls.NewDialerFromOptions(router, outboundDialer, options.Server, common.PtrValueOrDefault(options.TLS))
+	detour, err := tls.NewDialerFromOptions(ctx, router, outboundDialer, options.Server, common.PtrValueOrDefault(options.TLS))
 	if err != nil {
 		return nil, err
 	}

outbound/hysteria.go

@@ -11,6 +11,7 @@ import (
 	"github.com/sagernet/quic-go/congestion"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/dialer"
+	"github.com/sagernet/sing-box/common/qtls"
 	"github.com/sagernet/sing-box/common/tls"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
@@ -33,7 +34,7 @@ type Hysteria struct {
 	ctx          context.Context
 	dialer       N.Dialer
 	serverAddr   M.Socksaddr
-	tlsConfig    *tls.STDConfig
+	tlsConfig    tls.Config
 	quicConfig   *quic.Config
 	authKey      []byte
 	xplusKey     []byte
@@ -52,17 +53,12 @@ func NewHysteria(ctx context.Context, router adapter.Router, logger log.ContextL
 	if options.TLS == nil || !options.TLS.Enabled {
 		return nil, C.ErrTLSRequired
 	}
-	abstractTLSConfig, err := tls.NewClient(router, options.Server, common.PtrValueOrDefault(options.TLS))
+	tlsConfig, err := tls.NewClient(ctx, options.Server, common.PtrValueOrDefault(options.TLS))
 	if err != nil {
 		return nil, err
 	}
-	tlsConfig, err := abstractTLSConfig.Config()
-	if err != nil {
-		return nil, err
-	}
-	tlsConfig.MinVersion = tls.VersionTLS13
-	if len(tlsConfig.NextProtos) == 0 {
-		tlsConfig.NextProtos = []string{hysteria.DefaultALPN}
+	if len(tlsConfig.NextProtos()) == 0 {
+		tlsConfig.SetNextProtos([]string{hysteria.DefaultALPN})
 	}
 	quicConfig := &quic.Config{
 		InitialStreamReceiveWindow:     options.ReceiveWindowConn,
@@ -182,7 +178,7 @@ func (h *Hysteria) offerNew(ctx context.Context) (quic.Connection, error) {
 		packetConn = hysteria.NewXPlusPacketConn(packetConn, h.xplusKey)
 	}
 	packetConn = &hysteria.PacketConnWrapper{PacketConn: packetConn}
-	quicConn, err := quic.Dial(h.ctx, packetConn, udpConn.RemoteAddr(), h.tlsConfig, h.quicConfig)
+	quicConn, err := qtls.Dial(h.ctx, packetConn, udpConn.RemoteAddr(), h.tlsConfig, h.quicConfig)
 	if err != nil {
 		packetConn.Close()
 		return nil, err

outbound/hysteria2.go

@@ -0,0 +1,122 @@
+//go:build with_quic
+
+package outbound
+
+import (
+	"context"
+	"net"
+	"os"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/dialer"
+	"github.com/sagernet/sing-box/common/tls"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing-box/transport/hysteria2"
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/bufio"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+)
+
+var (
+	_ adapter.Outbound                = (*TUIC)(nil)
+	_ adapter.InterfaceUpdateListener = (*TUIC)(nil)
+)
+
+type Hysteria2 struct {
+	myOutboundAdapter
+	client *hysteria2.Client
+}
+
+func NewHysteria2(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.Hysteria2OutboundOptions) (*Hysteria2, error) {
+	options.UDPFragmentDefault = true
+	if options.TLS == nil || !options.TLS.Enabled {
+		return nil, C.ErrTLSRequired
+	}
+	tlsConfig, err := tls.NewClient(ctx, options.Server, common.PtrValueOrDefault(options.TLS))
+	if err != nil {
+		return nil, err
+	}
+	var salamanderPassword string
+	if options.Obfs != nil {
+		if options.Obfs.Password == "" {
+			return nil, E.New("missing obfs password")
+		}
+		switch options.Obfs.Type {
+		case hysteria2.ObfsTypeSalamander:
+			salamanderPassword = options.Obfs.Password
+		default:
+			return nil, E.New("unknown obfs type: ", options.Obfs.Type)
+		}
+	}
+	outboundDialer, err := dialer.New(router, options.DialerOptions)
+	if err != nil {
+		return nil, err
+	}
+	networkList := options.Network.Build()
+	client, err := hysteria2.NewClient(hysteria2.ClientOptions{
+		Context:            ctx,
+		Dialer:             outboundDialer,
+		ServerAddress:      options.ServerOptions.Build(),
+		SendBPS:            uint64(options.UpMbps * 1024 * 1024),
+		ReceiveBPS:         uint64(options.DownMbps * 1024 * 1024),
+		SalamanderPassword: salamanderPassword,
+		Password:           options.Password,
+		TLSConfig:          tlsConfig,
+		UDPDisabled:        !common.Contains(networkList, N.NetworkUDP),
+	})
+	if err != nil {
+		return nil, err
+	}
+	return &Hysteria2{
+		myOutboundAdapter: myOutboundAdapter{
+			protocol:     C.TypeHysteria2,
+			network:      networkList,
+			router:       router,
+			logger:       logger,
+			tag:          tag,
+			dependencies: withDialerDependency(options.DialerOptions),
+		},
+		client: client,
+	}, nil
+}
+
+func (h *Hysteria2) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+	switch N.NetworkName(network) {
+	case N.NetworkTCP:
+		h.logger.InfoContext(ctx, "outbound connection to ", destination)
+		return h.client.DialConn(ctx, destination)
+	case N.NetworkUDP:
+		conn, err := h.ListenPacket(ctx, destination)
+		if err != nil {
+			return nil, err
+		}
+		return bufio.NewBindPacketConn(conn, destination), nil
+	default:
+		return nil, E.New("unsupported network: ", network)
+	}
+}
+
+func (h *Hysteria2) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+	h.logger.InfoContext(ctx, "outbound packet connection to ", destination)
+	return h.client.ListenPacket(ctx)
+}
+
+func (h *Hysteria2) NewConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
+	return NewConnection(ctx, h, conn, metadata)
+}
+
+func (h *Hysteria2) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
+	return NewPacketConnection(ctx, h, conn, metadata)
+}
+
+func (h *Hysteria2) InterfaceUpdated() error {
+	return h.client.CloseWithError(E.New("network changed"))
+}
+
+func (h *Hysteria2) Close() error {
+	return h.client.CloseWithError(os.ErrClosed)
+}

outbound/hysteria_stub.go

@@ -14,3 +14,7 @@ import (
 func NewHysteria(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.HysteriaOutboundOptions) (adapter.Outbound, error) {
 	return nil, C.ErrQUICNotIncluded
 }
+
+func NewHysteria2(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.Hysteria2OutboundOptions) (adapter.Outbound, error) {
+	return nil, C.ErrQUICNotIncluded
+}

outbound/shadowsocks.go

@@ -57,7 +57,7 @@ func NewShadowsocks(ctx context.Context, router adapter.Router, logger log.Conte
 		serverAddr: options.ServerOptions.Build(),
 	}
 	if options.Plugin != "" {
-		outbound.plugin, err = sip003.CreatePlugin(options.Plugin, options.PluginOptions, router, outbound.dialer, outbound.serverAddr)
+		outbound.plugin, err = sip003.CreatePlugin(ctx, options.Plugin, options.PluginOptions, router, outbound.dialer, outbound.serverAddr)
 		if err != nil {
 			return nil, err
 		}

outbound/shadowtls.go

@@ -47,7 +47,7 @@ func NewShadowTLS(ctx context.Context, router adapter.Router, logger log.Context
 		options.TLS.MinVersion = "1.2"
 		options.TLS.MaxVersion = "1.2"
 	}
-	tlsConfig, err := tls.NewClient(router, options.Server, common.PtrValueOrDefault(options.TLS))
+	tlsConfig, err := tls.NewClient(ctx, options.Server, common.PtrValueOrDefault(options.TLS))
 	if err != nil {
 		return nil, err
 	}

outbound/trojan.go

@@ -51,7 +51,7 @@ func NewTrojan(ctx context.Context, router adapter.Router, logger log.ContextLog
 		key:        trojan.Key(options.Password),
 	}
 	if options.TLS != nil {
-		outbound.tlsConfig, err = tls.NewClient(router, options.Server, common.PtrValueOrDefault(options.TLS))
+		outbound.tlsConfig, err = tls.NewClient(ctx, options.Server, common.PtrValueOrDefault(options.TLS))
 		if err != nil {
 			return nil, err
 		}

outbound/tuic.go

@@ -41,11 +41,7 @@ func NewTUIC(ctx context.Context, router adapter.Router, logger log.ContextLogge
 	if options.TLS == nil || !options.TLS.Enabled {
 		return nil, C.ErrTLSRequired
 	}
-	abstractTLSConfig, err := tls.NewClient(router, options.Server, common.PtrValueOrDefault(options.TLS))
-	if err != nil {
-		return nil, err
-	}
-	tlsConfig, err := abstractTLSConfig.Config()
+	tlsConfig, err := tls.NewClient(ctx, options.Server, common.PtrValueOrDefault(options.TLS))
 	if err != nil {
 		return nil, err
 	}

outbound/vless.go

@@ -53,7 +53,7 @@ func NewVLESS(ctx context.Context, router adapter.Router, logger log.ContextLogg
 		serverAddr: options.ServerOptions.Build(),
 	}
 	if options.TLS != nil {
-		outbound.tlsConfig, err = tls.NewClient(router, options.Server, common.PtrValueOrDefault(options.TLS))
+		outbound.tlsConfig, err = tls.NewClient(ctx, options.Server, common.PtrValueOrDefault(options.TLS))
 		if err != nil {
 			return nil, err
 		}

outbound/vmess.go

@@ -18,6 +18,7 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/common/ntp"
 )
 
 var _ adapter.Outbound = (*VMess)(nil)
@@ -52,7 +53,7 @@ func NewVMess(ctx context.Context, router adapter.Router, logger log.ContextLogg
 		serverAddr: options.ServerOptions.Build(),
 	}
 	if options.TLS != nil {
-		outbound.tlsConfig, err = tls.NewClient(router, options.Server, common.PtrValueOrDefault(options.TLS))
+		outbound.tlsConfig, err = tls.NewClient(ctx, options.Server, common.PtrValueOrDefault(options.TLS))
 		if err != nil {
 			return nil, err
 		}
@@ -77,7 +78,7 @@ func NewVMess(ctx context.Context, router adapter.Router, logger log.ContextLogg
 		return nil, E.New("unknown packet encoding: ", options.PacketEncoding)
 	}
 	var clientOptions []vmess.ClientOption
-	if timeFunc := router.TimeFunc(); timeFunc != nil {
+	if timeFunc := ntp.TimeFuncFromContext(ctx); timeFunc != nil {
 		clientOptions = append(clientOptions, vmess.ClientWithTimeFunc(timeFunc))
 	}
 	if options.GlobalPadding {

route/router.go

@@ -81,7 +81,7 @@ type Router struct {
 	interfaceMonitor                   tun.DefaultInterfaceMonitor
 	packageManager                     tun.PackageManager
 	processSearcher                    process.Searcher
-	timeService                        adapter.TimeService
+	timeService                        *ntp.Service
 	pauseManager                       pause.Manager
 	clashServer                        adapter.ClashServer
 	v2rayServer                        adapter.V2RayServer
@@ -950,13 +950,6 @@ func (r *Router) PackageManager() tun.PackageManager {
 	return r.packageManager
 }
 
-func (r *Router) TimeFunc() func() time.Time {
-	if r.timeService == nil {
-		return nil
-	}
-	return r.timeService.TimeFunc()
-}
-
 func (r *Router) ClashServer() adapter.ClashServer {
 	return r.clashServer
 }
@@ -1005,14 +998,7 @@ func (r *Router) notifyNetworkUpdate(event int) {
 		}
 	}
 
-	conntrack.Close()
-
-	for _, outbound := range r.outbounds {
-		listener, isListener := outbound.(adapter.InterfaceUpdateListener)
-		if isListener {
-			listener.InterfaceUpdated()
-		}
-	}
+	r.ResetNetwork()
 	return
 }
 
@@ -1025,5 +1011,9 @@ func (r *Router) ResetNetwork() error {
 			listener.InterfaceUpdated()
 		}
 	}
+
+	for _, transport := range r.transports {
+		transport.Reset()
+	}
 	return nil
 }

route/router_dns.go

@@ -146,6 +146,13 @@ func (r *Router) LookupDefault(ctx context.Context, domain string) ([]netip.Addr
 	return r.Lookup(ctx, domain, dns.DomainStrategyAsIS)
 }
 
+func (r *Router) ClearDNSCache() {
+	r.dnsClient.ClearCache()
+	if r.platformInterface != nil {
+		r.platformInterface.ClearDNSCache()
+	}
+}
+
 func LogDNSAnswers(logger log.ContextLogger, ctx context.Context, domain string, answers []mDNS.RR) {
 	for _, answer := range answers {
 		logger.InfoContext(ctx, "exchanged ", domain, " ", mDNS.Type(answer.Header().Rrtype).String(), " ", formatQuestion(answer.String()))

route/rule_item_clash_mode.go

@@ -16,7 +16,7 @@ type ClashModeItem struct {
 func NewClashModeItem(router adapter.Router, mode string) *ClashModeItem {
 	return &ClashModeItem{
 		router: router,
-		mode:   strings.ToLower(mode),
+		mode:   mode,
 	}
 }
 
@@ -25,7 +25,7 @@ func (r *ClashModeItem) Match(metadata *adapter.InboundContext) bool {
 	if clashServer == nil {
 		return false
 	}
-	return clashServer.Mode() == r.mode
+	return strings.EqualFold(clashServer.Mode(), r.mode)
 }
 
 func (r *ClashModeItem) String() string {

test/ech_test.go

@@ -0,0 +1,248 @@
+package main
+
+import (
+	"net/netip"
+	"testing"
+
+	"github.com/sagernet/sing-box/common/tls"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common"
+
+	"github.com/gofrs/uuid/v5"
+)
+
+func TestECH(t *testing.T) {
+	_, certPem, keyPem := createSelfSignedCertificate(t, "example.org")
+	echConfig, echKey := common.Must2(tls.ECHKeygenDefault("not.example.org", false))
+	startInstance(t, option.Options{
+		Inbounds: []option.Inbound{
+			{
+				Type: C.TypeMixed,
+				Tag:  "mixed-in",
+				MixedOptions: option.HTTPMixedInboundOptions{
+					ListenOptions: option.ListenOptions{
+						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
+						ListenPort: clientPort,
+					},
+				},
+			},
+			{
+				Type: C.TypeTrojan,
+				TrojanOptions: option.TrojanInboundOptions{
+					ListenOptions: option.ListenOptions{
+						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
+						ListenPort: serverPort,
+					},
+					Users: []option.TrojanUser{
+						{
+							Name:     "sekai",
+							Password: "password",
+						},
+					},
+					TLS: &option.InboundTLSOptions{
+						Enabled:         true,
+						ServerName:      "example.org",
+						CertificatePath: certPem,
+						KeyPath:         keyPem,
+						ECH: &option.InboundECHOptions{
+							Enabled: true,
+							Key:     []string{echKey},
+						},
+					},
+				},
+			},
+		},
+		Outbounds: []option.Outbound{
+			{
+				Type: C.TypeDirect,
+			},
+			{
+				Type: C.TypeTrojan,
+				Tag:  "trojan-out",
+				TrojanOptions: option.TrojanOutboundOptions{
+					ServerOptions: option.ServerOptions{
+						Server:     "127.0.0.1",
+						ServerPort: serverPort,
+					},
+					Password: "password",
+					TLS: &option.OutboundTLSOptions{
+						Enabled:         true,
+						ServerName:      "example.org",
+						CertificatePath: certPem,
+						ECH: &option.OutboundECHOptions{
+							Enabled: true,
+							Config:  []string{echConfig},
+						},
+					},
+				},
+			},
+		},
+		Route: &option.RouteOptions{
+			Rules: []option.Rule{
+				{
+					DefaultOptions: option.DefaultRule{
+						Inbound:  []string{"mixed-in"},
+						Outbound: "trojan-out",
+					},
+				},
+			},
+		},
+	})
+	testSuit(t, clientPort, testPort)
+}
+
+func TestECHQUIC(t *testing.T) {
+	_, certPem, keyPem := createSelfSignedCertificate(t, "example.org")
+	echConfig, echKey := common.Must2(tls.ECHKeygenDefault("not.example.org", false))
+	startInstance(t, option.Options{
+		Inbounds: []option.Inbound{
+			{
+				Type: C.TypeMixed,
+				Tag:  "mixed-in",
+				MixedOptions: option.HTTPMixedInboundOptions{
+					ListenOptions: option.ListenOptions{
+						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
+						ListenPort: clientPort,
+					},
+				},
+			},
+			{
+				Type: C.TypeTUIC,
+				TUICOptions: option.TUICInboundOptions{
+					ListenOptions: option.ListenOptions{
+						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
+						ListenPort: serverPort,
+					},
+					Users: []option.TUICUser{{
+						UUID: uuid.Nil.String(),
+					}},
+					TLS: &option.InboundTLSOptions{
+						Enabled:         true,
+						ServerName:      "example.org",
+						CertificatePath: certPem,
+						KeyPath:         keyPem,
+						ECH: &option.InboundECHOptions{
+							Enabled: true,
+							Key:     []string{echKey},
+						},
+					},
+				},
+			},
+		},
+		Outbounds: []option.Outbound{
+			{
+				Type: C.TypeDirect,
+			},
+			{
+				Type: C.TypeTUIC,
+				Tag:  "tuic-out",
+				TUICOptions: option.TUICOutboundOptions{
+					ServerOptions: option.ServerOptions{
+						Server:     "127.0.0.1",
+						ServerPort: serverPort,
+					},
+					UUID: uuid.Nil.String(),
+					TLS: &option.OutboundTLSOptions{
+						Enabled:         true,
+						ServerName:      "example.org",
+						CertificatePath: certPem,
+						ECH: &option.OutboundECHOptions{
+							Enabled: true,
+							Config:  []string{echConfig},
+						},
+					},
+				},
+			},
+		},
+		Route: &option.RouteOptions{
+			Rules: []option.Rule{
+				{
+					DefaultOptions: option.DefaultRule{
+						Inbound:  []string{"mixed-in"},
+						Outbound: "tuic-out",
+					},
+				},
+			},
+		},
+	})
+	testSuitLargeUDP(t, clientPort, testPort)
+}
+
+func TestECHHysteria2(t *testing.T) {
+	_, certPem, keyPem := createSelfSignedCertificate(t, "example.org")
+	echConfig, echKey := common.Must2(tls.ECHKeygenDefault("not.example.org", false))
+	startInstance(t, option.Options{
+		Inbounds: []option.Inbound{
+			{
+				Type: C.TypeMixed,
+				Tag:  "mixed-in",
+				MixedOptions: option.HTTPMixedInboundOptions{
+					ListenOptions: option.ListenOptions{
+						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
+						ListenPort: clientPort,
+					},
+				},
+			},
+			{
+				Type: C.TypeHysteria2,
+				Hysteria2Options: option.Hysteria2InboundOptions{
+					ListenOptions: option.ListenOptions{
+						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
+						ListenPort: serverPort,
+					},
+					Users: []option.Hysteria2User{{
+						Password: "password",
+					}},
+					TLS: &option.InboundTLSOptions{
+						Enabled:         true,
+						ServerName:      "example.org",
+						CertificatePath: certPem,
+						KeyPath:         keyPem,
+						ECH: &option.InboundECHOptions{
+							Enabled: true,
+							Key:     []string{echKey},
+						},
+					},
+				},
+			},
+		},
+		Outbounds: []option.Outbound{
+			{
+				Type: C.TypeDirect,
+			},
+			{
+				Type: C.TypeHysteria2,
+				Tag:  "hy2-out",
+				Hysteria2Options: option.Hysteria2OutboundOptions{
+					ServerOptions: option.ServerOptions{
+						Server:     "127.0.0.1",
+						ServerPort: serverPort,
+					},
+					Password: "password",
+					TLS: &option.OutboundTLSOptions{
+						Enabled:         true,
+						ServerName:      "example.org",
+						CertificatePath: certPem,
+						ECH: &option.OutboundECHOptions{
+							Enabled: true,
+							Config:  []string{echConfig},
+						},
+					},
+				},
+			},
+		},
+		Route: &option.RouteOptions{
+			Rules: []option.Rule{
+				{
+					Type: C.RuleTypeDefault,
+					DefaultOptions: option.DefaultRule{
+						Inbound:  []string{"mixed-in"},
+						Outbound: "hy2-out",
+					},
+				},
+			},
+		},
+	})
+	testSuit(t, clientPort, testPort)
+}

test/go.mod

@@ -10,7 +10,7 @@ require (
 	github.com/docker/docker v24.0.5+incompatible
 	github.com/docker/go-connections v0.4.0
 	github.com/gofrs/uuid/v5 v5.0.0
-	github.com/sagernet/sing v0.2.10-0.20230821073500-620f3a3b882d
+	github.com/sagernet/sing v0.2.10-0.20230830132630-30bf19f2833c
 	github.com/sagernet/sing-shadowsocks v0.2.4
 	github.com/sagernet/sing-shadowsocks2 v0.1.3
 	github.com/spyzhov/ajson v0.9.0
@@ -27,7 +27,7 @@ require (
 	github.com/ajg/form v1.5.1 // indirect
 	github.com/andybalholm/brotli v1.0.5 // indirect
 	github.com/caddyserver/certmagic v0.19.2 // indirect
-	github.com/cloudflare/circl v1.2.1-0.20221019164342-6ab4dfed8f3c // indirect
+	github.com/cloudflare/circl v1.3.3 // indirect
 	github.com/cretz/bine v0.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/docker/distribution v2.8.1+incompatible // indirect
@@ -40,7 +40,6 @@ require (
 	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/mock v1.6.0 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/btree v1.1.2 // indirect
 	github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38 // indirect
@@ -65,15 +64,15 @@ require (
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/quic-go/qpack v0.4.0 // indirect
-	github.com/quic-go/qtls-go1-20 v0.3.2 // indirect
-	github.com/sagernet/cloudflare-tls v0.0.0-20221031050923-d70792f4c3a0 // indirect
+	github.com/quic-go/qtls-go1-20 v0.3.3 // indirect
+	github.com/sagernet/cloudflare-tls v0.0.0-20230829051644-4a68352d0c4a // indirect
 	github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61 // indirect
 	github.com/sagernet/gvisor v0.0.0-20230627031050-1ab0276e0dd2 // indirect
 	github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 // indirect
-	github.com/sagernet/quic-go v0.0.0-20230824033040-30ef72e3be3e // indirect
+	github.com/sagernet/quic-go v0.0.0-20230831052420-45809eee2e86 // indirect
 	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 // indirect
-	github.com/sagernet/sing-dns v0.1.9-0.20230731012726-ad50da89b659 // indirect
-	github.com/sagernet/sing-mux v0.1.3-0.20230811111955-dc1639b5204c // indirect
+	github.com/sagernet/sing-dns v0.1.9-0.20230824120133-4d5cbceb40c1 // indirect
+	github.com/sagernet/sing-mux v0.1.3-0.20230830095209-2a10ebd53ba8 // indirect
 	github.com/sagernet/sing-shadowtls v0.1.4 // indirect
 	github.com/sagernet/sing-tun v0.1.12-0.20230821065522-7545dc2d5641 // indirect
 	github.com/sagernet/sing-vmess v0.1.7 // indirect
@@ -89,7 +88,7 @@ require (
 	go.etcd.io/bbolt v1.3.7 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.25.0 // indirect
-	go4.org/netipx v0.0.0-20230728184502-ec4c8b891b28 // indirect
+	go4.org/netipx v0.0.0-20230824141953-6213f710f925 // indirect
 	golang.org/x/crypto v0.12.0 // indirect
 	golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63 // indirect
 	golang.org/x/mod v0.12.0 // indirect

test/go.sum

@@ -17,8 +17,8 @@ github.com/caddyserver/certmagic v0.19.2/go.mod h1:fsL01NomQ6N+kE2j37ZCnig2MFosG
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
-github.com/cloudflare/circl v1.2.1-0.20221019164342-6ab4dfed8f3c h1:K1VdSnBZiGapczwcUKnE1qcsMBclA84DUOD2NG/78VY=
-github.com/cloudflare/circl v1.2.1-0.20221019164342-6ab4dfed8f3c/go.mod h1:+CauBF6R70Jqcyl8N2hC8pAXYbWkGIezuSbuGLtRhnw=
+github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs=
+github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
 github.com/cretz/bine v0.1.0/go.mod h1:6PF6fWAvYtwjRGkAuDEJeWNOv3a2hUouSP/yRYXmvHw=
 github.com/cretz/bine v0.2.0 h1:8GiDRGlTgz+o8H9DSnsl+5MeBK4HsExxgl6WgzOCuZo=
 github.com/cretz/bine v0.2.0/go.mod h1:WU4o9QR9wWp8AVKtTM1XD5vUHkEqnf2vVSo6dBqbetI=
@@ -52,8 +52,6 @@ github.com/gofrs/uuid/v5 v5.0.0 h1:p544++a97kEL+svbcFbCQVM9KFu0Yo25UoISXGNNH9M=
 github.com/gofrs/uuid/v5 v5.0.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
-github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
@@ -113,28 +111,28 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/quic-go/qpack v0.4.0 h1:Cr9BXA1sQS2SmDUWjSofMPNKmvF6IiIfDRmgU0w1ZCo=
 github.com/quic-go/qpack v0.4.0/go.mod h1:UZVnYIfi5GRk+zI9UMaCPsmZ2xKJP7XBUvVyT1Knj9A=
-github.com/quic-go/qtls-go1-20 v0.3.2 h1:rRgN3WfnKbyik4dBV8A6girlJVxGand/d+jVKbQq5GI=
-github.com/quic-go/qtls-go1-20 v0.3.2/go.mod h1:X9Nh97ZL80Z+bX/gUXMbipO6OxdiDi58b/fMC9mAL+k=
-github.com/sagernet/cloudflare-tls v0.0.0-20221031050923-d70792f4c3a0 h1:KyhtFFt1Jtp5vW2ohNvstvQffTOQ/s5vENuGXzdA+TM=
-github.com/sagernet/cloudflare-tls v0.0.0-20221031050923-d70792f4c3a0/go.mod h1:D4SFEOkJK+4W1v86ZhX0jPM0rAL498fyQAChqMtes/I=
+github.com/quic-go/qtls-go1-20 v0.3.3 h1:17/glZSLI9P9fDAeyCHBFSWSqJcwx1byhLwP5eUIDCM=
+github.com/quic-go/qtls-go1-20 v0.3.3/go.mod h1:X9Nh97ZL80Z+bX/gUXMbipO6OxdiDi58b/fMC9mAL+k=
+github.com/sagernet/cloudflare-tls v0.0.0-20230829051644-4a68352d0c4a h1:wZHruBxZCsQLXHAozWpnJBL3wJ/XufDpz0qKtgpSnA4=
+github.com/sagernet/cloudflare-tls v0.0.0-20230829051644-4a68352d0c4a/go.mod h1:dNV1ZP9y3qx5ltULeKaQZTZWTLHflgW5DES+Ses7cMI=
 github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61 h1:5+m7c6AkmAylhauulqN/c5dnh8/KssrE9c93TQrXldA=
 github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61/go.mod h1:QUQ4RRHD6hGGHdFMEtR8T2P6GS6R3D/CXKdaYHKKXms=
 github.com/sagernet/gvisor v0.0.0-20230627031050-1ab0276e0dd2 h1:dnkKrzapqtAwjTSWt6hdPrARORfoYvuUczynvRLrueo=
 github.com/sagernet/gvisor v0.0.0-20230627031050-1ab0276e0dd2/go.mod h1:1JUiV7nGuf++YFm9eWZ8q2lrwHmhcUGzptMl/vL1+LA=
 github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 h1:iL5gZI3uFp0X6EslacyapiRz7LLSJyr4RajF/BhMVyE=
 github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
-github.com/sagernet/quic-go v0.0.0-20230824033040-30ef72e3be3e h1:URg7GQT9Mp0b6m/LXH1NgVT3P/ybVomvy2kkfA6QIHQ=
-github.com/sagernet/quic-go v0.0.0-20230824033040-30ef72e3be3e/go.mod h1:7DXnweBVxZ7CQWsCdc7QAAQ65dFPEtenfz+w6WDESlI=
+github.com/sagernet/quic-go v0.0.0-20230831052420-45809eee2e86 h1:g4TEg9inAtA1FDTXpNrvmx72nN5mTOLQrJce6fVxF9g=
+github.com/sagernet/quic-go v0.0.0-20230831052420-45809eee2e86/go.mod h1:O4Cj7TmMOvqD6S0XMqJRZfcYzA3m0H0ARbbaJFB0p7A=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 h1:5Th31OC6yj8byLGkEnIYp6grlXfo1QYUfiYFGjewIdc=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
 github.com/sagernet/sing v0.0.0-20220817130738-ce854cda8522/go.mod h1:QVsS5L/ZA2Q5UhQwLrn0Trw+msNd/NPGEhBKR/ioWiY=
 github.com/sagernet/sing v0.1.8/go.mod h1:jt1w2u7lJQFFSGLiRrRIs5YWmx4kAPfWuOejuDW9qMk=
-github.com/sagernet/sing v0.2.10-0.20230821073500-620f3a3b882d h1:4kgoOCE48CuQcBUcoRnE0QTPXkl8yM8i7Nipmzp/978=
-github.com/sagernet/sing v0.2.10-0.20230821073500-620f3a3b882d/go.mod h1:9uOZwWkhT2Z2WldolLxX34s+1svAX4i4vvz5hy8u1MA=
-github.com/sagernet/sing-dns v0.1.9-0.20230731012726-ad50da89b659 h1:1DAKccGNqTYJ8nsBR765FS0LVBVXfuFlFAHqKsGN3EI=
-github.com/sagernet/sing-dns v0.1.9-0.20230731012726-ad50da89b659/go.mod h1:W7GHTZFS8RkoLI3bA2LFY27/0E+uoQESWtMFLepO/JA=
-github.com/sagernet/sing-mux v0.1.3-0.20230811111955-dc1639b5204c h1:35/FowAvt3Z62mck0TXzVc4jS5R5CWq62qcV2P1cp0I=
-github.com/sagernet/sing-mux v0.1.3-0.20230811111955-dc1639b5204c/go.mod h1:TKxqIvfQQgd36jp2tzsPavGjYTVZilV+atip1cssjIY=
+github.com/sagernet/sing v0.2.10-0.20230830132630-30bf19f2833c h1:J2ptRncTNy+ZHfcFYSBfTmpvmgNlSEUZz6sDjh1np/Y=
+github.com/sagernet/sing v0.2.10-0.20230830132630-30bf19f2833c/go.mod h1:9uOZwWkhT2Z2WldolLxX34s+1svAX4i4vvz5hy8u1MA=
+github.com/sagernet/sing-dns v0.1.9-0.20230824120133-4d5cbceb40c1 h1:5w+jXz8y/8UQAxO74TjftN5okYkpg5mGvVxXunlKdqI=
+github.com/sagernet/sing-dns v0.1.9-0.20230824120133-4d5cbceb40c1/go.mod h1:Kg98PBJEg/08jsNFtmZWmPomhskn9Ausn50ecNm4M+8=
+github.com/sagernet/sing-mux v0.1.3-0.20230830095209-2a10ebd53ba8 h1:UyUkEUEGqfIGqzOJ7OuJry4slgcT/qb0etDJ+89LTAs=
+github.com/sagernet/sing-mux v0.1.3-0.20230830095209-2a10ebd53ba8/go.mod h1:TKxqIvfQQgd36jp2tzsPavGjYTVZilV+atip1cssjIY=
 github.com/sagernet/sing-shadowsocks v0.2.4 h1:s/CqXlvFAZhlIoHWUwPw5CoNnQ9Ibki9pckjuugtVfY=
 github.com/sagernet/sing-shadowsocks v0.2.4/go.mod h1:80fNKP0wnqlu85GZXV1H1vDPC/2t+dQbFggOw4XuFUM=
 github.com/sagernet/sing-shadowsocks2 v0.1.3 h1:WXoLvCFi5JTFBRYorf1YePGYIQyJ/zbsBM6Fwbl5kGA=
@@ -171,7 +169,6 @@ github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 h1:gga7acRE695AP
 github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/zeebo/assert v1.1.0 h1:hU1L1vLTHsnO8x8c9KAR5GmM5QscxHg5RNU5z5qbUWY=
 github.com/zeebo/assert v1.1.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0=
 github.com/zeebo/blake3 v0.2.3 h1:TFoLXsjeXqRNFxSbk35Dk4YtszE/MQQGK10BH4ptoTg=
@@ -186,8 +183,8 @@ go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.25.0 h1:4Hvk6GtkucQ790dqmj7l1eEnRdKm3k3ZUrUMS2d5+5c=
 go.uber.org/zap v1.25.0/go.mod h1:JIAUzQIH94IC4fOJQm7gMmBJP5k7wQfdcnYdPoEXJYk=
-go4.org/netipx v0.0.0-20230728184502-ec4c8b891b28 h1:zLxFnORHDFTSkJPawMU7LzsuGQJ4MUFS653jJHpORow=
-go4.org/netipx v0.0.0-20230728184502-ec4c8b891b28/go.mod h1:TQvodOM+hJTioNQJilmLXu08JNb8i+ccq418+KWu1/Y=
+go4.org/netipx v0.0.0-20230824141953-6213f710f925 h1:eeQDDVKFkx0g4Hyy8pHgmZaK0EqB4SD6rvKbUdN3ziQ=
+go4.org/netipx v0.0.0-20230824141953-6213f710f925/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@@ -199,7 +196,6 @@ golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63 h1:m64FZMko/V45gv0bNmrNYoDEq
 golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63/go.mod h1:0v4NqG35kSWCMzLaMeX+IQrlSnVE/bqGSyC2cz/9Le8=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -207,14 +203,12 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14=
 golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -224,9 +218,7 @@ golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220622161953-175b2fd9d664/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220731174439-a90be440212d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -248,7 +240,6 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
-golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846 h1:Vve/L0v7CXXuxUmaMGIEK/dEeq7uiqb5qBgQrZzIE7E=
 golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846/go.mod h1:Sc0INKfu04TlqNoRA1hgpFZbhYXHPr4V5DzpSBTPqQM=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

test/hysteria2_test.go

@@ -0,0 +1,97 @@
+package main
+
+import (
+	"net/netip"
+	"testing"
+
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing-box/transport/hysteria2"
+)
+
+func TestHysteria2Self(t *testing.T) {
+	t.Run("self", func(t *testing.T) {
+		testHysteria2Self(t, "")
+	})
+	t.Run("self-salamander", func(t *testing.T) {
+		testHysteria2Self(t, "password")
+	})
+}
+
+func testHysteria2Self(t *testing.T, salamanderPassword string) {
+	_, certPem, keyPem := createSelfSignedCertificate(t, "example.org")
+	var obfs *option.Hysteria2Obfs
+	if salamanderPassword != "" {
+		obfs = &option.Hysteria2Obfs{
+			Type:     hysteria2.ObfsTypeSalamander,
+			Password: salamanderPassword,
+		}
+	}
+	startInstance(t, option.Options{
+		Inbounds: []option.Inbound{
+			{
+				Type: C.TypeMixed,
+				Tag:  "mixed-in",
+				MixedOptions: option.HTTPMixedInboundOptions{
+					ListenOptions: option.ListenOptions{
+						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
+						ListenPort: clientPort,
+					},
+				},
+			},
+			{
+				Type: C.TypeHysteria2,
+				Hysteria2Options: option.Hysteria2InboundOptions{
+					ListenOptions: option.ListenOptions{
+						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
+						ListenPort: serverPort,
+					},
+					Obfs: obfs,
+					Users: []option.Hysteria2User{{
+						Password: "password",
+					}},
+					TLS: &option.InboundTLSOptions{
+						Enabled:         true,
+						ServerName:      "example.org",
+						CertificatePath: certPem,
+						KeyPath:         keyPem,
+					},
+				},
+			},
+		},
+		Outbounds: []option.Outbound{
+			{
+				Type: C.TypeDirect,
+			},
+			{
+				Type: C.TypeHysteria2,
+				Tag:  "hy2-out",
+				Hysteria2Options: option.Hysteria2OutboundOptions{
+					ServerOptions: option.ServerOptions{
+						Server:     "127.0.0.1",
+						ServerPort: serverPort,
+					},
+					Obfs:     obfs,
+					Password: "password",
+					TLS: &option.OutboundTLSOptions{
+						Enabled:         true,
+						ServerName:      "example.org",
+						CertificatePath: certPem,
+					},
+				},
+			},
+		},
+		Route: &option.RouteOptions{
+			Rules: []option.Rule{
+				{
+					Type: C.RuleTypeDefault,
+					DefaultOptions: option.DefaultRule{
+						Inbound:  []string{"mixed-in"},
+						Outbound: "hy2-out",
+					},
+				},
+			},
+		},
+	})
+	testSuit(t, clientPort, testPort)
+}

transport/dhcp/server.go

@@ -85,6 +85,9 @@ func (t *Transport) Start() error {
 	return nil
 }
 
+func (t *Transport) Reset() {
+}
+
 func (t *Transport) Close() error {
 	if t.interfaceCallback != nil {
 		t.router.InterfaceMonitor().UnregisterCallback(t.interfaceCallback)

transport/fakeip/server.go

@@ -54,6 +54,9 @@ func (s *Transport) Start() error {
 	return nil
 }
 
+func (s *Transport) Reset() {
+}
+
 func (s *Transport) Close() error {
 	return nil
 }

transport/hysteria/protocol.go

@@ -394,7 +394,7 @@ func (c *Conn) Read(p []byte) (n int, err error) {
 }
 
 func (c *Conn) LocalAddr() net.Addr {
-	return nil
+	return M.Socksaddr{}
 }
 
 func (c *Conn) RemoteAddr() net.Addr {
@@ -502,7 +502,7 @@ func (c *PacketConn) WriteTo(p []byte, addr net.Addr) (n int, err error) {
 }
 
 func (c *PacketConn) LocalAddr() net.Addr {
-	return nil
+	return M.Socksaddr{}
 }
 
 func (c *PacketConn) RemoteAddr() net.Addr {
@@ -526,11 +526,12 @@ func (c *PacketConn) NeedAdditionalReadDeadline() bool {
 }
 
 func (c *PacketConn) Read(b []byte) (n int, err error) {
-	return 0, os.ErrInvalid
+	n, _, err = c.ReadFrom(b)
+	return
 }
 
 func (c *PacketConn) Write(b []byte) (n int, err error) {
-	return 0, os.ErrInvalid
+	return c.WriteTo(b, c.destination)
 }
 
 func (c *PacketConn) Close() error {

transport/hysteria2/client.go

@@ -0,0 +1,306 @@
+package hysteria2
+
+import (
+	"context"
+	"io"
+	"net"
+	"net/http"
+	"net/url"
+	"os"
+	"runtime"
+	"sync"
+	"time"
+
+	"github.com/sagernet/quic-go"
+	"github.com/sagernet/sing-box/common/qtls"
+	"github.com/sagernet/sing-box/common/tls"
+	"github.com/sagernet/sing-box/transport/hysteria2/congestion"
+	"github.com/sagernet/sing-box/transport/hysteria2/internal/protocol"
+	tuicCongestion "github.com/sagernet/sing-box/transport/tuic/congestion"
+	"github.com/sagernet/sing/common/bufio"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+)
+
+const (
+	defaultStreamReceiveWindow = 8388608                            // 8MB
+	defaultConnReceiveWindow   = defaultStreamReceiveWindow * 5 / 2 // 20MB
+	defaultMaxIdleTimeout      = 30 * time.Second
+	defaultKeepAlivePeriod     = 10 * time.Second
+)
+
+type ClientOptions struct {
+	Context            context.Context
+	Dialer             N.Dialer
+	ServerAddress      M.Socksaddr
+	SendBPS            uint64
+	ReceiveBPS         uint64
+	SalamanderPassword string
+	Password           string
+	TLSConfig          tls.Config
+	UDPDisabled        bool
+}
+
+type Client struct {
+	ctx                context.Context
+	dialer             N.Dialer
+	serverAddr         M.Socksaddr
+	sendBPS            uint64
+	receiveBPS         uint64
+	salamanderPassword string
+	password           string
+	tlsConfig          tls.Config
+	quicConfig         *quic.Config
+	udpDisabled        bool
+
+	connAccess sync.RWMutex
+	conn       *clientQUICConnection
+}
+
+func NewClient(options ClientOptions) (*Client, error) {
+	quicConfig := &quic.Config{
+		DisablePathMTUDiscovery:        !(runtime.GOOS == "windows" || runtime.GOOS == "linux" || runtime.GOOS == "android" || runtime.GOOS == "darwin"),
+		MaxDatagramFrameSize:           1400,
+		EnableDatagrams:                true,
+		InitialStreamReceiveWindow:     defaultStreamReceiveWindow,
+		MaxStreamReceiveWindow:         defaultStreamReceiveWindow,
+		InitialConnectionReceiveWindow: defaultConnReceiveWindow,
+		MaxConnectionReceiveWindow:     defaultConnReceiveWindow,
+		MaxIdleTimeout:                 defaultMaxIdleTimeout,
+		KeepAlivePeriod:                defaultKeepAlivePeriod,
+	}
+	return &Client{
+		ctx:                options.Context,
+		dialer:             options.Dialer,
+		serverAddr:         options.ServerAddress,
+		sendBPS:            options.SendBPS,
+		receiveBPS:         options.ReceiveBPS,
+		salamanderPassword: options.SalamanderPassword,
+		password:           options.Password,
+		tlsConfig:          options.TLSConfig,
+		quicConfig:         quicConfig,
+		udpDisabled:        options.UDPDisabled,
+	}, nil
+}
+
+func (c *Client) offer(ctx context.Context) (*clientQUICConnection, error) {
+	conn := c.conn
+	if conn != nil && conn.active() {
+		return conn, nil
+	}
+	c.connAccess.Lock()
+	defer c.connAccess.Unlock()
+	conn = c.conn
+	if conn != nil && conn.active() {
+		return conn, nil
+	}
+	conn, err := c.offerNew(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return conn, nil
+}
+
+func (c *Client) offerNew(ctx context.Context) (*clientQUICConnection, error) {
+	udpConn, err := c.dialer.DialContext(ctx, "udp", c.serverAddr)
+	if err != nil {
+		return nil, err
+	}
+	var packetConn net.PacketConn
+	packetConn = bufio.NewUnbindPacketConn(udpConn)
+	if c.salamanderPassword != "" {
+		packetConn = NewSalamanderConn(packetConn, []byte(c.salamanderPassword))
+	}
+	var quicConn quic.EarlyConnection
+	http3Transport, err := qtls.CreateTransport(packetConn, &quicConn, c.serverAddr, c.tlsConfig, c.quicConfig, true)
+	if err != nil {
+		udpConn.Close()
+		return nil, err
+	}
+	request := &http.Request{
+		Method: http.MethodPost,
+		URL: &url.URL{
+			Scheme: "https",
+			Host:   protocol.URLHost,
+			Path:   protocol.URLPath,
+		},
+		Header: make(http.Header),
+	}
+	protocol.AuthRequestToHeader(request.Header, protocol.AuthRequest{Auth: c.password, Rx: c.receiveBPS})
+	response, err := http3Transport.RoundTrip(request)
+	if err != nil {
+		if quicConn != nil {
+			quicConn.CloseWithError(0, "")
+		}
+		udpConn.Close()
+		return nil, err
+	}
+	if response.StatusCode != protocol.StatusAuthOK {
+		if quicConn != nil {
+			quicConn.CloseWithError(0, "")
+		}
+		udpConn.Close()
+		return nil, E.New("authentication failed, status code: ", response.StatusCode)
+	}
+	response.Body.Close()
+	authResponse := protocol.AuthResponseFromHeader(response.Header)
+	actualTx := authResponse.Rx
+	if actualTx == 0 || actualTx > c.sendBPS {
+		actualTx = c.sendBPS
+	}
+	if !authResponse.RxAuto && actualTx > 0 {
+		quicConn.SetCongestionControl(congestion.NewBrutalSender(actualTx))
+	} else {
+		quicConn.SetCongestionControl(tuicCongestion.NewBBRSender(
+			tuicCongestion.DefaultClock{},
+			tuicCongestion.GetInitialPacketSize(quicConn.RemoteAddr()),
+			tuicCongestion.InitialCongestionWindow*tuicCongestion.InitialMaxDatagramSize,
+			tuicCongestion.DefaultBBRMaxCongestionWindow*tuicCongestion.InitialMaxDatagramSize,
+		))
+	}
+	conn := &clientQUICConnection{
+		quicConn:    quicConn,
+		rawConn:     udpConn,
+		connDone:    make(chan struct{}),
+		udpDisabled: c.udpDisabled || !authResponse.UDPEnabled,
+		udpConnMap:  make(map[uint32]*udpPacketConn),
+	}
+	if !c.udpDisabled {
+		go c.loopMessages(conn)
+	}
+	c.conn = conn
+	return conn, nil
+}
+
+func (c *Client) DialConn(ctx context.Context, destination M.Socksaddr) (net.Conn, error) {
+	conn, err := c.offer(ctx)
+	if err != nil {
+		return nil, err
+	}
+	stream, err := conn.quicConn.OpenStream()
+	if err != nil {
+		return nil, err
+	}
+	return &clientConn{
+		Stream:      stream,
+		destination: destination,
+	}, nil
+}
+
+func (c *Client) ListenPacket(ctx context.Context) (net.PacketConn, error) {
+	if c.udpDisabled {
+		return nil, os.ErrInvalid
+	}
+	conn, err := c.offer(ctx)
+	if err != nil {
+		return nil, err
+	}
+	if conn.udpDisabled {
+		return nil, E.New("UDP disabled by server")
+	}
+	var sessionID uint32
+	clientPacketConn := newUDPPacketConn(ctx, conn.quicConn, func() {
+		conn.udpAccess.Lock()
+		delete(conn.udpConnMap, sessionID)
+		conn.udpAccess.Unlock()
+	})
+	conn.udpAccess.Lock()
+	sessionID = conn.udpSessionID
+	conn.udpSessionID++
+	conn.udpConnMap[sessionID] = clientPacketConn
+	conn.udpAccess.Unlock()
+	clientPacketConn.sessionID = sessionID
+	return clientPacketConn, nil
+}
+
+func (c *Client) CloseWithError(err error) error {
+	conn := c.conn
+	if conn != nil {
+		conn.closeWithError(err)
+	}
+	return nil
+}
+
+type clientQUICConnection struct {
+	quicConn     quic.Connection
+	rawConn      io.Closer
+	closeOnce    sync.Once
+	connDone     chan struct{}
+	connErr      error
+	udpDisabled  bool
+	udpAccess    sync.RWMutex
+	udpConnMap   map[uint32]*udpPacketConn
+	udpSessionID uint32
+}
+
+func (c *clientQUICConnection) active() bool {
+	select {
+	case <-c.quicConn.Context().Done():
+		return false
+	default:
+	}
+	select {
+	case <-c.connDone:
+		return false
+	default:
+	}
+	return true
+}
+
+func (c *clientQUICConnection) closeWithError(err error) {
+	c.closeOnce.Do(func() {
+		c.connErr = err
+		close(c.connDone)
+		c.quicConn.CloseWithError(0, "")
+	})
+}
+
+type clientConn struct {
+	quic.Stream
+	destination    M.Socksaddr
+	requestWritten bool
+	responseRead   bool
+}
+
+func (c *clientConn) NeedHandshake() bool {
+	return !c.requestWritten
+}
+
+func (c *clientConn) Read(p []byte) (n int, err error) {
+	if c.responseRead {
+		return c.Stream.Read(p)
+	}
+	status, errorMessage, err := protocol.ReadTCPResponse(c.Stream)
+	if err != nil {
+		return
+	}
+	if !status {
+		err = E.New("remote error: ", errorMessage)
+		return
+	}
+	c.responseRead = true
+	return c.Stream.Read(p)
+}
+
+func (c *clientConn) Write(p []byte) (n int, err error) {
+	if !c.requestWritten {
+		buffer := protocol.WriteTCPRequest(c.destination.String(), p)
+		defer buffer.Release()
+		_, err = c.Stream.Write(buffer.Bytes())
+		if err != nil {
+			return
+		}
+		c.requestWritten = true
+		return len(p), nil
+	}
+	return c.Stream.Write(p)
+}
+
+func (c *clientConn) LocalAddr() net.Addr {
+	return M.Socksaddr{}
+}
+
+func (c *clientConn) RemoteAddr() net.Addr {
+	return M.Socksaddr{}
+}