From ef185fed095ae794f66c1869174852154921e6f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E4=B8=96=E7=95=8C?= <i@sekai.icu>
Date: Mon, 15 Sep 2025 19:52:28 +0800
Subject: [PATCH] Update WireGuard and Tailscale

---
 common/dialer/default.go           | 14 ++------------
 common/dialer/wireguard.go         |  6 +-----
 go.mod                             |  2 +-
 go.sum                             |  4 ++--
 protocol/wireguard/init.go         | 10 ----------
 service/derp/service.go            |  7 ++++---
 transport/wireguard/client_bind.go | 13 ++++++++-----
 transport/wireguard/endpoint.go    |  5 +++--
 8 files changed, 21 insertions(+), 40 deletions(-)
 delete mode 100644 protocol/wireguard/init.go

diff --git a/common/dialer/default.go b/common/dialer/default.go
index 7eac37296..992b3a89b 100644
--- a/common/dialer/default.go
+++ b/common/dialer/default.go
@@ -356,18 +356,8 @@ func (d *DefaultDialer) ListenSerialInterfacePacket(ctx context.Context, destina
 	return trackPacketConn(packetConn, nil)
 }
 
-func (d *DefaultDialer) ListenPacketCompat(network, address string) (net.PacketConn, error) {
-	udpListener := d.udpListener
-	udpListener.Control = control.Append(udpListener.Control, func(network, address string, conn syscall.RawConn) error {
-		for _, wgControlFn := range WgControlFns {
-			err := wgControlFn(network, address, conn)
-			if err != nil {
-				return err
-			}
-		}
-		return nil
-	})
-	return udpListener.ListenPacket(context.Background(), network, address)
+func (d *DefaultDialer) WireGuardControl() control.Func {
+	return d.udpListener.Control
 }
 
 func trackConn(conn net.Conn, err error) (net.Conn, error) {
diff --git a/common/dialer/wireguard.go b/common/dialer/wireguard.go
index fbd323d80..8a916a591 100644
--- a/common/dialer/wireguard.go
+++ b/common/dialer/wireguard.go
@@ -1,13 +1,9 @@
 package dialer
 
 import (
-	"net"
-
 	"github.com/sagernet/sing/common/control"
 )
 
 type WireGuardListener interface {
-	ListenPacketCompat(network, address string) (net.PacketConn, error)
+	WireGuardControl() control.Func
 }
-
-var WgControlFns []control.Func
diff --git a/go.mod b/go.mod
index 01e95b630..23cf360b6 100644
--- a/go.mod
+++ b/go.mod
@@ -25,7 +25,7 @@ require (
 	github.com/sagernet/cors v1.2.1
 	github.com/sagernet/fswatch v0.1.1
 	github.com/sagernet/gomobile v0.1.8
-	github.com/sagernet/gvisor v0.0.0-20250909151924-850a370d8506
+	github.com/sagernet/gvisor v0.0.0-20250811.0-sing-box-mod.1
 	github.com/sagernet/quic-go v0.54.0-sing-box-mod.3
 	github.com/sagernet/sing v0.8.0-beta.6
 	github.com/sagernet/sing-mux v0.3.3
diff --git a/go.sum b/go.sum
index 7965f5a03..58745f914 100644
--- a/go.sum
+++ b/go.sum
@@ -148,8 +148,8 @@ github.com/sagernet/fswatch v0.1.1 h1:YqID+93B7VRfqIH3PArW/XpJv5H4OLEVWDfProGoRQ
 github.com/sagernet/fswatch v0.1.1/go.mod h1:nz85laH0mkQqJfaOrqPpkwtU1znMFNVTpT/5oRsVz/o=
 github.com/sagernet/gomobile v0.1.8 h1:vXgoN0pjsMONAaYCTdsKBX2T1kxuS7sbT/mZ7PElGoo=
 github.com/sagernet/gomobile v0.1.8/go.mod h1:A8l3FlHi2D/+mfcd4HHvk5DGFPW/ShFb9jHP5VmSiDY=
-github.com/sagernet/gvisor v0.0.0-20250909151924-850a370d8506 h1:x/t3XqWshOlWqRuumpvbUvjtEr/6mJuBXAVovPefbUg=
-github.com/sagernet/gvisor v0.0.0-20250909151924-850a370d8506/go.mod h1:QkkPEJLw59/tfxgapHta14UL5qMUah5NXhO0Kw2Kan4=
+github.com/sagernet/gvisor v0.0.0-20250811.0-sing-box-mod.1 h1:AzCE2RhBjLJ4WIWc/GejpNh+z30d5H1hwaB0nD9eY3o=
+github.com/sagernet/gvisor v0.0.0-20250811.0-sing-box-mod.1/go.mod h1:NJKBtm9nVEK3iyOYWsUlrDQuoGh4zJ4KOPhSYVidvQ4=
 github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a h1:ObwtHN2VpqE0ZNjr6sGeT00J8uU7JF4cNUdb44/Duis=
 github.com/sagernet/netlink v0.0.0-20240612041022-b9a21c07ac6a/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
 github.com/sagernet/nftables v0.3.0-beta.4 h1:kbULlAwAC3jvdGAC1P5Fa3GSxVwQJibNenDW2zaXr8I=
diff --git a/protocol/wireguard/init.go b/protocol/wireguard/init.go
deleted file mode 100644
index 848c113be..000000000
--- a/protocol/wireguard/init.go
+++ /dev/null
@@ -1,10 +0,0 @@
-package wireguard
-
-import (
-	"github.com/sagernet/sing-box/common/dialer"
-	"github.com/sagernet/wireguard-go/conn"
-)
-
-func init() {
-	dialer.WgControlFns = conn.ControlFns
-}
diff --git a/service/derp/service.go b/service/derp/service.go
index 686afc7c9..049a5e4d4 100644
--- a/service/derp/service.go
+++ b/service/derp/service.go
@@ -36,7 +36,7 @@ import (
 	aTLS "github.com/sagernet/sing/common/tls"
 	"github.com/sagernet/sing/service"
 	"github.com/sagernet/sing/service/filemanager"
-	"github.com/sagernet/tailscale/client/tailscale"
+	"github.com/sagernet/tailscale/client/local"
 	"github.com/sagernet/tailscale/derp"
 	"github.com/sagernet/tailscale/derp/derphttp"
 	"github.com/sagernet/tailscale/net/netmon"
@@ -244,7 +244,7 @@ func (d *Service) Start(stage adapter.StartStage) error {
 		}
 	case adapter.StartStatePostStart:
 		if len(d.verifyClientEndpoint) > 0 {
-			var endpoints []*tailscale.LocalClient
+			var endpoints []*local.Client
 			endpointManager := service.FromContext[adapter.EndpointManager](d.ctx)
 			for _, endpointTag := range d.verifyClientEndpoint {
 				endpoint, loaded := endpointManager.Get(endpointTag)
@@ -343,7 +343,8 @@ func (d *Service) startMeshWithHost(derpServer *derp.Server, server *option.DERP
 	})
 	add := func(m derp.PeerPresentMessage) { derpServer.AddPacketForwarder(m.Key, meshClient) }
 	remove := func(m derp.PeerGoneMessage) { derpServer.RemovePacketForwarder(m.Peer, meshClient) }
-	go meshClient.RunWatchConnectionLoop(context.Background(), derpServer.PublicKey(), logf, add, remove)
+	notifyError := func(err error) { d.logger.Error(err) }
+	go meshClient.RunWatchConnectionLoop(context.Background(), derpServer.PublicKey(), logf, add, remove, notifyError)
 	return nil
 }
 
diff --git a/transport/wireguard/client_bind.go b/transport/wireguard/client_bind.go
index f1081855d..54b7be86c 100644
--- a/transport/wireguard/client_bind.go
+++ b/transport/wireguard/client_bind.go
@@ -162,7 +162,7 @@ func (c *ClientBind) SetMark(mark uint32) error {
 	return nil
 }
 
-func (c *ClientBind) Send(bufs [][]byte, ep conn.Endpoint) error {
+func (c *ClientBind) Send(bufs [][]byte, ep conn.Endpoint, offset int) error {
 	udpConn, err := c.connect()
 	if err != nil {
 		c.pauseManager.WaitActive()
@@ -170,15 +170,18 @@ func (c *ClientBind) Send(bufs [][]byte, ep conn.Endpoint) error {
 		return err
 	}
 	destination := netip.AddrPort(ep.(remoteEndpoint))
-	for _, b := range bufs {
-		if len(b) > 3 {
+	for _, buf := range bufs {
+		if offset > 0 {
+			buf = buf[offset:]
+		}
+		if len(buf) > 3 {
 			reserved, loaded := c.reservedForEndpoint[destination]
 			if !loaded {
 				reserved = c.reserved
 			}
-			copy(b[1:4], reserved[:])
+			copy(buf[1:4], reserved[:])
 		}
-		_, err = udpConn.WriteToUDPAddrPort(b, destination)
+		_, err = udpConn.WriteToUDPAddrPort(buf, destination)
 		if err != nil {
 			udpConn.Close()
 			return err
diff --git a/transport/wireguard/endpoint.go b/transport/wireguard/endpoint.go
index 12718b913..dac07c859 100644
--- a/transport/wireguard/endpoint.go
+++ b/transport/wireguard/endpoint.go
@@ -14,6 +14,7 @@ import (
 	"unsafe"
 
 	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/dialer"
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -153,9 +154,9 @@ func (e *Endpoint) Start(resolve bool) error {
 		return nil
 	}
 	var bind conn.Bind
-	wgListener, isWgListener := common.Cast[conn.Listener](e.options.Dialer)
+	wgListener, isWgListener := common.Cast[dialer.WireGuardListener](e.options.Dialer)
 	if isWgListener {
-		bind = conn.NewStdNetBind(wgListener)
+		bind = conn.NewStdNetBind(wgListener.WireGuardControl())
 	} else {
 		var (
 			isConnect   bool