Fix hysteria test

Update documentation
Add multi user support for hysteria inbound
2026-04-11 17:47:20 +10:00 · 2022-11-10 21:10:18 +08:00 · 2022-11-10 16:33:10 +08:00 · 2022-11-09 21:00:08 +08:00 · 2022-11-09 12:15:14 +08:00 · 2022-11-09 11:46:29 +08:00
59 changed files with 987 additions and 388 deletions
--- a/adapter/router.go
+++ b/adapter/router.go
@@ -60,3 +60,7 @@ type DNSRule interface {
 	Rule
 	DisableCache() bool
 }
+
+type InterfaceUpdateListener interface {
+	InterfaceUpdated() error
+}
--- a/common/dialer/default.go
+++ b/common/dialer/default.go
@@ -3,7 +3,6 @@ package dialer
 import (
 	"context"
 	"net"
-	"net/netip"
 	"time"

 	"github.com/sagernet/sing-box/adapter"
@@ -54,10 +53,13 @@ var warnTFOOnUnsupportedPlatform = warning.New(
 )

 type DefaultDialer struct {
-	dialer      tfo.Dialer
-	udpDialer   net.Dialer
+	dialer4     tfo.Dialer
+	dialer6     tfo.Dialer
+	udpDialer4  net.Dialer
+	udpDialer6  net.Dialer
 	udpListener net.ListenConfig
-	bindUDPAddr string
+	udpAddr4    string
+	udpAddr6    string
 }

 func NewDefault(router adapter.Router, options option.DialerOptions) *DefaultDialer {
@@ -120,22 +122,37 @@ func NewDefault(router adapter.Router, options option.DialerOptions) *DefaultDia
 		dialer.Control = control.Append(dialer.Control, control.DisableUDPFragment())
 		listener.Control = control.Append(listener.Control, control.DisableUDPFragment())
 	}
-	var bindUDPAddr string
-	udpDialer := dialer
-	var bindAddress netip.Addr
-	if options.BindAddress != nil {
-		bindAddress = options.BindAddress.Build()
+	var (
+		dialer4    = dialer
+		udpDialer4 = dialer
+		udpAddr4   string
+	)
+	if options.Inet4BindAddress != nil {
+		bindAddr := options.Inet4BindAddress.Build()
+		dialer4.LocalAddr = &net.TCPAddr{IP: bindAddr.AsSlice()}
+		udpDialer4.LocalAddr = &net.UDPAddr{IP: bindAddr.AsSlice()}
+		udpAddr4 = M.SocksaddrFrom(bindAddr, 0).String()
 	}
-	if bindAddress.IsValid() {
-		dialer.LocalAddr = &net.TCPAddr{
-			IP: bindAddress.AsSlice(),
-		}
-		udpDialer.LocalAddr = &net.UDPAddr{
-			IP: bindAddress.AsSlice(),
-		}
-		bindUDPAddr = M.SocksaddrFrom(bindAddress, 0).String()
+	var (
+		dialer6    = dialer
+		udpDialer6 = dialer
+		udpAddr6   string
+	)
+	if options.Inet6BindAddress != nil {
+		bindAddr := options.Inet6BindAddress.Build()
+		dialer6.LocalAddr = &net.TCPAddr{IP: bindAddr.AsSlice()}
+		udpDialer6.LocalAddr = &net.UDPAddr{IP: bindAddr.AsSlice()}
+		udpAddr6 = M.SocksaddrFrom(bindAddr, 0).String()
+	}
+	return &DefaultDialer{
+		tfo.Dialer{Dialer: dialer4, DisableTFO: !options.TCPFastOpen},
+		tfo.Dialer{Dialer: dialer6, DisableTFO: !options.TCPFastOpen},
+		udpDialer4,
+		udpDialer6,
+		listener,
+		udpAddr4,
+		udpAddr6,
 	}
-	return &DefaultDialer{tfo.Dialer{Dialer: dialer, DisableTFO: !options.TCPFastOpen}, udpDialer, listener, bindUDPAddr}
 }

 func (d *DefaultDialer) DialContext(ctx context.Context, network string, address M.Socksaddr) (net.Conn, error) {
@@ -144,11 +161,23 @@ func (d *DefaultDialer) DialContext(ctx context.Context, network string, address
 	}
 	switch N.NetworkName(network) {
 	case N.NetworkUDP:
-		return d.udpDialer.DialContext(ctx, network, address.String())
+		if !address.IsIPv6() {
+			return d.udpDialer4.DialContext(ctx, network, address.String())
+		} else {
+			return d.udpDialer6.DialContext(ctx, network, address.String())
+		}
+	}
+	if !address.IsIPv6() {
+		return DialSlowContext(&d.dialer4, ctx, network, address)
+	} else {
+		return DialSlowContext(&d.dialer6, ctx, network, address)
 	}
-	return DialSlowContext(&d.dialer, ctx, network, address)
 }

 func (d *DefaultDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	return d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.bindUDPAddr)
+	if !destination.IsIPv6() {
+		return d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr4)
+	} else {
+		return d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr6)
+	}
 }
--- a/common/mux/protocol.go
+++ b/common/mux/protocol.go
@@ -43,7 +43,7 @@ func ParseProtocol(name string) (Protocol, error) {
 func (p Protocol) newServer(conn net.Conn) (abstractSession, error) {
 	switch p {
 	case ProtocolSMux:
-		session, err := smux.Server(conn, nil)
+		session, err := smux.Server(conn, smuxConfig())
 		if err != nil {
 			return nil, err
 		}
@@ -58,7 +58,7 @@ func (p Protocol) newServer(conn net.Conn) (abstractSession, error) {
 func (p Protocol) newClient(conn net.Conn) (abstractSession, error) {
 	switch p {
 	case ProtocolSMux:
-		session, err := smux.Client(conn, nil)
+		session, err := smux.Client(conn, smuxConfig())
 		if err != nil {
 			return nil, err
 		}
@@ -70,6 +70,12 @@ func (p Protocol) newClient(conn net.Conn) (abstractSession, error) {
 	}
 }

+func smuxConfig() *smux.Config {
+	config := smux.DefaultConfig()
+	config.KeepAliveDisabled = true
+	return config
+}
+
 func yaMuxConfig() *yamux.Config {
 	config := yamux.DefaultConfig()
 	config.LogOutput = io.Discard
--- a/common/process/searcher_darwin.go
+++ b/common/process/searcher_darwin.go
@@ -5,6 +5,8 @@ import (
 	"encoding/binary"
 	"net/netip"
 	"os"
+	"strconv"
+	"strings"
 	"syscall"
 	"unsafe"

@@ -29,6 +31,22 @@ func (d *darwinSearcher) FindProcessInfo(ctx context.Context, network string, so
 	return &Info{ProcessPath: processName, UserId: -1}, nil
 }

+var structSize = func() int {
+	value, _ := syscall.Sysctl("kern.osrelease")
+	major, _, _ := strings.Cut(value, ".")
+	n, _ := strconv.ParseInt(major, 10, 64)
+	switch true {
+	case n >= 22:
+		return 408
+	default:
+		// from darwin-xnu/bsd/netinet/in_pcblist.c:get_pcblist_n
+		// size/offset are round up (aligned) to 8 bytes in darwin
+		// rup8(sizeof(xinpcb_n)) + rup8(sizeof(xsocket_n)) +
+		// 2 * rup8(sizeof(xsockbuf_n)) + rup8(sizeof(xsockstat_n))
+		return 384
+	}
+}()
+
 func findProcessName(network string, ip netip.Addr, port int) (string, error) {
 	var spath string
 	switch network {
@@ -53,7 +71,7 @@ func findProcessName(network string, ip netip.Addr, port int) (string, error) {
 	// size/offset are round up (aligned) to 8 bytes in darwin
 	// rup8(sizeof(xinpcb_n)) + rup8(sizeof(xsocket_n)) +
 	// 2 * rup8(sizeof(xsockbuf_n)) + rup8(sizeof(xsockstat_n))
-	itemSize := 384
+	itemSize := structSize
 	if network == N.NetworkTCP {
 		// rup8(sizeof(xtcpcb_n))
 		itemSize += 208
--- a/common/tls/client.go
+++ b/common/tls/client.go
@@ -24,11 +24,11 @@ func NewDialerFromOptions(router adapter.Router, dialer N.Dialer, serverAddress

 func NewClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	if options.ECH != nil && options.ECH.Enabled {
-		return newECHClient(router, serverAddress, options)
+		return NewECHClient(router, serverAddress, options)
 	} else if options.UTLS != nil && options.UTLS.Enabled {
-		return newUTLSClient(router, serverAddress, options)
+		return NewUTLSClient(router, serverAddress, options)
 	} else {
-		return newStdClient(serverAddress, options)
+		return NewSTDClient(serverAddress, options)
 	}
 }

--- a/common/tls/config.go
+++ b/common/tls/config.go
@@ -15,10 +15,13 @@ type (
 )

 type Config interface {
+	ServerName() string
+	SetServerName(serverName string)
 	NextProtos() []string
 	SetNextProtos(nextProto []string)
 	Config() (*STDConfig, error)
 	Client(conn net.Conn) Conn
+	Clone() Config
 }

 type ServerConfig interface {
--- a/common/tls/ech_client.go
+++ b/common/tls/ech_client.go
@@ -20,26 +20,40 @@ import (
 	mDNS "github.com/miekg/dns"
 )

-type echClientConfig struct {
+type ECHClientConfig struct {
 	config *cftls.Config
 }

-func (e *echClientConfig) NextProtos() []string {
+func (e *ECHClientConfig) ServerName() string {
+	return e.config.ServerName
+}
+
+func (e *ECHClientConfig) SetServerName(serverName string) {
+	e.config.ServerName = serverName
+}
+
+func (e *ECHClientConfig) NextProtos() []string {
 	return e.config.NextProtos
 }

-func (e *echClientConfig) SetNextProtos(nextProto []string) {
+func (e *ECHClientConfig) SetNextProtos(nextProto []string) {
 	e.config.NextProtos = nextProto
 }

-func (e *echClientConfig) Config() (*STDConfig, error) {
+func (e *ECHClientConfig) Config() (*STDConfig, error) {
 	return nil, E.New("unsupported usage for ECH")
 }

-func (e *echClientConfig) Client(conn net.Conn) Conn {
+func (e *ECHClientConfig) Client(conn net.Conn) Conn {
 	return &echConnWrapper{cftls.Client(conn, e.config)}
 }

+func (e *ECHClientConfig) Clone() Config {
+	return &ECHClientConfig{
+		config: e.config.Clone(),
+	}
+}
+
 type echConnWrapper struct {
 	*cftls.Conn
 }
@@ -62,7 +76,7 @@ func (c *echConnWrapper) ConnectionState() tls.ConnectionState {
 	}
 }

-func newECHClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewECHClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	var serverName string
 	if options.ServerName != "" {
 		serverName = options.ServerName
@@ -162,7 +176,7 @@ func newECHClient(router adapter.Router, serverAddress string, options option.Ou
 	} else {
 		tlsConfig.GetClientECHConfigs = fetchECHClientConfig(router)
 	}
-	return &echClientConfig{&tlsConfig}, nil
+	return &ECHClientConfig{&tlsConfig}, nil
 }

 func fetchECHClientConfig(router adapter.Router) func(ctx context.Context, serverName string) ([]cftls.ECHConfig, error) {
--- a/common/tls/ech_stub.go
+++ b/common/tls/ech_stub.go
@@ -8,6 +8,6 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 )

-func newECHClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewECHClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	return nil, E.New(`ECH is not included in this build, rebuild with -tags with_ech`)
 }
--- a/common/tls/server.go
+++ b/common/tls/server.go
@@ -12,7 +12,7 @@ import (
 )

 func NewServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
-	return newSTDServer(ctx, logger, options)
+	return NewSTDServer(ctx, logger, options)
 }

 func ServerHandshake(ctx context.Context, conn net.Conn, config ServerConfig) (Conn, error) {
--- a/common/tls/std_client.go
+++ b/common/tls/std_client.go
@@ -11,11 +11,39 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 )

-type stdClientConfig struct {
+type STDClientConfig struct {
 	config *tls.Config
 }

-func newStdClient(serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func (s *STDClientConfig) ServerName() string {
+	return s.config.ServerName
+}
+
+func (s *STDClientConfig) SetServerName(serverName string) {
+	s.config.ServerName = serverName
+}
+
+func (s *STDClientConfig) NextProtos() []string {
+	return s.config.NextProtos
+}
+
+func (s *STDClientConfig) SetNextProtos(nextProto []string) {
+	s.config.NextProtos = nextProto
+}
+
+func (s *STDClientConfig) Config() (*STDConfig, error) {
+	return s.config, nil
+}
+
+func (s *STDClientConfig) Client(conn net.Conn) Conn {
+	return tls.Client(conn, s.config)
+}
+
+func (s *STDClientConfig) Clone() Config {
+	return &STDClientConfig{s.config.Clone()}
+}
+
+func NewSTDClient(serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	var serverName string
 	if options.ServerName != "" {
 		serverName = options.ServerName
@@ -96,21 +124,5 @@ func newStdClient(serverAddress string, options option.OutboundTLSOptions) (Conf
 		}
 		tlsConfig.RootCAs = certPool
 	}
-	return &stdClientConfig{&tlsConfig}, nil
-}
-
-func (s *stdClientConfig) NextProtos() []string {
-	return s.config.NextProtos
-}
-
-func (s *stdClientConfig) SetNextProtos(nextProto []string) {
-	s.config.NextProtos = nextProto
-}
-
-func (s *stdClientConfig) Config() (*STDConfig, error) {
-	return s.config, nil
-}
-
-func (s *stdClientConfig) Client(conn net.Conn) Conn {
-	return tls.Client(conn, s.config)
+	return &STDClientConfig{&tlsConfig}, nil
 }
--- a/common/tls/std_server.go
+++ b/common/tls/std_server.go
@@ -15,6 +15,8 @@ import (
 	"github.com/fsnotify/fsnotify"
 )

+var errInsecureUnused = E.New("tls: insecure unused")
+
 type STDServerConfig struct {
 	config          *tls.Config
 	logger          log.Logger
@@ -26,6 +28,14 @@ type STDServerConfig struct {
 	watcher         *fsnotify.Watcher
 }

+func (c *STDServerConfig) ServerName() string {
+	return c.config.ServerName
+}
+
+func (c *STDServerConfig) SetServerName(serverName string) {
+	c.config.ServerName = serverName
+}
+
 func (c *STDServerConfig) NextProtos() []string {
 	return c.config.NextProtos
 }
@@ -34,9 +44,119 @@ func (c *STDServerConfig) SetNextProtos(nextProto []string) {
 	c.config.NextProtos = nextProto
 }

-var errInsecureUnused = E.New("tls: insecure unused")
+func (c *STDServerConfig) Config() (*STDConfig, error) {
+	return c.config, nil
+}

-func newSTDServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
+func (c *STDServerConfig) Client(conn net.Conn) Conn {
+	return tls.Client(conn, c.config)
+}
+
+func (c *STDServerConfig) Server(conn net.Conn) Conn {
+	return tls.Server(conn, c.config)
+}
+
+func (c *STDServerConfig) Clone() Config {
+	return &STDServerConfig{
+		config: c.config.Clone(),
+	}
+}
+
+func (c *STDServerConfig) Start() error {
+	if c.acmeService != nil {
+		return c.acmeService.Start()
+	} else {
+		if c.certificatePath == "" && c.keyPath == "" {
+			return nil
+		}
+		err := c.startWatcher()
+		if err != nil {
+			c.logger.Warn("create fsnotify watcher: ", err)
+		}
+		return nil
+	}
+}
+
+func (c *STDServerConfig) startWatcher() error {
+	watcher, err := fsnotify.NewWatcher()
+	if err != nil {
+		return err
+	}
+	if c.certificatePath != "" {
+		err = watcher.Add(c.certificatePath)
+		if err != nil {
+			return err
+		}
+	}
+	if c.keyPath != "" {
+		err = watcher.Add(c.keyPath)
+		if err != nil {
+			return err
+		}
+	}
+	c.watcher = watcher
+	go c.loopUpdate()
+	return nil
+}
+
+func (c *STDServerConfig) loopUpdate() {
+	for {
+		select {
+		case event, ok := <-c.watcher.Events:
+			if !ok {
+				return
+			}
+			if event.Op&fsnotify.Write != fsnotify.Write {
+				continue
+			}
+			err := c.reloadKeyPair()
+			if err != nil {
+				c.logger.Error(E.Cause(err, "reload TLS key pair"))
+			}
+		case err, ok := <-c.watcher.Errors:
+			if !ok {
+				return
+			}
+			c.logger.Error(E.Cause(err, "fsnotify error"))
+		}
+	}
+}
+
+func (c *STDServerConfig) reloadKeyPair() error {
+	if c.certificatePath != "" {
+		certificate, err := os.ReadFile(c.certificatePath)
+		if err != nil {
+			return E.Cause(err, "reload certificate from ", c.certificatePath)
+		}
+		c.certificate = certificate
+	}
+	if c.keyPath != "" {
+		key, err := os.ReadFile(c.keyPath)
+		if err != nil {
+			return E.Cause(err, "reload key from ", c.keyPath)
+		}
+		c.key = key
+	}
+	keyPair, err := tls.X509KeyPair(c.certificate, c.key)
+	if err != nil {
+		return E.Cause(err, "reload key pair")
+	}
+	c.config.Certificates = []tls.Certificate{keyPair}
+	c.logger.Info("reloaded TLS certificate")
+	return nil
+}
+
+func (c *STDServerConfig) Close() error {
+	if c.acmeService != nil {
+		return c.acmeService.Close()
+	}
+	if c.watcher != nil {
+		return c.watcher.Close()
+	}
+	return nil
+}
+
+func NewSTDServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
 	if !options.Enabled {
 		return nil, nil
 	}
@@ -136,109 +256,3 @@ func newSTDServer(ctx context.Context, logger log.Logger, options option.Inbound
 		keyPath:         options.KeyPath,
 	}, nil
 }
-
-func (c *STDServerConfig) Config() (*STDConfig, error) {
-	return c.config, nil
-}
-
-func (c *STDServerConfig) Client(conn net.Conn) Conn {
-	return tls.Client(conn, c.config)
-}
-
-func (c *STDServerConfig) Server(conn net.Conn) Conn {
-	return tls.Server(conn, c.config)
-}
-
-func (c *STDServerConfig) Start() error {
-	if c.acmeService != nil {
-		return c.acmeService.Start()
-	} else {
-		if c.certificatePath == "" && c.keyPath == "" {
-			return nil
-		}
-		err := c.startWatcher()
-		if err != nil {
-			c.logger.Warn("create fsnotify watcher: ", err)
-		}
-		return nil
-	}
-}
-
-func (c *STDServerConfig) startWatcher() error {
-	watcher, err := fsnotify.NewWatcher()
-	if err != nil {
-		return err
-	}
-	if c.certificatePath != "" {
-		err = watcher.Add(c.certificatePath)
-		if err != nil {
-			return err
-		}
-	}
-	if c.keyPath != "" {
-		err = watcher.Add(c.keyPath)
-		if err != nil {
-			return err
-		}
-	}
-	c.watcher = watcher
-	go c.loopUpdate()
-	return nil
-}
-
-func (c *STDServerConfig) loopUpdate() {
-	for {
-		select {
-		case event, ok := <-c.watcher.Events:
-			if !ok {
-				return
-			}
-			if event.Op&fsnotify.Write != fsnotify.Write {
-				continue
-			}
-			err := c.reloadKeyPair()
-			if err != nil {
-				c.logger.Error(E.Cause(err, "reload TLS key pair"))
-			}
-		case err, ok := <-c.watcher.Errors:
-			if !ok {
-				return
-			}
-			c.logger.Error(E.Cause(err, "fsnotify error"))
-		}
-	}
-}
-
-func (c *STDServerConfig) reloadKeyPair() error {
-	if c.certificatePath != "" {
-		certificate, err := os.ReadFile(c.certificatePath)
-		if err != nil {
-			return E.Cause(err, "reload certificate from ", c.certificatePath)
-		}
-		c.certificate = certificate
-	}
-	if c.keyPath != "" {
-		key, err := os.ReadFile(c.keyPath)
-		if err != nil {
-			return E.Cause(err, "reload key from ", c.keyPath)
-		}
-		c.key = key
-	}
-	keyPair, err := tls.X509KeyPair(c.certificate, c.key)
-	if err != nil {
-		return E.Cause(err, "reload key pair")
-	}
-	c.config.Certificates = []tls.Certificate{keyPair}
-	c.logger.Info("reloaded TLS certificate")
-	return nil
-}
-
-func (c *STDServerConfig) Close() error {
-	if c.acmeService != nil {
-		return c.acmeService.Close()
-	}
-	if c.watcher != nil {
-		return c.watcher.Close()
-	}
-	return nil
-}
--- a/common/tls/utls_client.go
+++ b/common/tls/utls_client.go
@@ -14,27 +14,34 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"

 	utls "github.com/refraction-networking/utls"
-	"context"
 )

-type utlsClientConfig struct {
+type UTLSClientConfig struct {
 	config *utls.Config
 	id     utls.ClientHelloID
 }

-func (e *utlsClientConfig) NextProtos() []string {
+func (e *UTLSClientConfig) ServerName() string {
+	return e.config.ServerName
+}
+
+func (e *UTLSClientConfig) SetServerName(serverName string) {
+	e.config.ServerName = serverName
+}
+
+func (e *UTLSClientConfig) NextProtos() []string {
 	return e.config.NextProtos
 }

-func (e *utlsClientConfig) SetNextProtos(nextProto []string) {
+func (e *UTLSClientConfig) SetNextProtos(nextProto []string) {
 	e.config.NextProtos = nextProto
 }

-func (e *utlsClientConfig) Config() (*STDConfig, error) {
+func (e *UTLSClientConfig) Config() (*STDConfig, error) {
 	return nil, E.New("unsupported usage for uTLS")
 }

-func (e *utlsClientConfig) Client(conn net.Conn) Conn {
+func (e *UTLSClientConfig) Client(conn net.Conn) Conn {
 	return &utlsConnWrapper{utls.UClient(conn, e.config.Clone(), e.id)}
 }

@@ -42,10 +49,6 @@ type utlsConnWrapper struct {
 	*utls.UConn
 }

-func (c *utlsConnWrapper) HandshakeContext(ctx context.Context) error {
-	return c.UConn.HandshakeContext(ctx)
-}
-
 func (c *utlsConnWrapper) ConnectionState() tls.ConnectionState {
 	state := c.Conn.ConnectionState()
 	return tls.ConnectionState{
@@ -64,7 +67,14 @@ func (c *utlsConnWrapper) ConnectionState() tls.ConnectionState {
 	}
 }

-func newUTLSClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func (e *UTLSClientConfig) Clone() Config {
+	return &UTLSClientConfig{
+		config: e.config.Clone(),
+		id:     e.id,
+	}
+}
+
+func NewUTLSClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	var serverName string
 	if options.ServerName != "" {
 		serverName = options.ServerName
@@ -157,5 +167,5 @@ func newUTLSClient(router adapter.Router, serverAddress string, options option.O
 	default:
 		return nil, E.New("unknown uTLS fingerprint: ", options.UTLS.Fingerprint)
 	}
-	return &utlsClientConfig{&tlsConfig, id}, nil
+	return &UTLSClientConfig{&tlsConfig, id}, nil
 }
--- a/common/tls/utls_stub.go
+++ b/common/tls/utls_stub.go
@@ -8,6 +8,6 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 )

-func newUTLSClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewUTLSClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	return nil, E.New(`uTLS is not included in this build, rebuild with -tags with_utls`)
 }
--- a/constant/version.go
+++ b/constant/version.go
@@ -1,3 +1,3 @@
 package constant

-var Version = "1.1-beta12"
+var Version = "1.1-beta14"
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -1,3 +1,26 @@
+#### 1.1-beta14
+
+* Add multi-user support for hysteria inbound **1**
+* Add custom tls client support for std grpc
+* Fix smux keep alive
+* Fix vmess request buffer
+* Fix default local DNS server behavior
+* Fix h2c transport
+
+*1*:
+
+The `auth` and `auth_str` fields have been replaced by the `users` field.
+
+#### 1.1-beta13
+
+* Add custom worker count option for WireGuard outbound
+* Split bind_address into ipv4 and ipv6
+* Move WFP manipulation to strict route
+* Fix WireGuard outbound panic when close
+* Fix macOS Ventura process name match
+* Fix QUIC connection migration by @HyNetwork
+* Fix handling QUIC client SNI by @HyNetwork
+
 #### 1.1-beta12

 * Fix uTLS config
@@ -58,7 +81,8 @@ The `strict_route` on windows is removed.

 **2**:

-See [ShadowTLS inbound](/configuration/inbound/shadowtls#version) and [ShadowTLS outbound](/configuration/outbound/shadowtls#version)
+See [ShadowTLS inbound](/configuration/inbound/shadowtls#version)
+and [ShadowTLS outbound](/configuration/outbound/shadowtls#version)

 #### 1.1-beta8

--- a/docs/configuration/inbound/hysteria.md
+++ b/docs/configuration/inbound/hysteria.md
@@ -12,8 +12,15 @@
  "down": "100 Mbps",
  "down_mbps": 100,
  "obfs": "fuck me till the daylight",
-  "auth": "",
-  "auth_str": "password",
+
+  "users": [
+    {
+      "name": "sekai",
+      "auth": "",
+      "auth_str": "password"
+    }
+  ],
+  
  "recv_window_conn": 0,
  "recv_window_client": 0,
  "max_conn_client": 0,
@@ -61,11 +68,19 @@ Supported units (case sensitive, b = bits, B = bytes, 8b=1B):

 Obfuscated password.

-#### auth
+#### users
+
+Hysteria users
+
+#### users.auth
+
+==Required if `auth_str` is empty==

 Authentication password, in base64.

-#### auth_str
+#### users.auth_str
+
+==Required if `auth` is empty==

 Authentication password.

--- a/docs/configuration/inbound/hysteria.zh.md
+++ b/docs/configuration/inbound/hysteria.zh.md
@@ -12,8 +12,15 @@
  "down": "100 Mbps",
  "down_mbps": 100,
  "obfs": "fuck me till the daylight",
-  "auth": "",
-  "auth_str": "password",
+
+  "users": [
+    {
+      "name": "sekai",
+      "auth": "",
+      "auth_str": "password"
+    }
+  ],
+
  "recv_window_conn": 0,
  "recv_window_client": 0,
  "max_conn_client": 0,
@@ -61,11 +68,19 @@

 混淆密码。

-#### auth
+#### users
+
+Hysteria 用户
+
+#### users.auth
+
+==与 auth_str 必填一个==

 base64 编码的认证密码。

-#### auth_str
+#### users.auth_str
+
+==与 auth 必填一个==

 认证密码。

--- a/docs/configuration/inbound/tun.md
+++ b/docs/configuration/inbound/tun.md
@@ -93,16 +93,23 @@ Set the default route to the Tun.

 #### strict_route

-*In Linux*:
-
 Enforce strict routing rules when `auto_route` is enabled:

+*In Linux*:
+
 * Let unsupported network unreachable
 * Route all connections to tun

 It prevents address leaks and makes DNS hijacking work on Android and Linux with systemd-resolved, but your device will
 not be accessible by others.

+*In Windows*:
+
+* Add firewall rules to prevent DNS leak caused by
+  Windows' [ordinary multihomed DNS resolution behavior](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197552%28v%3Dws.10%29)
+
+It may prevent some applications (such as VirtualBox) from working properly in certain situations.
+
 #### inet4_route_address

 Use custom routes instead of default when `auto_route` is enabled.
--- a/docs/configuration/inbound/tun.zh.md
+++ b/docs/configuration/inbound/tun.zh.md
@@ -8,7 +8,6 @@
 {
  "type": "tun",
  "tag": "tun-in",
-
  "interface_name": "tun0",
  "inet4_address": "172.19.0.1/30",
  "inet6_address": "fdfe:dcba:9876::1/126",
@@ -47,8 +46,8 @@
  "exclude_package": [
    "com.android.captiveportallogin"
  ],
-
-  ... // 监听字段
+  ...
+  // 监听字段
 }
 ```

@@ -94,15 +93,23 @@ tun 接口的 IPv6 前缀。

 #### strict_route

-*在 Linux 中*:
-
 启用 `auto_route` 时执行严格的路由规则。

+*在 Linux 中*:
+
 * 让不支持的网络无法到达
 * 将所有连接路由到 tun

 它可以防止地址泄漏，并使 DNS 劫持在 Android 和使用 systemd-resolved 的 Linux 上工作，但你的设备将无法其他设备被访问。

+*在 Windows 中*:
+
+* 添加防火墙规则以阻止 Windows
+  的 [普通多宿主 DNS 解析行为](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197552%28v%3Dws.10%29)
+  造成的 DNS 泄露
+
+它可能会使某些应用程序（如 VirtualBox）在某些情况下无法正常工作。
+
 #### inet4_route_address

 启用 `auto_route` 时使用自定义路由而不是默认路由。
--- a/docs/configuration/outbound/wireguard.md
+++ b/docs/configuration/outbound/wireguard.md
@@ -16,6 +16,7 @@
  "peer_public_key": "Z1XXLsKYkYxuiYjJIkRvtIKFepCYHTgON+GwPq7SOV4=",
  "pre_shared_key": "31aIhAPwktDGpH4JDhA8GNvjFXEf/a6+UaQRyOAiyfM=",
  "reserved": [0, 0, 0],
+  "workers": 4,
  "mtu": 1408,
  "network": "tcp",

@@ -88,9 +89,17 @@ WireGuard pre-shared key.

 WireGuard reserved field bytes.

+#### workers
+
+WireGuard worker count.
+
+CPU count is used by default.
+
 #### mtu

-WireGuard MTU. 1408 will be used if empty.
+WireGuard MTU.
+
+1408 will be used if empty.

 #### network

--- a/docs/configuration/outbound/wireguard.zh.md
+++ b/docs/configuration/outbound/wireguard.zh.md
@@ -16,6 +16,7 @@
  "peer_public_key": "Z1XXLsKYkYxuiYjJIkRvtIKFepCYHTgON+GwPq7SOV4=",
  "pre_shared_key": "31aIhAPwktDGpH4JDhA8GNvjFXEf/a6+UaQRyOAiyfM=",
  "reserved": [0, 0, 0],
+  "workers": 4,
  "mtu": 1408,
  "network": "tcp",

@@ -90,9 +91,17 @@ WireGuard 预共享密钥。

 WireGuard 保留字段字节。

+#### workers
+
+WireGuard worker 数量。
+
+默认使用 CPU 数量。
+
 #### mtu

-WireGuard MTU。 默认1408。
+WireGuard MTU。
+
+默认使用 1408。

 #### network

--- a/docs/configuration/shared/dial.md
+++ b/docs/configuration/shared/dial.md
@@ -4,7 +4,8 @@
 {
  "detour": "upstream-out",
  "bind_interface": "en0",
-  "bind_address": "0.0.0.0",
+  "inet4_bind_address": "0.0.0.0",
+  "inet6_bind_address": "::",
  "routing_mark": 1234,
  "reuse_addr": false,
  "connect_timeout": "5s",
@@ -17,9 +18,9 @@

 ### Fields

-| Field                                                                                                               | Available Context |
-|---------------------------------------------------------------------------------------------------------------------|-------------------|
-| `bind_interface` /`bind_address` /`routing_mark` /`reuse_addr` / `tcp_fast_open`/ `udp_fragment` /`connect_timeout` | `detour` not set  |
+| Field                                                                                                                | Available Context |
+|----------------------------------------------------------------------------------------------------------------------|-------------------|
+| `bind_interface` /`*bind_address` /`routing_mark` /`reuse_addr` / `tcp_fast_open`/ `udp_fragment` /`connect_timeout` | `detour` not set  |

 #### detour

@@ -29,9 +30,13 @@ The tag of the upstream outbound.

 The network interface to bind to.

-#### bind_address
+#### inet4_bind_address

-The address to bind to.
+The IPv4 address to bind to.
+
+#### inet6_bind_address
+
+The IPv6 address to bind to.

 #### routing_mark

--- a/docs/configuration/shared/dial.zh.md
+++ b/docs/configuration/shared/dial.zh.md
@@ -4,7 +4,8 @@
 {
  "detour": "upstream-out",
  "bind_interface": "en0",
-  "bind_address": "0.0.0.0",
+  "inet4_bind_address": "0.0.0.0",
+  "inet6_bind_address": "::",
  "routing_mark": 1234,
  "reuse_addr": false,
  "connect_timeout": "5s",
@@ -17,9 +18,9 @@

 ### 字段

-| 字段                                                                                                                  | 可用上下文        |
-|---------------------------------------------------------------------------------------------------------------------|--------------|
-| `bind_interface` /`bind_address` /`routing_mark` /`reuse_addr` / `tcp_fast_open`/ `udp_fragment` /`connect_timeout` | `detour` 未设置 |
+| 字段                                                                                                                   | 可用上下文        |
+|----------------------------------------------------------------------------------------------------------------------|--------------|
+| `bind_interface` /`*bind_address` /`routing_mark` /`reuse_addr` / `tcp_fast_open`/ `udp_fragment` /`connect_timeout` | `detour` 未设置 |


 #### detour
@@ -32,9 +33,13 @@

 要绑定到的网络接口。

-#### bind_address
+#### inet4_bind_address

-要绑定的地址。
+要绑定的 IPv4 地址。
+
+#### inet6_bind_address
+
+要绑定的 IPv6 地址。

 #### routing_mark

--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,7 @@ go 1.18

 require (
 	berty.tech/go-libtor v1.0.385
-	github.com/Dreamacro/clash v1.11.8
+	github.com/Dreamacro/clash v1.11.12
 	github.com/caddyserver/certmagic v0.17.2
 	github.com/cretz/bine v0.2.0
 	github.com/database64128/tfo-go/v2 v2.0.2
@@ -13,7 +13,7 @@ require (
 	github.com/go-chi/chi/v5 v5.0.7
 	github.com/go-chi/cors v1.2.1
 	github.com/go-chi/render v1.0.2
-	github.com/gofrs/uuid v4.3.0+incompatible
+	github.com/gofrs/uuid v4.3.1+incompatible
 	github.com/hashicorp/yamux v0.1.1
 	github.com/logrusorgru/aurora v2.0.3+incompatible
 	github.com/mholt/acmez v1.0.4
@@ -22,23 +22,24 @@ require (
 	github.com/pires/go-proxyproto v0.6.2
 	github.com/refraction-networking/utls v1.1.5
 	github.com/sagernet/cloudflare-tls v0.0.0-20221031050923-d70792f4c3a0
-	github.com/sagernet/quic-go v0.0.0-20221031051350-29d8bb1c8127
+	github.com/sagernet/quic-go v0.0.0-20221108053023-645bcc4f9b15
 	github.com/sagernet/sing v0.0.0-20221008120626-60a9910eefe4
 	github.com/sagernet/sing-dns v0.0.0-20221031055845-7de76401d403
 	github.com/sagernet/sing-shadowsocks v0.0.0-20220819002358-7461bb09a8f6
-	github.com/sagernet/sing-tun v0.0.0-20221028015259-ea5c35f62f07
-	github.com/sagernet/sing-vmess v0.0.0-20220925083655-063bc85ea685
+	github.com/sagernet/sing-tun v0.0.0-20221104121441-66c48a57776f
+	github.com/sagernet/sing-vmess v0.0.0-20221109021549-b446d5bdddf0
 	github.com/sagernet/smux v0.0.0-20220831015742-e0f1988e3195
 	github.com/sagernet/websocket v0.0.0-20220913015213-615516348b4e
+	github.com/sagernet/wireguard-go v0.0.0-20221108054404-7c2acadba17c
 	github.com/spf13/cobra v1.6.1
 	github.com/stretchr/testify v1.8.1
 	go.etcd.io/bbolt v1.3.6
 	go.uber.org/atomic v1.10.0
 	go4.org/netipx v0.0.0-20220925034521-797b0c90d8ab
-	golang.org/x/crypto v0.1.0
-	golang.org/x/net v0.1.0
-	golang.org/x/sys v0.1.0
-	golang.zx2c4.com/wireguard v0.0.0-20220829161405-d1d08426b27b
+	golang.org/x/crypto v0.2.0
+	golang.org/x/exp v0.0.0-20221028150844-83b7d23a625f
+	golang.org/x/net v0.2.0
+	golang.org/x/sys v0.2.0
 	google.golang.org/grpc v1.50.1
 	google.golang.org/protobuf v1.28.1
 	gvisor.dev/gvisor v0.0.0-20220901235040-6ca97ef2ce1c
@@ -68,12 +69,10 @@ require (
 	github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 // indirect
 	go.uber.org/multierr v1.6.0 // indirect
 	go.uber.org/zap v1.23.0 // indirect
-	golang.org/x/exp v0.0.0-20221028150844-83b7d23a625f // indirect
 	golang.org/x/mod v0.6.0 // indirect
 	golang.org/x/text v0.4.0 // indirect
 	golang.org/x/time v0.0.0-20191024005414-555d28b269f0 // indirect
 	golang.org/x/tools v0.2.0 // indirect
-	golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 // indirect
 	google.golang.org/genproto v0.0.0-20210722135532-667f2b7c528f // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	lukechampine.com/blake3 v1.1.7 // indirect
--- a/go.sum
+++ b/go.sum
@@ -3,8 +3,8 @@ berty.tech/go-libtor v1.0.385/go.mod h1:9swOOQVb+kmvuAlsgWUK/4c52pm69AdbJsxLzk+f
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/Dreamacro/clash v1.11.8 h1:t/sy3/tiihRlvV3SsliYFjj8rKpbLw5IJ2PymiHcwS8=
-github.com/Dreamacro/clash v1.11.8/go.mod h1:LsWCcJFoKuL1C5F2c0m/1690wihTHYSU3J+im09yTwQ=
+github.com/Dreamacro/clash v1.11.12 h1:zJ+FUWPHWxhfNl5MK64oezFAPPyGth+SDhjuWEJ/jwM=
+github.com/Dreamacro/clash v1.11.12/go.mod h1:WiRGFHBrOUYP89GXJ9k4KCyZq5i485LWzc4FPsEPlMI=
 github.com/ajg/form v1.5.1 h1:t9c7v8JUKu/XxOGBU0yjNpaMloxGEJhUkqFRq0ibGeU=
 github.com/ajg/form v1.5.1/go.mod h1:uL1WgH+h2mgNtvBq0339dVnzXdBETtL2LeUXaIv25UY=
 github.com/andybalholm/brotli v1.0.4 h1:V7DdXeJtZscaqfNuAdSRuRFzuiKlHSC/Zh3zl9qY3JY=
@@ -47,8 +47,8 @@ github.com/go-chi/cors v1.2.1 h1:xEC8UT3Rlp2QuWNEr4Fs/c2EAGVKBwy/1vHx3bppil4=
 github.com/go-chi/cors v1.2.1/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58=
 github.com/go-chi/render v1.0.2 h1:4ER/udB0+fMWB2Jlf15RV3F4A2FDuYi/9f+lFttR/Lg=
 github.com/go-chi/render v1.0.2/go.mod h1:/gr3hVkmYR0YlEy3LxCuVRFzEu9Ruok+gFqbIofjao0=
-github.com/gofrs/uuid v4.3.0+incompatible h1:CaSVZxm5B+7o45rtab4jC2G37WGYX1zQfuU2i6DSvnc=
-github.com/gofrs/uuid v4.3.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
+github.com/gofrs/uuid v4.3.1+incompatible h1:0/KbAdpx3UXAx1kEOWHJeOkpbgRFGHVgv+CFIY7dBJI=
+github.com/gofrs/uuid v4.3.1+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
@@ -74,7 +74,7 @@ github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg=
+github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
 github.com/hashicorp/yamux v0.1.1 h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE=
@@ -128,8 +128,8 @@ github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61 h1:5+m7c
 github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61/go.mod h1:QUQ4RRHD6hGGHdFMEtR8T2P6GS6R3D/CXKdaYHKKXms=
 github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 h1:iL5gZI3uFp0X6EslacyapiRz7LLSJyr4RajF/BhMVyE=
 github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
-github.com/sagernet/quic-go v0.0.0-20221031051350-29d8bb1c8127 h1:rraPfWlUy2cdZ61FLXRCFbL0lb7oocScbr4Ac0rIzTU=
-github.com/sagernet/quic-go v0.0.0-20221031051350-29d8bb1c8127/go.mod h1:oWFbojDMm85/Jbm/fyWoo8Pux6dIssxGi3q1r+5642A=
+github.com/sagernet/quic-go v0.0.0-20221108053023-645bcc4f9b15 h1:l8RQTjz5LlGEFOc49dXAr14ORbj8mTW7nX88Rbm+FiY=
+github.com/sagernet/quic-go v0.0.0-20221108053023-645bcc4f9b15/go.mod h1:oWFbojDMm85/Jbm/fyWoo8Pux6dIssxGi3q1r+5642A=
 github.com/sagernet/sing v0.0.0-20220812082120-05f9836bff8f/go.mod h1:QVsS5L/ZA2Q5UhQwLrn0Trw+msNd/NPGEhBKR/ioWiY=
 github.com/sagernet/sing v0.0.0-20220817130738-ce854cda8522/go.mod h1:QVsS5L/ZA2Q5UhQwLrn0Trw+msNd/NPGEhBKR/ioWiY=
 github.com/sagernet/sing v0.0.0-20221008120626-60a9910eefe4 h1:LO7xMvMGhYmjQg2vjhTzsODyzs9/WLYu5Per+/8jIeo=
@@ -138,14 +138,16 @@ github.com/sagernet/sing-dns v0.0.0-20221031055845-7de76401d403 h1:kKDO97rx+JVJ4
 github.com/sagernet/sing-dns v0.0.0-20221031055845-7de76401d403/go.mod h1:cyL9DHbBZ0Xlt/8VD0i6yeiDayH0KzWGNQb8MYhhz7g=
 github.com/sagernet/sing-shadowsocks v0.0.0-20220819002358-7461bb09a8f6 h1:JJfDeYYhWunvtxsU/mOVNTmFQmnzGx9dY034qG6G3g4=
 github.com/sagernet/sing-shadowsocks v0.0.0-20220819002358-7461bb09a8f6/go.mod h1:EX3RbZvrwAkPI2nuGa78T2iQXmrkT+/VQtskjou42xM=
-github.com/sagernet/sing-tun v0.0.0-20221028015259-ea5c35f62f07 h1:zupkkVVFWv0QsLPjxEzlzXlLfDk1hUujK8ctJSIKFCI=
-github.com/sagernet/sing-tun v0.0.0-20221028015259-ea5c35f62f07/go.mod h1:1u3pjXA9HmH7kRiBJqM3C/zPxrxnCLd3svmqtub/RFU=
-github.com/sagernet/sing-vmess v0.0.0-20220925083655-063bc85ea685 h1:AZzFNRR/ZwMTceUQ1b/mxx6oyKqmFymdMn/yleJmoVM=
-github.com/sagernet/sing-vmess v0.0.0-20220925083655-063bc85ea685/go.mod h1:bwhAdSNET1X+j9DOXGj9NIQR39xgcWIk1rOQ9lLD+gM=
+github.com/sagernet/sing-tun v0.0.0-20221104121441-66c48a57776f h1:CXF+nErOb9f7qiHingSgTa2/lJAgmEFtAQ47oVwdRGU=
+github.com/sagernet/sing-tun v0.0.0-20221104121441-66c48a57776f/go.mod h1:1u3pjXA9HmH7kRiBJqM3C/zPxrxnCLd3svmqtub/RFU=
+github.com/sagernet/sing-vmess v0.0.0-20221109021549-b446d5bdddf0 h1:z3kuD3hPNdEq7/wVy5lwE21f+8ZTazBtR81qswxJoCc=
+github.com/sagernet/sing-vmess v0.0.0-20221109021549-b446d5bdddf0/go.mod h1:bwhAdSNET1X+j9DOXGj9NIQR39xgcWIk1rOQ9lLD+gM=
 github.com/sagernet/smux v0.0.0-20220831015742-e0f1988e3195 h1:5VBIbVw9q7aKbrFdT83mjkyvQ+VaRsQ6yflTepfln38=
 github.com/sagernet/smux v0.0.0-20220831015742-e0f1988e3195/go.mod h1:yedWtra8nyGJ+SyI+ziwuaGMzBatbB10P1IOOZbbSK8=
 github.com/sagernet/websocket v0.0.0-20220913015213-615516348b4e h1:7uw2njHFGE+VpWamge6o56j2RWk4omF6uLKKxMmcWvs=
 github.com/sagernet/websocket v0.0.0-20220913015213-615516348b4e/go.mod h1:45TUl8+gH4SIKr4ykREbxKWTxkDlSzFENzctB1dVRRY=
+github.com/sagernet/wireguard-go v0.0.0-20221108054404-7c2acadba17c h1:qP3ZOHnjZalvqbjundbXiv/YrNlo3HOgrKc+S1QGs0U=
+github.com/sagernet/wireguard-go v0.0.0-20221108054404-7c2acadba17c/go.mod h1:euOmN6O5kk9dQmgSS8Df4psAl3TCjxOz0NW60EWkSaI=
 github.com/spf13/cobra v1.6.1 h1:o94oiPyS4KD1mPy2fmcYYHHfCxLqYjJOhGsCHFZtEzA=
 github.com/spf13/cobra v1.6.1/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
@@ -184,8 +186,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
 golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.1.0 h1:MDRAIl0xIo9Io2xV565hzXHw3zVseKrJKodhohM5CjU=
-golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
+golang.org/x/crypto v0.2.0 h1:BRXPfhNivWL5Yq0BGQ39a2sW6t44aODpfxkWjYdzewE=
+golang.org/x/crypto v0.2.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20221028150844-83b7d23a625f h1:Al51T6tzvuh3oiwX11vex3QgJ2XTedFPGmbEVh8cdoc=
 golang.org/x/exp v0.0.0-20221028150844-83b7d23a625f/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
@@ -213,8 +215,8 @@ golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220630215102-69896b714898/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
-golang.org/x/net v0.1.0 h1:hZ/3BUoy5aId7sCpA/Tc5lt8DkFgdVS2onTpJsZ/fl0=
-golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
+golang.org/x/net v0.2.0 h1:sZfSu1wtKLGlWI4ZZayP0ck9Y73K1ynO6gqzTdBVdPU=
+golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -222,7 +224,7 @@ golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220819030929-7fc1605a5dde h1:ejfdSekXMDxDLbRrJMwUk6KnSLZ2McaUCVcIKM+N6jc=
+golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -241,11 +243,11 @@ golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220731174439-a90be440212d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U=
-golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.2.0 h1:ljd4t30dBnAvMZaQCevtY0xLLD0A+bRZXbgLMLU1F/A=
+golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.1.0 h1:g6Z6vPFA9dYBAF7DWcH6sCcOntplXsDKcliusYijMlw=
+golang.org/x/term v0.2.0 h1:z85xZCsEl7bi/KwbNADeBYoOP0++7W1ipu+aGnpwzRM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -270,10 +272,6 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 h1:Ug9qvr1myri/zFN6xL17LSCBGFDnphBBhzmILHsM5TY=
-golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
-golang.zx2c4.com/wireguard v0.0.0-20220829161405-d1d08426b27b h1:qgrKnOfe1zyURRNdmDlGbN32i38Zjmw0B1+TMdHcOvg=
-golang.zx2c4.com/wireguard v0.0.0-20220829161405-d1d08426b27b/go.mod h1:6y4CqPAy54NwiN4nC8K+R1eMpQDB1P2d25qmunh2RSA=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
--- a/inbound/hysteria.go
+++ b/inbound/hysteria.go
@@ -3,7 +3,6 @@
 package inbound

 import (
-	"bytes"
 	"context"
 	"sync"

@@ -16,9 +15,13 @@ import (
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-box/transport/hysteria"
 	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/auth"
 	E "github.com/sagernet/sing/common/exceptions"
+	F "github.com/sagernet/sing/common/format"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
+
+	"golang.org/x/exp/slices"
 )

 var _ adapter.Inbound = (*Hysteria)(nil)
@@ -27,7 +30,8 @@ type Hysteria struct {
 	myInboundAdapter
 	quicConfig   *quic.Config
 	tlsConfig    tls.ServerConfig
-	authKey      []byte
+	authKey      []string
+	authUser     []string
 	xplusKey     []byte
 	sendBPS      uint64
 	recvBPS      uint64
@@ -60,12 +64,16 @@ func NewHysteria(ctx context.Context, router adapter.Router, logger log.ContextL
 	if quicConfig.MaxIncomingStreams == 0 {
 		quicConfig.MaxIncomingStreams = hysteria.DefaultMaxIncomingStreams
 	}
-	var auth []byte
-	if len(options.Auth) > 0 {
-		auth = options.Auth
-	} else {
-		auth = []byte(options.AuthString)
-	}
+	authKey := common.Map(options.Users, func(it option.HysteriaUser) string {
+		if len(it.Auth) > 0 {
+			return string(it.Auth)
+		} else {
+			return it.AuthString
+		}
+	})
+	authUser := common.Map(options.Users, func(it option.HysteriaUser) string {
+		return it.Name
+	})
 	var xplus []byte
 	if options.Obfs != "" {
 		xplus = []byte(options.Obfs)
@@ -104,7 +112,8 @@ func NewHysteria(ctx context.Context, router adapter.Router, logger log.ContextL
 			listenOptions: options.ListenOptions,
 		},
 		quicConfig:  quicConfig,
-		authKey:     auth,
+		authKey:     authKey,
+		authUser:    authUser,
 		xplusKey:    xplus,
 		sendBPS:     up,
 		recvBPS:     down,
@@ -158,7 +167,6 @@ func (h *Hysteria) acceptLoop() {
 		if err != nil {
 			return
 		}
-		h.logger.InfoContext(ctx, "inbound connection from ", conn.RemoteAddr())
 		go func() {
 			hErr := h.accept(ctx, conn)
 			if hErr != nil {
@@ -178,12 +186,21 @@ func (h *Hysteria) accept(ctx context.Context, conn quic.Connection) error {
 	if err != nil {
 		return err
 	}
-	if !bytes.Equal(clientHello.Auth, h.authKey) {
+	userIndex := slices.Index(h.authKey, string(clientHello.Auth))
+	if userIndex == -1 {
 		err = hysteria.WriteServerHello(controlStream, hysteria.ServerHello{
 			Message: "wrong password",
 		})
 		return E.Errors(E.New("wrong password: ", string(clientHello.Auth)), err)
 	}
+	user := h.authUser[userIndex]
+	if user == "" {
+		user = F.ToString(userIndex)
+	} else {
+		ctx = auth.ContextWithUser(ctx, user)
+	}
+	h.logger.InfoContext(ctx, "[", user, "] inbound connection from ", conn.RemoteAddr())
+	h.logger.DebugContext(ctx, "peer send speed: ", clientHello.SendBPS/1024/1024, " MBps, peer recv speed: ", clientHello.RecvBPS/1024/1024, " MBps")
 	if clientHello.SendBPS == 0 || clientHello.RecvBPS == 0 {
 		return E.New("invalid rate from client")
 	}
--- a/include/quic_stub.go
+++ b/include/quic_stub.go
@@ -23,7 +23,7 @@ func init() {
 		return nil, C.ErrQUICNotIncluded
 	})
 	v2ray.RegisterQUICConstructor(
-		func(ctx context.Context, options option.V2RayQUICOptions, tlsConfig tls.Config, handler N.TCPConnectionHandler, errorHandler E.Handler) (adapter.V2RayServerTransport, error) {
+		func(ctx context.Context, options option.V2RayQUICOptions, tlsConfig tls.ServerConfig, handler N.TCPConnectionHandler, errorHandler E.Handler) (adapter.V2RayServerTransport, error) {
 			return nil, C.ErrQUICNotIncluded
 		},
 		func(ctx context.Context, dialer N.Dialer, serverAddr M.Socksaddr, options option.V2RayQUICOptions, tlsConfig tls.Config) (adapter.V2RayClientTransport, error) {
--- a/option/hysteria.go
+++ b/option/hysteria.go
@@ -7,8 +7,7 @@ type HysteriaInboundOptions struct {
 	Down                string             `json:"down,omitempty"`
 	DownMbps            int                `json:"down_mbps,omitempty"`
 	Obfs                string             `json:"obfs,omitempty"`
-	Auth                []byte             `json:"auth,omitempty"`
-	AuthString          string             `json:"auth_str,omitempty"`
+	Users               []HysteriaUser     `json:"users,omitempty"`
 	ReceiveWindowConn   uint64             `json:"recv_window_conn,omitempty"`
 	ReceiveWindowClient uint64             `json:"recv_window_client,omitempty"`
 	MaxConnClient       int                `json:"max_conn_client,omitempty"`
@@ -16,6 +15,12 @@ type HysteriaInboundOptions struct {
 	TLS                 *InboundTLSOptions `json:"tls,omitempty"`
 }

+type HysteriaUser struct {
+	Name       string `json:"name,omitempty"`
+	Auth       []byte `json:"auth,omitempty"`
+	AuthString string `json:"auth_str,omitempty"`
+}
+
 type HysteriaOutboundOptions struct {
 	DialerOptions
 	ServerOptions
--- a/option/outbound.go
+++ b/option/outbound.go
@@ -122,7 +122,8 @@ func (h *Outbound) UnmarshalJSON(bytes []byte) error {
 type DialerOptions struct {
 	Detour             string         `json:"detour,omitempty"`
 	BindInterface      string         `json:"bind_interface,omitempty"`
-	BindAddress        *ListenAddress `json:"bind_address,omitempty"`
+	Inet4BindAddress   *ListenAddress `json:"inet4_bind_address,omitempty"`
+	Inet6BindAddress   *ListenAddress `json:"inet6_bind_address,omitempty"`
 	ProtectPath        string         `json:"protect_path,omitempty"`
 	RoutingMark        int            `json:"routing_mark,omitempty"`
 	ReuseAddr          bool           `json:"reuse_addr,omitempty"`
--- a/option/wireguard.go
+++ b/option/wireguard.go
@@ -10,6 +10,7 @@ type WireGuardOutboundOptions struct {
 	PeerPublicKey   string                 `json:"peer_public_key"`
 	PreSharedKey    string                 `json:"pre_shared_key,omitempty"`
 	Reserved        []uint8                `json:"reserved,omitempty"`
+	Workers         int                    `json:"workers,omitempty"`
 	MTU             uint32                 `json:"mtu,omitempty"`
 	Network         NetworkList            `json:"network,omitempty"`
 }
--- a/outbound/hysteria.go
+++ b/outbound/hysteria.go
@@ -23,7 +23,10 @@ import (
 	N "github.com/sagernet/sing/common/network"
 )

-var _ adapter.Outbound = (*Hysteria)(nil)
+var (
+	_ adapter.Outbound                = (*Hysteria)(nil)
+	_ adapter.InterfaceUpdateListener = (*Hysteria)(nil)
+)

 type Hysteria struct {
 	myOutboundAdapter
@@ -236,6 +239,11 @@ func (h *Hysteria) udpRecvLoop(conn quic.Connection) {
 	}
 }

+func (h *Hysteria) InterfaceUpdated() error {
+	h.Close()
+	return nil
+}
+
 func (h *Hysteria) Close() error {
 	h.connAccess.Lock()
 	defer h.connAccess.Unlock()
--- a/outbound/ssh.go
+++ b/outbound/ssh.go
@@ -21,7 +21,10 @@ import (
 	"golang.org/x/crypto/ssh"
 )

-var _ adapter.Outbound = (*SSH)(nil)
+var (
+	_ adapter.Outbound                = (*SSH)(nil)
+	_ adapter.InterfaceUpdateListener = (*SSH)(nil)
+)

 type SSH struct {
 	myOutboundAdapter
@@ -149,6 +152,11 @@ func (s *SSH) connect() (*ssh.Client, error) {
 	return client, nil
 }

+func (s *SSH) InterfaceUpdated() error {
+	common.Close(s.clientConn)
+	return nil
+}
+
 func (s *SSH) Close() error {
 	return common.Close(s.clientConn)
 }
--- a/outbound/wireguard.go
+++ b/outbound/wireguard.go
@@ -22,11 +22,13 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-
-	"golang.zx2c4.com/wireguard/device"
+	"github.com/sagernet/wireguard-go/device"
 )

-var _ adapter.Outbound = (*WireGuard)(nil)
+var (
+	_ adapter.Outbound                = (*WireGuard)(nil)
+	_ adapter.InterfaceUpdateListener = (*WireGuard)(nil)
+)

 type WireGuard struct {
 	myOutboundAdapter
@@ -121,7 +123,7 @@ func NewWireGuard(ctx context.Context, router adapter.Router, logger log.Context
 		Errorf: func(format string, args ...interface{}) {
 			logger.Error(fmt.Sprintf(strings.ToLower(format), args...))
 		},
-	})
+	}, options.Workers)
 	if debug.Enabled {
 		logger.Trace("created wireguard ipc conf: \n", ipcConf)
 	}
@@ -134,6 +136,11 @@ func NewWireGuard(ctx context.Context, router adapter.Router, logger log.Context
 	return outbound, nil
 }

+func (w *WireGuard) InterfaceUpdated() error {
+	w.bind.Reset()
+	return nil
+}
+
 func (w *WireGuard) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
 	switch network {
 	case N.NetworkTCP:
--- a/release/local/install_go.sh
+++ b/release/local/install_go.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash

 set -e -o pipefail
-curl -Lo go.tar.gz https://go.dev/dl/go1.19.2.linux-amd64.tar.gz
+curl -Lo go.tar.gz https://go.dev/dl/go1.19.3.linux-amd64.tar.gz
 sudo rm -rf /usr/local/go
 sudo tar -C /usr/local -xzf go.tar.gz
 rm go.tar.gz
--- a/route/router.go
+++ b/route/router.go
@@ -234,7 +234,7 @@ func NewRouter(ctx context.Context, logger log.ContextLogger, dnsLogger log.Cont
 	}
 	if defaultTransport == nil {
 		if len(transports) == 0 {
-			transports = append(transports, dns.NewLocalTransport(dialer.NewRouter(router)))
+			transports = append(transports, dns.NewLocalTransport(N.SystemDialer))
 		}
 		defaultTransport = transports[0]
 	}
@@ -262,20 +262,7 @@ func NewRouter(ctx context.Context, logger log.ContextLogger, dnsLogger log.Cont
 		if err != nil {
 			return nil, E.New("auto_detect_interface unsupported on current platform")
 		}
-		interfaceMonitor.RegisterCallback(func(event int) error {
-			if C.IsAndroid {
-				var vpnStatus string
-				if router.interfaceMonitor.AndroidVPNEnabled() {
-					vpnStatus = "enabled"
-				} else {
-					vpnStatus = "disabled"
-				}
-				router.logger.Info("updated default interface ", router.interfaceMonitor.DefaultInterfaceName(netip.IPv4Unspecified()), ", index ", router.interfaceMonitor.DefaultInterfaceIndex(netip.IPv4Unspecified()), ", vpn ", vpnStatus)
-			} else {
-				router.logger.Info("updated default interface ", router.interfaceMonitor.DefaultInterfaceName(netip.IPv4Unspecified()), ", index ", router.interfaceMonitor.DefaultInterfaceIndex(netip.IPv4Unspecified()))
-			}
-			return nil
-		})
+		interfaceMonitor.RegisterCallback(router.notifyNetworkUpdate)
 		router.interfaceMonitor = interfaceMonitor
 	}

@@ -1014,3 +1001,28 @@ func (r *Router) NewError(ctx context.Context, err error) {
 	}
 	r.logger.ErrorContext(ctx, err)
 }
+
+func (r *Router) notifyNetworkUpdate(int) error {
+	if C.IsAndroid {
+		var vpnStatus string
+		if r.interfaceMonitor.AndroidVPNEnabled() {
+			vpnStatus = "enabled"
+		} else {
+			vpnStatus = "disabled"
+		}
+		r.logger.Info("updated default interface ", r.interfaceMonitor.DefaultInterfaceName(netip.IPv4Unspecified()), ", index ", r.interfaceMonitor.DefaultInterfaceIndex(netip.IPv4Unspecified()), ", vpn ", vpnStatus)
+	} else {
+		r.logger.Info("updated default interface ", r.interfaceMonitor.DefaultInterfaceName(netip.IPv4Unspecified()), ", index ", r.interfaceMonitor.DefaultInterfaceIndex(netip.IPv4Unspecified()))
+	}
+
+	for _, outbound := range r.outbounds {
+		listener, isListener := outbound.(adapter.InterfaceUpdateListener)
+		if isListener {
+			err := listener.InterfaceUpdated()
+			if err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
--- a/test/go.mod
+++ b/test/go.mod
@@ -9,20 +9,18 @@ replace github.com/sagernet/sing-box => ../
 require (
 	github.com/docker/docker v20.10.18+incompatible
 	github.com/docker/go-connections v0.4.0
-	github.com/gofrs/uuid v4.3.0+incompatible
+	github.com/gofrs/uuid v4.3.1+incompatible
 	github.com/sagernet/sing v0.0.0-20221008120626-60a9910eefe4
 	github.com/sagernet/sing-shadowsocks v0.0.0-20220819002358-7461bb09a8f6
 	github.com/spyzhov/ajson v0.7.1
 	github.com/stretchr/testify v1.8.1
 	go.uber.org/goleak v1.2.0
-	golang.org/x/net v0.1.0
+	golang.org/x/net v0.2.0
 )

-//replace github.com/sagernet/sing => ../../sing
-
 require (
 	berty.tech/go-libtor v1.0.385 // indirect
-	github.com/Dreamacro/clash v1.11.8 // indirect
+	github.com/Dreamacro/clash v1.11.12 // indirect
 	github.com/Microsoft/go-winio v0.5.1 // indirect
 	github.com/ajg/form v1.5.1 // indirect
 	github.com/andybalholm/brotli v1.0.4 // indirect
@@ -50,7 +48,7 @@ require (
 	github.com/marten-seemann/qtls-go1-19 v0.1.1 // indirect
 	github.com/mholt/acmez v1.0.4 // indirect
 	github.com/miekg/dns v1.1.50 // indirect
-	github.com/moby/term v0.0.0-20220808134915-39b0c02b01ae // indirect
+	github.com/moby/term v0.0.0-20221105221325-4eb28fa6025c // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.0.2 // indirect
@@ -63,12 +61,13 @@ require (
 	github.com/sagernet/cloudflare-tls v0.0.0-20221031050923-d70792f4c3a0 // indirect
 	github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61 // indirect
 	github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 // indirect
-	github.com/sagernet/quic-go v0.0.0-20221031051350-29d8bb1c8127 // indirect
-	github.com/sagernet/sing-dns v0.0.0-20221031051512-3dfca3ccef42 // indirect
-	github.com/sagernet/sing-tun v0.0.0-20221028015259-ea5c35f62f07 // indirect
-	github.com/sagernet/sing-vmess v0.0.0-20220925083655-063bc85ea685 // indirect
+	github.com/sagernet/quic-go v0.0.0-20221108053023-645bcc4f9b15 // indirect
+	github.com/sagernet/sing-dns v0.0.0-20221031055845-7de76401d403 // indirect
+	github.com/sagernet/sing-tun v0.0.0-20221104121441-66c48a57776f // indirect
+	github.com/sagernet/sing-vmess v0.0.0-20221109021549-b446d5bdddf0 // indirect
 	github.com/sagernet/smux v0.0.0-20220831015742-e0f1988e3195 // indirect
 	github.com/sagernet/websocket v0.0.0-20220913015213-615516348b4e // indirect
+	github.com/sagernet/wireguard-go v0.0.0-20221108054404-7c2acadba17c // indirect
 	github.com/sirupsen/logrus v1.9.0 // indirect
 	github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 // indirect
 	go.etcd.io/bbolt v1.3.6 // indirect
@@ -76,20 +75,20 @@ require (
 	go.uber.org/multierr v1.6.0 // indirect
 	go.uber.org/zap v1.23.0 // indirect
 	go4.org/netipx v0.0.0-20220925034521-797b0c90d8ab // indirect
-	golang.org/x/crypto v0.1.0 // indirect
+	golang.org/x/crypto v0.2.0 // indirect
 	golang.org/x/exp v0.0.0-20221028150844-83b7d23a625f // indirect
 	golang.org/x/mod v0.6.0 // indirect
-	golang.org/x/sys v0.1.0 // indirect
+	golang.org/x/sys v0.2.0 // indirect
 	golang.org/x/text v0.4.0 // indirect
 	golang.org/x/time v0.0.0-20191024005414-555d28b269f0 // indirect
 	golang.org/x/tools v0.2.0 // indirect
-	golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 // indirect
-	golang.zx2c4.com/wireguard v0.0.0-20220829161405-d1d08426b27b // indirect
 	google.golang.org/genproto v0.0.0-20210722135532-667f2b7c528f // indirect
 	google.golang.org/grpc v1.50.1 // indirect
 	google.golang.org/protobuf v1.28.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	gotest.tools/v3 v3.3.0 // indirect
+	gotest.tools/v3 v3.4.0 // indirect
 	gvisor.dev/gvisor v0.0.0-20220901235040-6ca97ef2ce1c // indirect
 	lukechampine.com/blake3 v1.1.7 // indirect
 )
+
+//replace github.com/sagernet/sing => ../../sing
--- a/test/go.sum
+++ b/test/go.sum
@@ -3,10 +3,9 @@ berty.tech/go-libtor v1.0.385/go.mod h1:9swOOQVb+kmvuAlsgWUK/4c52pm69AdbJsxLzk+f
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8=
-github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/Dreamacro/clash v1.11.8 h1:t/sy3/tiihRlvV3SsliYFjj8rKpbLw5IJ2PymiHcwS8=
-github.com/Dreamacro/clash v1.11.8/go.mod h1:LsWCcJFoKuL1C5F2c0m/1690wihTHYSU3J+im09yTwQ=
+github.com/Dreamacro/clash v1.11.12 h1:zJ+FUWPHWxhfNl5MK64oezFAPPyGth+SDhjuWEJ/jwM=
+github.com/Dreamacro/clash v1.11.12/go.mod h1:WiRGFHBrOUYP89GXJ9k4KCyZq5i485LWzc4FPsEPlMI=
 github.com/Microsoft/go-winio v0.5.1 h1:aPJp2QD7OOrhO5tQXqQoGSJc+DjDtWTGLOmNyAm6FgY=
 github.com/Microsoft/go-winio v0.5.1/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84=
 github.com/ajg/form v1.5.1 h1:t9c7v8JUKu/XxOGBU0yjNpaMloxGEJhUkqFRq0ibGeU=
@@ -25,7 +24,6 @@ github.com/cloudflare/circl v1.2.1-0.20221019164342-6ab4dfed8f3c/go.mod h1:+CauB
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/cretz/bine v0.1.0/go.mod h1:6PF6fWAvYtwjRGkAuDEJeWNOv3a2hUouSP/yRYXmvHw=
 github.com/cretz/bine v0.2.0 h1:8GiDRGlTgz+o8H9DSnsl+5MeBK4HsExxgl6WgzOCuZo=
 github.com/cretz/bine v0.2.0/go.mod h1:WU4o9QR9wWp8AVKtTM1XD5vUHkEqnf2vVSo6dBqbetI=
@@ -57,8 +55,8 @@ github.com/go-chi/cors v1.2.1 h1:xEC8UT3Rlp2QuWNEr4Fs/c2EAGVKBwy/1vHx3bppil4=
 github.com/go-chi/cors v1.2.1/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58=
 github.com/go-chi/render v1.0.2 h1:4ER/udB0+fMWB2Jlf15RV3F4A2FDuYi/9f+lFttR/Lg=
 github.com/go-chi/render v1.0.2/go.mod h1:/gr3hVkmYR0YlEy3LxCuVRFzEu9Ruok+gFqbIofjao0=
-github.com/gofrs/uuid v4.3.0+incompatible h1:CaSVZxm5B+7o45rtab4jC2G37WGYX1zQfuU2i6DSvnc=
-github.com/gofrs/uuid v4.3.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
+github.com/gofrs/uuid v4.3.1+incompatible h1:0/KbAdpx3UXAx1kEOWHJeOkpbgRFGHVgv+CFIY7dBJI=
+github.com/gofrs/uuid v4.3.1+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
@@ -86,7 +84,7 @@ github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg=
+github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
 github.com/hashicorp/yamux v0.1.1 h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE=
@@ -117,8 +115,8 @@ github.com/mholt/acmez v1.0.4 h1:N3cE4Pek+dSolbsofIkAYz6H1d3pE+2G0os7QHslf80=
 github.com/mholt/acmez v1.0.4/go.mod h1:qFGLZ4u+ehWINeJZjzPlsnjJBCPAADWTcIqE/7DAYQY=
 github.com/miekg/dns v1.1.50 h1:DQUfb9uc6smULcREF09Uc+/Gd46YWqJd5DbpPE9xkcA=
 github.com/miekg/dns v1.1.50/go.mod h1:e3IlAVfNqAllflbibAZEWOXOQ+Ynzk/dDozDxY7XnME=
-github.com/moby/term v0.0.0-20220808134915-39b0c02b01ae h1:O4SWKdcHVCvYqyDV+9CJA1fcDN2L11Bule0iFy3YlAI=
-github.com/moby/term v0.0.0-20220808134915-39b0c02b01ae/go.mod h1:E2VnQOmVuvZB6UYnnDB0qG5Nq/1tD9acaOpo6xmt0Kw=
+github.com/moby/term v0.0.0-20221105221325-4eb28fa6025c h1:RC8WMpjonrBfyAh6VN/POIPtYD5tRAq0qMqCRjQNK+g=
+github.com/moby/term v0.0.0-20221105221325-4eb28fa6025c/go.mod h1:9OcmHNQQUTbk4XCffrLgN1NEKc2mh5u++biHVrvHsSU=
 github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
 github.com/onsi/ginkgo/v2 v2.3.0 h1:kUMoxMoQG3ogk/QWyKh3zibV7BKZ+xBpWil1cTylVqc=
@@ -148,28 +146,29 @@ github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61 h1:5+m7c
 github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61/go.mod h1:QUQ4RRHD6hGGHdFMEtR8T2P6GS6R3D/CXKdaYHKKXms=
 github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 h1:iL5gZI3uFp0X6EslacyapiRz7LLSJyr4RajF/BhMVyE=
 github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
-github.com/sagernet/quic-go v0.0.0-20221031051350-29d8bb1c8127 h1:rraPfWlUy2cdZ61FLXRCFbL0lb7oocScbr4Ac0rIzTU=
-github.com/sagernet/quic-go v0.0.0-20221031051350-29d8bb1c8127/go.mod h1:oWFbojDMm85/Jbm/fyWoo8Pux6dIssxGi3q1r+5642A=
+github.com/sagernet/quic-go v0.0.0-20221108053023-645bcc4f9b15 h1:l8RQTjz5LlGEFOc49dXAr14ORbj8mTW7nX88Rbm+FiY=
+github.com/sagernet/quic-go v0.0.0-20221108053023-645bcc4f9b15/go.mod h1:oWFbojDMm85/Jbm/fyWoo8Pux6dIssxGi3q1r+5642A=
 github.com/sagernet/sing v0.0.0-20220812082120-05f9836bff8f/go.mod h1:QVsS5L/ZA2Q5UhQwLrn0Trw+msNd/NPGEhBKR/ioWiY=
 github.com/sagernet/sing v0.0.0-20220817130738-ce854cda8522/go.mod h1:QVsS5L/ZA2Q5UhQwLrn0Trw+msNd/NPGEhBKR/ioWiY=
 github.com/sagernet/sing v0.0.0-20221008120626-60a9910eefe4 h1:LO7xMvMGhYmjQg2vjhTzsODyzs9/WLYu5Per+/8jIeo=
 github.com/sagernet/sing v0.0.0-20221008120626-60a9910eefe4/go.mod h1:zvgDYKI+vCAW9RyfyrKTgleI+DOa8lzHMPC7VZo3OL4=
-github.com/sagernet/sing-dns v0.0.0-20221031051512-3dfca3ccef42 h1:Rp0x9hx2lj4QxTC0cZcJDxxzjn5Zz0q8tgwmZ5aFO0M=
-github.com/sagernet/sing-dns v0.0.0-20221031051512-3dfca3ccef42/go.mod h1:cyL9DHbBZ0Xlt/8VD0i6yeiDayH0KzWGNQb8MYhhz7g=
+github.com/sagernet/sing-dns v0.0.0-20221031055845-7de76401d403 h1:kKDO97rx+JVJ4HI1hTWOnCCI6um5clK1LfnIto2DY4M=
+github.com/sagernet/sing-dns v0.0.0-20221031055845-7de76401d403/go.mod h1:cyL9DHbBZ0Xlt/8VD0i6yeiDayH0KzWGNQb8MYhhz7g=
 github.com/sagernet/sing-shadowsocks v0.0.0-20220819002358-7461bb09a8f6 h1:JJfDeYYhWunvtxsU/mOVNTmFQmnzGx9dY034qG6G3g4=
 github.com/sagernet/sing-shadowsocks v0.0.0-20220819002358-7461bb09a8f6/go.mod h1:EX3RbZvrwAkPI2nuGa78T2iQXmrkT+/VQtskjou42xM=
-github.com/sagernet/sing-tun v0.0.0-20221028015259-ea5c35f62f07 h1:zupkkVVFWv0QsLPjxEzlzXlLfDk1hUujK8ctJSIKFCI=
-github.com/sagernet/sing-tun v0.0.0-20221028015259-ea5c35f62f07/go.mod h1:1u3pjXA9HmH7kRiBJqM3C/zPxrxnCLd3svmqtub/RFU=
-github.com/sagernet/sing-vmess v0.0.0-20220925083655-063bc85ea685 h1:AZzFNRR/ZwMTceUQ1b/mxx6oyKqmFymdMn/yleJmoVM=
-github.com/sagernet/sing-vmess v0.0.0-20220925083655-063bc85ea685/go.mod h1:bwhAdSNET1X+j9DOXGj9NIQR39xgcWIk1rOQ9lLD+gM=
+github.com/sagernet/sing-tun v0.0.0-20221104121441-66c48a57776f h1:CXF+nErOb9f7qiHingSgTa2/lJAgmEFtAQ47oVwdRGU=
+github.com/sagernet/sing-tun v0.0.0-20221104121441-66c48a57776f/go.mod h1:1u3pjXA9HmH7kRiBJqM3C/zPxrxnCLd3svmqtub/RFU=
+github.com/sagernet/sing-vmess v0.0.0-20221109021549-b446d5bdddf0 h1:z3kuD3hPNdEq7/wVy5lwE21f+8ZTazBtR81qswxJoCc=
+github.com/sagernet/sing-vmess v0.0.0-20221109021549-b446d5bdddf0/go.mod h1:bwhAdSNET1X+j9DOXGj9NIQR39xgcWIk1rOQ9lLD+gM=
 github.com/sagernet/smux v0.0.0-20220831015742-e0f1988e3195 h1:5VBIbVw9q7aKbrFdT83mjkyvQ+VaRsQ6yflTepfln38=
 github.com/sagernet/smux v0.0.0-20220831015742-e0f1988e3195/go.mod h1:yedWtra8nyGJ+SyI+ziwuaGMzBatbB10P1IOOZbbSK8=
 github.com/sagernet/websocket v0.0.0-20220913015213-615516348b4e h1:7uw2njHFGE+VpWamge6o56j2RWk4omF6uLKKxMmcWvs=
 github.com/sagernet/websocket v0.0.0-20220913015213-615516348b4e/go.mod h1:45TUl8+gH4SIKr4ykREbxKWTxkDlSzFENzctB1dVRRY=
+github.com/sagernet/wireguard-go v0.0.0-20221108054404-7c2acadba17c h1:qP3ZOHnjZalvqbjundbXiv/YrNlo3HOgrKc+S1QGs0U=
+github.com/sagernet/wireguard-go v0.0.0-20221108054404-7c2acadba17c/go.mod h1:euOmN6O5kk9dQmgSS8Df4psAl3TCjxOz0NW60EWkSaI=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
 github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spyzhov/ajson v0.7.1 h1:1MDIlPc6x0zjNtpa7tDzRAyFAvRX+X8ZsvtYz5lZg6A=
 github.com/spyzhov/ajson v0.7.1/go.mod h1:63V+CGM6f1Bu/p4nLIN8885ojBdt88TbLoSFzyqMuVA=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -210,8 +209,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
 golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.1.0 h1:MDRAIl0xIo9Io2xV565hzXHw3zVseKrJKodhohM5CjU=
-golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
+golang.org/x/crypto v0.2.0 h1:BRXPfhNivWL5Yq0BGQ39a2sW6t44aODpfxkWjYdzewE=
+golang.org/x/crypto v0.2.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20221028150844-83b7d23a625f h1:Al51T6tzvuh3oiwX11vex3QgJ2XTedFPGmbEVh8cdoc=
 golang.org/x/exp v0.0.0-20221028150844-83b7d23a625f/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
@@ -244,8 +243,8 @@ golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220630215102-69896b714898/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
-golang.org/x/net v0.1.0 h1:hZ/3BUoy5aId7sCpA/Tc5lt8DkFgdVS2onTpJsZ/fl0=
-golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
+golang.org/x/net v0.2.0 h1:sZfSu1wtKLGlWI4ZZayP0ck9Y73K1ynO6gqzTdBVdPU=
+golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -255,7 +254,7 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220819030929-7fc1605a5dde h1:ejfdSekXMDxDLbRrJMwUk6KnSLZ2McaUCVcIKM+N6jc=
+golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -272,7 +271,6 @@ golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -280,11 +278,11 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220731174439-a90be440212d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U=
-golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.2.0 h1:ljd4t30dBnAvMZaQCevtY0xLLD0A+bRZXbgLMLU1F/A=
+golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.1.0 h1:g6Z6vPFA9dYBAF7DWcH6sCcOntplXsDKcliusYijMlw=
+golang.org/x/term v0.2.0 h1:z85xZCsEl7bi/KwbNADeBYoOP0++7W1ipu+aGnpwzRM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -299,7 +297,6 @@ golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGm
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190624222133-a101b041ded4/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
@@ -313,10 +310,6 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 h1:Ug9qvr1myri/zFN6xL17LSCBGFDnphBBhzmILHsM5TY=
-golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
-golang.zx2c4.com/wireguard v0.0.0-20220829161405-d1d08426b27b h1:qgrKnOfe1zyURRNdmDlGbN32i38Zjmw0B1+TMdHcOvg=
-golang.zx2c4.com/wireguard v0.0.0-20220829161405-d1d08426b27b/go.mod h1:6y4CqPAy54NwiN4nC8K+R1eMpQDB1P2d25qmunh2RSA=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
@@ -358,9 +351,8 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk=
-gotest.tools/v3 v3.3.0 h1:MfDY1b1/0xN1CyMlQDac0ziEy9zJQd9CXBRRDHw2jJo=
-gotest.tools/v3 v3.3.0/go.mod h1:Mcr9QNxkg0uMvy/YElmo4SpXgJKWgQvYrT7Kw5RzJ1A=
+gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o=
+gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g=
 gvisor.dev/gvisor v0.0.0-20220901235040-6ca97ef2ce1c h1:m5lcgWnL3OElQNVyp3qcncItJ2c0sQlSGjYK2+nJTA4=
 gvisor.dev/gvisor v0.0.0-20220901235040-6ca97ef2ce1c/go.mod h1:TIvkJD0sxe8pIob3p6T8IzxXunlp6yfgktvTNp+DGNM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
--- a/test/hysteria_test.go
+++ b/test/hysteria_test.go
@@ -29,10 +29,12 @@ func TestHysteriaSelf(t *testing.T) {
 						Listen:     option.ListenAddress(netip.IPv4Unspecified()),
 						ListenPort: serverPort,
 					},
-					UpMbps:     100,
-					DownMbps:   100,
-					AuthString: "password",
-					Obfs:       "fuck me till the daylight",
+					UpMbps:   100,
+					DownMbps: 100,
+					Users: []option.HysteriaUser{{
+						AuthString: "password",
+					}},
+					Obfs: "fuck me till the daylight",
 					TLS: &option.InboundTLSOptions{
 						Enabled:         true,
 						ServerName:      "example.org",
@@ -91,10 +93,12 @@ func TestHysteriaInbound(t *testing.T) {
 						Listen:     option.ListenAddress(netip.IPv4Unspecified()),
 						ListenPort: serverPort,
 					},
-					UpMbps:     100,
-					DownMbps:   100,
-					AuthString: "password",
-					Obfs:       "fuck me till the daylight",
+					UpMbps:   100,
+					DownMbps: 100,
+					Users: []option.HysteriaUser{{
+						AuthString: "password",
+					}},
+					Obfs: "fuck me till the daylight",
 					TLS: &option.InboundTLSOptions{
 						Enabled:         true,
 						ServerName:      "example.org",
--- a/transport/v2ray/grpc.go
+++ b/transport/v2ray/grpc.go
@@ -15,7 +15,7 @@ import (
 	N "github.com/sagernet/sing/common/network"
 )

-func NewGRPCServer(ctx context.Context, options option.V2RayGRPCOptions, tlsConfig tls.Config, handler N.TCPConnectionHandler, errorHandler E.Handler) (adapter.V2RayServerTransport, error) {
+func NewGRPCServer(ctx context.Context, options option.V2RayGRPCOptions, tlsConfig tls.ServerConfig, handler N.TCPConnectionHandler, errorHandler E.Handler) (adapter.V2RayServerTransport, error) {
 	if options.ForceLite {
 		return v2raygrpclite.NewServer(ctx, options, tlsConfig, handler, errorHandler)
 	}
--- a/transport/v2ray/grpc_lite.go
+++ b/transport/v2ray/grpc_lite.go
@@ -14,7 +14,7 @@ import (
 	N "github.com/sagernet/sing/common/network"
 )

-func NewGRPCServer(ctx context.Context, options option.V2RayGRPCOptions, tlsConfig tls.Config, handler N.TCPConnectionHandler, errorHandler E.Handler) (adapter.V2RayServerTransport, error) {
+func NewGRPCServer(ctx context.Context, options option.V2RayGRPCOptions, tlsConfig tls.ServerConfig, handler N.TCPConnectionHandler, errorHandler E.Handler) (adapter.V2RayServerTransport, error) {
 	return v2raygrpclite.NewServer(ctx, options, tlsConfig, handler, errorHandler)
 }

--- a/transport/v2ray/quic.go
+++ b/transport/v2ray/quic.go
@@ -22,7 +22,7 @@ func RegisterQUICConstructor(server ServerConstructor[option.V2RayQUICOptions],
 	quicClientConstructor = client
 }

-func NewQUICServer(ctx context.Context, options option.V2RayQUICOptions, tlsConfig tls.Config, handler N.TCPConnectionHandler, errorHandler E.Handler) (adapter.V2RayServerTransport, error) {
+func NewQUICServer(ctx context.Context, options option.V2RayQUICOptions, tlsConfig tls.ServerConfig, handler N.TCPConnectionHandler, errorHandler E.Handler) (adapter.V2RayServerTransport, error) {
 	if quicServerConstructor == nil {
 		return nil, os.ErrInvalid
 	}
--- a/transport/v2ray/transport.go
+++ b/transport/v2ray/transport.go
@@ -15,11 +15,11 @@ import (
 )

 type (
-	ServerConstructor[O any] func(ctx context.Context, options O, tlsConfig tls.Config, handler N.TCPConnectionHandler, errorHandler E.Handler) (adapter.V2RayServerTransport, error)
+	ServerConstructor[O any] func(ctx context.Context, options O, tlsConfig tls.ServerConfig, handler N.TCPConnectionHandler, errorHandler E.Handler) (adapter.V2RayServerTransport, error)
 	ClientConstructor[O any] func(ctx context.Context, dialer N.Dialer, serverAddr M.Socksaddr, options O, tlsConfig tls.Config) (adapter.V2RayClientTransport, error)
 )

-func NewServerTransport(ctx context.Context, options option.V2RayTransportOptions, tlsConfig tls.Config, handler N.TCPConnectionHandler, errorHandler E.Handler) (adapter.V2RayServerTransport, error) {
+func NewServerTransport(ctx context.Context, options option.V2RayTransportOptions, tlsConfig tls.ServerConfig, handler N.TCPConnectionHandler, errorHandler E.Handler) (adapter.V2RayServerTransport, error) {
 	if options.Type == "" {
 		return nil, nil
 	}
--- a/transport/v2raygrpc/client.go
+++ b/transport/v2raygrpc/client.go
@@ -13,10 +13,10 @@ import (
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"

+	"golang.org/x/net/http2"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/backoff"
 	"google.golang.org/grpc/connectivity"
-	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
 )

@@ -35,11 +35,8 @@ type Client struct {
 func NewClient(ctx context.Context, dialer N.Dialer, serverAddr M.Socksaddr, options option.V2RayGRPCOptions, tlsConfig tls.Config) (adapter.V2RayClientTransport, error) {
 	var dialOptions []grpc.DialOption
 	if tlsConfig != nil {
-		stdConfig, err := tlsConfig.Config()
-		if err != nil {
-			return nil, err
-		}
-		dialOptions = append(dialOptions, grpc.WithTransportCredentials(credentials.NewTLS(stdConfig)))
+		tlsConfig.SetNextProtos([]string{http2.NextProtoTLS})
+		dialOptions = append(dialOptions, grpc.WithTransportCredentials(NewTLSTransportCredentials(tlsConfig)))
 	} else {
 		dialOptions = append(dialOptions, grpc.WithTransportCredentials(insecure.NewCredentials()))
 	}
--- a/transport/v2raygrpc/credentials/credentials.go
+++ b/transport/v2raygrpc/credentials/credentials.go
@@ -0,0 +1,49 @@
+/*
+ * Copyright 2021 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package credentials
+
+import (
+	"context"
+)
+
+// requestInfoKey is a struct to be used as the key to store RequestInfo in a
+// context.
+type requestInfoKey struct{}
+
+// NewRequestInfoContext creates a context with ri.
+func NewRequestInfoContext(ctx context.Context, ri interface{}) context.Context {
+	return context.WithValue(ctx, requestInfoKey{}, ri)
+}
+
+// RequestInfoFromContext extracts the RequestInfo from ctx.
+func RequestInfoFromContext(ctx context.Context) interface{} {
+	return ctx.Value(requestInfoKey{})
+}
+
+// clientHandshakeInfoKey is a struct used as the key to store
+// ClientHandshakeInfo in a context.
+type clientHandshakeInfoKey struct{}
+
+// ClientHandshakeInfoFromContext extracts the ClientHandshakeInfo from ctx.
+func ClientHandshakeInfoFromContext(ctx context.Context) interface{} {
+	return ctx.Value(clientHandshakeInfoKey{})
+}
+
+// NewClientHandshakeInfoContext creates a context with chi.
+func NewClientHandshakeInfoContext(ctx context.Context, chi interface{}) context.Context {
+	return context.WithValue(ctx, clientHandshakeInfoKey{}, chi)
+}
--- a/transport/v2raygrpc/credentials/spiffe.go
+++ b/transport/v2raygrpc/credentials/spiffe.go
@@ -0,0 +1,75 @@
+/*
+ *
+ * Copyright 2020 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+// Package credentials defines APIs for parsing SPIFFE ID.
+//
+// All APIs in this package are experimental.
+package credentials
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"net/url"
+
+	"google.golang.org/grpc/grpclog"
+)
+
+var logger = grpclog.Component("credentials")
+
+// SPIFFEIDFromState parses the SPIFFE ID from State. If the SPIFFE ID format
+// is invalid, return nil with warning.
+func SPIFFEIDFromState(state tls.ConnectionState) *url.URL {
+	if len(state.PeerCertificates) == 0 || len(state.PeerCertificates[0].URIs) == 0 {
+		return nil
+	}
+	return SPIFFEIDFromCert(state.PeerCertificates[0])
+}
+
+// SPIFFEIDFromCert parses the SPIFFE ID from x509.Certificate. If the SPIFFE
+// ID format is invalid, return nil with warning.
+func SPIFFEIDFromCert(cert *x509.Certificate) *url.URL {
+	if cert == nil || cert.URIs == nil {
+		return nil
+	}
+	var spiffeID *url.URL
+	for _, uri := range cert.URIs {
+		if uri == nil || uri.Scheme != "spiffe" || uri.Opaque != "" || (uri.User != nil && uri.User.Username() != "") {
+			continue
+		}
+		// From this point, we assume the uri is intended for a SPIFFE ID.
+		if len(uri.String()) > 2048 {
+			logger.Warning("invalid SPIFFE ID: total ID length larger than 2048 bytes")
+			return nil
+		}
+		if len(uri.Host) == 0 || len(uri.Path) == 0 {
+			logger.Warning("invalid SPIFFE ID: domain or workload ID is empty")
+			return nil
+		}
+		if len(uri.Host) > 255 {
+			logger.Warning("invalid SPIFFE ID: domain length larger than 255 characters")
+			return nil
+		}
+		// A valid SPIFFE certificate can only have exactly one URI SAN field.
+		if len(cert.URIs) > 1 {
+			logger.Warning("invalid SPIFFE ID: multiple URI SANs")
+			return nil
+		}
+		spiffeID = uri
+	}
+	return spiffeID
+}
--- a/transport/v2raygrpc/credentials/syscallconn.go
+++ b/transport/v2raygrpc/credentials/syscallconn.go
@@ -0,0 +1,58 @@
+/*
+ *
+ * Copyright 2018 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package credentials
+
+import (
+	"net"
+	"syscall"
+)
+
+type sysConn = syscall.Conn
+
+// syscallConn keeps reference of rawConn to support syscall.Conn for channelz.
+// SyscallConn() (the method in interface syscall.Conn) is explicitly
+// implemented on this type,
+//
+// Interface syscall.Conn is implemented by most net.Conn implementations (e.g.
+// TCPConn, UnixConn), but is not part of net.Conn interface. So wrapper conns
+// that embed net.Conn don't implement syscall.Conn. (Side note: tls.Conn
+// doesn't embed net.Conn, so even if syscall.Conn is part of net.Conn, it won't
+// help here).
+type syscallConn struct {
+	net.Conn
+	// sysConn is a type alias of syscall.Conn. It's necessary because the name
+	// `Conn` collides with `net.Conn`.
+	sysConn
+}
+
+// WrapSyscallConn tries to wrap rawConn and newConn into a net.Conn that
+// implements syscall.Conn. rawConn will be used to support syscall, and newConn
+// will be used for read/write.
+//
+// This function returns newConn if rawConn doesn't implement syscall.Conn.
+func WrapSyscallConn(rawConn, newConn net.Conn) net.Conn {
+	sysConn, ok := rawConn.(syscall.Conn)
+	if !ok {
+		return newConn
+	}
+	return &syscallConn{
+		Conn:    newConn,
+		sysConn: sysConn,
+	}
+}
--- a/transport/v2raygrpc/credentials/util.go
+++ b/transport/v2raygrpc/credentials/util.go
@@ -0,0 +1,52 @@
+/*
+ *
+ * Copyright 2020 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package credentials
+
+import (
+	"crypto/tls"
+)
+
+const alpnProtoStrH2 = "h2"
+
+// AppendH2ToNextProtos appends h2 to next protos.
+func AppendH2ToNextProtos(ps []string) []string {
+	for _, p := range ps {
+		if p == alpnProtoStrH2 {
+			return ps
+		}
+	}
+	ret := make([]string, 0, len(ps)+1)
+	ret = append(ret, ps...)
+	return append(ret, alpnProtoStrH2)
+}
+
+// CloneTLSConfig returns a shallow clone of the exported
+// fields of cfg, ignoring the unexported sync.Once, which
+// contains a mutex and must not be copied.
+//
+// If cfg is nil, a new zero tls.Config is returned.
+//
+// TODO: inline this function if possible.
+func CloneTLSConfig(cfg *tls.Config) *tls.Config {
+	if cfg == nil {
+		return &tls.Config{}
+	}
+
+	return cfg.Clone()
+}
--- a/transport/v2raygrpc/server.go
+++ b/transport/v2raygrpc/server.go
@@ -13,7 +13,6 @@ import (
 	N "github.com/sagernet/sing/common/network"

 	"google.golang.org/grpc"
-	"google.golang.org/grpc/credentials"
 	gM "google.golang.org/grpc/metadata"
 	"google.golang.org/grpc/peer"
 )
@@ -26,15 +25,11 @@ type Server struct {
 	server  *grpc.Server
 }

-func NewServer(ctx context.Context, options option.V2RayGRPCOptions, tlsConfig tls.Config, handler N.TCPConnectionHandler) (*Server, error) {
+func NewServer(ctx context.Context, options option.V2RayGRPCOptions, tlsConfig tls.ServerConfig, handler N.TCPConnectionHandler) (*Server, error) {
 	var serverOptions []grpc.ServerOption
 	if tlsConfig != nil {
-		stdConfig, err := tlsConfig.Config()
-		if err != nil {
-			return nil, err
-		}
-		stdConfig.NextProtos = []string{"h2"}
-		serverOptions = append(serverOptions, grpc.Creds(credentials.NewTLS(stdConfig)))
+		tlsConfig.SetNextProtos([]string{"h2"})
+		serverOptions = append(serverOptions, grpc.Creds(NewTLSTransportCredentials(tlsConfig)))
 	}
 	server := &Server{ctx, handler, grpc.NewServer(serverOptions...)}
 	RegisterGunServiceCustomNameServer(server.server, server, options.ServiceName)
--- a/transport/v2raygrpc/tls_credentials.go
+++ b/transport/v2raygrpc/tls_credentials.go
@@ -0,0 +1,86 @@
+package v2raygrpc
+
+import (
+	"context"
+	"net"
+	"os"
+
+	"github.com/sagernet/sing-box/common/tls"
+	internal_credentials "github.com/sagernet/sing-box/transport/v2raygrpc/credentials"
+
+	"google.golang.org/grpc/credentials"
+)
+
+type TLSTransportCredentials struct {
+	config tls.Config
+}
+
+func NewTLSTransportCredentials(config tls.Config) credentials.TransportCredentials {
+	return &TLSTransportCredentials{config}
+}
+
+func (c *TLSTransportCredentials) Info() credentials.ProtocolInfo {
+	return credentials.ProtocolInfo{
+		SecurityProtocol: "tls",
+		SecurityVersion:  "1.2",
+		ServerName:       c.config.ServerName(),
+	}
+}
+
+func (c *TLSTransportCredentials) ClientHandshake(ctx context.Context, authority string, rawConn net.Conn) (net.Conn, credentials.AuthInfo, error) {
+	cfg := c.config.Clone()
+	if cfg.ServerName() == "" {
+		serverName, _, err := net.SplitHostPort(authority)
+		if err != nil {
+			serverName = authority
+		}
+		cfg.SetServerName(serverName)
+	}
+	conn, err := tls.ClientHandshake(ctx, rawConn, cfg)
+	if err != nil {
+		return nil, nil, err
+	}
+	tlsInfo := credentials.TLSInfo{
+		State: conn.ConnectionState(),
+		CommonAuthInfo: credentials.CommonAuthInfo{
+			SecurityLevel: credentials.PrivacyAndIntegrity,
+		},
+	}
+	id := internal_credentials.SPIFFEIDFromState(conn.ConnectionState())
+	if id != nil {
+		tlsInfo.SPIFFEID = id
+	}
+	return internal_credentials.WrapSyscallConn(rawConn, conn), tlsInfo, nil
+}
+
+func (c *TLSTransportCredentials) ServerHandshake(rawConn net.Conn) (net.Conn, credentials.AuthInfo, error) {
+	serverConfig, isServer := c.config.(tls.ServerConfig)
+	if !isServer {
+		return nil, nil, os.ErrInvalid
+	}
+	conn, err := tls.ServerHandshake(context.Background(), rawConn, serverConfig)
+	if err != nil {
+		rawConn.Close()
+		return nil, nil, err
+	}
+	tlsInfo := credentials.TLSInfo{
+		State: conn.ConnectionState(),
+		CommonAuthInfo: credentials.CommonAuthInfo{
+			SecurityLevel: credentials.PrivacyAndIntegrity,
+		},
+	}
+	id := internal_credentials.SPIFFEIDFromState(conn.ConnectionState())
+	if id != nil {
+		tlsInfo.SPIFFEID = id
+	}
+	return internal_credentials.WrapSyscallConn(rawConn, conn), tlsInfo, nil
+}
+
+func (c *TLSTransportCredentials) Clone() credentials.TransportCredentials {
+	return NewTLSTransportCredentials(c.config)
+}
+
+func (c *TLSTransportCredentials) OverrideServerName(serverNameOverride string) error {
+	c.config.SetServerName(serverNameOverride)
+	return nil
+}
--- a/transport/v2raygrpclite/server.go
+++ b/transport/v2raygrpclite/server.go
@@ -19,6 +19,7 @@ import (
 	sHttp "github.com/sagernet/sing/protocol/http"

 	"golang.org/x/net/http2"
+	"golang.org/x/net/http2/h2c"
 )

 var _ adapter.V2RayServerTransport = (*Server)(nil)
@@ -27,6 +28,8 @@ type Server struct {
 	handler      N.TCPConnectionHandler
 	errorHandler E.Handler
 	httpServer   *http.Server
+	h2Server     *http2.Server
+	h2cHandler   http.Handler
 	path         string
 }

@@ -34,15 +37,17 @@ func (s *Server) Network() []string {
 	return []string{N.NetworkTCP}
 }

-func NewServer(ctx context.Context, options option.V2RayGRPCOptions, tlsConfig tls.Config, handler N.TCPConnectionHandler, errorHandler E.Handler) (*Server, error) {
+func NewServer(ctx context.Context, options option.V2RayGRPCOptions, tlsConfig tls.ServerConfig, handler N.TCPConnectionHandler, errorHandler E.Handler) (*Server, error) {
 	server := &Server{
 		handler:      handler,
 		errorHandler: errorHandler,
 		path:         fmt.Sprintf("/%s/Tun", url.QueryEscape(options.ServiceName)),
+		h2Server:     new(http2.Server),
 	}
 	server.httpServer = &http.Server{
 		Handler: server,
 	}
+	server.h2cHandler = h2c.NewHandler(server, server.h2Server)
 	if tlsConfig != nil {
 		stdConfig, err := tlsConfig.Config()
 		if err != nil {
@@ -57,7 +62,12 @@ func NewServer(ctx context.Context, options option.V2RayGRPCOptions, tlsConfig t
 }

 func (s *Server) ServeHTTP(writer http.ResponseWriter, request *http.Request) {
+	if request.Method == "PRI" && len(request.Header) == 0 && request.URL.Path == "*" && request.Proto == "HTTP/2.0" {
+		s.h2cHandler.ServeHTTP(writer, request)
+		return
+	}
 	if request.URL.Path != s.path {
+		request.Write(os.Stdout)
 		writer.WriteHeader(http.StatusNotFound)
 		s.badRequest(request, E.New("bad path: ", request.URL.Path))
 		return
@@ -86,13 +96,13 @@ func (s *Server) badRequest(request *http.Request, err error) {
 }

 func (s *Server) Serve(listener net.Listener) error {
+	err := http2.ConfigureServer(s.httpServer, s.h2Server)
+	if err != nil {
+		return err
+	}
 	if s.httpServer.TLSConfig == nil {
 		return s.httpServer.Serve(listener)
 	} else {
-		err := http2.ConfigureServer(s.httpServer, &http2.Server{})
-		if err != nil {
-			return err
-		}
 		return s.httpServer.ServeTLS(listener, "", "")
 	}
 }
--- a/transport/v2rayhttp/server.go
+++ b/transport/v2rayhttp/server.go
@@ -18,6 +18,7 @@ import (
 	sHttp "github.com/sagernet/sing/protocol/http"

 	"golang.org/x/net/http2"
+	"golang.org/x/net/http2/h2c"
 )

 var _ adapter.V2RayServerTransport = (*Server)(nil)
@@ -27,6 +28,8 @@ type Server struct {
 	handler      N.TCPConnectionHandler
 	errorHandler E.Handler
 	httpServer   *http.Server
+	h2Server     *http2.Server
+	h2cHandler   http.Handler
 	host         []string
 	path         string
 	method       string
@@ -37,11 +40,12 @@ func (s *Server) Network() []string {
 	return []string{N.NetworkTCP}
 }

-func NewServer(ctx context.Context, options option.V2RayHTTPOptions, tlsConfig tls.Config, handler N.TCPConnectionHandler, errorHandler E.Handler) (*Server, error) {
+func NewServer(ctx context.Context, options option.V2RayHTTPOptions, tlsConfig tls.ServerConfig, handler N.TCPConnectionHandler, errorHandler E.Handler) (*Server, error) {
 	server := &Server{
 		ctx:          ctx,
 		handler:      handler,
 		errorHandler: errorHandler,
+		h2Server:     new(http2.Server),
 		host:         options.Host,
 		path:         options.Path,
 		method:       options.Method,
@@ -61,6 +65,7 @@ func NewServer(ctx context.Context, options option.V2RayHTTPOptions, tlsConfig t
 		ReadHeaderTimeout: C.TCPTimeout,
 		MaxHeaderBytes:    http.DefaultMaxHeaderBytes,
 	}
+	server.h2cHandler = h2c.NewHandler(server, server.h2Server)
 	if tlsConfig != nil {
 		stdConfig, err := tlsConfig.Config()
 		if err != nil {
@@ -72,6 +77,10 @@ func NewServer(ctx context.Context, options option.V2RayHTTPOptions, tlsConfig t
 }

 func (s *Server) ServeHTTP(writer http.ResponseWriter, request *http.Request) {
+	if request.Method == "PRI" && len(request.Header) == 0 && request.URL.Path == "*" && request.Proto == "HTTP/2.0" {
+		s.h2cHandler.ServeHTTP(writer, request)
+		return
+	}
 	host := request.Host
 	if len(s.host) > 0 && !common.Contains(s.host, host) {
 		writer.WriteHeader(http.StatusBadRequest)
@@ -124,13 +133,13 @@ func (s *Server) badRequest(request *http.Request, err error) {
 }

 func (s *Server) Serve(listener net.Listener) error {
+	err := http2.ConfigureServer(s.httpServer, s.h2Server)
+	if err != nil {
+		return err
+	}
 	if s.httpServer.TLSConfig == nil {
 		return s.httpServer.Serve(listener)
 	} else {
-		err := http2.ConfigureServer(s.httpServer, &http2.Server{})
-		if err != nil {
-			return err
-		}
 		return s.httpServer.ServeTLS(listener, "", "")
 	}
 }
--- a/transport/v2rayquic/server.go
+++ b/transport/v2rayquic/server.go
@@ -29,7 +29,7 @@ type Server struct {
 	quicListener quic.Listener
 }

-func NewServer(ctx context.Context, options option.V2RayQUICOptions, tlsConfig tls.Config, handler N.TCPConnectionHandler, errorHandler E.Handler) (adapter.V2RayServerTransport, error) {
+func NewServer(ctx context.Context, options option.V2RayQUICOptions, tlsConfig tls.ServerConfig, handler N.TCPConnectionHandler, errorHandler E.Handler) (adapter.V2RayServerTransport, error) {
 	quicConfig := &quic.Config{
 		DisablePathMTUDiscovery: !C.IsLinux && !C.IsWindows,
 	}
--- a/transport/v2raywebsocket/server.go
+++ b/transport/v2raywebsocket/server.go
@@ -34,7 +34,7 @@ type Server struct {
 	earlyDataHeaderName string
 }

-func NewServer(ctx context.Context, options option.V2RayWebsocketOptions, tlsConfig tls.Config, handler N.TCPConnectionHandler, errorHandler E.Handler) (*Server, error) {
+func NewServer(ctx context.Context, options option.V2RayWebsocketOptions, tlsConfig tls.ServerConfig, handler N.TCPConnectionHandler, errorHandler E.Handler) (*Server, error) {
 	server := &Server{
 		ctx:                 ctx,
 		handler:             handler,
--- a/transport/wireguard/client_bind.go
+++ b/transport/wireguard/client_bind.go
@@ -8,8 +8,7 @@ import (
 	"github.com/sagernet/sing/common"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-
-	"golang.zx2c4.com/wireguard/conn"
+	"github.com/sagernet/wireguard-go/conn"
 )

 var _ conn.Bind = (*ClientBind)(nil)
@@ -100,6 +99,12 @@ func (c *ClientBind) receive(b []byte) (n int, ep conn.Endpoint, err error) {
 	return
 }

+func (c *ClientBind) Reset() {
+	c.connAccess.Lock()
+	defer c.connAccess.Unlock()
+	common.Close(common.PtrOrNil(c.conn))
+}
+
 func (c *ClientBind) Close() error {
 	c.connAccess.Lock()
 	defer c.connAccess.Unlock()
--- a/transport/wireguard/device.go
+++ b/transport/wireguard/device.go
@@ -2,8 +2,7 @@ package wireguard

 import (
 	N "github.com/sagernet/sing/common/network"
-
-	"golang.zx2c4.com/wireguard/tun"
+	"github.com/sagernet/wireguard-go/tun"
 )

 type Device interface {
--- a/transport/wireguard/device_stack.go
+++ b/transport/wireguard/device_stack.go
@@ -11,8 +11,8 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/wireguard-go/tun"

-	"golang.zx2c4.com/wireguard/tun"
 	"gvisor.dev/gvisor/pkg/bufferv2"
 	"gvisor.dev/gvisor/pkg/tcpip"
 	"gvisor.dev/gvisor/pkg/tcpip/adapters/gonet"
@@ -34,6 +34,7 @@ type StackDevice struct {
 	mtu        uint32
 	events     chan tun.Event
 	outbound   chan *stack.PacketBuffer
+	done       chan struct{}
 	dispatcher stack.NetworkDispatcher
 	addr4      tcpip.Address
 	addr6      tcpip.Address
@@ -50,6 +51,7 @@ func NewStackDevice(localAddresses []netip.Prefix, mtu uint32) (*StackDevice, er
 		mtu:      mtu,
 		events:   make(chan tun.Event, 1),
 		outbound: make(chan *stack.PacketBuffer, 256),
+		done:     make(chan struct{}),
 	}
 	err := ipStack.CreateNIC(defaultNIC, (*wireEndpoint)(tunDevice))
 	if err != nil {
@@ -140,16 +142,20 @@ func (w *StackDevice) File() *os.File {
 }

 func (w *StackDevice) Read(p []byte, offset int) (n int, err error) {
-	packetBuffer, ok := <-w.outbound
-	if !ok {
+	select {
+	case packetBuffer, ok := <-w.outbound:
+		if !ok {
+			return 0, os.ErrClosed
+		}
+		defer packetBuffer.DecRef()
+		p = p[offset:]
+		for _, slice := range packetBuffer.AsSlices() {
+			n += copy(p[n:], slice)
+		}
+		return
+	case <-w.done:
 		return 0, os.ErrClosed
 	}
-	defer packetBuffer.DecRef()
-	p = p[offset:]
-	for _, slice := range packetBuffer.AsSlices() {
-		n += copy(p[n:], slice)
-	}
-	return
 }

 func (w *StackDevice) Write(p []byte, offset int) (n int, err error) {
@@ -201,7 +207,7 @@ func (w *StackDevice) Close() error {
 		endpoint.Abort()
 	}
 	w.stack.Wait()
-	close(w.outbound)
+	close(w.done)
 	return nil
 }

@@ -246,7 +252,11 @@ func (ep *wireEndpoint) AddHeader(buffer *stack.PacketBuffer) {
 func (ep *wireEndpoint) WritePackets(list stack.PacketBufferList) (int, tcpip.Error) {
 	for _, packetBuffer := range list.AsSlice() {
 		packetBuffer.IncRef()
-		ep.outbound <- packetBuffer
+		select {
+		case <-ep.done:
+			return 0, &tcpip.ErrClosedForSend{}
+		case ep.outbound <- packetBuffer:
+		}
 	}
 	return list.Len(), nil
 }
--- a/transport/wireguard/device_system.go
+++ b/transport/wireguard/device_system.go
@@ -12,8 +12,7 @@ import (
 	"github.com/sagernet/sing-tun"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-
-	wgTun "golang.zx2c4.com/wireguard/tun"
+	wgTun "github.com/sagernet/wireguard-go/tun"
 )

 var _ Device = (*SystemDevice)(nil)
--- a/transport/wireguard/endpoint.go
+++ b/transport/wireguard/endpoint.go
@@ -4,8 +4,7 @@ import (
 	"net/netip"

 	M "github.com/sagernet/sing/common/metadata"
-
-	"golang.zx2c4.com/wireguard/conn"
+	"github.com/sagernet/wireguard-go/conn"
 )

 var _ conn.Endpoint = (*Endpoint)(nil)
--- a/transport/wireguard/server_bind.go
+++ b/transport/wireguard/server_bind.go
@@ -7,8 +7,7 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-
-	"golang.zx2c4.com/wireguard/conn"
+	"github.com/sagernet/wireguard-go/conn"
 )

 var _ conn.Bind = (*ServerBind)(nil)
Author	SHA1	Message	Date
世界	24f4dfea04	Fix hysteria test	2022-11-10 21:10:18 +08:00
世界	2fc1a0a9dd	Update documentation	2022-11-10 16:33:10 +08:00
世界	617aba84e4	Add multi user support for hysteria inbound	2022-11-09 21:00:08 +08:00
世界	5510c474c7	Fix h2c transport	2022-11-09 12:15:14 +08:00
世界	eb2e8a0b40	Add custom tls client support for std grpc	2022-11-09 11:46:29 +08:00
世界	972491c19d	Fix default local DNS server behavior	2022-11-09 10:35:16 +08:00
世界	7358ca4a52	Fix vmess request buffer	2022-11-09 10:16:22 +08:00
世界	61c274045a	Update install go script	2022-11-08 23:19:53 +08:00
世界	f205140b04	Fix smux keep alive	2022-11-08 16:45:38 +08:00
世界	1db8e03c86	Fix format	2022-11-08 14:54:19 +08:00
世界	2ecf86c2bc	Update patched quic-go	2022-11-08 13:54:01 +08:00
世界	999a847e86	Add custom wireguard worker size option	2022-11-08 13:48:14 +08:00
世界	1f63ce5dee	Fix reset outbound	2022-11-06 10:36:19 +08:00
世界	0ad1bbea11	Fix wireguard close	2022-11-06 10:20:23 +08:00
世界	b2cd78d279	Move WFP manipulation to strict route	2022-11-06 10:16:07 +08:00
世界	d5bb58a0b4	Update documentation	2022-11-06 10:16:07 +08:00
世界	7f84936050	Split bind_address	2022-11-06 10:16:07 +08:00
Dreamacro	6adfea0a72	Fix macOS Ventura process name match	2022-11-06 10:16:07 +08:00
Hellojack	10f213bf3d	Adjust uTLS wrapper	2022-11-06 10:16:07 +08:00