Update documentation

Fix close clash cache
Add WorkingDirectory for systemd service
2026-04-12 01:57:18 +10:00 · 2022-12-03 14:38:52 +08:00 · 2022-12-03 13:29:37 +08:00 · 2022-11-28 18:30:50 +08:00 · 2022-11-28 16:06:54 +08:00 · 2022-11-28 13:11:07 +08:00
53 changed files with 1021 additions and 358 deletions
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,34 +0,0 @@
-name: Test build
-
-on:
-  pull_request:
-    branches:
-      - main
-      - dev
-      - dev-next
-
-jobs:
-  build:
-    name: Debug build
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-      - name: Get latest go version
-        id: version
-        run: |
-          echo ::set-output name=go_version::$(curl -s https://raw.githubusercontent.com/actions/go-versions/main/versions-manifest.json | grep -oE '"version": "[0-9]{1}.[0-9]{1,}(.[0-9]{1,})?"' | head -1 | cut -d':' -f2 | sed 's/ //g; s/"//g')
-      - name: Setup Go
-        uses: actions/setup-go@v2
-        with:
-          go-version: ${{ steps.version.outputs.go_version }}
-      - name: Cache go module
-        uses: actions/cache@v2
-        with:
-          path: |
-            ~/go/pkg/mod
-          key: go-${{ hashFiles('**/go.sum') }}
-      - name: Run Test
-        run: make test
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -14,6 +14,7 @@ builds:
      - with_gvisor
      - with_quic
      - with_wireguard
+      - with_utls
      - with_clash_api
    env:
      - CGO_ENABLED=0
--- a/1
+++ b/1
@@ -14,7 +14,6 @@ RUN set -ex \
        ./cmd/sing-box
 FROM alpine AS dist
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
-RUN [ ! -e /etc/nsswitch.conf ] && echo 'hosts: files dns' > /etc/nsswitch.conf
 RUN set -ex \
    && apk upgrade \
    && apk add bash tzdata ca-certificates \
--- a/box.go
+++ b/box.go
@@ -97,8 +97,7 @@ func New(ctx context.Context, options option.Options) (*Box, error) {

 	router, err := route.NewRouter(
 		ctx,
-		logFactory.NewLogger("router"),
-		logFactory.NewLogger("dns"),
+		logFactory,
 		common.PtrValueOrDefault(options.Route),
 		common.PtrValueOrDefault(options.DNS),
 		options.Inbounds,
--- a/cmd/sing-box/cmd_run.go
+++ b/cmd/sing-box/cmd_run.go
@@ -69,6 +69,20 @@ func create() (*box.Box, context.CancelFunc, error) {
 		cancel()
 		return nil, nil, E.Cause(err, "create service")
 	}
+
+	osSignals := make(chan os.Signal, 1)
+	signal.Notify(osSignals, os.Interrupt, syscall.SIGTERM, syscall.SIGHUP)
+	defer func() {
+		signal.Stop(osSignals)
+		close(osSignals)
+	}()
+
+	go func() {
+		_, loaded := <-osSignals
+		if loaded {
+			cancel()
+		}
+	}()
 	err = instance.Start()
 	if err != nil {
 		cancel()
@@ -80,6 +94,7 @@ func create() (*box.Box, context.CancelFunc, error) {
 func run() error {
 	osSignals := make(chan os.Signal, 1)
 	signal.Notify(osSignals, os.Interrupt, syscall.SIGTERM, syscall.SIGHUP)
+	defer signal.Stop(osSignals)
 	for {
 		instance, cancel, err := create()
 		if err != nil {
--- a/constant/version.go
+++ b/constant/version.go
@@ -1,3 +1,3 @@
 package constant

-var Version = "1.1-beta16"
+var Version = "1.1"
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -1,3 +1,68 @@
+#### 1.1
+
+* Fix close clash cache
+
+Important changes since 1.0:
+
+* Add support for use with android VPNService
+* Add tun support for WireGuard outbound
+* Add system tun stack
+* Add comment filter for config
+* Add option for allow optional proxy protocol header
+* Add Clash mode and persistence support
+* Add TLS ECH and uTLS support for outbound TLS options
+* Add internal simple-obfs and v2ray-plugin
+* Add ShadowsocksR outbound
+* Add VLESS outbound and XUDP
+* Skip wait for hysteria tcp handshake response
+* Add v2ray mux support for all inbound
+* Add XUDP support for VMess 
+* Improve websocket writer
+* Refine tproxy write back
+* Fix DNS leak caused by
+  Windows' ordinary multihomed DNS resolution behavior
+* Add sniff_timeout listen option
+* Add custom route support for tun
+* Add option for custom wireguard reserved bytes
+* Split bind_address into ipv4 and ipv6
+* Add ShadowTLS v1 and v2 support
+
+#### 1.1-rc1
+
+* Fix TLS config for h2 server
+* Fix crash when input bad method in shadowsocks multi-user inbound
+* Fix listen UDP
+* Fix check invalid packet on macOS
+
+#### 1.1-beta18
+
+* Enhance defense against active probe for shadowtls server **1**
+
+**1**:
+
+The `fallback_after` option has been removed.
+
+#### 1.1-beta17
+
+* Fix shadowtls server **1**
+
+*1*:
+
+Added [fallback_after](/configuration/inbound/shadowtls#fallback_after) option.
+
+#### 1.0.7
+
+* Add support for new x/h2 deadline
+* Fix copy pipe
+* Fix decrypt xplus packet
+* Fix macOS Ventura process name match
+* Fix smux keepalive
+* Fix vmess request buffer
+* Fix h2c transport
+* Fix tor geoip
+* Fix udp connect for mux client
+* Fix default dns transport strategy
+
 #### 1.1-beta16

 * Improve shadowtls server
--- a/docs/examples/clash-api.md
+++ b/docs/examples/clash-api.md
@@ -0,0 +1,52 @@
+```json
+{
+  "dns": {
+    "rules": [
+      {
+        "domain": [
+          "clash.razord.top",
+          "yacd.haishan.me"
+        ],
+        "server": "local"
+      },
+      {
+        "clash_mode": "direct",
+        "server": "local"
+      }
+    ]
+  },
+  "outbounds": [
+    {
+      "type": "selector",
+      "tag": "default",
+      "outbounds": [
+        "proxy-a",
+        "proxy-b"
+      ]
+    }
+  ],
+  "route": {
+    "rules": [
+      {
+        "clash_mode": "direct",
+        "outbound": "direct"
+      },
+      {
+        "domain": [
+          "clash.razord.top",
+          "yacd.haishan.me"
+        ],
+        "outbound": "direct"
+      }
+    ],
+    "final": "default"
+  },
+  "experimental": {
+    "clash_api": {
+      "external_controller": "127.0.0.1:9090",
+      "store_selected": true
+    }
+  }
+}
+
+```
--- a/docs/examples/index.md
+++ b/docs/examples/index.md
@@ -3,7 +3,8 @@
 Configuration examples for sing-box.

 * [Linux Server Installation](./linux-server-installation)
-* [Shadowsocks Server](./ss-server)
-* [Shadowsocks Client](./ss-client)
-* [Shadowsocks Tun](./ss-tun)
-* [DNS Hijack](./dns-hijack.md)
+* [Tun](./tun)
+* [DNS Hijack](./dns-hijack.md)
+* [Shadowsocks](./shadowsocks)
+* [ShadowTLS](./shadowtls)
+* [Clash API](./clash-api)
--- a/docs/examples/index.zh.md
+++ b/docs/examples/index.zh.md
@@ -3,7 +3,8 @@
 sing-box 的配置示例。

 * [Linux 服务器安装](./linux-server-installation)
-* [Shadowsocks 服务器](./ss-server)
-* [Shadowsocks 客户端](./ss-client)
-* [Shadowsocks Tun](./ss-tun)
-* [DNS 劫持](./dns-hijack.md)
+* [Tun](./tun)
+* [DNS 劫持](./dns-hijack.md)
+* [Shadowsocks](./shadowsocks)
+* [ShadowTLS](./shadowtls)
+* [Clash API](./clash-api)
--- a/docs/examples/shadowsocks.md
+++ b/docs/examples/shadowsocks.md
@@ -0,0 +1,157 @@
+# Shadowsocks
+
+## Single User
+
+#### Server
+
+```json
+{
+  "inbounds": [
+    {
+      "type": "shadowsocks",
+      "listen": "::",
+      "listen_port": 8080,
+      "method": "2022-blake3-aes-128-gcm",
+      "password": "8JCsPssfgS8tiRwiMlhARg=="
+    }
+  ]
+}
+```
+
+#### Client
+
+```json
+{
+  "inbounds": [
+    {
+      "type": "mixed",
+      "listen": "::",
+      "listen_port": 2080
+    }
+  ],
+  "outbounds": [
+    {
+      "type": "shadowsocks",
+      "server": "127.0.0.1",
+      "server_port": 8080,
+      "method": "2022-blake3-aes-128-gcm",
+      "password": "8JCsPssfgS8tiRwiMlhARg=="
+    }
+  ]
+}
+
+```
+
+## Multiple Users
+
+#### Server
+
+```json
+{
+  "inbounds": [
+    {
+      "type": "shadowsocks",
+      "listen": "::",
+      "listen_port": 8080,
+      "method": "2022-blake3-aes-128-gcm",
+      "password": "8JCsPssfgS8tiRwiMlhARg==",
+      "users": [
+        {
+          "name": "sekai",
+          "password": "BXYxVUXJ9NgF7c7KPLQjkg=="
+        }
+      ]
+    }
+  ]
+}
+```
+
+#### Client
+
+```json
+{
+  "inbounds": [
+    {
+      "type": "mixed",
+      "listen": "::",
+      "listen_port": 2080
+    }
+  ],
+  "outbounds": [
+    {
+      "type": "shadowsocks",
+      "server": "127.0.0.1",
+      "server_port": 8080,
+      "method": "2022-blake3-aes-128-gcm",
+      "password": "8JCsPssfgS8tiRwiMlhARg==:BXYxVUXJ9NgF7c7KPLQjkg=="
+    }
+  ]
+}
+
+```
+
+## Relay
+
+#### Server
+
+```json
+{
+  "inbounds": [
+    {
+      "type": "shadowsocks",
+      "listen": "::",
+      "listen_port": 8080,
+      "method": "2022-blake3-aes-128-gcm",
+      "password": "8JCsPssfgS8tiRwiMlhARg=="
+    }
+  ]
+}
+```
+
+#### Relay
+
+```json
+{
+  "inbounds": [
+    {
+      "type": "shadowsocks",
+      "listen": "::",
+      "listen_port": 8081,
+      "method": "2022-blake3-aes-128-gcm",
+      "password": "BXYxVUXJ9NgF7c7KPLQjkg==",
+      "destinations": [
+        {
+          "name": "my_server",
+          "password": "8JCsPssfgS8tiRwiMlhARg==",
+          "server": "127.0.0.1",
+          "server_port": 8080
+        }
+      ]
+    }
+  ]
+}
+```
+
+#### Client
+
+```json
+{
+  "inbounds": [
+    {
+      "type": "mixed",
+      "listen": "::",
+      "listen_port": 2080
+    }
+  ],
+  "outbounds": [
+    {
+      "type": "shadowsocks",
+      "server": "127.0.0.1",
+      "server_port": 8081,
+      "method": "2022-blake3-aes-128-gcm",
+      "password": "8JCsPssfgS8tiRwiMlhARg==:BXYxVUXJ9NgF7c7KPLQjkg=="
+    }
+  ]
+}
+
+```
--- a/docs/examples/shadowtls.md
+++ b/docs/examples/shadowtls.md
@@ -7,6 +7,8 @@
      "type": "shadowtls",
      "listen": "::",
      "listen_port": 4443,
+      "version": 2,
+      "password": "fuck me till the daylight",
      "handshake": {
        "server": "google.com",
        "server_port": 443
@@ -45,6 +47,8 @@
      "tag": "shadowtls-out",
      "server": "127.0.0.1",
      "server_port": 4443,
+      "version": 2,
+      "password": "fuck me till the daylight",
      "tls": {
        "enabled": true,
        "server_name": "google.com"
--- a/docs/examples/ss-client.md
+++ b/docs/examples/ss-client.md
@@ -1,21 +0,0 @@
-```json
-{
-  "inbounds": [
-    {
-      "type": "mixed",
-      "listen": "::",
-      "listen_port": 2080
-    }
-  ],
-  "outbounds": [
-    {
-      "type": "shadowsocks",
-      "server": "::",
-      "server_port": 8080,
-      "method": "2022-blake3-aes-128-gcm",
-      "password": "8JCsPssfgS8tiRwiMlhARg=="
-    }
-  ]
-}
-
-```
--- a/docs/examples/ss-server.md
+++ b/docs/examples/ss-server.md
@@ -1,13 +0,0 @@
-```json
-{
-  "inbounds": [
-    {
-      "type": "shadowsocks",
-      "listen": "::",
-      "listen_port": 8080,
-      "method": "2022-blake3-aes-128-gcm",
-      "password": "8JCsPssfgS8tiRwiMlhARg=="
-    }
-  ]
-}
-```
--- a/docs/examples/ss-tun.md
+++ b/docs/examples/ss-tun.md
@@ -10,9 +10,18 @@
        "tag": "local",
        "address": "223.5.5.5",
        "detour": "direct"
+      },
+      {
+        "tag": "block",
+        "address": "rcode://success"
      }
    ],
    "rules": [
+      {
+        "geosite": "category-ads-all",
+        "server": "block",
+        "disable_cache": true
+      },
      {
        "domain": "mydomain.com",
        "geosite": "cn",
@@ -26,6 +35,7 @@
      "type": "tun",
      "inet4_address": "172.19.0.1/30",
      "auto_route": true,
+      "strict_route": false,
      "sniff": true
    }
  ],
@@ -58,13 +68,16 @@
        "outbound": "dns-out"
      },
      {
-        "geosite": "category-ads-all",
-        "outbound": "block"
+        "geosite": "cn",
+        "geoip": [
+          "private",
+          "cn"
+        ],
+        "outbound": "direct"
      },
      {
-        "geosite": "cn",
-        "geoip": "cn",
-        "outbound": "direct"
+        "geosite": "category-ads-all",
+        "outbound": "block"
      }
    ],
    "auto_detect_interface": true
--- a/docs/faq/known-issues.md
+++ b/docs/faq/known-issues.md
@@ -7,11 +7,11 @@ the public internet.

 ##### on Android

-`auto-route` cannot automatically hijack DNS requests when Android's `Private DNS` is enabled.
+`auto-route` cannot automatically hijack DNS requests when Android's `Private DNS` enabled or `strict_route` disabled.

 ##### on Linux

-`auto-route` cannot automatically hijack DNS requests with `systemd-resolved` enabled, you can switch to NetworkManager.
+`auto-route` cannot automatically hijack DNS requests with `systemd-resolved` enabled and `strict_route` disabled.

 #### System proxy

--- a/docs/faq/known-issues.zh.md
+++ b/docs/faq/known-issues.zh.md
@@ -6,11 +6,11 @@

 ##### Android

-`auto-route` 无法自动劫持 DNS 请求如果 `私人 DNS` 开启.
+`auto-route` 无法自动劫持 DNS 请求如果 `私人 DNS` 开启或 `strict_route` 禁用。

 ##### Linux

-`auto-route` 无法自动劫持 DNS 请求如果 `systemd-resolved` 开启, 您可以切换到 NetworkManager.
+`auto-route` 无法自动劫持 DNS 请求如果 `systemd-resolved` 开启且 `strict_route` 禁用。

 #### 系统代理

--- a/experimental/clashapi/cachefile/cache.go
+++ b/experimental/clashapi/cachefile/cache.go
@@ -59,3 +59,7 @@ func (c *CacheFile) StoreSelected(group, selected string) error {
 		return bucket.Put([]byte(group), []byte(selected))
 	})
 }
+
+func (c *CacheFile) Close() error {
+	return c.DB.Close()
+}
--- a/experimental/clashapi/server.go
+++ b/experimental/clashapi/server.go
@@ -43,7 +43,6 @@ type Server struct {
 	trafficManager *trafficontrol.Manager
 	urlTestHistory *urltest.HistoryStorage
 	tcpListener    net.Listener
-	directIO       bool
 	mode           string
 	storeSelected  bool
 	cacheFile      adapter.ClashCacheFile
@@ -61,7 +60,6 @@ func NewServer(router adapter.Router, logFactory log.ObservableFactory, options
 		},
 		trafficManager: trafficManager,
 		urlTestHistory: urltest.NewHistoryStorage(),
-		directIO:       options.DirectIO,
 		mode:           strings.ToLower(options.DefaultMode),
 	}
 	if server.mode == "" {
@@ -156,7 +154,7 @@ func (s *Server) HistoryStorage() *urltest.HistoryStorage {
 }

 func (s *Server) RoutedConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, matchedRule adapter.Rule) (net.Conn, adapter.Tracker) {
-	tracker := trafficontrol.NewTCPTracker(conn, s.trafficManager, castMetadata(metadata), s.router, matchedRule, s.directIO)
+	tracker := trafficontrol.NewTCPTracker(conn, s.trafficManager, castMetadata(metadata), s.router, matchedRule)
 	return tracker, tracker
 }

--- a/experimental/clashapi/trafficontrol/tracker.go
+++ b/experimental/clashapi/trafficontrol/tracker.go
@@ -74,7 +74,7 @@ func (tt *tcpTracker) WriterReplaceable() bool {
 	return true
 }

-func NewTCPTracker(conn net.Conn, manager *Manager, metadata Metadata, router adapter.Router, rule adapter.Rule, directIO bool) *tcpTracker {
+func NewTCPTracker(conn net.Conn, manager *Manager, metadata Metadata, router adapter.Router, rule adapter.Rule) *tcpTracker {
 	uuid, _ := uuid.NewV4()

 	var chain []string
@@ -107,7 +107,7 @@ func NewTCPTracker(conn net.Conn, manager *Manager, metadata Metadata, router ad
 		}, func(n int64) {
 			download.Add(n)
 			manager.PushDownloaded(n)
-		}, directIO),
+		}),
 		manager: manager,
 		trackerInfo: &trackerInfo{
 			UUID:          uuid,
--- a/experimental/trackerconn/conn.go
+++ b/experimental/trackerconn/conn.go
@@ -10,11 +10,11 @@ import (
 	"go.uber.org/atomic"
 )

-func New(conn net.Conn, readCounter []*atomic.Int64, writeCounter []*atomic.Int64, direct bool) *Conn {
+func New(conn net.Conn, readCounter []*atomic.Int64, writeCounter []*atomic.Int64) *Conn {
 	return &Conn{bufio.NewExtendedConn(conn), readCounter, writeCounter}
 }

-func NewHook(conn net.Conn, readCounter func(n int64), writeCounter func(n int64), direct bool) *HookConn {
+func NewHook(conn net.Conn, readCounter func(n int64), writeCounter func(n int64)) *HookConn {
 	return &HookConn{bufio.NewExtendedConn(conn), readCounter, writeCounter}
 }

--- a/experimental/v2rayapi/stats.go
+++ b/experimental/v2rayapi/stats.go
@@ -29,7 +29,6 @@ var (

 type StatsService struct {
 	createdAt time.Time
-	directIO  bool
 	inbounds  map[string]bool
 	outbounds map[string]bool
 	access    sync.Mutex
@@ -50,7 +49,6 @@ func NewStatsService(options option.V2RayStatsServiceOptions) *StatsService {
 	}
 	return &StatsService{
 		createdAt: time.Now(),
-		directIO:  options.DirectIO,
 		inbounds:  inbounds,
 		outbounds: outbounds,
 		counters:  make(map[string]*atomic.Int64),
@@ -75,7 +73,7 @@ func (s *StatsService) RoutedConnection(inbound string, outbound string, conn ne
 		writeCounter = append(writeCounter, s.loadOrCreateCounter("outbound>>>"+outbound+">>>traffic>>>downlink"))
 	}
 	s.access.Unlock()
-	return trackerconn.New(conn, readCounter, writeCounter, s.directIO)
+	return trackerconn.New(conn, readCounter, writeCounter)
 }

 func (s *StatsService) RoutedPacketConnection(inbound string, outbound string, conn N.PacketConn) N.PacketConn {
--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,7 @@ go 1.18

 require (
 	berty.tech/go-libtor v1.0.385
-	github.com/Dreamacro/clash v1.11.12
+	github.com/Dreamacro/clash v1.12.0
 	github.com/caddyserver/certmagic v0.17.2
 	github.com/cretz/bine v0.2.0
 	github.com/database64128/tfo-go/v2 v2.0.2
@@ -23,11 +23,11 @@ require (
 	github.com/refraction-networking/utls v1.2.0
 	github.com/sagernet/cloudflare-tls v0.0.0-20221031050923-d70792f4c3a0
 	github.com/sagernet/quic-go v0.0.0-20221108053023-645bcc4f9b15
-	github.com/sagernet/sing v0.0.0-20221008120626-60a9910eefe4
-	github.com/sagernet/sing-dns v0.0.0-20221113031420-c6aaf2ea4b10
-	github.com/sagernet/sing-shadowsocks v0.0.0-20220819002358-7461bb09a8f6
-	github.com/sagernet/sing-tun v0.0.0-20221104121441-66c48a57776f
-	github.com/sagernet/sing-vmess v0.0.0-20221109021549-b446d5bdddf0
+	github.com/sagernet/sing v0.1.0
+	github.com/sagernet/sing-dns v0.1.0
+	github.com/sagernet/sing-shadowsocks v0.1.0
+	github.com/sagernet/sing-tun v0.1.1-0.20221128044455-b22d9eb41b74
+	github.com/sagernet/sing-vmess v0.1.0
 	github.com/sagernet/smux v0.0.0-20220831015742-e0f1988e3195
 	github.com/sagernet/websocket v0.0.0-20220913015213-615516348b4e
 	github.com/sagernet/wireguard-go v0.0.0-20221116151939-c99467f53f2c
@@ -36,10 +36,10 @@ require (
 	go.etcd.io/bbolt v1.3.6
 	go.uber.org/atomic v1.10.0
 	go4.org/netipx v0.0.0-20220925034521-797b0c90d8ab
-	golang.org/x/crypto v0.3.0
+	golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a
 	golang.org/x/exp v0.0.0-20221028150844-83b7d23a625f
-	golang.org/x/net v0.2.0
-	golang.org/x/sys v0.2.0
+	golang.org/x/net v0.2.1-0.20221117215542-ecf7fda6a59e
+	golang.org/x/sys v0.2.1-0.20221110211117-d684c6f88669
 	google.golang.org/grpc v1.51.0
 	google.golang.org/protobuf v1.28.1
 	gvisor.dev/gvisor v0.0.0-20220901235040-6ca97ef2ce1c
@@ -57,10 +57,12 @@ require (
 	github.com/inconshreveable/mousetrap v1.0.1 // indirect
 	github.com/klauspost/compress v1.15.12 // indirect
 	github.com/klauspost/cpuid/v2 v2.1.1 // indirect
+	github.com/kr/text v0.2.0 // indirect
 	github.com/libdns/libdns v0.2.1 // indirect
 	github.com/marten-seemann/qpack v0.3.0 // indirect
 	github.com/marten-seemann/qtls-go1-18 v0.1.3 // indirect
 	github.com/marten-seemann/qtls-go1-19 v0.1.1 // indirect
+	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/sagernet/abx-go v0.0.0-20220819185957-dba1257d738e // indirect
 	github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61 // indirect
@@ -74,6 +76,7 @@ require (
 	golang.org/x/time v0.0.0-20191024005414-555d28b269f0 // indirect
 	golang.org/x/tools v0.2.0 // indirect
 	google.golang.org/genproto v0.0.0-20210722135532-667f2b7c528f // indirect
+	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	lukechampine.com/blake3 v1.1.7 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -3,8 +3,8 @@ berty.tech/go-libtor v1.0.385/go.mod h1:9swOOQVb+kmvuAlsgWUK/4c52pm69AdbJsxLzk+f
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/Dreamacro/clash v1.11.12 h1:zJ+FUWPHWxhfNl5MK64oezFAPPyGth+SDhjuWEJ/jwM=
-github.com/Dreamacro/clash v1.11.12/go.mod h1:WiRGFHBrOUYP89GXJ9k4KCyZq5i485LWzc4FPsEPlMI=
+github.com/Dreamacro/clash v1.12.0 h1:Fv10zwTtEo4jN1V+fLK+WEOulFAxlZFPfFQGWmbMDrk=
+github.com/Dreamacro/clash v1.12.0/go.mod h1:KXZNe2ZS9Z7zZYCFENEW8J9OgyrYrwlr/Gj9ZpzcDVU=
 github.com/ajg/form v1.5.1 h1:t9c7v8JUKu/XxOGBU0yjNpaMloxGEJhUkqFRq0ibGeU=
 github.com/ajg/form v1.5.1/go.mod h1:uL1WgH+h2mgNtvBq0339dVnzXdBETtL2LeUXaIv25UY=
 github.com/andybalholm/brotli v1.0.4 h1:V7DdXeJtZscaqfNuAdSRuRFzuiKlHSC/Zh3zl9qY3JY=
@@ -22,6 +22,7 @@ github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGX
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/cretz/bine v0.1.0/go.mod h1:6PF6fWAvYtwjRGkAuDEJeWNOv3a2hUouSP/yRYXmvHw=
 github.com/cretz/bine v0.2.0 h1:8GiDRGlTgz+o8H9DSnsl+5MeBK4HsExxgl6WgzOCuZo=
 github.com/cretz/bine v0.2.0/go.mod h1:WU4o9QR9wWp8AVKtTM1XD5vUHkEqnf2vVSo6dBqbetI=
@@ -86,11 +87,11 @@ github.com/klauspost/compress v1.15.12/go.mod h1:QPwzmACJjUTFsnSHH934V6woptycfrD
 github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
 github.com/klauspost/cpuid/v2 v2.1.1 h1:t0wUqjowdm8ezddV5k0tLWVklVuvLJpoHeb4WBdydm0=
 github.com/klauspost/cpuid/v2 v2.1.1/go.mod h1:RVVoqg1df56z8g3pUjL/3lE5UfnlrJX8tyFgg4nqhuY=
-github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/libdns/libdns v0.2.1 h1:Wu59T7wSHRgtA0cfxC+n1c/e+O3upJGWytknkmFEDis=
 github.com/libdns/libdns v0.2.1/go.mod h1:yQCXzk1lEZmmCPa857bnk4TsOiqYasqpyOEeSObbb40=
 github.com/logrusorgru/aurora v2.0.3+incompatible h1:tOpm7WcpBTn4fjmVfgpQq0EfczGlG91VSDkswnjF5A8=
@@ -105,6 +106,8 @@ github.com/mholt/acmez v1.0.4 h1:N3cE4Pek+dSolbsofIkAYz6H1d3pE+2G0os7QHslf80=
 github.com/mholt/acmez v1.0.4/go.mod h1:qFGLZ4u+ehWINeJZjzPlsnjJBCPAADWTcIqE/7DAYQY=
 github.com/miekg/dns v1.1.50 h1:DQUfb9uc6smULcREF09Uc+/Gd46YWqJd5DbpPE9xkcA=
 github.com/miekg/dns v1.1.50/go.mod h1:e3IlAVfNqAllflbibAZEWOXOQ+Ynzk/dDozDxY7XnME=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/onsi/ginkgo/v2 v2.3.0 h1:kUMoxMoQG3ogk/QWyKh3zibV7BKZ+xBpWil1cTylVqc=
 github.com/onsi/gomega v1.22.1 h1:pY8O4lBfsHKZHM/6nrxkhVPUznOlIu3quZcKP/M20KI=
 github.com/oschwald/maxminddb-golang v1.10.0 h1:Xp1u0ZhqkSuopaKmk1WwHtjF0H9Hd9181uj2MQ5Vndg=
@@ -132,16 +135,16 @@ github.com/sagernet/quic-go v0.0.0-20221108053023-645bcc4f9b15 h1:l8RQTjz5LlGEFO
 github.com/sagernet/quic-go v0.0.0-20221108053023-645bcc4f9b15/go.mod h1:oWFbojDMm85/Jbm/fyWoo8Pux6dIssxGi3q1r+5642A=
 github.com/sagernet/sing v0.0.0-20220812082120-05f9836bff8f/go.mod h1:QVsS5L/ZA2Q5UhQwLrn0Trw+msNd/NPGEhBKR/ioWiY=
 github.com/sagernet/sing v0.0.0-20220817130738-ce854cda8522/go.mod h1:QVsS5L/ZA2Q5UhQwLrn0Trw+msNd/NPGEhBKR/ioWiY=
-github.com/sagernet/sing v0.0.0-20221008120626-60a9910eefe4 h1:LO7xMvMGhYmjQg2vjhTzsODyzs9/WLYu5Per+/8jIeo=
-github.com/sagernet/sing v0.0.0-20221008120626-60a9910eefe4/go.mod h1:zvgDYKI+vCAW9RyfyrKTgleI+DOa8lzHMPC7VZo3OL4=
-github.com/sagernet/sing-dns v0.0.0-20221113031420-c6aaf2ea4b10 h1:K84AY2TxNX37ePYXVO6QTD/kgn9kDo4oGpTIn9PF5bo=
-github.com/sagernet/sing-dns v0.0.0-20221113031420-c6aaf2ea4b10/go.mod h1:VAvOT1pyryBIthTGRryFLXAsR1VRQZ05wolMYeQrr/E=
-github.com/sagernet/sing-shadowsocks v0.0.0-20220819002358-7461bb09a8f6 h1:JJfDeYYhWunvtxsU/mOVNTmFQmnzGx9dY034qG6G3g4=
-github.com/sagernet/sing-shadowsocks v0.0.0-20220819002358-7461bb09a8f6/go.mod h1:EX3RbZvrwAkPI2nuGa78T2iQXmrkT+/VQtskjou42xM=
-github.com/sagernet/sing-tun v0.0.0-20221104121441-66c48a57776f h1:CXF+nErOb9f7qiHingSgTa2/lJAgmEFtAQ47oVwdRGU=
-github.com/sagernet/sing-tun v0.0.0-20221104121441-66c48a57776f/go.mod h1:1u3pjXA9HmH7kRiBJqM3C/zPxrxnCLd3svmqtub/RFU=
-github.com/sagernet/sing-vmess v0.0.0-20221109021549-b446d5bdddf0 h1:z3kuD3hPNdEq7/wVy5lwE21f+8ZTazBtR81qswxJoCc=
-github.com/sagernet/sing-vmess v0.0.0-20221109021549-b446d5bdddf0/go.mod h1:bwhAdSNET1X+j9DOXGj9NIQR39xgcWIk1rOQ9lLD+gM=
+github.com/sagernet/sing v0.1.0 h1:FGmaP2BVPYO2IyC/3R1DaQa/zr+kOKHRgWqrmOF+Gu8=
+github.com/sagernet/sing v0.1.0/go.mod h1:zvgDYKI+vCAW9RyfyrKTgleI+DOa8lzHMPC7VZo3OL4=
+github.com/sagernet/sing-dns v0.1.0 h1:mV8y86KDIXCALTbUxQp/n/eSiSzCDuYaf+EbPndI06U=
+github.com/sagernet/sing-dns v0.1.0/go.mod h1:IXw6t1F25YvzmgCgV2kKySf4XCEKkUJnmLvKCd7jFEc=
+github.com/sagernet/sing-shadowsocks v0.1.0 h1:cDmmOkA11fzVdhyCZQEeI3ozQz+59rj8+rqPb91xux4=
+github.com/sagernet/sing-shadowsocks v0.1.0/go.mod h1:O5LtOs8Ivw686FqLpO0Zu+A0ROVE15VeqEK3yDRRAms=
+github.com/sagernet/sing-tun v0.1.1-0.20221128044455-b22d9eb41b74 h1:T6U4VNWwxQjr80I6RcQA1lTrWgwQ0vMq1UsnlzeqgxI=
+github.com/sagernet/sing-tun v0.1.1-0.20221128044455-b22d9eb41b74/go.mod h1:btUIxuI5vfzUcEDFVrG48aHM2stzg4jcI7mFQeEsei4=
+github.com/sagernet/sing-vmess v0.1.0 h1:x0tYBJRbVi7zVXpMEW45eApGpXIDs9ub3raglouAKMo=
+github.com/sagernet/sing-vmess v0.1.0/go.mod h1:4lwj6EHrUlgRnKhbmtboGbt+wtl5+tHMv96Ez8LZArw=
 github.com/sagernet/smux v0.0.0-20220831015742-e0f1988e3195 h1:5VBIbVw9q7aKbrFdT83mjkyvQ+VaRsQ6yflTepfln38=
 github.com/sagernet/smux v0.0.0-20220831015742-e0f1988e3195/go.mod h1:yedWtra8nyGJ+SyI+ziwuaGMzBatbB10P1IOOZbbSK8=
 github.com/sagernet/websocket v0.0.0-20220913015213-615516348b4e h1:7uw2njHFGE+VpWamge6o56j2RWk4omF6uLKKxMmcWvs=
@@ -185,8 +188,8 @@ golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5/go.mod h1:WFFai1msRO1wXaE
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
-golang.org/x/crypto v0.3.0 h1:a06MkbcxBrEFc0w0QIZWXrH/9cCX6KJyWbBOIwAn+7A=
-golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
+golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a h1:diz9pEYuTIuLMJLs3rGDkeaTsNyRs6duYdFyPAxzE/U=
+golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20221028150844-83b7d23a625f h1:Al51T6tzvuh3oiwX11vex3QgJ2XTedFPGmbEVh8cdoc=
 golang.org/x/exp v0.0.0-20221028150844-83b7d23a625f/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
@@ -212,8 +215,8 @@ golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96b
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220630215102-69896b714898/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.2.0 h1:sZfSu1wtKLGlWI4ZZayP0ck9Y73K1ynO6gqzTdBVdPU=
-golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
+golang.org/x/net v0.2.1-0.20221117215542-ecf7fda6a59e h1:IVOjWZQH/57UDcpX19vSmMz8w3ohroOMWohn8qWpRkg=
+golang.org/x/net v0.2.1-0.20221117215542-ecf7fda6a59e/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -239,8 +242,8 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220731174439-a90be440212d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.2.0 h1:ljd4t30dBnAvMZaQCevtY0xLLD0A+bRZXbgLMLU1F/A=
-golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.2.1-0.20221110211117-d684c6f88669 h1:pvmSpBoSG0gD2LLPAX15QHPig8xsbU0tu1sSAmResqk=
+golang.org/x/sys v0.2.1-0.20221110211117-d684c6f88669/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0 h1:z85xZCsEl7bi/KwbNADeBYoOP0++7W1ipu+aGnpwzRM=
@@ -300,8 +303,9 @@ google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQ
 google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w=
 google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
--- a/inbound/shadowsocks.go
+++ b/inbound/shadowsocks.go
@@ -70,7 +70,7 @@ func newShadowsocks(ctx context.Context, router adapter.Router, logger log.Conte
 	case common.Contains(shadowaead_2022.List, options.Method):
 		inbound.service, err = shadowaead_2022.NewServiceWithPassword(options.Method, options.Password, udpTimeout, inbound.upstreamContextHandler())
 	default:
-		err = E.New("shadowsocks: unsupported method: ", options.Method)
+		err = E.New("unsupported method: ", options.Method)
 	}
 	inbound.packetUpstream = inbound.service
 	return inbound, err
--- a/inbound/shadowsocks_multi.go
+++ b/inbound/shadowsocks_multi.go
@@ -13,6 +13,7 @@ import (
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/auth"
 	"github.com/sagernet/sing/common/buf"
+	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
 	N "github.com/sagernet/sing/common/network"
 )
@@ -48,12 +49,18 @@ func newShadowsocksMulti(ctx context.Context, router adapter.Router, logger log.
 	} else {
 		udpTimeout = int64(C.UDPTimeout.Seconds())
 	}
+	if !common.Contains(shadowaead_2022.List, options.Method) {
+		return nil, E.New("unsupported method: " + options.Method)
+	}
 	service, err := shadowaead_2022.NewMultiServiceWithPassword[int](
 		options.Method,
 		options.Password,
 		udpTimeout,
 		adapter.NewUpstreamContextHandler(inbound.newConnection, inbound.newPacketConnection, inbound),
 	)
+	if err != nil {
+		return nil, err
+	}
 	err = service.UpdateUsersWithPasswords(common.MapIndexed(options.Users, func(index int, user option.ShadowsocksUser) int {
 		return index
 	}), common.Map(options.Users, func(user option.ShadowsocksUser) string {
--- a/inbound/shadowtls.go
+++ b/inbound/shadowtls.go
@@ -29,6 +29,7 @@ type ShadowTLS struct {
 	handshakeAddr   M.Socksaddr
 	v2              bool
 	password        string
+	fallbackAfter   int
 }

 func NewShadowTLS(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.ShadowTLSInboundOptions) (*ShadowTLS, error) {
@@ -52,6 +53,11 @@ func NewShadowTLS(ctx context.Context, router adapter.Router, logger log.Context
 	case 1:
 	case 2:
 		inbound.v2 = true
+		if options.FallbackAfter == nil {
+			inbound.fallbackAfter = 2
+		} else {
+			inbound.fallbackAfter = *options.FallbackAfter
+		}
 	default:
 		return nil, E.New("unknown shadowtls protocol version: ", options.Version)
 	}
@@ -85,7 +91,7 @@ func (s *ShadowTLS) NewConnection(ctx context.Context, conn net.Conn, metadata a
 		hashConn := shadowtls.NewHashWriteConn(conn, s.password)
 		go bufio.Copy(hashConn, handshakeConn)
 		var request *buf.Buffer
-		request, err = s.copyUntilHandshakeFinishedV2(handshakeConn, conn, hashConn)
+		request, err = s.copyUntilHandshakeFinishedV2(ctx, handshakeConn, conn, hashConn, s.fallbackAfter)
 		if err == nil {
 			handshakeConn.Close()
 			return s.newConnection(ctx, bufio.NewCachedConn(shadowtls.NewConn(conn), request), metadata)
@@ -129,10 +135,10 @@ func (s *ShadowTLS) copyUntilHandshakeFinished(dst io.Writer, src io.Reader) err
 	}
 }

-func (s *ShadowTLS) copyUntilHandshakeFinishedV2(dst net.Conn, src io.Reader, hash *shadowtls.HashWriteConn) (*buf.Buffer, error) {
+func (s *ShadowTLS) copyUntilHandshakeFinishedV2(ctx context.Context, dst net.Conn, src io.Reader, hash *shadowtls.HashWriteConn, fallbackAfter int) (*buf.Buffer, error) {
 	const applicationData = 0x17
 	var tlsHdr [5]byte
-	var doFallback bool
+	var applicationDataCount int
 	for {
 		_, err := io.ReadFull(src, tlsHdr[:])
 		if err != nil {
@@ -146,19 +152,28 @@ func (s *ShadowTLS) copyUntilHandshakeFinishedV2(dst net.Conn, src io.Reader, ha
 				data.Release()
 				return nil, err
 			}
-			if length >= 8 && bytes.Equal(data.To(8), hash.Sum()) {
-				data.Advance(8)
-				return data, nil
+			if hash.HasContent() && length >= 8 {
+				checksum := hash.Sum()
+				if bytes.Equal(data.To(8), checksum) {
+					s.logger.TraceContext(ctx, "match current hashcode")
+					data.Advance(8)
+					return data, nil
+				} else if hash.LastSum() != nil && bytes.Equal(data.To(8), hash.LastSum()) {
+					s.logger.TraceContext(ctx, "match last hashcode")
+					data.Advance(8)
+					return data, nil
+				}
 			}
 			_, err = io.Copy(dst, io.MultiReader(bytes.NewReader(tlsHdr[:]), data))
 			data.Release()
-			doFallback = true
+			applicationDataCount++
 		} else {
 			_, err = io.Copy(dst, io.MultiReader(bytes.NewReader(tlsHdr[:]), io.LimitReader(src, int64(length))))
 		}
 		if err != nil {
 			return nil, err
-		} else if doFallback {
+		}
+		if applicationDataCount > fallbackAfter {
 			return nil, os.ErrPermission
 		}
 	}
--- a/inbound/trojan.go
+++ b/inbound/trojan.go
@@ -10,6 +10,7 @@ import (
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing-box/transport/trojan"
 	"github.com/sagernet/sing-box/transport/v2ray"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/auth"
@@ -17,7 +18,6 @@ import (
 	F "github.com/sagernet/sing/common/format"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/protocol/trojan"
 )

 var (
@@ -157,7 +157,7 @@ func (h *Trojan) NewConnection(ctx context.Context, conn net.Conn, metadata adap
 			return err
 		}
 	}
-	return h.service.NewConnection(adapter.WithContext(log.ContextWithNewID(ctx), &metadata), conn, adapter.UpstreamMetadata(metadata))
+	return h.service.NewConnection(adapter.WithContext(ctx, &metadata), conn, adapter.UpstreamMetadata(metadata))
 }

 func (h *Trojan) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
--- a/include/quic_stub.go
+++ b/include/quic_stub.go
@@ -12,6 +12,7 @@ import (
 	"github.com/sagernet/sing-box/transport/v2ray"
 	"github.com/sagernet/sing-dns"
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
@@ -19,7 +20,7 @@ import (
 const WithQUIC = false

 func init() {
-	dns.RegisterTransport([]string{"quic", "h3"}, func(ctx context.Context, dialer N.Dialer, link string) (dns.Transport, error) {
+	dns.RegisterTransport([]string{"quic", "h3"}, func(ctx context.Context, logger logger.ContextLogger, dialer N.Dialer, link string) (dns.Transport, error) {
 		return nil, C.ErrQUICNotIncluded
 	})
 	v2ray.RegisterQUICConstructor(
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -97,11 +97,11 @@ nav:
  - Examples:
      - examples/index.md
      - Linux Server Installation: examples/linux-server-installation.md
-      - Shadowsocks Server: examples/ss-server.md
-      - Shadowsocks Client: examples/ss-client.md
-      - Shadowsocks Tun: examples/ss-tun.md
-      - ShadowTLS: examples/shadowtls.md
+      - Tun: examples/tun.md
      - DNS Hijack: examples/dns-hijack.md
+      - Shadowsocks: examples/shadowsocks.md
+      - ShadowTLS: examples/shadowtls.md
+      - Clash API: examples/clash-api.md
  - Contributing:
      - contributing/index.md
      - Developing:
@@ -168,7 +168,4 @@ plugins:
          Known Issues: 已知问题
          Examples: 示例
          Linux Server Installation: Linux 服务器安装
-          Shadowsocks Server: Shadowsocks 服务器
-          Shadowsocks Client: Shadowsocks 客户端
-          Shadowsocks Tun: Shadowsocks Tun
          DNS Hijack: DNS 劫持
--- a/option/clash.go
+++ b/option/clash.go
@@ -4,7 +4,6 @@ type ClashAPIOptions struct {
 	ExternalController string `json:"external_controller,omitempty"`
 	ExternalUI         string `json:"external_ui,omitempty"`
 	Secret             string `json:"secret,omitempty"`
-	DirectIO           bool   `json:"direct_io,omitempty"`
 	DefaultMode        string `json:"default_mode,omitempty"`
 	StoreSelected      bool   `json:"store_selected,omitempty"`
 	CacheFile          string `json:"cache_file,omitempty"`
--- a/option/shadowsocks.go
+++ b/option/shadowsocks.go
@@ -2,12 +2,11 @@ package option

 type ShadowsocksInboundOptions struct {
 	ListenOptions
-	Network         NetworkList              `json:"network,omitempty"`
-	Method          string                   `json:"method"`
-	Password        string                   `json:"password"`
-	ControlPassword string                   `json:"control_password,omitempty"`
-	Users           []ShadowsocksUser        `json:"users,omitempty"`
-	Destinations    []ShadowsocksDestination `json:"destinations,omitempty"`
+	Network      NetworkList              `json:"network,omitempty"`
+	Method       string                   `json:"method"`
+	Password     string                   `json:"password"`
+	Users        []ShadowsocksUser        `json:"users,omitempty"`
+	Destinations []ShadowsocksDestination `json:"destinations,omitempty"`
 }

 type ShadowsocksUser struct {
--- a/option/shadowtls.go
+++ b/option/shadowtls.go
@@ -2,9 +2,10 @@ package option

 type ShadowTLSInboundOptions struct {
 	ListenOptions
-	Version   int                       `json:"version,omitempty"`
-	Password  string                    `json:"password,omitempty"`
-	Handshake ShadowTLSHandshakeOptions `json:"handshake"`
+	Version       int                       `json:"version,omitempty"`
+	Password      string                    `json:"password,omitempty"`
+	FallbackAfter *int                      `json:"fallback_after,omitempty"`
+	Handshake     ShadowTLSHandshakeOptions `json:"handshake"`
 }

 type ShadowTLSHandshakeOptions struct {
--- a/option/v2ray.go
+++ b/option/v2ray.go
@@ -7,7 +7,6 @@ type V2RayAPIOptions struct {

 type V2RayStatsServiceOptions struct {
 	Enabled   bool     `json:"enabled,omitempty"`
-	DirectIO  bool     `json:"direct_io,omitempty"`
 	Inbounds  []string `json:"inbounds,omitempty"`
 	Outbounds []string `json:"outbounds,omitempty"`
 }
--- a/outbound/default.go
+++ b/outbound/default.go
@@ -78,12 +78,6 @@ func NewEarlyConnection(ctx context.Context, this N.Dialer, conn net.Conn, metad
 }

 func NewPacketConnection(ctx context.Context, this N.Dialer, conn N.PacketConn, metadata adapter.InboundContext) error {
-	switch metadata.Protocol {
-	case C.ProtocolQUIC, C.ProtocolDNS:
-		if !metadata.Destination.Addr.IsUnspecified() {
-			return connectPacketConnection(ctx, this, conn, metadata)
-		}
-	}
 	ctx = adapter.WithContext(ctx, &metadata)
 	var outConn net.PacketConn
 	var err error
@@ -98,29 +92,12 @@ func NewPacketConnection(ctx context.Context, this N.Dialer, conn N.PacketConn,
 	switch metadata.Protocol {
 	case C.ProtocolSTUN:
 		ctx, conn = canceler.NewPacketConn(ctx, conn, C.STUNTimeout)
-	}
-	return bufio.CopyPacketConn(ctx, conn, bufio.NewPacketConn(outConn))
-}
-
-func connectPacketConnection(ctx context.Context, this N.Dialer, conn N.PacketConn, metadata adapter.InboundContext) error {
-	ctx = adapter.WithContext(ctx, &metadata)
-	var outConn net.Conn
-	var err error
-	if len(metadata.DestinationAddresses) > 0 {
-		outConn, err = N.DialSerial(ctx, this, N.NetworkUDP, metadata.Destination, metadata.DestinationAddresses)
-	} else {
-		outConn, err = this.DialContext(ctx, N.NetworkUDP, metadata.Destination)
-	}
-	if err != nil {
-		return N.HandshakeFailure(conn, err)
-	}
-	switch metadata.Protocol {
 	case C.ProtocolQUIC:
 		ctx, conn = canceler.NewPacketConn(ctx, conn, C.QUICTimeout)
 	case C.ProtocolDNS:
 		ctx, conn = canceler.NewPacketConn(ctx, conn, C.DNSTimeout)
 	}
-	return bufio.CopyPacketConn(ctx, conn, bufio.NewUnbindPacketConn(outConn))
+	return bufio.CopyPacketConn(ctx, conn, bufio.NewPacketConn(outConn))
 }

 func CopyEarlyConn(ctx context.Context, conn net.Conn, serverConn net.Conn) error {
--- a/outbound/trojan.go
+++ b/outbound/trojan.go
@@ -11,13 +11,13 @@ import (
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing-box/transport/trojan"
 	"github.com/sagernet/sing-box/transport/v2ray"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/bufio"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/protocol/trojan"
 )

 var _ adapter.Outbound = (*Trojan)(nil)
--- a/release/config/sing-box.service
+++ b/release/config/sing-box.service
@@ -4,6 +4,7 @@ Documentation=https://sing-box.sagernet.org
 After=network.target nss-lookup.target

 [Service]
+WorkingDirectory=/var/lib/sing-box
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 ExecStart=/usr/bin/sing-box run -c /etc/sing-box/config.json
--- a/release/config/sing-box@.service
+++ b/release/config/sing-box@.service
@@ -4,6 +4,7 @@ Documentation=https://sing-box.sagernet.org
 After=network.target nss-lookup.target

 [Service]
+WorkingDirectory=/var/lib/sing-box-%i
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 ExecStart=/usr/bin/sing-box run -c /etc/sing-box/%i.json
--- a/release/local/sing-box.service
+++ b/release/local/sing-box.service
@@ -4,6 +4,7 @@ Documentation=https://sing-box.sagernet.org
 After=network.target nss-lookup.target

 [Service]
+WorkingDirectory=/var/lib/sing-box
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 ExecStart=/usr/local/bin/sing-box run -c /usr/local/etc/sing-box/config.json
--- a/route/router.go
+++ b/route/router.go
@@ -99,7 +99,7 @@ type Router struct {
 	v2rayServer                        adapter.V2RayServer
 }

-func NewRouter(ctx context.Context, logger log.ContextLogger, dnsLogger log.ContextLogger, options option.RouteOptions, dnsOptions option.DNSOptions, inbounds []option.Inbound) (*Router, error) {
+func NewRouter(ctx context.Context, logFactory log.Factory, options option.RouteOptions, dnsOptions option.DNSOptions, inbounds []option.Inbound) (*Router, error) {
 	if options.DefaultInterface != "" {
 		warnDefaultInterfaceOnUnsupportedPlatform.Check()
 	}
@@ -112,8 +112,8 @@ func NewRouter(ctx context.Context, logger log.ContextLogger, dnsLogger log.Cont

 	router := &Router{
 		ctx:                   ctx,
-		logger:                logger,
-		dnsLogger:             dnsLogger,
+		logger:                logFactory.NewLogger("router"),
+		dnsLogger:             logFactory.NewLogger("dns"),
 		outboundByTag:         make(map[string]adapter.Outbound),
 		rules:                 make([]adapter.Rule, 0, len(options.Rules)),
 		dnsRules:              make([]adapter.DNSRule, 0, len(dnsOptions.Rules)),
@@ -130,14 +130,14 @@ func NewRouter(ctx context.Context, logger log.ContextLogger, dnsLogger log.Cont
 		defaultMark:           options.DefaultMark,
 	}
 	for i, ruleOptions := range options.Rules {
-		routeRule, err := NewRule(router, logger, ruleOptions)
+		routeRule, err := NewRule(router, router.logger, ruleOptions)
 		if err != nil {
 			return nil, E.Cause(err, "parse rule[", i, "]")
 		}
 		router.rules = append(router.rules, routeRule)
 	}
 	for i, dnsRuleOptions := range dnsOptions.Rules {
-		dnsRule, err := NewDNSRule(router, logger, dnsRuleOptions)
+		dnsRule, err := NewDNSRule(router, router.logger, dnsRuleOptions)
 		if err != nil {
 			return nil, E.Cause(err, "parse dns rule[", i, "]")
 		}
@@ -197,7 +197,7 @@ func NewRouter(ctx context.Context, logger log.ContextLogger, dnsLogger log.Cont
 					return nil, E.New("parse dns server[", tag, "]: missing address_resolver")
 				}
 			}
-			transport, err := dns.CreateTransport(ctx, detour, server.Address)
+			transport, err := dns.CreateTransport(ctx, logFactory.NewLogger(F.ToString("dns/transport[", i, "]")), detour, server.Address)
 			if err != nil {
 				return nil, E.Cause(err, "parse dns server[", tag, "]")
 			}
@@ -279,12 +279,12 @@ func NewRouter(ctx context.Context, logger log.ContextLogger, dnsLogger log.Cont
 	}
 	if needFindProcess {
 		searcher, err := process.NewSearcher(process.Config{
-			Logger:         logger,
+			Logger:         logFactory.NewLogger("router/process"),
 			PackageManager: router.packageManager,
 		})
 		if err != nil {
 			if err != os.ErrInvalid {
-				logger.Warn(E.Cause(err, "create process searcher"))
+				router.logger.Warn(E.Cause(err, "create process searcher"))
 			}
 		} else {
 			router.processSearcher = searcher
--- a/test/go.mod
+++ b/test/go.mod
@@ -39,7 +39,7 @@ require (
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/google/btree v1.0.1 // indirect
 	github.com/hashicorp/yamux v0.1.1 // indirect
-	github.com/klauspost/compress v1.15.9 // indirect
+	github.com/klauspost/compress v1.15.12 // indirect
 	github.com/klauspost/cpuid/v2 v2.1.1 // indirect
 	github.com/libdns/libdns v0.2.1 // indirect
 	github.com/logrusorgru/aurora v2.0.3+incompatible // indirect
@@ -56,7 +56,7 @@ require (
 	github.com/pires/go-proxyproto v0.6.2 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/refraction-networking/utls v1.1.5 // indirect
+	github.com/refraction-networking/utls v1.2.0 // indirect
 	github.com/sagernet/abx-go v0.0.0-20220819185957-dba1257d738e // indirect
 	github.com/sagernet/cloudflare-tls v0.0.0-20221031050923-d70792f4c3a0 // indirect
 	github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61 // indirect
@@ -67,7 +67,7 @@ require (
 	github.com/sagernet/sing-vmess v0.0.0-20221109021549-b446d5bdddf0 // indirect
 	github.com/sagernet/smux v0.0.0-20220831015742-e0f1988e3195 // indirect
 	github.com/sagernet/websocket v0.0.0-20220913015213-615516348b4e // indirect
-	github.com/sagernet/wireguard-go v0.0.0-20221108054404-7c2acadba17c // indirect
+	github.com/sagernet/wireguard-go v0.0.0-20221116151939-c99467f53f2c // indirect
 	github.com/sirupsen/logrus v1.9.0 // indirect
 	github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 // indirect
 	go.etcd.io/bbolt v1.3.6 // indirect
@@ -75,7 +75,7 @@ require (
 	go.uber.org/multierr v1.6.0 // indirect
 	go.uber.org/zap v1.23.0 // indirect
 	go4.org/netipx v0.0.0-20220925034521-797b0c90d8ab // indirect
-	golang.org/x/crypto v0.2.0 // indirect
+	golang.org/x/crypto v0.3.0 // indirect
 	golang.org/x/exp v0.0.0-20221028150844-83b7d23a625f // indirect
 	golang.org/x/mod v0.6.0 // indirect
 	golang.org/x/sys v0.2.0 // indirect
@@ -83,7 +83,7 @@ require (
 	golang.org/x/time v0.0.0-20191024005414-555d28b269f0 // indirect
 	golang.org/x/tools v0.2.0 // indirect
 	google.golang.org/genproto v0.0.0-20210722135532-667f2b7c528f // indirect
-	google.golang.org/grpc v1.50.1 // indirect
+	google.golang.org/grpc v1.51.0 // indirect
 	google.golang.org/protobuf v1.28.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	gotest.tools/v3 v3.4.0 // indirect
--- a/test/go.sum
+++ b/test/go.sum
@@ -91,8 +91,8 @@ github.com/hashicorp/yamux v0.1.1 h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE
 github.com/hashicorp/yamux v0.1.1/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.15.9 h1:wKRjX6JRtDdrE9qwa4b/Cip7ACOshUI4smpCQanqjSY=
-github.com/klauspost/compress v1.15.9/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU=
+github.com/klauspost/compress v1.15.12 h1:YClS/PImqYbn+UILDnqxQCZ3RehC9N318SU3kElDUEM=
+github.com/klauspost/compress v1.15.12/go.mod h1:QPwzmACJjUTFsnSHH934V6woptycfrDDJnH7hvFVbGM=
 github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
 github.com/klauspost/cpuid/v2 v2.1.1 h1:t0wUqjowdm8ezddV5k0tLWVklVuvLJpoHeb4WBdydm0=
 github.com/klauspost/cpuid/v2 v2.1.1/go.mod h1:RVVoqg1df56z8g3pUjL/3lE5UfnlrJX8tyFgg4nqhuY=
@@ -135,8 +135,8 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/refraction-networking/utls v1.1.5 h1:JtrojoNhbUQkBqEg05sP3gDgDj6hIEAAVKbI9lx4n6w=
-github.com/refraction-networking/utls v1.1.5/go.mod h1:jRQxtYi7nkq1p28HF2lwOH5zQm9aC8rpK0O9lIIzGh8=
+github.com/refraction-networking/utls v1.2.0 h1:U5f8wkij2NVinfLuJdFP3gCMwIHs+EzvhxmYdXgiapo=
+github.com/refraction-networking/utls v1.2.0/go.mod h1:NPq+cVqzH7D1BeOkmOcb5O/8iVewAsiVt2x1/eO0hgQ=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/sagernet/abx-go v0.0.0-20220819185957-dba1257d738e h1:5CFRo8FJbCuf5s/eTBdZpmMbn8Fe2eSMLNAYfKanA34=
 github.com/sagernet/abx-go v0.0.0-20220819185957-dba1257d738e/go.mod h1:qbt0dWObotCfcjAJJ9AxtFPNSDUfZF+6dCpgKEOBn/g=
@@ -164,8 +164,8 @@ github.com/sagernet/smux v0.0.0-20220831015742-e0f1988e3195 h1:5VBIbVw9q7aKbrFdT
 github.com/sagernet/smux v0.0.0-20220831015742-e0f1988e3195/go.mod h1:yedWtra8nyGJ+SyI+ziwuaGMzBatbB10P1IOOZbbSK8=
 github.com/sagernet/websocket v0.0.0-20220913015213-615516348b4e h1:7uw2njHFGE+VpWamge6o56j2RWk4omF6uLKKxMmcWvs=
 github.com/sagernet/websocket v0.0.0-20220913015213-615516348b4e/go.mod h1:45TUl8+gH4SIKr4ykREbxKWTxkDlSzFENzctB1dVRRY=
-github.com/sagernet/wireguard-go v0.0.0-20221108054404-7c2acadba17c h1:qP3ZOHnjZalvqbjundbXiv/YrNlo3HOgrKc+S1QGs0U=
-github.com/sagernet/wireguard-go v0.0.0-20221108054404-7c2acadba17c/go.mod h1:euOmN6O5kk9dQmgSS8Df4psAl3TCjxOz0NW60EWkSaI=
+github.com/sagernet/wireguard-go v0.0.0-20221116151939-c99467f53f2c h1:vK2wyt9aWYHHvNLWniwijBu/n4pySypiKRhN32u/JGo=
+github.com/sagernet/wireguard-go v0.0.0-20221116151939-c99467f53f2c/go.mod h1:euOmN6O5kk9dQmgSS8Df4psAl3TCjxOz0NW60EWkSaI=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
 github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
@@ -208,9 +208,8 @@ golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5/go.mod h1:WFFai1msRO1wXaE
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
-golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.2.0 h1:BRXPfhNivWL5Yq0BGQ39a2sW6t44aODpfxkWjYdzewE=
-golang.org/x/crypto v0.2.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
+golang.org/x/crypto v0.3.0 h1:a06MkbcxBrEFc0w0QIZWXrH/9cCX6KJyWbBOIwAn+7A=
+golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20221028150844-83b7d23a625f h1:Al51T6tzvuh3oiwX11vex3QgJ2XTedFPGmbEVh8cdoc=
 golang.org/x/exp v0.0.0-20221028150844-83b7d23a625f/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
@@ -240,9 +239,7 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220630215102-69896b714898/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
 golang.org/x/net v0.2.0 h1:sZfSu1wtKLGlWI4ZZayP0ck9Y73K1ynO6gqzTdBVdPU=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -275,7 +272,6 @@ golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220731174439-a90be440212d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0 h1:ljd4t30dBnAvMZaQCevtY0xLLD0A+bRZXbgLMLU1F/A=
@@ -325,8 +321,8 @@ google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8
 google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0=
 google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE=
-google.golang.org/grpc v1.50.1 h1:DS/BukOZWp8s6p4Dt/tOaJaTQyPyOoCcrjroHuCeLzY=
-google.golang.org/grpc v1.50.1/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
+google.golang.org/grpc v1.51.0 h1:E1eGv1FTqoLIdnBCZufiSHgKjlqG6fKFf6pPWtMTh8U=
+google.golang.org/grpc v1.51.0/go.mod h1:wgNDFcnuBGmxLKI/qn4T+m5BtEBYXJPvibbUPsAIPww=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
--- a/transport/clashssr/tools/bufPool.go
+++ b/transport/clashssr/tools/bufPool.go
@@ -1,11 +0,0 @@
-package tools
-
-import (
-	"bytes"
-	"crypto/rand"
-	"io"
-)
-
-func AppendRandBytes(b *bytes.Buffer, length int) {
-	b.ReadFrom(io.LimitReader(rand.Reader, int64(length)))
-}
--- a/transport/clashssr/tools/crypto.go
+++ b/transport/clashssr/tools/crypto.go
@@ -1,33 +0,0 @@
-package tools
-
-import (
-	"crypto/hmac"
-	"crypto/md5"
-	"crypto/sha1"
-)
-
-const HmacSHA1Len = 10
-
-func HmacMD5(key, data []byte) []byte {
-	hmacMD5 := hmac.New(md5.New, key)
-	hmacMD5.Write(data)
-	return hmacMD5.Sum(nil)
-}
-
-func HmacSHA1(key, data []byte) []byte {
-	hmacSHA1 := hmac.New(sha1.New, key)
-	hmacSHA1.Write(data)
-	return hmacSHA1.Sum(nil)
-}
-
-func MD5Sum(b []byte) []byte {
-	h := md5.New()
-	h.Write(b)
-	return h.Sum(nil)
-}
-
-func SHA1Sum(b []byte) []byte {
-	h := sha1.New()
-	h.Write(b)
-	return h.Sum(nil)
-}
--- a/transport/clashssr/tools/random.go
+++ b/transport/clashssr/tools/random.go
@@ -1,57 +0,0 @@
-package tools
-
-import (
-	"encoding/binary"
-
-	"github.com/Dreamacro/clash/common/pool"
-)
-
-// XorShift128Plus - a pseudorandom number generator
-type XorShift128Plus struct {
-	s [2]uint64
-}
-
-func (r *XorShift128Plus) Next() uint64 {
-	x := r.s[0]
-	y := r.s[1]
-	r.s[0] = y
-	x ^= x << 23
-	x ^= y ^ (x >> 17) ^ (y >> 26)
-	r.s[1] = x
-	return x + y
-}
-
-func (r *XorShift128Plus) InitFromBin(bin []byte) {
-	var full []byte
-	if len(bin) < 16 {
-		full := pool.Get(16)[:0]
-		defer pool.Put(full)
-		full = append(full, bin...)
-		for len(full) < 16 {
-			full = append(full, 0)
-		}
-	} else {
-		full = bin
-	}
-	r.s[0] = binary.LittleEndian.Uint64(full[:8])
-	r.s[1] = binary.LittleEndian.Uint64(full[8:16])
-}
-
-func (r *XorShift128Plus) InitFromBinAndLength(bin []byte, length int) {
-	var full []byte
-	if len(bin) < 16 {
-		full := pool.Get(16)[:0]
-		defer pool.Put(full)
-		full = append(full, bin...)
-		for len(full) < 16 {
-			full = append(full, 0)
-		}
-	}
-	full = bin
-	binary.LittleEndian.PutUint16(full, uint16(length))
-	r.s[0] = binary.LittleEndian.Uint64(full[:8])
-	r.s[1] = binary.LittleEndian.Uint64(full[8:16])
-	for i := 0; i < 4; i++ {
-		r.Next()
-	}
-}
--- a/transport/shadowtls/hash.go
+++ b/transport/shadowtls/hash.go
@@ -34,19 +34,25 @@ func (c *HashReadConn) Sum() []byte {

 type HashWriteConn struct {
 	net.Conn
-	hmac hash.Hash
+	hmac       hash.Hash
+	hasContent bool
+	lastSum    []byte
 }

 func NewHashWriteConn(conn net.Conn, password string) *HashWriteConn {
 	return &HashWriteConn{
-		conn,
-		hmac.New(sha1.New, []byte(password)),
+		Conn: conn,
+		hmac: hmac.New(sha1.New, []byte(password)),
 	}
 }

 func (c *HashWriteConn) Write(p []byte) (n int, err error) {
 	if c.hmac != nil {
+		if c.hasContent {
+			c.lastSum = c.Sum()
+		}
 		c.hmac.Write(p)
+		c.hasContent = true
 	}
 	return c.Conn.Write(p)
 }
@@ -55,6 +61,14 @@ func (c *HashWriteConn) Sum() []byte {
 	return c.hmac.Sum(nil)[:8]
 }

+func (c *HashWriteConn) LastSum() []byte {
+	return c.lastSum
+}
+
 func (c *HashWriteConn) Fallback() {
 	c.hmac = nil
 }
+
+func (c *HashWriteConn) HasContent() bool {
+	return c.hasContent
+}
--- a/transport/trojan/mux.go
+++ b/transport/trojan/mux.go
@@ -0,0 +1,66 @@
+package trojan
+
+import (
+	"context"
+	"net"
+
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	"github.com/sagernet/sing/common/rw"
+	"github.com/sagernet/sing/common/task"
+	"github.com/sagernet/smux"
+)
+
+func HandleMuxConnection(ctx context.Context, conn net.Conn, metadata M.Metadata, handler Handler) error {
+	session, err := smux.Server(conn, smuxConfig())
+	if err != nil {
+		return err
+	}
+	var group task.Group
+	group.Append0(func(ctx context.Context) error {
+		var stream net.Conn
+		for {
+			stream, err = session.AcceptStream()
+			if err != nil {
+				return err
+			}
+			go newMuxConnection(ctx, stream, metadata, handler)
+		}
+	})
+	group.Cleanup(func() {
+		session.Close()
+	})
+	return group.Run(ctx)
+}
+
+func newMuxConnection(ctx context.Context, stream net.Conn, metadata M.Metadata, handler Handler) {
+	err := newMuxConnection0(ctx, stream, metadata, handler)
+	if err != nil {
+		handler.NewError(ctx, E.Cause(err, "process trojan-go multiplex connection"))
+	}
+}
+
+func newMuxConnection0(ctx context.Context, stream net.Conn, metadata M.Metadata, handler Handler) error {
+	command, err := rw.ReadByte(stream)
+	if err != nil {
+		return E.Cause(err, "read command")
+	}
+	metadata.Destination, err = M.SocksaddrSerializer.ReadAddrPort(stream)
+	if err != nil {
+		return E.Cause(err, "read destination")
+	}
+	switch command {
+	case CommandTCP:
+		return handler.NewConnection(ctx, stream, metadata)
+	case CommandUDP:
+		return handler.NewPacketConnection(ctx, &PacketConn{stream}, metadata)
+	default:
+		return E.New("unknown command ", command)
+	}
+}
+
+func smuxConfig() *smux.Config {
+	config := smux.DefaultConfig()
+	config.KeepAliveDisabled = true
+	return config
+}
--- a/transport/trojan/protocol.go
+++ b/transport/trojan/protocol.go
@@ -0,0 +1,313 @@
+package trojan
+
+import (
+	"crypto/sha256"
+	"encoding/binary"
+	"encoding/hex"
+	"io"
+	"net"
+	"os"
+
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/buf"
+	"github.com/sagernet/sing/common/bufio"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/common/rw"
+)
+
+const (
+	KeyLength  = 56
+	CommandTCP = 1
+	CommandUDP = 3
+	CommandMux = 0x7f
+)
+
+var CRLF = []byte{'\r', '\n'}
+
+type ClientConn struct {
+	N.ExtendedConn
+	key           [KeyLength]byte
+	destination   M.Socksaddr
+	headerWritten bool
+}
+
+func NewClientConn(conn net.Conn, key [KeyLength]byte, destination M.Socksaddr) *ClientConn {
+	return &ClientConn{
+		ExtendedConn: bufio.NewExtendedConn(conn),
+		key:          key,
+		destination:  destination,
+	}
+}
+
+func (c *ClientConn) Write(p []byte) (n int, err error) {
+	if c.headerWritten {
+		return c.ExtendedConn.Write(p)
+	}
+	err = ClientHandshake(c.ExtendedConn, c.key, c.destination, p)
+	if err != nil {
+		return
+	}
+	n = len(p)
+	c.headerWritten = true
+	return
+}
+
+func (c *ClientConn) WriteBuffer(buffer *buf.Buffer) error {
+	if c.headerWritten {
+		return c.ExtendedConn.WriteBuffer(buffer)
+	}
+	err := ClientHandshakeBuffer(c.ExtendedConn, c.key, c.destination, buffer)
+	if err != nil {
+		return err
+	}
+	c.headerWritten = true
+	return nil
+}
+
+func (c *ClientConn) ReadFrom(r io.Reader) (n int64, err error) {
+	if !c.headerWritten {
+		return bufio.ReadFrom0(c, r)
+	}
+	return bufio.Copy(c.ExtendedConn, r)
+}
+
+func (c *ClientConn) WriteTo(w io.Writer) (n int64, err error) {
+	return bufio.Copy(w, c.ExtendedConn)
+}
+
+func (c *ClientConn) FrontHeadroom() int {
+	if !c.headerWritten {
+		return KeyLength + 5 + M.MaxSocksaddrLength
+	}
+	return 0
+}
+
+func (c *ClientConn) Upstream() any {
+	return c.ExtendedConn
+}
+
+type ClientPacketConn struct {
+	net.Conn
+	key           [KeyLength]byte
+	headerWritten bool
+}
+
+func NewClientPacketConn(conn net.Conn, key [KeyLength]byte) *ClientPacketConn {
+	return &ClientPacketConn{
+		Conn: conn,
+		key:  key,
+	}
+}
+
+func (c *ClientPacketConn) ReadPacket(buffer *buf.Buffer) (M.Socksaddr, error) {
+	return ReadPacket(c.Conn, buffer)
+}
+
+func (c *ClientPacketConn) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
+	if !c.headerWritten {
+		err := ClientHandshakePacket(c.Conn, c.key, destination, buffer)
+		c.headerWritten = true
+		return err
+	}
+	return WritePacket(c.Conn, buffer, destination)
+}
+
+func (c *ClientPacketConn) ReadFrom(p []byte) (n int, addr net.Addr, err error) {
+	buffer := buf.With(p)
+	destination, err := c.ReadPacket(buffer)
+	if err != nil {
+		return
+	}
+	n = buffer.Len()
+	addr = destination.UDPAddr()
+	return
+}
+
+func (c *ClientPacketConn) WriteTo(p []byte, addr net.Addr) (n int, err error) {
+	return bufio.WritePacket(c, p, addr)
+}
+
+func (c *ClientPacketConn) Read(p []byte) (n int, err error) {
+	n, _, err = c.ReadFrom(p)
+	return
+}
+
+func (c *ClientPacketConn) Write(p []byte) (n int, err error) {
+	return 0, os.ErrInvalid
+}
+
+func (c *ClientPacketConn) FrontHeadroom() int {
+	if !c.headerWritten {
+		return KeyLength + 2*M.MaxSocksaddrLength + 9
+	}
+	return M.MaxSocksaddrLength + 4
+}
+
+func (c *ClientPacketConn) Upstream() any {
+	return c.Conn
+}
+
+func Key(password string) [KeyLength]byte {
+	var key [KeyLength]byte
+	hash := sha256.New224()
+	common.Must1(hash.Write([]byte(password)))
+	hex.Encode(key[:], hash.Sum(nil))
+	return key
+}
+
+func ClientHandshakeRaw(conn net.Conn, key [KeyLength]byte, command byte, destination M.Socksaddr, payload []byte) error {
+	_, err := conn.Write(key[:])
+	if err != nil {
+		return err
+	}
+	_, err = conn.Write(CRLF)
+	if err != nil {
+		return err
+	}
+	_, err = conn.Write([]byte{command})
+	if err != nil {
+		return err
+	}
+	err = M.SocksaddrSerializer.WriteAddrPort(conn, destination)
+	if err != nil {
+		return err
+	}
+	_, err = conn.Write(CRLF)
+	if err != nil {
+		return err
+	}
+	if len(payload) > 0 {
+		_, err = conn.Write(payload)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func ClientHandshake(conn net.Conn, key [KeyLength]byte, destination M.Socksaddr, payload []byte) error {
+	headerLen := KeyLength + M.SocksaddrSerializer.AddrPortLen(destination) + 5
+	var header *buf.Buffer
+	defer header.Release()
+	var writeHeader bool
+	if len(payload) > 0 && headerLen+len(payload) < 65535 {
+		buffer := buf.StackNewSize(headerLen + len(payload))
+		defer common.KeepAlive(buffer)
+		header = common.Dup(buffer)
+	} else {
+		buffer := buf.StackNewSize(headerLen)
+		defer common.KeepAlive(buffer)
+		header = common.Dup(buffer)
+		writeHeader = true
+	}
+	common.Must1(header.Write(key[:]))
+	common.Must1(header.Write(CRLF))
+	common.Must(header.WriteByte(CommandTCP))
+	common.Must(M.SocksaddrSerializer.WriteAddrPort(header, destination))
+	common.Must1(header.Write(CRLF))
+	if !writeHeader {
+		common.Must1(header.Write(payload))
+	}
+
+	_, err := conn.Write(header.Bytes())
+	if err != nil {
+		return E.Cause(err, "write request")
+	}
+
+	if writeHeader {
+		_, err = conn.Write(payload)
+		if err != nil {
+			return E.Cause(err, "write payload")
+		}
+	}
+	return nil
+}
+
+func ClientHandshakeBuffer(conn net.Conn, key [KeyLength]byte, destination M.Socksaddr, payload *buf.Buffer) error {
+	header := buf.With(payload.ExtendHeader(KeyLength + M.SocksaddrSerializer.AddrPortLen(destination) + 5))
+	common.Must1(header.Write(key[:]))
+	common.Must1(header.Write(CRLF))
+	common.Must(header.WriteByte(CommandTCP))
+	common.Must(M.SocksaddrSerializer.WriteAddrPort(header, destination))
+	common.Must1(header.Write(CRLF))
+
+	_, err := conn.Write(payload.Bytes())
+	if err != nil {
+		return E.Cause(err, "write request")
+	}
+	return nil
+}
+
+func ClientHandshakePacket(conn net.Conn, key [KeyLength]byte, destination M.Socksaddr, payload *buf.Buffer) error {
+	headerLen := KeyLength + 2*M.SocksaddrSerializer.AddrPortLen(destination) + 9
+	payloadLen := payload.Len()
+	var header *buf.Buffer
+	defer header.Release()
+	var writeHeader bool
+	if payload.Start() >= headerLen {
+		header = buf.With(payload.ExtendHeader(headerLen))
+	} else {
+		buffer := buf.StackNewSize(headerLen)
+		defer common.KeepAlive(buffer)
+		header = common.Dup(buffer)
+		writeHeader = true
+	}
+	common.Must1(header.Write(key[:]))
+	common.Must1(header.Write(CRLF))
+	common.Must(header.WriteByte(CommandUDP))
+	common.Must(M.SocksaddrSerializer.WriteAddrPort(header, destination))
+	common.Must1(header.Write(CRLF))
+	common.Must(M.SocksaddrSerializer.WriteAddrPort(header, destination))
+	common.Must(binary.Write(header, binary.BigEndian, uint16(payloadLen)))
+	common.Must1(header.Write(CRLF))
+
+	if writeHeader {
+		_, err := conn.Write(header.Bytes())
+		if err != nil {
+			return E.Cause(err, "write request")
+		}
+	}
+
+	_, err := conn.Write(payload.Bytes())
+	if err != nil {
+		return E.Cause(err, "write payload")
+	}
+	return nil
+}
+
+func ReadPacket(conn net.Conn, buffer *buf.Buffer) (M.Socksaddr, error) {
+	destination, err := M.SocksaddrSerializer.ReadAddrPort(conn)
+	if err != nil {
+		return M.Socksaddr{}, E.Cause(err, "read destination")
+	}
+
+	var length uint16
+	err = binary.Read(conn, binary.BigEndian, &length)
+	if err != nil {
+		return M.Socksaddr{}, E.Cause(err, "read chunk length")
+	}
+
+	err = rw.SkipN(conn, 2)
+	if err != nil {
+		return M.Socksaddr{}, E.Cause(err, "skip crlf")
+	}
+
+	_, err = buffer.ReadFullFrom(conn, int(length))
+	return destination, err
+}
+
+func WritePacket(conn net.Conn, buffer *buf.Buffer, destination M.Socksaddr) error {
+	defer buffer.Release()
+	bufferLen := buffer.Len()
+	header := buf.With(buffer.ExtendHeader(M.SocksaddrSerializer.AddrPortLen(destination) + 4))
+	common.Must(M.SocksaddrSerializer.WriteAddrPort(header, destination))
+	common.Must(binary.Write(header, binary.BigEndian, uint16(bufferLen)))
+	common.Must1(header.Write(CRLF))
+	_, err := conn.Write(buffer.Bytes())
+	if err != nil {
+		return E.Cause(err, "write packet")
+	}
+	return nil
+}
--- a/transport/trojan/service.go
+++ b/transport/trojan/service.go
@@ -0,0 +1,138 @@
+package trojan
+
+import (
+	"context"
+	"net"
+
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/auth"
+	"github.com/sagernet/sing/common/buf"
+	"github.com/sagernet/sing/common/bufio"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/common/rw"
+)
+
+type Handler interface {
+	N.TCPConnectionHandler
+	N.UDPConnectionHandler
+	E.Handler
+}
+
+type Service[K comparable] struct {
+	users           map[K][56]byte
+	keys            map[[56]byte]K
+	handler         Handler
+	fallbackHandler N.TCPConnectionHandler
+}
+
+func NewService[K comparable](handler Handler, fallbackHandler N.TCPConnectionHandler) *Service[K] {
+	return &Service[K]{
+		users:           make(map[K][56]byte),
+		keys:            make(map[[56]byte]K),
+		handler:         handler,
+		fallbackHandler: fallbackHandler,
+	}
+}
+
+var ErrUserExists = E.New("user already exists")
+
+func (s *Service[K]) UpdateUsers(userList []K, passwordList []string) error {
+	users := make(map[K][56]byte)
+	keys := make(map[[56]byte]K)
+	for i, user := range userList {
+		if _, loaded := users[user]; loaded {
+			return ErrUserExists
+		}
+		key := Key(passwordList[i])
+		if oldUser, loaded := keys[key]; loaded {
+			return E.Extend(ErrUserExists, "password used by ", oldUser)
+		}
+		users[user] = key
+		keys[key] = user
+	}
+	s.users = users
+	s.keys = keys
+	return nil
+}
+
+func (s *Service[K]) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
+	var key [KeyLength]byte
+	n, err := conn.Read(common.Dup(key[:]))
+	if err != nil {
+		return err
+	} else if n != KeyLength {
+		return s.fallback(ctx, conn, metadata, key[:n], E.New("bad request size"))
+	}
+
+	if user, loaded := s.keys[key]; loaded {
+		ctx = auth.ContextWithUser(ctx, user)
+	} else {
+		return s.fallback(ctx, conn, metadata, key[:], E.New("bad request"))
+	}
+
+	err = rw.SkipN(conn, 2)
+	if err != nil {
+		return E.Cause(err, "skip crlf")
+	}
+
+	command, err := rw.ReadByte(conn)
+	if err != nil {
+		return E.Cause(err, "read command")
+	}
+
+	switch command {
+	case CommandTCP, CommandUDP, CommandMux:
+	default:
+		return E.New("unknown command ", command)
+	}
+
+	// var destination M.Socksaddr
+	destination, err := M.SocksaddrSerializer.ReadAddrPort(conn)
+	if err != nil {
+		return E.Cause(err, "read destination")
+	}
+
+	err = rw.SkipN(conn, 2)
+	if err != nil {
+		return E.Cause(err, "skip crlf")
+	}
+
+	metadata.Protocol = "trojan"
+	metadata.Destination = destination
+
+	switch command {
+	case CommandTCP:
+		return s.handler.NewConnection(ctx, conn, metadata)
+	case CommandUDP:
+		return s.handler.NewPacketConnection(ctx, &PacketConn{conn}, metadata)
+	// case CommandMux:
+	default:
+		return HandleMuxConnection(ctx, conn, metadata, s.handler)
+	}
+}
+
+func (s *Service[K]) fallback(ctx context.Context, conn net.Conn, metadata M.Metadata, header []byte, err error) error {
+	if s.fallbackHandler == nil {
+		return E.Extend(err, "fallback disabled")
+	}
+	conn = bufio.NewCachedConn(conn, buf.As(header).ToOwned())
+	return s.fallbackHandler.NewConnection(ctx, conn, metadata)
+}
+
+type PacketConn struct {
+	net.Conn
+}
+
+func (c *PacketConn) ReadPacket(buffer *buf.Buffer) (M.Socksaddr, error) {
+	return ReadPacket(c.Conn, buffer)
+}
+
+func (c *PacketConn) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
+	return WritePacket(c.Conn, buffer, destination)
+}
+
+func (c *PacketConn) FrontHeadroom() int {
+	return M.MaxSocksaddrLength + 4
+}
--- a/transport/v2raygrpclite/conn.go
+++ b/transport/v2raygrpclite/conn.go
@@ -106,31 +106,22 @@ func (c *GunConn) Write(b []byte) (n int, err error) {
 	_, err = bufio.Copy(c.writer, io.MultiReader(bytes.NewReader(grpcHeader), bytes.NewReader(protobufHeader[:varuintLen+1]), bytes.NewReader(b)))
 	c.writeAccess.Unlock()
 	buf.Put(grpcHeader)
-	if c.flusher != nil {
+	if err == nil && c.flusher != nil {
 		c.flusher.Flush()
 	}
 	return len(b), baderror.WrapH2(err)
 }

-func uLen(x uint64) int {
-	i := 0
-	for x >= 0x80 {
-		x >>= 7
-		i++
-	}
-	return i + 1
-}
-
 func (c *GunConn) WriteBuffer(buffer *buf.Buffer) error {
 	defer buffer.Release()
 	dataLen := buffer.Len()
-	varLen := uLen(uint64(dataLen))
+	varLen := rw.UVariantLen(uint64(dataLen))
 	header := buffer.ExtendHeader(6 + varLen)
 	binary.BigEndian.PutUint32(header[1:5], uint32(1+varLen+dataLen))
 	header[5] = 0x0A
 	binary.PutUvarint(header[6:], uint64(dataLen))
 	err := rw.WriteBytes(c.writer, buffer.Bytes())
-	if c.flusher != nil {
+	if err == nil && c.flusher != nil {
 		c.flusher.Flush()
 	}
 	return baderror.WrapH2(err)
@@ -153,31 +144,28 @@ func (c *GunConn) RemoteAddr() net.Addr {
 }

 func (c *GunConn) SetDeadline(t time.Time) error {
-	responseWriter, loaded := c.writer.(interface {
+	if responseWriter, loaded := c.writer.(interface {
 		SetWriteDeadline(time.Time) error
-	})
-	if !loaded {
-		return os.ErrInvalid
+	}); loaded {
+		return responseWriter.SetWriteDeadline(t)
 	}
-	return responseWriter.SetWriteDeadline(t)
+	return os.ErrInvalid
 }

 func (c *GunConn) SetReadDeadline(t time.Time) error {
-	responseWriter, loaded := c.writer.(interface {
+	if responseWriter, loaded := c.writer.(interface {
 		SetReadDeadline(time.Time) error
-	})
-	if !loaded {
-		return os.ErrInvalid
+	}); loaded {
+		return responseWriter.SetReadDeadline(t)
 	}
-	return responseWriter.SetReadDeadline(t)
+	return os.ErrInvalid
 }

 func (c *GunConn) SetWriteDeadline(t time.Time) error {
-	responseWriter, loaded := c.writer.(interface {
+	if responseWriter, loaded := c.writer.(interface {
 		SetWriteDeadline(time.Time) error
-	})
-	if !loaded {
-		return os.ErrInvalid
+	}); loaded {
+		return responseWriter.SetWriteDeadline(t)
 	}
-	return responseWriter.SetWriteDeadline(t)
+	return os.ErrInvalid
 }
--- a/transport/v2raygrpclite/server.go
+++ b/transport/v2raygrpclite/server.go
@@ -53,8 +53,8 @@ func NewServer(ctx context.Context, options option.V2RayGRPCOptions, tlsConfig t
 		if err != nil {
 			return nil, err
 		}
-		if !common.Contains(stdConfig.NextProtos, "h2") {
-			stdConfig.NextProtos = append(stdConfig.NextProtos, "h2")
+		if len(stdConfig.NextProtos) == 0 {
+			stdConfig.NextProtos = []string{http2.NextProtoTLS}
 		}
 		server.httpServer.TLSConfig = stdConfig
 	}
@@ -96,10 +96,14 @@ func (s *Server) badRequest(request *http.Request, err error) {
 }

 func (s *Server) Serve(listener net.Listener) error {
+	fixTLSConfig := s.httpServer.TLSConfig == nil
 	err := http2.ConfigureServer(s.httpServer, s.h2Server)
 	if err != nil {
 		return err
 	}
+	if fixTLSConfig {
+		s.httpServer.TLSConfig = nil
+	}
 	if s.httpServer.TLSConfig == nil {
 		return s.httpServer.Serve(listener)
 	} else {
--- a/transport/v2rayhttp/conn.go
+++ b/transport/v2rayhttp/conn.go
@@ -67,33 +67,30 @@ func (c *HTTPConn) RemoteAddr() net.Addr {
 }

 func (c *HTTPConn) SetDeadline(t time.Time) error {
-	responseWriter, loaded := c.writer.(interface {
+	if responseWriter, loaded := c.writer.(interface {
 		SetWriteDeadline(time.Time) error
-	})
-	if !loaded {
-		return os.ErrInvalid
+	}); loaded {
+		return responseWriter.SetWriteDeadline(t)
 	}
-	return responseWriter.SetWriteDeadline(t)
+	return os.ErrInvalid
 }

 func (c *HTTPConn) SetReadDeadline(t time.Time) error {
-	responseWriter, loaded := c.writer.(interface {
+	if responseWriter, loaded := c.writer.(interface {
 		SetReadDeadline(time.Time) error
-	})
-	if !loaded {
-		return os.ErrInvalid
+	}); loaded {
+		return responseWriter.SetReadDeadline(t)
 	}
-	return responseWriter.SetReadDeadline(t)
+	return os.ErrInvalid
 }

 func (c *HTTPConn) SetWriteDeadline(t time.Time) error {
-	responseWriter, loaded := c.writer.(interface {
+	if responseWriter, loaded := c.writer.(interface {
 		SetWriteDeadline(time.Time) error
-	})
-	if !loaded {
-		return os.ErrInvalid
+	}); loaded {
+		return responseWriter.SetWriteDeadline(t)
 	}
-	return responseWriter.SetWriteDeadline(t)
+	return os.ErrInvalid
 }

 type ServerHTTPConn struct {
--- a/transport/v2rayhttp/server.go
+++ b/transport/v2rayhttp/server.go
@@ -133,10 +133,14 @@ func (s *Server) badRequest(request *http.Request, err error) {
 }

 func (s *Server) Serve(listener net.Listener) error {
+	fixTLSConfig := s.httpServer.TLSConfig == nil
 	err := http2.ConfigureServer(s.httpServer, s.h2Server)
 	if err != nil {
 		return err
 	}
+	if fixTLSConfig {
+		s.httpServer.TLSConfig = nil
+	}
 	if s.httpServer.TLSConfig == nil {
 		return s.httpServer.Serve(listener)
 	} else {
Author	SHA1	Message	Date
世界	7ebbd58b00	Update documentation	2022-12-03 14:38:52 +08:00
世界	d0095fd0f4	Fix close clash cache	2022-12-03 13:29:37 +08:00
世界	66d8d563eb	Add WorkingDirectory for systemd service	2022-11-28 18:30:50 +08:00
世界	4bf96c7eb5	Fix quic stub	2022-11-28 16:06:54 +08:00
世界	f687c25fa9	Update documentation	2022-11-28 13:11:07 +08:00
世界	a92412ecac	Fix router	2022-11-28 13:11:07 +08:00
世界	8dcafa5b33	Add trojan-go multiplex support for trojan inbound	2022-11-28 12:51:23 +08:00
世界	7a02cb83a7	Revert "Fix listen packet on address" This reverts commit `d1fe17a4db`.	2022-11-28 12:51:23 +08:00
世界	51ce672076	Fix crash when input bad method in shadowsocks multi-user inbound	2022-11-28 12:51:23 +08:00
世界	7734afc40c	Update dependencies	2022-11-28 12:51:23 +08:00
世界	ee3cd49aa5	Fix tls config for h2 server	2022-11-26 14:55:51 +08:00
世界	bf20ff84b5	Fix lint	2022-11-26 11:21:24 +08:00
世界	c58302554c	Fix documentation	2022-11-26 11:06:57 +08:00
世界	05ed88aba8	Update documentation	2022-11-25 22:59:30 +08:00
世界	9f5cc0442b	Fix dockerfile	2022-11-25 22:59:30 +08:00
世界	2641a43ad8	Remove test on pull request	2022-11-25 21:12:45 +08:00
世界	4a6ab5e9fd	Fix cancel on start	2022-11-25 21:12:45 +08:00
世界	d1fe17a4db	Fix listen packet on address	2022-11-25 21:12:45 +08:00
世界	7c910165ef	Cleanup code	2022-11-24 12:37:29 +08:00
世界	8c1fddcf8d	Remove connect packet conn	2022-11-24 12:01:25 +08:00
Hellojack	01b4769852	Cleanup gun conn code	2022-11-23 14:56:31 +08:00
世界	a401828ed5	Fix shadowtls server detection	2022-11-22 22:15:38 +08:00
世界	ffd54eef6c	Update documentation	2022-11-21 21:20:44 +08:00
世界	c16e4316d6	Fix shadowtls server	2022-11-21 21:20:44 +08:00
世界	8b7fe20b7f	Include uTLS in release	2022-11-21 15:25:49 +08:00
世界	696c1065b6	Update stable documentation	2022-11-21 14:57:22 +08:00