documentation: Update changelog

Add multi-peer support for wireguard outbound
Add fakeip support
2026-04-12 01:57:18 +10:00 · 2023-04-08 09:37:58 +08:00 · 2023-04-08 09:37:58 +08:00 · 2023-04-08 09:37:58 +08:00 · 2023-04-08 09:17:12 +08:00 · 2023-04-08 09:17:03 +08:00
241 changed files with 4034 additions and 5148 deletions
--- a/.github/workflows/debug.yml
+++ b/.github/workflows/debug.yml
@@ -31,6 +31,12 @@ jobs:
        uses: actions/setup-go@v4
        with:
          go-version: ${{ steps.version.outputs.go_version }}
+      - name: Cache go module
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/go/pkg/mod
+          key: go-${{ hashFiles('**/go.sum') }}
      - name: Add cache to Go proxy
        run: |
          version=`git rev-parse HEAD`
@@ -190,6 +196,12 @@ jobs:
        uses: actions/setup-go@v4
        with:
          go-version: ${{ steps.version.outputs.go_version }}
+      - name: Cache go module
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/go/pkg/mod
+          key: go-${{ hashFiles('**/go.sum') }}
      - name: Build
        id: build
        run: make
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -31,6 +31,12 @@ jobs:
        uses: actions/setup-go@v4
        with:
          go-version: ${{ steps.version.outputs.go_version }}
+      - name: Cache go module
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/go/pkg/mod
+          key: go-${{ hashFiles('**/go.sum') }}
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v3
        with:
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -14,7 +14,6 @@ builds:
    tags:
      - with_gvisor
      - with_quic
-      - with_dhcp
      - with_wireguard
      - with_utls
      - with_reality_server
@@ -49,7 +48,6 @@ builds:
    tags:
      - with_gvisor
      - with_quic
-      - with_dhcp
      - with_wireguard
      - with_utls
      - with_clash_api
--- a/2
+++ b/2
@@ -9,7 +9,7 @@ RUN set -ex \
    && apk add git build-base \
    && export COMMIT=$(git rev-parse --short HEAD) \
    && export VERSION=$(go run ./cmd/internal/read_tag) \
-    && go build -v -trimpath -tags with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_reality_server,with_clash_api,with_acme \
+    && go build -v -trimpath -tags with_gvisor,with_quic,with_wireguard,with_utls,with_reality_server,with_clash_api,with_acme \
        -o /go/bin/sing-box \
        -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" -s -w -buildid=" \
        ./cmd/sing-box
--- a/21
+++ b/21
@@ -1,6 +1,6 @@
 NAME = sing-box
 COMMIT = $(shell git rev-parse --short HEAD)
-TAGS ?= with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_reality_server,with_clash_api
+TAGS ?= with_gvisor,with_quic,with_wireguard,with_utls,with_reality_server,with_clash_api
 TAGS_TEST ?= with_gvisor,with_quic,with_wireguard,with_grpc,with_ech,with_utls,with_reality_server,with_shadowsocksr

 GOHOSTOS = $(shell go env GOHOSTOS)
@@ -22,7 +22,7 @@ install:
 fmt:
 	@gofumpt -l -w .
 	@gofmt -s -w .
-	@gci write --custom-order -s standard -s "prefix(github.com/sagernet/)" -s "default" .
+	@gci write --custom-order -s "standard,prefix(github.com/sagernet/),default" .

 fmt_install:
 	go install -v mvdan.cc/gofumpt@latest
@@ -48,14 +48,14 @@ proto_install:
 	go install -v google.golang.org/grpc/cmd/protoc-gen-go-grpc@latest

 snapshot:
-	go run ./cmd/internal/build goreleaser release --clean --snapshot || exit 1
+	go run ./cmd/internal/build goreleaser release --rm-dist --snapshot || exit 1
 	mkdir dist/release
 	mv dist/*.tar.gz dist/*.zip dist/*.deb dist/*.rpm dist/release
 	ghr --delete --draft --prerelease -p 1 nightly dist/release
 	rm -r dist

 release:
-	go run ./cmd/internal/build goreleaser release --clean --skip-publish || exit 1
+	go run ./cmd/internal/build goreleaser release --rm-dist --skip-publish || exit 1
 	mkdir dist/release
 	mv dist/*.tar.gz dist/*.zip dist/*.deb dist/*.rpm dist/release
 	ghr --delete --draft --prerelease -p 3 $(shell git describe --tags) dist/release
@@ -77,20 +77,13 @@ test_stdio:
 	go mod tidy && \
 	go test -v -tags "$(TAGS_TEST),force_stdio" .

-android:
-	go run ./cmd/internal/build_libbox -target android
-
-ios:
-	go run ./cmd/internal/build_libbox -target ios
-
 lib:
-	go run ./cmd/internal/build_libbox -target android
-	go run ./cmd/internal/build_libbox -target ios
+	go run ./cmd/internal/build_libbox

 lib_install:
 	go get -v -d
-	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.0.0-20230701084532-493ee2e45182
-	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.0.0-20230701084532-493ee2e45182
+	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.0.0-20221130124640-349ebaa752ca
+	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.0.0-20221130124640-349ebaa752ca

 clean:
 	rm -rf bin dist sing-box
--- a/README.md
+++ b/README.md
@@ -8,10 +8,6 @@ The universal proxy platform.

 https://sing-box.sagernet.org

-## Support
-
-https://community.sagernet.org/c/sing-box/
-
 ## License

 ```
--- a/adapter/experimental.go
+++ b/adapter/experimental.go
@@ -31,16 +31,10 @@ type Tracker interface {
 }

 type OutboundGroup interface {
-	Outbound
 	Now() string
 	All() []string
 }

-type URLTestGroup interface {
-	OutboundGroup
-	URLTest(ctx context.Context, url string) (map[string]uint16, error)
-}
-
 func OutboundTag(detour Outbound) string {
 	if group, isGroup := detour.(OutboundGroup); isGroup {
 		return group.Now()
--- a/adapter/fakeip.go
+++ b/adapter/fakeip.go
@@ -4,13 +4,12 @@ import (
 	"net/netip"

 	"github.com/sagernet/sing-dns"
-	"github.com/sagernet/sing/common/logger"
 )

 type FakeIPStore interface {
 	Service
 	Contains(address netip.Addr) bool
-	Create(domain string, isIPv6 bool) (netip.Addr, error)
+	Create(domain string, strategy dns.DomainStrategy) (netip.Addr, error)
 	Lookup(address netip.Addr) (string, bool)
 	Reset() error
 }
@@ -19,13 +18,6 @@ type FakeIPStorage interface {
 	FakeIPMetadata() *FakeIPMetadata
 	FakeIPSaveMetadata(metadata *FakeIPMetadata) error
 	FakeIPStore(address netip.Addr, domain string) error
-	FakeIPStoreAsync(address netip.Addr, domain string, logger logger.Logger)
 	FakeIPLoad(address netip.Addr) (string, bool)
-	FakeIPLoadDomain(domain string, isIPv6 bool) (netip.Addr, bool)
 	FakeIPReset() error
 }
-
-type FakeIPTransport interface {
-	dns.Transport
-	Store() FakeIPStore
-}
--- a/adapter/inbound.go
+++ b/adapter/inbound.go
@@ -46,7 +46,6 @@ type InboundContext struct {
 	SourceGeoIPCode      string
 	GeoIPCode            string
 	ProcessInfo          *process.Info
-	FakeIP               bool

 	// dns cache

--- a/adapter/outbound.go
+++ b/adapter/outbound.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"net"

+	"github.com/sagernet/sing-tun"
 	N "github.com/sagernet/sing/common/network"
 )

@@ -13,8 +14,12 @@ type Outbound interface {
 	Type() string
 	Tag() string
 	Network() []string
-	Dependencies() []string
 	N.Dialer
 	NewConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
 	NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
 }
+
+type IPOutbound interface {
+	Outbound
+	NewIPConnection(ctx context.Context, conn tun.RouteContext, metadata InboundContext) (tun.DirectDestination, error)
+}
--- a/adapter/prestart.go
+++ b/adapter/prestart.go
@@ -4,6 +4,12 @@ type PreStarter interface {
 	PreStart() error
 }

-type PostStarter interface {
-	PostStart() error
+func PreStart(starter any) error {
+	if preService, ok := starter.(PreStarter); ok {
+		err := preService.PreStart()
+		if err != nil {
+			return err
+		}
+	}
+	return nil
 }
--- a/adapter/router.go
+++ b/adapter/router.go
@@ -25,6 +25,9 @@ type Router interface {

 	RouteConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
 	RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
+	RouteIPConnection(ctx context.Context, conn tun.RouteContext, metadata InboundContext) tun.RouteAction
+
+	NatRequired(outbound string) bool

 	GeoIPReader() *geoip.Reader
 	LoadGeosite(code string) (Rule, error)
@@ -34,7 +37,6 @@ type Router interface {
 	LookupDefault(ctx context.Context, domain string) ([]netip.Addr, error)

 	InterfaceFinder() control.InterfaceFinder
-	UpdateInterfaces() error
 	DefaultInterface() string
 	AutoDetectInterface() bool
 	AutoDetectInterfaceFunc() control.Func
@@ -42,7 +44,9 @@ type Router interface {
 	NetworkMonitor() tun.NetworkUpdateMonitor
 	InterfaceMonitor() tun.DefaultInterfaceMonitor
 	PackageManager() tun.PackageManager
+
 	Rules() []Rule
+	IPRules() []IPRule

 	TimeService

@@ -51,8 +55,6 @@ type Router interface {

 	V2RayServer() V2RayServer
 	SetV2RayServer(server V2RayServer)
-
-	ResetNetwork() error
 }

 type routerContextKey struct{}
@@ -84,6 +86,11 @@ type DNSRule interface {
 	RewriteTTL() *uint32
 }

+type IPRule interface {
+	Rule
+	Action() tun.ActionType
+}
+
 type InterfaceUpdateListener interface {
 	InterfaceUpdated() error
 }
--- a/box.go
+++ b/box.go
@@ -62,7 +62,6 @@ func New(options Options) (*Box, error) {
 		defaultLogWriter = io.Discard
 	}
 	logFactory, err := log.New(log.Options{
-		Context:        ctx,
 		Options:        common.PtrValueOrDefault(options.Log),
 		Observable:     needClashAPI,
 		DefaultWriter:  defaultLogWriter,
@@ -134,16 +133,10 @@ func New(options Options) (*Box, error) {
 	if err != nil {
 		return nil, err
 	}
-	if options.PlatformInterface != nil {
-		err = options.PlatformInterface.Initialize(ctx, router)
-		if err != nil {
-			return nil, E.Cause(err, "initialize platform interface")
-		}
-	}
 	preServices := make(map[string]adapter.Service)
 	postServices := make(map[string]adapter.Service)
 	if needClashAPI {
-		clashServer, err := experimental.NewClashServer(ctx, router, logFactory.(log.ObservableFactory), common.PtrValueOrDefault(options.Experimental.ClashAPI))
+		clashServer, err := experimental.NewClashServer(router, logFactory.(log.ObservableFactory), common.PtrValueOrDefault(options.Experimental.ClashAPI))
 		if err != nil {
 			return nil, E.Cause(err, "create clash api server")
 		}
@@ -211,17 +204,26 @@ func (s *Box) Start() error {

 func (s *Box) preStart() error {
 	for serviceName, service := range s.preServices {
-		if preService, isPreService := service.(adapter.PreStarter); isPreService {
-			s.logger.Trace("pre-start ", serviceName)
-			err := preService.PreStart()
-			if err != nil {
-				return E.Cause(err, "pre-starting ", serviceName)
-			}
+		s.logger.Trace("pre-start ", serviceName)
+		err := adapter.PreStart(service)
+		if err != nil {
+			return E.Cause(err, "pre-starting ", serviceName)
 		}
 	}
-	err := s.startOutbounds()
-	if err != nil {
-		return err
+	for i, out := range s.outbounds {
+		var tag string
+		if out.Tag() == "" {
+			tag = F.ToString(i)
+		} else {
+			tag = out.Tag()
+		}
+		if starter, isStarter := out.(common.Starter); isStarter {
+			s.logger.Trace("initializing outbound/", out.Type(), "[", tag, "]")
+			err := starter.Start()
+			if err != nil {
+				return E.Cause(err, "initialize outbound/", out.Type(), "[", tag, "]")
+			}
+		}
 	}
 	return s.router.Start()
 }
@@ -251,26 +253,13 @@ func (s *Box) start() error {
 			return E.Cause(err, "initialize inbound/", in.Type(), "[", tag, "]")
 		}
 	}
-	return nil
-}
-
-func (s *Box) postStart() error {
 	for serviceName, service := range s.postServices {
 		s.logger.Trace("starting ", service)
-		err := service.Start()
+		err = service.Start()
 		if err != nil {
 			return E.Cause(err, "start ", serviceName)
 		}
 	}
-	for serviceName, service := range s.outbounds {
-		if lateService, isLateService := service.(adapter.PostStarter); isLateService {
-			s.logger.Trace("post-starting ", service)
-			err := lateService.PostStart()
-			if err != nil {
-				return E.Cause(err, "post-start ", serviceName)
-			}
-		}
-	}
 	return nil
 }

--- a/box_outbound.go
+++ b/box_outbound.go
@@ -1,79 +0,0 @@
-package box
-
-import (
-	"strings"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-	F "github.com/sagernet/sing/common/format"
-)
-
-func (s *Box) startOutbounds() error {
-	outboundTags := make(map[adapter.Outbound]string)
-	outbounds := make(map[string]adapter.Outbound)
-	for i, outboundToStart := range s.outbounds {
-		var outboundTag string
-		if outboundToStart.Tag() == "" {
-			outboundTag = F.ToString(i)
-		} else {
-			outboundTag = outboundToStart.Tag()
-		}
-		if _, exists := outbounds[outboundTag]; exists {
-			return E.New("outbound tag ", outboundTag, " duplicated")
-		}
-		outboundTags[outboundToStart] = outboundTag
-		outbounds[outboundTag] = outboundToStart
-	}
-	started := make(map[string]bool)
-	for {
-		canContinue := false
-	startOne:
-		for _, outboundToStart := range s.outbounds {
-			outboundTag := outboundTags[outboundToStart]
-			if started[outboundTag] {
-				continue
-			}
-			dependencies := outboundToStart.Dependencies()
-			for _, dependency := range dependencies {
-				if !started[dependency] {
-					continue startOne
-				}
-			}
-			started[outboundTag] = true
-			canContinue = true
-			if starter, isStarter := outboundToStart.(common.Starter); isStarter {
-				s.logger.Trace("initializing outbound/", outboundToStart.Type(), "[", outboundTag, "]")
-				err := starter.Start()
-				if err != nil {
-					return E.Cause(err, "initialize outbound/", outboundToStart.Type(), "[", outboundTag, "]")
-				}
-			}
-		}
-		if len(started) == len(s.outbounds) {
-			break
-		}
-		if canContinue {
-			continue
-		}
-		currentOutbound := common.Find(s.outbounds, func(it adapter.Outbound) bool {
-			return !started[outboundTags[it]]
-		})
-		var lintOutbound func(oTree []string, oCurrent adapter.Outbound) error
-		lintOutbound = func(oTree []string, oCurrent adapter.Outbound) error {
-			problemOutboundTag := common.Find(oCurrent.Dependencies(), func(it string) bool {
-				return !started[it]
-			})
-			if common.Contains(oTree, problemOutboundTag) {
-				return E.New("circular outbound dependency: ", strings.Join(oTree, " -> "), " -> ", problemOutboundTag)
-			}
-			problemOutbound := outbounds[problemOutboundTag]
-			if problemOutbound == nil {
-				return E.New("dependency[", problemOutbound, "] not found for outbound[", outboundTags[oCurrent], "]")
-			}
-			return lintOutbound(append(oTree, problemOutboundTag), problemOutbound)
-		}
-		return lintOutbound([]string{outboundTags[currentOutbound]}, currentOutbound)
-	}
-	return nil
-}
--- a/cmd/internal/build/main.go
+++ b/cmd/internal/build/main.go
@@ -1,7 +1,6 @@
 package main

 import (
-	"go/build"
 	"os"
 	"os/exec"

@@ -12,10 +11,6 @@ import (
 func main() {
 	build_shared.FindSDK()

-	if os.Getenv("build.Default.GOPATH") == "" {
-		os.Setenv("GOPATH", build.Default.GOPATH)
-	}
-
 	command := exec.Command(os.Args[1], os.Args[2:]...)
 	command.Stdout = os.Stdout
 	command.Stderr = os.Stderr
--- a/cmd/internal/build_libbox/main.go
+++ b/cmd/internal/build_libbox/main.go
@@ -5,7 +5,6 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
-	"strings"

 	_ "github.com/sagernet/gomobile/event/key"
 	"github.com/sagernet/sing-box/cmd/internal/build_shared"
@@ -39,24 +38,18 @@ func main() {
 var (
 	sharedFlags []string
 	debugFlags  []string
-	sharedTags  []string
-	iosTags     []string
-	debugTags   []string
 )

 func init() {
 	sharedFlags = append(sharedFlags, "-trimpath")
 	sharedFlags = append(sharedFlags, "-ldflags")
+
 	currentTag, err := build_shared.ReadTag()
 	if err != nil {
 		currentTag = "unknown"
 	}
 	sharedFlags = append(sharedFlags, "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -s -w -buildid=")
 	debugFlags = append(debugFlags, "-X github.com/sagernet/sing-box/constant.Version="+currentTag)
-
-	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_utls", "with_clash_api")
-	iosTags = append(iosTags, "with_dhcp", "with_low_memory", "with_conntrack")
-	debugTags = append(debugTags, "debug")
 }

 func buildAndroid() {
@@ -77,9 +70,9 @@ func buildAndroid() {

 	args = append(args, "-tags")
 	if !debugEnabled {
-		args = append(args, strings.Join(sharedTags, ","))
+		args = append(args, "with_gvisor,with_quic,with_wireguard,with_utls,with_clash_api")
 	} else {
-		args = append(args, strings.Join(append(sharedTags, debugTags...), ","))
+		args = append(args, "with_gvisor,with_quic,with_wireguard,with_utls,with_clash_api,debug")
 	}
 	args = append(args, "./experimental/libbox")

@@ -116,12 +109,11 @@ func buildiOS() {
 		args = append(args, debugFlags...)
 	}

-	tags := append(sharedTags, iosTags...)
 	args = append(args, "-tags")
 	if !debugEnabled {
-		args = append(args, strings.Join(tags, ","))
+		args = append(args, "with_gvisor,with_quic,with_utls,with_clash_api,with_low_memory,with_conntrack")
 	} else {
-		args = append(args, strings.Join(append(tags, debugTags...), ","))
+		args = append(args, "with_gvisor,with_quic,with_utls,with_clash_api,with_low_memory,with_conntrack,debug")
 	}
 	args = append(args, "./experimental/libbox")

@@ -133,7 +125,7 @@ func buildiOS() {
 		log.Fatal(err)
 	}

-	copyPath := filepath.Join("..", "sing-box-for-apple")
+	copyPath := filepath.Join("..", "sing-box-for-ios")
 	if rw.FileExists(copyPath) {
 		targetDir := filepath.Join(copyPath, "Libbox.xcframework")
 		targetDir, _ = filepath.Abs(targetDir)
--- a/cmd/sing-box/cmd_generate.go
+++ b/cmd/sing-box/cmd_generate.go
@@ -9,7 +9,7 @@ import (

 	"github.com/sagernet/sing-box/log"

-	"github.com/gofrs/uuid/v5"
+	"github.com/gofrs/uuid"
 	"github.com/spf13/cobra"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
--- a/cmd/sing-box/debug.go
+++ b/cmd/sing-box/debug.go
@@ -0,0 +1,44 @@
+//go:build debug
+
+package main
+
+import (
+	"encoding/json"
+	"net/http"
+	_ "net/http/pprof"
+	"runtime"
+	"runtime/debug"
+
+	"github.com/sagernet/sing-box/common/badjson"
+	"github.com/sagernet/sing-box/log"
+
+	"github.com/dustin/go-humanize"
+)
+
+func init() {
+	http.HandleFunc("/debug/gc", func(writer http.ResponseWriter, request *http.Request) {
+		writer.WriteHeader(http.StatusNoContent)
+		go debug.FreeOSMemory()
+	})
+	http.HandleFunc("/debug/memory", func(writer http.ResponseWriter, request *http.Request) {
+		var memStats runtime.MemStats
+		runtime.ReadMemStats(&memStats)
+
+		var memObject badjson.JSONObject
+		memObject.Put("heap", humanize.IBytes(memStats.HeapInuse))
+		memObject.Put("stack", humanize.IBytes(memStats.StackInuse))
+		memObject.Put("idle", humanize.IBytes(memStats.HeapIdle-memStats.HeapReleased))
+		memObject.Put("goroutines", runtime.NumGoroutine())
+		memObject.Put("rss", rusageMaxRSS())
+
+		encoder := json.NewEncoder(writer)
+		encoder.SetIndent("", "  ")
+		encoder.Encode(memObject)
+	})
+	go func() {
+		err := http.ListenAndServe("0.0.0.0:8964", nil)
+		if err != nil {
+			log.Debug(err)
+		}
+	}()
+}
--- a/cmd/sing-box/debug_linux.go
+++ b/cmd/sing-box/debug_linux.go
@@ -1,4 +1,6 @@
-package box
+//go:build debug
+
+package main

 import (
 	"runtime"
--- a/cmd/sing-box/debug_stub.go
+++ b/cmd/sing-box/debug_stub.go
@@ -1,6 +1,6 @@
-//go:build !linux
+//go:build debug && !linux

-package box
+package main

 func rusageMaxRSS() float64 {
 	return -1
--- a/common/baderror/baderror.go
+++ b/common/baderror/baderror.go
@@ -55,7 +55,7 @@ func WrapQUIC(err error) error {
 	if err == nil {
 		return nil
 	}
-	if Contains(err, "canceled by local with error code 0") {
+	if Contains(err, "canceled with error code 0") {
 		return net.ErrClosed
 	}
 	return err
--- a/common/badtls/badtls.go
+++ b/common/badtls/badtls.go
@@ -1,4 +1,4 @@
-//go:build go1.20 && !go1.21
+//go:build go1.19 && !go1.20

 package badtls

@@ -14,60 +14,39 @@ import (
 	"sync/atomic"
 	"unsafe"

-	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
 	"github.com/sagernet/sing/common/bufio"
 	E "github.com/sagernet/sing/common/exceptions"
 	N "github.com/sagernet/sing/common/network"
-	aTLS "github.com/sagernet/sing/common/tls"
 )

 type Conn struct {
 	*tls.Conn
-	writer              N.ExtendedWriter
-	isHandshakeComplete *atomic.Bool
-	activeCall          *atomic.Int32
-	closeNotifySent     *bool
-	version             *uint16
-	rand                io.Reader
-	halfAccess          *sync.Mutex
-	halfError           *error
-	cipher              cipher.AEAD
-	explicitNonceLen    int
-	halfPtr             uintptr
-	halfSeq             []byte
-	halfScratchBuf      []byte
+	writer           N.ExtendedWriter
+	activeCall       *int32
+	closeNotifySent  *bool
+	version          *uint16
+	rand             io.Reader
+	halfAccess       *sync.Mutex
+	halfError        *error
+	cipher           cipher.AEAD
+	explicitNonceLen int
+	halfPtr          uintptr
+	halfSeq          []byte
+	halfScratchBuf   []byte
 }

-func TryCreate(conn aTLS.Conn) aTLS.Conn {
-	tlsConn, ok := conn.(*tls.Conn)
-	if !ok {
-		return conn
-	}
-	badConn, err := Create(tlsConn)
-	if err != nil {
-		log.Warn("initialize badtls: ", err)
-		return conn
-	}
-	return badConn
-}
-
-func Create(conn *tls.Conn) (aTLS.Conn, error) {
-	rawConn := reflect.Indirect(reflect.ValueOf(conn))
-	rawIsHandshakeComplete := rawConn.FieldByName("isHandshakeComplete")
-	if !rawIsHandshakeComplete.IsValid() || rawIsHandshakeComplete.Kind() != reflect.Struct {
-		return nil, E.New("badtls: invalid isHandshakeComplete")
-	}
-	isHandshakeComplete := (*atomic.Bool)(unsafe.Pointer(rawIsHandshakeComplete.UnsafeAddr()))
-	if !isHandshakeComplete.Load() {
+func Create(conn *tls.Conn) (TLSConn, error) {
+	if !handshakeComplete(conn) {
 		return nil, E.New("handshake not finished")
 	}
+	rawConn := reflect.Indirect(reflect.ValueOf(conn))
 	rawActiveCall := rawConn.FieldByName("activeCall")
-	if !rawActiveCall.IsValid() || rawActiveCall.Kind() != reflect.Struct {
+	if !rawActiveCall.IsValid() || rawActiveCall.Kind() != reflect.Int32 {
 		return nil, E.New("badtls: invalid active call")
 	}
-	activeCall := (*atomic.Int32)(unsafe.Pointer(rawActiveCall.UnsafeAddr()))
+	activeCall := (*int32)(unsafe.Pointer(rawActiveCall.UnsafeAddr()))
 	rawHalfConn := rawConn.FieldByName("out")
 	if !rawHalfConn.IsValid() || rawHalfConn.Kind() != reflect.Struct {
 		return nil, E.New("badtls: invalid half conn")
@@ -129,20 +108,19 @@ func Create(conn *tls.Conn) (aTLS.Conn, error) {
 	}
 	halfScratchBuf := rawHalfScratchBuf.Bytes()
 	return &Conn{
-		Conn:                conn,
-		writer:              bufio.NewExtendedWriter(conn.NetConn()),
-		isHandshakeComplete: isHandshakeComplete,
-		activeCall:          activeCall,
-		closeNotifySent:     closeNotifySent,
-		version:             version,
-		halfAccess:          halfAccess,
-		halfError:           halfError,
-		cipher:              aeadCipher,
-		explicitNonceLen:    explicitNonceLen,
-		rand:                randReader,
-		halfPtr:             rawHalfConn.UnsafeAddr(),
-		halfSeq:             halfSeq,
-		halfScratchBuf:      halfScratchBuf,
+		Conn:             conn,
+		writer:           bufio.NewExtendedWriter(conn.NetConn()),
+		activeCall:       activeCall,
+		closeNotifySent:  closeNotifySent,
+		version:          version,
+		halfAccess:       halfAccess,
+		halfError:        halfError,
+		cipher:           aeadCipher,
+		explicitNonceLen: explicitNonceLen,
+		rand:             randReader,
+		halfPtr:          rawHalfConn.UnsafeAddr(),
+		halfSeq:          halfSeq,
+		halfScratchBuf:   halfScratchBuf,
 	}, nil
 }

@@ -152,15 +130,15 @@ func (c *Conn) WriteBuffer(buffer *buf.Buffer) error {
 		return common.Error(c.Write(buffer.Bytes()))
 	}
 	for {
-		x := c.activeCall.Load()
+		x := atomic.LoadInt32(c.activeCall)
 		if x&1 != 0 {
 			return net.ErrClosed
 		}
-		if c.activeCall.CompareAndSwap(x, x+2) {
+		if atomic.CompareAndSwapInt32(c.activeCall, x, x+2) {
 			break
 		}
 	}
-	defer c.activeCall.Add(-2)
+	defer atomic.AddInt32(c.activeCall, -2)
 	c.halfAccess.Lock()
 	defer c.halfAccess.Unlock()
 	if err := *c.halfError; err != nil {
@@ -208,7 +186,6 @@ func (c *Conn) WriteBuffer(buffer *buf.Buffer) error {
 		binary.BigEndian.PutUint16(outBuf[3:], uint16(dataLen+c.explicitNonceLen+c.cipher.Overhead()))
 	}
 	incSeq(c.halfPtr)
-	log.Trace("badtls write ", buffer.Len())
 	return c.writer.WriteBuffer(buffer)
 }

--- a/common/badtls/badtls_stub.go
+++ b/common/badtls/badtls_stub.go
@@ -1,4 +1,4 @@
-//go:build !go1.19 || go1.21
+//go:build !go1.19 || go1.20

 package badtls

--- a/common/badtls/conn.go
+++ b/common/badtls/conn.go
@@ -0,0 +1,13 @@
+package badtls
+
+import (
+	"context"
+	"crypto/tls"
+	"net"
+)
+
+type TLSConn interface {
+	net.Conn
+	HandshakeContext(ctx context.Context) error
+	ConnectionState() tls.ConnectionState
+}
--- a/common/badtls/link.go
+++ b/common/badtls/link.go
@@ -1,8 +1,9 @@
-//go:build go1.20 && !go.1.21
+//go:build go1.19 && !go.1.20

 package badtls

 import (
+	"crypto/tls"
 	"reflect"
 	_ "unsafe"
 )
@@ -15,6 +16,9 @@ const (
 //go:linkname errShutdown crypto/tls.errShutdown
 var errShutdown error

+//go:linkname handshakeComplete crypto/tls.(*Conn).handshakeComplete
+func handshakeComplete(conn *tls.Conn) bool
+
 //go:linkname incSeq crypto/tls.(*halfConn).incSeq
 func incSeq(conn uintptr)

--- a/common/badversion/version.go
+++ b/common/badversion/version.go
@@ -1,114 +0,0 @@
-package badversion
-
-import (
-	"strconv"
-	"strings"
-
-	F "github.com/sagernet/sing/common/format"
-)
-
-type Version struct {
-	Major                int
-	Minor                int
-	Patch                int
-	PreReleaseIdentifier string
-	PreReleaseVersion    int
-}
-
-func (v Version) After(anotherVersion Version) bool {
-	if v.Major > anotherVersion.Major {
-		return true
-	} else if v.Major < anotherVersion.Major {
-		return false
-	}
-	if v.Minor > anotherVersion.Minor {
-		return true
-	} else if v.Minor < anotherVersion.Minor {
-		return false
-	}
-	if v.Patch > anotherVersion.Patch {
-		return true
-	} else if v.Patch < anotherVersion.Patch {
-		return false
-	}
-	if v.PreReleaseIdentifier == "" && anotherVersion.PreReleaseIdentifier != "" {
-		return true
-	} else if v.PreReleaseIdentifier != "" && anotherVersion.PreReleaseIdentifier == "" {
-		return false
-	}
-	if v.PreReleaseIdentifier != "" && anotherVersion.PreReleaseIdentifier != "" {
-		if v.PreReleaseIdentifier == "beta" && anotherVersion.PreReleaseIdentifier == "alpha" {
-			return true
-		} else if v.PreReleaseIdentifier == "alpha" && anotherVersion.PreReleaseIdentifier == "beta" {
-			return false
-		}
-		if v.PreReleaseVersion > anotherVersion.PreReleaseVersion {
-			return true
-		} else if v.PreReleaseVersion < anotherVersion.PreReleaseVersion {
-			return false
-		}
-	}
-	return false
-}
-
-func (v Version) String() string {
-	version := F.ToString(v.Major, ".", v.Minor, ".", v.Patch)
-	if v.PreReleaseIdentifier != "" {
-		version = F.ToString(version, "-", v.PreReleaseIdentifier, ".", v.PreReleaseVersion)
-	}
-	return version
-}
-
-func (v Version) BadString() string {
-	version := F.ToString(v.Major, ".", v.Minor)
-	if v.Patch > 0 {
-		version = F.ToString(version, ".", v.Patch)
-	}
-	if v.PreReleaseIdentifier != "" {
-		version = F.ToString(version, "-", v.PreReleaseIdentifier)
-		if v.PreReleaseVersion > 0 {
-			version = F.ToString(version, v.PreReleaseVersion)
-		}
-	}
-	return version
-}
-
-func Parse(versionName string) (version Version) {
-	if strings.HasPrefix(versionName, "v") {
-		versionName = versionName[1:]
-	}
-	if strings.Contains(versionName, "-") {
-		parts := strings.Split(versionName, "-")
-		versionName = parts[0]
-		identifier := parts[1]
-		if strings.Contains(identifier, ".") {
-			identifierParts := strings.Split(identifier, ".")
-			version.PreReleaseIdentifier = identifierParts[0]
-			if len(identifierParts) >= 2 {
-				version.PreReleaseVersion, _ = strconv.Atoi(identifierParts[1])
-			}
-		} else {
-			if strings.HasPrefix(identifier, "alpha") {
-				version.PreReleaseIdentifier = "alpha"
-				version.PreReleaseVersion, _ = strconv.Atoi(identifier[5:])
-			} else if strings.HasPrefix(identifier, "beta") {
-				version.PreReleaseIdentifier = "beta"
-				version.PreReleaseVersion, _ = strconv.Atoi(identifier[4:])
-			} else {
-				version.PreReleaseIdentifier = identifier
-			}
-		}
-	}
-	versionElements := strings.Split(versionName, ".")
-	versionLen := len(versionElements)
-	if versionLen >= 1 {
-		version.Major, _ = strconv.Atoi(versionElements[0])
-	}
-	if versionLen >= 2 {
-		version.Minor, _ = strconv.Atoi(versionElements[1])
-	}
-	if versionLen >= 3 {
-		version.Patch, _ = strconv.Atoi(versionElements[2])
-	}
-	return
-}
--- a/common/badversion/version_json.go
+++ b/common/badversion/version_json.go
@@ -1,17 +0,0 @@
-package badversion
-
-import "github.com/sagernet/sing-box/common/json"
-
-func (v Version) MarshalJSON() ([]byte, error) {
-	return json.Marshal(v.String())
-}
-
-func (v *Version) UnmarshalJSON(data []byte) error {
-	var version string
-	err := json.Unmarshal(data, &version)
-	if err != nil {
-		return err
-	}
-	*v = Parse(version)
-	return nil
-}
--- a/common/badversion/version_test.go
+++ b/common/badversion/version_test.go
@@ -1,18 +0,0 @@
-package badversion
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/require"
-)
-
-func TestCompareVersion(t *testing.T) {
-	t.Parallel()
-	require.Equal(t, "1.3.0-beta.1", Parse("v1.3.0-beta1").String())
-	require.Equal(t, "1.3-beta1", Parse("v1.3.0-beta.1").BadString())
-	require.True(t, Parse("1.3.0").After(Parse("1.3-beta1")))
-	require.True(t, Parse("1.3.0").After(Parse("1.3.0-beta1")))
-	require.True(t, Parse("1.3.0-beta1").After(Parse("1.3.0-alpha1")))
-	require.True(t, Parse("1.3.1").After(Parse("1.3.0")))
-	require.True(t, Parse("1.4").After(Parse("1.3")))
-}
--- a/common/debugio/log.go
+++ b/common/debugio/log.go
@@ -0,0 +1,87 @@
+package debugio
+
+import (
+	"net"
+
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common/buf"
+	"github.com/sagernet/sing/common/bufio"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+)
+
+type LogConn struct {
+	N.ExtendedConn
+	logger log.Logger
+	prefix string
+}
+
+func NewLogConn(conn net.Conn, logger log.Logger, prefix string) N.ExtendedConn {
+	return &LogConn{bufio.NewExtendedConn(conn), logger, prefix}
+}
+
+func (c *LogConn) Read(p []byte) (n int, err error) {
+	n, err = c.ExtendedConn.Read(p)
+	if n > 0 {
+		c.logger.Debug(c.prefix, " read ", buf.EncodeHexString(p[:n]))
+	}
+	return
+}
+
+func (c *LogConn) Write(p []byte) (n int, err error) {
+	c.logger.Debug(c.prefix, " write ", buf.EncodeHexString(p))
+	return c.ExtendedConn.Write(p)
+}
+
+func (c *LogConn) ReadBuffer(buffer *buf.Buffer) error {
+	err := c.ExtendedConn.ReadBuffer(buffer)
+	if err == nil {
+		c.logger.Debug(c.prefix, " read buffer ", buf.EncodeHexString(buffer.Bytes()))
+	}
+	return err
+}
+
+func (c *LogConn) WriteBuffer(buffer *buf.Buffer) error {
+	c.logger.Debug(c.prefix, " write buffer ", buf.EncodeHexString(buffer.Bytes()))
+	return c.ExtendedConn.WriteBuffer(buffer)
+}
+
+func (c *LogConn) Upstream() any {
+	return c.ExtendedConn
+}
+
+type LogPacketConn struct {
+	N.NetPacketConn
+	logger log.Logger
+	prefix string
+}
+
+func NewLogPacketConn(conn net.PacketConn, logger log.Logger, prefix string) N.NetPacketConn {
+	return &LogPacketConn{bufio.NewPacketConn(conn), logger, prefix}
+}
+
+func (c *LogPacketConn) ReadFrom(p []byte) (n int, addr net.Addr, err error) {
+	n, addr, err = c.NetPacketConn.ReadFrom(p)
+	if n > 0 {
+		c.logger.Debug(c.prefix, " read from ", addr, " ", buf.EncodeHexString(p[:n]))
+	}
+	return
+}
+
+func (c *LogPacketConn) WriteTo(p []byte, addr net.Addr) (n int, err error) {
+	c.logger.Debug(c.prefix, " write to ", addr, " ", buf.EncodeHexString(p))
+	return c.NetPacketConn.WriteTo(p, addr)
+}
+
+func (c *LogPacketConn) ReadPacket(buffer *buf.Buffer) (destination M.Socksaddr, err error) {
+	destination, err = c.NetPacketConn.ReadPacket(buffer)
+	if err == nil {
+		c.logger.Debug(c.prefix, " read packet from ", destination, " ", buf.EncodeHexString(buffer.Bytes()))
+	}
+	return
+}
+
+func (c *LogPacketConn) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
+	c.logger.Debug(c.prefix, " write packet to ", destination, " ", buf.EncodeHexString(buffer.Bytes()))
+	return c.NetPacketConn.WritePacket(buffer, destination)
+}
--- a/common/debugio/print.go
+++ b/common/debugio/print.go
@@ -0,0 +1,19 @@
+package debugio
+
+import (
+	"fmt"
+	"reflect"
+
+	"github.com/sagernet/sing/common"
+)
+
+func PrintUpstream(obj any) {
+	for obj != nil {
+		fmt.Println(reflect.TypeOf(obj))
+		if u, ok := obj.(common.WithUpstream); !ok {
+			break
+		} else {
+			obj = u.Upstream()
+		}
+	}
+}
--- a/common/debugio/race.go
+++ b/common/debugio/race.go
@@ -0,0 +1,48 @@
+package debugio
+
+import (
+	"net"
+	"sync"
+
+	"github.com/sagernet/sing/common/buf"
+	"github.com/sagernet/sing/common/bufio"
+	N "github.com/sagernet/sing/common/network"
+)
+
+type RaceConn struct {
+	N.ExtendedConn
+	readAccess  sync.Mutex
+	writeAccess sync.Mutex
+}
+
+func NewRaceConn(conn net.Conn) N.ExtendedConn {
+	return &RaceConn{ExtendedConn: bufio.NewExtendedConn(conn)}
+}
+
+func (c *RaceConn) Read(p []byte) (n int, err error) {
+	c.readAccess.Lock()
+	defer c.readAccess.Unlock()
+	return c.ExtendedConn.Read(p)
+}
+
+func (c *RaceConn) Write(p []byte) (n int, err error) {
+	c.writeAccess.Lock()
+	defer c.writeAccess.Unlock()
+	return c.ExtendedConn.Write(p)
+}
+
+func (c *RaceConn) ReadBuffer(buffer *buf.Buffer) error {
+	c.readAccess.Lock()
+	defer c.readAccess.Unlock()
+	return c.ExtendedConn.ReadBuffer(buffer)
+}
+
+func (c *RaceConn) WriteBuffer(buffer *buf.Buffer) error {
+	c.writeAccess.Lock()
+	defer c.writeAccess.Unlock()
+	return c.ExtendedConn.WriteBuffer(buffer)
+}
+
+func (c *RaceConn) Upstream() any {
+	return c.ExtendedConn
+}
--- a/common/dialer/conntrack/conn.go
+++ b/common/dialer/conntrack/conn.go
@@ -12,7 +12,7 @@ type Conn struct {
 	element *list.Element[io.Closer]
 }

-func NewConn(conn net.Conn) (net.Conn, error) {
+func NewConn(conn net.Conn) (*Conn, error) {
 	connAccess.Lock()
 	element := openConnection.PushBack(conn)
 	connAccess.Unlock()
--- a/common/dialer/conntrack/packet_conn.go
+++ b/common/dialer/conntrack/packet_conn.go
@@ -4,7 +4,6 @@ import (
 	"io"
 	"net"

-	"github.com/sagernet/sing/common/bufio"
 	"github.com/sagernet/sing/common/x/list"
 )

@@ -13,7 +12,7 @@ type PacketConn struct {
 	element *list.Element[io.Closer]
 }

-func NewPacketConn(conn net.PacketConn) (net.PacketConn, error) {
+func NewPacketConn(conn net.PacketConn) (*PacketConn, error) {
 	connAccess.Lock()
 	element := openConnection.PushBack(conn)
 	connAccess.Unlock()
@@ -43,7 +42,7 @@ func (c *PacketConn) Close() error {
 }

 func (c *PacketConn) Upstream() any {
-	return bufio.NewPacketConn(c.PacketConn)
+	return c.PacketConn
 }

 func (c *PacketConn) ReaderReplaceable() bool {
--- a/common/dialer/default.go
+++ b/common/dialer/default.go
@@ -7,6 +7,7 @@ import (

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/dialer/conntrack"
+	"github.com/sagernet/sing-box/common/warning"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common/control"
@@ -16,6 +17,41 @@ import (
 	"github.com/sagernet/tfo-go"
 )

+var warnBindInterfaceOnUnsupportedPlatform = warning.New(
+	func() bool {
+		return !(C.IsLinux || C.IsWindows || C.IsDarwin)
+	},
+	"outbound option `bind_interface` is only supported on Linux and Windows",
+)
+
+var warnRoutingMarkOnUnsupportedPlatform = warning.New(
+	func() bool {
+		return !C.IsLinux
+	},
+	"outbound option `routing_mark` is only supported on Linux",
+)
+
+var warnReuseAdderOnUnsupportedPlatform = warning.New(
+	func() bool {
+		return !(C.IsDarwin || C.IsDragonfly || C.IsFreebsd || C.IsLinux || C.IsNetbsd || C.IsOpenbsd || C.IsSolaris || C.IsWindows)
+	},
+	"outbound option `reuse_addr` is unsupported on current platform",
+)
+
+var warnProtectPathOnNonAndroid = warning.New(
+	func() bool {
+		return !C.IsAndroid
+	},
+	"outbound option `protect_path` is only supported on Android",
+)
+
+var warnTFOOnUnsupportedPlatform = warning.New(
+	func() bool {
+		return !(C.IsDarwin || C.IsFreebsd || C.IsLinux || C.IsWindows)
+	},
+	"outbound option `tcp_fast_open` is unsupported on current platform",
+)
+
 type DefaultDialer struct {
 	dialer4     tfo.Dialer
 	dialer6     tfo.Dialer
@@ -30,6 +66,7 @@ func NewDefault(router adapter.Router, options option.DialerOptions) *DefaultDia
 	var dialer net.Dialer
 	var listener net.ListenConfig
 	if options.BindInterface != "" {
+		warnBindInterfaceOnUnsupportedPlatform.Check()
 		bindFunc := control.BindToInterface(router.InterfaceFinder(), options.BindInterface, -1)
 		dialer.Control = control.Append(dialer.Control, bindFunc)
 		listener.Control = control.Append(listener.Control, bindFunc)
@@ -43,6 +80,7 @@ func NewDefault(router adapter.Router, options option.DialerOptions) *DefaultDia
 		listener.Control = control.Append(listener.Control, bindFunc)
 	}
 	if options.RoutingMark != 0 {
+		warnRoutingMarkOnUnsupportedPlatform.Check()
 		dialer.Control = control.Append(dialer.Control, control.RoutingMark(options.RoutingMark))
 		listener.Control = control.Append(listener.Control, control.RoutingMark(options.RoutingMark))
 	} else if router.DefaultMark() != 0 {
@@ -50,9 +88,11 @@ func NewDefault(router adapter.Router, options option.DialerOptions) *DefaultDia
 		listener.Control = control.Append(listener.Control, control.RoutingMark(router.DefaultMark()))
 	}
 	if options.ReuseAddr {
+		warnReuseAdderOnUnsupportedPlatform.Check()
 		listener.Control = control.Append(listener.Control, control.ReuseAddr())
 	}
 	if options.ProtectPath != "" {
+		warnProtectPathOnNonAndroid.Check()
 		dialer.Control = control.Append(dialer.Control, control.ProtectPath(options.ProtectPath))
 		listener.Control = control.Append(listener.Control, control.ProtectPath(options.ProtectPath))
 	}
@@ -61,6 +101,9 @@ func NewDefault(router adapter.Router, options option.DialerOptions) *DefaultDia
 	} else {
 		dialer.Timeout = C.TCPTimeout
 	}
+	if options.TCPFastOpen {
+		warnTFOOnUnsupportedPlatform.Check()
+	}
 	var udpFragment bool
 	if options.UDPFragment != nil {
 		udpFragment = *options.UDPFragment
--- a/common/dialer/resolve.go
+++ b/common/dialer/resolve.go
@@ -73,7 +73,7 @@ func (d *ResolveDialer) ListenPacket(ctx context.Context, destination M.Socksadd
 	if err != nil {
 		return nil, err
 	}
-	return bufio.NewNATPacketConn(bufio.NewPacketConn(conn), M.SocksaddrFrom(destinationAddress, destination.Port), destination), nil
+	return bufio.NewNATPacketConn(bufio.NewPacketConn(conn), destination, M.SocksaddrFrom(destinationAddress, destination.Port)), nil
 }

 func (d *ResolveDialer) Upstream() any {
--- a/common/dialer/tfo.go
+++ b/common/dialer/tfo.go
@@ -128,6 +128,13 @@ func (c *slowOpenConn) NeedHandshake() bool {
 	return c.conn == nil
 }

+func (c *slowOpenConn) ReadFrom(r io.Reader) (n int64, err error) {
+	if c.conn != nil {
+		return bufio.Copy(c.conn, r)
+	}
+	return bufio.ReadFrom0(c, r)
+}
+
 func (c *slowOpenConn) WriteTo(w io.Writer) (n int64, err error) {
 	if c.conn == nil {
 		select {
--- a/common/mux/client.go
+++ b/common/mux/client.go
@@ -1,21 +1,519 @@
 package mux

 import (
+	"context"
+	"encoding/binary"
+	"io"
+	"net"
+	"sync"
+
 	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing-mux"
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/buf"
+	"github.com/sagernet/sing/common/bufio"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/common/x/list"
 )

-func NewClientWithOptions(dialer N.Dialer, options option.MultiplexOptions) (*Client, error) {
+var _ N.Dialer = (*Client)(nil)
+
+type Client struct {
+	access         sync.Mutex
+	connections    list.List[abstractSession]
+	ctx            context.Context
+	dialer         N.Dialer
+	protocol       Protocol
+	maxConnections int
+	minStreams     int
+	maxStreams     int
+}
+
+func NewClient(ctx context.Context, dialer N.Dialer, protocol Protocol, maxConnections int, minStreams int, maxStreams int) *Client {
+	return &Client{
+		ctx:            ctx,
+		dialer:         dialer,
+		protocol:       protocol,
+		maxConnections: maxConnections,
+		minStreams:     minStreams,
+		maxStreams:     maxStreams,
+	}
+}
+
+func NewClientWithOptions(ctx context.Context, dialer N.Dialer, options option.MultiplexOptions) (N.Dialer, error) {
 	if !options.Enabled {
 		return nil, nil
 	}
-	return mux.NewClient(mux.Options{
-		Dialer:         dialer,
-		Protocol:       options.Protocol,
-		MaxConnections: options.MaxConnections,
-		MinStreams:     options.MinStreams,
-		MaxStreams:     options.MaxStreams,
-		Padding:        options.Padding,
-	})
+	if options.MaxConnections == 0 && options.MaxStreams == 0 {
+		options.MinStreams = 8
+	}
+	protocol, err := ParseProtocol(options.Protocol)
+	if err != nil {
+		return nil, err
+	}
+	return NewClient(ctx, dialer, protocol, options.MaxConnections, options.MinStreams, options.MaxStreams), nil
+}
+
+func (c *Client) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+	switch N.NetworkName(network) {
+	case N.NetworkTCP:
+		stream, err := c.openStream()
+		if err != nil {
+			return nil, err
+		}
+		return &ClientConn{Conn: stream, destination: destination}, nil
+	case N.NetworkUDP:
+		stream, err := c.openStream()
+		if err != nil {
+			return nil, err
+		}
+		return bufio.NewUnbindPacketConn(&ClientPacketConn{ExtendedConn: bufio.NewExtendedConn(stream), destination: destination}), nil
+	default:
+		return nil, E.Extend(N.ErrUnknownNetwork, network)
+	}
+}
+
+func (c *Client) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+	stream, err := c.openStream()
+	if err != nil {
+		return nil, err
+	}
+	return &ClientPacketAddrConn{ExtendedConn: bufio.NewExtendedConn(stream), destination: destination}, nil
+}
+
+func (c *Client) openStream() (net.Conn, error) {
+	var (
+		session abstractSession
+		stream  net.Conn
+		err     error
+	)
+	for attempts := 0; attempts < 2; attempts++ {
+		session, err = c.offer()
+		if err != nil {
+			continue
+		}
+		stream, err = session.Open()
+		if err != nil {
+			continue
+		}
+		break
+	}
+	if err != nil {
+		return nil, err
+	}
+	return &wrapStream{stream}, nil
+}
+
+func (c *Client) offer() (abstractSession, error) {
+	c.access.Lock()
+	defer c.access.Unlock()
+
+	sessions := make([]abstractSession, 0, c.maxConnections)
+	for element := c.connections.Front(); element != nil; {
+		if element.Value.IsClosed() {
+			nextElement := element.Next()
+			c.connections.Remove(element)
+			element = nextElement
+			continue
+		}
+		sessions = append(sessions, element.Value)
+		element = element.Next()
+	}
+	sLen := len(sessions)
+	if sLen == 0 {
+		return c.offerNew()
+	}
+	session := common.MinBy(sessions, abstractSession.NumStreams)
+	numStreams := session.NumStreams()
+	if numStreams == 0 {
+		return session, nil
+	}
+	if c.maxConnections > 0 {
+		if sLen >= c.maxConnections || numStreams < c.minStreams {
+			return session, nil
+		}
+	} else {
+		if c.maxStreams > 0 && numStreams < c.maxStreams {
+			return session, nil
+		}
+	}
+	return c.offerNew()
+}
+
+func (c *Client) offerNew() (abstractSession, error) {
+	conn, err := c.dialer.DialContext(c.ctx, N.NetworkTCP, Destination)
+	if err != nil {
+		return nil, err
+	}
+	if vectorisedWriter, isVectorised := bufio.CreateVectorisedWriter(conn); isVectorised {
+		conn = &vectorisedProtocolConn{protocolConn{Conn: conn, protocol: c.protocol}, vectorisedWriter}
+	} else {
+		conn = &protocolConn{Conn: conn, protocol: c.protocol}
+	}
+	session, err := c.protocol.newClient(conn)
+	if err != nil {
+		return nil, err
+	}
+	c.connections.PushBack(session)
+	return session, nil
+}
+
+func (c *Client) Close() error {
+	c.access.Lock()
+	defer c.access.Unlock()
+	for _, session := range c.connections.Array() {
+		session.Close()
+	}
+	return nil
+}
+
+type ClientConn struct {
+	net.Conn
+	destination  M.Socksaddr
+	requestWrite bool
+	responseRead bool
+}
+
+func (c *ClientConn) readResponse() error {
+	response, err := ReadStreamResponse(c.Conn)
+	if err != nil {
+		return err
+	}
+	if response.Status == statusError {
+		return E.New("remote error: ", response.Message)
+	}
+	return nil
+}
+
+func (c *ClientConn) Read(b []byte) (n int, err error) {
+	if !c.responseRead {
+		err = c.readResponse()
+		if err != nil {
+			return
+		}
+		c.responseRead = true
+	}
+	return c.Conn.Read(b)
+}
+
+func (c *ClientConn) Write(b []byte) (n int, err error) {
+	if c.requestWrite {
+		return c.Conn.Write(b)
+	}
+	request := StreamRequest{
+		Network:     N.NetworkTCP,
+		Destination: c.destination,
+	}
+	_buffer := buf.StackNewSize(requestLen(request) + len(b))
+	defer common.KeepAlive(_buffer)
+	buffer := common.Dup(_buffer)
+	defer buffer.Release()
+	EncodeStreamRequest(request, buffer)
+	buffer.Write(b)
+	_, err = c.Conn.Write(buffer.Bytes())
+	if err != nil {
+		return
+	}
+	c.requestWrite = true
+	return len(b), nil
+}
+
+func (c *ClientConn) ReadFrom(r io.Reader) (n int64, err error) {
+	if !c.requestWrite {
+		return bufio.ReadFrom0(c, r)
+	}
+	return bufio.Copy(c.Conn, r)
+}
+
+func (c *ClientConn) WriteTo(w io.Writer) (n int64, err error) {
+	if !c.responseRead {
+		return bufio.WriteTo0(c, w)
+	}
+	return bufio.Copy(w, c.Conn)
+}
+
+func (c *ClientConn) LocalAddr() net.Addr {
+	return c.Conn.LocalAddr()
+}
+
+func (c *ClientConn) RemoteAddr() net.Addr {
+	return c.destination.TCPAddr()
+}
+
+func (c *ClientConn) ReaderReplaceable() bool {
+	return c.responseRead
+}
+
+func (c *ClientConn) WriterReplaceable() bool {
+	return c.requestWrite
+}
+
+func (c *ClientConn) Upstream() any {
+	return c.Conn
+}
+
+type ClientPacketConn struct {
+	N.ExtendedConn
+	destination  M.Socksaddr
+	requestWrite bool
+	responseRead bool
+}
+
+func (c *ClientPacketConn) readResponse() error {
+	response, err := ReadStreamResponse(c.ExtendedConn)
+	if err != nil {
+		return err
+	}
+	if response.Status == statusError {
+		return E.New("remote error: ", response.Message)
+	}
+	return nil
+}
+
+func (c *ClientPacketConn) Read(b []byte) (n int, err error) {
+	if !c.responseRead {
+		err = c.readResponse()
+		if err != nil {
+			return
+		}
+		c.responseRead = true
+	}
+	var length uint16
+	err = binary.Read(c.ExtendedConn, binary.BigEndian, &length)
+	if err != nil {
+		return
+	}
+	if cap(b) < int(length) {
+		return 0, io.ErrShortBuffer
+	}
+	return io.ReadFull(c.ExtendedConn, b[:length])
+}
+
+func (c *ClientPacketConn) writeRequest(payload []byte) (n int, err error) {
+	request := StreamRequest{
+		Network:     N.NetworkUDP,
+		Destination: c.destination,
+	}
+	rLen := requestLen(request)
+	if len(payload) > 0 {
+		rLen += 2 + len(payload)
+	}
+	_buffer := buf.StackNewSize(rLen)
+	defer common.KeepAlive(_buffer)
+	buffer := common.Dup(_buffer)
+	defer buffer.Release()
+	EncodeStreamRequest(request, buffer)
+	if len(payload) > 0 {
+		common.Must(
+			binary.Write(buffer, binary.BigEndian, uint16(len(payload))),
+			common.Error(buffer.Write(payload)),
+		)
+	}
+	_, err = c.ExtendedConn.Write(buffer.Bytes())
+	if err != nil {
+		return
+	}
+	c.requestWrite = true
+	return len(payload), nil
+}
+
+func (c *ClientPacketConn) Write(b []byte) (n int, err error) {
+	if !c.requestWrite {
+		return c.writeRequest(b)
+	}
+	err = binary.Write(c.ExtendedConn, binary.BigEndian, uint16(len(b)))
+	if err != nil {
+		return
+	}
+	return c.ExtendedConn.Write(b)
+}
+
+func (c *ClientPacketConn) ReadBuffer(buffer *buf.Buffer) (err error) {
+	if !c.responseRead {
+		err = c.readResponse()
+		if err != nil {
+			return
+		}
+		c.responseRead = true
+	}
+	var length uint16
+	err = binary.Read(c.ExtendedConn, binary.BigEndian, &length)
+	if err != nil {
+		return
+	}
+	_, err = buffer.ReadFullFrom(c.ExtendedConn, int(length))
+	return
+}
+
+func (c *ClientPacketConn) WriteBuffer(buffer *buf.Buffer) error {
+	if !c.requestWrite {
+		defer buffer.Release()
+		return common.Error(c.writeRequest(buffer.Bytes()))
+	}
+	bLen := buffer.Len()
+	binary.BigEndian.PutUint16(buffer.ExtendHeader(2), uint16(bLen))
+	return c.ExtendedConn.WriteBuffer(buffer)
+}
+
+func (c *ClientPacketConn) FrontHeadroom() int {
+	return 2
+}
+
+func (c *ClientPacketConn) ReadPacket(buffer *buf.Buffer) (destination M.Socksaddr, err error) {
+	err = c.ReadBuffer(buffer)
+	return
+}
+
+func (c *ClientPacketConn) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
+	return c.WriteBuffer(buffer)
+}
+
+func (c *ClientPacketConn) LocalAddr() net.Addr {
+	return c.ExtendedConn.LocalAddr()
+}
+
+func (c *ClientPacketConn) RemoteAddr() net.Addr {
+	return c.destination.UDPAddr()
+}
+
+func (c *ClientPacketConn) Upstream() any {
+	return c.ExtendedConn
+}
+
+var _ N.NetPacketConn = (*ClientPacketAddrConn)(nil)
+
+type ClientPacketAddrConn struct {
+	N.ExtendedConn
+	destination  M.Socksaddr
+	requestWrite bool
+	responseRead bool
+}
+
+func (c *ClientPacketAddrConn) readResponse() error {
+	response, err := ReadStreamResponse(c.ExtendedConn)
+	if err != nil {
+		return err
+	}
+	if response.Status == statusError {
+		return E.New("remote error: ", response.Message)
+	}
+	return nil
+}
+
+func (c *ClientPacketAddrConn) ReadFrom(p []byte) (n int, addr net.Addr, err error) {
+	if !c.responseRead {
+		err = c.readResponse()
+		if err != nil {
+			return
+		}
+		c.responseRead = true
+	}
+	destination, err := M.SocksaddrSerializer.ReadAddrPort(c.ExtendedConn)
+	if err != nil {
+		return
+	}
+	addr = destination.UDPAddr()
+	var length uint16
+	err = binary.Read(c.ExtendedConn, binary.BigEndian, &length)
+	if err != nil {
+		return
+	}
+	if cap(p) < int(length) {
+		return 0, nil, io.ErrShortBuffer
+	}
+	n, err = io.ReadFull(c.ExtendedConn, p[:length])
+	return
+}
+
+func (c *ClientPacketAddrConn) writeRequest(payload []byte, destination M.Socksaddr) (n int, err error) {
+	request := StreamRequest{
+		Network:     N.NetworkUDP,
+		Destination: c.destination,
+		PacketAddr:  true,
+	}
+	rLen := requestLen(request)
+	if len(payload) > 0 {
+		rLen += M.SocksaddrSerializer.AddrPortLen(destination) + 2 + len(payload)
+	}
+	_buffer := buf.StackNewSize(rLen)
+	defer common.KeepAlive(_buffer)
+	buffer := common.Dup(_buffer)
+	defer buffer.Release()
+	EncodeStreamRequest(request, buffer)
+	if len(payload) > 0 {
+		common.Must(
+			M.SocksaddrSerializer.WriteAddrPort(buffer, destination),
+			binary.Write(buffer, binary.BigEndian, uint16(len(payload))),
+			common.Error(buffer.Write(payload)),
+		)
+	}
+	_, err = c.ExtendedConn.Write(buffer.Bytes())
+	if err != nil {
+		return
+	}
+	c.requestWrite = true
+	return len(payload), nil
+}
+
+func (c *ClientPacketAddrConn) WriteTo(p []byte, addr net.Addr) (n int, err error) {
+	if !c.requestWrite {
+		return c.writeRequest(p, M.SocksaddrFromNet(addr))
+	}
+	err = M.SocksaddrSerializer.WriteAddrPort(c.ExtendedConn, M.SocksaddrFromNet(addr))
+	if err != nil {
+		return
+	}
+	err = binary.Write(c.ExtendedConn, binary.BigEndian, uint16(len(p)))
+	if err != nil {
+		return
+	}
+	return c.ExtendedConn.Write(p)
+}
+
+func (c *ClientPacketAddrConn) ReadPacket(buffer *buf.Buffer) (destination M.Socksaddr, err error) {
+	if !c.responseRead {
+		err = c.readResponse()
+		if err != nil {
+			return
+		}
+		c.responseRead = true
+	}
+	destination, err = M.SocksaddrSerializer.ReadAddrPort(c.ExtendedConn)
+	if err != nil {
+		return
+	}
+	var length uint16
+	err = binary.Read(c.ExtendedConn, binary.BigEndian, &length)
+	if err != nil {
+		return
+	}
+	_, err = buffer.ReadFullFrom(c.ExtendedConn, int(length))
+	return
+}
+
+func (c *ClientPacketAddrConn) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
+	if !c.requestWrite {
+		defer buffer.Release()
+		return common.Error(c.writeRequest(buffer.Bytes(), destination))
+	}
+	bLen := buffer.Len()
+	header := buf.With(buffer.ExtendHeader(M.SocksaddrSerializer.AddrPortLen(destination) + 2))
+	common.Must(
+		M.SocksaddrSerializer.WriteAddrPort(header, destination),
+		binary.Write(header, binary.BigEndian, uint16(bLen)),
+	)
+	return c.ExtendedConn.WriteBuffer(buffer)
+}
+
+func (c *ClientPacketAddrConn) LocalAddr() net.Addr {
+	return c.ExtendedConn.LocalAddr()
+}
+
+func (c *ClientPacketAddrConn) FrontHeadroom() int {
+	return 2 + M.MaxSocksaddrLength
+}
+
+func (c *ClientPacketAddrConn) Upstream() any {
+	return c.ExtendedConn
 }
--- a/common/mux/protocol.go
+++ b/common/mux/protocol.go
@@ -1,14 +1,240 @@
 package mux

 import (
-	"github.com/sagernet/sing-mux"
+	"encoding/binary"
+	"io"
+	"net"
+
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/buf"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/common/rw"
+	"github.com/sagernet/smux"
+
+	"github.com/hashicorp/yamux"
 )

-type (
-	Client = mux.Client
+var Destination = M.Socksaddr{
+	Fqdn: "sp.mux.sing-box.arpa",
+	Port: 444,
+}
+
+const (
+	ProtocolSMux Protocol = iota
+	ProtocolYAMux
 )

-var (
-	Destination      = mux.Destination
-	HandleConnection = mux.HandleConnection
+type Protocol byte
+
+func ParseProtocol(name string) (Protocol, error) {
+	switch name {
+	case "", "smux":
+		return ProtocolSMux, nil
+	case "yamux":
+		return ProtocolYAMux, nil
+	default:
+		return ProtocolYAMux, E.New("unknown multiplex protocol: ", name)
+	}
+}
+
+func (p Protocol) newServer(conn net.Conn) (abstractSession, error) {
+	switch p {
+	case ProtocolSMux:
+		session, err := smux.Server(conn, smuxConfig())
+		if err != nil {
+			return nil, err
+		}
+		return &smuxSession{session}, nil
+	case ProtocolYAMux:
+		return yamux.Server(conn, yaMuxConfig())
+	default:
+		panic("unknown protocol")
+	}
+}
+
+func (p Protocol) newClient(conn net.Conn) (abstractSession, error) {
+	switch p {
+	case ProtocolSMux:
+		session, err := smux.Client(conn, smuxConfig())
+		if err != nil {
+			return nil, err
+		}
+		return &smuxSession{session}, nil
+	case ProtocolYAMux:
+		return yamux.Client(conn, yaMuxConfig())
+	default:
+		panic("unknown protocol")
+	}
+}
+
+func smuxConfig() *smux.Config {
+	config := smux.DefaultConfig()
+	config.KeepAliveDisabled = true
+	return config
+}
+
+func yaMuxConfig() *yamux.Config {
+	config := yamux.DefaultConfig()
+	config.LogOutput = io.Discard
+	config.StreamCloseTimeout = C.TCPTimeout
+	config.StreamOpenTimeout = C.TCPTimeout
+	return config
+}
+
+func (p Protocol) String() string {
+	switch p {
+	case ProtocolSMux:
+		return "smux"
+	case ProtocolYAMux:
+		return "yamux"
+	default:
+		return "unknown"
+	}
+}
+
+const (
+	version0 = 0
 )
+
+type Request struct {
+	Protocol Protocol
+}
+
+func ReadRequest(reader io.Reader) (*Request, error) {
+	version, err := rw.ReadByte(reader)
+	if err != nil {
+		return nil, err
+	}
+	if version != version0 {
+		return nil, E.New("unsupported version: ", version)
+	}
+	protocol, err := rw.ReadByte(reader)
+	if err != nil {
+		return nil, err
+	}
+	if protocol > byte(ProtocolYAMux) {
+		return nil, E.New("unsupported protocol: ", protocol)
+	}
+	return &Request{Protocol: Protocol(protocol)}, nil
+}
+
+func EncodeRequest(buffer *buf.Buffer, request Request) {
+	buffer.WriteByte(version0)
+	buffer.WriteByte(byte(request.Protocol))
+}
+
+const (
+	flagUDP       = 1
+	flagAddr      = 2
+	statusSuccess = 0
+	statusError   = 1
+)
+
+type StreamRequest struct {
+	Network     string
+	Destination M.Socksaddr
+	PacketAddr  bool
+}
+
+func ReadStreamRequest(reader io.Reader) (*StreamRequest, error) {
+	var flags uint16
+	err := binary.Read(reader, binary.BigEndian, &flags)
+	if err != nil {
+		return nil, err
+	}
+	destination, err := M.SocksaddrSerializer.ReadAddrPort(reader)
+	if err != nil {
+		return nil, err
+	}
+	var network string
+	var udpAddr bool
+	if flags&flagUDP == 0 {
+		network = N.NetworkTCP
+	} else {
+		network = N.NetworkUDP
+		udpAddr = flags&flagAddr != 0
+	}
+	return &StreamRequest{network, destination, udpAddr}, nil
+}
+
+func requestLen(request StreamRequest) int {
+	var rLen int
+	rLen += 1 // version
+	rLen += 2 // flags
+	rLen += M.SocksaddrSerializer.AddrPortLen(request.Destination)
+	return rLen
+}
+
+func EncodeStreamRequest(request StreamRequest, buffer *buf.Buffer) {
+	destination := request.Destination
+	var flags uint16
+	if request.Network == N.NetworkUDP {
+		flags |= flagUDP
+	}
+	if request.PacketAddr {
+		flags |= flagAddr
+		if !destination.IsValid() {
+			destination = Destination
+		}
+	}
+	common.Must(
+		binary.Write(buffer, binary.BigEndian, flags),
+		M.SocksaddrSerializer.WriteAddrPort(buffer, destination),
+	)
+}
+
+type StreamResponse struct {
+	Status  uint8
+	Message string
+}
+
+func ReadStreamResponse(reader io.Reader) (*StreamResponse, error) {
+	var response StreamResponse
+	status, err := rw.ReadByte(reader)
+	if err != nil {
+		return nil, err
+	}
+	response.Status = status
+	if status == statusError {
+		response.Message, err = rw.ReadVString(reader)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return &response, nil
+}
+
+type wrapStream struct {
+	net.Conn
+}
+
+func (w *wrapStream) Read(p []byte) (n int, err error) {
+	n, err = w.Conn.Read(p)
+	err = wrapError(err)
+	return
+}
+
+func (w *wrapStream) Write(p []byte) (n int, err error) {
+	n, err = w.Conn.Write(p)
+	err = wrapError(err)
+	return
+}
+
+func (w *wrapStream) WriteIsThreadUnsafe() {
+}
+
+func (w *wrapStream) Upstream() any {
+	return w.Conn
+}
+
+func wrapError(err error) error {
+	switch err {
+	case yamux.ErrStreamClosed:
+		return io.EOF
+	default:
+		return err
+	}
+}
--- a/common/mux/service.go
+++ b/common/mux/service.go
@@ -0,0 +1,257 @@
+package mux
+
+import (
+	"context"
+	"encoding/binary"
+	"net"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/buf"
+	"github.com/sagernet/sing/common/bufio"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/common/rw"
+	"github.com/sagernet/sing/common/task"
+)
+
+func NewConnection(ctx context.Context, router adapter.Router, errorHandler E.Handler, logger log.ContextLogger, conn net.Conn, metadata adapter.InboundContext) error {
+	request, err := ReadRequest(conn)
+	if err != nil {
+		return err
+	}
+	session, err := request.Protocol.newServer(conn)
+	if err != nil {
+		return err
+	}
+	var group task.Group
+	group.Append0(func(ctx context.Context) error {
+		var stream net.Conn
+		for {
+			stream, err = session.Accept()
+			if err != nil {
+				return err
+			}
+			go newConnection(ctx, router, errorHandler, logger, stream, metadata)
+		}
+	})
+	group.Cleanup(func() {
+		session.Close()
+	})
+	return group.Run(ctx)
+}
+
+func newConnection(ctx context.Context, router adapter.Router, errorHandler E.Handler, logger log.ContextLogger, stream net.Conn, metadata adapter.InboundContext) {
+	stream = &wrapStream{stream}
+	request, err := ReadStreamRequest(stream)
+	if err != nil {
+		logger.ErrorContext(ctx, err)
+		return
+	}
+	metadata.Destination = request.Destination
+	if request.Network == N.NetworkTCP {
+		logger.InfoContext(ctx, "inbound multiplex connection to ", metadata.Destination)
+		hErr := router.RouteConnection(ctx, &ServerConn{ExtendedConn: bufio.NewExtendedConn(stream)}, metadata)
+		stream.Close()
+		if hErr != nil {
+			errorHandler.NewError(ctx, hErr)
+		}
+	} else {
+		var packetConn N.PacketConn
+		if !request.PacketAddr {
+			logger.InfoContext(ctx, "inbound multiplex packet connection to ", metadata.Destination)
+			packetConn = &ServerPacketConn{ExtendedConn: bufio.NewExtendedConn(stream), destination: request.Destination}
+		} else {
+			logger.InfoContext(ctx, "inbound multiplex packet connection")
+			packetConn = &ServerPacketAddrConn{ExtendedConn: bufio.NewExtendedConn(stream)}
+		}
+		hErr := router.RoutePacketConnection(ctx, packetConn, metadata)
+		stream.Close()
+		if hErr != nil {
+			errorHandler.NewError(ctx, hErr)
+		}
+	}
+}
+
+var _ N.HandshakeConn = (*ServerConn)(nil)
+
+type ServerConn struct {
+	N.ExtendedConn
+	responseWrite bool
+}
+
+func (c *ServerConn) HandshakeFailure(err error) error {
+	errMessage := err.Error()
+	_buffer := buf.StackNewSize(1 + rw.UVariantLen(uint64(len(errMessage))) + len(errMessage))
+	defer common.KeepAlive(_buffer)
+	buffer := common.Dup(_buffer)
+	defer buffer.Release()
+	common.Must(
+		buffer.WriteByte(statusError),
+		rw.WriteVString(_buffer, errMessage),
+	)
+	return c.ExtendedConn.WriteBuffer(buffer)
+}
+
+func (c *ServerConn) Write(b []byte) (n int, err error) {
+	if c.responseWrite {
+		return c.ExtendedConn.Write(b)
+	}
+	_buffer := buf.StackNewSize(1 + len(b))
+	defer common.KeepAlive(_buffer)
+	buffer := common.Dup(_buffer)
+	defer buffer.Release()
+	common.Must(
+		buffer.WriteByte(statusSuccess),
+		common.Error(buffer.Write(b)),
+	)
+	_, err = c.ExtendedConn.Write(buffer.Bytes())
+	if err != nil {
+		return
+	}
+	c.responseWrite = true
+	return len(b), nil
+}
+
+func (c *ServerConn) WriteBuffer(buffer *buf.Buffer) error {
+	if c.responseWrite {
+		return c.ExtendedConn.WriteBuffer(buffer)
+	}
+	buffer.ExtendHeader(1)[0] = statusSuccess
+	c.responseWrite = true
+	return c.ExtendedConn.WriteBuffer(buffer)
+}
+
+func (c *ServerConn) FrontHeadroom() int {
+	if !c.responseWrite {
+		return 1
+	}
+	return 0
+}
+
+func (c *ServerConn) Upstream() any {
+	return c.ExtendedConn
+}
+
+var (
+	_ N.HandshakeConn = (*ServerPacketConn)(nil)
+	_ N.PacketConn    = (*ServerPacketConn)(nil)
+)
+
+type ServerPacketConn struct {
+	N.ExtendedConn
+	destination   M.Socksaddr
+	responseWrite bool
+}
+
+func (c *ServerPacketConn) HandshakeFailure(err error) error {
+	errMessage := err.Error()
+	_buffer := buf.StackNewSize(1 + rw.UVariantLen(uint64(len(errMessage))) + len(errMessage))
+	defer common.KeepAlive(_buffer)
+	buffer := common.Dup(_buffer)
+	defer buffer.Release()
+	common.Must(
+		buffer.WriteByte(statusError),
+		rw.WriteVString(_buffer, errMessage),
+	)
+	return c.ExtendedConn.WriteBuffer(buffer)
+}
+
+func (c *ServerPacketConn) ReadPacket(buffer *buf.Buffer) (destination M.Socksaddr, err error) {
+	var length uint16
+	err = binary.Read(c.ExtendedConn, binary.BigEndian, &length)
+	if err != nil {
+		return
+	}
+	_, err = buffer.ReadFullFrom(c.ExtendedConn, int(length))
+	if err != nil {
+		return
+	}
+	destination = c.destination
+	return
+}
+
+func (c *ServerPacketConn) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
+	pLen := buffer.Len()
+	common.Must(binary.Write(buf.With(buffer.ExtendHeader(2)), binary.BigEndian, uint16(pLen)))
+	if !c.responseWrite {
+		buffer.ExtendHeader(1)[0] = statusSuccess
+		c.responseWrite = true
+	}
+	return c.ExtendedConn.WriteBuffer(buffer)
+}
+
+func (c *ServerPacketConn) Upstream() any {
+	return c.ExtendedConn
+}
+
+func (c *ServerPacketConn) FrontHeadroom() int {
+	if !c.responseWrite {
+		return 3
+	}
+	return 2
+}
+
+var (
+	_ N.HandshakeConn = (*ServerPacketAddrConn)(nil)
+	_ N.PacketConn    = (*ServerPacketAddrConn)(nil)
+)
+
+type ServerPacketAddrConn struct {
+	N.ExtendedConn
+	responseWrite bool
+}
+
+func (c *ServerPacketAddrConn) HandshakeFailure(err error) error {
+	errMessage := err.Error()
+	_buffer := buf.StackNewSize(1 + rw.UVariantLen(uint64(len(errMessage))) + len(errMessage))
+	defer common.KeepAlive(_buffer)
+	buffer := common.Dup(_buffer)
+	defer buffer.Release()
+	common.Must(
+		buffer.WriteByte(statusError),
+		rw.WriteVString(_buffer, errMessage),
+	)
+	return c.ExtendedConn.WriteBuffer(buffer)
+}
+
+func (c *ServerPacketAddrConn) ReadPacket(buffer *buf.Buffer) (destination M.Socksaddr, err error) {
+	destination, err = M.SocksaddrSerializer.ReadAddrPort(c.ExtendedConn)
+	if err != nil {
+		return
+	}
+	var length uint16
+	err = binary.Read(c.ExtendedConn, binary.BigEndian, &length)
+	if err != nil {
+		return
+	}
+	_, err = buffer.ReadFullFrom(c.ExtendedConn, int(length))
+	if err != nil {
+		return
+	}
+	return
+}
+
+func (c *ServerPacketAddrConn) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
+	pLen := buffer.Len()
+	common.Must(binary.Write(buf.With(buffer.ExtendHeader(2)), binary.BigEndian, uint16(pLen)))
+	common.Must(M.SocksaddrSerializer.WriteAddrPort(buf.With(buffer.ExtendHeader(M.SocksaddrSerializer.AddrPortLen(destination))), destination))
+	if !c.responseWrite {
+		buffer.ExtendHeader(1)[0] = statusSuccess
+		c.responseWrite = true
+	}
+	return c.ExtendedConn.WriteBuffer(buffer)
+}
+
+func (c *ServerPacketAddrConn) Upstream() any {
+	return c.ExtendedConn
+}
+
+func (c *ServerPacketAddrConn) FrontHeadroom() int {
+	if !c.responseWrite {
+		return 3 + M.MaxSocksaddrLength
+	}
+	return 2 + M.MaxSocksaddrLength
+}
--- a/common/mux/session.go
+++ b/common/mux/session.go
@@ -0,0 +1,91 @@
+package mux
+
+import (
+	"io"
+	"net"
+
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/buf"
+	"github.com/sagernet/sing/common/bufio"
+	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/smux"
+)
+
+type abstractSession interface {
+	Open() (net.Conn, error)
+	Accept() (net.Conn, error)
+	NumStreams() int
+	Close() error
+	IsClosed() bool
+}
+
+var _ abstractSession = (*smuxSession)(nil)
+
+type smuxSession struct {
+	*smux.Session
+}
+
+func (s *smuxSession) Open() (net.Conn, error) {
+	return s.OpenStream()
+}
+
+func (s *smuxSession) Accept() (net.Conn, error) {
+	return s.AcceptStream()
+}
+
+type protocolConn struct {
+	net.Conn
+	protocol        Protocol
+	protocolWritten bool
+}
+
+func (c *protocolConn) Write(p []byte) (n int, err error) {
+	if c.protocolWritten {
+		return c.Conn.Write(p)
+	}
+	_buffer := buf.StackNewSize(2 + len(p))
+	defer common.KeepAlive(_buffer)
+	buffer := common.Dup(_buffer)
+	defer buffer.Release()
+	EncodeRequest(buffer, Request{
+		Protocol: c.protocol,
+	})
+	common.Must(common.Error(buffer.Write(p)))
+	n, err = c.Conn.Write(buffer.Bytes())
+	if err == nil {
+		n--
+	}
+	c.protocolWritten = true
+	return n, err
+}
+
+func (c *protocolConn) ReadFrom(r io.Reader) (n int64, err error) {
+	if !c.protocolWritten {
+		return bufio.ReadFrom0(c, r)
+	}
+	return bufio.Copy(c.Conn, r)
+}
+
+func (c *protocolConn) Upstream() any {
+	return c.Conn
+}
+
+type vectorisedProtocolConn struct {
+	protocolConn
+	N.VectorisedWriter
+}
+
+func (c *vectorisedProtocolConn) WriteVectorised(buffers []*buf.Buffer) error {
+	if c.protocolWritten {
+		return c.VectorisedWriter.WriteVectorised(buffers)
+	}
+	c.protocolWritten = true
+	_buffer := buf.StackNewSize(2)
+	defer common.KeepAlive(_buffer)
+	buffer := common.Dup(_buffer)
+	defer buffer.Release()
+	EncodeRequest(buffer, Request{
+		Protocol: c.protocol,
+	})
+	return c.VectorisedWriter.WriteVectorised(append([]*buf.Buffer{buffer}, buffers...))
+}
--- a/common/process/searcher.go
+++ b/common/process/searcher.go
@@ -3,12 +3,10 @@ package process
 import (
 	"context"
 	"net/netip"
-	"os/user"

 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-tun"
 	E "github.com/sagernet/sing/common/exceptions"
-	F "github.com/sagernet/sing/common/format"
 )

 type Searcher interface {
@@ -30,15 +28,5 @@ type Info struct {
 }

 func FindProcessInfo(searcher Searcher, ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*Info, error) {
-	info, err := searcher.FindProcessInfo(ctx, network, source, destination)
-	if err != nil {
-		return nil, err
-	}
-	if info.UserId != -1 {
-		osUser, _ := user.LookupId(F.ToString(info.UserId))
-		if osUser != nil {
-			info.User = osUser.Username
-		}
-	}
-	return info, nil
+	return findProcessInfo(searcher, ctx, network, source, destination)
 }
--- a/common/process/searcher_linux_shared.go
+++ b/common/process/searcher_linux_shared.go
@@ -15,6 +15,7 @@ import (
 	"unicode"
 	"unsafe"

+	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
 	N "github.com/sagernet/sing/common/network"
@@ -81,7 +82,9 @@ func resolveSocketByNetlink(network string, source netip.AddrPort, destination n
 		return 0, 0, E.Cause(err, "write netlink request")
 	}

-	buffer := buf.New()
+	_buffer := buf.StackNew()
+	defer common.KeepAlive(_buffer)
+	buffer := common.Dup(_buffer)
 	defer buffer.Release()

 	n, err := syscall.Read(socket, buffer.FreeBytes())
--- a/common/process/searcher_with_name.go
+++ b/common/process/searcher_with_name.go
@@ -0,0 +1,25 @@
+//go:build linux && !android
+
+package process
+
+import (
+	"context"
+	"net/netip"
+	"os/user"
+
+	F "github.com/sagernet/sing/common/format"
+)
+
+func findProcessInfo(searcher Searcher, ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*Info, error) {
+	info, err := searcher.FindProcessInfo(ctx, network, source, destination)
+	if err != nil {
+		return nil, err
+	}
+	if info.UserId != -1 {
+		osUser, _ := user.LookupId(F.ToString(info.UserId))
+		if osUser != nil {
+			info.User = osUser.Username
+		}
+	}
+	return info, nil
+}
--- a/common/process/searcher_without_name.go
+++ b/common/process/searcher_without_name.go
@@ -0,0 +1,12 @@
+//go:build !linux || android
+
+package process
+
+import (
+	"context"
+	"net/netip"
+)
+
+func findProcessInfo(searcher Searcher, ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*Info, error) {
+	return searcher.FindProcessInfo(ctx, network, source, destination)
+}
--- a/common/sniff/dns.go
+++ b/common/sniff/dns.go
@@ -26,7 +26,9 @@ func StreamDomainNameQuery(readCtx context.Context, reader io.Reader) (*adapter.
 	if length == 0 {
 		return nil, os.ErrInvalid
 	}
-	buffer := buf.NewSize(int(length))
+	_buffer := buf.StackNewSize(int(length))
+	defer common.KeepAlive(_buffer)
+	buffer := common.Dup(_buffer)
 	defer buffer.Release()

 	readCtx, cancel := context.WithTimeout(readCtx, time.Millisecond*100)
--- a/common/sniff/http.go
+++ b/common/sniff/http.go
@@ -7,7 +7,6 @@ import (

 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
-	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/protocol/http"
 )

@@ -16,5 +15,5 @@ func HTTPHost(ctx context.Context, reader io.Reader) (*adapter.InboundContext, e
 	if err != nil {
 		return nil, err
 	}
-	return &adapter.InboundContext{Protocol: C.ProtocolHTTP, Domain: M.ParseSocksaddr(request.Host).AddrString()}, nil
+	return &adapter.InboundContext{Protocol: C.ProtocolHTTP, Domain: request.Host}, nil
 }
--- a/common/sniff/http_test.go
+++ b/common/sniff/http_test.go
@@ -1,27 +0,0 @@
-package sniff_test
-
-import (
-	"context"
-	"strings"
-	"testing"
-
-	"github.com/sagernet/sing-box/common/sniff"
-
-	"github.com/stretchr/testify/require"
-)
-
-func TestSniffHTTP1(t *testing.T) {
-	t.Parallel()
-	pkt := "GET / HTTP/1.1\r\nHost: www.google.com\r\nAccept: */*\r\n\r\n"
-	metadata, err := sniff.HTTPHost(context.Background(), strings.NewReader(pkt))
-	require.NoError(t, err)
-	require.Equal(t, metadata.Domain, "www.google.com")
-}
-
-func TestSniffHTTP1WithPort(t *testing.T) {
-	t.Parallel()
-	pkt := "GET / HTTP/1.1\r\nHost: www.gov.cn:8080\r\nAccept: */*\r\n\r\n"
-	metadata, err := sniff.HTTPHost(context.Background(), strings.NewReader(pkt))
-	require.NoError(t, err)
-	require.Equal(t, metadata.Domain, "www.gov.cn")
-}
--- a/common/sniff/sniff.go
+++ b/common/sniff/sniff.go
@@ -24,12 +24,12 @@ func PeekStream(ctx context.Context, conn net.Conn, buffer *buf.Buffer, timeout
 	}
 	err := conn.SetReadDeadline(time.Now().Add(timeout))
 	if err != nil {
-		return nil, E.Cause(err, "set read deadline")
+		return nil, err
 	}
 	_, err = buffer.ReadOnceFrom(conn)
 	err = E.Errors(err, conn.SetReadDeadline(time.Time{}))
 	if err != nil {
-		return nil, E.Cause(err, "read payload")
+		return nil, err
 	}
 	var metadata *adapter.InboundContext
 	var errors []error
--- a/common/tls/acme.go
+++ b/common/tls/acme.go
@@ -21,7 +21,6 @@ import (
 type acmeWrapper struct {
 	ctx    context.Context
 	cfg    *certmagic.Config
-	cache  *certmagic.Cache
 	domain []string
 }

@@ -30,7 +29,7 @@ func (w *acmeWrapper) Start() error {
 }

 func (w *acmeWrapper) Close() error {
-	w.cache.Stop()
+	w.cfg.Unmanage(w.domain)
 	return nil
 }

@@ -78,11 +77,10 @@ func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Con
 		acmeConfig.ExternalAccount = (*acme.EAB)(options.ExternalAccount)
 	}
 	config.Issuers = []certmagic.Issuer{certmagic.NewACMEIssuer(config, acmeConfig)}
-	cache := certmagic.NewCache(certmagic.CacheOptions{
+	config = certmagic.New(certmagic.NewCache(certmagic.CacheOptions{
 		GetConfigForCert: func(certificate certmagic.Certificate) (*certmagic.Config, error) {
 			return config, nil
 		},
-	})
-	config = certmagic.New(cache, *config)
-	return config.TLSConfig(), &acmeWrapper{ctx: ctx, cfg: config, cache: cache, domain: options.Domain}, nil
+	}), *config)
+	return config.TLSConfig(), &acmeWrapper{ctx, config, options.Domain}, nil
 }
--- a/common/tls/reality_client.go
+++ b/common/tls/reality_client.go
@@ -111,16 +111,6 @@ func (e *RealityClientConfig) ClientHandshake(ctx context.Context, conn net.Conn
 	if err != nil {
 		return nil, err
 	}
-
-	if len(uConfig.NextProtos) > 0 {
-		for _, extension := range uConn.Extensions {
-			if alpnExtension, isALPN := extension.(*utls.ALPNExtension); isALPN {
-				alpnExtension.AlpnProtocols = uConfig.NextProtos
-				break
-			}
-		}
-	}
-
 	hello := uConn.HandshakeState.Hello
 	hello.SessionId = make([]byte, 32)
 	copy(hello.Raw[39:], hello.SessionId)
@@ -135,7 +125,7 @@ func (e *RealityClientConfig) ClientHandshake(ctx context.Context, conn net.Conn

 	hello.SessionId[0] = 1
 	hello.SessionId[1] = 8
-	hello.SessionId[2] = 1
+	hello.SessionId[2] = 0
 	binary.BigEndian.PutUint32(hello.SessionId[4:], uint32(time.Now().Unix()))
 	copy(hello.SessionId[8:], e.shortID[:])

--- a/common/tls/std_server.go
+++ b/common/tls/std_server.go
@@ -180,7 +180,7 @@ func NewSTDServer(ctx context.Context, router adapter.Router, logger log.Logger,
 		tlsConfig.ServerName = options.ServerName
 	}
 	if len(options.ALPN) > 0 {
-		tlsConfig.NextProtos = append(options.ALPN, tlsConfig.NextProtos...)
+		tlsConfig.NextProtos = append(tlsConfig.NextProtos, options.ALPN...)
 	}
 	if options.MinVersion != "" {
 		minVersion, err := ParseTLSVersion(options.MinVersion)
--- a/common/tls/utls_client.go
+++ b/common/tls/utls_client.go
@@ -3,7 +3,6 @@
 package tls

 import (
-	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"math/rand"
@@ -48,7 +47,7 @@ func (e *UTLSClientConfig) Config() (*STDConfig, error) {
 }

 func (e *UTLSClientConfig) Client(conn net.Conn) (Conn, error) {
-	return &utlsALPNWrapper{utlsConnWrapper{utls.UClient(conn, e.config.Clone(), e.id)}, e.config.NextProtos}, nil
+	return &utlsConnWrapper{utls.UClient(conn, e.config.Clone(), e.id)}, nil
 }

 func (e *UTLSClientConfig) SetSessionIDGenerator(generator func(clientHello []byte, sessionID []byte) error) {
@@ -88,31 +87,6 @@ func (c *utlsConnWrapper) Upstream() any {
 	return c.UConn
 }

-type utlsALPNWrapper struct {
-	utlsConnWrapper
-	nextProtocols []string
-}
-
-func (c *utlsALPNWrapper) HandshakeContext(ctx context.Context) error {
-	if len(c.nextProtocols) > 0 {
-		err := c.BuildHandshakeState()
-		if err != nil {
-			return err
-		}
-		for _, extension := range c.Extensions {
-			if alpnExtension, isALPN := extension.(*utls.ALPNExtension); isALPN {
-				alpnExtension.AlpnProtocols = c.nextProtocols
-				err = c.BuildHandshakeState()
-				if err != nil {
-					return err
-				}
-				break
-			}
-		}
-	}
-	return c.UConn.HandshakeContext(ctx)
-}
-
 func NewUTLSClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (*UTLSClientConfig, error) {
 	var serverName string
 	if options.ServerName != "" {
--- a/common/urltest/urltest.go
+++ b/common/urltest/urltest.go
@@ -10,7 +10,6 @@ import (

 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/common/x/list"
 )

 type History struct {
@@ -21,7 +20,6 @@ type History struct {
 type HistoryStorage struct {
 	access       sync.RWMutex
 	delayHistory map[string]*History
-	callbacks    list.List[func()]
 }

 func NewHistoryStorage() *HistoryStorage {
@@ -30,18 +28,6 @@ func NewHistoryStorage() *HistoryStorage {
 	}
 }

-func (s *HistoryStorage) AddListener(listener func()) *list.Element[func()] {
-	s.access.Lock()
-	defer s.access.Unlock()
-	return s.callbacks.PushBack(listener)
-}
-
-func (s *HistoryStorage) RemoveListener(element *list.Element[func()]) {
-	s.access.Lock()
-	defer s.access.Unlock()
-	s.callbacks.Remove(element)
-}
-
 func (s *HistoryStorage) LoadURLTestHistory(tag string) *History {
 	if s == nil {
 		return nil
@@ -53,30 +39,17 @@ func (s *HistoryStorage) LoadURLTestHistory(tag string) *History {

 func (s *HistoryStorage) DeleteURLTestHistory(tag string) {
 	s.access.Lock()
+	defer s.access.Unlock()
 	delete(s.delayHistory, tag)
-	s.access.Unlock()
-	s.notifyUpdated()
 }

 func (s *HistoryStorage) StoreURLTestHistory(tag string, history *History) {
 	s.access.Lock()
+	defer s.access.Unlock()
 	s.delayHistory[tag] = history
-	s.access.Unlock()
-	s.notifyUpdated()
-}
-
-func (s *HistoryStorage) notifyUpdated() {
-	s.access.RLock()
-	defer s.access.RUnlock()
-	for element := s.callbacks.Front(); element != nil; element = element.Next() {
-		element.Value()
-	}
 }

 func URLTest(ctx context.Context, link string, detour N.Dialer) (t uint16, err error) {
-	if link == "" {
-		link = "https://www.gstatic.com/generate_204"
-	}
 	linkURL, err := url.Parse(link)
 	if err != nil {
 		return
--- a/common/warning/warning.go
+++ b/common/warning/warning.go
@@ -0,0 +1,31 @@
+package warning
+
+import (
+	"sync"
+
+	"github.com/sagernet/sing-box/log"
+)
+
+type Warning struct {
+	logger    log.Logger
+	check     CheckFunc
+	message   string
+	checkOnce sync.Once
+}
+
+type CheckFunc = func() bool
+
+func New(checkFunc CheckFunc, message string) Warning {
+	return Warning{
+		check:   checkFunc,
+		message: message,
+	}
+}
+
+func (w *Warning) Check() {
+	w.checkOnce.Do(func() {
+		if w.check() {
+			log.Warn(w.message)
+		}
+	})
+}
--- a/constant/path.go
+++ b/constant/path.go
@@ -3,13 +3,28 @@ package constant
 import (
 	"os"
 	"path/filepath"
+	"strings"

 	"github.com/sagernet/sing/common/rw"
 )

 const dirName = "sing-box"

-var resourcePaths []string
+var (
+	basePath      string
+	resourcePaths []string
+)
+
+func BasePath(name string) string {
+	if basePath == "" || strings.HasPrefix(name, "/") {
+		return name
+	}
+	return filepath.Join(basePath, name)
+}
+
+func SetBasePath(path string) {
+	basePath = path
+}

 func FindPath(name string) (string, bool) {
 	name = os.ExpandEnv(name)
--- a/debug_go119.go
+++ b/debug_go119.go
@@ -10,7 +10,6 @@ import (
 )

 func applyDebugOptions(options option.DebugOptions) {
-	applyDebugListenOption(options)
 	if options.GCPercent != nil {
 		debug.SetGCPercent(*options.GCPercent)
 	}
--- a/debug_go118.go
+++ b/debug_go118.go
@@ -10,7 +10,6 @@ import (
 )

 func applyDebugOptions(options option.DebugOptions) {
-	applyDebugListenOption(options)
 	if options.GCPercent != nil {
 		debug.SetGCPercent(*options.GCPercent)
 	}
--- a/debug_http.go
+++ b/debug_http.go
@@ -1,67 +0,0 @@
-package box
-
-import (
-	"net/http"
-	"net/http/pprof"
-	"runtime"
-	"runtime/debug"
-
-	"github.com/sagernet/sing-box/common/badjson"
-	"github.com/sagernet/sing-box/common/json"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	E "github.com/sagernet/sing/common/exceptions"
-
-	"github.com/dustin/go-humanize"
-	"github.com/go-chi/chi/v5"
-)
-
-var debugHTTPServer *http.Server
-
-func applyDebugListenOption(options option.DebugOptions) {
-	if debugHTTPServer != nil {
-		debugHTTPServer.Close()
-		debugHTTPServer = nil
-	}
-	if options.Listen == "" {
-		return
-	}
-	r := chi.NewMux()
-	r.Route("/debug", func(r chi.Router) {
-		r.Get("/gc", func(writer http.ResponseWriter, request *http.Request) {
-			writer.WriteHeader(http.StatusNoContent)
-			go debug.FreeOSMemory()
-		})
-		r.Get("/memory", func(writer http.ResponseWriter, request *http.Request) {
-			var memStats runtime.MemStats
-			runtime.ReadMemStats(&memStats)
-
-			var memObject badjson.JSONObject
-			memObject.Put("heap", humanize.IBytes(memStats.HeapInuse))
-			memObject.Put("stack", humanize.IBytes(memStats.StackInuse))
-			memObject.Put("idle", humanize.IBytes(memStats.HeapIdle-memStats.HeapReleased))
-			memObject.Put("goroutines", runtime.NumGoroutine())
-			memObject.Put("rss", rusageMaxRSS())
-
-			encoder := json.NewEncoder(writer)
-			encoder.SetIndent("", "  ")
-			encoder.Encode(memObject)
-		})
-		r.HandleFunc("/pprof", pprof.Index)
-		r.HandleFunc("/pprof/*", pprof.Index)
-		r.HandleFunc("/pprof/cmdline", pprof.Cmdline)
-		r.HandleFunc("/pprof/profile", pprof.Profile)
-		r.HandleFunc("/pprof/symbol", pprof.Symbol)
-		r.HandleFunc("/pprof/trace", pprof.Trace)
-	})
-	debugHTTPServer = &http.Server{
-		Addr:    options.Listen,
-		Handler: r,
-	}
-	go func() {
-		err := debugHTTPServer.ListenAndServe()
-		if err != nil && !E.IsClosed(err) {
-			log.Error(E.Cause(err, "serve debug HTTP server"))
-		}
-	}()
-}
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -1,182 +1,3 @@
-#### 1.3.4
-
-* Fixes and improvements
-* We're now on the [App Store](https://apps.apple.com/us/app/sing-box/id6451272673), always free! It should be noted that due to stricter and slower review, the release of Store versions will be delayed.
-* We've made a standalone version of the macOS client (the original Application Extension relies on App Store distribution), which you can download as SFM-version-universal.zip in the release artifacts.
-
-#### 1.3.3
-
-* Fixes and improvements
-
-#### 1.3.1-rc.1
-
-* Fix bugs and update dependencies
-
-#### 1.3.1-beta.3
-
-* Introducing our [new iOS](/installation/clients/sfi) and [macOS](/installation/clients/sfm) client applications **1**
-* Fixes and improvements
-
-**1**:
-
-The old testflight link and app are no longer valid.
-
-#### 1.3.1-beta.2
-
-* Fix bugs and update dependencies
-
-#### 1.3.1-beta.1
-
-* Fixes and improvements
-
-#### 1.3.0
-
-* Fix bugs and update dependencies
-
-Important changes since 1.2:
-
-* Add [FakeIP](/configuration/dns/fakeip) support **1**
-* Improve multiplex **2**
-* Add [DNS reverse mapping](/configuration/dns#reverse_mapping) support
-* Add `rewrite_ttl` DNS rule action
-* Add `store_fakeip` Clash API option
-* Add multi-peer support for [WireGuard](/configuration/outbound/wireguard#peers) outbound
-* Add loopback detect
-* Add Clash.Meta API compatibility for Clash API
-* Download Yacd-meta by default if the specified Clash `external_ui` directory is empty
-* Add path and headers option for HTTP outbound
-* Perform URLTest recheck after network changes
-* Fix `system` tun stack for ios
-* Fix network monitor for android/ios
-* Update VLESS and XUDP protocol
-* Make splice work with traffic statistics systems like Clash API
-* Significantly reduces memory usage of idle connections
-* Improve DNS caching
-* Add `independent_cache` [option](/configuration/dns#independent_cache) for DNS
-* Reimplemented shadowsocks client
-* Add multiplex support for VLESS outbound
-* Automatically add Windows firewall rules in order for the system tun stack to work
-* Fix TLS 1.2 support for shadow-tls client
-* Add `cache_id` [option](/configuration/experimental#cache_id) for Clash cache file
-* Fix `local` DNS transport for Android
-
-*1*:
-
-See [FAQ](/faq/fakeip) for more information.
-
-*2*:
-
-Added new `h2mux` multiplex protocol and `padding` multiplex option, see [Multiplex](/configuration/shared/multiplex).
-
-#### 1.3-rc2
-
-* Fix `local` DNS transport for Android
-* Fix bugs and update dependencies
-
-#### 1.3-rc1
-
-* Fix bugs and update dependencies
-
-#### 1.3-beta14
-
-* Fixes and improvements
-
-#### 1.3-beta13
-
-* Fix resolving fakeip domains  **1**
-* Deprecate L3 routing
-* Fix bugs and update dependencies
-
-**1**:
-
-If the destination address of the connection is obtained from fakeip, dns rules with server type fakeip will be skipped.
-
-#### 1.3-beta12
-
-* Automatically add Windows firewall rules in order for the system tun stack to work
-* Fix TLS 1.2 support for shadow-tls client
-* Add `cache_id` [option](/configuration/experimental#cache_id) for Clash cache file
-* Fixes and improvements
-
-#### 1.3-beta11
-
-* Fix bugs and update dependencies
-
-#### 1.3-beta10
-
-* Improve direct copy **1**
-* Improve DNS caching
-* Add `independent_cache` [option](/configuration/dns#independent_cache) for DNS
-* Reimplemented shadowsocks client **2**
-* Add multiplex support for VLESS outbound
-* Set TCP keepalive for WireGuard gVisor TCP connections
-* Fixes and improvements
-
-**1**:
-
-* Make splice work with traffic statistics systems like Clash API
-* Significantly reduces memory usage of idle connections
-
-**2**:
-
-Improved performance and reduced memory usage.
-
-#### 1.3-beta9
-
-* Improve multiplex **1**
-* Fixes and improvements
-
-*1*:
-
-Added new `h2mux` multiplex protocol and `padding` multiplex option, see [Multiplex](/configuration/shared/multiplex).
-
-#### 1.2.6
-
-* Fix bugs and update dependencies
-
-#### 1.3-beta8
-
-* Fix `system` tun stack for ios
-* Fix network monitor for android/ios
-* Update VLESS and XUDP protocol **1**
-* Fixes and improvements
-
-*1:
-
-This is an incompatible update for XUDP in VLESS if vision flow is enabled.
-
-#### 1.3-beta7
-
-* Add `path` and `headers` options for HTTP outbound
-* Add multi-user support for Shadowsocks legacy AEAD inbound
-* Fixes and improvements
-
-#### 1.2.4
-
-* Fixes and improvements
-
-#### 1.3-beta6
-
-* Fix WireGuard reconnect
-* Perform URLTest recheck after network changes
-* Fix bugs and update dependencies
-
-#### 1.3-beta5
-
-* Add Clash.Meta API compatibility for Clash API
-* Download Yacd-meta by default if the specified Clash `external_ui` directory is empty
-* Add path and headers option for HTTP outbound
-* Fixes and improvements
-
-#### 1.3-beta4
-
-* Fix bugs
-
-#### 1.3-beta2
-
-* Download clash-dashboard if the specified Clash `external_ui` directory is empty
-* Fix bugs and update dependencies
-
 #### 1.3-beta1

 * Add [DNS reverse mapping](/configuration/dns#reverse_mapping) support
--- a/docs/configuration/dns/index.md
+++ b/docs/configuration/dns/index.md
@@ -11,7 +11,6 @@
    "strategy": "",
    "disable_cache": false,
    "disable_expire": false,
-    "independent_cache": false,
    "reverse_mapping": false,
    "fakeip": {}
  }
@@ -49,10 +48,6 @@ Disable dns cache.

 Disable dns cache expire.

-#### independent_cache
-
-Make each DNS server's cache independent for special purposes. If enabled, will slightly degrade performance.
-
 #### reverse_mapping

 Stores a reverse mapping of IP addresses after responding to a DNS query in order to provide domain names when routing.
--- a/docs/configuration/dns/index.zh.md
+++ b/docs/configuration/dns/index.zh.md
@@ -11,7 +11,6 @@
    "strategy": "",
    "disable_cache": false,
    "disable_expire": false,
-    "independent_cache": false,
    "reverse_mapping": false,
    "fakeip": {}
  }
@@ -48,10 +47,6 @@

 禁用 DNS 缓存过期。

-#### independent_cache
-
-使每个 DNS 服务器的缓存独立，以满足特殊目的。如果启用，将轻微降低性能。
-
 #### reverse_mapping

 在响应 DNS 查询后存储 IP 地址的反向映射以为路由目的提供域名。
--- a/docs/configuration/dns/server.md
+++ b/docs/configuration/dns/server.md
@@ -30,18 +30,18 @@ The tag of the dns server.

 The address of the dns server.

-| Protocol                            | Format                        |
-|-------------------------------------|-------------------------------|
-| `System`                            | `local`                       |
-| `TCP`                               | `tcp://1.0.0.1`               |
-| `UDP`                               | `8.8.8.8` `udp://8.8.4.4`     |
-| `TLS`                               | `tls://dns.google`            |
-| `HTTPS`                             | `https://1.1.1.1/dns-query`   |
-| `QUIC`                              | `quic://dns.adguard.com`      |
-| `HTTP3`                             | `h3://8.8.8.8/dns-query`      |
-| `RCode`                             | `rcode://refused`             |
-| `DHCP`                              | `dhcp://auto` or `dhcp://en0` |
-| [FakeIP](/configuration/dns/fakeip) | `fakeip`                      |
+| Protocol            | Format                        |
+|---------------------|-------------------------------|
+| `System`            | `local`                       |
+| `TCP`               | `tcp://1.0.0.1`               |
+| `UDP`               | `8.8.8.8` `udp://8.8.4.4`     |
+| `TLS`               | `tls://dns.google`            |
+| `HTTPS`             | `https://1.1.1.1/dns-query`   |
+| `QUIC`              | `quic://dns.adguard.com`      |
+| `HTTP3`             | `h3://8.8.8.8/dns-query`      |
+| `RCode`             | `rcode://refused`             |
+| `DHCP`              | `dhcp://auto` or `dhcp://en0` |
+|  [FakeIP](./fakeip) | `fakeip`                      |

 !!! warning ""

@@ -94,4 +94,4 @@ Take no effect if override by other settings.

 Tag of an outbound for connecting to the dns server.

-Default outbound will be used if empty.
+Default outbound will be used if empty.
--- a/docs/configuration/dns/server.zh.md
+++ b/docs/configuration/dns/server.zh.md
@@ -30,18 +30,18 @@ DNS 服务器的标签。

 DNS 服务器的地址。

-| 协议                                  | 格式                           |
-|-------------------------------------|------------------------------|
-| `System`                            | `local`                      |
-| `TCP`                               | `tcp://1.0.0.1`              |
-| `UDP`                               | `8.8.8.8` `udp://8.8.4.4`    |
-| `TLS`                               | `tls://dns.google`           |
-| `HTTPS`                             | `https://1.1.1.1/dns-query`  |
-| `QUIC`                              | `quic://dns.adguard.com`     |
-| `HTTP3`                             | `h3://8.8.8.8/dns-query`     |
-| `RCode`                             | `rcode://refused`            |
-| `DHCP`                              | `dhcp://auto` 或 `dhcp://en0` |
-| [FakeIP](/configuration/dns/fakeip) | `fakeip`                     |
+| 协议                 | 格式                           |
+|--------------------|------------------------------|
+| `System`           | `local`                      |
+| `TCP`              | `tcp://1.0.0.1`              |
+| `UDP`              | `8.8.8.8` `udp://8.8.4.4`    |
+| `TLS`              | `tls://dns.google`           |
+| `HTTPS`            | `https://1.1.1.1/dns-query`  |
+| `QUIC`             | `quic://dns.adguard.com`     |
+| `HTTP3`            | `h3://8.8.8.8/dns-query`     |
+| `RCode`            | `rcode://refused`            |
+| `DHCP`             | `dhcp://auto` 或 `dhcp://en0` |
+| [FakeIP](./fakeip) | `fakeip`                     |

 !!! warning ""

--- a/docs/configuration/experimental/index.md
+++ b/docs/configuration/experimental/index.md
@@ -7,14 +7,11 @@
  "experimental": {
    "clash_api": {
      "external_controller": "127.0.0.1:9090",
-      "external_ui": "",
-      "external_ui_download_url": "",
-      "external_ui_download_detour": "",
+      "external_ui": "folder",
      "secret": "",
-      "default_mode": "",
+      "default_mode": "rule",
      "store_selected": false,
-      "cache_file": "",
-      "cache_id": ""
+      "cache_file": "cache.db"
    },
    "v2ray_api": {
      "listen": "127.0.0.1:8080",
@@ -56,18 +53,6 @@ A relative path to the configuration directory or an absolute path to a
 directory in which you put some static web resource. sing-box will then
 serve it at `http://{{external-controller}}/ui`.

-#### external_ui_download_url
-
-ZIP download URL for the external UI, will be used if the specified `external_ui` directory is empty.
-
-`https://github.com/MetaCubeX/Yacd-meta/archive/gh-pages.zip` will be used if empty.
-
-#### external_ui_download_detour
-
-The tag of the outbound to download the external UI.
-
-Default outbound will be used if empty.
-
 #### secret

 Secret for the RESTful API (optional)
@@ -92,12 +77,6 @@ Store selected outbound for the `Selector` outbound in cache file.

 Cache file path, `cache.db` will be used if empty.

-#### cache_id
-
-Cache ID.
-
-If not empty, `store_selected` will use a separate store keyed by it.
-
 ### V2Ray API Fields

 !!! error ""
--- a/docs/configuration/experimental/index.zh.md
+++ b/docs/configuration/experimental/index.zh.md
@@ -7,14 +7,11 @@
  "experimental": {
    "clash_api": {
      "external_controller": "127.0.0.1:9090",
-      "external_ui": "",
-      "external_ui_download_url": "",
-      "external_ui_download_detour": "",
+      "external_ui": "folder",
      "secret": "",
-      "default_mode": "",
+      "default_mode": "rule",
      "store_selected": false,
-      "cache_file": "",
-      "cache_id": ""
+      "cache_file": "cache.db"
    },
    "v2ray_api": {
      "listen": "127.0.0.1:8080",
@@ -54,18 +51,6 @@ RESTful web API 监听地址。如果为空，则禁用 Clash API。

 到静态网页资源目录的相对路径或绝对路径。sing-box 会在 `http://{{external-controller}}/ui` 下提供它。

-#### external_ui_download_url
-
-静态网页资源的 ZIP 下载 URL，如果指定的 `external_ui` 目录为空，将使用。
-
-默认使用 `https://github.com/MetaCubeX/Yacd-meta/archive/gh-pages.zip`。
-
-#### external_ui_download_detour
-
-用于下载静态网页资源的出站的标签。
-
-如果为空，将使用默认出站。
-
 #### secret

 RESTful API 的密钥（可选）
@@ -90,12 +75,6 @@ Clash 中的默认模式，默认使用 `rule`。

 缓存文件路径，默认使用`cache.db`。

-#### cache_id
-
-缓存 ID。
-
-如果不为空，`store_selected` 将会使用以此为键的独立存储。
-
 ### V2Ray API 字段

 !!! error ""
--- a/docs/configuration/outbound/http.md
+++ b/docs/configuration/outbound/http.md
@@ -11,8 +11,6 @@
  "server_port": 1080,
  "username": "sekai",
  "password": "admin",
-  "path": "",
-  "headers": {},
  "tls": {},
  
  ... // Dial Fields
@@ -41,14 +39,6 @@ Basic authorization username.

 Basic authorization password.

-#### path
-
-Path of HTTP request.
-
-#### headers
-
-Extra headers of HTTP request.
-
 #### tls

 TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
--- a/docs/configuration/outbound/http.zh.md
+++ b/docs/configuration/outbound/http.zh.md
@@ -11,8 +11,6 @@
  "server_port": 1080,
  "username": "sekai",
  "password": "admin",
-  "path": "",
-  "headers": {},
  "tls": {},

  ... // 拨号字段
@@ -41,14 +39,6 @@ Basic 认证用户名。

 Basic 认证密码。

-#### path
-
-HTTP 请求路径。
-
-#### headers
-
-HTTP 请求的额外标头。
-
 #### tls

 TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
--- a/docs/configuration/outbound/urltest.md
+++ b/docs/configuration/outbound/urltest.md
@@ -10,7 +10,7 @@
    "proxy-b",
    "proxy-c"
  ],
-  "url": "https://www.gstatic.com/generate_204",
+  "url": "http://www.gstatic.com/generate_204",
  "interval": "1m",
  "tolerance": 50
 }
@@ -26,7 +26,7 @@ List of outbound tags to test.

 #### url

-The URL to test. `https://www.gstatic.com/generate_204` will be used if empty.
+The URL to test. `http://www.gstatic.com/generate_204` will be used if empty.

 #### interval

--- a/docs/configuration/outbound/urltest.zh.md
+++ b/docs/configuration/outbound/urltest.zh.md
@@ -10,7 +10,7 @@
    "proxy-b",
    "proxy-c"
  ],
-  "url": "https://www.gstatic.com/generate_204",
+  "url": "http://www.gstatic.com/generate_204",
  "interval": "1m",
  "tolerance": 50
 }
@@ -26,7 +26,7 @@

 #### url

-用于测试的链接。默认使用 `https://www.gstatic.com/generate_204`。
+用于测试的链接。默认使用 `http://www.gstatic.com/generate_204`。

 #### interval

--- a/docs/configuration/route/index.md
+++ b/docs/configuration/route/index.md
@@ -7,6 +7,7 @@
  "route": {
    "geoip": {},
    "geosite": {},
+    "ip_rules": [],
    "rules": [],
    "final": "",
    "auto_detect_interface": false,
@@ -23,6 +24,7 @@
 |------------|------------------------------------|
 | `geoip`    | [GeoIP](./geoip)                   |
 | `geosite`  | [Geosite](./geosite)               |
+| `ip_rules` | List of [IP Route Rule](./ip-rule) |
 | `rules`    | List of [Route Rule](./rule)       |

 #### final
--- a/docs/configuration/shared/multiplex.md
+++ b/docs/configuration/shared/multiplex.md
@@ -10,8 +10,7 @@
  "protocol": "smux",
  "max_connections": 4,
  "min_streams": 4,
-  "max_streams": 0,
-  "padding": false
+  "max_streams": 0
 }
 ```

@@ -29,9 +28,8 @@ Multiplex protocol.
 |----------|------------------------------------|
 | smux     | https://github.com/xtaci/smux      |
 | yamux    | https://github.com/hashicorp/yamux |
-| h2mux    | https://golang.org/x/net/http2     |

-h2mux is used by default.
+SMux is used by default.

 #### max_connections

@@ -50,12 +48,3 @@ Conflict with `max_streams`.
 Maximum multiplexed streams in a connection before opening a new connection.

 Conflict with `max_connections` and `min_streams`.
-
-#### padding
-
-!!! info
-
-    Requires sing-box server version 1.3-beta9 or later.
-
-Enable padding.
-
--- a/docs/configuration/shared/multiplex.zh.md
+++ b/docs/configuration/shared/multiplex.zh.md
@@ -28,9 +28,8 @@
 |-------|------------------------------------|
 | smux  | https://github.com/xtaci/smux      |
 | yamux | https://github.com/hashicorp/yamux |
-| h2mux | https://golang.org/x/net/http2     |

-默认使用 h2mux。
+默认使用 SMux。

 #### max_connections

@@ -48,13 +47,4 @@

 在打开新连接之前，连接中的最大多路复用流数量。

-与 `max_connections` 和 `min_streams` 冲突。
-
-#### padding
-
-!!! info
-
-    需要 sing-box 服务器版本 1.3-beta9 或更高。
-
-启用填充。
-
+与 `max_connections` 和 `min_streams` 冲突。
--- a/docs/examples/fakeip.md
+++ b/docs/examples/fakeip.md
@@ -1,106 +0,0 @@
-```json
-{
-  "dns": {
-    "servers": [
-      {
-        "tag": "google",
-        "address": "tls://8.8.8.8"
-      },
-      {
-        "tag": "local",
-        "address": "223.5.5.5",
-        "detour": "direct"
-      },
-      {
-        "tag": "remote",
-        "address": "fakeip"
-      },
-      {
-        "tag": "block",
-        "address": "rcode://success"
-      }
-    ],
-    "rules": [
-      {
-        "geosite": "category-ads-all",
-        "server": "block",
-        "disable_cache": true
-      },
-      {
-        "outbound": "any",
-        "server": "local"
-      },
-      {
-        "geosite": "cn",
-        "server": "local"
-      },
-      {
-        "query_type": [
-          "A",
-          "AAAA"
-        ],
-        "server": "remote"
-      }
-    ],
-    "fakeip": {
-      "enabled": true,
-      "inet4_range": "198.18.0.0/15",
-      "inet6_range": "fc00::/18"
-    },
-    "independent_cache": true,
-    "strategy": "ipv4_only"
-  },
-  "inbounds": [
-    {
-      "type": "tun",
-      "inet4_address": "172.19.0.1/30",
-      "auto_route": true,
-      "sniff": true,
-      "domain_strategy": "ipv4_only" // remove this line if you want to resolve the domain remotely (if the server is not sing-box, UDP may not work due to wrong behavior).
-    }
-  ],
-  "outbounds": [
-    {
-      "type": "shadowsocks",
-      "tag": "proxy",
-      "server": "mydomain.com",
-      "server_port": 8080,
-      "method": "2022-blake3-aes-128-gcm",
-      "password": "8JCsPssfgS8tiRwiMlhARg=="
-    },
-    {
-      "type": "direct",
-      "tag": "direct"
-    },
-    {
-      "type": "block",
-      "tag": "block"
-    },
-    {
-      "type": "dns",
-      "tag": "dns-out"
-    }
-  ],
-  "route": {
-    "rules": [
-      {
-        "protocol": "dns",
-        "outbound": "dns-out"
-      },
-      {
-        "geosite": "cn",
-        "geoip": [
-          "private",
-          "cn"
-        ],
-        "outbound": "direct"
-      },
-      {
-        "geosite": "category-ads-all",
-        "outbound": "block"
-      }
-    ],
-    "auto_detect_interface": true
-  }
-}
-```
--- a/docs/examples/fakeip.zh.md
+++ b/docs/examples/fakeip.zh.md
@@ -1,106 +0,0 @@
-```json
-{
-  "dns": {
-    "servers": [
-      {
-        "tag": "google",
-        "address": "tls://8.8.8.8"
-      },
-      {
-        "tag": "local",
-        "address": "223.5.5.5",
-        "detour": "direct"
-      },
-      {
-        "tag": "remote",
-        "address": "fakeip"
-      },
-      {
-        "tag": "block",
-        "address": "rcode://success"
-      }
-    ],
-    "rules": [
-      {
-        "geosite": "category-ads-all",
-        "server": "block",
-        "disable_cache": true
-      },
-      {
-        "outbound": "any",
-        "server": "local"
-      },
-      {
-        "geosite": "cn",
-        "server": "local"
-      },
-      {
-        "query_type": [
-          "A",
-          "AAAA"
-        ],
-        "server": "remote"
-      }
-    ],
-    "fakeip": {
-      "enabled": true,
-      "inet4_range": "198.18.0.0/15",
-      "inet6_range": "fc00::/18"
-    },
-    "independent_cache": true,
-    "strategy": "ipv4_only"
-  },
-  "inbounds": [
-    {
-      "type": "tun",
-      "inet4_address": "172.19.0.1/30",
-      "auto_route": true,
-      "sniff": true,
-      "domain_strategy": "ipv4_only" // 如果您想在远程解析域，删除此行 (如果服务器程序不为 sing-box，可能由于错误的行为导致 UDP 无法使用)。
-    }
-  ],
-  "outbounds": [
-    {
-      "type": "shadowsocks",
-      "tag": "proxy",
-      "server": "mydomain.com",
-      "server_port": 8080,
-      "method": "2022-blake3-aes-128-gcm",
-      "password": "8JCsPssfgS8tiRwiMlhARg=="
-    },
-    {
-      "type": "direct",
-      "tag": "direct"
-    },
-    {
-      "type": "block",
-      "tag": "block"
-    },
-    {
-      "type": "dns",
-      "tag": "dns-out"
-    }
-  ],
-  "route": {
-    "rules": [
-      {
-        "protocol": "dns",
-        "outbound": "dns-out"
-      },
-      {
-        "geosite": "cn",
-        "geoip": [
-          "private",
-          "cn"
-        ],
-        "outbound": "direct"
-      },
-      {
-        "geosite": "category-ads-all",
-        "outbound": "block"
-      }
-    ],
-    "auto_detect_interface": true
-  }
-}
-```
--- a/docs/examples/index.md
+++ b/docs/examples/index.md
@@ -9,4 +9,3 @@ Configuration examples for sing-box.
 * [ShadowTLS](./shadowtls)
 * [Clash API](./clash-api)
 * [WireGuard Direct](./wireguard-direct)
-* [FakeIP](./fakeip)
--- a/docs/examples/index.zh.md
+++ b/docs/examples/index.zh.md
@@ -9,4 +9,3 @@ sing-box 的配置示例。
 * [ShadowTLS](./shadowtls)
 * [Clash API](./clash-api)
 * [WireGuard Direct](./wireguard-direct)
-* [FakeIP](./fakeip)
--- a/docs/faq/fakeip.md
+++ b/docs/faq/fakeip.md
@@ -5,7 +5,8 @@ responds to DNS requests with virtual results and restores mapping when acceptin

 #### Advantage

-*
+* Retrieve the requested domain in places like IP routing (L3) where traffic detection is not possible to assist with routing.
+* Decrease an RTT on the first TCP request to a domain (the most common reason).

 #### Limitation

@@ -14,6 +15,6 @@ responds to DNS requests with virtual results and restores mapping when acceptin

 #### Recommendation

-* Enable `dns.independent_cache` unless you always resolve FakeIP domains remotely.
+* Do not use if you do not need L3 routing.
 * If using tun, make sure FakeIP ranges is included in the tun's routes.
 * Enable `experimental.clash_api.store_fakeip` to persist FakeIP records, or use `dns.rules.rewrite_ttl` to avoid losing records after program restart in DNS cached environments.
--- a/docs/faq/fakeip.zh.md
+++ b/docs/faq/fakeip.zh.md
@@ -4,7 +4,8 @@ FakeIP 是指同时劫持 DNS 和连接请求的程序中的一种行为。它

 #### 优点

-*
+* 在像 L3 路由这样无法进行流量探测的地方检索所请求的域名，以协助路由。
+* 减少对一个域的第一个 TCP 请求的 RTT（这是最常见的原因）。

 #### 限制

@@ -13,6 +14,6 @@ FakeIP 是指同时劫持 DNS 和连接请求的程序中的一种行为。它

 #### 建议

-* 启用 `dns.independent_cache` 除非您始终远程解析 FakeIP 域。
+* 如果不需要 L3 路由，请勿使用。
 * 如果使用 tun，请确保 tun 路由中包含 FakeIP 地址范围。
 * 启用 `experimental.clash_api.store_fakeip` 以持久化 FakeIP 记录，或者使用 `dns.rules.rewrite_ttl` 避免程序重启后在 DNS 被缓存的环境中丢失记录。
--- a/docs/installation/clients/sfa.md
+++ b/docs/installation/clients/sfa.md
@@ -12,6 +12,5 @@ Experimental Android client for sing-box.

 #### Note

-* User Agent in remote profile request is `SFA/$version ($version_code; sing-box $sing_box_version)`
-* The working directory is located at `/sdcard/Android/data/io.nekohasekai.sfa/files` (External files directory)
-* Crash logs is located in `$working_directory/stderr.log`
+* Working directory is at `/sdcard/Android/data/io.nekohasekai.sfa/files` (External files directory)
+* User Agent is `SFA/$version ($version_code; sing-box $sing_box_version)` in the remote profile request
--- a/docs/installation/clients/sfa.zh.md
+++ b/docs/installation/clients/sfa.zh.md
@@ -12,6 +12,5 @@

 #### 注意事项

-* 远程配置文件请求中的 User Agent 为 `SFA/$version ($version_code; sing-box $sing_box_version)`
 * 工作目录位于 `/sdcard/Android/data/io.nekohasekai.sfa/files` (外部文件目录)
-* 崩溃日志位于 `$working_directory/stderr.log`
+* 远程配置文件请求中的 User Agent 为 `SFA/$version ($version_code; sing-box $sing_box_version)`
--- a/docs/installation/clients/sfi.md
+++ b/docs/installation/clients/sfi.md
@@ -9,13 +9,12 @@ Experimental iOS client for sing-box.

 #### Download

-* [AppStore](https://apps.apple.com/us/app/sing-box/id6451272673)
-* [TestFlight](https://testflight.apple.com/join/AcqO44FH)
+* [TestFlight](https://testflight.apple.com/join/c6ylui2j)

 #### Note

-* User Agent in remote profile request is `SFI/$version ($version_code; sing-box $sing_box_version)`
-* Crash logs is located in `Settings` -> `View Service Log`
+* `system` tun stack not working on iOS
+* User Agent is `SFI/$version ($version_code; sing-box $sing_box_version)` in the remote profile request

 #### Privacy policy

--- a/docs/installation/clients/sfi.zh.md
+++ b/docs/installation/clients/sfi.zh.md
@@ -9,13 +9,12 @@

 #### 下载

-* [AppStore](https://apps.apple.com/us/app/sing-box/id6451272673)
-* [TestFlight](https://testflight.apple.com/join/AcqO44FH)
+* [TestFlight](https://testflight.apple.com/join/c6ylui2j)

 #### 注意事项

+* `system` tun stack 在 iOS 不工作
 * 远程配置文件请求中的 User Agent 为 `SFI/$version ($version_code; sing-box $sing_box_version)`
-* 崩溃日志位于 `设置` -> `查看服务日志`

 #### 隐私政策

--- a/docs/installation/clients/sfm.md
+++ b/docs/installation/clients/sfm.md
@@ -1,22 +0,0 @@
-# SFM
-
-Experimental macOS client for sing-box.
-
-#### Requirements
-
-* macOS 13.0+
-
-#### Download
-
-* [AppStore](https://apps.apple.com/us/app/sing-box/id6451272673)
-* [TestFlight](https://testflight.apple.com/join/AcqO44FH)
-
-#### Note
-
-* User Agent in remote profile request is `SFM/$version ($version_code; sing-box $sing_box_version)`
-* Crash logs is located in `Settings` -> `View Service Log`
-
-#### Privacy policy
-
-* SFI did not collect or share personal data.
-* The data generated by the software is always on your device.
--- a/docs/installation/clients/sfm.zh.md
+++ b/docs/installation/clients/sfm.zh.md
@@ -1,22 +0,0 @@
-# SFM
-
-实验性的 macOS sing-box 客户端。
-
-#### 要求
-
-* macOS 13.0+
-
-#### 下载
-
-* [AppStore](https://apps.apple.com/us/app/sing-box/id6451272673)
-* [TestFlight](https://testflight.apple.com/join/AcqO44FH)
-
-#### 注意事项
-
-* 远程配置文件请求中的 User Agent 为 `SFM/$version ($version_code; sing-box $sing_box_version)`
-* 崩溃日志位于 `设置` -> `查看服务日志`
-
-#### 隐私政策
-
-* SFM 不收集或共享个人数据。
-* 软件生成的数据始终在您的设备上。
--- a/docs/support.md
+++ b/docs/support.md
@@ -1,4 +1,8 @@
-Github Issue: [Issues · SagerNet/sing-box](https://github.com/SagerNet/sing-box/issues)  
-Telegram Notification channel: [@yapnc](https://t.me/yapnc)  
-Telegram User group: [@yapug](https://t.me/yapug)  
-Email: [contact@sagernet.org](mailto:contact@sagernet.org)
+#### Github
+
+Issue: [Issues · SagerNet/sing-box](https://github.com/SagerNet/sing-box/issues)
+
+#### Telegram
+
+Notification channel: [@yapnc](https://t.me/yapnc)  
+User group: [@yapug](https://t.me/yapug)
--- a/docs/support.zh.md
+++ b/docs/support.zh.md
@@ -1,4 +1,8 @@
-Github 工单: [Issues · SagerNet/sing-box](https://github.com/SagerNet/sing-box/issues)  
-Telegram 通知频道: [@yapnc](https://t.me/yapnc)  
-Telegram 用户组: [@yapug](https://t.me/yapug)  
-Email: [contact@sagernet.org](mailto:contact@sagernet.org)
+#### Github
+
+工单: [Issues · SagerNet/sing-box](https://github.com/SagerNet/sing-box/issues)
+
+#### Telegram
+
+通知频道: [@yapnc](https://t.me/yapnc)  
+用户组: [@yapug](https://t.me/yapug)
--- a/experimental/clashapi.go
+++ b/experimental/clashapi.go
@@ -1,7 +1,6 @@
 package experimental

 import (
-	"context"
 	"os"

 	"github.com/sagernet/sing-box/adapter"
@@ -9,7 +8,7 @@ import (
 	"github.com/sagernet/sing-box/option"
 )

-type ClashServerConstructor = func(ctx context.Context, router adapter.Router, logFactory log.ObservableFactory, options option.ClashAPIOptions) (adapter.ClashServer, error)
+type ClashServerConstructor = func(router adapter.Router, logFactory log.ObservableFactory, options option.ClashAPIOptions) (adapter.ClashServer, error)

 var clashServerConstructor ClashServerConstructor

@@ -17,9 +16,9 @@ func RegisterClashServerConstructor(constructor ClashServerConstructor) {
 	clashServerConstructor = constructor
 }

-func NewClashServer(ctx context.Context, router adapter.Router, logFactory log.ObservableFactory, options option.ClashAPIOptions) (adapter.ClashServer, error) {
+func NewClashServer(router adapter.Router, logFactory log.ObservableFactory, options option.ClashAPIOptions) (adapter.ClashServer, error) {
 	if clashServerConstructor == nil {
 		return nil, os.ErrInvalid
 	}
-	return clashServerConstructor(ctx, router, logFactory, options)
+	return clashServerConstructor(router, logFactory, options)
 }
--- a/experimental/clashapi/api_meta.go
+++ b/experimental/clashapi/api_meta.go
@@ -1,78 +0,0 @@
-package clashapi
-
-import (
-	"bytes"
-	"net/http"
-	"time"
-
-	"github.com/sagernet/sing-box/common/json"
-	"github.com/sagernet/sing-box/experimental/clashapi/trafficontrol"
-	"github.com/sagernet/websocket"
-
-	"github.com/go-chi/chi/v5"
-	"github.com/go-chi/render"
-)
-
-// API created by Clash.Meta
-
-func (s *Server) setupMetaAPI(r chi.Router) {
-	r.Get("/memory", memory(s.trafficManager))
-	r.Mount("/group", groupRouter(s))
-}
-
-type Memory struct {
-	Inuse   uint64 `json:"inuse"`
-	OSLimit uint64 `json:"oslimit"` // maybe we need it in the future
-}
-
-func memory(trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
-	return func(w http.ResponseWriter, r *http.Request) {
-		var wsConn *websocket.Conn
-		if websocket.IsWebSocketUpgrade(r) {
-			var err error
-			wsConn, err = upgrader.Upgrade(w, r, nil)
-			if err != nil {
-				return
-			}
-		}
-
-		if wsConn == nil {
-			w.Header().Set("Content-Type", "application/json")
-			render.Status(r, http.StatusOK)
-		}
-
-		tick := time.NewTicker(time.Second)
-		defer tick.Stop()
-		buf := &bytes.Buffer{}
-		var err error
-		first := true
-		for range tick.C {
-			buf.Reset()
-
-			inuse := trafficManager.Snapshot().Memory
-
-			// make chat.js begin with zero
-			// this is shit var,but we need output 0 for first time
-			if first {
-				first = false
-				inuse = 0
-			}
-			if err := json.NewEncoder(buf).Encode(Memory{
-				Inuse:   inuse,
-				OSLimit: 0,
-			}); err != nil {
-				break
-			}
-			if wsConn == nil {
-				_, err = w.Write(buf.Bytes())
-				w.(http.Flusher).Flush()
-			} else {
-				err = wsConn.WriteMessage(websocket.TextMessage, buf.Bytes())
-			}
-
-			if err != nil {
-				break
-			}
-		}
-	}
-}
--- a/experimental/clashapi/api_meta_group.go
+++ b/experimental/clashapi/api_meta_group.go
@@ -1,136 +0,0 @@
-package clashapi
-
-import (
-	"context"
-	"net/http"
-	"strconv"
-	"strings"
-	"sync"
-	"time"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/badjson"
-	"github.com/sagernet/sing-box/common/urltest"
-	"github.com/sagernet/sing-box/outbound"
-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/batch"
-
-	"github.com/go-chi/chi/v5"
-	"github.com/go-chi/render"
-)
-
-func groupRouter(server *Server) http.Handler {
-	r := chi.NewRouter()
-	r.Get("/", getGroups(server))
-	r.Route("/{name}", func(r chi.Router) {
-		r.Use(parseProxyName, findProxyByName(server.router))
-		r.Get("/", getGroup(server))
-		r.Get("/delay", getGroupDelay(server))
-	})
-	return r
-}
-
-func getGroups(server *Server) func(w http.ResponseWriter, r *http.Request) {
-	return func(w http.ResponseWriter, r *http.Request) {
-		groups := common.Map(common.Filter(server.router.Outbounds(), func(it adapter.Outbound) bool {
-			_, isGroup := it.(adapter.OutboundGroup)
-			return isGroup
-		}), func(it adapter.Outbound) *badjson.JSONObject {
-			return proxyInfo(server, it)
-		})
-		render.JSON(w, r, render.M{
-			"proxies": groups,
-		})
-	}
-}
-
-func getGroup(server *Server) func(w http.ResponseWriter, r *http.Request) {
-	return func(w http.ResponseWriter, r *http.Request) {
-		proxy := r.Context().Value(CtxKeyProxy).(adapter.Outbound)
-		if _, ok := proxy.(adapter.OutboundGroup); ok {
-			render.JSON(w, r, proxyInfo(server, proxy))
-			return
-		}
-		render.Status(r, http.StatusNotFound)
-		render.JSON(w, r, ErrNotFound)
-	}
-}
-
-func getGroupDelay(server *Server) func(w http.ResponseWriter, r *http.Request) {
-	return func(w http.ResponseWriter, r *http.Request) {
-		proxy := r.Context().Value(CtxKeyProxy).(adapter.Outbound)
-		group, ok := proxy.(adapter.OutboundGroup)
-		if !ok {
-			render.Status(r, http.StatusNotFound)
-			render.JSON(w, r, ErrNotFound)
-			return
-		}
-
-		query := r.URL.Query()
-		url := query.Get("url")
-		if strings.HasPrefix(url, "http://") {
-			url = ""
-		}
-		timeout, err := strconv.ParseInt(query.Get("timeout"), 10, 32)
-		if err != nil {
-			render.Status(r, http.StatusBadRequest)
-			render.JSON(w, r, ErrBadRequest)
-			return
-		}
-
-		ctx, cancel := context.WithTimeout(r.Context(), time.Millisecond*time.Duration(timeout))
-		defer cancel()
-
-		var result map[string]uint16
-		if urlTestGroup, isURLTestGroup := group.(adapter.URLTestGroup); isURLTestGroup {
-			result, err = urlTestGroup.URLTest(ctx, url)
-		} else {
-			outbounds := common.FilterNotNil(common.Map(group.All(), func(it string) adapter.Outbound {
-				itOutbound, _ := server.router.Outbound(it)
-				return itOutbound
-			}))
-			b, _ := batch.New(ctx, batch.WithConcurrencyNum[any](10))
-			checked := make(map[string]bool)
-			result = make(map[string]uint16)
-			var resultAccess sync.Mutex
-			for _, detour := range outbounds {
-				tag := detour.Tag()
-				realTag := outbound.RealTag(detour)
-				if checked[realTag] {
-					continue
-				}
-				checked[realTag] = true
-				p, loaded := server.router.Outbound(realTag)
-				if !loaded {
-					continue
-				}
-				b.Go(realTag, func() (any, error) {
-					t, err := urltest.URLTest(ctx, url, p)
-					if err != nil {
-						server.logger.Debug("outbound ", tag, " unavailable: ", err)
-						server.urlTestHistory.DeleteURLTestHistory(realTag)
-					} else {
-						server.logger.Debug("outbound ", tag, " available: ", t, "ms")
-						server.urlTestHistory.StoreURLTestHistory(realTag, &urltest.History{
-							Time:  time.Now(),
-							Delay: t,
-						})
-						resultAccess.Lock()
-						result[tag] = t
-						resultAccess.Unlock()
-					}
-					return nil, nil
-				})
-			}
-			b.Wait()
-		}
-
-		if err != nil {
-			render.Status(r, http.StatusGatewayTimeout)
-			render.JSON(w, r, newError(err.Error()))
-			return
-		}
-
-		render.JSON(w, r, result)
-	}
-}
--- a/experimental/clashapi/cachefile/cache.go
+++ b/experimental/clashapi/cachefile/cache.go
@@ -1,10 +1,7 @@
 package cachefile

 import (
-	"net/netip"
 	"os"
-	"strings"
-	"sync"
 	"time"

 	"github.com/sagernet/sing-box/adapter"
@@ -17,15 +14,10 @@ var bucketSelected = []byte("selected")
 var _ adapter.ClashCacheFile = (*CacheFile)(nil)

 type CacheFile struct {
-	DB           *bbolt.DB
-	cacheID      []byte
-	saveAccess   sync.RWMutex
-	saveDomain   map[netip.Addr]string
-	saveAddress4 map[string]netip.Addr
-	saveAddress6 map[string]netip.Addr
+	DB *bbolt.DB
 }

-func Open(path string, cacheID string) (*CacheFile, error) {
+func Open(path string) (*CacheFile, error) {
 	const fileMode = 0o666
 	options := bbolt.Options{Timeout: time.Second}
 	db, err := bbolt.Open(path, fileMode, &options)
@@ -39,73 +31,13 @@ func Open(path string, cacheID string) (*CacheFile, error) {
 	if err != nil {
 		return nil, err
 	}
-	var cacheIDBytes []byte
-	if cacheID != "" {
-		cacheIDBytes = append([]byte{0}, []byte(cacheID)...)
-	}
-	err = db.Batch(func(tx *bbolt.Tx) error {
-		return tx.ForEach(func(name []byte, b *bbolt.Bucket) error {
-			if name[0] == 0 {
-				return b.ForEachBucket(func(k []byte) error {
-					bucketName := string(k)
-					if !(bucketName == string(bucketSelected)) {
-						delErr := b.DeleteBucket(name)
-						if delErr != nil {
-							return delErr
-						}
-					}
-					return nil
-				})
-			} else {
-				bucketName := string(name)
-				if !(bucketName == string(bucketSelected) || strings.HasPrefix(bucketName, fakeipBucketPrefix)) {
-					delErr := tx.DeleteBucket(name)
-					if delErr != nil {
-						return delErr
-					}
-				}
-			}
-			return nil
-		})
-	})
-	if err != nil {
-		return nil, err
-	}
-	return &CacheFile{
-		DB:           db,
-		cacheID:      cacheIDBytes,
-		saveDomain:   make(map[netip.Addr]string),
-		saveAddress4: make(map[string]netip.Addr),
-		saveAddress6: make(map[string]netip.Addr),
-	}, nil
-}
-
-func (c *CacheFile) bucket(t *bbolt.Tx, key []byte) *bbolt.Bucket {
-	if c.cacheID == nil {
-		return t.Bucket(key)
-	}
-	bucket := t.Bucket(c.cacheID)
-	if bucket == nil {
-		return nil
-	}
-	return bucket.Bucket(key)
-}
-
-func (c *CacheFile) createBucket(t *bbolt.Tx, key []byte) (*bbolt.Bucket, error) {
-	if c.cacheID == nil {
-		return t.CreateBucketIfNotExists(key)
-	}
-	bucket, err := t.CreateBucketIfNotExists(c.cacheID)
-	if bucket == nil {
-		return nil, err
-	}
-	return bucket.CreateBucketIfNotExists(key)
+	return &CacheFile{db}, nil
 }

 func (c *CacheFile) LoadSelected(group string) string {
 	var selected string
 	c.DB.View(func(t *bbolt.Tx) error {
-		bucket := c.bucket(t, bucketSelected)
+		bucket := t.Bucket(bucketSelected)
 		if bucket == nil {
 			return nil
 		}
@@ -120,7 +52,7 @@ func (c *CacheFile) LoadSelected(group string) string {

 func (c *CacheFile) StoreSelected(group, selected string) error {
 	return c.DB.Batch(func(t *bbolt.Tx) error {
-		bucket, err := c.createBucket(t, bucketSelected)
+		bucket, err := t.CreateBucketIfNotExists(bucketSelected)
 		if err != nil {
 			return err
 		}
--- a/experimental/clashapi/cachefile/fakeip.go
+++ b/experimental/clashapi/cachefile/fakeip.go
@@ -5,24 +5,18 @@ import (
 	"os"

 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing/common/logger"
-	M "github.com/sagernet/sing/common/metadata"

 	"go.etcd.io/bbolt"
 )

-const fakeipBucketPrefix = "fakeip_"
-
 var (
-	bucketFakeIP        = []byte(fakeipBucketPrefix + "address")
-	bucketFakeIPDomain4 = []byte(fakeipBucketPrefix + "domain4")
-	bucketFakeIPDomain6 = []byte(fakeipBucketPrefix + "domain6")
-	keyMetadata         = []byte(fakeipBucketPrefix + "metadata")
+	bucketFakeIP = []byte("fakeip")
+	keyMetadata  = []byte("metadata")
 )

 func (c *CacheFile) FakeIPMetadata() *adapter.FakeIPMetadata {
 	var metadata adapter.FakeIPMetadata
-	err := c.DB.Batch(func(tx *bbolt.Tx) error {
+	err := c.DB.View(func(tx *bbolt.Tx) error {
 		bucket := tx.Bucket(bucketFakeIP)
 		if bucket == nil {
 			return nil
@@ -31,10 +25,6 @@ func (c *CacheFile) FakeIPMetadata() *adapter.FakeIPMetadata {
 		if len(metadataBinary) == 0 {
 			return os.ErrInvalid
 		}
-		err := bucket.Delete(keyMetadata)
-		if err != nil {
-			return err
-		}
 		return metadata.UnmarshalBinary(metadataBinary)
 	})
 	if err != nil {
@@ -63,54 +53,11 @@ func (c *CacheFile) FakeIPStore(address netip.Addr, domain string) error {
 		if err != nil {
 			return err
 		}
-		err = bucket.Put(address.AsSlice(), []byte(domain))
-		if err != nil {
-			return err
-		}
-		if address.Is4() {
-			bucket, err = tx.CreateBucketIfNotExists(bucketFakeIPDomain4)
-		} else {
-			bucket, err = tx.CreateBucketIfNotExists(bucketFakeIPDomain6)
-		}
-		if err != nil {
-			return err
-		}
-		return bucket.Put([]byte(domain), address.AsSlice())
+		return bucket.Put(address.AsSlice(), []byte(domain))
 	})
 }

-func (c *CacheFile) FakeIPStoreAsync(address netip.Addr, domain string, logger logger.Logger) {
-	c.saveAccess.Lock()
-	c.saveDomain[address] = domain
-	if address.Is4() {
-		c.saveAddress4[domain] = address
-	} else {
-		c.saveAddress6[domain] = address
-	}
-	c.saveAccess.Unlock()
-	go func() {
-		err := c.FakeIPStore(address, domain)
-		if err != nil {
-			logger.Warn("save FakeIP address pair: ", err)
-		}
-		c.saveAccess.Lock()
-		delete(c.saveDomain, address)
-		if address.Is4() {
-			delete(c.saveAddress4, domain)
-		} else {
-			delete(c.saveAddress6, domain)
-		}
-		c.saveAccess.Unlock()
-	}()
-}
-
 func (c *CacheFile) FakeIPLoad(address netip.Addr) (string, bool) {
-	c.saveAccess.RLock()
-	cachedDomain, cached := c.saveDomain[address]
-	c.saveAccess.RUnlock()
-	if cached {
-		return cachedDomain, true
-	}
 	var domain string
 	_ = c.DB.View(func(tx *bbolt.Tx) error {
 		bucket := tx.Bucket(bucketFakeIP)
@@ -123,48 +70,8 @@ func (c *CacheFile) FakeIPLoad(address netip.Addr) (string, bool) {
 	return domain, domain != ""
 }

-func (c *CacheFile) FakeIPLoadDomain(domain string, isIPv6 bool) (netip.Addr, bool) {
-	var (
-		cachedAddress netip.Addr
-		cached        bool
-	)
-	c.saveAccess.RLock()
-	if !isIPv6 {
-		cachedAddress, cached = c.saveAddress4[domain]
-	} else {
-		cachedAddress, cached = c.saveAddress6[domain]
-	}
-	c.saveAccess.RUnlock()
-	if cached {
-		return cachedAddress, true
-	}
-	var address netip.Addr
-	_ = c.DB.View(func(tx *bbolt.Tx) error {
-		var bucket *bbolt.Bucket
-		if isIPv6 {
-			bucket = tx.Bucket(bucketFakeIPDomain6)
-		} else {
-			bucket = tx.Bucket(bucketFakeIPDomain4)
-		}
-		if bucket == nil {
-			return nil
-		}
-		address = M.AddrFromIP(bucket.Get([]byte(domain)))
-		return nil
-	})
-	return address, address.IsValid()
-}
-
 func (c *CacheFile) FakeIPReset() error {
 	return c.DB.Batch(func(tx *bbolt.Tx) error {
-		err := tx.DeleteBucket(bucketFakeIP)
-		if err != nil {
-			return err
-		}
-		err = tx.DeleteBucket(bucketFakeIPDomain4)
-		if err != nil {
-			return err
-		}
-		return tx.DeleteBucket(bucketFakeIPDomain6)
+		return tx.DeleteBucket(bucketFakeIP)
 	})
 }
--- a/experimental/clashapi/compatible/map.go
+++ b/experimental/clashapi/compatible/map.go
@@ -7,15 +7,6 @@ type Map[K comparable, V any] struct {
 	m sync.Map
 }

-func (m *Map[K, V]) Len() int {
-	var count int
-	m.m.Range(func(key, value any) bool {
-		count++
-		return true
-	})
-	return count
-}
-
 func (m *Map[K, V]) Load(key K) (V, bool) {
 	v, ok := m.m.Load(key)
 	if !ok {
--- a/experimental/clashapi/connections.go
+++ b/experimental/clashapi/connections.go
@@ -6,7 +6,6 @@ import (
 	"strconv"
 	"time"

-	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/json"
 	"github.com/sagernet/sing-box/experimental/clashapi/trafficontrol"
 	"github.com/sagernet/websocket"
@@ -15,10 +14,10 @@ import (
 	"github.com/go-chi/render"
 )

-func connectionRouter(router adapter.Router, trafficManager *trafficontrol.Manager) http.Handler {
+func connectionRouter(trafficManager *trafficontrol.Manager) http.Handler {
 	r := chi.NewRouter()
 	r.Get("/", getConnections(trafficManager))
-	r.Delete("/", closeAllConnections(router, trafficManager))
+	r.Delete("/", closeAllConnections(trafficManager))
 	r.Delete("/{id}", closeConnection(trafficManager))
 	return r
 }
@@ -87,13 +86,12 @@ func closeConnection(trafficManager *trafficontrol.Manager) func(w http.Response
 	}
 }

-func closeAllConnections(router adapter.Router, trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
+func closeAllConnections(trafficManager *trafficontrol.Manager) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		snapshot := trafficManager.Snapshot()
 		for _, c := range snapshot.Connections {
 			c.Close()
 		}
-		router.ResetNetwork()
 		render.NoContent(w, r)
 	}
 }
--- a/experimental/clashapi/proxies.go
+++ b/experimental/clashapi/proxies.go
@@ -6,7 +6,6 @@ import (
 	"net/http"
 	"sort"
 	"strconv"
-	"strings"
 	"time"

 	"github.com/sagernet/sing-box/adapter"
@@ -134,7 +133,7 @@ func getProxies(server *Server, router adapter.Router) func(w http.ResponseWrite
 			defaultTag = allProxies[0]
 		}

-		sort.SliceStable(allProxies, func(i, j int) bool {
+		sort.Slice(allProxies, func(i, j int) bool {
 			return allProxies[i] == defaultTag
 		})

@@ -215,9 +214,6 @@ func getProxyDelay(server *Server) func(w http.ResponseWriter, r *http.Request)
 	return func(w http.ResponseWriter, r *http.Request) {
 		query := r.URL.Query()
 		url := query.Get("url")
-		if strings.HasPrefix(url, "http://") {
-			url = ""
-		}
 		timeout, err := strconv.ParseInt(query.Get("timeout"), 10, 16)
 		if err != nil {
 			render.Status(r, http.StatusBadRequest)
--- a/experimental/clashapi/server.go
+++ b/experimental/clashapi/server.go
@@ -23,8 +23,6 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/service"
-	"github.com/sagernet/sing/service/filemanager"
 	"github.com/sagernet/websocket"

 	"github.com/go-chi/chi/v5"
@@ -39,7 +37,6 @@ func init() {
 var _ adapter.ClashServer = (*Server)(nil)

 type Server struct {
-	ctx            context.Context
 	router         adapter.Router
 	logger         log.Logger
 	httpServer     *http.Server
@@ -49,35 +46,24 @@ type Server struct {
 	storeSelected  bool
 	storeFakeIP    bool
 	cacheFilePath  string
-	cacheID        string
 	cacheFile      adapter.ClashCacheFile
-
-	externalUI               string
-	externalUIDownloadURL    string
-	externalUIDownloadDetour string
 }

-func NewServer(ctx context.Context, router adapter.Router, logFactory log.ObservableFactory, options option.ClashAPIOptions) (adapter.ClashServer, error) {
+func NewServer(router adapter.Router, logFactory log.ObservableFactory, options option.ClashAPIOptions) (adapter.ClashServer, error) {
 	trafficManager := trafficontrol.NewManager()
 	chiRouter := chi.NewRouter()
 	server := &Server{
-		ctx:    ctx,
 		router: router,
 		logger: logFactory.NewLogger("clash-api"),
 		httpServer: &http.Server{
 			Addr:    options.ExternalController,
 			Handler: chiRouter,
 		},
-		trafficManager:           trafficManager,
-		mode:                     strings.ToLower(options.DefaultMode),
-		storeSelected:            options.StoreSelected,
-		storeFakeIP:              options.StoreFakeIP,
-		externalUIDownloadURL:    options.ExternalUIDownloadURL,
-		externalUIDownloadDetour: options.ExternalUIDownloadDetour,
-	}
-	server.urlTestHistory = service.PtrFromContext[urltest.HistoryStorage](ctx)
-	if server.urlTestHistory == nil {
-		server.urlTestHistory = urltest.NewHistoryStorage()
+		trafficManager: trafficManager,
+		urlTestHistory: urltest.NewHistoryStorage(),
+		mode:           strings.ToLower(options.DefaultMode),
+		storeSelected:  options.StoreSelected,
+		storeFakeIP:    options.StoreFakeIP,
 	}
 	if server.mode == "" {
 		server.mode = "rule"
@@ -90,10 +76,9 @@ func NewServer(ctx context.Context, router adapter.Router, logFactory log.Observ
 		if foundPath, loaded := C.FindPath(cachePath); loaded {
 			cachePath = foundPath
 		} else {
-			cachePath = filemanager.BasePath(ctx, cachePath)
+			cachePath = C.BasePath(cachePath)
 		}
 		server.cacheFilePath = cachePath
-		server.cacheID = options.CacheID
 	}
 	cors := cors.New(cors.Options{
 		AllowedOrigins: []string{"*"},
@@ -111,20 +96,17 @@ func NewServer(ctx context.Context, router adapter.Router, logFactory log.Observ
 		r.Mount("/configs", configRouter(server, logFactory, server.logger))
 		r.Mount("/proxies", proxyRouter(server, router))
 		r.Mount("/rules", ruleRouter(router))
-		r.Mount("/connections", connectionRouter(router, trafficManager))
+		r.Mount("/connections", connectionRouter(trafficManager))
 		r.Mount("/providers/proxies", proxyProviderRouter())
 		r.Mount("/providers/rules", ruleProviderRouter())
 		r.Mount("/script", scriptRouter())
 		r.Mount("/profile", profileRouter())
 		r.Mount("/cache", cacheRouter(router))
 		r.Mount("/dns", dnsRouter(router))
-
-		server.setupMetaAPI(r)
 	})
 	if options.ExternalUI != "" {
-		server.externalUI = filemanager.BasePath(ctx, os.ExpandEnv(options.ExternalUI))
 		chiRouter.Group(func(r chi.Router) {
-			fs := http.StripPrefix("/ui", http.FileServer(http.Dir(server.externalUI)))
+			fs := http.StripPrefix("/ui", http.FileServer(http.Dir(C.BasePath(os.ExpandEnv(options.ExternalUI)))))
 			r.Get("/ui", http.RedirectHandler("/ui/", http.StatusTemporaryRedirect).ServeHTTP)
 			r.Get("/ui/*", func(w http.ResponseWriter, r *http.Request) {
 				fs.ServeHTTP(w, r)
@@ -136,7 +118,7 @@ func NewServer(ctx context.Context, router adapter.Router, logFactory log.Observ

 func (s *Server) PreStart() error {
 	if s.cacheFilePath != "" {
-		cacheFile, err := cachefile.Open(s.cacheFilePath, s.cacheID)
+		cacheFile, err := cachefile.Open(s.cacheFilePath)
 		if err != nil {
 			return E.Cause(err, "open cache file")
 		}
@@ -146,7 +128,6 @@ func (s *Server) PreStart() error {
 }

 func (s *Server) Start() error {
-	s.checkAndDownloadExternalUI()
 	listener, err := net.Listen("tcp", s.httpServer.Addr)
 	if err != nil {
 		return E.Cause(err, "external controller listen error")
@@ -189,10 +170,6 @@ func (s *Server) HistoryStorage() *urltest.HistoryStorage {
 	return s.urlTestHistory
 }

-func (s *Server) TrafficManager() *trafficontrol.Manager {
-	return s.trafficManager
-}
-
 func (s *Server) RoutedConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, matchedRule adapter.Rule) (net.Conn, adapter.Tracker) {
 	tracker := trafficontrol.NewTCPTracker(conn, s.trafficManager, castMetadata(metadata), s.router, matchedRule)
 	return tracker, tracker
@@ -421,5 +398,5 @@ func getLogs(logFactory log.ObservableFactory) func(w http.ResponseWriter, r *ht
 }

 func version(w http.ResponseWriter, r *http.Request) {
-	render.JSON(w, r, render.M{"version": "sing-box " + C.Version, "premium": true, "meta": true})
+	render.JSON(w, r, render.M{"version": "sing-box " + C.Version, "premium": true})
 }
--- a/experimental/clashapi/server_resources.go
+++ b/experimental/clashapi/server_resources.go
@@ -1,164 +0,0 @@
-package clashapi
-
-import (
-	"archive/zip"
-	"context"
-	"io"
-	"net"
-	"net/http"
-	"os"
-	"path/filepath"
-	"strings"
-	"time"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/service/filemanager"
-)
-
-func (s *Server) checkAndDownloadExternalUI() {
-	if s.externalUI == "" {
-		return
-	}
-	entries, err := os.ReadDir(s.externalUI)
-	if err != nil {
-		os.MkdirAll(s.externalUI, 0o755)
-	}
-	if len(entries) == 0 {
-		err = s.downloadExternalUI()
-		if err != nil {
-			s.logger.Error("download external ui error: ", err)
-		}
-	}
-}
-
-func (s *Server) downloadExternalUI() error {
-	var downloadURL string
-	if s.externalUIDownloadURL != "" {
-		downloadURL = s.externalUIDownloadURL
-	} else {
-		downloadURL = "https://github.com/MetaCubeX/Yacd-meta/archive/gh-pages.zip"
-	}
-	s.logger.Info("downloading external ui")
-	var detour adapter.Outbound
-	if s.externalUIDownloadDetour != "" {
-		outbound, loaded := s.router.Outbound(s.externalUIDownloadDetour)
-		if !loaded {
-			return E.New("detour outbound not found: ", s.externalUIDownloadDetour)
-		}
-		detour = outbound
-	} else {
-		detour = s.router.DefaultOutbound(N.NetworkTCP)
-	}
-	httpClient := &http.Client{
-		Transport: &http.Transport{
-			ForceAttemptHTTP2:   true,
-			TLSHandshakeTimeout: 5 * time.Second,
-			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
-				return detour.DialContext(ctx, network, M.ParseSocksaddr(addr))
-			},
-		},
-	}
-	defer httpClient.CloseIdleConnections()
-	response, err := httpClient.Get(downloadURL)
-	if err != nil {
-		return err
-	}
-	defer response.Body.Close()
-	if response.StatusCode != http.StatusOK {
-		return E.New("download external ui failed: ", response.Status)
-	}
-	err = s.downloadZIP(filepath.Base(downloadURL), response.Body, s.externalUI)
-	if err != nil {
-		removeAllInDirectory(s.externalUI)
-	}
-	return err
-}
-
-func (s *Server) downloadZIP(name string, body io.Reader, output string) error {
-	tempFile, err := filemanager.CreateTemp(s.ctx, name)
-	if err != nil {
-		return err
-	}
-	defer os.Remove(tempFile.Name())
-	_, err = io.Copy(tempFile, body)
-	tempFile.Close()
-	if err != nil {
-		return err
-	}
-	reader, err := zip.OpenReader(tempFile.Name())
-	if err != nil {
-		return err
-	}
-	defer reader.Close()
-	trimDir := zipIsInSingleDirectory(reader.File)
-	for _, file := range reader.File {
-		if file.FileInfo().IsDir() {
-			continue
-		}
-		pathElements := strings.Split(file.Name, "/")
-		if trimDir {
-			pathElements = pathElements[1:]
-		}
-		saveDirectory := output
-		if len(pathElements) > 1 {
-			saveDirectory = filepath.Join(saveDirectory, filepath.Join(pathElements[:len(pathElements)-1]...))
-		}
-		err = os.MkdirAll(saveDirectory, 0o755)
-		if err != nil {
-			return err
-		}
-		savePath := filepath.Join(saveDirectory, pathElements[len(pathElements)-1])
-		err = downloadZIPEntry(s.ctx, file, savePath)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func downloadZIPEntry(ctx context.Context, zipFile *zip.File, savePath string) error {
-	saveFile, err := filemanager.Create(ctx, savePath)
-	if err != nil {
-		return err
-	}
-	defer saveFile.Close()
-	reader, err := zipFile.Open()
-	if err != nil {
-		return err
-	}
-	defer reader.Close()
-	return common.Error(io.Copy(saveFile, reader))
-}
-
-func removeAllInDirectory(directory string) {
-	dirEntries, err := os.ReadDir(directory)
-	if err != nil {
-		return
-	}
-	for _, dirEntry := range dirEntries {
-		os.RemoveAll(filepath.Join(directory, dirEntry.Name()))
-	}
-}
-
-func zipIsInSingleDirectory(files []*zip.File) bool {
-	var singleDirectory string
-	for _, file := range files {
-		if file.FileInfo().IsDir() {
-			continue
-		}
-		pathElements := strings.Split(file.Name, "/")
-		if len(pathElements) == 0 {
-			return false
-		}
-		if singleDirectory == "" {
-			singleDirectory = pathElements[0]
-		} else if singleDirectory != pathElements[0] {
-			return false
-		}
-	}
-	return true
-}
--- a/experimental/clashapi/trafficontrol/manager.go
+++ b/experimental/clashapi/trafficontrol/manager.go
@@ -1,33 +1,35 @@
 package trafficontrol

 import (
-	"runtime"
 	"time"

 	"github.com/sagernet/sing-box/experimental/clashapi/compatible"
-	"github.com/sagernet/sing/common/atomic"
+
+	"go.uber.org/atomic"
 )

 type Manager struct {
-	uploadTemp    atomic.Int64
-	downloadTemp  atomic.Int64
-	uploadBlip    atomic.Int64
-	downloadBlip  atomic.Int64
-	uploadTotal   atomic.Int64
-	downloadTotal atomic.Int64
-
-	connections compatible.Map[string, tracker]
-	ticker      *time.Ticker
-	done        chan struct{}
-	// process     *process.Process
-	memory uint64
+	connections   compatible.Map[string, tracker]
+	uploadTemp    *atomic.Int64
+	downloadTemp  *atomic.Int64
+	uploadBlip    *atomic.Int64
+	downloadBlip  *atomic.Int64
+	uploadTotal   *atomic.Int64
+	downloadTotal *atomic.Int64
+	ticker        *time.Ticker
+	done          chan struct{}
 }

 func NewManager() *Manager {
 	manager := &Manager{
-		ticker: time.NewTicker(time.Second),
-		done:   make(chan struct{}),
-		// process: &process.Process{Pid: int32(os.Getpid())},
+		uploadTemp:    atomic.NewInt64(0),
+		downloadTemp:  atomic.NewInt64(0),
+		uploadBlip:    atomic.NewInt64(0),
+		downloadBlip:  atomic.NewInt64(0),
+		uploadTotal:   atomic.NewInt64(0),
+		downloadTotal: atomic.NewInt64(0),
+		ticker:        time.NewTicker(time.Second),
+		done:          make(chan struct{}),
 	}
 	go manager.handle()
 	return manager
@@ -55,14 +57,6 @@ func (m *Manager) Now() (up int64, down int64) {
 	return m.uploadBlip.Load(), m.downloadBlip.Load()
 }

-func (m *Manager) Total() (up int64, down int64) {
-	return m.uploadTotal.Load(), m.downloadTotal.Load()
-}
-
-func (m *Manager) Connections() int {
-	return m.connections.Len()
-}
-
 func (m *Manager) Snapshot() *Snapshot {
 	var connections []tracker
 	m.connections.Range(func(_ string, value tracker) bool {
@@ -70,18 +64,10 @@ func (m *Manager) Snapshot() *Snapshot {
 		return true
 	})

-	//if memoryInfo, err := m.process.MemoryInfo(); err == nil {
-	//	m.memory = memoryInfo.RSS
-	//} else {
-	var memStats runtime.MemStats
-	runtime.ReadMemStats(&memStats)
-	m.memory = memStats.StackInuse + memStats.HeapInuse + memStats.HeapIdle - memStats.HeapReleased
-
 	return &Snapshot{
 		UploadTotal:   m.uploadTotal.Load(),
 		DownloadTotal: m.downloadTotal.Load(),
 		Connections:   connections,
-		Memory:        m.memory,
 	}
 }

@@ -120,5 +106,4 @@ type Snapshot struct {
 	DownloadTotal int64     `json:"downloadTotal"`
 	UploadTotal   int64     `json:"uploadTotal"`
 	Connections   []tracker `json:"connections"`
-	Memory        uint64    `json:"memory"`
 }
--- a/experimental/clashapi/trafficontrol/tracker.go
+++ b/experimental/clashapi/trafficontrol/tracker.go
@@ -1,18 +1,17 @@
 package trafficontrol

 import (
-	"encoding/json"
 	"net"
 	"net/netip"
 	"time"

 	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/experimental/trackerconn"
 	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/atomic"
-	"github.com/sagernet/sing/common/bufio"
 	N "github.com/sagernet/sing/common/network"

-	"github.com/gofrs/uuid/v5"
+	"github.com/gofrs/uuid"
+	"go.uber.org/atomic"
 )

 type Metadata struct {
@@ -44,19 +43,6 @@ type trackerInfo struct {
 	RulePayload   string        `json:"rulePayload"`
 }

-func (t trackerInfo) MarshalJSON() ([]byte, error) {
-	return json.Marshal(map[string]any{
-		"id":          t.UUID.String(),
-		"metadata":    t.Metadata,
-		"upload":      t.UploadTotal.Load(),
-		"download":    t.DownloadTotal.Load(),
-		"start":       t.Start,
-		"chains":      t.Chain,
-		"rule":        t.Rule,
-		"rulePayload": t.RulePayload,
-	})
-}
-
 type tcpTracker struct {
 	N.ExtendedConn `json:"-"`
 	*trackerInfo
@@ -111,17 +97,17 @@ func NewTCPTracker(conn net.Conn, manager *Manager, metadata Metadata, router ad
 		next = group.Now()
 	}

-	upload := new(atomic.Int64)
-	download := new(atomic.Int64)
+	upload := atomic.NewInt64(0)
+	download := atomic.NewInt64(0)

 	t := &tcpTracker{
-		ExtendedConn: bufio.NewCounterConn(conn, []N.CountFunc{func(n int64) {
+		ExtendedConn: trackerconn.NewHook(conn, func(n int64) {
 			upload.Add(n)
 			manager.PushUploaded(n)
-		}}, []N.CountFunc{func(n int64) {
+		}, func(n int64) {
 			download.Add(n)
 			manager.PushDownloaded(n)
-		}}),
+		}),
 		manager: manager,
 		trackerInfo: &trackerInfo{
 			UUID:          uuid,
@@ -198,17 +184,17 @@ func NewUDPTracker(conn N.PacketConn, manager *Manager, metadata Metadata, route
 		next = group.Now()
 	}

-	upload := new(atomic.Int64)
-	download := new(atomic.Int64)
+	upload := atomic.NewInt64(0)
+	download := atomic.NewInt64(0)

 	ut := &udpTracker{
-		PacketConn: bufio.NewCounterPacketConn(conn, []N.CountFunc{func(n int64) {
+		PacketConn: trackerconn.NewHookPacket(conn, func(n int64) {
 			upload.Add(n)
 			manager.PushUploaded(n)
-		}}, []N.CountFunc{func(n int64) {
+		}, func(n int64) {
 			download.Add(n)
 			manager.PushDownloaded(n)
-		}}),
+		}),
 		manager: manager,
 		trackerInfo: &trackerInfo{
 			UUID:          uuid,
--- a/experimental/libbox/command.go
+++ b/experimental/libbox/command.go
@@ -3,9 +3,7 @@ package libbox
 const (
 	CommandLog int32 = iota
 	CommandStatus
+	CommandServiceStop
 	CommandServiceReload
 	CommandCloseConnections
-	CommandGroup
-	CommandSelectOutbound
-	CommandURLTest
 )
--- a/experimental/libbox/command_client.go
+++ b/experimental/libbox/command_client.go
@@ -26,13 +26,6 @@ type CommandClientHandler interface {
 	Disconnected(message string)
 	WriteLog(message string)
 	WriteStatus(message *StatusMessage)
-	WriteGroups(message OutboundGroupIterator)
-}
-
-func NewStandaloneCommandClient(sharedDirectory string) *CommandClient {
-	return &CommandClient{
-		sharedDirectory: sharedDirectory,
-	}
 }

 func NewCommandClient(sharedDirectory string, handler CommandClientHandler, options *CommandClientOptions) *CommandClient {
@@ -43,16 +36,16 @@ func NewCommandClient(sharedDirectory string, handler CommandClientHandler, opti
 	}
 }

-func (c *CommandClient) directConnect() (net.Conn, error) {
+func clientConnect(sharedDirectory string) (net.Conn, error) {
 	return net.DialUnix("unix", nil, &net.UnixAddr{
-		Name: filepath.Join(c.sharedDirectory, "command.sock"),
+		Name: filepath.Join(sharedDirectory, "command.sock"),
 		Net:  "unix",
 	})
 }

 func (c *CommandClient) Connect() error {
 	common.Close(c.conn)
-	conn, err := c.directConnect()
+	conn, err := clientConnect(c.sharedDirectory)
 	if err != nil {
 		return err
 	}
@@ -72,13 +65,6 @@ func (c *CommandClient) Connect() error {
 		}
 		c.handler.Connected()
 		go c.handleStatusConn(conn)
-	case CommandGroup:
-		err = binary.Write(conn, binary.BigEndian, c.options.StatusInterval)
-		if err != nil {
-			return E.Cause(err, "write interval")
-		}
-		c.handler.Connected()
-		go c.handleGroupConn(conn)
 	}
 	return nil
 }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
世界	6d63f9255f	documentation: Update changelog	2023-04-08 09:37:58 +08:00
世界	6f2cc9761d	Add multi-peer support for wireguard outbound	2023-04-08 09:37:58 +08:00
世界	b484d9bca6	Add fakeip support	2023-04-08 09:37:58 +08:00
世界	58c4fd745a	Add L3 routing support	2023-04-08 09:17:12 +08:00
世界	7d1e6affb3	Add dns reverse mapping	2023-04-08 09:17:03 +08:00