documentation: Bump version

Update hysteria docker image for test
Update dependencies
2026-04-16 13:44:41 +10:00 · 2023-09-07 13:01:22 +08:00 · 2023-09-07 13:00:29 +08:00 · 2023-09-07 12:54:52 +08:00 · 2023-09-07 12:54:45 +08:00 · 2023-09-07 12:47:35 +08:00
41 changed files with 793 additions and 285 deletions
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -16,6 +16,7 @@ builds:
      - with_quic
      - with_dhcp
      - with_wireguard
+      - with_ech
      - with_utls
      - with_reality_server
      - with_clash_api
@@ -51,6 +52,7 @@ builds:
      - with_quic
      - with_dhcp
      - with_wireguard
+      - with_ech
      - with_utls
      - with_clash_api
    env:
--- a/cmd/internal/build_libbox/main.go
+++ b/cmd/internal/build_libbox/main.go
@@ -54,7 +54,7 @@ func init() {
 	sharedFlags = append(sharedFlags, "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -s -w -buildid=")
 	debugFlags = append(debugFlags, "-X github.com/sagernet/sing-box/constant.Version="+currentTag)

-	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_utls", "with_clash_api")
+	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_ech", "with_utls", "with_clash_api")
 	iosTags = append(iosTags, "with_dhcp", "with_low_memory", "with_conntrack")
 	debugTags = append(debugTags, "debug")
 }
--- a/cmd/internal/update_apple_version/main.go
+++ b/cmd/internal/update_apple_version/main.go
@@ -29,8 +29,7 @@ func main() {
 	newContent, updated0 := findAndReplace(objectsMap, projectContent, []string{"io.nekohasekai.sfa"}, newVersion.VersionString())
 	newContent, updated1 := findAndReplace(objectsMap, newContent, []string{"io.nekohasekai.sfa.independent", "io.nekohasekai.sfa.system"}, newVersion.String())
 	if updated0 || updated1 {
-		log.Info("updated version to ", newVersion.VersionString())
-		common.Must(os.WriteFile("sing-box.xcodeproj/project.pbxproj.bak", []byte(projectContent), 0o644))
+		log.Info("updated version to ", newVersion.VersionString(), " (", newVersion.String(), ")")
 		common.Must(os.WriteFile("sing-box.xcodeproj/project.pbxproj", []byte(newContent), 0o644))
 	} else {
 		log.Info("version not changed")
--- a/common/settings/proxy_android.go
+++ b/common/settings/proxy_android.go
@@ -1,43 +1,73 @@
 package settings

 import (
+	"context"
 	"os"
 	"strings"

-	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
+	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
+	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/shell"
 )

-var (
-	useRish  bool
-	rishPath string
-)
+type AndroidSystemProxy struct {
+	useRish      bool
+	rishPath     string
+	serverAddr   M.Socksaddr
+	supportSOCKS bool
+	isEnabled    bool
+}

-func init() {
+func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (*AndroidSystemProxy, error) {
 	userId := os.Getuid()
+	var (
+		useRish  bool
+		rishPath string
+	)
 	if userId == 0 || userId == 1000 || userId == 2000 {
 		useRish = false
 	} else {
 		rishPath, useRish = C.FindPath("rish")
+		if !useRish {
+			return nil, E.Cause(os.ErrPermission, "root or system (adb) permission is required for set system proxy")
+		}
 	}
-}
-
-func runAndroidShell(name string, args ...string) error {
-	if !useRish {
-		return shell.Exec(name, args...).Attach().Run()
-	} else {
-		return shell.Exec("sh", rishPath, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
-	}
-}
-
-func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
-	err := runAndroidShell("settings", "put", "global", "http_proxy", F.ToString("127.0.0.1:", port))
-	if err != nil {
-		return nil, err
-	}
-	return func() error {
-		return runAndroidShell("settings", "put", "global", "http_proxy", ":0")
+	return &AndroidSystemProxy{
+		useRish:      useRish,
+		rishPath:     rishPath,
+		serverAddr:   serverAddr,
+		supportSOCKS: supportSOCKS,
 	}, nil
 }
+
+func (p *AndroidSystemProxy) IsEnabled() bool {
+	return p.isEnabled
+}
+
+func (p *AndroidSystemProxy) Enable() error {
+	err := p.runAndroidShell("settings", "put", "global", "http_proxy", p.serverAddr.String())
+	if err != nil {
+		return err
+	}
+	p.isEnabled = true
+	return nil
+}
+
+func (p *AndroidSystemProxy) Disable() error {
+	err := p.runAndroidShell("settings", "put", "global", "http_proxy", ":0")
+	if err != nil {
+		return err
+	}
+	p.isEnabled = false
+	return nil
+}
+
+func (p *AndroidSystemProxy) runAndroidShell(name string, args ...string) error {
+	if !p.useRish {
+		return shell.Exec(name, args...).Attach().Run()
+	} else {
+		return shell.Exec("sh", p.rishPath, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
+	}
+}
--- a/common/settings/proxy_darwin.go
+++ b/common/settings/proxy_darwin.go
@@ -1,56 +1,55 @@
 package settings

 import (
+	"context"
 	"net/netip"
 	"strings"

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-tun"
 	E "github.com/sagernet/sing/common/exceptions"
-	F "github.com/sagernet/sing/common/format"
+	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/shell"
 	"github.com/sagernet/sing/common/x/list"
 )

-type systemProxy struct {
+type DarwinSystemProxy struct {
 	monitor       tun.DefaultInterfaceMonitor
 	interfaceName string
 	element       *list.Element[tun.DefaultInterfaceUpdateCallback]
-	port          uint16
-	isMixed       bool
+	serverAddr    M.Socksaddr
+	supportSOCKS  bool
+	isEnabled     bool
 }

-func (p *systemProxy) update(event int) {
-	newInterfaceName := p.monitor.DefaultInterfaceName(netip.IPv4Unspecified())
-	if p.interfaceName == newInterfaceName {
-		return
+func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (*DarwinSystemProxy, error) {
+	interfaceMonitor := adapter.RouterFromContext(ctx).InterfaceMonitor()
+	if interfaceMonitor == nil {
+		return nil, E.New("missing interface monitor")
 	}
-	if p.interfaceName != "" {
-		_ = p.unset()
+	proxy := &DarwinSystemProxy{
+		monitor:      interfaceMonitor,
+		serverAddr:   serverAddr,
+		supportSOCKS: supportSOCKS,
 	}
-	p.interfaceName = newInterfaceName
-	interfaceDisplayName, err := getInterfaceDisplayName(p.interfaceName)
-	if err != nil {
-		return
-	}
-	if p.isMixed {
-		err = shell.Exec("networksetup", "-setsocksfirewallproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
-	}
-	if err == nil {
-		err = shell.Exec("networksetup", "-setwebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
-	}
-	if err == nil {
-		_ = shell.Exec("networksetup", "-setsecurewebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
-	}
-	return
+	proxy.element = interfaceMonitor.RegisterCallback(proxy.update)
+	return proxy, nil
 }

-func (p *systemProxy) unset() error {
+func (p *DarwinSystemProxy) IsEnabled() bool {
+	return p.isEnabled
+}
+
+func (p *DarwinSystemProxy) Enable() error {
+	return p.update0()
+}
+
+func (p *DarwinSystemProxy) Disable() error {
 	interfaceDisplayName, err := getInterfaceDisplayName(p.interfaceName)
 	if err != nil {
 		return err
 	}
-	if p.isMixed {
+	if p.supportSOCKS {
 		err = shell.Exec("networksetup", "-setsocksfirewallproxystate", interfaceDisplayName, "off").Attach().Run()
 	}
 	if err == nil {
@@ -59,9 +58,53 @@ func (p *systemProxy) unset() error {
 	if err == nil {
 		err = shell.Exec("networksetup", "-setsecurewebproxystate", interfaceDisplayName, "off").Attach().Run()
 	}
+	if err == nil {
+		p.isEnabled = false
+	}
 	return err
 }

+func (p *DarwinSystemProxy) update(event int) {
+	if event&tun.EventInterfaceUpdate == 0 {
+		return
+	}
+	if !p.isEnabled {
+		return
+	}
+	_ = p.update0()
+}
+
+func (p *DarwinSystemProxy) update0() error {
+	newInterfaceName := p.monitor.DefaultInterfaceName(netip.IPv4Unspecified())
+	if p.interfaceName == newInterfaceName {
+		return nil
+	}
+	if p.interfaceName != "" {
+		_ = p.Disable()
+	}
+	p.interfaceName = newInterfaceName
+	interfaceDisplayName, err := getInterfaceDisplayName(p.interfaceName)
+	if err != nil {
+		return err
+	}
+	if p.supportSOCKS {
+		err = shell.Exec("networksetup", "-setsocksfirewallproxy", interfaceDisplayName, p.serverAddr.String()).Attach().Run()
+	}
+	if err != nil {
+		return err
+	}
+	err = shell.Exec("networksetup", "-setwebproxy", interfaceDisplayName, p.serverAddr.String()).Attach().Run()
+	if err != nil {
+		return err
+	}
+	err = shell.Exec("networksetup", "-setsecurewebproxy", interfaceDisplayName, p.serverAddr.String()).Attach().Run()
+	if err != nil {
+		return err
+	}
+	p.isEnabled = true
+	return nil
+}
+
 func getInterfaceDisplayName(name string) (string, error) {
 	content, err := shell.Exec("networksetup", "-listallhardwareports").ReadOutput()
 	if err != nil {
@@ -77,21 +120,3 @@ func getInterfaceDisplayName(name string) (string, error) {
 	}
 	return "", E.New(name, " not found in networksetup -listallhardwareports")
 }
-
-func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
-	interfaceMonitor := router.InterfaceMonitor()
-	if interfaceMonitor == nil {
-		return nil, E.New("missing interface monitor")
-	}
-	proxy := &systemProxy{
-		monitor: interfaceMonitor,
-		port:    port,
-		isMixed: isMixed,
-	}
-	proxy.update(tun.EventInterfaceUpdate)
-	proxy.element = interfaceMonitor.RegisterCallback(proxy.update)
-	return func() error {
-		interfaceMonitor.UnregisterCallback(proxy.element)
-		return proxy.unset()
-	}, nil
-}
--- a/common/settings/proxy_linux.go
+++ b/common/settings/proxy_linux.go
@@ -3,106 +3,137 @@
 package settings

 import (
+	"context"
 	"os"
 	"os/exec"
 	"strings"

-	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
+	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/shell"
 )

-var (
-	hasGSettings bool
-	isKDE5       bool
-	sudoUser     string
-)
+type LinuxSystemProxy struct {
+	hasGSettings     bool
+	hasKWriteConfig5 bool
+	sudoUser         string
+	serverAddr       M.Socksaddr
+	supportSOCKS     bool
+	isEnabled        bool
+}

-func init() {
-	isKDE5 = common.Error(exec.LookPath("kwriteconfig5")) == nil
-	hasGSettings = common.Error(exec.LookPath("gsettings")) == nil
+func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (*LinuxSystemProxy, error) {
+	hasGSettings := common.Error(exec.LookPath("gsettings")) == nil
+	hasKWriteConfig5 := common.Error(exec.LookPath("kwriteconfig5")) == nil
+	var sudoUser string
 	if os.Getuid() == 0 {
 		sudoUser = os.Getenv("SUDO_USER")
 	}
+	if !hasGSettings && !hasKWriteConfig5 {
+		return nil, E.New("unsupported desktop environment")
+	}
+	return &LinuxSystemProxy{
+		hasGSettings:     hasGSettings,
+		hasKWriteConfig5: hasKWriteConfig5,
+		sudoUser:         sudoUser,
+		serverAddr:       serverAddr,
+		supportSOCKS:     supportSOCKS,
+	}, nil
 }

-func runAsUser(name string, args ...string) error {
+func (p *LinuxSystemProxy) IsEnabled() bool {
+	return p.isEnabled
+}
+
+func (p *LinuxSystemProxy) Enable() error {
+	if p.hasGSettings {
+		err := p.runAsUser("gsettings", "set", "org.gnome.system.proxy.http", "enabled", "true")
+		if err != nil {
+			return err
+		}
+		if p.supportSOCKS {
+			err = p.setGnomeProxy("ftp", "http", "https", "socks")
+		} else {
+			err = p.setGnomeProxy("http", "https")
+		}
+		if err != nil {
+			return err
+		}
+		err = p.runAsUser("gsettings", "set", "org.gnome.system.proxy", "use-same-proxy", F.ToString(p.supportSOCKS))
+		if err != nil {
+			return err
+		}
+		err = p.runAsUser("gsettings", "set", "org.gnome.system.proxy", "mode", "manual")
+		if err != nil {
+			return err
+		}
+	}
+	if p.hasKWriteConfig5 {
+		err := p.runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "'Proxy Settings'", "--key", "ProxyType", "1")
+		if err != nil {
+			return err
+		}
+		if p.supportSOCKS {
+			err = p.setKDEProxy("ftp", "http", "https", "socks")
+		} else {
+			err = p.setKDEProxy("http", "https")
+		}
+		if err != nil {
+			return err
+		}
+		err = p.runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "'Proxy Settings'", "--key", "Authmode", "0")
+		if err != nil {
+			return err
+		}
+		err = p.runAsUser("dbus-send", "--type=signal", "/KIO/Scheduler", "org.kde.KIO.Scheduler.reparseSlaveConfiguration", "string:''")
+		if err != nil {
+			return err
+		}
+	}
+	p.isEnabled = true
+	return nil
+}
+
+func (p *LinuxSystemProxy) Disable() error {
+	if p.hasGSettings {
+		err := p.runAsUser("gsettings", "set", "org.gnome.system.proxy", "mode", "none")
+		if err != nil {
+			return err
+		}
+	}
+	if p.hasKWriteConfig5 {
+		err := p.runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "'Proxy Settings'", "--key", "ProxyType", "0")
+		if err != nil {
+			return err
+		}
+		err = p.runAsUser("dbus-send", "--type=signal", "/KIO/Scheduler", "org.kde.KIO.Scheduler.reparseSlaveConfiguration", "string:''")
+		if err != nil {
+			return err
+		}
+	}
+	p.isEnabled = false
+	return nil
+}
+
+func (p *LinuxSystemProxy) runAsUser(name string, args ...string) error {
 	if os.Getuid() != 0 {
 		return shell.Exec(name, args...).Attach().Run()
-	} else if sudoUser != "" {
-		return shell.Exec("su", "-", sudoUser, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
+	} else if p.sudoUser != "" {
+		return shell.Exec("su", "-", p.sudoUser, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
 	} else {
 		return E.New("set system proxy: unable to set as root")
 	}
 }

-func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
-	if hasGSettings {
-		err := runAsUser("gsettings", "set", "org.gnome.system.proxy.http", "enabled", "true")
-		if err != nil {
-			return nil, err
-		}
-		if isMixed {
-			err = setGnomeProxy(port, "ftp", "http", "https", "socks")
-		} else {
-			err = setGnomeProxy(port, "http", "https")
-		}
-		if err != nil {
-			return nil, err
-		}
-		err = runAsUser("gsettings", "set", "org.gnome.system.proxy", "use-same-proxy", F.ToString(isMixed))
-		if err != nil {
-			return nil, err
-		}
-		err = runAsUser("gsettings", "set", "org.gnome.system.proxy", "mode", "manual")
-		if err != nil {
-			return nil, err
-		}
-		return func() error {
-			return runAsUser("gsettings", "set", "org.gnome.system.proxy", "mode", "none")
-		}, nil
-	}
-	if isKDE5 {
-		err := runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "'Proxy Settings'", "--key", "ProxyType", "1")
-		if err != nil {
-			return nil, err
-		}
-		if isMixed {
-			err = setKDEProxy(port, "ftp", "http", "https", "socks")
-		} else {
-			err = setKDEProxy(port, "http", "https")
-		}
-		if err != nil {
-			return nil, err
-		}
-		err = runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "'Proxy Settings'", "--key", "Authmode", "0")
-		if err != nil {
-			return nil, err
-		}
-		err = runAsUser("dbus-send", "--type=signal", "/KIO/Scheduler", "org.kde.KIO.Scheduler.reparseSlaveConfiguration", "string:''")
-		if err != nil {
-			return nil, err
-		}
-		return func() error {
-			err = runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "'Proxy Settings'", "--key", "ProxyType", "0")
-			if err != nil {
-				return err
-			}
-			return runAsUser("dbus-send", "--type=signal", "/KIO/Scheduler", "org.kde.KIO.Scheduler.reparseSlaveConfiguration", "string:''")
-		}, nil
-	}
-	return nil, E.New("unsupported desktop environment")
-}
-
-func setGnomeProxy(port uint16, proxyTypes ...string) error {
+func (p *LinuxSystemProxy) setGnomeProxy(proxyTypes ...string) error {
 	for _, proxyType := range proxyTypes {
-		err := runAsUser("gsettings", "set", "org.gnome.system.proxy."+proxyType, "host", "127.0.0.1")
+		err := p.runAsUser("gsettings", "set", "org.gnome.system.proxy."+proxyType, "host", p.serverAddr.AddrString())
 		if err != nil {
 			return err
 		}
-		err = runAsUser("gsettings", "set", "org.gnome.system.proxy."+proxyType, "port", F.ToString(port))
+		err = p.runAsUser("gsettings", "set", "org.gnome.system.proxy."+proxyType, "port", F.ToString(p.serverAddr.Port))
 		if err != nil {
 			return err
 		}
@@ -110,15 +141,15 @@ func setGnomeProxy(port uint16, proxyTypes ...string) error {
 	return nil
 }

-func setKDEProxy(port uint16, proxyTypes ...string) error {
+func (p *LinuxSystemProxy) setKDEProxy(proxyTypes ...string) error {
 	for _, proxyType := range proxyTypes {
 		var proxyUrl string
 		if proxyType == "socks" {
-			proxyUrl = "socks://127.0.0.1:" + F.ToString(port)
+			proxyUrl = "socks://" + p.serverAddr.String()
 		} else {
-			proxyUrl = "http://127.0.0.1:" + F.ToString(port)
+			proxyUrl = "http://" + p.serverAddr.String()
 		}
-		err := runAsUser(
+		err := p.runAsUser(
 			"kwriteconfig5",
 			"--file",
 			"kioslaverc",
--- a/common/settings/proxy_stub.go
+++ b/common/settings/proxy_stub.go
@@ -3,11 +3,12 @@
 package settings

 import (
+	"context"
 	"os"

-	"github.com/sagernet/sing-box/adapter"
+	M "github.com/sagernet/sing/common/metadata"
 )

-func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
+func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (SystemProxy, error) {
 	return nil, os.ErrInvalid
 }
--- a/common/settings/proxy_windows.go
+++ b/common/settings/proxy_windows.go
@@ -1,17 +1,43 @@
 package settings

 import (
-	"github.com/sagernet/sing-box/adapter"
-	F "github.com/sagernet/sing/common/format"
+	"context"
+
+	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/wininet"
 )

-func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
-	err := wininet.SetSystemProxy(F.ToString("http://127.0.0.1:", port), "")
-	if err != nil {
-		return nil, err
-	}
-	return func() error {
-		return wininet.ClearSystemProxy()
+type WindowsSystemProxy struct {
+	serverAddr   M.Socksaddr
+	supportSOCKS bool
+	isEnabled    bool
+}
+
+func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (*WindowsSystemProxy, error) {
+	return &WindowsSystemProxy{
+		serverAddr:   serverAddr,
+		supportSOCKS: supportSOCKS,
 	}, nil
 }
+
+func (p *WindowsSystemProxy) IsEnabled() bool {
+	return p.isEnabled
+}
+
+func (p *WindowsSystemProxy) Enable() error {
+	err := wininet.SetSystemProxy("http://"+p.serverAddr.String(), "")
+	if err != nil {
+		return err
+	}
+	p.isEnabled = true
+	return nil
+}
+
+func (p *WindowsSystemProxy) Disable() error {
+	err := wininet.ClearSystemProxy()
+	if err != nil {
+		return err
+	}
+	p.isEnabled = false
+	return nil
+}
--- a/common/settings/system_proxy.go
+++ b/common/settings/system_proxy.go
@@ -0,0 +1,7 @@
+package settings
+
+type SystemProxy interface {
+	IsEnabled() bool
+	Enable() error
+	Disable() error
+}
--- a/common/tls/ech_client.go
+++ b/common/tls/ech_client.go
@@ -178,7 +178,7 @@ func NewECHClient(ctx context.Context, serverAddress string, options option.Outb
 	} else if options.ECH.ConfigPath != "" {
 		content, err := os.ReadFile(options.ECH.ConfigPath)
 		if err != nil {
-			return nil, E.Cause(err, "read key")
+			return nil, E.Cause(err, "read ECH config")
 		}
 		echConfig = content
 	}
--- a/common/tls/ech_server.go
+++ b/common/tls/ech_server.go
@@ -159,7 +159,7 @@ func (c *echServerConfig) startECHWatcher() error {
 	if err != nil {
 		return err
 	}
-	c.watcher = watcher
+	c.echWatcher = watcher
 	go c.loopECHUpdate()
 	return nil
 }
@@ -178,7 +178,7 @@ func (c *echServerConfig) loopECHUpdate() {
 			if err != nil {
 				c.logger.Error(E.Cause(err, "reload ECH key"))
 			}
-		case err, ok := <-c.watcher.Errors:
+		case err, ok := <-c.echWatcher.Errors:
 			if !ok {
 				return
 			}
@@ -304,7 +304,7 @@ func NewECHServer(ctx context.Context, logger log.Logger, options option.Inbound
 	} else if options.KeyPath != "" {
 		content, err := os.ReadFile(options.ECH.KeyPath)
 		if err != nil {
-			return nil, E.Cause(err, "read key")
+			return nil, E.Cause(err, "read ECH key")
 		}
 		echKey = content
 	} else {
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -1,3 +1,17 @@
+#### 1.5.0-beta.4
+
+* Fixes and improvements
+
+#### 1.5.0-beta.3
+
+* Fixes and improvements
+* Updated Hysteria2 documentation **1**
+
+**1**:
+
+Added notes indicating compatibility issues with the official
+Hysteria2 server and client when using `fastOpen=false` or UDP MTU >= 1200.
+
 #### 1.5.0-beta.2

 * Add hysteria2 protocol support **1**
--- a/docs/configuration/inbound/hysteria2.md
+++ b/docs/configuration/inbound/hysteria2.md
@@ -25,6 +25,10 @@
 }
 ```

+!!! warning "Compatibility issues with the official client"
+
+    The use case of `fastOpen=false` or UDP MTU >= 1200 is not supported when using the official client.
+
 !!! warning ""

    QUIC, which is required by Hysteria2 is not included by default, see [Installation](/#installation).
--- a/docs/configuration/inbound/hysteria2.zh.md
+++ b/docs/configuration/inbound/hysteria2.zh.md
@@ -25,6 +25,10 @@
 }
 ```

+!!! warning "与官方客户端的兼容性问题"
+
+    当使用原始客户端时，不支持 `fastOpen=false` 或者 UDP MTU >= 1200 的用例。
+
 !!! warning ""

    默认安装不包含被 Hysteria2 依赖的 QUIC，参阅 [安装](/zh/#_2)。
--- a/docs/configuration/outbound/hysteria2.md
+++ b/docs/configuration/outbound/hysteria2.md
@@ -21,6 +21,10 @@
 }
 ```

+!!! warning "Compatibility issues with the official server"
+
+    The use case of UDP MTU >= 1200 is not supported when using the official server.
+
 !!! warning ""

    QUIC, which is required by Hysteria2 is not included by default, see [Installation](/#installation).
--- a/docs/configuration/outbound/hysteria2.zh.md
+++ b/docs/configuration/outbound/hysteria2.zh.md
@@ -21,6 +21,10 @@
 }
 ```

+!!! warning "与官方服务器的兼容性问题"
+
+    当使用原始服务器时，不支持 UDP MTU >= 1200 的用例。
+
 !!! warning ""

    默认安装不包含被 Hysteria2 依赖的 QUIC，参阅 [安装](/zh/#_2)。
--- a/docs/configuration/shared/tls.zh.md
+++ b/docs/configuration/shared/tls.zh.md
@@ -227,13 +227,13 @@ ECH (Encrypted Client Hello) 是一个 TLS 扩展，它允许客户端加密其
 信息。


-ECH 配置和密钥可以通过 `sing-box generated ech-keypair [-pq-signature-schemes-enabled]` 生成。
+ECH 配置和密钥可以通过 `sing-box generate ech-keypair [-pq-signature-schemes-enabled]` 生成。

 #### pq_signature_schemes_enabled

 启用对后量子对等证书签名方案的支持。

-建议匹配 `sing-box generated ech-keypair` 的参数。
+建议匹配 `sing-box generate ech-keypair` 的参数。

 #### dynamic_record_sizing_disabled

--- a/experimental/clashapi/server.go
+++ b/experimental/clashapi/server.go
@@ -90,7 +90,7 @@ func NewServer(ctx context.Context, router adapter.Router, logFactory log.Observ
 		defaultMode = options.DefaultMode
 	}
 	if !common.Contains(server.modeList, defaultMode) {
-		server.modeList = append(server.modeList, defaultMode)
+		server.modeList = append([]string{defaultMode}, server.modeList...)
 	}
 	server.mode = defaultMode
 	if options.StoreMode || options.StoreSelected || options.StoreFakeIP || options.ExternalController == "" {
--- a/experimental/libbox/command.go
+++ b/experimental/libbox/command.go
@@ -11,4 +11,6 @@ const (
 	CommandGroupExpand
 	CommandClashMode
 	CommandSetClashMode
+	CommandGetSystemProxyStatus
+	CommandSetSystemProxyEnabled
 )
--- a/experimental/libbox/command_client.go
+++ b/experimental/libbox/command_client.go
@@ -5,6 +5,7 @@ import (
 	"net"
 	"os"
 	"path/filepath"
+	"time"

 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -53,9 +54,24 @@ func (c *CommandClient) directConnect() (net.Conn, error) {
 	}
 }

+func (c *CommandClient) directConnectWithRetry() (net.Conn, error) {
+	var (
+		conn net.Conn
+		err  error
+	)
+	for i := 0; i < 10; i++ {
+		conn, err = c.directConnect()
+		if err == nil {
+			return conn, nil
+		}
+		time.Sleep(time.Duration(100+i*50) * time.Millisecond)
+	}
+	return nil, err
+}
+
 func (c *CommandClient) Connect() error {
 	common.Close(c.conn)
-	conn, err := c.directConnect()
+	conn, err := c.directConnectWithRetry()
 	if err != nil {
 		return err
 	}
--- a/experimental/libbox/command_server.go
+++ b/experimental/libbox/command_server.go
@@ -35,6 +35,8 @@ type CommandServer struct {

 type CommandServerHandler interface {
 	ServiceReload() error
+	GetSystemProxyStatus() *SystemProxyStatus
+	SetSystemProxyEnabled(isEnabled bool) error
 }

 func NewCommandServer(handler CommandServerHandler, maxLines int32) *CommandServer {
@@ -159,6 +161,10 @@ func (s *CommandServer) handleConnection(conn net.Conn) error {
 		return s.handleModeConn(conn)
 	case CommandSetClashMode:
 		return s.handleSetClashMode(conn)
+	case CommandGetSystemProxyStatus:
+		return s.handleGetSystemProxyStatus(conn)
+	case CommandSetSystemProxyEnabled:
+		return s.handleSetSystemProxyEnabled(conn)
 	default:
 		return E.New("unknown command: ", command)
 	}
--- a/experimental/libbox/command_system_proxy.go
+++ b/experimental/libbox/command_system_proxy.go
@@ -0,0 +1,82 @@
+package libbox
+
+import (
+	"encoding/binary"
+	"net"
+)
+
+type SystemProxyStatus struct {
+	Available bool
+	Enabled   bool
+}
+
+func (c *CommandClient) GetSystemProxyStatus() (*SystemProxyStatus, error) {
+	conn, err := c.directConnectWithRetry()
+	if err != nil {
+		return nil, err
+	}
+	defer conn.Close()
+	err = binary.Write(conn, binary.BigEndian, uint8(CommandGetSystemProxyStatus))
+	if err != nil {
+		return nil, err
+	}
+	var status SystemProxyStatus
+	err = binary.Read(conn, binary.BigEndian, &status.Available)
+	if err != nil {
+		return nil, err
+	}
+	if status.Available {
+		err = binary.Read(conn, binary.BigEndian, &status.Enabled)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return &status, nil
+}
+
+func (s *CommandServer) handleGetSystemProxyStatus(conn net.Conn) error {
+	defer conn.Close()
+	status := s.handler.GetSystemProxyStatus()
+	err := binary.Write(conn, binary.BigEndian, status.Available)
+	if err != nil {
+		return err
+	}
+	if status.Available {
+		err = binary.Write(conn, binary.BigEndian, status.Enabled)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (c *CommandClient) SetSystemProxyEnabled(isEnabled bool) error {
+	conn, err := c.directConnect()
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+	err = binary.Write(conn, binary.BigEndian, uint8(CommandSetSystemProxyEnabled))
+	if err != nil {
+		return err
+	}
+	err = binary.Write(conn, binary.BigEndian, isEnabled)
+	if err != nil {
+		return err
+	}
+	return readError(conn)
+}
+
+func (s *CommandServer) handleSetSystemProxyEnabled(conn net.Conn) error {
+	defer conn.Close()
+	var isEnabled bool
+	err := binary.Read(conn, binary.BigEndian, &isEnabled)
+	if err != nil {
+		return err
+	}
+	err = s.handler.SetSystemProxyEnabled(isEnabled)
+	if err != nil {
+		return writeError(conn, err)
+	}
+	return writeError(conn, nil)
+}
--- a/experimental/libbox/log.go
+++ b/experimental/libbox/log.go
@@ -4,6 +4,7 @@ package libbox

 import (
 	"os"
+	"runtime"

 	"golang.org/x/sys/unix"
 )
@@ -18,12 +19,14 @@ func RedirectStderr(path string) error {
 	if err != nil {
 		return err
 	}
-	if sUserID > 0 {
-		err = outputFile.Chown(sUserID, sGroupID)
-		if err != nil {
-			outputFile.Close()
-			os.Remove(outputFile.Name())
-			return err
+	if runtime.GOOS != "android" {
+		if sUserID > 0 {
+			err = outputFile.Chown(sUserID, sGroupID)
+			if err != nil {
+				outputFile.Close()
+				os.Remove(outputFile.Name())
+				return err
+			}
 		}
 	}
 	err = unix.Dup2(int(outputFile.Fd()), int(os.Stderr.Fd()))
--- a/go.mod
+++ b/go.mod
@@ -14,7 +14,7 @@ require (
 	github.com/go-chi/cors v1.2.1
 	github.com/go-chi/render v1.0.3
 	github.com/gofrs/uuid/v5 v5.0.0
-	github.com/insomniacslk/dhcp v0.0.0-20230816195147-b3ca2534940d
+	github.com/insomniacslk/dhcp v0.0.0-20230906122924-c71a6be05968
 	github.com/logrusorgru/aurora v2.0.3+incompatible
 	github.com/mholt/acmez v1.2.0
 	github.com/miekg/dns v1.1.55
@@ -26,14 +26,14 @@ require (
 	github.com/sagernet/gvisor v0.0.0-20230627031050-1ab0276e0dd2
 	github.com/sagernet/quic-go v0.0.0-20230831052420-45809eee2e86
 	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691
-	github.com/sagernet/sing v0.2.10-0.20230830132630-30bf19f2833c
+	github.com/sagernet/sing v0.2.10-0.20230907044649-03c21c0a1205
 	github.com/sagernet/sing-dns v0.1.9-0.20230824120133-4d5cbceb40c1
-	github.com/sagernet/sing-mux v0.1.3-0.20230830095209-2a10ebd53ba8
-	github.com/sagernet/sing-shadowsocks v0.2.4
-	github.com/sagernet/sing-shadowsocks2 v0.1.3
+	github.com/sagernet/sing-mux v0.1.3-0.20230907005326-7befbadbf314
+	github.com/sagernet/sing-shadowsocks v0.2.5-0.20230907005610-126234728ca0
+	github.com/sagernet/sing-shadowsocks2 v0.1.4-0.20230907005906-5d2917b29248
 	github.com/sagernet/sing-shadowtls v0.1.4
 	github.com/sagernet/sing-tun v0.1.12-0.20230821065522-7545dc2d5641
-	github.com/sagernet/sing-vmess v0.1.7
+	github.com/sagernet/sing-vmess v0.1.8-0.20230907010359-161fb0ac716b
 	github.com/sagernet/smux v0.0.0-20230312102458-337ec2a5af37
 	github.com/sagernet/tfo-go v0.0.0-20230816093905-5a5c285d44a6
 	github.com/sagernet/utls v0.0.0-20230309024959-6732c2ab36f2
@@ -44,12 +44,12 @@ require (
 	go.etcd.io/bbolt v1.3.7
 	go.uber.org/zap v1.25.0
 	go4.org/netipx v0.0.0-20230824141953-6213f710f925
-	golang.org/x/crypto v0.12.0
+	golang.org/x/crypto v0.13.0
 	golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63
-	golang.org/x/net v0.14.0
-	golang.org/x/sys v0.11.0
+	golang.org/x/net v0.15.0
+	golang.org/x/sys v0.12.0
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
-	google.golang.org/grpc v1.57.0
+	google.golang.org/grpc v1.58.0
 	google.golang.org/protobuf v1.31.0
 	howett.net/plist v1.0.0
 )
@@ -87,10 +87,10 @@ require (
 	github.com/zeebo/blake3 v0.2.3 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/mod v0.12.0 // indirect
-	golang.org/x/text v0.12.0 // indirect
+	golang.org/x/text v0.13.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98 // indirect
 	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	lukechampine.com/blake3 v1.2.1 // indirect
--- a/go.sum
+++ b/go.sum
@@ -54,8 +54,8 @@ github.com/hashicorp/yamux v0.1.1/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbg
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/insomniacslk/dhcp v0.0.0-20230816195147-b3ca2534940d h1:Ka64cclWedOkGzm9M2/XYuwJUdmWRUozmsxW0PyKA3A=
-github.com/insomniacslk/dhcp v0.0.0-20230816195147-b3ca2534940d/go.mod h1:7474bZ1YNCvarT6WFKie4kEET6J0KYRDC4XJqqXzQW4=
+github.com/insomniacslk/dhcp v0.0.0-20230906122924-c71a6be05968 h1:uBiv5/8x42J7myumCdFuDOc5HnEXRK6eOtefwvE6+TQ=
+github.com/insomniacslk/dhcp v0.0.0-20230906122924-c71a6be05968/go.mod h1:zmdm3sTSDP3vOOX3CEWRkkRHtKr1DxBx+J1OQFoDQQs=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/josharian/native v1.0.1-0.20221213033349-c1e37c09b531/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA=
@@ -112,22 +112,22 @@ github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 h1:5Th31OC6yj8byL
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
 github.com/sagernet/sing v0.0.0-20220817130738-ce854cda8522/go.mod h1:QVsS5L/ZA2Q5UhQwLrn0Trw+msNd/NPGEhBKR/ioWiY=
 github.com/sagernet/sing v0.1.8/go.mod h1:jt1w2u7lJQFFSGLiRrRIs5YWmx4kAPfWuOejuDW9qMk=
-github.com/sagernet/sing v0.2.10-0.20230830132630-30bf19f2833c h1:J2ptRncTNy+ZHfcFYSBfTmpvmgNlSEUZz6sDjh1np/Y=
-github.com/sagernet/sing v0.2.10-0.20230830132630-30bf19f2833c/go.mod h1:9uOZwWkhT2Z2WldolLxX34s+1svAX4i4vvz5hy8u1MA=
+github.com/sagernet/sing v0.2.10-0.20230907044649-03c21c0a1205 h1:U/OwMlCH1XFjrDrw5BESGxGsnynT6nDnHvNI9Xv0U78=
+github.com/sagernet/sing v0.2.10-0.20230907044649-03c21c0a1205/go.mod h1:9uOZwWkhT2Z2WldolLxX34s+1svAX4i4vvz5hy8u1MA=
 github.com/sagernet/sing-dns v0.1.9-0.20230824120133-4d5cbceb40c1 h1:5w+jXz8y/8UQAxO74TjftN5okYkpg5mGvVxXunlKdqI=
 github.com/sagernet/sing-dns v0.1.9-0.20230824120133-4d5cbceb40c1/go.mod h1:Kg98PBJEg/08jsNFtmZWmPomhskn9Ausn50ecNm4M+8=
-github.com/sagernet/sing-mux v0.1.3-0.20230830095209-2a10ebd53ba8 h1:UyUkEUEGqfIGqzOJ7OuJry4slgcT/qb0etDJ+89LTAs=
-github.com/sagernet/sing-mux v0.1.3-0.20230830095209-2a10ebd53ba8/go.mod h1:TKxqIvfQQgd36jp2tzsPavGjYTVZilV+atip1cssjIY=
-github.com/sagernet/sing-shadowsocks v0.2.4 h1:s/CqXlvFAZhlIoHWUwPw5CoNnQ9Ibki9pckjuugtVfY=
-github.com/sagernet/sing-shadowsocks v0.2.4/go.mod h1:80fNKP0wnqlu85GZXV1H1vDPC/2t+dQbFggOw4XuFUM=
-github.com/sagernet/sing-shadowsocks2 v0.1.3 h1:WXoLvCFi5JTFBRYorf1YePGYIQyJ/zbsBM6Fwbl5kGA=
-github.com/sagernet/sing-shadowsocks2 v0.1.3/go.mod h1:DOhJc/cLeqRv0wuePrQso+iUmDxOnWF4eT/oMcRzYFw=
+github.com/sagernet/sing-mux v0.1.3-0.20230907005326-7befbadbf314 h1:P5+NZGMH8KSI3L8lKw1znxdRi0tIpWbGYjmv8GrFHrQ=
+github.com/sagernet/sing-mux v0.1.3-0.20230907005326-7befbadbf314/go.mod h1:TKxqIvfQQgd36jp2tzsPavGjYTVZilV+atip1cssjIY=
+github.com/sagernet/sing-shadowsocks v0.2.5-0.20230907005610-126234728ca0 h1:9wHYWxH+fcs01PM2+DylA8LNNY3ElnZykQo9rysng8U=
+github.com/sagernet/sing-shadowsocks v0.2.5-0.20230907005610-126234728ca0/go.mod h1:80fNKP0wnqlu85GZXV1H1vDPC/2t+dQbFggOw4XuFUM=
+github.com/sagernet/sing-shadowsocks2 v0.1.4-0.20230907005906-5d2917b29248 h1:JTFfy/LDmVFEK4KZJEujmC1iO8+aoF4unYhhZZRzRq4=
+github.com/sagernet/sing-shadowsocks2 v0.1.4-0.20230907005906-5d2917b29248/go.mod h1:DOhJc/cLeqRv0wuePrQso+iUmDxOnWF4eT/oMcRzYFw=
 github.com/sagernet/sing-shadowtls v0.1.4 h1:aTgBSJEgnumzFenPvc+kbD9/W0PywzWevnVpEx6Tw3k=
 github.com/sagernet/sing-shadowtls v0.1.4/go.mod h1:F8NBgsY5YN2beQavdgdm1DPlhaKQlaL6lpDdcBglGK4=
 github.com/sagernet/sing-tun v0.1.12-0.20230821065522-7545dc2d5641 h1:a8lktNrCWZJisB+nPraW+qB73ZofgPtGmlfqNYcO79g=
 github.com/sagernet/sing-tun v0.1.12-0.20230821065522-7545dc2d5641/go.mod h1:+YImslQMLgMQcVgZZ9IK4ue1o/605VSU90amHUcp4hA=
-github.com/sagernet/sing-vmess v0.1.7 h1:TM8FFLsXmlXH9XT8/oDgc6PC5BOzrg6OzyEe01is2r4=
-github.com/sagernet/sing-vmess v0.1.7/go.mod h1:1qkC1L1T2sxnS/NuO6HU72S8TkltV+EXoKGR29m/Yss=
+github.com/sagernet/sing-vmess v0.1.8-0.20230907010359-161fb0ac716b h1:2ezfJtH5JosiEwJhVa+rimQ6ps/t2+7h+mOzMoiaZnA=
+github.com/sagernet/sing-vmess v0.1.8-0.20230907010359-161fb0ac716b/go.mod h1:1qkC1L1T2sxnS/NuO6HU72S8TkltV+EXoKGR29m/Yss=
 github.com/sagernet/smux v0.0.0-20230312102458-337ec2a5af37 h1:HuE6xSwco/Xed8ajZ+coeYLmioq0Qp1/Z2zczFaV8as=
 github.com/sagernet/smux v0.0.0-20230312102458-337ec2a5af37/go.mod h1:3skNSftZDJWTGVtVaM2jfbce8qHnmH/AGDRe62iNOg0=
 github.com/sagernet/tfo-go v0.0.0-20230816093905-5a5c285d44a6 h1:Px+hN4Vzgx+iCGVnWH5A8eR7JhNnIV3rGQmBxA7cw6Q=
@@ -171,16 +171,16 @@ go4.org/netipx v0.0.0-20230824141953-6213f710f925 h1:eeQDDVKFkx0g4Hyy8pHgmZaK0Eq
 go4.org/netipx v0.0.0-20230824141953-6213f710f925/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
-golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk=
-golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
+golang.org/x/crypto v0.13.0 h1:mvySKfSWJ+UKUii46M40LOvyWfN0s2U+46/jDd0e6Ck=
+golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63 h1:m64FZMko/V45gv0bNmrNYoDEq8U5YUhetc9cBWKS1TQ=
 golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63/go.mod h1:0v4NqG35kSWCMzLaMeX+IQrlSnVE/bqGSyC2cz/9Le8=
 golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14=
-golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI=
+golang.org/x/net v0.15.0 h1:ugBLEUaxABaB5AJqW9enI0ACdci2RUd4eP51NTBvuJ8=
+golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
 golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -192,14 +192,14 @@ golang.org/x/sys v0.0.0-20220731174439-a90be440212d/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM=
-golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0 h1:CM0HF96J0hcLAwsHPJZjfdNzs0gftsLfgKt57wWHJ0o=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.11.0 h1:F9tnn/DA/Im8nCwm+fX+1/eBwi4qFjRT++MhtVC4ZX0=
+golang.org/x/term v0.12.0 h1:/ZfYdc3zq+q02Rv9vGqTeSItdzZTSNDmfTi0mBAuidU=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc=
-golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
 golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -208,10 +208,10 @@ golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846/go.mod h1:Sc0INKfu04Tlq
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6 h1:CawjfCvYQH2OU3/TnxLx97WDSUDRABfT18pCOYwc2GE=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6/go.mod h1:3rxYc4HtVcSG9gVaTs2GEBdehh+sYPOwKtyUWEOTb80=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19 h1:0nDDozoAU19Qb2HwhXadU8OcsiO/09cnTqhUtq2MEOM=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA=
-google.golang.org/grpc v1.57.0 h1:kfzNeI/klCGD2YPMUlaGNT3pxvYfga7smW3Vth8Zsiw=
-google.golang.org/grpc v1.57.0/go.mod h1:Sd+9RMTACXwmub0zcNY2c4arhtrbBYD1AUHI/dt16Mo=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98 h1:bVf09lpb+OJbByTj913DRJioFFAjf/ZGxEz7MajTp2U=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98/go.mod h1:TUfxEVdsvPg18p6AslUXFoLdpED4oBnGwyqk3dV1XzM=
+google.golang.org/grpc v1.58.0 h1:32JY8YpPMSR45K+c3o6b8VL73V+rR8k+DeMIr4vRH8o=
+google.golang.org/grpc v1.58.0/go.mod h1:tgX3ZQDlNJGU96V6yHh1T/JeoBQ2TXdr43YbYSsCJk0=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
--- a/inbound/default.go
+++ b/inbound/default.go
@@ -33,8 +33,8 @@ type myInboundAdapter struct {

 	// http mixed

-	setSystemProxy   bool
-	clearSystemProxy func() error
+	setSystemProxy bool
+	systemProxy    settings.SystemProxy

 	// internal

@@ -91,7 +91,19 @@ func (a *myInboundAdapter) Start() error {
 		}
 	}
 	if a.setSystemProxy {
-		a.clearSystemProxy, err = settings.SetSystemProxy(a.router, M.SocksaddrFromNet(a.tcpListener.Addr()).Port, a.protocol == C.TypeMixed)
+		listenPort := M.SocksaddrFromNet(a.tcpListener.Addr()).Port
+		var listenAddrString string
+		listenAddr := a.listenOptions.Listen.Build()
+		if listenAddr.IsUnspecified() {
+			listenAddrString = "127.0.0.1"
+		} else {
+			listenAddrString = listenAddr.String()
+		}
+		a.systemProxy, err = settings.NewSystemProxy(a.ctx, M.ParseSocksaddrHostPort(listenAddrString, listenPort), a.protocol == C.TypeMixed)
+		if err != nil {
+			return E.Cause(err, "initialize system proxy")
+		}
+		err = a.systemProxy.Enable()
 		if err != nil {
 			return E.Cause(err, "set system proxy")
 		}
@@ -102,8 +114,8 @@ func (a *myInboundAdapter) Start() error {
 func (a *myInboundAdapter) Close() error {
 	a.inShutdown.Store(true)
 	var err error
-	if a.clearSystemProxy != nil {
-		err = a.clearSystemProxy()
+	if a.systemProxy != nil && a.systemProxy.IsEnabled() {
+		err = a.systemProxy.Disable()
 	}
 	return E.Errors(err, common.Close(
 		a.tcpListener,
--- a/outbound/default.go
+++ b/outbound/default.go
@@ -70,6 +70,28 @@ func NewConnection(ctx context.Context, this N.Dialer, conn net.Conn, metadata a
 	return CopyEarlyConn(ctx, conn, outConn)
 }

+func NewDirectConnection(ctx context.Context, router adapter.Router, this N.Dialer, conn net.Conn, metadata adapter.InboundContext) error {
+	ctx = adapter.WithContext(ctx, &metadata)
+	var outConn net.Conn
+	var err error
+	if len(metadata.DestinationAddresses) > 0 {
+		outConn, err = N.DialSerial(ctx, this, N.NetworkTCP, metadata.Destination, metadata.DestinationAddresses)
+	} else if metadata.Destination.IsFqdn() {
+		var destinationAddresses []netip.Addr
+		destinationAddresses, err = router.LookupDefault(ctx, metadata.Destination.Fqdn)
+		if err != nil {
+			return N.HandshakeFailure(conn, err)
+		}
+		outConn, err = N.DialSerial(ctx, this, N.NetworkTCP, metadata.Destination, destinationAddresses)
+	} else {
+		outConn, err = this.DialContext(ctx, N.NetworkTCP, metadata.Destination)
+	}
+	if err != nil {
+		return N.HandshakeFailure(conn, err)
+	}
+	return CopyEarlyConn(ctx, conn, outConn)
+}
+
 func NewPacketConnection(ctx context.Context, this N.Dialer, conn N.PacketConn, metadata adapter.InboundContext) error {
 	ctx = adapter.WithContext(ctx, &metadata)
 	var outConn net.PacketConn
@@ -99,6 +121,42 @@ func NewPacketConnection(ctx context.Context, this N.Dialer, conn N.PacketConn,
 	return bufio.CopyPacketConn(ctx, conn, bufio.NewPacketConn(outConn))
 }

+func NewDirectPacketConnection(ctx context.Context, router adapter.Router, this N.Dialer, conn N.PacketConn, metadata adapter.InboundContext) error {
+	ctx = adapter.WithContext(ctx, &metadata)
+	var outConn net.PacketConn
+	var destinationAddress netip.Addr
+	var err error
+	if len(metadata.DestinationAddresses) > 0 {
+		outConn, destinationAddress, err = N.ListenSerial(ctx, this, metadata.Destination, metadata.DestinationAddresses)
+	} else if metadata.Destination.IsFqdn() {
+		var destinationAddresses []netip.Addr
+		destinationAddresses, err = router.LookupDefault(ctx, metadata.Destination.Fqdn)
+		if err != nil {
+			return N.HandshakeFailure(conn, err)
+		}
+		outConn, destinationAddress, err = N.ListenSerial(ctx, this, metadata.Destination, destinationAddresses)
+	} else {
+		outConn, err = this.ListenPacket(ctx, metadata.Destination)
+	}
+	if err != nil {
+		return N.HandshakeFailure(conn, err)
+	}
+	if destinationAddress.IsValid() {
+		if natConn, loaded := common.Cast[bufio.NATPacketConn](conn); loaded {
+			natConn.UpdateDestination(destinationAddress)
+		}
+	}
+	switch metadata.Protocol {
+	case C.ProtocolSTUN:
+		ctx, conn = canceler.NewPacketConn(ctx, conn, C.STUNTimeout)
+	case C.ProtocolQUIC:
+		ctx, conn = canceler.NewPacketConn(ctx, conn, C.QUICTimeout)
+	case C.ProtocolDNS:
+		ctx, conn = canceler.NewPacketConn(ctx, conn, C.DNSTimeout)
+	}
+	return bufio.CopyPacketConn(ctx, conn, bufio.NewPacketConn(outConn))
+}
+
 func CopyEarlyConn(ctx context.Context, conn net.Conn, serverConn net.Conn) error {
 	if cachedReader, isCached := conn.(N.CachedReader); isCached {
 		payload := cachedReader.ReadCached()
--- a/outbound/socks.go
+++ b/outbound/socks.go
@@ -80,11 +80,11 @@ func (h *Socks) DialContext(ctx context.Context, network string, destination M.S
 		return nil, E.Extend(N.ErrUnknownNetwork, network)
 	}
 	if h.resolve && destination.IsFqdn() {
-		addrs, err := h.router.LookupDefault(ctx, destination.Fqdn)
+		destinationAddresses, err := h.router.LookupDefault(ctx, destination.Fqdn)
 		if err != nil {
 			return nil, err
 		}
-		return N.DialSerial(ctx, h.client, network, destination, addrs)
+		return N.DialSerial(ctx, h.client, network, destination, destinationAddresses)
 	}
 	return h.client.DialContext(ctx, network, destination)
 }
@@ -97,14 +97,25 @@ func (h *Socks) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.
 		h.logger.InfoContext(ctx, "outbound UoT packet connection to ", destination)
 		return h.uotClient.ListenPacket(ctx, destination)
 	}
+	if h.resolve && destination.IsFqdn() {
+		destinationAddresses, err := h.router.LookupDefault(ctx, destination.Fqdn)
+		if err != nil {
+			return nil, err
+		}
+		packetConn, _, err := N.ListenSerial(ctx, h.client, destination, destinationAddresses)
+		if err != nil {
+			return nil, err
+		}
+		return packetConn, nil
+	}
 	h.logger.InfoContext(ctx, "outbound packet connection to ", destination)
 	return h.client.ListenPacket(ctx, destination)
 }

 func (h *Socks) NewConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
-	return NewConnection(ctx, h, conn, metadata)
+	return NewDirectConnection(ctx, h.router, h, conn, metadata)
 }

 func (h *Socks) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
-	return NewPacketConnection(ctx, h, conn, metadata)
+	return NewDirectPacketConnection(ctx, h.router, h, conn, metadata)
 }
--- a/outbound/wireguard.go
+++ b/outbound/wireguard.go
@@ -202,26 +202,37 @@ func (w *WireGuard) DialContext(ctx context.Context, network string, destination
 		w.logger.InfoContext(ctx, "outbound packet connection to ", destination)
 	}
 	if destination.IsFqdn() {
-		addrs, err := w.router.LookupDefault(ctx, destination.Fqdn)
+		destinationAddresses, err := w.router.LookupDefault(ctx, destination.Fqdn)
 		if err != nil {
 			return nil, err
 		}
-		return N.DialSerial(ctx, w.tunDevice, network, destination, addrs)
+		return N.DialSerial(ctx, w.tunDevice, network, destination, destinationAddresses)
 	}
 	return w.tunDevice.DialContext(ctx, network, destination)
 }

 func (w *WireGuard) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
 	w.logger.InfoContext(ctx, "outbound packet connection to ", destination)
+	if destination.IsFqdn() {
+		destinationAddresses, err := w.router.LookupDefault(ctx, destination.Fqdn)
+		if err != nil {
+			return nil, err
+		}
+		packetConn, _, err := N.ListenSerial(ctx, w.tunDevice, destination, destinationAddresses)
+		if err != nil {
+			return nil, err
+		}
+		return packetConn, err
+	}
 	return w.tunDevice.ListenPacket(ctx, destination)
 }

 func (w *WireGuard) NewConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
-	return NewConnection(ctx, w, conn, metadata)
+	return NewDirectConnection(ctx, w.router, w, conn, metadata)
 }

 func (w *WireGuard) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
-	return NewPacketConnection(ctx, w, conn, metadata)
+	return NewDirectPacketConnection(ctx, w.router, w, conn, metadata)
 }

 func (w *WireGuard) Start() error {
--- a/route/router.go
+++ b/route/router.go
@@ -521,7 +521,7 @@ func (r *Router) Close() error {
 			return E.Cause(err, "close dns transport[", i, "]")
 		})
 	}
-	if r.geositeReader != nil {
+	if r.geoIPReader != nil {
 		r.logger.Trace("closing geoip reader")
 		err = E.Append(err, common.Close(r.geoIPReader), func(err error) error {
 			return E.Cause(err, "close geoip reader")
--- a/test/clash_test.go
+++ b/test/clash_test.go
@@ -32,7 +32,8 @@ const (
 	ImageTrojan                = "trojangfw/trojan:latest"
 	ImageNaive                 = "pocat/naiveproxy:client"
 	ImageBoringTun             = "ghcr.io/ntkme/boringtun:edge"
-	ImageHysteria              = "tobyxdd/hysteria:latest"
+	ImageHysteria              = "tobyxdd/hysteria:v1.3.5"
+	ImageHysteria2             = "tobyxdd/hysteria:v2"
 	ImageNginx                 = "nginx:stable"
 	ImageShadowTLS             = "ghcr.io/ihciah/shadow-tls:latest"
 	ImageShadowsocksR          = "teddysun/shadowsocks-r:latest"
@@ -50,6 +51,7 @@ var allImages = []string{
 	ImageNaive,
 	ImageBoringTun,
 	ImageHysteria,
+	ImageHysteria2,
 	ImageNginx,
 	ImageShadowTLS,
 	ImageShadowsocksR,
@@ -376,7 +378,7 @@ func testLargeDataWithPacketConnSize(t *testing.T, port uint16, chunkSize int, p

 	rAddr := &net.UDPAddr{IP: localIP.AsSlice(), Port: int(port)}

-	times := 50
+	times := 2

 	pingCh, pongCh, test := newLargeDataPair()
 	writeRandData := func(pc net.PacketConn, addr net.Addr) (map[int][]byte, error) {
--- a/test/config/hysteria2-client.yml
+++ b/test/config/hysteria2-client.yml
@@ -0,0 +1,12 @@
+server: 127.0.0.1:10000
+auth: password
+fastOpen: true
+socks5:
+  listen: 127.0.0.1:10001
+tls:
+  sni: example.org
+  ca: /etc/hysteria/ca.pem
+obfs:
+  type: salamander
+  salamander:
+    password: cry_me_a_r1ver
--- a/test/config/hysteria2-server.yml
+++ b/test/config/hysteria2-server.yml
@@ -0,0 +1,13 @@
+listen: 127.0.0.1:10000
+auth:
+  type: password
+  password: password
+fastOpen: true
+tls:
+  sni: example.org
+  cert: /etc/hysteria/cert.pem
+  key: /etc/hysteria/key.pem
+obfs:
+  type: salamander
+  salamander:
+    password: cry_me_a_r1ver
--- a/test/go.mod
+++ b/test/go.mod
@@ -7,16 +7,16 @@ require github.com/sagernet/sing-box v0.0.0
 replace github.com/sagernet/sing-box => ../

 require (
-	github.com/docker/docker v24.0.5+incompatible
+	github.com/docker/docker v24.0.6+incompatible
 	github.com/docker/go-connections v0.4.0
 	github.com/gofrs/uuid/v5 v5.0.0
-	github.com/sagernet/sing v0.2.10-0.20230830132630-30bf19f2833c
-	github.com/sagernet/sing-shadowsocks v0.2.4
-	github.com/sagernet/sing-shadowsocks2 v0.1.3
+	github.com/sagernet/sing v0.2.10-0.20230907044649-03c21c0a1205
+	github.com/sagernet/sing-shadowsocks v0.2.5-0.20230907005610-126234728ca0
+	github.com/sagernet/sing-shadowsocks2 v0.1.4-0.20230907005906-5d2917b29248
 	github.com/spyzhov/ajson v0.9.0
 	github.com/stretchr/testify v1.8.4
 	go.uber.org/goleak v1.2.1
-	golang.org/x/net v0.14.0
+	golang.org/x/net v0.15.0
 )

 require (
@@ -44,7 +44,7 @@ require (
 	github.com/google/btree v1.1.2 // indirect
 	github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38 // indirect
 	github.com/hashicorp/yamux v0.1.1 // indirect
-	github.com/insomniacslk/dhcp v0.0.0-20230816195147-b3ca2534940d // indirect
+	github.com/insomniacslk/dhcp v0.0.0-20230906122924-c71a6be05968 // indirect
 	github.com/josharian/native v1.1.0 // indirect
 	github.com/klauspost/compress v1.15.15 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.5 // indirect
@@ -72,10 +72,10 @@ require (
 	github.com/sagernet/quic-go v0.0.0-20230831052420-45809eee2e86 // indirect
 	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 // indirect
 	github.com/sagernet/sing-dns v0.1.9-0.20230824120133-4d5cbceb40c1 // indirect
-	github.com/sagernet/sing-mux v0.1.3-0.20230830095209-2a10ebd53ba8 // indirect
+	github.com/sagernet/sing-mux v0.1.3-0.20230907005326-7befbadbf314 // indirect
 	github.com/sagernet/sing-shadowtls v0.1.4 // indirect
 	github.com/sagernet/sing-tun v0.1.12-0.20230821065522-7545dc2d5641 // indirect
-	github.com/sagernet/sing-vmess v0.1.7 // indirect
+	github.com/sagernet/sing-vmess v0.1.8-0.20230907010359-161fb0ac716b // indirect
 	github.com/sagernet/smux v0.0.0-20230312102458-337ec2a5af37 // indirect
 	github.com/sagernet/tfo-go v0.0.0-20230816093905-5a5c285d44a6 // indirect
 	github.com/sagernet/utls v0.0.0-20230309024959-6732c2ab36f2 // indirect
@@ -89,15 +89,15 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.25.0 // indirect
 	go4.org/netipx v0.0.0-20230824141953-6213f710f925 // indirect
-	golang.org/x/crypto v0.12.0 // indirect
+	golang.org/x/crypto v0.13.0 // indirect
 	golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63 // indirect
 	golang.org/x/mod v0.12.0 // indirect
-	golang.org/x/sys v0.11.0 // indirect
-	golang.org/x/text v0.12.0 // indirect
+	golang.org/x/sys v0.12.0 // indirect
+	golang.org/x/text v0.13.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19 // indirect
-	google.golang.org/grpc v1.57.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98 // indirect
+	google.golang.org/grpc v1.58.0 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	gotest.tools/v3 v3.4.0 // indirect
--- a/test/go.sum
+++ b/test/go.sum
@@ -27,8 +27,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/docker/distribution v2.8.1+incompatible h1:Q50tZOPR6T/hjNsyc9g8/syEs6bk8XXApsHjKukMl68=
 github.com/docker/distribution v2.8.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v24.0.5+incompatible h1:WmgcE4fxyI6EEXxBRxsHnZXrO1pQ3smi0k/jho4HLeY=
-github.com/docker/docker v24.0.5+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v24.0.6+incompatible h1:hceabKCtUgDqPu+qm0NgsaXf28Ljf4/pWFL7xjWWDgE=
+github.com/docker/docker v24.0.6+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
 github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
 github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw=
@@ -64,8 +64,8 @@ github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLe
 github.com/hashicorp/yamux v0.1.1 h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE=
 github.com/hashicorp/yamux v0.1.1/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
-github.com/insomniacslk/dhcp v0.0.0-20230816195147-b3ca2534940d h1:Ka64cclWedOkGzm9M2/XYuwJUdmWRUozmsxW0PyKA3A=
-github.com/insomniacslk/dhcp v0.0.0-20230816195147-b3ca2534940d/go.mod h1:7474bZ1YNCvarT6WFKie4kEET6J0KYRDC4XJqqXzQW4=
+github.com/insomniacslk/dhcp v0.0.0-20230906122924-c71a6be05968 h1:uBiv5/8x42J7myumCdFuDOc5HnEXRK6eOtefwvE6+TQ=
+github.com/insomniacslk/dhcp v0.0.0-20230906122924-c71a6be05968/go.mod h1:zmdm3sTSDP3vOOX3CEWRkkRHtKr1DxBx+J1OQFoDQQs=
 github.com/josharian/native v1.0.1-0.20221213033349-c1e37c09b531/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA=
 github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
@@ -127,22 +127,22 @@ github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 h1:5Th31OC6yj8byL
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
 github.com/sagernet/sing v0.0.0-20220817130738-ce854cda8522/go.mod h1:QVsS5L/ZA2Q5UhQwLrn0Trw+msNd/NPGEhBKR/ioWiY=
 github.com/sagernet/sing v0.1.8/go.mod h1:jt1w2u7lJQFFSGLiRrRIs5YWmx4kAPfWuOejuDW9qMk=
-github.com/sagernet/sing v0.2.10-0.20230830132630-30bf19f2833c h1:J2ptRncTNy+ZHfcFYSBfTmpvmgNlSEUZz6sDjh1np/Y=
-github.com/sagernet/sing v0.2.10-0.20230830132630-30bf19f2833c/go.mod h1:9uOZwWkhT2Z2WldolLxX34s+1svAX4i4vvz5hy8u1MA=
+github.com/sagernet/sing v0.2.10-0.20230907044649-03c21c0a1205 h1:U/OwMlCH1XFjrDrw5BESGxGsnynT6nDnHvNI9Xv0U78=
+github.com/sagernet/sing v0.2.10-0.20230907044649-03c21c0a1205/go.mod h1:9uOZwWkhT2Z2WldolLxX34s+1svAX4i4vvz5hy8u1MA=
 github.com/sagernet/sing-dns v0.1.9-0.20230824120133-4d5cbceb40c1 h1:5w+jXz8y/8UQAxO74TjftN5okYkpg5mGvVxXunlKdqI=
 github.com/sagernet/sing-dns v0.1.9-0.20230824120133-4d5cbceb40c1/go.mod h1:Kg98PBJEg/08jsNFtmZWmPomhskn9Ausn50ecNm4M+8=
-github.com/sagernet/sing-mux v0.1.3-0.20230830095209-2a10ebd53ba8 h1:UyUkEUEGqfIGqzOJ7OuJry4slgcT/qb0etDJ+89LTAs=
-github.com/sagernet/sing-mux v0.1.3-0.20230830095209-2a10ebd53ba8/go.mod h1:TKxqIvfQQgd36jp2tzsPavGjYTVZilV+atip1cssjIY=
-github.com/sagernet/sing-shadowsocks v0.2.4 h1:s/CqXlvFAZhlIoHWUwPw5CoNnQ9Ibki9pckjuugtVfY=
-github.com/sagernet/sing-shadowsocks v0.2.4/go.mod h1:80fNKP0wnqlu85GZXV1H1vDPC/2t+dQbFggOw4XuFUM=
-github.com/sagernet/sing-shadowsocks2 v0.1.3 h1:WXoLvCFi5JTFBRYorf1YePGYIQyJ/zbsBM6Fwbl5kGA=
-github.com/sagernet/sing-shadowsocks2 v0.1.3/go.mod h1:DOhJc/cLeqRv0wuePrQso+iUmDxOnWF4eT/oMcRzYFw=
+github.com/sagernet/sing-mux v0.1.3-0.20230907005326-7befbadbf314 h1:P5+NZGMH8KSI3L8lKw1znxdRi0tIpWbGYjmv8GrFHrQ=
+github.com/sagernet/sing-mux v0.1.3-0.20230907005326-7befbadbf314/go.mod h1:TKxqIvfQQgd36jp2tzsPavGjYTVZilV+atip1cssjIY=
+github.com/sagernet/sing-shadowsocks v0.2.5-0.20230907005610-126234728ca0 h1:9wHYWxH+fcs01PM2+DylA8LNNY3ElnZykQo9rysng8U=
+github.com/sagernet/sing-shadowsocks v0.2.5-0.20230907005610-126234728ca0/go.mod h1:80fNKP0wnqlu85GZXV1H1vDPC/2t+dQbFggOw4XuFUM=
+github.com/sagernet/sing-shadowsocks2 v0.1.4-0.20230907005906-5d2917b29248 h1:JTFfy/LDmVFEK4KZJEujmC1iO8+aoF4unYhhZZRzRq4=
+github.com/sagernet/sing-shadowsocks2 v0.1.4-0.20230907005906-5d2917b29248/go.mod h1:DOhJc/cLeqRv0wuePrQso+iUmDxOnWF4eT/oMcRzYFw=
 github.com/sagernet/sing-shadowtls v0.1.4 h1:aTgBSJEgnumzFenPvc+kbD9/W0PywzWevnVpEx6Tw3k=
 github.com/sagernet/sing-shadowtls v0.1.4/go.mod h1:F8NBgsY5YN2beQavdgdm1DPlhaKQlaL6lpDdcBglGK4=
 github.com/sagernet/sing-tun v0.1.12-0.20230821065522-7545dc2d5641 h1:a8lktNrCWZJisB+nPraW+qB73ZofgPtGmlfqNYcO79g=
 github.com/sagernet/sing-tun v0.1.12-0.20230821065522-7545dc2d5641/go.mod h1:+YImslQMLgMQcVgZZ9IK4ue1o/605VSU90amHUcp4hA=
-github.com/sagernet/sing-vmess v0.1.7 h1:TM8FFLsXmlXH9XT8/oDgc6PC5BOzrg6OzyEe01is2r4=
-github.com/sagernet/sing-vmess v0.1.7/go.mod h1:1qkC1L1T2sxnS/NuO6HU72S8TkltV+EXoKGR29m/Yss=
+github.com/sagernet/sing-vmess v0.1.8-0.20230907010359-161fb0ac716b h1:2ezfJtH5JosiEwJhVa+rimQ6ps/t2+7h+mOzMoiaZnA=
+github.com/sagernet/sing-vmess v0.1.8-0.20230907010359-161fb0ac716b/go.mod h1:1qkC1L1T2sxnS/NuO6HU72S8TkltV+EXoKGR29m/Yss=
 github.com/sagernet/smux v0.0.0-20230312102458-337ec2a5af37 h1:HuE6xSwco/Xed8ajZ+coeYLmioq0Qp1/Z2zczFaV8as=
 github.com/sagernet/smux v0.0.0-20230312102458-337ec2a5af37/go.mod h1:3skNSftZDJWTGVtVaM2jfbce8qHnmH/AGDRe62iNOg0=
 github.com/sagernet/tfo-go v0.0.0-20230816093905-5a5c285d44a6 h1:Px+hN4Vzgx+iCGVnWH5A8eR7JhNnIV3rGQmBxA7cw6Q=
@@ -190,8 +190,8 @@ golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5/go.mod h1:WFFai1msRO1wXaE
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
-golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk=
-golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
+golang.org/x/crypto v0.13.0 h1:mvySKfSWJ+UKUii46M40LOvyWfN0s2U+46/jDd0e6Ck=
+golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63 h1:m64FZMko/V45gv0bNmrNYoDEq8U5YUhetc9cBWKS1TQ=
 golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63/go.mod h1:0v4NqG35kSWCMzLaMeX+IQrlSnVE/bqGSyC2cz/9Le8=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
@@ -204,8 +204,8 @@ golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14=
-golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI=
+golang.org/x/net v0.15.0 h1:ugBLEUaxABaB5AJqW9enI0ACdci2RUd4eP51NTBvuJ8=
+golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -224,15 +224,15 @@ golang.org/x/sys v0.0.0-20220731174439-a90be440212d/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM=
-golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0 h1:CM0HF96J0hcLAwsHPJZjfdNzs0gftsLfgKt57wWHJ0o=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.11.0 h1:F9tnn/DA/Im8nCwm+fX+1/eBwi4qFjRT++MhtVC4ZX0=
+golang.org/x/term v0.12.0 h1:/ZfYdc3zq+q02Rv9vGqTeSItdzZTSNDmfTi0mBAuidU=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc=
-golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
 golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -246,10 +246,10 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19 h1:0nDDozoAU19Qb2HwhXadU8OcsiO/09cnTqhUtq2MEOM=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA=
-google.golang.org/grpc v1.57.0 h1:kfzNeI/klCGD2YPMUlaGNT3pxvYfga7smW3Vth8Zsiw=
-google.golang.org/grpc v1.57.0/go.mod h1:Sd+9RMTACXwmub0zcNY2c4arhtrbBYD1AUHI/dt16Mo=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98 h1:bVf09lpb+OJbByTj913DRJioFFAjf/ZGxEz7MajTp2U=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98/go.mod h1:TUfxEVdsvPg18p6AslUXFoLdpED4oBnGwyqk3dV1XzM=
+google.golang.org/grpc v1.58.0 h1:32JY8YpPMSR45K+c3o6b8VL73V+rR8k+DeMIr4vRH8o=
+google.golang.org/grpc v1.58.0/go.mod h1:tgX3ZQDlNJGU96V6yHh1T/JeoBQ2TXdr43YbYSsCJk0=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
--- a/test/hysteria2_test.go
+++ b/test/hysteria2_test.go
@@ -95,3 +95,92 @@ func testHysteria2Self(t *testing.T, salamanderPassword string) {
 	})
 	testSuit(t, clientPort, testPort)
 }
+
+func TestHysteria2Inbound(t *testing.T) {
+	caPem, certPem, keyPem := createSelfSignedCertificate(t, "example.org")
+	startInstance(t, option.Options{
+		Inbounds: []option.Inbound{
+			{
+				Type: C.TypeHysteria2,
+				Hysteria2Options: option.Hysteria2InboundOptions{
+					ListenOptions: option.ListenOptions{
+						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
+						ListenPort: serverPort,
+					},
+					Obfs: &option.Hysteria2Obfs{
+						Type:     hysteria2.ObfsTypeSalamander,
+						Password: "cry_me_a_r1ver",
+					},
+					Users: []option.Hysteria2User{{
+						Password: "password",
+					}},
+					TLS: &option.InboundTLSOptions{
+						Enabled:         true,
+						ServerName:      "example.org",
+						CertificatePath: certPem,
+						KeyPath:         keyPem,
+					},
+				},
+			},
+		},
+	})
+	startDockerContainer(t, DockerOptions{
+		Image: ImageHysteria2,
+		Ports: []uint16{serverPort, clientPort},
+		Cmd:   []string{"client", "-c", "/etc/hysteria/config.yml", "--disable-update-check", "--log-level", "debug"},
+		Bind: map[string]string{
+			"hysteria2-client.yml": "/etc/hysteria/config.yml",
+			caPem:                  "/etc/hysteria/ca.pem",
+		},
+	})
+	testSuit(t, clientPort, testPort)
+}
+
+func TestHysteria2Outbound(t *testing.T) {
+	_, certPem, keyPem := createSelfSignedCertificate(t, "example.org")
+	startDockerContainer(t, DockerOptions{
+		Image: ImageHysteria2,
+		Ports: []uint16{testPort},
+		Cmd:   []string{"server", "-c", "/etc/hysteria/config.yml", "--disable-update-check", "--log-level", "debug"},
+		Bind: map[string]string{
+			"hysteria2-server.yml": "/etc/hysteria/config.yml",
+			certPem:                "/etc/hysteria/cert.pem",
+			keyPem:                 "/etc/hysteria/key.pem",
+		},
+	})
+	startInstance(t, option.Options{
+		Inbounds: []option.Inbound{
+			{
+				Type: C.TypeMixed,
+				MixedOptions: option.HTTPMixedInboundOptions{
+					ListenOptions: option.ListenOptions{
+						Listen:     option.NewListenAddress(netip.IPv4Unspecified()),
+						ListenPort: clientPort,
+					},
+				},
+			},
+		},
+		Outbounds: []option.Outbound{
+			{
+				Type: C.TypeHysteria2,
+				Hysteria2Options: option.Hysteria2OutboundOptions{
+					ServerOptions: option.ServerOptions{
+						Server:     "127.0.0.1",
+						ServerPort: serverPort,
+					},
+					Obfs: &option.Hysteria2Obfs{
+						Type:     hysteria2.ObfsTypeSalamander,
+						Password: "cry_me_a_r1ver",
+					},
+					Password: "password",
+					TLS: &option.OutboundTLSOptions{
+						Enabled:         true,
+						ServerName:      "example.org",
+						CertificatePath: certPem,
+					},
+				},
+			},
+		},
+	})
+	testSuitSimple1(t, clientPort, testPort)
+}
--- a/transport/trojan/protocol.go
+++ b/transport/trojan/protocol.go
@@ -204,10 +204,13 @@ func ClientHandshake(conn net.Conn, key [KeyLength]byte, destination M.Socksaddr
 	common.Must1(header.Write(key[:]))
 	common.Must1(header.Write(CRLF))
 	common.Must(header.WriteByte(CommandTCP))
-	common.Must(M.SocksaddrSerializer.WriteAddrPort(header, destination))
+	err := M.SocksaddrSerializer.WriteAddrPort(header, destination)
+	if err != nil {
+		return err
+	}
 	common.Must1(header.Write(CRLF))
 	common.Must1(header.Write(payload))
-	_, err := conn.Write(header.Bytes())
+	_, err = conn.Write(header.Bytes())
 	if err != nil {
 		return E.Cause(err, "write request")
 	}
@@ -219,10 +222,13 @@ func ClientHandshakeBuffer(conn net.Conn, key [KeyLength]byte, destination M.Soc
 	common.Must1(header.Write(key[:]))
 	common.Must1(header.Write(CRLF))
 	common.Must(header.WriteByte(CommandTCP))
-	common.Must(M.SocksaddrSerializer.WriteAddrPort(header, destination))
+	err := M.SocksaddrSerializer.WriteAddrPort(header, destination)
+	if err != nil {
+		return err
+	}
 	common.Must1(header.Write(CRLF))

-	_, err := conn.Write(payload.Bytes())
+	_, err = conn.Write(payload.Bytes())
 	if err != nil {
 		return E.Cause(err, "write request")
 	}
@@ -244,7 +250,10 @@ func ClientHandshakePacket(conn net.Conn, key [KeyLength]byte, destination M.Soc
 	common.Must1(header.Write(key[:]))
 	common.Must1(header.Write(CRLF))
 	common.Must(header.WriteByte(CommandUDP))
-	common.Must(M.SocksaddrSerializer.WriteAddrPort(header, destination))
+	err := M.SocksaddrSerializer.WriteAddrPort(header, destination)
+	if err != nil {
+		return err
+	}
 	common.Must1(header.Write(CRLF))
 	common.Must(M.SocksaddrSerializer.WriteAddrPort(header, destination))
 	common.Must(binary.Write(header, binary.BigEndian, uint16(payloadLen)))
@@ -257,7 +266,7 @@ func ClientHandshakePacket(conn net.Conn, key [KeyLength]byte, destination M.Soc
 		}
 	}

-	_, err := conn.Write(payload.Bytes())
+	_, err = conn.Write(payload.Bytes())
 	if err != nil {
 		return E.Cause(err, "write payload")
 	}
@@ -289,10 +298,13 @@ func WritePacket(conn net.Conn, buffer *buf.Buffer, destination M.Socksaddr) err
 	defer buffer.Release()
 	bufferLen := buffer.Len()
 	header := buf.With(buffer.ExtendHeader(M.SocksaddrSerializer.AddrPortLen(destination) + 4))
-	common.Must(M.SocksaddrSerializer.WriteAddrPort(header, destination))
+	err := M.SocksaddrSerializer.WriteAddrPort(header, destination)
+	if err != nil {
+		return err
+	}
 	common.Must(binary.Write(header, binary.BigEndian, uint16(bufferLen)))
 	common.Must1(header.Write(CRLF))
-	_, err := conn.Write(buffer.Bytes())
+	_, err = conn.Write(buffer.Bytes())
 	if err != nil {
 		return E.Cause(err, "write packet")
 	}
--- a/transport/tuic/client.go
+++ b/transport/tuic/client.go
@@ -274,9 +274,13 @@ func (c *clientConn) Read(b []byte) (n int, err error) {
 func (c *clientConn) Write(b []byte) (n int, err error) {
 	if !c.requestWritten {
 		request := buf.NewSize(2 + addressSerializer.AddrPortLen(c.destination) + len(b))
+		defer request.Release()
 		request.WriteByte(Version)
 		request.WriteByte(CommandConnect)
-		addressSerializer.WriteAddrPort(request, c.destination)
+		err = addressSerializer.WriteAddrPort(request, c.destination)
+		if err != nil {
+			return
+		}
 		request.Write(b)
 		_, err = c.stream.Write(request.Bytes())
 		if err != nil {
--- a/transport/tuic/packet.go
+++ b/transport/tuic/packet.go
@@ -17,6 +17,7 @@ import (
 	"github.com/sagernet/sing/common/atomic"
 	"github.com/sagernet/sing/common/buf"
 	"github.com/sagernet/sing/common/cache"
+	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 )

@@ -205,6 +206,9 @@ func (c *udpPacketConn) WritePacket(buffer *buf.Buffer, destination M.Socksaddr)
 	if buffer.Len() > 0xffff {
 		return quic.ErrMessageTooLarge(0xffff)
 	}
+	if !destination.IsValid() {
+		return E.New("invalid destination address")
+	}
 	packetId := c.packetId.Add(1)
 	if packetId > math.MaxUint16 {
 		c.packetId.Store(0)
@@ -246,6 +250,10 @@ func (c *udpPacketConn) WriteTo(p []byte, addr net.Addr) (n int, err error) {
 	if len(p) > 0xffff {
 		return 0, quic.ErrMessageTooLarge(0xffff)
 	}
+	destination := M.SocksaddrFromNet(addr)
+	if !destination.IsValid() {
+		return 0, E.New("invalid destination address")
+	}
 	packetId := c.packetId.Add(1)
 	if packetId > math.MaxUint16 {
 		c.packetId.Store(0)
@@ -256,7 +264,7 @@ func (c *udpPacketConn) WriteTo(p []byte, addr net.Addr) (n int, err error) {
 		sessionID:     c.sessionID,
 		packetID:      uint16(packetId),
 		fragmentTotal: 1,
-		destination:   M.SocksaddrFromNet(addr),
+		destination:   destination,
 		data:          buf.As(p),
 	}
 	if !c.udpStream && c.needFragment() && len(p) > c.udpMTU {
--- a/transport/vless/client.go
+++ b/transport/vless/client.go
@@ -150,7 +150,10 @@ func (c *Conn) Write(b []byte) (n int, err error) {

 func (c *Conn) WriteBuffer(buffer *buf.Buffer) error {
 	if !c.requestWritten {
-		EncodeRequest(c.request, buf.With(buffer.ExtendHeader(RequestLen(c.request))))
+		err := EncodeRequest(c.request, buf.With(buffer.ExtendHeader(RequestLen(c.request))))
+		if err != nil {
+			return err
+		}
 		c.requestWritten = true
 	}
 	return c.ExtendedConn.WriteBuffer(buffer)
@@ -159,7 +162,11 @@ func (c *Conn) WriteBuffer(buffer *buf.Buffer) error {
 func (c *Conn) WriteVectorised(buffers []*buf.Buffer) error {
 	if !c.requestWritten {
 		buffer := buf.NewSize(RequestLen(c.request))
-		EncodeRequest(c.request, buffer)
+		err := EncodeRequest(c.request, buffer)
+		if err != nil {
+			buffer.Release()
+			return err
+		}
 		c.requestWritten = true
 		return c.writer.WriteVectorised(append([]*buf.Buffer{buffer}, buffers...))
 	}
--- a/transport/vless/protocol.go
+++ b/transport/vless/protocol.go
@@ -156,14 +156,17 @@ func WriteRequest(writer io.Writer, request Request, payload []byte) error {
 	)

 	if request.Command != vmess.CommandMux {
-		common.Must(vmess.AddressSerializer.WriteAddrPort(buffer, request.Destination))
+		err := vmess.AddressSerializer.WriteAddrPort(buffer, request.Destination)
+		if err != nil {
+			return err
+		}
 	}

 	common.Must1(buffer.Write(payload))
 	return common.Error(writer.Write(buffer.Bytes()))
 }

-func EncodeRequest(request Request, buffer *buf.Buffer) {
+func EncodeRequest(request Request, buffer *buf.Buffer) error {
 	var requestLen int
 	requestLen += 1  // version
 	requestLen += 16 // uuid
@@ -195,8 +198,12 @@ func EncodeRequest(request Request, buffer *buf.Buffer) {
 	)

 	if request.Command != vmess.CommandMux {
-		common.Must(vmess.AddressSerializer.WriteAddrPort(buffer, request.Destination))
+		err := vmess.AddressSerializer.WriteAddrPort(buffer, request.Destination)
+		if err != nil {
+			return err
+		}
 	}
+	return nil
 }

 func RequestLen(request Request) int {
@@ -251,10 +258,12 @@ func WritePacketRequest(writer io.Writer, request Request, payload []byte) error
 		common.Must(common.Error(buffer.WriteString(request.Flow)))
 	}

-	common.Must(
-		buffer.WriteByte(vmess.CommandUDP),
-		vmess.AddressSerializer.WriteAddrPort(buffer, request.Destination),
-	)
+	common.Must(buffer.WriteByte(vmess.CommandUDP))
+
+	err := vmess.AddressSerializer.WriteAddrPort(buffer, request.Destination)
+	if err != nil {
+		return err
+	}

 	if len(payload) > 0 {
 		common.Must(
Author	SHA1	Message	Date
世界	2aa2320270	documentation: Bump version	2023-09-07 13:01:22 +08:00
世界	a500bdba96	Update hysteria docker image for test	2023-09-07 13:00:29 +08:00
世界	df31e4be91	Update dependencies	2023-09-07 12:54:52 +08:00
世界	d89afcc0b4	Fix router close	2023-09-07 12:54:45 +08:00
世界	d1431b0ad4	Fix "reject invalid connection"	2023-09-07 12:47:35 +08:00
世界	fdd768f5e8	documentation: Fix "Add notes for hysteria2 compatibility"	2023-09-07 09:11:54 +08:00
世界	9ce0a42a3f	documentation: Bump version	2023-09-06 22:50:39 +08:00
世界	f564b54fc7	documentation: Fix ECH generate command	2023-09-06 22:50:39 +08:00
世界	b3f9509810	documentation: Add notes for hysteria2 compatibility issues	2023-09-06 21:59:59 +08:00
世界	70bff53cea	platform: Fix crash on android	2023-09-06 20:28:03 +08:00
世界	4095dcbf05	Reject invalid connection	2023-09-06 19:33:39 +08:00
世界	ebfabf7406	Fix connect domain for IP outbounds	2023-09-06 19:14:31 +08:00
世界	0929f9ea3f	Fix release tags	2023-09-06 19:14:13 +08:00
世界	dc985ed99d	clash-api: Move default mode to first	2023-09-03 21:13:25 +08:00
世界	80d9c93db3	platform: Improve client	2023-09-03 21:06:21 +08:00
世界	7ed699757d	Improve system proxy API	2023-09-03 14:35:41 +08:00
世界	c79b4509bd	Fix ECH server	2023-09-02 20:36:33 +08:00