Fix resolve dialer

android: Fix netlink check
Reject SOCKS4 unauthenticated request
2026-04-12 01:57:18 +10:00 · 2023-09-27 13:20:44 +08:00 · 2023-09-27 13:20:44 +08:00 · 2023-09-25 21:45:58 +08:00 · 2023-09-25 18:29:39 +08:00 · 2023-09-25 18:29:39 +08:00
142 changed files with 4756 additions and 3519 deletions
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -16,7 +16,6 @@ builds:
      - with_quic
      - with_dhcp
      - with_wireguard
-      - with_ech
      - with_utls
      - with_reality_server
      - with_clash_api
@@ -52,7 +51,6 @@ builds:
      - with_quic
      - with_dhcp
      - with_wireguard
-      - with_ech
      - with_utls
      - with_clash_api
    env:
--- a/2
+++ b/2
@@ -9,7 +9,7 @@ RUN set -ex \
    && apk add git build-base \
    && export COMMIT=$(git rev-parse --short HEAD) \
    && export VERSION=$(go run ./cmd/internal/read_tag) \
-    && go build -v -trimpath -tags with_gvisor,with_quic,with_dhcp,with_wireguard,with_ech,with_utls,with_reality_server,with_clash_api,with_acme \
+    && go build -v -trimpath -tags with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_reality_server,with_clash_api,with_acme \
        -o /go/bin/sing-box \
        -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" -s -w -buildid=" \
        ./cmd/sing-box
--- a/6
+++ b/6
@@ -1,7 +1,7 @@
 NAME = sing-box
 COMMIT = $(shell git rev-parse --short HEAD)
 TAGS_GO118 = with_gvisor,with_dhcp,with_wireguard,with_utls,with_reality_server,with_clash_api
-TAGS_GO120 = with_quic,with_ech
+TAGS_GO120 = with_quic
 TAGS ?= $(TAGS_GO118),$(TAGS_GO120)
 TAGS_TEST ?= with_gvisor,with_quic,with_wireguard,with_grpc,with_ech,with_utls,with_reality_server,with_shadowsocksr

@@ -28,7 +28,7 @@ ci_build:
 	go build $(MAIN_PARAMS) $(MAIN)

 install:
-	go build -o $(PREFIX)/bin/$(NAME) $(MAIN_PARAMS) $(MAIN)
+	go build -o $(PREFIX)/bin/$(NAME) $(PARAMS) $(MAIN)

 fmt:
 	@gofumpt -l -w .
@@ -84,7 +84,7 @@ upload_android:
 release_android: lib_android update_android_version build_android upload_android

 publish_android:
-	cd ../sing-box-for-android && ./gradlew :app:appCenterAssembleAndUploadRelease
+	cd ../sing-box-for-android && ./gradlew :app:appCenterAssembleAndUploadRelease && ./gradlew --stop

 build_ios:
 	cd ../sing-box-for-apple && \
--- a/adapter/router.go
+++ b/adapter/router.go
@@ -10,7 +10,6 @@ import (
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing/common/control"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/service"

 	mdns "github.com/miekg/dns"
 )
@@ -46,6 +45,8 @@ type Router interface {
 	PackageManager() tun.PackageManager
 	Rules() []Rule

+	TimeService
+
 	ClashServer() ClashServer
 	SetClashServer(server ClashServer)

@@ -55,12 +56,18 @@ type Router interface {
 	ResetNetwork() error
 }

+type routerContextKey struct{}
+
 func ContextWithRouter(ctx context.Context, router Router) context.Context {
-	return service.ContextWith(ctx, router)
+	return context.WithValue(ctx, (*routerContextKey)(nil), router)
 }

 func RouterFromContext(ctx context.Context) Router {
-	return service.FromContext[Router](ctx)
+	metadata := ctx.Value((*routerContextKey)(nil))
+	if metadata == nil {
+		return nil
+	}
+	return metadata.(Router)
 }

 type Rule interface {
--- a/adapter/v2ray.go
+++ b/adapter/v2ray.go
@@ -5,6 +5,7 @@ import (
 	"net"

 	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )

@@ -18,6 +19,7 @@ type V2RayServerTransport interface {
 type V2RayServerTransportHandler interface {
 	N.TCPConnectionHandler
 	E.Handler
+	FallbackConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error
 }

 type V2RayClientTransport interface {
--- a/box.go
+++ b/box.go
@@ -19,7 +19,6 @@ import (
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
-	"github.com/sagernet/sing/service"
 	"github.com/sagernet/sing/service/pause"
 )

@@ -48,7 +47,6 @@ func New(options Options) (*Box, error) {
 	if ctx == nil {
 		ctx = context.Background()
 	}
-	ctx = service.ContextWithDefaultRegistry(ctx)
 	ctx = pause.ContextWithDefaultManager(ctx)
 	createdAt := time.Now()
 	experimentalOptions := common.PtrValueOrDefault(options.Experimental)
--- a/cmd/internal/build_libbox/main.go
+++ b/cmd/internal/build_libbox/main.go
@@ -54,7 +54,7 @@ func init() {
 	sharedFlags = append(sharedFlags, "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -s -w -buildid=")
 	debugFlags = append(debugFlags, "-X github.com/sagernet/sing-box/constant.Version="+currentTag)

-	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_ech", "with_utls", "with_clash_api")
+	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_utls", "with_clash_api")
 	iosTags = append(iosTags, "with_dhcp", "with_low_memory", "with_conntrack")
 	debugTags = append(debugTags, "debug")
 }
--- a/cmd/internal/update_apple_version/main.go
+++ b/cmd/internal/update_apple_version/main.go
@@ -29,7 +29,8 @@ func main() {
 	newContent, updated0 := findAndReplace(objectsMap, projectContent, []string{"io.nekohasekai.sfa"}, newVersion.VersionString())
 	newContent, updated1 := findAndReplace(objectsMap, newContent, []string{"io.nekohasekai.sfa.independent", "io.nekohasekai.sfa.system"}, newVersion.String())
 	if updated0 || updated1 {
-		log.Info("updated version to ", newVersion.VersionString(), " (", newVersion.String(), ")")
+		log.Info("updated version to ", newVersion.VersionString())
+		common.Must(os.WriteFile("sing-box.xcodeproj/project.pbxproj.bak", []byte(projectContent), 0o644))
 		common.Must(os.WriteFile("sing-box.xcodeproj/project.pbxproj", []byte(newContent), 0o644))
 	} else {
 		log.Info("version not changed")
--- a/cmd/sing-box/cmd_generate_ech.go
+++ b/cmd/sing-box/cmd_generate_ech.go
@@ -1,39 +0,0 @@
-package main
-
-import (
-	"os"
-
-	"github.com/sagernet/sing-box/common/tls"
-	"github.com/sagernet/sing-box/log"
-
-	"github.com/spf13/cobra"
-)
-
-var pqSignatureSchemesEnabled bool
-
-var commandGenerateECHKeyPair = &cobra.Command{
-	Use:   "ech-keypair <plain_server_name>",
-	Short: "Generate TLS ECH key pair",
-	Args:  cobra.ExactArgs(1),
-	Run: func(cmd *cobra.Command, args []string) {
-		err := generateECHKeyPair(args[0])
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-}
-
-func init() {
-	commandGenerateECHKeyPair.Flags().BoolVar(&pqSignatureSchemesEnabled, "pq-signature-schemes-enabled", false, "Enable PQ signature schemes")
-	commandGenerate.AddCommand(commandGenerateECHKeyPair)
-}
-
-func generateECHKeyPair(serverName string) error {
-	configPem, keyPem, err := tls.ECHKeygenDefault(serverName, pqSignatureSchemesEnabled)
-	if err != nil {
-		return err
-	}
-	os.Stdout.WriteString(configPem)
-	os.Stdout.WriteString(keyPem)
-	return nil
-}
--- a/cmd/sing-box/cmd_merge.go
+++ b/cmd/sing-box/cmd_merge.go
@@ -1,174 +0,0 @@
-package main
-
-import (
-	"bytes"
-	"os"
-	"path/filepath"
-	"strings"
-
-	"github.com/sagernet/sing-box/common/json"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/rw"
-
-	"github.com/spf13/cobra"
-)
-
-var commandMerge = &cobra.Command{
-	Use:   "merge [output]",
-	Short: "Merge configurations",
-	Run: func(cmd *cobra.Command, args []string) {
-		err := merge(args[0])
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-	Args: cobra.ExactArgs(1),
-}
-
-func init() {
-	mainCommand.AddCommand(commandMerge)
-}
-
-func merge(outputPath string) error {
-	mergedOptions, err := readConfigAndMerge()
-	if err != nil {
-		return err
-	}
-	err = mergePathResources(&mergedOptions)
-	if err != nil {
-		return err
-	}
-	buffer := new(bytes.Buffer)
-	encoder := json.NewEncoder(buffer)
-	encoder.SetIndent("", "  ")
-	err = encoder.Encode(mergedOptions)
-	if err != nil {
-		return E.Cause(err, "encode config")
-	}
-	if existsContent, err := os.ReadFile(outputPath); err != nil {
-		if string(existsContent) == buffer.String() {
-			return nil
-		}
-	}
-	err = rw.WriteFile(outputPath, buffer.Bytes())
-	if err != nil {
-		return err
-	}
-	outputPath, _ = filepath.Abs(outputPath)
-	os.Stderr.WriteString(outputPath + "\n")
-	return nil
-}
-
-func mergePathResources(options *option.Options) error {
-	for index, inbound := range options.Inbounds {
-		switch inbound.Type {
-		case C.TypeHTTP:
-			inbound.HTTPOptions.TLS = mergeTLSInboundOptions(inbound.HTTPOptions.TLS)
-		case C.TypeMixed:
-			inbound.MixedOptions.TLS = mergeTLSInboundOptions(inbound.MixedOptions.TLS)
-		case C.TypeVMess:
-			inbound.VMessOptions.TLS = mergeTLSInboundOptions(inbound.VMessOptions.TLS)
-		case C.TypeTrojan:
-			inbound.TrojanOptions.TLS = mergeTLSInboundOptions(inbound.TrojanOptions.TLS)
-		case C.TypeNaive:
-			inbound.NaiveOptions.TLS = mergeTLSInboundOptions(inbound.NaiveOptions.TLS)
-		case C.TypeHysteria:
-			inbound.HysteriaOptions.TLS = mergeTLSInboundOptions(inbound.HysteriaOptions.TLS)
-		case C.TypeVLESS:
-			inbound.VLESSOptions.TLS = mergeTLSInboundOptions(inbound.VLESSOptions.TLS)
-		case C.TypeTUIC:
-			inbound.TUICOptions.TLS = mergeTLSInboundOptions(inbound.TUICOptions.TLS)
-		case C.TypeHysteria2:
-			inbound.Hysteria2Options.TLS = mergeTLSInboundOptions(inbound.Hysteria2Options.TLS)
-		default:
-			continue
-		}
-		options.Inbounds[index] = inbound
-	}
-	for index, outbound := range options.Outbounds {
-		switch outbound.Type {
-		case C.TypeHTTP:
-			outbound.HTTPOptions.TLS = mergeTLSOutboundOptions(outbound.HTTPOptions.TLS)
-		case C.TypeVMess:
-			outbound.VMessOptions.TLS = mergeTLSOutboundOptions(outbound.VMessOptions.TLS)
-		case C.TypeTrojan:
-			outbound.TrojanOptions.TLS = mergeTLSOutboundOptions(outbound.TrojanOptions.TLS)
-		case C.TypeHysteria:
-			outbound.HysteriaOptions.TLS = mergeTLSOutboundOptions(outbound.HysteriaOptions.TLS)
-		case C.TypeSSH:
-			outbound.SSHOptions = mergeSSHOutboundOptions(outbound.SSHOptions)
-		case C.TypeVLESS:
-			outbound.VLESSOptions.TLS = mergeTLSOutboundOptions(outbound.VLESSOptions.TLS)
-		case C.TypeTUIC:
-			outbound.TUICOptions.TLS = mergeTLSOutboundOptions(outbound.TUICOptions.TLS)
-		case C.TypeHysteria2:
-			outbound.Hysteria2Options.TLS = mergeTLSOutboundOptions(outbound.Hysteria2Options.TLS)
-		default:
-			continue
-		}
-		options.Outbounds[index] = outbound
-	}
-	return nil
-}
-
-func mergeTLSInboundOptions(options *option.InboundTLSOptions) *option.InboundTLSOptions {
-	if options == nil {
-		return nil
-	}
-	if options.CertificatePath != "" {
-		if content, err := os.ReadFile(options.CertificatePath); err == nil {
-			options.Certificate = trimStringArray(strings.Split(string(content), "\n"))
-		}
-	}
-	if options.KeyPath != "" {
-		if content, err := os.ReadFile(options.KeyPath); err == nil {
-			options.Key = trimStringArray(strings.Split(string(content), "\n"))
-		}
-	}
-	if options.ECH != nil {
-		if options.ECH.KeyPath != "" {
-			if content, err := os.ReadFile(options.ECH.KeyPath); err == nil {
-				options.ECH.Key = trimStringArray(strings.Split(string(content), "\n"))
-			}
-		}
-	}
-	return options
-}
-
-func mergeTLSOutboundOptions(options *option.OutboundTLSOptions) *option.OutboundTLSOptions {
-	if options == nil {
-		return nil
-	}
-	if options.CertificatePath != "" {
-		if content, err := os.ReadFile(options.CertificatePath); err == nil {
-			options.Certificate = trimStringArray(strings.Split(string(content), "\n"))
-		}
-	}
-	if options.ECH != nil {
-		if options.ECH.ConfigPath != "" {
-			if content, err := os.ReadFile(options.ECH.ConfigPath); err == nil {
-				options.ECH.Config = trimStringArray(strings.Split(string(content), "\n"))
-			}
-		}
-	}
-	return options
-}
-
-func mergeSSHOutboundOptions(options option.SSHOutboundOptions) option.SSHOutboundOptions {
-	if options.PrivateKeyPath != "" {
-		if content, err := os.ReadFile(os.ExpandEnv(options.PrivateKeyPath)); err == nil {
-			options.PrivateKey = trimStringArray(strings.Split(string(content), "\n"))
-		}
-	}
-	return options
-}
-
-func trimStringArray(array []string) []string {
-	return common.Filter(array, func(it string) bool {
-		return strings.TrimSpace(it) != ""
-	})
-}
--- a/common/interrupt/conn.go
+++ b/common/interrupt/conn.go
@@ -1,75 +0,0 @@
-package interrupt
-
-import (
-	"net"
-
-	"github.com/sagernet/sing/common/x/list"
-)
-
-/*type GroupedConn interface {
-	MarkAsInternal()
-}
-
-func MarkAsInternal(conn any) {
-	if groupedConn, isGroupConn := common.Cast[GroupedConn](conn); isGroupConn {
-		groupedConn.MarkAsInternal()
-	}
-}*/
-
-type Conn struct {
-	net.Conn
-	group   *Group
-	element *list.Element[*groupConnItem]
-}
-
-/*func (c *Conn) MarkAsInternal() {
-	c.element.Value.internal = true
-}*/
-
-func (c *Conn) Close() error {
-	c.group.access.Lock()
-	defer c.group.access.Unlock()
-	c.group.connections.Remove(c.element)
-	return c.Conn.Close()
-}
-
-func (c *Conn) ReaderReplaceable() bool {
-	return true
-}
-
-func (c *Conn) WriterReplaceable() bool {
-	return true
-}
-
-func (c *Conn) Upstream() any {
-	return c.Conn
-}
-
-type PacketConn struct {
-	net.PacketConn
-	group   *Group
-	element *list.Element[*groupConnItem]
-}
-
-/*func (c *PacketConn) MarkAsInternal() {
-	c.element.Value.internal = true
-}*/
-
-func (c *PacketConn) Close() error {
-	c.group.access.Lock()
-	defer c.group.access.Unlock()
-	c.group.connections.Remove(c.element)
-	return c.PacketConn.Close()
-}
-
-func (c *PacketConn) ReaderReplaceable() bool {
-	return true
-}
-
-func (c *PacketConn) WriterReplaceable() bool {
-	return true
-}
-
-func (c *PacketConn) Upstream() any {
-	return c.PacketConn
-}
--- a/common/interrupt/context.go
+++ b/common/interrupt/context.go
@@ -1,13 +0,0 @@
-package interrupt
-
-import "context"
-
-type contextKeyIsExternalConnection struct{}
-
-func ContextWithIsExternalConnection(ctx context.Context) context.Context {
-	return context.WithValue(ctx, contextKeyIsExternalConnection{}, true)
-}
-
-func IsExternalConnectionFromContext(ctx context.Context) bool {
-	return ctx.Value(contextKeyIsExternalConnection{}) != nil
-}
--- a/common/interrupt/group.go
+++ b/common/interrupt/group.go
@@ -1,52 +0,0 @@
-package interrupt
-
-import (
-	"io"
-	"net"
-	"sync"
-
-	"github.com/sagernet/sing/common/x/list"
-)
-
-type Group struct {
-	access      sync.Mutex
-	connections list.List[*groupConnItem]
-}
-
-type groupConnItem struct {
-	conn       io.Closer
-	isExternal bool
-}
-
-func NewGroup() *Group {
-	return &Group{}
-}
-
-func (g *Group) NewConn(conn net.Conn, isExternal bool) net.Conn {
-	g.access.Lock()
-	defer g.access.Unlock()
-	item := g.connections.PushBack(&groupConnItem{conn, isExternal})
-	return &Conn{Conn: conn, group: g, element: item}
-}
-
-func (g *Group) NewPacketConn(conn net.PacketConn, isExternal bool) net.PacketConn {
-	g.access.Lock()
-	defer g.access.Unlock()
-	item := g.connections.PushBack(&groupConnItem{conn, isExternal})
-	return &PacketConn{PacketConn: conn, group: g, element: item}
-}
-
-func (g *Group) Interrupt(interruptExternalConnections bool) {
-	g.access.Lock()
-	defer g.access.Unlock()
-	var toDelete []*list.Element[*groupConnItem]
-	for element := g.connections.Front(); element != nil; element = element.Next() {
-		if !element.Value.isExternal || interruptExternalConnections {
-			element.Value.conn.Close()
-			toDelete = append(toDelete, element)
-		}
-	}
-	for _, element := range toDelete {
-		g.connections.Remove(element)
-	}
-}
--- a/common/settings/proxy_android.go
+++ b/common/settings/proxy_android.go
@@ -1,73 +1,43 @@
 package settings

 import (
-	"context"
 	"os"
 	"strings"

+	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
-	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
-	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/shell"
 )

-type AndroidSystemProxy struct {
-	useRish      bool
-	rishPath     string
-	serverAddr   M.Socksaddr
-	supportSOCKS bool
-	isEnabled    bool
-}
+var (
+	useRish  bool
+	rishPath string
+)

-func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (*AndroidSystemProxy, error) {
+func init() {
 	userId := os.Getuid()
-	var (
-		useRish  bool
-		rishPath string
-	)
 	if userId == 0 || userId == 1000 || userId == 2000 {
 		useRish = false
 	} else {
 		rishPath, useRish = C.FindPath("rish")
-		if !useRish {
-			return nil, E.Cause(os.ErrPermission, "root or system (adb) permission is required for set system proxy")
-		}
 	}
-	return &AndroidSystemProxy{
-		useRish:      useRish,
-		rishPath:     rishPath,
-		serverAddr:   serverAddr,
-		supportSOCKS: supportSOCKS,
-	}, nil
 }

-func (p *AndroidSystemProxy) IsEnabled() bool {
-	return p.isEnabled
-}
-
-func (p *AndroidSystemProxy) Enable() error {
-	err := p.runAndroidShell("settings", "put", "global", "http_proxy", p.serverAddr.String())
-	if err != nil {
-		return err
-	}
-	p.isEnabled = true
-	return nil
-}
-
-func (p *AndroidSystemProxy) Disable() error {
-	err := p.runAndroidShell("settings", "put", "global", "http_proxy", ":0")
-	if err != nil {
-		return err
-	}
-	p.isEnabled = false
-	return nil
-}
-
-func (p *AndroidSystemProxy) runAndroidShell(name string, args ...string) error {
-	if !p.useRish {
+func runAndroidShell(name string, args ...string) error {
+	if !useRish {
 		return shell.Exec(name, args...).Attach().Run()
 	} else {
-		return shell.Exec("sh", p.rishPath, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
+		return shell.Exec("sh", rishPath, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
 	}
 }
+
+func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
+	err := runAndroidShell("settings", "put", "global", "http_proxy", F.ToString("127.0.0.1:", port))
+	if err != nil {
+		return nil, err
+	}
+	return func() error {
+		return runAndroidShell("settings", "put", "global", "http_proxy", ":0")
+	}, nil
+}
--- a/common/settings/proxy_darwin.go
+++ b/common/settings/proxy_darwin.go
@@ -1,56 +1,56 @@
 package settings

 import (
-	"context"
 	"net/netip"
-	"strconv"
 	"strings"

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-tun"
 	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
+	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/shell"
 	"github.com/sagernet/sing/common/x/list"
 )

-type DarwinSystemProxy struct {
+type systemProxy struct {
 	monitor       tun.DefaultInterfaceMonitor
 	interfaceName string
 	element       *list.Element[tun.DefaultInterfaceUpdateCallback]
-	serverAddr    M.Socksaddr
-	supportSOCKS  bool
-	isEnabled     bool
+	port          uint16
+	isMixed       bool
 }

-func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (*DarwinSystemProxy, error) {
-	interfaceMonitor := adapter.RouterFromContext(ctx).InterfaceMonitor()
-	if interfaceMonitor == nil {
-		return nil, E.New("missing interface monitor")
+func (p *systemProxy) update(event int) {
+	newInterfaceName := p.monitor.DefaultInterfaceName(netip.IPv4Unspecified())
+	if p.interfaceName == newInterfaceName {
+		return
 	}
-	proxy := &DarwinSystemProxy{
-		monitor:      interfaceMonitor,
-		serverAddr:   serverAddr,
-		supportSOCKS: supportSOCKS,
+	if p.interfaceName != "" {
+		_ = p.unset()
 	}
-	proxy.element = interfaceMonitor.RegisterCallback(proxy.update)
-	return proxy, nil
+	p.interfaceName = newInterfaceName
+	interfaceDisplayName, err := getInterfaceDisplayName(p.interfaceName)
+	if err != nil {
+		return
+	}
+	if p.isMixed {
+		err = shell.Exec("networksetup", "-setsocksfirewallproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
+	}
+	if err == nil {
+		err = shell.Exec("networksetup", "-setwebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
+	}
+	if err == nil {
+		_ = shell.Exec("networksetup", "-setsecurewebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
+	}
+	return
 }

-func (p *DarwinSystemProxy) IsEnabled() bool {
-	return p.isEnabled
-}
-
-func (p *DarwinSystemProxy) Enable() error {
-	return p.update0()
-}
-
-func (p *DarwinSystemProxy) Disable() error {
+func (p *systemProxy) unset() error {
 	interfaceDisplayName, err := getInterfaceDisplayName(p.interfaceName)
 	if err != nil {
 		return err
 	}
-	if p.supportSOCKS {
+	if p.isMixed {
 		err = shell.Exec("networksetup", "-setsocksfirewallproxystate", interfaceDisplayName, "off").Attach().Run()
 	}
 	if err == nil {
@@ -59,53 +59,9 @@ func (p *DarwinSystemProxy) Disable() error {
 	if err == nil {
 		err = shell.Exec("networksetup", "-setsecurewebproxystate", interfaceDisplayName, "off").Attach().Run()
 	}
-	if err == nil {
-		p.isEnabled = false
-	}
 	return err
 }

-func (p *DarwinSystemProxy) update(event int) {
-	if event&tun.EventInterfaceUpdate == 0 {
-		return
-	}
-	if !p.isEnabled {
-		return
-	}
-	_ = p.update0()
-}
-
-func (p *DarwinSystemProxy) update0() error {
-	newInterfaceName := p.monitor.DefaultInterfaceName(netip.IPv4Unspecified())
-	if p.interfaceName == newInterfaceName {
-		return nil
-	}
-	if p.interfaceName != "" {
-		_ = p.Disable()
-	}
-	p.interfaceName = newInterfaceName
-	interfaceDisplayName, err := getInterfaceDisplayName(p.interfaceName)
-	if err != nil {
-		return err
-	}
-	if p.supportSOCKS {
-		err = shell.Exec("networksetup", "-setsocksfirewallproxy", interfaceDisplayName, p.serverAddr.AddrString(), strconv.Itoa(int(p.serverAddr.Port))).Attach().Run()
-	}
-	if err != nil {
-		return err
-	}
-	err = shell.Exec("networksetup", "-setwebproxy", interfaceDisplayName, p.serverAddr.AddrString(), strconv.Itoa(int(p.serverAddr.Port))).Attach().Run()
-	if err != nil {
-		return err
-	}
-	err = shell.Exec("networksetup", "-setsecurewebproxy", interfaceDisplayName, p.serverAddr.AddrString(), strconv.Itoa(int(p.serverAddr.Port))).Attach().Run()
-	if err != nil {
-		return err
-	}
-	p.isEnabled = true
-	return nil
-}
-
 func getInterfaceDisplayName(name string) (string, error) {
 	content, err := shell.Exec("networksetup", "-listallhardwareports").ReadOutput()
 	if err != nil {
@@ -121,3 +77,21 @@ func getInterfaceDisplayName(name string) (string, error) {
 	}
 	return "", E.New(name, " not found in networksetup -listallhardwareports")
 }
+
+func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
+	interfaceMonitor := router.InterfaceMonitor()
+	if interfaceMonitor == nil {
+		return nil, E.New("missing interface monitor")
+	}
+	proxy := &systemProxy{
+		monitor: interfaceMonitor,
+		port:    port,
+		isMixed: isMixed,
+	}
+	proxy.update(tun.EventInterfaceUpdate)
+	proxy.element = interfaceMonitor.RegisterCallback(proxy.update)
+	return func() error {
+		interfaceMonitor.UnregisterCallback(proxy.element)
+		return proxy.unset()
+	}, nil
+}
--- a/common/settings/proxy_linux.go
+++ b/common/settings/proxy_linux.go
@@ -3,161 +3,75 @@
 package settings

 import (
-	"context"
 	"os"
 	"os/exec"
 	"strings"

+	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
-	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/shell"
 )

-type LinuxSystemProxy struct {
-	hasGSettings     bool
-	hasKWriteConfig5 bool
-	sudoUser         string
-	serverAddr       M.Socksaddr
-	supportSOCKS     bool
-	isEnabled        bool
-}
+var (
+	hasGSettings bool
+	sudoUser     string
+)

-func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (*LinuxSystemProxy, error) {
-	hasGSettings := common.Error(exec.LookPath("gsettings")) == nil
-	hasKWriteConfig5 := common.Error(exec.LookPath("kwriteconfig5")) == nil
-	var sudoUser string
+func init() {
+	hasGSettings = common.Error(exec.LookPath("gsettings")) == nil
 	if os.Getuid() == 0 {
 		sudoUser = os.Getenv("SUDO_USER")
 	}
-	if !hasGSettings && !hasKWriteConfig5 {
-		return nil, E.New("unsupported desktop environment")
-	}
-	return &LinuxSystemProxy{
-		hasGSettings:     hasGSettings,
-		hasKWriteConfig5: hasKWriteConfig5,
-		sudoUser:         sudoUser,
-		serverAddr:       serverAddr,
-		supportSOCKS:     supportSOCKS,
-	}, nil
 }

-func (p *LinuxSystemProxy) IsEnabled() bool {
-	return p.isEnabled
-}
-
-func (p *LinuxSystemProxy) Enable() error {
-	if p.hasGSettings {
-		err := p.runAsUser("gsettings", "set", "org.gnome.system.proxy.http", "enabled", "true")
-		if err != nil {
-			return err
-		}
-		if p.supportSOCKS {
-			err = p.setGnomeProxy("ftp", "http", "https", "socks")
-		} else {
-			err = p.setGnomeProxy("http", "https")
-		}
-		if err != nil {
-			return err
-		}
-		err = p.runAsUser("gsettings", "set", "org.gnome.system.proxy", "use-same-proxy", F.ToString(p.supportSOCKS))
-		if err != nil {
-			return err
-		}
-		err = p.runAsUser("gsettings", "set", "org.gnome.system.proxy", "mode", "manual")
-		if err != nil {
-			return err
-		}
-	}
-	if p.hasKWriteConfig5 {
-		err := p.runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "'Proxy Settings'", "--key", "ProxyType", "1")
-		if err != nil {
-			return err
-		}
-		if p.supportSOCKS {
-			err = p.setKDEProxy("ftp", "http", "https", "socks")
-		} else {
-			err = p.setKDEProxy("http", "https")
-		}
-		if err != nil {
-			return err
-		}
-		err = p.runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "'Proxy Settings'", "--key", "Authmode", "0")
-		if err != nil {
-			return err
-		}
-		err = p.runAsUser("dbus-send", "--type=signal", "/KIO/Scheduler", "org.kde.KIO.Scheduler.reparseSlaveConfiguration", "string:''")
-		if err != nil {
-			return err
-		}
-	}
-	p.isEnabled = true
-	return nil
-}
-
-func (p *LinuxSystemProxy) Disable() error {
-	if p.hasGSettings {
-		err := p.runAsUser("gsettings", "set", "org.gnome.system.proxy", "mode", "none")
-		if err != nil {
-			return err
-		}
-	}
-	if p.hasKWriteConfig5 {
-		err := p.runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "'Proxy Settings'", "--key", "ProxyType", "0")
-		if err != nil {
-			return err
-		}
-		err = p.runAsUser("dbus-send", "--type=signal", "/KIO/Scheduler", "org.kde.KIO.Scheduler.reparseSlaveConfiguration", "string:''")
-		if err != nil {
-			return err
-		}
-	}
-	p.isEnabled = false
-	return nil
-}
-
-func (p *LinuxSystemProxy) runAsUser(name string, args ...string) error {
+func runAsUser(name string, args ...string) error {
 	if os.Getuid() != 0 {
 		return shell.Exec(name, args...).Attach().Run()
-	} else if p.sudoUser != "" {
-		return shell.Exec("su", "-", p.sudoUser, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
+	} else if sudoUser != "" {
+		return shell.Exec("su", "-", sudoUser, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
 	} else {
 		return E.New("set system proxy: unable to set as root")
 	}
 }

-func (p *LinuxSystemProxy) setGnomeProxy(proxyTypes ...string) error {
-	for _, proxyType := range proxyTypes {
-		err := p.runAsUser("gsettings", "set", "org.gnome.system.proxy."+proxyType, "host", p.serverAddr.AddrString())
-		if err != nil {
-			return err
-		}
-		err = p.runAsUser("gsettings", "set", "org.gnome.system.proxy."+proxyType, "port", F.ToString(p.serverAddr.Port))
-		if err != nil {
-			return err
-		}
+func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
+	if !hasGSettings {
+		return nil, E.New("unsupported desktop environment")
 	}
-	return nil
+	err := runAsUser("gsettings", "set", "org.gnome.system.proxy.http", "enabled", "true")
+	if err != nil {
+		return nil, err
+	}
+	if isMixed {
+		err = setGnomeProxy(port, "ftp", "http", "https", "socks")
+	} else {
+		err = setGnomeProxy(port, "http", "https")
+	}
+	if err != nil {
+		return nil, err
+	}
+	err = runAsUser("gsettings", "set", "org.gnome.system.proxy", "use-same-proxy", F.ToString(isMixed))
+	if err != nil {
+		return nil, err
+	}
+	err = runAsUser("gsettings", "set", "org.gnome.system.proxy", "mode", "manual")
+	if err != nil {
+		return nil, err
+	}
+	return func() error {
+		return runAsUser("gsettings", "set", "org.gnome.system.proxy", "mode", "none")
+	}, nil
 }

-func (p *LinuxSystemProxy) setKDEProxy(proxyTypes ...string) error {
+func setGnomeProxy(port uint16, proxyTypes ...string) error {
 	for _, proxyType := range proxyTypes {
-		var proxyUrl string
-		if proxyType == "socks" {
-			proxyUrl = "socks://" + p.serverAddr.String()
-		} else {
-			proxyUrl = "http://" + p.serverAddr.String()
+		err := runAsUser("gsettings", "set", "org.gnome.system.proxy."+proxyType, "host", "127.0.0.1")
+		if err != nil {
+			return err
 		}
-		err := p.runAsUser(
-			"kwriteconfig5",
-			"--file",
-			"kioslaverc",
-			"--group",
-			"Proxy Settings",
-			"--key", proxyType+"Proxy",
-			proxyUrl,
-		)
+		err = runAsUser("gsettings", "set", "org.gnome.system.proxy."+proxyType, "port", F.ToString(port))
 		if err != nil {
 			return err
 		}
--- a/common/settings/proxy_stub.go
+++ b/common/settings/proxy_stub.go
@@ -3,12 +3,11 @@
 package settings

 import (
-	"context"
 	"os"

-	M "github.com/sagernet/sing/common/metadata"
+	"github.com/sagernet/sing-box/adapter"
 )

-func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (SystemProxy, error) {
+func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
 	return nil, os.ErrInvalid
 }
--- a/common/settings/proxy_windows.go
+++ b/common/settings/proxy_windows.go
@@ -1,43 +1,17 @@
 package settings

 import (
-	"context"
-
-	M "github.com/sagernet/sing/common/metadata"
+	"github.com/sagernet/sing-box/adapter"
+	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/wininet"
 )

-type WindowsSystemProxy struct {
-	serverAddr   M.Socksaddr
-	supportSOCKS bool
-	isEnabled    bool
-}
-
-func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (*WindowsSystemProxy, error) {
-	return &WindowsSystemProxy{
-		serverAddr:   serverAddr,
-		supportSOCKS: supportSOCKS,
+func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
+	err := wininet.SetSystemProxy(F.ToString("http://127.0.0.1:", port), "")
+	if err != nil {
+		return nil, err
+	}
+	return func() error {
+		return wininet.ClearSystemProxy()
 	}, nil
 }
-
-func (p *WindowsSystemProxy) IsEnabled() bool {
-	return p.isEnabled
-}
-
-func (p *WindowsSystemProxy) Enable() error {
-	err := wininet.SetSystemProxy("http://"+p.serverAddr.String(), "")
-	if err != nil {
-		return err
-	}
-	p.isEnabled = true
-	return nil
-}
-
-func (p *WindowsSystemProxy) Disable() error {
-	err := wininet.ClearSystemProxy()
-	if err != nil {
-		return err
-	}
-	p.isEnabled = false
-	return nil
-}
--- a/common/settings/system_proxy.go
+++ b/common/settings/system_proxy.go
@@ -1,7 +0,0 @@
-package settings
-
-type SystemProxy interface {
-	IsEnabled() bool
-	Enable() error
-	Disable() error
-}
--- a/common/tls/acme.go
+++ b/common/tls/acme.go
@@ -9,13 +9,10 @@ import (
 	"strings"

 	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"

 	"github.com/caddyserver/certmagic"
-	"github.com/libdns/alidns"
-	"github.com/libdns/cloudflare"
 	"github.com/mholt/acmez/acme"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
@@ -77,24 +74,6 @@ func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Con
 		AltTLSALPNPort:          int(options.AlternativeTLSPort),
 		Logger:                  config.Logger,
 	}
-	if dnsOptions := options.DNS01Challenge; dnsOptions != nil && dnsOptions.Provider != "" {
-		var solver certmagic.DNS01Solver
-		switch dnsOptions.Provider {
-		case C.DNSProviderAliDNS:
-			solver.DNSProvider = &alidns.Provider{
-				AccKeyID:     dnsOptions.AliDNSOptions.AccessKeyID,
-				AccKeySecret: dnsOptions.AliDNSOptions.AccessKeySecret,
-				RegionID:     dnsOptions.AliDNSOptions.RegionID,
-			}
-		case C.DNSProviderCloudflare:
-			solver.DNSProvider = &cloudflare.Provider{
-				APIToken: dnsOptions.CloudflareOptions.APIToken,
-			}
-		default:
-			return nil, nil, E.New("unsupported ACME DNS01 provider type: " + dnsOptions.Provider)
-		}
-		acmeConfig.DNS01Solver = &solver
-	}
 	if options.ExternalAccount != nil && options.ExternalAccount.KeyID != "" {
 		acmeConfig.ExternalAccount = (*acme.EAB)(options.ExternalAccount)
 	}
--- a/common/tls/client.go
+++ b/common/tls/client.go
@@ -13,29 +13,29 @@ import (
 	aTLS "github.com/sagernet/sing/common/tls"
 )

-func NewDialerFromOptions(ctx context.Context, router adapter.Router, dialer N.Dialer, serverAddress string, options option.OutboundTLSOptions) (N.Dialer, error) {
+func NewDialerFromOptions(router adapter.Router, dialer N.Dialer, serverAddress string, options option.OutboundTLSOptions) (N.Dialer, error) {
 	if !options.Enabled {
 		return dialer, nil
 	}
-	config, err := NewClient(ctx, serverAddress, options)
+	config, err := NewClient(router, serverAddress, options)
 	if err != nil {
 		return nil, err
 	}
 	return NewDialer(dialer, config), nil
 }

-func NewClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	if !options.Enabled {
 		return nil, nil
 	}
 	if options.ECH != nil && options.ECH.Enabled {
-		return NewECHClient(ctx, serverAddress, options)
+		return NewECHClient(router, serverAddress, options)
 	} else if options.Reality != nil && options.Reality.Enabled {
-		return NewRealityClient(ctx, serverAddress, options)
+		return NewRealityClient(router, serverAddress, options)
 	} else if options.UTLS != nil && options.UTLS.Enabled {
-		return NewUTLSClient(ctx, serverAddress, options)
+		return NewUTLSClient(router, serverAddress, options)
 	} else {
-		return NewSTDClient(ctx, serverAddress, options)
+		return NewSTDClient(router, serverAddress, options)
 	}
 }

--- a/common/tls/ech_client.go
+++ b/common/tls/ech_client.go
@@ -7,53 +7,50 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/base64"
-	"encoding/pem"
 	"net"
 	"net/netip"
 	"os"
-	"strings"

 	cftls "github.com/sagernet/cloudflare-tls"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-dns"
 	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/ntp"

 	mDNS "github.com/miekg/dns"
 )

-type echClientConfig struct {
+type ECHClientConfig struct {
 	config *cftls.Config
 }

-func (c *echClientConfig) ServerName() string {
-	return c.config.ServerName
+func (e *ECHClientConfig) ServerName() string {
+	return e.config.ServerName
 }

-func (c *echClientConfig) SetServerName(serverName string) {
-	c.config.ServerName = serverName
+func (e *ECHClientConfig) SetServerName(serverName string) {
+	e.config.ServerName = serverName
 }

-func (c *echClientConfig) NextProtos() []string {
-	return c.config.NextProtos
+func (e *ECHClientConfig) NextProtos() []string {
+	return e.config.NextProtos
 }

-func (c *echClientConfig) SetNextProtos(nextProto []string) {
-	c.config.NextProtos = nextProto
+func (e *ECHClientConfig) SetNextProtos(nextProto []string) {
+	e.config.NextProtos = nextProto
 }

-func (c *echClientConfig) Config() (*STDConfig, error) {
+func (e *ECHClientConfig) Config() (*STDConfig, error) {
 	return nil, E.New("unsupported usage for ECH")
 }

-func (c *echClientConfig) Client(conn net.Conn) (Conn, error) {
-	return &echConnWrapper{cftls.Client(conn, c.config)}, nil
+func (e *ECHClientConfig) Client(conn net.Conn) (Conn, error) {
+	return &echConnWrapper{cftls.Client(conn, e.config)}, nil
 }

-func (c *echClientConfig) Clone() Config {
-	return &echClientConfig{
-		config: c.config.Clone(),
+func (e *ECHClientConfig) Clone() Config {
+	return &ECHClientConfig{
+		config: e.config.Clone(),
 	}
 }

@@ -83,7 +80,7 @@ func (c *echConnWrapper) Upstream() any {
 	return c.Conn
 }

-func NewECHClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewECHClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	var serverName string
 	if options.ServerName != "" {
 		serverName = options.ServerName
@@ -97,7 +94,7 @@ func NewECHClient(ctx context.Context, serverAddress string, options option.Outb
 	}

 	var tlsConfig cftls.Config
-	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
+	tlsConfig.Time = router.TimeFunc()
 	if options.DisableSNI {
 		tlsConfig.ServerName = "127.0.0.1"
 	} else {
@@ -149,8 +146,8 @@ func NewECHClient(ctx context.Context, serverAddress string, options option.Outb
 		}
 	}
 	var certificate []byte
-	if len(options.Certificate) > 0 {
-		certificate = []byte(strings.Join(options.Certificate, "\n"))
+	if options.Certificate != "" {
+		certificate = []byte(options.Certificate)
 	} else if options.CertificatePath != "" {
 		content, err := os.ReadFile(options.CertificatePath)
 		if err != nil {
@@ -171,36 +168,24 @@ func NewECHClient(ctx context.Context, serverAddress string, options option.Outb
 	tlsConfig.ECHEnabled = true
 	tlsConfig.PQSignatureSchemesEnabled = options.ECH.PQSignatureSchemesEnabled
 	tlsConfig.DynamicRecordSizingDisabled = options.ECH.DynamicRecordSizingDisabled
-
-	var echConfig []byte
-	if len(options.ECH.Config) > 0 {
-		echConfig = []byte(strings.Join(options.ECH.Config, "\n"))
-	} else if options.ECH.ConfigPath != "" {
-		content, err := os.ReadFile(options.ECH.ConfigPath)
+	if options.ECH.Config != "" {
+		clientConfigContent, err := base64.StdEncoding.DecodeString(options.ECH.Config)
 		if err != nil {
-			return nil, E.Cause(err, "read ECH config")
+			return nil, err
 		}
-		echConfig = content
-	}
-
-	if len(echConfig) > 0 {
-		block, rest := pem.Decode(echConfig)
-		if block == nil || block.Type != "ECH CONFIGS" || len(rest) > 0 {
-			return nil, E.New("invalid ECH configs pem")
-		}
-		echConfigs, err := cftls.UnmarshalECHConfigs(block.Bytes)
+		clientConfig, err := cftls.UnmarshalECHConfigs(clientConfigContent)
 		if err != nil {
-			return nil, E.Cause(err, "parse ECH configs")
+			return nil, err
 		}
-		tlsConfig.ClientECHConfigs = echConfigs
+		tlsConfig.ClientECHConfigs = clientConfig
 	} else {
-		tlsConfig.GetClientECHConfigs = fetchECHClientConfig(ctx)
+		tlsConfig.GetClientECHConfigs = fetchECHClientConfig(router)
 	}
-	return &echClientConfig{&tlsConfig}, nil
+	return &ECHClientConfig{&tlsConfig}, nil
 }

-func fetchECHClientConfig(ctx context.Context) func(_ context.Context, serverName string) ([]cftls.ECHConfig, error) {
-	return func(_ context.Context, serverName string) ([]cftls.ECHConfig, error) {
+func fetchECHClientConfig(router adapter.Router) func(ctx context.Context, serverName string) ([]cftls.ECHConfig, error) {
+	return func(ctx context.Context, serverName string) ([]cftls.ECHConfig, error) {
 		message := &mDNS.Msg{
 			MsgHdr: mDNS.MsgHdr{
 				RecursionDesired: true,
@@ -213,7 +198,7 @@ func fetchECHClientConfig(ctx context.Context) func(_ context.Context, serverNam
 				},
 			},
 		}
-		response, err := adapter.RouterFromContext(ctx).Exchange(ctx, message)
+		response, err := router.Exchange(ctx, message)
 		if err != nil {
 			return nil, err
 		}
--- a/common/tls/ech_keygen.go
+++ b/common/tls/ech_keygen.go
@@ -1,169 +0,0 @@
-//go:build with_ech
-
-package tls
-
-import (
-	"bytes"
-	"encoding/binary"
-	"encoding/pem"
-
-	cftls "github.com/sagernet/cloudflare-tls"
-	E "github.com/sagernet/sing/common/exceptions"
-
-	"github.com/cloudflare/circl/hpke"
-	"github.com/cloudflare/circl/kem"
-)
-
-func ECHKeygenDefault(serverName string, pqSignatureSchemesEnabled bool) (configPem string, keyPem string, err error) {
-	cipherSuites := []echCipherSuite{
-		{
-			kdf:  hpke.KDF_HKDF_SHA256,
-			aead: hpke.AEAD_AES128GCM,
-		}, {
-			kdf:  hpke.KDF_HKDF_SHA256,
-			aead: hpke.AEAD_ChaCha20Poly1305,
-		},
-	}
-
-	keyConfig := []myECHKeyConfig{
-		{id: 0, kem: hpke.KEM_X25519_HKDF_SHA256},
-	}
-	if pqSignatureSchemesEnabled {
-		keyConfig = append(keyConfig, myECHKeyConfig{id: 1, kem: hpke.KEM_X25519_KYBER768_DRAFT00})
-	}
-
-	keyPairs, err := echKeygen(0xfe0d, serverName, keyConfig, cipherSuites)
-	if err != nil {
-		return
-	}
-
-	var configBuffer bytes.Buffer
-	var totalLen uint16
-	for _, keyPair := range keyPairs {
-		totalLen += uint16(len(keyPair.rawConf))
-	}
-	binary.Write(&configBuffer, binary.BigEndian, totalLen)
-	for _, keyPair := range keyPairs {
-		configBuffer.Write(keyPair.rawConf)
-	}
-
-	var keyBuffer bytes.Buffer
-	for _, keyPair := range keyPairs {
-		keyBuffer.Write(keyPair.rawKey)
-	}
-
-	configPem = string(pem.EncodeToMemory(&pem.Block{Type: "ECH CONFIGS", Bytes: configBuffer.Bytes()}))
-	keyPem = string(pem.EncodeToMemory(&pem.Block{Type: "ECH KEYS", Bytes: keyBuffer.Bytes()}))
-	return
-}
-
-type echKeyConfigPair struct {
-	id      uint8
-	key     cftls.EXP_ECHKey
-	rawKey  []byte
-	conf    myECHKeyConfig
-	rawConf []byte
-}
-
-type echCipherSuite struct {
-	kdf  hpke.KDF
-	aead hpke.AEAD
-}
-
-type myECHKeyConfig struct {
-	id   uint8
-	kem  hpke.KEM
-	seed []byte
-}
-
-func echKeygen(version uint16, serverName string, conf []myECHKeyConfig, suite []echCipherSuite) ([]echKeyConfigPair, error) {
-	be := binary.BigEndian
-	// prepare for future update
-	if version != 0xfe0d {
-		return nil, E.New("unsupported ECH version", version)
-	}
-
-	suiteBuf := make([]byte, 0, len(suite)*4+2)
-	suiteBuf = be.AppendUint16(suiteBuf, uint16(len(suite))*4)
-	for _, s := range suite {
-		if !s.kdf.IsValid() || !s.aead.IsValid() {
-			return nil, E.New("invalid HPKE cipher suite")
-		}
-		suiteBuf = be.AppendUint16(suiteBuf, uint16(s.kdf))
-		suiteBuf = be.AppendUint16(suiteBuf, uint16(s.aead))
-	}
-
-	pairs := []echKeyConfigPair{}
-	for _, c := range conf {
-		pair := echKeyConfigPair{}
-		pair.id = c.id
-		pair.conf = c
-
-		if !c.kem.IsValid() {
-			return nil, E.New("invalid HPKE KEM")
-		}
-
-		kpGenerator := c.kem.Scheme().GenerateKeyPair
-		if len(c.seed) > 0 {
-			kpGenerator = func() (kem.PublicKey, kem.PrivateKey, error) {
-				pub, sec := c.kem.Scheme().DeriveKeyPair(c.seed)
-				return pub, sec, nil
-			}
-			if len(c.seed) < c.kem.Scheme().PrivateKeySize() {
-				return nil, E.New("HPKE KEM seed too short")
-			}
-		}
-
-		pub, sec, err := kpGenerator()
-		if err != nil {
-			return nil, E.Cause(err, "generate ECH config key pair")
-		}
-		b := []byte{}
-		b = be.AppendUint16(b, version)
-		b = be.AppendUint16(b, 0) // length field
-		// contents
-		// key config
-		b = append(b, c.id)
-		b = be.AppendUint16(b, uint16(c.kem))
-		pubBuf, err := pub.MarshalBinary()
-		if err != nil {
-			return nil, E.Cause(err, "serialize ECH public key")
-		}
-		b = be.AppendUint16(b, uint16(len(pubBuf)))
-		b = append(b, pubBuf...)
-
-		b = append(b, suiteBuf...)
-		// end key config
-		// max name len, not supported
-		b = append(b, 0)
-		// server name
-		b = append(b, byte(len(serverName)))
-		b = append(b, []byte(serverName)...)
-		// extensions, not supported
-		b = be.AppendUint16(b, 0)
-
-		be.PutUint16(b[2:], uint16(len(b)-4))
-
-		pair.rawConf = b
-
-		secBuf, err := sec.MarshalBinary()
-		sk := []byte{}
-		sk = be.AppendUint16(sk, uint16(len(secBuf)))
-		sk = append(sk, secBuf...)
-		sk = be.AppendUint16(sk, uint16(len(b)))
-		sk = append(sk, b...)
-
-		cfECHKeys, err := cftls.EXP_UnmarshalECHKeys(sk)
-		if err != nil {
-			return nil, E.Cause(err, "bug: can't parse generated ECH server key")
-		}
-		if len(cfECHKeys) != 1 {
-			return nil, E.New("bug: unexpected server key count")
-		}
-		pair.key = cfECHKeys[0]
-		pair.rawKey = sk
-
-		pairs = append(pairs, pair)
-	}
-	return pairs, nil
-}
--- a/common/tls/ech_quic.go
+++ b/common/tls/ech_quic.go
@@ -1,56 +0,0 @@
-//go:build with_quic && with_ech
-
-package tls
-
-import (
-	"context"
-	"net"
-	"net/http"
-
-	"github.com/sagernet/cloudflare-tls"
-	"github.com/sagernet/quic-go/ech"
-	"github.com/sagernet/quic-go/http3_ech"
-	"github.com/sagernet/sing-quic"
-	M "github.com/sagernet/sing/common/metadata"
-)
-
-var (
-	_ qtls.Config       = (*echClientConfig)(nil)
-	_ qtls.ServerConfig = (*echServerConfig)(nil)
-)
-
-func (c *echClientConfig) Dial(ctx context.Context, conn net.PacketConn, addr net.Addr, config *quic.Config) (quic.Connection, error) {
-	return quic.Dial(ctx, conn, addr, c.config, config)
-}
-
-func (c *echClientConfig) DialEarly(ctx context.Context, conn net.PacketConn, addr net.Addr, config *quic.Config) (quic.EarlyConnection, error) {
-	return quic.DialEarly(ctx, conn, addr, c.config, config)
-}
-
-func (c *echClientConfig) CreateTransport(conn net.PacketConn, quicConnPtr *quic.EarlyConnection, serverAddr M.Socksaddr, quicConfig *quic.Config, enableDatagrams bool) http.RoundTripper {
-	return &http3.RoundTripper{
-		TLSClientConfig: c.config,
-		QuicConfig:      quicConfig,
-		EnableDatagrams: enableDatagrams,
-		Dial: func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (quic.EarlyConnection, error) {
-			quicConn, err := quic.DialEarly(ctx, conn, serverAddr.UDPAddr(), tlsCfg, cfg)
-			if err != nil {
-				return nil, err
-			}
-			*quicConnPtr = quicConn
-			return quicConn, nil
-		},
-	}
-}
-
-func (c *echServerConfig) Listen(conn net.PacketConn, config *quic.Config) (qtls.Listener, error) {
-	return quic.Listen(conn, c.config, config)
-}
-
-func (c *echServerConfig) ListenEarly(conn net.PacketConn, config *quic.Config) (qtls.EarlyListener, error) {
-	return quic.ListenEarly(conn, c.config, config)
-}
-
-func (c *echServerConfig) ConfigureHTTP3() {
-	http3.ConfigureTLSConfig(c.config)
-}
--- a/common/tls/ech_server.go
+++ b/common/tls/ech_server.go
@@ -1,343 +0,0 @@
-//go:build with_ech
-
-package tls
-
-import (
-	"context"
-	"crypto/tls"
-	"encoding/pem"
-	"net"
-	"os"
-	"strings"
-
-	cftls "github.com/sagernet/cloudflare-tls"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/ntp"
-
-	"github.com/fsnotify/fsnotify"
-)
-
-type echServerConfig struct {
-	config          *cftls.Config
-	logger          log.Logger
-	certificate     []byte
-	key             []byte
-	certificatePath string
-	keyPath         string
-	watcher         *fsnotify.Watcher
-	echKeyPath      string
-	echWatcher      *fsnotify.Watcher
-}
-
-func (c *echServerConfig) ServerName() string {
-	return c.config.ServerName
-}
-
-func (c *echServerConfig) SetServerName(serverName string) {
-	c.config.ServerName = serverName
-}
-
-func (c *echServerConfig) NextProtos() []string {
-	return c.config.NextProtos
-}
-
-func (c *echServerConfig) SetNextProtos(nextProto []string) {
-	c.config.NextProtos = nextProto
-}
-
-func (c *echServerConfig) Config() (*STDConfig, error) {
-	return nil, E.New("unsupported usage for ECH")
-}
-
-func (c *echServerConfig) Client(conn net.Conn) (Conn, error) {
-	return &echConnWrapper{cftls.Client(conn, c.config)}, nil
-}
-
-func (c *echServerConfig) Server(conn net.Conn) (Conn, error) {
-	return &echConnWrapper{cftls.Server(conn, c.config)}, nil
-}
-
-func (c *echServerConfig) Clone() Config {
-	return &echServerConfig{
-		config: c.config.Clone(),
-	}
-}
-
-func (c *echServerConfig) Start() error {
-	if c.certificatePath != "" && c.keyPath != "" {
-		err := c.startWatcher()
-		if err != nil {
-			c.logger.Warn("create fsnotify watcher: ", err)
-		}
-	}
-	if c.echKeyPath != "" {
-		err := c.startECHWatcher()
-		if err != nil {
-			c.logger.Warn("create fsnotify watcher: ", err)
-		}
-	}
-	return nil
-}
-
-func (c *echServerConfig) startWatcher() error {
-	watcher, err := fsnotify.NewWatcher()
-	if err != nil {
-		return err
-	}
-	if c.certificatePath != "" {
-		err = watcher.Add(c.certificatePath)
-		if err != nil {
-			return err
-		}
-	}
-	if c.keyPath != "" {
-		err = watcher.Add(c.keyPath)
-		if err != nil {
-			return err
-		}
-	}
-	c.watcher = watcher
-	go c.loopUpdate()
-	return nil
-}
-
-func (c *echServerConfig) loopUpdate() {
-	for {
-		select {
-		case event, ok := <-c.watcher.Events:
-			if !ok {
-				return
-			}
-			if event.Op&fsnotify.Write != fsnotify.Write {
-				continue
-			}
-			err := c.reloadKeyPair()
-			if err != nil {
-				c.logger.Error(E.Cause(err, "reload TLS key pair"))
-			}
-		case err, ok := <-c.watcher.Errors:
-			if !ok {
-				return
-			}
-			c.logger.Error(E.Cause(err, "fsnotify error"))
-		}
-	}
-}
-
-func (c *echServerConfig) reloadKeyPair() error {
-	if c.certificatePath != "" {
-		certificate, err := os.ReadFile(c.certificatePath)
-		if err != nil {
-			return E.Cause(err, "reload certificate from ", c.certificatePath)
-		}
-		c.certificate = certificate
-	}
-	if c.keyPath != "" {
-		key, err := os.ReadFile(c.keyPath)
-		if err != nil {
-			return E.Cause(err, "reload key from ", c.keyPath)
-		}
-		c.key = key
-	}
-	keyPair, err := cftls.X509KeyPair(c.certificate, c.key)
-	if err != nil {
-		return E.Cause(err, "reload key pair")
-	}
-	c.config.Certificates = []cftls.Certificate{keyPair}
-	c.logger.Info("reloaded TLS certificate")
-	return nil
-}
-
-func (c *echServerConfig) startECHWatcher() error {
-	watcher, err := fsnotify.NewWatcher()
-	if err != nil {
-		return err
-	}
-	err = watcher.Add(c.echKeyPath)
-	if err != nil {
-		return err
-	}
-	c.echWatcher = watcher
-	go c.loopECHUpdate()
-	return nil
-}
-
-func (c *echServerConfig) loopECHUpdate() {
-	for {
-		select {
-		case event, ok := <-c.echWatcher.Events:
-			if !ok {
-				return
-			}
-			if event.Op&fsnotify.Write != fsnotify.Write {
-				continue
-			}
-			err := c.reloadECHKey()
-			if err != nil {
-				c.logger.Error(E.Cause(err, "reload ECH key"))
-			}
-		case err, ok := <-c.echWatcher.Errors:
-			if !ok {
-				return
-			}
-			c.logger.Error(E.Cause(err, "fsnotify error"))
-		}
-	}
-}
-
-func (c *echServerConfig) reloadECHKey() error {
-	echKeyContent, err := os.ReadFile(c.echKeyPath)
-	if err != nil {
-		return err
-	}
-	block, rest := pem.Decode(echKeyContent)
-	if block == nil || block.Type != "ECH KEYS" || len(rest) > 0 {
-		return E.New("invalid ECH keys pem")
-	}
-	echKeys, err := cftls.EXP_UnmarshalECHKeys(block.Bytes)
-	if err != nil {
-		return E.Cause(err, "parse ECH keys")
-	}
-	echKeySet, err := cftls.EXP_NewECHKeySet(echKeys)
-	if err != nil {
-		return E.Cause(err, "create ECH key set")
-	}
-	c.config.ServerECHProvider = echKeySet
-	c.logger.Info("reloaded ECH keys")
-	return nil
-}
-
-func (c *echServerConfig) Close() error {
-	var err error
-	if c.watcher != nil {
-		err = E.Append(err, c.watcher.Close(), func(err error) error {
-			return E.Cause(err, "close certificate watcher")
-		})
-	}
-	if c.echWatcher != nil {
-		err = E.Append(err, c.echWatcher.Close(), func(err error) error {
-			return E.Cause(err, "close ECH key watcher")
-		})
-	}
-	return err
-}
-
-func NewECHServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
-	if !options.Enabled {
-		return nil, nil
-	}
-	var tlsConfig cftls.Config
-	if options.ACME != nil && len(options.ACME.Domain) > 0 {
-		return nil, E.New("acme is unavailable in ech")
-	}
-	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
-	if options.ServerName != "" {
-		tlsConfig.ServerName = options.ServerName
-	}
-	if len(options.ALPN) > 0 {
-		tlsConfig.NextProtos = append(options.ALPN, tlsConfig.NextProtos...)
-	}
-	if options.MinVersion != "" {
-		minVersion, err := ParseTLSVersion(options.MinVersion)
-		if err != nil {
-			return nil, E.Cause(err, "parse min_version")
-		}
-		tlsConfig.MinVersion = minVersion
-	}
-	if options.MaxVersion != "" {
-		maxVersion, err := ParseTLSVersion(options.MaxVersion)
-		if err != nil {
-			return nil, E.Cause(err, "parse max_version")
-		}
-		tlsConfig.MaxVersion = maxVersion
-	}
-	if options.CipherSuites != nil {
-	find:
-		for _, cipherSuite := range options.CipherSuites {
-			for _, tlsCipherSuite := range tls.CipherSuites() {
-				if cipherSuite == tlsCipherSuite.Name {
-					tlsConfig.CipherSuites = append(tlsConfig.CipherSuites, tlsCipherSuite.ID)
-					continue find
-				}
-			}
-			return nil, E.New("unknown cipher_suite: ", cipherSuite)
-		}
-	}
-	var certificate []byte
-	var key []byte
-	if len(options.Certificate) > 0 {
-		certificate = []byte(strings.Join(options.Certificate, "\n"))
-	} else if options.CertificatePath != "" {
-		content, err := os.ReadFile(options.CertificatePath)
-		if err != nil {
-			return nil, E.Cause(err, "read certificate")
-		}
-		certificate = content
-	}
-	if len(options.Key) > 0 {
-		key = []byte(strings.Join(options.Key, "\n"))
-	} else if options.KeyPath != "" {
-		content, err := os.ReadFile(options.KeyPath)
-		if err != nil {
-			return nil, E.Cause(err, "read key")
-		}
-		key = content
-	}
-
-	if certificate == nil {
-		return nil, E.New("missing certificate")
-	} else if key == nil {
-		return nil, E.New("missing key")
-	}
-
-	keyPair, err := cftls.X509KeyPair(certificate, key)
-	if err != nil {
-		return nil, E.Cause(err, "parse x509 key pair")
-	}
-	tlsConfig.Certificates = []cftls.Certificate{keyPair}
-
-	var echKey []byte
-	if len(options.ECH.Key) > 0 {
-		echKey = []byte(strings.Join(options.ECH.Key, "\n"))
-	} else if options.KeyPath != "" {
-		content, err := os.ReadFile(options.ECH.KeyPath)
-		if err != nil {
-			return nil, E.Cause(err, "read ECH key")
-		}
-		echKey = content
-	} else {
-		return nil, E.New("missing ECH key")
-	}
-
-	block, rest := pem.Decode(echKey)
-	if block == nil || block.Type != "ECH KEYS" || len(rest) > 0 {
-		return nil, E.New("invalid ECH keys pem")
-	}
-
-	echKeys, err := cftls.EXP_UnmarshalECHKeys(block.Bytes)
-	if err != nil {
-		return nil, E.Cause(err, "parse ECH keys")
-	}
-
-	echKeySet, err := cftls.EXP_NewECHKeySet(echKeys)
-	if err != nil {
-		return nil, E.Cause(err, "create ECH key set")
-	}
-
-	tlsConfig.ECHEnabled = true
-	tlsConfig.PQSignatureSchemesEnabled = options.ECH.PQSignatureSchemesEnabled
-	tlsConfig.DynamicRecordSizingDisabled = options.ECH.DynamicRecordSizingDisabled
-	tlsConfig.ServerECHProvider = echKeySet
-
-	return &echServerConfig{
-		config:          &tlsConfig,
-		logger:          logger,
-		certificate:     certificate,
-		key:             key,
-		certificatePath: options.CertificatePath,
-		keyPath:         options.KeyPath,
-		echKeyPath:      options.ECH.KeyPath,
-	}, nil
-}
--- a/common/tls/ech_stub.go
+++ b/common/tls/ech_stub.go
@@ -3,23 +3,11 @@
 package tls

 import (
-	"context"
-
-	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 )

-var errECHNotIncluded = E.New(`ECH is not included in this build, rebuild with -tags with_ech`)
-
-func NewECHServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
-	return nil, errECHNotIncluded
-}
-
-func NewECHClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
-	return nil, errECHNotIncluded
-}
-
-func ECHKeygenDefault(host string, pqSignatureSchemesEnabled bool) (configPem string, keyPem string, err error) {
-	return "", "", errECHNotIncluded
+func NewECHClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+	return nil, E.New(`ECH is not included in this build, rebuild with -tags with_ech`)
 }
--- a/common/tls/reality_client.go
+++ b/common/tls/reality_client.go
@@ -26,6 +26,7 @@ import (
 	"time"
 	"unsafe"

+	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common/debug"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -44,12 +45,12 @@ type RealityClientConfig struct {
 	shortID   [8]byte
 }

-func NewRealityClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (*RealityClientConfig, error) {
+func NewRealityClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (*RealityClientConfig, error) {
 	if options.UTLS == nil || !options.UTLS.Enabled {
 		return nil, E.New("uTLS is required by reality client")
 	}

-	uClient, err := NewUTLSClient(ctx, serverAddress, options)
+	uClient, err := NewUTLSClient(router, serverAddress, options)
 	if err != nil {
 		return nil, err
 	}
--- a/common/tls/reality_server.go
+++ b/common/tls/reality_server.go
@@ -19,7 +19,6 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/common/ntp"
 )

 var _ ServerConfigCompat = (*RealityServerConfig)(nil)
@@ -28,13 +27,13 @@ type RealityServerConfig struct {
 	config *reality.Config
 }

-func NewRealityServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (*RealityServerConfig, error) {
+func NewRealityServer(ctx context.Context, router adapter.Router, logger log.Logger, options option.InboundTLSOptions) (*RealityServerConfig, error) {
 	var tlsConfig reality.Config

 	if options.ACME != nil && len(options.ACME.Domain) > 0 {
 		return nil, E.New("acme is unavailable in reality")
 	}
-	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
+	tlsConfig.Time = router.TimeFunc()
 	if options.ServerName != "" {
 		tlsConfig.ServerName = options.ServerName
 	}
@@ -67,10 +66,10 @@ func NewRealityServer(ctx context.Context, logger log.Logger, options option.Inb
 			return nil, E.New("unknown cipher_suite: ", cipherSuite)
 		}
 	}
-	if len(options.Certificate) > 0 || options.CertificatePath != "" {
+	if options.Certificate != "" || options.CertificatePath != "" {
 		return nil, E.New("certificate is unavailable in reality")
 	}
-	if len(options.Key) > 0 || options.KeyPath != "" {
+	if options.Key != "" || options.KeyPath != "" {
 		return nil, E.New("key is unavailable in reality")
 	}

@@ -102,7 +101,7 @@ func NewRealityServer(ctx context.Context, logger log.Logger, options option.Inb
 		tlsConfig.ShortIds[shortID] = true
 	}

-	handshakeDialer, err := dialer.New(adapter.RouterFromContext(ctx), options.Reality.Handshake.DialerOptions)
+	handshakeDialer, err := dialer.New(router, options.Reality.Handshake.DialerOptions)
 	if err != nil {
 		return nil, err
 	}
--- a/common/tls/reality_stub.go
+++ b/common/tls/reality_stub.go
@@ -5,11 +5,12 @@ package tls
 import (
 	"context"

+	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 )

-func NewRealityServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
+func NewRealityServer(ctx context.Context, router adapter.Router, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
 	return nil, E.New(`reality server is not included in this build, rebuild with -tags with_reality_server`)
 }
--- a/common/tls/server.go
+++ b/common/tls/server.go
@@ -4,22 +4,21 @@ import (
 	"context"
 	"net"

+	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	aTLS "github.com/sagernet/sing/common/tls"
 )

-func NewServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
+func NewServer(ctx context.Context, router adapter.Router, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
 	if !options.Enabled {
 		return nil, nil
 	}
-	if options.ECH != nil && options.ECH.Enabled {
-		return NewECHServer(ctx, logger, options)
-	} else if options.Reality != nil && options.Reality.Enabled {
-		return NewRealityServer(ctx, logger, options)
+	if options.Reality != nil && options.Reality.Enabled {
+		return NewRealityServer(ctx, router, logger, options)
 	} else {
-		return NewSTDServer(ctx, logger, options)
+		return NewSTDServer(ctx, router, logger, options)
 	}
 }

--- a/common/tls/std_client.go
+++ b/common/tls/std_client.go
@@ -1,17 +1,15 @@
 package tls

 import (
-	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"net"
 	"net/netip"
 	"os"
-	"strings"

+	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/ntp"
 )

 type STDClientConfig struct {
@@ -46,7 +44,7 @@ func (s *STDClientConfig) Clone() Config {
 	return &STDClientConfig{s.config.Clone()}
 }

-func NewSTDClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewSTDClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	var serverName string
 	if options.ServerName != "" {
 		serverName = options.ServerName
@@ -60,7 +58,7 @@ func NewSTDClient(ctx context.Context, serverAddress string, options option.Outb
 	}

 	var tlsConfig tls.Config
-	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
+	tlsConfig.Time = router.TimeFunc()
 	if options.DisableSNI {
 		tlsConfig.ServerName = "127.0.0.1"
 	} else {
@@ -112,8 +110,8 @@ func NewSTDClient(ctx context.Context, serverAddress string, options option.Outb
 		}
 	}
 	var certificate []byte
-	if len(options.Certificate) > 0 {
-		certificate = []byte(strings.Join(options.Certificate, "\n"))
+	if options.Certificate != "" {
+		certificate = []byte(options.Certificate)
 	} else if options.CertificatePath != "" {
 		content, err := os.ReadFile(options.CertificatePath)
 		if err != nil {
--- a/common/tls/std_server.go
+++ b/common/tls/std_server.go
@@ -5,14 +5,12 @@ import (
 	"crypto/tls"
 	"net"
 	"os"
-	"strings"

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/ntp"

 	"github.com/fsnotify/fsnotify"
 )
@@ -158,7 +156,7 @@ func (c *STDServerConfig) Close() error {
 	return nil
 }

-func NewSTDServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
+func NewSTDServer(ctx context.Context, router adapter.Router, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
 	if !options.Enabled {
 		return nil, nil
 	}
@@ -177,7 +175,7 @@ func NewSTDServer(ctx context.Context, logger log.Logger, options option.Inbound
 	} else {
 		tlsConfig = &tls.Config{}
 	}
-	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
+	tlsConfig.Time = router.TimeFunc()
 	if options.ServerName != "" {
 		tlsConfig.ServerName = options.ServerName
 	}
@@ -213,8 +211,8 @@ func NewSTDServer(ctx context.Context, logger log.Logger, options option.Inbound
 	var certificate []byte
 	var key []byte
 	if acmeService == nil {
-		if len(options.Certificate) > 0 {
-			certificate = []byte(strings.Join(options.Certificate, "\n"))
+		if options.Certificate != "" {
+			certificate = []byte(options.Certificate)
 		} else if options.CertificatePath != "" {
 			content, err := os.ReadFile(options.CertificatePath)
 			if err != nil {
@@ -222,8 +220,8 @@ func NewSTDServer(ctx context.Context, logger log.Logger, options option.Inbound
 			}
 			certificate = content
 		}
-		if len(options.Key) > 0 {
-			key = []byte(strings.Join(options.Key, "\n"))
+		if options.Key != "" {
+			key = []byte(options.Key)
 		} else if options.KeyPath != "" {
 			content, err := os.ReadFile(options.KeyPath)
 			if err != nil {
@@ -233,7 +231,7 @@ func NewSTDServer(ctx context.Context, logger log.Logger, options option.Inbound
 		}
 		if certificate == nil && key == nil && options.Insecure {
 			tlsConfig.GetCertificate = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
-				return GenerateKeyPair(ntp.TimeFuncFromContext(ctx), info.ServerName)
+				return GenerateKeyPair(router.TimeFunc(), info.ServerName)
 			}
 		} else {
 			if certificate == nil {
--- a/common/tls/utls_client.go
+++ b/common/tls/utls_client.go
@@ -10,11 +10,10 @@ import (
 	"net"
 	"net/netip"
 	"os"
-	"strings"

+	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/ntp"
 	utls "github.com/sagernet/utls"

 	"golang.org/x/net/http2"
@@ -114,7 +113,7 @@ func (c *utlsALPNWrapper) HandshakeContext(ctx context.Context) error {
 	return c.UConn.HandshakeContext(ctx)
 }

-func NewUTLSClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (*UTLSClientConfig, error) {
+func NewUTLSClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (*UTLSClientConfig, error) {
 	var serverName string
 	if options.ServerName != "" {
 		serverName = options.ServerName
@@ -128,7 +127,7 @@ func NewUTLSClient(ctx context.Context, serverAddress string, options option.Out
 	}

 	var tlsConfig utls.Config
-	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
+	tlsConfig.Time = router.TimeFunc()
 	if options.DisableSNI {
 		tlsConfig.ServerName = "127.0.0.1"
 	} else {
@@ -169,8 +168,8 @@ func NewUTLSClient(ctx context.Context, serverAddress string, options option.Out
 		}
 	}
 	var certificate []byte
-	if len(options.Certificate) > 0 {
-		certificate = []byte(strings.Join(options.Certificate, "\n"))
+	if options.Certificate != "" {
+		certificate = []byte(options.Certificate)
 	} else if options.CertificatePath != "" {
 		content, err := os.ReadFile(options.CertificatePath)
 		if err != nil {
--- a/common/tls/utls_stub.go
+++ b/common/tls/utls_stub.go
@@ -3,16 +3,15 @@
 package tls

 import (
-	"context"
-
+	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 )

-func NewUTLSClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewUTLSClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	return nil, E.New(`uTLS is not included in this build, rebuild with -tags with_utls`)
 }

-func NewRealityClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewRealityClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	return nil, E.New(`uTLS, which is required by reality client is not included in this build, rebuild with -tags with_utls`)
 }
--- a/common/urltest/urltest.go
+++ b/common/urltest/urltest.go
@@ -8,7 +8,6 @@ import (
 	"sync"
 	"time"

-	"github.com/sagernet/sing/common"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
@@ -97,25 +96,33 @@ func URLTest(ctx context.Context, link string, detour N.Dialer) (t uint16, err e
 		return
 	}
 	defer instance.Close()
-	if earlyConn, isEarlyConn := common.Cast[N.EarlyConn](instance); isEarlyConn && earlyConn.NeedHandshake() {
-		start = time.Now()
-	}
+
 	req, err := http.NewRequest(http.MethodHead, link, nil)
 	if err != nil {
 		return
 	}
-	client := http.Client{
-		Transport: &http.Transport{
-			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
-				return instance, nil
-			},
+	req = req.WithContext(ctx)
+
+	transport := &http.Transport{
+		Dial: func(string, string) (net.Conn, error) {
+			return instance, nil
 		},
+		// from http.DefaultTransport
+		MaxIdleConns:          100,
+		IdleConnTimeout:       90 * time.Second,
+		TLSHandshakeTimeout:   10 * time.Second,
+		ExpectContinueTimeout: 1 * time.Second,
+	}
+
+	client := http.Client{
+		Transport: transport,
 		CheckRedirect: func(req *http.Request, via []*http.Request) error {
 			return http.ErrUseLastResponse
 		},
 	}
 	defer client.CloseIdleConnections()
-	resp, err := client.Do(req.WithContext(ctx))
+
+	resp, err := client.Do(req)
 	if err != nil {
 		return
 	}
--- a/constant/dns.go
+++ b/constant/dns.go
@@ -1,6 +0,0 @@
-package constant
-
-const (
-	DNSProviderAliDNS     = "alidns"
-	DNSProviderCloudflare = "cloudflare"
-)
--- a/constant/proxy.go
+++ b/constant/proxy.go
@@ -22,7 +22,6 @@ const (
 	TypeShadowsocksR = "shadowsocksr"
 	TypeVLESS        = "vless"
 	TypeTUIC         = "tuic"
-	TypeHysteria2    = "hysteria2"
 )

 const (
@@ -66,8 +65,6 @@ func ProxyDisplayName(proxyType string) string {
 		return "VLESS"
 	case TypeTUIC:
 		return "TUIC"
-	case TypeHysteria2:
-		return "Hysteria2"
 	case TypeSelector:
 		return "Selector"
 	case TypeURLTest:
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -1,193 +1,3 @@
-#### 1.5.0
-
-* Fixes and improvements
-
-Important changes since 1.4:
-
-* Add TLS [ECH server](/configuration/shared/tls) support
-* Improve TLS TCH client configuration
-* Add TLS ECH key pair generator **1**
-* Add TLS ECH support for QUIC based protocols **2**
-* Add KDE support for the `set_system_proxy` option in HTTP inbound
-* Add Hysteria2 protocol support **3**
-* Add `interrupt_exist_connections` option for `Selector` and `URLTest` outbounds **4**
-* Add DNS01 challenge support for ACME TLS certificate issuer **5**
-* Add `merge` command **6**
-* Mark [Deprecated Features](/deprecated)
-
-**1**:
-
-Command: `sing-box generate ech-keypair <plain_server_name> [--pq-signature-schemes-enabled]`
-
-**2**:
-
-All inbounds and outbounds are supported, including `Naiveproxy`, `Hysteria[/2]`, `TUIC` and `V2ray QUIC transport`.
-
-**3**:
-
-See [Hysteria2 inbound](/configuration/inbound/hysteria2) and [Hysteria2 outbound](/configuration/outbound/hysteria2)
-
-For protocol description, please refer to [https://v2.hysteria.network](https://v2.hysteria.network)
-
-**4**:
-
-Interrupt existing connections when the selected outbound has changed.
-
-Only inbound connections are affected by this setting, internal connections will always be interrupted.
-
-**5**:
-
-Only `Alibaba Cloud DNS` and `Cloudflare` are supported, see [ACME Fields](/configuration/shared/tls#acme-fields)
-and [DNS01 Challenge Fields](/configuration/shared/dns01_challenge).
-
-**6**:
-
-This command also parses path resources that appear in the configuration file and replaces them with embedded
-configuration, such as TLS certificates or SSH private keys.
-
-#### 1.5.0-rc.6
-
-* Fixes and improvements
-
-#### 1.4.6
-
-* Fixes and improvements
-
-#### 1.5.0-rc.5
-
-* Fixed an improper authentication vulnerability in the SOCKS5 inbound
-* Fixes and improvements
-
-**Security Advisory**
-
-This update fixes an improper authentication vulnerability in the sing-box SOCKS inbound. This vulnerability allows an
-attacker to craft special requests to bypass user authentication. All users exposing SOCKS servers with user
-authentication in an insecure environment are advised to update immediately.
-
-此更新修复了 sing-box SOCKS 入站中的一个不正确身份验证漏洞。 该漏洞允许攻击者制作特殊请求来绕过用户身份验证。建议所有将使用用户认证的
-SOCKS 服务器暴露在不安全环境下的用户立更新。
-
-#### 1.4.5
-
-* Fixed an improper authentication vulnerability in the SOCKS5 inbound
-* Fixes and improvements
-
-**Security Advisory**
-
-This update fixes an improper authentication vulnerability in the sing-box SOCKS inbound. This vulnerability allows an
-attacker to craft special requests to bypass user authentication. All users exposing SOCKS servers with user
-authentication in an insecure environment are advised to update immediately.
-
-此更新修复了 sing-box SOCKS 入站中的一个不正确身份验证漏洞。 该漏洞允许攻击者制作特殊请求来绕过用户身份验证。建议所有将使用用户认证的
-SOCKS 服务器暴露在不安全环境下的用户立更新。
-
-#### 1.5.0-rc.3
-
-* Fixes and improvements
-
-#### 1.5.0-beta.12
-
-* Add `merge` command **1**
-* Fixes and improvements
-
-**1**:
-
-This command also parses path resources that appear in the configuration file and replaces them with embedded
-configuration, such as TLS certificates or SSH private keys.
-
-```
-Merge configurations
-
-Usage:
-  sing-box merge [output] [flags]
-
-Flags:
-  -h, --help   help for merge
-
-Global Flags:
-  -c, --config stringArray             set configuration file path
-  -C, --config-directory stringArray   set configuration directory path
-  -D, --directory string               set working directory
-      --disable-color                  disable color output
-```
-
-#### 1.5.0-beta.11
-
-* Add DNS01 challenge support for ACME TLS certificate issuer **1**
-* Fixes and improvements
-
-**1**:
-
-Only `Alibaba Cloud DNS` and `Cloudflare` are supported,
-see [ACME Fields](/configuration/shared/tls#acme-fields)
-and [DNS01 Challenge Fields](/configuration/shared/dns01_challenge).
-
-#### 1.5.0-beta.10
-
-* Add `interrupt_exist_connections` option for `Selector` and `URLTest` outbounds **1**
-* Fixes and improvements
-
-**1**:
-
-Interrupt existing connections when the selected outbound has changed.
-
-Only inbound connections are affected by this setting, internal connections will always be interrupted.
-
-#### 1.4.3
-
-* Fixes and improvements
-
-#### 1.5.0-beta.8
-
-* Fixes and improvements
-
-#### 1.4.2
-
-* Fixes and improvements
-
-#### 1.5.0-beta.6
-
-* Fix compatibility issues with official Hysteria2 server and client
-* Fixes and improvements
-* Mark [deprecated features](/deprecated)
-
-#### 1.5.0-beta.3
-
-* Fixes and improvements
-* Updated Hysteria2 documentation **1**
-
-**1**:
-
-Added notes indicating compatibility issues with the official
-Hysteria2 server and client when using `fastOpen=false` or UDP MTU >= 1200.
-
-#### 1.5.0-beta.2
-
-* Add hysteria2 protocol support **1**
-* Fixes and improvements
-
-**1**:
-
-See [Hysteria2 inbound](/configuration/inbound/hysteria2) and [Hysteria2 outbound](/configuration/outbound/hysteria2)
-
-For protocol description, please refer to [https://v2.hysteria.network](https://v2.hysteria.network)
-
-#### 1.5.0-beta.1
-
-* Add TLS [ECH server](/configuration/shared/tls) support
-* Improve TLS TCH client configuration
-* Add TLS ECH key pair generator **1**
-* Add TLS ECH support for QUIC based protocols **2**
-* Add KDE support for the `set_system_proxy` option in HTTP inbound
-
-**1**:
-
-Command: `sing-box generate ech-keypair <plain_server_name> [--pq-signature-schemes-enabled]`
-
-**2**:
-
-All inbounds and outbounds are supported, including `Naiveproxy`, `Hysteria`, `TUIC` and `V2ray QUIC transport`.
-
 #### 1.4.1

 * Fixes and improvements
--- a/docs/configuration/experimental/index.md
+++ b/docs/configuration/experimental/index.md
@@ -78,7 +78,7 @@ ALWAYS set a secret if RESTful API is listening on 0.0.0.0

 #### default_mode

-Default mode in clash, `Rule` will be used if empty.
+Default mode in clash, `rule` will be used if empty.

 This setting has no direct effect, but can be used in routing and DNS rules via the `clash_mode` rule item.

--- a/docs/configuration/experimental/index.zh.md
+++ b/docs/configuration/experimental/index.zh.md
@@ -76,7 +76,7 @@ RESTful API 的密钥（可选）

 #### default_mode

-Clash 中的默认模式，默认使用 `Rule`。
+Clash 中的默认模式，默认使用 `rule`。

 此设置没有直接影响，但可以通过 `clash_mode` 规则项在路由和 DNS 规则中使用。

--- a/docs/configuration/inbound/hysteria2.md
+++ b/docs/configuration/inbound/hysteria2.md
@@ -1,85 +0,0 @@
-### Structure
-
-```json
-{
-  "type": "hysteria2",
-  "tag": "hy2-in",
-  
-  ... // Listen Fields
-
-  "up_mbps": 100,
-  "down_mbps": 100,
-  "obfs": {
-    "type": "salamander",
-    "password": "cry_me_a_r1ver"
-  },
-  "users": [
-    {
-      "name": "tobyxdd",
-      "password": "goofy_ahh_password"
-    }
-  ],
-  "ignore_client_bandwidth": false,
-  "masquerade": "",
-  "tls": {}
-}
-```
-
-!!! warning ""
-
-    QUIC, which is required by Hysteria2 is not included by default, see [Installation](/#installation).
-
-### Listen Fields
-
-See [Listen Fields](/configuration/shared/listen) for details.
-
-### Fields
-
-#### up_mbps, down_mbps
-
-Max bandwidth, in Mbps.
-
-Not limited if empty.
-
-Conflict with `ignore_client_bandwidth`.
-
-#### obfs.type
-
-QUIC traffic obfuscator type, only available with `salamander`.
-
-Disabled if empty.
-
-#### obfs.password
-
-QUIC traffic obfuscator password.
-
-#### users
-
-Hysteria2 users
-
-#### users.password
-
-Authentication password
-
-#### ignore_client_bandwidth
-
-Commands the client to use the BBR flow control algorithm instead of Hysteria CC.
-
-Conflict with `up_mbps` and `down_mbps`.
-
-#### masquerade
-
-HTTP3 server behavior when authentication fails.
-
-| Scheme       | Example                 | Description        |
-|--------------|-------------------------|--------------------|
-| `file`       | `file:///var/www`       | As a file server   |
-| `http/https` | `http://127.0.0.1:8080` | As a reverse proxy |
-
-A 404 page will be returned if empty.
-
-#### tls
-
-==Required==
-
-TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
--- a/docs/configuration/inbound/hysteria2.zh.md
+++ b/docs/configuration/inbound/hysteria2.zh.md
@@ -1,83 +0,0 @@
-### 结构
-
-```json
-{
-  "type": "hysteria2",
-  "tag": "hy2-in",
-  
-  ... // 监听字段
-
-  "up_mbps": 100,
-  "down_mbps": 100,
-  "obfs": {
-    "type": "salamander",
-    "password": "cry_me_a_r1ver"
-  },
-  "users": [
-    {
-      "name": "tobyxdd",
-      "password": "goofy_ahh_password"
-    }
-  ],
-  "ignore_client_bandwidth": false,
-  "masquerade": "",
-  "tls": {}
-}
-```
-
-!!! warning ""
-
-    默认安装不包含被 Hysteria2 依赖的 QUIC，参阅 [安装](/zh/#_2)。
-
-### 监听字段
-
-参阅 [监听字段](/zh/configuration/shared/listen/)。
-
-### 字段
-
-#### up_mbps, down_mbps
-
-支持的速率，默认不限制。
-
-与 `ignore_client_bandwidth` 冲突。
-
-#### obfs.type
-
-QUIC 流量混淆器类型，仅可设为 `salamander`。
-
-如果为空则禁用。
-
-#### obfs.password
-
-QUIC 流量混淆器密码.
-
-#### users
-
-Hysteria 用户
-
-#### users.password
-
-认证密码。
-
-#### ignore_client_bandwidth
-
-命令客户端使用 BBR 流量控制算法而不是 Hysteria CC。
-
-与 `up_mbps` 和 `down_mbps` 冲突。
-
-#### masquerade
-
-HTTP3 服务器认证失败时的行为。
-
-| Scheme       | 示例                      | 描述      |
-|--------------|-------------------------|---------|
-| `file`       | `file:///var/www`       | 作为文件服务器 |
-| `http/https` | `http://127.0.0.1:8080` | 作为反向代理  |
-
-如果为空，则返回 404 页。
-
-#### tls
-
-==必填==
-
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
--- a/docs/configuration/inbound/index.md
+++ b/docs/configuration/inbound/index.md
@@ -27,8 +27,6 @@
 | `naive`       | [Naive](./naive)             | X          |
 | `hysteria`    | [Hysteria](./hysteria)       | X          |
 | `shadowtls`   | [ShadowTLS](./shadowtls)     | TCP        |
-| `tuic`        | [TUIC](./tuic)               | X          |
-| `hysteria2`   | [Hysteria2](./hysteria2)     | X          |
 | `vless`       | [VLESS](./vless)             | TCP        |
 | `tun`         | [Tun](./tun)                 | X          |
 | `redirect`    | [Redirect](./redirect)       | X          |
--- a/docs/configuration/inbound/index.zh.md
+++ b/docs/configuration/inbound/index.zh.md
@@ -26,10 +26,6 @@
 | `trojan`      | [Trojan](./trojan)           | TCP  |
 | `naive`       | [Naive](./naive)             | X    |
 | `hysteria`    | [Hysteria](./hysteria)       | X    |
-| `shadowtls`   | [ShadowTLS](./shadowtls)     | TCP  |
-| `tuic`        | [TUIC](./tuic)               | X    |
-| `hysteria2`   | [Hysteria2](./hysteria2)     | X    |
-| `vless`       | [VLESS](./vless)             | TCP  |
 | `tun`         | [Tun](./tun)                 | X    |
 | `redirect`    | [Redirect](./redirect)       | X    |
 | `tproxy`      | [TProxy](./tproxy)           | X    |
--- a/docs/configuration/index.md
+++ b/docs/configuration/index.md
@@ -31,17 +31,11 @@ sing-box uses JSON for configuration files.
 ### Check

 ```bash
-sing-box check
+$ sing-box check
 ```

 ### Format

 ```bash
-sing-box format -w -c config.json -D config_directory
-```
-
-### Merge
-
-```bash
-sing-box merge output.json -c config.json -D config_directory
+$ sing-box format -w
 ```
--- a/docs/configuration/index.zh.md
+++ b/docs/configuration/index.zh.md
@@ -29,17 +29,11 @@ sing-box 使用 JSON 作为配置文件格式。
 ### 检查

 ```bash
-sing-box check
+$ sing-box check
 ```

 ### 格式化

 ```bash
-sing-box format -w -c config.json -D config_directory
-```
-
-### 合并
-
-```bash
-sing-box merge output.json -c config.json -D config_directory
+$ sing-box format -w
 ```
--- a/docs/configuration/outbound/hysteria2.md
+++ b/docs/configuration/outbound/hysteria2.md
@@ -1,78 +0,0 @@
-### Structure
-
-```json
-{
-  "type": "hysteria2",
-  "tag": "hy2-out",
-  
-  "server": "127.0.0.1",
-  "server_port": 1080,
-  "up_mbps": 100,
-  "down_mbps": 100,
-  "obfs": {
-    "type": "salamander",
-    "password": "cry_me_a_r1ver"
-  },
-  "password": "goofy_ahh_password",
-  "network": "tcp",
-  "tls": {},
-  
-  ... // Dial Fields
-}
-```
-
-!!! warning ""
-
-    QUIC, which is required by Hysteria2 is not included by default, see [Installation](/#installation).
-
-### Fields
-
-#### server
-
-==Required==
-
-The server address.
-
-#### server_port
-
-==Required==
-
-The server port.
-
-#### up_mbps, down_mbps
-
-Max bandwidth, in Mbps.
-
-If empty, the BBR congestion control algorithm will be used instead of Hysteria CC.
-
-#### obfs.type
-
-QUIC traffic obfuscator type, only available with `salamander`.
-
-Disabled if empty.
-
-#### obfs.password
-
-QUIC traffic obfuscator password.
-
-#### password
-
-Authentication password.
-
-#### network
-
-Enabled network
-
-One of `tcp` `udp`.
-
-Both is enabled by default.
-
-#### tls
-
-==Required==
-
-TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
-
-### Dial Fields
-
-See [Dial Fields](/configuration/shared/dial) for details.
--- a/docs/configuration/outbound/hysteria2.zh.md
+++ b/docs/configuration/outbound/hysteria2.zh.md
@@ -1,79 +0,0 @@
-### 结构
-
-```json
-{
-  "type": "hysteria2",
-  "tag": "hy2-out",
-
-  "server": "127.0.0.1",
-  "server_port": 1080,
-  "up_mbps": 100,
-  "down_mbps": 100,
-  "obfs": {
-    "type": "salamander",
-    "password": "cry_me_a_r1ver"
-  },
-  "password": "goofy_ahh_password",
-  "network": "tcp",
-  "tls": {},
-  
-  ... // 拨号字段
-}
-```
-
-!!! warning ""
-
-    默认安装不包含被 Hysteria2 依赖的 QUIC，参阅 [安装](/zh/#_2)。
-
-### 字段
-
-#### server
-
-==必填==
-
-服务器地址。
-
-#### server_port
-
-==必填==
-
-服务器端口。
-
-#### up_mbps, down_mbps
-
-最大带宽。
-
-如果为空，将使用 BBR 流量控制算法而不是 Hysteria CC。
-
-#### obfs.type
-
-QUIC 流量混淆器类型，仅可设为 `salamander`。
-
-如果为空则禁用。
-
-#### obfs.password
-
-QUIC 流量混淆器密码.
-
-#### password
-
-认证密码。
-
-#### network
-
-启用的网络协议。
-
-`tcp` 或 `udp`。
-
-默认所有。
-
-#### tls
-
-==必填==
-
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
-
-
-### 拨号字段
-
-参阅 [拨号字段](/zh/configuration/shared/dial/)。
--- a/docs/configuration/outbound/index.md
+++ b/docs/configuration/outbound/index.md
@@ -29,8 +29,6 @@
 | `shadowsocksr` | [ShadowsocksR](./shadowsocksr) |
 | `vless`        | [VLESS](./vless)               |
 | `shadowtls`    | [ShadowTLS](./shadowtls)       |
-| `tuic`         | [TUIC](./tuic)                 |
-| `hysteria2`    | [Hysteria2](./hysteria2)       |
 | `tor`          | [Tor](./tor)                   |
 | `ssh`          | [SSH](./ssh)                   |
 | `dns`          | [DNS](./dns)                   |
--- a/docs/configuration/outbound/index.zh.md
+++ b/docs/configuration/outbound/index.zh.md
@@ -28,9 +28,6 @@
 | `hysteria`     | [Hysteria](./hysteria)         |
 | `shadowsocksr` | [ShadowsocksR](./shadowsocksr) |
 | `vless`        | [VLESS](./vless)               |
-| `shadowtls`    | [ShadowTLS](./shadowtls)       |
-| `tuic`         | [TUIC](./tuic)                 |
-| `hysteria2`    | [Hysteria2](./hysteria2)       |
 | `tor`          | [Tor](./tor)                   |
 | `ssh`          | [SSH](./ssh)                   |
 | `dns`          | [DNS](./dns)                   |
--- a/docs/configuration/outbound/selector.md
+++ b/docs/configuration/outbound/selector.md
@@ -10,8 +10,7 @@
    "proxy-b",
    "proxy-c"
  ],
-  "default": "proxy-c",
-  "interrupt_exist_connections": false
+  "default": "proxy-c"
 }
 ```

@@ -29,10 +28,4 @@ List of outbound tags to select.

 #### default

-The default outbound tag. The first outbound will be used if empty.
-
-#### interrupt_exist_connections
-
-Interrupt existing connections when the selected outbound has changed.
-
-Only inbound connections are affected by this setting, internal connections will always be interrupted.
+The default outbound tag. The first outbound will be used if empty.
--- a/docs/configuration/outbound/selector.zh.md
+++ b/docs/configuration/outbound/selector.zh.md
@@ -10,8 +10,7 @@
    "proxy-b",
    "proxy-c"
  ],
-  "default": "proxy-c",
-  "interrupt_exist_connections": false
+  "default": "proxy-c"
 }
 ```

@@ -30,9 +29,3 @@
 #### default

 默认的出站标签。默认使用第一个出站。
-
-#### interrupt_exist_connections
-
-当选定的出站发生更改时，中断现有连接。
-
-仅入站连接受此设置影响，内部连接将始终被中断。
--- a/docs/configuration/outbound/urltest.md
+++ b/docs/configuration/outbound/urltest.md
@@ -12,8 +12,7 @@
  ],
  "url": "https://www.gstatic.com/generate_204",
  "interval": "1m",
-  "tolerance": 50,
-  "interrupt_exist_connections": false
+  "tolerance": 50
 }
 ```

@@ -36,9 +35,3 @@ The test interval. `1m` will be used if empty.
 #### tolerance

 The test tolerance in milliseconds. `50` will be used if empty.
-
-#### interrupt_exist_connections
-
-Interrupt existing connections when the selected outbound has changed.
-
-Only inbound connections are affected by this setting, internal connections will always be interrupted.
--- a/docs/configuration/outbound/urltest.zh.md
+++ b/docs/configuration/outbound/urltest.zh.md
@@ -12,8 +12,7 @@
  ],
  "url": "https://www.gstatic.com/generate_204",
  "interval": "1m",
-  "tolerance": 50,
-  "interrupt_exist_connections": false
+  "tolerance": 50
 }
 ```

@@ -36,9 +35,3 @@
 #### tolerance

 以毫秒为单位的测试容差。 默认使用 `50`。
-
-#### interrupt_exist_connections
-
-当选定的出站发生更改时，中断现有连接。
-
-仅入站连接受此设置影响，内部连接将始终被中断。
--- a/docs/configuration/shared/dns01_challenge.md
+++ b/docs/configuration/shared/dns01_challenge.md
@@ -1,31 +0,0 @@
-### Structure
-
-```json
-{
-  "provider": "",
-  
-  ... // Provider Fields
-}
-```
-
-### Provider Fields
-
-#### Alibaba Cloud DNS
-
-```json
-{
-  "provider": "alidns",
-  "access_key_id": "",
-  "access_key_secret": "",
-  "region_id": ""
-}
-```
-
-#### Cloudflare
-
-```json
-{
-  "provider": "cloudflare",
-  "api_token": ""
-}
-```
--- a/docs/configuration/shared/dns01_challenge.zh.md
+++ b/docs/configuration/shared/dns01_challenge.zh.md
@@ -1,31 +0,0 @@
-### 结构
-
-```json
-{
-  "provider": "",
-  
-  ... // 提供商字段
-}
-```
-
-### 提供商字段
-
-#### Alibaba Cloud DNS
-
-```json
-{
-  "provider": "alidns",
-  "access_key_id": "",
-  "access_key_secret": "",
-  "region_id": ""
-}
-```
-
-#### Cloudflare
-
-```json
-{
-  "provider": "cloudflare",
-  "api_token": ""
-}
-```
--- a/docs/configuration/shared/tls.md
+++ b/docs/configuration/shared/tls.md
@@ -8,9 +8,9 @@
  "min_version": "",
  "max_version": "",
  "cipher_suites": [],
-  "certificate": [],
+  "certificate": "",
  "certificate_path": "",
-  "key": [],
+  "key": "",
  "key_path": "",
  "acme": {
    "domain": [],
@@ -25,15 +25,7 @@
    "external_account": {
      "key_id": "",
      "mac_key": ""
-    },
-    "dns01_challenge": {}
-  },
-  "ech": {
-    "enabled": false,
-    "pq_signature_schemes_enabled": false,
-    "dynamic_record_sizing_disabled": false,
-    "key": [],
-    "key_path": ""
+    }
  },
  "reality": {
    "enabled": false,
@@ -70,8 +62,7 @@
    "enabled": false,
    "pq_signature_schemes_enabled": false,
    "dynamic_record_sizing_disabled": false,
-    "config": [],
-    "config_path": ""
+    "config": ""
  },
  "utls": {
    "enabled": false,
@@ -171,7 +162,7 @@ This may change in the future.

 #### certificate

-The server certificate line array, in PEM format.
+The server certificate, in PEM format.

 #### certificate_path

@@ -181,7 +172,7 @@ The path to the server certificate, in PEM format.

 ==Server only==

-The server private key line array, in PEM format.
+The server private key, in PEM format.

 #### key_path

@@ -189,11 +180,18 @@ The server private key line array, in PEM format.

 The path to the server private key, in PEM format.

-## Custom TLS support
+#### ech

-!!! info "QUIC support"
+==Client only==

-    Only ECH is supported in QUIC.
+!!! warning ""
+
+    ECH is not included by default, see [Installation](/#installation).
+
+ECH (Encrypted Client Hello) is a TLS extension that allows a client to encrypt the first part of its ClientHello
+message.
+
+If you don't know how to fill in the other configuration, just set `enabled`.

 #### utls

@@ -224,58 +222,6 @@ Available fingerprint values:

 Chrome fingerprint will be used if empty.

-### ECH Fields
-
-!!! warning ""
-
-    ECH is not included by default, see [Installation](/#installation).
-
-ECH (Encrypted Client Hello) is a TLS extension that allows a client to encrypt the first part of its ClientHello
-message.
-
-The ECH key and configuration can be generated by `sing-box generate ech-keypair [--pq-signature-schemes-enabled]`.
-
-#### pq_signature_schemes_enabled
-
-Enable support for post-quantum peer certificate signature schemes.
-
-It is recommended to match the parameters of `sing-box generate ech-keypair`.
-
-#### dynamic_record_sizing_disabled
-
-Disables adaptive sizing of TLS records.
-
-When true, the largest possible TLS record size is always used.  
-When false, the size of TLS records may be adjusted in an attempt to improve latency.
-
-#### key
-
-==Server only==
-
-ECH key line array, in PEM format.
-
-#### key_path
-
-==Server only==
-
-The path to ECH key, in PEM format.
-
-#### config
-
-==Client only==
-
-ECH configuration line array, in PEM format.
-
-If empty, load from DNS will be attempted.
-
-#### config_path
-
-==Client only==
-
-The path to ECH configuration, in PEM format.
-
-If empty, load from DNS will be attempted.
-
 ### ACME Fields

 !!! warning ""
@@ -349,12 +295,6 @@ The key identifier.

 The MAC key.

-#### dns01_challenge
-
-ACME DNS01 challenge field. If configured, other challenge methods will be disabled.
-
-See [DNS01 Challenge Fields](/configuration/shared/dns01_challenge) for details.
-
 ### Reality Fields

 !!! warning ""
@@ -405,4 +345,4 @@ Check disabled if empty.

 ### Reload

-For server configuration, certificate, key and ECH key will be automatically reloaded if modified.
+For server configuration, certificate and key will be automatically reloaded if modified.
--- a/docs/configuration/shared/tls.zh.md
+++ b/docs/configuration/shared/tls.zh.md
@@ -8,9 +8,9 @@
  "min_version": "",
  "max_version": "",
  "cipher_suites": [],
-  "certificate": [],
+  "certificate": "",
  "certificate_path": "",
-  "key": [],
+  "key": "",
  "key_path": "",
  "acme": {
    "domain": [],
@@ -25,15 +25,7 @@
    "external_account": {
      "key_id": "",
      "mac_key": ""
-    },
-    "dns01_challenge": {}
-  },
-  "ech": {
-    "enabled": false,
-    "pq_signature_schemes_enabled": false,
-    "dynamic_record_sizing_disabled": false,
-    "key": [],
-    "key_path": ""
+    }
  },
  "reality": {
    "enabled": false,
@@ -64,14 +56,13 @@
  "min_version": "",
  "max_version": "",
  "cipher_suites": [],
-  "certificate": [],
+  "certificate": "",
  "certificate_path": "",
  "ech": {
    "enabled": false,
    "pq_signature_schemes_enabled": false,
    "dynamic_record_sizing_disabled": false,
-    "config": [],
-    "config_path": ""
+    "config": ""
  },
  "utls": {
    "enabled": false,
@@ -171,7 +162,7 @@ TLS 版本值：

 #### certificate

-服务器 PEM 证书行数组。
+服务器 PEM 证书。

 #### certificate_path

@@ -181,7 +172,7 @@ TLS 版本值：

 ==仅服务器==

-服务器 PEM 私钥行数组。
+服务器 PEM 私钥。

 #### key_path

@@ -189,6 +180,19 @@ TLS 版本值：

 服务器 PEM 私钥路径。

+#### ech
+
+==仅客户端==
+
+!!! warning ""
+
+    默认安装不包含 ECH, 参阅 [安装](/zh/#_2)。
+
+ECH (Encrypted Client Hello) 是一个 TLS 扩展，它允许客户端加密其 ClientHello 的第一部分
+信息。
+
+如果您不知道如何填写其他配置，只需设置 `enabled` 即可。
+
 #### utls

 ==仅客户端==
@@ -218,59 +222,6 @@ uTLS 是 "crypto/tls" 的一个分支，它提供了 ClientHello 指纹识别阻

 默认使用 chrome 指纹。

-## ECH 字段
-
-!!! warning ""
-
-    默认安装不包含 ECH, 参阅 [安装](/zh/#_2)。
-
-ECH (Encrypted Client Hello) 是一个 TLS 扩展，它允许客户端加密其 ClientHello 的第一部分
-信息。
-
-
-ECH 配置和密钥可以通过 `sing-box generate ech-keypair [--pq-signature-schemes-enabled]` 生成。
-
-#### pq_signature_schemes_enabled
-
-启用对后量子对等证书签名方案的支持。
-
-建议匹配 `sing-box generate ech-keypair` 的参数。
-
-#### dynamic_record_sizing_disabled
-
-禁用 TLS 记录的自适应大小调整。
-
-如果为 true，则始终使用最大可能的 TLS 记录大小。
-如果为 false，则可能会调整 TLS 记录的大小以尝试改善延迟。
-
-#### key
-
-==仅服务器==
-
-ECH PEM 密钥行数组
-
-#### key_path
-
-==仅服务器==
-
-ECH PEM 密钥路径
-
-#### config
-
-==仅客户端==
-
-ECH PEM 配置行数组
-
-如果为空，将尝试从 DNS 加载。
-
-#### config_path
-
-==仅客户端==
-
-ECH PEM 配置路径
-
-如果为空，将尝试从 DNS 加载。
-
 ### ACME 字段

 !!! warning ""
@@ -340,12 +291,6 @@ EAB（外部帐户绑定）包含将 ACME 帐户绑定或映射到其他已知

 MAC 密钥。

-#### dns01_challenge
-
-ACME DNS01 验证字段。如果配置，将禁用其他验证方法。
-
-参阅 [DNS01 验证字段](/configuration/shared/dns01_challenge)。
-
 ### Reality 字段

 !!! warning ""
--- a/docs/deprecated.md
+++ b/docs/deprecated.md
@@ -1,13 +0,0 @@
-# Deprecated Feature List
-
-The following features will be marked deprecated in 1.5.0 and removed entirely in 1.6.0.
-
-#### ShadowsocksR
-
-ShadowsocksR support has never been enabled by default, since the most commonly used proxy sales panel in the
-illegal industry stopped using this protocol, it does not make sense to continue to maintain it.
-
-#### Proxy Protocol
-
-Proxy Protocol is added by Pull Request, has problems, is only used by the backend of HTTP multiplexers such as nginx,
-is intrusive, and is meaningless for proxy purposes.
--- a/docs/installation/clients/sfi.zh.md
+++ b/docs/installation/clients/sfi.zh.md
@@ -15,7 +15,7 @@
 #### 注意事项

 * 远程配置文件请求中的 User Agent 为 `SFI/$version ($version_code; sing-box $sing_box_version)`
-* 崩溃日志位于 `Settings` -> `View Service Log`
+* 崩溃日志位于 `设置` -> `查看服务日志`

 #### 隐私政策

--- a/docs/installation/clients/sfm.zh.md
+++ b/docs/installation/clients/sfm.zh.md
@@ -21,7 +21,7 @@
 #### 注意事项

 * 远程配置文件请求中的 User Agent 为 `SFM/$version ($version_code; sing-box $sing_box_version)`
-* 崩溃日志位于 `Settings` -> `View Service Log`
+* 崩溃日志位于 `设置` -> `查看服务日志`

 #### 隐私政策

--- a/go.mod
+++ b/go.mod
@@ -6,36 +6,32 @@ require (
 	berty.tech/go-libtor v1.0.385
 	github.com/Dreamacro/clash v1.17.0
 	github.com/caddyserver/certmagic v0.19.2
-	github.com/cloudflare/circl v1.3.3
 	github.com/cretz/bine v0.2.0
 	github.com/fsnotify/fsnotify v1.6.0
 	github.com/go-chi/chi/v5 v5.0.10
 	github.com/go-chi/cors v1.2.1
 	github.com/go-chi/render v1.0.3
 	github.com/gofrs/uuid/v5 v5.0.0
-	github.com/insomniacslk/dhcp v0.0.0-20230908212754-65c27093e38a
-	github.com/libdns/alidns v1.0.3
-	github.com/libdns/cloudflare v0.1.0
+	github.com/insomniacslk/dhcp v0.0.0-20230816195147-b3ca2534940d
 	github.com/logrusorgru/aurora v2.0.3+incompatible
 	github.com/mholt/acmez v1.2.0
-	github.com/miekg/dns v1.1.56
+	github.com/miekg/dns v1.1.55
 	github.com/ooni/go-libtor v1.1.8
 	github.com/oschwald/maxminddb-golang v1.12.0
 	github.com/pires/go-proxyproto v0.7.0
 	github.com/sagernet/cloudflare-tls v0.0.0-20230829051644-4a68352d0c4a
 	github.com/sagernet/gomobile v0.0.0-20230915142329-c6740b6d2950
 	github.com/sagernet/gvisor v0.0.0-20230627031050-1ab0276e0dd2
-	github.com/sagernet/quic-go v0.0.0-20230919101909-0cc6c5dcecee
+	github.com/sagernet/quic-go v0.0.0-20230911082307-390b7c274032
 	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691
-	github.com/sagernet/sing v0.2.12-0.20230925124400-0531fd63eaba
-	github.com/sagernet/sing-dns v0.1.10-0.20230921024525-fc3e4c051ccd
-	github.com/sagernet/sing-mux v0.1.3
-	github.com/sagernet/sing-quic v0.1.1-0.20230922040527-541e66a4a16d
-	github.com/sagernet/sing-shadowsocks v0.2.5
-	github.com/sagernet/sing-shadowsocks2 v0.1.4
+	github.com/sagernet/sing v0.2.10-0.20230925134514-7ce1ab786c10
+	github.com/sagernet/sing-dns v0.1.9-0.20230925101650-9cc09becd01e
+	github.com/sagernet/sing-mux v0.1.3-0.20230907005326-7befbadbf314
+	github.com/sagernet/sing-shadowsocks v0.2.5-0.20230907005610-126234728ca0
+	github.com/sagernet/sing-shadowsocks2 v0.1.4-0.20230907005906-5d2917b29248
 	github.com/sagernet/sing-shadowtls v0.1.4
-	github.com/sagernet/sing-tun v0.1.13-0.20230926093931-2a0a0ab228fc
-	github.com/sagernet/sing-vmess v0.1.8
+	github.com/sagernet/sing-tun v0.1.12-0.20230926093914-0d0ebad6cfa5
+	github.com/sagernet/sing-vmess v0.1.8-0.20230907010359-161fb0ac716b
 	github.com/sagernet/smux v0.0.0-20230312102458-337ec2a5af37
 	github.com/sagernet/tfo-go v0.0.0-20230816093905-5a5c285d44a6
 	github.com/sagernet/utls v0.0.0-20230309024959-6732c2ab36f2
@@ -44,14 +40,14 @@ require (
 	github.com/spf13/cobra v1.7.0
 	github.com/stretchr/testify v1.8.4
 	go.etcd.io/bbolt v1.3.7
-	go.uber.org/zap v1.26.0
+	go.uber.org/zap v1.25.0
 	go4.org/netipx v0.0.0-20230824141953-6213f710f925
-	golang.org/x/crypto v0.13.0
-	golang.org/x/exp v0.0.0-20230905200255-921286631fa9
-	golang.org/x/net v0.15.0
+	golang.org/x/crypto v0.12.0
+	golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63
+	golang.org/x/net v0.14.0
 	golang.org/x/sys v0.12.0
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
-	google.golang.org/grpc v1.58.2
+	google.golang.org/grpc v1.57.0
 	google.golang.org/protobuf v1.31.0
 	howett.net/plist v1.0.0
 )
@@ -62,6 +58,7 @@ require (
 	github.com/Dreamacro/protobytes v0.0.0-20230617041236-6500a9f4f158 // indirect
 	github.com/ajg/form v1.5.1 // indirect
 	github.com/andybalholm/brotli v1.0.5 // indirect
+	github.com/cloudflare/circl v1.3.3 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
@@ -79,7 +76,7 @@ require (
 	github.com/pierrec/lz4/v4 v4.1.14 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/quic-go/qpack v0.4.0 // indirect
-	github.com/quic-go/qtls-go1-20 v0.3.4 // indirect
+	github.com/quic-go/qtls-go1-20 v0.3.3 // indirect
 	github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61 // indirect
 	github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 // indirect
 	github.com/scjalliance/comshim v0.0.0-20230315213746-5e51f40bd3b9 // indirect
@@ -89,10 +86,10 @@ require (
 	github.com/zeebo/blake3 v0.2.3 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/mod v0.12.0 // indirect
-	golang.org/x/text v0.13.0 // indirect
+	golang.org/x/text v0.12.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.13.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98 // indirect
+	golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19 // indirect
 	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	lukechampine.com/blake3 v1.2.1 // indirect
--- a/go.sum
+++ b/go.sum
@@ -8,6 +8,7 @@ github.com/ajg/form v1.5.1 h1:t9c7v8JUKu/XxOGBU0yjNpaMloxGEJhUkqFRq0ibGeU=
 github.com/ajg/form v1.5.1/go.mod h1:uL1WgH+h2mgNtvBq0339dVnzXdBETtL2LeUXaIv25UY=
 github.com/andybalholm/brotli v1.0.5 h1:8uQZIdzKmjc/iuPu7O2ioW48L81FgatrcpfFmiq/cCs=
 github.com/andybalholm/brotli v1.0.5/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
+github.com/benbjohnson/clock v1.3.0 h1:ip6w0uFQkncKQ979AypyG0ER7mqUSBdKLOgAle/AT8A=
 github.com/caddyserver/certmagic v0.19.2 h1:HZd1AKLx4592MalEGQS39DKs2ZOAJCEM/xYPMQ2/ui0=
 github.com/caddyserver/certmagic v0.19.2/go.mod h1:fsL01NomQ6N+kE2j37ZCnig2MFosG+MIO4ztnmG/zz8=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
@@ -51,8 +52,8 @@ github.com/hashicorp/yamux v0.1.1/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbg
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/insomniacslk/dhcp v0.0.0-20230908212754-65c27093e38a h1:S33o3djA1nPRd+d/bf7jbbXytXuK/EoXow7+aa76grQ=
-github.com/insomniacslk/dhcp v0.0.0-20230908212754-65c27093e38a/go.mod h1:zmdm3sTSDP3vOOX3CEWRkkRHtKr1DxBx+J1OQFoDQQs=
+github.com/insomniacslk/dhcp v0.0.0-20230816195147-b3ca2534940d h1:Ka64cclWedOkGzm9M2/XYuwJUdmWRUozmsxW0PyKA3A=
+github.com/insomniacslk/dhcp v0.0.0-20230816195147-b3ca2534940d/go.mod h1:7474bZ1YNCvarT6WFKie4kEET6J0KYRDC4XJqqXzQW4=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/josharian/native v1.0.1-0.20221213033349-c1e37c09b531/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA=
@@ -65,19 +66,14 @@ github.com/klauspost/cpuid/v2 v2.2.5/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZY
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
-github.com/libdns/alidns v1.0.3 h1:LFHuGnbseq5+HCeGa1aW8awyX/4M2psB9962fdD2+yQ=
-github.com/libdns/alidns v1.0.3/go.mod h1:e18uAG6GanfRhcJj6/tps2rCMzQJaYVcGKT+ELjdjGE=
-github.com/libdns/cloudflare v0.1.0 h1:93WkJaGaiXCe353LHEP36kAWCUw0YjFqwhkBkU2/iic=
-github.com/libdns/cloudflare v0.1.0/go.mod h1:a44IP6J1YH6nvcNl1PverfJviADgXUnsozR3a7vBKN8=
-github.com/libdns/libdns v0.2.0/go.mod h1:yQCXzk1lEZmmCPa857bnk4TsOiqYasqpyOEeSObbb40=
 github.com/libdns/libdns v0.2.1 h1:Wu59T7wSHRgtA0cfxC+n1c/e+O3upJGWytknkmFEDis=
 github.com/libdns/libdns v0.2.1/go.mod h1:yQCXzk1lEZmmCPa857bnk4TsOiqYasqpyOEeSObbb40=
 github.com/logrusorgru/aurora v2.0.3+incompatible h1:tOpm7WcpBTn4fjmVfgpQq0EfczGlG91VSDkswnjF5A8=
 github.com/logrusorgru/aurora v2.0.3+incompatible/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4=
 github.com/mholt/acmez v1.2.0 h1:1hhLxSgY5FvH5HCnGUuwbKY2VQVo8IU7rxXKSnZ7F30=
 github.com/mholt/acmez v1.2.0/go.mod h1:VT9YwH1xgNX1kmYY89gY8xPJC84BFAisjo8Egigt4kE=
-github.com/miekg/dns v1.1.56 h1:5imZaSeoRNvpM9SzWNhEcP9QliKiz20/dA2QabIGVnE=
-github.com/miekg/dns v1.1.56/go.mod h1:cRm6Oo2C8TY9ZS/TqsSrseAcncm74lfK5G+ikN2SWWY=
+github.com/miekg/dns v1.1.55 h1:GoQ4hpsj0nFLYe+bWiCToyrBEJXkQfOOIvFGFy0lEgo=
+github.com/miekg/dns v1.1.55/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/onsi/ginkgo/v2 v2.9.5 h1:+6Hr4uxzP4XIUyAkg61dWBw8lb/gc4/X5luuxN/EC+Q=
@@ -95,8 +91,8 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/quic-go/qpack v0.4.0 h1:Cr9BXA1sQS2SmDUWjSofMPNKmvF6IiIfDRmgU0w1ZCo=
 github.com/quic-go/qpack v0.4.0/go.mod h1:UZVnYIfi5GRk+zI9UMaCPsmZ2xKJP7XBUvVyT1Knj9A=
-github.com/quic-go/qtls-go1-20 v0.3.4 h1:MfFAPULvst4yoMgY9QmtpYmfij/em7O8UUi+bNVm7Cg=
-github.com/quic-go/qtls-go1-20 v0.3.4/go.mod h1:X9Nh97ZL80Z+bX/gUXMbipO6OxdiDi58b/fMC9mAL+k=
+github.com/quic-go/qtls-go1-20 v0.3.3 h1:17/glZSLI9P9fDAeyCHBFSWSqJcwx1byhLwP5eUIDCM=
+github.com/quic-go/qtls-go1-20 v0.3.3/go.mod h1:X9Nh97ZL80Z+bX/gUXMbipO6OxdiDi58b/fMC9mAL+k=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sagernet/cloudflare-tls v0.0.0-20230829051644-4a68352d0c4a h1:wZHruBxZCsQLXHAozWpnJBL3wJ/XufDpz0qKtgpSnA4=
 github.com/sagernet/cloudflare-tls v0.0.0-20230829051644-4a68352d0c4a/go.mod h1:dNV1ZP9y3qx5ltULeKaQZTZWTLHflgW5DES+Ses7cMI=
@@ -108,30 +104,28 @@ github.com/sagernet/gvisor v0.0.0-20230627031050-1ab0276e0dd2 h1:dnkKrzapqtAwjTS
 github.com/sagernet/gvisor v0.0.0-20230627031050-1ab0276e0dd2/go.mod h1:1JUiV7nGuf++YFm9eWZ8q2lrwHmhcUGzptMl/vL1+LA=
 github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 h1:iL5gZI3uFp0X6EslacyapiRz7LLSJyr4RajF/BhMVyE=
 github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
-github.com/sagernet/quic-go v0.0.0-20230919101909-0cc6c5dcecee h1:ykuhl9jCS638N+jw1vC9AvT9bbQn6xRNScP2FWPV9dM=
-github.com/sagernet/quic-go v0.0.0-20230919101909-0cc6c5dcecee/go.mod h1:0CfhWwZAeXGYM9+Nkkw1zcQtFHQC8KWjbpeDv7pu8iw=
+github.com/sagernet/quic-go v0.0.0-20230911082307-390b7c274032 h1:J900zKCRGU+0gnPLIj+qXdmun4/AQ3iUmNREJ9fNdHQ=
+github.com/sagernet/quic-go v0.0.0-20230911082307-390b7c274032/go.mod h1:O4Cj7TmMOvqD6S0XMqJRZfcYzA3m0H0ARbbaJFB0p7A=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 h1:5Th31OC6yj8byLGkEnIYp6grlXfo1QYUfiYFGjewIdc=
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
 github.com/sagernet/sing v0.0.0-20220817130738-ce854cda8522/go.mod h1:QVsS5L/ZA2Q5UhQwLrn0Trw+msNd/NPGEhBKR/ioWiY=
 github.com/sagernet/sing v0.1.8/go.mod h1:jt1w2u7lJQFFSGLiRrRIs5YWmx4kAPfWuOejuDW9qMk=
-github.com/sagernet/sing v0.2.12-0.20230925124400-0531fd63eaba h1:RTf3zQGQdlmCNNR92cJDJAnLgbPhsM2sLAQ+aMIuVTQ=
-github.com/sagernet/sing v0.2.12-0.20230925124400-0531fd63eaba/go.mod h1:GQ673iPfUnkbK/dIPkfd1Xh1MjOGo36gkl/mkiHY7Jg=
-github.com/sagernet/sing-dns v0.1.10-0.20230921024525-fc3e4c051ccd h1:czixTtZijtdR4bMQYT/0LZy1x5ouiaDBi742YE0zudU=
-github.com/sagernet/sing-dns v0.1.10-0.20230921024525-fc3e4c051ccd/go.mod h1:y76ieq1uilVg6fe5wJWqM2oKjdrn4q0lY1nwAZ86ok0=
-github.com/sagernet/sing-mux v0.1.3 h1:fAf7PZa2A55mCeh0KKM02f1k2Y4vEmxuZZ/51ahkkLA=
-github.com/sagernet/sing-mux v0.1.3/go.mod h1:wGeIeiiFLx4HUM5LAg65wrNZ/X1muOimqK0PEhNbPi0=
-github.com/sagernet/sing-quic v0.1.1-0.20230922040527-541e66a4a16d h1:CzdkTdId4Pa0oY7UrhMIiMh+cY01Rh+B3BXMXLt7REY=
-github.com/sagernet/sing-quic v0.1.1-0.20230922040527-541e66a4a16d/go.mod h1:Inf4N8ihB4+lB5ZDo++GXbq4rKusL7f1s67v7IVeL2I=
-github.com/sagernet/sing-shadowsocks v0.2.5 h1:qxIttos4xu6ii7MTVJYA8EFQR7Q3KG6xMqmLJIFtBaY=
-github.com/sagernet/sing-shadowsocks v0.2.5/go.mod h1:MGWGkcU2xW2G2mfArT9/QqpVLOGU+dBaahZCtPHdt7A=
-github.com/sagernet/sing-shadowsocks2 v0.1.4 h1:vht2M8t3m5DTgXR2j24KbYOygG5aOp+MUhpQnAux728=
-github.com/sagernet/sing-shadowsocks2 v0.1.4/go.mod h1:Mgdee99NxxNd5Zld3ixIs18yVs4x2dI2VTDDE1N14Wc=
+github.com/sagernet/sing v0.2.10-0.20230925134514-7ce1ab786c10 h1:kYu1ScB1dtdGTzSNkC5eMxtK05Q8kYHExq2SlRa5M/s=
+github.com/sagernet/sing v0.2.10-0.20230925134514-7ce1ab786c10/go.mod h1:9uOZwWkhT2Z2WldolLxX34s+1svAX4i4vvz5hy8u1MA=
+github.com/sagernet/sing-dns v0.1.9-0.20230925101650-9cc09becd01e h1:h903oI5Z2dIZv/lGLvQ67cC8O79uaeGrFhdxVssvh5c=
+github.com/sagernet/sing-dns v0.1.9-0.20230925101650-9cc09becd01e/go.mod h1:Kg98PBJEg/08jsNFtmZWmPomhskn9Ausn50ecNm4M+8=
+github.com/sagernet/sing-mux v0.1.3-0.20230907005326-7befbadbf314 h1:P5+NZGMH8KSI3L8lKw1znxdRi0tIpWbGYjmv8GrFHrQ=
+github.com/sagernet/sing-mux v0.1.3-0.20230907005326-7befbadbf314/go.mod h1:TKxqIvfQQgd36jp2tzsPavGjYTVZilV+atip1cssjIY=
+github.com/sagernet/sing-shadowsocks v0.2.5-0.20230907005610-126234728ca0 h1:9wHYWxH+fcs01PM2+DylA8LNNY3ElnZykQo9rysng8U=
+github.com/sagernet/sing-shadowsocks v0.2.5-0.20230907005610-126234728ca0/go.mod h1:80fNKP0wnqlu85GZXV1H1vDPC/2t+dQbFggOw4XuFUM=
+github.com/sagernet/sing-shadowsocks2 v0.1.4-0.20230907005906-5d2917b29248 h1:JTFfy/LDmVFEK4KZJEujmC1iO8+aoF4unYhhZZRzRq4=
+github.com/sagernet/sing-shadowsocks2 v0.1.4-0.20230907005906-5d2917b29248/go.mod h1:DOhJc/cLeqRv0wuePrQso+iUmDxOnWF4eT/oMcRzYFw=
 github.com/sagernet/sing-shadowtls v0.1.4 h1:aTgBSJEgnumzFenPvc+kbD9/W0PywzWevnVpEx6Tw3k=
 github.com/sagernet/sing-shadowtls v0.1.4/go.mod h1:F8NBgsY5YN2beQavdgdm1DPlhaKQlaL6lpDdcBglGK4=
-github.com/sagernet/sing-tun v0.1.13-0.20230926093931-2a0a0ab228fc h1:LyN1pNYqU1+f4Ql0xM8oyYCVoSpGZlyyhpS8cr0/7/w=
-github.com/sagernet/sing-tun v0.1.13-0.20230926093931-2a0a0ab228fc/go.mod h1:7IGpNWXuP0TnxkUiGJRJjewFLquTOhLw1RtfNgxzjJI=
-github.com/sagernet/sing-vmess v0.1.8 h1:XVWad1RpTy9b5tPxdm5MCU8cGfrTGdR8qCq6HV2aCNc=
-github.com/sagernet/sing-vmess v0.1.8/go.mod h1:vhx32UNzTDUkNwOyIjcZQohre1CaytquC5mPplId8uA=
+github.com/sagernet/sing-tun v0.1.12-0.20230926093914-0d0ebad6cfa5 h1:2KpqI83FequwVysUX6SkUCFvR7pmoGzxei/QD0p682M=
+github.com/sagernet/sing-tun v0.1.12-0.20230926093914-0d0ebad6cfa5/go.mod h1:+YImslQMLgMQcVgZZ9IK4ue1o/605VSU90amHUcp4hA=
+github.com/sagernet/sing-vmess v0.1.8-0.20230907010359-161fb0ac716b h1:2ezfJtH5JosiEwJhVa+rimQ6ps/t2+7h+mOzMoiaZnA=
+github.com/sagernet/sing-vmess v0.1.8-0.20230907010359-161fb0ac716b/go.mod h1:1qkC1L1T2sxnS/NuO6HU72S8TkltV+EXoKGR29m/Yss=
 github.com/sagernet/smux v0.0.0-20230312102458-337ec2a5af37 h1:HuE6xSwco/Xed8ajZ+coeYLmioq0Qp1/Z2zczFaV8as=
 github.com/sagernet/smux v0.0.0-20230312102458-337ec2a5af37/go.mod h1:3skNSftZDJWTGVtVaM2jfbce8qHnmH/AGDRe62iNOg0=
 github.com/sagernet/tfo-go v0.0.0-20230816093905-5a5c285d44a6 h1:Px+hN4Vzgx+iCGVnWH5A8eR7JhNnIV3rGQmBxA7cw6Q=
@@ -169,22 +163,22 @@ go.etcd.io/bbolt v1.3.7/go.mod h1:N9Mkw9X8x5fupy0IKsmuqVtoGDyxsaDlbk4Rd05IAQw=
 go.uber.org/goleak v1.2.0 h1:xqgm/S+aQvhWFTtR0XK3Jvg7z8kGV8P4X14IzwN3Eqk=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
-go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo=
-go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so=
+go.uber.org/zap v1.25.0 h1:4Hvk6GtkucQ790dqmj7l1eEnRdKm3k3ZUrUMS2d5+5c=
+go.uber.org/zap v1.25.0/go.mod h1:JIAUzQIH94IC4fOJQm7gMmBJP5k7wQfdcnYdPoEXJYk=
 go4.org/netipx v0.0.0-20230824141953-6213f710f925 h1:eeQDDVKFkx0g4Hyy8pHgmZaK0EqB4SD6rvKbUdN3ziQ=
 go4.org/netipx v0.0.0-20230824141953-6213f710f925/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
-golang.org/x/crypto v0.13.0 h1:mvySKfSWJ+UKUii46M40LOvyWfN0s2U+46/jDd0e6Ck=
-golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
-golang.org/x/exp v0.0.0-20230905200255-921286631fa9 h1:GoHiUyI/Tp2nVkLI2mCxVkOjsbSXD66ic0XW0js0R9g=
-golang.org/x/exp v0.0.0-20230905200255-921286631fa9/go.mod h1:S2oDrQGGwySpoQPVqRShND87VCbxmc6bL1Yd2oYrm6k=
+golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk=
+golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
+golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63 h1:m64FZMko/V45gv0bNmrNYoDEq8U5YUhetc9cBWKS1TQ=
+golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63/go.mod h1:0v4NqG35kSWCMzLaMeX+IQrlSnVE/bqGSyC2cz/9Le8=
 golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.15.0 h1:ugBLEUaxABaB5AJqW9enI0ACdci2RUd4eP51NTBvuJ8=
-golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
+golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14=
+golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI=
 golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
 golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -199,23 +193,23 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0 h1:CM0HF96J0hcLAwsHPJZjfdNzs0gftsLfgKt57wWHJ0o=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.12.0 h1:/ZfYdc3zq+q02Rv9vGqTeSItdzZTSNDmfTi0mBAuidU=
+golang.org/x/term v0.11.0 h1:F9tnn/DA/Im8nCwm+fX+1/eBwi4qFjRT++MhtVC4ZX0=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
-golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc=
+golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
 golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ=
-golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
+golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846 h1:Vve/L0v7CXXuxUmaMGIEK/dEeq7uiqb5qBgQrZzIE7E=
+golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846/go.mod h1:Sc0INKfu04TlqNoRA1hgpFZbhYXHPr4V5DzpSBTPqQM=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6 h1:CawjfCvYQH2OU3/TnxLx97WDSUDRABfT18pCOYwc2GE=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6/go.mod h1:3rxYc4HtVcSG9gVaTs2GEBdehh+sYPOwKtyUWEOTb80=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98 h1:bVf09lpb+OJbByTj913DRJioFFAjf/ZGxEz7MajTp2U=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98/go.mod h1:TUfxEVdsvPg18p6AslUXFoLdpED4oBnGwyqk3dV1XzM=
-google.golang.org/grpc v1.58.2 h1:SXUpjxeVF3FKrTYQI4f4KvbGD5u2xccdYdurwowix5I=
-google.golang.org/grpc v1.58.2/go.mod h1:tgX3ZQDlNJGU96V6yHh1T/JeoBQ2TXdr43YbYSsCJk0=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19 h1:0nDDozoAU19Qb2HwhXadU8OcsiO/09cnTqhUtq2MEOM=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA=
+google.golang.org/grpc v1.57.0 h1:kfzNeI/klCGD2YPMUlaGNT3pxvYfga7smW3Vth8Zsiw=
+google.golang.org/grpc v1.57.0/go.mod h1:Sd+9RMTACXwmub0zcNY2c4arhtrbBYD1AUHI/dt16Mo=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
--- a/inbound/builder.go
+++ b/inbound/builder.go
@@ -46,8 +46,6 @@ func New(ctx context.Context, router adapter.Router, logger log.ContextLogger, o
 		return NewVLESS(ctx, router, logger, options.Tag, options.VLESSOptions)
 	case C.TypeTUIC:
 		return NewTUIC(ctx, router, logger, options.Tag, options.TUICOptions)
-	case C.TypeHysteria2:
-		return NewHysteria2(ctx, router, logger, options.Tag, options.Hysteria2Options)
 	default:
 		return nil, E.New("unknown inbound type: ", options.Type)
 	}
--- a/inbound/default.go
+++ b/inbound/default.go
@@ -33,8 +33,8 @@ type myInboundAdapter struct {

 	// http mixed

-	setSystemProxy bool
-	systemProxy    settings.SystemProxy
+	setSystemProxy   bool
+	clearSystemProxy func() error

 	// internal

@@ -91,24 +91,10 @@ func (a *myInboundAdapter) Start() error {
 		}
 	}
 	if a.setSystemProxy {
-		listenPort := M.SocksaddrFromNet(a.tcpListener.Addr()).Port
-		var listenAddrString string
-		listenAddr := a.listenOptions.Listen.Build()
-		if listenAddr.IsUnspecified() {
-			listenAddrString = "127.0.0.1"
-		} else {
-			listenAddrString = listenAddr.String()
-		}
-		var systemProxy settings.SystemProxy
-		systemProxy, err = settings.NewSystemProxy(a.ctx, M.ParseSocksaddrHostPort(listenAddrString, listenPort), a.protocol == C.TypeMixed)
-		if err != nil {
-			return E.Cause(err, "initialize system proxy")
-		}
-		err = systemProxy.Enable()
+		a.clearSystemProxy, err = settings.SetSystemProxy(a.router, M.SocksaddrFromNet(a.tcpListener.Addr()).Port, a.protocol == C.TypeMixed)
 		if err != nil {
 			return E.Cause(err, "set system proxy")
 		}
-		a.systemProxy = systemProxy
 	}
 	return nil
 }
@@ -116,8 +102,8 @@ func (a *myInboundAdapter) Start() error {
 func (a *myInboundAdapter) Close() error {
 	a.inShutdown.Store(true)
 	var err error
-	if a.systemProxy != nil && a.systemProxy.IsEnabled() {
-		err = a.systemProxy.Disable()
+	if a.clearSystemProxy != nil {
+		err = a.clearSystemProxy()
 	}
 	return E.Errors(err, common.Close(
 		a.tcpListener,
--- a/inbound/default_tcp.go
+++ b/inbound/default_tcp.go
@@ -35,7 +35,7 @@ func (a *myInboundAdapter) ListenTCP() (net.Listener, error) {
 		a.logger.Info("tcp server started at ", tcpListener.Addr())
 	}
 	if a.listenOptions.ProxyProtocol {
-		a.logger.Warn("Proxy Protocol is deprecated, see https://sing-box.sagernet.org/deprecated")
+		a.logger.Debug("proxy protocol enabled")
 		tcpListener = &proxyproto.Listener{Listener: tcpListener, AcceptNoHeader: a.listenOptions.ProxyProtocolAcceptNoHeader}
 	}
 	a.tcpListener = tcpListener
--- a/inbound/http.go
+++ b/inbound/http.go
@@ -44,7 +44,7 @@ func NewHTTP(ctx context.Context, router adapter.Router, logger log.ContextLogge
 		authenticator: auth.NewAuthenticator(options.Users),
 	}
 	if options.TLS != nil {
-		tlsConfig, err := tls.NewServer(ctx, logger, common.PtrValueOrDefault(options.TLS))
+		tlsConfig, err := tls.NewServer(ctx, router, logger, common.PtrValueOrDefault(options.TLS))
 		if err != nil {
 			return nil, err
 		}
--- a/inbound/hysteria.go
+++ b/inbound/hysteria.go
@@ -7,14 +7,13 @@ import (
 	"sync"

 	"github.com/sagernet/quic-go"
+	"github.com/sagernet/quic-go/congestion"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/tls"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-box/transport/hysteria"
-	"github.com/sagernet/sing-quic"
-	hyCC "github.com/sagernet/sing-quic/hysteria2/congestion"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/auth"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -36,7 +35,7 @@ type Hysteria struct {
 	xplusKey     []byte
 	sendBPS      uint64
 	recvBPS      uint64
-	listener     qtls.Listener
+	listener     *quic.Listener
 	udpAccess    sync.RWMutex
 	udpSessionId uint32
 	udpSessions  map[uint32]chan *hysteria.UDPMessage
@@ -127,7 +126,7 @@ func NewHysteria(ctx context.Context, router adapter.Router, logger log.ContextL
 	if len(options.TLS.ALPN) == 0 {
 		options.TLS.ALPN = []string{hysteria.DefaultALPN}
 	}
-	tlsConfig, err := tls.NewServer(ctx, logger, common.PtrValueOrDefault(options.TLS))
+	tlsConfig, err := tls.NewServer(ctx, router, logger, common.PtrValueOrDefault(options.TLS))
 	if err != nil {
 		return nil, err
 	}
@@ -148,7 +147,11 @@ func (h *Hysteria) Start() error {
 	if err != nil {
 		return err
 	}
-	listener, err := qtls.Listen(packetConn, h.tlsConfig, h.quicConfig)
+	rawConfig, err := h.tlsConfig.Config()
+	if err != nil {
+		return err
+	}
+	listener, err := quic.Listen(packetConn, rawConfig, h.quicConfig)
 	if err != nil {
 		return err
 	}
@@ -221,7 +224,7 @@ func (h *Hysteria) accept(ctx context.Context, conn quic.Connection) error {
 	if err != nil {
 		return err
 	}
-	conn.SetCongestionControl(hyCC.NewBrutalSender(serverSendBPS))
+	conn.SetCongestionControl(hysteria.NewBrutalSender(congestion.ByteCount(serverSendBPS)))
 	go h.udpRecvLoop(conn)
 	for {
 		var stream quic.Stream
@@ -330,7 +333,7 @@ func (h *Hysteria) Close() error {
 	h.udpAccess.Unlock()
 	return common.Close(
 		&h.myInboundAdapter,
-		h.listener,
+		common.PtrOrNil(h.listener),
 		h.tlsConfig,
 	)
 }
--- a/inbound/hysteria2.go
+++ b/inbound/hysteria2.go
@@ -1,163 +0,0 @@
-//go:build with_quic
-
-package inbound
-
-import (
-	"context"
-	"net"
-	"net/http"
-	"net/http/httputil"
-	"net/url"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/tls"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing-box/transport/hysteria"
-	"github.com/sagernet/sing-quic/hysteria2"
-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/auth"
-	E "github.com/sagernet/sing/common/exceptions"
-	N "github.com/sagernet/sing/common/network"
-)
-
-var _ adapter.Inbound = (*Hysteria2)(nil)
-
-type Hysteria2 struct {
-	myInboundAdapter
-	tlsConfig    tls.ServerConfig
-	service      *hysteria2.Service[int]
-	userNameList []string
-}
-
-func NewHysteria2(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.Hysteria2InboundOptions) (*Hysteria2, error) {
-	if options.TLS == nil || !options.TLS.Enabled {
-		return nil, C.ErrTLSRequired
-	}
-	tlsConfig, err := tls.NewServer(ctx, logger, common.PtrValueOrDefault(options.TLS))
-	if err != nil {
-		return nil, err
-	}
-	var salamanderPassword string
-	if options.Obfs != nil {
-		if options.Obfs.Password == "" {
-			return nil, E.New("missing obfs password")
-		}
-		switch options.Obfs.Type {
-		case hysteria2.ObfsTypeSalamander:
-			salamanderPassword = options.Obfs.Password
-		default:
-			return nil, E.New("unknown obfs type: ", options.Obfs.Type)
-		}
-	}
-	var masqueradeHandler http.Handler
-	if options.Masquerade != "" {
-		masqueradeURL, err := url.Parse(options.Masquerade)
-		if err != nil {
-			return nil, E.Cause(err, "parse masquerade URL")
-		}
-		switch masqueradeURL.Scheme {
-		case "file":
-			masqueradeHandler = http.FileServer(http.Dir(masqueradeURL.Path))
-		case "http", "https":
-			masqueradeHandler = &httputil.ReverseProxy{
-				Rewrite: func(r *httputil.ProxyRequest) {
-					r.SetURL(masqueradeURL)
-					r.Out.Host = r.In.Host
-				},
-				ErrorHandler: func(w http.ResponseWriter, r *http.Request, err error) {
-					w.WriteHeader(http.StatusBadGateway)
-				},
-			}
-		default:
-			return nil, E.New("unknown masquerade URL scheme: ", masqueradeURL.Scheme)
-		}
-	}
-	inbound := &Hysteria2{
-		myInboundAdapter: myInboundAdapter{
-			protocol:      C.TypeHysteria2,
-			network:       []string{N.NetworkUDP},
-			ctx:           ctx,
-			router:        router,
-			logger:        logger,
-			tag:           tag,
-			listenOptions: options.ListenOptions,
-		},
-		tlsConfig: tlsConfig,
-	}
-	service, err := hysteria2.NewService[int](hysteria2.ServiceOptions{
-		Context:               ctx,
-		Logger:                logger,
-		SendBPS:               uint64(options.UpMbps * hysteria.MbpsToBps),
-		ReceiveBPS:            uint64(options.DownMbps * hysteria.MbpsToBps),
-		SalamanderPassword:    salamanderPassword,
-		TLSConfig:             tlsConfig,
-		IgnoreClientBandwidth: options.IgnoreClientBandwidth,
-		Handler:               adapter.NewUpstreamHandler(adapter.InboundContext{}, inbound.newConnection, inbound.newPacketConnection, nil),
-		MasqueradeHandler:     masqueradeHandler,
-	})
-	if err != nil {
-		return nil, err
-	}
-	userList := make([]int, 0, len(options.Users))
-	userNameList := make([]string, 0, len(options.Users))
-	userPasswordList := make([]string, 0, len(options.Users))
-	for index, user := range options.Users {
-		userList = append(userList, index)
-		userNameList = append(userNameList, user.Name)
-		userPasswordList = append(userPasswordList, user.Password)
-	}
-	service.UpdateUsers(userList, userPasswordList)
-	inbound.service = service
-	inbound.userNameList = userNameList
-	return inbound, nil
-}
-
-func (h *Hysteria2) newConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
-	ctx = log.ContextWithNewID(ctx)
-	metadata = h.createMetadata(conn, metadata)
-	userID, _ := auth.UserFromContext[int](ctx)
-	if userName := h.userNameList[userID]; userName != "" {
-		metadata.User = userName
-		h.logger.InfoContext(ctx, "[", userName, "] inbound connection to ", metadata.Destination)
-	} else {
-		h.logger.InfoContext(ctx, "inbound connection to ", metadata.Destination)
-	}
-	return h.router.RouteConnection(ctx, conn, metadata)
-}
-
-func (h *Hysteria2) newPacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
-	ctx = log.ContextWithNewID(ctx)
-	metadata = h.createPacketMetadata(conn, metadata)
-	userID, _ := auth.UserFromContext[int](ctx)
-	if userName := h.userNameList[userID]; userName != "" {
-		metadata.User = userName
-		h.logger.InfoContext(ctx, "[", userName, "] inbound packet connection to ", metadata.Destination)
-	} else {
-		h.logger.InfoContext(ctx, "inbound packet connection to ", metadata.Destination)
-	}
-	return h.router.RoutePacketConnection(ctx, conn, metadata)
-}
-
-func (h *Hysteria2) Start() error {
-	if h.tlsConfig != nil {
-		err := h.tlsConfig.Start()
-		if err != nil {
-			return err
-		}
-	}
-	packetConn, err := h.myInboundAdapter.ListenUDP()
-	if err != nil {
-		return err
-	}
-	return h.service.Start(packetConn)
-}
-
-func (h *Hysteria2) Close() error {
-	return common.Close(
-		&h.myInboundAdapter,
-		h.tlsConfig,
-		common.PtrOrNil(h.service),
-	)
-}
--- a/inbound/hysteria_stub.go
+++ b/inbound/hysteria_stub.go
@@ -14,7 +14,3 @@ import (
 func NewHysteria(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.HysteriaInboundOptions) (adapter.Inbound, error) {
 	return nil, C.ErrQUICNotIncluded
 }
-
-func NewHysteria2(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.Hysteria2InboundOptions) (adapter.Inbound, error) {
-	return nil, C.ErrQUICNotIncluded
-}
--- a/inbound/naive.go
+++ b/inbound/naive.go
@@ -60,7 +60,7 @@ func NewNaive(ctx context.Context, router adapter.Router, logger log.ContextLogg
 		return nil, E.New("missing users")
 	}
 	if options.TLS != nil {
-		tlsConfig, err := tls.NewServer(ctx, logger, common.PtrValueOrDefault(options.TLS))
+		tlsConfig, err := tls.NewServer(ctx, router, logger, common.PtrValueOrDefault(options.TLS))
 		if err != nil {
 			return nil, err
 		}
--- a/inbound/naive_quic.go
+++ b/inbound/naive_quic.go
@@ -3,39 +3,28 @@
 package inbound

 import (
-	"github.com/sagernet/quic-go"
 	"github.com/sagernet/quic-go/http3"
-	"github.com/sagernet/sing-quic"
 	E "github.com/sagernet/sing/common/exceptions"
 )

 func (n *Naive) configureHTTP3Listener() error {
-	err := qtls.ConfigureHTTP3(n.tlsConfig)
+	tlsConfig, err := n.tlsConfig.Config()
 	if err != nil {
 		return err
 	}
+	h3Server := &http3.Server{
+		Port:      int(n.listenOptions.ListenPort),
+		TLSConfig: tlsConfig,
+		Handler:   n,
+	}

 	udpConn, err := n.ListenUDP()
 	if err != nil {
 		return err
 	}

-	quicListener, err := qtls.ListenEarly(udpConn, n.tlsConfig, &quic.Config{
-		MaxIncomingStreams: 1 << 60,
-		Allow0RTT:          true,
-	})
-	if err != nil {
-		udpConn.Close()
-		return err
-	}
-
-	h3Server := &http3.Server{
-		Port:    int(n.listenOptions.ListenPort),
-		Handler: n,
-	}
-
 	go func() {
-		sErr := h3Server.ServeListener(quicListener)
+		sErr := h3Server.Serve(udpConn)
 		udpConn.Close()
 		if sErr != nil && !E.IsClosedOrCanceled(sErr) {
 			n.logger.Error("http3 server serve error: ", sErr)
--- a/inbound/shadowsocks.go
+++ b/inbound/shadowsocks.go
@@ -16,7 +16,6 @@ import (
 	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/common/ntp"
 )

 func NewShadowsocks(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.ShadowsocksInboundOptions) (adapter.Inbound, error) {
@@ -69,7 +68,7 @@ func newShadowsocks(ctx context.Context, router adapter.Router, logger log.Conte
 	case common.Contains(shadowaead.List, options.Method):
 		inbound.service, err = shadowaead.NewService(options.Method, nil, options.Password, udpTimeout, inbound.upstreamContextHandler())
 	case common.Contains(shadowaead_2022.List, options.Method):
-		inbound.service, err = shadowaead_2022.NewServiceWithPassword(options.Method, options.Password, udpTimeout, inbound.upstreamContextHandler(), ntp.TimeFuncFromContext(ctx))
+		inbound.service, err = shadowaead_2022.NewServiceWithPassword(options.Method, options.Password, udpTimeout, inbound.upstreamContextHandler(), router.TimeFunc())
 	default:
 		err = E.New("unsupported method: ", options.Method)
 	}
--- a/inbound/shadowsocks_multi.go
+++ b/inbound/shadowsocks_multi.go
@@ -18,7 +18,6 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/common/ntp"
 )

 var (
@@ -62,7 +61,7 @@ func newShadowsocksMulti(ctx context.Context, router adapter.Router, logger log.
 			options.Password,
 			udpTimeout,
 			adapter.NewUpstreamContextHandler(inbound.newConnection, inbound.newPacketConnection, inbound),
-			ntp.TimeFuncFromContext(ctx),
+			router.TimeFunc(),
 		)
 	} else if common.Contains(shadowaead.List, options.Method) {
 		service, err = shadowaead.NewMultiService[int](
--- a/inbound/trojan.go
+++ b/inbound/trojan.go
@@ -49,7 +49,7 @@ func NewTrojan(ctx context.Context, router adapter.Router, logger log.ContextLog
 		users: options.Users,
 	}
 	if options.TLS != nil {
-		tlsConfig, err := tls.NewServer(ctx, logger, common.PtrValueOrDefault(options.TLS))
+		tlsConfig, err := tls.NewServer(ctx, router, logger, common.PtrValueOrDefault(options.TLS))
 		if err != nil {
 			return nil, err
 		}
@@ -227,3 +227,10 @@ func (t *trojanTransportHandler) NewConnection(ctx context.Context, conn net.Con
 		Destination: metadata.Destination,
 	})
 }
+
+func (t *trojanTransportHandler) FallbackConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
+	return (*Trojan)(t).fallbackConnection(ctx, conn, adapter.InboundContext{
+		Source:      metadata.Source,
+		Destination: metadata.Destination,
+	})
+}
--- a/inbound/tuic.go
+++ b/inbound/tuic.go
@@ -12,7 +12,7 @@ import (
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing-quic/tuic"
+	"github.com/sagernet/sing-box/transport/tuic"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/auth"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -25,9 +25,8 @@ var _ adapter.Inbound = (*TUIC)(nil)

 type TUIC struct {
 	myInboundAdapter
-	tlsConfig    tls.ServerConfig
-	server       *tuic.Service[int]
-	userNameList []string
+	server    *tuic.Server
+	tlsConfig tls.ServerConfig
 }

 func NewTUIC(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.TUICInboundOptions) (*TUIC, error) {
@@ -35,10 +34,25 @@ func NewTUIC(ctx context.Context, router adapter.Router, logger log.ContextLogge
 	if options.TLS == nil || !options.TLS.Enabled {
 		return nil, C.ErrTLSRequired
 	}
-	tlsConfig, err := tls.NewServer(ctx, logger, common.PtrValueOrDefault(options.TLS))
+	tlsConfig, err := tls.NewServer(ctx, router, logger, common.PtrValueOrDefault(options.TLS))
 	if err != nil {
 		return nil, err
 	}
+	rawConfig, err := tlsConfig.Config()
+	if err != nil {
+		return nil, err
+	}
+	var users []tuic.User
+	for index, user := range options.Users {
+		if user.UUID == "" {
+			return nil, E.New("missing uuid for user ", index)
+		}
+		userUUID, err := uuid.FromString(user.UUID)
+		if err != nil {
+			return nil, E.Cause(err, "invalid uuid for user ", index)
+		}
+		users = append(users, tuic.User{Name: user.Name, UUID: userUUID, Password: user.Password})
+	}
 	inbound := &TUIC{
 		myInboundAdapter: myInboundAdapter{
 			protocol:      C.TypeTUIC,
@@ -50,10 +64,11 @@ func NewTUIC(ctx context.Context, router adapter.Router, logger log.ContextLogge
 			listenOptions: options.ListenOptions,
 		},
 	}
-	service, err := tuic.NewService[int](tuic.ServiceOptions{
+	server, err := tuic.NewServer(tuic.ServerOptions{
 		Context:           ctx,
 		Logger:            logger,
-		TLSConfig:         tlsConfig,
+		TLSConfig:         rawConfig,
+		Users:             users,
 		CongestionControl: options.CongestionControl,
 		AuthTimeout:       time.Duration(options.AuthTimeout),
 		ZeroRTTHandshake:  options.ZeroRTTHandshake,
@@ -63,52 +78,22 @@ func NewTUIC(ctx context.Context, router adapter.Router, logger log.ContextLogge
 	if err != nil {
 		return nil, err
 	}
-	var userList []int
-	var userNameList []string
-	var userUUIDList [][16]byte
-	var userPasswordList []string
-	for index, user := range options.Users {
-		if user.UUID == "" {
-			return nil, E.New("missing uuid for user ", index)
-		}
-		userUUID, err := uuid.FromString(user.UUID)
-		if err != nil {
-			return nil, E.Cause(err, "invalid uuid for user ", index)
-		}
-		userList = append(userList, index)
-		userNameList = append(userNameList, user.Name)
-		userUUIDList = append(userUUIDList, userUUID)
-		userPasswordList = append(userPasswordList, user.Password)
-	}
-	service.UpdateUsers(userList, userUUIDList, userPasswordList)
-	inbound.server = service
-	inbound.userNameList = userNameList
+	inbound.server = server
 	return inbound, nil
 }

 func (h *TUIC) newConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
 	ctx = log.ContextWithNewID(ctx)
 	metadata = h.createMetadata(conn, metadata)
-	userID, _ := auth.UserFromContext[int](ctx)
-	if userName := h.userNameList[userID]; userName != "" {
-		metadata.User = userName
-		h.logger.InfoContext(ctx, "[", userName, "] inbound connection to ", metadata.Destination)
-	} else {
-		h.logger.InfoContext(ctx, "inbound connection to ", metadata.Destination)
-	}
+	metadata.User, _ = auth.UserFromContext[string](ctx)
 	return h.router.RouteConnection(ctx, conn, metadata)
 }

 func (h *TUIC) newPacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
 	ctx = log.ContextWithNewID(ctx)
 	metadata = h.createPacketMetadata(conn, metadata)
-	userID, _ := auth.UserFromContext[int](ctx)
-	if userName := h.userNameList[userID]; userName != "" {
-		metadata.User = userName
-		h.logger.InfoContext(ctx, "[", userName, "] inbound packet connection to ", metadata.Destination)
-	} else {
-		h.logger.InfoContext(ctx, "inbound packet connection to ", metadata.Destination)
-	}
+	metadata.User, _ = auth.UserFromContext[string](ctx)
+	h.logger.InfoContext(ctx, "inbound packet connection to ", metadata.Destination)
 	return h.router.RoutePacketConnection(ctx, conn, metadata)
 }

@@ -129,7 +114,6 @@ func (h *TUIC) Start() error {
 func (h *TUIC) Close() error {
 	return common.Close(
 		&h.myInboundAdapter,
-		h.tlsConfig,
 		common.PtrOrNil(h.server),
 	)
 }
--- a/inbound/vless.go
+++ b/inbound/vless.go
@@ -61,7 +61,7 @@ func NewVLESS(ctx context.Context, router adapter.Router, logger log.ContextLogg
 	inbound.service = service
 	var err error
 	if options.TLS != nil {
-		inbound.tlsConfig, err = tls.NewServer(ctx, logger, common.PtrValueOrDefault(options.TLS))
+		inbound.tlsConfig, err = tls.NewServer(ctx, router, logger, common.PtrValueOrDefault(options.TLS))
 		if err != nil {
 			return nil, err
 		}
@@ -189,3 +189,7 @@ func (t *vlessTransportHandler) NewConnection(ctx context.Context, conn net.Conn
 		Destination: metadata.Destination,
 	})
 }
+
+func (t *vlessTransportHandler) FallbackConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
+	return os.ErrInvalid
+}
--- a/inbound/vmess.go
+++ b/inbound/vmess.go
@@ -19,7 +19,6 @@ import (
 	F "github.com/sagernet/sing/common/format"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/common/ntp"
 )

 var (
@@ -51,7 +50,7 @@ func NewVMess(ctx context.Context, router adapter.Router, logger log.ContextLogg
 		users: options.Users,
 	}
 	var serviceOptions []vmess.ServiceOption
-	if timeFunc := ntp.TimeFuncFromContext(ctx); timeFunc != nil {
+	if timeFunc := router.TimeFunc(); timeFunc != nil {
 		serviceOptions = append(serviceOptions, vmess.ServiceWithTimeFunc(timeFunc))
 	}
 	if options.Transport != nil && options.Transport.Type != "" {
@@ -70,7 +69,7 @@ func NewVMess(ctx context.Context, router adapter.Router, logger log.ContextLogg
 		return nil, err
 	}
 	if options.TLS != nil {
-		inbound.tlsConfig, err = tls.NewServer(ctx, logger, common.PtrValueOrDefault(options.TLS))
+		inbound.tlsConfig, err = tls.NewServer(ctx, router, logger, common.PtrValueOrDefault(options.TLS))
 		if err != nil {
 			return nil, err
 		}
@@ -198,3 +197,7 @@ func (t *vmessTransportHandler) NewConnection(ctx context.Context, conn net.Conn
 		Destination: metadata.Destination,
 	})
 }
+
+func (t *vmessTransportHandler) FallbackConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
+	return os.ErrInvalid
+}
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -30,10 +30,9 @@ theme:
    - navigation.sections
    - header.autohide
 nav:
-  - Home:
+  - Getting Started:
      - index.md
      - Features: features.md
-      - Deprecated: deprecated.md
      - Support: support.md
      - Change Log: changelog.md
  - Installation:
@@ -71,7 +70,6 @@ nav:
          - Listen Fields: configuration/shared/listen.md
          - Dial Fields: configuration/shared/dial.md
          - TLS: configuration/shared/tls.md
-          - DNS01 Challenge Fields: configuration/shared/dns01_challenge.md
          - Multiplex: configuration/shared/multiplex.md
          - V2Ray Transport: configuration/shared/v2ray-transport.md
          - UDP over TCP: configuration/shared/udp-over-tcp.md
@@ -89,7 +87,6 @@ nav:
          - ShadowTLS: configuration/inbound/shadowtls.md
          - VLESS: configuration/inbound/vless.md
          - TUIC: configuration/inbound/tuic.md
-          - Hysteria2: configuration/inbound/hysteria2.md
          - Tun: configuration/inbound/tun.md
          - Redirect: configuration/inbound/redirect.md
          - TProxy: configuration/inbound/tproxy.md
@@ -108,7 +105,6 @@ nav:
          - ShadowsocksR: configuration/outbound/shadowsocksr.md
          - VLESS: configuration/outbound/vless.md
          - TUIC: configuration/outbound/tuic.md
-          - Hysteria2: configuration/outbound/hysteria2.md
          - Tor: configuration/outbound/tor.md
          - SSH: configuration/outbound/ssh.md
          - DNS: configuration/outbound/dns.md
@@ -194,7 +190,6 @@ plugins:
          Shared: 通用
          Listen Fields: 监听字段
          Dial Fields: 拨号字段
-          DNS01 Challenge Fields: DNS01 验证字段
          Multiplex: 多路复用
          V2Ray Transport: V2Ray 传输层

--- a/ntp/service.go
+++ b/ntp/service.go
@@ -18,7 +18,7 @@ import (
 	"github.com/sagernet/sing/common/ntp"
 )

-var _ ntp.TimeService = (*Service)(nil)
+var _ adapter.TimeService = (*Service)(nil)

 type Service struct {
 	ctx           context.Context
--- a/option/clash.go
+++ b/option/clash.go
@@ -17,15 +17,13 @@ type ClashAPIOptions struct {
 }

 type SelectorOutboundOptions struct {
-	Outbounds                 []string `json:"outbounds"`
-	Default                   string   `json:"default,omitempty"`
-	InterruptExistConnections bool     `json:"interrupt_exist_connections,omitempty"`
+	Outbounds []string `json:"outbounds"`
+	Default   string   `json:"default,omitempty"`
 }

 type URLTestOutboundOptions struct {
-	Outbounds                 []string `json:"outbounds"`
-	URL                       string   `json:"url,omitempty"`
-	Interval                  Duration `json:"interval,omitempty"`
-	Tolerance                 uint16   `json:"tolerance,omitempty"`
-	InterruptExistConnections bool     `json:"interrupt_exist_connections,omitempty"`
+	Outbounds []string `json:"outbounds"`
+	URL       string   `json:"url,omitempty"`
+	Interval  Duration `json:"interval,omitempty"`
+	Tolerance uint16   `json:"tolerance,omitempty"`
 }
--- a/option/hysteria2.go
+++ b/option/hysteria2.go
@@ -1,33 +0,0 @@
-package option
-
-type Hysteria2InboundOptions struct {
-	ListenOptions
-	UpMbps                int                `json:"up_mbps,omitempty"`
-	DownMbps              int                `json:"down_mbps,omitempty"`
-	Obfs                  *Hysteria2Obfs     `json:"obfs,omitempty"`
-	Users                 []Hysteria2User    `json:"users,omitempty"`
-	IgnoreClientBandwidth bool               `json:"ignore_client_bandwidth,omitempty"`
-	TLS                   *InboundTLSOptions `json:"tls,omitempty"`
-	Masquerade            string             `json:"masquerade,omitempty"`
-}
-
-type Hysteria2Obfs struct {
-	Type     string `json:"type,omitempty"`
-	Password string `json:"password,omitempty"`
-}
-
-type Hysteria2User struct {
-	Name     string `json:"name,omitempty"`
-	Password string `json:"password,omitempty"`
-}
-
-type Hysteria2OutboundOptions struct {
-	DialerOptions
-	ServerOptions
-	UpMbps   int                 `json:"up_mbps,omitempty"`
-	DownMbps int                 `json:"down_mbps,omitempty"`
-	Obfs     *Hysteria2Obfs      `json:"obfs,omitempty"`
-	Password string              `json:"password,omitempty"`
-	Network  NetworkList         `json:"network,omitempty"`
-	TLS      *OutboundTLSOptions `json:"tls,omitempty"`
-}
--- a/option/inbound.go
+++ b/option/inbound.go
@@ -24,7 +24,6 @@ type _Inbound struct {
 	ShadowTLSOptions   ShadowTLSInboundOptions   `json:"-"`
 	VLESSOptions       VLESSInboundOptions       `json:"-"`
 	TUICOptions        TUICInboundOptions        `json:"-"`
-	Hysteria2Options   Hysteria2InboundOptions   `json:"-"`
 }

 type Inbound _Inbound
@@ -62,8 +61,6 @@ func (h Inbound) MarshalJSON() ([]byte, error) {
 		v = h.VLESSOptions
 	case C.TypeTUIC:
 		v = h.TUICOptions
-	case C.TypeHysteria2:
-		v = h.Hysteria2Options
 	default:
 		return nil, E.New("unknown inbound type: ", h.Type)
 	}
@@ -107,8 +104,6 @@ func (h *Inbound) UnmarshalJSON(bytes []byte) error {
 		v = &h.VLESSOptions
 	case C.TypeTUIC:
 		v = &h.TUICOptions
-	case C.TypeHysteria2:
-		v = &h.Hysteria2Options
 	default:
 		return E.New("unknown inbound type: ", h.Type)
 	}
--- a/option/outbound.go
+++ b/option/outbound.go
@@ -24,7 +24,6 @@ type _Outbound struct {
 	ShadowsocksROptions ShadowsocksROutboundOptions `json:"-"`
 	VLESSOptions        VLESSOutboundOptions        `json:"-"`
 	TUICOptions         TUICOutboundOptions         `json:"-"`
-	Hysteria2Options    Hysteria2OutboundOptions    `json:"-"`
 	SelectorOptions     SelectorOutboundOptions     `json:"-"`
 	URLTestOptions      URLTestOutboundOptions      `json:"-"`
 }
@@ -64,8 +63,6 @@ func (h Outbound) MarshalJSON() ([]byte, error) {
 		v = h.VLESSOptions
 	case C.TypeTUIC:
 		v = h.TUICOptions
-	case C.TypeHysteria2:
-		v = h.Hysteria2Options
 	case C.TypeSelector:
 		v = h.SelectorOptions
 	case C.TypeURLTest:
@@ -113,8 +110,6 @@ func (h *Outbound) UnmarshalJSON(bytes []byte) error {
 		v = &h.VLESSOptions
 	case C.TypeTUIC:
 		v = &h.TUICOptions
-	case C.TypeHysteria2:
-		v = &h.Hysteria2Options
 	case C.TypeSelector:
 		v = &h.SelectorOptions
 	case C.TypeURLTest:
--- a/option/ssh.go
+++ b/option/ssh.go
@@ -5,7 +5,7 @@ type SSHOutboundOptions struct {
 	ServerOptions
 	User                 string           `json:"user,omitempty"`
 	Password             string           `json:"password,omitempty"`
-	PrivateKey           Listable[string] `json:"private_key,omitempty"`
+	PrivateKey           string           `json:"private_key,omitempty"`
 	PrivateKeyPath       string           `json:"private_key_path,omitempty"`
 	PrivateKeyPassphrase string           `json:"private_key_passphrase,omitempty"`
 	HostKey              Listable[string] `json:"host_key,omitempty"`
--- a/option/tls.go
+++ b/option/tls.go
@@ -8,12 +8,11 @@ type InboundTLSOptions struct {
 	MinVersion      string                 `json:"min_version,omitempty"`
 	MaxVersion      string                 `json:"max_version,omitempty"`
 	CipherSuites    Listable[string]       `json:"cipher_suites,omitempty"`
-	Certificate     Listable[string]       `json:"certificate,omitempty"`
+	Certificate     string                 `json:"certificate,omitempty"`
 	CertificatePath string                 `json:"certificate_path,omitempty"`
-	Key             Listable[string]       `json:"key,omitempty"`
+	Key             string                 `json:"key,omitempty"`
 	KeyPath         string                 `json:"key_path,omitempty"`
 	ACME            *InboundACMEOptions    `json:"acme,omitempty"`
-	ECH             *InboundECHOptions     `json:"ech,omitempty"`
 	Reality         *InboundRealityOptions `json:"reality,omitempty"`
 }

@@ -26,7 +25,7 @@ type OutboundTLSOptions struct {
 	MinVersion      string                  `json:"min_version,omitempty"`
 	MaxVersion      string                  `json:"max_version,omitempty"`
 	CipherSuites    Listable[string]        `json:"cipher_suites,omitempty"`
-	Certificate     Listable[string]        `json:"certificate,omitempty"`
+	Certificate     string                  `json:"certificate,omitempty"`
 	CertificatePath string                  `json:"certificate_path,omitempty"`
 	ECH             *OutboundECHOptions     `json:"ech,omitempty"`
 	UTLS            *OutboundUTLSOptions    `json:"utls,omitempty"`
@@ -46,20 +45,11 @@ type InboundRealityHandshakeOptions struct {
 	DialerOptions
 }

-type InboundECHOptions struct {
-	Enabled                     bool             `json:"enabled,omitempty"`
-	PQSignatureSchemesEnabled   bool             `json:"pq_signature_schemes_enabled,omitempty"`
-	DynamicRecordSizingDisabled bool             `json:"dynamic_record_sizing_disabled,omitempty"`
-	Key                         Listable[string] `json:"key,omitempty"`
-	KeyPath                     string           `json:"key_path,omitempty"`
-}
-
 type OutboundECHOptions struct {
-	Enabled                     bool             `json:"enabled,omitempty"`
-	PQSignatureSchemesEnabled   bool             `json:"pq_signature_schemes_enabled,omitempty"`
-	DynamicRecordSizingDisabled bool             `json:"dynamic_record_sizing_disabled,omitempty"`
-	Config                      Listable[string] `json:"config,omitempty"`
-	ConfigPath                  string           `json:"config_path,omitempty"`
+	Enabled                     bool   `json:"enabled,omitempty"`
+	PQSignatureSchemesEnabled   bool   `json:"pq_signature_schemes_enabled,omitempty"`
+	DynamicRecordSizingDisabled bool   `json:"dynamic_record_sizing_disabled,omitempty"`
+	Config                      string `json:"config,omitempty"`
 }

 type OutboundUTLSOptions struct {
--- a/option/tls_acme.go
+++ b/option/tls_acme.go
@@ -1,11 +1,5 @@
 package option

-import (
-	"github.com/sagernet/sing-box/common/json"
-	C "github.com/sagernet/sing-box/constant"
-	E "github.com/sagernet/sing/common/exceptions"
-)
-
 type InboundACMEOptions struct {
 	Domain                  Listable[string]            `json:"domain,omitempty"`
 	DataDirectory           string                      `json:"data_directory,omitempty"`
@@ -17,62 +11,9 @@ type InboundACMEOptions struct {
 	AlternativeHTTPPort     uint16                      `json:"alternative_http_port,omitempty"`
 	AlternativeTLSPort      uint16                      `json:"alternative_tls_port,omitempty"`
 	ExternalAccount         *ACMEExternalAccountOptions `json:"external_account,omitempty"`
-	DNS01Challenge          *ACMEDNS01ChallengeOptions  `json:"dns01_challenge,omitempty"`
 }

 type ACMEExternalAccountOptions struct {
 	KeyID  string `json:"key_id,omitempty"`
 	MACKey string `json:"mac_key,omitempty"`
 }
-
-type _ACMEDNS01ChallengeOptions struct {
-	Provider          string                     `json:"provider,omitempty"`
-	AliDNSOptions     ACMEDNS01AliDNSOptions     `json:"-"`
-	CloudflareOptions ACMEDNS01CloudflareOptions `json:"-"`
-}
-
-type ACMEDNS01ChallengeOptions _ACMEDNS01ChallengeOptions
-
-func (o ACMEDNS01ChallengeOptions) MarshalJSON() ([]byte, error) {
-	var v any
-	switch o.Provider {
-	case C.DNSProviderAliDNS:
-		v = o.AliDNSOptions
-	case C.DNSProviderCloudflare:
-		v = o.CloudflareOptions
-	default:
-		return nil, E.New("unknown provider type: " + o.Provider)
-	}
-	return MarshallObjects((_ACMEDNS01ChallengeOptions)(o), v)
-}
-
-func (o *ACMEDNS01ChallengeOptions) UnmarshalJSON(bytes []byte) error {
-	err := json.Unmarshal(bytes, (*_ACMEDNS01ChallengeOptions)(o))
-	if err != nil {
-		return err
-	}
-	var v any
-	switch o.Provider {
-	case C.DNSProviderAliDNS:
-		v = &o.AliDNSOptions
-	case C.DNSProviderCloudflare:
-		v = &o.CloudflareOptions
-	default:
-		return E.New("unknown provider type: " + o.Provider)
-	}
-	err = UnmarshallExcluded(bytes, (*_ACMEDNS01ChallengeOptions)(o), v)
-	if err != nil {
-		return E.Cause(err, "DNS01 challenge options")
-	}
-	return nil
-}
-
-type ACMEDNS01AliDNSOptions struct {
-	AccessKeyID     string `json:"access_key_id,omitempty"`
-	AccessKeySecret string `json:"access_key_secret,omitempty"`
-	RegionID        string `json:"region_id,omitempty"`
-}
-
-type ACMEDNS01CloudflareOptions struct {
-	APIToken string `json:"api_token,omitempty"`
-}
--- a/outbound/builder.go
+++ b/outbound/builder.go
@@ -30,7 +30,7 @@ func New(ctx context.Context, router adapter.Router, logger log.ContextLogger, t
 	case C.TypeSOCKS:
 		return NewSocks(router, logger, tag, options.SocksOptions)
 	case C.TypeHTTP:
-		return NewHTTP(ctx, router, logger, tag, options.HTTPOptions)
+		return NewHTTP(router, logger, tag, options.HTTPOptions)
 	case C.TypeShadowsocks:
 		return NewShadowsocks(ctx, router, logger, tag, options.ShadowsocksOptions)
 	case C.TypeVMess:
@@ -53,8 +53,6 @@ func New(ctx context.Context, router adapter.Router, logger log.ContextLogger, t
 		return NewVLESS(ctx, router, logger, tag, options.VLESSOptions)
 	case C.TypeTUIC:
 		return NewTUIC(ctx, router, logger, tag, options.TUICOptions)
-	case C.TypeHysteria2:
-		return NewHysteria2(ctx, router, logger, tag, options.Hysteria2Options)
 	case C.TypeSelector:
 		return NewSelector(router, logger, tag, options.SelectorOptions)
 	case C.TypeURLTest:
--- a/outbound/default.go
+++ b/outbound/default.go
@@ -65,11 +65,7 @@ func NewConnection(ctx context.Context, this N.Dialer, conn net.Conn, metadata a
 		outConn, err = this.DialContext(ctx, N.NetworkTCP, metadata.Destination)
 	}
 	if err != nil {
-		return N.ReportHandshakeFailure(conn, err)
-	}
-	err = N.ReportHandshakeSuccess(conn)
-	if err != nil {
-		return err
+		return N.HandshakeFailure(conn, err)
 	}
 	return CopyEarlyConn(ctx, conn, outConn)
 }
@@ -84,18 +80,14 @@ func NewDirectConnection(ctx context.Context, router adapter.Router, this N.Dial
 		var destinationAddresses []netip.Addr
 		destinationAddresses, err = router.LookupDefault(ctx, metadata.Destination.Fqdn)
 		if err != nil {
-			return N.ReportHandshakeFailure(conn, err)
+			return N.HandshakeFailure(conn, err)
 		}
 		outConn, err = N.DialSerial(ctx, this, N.NetworkTCP, metadata.Destination, destinationAddresses)
 	} else {
 		outConn, err = this.DialContext(ctx, N.NetworkTCP, metadata.Destination)
 	}
 	if err != nil {
-		return N.ReportHandshakeFailure(conn, err)
-	}
-	err = N.ReportHandshakeSuccess(conn)
-	if err != nil {
-		return err
+		return N.HandshakeFailure(conn, err)
 	}
 	return CopyEarlyConn(ctx, conn, outConn)
 }
@@ -111,11 +103,7 @@ func NewPacketConnection(ctx context.Context, this N.Dialer, conn N.PacketConn,
 		outConn, err = this.ListenPacket(ctx, metadata.Destination)
 	}
 	if err != nil {
-		return N.ReportHandshakeFailure(conn, err)
-	}
-	err = N.ReportHandshakeSuccess(conn)
-	if err != nil {
-		return err
+		return N.HandshakeFailure(conn, err)
 	}
 	if destinationAddress.IsValid() {
 		if natConn, loaded := common.Cast[bufio.NATPacketConn](conn); loaded {
@@ -144,18 +132,14 @@ func NewDirectPacketConnection(ctx context.Context, router adapter.Router, this
 		var destinationAddresses []netip.Addr
 		destinationAddresses, err = router.LookupDefault(ctx, metadata.Destination.Fqdn)
 		if err != nil {
-			return N.ReportHandshakeFailure(conn, err)
+			return N.HandshakeFailure(conn, err)
 		}
 		outConn, destinationAddress, err = N.ListenSerial(ctx, this, metadata.Destination, destinationAddresses)
 	} else {
 		outConn, err = this.ListenPacket(ctx, metadata.Destination)
 	}
 	if err != nil {
-		return N.ReportHandshakeFailure(conn, err)
-	}
-	err = N.ReportHandshakeSuccess(conn)
-	if err != nil {
-		return err
+		return N.HandshakeFailure(conn, err)
 	}
 	if destinationAddress.IsValid() {
 		if natConn, loaded := common.Cast[bufio.NATPacketConn](conn); loaded {
@@ -207,7 +191,7 @@ func CopyEarlyConn(ctx context.Context, conn net.Conn, serverConn net.Conn) erro
 		_, err = serverConn.Write(payload.Bytes())
 		payload.Release()
 		if err != nil {
-			return N.ReportHandshakeFailure(conn, err)
+			return N.HandshakeFailure(conn, err)
 		}
 	}
 	return bufio.CopyConn(ctx, conn, serverConn)
--- a/outbound/http.go
+++ b/outbound/http.go
@@ -25,12 +25,12 @@ type HTTP struct {
 	client *sHTTP.Client
 }

-func NewHTTP(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.HTTPOutboundOptions) (*HTTP, error) {
+func NewHTTP(router adapter.Router, logger log.ContextLogger, tag string, options option.HTTPOutboundOptions) (*HTTP, error) {
 	outboundDialer, err := dialer.New(router, options.DialerOptions)
 	if err != nil {
 		return nil, err
 	}
-	detour, err := tls.NewDialerFromOptions(ctx, router, outboundDialer, options.Server, common.PtrValueOrDefault(options.TLS))
+	detour, err := tls.NewDialerFromOptions(router, outboundDialer, options.Server, common.PtrValueOrDefault(options.TLS))
 	if err != nil {
 		return nil, err
 	}
--- a/outbound/hysteria.go
+++ b/outbound/hysteria.go
@@ -8,6 +8,7 @@ import (
 	"sync"

 	"github.com/sagernet/quic-go"
+	"github.com/sagernet/quic-go/congestion"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/dialer"
 	"github.com/sagernet/sing-box/common/tls"
@@ -15,8 +16,6 @@ import (
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-box/transport/hysteria"
-	"github.com/sagernet/sing-quic"
-	hyCC "github.com/sagernet/sing-quic/hysteria2/congestion"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/bufio"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -34,7 +33,7 @@ type Hysteria struct {
 	ctx          context.Context
 	dialer       N.Dialer
 	serverAddr   M.Socksaddr
-	tlsConfig    tls.Config
+	tlsConfig    *tls.STDConfig
 	quicConfig   *quic.Config
 	authKey      []byte
 	xplusKey     []byte
@@ -53,12 +52,17 @@ func NewHysteria(ctx context.Context, router adapter.Router, logger log.ContextL
 	if options.TLS == nil || !options.TLS.Enabled {
 		return nil, C.ErrTLSRequired
 	}
-	tlsConfig, err := tls.NewClient(ctx, options.Server, common.PtrValueOrDefault(options.TLS))
+	abstractTLSConfig, err := tls.NewClient(router, options.Server, common.PtrValueOrDefault(options.TLS))
 	if err != nil {
 		return nil, err
 	}
-	if len(tlsConfig.NextProtos()) == 0 {
-		tlsConfig.SetNextProtos([]string{hysteria.DefaultALPN})
+	tlsConfig, err := abstractTLSConfig.Config()
+	if err != nil {
+		return nil, err
+	}
+	tlsConfig.MinVersion = tls.VersionTLS13
+	if len(tlsConfig.NextProtos) == 0 {
+		tlsConfig.NextProtos = []string{hysteria.DefaultALPN}
 	}
 	quicConfig := &quic.Config{
 		InitialStreamReceiveWindow:     options.ReceiveWindowConn,
@@ -178,7 +182,7 @@ func (h *Hysteria) offerNew(ctx context.Context) (quic.Connection, error) {
 		packetConn = hysteria.NewXPlusPacketConn(packetConn, h.xplusKey)
 	}
 	packetConn = &hysteria.PacketConnWrapper{PacketConn: packetConn}
-	quicConn, err := qtls.Dial(h.ctx, packetConn, udpConn.RemoteAddr(), h.tlsConfig, h.quicConfig)
+	quicConn, err := quic.Dial(h.ctx, packetConn, udpConn.RemoteAddr(), h.tlsConfig, h.quicConfig)
 	if err != nil {
 		packetConn.Close()
 		return nil, err
@@ -206,7 +210,7 @@ func (h *Hysteria) offerNew(ctx context.Context) (quic.Connection, error) {
 		packetConn.Close()
 		return nil, E.New("remote error: ", serverHello.Message)
 	}
-	quicConn.SetCongestionControl(hyCC.NewBrutalSender(serverHello.RecvBPS))
+	quicConn.SetCongestionControl(hysteria.NewBrutalSender(congestion.ByteCount(serverHello.RecvBPS)))
 	h.conn = quicConn
 	h.rawConn = udpConn
 	return quicConn, nil
--- a/outbound/hysteria2.go
+++ b/outbound/hysteria2.go
@@ -1,123 +0,0 @@
-//go:build with_quic
-
-package outbound
-
-import (
-	"context"
-	"net"
-	"os"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/dialer"
-	"github.com/sagernet/sing-box/common/tls"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing-box/transport/hysteria"
-	"github.com/sagernet/sing-quic/hysteria2"
-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/bufio"
-	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-)
-
-var (
-	_ adapter.Outbound                = (*TUIC)(nil)
-	_ adapter.InterfaceUpdateListener = (*TUIC)(nil)
-)
-
-type Hysteria2 struct {
-	myOutboundAdapter
-	client *hysteria2.Client
-}
-
-func NewHysteria2(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.Hysteria2OutboundOptions) (*Hysteria2, error) {
-	options.UDPFragmentDefault = true
-	if options.TLS == nil || !options.TLS.Enabled {
-		return nil, C.ErrTLSRequired
-	}
-	tlsConfig, err := tls.NewClient(ctx, options.Server, common.PtrValueOrDefault(options.TLS))
-	if err != nil {
-		return nil, err
-	}
-	var salamanderPassword string
-	if options.Obfs != nil {
-		if options.Obfs.Password == "" {
-			return nil, E.New("missing obfs password")
-		}
-		switch options.Obfs.Type {
-		case hysteria2.ObfsTypeSalamander:
-			salamanderPassword = options.Obfs.Password
-		default:
-			return nil, E.New("unknown obfs type: ", options.Obfs.Type)
-		}
-	}
-	outboundDialer, err := dialer.New(router, options.DialerOptions)
-	if err != nil {
-		return nil, err
-	}
-	networkList := options.Network.Build()
-	client, err := hysteria2.NewClient(hysteria2.ClientOptions{
-		Context:            ctx,
-		Dialer:             outboundDialer,
-		ServerAddress:      options.ServerOptions.Build(),
-		SendBPS:            uint64(options.UpMbps * hysteria.MbpsToBps),
-		ReceiveBPS:         uint64(options.DownMbps * hysteria.MbpsToBps),
-		SalamanderPassword: salamanderPassword,
-		Password:           options.Password,
-		TLSConfig:          tlsConfig,
-		UDPDisabled:        !common.Contains(networkList, N.NetworkUDP),
-	})
-	if err != nil {
-		return nil, err
-	}
-	return &Hysteria2{
-		myOutboundAdapter: myOutboundAdapter{
-			protocol:     C.TypeHysteria2,
-			network:      networkList,
-			router:       router,
-			logger:       logger,
-			tag:          tag,
-			dependencies: withDialerDependency(options.DialerOptions),
-		},
-		client: client,
-	}, nil
-}
-
-func (h *Hysteria2) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	switch N.NetworkName(network) {
-	case N.NetworkTCP:
-		h.logger.InfoContext(ctx, "outbound connection to ", destination)
-		return h.client.DialConn(ctx, destination)
-	case N.NetworkUDP:
-		conn, err := h.ListenPacket(ctx, destination)
-		if err != nil {
-			return nil, err
-		}
-		return bufio.NewBindPacketConn(conn, destination), nil
-	default:
-		return nil, E.New("unsupported network: ", network)
-	}
-}
-
-func (h *Hysteria2) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	h.logger.InfoContext(ctx, "outbound packet connection to ", destination)
-	return h.client.ListenPacket(ctx)
-}
-
-func (h *Hysteria2) NewConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
-	return NewConnection(ctx, h, conn, metadata)
-}
-
-func (h *Hysteria2) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
-	return NewPacketConnection(ctx, h, conn, metadata)
-}
-
-func (h *Hysteria2) InterfaceUpdated() error {
-	return h.client.CloseWithError(E.New("network changed"))
-}
-
-func (h *Hysteria2) Close() error {
-	return h.client.CloseWithError(os.ErrClosed)
-}
--- a/outbound/hysteria_stub.go
+++ b/outbound/hysteria_stub.go
@@ -14,7 +14,3 @@ import (
 func NewHysteria(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.HysteriaOutboundOptions) (adapter.Outbound, error) {
 	return nil, C.ErrQUICNotIncluded
 }
-
-func NewHysteria2(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.Hysteria2OutboundOptions) (adapter.Outbound, error) {
-	return nil, C.ErrQUICNotIncluded
-}
--- a/outbound/selector.go
+++ b/outbound/selector.go
@@ -5,7 +5,6 @@ import (
 	"net"

 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/interrupt"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
@@ -21,12 +20,10 @@ var (

 type Selector struct {
 	myOutboundAdapter
-	tags                         []string
-	defaultTag                   string
-	outbounds                    map[string]adapter.Outbound
-	selected                     adapter.Outbound
-	interruptGroup               *interrupt.Group
-	interruptExternalConnections bool
+	tags       []string
+	defaultTag string
+	outbounds  map[string]adapter.Outbound
+	selected   adapter.Outbound
 }

 func NewSelector(router adapter.Router, logger log.ContextLogger, tag string, options option.SelectorOutboundOptions) (*Selector, error) {
@@ -38,11 +35,9 @@ func NewSelector(router adapter.Router, logger log.ContextLogger, tag string, op
 			tag:          tag,
 			dependencies: options.Outbounds,
 		},
-		tags:                         options.Outbounds,
-		defaultTag:                   options.Default,
-		outbounds:                    make(map[string]adapter.Outbound),
-		interruptGroup:               interrupt.NewGroup(),
-		interruptExternalConnections: options.InterruptExistConnections,
+		tags:       options.Outbounds,
+		defaultTag: options.Default,
+		outbounds:  make(map[string]adapter.Outbound),
 	}
 	if len(outbound.tags) == 0 {
 		return nil, E.New("missing tags")
@@ -105,9 +100,6 @@ func (s *Selector) SelectOutbound(tag string) bool {
 	if !loaded {
 		return false
 	}
-	if s.selected == detour {
-		return true
-	}
 	s.selected = detour
 	if s.tag != "" {
 		if clashServer := s.router.ClashServer(); clashServer != nil && clashServer.StoreSelected() {
@@ -117,33 +109,22 @@ func (s *Selector) SelectOutbound(tag string) bool {
 			}
 		}
 	}
-	s.interruptGroup.Interrupt(s.interruptExternalConnections)
 	return true
 }

 func (s *Selector) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	conn, err := s.selected.DialContext(ctx, network, destination)
-	if err != nil {
-		return nil, err
-	}
-	return s.interruptGroup.NewConn(conn, interrupt.IsExternalConnectionFromContext(ctx)), nil
+	return s.selected.DialContext(ctx, network, destination)
 }

 func (s *Selector) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	conn, err := s.selected.ListenPacket(ctx, destination)
-	if err != nil {
-		return nil, err
-	}
-	return s.interruptGroup.NewPacketConn(conn, interrupt.IsExternalConnectionFromContext(ctx)), nil
+	return s.selected.ListenPacket(ctx, destination)
 }

 func (s *Selector) NewConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
-	ctx = interrupt.ContextWithIsExternalConnection(ctx)
 	return s.selected.NewConnection(ctx, conn, metadata)
 }

 func (s *Selector) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
-	ctx = interrupt.ContextWithIsExternalConnection(ctx)
 	return s.selected.NewPacketConnection(ctx, conn, metadata)
 }

--- a/outbound/shadowsocks.go
+++ b/outbound/shadowsocks.go
@@ -57,7 +57,7 @@ func NewShadowsocks(ctx context.Context, router adapter.Router, logger log.Conte
 		serverAddr: options.ServerOptions.Build(),
 	}
 	if options.Plugin != "" {
-		outbound.plugin, err = sip003.CreatePlugin(ctx, options.Plugin, options.PluginOptions, router, outbound.dialer, outbound.serverAddr)
+		outbound.plugin, err = sip003.CreatePlugin(options.Plugin, options.PluginOptions, router, outbound.dialer, outbound.serverAddr)
 		if err != nil {
 			return nil, err
 		}
--- a/outbound/shadowsocksr.go
+++ b/outbound/shadowsocksr.go
@@ -37,7 +37,6 @@ type ShadowsocksR struct {
 }

 func NewShadowsocksR(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.ShadowsocksROutboundOptions) (*ShadowsocksR, error) {
-	logger.Warn("ShadowsocksR is deprecated, see https://sing-box.sagernet.org/deprecated")
 	outboundDialer, err := dialer.New(router, options.DialerOptions)
 	if err != nil {
 		return nil, err
--- a/outbound/shadowtls.go
+++ b/outbound/shadowtls.go
@@ -47,7 +47,7 @@ func NewShadowTLS(ctx context.Context, router adapter.Router, logger log.Context
 		options.TLS.MinVersion = "1.2"
 		options.TLS.MaxVersion = "1.2"
 	}
-	tlsConfig, err := tls.NewClient(ctx, options.Server, common.PtrValueOrDefault(options.TLS))
+	tlsConfig, err := tls.NewClient(router, options.Server, common.PtrValueOrDefault(options.TLS))
 	if err != nil {
 		return nil, err
 	}
--- a/outbound/ssh.go
+++ b/outbound/ssh.go
@@ -8,7 +8,6 @@ import (
 	"net"
 	"os"
 	"strconv"
-	"strings"
 	"sync"

 	"github.com/sagernet/sing-box/adapter"
@@ -77,10 +76,10 @@ func NewSSH(ctx context.Context, router adapter.Router, logger log.ContextLogger
 	if options.Password != "" {
 		outbound.authMethod = append(outbound.authMethod, ssh.Password(options.Password))
 	}
-	if len(options.PrivateKey) > 0 || options.PrivateKeyPath != "" {
+	if options.PrivateKey != "" || options.PrivateKeyPath != "" {
 		var privateKey []byte
-		if len(options.PrivateKey) > 0 {
-			privateKey = []byte(strings.Join(options.PrivateKey, "\n"))
+		if options.PrivateKey != "" {
+			privateKey = []byte(options.PrivateKey)
 		} else {
 			var err error
 			privateKey, err = os.ReadFile(os.ExpandEnv(options.PrivateKeyPath))
--- a/outbound/trojan.go
+++ b/outbound/trojan.go
@@ -51,7 +51,7 @@ func NewTrojan(ctx context.Context, router adapter.Router, logger log.ContextLog
 		key:        trojan.Key(options.Password),
 	}
 	if options.TLS != nil {
-		outbound.tlsConfig, err = tls.NewClient(ctx, options.Server, common.PtrValueOrDefault(options.TLS))
+		outbound.tlsConfig, err = tls.NewClient(router, options.Server, common.PtrValueOrDefault(options.TLS))
 		if err != nil {
 			return nil, err
 		}
--- a/outbound/tuic.go
+++ b/outbound/tuic.go
@@ -14,7 +14,7 @@ import (
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing-quic/tuic"
+	"github.com/sagernet/sing-box/transport/tuic"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/bufio"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -41,7 +41,11 @@ func NewTUIC(ctx context.Context, router adapter.Router, logger log.ContextLogge
 	if options.TLS == nil || !options.TLS.Enabled {
 		return nil, C.ErrTLSRequired
 	}
-	tlsConfig, err := tls.NewClient(ctx, options.Server, common.PtrValueOrDefault(options.TLS))
+	abstractTLSConfig, err := tls.NewClient(router, options.Server, common.PtrValueOrDefault(options.TLS))
+	if err != nil {
+		return nil, err
+	}
+	tlsConfig, err := abstractTLSConfig.Config()
 	if err != nil {
 		return nil, err
 	}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
世界	8f2ef67e62	Fix resolve dialer	2023-09-27 13:20:44 +08:00
世界	057e564569	android: Fix netlink check	2023-09-27 13:20:44 +08:00
世界	e57207a1bc	Reject SOCKS4 unauthenticated request	2023-09-25 21:45:58 +08:00
世界	77848906c8	Fix payload not return to pool	2023-09-25 18:29:39 +08:00
世界	c21f5fe772	Fix dns log	2023-09-25 18:29:39 +08:00
世界	76f32869e2	Fix shadow-tls user context	2023-09-25 18:29:36 +08:00
世界	57814da0f9	Fix missing context in geo resources download	2023-09-25 18:29:36 +08:00
世界	592f76bb9f	Minor fixes	2023-09-25 18:29:31 +08:00
世界	652ebdf241	Fix debug.SetMemoryLimit usage	2023-09-25 18:28:47 +08:00
世界	b8a0d1fe59	Improve conntrack	2023-09-25 18:28:43 +08:00
renovate[bot]	a184902817	[dependencies] Update github-actions Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2023-09-20 10:16:29 +08:00
世界	f64e25cbb1	Fix v2ray websocket transport	2023-09-20 10:16:29 +08:00
世界	552d0efe13	Fix gomobile build on macOS	2023-09-20 10:16:29 +08:00
世界	448c722aed	Update Makefile	2023-09-20 10:16:29 +08:00