Initialize L3 routing support

2026-04-13 20:28:32 +10:00 · 2023-03-22 01:36:17 +08:00
526 changed files with 11292 additions and 18915 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -1,67 +1,70 @@
-name: Bug report
+name: Bug Report
-description: "Report sing-box bug"
+description: "Create a report to help us improve."
 body:
-  - type: dropdown
+  - type: checkboxes
    id: terms
    attributes:
-      label: Operating system
+      label: Welcome
      description: Operating system type
      options:
-        - iOS
+        - label: Yes, I'm using the latest major release. Only such installations are supported.
-        - macOS
+          required: true
-        - Apple tvOS
+        - label: Yes, I'm using the latest Golang release. Only such installations are supported.
-        - Android
+          required: true
-        - Windows
+        - label: Yes, I've searched similar issues on GitHub and didn't find any.
-        - Linux
+          required: true
-        - Others
+        - label: Yes, I've included all information below (version, **FULL** config, **FULL** log, etc).
-    validations:
+          required: true
-      required: true
+
  - type: input
    attributes:
      label: System version
      description: Please provide the operating system version
    validations:
      required: true
  - type: dropdown
    attributes:
      label: Installation type
      description: Please provide the sing-box installation type
      options:
        - Original sing-box Command Line
        - sing-box for iOS Graphical Client
        - sing-box for macOS Graphical Client
        - sing-box for Apple tvOS Graphical Client
        - sing-box for Android Graphical Client
        - Third-party graphical clients that advertise themselves as using sing-box (Windows)
        - Third-party graphical clients that advertise themselves as using sing-box (Android)
        - Others
    validations:
      required: true
  - type: input
    attributes:
      description: Graphical client version
      label: If you are using a graphical client, please provide the version of the client.
  - type: textarea
    id: problem
    attributes:
-      label: Version
+      label: Description of the problem
-      description: If you are using the original command line program, please provide the output of the `sing-box version` command.
+      placeholder: Your problem description
      render: shell
  - type: textarea
    attributes:
      label: Description
      description: Please provide a detailed description of the error.
    validations:
      required: true
  - type: textarea
    id: version
    attributes:
-      label: Reproduction
+      label: Version of sing-box
-      description: Please provide the steps to reproduce the error, including the configuration files and procedures that can locally (not dependent on the remote server) reproduce the error using the original command line program of sing-box.
+      value: |-
        <details>
        ```console
        $ sing-box version
        # Paste output here
        ```
        </details>
    validations:
      required: true
  - type: textarea
    id: config
    attributes:
-      label: Logs
+      label: Server and client configuration file
-      description: |-
+      value: |-
-        If you encounter a crash with the graphical client, please provide crash logs.
+        <details>
-        For Apple platform clients, please check `Settings - View Service Log` for crash logs.
+
-        For the Android client, please check the `/sdcard/Android/data/io.nekohasekai.sfa/files/stderr.log` file for crash logs.
+        ```console
-      render: shell
+        # paste json here
        ```
        </details>
    validations:
      required: true
  - type: textarea
    id: log
    attributes:
      label: Server and client log file
      value: |-
        <details>
        ```console
        # paste log here
        ```
        </details>
    validations:
      required: true
--- a/.github/ISSUE_TEMPLATE/bug_report_zh.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report_zh.yml
@@ -1,81 +0,0 @@
 name: 错误反馈
 description: "提交 sing-box 漏洞"
 body:
  - type: dropdown
    attributes:
      label: 操作系统
      description: 请提供操作系统类型
      options:
        - iOS
        - macOS
        - Apple tvOS
        - Android
        - Windows
        - Linux
        - 其他
    validations:
      required: true
  - type: input
    attributes:
      label: 系统版本
      description: 请提供操作系统版本
    validations:
      required: true
  - type: dropdown
    attributes:
      label: 安装类型
      description: 请提供该 sing-box 安装类型
      options:
        - sing-box 原始命令行程序
        - sing-box for iOS 图形客户端程序
        - sing-box for macOS 图形客户端程序
        - sing-box for Apple tvOS 图形客户端程序
        - sing-box for Android 图形客户端程序
        - 宣传使用 sing-box 的第三方图形客户端程序 (Windows)
        - 宣传使用 sing-box 的第三方图形客户端程序 (Android)
        - 其他
    validations:
      required: true
  - type: input
    attributes:
      description: 图形客户端版本
      label: 如果您使用图形客户端程序，请提供该程序版本。
  - type: textarea
    attributes:
      label: 版本
      description: 如果您使用原始命令行程序，请提供 `sing-box version` 命令的输出。
      render: shell
  - type: textarea
    attributes:
      label: 描述
      description: 请提供错误的详细描述。
    validations:
      required: true
  - type: textarea
    attributes:
      label: 重现方式
      description: 请提供重现错误的步骤，必须包括可以在本地（不依赖与远程服务器）使用 sing-box 原始命令行程序重现错误的配置文件与流程。
    validations:
      required: true
  - type: textarea
    attributes:
      label: 日志
      description: |-
        如果您遭遇图形界面应用程序崩溃，请提供崩溃日志。
        对于 Apple 平台图形客户端程序，请检查 `Settings - View Service Log` 以导出崩溃日志。
        对于 Android 图形客户端程序，请检查 `/sdcard/Android/data/io.nekohasekai.sfa/files/stderr.log` 文件以导出崩溃日志。
      render: shell
  - type: checkboxes
    attributes:
      label: 完整性要求
      description: 我保证我提供了完整的可以在本地重现该问题的服务器、客户端配置文件与流程，而不是一个脱敏的复杂客户端配置文件，否则该 issue 将被关闭。
      options:
        - label: 我保证
          required: true
  - type: checkboxes
    attributes:
      label: 负责性要求
      description: 我保证我阅读了文档，了解所有我编写的配置文件项的含义，而不是大量堆砌看似有用的选项或默认值，否则该 issue 将被关闭。
      options:
        - label: 我保证
          required: true
--- a/.github/workflows/debug.yml
+++ b/.github/workflows/debug.yml
@@ -3,7 +3,6 @@ name: Debug build
 on:
  push:
    branches:
      - stable-next
      - main-next
      - dev-next
    paths-ignore:
@@ -12,7 +11,6 @@ on:
      - '!.github/workflows/debug.yml'
  pull_request:
    branches:
      - stable-next
      - main-next
      - dev-next
@@ -22,7 +20,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Get latest go version
@@ -33,6 +31,12 @@ jobs:
        uses: actions/setup-go@v4
        with:
          go-version: ${{ steps.version.outputs.go_version }}
      - name: Cache go module
        uses: actions/cache@v3
        with:
          path: |
            ~/go/pkg/mod
          key: go-${{ hashFiles('**/go.sum') }}
      - name: Add cache to Go proxy
        run: |
          version=`git rev-parse HEAD`
@@ -50,7 +54,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Setup Go
@@ -64,27 +68,7 @@ jobs:
            ~/go/pkg/mod
          key: go118-${{ hashFiles('**/go.sum') }}
      - name: Run Test
-        run: make ci_build_go118
+        run: make
  build_go120:
    name: Debug build (Go 1.20)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
        with:
          fetch-depth: 0
      - name: Setup Go
        uses: actions/setup-go@v4
        with:
          go-version: 1.20.7
      - name: Cache go module
        uses: actions/cache@v3
        with:
          path: |
            ~/go/pkg/mod
          key: go118-${{ hashFiles('**/go.sum') }}
      - name: Run Test
        run: make ci_build
  cross:
    strategy:
      matrix:
@@ -201,7 +185,7 @@ jobs:
      TAGS: with_clash_api,with_quic
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Get latest go version
@@ -212,6 +196,12 @@ jobs:
        uses: actions/setup-go@v4
        with:
          go-version: ${{ steps.version.outputs.go_version }}
      - name: Cache go module
        uses: actions/cache@v3
        with:
          path: |
            ~/go/pkg/mod
          key: go-${{ hashFiles('**/go.sum') }}
      - name: Build
        id: build
        run: make
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -9,20 +9,20 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        uses: actions/checkout@v3
      - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v2
      - name: Setup QEMU for Docker Buildx
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@v2
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Docker metadata
        id: metadata
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v4
        with:
          images: ghcr.io/sagernet/sing-box
      - name: Get tag to build
@@ -35,12 +35,10 @@ jobs:
            echo "versioned=ghcr.io/sagernet/sing-box:${{ github.event.inputs.tag }}" >> $GITHUB_OUTPUT
          fi
      - name: Build and release Docker images
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v4
        with:
          platforms: linux/386,linux/amd64,linux/arm64,linux/s390x
          target: dist
          build-args: |
            BUILDKIT_CONTEXT_KEEP_GIT_DIR=1
          tags: |
            ${{ steps.tag.outputs.latest }}
            ${{ steps.tag.outputs.versioned }}
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -3,7 +3,6 @@ name: Lint
 on:
  push:
    branches:
      - stable-next
      - main-next
      - dev-next
    paths-ignore:
@@ -12,7 +11,6 @@ on:
      - '!.github/workflows/lint.yml'
  pull_request:
    branches:
      - stable-next
      - main-next
      - dev-next
@@ -22,7 +20,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Get latest go version
@@ -33,9 +31,13 @@ jobs:
        uses: actions/setup-go@v4
        with:
          go-version: ${{ steps.version.outputs.go_version }}
      - name: Cache go module
        uses: actions/cache@v3
        with:
          path: |
            ~/go/pkg/mod
          key: go-${{ hashFiles('**/go.sum') }}
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v3
        with:
-          version: latest
+          version: latest
          args: --timeout=30m
          install-mode: binary
--- a/.github/workflows/mkdocs.yml
+++ b/.github/workflows/mkdocs.yml
@@ -0,0 +1,20 @@
 name: Generate Documents
 on:
  push:
    branches:
      - dev
    paths:
      - docs/**
      - .github/workflows/mkdocs.yml
 jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
          python-version: 3.x
      - run: |
          pip install mkdocs-material=="9.*" mkdocs-static-i18n=="0.53"
      - run: |
          mkdocs gh-deploy -m "{sha}" --force --ignore-version --no-history
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -8,7 +8,7 @@ jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/stale@v8
+      - uses: actions/stale@v7
        with:
          stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days'
          days-before-stale: 60
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -14,17 +14,13 @@ builds:
    tags:
      - with_gvisor
      - with_quic
      - with_dhcp
      - with_wireguard
      - with_ech
      - with_utls
      - with_reality_server
      - with_acme
      - with_clash_api
    env:
      - CGO_ENABLED=0
    targets:
      - linux_386
      - linux_amd64_v1
      - linux_amd64_v3
      - linux_arm64
@@ -38,36 +34,6 @@ builds:
      - darwin_amd64_v3
      - darwin_arm64
    mod_timestamp: '{{ .CommitTimestamp }}'
  - id: legacy
    main: ./cmd/sing-box
    flags:
      - -v
      - -trimpath
    asmflags:
      - all=-trimpath={{.Env.GOPATH}}
    gcflags:
      - all=-trimpath={{.Env.GOPATH}}
    ldflags:
      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }} -s -w -buildid=
    tags:
      - with_gvisor
      - with_quic
      - with_dhcp
      - with_wireguard
      - with_ech
      - with_utls
      - with_reality_server
      - with_acme
      - with_clash_api
    env:
      - CGO_ENABLED=0
      - GOROOT=/nix/store/kg6i737jjqs923jcijnm003h68c1dghj-go-1.20.11/share/go
    gobinary: /nix/store/kg6i737jjqs923jcijnm003h68c1dghj-go-1.20.11/bin/go
    targets:
      - windows_amd64_v1
      - windows_386
      - darwin_amd64_v1
    mod_timestamp: '{{ .CommitTimestamp }}'
  - id: android
    main: ./cmd/sing-box
    flags:
@@ -82,12 +48,8 @@ builds:
    tags:
      - with_gvisor
      - with_quic
      - with_dhcp
      - with_wireguard
      - with_ech
      - with_utls
      - with_reality_server
      - with_acme
      - with_clash_api
    env:
      - CGO_ENABLED=1
@@ -124,9 +86,6 @@ snapshot:
  name_template: "{{ .Version }}.{{ .ShortCommit }}"
 archives:
  - id: archive
    builds:
      - main
      - android
    format: tar.gz
    format_overrides:
      - goos: windows
@@ -135,17 +94,6 @@ archives:
    files:
      - LICENSE
    name_template: '{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
  - id: archive-legacy
    builds:
      - legacy
    format: tar.gz
    format_overrides:
      - goos: windows
        format: zip
    wrap_in_directory: true
    files:
      - LICENSE
    name_template: '{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}-legacy'
 nfpms:
  - id: package
    package_name: sing-box
@@ -158,7 +106,6 @@ nfpms:
    formats:
      - deb
      - rpm
      - archlinux
    priority: extra
    contents:
      - src: release/config/config.json
@@ -170,6 +117,8 @@ nfpms:
        dst: /etc/systemd/system/sing-box@.service
      - src: LICENSE
        dst: /usr/share/licenses/sing-box/LICENSE
    scripts:
      postremove: release/config/postremove.sh
 source:
  enabled: false
  name_template: '{{ .ProjectName }}-{{ .Version }}.source'
--- a/12
+++ b/12
@@ -1,27 +1,23 @@
-FROM --platform=$BUILDPLATFORM golang:1.21-alpine AS builder
+FROM golang:1.20-alpine AS builder
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
 COPY . /go/src/github.com/sagernet/sing-box
 WORKDIR /go/src/github.com/sagernet/sing-box
 ARG TARGETOS TARGETARCH
 ARG GOPROXY=""
 ENV GOPROXY ${GOPROXY}
 ENV CGO_ENABLED=0
 ENV GOOS=$TARGETOS
 ENV GOARCH=$TARGETARCH
 RUN set -ex \
    && apk add git build-base \
    && export COMMIT=$(git rev-parse --short HEAD) \
    && export VERSION=$(go run ./cmd/internal/read_tag) \
-    && go build -v -trimpath -tags \
+    && go build -v -trimpath -tags with_quic,with_wireguard,with_reality_server,with_acme \
        "with_gvisor,with_quic,with_dhcp,with_wireguard,with_ech,with_utls,with_reality_server,with_acme,with_clash_api" \
        -o /go/bin/sing-box \
        -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" -s -w -buildid=" \
        ./cmd/sing-box
-FROM --platform=$TARGETPLATFORM alpine AS dist
+FROM alpine AS dist
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"
 RUN set -ex \
    && apk upgrade \
    && apk add bash tzdata ca-certificates \
    && rm -rf /var/cache/apk/*
 COPY --from=builder /go/bin/sing-box /usr/local/bin/sing-box
-ENTRYPOINT ["sing-box"]
+ENTRYPOINT ["sing-box"]
--- a/5
+++ b/5
@@ -11,7 +11,4 @@ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 GNU General Public License for more details.
 You should have received a copy of the GNU General Public License
-along with this program. If not, see <http://www.gnu.org/licenses/>.
+along with this program. If not, see <http://www.gnu.org/licenses/>.
 In addition, no derivative work may use the name or imply association
 with this application without prior consent.
--- a/147
+++ b/147
@@ -1,39 +1,28 @@
 NAME = sing-box
 COMMIT = $(shell git rev-parse --short HEAD)
-TAGS_GO118 = with_gvisor,with_dhcp,with_wireguard,with_utls,with_reality_server,with_clash_api
+TAGS ?= with_gvisor,with_quic,with_wireguard,with_utls,with_reality_server,with_clash_api
-TAGS_GO120 = with_quic,with_ech
+TAGS_TEST ?= with_gvisor,with_quic,with_wireguard,with_grpc,with_ech,with_utls,with_reality_server,with_shadowsocksr
 TAGS ?= $(TAGS_GO118),$(TAGS_GO120)
 TAGS_TEST ?= with_gvisor,with_quic,with_wireguard,with_grpc,with_ech,with_utls,with_reality_server
 GOHOSTOS = $(shell go env GOHOSTOS)
 GOHOSTARCH = $(shell go env GOHOSTARCH)
 VERSION=$(shell CGO_ENABLED=0 GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) go run ./cmd/internal/read_tag)
-PARAMS = -v -trimpath -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=$(VERSION)' -s -w -buildid="
+PARAMS = -v -trimpath -tags "$(TAGS)" -ldflags "-X 'github.com/sagernet/sing-box/constant.Version=$(VERSION)' -s -w -buildid="
 MAIN_PARAMS = $(PARAMS) -tags $(TAGS)
 MAIN = ./cmd/sing-box
 PREFIX ?= $(shell go env GOPATH)
-.PHONY: test release docs
+.PHONY: test release
 build:
 	go build $(MAIN_PARAMS) $(MAIN)
 ci_build_go118:
 	go build $(PARAMS) $(MAIN)
 	go build $(PARAMS) -tags "$(TAGS_GO118)" $(MAIN)
 ci_build:
 	go build $(PARAMS) $(MAIN)
 	go build $(MAIN_PARAMS) $(MAIN)
 install:
-	go build -o $(PREFIX)/bin/$(NAME) $(MAIN_PARAMS) $(MAIN)
+	go build -o $(PREFIX)/bin/$(NAME) $(PARAMS) $(MAIN)
 fmt:
 	@gofumpt -l -w .
 	@gofmt -s -w .
-	@gci write --custom-order -s standard -s "prefix(github.com/sagernet/)" -s "default" .
+	@gci write --custom-order -s "standard,prefix(github.com/sagernet/),default" .
 fmt_install:
 	go install -v mvdan.cc/gofumpt@latest
@@ -58,103 +47,24 @@ proto_install:
 	go install -v google.golang.org/protobuf/cmd/protoc-gen-go@latest
 	go install -v google.golang.org/grpc/cmd/protoc-gen-go-grpc@latest
-release:
+snapshot:
-	go run ./cmd/internal/build goreleaser release --clean --skip-publish || exit 1
+	go run ./cmd/internal/build goreleaser release --rm-dist --snapshot || exit 1
 	mkdir dist/release
-	mv dist/*.tar.gz dist/*.zip dist/*.deb dist/*.rpm dist/*.pkg.tar.zst dist/release
+	mv dist/*.tar.gz dist/*.zip dist/*.deb dist/*.rpm dist/release
-	ghr --replace --draft --prerelease -p 3 "v${VERSION}" dist/release
+	ghr --delete --draft --prerelease -p 1 nightly dist/release
-	rm -r dist/release
+	rm -r dist
 release:
 	go run ./cmd/internal/build goreleaser release --rm-dist --skip-publish || exit 1
 	mkdir dist/release
 	mv dist/*.tar.gz dist/*.zip dist/*.deb dist/*.rpm dist/release
 	ghr --delete --draft --prerelease -p 3 $(shell git describe --tags) dist/release
 	rm -r dist
 release_install:
 	go install -v github.com/goreleaser/goreleaser@latest
 	go install -v github.com/tcnksm/ghr@latest
 update_android_version:
 	go run ./cmd/internal/update_android_version
 build_android:
 	cd ../sing-box-for-android && ./gradlew :app:assemblePlayRelease && ./gradlew --stop
 upload_android:
 	mkdir -p dist/release_android
 	cp ../sing-box-for-android/app/build/outputs/apk/play/release/*.apk dist/release_android
 	ghr --replace --draft --prerelease -p 3 "v${VERSION}" dist/release_android
 	rm -rf dist/release_android
 release_android: lib_android update_android_version build_android upload_android
 publish_android:
 	cd ../sing-box-for-android && ./gradlew :app:publishPlayReleaseBundle
 publish_android_appcenter:
 	cd ../sing-box-for-android && ./gradlew :app:appCenterAssembleAndUploadPlayRelease
 build_ios:
 	cd ../sing-box-for-apple && \
 	rm -rf build/SFI.xcarchive && \
 	xcodebuild archive -scheme SFI -configuration Release -archivePath build/SFI.xcarchive
 upload_ios_app_store:
 	cd ../sing-box-for-apple && \
 	xcodebuild -exportArchive -archivePath build/SFI.xcarchive -exportOptionsPlist SFI/Upload.plist -allowProvisioningUpdates
 release_ios: build_ios upload_ios_app_store
 build_macos:
 	cd ../sing-box-for-apple && \
 	rm -rf build/SFM.xcarchive && \
 	xcodebuild archive -scheme SFM -configuration Release -archivePath build/SFM.xcarchive
 upload_macos_app_store:
 	cd ../sing-box-for-apple && \
 	xcodebuild -exportArchive -archivePath build/SFM.xcarchive -exportOptionsPlist SFI/Upload.plist  -allowProvisioningUpdates
 release_macos: build_macos upload_macos_app_store
 build_macos_independent:
 	cd ../sing-box-for-apple && \
 	rm -rf build/SFT.System.xcarchive && \
 	xcodebuild archive -scheme SFM.System -configuration Release -archivePath build/SFM.System.xcarchive
 notarize_macos_independent:
 	cd ../sing-box-for-apple && \
 	xcodebuild -exportArchive -archivePath "build/SFM.System.xcarchive" -exportOptionsPlist SFM.System/Upload.plist  -allowProvisioningUpdates
 wait_notarize_macos_independent:
 	sleep 60
 export_macos_independent:
 	rm -rf dist/SFM
 	mkdir -p dist/SFM
 	cd ../sing-box-for-apple && \
 	xcodebuild -exportNotarizedApp -archivePath build/SFM.System.xcarchive -exportPath "../sing-box/dist/SFM"
 upload_macos_independent:
 	cd dist/SFM && \
 	rm -f *.zip && \
 	zip -ry "SFM-${VERSION}-universal.zip" SFM.app && \
 	ghr --replace --draft --prerelease "v${VERSION}" *.zip
 release_macos_independent: build_macos_independent notarize_macos_independent wait_notarize_macos_independent export_macos_independent upload_macos_independent
 build_tvos:
 	cd ../sing-box-for-apple && \
 	rm -rf build/SFT.xcarchive && \
 	xcodebuild archive -scheme SFT -configuration Release -archivePath build/SFT.xcarchive
 upload_tvos_app_store:
 	cd ../sing-box-for-apple && \
 	xcodebuild -exportArchive -archivePath "build/SFT.xcarchive" -exportOptionsPlist SFI/Upload.plist  -allowProvisioningUpdates
 release_tvos: build_tvos upload_tvos_app_store
 update_apple_version:
 	go run ./cmd/internal/update_apple_version
 release_apple: lib_ios update_apple_version release_ios release_macos release_tvos release_macos_independent
 release_apple_beta: update_apple_version release_ios release_macos release_tvos
 test:
 	@go test -v ./... && \
 	cd test && \
@@ -167,29 +77,14 @@ test_stdio:
 	go mod tidy && \
 	go test -v -tags "$(TAGS_TEST),force_stdio" .
 lib_android:
 	go run ./cmd/internal/build_libbox -target android
 lib_ios:
 	go run ./cmd/internal/build_libbox -target ios
 lib:
-	go run ./cmd/internal/build_libbox -target android
+	go run ./cmd/internal/build_libbox
 	go run ./cmd/internal/build_libbox -target ios
 lib_install:
 	go get -v -d
-	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.0.0-20230915142329-c6740b6d2950
+	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.0.0-20221130124640-349ebaa752ca
-	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.0.0-20230915142329-c6740b6d2950
+	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.0.0-20221130124640-349ebaa752ca
 docs:
 	mkdocs serve
 publish_docs:
 	mkdocs gh-deploy -m "Update" --force --ignore-version --no-history
 docs_install:
 	pip install --force-reinstall mkdocs-material=="9.*" mkdocs-static-i18n=="1.2.*"
 clean:
 	rm -rf bin dist sing-box
 	rm -f $(shell go env GOPATH)/sing-box
--- a/README.md
+++ b/README.md
@@ -8,10 +8,6 @@ The universal proxy platform.
 https://sing-box.sagernet.org
 ## Support
 https://community.sagernet.org/c/sing-box/
 ## License
 ```
@@ -29,7 +25,4 @@ GNU General Public License for more details.
 You should have received a copy of the GNU General Public License
 along with this program. If not, see <http://www.gnu.org/licenses/>.
 In addition, no derivative work may use the name or imply association
 with this application without prior consent.
 ```
--- a/adapter/conn_router.go
+++ b/adapter/conn_router.go
@@ -1,104 +0,0 @@
 package adapter
 import (
 	"context"
 	"net"
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 type ConnectionRouter interface {
 	RouteConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
 	RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
 }
 func NewRouteHandler(
 	metadata InboundContext,
 	router ConnectionRouter,
 	logger logger.ContextLogger,
 ) UpstreamHandlerAdapter {
 	return &routeHandlerWrapper{
 		metadata: metadata,
 		router:   router,
 		logger:   logger,
 	}
 }
 func NewRouteContextHandler(
 	router ConnectionRouter,
 	logger logger.ContextLogger,
 ) UpstreamHandlerAdapter {
 	return &routeContextHandlerWrapper{
 		router: router,
 		logger: logger,
 	}
 }
 var _ UpstreamHandlerAdapter = (*routeHandlerWrapper)(nil)
 type routeHandlerWrapper struct {
 	metadata InboundContext
 	router   ConnectionRouter
 	logger   logger.ContextLogger
 }
 func (w *routeHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
 	myMetadata := w.metadata
 	if metadata.Source.IsValid() {
 		myMetadata.Source = metadata.Source
 	}
 	if metadata.Destination.IsValid() {
 		myMetadata.Destination = metadata.Destination
 	}
 	return w.router.RouteConnection(ctx, conn, myMetadata)
 }
 func (w *routeHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
 	myMetadata := w.metadata
 	if metadata.Source.IsValid() {
 		myMetadata.Source = metadata.Source
 	}
 	if metadata.Destination.IsValid() {
 		myMetadata.Destination = metadata.Destination
 	}
 	return w.router.RoutePacketConnection(ctx, conn, myMetadata)
 }
 func (w *routeHandlerWrapper) NewError(ctx context.Context, err error) {
 	w.logger.ErrorContext(ctx, err)
 }
 var _ UpstreamHandlerAdapter = (*routeContextHandlerWrapper)(nil)
 type routeContextHandlerWrapper struct {
 	router ConnectionRouter
 	logger logger.ContextLogger
 }
 func (w *routeContextHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
 	myMetadata := ContextFrom(ctx)
 	if metadata.Source.IsValid() {
 		myMetadata.Source = metadata.Source
 	}
 	if metadata.Destination.IsValid() {
 		myMetadata.Destination = metadata.Destination
 	}
 	return w.router.RouteConnection(ctx, conn, *myMetadata)
 }
 func (w *routeContextHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
 	myMetadata := ContextFrom(ctx)
 	if metadata.Source.IsValid() {
 		myMetadata.Source = metadata.Source
 	}
 	if metadata.Destination.IsValid() {
 		myMetadata.Destination = metadata.Destination
 	}
 	return w.router.RoutePacketConnection(ctx, conn, *myMetadata)
 }
 func (w *routeContextHandlerWrapper) NewError(ctx context.Context, err error) {
 	w.logger.ErrorContext(ctx, err)
 }
--- a/adapter/experimental.go
+++ b/adapter/experimental.go
@@ -12,9 +12,7 @@ type ClashServer interface {
 	Service
 	PreStarter
 	Mode() string
 	ModeList() []string
 	StoreSelected() bool
 	StoreFakeIP() bool
 	CacheFile() ClashCacheFile
 	HistoryStorage() *urltest.HistoryStorage
 	RoutedConnection(ctx context.Context, conn net.Conn, metadata InboundContext, matchedRule Rule) (net.Conn, Tracker)
@@ -22,13 +20,8 @@ type ClashServer interface {
 }
 type ClashCacheFile interface {
 	LoadMode() string
 	StoreMode(mode string) error
 	LoadSelected(group string) string
 	StoreSelected(group string, selected string) error
 	LoadGroupExpand(group string) (isExpand bool, loaded bool)
 	StoreGroupExpand(group string, expand bool) error
 	FakeIPStorage
 }
 type Tracker interface {
@@ -36,16 +29,10 @@ type Tracker interface {
 }
 type OutboundGroup interface {
 	Outbound
 	Now() string
 	All() []string
 }
 type URLTestGroup interface {
 	OutboundGroup
 	URLTest(ctx context.Context) (map[string]uint16, error)
 }
 func OutboundTag(detour Outbound) string {
 	if group, isGroup := detour.(OutboundGroup); isGroup {
 		return group.Now()
--- a/adapter/fakeip.go
+++ b/adapter/fakeip.go
@@ -1,32 +0,0 @@
 package adapter
 import (
 	"net/netip"
 	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing/common/logger"
 )
 type FakeIPStore interface {
 	Service
 	Contains(address netip.Addr) bool
 	Create(domain string, isIPv6 bool) (netip.Addr, error)
 	Lookup(address netip.Addr) (string, bool)
 	Reset() error
 }
 type FakeIPStorage interface {
 	FakeIPMetadata() *FakeIPMetadata
 	FakeIPSaveMetadata(metadata *FakeIPMetadata) error
 	FakeIPSaveMetadataAsync(metadata *FakeIPMetadata)
 	FakeIPStore(address netip.Addr, domain string) error
 	FakeIPStoreAsync(address netip.Addr, domain string, logger logger.Logger)
 	FakeIPLoad(address netip.Addr) (string, bool)
 	FakeIPLoadDomain(domain string, isIPv6 bool) (netip.Addr, bool)
 	FakeIPReset() error
 }
 type FakeIPTransport interface {
 	dns.Transport
 	Store() FakeIPStore
 }
--- a/adapter/fakeip_metadata.go
+++ b/adapter/fakeip_metadata.go
@@ -1,50 +0,0 @@
 package adapter
 import (
 	"bytes"
 	"encoding"
 	"encoding/binary"
 	"io"
 	"net/netip"
 	"github.com/sagernet/sing/common"
 )
 type FakeIPMetadata struct {
 	Inet4Range   netip.Prefix
 	Inet6Range   netip.Prefix
 	Inet4Current netip.Addr
 	Inet6Current netip.Addr
 }
 func (m *FakeIPMetadata) MarshalBinary() (data []byte, err error) {
 	var buffer bytes.Buffer
 	for _, marshaler := range []encoding.BinaryMarshaler{m.Inet4Range, m.Inet6Range, m.Inet4Current, m.Inet6Current} {
 		data, err = marshaler.MarshalBinary()
 		if err != nil {
 			return
 		}
 		common.Must(binary.Write(&buffer, binary.BigEndian, uint16(len(data))))
 		buffer.Write(data)
 	}
 	data = buffer.Bytes()
 	return
 }
 func (m *FakeIPMetadata) UnmarshalBinary(data []byte) error {
 	reader := bytes.NewReader(data)
 	for _, unmarshaler := range []encoding.BinaryUnmarshaler{&m.Inet4Range, &m.Inet6Range, &m.Inet4Current, &m.Inet6Current} {
 		var length uint16
 		common.Must(binary.Read(reader, binary.BigEndian, &length))
 		element := make([]byte, length)
 		_, err := io.ReadFull(reader, element)
 		if err != nil {
 			return err
 		}
 		err = unmarshaler.UnmarshalBinary(element)
 		if err != nil {
 			return err
 		}
 	}
 	return nil
 }
--- a/adapter/inbound.go
+++ b/adapter/inbound.go
@@ -46,7 +46,6 @@ type InboundContext struct {
 	SourceGeoIPCode      string
 	GeoIPCode            string
 	ProcessInfo          *process.Info
 	FakeIP               bool
 	// dns cache
@@ -75,11 +74,3 @@ func AppendContext(ctx context.Context) (context.Context, *InboundContext) {
 	metadata = new(InboundContext)
 	return WithContext(ctx, metadata), metadata
 }
 func ExtendContext(ctx context.Context) (context.Context, *InboundContext) {
 	var newMetadata InboundContext
 	if metadata := ContextFrom(ctx); metadata != nil {
 		newMetadata = *metadata
 	}
 	return WithContext(ctx, &newMetadata), &newMetadata
 }
--- a/adapter/outbound.go
+++ b/adapter/outbound.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"net"
 	tun "github.com/sagernet/sing-tun"
 	N "github.com/sagernet/sing/common/network"
 )
@@ -13,8 +14,12 @@ type Outbound interface {
 	Type() string
 	Tag() string
 	Network() []string
 	Dependencies() []string
 	N.Dialer
 	NewConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
 	NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
 }
 type IPOutbound interface {
 	Outbound
 	NewIPConnection(ctx context.Context, conn tun.RouteContext, metadata InboundContext) (tun.DirectDestination, error)
 }
--- a/adapter/prestart.go
+++ b/adapter/prestart.go
@@ -4,6 +4,12 @@ type PreStarter interface {
 	PreStart() error
 }
-type PostStarter interface {
+func PreStart(starter any) error {
-	PostStart() error
+	if preService, ok := starter.(PreStarter); ok {
 		err := preService.PreStart()
 		if err != nil {
 			return err
 		}
 	}
 	return nil
 }
--- a/adapter/router.go
+++ b/adapter/router.go
@@ -2,28 +2,30 @@ package adapter
 import (
 	"context"
 	"net"
 	"net/netip"
 	"github.com/sagernet/sing-box/common/geoip"
 	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing/common/control"
-	"github.com/sagernet/sing/service"
+	N "github.com/sagernet/sing/common/network"
 	mdns "github.com/miekg/dns"
 )
 type Router interface {
 	Service
 	PostStarter
 	Outbounds() []Outbound
 	Outbound(tag string) (Outbound, bool)
 	DefaultOutbound(network string) Outbound
-	FakeIPStore() FakeIPStore
+	RouteConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
 	RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
 	RouteIPConnection(ctx context.Context, conn tun.RouteContext, metadata InboundContext) tun.RouteAction
-	ConnectionRouter
+	NatRequired(outbound string) bool
 	GeoIPReader() *geoip.Reader
 	LoadGeosite(code string) (Rule, error)
@@ -31,10 +33,8 @@ type Router interface {
 	Exchange(ctx context.Context, message *mdns.Msg) (*mdns.Msg, error)
 	Lookup(ctx context.Context, domain string, strategy dns.DomainStrategy) ([]netip.Addr, error)
 	LookupDefault(ctx context.Context, domain string) ([]netip.Addr, error)
 	ClearDNSCache()
 	InterfaceFinder() control.InterfaceFinder
 	UpdateInterfaces() error
 	DefaultInterface() string
 	AutoDetectInterface() bool
 	AutoDetectInterfaceFunc() control.Func
@@ -42,24 +42,31 @@ type Router interface {
 	NetworkMonitor() tun.NetworkUpdateMonitor
 	InterfaceMonitor() tun.DefaultInterfaceMonitor
 	PackageManager() tun.PackageManager
-	WIFIState() WIFIState
+
 	Rules() []Rule
 	IPRules() []IPRule
 	TimeService
 	ClashServer() ClashServer
 	SetClashServer(server ClashServer)
 	V2RayServer() V2RayServer
 	SetV2RayServer(server V2RayServer)
 	ResetNetwork() error
 }
 type routerContextKey struct{}
 func ContextWithRouter(ctx context.Context, router Router) context.Context {
-	return service.ContextWith(ctx, router)
+	return context.WithValue(ctx, (*routerContextKey)(nil), router)
 }
 func RouterFromContext(ctx context.Context) Router {
-	return service.FromContext[Router](ctx)
+	metadata := ctx.Value((*routerContextKey)(nil))
 	if metadata == nil {
 		return nil
 	}
 	return metadata.(Router)
 }
 type Rule interface {
@@ -74,14 +81,13 @@ type Rule interface {
 type DNSRule interface {
 	Rule
 	DisableCache() bool
-	RewriteTTL() *uint32
+}
 type IPRule interface {
 	Rule
 	Action() tun.ActionType
 }
 type InterfaceUpdateListener interface {
-	InterfaceUpdated()
+	InterfaceUpdated() error
 }
 type WIFIState struct {
 	SSID  string
 	BSSID string
 }
--- a/adapter/v2ray.go
+++ b/adapter/v2ray.go
@@ -5,6 +5,7 @@ import (
 	"net"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
@@ -18,6 +19,7 @@ type V2RayServerTransport interface {
 type V2RayServerTransportHandler interface {
 	N.TCPConnectionHandler
 	E.Handler
 	FallbackConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error
 }
 type V2RayClientTransport interface {
--- a/box.go
+++ b/box.go
@@ -9,6 +9,7 @@ import (
 	"time"
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/experimental"
 	"github.com/sagernet/sing-box/experimental/libbox/platform"
 	"github.com/sagernet/sing-box/inbound"
@@ -19,8 +20,6 @@ import (
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/service"
 	"github.com/sagernet/sing/service/pause"
 )
 var _ adapter.Service = (*Box)(nil)
@@ -32,51 +31,80 @@ type Box struct {
 	outbounds    []adapter.Outbound
 	logFactory   log.Factory
 	logger       log.ContextLogger
 	logFile      *os.File
 	preServices  map[string]adapter.Service
 	postServices map[string]adapter.Service
 	done         chan struct{}
 }
-type Options struct {
+func New(ctx context.Context, options option.Options, platformInterface platform.Interface) (*Box, error) {
 	option.Options
 	Context           context.Context
 	PlatformInterface platform.Interface
 	PlatformLogWriter log.PlatformWriter
 }
 func New(options Options) (*Box, error) {
 	ctx := options.Context
 	if ctx == nil {
 		ctx = context.Background()
 	}
 	ctx = service.ContextWithDefaultRegistry(ctx)
 	ctx = pause.ContextWithDefaultManager(ctx)
 	createdAt := time.Now()
 	experimentalOptions := common.PtrValueOrDefault(options.Experimental)
 	applyDebugOptions(common.PtrValueOrDefault(experimentalOptions.Debug))
 	var needClashAPI bool
 	var needV2RayAPI bool
-	if experimentalOptions.ClashAPI != nil || options.PlatformLogWriter != nil {
+	if experimentalOptions.ClashAPI != nil && experimentalOptions.ClashAPI.ExternalController != "" {
 		needClashAPI = true
 	}
 	if experimentalOptions.V2RayAPI != nil && experimentalOptions.V2RayAPI.Listen != "" {
 		needV2RayAPI = true
 	}
-	var defaultLogWriter io.Writer
+
-	if options.PlatformInterface != nil {
+	logOptions := common.PtrValueOrDefault(options.Log)
-		defaultLogWriter = io.Discard
+
-	}
+	var logFactory log.Factory
-	logFactory, err := log.New(log.Options{
+	var observableLogFactory log.ObservableFactory
-		Context:        ctx,
+	var logFile *os.File
-		Options:        common.PtrValueOrDefault(options.Log),
+	var logWriter io.Writer
-		Observable:     needClashAPI,
+	if logOptions.Disabled {
-		DefaultWriter:  defaultLogWriter,
+		observableLogFactory = log.NewNOPFactory()
-		BaseTime:       createdAt,
+		logFactory = observableLogFactory
-		PlatformWriter: options.PlatformLogWriter,
+	} else {
-	})
+		switch logOptions.Output {
-	if err != nil {
+		case "":
-		return nil, E.Cause(err, "create log factory")
+			if platformInterface != nil {
 				logWriter = io.Discard
 			} else {
 				logWriter = os.Stdout
 			}
 		case "stderr":
 			logWriter = os.Stderr
 		case "stdout":
 			logWriter = os.Stdout
 		default:
 			var err error
 			logFile, err = os.OpenFile(C.BasePath(logOptions.Output), os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0o644)
 			if err != nil {
 				return nil, err
 			}
 			logWriter = logFile
 		}
 		logFormatter := log.Formatter{
 			BaseTime:         createdAt,
 			DisableColors:    logOptions.DisableColor || logFile != nil,
 			DisableTimestamp: !logOptions.Timestamp && logFile != nil,
 			FullTimestamp:    logOptions.Timestamp,
 			TimestampFormat:  "-0700 2006-01-02 15:04:05",
 		}
 		if needClashAPI {
 			observableLogFactory = log.NewObservableFactory(logFormatter, logWriter, platformInterface)
 			logFactory = observableLogFactory
 		} else {
 			logFactory = log.NewFactory(logFormatter, logWriter, platformInterface)
 		}
 		if logOptions.Level != "" {
 			logLevel, err := log.ParseLevel(logOptions.Level)
 			if err != nil {
 				return nil, E.Cause(err, "parse log level")
 			}
 			logFactory.SetLevel(logLevel)
 		} else {
 			logFactory.SetLevel(log.LevelTrace)
 		}
 	}
 	router, err := route.NewRouter(
 		ctx,
 		logFactory,
@@ -84,7 +112,7 @@ func New(options Options) (*Box, error) {
 		common.PtrValueOrDefault(options.DNS),
 		common.PtrValueOrDefault(options.NTP),
 		options.Inbounds,
-		options.PlatformInterface,
+		platformInterface,
 	)
 	if err != nil {
 		return nil, E.Cause(err, "parse route options")
@@ -104,7 +132,7 @@ func New(options Options) (*Box, error) {
 			router,
 			logFactory.NewLogger(F.ToString("inbound/", inboundOptions.Type, "[", tag, "]")),
 			inboundOptions,
-			options.PlatformInterface,
+			platformInterface,
 		)
 		if err != nil {
 			return nil, E.Cause(err, "parse inbound[", i, "]")
@@ -123,7 +151,6 @@ func New(options Options) (*Box, error) {
 			ctx,
 			router,
 			logFactory.NewLogger(F.ToString("outbound/", outboundOptions.Type, "[", tag, "]")),
 			tag,
 			outboundOptions)
 		if err != nil {
 			return nil, E.Cause(err, "parse outbound[", i, "]")
@@ -131,7 +158,7 @@ func New(options Options) (*Box, error) {
 		outbounds = append(outbounds, out)
 	}
 	err = router.Initialize(inbounds, outbounds, func() adapter.Outbound {
-		out, oErr := outbound.New(ctx, router, logFactory.NewLogger("outbound/direct"), "direct", option.Outbound{Type: "direct", Tag: "default"})
+		out, oErr := outbound.New(ctx, router, logFactory.NewLogger("outbound/direct"), option.Outbound{Type: "direct", Tag: "default"})
 		common.Must(oErr)
 		outbounds = append(outbounds, out)
 		return out
@@ -139,18 +166,10 @@ func New(options Options) (*Box, error) {
 	if err != nil {
 		return nil, err
 	}
 	if options.PlatformInterface != nil {
 		err = options.PlatformInterface.Initialize(ctx, router)
 		if err != nil {
 			return nil, E.Cause(err, "initialize platform interface")
 		}
 	}
 	preServices := make(map[string]adapter.Service)
 	postServices := make(map[string]adapter.Service)
 	if needClashAPI {
-		clashAPIOptions := common.PtrValueOrDefault(experimentalOptions.ClashAPI)
+		clashServer, err := experimental.NewClashServer(router, observableLogFactory, common.PtrValueOrDefault(options.Experimental.ClashAPI))
 		clashAPIOptions.ModeList = experimental.CalculateClashModeList(options.Options)
 		clashServer, err := experimental.NewClashServer(ctx, router, logFactory.(log.ObservableFactory), clashAPIOptions)
 		if err != nil {
 			return nil, E.Cause(err, "create clash api server")
 		}
@@ -158,7 +177,7 @@ func New(options Options) (*Box, error) {
 		preServices["clash api"] = clashServer
 	}
 	if needV2RayAPI {
-		v2rayServer, err := experimental.NewV2RayServer(logFactory.NewLogger("v2ray-api"), common.PtrValueOrDefault(experimentalOptions.V2RayAPI))
+		v2rayServer, err := experimental.NewV2RayServer(logFactory.NewLogger("v2ray-api"), common.PtrValueOrDefault(options.Experimental.V2RayAPI))
 		if err != nil {
 			return nil, E.Cause(err, "create v2ray api server")
 		}
@@ -172,6 +191,7 @@ func New(options Options) (*Box, error) {
 		createdAt:    createdAt,
 		logFactory:   logFactory,
 		logger:       logFactory.Logger(),
 		logFile:      logFile,
 		preServices:  preServices,
 		postServices: postServices,
 		done:         make(chan struct{}),
@@ -218,17 +238,26 @@ func (s *Box) Start() error {
 func (s *Box) preStart() error {
 	for serviceName, service := range s.preServices {
-		if preService, isPreService := service.(adapter.PreStarter); isPreService {
+		s.logger.Trace("pre-starting ", serviceName)
-			s.logger.Trace("pre-start ", serviceName)
+		err := adapter.PreStart(service)
-			err := preService.PreStart()
+		if err != nil {
-			if err != nil {
+			return E.Cause(err, "pre-start ", serviceName)
 				return E.Cause(err, "pre-starting ", serviceName)
 			}
 		}
 	}
-	err := s.startOutbounds()
+	for i, out := range s.outbounds {
-	if err != nil {
+		if starter, isStarter := out.(common.Starter); isStarter {
-		return err
+			var tag string
 			if out.Tag() == "" {
 				tag = F.ToString(i)
 			} else {
 				tag = out.Tag()
 			}
 			s.logger.Trace("initializing outbound ", tag)
 			err := starter.Start()
 			if err != nil {
 				return E.Cause(err, "initialize outbound/", out.Type(), "[", tag, "]")
 			}
 		}
 	}
 	return s.router.Start()
 }
@@ -252,34 +281,20 @@ func (s *Box) start() error {
 		} else {
 			tag = in.Tag()
 		}
-		s.logger.Trace("initializing inbound/", in.Type(), "[", tag, "]")
+		s.logger.Trace("initializing inbound ", tag)
 		err = in.Start()
 		if err != nil {
 			return E.Cause(err, "initialize inbound/", in.Type(), "[", tag, "]")
 		}
 	}
 	return s.postStart()
 }
 func (s *Box) postStart() error {
 	for serviceName, service := range s.postServices {
-		s.logger.Trace("starting ", service)
+		s.logger.Trace("start ", serviceName)
-		err := service.Start()
+		err = service.Start()
 		if err != nil {
-			return E.Cause(err, "start ", serviceName)
+			return E.Cause(err, "starting ", serviceName)
 		}
 	}
-	for _, outbound := range s.outbounds {
+	return nil
 		if lateOutbound, isLateOutbound := outbound.(adapter.PostStarter); isLateOutbound {
 			s.logger.Trace("post-starting outbound/", outbound.Tag())
 			err := lateOutbound.PostStart()
 			if err != nil {
 				return E.Cause(err, "post-start outbound/", outbound.Tag())
 			}
 		}
 	}
 	s.logger.Trace("post-starting router")
 	return s.router.PostStart()
 }
 func (s *Box) Close() error {
@@ -291,21 +306,33 @@ func (s *Box) Close() error {
 	}
 	var errors error
 	for serviceName, service := range s.postServices {
 		s.logger.Trace("closing ", serviceName)
 		errors = E.Append(errors, service.Close(), func(err error) error {
 			s.logger.Trace("closing ", serviceName)
 			return E.Cause(err, "close ", serviceName)
 		})
 	}
 	for i, in := range s.inbounds {
-		s.logger.Trace("closing inbound/", in.Type(), "[", i, "]")
+		var tag string
 		if in.Tag() == "" {
 			tag = F.ToString(i)
 		} else {
 			tag = in.Tag()
 		}
 		s.logger.Trace("closing inbound ", tag)
 		errors = E.Append(errors, in.Close(), func(err error) error {
 			return E.Cause(err, "close inbound/", in.Type(), "[", i, "]")
 		})
 	}
 	for i, out := range s.outbounds {
-		s.logger.Trace("closing outbound/", out.Type(), "[", i, "]")
+		var tag string
 		if out.Tag() == "" {
 			tag = F.ToString(i)
 		} else {
 			tag = out.Tag()
 		}
 		s.logger.Trace("closing outbound ", tag)
 		errors = E.Append(errors, common.Close(out), func(err error) error {
-			return E.Cause(err, "close outbound/", out.Type(), "[", i, "]")
+			return E.Cause(err, "close inbound/", out.Type(), "[", i, "]")
 		})
 	}
 	s.logger.Trace("closing router")
@@ -320,12 +347,17 @@ func (s *Box) Close() error {
 			return E.Cause(err, "close ", serviceName)
 		})
 	}
-	s.logger.Trace("closing log factory")
+	s.logger.Trace("closing logger")
 	if err := common.Close(s.logFactory); err != nil {
 		errors = E.Append(errors, err, func(err error) error {
 			return E.Cause(err, "close log factory")
 		})
 	}
 	if s.logFile != nil {
 		errors = E.Append(errors, s.logFile.Close(), func(err error) error {
 			return E.Cause(err, "close log file")
 		})
 	}
 	return errors
 }
--- a/box_outbound.go
+++ b/box_outbound.go
@@ -1,79 +0,0 @@
 package box
 import (
 	"strings"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
 )
 func (s *Box) startOutbounds() error {
 	outboundTags := make(map[adapter.Outbound]string)
 	outbounds := make(map[string]adapter.Outbound)
 	for i, outboundToStart := range s.outbounds {
 		var outboundTag string
 		if outboundToStart.Tag() == "" {
 			outboundTag = F.ToString(i)
 		} else {
 			outboundTag = outboundToStart.Tag()
 		}
 		if _, exists := outbounds[outboundTag]; exists {
 			return E.New("outbound tag ", outboundTag, " duplicated")
 		}
 		outboundTags[outboundToStart] = outboundTag
 		outbounds[outboundTag] = outboundToStart
 	}
 	started := make(map[string]bool)
 	for {
 		canContinue := false
 	startOne:
 		for _, outboundToStart := range s.outbounds {
 			outboundTag := outboundTags[outboundToStart]
 			if started[outboundTag] {
 				continue
 			}
 			dependencies := outboundToStart.Dependencies()
 			for _, dependency := range dependencies {
 				if !started[dependency] {
 					continue startOne
 				}
 			}
 			started[outboundTag] = true
 			canContinue = true
 			if starter, isStarter := outboundToStart.(common.Starter); isStarter {
 				s.logger.Trace("initializing outbound/", outboundToStart.Type(), "[", outboundTag, "]")
 				err := starter.Start()
 				if err != nil {
 					return E.Cause(err, "initialize outbound/", outboundToStart.Type(), "[", outboundTag, "]")
 				}
 			}
 		}
 		if len(started) == len(s.outbounds) {
 			break
 		}
 		if canContinue {
 			continue
 		}
 		currentOutbound := common.Find(s.outbounds, func(it adapter.Outbound) bool {
 			return !started[outboundTags[it]]
 		})
 		var lintOutbound func(oTree []string, oCurrent adapter.Outbound) error
 		lintOutbound = func(oTree []string, oCurrent adapter.Outbound) error {
 			problemOutboundTag := common.Find(oCurrent.Dependencies(), func(it string) bool {
 				return !started[it]
 			})
 			if common.Contains(oTree, problemOutboundTag) {
 				return E.New("circular outbound dependency: ", strings.Join(oTree, " -> "), " -> ", problemOutboundTag)
 			}
 			problemOutbound := outbounds[problemOutboundTag]
 			if problemOutbound == nil {
 				return E.New("dependency[", problemOutboundTag, "] not found for outbound[", outboundTags[oCurrent], "]")
 			}
 			return lintOutbound(append(oTree, problemOutboundTag), problemOutbound)
 		}
 		return lintOutbound([]string{outboundTags[currentOutbound]}, currentOutbound)
 	}
 	return nil
 }
--- a/cmd/internal/build/main.go
+++ b/cmd/internal/build/main.go
@@ -1,7 +1,6 @@
 package main
 import (
 	"go/build"
 	"os"
 	"os/exec"
@@ -12,10 +11,6 @@ import (
 func main() {
 	build_shared.FindSDK()
 	if os.Getenv("GOPATH") == "" {
 		os.Setenv("GOPATH", build.Default.GOPATH)
 	}
 	command := exec.Command(os.Args[1], os.Args[2:]...)
 	command.Stdout = os.Stdout
 	command.Stderr = os.Stderr
--- a/cmd/internal/build_libbox/main.go
+++ b/cmd/internal/build_libbox/main.go
@@ -5,7 +5,6 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
 	"strings"
 	_ "github.com/sagernet/gomobile/event/key"
 	"github.com/sagernet/sing-box/cmd/internal/build_shared"
@@ -39,24 +38,18 @@ func main() {
 var (
 	sharedFlags []string
 	debugFlags  []string
 	sharedTags  []string
 	iosTags     []string
 	debugTags   []string
 )
 func init() {
 	sharedFlags = append(sharedFlags, "-trimpath")
 	sharedFlags = append(sharedFlags, "-ldflags")
 	currentTag, err := build_shared.ReadTag()
 	if err != nil {
 		currentTag = "unknown"
 	}
 	sharedFlags = append(sharedFlags, "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -s -w -buildid=")
 	debugFlags = append(debugFlags, "-X github.com/sagernet/sing-box/constant.Version="+currentTag)
 	sharedTags = append(sharedTags, "with_gvisor", "with_quic", "with_wireguard", "with_ech", "with_utls", "with_clash_api")
 	iosTags = append(iosTags, "with_dhcp", "with_low_memory", "with_conntrack")
 	debugTags = append(debugTags, "debug")
 }
 func buildAndroid() {
@@ -77,9 +70,9 @@ func buildAndroid() {
 	args = append(args, "-tags")
 	if !debugEnabled {
-		args = append(args, strings.Join(sharedTags, ","))
+		args = append(args, "with_gvisor,with_quic,with_wireguard,with_utls,with_clash_api")
 	} else {
-		args = append(args, strings.Join(append(sharedTags, debugTags...), ","))
+		args = append(args, "with_gvisor,with_quic,with_wireguard,with_utls,with_clash_api,debug")
 	}
 	args = append(args, "./experimental/libbox")
@@ -107,7 +100,7 @@ func buildiOS() {
 	args := []string{
 		"bind",
 		"-v",
-		"-target", "ios,iossimulator,tvos,tvossimulator,macos",
+		"-target", "ios,iossimulator,macos",
 		"-libname=box",
 	}
 	if !debugEnabled {
@@ -116,12 +109,11 @@ func buildiOS() {
 		args = append(args, debugFlags...)
 	}
 	tags := append(sharedTags, iosTags...)
 	args = append(args, "-tags")
 	if !debugEnabled {
-		args = append(args, strings.Join(tags, ","))
+		args = append(args, "with_gvisor,with_quic,with_utls,with_clash_api,with_low_memory,with_conntrack")
 	} else {
-		args = append(args, strings.Join(append(tags, debugTags...), ","))
+		args = append(args, "with_gvisor,with_quic,with_utls,with_clash_api,with_low_memory,with_conntrack,debug")
 	}
 	args = append(args, "./experimental/libbox")
@@ -133,7 +125,7 @@ func buildiOS() {
 		log.Fatal(err)
 	}
-	copyPath := filepath.Join("..", "sing-box-for-apple")
+	copyPath := filepath.Join("..", "sing-box-for-ios")
 	if rw.FileExists(copyPath) {
 		targetDir := filepath.Join(copyPath, "Libbox.xcframework")
 		targetDir, _ = filepath.Abs(targetDir)
--- a/cmd/internal/build_shared/tag.go
+++ b/cmd/internal/build_shared/tag.go
@@ -1,10 +1,6 @@
 package build_shared
-import (
+import "github.com/sagernet/sing/common/shell"
 	"github.com/sagernet/sing-box/common/badversion"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/shell"
 )
 func ReadTag() (string, error) {
 	currentTag, err := shell.Exec("git", "describe", "--tags").ReadOutput()
@@ -16,18 +12,5 @@ func ReadTag() (string, error) {
 		return currentTag[1:], nil
 	}
 	shortCommit, _ := shell.Exec("git", "rev-parse", "--short", "HEAD").ReadOutput()
-	version := badversion.Parse(currentTagRev[1:])
+	return currentTagRev[1:] + "-" + shortCommit, nil
 	return version.String() + "-" + shortCommit, nil
 }
 func ReadTagVersion() (badversion.Version, error) {
 	currentTag := common.Must1(shell.Exec("git", "describe", "--tags").ReadOutput())
 	currentTagRev := common.Must1(shell.Exec("git", "describe", "--tags", "--abbrev=0").ReadOutput())
 	version := badversion.Parse(currentTagRev[1:])
 	if currentTagRev != currentTag {
 		if version.PreReleaseIdentifier == "" {
 			version.Patch++
 		}
 	}
 	return version, nil
 }
--- a/cmd/internal/update_android_version/main.go
+++ b/cmd/internal/update_android_version/main.go
@@ -1,51 +0,0 @@
 package main
 import (
 	"os"
 	"path/filepath"
 	"strconv"
 	"strings"
 	"github.com/sagernet/sing-box/cmd/internal/build_shared"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common"
 )
 func main() {
 	newVersion := common.Must1(build_shared.ReadTagVersion())
 	androidPath, err := filepath.Abs("../sing-box-for-android")
 	if err != nil {
 		log.Fatal(err)
 	}
 	common.Must(os.Chdir(androidPath))
 	localProps := common.Must1(os.ReadFile("local.properties"))
 	var propsList [][]string
 	for _, propLine := range strings.Split(string(localProps), "\n") {
 		propsList = append(propsList, strings.Split(propLine, "="))
 	}
 	for _, propPair := range propsList {
 		if propPair[0] == "VERSION_NAME" {
 			if propPair[1] == newVersion.String() {
 				log.Info("version not changed")
 				return
 			}
 			propPair[1] = newVersion.String()
 			log.Info("updated version to ", newVersion.String())
 		}
 	}
 	for _, propPair := range propsList {
 		switch propPair[0] {
 		case "VERSION_CODE":
 			versionCode := common.Must1(strconv.ParseInt(propPair[1], 10, 64))
 			propPair[1] = strconv.Itoa(int(versionCode + 1))
 			log.Info("updated version code to ", propPair[1])
 		case "RELEASE_NOTES":
 			propPair[1] = "sing-box " + newVersion.String()
 		}
 	}
 	var newProps []string
 	for _, propPair := range propsList {
 		newProps = append(newProps, strings.Join(propPair, "="))
 	}
 	common.Must(os.WriteFile("local.properties", []byte(strings.Join(newProps, "\n")), 0o644))
 }
--- a/cmd/internal/update_apple_version/main.go
+++ b/cmd/internal/update_apple_version/main.go
@@ -1,131 +0,0 @@
 package main
 import (
 	"os"
 	"path/filepath"
 	"regexp"
 	"strings"
 	"github.com/sagernet/sing-box/cmd/internal/build_shared"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common"
 	"howett.net/plist"
 )
 func main() {
 	newVersion := common.Must1(build_shared.ReadTagVersion())
 	applePath, err := filepath.Abs("../sing-box-for-apple")
 	if err != nil {
 		log.Fatal(err)
 	}
 	common.Must(os.Chdir(applePath))
 	projectFile := common.Must1(os.Open("sing-box.xcodeproj/project.pbxproj"))
 	var project map[string]any
 	decoder := plist.NewDecoder(projectFile)
 	common.Must(decoder.Decode(&project))
 	objectsMap := project["objects"].(map[string]any)
 	projectContent := string(common.Must1(os.ReadFile("sing-box.xcodeproj/project.pbxproj")))
 	newContent, updated0 := findAndReplace(objectsMap, projectContent, []string{"io.nekohasekai.sfa"}, newVersion.VersionString())
 	newContent, updated1 := findAndReplace(objectsMap, newContent, []string{"io.nekohasekai.sfa.independent", "io.nekohasekai.sfa.system"}, newVersion.String())
 	if updated0 || updated1 {
 		log.Info("updated version to ", newVersion.VersionString(), " (", newVersion.String(), ")")
 	}
 	var updated2 bool
 	if macProjectVersion := os.Getenv("MACOS_PROJECT_VERSION"); macProjectVersion != "" {
 		newContent, updated2 = findAndReplaceProjectVersion(objectsMap, newContent, []string{"SFM"}, macProjectVersion)
 		if updated2 {
 			log.Info("updated macos project version to ", macProjectVersion)
 		}
 	}
 	if updated0 || updated1 || updated2 {
 		common.Must(os.WriteFile("sing-box.xcodeproj/project.pbxproj", []byte(newContent), 0o644))
 	}
 }
 func findAndReplace(objectsMap map[string]any, projectContent string, bundleIDList []string, newVersion string) (string, bool) {
 	objectKeyList := findObjectKey(objectsMap, bundleIDList)
 	var updated bool
 	for _, objectKey := range objectKeyList {
 		matchRegexp := common.Must1(regexp.Compile(objectKey + ".*= \\{"))
 		indexes := matchRegexp.FindStringIndex(projectContent)
 		if len(indexes) < 2 {
 			println(projectContent)
 			log.Fatal("failed to find object key ", objectKey, ": ", strings.Index(projectContent, objectKey))
 		}
 		indexStart := indexes[1]
 		indexEnd := indexStart + strings.Index(projectContent[indexStart:], "}")
 		versionStart := indexStart + strings.Index(projectContent[indexStart:indexEnd], "MARKETING_VERSION = ") + 20
 		versionEnd := versionStart + strings.Index(projectContent[versionStart:indexEnd], ";")
 		version := projectContent[versionStart:versionEnd]
 		if version == newVersion {
 			continue
 		}
 		updated = true
 		projectContent = projectContent[:versionStart] + newVersion + projectContent[versionEnd:]
 	}
 	return projectContent, updated
 }
 func findAndReplaceProjectVersion(objectsMap map[string]any, projectContent string, directoryList []string, newVersion string) (string, bool) {
 	objectKeyList := findObjectKeyByDirectory(objectsMap, directoryList)
 	var updated bool
 	for _, objectKey := range objectKeyList {
 		matchRegexp := common.Must1(regexp.Compile(objectKey + ".*= \\{"))
 		indexes := matchRegexp.FindStringIndex(projectContent)
 		if len(indexes) < 2 {
 			println(projectContent)
 			log.Fatal("failed to find object key ", objectKey, ": ", strings.Index(projectContent, objectKey))
 		}
 		indexStart := indexes[1]
 		indexEnd := indexStart + strings.Index(projectContent[indexStart:], "}")
 		versionStart := indexStart + strings.Index(projectContent[indexStart:indexEnd], "CURRENT_PROJECT_VERSION = ") + 26
 		versionEnd := versionStart + strings.Index(projectContent[versionStart:indexEnd], ";")
 		version := projectContent[versionStart:versionEnd]
 		if version == newVersion {
 			continue
 		}
 		updated = true
 		projectContent = projectContent[:versionStart] + newVersion + projectContent[versionEnd:]
 	}
 	return projectContent, updated
 }
 func findObjectKey(objectsMap map[string]any, bundleIDList []string) []string {
 	var objectKeyList []string
 	for objectKey, object := range objectsMap {
 		buildSettings := object.(map[string]any)["buildSettings"]
 		if buildSettings == nil {
 			continue
 		}
 		bundleIDObject := buildSettings.(map[string]any)["PRODUCT_BUNDLE_IDENTIFIER"]
 		if bundleIDObject == nil {
 			continue
 		}
 		if common.Contains(bundleIDList, bundleIDObject.(string)) {
 			objectKeyList = append(objectKeyList, objectKey)
 		}
 	}
 	return objectKeyList
 }
 func findObjectKeyByDirectory(objectsMap map[string]any, directoryList []string) []string {
 	var objectKeyList []string
 	for objectKey, object := range objectsMap {
 		buildSettings := object.(map[string]any)["buildSettings"]
 		if buildSettings == nil {
 			continue
 		}
 		infoPListFile := buildSettings.(map[string]any)["INFOPLIST_FILE"]
 		if infoPListFile == nil {
 			continue
 		}
 		for _, searchDirectory := range directoryList {
 			if strings.HasPrefix(infoPListFile.(string), searchDirectory+"/") {
 				objectKeyList = append(objectKeyList, objectKey)
 			}
 		}
 	}
 	return objectKeyList
 }
--- a/cmd/sing-box/cmd_check.go
+++ b/cmd/sing-box/cmd_check.go
@@ -31,10 +31,7 @@ func check() error {
 		return err
 	}
 	ctx, cancel := context.WithCancel(context.Background())
-	instance, err := box.New(box.Options{
+	instance, err := box.New(ctx, options, nil)
 		Context: ctx,
 		Options: options,
 	})
 	if err == nil {
 		instance.Close()
 	}
--- a/cmd/sing-box/cmd_generate.go
+++ b/cmd/sing-box/cmd_generate.go
@@ -9,8 +9,9 @@ import (
 	"github.com/sagernet/sing-box/log"
-	"github.com/gofrs/uuid/v5"
+	"github.com/gofrs/uuid"
 	"github.com/spf13/cobra"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
 var commandGenerate = &cobra.Command{
@@ -21,7 +22,8 @@ var commandGenerate = &cobra.Command{
 func init() {
 	commandGenerate.AddCommand(commandGenerateUUID)
 	commandGenerate.AddCommand(commandGenerateRandom)
-
+	commandGenerate.AddCommand(commandGenerateWireGuardKeyPair)
 	commandGenerate.AddCommand(commandGenerateRealityKeyPair)
 	mainCommand.AddCommand(commandGenerate)
 }
@@ -90,3 +92,48 @@ func generateUUID() error {
 	_, err = os.Stdout.WriteString(newUUID.String() + "\n")
 	return err
 }
 var commandGenerateWireGuardKeyPair = &cobra.Command{
 	Use:   "wg-keypair",
 	Short: "Generate WireGuard key pair",
 	Args:  cobra.NoArgs,
 	Run: func(cmd *cobra.Command, args []string) {
 		err := generateWireGuardKey()
 		if err != nil {
 			log.Fatal(err)
 		}
 	},
 }
 func generateWireGuardKey() error {
 	privateKey, err := wgtypes.GeneratePrivateKey()
 	if err != nil {
 		return err
 	}
 	os.Stdout.WriteString("PrivateKey: " + privateKey.String() + "\n")
 	os.Stdout.WriteString("PublicKey: " + privateKey.PublicKey().String() + "\n")
 	return nil
 }
 var commandGenerateRealityKeyPair = &cobra.Command{
 	Use:   "reality-keypair",
 	Short: "Generate reality key pair",
 	Args:  cobra.NoArgs,
 	Run: func(cmd *cobra.Command, args []string) {
 		err := generateRealityKey()
 		if err != nil {
 			log.Fatal(err)
 		}
 	},
 }
 func generateRealityKey() error {
 	privateKey, err := wgtypes.GeneratePrivateKey()
 	if err != nil {
 		return err
 	}
 	publicKey := privateKey.PublicKey()
 	os.Stdout.WriteString("PrivateKey: " + base64.RawURLEncoding.EncodeToString(privateKey[:]) + "\n")
 	os.Stdout.WriteString("PublicKey: " + base64.RawURLEncoding.EncodeToString(publicKey[:]) + "\n")
 	return nil
 }
--- a/cmd/sing-box/cmd_generate_ech.go
+++ b/cmd/sing-box/cmd_generate_ech.go
@@ -1,39 +0,0 @@
 package main
 import (
 	"os"
 	"github.com/sagernet/sing-box/common/tls"
 	"github.com/sagernet/sing-box/log"
 	"github.com/spf13/cobra"
 )
 var pqSignatureSchemesEnabled bool
 var commandGenerateECHKeyPair = &cobra.Command{
 	Use:   "ech-keypair <plain_server_name>",
 	Short: "Generate TLS ECH key pair",
 	Args:  cobra.ExactArgs(1),
 	Run: func(cmd *cobra.Command, args []string) {
 		err := generateECHKeyPair(args[0])
 		if err != nil {
 			log.Fatal(err)
 		}
 	},
 }
 func init() {
 	commandGenerateECHKeyPair.Flags().BoolVar(&pqSignatureSchemesEnabled, "pq-signature-schemes-enabled", false, "Enable PQ signature schemes")
 	commandGenerate.AddCommand(commandGenerateECHKeyPair)
 }
 func generateECHKeyPair(serverName string) error {
 	configPem, keyPem, err := tls.ECHKeygenDefault(serverName, pqSignatureSchemesEnabled)
 	if err != nil {
 		return err
 	}
 	os.Stdout.WriteString(configPem)
 	os.Stdout.WriteString(keyPem)
 	return nil
 }
--- a/cmd/sing-box/cmd_generate_tls.go
+++ b/cmd/sing-box/cmd_generate_tls.go
@@ -1,40 +0,0 @@
 package main
 import (
 	"os"
 	"time"
 	"github.com/sagernet/sing-box/common/tls"
 	"github.com/sagernet/sing-box/log"
 	"github.com/spf13/cobra"
 )
 var flagGenerateTLSKeyPairMonths int
 var commandGenerateTLSKeyPair = &cobra.Command{
 	Use:   "tls-keypair <server_name>",
 	Short: "Generate TLS self sign key pair",
 	Args:  cobra.ExactArgs(1),
 	Run: func(cmd *cobra.Command, args []string) {
 		err := generateTLSKeyPair(args[0])
 		if err != nil {
 			log.Fatal(err)
 		}
 	},
 }
 func init() {
 	commandGenerateTLSKeyPair.Flags().IntVarP(&flagGenerateTLSKeyPairMonths, "months", "m", 1, "Valid months")
 	commandGenerate.AddCommand(commandGenerateTLSKeyPair)
 }
 func generateTLSKeyPair(serverName string) error {
 	privateKeyPem, publicKeyPem, err := tls.GenerateKeyPair(time.Now, serverName, time.Now().AddDate(0, flagGenerateTLSKeyPairMonths, 0))
 	if err != nil {
 		return err
 	}
 	os.Stdout.WriteString(string(privateKeyPem) + "\n")
 	os.Stdout.WriteString(string(publicKeyPem) + "\n")
 	return nil
 }
--- a/cmd/sing-box/cmd_generate_vapid.go
+++ b/cmd/sing-box/cmd_generate_vapid.go
@@ -1,40 +0,0 @@
 //go:build go1.20
 package main
 import (
 	"crypto/ecdh"
 	"crypto/rand"
 	"encoding/base64"
 	"os"
 	"github.com/sagernet/sing-box/log"
 	"github.com/spf13/cobra"
 )
 var commandGenerateVAPIDKeyPair = &cobra.Command{
 	Use:   "vapid-keypair",
 	Short: "Generate VAPID key pair",
 	Run: func(cmd *cobra.Command, args []string) {
 		err := generateVAPIDKeyPair()
 		if err != nil {
 			log.Fatal(err)
 		}
 	},
 }
 func init() {
 	commandGenerate.AddCommand(commandGenerateVAPIDKeyPair)
 }
 func generateVAPIDKeyPair() error {
 	privateKey, err := ecdh.P256().GenerateKey(rand.Reader)
 	if err != nil {
 		return err
 	}
 	publicKey := privateKey.PublicKey()
 	os.Stdout.WriteString("PrivateKey: " + base64.RawURLEncoding.EncodeToString(privateKey.Bytes()) + "\n")
 	os.Stdout.WriteString("PublicKey: " + base64.RawURLEncoding.EncodeToString(publicKey.Bytes()) + "\n")
 	return nil
 }
--- a/cmd/sing-box/cmd_generate_wireguard.go
+++ b/cmd/sing-box/cmd_generate_wireguard.go
@@ -1,61 +0,0 @@
 package main
 import (
 	"encoding/base64"
 	"os"
 	"github.com/sagernet/sing-box/log"
 	"github.com/spf13/cobra"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
 func init() {
 	commandGenerate.AddCommand(commandGenerateWireGuardKeyPair)
 	commandGenerate.AddCommand(commandGenerateRealityKeyPair)
 }
 var commandGenerateWireGuardKeyPair = &cobra.Command{
 	Use:   "wg-keypair",
 	Short: "Generate WireGuard key pair",
 	Args:  cobra.NoArgs,
 	Run: func(cmd *cobra.Command, args []string) {
 		err := generateWireGuardKey()
 		if err != nil {
 			log.Fatal(err)
 		}
 	},
 }
 func generateWireGuardKey() error {
 	privateKey, err := wgtypes.GeneratePrivateKey()
 	if err != nil {
 		return err
 	}
 	os.Stdout.WriteString("PrivateKey: " + privateKey.String() + "\n")
 	os.Stdout.WriteString("PublicKey: " + privateKey.PublicKey().String() + "\n")
 	return nil
 }
 var commandGenerateRealityKeyPair = &cobra.Command{
 	Use:   "reality-keypair",
 	Short: "Generate reality key pair",
 	Args:  cobra.NoArgs,
 	Run: func(cmd *cobra.Command, args []string) {
 		err := generateRealityKey()
 		if err != nil {
 			log.Fatal(err)
 		}
 	},
 }
 func generateRealityKey() error {
 	privateKey, err := wgtypes.GeneratePrivateKey()
 	if err != nil {
 		return err
 	}
 	publicKey := privateKey.PublicKey()
 	os.Stdout.WriteString("PrivateKey: " + base64.RawURLEncoding.EncodeToString(privateKey[:]) + "\n")
 	os.Stdout.WriteString("PublicKey: " + base64.RawURLEncoding.EncodeToString(publicKey[:]) + "\n")
 	return nil
 }
--- a/cmd/sing-box/cmd_merge.go
+++ b/cmd/sing-box/cmd_merge.go
@@ -1,174 +0,0 @@
 package main
 import (
 	"bytes"
 	"os"
 	"path/filepath"
 	"strings"
 	"github.com/sagernet/sing-box/common/json"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/rw"
 	"github.com/spf13/cobra"
 )
 var commandMerge = &cobra.Command{
 	Use:   "merge [output]",
 	Short: "Merge configurations",
 	Run: func(cmd *cobra.Command, args []string) {
 		err := merge(args[0])
 		if err != nil {
 			log.Fatal(err)
 		}
 	},
 	Args: cobra.ExactArgs(1),
 }
 func init() {
 	mainCommand.AddCommand(commandMerge)
 }
 func merge(outputPath string) error {
 	mergedOptions, err := readConfigAndMerge()
 	if err != nil {
 		return err
 	}
 	err = mergePathResources(&mergedOptions)
 	if err != nil {
 		return err
 	}
 	buffer := new(bytes.Buffer)
 	encoder := json.NewEncoder(buffer)
 	encoder.SetIndent("", "  ")
 	err = encoder.Encode(mergedOptions)
 	if err != nil {
 		return E.Cause(err, "encode config")
 	}
 	if existsContent, err := os.ReadFile(outputPath); err != nil {
 		if string(existsContent) == buffer.String() {
 			return nil
 		}
 	}
 	err = rw.WriteFile(outputPath, buffer.Bytes())
 	if err != nil {
 		return err
 	}
 	outputPath, _ = filepath.Abs(outputPath)
 	os.Stderr.WriteString(outputPath + "\n")
 	return nil
 }
 func mergePathResources(options *option.Options) error {
 	for index, inbound := range options.Inbounds {
 		switch inbound.Type {
 		case C.TypeHTTP:
 			inbound.HTTPOptions.TLS = mergeTLSInboundOptions(inbound.HTTPOptions.TLS)
 		case C.TypeMixed:
 			inbound.MixedOptions.TLS = mergeTLSInboundOptions(inbound.MixedOptions.TLS)
 		case C.TypeVMess:
 			inbound.VMessOptions.TLS = mergeTLSInboundOptions(inbound.VMessOptions.TLS)
 		case C.TypeTrojan:
 			inbound.TrojanOptions.TLS = mergeTLSInboundOptions(inbound.TrojanOptions.TLS)
 		case C.TypeNaive:
 			inbound.NaiveOptions.TLS = mergeTLSInboundOptions(inbound.NaiveOptions.TLS)
 		case C.TypeHysteria:
 			inbound.HysteriaOptions.TLS = mergeTLSInboundOptions(inbound.HysteriaOptions.TLS)
 		case C.TypeVLESS:
 			inbound.VLESSOptions.TLS = mergeTLSInboundOptions(inbound.VLESSOptions.TLS)
 		case C.TypeTUIC:
 			inbound.TUICOptions.TLS = mergeTLSInboundOptions(inbound.TUICOptions.TLS)
 		case C.TypeHysteria2:
 			inbound.Hysteria2Options.TLS = mergeTLSInboundOptions(inbound.Hysteria2Options.TLS)
 		default:
 			continue
 		}
 		options.Inbounds[index] = inbound
 	}
 	for index, outbound := range options.Outbounds {
 		switch outbound.Type {
 		case C.TypeHTTP:
 			outbound.HTTPOptions.TLS = mergeTLSOutboundOptions(outbound.HTTPOptions.TLS)
 		case C.TypeVMess:
 			outbound.VMessOptions.TLS = mergeTLSOutboundOptions(outbound.VMessOptions.TLS)
 		case C.TypeTrojan:
 			outbound.TrojanOptions.TLS = mergeTLSOutboundOptions(outbound.TrojanOptions.TLS)
 		case C.TypeHysteria:
 			outbound.HysteriaOptions.TLS = mergeTLSOutboundOptions(outbound.HysteriaOptions.TLS)
 		case C.TypeSSH:
 			outbound.SSHOptions = mergeSSHOutboundOptions(outbound.SSHOptions)
 		case C.TypeVLESS:
 			outbound.VLESSOptions.TLS = mergeTLSOutboundOptions(outbound.VLESSOptions.TLS)
 		case C.TypeTUIC:
 			outbound.TUICOptions.TLS = mergeTLSOutboundOptions(outbound.TUICOptions.TLS)
 		case C.TypeHysteria2:
 			outbound.Hysteria2Options.TLS = mergeTLSOutboundOptions(outbound.Hysteria2Options.TLS)
 		default:
 			continue
 		}
 		options.Outbounds[index] = outbound
 	}
 	return nil
 }
 func mergeTLSInboundOptions(options *option.InboundTLSOptions) *option.InboundTLSOptions {
 	if options == nil {
 		return nil
 	}
 	if options.CertificatePath != "" {
 		if content, err := os.ReadFile(options.CertificatePath); err == nil {
 			options.Certificate = trimStringArray(strings.Split(string(content), "\n"))
 		}
 	}
 	if options.KeyPath != "" {
 		if content, err := os.ReadFile(options.KeyPath); err == nil {
 			options.Key = trimStringArray(strings.Split(string(content), "\n"))
 		}
 	}
 	if options.ECH != nil {
 		if options.ECH.KeyPath != "" {
 			if content, err := os.ReadFile(options.ECH.KeyPath); err == nil {
 				options.ECH.Key = trimStringArray(strings.Split(string(content), "\n"))
 			}
 		}
 	}
 	return options
 }
 func mergeTLSOutboundOptions(options *option.OutboundTLSOptions) *option.OutboundTLSOptions {
 	if options == nil {
 		return nil
 	}
 	if options.CertificatePath != "" {
 		if content, err := os.ReadFile(options.CertificatePath); err == nil {
 			options.Certificate = trimStringArray(strings.Split(string(content), "\n"))
 		}
 	}
 	if options.ECH != nil {
 		if options.ECH.ConfigPath != "" {
 			if content, err := os.ReadFile(options.ECH.ConfigPath); err == nil {
 				options.ECH.Config = trimStringArray(strings.Split(string(content), "\n"))
 			}
 		}
 	}
 	return options
 }
 func mergeSSHOutboundOptions(options option.SSHOutboundOptions) option.SSHOutboundOptions {
 	if options.PrivateKeyPath != "" {
 		if content, err := os.ReadFile(os.ExpandEnv(options.PrivateKeyPath)); err == nil {
 			options.PrivateKey = trimStringArray(strings.Split(string(content), "\n"))
 		}
 	}
 	return options
 }
 func trimStringArray(array []string) []string {
 	return common.Filter(array, func(it string) bool {
 		return strings.TrimSpace(it) != ""
 	})
 }
--- a/cmd/sing-box/cmd_run.go
+++ b/cmd/sing-box/cmd_run.go
@@ -10,7 +10,6 @@ import (
 	"sort"
 	"strings"
 	"syscall"
 	"time"
 	"github.com/sagernet/sing-box"
 	"github.com/sagernet/sing-box/common/badjsonmerge"
@@ -128,10 +127,7 @@ func create() (*box.Box, context.CancelFunc, error) {
 		options.Log.DisableColor = true
 	}
 	ctx, cancel := context.WithCancel(context.Background())
-	instance, err := box.New(box.Options{
+	instance, err := box.New(ctx, options, nil)
 		Context: ctx,
 		Options: options,
 	})
 	if err != nil {
 		cancel()
 		return nil, nil, E.Cause(err, "create service")
@@ -143,16 +139,14 @@ func create() (*box.Box, context.CancelFunc, error) {
 		signal.Stop(osSignals)
 		close(osSignals)
 	}()
-	startCtx, finishStart := context.WithCancel(context.Background())
+
 	go func() {
 		_, loaded := <-osSignals
 		if loaded {
 			cancel()
 			closeMonitor(startCtx)
 		}
 	}()
 	err = instance.Start()
 	finishStart()
 	if err != nil {
 		cancel()
 		return nil, nil, E.Cause(err, "start service")
@@ -180,10 +174,7 @@ func run() error {
 				}
 			}
 			cancel()
 			closeCtx, closed := context.WithCancel(context.Background())
 			go closeMonitor(closeCtx)
 			instance.Close()
 			closed()
 			if osSignal != syscall.SIGHUP {
 				return nil
 			}
@@ -191,13 +182,3 @@ func run() error {
 		}
 	}
 }
 func closeMonitor(ctx context.Context) {
 	time.Sleep(3 * time.Second)
 	select {
 	case <-ctx.Done():
 		return
 	default:
 	}
 	log.Fatal("sing-box did not close!")
 }
--- a/cmd/sing-box/cmd_tools.go
+++ b/cmd/sing-box/cmd_tools.go
@@ -1,6 +1,8 @@
 package main
 import (
 	"context"
 	"github.com/sagernet/sing-box"
 	E "github.com/sagernet/sing/common/exceptions"
 	N "github.com/sagernet/sing/common/network"
@@ -25,7 +27,7 @@ func createPreStartedClient() (*box.Box, error) {
 	if err != nil {
 		return nil, err
 	}
-	instance, err := box.New(box.Options{Options: options})
+	instance, err := box.New(context.Background(), options, nil)
 	if err != nil {
 		return nil, E.Cause(err, "create service")
 	}
--- a/cmd/sing-box/debug.go
+++ b/cmd/sing-box/debug.go
@@ -0,0 +1,44 @@
 //go:build debug
 package main
 import (
 	"encoding/json"
 	"net/http"
 	_ "net/http/pprof"
 	"runtime"
 	"runtime/debug"
 	"github.com/sagernet/sing-box/common/badjson"
 	"github.com/sagernet/sing-box/log"
 	"github.com/dustin/go-humanize"
 )
 func init() {
 	http.HandleFunc("/debug/gc", func(writer http.ResponseWriter, request *http.Request) {
 		writer.WriteHeader(http.StatusNoContent)
 		go debug.FreeOSMemory()
 	})
 	http.HandleFunc("/debug/memory", func(writer http.ResponseWriter, request *http.Request) {
 		var memStats runtime.MemStats
 		runtime.ReadMemStats(&memStats)
 		var memObject badjson.JSONObject
 		memObject.Put("heap", humanize.IBytes(memStats.HeapInuse))
 		memObject.Put("stack", humanize.IBytes(memStats.StackInuse))
 		memObject.Put("idle", humanize.IBytes(memStats.HeapIdle-memStats.HeapReleased))
 		memObject.Put("goroutines", runtime.NumGoroutine())
 		memObject.Put("rss", rusageMaxRSS())
 		encoder := json.NewEncoder(writer)
 		encoder.SetIndent("", "  ")
 		encoder.Encode(memObject)
 	})
 	go func() {
 		err := http.ListenAndServe("0.0.0.0:8964", nil)
 		if err != nil {
 			log.Debug(err)
 		}
 	}()
 }
--- a/cmd/sing-box/debug_linux.go
+++ b/cmd/sing-box/debug_linux.go
@@ -1,4 +1,6 @@
-package box
+//go:build debug
 package main
 import (
 	"runtime"
--- a/cmd/sing-box/debug_stub.go
+++ b/cmd/sing-box/debug_stub.go
@@ -1,6 +1,6 @@
-//go:build !linux
+//go:build debug && !linux
-package box
+package main
 func rusageMaxRSS() float64 {
 	return -1
--- a/common/baderror/baderror.go
+++ b/common/baderror/baderror.go
@@ -0,0 +1,62 @@
 package baderror
 import (
 	"context"
 	"io"
 	"net"
 	"strings"
 	E "github.com/sagernet/sing/common/exceptions"
 )
 func Contains(err error, msgList ...string) bool {
 	for _, msg := range msgList {
 		if strings.Contains(err.Error(), msg) {
 			return true
 		}
 	}
 	return false
 }
 func WrapH2(err error) error {
 	if err == nil {
 		return nil
 	}
 	err = E.Unwrap(err)
 	if err == io.ErrUnexpectedEOF {
 		return io.EOF
 	}
 	if Contains(err, "client disconnected", "body closed by handler", "response body closed", "; CANCEL") {
 		return net.ErrClosed
 	}
 	return err
 }
 func WrapGRPC(err error) error {
 	// grpc uses stupid internal error types
 	if err == nil {
 		return nil
 	}
 	if Contains(err, "EOF") {
 		return io.EOF
 	}
 	if Contains(err, "Canceled") {
 		return context.Canceled
 	}
 	if Contains(err,
 		"the client connection is closing",
 		"server closed the stream without sending trailers") {
 		return net.ErrClosed
 	}
 	return err
 }
 func WrapQUIC(err error) error {
 	if err == nil {
 		return nil
 	}
 	if Contains(err, "canceled with error code 0") {
 		return net.ErrClosed
 	}
 	return err
 }
--- a/common/badjsonmerge/merge_test.go
+++ b/common/badjsonmerge/merge_test.go
@@ -21,7 +21,7 @@ func TestMergeJSON(t *testing.T) {
 				{
 					Type: C.RuleTypeDefault,
 					DefaultOptions: option.DefaultRule{
-						Network:  []string{N.NetworkTCP},
+						Network:  N.NetworkTCP,
 						Outbound: "direct",
 					},
 				},
@@ -42,7 +42,7 @@ func TestMergeJSON(t *testing.T) {
 				{
 					Type: C.RuleTypeDefault,
 					DefaultOptions: option.DefaultRule{
-						Network:  []string{N.NetworkUDP},
+						Network:  N.NetworkUDP,
 						Outbound: "direct",
 					},
 				},
--- a/common/badtls/badtls.go
+++ b/common/badtls/badtls.go
@@ -1,4 +1,4 @@
-//go:build go1.20 && !go1.21
+//go:build go1.19 && !go1.20
 package badtls
@@ -14,60 +14,39 @@ import (
 	"sync/atomic"
 	"unsafe"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
 	"github.com/sagernet/sing/common/bufio"
 	E "github.com/sagernet/sing/common/exceptions"
 	N "github.com/sagernet/sing/common/network"
 	aTLS "github.com/sagernet/sing/common/tls"
 )
 type Conn struct {
 	*tls.Conn
-	writer              N.ExtendedWriter
+	writer           N.ExtendedWriter
-	isHandshakeComplete *atomic.Bool
+	activeCall       *int32
-	activeCall          *atomic.Int32
+	closeNotifySent  *bool
-	closeNotifySent     *bool
+	version          *uint16
-	version             *uint16
+	rand             io.Reader
-	rand                io.Reader
+	halfAccess       *sync.Mutex
-	halfAccess          *sync.Mutex
+	halfError        *error
-	halfError           *error
+	cipher           cipher.AEAD
-	cipher              cipher.AEAD
+	explicitNonceLen int
-	explicitNonceLen    int
+	halfPtr          uintptr
-	halfPtr             uintptr
+	halfSeq          []byte
-	halfSeq             []byte
+	halfScratchBuf   []byte
 	halfScratchBuf      []byte
 }
-func TryCreate(conn aTLS.Conn) aTLS.Conn {
+func Create(conn *tls.Conn) (TLSConn, error) {
-	tlsConn, ok := conn.(*tls.Conn)
+	if !handshakeComplete(conn) {
 	if !ok {
 		return conn
 	}
 	badConn, err := Create(tlsConn)
 	if err != nil {
 		log.Warn("initialize badtls: ", err)
 		return conn
 	}
 	return badConn
 }
 func Create(conn *tls.Conn) (aTLS.Conn, error) {
 	rawConn := reflect.Indirect(reflect.ValueOf(conn))
 	rawIsHandshakeComplete := rawConn.FieldByName("isHandshakeComplete")
 	if !rawIsHandshakeComplete.IsValid() || rawIsHandshakeComplete.Kind() != reflect.Struct {
 		return nil, E.New("badtls: invalid isHandshakeComplete")
 	}
 	isHandshakeComplete := (*atomic.Bool)(unsafe.Pointer(rawIsHandshakeComplete.UnsafeAddr()))
 	if !isHandshakeComplete.Load() {
 		return nil, E.New("handshake not finished")
 	}
 	rawConn := reflect.Indirect(reflect.ValueOf(conn))
 	rawActiveCall := rawConn.FieldByName("activeCall")
-	if !rawActiveCall.IsValid() || rawActiveCall.Kind() != reflect.Struct {
+	if !rawActiveCall.IsValid() || rawActiveCall.Kind() != reflect.Int32 {
 		return nil, E.New("badtls: invalid active call")
 	}
-	activeCall := (*atomic.Int32)(unsafe.Pointer(rawActiveCall.UnsafeAddr()))
+	activeCall := (*int32)(unsafe.Pointer(rawActiveCall.UnsafeAddr()))
 	rawHalfConn := rawConn.FieldByName("out")
 	if !rawHalfConn.IsValid() || rawHalfConn.Kind() != reflect.Struct {
 		return nil, E.New("badtls: invalid half conn")
@@ -129,20 +108,19 @@ func Create(conn *tls.Conn) (aTLS.Conn, error) {
 	}
 	halfScratchBuf := rawHalfScratchBuf.Bytes()
 	return &Conn{
-		Conn:                conn,
+		Conn:             conn,
-		writer:              bufio.NewExtendedWriter(conn.NetConn()),
+		writer:           bufio.NewExtendedWriter(conn.NetConn()),
-		isHandshakeComplete: isHandshakeComplete,
+		activeCall:       activeCall,
-		activeCall:          activeCall,
+		closeNotifySent:  closeNotifySent,
-		closeNotifySent:     closeNotifySent,
+		version:          version,
-		version:             version,
+		halfAccess:       halfAccess,
-		halfAccess:          halfAccess,
+		halfError:        halfError,
-		halfError:           halfError,
+		cipher:           aeadCipher,
-		cipher:              aeadCipher,
+		explicitNonceLen: explicitNonceLen,
-		explicitNonceLen:    explicitNonceLen,
+		rand:             randReader,
-		rand:                randReader,
+		halfPtr:          rawHalfConn.UnsafeAddr(),
-		halfPtr:             rawHalfConn.UnsafeAddr(),
+		halfSeq:          halfSeq,
-		halfSeq:             halfSeq,
+		halfScratchBuf:   halfScratchBuf,
 		halfScratchBuf:      halfScratchBuf,
 	}, nil
 }
@@ -152,15 +130,15 @@ func (c *Conn) WriteBuffer(buffer *buf.Buffer) error {
 		return common.Error(c.Write(buffer.Bytes()))
 	}
 	for {
-		x := c.activeCall.Load()
+		x := atomic.LoadInt32(c.activeCall)
 		if x&1 != 0 {
 			return net.ErrClosed
 		}
-		if c.activeCall.CompareAndSwap(x, x+2) {
+		if atomic.CompareAndSwapInt32(c.activeCall, x, x+2) {
 			break
 		}
 	}
-	defer c.activeCall.Add(-2)
+	defer atomic.AddInt32(c.activeCall, -2)
 	c.halfAccess.Lock()
 	defer c.halfAccess.Unlock()
 	if err := *c.halfError; err != nil {
@@ -208,7 +186,6 @@ func (c *Conn) WriteBuffer(buffer *buf.Buffer) error {
 		binary.BigEndian.PutUint16(outBuf[3:], uint16(dataLen+c.explicitNonceLen+c.cipher.Overhead()))
 	}
 	incSeq(c.halfPtr)
 	log.Trace("badtls write ", buffer.Len())
 	return c.writer.WriteBuffer(buffer)
 }
--- a/common/badtls/badtls_stub.go
+++ b/common/badtls/badtls_stub.go
@@ -1,14 +1,12 @@
-//go:build !go1.19 || go1.21
+//go:build !go1.19 || go1.20
 package badtls
 import (
 	"crypto/tls"
 	"os"
 	aTLS "github.com/sagernet/sing/common/tls"
 )
-func Create(conn *tls.Conn) (aTLS.Conn, error) {
+func Create(conn *tls.Conn) (TLSConn, error) {
 	return nil, os.ErrInvalid
 }
--- a/common/badtls/conn.go
+++ b/common/badtls/conn.go
@@ -0,0 +1,13 @@
 package badtls
 import (
 	"context"
 	"crypto/tls"
 	"net"
 )
 type TLSConn interface {
 	net.Conn
 	HandshakeContext(ctx context.Context) error
 	ConnectionState() tls.ConnectionState
 }
--- a/common/badtls/link.go
+++ b/common/badtls/link.go
@@ -1,8 +1,9 @@
-//go:build go1.20 && !go.1.21
+//go:build go1.19 && !go.1.20
 package badtls
 import (
 	"crypto/tls"
 	"reflect"
 	_ "unsafe"
 )
@@ -15,6 +16,9 @@ const (
 //go:linkname errShutdown crypto/tls.errShutdown
 var errShutdown error
 //go:linkname handshakeComplete crypto/tls.(*Conn).handshakeComplete
 func handshakeComplete(conn *tls.Conn) bool
 //go:linkname incSeq crypto/tls.(*halfConn).incSeq
 func incSeq(conn uintptr)
--- a/common/badversion/version.go
+++ b/common/badversion/version.go
@@ -1,124 +0,0 @@
 package badversion
 import (
 	"strconv"
 	"strings"
 	F "github.com/sagernet/sing/common/format"
 )
 type Version struct {
 	Major                int
 	Minor                int
 	Patch                int
 	Commit               string
 	PreReleaseIdentifier string
 	PreReleaseVersion    int
 }
 func (v Version) After(anotherVersion Version) bool {
 	if v.Major > anotherVersion.Major {
 		return true
 	} else if v.Major < anotherVersion.Major {
 		return false
 	}
 	if v.Minor > anotherVersion.Minor {
 		return true
 	} else if v.Minor < anotherVersion.Minor {
 		return false
 	}
 	if v.Patch > anotherVersion.Patch {
 		return true
 	} else if v.Patch < anotherVersion.Patch {
 		return false
 	}
 	if v.PreReleaseIdentifier == "" && anotherVersion.PreReleaseIdentifier != "" {
 		return true
 	} else if v.PreReleaseIdentifier != "" && anotherVersion.PreReleaseIdentifier == "" {
 		return false
 	}
 	if v.PreReleaseIdentifier != "" && anotherVersion.PreReleaseIdentifier != "" {
 		if v.PreReleaseIdentifier == anotherVersion.PreReleaseIdentifier {
 			if v.PreReleaseVersion > anotherVersion.PreReleaseVersion {
 				return true
 			} else if v.PreReleaseVersion < anotherVersion.PreReleaseVersion {
 				return false
 			}
 		} else if v.PreReleaseIdentifier == "rc" && anotherVersion.PreReleaseIdentifier == "beta" {
 			return true
 		} else if v.PreReleaseIdentifier == "beta" && anotherVersion.PreReleaseIdentifier == "rc" {
 			return false
 		} else if v.PreReleaseIdentifier == "beta" && anotherVersion.PreReleaseIdentifier == "alpha" {
 			return true
 		} else if v.PreReleaseIdentifier == "alpha" && anotherVersion.PreReleaseIdentifier == "beta" {
 			return false
 		}
 	}
 	return false
 }
 func (v Version) VersionString() string {
 	return F.ToString(v.Major, ".", v.Minor, ".", v.Patch)
 }
 func (v Version) String() string {
 	version := F.ToString(v.Major, ".", v.Minor, ".", v.Patch)
 	if v.PreReleaseIdentifier != "" {
 		version = F.ToString(version, "-", v.PreReleaseIdentifier, ".", v.PreReleaseVersion)
 	}
 	return version
 }
 func (v Version) BadString() string {
 	version := F.ToString(v.Major, ".", v.Minor)
 	if v.Patch > 0 {
 		version = F.ToString(version, ".", v.Patch)
 	}
 	if v.PreReleaseIdentifier != "" {
 		version = F.ToString(version, "-", v.PreReleaseIdentifier)
 		if v.PreReleaseVersion > 0 {
 			version = F.ToString(version, v.PreReleaseVersion)
 		}
 	}
 	return version
 }
 func Parse(versionName string) (version Version) {
 	if strings.HasPrefix(versionName, "v") {
 		versionName = versionName[1:]
 	}
 	if strings.Contains(versionName, "-") {
 		parts := strings.Split(versionName, "-")
 		versionName = parts[0]
 		identifier := parts[1]
 		if strings.Contains(identifier, ".") {
 			identifierParts := strings.Split(identifier, ".")
 			version.PreReleaseIdentifier = identifierParts[0]
 			if len(identifierParts) >= 2 {
 				version.PreReleaseVersion, _ = strconv.Atoi(identifierParts[1])
 			}
 		} else {
 			if strings.HasPrefix(identifier, "alpha") {
 				version.PreReleaseIdentifier = "alpha"
 				version.PreReleaseVersion, _ = strconv.Atoi(identifier[5:])
 			} else if strings.HasPrefix(identifier, "beta") {
 				version.PreReleaseIdentifier = "beta"
 				version.PreReleaseVersion, _ = strconv.Atoi(identifier[4:])
 			} else {
 				version.Commit = identifier
 			}
 		}
 	}
 	versionElements := strings.Split(versionName, ".")
 	versionLen := len(versionElements)
 	if versionLen >= 1 {
 		version.Major, _ = strconv.Atoi(versionElements[0])
 	}
 	if versionLen >= 2 {
 		version.Minor, _ = strconv.Atoi(versionElements[1])
 	}
 	if versionLen >= 3 {
 		version.Patch, _ = strconv.Atoi(versionElements[2])
 	}
 	return
 }
--- a/common/badversion/version_json.go
+++ b/common/badversion/version_json.go
@@ -1,17 +0,0 @@
 package badversion
 import "github.com/sagernet/sing-box/common/json"
 func (v Version) MarshalJSON() ([]byte, error) {
 	return json.Marshal(v.String())
 }
 func (v *Version) UnmarshalJSON(data []byte) error {
 	var version string
 	err := json.Unmarshal(data, &version)
 	if err != nil {
 		return err
 	}
 	*v = Parse(version)
 	return nil
 }
--- a/common/badversion/version_test.go
+++ b/common/badversion/version_test.go
@@ -1,18 +0,0 @@
 package badversion
 import (
 	"testing"
 	"github.com/stretchr/testify/require"
 )
 func TestCompareVersion(t *testing.T) {
 	t.Parallel()
 	require.Equal(t, "1.3.0-beta.1", Parse("v1.3.0-beta1").String())
 	require.Equal(t, "1.3-beta1", Parse("v1.3.0-beta.1").BadString())
 	require.True(t, Parse("1.3.0").After(Parse("1.3-beta1")))
 	require.True(t, Parse("1.3.0").After(Parse("1.3.0-beta1")))
 	require.True(t, Parse("1.3.0-beta1").After(Parse("1.3.0-alpha1")))
 	require.True(t, Parse("1.3.1").After(Parse("1.3.0")))
 	require.True(t, Parse("1.4").After(Parse("1.3")))
 }
--- a/common/canceler/instance.go
+++ b/common/canceler/instance.go
@@ -0,0 +1,48 @@
 package canceler
 import (
 	"context"
 	"time"
 )
 type Instance struct {
 	ctx        context.Context
 	cancelFunc context.CancelFunc
 	timer      *time.Timer
 	timeout    time.Duration
 }
 func New(ctx context.Context, cancelFunc context.CancelFunc, timeout time.Duration) *Instance {
 	instance := &Instance{
 		ctx,
 		cancelFunc,
 		time.NewTimer(timeout),
 		timeout,
 	}
 	go instance.wait()
 	return instance
 }
 func (i *Instance) Update() bool {
 	if !i.timer.Stop() {
 		return false
 	}
 	if !i.timer.Reset(i.timeout) {
 		return false
 	}
 	return true
 }
 func (i *Instance) wait() {
 	select {
 	case <-i.timer.C:
 	case <-i.ctx.Done():
 	}
 	i.Close()
 }
 func (i *Instance) Close() error {
 	i.timer.Stop()
 	i.cancelFunc()
 	return nil
 }
--- a/common/canceler/packet.go
+++ b/common/canceler/packet.go
@@ -0,0 +1,49 @@
 package canceler
 import (
 	"context"
 	"time"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 type PacketConn struct {
 	N.PacketConn
 	instance *Instance
 }
 func NewPacketConn(ctx context.Context, conn N.PacketConn, timeout time.Duration) (context.Context, N.PacketConn) {
 	ctx, cancel := context.WithCancel(ctx)
 	instance := New(ctx, cancel, timeout)
 	return ctx, &PacketConn{conn, instance}
 }
 func (c *PacketConn) ReadPacket(buffer *buf.Buffer) (destination M.Socksaddr, err error) {
 	destination, err = c.PacketConn.ReadPacket(buffer)
 	if err == nil {
 		c.instance.Update()
 	}
 	return
 }
 func (c *PacketConn) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
 	err := c.PacketConn.WritePacket(buffer, destination)
 	if err == nil {
 		c.instance.Update()
 	}
 	return err
 }
 func (c *PacketConn) Close() error {
 	return common.Close(
 		c.PacketConn,
 		c.instance,
 	)
 }
 func (c *PacketConn) Upstream() any {
 	return c.PacketConn
 }
--- a/common/debugio/log.go
+++ b/common/debugio/log.go
@@ -0,0 +1,87 @@
 package debugio
 import (
 	"net"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common/buf"
 	"github.com/sagernet/sing/common/bufio"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 type LogConn struct {
 	N.ExtendedConn
 	logger log.Logger
 	prefix string
 }
 func NewLogConn(conn net.Conn, logger log.Logger, prefix string) N.ExtendedConn {
 	return &LogConn{bufio.NewExtendedConn(conn), logger, prefix}
 }
 func (c *LogConn) Read(p []byte) (n int, err error) {
 	n, err = c.ExtendedConn.Read(p)
 	if n > 0 {
 		c.logger.Debug(c.prefix, " read ", buf.EncodeHexString(p[:n]))
 	}
 	return
 }
 func (c *LogConn) Write(p []byte) (n int, err error) {
 	c.logger.Debug(c.prefix, " write ", buf.EncodeHexString(p))
 	return c.ExtendedConn.Write(p)
 }
 func (c *LogConn) ReadBuffer(buffer *buf.Buffer) error {
 	err := c.ExtendedConn.ReadBuffer(buffer)
 	if err == nil {
 		c.logger.Debug(c.prefix, " read buffer ", buf.EncodeHexString(buffer.Bytes()))
 	}
 	return err
 }
 func (c *LogConn) WriteBuffer(buffer *buf.Buffer) error {
 	c.logger.Debug(c.prefix, " write buffer ", buf.EncodeHexString(buffer.Bytes()))
 	return c.ExtendedConn.WriteBuffer(buffer)
 }
 func (c *LogConn) Upstream() any {
 	return c.ExtendedConn
 }
 type LogPacketConn struct {
 	N.NetPacketConn
 	logger log.Logger
 	prefix string
 }
 func NewLogPacketConn(conn net.PacketConn, logger log.Logger, prefix string) N.NetPacketConn {
 	return &LogPacketConn{bufio.NewPacketConn(conn), logger, prefix}
 }
 func (c *LogPacketConn) ReadFrom(p []byte) (n int, addr net.Addr, err error) {
 	n, addr, err = c.NetPacketConn.ReadFrom(p)
 	if n > 0 {
 		c.logger.Debug(c.prefix, " read from ", addr, " ", buf.EncodeHexString(p[:n]))
 	}
 	return
 }
 func (c *LogPacketConn) WriteTo(p []byte, addr net.Addr) (n int, err error) {
 	c.logger.Debug(c.prefix, " write to ", addr, " ", buf.EncodeHexString(p))
 	return c.NetPacketConn.WriteTo(p, addr)
 }
 func (c *LogPacketConn) ReadPacket(buffer *buf.Buffer) (destination M.Socksaddr, err error) {
 	destination, err = c.NetPacketConn.ReadPacket(buffer)
 	if err == nil {
 		c.logger.Debug(c.prefix, " read packet from ", destination, " ", buf.EncodeHexString(buffer.Bytes()))
 	}
 	return
 }
 func (c *LogPacketConn) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
 	c.logger.Debug(c.prefix, " write packet to ", destination, " ", buf.EncodeHexString(buffer.Bytes()))
 	return c.NetPacketConn.WritePacket(buffer, destination)
 }
--- a/common/debugio/print.go
+++ b/common/debugio/print.go
@@ -0,0 +1,19 @@
 package debugio
 import (
 	"fmt"
 	"reflect"
 	"github.com/sagernet/sing/common"
 )
 func PrintUpstream(obj any) {
 	for obj != nil {
 		fmt.Println(reflect.TypeOf(obj))
 		if u, ok := obj.(common.WithUpstream); !ok {
 			break
 		} else {
 			obj = u.Upstream()
 		}
 	}
 }
--- a/common/debugio/race.go
+++ b/common/debugio/race.go
@@ -0,0 +1,48 @@
 package debugio
 import (
 	"net"
 	"sync"
 	"github.com/sagernet/sing/common/buf"
 	"github.com/sagernet/sing/common/bufio"
 	N "github.com/sagernet/sing/common/network"
 )
 type RaceConn struct {
 	N.ExtendedConn
 	readAccess  sync.Mutex
 	writeAccess sync.Mutex
 }
 func NewRaceConn(conn net.Conn) N.ExtendedConn {
 	return &RaceConn{ExtendedConn: bufio.NewExtendedConn(conn)}
 }
 func (c *RaceConn) Read(p []byte) (n int, err error) {
 	c.readAccess.Lock()
 	defer c.readAccess.Unlock()
 	return c.ExtendedConn.Read(p)
 }
 func (c *RaceConn) Write(p []byte) (n int, err error) {
 	c.writeAccess.Lock()
 	defer c.writeAccess.Unlock()
 	return c.ExtendedConn.Write(p)
 }
 func (c *RaceConn) ReadBuffer(buffer *buf.Buffer) error {
 	c.readAccess.Lock()
 	defer c.readAccess.Unlock()
 	return c.ExtendedConn.ReadBuffer(buffer)
 }
 func (c *RaceConn) WriteBuffer(buffer *buf.Buffer) error {
 	c.writeAccess.Lock()
 	defer c.writeAccess.Unlock()
 	return c.ExtendedConn.WriteBuffer(buffer)
 }
 func (c *RaceConn) Upstream() any {
 	return c.ExtendedConn
 }
--- a/common/dialer/conntrack/conn.go
+++ b/common/dialer/conntrack/conn.go
@@ -12,12 +12,12 @@ type Conn struct {
 	element *list.Element[io.Closer]
 }
-func NewConn(conn net.Conn) (net.Conn, error) {
+func NewConn(conn net.Conn) (*Conn, error) {
 	connAccess.Lock()
 	element := openConnection.PushBack(conn)
 	connAccess.Unlock()
 	if KillerEnabled {
-		err := KillerCheck()
+		err := killerCheck()
 		if err != nil {
 			conn.Close()
 			return nil, err
--- a/common/dialer/conntrack/killer.go
+++ b/common/dialer/conntrack/killer.go
@@ -1,20 +1,20 @@
 package conntrack
 import (
 	"runtime"
 	runtimeDebug "runtime/debug"
 	"time"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/memory"
 )
 var (
 	KillerEnabled   bool
-	MemoryLimit     uint64
+	MemoryLimit     int64
 	killerLastCheck time.Time
 )
-func KillerCheck() error {
+func killerCheck() error {
 	if !KillerEnabled {
 		return nil
 	}
@@ -23,7 +23,10 @@ func KillerCheck() error {
 		return nil
 	}
 	killerLastCheck = nowTime
-	if memory.Total() > MemoryLimit {
+	var memStats runtime.MemStats
 	runtime.ReadMemStats(&memStats)
 	inuseMemory := int64(memStats.StackInuse + memStats.HeapInuse + memStats.HeapIdle - memStats.HeapReleased)
 	if inuseMemory > MemoryLimit {
 		Close()
 		go func() {
 			time.Sleep(time.Second)
--- a/common/dialer/conntrack/packet_conn.go
+++ b/common/dialer/conntrack/packet_conn.go
@@ -4,7 +4,6 @@ import (
 	"io"
 	"net"
 	"github.com/sagernet/sing/common/bufio"
 	"github.com/sagernet/sing/common/x/list"
 )
@@ -13,12 +12,12 @@ type PacketConn struct {
 	element *list.Element[io.Closer]
 }
-func NewPacketConn(conn net.PacketConn) (net.PacketConn, error) {
+func NewPacketConn(conn net.PacketConn) (*PacketConn, error) {
 	connAccess.Lock()
 	element := openConnection.PushBack(conn)
 	connAccess.Unlock()
 	if KillerEnabled {
-		err := KillerCheck()
+		err := killerCheck()
 		if err != nil {
 			conn.Close()
 			return nil, err
@@ -43,7 +42,7 @@ func (c *PacketConn) Close() error {
 }
 func (c *PacketConn) Upstream() any {
-	return bufio.NewPacketConn(c.PacketConn)
+	return c.PacketConn
 }
 func (c *PacketConn) ReaderReplaceable() bool {
--- a/common/dialer/conntrack/track.go
+++ b/common/dialer/conntrack/track.go
@@ -14,16 +14,10 @@ var (
 )
 func Count() int {
 	if !Enabled {
 		return 0
 	}
 	return openConnection.Len()
 }
 func List() []io.Closer {
 	if !Enabled {
 		return nil
 	}
 	connAccess.RLock()
 	defer connAccess.RUnlock()
 	connList := make([]io.Closer, 0, openConnection.Len())
@@ -34,9 +28,6 @@ func List() []io.Closer {
 }
 func Close() {
 	if !Enabled {
 		return
 	}
 	connAccess.Lock()
 	defer connAccess.Unlock()
 	for element := openConnection.Front(); element != nil; element = element.Next() {
--- a/common/dialer/conntrack/track_disable.go
+++ b/common/dialer/conntrack/track_disable.go
--- a/common/dialer/conntrack/track_enable.go
+++ b/common/dialer/conntrack/track_enable.go
--- a/common/dialer/default.go
+++ b/common/dialer/default.go
@@ -6,18 +6,55 @@ import (
 	"time"
 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/conntrack"
+	"github.com/sagernet/sing-box/common/dialer/conntrack"
 	"github.com/sagernet/sing-box/common/warning"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing/common/control"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/tfo-go"
 )
 var warnBindInterfaceOnUnsupportedPlatform = warning.New(
 	func() bool {
 		return !(C.IsLinux || C.IsWindows || C.IsDarwin)
 	},
 	"outbound option `bind_interface` is only supported on Linux and Windows",
 )
 var warnRoutingMarkOnUnsupportedPlatform = warning.New(
 	func() bool {
 		return !C.IsLinux
 	},
 	"outbound option `routing_mark` is only supported on Linux",
 )
 var warnReuseAdderOnUnsupportedPlatform = warning.New(
 	func() bool {
 		return !(C.IsDarwin || C.IsDragonfly || C.IsFreebsd || C.IsLinux || C.IsNetbsd || C.IsOpenbsd || C.IsSolaris || C.IsWindows)
 	},
 	"outbound option `reuse_addr` is unsupported on current platform",
 )
 var warnProtectPathOnNonAndroid = warning.New(
 	func() bool {
 		return !C.IsAndroid
 	},
 	"outbound option `protect_path` is only supported on Android",
 )
 var warnTFOOnUnsupportedPlatform = warning.New(
 	func() bool {
 		return !(C.IsDarwin || C.IsFreebsd || C.IsLinux || C.IsWindows)
 	},
 	"outbound option `tcp_fast_open` is unsupported on current platform",
 )
 type DefaultDialer struct {
-	dialer4     tcpDialer
+	dialer4     tfo.Dialer
-	dialer6     tcpDialer
+	dialer6     tfo.Dialer
 	udpDialer4  net.Dialer
 	udpDialer6  net.Dialer
 	udpListener net.ListenConfig
@@ -25,10 +62,11 @@ type DefaultDialer struct {
 	udpAddr6    string
 }
-func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDialer, error) {
+func NewDefault(router adapter.Router, options option.DialerOptions) *DefaultDialer {
 	var dialer net.Dialer
 	var listener net.ListenConfig
 	if options.BindInterface != "" {
 		warnBindInterfaceOnUnsupportedPlatform.Check()
 		bindFunc := control.BindToInterface(router.InterfaceFinder(), options.BindInterface, -1)
 		dialer.Control = control.Append(dialer.Control, bindFunc)
 		listener.Control = control.Append(listener.Control, bindFunc)
@@ -42,6 +80,7 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 		listener.Control = control.Append(listener.Control, bindFunc)
 	}
 	if options.RoutingMark != 0 {
 		warnRoutingMarkOnUnsupportedPlatform.Check()
 		dialer.Control = control.Append(dialer.Control, control.RoutingMark(options.RoutingMark))
 		listener.Control = control.Append(listener.Control, control.RoutingMark(options.RoutingMark))
 	} else if router.DefaultMark() != 0 {
@@ -49,9 +88,11 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 		listener.Control = control.Append(listener.Control, control.RoutingMark(router.DefaultMark()))
 	}
 	if options.ReuseAddr {
 		warnReuseAdderOnUnsupportedPlatform.Check()
 		listener.Control = control.Append(listener.Control, control.ReuseAddr())
 	}
 	if options.ProtectPath != "" {
 		warnProtectPathOnNonAndroid.Check()
 		dialer.Control = control.Append(dialer.Control, control.ProtectPath(options.ProtectPath))
 		listener.Control = control.Append(listener.Control, control.ProtectPath(options.ProtectPath))
 	}
@@ -60,6 +101,9 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 	} else {
 		dialer.Timeout = C.TCPTimeout
 	}
 	if options.TCPFastOpen {
 		warnTFOOnUnsupportedPlatform.Check()
 	}
 	var udpFragment bool
 	if options.UDPFragment != nil {
 		udpFragment = *options.UDPFragment
@@ -92,29 +136,15 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 		udpDialer6.LocalAddr = &net.UDPAddr{IP: bindAddr.AsSlice()}
 		udpAddr6 = M.SocksaddrFrom(bindAddr, 0).String()
 	}
 	if options.TCPMultiPath {
 		if !go121Available {
 			return nil, E.New("MultiPath TCP requires go1.21, please recompile your binary.")
 		}
 		setMultiPathTCP(&dialer4)
 	}
 	tcpDialer4, err := newTCPDialer(dialer4, options.TCPFastOpen)
 	if err != nil {
 		return nil, err
 	}
 	tcpDialer6, err := newTCPDialer(dialer6, options.TCPFastOpen)
 	if err != nil {
 		return nil, err
 	}
 	return &DefaultDialer{
-		tcpDialer4,
+		tfo.Dialer{Dialer: dialer4, DisableTFO: !options.TCPFastOpen},
-		tcpDialer6,
+		tfo.Dialer{Dialer: dialer6, DisableTFO: !options.TCPFastOpen},
 		udpDialer4,
 		udpDialer6,
 		listener,
 		udpAddr4,
 		udpAddr6,
-	}, nil
+	}
 }
 func (d *DefaultDialer) DialContext(ctx context.Context, network string, address M.Socksaddr) (net.Conn, error) {
@@ -124,9 +154,9 @@ func (d *DefaultDialer) DialContext(ctx context.Context, network string, address
 	switch N.NetworkName(network) {
 	case N.NetworkUDP:
 		if !address.IsIPv6() {
-			return trackConn(d.udpDialer4.DialContext(ctx, network, address.String()))
+			return d.udpDialer4.DialContext(ctx, network, address.String())
 		} else {
-			return trackConn(d.udpDialer6.DialContext(ctx, network, address.String()))
+			return d.udpDialer6.DialContext(ctx, network, address.String())
 		}
 	}
 	if !address.IsIPv6() {
@@ -137,12 +167,10 @@ func (d *DefaultDialer) DialContext(ctx context.Context, network string, address
 }
 func (d *DefaultDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	if destination.IsIPv6() {
+	if !destination.IsIPv6() {
 		return trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr6))
 	} else if destination.IsIPv4() && !destination.Addr.IsUnspecified() {
 		return trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP+"4", d.udpAddr4))
 	} else {
 		return trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr4))
 	} else {
 		return trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr6))
 	}
 }
--- a/common/dialer/default_go1.20.go
+++ b/common/dialer/default_go1.20.go
@@ -1,15 +0,0 @@
 //go:build go1.20
 package dialer
 import (
 	"net"
 	"github.com/sagernet/tfo-go"
 )
 type tcpDialer = tfo.Dialer
 func newTCPDialer(dialer net.Dialer, tfoEnabled bool) (tcpDialer, error) {
 	return tfo.Dialer{Dialer: dialer, DisableTFO: !tfoEnabled}, nil
 }
--- a/common/dialer/default_go1.21.go
+++ b/common/dialer/default_go1.21.go
@@ -1,11 +0,0 @@
 //go:build go1.21
 package dialer
 import "net"
 const go121Available = true
 func setMultiPathTCP(dialer *net.Dialer) {
 	dialer.SetMultipathTCP(true)
 }
--- a/common/dialer/default_nongo1.20.go
+++ b/common/dialer/default_nongo1.20.go
@@ -1,18 +0,0 @@
 //go:build !go1.20
 package dialer
 import (
 	"net"
 	E "github.com/sagernet/sing/common/exceptions"
 )
 type tcpDialer = net.Dialer
 func newTCPDialer(dialer net.Dialer, tfoEnabled bool) (tcpDialer, error) {
 	if tfoEnabled {
 		return dialer, E.New("TCP Fast Open requires go1.20, please recompile your binary.")
 	}
 	return dialer, nil
 }
--- a/common/dialer/default_nongo1.21.go
+++ b/common/dialer/default_nongo1.21.go
@@ -1,12 +0,0 @@
 //go:build !go1.21
 package dialer
 import (
 	"net"
 )
 const go121Available = false
 func setMultiPathTCP(dialer *net.Dialer) {
 }
--- a/common/dialer/dialer.go
+++ b/common/dialer/dialer.go
@@ -6,35 +6,19 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing/common"
 	N "github.com/sagernet/sing/common/network"
 )
-func MustNew(router adapter.Router, options option.DialerOptions) N.Dialer {
+func New(router adapter.Router, options option.DialerOptions) N.Dialer {
-	return common.Must1(New(router, options))
+	var dialer N.Dialer
 }
 func New(router adapter.Router, options option.DialerOptions) (N.Dialer, error) {
 	var (
 		dialer N.Dialer
 		err    error
 	)
 	if options.Detour == "" {
-		dialer, err = NewDefault(router, options)
+		dialer = NewDefault(router, options)
 		if err != nil {
 			return nil, err
 		}
 	} else {
 		dialer = NewDetour(router, options.Detour)
 	}
 	domainStrategy := dns.DomainStrategy(options.DomainStrategy)
 	if domainStrategy != dns.DomainStrategyAsIS || options.Detour == "" {
-		dialer = NewResolveDialer(
+		dialer = NewResolveDialer(router, dialer, domainStrategy, time.Duration(options.FallbackDelay))
 			router,
 			dialer,
 			options.Detour == "" && !options.TCPFastOpen,
 			domainStrategy,
 			time.Duration(options.FallbackDelay))
 	}
-	return dialer, nil
+	return dialer
 }
--- a/common/dialer/resolve.go
+++ b/common/dialer/resolve.go
@@ -9,23 +9,20 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing/common/bufio"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 type ResolveDialer struct {
 	dialer        N.Dialer
 	parallel      bool
 	router        adapter.Router
 	strategy      dns.DomainStrategy
 	fallbackDelay time.Duration
 }
-func NewResolveDialer(router adapter.Router, dialer N.Dialer, parallel bool, strategy dns.DomainStrategy, fallbackDelay time.Duration) *ResolveDialer {
+func NewResolveDialer(router adapter.Router, dialer N.Dialer, strategy dns.DomainStrategy, fallbackDelay time.Duration) *ResolveDialer {
 	return &ResolveDialer{
 		dialer,
 		parallel,
 		router,
 		strategy,
 		fallbackDelay,
@@ -36,7 +33,7 @@ func (d *ResolveDialer) DialContext(ctx context.Context, network string, destina
 	if !destination.IsFqdn() {
 		return d.dialer.DialContext(ctx, network, destination)
 	}
-	ctx, metadata := adapter.ExtendContext(ctx)
+	ctx, metadata := adapter.AppendContext(ctx)
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
 	metadata.Destination = destination
 	metadata.Domain = ""
@@ -50,18 +47,14 @@ func (d *ResolveDialer) DialContext(ctx context.Context, network string, destina
 	if err != nil {
 		return nil, err
 	}
-	if d.parallel {
+	return N.DialParallel(ctx, d.dialer, network, destination, addresses, d.strategy == dns.DomainStrategyPreferIPv6, d.fallbackDelay)
 		return N.DialParallel(ctx, d.dialer, network, destination, addresses, d.strategy == dns.DomainStrategyPreferIPv6, d.fallbackDelay)
 	} else {
 		return N.DialSerial(ctx, d.dialer, network, destination, addresses)
 	}
 }
 func (d *ResolveDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
 	if !destination.IsFqdn() {
 		return d.dialer.ListenPacket(ctx, destination)
 	}
-	ctx, metadata := adapter.ExtendContext(ctx)
+	ctx, metadata := adapter.AppendContext(ctx)
 	ctx = log.ContextWithOverrideLevel(ctx, log.LevelDebug)
 	metadata.Destination = destination
 	metadata.Domain = ""
@@ -75,11 +68,11 @@ func (d *ResolveDialer) ListenPacket(ctx context.Context, destination M.Socksadd
 	if err != nil {
 		return nil, err
 	}
-	conn, destinationAddress, err := N.ListenSerial(ctx, d.dialer, destination, addresses)
+	conn, err := N.ListenSerial(ctx, d.dialer, destination, addresses)
 	if err != nil {
 		return nil, err
 	}
-	return bufio.NewNATPacketConn(bufio.NewPacketConn(conn), M.SocksaddrFrom(destinationAddress, destination.Port), destination), nil
+	return NewResolvePacketConn(ctx, d.router, d.strategy, conn), nil
 }
 func (d *ResolveDialer) Upstream() any {
--- a/common/dialer/resolve_conn.go
+++ b/common/dialer/resolve_conn.go
@@ -0,0 +1,84 @@
 package dialer
 import (
 	"context"
 	"net"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 func NewResolvePacketConn(ctx context.Context, router adapter.Router, strategy dns.DomainStrategy, conn net.PacketConn) N.NetPacketConn {
 	if udpConn, ok := conn.(*net.UDPConn); ok {
 		return &ResolveUDPConn{udpConn, ctx, router, strategy}
 	} else {
 		return &ResolvePacketConn{conn, ctx, router, strategy}
 	}
 }
 type ResolveUDPConn struct {
 	*net.UDPConn
 	ctx      context.Context
 	router   adapter.Router
 	strategy dns.DomainStrategy
 }
 func (w *ResolveUDPConn) ReadPacket(buffer *buf.Buffer) (M.Socksaddr, error) {
 	n, addr, err := w.ReadFromUDPAddrPort(buffer.FreeBytes())
 	if err != nil {
 		return M.Socksaddr{}, err
 	}
 	buffer.Truncate(n)
 	return M.SocksaddrFromNetIP(addr), nil
 }
 func (w *ResolveUDPConn) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
 	defer buffer.Release()
 	if destination.IsFqdn() {
 		addresses, err := w.router.Lookup(w.ctx, destination.Fqdn, w.strategy)
 		if err != nil {
 			return err
 		}
 		return common.Error(w.UDPConn.WriteToUDPAddrPort(buffer.Bytes(), M.SocksaddrFrom(addresses[0], destination.Port).AddrPort()))
 	}
 	return common.Error(w.UDPConn.WriteToUDPAddrPort(buffer.Bytes(), destination.AddrPort()))
 }
 func (w *ResolveUDPConn) Upstream() any {
 	return w.UDPConn
 }
 type ResolvePacketConn struct {
 	net.PacketConn
 	ctx      context.Context
 	router   adapter.Router
 	strategy dns.DomainStrategy
 }
 func (w *ResolvePacketConn) ReadPacket(buffer *buf.Buffer) (M.Socksaddr, error) {
 	_, addr, err := buffer.ReadPacketFrom(w)
 	if err != nil {
 		return M.Socksaddr{}, err
 	}
 	return M.SocksaddrFromNet(addr), err
 }
 func (w *ResolvePacketConn) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
 	defer buffer.Release()
 	if destination.IsFqdn() {
 		addresses, err := w.router.Lookup(w.ctx, destination.Fqdn, w.strategy)
 		if err != nil {
 			return err
 		}
 		return common.Error(w.WriteTo(buffer.Bytes(), M.SocksaddrFrom(addresses[0], destination.Port).UDPAddr()))
 	}
 	return common.Error(w.WriteTo(buffer.Bytes(), destination.UDPAddr()))
 }
 func (w *ResolvePacketConn) Upstream() any {
 	return w.PacketConn
 }
--- a/common/dialer/tfo.go
+++ b/common/dialer/tfo.go
@@ -1,5 +1,3 @@
 //go:build go1.20
 package dialer
 import (
@@ -7,7 +5,6 @@ import (
 	"io"
 	"net"
 	"os"
 	"sync"
 	"time"
 	"github.com/sagernet/sing/common"
@@ -25,11 +22,10 @@ type slowOpenConn struct {
 	destination M.Socksaddr
 	conn        net.Conn
 	create      chan struct{}
 	access      sync.Mutex
 	err         error
 }
-func DialSlowContext(dialer *tcpDialer, ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+func DialSlowContext(dialer *tfo.Dialer, ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
 	if dialer.DisableTFO || N.NetworkName(network) != N.NetworkTCP {
 		switch N.NetworkName(network) {
 		case N.NetworkTCP, N.NetworkUDP:
@@ -62,26 +58,15 @@ func (c *slowOpenConn) Read(b []byte) (n int, err error) {
 }
 func (c *slowOpenConn) Write(b []byte) (n int, err error) {
-	if c.conn != nil {
+	if c.conn == nil {
-		return c.conn.Write(b)
+		c.conn, err = c.dialer.DialContext(c.ctx, c.network, c.destination.String(), b)
-	}
+		if err != nil {
-	c.access.Lock()
+			c.err = E.Cause(err, "dial tcp fast open")
 	defer c.access.Unlock()
 	select {
 	case <-c.create:
 		if c.err != nil {
 			return 0, c.err
 		}
-		return c.conn.Write(b)
+		close(c.create)
-	default:
+		return
 	}
-	c.conn, err = c.dialer.DialContext(c.ctx, c.network, c.destination.String(), b)
+	return c.conn.Write(b)
 	if err != nil {
 		c.conn = nil
 		c.err = E.Cause(err, "dial tcp fast open")
 	}
 	close(c.create)
 	return
 }
 func (c *slowOpenConn) Close() error {
@@ -139,8 +124,11 @@ func (c *slowOpenConn) LazyHeadroom() bool {
 	return c.conn == nil
 }
-func (c *slowOpenConn) NeedHandshake() bool {
+func (c *slowOpenConn) ReadFrom(r io.Reader) (n int64, err error) {
-	return c.conn == nil
+	if c.conn != nil {
 		return bufio.Copy(c.conn, r)
 	}
 	return bufio.ReadFrom0(c, r)
 }
 func (c *slowOpenConn) WriteTo(w io.Writer) (n int64, err error) {
--- a/common/dialer/tfo_stub.go
+++ b/common/dialer/tfo_stub.go
@@ -1,20 +0,0 @@
 //go:build !go1.20
 package dialer
 import (
 	"context"
 	"net"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 func DialSlowContext(dialer *tcpDialer, ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
 	switch N.NetworkName(network) {
 	case N.NetworkTCP, N.NetworkUDP:
 		return dialer.DialContext(ctx, network, destination.String())
 	default:
 		return dialer.DialContext(ctx, network, destination.AddrString())
 	}
 }
--- a/common/humanize/bytes.go
+++ b/common/humanize/bytes.go
@@ -1,158 +0,0 @@
 package humanize
 import (
 	"fmt"
 	"math"
 	"strconv"
 	"strings"
 	"unicode"
 )
 // IEC Sizes.
 // kibis of bits
 const (
 	Byte = 1 << (iota * 10)
 	KiByte
 	MiByte
 	GiByte
 	TiByte
 	PiByte
 	EiByte
 )
 // SI Sizes.
 const (
 	IByte = 1
 	KByte = IByte * 1000
 	MByte = KByte * 1000
 	GByte = MByte * 1000
 	TByte = GByte * 1000
 	PByte = TByte * 1000
 	EByte = PByte * 1000
 )
 var defaultSizeTable = map[string]uint64{
 	"b":   Byte,
 	"kib": KiByte,
 	"kb":  KByte,
 	"mib": MiByte,
 	"mb":  MByte,
 	"gib": GiByte,
 	"gb":  GByte,
 	"tib": TiByte,
 	"tb":  TByte,
 	"pib": PiByte,
 	"pb":  PByte,
 	"eib": EiByte,
 	"eb":  EByte,
 	// Without suffix
 	"":   Byte,
 	"ki": KiByte,
 	"k":  KByte,
 	"mi": MiByte,
 	"m":  MByte,
 	"gi": GiByte,
 	"g":  GByte,
 	"ti": TiByte,
 	"t":  TByte,
 	"pi": PiByte,
 	"p":  PByte,
 	"ei": EiByte,
 	"e":  EByte,
 }
 var memorysSizeTable = map[string]uint64{
 	"b":  Byte,
 	"kb": KiByte,
 	"mb": MiByte,
 	"gb": GiByte,
 	"tb": TiByte,
 	"pb": PiByte,
 	"eb": EiByte,
 	"":   Byte,
 	"k":  KiByte,
 	"m":  MiByte,
 	"g":  GiByte,
 	"t":  TiByte,
 	"p":  PiByte,
 	"e":  EiByte,
 }
 var (
 	defaultSizes = []string{"B", "kB", "MB", "GB", "TB", "PB", "EB"}
 	iSizes       = []string{"B", "KiB", "MiB", "GiB", "TiB", "PiB", "EiB"}
 )
 func Bytes(s uint64) string {
 	return humanateBytes(s, 1000, defaultSizes)
 }
 func MemoryBytes(s uint64) string {
 	return humanateBytes(s, 1024, defaultSizes)
 }
 func IBytes(s uint64) string {
 	return humanateBytes(s, 1024, iSizes)
 }
 func logn(n, b float64) float64 {
 	return math.Log(n) / math.Log(b)
 }
 func humanateBytes(s uint64, base float64, sizes []string) string {
 	if s < 10 {
 		return fmt.Sprintf("%d B", s)
 	}
 	e := math.Floor(logn(float64(s), base))
 	suffix := sizes[int(e)]
 	val := math.Floor(float64(s)/math.Pow(base, e)*10+0.5) / 10
 	f := "%.0f %s"
 	if val < 10 {
 		f = "%.1f %s"
 	}
 	return fmt.Sprintf(f, val, suffix)
 }
 func ParseBytes(s string) (uint64, error) {
 	return parseBytes0(s, defaultSizeTable)
 }
 func ParseMemoryBytes(s string) (uint64, error) {
 	return parseBytes0(s, memorysSizeTable)
 }
 func parseBytes0(s string, sizeTable map[string]uint64) (uint64, error) {
 	lastDigit := 0
 	hasComma := false
 	for _, r := range s {
 		if !(unicode.IsDigit(r) || r == '.' || r == ',') {
 			break
 		}
 		if r == ',' {
 			hasComma = true
 		}
 		lastDigit++
 	}
 	num := s[:lastDigit]
 	if hasComma {
 		num = strings.Replace(num, ",", "", -1)
 	}
 	f, err := strconv.ParseFloat(num, 64)
 	if err != nil {
 		return 0, err
 	}
 	extra := strings.ToLower(strings.TrimSpace(s[lastDigit:]))
 	if m, ok := sizeTable[extra]; ok {
 		f *= float64(m)
 		if f >= math.MaxUint64 {
 			return 0, fmt.Errorf("too large: %v", s)
 		}
 		return uint64(f), nil
 	}
 	return 0, fmt.Errorf("unhandled size name: %v", extra)
 }
--- a/common/interrupt/conn.go
+++ b/common/interrupt/conn.go
@@ -1,75 +0,0 @@
 package interrupt
 import (
 	"net"
 	"github.com/sagernet/sing/common/x/list"
 )
 /*type GroupedConn interface {
 	MarkAsInternal()
 }
 func MarkAsInternal(conn any) {
 	if groupedConn, isGroupConn := common.Cast[GroupedConn](conn); isGroupConn {
 		groupedConn.MarkAsInternal()
 	}
 }*/
 type Conn struct {
 	net.Conn
 	group   *Group
 	element *list.Element[*groupConnItem]
 }
 /*func (c *Conn) MarkAsInternal() {
 	c.element.Value.internal = true
 }*/
 func (c *Conn) Close() error {
 	c.group.access.Lock()
 	defer c.group.access.Unlock()
 	c.group.connections.Remove(c.element)
 	return c.Conn.Close()
 }
 func (c *Conn) ReaderReplaceable() bool {
 	return true
 }
 func (c *Conn) WriterReplaceable() bool {
 	return true
 }
 func (c *Conn) Upstream() any {
 	return c.Conn
 }
 type PacketConn struct {
 	net.PacketConn
 	group   *Group
 	element *list.Element[*groupConnItem]
 }
 /*func (c *PacketConn) MarkAsInternal() {
 	c.element.Value.internal = true
 }*/
 func (c *PacketConn) Close() error {
 	c.group.access.Lock()
 	defer c.group.access.Unlock()
 	c.group.connections.Remove(c.element)
 	return c.PacketConn.Close()
 }
 func (c *PacketConn) ReaderReplaceable() bool {
 	return true
 }
 func (c *PacketConn) WriterReplaceable() bool {
 	return true
 }
 func (c *PacketConn) Upstream() any {
 	return c.PacketConn
 }
--- a/common/interrupt/context.go
+++ b/common/interrupt/context.go
@@ -1,13 +0,0 @@
 package interrupt
 import "context"
 type contextKeyIsExternalConnection struct{}
 func ContextWithIsExternalConnection(ctx context.Context) context.Context {
 	return context.WithValue(ctx, contextKeyIsExternalConnection{}, true)
 }
 func IsExternalConnectionFromContext(ctx context.Context) bool {
 	return ctx.Value(contextKeyIsExternalConnection{}) != nil
 }
--- a/common/interrupt/group.go
+++ b/common/interrupt/group.go
@@ -1,52 +0,0 @@
 package interrupt
 import (
 	"io"
 	"net"
 	"sync"
 	"github.com/sagernet/sing/common/x/list"
 )
 type Group struct {
 	access      sync.Mutex
 	connections list.List[*groupConnItem]
 }
 type groupConnItem struct {
 	conn       io.Closer
 	isExternal bool
 }
 func NewGroup() *Group {
 	return &Group{}
 }
 func (g *Group) NewConn(conn net.Conn, isExternal bool) net.Conn {
 	g.access.Lock()
 	defer g.access.Unlock()
 	item := g.connections.PushBack(&groupConnItem{conn, isExternal})
 	return &Conn{Conn: conn, group: g, element: item}
 }
 func (g *Group) NewPacketConn(conn net.PacketConn, isExternal bool) net.PacketConn {
 	g.access.Lock()
 	defer g.access.Unlock()
 	item := g.connections.PushBack(&groupConnItem{conn, isExternal})
 	return &PacketConn{PacketConn: conn, group: g, element: item}
 }
 func (g *Group) Interrupt(interruptExternalConnections bool) {
 	g.access.Lock()
 	defer g.access.Unlock()
 	var toDelete []*list.Element[*groupConnItem]
 	for element := g.connections.Front(); element != nil; element = element.Next() {
 		if !element.Value.isExternal || interruptExternalConnections {
 			element.Value.conn.Close()
 			toDelete = append(toDelete, element)
 		}
 	}
 	for _, element := range toDelete {
 		g.connections.Remove(element)
 	}
 }
--- a/common/mux/client.go
+++ b/common/mux/client.go
@@ -1,42 +1,519 @@
 package mux
 import (
-	C "github.com/sagernet/sing-box/constant"
+	"context"
 	"encoding/binary"
 	"io"
 	"net"
 	"sync"
 	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing-mux"
+	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
 	"github.com/sagernet/sing/common/bufio"
 	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
+	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/x/list"
 )
-type Client = mux.Client
+var _ N.Dialer = (*Client)(nil)
-func NewClientWithOptions(dialer N.Dialer, logger logger.Logger, options option.OutboundMultiplexOptions) (*Client, error) {
+type Client struct {
 	access         sync.Mutex
 	connections    list.List[abstractSession]
 	ctx            context.Context
 	dialer         N.Dialer
 	protocol       Protocol
 	maxConnections int
 	minStreams     int
 	maxStreams     int
 }
 func NewClient(ctx context.Context, dialer N.Dialer, protocol Protocol, maxConnections int, minStreams int, maxStreams int) *Client {
 	return &Client{
 		ctx:            ctx,
 		dialer:         dialer,
 		protocol:       protocol,
 		maxConnections: maxConnections,
 		minStreams:     minStreams,
 		maxStreams:     maxStreams,
 	}
 }
 func NewClientWithOptions(ctx context.Context, dialer N.Dialer, options option.MultiplexOptions) (N.Dialer, error) {
 	if !options.Enabled {
 		return nil, nil
 	}
-	var brutalOptions mux.BrutalOptions
+	if options.MaxConnections == 0 && options.MaxStreams == 0 {
-	if options.Brutal != nil && options.Brutal.Enabled {
+		options.MinStreams = 8
-		brutalOptions = mux.BrutalOptions{
+	}
-			Enabled:    true,
+	protocol, err := ParseProtocol(options.Protocol)
-			SendBPS:    uint64(options.Brutal.UpMbps * C.MbpsToBps),
+	if err != nil {
-			ReceiveBPS: uint64(options.Brutal.DownMbps * C.MbpsToBps),
+		return nil, err
 	}
 	return NewClient(ctx, dialer, protocol, options.MaxConnections, options.MinStreams, options.MaxStreams), nil
 }
 func (c *Client) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
 	switch N.NetworkName(network) {
 	case N.NetworkTCP:
 		stream, err := c.openStream()
 		if err != nil {
 			return nil, err
 		}
-		if brutalOptions.SendBPS < mux.BrutalMinSpeedBPS {
+		return &ClientConn{Conn: stream, destination: destination}, nil
-			return nil, E.New("brutal: invalid upload speed")
+	case N.NetworkUDP:
 		stream, err := c.openStream()
 		if err != nil {
 			return nil, err
 		}
-		if brutalOptions.ReceiveBPS < mux.BrutalMinSpeedBPS {
+		return bufio.NewUnbindPacketConn(&ClientPacketConn{ExtendedConn: bufio.NewExtendedConn(stream), destination: destination}), nil
-			return nil, E.New("brutal: invalid download speed")
+	default:
 		return nil, E.Extend(N.ErrUnknownNetwork, network)
 	}
 }
 func (c *Client) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
 	stream, err := c.openStream()
 	if err != nil {
 		return nil, err
 	}
 	return &ClientPacketAddrConn{ExtendedConn: bufio.NewExtendedConn(stream), destination: destination}, nil
 }
 func (c *Client) openStream() (net.Conn, error) {
 	var (
 		session abstractSession
 		stream  net.Conn
 		err     error
 	)
 	for attempts := 0; attempts < 2; attempts++ {
 		session, err = c.offer()
 		if err != nil {
 			continue
 		}
 		stream, err = session.Open()
 		if err != nil {
 			continue
 		}
 		break
 	}
 	if err != nil {
 		return nil, err
 	}
 	return &wrapStream{stream}, nil
 }
 func (c *Client) offer() (abstractSession, error) {
 	c.access.Lock()
 	defer c.access.Unlock()
 	sessions := make([]abstractSession, 0, c.maxConnections)
 	for element := c.connections.Front(); element != nil; {
 		if element.Value.IsClosed() {
 			nextElement := element.Next()
 			c.connections.Remove(element)
 			element = nextElement
 			continue
 		}
 		sessions = append(sessions, element.Value)
 		element = element.Next()
 	}
 	sLen := len(sessions)
 	if sLen == 0 {
 		return c.offerNew()
 	}
 	session := common.MinBy(sessions, abstractSession.NumStreams)
 	numStreams := session.NumStreams()
 	if numStreams == 0 {
 		return session, nil
 	}
 	if c.maxConnections > 0 {
 		if sLen >= c.maxConnections || numStreams < c.minStreams {
 			return session, nil
 		}
 	} else {
 		if c.maxStreams > 0 && numStreams < c.maxStreams {
 			return session, nil
 		}
 	}
-	return mux.NewClient(mux.Options{
+	return c.offerNew()
-		Dialer:         dialer,
+}
-		Logger:         logger,
+
-		Protocol:       options.Protocol,
+func (c *Client) offerNew() (abstractSession, error) {
-		MaxConnections: options.MaxConnections,
+	conn, err := c.dialer.DialContext(c.ctx, N.NetworkTCP, Destination)
-		MinStreams:     options.MinStreams,
+	if err != nil {
-		MaxStreams:     options.MaxStreams,
+		return nil, err
-		Padding:        options.Padding,
+	}
-		Brutal:         brutalOptions,
+	if vectorisedWriter, isVectorised := bufio.CreateVectorisedWriter(conn); isVectorised {
-	})
+		conn = &vectorisedProtocolConn{protocolConn{Conn: conn, protocol: c.protocol}, vectorisedWriter}
 	} else {
 		conn = &protocolConn{Conn: conn, protocol: c.protocol}
 	}
 	session, err := c.protocol.newClient(conn)
 	if err != nil {
 		return nil, err
 	}
 	c.connections.PushBack(session)
 	return session, nil
 }
 func (c *Client) Close() error {
 	c.access.Lock()
 	defer c.access.Unlock()
 	for _, session := range c.connections.Array() {
 		session.Close()
 	}
 	return nil
 }
 type ClientConn struct {
 	net.Conn
 	destination  M.Socksaddr
 	requestWrite bool
 	responseRead bool
 }
 func (c *ClientConn) readResponse() error {
 	response, err := ReadStreamResponse(c.Conn)
 	if err != nil {
 		return err
 	}
 	if response.Status == statusError {
 		return E.New("remote error: ", response.Message)
 	}
 	return nil
 }
 func (c *ClientConn) Read(b []byte) (n int, err error) {
 	if !c.responseRead {
 		err = c.readResponse()
 		if err != nil {
 			return
 		}
 		c.responseRead = true
 	}
 	return c.Conn.Read(b)
 }
 func (c *ClientConn) Write(b []byte) (n int, err error) {
 	if c.requestWrite {
 		return c.Conn.Write(b)
 	}
 	request := StreamRequest{
 		Network:     N.NetworkTCP,
 		Destination: c.destination,
 	}
 	_buffer := buf.StackNewSize(requestLen(request) + len(b))
 	defer common.KeepAlive(_buffer)
 	buffer := common.Dup(_buffer)
 	defer buffer.Release()
 	EncodeStreamRequest(request, buffer)
 	buffer.Write(b)
 	_, err = c.Conn.Write(buffer.Bytes())
 	if err != nil {
 		return
 	}
 	c.requestWrite = true
 	return len(b), nil
 }
 func (c *ClientConn) ReadFrom(r io.Reader) (n int64, err error) {
 	if !c.requestWrite {
 		return bufio.ReadFrom0(c, r)
 	}
 	return bufio.Copy(c.Conn, r)
 }
 func (c *ClientConn) WriteTo(w io.Writer) (n int64, err error) {
 	if !c.responseRead {
 		return bufio.WriteTo0(c, w)
 	}
 	return bufio.Copy(w, c.Conn)
 }
 func (c *ClientConn) LocalAddr() net.Addr {
 	return c.Conn.LocalAddr()
 }
 func (c *ClientConn) RemoteAddr() net.Addr {
 	return c.destination.TCPAddr()
 }
 func (c *ClientConn) ReaderReplaceable() bool {
 	return c.responseRead
 }
 func (c *ClientConn) WriterReplaceable() bool {
 	return c.requestWrite
 }
 func (c *ClientConn) Upstream() any {
 	return c.Conn
 }
 type ClientPacketConn struct {
 	N.ExtendedConn
 	destination  M.Socksaddr
 	requestWrite bool
 	responseRead bool
 }
 func (c *ClientPacketConn) readResponse() error {
 	response, err := ReadStreamResponse(c.ExtendedConn)
 	if err != nil {
 		return err
 	}
 	if response.Status == statusError {
 		return E.New("remote error: ", response.Message)
 	}
 	return nil
 }
 func (c *ClientPacketConn) Read(b []byte) (n int, err error) {
 	if !c.responseRead {
 		err = c.readResponse()
 		if err != nil {
 			return
 		}
 		c.responseRead = true
 	}
 	var length uint16
 	err = binary.Read(c.ExtendedConn, binary.BigEndian, &length)
 	if err != nil {
 		return
 	}
 	if cap(b) < int(length) {
 		return 0, io.ErrShortBuffer
 	}
 	return io.ReadFull(c.ExtendedConn, b[:length])
 }
 func (c *ClientPacketConn) writeRequest(payload []byte) (n int, err error) {
 	request := StreamRequest{
 		Network:     N.NetworkUDP,
 		Destination: c.destination,
 	}
 	rLen := requestLen(request)
 	if len(payload) > 0 {
 		rLen += 2 + len(payload)
 	}
 	_buffer := buf.StackNewSize(rLen)
 	defer common.KeepAlive(_buffer)
 	buffer := common.Dup(_buffer)
 	defer buffer.Release()
 	EncodeStreamRequest(request, buffer)
 	if len(payload) > 0 {
 		common.Must(
 			binary.Write(buffer, binary.BigEndian, uint16(len(payload))),
 			common.Error(buffer.Write(payload)),
 		)
 	}
 	_, err = c.ExtendedConn.Write(buffer.Bytes())
 	if err != nil {
 		return
 	}
 	c.requestWrite = true
 	return len(payload), nil
 }
 func (c *ClientPacketConn) Write(b []byte) (n int, err error) {
 	if !c.requestWrite {
 		return c.writeRequest(b)
 	}
 	err = binary.Write(c.ExtendedConn, binary.BigEndian, uint16(len(b)))
 	if err != nil {
 		return
 	}
 	return c.ExtendedConn.Write(b)
 }
 func (c *ClientPacketConn) ReadBuffer(buffer *buf.Buffer) (err error) {
 	if !c.responseRead {
 		err = c.readResponse()
 		if err != nil {
 			return
 		}
 		c.responseRead = true
 	}
 	var length uint16
 	err = binary.Read(c.ExtendedConn, binary.BigEndian, &length)
 	if err != nil {
 		return
 	}
 	_, err = buffer.ReadFullFrom(c.ExtendedConn, int(length))
 	return
 }
 func (c *ClientPacketConn) WriteBuffer(buffer *buf.Buffer) error {
 	if !c.requestWrite {
 		defer buffer.Release()
 		return common.Error(c.writeRequest(buffer.Bytes()))
 	}
 	bLen := buffer.Len()
 	binary.BigEndian.PutUint16(buffer.ExtendHeader(2), uint16(bLen))
 	return c.ExtendedConn.WriteBuffer(buffer)
 }
 func (c *ClientPacketConn) FrontHeadroom() int {
 	return 2
 }
 func (c *ClientPacketConn) ReadPacket(buffer *buf.Buffer) (destination M.Socksaddr, err error) {
 	err = c.ReadBuffer(buffer)
 	return
 }
 func (c *ClientPacketConn) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
 	return c.WriteBuffer(buffer)
 }
 func (c *ClientPacketConn) LocalAddr() net.Addr {
 	return c.ExtendedConn.LocalAddr()
 }
 func (c *ClientPacketConn) RemoteAddr() net.Addr {
 	return c.destination.UDPAddr()
 }
 func (c *ClientPacketConn) Upstream() any {
 	return c.ExtendedConn
 }
 var _ N.NetPacketConn = (*ClientPacketAddrConn)(nil)
 type ClientPacketAddrConn struct {
 	N.ExtendedConn
 	destination  M.Socksaddr
 	requestWrite bool
 	responseRead bool
 }
 func (c *ClientPacketAddrConn) readResponse() error {
 	response, err := ReadStreamResponse(c.ExtendedConn)
 	if err != nil {
 		return err
 	}
 	if response.Status == statusError {
 		return E.New("remote error: ", response.Message)
 	}
 	return nil
 }
 func (c *ClientPacketAddrConn) ReadFrom(p []byte) (n int, addr net.Addr, err error) {
 	if !c.responseRead {
 		err = c.readResponse()
 		if err != nil {
 			return
 		}
 		c.responseRead = true
 	}
 	destination, err := M.SocksaddrSerializer.ReadAddrPort(c.ExtendedConn)
 	if err != nil {
 		return
 	}
 	addr = destination.UDPAddr()
 	var length uint16
 	err = binary.Read(c.ExtendedConn, binary.BigEndian, &length)
 	if err != nil {
 		return
 	}
 	if cap(p) < int(length) {
 		return 0, nil, io.ErrShortBuffer
 	}
 	n, err = io.ReadFull(c.ExtendedConn, p[:length])
 	return
 }
 func (c *ClientPacketAddrConn) writeRequest(payload []byte, destination M.Socksaddr) (n int, err error) {
 	request := StreamRequest{
 		Network:     N.NetworkUDP,
 		Destination: c.destination,
 		PacketAddr:  true,
 	}
 	rLen := requestLen(request)
 	if len(payload) > 0 {
 		rLen += M.SocksaddrSerializer.AddrPortLen(destination) + 2 + len(payload)
 	}
 	_buffer := buf.StackNewSize(rLen)
 	defer common.KeepAlive(_buffer)
 	buffer := common.Dup(_buffer)
 	defer buffer.Release()
 	EncodeStreamRequest(request, buffer)
 	if len(payload) > 0 {
 		common.Must(
 			M.SocksaddrSerializer.WriteAddrPort(buffer, destination),
 			binary.Write(buffer, binary.BigEndian, uint16(len(payload))),
 			common.Error(buffer.Write(payload)),
 		)
 	}
 	_, err = c.ExtendedConn.Write(buffer.Bytes())
 	if err != nil {
 		return
 	}
 	c.requestWrite = true
 	return len(payload), nil
 }
 func (c *ClientPacketAddrConn) WriteTo(p []byte, addr net.Addr) (n int, err error) {
 	if !c.requestWrite {
 		return c.writeRequest(p, M.SocksaddrFromNet(addr))
 	}
 	err = M.SocksaddrSerializer.WriteAddrPort(c.ExtendedConn, M.SocksaddrFromNet(addr))
 	if err != nil {
 		return
 	}
 	err = binary.Write(c.ExtendedConn, binary.BigEndian, uint16(len(p)))
 	if err != nil {
 		return
 	}
 	return c.ExtendedConn.Write(p)
 }
 func (c *ClientPacketAddrConn) ReadPacket(buffer *buf.Buffer) (destination M.Socksaddr, err error) {
 	if !c.responseRead {
 		err = c.readResponse()
 		if err != nil {
 			return
 		}
 		c.responseRead = true
 	}
 	destination, err = M.SocksaddrSerializer.ReadAddrPort(c.ExtendedConn)
 	if err != nil {
 		return
 	}
 	var length uint16
 	err = binary.Read(c.ExtendedConn, binary.BigEndian, &length)
 	if err != nil {
 		return
 	}
 	_, err = buffer.ReadFullFrom(c.ExtendedConn, int(length))
 	return
 }
 func (c *ClientPacketAddrConn) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
 	if !c.requestWrite {
 		defer buffer.Release()
 		return common.Error(c.writeRequest(buffer.Bytes(), destination))
 	}
 	bLen := buffer.Len()
 	header := buf.With(buffer.ExtendHeader(M.SocksaddrSerializer.AddrPortLen(destination) + 2))
 	common.Must(
 		M.SocksaddrSerializer.WriteAddrPort(header, destination),
 		binary.Write(header, binary.BigEndian, uint16(bLen)),
 	)
 	return c.ExtendedConn.WriteBuffer(buffer)
 }
 func (c *ClientPacketAddrConn) LocalAddr() net.Addr {
 	return c.ExtendedConn.LocalAddr()
 }
 func (c *ClientPacketAddrConn) FrontHeadroom() int {
 	return 2 + M.MaxSocksaddrLength
 }
 func (c *ClientPacketAddrConn) Upstream() any {
 	return c.ExtendedConn
 }
--- a/common/mux/protocol.go
+++ b/common/mux/protocol.go
@@ -0,0 +1,240 @@
 package mux
 import (
 	"encoding/binary"
 	"io"
 	"net"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/rw"
 	"github.com/sagernet/smux"
 	"github.com/hashicorp/yamux"
 )
 var Destination = M.Socksaddr{
 	Fqdn: "sp.mux.sing-box.arpa",
 	Port: 444,
 }
 const (
 	ProtocolSMux Protocol = iota
 	ProtocolYAMux
 )
 type Protocol byte
 func ParseProtocol(name string) (Protocol, error) {
 	switch name {
 	case "", "smux":
 		return ProtocolSMux, nil
 	case "yamux":
 		return ProtocolYAMux, nil
 	default:
 		return ProtocolYAMux, E.New("unknown multiplex protocol: ", name)
 	}
 }
 func (p Protocol) newServer(conn net.Conn) (abstractSession, error) {
 	switch p {
 	case ProtocolSMux:
 		session, err := smux.Server(conn, smuxConfig())
 		if err != nil {
 			return nil, err
 		}
 		return &smuxSession{session}, nil
 	case ProtocolYAMux:
 		return yamux.Server(conn, yaMuxConfig())
 	default:
 		panic("unknown protocol")
 	}
 }
 func (p Protocol) newClient(conn net.Conn) (abstractSession, error) {
 	switch p {
 	case ProtocolSMux:
 		session, err := smux.Client(conn, smuxConfig())
 		if err != nil {
 			return nil, err
 		}
 		return &smuxSession{session}, nil
 	case ProtocolYAMux:
 		return yamux.Client(conn, yaMuxConfig())
 	default:
 		panic("unknown protocol")
 	}
 }
 func smuxConfig() *smux.Config {
 	config := smux.DefaultConfig()
 	config.KeepAliveDisabled = true
 	return config
 }
 func yaMuxConfig() *yamux.Config {
 	config := yamux.DefaultConfig()
 	config.LogOutput = io.Discard
 	config.StreamCloseTimeout = C.TCPTimeout
 	config.StreamOpenTimeout = C.TCPTimeout
 	return config
 }
 func (p Protocol) String() string {
 	switch p {
 	case ProtocolSMux:
 		return "smux"
 	case ProtocolYAMux:
 		return "yamux"
 	default:
 		return "unknown"
 	}
 }
 const (
 	version0 = 0
 )
 type Request struct {
 	Protocol Protocol
 }
 func ReadRequest(reader io.Reader) (*Request, error) {
 	version, err := rw.ReadByte(reader)
 	if err != nil {
 		return nil, err
 	}
 	if version != version0 {
 		return nil, E.New("unsupported version: ", version)
 	}
 	protocol, err := rw.ReadByte(reader)
 	if err != nil {
 		return nil, err
 	}
 	if protocol > byte(ProtocolYAMux) {
 		return nil, E.New("unsupported protocol: ", protocol)
 	}
 	return &Request{Protocol: Protocol(protocol)}, nil
 }
 func EncodeRequest(buffer *buf.Buffer, request Request) {
 	buffer.WriteByte(version0)
 	buffer.WriteByte(byte(request.Protocol))
 }
 const (
 	flagUDP       = 1
 	flagAddr      = 2
 	statusSuccess = 0
 	statusError   = 1
 )
 type StreamRequest struct {
 	Network     string
 	Destination M.Socksaddr
 	PacketAddr  bool
 }
 func ReadStreamRequest(reader io.Reader) (*StreamRequest, error) {
 	var flags uint16
 	err := binary.Read(reader, binary.BigEndian, &flags)
 	if err != nil {
 		return nil, err
 	}
 	destination, err := M.SocksaddrSerializer.ReadAddrPort(reader)
 	if err != nil {
 		return nil, err
 	}
 	var network string
 	var udpAddr bool
 	if flags&flagUDP == 0 {
 		network = N.NetworkTCP
 	} else {
 		network = N.NetworkUDP
 		udpAddr = flags&flagAddr != 0
 	}
 	return &StreamRequest{network, destination, udpAddr}, nil
 }
 func requestLen(request StreamRequest) int {
 	var rLen int
 	rLen += 1 // version
 	rLen += 2 // flags
 	rLen += M.SocksaddrSerializer.AddrPortLen(request.Destination)
 	return rLen
 }
 func EncodeStreamRequest(request StreamRequest, buffer *buf.Buffer) {
 	destination := request.Destination
 	var flags uint16
 	if request.Network == N.NetworkUDP {
 		flags |= flagUDP
 	}
 	if request.PacketAddr {
 		flags |= flagAddr
 		if !destination.IsValid() {
 			destination = Destination
 		}
 	}
 	common.Must(
 		binary.Write(buffer, binary.BigEndian, flags),
 		M.SocksaddrSerializer.WriteAddrPort(buffer, destination),
 	)
 }
 type StreamResponse struct {
 	Status  uint8
 	Message string
 }
 func ReadStreamResponse(reader io.Reader) (*StreamResponse, error) {
 	var response StreamResponse
 	status, err := rw.ReadByte(reader)
 	if err != nil {
 		return nil, err
 	}
 	response.Status = status
 	if status == statusError {
 		response.Message, err = rw.ReadVString(reader)
 		if err != nil {
 			return nil, err
 		}
 	}
 	return &response, nil
 }
 type wrapStream struct {
 	net.Conn
 }
 func (w *wrapStream) Read(p []byte) (n int, err error) {
 	n, err = w.Conn.Read(p)
 	err = wrapError(err)
 	return
 }
 func (w *wrapStream) Write(p []byte) (n int, err error) {
 	n, err = w.Conn.Write(p)
 	err = wrapError(err)
 	return
 }
 func (w *wrapStream) WriteIsThreadUnsafe() {
 }
 func (w *wrapStream) Upstream() any {
 	return w.Conn
 }
 func wrapError(err error) error {
 	switch err {
 	case yamux.ErrStreamClosed:
 		return io.EOF
 	default:
 		return err
 	}
 }
--- a/common/mux/router.go
+++ b/common/mux/router.go
@@ -1,65 +0,0 @@
 package mux
 import (
 	"context"
 	"net"
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-mux"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/logger"
 	N "github.com/sagernet/sing/common/network"
 )
 type Router struct {
 	router  adapter.ConnectionRouter
 	service *mux.Service
 }
 func NewRouterWithOptions(router adapter.ConnectionRouter, logger logger.ContextLogger, options option.InboundMultiplexOptions) (adapter.ConnectionRouter, error) {
 	if !options.Enabled {
 		return router, nil
 	}
 	var brutalOptions mux.BrutalOptions
 	if options.Brutal != nil && options.Brutal.Enabled {
 		brutalOptions = mux.BrutalOptions{
 			Enabled:    true,
 			SendBPS:    uint64(options.Brutal.UpMbps * C.MbpsToBps),
 			ReceiveBPS: uint64(options.Brutal.DownMbps * C.MbpsToBps),
 		}
 		if brutalOptions.SendBPS < mux.BrutalMinSpeedBPS {
 			return nil, E.New("brutal: invalid upload speed")
 		}
 		if brutalOptions.ReceiveBPS < mux.BrutalMinSpeedBPS {
 			return nil, E.New("brutal: invalid download speed")
 		}
 	}
 	service, err := mux.NewService(mux.ServiceOptions{
 		NewStreamContext: func(ctx context.Context, conn net.Conn) context.Context {
 			return log.ContextWithNewID(ctx)
 		},
 		Logger:  logger,
 		Handler: adapter.NewRouteContextHandler(router, logger),
 		Padding: options.Padding,
 		Brutal:  brutalOptions,
 	})
 	if err != nil {
 		return nil, err
 	}
 	return &Router{router, service}, nil
 }
 func (r *Router) RouteConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
 	if metadata.Destination == mux.Destination {
 		return r.service.NewConnection(adapter.WithContext(ctx, &metadata), conn, adapter.UpstreamMetadata(metadata))
 	} else {
 		return r.router.RouteConnection(ctx, conn, metadata)
 	}
 }
 func (r *Router) RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
 	return r.router.RoutePacketConnection(ctx, conn, metadata)
 }
--- a/common/mux/service.go
+++ b/common/mux/service.go
@@ -0,0 +1,257 @@
 package mux
 import (
 	"context"
 	"encoding/binary"
 	"net"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
 	"github.com/sagernet/sing/common/bufio"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/rw"
 	"github.com/sagernet/sing/common/task"
 )
 func NewConnection(ctx context.Context, router adapter.Router, errorHandler E.Handler, logger log.ContextLogger, conn net.Conn, metadata adapter.InboundContext) error {
 	request, err := ReadRequest(conn)
 	if err != nil {
 		return err
 	}
 	session, err := request.Protocol.newServer(conn)
 	if err != nil {
 		return err
 	}
 	var group task.Group
 	group.Append0(func(ctx context.Context) error {
 		var stream net.Conn
 		for {
 			stream, err = session.Accept()
 			if err != nil {
 				return err
 			}
 			go newConnection(ctx, router, errorHandler, logger, stream, metadata)
 		}
 	})
 	group.Cleanup(func() {
 		session.Close()
 	})
 	return group.Run(ctx)
 }
 func newConnection(ctx context.Context, router adapter.Router, errorHandler E.Handler, logger log.ContextLogger, stream net.Conn, metadata adapter.InboundContext) {
 	stream = &wrapStream{stream}
 	request, err := ReadStreamRequest(stream)
 	if err != nil {
 		logger.ErrorContext(ctx, err)
 		return
 	}
 	metadata.Destination = request.Destination
 	if request.Network == N.NetworkTCP {
 		logger.InfoContext(ctx, "inbound multiplex connection to ", metadata.Destination)
 		hErr := router.RouteConnection(ctx, &ServerConn{ExtendedConn: bufio.NewExtendedConn(stream)}, metadata)
 		stream.Close()
 		if hErr != nil {
 			errorHandler.NewError(ctx, hErr)
 		}
 	} else {
 		var packetConn N.PacketConn
 		if !request.PacketAddr {
 			logger.InfoContext(ctx, "inbound multiplex packet connection to ", metadata.Destination)
 			packetConn = &ServerPacketConn{ExtendedConn: bufio.NewExtendedConn(stream), destination: request.Destination}
 		} else {
 			logger.InfoContext(ctx, "inbound multiplex packet connection")
 			packetConn = &ServerPacketAddrConn{ExtendedConn: bufio.NewExtendedConn(stream)}
 		}
 		hErr := router.RoutePacketConnection(ctx, packetConn, metadata)
 		stream.Close()
 		if hErr != nil {
 			errorHandler.NewError(ctx, hErr)
 		}
 	}
 }
 var _ N.HandshakeConn = (*ServerConn)(nil)
 type ServerConn struct {
 	N.ExtendedConn
 	responseWrite bool
 }
 func (c *ServerConn) HandshakeFailure(err error) error {
 	errMessage := err.Error()
 	_buffer := buf.StackNewSize(1 + rw.UVariantLen(uint64(len(errMessage))) + len(errMessage))
 	defer common.KeepAlive(_buffer)
 	buffer := common.Dup(_buffer)
 	defer buffer.Release()
 	common.Must(
 		buffer.WriteByte(statusError),
 		rw.WriteVString(_buffer, errMessage),
 	)
 	return c.ExtendedConn.WriteBuffer(buffer)
 }
 func (c *ServerConn) Write(b []byte) (n int, err error) {
 	if c.responseWrite {
 		return c.ExtendedConn.Write(b)
 	}
 	_buffer := buf.StackNewSize(1 + len(b))
 	defer common.KeepAlive(_buffer)
 	buffer := common.Dup(_buffer)
 	defer buffer.Release()
 	common.Must(
 		buffer.WriteByte(statusSuccess),
 		common.Error(buffer.Write(b)),
 	)
 	_, err = c.ExtendedConn.Write(buffer.Bytes())
 	if err != nil {
 		return
 	}
 	c.responseWrite = true
 	return len(b), nil
 }
 func (c *ServerConn) WriteBuffer(buffer *buf.Buffer) error {
 	if c.responseWrite {
 		return c.ExtendedConn.WriteBuffer(buffer)
 	}
 	buffer.ExtendHeader(1)[0] = statusSuccess
 	c.responseWrite = true
 	return c.ExtendedConn.WriteBuffer(buffer)
 }
 func (c *ServerConn) FrontHeadroom() int {
 	if !c.responseWrite {
 		return 1
 	}
 	return 0
 }
 func (c *ServerConn) Upstream() any {
 	return c.ExtendedConn
 }
 var (
 	_ N.HandshakeConn = (*ServerPacketConn)(nil)
 	_ N.PacketConn    = (*ServerPacketConn)(nil)
 )
 type ServerPacketConn struct {
 	N.ExtendedConn
 	destination   M.Socksaddr
 	responseWrite bool
 }
 func (c *ServerPacketConn) HandshakeFailure(err error) error {
 	errMessage := err.Error()
 	_buffer := buf.StackNewSize(1 + rw.UVariantLen(uint64(len(errMessage))) + len(errMessage))
 	defer common.KeepAlive(_buffer)
 	buffer := common.Dup(_buffer)
 	defer buffer.Release()
 	common.Must(
 		buffer.WriteByte(statusError),
 		rw.WriteVString(_buffer, errMessage),
 	)
 	return c.ExtendedConn.WriteBuffer(buffer)
 }
 func (c *ServerPacketConn) ReadPacket(buffer *buf.Buffer) (destination M.Socksaddr, err error) {
 	var length uint16
 	err = binary.Read(c.ExtendedConn, binary.BigEndian, &length)
 	if err != nil {
 		return
 	}
 	_, err = buffer.ReadFullFrom(c.ExtendedConn, int(length))
 	if err != nil {
 		return
 	}
 	destination = c.destination
 	return
 }
 func (c *ServerPacketConn) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
 	pLen := buffer.Len()
 	common.Must(binary.Write(buf.With(buffer.ExtendHeader(2)), binary.BigEndian, uint16(pLen)))
 	if !c.responseWrite {
 		buffer.ExtendHeader(1)[0] = statusSuccess
 		c.responseWrite = true
 	}
 	return c.ExtendedConn.WriteBuffer(buffer)
 }
 func (c *ServerPacketConn) Upstream() any {
 	return c.ExtendedConn
 }
 func (c *ServerPacketConn) FrontHeadroom() int {
 	if !c.responseWrite {
 		return 3
 	}
 	return 2
 }
 var (
 	_ N.HandshakeConn = (*ServerPacketAddrConn)(nil)
 	_ N.PacketConn    = (*ServerPacketAddrConn)(nil)
 )
 type ServerPacketAddrConn struct {
 	N.ExtendedConn
 	responseWrite bool
 }
 func (c *ServerPacketAddrConn) HandshakeFailure(err error) error {
 	errMessage := err.Error()
 	_buffer := buf.StackNewSize(1 + rw.UVariantLen(uint64(len(errMessage))) + len(errMessage))
 	defer common.KeepAlive(_buffer)
 	buffer := common.Dup(_buffer)
 	defer buffer.Release()
 	common.Must(
 		buffer.WriteByte(statusError),
 		rw.WriteVString(_buffer, errMessage),
 	)
 	return c.ExtendedConn.WriteBuffer(buffer)
 }
 func (c *ServerPacketAddrConn) ReadPacket(buffer *buf.Buffer) (destination M.Socksaddr, err error) {
 	destination, err = M.SocksaddrSerializer.ReadAddrPort(c.ExtendedConn)
 	if err != nil {
 		return
 	}
 	var length uint16
 	err = binary.Read(c.ExtendedConn, binary.BigEndian, &length)
 	if err != nil {
 		return
 	}
 	_, err = buffer.ReadFullFrom(c.ExtendedConn, int(length))
 	if err != nil {
 		return
 	}
 	return
 }
 func (c *ServerPacketAddrConn) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
 	pLen := buffer.Len()
 	common.Must(binary.Write(buf.With(buffer.ExtendHeader(2)), binary.BigEndian, uint16(pLen)))
 	common.Must(M.SocksaddrSerializer.WriteAddrPort(buf.With(buffer.ExtendHeader(M.SocksaddrSerializer.AddrPortLen(destination))), destination))
 	if !c.responseWrite {
 		buffer.ExtendHeader(1)[0] = statusSuccess
 		c.responseWrite = true
 	}
 	return c.ExtendedConn.WriteBuffer(buffer)
 }
 func (c *ServerPacketAddrConn) Upstream() any {
 	return c.ExtendedConn
 }
 func (c *ServerPacketAddrConn) FrontHeadroom() int {
 	if !c.responseWrite {
 		return 3 + M.MaxSocksaddrLength
 	}
 	return 2 + M.MaxSocksaddrLength
 }
--- a/common/mux/session.go
+++ b/common/mux/session.go
@@ -0,0 +1,91 @@
 package mux
 import (
 	"io"
 	"net"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
 	"github.com/sagernet/sing/common/bufio"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/smux"
 )
 type abstractSession interface {
 	Open() (net.Conn, error)
 	Accept() (net.Conn, error)
 	NumStreams() int
 	Close() error
 	IsClosed() bool
 }
 var _ abstractSession = (*smuxSession)(nil)
 type smuxSession struct {
 	*smux.Session
 }
 func (s *smuxSession) Open() (net.Conn, error) {
 	return s.OpenStream()
 }
 func (s *smuxSession) Accept() (net.Conn, error) {
 	return s.AcceptStream()
 }
 type protocolConn struct {
 	net.Conn
 	protocol        Protocol
 	protocolWritten bool
 }
 func (c *protocolConn) Write(p []byte) (n int, err error) {
 	if c.protocolWritten {
 		return c.Conn.Write(p)
 	}
 	_buffer := buf.StackNewSize(2 + len(p))
 	defer common.KeepAlive(_buffer)
 	buffer := common.Dup(_buffer)
 	defer buffer.Release()
 	EncodeRequest(buffer, Request{
 		Protocol: c.protocol,
 	})
 	common.Must(common.Error(buffer.Write(p)))
 	n, err = c.Conn.Write(buffer.Bytes())
 	if err == nil {
 		n--
 	}
 	c.protocolWritten = true
 	return n, err
 }
 func (c *protocolConn) ReadFrom(r io.Reader) (n int64, err error) {
 	if !c.protocolWritten {
 		return bufio.ReadFrom0(c, r)
 	}
 	return bufio.Copy(c.Conn, r)
 }
 func (c *protocolConn) Upstream() any {
 	return c.Conn
 }
 type vectorisedProtocolConn struct {
 	protocolConn
 	N.VectorisedWriter
 }
 func (c *vectorisedProtocolConn) WriteVectorised(buffers []*buf.Buffer) error {
 	if c.protocolWritten {
 		return c.VectorisedWriter.WriteVectorised(buffers)
 	}
 	c.protocolWritten = true
 	_buffer := buf.StackNewSize(2)
 	defer common.KeepAlive(_buffer)
 	buffer := common.Dup(_buffer)
 	defer buffer.Release()
 	EncodeRequest(buffer, Request{
 		Protocol: c.protocol,
 	})
 	return c.VectorisedWriter.WriteVectorised(append([]*buf.Buffer{buffer}, buffers...))
 }
--- a/common/mux/v2ray_legacy.go
+++ b/common/mux/v2ray_legacy.go
@@ -1,32 +0,0 @@
 package mux
 import (
 	"context"
 	"net"
 	"github.com/sagernet/sing-box/adapter"
 	vmess "github.com/sagernet/sing-vmess"
 	"github.com/sagernet/sing/common/logger"
 	N "github.com/sagernet/sing/common/network"
 )
 type V2RayLegacyRouter struct {
 	router adapter.ConnectionRouter
 	logger logger.ContextLogger
 }
 func NewV2RayLegacyRouter(router adapter.ConnectionRouter, logger logger.ContextLogger) adapter.ConnectionRouter {
 	return &V2RayLegacyRouter{router, logger}
 }
 func (r *V2RayLegacyRouter) RouteConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
 	if metadata.Destination.Fqdn == vmess.MuxDestination.Fqdn {
 		r.logger.InfoContext(ctx, "inbound legacy multiplex connection")
 		return vmess.HandleMuxConnection(ctx, conn, adapter.NewRouteHandler(metadata, r.router, r.logger))
 	}
 	return r.router.RouteConnection(ctx, conn, metadata)
 }
 func (r *V2RayLegacyRouter) RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
 	return r.router.RoutePacketConnection(ctx, conn, metadata)
 }
--- a/common/process/searcher.go
+++ b/common/process/searcher.go
@@ -3,12 +3,10 @@ package process
 import (
 	"context"
 	"net/netip"
 	"os/user"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-tun"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
 )
 type Searcher interface {
@@ -30,15 +28,5 @@ type Info struct {
 }
 func FindProcessInfo(searcher Searcher, ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*Info, error) {
-	info, err := searcher.FindProcessInfo(ctx, network, source, destination)
+	return findProcessInfo(searcher, ctx, network, source, destination)
 	if err != nil {
 		return nil, err
 	}
 	if info.UserId != -1 {
 		osUser, _ := user.LookupId(F.ToString(info.UserId))
 		if osUser != nil {
 			info.User = osUser.Username
 		}
 	}
 	return info, nil
 }
--- a/common/process/searcher_linux_shared.go
+++ b/common/process/searcher_linux_shared.go
@@ -15,6 +15,7 @@ import (
 	"unicode"
 	"unsafe"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
 	N "github.com/sagernet/sing/common/network"
@@ -81,7 +82,9 @@ func resolveSocketByNetlink(network string, source netip.AddrPort, destination n
 		return 0, 0, E.Cause(err, "write netlink request")
 	}
-	buffer := buf.New()
+	_buffer := buf.StackNew()
 	defer common.KeepAlive(_buffer)
 	buffer := common.Dup(_buffer)
 	defer buffer.Release()
 	n, err := syscall.Read(socket, buffer.FreeBytes())
--- a/common/process/searcher_with_name.go
+++ b/common/process/searcher_with_name.go
@@ -0,0 +1,25 @@
 //go:build linux && !android
 package process
 import (
 	"context"
 	"net/netip"
 	"os/user"
 	F "github.com/sagernet/sing/common/format"
 )
 func findProcessInfo(searcher Searcher, ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*Info, error) {
 	info, err := searcher.FindProcessInfo(ctx, network, source, destination)
 	if err != nil {
 		return nil, err
 	}
 	if info.UserId != -1 {
 		osUser, _ := user.LookupId(F.ToString(info.UserId))
 		if osUser != nil {
 			info.User = osUser.Username
 		}
 	}
 	return info, nil
 }
--- a/common/process/searcher_without_name.go
+++ b/common/process/searcher_without_name.go
@@ -0,0 +1,12 @@
 //go:build !linux || android
 package process
 import (
 	"context"
 	"net/netip"
 )
 func findProcessInfo(searcher Searcher, ctx context.Context, network string, source netip.AddrPort, destination netip.AddrPort) (*Info, error) {
 	return searcher.FindProcessInfo(ctx, network, source, destination)
 }
--- a/common/proxyproto/dialer.go
+++ b/common/proxyproto/dialer.go
@@ -0,0 +1,50 @@
 package proxyproto
 import (
 	"context"
 	"net"
 	"net/netip"
 	"github.com/sagernet/sing-box/adapter"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/pires/go-proxyproto"
 )
 var _ N.Dialer = (*Dialer)(nil)
 type Dialer struct {
 	N.Dialer
 }
 func (d *Dialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
 	switch N.NetworkName(network) {
 	case N.NetworkTCP:
 		conn, err := d.Dialer.DialContext(ctx, network, destination)
 		if err != nil {
 			return nil, err
 		}
 		var source M.Socksaddr
 		metadata := adapter.ContextFrom(ctx)
 		if metadata != nil {
 			source = metadata.Source
 		}
 		if !source.IsValid() {
 			source = M.SocksaddrFromNet(conn.LocalAddr())
 		}
 		if destination.Addr.Is6() {
 			source = M.SocksaddrFrom(netip.AddrFrom16(source.Addr.As16()), source.Port)
 		}
 		h := proxyproto.HeaderProxyFromAddrs(1, source.TCPAddr(), destination.TCPAddr())
 		_, err = h.WriteTo(conn)
 		if err != nil {
 			conn.Close()
 			return nil, E.Cause(err, "write proxy protocol header")
 		}
 		return conn, nil
 	default:
 		return d.Dialer.DialContext(ctx, network, destination)
 	}
 }
--- a/common/proxyproto/listener.go
+++ b/common/proxyproto/listener.go
@@ -0,0 +1,62 @@
 package proxyproto
 import (
 	std_bufio "bufio"
 	"net"
 	"github.com/sagernet/sing/common/buf"
 	"github.com/sagernet/sing/common/bufio"
 	M "github.com/sagernet/sing/common/metadata"
 	"github.com/pires/go-proxyproto"
 )
 type Listener struct {
 	net.Listener
 	AcceptNoHeader bool
 }
 func (l *Listener) Accept() (net.Conn, error) {
 	conn, err := l.Listener.Accept()
 	if err != nil {
 		return nil, err
 	}
 	bufReader := std_bufio.NewReader(conn)
 	header, err := proxyproto.Read(bufReader)
 	if err != nil && !(l.AcceptNoHeader && err == proxyproto.ErrNoProxyProtocol) {
 		return nil, &Error{err}
 	}
 	if bufReader.Buffered() > 0 {
 		cache := buf.NewSize(bufReader.Buffered())
 		_, err = cache.ReadFullFrom(bufReader, cache.FreeLen())
 		if err != nil {
 			return nil, &Error{err}
 		}
 		conn = bufio.NewCachedConn(conn, cache)
 	}
 	if header != nil {
 		return &bufio.AddrConn{Conn: conn, Metadata: M.Metadata{
 			Source:      M.SocksaddrFromNet(header.SourceAddr).Unwrap(),
 			Destination: M.SocksaddrFromNet(header.DestinationAddr).Unwrap(),
 		}}, nil
 	}
 	return conn, nil
 }
 var _ net.Error = (*Error)(nil)
 type Error struct {
 	error
 }
 func (e *Error) Unwrap() error {
 	return e.error
 }
 func (e *Error) Timeout() bool {
 	return false
 }
 func (e *Error) Temporary() bool {
 	return true
 }
--- a/common/settings/proxy_android.go
+++ b/common/settings/proxy_android.go
@@ -1,73 +1,43 @@
 package settings
 import (
 	"context"
 	"os"
 	"strings"
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
 	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/shell"
 )
-type AndroidSystemProxy struct {
+var (
-	useRish      bool
+	useRish  bool
-	rishPath     string
+	rishPath string
-	serverAddr   M.Socksaddr
+)
 	supportSOCKS bool
 	isEnabled    bool
 }
-func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (*AndroidSystemProxy, error) {
+func init() {
 	userId := os.Getuid()
 	var (
 		useRish  bool
 		rishPath string
 	)
 	if userId == 0 || userId == 1000 || userId == 2000 {
 		useRish = false
 	} else {
 		rishPath, useRish = C.FindPath("rish")
 		if !useRish {
 			return nil, E.Cause(os.ErrPermission, "root or system (adb) permission is required for set system proxy")
 		}
 	}
 	return &AndroidSystemProxy{
 		useRish:      useRish,
 		rishPath:     rishPath,
 		serverAddr:   serverAddr,
 		supportSOCKS: supportSOCKS,
 	}, nil
 }
-func (p *AndroidSystemProxy) IsEnabled() bool {
+func runAndroidShell(name string, args ...string) error {
-	return p.isEnabled
+	if !useRish {
 }
 func (p *AndroidSystemProxy) Enable() error {
 	err := p.runAndroidShell("settings", "put", "global", "http_proxy", p.serverAddr.String())
 	if err != nil {
 		return err
 	}
 	p.isEnabled = true
 	return nil
 }
 func (p *AndroidSystemProxy) Disable() error {
 	err := p.runAndroidShell("settings", "put", "global", "http_proxy", ":0")
 	if err != nil {
 		return err
 	}
 	p.isEnabled = false
 	return nil
 }
 func (p *AndroidSystemProxy) runAndroidShell(name string, args ...string) error {
 	if !p.useRish {
 		return shell.Exec(name, args...).Attach().Run()
 	} else {
-		return shell.Exec("sh", p.rishPath, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
+		return shell.Exec("sh", rishPath, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
 	}
 }
 func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
 	err := runAndroidShell("settings", "put", "global", "http_proxy", F.ToString("127.0.0.1:", port))
 	if err != nil {
 		return nil, err
 	}
 	return func() error {
 		return runAndroidShell("settings", "put", "global", "http_proxy", ":0")
 	}, nil
 }
--- a/common/settings/proxy_darwin.go
+++ b/common/settings/proxy_darwin.go
@@ -1,56 +1,56 @@
 package settings
 import (
 	"context"
 	"net/netip"
 	"strconv"
 	"strings"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-tun"
 	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
+	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/shell"
 	"github.com/sagernet/sing/common/x/list"
 )
-type DarwinSystemProxy struct {
+type systemProxy struct {
 	monitor       tun.DefaultInterfaceMonitor
 	interfaceName string
 	element       *list.Element[tun.DefaultInterfaceUpdateCallback]
-	serverAddr    M.Socksaddr
+	port          uint16
-	supportSOCKS  bool
+	isMixed       bool
 	isEnabled     bool
 }
-func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (*DarwinSystemProxy, error) {
+func (p *systemProxy) update(event int) error {
-	interfaceMonitor := adapter.RouterFromContext(ctx).InterfaceMonitor()
+	newInterfaceName := p.monitor.DefaultInterfaceName(netip.IPv4Unspecified())
-	if interfaceMonitor == nil {
+	if p.interfaceName == newInterfaceName {
-		return nil, E.New("missing interface monitor")
+		return nil
 	}
-	proxy := &DarwinSystemProxy{
+	if p.interfaceName != "" {
-		monitor:      interfaceMonitor,
+		_ = p.unset()
 		serverAddr:   serverAddr,
 		supportSOCKS: supportSOCKS,
 	}
-	proxy.element = interfaceMonitor.RegisterCallback(proxy.update)
+	p.interfaceName = newInterfaceName
 	return proxy, nil
 }
 func (p *DarwinSystemProxy) IsEnabled() bool {
 	return p.isEnabled
 }
 func (p *DarwinSystemProxy) Enable() error {
 	return p.update0()
 }
 func (p *DarwinSystemProxy) Disable() error {
 	interfaceDisplayName, err := getInterfaceDisplayName(p.interfaceName)
 	if err != nil {
 		return err
 	}
-	if p.supportSOCKS {
+	if p.isMixed {
 		err = shell.Exec("networksetup", "-setsocksfirewallproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
 	}
 	if err == nil {
 		err = shell.Exec("networksetup", "-setwebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
 	}
 	if err == nil {
 		err = shell.Exec("networksetup", "-setsecurewebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
 	}
 	return err
 }
 func (p *systemProxy) unset() error {
 	interfaceDisplayName, err := getInterfaceDisplayName(p.interfaceName)
 	if err != nil {
 		return err
 	}
 	if p.isMixed {
 		err = shell.Exec("networksetup", "-setsocksfirewallproxystate", interfaceDisplayName, "off").Attach().Run()
 	}
 	if err == nil {
@@ -59,53 +59,9 @@ func (p *DarwinSystemProxy) Disable() error {
 	if err == nil {
 		err = shell.Exec("networksetup", "-setsecurewebproxystate", interfaceDisplayName, "off").Attach().Run()
 	}
 	if err == nil {
 		p.isEnabled = false
 	}
 	return err
 }
 func (p *DarwinSystemProxy) update(event int) {
 	if event&tun.EventInterfaceUpdate == 0 {
 		return
 	}
 	if !p.isEnabled {
 		return
 	}
 	_ = p.update0()
 }
 func (p *DarwinSystemProxy) update0() error {
 	newInterfaceName := p.monitor.DefaultInterfaceName(netip.IPv4Unspecified())
 	if p.interfaceName == newInterfaceName {
 		return nil
 	}
 	if p.interfaceName != "" {
 		_ = p.Disable()
 	}
 	p.interfaceName = newInterfaceName
 	interfaceDisplayName, err := getInterfaceDisplayName(p.interfaceName)
 	if err != nil {
 		return err
 	}
 	if p.supportSOCKS {
 		err = shell.Exec("networksetup", "-setsocksfirewallproxy", interfaceDisplayName, p.serverAddr.AddrString(), strconv.Itoa(int(p.serverAddr.Port))).Attach().Run()
 	}
 	if err != nil {
 		return err
 	}
 	err = shell.Exec("networksetup", "-setwebproxy", interfaceDisplayName, p.serverAddr.AddrString(), strconv.Itoa(int(p.serverAddr.Port))).Attach().Run()
 	if err != nil {
 		return err
 	}
 	err = shell.Exec("networksetup", "-setsecurewebproxy", interfaceDisplayName, p.serverAddr.AddrString(), strconv.Itoa(int(p.serverAddr.Port))).Attach().Run()
 	if err != nil {
 		return err
 	}
 	p.isEnabled = true
 	return nil
 }
 func getInterfaceDisplayName(name string) (string, error) {
 	content, err := shell.Exec("networksetup", "-listallhardwareports").ReadOutput()
 	if err != nil {
@@ -121,3 +77,24 @@ func getInterfaceDisplayName(name string) (string, error) {
 	}
 	return "", E.New(name, " not found in networksetup -listallhardwareports")
 }
 func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
 	interfaceMonitor := router.InterfaceMonitor()
 	if interfaceMonitor == nil {
 		return nil, E.New("missing interface monitor")
 	}
 	proxy := &systemProxy{
 		monitor: interfaceMonitor,
 		port:    port,
 		isMixed: isMixed,
 	}
 	err := proxy.update(tun.EventInterfaceUpdate)
 	if err != nil {
 		return nil, err
 	}
 	proxy.element = interfaceMonitor.RegisterCallback(proxy.update)
 	return func() error {
 		interfaceMonitor.UnregisterCallback(proxy.element)
 		return proxy.unset()
 	}, nil
 }
--- a/common/settings/proxy_linux.go
+++ b/common/settings/proxy_linux.go
@@ -3,161 +3,75 @@
 package settings
 import (
 	"context"
 	"os"
 	"os/exec"
 	"strings"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
 	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/shell"
 )
-type LinuxSystemProxy struct {
+var (
-	hasGSettings     bool
+	hasGSettings bool
-	hasKWriteConfig5 bool
+	sudoUser     string
-	sudoUser         string
+)
 	serverAddr       M.Socksaddr
 	supportSOCKS     bool
 	isEnabled        bool
 }
-func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (*LinuxSystemProxy, error) {
+func init() {
-	hasGSettings := common.Error(exec.LookPath("gsettings")) == nil
+	hasGSettings = common.Error(exec.LookPath("gsettings")) == nil
 	hasKWriteConfig5 := common.Error(exec.LookPath("kwriteconfig5")) == nil
 	var sudoUser string
 	if os.Getuid() == 0 {
 		sudoUser = os.Getenv("SUDO_USER")
 	}
 	if !hasGSettings && !hasKWriteConfig5 {
 		return nil, E.New("unsupported desktop environment")
 	}
 	return &LinuxSystemProxy{
 		hasGSettings:     hasGSettings,
 		hasKWriteConfig5: hasKWriteConfig5,
 		sudoUser:         sudoUser,
 		serverAddr:       serverAddr,
 		supportSOCKS:     supportSOCKS,
 	}, nil
 }
-func (p *LinuxSystemProxy) IsEnabled() bool {
+func runAsUser(name string, args ...string) error {
 	return p.isEnabled
 }
 func (p *LinuxSystemProxy) Enable() error {
 	if p.hasGSettings {
 		err := p.runAsUser("gsettings", "set", "org.gnome.system.proxy.http", "enabled", "true")
 		if err != nil {
 			return err
 		}
 		if p.supportSOCKS {
 			err = p.setGnomeProxy("ftp", "http", "https", "socks")
 		} else {
 			err = p.setGnomeProxy("http", "https")
 		}
 		if err != nil {
 			return err
 		}
 		err = p.runAsUser("gsettings", "set", "org.gnome.system.proxy", "use-same-proxy", F.ToString(p.supportSOCKS))
 		if err != nil {
 			return err
 		}
 		err = p.runAsUser("gsettings", "set", "org.gnome.system.proxy", "mode", "manual")
 		if err != nil {
 			return err
 		}
 	}
 	if p.hasKWriteConfig5 {
 		err := p.runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "Proxy Settings", "--key", "ProxyType", "1")
 		if err != nil {
 			return err
 		}
 		if p.supportSOCKS {
 			err = p.setKDEProxy("ftp", "http", "https", "socks")
 		} else {
 			err = p.setKDEProxy("http", "https")
 		}
 		if err != nil {
 			return err
 		}
 		err = p.runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "Proxy Settings", "--key", "Authmode", "0")
 		if err != nil {
 			return err
 		}
 		err = p.runAsUser("dbus-send", "--type=signal", "/KIO/Scheduler", "org.kde.KIO.Scheduler.reparseSlaveConfiguration", "string:''")
 		if err != nil {
 			return err
 		}
 	}
 	p.isEnabled = true
 	return nil
 }
 func (p *LinuxSystemProxy) Disable() error {
 	if p.hasGSettings {
 		err := p.runAsUser("gsettings", "set", "org.gnome.system.proxy", "mode", "none")
 		if err != nil {
 			return err
 		}
 	}
 	if p.hasKWriteConfig5 {
 		err := p.runAsUser("kwriteconfig5", "--file", "kioslaverc", "--group", "Proxy Settings", "--key", "ProxyType", "0")
 		if err != nil {
 			return err
 		}
 		err = p.runAsUser("dbus-send", "--type=signal", "/KIO/Scheduler", "org.kde.KIO.Scheduler.reparseSlaveConfiguration", "string:''")
 		if err != nil {
 			return err
 		}
 	}
 	p.isEnabled = false
 	return nil
 }
 func (p *LinuxSystemProxy) runAsUser(name string, args ...string) error {
 	if os.Getuid() != 0 {
 		return shell.Exec(name, args...).Attach().Run()
-	} else if p.sudoUser != "" {
+	} else if sudoUser != "" {
-		return shell.Exec("su", "-", p.sudoUser, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
+		return shell.Exec("su", "-", sudoUser, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
 	} else {
 		return E.New("set system proxy: unable to set as root")
 	}
 }
-func (p *LinuxSystemProxy) setGnomeProxy(proxyTypes ...string) error {
+func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
-	for _, proxyType := range proxyTypes {
+	if !hasGSettings {
-		err := p.runAsUser("gsettings", "set", "org.gnome.system.proxy."+proxyType, "host", p.serverAddr.AddrString())
+		return nil, E.New("unsupported desktop environment")
 		if err != nil {
 			return err
 		}
 		err = p.runAsUser("gsettings", "set", "org.gnome.system.proxy."+proxyType, "port", F.ToString(p.serverAddr.Port))
 		if err != nil {
 			return err
 		}
 	}
-	return nil
+	err := runAsUser("gsettings", "set", "org.gnome.system.proxy.http", "enabled", "true")
 	if err != nil {
 		return nil, err
 	}
 	if isMixed {
 		err = setGnomeProxy(port, "ftp", "http", "https", "socks")
 	} else {
 		err = setGnomeProxy(port, "http", "https")
 	}
 	if err != nil {
 		return nil, err
 	}
 	err = runAsUser("gsettings", "set", "org.gnome.system.proxy", "use-same-proxy", F.ToString(isMixed))
 	if err != nil {
 		return nil, err
 	}
 	err = runAsUser("gsettings", "set", "org.gnome.system.proxy", "mode", "manual")
 	if err != nil {
 		return nil, err
 	}
 	return func() error {
 		return runAsUser("gsettings", "set", "org.gnome.system.proxy", "mode", "none")
 	}, nil
 }
-func (p *LinuxSystemProxy) setKDEProxy(proxyTypes ...string) error {
+func setGnomeProxy(port uint16, proxyTypes ...string) error {
 	for _, proxyType := range proxyTypes {
-		var proxyUrl string
+		err := runAsUser("gsettings", "set", "org.gnome.system.proxy."+proxyType, "host", "127.0.0.1")
-		if proxyType == "socks" {
+		if err != nil {
-			proxyUrl = "socks://" + p.serverAddr.String()
+			return err
 		} else {
 			proxyUrl = "http://" + p.serverAddr.String()
 		}
-		err := p.runAsUser(
+		err = runAsUser("gsettings", "set", "org.gnome.system.proxy."+proxyType, "port", F.ToString(port))
 			"kwriteconfig5",
 			"--file",
 			"kioslaverc",
 			"--group",
 			"Proxy Settings",
 			"--key", proxyType+"Proxy",
 			proxyUrl,
 		)
 		if err != nil {
 			return err
 		}
--- a/common/settings/proxy_stub.go
+++ b/common/settings/proxy_stub.go
@@ -3,12 +3,11 @@
 package settings
 import (
 	"context"
 	"os"
-	M "github.com/sagernet/sing/common/metadata"
+	"github.com/sagernet/sing-box/adapter"
 )
-func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (SystemProxy, error) {
+func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
 	return nil, os.ErrInvalid
 }
--- a/common/settings/proxy_windows.go
+++ b/common/settings/proxy_windows.go
@@ -1,43 +1,17 @@
 package settings
 import (
-	"context"
+	"github.com/sagernet/sing-box/adapter"
-
+	F "github.com/sagernet/sing/common/format"
 	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/wininet"
 )
-type WindowsSystemProxy struct {
+func SetSystemProxy(router adapter.Router, port uint16, isMixed bool) (func() error, error) {
-	serverAddr   M.Socksaddr
+	err := wininet.SetSystemProxy(F.ToString("http://127.0.0.1:", port), "")
-	supportSOCKS bool
+	if err != nil {
-	isEnabled    bool
+		return nil, err
-}
+	}
-
+	return func() error {
-func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (*WindowsSystemProxy, error) {
+		return wininet.ClearSystemProxy()
 	return &WindowsSystemProxy{
 		serverAddr:   serverAddr,
 		supportSOCKS: supportSOCKS,
 	}, nil
 }
 func (p *WindowsSystemProxy) IsEnabled() bool {
 	return p.isEnabled
 }
 func (p *WindowsSystemProxy) Enable() error {
 	err := wininet.SetSystemProxy("http://"+p.serverAddr.String(), "")
 	if err != nil {
 		return err
 	}
 	p.isEnabled = true
 	return nil
 }
 func (p *WindowsSystemProxy) Disable() error {
 	err := wininet.ClearSystemProxy()
 	if err != nil {
 		return err
 	}
 	p.isEnabled = false
 	return nil
 }
--- a/common/settings/system_proxy.go
+++ b/common/settings/system_proxy.go
@@ -1,7 +0,0 @@
 package settings
 type SystemProxy interface {
 	IsEnabled() bool
 	Enable() error
 	Disable() error
 }
--- a/common/sniff/dns.go
+++ b/common/sniff/dns.go
@@ -26,7 +26,9 @@ func StreamDomainNameQuery(readCtx context.Context, reader io.Reader) (*adapter.
 	if length == 0 {
 		return nil, os.ErrInvalid
 	}
-	buffer := buf.NewSize(int(length))
+	_buffer := buf.StackNewSize(int(length))
 	defer common.KeepAlive(_buffer)
 	buffer := common.Dup(_buffer)
 	defer buffer.Release()
 	readCtx, cancel := context.WithTimeout(readCtx, time.Millisecond*100)
--- a/common/sniff/http.go
+++ b/common/sniff/http.go
@@ -7,7 +7,6 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/protocol/http"
 )
@@ -16,5 +15,5 @@ func HTTPHost(ctx context.Context, reader io.Reader) (*adapter.InboundContext, e
 	if err != nil {
 		return nil, err
 	}
-	return &adapter.InboundContext{Protocol: C.ProtocolHTTP, Domain: M.ParseSocksaddr(request.Host).AddrString()}, nil
+	return &adapter.InboundContext{Protocol: C.ProtocolHTTP, Domain: request.Host}, nil
 }
--- a/common/sniff/http_test.go
+++ b/common/sniff/http_test.go
@@ -1,27 +0,0 @@
 package sniff_test
 import (
 	"context"
 	"strings"
 	"testing"
 	"github.com/sagernet/sing-box/common/sniff"
 	"github.com/stretchr/testify/require"
 )
 func TestSniffHTTP1(t *testing.T) {
 	t.Parallel()
 	pkt := "GET / HTTP/1.1\r\nHost: www.google.com\r\nAccept: */*\r\n\r\n"
 	metadata, err := sniff.HTTPHost(context.Background(), strings.NewReader(pkt))
 	require.NoError(t, err)
 	require.Equal(t, metadata.Domain, "www.google.com")
 }
 func TestSniffHTTP1WithPort(t *testing.T) {
 	t.Parallel()
 	pkt := "GET / HTTP/1.1\r\nHost: www.gov.cn:8080\r\nAccept: */*\r\n\r\n"
 	metadata, err := sniff.HTTPHost(context.Background(), strings.NewReader(pkt))
 	require.NoError(t, err)
 	require.Equal(t, metadata.Domain, "www.gov.cn")
 }
--- a/common/sniff/quic.go
+++ b/common/sniff/quic.go
@@ -182,52 +182,11 @@ func QUICClientHello(ctx context.Context, packet []byte) (*adapter.InboundContex
 			break
 		}
 		switch frameType {
-		case 0x00: // PADDING
+		case 0x0:
 			continue
-		case 0x01: // PING
+		case 0x1:
 			continue
-		case 0x02, 0x03: // ACK
+		case 0x6:
 			_, err = qtls.ReadUvarint(decryptedReader) // Largest Acknowledged
 			if err != nil {
 				return nil, err
 			}
 			_, err = qtls.ReadUvarint(decryptedReader) // ACK Delay
 			if err != nil {
 				return nil, err
 			}
 			ackRangeCount, err := qtls.ReadUvarint(decryptedReader) // ACK Range Count
 			if err != nil {
 				return nil, err
 			}
 			_, err = qtls.ReadUvarint(decryptedReader) // First ACK Range
 			if err != nil {
 				return nil, err
 			}
 			for i := 0; i < int(ackRangeCount); i++ {
 				_, err = qtls.ReadUvarint(decryptedReader) // Gap
 				if err != nil {
 					return nil, err
 				}
 				_, err = qtls.ReadUvarint(decryptedReader) // ACK Range Length
 				if err != nil {
 					return nil, err
 				}
 			}
 			if frameType == 0x03 {
 				_, err = qtls.ReadUvarint(decryptedReader) // ECT0 Count
 				if err != nil {
 					return nil, err
 				}
 				_, err = qtls.ReadUvarint(decryptedReader) // ECT1 Count
 				if err != nil {
 					return nil, err
 				}
 				_, err = qtls.ReadUvarint(decryptedReader) // ECN-CE Count
 				if err != nil {
 					return nil, err
 				}
 			}
 		case 0x06: // CRYPTO
 			var offset uint64
 			offset, err = qtls.ReadUvarint(decryptedReader)
 			if err != nil {
@@ -249,26 +208,8 @@ func QUICClientHello(ctx context.Context, packet []byte) (*adapter.InboundContex
 			if err != nil {
 				return nil, err
 			}
 		case 0x1c: // CONNECTION_CLOSE
 			_, err = qtls.ReadUvarint(decryptedReader) // Error Code
 			if err != nil {
 				return nil, err
 			}
 			_, err = qtls.ReadUvarint(decryptedReader) // Frame Type
 			if err != nil {
 				return nil, err
 			}
 			var length uint64
 			length, err = qtls.ReadUvarint(decryptedReader) // Reason Phrase Length
 			if err != nil {
 				return nil, err
 			}
 			_, err = decryptedReader.Seek(int64(length), io.SeekCurrent) // Reason Phrase
 			if err != nil {
 				return nil, err
 			}
 		default:
-			return nil, os.ErrInvalid
+			// ignore unknown frame type
 		}
 	}
 	tlsHdr := make([]byte, 5)
--- a/common/sniff/sniff.go
+++ b/common/sniff/sniff.go
@@ -22,29 +22,23 @@ func PeekStream(ctx context.Context, conn net.Conn, buffer *buf.Buffer, timeout
 	if timeout == 0 {
 		timeout = C.ReadPayloadTimeout
 	}
-	deadline := time.Now().Add(timeout)
+	err := conn.SetReadDeadline(time.Now().Add(timeout))
 	if err != nil {
 		return nil, err
 	}
 	_, err = buffer.ReadOnceFrom(conn)
 	err = E.Errors(err, conn.SetReadDeadline(time.Time{}))
 	if err != nil {
 		return nil, err
 	}
 	var metadata *adapter.InboundContext
 	var errors []error
-
+	for _, sniffer := range sniffers {
-	for i := 0; i < 3; i++ {
+		metadata, err = sniffer(ctx, bytes.NewReader(buffer.Bytes()))
-		err := conn.SetReadDeadline(deadline)
+		if metadata != nil {
-		if err != nil {
+			return metadata, nil
 			return nil, E.Cause(err, "set read deadline")
 		}
 		_, err = buffer.ReadOnceFrom(conn)
 		err = E.Errors(err, conn.SetReadDeadline(time.Time{}))
 		if err != nil {
 			if i > 0 {
 				break
 			}
 			return nil, E.Cause(err, "read payload")
 		}
 		for _, sniffer := range sniffers {
 			metadata, err := sniffer(ctx, bytes.NewReader(buffer.Bytes()))
 			if metadata != nil {
 				return metadata, nil
 			}
 			errors = append(errors, err)
 		}
 		errors = append(errors, err)
 	}
 	return nil, E.Errors(errors...)
 }
--- a/common/tls/acme.go
+++ b/common/tls/acme.go
@@ -9,13 +9,10 @@ import (
 	"strings"
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/caddyserver/certmagic"
 	"github.com/libdns/alidns"
 	"github.com/libdns/cloudflare"
 	"github.com/mholt/acmez/acme"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
@@ -24,7 +21,6 @@ import (
 type acmeWrapper struct {
 	ctx    context.Context
 	cfg    *certmagic.Config
 	cache  *certmagic.Cache
 	domain []string
 }
@@ -33,7 +29,7 @@ func (w *acmeWrapper) Start() error {
 }
 func (w *acmeWrapper) Close() error {
-	w.cache.Stop()
+	w.cfg.Unmanage(w.domain)
 	return nil
 }
@@ -77,33 +73,14 @@ func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Con
 		AltTLSALPNPort:          int(options.AlternativeTLSPort),
 		Logger:                  config.Logger,
 	}
 	if dnsOptions := options.DNS01Challenge; dnsOptions != nil && dnsOptions.Provider != "" {
 		var solver certmagic.DNS01Solver
 		switch dnsOptions.Provider {
 		case C.DNSProviderAliDNS:
 			solver.DNSProvider = &alidns.Provider{
 				AccKeyID:     dnsOptions.AliDNSOptions.AccessKeyID,
 				AccKeySecret: dnsOptions.AliDNSOptions.AccessKeySecret,
 				RegionID:     dnsOptions.AliDNSOptions.RegionID,
 			}
 		case C.DNSProviderCloudflare:
 			solver.DNSProvider = &cloudflare.Provider{
 				APIToken: dnsOptions.CloudflareOptions.APIToken,
 			}
 		default:
 			return nil, nil, E.New("unsupported ACME DNS01 provider type: " + dnsOptions.Provider)
 		}
 		acmeConfig.DNS01Solver = &solver
 	}
 	if options.ExternalAccount != nil && options.ExternalAccount.KeyID != "" {
 		acmeConfig.ExternalAccount = (*acme.EAB)(options.ExternalAccount)
 	}
 	config.Issuers = []certmagic.Issuer{certmagic.NewACMEIssuer(config, acmeConfig)}
-	cache := certmagic.NewCache(certmagic.CacheOptions{
+	config = certmagic.New(certmagic.NewCache(certmagic.CacheOptions{
 		GetConfigForCert: func(certificate certmagic.Certificate) (*certmagic.Config, error) {
 			return config, nil
 		},
-	})
+	}), *config)
-	config = certmagic.New(cache, *config)
+	return config.TLSConfig(), &acmeWrapper{ctx, config, options.Domain}, nil
 	return config.TLSConfig(), &acmeWrapper{ctx: ctx, cfg: config, cache: cache, domain: options.Domain}, nil
 }
--- a/common/tls/client.go
+++ b/common/tls/client.go
@@ -13,29 +13,29 @@ import (
 	aTLS "github.com/sagernet/sing/common/tls"
 )
-func NewDialerFromOptions(ctx context.Context, router adapter.Router, dialer N.Dialer, serverAddress string, options option.OutboundTLSOptions) (N.Dialer, error) {
+func NewDialerFromOptions(router adapter.Router, dialer N.Dialer, serverAddress string, options option.OutboundTLSOptions) (N.Dialer, error) {
 	if !options.Enabled {
 		return dialer, nil
 	}
-	config, err := NewClient(ctx, serverAddress, options)
+	config, err := NewClient(router, serverAddress, options)
 	if err != nil {
 		return nil, err
 	}
 	return NewDialer(dialer, config), nil
 }
-func NewClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	if !options.Enabled {
 		return nil, nil
 	}
 	if options.ECH != nil && options.ECH.Enabled {
-		return NewECHClient(ctx, serverAddress, options)
+		return NewECHClient(router, serverAddress, options)
 	} else if options.Reality != nil && options.Reality.Enabled {
-		return NewRealityClient(ctx, serverAddress, options)
+		return NewRealityClient(router, serverAddress, options)
 	} else if options.UTLS != nil && options.UTLS.Enabled {
-		return NewUTLSClient(ctx, serverAddress, options)
+		return NewUTLSClient(router, serverAddress, options)
 	} else {
-		return NewSTDClient(ctx, serverAddress, options)
+		return NewSTDClient(router, serverAddress, options)
 	}
 }
--- a/common/tls/ech_client.go
+++ b/common/tls/ech_client.go
@@ -7,53 +7,50 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/base64"
 	"encoding/pem"
 	"net"
 	"net/netip"
 	"os"
 	"strings"
 	cftls "github.com/sagernet/cloudflare-tls"
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-dns"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/ntp"
 	mDNS "github.com/miekg/dns"
 )
-type echClientConfig struct {
+type ECHClientConfig struct {
 	config *cftls.Config
 }
-func (c *echClientConfig) ServerName() string {
+func (e *ECHClientConfig) ServerName() string {
-	return c.config.ServerName
+	return e.config.ServerName
 }
-func (c *echClientConfig) SetServerName(serverName string) {
+func (e *ECHClientConfig) SetServerName(serverName string) {
-	c.config.ServerName = serverName
+	e.config.ServerName = serverName
 }
-func (c *echClientConfig) NextProtos() []string {
+func (e *ECHClientConfig) NextProtos() []string {
-	return c.config.NextProtos
+	return e.config.NextProtos
 }
-func (c *echClientConfig) SetNextProtos(nextProto []string) {
+func (e *ECHClientConfig) SetNextProtos(nextProto []string) {
-	c.config.NextProtos = nextProto
+	e.config.NextProtos = nextProto
 }
-func (c *echClientConfig) Config() (*STDConfig, error) {
+func (e *ECHClientConfig) Config() (*STDConfig, error) {
 	return nil, E.New("unsupported usage for ECH")
 }
-func (c *echClientConfig) Client(conn net.Conn) (Conn, error) {
+func (e *ECHClientConfig) Client(conn net.Conn) (Conn, error) {
-	return &echConnWrapper{cftls.Client(conn, c.config)}, nil
+	return &echConnWrapper{cftls.Client(conn, e.config)}, nil
 }
-func (c *echClientConfig) Clone() Config {
+func (e *ECHClientConfig) Clone() Config {
-	return &echClientConfig{
+	return &ECHClientConfig{
-		config: c.config.Clone(),
+		config: e.config.Clone(),
 	}
 }
@@ -83,7 +80,7 @@ func (c *echConnWrapper) Upstream() any {
 	return c.Conn
 }
-func NewECHClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewECHClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	var serverName string
 	if options.ServerName != "" {
 		serverName = options.ServerName
@@ -97,7 +94,7 @@ func NewECHClient(ctx context.Context, serverAddress string, options option.Outb
 	}
 	var tlsConfig cftls.Config
-	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
+	tlsConfig.Time = router.TimeFunc()
 	if options.DisableSNI {
 		tlsConfig.ServerName = "127.0.0.1"
 	} else {
@@ -149,8 +146,8 @@ func NewECHClient(ctx context.Context, serverAddress string, options option.Outb
 		}
 	}
 	var certificate []byte
-	if len(options.Certificate) > 0 {
+	if options.Certificate != "" {
-		certificate = []byte(strings.Join(options.Certificate, "\n"))
+		certificate = []byte(options.Certificate)
 	} else if options.CertificatePath != "" {
 		content, err := os.ReadFile(options.CertificatePath)
 		if err != nil {
@@ -171,36 +168,24 @@ func NewECHClient(ctx context.Context, serverAddress string, options option.Outb
 	tlsConfig.ECHEnabled = true
 	tlsConfig.PQSignatureSchemesEnabled = options.ECH.PQSignatureSchemesEnabled
 	tlsConfig.DynamicRecordSizingDisabled = options.ECH.DynamicRecordSizingDisabled
-
+	if options.ECH.Config != "" {
-	var echConfig []byte
+		clientConfigContent, err := base64.StdEncoding.DecodeString(options.ECH.Config)
 	if len(options.ECH.Config) > 0 {
 		echConfig = []byte(strings.Join(options.ECH.Config, "\n"))
 	} else if options.ECH.ConfigPath != "" {
 		content, err := os.ReadFile(options.ECH.ConfigPath)
 		if err != nil {
-			return nil, E.Cause(err, "read ECH config")
+			return nil, err
 		}
-		echConfig = content
+		clientConfig, err := cftls.UnmarshalECHConfigs(clientConfigContent)
 	}
 	if len(echConfig) > 0 {
 		block, rest := pem.Decode(echConfig)
 		if block == nil || block.Type != "ECH CONFIGS" || len(rest) > 0 {
 			return nil, E.New("invalid ECH configs pem")
 		}
 		echConfigs, err := cftls.UnmarshalECHConfigs(block.Bytes)
 		if err != nil {
-			return nil, E.Cause(err, "parse ECH configs")
+			return nil, err
 		}
-		tlsConfig.ClientECHConfigs = echConfigs
+		tlsConfig.ClientECHConfigs = clientConfig
 	} else {
-		tlsConfig.GetClientECHConfigs = fetchECHClientConfig(ctx)
+		tlsConfig.GetClientECHConfigs = fetchECHClientConfig(router)
 	}
-	return &echClientConfig{&tlsConfig}, nil
+	return &ECHClientConfig{&tlsConfig}, nil
 }
-func fetchECHClientConfig(ctx context.Context) func(_ context.Context, serverName string) ([]cftls.ECHConfig, error) {
+func fetchECHClientConfig(router adapter.Router) func(ctx context.Context, serverName string) ([]cftls.ECHConfig, error) {
-	return func(_ context.Context, serverName string) ([]cftls.ECHConfig, error) {
+	return func(ctx context.Context, serverName string) ([]cftls.ECHConfig, error) {
 		message := &mDNS.Msg{
 			MsgHdr: mDNS.MsgHdr{
 				RecursionDesired: true,
@@ -213,7 +198,7 @@ func fetchECHClientConfig(ctx context.Context) func(_ context.Context, serverNam
 				},
 			},
 		}
-		response, err := adapter.RouterFromContext(ctx).Exchange(ctx, message)
+		response, err := router.Exchange(ctx, message)
 		if err != nil {
 			return nil, err
 		}
--- a/Show More
+++ b/Show More