- Added connection-level activity tracking that counts HTTP/2 control frames (PING, SETTINGS) as activity, ensuring keepalives properly reset idle detection
- Removed application-level idle timeout in favor of PING-based dead connection detection, matching sing-mux behavior for better compatibility
- Added drain timeout for graceful session shutdown
- Updated window sizes to match Go http2 defaults (256KB per stream, 1MB per connection)
- Stream handler tasks are now tracked and aborted when session closes, preventing memory leaks from orphaned tasks
- Added 5-minute stream handler timeout to prevent hung streams (slow DNS, stuck connections) from leaking memory
- Reduced allocations in padding frame generation
- Refactored TCP connection state machine with explicit states (Normal, Close, Closing, Closed) for proper lifecycle management
- Improved connection teardown handling following shadowsocks-rust patterns
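The first two items above describe a connection tracker in which HTTP/2 control frames count as activity and liveness comes from PING acknowledgements rather than an application idle timer. The following is an added example (not code from this project) of that model in plain Rust: it parses HTTP/2 frame headers (RFC 9113 section 4.1), refreshes the activity clock on every frame including PING/SETTINGS on stream 0, and marks the connection dead only when our own PING goes unanswered past a deadline. The tick-based clock, the deadline value and the sample frames in `main` are assumptions of the example.

```rust
// Added example: HTTP/2 frame parsing plus PING-based dead connection detection.
// Not the project's own implementation; clock ticks and deadline are assumed.

pub const FRAME_DATA: u8 = 0x0;
pub const FRAME_SETTINGS: u8 = 0x4;
pub const FRAME_PING: u8 = 0x6;
pub const FLAG_ACK: u8 = 0x1;

#[derive(Debug, PartialEq)]
pub struct FrameHeader {
    pub length: u32,
    pub frame_type: u8,
    pub flags: u8,
    pub stream_id: u32,
}

/// Parse one frame: 24-bit length, 8-bit type, 8-bit flags, 1 reserved bit and a
/// 31-bit stream identifier, followed by `length` payload bytes. Returns the header,
/// the payload and the unconsumed remainder, or None if `buf` is truncated.
pub fn parse_frame(buf: &[u8]) -> Option<(FrameHeader, &[u8], &[u8])> {
    if buf.len() < 9 {
        return None;
    }
    let length = (buf[0] as u32) << 16 | (buf[1] as u32) << 8 | buf[2] as u32;
    let raw_id = (buf[5] as u32) << 24 | (buf[6] as u32) << 16 | (buf[7] as u32) << 8 | buf[8] as u32;
    let stream_id = raw_id & 0x7FFF_FFFF; // the reserved high bit must be ignored
    let end = 9 + length as usize;
    if buf.len() < end {
        return None;
    }
    let hdr = FrameHeader { length, frame_type: buf[3], flags: buf[4], stream_id };
    Some((hdr, &buf[9..end], &buf[end..]))
}

/// Serialize a frame; used to build the sample traffic and our own PINGs.
pub fn encode_frame(frame_type: u8, flags: u8, stream_id: u32, payload: &[u8]) -> Vec<u8> {
    let len = payload.len() as u32;
    let mut out = Vec::with_capacity(9 + payload.len());
    out.extend_from_slice(&len.to_be_bytes()[1..]); // low 24 bits of the length
    out.push(frame_type);
    out.push(flags);
    out.extend_from_slice(&(stream_id & 0x7FFF_FFFF).to_be_bytes());
    out.extend_from_slice(payload);
    out
}

#[derive(Debug, Default)]
pub struct ConnTracker {
    pub last_activity: u64,
    /// (tick when sent, opaque data) of a PING still waiting for its ACK
    pub outstanding_ping: Option<(u64, [u8; 8])>,
    pub dead: bool,
}

impl ConnTracker {
    /// Consume every complete frame in `buf` at tick `now`. Any frame refreshes
    /// last_activity, so peer keepalives (PING/SETTINGS) stop the connection from
    /// looking idle; a PING ACK carrying our opaque data clears the outstanding ping.
    pub fn observe(&mut self, mut buf: &[u8], now: u64) -> usize {
        let mut seen = 0;
        while let Some((hdr, payload, rest)) = parse_frame(buf) {
            self.last_activity = now;
            if hdr.frame_type == FRAME_PING && hdr.flags & FLAG_ACK != 0 && hdr.stream_id == 0 {
                if let Some((_, opaque)) = self.outstanding_ping {
                    if payload == &opaque[..] {
                        self.outstanding_ping = None;
                    }
                }
            }
            seen += 1;
            buf = rest;
        }
        seen
    }

    /// Emit a PING (stream 0, 8 opaque bytes) and remember it as outstanding.
    pub fn send_ping(&mut self, now: u64, opaque: [u8; 8]) -> Vec<u8> {
        self.outstanding_ping = Some((now, opaque));
        encode_frame(FRAME_PING, 0, 0, &opaque)
    }

    /// Dead-connection detection: an unanswered PING older than `deadline` ticks
    /// marks the connection dead. No separate application-level idle timeout exists.
    pub fn is_dead(&mut self, now: u64, deadline: u64) -> bool {
        if let Some((sent_at, _)) = self.outstanding_ping {
            if now.saturating_sub(sent_at) > deadline {
                self.dead = true;
            }
        }
        self.dead
    }

    pub fn idle_for(&self, now: u64) -> u64 {
        now.saturating_sub(self.last_activity)
    }
}

fn main() {
    // Constructed sample stream: a SETTINGS ack, then a DATA frame on stream 1.
    let mut wire = encode_frame(FRAME_SETTINGS, FLAG_ACK, 0, &[]);
    wire.extend(encode_frame(FRAME_DATA, 0, 1, b"hello"));
    let mut conn = ConnTracker::default();
    println!("frames seen: {}", conn.observe(&wire, 10));
    let ping = conn.send_ping(12, [7; 8]);
    println!("sent {}-byte ping; dead 30 ticks later with deadline 20? {}", ping.len(), conn.is_dead(42, 20));
}
```

The point of the split between `observe` and `is_dead` is the one the changelog makes: a peer that only sends keepalives is still alive, so idle detection must see stream-0 control frames, while a peer that stops acknowledging PINGs is dead regardless of how recently it spoke.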
H2MUX multiplexes multiple proxy streams over a single HTTP/2 connection, reducing connection overhead and improving performance for many concurrent streams. This is compatible with sing-box's h2mux implementation.
Client configuration (VMess, VLESS, Trojan):

```yaml
client_chain:
  address: "example.com:443"
  protocol:
    type: tls
    protocol:
      type: vmess
      cipher: aes-128-gcm
      user_id: "uuid"
      h2mux:
        max_connections: 4  # Maximum connections to maintain
        min_streams: 4      # Min streams before opening new connection
        max_streams: 0      # Max streams per connection (0 = unlimited)
        padding: true       # Enable padding for traffic obfuscation
```

Server support: H2MUX is auto-detected on the server side for VMess, VLESS, Trojan, Shadowsocks, and Snell protocols. No server configuration changes are needed.
The Go H2MUX library (sing-mux) contained a bug that prevented data uploads from finishing successfully, see SagerNet/sing-mux#8.
sing-box now contains this fix, but other clients (e.g. mihomo) that depend on a sing-mux without this change can have issues.
DNS servers now support a configurable timeout to prevent hanging on unresponsive DNS servers.
```yaml
- dns_group: my-dns
  servers:
    - url: "tls://dns.example.com"
      timeout_secs: 10  # Default: 5. Set to 0 to disable.
```

- DNS connection timeout: DNS-over-TLS/HTTPS connections now respect a 5-second connection timeout, preventing hangs when DNS servers are unreachable
- Reality server: Improved shutdown handling with proper flush after every forward operation
Server:

```yaml
protocol:
  type: tls
  tls_targets:
    "example.com":
      cert: cert.pem
      key: key.pem
      protocol:
        type: anytls
        users:
          - name: user1
            password: secret123
        udp_enabled: true
        padding_scheme: ["stop=8", "0=30-30"]  # Optional custom padding
        fallback: "127.0.0.1:80"  # Optional fallback
```

Client:
```yaml
client_chain:
  address: "example.com:443"
  protocol:
    type: tls
    protocol:
      type: anytls
      password: secret123
```

Server:
```yaml
protocol:
  type: tls
  tls_targets:
    "example.com":
      cert: cert.pem
      key: key.pem
      alpn_protocols: ["h2"]
      protocol:
        type: naiveproxy
        users:
          - username: user1
            password: secret123
        padding: true
        fallback: "/var/www/html"  # Optional static file fallback
```

Client:
```yaml
client_chain:
  address: "example.com:443"
  protocol:
    type: tls
    alpn_protocols: ["h2"]
    protocol:
      type: naiveproxy
      username: user1
      password: secret123
```

Auto-detects HTTP or SOCKS5 protocol.
```yaml
- address: "0.0.0.0:7890"
  protocol:
    type: mixed
    username: user
    password: pass
    udp_enabled: true  # Enable SOCKS5 UDP ASSOCIATE
```

Layer 3 VPN mode using TUN devices for transparent proxying. Supports Linux, Android, and iOS.
```yaml
- device_name: "tun0"
  address: "10.0.0.1"
  netmask: "255.255.255.0"
  mtu: 1500
  tcp_enabled: true
  udp_enabled: true
  icmp_enabled: true
  rules:
    - masks: "0.0.0.0/0"
      action: allow
      client_chain:
        address: "proxy.example.com:443"
        protocol:
          type: vless
          user_id: "uuid"
```

Platform support:
- Linux: Creates TUN device with specified name/address (requires root)
- Android: Use `device_fd` from `VpnService.Builder.establish()`
- iOS: Use `device_fd` from `NEPacketTunnelProvider.packetFlow`
Full UDP support for SOCKS5 servers including UDP ASSOCIATE command. Enable with udp_enabled: true (default).
```yaml
protocol:
  type: socks
  udp_enabled: true  # Default: true
```

Route failed authentication attempts to a fallback destination instead of rejecting them, so the listener answers unauthenticated probes like an ordinary web server.
```yaml
protocol:
  type: vless
  user_id: "uuid"
  fallback: "127.0.0.1:80"  # Serve web content for invalid clients
```

Route Reality fallback (dest) connections through a proxy chain.
```yaml
reality_targets:
  "www.example.com":
    private_key: "..."
    dest: "www.example.com:443"
    dest_client_chain:
      address: "proxy.example.com:1080"
      protocol:
        type: socks
    protocol:
      type: vless
      user_id: "uuid"
```

- UDP routing: Comprehensive rewrite of UDP session routing with better multiplexing support
- Reality: Improved active probing resistance with TLS 1.3 verification
- Performance: Optimized buffer handling and reduced allocations
- QUIC: Better buffer sizing based on quic-go recommendations
- iOS FFI: Added iOS bindings via `NEPacketTunnelProvider` integration
- Android FFI: Added Android bindings via `VpnService` integration
- Library now builds as `rlib`, `cdylib`, and `staticlib` for mobile embedding
Multi-hop proxy chains with load balancing support. Traffic can now be routed through multiple proxies in sequence.
- Multi-hop chains: Route traffic through multiple proxies sequentially (e.g., `proxy1 -> proxy2 -> target`)
- Round-robin chains: Specify multiple chains and rotate between them for load distribution
- Pool-based load balancing: At each hop, use a pool of proxies for load balancing
- New config fields: `client_chain` (singular) and `client_chains` (multiple)
- See `examples/multi_hop_chain.yaml` for usage examples
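To make the selection model in the list above concrete, here is an added example (not the project's code) of a small Rust route planner: chains are rotated round-robin, each hop within the chosen chain rotates through its own pool, and pool members marked down are skipped. The proxy names, the health flags and the "skip unhealthy members" rule are assumptions of this example; the project's own selection and failover logic may differ.

```rust
// Added example: round-robin over chains, with a round-robin pool at every hop.
// Not the project's implementation; health tracking here is an assumption.
use std::collections::HashSet;

#[derive(Debug, Clone)]
pub struct Hop {
    pub pool: Vec<String>, // candidate proxies for this position in the chain
    next: usize,           // round-robin cursor within the pool
}

impl Hop {
    pub fn new(pool: &[&str]) -> Self {
        Hop { pool: pool.iter().map(|s| s.to_string()).collect(), next: 0 }
    }
}

#[derive(Debug, Default)]
pub struct Router {
    pub chains: Vec<Vec<Hop>>,
    next_chain: usize,
    down: HashSet<String>, // proxies currently considered unhealthy
}

impl Router {
    pub fn new(chains: Vec<Vec<Hop>>) -> Self {
        Router { chains, next_chain: 0, down: HashSet::new() }
    }

    pub fn mark_down(&mut self, proxy: &str) {
        self.down.insert(proxy.to_string());
    }

    pub fn mark_up(&mut self, proxy: &str) {
        self.down.remove(proxy);
    }

    /// Pick the next route: chains rotate round-robin, and within the chosen chain
    /// each hop rotates through its pool, skipping members marked down. Returns the
    /// hop-by-hop list of proxies to connect through (first hop first), or an error
    /// naming the hop whose pool has no healthy member.
    pub fn next_route(&mut self) -> Result<Vec<String>, String> {
        if self.chains.is_empty() {
            return Err("no chains configured".to_string());
        }
        let idx = self.next_chain % self.chains.len();
        self.next_chain = self.next_chain.wrapping_add(1);
        let mut route = Vec::new();
        for (hop_no, hop) in self.chains[idx].iter_mut().enumerate() {
            let n = hop.pool.len();
            let mut chosen = None;
            for attempt in 0..n {
                let cand = &hop.pool[(hop.next + attempt) % n];
                if !self.down.contains(cand) {
                    chosen = Some(cand.clone());
                    hop.next = (hop.next + attempt + 1) % n;
                    break;
                }
            }
            match chosen {
                Some(p) => route.push(p),
                None => return Err(format!("chain {} hop {}: no healthy proxy", idx, hop_no)),
            }
        }
        Ok(route)
    }
}

fn main() {
    // Constructed topology: chain 0 has a two-member pool at hop 1, chain 1 is a single hop.
    let mut router = Router::new(vec![
        vec![Hop::new(&["entry-a", "entry-b"]), Hop::new(&["exit-1"])],
        vec![Hop::new(&["direct-exit"])],
    ]);
    for _ in 0..3 {
        println!("{:?}", router.next_route());
    }
    router.mark_down("direct-exit");
    println!("{:?}", router.next_route()); // chain 1 now has no healthy exit
}
```

A chain whose hop has no healthy member yields an error rather than silently collapsing to a shorter route, since a shorter route would change which proxy the target sees as the source.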
New zero_rtt_handshake option for TUIC v5 servers enables 0-RTT (0.5-RTT for server) handshakes for faster connection establishment.
```yaml
protocol:
  type: tuic
  uuid: "..."
  password: "..."
  zero_rtt_handshake: true  # Default: false
```

Note: 0-RTT data is replayable. Anyone who captured the client's first flight can resend it and have the server process the same early data again. Only enable this if the latency benefit outweighs that risk.
Both Reality server and client now support specifying TLS 1.3 cipher suites.
```yaml
# Server
reality_targets:
  "example.com":
    cipher_suites: ["TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"]
    ...

# Client
protocol:
  type: reality
  cipher_suites: ["TLS_AES_256_GCM_SHA384"]
  ...
```

Valid values: `TLS_AES_128_GCM_SHA256`, `TLS_AES_256_GCM_SHA384`, `TLS_CHACHA20_POLY1305_SHA256`
Server-side Reality configuration can now restrict client versions:
```yaml
reality_targets:
  "example.com":
    min_client_version: [1, 8, 0]  # [major, minor, patch]
    max_client_version: [2, 0, 0]
    ...
```

The `client_proxy` and `client_proxies` fields in rule configurations are deprecated in favor of `client_chain` and `client_chains`.
Migration: Replace client_proxy: with client_chain: in your configuration files. The old fields still work but will emit a warning and may be removed in a future version.
Before:
```yaml
rules:
  - masks: "0.0.0.0/0"
    action: allow
    client_proxy: my-proxy-group
```

After:
```yaml
rules:
  - masks: "0.0.0.0/0"
    action: allow
    client_chain: my-proxy-group
```

The `force_aead` and `aead` fields in VMess configuration are deprecated. AEAD mode is now always enabled, and non-AEAD (legacy) mode is no longer supported.
Migration: Remove force_aead and aead fields from your VMess configurations. They have no effect and will be ignored.
VMess non-AEAD (legacy) mode is no longer supported. All VMess connections now use AEAD encryption exclusively. This improves security but breaks compatibility with very old VMess clients that don't support AEAD.
- Hysteria2 and TUIC servers now have authentication timeouts (3 seconds by default) to prevent connection hogging
- Improved fragment packet handling with LRU cache eviction
- TUIC server now sends heartbeat packets to maintain connection liveness