Releases: cfal/shoes

v0.2.7

22 Jan 18:46

Improvements

H2MUX Stability

  • Added connection-level activity tracking that counts HTTP/2 control frames (PING, SETTINGS) as activity, ensuring keepalives properly reset idle detection
  • Removed application-level idle timeout in favor of PING-based dead connection detection, matching sing-mux behavior for better compatibility
  • Added drain timeout for graceful session shutdown
  • Updated window sizes to match Go http2 defaults (256KB per stream, 1MB per connection)

AnyTLS Memory Leak Fixes

  • Stream handler tasks are now tracked and aborted when session closes, preventing memory leaks from orphaned tasks
  • Added 5-minute stream handler timeout to prevent hung streams (slow DNS, stuck connections) from leaking memory
  • Reduced allocations in padding frame generation

TUN Connection Tracking

  • Refactored TCP connection state machine with explicit states (Normal, Close, Closing, Closed) for proper lifecycle management
  • Improved connection teardown handling following shadowsocks-rust patterns

v0.2.6

19 Jan 22:22

New Features

H2MUX (sing-box Compatible HTTP/2 Multiplexing)

H2MUX multiplexes multiple proxy streams over a single HTTP/2 connection, reducing connection overhead and improving performance for many concurrent streams. This is compatible with sing-box's h2mux implementation.

Server support:

H2MUX is auto-detected on the server side for VMess, VLESS, Trojan, Shadowsocks, and Snell protocols. No server configuration changes are needed.

Client configuration (VMess, VLESS, Trojan):

Note: the client side can connect, but it is a work in progress and does not yet do proper connection pooling.

client_chain:
  address: "example.com:443"
  protocol:
    type: tls
    protocol:
      type: vmess
      cipher: aes-128-gcm
      user_id: "uuid"
      h2mux:
        max_connections: 4    # Maximum connections to maintain
        min_streams: 4        # Min streams before opening new connection
        max_streams: 0        # Max streams per connection (0 = unlimited)
        padding: true         # Enable padding for traffic obfuscation

H2MUX Client Compatibility

The Go H2MUX library (sing-mux) contained a bug that prevented data uploads from finishing successfully; see SagerNet/sing-mux#8.

sing-box now contains this fix, but other clients (e.g. mihomo) that depend on a sing-mux version without this change can have issues.

DNS Resolution Timeout

DNS servers now support a configurable timeout to prevent hanging on unresponsive DNS servers.

- dns_group: my-dns
  servers:
    - url: "tls://dns.example.com"
      timeout_secs: 10      # Default: 5. Set to 0 to disable.

Improvements

  • DNS connection timeout: DNS-over-TLS/HTTPS connections now respect a 5-second connection timeout, preventing hangs when DNS servers are unreachable
  • Reality server: Improved shutdown handling with proper flush after every forward operation

v0.2.5

08 Jan 21:39

New Features

AnyTLS Protocol

Server:

protocol:
  type: tls
  tls_targets:
    "example.com":
      cert: cert.pem
      key: key.pem
      protocol:
        type: anytls
        users:
          - name: user1
            password: secret123
        udp_enabled: true
        padding_scheme: ["stop=8", "0=30-30"]  # Optional custom padding
        fallback: "127.0.0.1:80"               # Optional fallback

Client:

client_chain:
  address: "example.com:443"
  protocol:
    type: tls
    protocol:
      type: anytls
      password: secret123

NaiveProxy Protocol

Server:

protocol:
  type: tls
  tls_targets:
    "example.com":
      cert: cert.pem
      key: key.pem
      alpn_protocols: ["h2"]
      protocol:
        type: naiveproxy
        users:
          - username: user1
            password: secret123
        padding: true
        fallback: "/var/www/html"  # Optional static file fallback

Client:

client_chain:
  address: "example.com:443"
  protocol:
    type: tls
    alpn_protocols: ["h2"]
    protocol:
      type: naiveproxy
      username: user1
      password: secret123

Note that this naiveproxy client does not have the Chrome networking-stack fingerprint of the original NaiveProxy; if that is a requirement, please do not use this client.

Mixed Port (HTTP + SOCKS5)

Auto-detects HTTP or SOCKS5 protocol.

- address: "0.0.0.0:7890"
  protocol:
    type: mixed
    username: user
    password: pass
    udp_enabled: true  # Enable SOCKS5 UDP ASSOCIATE
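The mixed listener has to decide which protocol a client is speaking from its first bytes before replying. The sniffer below is an added illustration of that decision, not code from the shoes project; it assumes detection happens on the unanswered initial bytes, classifying a SOCKS5 greeting (version byte 0x05, RFC 1928) and an HTTP request line, and reporting when more bytes are needed so a listener never guesses on a truncated read.

```rust
// Added example (not the shoes project's own code): classify the first bytes a
// client sends to a mixed HTTP/SOCKS5 port. Assumes the listener reads these
// bytes before writing anything, so both protocols are still distinguishable.
#[derive(Debug, PartialEq)]
pub enum Sniffed {
    Socks5,
    Http,
    NeedMore, // not enough bytes yet to decide; read more and call again
    Unknown,  // neither protocol; a listener should close the connection
}

const HTTP_METHODS: &[&str] = &[
    "CONNECT", "GET", "POST", "PUT", "HEAD", "DELETE", "OPTIONS", "PATCH", "TRACE",
];

/// Classify the bytes read so far from a freshly accepted connection.
pub fn sniff(head: &[u8]) -> Sniffed {
    let first = match head.first() {
        Some(&b) => b,
        None => return Sniffed::NeedMore,
    };
    // SOCKS5 greeting: VER=0x05, NMETHODS, then NMETHODS method bytes.
    if first == 0x05 {
        if head.len() < 2 {
            return Sniffed::NeedMore;
        }
        let nmethods = head[1] as usize;
        if nmethods == 0 {
            return Sniffed::Unknown; // a greeting offering no auth methods is malformed
        }
        return if head.len() >= 2 + nmethods { Sniffed::Socks5 } else { Sniffed::NeedMore };
    }
    // HTTP request line: an upper-case ASCII method token followed by a space.
    if !first.is_ascii_uppercase() {
        return Sniffed::Unknown; // e.g. a raw TLS ClientHello (0x16) or SOCKS4 (0x04)
    }
    for m in HTTP_METHODS {
        let mb = m.as_bytes();
        if head.len() <= mb.len() {
            // Still a prefix of this method (or the full method without its space).
            if mb.starts_with(head) {
                return Sniffed::NeedMore;
            }
            continue;
        }
        if head.starts_with(mb) && head[mb.len()] == b' ' {
            return Sniffed::Http;
        }
    }
    Sniffed::Unknown
}

fn main() {
    // Constructed sample: a CONNECT request line as a proxy client would send it.
    println!("{:?}", sniff(b"CONNECT example.com:443 HTTP/1.1\r\n"));
}
```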

TUN/VPN Support

Layer 3 VPN mode using TUN devices for transparent proxying. Supports Linux, Android, and iOS.

- device_name: "tun0"
  address: "10.0.0.1"
  netmask: "255.255.255.0"
  mtu: 1500
  tcp_enabled: true
  udp_enabled: true
  icmp_enabled: true
  rules:
    - masks: "0.0.0.0/0"
      action: allow
      client_chain:
        address: "proxy.example.com:443"
        protocol:
          type: vless
          user_id: "uuid"

Platform support:

  • Linux: Creates TUN device with specified name/address (requires root)
  • Android: Use device_fd from VpnService.Builder.establish()
  • iOS: Use device_fd from NEPacketTunnelProvider.packetFlow

SOCKS5 UDP ASSOCIATE

Full UDP support for SOCKS5 servers including UDP ASSOCIATE command. Enable with udp_enabled: true (default).

protocol:
  type: socks
  udp_enabled: true  # Default: true

VLESS Fallback

Route failed authentication attempts to a fallback destination instead of rejecting them.

protocol:
  type: vless
  user_id: "uuid"
  fallback: "127.0.0.1:80"  # Serve web content for invalid clients

Reality dest_client_chain

Route Reality fallback (dest) connections through a proxy chain.

reality_targets:
  "www.example.com":
    private_key: "..."
    dest: "www.example.com:443"
    dest_client_chain:
      address: "proxy.example.com:1080"
      protocol:
        type: socks
    protocol:
      type: vless
      user_id: "uuid"

Improvements

  • UDP routing: Comprehensive rewrite of UDP session routing with better multiplexing support
  • Reality: Improved active probing resistance with TLS 1.3 verification
  • Performance: Optimized buffer handling and reduced allocations
  • QUIC: Better buffer sizing based on quic-go recommendations

Mobile Support

  • iOS FFI: Added iOS bindings via NEPacketTunnelProvider integration
  • Android FFI: Added Android bindings via VpnService integration
  • Library now builds as rlib, cdylib, and staticlib for mobile embedding

v0.2.2

04 Dec 04:41

New Features

Client Chaining (client_chains)

Multi-hop proxy chains with load balancing support. Traffic can now be routed through multiple proxies in sequence.

  • Multi-hop chains: Route traffic through multiple proxies sequentially (e.g., proxy1 -> proxy2 -> target)
  • Round-robin chains: Specify multiple chains and rotate between them for load distribution
  • Pool-based load balancing: At each hop, use a pool of proxies for load balancing
  • New config fields: client_chain (singular) and client_chains (multiple)
  • See examples/multi_hop_chain.yaml for usage examples

TUIC v5 Zero-RTT Handshake

New zero_rtt_handshake option for TUIC v5 servers enables 0-RTT (0.5-RTT for server) handshakes for faster connection establishment.

protocol:
  type: tuic
  uuid: "..."
  password: "..."
  zero_rtt_handshake: true  # Default: false

Note: 0-RTT data is vulnerable to replay attacks. Only enable it if the latency benefit outweighs the security concerns.

Reality Cipher Suites

Both Reality server and client now support specifying TLS 1.3 cipher suites.

# Server
reality_targets:
  "example.com":
    cipher_suites: ["TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"]
    ...

# Client
protocol:
  type: reality
  cipher_suites: ["TLS_AES_256_GCM_SHA384"]
  ...

Valid values: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256

Reality Client Version Control

Server-side Reality configuration can now restrict client versions:

reality_targets:
  "example.com":
    min_client_version: [1, 8, 0]  # [major, minor, patch]
    max_client_version: [2, 0, 0]
    ...

Deprecations

client_proxy / client_proxies in Rules

The client_proxy and client_proxies fields in rule configurations are deprecated in favor of client_chain and client_chains.

Migration: Replace client_proxy: with client_chain: in your configuration files. The old fields still work but will emit a warning and may be removed in a future version.

Before:

rules:
  - masks: "0.0.0.0/0"
    action: allow
    client_proxy: my-proxy-group

After:

rules:
  - masks: "0.0.0.0/0"
    action: allow
    client_chain: my-proxy-group

VMess force_aead / aead Fields

The force_aead and aead fields in VMess configuration are deprecated. AEAD mode is now always enabled, and non-AEAD (legacy) mode is no longer supported.

Migration: Remove force_aead and aead fields from your VMess configurations. They have no effect and will be ignored.

Removed / Breaking Changes

VMess Non-AEAD Mode Removed

VMess non-AEAD (legacy) mode is no longer supported. All VMess connections now use AEAD encryption exclusively. This improves security but breaks compatibility with very old VMess clients that don't support AEAD.

Other Changes

  • Hysteria2 and TUIC servers now have authentication timeouts (3 seconds by default) to prevent connection hogging
  • Improved fragment packet handling with LRU cache eviction
  • TUIC server now sends heartbeat packets to maintain connection liveness

v0.2.0

26 Nov 19:13

Added

  • Support for XTLS Vision and XTLS Reality
  • Support for XUDP for VMess and VLESS
  • Support for SagerNet UoT (UDP-over-TCP) for Shadowsocks and SOCKS5

Deprecations

  • Server scoped client_proxy_groups is now deprecated, use client_groups instead
  • Legacy AlterID VMess is now deprecated, only AEAD is supported

v0.1.8

31 Jul 07:04

Cargo.toml: lock versions for 0.1.8

v0.1.7

21 Jun 15:50

What's Changed

  • Dependencies update by @18o in #19
  • Update cfb-mode and aes to version 0.8.x by @18o in #21
  • support certificate pinning by @cfal in #31
  • vmess/sha2.rs: use ring instead of sha2 crate by @cfal in #32
  • update dependencies by @cfal in #33
  • support client certificates by @cfal in #37
  • allow checking server cert fingerprints by @cfal in #38
  • CONFIG.md: update by @cfal in #41
  • support SO_REUSEPORT for multidirectional UDP by @cfal in #45
  • add hysteria2 support by @cfal in #46
  • add TUICv5 support by @cfal in #50
  • implement shadow tls server by @cfal in #56
  • .github/workflows/build.yml: add build workflow by @cfal in #62

New Contributors

  • @18o made their first contribution in #19

Full Changelog: v0.1.0...v0.1.7

v0.1.3

06 Dec 03:24

Cargo.toml: lock versions for 0.1.3

v0.1.1

27 Mar 14:24

lock versions for 0.1.1, strip release binary

v0.1.0

25 Feb 15:49

return error when bind_interface is specified on unsupported platform