3.9 KiB
!!! error ""
Only supported on Linux, Windows and macOS.
Structure
{
"inbounds": [
{
"type": "tun",
"tag": "tun-in",
"interface_name": "tun0",
"inet4_address": "172.19.0.1/30",
"inet6_address": "fdfe:dcba:9876::1/128",
"mtu": 1500,
"auto_route": true,
"strict_route": true,
"endpoint_independent_nat": false,
"udp_timeout": 300,
"stack": "gvisor",
"include_uid": [
0
],
"include_uid_range": [
[
"1000-99999"
]
],
"exclude_uid": [
1000
],
"exclude_uid_range": [
"1000-99999"
],
"include_android_user": [
0,
10
],
"include_package": [
"com.android.chrome"
],
"exclude_package": [
"com.android.captiveportallogin"
],
"sniff": true,
"sniff_override_destination": false,
"domain_strategy": "prefer_ipv4"
}
]
}
!!! note ""
You can ignore the JSON Array [] tag when the content is only one item
!!! warning ""
If tun is running in non-privileged mode, addresses and MTU will not be configured automatically, please make sure the settings are accurate.
Tun Fields
interface_name
Virtual device name, automatically selected if empty.
inet4_address
==Required==
IPv4 prefix for the tun interface.
inet6_address
IPv6 prefix for the tun interface.
mtu
The maximum transmission unit.
auto_route
Set the default route to the Tun.
!!! error ""
To avoid traffic loopback, set `route.auto_detect_interface` or `route.default_interface` or `outbound.bind_interface`
strict_route
Enforce strict routing rules in Linux when auto_route is enabled:
- Let unsupported network unreachable
- Route all connections to tun
It prevents address leaks and makes DNS hijacking work on Android and Linux with systemd-resolved, but your device will not be accessible by others.
endpoint_independent_nat
Enable endpoint-independent NAT.
Performance may degrade slightly, so it is not recommended to enable on when it is not needed.
udp_timeout
UDP NAT expiration time in seconds, default is 300 (5 minutes).
stack
TCP/IP stack.
| Stack | Upstream | Status |
|---|---|---|
| gVisor (default) | google/gvisor | recommended |
| LWIP | eycorsican/go-tun2socks | upstream archived |
!!! warning ""
The LWIP stack is not included by default, see [Installation](/#installation).
include_uid
!!! error ""
UID rules are only supported on Linux and require auto_route.
Limit users in route. Not limited by default.
include_uid_range
Limit users in route, but in range.
exclude_uid
Exclude users in route.
exclude_uid_range
Exclude users in route, but in range.
include_android_user
!!! error ""
Android user and package rules are only supported on Android and require auto_route.
Limit android users in route.
| Common user | ID |
|---|---|
| Main | 0 |
| Work Profile | 10 |
include_package
Limit android packages in route.
exclude_package
Exclude android packages in route.
Listen Fields
sniff
Enable sniffing.
See Protocol Sniff for details.
sniff_override_destination
Override the connection destination address with the sniffed domain.
If the domain name is invalid (like tor), this will not work.
domain_strategy
One of prefer_ipv4 prefer_ipv6 ipv4_only ipv6_only.
If set, the requested domain name will be resolved to IP before routing.
If sniff_override_destination is in effect, its value will be taken as a fallback.