sing-box/docs/changelog.md

1.5.0-beta.11

• Add DNS01 challenge support for ACME TLS certificate issuer 1
• Fixes and improvements

1:

Only Alibaba Cloud DNS and Cloudflare are supported, see ACME Fields and DNS01 Challenge Fields.

1.5.0-beta.10

• Add interrupt_exist_connections option for Selector and URLTest outbounds 1
• Fixes and improvements

1:

Interrupt existing connections when the selected outbound has changed.

Only inbound connections are affected by this setting, internal connections will always be interrupted.

1.4.3

• Fixes and improvements

1.5.0-beta.8

• Fixes and improvements

1.4.2

• Fixes and improvements

1.5.0-beta.6

• Fix compatibility issues with official Hysteria2 server and client
• Fixes and improvements
• Mark deprecated features

1.5.0-beta.3

• Fixes and improvements
• Updated Hysteria2 documentation 1

1:

Added notes indicating compatibility issues with the official Hysteria2 server and client when using fastOpen=false or UDP MTU >= 1200.

1.5.0-beta.2

• Add hysteria2 protocol support 1
• Fixes and improvements

1:

See Hysteria2 inbound and Hysteria2 outbound

For protocol description, please refer to https://v2.hysteria.network

1.5.0-beta.1

• Add TLS ECH server support
• Improve TLS TCH client configuration
• Add TLS ECH key pair generator 1
• Add TLS ECH support for QUIC based protocols 2
• Add KDE support for the set_system_proxy option in HTTP inbound

1:

Command: sing-box generate ech-keypair <plain_server_name> [-pq-signature-schemes-enabled]

2:

All inbounds and outbounds are supported, including Naiveproxy, Hysteria, TUIC and V2ray QUIC transport.

1.4.1

• Fixes and improvements

1.4.0

• Fix bugs and update dependencies

Important changes since 1.3:

• Add TUIC support 1
• Add udp_over_stream option for TUIC client 2
• Add MultiPath TCP support 3
• Add include_interface and exclude_interface options for tun inbound
• Pause recurring tasks when no network or device idle
• Improve Android and Apple platform clients

1:

See TUIC inbound and TUIC outbound

2:

This is the TUIC port of the UDP over TCP protocol, designed to provide a QUIC stream based UDP relay mode that TUIC does not provide. Since it is an add-on protocol, you will need to use sing-box or another program compatible with the protocol as a server.

This mode has no positive effect in a proper UDP proxy scenario and should only be applied to relay streaming UDP traffic (basically QUIC streams).

3:

Requires sing-box to be compiled with Go 1.21.

1.4.0-rc.3

• Fixes and improvements

1.4.0-rc.2

• Fixes and improvements

1.4.0-rc.1

• Fix TUIC UDP

1.4.0-beta.6

• Add udp_over_stream option for TUIC client 1
• Add include_interface and exclude_interface options for tun inbound
• Fixes and improvements

1:

This is the TUIC port of the UDP over TCP protocol, designed to provide a QUIC stream based UDP relay mode that TUIC does not provide. Since it is an add-on protocol, you will need to use sing-box or another program compatible with the protocol as a server.

This mode has no positive effect in a proper UDP proxy scenario and should only be applied to relay streaming UDP traffic (basically QUIC streams).

1.4.0-beta.5

• Fixes and improvements

1.4.0-beta.4

• Graphical clients: Persistence group expansion state
• Fixes and improvements

1.4.0-beta.3

• Fixes and improvements

1.4.0-beta.2

• Add MultiPath TCP support 1
• Drop QUIC support for Go 1.18 and 1.19 due to upstream changes
• Fixes and improvements

1:

Requires sing-box to be compiled with Go 1.21.

1.4.0-beta.1

• Add TUIC support 1
• Pause recurring tasks when no network or device idle
• Fixes and improvements

1:

See TUIC inbound and TUIC outbound

1.3.6

• Fixes and improvements

1.3.5

• Fixes and improvements
• Introducing our Apple tvOS client applications 1
• Add per app proxy and app installed/updated trigger support for Android client
• Add profile sharing support for Android/iOS/macOS clients

1:

Due to the requirement of tvOS 17, the app cannot be submitted to the App Store for the time being, and can only be downloaded through TestFlight.

1.3.4

• Fixes and improvements
• We're now on the App Store, always free! It should be noted that due to stricter and slower review, the release of Store versions will be delayed.
• We've made a standalone version of the macOS client (the original Application Extension relies on App Store distribution), which you can download as SFM-version-universal.zip in the release artifacts.

1.3.3

• Fixes and improvements

1.3.1-rc.1

• Fix bugs and update dependencies

1.3.1-beta.3

• Introducing our new iOS and macOS client applications 1
• Fixes and improvements

1:

The old testflight link and app are no longer valid.

1.3.1-beta.2

• Fix bugs and update dependencies

1.3.1-beta.1

• Fixes and improvements

1.3.0

• Fix bugs and update dependencies

Important changes since 1.2:

• Add FakeIP support 1
• Improve multiplex 2
• Add DNS reverse mapping support
• Add rewrite_ttl DNS rule action
• Add store_fakeip Clash API option
• Add multi-peer support for WireGuard outbound
• Add loopback detect
• Add Clash.Meta API compatibility for Clash API
• Download Yacd-meta by default if the specified Clash external_ui directory is empty
• Add path and headers option for HTTP outbound
• Perform URLTest recheck after network changes
• Fix system tun stack for ios
• Fix network monitor for android/ios
• Update VLESS and XUDP protocol
• Make splice work with traffic statistics systems like Clash API
• Significantly reduces memory usage of idle connections
• Improve DNS caching
• Add independent_cache option for DNS
• Reimplemented shadowsocks client
• Add multiplex support for VLESS outbound
• Automatically add Windows firewall rules in order for the system tun stack to work
• Fix TLS 1.2 support for shadow-tls client
• Add cache_id option for Clash cache file
• Fix local DNS transport for Android

1:

See FAQ for more information.

2:

Added new h2mux multiplex protocol and padding multiplex option, see Multiplex.

1.3-rc2

• Fix local DNS transport for Android
• Fix bugs and update dependencies

1.3-rc1

• Fix bugs and update dependencies

1.3-beta14

• Fixes and improvements

1.3-beta13

• Fix resolving fakeip domains 1
• Deprecate L3 routing
• Fix bugs and update dependencies

1:

If the destination address of the connection is obtained from fakeip, dns rules with server type fakeip will be skipped.

1.3-beta12

• Automatically add Windows firewall rules in order for the system tun stack to work
• Fix TLS 1.2 support for shadow-tls client
• Add cache_id option for Clash cache file
• Fixes and improvements

1.3-beta11

• Fix bugs and update dependencies

1.3-beta10

• Improve direct copy 1
• Improve DNS caching
• Add independent_cache option for DNS
• Reimplemented shadowsocks client 2
• Add multiplex support for VLESS outbound
• Set TCP keepalive for WireGuard gVisor TCP connections
• Fixes and improvements

1:

• Make splice work with traffic statistics systems like Clash API
• Significantly reduces memory usage of idle connections

2:

Improved performance and reduced memory usage.

1.3-beta9

• Improve multiplex 1
• Fixes and improvements

1:

Added new h2mux multiplex protocol and padding multiplex option, see Multiplex.

1.2.6

• Fix bugs and update dependencies

1.3-beta8

• Fix system tun stack for ios
• Fix network monitor for android/ios
• Update VLESS and XUDP protocol 1
• Fixes and improvements

*1:

This is an incompatible update for XUDP in VLESS if vision flow is enabled.

1.3-beta7

• Add path and headers options for HTTP outbound
• Add multi-user support for Shadowsocks legacy AEAD inbound
• Fixes and improvements

1.2.4

• Fixes and improvements

1.3-beta6

• Fix WireGuard reconnect
• Perform URLTest recheck after network changes
• Fix bugs and update dependencies

1.3-beta5

• Add Clash.Meta API compatibility for Clash API
• Download Yacd-meta by default if the specified Clash external_ui directory is empty
• Add path and headers option for HTTP outbound
• Fixes and improvements

1.3-beta4

• Fix bugs

1.3-beta2

• Download clash-dashboard if the specified Clash external_ui directory is empty
• Fix bugs and update dependencies

1.3-beta1

• Add DNS reverse mapping support
• Add L3 routing support 1
• Add rewrite_ttl DNS rule action
• Add FakeIP support 2
• Add store_fakeip Clash API option
• Add multi-peer support for WireGuard outbound
• Add loopback detect

1:

It can currently be used to route connections directly to WireGuard or block connections at the IP layer.

2:

See FAQ for more information.

1.2.3

• Introducing our new Android client application
• Improve UDP domain destination NAT
• Update reality protocol
• Fix TTL calculation for DNS response
• Fix v2ray HTTP transport compatibility
• Fix bugs and update dependencies

1.2.2

• Accept any outbound in dns rule 1
• Fix bugs and update dependencies

1:

Now you can use the any outbound rule to match server address queries instead of filling in all server domains to domain rule.

1.2.1

• Fix missing default host in v2ray http transport`s request
• Flush DNS cache for macOS when tun start/close
• Fix tun's DNS hijacking compatibility with systemd-resolved

1.2.0

• Fix bugs and update dependencies

Important changes since 1.1:

• Introducing our new iOS client application
• Introducing UDP over TCP protocol version 2
• Add platform options for tun inbound
• Add ShadowTLS protocol v3
• Add VLESS server and vision support
• Add reality TLS support
• Add NTP service
• Add DHCP DNS server support
• Add SSH host key validation support
• Add query_type DNS rule item
• Add fallback support for v2ray transport
• Add custom TLS server support for http based v2ray transports
• Add health check support for http-based v2ray transports
• Add multiple configuration support

1.2-rc1

• Fix bugs and update dependencies

1.2-beta10

• Add multiple configuration support 1
• Fix bugs and update dependencies

1:

Now you can pass the parameter --config or -c multiple times, or use the new parameter --config-directory or -C to load all configuration files in a directory.

Loaded configuration files are sorted by name. If you want to control the merge order, add a numeric prefix to the file name.

1.1.7

• Improve the stability of the VMESS server
• Fix auto_detect_interface incorrectly identifying the default interface on Windows
• Fix bugs and update dependencies

1.2-beta9

• Introducing the UDP over TCP protocol version 2
• Add health check support for http-based v2ray transports
• Remove length limit on short_id for reality TLS config
• Fix bugs and update dependencies

1.2-beta8

• Update reality and uTLS libraries
• Fix auto_detect_interface incorrectly identifying the default interface on Windows

1.2-beta7

• Fix the compatibility issue between VLESS's vision sub-protocol and the Xray-core client
• Improve the stability of the VMESS server

1.2-beta6

• Introducing our new iOS client application
• Add platform options for tun inbound
• Add custom TLS server support for http based v2ray transports
• Add generate commands
• Enable XUDP by default in VLESS
• Update reality server
• Update vision protocol
• Fixed user flow in vless server
• Bug fixes
• Update dependencies

1.2-beta5

• Add VLESS server and vision support
• Add reality TLS support
• Fix match private address

1.1.6

• Improve vmess request
• Fix ipv6 redirect on Linux
• Fix match geoip private
• Fix parse hysteria UDP message
• Fix socks connect response
• Disable vmess header protection if transport enabled
• Update QUIC v2 version number and initial salt

1.2-beta4

• Add NTP service
• Add Add multiple server names and multi-user support for shadowtls
• Add strict mode support for shadowtls v3
• Add uTLS support for shadowtls v3

1.2-beta3

• Update QUIC v2 version number and initial salt
• Fix shadowtls v3 implementation

1.2-beta2

• Add ShadowTLS protocol v3
• Add fallback support for v2ray transport
• Fix parse hysteria UDP message
• Fix socks connect response
• Disable vmess header protection if transport enabled

1.2-beta1

• Add DHCP DNS server support
• Add SSH host key validation support
• Add query_type DNS rule item
• Add v2ray user stats api
• Add new clash DNS query api
• Improve vmess request
• Fix ipv6 redirect on Linux
• Fix match geoip private

1.1.5

• Add Go 1.20 support
• Fix inbound default DF value
• Fix auth_user route for naive inbound
• Fix gRPC lite header
• Ignore domain case in route rules

1.1.4

• Fix DNS log
• Fix write to h2 conn after closed
• Fix create UDP DNS transport from plain IPv6 address

1.1.2

• Fix http proxy auth
• Fix user from stream packet conn
• Fix DNS response TTL
• Fix override packet conn
• Skip override system proxy bypass list
• Improve DNS log

1.1.1

• Fix acme config
• Fix vmess packet conn
• Suppress quic-go set DF error

1.1

• Fix close clash cache

Important changes since 1.0:

• Add support for use with android VPNService
• Add tun support for WireGuard outbound
• Add system tun stack
• Add comment filter for config
• Add option for allow optional proxy protocol header
• Add Clash mode and persistence support
• Add TLS ECH and uTLS support for outbound TLS options
• Add internal simple-obfs and v2ray-plugin
• Add ShadowsocksR outbound
• Add VLESS outbound and XUDP
• Skip wait for hysteria tcp handshake response
• Add v2ray mux support for all inbound
• Add XUDP support for VMess
• Improve websocket writer
• Refine tproxy write back
• Fix DNS leak caused by Windows' ordinary multihomed DNS resolution behavior
• Add sniff_timeout listen option
• Add custom route support for tun
• Add option for custom wireguard reserved bytes
• Split bind_address into ipv4 and ipv6
• Add ShadowTLS v1 and v2 support

1.1-rc1

• Fix TLS config for h2 server
• Fix crash when input bad method in shadowsocks multi-user inbound
• Fix listen UDP
• Fix check invalid packet on macOS

1.1-beta18

• Enhance defense against active probe for shadowtls server 1

1:

The fallback_after option has been removed.

1.1-beta17

• Fix shadowtls server 1

1:

Added fallback_after option.

1.0.7

• Add support for new x/h2 deadline
• Fix copy pipe
• Fix decrypt xplus packet
• Fix macOS Ventura process name match
• Fix smux keepalive
• Fix vmess request buffer
• Fix h2c transport
• Fix tor geoip
• Fix udp connect for mux client
• Fix default dns transport strategy

1.1-beta16

• Improve shadowtls server
• Fix default dns transport strategy
• Update uTLS to v1.2.0

1.1-beta15

• Add support for new x/h2 deadline
• Fix udp connect for mux client
• Fix dns buffer
• Fix quic dns retry
• Fix create TLS config
• Fix websocket alpn
• Fix tor geoip

1.1-beta14

• Add multi-user support for hysteria inbound 1
• Add custom tls client support for std grpc
• Fix smux keep alive
• Fix vmess request buffer
• Fix default local DNS server behavior
• Fix h2c transport

1:

The auth and auth_str fields have been replaced by the users field.

1.1-beta13

• Add custom worker count option for WireGuard outbound
• Split bind_address into ipv4 and ipv6
• Move WFP manipulation to strict route
• Fix WireGuard outbound panic when close
• Fix macOS Ventura process name match
• Fix QUIC connection migration by @HyNetwork
• Fix handling QUIC client SNI by @HyNetwork

1.1-beta12

• Fix uTLS config
• Update quic-go to v0.30.0
• Update cloudflare-tls to go1.18.7

1.1-beta11

• Add option for custom wireguard reserved bytes
• Fix shadowtls v2
• Fix h3 dns transport
• Fix copy pipe
• Fix decrypt xplus packet
• Fix v2ray api
• Suppress no network error
• Improve local dns transport

1.1-beta10

• Add sniff_timeout listen option
• Add custom route support for tun 1
• Fix interface monitor
• Fix websocket headroom
• Fix uTLS handshake
• Fix ssh outbound
• Fix sniff fragmented quic client hello
• Fix DF for hysteria
• Fix naive overflow
• Check destination before udp connect
• Update uTLS to v1.1.5
• Update tfo-go to v2.0.2
• Update fsnotify to v1.6.0
• Update grpc to v1.50.1

1:

The strict_route on windows is removed.

1.0.6

• Fix ssh outbound
• Fix sniff fragmented quic client hello
• Fix naive overflow
• Check destination before udp connect

1.1-beta9

• Fix windows route 1
• Add v2ray statistics api
• Add ShadowTLS v2 support 2
• Fixes and improvements

1:

• Fix DNS leak caused by Windows' ordinary multihomed DNS resolution behavior
• Flush Windows DNS cache when start/close

2:

See ShadowTLS inbound and ShadowTLS outbound

1.1-beta8

• Fix leaks on close
• Improve websocket writer
• Refine tproxy write back
• Refine 4in6 processing
• Fix shadowsocks plugins
• Fix missing source address from transport connection
• Fix fqdn socks5 outbound connection
• Fix read source address from grpc-go

1.0.5

• Fix missing source address from transport connection
• Fix fqdn socks5 outbound connection
• Fix read source address from grpc-go

1.1-beta7

• Add v2ray mux and XUDP support for VMess inbound
• Add XUDP support for VMess outbound
• Disable DF on direct outbound by default
• Fix bugs in 1.1-beta6

1.1-beta6

• Add URLTest outbound
• Fix bugs in 1.1-beta5

1.1-beta5

• Print tags in version command
• Redirect clash hello to external ui
• Move shadowsocksr implementation to clash
• Make gVisor optional 1
• Refactor to miekg/dns
• Refactor bind control
• Fix build on go1.18
• Fix clash store-selected
• Fix close grpc conn
• Fix port rule match logic
• Fix clash api proxy type

1:

The build tag no_gvisor is replaced by with_gvisor.

The default tun stack is changed to system.

1.0.4

• Fix close grpc conn
• Fix port rule match logic
• Fix clash api proxy type

1.1-beta4

• Add internal simple-obfs and v2ray-plugin Shadowsocks plugins
• Add ShadowsocksR outbound
• Add VLESS outbound and XUDP
• Skip wait for hysteria tcp handshake response
• Fix socks4 client
• Fix hysteria inbound
• Fix concurrent write

1.0.3

• Fix socks4 client
• Fix hysteria inbound
• Fix concurrent write

1.1-beta3

• Fix using custom TLS client in http2 client
• Fix bugs in 1.1-beta2

1.1-beta2

• Add Clash mode and persistence support 1
• Add TLS ECH and uTLS support for outbound TLS options 2
• Fix socks4 request
• Fix processing empty dns result

1:

Switching modes using the Clash API, and store-selected are now supported, see Experimental.

2:

ECH (Encrypted Client Hello) is a TLS extension that allows a client to encrypt the first part of its ClientHello message, see TLS#ECH.

uTLS is a fork of "crypto/tls", which provides ClientHello fingerprinting resistance, see TLS#uTLS.

1.0.2

• Fix socks4 request
• Fix processing empty dns result

1.1-beta1

• Add support for use with android VPNService 1
• Add tun support for WireGuard outbound 2
• Add system tun stack 3
• Add comment filter for config 4
• Add option for allow optional proxy protocol header
• Add half close for smux
• Set UDP DF by default 5
• Set default tun mtu to 9000
• Update gVisor to 20220905.0

1:

In previous versions, Android VPN would not work with tun enabled.

The usage of tun over VPN and VPN over tun is now supported, see Tun Inbound.

2:

In previous releases, WireGuard outbound support was backed by the lower performance gVisor virtual interface.

It achieves the same performance as wireguard-go by providing automatic system interface support.

3:

It does not depend on gVisor and has better performance in some cases.

It is less compatible and may not be available in some environments.

4:

Annotated json configuration files are now supported.

5:

UDP fragmentation is now blocked by default.

Including shadowsocks-libev, shadowsocks-rust and quic-go all disable segmentation by default.

See Dial Fields and Listen Fields.

1.0.1

• Fix match 4in6 address in ip_cidr
• Fix clash api log level format error
• Fix clash api unknown proxy type

1.0

• Fix wireguard reconnect
• Fix naive inbound
• Fix json format error message
• Fix processing vmess termination signal
• Fix hysteria stream error
• Fix listener close when proxyproto failed

1.0-rc1

• Fix write log timestamp
• Fix write zero
• Fix dial parallel in direct outbound
• Fix write trojan udp
• Fix DNS routing
• Add attribute support for geosite
• Update documentation for Dial Fields

1.0-beta3

• Add chained inbound support
• Add process_path rule item
• Add macOS redirect support
• Add ShadowTLS Inbound, Outbound and Examples
• Fix search android package in non-owner users
• Fix socksaddr type condition
• Fix smux session status
• Refactor inbound and outbound documentation
• Minor fixes

1.0-beta2

• Add strict_route option for Tun inbound
• Add packetaddr support for VMess outbound
• Add better performing alternative gRPC implementation
• Add docker image
• Fix sniff override destination

1.0-beta1

• Initial release

2022/08/26

• Fix ipv6 route on linux
• Fix read DNS message

2022/08/25

• Let vmess use zero instead of auto if TLS enabled
• Add trojan fallback for ALPN
• Improve ip_cidr rule
• Fix format bind_address
• Fix http proxy with compressed response
• Fix route connections

2022/08/24

• Fix naive padding
• Fix unix search path
• Fix close non-duplex connections
• Add ACME EAB support
• Fix early close on windows and catch any
• Initial zh-CN document translation

2022/08/23

• Add V2Ray Transport support for VMess and Trojan
• Allow plain http request in Naive inbound (It can now be used with nginx)
• Add proxy protocol support
• Free memory after start
• Parse X-Forward-For in HTTP requests
• Handle SIGHUP signal

2022/08/22

• Add strategy setting for each DNS server
• Add bind address to outbound options

2022/08/21

• Add Tor outbound
• Add SSH outbound

2022/08/20

• Attempt to unwrap ip-in-fqdn socksaddr
• Fix read packages in android 12
• Fix route on some android devices
• Improve linux process searcher
• Fix write socks5 username password auth request
• Skip bind connection with private destination to interface
• Add Trojan connection fallback

2022/08/19

• Add Hysteria Inbound and Outbund
• Add ACME TLS certificate issuer
• Allow read config from stdin (-c stdin)
• Update gVisor to 20220815.0

2022/08/18

• Fix find process with lwip stack
• Fix crash on shadowsocks server
• Fix crash on darwin tun
• Fix write log to file

2022/08/17

• Improve async dns transports

2022/08/16

• Add ip_version (route/dns) rule item
• Add WireGuard outbound

2022/08/15

• Add uid, android user and package rules support in Tun routing.

2022/08/13

• Fix dns concurrent write

2022/08/12

• Performance improvements
• Add UoT option for SOCKS outbound

2022/08/11

• Add UoT option for Shadowsocks outbound, UoT support for all inbounds

2022/08/10

• Add full-featured Naive inbound
• Fix default dns server option #9 by iKirby

2022/08/09

No changelog before.