chore: periodically try fallback

chore: update
chore: dual stack fallback
2023-02-26 10:59:25 +08:00 · 2023-02-26 10:44:23 +08:00 · 2023-02-26 10:42:22 +08:00 · 2023-02-26 10:10:38 +08:00 · 2023-02-26 10:07:03 +08:00 · 2023-02-25 22:01:20 +08:00
15 changed files with 969 additions and 603 deletions
--- a/adapter/outbound/vless.go
+++ b/adapter/outbound/vless.go
@ -171,7 +171,7 @@ func (v *Vless) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 func (v *Vless) streamTLSOrXTLSConn(conn net.Conn, isH2 bool) (net.Conn, error) {
 	host, _, _ := net.SplitHostPort(v.addr)

-	if v.isXTLSEnabled() && !isH2 {
+	if v.isLegacyXTLSEnabled() && !isH2 {
 		xtlsOpts := vless.XTLSConfig{
 			Host:           host,
 			SkipCertVerify: v.option.SkipCertVerify,
@ -206,8 +206,8 @@ func (v *Vless) streamTLSOrXTLSConn(conn net.Conn, isH2 bool) (net.Conn, error)
 	return conn, nil
 }

-func (v *Vless) isXTLSEnabled() bool {
-	return v.client.Addons != nil
+func (v *Vless) isLegacyXTLSEnabled() bool {
+	return v.client.Addons != nil && v.client.Addons.Flow != vless.XRV
 }

 // DialContext implements C.ProxyAdapter
@ -479,7 +479,7 @@ func NewVless(option VlessOption) (*Vless, error) {
 	if option.Network != "ws" && len(option.Flow) >= 16 {
 		option.Flow = option.Flow[:16]
 		switch option.Flow {
-		case vless.XRO, vless.XRD, vless.XRS:
+		case vless.XRO, vless.XRD, vless.XRS, vless.XRV:
 			addons = &vless.Addons{
 				Flow: option.Flow,
 			}
--- a/common/buf/sing.go
+++ b/common/buf/sing.go
@ -5,9 +5,15 @@ import (
 	"github.com/sagernet/sing/common/buf"
 )

+const BufferSize = buf.BufferSize
+
 type Buffer = buf.Buffer

+var New = buf.New
+var StackNew = buf.StackNew
 var StackNewSize = buf.StackNewSize
+var With = buf.With
+
 var KeepAlive = common.KeepAlive

 //go:norace
--- a/common/net/bufconn.go
+++ b/common/net/bufconn.go
@ -27,6 +27,10 @@ func (c *BufferedConn) Reader() *bufio.Reader {
 	return c.r
 }

+func (c *BufferedConn) ResetPeeked() {
+	c.peeked = false
+}
+
 func (c *BufferedConn) Peeked() bool {
 	return c.peeked
 }
--- a/component/dialer/dialer.go
+++ b/component/dialer/dialer.go
@ -8,20 +8,19 @@ import (
 	"net/netip"
 	"strings"
 	"sync"
+	"time"

 	"github.com/Dreamacro/clash/component/resolver"
-
-	"go.uber.org/atomic"
 )

 var (
-	dialMux                    sync.Mutex
-	actualSingleDialContext    = singleDialContext
-	actualDualStackDialContext = dualStackDialContext
-	tcpConcurrent              = false
-	DisableIPv6                = false
-	ErrorInvalidedNetworkStack = errors.New("invalided network stack")
-	ErrorDisableIPv6           = errors.New("IPv6 is disabled, dialer cancel")
+	dialMux                      sync.Mutex
+	actualSingleStackDialContext = serialSingleStackDialContext
+	actualDualStackDialContext   = serialDualStackDialContext
+	tcpConcurrent                = false
+	ErrorInvalidedNetworkStack   = errors.New("invalided network stack")
+	ErrorConnTimeout             = errors.New("connect timeout")
+	fallbackTimeout              = 300 * time.Millisecond
 )

 func applyOptions(options ...Option) *option {
@ -56,7 +55,7 @@ func DialContext(ctx context.Context, network, address string, options ...Option

 	switch network {
 	case "tcp4", "tcp6", "udp4", "udp6":
-		return actualSingleDialContext(ctx, network, address, opt)
+		return actualSingleStackDialContext(ctx, network, address, opt)
 	case "tcp", "udp":
 		return actualDualStackDialContext(ctx, network, address, opt)
 	default:
@ -89,11 +88,11 @@ func SetDial(concurrent bool) {
 	dialMux.Lock()
 	tcpConcurrent = concurrent
 	if concurrent {
-		actualSingleDialContext = concurrentSingleDialContext
+		actualSingleStackDialContext = concurrentSingleStackDialContext
 		actualDualStackDialContext = concurrentDualStackDialContext
 	} else {
-		actualSingleDialContext = singleDialContext
-		actualDualStackDialContext = dualStackDialContext
+		actualSingleStackDialContext = serialSingleStackDialContext
+		actualDualStackDialContext = serialDualStackDialContext
 	}

 	dialMux.Unlock()
@ -114,10 +113,6 @@ func dialContext(ctx context.Context, network string, destination netip.Addr, po
 		bindMarkToDialer(opt.routingMark, dialer, network, destination)
 	}

-	if DisableIPv6 && destination.Is6() {
-		return nil, ErrorDisableIPv6
-	}
-
 	address := net.JoinHostPort(destination.String(), port)
 	if opt.tfo {
 		return dialTFO(ctx, *dialer, network, address)
@ -125,289 +120,57 @@ func dialContext(ctx context.Context, network string, destination netip.Addr, po
 	return dialer.DialContext(ctx, network, address)
 }

-func singleDialContext(ctx context.Context, network string, address string, opt *option) (net.Conn, error) {
-	host, port, err := net.SplitHostPort(address)
+func serialSingleStackDialContext(ctx context.Context, network string, address string, opt *option) (net.Conn, error) {
+	ips, port, err := parseAddr(ctx, network, address, opt.resolver)
 	if err != nil {
 		return nil, err
 	}
-
-	var ip netip.Addr
-	switch network {
-	case "tcp4", "udp4":
-		if opt.resolver == nil {
-			ip, err = resolver.ResolveIPv4ProxyServerHost(ctx, host)
-		} else {
-			ip, err = resolver.ResolveIPv4WithResolver(ctx, host, opt.resolver)
-		}
-	default:
-		if opt.resolver == nil {
-			ip, err = resolver.ResolveIPv6ProxyServerHost(ctx, host)
-		} else {
-			ip, err = resolver.ResolveIPv6WithResolver(ctx, host, opt.resolver)
-		}
-	}
-	if err != nil {
-		err = fmt.Errorf("dns resolve failed:%w", err)
-		return nil, err
-	}
-
-	return dialContext(ctx, network, ip, port, opt)
+	return serialDialContext(ctx, network, ips, port, opt)
 }

-func dualStackDialContext(ctx context.Context, network, address string, opt *option) (net.Conn, error) {
-	host, port, err := net.SplitHostPort(address)
+func serialDualStackDialContext(ctx context.Context, network, address string, opt *option) (net.Conn, error) {
+	ips, port, err := parseAddr(ctx, network, address, opt.resolver)
+	if err != nil {
+		return nil, err
+	}
+	return dualStackDialContext(
+		ctx,
+		func(ctx context.Context) (net.Conn, error) { return serialDialContext(ctx, network, ips, port, opt) },
+		func(ctx context.Context) (net.Conn, error) { return serialDialContext(ctx, network, ips, port, opt) },
+		opt.prefer == 4)
+}
+
+func concurrentSingleStackDialContext(ctx context.Context, network string, address string, opt *option) (net.Conn, error) {
+	ips, port, err := parseAddr(ctx, network, address, opt.resolver)
 	if err != nil {
 		return nil, err
 	}

-	returned := make(chan struct{})
-	defer close(returned)
-
-	type dialResult struct {
-		net.Conn
-		error
-		resolved bool
-		ipv6     bool
-		done     bool
-	}
-	results := make(chan dialResult)
-	var primary, fallback dialResult
-
-	startRacer := func(ctx context.Context, network, host string, r resolver.Resolver, ipv6 bool) {
-		result := dialResult{ipv6: ipv6, done: true}
-		defer func() {
-			select {
-			case results <- result:
-			case <-returned:
-				if result.Conn != nil {
-					_ = result.Conn.Close()
-				}
-			}
-		}()
-
-		var ip netip.Addr
-		if ipv6 {
-			if r == nil {
-				ip, result.error = resolver.ResolveIPv6ProxyServerHost(ctx, host)
-			} else {
-				ip, result.error = resolver.ResolveIPv6WithResolver(ctx, host, r)
-			}
-		} else {
-			if r == nil {
-				ip, result.error = resolver.ResolveIPv4ProxyServerHost(ctx, host)
-			} else {
-				ip, result.error = resolver.ResolveIPv4WithResolver(ctx, host, r)
-			}
-		}
-		if result.error != nil {
-			result.error = fmt.Errorf("dns resolve failed:%w", result.error)
-			return
-		}
-		result.resolved = true
-
-		result.Conn, result.error = dialContext(ctx, network, ip, port, opt)
-	}
-
-	go startRacer(ctx, network+"4", host, opt.resolver, false)
-	go startRacer(ctx, network+"6", host, opt.resolver, true)
-
-	count := 2
-	for i := 0; i < count; i++ {
-		select {
-		case res := <-results:
-			if res.error == nil {
-				return res.Conn, nil
-			}
-
-			if !res.ipv6 {
-				primary = res
-			} else {
-				fallback = res
-			}
-
-			if primary.done && fallback.done {
-				if primary.resolved {
-					return nil, primary.error
-				} else if fallback.resolved {
-					return nil, fallback.error
-				} else {
-					return nil, primary.error
-				}
-			}
-		case <-ctx.Done():
-			err = ctx.Err()
-			break
-		}
-	}
-
-	if err == nil {
-		err = fmt.Errorf("dual stack dial failed")
+	if conn, err := parallelDialContext(ctx, network, ips, port, opt); err != nil {
+		return nil, err
 	} else {
-		err = fmt.Errorf("dual stack dial failed:%w", err)
+		return conn, nil
 	}
-	return nil, err
-}
-
-func concurrentDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
-	returned := make(chan struct{})
-	defer close(returned)
-
-	type dialResult struct {
-		ip netip.Addr
-		net.Conn
-		error
-		isPrimary bool
-		done      bool
-	}
-
-	preferCount := atomic.NewInt32(0)
-	results := make(chan dialResult)
-	tcpRacer := func(ctx context.Context, ip netip.Addr) {
-		result := dialResult{ip: ip, done: true}
-
-		defer func() {
-			select {
-			case results <- result:
-			case <-returned:
-				if result.Conn != nil {
-					_ = result.Conn.Close()
-				}
-			}
-		}()
-		if strings.Contains(network, "tcp") {
-			network = "tcp"
-		} else {
-			network = "udp"
-		}
-
-		if ip.Is6() {
-			network += "6"
-			if opt.prefer != 4 {
-				result.isPrimary = true
-			}
-		}
-
-		if ip.Is4() {
-			network += "4"
-			if opt.prefer != 6 {
-				result.isPrimary = true
-			}
-		}
-
-		if result.isPrimary {
-			preferCount.Add(1)
-		}
-
-		result.Conn, result.error = dialContext(ctx, network, ip, port, opt)
-	}
-
-	for _, ip := range ips {
-		go tcpRacer(ctx, ip)
-	}
-
-	connCount := len(ips)
-	var fallback dialResult
-	var primaryError error
-	var finalError error
-	for i := 0; i < connCount; i++ {
-		select {
-		case res := <-results:
-			if res.error == nil {
-				if res.isPrimary {
-					return res.Conn, nil
-				} else {
-					if !fallback.done || fallback.error != nil {
-						fallback = res
-					}
-				}
-			} else {
-				if res.isPrimary {
-					primaryError = res.error
-					preferCount.Add(-1)
-					if preferCount.Load() == 0 && fallback.done && fallback.error == nil {
-						return fallback.Conn, nil
-					}
-				}
-			}
-		case <-ctx.Done():
-			if fallback.done && fallback.error == nil {
-				return fallback.Conn, nil
-			}
-			finalError = ctx.Err()
-			break
-		}
-	}
-
-	if fallback.done && fallback.error == nil {
-		return fallback.Conn, nil
-	}
-
-	if primaryError != nil {
-		return nil, primaryError
-	}
-
-	if fallback.error != nil {
-		return nil, fallback.error
-	}
-
-	if finalError == nil {
-		finalError = fmt.Errorf("all ips %v tcp shake hands failed", ips)
-	} else {
-		finalError = fmt.Errorf("concurrent dial failed:%w", finalError)
-	}
-
-	return nil, finalError
-}
-
-func concurrentSingleDialContext(ctx context.Context, network string, address string, opt *option) (net.Conn, error) {
-	host, port, err := net.SplitHostPort(address)
-	if err != nil {
-		return nil, err
-	}
-
-	var ips []netip.Addr
-	switch network {
-	case "tcp4", "udp4":
-		if opt.resolver == nil {
-			ips, err = resolver.LookupIPv4ProxyServerHost(ctx, host)
-		} else {
-			ips, err = resolver.LookupIPv4WithResolver(ctx, host, opt.resolver)
-		}
-	default:
-		if opt.resolver == nil {
-			ips, err = resolver.LookupIPv6ProxyServerHost(ctx, host)
-		} else {
-			ips, err = resolver.LookupIPv6WithResolver(ctx, host, opt.resolver)
-		}
-	}
-
-	if err != nil {
-		err = fmt.Errorf("dns resolve failed:%w", err)
-		return nil, err
-	}
-
-	return concurrentDialContext(ctx, network, ips, port, opt)
 }

 func concurrentDualStackDialContext(ctx context.Context, network, address string, opt *option) (net.Conn, error) {
-	host, port, err := net.SplitHostPort(address)
+	ips, port, err := parseAddr(ctx, network, address, opt.resolver)
 	if err != nil {
 		return nil, err
 	}
-
-	var ips []netip.Addr
-	if opt.resolver != nil {
-		ips, err = resolver.LookupIPWithResolver(ctx, host, opt.resolver)
-	} else {
-		ips, err = resolver.LookupIPProxyServerHost(ctx, host)
+	if opt.prefer != 4 && opt.prefer != 6 {
+		return parallelDialContext(ctx, network, ips, port, opt)
 	}
-
-	if err != nil {
-		err = fmt.Errorf("dns resolve failed:%w", err)
-		return nil, err
-	}
-
-	return concurrentDialContext(ctx, network, ips, port, opt)
+	ipv4s, ipv6s := sortationAddr(ips)
+	return dualStackDialContext(
+		ctx,
+		func(ctx context.Context) (net.Conn, error) {
+			return parallelDialContext(ctx, network, ipv4s, port, opt)
+		},
+		func(ctx context.Context) (net.Conn, error) {
+			return parallelDialContext(ctx, network, ipv6s, port, opt)
+		},
+		opt.prefer == 4)
 }

 type Dialer struct {
@ -426,3 +189,162 @@ func NewDialer(options ...Option) Dialer {
 	opt := applyOptions(options...)
 	return Dialer{Opt: *opt}
 }
+
+func dualStackDialContext(
+	ctx context.Context,
+	ipv4DialFn func(ctx context.Context) (net.Conn, error),
+	ipv6DialFn func(ctx context.Context) (net.Conn, error),
+	preferIPv4 bool) (net.Conn, error) {
+	fallbackTicker := time.NewTicker(fallbackTimeout)
+	defer fallbackTicker.Stop()
+	results := make(chan dialResult)
+	returned := make(chan struct{})
+	defer close(returned)
+	racer := func(dial func(ctx context.Context) (net.Conn, error), isPrimary bool) {
+		result := dialResult{isPrimary: isPrimary}
+		defer func() {
+			select {
+			case results <- result:
+			case <-returned:
+				if result.Conn != nil {
+					_ = result.Conn.Close()
+				}
+			}
+		}()
+		result.Conn, result.error = dial(ctx)
+	}
+	go racer(ipv4DialFn, preferIPv4)
+	go racer(ipv6DialFn, !preferIPv4)
+	var fallback dialResult
+	var err error
+	for {
+		select {
+		case <-ctx.Done():
+			if fallback.error == nil && fallback.Conn != nil {
+				return fallback.Conn, nil
+			}
+			return nil, fmt.Errorf("dual stack connect failed: %w", err)
+		case <-fallbackTicker.C:
+			if fallback.error == nil && fallback.Conn != nil {
+				return fallback.Conn, nil
+			}
+		case res := <-results:
+			if res.error == nil {
+				if res.isPrimary {
+					return res.Conn, nil
+				}
+				fallback = res
+			}
+			err = res.error
+		}
+	}
+}
+
+func parallelDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
+	results := make(chan dialResult)
+	returned := make(chan struct{})
+	defer close(returned)
+	tcpRacer := func(ctx context.Context, ip netip.Addr, port string) {
+		result := dialResult{isPrimary: true}
+		defer func() {
+			select {
+			case results <- result:
+			case <-returned:
+				if result.Conn != nil {
+					_ = result.Conn.Close()
+				}
+			}
+		}()
+		result.ip = ip
+		result.Conn, result.error = dialContext(ctx, network, ip, port, opt)
+	}
+
+	for _, ip := range ips {
+		go tcpRacer(ctx, ip, port)
+	}
+	var err error
+	for {
+		select {
+		case <-ctx.Done():
+			if err != nil {
+				return nil, err
+			}
+			if ctx.Err() == context.DeadlineExceeded {
+				return nil, ErrorConnTimeout
+			}
+			return nil, ctx.Err()
+		case res := <-results:
+			if res.error == nil {
+				return res.Conn, nil
+			}
+			err = res.error
+		}
+	}
+}
+
+func serialDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
+	var (
+		conn net.Conn
+		err  error
+		errs []error
+	)
+	for _, ip := range ips {
+		if conn, err = dialContext(ctx, network, ip, port, opt); err == nil {
+			return conn, nil
+		} else {
+			errs = append(errs, err)
+		}
+	}
+	return nil, errors.Join(errs...)
+}
+
+type dialResult struct {
+	ip netip.Addr
+	net.Conn
+	error
+	isPrimary bool
+}
+
+func parseAddr(ctx context.Context, network, address string, preferResolver resolver.Resolver) ([]netip.Addr, string, error) {
+	host, port, err := net.SplitHostPort(address)
+	if err != nil {
+		return nil, "-1", err
+	}
+
+	var ips []netip.Addr
+	switch network {
+	case "tcp4", "udp4":
+		if preferResolver == nil {
+			ips, err = resolver.LookupIPv4ProxyServerHost(ctx, host)
+		} else {
+			ips, err = resolver.LookupIPv4WithResolver(ctx, host, preferResolver)
+		}
+	case "tcp6", "udp6":
+		if preferResolver == nil {
+			ips, err = resolver.LookupIPv6ProxyServerHost(ctx, host)
+		} else {
+			ips, err = resolver.LookupIPv6WithResolver(ctx, host, preferResolver)
+		}
+	default:
+		if preferResolver == nil {
+			ips, err = resolver.LookupIP(ctx, host)
+		} else {
+			ips, err = resolver.LookupIPWithResolver(ctx, host, preferResolver)
+		}
+	}
+	if err != nil {
+		return nil, "-1", fmt.Errorf("dns resolve failed: %w", err)
+	}
+	return ips, port, nil
+}
+
+func sortationAddr(ips []netip.Addr) (ipv4s, ipv6s []netip.Addr) {
+	for _, v := range ips {
+		if v.Is4() || v.Is4In6() {
+			ipv4s = append(ipv4s, v)
+		} else {
+			ipv6s = append(ipv6s, v)
+		}
+	}
+	return
+}
--- a/component/tls/config.go
+++ b/component/tls/config.go
@ -11,31 +11,30 @@ import (
 	"strings"
 	"sync"

-	CN "github.com/Dreamacro/clash/common/net"
-
 	xtls "github.com/xtls/go"
 )

-var tlsCertificates = make([]tls.Certificate, 0)
+var trustCert,_ = x509.SystemCertPool()

 var mutex sync.RWMutex
 var errNotMacth error = errors.New("certificate fingerprints do not match")

-func AddCertificate(privateKey, certificate string) error {
+func AddCertificate(certificate string) error {
 	mutex.Lock()
 	defer mutex.Unlock()
-	if cert, err := CN.ParseCert(certificate, privateKey); err != nil {
-		return err
-	} else {
-		tlsCertificates = append(tlsCertificates, cert)
+	if certificate == "" {
+		return fmt.Errorf("certificate is empty")
+	}
+	if ok := trustCert.AppendCertsFromPEM([]byte(certificate)); !ok {
+		return fmt.Errorf("add certificate failed")
 	}
 	return nil
 }

-func GetCertificates() []tls.Certificate {
-	mutex.RLock()
-	defer mutex.RUnlock()
-	return tlsCertificates
+func ResetCertificate(){
+	mutex.Lock()
+	defer mutex.Unlock()
+	trustCert,_=x509.SystemCertPool()
 }

 func verifyFingerprint(fingerprint *[32]byte) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
@ -87,10 +86,10 @@ func GetSpecifiedFingerprintTLSConfig(tlsConfig *tls.Config, fingerprint string)
 func GetGlobalTLSConfig(tlsConfig *tls.Config) *tls.Config {
 	if tlsConfig == nil {
 		return &tls.Config{
-			Certificates: tlsCertificates,
+			RootCAs: trustCert,
 		}
 	}
-	tlsConfig.Certificates = append(tlsConfig.Certificates, tlsCertificates...)
+	tlsConfig.RootCAs = trustCert
 	return tlsConfig
 }

@ -107,29 +106,12 @@ func GetSpecifiedFingerprintXTLSConfig(tlsConfig *xtls.Config, fingerprint strin
 }

 func GetGlobalXTLSConfig(tlsConfig *xtls.Config) *xtls.Config {
-	xtlsCerts := make([]xtls.Certificate, len(tlsCertificates))
-	for _, cert := range tlsCertificates {
-		tlsSsaList := make([]xtls.SignatureScheme, len(cert.SupportedSignatureAlgorithms))
-		for _, ssa := range cert.SupportedSignatureAlgorithms {
-			tlsSsa := xtls.SignatureScheme(ssa)
-			tlsSsaList = append(tlsSsaList, tlsSsa)
-		}
-		xtlsCert := xtls.Certificate{
-			Certificate:                  cert.Certificate,
-			PrivateKey:                   cert.PrivateKey,
-			OCSPStaple:                   cert.OCSPStaple,
-			SignedCertificateTimestamps:  cert.SignedCertificateTimestamps,
-			Leaf:                         cert.Leaf,
-			SupportedSignatureAlgorithms: tlsSsaList,
-		}
-		xtlsCerts = append(xtlsCerts, xtlsCert)
-	}
 	if tlsConfig == nil {
 		return &xtls.Config{
-			Certificates: xtlsCerts,
+			RootCAs: trustCert,
 		}
 	}

-	tlsConfig.Certificates = xtlsCerts
+	tlsConfig.RootCAs = trustCert
 	return tlsConfig
 }
--- a/config/config.go
+++ b/config/config.go
@ -120,13 +120,9 @@ type Profile struct {
 }

 type TLS struct {
-	RawCert         `yaml:",inline"`
-	CustomTrustCert []RawCert `yaml:"custom-certifactes"`
-}
-
-type RawCert struct {
-	Certificate string `yaml:"certificate"`
-	PrivateKey  string `yaml:"private-key"`
+	Certificate     string   `yaml:"certificate"`
+	PrivateKey      string   `yaml:"private-key"`
+	CustomTrustCert []string `yaml:"custom-certifactes"`
 }

 // IPTables config
@ -447,6 +443,7 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {
 	}
 	config.General = general

+	dialer.DefaultInterface.Store(config.General.Interface)
 	proxies, providers, err := parseProxies(rawCfg)
 	if err != nil {
 		return nil, err
--- a/docs/config.yaml
+++ b/docs/config.yaml
@ -7,22 +7,17 @@ mixed-port: 10801 # HTTP(S) 和 SOCKS 代理混合端口
 # tproxy-port: 7893

 allow-lan: true # 允许局域网连接
-bind-address: "*" # 绑定IP地址，仅作用于 allow-lan 为 true，'*'表示所有地址
+bind-address: "*" # 绑定 IP 地址，仅作用于 allow-lan 为 true，'*'表示所有地址

-#  find-process-mode has 3 values: always, strict, off
+#  find-process-mode has 3 values:always, strict, off
 #  - always, 开启，强制匹配所有进程
-#  - strict, 默认，由clash判断是否开启
+#  - strict, 默认，由 clash 判断是否开启
 #  - off, 不匹配进程，推荐在路由器上使用此模式
 find-process-mode: strict

-#  global-client-fingerprint:全局TLS指纹,优先低于proxy内的 client-fingerprint
-#  accepts "chrome","firefox","safari","ios","random","none" options.
-#  Utls is currently support TLS transport in TCP/grpc/WS/HTTP for VLESS/Vmess and trojan.
-global-client-fingerprint: chrome
-
 mode: rule

-#自定义 geox-url
+#自定义 geodata url
 geox-url:
  geoip: "https://cdn.jsdelivr.net/gh/Loyalsoldier/v2ray-rules-dat@release/geoip.dat"
  geosite: "https://cdn.jsdelivr.net/gh/Loyalsoldier/v2ray-rules-dat@release/geosite.dat"
@ -32,16 +27,30 @@ log-level: debug # 日志等级 silent/error/warning/info/debug

 ipv6: true # 开启 IPv6 总开关，关闭阻断所有 IPv6 链接和屏蔽 DNS 请求 AAAA 记录

+tls:
+  certificate: string # 证书 PEM 格式，或者 证书的路径
+  private-key: string # 证书对应的私钥 PEM 格式，或者私钥路径
+  custom-certifactes:
+    - |
+      -----BEGIN CERTIFICATE-----
+      format/pem...
+      -----END CERTIFICATE-----
+
 external-controller: 0.0.0.0:9093 # RESTful API 监听地址
 external-controller-tls: 0.0.0.0:9443 # RESTful API HTTPS 监听地址，需要配置 tls 部分配置文件
-# secret: "123456" # `Authorization: Bearer ${secret}`
+# secret: "123456" # `Authorization:Bearer ${secret}`

-# tcp-concurrent: true # TCP并发连接所有IP, 将使用最快握手的TCP
-external-ui: /path/to/ui/folder # 配置WEB UI目录，使用http://{{external-controller}}/ui 访问
+# tcp-concurrent: true # TCP 并发连接所有 IP, 将使用最快握手的 TCP
+external-ui: /path/to/ui/folder # 配置 WEB UI 目录，使用 http://{{external-controller}}/ui 访问

 # interface-name: en0 # 设置出口网卡

-# routing-mark: 6666 # 配置 fwmark 仅用于Linux
+# 全局 TLS 指纹，优先低于 proxy 内的 client-fingerprint
+# 可选： "chrome","firefox","safari","ios","random","none" options.
+# Utls is currently support TLS transport in TCP/grpc/WS/HTTP for VLESS/Vmess and trojan.
+global-client-fingerprint: chrome
+
+# routing-mark:6666 # 配置 fwmark 仅用于 Linux
 experimental:

 # 类似于 /etc/hosts, 仅支持配置单个 IP
@ -50,6 +59,13 @@ hosts:
 # '.dev': 127.0.0.1
 # 'alpha.clash.dev': '::1'

+profile:
+  # 存储 select 选择记录
+  store-selected: false
+
+  # 持久化 fake-ip
+  store-fake-ip: true
+
 # Tun 配置
 tun:
  enable: false
@ -75,10 +91,10 @@ tun:
  #- 1000
  # exclude_uid_range: # 排除路由的的用户范围
  # - 1000-99999
-
+  
  # Android 用户和应用规则仅在 Android 下被支持
  # 并且需要 auto_route
-
+  
  # include_android_user: # 限制被路由的 Android 用户
  # - 0
  # - 10
@ -105,15 +121,13 @@ sniffer:
  # 是否使用嗅探结果作为实际访问，默认 true
  # 全局配置，优先级低于 sniffer.sniff 实际配置
  override-destination: false
-  sniff:
-    # TLS 默认如果不配置 ports 默认嗅探 443
+  sniff: # TLS 默认如果不配置 ports 默认嗅探 443
    TLS:
    #  ports: [443, 8443]
-
+    
    # 默认嗅探 80
-    HTTP:
-      # 需要嗅探的端口
-
+    HTTP: # 需要嗅探的端口
+      
      ports: [80, 8080-8880]
      # 可覆盖 sniffer.override-destination
      override-destination: true
@ -128,7 +142,7 @@ sniffer:
    - tls
    - http
  # 强制对此域名进行嗅探
-
+  
  # 仅对白名单中的端口进行嗅探，默认为 443，80
  # 已废弃，若 sniffer.sniff 配置则此项无效
  port-whitelist:
@ -136,27 +150,8 @@ sniffer:
    - "443"
    # - 8000-9999

-# shadowsocks,vmess 入口配置（传入流量将和socks,mixed等入口一样按照mode所指定的方式进行匹配处理）
-# ss-config: ss://2022-blake3-aes-256-gcm:vlmpIPSyHH6f4S8WVPdRIHIlzmB+GIRfoH3aNJ/t9Gg=@:23456
-# vmess-config: vmess://1:9d0cb9d0-964f-4ef6-897d-6c6b3ccf9e68@:12345

-# tuic服务器入口（传入流量将和socks,mixed等入口一样按照mode所指定的方式进行匹配处理）
-#tuic-server:
-#  enable: true
-#  listen: 127.0.0.1:10443
-#  token:
-#    - TOKEN
-#  certificate: ./server.crt
-#  private-key: ./server.key
-#  congestion-controller: bbr
-#  max-idle-time: 15000
-#  authentication-timeout: 1000
-#  alpn:
-#    - h3
-#  max-udp-relay-packet-size: 1500
-
-tunnels:
-  # one line config
+tunnels: # one line config
  - tcp/udp,127.0.0.1:6553,114.114.114.114:53,proxy
  - tcp,127.0.0.1:6666,rds.mysql.com:3306,vpn
  # full yaml config
@ -165,12 +160,6 @@ tunnels:
    target: target.com
    proxy: proxy

-profile:
-  # 存储select选择记录
-  store-selected: false
-
-  # 持久化fake-ip
-  store-fake-ip: true

 # DNS配置
 dns:
@ -178,7 +167,7 @@ dns:
  prefer-h3: true # 开启 DoH 支持 HTTP/3，将并发尝试
  listen: 0.0.0.0:53 # 开启 DNS 服务器监听
  # ipv6: false # false 将返回 AAAA 的空结果
-
+  
  # 用于解析 nameserver，fallback 以及其他DNS服务器配置的，DNS 服务域名
  # 只能使用纯 IP 地址，可使用加密 DNS
  default-nameserver:
@ -187,16 +176,16 @@ dns:
    - tls://1.12.12.12:853
    - tls://223.5.5.5:853
  enhanced-mode: fake-ip # or redir-host
-
+  
  fake-ip-range: 198.18.0.1/16 # fake-ip 池设置
-
+  
  # use-hosts: true # 查询 hosts
-
+  
  # 配置不使用fake-ip的域名
  # fake-ip-filter:
  #   - '*.lan'
  #   - localhost.ptlogin2.qq.com
-
+  
  # DNS主要域名配置
  # 支持 UDP，TCP，DoT，DoH，DoQ
  # 这部分为主要 DNS 配置，影响所有直连，确保使用对大陆解析精准的 DNS
@ -210,20 +199,20 @@ dns:
    - dhcp://en0 # dns from dhcp
    - quic://dns.adguard.com:784 # DNS over QUIC
    # - '8.8.8.8#en0' # 兼容指定DNS出口网卡
-
+  
  # 当配置 fallback 时，会查询 nameserver 中返回的 IP 是否为 CN，非必要配置
  # 当不是 CN，则使用 fallback 中的 DNS 查询结果
  # 确保配置 fallback 时能够正常查询
  # fallback:
  #   - tcp://1.1.1.1
  #   - 'tcp://1.1.1.1#ProxyGroupName' # 指定 DNS 过代理查询，ProxyGroupName 为策略组名或节点名，过代理配置优先于配置出口网卡，当找不到策略组或节点名则设置为出口网卡
-
+  
  # 专用于节点域名解析的 DNS 服务器，非必要配置项
  # 配置服务器若查询失败将使用 nameserver，非并发查询
  # proxy-server-nameserver:
  # - https://dns.google/dns-query
  # - tls://one.one.one.one
-
+  
  # 配置 fallback 使用条件
  # fallback-filter:
  #   geoip: true # 配置是否使用 geoip
@ -238,14 +227,53 @@ dns:
  #     - '+.google.com'
  #     - '+.facebook.com'
  #     - '+.youtube.com'
-
+  
  # 配置查询域名使用的 DNS 服务器
-  nameserver-policy:
-    #   'www.baidu.com': '114.114.114.114'
+  nameserver-policy: #   'www.baidu.com': '114.114.114.114'
    #   '+.internal.crop.com': '10.0.0.1'
-    "geosite:cn": "https://doh.pub/dns-query"
-    "www.baidu.com": [https://doh.pub/dns-query,https://dns.alidns.com/dns-query]
-proxies:
+    "geosite:cn":
+      - https://doh.pub/dns-query
+      - https://dns.alidns.com/dns-query
+    "www.baidu.com": [https://doh.pub/dns-query, https://dns.alidns.com/dns-query]
+
+proxies: # socks5
+  - name: "socks"
+    type: socks5
+    server: server
+    port: 443
+    # username: username
+    # password: password
+    # tls: true
+    # fingerprint: xxxx
+    # skip-cert-verify: true
+    # udp: true
+    # ip-version: ipv6
+  
+  # http
+  - name: "http"
+    type: http
+    server: server
+    port: 443
+    # username: username
+    # password: password
+    # tls: true # https
+    # skip-cert-verify: true
+    # sni: custom.com
+    # fingerprint: xxxx # 同 experimental.fingerprints 使用 sha256 指纹，配置协议独立的指纹，将忽略 experimental.fingerprints
+    # ip-version: dual
+  
+  # Snell
+  # Beware that there's currently no UDP support yet
+  - name: "snell"
+    type: snell
+    server: server
+    port: 44046
+    psk: yourpsk
+    # version: 2
+    # obfs-opts:
+    # mode: http # or tls
+    # host: bing.com
+    
  # Shadowsocks
  # cipher支持:
  #   aes-128-gcm aes-192-gcm aes-256-gcm
@ -268,6 +296,7 @@ proxies:
    # UDP 则为双栈解析，获取结果中的第一个 IPv4
    # ipv6-prefer 同 ipv4-prefer
    # 现有协议都支持此参数，TCP 效果仅在开启 tcp-concurrent 生效
+
  - name: "ss2"
    type: ss
    server: server
@ -278,7 +307,7 @@ proxies:
    plugin-opts:
      mode: tls # or http
      # host: bing.com
-
+  
  - name: "ss3"
    type: ss
    server: server
@ -288,17 +317,17 @@ proxies:
    plugin: v2ray-plugin
    plugin-opts:
      mode: websocket # no QUIC now
-      # tls: true # wss
-      # 可使用 openssl x509 -noout -fingerprint -sha256 -inform pem -in yourcert.pem 获取
-      # 配置指纹将实现 SSL Pining 效果
-      # fingerprint: xxxx
-      # skip-cert-verify: true
-      # host: bing.com
-      # path: "/"
-      # mux: true
-      # headers:
-      #   custom: value
-
+    # tls: true # wss
+    # 可使用 openssl x509 -noout -fingerprint -sha256 -inform pem -in yourcert.pem 获取
+    # 配置指纹将实现 SSL Pining 效果
+    # fingerprint: xxxx
+    # skip-cert-verify: true
+    # host: bing.com
+    # path: "/"
+    # mux: true
+    # headers:
+    #   custom: value
+  
  - name: "ss4"
    type: ss
    server: server
@ -309,7 +338,8 @@ proxies:
    plugin-opts:
      host: "cloud.tencent.com"
      password: "shadow_tls_password"
-
+      version: 2 # support 1/2/3
+  
  # vmess
  # cipher支持 auto/aes-128-gcm/chacha20-poly1305/none
  - name: "vmess"
@ -332,7 +362,7 @@ proxies:
    #     Host: v2ray.com
    #   max-early-data: 2048
    #   early-data-header-name: Sec-WebSocket-Protocol
-
+  
  - name: "vmess-h2"
    type: vmess
    server: server
@ -348,7 +378,7 @@ proxies:
        - http.example.com
        - http-alt.example.com
      path: /
-
+  
  - name: "vmess-http"
    type: vmess
    server: server
@ -359,15 +389,15 @@ proxies:
    # udp: true
    # network: http
    # http-opts:
-    #   # method: "GET"
-    #   # path:
-    #   #   - '/'
-    #   #   - '/video'
-    #   # headers:
-    #   #   Connection:
-    #   #     - keep-alive
+    #   method: "GET"
+    #   path:
+    #     - '/'
+    #     - '/video'
+    #   headers:
+    #     Connection:
+    #       - keep-alive
    # ip-version: ipv4 # 设置使用 IP 类型偏好，可选：ipv4，ipv6，dual，默认值：dual
-
+  
  - name: vmess-grpc
    server: server
    port: 443
@ -383,100 +413,7 @@ proxies:
    grpc-opts:
      grpc-service-name: "example"
    # ip-version: ipv4
-
-  # socks5
-  - name: "socks"
-    type: socks5
-    server: server
-    port: 443
-    # username: username
-    # password: password
-    # tls: true
-    # fingerprint: xxxx
-    # skip-cert-verify: true
-    # udp: true
-    # ip-version: ipv6
-
-  # http
-  - name: "http"
-    type: http
-    server: server
-    port: 443
-    # username: username
-    # password: password
-    # tls: true # https
-    # skip-cert-verify: true
-    # sni: custom.com
-    # fingerprint: xxxx # 同 experimental.fingerprints 使用 sha256 指纹，配置协议独立的指纹，将忽略 experimental.fingerprints
-    # ip-version: dual
-
-  # Snell
-  # Beware that there's currently no UDP support yet
-  - name: "snell"
-    type: snell
-    server: server
-    port: 44046
-    psk: yourpsk
-    # version: 2
-    # obfs-opts:
-    # mode: http # or tls
-    # host: bing.com
-
-  # Trojan
-  - name: "trojan"
-    type: trojan
-    server: server
-    port: 443
-    password: yourpsk
-    # client-fingerprint: random # Available: "chrome","firefox","safari","random","none"
-    # fingerprint: xxxx
-    # udp: true
-    # sni: example.com # aka server name
-    # alpn:
-    #   - h2
-    #   - http/1.1
-    # skip-cert-verify: true
-
-  - name: trojan-grpc
-    server: server
-    port: 443
-    type: trojan
-    password: "example"
-    network: grpc
-    sni: example.com
-    # skip-cert-verify: true
-    # fingerprint: xxxx
-    udp: true
-    grpc-opts:
-      grpc-service-name: "example"
-
-  - name: trojan-ws
-    server: server
-    port: 443
-    type: trojan
-    password: "example"
-    network: ws
-    sni: example.com
-    # skip-cert-verify: true
-    # fingerprint: xxxx
-    udp: true
-    # ws-opts:
-    # path: /path
-    # headers:
-    #   Host: example.com
-
-  - name: "trojan-xtls"
-    type: trojan
-    server: server
-    port: 443
-    password: yourpsk
-    flow: "xtls-rprx-direct" # xtls-rprx-origin xtls-rprx-direct
-    flow-show: true
-    # udp: true
-    # sni: example.com # aka server name
-    # skip-cert-verify: true
-    # fingerprint: xxxx
-
+  
  # vless
  - name: "vless-tcp"
    type: vless
@ -489,7 +426,21 @@ proxies:
    # skip-cert-verify: true
    # fingerprint: xxxx
    # client-fingerprint: random # Available: "chrome","firefox","safari","random","none"
-
+  
+  - name: "vless-vision"
+    type: vless
+    server: server
+    port: 443
+    uuid: uuid
+    network: tcp
+    tls: true
+    udp: true
+    xudp: true
+    flow: xtls-rprx-vision # xtls-rprx-origin  # enable XTLS
+    client-fingerprint: chrome
+    # fingerprint: xxxx
+    # skip-cert-verify: true
+  
  - name: "vless-ws"
    type: vless
    server: server
@ -506,6 +457,61 @@ proxies:
      path: "/"
      headers:
        Host: example.com
+  
+  # Trojan
+  - name: "trojan"
+    type: trojan
+    server: server
+    port: 443
+    password: yourpsk
+    # client-fingerprint: random # Available: "chrome","firefox","safari","random","none"
+    # fingerprint: xxxx
+    # udp: true
+    # sni: example.com # aka server name
+    # alpn:
+    #   - h2
+    #   - http/1.1
+    # skip-cert-verify: true
+  
+  - name: trojan-grpc
+    server: server
+    port: 443
+    type: trojan
+    password: "example"
+    network: grpc
+    sni: example.com
+    # skip-cert-verify: true
+    # fingerprint: xxxx
+    udp: true
+    grpc-opts:
+      grpc-service-name: "example"
+  
+  - name: trojan-ws
+    server: server
+    port: 443
+    type: trojan
+    password: "example"
+    network: ws
+    sni: example.com
+    # skip-cert-verify: true
+    # fingerprint: xxxx
+    udp: true
+    # ws-opts:
+    # path: /path
+    # headers:
+    #   Host: example.com
+  
+  - name: "trojan-xtls"
+    type: trojan
+    server: server
+    port: 443
+    password: yourpsk
+    flow: "xtls-rprx-direct" # xtls-rprx-origin xtls-rprx-direct
+    flow-show: true
+    # udp: true
+    # sni: example.com # aka server name
+    # skip-cert-verify: true
+    # fingerprint: xxxx

  #hysteria
  - name: "hysteria"
@ -532,7 +538,8 @@ proxies:
    # disable_mtu_discovery: false
    # fingerprint: xxxx
    # fast-open: true # 支持 TCP 快速打开，默认为 false
-
+  
+  # wireguard
  - name: "wg"
    type: wireguard
    server: 162.159.192.1
@ -542,7 +549,9 @@ proxies:
    private-key: eCtXsJZ27+4PbhDkHnB923tkUn2Gj59wZw5wFA75MnU=
    public-key: Cr8hWlKvtDt7nrvf+f0brNQQzabAqrjfBvas9pmowjo=
    udp: true
-  #    reserved: 'U4An'
+    reserved: "U4An"
+  
+  # tuic
  - name: tuic
    server: www.example.com
    port: 10443
@ -551,16 +560,16 @@ proxies:
    # ip: 127.0.0.1 # for overwriting the DNS lookup result of the server address set in option 'server'
    # heartbeat-interval: 10000
    # alpn: [h3]
-    # disable-sni: true
+    disable-sni: true
    reduce-rtt: true
-    # request-timeout: 8000
+    request-timeout: 8000
    udp-relay-mode: native # Available: "native", "quic". Default: "native"
    # congestion-controller: bbr # Available: "cubic", "new_reno", "bbr". Default: "cubic"
    # max-udp-relay-packet-size: 1500
    # fast-open: true
    # skip-cert-verify: true
    # max-open-streams: 20 # default 100, too many open streams may hurt performance
-
+    
  # ShadowsocksR
  # The supported ciphers (encryption methods): all stream ciphers in ss
  # The supported obfses:
@ -581,8 +590,7 @@ proxies:
    # protocol-param: "#"
    # udp: true

-proxy-groups:
-  # 代理链，若落地协议支持 UDP over TCP 则可支持 UDP
+proxy-groups: # 代理链，若落地协议支持 UDP over TCP 则可支持 UDP
  # Traffic: clash <-> http <-> vmess <-> ss1 <-> ss2 <-> Internet
  - name: "relay"
    type: relay
@ -591,7 +599,7 @@ proxy-groups:
      - vmess
      - ss1
      - ss2
-
+  
  # url-test 将按照 url 测试结果使用延迟最低节点
  - name: "auto"
    type: url-test
@ -603,7 +611,7 @@ proxy-groups:
    # lazy: true
    url: "https://cp.cloudflare.com/generate_204"
    interval: 300
-
+  
  # fallback 将按照 url 测试结果按照节点顺序选择
  - name: "fallback-auto"
    type: fallback
@ -613,7 +621,7 @@ proxy-groups:
      - vmess1
    url: "https://cp.cloudflare.com/generate_204"
    interval: 300
-
+  
  # load-balance 将按照算法随机选择节点
  - name: "load-balance"
    type: load-balance
@ -623,8 +631,8 @@ proxy-groups:
      - vmess1
    url: "https://cp.cloudflare.com/generate_204"
    interval: 300
-    # strategy: consistent-hashing # 可选 round-robin 和 sticky-sessions
-
+  # strategy: consistent-hashing # 可选 round-robin 和 sticky-sessions
+  
  # select 用户自行选择节点
  - name: Proxy
    type: select
@ -634,7 +642,7 @@ proxy-groups:
      - ss2
      - vmess1
      - auto
-
+  
  # 配置指定 interface-name 和 fwmark 的 DIRECT
  - name: en1
    type: select
@ -642,7 +650,7 @@ proxy-groups:
    routing-mark: 6667
    proxies:
      - DIRECT
-
+  
  - name: UseProvider
    type: select
    filter: "HK|TW" # 正则表达式，过滤 provider1 中节点名包含 HK 或 TW
@ -689,7 +697,8 @@ rules:
  - DOMAIN-KEYWORD,google,ss1
  - IP-CIDR,1.1.1.1/32,ss1
  - IP-CIDR6,2409::/64,DIRECT
-  - SUB-RULE,(OR,((NETWORK,TCP),(NETWORK,UDP))),sub-rule-name1 # 当满足条件是 TCP 或 UDP 流量时，使用名为 sub-rule-name1 当规则集
+  # 当满足条件是 TCP 或 UDP 流量时，使用名为 sub-rule-name1 的规则集
+  - SUB-RULE,(OR,((NETWORK,TCP),(NETWORK,UDP))),sub-rule-name1 
  - SUB-RULE,(AND,((NETWORK,UDP))),sub-rule-name2
 # 定义多个子规则集，规则将以分叉匹配，使用 SUB-RULE 使用
 #                                               google.com(not match)--> baidu.com(match)
@ -716,15 +725,6 @@ sub-rules:
    - IP-CIDR,8.8.8.8/32,ss1
    - DOMAIN,dns.alidns.com,REJECT

-tls:
-  certificate: string # 证书 PEM 格式，或者 证书的路径
-  private-key: string # 证书对应的私钥 PEM 格式，或者私钥路径
-  # 自定义证书验证，将加入 Clash 证书验证中，绝大多数 TLS 相关支持，如：DNS
-  # 可用于自定义证书的验证
-  custom-certificates:
-    - certificate: string # 证书 PEM 格式，或者 证书的路径
-      private-key: string # 证书对应的私钥 PEM 格式，或者私钥路径
-
 # 流量入站
 listeners:
  - name: socks5-in-1
@ -734,14 +734,14 @@ listeners:
    # rule: sub-rule-name1 # 默认使用 rules，如果未找到 sub-rule 则直接使用 rules
    # proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理
    # udp: false # 默认 true
-
+  
  - name: http-in-1
    type: http
    port: 10809
    listen: 0.0.0.0
    # rule: sub-rule-name1 # 默认使用 rules，如果未找到 sub-rule 则直接使用 rules
    # proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时，这里的proxy名称必须合法，否则会出错)
-
+  
  - name: mixed-in-1
    type: mixed #  HTTP(S) 和 SOCKS 代理混合
    port: 10810
@ -749,14 +749,14 @@ listeners:
    # rule: sub-rule-name1 # 默认使用 rules，如果未找到 sub-rule 则直接使用 rules
    # proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时，这里的proxy名称必须合法，否则会出错)
    # udp: false # 默认 true
-
+  
  - name: reidr-in-1
    type: redir
    port: 10811
    listen: 0.0.0.0
    # rule: sub-rule-name1 # 默认使用 rules，如果未找到 sub-rule 则直接使用 rules
    # proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时，这里的proxy名称必须合法，否则会出错)
-
+  
  - name: tproxy-in-1
    type: tproxy
    port: 10812
@ -764,7 +764,7 @@ listeners:
    # rule: sub-rule-name1 # 默认使用 rules，如果未找到 sub-rule 则直接使用 rules
    # proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时，这里的proxy名称必须合法，否则会出错)
    # udp: false # 默认 true
-
+  
  - name: shadowsocks-in-1
    type: shadowsocks
    port: 10813
@ -773,7 +773,7 @@ listeners:
    # proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时，这里的proxy名称必须合法，否则会出错)
    password: vlmpIPSyHH6f4S8WVPdRIHIlzmB+GIRfoH3aNJ/t9Gg=
    cipher: 2022-blake3-aes-256-gcm
-
+  
  - name: vmess-in-1
    type: vmess
    port: 10814
@ -784,7 +784,7 @@ listeners:
      - username: 1
        uuid: 9d0cb9d0-964f-4ef6-897d-6c6b3ccf9e68
        alterId: 1
-
+  
  - name: tuic-in-1
    type: tuic
    port: 10815
@ -801,7 +801,7 @@ listeners:
    #  alpn:
    #    - h3
    #  max-udp-relay-packet-size: 1500
-
+  
  - name: tunnel-in-1
    type: tunnel
    port: 10816
@ -810,7 +810,7 @@ listeners:
    # proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时，这里的proxy名称必须合法，否则会出错)
    network: [tcp, udp]
    target: target.com
-
+  
  - name: tun-in-1
    type: tun
    # rule: sub-rule-name1 # 默认使用 rules，如果未找到 sub-rule 则直接使用 rules
@ -826,25 +826,25 @@ listeners:
    inet6-address: # 必须手动设置ipv6地址段
      - "fdfe:dcba:9877::1/126"
    # strict_route: true # 将所有连接路由到tun来防止泄漏，但你的设备将无法其他设备被访问
-    #    inet4_route_address: # 启用 auto_route 时使用自定义路由而不是默认路由
-    #      - 0.0.0.0/1
-    #      - 128.0.0.0/1
-    #    inet6_route_address: # 启用 auto_route 时使用自定义路由而不是默认路由
-    #      - "::/1"
-    #      - "8000::/1"
+    #   inet4_route_address: # 启用 auto_route 时使用自定义路由而不是默认路由
+    #     - 0.0.0.0/1
+    #     - 128.0.0.0/1
+    #   inet6_route_address: # 启用 auto_route 时使用自定义路由而不是默认路由
+    #     - "::/1"
+    #     - "8000::/1"
    # endpoint_independent_nat: false # 启用独立于端点的 NAT
    # include_uid: # UID 规则仅在 Linux 下被支持，并且需要 auto_route
    # - 0
    # include_uid_range: # 限制被路由的的用户范围
    # - 1000-99999
    # exclude_uid: # 排除路由的的用户
-    #- 1000
+    # - 1000
    # exclude_uid_range: # 排除路由的的用户范围
    # - 1000-99999
-
+    
    # Android 用户和应用规则仅在 Android 下被支持
    # 并且需要 auto_route
-
+    
    # include_android_user: # 限制被路由的 Android 用户
    # - 0
    # - 10
@ -852,3 +852,23 @@ listeners:
    # - com.android.chrome
    # exclude_package: # 排除被路由的 Android 应用包名
    # - com.android.captiveportallogin
+
+# 入口配置与 Listener 等价，传入流量将和 socks,mixed 等入口一样按照 mode 所指定的方式进行匹配处理
+# shadowsocks,vmess 入口配置（传入流量将和socks,mixed等入口一样按照mode所指定的方式进行匹配处理）
+# ss-config: ss://2022-blake3-aes-256-gcm:vlmpIPSyHH6f4S8WVPdRIHIlzmB+GIRfoH3aNJ/t9Gg=@:23456
+# vmess-config: vmess://1:9d0cb9d0-964f-4ef6-897d-6c6b3ccf9e68@:12345
+
+# tuic服务器入口（传入流量将和socks,mixed等入口一样按照mode所指定的方式进行匹配处理）
+# tuic-server:
+#  enable: true
+#  listen: 127.0.0.1:10443
+#  token:
+#    - TOKEN
+#  certificate: ./server.crt
+#  private-key: ./server.key
+#  congestion-controller: bbr
+#  max-idle-time: 15000
+#  authentication-timeout: 1000
+#  alpn:
+#    - h3
+#  max-udp-relay-packet-size: 1500
--- a/hub/executor/executor.go
+++ b/hub/executor/executor.go
@ -169,9 +169,11 @@ func updateExperimental(c *config.Config) {
 }

 func preUpdateExperimental(c *config.Config) {
-	CTLS.AddCertificate(c.TLS.PrivateKey, c.TLS.Certificate)
+	CTLS.ResetCertificate()
 	for _, c := range c.TLS.CustomTrustCert {
-		CTLS.AddCertificate(c.PrivateKey, c.Certificate)
+		if err := CTLS.AddCertificate(c); err != nil {
+			log.Warnln("%s\nadd error: %s", c, err.Error())
+		}
 	}
 }

@ -329,11 +331,7 @@ func updateTunnels(tunnels []LC.Tunnel) {
 func updateGeneral(general *config.General) {
 	tunnel.SetMode(general.Mode)
 	tunnel.SetFindProcessMode(general.FindProcessMode)
-	dialer.DisableIPv6 = !general.IPv6
-	if !dialer.DisableIPv6 {
-		log.Infoln("Use IPv6")
-	}
-	resolver.DisableIPv6 = dialer.DisableIPv6
+	resolver.DisableIPv6 =!general.IPv6

 	if general.TCPConcurrent {
 		dialer.SetDial(general.TCPConcurrent)
--- a/transport/vless/conn.go
+++ b/transport/vless/conn.go
@ -1,23 +1,33 @@
 package vless

 import (
+	"bytes"
+	"crypto/subtle"
+	gotls "crypto/tls"
 	"encoding/binary"
 	"errors"
 	"fmt"
 	"io"
 	"net"
+	"reflect"
 	"sync"
+	"unsafe"

 	"github.com/Dreamacro/clash/common/buf"
 	N "github.com/Dreamacro/clash/common/net"
+	tlsC "github.com/Dreamacro/clash/component/tls"
+	"github.com/Dreamacro/clash/log"

 	"github.com/gofrs/uuid"
+	utls "github.com/sagernet/utls"
 	xtls "github.com/xtls/go"
 	"google.golang.org/protobuf/proto"
 )

 type Conn struct {
-	N.ExtendedConn
+	N.ExtendedWriter
+	N.ExtendedReader
+	net.Conn
 	dst      *DstAddr
 	id       *uuid.UUID
 	addons   *Addons
@ -26,30 +36,143 @@ type Conn struct {
 	handshake      chan struct{}
 	handshakeMutex sync.Mutex
 	err            error
+
+	tlsConn  net.Conn
+	input    *bytes.Reader
+	rawInput *bytes.Buffer
+
+	packetsToFilter            int
+	isTLS                      bool
+	isTLS12orAbove             bool
+	enableXTLS                 bool
+	cipher                     uint16
+	remainingServerHello       uint16
+	readRemainingContent       int
+	readRemainingPadding       int
+	readProcess                bool
+	readFilterUUID             bool
+	readLastCommand            byte
+	writeFilterApplicationData bool
+	writeDirect                bool
 }

 func (vc *Conn) Read(b []byte) (int, error) {
 	if vc.received {
-		return vc.ExtendedConn.Read(b)
+		if vc.readProcess {
+			buffer := buf.With(b)
+			err := vc.ReadBuffer(buffer)
+			return buffer.Len(), err
+		}
+		return vc.ExtendedReader.Read(b)
 	}

 	if err := vc.recvResponse(); err != nil {
 		return 0, err
 	}
 	vc.received = true
-	return vc.ExtendedConn.Read(b)
+	return vc.Read(b)
 }

 func (vc *Conn) ReadBuffer(buffer *buf.Buffer) error {
 	if vc.received {
-		return vc.ExtendedConn.ReadBuffer(buffer)
+		toRead := buffer.FreeBytes()
+		if vc.readRemainingContent > 0 {
+			if vc.readRemainingContent < buffer.FreeLen() {
+				toRead = toRead[:vc.readRemainingContent]
+			}
+			n, err := vc.ExtendedReader.Read(toRead)
+			buffer.Truncate(n)
+			vc.readRemainingContent -= n
+			vc.FilterTLS(toRead)
+			return err
+		}
+		if vc.readRemainingPadding > 0 {
+			_, err := io.CopyN(io.Discard, vc.ExtendedReader, int64(vc.readRemainingPadding))
+			if err != nil {
+				return err
+			}
+			vc.readRemainingPadding = 0
+		}
+		if vc.readProcess {
+			switch vc.readLastCommand {
+			case commandPaddingContinue:
+				//if vc.isTLS || vc.packetsToFilter > 0 {
+				headerUUIDLen := 0
+				if vc.readFilterUUID {
+					headerUUIDLen = uuid.Size
+				}
+				var header []byte
+				if need := headerUUIDLen + paddingHeaderLen; buffer.FreeLen() < need {
+					header = make([]byte, need)
+				} else {
+					header = buffer.FreeBytes()[:need]
+				}
+				_, err := io.ReadFull(vc.ExtendedReader, header)
+				if err != nil {
+					return err
+				}
+				pos := 0
+				if vc.readFilterUUID {
+					vc.readFilterUUID = false
+					pos = uuid.Size
+					if subtle.ConstantTimeCompare(vc.id.Bytes(), header[:uuid.Size]) != 1 {
+						err = fmt.Errorf("XTLS Vision server responded unknown UUID: %s",
+							uuid.FromBytesOrNil(header[:uuid.Size]).String())
+						log.Errorln(err.Error())
+						return err
+					}
+				}
+				vc.readLastCommand = header[pos]
+				vc.readRemainingContent = int(binary.BigEndian.Uint16(header[pos+1:]))
+				vc.readRemainingPadding = int(binary.BigEndian.Uint16(header[pos+3:]))
+				log.Debugln("XTLS Vision read padding: command=%d, payloadLen=%d, paddingLen=%d",
+					vc.readLastCommand, vc.readRemainingContent, vc.readRemainingPadding)
+				return vc.ReadBuffer(buffer)
+				//}
+			case commandPaddingEnd:
+				vc.readProcess = false
+				return vc.ReadBuffer(buffer)
+			case commandPaddingDirect:
+				if vc.input != nil {
+					_, err := buffer.ReadFrom(vc.input)
+					if err != nil {
+						return err
+					}
+					if vc.input.Len() == 0 {
+						vc.input = nil
+					}
+					if buffer.IsFull() {
+						return nil
+					}
+				}
+				if vc.rawInput != nil {
+					_, err := buffer.ReadFrom(vc.rawInput)
+					if err != nil {
+						return err
+					}
+					if vc.rawInput.Len() == 0 {
+						vc.rawInput = nil
+					}
+				}
+				if vc.input == nil && vc.rawInput == nil {
+					vc.readProcess = false
+					vc.ExtendedReader = N.NewExtendedReader(vc.Conn)
+					log.Debugln("XTLS Vision direct read start")
+				}
+			default:
+				err := fmt.Errorf("XTLS Vision read unknown command: %d", vc.readLastCommand)
+				log.Debugln(err.Error())
+				return err
+			}
+		}
+		return vc.ExtendedReader.ReadBuffer(buffer)
 	}

 	if err := vc.recvResponse(); err != nil {
 		return err
 	}
 	vc.received = true
-	return vc.ExtendedConn.ReadBuffer(buffer)
+	return vc.ReadBuffer(buffer)
 }

 func (vc *Conn) Write(p []byte) (int, error) {
@ -66,7 +189,19 @@ func (vc *Conn) Write(p []byte) (int, error) {
 			return 0, vc.err
 		}
 	}
-	return vc.ExtendedConn.Write(p)
+	if vc.writeFilterApplicationData {
+		_buffer := buf.StackNew()
+		defer buf.KeepAlive(_buffer)
+		buffer := buf.Dup(_buffer)
+		defer buffer.Release()
+		buffer.Write(p)
+		err := vc.WriteBuffer(buffer)
+		if err != nil {
+			return 0, err
+		}
+		return len(p), nil
+	}
+	return vc.ExtendedWriter.Write(p)
 }

 func (vc *Conn) WriteBuffer(buffer *buf.Buffer) error {
@ -80,7 +215,64 @@ func (vc *Conn) WriteBuffer(buffer *buf.Buffer) error {
 			return vc.err
 		}
 	}
-	return vc.ExtendedConn.WriteBuffer(buffer)
+	if vc.writeFilterApplicationData {
+		buffer2 := ReshapeBuffer(buffer)
+		defer buffer2.Release()
+		vc.FilterTLS(buffer.Bytes())
+		command := commandPaddingContinue
+		if !vc.isTLS {
+			command = commandPaddingEnd
+
+			// disable XTLS
+			vc.readProcess = false
+			vc.writeFilterApplicationData = false
+			vc.packetsToFilter = 0
+		} else if buffer.Len() > 6 && bytes.Equal(buffer.To(3), tlsApplicationDataStart) || vc.packetsToFilter <= 0 {
+			command = commandPaddingEnd
+			if vc.enableXTLS {
+				command = commandPaddingDirect
+				vc.writeDirect = true
+			}
+			vc.writeFilterApplicationData = false
+		}
+		ApplyPadding(buffer, command, nil)
+		err := vc.ExtendedWriter.WriteBuffer(buffer)
+		if err != nil {
+			return err
+		}
+		if vc.writeDirect {
+			vc.ExtendedWriter = N.NewExtendedWriter(vc.Conn)
+			log.Debugln("XTLS Vision direct write start")
+			//time.Sleep(10 * time.Millisecond)
+		}
+		if buffer2 != nil {
+			if vc.writeDirect || !vc.isTLS {
+				return vc.ExtendedWriter.WriteBuffer(buffer2)
+			}
+			vc.FilterTLS(buffer2.Bytes())
+			command = commandPaddingContinue
+			if buffer2.Len() > 6 && bytes.Equal(buffer2.To(3), tlsApplicationDataStart) || vc.packetsToFilter <= 0 {
+				command = commandPaddingEnd
+				if vc.enableXTLS {
+					command = commandPaddingDirect
+					vc.writeDirect = true
+				}
+				vc.writeFilterApplicationData = false
+			}
+			ApplyPadding(buffer2, command, nil)
+			err = vc.ExtendedWriter.WriteBuffer(buffer2)
+			if vc.writeDirect {
+				vc.ExtendedWriter = N.NewExtendedWriter(vc.Conn)
+				log.Debugln("XTLS Vision direct write start")
+				//time.Sleep(10 * time.Millisecond)
+			}
+		}
+		return err
+	}
+	/*if vc.writeDirect {
+		log.Debugln("XTLS Vision Direct write, payloadLen=%d", buffer.Len())
+	}*/
+	return vc.ExtendedWriter.WriteBuffer(buffer)
 }

 func (vc *Conn) sendRequest(p []byte) bool {
@ -96,9 +288,6 @@ func (vc *Conn) sendRequest(p []byte) bool {
 	}
 	defer close(vc.handshake)

-	requestLen := 1  // protocol version
-	requestLen += 16 // UUID
-	requestLen += 1  // addons length
 	var addonsBytes []byte
 	if vc.addons != nil {
 		addonsBytes, vc.err = proto.Marshal(vc.addons)
@ -106,19 +295,32 @@ func (vc *Conn) sendRequest(p []byte) bool {
 			return true
 		}
 	}
-	requestLen += len(addonsBytes)
-	requestLen += 1 // command
-	if !vc.dst.Mux {
-		requestLen += 2 // port
-		requestLen += 1 // addr type
-		requestLen += len(vc.dst.Addr)
-	}
-	requestLen += len(p)
+	isVision := vc.IsXTLSVisionEnabled()

-	_buffer := buf.StackNewSize(requestLen)
-	defer buf.KeepAlive(_buffer)
-	buffer := buf.Dup(_buffer)
-	defer buffer.Release()
+	var buffer *buf.Buffer
+	if isVision {
+		_buffer := buf.StackNew()
+		defer buf.KeepAlive(_buffer)
+		buffer = buf.Dup(_buffer)
+		defer buffer.Release()
+	} else {
+		requestLen := 1  // protocol version
+		requestLen += 16 // UUID
+		requestLen += 1  // addons length
+		requestLen += len(addonsBytes)
+		requestLen += 1 // command
+		if !vc.dst.Mux {
+			requestLen += 2 // port
+			requestLen += 1 // addr type
+			requestLen += len(vc.dst.Addr)
+		}
+		requestLen += len(p)
+
+		_buffer := buf.StackNewSize(requestLen)
+		defer buf.KeepAlive(_buffer)
+		buffer = buf.Dup(_buffer)
+		defer buffer.Release()
+	}

 	buf.Must(
 		buffer.WriteByte(Version),              // protocol version
@ -143,15 +345,51 @@ func (vc *Conn) sendRequest(p []byte) bool {
 		)
 	}

-	buf.Must(buf.Error(buffer.Write(p)))
+	if isVision && !vc.dst.UDP && !vc.dst.Mux {
+		if len(p) == 0 {
+			WriteWithPadding(buffer, nil, commandPaddingContinue, vc.id)
+		} else {
+			vc.FilterTLS(p)
+			if vc.isTLS {
+				WriteWithPadding(buffer, p, commandPaddingContinue, vc.id)
+			} else {
+				buf.Must(buf.Error(buffer.Write(p)))

-	_, vc.err = vc.ExtendedConn.Write(buffer.Bytes())
+				// disable XTLS
+				vc.readProcess = false
+				vc.writeFilterApplicationData = false
+				vc.packetsToFilter = 0
+			}
+		}
+	} else {
+		buf.Must(buf.Error(buffer.Write(p)))
+	}
+
+	_, vc.err = vc.ExtendedWriter.Write(buffer.Bytes())
+	if vc.err != nil {
+		return true
+	}
+	if isVision {
+		switch underlying := vc.tlsConn.(type) {
+		case *gotls.Conn:
+			if underlying.ConnectionState().Version != gotls.VersionTLS13 {
+				vc.err = ErrNotTLS13
+			}
+		case *utls.UConn:
+			if underlying.ConnectionState().Version != utls.VersionTLS13 {
+				vc.err = ErrNotTLS13
+			}
+		default:
+			vc.err = fmt.Errorf(`failed to use %s, maybe "security" is not "tls" or "utls"`, vc.addons.Flow)
+		}
+		vc.tlsConn = nil
+	}
 	return true
 }

 func (vc *Conn) recvResponse() error {
 	var buf [1]byte
-	_, vc.err = io.ReadFull(vc.ExtendedConn, buf[:])
+	_, vc.err = io.ReadFull(vc.ExtendedReader, buf[:])
 	if vc.err != nil {
 		return vc.err
 	}
@ -160,30 +398,46 @@ func (vc *Conn) recvResponse() error {
 		return errors.New("unexpected response version")
 	}

-	_, vc.err = io.ReadFull(vc.ExtendedConn, buf[:])
+	_, vc.err = io.ReadFull(vc.ExtendedReader, buf[:])
 	if vc.err != nil {
 		return vc.err
 	}

 	length := int64(buf[0])
 	if length != 0 { // addon data length > 0
-		io.CopyN(io.Discard, vc.ExtendedConn, length) // just discard
+		io.CopyN(io.Discard, vc.ExtendedReader, length) // just discard
 	}

 	return nil
 }

+func (vc *Conn) FrontHeadroom() int {
+	if vc.IsXTLSVisionEnabled() {
+		return paddingHeaderLen
+	}
+	return 0
+}
+
 func (vc *Conn) Upstream() any {
-	return vc.ExtendedConn
+	if vc.tlsConn == nil {
+		return vc.Conn
+	}
+	return vc.tlsConn
+}
+
+func (vc *Conn) IsXTLSVisionEnabled() bool {
+	return vc.addons != nil && vc.addons.Flow == XRV
 }

 // newConn return a Conn instance
 func newConn(conn net.Conn, client *Client, dst *DstAddr) (*Conn, error) {
 	c := &Conn{
-		ExtendedConn: N.NewExtendedConn(conn),
-		id:           client.uuid,
-		dst:          dst,
-		handshake:    make(chan struct{}),
+		ExtendedReader: N.NewExtendedReader(conn),
+		ExtendedWriter: N.NewExtendedWriter(conn),
+		Conn:           conn,
+		id:             client.uuid,
+		dst:            dst,
+		handshake:      make(chan struct{}),
 	}

 	if !dst.UDP && client.Addons != nil {
@ -204,15 +458,42 @@ func newConn(conn net.Conn, client *Client, dst *DstAddr) (*Conn, error) {
 			} else {
 				return nil, fmt.Errorf("failed to use %s, maybe \"security\" is not \"xtls\"", client.Addons.Flow)
 			}
+		case XRV:
+			c.packetsToFilter = 6
+			c.readProcess = true
+			c.readFilterUUID = true
+			c.writeFilterApplicationData = true
+			c.addons = client.Addons
+			var t reflect.Type
+			var p uintptr
+			switch underlying := conn.(type) {
+			case *gotls.Conn:
+				c.Conn = underlying.NetConn()
+				c.tlsConn = underlying
+				t = reflect.TypeOf(underlying).Elem()
+				p = uintptr(unsafe.Pointer(underlying))
+			case *utls.UConn:
+				c.Conn = underlying.NetConn()
+				c.tlsConn = underlying
+				t = reflect.TypeOf(underlying.Conn).Elem()
+				p = uintptr(unsafe.Pointer(underlying.Conn))
+			case *tlsC.UConn:
+				c.Conn = underlying.NetConn()
+				c.tlsConn = underlying.UConn
+				t = reflect.TypeOf(underlying.Conn).Elem()
+				p = uintptr(unsafe.Pointer(underlying.Conn))
+			default:
+				return nil, fmt.Errorf(`failed to use %s, maybe "security" is not "tls" or "utls"`, client.Addons.Flow)
+			}
+			i, _ := t.FieldByName("input")
+			r, _ := t.FieldByName("rawInput")
+			c.input = (*bytes.Reader)(unsafe.Pointer(p + i.Offset))
+			c.rawInput = (*bytes.Buffer)(unsafe.Pointer(p + r.Offset))
+			if _, ok := c.Conn.(*net.TCPConn); !ok {
+				log.Debugln("XTLS underlying conn is not *net.TCPConn, got %s", reflect.TypeOf(conn).Name())
+			}
 		}
 	}

-	//go func() {
-	//	select {
-	//	case <-c.handshake:
-	//	case <-time.After(200 * time.Millisecond):
-	//		c.sendRequest(nil)
-	//	}
-	//}()
 	return c, nil
 }
--- a/transport/vless/filter.go
+++ b/transport/vless/filter.go
@ -0,0 +1,79 @@
+package vless
+
+import (
+	"bytes"
+	"encoding/binary"
+
+	log "github.com/sirupsen/logrus"
+)
+
+var (
+	tls13SupportedVersions  = []byte{0x00, 0x2b, 0x00, 0x02, 0x03, 0x04}
+	tlsClientHandshakeStart = []byte{0x16, 0x03}
+	tlsServerHandshakeStart = []byte{0x16, 0x03, 0x03}
+	tlsApplicationDataStart = []byte{0x17, 0x03, 0x03}
+
+	tls13CipherSuiteMap = map[uint16]string{
+		0x1301: "TLS_AES_128_GCM_SHA256",
+		0x1302: "TLS_AES_256_GCM_SHA384",
+		0x1303: "TLS_CHACHA20_POLY1305_SHA256",
+		0x1304: "TLS_AES_128_CCM_SHA256",
+		0x1305: "TLS_AES_128_CCM_8_SHA256",
+	}
+)
+
+const (
+	tlsHandshakeTypeClientHello byte = 0x01
+	tlsHandshakeTypeServerHello byte = 0x02
+)
+
+func (vc *Conn) FilterTLS(p []byte) (index int) {
+	if vc.packetsToFilter <= 0 {
+		return 0
+	}
+	lenP := len(p)
+	vc.packetsToFilter -= 1
+	if index = bytes.Index(p, tlsServerHandshakeStart); index != -1 {
+		if lenP >= index+5 && p[index+5] == tlsHandshakeTypeServerHello {
+			vc.remainingServerHello = binary.BigEndian.Uint16(p[index+3:]) + 5
+			vc.isTLS = true
+			vc.isTLS12orAbove = true
+			if lenP-index >= 79 && vc.remainingServerHello >= 79 {
+				sessionIDLen := int(p[index+43])
+				vc.cipher = binary.BigEndian.Uint16(p[index+43+sessionIDLen+1:])
+			}
+		}
+	} else if index = bytes.Index(p, tlsClientHandshakeStart); index != -1 {
+		if lenP >= index+5 && p[index+5] == tlsHandshakeTypeClientHello {
+			vc.isTLS = true
+		}
+	}
+
+	if vc.remainingServerHello > 0 {
+		end := vc.remainingServerHello
+		vc.remainingServerHello -= end
+		if end > uint16(lenP) {
+			end = uint16(lenP)
+		}
+		if bytes.Contains(p[index:end], tls13SupportedVersions) {
+			// TLS 1.3 Client Hello
+			cs, ok := tls13CipherSuiteMap[vc.cipher]
+			if ok && cs != "TLS_AES_128_CCM_8_SHA256" {
+				vc.enableXTLS = true
+			}
+			log.Debugln("XTLS Vision found TLS 1.3, packetLength=", lenP, ", CipherSuite=", cs)
+			vc.packetsToFilter = 0
+			return
+		} else if vc.remainingServerHello < 0 {
+			log.Debugln("XTLS Vision found TLS 1.2, packetLength=", lenP)
+			vc.packetsToFilter = 0
+			return
+		}
+		log.Debugln("XTLS Vision found inconclusive server hello, packetLength=", lenP,
+			", remainingServerHelloBytes=", vc.remainingServerHello)
+	}
+	if vc.packetsToFilter <= 0 {
+		log.Debugln("XTLS Vision stop filtering")
+	}
+	return
+}
--- a/transport/vless/vision.go
+++ b/transport/vless/vision.go
@ -0,0 +1,69 @@
+package vless
+
+import (
+	"bytes"
+	"encoding/binary"
+	"math/rand"
+
+	"github.com/Dreamacro/clash/common/buf"
+	"github.com/Dreamacro/clash/log"
+
+	"github.com/gofrs/uuid"
+)
+
+const (
+	paddingHeaderLen = 1 + 2 + 2 // =5
+
+	commandPaddingContinue byte = 0x00
+	commandPaddingEnd      byte = 0x01
+	commandPaddingDirect   byte = 0x02
+)
+
+func WriteWithPadding(buffer *buf.Buffer, p []byte, command byte, userUUID *uuid.UUID) {
+	contentLen := int32(len(p))
+	var paddingLen int32
+	if contentLen < 900 {
+		paddingLen = rand.Int31n(500) + 900 - contentLen
+	}
+
+	if userUUID != nil { // unnecessary, but keep the same with Xray
+		buffer.Write(userUUID.Bytes())
+	}
+	buffer.WriteByte(command)
+	binary.BigEndian.PutUint16(buffer.Extend(2), uint16(contentLen))
+	binary.BigEndian.PutUint16(buffer.Extend(2), uint16(paddingLen))
+	buffer.Write(p)
+	buffer.Extend(int(paddingLen))
+	log.Debugln("XTLS Vision write padding1: command=%v, payloadLen=%v, paddingLen=%v", command, contentLen, paddingLen)
+}
+
+func ApplyPadding(buffer *buf.Buffer, command byte, userUUID *uuid.UUID) {
+	contentLen := int32(buffer.Len())
+	var paddingLen int32
+	if contentLen < 900 {
+		paddingLen = rand.Int31n(500) + 900 - contentLen
+	}
+
+	binary.BigEndian.PutUint16(buffer.ExtendHeader(2), uint16(paddingLen))
+	binary.BigEndian.PutUint16(buffer.ExtendHeader(2), uint16(contentLen))
+	buffer.ExtendHeader(1)[0] = command
+	if userUUID != nil { // unnecessary, but keep the same with Xray
+		copy(buffer.ExtendHeader(uuid.Size), userUUID.Bytes())
+	}
+	buffer.Extend(int(paddingLen))
+	log.Debugln("XTLS Vision write padding2: command=%d, payloadLen=%d, paddingLen=%d", command, contentLen, paddingLen)
+}
+
+func ReshapeBuffer(buffer *buf.Buffer) *buf.Buffer {
+	if buffer.Len() <= buf.BufferSize-paddingHeaderLen {
+		return nil
+	}
+	cutAt := bytes.LastIndex(buffer.Bytes(), tlsApplicationDataStart)
+	if cutAt == -1 {
+		cutAt = buf.BufferSize / 2
+	}
+	buffer2 := buf.New()
+	buffer2.Write(buffer.From(cutAt))
+	buffer.Truncate(cutAt)
+	return buffer2
+}
--- a/transport/vless/vless.go
+++ b/transport/vless/vless.go
@ -12,6 +12,7 @@ const (
 	XRO = "xtls-rprx-origin"
 	XRD = "xtls-rprx-direct"
 	XRS = "xtls-rprx-splice"
+	XRV = "xtls-rprx-vision"

 	Version byte = 0 // protocol version. preview version is 0
 )
--- a/transport/vless/xtls.go
+++ b/transport/vless/xtls.go
@ -2,6 +2,7 @@ package vless

 import (
 	"context"
+	"errors"
 	"net"

 	tlsC "github.com/Dreamacro/clash/component/tls"
@ -9,6 +10,10 @@ import (
 	xtls "github.com/xtls/go"
 )

+var (
+	ErrNotTLS13 = errors.New("XTLS Vision based on TLS 1.3 outer connection")
+)
+
 type XTLSConfig struct {
 	Host           string
 	SkipCertVerify bool
--- a/tunnel/statistic/tracker.go
+++ b/tunnel/statistic/tracker.go
@ -81,7 +81,7 @@ func (tt *tcpTracker) Upstream() any {
 	return tt.Conn
 }

-func NewTCPTracker(conn C.Conn, manager *Manager, metadata *C.Metadata, rule C.Rule) *tcpTracker {
+func NewTCPTracker(conn C.Conn, manager *Manager, metadata *C.Metadata, rule C.Rule, uploadTotal int64, downloadTotal int64) *tcpTracker {
 	uuid, _ := uuid.NewV4()
 	if conn != nil {
 		if tcpAddr, ok := conn.RemoteAddr().(*net.TCPAddr); ok {
@ -100,8 +100,8 @@ func NewTCPTracker(conn C.Conn, manager *Manager, metadata *C.Metadata, rule C.R
 			Metadata:      metadata,
 			Chain:         conn.Chains(),
 			Rule:          "",
-			UploadTotal:   atomic.NewInt64(0),
-			DownloadTotal: atomic.NewInt64(0),
+			UploadTotal:   atomic.NewInt64(uploadTotal),
+			DownloadTotal: atomic.NewInt64(downloadTotal),
 		},
 		extendedReader: N.NewExtendedReader(conn),
 		extendedWriter: N.NewExtendedWriter(conn),
@ -147,7 +147,7 @@ func (ut *udpTracker) Close() error {
 	return ut.PacketConn.Close()
 }

-func NewUDPTracker(conn C.PacketConn, manager *Manager, metadata *C.Metadata, rule C.Rule) *udpTracker {
+func NewUDPTracker(conn C.PacketConn, manager *Manager, metadata *C.Metadata, rule C.Rule, uploadTotal int64, downloadTotal int64) *udpTracker {
 	uuid, _ := uuid.NewV4()
 	metadata.RemoteDst = conn.RemoteDestination()

@ -160,8 +160,8 @@ func NewUDPTracker(conn C.PacketConn, manager *Manager, metadata *C.Metadata, ru
 			Metadata:      metadata,
 			Chain:         conn.Chains(),
 			Rule:          "",
-			UploadTotal:   atomic.NewInt64(0),
-			DownloadTotal: atomic.NewInt64(0),
+			UploadTotal:   atomic.NewInt64(uploadTotal),
+			DownloadTotal: atomic.NewInt64(downloadTotal),
 		},
 	}

--- a/tunnel/tunnel.go
+++ b/tunnel/tunnel.go
@ -322,7 +322,7 @@ func handleUDPConn(packet C.PacketAdapter) {
 		}
 		pCtx.InjectPacketConn(rawPc)

-		pc := statistic.NewUDPTracker(rawPc, statistic.DefaultManager, metadata, rule)
+		pc := statistic.NewUDPTracker(rawPc, statistic.DefaultManager, metadata, rule, 0, 0)

 		switch true {
 		case metadata.SpecialProxy != "":
@ -367,6 +367,7 @@ func handleTCPConn(connCtx C.ConnContext) {
 	}

 	conn := connCtx.Conn()
+	conn.ResetPeeked()
 	if sniffer.Dispatcher.Enable() && sniffingEnable {
 		sniffer.Dispatcher.TCPSniff(conn, metadata)
 	}
@ -400,6 +401,7 @@ func handleTCPConn(connCtx C.ConnContext) {
 	}

 	var peekBytes []byte
+	var peekLen int

 	ctx, cancel := context.WithTimeout(context.Background(), C.DefaultTCPTimeout)
 	defer cancel()
@ -415,7 +417,7 @@ func handleTCPConn(connCtx C.ConnContext) {
 		if err != nil {
 			return nil, err
 		}
-		if peekLen := len(peekBytes); peekLen > 0 {
+		if peekLen = len(peekBytes); peekLen > 0 {
 			_, _ = conn.Discard(peekLen)
 		}
 		return remoteConn, err
@ -436,7 +438,7 @@ func handleTCPConn(connCtx C.ConnContext) {
 		return
 	}

-	remoteConn = statistic.NewTCPTracker(remoteConn, statistic.DefaultManager, metadata, rule)
+	remoteConn = statistic.NewTCPTracker(remoteConn, statistic.DefaultManager, metadata, rule, 0, int64(peekLen))
 	defer func(remoteConn C.Conn) {
 		_ = remoteConn.Close()
 	}(remoteConn)
Author	SHA1	Message	Date
Skyxim	7468d08e4d	chore: periodically try fallback	2023-02-26 10:59:25 +08:00
Skyxim	72ab200faf	chore: update	2023-02-26 10:44:23 +08:00
Skyxim	8df44a7c3d	chore: dual stack fallback	2023-02-26 10:42:22 +08:00
Skyxim	cdd91f5132	chore: remove unsed code	2023-02-26 10:10:38 +08:00
Skyxim	05f877a324	refactor: tcp dial	2023-02-26 10:07:03 +08:00
Skyxim	f565edd76d	chore: add custom ca trust	2023-02-25 22:01:20 +08:00
wwqgtxx	a3b8c9c233	fix: peek not work with some inbound	2023-02-25 19:41:14 +08:00
Hellojack	de92bc0234	fix: Vision filter Client Hello	2023-02-25 19:11:23 +08:00
Larvan2	e6377eac9b	chore: adjust config.yaml.	2023-02-25 17:26:13 +08:00
wwqgtxx	22726c1de8	fix: add version of shadow-tls plugin in docs/config.yaml	2023-02-25 15:05:36 +08:00
Hellojack	bce3aeb218	fix: Vision disable filter for non-TLS connections	2023-02-25 15:00:21 +08:00
Hellojack	81722610d5	feat: Support VLESS XTLS Vision (#406 )	2023-02-25 14:01:59 +08:00