chore: Random only if the certificate and private-key are empty

chore: Reject packet conn implement wait read
fix: handle manually select in url-test
2023-06-03 10:02:31 +00:00 · 2023-06-03 10:01:50 +00:00 · 2023-06-03 09:55:29 +00:00 · 2023-06-03 09:54:25 +00:00 · 2023-06-01 12:36:53 +08:00 · 2023-05-31 15:54:36 +08:00
236 changed files with 8320 additions and 7394 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@ -0,0 +1,82 @@
+name: Bug report
+description: Create a report to help us improve
+title: "[Bug] "
+body:
+  - type: checkboxes
+    id: ensure
+    attributes:
+      label: Verify steps
+      description: "
+在提交之前，请确认
+Please verify that you've followed these steps
+"
+      options:
+        - label: "
+确保你使用的是**本仓库**最新的的 clash 或 clash Alpha 版本
+Ensure you are using the latest version of Clash or Clash Premium from **this repository**.
+"
+          required: true
+        - label: "
+如果你可以自己 debug 并解决的话，提交 PR 吧
+Is this something you can **debug and fix**? Send a pull request! Bug fixes and documentation fixes are welcome.
+"
+          required: false
+        - label: "
+我已经在 [Issue Tracker](……/) 中找过我要提出的问题
+I have searched on the [issue tracker](……/) for a related issue.
+"
+          required: true
+        - label: "
+我已经使用 Alpha 分支版本测试过，问题依旧存在
+I have tested using the dev branch, and the issue still exists.
+"
+          required: true
+        - label: "
+我已经仔细看过 [Documentation](https://wiki.metacubex.one/) 并无法自行解决问题
+I have read the [documentation](https://wiki.metacubex.one/) and was unable to solve the issue.
+"
+          required: true
+        - label: "
+这是 Clash 核心的问题，并非我所使用的 Clash 衍生版本（如 OpenClash、KoolClash 等）的特定问题
+This is an issue of the Clash core *per se*, not to the derivatives of Clash, like OpenClash or KoolClash.
+"
+          required: true
+  - type: input
+    attributes:
+      label: Clash version
+      description: "use `clash -v`"
+    validations:
+      required: true
+  - type: dropdown
+    id: os
+    attributes:
+      label: What OS are you seeing the problem on?
+      multiple: true
+      options:
+        - macOS
+        - Windows
+        - Linux
+        - OpenBSD/FreeBSD
+  - type: textarea
+    attributes:
+      render: yaml
+      label: "Clash config"
+      description: "
+在下方附上 Clash core 配置文件，请确保配置文件中没有敏感信息（比如：服务器地址，密码，端口等）
+Paste the Clash core configuration file below, please make sure that there is no sensitive information in the configuration file (e.g., server address/url, password, port)
+"
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      render: shell
+      label: Clash log
+      description: "
+在下方附上 Clash Core 的日志，log level 使用 DEBUG
+Paste the Clash core log below with the log level set to `DEBUG`.
+"
+  - type: textarea
+    attributes:
+      label: Description
+    validations:
+      required: true
--- a/.github/ISSUE_TEMPLATE/feature_request.yml
+++ b/.github/ISSUE_TEMPLATE/feature_request.yml
@ -0,0 +1,36 @@
+name: Feature request
+description: Suggest an idea for this project
+title: "[Feature] "
+body:
+  - type: checkboxes
+    id: ensure
+    attributes:
+      label: Verify steps
+      description: "
+在提交之前，请确认
+Please verify that you've followed these steps
+"
+      options:
+        - label: "
+我已经在 [Issue Tracker](……/) 中找过我要提出的请求
+I have searched on the [issue tracker](……/) for a related feature request.
+"
+          required: true
+        - label: "
+我已经仔细看过 [Documentation](https://wiki.metacubex.one/) 并无法找到这个功能
+I have read the [documentation](https://wiki.metacubex.one/) and was unable to solve the issue.
+"
+          required: true
+  - type: textarea
+    attributes:
+      label: Description
+      description: 请详细、清晰地表达你要提出的论述，例如这个问题如何影响到你？你想实现什么功能？目前 Clash Core 的行为是什麽？
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Possible Solution
+      description: "
+此项非必须，但是如果你有想法的话欢迎提出。
+Not obligatory, but suggest a fix/reason for the bug, or ideas how to implement the addition or change
+"
--- a/.github/genReleaseNote.sh
+++ b/.github/genReleaseNote.sh
@ -0,0 +1 @@
+git log --pretty=format:"* %s by @%an" v1.14.x..v1.14.y | sort -f | uniq > release.md
--- a/.github/rename-cgo.sh
+++ b/.github/rename-cgo.sh
@ -15,6 +15,15 @@ do
    elif [[ $FILENAME =~ "windows-4.0-amd64" ]];then
        echo "rename windows amd64 $FILENAME"
        mv $FILENAME clash.meta-windows-amd64-cgo.exe
+    elif [[ $FILENAME =~ "clash.meta-linux-arm-5" ]];then
+        echo "rename clash.meta-linux-arm-5 $FILENAME"
+        mv $FILENAME clash.meta-linux-armv5-cgo
+    elif [[ $FILENAME =~ "clash.meta-linux-arm-6" ]];then
+        echo "rename clash.meta-linux-arm-6 $FILENAME"
+        mv $FILENAME clash.meta-linux-armv6-cgo
+    elif [[ $FILENAME =~ "clash.meta-linux-arm-7" ]];then
+        echo "rename clash.meta-linux-arm-7 $FILENAME"
+        mv $FILENAME clash.meta-linux-armv7-cgo
    elif [[ $FILENAME =~ "linux" ]];then
        echo "rename linux $FILENAME"
        mv $FILENAME $FILENAME-cgo
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -5,17 +5,19 @@ on:
    paths-ignore:
      - "docs/**"
      - "README.md"
+      - ".github/ISSUE_TEMPLATE/**"
    branches:
      - Alpha
-      - Beta
-      - Meta
    tags:
      - "v*"
  pull_request_target:
    branches:
      - Alpha
-      - Beta
-      - Meta
+      
+concurrency:
+  group: ${{ github.ref }}-${{ github.workflow }}
+  cancel-in-progress: true
+  
 env:
  REGISTRY: docker.io
 jobs:
@ -46,26 +48,27 @@ jobs:
              target: "linux-mips-softfloat linux-mips-hardfloat linux-mipsle-softfloat linux-mipsle-hardfloat",
              id: "4",
            }
+          - { type: "WithoutCGO", target: "linux-386 linux-riscv64", id: "5" }
          - {
              type: "WithoutCGO",
              target: "freebsd-386 freebsd-amd64 freebsd-arm64",
-              id: "5",
-            }
-          - {
-              type: "WithoutCGO",
-              target: "windows-amd64-compatible windows-amd64 windows-386",
              id: "6",
            }
          - {
              type: "WithoutCGO",
-              target: "windows-arm64 windows-arm32v7",
+              target: "windows-amd64-compatible windows-amd64 windows-386",
              id: "7",
            }
          - {
              type: "WithoutCGO",
-              target: "darwin-amd64 darwin-arm64 android-arm64",
+              target: "windows-arm64 windows-arm32v7",
              id: "8",
            }
+          - {
+              type: "WithoutCGO",
+              target: "darwin-amd64 darwin-arm64 android-arm64",
+              id: "9",
+            }
          - { type: "WithCGO", target: "windows/*", id: "1" }
          - { type: "WithCGO", target: "linux/386", id: "2" }
          - { type: "WithCGO", target: "linux/amd64", id: "3" }
@ -108,10 +111,11 @@ jobs:

      - name: Set ENV
        run: |
+          sudo timedatectl set-timezone "Asia/Shanghai"
          echo "NAME=clash.meta" >> $GITHUB_ENV
          echo "REPO=${{ github.repository }}" >> $GITHUB_ENV
          echo "ShortSHA=$(git rev-parse --short ${{ github.sha }})" >> $GITHUB_ENV
-          echo "BUILDTIME=$(date -u)" >> $GITHUB_ENV
+          echo "BUILDTIME=$(date)" >> $GITHUB_ENV
          echo "BRANCH=$(git rev-parse --abbrev-ref HEAD)" >> $GITHUB_ENV
        shell: bash

@ -122,7 +126,7 @@ jobs:
        shell: bash

      - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v4
        with:
          go-version: "1.20"
          check-latest: true
@ -193,6 +197,10 @@ jobs:
          ls -la
          cd ..

+      - name: Save version
+        run: echo ${VERSION} > bin/version.txt
+        shell: bash
+
      - uses: actions/upload-artifact@v3
        if: ${{  success() }}
        with:
@ -202,7 +210,7 @@ jobs:
  Upload-Prerelease:
    permissions: write-all
    if: ${{ github.ref_type=='branch' }}
-    needs: [ Build ]
+    needs: [Build]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v3
@ -215,12 +223,17 @@ jobs:
        working-directory: bin

      - name: Delete current release assets
-        uses: andreaswilli/delete-release-assets-action@v2.0.0
+        uses: 8Mi-Tech/delete-release-assets-action@main
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          tag: Prerelease-${{ github.ref_name }}
          deleteOnlyFromDrafts: false

+      - name: Set Env
+        run: |
+          echo "BUILDTIME=$(TZ=Asia/Shanghai date)" >> $GITHUB_ENV
+        shell: bash
+
      - name: Tag Repo
        uses: richardsimko/update-tag@v1.0.6
        with:
@ -228,20 +241,30 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

+      - run: |
+          cat > release.txt << 'EOF'
+          Release created at  ${{ env.BUILDTIME }}
+          Synchronize ${{ github.ref_name }} branch code updates, keeping only the latest version
+          <br>
+          [我应该下载哪个文件? / Which file should I download?](https://github.com/MetaCubeX/Clash.Meta/wiki/FAQ)
+          [查看文档 / Docs](https://metacubex.github.io/Meta-Docs/)
+          EOF
+
      - name: Upload Prerelease
        uses: softprops/action-gh-release@v1
        if: ${{  success() }}
        with:
-          tag: ${{ github.ref_name }}
          tag_name: Prerelease-${{ github.ref_name }}
-          files: bin/*
+          files: |
+            bin/*
          prerelease: true
          generate_release_notes: true
+          body_path: release.txt

  Upload-Release:
    permissions: write-all
    if: ${{ github.ref_type=='tag' }}
-    needs: [ Build ]
+    needs: [Build]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v3
@ -257,14 +280,13 @@ jobs:
        uses: softprops/action-gh-release@v1
        if: ${{  success() }}
        with:
-          tag: ${{ github.ref_name }}
          tag_name: ${{ github.ref_name }}
          files: bin/*
          generate_release_notes: true

  Docker:
    permissions: write-all
-    needs: [ Build ]
+    needs: [Build]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
@ -282,10 +304,10 @@ jobs:
        working-directory: bin

      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2

      - name: Setup Docker buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
        with:
          version: latest

@ -293,7 +315,7 @@ jobs:
      # https://github.com/docker/metadata-action
      - name: Extract Docker metadata
        id: meta
-        uses: docker/metadata-action@v3
+        uses: docker/metadata-action@v4
        with:
          images: ${{ env.REGISTRY }}/${{ secrets.DOCKERHUB_ACCOUNT }}/${{secrets.DOCKERHUB_REPO}}
      - name: Show files
@ -302,7 +324,7 @@ jobs:
          ls bin/
      - name: Log into registry
        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ secrets.DOCKER_HUB_USER }}
@ -312,7 +334,7 @@ jobs:
      # https://github.com/docker/build-push-action
      - name: Build and push Docker image
        id: build-and-push
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v4
        with:
          context: .
          file: ./Dockerfile
@ -321,5 +343,7 @@ jobs:
            linux/386
            linux/amd64
            linux/arm64/v8
+            linux/arm/v7
+          #            linux/riscv64
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
--- a/.github/workflows/delete.yml
+++ b/.github/workflows/delete.yml
@ -0,0 +1,15 @@
+name: Delete old workflow runs
+on:
+  schedule:
+    - cron: "0 0 * * SUN"
+
+jobs:
+  del_runs:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Delete workflow runs
+        uses: GitRML/delete-workflow-runs@main
+        with:
+          token: ${{ secrets.AUTH_PAT }}
+          repository: ${{ github.repository }}
+          retain_days: 30
--- a/4
+++ b/4
@ -1,4 +1,6 @@
 FROM alpine:latest as builder
+ARG TARGETPLATFORM
+RUN echo "I'm building for $TARGETPLATFORM"

 RUN apk add --no-cache gzip && \
    mkdir /clash-config && \
@ -10,7 +12,7 @@ COPY docker/file-name.sh /clash/file-name.sh
 WORKDIR /clash
 COPY bin/ bin/
 RUN FILE_NAME=`sh file-name.sh` && echo $FILE_NAME && \
-    FILE_NAME=`ls bin/ | egrep "$FILE_NAME.*"|awk NR==1` && \
+    FILE_NAME=`ls bin/ | egrep "$FILE_NAME.*"|awk NR==1` && echo $FILE_NAME && \
    mv bin/$FILE_NAME clash.gz && gzip -d clash.gz && echo "$FILE_NAME" > /clash-config/test
 FROM alpine:latest
 LABEL org.opencontainers.image.source="https://github.com/MetaCubeX/Clash.Meta"
--- a/3
+++ b/3
@ -101,6 +101,9 @@ linux-mips64:
 linux-mips64le:
 	GOARCH=mips64le GOOS=linux $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

+linux-riscv64:
+	GOARCH=riscv64 GOOS=linux $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
+
 android-arm64:
 	GOARCH=arm64 GOOS=android $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

--- a/README.md
+++ b/README.md
@ -30,8 +30,7 @@
 - Comprehensive HTTP RESTful API controller

 ## Wiki
-
-Documentation and configuring examples are available on [wiki](https://github.com/MetaCubeX/Clash.Meta/wiki) and [Clash.Meta Wiki](https://docs.metacubex.one/).
+Configuration examples can be found at [/docs/config.yaml](https://github.com/MetaCubeX/Clash.Meta/blob/Alpha/docs/config.yaml), while documentation can be found [Clash.Meta Wiki](https://clash-meta.wiki).

 ## Build

--- a/adapter/adapter.go
+++ b/adapter/adapter.go
@ -4,16 +4,16 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"github.com/Dreamacro/clash/common/queue"
-	"github.com/Dreamacro/clash/component/dialer"
-	C "github.com/Dreamacro/clash/constant"
 	"net"
 	"net/http"
 	"net/netip"
 	"net/url"
 	"time"

-	"go.uber.org/atomic"
+	"github.com/Dreamacro/clash/common/atomic"
+	"github.com/Dreamacro/clash/common/queue"
+	"github.com/Dreamacro/clash/component/dialer"
+	C "github.com/Dreamacro/clash/constant"
 )

 var UnifiedDelay = atomic.NewBool(false)
--- a/adapter/inbound/addition.go
+++ b/adapter/inbound/addition.go
@ -16,6 +16,12 @@ func WithInName(name string) Addition {
 	}
 }

+func WithInUser(user string) Addition {
+	return func(metadata *C.Metadata) {
+		metadata.InUser = user
+	}
+}
+
 func WithSpecialRules(specialRules string) Addition {
 	return func(metadata *C.Metadata) {
 		metadata.SpecialRules = specialRules
--- a/adapter/inbound/socket.go
+++ b/adapter/inbound/socket.go
@ -30,19 +30,18 @@ func NewSocket(target socks5.Addr, conn net.Conn, source C.Type, additions ...Ad
 	return context.NewConnContext(conn, metadata)
 }

-func NewInner(conn net.Conn, dst string, host string) *context.ConnContext {
+func NewInner(conn net.Conn, address string) *context.ConnContext {
 	metadata := &C.Metadata{}
 	metadata.NetWork = C.TCP
 	metadata.Type = C.INNER
 	metadata.DNSMode = C.DNSNormal
-	metadata.Host = host
 	metadata.Process = C.ClashName
-	if h, port, err := net.SplitHostPort(dst); err == nil {
+	if h, port, err := net.SplitHostPort(address); err == nil {
 		metadata.DstPort = port
-		if host == "" {
-			if ip, err := netip.ParseAddr(h); err == nil {
-				metadata.DstIP = ip
-			}
+		if ip, err := netip.ParseAddr(h); err == nil {
+			metadata.DstIP = ip
+		} else {
+			metadata.Host = h
 		}
 	}

--- a/adapter/outbound/base.go
+++ b/adapter/outbound/base.go
@ -3,15 +3,14 @@ package outbound
 import (
 	"context"
 	"encoding/json"
-	"errors"
 	"net"
 	"strings"
+	"syscall"

 	N "github.com/Dreamacro/clash/common/net"
+	"github.com/Dreamacro/clash/common/utils"
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
-
-	"github.com/gofrs/uuid"
 )

 type Base struct {
@ -35,12 +34,7 @@ func (b *Base) Name() string {
 // Id implements C.ProxyAdapter
 func (b *Base) Id() string {
 	if b.id == "" {
-		id, err := uuid.NewV6()
-		if err != nil {
-			b.id = b.name
-		} else {
-			b.id = id.String()
-		}
+		b.id = utils.NewUUIDV6().String()
 	}

 	return b.id
@ -51,33 +45,33 @@ func (b *Base) Type() C.AdapterType {
 	return b.tp
 }

-// StreamConn implements C.ProxyAdapter
-func (b *Base) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
-	return c, errors.New("no support")
+// StreamConnContext implements C.ProxyAdapter
+func (b *Base) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+	return c, C.ErrNotSupport
 }

 func (b *Base) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
-	return nil, errors.New("no support")
+	return nil, C.ErrNotSupport
 }

 // DialContextWithDialer implements C.ProxyAdapter
 func (b *Base) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.Conn, err error) {
-	return nil, errors.New("no support")
+	return nil, C.ErrNotSupport
 }

 // ListenPacketContext implements C.ProxyAdapter
 func (b *Base) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
-	return nil, errors.New("no support")
+	return nil, C.ErrNotSupport
 }

 // ListenPacketWithDialer implements C.ProxyAdapter
 func (b *Base) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.PacketConn, err error) {
-	return nil, errors.New("no support")
+	return nil, C.ErrNotSupport
 }

 // SupportWithDialer implements C.ProxyAdapter
-func (b *Base) SupportWithDialer() bool {
-	return false
+func (b *Base) SupportWithDialer() C.NetWork {
+	return C.InvalidNet
 }

 // SupportUOT implements C.ProxyAdapter
@ -100,6 +94,11 @@ func (b *Base) SupportTFO() bool {
 	return b.tfo
 }

+// IsL3Protocol implements C.ProxyAdapter
+func (b *Base) IsL3Protocol(metadata *C.Metadata) bool {
+	return false
+}
+
 // MarshalJSON implements C.ProxyAdapter
 func (b *Base) MarshalJSON() ([]byte, error) {
 	return json.Marshal(map[string]string{
@ -152,6 +151,7 @@ type BasicOption struct {
 	Interface   string `proxy:"interface-name,omitempty" group:"interface-name,omitempty"`
 	RoutingMark int    `proxy:"routing-mark,omitempty" group:"routing-mark,omitempty"`
 	IPVersion   string `proxy:"ip-version,omitempty" group:"ip-version,omitempty"`
+	DialerProxy string `proxy:"dialer-proxy,omitempty"` // don't apply this option into groups, but can set a group name in a proxy
 }

 type BaseOption struct {
@ -204,13 +204,26 @@ func (c *conn) Upstream() any {
 	return c.ExtendedConn
 }

+func (c *conn) WriterReplaceable() bool {
+	return true
+}
+
+func (c *conn) ReaderReplaceable() bool {
+	return true
+}
+
 func NewConn(c net.Conn, a C.ProxyAdapter) C.Conn {
+	if _, ok := c.(syscall.Conn); !ok { // exclusion system conn like *net.TCPConn
+		c = N.NewDeadlineConn(c) // most conn from outbound can't handle readDeadline correctly
+	}
 	return &conn{N.NewExtendedConn(c), []string{a.Name()}, parseRemoteDestination(a.Addr())}
 }

 type packetConn struct {
-	net.PacketConn
+	N.EnhancePacketConn
 	chain                   C.Chain
+	adapterName             string
+	connID                  string
 	actualRemoteDestination string
 }

@ -228,8 +241,29 @@ func (c *packetConn) AppendToChains(a C.ProxyAdapter) {
 	c.chain = append(c.chain, a.Name())
 }

+func (c *packetConn) LocalAddr() net.Addr {
+	lAddr := c.EnhancePacketConn.LocalAddr()
+	return N.NewCustomAddr(c.adapterName, c.connID, lAddr) // make quic-go's connMultiplexer happy
+}
+
+func (c *packetConn) Upstream() any {
+	return c.EnhancePacketConn
+}
+
+func (c *packetConn) WriterReplaceable() bool {
+	return true
+}
+
+func (c *packetConn) ReaderReplaceable() bool {
+	return true
+}
+
 func newPacketConn(pc net.PacketConn, a C.ProxyAdapter) C.PacketConn {
-	return &packetConn{pc, []string{a.Name()}, parseRemoteDestination(a.Addr())}
+	epc := N.NewEnhancePacketConn(pc)
+	if _, ok := pc.(syscall.Conn); !ok { // exclusion system conn like *net.UDPConn
+		epc = N.NewDeadlineEnhancePacketConn(epc) // most conn from outbound can't handle readDeadline correctly
+	}
+	return &packetConn{epc, []string{a.Name()}, a.Name(), utils.NewUUIDV4().String(), parseRemoteDestination(a.Addr())}
 }

 func parseRemoteDestination(addr string) string {
--- a/adapter/outbound/direct.go
+++ b/adapter/outbound/direct.go
@ -2,8 +2,7 @@ package outbound

 import (
 	"context"
-	"net"
-
+	"errors"
 	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/resolver"
 	C "github.com/Dreamacro/clash/constant"
@ -26,16 +25,19 @@ func (d *Direct) DialContext(ctx context.Context, metadata *C.Metadata, opts ...

 // ListenPacketContext implements C.ProxyAdapter
 func (d *Direct) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
-	opts = append(opts, dialer.WithResolver(resolver.DefaultResolver))
+	// net.UDPConn.WriteTo only working with *net.UDPAddr, so we need a net.UDPAddr
+	if !metadata.Resolved() {
+		ip, err := resolver.ResolveIPWithResolver(ctx, metadata.Host, resolver.DefaultResolver)
+		if err != nil {
+			return nil, errors.New("can't resolve ip")
+		}
+		metadata.DstIP = ip
+	}
 	pc, err := dialer.ListenPacket(ctx, dialer.ParseNetwork("udp", metadata.DstIP), "", d.Base.DialOptions(opts...)...)
 	if err != nil {
 		return nil, err
 	}
-	return newPacketConn(&directPacketConn{pc}, d), nil
-}
-
-type directPacketConn struct {
-	net.PacketConn
+	return newPacketConn(pc, d), nil
 }

 func NewDirect() *Direct {
--- a/adapter/outbound/http.go
+++ b/adapter/outbound/http.go
@ -10,10 +10,10 @@ import (
 	"io"
 	"net"
 	"net/http"
-	"net/url"
 	"strconv"

 	"github.com/Dreamacro/clash/component/dialer"
+	"github.com/Dreamacro/clash/component/proxydialer"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
 )
@ -40,12 +40,10 @@ type HttpOption struct {
 	Headers        map[string]string `proxy:"headers,omitempty"`
 }

-// StreamConn implements C.ProxyAdapter
-func (h *Http) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+// StreamConnContext implements C.ProxyAdapter
+func (h *Http) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	if h.tlsConfig != nil {
 		cc := tls.Client(c, h.tlsConfig)
-		ctx, cancel := context.WithTimeout(context.Background(), C.DefaultTLSTimeout)
-		defer cancel()
 		err := cc.HandshakeContext(ctx)
 		c = cc
 		if err != nil {
@ -66,6 +64,12 @@ func (h *Http) DialContext(ctx context.Context, metadata *C.Metadata, opts ...di

 // DialContextWithDialer implements C.ProxyAdapter
 func (h *Http) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.Conn, err error) {
+	if len(h.option.DialerProxy) > 0 {
+		dialer, err = proxydialer.NewByName(h.option.DialerProxy, dialer)
+		if err != nil {
+			return nil, err
+		}
+	}
 	c, err := dialer.DialContext(ctx, "tcp", h.addr)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", h.addr, err)
@ -76,7 +80,7 @@ func (h *Http) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metad
 		safeConnClose(c, err)
 	}(c)

-	c, err = h.StreamConn(c, metadata)
+	c, err = h.StreamConnContext(ctx, c, metadata)
 	if err != nil {
 		return nil, err
 	}
@ -85,40 +89,42 @@ func (h *Http) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metad
 }

 // SupportWithDialer implements C.ProxyAdapter
-func (h *Http) SupportWithDialer() bool {
-	return true
+func (h *Http) SupportWithDialer() C.NetWork {
+	return C.TCP
 }

 func (h *Http) shakeHand(metadata *C.Metadata, rw io.ReadWriter) error {
 	addr := metadata.RemoteAddress()
-	req := &http.Request{
-		Method: http.MethodConnect,
-		URL: &url.URL{
-			Host: addr,
-		},
-		Host: addr,
-		Header: http.Header{
-			"Proxy-Connection": []string{"Keep-Alive"},
-		},
+	HeaderString := "CONNECT " + addr + " HTTP/1.1\r\n"
+	tempHeaders := map[string]string{
+		"Host":             addr,
+		"User-Agent":       "Go-http-client/1.1",
+		"Proxy-Connection": "Keep-Alive",
 	}

-	//增加headers
-	if len(h.option.Headers) != 0 {
-		for key, value := range h.option.Headers {
-			req.Header.Add(key, value)
-		}
+	for key, value := range h.option.Headers {
+		tempHeaders[key] = value
 	}

 	if h.user != "" && h.pass != "" {
 		auth := h.user + ":" + h.pass
-		req.Header.Add("Proxy-Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte(auth)))
+		tempHeaders["Proxy-Authorization"] = "Basic " + base64.StdEncoding.EncodeToString([]byte(auth))
 	}

-	if err := req.Write(rw); err != nil {
+	for key, value := range tempHeaders {
+		HeaderString += key + ": " + value + "\r\n"
+	}
+
+	HeaderString += "\r\n"
+
+	_, err := rw.Write([]byte(HeaderString))
+
+	if err != nil {
 		return err
 	}

-	resp, err := http.ReadResponse(bufio.NewReader(rw), req)
+	resp, err := http.ReadResponse(bufio.NewReader(rw), nil)
+
 	if err != nil {
 		return err
 	}
--- a/adapter/outbound/hysteria.go
+++ b/adapter/outbound/hysteria.go
@ -20,6 +20,7 @@ import (
 	M "github.com/sagernet/sing/common/metadata"

 	"github.com/Dreamacro/clash/component/dialer"
+	"github.com/Dreamacro/clash/component/proxydialer"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/log"
@ -28,6 +29,7 @@ import (
 	"github.com/Dreamacro/clash/transport/hysteria/obfs"
 	"github.com/Dreamacro/clash/transport/hysteria/pmtud_fix"
 	"github.com/Dreamacro/clash/transport/hysteria/transport"
+	"github.com/Dreamacro/clash/transport/hysteria/utils"
 )

 const (
@ -46,21 +48,12 @@ var rateStringRegexp = regexp.MustCompile(`^(\d+)\s*([KMGT]?)([Bb])ps$`)
 type Hysteria struct {
 	*Base

+	option *HysteriaOption
 	client *core.Client
 }

 func (h *Hysteria) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
-	hdc := hyDialerWithContext{
-		ctx: context.Background(),
-		hyDialer: func(network string) (net.PacketConn, error) {
-			return dialer.ListenPacket(ctx, network, "", h.Base.DialOptions(opts...)...)
-		},
-		remoteAddr: func(addr string) (net.Addr, error) {
-			return resolveUDPAddrWithPrefer(ctx, "udp", addr, h.prefer)
-		},
-	}
-
-	tcpConn, err := h.client.DialTCP(metadata.RemoteAddress(), &hdc)
+	tcpConn, err := h.client.DialTCP(metadata.RemoteAddress(), h.genHdc(ctx, opts...))
 	if err != nil {
 		return nil, err
 	}
@ -69,20 +62,32 @@ func (h *Hysteria) DialContext(ctx context.Context, metadata *C.Metadata, opts .
 }

 func (h *Hysteria) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
-	hdc := hyDialerWithContext{
+	udpConn, err := h.client.DialUDP(h.genHdc(ctx, opts...))
+	if err != nil {
+		return nil, err
+	}
+	return newPacketConn(&hyPacketConn{udpConn}, h), nil
+}
+
+func (h *Hysteria) genHdc(ctx context.Context, opts ...dialer.Option) utils.PacketDialer {
+	return &hyDialerWithContext{
 		ctx: context.Background(),
 		hyDialer: func(network string) (net.PacketConn, error) {
-			return dialer.ListenPacket(ctx, network, "", h.Base.DialOptions(opts...)...)
+			var err error
+			var cDialer C.Dialer = dialer.NewDialer(h.Base.DialOptions(opts...)...)
+			if len(h.option.DialerProxy) > 0 {
+				cDialer, err = proxydialer.NewByName(h.option.DialerProxy, cDialer)
+				if err != nil {
+					return nil, err
+				}
+			}
+			rAddrPort, _ := netip.ParseAddrPort(h.Addr())
+			return cDialer.ListenPacket(ctx, network, "", rAddrPort)
 		},
 		remoteAddr: func(addr string) (net.Addr, error) {
 			return resolveUDPAddrWithPrefer(ctx, "udp", addr, h.prefer)
 		},
 	}
-	udpConn, err := h.client.DialUDP(&hdc)
-	if err != nil {
-		return nil, err
-	}
-	return newPacketConn(&hyPacketConn{udpConn}, h), nil
 }

 type HysteriaOption struct {
@ -258,6 +263,7 @@ func NewHysteria(option HysteriaOption) (*Hysteria, error) {
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
+		option: &option,
 		client: client,
 	}, nil
 }
@ -312,6 +318,16 @@ func (c *hyPacketConn) ReadFrom(p []byte) (n int, addr net.Addr, err error) {
 	return
 }

+func (c *hyPacketConn) WaitReadFrom() (data []byte, put func(), addr net.Addr, err error) {
+	b, addrStr, err := c.UDPConn.ReadFrom()
+	if err != nil {
+		return
+	}
+	data = b
+	addr = M.ParseSocksaddr(addrStr).UDPAddr()
+	return
+}
+
 func (c *hyPacketConn) WriteTo(p []byte, addr net.Addr) (n int, err error) {
 	err = c.UDPConn.WriteTo(p, M.SocksaddrFromNet(addr).String())
 	if err != nil {
--- a/adapter/outbound/reality.go
+++ b/adapter/outbound/reality.go
@ -0,0 +1,35 @@
+package outbound
+
+import (
+	"encoding/base64"
+	"encoding/hex"
+	"errors"
+
+	tlsC "github.com/Dreamacro/clash/component/tls"
+
+	"golang.org/x/crypto/curve25519"
+)
+
+type RealityOptions struct {
+	PublicKey string `proxy:"public-key"`
+	ShortID   string `proxy:"short-id"`
+}
+
+func (o RealityOptions) Parse() (*tlsC.RealityConfig, error) {
+	if o.PublicKey != "" {
+		config := new(tlsC.RealityConfig)
+
+		n, err := base64.RawURLEncoding.Decode(config.PublicKey[:], []byte(o.PublicKey))
+		if err != nil || n != curve25519.ScalarSize {
+			return nil, errors.New("invalid REALITY public key")
+		}
+
+		n, err = hex.Decode(config.ShortID[:], []byte(o.ShortID))
+		if err != nil || n > tlsC.RealityMaxShortIDLen {
+			return nil, errors.New("invalid REALITY short ID")
+		}
+
+		return config, nil
+	}
+	return nil, nil
+}
--- a/adapter/outbound/reject.go
+++ b/adapter/outbound/reject.go
@ -6,6 +6,7 @@ import (
 	"net"
 	"time"

+	"github.com/Dreamacro/clash/common/buf"
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
 )
@ -16,12 +17,12 @@ type Reject struct {

 // DialContext implements C.ProxyAdapter
 func (r *Reject) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
-	return NewConn(&nopConn{}, r), nil
+	return NewConn(nopConn{}, r), nil
 }

 // ListenPacketContext implements C.ProxyAdapter
 func (r *Reject) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
-	return newPacketConn(&nopPacketConn{}, r), nil
+	return newPacketConn(nopPacketConn{}, r), nil
 }

 func NewReject() *Reject {
@ -48,30 +49,40 @@ func NewPass() *Reject {

 type nopConn struct{}

-func (rw *nopConn) Read(b []byte) (int, error) {
+func (rw nopConn) Read(b []byte) (int, error) {
 	return 0, io.EOF
 }

-func (rw *nopConn) Write(b []byte) (int, error) {
-	if len(b) == 0 {
-		return 0, nil
-	}
+func (rw nopConn) ReadBuffer(buffer *buf.Buffer) error {
+	return io.EOF
+}
+
+func (rw nopConn) Write(b []byte) (int, error) {
 	return 0, io.EOF
 }

-func (rw *nopConn) Close() error                     { return nil }
-func (rw *nopConn) LocalAddr() net.Addr              { return nil }
-func (rw *nopConn) RemoteAddr() net.Addr             { return nil }
-func (rw *nopConn) SetDeadline(time.Time) error      { return nil }
-func (rw *nopConn) SetReadDeadline(time.Time) error  { return nil }
-func (rw *nopConn) SetWriteDeadline(time.Time) error { return nil }
+func (rw nopConn) WriteBuffer(buffer *buf.Buffer) error {
+	return io.EOF
+}
+
+func (rw nopConn) Close() error                     { return nil }
+func (rw nopConn) LocalAddr() net.Addr              { return nil }
+func (rw nopConn) RemoteAddr() net.Addr             { return nil }
+func (rw nopConn) SetDeadline(time.Time) error      { return nil }
+func (rw nopConn) SetReadDeadline(time.Time) error  { return nil }
+func (rw nopConn) SetWriteDeadline(time.Time) error { return nil }
+
+var udpAddrIPv4Unspecified = &net.UDPAddr{IP: net.IPv4zero, Port: 0}

 type nopPacketConn struct{}

-func (npc *nopPacketConn) WriteTo(b []byte, addr net.Addr) (n int, err error) { return len(b), nil }
-func (npc *nopPacketConn) ReadFrom(b []byte) (int, net.Addr, error)           { return 0, nil, io.EOF }
-func (npc *nopPacketConn) Close() error                                       { return nil }
-func (npc *nopPacketConn) LocalAddr() net.Addr                                { return &net.UDPAddr{IP: net.IPv4zero, Port: 0} }
-func (npc *nopPacketConn) SetDeadline(time.Time) error                        { return nil }
-func (npc *nopPacketConn) SetReadDeadline(time.Time) error                    { return nil }
-func (npc *nopPacketConn) SetWriteDeadline(time.Time) error                   { return nil }
+func (npc nopPacketConn) WriteTo(b []byte, addr net.Addr) (n int, err error) { return len(b), nil }
+func (npc nopPacketConn) ReadFrom(b []byte) (int, net.Addr, error)           { return 0, nil, io.EOF }
+func (npc nopPacketConn) WaitReadFrom() ([]byte, func(), net.Addr, error) {
+	return nil, nil, nil, io.EOF
+}
+func (npc nopPacketConn) Close() error                     { return nil }
+func (npc nopPacketConn) LocalAddr() net.Addr              { return udpAddrIPv4Unspecified }
+func (npc nopPacketConn) SetDeadline(time.Time) error      { return nil }
+func (npc nopPacketConn) SetReadDeadline(time.Time) error  { return nil }
+func (npc nopPacketConn) SetWriteDeadline(time.Time) error { return nil }
--- a/adapter/outbound/shadowsocks.go
+++ b/adapter/outbound/shadowsocks.go
@ -7,17 +7,19 @@ import (
 	"net"
 	"strconv"

+	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/common/structure"
 	"github.com/Dreamacro/clash/component/dialer"
+	"github.com/Dreamacro/clash/component/proxydialer"
+	"github.com/Dreamacro/clash/component/resolver"
 	C "github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/transport/restls"
 	obfs "github.com/Dreamacro/clash/transport/simple-obfs"
 	shadowtls "github.com/Dreamacro/clash/transport/sing-shadowtls"
-	"github.com/Dreamacro/clash/transport/socks5"
 	v2rayObfs "github.com/Dreamacro/clash/transport/v2ray-plugin"

-	shadowsocks "github.com/metacubex/sing-shadowsocks"
-	"github.com/metacubex/sing-shadowsocks/shadowimpl"
-	"github.com/sagernet/sing/common/bufio"
+	restlsC "github.com/3andne/restls-client-go"
+	"github.com/metacubex/sing-shadowsocks2"
 	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/uot"
 )
@ -32,19 +34,22 @@ type ShadowSocks struct {
 	obfsOption      *simpleObfsOption
 	v2rayOption     *v2rayObfs.Option
 	shadowTLSOption *shadowtls.ShadowTLSOption
+	restlsConfig    *restlsC.Config
 }

 type ShadowSocksOption struct {
 	BasicOption
-	Name       string         `proxy:"name"`
-	Server     string         `proxy:"server"`
-	Port       int            `proxy:"port"`
-	Password   string         `proxy:"password"`
-	Cipher     string         `proxy:"cipher"`
-	UDP        bool           `proxy:"udp,omitempty"`
-	Plugin     string         `proxy:"plugin,omitempty"`
-	PluginOpts map[string]any `proxy:"plugin-opts,omitempty"`
-	UDPOverTCP bool           `proxy:"udp-over-tcp,omitempty"`
+	Name              string         `proxy:"name"`
+	Server            string         `proxy:"server"`
+	Port              int            `proxy:"port"`
+	Password          string         `proxy:"password"`
+	Cipher            string         `proxy:"cipher"`
+	UDP               bool           `proxy:"udp,omitempty"`
+	Plugin            string         `proxy:"plugin,omitempty"`
+	PluginOpts        map[string]any `proxy:"plugin-opts,omitempty"`
+	UDPOverTCP        bool           `proxy:"udp-over-tcp,omitempty"`
+	UDPOverTCPVersion int            `proxy:"udp-over-tcp-version,omitempty"`
+	ClientFingerprint string         `proxy:"client-fingerprint,omitempty"`
 }

 type simpleObfsOption struct {
@ -64,31 +69,23 @@ type v2rayObfsOption struct {
 }

 type shadowTLSOption struct {
-	Password          string `obfs:"password"`
-	Host              string `obfs:"host"`
-	Fingerprint       string `obfs:"fingerprint,omitempty"`
-	ClientFingerprint string `obfs:"client-fingerprint,omitempty"`
-	SkipCertVerify    bool   `obfs:"skip-cert-verify,omitempty"`
-	Version           int    `obfs:"version,omitempty"`
+	Password       string `obfs:"password"`
+	Host           string `obfs:"host"`
+	Fingerprint    string `obfs:"fingerprint,omitempty"`
+	SkipCertVerify bool   `obfs:"skip-cert-verify,omitempty"`
+	Version        int    `obfs:"version,omitempty"`
 }

-// StreamConn implements C.ProxyAdapter
-func (ss *ShadowSocks) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
-	switch ss.obfsMode {
-	case shadowtls.Mode:
-		// fix tls handshake not timeout
-		ctx, cancel := context.WithTimeout(context.Background(), C.DefaultTLSTimeout)
-		defer cancel()
-		var err error
-		c, err = shadowtls.NewShadowTLS(ctx, c, ss.shadowTLSOption)
-		if err != nil {
-			return nil, err
-		}
-	}
-	return ss.streamConn(c, metadata)
+type restlsOption struct {
+	Password     string `obfs:"password"`
+	Host         string `obfs:"host"`
+	VersionHint  string `obfs:"version-hint"`
+	RestlsScript string `obfs:"restls-script,omitempty"`
 }

-func (ss *ShadowSocks) streamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+// StreamConnContext implements C.ProxyAdapter
+func (ss *ShadowSocks) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+	useEarly := false
 	switch ss.obfsMode {
 	case "tls":
 		c = obfs.NewTLSObfs(c, ss.obfsOption.Host)
@ -97,15 +94,39 @@ func (ss *ShadowSocks) streamConn(c net.Conn, metadata *C.Metadata) (net.Conn, e
 		c = obfs.NewHTTPObfs(c, ss.obfsOption.Host, port)
 	case "websocket":
 		var err error
-		c, err = v2rayObfs.NewV2rayObfs(c, ss.v2rayOption)
+		c, err = v2rayObfs.NewV2rayObfs(ctx, c, ss.v2rayOption)
 		if err != nil {
 			return nil, fmt.Errorf("%s connect error: %w", ss.addr, err)
 		}
+	case shadowtls.Mode:
+		var err error
+		c, err = shadowtls.NewShadowTLS(ctx, c, ss.shadowTLSOption)
+		if err != nil {
+			return nil, err
+		}
+		useEarly = true
+	case restls.Mode:
+		var err error
+		c, err = restls.NewRestls(ctx, c, ss.restlsConfig)
+		if err != nil {
+			return nil, fmt.Errorf("%s (restls) connect error: %w", ss.addr, err)
+		}
+		useEarly = true
 	}
+	useEarly = useEarly || N.NeedHandshake(c)
 	if metadata.NetWork == C.UDP && ss.option.UDPOverTCP {
-		return ss.method.DialEarlyConn(c, M.ParseSocksaddr(uot.UOTMagicAddress+":443")), nil
+		uotDestination := uot.RequestDestination(uint8(ss.option.UDPOverTCPVersion))
+		if useEarly {
+			return ss.method.DialEarlyConn(c, uotDestination), nil
+		} else {
+			return ss.method.DialConn(c, uotDestination)
+		}
+	}
+	if useEarly {
+		return ss.method.DialEarlyConn(c, M.ParseSocksaddr(metadata.RemoteAddress())), nil
+	} else {
+		return ss.method.DialConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
 	}
-	return ss.method.DialEarlyConn(c, M.ParseSocksaddr(metadata.RemoteAddress())), nil
 }

 // DialContext implements C.ProxyAdapter
@ -115,6 +136,12 @@ func (ss *ShadowSocks) DialContext(ctx context.Context, metadata *C.Metadata, op

 // DialContextWithDialer implements C.ProxyAdapter
 func (ss *ShadowSocks) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.Conn, err error) {
+	if len(ss.option.DialerProxy) > 0 {
+		dialer, err = proxydialer.NewByName(ss.option.DialerProxy, dialer)
+		if err != nil {
+			return nil, err
+		}
+	}
 	c, err := dialer.DialContext(ctx, "tcp", ss.addr)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", ss.addr, err)
@ -125,15 +152,7 @@ func (ss *ShadowSocks) DialContextWithDialer(ctx context.Context, dialer C.Diale
 		safeConnClose(c, err)
 	}(c)

-	switch ss.obfsMode {
-	case shadowtls.Mode:
-		c, err = shadowtls.NewShadowTLS(ctx, c, ss.shadowTLSOption)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	c, err = ss.streamConn(c, metadata)
+	c, err = ss.StreamConnContext(ctx, c, metadata)
 	return NewConn(c, ss), err
 }

@ -144,12 +163,18 @@ func (ss *ShadowSocks) ListenPacketContext(ctx context.Context, metadata *C.Meta

 // ListenPacketWithDialer implements C.ProxyAdapter
 func (ss *ShadowSocks) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.PacketConn, err error) {
+	if len(ss.option.DialerProxy) > 0 {
+		dialer, err = proxydialer.NewByName(ss.option.DialerProxy, dialer)
+		if err != nil {
+			return nil, err
+		}
+	}
 	if ss.option.UDPOverTCP {
 		tcpConn, err := ss.DialContextWithDialer(ctx, dialer, metadata)
 		if err != nil {
 			return nil, err
 		}
-		return newPacketConn(uot.NewClientConn(tcpConn), ss), nil
+		return ss.ListenPacketOnStreamConn(ctx, tcpConn, metadata)
 	}
 	addr, err := resolveUDPAddrWithPrefer(ctx, "udp", ss.addr, ss.prefer)
 	if err != nil {
@ -160,21 +185,35 @@ func (ss *ShadowSocks) ListenPacketWithDialer(ctx context.Context, dialer C.Dial
 	if err != nil {
 		return nil, err
 	}
-	pc = ss.method.DialPacketConn(&bufio.BindPacketConn{PacketConn: pc, Addr: addr})
+	pc = ss.method.DialPacketConn(N.NewBindPacketConn(pc, addr))
 	return newPacketConn(pc, ss), nil
 }

 // SupportWithDialer implements C.ProxyAdapter
-func (ss *ShadowSocks) SupportWithDialer() bool {
-	return true
+func (ss *ShadowSocks) SupportWithDialer() C.NetWork {
+	return C.ALLNet
 }

 // ListenPacketOnStreamConn implements C.ProxyAdapter
-func (ss *ShadowSocks) ListenPacketOnStreamConn(c net.Conn, metadata *C.Metadata) (_ C.PacketConn, err error) {
+func (ss *ShadowSocks) ListenPacketOnStreamConn(ctx context.Context, c net.Conn, metadata *C.Metadata) (_ C.PacketConn, err error) {
 	if ss.option.UDPOverTCP {
-		return newPacketConn(uot.NewClientConn(c), ss), nil
+		// ss uot use stream-oriented udp with a special address, so we need a net.UDPAddr
+		if !metadata.Resolved() {
+			ip, err := resolver.ResolveIP(ctx, metadata.Host)
+			if err != nil {
+				return nil, errors.New("can't resolve ip")
+			}
+			metadata.DstIP = ip
+		}
+
+		destination := M.SocksaddrFromNet(metadata.UDPAddr())
+		if ss.option.UDPOverTCPVersion == uot.LegacyVersion {
+			return newPacketConn(uot.NewConn(c, uot.Request{Destination: destination}), ss), nil
+		} else {
+			return newPacketConn(uot.NewLazyConn(c, uot.Request{Destination: destination}), ss), nil
+		}
 	}
-	return nil, errors.New("no support")
+	return nil, C.ErrNotSupport
 }

 // SupportUOT implements C.ProxyAdapter
@ -184,7 +223,9 @@ func (ss *ShadowSocks) SupportUOT() bool {

 func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
-	method, err := shadowimpl.FetchMethod(option.Cipher, option.Password)
+	method, err := shadowsocks.CreateMethod(context.Background(), option.Cipher, shadowsocks.MethodOptions{
+		Password: option.Password,
+	})
 	if err != nil {
 		return nil, fmt.Errorf("ss %s initialize error: %w", addr, err)
 	}
@ -192,6 +233,7 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 	var v2rayOption *v2rayObfs.Option
 	var obfsOption *simpleObfsOption
 	var shadowTLSOpt *shadowtls.ShadowTLSOption
+	var restlsConfig *restlsC.Config
 	obfsMode := ""

 	decoder := structure.NewDecoder(structure.Option{TagName: "obfs", WeaklyTypedInput: true})
@ -240,10 +282,30 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 			Password:          opt.Password,
 			Host:              opt.Host,
 			Fingerprint:       opt.Fingerprint,
-			ClientFingerprint: opt.ClientFingerprint,
+			ClientFingerprint: option.ClientFingerprint,
 			SkipCertVerify:    opt.SkipCertVerify,
 			Version:           opt.Version,
 		}
+	} else if option.Plugin == restls.Mode {
+		obfsMode = restls.Mode
+		restlsOpt := &restlsOption{}
+		if err := decoder.Decode(option.PluginOpts, restlsOpt); err != nil {
+			return nil, fmt.Errorf("ss %s initialize restls-plugin error: %w", addr, err)
+		}
+
+		restlsConfig, err = restlsC.NewRestlsConfig(restlsOpt.Host, restlsOpt.Password, restlsOpt.VersionHint, restlsOpt.RestlsScript, option.ClientFingerprint)
+		restlsConfig.SessionTicketsDisabled = true
+		if err != nil {
+			return nil, fmt.Errorf("ss %s initialize restls-plugin error: %w", addr, err)
+		}
+
+	}
+	switch option.UDPOverTCPVersion {
+	case uot.Version, uot.LegacyVersion:
+	case 0:
+		option.UDPOverTCPVersion = uot.LegacyVersion
+	default:
+		return nil, fmt.Errorf("ss %s unknown udp over tcp protocol version: %d", addr, option.UDPOverTCPVersion)
 	}

 	return &ShadowSocks{
@ -264,38 +326,6 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 		v2rayOption:     v2rayOption,
 		obfsOption:      obfsOption,
 		shadowTLSOption: shadowTLSOpt,
+		restlsConfig:    restlsConfig,
 	}, nil
 }
-
-type ssPacketConn struct {
-	net.PacketConn
-	rAddr net.Addr
-}
-
-func (spc *ssPacketConn) WriteTo(b []byte, addr net.Addr) (n int, err error) {
-	packet, err := socks5.EncodeUDPPacket(socks5.ParseAddrToSocksAddr(addr), b)
-	if err != nil {
-		return
-	}
-	return spc.PacketConn.WriteTo(packet[3:], spc.rAddr)
-}
-
-func (spc *ssPacketConn) ReadFrom(b []byte) (int, net.Addr, error) {
-	n, _, e := spc.PacketConn.ReadFrom(b)
-	if e != nil {
-		return 0, nil, e
-	}
-
-	addr := socks5.SplitAddr(b[:n])
-	if addr == nil {
-		return 0, nil, errors.New("parse addr error")
-	}
-
-	udpAddr := addr.UDPAddr()
-	if udpAddr == nil {
-		return 0, nil, errors.New("parse addr error")
-	}
-
-	copy(b, b[len(addr):])
-	return n - len(addr), udpAddr, e
-}
--- a/adapter/outbound/shadowsocksr.go
+++ b/adapter/outbound/shadowsocksr.go
@ -2,21 +2,26 @@ package outbound

 import (
 	"context"
+	"errors"
 	"fmt"
 	"net"
 	"strconv"

+	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/component/dialer"
+	"github.com/Dreamacro/clash/component/proxydialer"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/shadowsocks/core"
 	"github.com/Dreamacro/clash/transport/shadowsocks/shadowaead"
 	"github.com/Dreamacro/clash/transport/shadowsocks/shadowstream"
+	"github.com/Dreamacro/clash/transport/socks5"
 	"github.com/Dreamacro/clash/transport/ssr/obfs"
 	"github.com/Dreamacro/clash/transport/ssr/protocol"
 )

 type ShadowSocksR struct {
 	*Base
+	option   *ShadowSocksROption
 	cipher   core.Cipher
 	obfs     obfs.Obfs
 	protocol protocol.Protocol
@ -36,8 +41,8 @@ type ShadowSocksROption struct {
 	UDP           bool   `proxy:"udp,omitempty"`
 }

-// StreamConn implements C.ProxyAdapter
-func (ssr *ShadowSocksR) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+// StreamConnContext implements C.ProxyAdapter
+func (ssr *ShadowSocksR) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	c = ssr.obfs.StreamConn(c)
 	c = ssr.cipher.StreamConn(c)
 	var (
@ -65,6 +70,12 @@ func (ssr *ShadowSocksR) DialContext(ctx context.Context, metadata *C.Metadata,

 // DialContextWithDialer implements C.ProxyAdapter
 func (ssr *ShadowSocksR) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.Conn, err error) {
+	if len(ssr.option.DialerProxy) > 0 {
+		dialer, err = proxydialer.NewByName(ssr.option.DialerProxy, dialer)
+		if err != nil {
+			return nil, err
+		}
+	}
 	c, err := dialer.DialContext(ctx, "tcp", ssr.addr)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", ssr.addr, err)
@ -75,7 +86,7 @@ func (ssr *ShadowSocksR) DialContextWithDialer(ctx context.Context, dialer C.Dia
 		safeConnClose(c, err)
 	}(c)

-	c, err = ssr.StreamConn(c, metadata)
+	c, err = ssr.StreamConnContext(ctx, c, metadata)
 	return NewConn(c, ssr), err
 }

@ -86,6 +97,12 @@ func (ssr *ShadowSocksR) ListenPacketContext(ctx context.Context, metadata *C.Me

 // ListenPacketWithDialer implements C.ProxyAdapter
 func (ssr *ShadowSocksR) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.PacketConn, err error) {
+	if len(ssr.option.DialerProxy) > 0 {
+		dialer, err = proxydialer.NewByName(ssr.option.DialerProxy, dialer)
+		if err != nil {
+			return nil, err
+		}
+	}
 	addr, err := resolveUDPAddrWithPrefer(ctx, "udp", ssr.addr, ssr.prefer)
 	if err != nil {
 		return nil, err
@ -96,14 +113,14 @@ func (ssr *ShadowSocksR) ListenPacketWithDialer(ctx context.Context, dialer C.Di
 		return nil, err
 	}

-	pc = ssr.cipher.PacketConn(pc)
-	pc = ssr.protocol.PacketConn(pc)
-	return newPacketConn(&ssPacketConn{PacketConn: pc, rAddr: addr}, ssr), nil
+	epc := ssr.cipher.PacketConn(N.NewEnhancePacketConn(pc))
+	epc = ssr.protocol.PacketConn(epc)
+	return newPacketConn(&ssrPacketConn{EnhancePacketConn: epc, rAddr: addr}, ssr), nil
 }

 // SupportWithDialer implements C.ProxyAdapter
-func (ssr *ShadowSocksR) SupportWithDialer() bool {
-	return true
+func (ssr *ShadowSocksR) SupportWithDialer() C.NetWork {
+	return C.ALLNet
 }

 func NewShadowSocksR(option ShadowSocksROption) (*ShadowSocksR, error) {
@ -168,8 +185,68 @@ func NewShadowSocksR(option ShadowSocksROption) (*ShadowSocksR, error) {
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
+		option:   &option,
 		cipher:   coreCiph,
 		obfs:     obfs,
 		protocol: protocol,
 	}, nil
 }
+
+type ssrPacketConn struct {
+	N.EnhancePacketConn
+	rAddr net.Addr
+}
+
+func (spc *ssrPacketConn) WriteTo(b []byte, addr net.Addr) (n int, err error) {
+	packet, err := socks5.EncodeUDPPacket(socks5.ParseAddrToSocksAddr(addr), b)
+	if err != nil {
+		return
+	}
+	return spc.EnhancePacketConn.WriteTo(packet[3:], spc.rAddr)
+}
+
+func (spc *ssrPacketConn) ReadFrom(b []byte) (int, net.Addr, error) {
+	n, _, e := spc.EnhancePacketConn.ReadFrom(b)
+	if e != nil {
+		return 0, nil, e
+	}
+
+	addr := socks5.SplitAddr(b[:n])
+	if addr == nil {
+		return 0, nil, errors.New("parse addr error")
+	}
+
+	udpAddr := addr.UDPAddr()
+	if udpAddr == nil {
+		return 0, nil, errors.New("parse addr error")
+	}
+
+	copy(b, b[len(addr):])
+	return n - len(addr), udpAddr, e
+}
+
+func (spc *ssrPacketConn) WaitReadFrom() (data []byte, put func(), addr net.Addr, err error) {
+	data, put, _, err = spc.EnhancePacketConn.WaitReadFrom()
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	_addr := socks5.SplitAddr(data)
+	if _addr == nil {
+		if put != nil {
+			put()
+		}
+		return nil, nil, nil, errors.New("parse addr error")
+	}
+
+	addr = _addr.UDPAddr()
+	if addr == nil {
+		if put != nil {
+			put()
+		}
+		return nil, nil, nil, errors.New("parse addr error")
+	}
+
+	data = data[len(_addr):]
+	return
+}
--- a/adapter/outbound/singmux.go
+++ b/adapter/outbound/singmux.go
@ -0,0 +1,138 @@
+package outbound
+
+import (
+	"context"
+	"errors"
+	"net"
+	"runtime"
+
+	CN "github.com/Dreamacro/clash/common/net"
+	"github.com/Dreamacro/clash/component/dialer"
+	"github.com/Dreamacro/clash/component/proxydialer"
+	"github.com/Dreamacro/clash/component/resolver"
+	C "github.com/Dreamacro/clash/constant"
+
+	mux "github.com/sagernet/sing-mux"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+)
+
+type SingMux struct {
+	C.ProxyAdapter
+	base    ProxyBase
+	client  *mux.Client
+	dialer  *muxSingDialer
+	onlyTcp bool
+}
+
+type SingMuxOption struct {
+	Enabled        bool   `proxy:"enabled,omitempty"`
+	Protocol       string `proxy:"protocol,omitempty"`
+	MaxConnections int    `proxy:"max-connections,omitempty"`
+	MinStreams     int    `proxy:"min-streams,omitempty"`
+	MaxStreams     int    `proxy:"max-streams,omitempty"`
+	Padding        bool   `proxy:"padding,omitempty"`
+	Statistic      bool   `proxy:"statistic,omitempty"`
+	OnlyTcp        bool   `proxy:"only-tcp,omitempty"`
+}
+
+type ProxyBase interface {
+	DialOptions(opts ...dialer.Option) []dialer.Option
+}
+
+type muxSingDialer struct {
+	dialer    dialer.Dialer
+	proxy     C.ProxyAdapter
+	statistic bool
+}
+
+var _ N.Dialer = (*muxSingDialer)(nil)
+
+func (d *muxSingDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+	var cDialer C.Dialer = proxydialer.New(d.proxy, d.dialer, d.statistic)
+	return cDialer.DialContext(ctx, network, destination.String())
+}
+
+func (d *muxSingDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+	var cDialer C.Dialer = proxydialer.New(d.proxy, d.dialer, d.statistic)
+	return cDialer.ListenPacket(ctx, "udp", "", destination.AddrPort())
+}
+
+func (s *SingMux) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
+	options := s.base.DialOptions(opts...)
+	s.dialer.dialer = dialer.NewDialer(options...)
+	c, err := s.client.DialContext(ctx, "tcp", M.ParseSocksaddr(metadata.RemoteAddress()))
+	if err != nil {
+		return nil, err
+	}
+	return NewConn(CN.NewRefConn(c, s), s.ProxyAdapter), err
+}
+
+func (s *SingMux) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
+	if s.onlyTcp {
+		return s.ProxyAdapter.ListenPacketContext(ctx, metadata, opts...)
+	}
+	options := s.base.DialOptions(opts...)
+	s.dialer.dialer = dialer.NewDialer(options...)
+
+	// sing-mux use stream-oriented udp with a special address, so we need a net.UDPAddr
+	if !metadata.Resolved() {
+		ip, err := resolver.ResolveIP(ctx, metadata.Host)
+		if err != nil {
+			return nil, errors.New("can't resolve ip")
+		}
+		metadata.DstIP = ip
+	}
+
+	pc, err := s.client.ListenPacket(ctx, M.SocksaddrFromNet(metadata.UDPAddr()))
+	if err != nil {
+		return nil, err
+	}
+	if pc == nil {
+		return nil, E.New("packetConn is nil")
+	}
+	return newPacketConn(CN.NewRefPacketConn(CN.NewThreadSafePacketConn(pc), s), s.ProxyAdapter), nil
+}
+
+func (s *SingMux) SupportUDP() bool {
+	if s.onlyTcp {
+		return s.ProxyAdapter.SupportUOT()
+	}
+	return true
+}
+
+func (s *SingMux) SupportUOT() bool {
+	if s.onlyTcp {
+		return s.ProxyAdapter.SupportUOT()
+	}
+	return true
+}
+
+func closeSingMux(s *SingMux) {
+	_ = s.client.Close()
+}
+
+func NewSingMux(option SingMuxOption, proxy C.ProxyAdapter, base ProxyBase) (C.ProxyAdapter, error) {
+	singDialer := &muxSingDialer{dialer: dialer.NewDialer(), proxy: proxy, statistic: option.Statistic}
+	client, err := mux.NewClient(mux.Options{
+		Dialer:         singDialer,
+		Protocol:       option.Protocol,
+		MaxConnections: option.MaxConnections,
+		MinStreams:     option.MinStreams,
+		MaxStreams:     option.MaxStreams,
+		Padding:        option.Padding,
+	})
+	if err != nil {
+		return nil, err
+	}
+	outbound := &SingMux{
+		ProxyAdapter: proxy,
+		base:         base,
+		client:       client,
+		dialer:       singDialer,
+		onlyTcp:      option.OnlyTcp,
+	}
+	runtime.SetFinalizer(outbound, closeSingMux)
+	return outbound, nil
+}
--- a/adapter/outbound/snell.go
+++ b/adapter/outbound/snell.go
@ -8,6 +8,7 @@ import (

 	"github.com/Dreamacro/clash/common/structure"
 	"github.com/Dreamacro/clash/component/dialer"
+	"github.com/Dreamacro/clash/component/proxydialer"
 	C "github.com/Dreamacro/clash/constant"
 	obfs "github.com/Dreamacro/clash/transport/simple-obfs"
 	"github.com/Dreamacro/clash/transport/snell"
@ -15,6 +16,7 @@ import (

 type Snell struct {
 	*Base
+	option     *SnellOption
 	psk        []byte
 	pool       *snell.Pool
 	obfsOption *simpleObfsOption
@ -50,8 +52,8 @@ func streamConn(c net.Conn, option streamOption) *snell.Snell {
 	return snell.StreamConn(c, option.psk, option.version)
 }

-// StreamConn implements C.ProxyAdapter
-func (s *Snell) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+// StreamConnContext implements C.ProxyAdapter
+func (s *Snell) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	c = streamConn(c, streamOption{s.psk, s.version, s.addr, s.obfsOption})
 	if metadata.NetWork == C.UDP {
 		err := snell.WriteUDPHeader(c, s.version)
@ -83,6 +85,12 @@ func (s *Snell) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d

 // DialContextWithDialer implements C.ProxyAdapter
 func (s *Snell) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.Conn, err error) {
+	if len(s.option.DialerProxy) > 0 {
+		dialer, err = proxydialer.NewByName(s.option.DialerProxy, dialer)
+		if err != nil {
+			return nil, err
+		}
+	}
 	c, err := dialer.DialContext(ctx, "tcp", s.addr)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", s.addr, err)
@ -93,7 +101,7 @@ func (s *Snell) DialContextWithDialer(ctx context.Context, dialer C.Dialer, meta
 		safeConnClose(c, err)
 	}(c)

-	c, err = s.StreamConn(c, metadata)
+	c, err = s.StreamConnContext(ctx, c, metadata)
 	return NewConn(c, s), err
 }

@ -104,6 +112,13 @@ func (s *Snell) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o

 // ListenPacketWithDialer implements C.ProxyAdapter
 func (s *Snell) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (C.PacketConn, error) {
+	var err error
+	if len(s.option.DialerProxy) > 0 {
+		dialer, err = proxydialer.NewByName(s.option.DialerProxy, dialer)
+		if err != nil {
+			return nil, err
+		}
+	}
 	c, err := dialer.DialContext(ctx, "tcp", s.addr)
 	if err != nil {
 		return nil, err
@ -121,8 +136,8 @@ func (s *Snell) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, met
 }

 // SupportWithDialer implements C.ProxyAdapter
-func (s *Snell) SupportWithDialer() bool {
-	return true
+func (s *Snell) SupportWithDialer() C.NetWork {
+	return C.ALLNet
 }

 // SupportUOT implements C.ProxyAdapter
@ -172,6 +187,7 @@ func NewSnell(option SnellOption) (*Snell, error) {
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
+		option:     &option,
 		psk:        psk,
 		obfsOption: obfsOption,
 		version:    option.Version,
@ -179,7 +195,15 @@ func NewSnell(option SnellOption) (*Snell, error) {

 	if option.Version == snell.Version2 {
 		s.pool = snell.NewPool(func(ctx context.Context) (*snell.Snell, error) {
-			c, err := dialer.DialContext(ctx, "tcp", addr, s.Base.DialOptions()...)
+			var err error
+			var cDialer C.Dialer = dialer.NewDialer(s.Base.DialOptions()...)
+			if len(s.option.DialerProxy) > 0 {
+				cDialer, err = proxydialer.NewByName(s.option.DialerProxy, cDialer)
+				if err != nil {
+					return nil, err
+				}
+			}
+			c, err := cDialer.DialContext(ctx, "tcp", addr)
 			if err != nil {
 				return nil, err
 			}
--- a/adapter/outbound/socks5.go
+++ b/adapter/outbound/socks5.go
@ -10,6 +10,7 @@ import (
 	"strconv"

 	"github.com/Dreamacro/clash/component/dialer"
+	"github.com/Dreamacro/clash/component/proxydialer"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/socks5"
@ -17,6 +18,7 @@ import (

 type Socks5 struct {
 	*Base
+	option         *Socks5Option
 	user           string
 	pass           string
 	tls            bool
@ -37,12 +39,10 @@ type Socks5Option struct {
 	Fingerprint    string `proxy:"fingerprint,omitempty"`
 }

-// StreamConn implements C.ProxyAdapter
-func (ss *Socks5) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+// StreamConnContext implements C.ProxyAdapter
+func (ss *Socks5) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	if ss.tls {
 		cc := tls.Client(c, ss.tlsConfig)
-		ctx, cancel := context.WithTimeout(context.Background(), C.DefaultTLSTimeout)
-		defer cancel()
 		err := cc.HandshakeContext(ctx)
 		c = cc
 		if err != nil {
@ -70,6 +70,12 @@ func (ss *Socks5) DialContext(ctx context.Context, metadata *C.Metadata, opts ..

 // DialContextWithDialer implements C.ProxyAdapter
 func (ss *Socks5) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.Conn, err error) {
+	if len(ss.option.DialerProxy) > 0 {
+		dialer, err = proxydialer.NewByName(ss.option.DialerProxy, dialer)
+		if err != nil {
+			return nil, err
+		}
+	}
 	c, err := dialer.DialContext(ctx, "tcp", ss.addr)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", ss.addr, err)
@ -80,7 +86,7 @@ func (ss *Socks5) DialContextWithDialer(ctx context.Context, dialer C.Dialer, me
 		safeConnClose(c, err)
 	}(c)

-	c, err = ss.StreamConn(c, metadata)
+	c, err = ss.StreamConnContext(ctx, c, metadata)
 	if err != nil {
 		return nil, err
 	}
@ -89,13 +95,20 @@ func (ss *Socks5) DialContextWithDialer(ctx context.Context, dialer C.Dialer, me
 }

 // SupportWithDialer implements C.ProxyAdapter
-func (ss *Socks5) SupportWithDialer() bool {
-	return true
+func (ss *Socks5) SupportWithDialer() C.NetWork {
+	return C.TCP
 }

 // ListenPacketContext implements C.ProxyAdapter
 func (ss *Socks5) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
-	c, err := dialer.DialContext(ctx, "tcp", ss.addr, ss.Base.DialOptions(opts...)...)
+	var cDialer C.Dialer = dialer.NewDialer(ss.Base.DialOptions(opts...)...)
+	if len(ss.option.DialerProxy) > 0 {
+		cDialer, err = proxydialer.NewByName(ss.option.DialerProxy, cDialer)
+		if err != nil {
+			return nil, err
+		}
+	}
+	c, err := cDialer.DialContext(ctx, "tcp", ss.addr)
 	if err != nil {
 		err = fmt.Errorf("%s connect error: %w", ss.addr, err)
 		return
@ -187,6 +200,7 @@ func NewSocks5(option Socks5Option) (*Socks5, error) {
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
+		option:         &option,
 		user:           option.UserName,
 		pass:           option.Password,
 		tls:            option.TLS,
--- a/adapter/outbound/trojan.go
+++ b/adapter/outbound/trojan.go
@ -8,8 +8,8 @@ import (
 	"net/http"
 	"strconv"

-	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/component/dialer"
+	"github.com/Dreamacro/clash/component/proxydialer"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/gun"
@ -26,28 +26,31 @@ type Trojan struct {
 	gunTLSConfig *tls.Config
 	gunConfig    *gun.Config
 	transport    *gun.TransportWrap
+
+	realityConfig *tlsC.RealityConfig
 }

 type TrojanOption struct {
 	BasicOption
-	Name              string      `proxy:"name"`
-	Server            string      `proxy:"server"`
-	Port              int         `proxy:"port"`
-	Password          string      `proxy:"password"`
-	ALPN              []string    `proxy:"alpn,omitempty"`
-	SNI               string      `proxy:"sni,omitempty"`
-	SkipCertVerify    bool        `proxy:"skip-cert-verify,omitempty"`
-	Fingerprint       string      `proxy:"fingerprint,omitempty"`
-	UDP               bool        `proxy:"udp,omitempty"`
-	Network           string      `proxy:"network,omitempty"`
-	GrpcOpts          GrpcOptions `proxy:"grpc-opts,omitempty"`
-	WSOpts            WSOptions   `proxy:"ws-opts,omitempty"`
-	Flow              string      `proxy:"flow,omitempty"`
-	FlowShow          bool        `proxy:"flow-show,omitempty"`
-	ClientFingerprint string      `proxy:"client-fingerprint,omitempty"`
+	Name              string         `proxy:"name"`
+	Server            string         `proxy:"server"`
+	Port              int            `proxy:"port"`
+	Password          string         `proxy:"password"`
+	ALPN              []string       `proxy:"alpn,omitempty"`
+	SNI               string         `proxy:"sni,omitempty"`
+	SkipCertVerify    bool           `proxy:"skip-cert-verify,omitempty"`
+	Fingerprint       string         `proxy:"fingerprint,omitempty"`
+	UDP               bool           `proxy:"udp,omitempty"`
+	Network           string         `proxy:"network,omitempty"`
+	RealityOpts       RealityOptions `proxy:"reality-opts,omitempty"`
+	GrpcOpts          GrpcOptions    `proxy:"grpc-opts,omitempty"`
+	WSOpts            WSOptions      `proxy:"ws-opts,omitempty"`
+	Flow              string         `proxy:"flow,omitempty"`
+	FlowShow          bool           `proxy:"flow-show,omitempty"`
+	ClientFingerprint string         `proxy:"client-fingerprint,omitempty"`
 }

-func (t *Trojan) plainStream(c net.Conn) (net.Conn, error) {
+func (t *Trojan) plainStream(ctx context.Context, c net.Conn) (net.Conn, error) {
 	if t.option.Network == "ws" {
 		host, port, _ := net.SplitHostPort(t.addr)
 		wsOpts := &trojan.WebsocketOption{
@ -68,14 +71,14 @@ func (t *Trojan) plainStream(c net.Conn) (net.Conn, error) {
 			wsOpts.Headers = header
 		}

-		return t.instance.StreamWebsocketConn(c, wsOpts)
+		return t.instance.StreamWebsocketConn(ctx, c, wsOpts)
 	}

-	return t.instance.StreamConn(c)
+	return t.instance.StreamConn(ctx, c)
 }

-// StreamConn implements C.ProxyAdapter
-func (t *Trojan) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+// StreamConnContext implements C.ProxyAdapter
+func (t *Trojan) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	var err error

 	if tlsC.HaveGlobalFingerprint() && len(t.option.ClientFingerprint) == 0 {
@ -83,9 +86,9 @@ func (t *Trojan) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error)
 	}

 	if t.transport != nil {
-		c, err = gun.StreamGunWithConn(c, t.gunTLSConfig, t.gunConfig)
+		c, err = gun.StreamGunWithConn(c, t.gunTLSConfig, t.gunConfig, t.realityConfig)
 	} else {
-		c, err = t.plainStream(c)
+		c, err = t.plainStream(ctx, c)
 	}

 	if err != nil {
@ -102,7 +105,7 @@ func (t *Trojan) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error)
 		return c, err
 	}
 	err = t.instance.WriteHeader(c, trojan.CommandTCP, serializesSocksAddr(metadata))
-	return N.NewExtendedConn(c), err
+	return c, err
 }

 // DialContext implements C.ProxyAdapter
@ -132,6 +135,12 @@ func (t *Trojan) DialContext(ctx context.Context, metadata *C.Metadata, opts ...

 // DialContextWithDialer implements C.ProxyAdapter
 func (t *Trojan) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.Conn, err error) {
+	if len(t.option.DialerProxy) > 0 {
+		dialer, err = proxydialer.NewByName(t.option.DialerProxy, dialer)
+		if err != nil {
+			return nil, err
+		}
+	}
 	c, err := dialer.DialContext(ctx, "tcp", t.addr)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
@ -142,7 +151,7 @@ func (t *Trojan) DialContextWithDialer(ctx context.Context, dialer C.Dialer, met
 		safeConnClose(c, err)
 	}(c)

-	c, err = t.StreamConn(c, metadata)
+	c, err = t.StreamConnContext(ctx, c, metadata)
 	if err != nil {
 		return nil, err
 	}
@ -176,6 +185,12 @@ func (t *Trojan) ListenPacketContext(ctx context.Context, metadata *C.Metadata,

 // ListenPacketWithDialer implements C.ProxyAdapter
 func (t *Trojan) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.PacketConn, err error) {
+	if len(t.option.DialerProxy) > 0 {
+		dialer, err = proxydialer.NewByName(t.option.DialerProxy, dialer)
+		if err != nil {
+			return nil, err
+		}
+	}
 	c, err := dialer.DialContext(ctx, "tcp", t.addr)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
@ -184,7 +199,7 @@ func (t *Trojan) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, me
 		safeConnClose(c, err)
 	}(c)
 	tcpKeepAlive(c)
-	c, err = t.plainStream(c)
+	c, err = t.plainStream(ctx, c)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
 	}
@ -199,8 +214,8 @@ func (t *Trojan) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, me
 }

 // SupportWithDialer implements C.ProxyAdapter
-func (t *Trojan) SupportWithDialer() bool {
-	return true
+func (t *Trojan) SupportWithDialer() C.NetWork {
+	return C.ALLNet
 }

 // ListenPacketOnStreamConn implements C.ProxyAdapter
@ -259,9 +274,24 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 		option:   &option,
 	}

+	var err error
+	t.realityConfig, err = option.RealityOpts.Parse()
+	if err != nil {
+		return nil, err
+	}
+	tOption.Reality = t.realityConfig
+
 	if option.Network == "grpc" {
 		dialFn := func(network, addr string) (net.Conn, error) {
-			c, err := dialer.DialContext(context.Background(), "tcp", t.addr, t.Base.DialOptions()...)
+			var err error
+			var cDialer C.Dialer = dialer.NewDialer(t.Base.DialOptions()...)
+			if len(t.option.DialerProxy) > 0 {
+				cDialer, err = proxydialer.NewByName(t.option.DialerProxy, cDialer)
+				if err != nil {
+					return nil, err
+				}
+			}
+			c, err := cDialer.DialContext(context.Background(), "tcp", t.addr)
 			if err != nil {
 				return nil, fmt.Errorf("%s connect error: %s", t.addr, err.Error())
 			}
@ -285,7 +315,7 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 			}
 		}

-		t.transport = gun.NewHTTP2Client(dialFn, tlsConfig, tOption.ClientFingerprint)
+		t.transport = gun.NewHTTP2Client(dialFn, tlsConfig, tOption.ClientFingerprint, t.realityConfig)

 		t.gunTLSConfig = tlsConfig
 		t.gunConfig = &gun.Config{
--- a/adapter/outbound/tuic.go
+++ b/adapter/outbound/tuic.go
@ -16,6 +16,7 @@ import (
 	"github.com/metacubex/quic-go"

 	"github.com/Dreamacro/clash/component/dialer"
+	"github.com/Dreamacro/clash/component/proxydialer"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/tuic"
@ -23,6 +24,7 @@ import (

 type Tuic struct {
 	*Base
+	option *TuicOption
 	client *tuic.PoolClient
 }

@ -42,16 +44,17 @@ type TuicOption struct {
 	DisableSni            bool     `proxy:"disable-sni,omitempty"`
 	MaxUdpRelayPacketSize int      `proxy:"max-udp-relay-packet-size,omitempty"`

-	FastOpen            bool   `proxy:"fast-open,omitempty"`
-	MaxOpenStreams      int    `proxy:"max-open-streams,omitempty"`
-	SkipCertVerify      bool   `proxy:"skip-cert-verify,omitempty"`
-	Fingerprint         string `proxy:"fingerprint,omitempty"`
-	CustomCA            string `proxy:"ca,omitempty"`
-	CustomCAString      string `proxy:"ca-str,omitempty"`
-	ReceiveWindowConn   int    `proxy:"recv-window-conn,omitempty"`
-	ReceiveWindow       int    `proxy:"recv-window,omitempty"`
-	DisableMTUDiscovery bool   `proxy:"disable-mtu-discovery,omitempty"`
-	SNI                 string `proxy:"sni,omitempty"`
+	FastOpen             bool   `proxy:"fast-open,omitempty"`
+	MaxOpenStreams       int    `proxy:"max-open-streams,omitempty"`
+	SkipCertVerify       bool   `proxy:"skip-cert-verify,omitempty"`
+	Fingerprint          string `proxy:"fingerprint,omitempty"`
+	CustomCA             string `proxy:"ca,omitempty"`
+	CustomCAString       string `proxy:"ca-str,omitempty"`
+	ReceiveWindowConn    int    `proxy:"recv-window-conn,omitempty"`
+	ReceiveWindow        int    `proxy:"recv-window,omitempty"`
+	DisableMTUDiscovery  bool   `proxy:"disable-mtu-discovery,omitempty"`
+	MaxDatagramFrameSize int    `proxy:"max-datagram-frame-size,omitempty"`
+	SNI                  string `proxy:"sni,omitempty"`
 }

 // DialContext implements C.ProxyAdapter
@ -83,8 +86,8 @@ func (t *Tuic) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, meta
 }

 // SupportWithDialer implements C.ProxyAdapter
-func (t *Tuic) SupportWithDialer() bool {
-	return true
+func (t *Tuic) SupportWithDialer() C.NetWork {
+	return C.ALLNet
 }

 func (t *Tuic) dial(ctx context.Context, opts ...dialer.Option) (pc net.PacketConn, addr net.Addr, err error) {
@ -92,6 +95,12 @@ func (t *Tuic) dial(ctx context.Context, opts ...dialer.Option) (pc net.PacketCo
 }

 func (t *Tuic) dialWithDialer(ctx context.Context, dialer C.Dialer) (pc net.PacketConn, addr net.Addr, err error) {
+	if len(t.option.DialerProxy) > 0 {
+		dialer, err = proxydialer.NewByName(t.option.DialerProxy, dialer)
+		if err != nil {
+			return nil, nil, err
+		}
+	}
 	udpAddr, err := resolveUDPAddrWithPrefer(ctx, "udp", t.addr, t.prefer)
 	if err != nil {
 		return nil, nil, err
@ -175,6 +184,15 @@ func NewTuic(option TuicOption) (*Tuic, error) {
 		option.MaxOpenStreams = 100
 	}

+	if option.MaxDatagramFrameSize == 0 {
+		option.MaxDatagramFrameSize = option.MaxUdpRelayPacketSize + tuic.PacketOverHead
+	}
+
+	if option.MaxDatagramFrameSize > 1400 {
+		option.MaxDatagramFrameSize = 1400
+	}
+	option.MaxUdpRelayPacketSize = option.MaxDatagramFrameSize - tuic.PacketOverHead
+
 	// ensure server's incoming stream can handle correctly, increase to 1.1x
 	quicMaxOpenStreams := int64(option.MaxOpenStreams)
 	quicMaxOpenStreams = quicMaxOpenStreams + int64(math.Ceil(float64(quicMaxOpenStreams)/10.0))
@ -187,6 +205,7 @@ func NewTuic(option TuicOption) (*Tuic, error) {
 		MaxIncomingUniStreams:          quicMaxOpenStreams,
 		KeepAlivePeriod:                time.Duration(option.HeartbeatInterval) * time.Millisecond,
 		DisablePathMTUDiscovery:        option.DisableMTUDiscovery,
+		MaxDatagramFrameSize:           int64(option.MaxDatagramFrameSize),
 		EnableDatagrams:                true,
 	}
 	if option.ReceiveWindowConn == 0 {
@ -219,6 +238,7 @@ func NewTuic(option TuicOption) (*Tuic, error) {
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
+		option: &option,
 	}

 	clientMaxOpenStreams := int64(option.MaxOpenStreams)
--- a/adapter/outbound/vless.go
+++ b/adapter/outbound/vless.go
@ -13,10 +13,13 @@ import (
 	"sync"

 	"github.com/Dreamacro/clash/common/convert"
+	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/component/dialer"
+	"github.com/Dreamacro/clash/component/proxydialer"
 	"github.com/Dreamacro/clash/component/resolver"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/log"
 	"github.com/Dreamacro/clash/transport/gun"
 	"github.com/Dreamacro/clash/transport/socks5"
 	"github.com/Dreamacro/clash/transport/vless"
@ -41,6 +44,8 @@ type Vless struct {
 	gunTLSConfig *tls.Config
 	gunConfig    *gun.Config
 	transport    *gun.TransportWrap
+
+	realityConfig *tlsC.RealityConfig
 }

 type VlessOption struct {
@ -57,6 +62,7 @@ type VlessOption struct {
 	XUDP              bool              `proxy:"xudp,omitempty"`
 	PacketEncoding    string            `proxy:"packet-encoding,omitempty"`
 	Network           string            `proxy:"network,omitempty"`
+	RealityOpts       RealityOptions    `proxy:"reality-opts,omitempty"`
 	HTTPOpts          HTTPOptions       `proxy:"http-opts,omitempty"`
 	HTTP2Opts         HTTP2Options      `proxy:"h2-opts,omitempty"`
 	GrpcOpts          GrpcOptions       `proxy:"grpc-opts,omitempty"`
@ -69,7 +75,7 @@ type VlessOption struct {
 	ClientFingerprint string            `proxy:"client-fingerprint,omitempty"`
 }

-func (v *Vless) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+func (v *Vless) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	var err error

 	if tlsC.HaveGlobalFingerprint() && len(v.option.ClientFingerprint) == 0 {
@ -78,7 +84,6 @@ func (v *Vless) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {

 	switch v.option.Network {
 	case "ws":
-
 		host, port, _ := net.SplitHostPort(v.addr)
 		wsOpts := &vmess.WebsocketConfig{
 			Host:                host,
@ -124,10 +129,10 @@ func (v *Vless) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 				convert.SetUserAgent(wsOpts.Headers)
 			}
 		}
-		c, err = vmess.StreamWebsocketConn(c, wsOpts)
+		c, err = vmess.StreamWebsocketConn(ctx, c, wsOpts)
 	case "http":
 		// readability first, so just copy default TLS logic
-		c, err = v.streamTLSOrXTLSConn(c, false)
+		c, err = v.streamTLSOrXTLSConn(ctx, c, false)
 		if err != nil {
 			return nil, err
 		}
@ -142,7 +147,7 @@ func (v *Vless) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {

 		c = vmess.StreamHTTPConn(c, httpOpts)
 	case "h2":
-		c, err = v.streamTLSOrXTLSConn(c, true)
+		c, err = v.streamTLSOrXTLSConn(ctx, c, true)
 		if err != nil {
 			return nil, err
 		}
@ -154,21 +159,49 @@ func (v *Vless) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {

 		c, err = vmess.StreamH2Conn(c, h2Opts)
 	case "grpc":
-		c, err = gun.StreamGunWithConn(c, v.gunTLSConfig, v.gunConfig)
+		c, err = gun.StreamGunWithConn(c, v.gunTLSConfig, v.gunConfig, v.realityConfig)
 	default:
 		// default tcp network
 		// handle TLS And XTLS
-		c, err = v.streamTLSOrXTLSConn(c, false)
+		c, err = v.streamTLSOrXTLSConn(ctx, c, false)
 	}

 	if err != nil {
 		return nil, err
 	}

-	return v.client.StreamConn(c, parseVlessAddr(metadata, v.option.XUDP))
+	return v.streamConn(c, metadata)
 }

-func (v *Vless) streamTLSOrXTLSConn(conn net.Conn, isH2 bool) (net.Conn, error) {
+func (v *Vless) streamConn(c net.Conn, metadata *C.Metadata) (conn net.Conn, err error) {
+	if metadata.NetWork == C.UDP {
+		if v.option.PacketAddr {
+			metadata = &C.Metadata{
+				NetWork: C.UDP,
+				Host:    packetaddr.SeqPacketMagicAddress,
+				DstPort: "443",
+			}
+		} else {
+			metadata = &C.Metadata{ // a clear metadata only contains ip
+				NetWork: C.UDP,
+				DstIP:   metadata.DstIP,
+				DstPort: metadata.DstPort,
+			}
+		}
+		conn, err = v.client.StreamConn(c, parseVlessAddr(metadata, v.option.XUDP))
+		if v.option.PacketAddr {
+			conn = packetaddr.NewBindConn(conn)
+		}
+	} else {
+		conn, err = v.client.StreamConn(c, parseVlessAddr(metadata, false))
+	}
+	if err != nil {
+		conn = nil
+	}
+	return
+}
+
+func (v *Vless) streamTLSOrXTLSConn(ctx context.Context, conn net.Conn, isH2 bool) (net.Conn, error) {
 	host, _, _ := net.SplitHostPort(v.addr)

 	if v.isLegacyXTLSEnabled() && !isH2 {
@ -182,7 +215,7 @@ func (v *Vless) streamTLSOrXTLSConn(conn net.Conn, isH2 bool) (net.Conn, error)
 			xtlsOpts.Host = v.option.ServerName
 		}

-		return vless.StreamXTLSConn(conn, &xtlsOpts)
+		return vless.StreamXTLSConn(ctx, conn, &xtlsOpts)

 	} else if v.option.TLS {
 		tlsOpts := vmess.TLSConfig{
@ -190,6 +223,7 @@ func (v *Vless) streamTLSOrXTLSConn(conn net.Conn, isH2 bool) (net.Conn, error)
 			SkipCertVerify:    v.option.SkipCertVerify,
 			FingerPrint:       v.option.Fingerprint,
 			ClientFingerprint: v.option.ClientFingerprint,
+			Reality:           v.realityConfig,
 		}

 		if isH2 {
@ -200,7 +234,7 @@ func (v *Vless) streamTLSOrXTLSConn(conn net.Conn, isH2 bool) (net.Conn, error)
 			tlsOpts.Host = v.option.ServerName
 		}

-		return vmess.StreamTLSConn(conn, &tlsOpts)
+		return vmess.StreamTLSConn(ctx, conn, &tlsOpts)
 	}

 	return conn, nil
@ -234,6 +268,12 @@ func (v *Vless) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d

 // DialContextWithDialer implements C.ProxyAdapter
 func (v *Vless) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.Conn, err error) {
+	if len(v.option.DialerProxy) > 0 {
+		dialer, err = proxydialer.NewByName(v.option.DialerProxy, dialer)
+		if err != nil {
+			return nil, err
+		}
+	}
 	c, err := dialer.DialContext(ctx, "tcp", v.addr)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
@ -243,7 +283,7 @@ func (v *Vless) DialContextWithDialer(ctx context.Context, dialer C.Dialer, meta
 		safeConnClose(c, err)
 	}(c)

-	c, err = v.StreamConn(c, metadata)
+	c, err = v.StreamConnContext(ctx, c, metadata)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
 	}
@ -260,7 +300,6 @@ func (v *Vless) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o
 		}
 		metadata.DstIP = ip
 	}
-
 	var c net.Conn
 	// gun transport
 	if v.transport != nil && len(opts) == 0 {
@ -272,27 +311,25 @@ func (v *Vless) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o
 			safeConnClose(c, err)
 		}(c)

-		if v.option.PacketAddr {
-			packetAddrMetadata := *metadata // make a copy
-			packetAddrMetadata.Host = packetaddr.SeqPacketMagicAddress
-			packetAddrMetadata.DstPort = "443"
-
-			c, err = v.client.StreamConn(c, parseVlessAddr(&packetAddrMetadata, false))
-		} else {
-			c, err = v.client.StreamConn(c, parseVlessAddr(metadata, v.option.XUDP))
-		}
-
+		c, err = v.streamConn(c, metadata)
 		if err != nil {
 			return nil, fmt.Errorf("new vless client error: %v", err)
 		}

-		return v.ListenPacketOnStreamConn(c, metadata)
+		return v.ListenPacketOnStreamConn(ctx, c, metadata)
 	}
 	return v.ListenPacketWithDialer(ctx, dialer.NewDialer(v.Base.DialOptions(opts...)...), metadata)
 }

 // ListenPacketWithDialer implements C.ProxyAdapter
 func (v *Vless) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.PacketConn, err error) {
+	if len(v.option.DialerProxy) > 0 {
+		dialer, err = proxydialer.NewByName(v.option.DialerProxy, dialer)
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	// vless use stream-oriented udp with a special address, so we need a net.UDPAddr
 	if !metadata.Resolved() {
 		ip, err := resolver.ResolveIP(ctx, metadata.Host)
@ -301,6 +338,7 @@ func (v *Vless) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, met
 		}
 		metadata.DstIP = ip
 	}
+
 	c, err := dialer.DialContext(ctx, "tcp", v.addr)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
@ -310,40 +348,40 @@ func (v *Vless) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, met
 		safeConnClose(c, err)
 	}(c)

-	if v.option.PacketAddr {
-		packetAddrMetadata := *metadata // make a copy
-		packetAddrMetadata.Host = packetaddr.SeqPacketMagicAddress
-		packetAddrMetadata.DstPort = "443"
-
-		c, err = v.StreamConn(c, &packetAddrMetadata)
-	} else {
-		c, err = v.StreamConn(c, metadata)
-	}
-
+	c, err = v.StreamConnContext(ctx, c, metadata)
 	if err != nil {
 		return nil, fmt.Errorf("new vless client error: %v", err)
 	}

-	return v.ListenPacketOnStreamConn(c, metadata)
+	return v.ListenPacketOnStreamConn(ctx, c, metadata)
 }

 // SupportWithDialer implements C.ProxyAdapter
-func (v *Vless) SupportWithDialer() bool {
-	return true
+func (v *Vless) SupportWithDialer() C.NetWork {
+	return C.ALLNet
 }

 // ListenPacketOnStreamConn implements C.ProxyAdapter
-func (v *Vless) ListenPacketOnStreamConn(c net.Conn, metadata *C.Metadata) (_ C.PacketConn, err error) {
+func (v *Vless) ListenPacketOnStreamConn(ctx context.Context, c net.Conn, metadata *C.Metadata) (_ C.PacketConn, err error) {
+	// vless use stream-oriented udp with a special address, so we need a net.UDPAddr
+	if !metadata.Resolved() {
+		ip, err := resolver.ResolveIP(ctx, metadata.Host)
+		if err != nil {
+			return nil, errors.New("can't resolve ip")
+		}
+		metadata.DstIP = ip
+	}
+
 	if v.option.XUDP {
-		return newPacketConn(&threadSafePacketConn{
-			PacketConn: vmessSing.NewXUDPConn(c, M.ParseSocksaddr(metadata.RemoteAddress())),
-		}, v), nil
+		return newPacketConn(N.NewThreadSafePacketConn(
+			vmessSing.NewXUDPConn(c, M.SocksaddrFromNet(metadata.UDPAddr())),
+		), v), nil
 	} else if v.option.PacketAddr {
-		return newPacketConn(&threadSafePacketConn{
-			PacketConn: packetaddr.NewConn(&vlessPacketConn{
+		return newPacketConn(N.NewThreadSafePacketConn(
+			packetaddr.NewConn(&vlessPacketConn{
 				Conn: c, rAddr: metadata.UDPAddr(),
-			}, M.ParseSocksaddr(metadata.RemoteAddress())),
-		}, v), nil
+			}, M.SocksaddrFromNet(metadata.UDPAddr())),
+		), v), nil
 	}
 	return newPacketConn(&vlessPacketConn{Conn: c, rAddr: metadata.UDPAddr()}, v), nil
 }
@ -479,7 +517,10 @@ func NewVless(option VlessOption) (*Vless, error) {
 	if option.Network != "ws" && len(option.Flow) >= 16 {
 		option.Flow = option.Flow[:16]
 		switch option.Flow {
-		case vless.XRO, vless.XRD, vless.XRS, vless.XRV:
+		case vless.XRV:
+			log.Warnln("To use %s, ensure your server is upgrade to Xray-core v1.8.0+", vless.XRV)
+			fallthrough
+		case vless.XRO, vless.XRD, vless.XRS:
 			addons = &vless.Addons{
 				Flow: option.Flow,
 			}
@ -497,6 +538,9 @@ func NewVless(option VlessOption) (*Vless, error) {
 			option.XUDP = true
 		}
 	}
+	if option.XUDP {
+		option.PacketAddr = false
+	}

 	client, err := vless.NewClient(option.UUID, addons, option.FlowShow)
 	if err != nil {
@ -519,6 +563,11 @@ func NewVless(option VlessOption) (*Vless, error) {
 		option: &option,
 	}

+	v.realityConfig, err = v.option.RealityOpts.Parse()
+	if err != nil {
+		return nil, err
+	}
+
 	switch option.Network {
 	case "h2":
 		if len(option.HTTP2Opts.Host) == 0 {
@ -526,7 +575,15 @@ func NewVless(option VlessOption) (*Vless, error) {
 		}
 	case "grpc":
 		dialFn := func(network, addr string) (net.Conn, error) {
-			c, err := dialer.DialContext(context.Background(), "tcp", v.addr, v.Base.DialOptions()...)
+			var err error
+			var cDialer C.Dialer = dialer.NewDialer(v.Base.DialOptions()...)
+			if len(v.option.DialerProxy) > 0 {
+				cDialer, err = proxydialer.NewByName(v.option.DialerProxy, cDialer)
+				if err != nil {
+					return nil, err
+				}
+			}
+			c, err := cDialer.DialContext(context.Background(), "tcp", v.addr)
 			if err != nil {
 				return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
 			}
@ -539,22 +596,25 @@ func NewVless(option VlessOption) (*Vless, error) {
 			Host:              v.option.ServerName,
 			ClientFingerprint: v.option.ClientFingerprint,
 		}
-		tlsConfig := tlsC.GetGlobalTLSConfig(&tls.Config{
-			InsecureSkipVerify: v.option.SkipCertVerify,
-			ServerName:         v.option.ServerName,
-		})
-
-		if v.option.ServerName == "" {
-			host, _, _ := net.SplitHostPort(v.addr)
-			tlsConfig.ServerName = host
-			gunConfig.Host = host
+		if option.ServerName == "" {
+			gunConfig.Host = v.addr
+		}
+		var tlsConfig *tls.Config
+		if option.TLS {
+			tlsConfig = tlsC.GetGlobalTLSConfig(&tls.Config{
+				InsecureSkipVerify: v.option.SkipCertVerify,
+				ServerName:         v.option.ServerName,
+			})
+			if option.ServerName == "" {
+				host, _, _ := net.SplitHostPort(v.addr)
+				tlsConfig.ServerName = host
+			}
 		}

 		v.gunTLSConfig = tlsConfig
 		v.gunConfig = gunConfig

-		v.transport = gun.NewHTTP2Client(dialFn, tlsConfig, v.option.ClientFingerprint)
-
+		v.transport = gun.NewHTTP2Client(dialFn, tlsConfig, v.option.ClientFingerprint, v.realityConfig)
 	}

 	return v, nil
--- a/adapter/outbound/vmess.go
+++ b/adapter/outbound/vmess.go
@ -11,7 +11,9 @@ import (
 	"strings"
 	"sync"

+	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/component/dialer"
+	"github.com/Dreamacro/clash/component/proxydialer"
 	"github.com/Dreamacro/clash/component/resolver"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
@ -34,32 +36,35 @@ type Vmess struct {
 	gunTLSConfig *tls.Config
 	gunConfig    *gun.Config
 	transport    *gun.TransportWrap
+
+	realityConfig *tlsC.RealityConfig
 }

 type VmessOption struct {
 	BasicOption
-	Name                string       `proxy:"name"`
-	Server              string       `proxy:"server"`
-	Port                int          `proxy:"port"`
-	UUID                string       `proxy:"uuid"`
-	AlterID             int          `proxy:"alterId"`
-	Cipher              string       `proxy:"cipher"`
-	UDP                 bool         `proxy:"udp,omitempty"`
-	Network             string       `proxy:"network,omitempty"`
-	TLS                 bool         `proxy:"tls,omitempty"`
-	SkipCertVerify      bool         `proxy:"skip-cert-verify,omitempty"`
-	Fingerprint         string       `proxy:"fingerprint,omitempty"`
-	ServerName          string       `proxy:"servername,omitempty"`
-	HTTPOpts            HTTPOptions  `proxy:"http-opts,omitempty"`
-	HTTP2Opts           HTTP2Options `proxy:"h2-opts,omitempty"`
-	GrpcOpts            GrpcOptions  `proxy:"grpc-opts,omitempty"`
-	WSOpts              WSOptions    `proxy:"ws-opts,omitempty"`
-	PacketAddr          bool         `proxy:"packet-addr,omitempty"`
-	XUDP                bool         `proxy:"xudp,omitempty"`
-	PacketEncoding      string       `proxy:"packet-encoding,omitempty"`
-	GlobalPadding       bool         `proxy:"global-padding,omitempty"`
-	AuthenticatedLength bool         `proxy:"authenticated-length,omitempty"`
-	ClientFingerprint   string       `proxy:"client-fingerprint,omitempty"`
+	Name                string         `proxy:"name"`
+	Server              string         `proxy:"server"`
+	Port                int            `proxy:"port"`
+	UUID                string         `proxy:"uuid"`
+	AlterID             int            `proxy:"alterId"`
+	Cipher              string         `proxy:"cipher"`
+	UDP                 bool           `proxy:"udp,omitempty"`
+	Network             string         `proxy:"network,omitempty"`
+	TLS                 bool           `proxy:"tls,omitempty"`
+	SkipCertVerify      bool           `proxy:"skip-cert-verify,omitempty"`
+	Fingerprint         string         `proxy:"fingerprint,omitempty"`
+	ServerName          string         `proxy:"servername,omitempty"`
+	RealityOpts         RealityOptions `proxy:"reality-opts,omitempty"`
+	HTTPOpts            HTTPOptions    `proxy:"http-opts,omitempty"`
+	HTTP2Opts           HTTP2Options   `proxy:"h2-opts,omitempty"`
+	GrpcOpts            GrpcOptions    `proxy:"grpc-opts,omitempty"`
+	WSOpts              WSOptions      `proxy:"ws-opts,omitempty"`
+	PacketAddr          bool           `proxy:"packet-addr,omitempty"`
+	XUDP                bool           `proxy:"xudp,omitempty"`
+	PacketEncoding      string         `proxy:"packet-encoding,omitempty"`
+	GlobalPadding       bool           `proxy:"global-padding,omitempty"`
+	AuthenticatedLength bool           `proxy:"authenticated-length,omitempty"`
+	ClientFingerprint   string         `proxy:"client-fingerprint,omitempty"`
 }

 type HTTPOptions struct {
@ -84,8 +89,8 @@ type WSOptions struct {
 	EarlyDataHeaderName string            `proxy:"early-data-header-name,omitempty"`
 }

-// StreamConn implements C.ProxyAdapter
-func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+// StreamConnContext implements C.ProxyAdapter
+func (v *Vmess) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	var err error

 	if tlsC.HaveGlobalFingerprint() && (len(v.option.ClientFingerprint) == 0) {
@ -94,7 +99,6 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {

 	switch v.option.Network {
 	case "ws":
-
 		host, port, _ := net.SplitHostPort(v.addr)
 		wsOpts := &clashVMess.WebsocketConfig{
 			Host:                host,
@ -134,7 +138,7 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 				wsOpts.TLSConfig.ServerName = host
 			}
 		}
-		c, err = clashVMess.StreamWebsocketConn(c, wsOpts)
+		c, err = clashVMess.StreamWebsocketConn(ctx, c, wsOpts)
 	case "http":
 		// readability first, so just copy default TLS logic
 		if v.option.TLS {
@ -143,13 +147,13 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 				Host:              host,
 				SkipCertVerify:    v.option.SkipCertVerify,
 				ClientFingerprint: v.option.ClientFingerprint,
+				Reality:           v.realityConfig,
 			}

 			if v.option.ServerName != "" {
 				tlsOpts.Host = v.option.ServerName
 			}
-
-			c, err = clashVMess.StreamTLSConn(c, tlsOpts)
+			c, err = clashVMess.StreamTLSConn(ctx, c, tlsOpts)
 			if err != nil {
 				return nil, err
 			}
@ -171,13 +175,14 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 			SkipCertVerify:    v.option.SkipCertVerify,
 			NextProtos:        []string{"h2"},
 			ClientFingerprint: v.option.ClientFingerprint,
+			Reality:           v.realityConfig,
 		}

 		if v.option.ServerName != "" {
 			tlsOpts.Host = v.option.ServerName
 		}

-		c, err = clashVMess.StreamTLSConn(c, &tlsOpts)
+		c, err = clashVMess.StreamTLSConn(ctx, c, &tlsOpts)
 		if err != nil {
 			return nil, err
 		}
@ -189,7 +194,7 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {

 		c, err = clashVMess.StreamH2Conn(c, h2Opts)
 	case "grpc":
-		c, err = gun.StreamGunWithConn(c, v.gunTLSConfig, v.gunConfig)
+		c, err = gun.StreamGunWithConn(c, v.gunTLSConfig, v.gunConfig, v.realityConfig)
 	default:
 		// handle TLS
 		if v.option.TLS {
@ -198,28 +203,56 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 				Host:              host,
 				SkipCertVerify:    v.option.SkipCertVerify,
 				ClientFingerprint: v.option.ClientFingerprint,
+				Reality:           v.realityConfig,
 			}

 			if v.option.ServerName != "" {
 				tlsOpts.Host = v.option.ServerName
 			}

-			c, err = clashVMess.StreamTLSConn(c, tlsOpts)
+			c, err = clashVMess.StreamTLSConn(ctx, c, tlsOpts)
 		}
 	}

 	if err != nil {
 		return nil, err
 	}
+	return v.streamConn(c, metadata)
+}
+
+func (v *Vmess) streamConn(c net.Conn, metadata *C.Metadata) (conn net.Conn, err error) {
 	if metadata.NetWork == C.UDP {
 		if v.option.XUDP {
-			return v.client.DialEarlyXUDPPacketConn(c, M.ParseSocksaddr(metadata.RemoteAddress())), nil
+			if N.NeedHandshake(c) {
+				conn = v.client.DialEarlyXUDPPacketConn(c, M.SocksaddrFromNet(metadata.UDPAddr()))
+			} else {
+				conn, err = v.client.DialXUDPPacketConn(c, M.SocksaddrFromNet(metadata.UDPAddr()))
+			}
+		} else if v.option.PacketAddr {
+			if N.NeedHandshake(c) {
+				conn = v.client.DialEarlyPacketConn(c, M.ParseSocksaddrHostPort(packetaddr.SeqPacketMagicAddress, 443))
+			} else {
+				conn, err = v.client.DialPacketConn(c, M.ParseSocksaddrHostPort(packetaddr.SeqPacketMagicAddress, 443))
+			}
+			conn = packetaddr.NewBindConn(conn)
 		} else {
-			return v.client.DialEarlyPacketConn(c, M.ParseSocksaddr(metadata.RemoteAddress())), nil
+			if N.NeedHandshake(c) {
+				conn = v.client.DialEarlyPacketConn(c, M.SocksaddrFromNet(metadata.UDPAddr()))
+			} else {
+				conn, err = v.client.DialPacketConn(c, M.SocksaddrFromNet(metadata.UDPAddr()))
+			}
 		}
 	} else {
-		return v.client.DialEarlyConn(c, M.ParseSocksaddr(metadata.RemoteAddress())), nil
+		if N.NeedHandshake(c) {
+			conn = v.client.DialEarlyConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
+		} else {
+			conn, err = v.client.DialConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
+		}
 	}
+	if err != nil {
+		conn = nil
+	}
+	return
 }

 // DialContext implements C.ProxyAdapter
@ -246,6 +279,12 @@ func (v *Vmess) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d

 // DialContextWithDialer implements C.ProxyAdapter
 func (v *Vmess) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.Conn, err error) {
+	if len(v.option.DialerProxy) > 0 {
+		dialer, err = proxydialer.NewByName(v.option.DialerProxy, dialer)
+		if err != nil {
+			return nil, err
+		}
+	}
 	c, err := dialer.DialContext(ctx, "tcp", v.addr)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
@ -255,7 +294,7 @@ func (v *Vmess) DialContextWithDialer(ctx context.Context, dialer C.Dialer, meta
 		safeConnClose(c, err)
 	}(c)

-	c, err = v.StreamConn(c, metadata)
+	c, err = v.StreamConnContext(ctx, c, metadata)
 	return NewConn(c, v), err
 }

@ -269,14 +308,6 @@ func (v *Vmess) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o
 		}
 		metadata.DstIP = ip
 	}
-
-	if v.option.PacketAddr {
-		_metadata := *metadata // make a copy
-		metadata = &_metadata
-		metadata.Host = packetaddr.SeqPacketMagicAddress
-		metadata.DstPort = "443"
-	}
-
 	var c net.Conn
 	// gun transport
 	if v.transport != nil && len(opts) == 0 {
@ -288,22 +319,24 @@ func (v *Vmess) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o
 			safeConnClose(c, err)
 		}(c)

-		if v.option.XUDP {
-			c = v.client.DialEarlyXUDPPacketConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
-		} else {
-			c = v.client.DialEarlyPacketConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
-		}
-
+		c, err = v.streamConn(c, metadata)
 		if err != nil {
 			return nil, fmt.Errorf("new vmess client error: %v", err)
 		}
-		return v.ListenPacketOnStreamConn(c, metadata)
+		return v.ListenPacketOnStreamConn(ctx, c, metadata)
 	}
 	return v.ListenPacketWithDialer(ctx, dialer.NewDialer(v.Base.DialOptions(opts...)...), metadata)
 }

 // ListenPacketWithDialer implements C.ProxyAdapter
 func (v *Vmess) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.PacketConn, err error) {
+	if len(v.option.DialerProxy) > 0 {
+		dialer, err = proxydialer.NewByName(v.option.DialerProxy, dialer)
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	// vmess use stream-oriented udp with a special address, so we need a net.UDPAddr
 	if !metadata.Resolved() {
 		ip, err := resolver.ResolveIP(ctx, metadata.Host)
@ -322,24 +355,31 @@ func (v *Vmess) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, met
 		safeConnClose(c, err)
 	}(c)

-	c, err = v.StreamConn(c, metadata)
+	c, err = v.StreamConnContext(ctx, c, metadata)
 	if err != nil {
 		return nil, fmt.Errorf("new vmess client error: %v", err)
 	}
-	return v.ListenPacketOnStreamConn(c, metadata)
+	return v.ListenPacketOnStreamConn(ctx, c, metadata)
 }

 // SupportWithDialer implements C.ProxyAdapter
-func (v *Vmess) SupportWithDialer() bool {
-	return true
+func (v *Vmess) SupportWithDialer() C.NetWork {
+	return C.ALLNet
 }

 // ListenPacketOnStreamConn implements C.ProxyAdapter
-func (v *Vmess) ListenPacketOnStreamConn(c net.Conn, metadata *C.Metadata) (_ C.PacketConn, err error) {
-	if v.option.PacketAddr {
-		return newPacketConn(&threadSafePacketConn{PacketConn: packetaddr.NewBindConn(c)}, v), nil
-	} else if pc, ok := c.(net.PacketConn); ok {
-		return newPacketConn(&threadSafePacketConn{PacketConn: pc}, v), nil
+func (v *Vmess) ListenPacketOnStreamConn(ctx context.Context, c net.Conn, metadata *C.Metadata) (_ C.PacketConn, err error) {
+	// vmess use stream-oriented udp with a special address, so we need a net.UDPAddr
+	if !metadata.Resolved() {
+		ip, err := resolver.ResolveIP(ctx, metadata.Host)
+		if err != nil {
+			return nil, errors.New("can't resolve ip")
+		}
+		metadata.DstIP = ip
+	}
+
+	if pc, ok := c.(net.PacketConn); ok {
+		return newPacketConn(N.NewThreadSafePacketConn(pc), v), nil
 	}
 	return newPacketConn(&vmessPacketConn{Conn: c, rAddr: metadata.UDPAddr()}, v), nil
 }
@ -373,13 +413,6 @@ func NewVmess(option VmessOption) (*Vmess, error) {
 		option.PacketAddr = false
 	}

-	switch option.Network {
-	case "h2", "grpc":
-		if !option.TLS {
-			option.TLS = true
-		}
-	}
-
 	v := &Vmess{
 		Base: &Base{
 			name:   option.Name,
@ -403,7 +436,15 @@ func NewVmess(option VmessOption) (*Vmess, error) {
 		}
 	case "grpc":
 		dialFn := func(network, addr string) (net.Conn, error) {
-			c, err := dialer.DialContext(context.Background(), "tcp", v.addr, v.Base.DialOptions()...)
+			var err error
+			var cDialer C.Dialer = dialer.NewDialer(v.Base.DialOptions()...)
+			if len(v.option.DialerProxy) > 0 {
+				cDialer, err = proxydialer.NewByName(v.option.DialerProxy, cDialer)
+				if err != nil {
+					return nil, err
+				}
+			}
+			c, err := cDialer.DialContext(context.Background(), "tcp", v.addr)
 			if err != nil {
 				return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
 			}
@ -416,37 +457,35 @@ func NewVmess(option VmessOption) (*Vmess, error) {
 			Host:              v.option.ServerName,
 			ClientFingerprint: v.option.ClientFingerprint,
 		}
-		tlsConfig := &tls.Config{
-			InsecureSkipVerify: v.option.SkipCertVerify,
-			ServerName:         v.option.ServerName,
+		if option.ServerName == "" {
+			gunConfig.Host = v.addr
 		}
-
-		if v.option.ServerName == "" {
-			host, _, _ := net.SplitHostPort(v.addr)
-			tlsConfig.ServerName = host
-			gunConfig.Host = host
+		var tlsConfig *tls.Config
+		if option.TLS {
+			tlsConfig = tlsC.GetGlobalTLSConfig(&tls.Config{
+				InsecureSkipVerify: v.option.SkipCertVerify,
+				ServerName:         v.option.ServerName,
+			})
+			if option.ServerName == "" {
+				host, _, _ := net.SplitHostPort(v.addr)
+				tlsConfig.ServerName = host
+			}
 		}

 		v.gunTLSConfig = tlsConfig
 		v.gunConfig = gunConfig

-		v.transport = gun.NewHTTP2Client(dialFn, tlsConfig, v.option.ClientFingerprint)
-
+		v.transport = gun.NewHTTP2Client(dialFn, tlsConfig, v.option.ClientFingerprint, v.realityConfig)
 	}
+
+	v.realityConfig, err = v.option.RealityOpts.Parse()
+	if err != nil {
+		return nil, err
+	}
+
 	return v, nil
 }

-type threadSafePacketConn struct {
-	net.PacketConn
-	access sync.Mutex
-}
-
-func (c *threadSafePacketConn) WriteTo(b []byte, addr net.Addr) (int, error) {
-	c.access.Lock()
-	defer c.access.Unlock()
-	return c.PacketConn.WriteTo(b, addr)
-}
-
 type vmessPacketConn struct {
 	net.Conn
 	rAddr  net.Addr
@ -456,9 +495,9 @@ type vmessPacketConn struct {
 // WriteTo implments C.PacketConn.WriteTo
 // Since VMess doesn't support full cone NAT by design, we verify if addr matches uc.rAddr, and drop the packet if not.
 func (uc *vmessPacketConn) WriteTo(b []byte, addr net.Addr) (int, error) {
-	allowedAddr := uc.rAddr.(*net.UDPAddr)
-	destAddr := addr.(*net.UDPAddr)
-	if !(allowedAddr.IP.Equal(destAddr.IP) && allowedAddr.Port == destAddr.Port) {
+	allowedAddr := uc.rAddr
+	destAddr := addr
+	if allowedAddr.String() != destAddr.String() {
 		return 0, ErrUDPRemoteAddrMismatch
 	}
 	uc.access.Lock()
--- a/adapter/outbound/wireguard.go
+++ b/adapter/outbound/wireguard.go
@ -15,8 +15,10 @@ import (

 	CN "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/component/dialer"
+	"github.com/Dreamacro/clash/component/proxydialer"
 	"github.com/Dreamacro/clash/component/resolver"
 	C "github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/dns"
 	"github.com/Dreamacro/clash/log"

 	wireguard "github.com/metacubex/sing-wireguard"
@ -34,66 +36,100 @@ type WireGuard struct {
 	bind      *wireguard.ClientBind
 	device    *device.Device
 	tunDevice wireguard.Device
-	dialer    *wgDialer
+	dialer    *wgSingDialer
 	startOnce sync.Once
 	startErr  error
+	resolver  *dns.Resolver
+	refP      *refProxyAdapter
 }

 type WireGuardOption struct {
 	BasicOption
-	Name                string  `proxy:"name"`
-	Server              string  `proxy:"server"`
-	Port                int     `proxy:"port"`
-	Ip                  string  `proxy:"ip,omitempty"`
-	Ipv6                string  `proxy:"ipv6,omitempty"`
-	PrivateKey          string  `proxy:"private-key"`
-	PublicKey           string  `proxy:"public-key"`
-	PreSharedKey        string  `proxy:"pre-shared-key,omitempty"`
-	Reserved            []uint8 `proxy:"reserved,omitempty"`
-	Workers             int     `proxy:"workers,omitempty"`
-	MTU                 int     `proxy:"mtu,omitempty"`
-	UDP                 bool    `proxy:"udp,omitempty"`
-	PersistentKeepalive int     `proxy:"persistent-keepalive,omitempty"`
+	WireGuardPeerOption
+	Name                string `proxy:"name"`
+	PrivateKey          string `proxy:"private-key"`
+	Workers             int    `proxy:"workers,omitempty"`
+	MTU                 int    `proxy:"mtu,omitempty"`
+	UDP                 bool   `proxy:"udp,omitempty"`
+	PersistentKeepalive int    `proxy:"persistent-keepalive,omitempty"`
+
+	Peers []WireGuardPeerOption `proxy:"peers,omitempty"`
+
+	RemoteDnsResolve bool     `proxy:"remote-dns-resolve,omitempty"`
+	Dns              []string `proxy:"dns,omitempty"`
 }

-type wgDialer struct {
-	options []dialer.Option
+type WireGuardPeerOption struct {
+	Server       string   `proxy:"server"`
+	Port         int      `proxy:"port"`
+	Ip           string   `proxy:"ip,omitempty"`
+	Ipv6         string   `proxy:"ipv6,omitempty"`
+	PublicKey    string   `proxy:"public-key,omitempty"`
+	PreSharedKey string   `proxy:"pre-shared-key,omitempty"`
+	Reserved     []uint8  `proxy:"reserved,omitempty"`
+	AllowedIPs   []string `proxy:"allowed-ips,omitempty"`
 }

-func (d *wgDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	return dialer.DialContext(ctx, network, destination.String(), d.options...)
+type wgSingDialer struct {
+	dialer    dialer.Dialer
+	proxyName string
 }

-func (d *wgDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	return dialer.ListenPacket(ctx, dialer.ParseNetwork("udp", destination.Addr), "", d.options...)
-}
+var _ N.Dialer = (*wgSingDialer)(nil)

-func NewWireGuard(option WireGuardOption) (*WireGuard, error) {
-	outbound := &WireGuard{
-		Base: &Base{
-			name:   option.Name,
-			addr:   net.JoinHostPort(option.Server, strconv.Itoa(option.Port)),
-			tp:     C.WireGuard,
-			udp:    option.UDP,
-			iface:  option.Interface,
-			rmark:  option.RoutingMark,
-			prefer: C.NewDNSPrefer(option.IPVersion),
-		},
-		dialer: &wgDialer{},
-	}
-	runtime.SetFinalizer(outbound, closeWireGuard)
-
-	var reserved [3]uint8
-	if len(option.Reserved) > 0 {
-		if len(option.Reserved) != 3 {
-			return nil, E.New("invalid reserved value, required 3 bytes, got ", len(option.Reserved))
+func (d *wgSingDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+	var cDialer C.Dialer = d.dialer
+	if len(d.proxyName) > 0 {
+		pd, err := proxydialer.NewByName(d.proxyName, d.dialer)
+		if err != nil {
+			return nil, err
 		}
-		reserved[0] = uint8(option.Reserved[0])
-		reserved[1] = uint8(option.Reserved[1])
-		reserved[2] = uint8(option.Reserved[2])
+		cDialer = pd
 	}
-	peerAddr := M.ParseSocksaddrHostPort(option.Server, uint16(option.Port))
-	outbound.bind = wireguard.NewClientBind(context.Background(), outbound.dialer, peerAddr, reserved)
+	return cDialer.DialContext(ctx, network, destination.String())
+}
+
+func (d *wgSingDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+	var cDialer C.Dialer = d.dialer
+	if len(d.proxyName) > 0 {
+		pd, err := proxydialer.NewByName(d.proxyName, d.dialer)
+		if err != nil {
+			return nil, err
+		}
+		cDialer = pd
+	}
+	return cDialer.ListenPacket(ctx, "udp", "", destination.AddrPort())
+}
+
+type wgSingErrorHandler struct {
+	name string
+}
+
+var _ E.Handler = (*wgSingErrorHandler)(nil)
+
+func (w wgSingErrorHandler) NewError(ctx context.Context, err error) {
+	if E.IsClosedOrCanceled(err) {
+		log.SingLogger.Debug(fmt.Sprintf("[WG](%s) connection closed: %s", w.name, err))
+		return
+	}
+	log.SingLogger.Error(fmt.Sprintf("[WG](%s) %s", w.name, err))
+}
+
+type wgNetDialer struct {
+	tunDevice wireguard.Device
+}
+
+var _ dialer.NetDialer = (*wgNetDialer)(nil)
+
+func (d wgNetDialer) DialContext(ctx context.Context, network, address string) (net.Conn, error) {
+	return d.tunDevice.DialContext(ctx, network, M.ParseSocksaddr(address).Unwrap())
+}
+
+func (option WireGuardPeerOption) Addr() M.Socksaddr {
+	return M.ParseSocksaddrHostPort(option.Server, uint16(option.Port))
+}
+
+func (option WireGuardPeerOption) Prefixes() ([]netip.Prefix, error) {
 	localPrefixes := make([]netip.Prefix, 0, 2)
 	if len(option.Ip) > 0 {
 		if !strings.Contains(option.Ip, "/") {
@ -118,7 +154,46 @@ func NewWireGuard(option WireGuardOption) (*WireGuard, error) {
 	if len(localPrefixes) == 0 {
 		return nil, E.New("missing local address")
 	}
-	var privateKey, peerPublicKey, preSharedKey string
+	return localPrefixes, nil
+}
+
+func NewWireGuard(option WireGuardOption) (*WireGuard, error) {
+	outbound := &WireGuard{
+		Base: &Base{
+			name:   option.Name,
+			addr:   net.JoinHostPort(option.Server, strconv.Itoa(option.Port)),
+			tp:     C.WireGuard,
+			udp:    option.UDP,
+			iface:  option.Interface,
+			rmark:  option.RoutingMark,
+			prefer: C.NewDNSPrefer(option.IPVersion),
+		},
+		dialer: &wgSingDialer{dialer: dialer.NewDialer(), proxyName: option.DialerProxy},
+	}
+	runtime.SetFinalizer(outbound, closeWireGuard)
+
+	var reserved [3]uint8
+	if len(option.Reserved) > 0 {
+		if len(option.Reserved) != 3 {
+			return nil, E.New("invalid reserved value, required 3 bytes, got ", len(option.Reserved))
+		}
+		copy(reserved[:], option.Reserved)
+	}
+	var isConnect bool
+	var connectAddr M.Socksaddr
+	if len(option.Peers) < 2 {
+		isConnect = true
+		if len(option.Peers) == 1 {
+			connectAddr = option.Peers[0].Addr()
+		} else {
+			connectAddr = option.Addr()
+		}
+	}
+	outbound.bind = wireguard.NewClientBind(context.Background(), wgSingErrorHandler{outbound.Name()}, outbound.dialer, isConnect, connectAddr, reserved)
+
+	var localPrefixes []netip.Prefix
+
+	var privateKey string
 	{
 		bytes, err := base64.StdEncoding.DecodeString(option.PrivateKey)
 		if err != nil {
@ -126,40 +201,92 @@ func NewWireGuard(option WireGuardOption) (*WireGuard, error) {
 		}
 		privateKey = hex.EncodeToString(bytes)
 	}
-	{
-		bytes, err := base64.StdEncoding.DecodeString(option.PublicKey)
-		if err != nil {
-			return nil, E.Cause(err, "decode peer public key")
-		}
-		peerPublicKey = hex.EncodeToString(bytes)
-	}
-	if option.PreSharedKey != "" {
-		bytes, err := base64.StdEncoding.DecodeString(option.PreSharedKey)
-		if err != nil {
-			return nil, E.Cause(err, "decode pre shared key")
-		}
-		preSharedKey = hex.EncodeToString(bytes)
-	}
 	ipcConf := "private_key=" + privateKey
-	ipcConf += "\npublic_key=" + peerPublicKey
-	ipcConf += "\nendpoint=" + peerAddr.String()
-	if preSharedKey != "" {
-		ipcConf += "\npreshared_key=" + preSharedKey
-	}
-	var has4, has6 bool
-	for _, address := range localPrefixes {
-		if address.Addr().Is4() {
-			has4 = true
-		} else {
-			has6 = true
+	if peersLen := len(option.Peers); peersLen > 0 {
+		localPrefixes = make([]netip.Prefix, 0, peersLen*2)
+		for i, peer := range option.Peers {
+			var peerPublicKey, preSharedKey string
+			{
+				bytes, err := base64.StdEncoding.DecodeString(peer.PublicKey)
+				if err != nil {
+					return nil, E.Cause(err, "decode public key for peer ", i)
+				}
+				peerPublicKey = hex.EncodeToString(bytes)
+			}
+			if peer.PreSharedKey != "" {
+				bytes, err := base64.StdEncoding.DecodeString(peer.PreSharedKey)
+				if err != nil {
+					return nil, E.Cause(err, "decode pre shared key for peer ", i)
+				}
+				preSharedKey = hex.EncodeToString(bytes)
+			}
+			destination := peer.Addr()
+			ipcConf += "\npublic_key=" + peerPublicKey
+			ipcConf += "\nendpoint=" + destination.String()
+			if preSharedKey != "" {
+				ipcConf += "\npreshared_key=" + preSharedKey
+			}
+			if len(peer.AllowedIPs) == 0 {
+				return nil, E.New("missing allowed_ips for peer ", i)
+			}
+			for _, allowedIP := range peer.AllowedIPs {
+				ipcConf += "\nallowed_ip=" + allowedIP
+			}
+			if len(peer.Reserved) > 0 {
+				if len(peer.Reserved) != 3 {
+					return nil, E.New("invalid reserved value for peer ", i, ", required 3 bytes, got ", len(peer.Reserved))
+				}
+				copy(reserved[:], option.Reserved)
+				outbound.bind.SetReservedForEndpoint(destination, reserved)
+			}
+			prefixes, err := peer.Prefixes()
+			if err != nil {
+				return nil, err
+			}
+			localPrefixes = append(localPrefixes, prefixes...)
+		}
+	} else {
+		var peerPublicKey, preSharedKey string
+		{
+			bytes, err := base64.StdEncoding.DecodeString(option.PublicKey)
+			if err != nil {
+				return nil, E.Cause(err, "decode peer public key")
+			}
+			peerPublicKey = hex.EncodeToString(bytes)
+		}
+		if option.PreSharedKey != "" {
+			bytes, err := base64.StdEncoding.DecodeString(option.PreSharedKey)
+			if err != nil {
+				return nil, E.Cause(err, "decode pre shared key")
+			}
+			preSharedKey = hex.EncodeToString(bytes)
+		}
+		ipcConf += "\npublic_key=" + peerPublicKey
+		ipcConf += "\nendpoint=" + connectAddr.String()
+		if preSharedKey != "" {
+			ipcConf += "\npreshared_key=" + preSharedKey
+		}
+		var err error
+		localPrefixes, err = option.Prefixes()
+		if err != nil {
+			return nil, err
+		}
+		var has4, has6 bool
+		for _, address := range localPrefixes {
+			if address.Addr().Is4() {
+				has4 = true
+			} else {
+				has6 = true
+			}
+		}
+		if has4 {
+			ipcConf += "\nallowed_ip=0.0.0.0/0"
+		}
+		if has6 {
+			ipcConf += "\nallowed_ip=::/0"
 		}
 	}
-	if has4 {
-		ipcConf += "\nallowed_ip=0.0.0.0/0"
-	}
-	if has6 {
-		ipcConf += "\nallowed_ip=::/0"
-	}
+
 	if option.PersistentKeepalive != 0 {
 		ipcConf += fmt.Sprintf("\npersistent_keepalive_interval=%d", option.PersistentKeepalive)
 	}
@ -167,6 +294,9 @@ func NewWireGuard(option WireGuardOption) (*WireGuard, error) {
 	if mtu == 0 {
 		mtu = 1408
 	}
+	if len(localPrefixes) == 0 {
+		return nil, E.New("missing local address")
+	}
 	var err error
 	outbound.tunDevice, err = wireguard.NewStackDevice(localPrefixes, uint32(mtu))
 	if err != nil {
@ -174,20 +304,45 @@ func NewWireGuard(option WireGuardOption) (*WireGuard, error) {
 	}
 	outbound.device = device.NewDevice(outbound.tunDevice, outbound.bind, &device.Logger{
 		Verbosef: func(format string, args ...interface{}) {
-			log.SingLogger.Debug(fmt.Sprintf(strings.ToLower(format), args...))
+			log.SingLogger.Debug(fmt.Sprintf("[WG](%s) %s", option.Name, fmt.Sprintf(format, args...)))
 		},
 		Errorf: func(format string, args ...interface{}) {
-			log.SingLogger.Error(fmt.Sprintf(strings.ToLower(format), args...))
+			log.SingLogger.Error(fmt.Sprintf("[WG](%s) %s", option.Name, fmt.Sprintf(format, args...)))
 		},
 	}, option.Workers)
 	if debug.Enabled {
-		log.SingLogger.Trace("created wireguard ipc conf: \n", ipcConf)
+		log.SingLogger.Trace(fmt.Sprintf("[WG](%s) created wireguard ipc conf: \n %s", option.Name, ipcConf))
 	}
 	err = outbound.device.IpcSet(ipcConf)
 	if err != nil {
 		return nil, E.Cause(err, "setup wireguard")
 	}
 	//err = outbound.tunDevice.Start()
+
+	var has6 bool
+	for _, address := range localPrefixes {
+		if !address.Addr().Unmap().Is4() {
+			has6 = true
+			break
+		}
+	}
+
+	refP := &refProxyAdapter{}
+	outbound.refP = refP
+	if option.RemoteDnsResolve && len(option.Dns) > 0 {
+		nss, err := dns.ParseNameServer(option.Dns)
+		if err != nil {
+			return nil, err
+		}
+		for i := range nss {
+			nss[i].ProxyAdapter = refP
+		}
+		outbound.resolver = dns.NewResolver(dns.Config{
+			Main: nss,
+			IPv6: has6,
+		})
+	}
+
 	return outbound, nil
 }

@ -199,7 +354,8 @@ func closeWireGuard(w *WireGuard) {
 }

 func (w *WireGuard) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
-	w.dialer.options = opts
+	options := w.Base.DialOptions(opts...)
+	w.dialer.dialer = dialer.NewDialer(options...)
 	var conn net.Conn
 	w.startOnce.Do(func() {
 		w.startErr = w.tunDevice.Start()
@ -207,16 +363,19 @@ func (w *WireGuard) DialContext(ctx context.Context, metadata *C.Metadata, opts
 	if w.startErr != nil {
 		return nil, w.startErr
 	}
-	if !metadata.Resolved() {
-		var addrs []netip.Addr
-		addrs, err = resolver.LookupIP(ctx, metadata.Host)
-		if err != nil {
-			return nil, err
+	if !metadata.Resolved() || w.resolver != nil {
+		r := resolver.DefaultResolver
+		if w.resolver != nil {
+			w.refP.SetProxyAdapter(w)
+			defer w.refP.ClearProxyAdapter()
+			r = w.resolver
 		}
-		conn, err = N.DialSerial(ctx, w.tunDevice, "tcp", M.ParseSocksaddr(metadata.RemoteAddress()), addrs)
+		options = append(options, dialer.WithResolver(r))
+		options = append(options, dialer.WithNetDialer(wgNetDialer{tunDevice: w.tunDevice}))
+		conn, err = dialer.NewDialer(options...).DialContext(ctx, "tcp", metadata.RemoteAddress())
 	} else {
 		port, _ := strconv.Atoi(metadata.DstPort)
-		conn, err = w.tunDevice.DialContext(ctx, "tcp", M.SocksaddrFrom(metadata.DstIP, uint16(port)))
+		conn, err = w.tunDevice.DialContext(ctx, "tcp", M.SocksaddrFrom(metadata.DstIP, uint16(port)).Unwrap())
 	}
 	if err != nil {
 		return nil, err
@ -228,7 +387,8 @@ func (w *WireGuard) DialContext(ctx context.Context, metadata *C.Metadata, opts
 }

 func (w *WireGuard) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
-	w.dialer.options = opts
+	options := w.Base.DialOptions(opts...)
+	w.dialer.dialer = dialer.NewDialer(options...)
 	var pc net.PacketConn
 	w.startOnce.Do(func() {
 		w.startErr = w.tunDevice.Start()
@ -239,15 +399,21 @@ func (w *WireGuard) ListenPacketContext(ctx context.Context, metadata *C.Metadat
 	if err != nil {
 		return nil, err
 	}
-	if !metadata.Resolved() {
-		ip, err := resolver.ResolveIP(ctx, metadata.Host)
+	if (!metadata.Resolved() || w.resolver != nil) && metadata.Host != "" {
+		r := resolver.DefaultResolver
+		if w.resolver != nil {
+			w.refP.SetProxyAdapter(w)
+			defer w.refP.ClearProxyAdapter()
+			r = w.resolver
+		}
+		ip, err := resolver.ResolveIPWithResolver(ctx, metadata.Host, r)
 		if err != nil {
 			return nil, errors.New("can't resolve ip")
 		}
 		metadata.DstIP = ip
 	}
 	port, _ := strconv.Atoi(metadata.DstPort)
-	pc, err = w.tunDevice.ListenPacket(ctx, M.SocksaddrFrom(metadata.DstIP, uint16(port)))
+	pc, err = w.tunDevice.ListenPacket(ctx, M.SocksaddrFrom(metadata.DstIP, uint16(port)).Unwrap())
 	if err != nil {
 		return nil, err
 	}
@ -256,3 +422,144 @@ func (w *WireGuard) ListenPacketContext(ctx context.Context, metadata *C.Metadat
 	}
 	return newPacketConn(CN.NewRefPacketConn(pc, w), w), nil
 }
+
+// IsL3Protocol implements C.ProxyAdapter
+func (w *WireGuard) IsL3Protocol(metadata *C.Metadata) bool {
+	return true
+}
+
+type refProxyAdapter struct {
+	proxyAdapter C.ProxyAdapter
+	count        int
+	mutex        sync.Mutex
+}
+
+func (r *refProxyAdapter) SetProxyAdapter(proxyAdapter C.ProxyAdapter) {
+	r.mutex.Lock()
+	defer r.mutex.Unlock()
+	r.proxyAdapter = proxyAdapter
+	r.count++
+}
+
+func (r *refProxyAdapter) ClearProxyAdapter() {
+	r.mutex.Lock()
+	defer r.mutex.Unlock()
+	r.count--
+	if r.count == 0 {
+		r.proxyAdapter = nil
+	}
+}
+
+func (r *refProxyAdapter) Name() string {
+	if r.proxyAdapter != nil {
+		return r.proxyAdapter.Name()
+	}
+	return ""
+}
+
+func (r *refProxyAdapter) Type() C.AdapterType {
+	if r.proxyAdapter != nil {
+		return r.proxyAdapter.Type()
+	}
+	return C.AdapterType(0)
+}
+
+func (r *refProxyAdapter) Addr() string {
+	if r.proxyAdapter != nil {
+		return r.proxyAdapter.Addr()
+	}
+	return ""
+}
+
+func (r *refProxyAdapter) SupportUDP() bool {
+	if r.proxyAdapter != nil {
+		return r.proxyAdapter.SupportUDP()
+	}
+	return false
+}
+
+func (r *refProxyAdapter) SupportXUDP() bool {
+	if r.proxyAdapter != nil {
+		return r.proxyAdapter.SupportXUDP()
+	}
+	return false
+}
+
+func (r *refProxyAdapter) SupportTFO() bool {
+	if r.proxyAdapter != nil {
+		return r.proxyAdapter.SupportTFO()
+	}
+	return false
+}
+
+func (r *refProxyAdapter) MarshalJSON() ([]byte, error) {
+	if r.proxyAdapter != nil {
+		return r.proxyAdapter.MarshalJSON()
+	}
+	return nil, C.ErrNotSupport
+}
+
+func (r *refProxyAdapter) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+	if r.proxyAdapter != nil {
+		return r.proxyAdapter.StreamConnContext(ctx, c, metadata)
+	}
+	return nil, C.ErrNotSupport
+}
+
+func (r *refProxyAdapter) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
+	if r.proxyAdapter != nil {
+		return r.proxyAdapter.DialContext(ctx, metadata, opts...)
+	}
+	return nil, C.ErrNotSupport
+}
+
+func (r *refProxyAdapter) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
+	if r.proxyAdapter != nil {
+		return r.proxyAdapter.ListenPacketContext(ctx, metadata, opts...)
+	}
+	return nil, C.ErrNotSupport
+}
+
+func (r *refProxyAdapter) SupportUOT() bool {
+	if r.proxyAdapter != nil {
+		return r.proxyAdapter.SupportUOT()
+	}
+	return false
+}
+
+func (r *refProxyAdapter) SupportWithDialer() C.NetWork {
+	if r.proxyAdapter != nil {
+		return r.proxyAdapter.SupportWithDialer()
+	}
+	return C.InvalidNet
+}
+
+func (r *refProxyAdapter) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (C.Conn, error) {
+	if r.proxyAdapter != nil {
+		return r.proxyAdapter.DialContextWithDialer(ctx, dialer, metadata)
+	}
+	return nil, C.ErrNotSupport
+}
+
+func (r *refProxyAdapter) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (C.PacketConn, error) {
+	if r.proxyAdapter != nil {
+		return r.proxyAdapter.ListenPacketWithDialer(ctx, dialer, metadata)
+	}
+	return nil, C.ErrNotSupport
+}
+
+func (r *refProxyAdapter) IsL3Protocol(metadata *C.Metadata) bool {
+	if r.proxyAdapter != nil {
+		return r.proxyAdapter.IsL3Protocol(metadata)
+	}
+	return false
+}
+
+func (r *refProxyAdapter) Unwrap(metadata *C.Metadata, touch bool) C.Proxy {
+	if r.proxyAdapter != nil {
+		return r.proxyAdapter.Unwrap(metadata, touch)
+	}
+	return nil
+}
+
+var _ C.ProxyAdapter = (*refProxyAdapter)(nil)
--- a/adapter/outboundgroup/fallback.go
+++ b/adapter/outboundgroup/fallback.go
@ -8,6 +8,7 @@ import (

 	"github.com/Dreamacro/clash/adapter/outbound"
 	"github.com/Dreamacro/clash/common/callback"
+	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/constant/provider"
@ -35,15 +36,14 @@ func (f *Fallback) DialContext(ctx context.Context, metadata *C.Metadata, opts .
 		f.onDialFailed(proxy.Type(), err)
 	}

-	c = &callback.FirstWriteCallBackConn{
-		Conn: c,
-		Callback: func(err error) {
+	if N.NeedHandshake(c) {
+		c = callback.NewFirstWriteCallBackConn(c, func(err error) {
 			if err == nil {
 				f.onDialSuccess()
 			} else {
 				f.onDialFailed(proxy.Type(), err)
 			}
-		},
+		})
 	}

 	return c, err
@ -70,6 +70,11 @@ func (f *Fallback) SupportUDP() bool {
 	return proxy.SupportUDP()
 }

+// IsL3Protocol implements C.ProxyAdapter
+func (f *Fallback) IsL3Protocol(metadata *C.Metadata) bool {
+	return f.findAliveProxy(false).IsL3Protocol(metadata)
+}
+
 // MarshalJSON implements C.ProxyAdapter
 func (f *Fallback) MarshalJSON() ([]byte, error) {
 	all := []string{}
@ -133,6 +138,10 @@ func (f *Fallback) Set(name string) error {
 	return nil
 }

+func (f *Fallback) ForceSet(name string) {
+	f.selected = name
+}
+
 func NewFallback(option *GroupCommonOption, providers []provider.ProxyProvider) *Fallback {
 	return &Fallback{
 		GroupBase: NewGroupBase(GroupBaseOption{
--- a/adapter/outboundgroup/groupbase.go
+++ b/adapter/outboundgroup/groupbase.go
@ -8,6 +8,7 @@ import (
 	"time"

 	"github.com/Dreamacro/clash/adapter/outbound"
+	"github.com/Dreamacro/clash/common/atomic"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/constant/provider"
 	types "github.com/Dreamacro/clash/constant/provider"
@ -15,7 +16,6 @@ import (
 	"github.com/Dreamacro/clash/tunnel"

 	"github.com/dlclark/regexp2"
-	"go.uber.org/atomic"
 )

 type GroupBase struct {
@ -130,10 +130,6 @@ func (gb *GroupBase) GetProxies(touch bool) []C.Proxy {
 		}
 	}

-	if len(proxies) == 0 {
-		return append(proxies, tunnel.Proxies()["COMPATIBLE"])
-	}
-
 	if len(gb.providers) > 1 && len(gb.filterRegs) > 1 {
 		var newProxies []C.Proxy
 		proxiesSet := map[string]struct{}{}
@ -189,6 +185,10 @@ func (gb *GroupBase) GetProxies(touch bool) []C.Proxy {
 		proxies = newProxies
 	}

+	if len(proxies) == 0 {
+		return append(proxies, tunnel.Proxies()["COMPATIBLE"])
+	}
+
 	return proxies
 }

--- a/adapter/outboundgroup/loadbalance.go
+++ b/adapter/outboundgroup/loadbalance.go
@ -6,12 +6,14 @@ import (
 	"errors"
 	"fmt"
 	"net"
+	"sync"
 	"time"

 	"github.com/Dreamacro/clash/adapter/outbound"
 	"github.com/Dreamacro/clash/common/cache"
 	"github.com/Dreamacro/clash/common/callback"
 	"github.com/Dreamacro/clash/common/murmur3"
+	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/constant/provider"
@ -19,7 +21,7 @@ import (
 	"golang.org/x/net/publicsuffix"
 )

-type strategyFn = func(proxies []C.Proxy, metadata *C.Metadata) C.Proxy
+type strategyFn = func(proxies []C.Proxy, metadata *C.Metadata, touch bool) C.Proxy

 type LoadBalance struct {
 	*GroupBase
@ -92,16 +94,16 @@ func (lb *LoadBalance) DialContext(ctx context.Context, metadata *C.Metadata, op
 		lb.onDialFailed(proxy.Type(), err)
 	}

-	c = &callback.FirstWriteCallBackConn{
-		Conn: c,
-		Callback: func(err error) {
+	if N.NeedHandshake(c) {
+		c = callback.NewFirstWriteCallBackConn(c, func(err error) {
 			if err == nil {
 				lb.onDialSuccess()
 			} else {
 				lb.onDialFailed(proxy.Type(), err)
 			}
-		},
+		})
 	}
+
 	return
 }

@ -122,23 +124,32 @@ func (lb *LoadBalance) SupportUDP() bool {
 	return !lb.disableUDP
 }

+// IsL3Protocol implements C.ProxyAdapter
+func (lb *LoadBalance) IsL3Protocol(metadata *C.Metadata) bool {
+	return lb.Unwrap(metadata, false).IsL3Protocol(metadata)
+}
+
 func strategyRoundRobin() strategyFn {
-	flag := true
 	idx := 0
-	return func(proxies []C.Proxy, metadata *C.Metadata) C.Proxy {
+	idxMutex := sync.Mutex{}
+	return func(proxies []C.Proxy, metadata *C.Metadata, touch bool) C.Proxy {
+		idxMutex.Lock()
+		defer idxMutex.Unlock()
+
+		i := 0
 		length := len(proxies)
-		for i := 0; i < length; i++ {
-			flag = !flag
-			if flag {
-				idx = (idx - 1) % length
-			} else {
-				idx = (idx + 2) % length
-			}
-			if idx < 0 {
-				idx = idx + length
-			}
-			proxy := proxies[idx]
+
+		if touch {
+			defer func() {
+				idx = (idx + i) % length
+			}()
+		}
+
+		for ; i < length; i++ {
+			id := (idx + i) % length
+			proxy := proxies[id]
 			if proxy.Alive() {
+				i++
 				return proxy
 			}
 		}
@ -149,7 +160,7 @@ func strategyRoundRobin() strategyFn {

 func strategyConsistentHashing() strategyFn {
 	maxRetry := 5
-	return func(proxies []C.Proxy, metadata *C.Metadata) C.Proxy {
+	return func(proxies []C.Proxy, metadata *C.Metadata, touch bool) C.Proxy {
 		key := uint64(murmur3.Sum32([]byte(getKey(metadata))))
 		buckets := int32(len(proxies))
 		for i := 0; i < maxRetry; i, key = i+1, key+1 {
@ -177,7 +188,7 @@ func strategyStickySessions() strategyFn {
 	lruCache := cache.New[uint64, int](
 		cache.WithAge[uint64, int](int64(ttl.Seconds())),
 		cache.WithSize[uint64, int](1000))
-	return func(proxies []C.Proxy, metadata *C.Metadata) C.Proxy {
+	return func(proxies []C.Proxy, metadata *C.Metadata, touch bool) C.Proxy {
 		key := uint64(murmur3.Sum32([]byte(getKeyWithSrcAndDst(metadata))))
 		length := len(proxies)
 		idx, has := lruCache.Get(key)
@ -209,7 +220,7 @@ func strategyStickySessions() strategyFn {
 // Unwrap implements C.ProxyAdapter
 func (lb *LoadBalance) Unwrap(metadata *C.Metadata, touch bool) C.Proxy {
 	proxies := lb.GetProxies(touch)
-	return lb.strategyFn(proxies, metadata)
+	return lb.strategyFn(proxies, metadata, touch)
 }

 // MarshalJSON implements C.ProxyAdapter
--- a/adapter/outboundgroup/relay.go
+++ b/adapter/outboundgroup/relay.go
@ -3,13 +3,9 @@ package outboundgroup
 import (
 	"context"
 	"encoding/json"
-	"net"
-	"net/netip"
-	"strings"
-
 	"github.com/Dreamacro/clash/adapter/outbound"
-	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/component/dialer"
+	"github.com/Dreamacro/clash/component/proxydialer"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/constant/provider"
 )
@ -18,36 +14,6 @@ type Relay struct {
 	*GroupBase
 }

-type proxyDialer struct {
-	proxy  C.Proxy
-	dialer C.Dialer
-}
-
-func (p proxyDialer) DialContext(ctx context.Context, network, address string) (net.Conn, error) {
-	currentMeta, err := addrToMetadata(address)
-	if err != nil {
-		return nil, err
-	}
-	if strings.Contains(network, "udp") { // should not support this operation
-		currentMeta.NetWork = C.UDP
-		pc, err := p.proxy.ListenPacketWithDialer(ctx, p.dialer, currentMeta)
-		if err != nil {
-			return nil, err
-		}
-		return N.NewBindPacketConn(pc, currentMeta.UDPAddr()), nil
-	}
-	return p.proxy.DialContextWithDialer(ctx, p.dialer, currentMeta)
-}
-
-func (p proxyDialer) ListenPacket(ctx context.Context, network, address string, rAddrPort netip.AddrPort) (net.PacketConn, error) {
-	currentMeta, err := addrToMetadata(rAddrPort.String())
-	if err != nil {
-		return nil, err
-	}
-	currentMeta.NetWork = C.UDP
-	return p.proxy.ListenPacketWithDialer(ctx, p.dialer, currentMeta)
-}
-
 // DialContext implements C.ProxyAdapter
 func (r *Relay) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
 	proxies, chainProxies := r.proxies(metadata, true)
@ -61,10 +27,7 @@ func (r *Relay) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d
 	var d C.Dialer
 	d = dialer.NewDialer(r.Base.DialOptions(opts...)...)
 	for _, proxy := range proxies[:len(proxies)-1] {
-		d = proxyDialer{
-			proxy:  proxy,
-			dialer: d,
-		}
+		d = proxydialer.New(proxy, d, false)
 	}
 	last := proxies[len(proxies)-1]
 	conn, err := last.DialContextWithDialer(ctx, d, metadata)
@ -95,10 +58,7 @@ func (r *Relay) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o
 	var d C.Dialer
 	d = dialer.NewDialer(r.Base.DialOptions(opts...)...)
 	for _, proxy := range proxies[:len(proxies)-1] {
-		d = proxyDialer{
-			proxy:  proxy,
-			dialer: d,
-		}
+		d = proxydialer.New(proxy, d, false)
 	}
 	last := proxies[len(proxies)-1]
 	pc, err := last.ListenPacketWithDialer(ctx, d, metadata)
@ -129,7 +89,10 @@ func (r *Relay) SupportUDP() bool {
 		if proxy.SupportUOT() {
 			return true
 		}
-		if !proxy.SupportWithDialer() {
+		switch proxy.SupportWithDialer() {
+		case C.ALLNet:
+		case C.UDP:
+		default: // C.TCP and C.InvalidNet
 			return false
 		}
 	}
@ -176,7 +139,7 @@ func (r *Relay) proxies(metadata *C.Metadata, touch bool) ([]C.Proxy, []C.Proxy)
 }

 func (r *Relay) Addr() string {
-	proxies, _ := r.proxies(nil, true)
+	proxies, _ := r.proxies(nil, false)
 	return proxies[len(proxies)-1].Addr()
 }

--- a/adapter/outboundgroup/selector.go
+++ b/adapter/outboundgroup/selector.go
@ -44,6 +44,11 @@ func (s *Selector) SupportUDP() bool {
 	return s.selectedProxy(false).SupportUDP()
 }

+// IsL3Protocol implements C.ProxyAdapter
+func (s *Selector) IsL3Protocol(metadata *C.Metadata) bool {
+	return s.selectedProxy(false).IsL3Protocol(metadata)
+}
+
 // MarshalJSON implements C.ProxyAdapter
 func (s *Selector) MarshalJSON() ([]byte, error) {
 	all := []string{}
@ -73,6 +78,10 @@ func (s *Selector) Set(name string) error {
 	return errors.New("proxy not exist")
 }

+func (s *Selector) ForceSet(name string) {
+	s.selected = name
+}
+
 // Unwrap implements C.ProxyAdapter
 func (s *Selector) Unwrap(metadata *C.Metadata, touch bool) C.Proxy {
 	return s.selectedProxy(touch)
--- a/adapter/outboundgroup/urltest.go
+++ b/adapter/outboundgroup/urltest.go
@ -3,10 +3,12 @@ package outboundgroup
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"time"

 	"github.com/Dreamacro/clash/adapter/outbound"
 	"github.com/Dreamacro/clash/common/callback"
+	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/common/singledo"
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
@ -23,6 +25,8 @@ func urlTestWithTolerance(tolerance uint16) urlTestOption {

 type URLTest struct {
 	*GroupBase
+	selected   string
+	testUrl    string
 	tolerance  uint16
 	disableUDP bool
 	fastNode   C.Proxy
@ -33,6 +37,26 @@ func (u *URLTest) Now() string {
 	return u.fast(false).Name()
 }

+func (u *URLTest) Set(name string) error {
+	var p C.Proxy
+	for _, proxy := range u.GetProxies(false) {
+		if proxy.Name() == name {
+			p = proxy
+			break
+		}
+	}
+	if p == nil {
+		return errors.New("proxy not exist")
+	}
+	u.selected = name
+	u.fast(false)
+	return nil
+}
+
+func (u *URLTest) ForceSet(name string) {
+	u.selected = name
+}
+
 // DialContext implements C.ProxyAdapter
 func (u *URLTest) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (c C.Conn, err error) {
 	proxy := u.fast(true)
@ -43,16 +67,16 @@ func (u *URLTest) DialContext(ctx context.Context, metadata *C.Metadata, opts ..
 		u.onDialFailed(proxy.Type(), err)
 	}

-	c = &callback.FirstWriteCallBackConn{
-		Conn: c,
-		Callback: func(err error) {
+	if N.NeedHandshake(c) {
+		c = callback.NewFirstWriteCallBackConn(c, func(err error) {
 			if err == nil {
 				u.onDialSuccess()
 			} else {
 				u.onDialFailed(proxy.Type(), err)
 			}
-		},
+		})
 	}
+
 	return c, err
 }

@ -72,8 +96,21 @@ func (u *URLTest) Unwrap(metadata *C.Metadata, touch bool) C.Proxy {
 }

 func (u *URLTest) fast(touch bool) C.Proxy {
+
+	proxies := u.GetProxies(touch)
+	if u.selected != "" {
+		for _, proxy := range proxies {
+			if !proxy.Alive() {
+				continue
+			}
+			if proxy.Name() == u.selected {
+				u.fastNode = proxy
+				return proxy
+			}
+		}
+	}
+
 	elm, _, shared := u.fastSingle.Do(func() (C.Proxy, error) {
-		proxies := u.GetProxies(touch)
 		fast := proxies[0]
 		min := fast.LastDelay()
 		fastNotExist := true
@ -92,13 +129,12 @@ func (u *URLTest) fast(touch bool) C.Proxy {
 				fast = proxy
 				min = delay
 			}
-		}

+		}
 		// tolerance
 		if u.fastNode == nil || fastNotExist || !u.fastNode.Alive() || u.fastNode.LastDelay() > fast.LastDelay()+u.tolerance {
 			u.fastNode = fast
 		}
-
 		return u.fastNode, nil
 	})
 	if shared && touch { // a shared fastSingle.Do() may cause providers untouched, so we touch them again
@ -113,10 +149,14 @@ func (u *URLTest) SupportUDP() bool {
 	if u.disableUDP {
 		return false
 	}
-
 	return u.fast(false).SupportUDP()
 }

+// IsL3Protocol implements C.ProxyAdapter
+func (u *URLTest) IsL3Protocol(metadata *C.Metadata) bool {
+	return u.fast(false).IsL3Protocol(metadata)
+}
+
 // MarshalJSON implements C.ProxyAdapter
 func (u *URLTest) MarshalJSON() ([]byte, error) {
 	all := []string{}
@ -160,6 +200,7 @@ func NewURLTest(option *GroupCommonOption, providers []provider.ProxyProvider, o
 		}),
 		fastSingle: singledo.NewSingle[C.Proxy](time.Second * 10),
 		disableUDP: option.DisableUDP,
+		testUrl:    option.URL,
 	}

 	for _, option := range options {
--- a/adapter/outboundgroup/util.go
+++ b/adapter/outboundgroup/util.go
@ -1,37 +1,10 @@
 package outboundgroup

 import (
-	"fmt"
 	"net"
-	"net/netip"
 	"time"
-
-	C "github.com/Dreamacro/clash/constant"
 )

-func addrToMetadata(rawAddress string) (addr *C.Metadata, err error) {
-	host, port, err := net.SplitHostPort(rawAddress)
-	if err != nil {
-		err = fmt.Errorf("addrToMetadata failed: %w", err)
-		return
-	}
-
-	if ip, err := netip.ParseAddr(host); err != nil {
-		addr = &C.Metadata{
-			Host:    host,
-			DstPort: port,
-		}
-	} else {
-		addr = &C.Metadata{
-			Host:    "",
-			DstIP:   ip.Unmap(),
-			DstPort: port,
-		}
-	}
-
-	return
-}
-
 func tcpKeepAlive(c net.Conn) {
 	if tcp, ok := c.(*net.TCPConn); ok {
 		_ = tcp.SetKeepAlive(true)
@ -41,4 +14,5 @@ func tcpKeepAlive(c net.Conn) {

 type SelectAble interface {
 	Set(string) error
+	ForceSet(name string)
 }
--- a/adapter/parser.go
+++ b/adapter/parser.go
@ -23,7 +23,7 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 	)
 	switch proxyType {
 	case "ss":
-		ssOption := &outbound.ShadowSocksOption{}
+		ssOption := &outbound.ShadowSocksOption{ClientFingerprint: tlsC.GetGlobalFingerprint()}
 		err = decoder.Decode(mapping, ssOption)
 		if err != nil {
 			break
@ -56,10 +56,7 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 				Method: "GET",
 				Path:   []string{"/"},
 			},
-		}
-
-		if GlobalUtlsClient := tlsC.GetGlobalFingerprint(); len(GlobalUtlsClient) != 0 {
-			vmessOption.ClientFingerprint = GlobalUtlsClient
+			ClientFingerprint: tlsC.GetGlobalFingerprint(),
 		}

 		err = decoder.Decode(mapping, vmessOption)
@ -68,12 +65,7 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 		}
 		proxy, err = outbound.NewVmess(*vmessOption)
 	case "vless":
-		vlessOption := &outbound.VlessOption{}
-
-		if GlobalUtlsClient := tlsC.GetGlobalFingerprint(); len(GlobalUtlsClient) != 0 {
-			vlessOption.ClientFingerprint = GlobalUtlsClient
-		}
-
+		vlessOption := &outbound.VlessOption{ClientFingerprint: tlsC.GetGlobalFingerprint()}
 		err = decoder.Decode(mapping, vlessOption)
 		if err != nil {
 			break
@ -87,12 +79,7 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 		}
 		proxy, err = outbound.NewSnell(*snellOption)
 	case "trojan":
-		trojanOption := &outbound.TrojanOption{}
-
-		if GlobalUtlsClient := tlsC.GetGlobalFingerprint(); len(GlobalUtlsClient) != 0 {
-			trojanOption.ClientFingerprint = GlobalUtlsClient
-		}
-
+		trojanOption := &outbound.TrojanOption{ClientFingerprint: tlsC.GetGlobalFingerprint()}
 		err = decoder.Decode(mapping, trojanOption)
 		if err != nil {
 			break
@ -127,5 +114,19 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 		return nil, err
 	}

+	if muxMapping, muxExist := mapping["smux"].(map[string]any); muxExist {
+		muxOption := &outbound.SingMuxOption{}
+		err = decoder.Decode(muxMapping, muxOption)
+		if err != nil {
+			return nil, err
+		}
+		if muxOption.Enabled {
+			proxy, err = outbound.NewSingMux(*muxOption, proxy, proxy.(outbound.ProxyBase))
+			if err != nil {
+				return nil, err
+			}
+		}
+	}
+
 	return NewProxy(proxy), nil
 }
--- a/adapter/provider/healthcheck.go
+++ b/adapter/provider/healthcheck.go
@ -4,13 +4,12 @@ import (
 	"context"
 	"time"

+	"github.com/Dreamacro/clash/common/atomic"
 	"github.com/Dreamacro/clash/common/batch"
 	"github.com/Dreamacro/clash/common/singledo"
+	"github.com/Dreamacro/clash/common/utils"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/log"
-
-	"github.com/gofrs/uuid"
-	"go.uber.org/atomic"
 )

 const (
@ -34,16 +33,15 @@ type HealthCheck struct {

 func (hc *HealthCheck) process() {
 	ticker := time.NewTicker(time.Duration(hc.interval) * time.Second)
-
-	go func() {
-		time.Sleep(30 * time.Second)
-		hc.lazyCheck()
-	}()
-
 	for {
 		select {
 		case <-ticker.C:
-			hc.lazyCheck()
+			now := time.Now().Unix()
+			if !hc.lazy || now-hc.lastTouch.Load() < int64(hc.interval) {
+				hc.check()
+			} else {
+				log.Debugln("Skip once health check because we are lazy")
+			}
 		case <-hc.done:
 			ticker.Stop()
 			return
@ -51,17 +49,6 @@ func (hc *HealthCheck) process() {
 	}
 }

-func (hc *HealthCheck) lazyCheck() bool {
-	now := time.Now().Unix()
-	if !hc.lazy || now-hc.lastTouch.Load() < int64(hc.interval) {
-		hc.check()
-		return true
-	} else {
-		log.Debugln("Skip once health check because we are lazy")
-		return false
-	}
-}
-
 func (hc *HealthCheck) setProxy(proxies []C.Proxy) {
 	hc.proxies = proxies
 }
@ -76,10 +63,7 @@ func (hc *HealthCheck) touch() {

 func (hc *HealthCheck) check() {
 	_, _, _ = hc.singleDo.Do(func() (struct{}, error) {
-		id := ""
-		if uid, err := uuid.NewV4(); err == nil {
-			id = uid.String()
-		}
+		id := utils.NewUUIDV4().String()
 		log.Debugln("Start New Health Checking {%s}", id)
 		b, _ := batch.New[bool](context.Background(), batch.WithConcurrencyNum[bool](10))
 		for _, proxy := range hc.proxies {
--- a/adapter/provider/parser.go
+++ b/adapter/provider/parser.go
@ -28,6 +28,7 @@ type proxyProviderSchema struct {
 	Filter        string            `provider:"filter,omitempty"`
 	ExcludeFilter string            `provider:"exclude-filter,omitempty"`
 	ExcludeType   string            `provider:"exclude-type,omitempty"`
+	DialerProxy   string            `provider:"dialer-proxy,omitempty"`
 	HealthCheck   healthCheckSchema `provider:"health-check,omitempty"`
 }

@ -65,6 +66,7 @@ func ParseProxyProvider(name string, mapping map[string]any) (types.ProxyProvide
 	filter := schema.Filter
 	excludeFilter := schema.ExcludeFilter
 	excludeType := schema.ExcludeType
+	dialerProxy := schema.DialerProxy

-	return NewProxySetProvider(name, interval, filter, excludeFilter, excludeType, vehicle, hc)
+	return NewProxySetProvider(name, interval, filter, excludeFilter, excludeType, dialerProxy, vehicle, hc)
 }
--- a/adapter/provider/provider.go
+++ b/adapter/provider/provider.go
@ -17,6 +17,7 @@ import (
 	C "github.com/Dreamacro/clash/constant"
 	types "github.com/Dreamacro/clash/constant/provider"
 	"github.com/Dreamacro/clash/log"
+	"github.com/Dreamacro/clash/tunnel/statistic"

 	"github.com/dlclark/regexp2"
 	"gopkg.in/yaml.v3"
@ -80,6 +81,8 @@ func (pp *proxySetProvider) Initial() error {
 		return err
 	}
 	pp.OnUpdate(elm)
+	pp.getSubscriptionInfo()
+	pp.closeAllConnections()
 	return nil
 }

@ -99,7 +102,7 @@ func (pp *proxySetProvider) setProxies(proxies []C.Proxy) {
 	pp.proxies = proxies
 	pp.healthCheck.setProxy(proxies)
 	if pp.healthCheck.auto() {
-		defer func() { go pp.healthCheck.lazyCheck() }()
+		go pp.healthCheck.check()
 	}
 }

@ -137,12 +140,24 @@ func (pp *proxySetProvider) getSubscriptionInfo() {
 	}()
 }

+func (pp *proxySetProvider) closeAllConnections() {
+	snapshot := statistic.DefaultManager.Snapshot()
+	for _, c := range snapshot.Connections {
+		for _, chain := range c.Chains() {
+			if chain == pp.Name() {
+				_ = c.Close()
+				break
+			}
+		}
+	}
+}
+
 func stopProxyProvider(pd *ProxySetProvider) {
 	pd.healthCheck.close()
 	_ = pd.Fetcher.Destroy()
 }

-func NewProxySetProvider(name string, interval time.Duration, filter string, excludeFilter string, excludeType string, vehicle types.Vehicle, hc *HealthCheck) (*ProxySetProvider, error) {
+func NewProxySetProvider(name string, interval time.Duration, filter string, excludeFilter string, excludeType string, dialerProxy string, vehicle types.Vehicle, hc *HealthCheck) (*ProxySetProvider, error) {
 	excludeFilterReg, err := regexp2.Compile(excludeFilter, 0)
 	if err != nil {
 		return nil, fmt.Errorf("invalid excludeFilter regex: %w", err)
@ -170,10 +185,8 @@ func NewProxySetProvider(name string, interval time.Duration, filter string, exc
 		healthCheck: hc,
 	}

-	fetcher := resource.NewFetcher[[]C.Proxy](name, interval, vehicle, proxiesParseAndFilter(filter, excludeFilter, excludeTypeArray, filterRegs, excludeFilterReg), proxiesOnUpdate(pd))
+	fetcher := resource.NewFetcher[[]C.Proxy](name, interval, vehicle, proxiesParseAndFilter(filter, excludeFilter, excludeTypeArray, filterRegs, excludeFilterReg, dialerProxy), proxiesOnUpdate(pd))
 	pd.Fetcher = fetcher
-
-	pd.getSubscriptionInfo()
 	wrapper := &ProxySetProvider{pd}
 	runtime.SetFinalizer(wrapper, stopProxyProvider)
 	return wrapper, nil
@ -268,7 +281,7 @@ func proxiesOnUpdate(pd *proxySetProvider) func([]C.Proxy) {
 	}
 }

-func proxiesParseAndFilter(filter string, excludeFilter string, excludeTypeArray []string, filterRegs []*regexp2.Regexp, excludeFilterReg *regexp2.Regexp) resource.Parser[[]C.Proxy] {
+func proxiesParseAndFilter(filter string, excludeFilter string, excludeTypeArray []string, filterRegs []*regexp2.Regexp, excludeFilterReg *regexp2.Regexp, dialerProxy string) resource.Parser[[]C.Proxy] {
 	return func(buf []byte) ([]C.Proxy, error) {
 		schema := &ProxySchema{}

@ -331,6 +344,9 @@ func proxiesParseAndFilter(filter string, excludeFilter string, excludeTypeArray
 				if _, ok := proxiesSet[name]; ok {
 					continue
 				}
+				if len(dialerProxy) > 0 {
+					mapping["dialer-proxy"] = dialerProxy
+				}
 				proxy, err := adapter.ParseProxy(mapping)
 				if err != nil {
 					return nil, fmt.Errorf("proxy %d error: %w", idx, err)
--- a/common/atomic/type.go
+++ b/common/atomic/type.go
@ -0,0 +1,205 @@
+package atomic
+
+import (
+	"encoding/json"
+	"fmt"
+	"strconv"
+	"sync/atomic"
+)
+
+type Bool struct {
+	atomic.Bool
+}
+
+func NewBool(val bool) *Bool {
+	i := &Bool{}
+	i.Store(val)
+	return i
+}
+
+func (i *Bool) MarshalJSON() ([]byte, error) {
+	return json.Marshal(i.Load())
+}
+
+func (i *Bool) UnmarshalJSON(b []byte) error {
+	var v bool
+	if err := json.Unmarshal(b, &v); err != nil {
+		return err
+	}
+	i.Store(v)
+	return nil
+}
+
+func (i *Bool) String() string {
+	v := i.Load()
+	return strconv.FormatBool(v)
+}
+
+type Pointer[T any] struct {
+	atomic.Pointer[T]
+}
+
+func NewPointer[T any](v *T) *Pointer[T] {
+	var p Pointer[T]
+	if v != nil {
+		p.Store(v)
+	}
+	return &p
+}
+
+func (p *Pointer[T]) MarshalJSON() ([]byte, error) {
+	return json.Marshal(p.Load())
+}
+
+func (p *Pointer[T]) UnmarshalJSON(b []byte) error {
+	var v *T
+	if err := json.Unmarshal(b, &v); err != nil {
+		return err
+	}
+	p.Store(v)
+	return nil
+}
+
+func (p *Pointer[T]) String() string {
+	return fmt.Sprint(p.Load())
+}
+
+type Int32 struct {
+	atomic.Int32
+}
+
+func NewInt32(val int32) *Int32 {
+	i := &Int32{}
+	i.Store(val)
+	return i
+}
+
+func (i *Int32) MarshalJSON() ([]byte, error) {
+	return json.Marshal(i.Load())
+}
+
+func (i *Int32) UnmarshalJSON(b []byte) error {
+	var v int32
+	if err := json.Unmarshal(b, &v); err != nil {
+		return err
+	}
+	i.Store(v)
+	return nil
+}
+
+func (i *Int32) String() string {
+	v := i.Load()
+	return strconv.FormatInt(int64(v), 10)
+}
+
+type Int64 struct {
+	atomic.Int64
+}
+
+func NewInt64(val int64) *Int64 {
+	i := &Int64{}
+	i.Store(val)
+	return i
+}
+
+func (i *Int64) MarshalJSON() ([]byte, error) {
+	return json.Marshal(i.Load())
+}
+
+func (i *Int64) UnmarshalJSON(b []byte) error {
+	var v int64
+	if err := json.Unmarshal(b, &v); err != nil {
+		return err
+	}
+	i.Store(v)
+	return nil
+}
+
+func (i *Int64) String() string {
+	v := i.Load()
+	return strconv.FormatInt(int64(v), 10)
+}
+
+type Uint32 struct {
+	atomic.Uint32
+}
+
+func NewUint32(val uint32) *Uint32 {
+	i := &Uint32{}
+	i.Store(val)
+	return i
+}
+
+func (i *Uint32) MarshalJSON() ([]byte, error) {
+	return json.Marshal(i.Load())
+}
+
+func (i *Uint32) UnmarshalJSON(b []byte) error {
+	var v uint32
+	if err := json.Unmarshal(b, &v); err != nil {
+		return err
+	}
+	i.Store(v)
+	return nil
+}
+
+func (i *Uint32) String() string {
+	v := i.Load()
+	return strconv.FormatUint(uint64(v), 10)
+}
+
+type Uint64 struct {
+	atomic.Uint64
+}
+
+func NewUint64(val uint64) *Uint64 {
+	i := &Uint64{}
+	i.Store(val)
+	return i
+}
+
+func (i *Uint64) MarshalJSON() ([]byte, error) {
+	return json.Marshal(i.Load())
+}
+
+func (i *Uint64) UnmarshalJSON(b []byte) error {
+	var v uint64
+	if err := json.Unmarshal(b, &v); err != nil {
+		return err
+	}
+	i.Store(v)
+	return nil
+}
+
+func (i *Uint64) String() string {
+	v := i.Load()
+	return strconv.FormatUint(uint64(v), 10)
+}
+
+type Uintptr struct {
+	atomic.Uintptr
+}
+
+func NewUintptr(val uintptr) *Uintptr {
+	i := &Uintptr{}
+	i.Store(val)
+	return i
+}
+
+func (i *Uintptr) MarshalJSON() ([]byte, error) {
+	return json.Marshal(i.Load())
+}
+
+func (i *Uintptr) UnmarshalJSON(b []byte) error {
+	var v uintptr
+	if err := json.Unmarshal(b, &v); err != nil {
+		return err
+	}
+	i.Store(v)
+	return nil
+}
+
+func (i *Uintptr) String() string {
+	v := i.Load()
+	return strconv.FormatUint(uint64(v), 10)
+}
--- a/common/atomic/value.go
+++ b/common/atomic/value.go
@ -0,0 +1,58 @@
+package atomic
+
+import (
+	"encoding/json"
+	"sync/atomic"
+)
+
+func DefaultValue[T any]() T {
+	var defaultValue T
+	return defaultValue
+}
+
+type TypedValue[T any] struct {
+	value atomic.Value
+}
+
+func (t *TypedValue[T]) Load() T {
+	value := t.value.Load()
+	if value == nil {
+		return DefaultValue[T]()
+	}
+	return value.(T)
+}
+
+func (t *TypedValue[T]) Store(value T) {
+	t.value.Store(value)
+}
+
+func (t *TypedValue[T]) Swap(new T) T {
+	old := t.value.Swap(new)
+	if old == nil {
+		return DefaultValue[T]()
+	}
+	return old.(T)
+}
+
+func (t *TypedValue[T]) CompareAndSwap(old, new T) bool {
+	return t.value.CompareAndSwap(old, new)
+}
+
+func (t *TypedValue[T]) MarshalJSON() ([]byte, error) {
+	return json.Marshal(t.Load())
+}
+
+func (t *TypedValue[T]) UnmarshalJSON(b []byte) error {
+	var v T
+	if err := json.Unmarshal(b, &v); err != nil {
+		return err
+	}
+	t.Store(v)
+	return nil
+}
+
+func NewTypedValue[T any](t T) *TypedValue[T] {
+	v := &TypedValue[T]{}
+	v.Store(t)
+	return v
+}
--- a/common/buf/sing.go
+++ b/common/buf/sing.go
@ -10,9 +10,11 @@ const BufferSize = buf.BufferSize
 type Buffer = buf.Buffer

 var New = buf.New
+var NewSize = buf.NewSize
 var StackNew = buf.StackNew
 var StackNewSize = buf.StackNewSize
 var With = buf.With
+var As = buf.As

 var KeepAlive = common.KeepAlive

@ -21,5 +23,7 @@ func Dup[T any](obj T) T {
 	return common.Dup(obj)
 }

-var Must = common.Must
-var Error = common.Error
+var (
+	Must  = common.Must
+	Error = common.Error
+)
--- a/common/callback/callback.go
+++ b/common/callback/callback.go
@ -1,25 +1,55 @@
 package callback

 import (
+	"github.com/Dreamacro/clash/common/buf"
+	N "github.com/Dreamacro/clash/common/net"
 	C "github.com/Dreamacro/clash/constant"
 )

-type FirstWriteCallBackConn struct {
+type firstWriteCallBackConn struct {
 	C.Conn
-	Callback func(error)
+	callback func(error)
 	written  bool
 }

-func (c *FirstWriteCallBackConn) Write(b []byte) (n int, err error) {
+func (c *firstWriteCallBackConn) Write(b []byte) (n int, err error) {
 	defer func() {
 		if !c.written {
 			c.written = true
-			c.Callback(err)
+			c.callback(err)
 		}
 	}()
 	return c.Conn.Write(b)
 }

-func (c *FirstWriteCallBackConn) Upstream() any {
+func (c *firstWriteCallBackConn) WriteBuffer(buffer *buf.Buffer) (err error) {
+	defer func() {
+		if !c.written {
+			c.written = true
+			c.callback(err)
+		}
+	}()
+	return c.Conn.WriteBuffer(buffer)
+}
+
+func (c *firstWriteCallBackConn) Upstream() any {
 	return c.Conn
 }
+
+func (c *firstWriteCallBackConn) WriterReplaceable() bool {
+	return c.written
+}
+
+func (c *firstWriteCallBackConn) ReaderReplaceable() bool {
+	return true
+}
+
+var _ N.ExtendedConn = (*firstWriteCallBackConn)(nil)
+
+func NewFirstWriteCallBackConn(c C.Conn, callback func(error)) C.Conn {
+	return &firstWriteCallBackConn{
+		Conn:     c,
+		callback: callback,
+		written:  false,
+	}
+}
--- a/common/convert/converter.go
+++ b/common/convert/converter.go
@ -5,10 +5,11 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
-	"github.com/Dreamacro/clash/log"
 	"net/url"
 	"strconv"
 	"strings"
+
+	"github.com/Dreamacro/clash/log"
 )

 // ConvertsV2Ray convert V2Ray subscribe proxies data to clash proxies config
@ -83,7 +84,7 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			trojan["port"] = urlTrojan.Port()
 			trojan["password"] = urlTrojan.User.Username()
 			trojan["udp"] = true
-			trojan["skip-cert-verify"] = false
+			trojan["skip-cert-verify"], _ = strconv.ParseBool(query.Get("allowInsecure"))

 			sni := query.Get("sni")
 			if sni != "" {
@ -201,7 +202,8 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 				vmess["servername"] = sni
 			}

-			network := strings.ToLower(values["net"].(string))
+			network, _ := values["net"].(string)
+			network = strings.ToLower(network)
 			if values["type"] == "http" {
 				network = "http"
 			} else if network == "http" {
@ -209,9 +211,12 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			}
 			vmess["network"] = network

-			tls := strings.ToLower(values["tls"].(string))
-			if strings.HasSuffix(tls, "tls") {
-				vmess["tls"] = true
+			tls, ok := values["tls"].(string)
+			if ok {
+				tls = strings.ToLower(tls)
+				if strings.HasSuffix(tls, "tls") {
+					vmess["tls"] = true
+				}
 			}

 			switch network {
--- a/common/convert/util.go
+++ b/common/convert/util.go
@ -2,12 +2,14 @@ package convert

 import (
 	"encoding/base64"
-	"github.com/metacubex/sing-shadowsocks/shadowimpl"
-	"math/rand"
 	"net/http"
 	"strings"
+	"time"

-	"github.com/gofrs/uuid"
+	"github.com/Dreamacro/clash/common/utils"
+
+	"github.com/metacubex/sing-shadowsocks/shadowimpl"
+	"github.com/zhangyunhao116/fastrand"
 )

 var hostsSuffix = []string{
@ -292,8 +294,7 @@ var (
 )

 func RandHost() string {
-	id, _ := uuid.NewV4()
-	base := strings.ToLower(base64.RawURLEncoding.EncodeToString(id.Bytes()))
+	base := strings.ToLower(base64.RawURLEncoding.EncodeToString(utils.NewUUIDV4().Bytes()))
 	base = strings.ReplaceAll(base, "-", "")
 	base = strings.ReplaceAll(base, "_", "")
 	buf := []byte(base)
@ -301,11 +302,11 @@ func RandHost() string {
 	prefix += string(buf[6:8]) + "-"
 	prefix += string(buf[len(buf)-8:])

-	return prefix + hostsSuffix[rand.Intn(hostsLen)]
+	return prefix + hostsSuffix[fastrand.Intn(hostsLen)]
 }

 func RandUserAgent() string {
-	return userAgents[rand.Intn(uaLen)]
+	return userAgents[fastrand.Intn(uaLen)]
 }

 func SetUserAgent(header http.Header) {
@ -317,6 +318,6 @@ func SetUserAgent(header http.Header) {
 }

 func VerifyMethod(cipher, password string) (err error) {
-	_, err = shadowimpl.FetchMethod(cipher, password)
+	_, err = shadowimpl.FetchMethod(cipher, password, time.Now)
 	return
 }
--- a/common/convert/v.go
+++ b/common/convert/v.go
@ -27,7 +27,7 @@ func handleVShareLink(names map[string]int, url *url.URL, scheme string, proxy m
 	proxy["skip-cert-verify"] = false
 	proxy["tls"] = false
 	tls := strings.ToLower(query.Get("security"))
-	if strings.HasSuffix(tls, "tls") {
+	if strings.HasSuffix(tls, "tls") || tls == "reality" {
 		proxy["tls"] = true
 		if fingerprint := query.Get("fp"); fingerprint == "" {
 			proxy["client-fingerprint"] = "chrome"
@ -38,6 +38,12 @@ func handleVShareLink(names map[string]int, url *url.URL, scheme string, proxy m
 	if sni := query.Get("sni"); sni != "" {
 		proxy["servername"] = sni
 	}
+	if realityPublicKey := query.Get("pbk"); realityPublicKey != "" {
+		proxy["reality-opts"] = map[string]any{
+			"public-key": realityPublicKey,
+			"short-id":   query.Get("sid"),
+		}
+	}

 	switch query.Get("packetEncoding") {
 	case "none":
--- a/common/net/addr.go
+++ b/common/net/addr.go
@ -0,0 +1,36 @@
+package net
+
+import (
+	"net"
+)
+
+type CustomAddr interface {
+	net.Addr
+	RawAddr() net.Addr
+}
+
+type customAddr struct {
+	networkStr string
+	addrStr    string
+	rawAddr    net.Addr
+}
+
+func (a customAddr) Network() string {
+	return a.networkStr
+}
+
+func (a customAddr) String() string {
+	return a.addrStr
+}
+
+func (a customAddr) RawAddr() net.Addr {
+	return a.rawAddr
+}
+
+func NewCustomAddr(networkStr string, addrStr string, rawAddr net.Addr) CustomAddr {
+	return customAddr{
+		networkStr: networkStr,
+		addrStr:    addrStr,
+		rawAddr:    rawAddr,
+	}
+}
--- a/common/net/bind.go
+++ b/common/net/bind.go
@ -3,34 +3,43 @@ package net
 import "net"

 type bindPacketConn struct {
-	net.PacketConn
+	EnhancePacketConn
 	rAddr net.Addr
 }

-func (wpc *bindPacketConn) Read(b []byte) (n int, err error) {
-	n, _, err = wpc.PacketConn.ReadFrom(b)
+func (c *bindPacketConn) Read(b []byte) (n int, err error) {
+	n, _, err = c.EnhancePacketConn.ReadFrom(b)
 	return n, err
 }

-func (wpc *bindPacketConn) Write(b []byte) (n int, err error) {
-	return wpc.PacketConn.WriteTo(b, wpc.rAddr)
+func (c *bindPacketConn) WaitRead() (data []byte, put func(), err error) {
+	data, put, _, err = c.EnhancePacketConn.WaitReadFrom()
+	return
 }

-func (wpc *bindPacketConn) RemoteAddr() net.Addr {
-	return wpc.rAddr
+func (c *bindPacketConn) Write(b []byte) (n int, err error) {
+	return c.EnhancePacketConn.WriteTo(b, c.rAddr)
 }

-func (wpc *bindPacketConn) LocalAddr() net.Addr {
-	if wpc.PacketConn.LocalAddr() == nil {
+func (c *bindPacketConn) RemoteAddr() net.Addr {
+	return c.rAddr
+}
+
+func (c *bindPacketConn) LocalAddr() net.Addr {
+	if c.EnhancePacketConn.LocalAddr() == nil {
 		return &net.UDPAddr{IP: net.IPv4zero, Port: 0}
 	} else {
-		return wpc.PacketConn.LocalAddr()
+		return c.EnhancePacketConn.LocalAddr()
 	}
 }

+func (c *bindPacketConn) Upstream() any {
+	return c.EnhancePacketConn
+}
+
 func NewBindPacketConn(pc net.PacketConn, rAddr net.Addr) net.Conn {
 	return &bindPacketConn{
-		PacketConn: pc,
-		rAddr:      rAddr,
+		EnhancePacketConn: NewEnhancePacketConn(pc),
+		rAddr:             rAddr,
 	}
 }
--- a/common/net/bufconn.go
+++ b/common/net/bufconn.go
@ -62,20 +62,35 @@ func (c *BufferedConn) Buffered() int {
 }

 func (c *BufferedConn) ReadBuffer(buffer *buf.Buffer) (err error) {
-	if c.r.Buffered() > 0 {
+	if c.r != nil && c.r.Buffered() > 0 {
 		_, err = buffer.ReadOnceFrom(c.r)
 		return
 	}
 	return c.ExtendedConn.ReadBuffer(buffer)
 }

+func (c *BufferedConn) ReadCached() *buf.Buffer { // call in sing/common/bufio.Copy
+	if c.r != nil && c.r.Buffered() > 0 {
+		length := c.r.Buffered()
+		b, _ := c.r.Peek(length)
+		_, _ = c.r.Discard(length)
+		c.r = nil // drop bufio.Reader to let gc can clean up its internal buf
+		return buf.As(b)
+	}
+	return nil
+}
+
 func (c *BufferedConn) Upstream() any {
 	return c.ExtendedConn
 }

 func (c *BufferedConn) ReaderReplaceable() bool {
-	if c.r.Buffered() > 0 {
+	if c.r != nil && c.r.Buffered() > 0 {
 		return false
 	}
 	return true
 }
+
+func (c *BufferedConn) WriterReplaceable() bool {
+	return true
+}
--- a/common/net/deadline/packet.go
+++ b/common/net/deadline/packet.go
@ -0,0 +1,154 @@
+package deadline
+
+import (
+	"net"
+	"os"
+	"runtime"
+	"time"
+
+	"github.com/Dreamacro/clash/common/atomic"
+	"github.com/Dreamacro/clash/common/net/packet"
+)
+
+type readResult struct {
+	data []byte
+	addr net.Addr
+	err  error
+}
+
+type NetPacketConn struct {
+	net.PacketConn
+	deadline     atomic.TypedValue[time.Time]
+	pipeDeadline pipeDeadline
+	disablePipe  atomic.Bool
+	inRead       atomic.Bool
+	resultCh     chan any
+}
+
+func NewNetPacketConn(pc net.PacketConn) net.PacketConn {
+	npc := &NetPacketConn{
+		PacketConn:   pc,
+		pipeDeadline: makePipeDeadline(),
+		resultCh:     make(chan any, 1),
+	}
+	npc.resultCh <- nil
+	if enhancePC, isEnhance := pc.(packet.EnhancePacketConn); isEnhance {
+		epc := &EnhancePacketConn{
+			NetPacketConn: npc,
+			enhancePacketConn: enhancePacketConn{
+				netPacketConn:     npc,
+				enhancePacketConn: enhancePC,
+			},
+		}
+		if singPC, isSingPC := pc.(packet.SingPacketConn); isSingPC {
+			return &EnhanceSingPacketConn{
+				EnhancePacketConn: epc,
+				singPacketConn: singPacketConn{
+					netPacketConn:  npc,
+					singPacketConn: singPC,
+				},
+			}
+		}
+		return epc
+	}
+	if singPC, isSingPC := pc.(packet.SingPacketConn); isSingPC {
+		return &SingPacketConn{
+			NetPacketConn: npc,
+			singPacketConn: singPacketConn{
+				netPacketConn:  npc,
+				singPacketConn: singPC,
+			},
+		}
+	}
+	return npc
+}
+
+func (c *NetPacketConn) ReadFrom(p []byte) (n int, addr net.Addr, err error) {
+FOR:
+	for {
+		select {
+		case result := <-c.resultCh:
+			if result != nil {
+				if result, ok := result.(*readResult); ok {
+					n = copy(p, result.data)
+					addr = result.addr
+					err = result.err
+					c.resultCh <- nil // finish cache read
+					return
+				}
+				c.resultCh <- result // another type of read
+				runtime.Gosched()    // allowing other goroutines to run
+				continue FOR
+			} else {
+				c.resultCh <- nil
+				break FOR
+			}
+		case <-c.pipeDeadline.wait():
+			return 0, nil, os.ErrDeadlineExceeded
+		}
+	}
+
+	if c.disablePipe.Load() {
+		return c.PacketConn.ReadFrom(p)
+	} else if c.deadline.Load().IsZero() {
+		c.inRead.Store(true)
+		defer c.inRead.Store(false)
+		n, addr, err = c.PacketConn.ReadFrom(p)
+		return
+	}
+
+	<-c.resultCh
+	go c.pipeReadFrom(len(p))
+
+	return c.ReadFrom(p)
+}
+
+func (c *NetPacketConn) pipeReadFrom(size int) {
+	buffer := make([]byte, size)
+	n, addr, err := c.PacketConn.ReadFrom(buffer)
+	buffer = buffer[:n]
+	result := &readResult{}
+	result.data = buffer
+	result.addr = addr
+	result.err = err
+	c.resultCh <- result
+}
+
+func (c *NetPacketConn) SetReadDeadline(t time.Time) error {
+	if c.disablePipe.Load() {
+		return c.PacketConn.SetReadDeadline(t)
+	} else if c.inRead.Load() {
+		c.disablePipe.Store(true)
+		return c.PacketConn.SetReadDeadline(t)
+	}
+	c.deadline.Store(t)
+	c.pipeDeadline.set(t)
+	return nil
+}
+
+func (c *NetPacketConn) ReaderReplaceable() bool {
+	select {
+	case result := <-c.resultCh:
+		c.resultCh <- result
+		if result != nil {
+			return false // cache reading
+		} else {
+			break
+		}
+	default:
+		return false // pipe reading
+	}
+	return c.disablePipe.Load() || c.deadline.Load().IsZero()
+}
+
+func (c *NetPacketConn) WriterReplaceable() bool {
+	return true
+}
+
+func (c *NetPacketConn) Upstream() any {
+	return c.PacketConn
+}
+
+func (c *NetPacketConn) NeedAdditionalReadDeadline() bool {
+	return false
+}
--- a/common/net/deadline/packet_enhance.go
+++ b/common/net/deadline/packet_enhance.go
@ -0,0 +1,83 @@
+package deadline
+
+import (
+	"net"
+	"os"
+	"runtime"
+
+	"github.com/Dreamacro/clash/common/net/packet"
+)
+
+type EnhancePacketConn struct {
+	*NetPacketConn
+	enhancePacketConn
+}
+
+var _ packet.EnhancePacketConn = (*EnhancePacketConn)(nil)
+
+func NewEnhancePacketConn(pc packet.EnhancePacketConn) packet.EnhancePacketConn {
+	return NewNetPacketConn(pc).(packet.EnhancePacketConn)
+}
+
+type enhanceReadResult struct {
+	data []byte
+	put  func()
+	addr net.Addr
+	err  error
+}
+
+type enhancePacketConn struct {
+	netPacketConn     *NetPacketConn
+	enhancePacketConn packet.EnhancePacketConn
+}
+
+func (c *enhancePacketConn) WaitReadFrom() (data []byte, put func(), addr net.Addr, err error) {
+FOR:
+	for {
+		select {
+		case result := <-c.netPacketConn.resultCh:
+			if result != nil {
+				if result, ok := result.(*enhanceReadResult); ok {
+					data = result.data
+					put = result.put
+					addr = result.addr
+					err = result.err
+					c.netPacketConn.resultCh <- nil // finish cache read
+					return
+				}
+				c.netPacketConn.resultCh <- result // another type of read
+				runtime.Gosched()                  // allowing other goroutines to run
+				continue FOR
+			} else {
+				c.netPacketConn.resultCh <- nil
+				break FOR
+			}
+		case <-c.netPacketConn.pipeDeadline.wait():
+			return nil, nil, nil, os.ErrDeadlineExceeded
+		}
+	}
+
+	if c.netPacketConn.disablePipe.Load() {
+		return c.enhancePacketConn.WaitReadFrom()
+	} else if c.netPacketConn.deadline.Load().IsZero() {
+		c.netPacketConn.inRead.Store(true)
+		defer c.netPacketConn.inRead.Store(false)
+		data, put, addr, err = c.enhancePacketConn.WaitReadFrom()
+		return
+	}
+
+	<-c.netPacketConn.resultCh
+	go c.pipeWaitReadFrom()
+
+	return c.WaitReadFrom()
+}
+
+func (c *enhancePacketConn) pipeWaitReadFrom() {
+	data, put, addr, err := c.enhancePacketConn.WaitReadFrom()
+	result := &enhanceReadResult{}
+	result.data = data
+	result.put = put
+	result.addr = addr
+	result.err = err
+	c.netPacketConn.resultCh <- result
+}
--- a/common/net/deadline/packet_sing.go
+++ b/common/net/deadline/packet_sing.go
@ -0,0 +1,177 @@
+package deadline
+
+import (
+	"os"
+	"runtime"
+
+	"github.com/Dreamacro/clash/common/net/packet"
+	"github.com/sagernet/sing/common/buf"
+	"github.com/sagernet/sing/common/bufio"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+)
+
+type SingPacketConn struct {
+	*NetPacketConn
+	singPacketConn
+}
+
+var _ packet.SingPacketConn = (*SingPacketConn)(nil)
+
+func NewSingPacketConn(pc packet.SingPacketConn) packet.SingPacketConn {
+	return NewNetPacketConn(pc).(packet.SingPacketConn)
+}
+
+type EnhanceSingPacketConn struct {
+	*EnhancePacketConn
+	singPacketConn
+}
+
+func NewEnhanceSingPacketConn(pc packet.EnhanceSingPacketConn) packet.EnhanceSingPacketConn {
+	return NewNetPacketConn(pc).(packet.EnhanceSingPacketConn)
+}
+
+var _ packet.EnhanceSingPacketConn = (*EnhanceSingPacketConn)(nil)
+
+type singReadResult struct {
+	buffer      *buf.Buffer
+	destination M.Socksaddr
+	err         error
+}
+
+type singPacketConn struct {
+	netPacketConn  *NetPacketConn
+	singPacketConn packet.SingPacketConn
+}
+
+func (c *singPacketConn) ReadPacket(buffer *buf.Buffer) (destination M.Socksaddr, err error) {
+FOR:
+	for {
+		select {
+		case result := <-c.netPacketConn.resultCh:
+			if result != nil {
+				if result, ok := result.(*singReadResult); ok {
+					destination = result.destination
+					err = result.err
+					n, _ := buffer.Write(result.buffer.Bytes())
+					result.buffer.Advance(n)
+					if result.buffer.IsEmpty() {
+						result.buffer.Release()
+					}
+					c.netPacketConn.resultCh <- nil // finish cache read
+					return
+				}
+				c.netPacketConn.resultCh <- result // another type of read
+				runtime.Gosched()                  // allowing other goroutines to run
+				continue FOR
+			} else {
+				c.netPacketConn.resultCh <- nil
+				break FOR
+			}
+		case <-c.netPacketConn.pipeDeadline.wait():
+			return M.Socksaddr{}, os.ErrDeadlineExceeded
+		}
+	}
+
+	if c.netPacketConn.disablePipe.Load() {
+		return c.singPacketConn.ReadPacket(buffer)
+	} else if c.netPacketConn.deadline.Load().IsZero() {
+		c.netPacketConn.inRead.Store(true)
+		defer c.netPacketConn.inRead.Store(false)
+		destination, err = c.singPacketConn.ReadPacket(buffer)
+		return
+	}
+
+	<-c.netPacketConn.resultCh
+	go c.pipeReadPacket(buffer.FreeLen())
+
+	return c.ReadPacket(buffer)
+}
+
+func (c *singPacketConn) pipeReadPacket(pLen int) {
+	buffer := buf.NewSize(pLen)
+	destination, err := c.singPacketConn.ReadPacket(buffer)
+	result := &singReadResult{}
+	result.destination = destination
+	result.err = err
+	c.netPacketConn.resultCh <- result
+}
+
+func (c *singPacketConn) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
+	return c.singPacketConn.WritePacket(buffer, destination)
+}
+
+func (c *singPacketConn) CreateReadWaiter() (N.PacketReadWaiter, bool) {
+	prw, isReadWaiter := bufio.CreatePacketReadWaiter(c.singPacketConn)
+	if isReadWaiter {
+		return &singPacketReadWaiter{
+			netPacketConn:    c.netPacketConn,
+			packetReadWaiter: prw,
+		}, true
+	}
+	return nil, false
+}
+
+var _ N.PacketReadWaiter = (*singPacketReadWaiter)(nil)
+
+type singPacketReadWaiter struct {
+	netPacketConn    *NetPacketConn
+	packetReadWaiter N.PacketReadWaiter
+}
+
+type singWaitReadResult singReadResult
+
+func (c *singPacketReadWaiter) InitializeReadWaiter(newBuffer func() *buf.Buffer) {
+	c.packetReadWaiter.InitializeReadWaiter(newBuffer)
+}
+
+func (c *singPacketReadWaiter) WaitReadPacket() (destination M.Socksaddr, err error) {
+FOR:
+	for {
+		select {
+		case result := <-c.netPacketConn.resultCh:
+			if result != nil {
+				if result, ok := result.(*singWaitReadResult); ok {
+					destination = result.destination
+					err = result.err
+					c.netPacketConn.resultCh <- nil // finish cache read
+					return
+				}
+				c.netPacketConn.resultCh <- result // another type of read
+				runtime.Gosched()                  // allowing other goroutines to run
+				continue FOR
+			} else {
+				c.netPacketConn.resultCh <- nil
+				break FOR
+			}
+		case <-c.netPacketConn.pipeDeadline.wait():
+			return M.Socksaddr{}, os.ErrDeadlineExceeded
+		}
+	}
+
+	if c.netPacketConn.disablePipe.Load() {
+		return c.packetReadWaiter.WaitReadPacket()
+	} else if c.netPacketConn.deadline.Load().IsZero() {
+		c.netPacketConn.inRead.Store(true)
+		defer c.netPacketConn.inRead.Store(false)
+		destination, err = c.packetReadWaiter.WaitReadPacket()
+		return
+	}
+
+	<-c.netPacketConn.resultCh
+	go c.pipeWaitReadPacket()
+
+	return c.WaitReadPacket()
+}
+
+func (c *singPacketReadWaiter) pipeWaitReadPacket() {
+	destination, err := c.packetReadWaiter.WaitReadPacket()
+	result := &singWaitReadResult{}
+	result.destination = destination
+	result.err = err
+	c.netPacketConn.resultCh <- result
+}
+
+func (c *singPacketReadWaiter) Upstream() any {
+	return c.packetReadWaiter
+}
--- a/common/net/deadline/pipe.go
+++ b/common/net/deadline/pipe.go
@ -0,0 +1,84 @@
+// Copyright 2010 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package deadline
+
+import (
+	"sync"
+	"time"
+)
+
+// pipeDeadline is an abstraction for handling timeouts.
+type pipeDeadline struct {
+	mu     sync.Mutex // Guards timer and cancel
+	timer  *time.Timer
+	cancel chan struct{} // Must be non-nil
+}
+
+func makePipeDeadline() pipeDeadline {
+	return pipeDeadline{cancel: make(chan struct{})}
+}
+
+// set sets the point in time when the deadline will time out.
+// A timeout event is signaled by closing the channel returned by waiter.
+// Once a timeout has occurred, the deadline can be refreshed by specifying a
+// t value in the future.
+//
+// A zero value for t prevents timeout.
+func (d *pipeDeadline) set(t time.Time) {
+	d.mu.Lock()
+	defer d.mu.Unlock()
+
+	if d.timer != nil && !d.timer.Stop() {
+		<-d.cancel // Wait for the timer callback to finish and close cancel
+	}
+	d.timer = nil
+
+	// Time is zero, then there is no deadline.
+	closed := isClosedChan(d.cancel)
+	if t.IsZero() {
+		if closed {
+			d.cancel = make(chan struct{})
+		}
+		return
+	}
+
+	// Time in the future, setup a timer to cancel in the future.
+	if dur := time.Until(t); dur > 0 {
+		if closed {
+			d.cancel = make(chan struct{})
+		}
+		d.timer = time.AfterFunc(dur, func() {
+			close(d.cancel)
+		})
+		return
+	}
+
+	// Time in the past, so close immediately.
+	if !closed {
+		close(d.cancel)
+	}
+}
+
+// wait returns a channel that is closed when the deadline is exceeded.
+func (d *pipeDeadline) wait() chan struct{} {
+	d.mu.Lock()
+	defer d.mu.Unlock()
+	return d.cancel
+}
+
+func isClosedChan(c <-chan struct{}) bool {
+	select {
+	case <-c:
+		return true
+	default:
+		return false
+	}
+}
+
+func makeFilledChan() chan struct{} {
+	ch := make(chan struct{}, 1)
+	ch <- struct{}{}
+	return ch
+}
--- a/common/net/packet.go
+++ b/common/net/packet.go
@ -0,0 +1,18 @@
+package net
+
+import (
+	"github.com/Dreamacro/clash/common/net/deadline"
+	"github.com/Dreamacro/clash/common/net/packet"
+)
+
+type EnhancePacketConn = packet.EnhancePacketConn
+type WaitReadFrom = packet.WaitReadFrom
+
+var NewEnhancePacketConn = packet.NewEnhancePacketConn
+var NewThreadSafePacketConn = packet.NewThreadSafePacketConn
+var NewRefPacketConn = packet.NewRefPacketConn
+
+var NewDeadlineNetPacketConn = deadline.NewNetPacketConn
+var NewDeadlineEnhancePacketConn = deadline.NewEnhancePacketConn
+var NewDeadlineSingPacketConn = deadline.NewSingPacketConn
+var NewDeadlineEnhanceSingPacketConn = deadline.NewEnhanceSingPacketConn
--- a/common/net/packet/packet.go
+++ b/common/net/packet/packet.go
@ -0,0 +1,77 @@
+package packet
+
+import (
+	"net"
+
+	"github.com/Dreamacro/clash/common/pool"
+)
+
+type WaitReadFrom interface {
+	WaitReadFrom() (data []byte, put func(), addr net.Addr, err error)
+}
+
+type EnhancePacketConn interface {
+	net.PacketConn
+	WaitReadFrom
+}
+
+func NewEnhancePacketConn(pc net.PacketConn) EnhancePacketConn {
+	if udpConn, isUDPConn := pc.(*net.UDPConn); isUDPConn {
+		return &enhanceUDPConn{UDPConn: udpConn}
+	}
+	if enhancePC, isEnhancePC := pc.(EnhancePacketConn); isEnhancePC {
+		return enhancePC
+	}
+	if singPC, isSingPC := pc.(SingPacketConn); isSingPC {
+		return newEnhanceSingPacketConn(singPC)
+	}
+	return &enhancePacketConn{PacketConn: pc}
+}
+
+type enhancePacketConn struct {
+	net.PacketConn
+}
+
+func (c *enhancePacketConn) WaitReadFrom() (data []byte, put func(), addr net.Addr, err error) {
+	return waitReadFrom(c.PacketConn)
+}
+
+func (c *enhancePacketConn) Upstream() any {
+	return c.PacketConn
+}
+
+func (c *enhancePacketConn) WriterReplaceable() bool {
+	return true
+}
+
+func (c *enhancePacketConn) ReaderReplaceable() bool {
+	return true
+}
+
+func (c *enhanceUDPConn) Upstream() any {
+	return c.UDPConn
+}
+
+func (c *enhanceUDPConn) WriterReplaceable() bool {
+	return true
+}
+
+func (c *enhanceUDPConn) ReaderReplaceable() bool {
+	return true
+}
+
+func waitReadFrom(pc net.PacketConn) (data []byte, put func(), addr net.Addr, err error) {
+	readBuf := pool.Get(pool.UDPBufferSize)
+	put = func() {
+		_ = pool.Put(readBuf)
+	}
+	var readN int
+	readN, addr, err = pc.ReadFrom(readBuf)
+	if readN > 0 {
+		data = readBuf[:readN]
+	} else {
+		put()
+		put = nil
+	}
+	return
+}
--- a/common/net/packet/packet_posix.go
+++ b/common/net/packet/packet_posix.go
@ -0,0 +1,65 @@
+//go:build !windows
+
+package packet
+
+import (
+	"net"
+	"strconv"
+	"syscall"
+
+	"github.com/Dreamacro/clash/common/pool"
+)
+
+type enhanceUDPConn struct {
+	*net.UDPConn
+	rawConn syscall.RawConn
+}
+
+func (c *enhanceUDPConn) WaitReadFrom() (data []byte, put func(), addr net.Addr, err error) {
+	if c.rawConn == nil {
+		c.rawConn, _ = c.UDPConn.SyscallConn()
+	}
+	var readErr error
+	err = c.rawConn.Read(func(fd uintptr) (done bool) {
+		readBuf := pool.Get(pool.UDPBufferSize)
+		put = func() {
+			_ = pool.Put(readBuf)
+		}
+		var readFrom syscall.Sockaddr
+		var readN int
+		readN, _, _, readFrom, readErr = syscall.Recvmsg(int(fd), readBuf, nil, 0)
+		if readN > 0 {
+			data = readBuf[:readN]
+		} else {
+			put()
+			put = nil
+			data = nil
+		}
+		if readErr == syscall.EAGAIN {
+			return false
+		}
+		if readFrom != nil {
+			switch from := readFrom.(type) {
+			case *syscall.SockaddrInet4:
+				ip := from.Addr // copy from.Addr; ip escapes, so this line allocates 4 bytes
+				addr = &net.UDPAddr{IP: ip[:], Port: from.Port}
+			case *syscall.SockaddrInet6:
+				ip := from.Addr // copy from.Addr; ip escapes, so this line allocates 16 bytes
+				addr = &net.UDPAddr{IP: ip[:], Port: from.Port, Zone: strconv.FormatInt(int64(from.ZoneId), 10)}
+			}
+		}
+		// udp should not convert readN == 0 to io.EOF
+		//if readN == 0 {
+		//	readErr = io.EOF
+		//}
+		return true
+	})
+	if err != nil {
+		return
+	}
+	if readErr != nil {
+		err = readErr
+		return
+	}
+	return
+}
--- a/common/net/packet/packet_sing.go
+++ b/common/net/packet/packet_sing.go
@ -0,0 +1,79 @@
+package packet
+
+import (
+	"net"
+
+	"github.com/sagernet/sing/common/buf"
+	"github.com/sagernet/sing/common/bufio"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+)
+
+type SingPacketConn = N.NetPacketConn
+
+type EnhanceSingPacketConn interface {
+	SingPacketConn
+	EnhancePacketConn
+}
+
+type enhanceSingPacketConn struct {
+	SingPacketConn
+	packetReadWaiter N.PacketReadWaiter
+}
+
+func (c *enhanceSingPacketConn) WaitReadFrom() (data []byte, put func(), addr net.Addr, err error) {
+	var buff *buf.Buffer
+	var dest M.Socksaddr
+	newBuffer := func() *buf.Buffer {
+		buff = buf.NewPacket() // do not use stack buffer
+		return buff
+	}
+	if c.packetReadWaiter != nil {
+		c.packetReadWaiter.InitializeReadWaiter(newBuffer)
+		defer c.packetReadWaiter.InitializeReadWaiter(nil)
+		dest, err = c.packetReadWaiter.WaitReadPacket()
+	} else {
+		dest, err = c.SingPacketConn.ReadPacket(newBuffer())
+	}
+	if dest.IsFqdn() {
+		addr = dest
+	} else {
+		addr = dest.UDPAddr()
+	}
+	if err != nil {
+		if buff != nil {
+			buff.Release()
+		}
+		return
+	}
+	if buff == nil {
+		return
+	}
+	if buff.IsEmpty() {
+		buff.Release()
+		return
+	}
+	data = buff.Bytes()
+	put = buff.Release
+	return
+}
+
+func (c *enhanceSingPacketConn) Upstream() any {
+	return c.SingPacketConn
+}
+
+func (c *enhanceSingPacketConn) WriterReplaceable() bool {
+	return true
+}
+
+func (c *enhanceSingPacketConn) ReaderReplaceable() bool {
+	return true
+}
+
+func newEnhanceSingPacketConn(conn SingPacketConn) *enhanceSingPacketConn {
+	epc := &enhanceSingPacketConn{SingPacketConn: conn}
+	if readWaiter, isReadWaiter := bufio.CreatePacketReadWaiter(conn); isReadWaiter {
+		epc.packetReadWaiter = readWaiter
+	}
+	return epc
+}
--- a/common/net/packet/packet_windows.go
+++ b/common/net/packet/packet_windows.go
@ -0,0 +1,15 @@
+//go:build windows
+
+package packet
+
+import (
+	"net"
+)
+
+type enhanceUDPConn struct {
+	*net.UDPConn
+}
+
+func (c *enhanceUDPConn) WaitReadFrom() (data []byte, put func(), addr net.Addr, err error) {
+	return waitReadFrom(c.UDPConn)
+}
--- a/common/net/packet/ref.go
+++ b/common/net/packet/ref.go
@ -0,0 +1,75 @@
+package packet
+
+import (
+	"net"
+	"runtime"
+	"time"
+)
+
+type refPacketConn struct {
+	pc  EnhancePacketConn
+	ref any
+}
+
+func (c *refPacketConn) WaitReadFrom() (data []byte, put func(), addr net.Addr, err error) {
+	defer runtime.KeepAlive(c.ref)
+	return c.pc.WaitReadFrom()
+}
+
+func (c *refPacketConn) ReadFrom(p []byte) (n int, addr net.Addr, err error) {
+	defer runtime.KeepAlive(c.ref)
+	return c.pc.ReadFrom(p)
+}
+
+func (c *refPacketConn) WriteTo(p []byte, addr net.Addr) (n int, err error) {
+	defer runtime.KeepAlive(c.ref)
+	return c.pc.WriteTo(p, addr)
+}
+
+func (c *refPacketConn) Close() error {
+	defer runtime.KeepAlive(c.ref)
+	return c.pc.Close()
+}
+
+func (c *refPacketConn) LocalAddr() net.Addr {
+	defer runtime.KeepAlive(c.ref)
+	return c.pc.LocalAddr()
+}
+
+func (c *refPacketConn) SetDeadline(t time.Time) error {
+	defer runtime.KeepAlive(c.ref)
+	return c.pc.SetDeadline(t)
+}
+
+func (c *refPacketConn) SetReadDeadline(t time.Time) error {
+	defer runtime.KeepAlive(c.ref)
+	return c.pc.SetReadDeadline(t)
+}
+
+func (c *refPacketConn) SetWriteDeadline(t time.Time) error {
+	defer runtime.KeepAlive(c.ref)
+	return c.pc.SetWriteDeadline(t)
+}
+
+func (c *refPacketConn) Upstream() any {
+	return c.pc
+}
+
+func (c *refPacketConn) ReaderReplaceable() bool { // Relay() will handle reference
+	return true
+}
+
+func (c *refPacketConn) WriterReplaceable() bool { // Relay() will handle reference
+	return true
+}
+
+func NewRefPacketConn(pc net.PacketConn, ref any) EnhancePacketConn {
+	rPC := &refPacketConn{pc: NewEnhancePacketConn(pc), ref: ref}
+	if singPC, isSingPC := pc.(SingPacketConn); isSingPC {
+		return &refSingPacketConn{
+			refPacketConn:  rPC,
+			singPacketConn: singPC,
+		}
+	}
+	return rPC
+}
--- a/common/net/packet/ref_sing.go
+++ b/common/net/packet/ref_sing.go
@ -0,0 +1,26 @@
+package packet
+
+import (
+	"runtime"
+
+	"github.com/sagernet/sing/common/buf"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+)
+
+type refSingPacketConn struct {
+	*refPacketConn
+	singPacketConn SingPacketConn
+}
+
+var _ N.NetPacketConn = (*refSingPacketConn)(nil)
+
+func (c *refSingPacketConn) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
+	defer runtime.KeepAlive(c.ref)
+	return c.singPacketConn.WritePacket(buffer, destination)
+}
+
+func (c *refSingPacketConn) ReadPacket(buffer *buf.Buffer) (destination M.Socksaddr, err error) {
+	defer runtime.KeepAlive(c.ref)
+	return c.singPacketConn.ReadPacket(buffer)
+}
--- a/common/net/packet/thread.go
+++ b/common/net/packet/thread.go
@ -0,0 +1,36 @@
+package packet
+
+import (
+	"net"
+	"sync"
+)
+
+type threadSafePacketConn struct {
+	EnhancePacketConn
+	access sync.Mutex
+}
+
+func (c *threadSafePacketConn) WriteTo(b []byte, addr net.Addr) (int, error) {
+	c.access.Lock()
+	defer c.access.Unlock()
+	return c.EnhancePacketConn.WriteTo(b, addr)
+}
+
+func (c *threadSafePacketConn) Upstream() any {
+	return c.EnhancePacketConn
+}
+
+func (c *threadSafePacketConn) ReaderReplaceable() bool {
+	return true
+}
+
+func NewThreadSafePacketConn(pc net.PacketConn) EnhancePacketConn {
+	tsPC := &threadSafePacketConn{EnhancePacketConn: NewEnhancePacketConn(pc)}
+	if singPC, isSingPC := pc.(SingPacketConn); isSingPC {
+		return &threadSafeSingPacketConn{
+			threadSafePacketConn: tsPC,
+			singPacketConn:       singPC,
+		}
+	}
+	return tsPC
+}
--- a/common/net/packet/thread_sing.go
+++ b/common/net/packet/thread_sing.go
@ -0,0 +1,24 @@
+package packet
+
+import (
+	"github.com/sagernet/sing/common/buf"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+)
+
+type threadSafeSingPacketConn struct {
+	*threadSafePacketConn
+	singPacketConn SingPacketConn
+}
+
+var _ N.NetPacketConn = (*threadSafeSingPacketConn)(nil)
+
+func (c *threadSafeSingPacketConn) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
+	c.access.Lock()
+	defer c.access.Unlock()
+	return c.singPacketConn.WritePacket(buffer, destination)
+}
+
+func (c *threadSafeSingPacketConn) ReadPacket(buffer *buf.Buffer) (destination M.Socksaddr, err error) {
+	return c.singPacketConn.ReadPacket(buffer)
+}
--- a/common/net/refconn.go
+++ b/common/net/refconn.go
@ -4,10 +4,12 @@ import (
 	"net"
 	"runtime"
 	"time"
+
+	"github.com/Dreamacro/clash/common/buf"
 )

 type refConn struct {
-	conn net.Conn
+	conn ExtendedConn
 	ref  any
 }

@ -55,50 +57,26 @@ func (c *refConn) Upstream() any {
 	return c.conn
 }

+func (c *refConn) ReadBuffer(buffer *buf.Buffer) error {
+	defer runtime.KeepAlive(c.ref)
+	return c.conn.ReadBuffer(buffer)
+}
+
+func (c *refConn) WriteBuffer(buffer *buf.Buffer) error {
+	defer runtime.KeepAlive(c.ref)
+	return c.conn.WriteBuffer(buffer)
+}
+
+func (c *refConn) ReaderReplaceable() bool { // Relay() will handle reference
+	return true
+}
+
+func (c *refConn) WriterReplaceable() bool { // Relay() will handle reference
+	return true
+}
+
+var _ ExtendedConn = (*refConn)(nil)
+
 func NewRefConn(conn net.Conn, ref any) net.Conn {
-	return &refConn{conn: conn, ref: ref}
-}
-
-type refPacketConn struct {
-	pc  net.PacketConn
-	ref any
-}
-
-func (pc *refPacketConn) ReadFrom(p []byte) (n int, addr net.Addr, err error) {
-	defer runtime.KeepAlive(pc.ref)
-	return pc.pc.ReadFrom(p)
-}
-
-func (pc *refPacketConn) WriteTo(p []byte, addr net.Addr) (n int, err error) {
-	defer runtime.KeepAlive(pc.ref)
-	return pc.pc.WriteTo(p, addr)
-}
-
-func (pc *refPacketConn) Close() error {
-	defer runtime.KeepAlive(pc.ref)
-	return pc.pc.Close()
-}
-
-func (pc *refPacketConn) LocalAddr() net.Addr {
-	defer runtime.KeepAlive(pc.ref)
-	return pc.pc.LocalAddr()
-}
-
-func (pc *refPacketConn) SetDeadline(t time.Time) error {
-	defer runtime.KeepAlive(pc.ref)
-	return pc.pc.SetDeadline(t)
-}
-
-func (pc *refPacketConn) SetReadDeadline(t time.Time) error {
-	defer runtime.KeepAlive(pc.ref)
-	return pc.pc.SetReadDeadline(t)
-}
-
-func (pc *refPacketConn) SetWriteDeadline(t time.Time) error {
-	defer runtime.KeepAlive(pc.ref)
-	return pc.pc.SetWriteDeadline(t)
-}
-
-func NewRefPacketConn(pc net.PacketConn, ref any) net.PacketConn {
-	return &refPacketConn{pc: pc, ref: ref}
+	return &refConn{conn: NewExtendedConn(conn), ref: ref}
 }
--- a/common/net/sing.go
+++ b/common/net/sing.go
@ -3,8 +3,11 @@ package net
 import (
 	"context"
 	"net"
+	"runtime"

+	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/bufio"
+	"github.com/sagernet/sing/common/bufio/deadline"
 	"github.com/sagernet/sing/common/network"
 )

@ -16,7 +19,22 @@ type ExtendedConn = network.ExtendedConn
 type ExtendedWriter = network.ExtendedWriter
 type ExtendedReader = network.ExtendedReader

+func NewDeadlineConn(conn net.Conn) ExtendedConn {
+	return deadline.NewFallbackConn(conn)
+}
+
+func NeedHandshake(conn any) bool {
+	if earlyConn, isEarlyConn := common.Cast[network.EarlyConn](conn); isEarlyConn && earlyConn.NeedHandshake() {
+		return true
+	}
+	return false
+}
+
+type CountFunc = network.CountFunc
+
 // Relay copies between left and right bidirectionally.
 func Relay(leftConn, rightConn net.Conn) {
+	defer runtime.KeepAlive(leftConn)
+	defer runtime.KeepAlive(rightConn)
 	_ = bufio.CopyConn(context.TODO(), leftConn, rightConn)
 }
--- a/common/net/tls.go
+++ b/common/net/tls.go
@ -11,7 +11,7 @@ import (
 )

 func ParseCert(certificate, privateKey string) (tls.Certificate, error) {
-	if certificate == "" || privateKey == "" {
+	if certificate == "" && privateKey == "" {
 		return newRandomTLSKeyPair()
 	}
 	cert, painTextErr := tls.X509KeyPair([]byte(certificate), []byte(privateKey))
--- a/common/observable/observable_test.go
+++ b/common/observable/observable_test.go
@ -5,8 +5,9 @@ import (
 	"testing"
 	"time"

+	"github.com/Dreamacro/clash/common/atomic"
+
 	"github.com/stretchr/testify/assert"
-	"go.uber.org/atomic"
 )

 func iterator[T any](item []T) chan T {
@ -44,7 +45,7 @@ func TestObservable_MultiSubscribe(t *testing.T) {
 	wg.Add(2)
 	waitCh := func(ch <-chan int) {
 		for range ch {
-			count.Inc()
+			count.Add(1)
 		}
 		wg.Done()
 	}
--- a/common/pool/alloc_test.go
+++ b/common/pool/alloc_test.go
@ -1,10 +1,10 @@
 package pool

 import (
-	"math/rand"
 	"testing"

 	"github.com/stretchr/testify/assert"
+	"github.com/zhangyunhao116/fastrand"
 )

 func TestAllocGet(t *testing.T) {
@ -43,6 +43,6 @@ func TestAllocPutThenGet(t *testing.T) {

 func BenchmarkMSB(b *testing.B) {
 	for i := 0; i < b.N; i++ {
-		msb(rand.Int())
+		msb(fastrand.Int())
 	}
 }
--- a/common/pool/buffer_low_memory.go
+++ b/common/pool/buffer_low_memory.go
@ -0,0 +1,15 @@
+//go:build with_low_memory
+
+package pool
+
+const (
+	// io.Copy default buffer size is 32 KiB
+	// but the maximum packet size of vmess/shadowsocks is about 16 KiB
+	// so define a buffer of 20 KiB to reduce the memory of each TCP relay
+	RelayBufferSize = 16 * 1024
+
+	// RelayBufferSize uses 20KiB, but due to the allocator it will actually
+	// request 32Kib. Most UDPs are smaller than the MTU, and the TUN's MTU
+	// set to 9000, so the UDP Buffer size set to 16Kib
+	UDPBufferSize = 8 * 1024
+)
--- a/common/pool/buffer_standard.go
+++ b/common/pool/buffer_standard.go
@ -0,0 +1,15 @@
+//go:build !with_low_memory
+
+package pool
+
+const (
+	// io.Copy default buffer size is 32 KiB
+	// but the maximum packet size of vmess/shadowsocks is about 16 KiB
+	// so define a buffer of 20 KiB to reduce the memory of each TCP relay
+	RelayBufferSize = 20 * 1024
+
+	// RelayBufferSize uses 20KiB, but due to the allocator it will actually
+	// request 32Kib. Most UDPs are smaller than the MTU, and the TUN's MTU
+	// set to 9000, so the UDP Buffer size set to 16Kib
+	UDPBufferSize = 16 * 1024
+)
--- a/common/pool/pool.go
+++ b/common/pool/pool.go
@ -1,17 +1,5 @@
 package pool

-const (
-	// io.Copy default buffer size is 32 KiB
-	// but the maximum packet size of vmess/shadowsocks is about 16 KiB
-	// so define a buffer of 20 KiB to reduce the memory of each TCP relay
-	RelayBufferSize = 20 * 1024
-
-	// RelayBufferSize uses 20KiB, but due to the allocator it will actually
-	// request 32Kib. Most UDPs are smaller than the MTU, and the TUN's MTU
-	// set to 9000, so the UDP Buffer size set to 16Kib
-	UDPBufferSize = 16 * 1024
-)
-
 func Get(size int) []byte {
 	return defaultAllocator.Get(size)
 }
--- a/common/singledo/singledo_test.go
+++ b/common/singledo/singledo_test.go
@ -5,8 +5,9 @@ import (
 	"testing"
 	"time"

+	"github.com/Dreamacro/clash/common/atomic"
+
 	"github.com/stretchr/testify/assert"
-	"go.uber.org/atomic"
 )

 func TestBasic(t *testing.T) {
@ -26,7 +27,7 @@ func TestBasic(t *testing.T) {
 		go func() {
 			_, _, shard := single.Do(call)
 			if shard {
-				shardCount.Inc()
+				shardCount.Add(1)
 			}
 			wg.Done()
 		}()
--- a/common/utils/must.go
+++ b/common/utils/must.go
@ -0,0 +1,8 @@
+package utils
+
+func MustOK[T any](result T, ok bool) T {
+	if ok {
+		return result
+	}
+	panic("operation failed")
+}
--- a/common/utils/slice.go
+++ b/common/utils/slice.go
@ -0,0 +1,34 @@
+package utils
+
+import (
+	"errors"
+	"fmt"
+	"reflect"
+)
+
+func Filter[T comparable](tSlice []T, filter func(t T) bool) []T {
+	result := make([]T, 0)
+	for _, t := range tSlice {
+		if filter(t) {
+			result = append(result, t)
+		}
+	}
+	return result
+}
+
+func ToStringSlice(value any) ([]string, error) {
+	strArr := make([]string, 0)
+	switch reflect.TypeOf(value).Kind() {
+	case reflect.Slice, reflect.Array:
+		origin := reflect.ValueOf(value)
+		for i := 0; i < origin.Len(); i++ {
+			item := fmt.Sprintf("%v", origin.Index(i))
+			strArr = append(strArr, item)
+		}
+	case reflect.String:
+		strArr = append(strArr, fmt.Sprintf("%v", value))
+	default:
+		return nil, errors.New("value format error, must be string or array")
+	}
+	return strArr, nil
+}
--- a/common/utils/strings.go
+++ b/common/utils/strings.go
@ -0,0 +1,9 @@
+package utils
+
+func Reverse(s string) string {
+	a := []rune(s)
+	for i, j := 0, len(a)-1; i < j; i, j = i+1, j-1 {
+		a[i], a[j] = a[j], a[i]
+	}
+	return string(a)
+}
--- a/common/utils/uuid.go
+++ b/common/utils/uuid.go
@ -1,16 +1,51 @@
 package utils

 import (
-	"github.com/gofrs/uuid"
+	"github.com/gofrs/uuid/v5"
+	"github.com/zhangyunhao116/fastrand"
 )

-var uuidNamespace, _ = uuid.FromString("00000000-0000-0000-0000-000000000000")
+type fastRandReader struct{}
+
+func (r fastRandReader) Read(p []byte) (int, error) {
+	return fastrand.Read(p)
+}
+
+var UnsafeUUIDGenerator = uuid.NewGenWithOptions(uuid.WithRandomReader(fastRandReader{}))
+
+func NewUUIDV1() uuid.UUID {
+	u, _ := UnsafeUUIDGenerator.NewV1() // fastrand.Read wouldn't cause error, so ignore err is safe
+	return u
+}
+
+func NewUUIDV3(ns uuid.UUID, name string) uuid.UUID {
+	return UnsafeUUIDGenerator.NewV3(ns, name)
+}
+
+func NewUUIDV4() uuid.UUID {
+	u, _ := UnsafeUUIDGenerator.NewV4() // fastrand.Read wouldn't cause error, so ignore err is safe
+	return u
+}
+
+func NewUUIDV5(ns uuid.UUID, name string) uuid.UUID {
+	return UnsafeUUIDGenerator.NewV5(ns, name)
+}
+
+func NewUUIDV6() uuid.UUID {
+	u, _ := UnsafeUUIDGenerator.NewV6() // fastrand.Read wouldn't cause error, so ignore err is safe
+	return u
+}
+
+func NewUUIDV7() uuid.UUID {
+	u, _ := UnsafeUUIDGenerator.NewV7() // fastrand.Read wouldn't cause error, so ignore err is safe
+	return u
+}

 // UUIDMap https://github.com/XTLS/Xray-core/issues/158#issue-783294090
 func UUIDMap(str string) (uuid.UUID, error) {
 	u, err := uuid.FromString(str)
 	if err != nil {
-		return uuid.NewV5(uuidNamespace, str), nil
+		return NewUUIDV5(uuid.Nil, str), nil
 	}
 	return u, nil
 }
--- a/common/utils/uuid_test.go
+++ b/common/utils/uuid_test.go
@ -1,7 +1,7 @@
 package utils

 import (
-	"github.com/gofrs/uuid"
+	"github.com/gofrs/uuid/v5"
 	"reflect"
 	"testing"
 )
--- a/component/dialer/bind_windows.go
+++ b/component/dialer/bind_windows.go
@ -3,6 +3,7 @@ package dialer
 import (
 	"context"
 	"encoding/binary"
+	"fmt"
 	"net"
 	"net/netip"
 	"syscall"
@ -20,11 +21,19 @@ func bind4(handle syscall.Handle, ifaceIdx int) error {
 	var bytes [4]byte
 	binary.BigEndian.PutUint32(bytes[:], uint32(ifaceIdx))
 	idx := *(*uint32)(unsafe.Pointer(&bytes[0]))
-	return syscall.SetsockoptInt(handle, syscall.IPPROTO_IP, IP_UNICAST_IF, int(idx))
+	err := syscall.SetsockoptInt(handle, syscall.IPPROTO_IP, IP_UNICAST_IF, int(idx))
+	if err != nil {
+		err = fmt.Errorf("bind4: %w", err)
+	}
+	return err
 }

 func bind6(handle syscall.Handle, ifaceIdx int) error {
-	return syscall.SetsockoptInt(handle, syscall.IPPROTO_IPV6, IPV6_UNICAST_IF, ifaceIdx)
+	err := syscall.SetsockoptInt(handle, syscall.IPPROTO_IPV6, IPV6_UNICAST_IF, ifaceIdx)
+	if err != nil {
+		err = fmt.Errorf("bind6: %w", err)
+	}
+	return err
 }

 func bindControl(ifaceIdx int) controlFn {
@ -49,9 +58,9 @@ func bindControl(ifaceIdx int) controlFn {
 				if (!addrPort.Addr().IsValid() || addrPort.Addr().IsUnspecified()) && bind6err != nil {
 					// try bind ipv6, if failed, ignore. it's a workaround for windows disable interface ipv6
 					if bind4err != nil {
-						innerErr = bind6err
+						innerErr = fmt.Errorf("%w (%s)", bind6err, bind4err)
 					} else {
-						innerErr = bind4err
+						innerErr = nil
 					}
 				} else {
 					innerErr = bind6err
--- a/component/dialer/dialer.go
+++ b/component/dialer/dialer.go
@ -2,10 +2,10 @@ package dialer

 import (
 	"context"
-	"errors"
 	"fmt"
 	"net"
 	"net/netip"
+	"os"
 	"strings"
 	"sync"
 	"time"
@ -13,13 +13,13 @@ import (
 	"github.com/Dreamacro/clash/component/resolver"
 )

+type dialFunc func(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error)
+
 var (
 	dialMux                      sync.Mutex
 	actualSingleStackDialContext = serialSingleStackDialContext
 	actualDualStackDialContext   = serialDualStackDialContext
 	tcpConcurrent                = false
-	ErrorInvalidedNetworkStack   = errors.New("invalided network stack")
-	ErrorConnTimeout             = errors.New("connect timeout")
 	fallbackTimeout              = 300 * time.Millisecond
 )

@ -53,11 +53,16 @@ func DialContext(ctx context.Context, network, address string, options ...Option
 		network = fmt.Sprintf("%s%d", network, opt.network)
 	}

+	ips, port, err := parseAddr(ctx, network, address, opt.resolver)
+	if err != nil {
+		return nil, err
+	}
+
 	switch network {
 	case "tcp4", "tcp6", "udp4", "udp6":
-		return actualSingleStackDialContext(ctx, network, address, opt)
+		return actualSingleStackDialContext(ctx, network, ips, port, opt)
 	case "tcp", "udp":
-		return actualDualStackDialContext(ctx, network, address, opt)
+		return actualDualStackDialContext(ctx, network, ips, port, opt)
 	default:
 		return nil, ErrorInvalidedNetworkStack
 	}
@ -84,8 +89,9 @@ func ListenPacket(ctx context.Context, network, address string, options ...Optio
 	return lc.ListenPacket(ctx, network, address)
 }

-func SetDial(concurrent bool) {
+func SetTcpConcurrent(concurrent bool) {
 	dialMux.Lock()
+	defer dialMux.Unlock()
 	tcpConcurrent = concurrent
 	if concurrent {
 		actualSingleStackDialContext = concurrentSingleStackDialContext
@ -94,16 +100,29 @@ func SetDial(concurrent bool) {
 		actualSingleStackDialContext = serialSingleStackDialContext
 		actualDualStackDialContext = serialDualStackDialContext
 	}
-
-	dialMux.Unlock()
 }

-func GetDial() bool {
+func GetTcpConcurrent() bool {
+	dialMux.Lock()
+	defer dialMux.Unlock()
 	return tcpConcurrent
 }

 func dialContext(ctx context.Context, network string, destination netip.Addr, port string, opt *option) (net.Conn, error) {
-	dialer := &net.Dialer{}
+	address := net.JoinHostPort(destination.String(), port)
+
+	netDialer := opt.netDialer
+	switch netDialer.(type) {
+	case nil:
+		netDialer = &net.Dialer{}
+	case *net.Dialer:
+		_netDialer := *netDialer.(*net.Dialer)
+		netDialer = &_netDialer // make a copy
+	default:
+		return netDialer.DialContext(ctx, network, address)
+	}
+
+	dialer := netDialer.(*net.Dialer)
 	if opt.interfaceName != "" {
 		if err := bindIfaceToDialer(opt.interfaceName, dialer, network, destination); err != nil {
 			return nil, err
@ -112,190 +131,137 @@ func dialContext(ctx context.Context, network string, destination netip.Addr, po
 	if opt.routingMark != 0 {
 		bindMarkToDialer(opt.routingMark, dialer, network, destination)
 	}
-
-	address := net.JoinHostPort(destination.String(), port)
 	if opt.tfo {
 		return dialTFO(ctx, *dialer, network, address)
 	}
 	return dialer.DialContext(ctx, network, address)
 }

-func serialSingleStackDialContext(ctx context.Context, network string, address string, opt *option) (net.Conn, error) {
-	ips, port, err := parseAddr(ctx, network, address, opt.resolver)
-	if err != nil {
-		return nil, err
-	}
+func serialSingleStackDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
 	return serialDialContext(ctx, network, ips, port, opt)
 }

-func serialDualStackDialContext(ctx context.Context, network, address string, opt *option) (net.Conn, error) {
-	ips, port, err := parseAddr(ctx, network, address, opt.resolver)
-	if err != nil {
-		return nil, err
-	}
-	return dualStackDialContext(
-		ctx,
-		func(ctx context.Context) (net.Conn, error) { return serialDialContext(ctx, network, ips, port, opt) },
-		func(ctx context.Context) (net.Conn, error) { return serialDialContext(ctx, network, ips, port, opt) },
-		opt.prefer == 4)
+func serialDualStackDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
+	return dualStackDialContext(ctx, serialDialContext, network, ips, port, opt)
 }

-func concurrentSingleStackDialContext(ctx context.Context, network string, address string, opt *option) (net.Conn, error) {
-	ips, port, err := parseAddr(ctx, network, address, opt.resolver)
-	if err != nil {
-		return nil, err
-	}
-
-	if conn, err := parallelDialContext(ctx, network, ips, port, opt); err != nil {
-		return nil, err
-	} else {
-		return conn, nil
-	}
+func concurrentSingleStackDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
+	return parallelDialContext(ctx, network, ips, port, opt)
 }

-func concurrentDualStackDialContext(ctx context.Context, network, address string, opt *option) (net.Conn, error) {
-	ips, port, err := parseAddr(ctx, network, address, opt.resolver)
-	if err != nil {
-		return nil, err
-	}
+func concurrentDualStackDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
 	if opt.prefer != 4 && opt.prefer != 6 {
 		return parallelDialContext(ctx, network, ips, port, opt)
 	}
-	ipv4s, ipv6s := sortationAddr(ips)
-	return dualStackDialContext(
-		ctx,
-		func(ctx context.Context) (net.Conn, error) {
-			return parallelDialContext(ctx, network, ipv4s, port, opt)
-		},
-		func(ctx context.Context) (net.Conn, error) {
-			return parallelDialContext(ctx, network, ipv6s, port, opt)
-		},
-		opt.prefer == 4)
+	return dualStackDialContext(ctx, parallelDialContext, network, ips, port, opt)
 }

-type Dialer struct {
-	Opt option
-}
+func dualStackDialContext(ctx context.Context, dialFn dialFunc, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
+	ipv4s, ipv6s := resolver.SortationAddr(ips)
+	preferIPVersion := opt.prefer

-func (d Dialer) DialContext(ctx context.Context, network, address string) (net.Conn, error) {
-	return DialContext(ctx, network, address, WithOption(d.Opt))
-}
-
-func (d Dialer) ListenPacket(ctx context.Context, network, address string, rAddrPort netip.AddrPort) (net.PacketConn, error) {
-	return ListenPacket(ctx, ParseNetwork(network, rAddrPort.Addr()), address, WithOption(d.Opt))
-}
-
-func NewDialer(options ...Option) Dialer {
-	opt := applyOptions(options...)
-	return Dialer{Opt: *opt}
-}
-
-func dualStackDialContext(
-	ctx context.Context,
-	ipv4DialFn func(ctx context.Context) (net.Conn, error),
-	ipv6DialFn func(ctx context.Context) (net.Conn, error),
-	preferIPv4 bool) (net.Conn, error) {
 	fallbackTicker := time.NewTicker(fallbackTimeout)
 	defer fallbackTicker.Stop()
 	results := make(chan dialResult)
 	returned := make(chan struct{})
 	defer close(returned)
-	racer := func(dial func(ctx context.Context) (net.Conn, error), isPrimary bool) {
+	racer := func(ips []netip.Addr, isPrimary bool) {
 		result := dialResult{isPrimary: isPrimary}
 		defer func() {
 			select {
 			case results <- result:
 			case <-returned:
-				if result.Conn != nil {
+				if result.Conn != nil && result.error == nil {
 					_ = result.Conn.Close()
 				}
 			}
 		}()
-		result.Conn, result.error = dial(ctx)
+		result.Conn, result.error = dialFn(ctx, network, ips, port, opt)
 	}
-	go racer(ipv4DialFn, preferIPv4)
-	go racer(ipv6DialFn, !preferIPv4)
+	go racer(ipv4s, preferIPVersion != 6)
+	go racer(ipv6s, preferIPVersion != 4)
 	var fallback dialResult
-	var err error
-	for {
+	var errs []error
+	for i := 0; i < 2; {
 		select {
-		case <-ctx.Done():
-			if fallback.error == nil && fallback.Conn != nil {
-				return fallback.Conn, nil
-			}
-			return nil, fmt.Errorf("dual stack connect failed: %w", err)
 		case <-fallbackTicker.C:
 			if fallback.error == nil && fallback.Conn != nil {
 				return fallback.Conn, nil
 			}
 		case res := <-results:
+			i++
 			if res.error == nil {
 				if res.isPrimary {
 					return res.Conn, nil
 				}
 				fallback = res
+			} else {
+				if res.isPrimary {
+					errs = append([]error{fmt.Errorf("connect failed: %w", res.error)}, errs...)
+				} else {
+					errs = append(errs, fmt.Errorf("connect failed: %w", res.error))
+				}
 			}
-			err = res.error
 		}
 	}
+	if fallback.error == nil && fallback.Conn != nil {
+		return fallback.Conn, nil
+	}
+	return nil, errorsJoin(errs...)
 }

 func parallelDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
+	if len(ips) == 0 {
+		return nil, ErrorNoIpAddress
+	}
 	results := make(chan dialResult)
 	returned := make(chan struct{})
 	defer close(returned)
-	tcpRacer := func(ctx context.Context, ip netip.Addr, port string) {
-		result := dialResult{isPrimary: true}
+	racer := func(ctx context.Context, ip netip.Addr) {
+		result := dialResult{isPrimary: true, ip: ip}
 		defer func() {
 			select {
 			case results <- result:
 			case <-returned:
-				if result.Conn != nil {
+				if result.Conn != nil && result.error == nil {
 					_ = result.Conn.Close()
 				}
 			}
 		}()
-		result.ip = ip
 		result.Conn, result.error = dialContext(ctx, network, ip, port, opt)
 	}

 	for _, ip := range ips {
-		go tcpRacer(ctx, ip, port)
+		go racer(ctx, ip)
 	}
-	var err error
-	for {
-		select {
-		case <-ctx.Done():
-			if err != nil {
-				return nil, err
-			}
-			if ctx.Err() == context.DeadlineExceeded {
-				return nil, ErrorConnTimeout
-			}
-			return nil, ctx.Err()
-		case res := <-results:
-			if res.error == nil {
-				return res.Conn, nil
-			}
-			err = res.error
+	var errs []error
+	for i := 0; i < len(ips); i++ {
+		res := <-results
+		if res.error == nil {
+			return res.Conn, nil
 		}
+		errs = append(errs, res.error)
 	}
+
+	if len(errs) > 0 {
+		return nil, errorsJoin(errs...)
+	}
+	return nil, os.ErrDeadlineExceeded
 }

 func serialDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
-	var (
-		conn net.Conn
-		err  error
-		errs []error
-	)
+	if len(ips) == 0 {
+		return nil, ErrorNoIpAddress
+	}
+	var errs []error
 	for _, ip := range ips {
-		if conn, err = dialContext(ctx, network, ip, port, opt); err == nil {
+		if conn, err := dialContext(ctx, network, ip, port, opt); err == nil {
 			return conn, nil
 		} else {
 			errs = append(errs, err)
 		}
 	}
-	return nil, errors.Join(errs...)
+	return nil, errorsJoin(errs...)
 }

 type dialResult struct {
@ -327,7 +293,7 @@ func parseAddr(ctx context.Context, network, address string, preferResolver reso
 		}
 	default:
 		if preferResolver == nil {
-			ips, err = resolver.LookupIP(ctx, host)
+			ips, err = resolver.LookupIPProxyServerHost(ctx, host)
 		} else {
 			ips, err = resolver.LookupIPWithResolver(ctx, host, preferResolver)
 		}
@ -335,16 +301,32 @@ func parseAddr(ctx context.Context, network, address string, preferResolver reso
 	if err != nil {
 		return nil, "-1", fmt.Errorf("dns resolve failed: %w", err)
 	}
+	for i, ip := range ips {
+		if ip.Is4In6() {
+			ips[i] = ip.Unmap()
+		}
+	}
 	return ips, port, nil
 }

-func sortationAddr(ips []netip.Addr) (ipv4s, ipv6s []netip.Addr) {
-	for _, v := range ips {
-		if v.Is4() || v.Is4In6() {
-			ipv4s = append(ipv4s, v)
-		} else {
-			ipv6s = append(ipv6s, v)
-		}
-	}
-	return
+type Dialer struct {
+	Opt option
+}
+
+func (d Dialer) DialContext(ctx context.Context, network, address string) (net.Conn, error) {
+	return DialContext(ctx, network, address, WithOption(d.Opt))
+}
+
+func (d Dialer) ListenPacket(ctx context.Context, network, address string, rAddrPort netip.AddrPort) (net.PacketConn, error) {
+	opt := WithOption(d.Opt)
+	if rAddrPort.Addr().Unmap().IsLoopback() {
+		// avoid "The requested address is not valid in its context."
+		opt = WithInterface("")
+	}
+	return ListenPacket(ctx, ParseNetwork(network, rAddrPort.Addr()), address, opt)
+}
+
+func NewDialer(options ...Option) Dialer {
+	opt := applyOptions(options...)
+	return Dialer{Opt: *opt}
 }
--- a/component/dialer/error.go
+++ b/component/dialer/error.go
@ -0,0 +1,18 @@
+package dialer
+
+import (
+	"errors"
+
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+var (
+	ErrorNoIpAddress           = errors.New("no ip address")
+	ErrorInvalidedNetworkStack = errors.New("invalided network stack")
+)
+
+func errorsJoin(errs ...error) error {
+	// compatibility with golang<1.20
+	// maybe use errors.Join(errs...) is better after we drop the old version's support
+	return E.Errors(errs...)
+}
--- a/component/dialer/options.go
+++ b/component/dialer/options.go
@ -1,17 +1,23 @@
 package dialer

 import (
-	"github.com/Dreamacro/clash/component/resolver"
+	"context"
+	"net"

-	"go.uber.org/atomic"
+	"github.com/Dreamacro/clash/common/atomic"
+	"github.com/Dreamacro/clash/component/resolver"
 )

 var (
 	DefaultOptions     []Option
-	DefaultInterface   = atomic.NewString("")
+	DefaultInterface   = atomic.NewTypedValue[string]("")
 	DefaultRoutingMark = atomic.NewInt32(0)
 )

+type NetDialer interface {
+	DialContext(ctx context.Context, network, address string) (net.Conn, error)
+}
+
 type option struct {
 	interfaceName string
 	addrReuse     bool
@ -20,6 +26,7 @@ type option struct {
 	prefer        int
 	tfo           bool
 	resolver      resolver.Resolver
+	netDialer     NetDialer
 }

 type Option func(opt *option)
@ -76,6 +83,12 @@ func WithTFO(tfo bool) Option {
 	}
 }

+func WithNetDialer(netDialer NetDialer) Option {
+	return func(opt *option) {
+		opt.netDialer = netDialer
+	}
+}
+
 func WithOption(o option) Option {
 	return func(opt *option) {
 		*opt = o
--- a/component/dialer/tfo.go
+++ b/component/dialer/tfo.go
@ -18,10 +18,11 @@ type tfoConn struct {
 }

 func (c *tfoConn) Dial(earlyData []byte) (err error) {
-	c.Conn, err = c.dialFn(c.ctx, earlyData)
+	conn, err := c.dialFn(c.ctx, earlyData)
 	if err != nil {
 		return
 	}
+	c.Conn = conn
 	c.dialed <- true
 	return err
 }
@ -105,6 +106,22 @@ func (c *tfoConn) Upstream() any {
 	return c.Conn
 }

+func (c *tfoConn) NeedAdditionalReadDeadline() bool {
+	return c.Conn == nil
+}
+
+func (c *tfoConn) NeedHandshake() bool {
+	return c.Conn == nil
+}
+
+func (c *tfoConn) ReaderReplaceable() bool {
+	return c.Conn != nil
+}
+
+func (c *tfoConn) WriterReplaceable() bool {
+	return c.Conn != nil
+}
+
 func dialTFO(ctx context.Context, netDialer net.Dialer, network, address string) (net.Conn, error) {
 	ctx, cancel := context.WithCancel(ctx)
 	dialer := tfo.Dialer{Dialer: netDialer, DisableTFO: false}
--- a/component/geodata/geodata.go
+++ b/component/geodata/geodata.go
@ -1,13 +1,10 @@
 package geodata

 import (
-	"errors"
 	"fmt"
-	C "github.com/Dreamacro/clash/constant"
-	"strings"

 	"github.com/Dreamacro/clash/component/geodata/router"
-	"github.com/Dreamacro/clash/log"
+	C "github.com/Dreamacro/clash/constant"
 )

 type loader struct {
@ -15,47 +12,7 @@ type loader struct {
 }

 func (l *loader) LoadGeoSite(list string) ([]*router.Domain, error) {
-	return l.LoadGeoSiteWithAttr(C.GeositeName, list)
-}
-
-func (l *loader) LoadGeoSiteWithAttr(file string, siteWithAttr string) ([]*router.Domain, error) {
-	parts := strings.Split(siteWithAttr, "@")
-	if len(parts) == 0 {
-		return nil, errors.New("empty rule")
-	}
-	list := strings.TrimSpace(parts[0])
-	attrVal := parts[1:]
-
-	if len(list) == 0 {
-		return nil, fmt.Errorf("empty listname in rule: %s", siteWithAttr)
-	}
-
-	domains, err := l.LoadSiteByPath(file, list)
-	if err != nil {
-		return nil, err
-	}
-
-	attrs := parseAttrs(attrVal)
-	if attrs.IsEmpty() {
-		if strings.Contains(siteWithAttr, "@") {
-			log.Warnln("empty attribute list: %s", siteWithAttr)
-		}
-		return domains, nil
-	}
-
-	filteredDomains := make([]*router.Domain, 0, len(domains))
-	hasAttrMatched := false
-	for _, domain := range domains {
-		if attrs.Match(domain) {
-			hasAttrMatched = true
-			filteredDomains = append(filteredDomains, domain)
-		}
-	}
-	if !hasAttrMatched {
-		log.Warnln("attribute match no rule: geosite: %s", siteWithAttr)
-	}
-
-	return filteredDomains, nil
+	return l.LoadSiteByPath(C.GeositeName, list)
 }

 func (l *loader) LoadGeoIP(country string) ([]*router.CIDR, error) {
--- a/component/geodata/geodataproto.go
+++ b/component/geodata/geodataproto.go
@ -14,6 +14,5 @@ type LoaderImplementation interface {
 type Loader interface {
 	LoaderImplementation
 	LoadGeoSite(list string) ([]*router.Domain, error)
-	LoadGeoSiteWithAttr(file string, siteWithAttr string) ([]*router.Domain, error)
 	LoadGeoIP(country string) ([]*router.CIDR, error)
 }
--- a/component/geodata/init.go
+++ b/component/geodata/init.go
@ -1,13 +1,17 @@
 package geodata

 import (
+	"context"
 	"fmt"
-	"github.com/Dreamacro/clash/component/mmdb"
-	C "github.com/Dreamacro/clash/constant"
-	"github.com/Dreamacro/clash/log"
 	"io"
 	"net/http"
 	"os"
+	"time"
+
+	clashHttp "github.com/Dreamacro/clash/component/http"
+	"github.com/Dreamacro/clash/component/mmdb"
+	C "github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/log"
 )

 var initGeoSite bool
@ -38,7 +42,9 @@ func InitGeoSite() error {
 }

 func downloadGeoSite(path string) (err error) {
-	resp, err := http.Get(C.GeoSiteUrl)
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*90)
+	defer cancel()
+	resp, err := clashHttp.HttpRequest(ctx, C.GeoSiteUrl, http.MethodGet, http.Header{"User-Agent": {"clash"}}, nil)
 	if err != nil {
 		return
 	}
@ -55,7 +61,9 @@ func downloadGeoSite(path string) (err error) {
 }

 func downloadGeoIP(path string) (err error) {
-	resp, err := http.Get(C.GeoIpUrl)
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*90)
+	defer cancel()
+	resp, err := clashHttp.HttpRequest(ctx, C.GeoIpUrl, http.MethodGet, http.Header{"User-Agent": {"clash"}}, nil)
 	if err != nil {
 		return
 	}
--- a/component/geodata/memconservative/cache.go
+++ b/component/geodata/memconservative/cache.go
@ -118,7 +118,7 @@ func (g GeoSiteCache) Unmarshal(filename, code string) (*router.GeoSite, error)

 	case errFailedToReadBytes, errFailedToReadExpectedLenBytes,
 		errInvalidGeodataFile, errInvalidGeodataVarintLength:
-		log.Warnln("failed to decode geoip file: %s%s", filename, ", fallback to the original ReadFile method")
+		log.Warnln("failed to decode geosite file: %s%s", filename, ", fallback to the original ReadFile method")
 		geositeBytes, err = os.ReadFile(asset)
 		if err != nil {
 			return nil, err
--- a/component/geodata/strmatcher/mph_matcher.go
+++ b/component/geodata/strmatcher/mph_matcher.go
@ -234,26 +234,26 @@ tail:
 	case s == 0:
 	case s < 4:
 		h ^= uint64(*(*byte)(p))
-		h ^= uint64(*(*byte)(add(p, s>>1))) << 8
-		h ^= uint64(*(*byte)(add(p, s-1))) << 16
+		h ^= uint64(*(*byte)(unsafe.Add(p, s>>1))) << 8
+		h ^= uint64(*(*byte)(unsafe.Add(p, s-1))) << 16
 		h = rotl31(h*m1) * m2
 	case s <= 8:
 		h ^= uint64(readUnaligned32(p))
-		h ^= uint64(readUnaligned32(add(p, s-4))) << 32
+		h ^= uint64(readUnaligned32(unsafe.Add(p, s-4))) << 32
 		h = rotl31(h*m1) * m2
 	case s <= 16:
 		h ^= readUnaligned64(p)
 		h = rotl31(h*m1) * m2
-		h ^= readUnaligned64(add(p, s-8))
+		h ^= readUnaligned64(unsafe.Add(p, s-8))
 		h = rotl31(h*m1) * m2
 	case s <= 32:
 		h ^= readUnaligned64(p)
 		h = rotl31(h*m1) * m2
-		h ^= readUnaligned64(add(p, 8))
+		h ^= readUnaligned64(unsafe.Add(p, 8))
 		h = rotl31(h*m1) * m2
-		h ^= readUnaligned64(add(p, s-16))
+		h ^= readUnaligned64(unsafe.Add(p, s-16))
 		h = rotl31(h*m1) * m2
-		h ^= readUnaligned64(add(p, s-8))
+		h ^= readUnaligned64(unsafe.Add(p, s-8))
 		h = rotl31(h*m1) * m2
 	default:
 		v1 := h
@ -263,16 +263,16 @@ tail:
 		for s >= 32 {
 			v1 ^= readUnaligned64(p)
 			v1 = rotl31(v1*m1) * m2
-			p = add(p, 8)
+			p = unsafe.Add(p, 8)
 			v2 ^= readUnaligned64(p)
 			v2 = rotl31(v2*m2) * m3
-			p = add(p, 8)
+			p = unsafe.Add(p, 8)
 			v3 ^= readUnaligned64(p)
 			v3 = rotl31(v3*m3) * m4
-			p = add(p, 8)
+			p = unsafe.Add(p, 8)
 			v4 ^= readUnaligned64(p)
 			v4 = rotl31(v4*m4) * m1
-			p = add(p, 8)
+			p = unsafe.Add(p, 8)
 			s -= 32
 		}
 		h = v1 ^ v2 ^ v3 ^ v4
@ -285,10 +285,6 @@ tail:
 	return uintptr(h)
 }

-func add(p unsafe.Pointer, x uintptr) unsafe.Pointer {
-	return unsafe.Pointer(uintptr(p) + x)
-}
-
 func readUnaligned32(p unsafe.Pointer) uint32 {
 	q := (*[4]byte)(p)
 	return uint32(q[0]) | uint32(q[1])<<8 | uint32(q[2])<<16 | uint32(q[3])<<24
--- a/component/geodata/utils.go
+++ b/component/geodata/utils.go
@ -1,9 +1,14 @@
 package geodata

 import (
+	"errors"
 	"fmt"
+	"golang.org/x/sync/singleflight"
+	"strings"
+
 	"github.com/Dreamacro/clash/component/geodata/router"
 	C "github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/log"
 )

 var geoLoaderName = "memconservative"
@ -34,6 +39,8 @@ func Verify(name string) error {
 	}
 }

+var loadGeoSiteMatcherSF = singleflight.Group{}
+
 func LoadGeoSiteMatcher(countryCode string) (*router.DomainMatcher, int, error) {
 	if len(countryCode) == 0 {
 		return nil, 0, fmt.Errorf("country code could not be empty")
@ -44,16 +51,53 @@ func LoadGeoSiteMatcher(countryCode string) (*router.DomainMatcher, int, error)
 		not = true
 		countryCode = countryCode[1:]
 	}
+	countryCode = strings.ToLower(countryCode)

-	geoLoader, err := GetGeoDataLoader(geoLoaderName)
-	if err != nil {
-		return nil, 0, err
+	parts := strings.Split(countryCode, "@")
+	if len(parts) == 0 {
+		return nil, 0, errors.New("empty rule")
+	}
+	listName := strings.TrimSpace(parts[0])
+	attrVal := parts[1:]
+
+	if len(listName) == 0 {
+		return nil, 0, fmt.Errorf("empty listname in rule: %s", countryCode)
 	}

-	domains, err := geoLoader.LoadGeoSite(countryCode)
+	v, err, shared := loadGeoSiteMatcherSF.Do(listName, func() (interface{}, error) {
+		geoLoader, err := GetGeoDataLoader(geoLoaderName)
+		if err != nil {
+			return nil, err
+		}
+		return geoLoader.LoadGeoSite(listName)
+	})
 	if err != nil {
+		if !shared {
+			loadGeoSiteMatcherSF.Forget(listName) // don't store the error result
+		}
 		return nil, 0, err
 	}
+	domains := v.([]*router.Domain)
+
+	attrs := parseAttrs(attrVal)
+	if attrs.IsEmpty() {
+		if strings.Contains(countryCode, "@") {
+			log.Warnln("empty attribute list: %s", countryCode)
+		}
+	} else {
+		filteredDomains := make([]*router.Domain, 0, len(domains))
+		hasAttrMatched := false
+		for _, domain := range domains {
+			if attrs.Match(domain) {
+				hasAttrMatched = true
+				filteredDomains = append(filteredDomains, domain)
+			}
+		}
+		if !hasAttrMatched {
+			log.Warnln("attribute match no rule: geosite: %s", countryCode)
+		}
+		domains = filteredDomains
+	}

 	/**
 	linear: linear algorithm
@ -68,25 +112,34 @@ func LoadGeoSiteMatcher(countryCode string) (*router.DomainMatcher, int, error)
 	return matcher, len(domains), nil
 }

+var loadGeoIPMatcherSF = singleflight.Group{}
+
 func LoadGeoIPMatcher(country string) (*router.GeoIPMatcher, int, error) {
 	if len(country) == 0 {
 		return nil, 0, fmt.Errorf("country code could not be empty")
 	}
-	geoLoader, err := GetGeoDataLoader(geoLoaderName)
-	if err != nil {
-		return nil, 0, err
-	}

 	not := false
 	if country[0] == '!' {
 		not = true
 		country = country[1:]
 	}
+	country = strings.ToLower(country)

-	records, err := geoLoader.LoadGeoIP(country)
+	v, err, shared := loadGeoIPMatcherSF.Do(country, func() (interface{}, error) {
+		geoLoader, err := GetGeoDataLoader(geoLoaderName)
+		if err != nil {
+			return nil, err
+		}
+		return geoLoader.LoadGeoIP(country)
+	})
 	if err != nil {
+		if !shared {
+			loadGeoIPMatcherSF.Forget(country) // don't store the error result
+		}
 		return nil, 0, err
 	}
+	records := v.([]*router.CIDR)

 	geoIP := &router.GeoIP{
 		CountryCode:  country,
@ -98,6 +151,10 @@ func LoadGeoIPMatcher(country string) (*router.GeoIPMatcher, int, error) {
 	if err != nil {
 		return nil, 0, err
 	}
-
 	return matcher, len(records), nil
 }
+
+func ClearCache() {
+	loadGeoSiteMatcherSF = singleflight.Group{}
+	loadGeoIPMatcherSF = singleflight.Group{}
+}
--- a/component/http/http.go
+++ b/component/http/http.go
@ -2,14 +2,15 @@ package http

 import (
 	"context"
-	"github.com/Dreamacro/clash/component/tls"
-	"github.com/Dreamacro/clash/listener/inner"
 	"io"
 	"net"
 	"net/http"
 	URL "net/url"
 	"strings"
 	"time"
+
+	"github.com/Dreamacro/clash/component/tls"
+	"github.com/Dreamacro/clash/listener/inner"
 )

 const (
@ -52,8 +53,12 @@ func HttpRequest(ctx context.Context, url, method string, header map[string][]st
 		TLSHandshakeTimeout:   10 * time.Second,
 		ExpectContinueTimeout: 1 * time.Second,
 		DialContext: func(ctx context.Context, network, address string) (net.Conn, error) {
-			conn := inner.HandleTcp(address, urlRes.Hostname())
-			return conn, nil
+			if conn, err := inner.HandleTcp(address); err == nil {
+				return conn, nil
+			} else {
+				d := net.Dialer{}
+				return d.DialContext(ctx, network, address)
+			}
 		},
 		TLSClientConfig: tls.GetDefaultTLSConfig(),
 	}
--- a/component/mmdb/mmdb.go
+++ b/component/mmdb/mmdb.go
@ -1,14 +1,18 @@
 package mmdb

 import (
-	"github.com/oschwald/geoip2-golang"
+	"context"
 	"io"
 	"net/http"
 	"os"
 	"sync"
+	"time"

+	clashHttp "github.com/Dreamacro/clash/component/http"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/log"
+
+	"github.com/oschwald/geoip2-golang"
 )

 var (
@ -47,7 +51,9 @@ func Instance() *geoip2.Reader {
 }

 func DownloadMMDB(path string) (err error) {
-	resp, err := http.Get(C.MmdbUrl)
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*90)
+	defer cancel()
+	resp, err := clashHttp.HttpRequest(ctx, C.MmdbUrl, http.MethodGet, http.Header{"User-Agent": {"clash"}}, nil)
 	if err != nil {
 		return
 	}
--- a/component/profile/profile.go
+++ b/component/profile/profile.go
@ -1,7 +1,7 @@
 package profile

 import (
-	"go.uber.org/atomic"
+	"github.com/Dreamacro/clash/common/atomic"
 )

 // StoreSelected is a global switch for storing selected proxy to cache
--- a/component/proxydialer/proxydialer.go
+++ b/component/proxydialer/proxydialer.go
@ -0,0 +1,96 @@
+package proxydialer
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net"
+	"net/netip"
+	"strings"
+
+	N "github.com/Dreamacro/clash/common/net"
+	"github.com/Dreamacro/clash/component/dialer"
+	"github.com/Dreamacro/clash/component/resolver"
+	C "github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/tunnel"
+	"github.com/Dreamacro/clash/tunnel/statistic"
+)
+
+type proxyDialer struct {
+	proxy     C.ProxyAdapter
+	dialer    C.Dialer
+	statistic bool
+}
+
+func New(proxy C.ProxyAdapter, dialer C.Dialer, statistic bool) C.Dialer {
+	return proxyDialer{proxy: proxy, dialer: dialer, statistic: statistic}
+}
+
+func NewByName(proxyName string, dialer C.Dialer) (C.Dialer, error) {
+	proxies := tunnel.Proxies()
+	if proxy, ok := proxies[proxyName]; ok {
+		return New(proxy, dialer, true), nil
+	}
+	return nil, fmt.Errorf("proxyName[%s] not found", proxyName)
+}
+
+func (p proxyDialer) DialContext(ctx context.Context, network, address string) (net.Conn, error) {
+	currentMeta := &C.Metadata{Type: C.INNER}
+	if err := currentMeta.SetRemoteAddress(address); err != nil {
+		return nil, err
+	}
+	if strings.Contains(network, "udp") { // using in wireguard outbound
+		if !currentMeta.Resolved() {
+			ip, err := resolver.ResolveIP(ctx, currentMeta.Host)
+			if err != nil {
+				return nil, errors.New("can't resolve ip")
+			}
+			currentMeta.DstIP = ip
+		}
+		pc, err := p.listenPacket(ctx, currentMeta)
+		if err != nil {
+			return nil, err
+		}
+		return N.NewBindPacketConn(pc, currentMeta.UDPAddr()), nil
+	}
+	var conn C.Conn
+	var err error
+	if d, ok := p.dialer.(dialer.Dialer); ok { // first using old function to let mux work
+		conn, err = p.proxy.DialContext(ctx, currentMeta, dialer.WithOption(d.Opt))
+	} else {
+		conn, err = p.proxy.DialContextWithDialer(ctx, p.dialer, currentMeta)
+	}
+	if err != nil {
+		return nil, err
+	}
+	if p.statistic {
+		conn = statistic.NewTCPTracker(conn, statistic.DefaultManager, currentMeta, nil, 0, 0, false)
+	}
+	return conn, err
+}
+
+func (p proxyDialer) ListenPacket(ctx context.Context, network, address string, rAddrPort netip.AddrPort) (net.PacketConn, error) {
+	currentMeta := &C.Metadata{Type: C.INNER}
+	if err := currentMeta.SetRemoteAddress(rAddrPort.String()); err != nil {
+		return nil, err
+	}
+	return p.listenPacket(ctx, currentMeta)
+}
+
+func (p proxyDialer) listenPacket(ctx context.Context, currentMeta *C.Metadata) (C.PacketConn, error) {
+	var pc C.PacketConn
+	var err error
+	currentMeta.NetWork = C.UDP
+	if d, ok := p.dialer.(dialer.Dialer); ok { // first using old function to let mux work
+		pc, err = p.proxy.ListenPacketContext(ctx, currentMeta, dialer.WithOption(d.Opt))
+	} else {
+		pc, err = p.proxy.ListenPacketWithDialer(ctx, p.dialer, currentMeta)
+	}
+	if err != nil {
+		return nil, err
+	}
+	if p.statistic {
+		pc = statistic.NewUDPTracker(pc, statistic.DefaultManager, currentMeta, nil, 0, 0, false)
+	}
+	return pc, nil
+}
--- a/component/resolver/host.go
+++ b/component/resolver/host.go
@ -0,0 +1,113 @@
+package resolver
+
+import (
+	"errors"
+	"net/netip"
+	"strings"
+
+	"github.com/Dreamacro/clash/common/utils"
+	"github.com/Dreamacro/clash/component/trie"
+	"github.com/zhangyunhao116/fastrand"
+)
+
+type Hosts struct {
+	*trie.DomainTrie[HostValue]
+}
+
+func NewHosts(hosts *trie.DomainTrie[HostValue]) Hosts {
+	return Hosts{
+		hosts,
+	}
+}
+
+// Return the search result and whether to match the parameter `isDomain`
+func (h *Hosts) Search(domain string, isDomain bool) (*HostValue, bool) {
+	value := h.DomainTrie.Search(domain)
+	if value == nil {
+		return nil, false
+	}
+	hostValue := value.Data()
+	for {
+		if isDomain && hostValue.IsDomain {
+			return &hostValue, true
+		} else {
+			if node := h.DomainTrie.Search(hostValue.Domain); node != nil {
+				hostValue = node.Data()
+			} else {
+				break
+			}
+		}
+	}
+	if isDomain == hostValue.IsDomain {
+		return &hostValue, true
+	}
+	return &hostValue, false
+}
+
+type HostValue struct {
+	IsDomain bool
+	IPs      []netip.Addr
+	Domain   string
+}
+
+func NewHostValue(value any) (HostValue, error) {
+	isDomain := true
+	ips := make([]netip.Addr, 0)
+	domain := ""
+	if valueArr, err := utils.ToStringSlice(value); err != nil {
+		return HostValue{}, err
+	} else {
+		if len(valueArr) > 1 {
+			isDomain = false
+			for _, str := range valueArr {
+				if ip, err := netip.ParseAddr(str); err == nil {
+					ips = append(ips, ip)
+				} else {
+					return HostValue{}, err
+				}
+			}
+		} else if len(valueArr) == 1 {
+			host := valueArr[0]
+			if ip, err := netip.ParseAddr(host); err == nil {
+				ips = append(ips, ip)
+				isDomain = false
+			} else {
+				domain = host
+			}
+		}
+	}
+	if isDomain {
+		return NewHostValueByDomain(domain)
+	} else {
+		return NewHostValueByIPs(ips)
+	}
+}
+
+func NewHostValueByIPs(ips []netip.Addr) (HostValue, error) {
+	if len(ips) == 0 {
+		return HostValue{}, errors.New("ip list is empty")
+	}
+	return HostValue{
+		IsDomain: false,
+		IPs:      ips,
+	}, nil
+}
+
+func NewHostValueByDomain(domain string) (HostValue, error) {
+	domain = strings.Trim(domain, ".")
+	item := strings.Split(domain, ".")
+	if len(item) < 2 {
+		return HostValue{}, errors.New("invaild domain")
+	}
+	return HostValue{
+		IsDomain: true,
+		Domain:   domain,
+	}, nil
+}
+
+func (hv HostValue) RandIP() (netip.Addr, error) {
+	if hv.IsDomain {
+		return netip.Addr{}, errors.New("value type is error")
+	}
+	return hv.IPs[fastrand.Intn(len(hv.IPs))], nil
+}
--- a/component/resolver/resolver.go
+++ b/component/resolver/resolver.go
@ -4,15 +4,16 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"math/rand"
 	"net"
 	"net/netip"
 	"strings"
 	"time"

+	"github.com/Dreamacro/clash/common/utils"
 	"github.com/Dreamacro/clash/component/trie"

 	"github.com/miekg/dns"
+	"github.com/zhangyunhao116/fastrand"
 )

 var (
@ -27,7 +28,7 @@ var (
 	DisableIPv6 = true

 	// DefaultHosts aim to resolve hosts
-	DefaultHosts = trie.New[netip.Addr]()
+	DefaultHosts = NewHosts(trie.New[HostValue]())

 	// DefaultDNSTimeout defined the default dns request timeout
 	DefaultDNSTimeout = time.Second * 5
@ -43,17 +44,17 @@ type Resolver interface {
 	LookupIP(ctx context.Context, host string) (ips []netip.Addr, err error)
 	LookupIPv4(ctx context.Context, host string) (ips []netip.Addr, err error)
 	LookupIPv6(ctx context.Context, host string) (ips []netip.Addr, err error)
-	ResolveIP(ctx context.Context, host string) (ip netip.Addr, err error)
-	ResolveIPv4(ctx context.Context, host string) (ip netip.Addr, err error)
-	ResolveIPv6(ctx context.Context, host string) (ip netip.Addr, err error)
 	ExchangeContext(ctx context.Context, m *dns.Msg) (msg *dns.Msg, err error)
+	Invalid() bool
 }

 // LookupIPv4WithResolver same as LookupIPv4, but with a resolver
 func LookupIPv4WithResolver(ctx context.Context, host string, r Resolver) ([]netip.Addr, error) {
-	if node := DefaultHosts.Search(host); node != nil {
-		if ip := node.Data(); ip.Is4() {
-			return []netip.Addr{node.Data()}, nil
+	if node, ok := DefaultHosts.Search(host, false); ok {
+		if addrs := utils.Filter(node.IPs, func(ip netip.Addr) bool {
+			return ip.Is4()
+		}); len(addrs) > 0 {
+			return addrs, nil
 		}
 	}

@ -65,14 +66,10 @@ func LookupIPv4WithResolver(ctx context.Context, host string, r Resolver) ([]net
 		return []netip.Addr{}, ErrIPVersion
 	}

-	if r != nil {
+	if r != nil && r.Invalid() {
 		return r.LookupIPv4(ctx, host)
 	}

-	if DefaultResolver != nil {
-		return DefaultResolver.LookupIPv4(ctx, host)
-	}
-
 	ipAddrs, err := net.DefaultResolver.LookupNetIP(ctx, "ip4", host)
 	if err != nil {
 		return nil, err
@ -96,7 +93,7 @@ func ResolveIPv4WithResolver(ctx context.Context, host string, r Resolver) (neti
 	} else if len(ips) == 0 {
 		return netip.Addr{}, fmt.Errorf("%w: %s", ErrIPNotFound, host)
 	}
-	return ips[rand.Intn(len(ips))], nil
+	return ips[fastrand.Intn(len(ips))], nil
 }

 // ResolveIPv4 with a host, return ipv4
@ -110,9 +107,11 @@ func LookupIPv6WithResolver(ctx context.Context, host string, r Resolver) ([]net
 		return nil, ErrIPv6Disabled
 	}

-	if node := DefaultHosts.Search(host); node != nil {
-		if ip := node.Data(); ip.Is6() {
-			return []netip.Addr{ip}, nil
+	if node, ok := DefaultHosts.Search(host, false); ok {
+		if addrs := utils.Filter(node.IPs, func(ip netip.Addr) bool {
+			return ip.Is6()
+		}); len(addrs) > 0 {
+			return addrs, nil
 		}
 	}

@ -123,12 +122,9 @@ func LookupIPv6WithResolver(ctx context.Context, host string, r Resolver) ([]net
 		return nil, ErrIPVersion
 	}

-	if r != nil {
+	if r != nil && r.Invalid() {
 		return r.LookupIPv6(ctx, host)
 	}
-	if DefaultResolver != nil {
-		return DefaultResolver.LookupIPv6(ctx, host)
-	}

 	ipAddrs, err := net.DefaultResolver.LookupNetIP(ctx, "ip6", host)
 	if err != nil {
@ -153,7 +149,7 @@ func ResolveIPv6WithResolver(ctx context.Context, host string, r Resolver) (neti
 	} else if len(ips) == 0 {
 		return netip.Addr{}, fmt.Errorf("%w: %s", ErrIPNotFound, host)
 	}
-	return ips[rand.Intn(len(ips))], nil
+	return ips[fastrand.Intn(len(ips))], nil
 }

 func ResolveIPv6(ctx context.Context, host string) (netip.Addr, error) {
@ -162,17 +158,17 @@ func ResolveIPv6(ctx context.Context, host string) (netip.Addr, error) {

 // LookupIPWithResolver same as LookupIP, but with a resolver
 func LookupIPWithResolver(ctx context.Context, host string, r Resolver) ([]netip.Addr, error) {
-	if node := DefaultHosts.Search(host); node != nil {
-		return []netip.Addr{node.Data()}, nil
+	if node, ok := DefaultHosts.Search(host, false); ok {
+		return node.IPs, nil
 	}

-	if r != nil {
+	if r != nil && r.Invalid() {
 		if DisableIPv6 {
 			return r.LookupIPv4(ctx, host)
 		}
 		return r.LookupIP(ctx, host)
 	} else if DisableIPv6 {
-		return LookupIPv4(ctx, host)
+		return LookupIPv4WithResolver(ctx, host, r)
 	}

 	if ip, err := netip.ParseAddr(host); err == nil {
@ -202,10 +198,14 @@ func ResolveIPWithResolver(ctx context.Context, host string, r Resolver) (netip.
 	} else if len(ips) == 0 {
 		return netip.Addr{}, fmt.Errorf("%w: %s", ErrIPNotFound, host)
 	}
-	return ips[rand.Intn(len(ips))], nil
+	ipv4s, ipv6s := SortationAddr(ips)
+	if len(ipv4s) > 0 {
+		return ipv4s[fastrand.Intn(len(ipv4s))], nil
+	}
+	return ipv6s[fastrand.Intn(len(ipv6s))], nil
 }

-// ResolveIP with a host, return ip
+// ResolveIP with a host, return ip and priority return TypeA
 func ResolveIP(ctx context.Context, host string) (netip.Addr, error) {
 	return ResolveIPWithResolver(ctx, host, DefaultResolver)
 }
@ -266,3 +266,14 @@ func LookupIPProxyServerHost(ctx context.Context, host string) ([]netip.Addr, er
 	}
 	return LookupIP(ctx, host)
 }
+
+func SortationAddr(ips []netip.Addr) (ipv4s, ipv6s []netip.Addr) {
+	for _, v := range ips {
+		if v.Unmap().Is4() {
+			ipv4s = append(ipv4s, v)
+		} else {
+			ipv6s = append(ipv6s, v)
+		}
+	}
+	return
+}
--- a/component/sniffer/dispatcher.go
+++ b/component/sniffer/dispatcher.go
@ -26,18 +26,18 @@ var (
 var Dispatcher *SnifferDispatcher

 type SnifferDispatcher struct {
-	enable          bool
-	sniffers        map[sniffer.Sniffer]SnifferConfig
-	forceDomain     *trie.DomainTrie[struct{}]
-	skipSNI         *trie.DomainTrie[struct{}]
-	skipList        *cache.LruCache[string, uint8]
-	rwMux           sync.RWMutex
-	forceDnsMapping bool
-	parsePureIp     bool
+	enable           bool
+	sniffers         map[sniffer.Sniffer]SnifferConfig
+	forceDomain      *trie.DomainSet
+	skipSNI          *trie.DomainSet
+	skipList         *cache.LruCache[string, uint8]
+	rwMux            sync.RWMutex
+	forceDnsMapping  bool
+	parsePureIp      bool
 }

 func (sd *SnifferDispatcher) TCPSniff(conn *N.BufferedConn, metadata *C.Metadata) {
-	if (metadata.Host == "" && sd.parsePureIp) || sd.forceDomain.Search(metadata.Host) != nil || (metadata.DNSMode == C.DNSMapping && sd.forceDnsMapping) {
+	if (metadata.Host == "" && sd.parsePureIp) || sd.forceDomain.Has(metadata.Host) || (metadata.DNSMode == C.DNSMapping && sd.forceDnsMapping) {
 		port, err := strconv.ParseUint(metadata.DstPort, 10, 16)
 		if err != nil {
 			log.Debugln("[Sniffer] Dst port is error")
@ -74,7 +74,7 @@ func (sd *SnifferDispatcher) TCPSniff(conn *N.BufferedConn, metadata *C.Metadata
 			log.Debugln("[Sniffer] All sniffing sniff failed with from [%s:%s] to [%s:%s]", metadata.SrcIP, metadata.SrcPort, metadata.String(), metadata.DstPort)
 			return
 		} else {
-			if sd.skipSNI.Search(host) != nil {
+			if sd.skipSNI.Has(host) {
 				log.Debugln("[Sniffer] Skip sni[%s]", host)
 				return
 			}
@ -166,8 +166,8 @@ func NewCloseSnifferDispatcher() (*SnifferDispatcher, error) {
 	return &dispatcher, nil
 }

-func NewSnifferDispatcher(snifferConfig map[sniffer.Type]SnifferConfig, forceDomain *trie.DomainTrie[struct{}],
-	skipSNI *trie.DomainTrie[struct{}],
+func NewSnifferDispatcher(snifferConfig map[sniffer.Type]SnifferConfig,
+	forceDomain *trie.DomainSet, skipSNI *trie.DomainSet,
 	forceDnsMapping bool, parsePureIp bool) (*SnifferDispatcher, error) {
 	dispatcher := SnifferDispatcher{
 		enable:          true,
--- a/component/tls/config.go
+++ b/component/tls/config.go
@ -14,8 +14,8 @@ import (
 	xtls "github.com/xtls/go"
 )

-var trustCert,_ = x509.SystemCertPool()
-
+var trustCerts []*x509.Certificate
+var certPool *x509.CertPool
 var mutex sync.RWMutex
 var errNotMacth error = errors.New("certificate fingerprints do not match")

@ -25,16 +25,45 @@ func AddCertificate(certificate string) error {
 	if certificate == "" {
 		return fmt.Errorf("certificate is empty")
 	}
-	if ok := trustCert.AppendCertsFromPEM([]byte(certificate)); !ok {
+	if cert, err := x509.ParseCertificate([]byte(certificate)); err == nil {
+		trustCerts = append(trustCerts, cert)
+		return nil
+	} else {
 		return fmt.Errorf("add certificate failed")
 	}
-	return nil
 }

-func ResetCertificate(){
+func initializeCertPool() {
+	var err error
+	certPool, err = x509.SystemCertPool()
+	if err != nil {
+		certPool = x509.NewCertPool()
+	}
+	for _, cert := range trustCerts {
+		certPool.AddCert(cert)
+	}
+}
+
+func ResetCertificate() {
 	mutex.Lock()
 	defer mutex.Unlock()
-	trustCert,_=x509.SystemCertPool()
+	trustCerts = nil
+	initializeCertPool()
+}
+
+func getCertPool() *x509.CertPool {
+	if len(trustCerts) == 0 {
+		return nil
+	}
+	if certPool == nil {
+		mutex.Lock()
+		defer mutex.Unlock()
+		if certPool != nil {
+			return certPool
+		}
+		initializeCertPool()
+	}
+	return certPool
 }

 func verifyFingerprint(fingerprint *[32]byte) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
@ -84,12 +113,13 @@ func GetSpecifiedFingerprintTLSConfig(tlsConfig *tls.Config, fingerprint string)
 }

 func GetGlobalTLSConfig(tlsConfig *tls.Config) *tls.Config {
+	certPool := getCertPool()
 	if tlsConfig == nil {
 		return &tls.Config{
-			RootCAs: trustCert,
+			RootCAs: certPool,
 		}
 	}
-	tlsConfig.RootCAs = trustCert
+	tlsConfig.RootCAs = certPool
 	return tlsConfig
 }

@ -106,12 +136,13 @@ func GetSpecifiedFingerprintXTLSConfig(tlsConfig *xtls.Config, fingerprint strin
 }

 func GetGlobalXTLSConfig(tlsConfig *xtls.Config) *xtls.Config {
+	certPool := getCertPool()
 	if tlsConfig == nil {
 		return &xtls.Config{
-			RootCAs: trustCert,
+			RootCAs: certPool,
 		}
 	}

-	tlsConfig.RootCAs = trustCert
+	tlsConfig.RootCAs = certPool
 	return tlsConfig
 }
--- a/component/tls/reality.go
+++ b/component/tls/reality.go
@ -0,0 +1,164 @@
+package tls
+
+import (
+	"bytes"
+	"context"
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/ed25519"
+	"crypto/hmac"
+	"crypto/sha256"
+	"crypto/sha512"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/binary"
+	"errors"
+	"net"
+	"net/http"
+	"reflect"
+	"strings"
+	"time"
+	"unsafe"
+
+	"github.com/Dreamacro/clash/common/utils"
+	"github.com/Dreamacro/clash/log"
+
+	utls "github.com/sagernet/utls"
+	"github.com/zhangyunhao116/fastrand"
+	"golang.org/x/crypto/curve25519"
+	"golang.org/x/crypto/hkdf"
+	"golang.org/x/net/http2"
+)
+
+const RealityMaxShortIDLen = 8
+
+type RealityConfig struct {
+	PublicKey [curve25519.ScalarSize]byte
+	ShortID   [RealityMaxShortIDLen]byte
+}
+
+func GetRealityConn(ctx context.Context, conn net.Conn, ClientFingerprint string, tlsConfig *tls.Config, realityConfig *RealityConfig) (net.Conn, error) {
+	if fingerprint, exists := GetFingerprint(ClientFingerprint); exists {
+		verifier := &realityVerifier{
+			serverName: tlsConfig.ServerName,
+		}
+		uConfig := &utls.Config{
+			ServerName:             tlsConfig.ServerName,
+			InsecureSkipVerify:     true,
+			SessionTicketsDisabled: true,
+			VerifyPeerCertificate:  verifier.VerifyPeerCertificate,
+		}
+		clientID := utls.ClientHelloID{
+			Client:  fingerprint.Client,
+			Version: fingerprint.Version,
+			Seed:    fingerprint.Seed,
+		}
+		uConn := utls.UClient(conn, uConfig, clientID)
+		verifier.UConn = uConn
+		err := uConn.BuildHandshakeState()
+		if err != nil {
+			return nil, err
+		}
+
+		hello := uConn.HandshakeState.Hello
+		for i := range hello.SessionId { // https://github.com/golang/go/issues/5373
+			hello.SessionId[i] = 0
+		}
+		copy(hello.Raw[39:], hello.SessionId)
+
+		binary.BigEndian.PutUint64(hello.SessionId, uint64(time.Now().Unix()))
+
+		hello.SessionId[0] = 1
+		hello.SessionId[1] = 8
+		hello.SessionId[2] = 0
+		copy(hello.SessionId[8:], realityConfig.ShortID[:])
+
+		//log.Debugln("REALITY hello.sessionId[:16]: %v", hello.SessionId[:16])
+
+		authKey := uConn.HandshakeState.State13.EcdheParams.SharedKey(realityConfig.PublicKey[:])
+		if authKey == nil {
+			return nil, errors.New("nil auth_key")
+		}
+		verifier.authKey = authKey
+		_, err = hkdf.New(sha256.New, authKey, hello.Random[:20], []byte("REALITY")).Read(authKey)
+		if err != nil {
+			return nil, err
+		}
+		aesBlock, _ := aes.NewCipher(authKey)
+		aesGcmCipher, _ := cipher.NewGCM(aesBlock)
+		aesGcmCipher.Seal(hello.SessionId[:0], hello.Random[20:], hello.SessionId[:16], hello.Raw)
+		copy(hello.Raw[39:], hello.SessionId)
+		//log.Debugln("REALITY hello.sessionId: %v", hello.SessionId)
+		//log.Debugln("REALITY uConn.AuthKey: %v", authKey)
+
+		err = uConn.HandshakeContext(ctx)
+		if err != nil {
+			return nil, err
+		}
+
+		log.Debugln("REALITY Authentication: %v", verifier.verified)
+
+		if !verifier.verified {
+			go realityClientFallback(uConn, uConfig.ServerName, clientID)
+			return nil, errors.New("REALITY authentication failed")
+		}
+
+		return uConn, nil
+	}
+	return nil, errors.New("unknown uTLS fingerprint")
+}
+
+func realityClientFallback(uConn net.Conn, serverName string, fingerprint utls.ClientHelloID) {
+	defer uConn.Close()
+	client := http.Client{
+		Transport: &http2.Transport{
+			DialTLSContext: func(ctx context.Context, network, addr string, config *tls.Config) (net.Conn, error) {
+				return uConn, nil
+			},
+		},
+	}
+	request, _ := http.NewRequest("GET", "https://"+serverName, nil)
+	request.Header.Set("User-Agent", fingerprint.Client)
+	request.AddCookie(&http.Cookie{Name: "padding", Value: strings.Repeat("0", fastrand.Intn(32)+30)})
+	response, err := client.Do(request)
+	if err != nil {
+		return
+	}
+	//_, _ = io.Copy(io.Discard, response.Body)
+	time.Sleep(time.Duration(5+fastrand.Int63n(10)) * time.Second)
+	response.Body.Close()
+	client.CloseIdleConnections()
+}
+
+type realityVerifier struct {
+	*utls.UConn
+	serverName string
+	authKey    []byte
+	verified   bool
+}
+
+var pOffset = utils.MustOK(reflect.TypeOf((*utls.UConn)(nil)).Elem().FieldByName("peerCertificates")).Offset
+
+func (c *realityVerifier) VerifyPeerCertificate(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+	//p, _ := reflect.TypeOf(c.Conn).Elem().FieldByName("peerCertificates")
+	certs := *(*[]*x509.Certificate)(unsafe.Add(unsafe.Pointer(c.Conn), pOffset))
+	if pub, ok := certs[0].PublicKey.(ed25519.PublicKey); ok {
+		h := hmac.New(sha512.New, c.authKey)
+		h.Write(pub)
+		if bytes.Equal(h.Sum(nil), certs[0].Signature) {
+			c.verified = true
+			return nil
+		}
+	}
+	opts := x509.VerifyOptions{
+		DNSName:       c.serverName,
+		Intermediates: x509.NewCertPool(),
+	}
+	for _, cert := range certs[1:] {
+		opts.Intermediates.AddCert(cert)
+	}
+	if _, err := certs[0].Verify(opts); err != nil {
+		return err
+	}
+	return nil
+}
--- a/component/tls/utls.go
+++ b/component/tls/utls.go
@ -45,8 +45,13 @@ func GetFingerprint(ClientFingerprint string) (UClientHelloID, bool) {
 	}

 	fingerprint, ok := Fingerprints[ClientFingerprint]
-	log.Debugln("use specified fingerprint:%s", fingerprint.Client)
-	return fingerprint, ok
+	if ok {
+		log.Debugln("use specified fingerprint:%s", fingerprint.Client)
+		return fingerprint, ok
+	} else {
+		log.Warnln("wrong ClientFingerprint:%s", ClientFingerprint)
+		return UClientHelloID{}, false
+	}
 }

 func RollFingerprint() (UClientHelloID, bool) {
@ -67,7 +72,22 @@ var Fingerprints = map[string]UClientHelloID{
 	"firefox":    {&utls.HelloFirefox_Auto},
 	"safari":     {&utls.HelloSafari_Auto},
 	"ios":        {&utls.HelloIOS_Auto},
-	"randomized": {&utls.HelloRandomized},
+	"android":    {&utls.HelloAndroid_11_OkHttp},
+	"edge":       {&utls.HelloEdge_Auto},
+	"360":        {&utls.Hello360_Auto},
+	"qq":         {&utls.HelloQQ_Auto},
+	"random":     {nil},
+	"randomized": {nil},
+}
+
+func init() {
+	weights := utls.DefaultWeights
+	weights.TLSVersMax_Set_VersionTLS13 = 1
+	weights.FirstKeyShare_Set_CurveP256 = 0
+	randomized := utls.HelloRandomized
+	randomized.Seed, _ = utls.NewPRNGSeed()
+	randomized.Weights = &weights
+	Fingerprints["randomized"] = UClientHelloID{&randomized}
 }

 func copyConfig(c *tls.Config) *utls.Config {
@ -112,10 +132,7 @@ func SetGlobalUtlsClient(Client string) {
 }

 func HaveGlobalFingerprint() bool {
-	if len(initUtlsClient) != 0 && initUtlsClient != "none" {
-		return true
-	}
-	return false
+	return len(initUtlsClient) != 0 && initUtlsClient != "none"
 }

 func GetGlobalFingerprint() string {
--- a/component/trie/domain.go
+++ b/component/trie/domain.go
@ -25,7 +25,7 @@ func ValidAndSplitDomain(domain string) ([]string, bool) {
 	if domain != "" && domain[len(domain)-1] == '.' {
 		return nil, false
 	}
-
+	domain = strings.ToLower(domain)
 	parts := strings.Split(domain, domainStep)
 	if len(parts) == 1 {
 		if parts[0] == "" {
@ -123,6 +123,33 @@ func (t *DomainTrie[T]) Optimize() {
 	t.root.optimize()
 }

+func (t *DomainTrie[T]) Foreach(print func(domain string, data T)) {
+	for key, data := range t.root.getChildren() {
+		recursion([]string{key}, data, print)
+		if data != nil && data.inited {
+			print(joinDomain([]string{key}), data.data)
+		}
+	}
+}
+
+func recursion[T any](items []string, node *Node[T], fn func(domain string, data T)) {
+	for key, data := range node.getChildren() {
+		newItems := append([]string{key}, items...)
+		if data != nil && data.inited {
+			domain := joinDomain(newItems)
+			if domain[0] == domainStepByte {
+				domain = complexWildcard + domain
+			}
+			fn(domain, data.Data())
+		}
+		recursion(newItems, data, fn)
+	}
+}
+
+func joinDomain(items []string) string {
+	return strings.Join(items, domainStep)
+}
+
 // New returns a new, empty Trie.
 func New[T any]() *DomainTrie[T] {
 	return &DomainTrie[T]{root: newNode[T]()}
--- a/component/trie/domain_set.go
+++ b/component/trie/domain_set.go
@ -0,0 +1,174 @@
+package trie
+
+// Package succinct provides several succinct data types.
+// Modify from https://github.com/openacid/succinct/blob/d4684c35d123f7528b14e03c24327231723db704/sskv.go
+
+import (
+	"sort"
+	"strings"
+
+	"github.com/Dreamacro/clash/common/utils"
+	"github.com/openacid/low/bitmap"
+)
+
+const (
+	complexWildcardByte = byte('+')
+	wildcardByte        = byte('*')
+	domainStepByte      = byte('.')
+)
+
+type DomainSet struct {
+	leaves, labelBitmap []uint64
+	labels              []byte
+	ranks, selects      []int32
+}
+
+// NewDomainSet creates a new *DomainSet struct, from a DomainTrie.
+func (t *DomainTrie[T]) NewDomainSet() *DomainSet {
+	reserveDomains := make([]string, 0)
+	t.Foreach(func(domain string, data T) {
+		reserveDomains = append(reserveDomains, utils.Reverse(domain))
+	})
+	// ensure that the same prefix is continuous
+	// and according to the ascending sequence of length
+	sort.Strings(reserveDomains)
+	keys := reserveDomains
+	if len(keys) == 0 {
+		return nil
+	}
+	ss := &DomainSet{}
+	lIdx := 0
+
+	type qElt struct{ s, e, col int }
+	queue := []qElt{{0, len(keys), 0}}
+	for i := 0; i < len(queue); i++ {
+		elt := queue[i]
+		if elt.col == len(keys[elt.s]) {
+			elt.s++
+			// a leaf node
+			setBit(&ss.leaves, i, 1)
+		}
+
+		for j := elt.s; j < elt.e; {
+
+			frm := j
+
+			for ; j < elt.e && keys[j][elt.col] == keys[frm][elt.col]; j++ {
+			}
+			queue = append(queue, qElt{frm, j, elt.col + 1})
+			ss.labels = append(ss.labels, keys[frm][elt.col])
+			setBit(&ss.labelBitmap, lIdx, 0)
+			lIdx++
+		}
+		setBit(&ss.labelBitmap, lIdx, 1)
+		lIdx++
+	}
+
+	ss.init()
+	return ss
+}
+
+// Has query for a key and return whether it presents in the DomainSet.
+func (ss *DomainSet) Has(key string) bool {
+	if ss == nil {
+		return false
+	}
+	key = utils.Reverse(key)
+	key = strings.ToLower(key)
+	// no more labels in this node
+	// skip character matching
+	// go to next level
+	nodeId, bmIdx := 0, 0
+	type wildcardCursor struct {
+		bmIdx, index int
+	}
+	stack := make([]wildcardCursor, 0)
+	for i := 0; i < len(key); i++ {
+	RESTART:
+		c := key[i]
+		for ; ; bmIdx++ {
+			if getBit(ss.labelBitmap, bmIdx) != 0 {
+				if len(stack) > 0 {
+					cursor := stack[len(stack)-1]
+					stack = stack[0 : len(stack)-1]
+					// back wildcard and find next node
+					nextNodeId := countZeros(ss.labelBitmap, ss.ranks, cursor.bmIdx+1)
+					nextBmIdx := selectIthOne(ss.labelBitmap, ss.ranks, ss.selects, nextNodeId-1) + 1
+					j := cursor.index
+					for ; j < len(key) && key[j] != domainStepByte; j++ {
+					}
+					if j == len(key) {
+						if getBit(ss.leaves, nextNodeId) != 0 {
+							return true
+						} else {
+							goto RESTART
+						}
+					}
+					for ; nextBmIdx-nextNodeId < len(ss.labels); nextBmIdx++ {
+						if ss.labels[nextBmIdx-nextNodeId] == domainStepByte {
+							bmIdx = nextBmIdx
+							nodeId = nextNodeId
+							i = j
+							goto RESTART
+						}
+					}
+				}
+				return false
+			}
+			// handle wildcard for domain
+			if ss.labels[bmIdx-nodeId] == complexWildcardByte {
+				return true
+			} else if ss.labels[bmIdx-nodeId] == wildcardByte {
+				cursor := wildcardCursor{}
+				cursor.bmIdx = bmIdx
+				cursor.index = i
+				stack = append(stack, cursor)
+			} else if ss.labels[bmIdx-nodeId] == c {
+				break
+			}
+		}
+		nodeId = countZeros(ss.labelBitmap, ss.ranks, bmIdx+1)
+		bmIdx = selectIthOne(ss.labelBitmap, ss.ranks, ss.selects, nodeId-1) + 1
+	}
+
+	return getBit(ss.leaves, nodeId) != 0
+
+}
+
+func setBit(bm *[]uint64, i int, v int) {
+	for i>>6 >= len(*bm) {
+		*bm = append(*bm, 0)
+	}
+	(*bm)[i>>6] |= uint64(v) << uint(i&63)
+}
+
+func getBit(bm []uint64, i int) uint64 {
+	return bm[i>>6] & (1 << uint(i&63))
+}
+
+// init builds pre-calculated cache to speed up rank() and select()
+func (ss *DomainSet) init() {
+	ss.selects, ss.ranks = bitmap.IndexSelect32R64(ss.labelBitmap)
+}
+
+// countZeros counts the number of "0" in a bitmap before the i-th bit(excluding
+// the i-th bit) on behalf of rank index.
+// E.g.:
+//
+//	countZeros("010010", 4) == 3
+//	//          012345
+func countZeros(bm []uint64, ranks []int32, i int) int {
+	a, _ := bitmap.Rank64(bm, ranks, int32(i))
+	return i - int(a)
+}
+
+// selectIthOne returns the index of the i-th "1" in a bitmap, on behalf of rank
+// and select indexes.
+// E.g.:
+//
+//	selectIthOne("010010", 1) == 4
+//	//            012345
+func selectIthOne(bm []uint64, ranks, selects []int32, i int) int {
+	a, _ := bitmap.Select32R64(bm, selects, ranks, int32(i))
+	return int(a)
+}
--- a/component/trie/domain_set_test.go
+++ b/component/trie/domain_set_test.go
@ -0,0 +1,85 @@
+package trie_test
+
+import (
+	"testing"
+
+	"github.com/Dreamacro/clash/component/trie"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestDomainSet(t *testing.T) {
+	tree := trie.New[struct{}]()
+	domainSet := []string{
+		"baidu.com",
+		"google.com",
+		"www.google.com",
+		"test.a.net",
+		"test.a.oc",
+		"Mijia Cloud",
+		".qq.com",
+		"+.cn",
+	}
+
+	for _, domain := range domainSet {
+		assert.NoError(t, tree.Insert(domain, struct{}{}))
+	}
+	set := tree.NewDomainSet()
+	assert.NotNil(t, set)
+	assert.True(t, set.Has("test.cn"))
+	assert.True(t, set.Has("cn"))
+	assert.True(t, set.Has("Mijia Cloud"))
+	assert.True(t, set.Has("test.a.net"))
+	assert.True(t, set.Has("www.qq.com"))
+	assert.True(t, set.Has("google.com"))
+	assert.False(t, set.Has("qq.com"))
+	assert.False(t, set.Has("www.baidu.com"))
+}
+
+func TestDomainSetComplexWildcard(t *testing.T) {
+	tree := trie.New[struct{}]()
+	domainSet := []string{
+		"+.baidu.com",
+		"+.a.baidu.com",
+		"www.baidu.com",
+		"+.bb.baidu.com",
+		"test.a.net",
+		"test.a.oc",
+		"www.qq.com",
+	}
+
+	for _, domain := range domainSet {
+		assert.NoError(t, tree.Insert(domain, struct{}{}))
+	}
+	set := tree.NewDomainSet()
+	assert.NotNil(t, set)
+	assert.False(t, set.Has("google.com"))
+	assert.True(t, set.Has("www.baidu.com"))
+	assert.True(t, set.Has("test.test.baidu.com"))
+}
+
+func TestDomainSetWildcard(t *testing.T) {
+	tree := trie.New[struct{}]()
+	domainSet := []string{
+		"*.*.*.baidu.com",
+		"www.baidu.*",
+		"stun.*.*",
+		"*.*.qq.com",
+		"test.*.baidu.com",
+		"*.apple.com",
+	}
+
+	for _, domain := range domainSet {
+		assert.NoError(t, tree.Insert(domain, struct{}{}))
+	}
+	set := tree.NewDomainSet()
+	assert.NotNil(t, set)
+	assert.True(t, set.Has("www.baidu.com"))
+	assert.True(t, set.Has("test.test.baidu.com"))
+	assert.True(t, set.Has("test.test.qq.com"))
+	assert.True(t, set.Has("stun.ab.cd"))
+	assert.False(t, set.Has("test.baidu.com"))
+	assert.False(t, set.Has("www.google.com"))
+	assert.False(t, set.Has("a.www.google.com"))
+	assert.False(t, set.Has("test.qq.com"))
+	assert.False(t, set.Has("test.test.test.qq.com"))
+}
--- a/Show More
+++ b/Show More
				`@ -0,0 +1 @@`
				`git log --pretty=format:"* %s by @%an" v1.14.x..v1.14.y \| sort -f \| uniq > release.md`