Merge branch 'Beta' into Meta

Merge branch 'Alpha' into Beta
chore: adjust makefile
2023-01-12 01:33:56 +08:00 · 2023-01-12 01:33:16 +08:00 · 2023-01-12 01:31:38 +08:00 · 2023-01-12 00:53:42 +08:00 · 2023-01-11 22:01:15 +08:00 · 2023-01-11 10:19:30 +08:00
205 changed files with 11110 additions and 3613 deletions
--- a/.github/workflows/prerelease.yml
+++ b/.github/workflows/prerelease.yml
@ -1,5 +1,6 @@
 name: Prerelease
 on:
+  workflow_dispatch:
  push:
    branches:
      - Alpha
@ -35,14 +36,16 @@ jobs:
        run: make -j$(($(nproc) + 1)) releases

      - name: Delete current release assets
-        uses: andreaswilli/delete-release-assets-action@v2.0.0
+        uses: mknejp/delete-release-assets@v1
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
-          tag: Prerelease-${{ github.ref_name }}
-          deleteOnlyFromDrafts: false
+          tag_name: Prerelease-${{ github.ref_name }}
+          assets: |
+              *.zip
+              *.gz

      - name: Tag Repo
-        uses: richardsimko/update-tag@v1
+        uses: richardsimko/update-tag@v1.0.6
        with:
          tag_name: Prerelease-${{ github.ref_name }}
        env:
@ -52,7 +55,6 @@ jobs:
        uses: softprops/action-gh-release@v1
        if: ${{  success() }}
        with:
-          tag: ${{ github.ref_name }}
          tag_name: Prerelease-${{ github.ref_name }}
          files: bin/*
          prerelease: true
--- a/.golangci.yaml
+++ b/.golangci.yaml
@ -8,9 +8,10 @@ linters:

 linters-settings:
  gci:
+    custom-order: true
    sections:
      - standard
      - prefix(github.com/Dreamacro/clash)
      - default
  staticcheck:
-    go: '1.18'
+    go: '1.19'
--- a/2
+++ b/2
@ -1,4 +1,4 @@
-NAME=Clash.Meta
+NAME=clash.meta
 BINDIR=bin
 BRANCH=$(shell git branch --show-current)
 ifeq ($(BRANCH),Alpha)
--- a/README.md
+++ b/README.md
@ -34,6 +34,26 @@ Documentations are now moved to [GitHub Wiki](https://github.com/Dreamacro/clash

 ## Advanced usage for this branch

+## Build
+
+You should install [golang](https://go.dev) first.
+
+Then get the source code of Clash.Meta:
+```shell
+git clone https://github.com/MetaCubeX/Clash.Meta.git
+cd Clash.Meta && go mod download
+```
+
+If you can't visit github,you should set proxy first:
+```shell
+go env -w GOPROXY=https://goproxy.io,direct
+```
+
+So now you can build it:
+```shell
+go build
+```
+
 ### DNS configuration

 Support `geosite` with `fallback-filter`.
@ -227,6 +247,28 @@ proxies:
    udp: true
 ```

+Support outbound transport protocol `Tuic`
+```yaml
+proxies:
+  - name: "tuic"
+    server: www.example.com
+    port: 10443
+    type: tuic
+    token: TOKEN
+    # ip: 127.0.0.1 # for overwriting the DNS lookup result of the server address set in option 'server'
+    # heartbeat-interval: 10000
+    # alpn: [h3]
+    # disable-sni: true
+    reduce-rtt: true
+    # request-timeout: 8000
+    udp-relay-mode: native # Available: "native", "quic". Default: "native"
+    # congestion-controller: bbr # Available: "cubic", "new_reno", "bbr". Default: "cubic"
+    # max-udp-relay-packet-size: 1500
+    # fast-open: true
+    # skip-cert-verify: true
+
+```
+
 ### IPTABLES configuration
 Work on Linux OS who's supported `iptables`

--- a/adapter/adapter.go
+++ b/adapter/adapter.go
@ -92,6 +92,7 @@ func (p *Proxy) MarshalJSON() ([]byte, error) {
 	mapping["history"] = p.DelayHistory()
 	mapping["name"] = p.Name()
 	mapping["udp"] = p.SupportUDP()
+	mapping["tfo"] = p.SupportTFO()
 	return json.Marshal(mapping)
 }

--- a/adapter/inbound/addition.go
+++ b/adapter/inbound/addition.go
@ -0,0 +1,29 @@
+package inbound
+
+import (
+	C "github.com/Dreamacro/clash/constant"
+)
+
+type Addition func(metadata *C.Metadata)
+
+func (a Addition) Apply(metadata *C.Metadata) {
+	a(metadata)
+}
+
+func WithInName(name string) Addition {
+	return func(metadata *C.Metadata) {
+		metadata.InName = name
+	}
+}
+
+func WithSpecialRules(specialRules string) Addition {
+	return func(metadata *C.Metadata) {
+		metadata.SpecialRules = specialRules
+	}
+}
+
+func WithSpecialProxy(specialProxy string) Addition {
+	return func(metadata *C.Metadata) {
+		metadata.SpecialProxy = specialProxy
+	}
+}
--- a/adapter/inbound/http.go
+++ b/adapter/inbound/http.go
@ -9,10 +9,13 @@ import (
 )

 // NewHTTP receive normal http request and return HTTPContext
-func NewHTTP(target socks5.Addr, source net.Addr, conn net.Conn) *context.ConnContext {
+func NewHTTP(target socks5.Addr, source net.Addr, conn net.Conn, additions ...Addition) *context.ConnContext {
 	metadata := parseSocksAddr(target)
 	metadata.NetWork = C.TCP
 	metadata.Type = C.HTTP
+	for _, addition := range additions {
+		addition.Apply(metadata)
+	}
 	if ip, port, err := parseAddr(source.String()); err == nil {
 		metadata.SrcIP = ip
 		metadata.SrcPort = port
--- a/adapter/inbound/https.go
+++ b/adapter/inbound/https.go
@ -9,9 +9,12 @@ import (
 )

 // NewHTTPS receive CONNECT request and return ConnContext
-func NewHTTPS(request *http.Request, conn net.Conn) *context.ConnContext {
+func NewHTTPS(request *http.Request, conn net.Conn, additions ...Addition) *context.ConnContext {
 	metadata := parseHTTPAddr(request)
 	metadata.Type = C.HTTPS
+	for _, addition := range additions {
+		addition.Apply(metadata)
+	}
 	if ip, port, err := parseAddr(conn.RemoteAddr().String()); err == nil {
 		metadata.SrcIP = ip
 		metadata.SrcPort = port
--- a/adapter/inbound/listen.go
+++ b/adapter/inbound/listen.go
@ -0,0 +1,26 @@
+package inbound
+
+import (
+	"context"
+	"net"
+
+	"github.com/database64128/tfo-go/v2"
+)
+
+var (
+	lc = tfo.ListenConfig{
+		DisableTFO: true,
+	}
+)
+
+func SetTfo(open bool) {
+	lc.DisableTFO = !open
+}
+
+func ListenContext(ctx context.Context, network, address string) (net.Listener, error) {
+	return lc.Listen(ctx, network, address)
+}
+
+func Listen(network, address string) (net.Listener, error) {
+	return ListenContext(context.Background(), network, address)
+}
--- a/adapter/inbound/packet.go
+++ b/adapter/inbound/packet.go
@ -17,10 +17,13 @@ func (s *PacketAdapter) Metadata() *C.Metadata {
 }

 // NewPacket is PacketAdapter generator
-func NewPacket(target socks5.Addr, packet C.UDPPacket, source C.Type) *PacketAdapter {
+func NewPacket(target socks5.Addr, packet C.UDPPacket, source C.Type, additions ...Addition) C.PacketAdapter {
 	metadata := parseSocksAddr(target)
 	metadata.NetWork = C.UDP
 	metadata.Type = source
+	for _, addition := range additions {
+		addition.Apply(metadata)
+	}
 	if ip, port, err := parseAddr(packet.LocalAddr().String()); err == nil {
 		metadata.SrcIP = ip
 		metadata.SrcPort = port
@ -33,7 +36,7 @@ func NewPacket(target socks5.Addr, packet C.UDPPacket, source C.Type) *PacketAda
 	}

 	return &PacketAdapter{
-		UDPPacket: packet,
-		metadata:  metadata,
+		packet,
+		metadata,
 	}
 }
--- a/adapter/inbound/socket.go
+++ b/adapter/inbound/socket.go
@ -10,11 +10,16 @@ import (
 )

 // NewSocket receive TCP inbound and return ConnContext
-func NewSocket(target socks5.Addr, conn net.Conn, source C.Type) *context.ConnContext {
+func NewSocket(target socks5.Addr, conn net.Conn, source C.Type, additions ...Addition) *context.ConnContext {
 	metadata := parseSocksAddr(target)
 	metadata.NetWork = C.TCP
 	metadata.Type = source
+	for _, addition := range additions {
+		addition.Apply(metadata)
+	}
+
 	remoteAddr := conn.RemoteAddr()
+
 	// Filter when net.Addr interface is nil
 	if remoteAddr != nil {
 		if ip, port, err := parseAddr(remoteAddr.String()); err == nil {
--- a/adapter/outbound/base.go
+++ b/adapter/outbound/base.go
@ -18,6 +18,7 @@ type Base struct {
 	iface  string
 	tp     C.AdapterType
 	udp    bool
+	tfo    bool
 	rmark  int
 	id     string
 	prefer C.DNSPrefer
@ -56,16 +57,26 @@ func (b *Base) DialContext(ctx context.Context, metadata *C.Metadata, opts ...di
 	return nil, errors.New("no support")
 }

+// DialContextWithDialer implements C.ProxyAdapter
+func (b *Base) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.Conn, err error) {
+	return nil, errors.New("no support")
+}
+
 // ListenPacketContext implements C.ProxyAdapter
 func (b *Base) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
 	return nil, errors.New("no support")
 }

-// ListenPacketOnStreamConn implements C.ProxyAdapter
-func (b *Base) ListenPacketOnStreamConn(c net.Conn, metadata *C.Metadata) (_ C.PacketConn, err error) {
+// ListenPacketWithDialer implements C.ProxyAdapter
+func (b *Base) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.PacketConn, err error) {
 	return nil, errors.New("no support")
 }

+// SupportWithDialer implements C.ProxyAdapter
+func (b *Base) SupportWithDialer() bool {
+	return false
+}
+
 // SupportUOT implements C.ProxyAdapter
 func (b *Base) SupportUOT() bool {
 	return false
@ -76,6 +87,11 @@ func (b *Base) SupportUDP() bool {
 	return b.udp
 }

+// SupportTFO implements C.ProxyAdapter
+func (b *Base) SupportTFO() bool {
+	return b.tfo
+}
+
 // MarshalJSON implements C.ProxyAdapter
 func (b *Base) MarshalJSON() ([]byte, error) {
 	return json.Marshal(map[string]string{
@ -130,6 +146,7 @@ type BaseOption struct {
 	Addr        string
 	Type        C.AdapterType
 	UDP         bool
+	TFO         bool
 	Interface   string
 	RoutingMark int
 	Prefer      C.DNSPrefer
@ -141,6 +158,7 @@ func NewBase(opt BaseOption) *Base {
 		addr:   opt.Addr,
 		tp:     opt.Type,
 		udp:    opt.UDP,
+		tfo:    opt.TFO,
 		iface:  opt.Interface,
 		rmark:  opt.RoutingMark,
 		prefer: opt.Prefer,
--- a/adapter/outbound/direct.go
+++ b/adapter/outbound/direct.go
@ -5,6 +5,7 @@ import (
 	"net"

 	"github.com/Dreamacro/clash/component/dialer"
+	"github.com/Dreamacro/clash/component/resolver"
 	C "github.com/Dreamacro/clash/constant"
 )

@ -14,7 +15,7 @@ type Direct struct {

 // DialContext implements C.ProxyAdapter
 func (d *Direct) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
-	opts = append(opts, dialer.WithDirect())
+	opts = append(opts, dialer.WithResolver(resolver.DefaultResolver))
 	c, err := dialer.DialContext(ctx, "tcp", metadata.RemoteAddress(), d.Base.DialOptions(opts...)...)
 	if err != nil {
 		return nil, err
@ -25,8 +26,8 @@ func (d *Direct) DialContext(ctx context.Context, metadata *C.Metadata, opts ...

 // ListenPacketContext implements C.ProxyAdapter
 func (d *Direct) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
-	opts = append(opts, dialer.WithDirect())
-	pc, err := dialer.ListenPacket(ctx, "udp", "", d.Base.DialOptions(opts...)...)
+	opts = append(opts, dialer.WithResolver(resolver.DefaultResolver))
+	pc, err := dialer.ListenPacket(ctx, dialer.ParseNetwork("udp", metadata.DstIP), "", d.Base.DialOptions(opts...)...)
 	if err != nil {
 		return nil, err
 	}
--- a/adapter/outbound/http.go
+++ b/adapter/outbound/http.go
@ -44,7 +44,9 @@ type HttpOption struct {
 func (h *Http) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	if h.tlsConfig != nil {
 		cc := tls.Client(c, h.tlsConfig)
-		err := cc.Handshake()
+		ctx, cancel := context.WithTimeout(context.Background(), C.DefaultTLSTimeout)
+		defer cancel()
+		err := cc.HandshakeContext(ctx)
 		c = cc
 		if err != nil {
 			return nil, fmt.Errorf("%s connect error: %w", h.addr, err)
@ -59,13 +61,20 @@ func (h *Http) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {

 // DialContext implements C.ProxyAdapter
 func (h *Http) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
-	c, err := dialer.DialContext(ctx, "tcp", h.addr, h.Base.DialOptions(opts...)...)
+	return h.DialContextWithDialer(ctx, dialer.NewDialer(h.Base.DialOptions(opts...)...), metadata)
+}
+
+// DialContextWithDialer implements C.ProxyAdapter
+func (h *Http) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.Conn, err error) {
+	c, err := dialer.DialContext(ctx, "tcp", h.addr)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", h.addr, err)
 	}
 	tcpKeepAlive(c)

-	defer safeConnClose(c, err)
+	defer func(c net.Conn) {
+		safeConnClose(c, err)
+	}(c)

 	c, err = h.StreamConn(c, metadata)
 	if err != nil {
@ -75,6 +84,11 @@ func (h *Http) DialContext(ctx context.Context, metadata *C.Metadata, opts ...di
 	return NewConn(c, h), nil
 }

+// SupportWithDialer implements C.ProxyAdapter
+func (h *Http) SupportWithDialer() bool {
+	return true
+}
+
 func (h *Http) shakeHand(metadata *C.Metadata, rw io.ReadWriter) error {
 	addr := metadata.RemoteAddress()
 	req := &http.Request{
--- a/adapter/outbound/hysteria.go
+++ b/adapter/outbound/hysteria.go
@ -9,13 +9,14 @@ import (
 	"encoding/pem"
 	"fmt"
 	"net"
+	"net/netip"
 	"os"
 	"regexp"
 	"strconv"
 	"time"

-	"github.com/lucas-clemente/quic-go"
-	"github.com/lucas-clemente/quic-go/congestion"
+	"github.com/metacubex/quic-go"
+	"github.com/metacubex/quic-go/congestion"
 	M "github.com/sagernet/sing/common/metadata"

 	"github.com/Dreamacro/clash/component/dialer"
@ -30,15 +31,14 @@ import (
 )

 const (
-	mbpsToBps   = 125000
-	minSpeedBPS = 16384
+	mbpsToBps = 125000

 	DefaultStreamReceiveWindow     = 15728640 // 15 MB/s
 	DefaultConnectionReceiveWindow = 67108864 // 64 MB/s
-	DefaultMaxIncomingStreams      = 1024

-	DefaultALPN     = "hysteria"
-	DefaultProtocol = "udp"
+	DefaultALPN        = "hysteria"
+	DefaultProtocol    = "udp"
+	DefaultHopInterval = 10
 )

 var rateStringRegexp = regexp.MustCompile(`^(\d+)\s*([KMGT]?)([Bb])ps$`)
@ -52,11 +52,11 @@ type Hysteria struct {
 func (h *Hysteria) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
 	hdc := hyDialerWithContext{
 		ctx: context.Background(),
-		hyDialer: func() (net.PacketConn, error) {
-			return dialer.ListenPacket(ctx, "udp", "", h.Base.DialOptions(opts...)...)
+		hyDialer: func(network string) (net.PacketConn, error) {
+			return dialer.ListenPacket(ctx, network, "", h.Base.DialOptions(opts...)...)
 		},
 		remoteAddr: func(addr string) (net.Addr, error) {
-			return resolveUDPAddrWithPrefer("udp", addr, h.prefer)
+			return resolveUDPAddrWithPrefer(ctx, "udp", addr, h.prefer)
 		},
 	}

@ -71,11 +71,11 @@ func (h *Hysteria) DialContext(ctx context.Context, metadata *C.Metadata, opts .
 func (h *Hysteria) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
 	hdc := hyDialerWithContext{
 		ctx: context.Background(),
-		hyDialer: func() (net.PacketConn, error) {
-			return dialer.ListenPacket(ctx, "udp", "", h.Base.DialOptions(opts...)...)
+		hyDialer: func(network string) (net.PacketConn, error) {
+			return dialer.ListenPacket(ctx, network, "", h.Base.DialOptions(opts...)...)
 		},
 		remoteAddr: func(addr string) (net.Addr, error) {
-			return resolveUDPAddrWithPrefer("udp", addr, h.prefer)
+			return resolveUDPAddrWithPrefer(ctx, "udp", addr, h.prefer)
 		},
 	}
 	udpConn, err := h.client.DialUDP(&hdc)
@ -89,7 +89,8 @@ type HysteriaOption struct {
 	BasicOption
 	Name                string   `proxy:"name"`
 	Server              string   `proxy:"server"`
-	Port                int      `proxy:"port"`
+	Port                int      `proxy:"port,omitempty"`
+	Ports               string   `proxy:"ports,omitempty"`
 	Protocol            string   `proxy:"protocol,omitempty"`
 	ObfsProtocol        string   `proxy:"obfs-protocol,omitempty"` // compatible with Stash
 	Up                  string   `proxy:"up"`
@ -97,17 +98,19 @@ type HysteriaOption struct {
 	Down                string   `proxy:"down"`
 	DownSpeed           int      `proxy:"down-speed,omitempty"` // compatible with Stash
 	Auth                string   `proxy:"auth,omitempty"`
-	AuthString          string   `proxy:"auth_str,omitempty"`
+	AuthString          string   `proxy:"auth-str,omitempty"`
 	Obfs                string   `proxy:"obfs,omitempty"`
 	SNI                 string   `proxy:"sni,omitempty"`
 	SkipCertVerify      bool     `proxy:"skip-cert-verify,omitempty"`
 	Fingerprint         string   `proxy:"fingerprint,omitempty"`
 	ALPN                []string `proxy:"alpn,omitempty"`
 	CustomCA            string   `proxy:"ca,omitempty"`
-	CustomCAString      string   `proxy:"ca_str,omitempty"`
-	ReceiveWindowConn   int      `proxy:"recv_window_conn,omitempty"`
-	ReceiveWindow       int      `proxy:"recv_window,omitempty"`
-	DisableMTUDiscovery bool     `proxy:"disable_mtu_discovery,omitempty"`
+	CustomCAString      string   `proxy:"ca-str,omitempty"`
+	ReceiveWindowConn   int      `proxy:"recv-window-conn,omitempty"`
+	ReceiveWindow       int      `proxy:"recv-window,omitempty"`
+	DisableMTUDiscovery bool     `proxy:"disable-mtu-discovery,omitempty"`
+	FastOpen            bool     `proxy:"fast-open,omitempty"`
+	HopInterval         int      `proxy:"hop-interval,omitempty"`
 }

 func (c *HysteriaOption) Speed() (uint64, uint64, error) {
@ -131,8 +134,9 @@ func NewHysteria(option HysteriaOption) (*Hysteria, error) {
 			Timeout: 8 * time.Second,
 		},
 	}
-
 	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
+	ports := option.Ports
+
 	serverName := option.Server
 	if option.SNI != "" {
 		serverName = option.SNI
@ -182,7 +186,6 @@ func NewHysteria(option HysteriaOption) (*Hysteria, error) {
 	} else {
 		tlsConfig.NextProtos = []string{DefaultALPN}
 	}
-
 	quicConfig := &quic.Config{
 		InitialStreamReceiveWindow:     uint64(option.ReceiveWindowConn),
 		MaxStreamReceiveWindow:         uint64(option.ReceiveWindowConn),
@ -198,7 +201,11 @@ func NewHysteria(option HysteriaOption) (*Hysteria, error) {
 	if option.Protocol == "" {
 		option.Protocol = DefaultProtocol
 	}
-	if option.ReceiveWindowConn == 0 {
+	if option.HopInterval == 0 {
+		option.HopInterval = DefaultHopInterval
+	}
+	hopInterval := time.Duration(int64(option.HopInterval)) * time.Second
+	if option.ReceiveWindow == 0 {
 		quicConfig.InitialStreamReceiveWindow = DefaultStreamReceiveWindow / 10
 		quicConfig.MaxStreamReceiveWindow = DefaultStreamReceiveWindow
 	}
@ -233,9 +240,9 @@ func NewHysteria(option HysteriaOption) (*Hysteria, error) {
 		down = uint64(option.DownSpeed * mbpsToBps)
 	}
 	client, err := core.NewClient(
-		addr, option.Protocol, auth, tlsConfig, quicConfig, clientTransport, up, down, func(refBPS uint64) congestion.CongestionControl {
+		addr, ports, option.Protocol, auth, tlsConfig, quicConfig, clientTransport, up, down, func(refBPS uint64) congestion.CongestionControl {
 			return hyCongestion.NewBrutalSender(congestion.ByteCount(refBPS))
-		}, obfuscator,
+		}, obfuscator, hopInterval, option.FastOpen,
 	)
 	if err != nil {
 		return nil, fmt.Errorf("hysteria %s create error: %w", addr, err)
@ -246,6 +253,7 @@ func NewHysteria(option HysteriaOption) (*Hysteria, error) {
 			addr:   addr,
 			tp:     C.Hysteria,
 			udp:    true,
+			tfo:    option.FastOpen,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
@ -314,13 +322,17 @@ func (c *hyPacketConn) WriteTo(p []byte, addr net.Addr) (n int, err error) {
 }

 type hyDialerWithContext struct {
-	hyDialer   func() (net.PacketConn, error)
+	hyDialer   func(network string) (net.PacketConn, error)
 	ctx        context.Context
 	remoteAddr func(host string) (net.Addr, error)
 }

-func (h *hyDialerWithContext) ListenPacket() (net.PacketConn, error) {
-	return h.hyDialer()
+func (h *hyDialerWithContext) ListenPacket(rAddr net.Addr) (net.PacketConn, error) {
+	network := "udp"
+	if addrPort, err := netip.ParseAddrPort(rAddr.String()); err == nil {
+		network = dialer.ParseNetwork(network, addrPort.Addr())
+	}
+	return h.hyDialer(network)
 }

 func (h *hyDialerWithContext) Context() context.Context {
--- a/adapter/outbound/shadowsocks.go
+++ b/adapter/outbound/shadowsocks.go
@ -2,6 +2,7 @@ package outbound

 import (
 	"context"
+	"crypto/tls"
 	"errors"
 	"fmt"
 	"net"
@ -9,12 +10,15 @@ import (

 	"github.com/Dreamacro/clash/common/structure"
 	"github.com/Dreamacro/clash/component/dialer"
+	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/transport/shadowtls"
 	obfs "github.com/Dreamacro/clash/transport/simple-obfs"
 	"github.com/Dreamacro/clash/transport/socks5"
 	v2rayObfs "github.com/Dreamacro/clash/transport/v2ray-plugin"
-	"github.com/sagernet/sing-shadowsocks"
-	"github.com/sagernet/sing-shadowsocks/shadowimpl"
+
+	shadowsocks "github.com/metacubex/sing-shadowsocks"
+	"github.com/metacubex/sing-shadowsocks/shadowimpl"
 	"github.com/sagernet/sing/common/bufio"
 	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/uot"
@ -26,9 +30,11 @@ type ShadowSocks struct {

 	option *ShadowSocksOption
 	// obfs
-	obfsMode    string
-	obfsOption  *simpleObfsOption
-	v2rayOption *v2rayObfs.Option
+	obfsMode        string
+	obfsOption      *simpleObfsOption
+	v2rayOption     *v2rayObfs.Option
+	shadowTLSOption *shadowTLSOption
+	tlsConfig       *tls.Config
 }

 type ShadowSocksOption struct {
@ -60,6 +66,13 @@ type v2rayObfsOption struct {
 	Mux            bool              `obfs:"mux,omitempty"`
 }

+type shadowTLSOption struct {
+	Password       string `obfs:"password"`
+	Host           string `obfs:"host"`
+	Fingerprint    string `obfs:"fingerprint,omitempty"`
+	SkipCertVerify bool   `obfs:"skip-cert-verify,omitempty"`
+}
+
 // StreamConn implements C.ProxyAdapter
 func (ss *ShadowSocks) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	switch ss.obfsMode {
@ -74,6 +87,8 @@ func (ss *ShadowSocks) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, e
 		if err != nil {
 			return nil, fmt.Errorf("%s connect error: %w", ss.addr, err)
 		}
+	case shadowtls.Mode:
+		c = shadowtls.NewShadowTLS(c, ss.shadowTLSOption.Password, ss.tlsConfig)
 	}
 	if metadata.NetWork == C.UDP && ss.option.UDPOverTCP {
 		return ss.method.DialConn(c, M.ParseSocksaddr(uot.UOTMagicAddress+":443"))
@ -83,13 +98,20 @@ func (ss *ShadowSocks) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, e

 // DialContext implements C.ProxyAdapter
 func (ss *ShadowSocks) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
-	c, err := dialer.DialContext(ctx, "tcp", ss.addr, ss.Base.DialOptions(opts...)...)
+	return ss.DialContextWithDialer(ctx, dialer.NewDialer(ss.Base.DialOptions(opts...)...), metadata)
+}
+
+// DialContextWithDialer implements C.ProxyAdapter
+func (ss *ShadowSocks) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.Conn, err error) {
+	c, err := dialer.DialContext(ctx, "tcp", ss.addr)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", ss.addr, err)
 	}
 	tcpKeepAlive(c)

-	defer safeConnClose(c, err)
+	defer func(c net.Conn) {
+		safeConnClose(c, err)
+	}(c)

 	c, err = ss.StreamConn(c, metadata)
 	return NewConn(c, ss), err
@ -97,27 +119,36 @@ func (ss *ShadowSocks) DialContext(ctx context.Context, metadata *C.Metadata, op

 // ListenPacketContext implements C.ProxyAdapter
 func (ss *ShadowSocks) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
+	return ss.ListenPacketWithDialer(ctx, dialer.NewDialer(ss.Base.DialOptions(opts...)...), metadata)
+}
+
+// ListenPacketWithDialer implements C.ProxyAdapter
+func (ss *ShadowSocks) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.PacketConn, err error) {
 	if ss.option.UDPOverTCP {
-		tcpConn, err := ss.DialContext(ctx, metadata, opts...)
+		tcpConn, err := ss.DialContextWithDialer(ctx, dialer, metadata)
 		if err != nil {
 			return nil, err
 		}
 		return newPacketConn(uot.NewClientConn(tcpConn), ss), nil
 	}
-	pc, err := dialer.ListenPacket(ctx, "udp", "", ss.Base.DialOptions(opts...)...)
+	addr, err := resolveUDPAddrWithPrefer(ctx, "udp", ss.addr, ss.prefer)
 	if err != nil {
 		return nil, err
 	}

-	addr, err := resolveUDPAddrWithPrefer("udp", ss.addr, ss.prefer)
+	pc, err := dialer.ListenPacket(ctx, "udp", "", addr.AddrPort())
 	if err != nil {
-		pc.Close()
 		return nil, err
 	}
 	pc = ss.method.DialPacketConn(&bufio.BindPacketConn{PacketConn: pc, Addr: addr})
 	return newPacketConn(pc, ss), nil
 }

+// SupportWithDialer implements C.ProxyAdapter
+func (ss *ShadowSocks) SupportWithDialer() bool {
+	return true
+}
+
 // ListenPacketOnStreamConn implements C.ProxyAdapter
 func (ss *ShadowSocks) ListenPacketOnStreamConn(c net.Conn, metadata *C.Metadata) (_ C.PacketConn, err error) {
 	if ss.option.UDPOverTCP {
@ -140,6 +171,8 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {

 	var v2rayOption *v2rayObfs.Option
 	var obfsOption *simpleObfsOption
+	var shadowTLSOpt *shadowTLSOption
+	var tlsConfig *tls.Config
 	obfsMode := ""

 	decoder := structure.NewDecoder(structure.Option{TagName: "obfs", WeaklyTypedInput: true})
@ -175,6 +208,27 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 			v2rayOption.TLS = true
 			v2rayOption.SkipCertVerify = opts.SkipCertVerify
 		}
+	} else if option.Plugin == shadowtls.Mode {
+		obfsMode = shadowtls.Mode
+		shadowTLSOpt = &shadowTLSOption{}
+		if err := decoder.Decode(option.PluginOpts, shadowTLSOpt); err != nil {
+			return nil, fmt.Errorf("ss %s initialize shadow-tls-plugin error: %w", addr, err)
+		}
+
+		tlsConfig = &tls.Config{
+			NextProtos:         shadowtls.DefaultALPN,
+			MinVersion:         tls.VersionTLS12,
+			InsecureSkipVerify: shadowTLSOpt.SkipCertVerify,
+			ServerName:         shadowTLSOpt.Host,
+		}
+
+		if len(shadowTLSOpt.Fingerprint) == 0 {
+			tlsConfig = tlsC.GetGlobalFingerprintTLCConfig(tlsConfig)
+		} else {
+			if tlsConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, shadowTLSOpt.Fingerprint); err != nil {
+				return nil, err
+			}
+		}
 	}

 	return &ShadowSocks{
@ -189,10 +243,12 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 		},
 		method: method,

-		option:      &option,
-		obfsMode:    obfsMode,
-		v2rayOption: v2rayOption,
-		obfsOption:  obfsOption,
+		option:          &option,
+		obfsMode:        obfsMode,
+		v2rayOption:     v2rayOption,
+		obfsOption:      obfsOption,
+		shadowTLSOption: shadowTLSOpt,
+		tlsConfig:       tlsConfig,
 	}, nil
 }

--- a/adapter/outbound/shadowsocksr.go
+++ b/adapter/outbound/shadowsocksr.go
@ -60,13 +60,20 @@ func (ssr *ShadowSocksR) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn,

 // DialContext implements C.ProxyAdapter
 func (ssr *ShadowSocksR) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
-	c, err := dialer.DialContext(ctx, "tcp", ssr.addr, ssr.Base.DialOptions(opts...)...)
+	return ssr.DialContextWithDialer(ctx, dialer.NewDialer(ssr.Base.DialOptions(opts...)...), metadata)
+}
+
+// DialContextWithDialer implements C.ProxyAdapter
+func (ssr *ShadowSocksR) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.Conn, err error) {
+	c, err := dialer.DialContext(ctx, "tcp", ssr.addr)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", ssr.addr, err)
 	}
 	tcpKeepAlive(c)

-	defer safeConnClose(c, err)
+	defer func(c net.Conn) {
+		safeConnClose(c, err)
+	}(c)

 	c, err = ssr.StreamConn(c, metadata)
 	return NewConn(c, ssr), err
@ -74,14 +81,18 @@ func (ssr *ShadowSocksR) DialContext(ctx context.Context, metadata *C.Metadata,

 // ListenPacketContext implements C.ProxyAdapter
 func (ssr *ShadowSocksR) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
-	pc, err := dialer.ListenPacket(ctx, "udp", "", ssr.Base.DialOptions(opts...)...)
+	return ssr.ListenPacketWithDialer(ctx, dialer.NewDialer(ssr.Base.DialOptions(opts...)...), metadata)
+}
+
+// ListenPacketWithDialer implements C.ProxyAdapter
+func (ssr *ShadowSocksR) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.PacketConn, err error) {
+	addr, err := resolveUDPAddrWithPrefer(ctx, "udp", ssr.addr, ssr.prefer)
 	if err != nil {
 		return nil, err
 	}

-	addr, err := resolveUDPAddrWithPrefer("udp", ssr.addr, ssr.prefer)
+	pc, err := dialer.ListenPacket(ctx, "udp", "", addr.AddrPort())
 	if err != nil {
-		pc.Close()
 		return nil, err
 	}

@ -90,6 +101,11 @@ func (ssr *ShadowSocksR) ListenPacketContext(ctx context.Context, metadata *C.Me
 	return newPacketConn(&ssPacketConn{PacketConn: pc, rAddr: addr}, ssr), nil
 }

+// SupportWithDialer implements C.ProxyAdapter
+func (ssr *ShadowSocksR) SupportWithDialer() bool {
+	return true
+}
+
 func NewShadowSocksR(option ShadowSocksROption) (*ShadowSocksR, error) {
 	// SSR protocol compatibility
 	// https://github.com/Dreamacro/clash/pull/2056
--- a/adapter/outbound/snell.go
+++ b/adapter/outbound/snell.go
@ -78,13 +78,20 @@ func (s *Snell) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d
 		return NewConn(c, s), err
 	}

-	c, err := dialer.DialContext(ctx, "tcp", s.addr, s.Base.DialOptions(opts...)...)
+	return s.DialContextWithDialer(ctx, dialer.NewDialer(s.Base.DialOptions(opts...)...), metadata)
+}
+
+// DialContextWithDialer implements C.ProxyAdapter
+func (s *Snell) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.Conn, err error) {
+	c, err := dialer.DialContext(ctx, "tcp", s.addr)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", s.addr, err)
 	}
 	tcpKeepAlive(c)

-	defer safeConnClose(c, err)
+	defer func(c net.Conn) {
+		safeConnClose(c, err)
+	}(c)

 	c, err = s.StreamConn(c, metadata)
 	return NewConn(c, s), err
@ -92,7 +99,12 @@ func (s *Snell) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d

 // ListenPacketContext implements C.ProxyAdapter
 func (s *Snell) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
-	c, err := dialer.DialContext(ctx, "tcp", s.addr, s.Base.DialOptions(opts...)...)
+	return s.ListenPacketWithDialer(ctx, dialer.NewDialer(s.Base.DialOptions(opts...)...), metadata)
+}
+
+// ListenPacketWithDialer implements C.ProxyAdapter
+func (s *Snell) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (C.PacketConn, error) {
+	c, err := dialer.DialContext(ctx, "tcp", s.addr)
 	if err != nil {
 		return nil, err
 	}
@ -108,10 +120,9 @@ func (s *Snell) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o
 	return newPacketConn(pc, s), nil
 }

-// ListenPacketOnStreamConn implements C.ProxyAdapter
-func (s *Snell) ListenPacketOnStreamConn(c net.Conn, metadata *C.Metadata) (_ C.PacketConn, err error) {
-	pc := snell.PacketConn(c)
-	return newPacketConn(pc, s), nil
+// SupportWithDialer implements C.ProxyAdapter
+func (s *Snell) SupportWithDialer() bool {
+	return true
 }

 // SupportUOT implements C.ProxyAdapter
--- a/adapter/outbound/socks5.go
+++ b/adapter/outbound/socks5.go
@ -41,7 +41,9 @@ type Socks5Option struct {
 func (ss *Socks5) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	if ss.tls {
 		cc := tls.Client(c, ss.tlsConfig)
-		err := cc.Handshake()
+		ctx, cancel := context.WithTimeout(context.Background(), C.DefaultTLSTimeout)
+		defer cancel()
+		err := cc.HandshakeContext(ctx)
 		c = cc
 		if err != nil {
 			return nil, fmt.Errorf("%s connect error: %w", ss.addr, err)
@ -63,13 +65,20 @@ func (ss *Socks5) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error)

 // DialContext implements C.ProxyAdapter
 func (ss *Socks5) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
-	c, err := dialer.DialContext(ctx, "tcp", ss.addr, ss.Base.DialOptions(opts...)...)
+	return ss.DialContextWithDialer(ctx, dialer.NewDialer(ss.Base.DialOptions(opts...)...), metadata)
+}
+
+// DialContextWithDialer implements C.ProxyAdapter
+func (ss *Socks5) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.Conn, err error) {
+	c, err := dialer.DialContext(ctx, "tcp", ss.addr)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", ss.addr, err)
 	}
 	tcpKeepAlive(c)

-	defer safeConnClose(c, err)
+	defer func(c net.Conn) {
+		safeConnClose(c, err)
+	}(c)

 	c, err = ss.StreamConn(c, metadata)
 	if err != nil {
@ -79,6 +88,11 @@ func (ss *Socks5) DialContext(ctx context.Context, metadata *C.Metadata, opts ..
 	return NewConn(c, ss), nil
 }

+// SupportWithDialer implements C.ProxyAdapter
+func (ss *Socks5) SupportWithDialer() bool {
+	return true
+}
+
 // ListenPacketContext implements C.ProxyAdapter
 func (ss *Socks5) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
 	c, err := dialer.DialContext(ctx, "tcp", ss.addr, ss.Base.DialOptions(opts...)...)
@ -89,11 +103,15 @@ func (ss *Socks5) ListenPacketContext(ctx context.Context, metadata *C.Metadata,

 	if ss.tls {
 		cc := tls.Client(c, ss.tlsConfig)
-		err = cc.Handshake()
+		ctx, cancel := context.WithTimeout(context.Background(), C.DefaultTLSTimeout)
+		defer cancel()
+		err = cc.HandshakeContext(ctx)
 		c = cc
 	}

-	defer safeConnClose(c, err)
+	defer func(c net.Conn) {
+		safeConnClose(c, err)
+	}(c)

 	tcpKeepAlive(c)
 	var user *socks5.User
@ -110,7 +128,21 @@ func (ss *Socks5) ListenPacketContext(ctx context.Context, metadata *C.Metadata,
 		return
 	}

-	pc, err := dialer.ListenPacket(ctx, "udp", "", ss.Base.DialOptions(opts...)...)
+	// Support unspecified UDP bind address.
+	bindUDPAddr := bindAddr.UDPAddr()
+	if bindUDPAddr == nil {
+		err = errors.New("invalid UDP bind address")
+		return
+	} else if bindUDPAddr.IP.IsUnspecified() {
+		serverAddr, err := resolveUDPAddr(ctx, "udp", ss.Addr())
+		if err != nil {
+			return nil, err
+		}
+
+		bindUDPAddr.IP = serverAddr.IP
+	}
+
+	pc, err := dialer.ListenPacket(ctx, dialer.ParseNetwork("udp", bindUDPAddr.AddrPort().Addr()), "", ss.Base.DialOptions(opts...)...)
 	if err != nil {
 		return
 	}
@ -123,20 +155,6 @@ func (ss *Socks5) ListenPacketContext(ctx context.Context, metadata *C.Metadata,
 		pc.Close()
 	}()

-	// Support unspecified UDP bind address.
-	bindUDPAddr := bindAddr.UDPAddr()
-	if bindUDPAddr == nil {
-		err = errors.New("invalid UDP bind address")
-		return
-	} else if bindUDPAddr.IP.IsUnspecified() {
-		serverAddr, err := resolveUDPAddr("udp", ss.Addr())
-		if err != nil {
-			return nil, err
-		}
-
-		bindUDPAddr.IP = serverAddr.IP
-	}
-
 	return newPacketConn(&socksPacketConn{PacketConn: pc, rAddr: bindUDPAddr, tcpConn: c}, ss), nil
 }

--- a/adapter/outbound/trojan.go
+++ b/adapter/outbound/trojan.go
@ -4,12 +4,12 @@ import (
 	"context"
 	"crypto/tls"
 	"fmt"
-	tlsC "github.com/Dreamacro/clash/component/tls"
 	"net"
 	"net/http"
 	"strconv"

 	"github.com/Dreamacro/clash/component/dialer"
+	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/gun"
 	"github.com/Dreamacro/clash/transport/trojan"
@ -120,14 +120,20 @@ func (t *Trojan) DialContext(ctx context.Context, metadata *C.Metadata, opts ...

 		return NewConn(c, t), nil
 	}
+	return t.DialContextWithDialer(ctx, dialer.NewDialer(t.Base.DialOptions(opts...)...), metadata)
+}

-	c, err := dialer.DialContext(ctx, "tcp", t.addr, t.Base.DialOptions(opts...)...)
+// DialContextWithDialer implements C.ProxyAdapter
+func (t *Trojan) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.Conn, err error) {
+	c, err := dialer.DialContext(ctx, "tcp", t.addr)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
 	}
 	tcpKeepAlive(c)

-	defer safeConnClose(c, err)
+	defer func(c net.Conn) {
+		safeConnClose(c, err)
+	}(c)

 	c, err = t.StreamConn(c, metadata)
 	if err != nil {
@ -147,18 +153,33 @@ func (t *Trojan) ListenPacketContext(ctx context.Context, metadata *C.Metadata,
 		if err != nil {
 			return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
 		}
-		defer safeConnClose(c, err)
-	} else {
-		c, err = dialer.DialContext(ctx, "tcp", t.addr, t.Base.DialOptions(opts...)...)
+		defer func(c net.Conn) {
+			safeConnClose(c, err)
+		}(c)
+		err = t.instance.WriteHeader(c, trojan.CommandUDP, serializesSocksAddr(metadata))
 		if err != nil {
-			return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
-		}
-		defer safeConnClose(c, err)
-		tcpKeepAlive(c)
-		c, err = t.plainStream(c)
-		if err != nil {
-			return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
+			return nil, err
 		}
+
+		pc := t.instance.PacketConn(c)
+		return newPacketConn(pc, t), err
+	}
+	return t.ListenPacketWithDialer(ctx, dialer.NewDialer(t.Base.DialOptions(opts...)...), metadata)
+}
+
+// ListenPacketWithDialer implements C.ProxyAdapter
+func (t *Trojan) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.PacketConn, err error) {
+	c, err := dialer.DialContext(ctx, "tcp", t.addr)
+	if err != nil {
+		return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
+	}
+	defer func(c net.Conn) {
+		safeConnClose(c, err)
+	}(c)
+	tcpKeepAlive(c)
+	c, err = t.plainStream(c)
+	if err != nil {
+		return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
 	}

 	err = t.instance.WriteHeader(c, trojan.CommandUDP, serializesSocksAddr(metadata))
@ -170,6 +191,11 @@ func (t *Trojan) ListenPacketContext(ctx context.Context, metadata *C.Metadata,
 	return newPacketConn(pc, t), err
 }

+// SupportWithDialer implements C.ProxyAdapter
+func (t *Trojan) SupportWithDialer() bool {
+	return true
+}
+
 // ListenPacketOnStreamConn implements C.ProxyAdapter
 func (t *Trojan) ListenPacketOnStreamConn(c net.Conn, metadata *C.Metadata) (_ C.PacketConn, err error) {
 	pc := t.instance.PacketConn(c)
@ -193,13 +219,16 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 		Fingerprint:    option.Fingerprint,
 	}

-	if option.Network != "ws" && len(option.Flow) >= 16 {
-		option.Flow = option.Flow[:16]
-		switch option.Flow {
-		case vless.XRO, vless.XRD, vless.XRS:
-			tOption.Flow = option.Flow
-		default:
-			return nil, fmt.Errorf("unsupported xtls flow type: %s", option.Flow)
+	switch option.Network {
+	case "", "tcp":
+		if len(option.Flow) >= 16 {
+			option.Flow = option.Flow[:16]
+			switch option.Flow {
+			case vless.XRO, vless.XRD, vless.XRS:
+				tOption.Flow = option.Flow
+			default:
+				return nil, fmt.Errorf("unsupported xtls flow type: %s", option.Flow)
+			}
 		}
 	}

@ -247,11 +276,7 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 			}
 		}

-		if t.option.Flow != "" {
-			t.transport = gun.NewHTTP2XTLSClient(dialFn, tlsConfig)
-		} else {
-			t.transport = gun.NewHTTP2Client(dialFn, tlsConfig)
-		}
+		t.transport = gun.NewHTTP2Client(dialFn, tlsConfig)

 		t.gunTLSConfig = tlsConfig
 		t.gunConfig = &gun.Config{
--- a/adapter/outbound/tuic.go
+++ b/adapter/outbound/tuic.go
@ -0,0 +1,242 @@
+package outbound
+
+import (
+	"context"
+	"crypto/sha256"
+	"crypto/tls"
+	"encoding/hex"
+	"encoding/pem"
+	"fmt"
+	"math"
+	"net"
+	"os"
+	"strconv"
+	"time"
+
+	"github.com/metacubex/quic-go"
+
+	"github.com/Dreamacro/clash/component/dialer"
+	tlsC "github.com/Dreamacro/clash/component/tls"
+	C "github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/transport/tuic"
+)
+
+type Tuic struct {
+	*Base
+	client *tuic.PoolClient
+}
+
+type TuicOption struct {
+	BasicOption
+	Name                  string   `proxy:"name"`
+	Server                string   `proxy:"server"`
+	Port                  int      `proxy:"port"`
+	Token                 string   `proxy:"token"`
+	Ip                    string   `proxy:"ip,omitempty"`
+	HeartbeatInterval     int      `proxy:"heartbeat-interval,omitempty"`
+	ALPN                  []string `proxy:"alpn,omitempty"`
+	ReduceRtt             bool     `proxy:"reduce-rtt,omitempty"`
+	RequestTimeout        int      `proxy:"request-timeout,omitempty"`
+	UdpRelayMode          string   `proxy:"udp-relay-mode,omitempty"`
+	CongestionController  string   `proxy:"congestion-controller,omitempty"`
+	DisableSni            bool     `proxy:"disable-sni,omitempty"`
+	MaxUdpRelayPacketSize int      `proxy:"max-udp-relay-packet-size,omitempty"`
+
+	FastOpen            bool   `proxy:"fast-open,omitempty"`
+	MaxOpenStreams      int    `proxy:"max-open-streams,omitempty"`
+	SkipCertVerify      bool   `proxy:"skip-cert-verify,omitempty"`
+	Fingerprint         string `proxy:"fingerprint,omitempty"`
+	CustomCA            string `proxy:"ca,omitempty"`
+	CustomCAString      string `proxy:"ca-str,omitempty"`
+	ReceiveWindowConn   int    `proxy:"recv-window-conn,omitempty"`
+	ReceiveWindow       int    `proxy:"recv-window,omitempty"`
+	DisableMTUDiscovery bool   `proxy:"disable-mtu-discovery,omitempty"`
+}
+
+// DialContext implements C.ProxyAdapter
+func (t *Tuic) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
+	return t.DialContextWithDialer(ctx, dialer.NewDialer(t.Base.DialOptions(opts...)...), metadata)
+}
+
+// DialContextWithDialer implements C.ProxyAdapter
+func (t *Tuic) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (C.Conn, error) {
+	conn, err := t.client.DialContextWithDialer(ctx, metadata, dialer, t.dialWithDialer)
+	if err != nil {
+		return nil, err
+	}
+	return NewConn(conn, t), err
+}
+
+// ListenPacketContext implements C.ProxyAdapter
+func (t *Tuic) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
+	return t.ListenPacketWithDialer(ctx, dialer.NewDialer(t.Base.DialOptions(opts...)...), metadata)
+}
+
+// ListenPacketWithDialer implements C.ProxyAdapter
+func (t *Tuic) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.PacketConn, err error) {
+	pc, err := t.client.ListenPacketWithDialer(ctx, metadata, dialer, t.dialWithDialer)
+	if err != nil {
+		return nil, err
+	}
+	return newPacketConn(pc, t), nil
+}
+
+// SupportWithDialer implements C.ProxyAdapter
+func (t *Tuic) SupportWithDialer() bool {
+	return true
+}
+
+func (t *Tuic) dial(ctx context.Context, opts ...dialer.Option) (pc net.PacketConn, addr net.Addr, err error) {
+	return t.dialWithDialer(ctx, dialer.NewDialer(opts...))
+}
+
+func (t *Tuic) dialWithDialer(ctx context.Context, dialer C.Dialer) (pc net.PacketConn, addr net.Addr, err error) {
+	udpAddr, err := resolveUDPAddrWithPrefer(ctx, "udp", t.addr, t.prefer)
+	if err != nil {
+		return nil, nil, err
+	}
+	addr = udpAddr
+	pc, err = dialer.ListenPacket(ctx, "udp", "", udpAddr.AddrPort())
+	if err != nil {
+		return nil, nil, err
+	}
+	return
+}
+
+func NewTuic(option TuicOption) (*Tuic, error) {
+	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
+	serverName := option.Server
+
+	tlsConfig := &tls.Config{
+		ServerName:         serverName,
+		InsecureSkipVerify: option.SkipCertVerify,
+		MinVersion:         tls.VersionTLS13,
+	}
+
+	var bs []byte
+	var err error
+	if len(option.CustomCA) > 0 {
+		bs, err = os.ReadFile(option.CustomCA)
+		if err != nil {
+			return nil, fmt.Errorf("tuic %s load ca error: %w", addr, err)
+		}
+	} else if option.CustomCAString != "" {
+		bs = []byte(option.CustomCAString)
+	}
+
+	if len(bs) > 0 {
+		block, _ := pem.Decode(bs)
+		if block == nil {
+			return nil, fmt.Errorf("CA cert is not PEM")
+		}
+
+		fpBytes := sha256.Sum256(block.Bytes)
+		if len(option.Fingerprint) == 0 {
+			option.Fingerprint = hex.EncodeToString(fpBytes[:])
+		}
+	}
+
+	if len(option.Fingerprint) != 0 {
+		var err error
+		tlsConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		tlsConfig = tlsC.GetGlobalFingerprintTLCConfig(tlsConfig)
+	}
+
+	if len(option.ALPN) > 0 {
+		tlsConfig.NextProtos = option.ALPN
+	} else {
+		tlsConfig.NextProtos = []string{"h3"}
+	}
+
+	if option.RequestTimeout == 0 {
+		option.RequestTimeout = 8000
+	}
+
+	if option.HeartbeatInterval <= 0 {
+		option.HeartbeatInterval = 10000
+	}
+
+	if option.UdpRelayMode != "quic" {
+		option.UdpRelayMode = "native"
+	}
+
+	if option.MaxUdpRelayPacketSize == 0 {
+		option.MaxUdpRelayPacketSize = 1500
+	}
+
+	if option.MaxOpenStreams == 0 {
+		option.MaxOpenStreams = 100
+	}
+
+	// ensure server's incoming stream can handle correctly, increase to 1.1x
+	quicMaxOpenStreams := int64(option.MaxOpenStreams)
+	quicMaxOpenStreams = quicMaxOpenStreams + int64(math.Ceil(float64(quicMaxOpenStreams)/10.0))
+	quicConfig := &quic.Config{
+		InitialStreamReceiveWindow:     uint64(option.ReceiveWindowConn),
+		MaxStreamReceiveWindow:         uint64(option.ReceiveWindowConn),
+		InitialConnectionReceiveWindow: uint64(option.ReceiveWindow),
+		MaxConnectionReceiveWindow:     uint64(option.ReceiveWindow),
+		MaxIncomingStreams:             quicMaxOpenStreams,
+		MaxIncomingUniStreams:          quicMaxOpenStreams,
+		KeepAlivePeriod:                time.Duration(option.HeartbeatInterval) * time.Millisecond,
+		DisablePathMTUDiscovery:        option.DisableMTUDiscovery,
+		EnableDatagrams:                true,
+	}
+	if option.ReceiveWindowConn == 0 {
+		quicConfig.InitialStreamReceiveWindow = tuic.DefaultStreamReceiveWindow / 10
+		quicConfig.MaxStreamReceiveWindow = tuic.DefaultStreamReceiveWindow
+	}
+	if option.ReceiveWindow == 0 {
+		quicConfig.InitialConnectionReceiveWindow = tuic.DefaultConnectionReceiveWindow / 10
+		quicConfig.MaxConnectionReceiveWindow = tuic.DefaultConnectionReceiveWindow
+	}
+
+	if len(option.Ip) > 0 {
+		addr = net.JoinHostPort(option.Ip, strconv.Itoa(option.Port))
+	}
+	host := option.Server
+	if option.DisableSni {
+		host = ""
+		tlsConfig.ServerName = ""
+	}
+	tkn := tuic.GenTKN(option.Token)
+
+	t := &Tuic{
+		Base: &Base{
+			name:   option.Name,
+			addr:   addr,
+			tp:     C.Tuic,
+			udp:    true,
+			tfo:    option.FastOpen,
+			iface:  option.Interface,
+			prefer: C.NewDNSPrefer(option.IPVersion),
+		},
+	}
+	// to avoid tuic's "too many open streams", decrease to 0.9x
+	clientMaxOpenStreams := int64(option.MaxOpenStreams)
+	clientMaxOpenStreams = clientMaxOpenStreams - int64(math.Ceil(float64(clientMaxOpenStreams)/10.0))
+	if clientMaxOpenStreams < 1 {
+		clientMaxOpenStreams = 1
+	}
+	clientOption := &tuic.ClientOption{
+		TlsConfig:             tlsConfig,
+		QuicConfig:            quicConfig,
+		Host:                  host,
+		Token:                 tkn,
+		UdpRelayMode:          option.UdpRelayMode,
+		CongestionController:  option.CongestionController,
+		ReduceRtt:             option.ReduceRtt,
+		RequestTimeout:        time.Duration(option.RequestTimeout) * time.Millisecond,
+		MaxUdpRelayPacketSize: option.MaxUdpRelayPacketSize,
+		FastOpen:              option.FastOpen,
+		MaxOpenStreams:        clientMaxOpenStreams,
+	}
+
+	t.client = tuic.NewPoolClient(clientOption)
+
+	return t, nil
+}
--- a/adapter/outbound/util.go
+++ b/adapter/outbound/util.go
@ -2,6 +2,7 @@ package outbound

 import (
 	"bytes"
+	"context"
 	"crypto/tls"
 	xtls "github.com/xtls/go"
 	"net"
@ -63,34 +64,34 @@ func serializesSocksAddr(metadata *C.Metadata) []byte {
 	return bytes.Join(buf, nil)
 }

-func resolveUDPAddr(network, address string) (*net.UDPAddr, error) {
+func resolveUDPAddr(ctx context.Context, network, address string) (*net.UDPAddr, error) {
 	host, port, err := net.SplitHostPort(address)
 	if err != nil {
 		return nil, err
 	}

-	ip, err := resolver.ResolveProxyServerHost(host)
+	ip, err := resolver.ResolveProxyServerHost(ctx, host)
 	if err != nil {
 		return nil, err
 	}
 	return net.ResolveUDPAddr(network, net.JoinHostPort(ip.String(), port))
 }

-func resolveUDPAddrWithPrefer(network, address string, prefer C.DNSPrefer) (*net.UDPAddr, error) {
+func resolveUDPAddrWithPrefer(ctx context.Context, network, address string, prefer C.DNSPrefer) (*net.UDPAddr, error) {
 	host, port, err := net.SplitHostPort(address)
 	if err != nil {
 		return nil, err
 	}
 	var ip netip.Addr
+	var fallback netip.Addr
 	switch prefer {
 	case C.IPv4Only:
-		ip, err = resolver.ResolveIPv4ProxyServerHost(host)
+		ip, err = resolver.ResolveIPv4ProxyServerHost(ctx, host)
 	case C.IPv6Only:
-		ip, err = resolver.ResolveIPv6ProxyServerHost(host)
+		ip, err = resolver.ResolveIPv6ProxyServerHost(ctx, host)
 	case C.IPv6Prefer:
 		var ips []netip.Addr
-		ips, err = resolver.ResolveAllIPProxyServerHost(host)
-		var fallback netip.Addr
+		ips, err = resolver.LookupIPProxyServerHost(ctx, host)
 		if err == nil {
 			for _, addr := range ips {
 				if addr.Is6() {
@ -102,13 +103,11 @@ func resolveUDPAddrWithPrefer(network, address string, prefer C.DNSPrefer) (*net
 					}
 				}
 			}
-			ip = fallback
 		}
 	default:
 		// C.IPv4Prefer, C.DualStack and other
 		var ips []netip.Addr
-		ips, err = resolver.ResolveAllIPProxyServerHost(host)
-		var fallback netip.Addr
+		ips, err = resolver.LookupIPProxyServerHost(ctx, host)
 		if err == nil {
 			for _, addr := range ips {
 				if addr.Is4() {
@ -121,12 +120,13 @@ func resolveUDPAddrWithPrefer(network, address string, prefer C.DNSPrefer) (*net
 				}
 			}

-			if !ip.IsValid() && fallback.IsValid() {
-				ip = fallback
-			}
 		}
 	}

+	if !ip.IsValid() && fallback.IsValid() {
+		ip = fallback
+	}
+
 	if err != nil {
 		return nil, err
 	}
@ -134,7 +134,7 @@ func resolveUDPAddrWithPrefer(network, address string, prefer C.DNSPrefer) (*net
 }

 func safeConnClose(c net.Conn, err error) {
-	if err != nil {
+	if err != nil && c != nil {
 		_ = c.Close()
 	}
 }
--- a/adapter/outbound/vless.go
+++ b/adapter/outbound/vless.go
@ -12,6 +12,10 @@ import (
 	"strconv"
 	"sync"

+	vmessSing "github.com/sagernet/sing-vmess"
+	"github.com/sagernet/sing-vmess/packetaddr"
+	M "github.com/sagernet/sing/common/metadata"
+
 	"github.com/Dreamacro/clash/common/convert"
 	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/resolver"
@ -49,6 +53,9 @@ type VlessOption struct {
 	FlowShow       bool              `proxy:"flow-show,omitempty"`
 	TLS            bool              `proxy:"tls,omitempty"`
 	UDP            bool              `proxy:"udp,omitempty"`
+	PacketAddr     bool              `proxy:"packet-addr,omitempty"`
+	XUDP           bool              `proxy:"xudp,omitempty"`
+	PacketEncoding string            `proxy:"packet-encoding,omitempty"`
 	Network        string            `proxy:"network,omitempty"`
 	HTTPOpts       HTTPOptions       `proxy:"http-opts,omitempty"`
 	HTTP2Opts      HTTP2Options      `proxy:"h2-opts,omitempty"`
@ -137,11 +144,7 @@ func (v *Vless) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {

 		c, err = vmess.StreamH2Conn(c, h2Opts)
 	case "grpc":
-		if v.isXTLSEnabled() {
-			c, err = gun.StreamGunWithXTLSConn(c, v.gunTLSConfig, v.gunConfig)
-		} else {
-			c, err = gun.StreamGunWithConn(c, v.gunTLSConfig, v.gunConfig)
-		}
+		c, err = gun.StreamGunWithConn(c, v.gunTLSConfig, v.gunConfig)
 	default:
 		// default tcp network
 		// handle TLS And XTLS
@ -152,21 +155,17 @@ func (v *Vless) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 		return nil, err
 	}

-	return v.client.StreamConn(c, parseVlessAddr(metadata))
+	return v.client.StreamConn(c, parseVlessAddr(metadata, v.option.XUDP))
 }

 func (v *Vless) streamTLSOrXTLSConn(conn net.Conn, isH2 bool) (net.Conn, error) {
 	host, _, _ := net.SplitHostPort(v.addr)

-	if v.isXTLSEnabled() {
+	if v.isXTLSEnabled() && !isH2 {
 		xtlsOpts := vless.XTLSConfig{
 			Host:           host,
 			SkipCertVerify: v.option.SkipCertVerify,
-			FingerPrint:    v.option.Fingerprint,
-		}
-
-		if isH2 {
-			xtlsOpts.NextProtos = []string{"h2"}
+			Fingerprint:    v.option.Fingerprint,
 		}

 		if v.option.ServerName != "" {
@ -208,22 +207,30 @@ func (v *Vless) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d
 		if err != nil {
 			return nil, err
 		}
-		defer safeConnClose(c, err)
+		defer func(c net.Conn) {
+			safeConnClose(c, err)
+		}(c)

-		c, err = v.client.StreamConn(c, parseVlessAddr(metadata))
+		c, err = v.client.StreamConn(c, parseVlessAddr(metadata, v.option.XUDP))
 		if err != nil {
 			return nil, err
 		}

 		return NewConn(c, v), nil
 	}
+	return v.DialContextWithDialer(ctx, dialer.NewDialer(v.Base.DialOptions(opts...)...), metadata)
+}

-	c, err := dialer.DialContext(ctx, "tcp", v.addr, v.Base.DialOptions(opts...)...)
+// DialContextWithDialer implements C.ProxyAdapter
+func (v *Vless) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.Conn, err error) {
+	c, err := dialer.DialContext(ctx, "tcp", v.addr)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
 	}
 	tcpKeepAlive(c)
-	defer safeConnClose(c, err)
+	defer func(c net.Conn) {
+		safeConnClose(c, err)
+	}(c)

 	c, err = v.StreamConn(c, metadata)
 	return NewConn(c, v), err
@ -233,7 +240,7 @@ func (v *Vless) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d
 func (v *Vless) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
 	// vless use stream-oriented udp with a special address, so we needs a net.UDPAddr
 	if !metadata.Resolved() {
-		ip, err := resolver.ResolveIP(metadata.Host)
+		ip, err := resolver.ResolveIP(ctx, metadata.Host)
 		if err != nil {
 			return nil, errors.New("can't resolve ip")
 		}
@ -247,17 +254,55 @@ func (v *Vless) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o
 		if err != nil {
 			return nil, err
 		}
-		defer safeConnClose(c, err)
+		defer func(c net.Conn) {
+			safeConnClose(c, err)
+		}(c)

-		c, err = v.client.StreamConn(c, parseVlessAddr(metadata))
-	} else {
-		c, err = dialer.DialContext(ctx, "tcp", v.addr, v.Base.DialOptions(opts...)...)
-		if err != nil {
-			return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
+		if v.option.PacketAddr {
+			packetAddrMetadata := *metadata // make a copy
+			packetAddrMetadata.Host = packetaddr.SeqPacketMagicAddress
+			packetAddrMetadata.DstPort = "443"
+
+			c, err = v.client.StreamConn(c, parseVlessAddr(&packetAddrMetadata, false))
+		} else {
+			c, err = v.client.StreamConn(c, parseVlessAddr(metadata, v.option.XUDP))
 		}
-		tcpKeepAlive(c)
-		defer safeConnClose(c, err)

+		if err != nil {
+			return nil, fmt.Errorf("new vless client error: %v", err)
+		}
+
+		return v.ListenPacketOnStreamConn(c, metadata)
+	}
+	return v.ListenPacketWithDialer(ctx, dialer.NewDialer(v.Base.DialOptions(opts...)...), metadata)
+}
+
+// ListenPacketWithDialer implements C.ProxyAdapter
+func (v *Vless) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.PacketConn, err error) {
+	// vless use stream-oriented udp with a special address, so we needs a net.UDPAddr
+	if !metadata.Resolved() {
+		ip, err := resolver.ResolveIP(ctx, metadata.Host)
+		if err != nil {
+			return nil, errors.New("can't resolve ip")
+		}
+		metadata.DstIP = ip
+	}
+	c, err := dialer.DialContext(ctx, "tcp", v.addr)
+	if err != nil {
+		return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
+	}
+	tcpKeepAlive(c)
+	defer func(c net.Conn) {
+		safeConnClose(c, err)
+	}(c)
+
+	if v.option.PacketAddr {
+		packetAddrMetadata := *metadata // make a copy
+		packetAddrMetadata.Host = packetaddr.SeqPacketMagicAddress
+		packetAddrMetadata.DstPort = "443"
+
+		c, err = v.StreamConn(c, &packetAddrMetadata)
+	} else {
 		c, err = v.StreamConn(c, metadata)
 	}

@ -268,8 +313,24 @@ func (v *Vless) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o
 	return v.ListenPacketOnStreamConn(c, metadata)
 }

+// SupportWithDialer implements C.ProxyAdapter
+func (v *Vless) SupportWithDialer() bool {
+	return true
+}
+
 // ListenPacketOnStreamConn implements C.ProxyAdapter
 func (v *Vless) ListenPacketOnStreamConn(c net.Conn, metadata *C.Metadata) (_ C.PacketConn, err error) {
+	if v.option.XUDP {
+		return newPacketConn(&threadSafePacketConn{
+			PacketConn: vmessSing.NewXUDPConn(c, M.ParseSocksaddr(metadata.RemoteAddress())),
+		}, v), nil
+	} else if v.option.PacketAddr {
+		return newPacketConn(&threadSafePacketConn{
+			PacketConn: packetaddr.NewConn(&vlessPacketConn{
+				Conn: c, rAddr: metadata.UDPAddr(),
+			}, M.ParseSocksaddr(metadata.RemoteAddress())),
+		}, v), nil
+	}
 	return newPacketConn(&vlessPacketConn{Conn: c, rAddr: metadata.UDPAddr()}, v), nil
 }

@ -278,7 +339,7 @@ func (v *Vless) SupportUOT() bool {
 	return true
 }

-func parseVlessAddr(metadata *C.Metadata) *vless.DstAddr {
+func parseVlessAddr(metadata *C.Metadata, xudp bool) *vless.DstAddr {
 	var addrType byte
 	var addr []byte
 	switch metadata.AddrType() {
@ -302,7 +363,8 @@ func parseVlessAddr(metadata *C.Metadata) *vless.DstAddr {
 		UDP:      metadata.NetWork == C.UDP,
 		AddrType: addrType,
 		Addr:     addr,
-		Port:     uint(port),
+		Port:     uint16(port),
+		Mux:      metadata.NetWork == C.UDP && xudp,
 	}
 }

@ -424,12 +486,23 @@ func NewVless(option VlessOption) (*Vless, error) {
 			tp:     C.Vless,
 			udp:    option.UDP,
 			iface:  option.Interface,
+			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
 		client: client,
 		option: &option,
 	}

+	switch option.PacketEncoding {
+	case "packetaddr", "packet":
+		option.PacketAddr = true
+	case "xudp":
+		option.XUDP = true
+	}
+	if option.XUDP {
+		option.PacketAddr = false
+	}
+
 	switch option.Network {
 	case "h2":
 		if len(option.HTTP2Opts.Host) == 0 {
@ -462,11 +535,7 @@ func NewVless(option VlessOption) (*Vless, error) {

 		v.gunTLSConfig = tlsConfig
 		v.gunConfig = gunConfig
-		if v.isXTLSEnabled() {
-			v.transport = gun.NewHTTP2XTLSClient(dialFn, tlsConfig)
-		} else {
-			v.transport = gun.NewHTTP2Client(dialFn, tlsConfig)
-		}
+		v.transport = gun.NewHTTP2Client(dialFn, tlsConfig)
 	}

 	return v, nil
--- a/adapter/outbound/vmess.go
+++ b/adapter/outbound/vmess.go
@ -18,10 +18,13 @@ import (
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/gun"
 	clashVMess "github.com/Dreamacro/clash/transport/vmess"
+
 	"github.com/sagernet/sing-vmess/packetaddr"
 	M "github.com/sagernet/sing/common/metadata"
 )

+var ErrUDPRemoteAddrMismatch = errors.New("udp packet dropped due to mismatched remote address")
+
 type Vmess struct {
 	*Base
 	client *vmess.Client
@ -113,7 +116,6 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 			if len(v.option.Fingerprint) == 0 {
 				wsOpts.TLSConfig = tlsC.GetGlobalFingerprintTLCConfig(tlsConfig)
 			} else {
-				var err error
 				if wsOpts.TLSConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, v.option.Fingerprint); err != nil {
 					return nil, err
 				}
@ -218,7 +220,9 @@ func (v *Vmess) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d
 		if err != nil {
 			return nil, err
 		}
-		defer safeConnClose(c, err)
+		defer func(c net.Conn) {
+			safeConnClose(c, err)
+		}(c)

 		c, err = v.client.DialConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
 		if err != nil {
@ -227,13 +231,19 @@ func (v *Vmess) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d

 		return NewConn(c, v), nil
 	}
+	return v.DialContextWithDialer(ctx, dialer.NewDialer(v.Base.DialOptions(opts...)...), metadata)
+}

-	c, err := dialer.DialContext(ctx, "tcp", v.addr, v.Base.DialOptions(opts...)...)
+// DialContextWithDialer implements C.ProxyAdapter
+func (v *Vmess) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.Conn, err error) {
+	c, err := dialer.DialContext(ctx, "tcp", v.addr)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
 	}
 	tcpKeepAlive(c)
-	defer safeConnClose(c, err)
+	defer func(c net.Conn) {
+		safeConnClose(c, err)
+	}(c)

 	c, err = v.StreamConn(c, metadata)
 	return NewConn(c, v), err
@ -243,7 +253,7 @@ func (v *Vmess) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d
 func (v *Vmess) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
 	// vmess use stream-oriented udp with a special address, so we needs a net.UDPAddr
 	if !metadata.Resolved() {
-		ip, err := resolver.ResolveIP(metadata.Host)
+		ip, err := resolver.ResolveIP(ctx, metadata.Host)
 		if err != nil {
 			return nil, errors.New("can't resolve ip")
 		}
@ -264,34 +274,54 @@ func (v *Vmess) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o
 		if err != nil {
 			return nil, err
 		}
-		defer safeConnClose(c, err)
+		defer func(c net.Conn) {
+			safeConnClose(c, err)
+		}(c)

 		if v.option.XUDP {
 			c, err = v.client.DialXUDPPacketConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
 		} else {
 			c, err = v.client.DialPacketConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
 		}
-	} else {
-		c, err = dialer.DialContext(ctx, "tcp", v.addr, v.Base.DialOptions(opts...)...)
-		if err != nil {
-			return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
-		}
-		tcpKeepAlive(c)
-		defer safeConnClose(c, err)

-		c, err = v.StreamConn(c, metadata)
+		if err != nil {
+			return nil, fmt.Errorf("new vmess client error: %v", err)
+		}
+		return v.ListenPacketOnStreamConn(c, metadata)
+	}
+	return v.ListenPacketWithDialer(ctx, dialer.NewDialer(v.Base.DialOptions(opts...)...), metadata)
+}
+
+// ListenPacketWithDialer implements C.ProxyAdapter
+func (v *Vmess) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.PacketConn, err error) {
+	// vmess use stream-oriented udp with a special address, so we needs a net.UDPAddr
+	if !metadata.Resolved() {
+		ip, err := resolver.ResolveIP(ctx, metadata.Host)
+		if err != nil {
+			return nil, errors.New("can't resolve ip")
+		}
+		metadata.DstIP = ip
 	}

+	c, err := dialer.DialContext(ctx, "tcp", v.addr)
+	if err != nil {
+		return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
+	}
+	tcpKeepAlive(c)
+	defer func(c net.Conn) {
+		safeConnClose(c, err)
+	}(c)
+
+	c, err = v.StreamConn(c, metadata)
 	if err != nil {
 		return nil, fmt.Errorf("new vmess client error: %v", err)
 	}
+	return v.ListenPacketOnStreamConn(c, metadata)
+}

-	if v.option.PacketAddr {
-		return newPacketConn(&threadSafePacketConn{PacketConn: packetaddr.NewBindConn(c)}, v), nil
-	} else if pc, ok := c.(net.PacketConn); ok {
-		return newPacketConn(&threadSafePacketConn{PacketConn: pc}, v), nil
-	}
-	return newPacketConn(&vmessPacketConn{Conn: c, rAddr: metadata.UDPAddr()}, v), nil
+// SupportWithDialer implements C.ProxyAdapter
+func (v *Vmess) SupportWithDialer() bool {
+	return true
 }

 // ListenPacketOnStreamConn implements C.ProxyAdapter
@ -408,7 +438,14 @@ type vmessPacketConn struct {
 	access sync.Mutex
 }

+// WriteTo implments C.PacketConn.WriteTo
+// Since VMess doesn't support full cone NAT by design, we verify if addr matches uc.rAddr, and drop the packet if not.
 func (uc *vmessPacketConn) WriteTo(b []byte, addr net.Addr) (int, error) {
+	allowedAddr := uc.rAddr.(*net.UDPAddr)
+	destAddr := addr.(*net.UDPAddr)
+	if !(allowedAddr.IP.Equal(destAddr.IP) && allowedAddr.Port == destAddr.Port) {
+		return 0, ErrUDPRemoteAddrMismatch
+	}
 	uc.access.Lock()
 	defer uc.access.Unlock()
 	return uc.Conn.Write(b)
--- a/adapter/outbound/wireguard.go
+++ b/adapter/outbound/wireguard.go
@ -12,8 +12,8 @@ import (
 	"strconv"
 	"strings"
 	"sync"
-	"time"

+	CN "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/resolver"
 	C "github.com/Dreamacro/clash/constant"
@ -36,22 +36,24 @@ type WireGuard struct {
 	tunDevice wireguard.Device
 	dialer    *wgDialer
 	startOnce sync.Once
+	startErr  error
 }

 type WireGuardOption struct {
 	BasicOption
-	Name         string `proxy:"name"`
-	Server       string `proxy:"server"`
-	Port         int    `proxy:"port"`
-	Ip           string `proxy:"ip,omitempty"`
-	Ipv6         string `proxy:"ipv6,omitempty"`
-	PrivateKey   string `proxy:"private-key"`
-	PublicKey    string `proxy:"public-key"`
-	PreSharedKey string `proxy:"pre-shared-key,omitempty"`
-	Reserved     []int  `proxy:"reserved,omitempty"`
-	Workers      int    `proxy:"workers,omitempty"`
-	MTU          int    `proxy:"mtu,omitempty"`
-	UDP          bool   `proxy:"udp,omitempty"`
+	Name                string  `proxy:"name"`
+	Server              string  `proxy:"server"`
+	Port                int     `proxy:"port"`
+	Ip                  string  `proxy:"ip,omitempty"`
+	Ipv6                string  `proxy:"ipv6,omitempty"`
+	PrivateKey          string  `proxy:"private-key"`
+	PublicKey           string  `proxy:"public-key"`
+	PreSharedKey        string  `proxy:"pre-shared-key,omitempty"`
+	Reserved            []uint8 `proxy:"reserved,omitempty"`
+	Workers             int     `proxy:"workers,omitempty"`
+	MTU                 int     `proxy:"mtu,omitempty"`
+	UDP                 bool    `proxy:"udp,omitempty"`
+	PersistentKeepalive int     `proxy:"persistent-keepalive,omitempty"`
 }

 type wgDialer struct {
@ -63,7 +65,7 @@ func (d *wgDialer) DialContext(ctx context.Context, network string, destination
 }

 func (d *wgDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	return dialer.ListenPacket(ctx, "udp", "", d.options...)
+	return dialer.ListenPacket(ctx, dialer.ParseNetwork("udp", destination.Addr), "", d.options...)
 }

 func NewWireGuard(option WireGuardOption) (*WireGuard, error) {
@ -90,8 +92,7 @@ func NewWireGuard(option WireGuardOption) (*WireGuard, error) {
 		reserved[1] = uint8(option.Reserved[1])
 		reserved[2] = uint8(option.Reserved[2])
 	}
-	peerAddr := M.ParseSocksaddr(option.Server)
-	peerAddr.Port = uint16(option.Port)
+	peerAddr := M.ParseSocksaddrHostPort(option.Server, uint16(option.Port))
 	outbound.bind = wireguard.NewClientBind(context.Background(), outbound.dialer, peerAddr, reserved)
 	localPrefixes := make([]netip.Prefix, 0, 2)
 	if len(option.Ip) > 0 {
@ -159,6 +160,9 @@ func NewWireGuard(option WireGuardOption) (*WireGuard, error) {
 	if has6 {
 		ipcConf += "\nallowed_ip=::/0"
 	}
+	if option.PersistentKeepalive != 0 {
+		ipcConf += fmt.Sprintf("\npersistent_keepalive_interval=%d", option.PersistentKeepalive)
+	}
 	mtu := option.MTU
 	if mtu == 0 {
 		mtu = 1408
@ -198,131 +202,57 @@ func (w *WireGuard) DialContext(ctx context.Context, metadata *C.Metadata, opts
 	w.dialer.options = opts
 	var conn net.Conn
 	w.startOnce.Do(func() {
-		err = w.tunDevice.Start()
+		w.startErr = w.tunDevice.Start()
 	})
-	if err != nil {
-		return nil, err
+	if w.startErr != nil {
+		return nil, w.startErr
 	}
 	if !metadata.Resolved() {
 		var addrs []netip.Addr
-		addrs, err = resolver.ResolveAllIP(metadata.Host)
+		addrs, err = resolver.LookupIP(ctx, metadata.Host)
 		if err != nil {
 			return nil, err
 		}
 		conn, err = N.DialSerial(ctx, w.tunDevice, "tcp", M.ParseSocksaddr(metadata.RemoteAddress()), addrs)
 	} else {
-		conn, err = w.tunDevice.DialContext(ctx, "tcp", M.ParseSocksaddr(metadata.Pure().RemoteAddress()))
+		port, _ := strconv.Atoi(metadata.DstPort)
+		conn, err = w.tunDevice.DialContext(ctx, "tcp", M.SocksaddrFrom(metadata.DstIP, uint16(port)))
 	}
 	if err != nil {
 		return nil, err
 	}
-	return NewConn(&wgConn{conn, w}, w), nil
+	if conn == nil {
+		return nil, E.New("conn is nil")
+	}
+	return NewConn(CN.NewRefConn(conn, w), w), nil
 }

 func (w *WireGuard) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
 	w.dialer.options = opts
 	var pc net.PacketConn
 	w.startOnce.Do(func() {
-		err = w.tunDevice.Start()
+		w.startErr = w.tunDevice.Start()
 	})
+	if w.startErr != nil {
+		return nil, w.startErr
+	}
 	if err != nil {
 		return nil, err
 	}
 	if !metadata.Resolved() {
-		ip, err := resolver.ResolveIP(metadata.Host)
+		ip, err := resolver.ResolveIP(ctx, metadata.Host)
 		if err != nil {
 			return nil, errors.New("can't resolve ip")
 		}
 		metadata.DstIP = ip
 	}
-	pc, err = w.tunDevice.ListenPacket(ctx, M.ParseSocksaddr(metadata.Pure().RemoteAddress()))
+	port, _ := strconv.Atoi(metadata.DstPort)
+	pc, err = w.tunDevice.ListenPacket(ctx, M.SocksaddrFrom(metadata.DstIP, uint16(port)))
 	if err != nil {
 		return nil, err
 	}
-	return newPacketConn(&wgPacketConn{pc, w}, w), nil
-}
-
-type wgConn struct {
-	conn net.Conn
-	wg   *WireGuard
-}
-
-func (c *wgConn) Read(b []byte) (n int, err error) {
-	defer runtime.KeepAlive(c.wg)
-	return c.conn.Read(b)
-}
-
-func (c *wgConn) Write(b []byte) (n int, err error) {
-	defer runtime.KeepAlive(c.wg)
-	return c.conn.Write(b)
-}
-
-func (c *wgConn) Close() error {
-	defer runtime.KeepAlive(c.wg)
-	return c.conn.Close()
-}
-
-func (c *wgConn) LocalAddr() net.Addr {
-	defer runtime.KeepAlive(c.wg)
-	return c.conn.LocalAddr()
-}
-
-func (c *wgConn) RemoteAddr() net.Addr {
-	defer runtime.KeepAlive(c.wg)
-	return c.conn.RemoteAddr()
-}
-
-func (c *wgConn) SetDeadline(t time.Time) error {
-	defer runtime.KeepAlive(c.wg)
-	return c.conn.SetDeadline(t)
-}
-
-func (c *wgConn) SetReadDeadline(t time.Time) error {
-	defer runtime.KeepAlive(c.wg)
-	return c.conn.SetReadDeadline(t)
-}
-
-func (c *wgConn) SetWriteDeadline(t time.Time) error {
-	defer runtime.KeepAlive(c.wg)
-	return c.conn.SetWriteDeadline(t)
-}
-
-type wgPacketConn struct {
-	pc net.PacketConn
-	wg *WireGuard
-}
-
-func (pc *wgPacketConn) ReadFrom(p []byte) (n int, addr net.Addr, err error) {
-	defer runtime.KeepAlive(pc.wg)
-	return pc.pc.ReadFrom(p)
-}
-
-func (pc *wgPacketConn) WriteTo(p []byte, addr net.Addr) (n int, err error) {
-	defer runtime.KeepAlive(pc.wg)
-	return pc.pc.WriteTo(p, addr)
-}
-
-func (pc *wgPacketConn) Close() error {
-	defer runtime.KeepAlive(pc.wg)
-	return pc.pc.Close()
-}
-
-func (pc *wgPacketConn) LocalAddr() net.Addr {
-	defer runtime.KeepAlive(pc.wg)
-	return pc.pc.LocalAddr()
-}
-
-func (pc *wgPacketConn) SetDeadline(t time.Time) error {
-	defer runtime.KeepAlive(pc.wg)
-	return pc.pc.SetDeadline(t)
-}
-
-func (pc *wgPacketConn) SetReadDeadline(t time.Time) error {
-	defer runtime.KeepAlive(pc.wg)
-	return pc.pc.SetReadDeadline(t)
-}
-
-func (pc *wgPacketConn) SetWriteDeadline(t time.Time) error {
-	defer runtime.KeepAlive(pc.wg)
-	return pc.pc.SetWriteDeadline(t)
+	if pc == nil {
+		return nil, E.New("packetConn is nil")
+	}
+	return newPacketConn(CN.NewRefPacketConn(pc, w), w), nil
 }
--- a/adapter/outboundgroup/fallback.go
+++ b/adapter/outboundgroup/fallback.go
@ -4,11 +4,12 @@ import (
 	"context"
 	"encoding/json"
 	"errors"
+	"time"
+
 	"github.com/Dreamacro/clash/adapter/outbound"
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/constant/provider"
-	"time"
 )

 type Fallback struct {
@ -132,6 +133,7 @@ func NewFallback(option *GroupCommonOption, providers []provider.ProxyProvider)
 			},
 			option.Filter,
 			option.ExcludeFilter,
+			option.ExcludeType,
 			providers,
 		}),
 		disableUDP: option.DisableUDP,
--- a/adapter/outboundgroup/groupbase.go
+++ b/adapter/outboundgroup/groupbase.go
@ -3,23 +3,26 @@ package outboundgroup
 import (
 	"context"
 	"fmt"
+	"strings"
+	"sync"
+	"time"
+
 	"github.com/Dreamacro/clash/adapter/outbound"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/constant/provider"
 	types "github.com/Dreamacro/clash/constant/provider"
 	"github.com/Dreamacro/clash/log"
 	"github.com/Dreamacro/clash/tunnel"
+
 	"github.com/dlclark/regexp2"
 	"go.uber.org/atomic"
-	"strings"
-	"sync"
-	"time"
 )

 type GroupBase struct {
 	*outbound.Base
 	filterRegs       []*regexp2.Regexp
 	excludeFilterReg *regexp2.Regexp
+	excludeTypeArray []string
 	providers        []provider.ProxyProvider
 	failedTestMux    sync.Mutex
 	failedTimes      int
@ -33,6 +36,7 @@ type GroupBaseOption struct {
 	outbound.BaseOption
 	filter        string
 	excludeFilter string
+	excludeType   string
 	providers     []provider.ProxyProvider
 }

@ -41,6 +45,10 @@ func NewGroupBase(opt GroupBaseOption) *GroupBase {
 	if opt.excludeFilter != "" {
 		excludeFilterReg = regexp2.MustCompile(opt.excludeFilter, 0)
 	}
+	var excludeTypeArray []string
+	if opt.excludeType != "" {
+		excludeTypeArray = strings.Split(opt.excludeType, "|")
+	}

 	var filterRegs []*regexp2.Regexp
 	if opt.filter != "" {
@ -54,6 +62,7 @@ func NewGroupBase(opt GroupBaseOption) *GroupBase {
 		Base:             outbound.NewBase(opt.BaseOption),
 		filterRegs:       filterRegs,
 		excludeFilterReg: excludeFilterReg,
+		excludeTypeArray: excludeTypeArray,
 		providers:        opt.providers,
 		failedTesting:    atomic.NewBool(false),
 	}
@ -148,6 +157,24 @@ func (gb *GroupBase) GetProxies(touch bool) []C.Proxy {
 		}
 		proxies = newProxies
 	}
+	if gb.excludeTypeArray != nil {
+		var newProxies []C.Proxy
+		for _, p := range proxies {
+			mType := p.Type().String()
+			flag := false
+			for i := range gb.excludeTypeArray {
+				if strings.EqualFold(mType, gb.excludeTypeArray[i]) {
+					flag = true
+				}
+
+			}
+			if flag {
+				continue
+			}
+			newProxies = append(newProxies, p)
+		}
+		proxies = newProxies
+	}

 	if gb.excludeFilterReg != nil {
 		var newProxies []C.Proxy
--- a/adapter/outboundgroup/loadbalance.go
+++ b/adapter/outboundgroup/loadbalance.go
@ -5,11 +5,11 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"github.com/Dreamacro/clash/common/cache"
 	"net"
 	"time"

 	"github.com/Dreamacro/clash/adapter/outbound"
+	"github.com/Dreamacro/clash/common/cache"
 	"github.com/Dreamacro/clash/common/murmur3"
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
@ -157,7 +157,7 @@ func strategyConsistentHashing() strategyFn {
 func strategyStickySessions() strategyFn {
 	ttl := time.Minute * 10
 	maxRetry := 5
-	lruCache := cache.NewLRUCache[uint64, int](
+	lruCache := cache.New[uint64, int](
 		cache.WithAge[uint64, int](int64(ttl.Seconds())),
 		cache.WithSize[uint64, int](1000))
 	return func(proxies []C.Proxy, metadata *C.Metadata) C.Proxy {
@ -229,6 +229,7 @@ func NewLoadBalance(option *GroupCommonOption, providers []provider.ProxyProvide
 			},
 			option.Filter,
 			option.ExcludeFilter,
+			option.ExcludeType,
 			providers,
 		}),
 		strategyFn: strategyFn,
--- a/adapter/outboundgroup/parser.go
+++ b/adapter/outboundgroup/parser.go
@ -31,6 +31,7 @@ type GroupCommonOption struct {
 	DisableUDP    bool     `group:"disable-udp,omitempty"`
 	Filter        string   `group:"filter,omitempty"`
 	ExcludeFilter string   `group:"exclude-filter,omitempty"`
+	ExcludeType   string   `group:"exclude-type,omitempty"`
 }

 func ParseProxyGroup(config map[string]any, proxyMap map[string]C.Proxy, providersMap map[string]types.ProxyProvider) (C.ProxyAdapter, error) {
--- a/adapter/outboundgroup/relay.go
+++ b/adapter/outboundgroup/relay.go
@ -3,9 +3,12 @@ package outboundgroup
 import (
 	"context"
 	"encoding/json"
-	"fmt"
+	"net"
+	"net/netip"
+	"strings"

 	"github.com/Dreamacro/clash/adapter/outbound"
+	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/constant/provider"
@ -15,6 +18,36 @@ type Relay struct {
 	*GroupBase
 }

+type proxyDialer struct {
+	proxy  C.Proxy
+	dialer C.Dialer
+}
+
+func (p proxyDialer) DialContext(ctx context.Context, network, address string) (net.Conn, error) {
+	currentMeta, err := addrToMetadata(address)
+	if err != nil {
+		return nil, err
+	}
+	if strings.Contains(network, "udp") { // should not support this operation
+		currentMeta.NetWork = C.UDP
+		pc, err := p.proxy.ListenPacketWithDialer(ctx, p.dialer, currentMeta)
+		if err != nil {
+			return nil, err
+		}
+		return N.NewBindPacketConn(pc, currentMeta.UDPAddr()), nil
+	}
+	return p.proxy.DialContextWithDialer(ctx, p.dialer, currentMeta)
+}
+
+func (p proxyDialer) ListenPacket(ctx context.Context, network, address string, rAddrPort netip.AddrPort) (net.PacketConn, error) {
+	currentMeta, err := addrToMetadata(rAddrPort.String())
+	if err != nil {
+		return nil, err
+	}
+	currentMeta.NetWork = C.UDP
+	return p.proxy.ListenPacketWithDialer(ctx, p.dialer, currentMeta)
+}
+
 // DialContext implements C.ProxyAdapter
 func (r *Relay) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
 	proxies, chainProxies := r.proxies(metadata, true)
@ -25,37 +58,19 @@ func (r *Relay) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d
 	case 1:
 		return proxies[0].DialContext(ctx, metadata, r.Base.DialOptions(opts...)...)
 	}
-
-	first := proxies[0]
+	var d C.Dialer
+	d = dialer.NewDialer(r.Base.DialOptions(opts...)...)
+	for _, proxy := range proxies[:len(proxies)-1] {
+		d = proxyDialer{
+			proxy:  proxy,
+			dialer: d,
+		}
+	}
 	last := proxies[len(proxies)-1]
-
-	c, err := dialer.DialContext(ctx, "tcp", first.Addr(), r.Base.DialOptions(opts...)...)
+	conn, err := last.DialContextWithDialer(ctx, d, metadata)
 	if err != nil {
-		return nil, fmt.Errorf("%s connect error: %w", first.Addr(), err)
+		return nil, err
 	}
-	tcpKeepAlive(c)
-
-	var currentMeta *C.Metadata
-	for _, proxy := range proxies[1:] {
-		currentMeta, err = addrToMetadata(proxy.Addr())
-		if err != nil {
-			return nil, err
-		}
-
-		c, err = first.StreamConn(c, currentMeta)
-		if err != nil {
-			return nil, fmt.Errorf("%s connect error: %w", first.Addr(), err)
-		}
-
-		first = proxy
-	}
-
-	c, err = last.StreamConn(c, metadata)
-	if err != nil {
-		return nil, fmt.Errorf("%s connect error: %w", last.Addr(), err)
-	}
-
-	conn := outbound.NewConn(c, last)

 	for i := len(chainProxies) - 2; i >= 0; i-- {
 		conn.AppendToChains(chainProxies[i])
@ -77,39 +92,18 @@ func (r *Relay) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o
 		return proxies[0].ListenPacketContext(ctx, metadata, r.Base.DialOptions(opts...)...)
 	}

-	first := proxies[0]
+	var d C.Dialer
+	d = dialer.NewDialer(r.Base.DialOptions(opts...)...)
+	for _, proxy := range proxies[:len(proxies)-1] {
+		d = proxyDialer{
+			proxy:  proxy,
+			dialer: d,
+		}
+	}
 	last := proxies[len(proxies)-1]
-
-	c, err := dialer.DialContext(ctx, "tcp", first.Addr(), r.Base.DialOptions(opts...)...)
+	pc, err := last.ListenPacketWithDialer(ctx, d, metadata)
 	if err != nil {
-		return nil, fmt.Errorf("%s connect error: %w", first.Addr(), err)
-	}
-	tcpKeepAlive(c)
-
-	var currentMeta *C.Metadata
-	for _, proxy := range proxies[1:] {
-		currentMeta, err = addrToMetadata(proxy.Addr())
-		if err != nil {
-			return nil, err
-		}
-
-		c, err = first.StreamConn(c, currentMeta)
-		if err != nil {
-			return nil, fmt.Errorf("%s connect error: %w", first.Addr(), err)
-		}
-
-		first = proxy
-	}
-
-	c, err = last.StreamConn(c, metadata)
-	if err != nil {
-		return nil, fmt.Errorf("%s connect error: %w", last.Addr(), err)
-	}
-
-	var pc C.PacketConn
-	pc, err = last.ListenPacketOnStreamConn(c, metadata)
-	if err != nil {
-		return nil, fmt.Errorf("%s connect error: %w", first.Addr(), err)
+		return nil, err
 	}

 	for i := len(chainProxies) - 2; i >= 0; i-- {
@ -127,8 +121,19 @@ func (r *Relay) SupportUDP() bool {
 	if len(proxies) == 0 { // C.Direct
 		return true
 	}
-	last := proxies[len(proxies)-1]
-	return last.SupportUDP() && last.SupportUOT()
+	for i := len(proxies) - 1; i >= 0; i-- {
+		proxy := proxies[i]
+		if !proxy.SupportUDP() {
+			return false
+		}
+		if proxy.SupportUOT() {
+			return true
+		}
+		if !proxy.SupportWithDialer() {
+			return false
+		}
+	}
+	return true
 }

 // MarshalJSON implements C.ProxyAdapter
@ -186,6 +191,7 @@ func NewRelay(option *GroupCommonOption, providers []provider.ProxyProvider) *Re
 			},
 			"",
 			"",
+			"",
 			providers,
 		}),
 	}
--- a/adapter/outboundgroup/selector.go
+++ b/adapter/outboundgroup/selector.go
@ -100,6 +100,7 @@ func NewSelector(option *GroupCommonOption, providers []provider.ProxyProvider)
 			},
 			option.Filter,
 			option.ExcludeFilter,
+			option.ExcludeType,
 			providers,
 		}),
 		selected:   "COMPATIBLE",
--- a/adapter/outboundgroup/urltest.go
+++ b/adapter/outboundgroup/urltest.go
@ -144,6 +144,7 @@ func NewURLTest(option *GroupCommonOption, providers []provider.ProxyProvider, o

 			option.Filter,
 			option.ExcludeFilter,
+			option.ExcludeType,
 			providers,
 		}),
 		fastSingle: singledo.NewSingle[C.Proxy](time.Second * 10),
--- a/adapter/outboundgroup/util.go
+++ b/adapter/outboundgroup/util.go
@ -24,7 +24,7 @@ func addrToMetadata(rawAddress string) (addr *C.Metadata, err error) {
 	} else {
 		addr = &C.Metadata{
 			Host:    "",
-			DstIP:   ip,
+			DstIP:   ip.Unmap(),
 			DstPort: port,
 		}
 	}
--- a/adapter/parser.go
+++ b/adapter/parser.go
@ -2,14 +2,13 @@ package adapter

 import (
 	"fmt"
-
 	"github.com/Dreamacro/clash/adapter/outbound"
 	"github.com/Dreamacro/clash/common/structure"
 	C "github.com/Dreamacro/clash/constant"
 )

 func ParseProxy(mapping map[string]any) (C.Proxy, error) {
-	decoder := structure.NewDecoder(structure.Option{TagName: "proxy", WeaklyTypedInput: true})
+	decoder := structure.NewDecoder(structure.Option{TagName: "proxy", WeaklyTypedInput: true, KeyReplacer: structure.DefaultKeyReplacer})
 	proxyType, existType := mapping["type"].(string)
 	if !existType {
 		return nil, fmt.Errorf("missing type")
@ -89,12 +88,19 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 		}
 		proxy, err = outbound.NewHysteria(*hyOption)
 	case "wireguard":
-		hyOption := &outbound.WireGuardOption{}
-		err = decoder.Decode(mapping, hyOption)
+		wgOption := &outbound.WireGuardOption{}
+		err = decoder.Decode(mapping, wgOption)
 		if err != nil {
 			break
 		}
-		proxy, err = outbound.NewWireGuard(*hyOption)
+		proxy, err = outbound.NewWireGuard(*wgOption)
+	case "tuic":
+		tuicOption := &outbound.TuicOption{}
+		err = decoder.Decode(mapping, tuicOption)
+		if err != nil {
+			break
+		}
+		proxy, err = outbound.NewTuic(*tuicOption)
 	default:
 		return nil, fmt.Errorf("unsupport proxy type: %s", proxyType)
 	}
--- a/adapter/provider/parser.go
+++ b/adapter/provider/parser.go
@ -3,10 +3,10 @@ package provider
 import (
 	"errors"
 	"fmt"
-	"github.com/Dreamacro/clash/component/resource"
 	"time"

 	"github.com/Dreamacro/clash/common/structure"
+	"github.com/Dreamacro/clash/component/resource"
 	C "github.com/Dreamacro/clash/constant"
 	types "github.com/Dreamacro/clash/constant/provider"
 )
@ -27,6 +27,7 @@ type proxyProviderSchema struct {
 	Interval      int               `provider:"interval,omitempty"`
 	Filter        string            `provider:"filter,omitempty"`
 	ExcludeFilter string            `provider:"exclude-filter,omitempty"`
+	ExcludeType   string            `provider:"exclude-type,omitempty"`
 	HealthCheck   healthCheckSchema `provider:"health-check,omitempty"`
 }

@ -63,5 +64,7 @@ func ParseProxyProvider(name string, mapping map[string]any) (types.ProxyProvide
 	interval := time.Duration(uint(schema.Interval)) * time.Second
 	filter := schema.Filter
 	excludeFilter := schema.ExcludeFilter
-	return NewProxySetProvider(name, interval, filter, excludeFilter, vehicle, hc)
+	excludeType := schema.ExcludeType
+
+	return NewProxySetProvider(name, interval, filter, excludeFilter, excludeType, vehicle, hc)
 }
--- a/adapter/provider/provider.go
+++ b/adapter/provider/provider.go
@ -5,20 +5,20 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"github.com/Dreamacro/clash/common/convert"
-	clashHttp "github.com/Dreamacro/clash/component/http"
-	"github.com/Dreamacro/clash/component/resource"
-	"github.com/Dreamacro/clash/log"
-	"github.com/dlclark/regexp2"
 	"net/http"
 	"runtime"
 	"strings"
 	"time"

 	"github.com/Dreamacro/clash/adapter"
+	"github.com/Dreamacro/clash/common/convert"
+	clashHttp "github.com/Dreamacro/clash/component/http"
+	"github.com/Dreamacro/clash/component/resource"
 	C "github.com/Dreamacro/clash/constant"
 	types "github.com/Dreamacro/clash/constant/provider"
+	"github.com/Dreamacro/clash/log"

+	"github.com/dlclark/regexp2"
 	"gopkg.in/yaml.v3"
 )

@ -142,11 +142,16 @@ func stopProxyProvider(pd *ProxySetProvider) {
 	_ = pd.Fetcher.Destroy()
 }

-func NewProxySetProvider(name string, interval time.Duration, filter string, excludeFilter string, vehicle types.Vehicle, hc *HealthCheck) (*ProxySetProvider, error) {
+func NewProxySetProvider(name string, interval time.Duration, filter string, excludeFilter string, excludeType string, vehicle types.Vehicle, hc *HealthCheck) (*ProxySetProvider, error) {
 	excludeFilterReg, err := regexp2.Compile(excludeFilter, 0)
 	if err != nil {
 		return nil, fmt.Errorf("invalid excludeFilter regex: %w", err)
 	}
+	var excludeTypeArray []string
+	if excludeType != "" {
+		excludeTypeArray = strings.Split(excludeType, "|")
+	}
+
 	var filterRegs []*regexp2.Regexp
 	for _, filter := range strings.Split(filter, "`") {
 		filterReg, err := regexp2.Compile(filter, 0)
@ -165,7 +170,7 @@ func NewProxySetProvider(name string, interval time.Duration, filter string, exc
 		healthCheck: hc,
 	}

-	fetcher := resource.NewFetcher[[]C.Proxy](name, interval, vehicle, proxiesParseAndFilter(filter, excludeFilter, filterRegs, excludeFilterReg), proxiesOnUpdate(pd))
+	fetcher := resource.NewFetcher[[]C.Proxy](name, interval, vehicle, proxiesParseAndFilter(filter, excludeFilter, excludeTypeArray, filterRegs, excludeFilterReg), proxiesOnUpdate(pd))
 	pd.Fetcher = fetcher

 	pd.getSubscriptionInfo()
@ -263,7 +268,7 @@ func proxiesOnUpdate(pd *proxySetProvider) func([]C.Proxy) {
 	}
 }

-func proxiesParseAndFilter(filter string, excludeFilter string, filterRegs []*regexp2.Regexp, excludeFilterReg *regexp2.Regexp) resource.Parser[[]C.Proxy] {
+func proxiesParseAndFilter(filter string, excludeFilter string, excludeTypeArray []string, filterRegs []*regexp2.Regexp, excludeFilterReg *regexp2.Regexp) resource.Parser[[]C.Proxy] {
 	return func(buf []byte) ([]C.Proxy, error) {
 		schema := &ProxySchema{}

@ -283,6 +288,27 @@ func proxiesParseAndFilter(filter string, excludeFilter string, filterRegs []*re
 		proxiesSet := map[string]struct{}{}
 		for _, filterReg := range filterRegs {
 			for idx, mapping := range schema.Proxies {
+				if nil != excludeTypeArray && len(excludeTypeArray) > 0 {
+					mType, ok := mapping["type"]
+					if !ok {
+						continue
+					}
+					pType, ok := mType.(string)
+					if !ok {
+						continue
+					}
+					flag := false
+					for i := range excludeTypeArray {
+						if strings.EqualFold(pType, excludeTypeArray[i]) {
+							flag = true
+						}
+
+					}
+					if flag {
+						continue
+					}
+
+				}
 				mName, ok := mapping["name"]
 				if !ok {
 					continue
--- a/common/cache/cache.go
+++ b/common/cache/cache.go
@ -1,106 +0,0 @@
-package cache
-
-import (
-	"runtime"
-	"sync"
-	"time"
-)
-
-// Cache store element with a expired time
-type Cache[K comparable, V any] struct {
-	*cache[K, V]
-}
-
-type cache[K comparable, V any] struct {
-	mapping sync.Map
-	janitor *janitor[K, V]
-}
-
-type element[V any] struct {
-	Expired time.Time
-	Payload V
-}
-
-// Put element in Cache with its ttl
-func (c *cache[K, V]) Put(key K, payload V, ttl time.Duration) {
-	c.mapping.Store(key, &element[V]{
-		Payload: payload,
-		Expired: time.Now().Add(ttl),
-	})
-}
-
-// Get element in Cache, and drop when it expired
-func (c *cache[K, V]) Get(key K) V {
-	item, exist := c.mapping.Load(key)
-	if !exist {
-		return getZero[V]()
-	}
-	elm := item.(*element[V])
-	// expired
-	if time.Since(elm.Expired) > 0 {
-		c.mapping.Delete(key)
-		return getZero[V]()
-	}
-	return elm.Payload
-}
-
-// GetWithExpire element in Cache with Expire Time
-func (c *cache[K, V]) GetWithExpire(key K) (payload V, expired time.Time) {
-	item, exist := c.mapping.Load(key)
-	if !exist {
-		return
-	}
-	elm := item.(*element[V])
-	// expired
-	if time.Since(elm.Expired) > 0 {
-		c.mapping.Delete(key)
-		return
-	}
-	return elm.Payload, elm.Expired
-}
-
-func (c *cache[K, V]) cleanup() {
-	c.mapping.Range(func(k, v any) bool {
-		key := k.(string)
-		elm := v.(*element[V])
-		if time.Since(elm.Expired) > 0 {
-			c.mapping.Delete(key)
-		}
-		return true
-	})
-}
-
-type janitor[K comparable, V any] struct {
-	interval time.Duration
-	stop     chan struct{}
-}
-
-func (j *janitor[K, V]) process(c *cache[K, V]) {
-	ticker := time.NewTicker(j.interval)
-	for {
-		select {
-		case <-ticker.C:
-			c.cleanup()
-		case <-j.stop:
-			ticker.Stop()
-			return
-		}
-	}
-}
-
-func stopJanitor[K comparable, V any](c *Cache[K, V]) {
-	c.janitor.stop <- struct{}{}
-}
-
-// New return *Cache
-func New[K comparable, V any](interval time.Duration) *Cache[K, V] {
-	j := &janitor[K, V]{
-		interval: interval,
-		stop:     make(chan struct{}),
-	}
-	c := &cache[K, V]{janitor: j}
-	go j.process(c)
-	C := &Cache[K, V]{c}
-	runtime.SetFinalizer(C, stopJanitor[K, V])
-	return C
-}
--- a/common/cache/cache_test.go
+++ b/common/cache/cache_test.go
@ -1,72 +0,0 @@
-package cache
-
-import (
-	"runtime"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-)
-
-func TestCache_Basic(t *testing.T) {
-	interval := 200 * time.Millisecond
-	ttl := 20 * time.Millisecond
-	c := New[string, int](interval)
-	c.Put("int", 1, ttl)
-
-	d := New[string, string](interval)
-	d.Put("string", "a", ttl)
-
-	i := c.Get("int")
-	assert.Equal(t, i, 1, "should recv 1")
-
-	s := d.Get("string")
-	assert.Equal(t, s, "a", "should recv 'a'")
-}
-
-func TestCache_TTL(t *testing.T) {
-	interval := 200 * time.Millisecond
-	ttl := 20 * time.Millisecond
-	now := time.Now()
-	c := New[string, int](interval)
-	c.Put("int", 1, ttl)
-	c.Put("int2", 2, ttl)
-
-	i := c.Get("int")
-	_, expired := c.GetWithExpire("int2")
-	assert.Equal(t, i, 1, "should recv 1")
-	assert.True(t, now.Before(expired))
-
-	time.Sleep(ttl * 2)
-	i = c.Get("int")
-	j, _ := c.GetWithExpire("int2")
-	assert.True(t, i == 0, "should recv 0")
-	assert.True(t, j == 0, "should recv 0")
-}
-
-func TestCache_AutoCleanup(t *testing.T) {
-	interval := 10 * time.Millisecond
-	ttl := 15 * time.Millisecond
-	c := New[string, int](interval)
-	c.Put("int", 1, ttl)
-
-	time.Sleep(ttl * 2)
-	i := c.Get("int")
-	j, _ := c.GetWithExpire("int")
-	assert.True(t, i == 0, "should recv 0")
-	assert.True(t, j == 0, "should recv 0")
-}
-
-func TestCache_AutoGC(t *testing.T) {
-	sign := make(chan struct{})
-	go func() {
-		interval := 10 * time.Millisecond
-		ttl := 15 * time.Millisecond
-		c := New[string, int](interval)
-		c.Put("int", 1, ttl)
-		sign <- struct{}{}
-	}()
-
-	<-sign
-	runtime.GC()
-}
--- a/common/cache/lrucache.go
+++ b/common/cache/lrucache.go
@ -65,8 +65,8 @@ type LruCache[K comparable, V any] struct {
 	onEvict        EvictCallback[K, V]
 }

-// NewLRUCache creates an LruCache
-func NewLRUCache[K comparable, V any](options ...Option[K, V]) *LruCache[K, V] {
+// New creates an LruCache
+func New[K comparable, V any](options ...Option[K, V]) *LruCache[K, V] {
 	lc := &LruCache[K, V]{
 		lru:   list.New[*entry[K, V]](),
 		cache: make(map[K]*list.Element[*entry[K, V]]),
--- a/common/cache/lrucache_test.go
+++ b/common/cache/lrucache_test.go
@ -19,7 +19,7 @@ var entries = []struct {
 }

 func TestLRUCache(t *testing.T) {
-	c := NewLRUCache[string, string]()
+	c := New[string, string]()

 	for _, e := range entries {
 		c.Set(e.key, e.value)
@ -45,7 +45,7 @@ func TestLRUCache(t *testing.T) {
 }

 func TestLRUMaxAge(t *testing.T) {
-	c := NewLRUCache[string, string](WithAge[string, string](86400))
+	c := New[string, string](WithAge[string, string](86400))

 	now := time.Now().Unix()
 	expected := now + 86400
@ -88,7 +88,7 @@ func TestLRUMaxAge(t *testing.T) {
 }

 func TestLRUpdateOnGet(t *testing.T) {
-	c := NewLRUCache[string, string](WithAge[string, string](86400), WithUpdateAgeOnGet[string, string]())
+	c := New[string, string](WithAge[string, string](86400), WithUpdateAgeOnGet[string, string]())

 	now := time.Now().Unix()
 	expires := now + 86400/2
@ -103,7 +103,7 @@ func TestLRUpdateOnGet(t *testing.T) {
 }

 func TestMaxSize(t *testing.T) {
-	c := NewLRUCache[string, string](WithSize[string, string](2))
+	c := New[string, string](WithSize[string, string](2))
 	// Add one expired entry
 	c.Set("foo", "bar")
 	_, ok := c.Get("foo")
@ -117,7 +117,7 @@ func TestMaxSize(t *testing.T) {
 }

 func TestExist(t *testing.T) {
-	c := NewLRUCache[int, int](WithSize[int, int](1))
+	c := New[int, int](WithSize[int, int](1))
 	c.Set(1, 2)
 	assert.True(t, c.Exist(1))
 	c.Set(2, 3)
@ -130,7 +130,7 @@ func TestEvict(t *testing.T) {
 		temp = key + value
 	}

-	c := NewLRUCache[int, int](WithEvict[int, int](evict), WithSize[int, int](1))
+	c := New[int, int](WithEvict[int, int](evict), WithSize[int, int](1))
 	c.Set(1, 2)
 	c.Set(2, 3)

@ -138,7 +138,7 @@ func TestEvict(t *testing.T) {
 }

 func TestSetWithExpire(t *testing.T) {
-	c := NewLRUCache[int, *struct{}](WithAge[int, *struct{}](1))
+	c := New[int, *struct{}](WithAge[int, *struct{}](1))
 	now := time.Now().Unix()

 	tenSecBefore := time.Unix(now-10, 0)
@ -153,7 +153,7 @@ func TestSetWithExpire(t *testing.T) {
 }

 func TestStale(t *testing.T) {
-	c := NewLRUCache[int, int](WithAge[int, int](1), WithStale[int, int](true))
+	c := New[int, int](WithAge[int, int](1), WithStale[int, int](true))
 	now := time.Now().Unix()

 	tenSecBefore := time.Unix(now-10, 0)
@ -166,11 +166,11 @@ func TestStale(t *testing.T) {
 }

 func TestCloneTo(t *testing.T) {
-	o := NewLRUCache[string, int](WithSize[string, int](10))
+	o := New[string, int](WithSize[string, int](10))
 	o.Set("1", 1)
 	o.Set("2", 2)

-	n := NewLRUCache[string, int](WithSize[string, int](2))
+	n := New[string, int](WithSize[string, int](2))
 	n.Set("3", 3)
 	n.Set("4", 4)

--- a/common/convert/converter.go
+++ b/common/convert/converter.go
@ -144,14 +144,6 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 				if encryption := query.Get("encryption"); encryption != "" {
 					vmess["cipher"] = encryption
 				}
-				if packetEncoding := query.Get("packetEncoding"); packetEncoding != "" {
-					switch packetEncoding {
-					case "packet":
-						vmess["packet-addr"] = true
-					case "xudp":
-						vmess["xudp"] = true
-					}
-				}
 				proxies = append(proxies, vmess)
 				continue
 			}
@ -162,8 +154,11 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			if jsonDc.Decode(&values) != nil {
 				continue
 			}
-
-			name := uniqueName(names, values["ps"].(string))
+			tempName, ok := values["ps"].(string)
+			if !ok {
+				continue
+			}
+			name := uniqueName(names, tempName)
 			vmess := make(map[string]any, 20)

 			vmess["name"] = name
@ -177,6 +172,7 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 				vmess["alterId"] = 0
 			}
 			vmess["udp"] = true
+			vmess["xudp"] = true
 			vmess["tls"] = false
 			vmess["skip-cert-verify"] = false

@ -272,19 +268,22 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			}

 			var (
-				cipher   = urlSS.User.Username()
-				password string
+				cipherRaw = urlSS.User.Username()
+				cipher    string
+				password  string
 			)

 			if password, found = urlSS.User.Password(); !found {
-				dcBuf, _ := enc.DecodeString(cipher)
-				if !strings.Contains(string(dcBuf), "2022-blake3") {
-					dcBuf, _ = encRaw.DecodeString(cipher)
-				}
+				dcBuf, _ := enc.DecodeString(cipherRaw)
 				cipher, password, found = strings.Cut(string(dcBuf), ":")
 				if !found {
 					continue
 				}
+				err := VerifyMethod(cipher, password)
+				if err != nil {
+					dcBuf, _ := encRaw.DecodeString(cipherRaw)
+					cipher, password, found = strings.Cut(string(dcBuf), ":")
+				}
 			}

 			ss := make(map[string]any, 10)
--- a/common/convert/util.go
+++ b/common/convert/util.go
@ -2,6 +2,7 @@ package convert

 import (
 	"encoding/base64"
+	"github.com/metacubex/sing-shadowsocks/shadowimpl"
 	"math/rand"
 	"net/http"
 	"strings"
@ -314,3 +315,8 @@ func SetUserAgent(header http.Header) {
 	userAgent := RandUserAgent()
 	header.Set("User-Agent", userAgent)
 }
+
+func VerifyMethod(cipher, password string) (err error) {
+	_, err = shadowimpl.FetchMethod(cipher, password)
+	return
+}
--- a/common/convert/v.go
+++ b/common/convert/v.go
@ -25,6 +25,14 @@ func handleVShareLink(names map[string]int, url *url.URL, scheme string, proxy m
 		proxy["servername"] = sni
 	}

+	switch query.Get("packetEncoding") {
+	case "none":
+	case "packet":
+		proxy["packet-addr"] = true
+	default:
+		proxy["xudp"] = true
+	}
+
 	network := strings.ToLower(query.Get("type"))
 	if network == "" {
 		network = "tcp"
--- a/common/net/bind.go
+++ b/common/net/bind.go
@ -0,0 +1,36 @@
+package net
+
+import "net"
+
+type bindPacketConn struct {
+	net.PacketConn
+	rAddr net.Addr
+}
+
+func (wpc *bindPacketConn) Read(b []byte) (n int, err error) {
+	n, _, err = wpc.PacketConn.ReadFrom(b)
+	return n, err
+}
+
+func (wpc *bindPacketConn) Write(b []byte) (n int, err error) {
+	return wpc.PacketConn.WriteTo(b, wpc.rAddr)
+}
+
+func (wpc *bindPacketConn) RemoteAddr() net.Addr {
+	return wpc.rAddr
+}
+
+func (wpc *bindPacketConn) LocalAddr() net.Addr {
+	if wpc.PacketConn.LocalAddr() == nil {
+		return &net.UDPAddr{IP: net.IPv4zero, Port: 0}
+	} else {
+		return wpc.PacketConn.LocalAddr()
+	}
+}
+
+func NewBindPacketConn(pc net.PacketConn, rAddr net.Addr) net.Conn {
+	return &bindPacketConn{
+		PacketConn: pc,
+		rAddr:      rAddr,
+	}
+}
--- a/common/net/refconn.go
+++ b/common/net/refconn.go
@ -0,0 +1,100 @@
+package net
+
+import (
+	"net"
+	"runtime"
+	"time"
+)
+
+type refConn struct {
+	conn net.Conn
+	ref  any
+}
+
+func (c *refConn) Read(b []byte) (n int, err error) {
+	defer runtime.KeepAlive(c.ref)
+	return c.conn.Read(b)
+}
+
+func (c *refConn) Write(b []byte) (n int, err error) {
+	defer runtime.KeepAlive(c.ref)
+	return c.conn.Write(b)
+}
+
+func (c *refConn) Close() error {
+	defer runtime.KeepAlive(c.ref)
+	return c.conn.Close()
+}
+
+func (c *refConn) LocalAddr() net.Addr {
+	defer runtime.KeepAlive(c.ref)
+	return c.conn.LocalAddr()
+}
+
+func (c *refConn) RemoteAddr() net.Addr {
+	defer runtime.KeepAlive(c.ref)
+	return c.conn.RemoteAddr()
+}
+
+func (c *refConn) SetDeadline(t time.Time) error {
+	defer runtime.KeepAlive(c.ref)
+	return c.conn.SetDeadline(t)
+}
+
+func (c *refConn) SetReadDeadline(t time.Time) error {
+	defer runtime.KeepAlive(c.ref)
+	return c.conn.SetReadDeadline(t)
+}
+
+func (c *refConn) SetWriteDeadline(t time.Time) error {
+	defer runtime.KeepAlive(c.ref)
+	return c.conn.SetWriteDeadline(t)
+}
+
+func NewRefConn(conn net.Conn, ref any) net.Conn {
+	return &refConn{conn: conn, ref: ref}
+}
+
+type refPacketConn struct {
+	pc  net.PacketConn
+	ref any
+}
+
+func (pc *refPacketConn) ReadFrom(p []byte) (n int, addr net.Addr, err error) {
+	defer runtime.KeepAlive(pc.ref)
+	return pc.pc.ReadFrom(p)
+}
+
+func (pc *refPacketConn) WriteTo(p []byte, addr net.Addr) (n int, err error) {
+	defer runtime.KeepAlive(pc.ref)
+	return pc.pc.WriteTo(p, addr)
+}
+
+func (pc *refPacketConn) Close() error {
+	defer runtime.KeepAlive(pc.ref)
+	return pc.pc.Close()
+}
+
+func (pc *refPacketConn) LocalAddr() net.Addr {
+	defer runtime.KeepAlive(pc.ref)
+	return pc.pc.LocalAddr()
+}
+
+func (pc *refPacketConn) SetDeadline(t time.Time) error {
+	defer runtime.KeepAlive(pc.ref)
+	return pc.pc.SetDeadline(t)
+}
+
+func (pc *refPacketConn) SetReadDeadline(t time.Time) error {
+	defer runtime.KeepAlive(pc.ref)
+	return pc.pc.SetReadDeadline(t)
+}
+
+func (pc *refPacketConn) SetWriteDeadline(t time.Time) error {
+	defer runtime.KeepAlive(pc.ref)
+	return pc.pc.SetWriteDeadline(t)
+}
+
+func NewRefPacketConn(pc net.PacketConn, ref any) net.PacketConn {
+	return &refPacketConn{pc: pc, ref: ref}
+}
--- a/common/net/tls.go
+++ b/common/net/tls.go
@ -0,0 +1,19 @@
+package net
+
+import (
+	"crypto/tls"
+	"fmt"
+)
+
+func ParseCert(certificate, privateKey string) (tls.Certificate, error) {
+	cert, painTextErr := tls.X509KeyPair([]byte(certificate), []byte(privateKey))
+	if painTextErr == nil {
+		return cert, nil
+	}
+
+	cert, loadErr := tls.LoadX509KeyPair(certificate, privateKey)
+	if loadErr != nil {
+		return tls.Certificate{}, fmt.Errorf("parse certificate failed, maybe format error:%s, or path error: %s", painTextErr.Error(), loadErr.Error())
+	}
+	return cert, nil
+}
--- a/common/structure/structure.go
+++ b/common/structure/structure.go
@ -3,6 +3,7 @@ package structure
 // references: https://github.com/mitchellh/mapstructure

 import (
+	"encoding/base64"
 	"fmt"
 	"reflect"
 	"strconv"
@ -13,8 +14,11 @@ import (
 type Option struct {
 	TagName          string
 	WeaklyTypedInput bool
+	KeyReplacer      *strings.Replacer
 }

+var DefaultKeyReplacer = strings.NewReplacer("_", "-")
+
 // Decoder is the core of structure
 type Decoder struct {
 	option *Option
@ -49,6 +53,23 @@ func (d *Decoder) Decode(src map[string]any, dst any) error {
 		omitempty := found && omitKey == "omitempty"

 		value, ok := src[key]
+		if !ok {
+			if d.option.KeyReplacer != nil {
+				key = d.option.KeyReplacer.Replace(key)
+			}
+
+			for _strKey := range src {
+				strKey := _strKey
+				if d.option.KeyReplacer != nil {
+					strKey = d.option.KeyReplacer.Replace(strKey)
+				}
+				if strings.EqualFold(key, strKey) {
+					value = src[_strKey]
+					ok = true
+					break
+				}
+			}
+		}
 		if !ok || value == nil {
 			if omitempty {
 				continue
@ -65,9 +86,16 @@ func (d *Decoder) Decode(src map[string]any, dst any) error {
 }

 func (d *Decoder) decode(name string, data any, val reflect.Value) error {
-	switch val.Kind() {
-	case reflect.Int:
+	kind := val.Kind()
+	switch {
+	case isInt(kind):
 		return d.decodeInt(name, data, val)
+	case isUint(kind):
+		return d.decodeUint(name, data, val)
+	case isFloat(kind):
+		return d.decodeFloat(name, data, val)
+	}
+	switch kind {
 	case reflect.String:
 		return d.decodeString(name, data, val)
 	case reflect.Bool:
@ -85,13 +113,42 @@ func (d *Decoder) decode(name string, data any, val reflect.Value) error {
 	}
 }

+func isInt(kind reflect.Kind) bool {
+	switch kind {
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+		return true
+	default:
+		return false
+	}
+}
+
+func isUint(kind reflect.Kind) bool {
+	switch kind {
+	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:
+		return true
+	default:
+		return false
+	}
+}
+
+func isFloat(kind reflect.Kind) bool {
+	switch kind {
+	case reflect.Float32, reflect.Float64:
+		return true
+	default:
+		return false
+	}
+}
+
 func (d *Decoder) decodeInt(name string, data any, val reflect.Value) (err error) {
 	dataVal := reflect.ValueOf(data)
 	kind := dataVal.Kind()
 	switch {
-	case kind == reflect.Int:
+	case isInt(kind):
 		val.SetInt(dataVal.Int())
-	case kind == reflect.Float64 && d.option.WeaklyTypedInput:
+	case isUint(kind) && d.option.WeaklyTypedInput:
+		val.SetInt(int64(dataVal.Uint()))
+	case isFloat(kind) && d.option.WeaklyTypedInput:
 		val.SetInt(int64(dataVal.Float()))
 	case kind == reflect.String && d.option.WeaklyTypedInput:
 		var i int64
@ -110,14 +167,72 @@ func (d *Decoder) decodeInt(name string, data any, val reflect.Value) (err error
 	return err
 }

+func (d *Decoder) decodeUint(name string, data any, val reflect.Value) (err error) {
+	dataVal := reflect.ValueOf(data)
+	kind := dataVal.Kind()
+	switch {
+	case isUint(kind):
+		val.SetUint(dataVal.Uint())
+	case isInt(kind) && d.option.WeaklyTypedInput:
+		val.SetUint(uint64(dataVal.Int()))
+	case isFloat(kind) && d.option.WeaklyTypedInput:
+		val.SetUint(uint64(dataVal.Float()))
+	case kind == reflect.String && d.option.WeaklyTypedInput:
+		var i uint64
+		i, err = strconv.ParseUint(dataVal.String(), 0, val.Type().Bits())
+		if err == nil {
+			val.SetUint(i)
+		} else {
+			err = fmt.Errorf("cannot parse '%s' as int: %s", name, err)
+		}
+	default:
+		err = fmt.Errorf(
+			"'%s' expected type '%s', got unconvertible type '%s'",
+			name, val.Type(), dataVal.Type(),
+		)
+	}
+	return err
+}
+
+func (d *Decoder) decodeFloat(name string, data any, val reflect.Value) (err error) {
+	dataVal := reflect.ValueOf(data)
+	kind := dataVal.Kind()
+	switch {
+	case isFloat(kind):
+		val.SetFloat(dataVal.Float())
+	case isUint(kind):
+		val.SetFloat(float64(dataVal.Uint()))
+	case isInt(kind) && d.option.WeaklyTypedInput:
+		val.SetFloat(float64(dataVal.Int()))
+	case kind == reflect.String && d.option.WeaklyTypedInput:
+		var i float64
+		i, err = strconv.ParseFloat(dataVal.String(), val.Type().Bits())
+		if err == nil {
+			val.SetFloat(i)
+		} else {
+			err = fmt.Errorf("cannot parse '%s' as int: %s", name, err)
+		}
+	default:
+		err = fmt.Errorf(
+			"'%s' expected type '%s', got unconvertible type '%s'",
+			name, val.Type(), dataVal.Type(),
+		)
+	}
+	return err
+}
+
 func (d *Decoder) decodeString(name string, data any, val reflect.Value) (err error) {
 	dataVal := reflect.ValueOf(data)
 	kind := dataVal.Kind()
 	switch {
 	case kind == reflect.String:
 		val.SetString(dataVal.String())
-	case kind == reflect.Int && d.option.WeaklyTypedInput:
+	case isInt(kind) && d.option.WeaklyTypedInput:
 		val.SetString(strconv.FormatInt(dataVal.Int(), 10))
+	case isUint(kind) && d.option.WeaklyTypedInput:
+		val.SetString(strconv.FormatUint(dataVal.Uint(), 10))
+	case isFloat(kind) && d.option.WeaklyTypedInput:
+		val.SetString(strconv.FormatFloat(dataVal.Float(), 'E', -1, dataVal.Type().Bits()))
 	default:
 		err = fmt.Errorf(
 			"'%s' expected type '%s', got unconvertible type '%s'",
@ -133,8 +248,10 @@ func (d *Decoder) decodeBool(name string, data any, val reflect.Value) (err erro
 	switch {
 	case kind == reflect.Bool:
 		val.SetBool(dataVal.Bool())
-	case kind == reflect.Int && d.option.WeaklyTypedInput:
+	case isInt(kind) && d.option.WeaklyTypedInput:
 		val.SetBool(dataVal.Int() != 0)
+	case isUint(kind) && d.option.WeaklyTypedInput:
+		val.SetString(strconv.FormatUint(dataVal.Uint(), 10))
 	default:
 		err = fmt.Errorf(
 			"'%s' expected type '%s', got unconvertible type '%s'",
@ -149,6 +266,17 @@ func (d *Decoder) decodeSlice(name string, data any, val reflect.Value) error {
 	valType := val.Type()
 	valElemType := valType.Elem()

+	if dataVal.Kind() == reflect.String && valElemType.Kind() == reflect.Uint8 { // from encoding/json
+		s := []byte(dataVal.String())
+		b := make([]byte, base64.StdEncoding.DecodedLen(len(s)))
+		n, err := base64.StdEncoding.Decode(b, s)
+		if err != nil {
+			return fmt.Errorf("try decode '%s' by base64 error: %w", name, err)
+		}
+		val.SetBytes(b[:n])
+		return nil
+	}
+
 	if dataVal.Kind() != reflect.Slice {
 		return fmt.Errorf("'%s' is not a slice", name)
 	}
@ -353,12 +481,18 @@ func (d *Decoder) decodeStructFromMap(name string, dataVal, val reflect.Value) e
 		if !rawMapVal.IsValid() {
 			// Do a slower search by iterating over each key and
 			// doing case-insensitive search.
+			if d.option.KeyReplacer != nil {
+				fieldName = d.option.KeyReplacer.Replace(fieldName)
+			}
 			for dataValKey := range dataValKeys {
 				mK, ok := dataValKey.Interface().(string)
 				if !ok {
 					// Not a string key
 					continue
 				}
+				if d.option.KeyReplacer != nil {
+					mK = d.option.KeyReplacer.Replace(mK)
+				}

 				if strings.EqualFold(mK, fieldName) {
 					rawMapKey = dataValKey
--- a/common/structure/structure_test.go
+++ b/common/structure/structure_test.go
@ -137,3 +137,45 @@ func TestStructure_Nest(t *testing.T) {
 	assert.Nil(t, err)
 	assert.Equal(t, s.BazOptional, goal)
 }
+
+func TestStructure_SliceNilValue(t *testing.T) {
+	rawMap := map[string]any{
+		"foo": 1,
+		"bar": []any{"bar", nil},
+	}
+
+	goal := &BazSlice{
+		Foo: 1,
+		Bar: []string{"bar", ""},
+	}
+
+	s := &BazSlice{}
+	err := weakTypeDecoder.Decode(rawMap, s)
+	assert.Nil(t, err)
+	assert.Equal(t, goal.Bar, s.Bar)
+
+	s = &BazSlice{}
+	err = decoder.Decode(rawMap, s)
+	assert.NotNil(t, err)
+}
+
+func TestStructure_SliceNilValueComplex(t *testing.T) {
+	rawMap := map[string]any{
+		"bar": []any{map[string]any{"bar": "foo"}, nil},
+	}
+
+	s := &struct {
+		Bar []map[string]any `test:"bar"`
+	}{}
+
+	err := decoder.Decode(rawMap, s)
+	assert.Nil(t, err)
+	assert.Nil(t, s.Bar[1])
+
+	ss := &struct {
+		Bar []Baz `test:"bar"`
+	}{}
+
+	err = decoder.Decode(rawMap, ss)
+	assert.NotNil(t, err)
+}
--- a/component/dialer/dialer.go
+++ b/component/dialer/dialer.go
@ -4,12 +4,15 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"github.com/Dreamacro/clash/component/resolver"
-	"go.uber.org/atomic"
 	"net"
 	"net/netip"
+	"runtime"
 	"strings"
 	"sync"
+
+	"github.com/Dreamacro/clash/component/resolver"
+
+	"go.uber.org/atomic"
 )

 var (
@ -22,7 +25,18 @@ var (
 	ErrorDisableIPv6           = errors.New("IPv6 is disabled, dialer cancel")
 )

-func DialContext(ctx context.Context, network, address string, options ...Option) (net.Conn, error) {
+func ParseNetwork(network string, addr netip.Addr) string {
+	if runtime.GOOS == "windows" { // fix bindIfaceToListenConfig() in windows force bind to an ipv4 address
+		if !strings.HasSuffix(network, "4") &&
+			!strings.HasSuffix(network, "6") &&
+			addr.Unmap().Is6() {
+			network += "6"
+		}
+	}
+	return network
+}
+
+func applyOptions(options ...Option) *option {
 	opt := &option{
 		interfaceName: DefaultInterface.Load(),
 		routingMark:   int(DefaultRoutingMark.Load()),
@ -36,6 +50,12 @@ func DialContext(ctx context.Context, network, address string, options ...Option
 		o(opt)
 	}

+	return opt
+}
+
+func DialContext(ctx context.Context, network, address string, options ...Option) (net.Conn, error) {
+	opt := applyOptions(options...)
+
 	if opt.network == 4 || opt.network == 6 {
 		if strings.Contains(network, "tcp") {
 			network = "tcp"
@ -143,7 +163,7 @@ func dualStackDialContext(ctx context.Context, network, address string, opt *opt
 	results := make(chan dialResult)
 	var primary, fallback dialResult

-	startRacer := func(ctx context.Context, network, host string, direct bool, ipv6 bool) {
+	startRacer := func(ctx context.Context, network, host string, r resolver.Resolver, ipv6 bool) {
 		result := dialResult{ipv6: ipv6, done: true}
 		defer func() {
 			select {
@ -157,16 +177,16 @@ func dualStackDialContext(ctx context.Context, network, address string, opt *opt

 		var ip netip.Addr
 		if ipv6 {
-			if !direct {
-				ip, result.error = resolver.ResolveIPv6ProxyServerHost(host)
+			if r == nil {
+				ip, result.error = resolver.ResolveIPv6ProxyServerHost(ctx, host)
 			} else {
-				ip, result.error = resolver.ResolveIPv6(host)
+				ip, result.error = resolver.ResolveIPv6WithResolver(ctx, host, r)
 			}
 		} else {
-			if !direct {
-				ip, result.error = resolver.ResolveIPv4ProxyServerHost(host)
+			if r == nil {
+				ip, result.error = resolver.ResolveIPv4ProxyServerHost(ctx, host)
 			} else {
-				ip, result.error = resolver.ResolveIPv4(host)
+				ip, result.error = resolver.ResolveIPv4WithResolver(ctx, host, r)
 			}
 		}
 		if result.error != nil {
@ -177,8 +197,8 @@ func dualStackDialContext(ctx context.Context, network, address string, opt *opt
 		result.Conn, result.error = dialContext(ctx, network, ip, port, opt)
 	}

-	go startRacer(ctx, network+"4", host, opt.direct, false)
-	go startRacer(ctx, network+"6", host, opt.direct, true)
+	go startRacer(ctx, network+"4", host, opt.resolver, false)
+	go startRacer(ctx, network+"6", host, opt.resolver, true)

 	count := 2
 	for i := 0; i < count; i++ {
@ -204,11 +224,17 @@ func dualStackDialContext(ctx context.Context, network, address string, opt *opt
 				}
 			}
 		case <-ctx.Done():
+			err = ctx.Err()
 			break
 		}
 	}

-	return nil, errors.New("dual stack tcp shake hands failed")
+	if err == nil {
+		err = fmt.Errorf("dual stack dial failed")
+	} else {
+		err = fmt.Errorf("dual stack dial failed:%w", err)
+	}
+	return nil, err
 }

 func concurrentDualStackDialContext(ctx context.Context, network, address string, opt *option) (net.Conn, error) {
@ -218,10 +244,10 @@ func concurrentDualStackDialContext(ctx context.Context, network, address string
 	}

 	var ips []netip.Addr
-	if opt.direct {
-		ips, err = resolver.ResolveAllIP(host)
+	if opt.resolver != nil {
+		ips, err = resolver.LookupIPWithResolver(ctx, host, opt.resolver)
 	} else {
-		ips, err = resolver.ResolveAllIPProxyServerHost(host)
+		ips, err = resolver.LookupIPProxyServerHost(ctx, host)
 	}

 	if err != nil {
@ -291,6 +317,7 @@ func concurrentDialContext(ctx context.Context, network string, ips []netip.Addr
 	connCount := len(ips)
 	var fallback dialResult
 	var primaryError error
+	var finalError error
 	for i := 0; i < connCount; i++ {
 		select {
 		case res := <-results:
@ -315,6 +342,7 @@ func concurrentDialContext(ctx context.Context, network string, ips []netip.Addr
 			if fallback.done && fallback.error == nil {
 				return fallback.Conn, nil
 			}
+			finalError = ctx.Err()
 			break
 		}
 	}
@ -331,7 +359,13 @@ func concurrentDialContext(ctx context.Context, network string, ips []netip.Addr
 		return nil, fallback.error
 	}

-	return nil, fmt.Errorf("all ips %v tcp shake hands failed", ips)
+	if finalError == nil {
+		finalError = fmt.Errorf("all ips %v tcp shake hands failed", ips)
+	} else {
+		finalError = fmt.Errorf("concurrent dial failed:%w", finalError)
+	}
+
+	return nil, finalError
 }

 func singleDialContext(ctx context.Context, network string, address string, opt *option) (net.Conn, error) {
@ -343,16 +377,16 @@ func singleDialContext(ctx context.Context, network string, address string, opt
 	var ip netip.Addr
 	switch network {
 	case "tcp4", "udp4":
-		if !opt.direct {
-			ip, err = resolver.ResolveIPv4ProxyServerHost(host)
+		if opt.resolver == nil {
+			ip, err = resolver.ResolveIPv4ProxyServerHost(ctx, host)
 		} else {
-			ip, err = resolver.ResolveIPv4(host)
+			ip, err = resolver.ResolveIPv4WithResolver(ctx, host, opt.resolver)
 		}
 	default:
-		if !opt.direct {
-			ip, err = resolver.ResolveIPv6ProxyServerHost(host)
+		if opt.resolver == nil {
+			ip, err = resolver.ResolveIPv6ProxyServerHost(ctx, host)
 		} else {
-			ip, err = resolver.ResolveIPv6(host)
+			ip, err = resolver.ResolveIPv6WithResolver(ctx, host, opt.resolver)
 		}
 	}
 	if err != nil {
@ -378,10 +412,10 @@ func concurrentIPv4DialContext(ctx context.Context, network, address string, opt
 	}

 	var ips []netip.Addr
-	if !opt.direct {
-		ips, err = resolver.ResolveAllIPv4ProxyServerHost(host)
+	if opt.resolver == nil {
+		ips, err = resolver.LookupIPv4ProxyServerHost(ctx, host)
 	} else {
-		ips, err = resolver.ResolveAllIPv4(host)
+		ips, err = resolver.LookupIPv4WithResolver(ctx, host, opt.resolver)
 	}

 	if err != nil {
@ -398,10 +432,10 @@ func concurrentIPv6DialContext(ctx context.Context, network, address string, opt
 	}

 	var ips []netip.Addr
-	if !opt.direct {
-		ips, err = resolver.ResolveAllIPv6ProxyServerHost(host)
+	if opt.resolver == nil {
+		ips, err = resolver.LookupIPv6ProxyServerHost(ctx, host)
 	} else {
-		ips, err = resolver.ResolveAllIPv6(host)
+		ips, err = resolver.LookupIPv6WithResolver(ctx, host, opt.resolver)
 	}

 	if err != nil {
@ -410,3 +444,20 @@ func concurrentIPv6DialContext(ctx context.Context, network, address string, opt

 	return concurrentDialContext(ctx, network, ips, port, opt)
 }
+
+type Dialer struct {
+	Opt option
+}
+
+func (d Dialer) DialContext(ctx context.Context, network, address string) (net.Conn, error) {
+	return DialContext(ctx, network, address, WithOption(d.Opt))
+}
+
+func (d Dialer) ListenPacket(ctx context.Context, network, address string, rAddrPort netip.AddrPort) (net.PacketConn, error) {
+	return ListenPacket(ctx, ParseNetwork(network, rAddrPort.Addr()), address, WithOption(d.Opt))
+}
+
+func NewDialer(options ...Option) Dialer {
+	opt := applyOptions(options...)
+	return Dialer{Opt: *opt}
+}
--- a/component/dialer/mark_linux.go
+++ b/component/dialer/mark_linux.go
@ -29,13 +29,13 @@ func bindMarkToControl(mark int, chain controlFn) controlFn {
 			return
 		}

-		return c.Control(func(fd uintptr) {
-			switch network {
-			case "tcp4", "udp4":
-				_ = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_MARK, mark)
-			case "tcp6", "udp6":
-				_ = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_MARK, mark)
-			}
+		var innerErr error
+		err = c.Control(func(fd uintptr) {
+			innerErr = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_MARK, mark)
 		})
+		if innerErr != nil {
+			err = innerErr
+		}
+		return
 	}
 }
--- a/component/dialer/options.go
+++ b/component/dialer/options.go
@ -1,6 +1,8 @@
 package dialer

 import (
+	"github.com/Dreamacro/clash/component/resolver"
+
 	"go.uber.org/atomic"
 )

@ -14,9 +16,9 @@ type option struct {
 	interfaceName string
 	addrReuse     bool
 	routingMark   int
-	direct        bool
 	network       int
 	prefer        int
+	resolver      resolver.Resolver
 }

 type Option func(opt *option)
@ -39,9 +41,9 @@ func WithRoutingMark(mark int) Option {
 	}
 }

-func WithDirect() Option {
+func WithResolver(r resolver.Resolver) Option {
 	return func(opt *option) {
-		opt.direct = true
+		opt.resolver = r
 	}
 }

@ -66,3 +68,9 @@ func WithOnlySingleStack(isIPv4 bool) Option {
 		}
 	}
 }
+
+func WithOption(o option) Option {
+	return func(opt *option) {
+		*opt = o
+	}
+}
--- a/component/fakeip/memory.go
+++ b/component/fakeip/memory.go
@ -73,7 +73,7 @@ func (m *memoryStore) FlushFakeIP() error {

 func newMemoryStore(size int) *memoryStore {
 	return &memoryStore{
-		cacheIP:   cache.NewLRUCache[string, netip.Addr](cache.WithSize[string, netip.Addr](size)),
-		cacheHost: cache.NewLRUCache[netip.Addr, string](cache.WithSize[netip.Addr, string](size)),
+		cacheIP:   cache.New[string, netip.Addr](cache.WithSize[string, netip.Addr](size)),
+		cacheHost: cache.New[netip.Addr, string](cache.WithSize[netip.Addr, string](size)),
 	}
 }
--- a/component/fakeip/pool.go
+++ b/component/fakeip/pool.go
@ -3,6 +3,7 @@ package fakeip
 import (
 	"errors"
 	"net/netip"
+	"strings"
 	"sync"

 	"github.com/Dreamacro/clash/common/nnip"
@ -26,7 +27,7 @@ type store interface {
 	FlushFakeIP() error
 }

-// Pool is a implementation about fake ip generator without storage
+// Pool is an implementation about fake ip generator without storage
 type Pool struct {
 	gateway netip.Addr
 	first   netip.Addr
@ -43,6 +44,9 @@ type Pool struct {
 func (p *Pool) Lookup(host string) netip.Addr {
 	p.mux.Lock()
 	defer p.mux.Unlock()
+
+	// RFC4343: DNS Case Insensitive, we SHOULD return result with all cases.
+	host = strings.ToLower(host)
 	if ip, exist := p.store.GetByHost(host); exist {
 		return ip
 	}
--- a/component/fakeip/pool_test.go
+++ b/component/fakeip/pool_test.go
@ -104,6 +104,27 @@ func TestPool_BasicV6(t *testing.T) {
 	}
 }

+func TestPool_Case_Insensitive(t *testing.T) {
+	ipnet := netip.MustParsePrefix("192.168.0.1/29")
+	pools, tempfile, err := createPools(Options{
+		IPNet: &ipnet,
+		Size:  10,
+	})
+	assert.Nil(t, err)
+	defer os.Remove(tempfile)
+
+	for _, pool := range pools {
+		first := pool.Lookup("foo.com")
+		last := pool.Lookup("Foo.Com")
+		foo, exist := pool.LookBack(last)
+
+		assert.Equal(t, first, pool.Lookup("Foo.Com"))
+		assert.Equal(t, pool.Lookup("fOo.cOM"), first)
+		assert.True(t, exist)
+		assert.Equal(t, foo, "foo.com")
+	}
+}
+
 func TestPool_CycleUsed(t *testing.T) {
 	ipnet := netip.MustParsePrefix("192.168.0.16/28")
 	pools, tempfile, err := createPools(Options{
--- a/component/geodata/init.go
+++ b/component/geodata/init.go
@ -2,6 +2,7 @@ package geodata

 import (
 	"fmt"
+	"github.com/Dreamacro/clash/component/mmdb"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/log"
 	"io"
@ -9,7 +10,8 @@ import (
 	"os"
 )

-var initFlag bool
+var initGeoSite bool
+var initGeoIP int

 func InitGeoSite() error {
 	if _, err := os.Stat(C.Path.GeoSite()); os.IsNotExist(err) {
@ -18,8 +20,9 @@ func InitGeoSite() error {
 			return fmt.Errorf("can't download GeoSite.dat: %s", err.Error())
 		}
 		log.Infoln("Download GeoSite.dat finish")
+		initGeoSite = false
 	}
-	if !initFlag {
+	if !initGeoSite {
 		if err := Verify(C.GeositeName); err != nil {
 			log.Warnln("GeoSite.dat invalid, remove and download: %s", err)
 			if err := os.Remove(C.Path.GeoSite()); err != nil {
@ -29,7 +32,7 @@ func InitGeoSite() error {
 				return fmt.Errorf("can't download GeoSite.dat: %s", err.Error())
 			}
 		}
-		initFlag = true
+		initGeoSite = true
 	}
 	return nil
 }
@ -50,3 +53,68 @@ func downloadGeoSite(path string) (err error) {

 	return err
 }
+
+func downloadGeoIP(path string) (err error) {
+	resp, err := http.Get(C.GeoIpUrl)
+	if err != nil {
+		return
+	}
+	defer resp.Body.Close()
+
+	f, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY, 0o644)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+	_, err = io.Copy(f, resp.Body)
+
+	return err
+}
+
+func InitGeoIP() error {
+	if C.GeodataMode {
+		if _, err := os.Stat(C.Path.GeoIP()); os.IsNotExist(err) {
+			log.Infoln("Can't find GeoIP.dat, start download")
+			if err := downloadGeoIP(C.Path.GeoIP()); err != nil {
+				return fmt.Errorf("can't download GeoIP.dat: %s", err.Error())
+			}
+			log.Infoln("Download GeoIP.dat finish")
+			initGeoIP = 0
+		}
+
+		if initGeoIP != 1 {
+			if err := Verify(C.GeoipName); err != nil {
+				log.Warnln("GeoIP.dat invalid, remove and download: %s", err)
+				if err := os.Remove(C.Path.GeoIP()); err != nil {
+					return fmt.Errorf("can't remove invalid GeoIP.dat: %s", err.Error())
+				}
+				if err := downloadGeoIP(C.Path.GeoIP()); err != nil {
+					return fmt.Errorf("can't download GeoIP.dat: %s", err.Error())
+				}
+			}
+			initGeoIP = 1
+		}
+		return nil
+	}
+
+	if _, err := os.Stat(C.Path.MMDB()); os.IsNotExist(err) {
+		log.Infoln("Can't find MMDB, start download")
+		if err := mmdb.DownloadMMDB(C.Path.MMDB()); err != nil {
+			return fmt.Errorf("can't download MMDB: %s", err.Error())
+		}
+	}
+
+	if initGeoIP != 2 {
+		if !mmdb.Verify() {
+			log.Warnln("MMDB invalid, remove and download")
+			if err := os.Remove(C.Path.MMDB()); err != nil {
+				return fmt.Errorf("can't remove invalid MMDB: %s", err.Error())
+			}
+			if err := mmdb.DownloadMMDB(C.Path.MMDB()); err != nil {
+				return fmt.Errorf("can't download MMDB: %s", err.Error())
+			}
+		}
+		initGeoIP = 2
+	}
+	return nil
+}
--- a/component/mmdb/mmdb.go
+++ b/component/mmdb/mmdb.go
@ -2,6 +2,9 @@ package mmdb

 import (
 	"github.com/oschwald/geoip2-golang"
+	"io"
+	"net/http"
+	"os"
 	"sync"

 	C "github.com/Dreamacro/clash/constant"
@ -42,3 +45,20 @@ func Instance() *geoip2.Reader {

 	return mmdb
 }
+
+func DownloadMMDB(path string) (err error) {
+	resp, err := http.Get(C.MmdbUrl)
+	if err != nil {
+		return
+	}
+	defer resp.Body.Close()
+
+	f, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY, 0o644)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+	_, err = io.Copy(f, resp.Body)
+
+	return err
+}
--- a/component/process/find_process_mode.go
+++ b/component/process/find_process_mode.go
@ -0,0 +1,57 @@
+package process
+
+import (
+	"encoding/json"
+	"errors"
+	"strings"
+)
+
+const (
+	FindProcessAlways = "always"
+	FindProcessStrict = "strict"
+	FindProcessOff    = "off"
+)
+
+var (
+	validModes = map[string]struct{}{
+		FindProcessAlways: {},
+		FindProcessOff:    {},
+		FindProcessStrict: {},
+	}
+)
+
+type FindProcessMode string
+
+func (m FindProcessMode) Always() bool {
+	return m == FindProcessAlways
+}
+
+func (m FindProcessMode) Off() bool {
+	return m == FindProcessOff
+}
+
+func (m *FindProcessMode) UnmarshalYAML(unmarshal func(any) error) error {
+	var tp string
+	if err := unmarshal(&tp); err != nil {
+		return err
+	}
+	return m.Set(tp)
+}
+
+func (m *FindProcessMode) UnmarshalJSON(data []byte) error {
+	var tp string
+	if err := json.Unmarshal(data, &tp); err != nil {
+		return err
+	}
+	return m.Set(tp)
+}
+
+func (m *FindProcessMode) Set(value string) error {
+	mode := strings.ToLower(value)
+	_, exist := validModes[mode]
+	if !exist {
+		return errors.New("invalid find process mode")
+	}
+	*m = FindProcessMode(mode)
+	return nil
+}
--- a/component/process/process.go
+++ b/component/process/process.go
@ -16,14 +16,14 @@ const (
 	UDP = "udp"
 )

-func FindProcessName(network string, srcIP netip.Addr, srcPort int) (int32, string, error) {
+func FindProcessName(network string, srcIP netip.Addr, srcPort int) (*uint32, string, error) {
 	return findProcessName(network, srcIP, srcPort)
 }

-func FindUid(network string, srcIP netip.Addr, srcPort int) (int32, error) {
+func FindUid(network string, srcIP netip.Addr, srcPort int) (*uint32, error) {
 	_, uid, err := resolveSocketByNetlink(network, srcIP, srcPort)
 	if err != nil {
-		return -1, err
+		return nil, err
 	}
-	return uid, nil
+	return &uid, nil
 }
--- a/component/process/process_darwin.go
+++ b/component/process/process_darwin.go
@ -33,11 +33,11 @@ var structSize = func() int {
 	}
 }()

-func resolveSocketByNetlink(network string, ip netip.Addr, srcPort int) (int32, int32, error) {
+func resolveSocketByNetlink(network string, ip netip.Addr, srcPort int) (uint32, uint32, error) {
 	return 0, 0, ErrPlatformNotSupport
 }

-func findProcessName(network string, ip netip.Addr, port int) (int32, string, error) {
+func findProcessName(network string, ip netip.Addr, port int) (*uint32, string, error) {
 	var spath string
 	switch network {
 	case TCP:
@ -45,14 +45,14 @@ func findProcessName(network string, ip netip.Addr, port int) (int32, string, er
 	case UDP:
 		spath = "net.inet.udp.pcblist_n"
 	default:
-		return -1, "", ErrInvalidNetwork
+		return nil, "", ErrInvalidNetwork
 	}

 	isIPv4 := ip.Is4()

 	value, err := syscall.Sysctl(spath)
 	if err != nil {
-		return -1, "", err
+		return nil, "", err
 	}

 	buf := []byte(value)
@ -96,7 +96,7 @@ func findProcessName(network string, ip netip.Addr, port int) (int32, string, er
 			// xsocket_n.so_last_pid
 			pid := readNativeUint32(buf[so+68 : so+72])
 			pp, err := getExecPathFromPID(pid)
-			return -1, pp, err
+			return nil, pp, err
 		}

 		// udp packet connection may be not equal with srcIP
@ -106,10 +106,10 @@ func findProcessName(network string, ip netip.Addr, port int) (int32, string, er
 	}

 	if network == UDP && fallbackUDPProcess != "" {
-		return -1, fallbackUDPProcess, nil
+		return nil, fallbackUDPProcess, nil
 	}

-	return -1, "", ErrNotFound
+	return nil, "", ErrNotFound
 }

 func getExecPathFromPID(pid uint32) (string, error) {
--- a/component/process/process_freebsd_amd64.go
+++ b/component/process/process_freebsd_amd64.go
@ -21,11 +21,11 @@ var (
 	once sync.Once
 )

-func resolveSocketByNetlink(network string, ip netip.Addr, srcPort int) (int32, int32, error) {
+func resolveSocketByNetlink(network string, ip netip.Addr, srcPort int) (uint32, uint32, error) {
 	return 0, 0, ErrPlatformNotSupport
 }

-func findProcessName(network string, ip netip.Addr, srcPort int) (int32, string, error) {
+func findProcessName(network string, ip netip.Addr, srcPort int) (*uint32, string, error) {
 	once.Do(func() {
 		if err := initSearcher(); err != nil {
 			log.Errorln("Initialize PROCESS-NAME failed: %s", err.Error())
@ -35,7 +35,7 @@ func findProcessName(network string, ip netip.Addr, srcPort int) (int32, string,
 	})

 	if defaultSearcher == nil {
-		return -1, "", ErrPlatformNotSupport
+		return nil, "", ErrPlatformNotSupport
 	}

 	var spath string
@ -46,22 +46,22 @@ func findProcessName(network string, ip netip.Addr, srcPort int) (int32, string,
 	case UDP:
 		spath = "net.inet.udp.pcblist"
 	default:
-		return -1, "", ErrInvalidNetwork
+		return nil, "", ErrInvalidNetwork
 	}

 	value, err := syscall.Sysctl(spath)
 	if err != nil {
-		return -1, "", err
+		return nil, "", err
 	}

 	buf := []byte(value)
 	pid, err := defaultSearcher.Search(buf, ip, uint16(srcPort), isTCP)
 	if err != nil {
-		return -1, "", err
+		return nil, "", err
 	}

 	pp, err := getExecPathFromPID(pid)
-	return -1, pp, err
+	return nil, pp, err
 }

 func getExecPathFromPID(pid uint32) (string, error) {
--- a/component/process/process_linux.go
+++ b/component/process/process_linux.go
@ -4,7 +4,6 @@ import (
 	"bytes"
 	"encoding/binary"
 	"fmt"
-	"net"
 	"net/netip"
 	"os"
 	"path"
@ -15,162 +14,125 @@ import (
 	"unicode"
 	"unsafe"

-	"github.com/Dreamacro/clash/common/pool"
+	"github.com/mdlayher/netlink"
+	"golang.org/x/sys/unix"
 )

-// from https://github.com/vishvananda/netlink/blob/bca67dfc8220b44ef582c9da4e9172bf1c9ec973/nl/nl_linux.go#L52-L62
-var nativeEndian = func() binary.ByteOrder {
-	var x uint32 = 0x01020304
-	if *(*byte)(unsafe.Pointer(&x)) == 0x01 {
-		return binary.BigEndian
-	}
-
-	return binary.LittleEndian
-}()
-
 const (
-	sizeOfSocketDiagRequest = syscall.SizeofNlMsghdr + 8 + 48
-	socketDiagByFamily      = 20
-	pathProc                = "/proc"
+	SOCK_DIAG_BY_FAMILY  = 20
+	inetDiagRequestSize  = int(unsafe.Sizeof(inetDiagRequest{}))
+	inetDiagResponseSize = int(unsafe.Sizeof(inetDiagResponse{}))
 )

-func findProcessName(network string, ip netip.Addr, srcPort int) (int32, string, error) {
+type inetDiagRequest struct {
+	Family   byte
+	Protocol byte
+	Ext      byte
+	Pad      byte
+	States   uint32
+
+	SrcPort [2]byte
+	DstPort [2]byte
+	Src     [16]byte
+	Dst     [16]byte
+	If      uint32
+	Cookie  [2]uint32
+}
+
+type inetDiagResponse struct {
+	Family  byte
+	State   byte
+	Timer   byte
+	ReTrans byte
+
+	SrcPort [2]byte
+	DstPort [2]byte
+	Src     [16]byte
+	Dst     [16]byte
+	If      uint32
+	Cookie  [2]uint32
+
+	Expires uint32
+	RQueue  uint32
+	WQueue  uint32
+	UID     uint32
+	INode   uint32
+}
+
+func findProcessName(network string, ip netip.Addr, srcPort int) (*uint32, string, error) {
 	inode, uid, err := resolveSocketByNetlink(network, ip, srcPort)
 	if err != nil {
-		return -1, "", err
+		return nil, "", err
 	}

 	pp, err := resolveProcessNameByProcSearch(inode, uid)
-	return uid, pp, err
+	return &uid, pp, err
 }

-func resolveSocketByNetlink(network string, ip netip.Addr, srcPort int) (int32, int32, error) {
-	var family byte
-	var protocol byte
-
-	switch network {
-	case TCP:
-		protocol = syscall.IPPROTO_TCP
-	case UDP:
-		protocol = syscall.IPPROTO_UDP
-	default:
-		return 0, 0, ErrInvalidNetwork
+func resolveSocketByNetlink(network string, ip netip.Addr, srcPort int) (uint32, uint32, error) {
+	request := &inetDiagRequest{
+		States: 0xffffffff,
+		Cookie: [2]uint32{0xffffffff, 0xffffffff},
 	}

 	if ip.Is4() {
-		family = syscall.AF_INET
+		request.Family = unix.AF_INET
 	} else {
-		family = syscall.AF_INET6
+		request.Family = unix.AF_INET6
 	}

-	req := packSocketDiagRequest(family, protocol, ip, uint16(srcPort))
+	if strings.HasPrefix(network, "tcp") {
+		request.Protocol = unix.IPPROTO_TCP
+	} else if strings.HasPrefix(network, "udp") {
+		request.Protocol = unix.IPPROTO_UDP
+	} else {
+		return 0, 0, ErrInvalidNetwork
+	}

-	socket, err := syscall.Socket(syscall.AF_NETLINK, syscall.SOCK_DGRAM, syscall.NETLINK_INET_DIAG)
+	copy(request.Src[:], ip.AsSlice())
+
+	binary.BigEndian.PutUint16(request.SrcPort[:], uint16(srcPort))
+
+	conn, err := netlink.Dial(unix.NETLINK_INET_DIAG, nil)
 	if err != nil {
-		return 0, 0, fmt.Errorf("dial netlink: %w", err)
+		return 0, 0, err
 	}
-	defer func() {
-		_ = syscall.Close(socket)
-	}()
+	defer conn.Close()

-	_ = syscall.SetsockoptTimeval(socket, syscall.SOL_SOCKET, syscall.SO_SNDTIMEO, &syscall.Timeval{Usec: 100})
-	_ = syscall.SetsockoptTimeval(socket, syscall.SOL_SOCKET, syscall.SO_RCVTIMEO, &syscall.Timeval{Usec: 100})
+	message := netlink.Message{
+		Header: netlink.Header{
+			Type:  SOCK_DIAG_BY_FAMILY,
+			Flags: netlink.Request | netlink.Dump,
+		},
+		Data: (*(*[inetDiagRequestSize]byte)(unsafe.Pointer(request)))[:],
+	}

-	if err := syscall.Connect(socket, &syscall.SockaddrNetlink{
-		Family: syscall.AF_NETLINK,
-		Pad:    0,
-		Pid:    0,
-		Groups: 0,
-	}); err != nil {
+	messages, err := conn.Execute(message)
+	if err != nil {
 		return 0, 0, err
 	}

-	if _, err := syscall.Write(socket, req); err != nil {
-		return 0, 0, fmt.Errorf("write request: %w", err)
+	for _, msg := range messages {
+		if len(msg.Data) < inetDiagResponseSize {
+			continue
+		}
+
+		response := (*inetDiagResponse)(unsafe.Pointer(&msg.Data[0]))
+
+		return response.INode, response.UID, nil
 	}

-	rb := pool.Get(pool.RelayBufferSize)
-	defer func() {
-		_ = pool.Put(rb)
-	}()
-
-	n, err := syscall.Read(socket, rb)
-	if err != nil {
-		return 0, 0, fmt.Errorf("read response: %w", err)
-	}
-
-	messages, err := syscall.ParseNetlinkMessage(rb[:n])
-	if err != nil {
-		return 0, 0, fmt.Errorf("parse netlink message: %w", err)
-	} else if len(messages) == 0 {
-		return 0, 0, fmt.Errorf("unexcepted netlink response")
-	}
-
-	message := messages[0]
-	if message.Header.Type&syscall.NLMSG_ERROR != 0 {
-		return 0, 0, fmt.Errorf("netlink message: NLMSG_ERROR")
-	}
-
-	inode, uid := unpackSocketDiagResponse(&messages[0])
-	if inode < 0 || uid < 0 {
-		return 0, 0, fmt.Errorf("invalid inode(%d) or uid(%d)", inode, uid)
-	}
-
-	return inode, uid, nil
+	return 0, 0, ErrNotFound
 }

-func packSocketDiagRequest(family, protocol byte, source netip.Addr, sourcePort uint16) []byte {
-	s := make([]byte, 16)
-
-	copy(s, source.AsSlice())
-
-	buf := make([]byte, sizeOfSocketDiagRequest)
-
-	nativeEndian.PutUint32(buf[0:4], sizeOfSocketDiagRequest)
-	nativeEndian.PutUint16(buf[4:6], socketDiagByFamily)
-	nativeEndian.PutUint16(buf[6:8], syscall.NLM_F_REQUEST|syscall.NLM_F_DUMP)
-	nativeEndian.PutUint32(buf[8:12], 0)
-	nativeEndian.PutUint32(buf[12:16], 0)
-
-	buf[16] = family
-	buf[17] = protocol
-	buf[18] = 0
-	buf[19] = 0
-	nativeEndian.PutUint32(buf[20:24], 0xFFFFFFFF)
-
-	binary.BigEndian.PutUint16(buf[24:26], sourcePort)
-	binary.BigEndian.PutUint16(buf[26:28], 0)
-
-	copy(buf[28:44], s)
-	copy(buf[44:60], net.IPv6zero)
-
-	nativeEndian.PutUint32(buf[60:64], 0)
-	nativeEndian.PutUint64(buf[64:72], 0xFFFFFFFFFFFFFFFF)
-
-	return buf
-}
-
-func unpackSocketDiagResponse(msg *syscall.NetlinkMessage) (inode, uid int32) {
-	if len(msg.Data) < 72 {
-		return 0, 0
-	}
-
-	data := msg.Data
-
-	uid = int32(nativeEndian.Uint32(data[64:68]))
-	inode = int32(nativeEndian.Uint32(data[68:72]))
-
-	return
-}
-
-func resolveProcessNameByProcSearch(inode, uid int32) (string, error) {
-	files, err := os.ReadDir(pathProc)
+func resolveProcessNameByProcSearch(inode, uid uint32) (string, error) {
+	files, err := os.ReadDir("/proc")
 	if err != nil {
 		return "", err
 	}

-	buffer := make([]byte, syscall.PathMax)
-	socket := []byte(fmt.Sprintf("socket:[%d]", inode))
+	buffer := make([]byte, unix.PathMax)
+	socket := fmt.Appendf(nil, "socket:[%d]", inode)

 	for _, f := range files {
 		if !f.IsDir() || !isPid(f.Name()) {
@ -181,12 +143,12 @@ func resolveProcessNameByProcSearch(inode, uid int32) (string, error) {
 		if err != nil {
 			return "", err
 		}
-		if info.Sys().(*syscall.Stat_t).Uid != uint32(uid) {
+		if info.Sys().(*syscall.Stat_t).Uid != uid {
 			continue
 		}

-		processPath := path.Join(pathProc, f.Name())
-		fdPath := path.Join(processPath, "fd")
+		processPath := filepath.Join("/proc", f.Name())
+		fdPath := filepath.Join(processPath, "fd")

 		fds, err := os.ReadDir(fdPath)
 		if err != nil {
@ -194,7 +156,7 @@ func resolveProcessNameByProcSearch(inode, uid int32) (string, error) {
 		}

 		for _, fd := range fds {
-			n, err := syscall.Readlink(path.Join(fdPath, fd.Name()), buffer)
+			n, err := unix.Readlink(filepath.Join(fdPath, fd.Name()), buffer)
 			if err != nil {
 				continue
 			}
@ -209,9 +171,10 @@ func resolveProcessNameByProcSearch(inode, uid int32) (string, error) {
 				}
 			} else {
 				if bytes.Equal(buffer[:n], socket) {
-					return os.Readlink(path.Join(processPath, "exe"))
+					return os.Readlink(filepath.Join(processPath, "exe"))
 				}
 			}
+
 		}
 	}

@ -222,7 +185,7 @@ func splitCmdline(cmdline []byte) string {
 	cmdline = bytes.Trim(cmdline, " ")

 	idx := bytes.IndexFunc(cmdline, func(r rune) bool {
-		return unicode.IsControl(r) || unicode.IsSpace(r)
+		return unicode.IsControl(r) || unicode.IsSpace(r) || r == ':'
 	})

 	if idx == -1 {
--- a/component/process/process_other.go
+++ b/component/process/process_other.go
@ -4,10 +4,10 @@ package process

 import "net/netip"

-func findProcessName(network string, ip netip.Addr, srcPort int) (int32, string, error) {
-	return -1, "", ErrPlatformNotSupport
+func findProcessName(network string, ip netip.Addr, srcPort int) (*uint32, string, error) {
+	return nil, "", ErrPlatformNotSupport
 }

-func resolveSocketByNetlink(network string, ip netip.Addr, srcPort int) (int32, int32, error) {
+func resolveSocketByNetlink(network string, ip netip.Addr, srcPort int) (uint32, uint32, error) {
 	return 0, 0, ErrPlatformNotSupport
 }
--- a/component/process/process_windows.go
+++ b/component/process/process_windows.go
@ -29,7 +29,7 @@ var (
 	once sync.Once
 )

-func resolveSocketByNetlink(network string, ip netip.Addr, srcPort int) (int32, int32, error) {
+func resolveSocketByNetlink(network string, ip netip.Addr, srcPort int) (uint32, uint32, error) {
 	return 0, 0, ErrPlatformNotSupport
 }

@ -62,7 +62,7 @@ func initWin32API() error {
 	return nil
 }

-func findProcessName(network string, ip netip.Addr, srcPort int) (int32, string, error) {
+func findProcessName(network string, ip netip.Addr, srcPort int) (*uint32, string, error) {
 	once.Do(func() {
 		err := initWin32API()
 		if err != nil {
@ -86,22 +86,22 @@ func findProcessName(network string, ip netip.Addr, srcPort int) (int32, string,
 		fn = getExUDPTable
 		class = udpTablePid
 	default:
-		return -1, "", ErrInvalidNetwork
+		return nil, "", ErrInvalidNetwork
 	}

 	buf, err := getTransportTable(fn, family, class)
 	if err != nil {
-		return -1, "", err
+		return nil, "", err
 	}

 	s := newSearcher(family == windows.AF_INET, network == TCP)

 	pid, err := s.Search(buf, ip, uint16(srcPort))
 	if err != nil {
-		return -1, "", err
+		return nil, "", err
 	}
 	pp, err := getExecPathFromPID(pid)
-	return -1, pp, err
+	return nil, pp, err
 }

 type searcher struct {
@ -220,7 +220,8 @@ func getExecPathFromPID(pid uint32) (string, error) {
 		uintptr(h),
 		uintptr(1),
 		uintptr(unsafe.Pointer(&buf[0])),
-		uintptr(unsafe.Pointer(&size)))
+		uintptr(unsafe.Pointer(&size)),
+	)
 	if r1 == 0 {
 		return "", err
 	}
--- a/component/resolver/local.go
+++ b/component/resolver/local.go
@ -1,17 +1,21 @@
 package resolver

-import D "github.com/miekg/dns"
+import (
+	"context"
+
+	D "github.com/miekg/dns"
+)

 var DefaultLocalServer LocalServer

 type LocalServer interface {
-	ServeMsg(msg *D.Msg) (*D.Msg, error)
+	ServeMsg(ctx context.Context, msg *D.Msg) (*D.Msg, error)
 }

 // ServeMsg with a dns.Msg, return resolve dns.Msg
-func ServeMsg(msg *D.Msg) (*D.Msg, error) {
+func ServeMsg(ctx context.Context, msg *D.Msg) (*D.Msg, error) {
 	if server := DefaultLocalServer; server != nil {
-		return server.ServeMsg(msg)
+		return server.ServeMsg(ctx, msg)
 	}

 	return nil, ErrIPNotFound
--- a/component/resolver/resolver.go
+++ b/component/resolver/resolver.go
@ -3,12 +3,13 @@ package resolver
 import (
 	"context"
 	"errors"
+	"fmt"
 	"math/rand"
 	"net"
 	"net/netip"
+	"strings"
 	"time"

-	"github.com/Dreamacro/clash/common/nnip"
 	"github.com/Dreamacro/clash/component/trie"
 )

@ -37,137 +38,16 @@ var (
 )

 type Resolver interface {
-	ResolveIP(host string) (ip netip.Addr, err error)
-	ResolveIPv4(host string) (ip netip.Addr, err error)
-	ResolveIPv6(host string) (ip netip.Addr, err error)
-	ResolveAllIP(host string) (ip []netip.Addr, err error)
-	ResolveAllIPv4(host string) (ips []netip.Addr, err error)
-	ResolveAllIPv6(host string) (ips []netip.Addr, err error)
+	LookupIP(ctx context.Context, host string) (ips []netip.Addr, err error)
+	LookupIPv4(ctx context.Context, host string) (ips []netip.Addr, err error)
+	LookupIPv6(ctx context.Context, host string) (ips []netip.Addr, err error)
+	ResolveIP(ctx context.Context, host string) (ip netip.Addr, err error)
+	ResolveIPv4(ctx context.Context, host string) (ip netip.Addr, err error)
+	ResolveIPv6(ctx context.Context, host string) (ip netip.Addr, err error)
 }

-// ResolveIPv4 with a host, return ipv4
-func ResolveIPv4(host string) (netip.Addr, error) {
-	return ResolveIPv4WithResolver(host, DefaultResolver)
-}
-
-func ResolveIPv4WithResolver(host string, r Resolver) (netip.Addr, error) {
-	if ips, err := ResolveAllIPv4WithResolver(host, r); err == nil {
-		return ips[rand.Intn(len(ips))], nil
-	} else {
-		return netip.Addr{}, err
-	}
-}
-
-// ResolveIPv6 with a host, return ipv6
-func ResolveIPv6(host string) (netip.Addr, error) {
-	return ResolveIPv6WithResolver(host, DefaultResolver)
-}
-
-func ResolveIPv6WithResolver(host string, r Resolver) (netip.Addr, error) {
-	if ips, err := ResolveAllIPv6WithResolver(host, r); err == nil {
-		return ips[rand.Intn(len(ips))], nil
-	} else {
-		return netip.Addr{}, err
-	}
-}
-
-// ResolveIPWithResolver same as ResolveIP, but with a resolver
-func ResolveIPWithResolver(host string, r Resolver) (netip.Addr, error) {
-	if ip, err := ResolveIPv4WithResolver(host, r); err == nil {
-		return ip, nil
-	} else {
-		return ResolveIPv6WithResolver(host, r)
-	}
-}
-
-// ResolveIP with a host, return ip
-func ResolveIP(host string) (netip.Addr, error) {
-	return ResolveIPWithResolver(host, DefaultResolver)
-}
-
-// ResolveIPv4ProxyServerHost proxies server host only
-func ResolveIPv4ProxyServerHost(host string) (netip.Addr, error) {
-	if ProxyServerHostResolver != nil {
-		if ip, err := ResolveIPv4WithResolver(host, ProxyServerHostResolver); err != nil {
-			return ResolveIPv4(host)
-		} else {
-			return ip, nil
-		}
-	}
-	return ResolveIPv4(host)
-}
-
-// ResolveIPv6ProxyServerHost proxies server host only
-func ResolveIPv6ProxyServerHost(host string) (netip.Addr, error) {
-	if ProxyServerHostResolver != nil {
-		if ip, err := ResolveIPv6WithResolver(host, ProxyServerHostResolver); err != nil {
-			return ResolveIPv6(host)
-		} else {
-			return ip, nil
-		}
-	}
-	return ResolveIPv6(host)
-}
-
-// ResolveProxyServerHost proxies server host only
-func ResolveProxyServerHost(host string) (netip.Addr, error) {
-	if ProxyServerHostResolver != nil {
-		if ip, err := ResolveIPWithResolver(host, ProxyServerHostResolver); err != nil {
-			return ResolveIP(host)
-		} else {
-			return ip, err
-		}
-	}
-	return ResolveIP(host)
-}
-
-func ResolveAllIPv6WithResolver(host string, r Resolver) ([]netip.Addr, error) {
-	if DisableIPv6 {
-		return []netip.Addr{}, ErrIPv6Disabled
-	}
-
-	if node := DefaultHosts.Search(host); node != nil {
-		if ip := node.Data(); ip.Is6() {
-			return []netip.Addr{ip}, nil
-		}
-	}
-
-	ip, err := netip.ParseAddr(host)
-	if err == nil {
-		if ip.Is6() {
-			return []netip.Addr{ip}, nil
-		}
-		return []netip.Addr{}, ErrIPVersion
-	}
-
-	if r != nil {
-		return r.ResolveAllIPv6(host)
-	}
-
-	if DefaultResolver == nil {
-		ctx, cancel := context.WithTimeout(context.Background(), DefaultDNSTimeout)
-		defer cancel()
-		ipAddrs, err := net.DefaultResolver.LookupIP(ctx, "ip6", host)
-		if err != nil {
-			return []netip.Addr{}, err
-		} else if len(ipAddrs) == 0 {
-			return []netip.Addr{}, ErrIPNotFound
-		}
-
-		addrs := make([]netip.Addr, 0, len(ipAddrs))
-		for _, ipAddr := range ipAddrs {
-			addrs = append(addrs, nnip.IpToAddr(ipAddr))
-		}
-
-		rand.Shuffle(len(addrs), func(i, j int) {
-			addrs[i], addrs[j] = addrs[j], addrs[i]
-		})
-		return addrs, nil
-	}
-	return []netip.Addr{}, ErrIPNotFound
-}
-
-func ResolveAllIPv4WithResolver(host string, r Resolver) ([]netip.Addr, error) {
+// LookupIPv4WithResolver same as LookupIPv4, but with a resolver
+func LookupIPv4WithResolver(ctx context.Context, host string, r Resolver) ([]netip.Addr, error) {
 	if node := DefaultHosts.Search(host); node != nil {
 		if ip := node.Data(); ip.Is4() {
 			return []netip.Addr{node.Data()}, nil
@ -183,101 +63,203 @@ func ResolveAllIPv4WithResolver(host string, r Resolver) ([]netip.Addr, error) {
 	}

 	if r != nil {
-		return r.ResolveAllIPv4(host)
+		return r.LookupIPv4(ctx, host)
 	}

-	if DefaultResolver == nil {
-		ctx, cancel := context.WithTimeout(context.Background(), DefaultDNSTimeout)
-		defer cancel()
-		ipAddrs, err := net.DefaultResolver.LookupIP(ctx, "ip4", host)
-		if err != nil {
-			return []netip.Addr{}, err
-		} else if len(ipAddrs) == 0 {
-			return []netip.Addr{}, ErrIPNotFound
-		}
-
-		addrs := make([]netip.Addr, 0, len(ipAddrs))
-		for _, ipAddr := range ipAddrs {
-			addrs = append(addrs, nnip.IpToAddr(ipAddr))
-		}
-
-		rand.Shuffle(len(addrs), func(i, j int) {
-			addrs[i], addrs[j] = addrs[j], addrs[i]
-		})
-		return addrs, nil
+	if DefaultResolver != nil {
+		return DefaultResolver.LookupIPv4(ctx, host)
 	}
-	return []netip.Addr{}, ErrIPNotFound
+
+	ipAddrs, err := net.DefaultResolver.LookupNetIP(ctx, "ip4", host)
+	if err != nil {
+		return nil, err
+	} else if len(ipAddrs) == 0 {
+		return nil, ErrIPNotFound
+	}
+
+	return ipAddrs, nil
 }

-func ResolveAllIPWithResolver(host string, r Resolver) ([]netip.Addr, error) {
+// LookupIPv4 with a host, return ipv4 list
+func LookupIPv4(ctx context.Context, host string) ([]netip.Addr, error) {
+	return LookupIPv4WithResolver(ctx, host, DefaultResolver)
+}
+
+// ResolveIPv4WithResolver same as ResolveIPv4, but with a resolver
+func ResolveIPv4WithResolver(ctx context.Context, host string, r Resolver) (netip.Addr, error) {
+	ips, err := LookupIPv4WithResolver(ctx, host, r)
+	if err != nil {
+		return netip.Addr{}, err
+	} else if len(ips) == 0 {
+		return netip.Addr{}, fmt.Errorf("%w: %s", ErrIPNotFound, host)
+	}
+	return ips[rand.Intn(len(ips))], nil
+}
+
+// ResolveIPv4 with a host, return ipv4
+func ResolveIPv4(ctx context.Context, host string) (netip.Addr, error) {
+	return ResolveIPv4WithResolver(ctx, host, DefaultResolver)
+}
+
+// LookupIPv6WithResolver same as LookupIPv6, but with a resolver
+func LookupIPv6WithResolver(ctx context.Context, host string, r Resolver) ([]netip.Addr, error) {
+	if DisableIPv6 {
+		return nil, ErrIPv6Disabled
+	}
+
+	if node := DefaultHosts.Search(host); node != nil {
+		if ip := node.Data(); ip.Is6() {
+			return []netip.Addr{ip}, nil
+		}
+	}
+
+	if ip, err := netip.ParseAddr(host); err == nil {
+		if strings.Contains(host, ":") {
+			return []netip.Addr{ip}, nil
+		}
+		return nil, ErrIPVersion
+	}
+
+	if r != nil {
+		return r.LookupIPv6(ctx, host)
+	}
+	if DefaultResolver != nil {
+		return DefaultResolver.LookupIPv6(ctx, host)
+	}
+
+	ipAddrs, err := net.DefaultResolver.LookupNetIP(ctx, "ip6", host)
+	if err != nil {
+		return nil, err
+	} else if len(ipAddrs) == 0 {
+		return nil, ErrIPNotFound
+	}
+
+	return ipAddrs, nil
+}
+
+// LookupIPv6 with a host, return ipv6 list
+func LookupIPv6(ctx context.Context, host string) ([]netip.Addr, error) {
+	return LookupIPv6WithResolver(ctx, host, DefaultResolver)
+}
+
+// ResolveIPv6WithResolver same as ResolveIPv6, but with a resolver
+func ResolveIPv6WithResolver(ctx context.Context, host string, r Resolver) (netip.Addr, error) {
+	ips, err := LookupIPv6WithResolver(ctx, host, r)
+	if err != nil {
+		return netip.Addr{}, err
+	} else if len(ips) == 0 {
+		return netip.Addr{}, fmt.Errorf("%w: %s", ErrIPNotFound, host)
+	}
+	return ips[rand.Intn(len(ips))], nil
+}
+
+func ResolveIPv6(ctx context.Context, host string) (netip.Addr, error) {
+	return ResolveIPv6WithResolver(ctx, host, DefaultResolver)
+}
+
+// LookupIPWithResolver same as LookupIP, but with a resolver
+func LookupIPWithResolver(ctx context.Context, host string, r Resolver) ([]netip.Addr, error) {
 	if node := DefaultHosts.Search(host); node != nil {
 		return []netip.Addr{node.Data()}, nil
 	}

-	ip, err := netip.ParseAddr(host)
-	if err == nil {
+	if r != nil {
+		if DisableIPv6 {
+			return r.LookupIPv4(ctx, host)
+		}
+		return r.LookupIP(ctx, host)
+	} else if DisableIPv6 {
+		return LookupIPv4(ctx, host)
+	}
+
+	if ip, err := netip.ParseAddr(host); err == nil {
 		return []netip.Addr{ip}, nil
 	}

-	if r != nil {
-		if DisableIPv6 {
-			return r.ResolveAllIPv4(host)
-		}
-
-		return r.ResolveAllIP(host)
-	} else if DisableIPv6 {
-		return ResolveAllIPv4(host)
+	ips, err := net.DefaultResolver.LookupNetIP(ctx, "ip", host)
+	if err != nil {
+		return nil, err
+	} else if len(ips) == 0 {
+		return nil, ErrIPNotFound
 	}

-	if DefaultResolver == nil {
-		ipAddrs, err := net.DefaultResolver.LookupIP(context.Background(), "ip", host)
-		if err != nil {
-			return []netip.Addr{}, err
-		} else if len(ipAddrs) == 0 {
-			return []netip.Addr{}, ErrIPNotFound
-		}
-		addrs := make([]netip.Addr, 0, len(ipAddrs))
-		for _, ipAddr := range ipAddrs {
-			addrs = append(addrs, nnip.IpToAddr(ipAddr))
-		}
+	return ips, nil
+}

-		rand.Shuffle(len(addrs), func(i, j int) {
-			addrs[i], addrs[j] = addrs[j], addrs[i]
-		})
-		return addrs, nil
+// LookupIP with a host, return ip
+func LookupIP(ctx context.Context, host string) ([]netip.Addr, error) {
+	return LookupIPWithResolver(ctx, host, DefaultResolver)
+}
+
+// ResolveIPWithResolver same as ResolveIP, but with a resolver
+func ResolveIPWithResolver(ctx context.Context, host string, r Resolver) (netip.Addr, error) {
+	ips, err := LookupIPWithResolver(ctx, host, r)
+	if err != nil {
+		return netip.Addr{}, err
+	} else if len(ips) == 0 {
+		return netip.Addr{}, fmt.Errorf("%w: %s", ErrIPNotFound, host)
 	}
-	return []netip.Addr{}, ErrIPNotFound
+	return ips[rand.Intn(len(ips))], nil
 }

-func ResolveAllIP(host string) ([]netip.Addr, error) {
-	return ResolveAllIPWithResolver(host, DefaultResolver)
+// ResolveIP with a host, return ip
+func ResolveIP(ctx context.Context, host string) (netip.Addr, error) {
+	return ResolveIPWithResolver(ctx, host, DefaultResolver)
 }

-func ResolveAllIPv4(host string) ([]netip.Addr, error) {
-	return ResolveAllIPv4WithResolver(host, DefaultResolver)
-}
-
-func ResolveAllIPv6(host string) ([]netip.Addr, error) {
-	return ResolveAllIPv6WithResolver(host, DefaultResolver)
-}
-
-func ResolveAllIPv6ProxyServerHost(host string) ([]netip.Addr, error) {
+// ResolveIPv4ProxyServerHost proxies server host only
+func ResolveIPv4ProxyServerHost(ctx context.Context, host string) (netip.Addr, error) {
 	if ProxyServerHostResolver != nil {
-		return ResolveAllIPv6WithResolver(host, ProxyServerHostResolver)
+		if ip, err := ResolveIPv4WithResolver(ctx, host, ProxyServerHostResolver); err != nil {
+			return ResolveIPv4(ctx, host)
+		} else {
+			return ip, nil
+		}
 	}
-	return ResolveAllIPv6(host)
+	return ResolveIPv4(ctx, host)
 }

-func ResolveAllIPv4ProxyServerHost(host string) ([]netip.Addr, error) {
+// ResolveIPv6ProxyServerHost proxies server host only
+func ResolveIPv6ProxyServerHost(ctx context.Context, host string) (netip.Addr, error) {
 	if ProxyServerHostResolver != nil {
-		return ResolveAllIPv4WithResolver(host, ProxyServerHostResolver)
+		if ip, err := ResolveIPv6WithResolver(ctx, host, ProxyServerHostResolver); err != nil {
+			return ResolveIPv6(ctx, host)
+		} else {
+			return ip, nil
+		}
 	}
-	return ResolveAllIPv4(host)
+	return ResolveIPv6(ctx, host)
 }

-func ResolveAllIPProxyServerHost(host string) ([]netip.Addr, error) {
+// ResolveProxyServerHost proxies server host only
+func ResolveProxyServerHost(ctx context.Context, host string) (netip.Addr, error) {
 	if ProxyServerHostResolver != nil {
-		return ResolveAllIPWithResolver(host, ProxyServerHostResolver)
+		if ip, err := ResolveIPWithResolver(ctx, host, ProxyServerHostResolver); err != nil {
+			return ResolveIP(ctx, host)
+		} else {
+			return ip, err
+		}
 	}
-	return ResolveAllIP(host)
+	return ResolveIP(ctx, host)
+}
+
+func LookupIPv6ProxyServerHost(ctx context.Context, host string) ([]netip.Addr, error) {
+	if ProxyServerHostResolver != nil {
+		return LookupIPv6WithResolver(ctx, host, ProxyServerHostResolver)
+	}
+	return LookupIPv6(ctx, host)
+}
+
+func LookupIPv4ProxyServerHost(ctx context.Context, host string) ([]netip.Addr, error) {
+	if ProxyServerHostResolver != nil {
+		return LookupIPv4WithResolver(ctx, host, ProxyServerHostResolver)
+	}
+	return LookupIPv4(ctx, host)
+}
+
+func LookupIPProxyServerHost(ctx context.Context, host string) ([]netip.Addr, error) {
+	if ProxyServerHostResolver != nil {
+		return LookupIPWithResolver(ctx, host, ProxyServerHostResolver)
+	}
+	return LookupIP(ctx, host)
 }
--- a/component/sniffer/dispatcher.go
+++ b/component/sniffer/dispatcher.go
@ -190,7 +190,7 @@ func NewSnifferDispatcher(needSniffer []sniffer.Type, forceDomain *trie.DomainTr
 		forceDomain:     forceDomain,
 		skipSNI:         skipSNI,
 		portRanges:      ports,
-		skipList:        cache.NewLRUCache[string, uint8](cache.WithSize[string, uint8](128), cache.WithAge[string, uint8](600)),
+		skipList:        cache.New[string, uint8](cache.WithSize[string, uint8](128), cache.WithAge[string, uint8](600)),
 		forceDnsMapping: forceDnsMapping,
 		parsePureIp:     parsePureIp,
 	}
--- a/component/trie/domain.go
+++ b/component/trie/domain.go
@ -73,11 +73,7 @@ func (t *DomainTrie[T]) insert(parts []string, data T) {
 	// reverse storage domain part to save space
 	for i := len(parts) - 1; i >= 0; i-- {
 		part := parts[i]
-		if !node.hasChild(part) {
-			node.addChild(part, newNode[T]())
-		}
-
-		node = node.getChild(part)
+		node = node.getOrNewChild(part)
 	}

 	node.setData(data)
@ -123,6 +119,10 @@ func (t *DomainTrie[T]) search(node *Node[T], parts []string) *Node[T] {
 	return node.getChild(dotWildcard)
 }

+func (t *DomainTrie[T]) Optimize() {
+	t.root.optimize()
+}
+
 // New returns a new, empty Trie.
 func New[T any]() *DomainTrie[T] {
 	return &DomainTrie[T]{root: newNode[T]()}
--- a/component/trie/node.go
+++ b/component/trie/node.go
@ -1,14 +1,24 @@
 package trie

+import "strings"
+
 // Node is the trie's node
 type Node[T any] struct {
-	children map[string]*Node[T]
-	inited   bool
-	data     T
+	childMap  map[string]*Node[T]
+	childNode *Node[T] // optimize for only one child
+	childStr  string
+	inited    bool
+	data      T
 }

 func (n *Node[T]) getChild(s string) *Node[T] {
-	return n.children[s]
+	if n.childMap == nil {
+		if n.childNode != nil && n.childStr == s {
+			return n.childNode
+		}
+		return nil
+	}
+	return n.childMap[s]
 }

 func (n *Node[T]) hasChild(s string) bool {
@ -16,7 +26,82 @@ func (n *Node[T]) hasChild(s string) bool {
 }

 func (n *Node[T]) addChild(s string, child *Node[T]) {
-	n.children[s] = child
+	if n.childMap == nil {
+		if n.childNode == nil {
+			n.childStr = s
+			n.childNode = child
+			return
+		}
+		n.childMap = map[string]*Node[T]{}
+		if n.childNode != nil {
+			n.childMap[n.childStr] = n.childNode
+		}
+		n.childStr = ""
+		n.childNode = nil
+	}
+
+	n.childMap[s] = child
+}
+
+func (n *Node[T]) getOrNewChild(s string) *Node[T] {
+	node := n.getChild(s)
+	if node == nil {
+		node = newNode[T]()
+		n.addChild(s, node)
+	}
+	return node
+}
+
+func (n *Node[T]) optimize() {
+	if len(n.childStr) > 0 {
+		n.childStr = strClone(n.childStr)
+	}
+	if n.childNode != nil {
+		n.childNode.optimize()
+	}
+	if n.childMap == nil {
+		return
+	}
+	switch len(n.childMap) {
+	case 0:
+		n.childMap = nil
+		return
+	case 1:
+		for key := range n.childMap {
+			n.childStr = key
+			n.childNode = n.childMap[key]
+		}
+		n.childMap = nil
+		n.optimize()
+		return
+	}
+	children := make(map[string]*Node[T], len(n.childMap)) // avoid map reallocate memory
+	for key := range n.childMap {
+		child := n.childMap[key]
+		if child == nil {
+			continue
+		}
+		key = strClone(key)
+		children[key] = child
+		child.optimize()
+	}
+	n.childMap = children
+}
+
+func strClone(key string) string {
+	switch key { // try to save string's memory
+	case wildcard:
+		key = wildcard
+	case dotWildcard:
+		key = dotWildcard
+	case complexWildcard:
+		key = complexWildcard
+	case domainStep:
+		key = domainStep
+	default:
+		key = strings.Clone(key)
+	}
+	return key
 }

 func (n *Node[T]) isEmpty() bool {
@ -36,14 +121,5 @@ func (n *Node[T]) Data() T {
 }

 func newNode[T any]() *Node[T] {
-	return &Node[T]{
-		children: map[string]*Node[T]{},
-		inited:   false,
-		data:     getZero[T](),
-	}
-}
-
-func getZero[T any]() T {
-	var result T
-	return result
+	return &Node[T]{}
 }
--- a/config/config.go
+++ b/config/config.go
@ -2,9 +2,9 @@ package config

 import (
 	"container/list"
-	"encoding/json"
 	"errors"
 	"fmt"
+	P "github.com/Dreamacro/clash/component/process"
 	"net"
 	"net/netip"
 	"net/url"
@ -14,14 +14,11 @@ import (
 	"strings"
 	"time"

-	"github.com/Dreamacro/clash/common/utils"
-	R "github.com/Dreamacro/clash/rules"
-	RP "github.com/Dreamacro/clash/rules/provider"
-
 	"github.com/Dreamacro/clash/adapter"
 	"github.com/Dreamacro/clash/adapter/outbound"
 	"github.com/Dreamacro/clash/adapter/outboundgroup"
 	"github.com/Dreamacro/clash/adapter/provider"
+	"github.com/Dreamacro/clash/common/utils"
 	"github.com/Dreamacro/clash/component/auth"
 	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/fakeip"
@ -30,10 +27,13 @@ import (
 	"github.com/Dreamacro/clash/component/trie"
 	C "github.com/Dreamacro/clash/constant"
 	providerTypes "github.com/Dreamacro/clash/constant/provider"
-	"github.com/Dreamacro/clash/constant/sniffer"
 	snifferTypes "github.com/Dreamacro/clash/constant/sniffer"
 	"github.com/Dreamacro/clash/dns"
+	L "github.com/Dreamacro/clash/listener"
+	LC "github.com/Dreamacro/clash/listener/config"
 	"github.com/Dreamacro/clash/log"
+	R "github.com/Dreamacro/clash/rules"
+	RP "github.com/Dreamacro/clash/rules/provider"
 	T "github.com/Dreamacro/clash/tunnel"

 	"gopkg.in/yaml.v3"
@ -43,43 +43,44 @@ import (
 type General struct {
 	Inbound
 	Controller
-	Mode          T.TunnelMode `json:"mode"`
-	UnifiedDelay  bool
-	LogLevel      log.LogLevel `json:"log-level"`
-	IPv6          bool         `json:"ipv6"`
-	Interface     string       `json:"interface-name"`
-	RoutingMark   int          `json:"-"`
-	GeodataMode   bool         `json:"geodata-mode"`
-	GeodataLoader string       `json:"geodata-loader"`
-	TCPConcurrent bool         `json:"tcp-concurrent"`
-	EnableProcess bool         `json:"enable-process"`
-	Tun           Tun          `json:"tun"`
-	Sniffing      bool         `json:"sniffing"`
-	EBpf          EBpf         `json:"-"`
+	Mode            T.TunnelMode `json:"mode"`
+	UnifiedDelay    bool
+	LogLevel        log.LogLevel      `json:"log-level"`
+	IPv6            bool              `json:"ipv6"`
+	Interface       string            `json:"interface-name"`
+	RoutingMark     int               `json:"-"`
+	GeodataMode     bool              `json:"geodata-mode"`
+	GeodataLoader   string            `json:"geodata-loader"`
+	TCPConcurrent   bool              `json:"tcp-concurrent"`
+	EnableProcess   bool              `json:"enable-process"`
+	FindProcessMode P.FindProcessMode `json:"find-process-mode"`
+	Sniffing        bool              `json:"sniffing"`
+	EBpf            EBpf              `json:"-"`
 }

 // Inbound config
 type Inbound struct {
-	Port              int      `json:"port"`
-	SocksPort         int      `json:"socks-port"`
-	RedirPort         int      `json:"redir-port"`
-	TProxyPort        int      `json:"tproxy-port"`
-	MixedPort         int      `json:"mixed-port"`
-	ShadowSocksConfig string   `json:"ss-config"`
-	VmessConfig       string   `json:"vmess-config"`
-	TcpTunConfig      string   `json:"tcptun-config"`
-	UdpTunConfig      string   `json:"udptun-config"`
-	Authentication    []string `json:"authentication"`
-	AllowLan          bool     `json:"allow-lan"`
-	BindAddress       string   `json:"bind-address"`
-	InboundTfo        bool     `json:"inbound-tfo"`
+	Port              int           `json:"port"`
+	SocksPort         int           `json:"socks-port"`
+	RedirPort         int           `json:"redir-port"`
+	TProxyPort        int           `json:"tproxy-port"`
+	MixedPort         int           `json:"mixed-port"`
+	Tun               LC.Tun        `json:"tun"`
+	TuicServer        LC.TuicServer `json:"tuic-server"`
+	ShadowSocksConfig string        `json:"ss-config"`
+	VmessConfig       string        `json:"vmess-config"`
+	Authentication    []string      `json:"authentication"`
+	AllowLan          bool          `json:"allow-lan"`
+	BindAddress       string        `json:"bind-address"`
+	InboundTfo        bool          `json:"inbound-tfo"`
 }

 // Controller config
 type Controller struct {
-	ExternalController string `json:"-"`
-	ExternalUI         string `json:"-"`
-	Secret             string `json:"-"`
+	ExternalController    string `json:"-"`
+	ExternalControllerTLS string `json:"-"`
+	ExternalUI            string `json:"-"`
+	Secret                string `json:"-"`
 }

 // DNS config
@ -114,81 +115,9 @@ type Profile struct {
 	StoreFakeIP   bool `yaml:"store-fake-ip"`
 }

-// Tun config
-type Tun struct {
-	Enable              bool             `yaml:"enable" json:"enable"`
-	Device              string           `yaml:"device" json:"device"`
-	Stack               C.TUNStack       `yaml:"stack" json:"stack"`
-	DNSHijack           []netip.AddrPort `yaml:"dns-hijack" json:"dns-hijack"`
-	AutoRoute           bool             `yaml:"auto-route" json:"auto-route"`
-	AutoDetectInterface bool             `yaml:"auto-detect-interface" json:"auto-detect-interface"`
-	RedirectToTun       []string         `yaml:"-" json:"-"`
-
-	MTU                    uint32         `yaml:"mtu" json:"mtu,omitempty"`
-	Inet4Address           []ListenPrefix `yaml:"inet4-address" json:"inet4-address,omitempty"`
-	Inet6Address           []ListenPrefix `yaml:"inet6-address" json:"inet6-address,omitempty"`
-	StrictRoute            bool           `yaml:"strict-route" json:"strict-route,omitempty"`
-	Inet4RouteAddress      []ListenPrefix `yaml:"inet4-route-address" json:"inet4-route-address,omitempty"`
-	Inet6RouteAddress      []ListenPrefix `yaml:"inet6-route-address" json:"inet6-route-address,omitempty"`
-	IncludeUID             []uint32       `yaml:"include-uid" json:"include-uid,omitempty"`
-	IncludeUIDRange        []string       `yaml:"include-uid-range" json:"include-uid-range,omitempty"`
-	ExcludeUID             []uint32       `yaml:"exclude-uid" json:"exclude-uid,omitempty"`
-	ExcludeUIDRange        []string       `yaml:"exclude-uid-range" json:"exclude-uid-range,omitempty"`
-	IncludeAndroidUser     []int          `yaml:"include-android-user" json:"include-android-user,omitempty"`
-	IncludePackage         []string       `yaml:"include-package" json:"include-package,omitempty"`
-	ExcludePackage         []string       `yaml:"exclude-package" json:"exclude-package,omitempty"`
-	EndpointIndependentNat bool           `yaml:"endpoint-independent-nat" json:"endpoint-independent-nat,omitempty"`
-	UDPTimeout             int64          `yaml:"udp-timeout" json:"udp-timeout,omitempty"`
-}
-
-type ListenPrefix netip.Prefix
-
-func (p ListenPrefix) MarshalJSON() ([]byte, error) {
-	prefix := netip.Prefix(p)
-	if !prefix.IsValid() {
-		return json.Marshal(nil)
-	}
-	return json.Marshal(prefix.String())
-}
-
-func (p ListenPrefix) MarshalYAML() (interface{}, error) {
-	prefix := netip.Prefix(p)
-	if !prefix.IsValid() {
-		return nil, nil
-	}
-	return prefix.String(), nil
-}
-
-func (p *ListenPrefix) UnmarshalJSON(bytes []byte) error {
-	var value string
-	err := json.Unmarshal(bytes, &value)
-	if err != nil {
-		return err
-	}
-	prefix, err := netip.ParsePrefix(value)
-	if err != nil {
-		return err
-	}
-	*p = ListenPrefix(prefix)
-	return nil
-}
-
-func (p *ListenPrefix) UnmarshalYAML(node *yaml.Node) error {
-	var value string
-	err := node.Decode(&value)
-	if err != nil {
-		return err
-	}
-	prefix, err := netip.ParsePrefix(value)
-	if err != nil {
-		return err
-	}
-	*p = ListenPrefix(prefix)
-	return nil
-}
-
-func (p ListenPrefix) Build() netip.Prefix {
-	return netip.Prefix(p)
+type TLS struct {
+	Certificate string `yaml:"certificate"`
+	PrivateKey  string `yaml:"private-key"`
 }

 // IPTables config
@ -200,7 +129,7 @@ type IPTables struct {

 type Sniffer struct {
 	Enable          bool
-	Sniffers        []sniffer.Type
+	Sniffers        []snifferTypes.Type
 	Reverses        *trie.DomainTrie[struct{}]
 	ForceDomain     *trie.DomainTrie[struct{}]
 	SkipDomain      *trie.DomainTrie[struct{}]
@ -223,12 +152,15 @@ type Config struct {
 	Hosts         *trie.DomainTrie[netip.Addr]
 	Profile       *Profile
 	Rules         []C.Rule
-	SubRules      *map[string][]C.Rule
+	SubRules      map[string][]C.Rule
 	Users         []auth.AuthUser
 	Proxies       map[string]C.Proxy
+	Listeners     map[string]C.InboundListener
 	Providers     map[string]providerTypes.ProxyProvider
 	RuleProviders map[string]providerTypes.RuleProvider
+	Tunnels       []LC.Tunnel
 	Sniffer       *Sniffer
+	TLS           *TLS
 }

 type RawDNS struct {
@ -266,49 +198,63 @@ type RawTun struct {
 	RedirectToTun       []string   `yaml:"-" json:"-"`

 	MTU uint32 `yaml:"mtu" json:"mtu,omitempty"`
-	//Inet4Address           []ListenPrefix `yaml:"inet4-address" json:"inet4_address,omitempty"`
-	Inet6Address           []ListenPrefix `yaml:"inet6-address" json:"inet6_address,omitempty"`
-	StrictRoute            bool           `yaml:"strict-route" json:"strict_route,omitempty"`
-	Inet4RouteAddress      []ListenPrefix `yaml:"inet4_route_address" json:"inet4_route_address,omitempty"`
-	Inet6RouteAddress      []ListenPrefix `yaml:"inet6_route_address" json:"inet6_route_address,omitempty"`
-	IncludeUID             []uint32       `yaml:"include-uid" json:"include_uid,omitempty"`
-	IncludeUIDRange        []string       `yaml:"include-uid-range" json:"include_uid_range,omitempty"`
-	ExcludeUID             []uint32       `yaml:"exclude-uid" json:"exclude_uid,omitempty"`
-	ExcludeUIDRange        []string       `yaml:"exclude-uid-range" json:"exclude_uid_range,omitempty"`
-	IncludeAndroidUser     []int          `yaml:"include-android-user" json:"include_android_user,omitempty"`
-	IncludePackage         []string       `yaml:"include-package" json:"include_package,omitempty"`
-	ExcludePackage         []string       `yaml:"exclude-package" json:"exclude_package,omitempty"`
-	EndpointIndependentNat bool           `yaml:"endpoint-independent-nat" json:"endpoint_independent_nat,omitempty"`
-	UDPTimeout             int64          `yaml:"udp-timeout" json:"udp_timeout,omitempty"`
+	//Inet4Address           []LC.ListenPrefix `yaml:"inet4-address" json:"inet4_address,omitempty"`
+	Inet6Address           []LC.ListenPrefix `yaml:"inet6-address" json:"inet6_address,omitempty"`
+	StrictRoute            bool              `yaml:"strict-route" json:"strict_route,omitempty"`
+	Inet4RouteAddress      []LC.ListenPrefix `yaml:"inet4_route_address" json:"inet4_route_address,omitempty"`
+	Inet6RouteAddress      []LC.ListenPrefix `yaml:"inet6_route_address" json:"inet6_route_address,omitempty"`
+	IncludeUID             []uint32          `yaml:"include-uid" json:"include_uid,omitempty"`
+	IncludeUIDRange        []string          `yaml:"include-uid-range" json:"include_uid_range,omitempty"`
+	ExcludeUID             []uint32          `yaml:"exclude-uid" json:"exclude_uid,omitempty"`
+	ExcludeUIDRange        []string          `yaml:"exclude-uid-range" json:"exclude_uid_range,omitempty"`
+	IncludeAndroidUser     []int             `yaml:"include-android-user" json:"include_android_user,omitempty"`
+	IncludePackage         []string          `yaml:"include-package" json:"include_package,omitempty"`
+	ExcludePackage         []string          `yaml:"exclude-package" json:"exclude_package,omitempty"`
+	EndpointIndependentNat bool              `yaml:"endpoint-independent-nat" json:"endpoint_independent_nat,omitempty"`
+	UDPTimeout             int64             `yaml:"udp-timeout" json:"udp_timeout,omitempty"`
+}
+
+type RawTuicServer struct {
+	Enable                bool     `yaml:"enable" json:"enable"`
+	Listen                string   `yaml:"listen" json:"listen"`
+	Token                 []string `yaml:"token" json:"token"`
+	Certificate           string   `yaml:"certificate" json:"certificate"`
+	PrivateKey            string   `yaml:"private-key" json:"private-key"`
+	CongestionController  string   `yaml:"congestion-controller" json:"congestion-controller,omitempty"`
+	MaxIdleTime           int      `yaml:"max-idle-time" json:"max-idle-time,omitempty"`
+	AuthenticationTimeout int      `yaml:"authentication-timeout" json:"authentication-timeout,omitempty"`
+	ALPN                  []string `yaml:"alpn" json:"alpn,omitempty"`
+	MaxUdpRelayPacketSize int      `yaml:"max-udp-relay-packet-size" json:"max-udp-relay-packet-size,omitempty"`
 }

 type RawConfig struct {
-	Port               int          `yaml:"port"`
-	SocksPort          int          `yaml:"socks-port"`
-	RedirPort          int          `yaml:"redir-port"`
-	TProxyPort         int          `yaml:"tproxy-port"`
-	MixedPort          int          `yaml:"mixed-port"`
-	ShadowSocksConfig  string       `yaml:"ss-config"`
-	VmessConfig        string       `yaml:"vmess-config"`
-	TcpTunConfig       string       `yaml:"tcptun-config"`
-	UdpTunConfig       string       `yaml:"udptun-config"`
-	InboundTfo         bool         `yaml:"inbound-tfo"`
-	Authentication     []string     `yaml:"authentication"`
-	AllowLan           bool         `yaml:"allow-lan"`
-	BindAddress        string       `yaml:"bind-address"`
-	Mode               T.TunnelMode `yaml:"mode"`
-	UnifiedDelay       bool         `yaml:"unified-delay"`
-	LogLevel           log.LogLevel `yaml:"log-level"`
-	IPv6               bool         `yaml:"ipv6"`
-	ExternalController string       `yaml:"external-controller"`
-	ExternalUI         string       `yaml:"external-ui"`
-	Secret             string       `yaml:"secret"`
-	Interface          string       `yaml:"interface-name"`
-	RoutingMark        int          `yaml:"routing-mark"`
-	GeodataMode        bool         `yaml:"geodata-mode"`
-	GeodataLoader      string       `yaml:"geodata-loader"`
-	TCPConcurrent      bool         `yaml:"tcp-concurrent" json:"tcp-concurrent"`
-	EnableProcess      bool         `yaml:"enable-process" json:"enable-process"`
+	Port                  int               `yaml:"port"`
+	SocksPort             int               `yaml:"socks-port"`
+	RedirPort             int               `yaml:"redir-port"`
+	TProxyPort            int               `yaml:"tproxy-port"`
+	MixedPort             int               `yaml:"mixed-port"`
+	ShadowSocksConfig     string            `yaml:"ss-config"`
+	VmessConfig           string            `yaml:"vmess-config"`
+	InboundTfo            bool              `yaml:"inbound-tfo"`
+	Authentication        []string          `yaml:"authentication"`
+	AllowLan              bool              `yaml:"allow-lan"`
+	BindAddress           string            `yaml:"bind-address"`
+	Mode                  T.TunnelMode      `yaml:"mode"`
+	UnifiedDelay          bool              `yaml:"unified-delay"`
+	LogLevel              log.LogLevel      `yaml:"log-level"`
+	IPv6                  bool              `yaml:"ipv6"`
+	ExternalController    string            `yaml:"external-controller"`
+	ExternalControllerTLS string            `yaml:"external-controller-tls"`
+	ExternalUI            string            `yaml:"external-ui"`
+	Secret                string            `yaml:"secret"`
+	Interface             string            `yaml:"interface-name"`
+	RoutingMark           int               `yaml:"routing-mark"`
+	Tunnels               []LC.Tunnel       `yaml:"tunnels"`
+	GeodataMode           bool              `yaml:"geodata-mode"`
+	GeodataLoader         string            `yaml:"geodata-loader"`
+	TCPConcurrent         bool              `yaml:"tcp-concurrent" json:"tcp-concurrent"`
+	EnableProcess         bool              `yaml:"enable-process" json:"enable-process"`
+	FindProcessMode       P.FindProcessMode `yaml:"find-process-mode" json:"find-process-mode"`

 	Sniffer       RawSniffer                `yaml:"sniffer"`
 	ProxyProvider map[string]map[string]any `yaml:"proxy-providers"`
@ -316,6 +262,7 @@ type RawConfig struct {
 	Hosts         map[string]string         `yaml:"hosts"`
 	DNS           RawDNS                    `yaml:"dns"`
 	Tun           RawTun                    `yaml:"tun"`
+	TuicServer    RawTuicServer             `yaml:"tuic-server"`
 	EBpf          EBpf                      `yaml:"ebpf"`
 	IPTables      IPTables                  `yaml:"iptables"`
 	Experimental  Experimental              `yaml:"experimental"`
@ -325,6 +272,8 @@ type RawConfig struct {
 	ProxyGroup    []map[string]any          `yaml:"proxy-groups"`
 	Rule          []string                  `yaml:"rules"`
 	SubRules      map[string][]string       `yaml:"sub-rules"`
+	RawTLS        TLS                       `yaml:"tls"`
+	Listeners     []map[string]any          `yaml:"listeners"`
 }

 type RawGeoXUrl struct {
@ -368,21 +317,22 @@ func Parse(buf []byte) (*Config, error) {
 func UnmarshalRawConfig(buf []byte) (*RawConfig, error) {
 	// config with default value
 	rawCfg := &RawConfig{
-		AllowLan:       false,
-		BindAddress:    "*",
-		IPv6:           true,
-		Mode:           T.Rule,
-		GeodataMode:    C.GeodataMode,
-		GeodataLoader:  "memconservative",
-		UnifiedDelay:   false,
-		Authentication: []string{},
-		LogLevel:       log.INFO,
-		Hosts:          map[string]string{},
-		Rule:           []string{},
-		Proxy:          []map[string]any{},
-		ProxyGroup:     []map[string]any{},
-		TCPConcurrent:  false,
-		EnableProcess:  false,
+		AllowLan:        false,
+		BindAddress:     "*",
+		IPv6:            true,
+		Mode:            T.Rule,
+		GeodataMode:     C.GeodataMode,
+		GeodataLoader:   "memconservative",
+		UnifiedDelay:    false,
+		Authentication:  []string{},
+		LogLevel:        log.INFO,
+		Hosts:           map[string]string{},
+		Rule:            []string{},
+		Proxy:           []map[string]any{},
+		ProxyGroup:      []map[string]any{},
+		TCPConcurrent:   false,
+		EnableProcess:   false,
+		FindProcessMode: P.FindProcessStrict,
 		Tun: RawTun{
 			Enable:              false,
 			Device:              "",
@ -390,7 +340,19 @@ func UnmarshalRawConfig(buf []byte) (*RawConfig, error) {
 			DNSHijack:           []string{"0.0.0.0:53"}, // default hijack all dns query
 			AutoRoute:           true,
 			AutoDetectInterface: true,
-			Inet6Address:        []ListenPrefix{ListenPrefix(netip.MustParsePrefix("fdfe:dcba:9876::1/126"))},
+			Inet6Address:        []LC.ListenPrefix{LC.ListenPrefix(netip.MustParsePrefix("fdfe:dcba:9876::1/126"))},
+		},
+		TuicServer: RawTuicServer{
+			Enable:                false,
+			Token:                 nil,
+			Certificate:           "",
+			PrivateKey:            "",
+			Listen:                "",
+			CongestionController:  "",
+			MaxIdleTime:           15000,
+			AuthenticationTimeout: 1000,
+			ALPN:                  []string{"h3"},
+			MaxUdpRelayPacketSize: 1500,
 		},
 		EBpf: EBpf{
 			RedirectToTun: []string{},
@ -462,6 +424,7 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {
 	config.Experimental = &rawCfg.Experimental
 	config.Profile = &rawCfg.Profile
 	config.IPTables = &rawCfg.IPTables
+	config.TLS = &rawCfg.RawTLS

 	general, err := parseGeneral(rawCfg)
 	if err != nil {
@ -470,7 +433,6 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {
 	config.General = general

 	dialer.DefaultInterface.Store(config.General.Interface)
-
 	proxies, providers, err := parseProxies(rawCfg)
 	if err != nil {
 		return nil, err
@ -478,14 +440,26 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {
 	config.Proxies = proxies
 	config.Providers = providers

-	subRules, ruleProviders, err := parseSubRules(rawCfg, proxies)
+	listener, err := parseListeners(rawCfg)
+	if err != nil {
+		return nil, err
+	}
+	config.Listeners = listener
+
+	log.Infoln("Geodata Loader mode: %s", geodata.LoaderName())
+	ruleProviders, err := parseRuleProviders(rawCfg)
+	if err != nil {
+		return nil, err
+	}
+	config.RuleProviders = ruleProviders
+
+	subRules, err := parseSubRules(rawCfg, proxies)
 	if err != nil {
 		return nil, err
 	}
 	config.SubRules = subRules
-	config.RuleProviders = ruleProviders

-	rules, err := parseRules(rawCfg, proxies, subRules)
+	rules, err := parseRules(rawCfg.Rule, proxies, subRules, "rules")
 	if err != nil {
 		return nil, err
 	}
@ -508,8 +482,23 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {
 		return nil, err
 	}

+	err = parseTuicServer(rawCfg.TuicServer, config.General)
+	if err != nil {
+		return nil, err
+	}
+
 	config.Users = parseAuthentication(rawCfg.Authentication)

+	config.Tunnels = rawCfg.Tunnels
+	// verify tunnels
+	for _, t := range config.Tunnels {
+		if len(t.Proxy) > 0 {
+			if _, ok := config.Proxies[t.Proxy]; !ok {
+				return nil, fmt.Errorf("tunnel proxy %s not found", t.Proxy)
+			}
+		}
+	}
+
 	config.Sniffer, err = parseSniffer(rawCfg.Sniffer)
 	if err != nil {
 		return nil, err
@ -517,6 +506,7 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {

 	elapsedTime := time.Since(startTime) / time.Millisecond                     // duration in ms
 	log.Infoln("Initial configuration complete, total time: %dms", elapsedTime) //Segment finished in xxm
+
 	return config, nil
 }

@ -526,7 +516,6 @@ func parseGeneral(cfg *RawConfig) (*General, error) {
 	// checkout externalUI exist
 	if externalUI != "" {
 		externalUI = C.Path.Resolve(externalUI)
-
 		if _, err := os.Stat(externalUI); os.IsNotExist(err) {
 			return nil, fmt.Errorf("external-ui: %s not exist", externalUI)
 		}
@ -541,28 +530,28 @@ func parseGeneral(cfg *RawConfig) (*General, error) {
 			MixedPort:         cfg.MixedPort,
 			ShadowSocksConfig: cfg.ShadowSocksConfig,
 			VmessConfig:       cfg.VmessConfig,
-			TcpTunConfig:      cfg.TcpTunConfig,
-			UdpTunConfig:      cfg.UdpTunConfig,
 			AllowLan:          cfg.AllowLan,
 			BindAddress:       cfg.BindAddress,
 			InboundTfo:        cfg.InboundTfo,
 		},
 		Controller: Controller{
-			ExternalController: cfg.ExternalController,
-			ExternalUI:         cfg.ExternalUI,
-			Secret:             cfg.Secret,
+			ExternalController:    cfg.ExternalController,
+			ExternalUI:            cfg.ExternalUI,
+			Secret:                cfg.Secret,
+			ExternalControllerTLS: cfg.ExternalControllerTLS,
 		},
-		UnifiedDelay:  cfg.UnifiedDelay,
-		Mode:          cfg.Mode,
-		LogLevel:      cfg.LogLevel,
-		IPv6:          cfg.IPv6,
-		Interface:     cfg.Interface,
-		RoutingMark:   cfg.RoutingMark,
-		GeodataMode:   cfg.GeodataMode,
-		GeodataLoader: cfg.GeodataLoader,
-		TCPConcurrent: cfg.TCPConcurrent,
-		EnableProcess: cfg.EnableProcess,
-		EBpf:          cfg.EBpf,
+		UnifiedDelay:    cfg.UnifiedDelay,
+		Mode:            cfg.Mode,
+		LogLevel:        cfg.LogLevel,
+		IPv6:            cfg.IPv6,
+		Interface:       cfg.Interface,
+		RoutingMark:     cfg.RoutingMark,
+		GeodataMode:     cfg.GeodataMode,
+		GeodataLoader:   cfg.GeodataLoader,
+		TCPConcurrent:   cfg.TCPConcurrent,
+		EnableProcess:   cfg.EnableProcess,
+		FindProcessMode: cfg.FindProcessMode,
+		EBpf:            cfg.EBpf,
 	}, nil
 }

@ -669,79 +658,62 @@ func parseProxies(cfg *RawConfig) (proxies map[string]C.Proxy, providersMap map[
 	return proxies, providersMap, nil
 }

-func parseSubRules(cfg *RawConfig, proxies map[string]C.Proxy) (subRules *map[string][]C.Rule, ruleProviders map[string]providerTypes.RuleProvider, err error) {
+func parseListeners(cfg *RawConfig) (listeners map[string]C.InboundListener, err error) {
+	listeners = make(map[string]C.InboundListener)
+	for index, mapping := range cfg.Listeners {
+		listener, err := L.ParseListener(mapping)
+		if err != nil {
+			return nil, fmt.Errorf("proxy %d: %w", index, err)
+		}
+
+		if _, exist := mapping[listener.Name()]; exist {
+			return nil, fmt.Errorf("listener %s is the duplicate name", listener.Name())
+		}
+
+		listeners[listener.Name()] = listener
+
+	}
+	return
+}
+
+func parseRuleProviders(cfg *RawConfig) (ruleProviders map[string]providerTypes.RuleProvider, err error) {
 	ruleProviders = map[string]providerTypes.RuleProvider{}
-	subRules = &map[string][]C.Rule{}
-	log.Infoln("Geodata Loader mode: %s", geodata.LoaderName())
 	// parse rule provider
 	for name, mapping := range cfg.RuleProvider {
 		rp, err := RP.ParseRuleProvider(name, mapping, R.ParseRule)
 		if err != nil {
-			return nil, nil, err
+			return nil, err
 		}

 		ruleProviders[name] = rp
 		RP.SetRuleProvider(rp)
 	}
+	return
+}

+func parseSubRules(cfg *RawConfig, proxies map[string]C.Proxy) (subRules map[string][]C.Rule, err error) {
+	subRules = map[string][]C.Rule{}
 	for name, rawRules := range cfg.SubRules {
-		var rules []C.Rule
-		for idx, line := range rawRules {
-			rawRule := trimArr(strings.Split(line, ","))
-			var (
-				payload  string
-				target   string
-				params   []string
-				ruleName = strings.ToUpper(rawRule[0])
-			)
-
-			l := len(rawRule)
-
-			if ruleName == "NOT" || ruleName == "OR" || ruleName == "AND" || ruleName == "SUB-RULE" {
-				target = rawRule[l-1]
-				payload = strings.Join(rawRule[1:l-1], ",")
-			} else {
-				if l < 2 {
-					return nil, nil, fmt.Errorf("sub-rules[%d] [%s] error: format invalid", idx, line)
-				}
-				if l < 4 {
-					rawRule = append(rawRule, make([]string, 4-l)...)
-				}
-				if ruleName == "MATCH" {
-					l = 2
-				}
-				if l >= 3 {
-					l = 3
-					payload = rawRule[1]
-				}
-				target = rawRule[l-1]
-				params = rawRule[l:]
-			}
-
-			if _, ok := proxies[target]; !ok && ruleName != "SUB-RULE" {
-				return nil, nil, fmt.Errorf("sub-rules[%d:%s] [%s] error: proxy [%s] not found", idx, name, line, target)
-			}
-
-			params = trimArr(params)
-			parsed, parseErr := R.ParseRule(ruleName, payload, target, params, subRules)
-			if parseErr != nil {
-				return nil, nil, fmt.Errorf("sub-rules[%d] [%s] error: %s", idx, line, parseErr.Error())
-			}
-
-			rules = append(rules, parsed)
+		if len(name) == 0 {
+			return nil, fmt.Errorf("sub-rule name is empty")
 		}
-		(*subRules)[name] = rules
+		var rules []C.Rule
+		rules, err = parseRules(rawRules, proxies, subRules, fmt.Sprintf("sub-rules[%s]", name))
+		if err != nil {
+			return nil, err
+		}
+		subRules[name] = rules
 	}

 	if err = verifySubRule(subRules); err != nil {
-		return nil, nil, err
+		return nil, err
 	}

 	return
 }

-func verifySubRule(subRules *map[string][]C.Rule) error {
-	for name := range *subRules {
+func verifySubRule(subRules map[string][]C.Rule) error {
+	for name := range subRules {
 		err := verifySubRuleCircularReferences(name, subRules, []string{})
 		if err != nil {
 			return err
@ -750,7 +722,7 @@ func verifySubRule(subRules *map[string][]C.Rule) error {
 	return nil
 }

-func verifySubRuleCircularReferences(n string, subRules *map[string][]C.Rule, arr []string) error {
+func verifySubRuleCircularReferences(n string, subRules map[string][]C.Rule, arr []string) error {
 	isInArray := func(v string, array []string) bool {
 		for _, c := range array {
 			if v == c {
@ -761,9 +733,9 @@ func verifySubRuleCircularReferences(n string, subRules *map[string][]C.Rule, ar
 	}

 	arr = append(arr, n)
-	for i, rule := range (*subRules)[n] {
+	for i, rule := range subRules[n] {
 		if rule.RuleType() == C.SubRules {
-			if _, ok := (*subRules)[rule.Adapter()]; !ok {
+			if _, ok := subRules[rule.Adapter()]; !ok {
 				return fmt.Errorf("sub-rule[%d:%s] error: [%s] not found", i, n, rule.Adapter())
 			}
 			if isInArray(rule.Adapter(), arr) {
@ -779,9 +751,8 @@ func verifySubRuleCircularReferences(n string, subRules *map[string][]C.Rule, ar
 	return nil
 }

-func parseRules(cfg *RawConfig, proxies map[string]C.Proxy, subRules *map[string][]C.Rule) ([]C.Rule, error) {
+func parseRules(rulesConfig []string, proxies map[string]C.Proxy, subRules map[string][]C.Rule, format string) ([]C.Rule, error) {
 	var rules []C.Rule
-	rulesConfig := cfg.Rule

 	// parse rules
 	for idx, line := range rulesConfig {
@ -800,7 +771,7 @@ func parseRules(cfg *RawConfig, proxies map[string]C.Proxy, subRules *map[string
 			payload = strings.Join(rule[1:l-1], ",")
 		} else {
 			if l < 2 {
-				return nil, fmt.Errorf("rules[%d] [%s] error: format invalid", idx, line)
+				return nil, fmt.Errorf("%s[%d] [%s] error: format invalid", format, idx, line)
 			}
 			if l < 4 {
 				rule = append(rule, make([]string, 4-l)...)
@ -817,16 +788,16 @@ func parseRules(cfg *RawConfig, proxies map[string]C.Proxy, subRules *map[string
 		}
 		if _, ok := proxies[target]; !ok {
 			if ruleName != "SUB-RULE" {
-				return nil, fmt.Errorf("rules[%d] [%s] error: proxy [%s] not found", idx, line, target)
-			} else if _, ok = (*subRules)[target]; !ok {
-				return nil, fmt.Errorf("rules[%d] [%s] error: sub-rule [%s] not found", idx, line, target)
+				return nil, fmt.Errorf("%s[%d] [%s] error: proxy [%s] not found", format, idx, line, target)
+			} else if _, ok = subRules[target]; !ok {
+				return nil, fmt.Errorf("%s[%d] [%s] error: sub-rule [%s] not found", format, idx, line, target)
 			}
 		}

 		params = trimArr(params)
 		parsed, parseErr := R.ParseRule(ruleName, payload, target, params, subRules)
 		if parseErr != nil {
-			return nil, fmt.Errorf("rules[%d] [%s] error: %s", idx, line, parseErr.Error())
+			return nil, fmt.Errorf("%s[%d] [%s] error: %s", format, idx, line, parseErr.Error())
 		}

 		rules = append(rules, parsed)
@ -854,6 +825,7 @@ func parseHosts(cfg *RawConfig) (*trie.DomainTrie[netip.Addr], error) {
 			_ = tree.Insert(domain, ip)
 		}
 	}
+	tree.Optimize()

 	return tree, nil
 }
@ -888,7 +860,9 @@ func parseNameServer(servers []string, preferH3 bool) ([]dns.NameServer, error)
 			return nil, fmt.Errorf("DNS NameServer[%d] format error: %s", idx, err.Error())
 		}

-		var addr, dnsNetType, proxyAdapter string
+		proxyAdapter := u.Fragment
+
+		var addr, dnsNetType string
 		params := map[string]string{}
 		switch u.Scheme {
 		case "udp":
@ -902,11 +876,12 @@ func parseNameServer(servers []string, preferH3 bool) ([]dns.NameServer, error)
 			dnsNetType = "tcp-tls" // DNS over TLS
 		case "https":
 			host := u.Host
+			proxyAdapter = ""
 			if _, _, err := net.SplitHostPort(host); err != nil && strings.Contains(err.Error(), "missing port in address") {
 				host = net.JoinHostPort(host, "443")
 			} else {
-				if err!=nil{
-					return nil,err
+				if err != nil {
+					return nil, err
 				}
 			}
 			clearURL := url.URL{Scheme: "https", Host: host, Path: u.Path}
@ -1088,6 +1063,7 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[netip.Addr], rules []C.R
 			for _, domain := range cfg.FakeIPFilter {
 				_ = host.Insert(domain, struct{}{})
 			}
+			host.Optimize()
 		}

 		if len(dnsCfg.Fallback) != 0 {
@ -1100,6 +1076,7 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[netip.Addr], rules []C.R
 				}
 				_ = host.Insert(fb.Addr, struct{}{})
 			}
+			host.Optimize()
 		}

 		pool, err := fakeip.New(fakeip.Options{
@ -1147,38 +1124,27 @@ func parseAuthentication(rawRecords []string) []auth.AuthUser {
 }

 func parseTun(rawTun RawTun, general *General) error {
-	var dnsHijack []netip.AddrPort
-
-	for _, d := range rawTun.DNSHijack {
-		if _, after, ok := strings.Cut(d, "://"); ok {
-			d = after
-		}
-		d = strings.Replace(d, "any", "0.0.0.0", 1)
-		addrPort, err := netip.ParseAddrPort(d)
-		if err != nil {
-			return fmt.Errorf("parse dns-hijack url error: %w", err)
-		}
-
-		dnsHijack = append(dnsHijack, addrPort)
-	}
-
 	tunAddressPrefix := T.FakeIPRange()
 	if !tunAddressPrefix.IsValid() {
 		tunAddressPrefix = netip.MustParsePrefix("198.18.0.1/16")
 	}
 	tunAddressPrefix = netip.PrefixFrom(tunAddressPrefix.Addr(), 30)

-	general.Tun = Tun{
+	if !general.IPv6 || !verifyIP6() {
+		rawTun.Inet6Address = nil
+	}
+
+	general.Tun = LC.Tun{
 		Enable:              rawTun.Enable,
 		Device:              rawTun.Device,
 		Stack:               rawTun.Stack,
-		DNSHijack:           dnsHijack,
+		DNSHijack:           rawTun.DNSHijack,
 		AutoRoute:           rawTun.AutoRoute,
 		AutoDetectInterface: rawTun.AutoDetectInterface,
 		RedirectToTun:       rawTun.RedirectToTun,

 		MTU:                    rawTun.MTU,
-		Inet4Address:           []ListenPrefix{ListenPrefix(tunAddressPrefix)},
+		Inet4Address:           []LC.ListenPrefix{LC.ListenPrefix(tunAddressPrefix)},
 		Inet6Address:           rawTun.Inet6Address,
 		StrictRoute:            rawTun.StrictRoute,
 		Inet4RouteAddress:      rawTun.Inet4RouteAddress,
@ -1197,6 +1163,22 @@ func parseTun(rawTun RawTun, general *General) error {
 	return nil
 }

+func parseTuicServer(rawTuic RawTuicServer, general *General) error {
+	general.TuicServer = LC.TuicServer{
+		Enable:                rawTuic.Enable,
+		Listen:                rawTuic.Listen,
+		Token:                 rawTuic.Token,
+		Certificate:           rawTuic.Certificate,
+		PrivateKey:            rawTuic.PrivateKey,
+		CongestionController:  rawTuic.CongestionController,
+		MaxIdleTime:           rawTuic.MaxIdleTime,
+		AuthenticationTimeout: rawTuic.AuthenticationTimeout,
+		ALPN:                  rawTuic.ALPN,
+		MaxUdpRelayPacketSize: rawTuic.MaxUdpRelayPacketSize,
+	}
+	return nil
+}
+
 func parseSniffer(snifferRaw RawSniffer) (*Sniffer, error) {
 	sniffer := &Sniffer{
 		Enable:          snifferRaw.Enable,
@ -1259,6 +1241,7 @@ func parseSniffer(snifferRaw RawSniffer) (*Sniffer, error) {
 			return nil, fmt.Errorf("error domian[%s] in force-domain, error:%v", domain, err)
 		}
 	}
+	sniffer.ForceDomain.Optimize()

 	sniffer.SkipDomain = trie.New[struct{}]()
 	for _, domain := range snifferRaw.SkipDomain {
@ -1267,6 +1250,7 @@ func parseSniffer(snifferRaw RawSniffer) (*Sniffer, error) {
 			return nil, fmt.Errorf("error domian[%s] in force-domain, error:%v", domain, err)
 		}
 	}
+	sniffer.SkipDomain.Optimize()

 	return sniffer, nil
 }
--- a/config/initial.go
+++ b/config/initial.go
@ -3,92 +3,12 @@ package config
 import (
 	"fmt"
 	"github.com/Dreamacro/clash/component/geodata"
-	"github.com/Dreamacro/clash/component/mmdb"
-	"io"
-	"net/http"
 	"os"

 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/log"
 )

-func downloadMMDB(path string) (err error) {
-	resp, err := http.Get(C.MmdbUrl)
-	if err != nil {
-		return
-	}
-	defer resp.Body.Close()
-
-	f, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY, 0o644)
-	if err != nil {
-		return err
-	}
-	defer f.Close()
-	_, err = io.Copy(f, resp.Body)
-
-	return err
-}
-
-func downloadGeoIP(path string) (err error) {
-	resp, err := http.Get(C.GeoIpUrl)
-	if err != nil {
-		return
-	}
-	defer resp.Body.Close()
-
-	f, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY, 0o644)
-	if err != nil {
-		return err
-	}
-	defer f.Close()
-	_, err = io.Copy(f, resp.Body)
-
-	return err
-}
-
-func initGeoIP() error {
-	if C.GeodataMode {
-		if _, err := os.Stat(C.Path.GeoIP()); os.IsNotExist(err) {
-			log.Infoln("Can't find GeoIP.dat, start download")
-			if err := downloadGeoIP(C.Path.GeoIP()); err != nil {
-				return fmt.Errorf("can't download GeoIP.dat: %s", err.Error())
-			}
-			log.Infoln("Download GeoIP.dat finish")
-		}
-
-		if err := geodata.Verify(C.GeoipName); err != nil {
-			log.Warnln("GeoIP.dat invalid, remove and download: %s", err)
-			if err := os.Remove(C.Path.GeoIP()); err != nil {
-				return fmt.Errorf("can't remove invalid GeoIP.dat: %s", err.Error())
-			}
-			if err := downloadGeoIP(C.Path.GeoIP()); err != nil {
-				return fmt.Errorf("can't download GeoIP.dat: %s", err.Error())
-			}
-		}
-		return nil
-	}
-
-	if _, err := os.Stat(C.Path.MMDB()); os.IsNotExist(err) {
-		log.Infoln("Can't find MMDB, start download")
-		if err := downloadMMDB(C.Path.MMDB()); err != nil {
-			return fmt.Errorf("can't download MMDB: %s", err.Error())
-		}
-	}
-
-	if !mmdb.Verify() {
-		log.Warnln("MMDB invalid, remove and download")
-		if err := os.Remove(C.Path.MMDB()); err != nil {
-			return fmt.Errorf("can't remove invalid MMDB: %s", err.Error())
-		}
-
-		if err := downloadMMDB(C.Path.MMDB()); err != nil {
-			return fmt.Errorf("can't download MMDB: %s", err.Error())
-		}
-	}
-
-	return nil
-}
-
 // Init prepare necessary files
 func Init(dir string) error {
 	// initial homedir
@ -122,7 +42,7 @@ func Init(dir string) error {
 	C.GeoSiteUrl = rawCfg.GeoXUrl.GeoSite
 	C.MmdbUrl = rawCfg.GeoXUrl.Mmdb
 	// initial GeoIP
-	if err := initGeoIP(); err != nil {
+	if err := geodata.InitGeoIP(); err != nil {
 		return fmt.Errorf("can't initial GeoIP: %w", err)
 	}

--- a/config/utils.go
+++ b/config/utils.go
@ -2,6 +2,7 @@ package config

 import (
 	"fmt"
+	"net"
 	"strings"

 	"github.com/Dreamacro/clash/adapter/outboundgroup"
@ -146,3 +147,25 @@ func proxyGroupsDagSort(groupsConfig []map[string]any) error {
 	}
 	return fmt.Errorf("loop is detected in ProxyGroup, please check following ProxyGroups: %v", loopElements)
 }
+
+func verifyIP6() bool {
+	addrs, err := net.InterfaceAddrs()
+	if err != nil {
+		return false
+	}
+	for _, addr := range addrs {
+		ipNet, isIpNet := addr.(*net.IPNet)
+		if isIpNet && !ipNet.IP.IsLoopback() {
+			if ipNet.IP.To16() != nil {
+				s := ipNet.IP.String()
+				for i := 0; i < len(s); i++ {
+					switch s[i] {
+					case ':':
+						return true
+					}
+				}
+			}
+		}
+	}
+	return false
+}
--- a/constant/adapters.go
+++ b/constant/adapters.go
@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"net"
+	"net/netip"
 	"time"

 	"github.com/Dreamacro/clash/component/dialer"
@ -32,6 +33,7 @@ const (
 	Trojan
 	Hysteria
 	WireGuard
+	Tuic
 )

 const (
@ -80,13 +82,20 @@ type PacketConn interface {
 	// WriteWithMetadata(p []byte, metadata *Metadata) (n int, err error)
 }

+type Dialer interface {
+	DialContext(ctx context.Context, network, address string) (net.Conn, error)
+	ListenPacket(ctx context.Context, network, address string, rAddrPort netip.AddrPort) (net.PacketConn, error)
+}
+
 type ProxyAdapter interface {
 	Name() string
 	Type() AdapterType
 	Addr() string
 	SupportUDP() bool
+	SupportTFO() bool
 	MarshalJSON() ([]byte, error)

+	// Deprecated: use DialContextWithDialer and ListenPacketWithDialer instead.
 	// StreamConn wraps a protocol around net.Conn with Metadata.
 	//
 	// Examples:
@ -104,7 +113,10 @@ type ProxyAdapter interface {

 	// SupportUOT return UDP over TCP support
 	SupportUOT() bool
-	ListenPacketOnStreamConn(c net.Conn, metadata *Metadata) (PacketConn, error)
+
+	SupportWithDialer() bool
+	DialContextWithDialer(ctx context.Context, dialer Dialer, metadata *Metadata) (Conn, error)
+	ListenPacketWithDialer(ctx context.Context, dialer Dialer, metadata *Metadata) (PacketConn, error)

 	// Unwrap extracts the proxy from a proxy-group. It returns nil when nothing to extract.
 	Unwrap(metadata *Metadata, touch bool) Proxy
@ -168,6 +180,8 @@ func (at AdapterType) String() string {
 		return "Hysteria"
 	case WireGuard:
 		return "WireGuard"
+	case Tuic:
+		return "Tuic"

 	case Relay:
 		return "Relay"
@ -206,3 +220,9 @@ type UDPPacket interface {
 type UDPPacketInAddr interface {
 	InAddr() net.Addr
 }
+
+// PacketAdapter is a UDP Packet adapter for socks/redir/tun
+type PacketAdapter interface {
+	UDPPacket
+	Metadata() *Metadata
+}
--- a/constant/listener.go
+++ b/constant/listener.go
@ -8,8 +8,22 @@ type Listener interface {
 	Close() error
 }

-type AdvanceListener interface {
-	Close()
+type MultiAddrListener interface {
+	Close() error
 	Config() string
-	HandleConn(conn net.Conn, in chan<- ConnContext)
+	AddrList() (addrList []net.Addr)
+}
+
+type InboundListener interface {
+	Name() string
+	Listen(tcpIn chan<- ConnContext, udpIn chan<- PacketAdapter) error
+	Close() error
+	Address() string
+	RawAddress() string
+	Config() InboundConfig
+}
+
+type InboundConfig interface {
+	Name() string
+	Equal(config InboundConfig) bool
 }
--- a/constant/metadata.go
+++ b/constant/metadata.go
@ -24,9 +24,9 @@ const (
 	VMESS
 	REDIR
 	TPROXY
-	TCPTUN
-	UDPTUN
+	TUNNEL
 	TUN
+	TUIC
 	INNER
 )

@ -65,12 +65,12 @@ func (t Type) String() string {
 		return "Redir"
 	case TPROXY:
 		return "TProxy"
-	case TCPTUN:
-		return "TcpTun"
-	case UDPTUN:
-		return "UdpTun"
+	case TUNNEL:
+		return "Tunnel"
 	case TUN:
 		return "Tun"
+	case TUIC:
+		return "Tuic"
 	case INNER:
 		return "Inner"
 	default:
@ -89,12 +89,20 @@ func ParseType(t string) (*Type, error) {
 		res = SOCKS4
 	case "SOCKS5":
 		res = SOCKS5
+	case "SHADOWSOCKS":
+		res = SHADOWSOCKS
+	case "VMESS":
+		res = VMESS
 	case "REDIR":
 		res = REDIR
 	case "TPROXY":
 		res = TPROXY
+	case "TUNNEL":
+		res = TUNNEL
 	case "TUN":
 		res = TUN
+	case "TUIC":
+		res = TUIC
 	case "INNER":
 		res = INNER
 	default:
@ -109,20 +117,23 @@ func (t Type) MarshalJSON() ([]byte, error) {

 // Metadata is used to store connection address
 type Metadata struct {
-	NetWork     NetWork    `json:"network"`
-	Type        Type       `json:"type"`
-	SrcIP       netip.Addr `json:"sourceIP"`
-	DstIP       netip.Addr `json:"destinationIP"`
-	SrcPort     string     `json:"sourcePort"`
-	DstPort     string     `json:"destinationPort"`
-	InIP        netip.Addr `json:"inboundIP"`
-	InPort      string     `json:"inboundPort"`
-	Host        string     `json:"host"`
-	DNSMode     DNSMode    `json:"dnsMode"`
-	Uid         *int32     `json:"uid"`
-	Process     string     `json:"process"`
-	ProcessPath string     `json:"processPath"`
-	RemoteDst   string     `json:"remoteDestination"`
+	NetWork      NetWork    `json:"network"`
+	Type         Type       `json:"type"`
+	SrcIP        netip.Addr `json:"sourceIP"`
+	DstIP        netip.Addr `json:"destinationIP"`
+	SrcPort      string     `json:"sourcePort"`
+	DstPort      string     `json:"destinationPort"`
+	InIP         netip.Addr `json:"inboundIP"`
+	InPort       string     `json:"inboundPort"`
+	InName       string     `json:"inboundName"`
+	Host         string     `json:"host"`
+	DNSMode      DNSMode    `json:"dnsMode"`
+	Uid          *uint32    `json:"uid"`
+	Process      string     `json:"process"`
+	ProcessPath  string     `json:"processPath"`
+	SpecialProxy string     `json:"specialProxy"`
+	SpecialRules string     `json:"specialRules"`
+	RemoteDst    string     `json:"remoteDestination"`
 }

 func (m *Metadata) RemoteAddress() string {
--- a/constant/mime/mime.go
+++ b/constant/mime/mime.go
@ -1,16 +0,0 @@
-package mime
-
-import (
-	"mime"
-)
-
-var consensusMimes = map[string]string{
-	// rfc4329: text/javascript is obsolete, so we need to overwrite mime's builtin
-	".js": "application/javascript; charset=utf-8",
-}
-
-func init() {
-	for ext, typ := range consensusMimes {
-		mime.AddExtensionType(ext, typ)
-	}
-}
--- a/constant/provider/interface.go
+++ b/constant/provider/interface.go
@ -1,7 +1,7 @@
 package provider

 import (
-	C "github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/constant"
 )

 // Vehicle Type
@ -65,7 +65,9 @@ type Provider interface {
 // ProxyProvider interface
 type ProxyProvider interface {
 	Provider
-	Proxies() []C.Proxy
+	Proxies() []constant.Proxy
+	// Touch is used to inform the provider that the proxy is actually being used while getting the list of proxies.
+	// Commonly used in DialContext and DialPacketConn
 	Touch()
 	HealthCheck()
 	Version() uint32
@ -98,7 +100,7 @@ func (rt RuleType) String() string {
 type RuleProvider interface {
 	Provider
 	Behavior() RuleType
-	Match(*C.Metadata) bool
+	Match(*constant.Metadata) bool
 	ShouldResolveIP() bool
-	AsRule(adaptor string) C.Rule
+	AsRule(adaptor string) constant.Rule
 }
--- a/context/dns.go
+++ b/context/dns.go
@ -1,6 +1,8 @@
 package context

 import (
+	"context"
+
 	"github.com/gofrs/uuid"
 	"github.com/miekg/dns"
 )
@ -12,14 +14,18 @@ const (
 )

 type DNSContext struct {
+	context.Context
+
 	id  uuid.UUID
 	msg *dns.Msg
 	tp  string
 }

-func NewDNSContext(msg *dns.Msg) *DNSContext {
+func NewDNSContext(ctx context.Context, msg *dns.Msg) *DNSContext {
 	id, _ := uuid.NewV4()
 	return &DNSContext{
+		Context: ctx,
+
 		id:  id,
 		msg: msg,
 	}
--- a/dns/client.go
+++ b/dns/client.go
@ -6,6 +6,7 @@ import (
 	"fmt"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	"go.uber.org/atomic"
+	"math/rand"
 	"net"
 	"net/netip"
 	"strings"
@ -34,15 +35,19 @@ func (c *client) ExchangeContext(ctx context.Context, m *D.Msg) (*D.Msg, error)
 		ip  netip.Addr
 		err error
 	)
-	if ip, err = netip.ParseAddr(c.host); err != nil {
-		if c.r == nil {
+	if c.r == nil {
+		// a default ip dns
+		if ip, err = netip.ParseAddr(c.host); err != nil {
 			return nil, fmt.Errorf("dns %s not a valid ip", c.host)
-		} else {
-			if ip, err = resolver.ResolveIPWithResolver(c.host, c.r); err != nil {
-				return nil, fmt.Errorf("use default dns resolve failed: %w", err)
-			}
-			c.host = ip.String()
 		}
+	} else {
+		ips, err := resolver.LookupIPWithResolver(ctx, c.host, c.r)
+		if err != nil {
+			return nil, fmt.Errorf("use default dns resolve failed: %w", err)
+		} else if len(ips) == 0 {
+			return nil, fmt.Errorf("%w: %s", resolver.ErrIPNotFound, c.host)
+		}
+		ip = ips[rand.Intn(len(ips))]
 	}

 	network := "udp"
@ -55,13 +60,7 @@ func (c *client) ExchangeContext(ctx context.Context, m *D.Msg) (*D.Msg, error)
 		options = append(options, dialer.WithInterface(c.iface.Load()))
 	}

-	var conn net.Conn
-	if c.proxyAdapter != "" {
-		conn, err = dialContextExtra(ctx, c.proxyAdapter, network, ip, c.port, options...)
-	} else {
-		conn, err = dialer.DialContext(ctx, network, net.JoinHostPort(ip.String(), c.port), options...)
-	}
-
+	conn, err := getDialHandler(c.r, c.proxyAdapter, options...)(ctx, network, net.JoinHostPort(ip.String(), c.port))
 	if err != nil {
 		return nil, err
 	}
--- a/dns/dhcp.go
+++ b/dns/dhcp.go
@ -30,7 +30,7 @@ type dhcpClient struct {

 	ifaceAddr *netip.Prefix
 	done      chan struct{}
-	resolver  *Resolver
+	clients   []dnsClient
 	err       error
 }

@ -42,15 +42,15 @@ func (d *dhcpClient) Exchange(m *D.Msg) (msg *D.Msg, err error) {
 }

 func (d *dhcpClient) ExchangeContext(ctx context.Context, m *D.Msg) (msg *D.Msg, err error) {
-	res, err := d.resolve(ctx)
+	clients, err := d.resolve(ctx)
 	if err != nil {
 		return nil, err
 	}

-	return res.ExchangeContext(ctx, m)
+	return batchExchange(ctx, clients, m)
 }

-func (d *dhcpClient) resolve(ctx context.Context) (*Resolver, error) {
+func (d *dhcpClient) resolve(ctx context.Context) ([]dnsClient, error) {
 	d.lock.Lock()

 	invalidated, err := d.invalidate()
@ -65,8 +65,9 @@ func (d *dhcpClient) resolve(ctx context.Context) (*Resolver, error) {
 			ctx, cancel := context.WithTimeout(context.Background(), DHCPTimeout)
 			defer cancel()

-			var res *Resolver
+			var res []dnsClient
 			dns, err := dhcp.ResolveDNSFromDHCP(ctx, d.ifaceName)
+			// dns never empty if err is nil
 			if err == nil {
 				nameserver := make([]NameServer, 0, len(dns))
 				for _, item := range dns {
@ -76,9 +77,7 @@ func (d *dhcpClient) resolve(ctx context.Context) (*Resolver, error) {
 					})
 				}

-				res = NewResolver(Config{
-					Main: nameserver,
-				})
+				res = transform(nameserver, nil)
 			}

 			d.lock.Lock()
@ -87,7 +86,7 @@ func (d *dhcpClient) resolve(ctx context.Context) (*Resolver, error) {
 			close(done)

 			d.done = nil
-			d.resolver = res
+			d.clients = res
 			d.err = err
 		}()
 	}
@ -97,7 +96,7 @@ func (d *dhcpClient) resolve(ctx context.Context) (*Resolver, error) {
 	for {
 		d.lock.Lock()

-		res, err, done := d.resolver, d.err, d.done
+		res, err, done := d.clients, d.err, d.done

 		d.lock.Unlock()

--- a/dns/doh.go
+++ b/dns/doh.go
@ -15,13 +15,11 @@ import (
 	"sync"
 	"time"

-	"github.com/Dreamacro/clash/component/dialer"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/log"
-	"github.com/lucas-clemente/quic-go"
-	"github.com/lucas-clemente/quic-go/http3"
-	"github.com/miekg/dns"
+	"github.com/metacubex/quic-go"
+	"github.com/metacubex/quic-go/http3"
 	D "github.com/miekg/dns"
 	"golang.org/x/net/http2"
 )
@ -84,8 +82,9 @@ func newDoHClient(urlString string, r *Resolver, preferH3 bool, params map[strin
 	}

 	doh := &dnsOverHTTPS{
-		url: u,
-		r:   r,
+		url:          u,
+		r:            r,
+		proxyAdapter: proxyAdapter,
 		quicConfig: &quic.Config{
 			KeepAlivePeriod: QUICKeepAlivePeriod,
 			TokenStore:      newQUICTokenStore(),
@ -99,8 +98,8 @@ func newDoHClient(urlString string, r *Resolver, preferH3 bool, params map[strin
 }

 // Address implements the Upstream interface for *dnsOverHTTPS.
-func (p *dnsOverHTTPS) Address() string { return p.url.String() }
-func (p *dnsOverHTTPS) ExchangeContext(ctx context.Context, m *D.Msg) (msg *D.Msg, err error) {
+func (doh *dnsOverHTTPS) Address() string { return doh.url.String() }
+func (doh *dnsOverHTTPS) ExchangeContext(ctx context.Context, m *D.Msg) (msg *D.Msg, err error) {
 	// Quote from https://www.rfc-editor.org/rfc/rfc8484.html:
 	// In order to maximize HTTP cache friendliness, DoH clients using media
 	// formats that include the ID field from the DNS message header, such
@ -118,61 +117,61 @@ func (p *dnsOverHTTPS) ExchangeContext(ctx context.Context, m *D.Msg) (msg *D.Ms

 	// Check if there was already an active client before sending the request.
 	// We'll only attempt to re-connect if there was one.
-	client, isCached, err := p.getClient()
+	client, isCached, err := doh.getClient(ctx)
 	if err != nil {
 		return nil, fmt.Errorf("failed to init http client: %w", err)
 	}

 	// Make the first attempt to send the DNS query.
-	msg, err = p.exchangeHTTPS(ctx, client, m)
+	msg, err = doh.exchangeHTTPS(ctx, client, m)

 	// Make up to 2 attempts to re-create the HTTP client and send the request
 	// again.  There are several cases (mostly, with QUIC) where this workaround
 	// is necessary to make HTTP client usable.  We need to make 2 attempts in
 	// the case when the connection was closed (due to inactivity for example)
 	// AND the server refuses to open a 0-RTT connection.
-	for i := 0; isCached && p.shouldRetry(err) && i < 2; i++ {
-		client, err = p.resetClient(err)
+	for i := 0; isCached && doh.shouldRetry(err) && i < 2; i++ {
+		client, err = doh.resetClient(ctx, err)
 		if err != nil {
 			return nil, fmt.Errorf("failed to reset http client: %w", err)
 		}

-		msg, err = p.exchangeHTTPS(ctx, client, m)
+		msg, err = doh.exchangeHTTPS(ctx, client, m)
 	}

-	if err != nil {
+	if err != nil && !errors.Is(err, context.Canceled) && !errors.Is(err, context.DeadlineExceeded) {
 		// If the request failed anyway, make sure we don't use this client.
-		_, resErr := p.resetClient(err)
+		_, resErr := doh.resetClient(ctx, err)

-		return nil, fmt.Errorf("err:%v,resErr:%v", err, resErr)
+		return nil, fmt.Errorf("%w (resErr:%v)", err, resErr)
 	}

 	return msg, err
 }

 // Exchange implements the Upstream interface for *dnsOverHTTPS.
-func (p *dnsOverHTTPS) Exchange(m *dns.Msg) (*dns.Msg, error) {
-	return p.ExchangeContext(context.Background(), m)
+func (doh *dnsOverHTTPS) Exchange(m *D.Msg) (*D.Msg, error) {
+	return doh.ExchangeContext(context.Background(), m)
 }

 // Close implements the Upstream interface for *dnsOverHTTPS.
-func (p *dnsOverHTTPS) Close() (err error) {
-	p.clientMu.Lock()
-	defer p.clientMu.Unlock()
+func (doh *dnsOverHTTPS) Close() (err error) {
+	doh.clientMu.Lock()
+	defer doh.clientMu.Unlock()

-	runtime.SetFinalizer(p, nil)
+	runtime.SetFinalizer(doh, nil)

-	if p.client == nil {
+	if doh.client == nil {
 		return nil
 	}

-	return p.closeClient(p.client)
+	return doh.closeClient(doh.client)
 }

 // closeClient cleans up resources used by client if necessary.  Note, that at
 // this point it should only be done for HTTP/3 as it may leak due to keep-alive
 // connections.
-func (p *dnsOverHTTPS) closeClient(client *http.Client) (err error) {
+func (doh *dnsOverHTTPS) closeClient(client *http.Client) (err error) {
 	if isHTTP3(client) {
 		return client.Transport.(io.Closer).Close()
 	}
@ -181,19 +180,18 @@ func (p *dnsOverHTTPS) closeClient(client *http.Client) (err error) {
 }

 // exchangeHTTPS logs the request and its result and calls exchangeHTTPSClient.
-func (p *dnsOverHTTPS) exchangeHTTPS(ctx context.Context, client *http.Client, req *dns.Msg) (resp *dns.Msg, err error) {
-	resp, err = p.exchangeHTTPSClient(ctx, client, req)
-
+func (doh *dnsOverHTTPS) exchangeHTTPS(ctx context.Context, client *http.Client, req *D.Msg) (resp *D.Msg, err error) {
+	resp, err = doh.exchangeHTTPSClient(ctx, client, req)
 	return resp, err
 }

 // exchangeHTTPSClient sends the DNS query to a DoH resolver using the specified
 // http.Client instance.
-func (p *dnsOverHTTPS) exchangeHTTPSClient(
+func (doh *dnsOverHTTPS) exchangeHTTPSClient(
 	ctx context.Context,
 	client *http.Client,
-	req *dns.Msg,
-) (resp *dns.Msg, err error) {
+	req *D.Msg,
+) (resp *D.Msg, err error) {
 	buf, err := req.Pack()
 	if err != nil {
 		return nil, fmt.Errorf("packing message: %w", err)
@ -207,24 +205,24 @@ func (p *dnsOverHTTPS) exchangeHTTPSClient(
 		method = http3.MethodGet0RTT
 	}

-	p.url.RawQuery = fmt.Sprintf("dns=%s", base64.RawURLEncoding.EncodeToString(buf))
-	httpReq, err := http.NewRequest(method, p.url.String(), nil)
+	url := doh.url
+	url.RawQuery = fmt.Sprintf("dns=%s", base64.RawURLEncoding.EncodeToString(buf))
+	httpReq, err := http.NewRequestWithContext(ctx, method, url.String(), nil)
 	if err != nil {
-		return nil, fmt.Errorf("creating http request to %s: %w", p.url, err)
+		return nil, fmt.Errorf("creating http request to %s: %w", url, err)
 	}

 	httpReq.Header.Set("Accept", "application/dns-message")
 	httpReq.Header.Set("User-Agent", "")
-	_ = httpReq.WithContext(ctx)
 	httpResp, err := client.Do(httpReq)
 	if err != nil {
-		return nil, fmt.Errorf("requesting %s: %w", p.url, err)
+		return nil, fmt.Errorf("requesting %s: %w", url, err)
 	}
 	defer httpResp.Body.Close()

 	body, err := io.ReadAll(httpResp.Body)
 	if err != nil {
-		return nil, fmt.Errorf("reading %s: %w", p.url, err)
+		return nil, fmt.Errorf("reading %s: %w", url, err)
 	}

 	if httpResp.StatusCode != http.StatusOK {
@ -233,23 +231,23 @@ func (p *dnsOverHTTPS) exchangeHTTPSClient(
 				"expected status %d, got %d from %s",
 				http.StatusOK,
 				httpResp.StatusCode,
-				p.url,
+				url,
 			)
 	}

-	resp = &dns.Msg{}
+	resp = &D.Msg{}
 	err = resp.Unpack(body)
 	if err != nil {
 		return nil, fmt.Errorf(
 			"unpacking response from %s: body is %s: %w",
-			p.url,
+			url,
 			body,
 			err,
 		)
 	}

 	if resp.Id != req.Id {
-		err = dns.ErrId
+		err = D.ErrId
 	}

 	return resp, err
@ -257,7 +255,7 @@ func (p *dnsOverHTTPS) exchangeHTTPSClient(

 // shouldRetry checks what error we have received and returns true if we should
 // re-create the HTTP client and retry the request.
-func (p *dnsOverHTTPS) shouldRetry(err error) (ok bool) {
+func (doh *dnsOverHTTPS) shouldRetry(err error) (ok bool) {
 	if err == nil {
 		return false
 	}
@ -282,57 +280,57 @@ func (p *dnsOverHTTPS) shouldRetry(err error) (ok bool) {
 // resetClient triggers re-creation of the *http.Client that is used by this
 // upstream.  This method accepts the error that caused resetting client as
 // depending on the error we may also reset the QUIC config.
-func (p *dnsOverHTTPS) resetClient(resetErr error) (client *http.Client, err error) {
-	p.clientMu.Lock()
-	defer p.clientMu.Unlock()
+func (doh *dnsOverHTTPS) resetClient(ctx context.Context, resetErr error) (client *http.Client, err error) {
+	doh.clientMu.Lock()
+	defer doh.clientMu.Unlock()

 	if errors.Is(resetErr, quic.Err0RTTRejected) {
 		// Reset the TokenStore only if 0-RTT was rejected.
-		p.resetQUICConfig()
+		doh.resetQUICConfig()
 	}

-	oldClient := p.client
+	oldClient := doh.client
 	if oldClient != nil {
-		closeErr := p.closeClient(oldClient)
+		closeErr := doh.closeClient(oldClient)
 		if closeErr != nil {
 			log.Warnln("warning: failed to close the old http client: %v", closeErr)
 		}
 	}

 	log.Debugln("re-creating the http client due to %v", resetErr)
-	p.client, err = p.createClient()
+	doh.client, err = doh.createClient(ctx)

-	return p.client, err
+	return doh.client, err
 }

 // getQUICConfig returns the QUIC config in a thread-safe manner.  Note, that
 // this method returns a pointer, it is forbidden to change its properties.
-func (p *dnsOverHTTPS) getQUICConfig() (c *quic.Config) {
-	p.quicConfigGuard.Lock()
-	defer p.quicConfigGuard.Unlock()
+func (doh *dnsOverHTTPS) getQUICConfig() (c *quic.Config) {
+	doh.quicConfigGuard.Lock()
+	defer doh.quicConfigGuard.Unlock()

-	return p.quicConfig
+	return doh.quicConfig
 }

 // resetQUICConfig Re-create the token store to make sure we're not trying to
 // use invalid for 0-RTT.
-func (p *dnsOverHTTPS) resetQUICConfig() {
-	p.quicConfigGuard.Lock()
-	defer p.quicConfigGuard.Unlock()
+func (doh *dnsOverHTTPS) resetQUICConfig() {
+	doh.quicConfigGuard.Lock()
+	defer doh.quicConfigGuard.Unlock()

-	p.quicConfig = p.quicConfig.Clone()
-	p.quicConfig.TokenStore = newQUICTokenStore()
+	doh.quicConfig = doh.quicConfig.Clone()
+	doh.quicConfig.TokenStore = newQUICTokenStore()
 }

 // getClient gets or lazily initializes an HTTP client (and transport) that will
 // be used for this DoH resolver.
-func (p *dnsOverHTTPS) getClient() (c *http.Client, isCached bool, err error) {
+func (doh *dnsOverHTTPS) getClient(ctx context.Context) (c *http.Client, isCached bool, err error) {
 	startTime := time.Now()

-	p.clientMu.Lock()
-	defer p.clientMu.Unlock()
-	if p.client != nil {
-		return p.client, true, nil
+	doh.clientMu.Lock()
+	defer doh.clientMu.Unlock()
+	if doh.client != nil {
+		return doh.client, true, nil
 	}

 	// Timeout can be exceeded while waiting for the lock. This happens quite
@ -343,19 +341,19 @@ func (p *dnsOverHTTPS) getClient() (c *http.Client, isCached bool, err error) {
 	}

 	log.Debugln("creating a new http client")
-	p.client, err = p.createClient()
+	doh.client, err = doh.createClient(ctx)

-	return p.client, false, err
+	return doh.client, false, err
 }

 // createClient creates a new *http.Client instance.  The HTTP protocol version
 // will depend on whether HTTP3 is allowed and provided by this upstream.  Note,
 // that we'll attempt to establish a QUIC connection when creating the client in
 // order to check whether HTTP3 is supported.
-func (p *dnsOverHTTPS) createClient() (*http.Client, error) {
-	transport, err := p.createTransport()
+func (doh *dnsOverHTTPS) createClient(ctx context.Context) (*http.Client, error) {
+	transport, err := doh.createTransport(ctx)
 	if err != nil {
-		return nil, fmt.Errorf("initializing http transport: %w", err)
+		return nil, fmt.Errorf("[%s] initializing http transport: %w", doh.url.String(), err)
 	}

 	client := &http.Client{
@ -364,9 +362,9 @@ func (p *dnsOverHTTPS) createClient() (*http.Client, error) {
 		Jar:       nil,
 	}

-	p.client = client
+	doh.client = client

-	return p.client, nil
+	return doh.client, nil
 }

 // createTransport initializes an HTTP transport that will be used specifically
@ -375,7 +373,7 @@ func (p *dnsOverHTTPS) createClient() (*http.Client, error) {
 // that this function will first attempt to establish a QUIC connection (if
 // HTTP3 is enabled in the upstream options).  If this attempt is successful,
 // it returns an HTTP3 transport, otherwise it returns the H1/H2 transport.
-func (p *dnsOverHTTPS) createTransport() (t http.RoundTripper, err error) {
+func (doh *dnsOverHTTPS) createTransport(ctx context.Context) (t http.RoundTripper, err error) {
 	tlsConfig := tlsC.GetGlobalFingerprintTLCConfig(
 		&tls.Config{
 			InsecureSkipVerify:     false,
@ -383,23 +381,23 @@ func (p *dnsOverHTTPS) createTransport() (t http.RoundTripper, err error) {
 			SessionTicketsDisabled: false,
 		})
 	var nextProtos []string
-	for _, v := range p.httpVersions {
+	for _, v := range doh.httpVersions {
 		nextProtos = append(nextProtos, string(v))
 	}
 	tlsConfig.NextProtos = nextProtos
-	dialContext := getDialHandler(p.r, p.proxyAdapter)
+	dialContext := getDialHandler(doh.r, doh.proxyAdapter)
 	// First, we attempt to create an HTTP3 transport.  If the probe QUIC
 	// connection is established successfully, we'll be using HTTP3 for this
 	// upstream.
-	transportH3, err := p.createTransportH3(tlsConfig, dialContext)
+	transportH3, err := doh.createTransportH3(ctx, tlsConfig, dialContext)
 	if err == nil {
-		log.Debugln("using HTTP/3 for this upstream: QUIC was faster")
+		log.Debugln("[%s] using HTTP/3 for this upstream: QUIC was faster", doh.url.String())
 		return transportH3, nil
 	}

-	log.Debugln("using HTTP/2 for this upstream: %v", err)
+	log.Debugln("[%s] using HTTP/2 for this upstream: %v", doh.url.String(), err)

-	if !p.supportsHTTP() {
+	if !doh.supportsHTTP() {
 		return nil, errors.New("HTTP1/1 and HTTP2 are not supported by this upstream")
 	}

@ -484,6 +482,7 @@ func (h *http3Transport) Close() (err error) {
 // in parallel (one for TLS, the other one for QUIC) and if QUIC is faster it
 // will create the *http3.RoundTripper instance.
 func (doh *dnsOverHTTPS) createTransportH3(
+	ctx context.Context,
 	tlsConfig *tls.Config,
 	dialContext dialHandler,
 ) (roundTripper http.RoundTripper, err error) {
@ -491,7 +490,7 @@ func (doh *dnsOverHTTPS) createTransportH3(
 		return nil, errors.New("HTTP3 support is not enabled")
 	}

-	addr, err := doh.probeH3(tlsConfig, dialContext)
+	addr, err := doh.probeH3(ctx, tlsConfig, dialContext)
 	if err != nil {
 		return nil, err
 	}
@ -529,22 +528,9 @@ func (doh *dnsOverHTTPS) dialQuic(ctx context.Context, addr string, tlsCfg *tls.
 		IP:   net.ParseIP(ip),
 		Port: portInt,
 	}
-	var conn net.PacketConn
-	if doh.proxyAdapter == "" {
-		conn, err = dialer.ListenPacket(ctx, "udp", "")
-		if err != nil {
-			return nil, err
-		}
-	} else {
-		if wrapConn, err := dialContextExtra(ctx, doh.proxyAdapter, "udp", udpAddr.AddrPort().Addr(), port); err == nil {
-			if pc, ok := wrapConn.(*wrapPacketConn); ok {
-				conn = pc
-			} else {
-				return nil, fmt.Errorf("conn isn't wrapPacketConn")
-			}
-		} else {
-			return nil, err
-		}
+	conn, err := listenPacket(ctx, doh.proxyAdapter, "udp", addr, doh.r)
+	if err != nil {
+		return nil, err
 	}
 	return quic.DialEarlyContext(ctx, conn, &udpAddr, doh.url.Host, tlsCfg, cfg)
 }
@ -552,29 +538,24 @@ func (doh *dnsOverHTTPS) dialQuic(ctx context.Context, addr string, tlsCfg *tls.
 // probeH3 runs a test to check whether QUIC is faster than TLS for this
 // upstream.  If the test is successful it will return the address that we
 // should use to establish the QUIC connections.
-func (p *dnsOverHTTPS) probeH3(
+func (doh *dnsOverHTTPS) probeH3(
+	ctx context.Context,
 	tlsConfig *tls.Config,
 	dialContext dialHandler,
 ) (addr string, err error) {
 	// We're using bootstrapped address instead of what's passed to the function
 	// it does not create an actual connection, but it helps us determine
 	// what IP is actually reachable (when there are v4/v6 addresses).
-	rawConn, err := dialContext(context.Background(), "udp", p.url.Host)
+	rawConn, err := dialContext(ctx, "udp", doh.url.Host)
 	if err != nil {
 		return "", fmt.Errorf("failed to dial: %w", err)
 	}
+	addr = rawConn.RemoteAddr().String()
 	// It's never actually used.
 	_ = rawConn.Close()

-	udpConn, ok := rawConn.(*net.UDPConn)
-	if !ok {
-		return "", fmt.Errorf("not a UDP connection to %s", p.Address())
-	}
-
-	addr = udpConn.RemoteAddr().String()
-
 	// Avoid spending time on probing if this upstream only supports HTTP/3.
-	if p.supportsH3() && !p.supportsHTTP() {
+	if doh.supportsH3() && !doh.supportsHTTP() {
 		return addr, nil
 	}

@ -594,8 +575,8 @@ func (p *dnsOverHTTPS) probeH3(
 	// Run probeQUIC and probeTLS in parallel and see which one is faster.
 	chQuic := make(chan error, 1)
 	chTLS := make(chan error, 1)
-	go p.probeQUIC(addr, probeTLSCfg, chQuic)
-	go p.probeTLS(dialContext, probeTLSCfg, chTLS)
+	go doh.probeQUIC(ctx, addr, probeTLSCfg, chQuic)
+	go doh.probeTLS(ctx, dialContext, probeTLSCfg, chTLS)

 	select {
 	case quicErr := <-chQuic:
@ -619,16 +600,11 @@ func (p *dnsOverHTTPS) probeH3(

 // probeQUIC attempts to establish a QUIC connection to the specified address.
 // We run probeQUIC and probeTLS in parallel and see which one is faster.
-func (p *dnsOverHTTPS) probeQUIC(addr string, tlsConfig *tls.Config, ch chan error) {
+func (doh *dnsOverHTTPS) probeQUIC(ctx context.Context, addr string, tlsConfig *tls.Config, ch chan error) {
 	startTime := time.Now()
-
-	timeout := DefaultTimeout
-	ctx, cancel := context.WithDeadline(context.Background(), time.Now().Add(timeout))
-	defer cancel()
-
-	conn, err := p.dialQuic(ctx, addr, tlsConfig, p.getQUICConfig())
+	conn, err := doh.dialQuic(ctx, addr, tlsConfig, doh.getQUICConfig())
 	if err != nil {
-		ch <- fmt.Errorf("opening QUIC connection to %s: %w", p.Address(), err)
+		ch <- fmt.Errorf("opening QUIC connection to %s: %w", doh.Address(), err)
 		return
 	}

@ -643,10 +619,10 @@ func (p *dnsOverHTTPS) probeQUIC(addr string, tlsConfig *tls.Config, ch chan err

 // probeTLS attempts to establish a TLS connection to the specified address. We
 // run probeQUIC and probeTLS in parallel and see which one is faster.
-func (p *dnsOverHTTPS) probeTLS(dialContext dialHandler, tlsConfig *tls.Config, ch chan error) {
+func (doh *dnsOverHTTPS) probeTLS(ctx context.Context, dialContext dialHandler, tlsConfig *tls.Config, ch chan error) {
 	startTime := time.Now()

-	conn, err := p.tlsDial(dialContext, "tcp", tlsConfig)
+	conn, err := doh.tlsDial(ctx, dialContext, "tcp", tlsConfig)
 	if err != nil {
 		ch <- fmt.Errorf("opening TLS connection: %w", err)
 		return
@ -662,8 +638,8 @@ func (p *dnsOverHTTPS) probeTLS(dialContext dialHandler, tlsConfig *tls.Config,
 }

 // supportsH3 returns true if HTTP/3 is supported by this upstream.
-func (p *dnsOverHTTPS) supportsH3() (ok bool) {
-	for _, v := range p.supportedHTTPVersions() {
+func (doh *dnsOverHTTPS) supportsH3() (ok bool) {
+	for _, v := range doh.supportedHTTPVersions() {
 		if v == C.HTTPVersion3 {
 			return true
 		}
@ -673,8 +649,8 @@ func (p *dnsOverHTTPS) supportsH3() (ok bool) {
 }

 // supportsHTTP returns true if HTTP/1.1 or HTTP2 is supported by this upstream.
-func (p *dnsOverHTTPS) supportsHTTP() (ok bool) {
-	for _, v := range p.supportedHTTPVersions() {
+func (doh *dnsOverHTTPS) supportsHTTP() (ok bool) {
+	for _, v := range doh.supportedHTTPVersions() {
 		if v == C.HTTPVersion11 || v == C.HTTPVersion2 {
 			return true
 		}
@ -684,8 +660,8 @@ func (p *dnsOverHTTPS) supportsHTTP() (ok bool) {
 }

 // supportedHTTPVersions returns the list of supported HTTP versions.
-func (p *dnsOverHTTPS) supportedHTTPVersions() (v []C.HTTPVersion) {
-	v = p.httpVersions
+func (doh *dnsOverHTTPS) supportedHTTPVersions() (v []C.HTTPVersion) {
+	v = doh.httpVersions
 	if v == nil {
 		v = DefaultHTTPVersions
 	}
@ -702,10 +678,10 @@ func isHTTP3(client *http.Client) (ok bool) {

 // tlsDial is basically the same as tls.DialWithDialer, but we will call our own
 // dialContext function to get connection.
-func (doh *dnsOverHTTPS) tlsDial(dialContext dialHandler, network string, config *tls.Config) (*tls.Conn, error) {
+func (doh *dnsOverHTTPS) tlsDial(ctx context.Context, dialContext dialHandler, network string, config *tls.Config) (*tls.Conn, error) {
 	// We're using bootstrapped address instead of what's passed
 	// to the function.
-	rawConn, err := dialContext(context.Background(), network, doh.url.Host)
+	rawConn, err := dialContext(ctx, network, doh.url.Host)
 	if err != nil {
 		return nil, err
 	}
--- a/dns/doq.go
+++ b/dns/doq.go
@ -7,15 +7,13 @@ import (
 	"errors"
 	"fmt"
 	"net"
-	"net/netip"
 	"runtime"
 	"strconv"
 	"sync"
 	"time"

-	"github.com/Dreamacro/clash/component/dialer"
 	tlsC "github.com/Dreamacro/clash/component/tls"
-	"github.com/lucas-clemente/quic-go"
+	"github.com/metacubex/quic-go"

 	"github.com/Dreamacro/clash/log"
 	D "github.com/miekg/dns"
@ -34,15 +32,13 @@ const (
 	// controls the period with with keep-alive frames are being sent to the
 	// connection. We set it to 20s as it would be in the quic-go@v0.27.1 with
 	// KeepAlive field set to true This value is specified in
-	// https://pkg.go.dev/github.com/lucas-clemente/quic-go/internal/protocol#MaxKeepAliveInterval.
+	// https://pkg.go.dev/github.com/metacubex/quic-go/internal/protocol#MaxKeepAliveInterval.
 	//
 	// TODO(ameshkov):  Consider making it configurable.
 	QUICKeepAlivePeriod = time.Second * 20
 	DefaultTimeout      = time.Second * 5
 )

-type dialHandler func(ctx context.Context, network, addr string) (net.Conn, error)
-
 // dnsOverQUIC is a struct that implements the Upstream interface for the
 // DNS-over-QUIC protocol (spec: https://www.rfc-editor.org/rfc/rfc9250.html).
 type dnsOverQUIC struct {
@ -88,9 +84,9 @@ func newDoQ(resolver *Resolver, addr string, adapter string) (dnsClient, error)
 }

 // Address implements the Upstream interface for *dnsOverQUIC.
-func (p *dnsOverQUIC) Address() string { return p.addr }
+func (doq *dnsOverQUIC) Address() string { return doq.addr }

-func (p *dnsOverQUIC) ExchangeContext(ctx context.Context, m *D.Msg) (msg *D.Msg, err error) {
+func (doq *dnsOverQUIC) ExchangeContext(ctx context.Context, m *D.Msg) (msg *D.Msg, err error) {
 	// When sending queries over a QUIC connection, the DNS Message ID MUST be
 	// set to zero.
 	id := m.Id
@ -105,49 +101,49 @@ func (p *dnsOverQUIC) ExchangeContext(ctx context.Context, m *D.Msg) (msg *D.Msg

 	// Check if there was already an active conn before sending the request.
 	// We'll only attempt to re-connect if there was one.
-	hasConnection := p.hasConnection()
+	hasConnection := doq.hasConnection()

 	// Make the first attempt to send the DNS query.
-	msg, err = p.exchangeQUIC(ctx, m)
+	msg, err = doq.exchangeQUIC(ctx, m)

 	// Make up to 2 attempts to re-open the QUIC connection and send the request
 	// again.  There are several cases where this workaround is necessary to
 	// make DoQ usable.  We need to make 2 attempts in the case when the
 	// connection was closed (due to inactivity for example) AND the server
 	// refuses to open a 0-RTT connection.
-	for i := 0; hasConnection && p.shouldRetry(err) && i < 2; i++ {
+	for i := 0; hasConnection && doq.shouldRetry(err) && i < 2; i++ {
 		log.Debugln("re-creating the QUIC connection and retrying due to %v", err)

 		// Close the active connection to make sure we'll try to re-connect.
-		p.closeConnWithError(err)
+		doq.closeConnWithError(err)

 		// Retry sending the request.
-		msg, err = p.exchangeQUIC(ctx, m)
+		msg, err = doq.exchangeQUIC(ctx, m)
 	}

 	if err != nil {
 		// If we're unable to exchange messages, make sure the connection is
 		// closed and signal about an internal error.
-		p.closeConnWithError(err)
+		doq.closeConnWithError(err)
 	}

 	return msg, err
 }

 // Exchange implements the Upstream interface for *dnsOverQUIC.
-func (p *dnsOverQUIC) Exchange(m *D.Msg) (msg *D.Msg, err error) {
-	return p.ExchangeContext(context.Background(), m)
+func (doq *dnsOverQUIC) Exchange(m *D.Msg) (msg *D.Msg, err error) {
+	return doq.ExchangeContext(context.Background(), m)
 }

 // Close implements the Upstream interface for *dnsOverQUIC.
-func (p *dnsOverQUIC) Close() (err error) {
-	p.connMu.Lock()
-	defer p.connMu.Unlock()
+func (doq *dnsOverQUIC) Close() (err error) {
+	doq.connMu.Lock()
+	defer doq.connMu.Unlock()

-	runtime.SetFinalizer(p, nil)
+	runtime.SetFinalizer(doq, nil)

-	if p.conn != nil {
-		err = p.conn.CloseWithError(QUICCodeNoError, "")
+	if doq.conn != nil {
+		err = doq.conn.CloseWithError(QUICCodeNoError, "")
 	}

 	return err
@ -155,9 +151,9 @@ func (p *dnsOverQUIC) Close() (err error) {

 // exchangeQUIC attempts to open a QUIC connection, send the DNS message
 // through it and return the response it got from the server.
-func (p *dnsOverQUIC) exchangeQUIC(ctx context.Context, msg *D.Msg) (resp *D.Msg, err error) {
+func (doq *dnsOverQUIC) exchangeQUIC(ctx context.Context, msg *D.Msg) (resp *D.Msg, err error) {
 	var conn quic.Connection
-	conn, err = p.getConnection(true)
+	conn, err = doq.getConnection(ctx, true)
 	if err != nil {
 		return nil, err
 	}
@ -169,7 +165,7 @@ func (p *dnsOverQUIC) exchangeQUIC(ctx context.Context, msg *D.Msg) (resp *D.Msg
 	}

 	var stream quic.Stream
-	stream, err = p.openStream(ctx, conn)
+	stream, err = doq.openStream(ctx, conn)
 	if err != nil {
 		return nil, err
 	}
@ -185,7 +181,7 @@ func (p *dnsOverQUIC) exchangeQUIC(ctx context.Context, msg *D.Msg) (resp *D.Msg
 	// write-direction of the stream, but does not prevent reading from it.
 	_ = stream.Close()

-	return p.readMsg(stream)
+	return doq.readMsg(stream)
 }

 // AddPrefix adds a 2-byte prefix with the DNS message length.
@ -199,17 +195,17 @@ func AddPrefix(b []byte) (m []byte) {

 // shouldRetry checks what error we received and decides whether it is required
 // to re-open the connection and retry sending the request.
-func (p *dnsOverQUIC) shouldRetry(err error) (ok bool) {
+func (doq *dnsOverQUIC) shouldRetry(err error) (ok bool) {
 	return isQUICRetryError(err)
 }

 // getBytesPool returns (creates if needed) a pool we store byte buffers in.
-func (p *dnsOverQUIC) getBytesPool() (pool *sync.Pool) {
-	p.bytesPoolGuard.Lock()
-	defer p.bytesPoolGuard.Unlock()
+func (doq *dnsOverQUIC) getBytesPool() (pool *sync.Pool) {
+	doq.bytesPoolGuard.Lock()
+	defer doq.bytesPoolGuard.Unlock()

-	if p.bytesPool == nil {
-		p.bytesPool = &sync.Pool{
+	if doq.bytesPool == nil {
+		doq.bytesPool = &sync.Pool{
 			New: func() interface{} {
 				b := make([]byte, MaxMsgSize)

@ -218,19 +214,19 @@ func (p *dnsOverQUIC) getBytesPool() (pool *sync.Pool) {
 		}
 	}

-	return p.bytesPool
+	return doq.bytesPool
 }

 // getConnection opens or returns an existing quic.Connection. useCached
 // argument controls whether we should try to use the existing cached
 // connection.  If it is false, we will forcibly create a new connection and
 // close the existing one if needed.
-func (p *dnsOverQUIC) getConnection(useCached bool) (quic.Connection, error) {
+func (doq *dnsOverQUIC) getConnection(ctx context.Context, useCached bool) (quic.Connection, error) {
 	var conn quic.Connection
-	p.connMu.RLock()
-	conn = p.conn
+	doq.connMu.RLock()
+	conn = doq.conn
 	if conn != nil && useCached {
-		p.connMu.RUnlock()
+		doq.connMu.RUnlock()

 		return conn, nil
 	}
@ -238,50 +234,50 @@ func (p *dnsOverQUIC) getConnection(useCached bool) (quic.Connection, error) {
 		// we're recreating the connection, let's create a new one.
 		_ = conn.CloseWithError(QUICCodeNoError, "")
 	}
-	p.connMu.RUnlock()
+	doq.connMu.RUnlock()

-	p.connMu.Lock()
-	defer p.connMu.Unlock()
+	doq.connMu.Lock()
+	defer doq.connMu.Unlock()

 	var err error
-	conn, err = p.openConnection()
+	conn, err = doq.openConnection(ctx)
 	if err != nil {
 		return nil, err
 	}
-	p.conn = conn
+	doq.conn = conn

 	return conn, nil
 }

 // hasConnection returns true if there's an active QUIC connection.
-func (p *dnsOverQUIC) hasConnection() (ok bool) {
-	p.connMu.Lock()
-	defer p.connMu.Unlock()
+func (doq *dnsOverQUIC) hasConnection() (ok bool) {
+	doq.connMu.Lock()
+	defer doq.connMu.Unlock()

-	return p.conn != nil
+	return doq.conn != nil
 }

 // getQUICConfig returns the QUIC config in a thread-safe manner.  Note, that
 // this method returns a pointer, it is forbidden to change its properties.
-func (p *dnsOverQUIC) getQUICConfig() (c *quic.Config) {
-	p.quicConfigGuard.Lock()
-	defer p.quicConfigGuard.Unlock()
+func (doq *dnsOverQUIC) getQUICConfig() (c *quic.Config) {
+	doq.quicConfigGuard.Lock()
+	defer doq.quicConfigGuard.Unlock()

-	return p.quicConfig
+	return doq.quicConfig
 }

 // resetQUICConfig re-creates the tokens store as we may need to use a new one
 // if we failed to connect.
-func (p *dnsOverQUIC) resetQUICConfig() {
-	p.quicConfigGuard.Lock()
-	defer p.quicConfigGuard.Unlock()
+func (doq *dnsOverQUIC) resetQUICConfig() {
+	doq.quicConfigGuard.Lock()
+	defer doq.quicConfigGuard.Unlock()

-	p.quicConfig = p.quicConfig.Clone()
-	p.quicConfig.TokenStore = newQUICTokenStore()
+	doq.quicConfig = doq.quicConfig.Clone()
+	doq.quicConfig.TokenStore = newQUICTokenStore()
 }

 // openStream opens a new QUIC stream for the specified connection.
-func (p *dnsOverQUIC) openStream(ctx context.Context, conn quic.Connection) (quic.Stream, error) {
+func (doq *dnsOverQUIC) openStream(ctx context.Context, conn quic.Connection) (quic.Stream, error) {
 	ctx, cancel := context.WithCancel(ctx)
 	defer cancel()

@ -292,7 +288,7 @@ func (p *dnsOverQUIC) openStream(ctx context.Context, conn quic.Connection) (qui

 	// We can get here if the old QUIC connection is not valid anymore.  We
 	// should try to re-create the connection again in this case.
-	newConn, err := p.getConnection(false)
+	newConn, err := doq.getConnection(ctx, false)
 	if err != nil {
 		return nil, err
 	}
@ -301,7 +297,7 @@ func (p *dnsOverQUIC) openStream(ctx context.Context, conn quic.Connection) (qui
 }

 // openConnection opens a new QUIC connection.
-func (doq *dnsOverQUIC) openConnection() (conn quic.Connection, err error) {
+func (doq *dnsOverQUIC) openConnection(ctx context.Context) (conn quic.Connection, err error) {
 	tlsConfig := tlsC.GetGlobalFingerprintTLCConfig(
 		&tls.Config{
 			InsecureSkipVerify: false,
@ -313,21 +309,13 @@ func (doq *dnsOverQUIC) openConnection() (conn quic.Connection, err error) {
 	// we're using bootstrapped address instead of what's passed to the function
 	// it does not create an actual connection, but it helps us determine
 	// what IP is actually reachable (when there're v4/v6 addresses).
-	ctx, cancel := context.WithTimeout(context.Background(), DefaultTimeout)
 	rawConn, err := getDialHandler(doq.r, doq.proxyAdapter)(ctx, "udp", doq.addr)
 	if err != nil {
 		return nil, fmt.Errorf("failed to open a QUIC connection: %w", err)
 	}
+	addr := rawConn.RemoteAddr().String()
 	// It's never actually used
 	_ = rawConn.Close()
-	cancel()
-
-	udpConn, ok := rawConn.(*net.UDPConn)
-	if !ok {
-		return nil, fmt.Errorf("failed to open connection to %s", doq.addr)
-	}
-
-	addr := udpConn.RemoteAddr().String()

 	ip, port, err := net.SplitHostPort(addr)
 	if err != nil {
@ -336,33 +324,11 @@ func (doq *dnsOverQUIC) openConnection() (conn quic.Connection, err error) {

 	p, err := strconv.Atoi(port)
 	udpAddr := net.UDPAddr{IP: net.ParseIP(ip), Port: p}
-	var udp net.PacketConn
-	if doq.proxyAdapter == "" {
-		udp, err = dialer.ListenPacket(ctx, "udp", "")
-		if err != nil {
-			return nil, err
-		}
-	} else {
-		ipAddr, err := netip.ParseAddr(ip)
-		if err != nil {
-			return nil, err
-		}
-		
-		conn, err := dialContextExtra(ctx, doq.proxyAdapter, "udp", ipAddr, port)
-		if err != nil {
-			return nil, err
-		}
-
-		wrapConn, ok := conn.(*wrapPacketConn)
-		if !ok {
-			return nil, fmt.Errorf("quic create packet failed")
-		}
-
-		udp = wrapConn
+	udp, err := listenPacket(ctx, doq.proxyAdapter, "udp", addr, doq.r)
+	if err != nil {
+		return nil, err
 	}

-	ctx, cancel = context.WithTimeout(context.Background(), DefaultTimeout)
-	defer cancel()
 	host, _, err := net.SplitHostPort(doq.addr)
 	if err != nil {
 		return nil, err
@ -379,11 +345,11 @@ func (doq *dnsOverQUIC) openConnection() (conn quic.Connection, err error) {
 // closeConnWithError closes the active connection with error to make sure that
 // new queries were processed in another connection.  We can do that in the case
 // of a fatal error.
-func (p *dnsOverQUIC) closeConnWithError(err error) {
-	p.connMu.Lock()
-	defer p.connMu.Unlock()
+func (doq *dnsOverQUIC) closeConnWithError(err error) {
+	doq.connMu.Lock()
+	defer doq.connMu.Unlock()

-	if p.conn == nil {
+	if doq.conn == nil {
 		// Do nothing, there's no active conn anyways.
 		return
 	}
@ -395,19 +361,19 @@ func (p *dnsOverQUIC) closeConnWithError(err error) {

 	if errors.Is(err, quic.Err0RTTRejected) {
 		// Reset the TokenStore only if 0-RTT was rejected.
-		p.resetQUICConfig()
+		doq.resetQUICConfig()
 	}

-	err = p.conn.CloseWithError(code, "")
+	err = doq.conn.CloseWithError(code, "")
 	if err != nil {
 		log.Errorln("failed to close the conn: %v", err)
 	}
-	p.conn = nil
+	doq.conn = nil
 }

 // readMsg reads the incoming DNS message from the QUIC stream.
-func (p *dnsOverQUIC) readMsg(stream quic.Stream) (m *D.Msg, err error) {
-	pool := p.getBytesPool()
+func (doq *dnsOverQUIC) readMsg(stream quic.Stream) (m *D.Msg, err error) {
+	pool := doq.getBytesPool()
 	bufPtr := pool.Get().(*[]byte)

 	defer pool.Put(bufPtr)
@ -415,7 +381,7 @@ func (p *dnsOverQUIC) readMsg(stream quic.Stream) (m *D.Msg, err error) {
 	respBuf := *bufPtr
 	n, err := stream.Read(respBuf)
 	if err != nil && n == 0 {
-		return nil, fmt.Errorf("reading response from %s: %w", p.Address(), err)
+		return nil, fmt.Errorf("reading response from %s: %w", doq.Address(), err)
 	}

 	// All DNS messages (queries and responses) sent over DoQ connections MUST
@ -426,7 +392,7 @@ func (p *dnsOverQUIC) readMsg(stream quic.Stream) (m *D.Msg, err error) {
 	m = new(D.Msg)
 	err = m.Unpack(respBuf[2:])
 	if err != nil {
-		return nil, fmt.Errorf("unpacking response from %s: %w", p.Address(), err)
+		return nil, fmt.Errorf("unpacking response from %s: %w", doq.Address(), err)
 	}

 	return m, nil
@ -455,7 +421,7 @@ func isQUICRetryError(err error) (ok bool) {
 		// and that's why one can run into this.
 		// In addition to that, quic-go HTTP3 client implementation does not
 		// clean up dead connections (this one is specific to DoH3 upstream):
-		// https://github.com/lucas-clemente/quic-go/issues/765
+		// https://github.com/metacubex/quic-go/issues/765
 		return true
 	}

@ -498,21 +464,3 @@ func isQUICRetryError(err error) (ok bool) {

 	return false
 }
-
-func getDialHandler(r *Resolver, proxyAdapter string) dialHandler {
-	return func(ctx context.Context, network, addr string) (net.Conn, error) {
-		host, port, err := net.SplitHostPort(addr)
-		if err != nil {
-			return nil, err
-		}
-		ip, err := r.ResolveIP(host)
-		if err != nil {
-			return nil, err
-		}
-		if len(proxyAdapter) == 0 {
-			return dialer.DialContext(ctx, network, net.JoinHostPort(ip.String(), port), dialer.WithDirect())
-		} else {
-			return dialContextExtra(ctx, proxyAdapter, network, ip.Unmap(), port, dialer.WithDirect())
-		}
-	}
-}
--- a/dns/enhancer.go
+++ b/dns/enhancer.go
@ -109,7 +109,7 @@ func NewEnhancer(cfg Config) *ResolverEnhancer {

 	if cfg.EnhancedMode != C.DNSNormal {
 		fakePool = cfg.Pool
-		mapping = cache.NewLRUCache[netip.Addr, string](cache.WithSize[netip.Addr, string](4096), cache.WithStale[netip.Addr, string](true))
+		mapping = cache.New[netip.Addr, string](cache.WithSize[netip.Addr, string](4096), cache.WithStale[netip.Addr, string](true))
 	}

 	return &ResolverEnhancer{
--- a/dns/filters.go
+++ b/dns/filters.go
@ -79,6 +79,7 @@ func NewDomainFilter(domains []string) *domainFilter {
 	for _, domain := range domains {
 		_ = df.tree.Insert(domain, struct{}{})
 	}
+	df.tree.Optimize()
 	return &df
 }

--- a/dns/middleware.go
+++ b/dns/middleware.go
@ -156,7 +156,7 @@ func withResolver(resolver *Resolver) handler {
 			return handleMsgWithEmptyAnswer(r), nil
 		}

-		msg, err := resolver.Exchange(r)
+		msg, err := resolver.ExchangeContext(ctx, r)
 		if err != nil {
 			log.Debugln("[DNS Server] Exchange %s failed: %v", q.String(), err)
 			return msg, err
--- a/dns/patch.go
+++ b/dns/patch.go
@ -1,14 +1,18 @@
 package dns

-import D "github.com/miekg/dns"
+import (
+	"context"
+
+	D "github.com/miekg/dns"
+)

 type LocalServer struct {
 	handler handler
 }

 // ServeMsg implement resolver.LocalServer ResolveMsg
-func (s *LocalServer) ServeMsg(msg *D.Msg) (*D.Msg, error) {
-	return handlerWithContext(s.handler, msg)
+func (s *LocalServer) ServeMsg(ctx context.Context, msg *D.Msg) (*D.Msg, error) {
+	return handlerWithContext(ctx, s.handler, msg)
 }

 func NewLocalServer(resolver *Resolver, mapper *ResolverEnhancer) *LocalServer {
--- a/dns/resolver.go
+++ b/dns/resolver.go
@ -10,7 +10,6 @@ import (
 	"time"

 	"github.com/Dreamacro/clash/common/cache"
-	"github.com/Dreamacro/clash/common/picker"
 	"github.com/Dreamacro/clash/component/fakeip"
 	"github.com/Dreamacro/clash/component/geodata/router"
 	"github.com/Dreamacro/clash/component/resolver"
@ -44,18 +43,18 @@ type Resolver struct {
 	proxyServer           []dnsClient
 }

-func (r *Resolver) ResolveAllIPPrimaryIPv4(host string) (ips []netip.Addr, err error) {
+func (r *Resolver) LookupIPPrimaryIPv4(ctx context.Context, host string) (ips []netip.Addr, err error) {
 	ch := make(chan []netip.Addr, 1)
 	go func() {
 		defer close(ch)
-		ip, err := r.resolveIP(host, D.TypeAAAA)
+		ip, err := r.lookupIP(ctx, host, D.TypeAAAA)
 		if err != nil {
 			return
 		}
 		ch <- ip
 	}()

-	ips, err = r.resolveIP(host, D.TypeA)
+	ips, err = r.lookupIP(ctx, host, D.TypeA)
 	if err == nil {
 		return
 	}
@ -68,11 +67,11 @@ func (r *Resolver) ResolveAllIPPrimaryIPv4(host string) (ips []netip.Addr, err e
 	return ip, nil
 }

-func (r *Resolver) ResolveAllIP(host string) (ips []netip.Addr, err error) {
+func (r *Resolver) LookupIP(ctx context.Context, host string) (ips []netip.Addr, err error) {
 	ch := make(chan []netip.Addr, 1)
 	go func() {
 		defer close(ch)
-		ip, err := r.resolveIP(host, D.TypeAAAA)
+		ip, err := r.lookupIP(ctx, host, D.TypeAAAA)
 		if err != nil {
 			return
 		}
@ -80,7 +79,7 @@ func (r *Resolver) ResolveAllIP(host string) (ips []netip.Addr, err error) {
 		ch <- ip
 	}()

-	ips, err = r.resolveIP(host, D.TypeA)
+	ips, err = r.lookupIP(ctx, host, D.TypeA)

 	select {
 	case ipv6s, open := <-ch:
@ -95,39 +94,47 @@ func (r *Resolver) ResolveAllIP(host string) (ips []netip.Addr, err error) {
 	return ips, nil
 }

-func (r *Resolver) ResolveAllIPv4(host string) (ips []netip.Addr, err error) {
-	return r.resolveIP(host, D.TypeA)
-}
-
-func (r *Resolver) ResolveAllIPv6(host string) (ips []netip.Addr, err error) {
-	return r.resolveIP(host, D.TypeAAAA)
-}
-
 // ResolveIP request with TypeA and TypeAAAA, priority return TypeA
-func (r *Resolver) ResolveIP(host string) (ip netip.Addr, err error) {
-	if ips, err := r.ResolveAllIPPrimaryIPv4(host); err == nil {
-		return ips[rand.Intn(len(ips))], nil
-	} else {
+func (r *Resolver) ResolveIP(ctx context.Context, host string) (ip netip.Addr, err error) {
+	ips, err := r.LookupIPPrimaryIPv4(ctx, host)
+	if err != nil {
 		return netip.Addr{}, err
+	} else if len(ips) == 0 {
+		return netip.Addr{}, fmt.Errorf("%w: %s", resolver.ErrIPNotFound, host)
 	}
+	return ips[rand.Intn(len(ips))], nil
+}
+
+// LookupIPv4 request with TypeA
+func (r *Resolver) LookupIPv4(ctx context.Context, host string) ([]netip.Addr, error) {
+	return r.lookupIP(ctx, host, D.TypeA)
 }

 // ResolveIPv4 request with TypeA
-func (r *Resolver) ResolveIPv4(host string) (ip netip.Addr, err error) {
-	if ips, err := r.ResolveAllIPv4(host); err == nil {
-		return ips[rand.Intn(len(ips))], nil
-	} else {
+func (r *Resolver) ResolveIPv4(ctx context.Context, host string) (ip netip.Addr, err error) {
+	ips, err := r.lookupIP(ctx, host, D.TypeA)
+	if err != nil {
 		return netip.Addr{}, err
+	} else if len(ips) == 0 {
+		return netip.Addr{}, fmt.Errorf("%w: %s", resolver.ErrIPNotFound, host)
 	}
+	return ips[rand.Intn(len(ips))], nil
+}
+
+// LookupIPv6 request with TypeAAAA
+func (r *Resolver) LookupIPv6(ctx context.Context, host string) ([]netip.Addr, error) {
+	return r.lookupIP(ctx, host, D.TypeAAAA)
 }

 // ResolveIPv6 request with TypeAAAA
-func (r *Resolver) ResolveIPv6(host string) (ip netip.Addr, err error) {
-	if ips, err := r.ResolveAllIPv6(host); err == nil {
-		return ips[rand.Intn(len(ips))], nil
-	} else {
+func (r *Resolver) ResolveIPv6(ctx context.Context, host string) (ip netip.Addr, err error) {
+	ips, err := r.lookupIP(ctx, host, D.TypeAAAA)
+	if err != nil {
 		return netip.Addr{}, err
+	} else if len(ips) == 0 {
+		return netip.Addr{}, fmt.Errorf("%w: %s", resolver.ErrIPNotFound, host)
 	}
+	return ips[rand.Intn(len(ips))], nil
 }

 func (r *Resolver) shouldIPFallback(ip netip.Addr) bool {
@ -149,6 +156,16 @@ func (r *Resolver) ExchangeContext(ctx context.Context, m *D.Msg) (msg *D.Msg, e
 	if len(m.Question) == 0 {
 		return nil, errors.New("should have one question at least")
 	}
+	continueFetch := false
+	defer func() {
+		if continueFetch || errors.Is(err, context.DeadlineExceeded) || errors.Is(err, context.Canceled) {
+			go func() {
+				ctx, cancel := context.WithTimeout(context.Background(), resolver.DefaultDNSTimeout)
+				defer cancel()
+				_, _ = r.exchangeWithoutCache(ctx, m) // ignore result, just for putMsgToCache
+			}()
+		}
+	}()

 	q := m.Question[0]
 	cacheM, expireTime, hit := r.lruCache.GetWithExpire(q.String())
@ -157,7 +174,7 @@ func (r *Resolver) ExchangeContext(ctx context.Context, m *D.Msg) (msg *D.Msg, e
 		msg = cacheM.Copy()
 		if expireTime.Before(now) {
 			setMsgTTL(msg, uint32(1)) // Continue fetch
-			go r.exchangeWithoutCache(ctx, m)
+			continueFetch = true
 		} else {
 			setMsgTTL(msg, uint32(time.Until(expireTime).Seconds()))
 		}
@ -170,9 +187,16 @@ func (r *Resolver) ExchangeContext(ctx context.Context, m *D.Msg) (msg *D.Msg, e
 func (r *Resolver) exchangeWithoutCache(ctx context.Context, m *D.Msg) (msg *D.Msg, err error) {
 	q := m.Question[0]

-	ret, err, shared := r.group.Do(q.String(), func() (result any, err error) {
+	retryNum := 0
+	retryMax := 3
+	fn := func() (result any, err error) {
+		ctx, cancel := context.WithTimeout(context.Background(), resolver.DefaultDNSTimeout) // reset timeout in singleflight
+		defer cancel()
+
 		defer func() {
 			if err != nil {
+				result = retryNum
+				retryNum++
 				return
 			}

@ -190,7 +214,35 @@ func (r *Resolver) exchangeWithoutCache(ctx context.Context, m *D.Msg) (msg *D.M
 			return r.batchExchange(ctx, matched, m)
 		}
 		return r.batchExchange(ctx, r.main, m)
-	})
+	}
+
+	ch := r.group.DoChan(q.String(), fn)
+
+	var result singleflight.Result
+
+	select {
+	case result = <-ch:
+		break
+	case <-ctx.Done():
+		select {
+		case result = <-ch: // maybe ctxDone and chFinish in same time, get DoChan's result as much as possible
+			break
+		default:
+			go func() { // start a retrying monitor in background
+				result := <-ch
+				ret, err, shared := result.Val, result.Err, result.Shared
+				if err != nil && !shared && ret.(int) < retryMax { // retry
+					r.group.DoChan(q.String(), fn)
+				}
+			}()
+			return nil, ctx.Err()
+		}
+	}
+
+	ret, err, shared := result.Val, result.Err, result.Shared
+	if err != nil && !shared && ret.(int) < retryMax { // retry
+		r.group.DoChan(q.String(), fn)
+	}

 	if err == nil {
 		msg = ret.(*D.Msg)
@ -203,31 +255,10 @@ func (r *Resolver) exchangeWithoutCache(ctx context.Context, m *D.Msg) (msg *D.M
 }

 func (r *Resolver) batchExchange(ctx context.Context, clients []dnsClient, m *D.Msg) (msg *D.Msg, err error) {
-	fast, ctx := picker.WithTimeout[*D.Msg](ctx, resolver.DefaultDNSTimeout)
-	for _, client := range clients {
-		r := client
-		fast.Go(func() (*D.Msg, error) {
-			m, err := r.ExchangeContext(ctx, m)
-			if err != nil {
-				return nil, err
-			} else if m.Rcode == D.RcodeServerFailure || m.Rcode == D.RcodeRefused {
-				return nil, errors.New("server failure")
-			}
-			return m, nil
-		})
-	}
+	ctx, cancel := context.WithTimeout(ctx, resolver.DefaultDNSTimeout)
+	defer cancel()

-	elm := fast.Wait()
-	if elm == nil {
-		err := errors.New("all DNS requests failed")
-		if fErr := fast.Error(); fErr != nil {
-			err = fmt.Errorf("%w, first error: %s", err, fErr.Error())
-		}
-		return nil, err
-	}
-
-	msg = elm
-	return
+	return batchExchange(ctx, clients, m)
 }

 func (r *Resolver) matchPolicy(m *D.Msg) []dnsClient {
@ -305,7 +336,7 @@ func (r *Resolver) ipExchange(ctx context.Context, m *D.Msg) (msg *D.Msg, err er
 	return
 }

-func (r *Resolver) resolveIP(host string, dnsType uint16) (ips []netip.Addr, err error) {
+func (r *Resolver) lookupIP(ctx context.Context, host string, dnsType uint16) (ips []netip.Addr, err error) {
 	ip, err := netip.ParseAddr(host)
 	if err == nil {
 		isIPv4 := ip.Is4()
@ -321,7 +352,7 @@ func (r *Resolver) resolveIP(host string, dnsType uint16) (ips []netip.Addr, err
 	query := &D.Msg{}
 	query.SetQuestion(D.Fqdn(host), dnsType)

-	msg, err := r.Exchange(query)
+	msg, err := r.ExchangeContext(ctx, query)
 	if err != nil {
 		return []netip.Addr{}, err
 	}
@ -381,13 +412,13 @@ type Config struct {
 func NewResolver(config Config) *Resolver {
 	defaultResolver := &Resolver{
 		main:     transform(config.Default, nil),
-		lruCache: cache.NewLRUCache[string, *D.Msg](cache.WithSize[string, *D.Msg](4096), cache.WithStale[string, *D.Msg](true)),
+		lruCache: cache.New[string, *D.Msg](cache.WithSize[string, *D.Msg](4096), cache.WithStale[string, *D.Msg](true)),
 	}

 	r := &Resolver{
 		ipv6:     config.IPv6,
 		main:     transform(config.Main, defaultResolver),
-		lruCache: cache.NewLRUCache[string, *D.Msg](cache.WithSize[string, *D.Msg](4096), cache.WithStale[string, *D.Msg](true)),
+		lruCache: cache.New[string, *D.Msg](cache.WithSize[string, *D.Msg](4096), cache.WithStale[string, *D.Msg](true)),
 		hosts:    config.Hosts,
 	}

@ -404,6 +435,7 @@ func NewResolver(config Config) *Resolver {
 		for domain, nameserver := range config.Policy {
 			_ = r.policy.Insert(domain, NewPolicy(transform([]NameServer{nameserver}, defaultResolver)))
 		}
+		r.policy.Optimize()
 	}

 	fallbackIPFilters := []fallbackIPFilter{}
--- a/dns/server.go
+++ b/dns/server.go
@ -1,6 +1,7 @@
 package dns

 import (
+	stdContext "context"
 	"errors"
 	"net"

@ -25,7 +26,7 @@ type Server struct {

 // ServeDNS implement D.Handler ServeDNS
 func (s *Server) ServeDNS(w D.ResponseWriter, r *D.Msg) {
-	msg, err := handlerWithContext(s.handler, r)
+	msg, err := handlerWithContext(stdContext.Background(), s.handler, r)
 	if err != nil {
 		D.HandleFailed(w, r)
 		return
@ -34,12 +35,12 @@ func (s *Server) ServeDNS(w D.ResponseWriter, r *D.Msg) {
 	w.WriteMsg(msg)
 }

-func handlerWithContext(handler handler, msg *D.Msg) (*D.Msg, error) {
+func handlerWithContext(stdCtx stdContext.Context, handler handler, msg *D.Msg) (*D.Msg, error) {
 	if len(msg.Question) == 0 {
 		return nil, errors.New("at least one question is required")
 	}

-	ctx := context.NewDNSContext(msg)
+	ctx := context.NewDNSContext(stdCtx, msg)
 	return handler(ctx, msg)
 }

--- a/dns/util.go
+++ b/dns/util.go
@ -3,6 +3,7 @@ package dns
 import (
 	"context"
 	"crypto/tls"
+	"errors"
 	"fmt"
 	"net"
 	"net/netip"
@ -10,8 +11,11 @@ import (
 	"time"

 	"github.com/Dreamacro/clash/common/cache"
+	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/common/nnip"
+	"github.com/Dreamacro/clash/common/picker"
 	"github.com/Dreamacro/clash/component/dialer"
+	"github.com/Dreamacro/clash/component/resolver"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/log"
 	"github.com/Dreamacro/clash/tunnel"
@ -24,6 +28,13 @@ const (
 )

 func putMsgToCache(c *cache.LruCache[string, *D.Msg], key string, msg *D.Msg) {
+	// skip dns cache for acme challenge
+	if len(msg.Question) != 0 {
+		if q := msg.Question[0]; q.Qtype == D.TypeTXT && strings.HasPrefix(q.Name, "_acme-challenge") {
+			log.Debugln("[DNS] dns cache ignored because of acme challenge for: %s", q.Name)
+			return
+		}
+	}
 	var ttl uint32
 	switch {
 	case len(msg.Answer) != 0:
@ -71,8 +82,8 @@ func transform(servers []NameServer, resolver *Resolver) []dnsClient {
 		case "quic":
 			if doq, err := newDoQ(resolver, s.Addr, s.ProxyAdapter); err == nil {
 				ret = append(ret, doq)
-			}else{
-				log.Fatalln("DoQ format error: %v",err)
+			} else {
+				log.Fatalln("DoQ format error: %v", err)
 			}
 			continue
 		}
@ -131,80 +142,121 @@ func msgToDomain(msg *D.Msg) string {
 	return ""
 }

-type wrapPacketConn struct {
-	net.PacketConn
-	rAddr net.Addr
-}
+type dialHandler func(ctx context.Context, network, addr string) (net.Conn, error)

-func (wpc *wrapPacketConn) Read(b []byte) (n int, err error) {
-	n, _, err = wpc.PacketConn.ReadFrom(b)
-	return n, err
-}
+func getDialHandler(r *Resolver, proxyAdapter string, opts ...dialer.Option) dialHandler {
+	return func(ctx context.Context, network, addr string) (net.Conn, error) {
+		if len(proxyAdapter) == 0 {
+			opts = append(opts, dialer.WithResolver(r))
+			return dialer.DialContext(ctx, network, addr, opts...)
+		} else {
+			host, port, err := net.SplitHostPort(addr)
+			if err != nil {
+				return nil, err
+			}
+			adapter, ok := tunnel.Proxies()[proxyAdapter]
+			if !ok {
+				opts = append(opts, dialer.WithInterface(proxyAdapter))
+			}
+			if strings.Contains(network, "tcp") {
+				// tcp can resolve host by remote
+				metadata := &C.Metadata{
+					NetWork: C.TCP,
+					Host:    host,
+					DstPort: port,
+				}
+				if ok {
+					return adapter.DialContext(ctx, metadata, opts...)
+				}
+				opts = append(opts, dialer.WithResolver(r))
+				return dialer.DialContext(ctx, network, addr, opts...)
+			} else {
+				// udp must resolve host first
+				dstIP, err := resolver.ResolveIPWithResolver(ctx, host, r)
+				if err != nil {
+					return nil, err
+				}
+				metadata := &C.Metadata{
+					NetWork: C.UDP,
+					Host:    "",
+					DstIP:   dstIP,
+					DstPort: port,
+				}
+				if !ok {
+					return dialer.DialContext(ctx, network, addr, opts...)
+				}

-func (wpc *wrapPacketConn) Write(b []byte) (n int, err error) {
-	return wpc.PacketConn.WriteTo(b, wpc.rAddr)
-}
+				if !adapter.SupportUDP() {
+					return nil, fmt.Errorf("proxy adapter [%s] UDP is not supported", proxyAdapter)
+				}

-func (wpc *wrapPacketConn) RemoteAddr() net.Addr {
-	return wpc.rAddr
-}
+				packetConn, err := adapter.ListenPacketContext(ctx, metadata, opts...)
+				if err != nil {
+					return nil, err
+				}

-func (wpc *wrapPacketConn) LocalAddr() net.Addr {
-	if wpc.PacketConn.LocalAddr() == nil {
-		return &net.UDPAddr{IP: net.IPv4zero, Port: 0}
-	} else {
-		return wpc.PacketConn.LocalAddr()
+				return N.NewBindPacketConn(packetConn, metadata.UDPAddr()), nil
+			}
+		}
 	}
 }

-func dialContextExtra(ctx context.Context, adapterName string, network string, dstIP netip.Addr, port string, opts ...dialer.Option) (net.Conn, error) {
-	networkType := C.TCP
-	if network == "udp" {
-
-		networkType = C.UDP
+func listenPacket(ctx context.Context, proxyAdapter string, network string, addr string, r *Resolver, opts ...dialer.Option) (net.PacketConn, error) {
+	host, port, err := net.SplitHostPort(addr)
+	if err != nil {
+		return nil, err
+	}
+	adapter, ok := tunnel.Proxies()[proxyAdapter]
+	if !ok && len(proxyAdapter) != 0 {
+		opts = append(opts, dialer.WithInterface(proxyAdapter))
 	}

+	// udp must resolve host first
+	dstIP, err := resolver.ResolveIPWithResolver(ctx, host, r)
+	if err != nil {
+		return nil, err
+	}
 	metadata := &C.Metadata{
-		NetWork: networkType,
+		NetWork: C.UDP,
 		Host:    "",
 		DstIP:   dstIP,
 		DstPort: port,
 	}
-
-	adapter, ok := tunnel.Proxies()[adapterName]
 	if !ok {
-		opts = append(opts, dialer.WithInterface(adapterName))
-		if C.TCP == networkType {
-			return dialer.DialContext(ctx, network, dstIP.String()+":"+port, opts...)
-		} else {
-			packetConn, err := dialer.ListenPacket(ctx, network, dstIP.String()+":"+port, opts...)
+		return dialer.ListenPacket(ctx, dialer.ParseNetwork(network, dstIP), "", opts...)
+	}
+
+	if !adapter.SupportUDP() {
+		return nil, fmt.Errorf("proxy adapter [%s] UDP is not supported", proxyAdapter)
+	}
+
+	return adapter.ListenPacketContext(ctx, metadata, opts...)
+}
+
+func batchExchange(ctx context.Context, clients []dnsClient, m *D.Msg) (msg *D.Msg, err error) {
+	fast, ctx := picker.WithTimeout[*D.Msg](ctx, resolver.DefaultDNSTimeout)
+	for _, client := range clients {
+		r := client
+		fast.Go(func() (*D.Msg, error) {
+			m, err := r.ExchangeContext(ctx, m)
 			if err != nil {
 				return nil, err
+			} else if m.Rcode == D.RcodeServerFailure || m.Rcode == D.RcodeRefused {
+				return nil, errors.New("server failure")
 			}
+			return m, nil
+		})
+	}

-			return &wrapPacketConn{
-				PacketConn: packetConn,
-				rAddr:      metadata.UDPAddr(),
-			}, nil
-
+	elm := fast.Wait()
+	if elm == nil {
+		err := errors.New("all DNS requests failed")
+		if fErr := fast.Error(); fErr != nil {
+			err = fmt.Errorf("%w, first error: %s", err, fErr.Error())
 		}
+		return nil, err
 	}

-	if networkType == C.UDP && !adapter.SupportUDP() {
-		return nil, fmt.Errorf("proxy adapter [%s] UDP is not supported", adapterName)
-	}
-
-	if networkType == C.UDP {
-		packetConn, err := adapter.ListenPacketContext(ctx, metadata, opts...)
-		if err != nil {
-			return nil, err
-		}
-
-		return &wrapPacketConn{
-			PacketConn: packetConn,
-			rAddr:      metadata.UDPAddr(),
-		}, nil
-	}
-
-	return adapter.DialContext(ctx, metadata, opts...)
+	msg = elm
+	return
 }
--- a/docs/config.yaml
+++ b/docs/config.yaml
@ -16,7 +16,7 @@ log-level: debug # 日志等级 silent/error/warning/info/debug
 ipv6: true # 开启 IPv6 总开关，关闭阻断所有 IPv6 链接和屏蔽 DNS 请求 AAAA 记录

 external-controller: 0.0.0.0:9093 # RESTful API 监听地址
-
+external-controller-tls: 0.0.0.0:9443 # RESTful API HTTPS 监听地址，需要配置 tls 部分配置文件
 # secret: "123456" # `Authorization: Bearer ${secret}`

 # tcp-concurrent: true # TCP并发连接所有IP, 将使用最快握手的TCP
@ -51,29 +51,29 @@ tun:
    - 0.0.0.0/1
    - 128.0.0.0/1
  inet6_route_address: # 启用 auto_route 时使用自定义路由而不是默认路由
-    - '::/1'
-    - '8000::/1'
+    - "::/1"
+    - "8000::/1"
  # endpoint_independent_nat: false # 启用独立于端点的 NAT
  # include_uid: # UID 规则仅在 Linux 下被支持，并且需要 auto_route
-    # - 0
+  # - 0
  # include_uid_range: # 限制被路由的的用户范围
-    # - 1000-99999
+  # - 1000-99999
  # exclude_uid: # 排除路由的的用户
-    #- 1000
+  #- 1000
  # exclude_uid_range: # 排除路由的的用户范围
-    # - 1000-99999
-    
+  # - 1000-99999
+
  # Android 用户和应用规则仅在 Android 下被支持
  # 并且需要 auto_route
-  
+
  # include_android_user: # 限制被路由的 Android 用户
-    # - 0
-    # - 10
+  # - 0
+  # - 10
  # include_package: # 限制被路由的 Android 应用包名
-    # - com.android.chrome
+  # - com.android.chrome
  # exclude_package: # 排除被路由的 Android 应用包名
-    # - com.android.captiveportallogin
-  
+  # - com.android.captiveportallogin
+
 #ebpf配置
 ebpf:
  auto-redir: # redirect 模式，仅支持 TCP
@ -97,6 +97,35 @@ sniffer:
    - "443"
    # - 8000-9999

+# shadowsocks,vmess 入口配置（传入流量将和socks,mixed等入口一样按照mode所指定的方式进行匹配处理）
+# ss-config: ss://2022-blake3-aes-256-gcm:vlmpIPSyHH6f4S8WVPdRIHIlzmB+GIRfoH3aNJ/t9Gg=@:23456
+# vmess-config: vmess://1:9d0cb9d0-964f-4ef6-897d-6c6b3ccf9e68@:12345
+
+# tuic服务器入口（传入流量将和socks,mixed等入口一样按照mode所指定的方式进行匹配处理）
+#tuic-server:
+#  enable: true
+#  listen: 127.0.0.1:10443
+#  token:
+#    - TOKEN
+#  certificate: ./server.crt
+#  private-key: ./server.key
+#  congestion-controller: bbr
+#  max-idle-time: 15000
+#  authentication-timeout: 1000
+#  alpn:
+#    - h3
+#  max-udp-relay-packet-size: 1500
+
+tunnels:
+  # one line config
+  - tcp/udp,127.0.0.1:6553,114.114.114.114:53,proxy
+  - tcp,127.0.0.1:6666,rds.mysql.com:3306,vpn
+  # full yaml config
+  - network: [ tcp, udp ]
+    address: 127.0.0.1:7777
+    target: target.com
+    proxy: proxy
+
 profile:
  # 存储select选择记录
  store-selected: false
@ -107,6 +136,7 @@ profile:
 # DNS配置
 dns:
  enable: false # 关闭将使用系统 DNS
+  prefer-h3: true # 开启 DoH 支持 HTTP/3，将并发尝试
  listen: 0.0.0.0:53 # 开启 DNS 服务器监听
  # ipv6: false # false 将返回 AAAA 的空结果

@ -136,7 +166,7 @@ dns:
    - 8.8.8.8 # default value
    - tls://223.5.5.5:853 # DNS over TLS
    - https://doh.pub/dns-query # DNS over HTTPS
-    - https://dns.alidns.com/dns-query#h3=true # 强制HTTP/3
+    - https://dns.alidns.com/dns-query#h3=true # 强制 HTTP/3，与 perfer-h3 无关，强制开启 DoH 的 HTTP/3 支持，若不支持将无法使用
    - https://mozilla.cloudflare-dns.com/dns-query#DNS&h3=true # 指定策略组和使用 HTTP/3
    - dhcp://en0 # dns from dhcp
    - quic://dns.adguard.com:784 # DNS over QUIC
@ -189,7 +219,8 @@ proxies:
    server: server
    port: 443
    cipher: chacha20-ietf-poly1305
-    password: "password"
+    password:
+      "password"
      # udp: true
      # udp-over-tcp: false
      # ip-version: ipv4 # 设置节点使用 IP 版本，可选：dual，ipv4，ipv6，ipv4-prefer，ipv6-prefer。默认使用 dual
@ -227,6 +258,17 @@ proxies:
      # headers:
      #   custom: value

+  - name: "ss4"
+    type: ss
+    server: server
+    port: 443
+    cipher: chacha20-ietf-poly1305
+    password: "password"
+    plugin: shadow-tls
+    plugin-opts:
+      host: "cloud.tencent.com"
+      password: "shadow_tls_password"
+
  # vmess
  # cipher支持 auto/aes-128-gcm/chacha20-poly1305/none
  - name: "vmess"
@ -419,27 +461,32 @@ proxies:
      path: "/"
      headers:
        Host: example.com
-  
+
  #hysteria
  - name: "hysteria"
    type: hysteria
    server: server.com
    port: 443
-    auth_str: yourpassword
+    auth_str: yourpassword # 将会在未来某个时候删除
+    # auth-str: yourpassword
    # obfs: obfs_str
    # alpn:
    #   - h3
    protocol: udp # 支持 udp/wechat-video/faketcp
    up: "30 Mbps" # 若不写单位，默认为 Mbps
    down: "200 Mbps" # 若不写单位，默认为 Mbps
-    #sni: server.com
-    #skip-cert-verify: false
-    #recv_window_conn: 12582912
-    #recv_window: 52428800
-    #ca: "./my.ca"
-    #ca_str: "xyz"
-    #disable_mtu_discovery: false
+    # sni: server.com
+    # skip-cert-verify: false
+    # recv_window_conn: 12582912 # 将会在未来某个时候删除
+    # recv-window-conn: 12582912
+    # recv_window: 52428800 # 将会在未来某个时候删除
+    # recv-window: 52428800
+    # ca: "./my.ca"
+    # ca_str: "xyz" # 将会在未来某个时候删除
+    # ca-str: "xyz"
+    # disable_mtu_discovery: false
    # fingerprint: xxxx
+    # fast-open: true # 支持 TCP 快速打开，默认为 false

  - name: "wg"
    type: wireguard
@ -451,6 +498,23 @@ proxies:
    public-key: Cr8hWlKvtDt7nrvf+f0brNQQzabAqrjfBvas9pmowjo=
    udp: true

+  - name: tuic
+    server: www.example.com
+    port: 10443
+    type: tuic
+    token: TOKEN
+    # ip: 127.0.0.1 # for overwriting the DNS lookup result of the server address set in option 'server'
+    # heartbeat-interval: 10000
+    # alpn: [h3]
+    # disable-sni: true
+    reduce-rtt: true
+    # request-timeout: 8000
+    udp-relay-mode: native # Available: "native", "quic". Default: "native"
+    # congestion-controller: bbr # Available: "cubic", "new_reno", "bbr". Default: "cubic"
+    # max-udp-relay-packet-size: 1500
+    # fast-open: true
+    # skip-cert-verify: true
+
  # ShadowsocksR
  # The supported ciphers (encryption methods): all stream ciphers in ss
  # The supported obfses:
@ -605,3 +669,136 @@ sub-rules:
    - IP-CIDR,1.1.1.1/32,REJECT
    - IP-CIDR,8.8.8.8/32,ss1
    - DOMAIN,dns.alidns.com,REJECT
+
+tls:
+  certificate: string # 证书 PEM 格式，或者 证书的路径
+  private-key: string # 证书对应的私钥 PEM 格式，或者私钥路径
+
+# 流量入站
+listeners:
+  - name: socks5-in-1
+    type: socks
+    port: 10808
+    #listen: 0.0.0.0 # 默认监听 0.0.0.0
+    # rule: sub-rule-name1 # 默认使用 rules，如果未找到 sub-rule 则直接使用 rules
+    # proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理
+    # udp: false # 默认 true
+
+  - name: http-in-1
+    type: http
+    port: 10809
+    listen: 0.0.0.0
+    # rule: sub-rule-name1 # 默认使用 rules，如果未找到 sub-rule 则直接使用 rules
+    # proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时，这里的proxy名称必须合法，否则会出错)
+
+  - name: mixed-in-1
+    type: mixed #  HTTP(S) 和 SOCKS 代理混合
+    port: 10810
+    listen: 0.0.0.0
+    # rule: sub-rule-name1 # 默认使用 rules，如果未找到 sub-rule 则直接使用 rules
+    # proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时，这里的proxy名称必须合法，否则会出错)
+    # udp: false # 默认 true
+
+  - name: reidr-in-1
+    type: redir
+    port: 10811
+    listen: 0.0.0.0
+    # rule: sub-rule-name1 # 默认使用 rules，如果未找到 sub-rule 则直接使用 rules
+    # proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时，这里的proxy名称必须合法，否则会出错)
+
+  - name: tproxy-in-1
+    type: tproxy
+    port: 10812
+    listen: 0.0.0.0
+    # rule: sub-rule-name1 # 默认使用 rules，如果未找到 sub-rule 则直接使用 rules
+    # proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时，这里的proxy名称必须合法，否则会出错)
+    # udp: false # 默认 true
+
+  - name: shadowsocks-in-1
+    type: shadowsocks
+    port: 10813
+    listen: 0.0.0.0
+    # rule: sub-rule-name1 # 默认使用 rules，如果未找到 sub-rule 则直接使用 rules
+    # proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时，这里的proxy名称必须合法，否则会出错)
+    password: vlmpIPSyHH6f4S8WVPdRIHIlzmB+GIRfoH3aNJ/t9Gg=
+    cipher: 2022-blake3-aes-256-gcm
+
+  - name: vmess-in-1
+    type: vmess
+    port: 10814
+    listen: 0.0.0.0
+    # rule: sub-rule-name1 # 默认使用 rules，如果未找到 sub-rule 则直接使用 rules
+    # proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时，这里的proxy名称必须合法，否则会出错)
+    users:
+      - username: 1
+        uuid: 9d0cb9d0-964f-4ef6-897d-6c6b3ccf9e68
+        alterId: 1
+
+  - name: tuic-in-1
+    type: tuic
+    port: 10815
+    listen: 0.0.0.0
+    # rule: sub-rule-name1 # 默认使用 rules，如果未找到 sub-rule 则直接使用 rules
+    # proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时，这里的proxy名称必须合法，否则会出错)
+    #  token:
+    #    - TOKEN
+    #  certificate: ./server.crt
+    #  private-key: ./server.key
+    #  congestion-controller: bbr
+    #  max-idle-time: 15000
+    #  authentication-timeout: 1000
+    #  alpn:
+    #    - h3
+    #  max-udp-relay-packet-size: 1500
+
+  - name: tunnel-in-1
+    type: tunnel
+    port: 10816
+    listen: 0.0.0.0
+    # rule: sub-rule-name1 # 默认使用 rules，如果未找到 sub-rule 则直接使用 rules
+    # proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时，这里的proxy名称必须合法，否则会出错)
+    network: [ tcp, udp ]
+    target: target.com
+
+  - name: tun-in-1
+    type: tun
+    # rule: sub-rule-name1 # 默认使用 rules，如果未找到 sub-rule 则直接使用 rules
+    # proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时，这里的proxy名称必须合法，否则会出错)
+    stack: system # gvisor / lwip
+    dns-hijack:
+      - 0.0.0.0:53 # 需要劫持的 DNS
+    # auto-detect-interface: false # 自动识别出口网卡
+    # auto-route: false # 配置路由表
+    # mtu: 9000 # 最大传输单元
+    inet4-address: # 必须手动设置ipv4地址段
+      - 198.19.0.1/30
+    inet6-address: # 必须手动设置ipv6地址段
+      - "fdfe:dcba:9877::1/126"
+    # strict_route: true # 将所有连接路由到tun来防止泄漏，但你的设备将无法其他设备被访问
+    #    inet4_route_address: # 启用 auto_route 时使用自定义路由而不是默认路由
+    #      - 0.0.0.0/1
+    #      - 128.0.0.0/1
+    #    inet6_route_address: # 启用 auto_route 时使用自定义路由而不是默认路由
+    #      - "::/1"
+    #      - "8000::/1"
+    # endpoint_independent_nat: false # 启用独立于端点的 NAT
+    # include_uid: # UID 规则仅在 Linux 下被支持，并且需要 auto_route
+    # - 0
+    # include_uid_range: # 限制被路由的的用户范围
+    # - 1000-99999
+    # exclude_uid: # 排除路由的的用户
+    #- 1000
+    # exclude_uid_range: # 排除路由的的用户范围
+    # - 1000-99999
+
+    # Android 用户和应用规则仅在 Android 下被支持
+    # 并且需要 auto_route
+
+    # include_android_user: # 限制被路由的 Android 用户
+    # - 0
+    # - 10
+    # include_package: # 限制被路由的 Android 应用包名
+    # - com.android.chrome
+    # exclude_package: # 排除被路由的 Android 应用包名
+    # - com.android.captiveportallogin
+
--- a/flake.lock
+++ b/flake.lock
@ -2,11 +2,11 @@
  "nodes": {
    "nixpkgs": {
      "locked": {
-        "lastModified": 1664705630,
-        "narHash": "sha256-MLi1J9tIZQFj8v9RKmG89HJAE5ja3z4ui4Tf9+wG/bM=",
+        "lastModified": 1671072901,
+        "narHash": "sha256-eyFdLtfxYyZnbJorRiZ2kP2kW4gEU76hLzpZGW9mcZg=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "f71b215225dec75df6266ff7764d54c2e44ef226",
+        "rev": "69ce4fbad877f91d4b9bc4cfedfb0ff1fe5043d5",
        "type": "github"
      },
      "original": {
@ -24,11 +24,11 @@
    },
    "utils": {
      "locked": {
-        "lastModified": 1659877975,
-        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
+        "lastModified": 1667395993,
+        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
+        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -23,12 +23,12 @@
      {
        overlay = final: prev: {

-          clash-meta = final.buildGoModule {
+          clash-meta = final.buildGo119Module {
            pname = "clash-meta";
            inherit version;
            src = ./.;

-            vendorSha256 = "sha256-yhq4WHQcS4CrdcO6KJ5tSn4m7l5g1lNgE9/2BWd9Iys=";
+            vendorSha256 = "sha256-8cbcE9gKJjU14DNTLPc6nneEPZg7Akt+FlSDlPRvG5k=";

            # Do not build testing suit
            excludedPackages = [ "./test" ];
--- a/go.mod
+++ b/go.mod
@ -3,73 +3,76 @@ module github.com/Dreamacro/clash
 go 1.19

 require (
+	github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da
 	github.com/cilium/ebpf v0.9.3
 	github.com/coreos/go-iptables v0.6.0
-	github.com/database64128/tfo-go v1.1.2
+	github.com/database64128/tfo-go/v2 v2.0.2
 	github.com/dlclark/regexp2 v1.7.0
 	github.com/go-chi/chi/v5 v5.0.7
 	github.com/go-chi/cors v1.2.1
 	github.com/go-chi/render v1.0.2
-	github.com/gofrs/uuid v4.3.0+incompatible
+	github.com/gofrs/uuid v4.3.1+incompatible
 	github.com/google/gopacket v1.1.19
 	github.com/gorilla/websocket v1.5.0
 	github.com/hashicorp/golang-lru v0.5.4
 	github.com/insomniacslk/dhcp v0.0.0-20221001123530-5308ebe5334c
-	github.com/lucas-clemente/quic-go v0.29.1
+	github.com/jpillora/backoff v1.0.0
 	github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40
+	github.com/mdlayher/netlink v1.7.0
+	github.com/metacubex/quic-go v0.31.1-0.20221127023445-9f0ce65a734e
+	github.com/metacubex/sing-shadowsocks v0.1.0
+	github.com/metacubex/sing-tun v0.1.0
 	github.com/metacubex/sing-wireguard v0.0.0-20221109114053-16c22adda03c
 	github.com/miekg/dns v1.1.50
 	github.com/oschwald/geoip2-golang v1.8.0
 	github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97
-	github.com/sagernet/sing v0.0.0-20221008120626-60a9910eefe4
-	github.com/sagernet/sing-shadowsocks v0.0.0-20220819002358-7461bb09a8f6
-	github.com/sagernet/sing-tun v0.0.0-20221012082254-488c3b75f6fd
-	github.com/sagernet/sing-vmess v0.0.0-20221109021549-b446d5bdddf0
+	github.com/sagernet/sing v0.1.0
+	github.com/sagernet/sing-vmess v0.1.0
 	github.com/sagernet/wireguard-go v0.0.0-20221108054404-7c2acadba17c
+	github.com/samber/lo v1.35.0
 	github.com/sirupsen/logrus v1.9.0
-	github.com/stretchr/testify v1.8.0
+	github.com/stretchr/testify v1.8.1
 	github.com/xtls/go v0.0.0-20220914232946-0441cf4cf837
 	go.etcd.io/bbolt v1.3.6
 	go.uber.org/atomic v1.10.0
 	go.uber.org/automaxprocs v1.5.1
-	golang.org/x/crypto v0.1.0
+	golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a
 	golang.org/x/exp v0.0.0-20220930202632-ec3f01382ef9
-	golang.org/x/net v0.1.0
-	golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0
-	golang.org/x/sys v0.1.0
+	golang.org/x/net v0.2.1-0.20221117215542-ecf7fda6a59e
+	golang.org/x/sync v0.1.0
+	golang.org/x/sys v0.2.1-0.20221110211117-d684c6f88669
 	google.golang.org/protobuf v1.28.1
 	gopkg.in/yaml.v3 v3.0.1
-
+	lukechampine.com/blake3 v1.1.7
 )

-replace github.com/lucas-clemente/quic-go => github.com/HyNetwork/quic-go v0.30.1-0.20221105180419-83715d7269a8
-
-replace github.com/sagernet/sing-tun => github.com/MetaCubeX/sing-tun v0.0.0-20221105124245-542e9b56a6dc
-
 require (
 	github.com/ajg/form v1.5.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/fsnotify/fsnotify v1.5.4 // indirect
+	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 // indirect
 	github.com/golang/mock v1.6.0 // indirect
-	github.com/google/btree v1.1.2 // indirect
+	github.com/google/btree v1.0.1 // indirect
+	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38 // indirect
-	github.com/klauspost/cpuid/v2 v2.1.1 // indirect
+	github.com/josharian/native v1.0.0 // indirect
+	github.com/klauspost/cpuid/v2 v2.0.12 // indirect
 	github.com/marten-seemann/qpack v0.3.0 // indirect
 	github.com/marten-seemann/qtls-go1-18 v0.1.3 // indirect
 	github.com/marten-seemann/qtls-go1-19 v0.1.1 // indirect
+	github.com/mdlayher/socket v0.4.0 // indirect
 	github.com/onsi/ginkgo/v2 v2.2.0 // indirect
 	github.com/oschwald/maxminddb-golang v1.10.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/sagernet/abx-go v0.0.0-20220819185957-dba1257d738e // indirect
 	github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61 // indirect
-	github.com/u-root/uio v0.0.0-20220204230159-dac05f7d2cb4 // indirect
-	github.com/vishvananda/netns v0.0.0-20220913150850-18c4f4234207 // indirect
+	github.com/u-root/uio v0.0.0-20210528114334-82958018845c // indirect
+	github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 // indirect
 	golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
 	golang.org/x/text v0.4.0 // indirect
-	golang.org/x/time v0.0.0-20220922220347-f3bd1da661af // indirect
+	golang.org/x/time v0.0.0-20191024005414-555d28b269f0 // indirect
 	golang.org/x/tools v0.1.12 // indirect
-	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
 	gvisor.dev/gvisor v0.0.0-20220901235040-6ca97ef2ce1c // indirect
-	lukechampine.com/blake3 v1.1.7 // indirect
 )
+
+replace gvisor.dev/gvisor v0.0.0-20220901235040-6ca97ef2ce1c => github.com/metacubex/gvisor v0.0.0-20221217030112-bdcd835fd60e
--- a/go.sum
+++ b/go.sum
@ -1,7 +1,5 @@
-github.com/HyNetwork/quic-go v0.30.1-0.20221105180419-83715d7269a8 h1:FBo40lMrk1bZZzJRJx8U+bQUPhLDGTUJ/Q5NV5BbO4Q=
-github.com/HyNetwork/quic-go v0.30.1-0.20221105180419-83715d7269a8/go.mod h1:ssOrRsOmdxa768Wr78vnh2B8JozgLsMzG/g+0qEC7uk=
-github.com/MetaCubeX/sing-tun v0.0.0-20221105124245-542e9b56a6dc h1:B1vmR4cwDjJQ6YM8NkuXmt9vIYOdV/+qA+F3UAFE3YY=
-github.com/MetaCubeX/sing-tun v0.0.0-20221105124245-542e9b56a6dc/go.mod h1:1u3pjXA9HmH7kRiBJqM3C/zPxrxnCLd3svmqtub/RFU=
+github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da h1:KjTM2ks9d14ZYCvmHS9iAKVt9AyzRSqNU1qabPih5BY=
+github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da/go.mod h1:eHEWzANqSiWQsof+nXEI9bUVUyV6F53Fp89EuCh2EAA=
 github.com/ajg/form v1.5.1 h1:t9c7v8JUKu/XxOGBU0yjNpaMloxGEJhUkqFRq0ibGeU=
 github.com/ajg/form v1.5.1/go.mod h1:uL1WgH+h2mgNtvBq0339dVnzXdBETtL2LeUXaIv25UY=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
@ -11,8 +9,8 @@ github.com/cilium/ebpf v0.9.3 h1:5KtxXZU+scyERvkJMEm16TbScVvuuMrlhPly78ZMbSc=
 github.com/cilium/ebpf v0.9.3/go.mod h1:w27N4UjpaQ9X/DGrSugxUG+H+NhgntDuPb5lCzxCn8A=
 github.com/coreos/go-iptables v0.6.0 h1:is9qnZMPYjLd8LYqmm/qlE+wwEgJIkTYdhV3rfZo4jk=
 github.com/coreos/go-iptables v0.6.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
-github.com/database64128/tfo-go v1.1.2 h1:GwxtJp09BdUTVEoeT421t231eNZoGOCRkklbl4WI1kU=
-github.com/database64128/tfo-go v1.1.2/go.mod h1:jgrSUPyOvTGQyn6irCOpk7L2W/q/0VLZZcovQiMi+bI=
+github.com/database64128/tfo-go/v2 v2.0.2 h1:5rGgkJeLEKlNaqredfrPQNLnctn1b+1fq/8tdKdOzJg=
+github.com/database64128/tfo-go/v2 v2.0.2/go.mod h1:FDdt4JaAsRU66wsYHxSVytYimPkKIHupVsxM+5DhvjY=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@ -20,8 +18,8 @@ github.com/dlclark/regexp2 v1.7.0 h1:7lJfhqlPssTb1WQx4yvTHN0uElPEv52sbaECrAQxjAo
 github.com/dlclark/regexp2 v1.7.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
 github.com/fanliao/go-promise v0.0.0-20141029170127-1890db352a72/go.mod h1:PjfxuH4FZdUyfMdtBio2lsRr1AKEaVPwelzuHuh8Lqc=
 github.com/frankban/quicktest v1.14.0 h1:+cqqvzZV87b4adx/5ayVOaYZ2CrvM4ejQvUdBzPPUss=
-github.com/fsnotify/fsnotify v1.5.4 h1:jRbGcIw6P2Meqdwuo0H1p6JVLbL5DHKAKlYndzMwVZI=
-github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU=
+github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
+github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
 github.com/go-chi/chi/v5 v5.0.7 h1:rDTPXLDHGATaeHvVlLcR4Qe0zftYethFucbjVQ1PxU8=
 github.com/go-chi/chi/v5 v5.0.7/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
 github.com/go-chi/cors v1.2.1 h1:xEC8UT3Rlp2QuWNEr4Fs/c2EAGVKBwy/1vHx3bppil4=
@ -30,21 +28,22 @@ github.com/go-chi/render v1.0.2 h1:4ER/udB0+fMWB2Jlf15RV3F4A2FDuYi/9f+lFttR/Lg=
 github.com/go-chi/render v1.0.2/go.mod h1:/gr3hVkmYR0YlEy3LxCuVRFzEu9Ruok+gFqbIofjao0=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
-github.com/gofrs/uuid v4.3.0+incompatible h1:CaSVZxm5B+7o45rtab4jC2G37WGYX1zQfuU2i6DSvnc=
-github.com/gofrs/uuid v4.3.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
+github.com/gofrs/uuid v4.3.1+incompatible h1:0/KbAdpx3UXAx1kEOWHJeOkpbgRFGHVgv+CFIY7dBJI=
+github.com/gofrs/uuid v4.3.1+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
 github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
-github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
-github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
+github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4=
+github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg=
+github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
 github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
 github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38 h1:yAJXTCF9TqKcTiHJAE8dj7HMvPfh66eeA2JYW7eFpSE=
@ -58,14 +57,18 @@ github.com/hugelgupf/socketpair v0.0.0-20190730060125-05d35a94e714/go.mod h1:2Go
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/insomniacslk/dhcp v0.0.0-20221001123530-5308ebe5334c h1:OCFM4+DXTWfNlyeoddrTwdup/ztkGSyAMR2UGcPckNQ=
 github.com/insomniacslk/dhcp v0.0.0-20221001123530-5308ebe5334c/go.mod h1:h+MxyHxRg9NH3terB1nfRIUaQEcI0XOVkdR9LNBlp8E=
+github.com/josharian/native v1.0.0 h1:Ts/E8zCSEsG17dUqv7joXJFybuMLjQfWE04tsBODTxk=
+github.com/josharian/native v1.0.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
+github.com/jpillora/backoff v1.0.0 h1:uvFg412JmmHBHw7iwprIxkPMI+sGQ4kzOWsMeHnm2EA=
+github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
 github.com/jsimonetti/rtnetlink v0.0.0-20190606172950-9527aa82566a/go.mod h1:Oz+70psSo5OFh8DBl0Zv2ACw7Esh6pPUphlvZG9x7uw=
 github.com/jsimonetti/rtnetlink v0.0.0-20200117123717-f846d4f6c1f4/go.mod h1:WGuG/smIU4J/54PblvSbh+xvCZmpJnFgr3ds6Z55XMQ=
 github.com/jsimonetti/rtnetlink v0.0.0-20201009170750-9c6f07d100c1/go.mod h1:hqoO/u39cqLeBLebZ8fWdE96O7FxrAsRYhnVOdgHxok=
 github.com/jsimonetti/rtnetlink v0.0.0-20201110080708-d2c240429e6c/go.mod h1:huN4d1phzjhlOsNIjFsw2SVRbwIHj3fJDMEU2SDPTmg=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
 github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
-github.com/klauspost/cpuid/v2 v2.1.1 h1:t0wUqjowdm8ezddV5k0tLWVklVuvLJpoHeb4WBdydm0=
-github.com/klauspost/cpuid/v2 v2.1.1/go.mod h1:RVVoqg1df56z8g3pUjL/3lE5UfnlrJX8tyFgg4nqhuY=
+github.com/klauspost/cpuid/v2 v2.0.12 h1:p9dKCg8i4gmOxtv35DvrYoWqYzQrvEVdjQ762Y0OqZE=
+github.com/klauspost/cpuid/v2 v2.0.12/go.mod h1:g2LTdtYhdyuGPqyWyv7qRAmj1WBqxuObKfj5c0PQa7c=
 github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40 h1:EnfXoSqDfSNJv0VBNqY/88RNnhSGYkrHaO0mmFGbVsc=
@ -81,12 +84,25 @@ github.com/mdlayher/netlink v0.0.0-20190409211403-11939a169225/go.mod h1:eQB3mZE
 github.com/mdlayher/netlink v1.0.0/go.mod h1:KxeJAFOFLG6AjpyDkQ/iIhxygIUKD+vcwqcnu43w/+M=
 github.com/mdlayher/netlink v1.1.0/go.mod h1:H4WCitaheIsdF9yOYu8CFmCgQthAPIWZmcKp9uZHgmY=
 github.com/mdlayher/netlink v1.1.1/go.mod h1:WTYpFb/WTvlRJAyKhZL5/uy69TDDpHHu2VZmb2XgV7o=
+github.com/mdlayher/netlink v1.7.0 h1:ZNGI4V7i1fJ94DPYtWhI/R85i/Q7ZxnuhUJQcJMoodI=
+github.com/mdlayher/netlink v1.7.0/go.mod h1:nKO5CSjE/DJjVhk/TNp6vCE1ktVxEA8VEh8drhZzxsQ=
 github.com/mdlayher/raw v0.0.0-20190606142536-fef19f00fc18/go.mod h1:7EpbotpCmVZcu+KCX4g9WaRNuu11uyhiW7+Le1dKawg=
 github.com/mdlayher/raw v0.0.0-20191009151244-50f2db8cc065/go.mod h1:7EpbotpCmVZcu+KCX4g9WaRNuu11uyhiW7+Le1dKawg=
+github.com/mdlayher/socket v0.4.0 h1:280wsy40IC9M9q1uPGcLBwXpcTQDtoGwVt+BNoITxIw=
+github.com/mdlayher/socket v0.4.0/go.mod h1:xxFqz5GRCUN3UEOm9CZqEJsAbe1C8OwSK46NlmWuVoc=
+github.com/metacubex/gvisor v0.0.0-20221217030112-bdcd835fd60e h1:3PHqNvIAwYbv9cOQbRFIUgzJ+K6fhV1HHj+Vpg8U7g8=
+github.com/metacubex/gvisor v0.0.0-20221217030112-bdcd835fd60e/go.mod h1:TIvkJD0sxe8pIob3p6T8IzxXunlp6yfgktvTNp+DGNM=
+github.com/metacubex/quic-go v0.31.1-0.20221127023445-9f0ce65a734e h1:RnfC6+sShJ3biU2Q2wuh4FxZ8/3fp1QG+1zAfswVehA=
+github.com/metacubex/quic-go v0.31.1-0.20221127023445-9f0ce65a734e/go.mod h1:7NPWVTLiX2Ss9q9gBNZaNHsPqZ3Tg/ApyrXxxUYbl78=
+github.com/metacubex/sing-shadowsocks v0.1.0 h1:uGBtNkpy4QFlofaNkJf+iFegeLU11VzTUlkC46FHF8A=
+github.com/metacubex/sing-shadowsocks v0.1.0/go.mod h1:8pBSYDKVxTtqUtGZyEh4ZpFJXwP6wBVVKrs6oQiOwmQ=
+github.com/metacubex/sing-tun v0.1.0 h1:iQj0+0WjJynSKAtfv87wOZlVKWl3w9RvkOSkVe9zuMg=
+github.com/metacubex/sing-tun v0.1.0/go.mod h1:l4JyI6RTrlHLQz5vSakg+wxA+LwGVI0Mz5ZtlOv67dA=
 github.com/metacubex/sing-wireguard v0.0.0-20221109114053-16c22adda03c h1:VHtXDny/TNOF7YDT9d9Qkr+x6K1O4cejXLlyPUXDeXQ=
 github.com/metacubex/sing-wireguard v0.0.0-20221109114053-16c22adda03c/go.mod h1:fULJ451x1/XlpIhl+Oo+EPGKla9tFZaqT5dKLrZ+NvM=
 github.com/miekg/dns v1.1.50 h1:DQUfb9uc6smULcREF09Uc+/Gd46YWqJd5DbpPE9xkcA=
 github.com/miekg/dns v1.1.50/go.mod h1:e3IlAVfNqAllflbibAZEWOXOQ+Ynzk/dDozDxY7XnME=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
 github.com/onsi/ginkgo/v2 v2.2.0 h1:3ZNA3L1c5FYDFTTxbFeVGGD8jYvjYauHD30YgLxVsNI=
 github.com/onsi/ginkgo/v2 v2.2.0/go.mod h1:MEH45j8TBi6u9BMogfbp0stKC5cdGjumZj5Y7AG4VIk=
 github.com/onsi/gomega v1.20.1 h1:PA/3qinGoukvymdIDV8pii6tiZgC8kbmJO6Z5+b002Q=
@ -105,31 +121,33 @@ github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61/go.mod h
 github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 h1:iL5gZI3uFp0X6EslacyapiRz7LLSJyr4RajF/BhMVyE=
 github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
 github.com/sagernet/sing v0.0.0-20220817130738-ce854cda8522/go.mod h1:QVsS5L/ZA2Q5UhQwLrn0Trw+msNd/NPGEhBKR/ioWiY=
-github.com/sagernet/sing v0.0.0-20221008120626-60a9910eefe4 h1:LO7xMvMGhYmjQg2vjhTzsODyzs9/WLYu5Per+/8jIeo=
-github.com/sagernet/sing v0.0.0-20221008120626-60a9910eefe4/go.mod h1:zvgDYKI+vCAW9RyfyrKTgleI+DOa8lzHMPC7VZo3OL4=
-github.com/sagernet/sing-shadowsocks v0.0.0-20220819002358-7461bb09a8f6 h1:JJfDeYYhWunvtxsU/mOVNTmFQmnzGx9dY034qG6G3g4=
-github.com/sagernet/sing-shadowsocks v0.0.0-20220819002358-7461bb09a8f6/go.mod h1:EX3RbZvrwAkPI2nuGa78T2iQXmrkT+/VQtskjou42xM=
-github.com/sagernet/sing-vmess v0.0.0-20221109021549-b446d5bdddf0 h1:z3kuD3hPNdEq7/wVy5lwE21f+8ZTazBtR81qswxJoCc=
-github.com/sagernet/sing-vmess v0.0.0-20221109021549-b446d5bdddf0/go.mod h1:bwhAdSNET1X+j9DOXGj9NIQR39xgcWIk1rOQ9lLD+gM=
+github.com/sagernet/sing v0.1.0 h1:FGmaP2BVPYO2IyC/3R1DaQa/zr+kOKHRgWqrmOF+Gu8=
+github.com/sagernet/sing v0.1.0/go.mod h1:zvgDYKI+vCAW9RyfyrKTgleI+DOa8lzHMPC7VZo3OL4=
+github.com/sagernet/sing-vmess v0.1.0 h1:x0tYBJRbVi7zVXpMEW45eApGpXIDs9ub3raglouAKMo=
+github.com/sagernet/sing-vmess v0.1.0/go.mod h1:4lwj6EHrUlgRnKhbmtboGbt+wtl5+tHMv96Ez8LZArw=
 github.com/sagernet/wireguard-go v0.0.0-20221108054404-7c2acadba17c h1:qP3ZOHnjZalvqbjundbXiv/YrNlo3HOgrKc+S1QGs0U=
 github.com/sagernet/wireguard-go v0.0.0-20221108054404-7c2acadba17c/go.mod h1:euOmN6O5kk9dQmgSS8Df4psAl3TCjxOz0NW60EWkSaI=
+github.com/samber/lo v1.35.0 h1:GlT8CV1GE+v97Y7MLF1wXvX6mjoxZ+hi61tj/ZcQwY0=
+github.com/samber/lo v1.35.0/go.mod h1:HLeWcJRRyLKp3+/XBJvOrerCQn9mhdKMHyd7IRlgeQ8=
 github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
 github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
 github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/thoas/go-funk v0.9.1 h1:O549iLZqPpTUQ10ykd26sZhzD+rmR5pWhuElrhbC20M=
+github.com/u-root/uio v0.0.0-20210528114334-82958018845c h1:BFvcl34IGnw8yvJi8hlqLFo9EshRInwWBs2M5fGWzQA=
 github.com/u-root/uio v0.0.0-20210528114334-82958018845c/go.mod h1:LpEX5FO/cB+WF4TYGY1V5qktpaZLkKkSegbr0V4eYXA=
-github.com/u-root/uio v0.0.0-20220204230159-dac05f7d2cb4 h1:hl6sK6aFgTLISijk6xIzeqnPzQcsLqqvL6vEfTPinME=
-github.com/u-root/uio v0.0.0-20220204230159-dac05f7d2cb4/go.mod h1:LpEX5FO/cB+WF4TYGY1V5qktpaZLkKkSegbr0V4eYXA=
-github.com/vishvananda/netns v0.0.0-20220913150850-18c4f4234207 h1:nn7SOQy8xCu3iXNv7oiBhhEQtbWdnEOMnuKBlHvrqIM=
-github.com/vishvananda/netns v0.0.0-20220913150850-18c4f4234207/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
+github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 h1:gga7acRE695APm9hlsSMoOoE65U4/TcqNj90mc69Rlg=
+github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
 github.com/xtls/go v0.0.0-20220914232946-0441cf4cf837 h1:AHhUwwFJGl27E46OpdJHplZkK09m7aETNBNzhT6t15M=
 github.com/xtls/go v0.0.0-20220914232946-0441cf4cf837/go.mod h1:YJTRELIWrGxR1s8xcEBgxcxBfwQfMGjdvNLTjN9XFgY=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
@ -142,8 +160,8 @@ go.uber.org/automaxprocs v1.5.1/go.mod h1:BF4eumQw0P9GtnuxxovUd06vwm1o18oMzFtK66
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.1.0 h1:MDRAIl0xIo9Io2xV565hzXHw3zVseKrJKodhohM5CjU=
-golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
+golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a h1:diz9pEYuTIuLMJLs3rGDkeaTsNyRs6duYdFyPAxzE/U=
+golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/exp v0.0.0-20220930202632-ec3f01382ef9 h1:RjggHMcaTVp0LOVZcW0bo8alwHrOaCrGUDgfWUHhnN4=
 golang.org/x/exp v0.0.0-20220930202632-ec3f01382ef9/go.mod h1:cyybsKvd6eL0RnXn6p/Grxp8F5bW7iYuBgsNCOHpMYE=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
@ -163,12 +181,12 @@ golang.org/x/net v0.0.0-20201010224723-4f7140c49acb/go.mod h1:sp8m0HH+o8qH0wwXwY
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.1.0 h1:hZ/3BUoy5aId7sCpA/Tc5lt8DkFgdVS2onTpJsZ/fl0=
-golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
+golang.org/x/net v0.2.1-0.20221117215542-ecf7fda6a59e h1:IVOjWZQH/57UDcpX19vSmMz8w3ohroOMWohn8qWpRkg=
+golang.org/x/net v0.2.1-0.20221117215542-ecf7fda6a59e/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0 h1:cu5kTvlzcw1Q5S9f5ip1/cpiB4nXvw1XYzFPGgzLUOY=
-golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190411185658-b44545bcd369/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@ -190,20 +208,19 @@ golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210525143221-35b2ab0089ea/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220731174439-a90be440212d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U=
-golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.2.1-0.20221110211117-d684c6f88669 h1:pvmSpBoSG0gD2LLPAX15QHPig8xsbU0tu1sSAmResqk=
+golang.org/x/sys v0.2.1-0.20221110211117-d684c6f88669/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/time v0.0.0-20220922220347-f3bd1da661af h1:Yx9k8YCG3dvF87UAn2tu2HQLf2dt/eR1bXxpLMWeH+Y=
-golang.org/x/time v0.0.0-20220922220347-f3bd1da661af/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.0.0-20191024005414-555d28b269f0 h1:/5xXl8Y5W96D+TtHSlonuFqGHIWVuyCkGJLwGh9JJFs=
+golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
@ -220,13 +237,10 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0
 google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w=
 google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
-gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gvisor.dev/gvisor v0.0.0-20220901235040-6ca97ef2ce1c h1:m5lcgWnL3OElQNVyp3qcncItJ2c0sQlSGjYK2+nJTA4=
-gvisor.dev/gvisor v0.0.0-20220901235040-6ca97ef2ce1c/go.mod h1:TIvkJD0sxe8pIob3p6T8IzxXunlp6yfgktvTNp+DGNM=
 lukechampine.com/blake3 v1.1.7 h1:GgRMhmdsuK8+ii6UZFDL8Nb+VyMwadAgcJyfYHxG6n0=
 lukechampine.com/blake3 v1.1.7/go.mod h1:tkKEOtDkNtklkXtLNEOGNq5tcV90tJiA1vAA12R78LA=
--- a/hub/executor/executor.go
+++ b/hub/executor/executor.go
@ -2,14 +2,13 @@ package executor

 import (
 	"fmt"
-	"github.com/Dreamacro/clash/component/tls"
-	"github.com/Dreamacro/clash/listener/inner"
 	"net/netip"
 	"os"
 	"runtime"
 	"sync"

 	"github.com/Dreamacro/clash/adapter"
+	"github.com/Dreamacro/clash/adapter/inbound"
 	"github.com/Dreamacro/clash/adapter/outboundgroup"
 	"github.com/Dreamacro/clash/component/auth"
 	"github.com/Dreamacro/clash/component/dialer"
@ -19,13 +18,16 @@ import (
 	"github.com/Dreamacro/clash/component/profile/cachefile"
 	"github.com/Dreamacro/clash/component/resolver"
 	SNI "github.com/Dreamacro/clash/component/sniffer"
+	"github.com/Dreamacro/clash/component/tls"
 	"github.com/Dreamacro/clash/component/trie"
 	"github.com/Dreamacro/clash/config"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/constant/provider"
 	"github.com/Dreamacro/clash/dns"
-	P "github.com/Dreamacro/clash/listener"
+	"github.com/Dreamacro/clash/listener"
 	authStore "github.com/Dreamacro/clash/listener/auth"
+	LC "github.com/Dreamacro/clash/listener/config"
+	"github.com/Dreamacro/clash/listener/inner"
 	"github.com/Dreamacro/clash/listener/tproxy"
 	"github.com/Dreamacro/clash/log"
 	"github.com/Dreamacro/clash/tunnel"
@ -76,7 +78,7 @@ func ApplyConfig(cfg *config.Config, force bool) {
 	preUpdateExperimental(cfg)
 	updateUsers(cfg.Users)
 	updateProxies(cfg.Proxies, cfg.Providers)
-	updateRules(cfg.Rules, cfg.RuleProviders)
+	updateRules(cfg.Rules, cfg.SubRules, cfg.RuleProviders)
 	updateSniffer(cfg.Sniffer)
 	updateHosts(cfg.Hosts)
 	initInnerTcp()
@ -85,9 +87,11 @@ func ApplyConfig(cfg *config.Config, force bool) {
 	updateProfile(cfg)
 	loadRuleProvider(cfg.RuleProviders)
 	updateGeneral(cfg.General, force)
+	updateListeners(cfg.Listeners)
 	updateIPTables(cfg)
 	updateTun(cfg.General)
 	updateExperimental(cfg)
+	updateTunnels(cfg.Tunnels)

 	log.SetLevel(cfg.General.LogLevel)
 }
@ -97,7 +101,7 @@ func initInnerTcp() {
 }

 func GetGeneral() *config.General {
-	ports := P.GetPorts()
+	ports := listener.GetPorts()
 	var authenticator []string
 	if auth := authStore.Authenticator(); auth != nil {
 		authenticator = auth.Users()
@ -110,19 +114,18 @@ func GetGeneral() *config.General {
 			RedirPort:         ports.RedirPort,
 			TProxyPort:        ports.TProxyPort,
 			MixedPort:         ports.MixedPort,
+			Tun:               listener.GetTunConf(),
+			TuicServer:        listener.GetTuicConf(),
 			ShadowSocksConfig: ports.ShadowSocksConfig,
 			VmessConfig:       ports.VmessConfig,
-			TcpTunConfig:      ports.TcpTunConfig,
-			UdpTunConfig:      ports.UdpTunConfig,
 			Authentication:    authenticator,
-			AllowLan:          P.AllowLan(),
-			BindAddress:       P.BindAddress(),
+			AllowLan:          listener.AllowLan(),
+			BindAddress:       listener.BindAddress(),
 		},
 		Mode:          tunnel.Mode(),
 		LogLevel:      log.Level(),
 		IPv6:          !resolver.DisableIPv6,
 		GeodataLoader: G.LoaderName(),
-		Tun:           P.GetTunConf(),
 		Interface:     dialer.DefaultInterface.Load(),
 		Sniffing:      tunnel.IsSniffing(),
 		TCPConcurrent: dialer.GetDial(),
@ -131,6 +134,13 @@ func GetGeneral() *config.General {
 	return general
 }

+func updateListeners(listeners map[string]C.InboundListener) {
+	tcpIn := tunnel.TCPIn()
+	udpIn := tunnel.UDPIn()
+
+	listener.PatchInboundListeners(listeners, tcpIn, udpIn, true)
+}
+
 func updateExperimental(c *config.Config) {
 	runtime.GC()
 }
@ -202,8 +212,8 @@ func updateProxies(proxies map[string]C.Proxy, providers map[string]provider.Pro
 	tunnel.UpdateProxies(proxies, providers)
 }

-func updateRules(rules []C.Rule, ruleProviders map[string]provider.RuleProvider) {
-	tunnel.UpdateRules(rules, ruleProviders)
+func updateRules(rules []C.Rule, subRules map[string][]C.Rule, ruleProviders map[string]provider.RuleProvider) {
+	tunnel.UpdateRules(rules, subRules, ruleProviders)
 }

 func loadProvider(pv provider.Provider) {
@ -266,8 +276,8 @@ func updateTun(general *config.General) {
 	if general == nil {
 		return
 	}
-	P.ReCreateTun(general.Tun, tunnel.TCPIn(), tunnel.UDPIn())
-	P.ReCreateRedirToTun(general.Tun.RedirectToTun)
+	listener.ReCreateTun(LC.Tun(general.Tun), tunnel.TCPIn(), tunnel.UDPIn())
+	listener.ReCreateRedirToTun(general.Tun.RedirectToTun)
 }

 func updateSniffer(sniffer *config.Sniffer) {
@ -293,9 +303,13 @@ func updateSniffer(sniffer *config.Sniffer) {
 	}
 }

+func updateTunnels(tunnels []LC.Tunnel) {
+	listener.PatchTunnel(tunnels, tunnel.TCPIn(), tunnel.UDPIn())
+}
+
 func updateGeneral(general *config.General, force bool) {
 	tunnel.SetMode(general.Mode)
-	tunnel.SetAlwaysFindProcess(general.EnableProcess)
+	tunnel.SetFindProcessMode(general.EnableProcess, general.FindProcessMode)
 	dialer.DisableIPv6 = !general.IPv6
 	if !dialer.DisableIPv6 {
 		log.Infoln("Use IPv6")
@ -330,26 +344,25 @@ func updateGeneral(general *config.General, force bool) {
 	G.SetLoader(geodataLoader)

 	allowLan := general.AllowLan
-	P.SetAllowLan(allowLan)
+	listener.SetAllowLan(allowLan)

 	bindAddress := general.BindAddress
-	P.SetBindAddress(bindAddress)
+	listener.SetBindAddress(bindAddress)

-	P.SetInboundTfo(general.InboundTfo)
+	inbound.SetTfo(general.InboundTfo)

 	tcpIn := tunnel.TCPIn()
 	udpIn := tunnel.UDPIn()

-	P.ReCreateHTTP(general.Port, tcpIn)
-	P.ReCreateSocks(general.SocksPort, tcpIn, udpIn)
-	P.ReCreateRedir(general.RedirPort, tcpIn, udpIn)
-	P.ReCreateAutoRedir(general.EBpf.AutoRedir, tcpIn, udpIn)
-	P.ReCreateTProxy(general.TProxyPort, tcpIn, udpIn)
-	P.ReCreateMixed(general.MixedPort, tcpIn, udpIn)
-	P.ReCreateShadowSocks(general.ShadowSocksConfig, tcpIn, udpIn)
-	P.ReCreateVmess(general.VmessConfig, tcpIn, udpIn)
-	P.ReCreateTcpTun(general.TcpTunConfig, tcpIn, udpIn)
-	P.ReCreateUdpTun(general.UdpTunConfig, tcpIn, udpIn)
+	listener.ReCreateHTTP(general.Port, tcpIn)
+	listener.ReCreateSocks(general.SocksPort, tcpIn, udpIn)
+	listener.ReCreateRedir(general.RedirPort, tcpIn, udpIn)
+	listener.ReCreateAutoRedir(general.EBpf.AutoRedir, tcpIn, udpIn)
+	listener.ReCreateTProxy(general.TProxyPort, tcpIn, udpIn)
+	listener.ReCreateMixed(general.MixedPort, tcpIn, udpIn)
+	listener.ReCreateShadowSocks(general.ShadowSocksConfig, tcpIn, udpIn)
+	listener.ReCreateVmess(general.VmessConfig, tcpIn, udpIn)
+	listener.ReCreateTuic(LC.TuicServer(general.TuicServer), tcpIn, udpIn)
 }

 func updateUsers(users []auth.AuthUser) {
@ -456,7 +469,7 @@ func updateIPTables(cfg *config.Config) {
 }

 func Shutdown() {
-	P.Cleanup(false)
+	listener.Cleanup(false)
 	tproxy.CleanupTProxyIPTables()
 	resolver.StoreFakePoolState()

--- a/hub/hub.go
+++ b/hub/hub.go
@ -42,7 +42,8 @@ func Parse(options ...Option) error {
 	}

 	if cfg.General.ExternalController != "" {
-		go route.Start(cfg.General.ExternalController, cfg.General.Secret)
+		go route.Start(cfg.General.ExternalController,cfg.General.ExternalControllerTLS, 
+			cfg.General.Secret,cfg.TLS.Certificate,cfg.TLS.PrivateKey)
 	}

 	executor.ApplyConfig(cfg, true)
--- a/hub/route/configs.go
+++ b/hub/route/configs.go
@ -2,7 +2,6 @@ package route

 import (
 	"net/http"
-	"net/netip"
 	"path/filepath"
 	"sync"

@ -13,6 +12,7 @@ import (
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/hub/executor"
 	P "github.com/Dreamacro/clash/listener"
+	LC "github.com/Dreamacro/clash/listener/config"
 	"github.com/Dreamacro/clash/log"
 	"github.com/Dreamacro/clash/tunnel"

@ -41,6 +41,7 @@ type configSchema struct {
 	TProxyPort        *int               `json:"tproxy-port"`
 	MixedPort         *int               `json:"mixed-port"`
 	Tun               *tunSchema         `json:"tun"`
+	TuicServer        *tuicServerSchema  `json:"tuic-server"`
 	ShadowSocksConfig *string            `json:"ss-config"`
 	VmessConfig       *string            `json:"vmess-config"`
 	TcptunConfig      *string            `json:"tcptun-config"`
@ -56,29 +57,42 @@ type configSchema struct {
 }

 type tunSchema struct {
-	Enable              bool              `yaml:"enable" json:"enable"`
-	Device              *string           `yaml:"device" json:"device"`
-	Stack               *C.TUNStack       `yaml:"stack" json:"stack"`
-	DNSHijack           *[]netip.AddrPort `yaml:"dns-hijack" json:"dns-hijack"`
-	AutoRoute           *bool             `yaml:"auto-route" json:"auto-route"`
-	AutoDetectInterface *bool             `yaml:"auto-detect-interface" json:"auto-detect-interface"`
+	Enable              bool        `yaml:"enable" json:"enable"`
+	Device              *string     `yaml:"device" json:"device"`
+	Stack               *C.TUNStack `yaml:"stack" json:"stack"`
+	DNSHijack           *[]string   `yaml:"dns-hijack" json:"dns-hijack"`
+	AutoRoute           *bool       `yaml:"auto-route" json:"auto-route"`
+	AutoDetectInterface *bool       `yaml:"auto-detect-interface" json:"auto-detect-interface"`
 	//RedirectToTun       []string   		  `yaml:"-" json:"-"`

 	MTU *uint32 `yaml:"mtu" json:"mtu,omitempty"`
 	//Inet4Address           *[]config.ListenPrefix `yaml:"inet4-address" json:"inet4-address,omitempty"`
-	Inet6Address           *[]config.ListenPrefix `yaml:"inet6-address" json:"inet6-address,omitempty"`
-	StrictRoute            *bool                  `yaml:"strict-route" json:"strict-route,omitempty"`
-	Inet4RouteAddress      *[]config.ListenPrefix `yaml:"inet4-route-address" json:"inet4-route-address,omitempty"`
-	Inet6RouteAddress      *[]config.ListenPrefix `yaml:"inet6-route-address" json:"inet6-route-address,omitempty"`
-	IncludeUID             *[]uint32              `yaml:"include-uid" json:"include-uid,omitempty"`
-	IncludeUIDRange        *[]string              `yaml:"include-uid-range" json:"include-uid-range,omitempty"`
-	ExcludeUID             *[]uint32              `yaml:"exclude-uid" json:"exclude-uid,omitempty"`
-	ExcludeUIDRange        *[]string              `yaml:"exclude-uid-range" json:"exclude-uid-range,omitempty"`
-	IncludeAndroidUser     *[]int                 `yaml:"include-android-user" json:"include-android-user,omitempty"`
-	IncludePackage         *[]string              `yaml:"include-package" json:"include-package,omitempty"`
-	ExcludePackage         *[]string              `yaml:"exclude-package" json:"exclude-package,omitempty"`
-	EndpointIndependentNat *bool                  `yaml:"endpoint-independent-nat" json:"endpoint-independent-nat,omitempty"`
-	UDPTimeout             *int64                 `yaml:"udp-timeout" json:"udp-timeout,omitempty"`
+	Inet6Address           *[]LC.ListenPrefix `yaml:"inet6-address" json:"inet6-address,omitempty"`
+	StrictRoute            *bool              `yaml:"strict-route" json:"strict-route,omitempty"`
+	Inet4RouteAddress      *[]LC.ListenPrefix `yaml:"inet4-route-address" json:"inet4-route-address,omitempty"`
+	Inet6RouteAddress      *[]LC.ListenPrefix `yaml:"inet6-route-address" json:"inet6-route-address,omitempty"`
+	IncludeUID             *[]uint32          `yaml:"include-uid" json:"include-uid,omitempty"`
+	IncludeUIDRange        *[]string          `yaml:"include-uid-range" json:"include-uid-range,omitempty"`
+	ExcludeUID             *[]uint32          `yaml:"exclude-uid" json:"exclude-uid,omitempty"`
+	ExcludeUIDRange        *[]string          `yaml:"exclude-uid-range" json:"exclude-uid-range,omitempty"`
+	IncludeAndroidUser     *[]int             `yaml:"include-android-user" json:"include-android-user,omitempty"`
+	IncludePackage         *[]string          `yaml:"include-package" json:"include-package,omitempty"`
+	ExcludePackage         *[]string          `yaml:"exclude-package" json:"exclude-package,omitempty"`
+	EndpointIndependentNat *bool              `yaml:"endpoint-independent-nat" json:"endpoint-independent-nat,omitempty"`
+	UDPTimeout             *int64             `yaml:"udp-timeout" json:"udp-timeout,omitempty"`
+}
+
+type tuicServerSchema struct {
+	Enable                bool      `yaml:"enable" json:"enable"`
+	Listen                *string   `yaml:"listen" json:"listen"`
+	Token                 *[]string `yaml:"token" json:"token"`
+	Certificate           *string   `yaml:"certificate" json:"certificate"`
+	PrivateKey            *string   `yaml:"private-key" json:"private-key"`
+	CongestionController  *string   `yaml:"congestion-controller" json:"congestion-controller,omitempty"`
+	MaxIdleTime           *int      `yaml:"max-idle-time" json:"max-idle-time,omitempty"`
+	AuthenticationTimeout *int      `yaml:"authentication-timeout" json:"authentication-timeout,omitempty"`
+	ALPN                  *[]string `yaml:"alpn" json:"alpn,omitempty"`
+	MaxUdpRelayPacketSize *int      `yaml:"max-udp-relay-packet-size" json:"max-udp-relay-packet-size,omitempty"`
 }

 func getConfigs(w http.ResponseWriter, r *http.Request) {
@ -102,7 +116,7 @@ func pointerOrDefaultString(p *string, def string) string {
 	return def
 }

-func pointerOrDefaultTun(p *tunSchema, def config.Tun) config.Tun {
+func pointerOrDefaultTun(p *tunSchema, def LC.Tun) LC.Tun {
 	if p != nil {
 		def.Enable = p.Enable
 		if p.Device != nil {
@ -160,6 +174,40 @@ func pointerOrDefaultTun(p *tunSchema, def config.Tun) config.Tun {
 	return def
 }

+func pointerOrDefaultTuicServer(p *tuicServerSchema, def LC.TuicServer) LC.TuicServer {
+	if p != nil {
+		def.Enable = p.Enable
+		if p.Listen != nil {
+			def.Listen = *p.Listen
+		}
+		if p.Token != nil {
+			def.Token = *p.Token
+		}
+		if p.Certificate != nil {
+			def.Certificate = *p.Certificate
+		}
+		if p.PrivateKey != nil {
+			def.PrivateKey = *p.PrivateKey
+		}
+		if p.CongestionController != nil {
+			def.CongestionController = *p.CongestionController
+		}
+		if p.MaxIdleTime != nil {
+			def.MaxIdleTime = *p.MaxIdleTime
+		}
+		if p.AuthenticationTimeout != nil {
+			def.AuthenticationTimeout = *p.AuthenticationTimeout
+		}
+		if p.ALPN != nil {
+			def.ALPN = *p.ALPN
+		}
+		if p.MaxUdpRelayPacketSize != nil {
+			def.MaxUdpRelayPacketSize = *p.MaxUdpRelayPacketSize
+		}
+	}
+	return def
+}
+
 func patchConfigs(w http.ResponseWriter, r *http.Request) {
 	general := &configSchema{}
 	if err := render.DecodeJSON(r.Body, general); err != nil {
@ -201,8 +249,7 @@ func patchConfigs(w http.ResponseWriter, r *http.Request) {
 	P.ReCreateTun(pointerOrDefaultTun(general.Tun, P.LastTunConf), tcpIn, udpIn)
 	P.ReCreateShadowSocks(pointerOrDefaultString(general.ShadowSocksConfig, ports.ShadowSocksConfig), tcpIn, udpIn)
 	P.ReCreateVmess(pointerOrDefaultString(general.VmessConfig, ports.VmessConfig), tcpIn, udpIn)
-	P.ReCreateTcpTun(pointerOrDefaultString(general.TcptunConfig, ports.TcpTunConfig), tcpIn, udpIn)
-	P.ReCreateUdpTun(pointerOrDefaultString(general.UdptunConfig, ports.UdpTunConfig), tcpIn, udpIn)
+	P.ReCreateTuic(pointerOrDefaultTuicServer(general.TuicServer, P.LastTuicConf), tcpIn, udpIn)

 	if general.Mode != nil {
 		tunnel.SetMode(*general.Mode)
--- a/hub/route/server.go
+++ b/hub/route/server.go
@ -2,14 +2,15 @@ package route

 import (
 	"bytes"
+	"crypto/tls"
 	"encoding/json"
-	"net"
 	"net/http"
 	"strings"
 	"time"

+	"github.com/Dreamacro/clash/adapter/inbound"
+	CN "github.com/Dreamacro/clash/common/net"
 	C "github.com/Dreamacro/clash/constant"
-	_ "github.com/Dreamacro/clash/constant/mime"
 	"github.com/Dreamacro/clash/log"
 	"github.com/Dreamacro/clash/tunnel/statistic"

@ -41,7 +42,8 @@ func SetUIPath(path string) {
 	uiPath = C.Path.Resolve(path)
 }

-func Start(addr string, secret string) {
+func Start(addr string, tlsAddr string, secret string,
+	certificat, privateKey string) {
 	if serverAddr != "" {
 		return
 	}
@ -50,18 +52,15 @@ func Start(addr string, secret string) {
 	serverSecret = secret

 	r := chi.NewRouter()
-
 	corsM := cors.New(cors.Options{
 		AllowedOrigins: []string{"*"},
 		AllowedMethods: []string{"GET", "POST", "PUT", "PATCH", "DELETE"},
 		AllowedHeaders: []string{"Content-Type", "Authorization"},
 		MaxAge:         300,
 	})
-
 	r.Use(corsM.Handler)
 	r.Group(func(r chi.Router) {
 		r.Use(authentication)
-
 		r.Get("/", hello)
 		r.Get("/logs", getLogs)
 		r.Get("/traffic", traffic)
@ -86,16 +85,46 @@ func Start(addr string, secret string) {
 		})
 	}

-	l, err := net.Listen("tcp", addr)
+	if len(tlsAddr) > 0 {
+		go func() {
+			c, err := CN.ParseCert(certificat, privateKey)
+			if err != nil {
+				log.Errorln("External controller tls listen error: %s", err)
+				return
+			}
+
+			l, err := inbound.Listen("tcp", tlsAddr)
+			if err != nil {
+				log.Errorln("External controller tls listen error: %s", err)
+				return
+			}
+
+			serverAddr = l.Addr().String()
+			log.Infoln("RESTful API tls listening at: %s", serverAddr)
+			tlsServe := &http.Server{
+				Handler: r,
+				TLSConfig: &tls.Config{
+					Certificates: []tls.Certificate{c},
+				},
+			}
+			if err = tlsServe.ServeTLS(l, "", ""); err != nil {
+				log.Errorln("External controller tls serve error: %s", err)
+			}
+		}()
+	}
+
+	l, err := inbound.Listen("tcp", addr)
 	if err != nil {
 		log.Errorln("External controller listen error: %s", err)
 		return
 	}
 	serverAddr = l.Addr().String()
 	log.Infoln("RESTful API listening at: %s", serverAddr)
+
 	if err = http.Serve(l, r); err != nil {
 		log.Errorln("External controller serve error: %s", err)
 	}
+
 }

 func authentication(next http.Handler) http.Handler {
@ -211,16 +240,26 @@ func getLogs(w http.ResponseWriter, r *http.Request) {
 		render.Status(r, http.StatusOK)
 	}

+	ch := make(chan log.Event, 1024)
 	sub := log.Subscribe()
 	defer log.UnSubscribe(sub)
 	buf := &bytes.Buffer{}
-	var err error
-	for elm := range sub {
-		buf.Reset()
-		logM := elm
+
+	go func() {
+		for logM := range sub {
+			select {
+			case ch <- logM:
+			default:
+			}
+		}
+		close(ch)
+	}()
+
+	for logM := range ch {
 		if logM.LogLevel < level {
 			continue
 		}
+		buf.Reset()

 		if err := json.NewEncoder(buf).Encode(Log{
 			Type:    logM.Type(),
@ -229,6 +268,7 @@ func getLogs(w http.ResponseWriter, r *http.Request) {
 			break
 		}

+		var err error
 		if wsConn == nil {
 			_, err = w.Write(buf.Bytes())
 			w.(http.Flusher).Flush()
--- a/listener/autoredir/tcp.go
+++ b/listener/autoredir/tcp.go
@ -14,6 +14,7 @@ type Listener struct {
 	listener   net.Listener
 	addr       string
 	closed     bool
+	additions  []inbound.Addition
 	lookupFunc func(netip.AddrPort) (socks5.Addr, error)
 }

@ -56,17 +57,24 @@ func (l *Listener) handleRedir(conn net.Conn, in chan<- C.ConnContext) {

 	_ = conn.(*net.TCPConn).SetKeepAlive(true)

-	in <- inbound.NewSocket(target, conn, C.REDIR)
+	in <- inbound.NewSocket(target, conn, C.REDIR, l.additions...)
 }

-func New(addr string, in chan<- C.ConnContext) (*Listener, error) {
+func New(addr string, in chan<- C.ConnContext, additions ...inbound.Addition) (*Listener, error) {
+	if len(additions) == 0 {
+		additions = []inbound.Addition{
+			inbound.WithInName("DEFAULT-REDIR"),
+			inbound.WithSpecialRules(""),
+		}
+	}
 	l, err := net.Listen("tcp", addr)
 	if err != nil {
 		return nil, err
 	}
 	rl := &Listener{
-		listener: l,
-		addr:     addr,
+		listener:  l,
+		addr:      addr,
+		additions: additions,
 	}

 	go func() {
--- a/listener/config/shadowsocks.go
+++ b/listener/config/shadowsocks.go
@ -0,0 +1,17 @@
+package config
+
+import (
+	"encoding/json"
+)
+
+type ShadowsocksServer struct {
+	Enable   bool
+	Listen   string
+	Password string
+	Cipher   string
+}
+
+func (t ShadowsocksServer) String() string {
+	b, _ := json.Marshal(t)
+	return string(b)
+}
--- a/listener/config/tuic.go
+++ b/listener/config/tuic.go
@ -0,0 +1,23 @@
+package config
+
+import (
+	"encoding/json"
+)
+
+type TuicServer struct {
+	Enable                bool     `yaml:"enable" json:"enable"`
+	Listen                string   `yaml:"listen" json:"listen"`
+	Token                 []string `yaml:"token" json:"token"`
+	Certificate           string   `yaml:"certificate" json:"certificate"`
+	PrivateKey            string   `yaml:"private-key" json:"private-key"`
+	CongestionController  string   `yaml:"congestion-controller" json:"congestion-controller,omitempty"`
+	MaxIdleTime           int      `yaml:"max-idle-time" json:"max-idle-time,omitempty"`
+	AuthenticationTimeout int      `yaml:"authentication-timeout" json:"authentication-timeout,omitempty"`
+	ALPN                  []string `yaml:"alpn" json:"alpn,omitempty"`
+	MaxUdpRelayPacketSize int      `yaml:"max-udp-relay-packet-size" json:"max-udp-relay-packet-size,omitempty"`
+}
+
+func (t TuicServer) String() string {
+	b, _ := json.Marshal(t)
+	return string(b)
+}
--- a/Show More
+++ b/Show More