fix: wildcard matching problem (#536 )

chore: update genReleaseNote.sh
Merge branch 'Alpha' into Meta
2023-04-29 01:10:55 +08:00 · 2023-04-28 07:29:58 +00:00 · 2023-04-28 07:05:21 +00:00 · 2023-04-27 22:18:09 +08:00 · 2023-04-27 12:19:59 +00:00 · 2023-04-27 07:06:53 +00:00
265 changed files with 10028 additions and 3233 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@ -0,0 +1,82 @@
+name: Bug report
+description: Create a report to help us improve
+title: "[Bug] "
+body:
+  - type: checkboxes
+    id: ensure
+    attributes:
+      label: Verify steps
+      description: "
+在提交之前，请确认
+Please verify that you've followed these steps
+"
+      options:
+        - label: "
+确保你使用的是**本仓库**最新的的 clash 或 clash Alpha 版本
+Ensure you are using the latest version of Clash or Clash Premium from **this repository**.
+"
+          required: true
+        - label: "
+如果你可以自己 debug 并解决的话，提交 PR 吧
+Is this something you can **debug and fix**? Send a pull request! Bug fixes and documentation fixes are welcome.
+"
+          required: false
+        - label: "
+我已经在 [Issue Tracker](……/) 中找过我要提出的问题
+I have searched on the [issue tracker](……/) for a related issue.
+"
+          required: true
+        - label: "
+我已经使用 Alpha 分支版本测试过，问题依旧存在
+I have tested using the dev branch, and the issue still exists.
+"
+          required: true
+        - label: "
+我已经仔细看过 [Documentation](https://wiki.metacubex.one/) 并无法自行解决问题
+I have read the [documentation](https://wiki.metacubex.one/) and was unable to solve the issue.
+"
+          required: true
+        - label: "
+这是 Clash 核心的问题，并非我所使用的 Clash 衍生版本（如 OpenClash、KoolClash 等）的特定问题
+This is an issue of the Clash core *per se*, not to the derivatives of Clash, like OpenClash or KoolClash.
+"
+          required: true
+  - type: input
+    attributes:
+      label: Clash version
+      description: "use `clash -v`"
+    validations:
+      required: true
+  - type: dropdown
+    id: os
+    attributes:
+      label: What OS are you seeing the problem on?
+      multiple: true
+      options:
+        - macOS
+        - Windows
+        - Linux
+        - OpenBSD/FreeBSD
+  - type: textarea
+    attributes:
+      render: yaml
+      label: "Clash config"
+      description: "
+在下方附上 Clash core 配置文件，请确保配置文件中没有敏感信息（比如：服务器地址，密码，端口等）
+Paste the Clash core configuration file below, please make sure that there is no sensitive information in the configuration file (e.g., server address/url, password, port)
+"
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      render: shell
+      label: Clash log
+      description: "
+在下方附上 Clash Core 的日志，log level 使用 DEBUG
+Paste the Clash core log below with the log level set to `DEBUG`.
+"
+  - type: textarea
+    attributes:
+      label: Description
+    validations:
+      required: true
--- a/.github/ISSUE_TEMPLATE/feature_request.yml
+++ b/.github/ISSUE_TEMPLATE/feature_request.yml
@ -0,0 +1,36 @@
+name: Feature request
+description: Suggest an idea for this project
+title: "[Feature] "
+body:
+  - type: checkboxes
+    id: ensure
+    attributes:
+      label: Verify steps
+      description: "
+在提交之前，请确认
+Please verify that you've followed these steps
+"
+      options:
+        - label: "
+我已经在 [Issue Tracker](……/) 中找过我要提出的请求
+I have searched on the [issue tracker](……/) for a related feature request.
+"
+          required: true
+        - label: "
+我已经仔细看过 [Documentation](https://wiki.metacubex.one/) 并无法找到这个功能
+I have read the [documentation](https://wiki.metacubex.one/) and was unable to solve the issue.
+"
+          required: true
+  - type: textarea
+    attributes:
+      label: Description
+      description: 请详细、清晰地表达你要提出的论述，例如这个问题如何影响到你？你想实现什么功能？目前 Clash Core 的行为是什麽？
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Possible Solution
+      description: "
+此项非必须，但是如果你有想法的话欢迎提出。
+Not obligatory, but suggest a fix/reason for the bug, or ideas how to implement the addition or change
+"
--- a/.github/genReleaseNote.sh
+++ b/.github/genReleaseNote.sh
@ -0,0 +1 @@
+git log --pretty=format:"* %s by @%an" v1.14.x..v1.14.y | sort -f | uniq > release.md
--- a/.github/release.sh
+++ b/.github/release.sh
@ -0,0 +1,26 @@
+#!/bin/bash
+
+FILENAMES=$(ls)
+for FILENAME in $FILENAMES
+do
+    if [[ ! ($FILENAME =~ ".exe" || $FILENAME =~ ".sh")]];then
+        gzip -S ".gz" $FILENAME
+    elif [[ $FILENAME =~ ".exe" ]];then
+        zip -m ${FILENAME%.*}.zip $FILENAME
+    else echo "skip $FILENAME"
+    fi
+done
+
+FILENAMES=$(ls)
+for FILENAME in $FILENAMES
+do
+    if [[ $FILENAME =~ ".zip" ]];then
+        echo "rename $FILENAME"
+        mv $FILENAME ${FILENAME%.*}-${VERSION}.zip
+    elif [[ $FILENAME =~ ".gz" ]];then
+        echo "rename $FILENAME"
+        mv $FILENAME ${FILENAME%.*}-${VERSION}.gz
+    else
+        echo "skip $FILENAME"
+    fi
+done
--- a/.github/rename-cgo.sh
+++ b/.github/rename-cgo.sh
@ -0,0 +1,35 @@
+#!/bin/bash
+
+FILENAMES=$(ls)
+for FILENAME in $FILENAMES
+do
+    if [[ $FILENAME =~ "darwin-10.16-arm64" ]];then
+        echo "rename darwin-10.16-arm64 $FILENAME"
+        mv $FILENAME clash.meta-darwin-arm64-cgo
+    elif [[ $FILENAME =~ "darwin-10.16-amd64" ]];then
+        echo "rename darwin-10.16-amd64 $FILENAME"
+        mv $FILENAME clash.meta-darwin-amd64-cgo
+    elif [[ $FILENAME =~ "windows-4.0-386" ]];then
+        echo "rename windows 386 $FILENAME"
+        mv $FILENAME clash.meta-windows-386-cgo.exe
+    elif [[ $FILENAME =~ "windows-4.0-amd64" ]];then
+        echo "rename windows amd64 $FILENAME"
+        mv $FILENAME clash.meta-windows-amd64-cgo.exe
+    elif [[ $FILENAME =~ "clash.meta-linux-arm-5" ]];then
+        echo "rename clash.meta-linux-arm-5 $FILENAME"
+        mv $FILENAME clash.meta-linux-armv5-cgo
+    elif [[ $FILENAME =~ "clash.meta-linux-arm-6" ]];then
+        echo "rename clash.meta-linux-arm-6 $FILENAME"
+        mv $FILENAME clash.meta-linux-armv6-cgo
+    elif [[ $FILENAME =~ "clash.meta-linux-arm-7" ]];then
+        echo "rename clash.meta-linux-arm-7 $FILENAME"
+        mv $FILENAME clash.meta-linux-armv7-cgo
+    elif [[ $FILENAME =~ "linux" ]];then
+        echo "rename linux $FILENAME"
+        mv $FILENAME $FILENAME-cgo
+    elif [[ $FILENAME =~ "android" ]];then
+        echo "rename android $FILENAME"
+        mv $FILENAME $FILENAME-cgo
+    else echo "skip $FILENAME"
+    fi
+done
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@ -1,22 +0,0 @@
-name: Build All
-on:
-  workflow_dispatch:
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@v3
-      - name: Setup Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: '1.19'
-          check-latest: true
-          cache: true
-      - name: Build
-        run: make all
-      - name: Release
-        uses: softprops/action-gh-release@v1
-        with:
-          files: bin/*
-          draft: true
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -0,0 +1,354 @@
+name: Build
+on:
+  workflow_dispatch:
+  push:
+    paths-ignore:
+      - "docs/**"
+      - "README.md"
+      - ".github/ISSUE_TEMPLATE/**"
+    branches:
+      - Alpha
+    tags:
+      - "v*"
+  pull_request_target:
+    branches:
+      - Alpha
+      
+concurrency:
+  group: ${{ github.ref }}-${{ github.workflow }}
+  cancel-in-progress: true
+  
+env:
+  REGISTRY: docker.io
+jobs:
+  Build:
+    permissions: write-all
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        job:
+          - {
+              type: "WithoutCGO",
+              target: "linux-amd64 linux-amd64-compatible",
+              id: "1",
+            }
+          - {
+              type: "WithoutCGO",
+              target: "linux-armv5 linux-armv6 linux-armv7",
+              id: "2",
+            }
+          - {
+              type: "WithoutCGO",
+              target: "linux-arm64 linux-mips64 linux-mips64le",
+              id: "3",
+            }
+          - {
+              type: "WithoutCGO",
+              target: "linux-mips-softfloat linux-mips-hardfloat linux-mipsle-softfloat linux-mipsle-hardfloat",
+              id: "4",
+            }
+          - { type: "WithoutCGO", target: "linux-386 linux-riscv64", id: "5" }
+          - {
+              type: "WithoutCGO",
+              target: "freebsd-386 freebsd-amd64 freebsd-arm64",
+              id: "6",
+            }
+          - {
+              type: "WithoutCGO",
+              target: "windows-amd64-compatible windows-amd64 windows-386",
+              id: "7",
+            }
+          - {
+              type: "WithoutCGO",
+              target: "windows-arm64 windows-arm32v7",
+              id: "8",
+            }
+          - {
+              type: "WithoutCGO",
+              target: "darwin-amd64 darwin-arm64 android-arm64",
+              id: "9",
+            }
+          - { type: "WithCGO", target: "windows/*", id: "1" }
+          - { type: "WithCGO", target: "linux/386", id: "2" }
+          - { type: "WithCGO", target: "linux/amd64", id: "3" }
+          - { type: "WithCGO", target: "linux/arm64,linux/riscv64", id: "4" }
+          - { type: "WithCGO", target: "linux/arm,", id: "5" }
+          - { type: "WithCGO", target: "linux/arm-6,linux/arm-7", id: "6" }
+          - { type: "WithCGO", target: "linux/mips,linux/mipsle", id: "7" }
+          - { type: "WithCGO", target: "linux/mips64", id: "8" }
+          - { type: "WithCGO", target: "linux/mips64le", id: "9" }
+          - { type: "WithCGO", target: "darwin-10.16/*", id: "10" }
+          - { type: "WithCGO", target: "android", id: "11" }
+
+    steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v3
+
+      - name: Set variables
+        run: echo "VERSION=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
+        shell: bash
+
+      - name: Set variables
+        if: ${{github.ref_name=='Alpha'}}
+        run: echo "VERSION=alpha-$(git rev-parse --short HEAD)" >> $GITHUB_ENV
+        shell: bash
+
+      - name: Set variables
+        if: ${{github.ref_name=='Beta'}}
+        run: echo "VERSION=beta-$(git rev-parse --short HEAD)" >> $GITHUB_ENV
+        shell: bash
+
+      - name: Set variables
+        if: ${{github.ref_name=='Meta'}}
+        run: echo "VERSION=meta-$(git rev-parse --short HEAD)" >> $GITHUB_ENV
+        shell: bash
+
+      - name: Set variables
+        if: ${{github.ref_name=='' || github.ref_type=='tag'}}
+        run: echo "VERSION=$(git describe --tags)" >> $GITHUB_ENV
+        shell: bash
+
+      - name: Set ENV
+        run: |
+          sudo timedatectl set-timezone "Asia/Shanghai"
+          echo "NAME=clash.meta" >> $GITHUB_ENV
+          echo "REPO=${{ github.repository }}" >> $GITHUB_ENV
+          echo "ShortSHA=$(git rev-parse --short ${{ github.sha }})" >> $GITHUB_ENV
+          echo "BUILDTIME=$(date)" >> $GITHUB_ENV
+          echo "BRANCH=$(git rev-parse --abbrev-ref HEAD)" >> $GITHUB_ENV
+        shell: bash
+
+      - name: Set ENV
+        run: |
+          echo "TAGS=with_gvisor,with_lwip" >> $GITHUB_ENV
+          echo "LDFLAGS=-X 'github.com/Dreamacro/clash/constant.Version=${VERSION}' -X 'github.com/Dreamacro/clash/constant.BuildTime=${BUILDTIME}' -w -s -buildid=" >> $GITHUB_ENV
+        shell: bash
+
+      - name: Setup Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: "1.20"
+          check-latest: true
+
+      - name: Test
+        if: ${{ matrix.job.id=='1' && matrix.job.type=='WithoutCGO' }}
+        run: |
+          go test ./...
+
+      - name: Build WithoutCGO
+        if: ${{ matrix.job.type=='WithoutCGO' }}
+        env:
+          NAME: Clash.Meta
+          BINDIR: bin
+        run: make -j$(($(nproc) + 1)) ${{ matrix.job.target }}
+
+      - uses: nttld/setup-ndk@v1
+        if: ${{ matrix.job.type=='WithCGO' && matrix.job.target=='android' }}
+        id: setup-ndk
+        with:
+          ndk-version: r25b
+          add-to-path: false
+          local-cache: true
+
+      - name: Build Android
+        if: ${{ matrix.job.type=='WithCGO' && matrix.job.target=='android' }}
+        env:
+          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
+        run: |
+          mkdir bin
+          CC=${ANDROID_NDK_HOME}/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android33-clang
+          CGO_ENABLED=1 CC=${CC} GOARCH=arm64 GOOS=android go build -tags ${TAGS} -trimpath -ldflags "${LDFLAGS}" -o bin/${NAME}-android-arm64
+
+      - name: Set up xgo
+        if: ${{ matrix.job.type=='WithCGO' && matrix.job.target!='android' }}
+        run: |
+          docker pull techknowlogick/xgo:latest
+          go install src.techknowlogick.com/xgo@latest
+
+      - name: Build by xgo
+        if: ${{ matrix.job.type=='WithCGO' && matrix.job.target!='android' }}
+        env:
+          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
+        run: |
+          mkdir bin
+          xgo --targets="${{ matrix.job.target }}" --tags="${TAGS}" -ldflags="${LDFLAGS}" --out bin/${NAME} ./
+
+      - name: Rename
+        if: ${{ matrix.job.type=='WithCGO' }}
+        run: |
+          cd bin
+          ls -la
+          cp ../.github/rename-cgo.sh ./
+          bash ./rename-cgo.sh
+          rm ./rename-cgo.sh
+          ls -la
+          cd ..
+
+      - name: Zip
+        if: ${{  success() }}
+        run: |
+          cd bin
+          ls -la
+          chmod +x *
+          cp ../.github/release.sh ./
+          bash ./release.sh
+          rm ./release.sh
+          ls -la
+          cd ..
+
+      - name: Save version
+        run: echo ${VERSION} > bin/version.txt
+        shell: bash
+
+      - uses: actions/upload-artifact@v3
+        if: ${{  success() }}
+        with:
+          name: artifact
+          path: bin/
+
+  Upload-Prerelease:
+    permissions: write-all
+    if: ${{ github.ref_type=='branch' }}
+    needs: [Build]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/download-artifact@v3
+        with:
+          name: artifact
+          path: bin/
+
+      - name: Display structure of downloaded files
+        run: ls -R
+        working-directory: bin
+
+      - name: Delete current release assets
+        uses: andreaswilli/delete-release-assets-action@v2.0.0
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          tag: Prerelease-${{ github.ref_name }}
+          deleteOnlyFromDrafts: false
+
+      - name: Set Env
+        run: |
+          echo "BUILDTIME=$(TZ=Asia/Shanghai date)" >> $GITHUB_ENV
+        shell: bash
+
+      - name: Tag Repo
+        uses: richardsimko/update-tag@v1.0.6
+        with:
+          tag_name: Prerelease-${{ github.ref_name }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - run: |
+          cat > release.txt << 'EOF'
+          Release created at  ${{ env.BUILDTIME }}
+          Synchronize ${{ github.ref_name }} branch code updates, keeping only the latest version
+          <br>
+          ### release version
+          `default(not specified in file name)`: compiled with GOAMD64=v3
+          `cgo`: support lwip tun stack, compiled with GOAMD64=v1
+          `compatible`: compiled with GOAMD64=v1
+          Check details between different architectural levels [here](https://github.com/golang/go/wiki/MinimumRequirements#amd64).
+          EOF
+
+      - name: Upload Prerelease
+        uses: softprops/action-gh-release@v1
+        if: ${{  success() }}
+        with:
+          tag: ${{ github.ref_name }}
+          tag_name: Prerelease-${{ github.ref_name }}
+          files: |
+            bin/*
+          prerelease: true
+          generate_release_notes: true
+          body_path: release.txt
+
+  Upload-Release:
+    permissions: write-all
+    if: ${{ github.ref_type=='tag' }}
+    needs: [Build]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/download-artifact@v3
+        with:
+          name: artifact
+          path: bin/
+
+      - name: Display structure of downloaded files
+        run: ls -R
+        working-directory: bin
+
+      - name: Upload Release
+        uses: softprops/action-gh-release@v1
+        if: ${{  success() }}
+        with:
+          tag: ${{ github.ref_name }}
+          tag_name: ${{ github.ref_name }}
+          files: bin/*
+          generate_release_notes: true
+
+  Docker:
+    permissions: write-all
+    needs: [Build]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - uses: actions/download-artifact@v3
+        with:
+          name: artifact
+          path: bin/
+
+      - name: Display structure of downloaded files
+        run: ls -R
+        working-directory: bin
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+
+      - name: Setup Docker buildx
+        uses: docker/setup-buildx-action@v1
+        with:
+          version: latest
+
+      # Extract metadata (tags, labels) for Docker
+      # https://github.com/docker/metadata-action
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v3
+        with:
+          images: ${{ env.REGISTRY }}/${{ secrets.DOCKERHUB_ACCOUNT }}/${{secrets.DOCKERHUB_REPO}}
+      - name: Show files
+        run: |
+          ls .
+          ls bin/
+      - name: Log into registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v1
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.DOCKER_HUB_USER }}
+          password: ${{ secrets.DOCKER_HUB_TOKEN }}
+
+      # Build and push Docker image with Buildx (don't push on PR)
+      # https://github.com/docker/build-push-action
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          file: ./Dockerfile
+          push: ${{ github.event_name != 'pull_request' }}
+          platforms: |
+            linux/386
+            linux/amd64
+            linux/arm64/v8
+            linux/arm/v7
+          #            linux/riscv64
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
--- a/.github/workflows/delete.yml
+++ b/.github/workflows/delete.yml
@ -0,0 +1,15 @@
+name: Delete old workflow runs
+on:
+  schedule:
+    - cron: "0 0 * * SUN"
+
+jobs:
+  del_runs:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Delete workflow runs
+        uses: GitRML/delete-workflow-runs@main
+        with:
+          token: ${{ secrets.AUTH_PAT }}
+          repository: ${{ github.repository }}
+          retain_days: 30
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@ -1,61 +0,0 @@
-name: Docker
-
-on:
-  push:
-    branches:
-      - Beta
-    tags:
-      - "v*"
-env:
-  REGISTRY: docker.io
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-
-      - name: Setup Docker buildx
-        uses: docker/setup-buildx-action@v1
-        with:
-          version: latest
-
-      # Extract metadata (tags, labels) for Docker
-      # https://github.com/docker/metadata-action
-      - name: Extract Docker metadata
-        id: meta
-        uses: docker/metadata-action@v3
-        with:
-          images: ${{ env.REGISTRY }}/${{ secrets.DOCKERHUB_ACCOUNT }}/${{secrets.DOCKERHUB_REPO}}
-
-      - name: Log into registry
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v1
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ secrets.DOCKER_HUB_USER }}
-          password: ${{ secrets.DOCKER_HUB_TOKEN }}
-
-      # Build and push Docker image with Buildx (don't push on PR)
-      # https://github.com/docker/build-push-action
-      - name: Build and push Docker image
-        id: build-and-push
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          file: ./Dockerfile
-          push: ${{ github.event_name != 'pull_request' }}
-          platforms: |
-            linux/386
-            linux/amd64
-            linux/arm64/v8
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
--- a/.github/workflows/prerelease.yml
+++ b/.github/workflows/prerelease.yml
@ -1,61 +0,0 @@
-name: Prerelease
-on:
-  workflow_dispatch:
-  push:
-    branches:
-      - Alpha
-      - Beta
-  pull_request:
-    branches:
-      - Alpha
-      - Beta
-jobs:
-  Build:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@v3
-
-      - name: Setup Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: '1.19'
-          check-latest: true
-          cache: true
-
-      - name: Test
-        if: ${{github.ref_name=='Beta'}}
-        run: |
-          go test ./...
-
-      - name: Build
-        if: success()
-        env:
-          NAME: Clash.Meta
-          BINDIR: bin
-        run: make -j$(($(nproc) + 1)) releases
-
-      - name: Delete current release assets
-        uses: mknejp/delete-release-assets@v1
-        with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          tag_name: Prerelease-${{ github.ref_name }}
-          assets: |
-              *.zip
-              *.gz
-
-      - name: Tag Repo
-        uses: richardsimko/update-tag@v1.0.6
-        with:
-          tag_name: Prerelease-${{ github.ref_name }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Upload Alpha
-        uses: softprops/action-gh-release@v1
-        if: ${{  success() }}
-        with:
-          tag_name: Prerelease-${{ github.ref_name }}
-          files: bin/*
-          prerelease: true
-          generate_release_notes: true
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -1,36 +0,0 @@
-name: Release
-on:
-  push:
-    tags:
-      - "v*"
-jobs:
-  Build:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@v3
-
-      - name: Setup Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: '1.19'
-          check-latest: true
-          cache: true
-
-      - name: Test
-        run: |
-          go test ./...
-      - name: Build
-        if: success()
-        env:
-          NAME: Clash.Meta
-          BINDIR: bin
-        run: make -j$(($(nproc) + 1)) releases
-
-      - name: Upload Release
-        uses: softprops/action-gh-release@v1
-        if: ${{ success() && startsWith(github.ref, 'refs/tags/')}}
-        with:
-          tag: ${{ github.ref }}
-          files: bin/*
-          generate_release_notes: true
--- a/.gitignore
+++ b/.gitignore
@ -24,4 +24,5 @@ vendor
 # test suite
 test/config/cache*
 /output
-/.vscode
+.vscode/
+.fleet/
--- a/21
+++ b/21
@ -1,18 +1,19 @@
-FROM golang:alpine as builder
+FROM alpine:latest as builder
+ARG TARGETPLATFORM
+RUN echo "I'm building for $TARGETPLATFORM"

-RUN apk add --no-cache make git && \
+RUN apk add --no-cache gzip && \
    mkdir /clash-config && \
    wget -O /clash-config/Country.mmdb https://raw.githubusercontent.com/Loyalsoldier/geoip/release/Country.mmdb && \
    wget -O /clash-config/geosite.dat https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geosite.dat && \
    wget -O /clash-config/geoip.dat https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geoip.dat

-
-COPY . /clash-src
-WORKDIR /clash-src
-RUN go mod download &&\
-    make docker &&\
-    mv ./bin/Clash.Meta-docker /clash
-
+COPY docker/file-name.sh /clash/file-name.sh
+WORKDIR /clash
+COPY bin/ bin/
+RUN FILE_NAME=`sh file-name.sh` && echo $FILE_NAME && \
+    FILE_NAME=`ls bin/ | egrep "$FILE_NAME.*"|awk NR==1` && echo $FILE_NAME && \
+    mv bin/$FILE_NAME clash.gz && gzip -d clash.gz && echo "$FILE_NAME" > /clash-config/test
 FROM alpine:latest
 LABEL org.opencontainers.image.source="https://github.com/MetaCubeX/Clash.Meta"

@ -21,6 +22,6 @@ RUN apk add --no-cache ca-certificates tzdata iptables
 VOLUME ["/root/.config/clash/"]

 COPY --from=builder /clash-config/ /root/.config/clash/
-COPY --from=builder /clash /clash
+COPY --from=builder /clash/clash /clash
 RUN chmod +x /clash
 ENTRYPOINT [ "/clash" ]
--- a/18
+++ b/18
@ -1,4 +1,4 @@
-NAME=Clash.Meta
+NAME=clash.meta
 BINDIR=bin
 BRANCH=$(shell git branch --show-current)
 ifeq ($(BRANCH),Alpha)
@ -47,14 +47,17 @@ all:linux-amd64 linux-arm64\
 	darwin-amd64 darwin-arm64\
 	windows-amd64 windows-arm64\

+
+darwin-all: darwin-amd64 darwin-arm64
+
 docker:
-	GOAMD64=v3 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
+	GOAMD64=v1 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

 darwin-amd64:
 	GOARCH=amd64 GOOS=darwin GOAMD64=v3 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

 darwin-amd64-compatible:
-	GOARCH=amd64 GOOS=darwin GOAMD64=v2 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
+	GOARCH=amd64 GOOS=darwin GOAMD64=v1 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

 darwin-arm64:
 	GOARCH=arm64 GOOS=darwin $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
@ -66,7 +69,7 @@ linux-amd64:
 	GOARCH=amd64 GOOS=linux GOAMD64=v3 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

 linux-amd64-compatible:
-	GOARCH=amd64 GOOS=linux GOAMD64=v2 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
+	GOARCH=amd64 GOOS=linux GOAMD64=v1 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

 linux-arm64:
 	GOARCH=arm64 GOOS=linux $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
@ -98,6 +101,9 @@ linux-mips64:
 linux-mips64le:
 	GOARCH=mips64le GOOS=linux $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

+linux-riscv64:
+	GOARCH=riscv64 GOOS=linux $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
+
 android-arm64:
 	GOARCH=arm64 GOOS=android $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

@ -117,7 +123,7 @@ windows-amd64:
 	GOARCH=amd64 GOOS=windows GOAMD64=v3 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe

 windows-amd64-compatible:
-	GOARCH=amd64 GOOS=windows GOAMD64=v2 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe
+	GOARCH=amd64 GOOS=windows GOAMD64=v1 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe

 windows-arm64:
 	GOARCH=arm64 GOOS=windows $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe
@ -154,4 +160,4 @@ CFLAGS := -O2 -g -Wall -Werror $(CFLAGS)
 ebpf: export BPF_CLANG := $(CLANG)
 ebpf: export BPF_CFLAGS := $(CFLAGS)
 ebpf:
-	cd component/ebpf/ && go generate ./...
+	cd component/ebpf/ && go generate ./...
--- a/README.md
+++ b/README.md
@ -29,32 +29,41 @@
 - Netfilter TCP redirecting. Deploy Clash on your Internet gateway with `iptables`.
 - Comprehensive HTTP RESTful API controller

-## Getting Started
-Documentations are now moved to [GitHub Wiki](https://github.com/Dreamacro/clash/wiki).
-
-## Advanced usage for this branch
+## Wiki
+Configuration examples can be found at [/docs/config.yaml](https://github.com/MetaCubeX/Clash.Meta/blob/Alpha/docs/config.yaml), while documentation can be found [Clash.Meta Wiki](https://clash-meta.wiki).

 ## Build

 You should install [golang](https://go.dev) first.

 Then get the source code of Clash.Meta:
+
 ```shell
 git clone https://github.com/MetaCubeX/Clash.Meta.git
 cd Clash.Meta && go mod download
 ```

 If you can't visit github,you should set proxy first:
+
 ```shell
 go env -w GOPROXY=https://goproxy.io,direct
 ```

-So now you can build it:
+Now you can build it:
+
 ```shell
 go build
 ```

-### DNS configuration
+If you need gvisor for tun stack, build with:
+
+```shell
+go build -tags with_gvisor
+```
+
+<!-- ## Advanced usage of this fork -->
+
+<!-- ### DNS configuration

 Support `geosite` with `fallback-filter`.

@ -64,7 +73,6 @@ Support resolve ip with a `Proxy Tunnel`.

 ```yaml
 proxy-groups:
-
  - name: DNS
    type: url-test
    use:
@ -73,6 +81,7 @@ proxy-groups:
    interval: 180
    lazy: true
 ```
+
 ```yaml
 dns:
  enable: true
@ -88,12 +97,12 @@ dns:
    - https://doh.pub/dns-query
    - tls://223.5.5.5:853
  fallback:
-    - 'https://1.0.0.1/dns-query#DNS'  # append the proxy adapter name or group name to the end of DNS URL with '#' prefix.
-    - 'tls://8.8.4.4:853#DNS'
+    - "https://1.0.0.1/dns-query#DNS" # append the proxy adapter name or group name to the end of DNS URL with '#' prefix.
+    - "tls://8.8.4.4:853#DNS"
  fallback-filter:
    geoip: false
    geosite:
-      - gfw  # `geosite` filter only use fallback server to resolve ip, prevent DNS leaks to unsafe DNS providers.
+      - gfw # `geosite` filter only use fallback server to resolve ip, prevent DNS leaks to unsafe DNS providers.
    domain:
      - +.example.com
    ipcidr:
@ -110,28 +119,30 @@ Built-in [Wintun](https://www.wintun.net) driver.
 # Enable the TUN listener
 tun:
  enable: true
-  stack: gvisor #  only gvisor
-  dns-hijack: 
+  stack: system #   system/gvisor
+  dns-hijack:
    - 0.0.0.0:53 # additional dns server listen on TUN
  auto-route: true # auto set global route
 ```
+
 ### Rules configuration
+
 - Support rule `GEOSITE`.
 - Support rule-providers `RULE-SET`.
 - Support `multiport` condition for rule `SRC-PORT` and `DST-PORT`.
 - Support `network` condition for all rules.
 - Support source IPCIDR condition for all rules, just append to the end.
 - The `GEOSITE` databases via https://github.com/Loyalsoldier/v2ray-rules-dat.
+
 ```yaml
 rules:
-
  # network(tcp/udp) condition for all rules
  - DOMAIN-SUFFIX,bilibili.com,DIRECT,tcp
  - DOMAIN-SUFFIX,bilibili.com,REJECT,udp
-    
+
  # multiport condition for rules SRC-PORT and DST-PORT
  - DST-PORT,123/136/137-139,DIRECT,udp
-  
+
  # rule GEOSITE
  - GEOSITE,category-ads-all,REJECT
  - GEOSITE,icloud@cn,DIRECT
@ -142,18 +153,17 @@ rules:
  - GEOSITE,youtube,PROXY
  - GEOSITE,geolocation-cn,DIRECT
  - GEOSITE,geolocation-!cn,PROXY
-    
+
  # source IPCIDR condition for all rules in gateway proxy
  #- GEOSITE,geolocation-!cn,REJECT,192.168.1.88/32,192.168.1.99/32

  - GEOIP,telegram,PROXY,no-resolve
  - GEOIP,private,DIRECT,no-resolve
  - GEOIP,cn,DIRECT
-  
+
  - MATCH,PROXY
 ```

-
 ### Proxies configuration

 Active health detection `urltest / fallback` (based on tcp handshake, multiple failures within a limited time will actively trigger health detection to use the node)
@ -162,18 +172,17 @@ Support `Policy Group Filter`

 ```yaml
 proxy-groups:
-
  - name: 🚀 HK Group
    type: select
    use:
      - ALL
-    filter: 'HK'
+    filter: "HK"

  - name: 🚀 US Group
    type: select
    use:
      - ALL
-    filter: 'US'
+    filter: "US"

 proxy-providers:
  ALL:
@ -185,14 +194,12 @@ proxy-providers:
      enable: true
      interval: 600
      url: http://www.gstatic.com/generate_204
-
 ```

-
-
 Support outbound transport protocol `VLESS`.

 The XTLS support (TCP/UDP) transport by the XRAY-CORE.
+
 ```yaml
 proxies:
  - name: "vless"
@ -203,7 +210,7 @@ proxies:
    servername: example.com # AKA SNI
    # flow: xtls-rprx-direct # xtls-rprx-origin  # enable XTLS
    # skip-cert-verify: true
-    
+
  - name: "vless-ws"
    type: vless
    server: server
@ -228,12 +235,12 @@ proxies:
    network: grpc
    servername: example.com # priority over wss host
    # skip-cert-verify: true
-    grpc-opts: 
+    grpc-opts:
      grpc-service-name: grpcname
 ```

-
 Support outbound transport protocol `Wireguard`
+
 ```yaml
 proxies:
  - name: "wg"
@ -248,6 +255,7 @@ proxies:
 ```

 Support outbound transport protocol `Tuic`
+
 ```yaml
 proxies:
  - name: "tuic"
@ -266,11 +274,11 @@ proxies:
    # max-udp-relay-packet-size: 1500
    # fast-open: true
    # skip-cert-verify: true
-
-```
+``` -->

 ### IPTABLES configuration
-Work on Linux OS who's supported `iptables`
+
+Work on Linux OS which supported `iptables`

 ```yaml
 # Enable the TPROXY listener
@ -281,17 +289,15 @@ iptables:
  inbound-interface: eth0 # detect the inbound interface, default is 'lo'
 ```

+### General installation guide for Linux

-### General installation guide for Linux  
-+ Create user given name `clash-meta`
+- Create user given name `clash-meta`

-+ Download and decompress pre-built binaries from [releases](https://github.com/MetaCubeX/Clash.Meta/releases)  
-
-+ Rename executable file to `Clash-Meta` and move to `/usr/local/bin/` 
-
-+ Create folder `/etc/Clash-Meta/` as working directory 
+- Download and decompress pre-built binaries from [releases](https://github.com/MetaCubeX/Clash.Meta/releases)

+- Rename executable file to `Clash-Meta` and move to `/usr/local/bin/`

+- Create folder `/etc/Clash-Meta/` as working directory

 Run Meta Kernel by user `clash-meta` as a daemon.

@ -317,10 +323,13 @@ ExecStart=/usr/local/bin/Clash-Meta -d /etc/Clash-Meta
 [Install]
 WantedBy=multi-user.target
 ```
+
 Launch clashd on system startup with:
+
 ```shell
 $ systemctl enable Clash-Meta
 ```
+
 Launch clashd immediately with:

 ```shell
@ -331,23 +340,29 @@ $ systemctl start Clash-Meta

 Clash add field `Process` to `Metadata` and prepare to get process name for Restful API `GET /connections`.

-To display process name in GUI please use [Dashboard For Meta](https://github.com/MetaCubeX/clash-dashboard).
+To display process name in GUI please use [Razord-meta](https://github.com/MetaCubeX/Razord-meta).

-![img.png](https://github.com/Clash-Mini/Dashboard/raw/master/View/Dashboard-Process.png)
+### Dashboard
+
+We also made a custom fork of yacd provide better support for this project, check it out at [Yacd-meta](https://github.com/MetaCubeX/Yacd-meta)

 ## Development

 If you want to build an application that uses clash as a library, check out the
 the [GitHub Wiki](https://github.com/Dreamacro/clash/wiki/use-clash-as-a-library)

+## Debugging
+Check [wiki](https://github.com/MetaCubeX/Clash.Meta/wiki/How-to-use-debug-api) to get an instruction on using debug API.
+
+
 ## Credits

-* [Dreamacro/clash](https://github.com/Dreamacro/clash)
-* [SagerNet/sing-box](https://github.com/SagerNet/sing-box)
-* [riobard/go-shadowsocks2](https://github.com/riobard/go-shadowsocks2)
-* [v2ray/v2ray-core](https://github.com/v2ray/v2ray-core)
-* [WireGuard/wireguard-go](https://github.com/WireGuard/wireguard-go)
-* [yaling888/clash-plus-pro](https://github.com/yaling888/clash)
+- [Dreamacro/clash](https://github.com/Dreamacro/clash)
+- [SagerNet/sing-box](https://github.com/SagerNet/sing-box)
+- [riobard/go-shadowsocks2](https://github.com/riobard/go-shadowsocks2)
+- [v2ray/v2ray-core](https://github.com/v2ray/v2ray-core)
+- [WireGuard/wireguard-go](https://github.com/WireGuard/wireguard-go)
+- [yaling888/clash-plus-pro](https://github.com/yaling888/clash)

 ## License

--- a/adapter/adapter.go
+++ b/adapter/adapter.go
@ -4,16 +4,16 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"github.com/Dreamacro/clash/common/queue"
-	"github.com/Dreamacro/clash/component/dialer"
-	C "github.com/Dreamacro/clash/constant"
 	"net"
 	"net/http"
 	"net/netip"
 	"net/url"
 	"time"

-	"go.uber.org/atomic"
+	"github.com/Dreamacro/clash/common/atomic"
+	"github.com/Dreamacro/clash/common/queue"
+	"github.com/Dreamacro/clash/component/dialer"
+	C "github.com/Dreamacro/clash/constant"
 )

 var UnifiedDelay = atomic.NewBool(false)
@ -92,6 +92,7 @@ func (p *Proxy) MarshalJSON() ([]byte, error) {
 	mapping["history"] = p.DelayHistory()
 	mapping["name"] = p.Name()
 	mapping["udp"] = p.SupportUDP()
+	mapping["xudp"] = p.SupportXUDP()
 	mapping["tfo"] = p.SupportTFO()
 	return json.Marshal(mapping)
 }
--- a/adapter/inbound/http.go
+++ b/adapter/inbound/http.go
@ -16,11 +16,11 @@ func NewHTTP(target socks5.Addr, source net.Addr, conn net.Conn, additions ...Ad
 	for _, addition := range additions {
 		addition.Apply(metadata)
 	}
-	if ip, port, err := parseAddr(source.String()); err == nil {
+	if ip, port, err := parseAddr(source); err == nil {
 		metadata.SrcIP = ip
 		metadata.SrcPort = port
 	}
-	if ip, port, err := parseAddr(conn.LocalAddr().String()); err == nil {
+	if ip, port, err := parseAddr(conn.LocalAddr()); err == nil {
 		metadata.InIP = ip
 		metadata.InPort = port
 	}
--- a/adapter/inbound/https.go
+++ b/adapter/inbound/https.go
@ -15,11 +15,11 @@ func NewHTTPS(request *http.Request, conn net.Conn, additions ...Addition) *cont
 	for _, addition := range additions {
 		addition.Apply(metadata)
 	}
-	if ip, port, err := parseAddr(conn.RemoteAddr().String()); err == nil {
+	if ip, port, err := parseAddr(conn.RemoteAddr()); err == nil {
 		metadata.SrcIP = ip
 		metadata.SrcPort = port
 	}
-	if ip, port, err := parseAddr(conn.LocalAddr().String()); err == nil {
+	if ip, port, err := parseAddr(conn.LocalAddr()); err == nil {
 		metadata.InIP = ip
 		metadata.InPort = port
 	}
--- a/adapter/inbound/listen.go
+++ b/adapter/inbound/listen.go
@ -4,7 +4,7 @@ import (
 	"context"
 	"net"

-	"github.com/database64128/tfo-go/v2"
+	"github.com/sagernet/tfo-go"
 )

 var (
--- a/adapter/inbound/packet.go
+++ b/adapter/inbound/packet.go
@ -24,12 +24,12 @@ func NewPacket(target socks5.Addr, packet C.UDPPacket, source C.Type, additions
 	for _, addition := range additions {
 		addition.Apply(metadata)
 	}
-	if ip, port, err := parseAddr(packet.LocalAddr().String()); err == nil {
+	if ip, port, err := parseAddr(packet.LocalAddr()); err == nil {
 		metadata.SrcIP = ip
 		metadata.SrcPort = port
 	}
 	if p, ok := packet.(C.UDPPacketInAddr); ok {
-		if ip, port, err := parseAddr(p.InAddr().String()); err == nil {
+		if ip, port, err := parseAddr(p.InAddr()); err == nil {
 			metadata.InIP = ip
 			metadata.InPort = port
 		}
--- a/adapter/inbound/socket.go
+++ b/adapter/inbound/socket.go
@ -18,22 +18,13 @@ func NewSocket(target socks5.Addr, conn net.Conn, source C.Type, additions ...Ad
 		addition.Apply(metadata)
 	}

-	remoteAddr := conn.RemoteAddr()
-
-	// Filter when net.Addr interface is nil
-	if remoteAddr != nil {
-		if ip, port, err := parseAddr(remoteAddr.String()); err == nil {
-			metadata.SrcIP = ip
-			metadata.SrcPort = port
-		}
+	if ip, port, err := parseAddr(conn.RemoteAddr()); err == nil {
+		metadata.SrcIP = ip
+		metadata.SrcPort = port
 	}
-	localAddr := conn.LocalAddr()
-	// Filter when net.Addr interface is nil
-	if localAddr != nil {
-		if ip, port, err := parseAddr(localAddr.String()); err == nil {
-			metadata.InIP = ip
-			metadata.InPort = port
-		}
+	if ip, port, err := parseAddr(conn.LocalAddr()); err == nil {
+		metadata.InIP = ip
+		metadata.InPort = port
 	}

 	return context.NewConnContext(conn, metadata)
@ -43,7 +34,7 @@ func NewInner(conn net.Conn, dst string, host string) *context.ConnContext {
 	metadata := &C.Metadata{}
 	metadata.NetWork = C.TCP
 	metadata.Type = C.INNER
-	metadata.DNSMode = C.DNSMapping
+	metadata.DNSMode = C.DNSNormal
 	metadata.Host = host
 	metadata.Process = C.ClashName
 	if h, port, err := net.SplitHostPort(dst); err == nil {
@ -51,6 +42,8 @@ func NewInner(conn net.Conn, dst string, host string) *context.ConnContext {
 		if host == "" {
 			if ip, err := netip.ParseAddr(h); err == nil {
 				metadata.DstIP = ip
+			} else {
+				metadata.Host = h
 			}
 		}
 	}
--- a/adapter/inbound/util.go
+++ b/adapter/inbound/util.go
@ -1,13 +1,14 @@
 package inbound

 import (
-	"github.com/Dreamacro/clash/common/nnip"
+	"errors"
 	"net"
 	"net/http"
 	"net/netip"
 	"strconv"
 	"strings"

+	"github.com/Dreamacro/clash/common/nnip"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/socks5"
 )
@ -57,8 +58,19 @@ func parseHTTPAddr(request *http.Request) *C.Metadata {
 	return metadata
 }

-func parseAddr(addr string) (netip.Addr, string, error) {
-	host, port, err := net.SplitHostPort(addr)
+func parseAddr(addr net.Addr) (netip.Addr, string, error) {
+	// Filter when net.Addr interface is nil
+	if addr == nil {
+		return netip.Addr{}, "", errors.New("nil addr")
+	}
+	if rawAddr, ok := addr.(interface{ RawAddr() net.Addr }); ok {
+		ip, port, err := parseAddr(rawAddr.RawAddr())
+		if err == nil {
+			return ip, port, err
+		}
+	}
+	addrStr := addr.String()
+	host, port, err := net.SplitHostPort(addrStr)
 	if err != nil {
 		return netip.Addr{}, "", err
 	}
--- a/adapter/outbound/base.go
+++ b/adapter/outbound/base.go
@ -3,11 +3,12 @@ package outbound
 import (
 	"context"
 	"encoding/json"
-	"errors"
-	"github.com/gofrs/uuid"
 	"net"
 	"strings"
+	"syscall"

+	N "github.com/Dreamacro/clash/common/net"
+	"github.com/Dreamacro/clash/common/utils"
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
 )
@ -18,6 +19,7 @@ type Base struct {
 	iface  string
 	tp     C.AdapterType
 	udp    bool
+	xudp   bool
 	tfo    bool
 	rmark  int
 	id     string
@ -32,12 +34,7 @@ func (b *Base) Name() string {
 // Id implements C.ProxyAdapter
 func (b *Base) Id() string {
 	if b.id == "" {
-		id, err := uuid.NewV6()
-		if err != nil {
-			b.id = b.name
-		} else {
-			b.id = id.String()
-		}
+		b.id = utils.NewUUIDV6().String()
 	}

 	return b.id
@ -50,31 +47,31 @@ func (b *Base) Type() C.AdapterType {

 // StreamConn implements C.ProxyAdapter
 func (b *Base) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
-	return c, errors.New("no support")
+	return c, C.ErrNotSupport
 }

 func (b *Base) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
-	return nil, errors.New("no support")
+	return nil, C.ErrNotSupport
 }

 // DialContextWithDialer implements C.ProxyAdapter
 func (b *Base) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.Conn, err error) {
-	return nil, errors.New("no support")
+	return nil, C.ErrNotSupport
 }

 // ListenPacketContext implements C.ProxyAdapter
 func (b *Base) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
-	return nil, errors.New("no support")
+	return nil, C.ErrNotSupport
 }

 // ListenPacketWithDialer implements C.ProxyAdapter
 func (b *Base) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.PacketConn, err error) {
-	return nil, errors.New("no support")
+	return nil, C.ErrNotSupport
 }

 // SupportWithDialer implements C.ProxyAdapter
-func (b *Base) SupportWithDialer() bool {
-	return false
+func (b *Base) SupportWithDialer() C.NetWork {
+	return C.InvalidNet
 }

 // SupportUOT implements C.ProxyAdapter
@ -87,11 +84,21 @@ func (b *Base) SupportUDP() bool {
 	return b.udp
 }

+// SupportXUDP implements C.ProxyAdapter
+func (b *Base) SupportXUDP() bool {
+	return b.xudp
+}
+
 // SupportTFO implements C.ProxyAdapter
 func (b *Base) SupportTFO() bool {
 	return b.tfo
 }

+// IsL3Protocol implements C.ProxyAdapter
+func (b *Base) IsL3Protocol(metadata *C.Metadata) bool {
+	return false
+}
+
 // MarshalJSON implements C.ProxyAdapter
 func (b *Base) MarshalJSON() ([]byte, error) {
 	return json.Marshal(map[string]string{
@ -132,13 +139,19 @@ func (b *Base) DialOptions(opts ...dialer.Option) []dialer.Option {
 	default:
 	}

+	if b.tfo {
+		opts = append(opts, dialer.WithTFO(true))
+	}
+
 	return opts
 }

 type BasicOption struct {
+	TFO         bool   `proxy:"tfo,omitempty" group:"tfo,omitempty"`
 	Interface   string `proxy:"interface-name,omitempty" group:"interface-name,omitempty"`
 	RoutingMark int    `proxy:"routing-mark,omitempty" group:"routing-mark,omitempty"`
 	IPVersion   string `proxy:"ip-version,omitempty" group:"ip-version,omitempty"`
+	DialerProxy string `proxy:"dialer-proxy,omitempty"` // don't apply this option into groups, but can set a group name in a proxy
 }

 type BaseOption struct {
@ -146,6 +159,7 @@ type BaseOption struct {
 	Addr        string
 	Type        C.AdapterType
 	UDP         bool
+	XUDP        bool
 	TFO         bool
 	Interface   string
 	RoutingMark int
@ -158,6 +172,7 @@ func NewBase(opt BaseOption) *Base {
 		addr:   opt.Addr,
 		tp:     opt.Type,
 		udp:    opt.UDP,
+		xudp:   opt.XUDP,
 		tfo:    opt.TFO,
 		iface:  opt.Interface,
 		rmark:  opt.RoutingMark,
@ -166,7 +181,7 @@ func NewBase(opt BaseOption) *Base {
 }

 type conn struct {
-	net.Conn
+	N.ExtendedConn
 	chain                   C.Chain
 	actualRemoteDestination string
 }
@ -185,13 +200,30 @@ func (c *conn) AppendToChains(a C.ProxyAdapter) {
 	c.chain = append(c.chain, a.Name())
 }

+func (c *conn) Upstream() any {
+	return c.ExtendedConn
+}
+
+func (c *conn) WriterReplaceable() bool {
+	return true
+}
+
+func (c *conn) ReaderReplaceable() bool {
+	return true
+}
+
 func NewConn(c net.Conn, a C.ProxyAdapter) C.Conn {
-	return &conn{c, []string{a.Name()}, parseRemoteDestination(a.Addr())}
+	if _, ok := c.(syscall.Conn); !ok { // exclusion system conn like *net.TCPConn
+		c = N.NewDeadlineConn(c) // most conn from outbound can't handle readDeadline correctly
+	}
+	return &conn{N.NewExtendedConn(c), []string{a.Name()}, parseRemoteDestination(a.Addr())}
 }

 type packetConn struct {
 	net.PacketConn
 	chain                   C.Chain
+	adapterName             string
+	connID                  string
 	actualRemoteDestination string
 }

@ -209,8 +241,16 @@ func (c *packetConn) AppendToChains(a C.ProxyAdapter) {
 	c.chain = append(c.chain, a.Name())
 }

+func (c *packetConn) LocalAddr() net.Addr {
+	lAddr := c.PacketConn.LocalAddr()
+	return N.NewCustomAddr(c.adapterName, c.connID, lAddr) // make quic-go's connMultiplexer happy
+}
+
 func newPacketConn(pc net.PacketConn, a C.ProxyAdapter) C.PacketConn {
-	return &packetConn{pc, []string{a.Name()}, parseRemoteDestination(a.Addr())}
+	if _, ok := pc.(syscall.Conn); !ok { // exclusion system conn like *net.UDPConn
+		pc = N.NewDeadlinePacketConn(pc) // most conn from outbound can't handle readDeadline correctly
+	}
+	return &packetConn{pc, []string{a.Name()}, a.Name(), utils.NewUUIDV4().String(), parseRemoteDestination(a.Addr())}
 }

 func parseRemoteDestination(addr string) string {
--- a/adapter/outbound/direct.go
+++ b/adapter/outbound/direct.go
@ -2,6 +2,7 @@ package outbound

 import (
 	"context"
+	"errors"
 	"net"

 	"github.com/Dreamacro/clash/component/dialer"
@ -26,7 +27,14 @@ func (d *Direct) DialContext(ctx context.Context, metadata *C.Metadata, opts ...

 // ListenPacketContext implements C.ProxyAdapter
 func (d *Direct) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
-	opts = append(opts, dialer.WithResolver(resolver.DefaultResolver))
+	// net.UDPConn.WriteTo only working with *net.UDPAddr, so we need a net.UDPAddr
+	if !metadata.Resolved() {
+		ip, err := resolver.ResolveIPWithResolver(ctx, metadata.Host, resolver.DefaultResolver)
+		if err != nil {
+			return nil, errors.New("can't resolve ip")
+		}
+		metadata.DstIP = ip
+	}
 	pc, err := dialer.ListenPacket(ctx, dialer.ParseNetwork("udp", metadata.DstIP), "", d.Base.DialOptions(opts...)...)
 	if err != nil {
 		return nil, err
--- a/adapter/outbound/http.go
+++ b/adapter/outbound/http.go
@ -7,7 +7,6 @@ import (
 	"encoding/base64"
 	"errors"
 	"fmt"
-	tlsC "github.com/Dreamacro/clash/component/tls"
 	"io"
 	"net"
 	"net/http"
@ -15,6 +14,8 @@ import (
 	"strconv"

 	"github.com/Dreamacro/clash/component/dialer"
+	"github.com/Dreamacro/clash/component/proxydialer"
+	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
 )

@ -66,6 +67,12 @@ func (h *Http) DialContext(ctx context.Context, metadata *C.Metadata, opts ...di

 // DialContextWithDialer implements C.ProxyAdapter
 func (h *Http) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.Conn, err error) {
+	if len(h.option.DialerProxy) > 0 {
+		dialer, err = proxydialer.NewByName(h.option.DialerProxy, dialer)
+		if err != nil {
+			return nil, err
+		}
+	}
 	c, err := dialer.DialContext(ctx, "tcp", h.addr)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", h.addr, err)
@ -85,8 +92,8 @@ func (h *Http) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metad
 }

 // SupportWithDialer implements C.ProxyAdapter
-func (h *Http) SupportWithDialer() bool {
-	return true
+func (h *Http) SupportWithDialer() C.NetWork {
+	return C.TCP
 }

 func (h *Http) shakeHand(metadata *C.Metadata, rw io.ReadWriter) error {
@ -150,7 +157,7 @@ func NewHttp(option HttpOption) (*Http, error) {
 			sni = option.SNI
 		}
 		if len(option.Fingerprint) == 0 {
-			tlsConfig = tlsC.GetGlobalFingerprintTLCConfig(&tls.Config{
+			tlsConfig = tlsC.GetGlobalTLSConfig(&tls.Config{
 				InsecureSkipVerify: option.SkipCertVerify,
 				ServerName:         sni,
 			})
@ -170,6 +177,7 @@ func NewHttp(option HttpOption) (*Http, error) {
 			name:   option.Name,
 			addr:   net.JoinHostPort(option.Server, strconv.Itoa(option.Port)),
 			tp:     C.Http,
+			tfo:    option.TFO,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
--- a/adapter/outbound/hysteria.go
+++ b/adapter/outbound/hysteria.go
@ -20,6 +20,7 @@ import (
 	M "github.com/sagernet/sing/common/metadata"

 	"github.com/Dreamacro/clash/component/dialer"
+	"github.com/Dreamacro/clash/component/proxydialer"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/log"
@ -28,6 +29,7 @@ import (
 	"github.com/Dreamacro/clash/transport/hysteria/obfs"
 	"github.com/Dreamacro/clash/transport/hysteria/pmtud_fix"
 	"github.com/Dreamacro/clash/transport/hysteria/transport"
+	"github.com/Dreamacro/clash/transport/hysteria/utils"
 )

 const (
@ -46,21 +48,12 @@ var rateStringRegexp = regexp.MustCompile(`^(\d+)\s*([KMGT]?)([Bb])ps$`)
 type Hysteria struct {
 	*Base

+	option *HysteriaOption
 	client *core.Client
 }

 func (h *Hysteria) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
-	hdc := hyDialerWithContext{
-		ctx: context.Background(),
-		hyDialer: func(network string) (net.PacketConn, error) {
-			return dialer.ListenPacket(ctx, network, "", h.Base.DialOptions(opts...)...)
-		},
-		remoteAddr: func(addr string) (net.Addr, error) {
-			return resolveUDPAddrWithPrefer(ctx, "udp", addr, h.prefer)
-		},
-	}
-
-	tcpConn, err := h.client.DialTCP(metadata.RemoteAddress(), &hdc)
+	tcpConn, err := h.client.DialTCP(metadata.RemoteAddress(), h.genHdc(ctx, opts...))
 	if err != nil {
 		return nil, err
 	}
@ -69,20 +62,32 @@ func (h *Hysteria) DialContext(ctx context.Context, metadata *C.Metadata, opts .
 }

 func (h *Hysteria) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
-	hdc := hyDialerWithContext{
+	udpConn, err := h.client.DialUDP(h.genHdc(ctx, opts...))
+	if err != nil {
+		return nil, err
+	}
+	return newPacketConn(&hyPacketConn{udpConn}, h), nil
+}
+
+func (h *Hysteria) genHdc(ctx context.Context, opts ...dialer.Option) utils.PacketDialer {
+	return &hyDialerWithContext{
 		ctx: context.Background(),
 		hyDialer: func(network string) (net.PacketConn, error) {
-			return dialer.ListenPacket(ctx, network, "", h.Base.DialOptions(opts...)...)
+			var err error
+			var cDialer C.Dialer = dialer.NewDialer(h.Base.DialOptions(opts...)...)
+			if len(h.option.DialerProxy) > 0 {
+				cDialer, err = proxydialer.NewByName(h.option.DialerProxy, cDialer)
+				if err != nil {
+					return nil, err
+				}
+			}
+			rAddrPort, _ := netip.ParseAddrPort(h.Addr())
+			return cDialer.ListenPacket(ctx, network, "", rAddrPort)
 		},
 		remoteAddr: func(addr string) (net.Addr, error) {
 			return resolveUDPAddrWithPrefer(ctx, "udp", addr, h.prefer)
 		},
 	}
-	udpConn, err := h.client.DialUDP(&hdc)
-	if err != nil {
-		return nil, err
-	}
-	return newPacketConn(&hyPacketConn{udpConn}, h), nil
 }

 type HysteriaOption struct {
@ -178,7 +183,7 @@ func NewHysteria(option HysteriaOption) (*Hysteria, error) {
 			return nil, err
 		}
 	} else {
-		tlsConfig = tlsC.GetGlobalFingerprintTLCConfig(tlsConfig)
+		tlsConfig = tlsC.GetGlobalTLSConfig(tlsConfig)
 	}

 	if len(option.ALPN) > 0 {
@ -258,6 +263,7 @@ func NewHysteria(option HysteriaOption) (*Hysteria, error) {
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
+		option: &option,
 		client: client,
 	}, nil
 }
--- a/adapter/outbound/reality.go
+++ b/adapter/outbound/reality.go
@ -0,0 +1,35 @@
+package outbound
+
+import (
+	"encoding/base64"
+	"encoding/hex"
+	"errors"
+
+	tlsC "github.com/Dreamacro/clash/component/tls"
+
+	"golang.org/x/crypto/curve25519"
+)
+
+type RealityOptions struct {
+	PublicKey string `proxy:"public-key"`
+	ShortID   string `proxy:"short-id"`
+}
+
+func (o RealityOptions) Parse() (*tlsC.RealityConfig, error) {
+	if o.PublicKey != "" {
+		config := new(tlsC.RealityConfig)
+
+		n, err := base64.RawURLEncoding.Decode(config.PublicKey[:], []byte(o.PublicKey))
+		if err != nil || n != curve25519.ScalarSize {
+			return nil, errors.New("invalid REALITY public key")
+		}
+
+		n, err = hex.Decode(config.ShortID[:], []byte(o.ShortID))
+		if err != nil || n > tlsC.RealityMaxShortIDLen {
+			return nil, errors.New("invalid REALITY short ID")
+		}
+
+		return config, nil
+	}
+	return nil, nil
+}
--- a/adapter/outbound/reject.go
+++ b/adapter/outbound/reject.go
@ -6,6 +6,7 @@ import (
 	"net"
 	"time"

+	"github.com/Dreamacro/clash/common/buf"
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
 )
@ -16,12 +17,12 @@ type Reject struct {

 // DialContext implements C.ProxyAdapter
 func (r *Reject) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
-	return NewConn(&nopConn{}, r), nil
+	return NewConn(nopConn{}, r), nil
 }

 // ListenPacketContext implements C.ProxyAdapter
 func (r *Reject) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
-	return newPacketConn(&nopPacketConn{}, r), nil
+	return newPacketConn(nopPacketConn{}, r), nil
 }

 func NewReject() *Reject {
@ -48,27 +49,37 @@ func NewPass() *Reject {

 type nopConn struct{}

-func (rw *nopConn) Read(b []byte) (int, error) {
+func (rw nopConn) Read(b []byte) (int, error) {
 	return 0, io.EOF
 }

-func (rw *nopConn) Write(b []byte) (int, error) {
+func (rw nopConn) ReadBuffer(buffer *buf.Buffer) error {
+	return io.EOF
+}
+
+func (rw nopConn) Write(b []byte) (int, error) {
 	return 0, io.EOF
 }

-func (rw *nopConn) Close() error                     { return nil }
-func (rw *nopConn) LocalAddr() net.Addr              { return nil }
-func (rw *nopConn) RemoteAddr() net.Addr             { return nil }
-func (rw *nopConn) SetDeadline(time.Time) error      { return nil }
-func (rw *nopConn) SetReadDeadline(time.Time) error  { return nil }
-func (rw *nopConn) SetWriteDeadline(time.Time) error { return nil }
+func (rw nopConn) WriteBuffer(buffer *buf.Buffer) error {
+	return io.EOF
+}
+
+func (rw nopConn) Close() error                     { return nil }
+func (rw nopConn) LocalAddr() net.Addr              { return nil }
+func (rw nopConn) RemoteAddr() net.Addr             { return nil }
+func (rw nopConn) SetDeadline(time.Time) error      { return nil }
+func (rw nopConn) SetReadDeadline(time.Time) error  { return nil }
+func (rw nopConn) SetWriteDeadline(time.Time) error { return nil }
+
+var udpAddrIPv4Unspecified = &net.UDPAddr{IP: net.IPv4zero, Port: 0}

 type nopPacketConn struct{}

-func (npc *nopPacketConn) WriteTo(b []byte, addr net.Addr) (n int, err error) { return len(b), nil }
-func (npc *nopPacketConn) ReadFrom(b []byte) (int, net.Addr, error)           { return 0, nil, io.EOF }
-func (npc *nopPacketConn) Close() error                                       { return nil }
-func (npc *nopPacketConn) LocalAddr() net.Addr                                { return &net.UDPAddr{IP: net.IPv4zero, Port: 0} }
-func (npc *nopPacketConn) SetDeadline(time.Time) error                        { return nil }
-func (npc *nopPacketConn) SetReadDeadline(time.Time) error                    { return nil }
-func (npc *nopPacketConn) SetWriteDeadline(time.Time) error                   { return nil }
+func (npc nopPacketConn) WriteTo(b []byte, addr net.Addr) (n int, err error) { return len(b), nil }
+func (npc nopPacketConn) ReadFrom(b []byte) (int, net.Addr, error)           { return 0, nil, io.EOF }
+func (npc nopPacketConn) Close() error                                       { return nil }
+func (npc nopPacketConn) LocalAddr() net.Addr                                { return udpAddrIPv4Unspecified }
+func (npc nopPacketConn) SetDeadline(time.Time) error                        { return nil }
+func (npc nopPacketConn) SetReadDeadline(time.Time) error                    { return nil }
+func (npc nopPacketConn) SetWriteDeadline(time.Time) error                   { return nil }
--- a/adapter/outbound/shadowsocks.go
+++ b/adapter/outbound/shadowsocks.go
@ -6,15 +6,22 @@ import (
 	"fmt"
 	"net"
 	"strconv"
+	"time"

+	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/common/structure"
 	"github.com/Dreamacro/clash/component/dialer"
+	"github.com/Dreamacro/clash/component/proxydialer"
+	"github.com/Dreamacro/clash/component/resolver"
 	C "github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/transport/restls"
 	obfs "github.com/Dreamacro/clash/transport/simple-obfs"
+	shadowtls "github.com/Dreamacro/clash/transport/sing-shadowtls"
 	"github.com/Dreamacro/clash/transport/socks5"
 	v2rayObfs "github.com/Dreamacro/clash/transport/v2ray-plugin"

-	"github.com/metacubex/sing-shadowsocks"
+	restlsC "github.com/3andne/restls-client-go"
+	shadowsocks "github.com/metacubex/sing-shadowsocks"
 	"github.com/metacubex/sing-shadowsocks/shadowimpl"
 	"github.com/sagernet/sing/common/bufio"
 	M "github.com/sagernet/sing/common/metadata"
@ -27,22 +34,26 @@ type ShadowSocks struct {

 	option *ShadowSocksOption
 	// obfs
-	obfsMode    string
-	obfsOption  *simpleObfsOption
-	v2rayOption *v2rayObfs.Option
+	obfsMode        string
+	obfsOption      *simpleObfsOption
+	v2rayOption     *v2rayObfs.Option
+	shadowTLSOption *shadowtls.ShadowTLSOption
+	restlsConfig    *restlsC.Config
 }

 type ShadowSocksOption struct {
 	BasicOption
-	Name       string         `proxy:"name"`
-	Server     string         `proxy:"server"`
-	Port       int            `proxy:"port"`
-	Password   string         `proxy:"password"`
-	Cipher     string         `proxy:"cipher"`
-	UDP        bool           `proxy:"udp,omitempty"`
-	Plugin     string         `proxy:"plugin,omitempty"`
-	PluginOpts map[string]any `proxy:"plugin-opts,omitempty"`
-	UDPOverTCP bool           `proxy:"udp-over-tcp,omitempty"`
+	Name              string         `proxy:"name"`
+	Server            string         `proxy:"server"`
+	Port              int            `proxy:"port"`
+	Password          string         `proxy:"password"`
+	Cipher            string         `proxy:"cipher"`
+	UDP               bool           `proxy:"udp,omitempty"`
+	Plugin            string         `proxy:"plugin,omitempty"`
+	PluginOpts        map[string]any `proxy:"plugin-opts,omitempty"`
+	UDPOverTCP        bool           `proxy:"udp-over-tcp,omitempty"`
+	UDPOverTCPVersion int            `proxy:"udp-over-tcp-version,omitempty"`
+	ClientFingerprint string         `proxy:"client-fingerprint,omitempty"`
 }

 type simpleObfsOption struct {
@ -61,8 +72,31 @@ type v2rayObfsOption struct {
 	Mux            bool              `obfs:"mux,omitempty"`
 }

+type shadowTLSOption struct {
+	Password       string `obfs:"password"`
+	Host           string `obfs:"host"`
+	Fingerprint    string `obfs:"fingerprint,omitempty"`
+	SkipCertVerify bool   `obfs:"skip-cert-verify,omitempty"`
+	Version        int    `obfs:"version,omitempty"`
+}
+
+type restlsOption struct {
+	Password     string `obfs:"password"`
+	Host         string `obfs:"host"`
+	VersionHint  string `obfs:"version-hint"`
+	RestlsScript string `obfs:"restls-script,omitempty"`
+}
+
 // StreamConn implements C.ProxyAdapter
 func (ss *ShadowSocks) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+	// fix tls handshake not timeout
+	ctx, cancel := context.WithTimeout(context.Background(), C.DefaultTLSTimeout)
+	defer cancel()
+	return ss.StreamConnContext(ctx, c, metadata)
+}
+
+func (ss *ShadowSocks) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+	useEarly := false
 	switch ss.obfsMode {
 	case "tls":
 		c = obfs.NewTLSObfs(c, ss.obfsOption.Host)
@ -75,11 +109,35 @@ func (ss *ShadowSocks) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, e
 		if err != nil {
 			return nil, fmt.Errorf("%s connect error: %w", ss.addr, err)
 		}
+	case shadowtls.Mode:
+		var err error
+		c, err = shadowtls.NewShadowTLS(ctx, c, ss.shadowTLSOption)
+		if err != nil {
+			return nil, err
+		}
+		useEarly = true
+	case restls.Mode:
+		var err error
+		c, err = restls.NewRestls(ctx, c, ss.restlsConfig)
+		if err != nil {
+			return nil, fmt.Errorf("%s (restls) connect error: %w", ss.addr, err)
+		}
+		useEarly = true
 	}
+	useEarly = useEarly || N.NeedHandshake(c)
 	if metadata.NetWork == C.UDP && ss.option.UDPOverTCP {
-		return ss.method.DialConn(c, M.ParseSocksaddr(uot.UOTMagicAddress+":443"))
+		uotDestination := uot.RequestDestination(uint8(ss.option.UDPOverTCPVersion))
+		if useEarly {
+			return ss.method.DialEarlyConn(c, uotDestination), nil
+		} else {
+			return ss.method.DialConn(c, uotDestination)
+		}
+	}
+	if useEarly {
+		return ss.method.DialEarlyConn(c, M.ParseSocksaddr(metadata.RemoteAddress())), nil
+	} else {
+		return ss.method.DialConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
 	}
-	return ss.method.DialConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
 }

 // DialContext implements C.ProxyAdapter
@ -89,6 +147,12 @@ func (ss *ShadowSocks) DialContext(ctx context.Context, metadata *C.Metadata, op

 // DialContextWithDialer implements C.ProxyAdapter
 func (ss *ShadowSocks) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.Conn, err error) {
+	if len(ss.option.DialerProxy) > 0 {
+		dialer, err = proxydialer.NewByName(ss.option.DialerProxy, dialer)
+		if err != nil {
+			return nil, err
+		}
+	}
 	c, err := dialer.DialContext(ctx, "tcp", ss.addr)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", ss.addr, err)
@ -99,7 +163,7 @@ func (ss *ShadowSocks) DialContextWithDialer(ctx context.Context, dialer C.Diale
 		safeConnClose(c, err)
 	}(c)

-	c, err = ss.StreamConn(c, metadata)
+	c, err = ss.StreamConnContext(ctx, c, metadata)
 	return NewConn(c, ss), err
 }

@ -110,12 +174,18 @@ func (ss *ShadowSocks) ListenPacketContext(ctx context.Context, metadata *C.Meta

 // ListenPacketWithDialer implements C.ProxyAdapter
 func (ss *ShadowSocks) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.PacketConn, err error) {
+	if len(ss.option.DialerProxy) > 0 {
+		dialer, err = proxydialer.NewByName(ss.option.DialerProxy, dialer)
+		if err != nil {
+			return nil, err
+		}
+	}
 	if ss.option.UDPOverTCP {
 		tcpConn, err := ss.DialContextWithDialer(ctx, dialer, metadata)
 		if err != nil {
 			return nil, err
 		}
-		return newPacketConn(uot.NewClientConn(tcpConn), ss), nil
+		return ss.ListenPacketOnStreamConn(ctx, tcpConn, metadata)
 	}
 	addr, err := resolveUDPAddrWithPrefer(ctx, "udp", ss.addr, ss.prefer)
 	if err != nil {
@ -126,21 +196,35 @@ func (ss *ShadowSocks) ListenPacketWithDialer(ctx context.Context, dialer C.Dial
 	if err != nil {
 		return nil, err
 	}
-	pc = ss.method.DialPacketConn(&bufio.BindPacketConn{PacketConn: pc, Addr: addr})
+	pc = ss.method.DialPacketConn(bufio.NewBindPacketConn(pc, addr))
 	return newPacketConn(pc, ss), nil
 }

 // SupportWithDialer implements C.ProxyAdapter
-func (ss *ShadowSocks) SupportWithDialer() bool {
-	return true
+func (ss *ShadowSocks) SupportWithDialer() C.NetWork {
+	return C.ALLNet
 }

 // ListenPacketOnStreamConn implements C.ProxyAdapter
-func (ss *ShadowSocks) ListenPacketOnStreamConn(c net.Conn, metadata *C.Metadata) (_ C.PacketConn, err error) {
+func (ss *ShadowSocks) ListenPacketOnStreamConn(ctx context.Context, c net.Conn, metadata *C.Metadata) (_ C.PacketConn, err error) {
 	if ss.option.UDPOverTCP {
-		return newPacketConn(uot.NewClientConn(c), ss), nil
+		// ss uot use stream-oriented udp with a special address, so we need a net.UDPAddr
+		if !metadata.Resolved() {
+			ip, err := resolver.ResolveIP(ctx, metadata.Host)
+			if err != nil {
+				return nil, errors.New("can't resolve ip")
+			}
+			metadata.DstIP = ip
+		}
+
+		destination := M.SocksaddrFromNet(metadata.UDPAddr())
+		if ss.option.UDPOverTCPVersion == uot.LegacyVersion {
+			return newPacketConn(uot.NewConn(c, uot.Request{Destination: destination}), ss), nil
+		} else {
+			return newPacketConn(uot.NewLazyConn(c, uot.Request{Destination: destination}), ss), nil
+		}
 	}
-	return nil, errors.New("no support")
+	return nil, C.ErrNotSupport
 }

 // SupportUOT implements C.ProxyAdapter
@ -150,13 +234,15 @@ func (ss *ShadowSocks) SupportUOT() bool {

 func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
-	method, err := shadowimpl.FetchMethod(option.Cipher, option.Password)
+	method, err := shadowimpl.FetchMethod(option.Cipher, option.Password, time.Now)
 	if err != nil {
 		return nil, fmt.Errorf("ss %s initialize error: %w", addr, err)
 	}

 	var v2rayOption *v2rayObfs.Option
 	var obfsOption *simpleObfsOption
+	var shadowTLSOpt *shadowtls.ShadowTLSOption
+	var restlsConfig *restlsC.Config
 	obfsMode := ""

 	decoder := structure.NewDecoder(structure.Option{TagName: "obfs", WeaklyTypedInput: true})
@ -192,6 +278,43 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 			v2rayOption.TLS = true
 			v2rayOption.SkipCertVerify = opts.SkipCertVerify
 		}
+	} else if option.Plugin == shadowtls.Mode {
+		obfsMode = shadowtls.Mode
+		opt := &shadowTLSOption{
+			Version: 2,
+		}
+		if err := decoder.Decode(option.PluginOpts, opt); err != nil {
+			return nil, fmt.Errorf("ss %s initialize shadow-tls-plugin error: %w", addr, err)
+		}
+
+		shadowTLSOpt = &shadowtls.ShadowTLSOption{
+			Password:          opt.Password,
+			Host:              opt.Host,
+			Fingerprint:       opt.Fingerprint,
+			ClientFingerprint: option.ClientFingerprint,
+			SkipCertVerify:    opt.SkipCertVerify,
+			Version:           opt.Version,
+		}
+	} else if option.Plugin == restls.Mode {
+		obfsMode = restls.Mode
+		restlsOpt := &restlsOption{}
+		if err := decoder.Decode(option.PluginOpts, restlsOpt); err != nil {
+			return nil, fmt.Errorf("ss %s initialize restls-plugin error: %w", addr, err)
+		}
+
+		restlsConfig, err = restlsC.NewRestlsConfig(restlsOpt.Host, restlsOpt.Password, restlsOpt.VersionHint, restlsOpt.RestlsScript, option.ClientFingerprint)
+		restlsConfig.SessionTicketsDisabled = true
+		if err != nil {
+			return nil, fmt.Errorf("ss %s initialize restls-plugin error: %w", addr, err)
+		}
+
+	}
+	switch option.UDPOverTCPVersion {
+	case uot.Version, uot.LegacyVersion:
+	case 0:
+		option.UDPOverTCPVersion = uot.Version
+	default:
+		return nil, fmt.Errorf("ss %s unknown udp over tcp protocol version: %d", addr, option.UDPOverTCPVersion)
 	}

 	return &ShadowSocks{
@ -200,16 +323,19 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 			addr:   addr,
 			tp:     C.Shadowsocks,
 			udp:    option.UDP,
+			tfo:    option.TFO,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
 		method: method,

-		option:      &option,
-		obfsMode:    obfsMode,
-		v2rayOption: v2rayOption,
-		obfsOption:  obfsOption,
+		option:          &option,
+		obfsMode:        obfsMode,
+		v2rayOption:     v2rayOption,
+		obfsOption:      obfsOption,
+		shadowTLSOption: shadowTLSOpt,
+		restlsConfig:    restlsConfig,
 	}, nil
 }

--- a/adapter/outbound/shadowsocksr.go
+++ b/adapter/outbound/shadowsocksr.go
@ -7,6 +7,7 @@ import (
 	"strconv"

 	"github.com/Dreamacro/clash/component/dialer"
+	"github.com/Dreamacro/clash/component/proxydialer"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/shadowsocks/core"
 	"github.com/Dreamacro/clash/transport/shadowsocks/shadowaead"
@ -17,6 +18,7 @@ import (

 type ShadowSocksR struct {
 	*Base
+	option   *ShadowSocksROption
 	cipher   core.Cipher
 	obfs     obfs.Obfs
 	protocol protocol.Protocol
@ -65,6 +67,12 @@ func (ssr *ShadowSocksR) DialContext(ctx context.Context, metadata *C.Metadata,

 // DialContextWithDialer implements C.ProxyAdapter
 func (ssr *ShadowSocksR) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.Conn, err error) {
+	if len(ssr.option.DialerProxy) > 0 {
+		dialer, err = proxydialer.NewByName(ssr.option.DialerProxy, dialer)
+		if err != nil {
+			return nil, err
+		}
+	}
 	c, err := dialer.DialContext(ctx, "tcp", ssr.addr)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", ssr.addr, err)
@ -86,6 +94,12 @@ func (ssr *ShadowSocksR) ListenPacketContext(ctx context.Context, metadata *C.Me

 // ListenPacketWithDialer implements C.ProxyAdapter
 func (ssr *ShadowSocksR) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.PacketConn, err error) {
+	if len(ssr.option.DialerProxy) > 0 {
+		dialer, err = proxydialer.NewByName(ssr.option.DialerProxy, dialer)
+		if err != nil {
+			return nil, err
+		}
+	}
 	addr, err := resolveUDPAddrWithPrefer(ctx, "udp", ssr.addr, ssr.prefer)
 	if err != nil {
 		return nil, err
@ -102,8 +116,8 @@ func (ssr *ShadowSocksR) ListenPacketWithDialer(ctx context.Context, dialer C.Di
 }

 // SupportWithDialer implements C.ProxyAdapter
-func (ssr *ShadowSocksR) SupportWithDialer() bool {
-	return true
+func (ssr *ShadowSocksR) SupportWithDialer() C.NetWork {
+	return C.ALLNet
 }

 func NewShadowSocksR(option ShadowSocksROption) (*ShadowSocksR, error) {
@ -163,10 +177,12 @@ func NewShadowSocksR(option ShadowSocksROption) (*ShadowSocksR, error) {
 			addr:   addr,
 			tp:     C.ShadowsocksR,
 			udp:    option.UDP,
+			tfo:    option.TFO,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
+		option:   &option,
 		cipher:   coreCiph,
 		obfs:     obfs,
 		protocol: protocol,
--- a/adapter/outbound/singmux.go
+++ b/adapter/outbound/singmux.go
@ -0,0 +1,138 @@
+package outbound
+
+import (
+	"context"
+	"errors"
+	"net"
+	"runtime"
+
+	CN "github.com/Dreamacro/clash/common/net"
+	"github.com/Dreamacro/clash/component/dialer"
+	"github.com/Dreamacro/clash/component/proxydialer"
+	"github.com/Dreamacro/clash/component/resolver"
+	C "github.com/Dreamacro/clash/constant"
+
+	mux "github.com/sagernet/sing-mux"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+)
+
+type SingMux struct {
+	C.ProxyAdapter
+	base    ProxyBase
+	client  *mux.Client
+	dialer  *muxSingDialer
+	onlyTcp bool
+}
+
+type SingMuxOption struct {
+	Enabled        bool   `proxy:"enabled,omitempty"`
+	Protocol       string `proxy:"protocol,omitempty"`
+	MaxConnections int    `proxy:"max-connections,omitempty"`
+	MinStreams     int    `proxy:"min-streams,omitempty"`
+	MaxStreams     int    `proxy:"max-streams,omitempty"`
+	Padding        bool   `proxy:"padding,omitempty"`
+	Statistic      bool   `proxy:"statistic,omitempty"`
+	OnlyTcp        bool   `proxy:"only-tcp,omitempty"`
+}
+
+type ProxyBase interface {
+	DialOptions(opts ...dialer.Option) []dialer.Option
+}
+
+type muxSingDialer struct {
+	dialer    dialer.Dialer
+	proxy     C.ProxyAdapter
+	statistic bool
+}
+
+var _ N.Dialer = (*muxSingDialer)(nil)
+
+func (d *muxSingDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+	var cDialer C.Dialer = proxydialer.New(d.proxy, d.dialer, d.statistic)
+	return cDialer.DialContext(ctx, network, destination.String())
+}
+
+func (d *muxSingDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+	var cDialer C.Dialer = proxydialer.New(d.proxy, d.dialer, d.statistic)
+	return cDialer.ListenPacket(ctx, "udp", "", destination.AddrPort())
+}
+
+func (s *SingMux) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
+	options := s.base.DialOptions(opts...)
+	s.dialer.dialer = dialer.NewDialer(options...)
+	c, err := s.client.DialContext(ctx, "tcp", M.ParseSocksaddr(metadata.RemoteAddress()))
+	if err != nil {
+		return nil, err
+	}
+	return NewConn(CN.NewRefConn(c, s), s.ProxyAdapter), err
+}
+
+func (s *SingMux) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
+	if s.onlyTcp {
+		return s.ProxyAdapter.ListenPacketContext(ctx, metadata, opts...)
+	}
+	options := s.base.DialOptions(opts...)
+	s.dialer.dialer = dialer.NewDialer(options...)
+
+	// sing-mux use stream-oriented udp with a special address, so we need a net.UDPAddr
+	if !metadata.Resolved() {
+		ip, err := resolver.ResolveIP(ctx, metadata.Host)
+		if err != nil {
+			return nil, errors.New("can't resolve ip")
+		}
+		metadata.DstIP = ip
+	}
+
+	pc, err := s.client.ListenPacket(ctx, M.SocksaddrFromNet(metadata.UDPAddr()))
+	if err != nil {
+		return nil, err
+	}
+	if pc == nil {
+		return nil, E.New("packetConn is nil")
+	}
+	return newPacketConn(CN.NewRefPacketConn(pc, s), s.ProxyAdapter), nil
+}
+
+func (s *SingMux) SupportUDP() bool {
+	if s.onlyTcp {
+		return s.ProxyAdapter.SupportUOT()
+	}
+	return true
+}
+
+func (s *SingMux) SupportUOT() bool {
+	if s.onlyTcp {
+		return s.ProxyAdapter.SupportUOT()
+	}
+	return true
+}
+
+func closeSingMux(s *SingMux) {
+	_ = s.client.Close()
+}
+
+func NewSingMux(option SingMuxOption, proxy C.ProxyAdapter, base ProxyBase) (C.ProxyAdapter, error) {
+	singDialer := &muxSingDialer{dialer: dialer.NewDialer(), proxy: proxy, statistic: option.Statistic}
+	client, err := mux.NewClient(mux.Options{
+		Dialer:         singDialer,
+		Protocol:       option.Protocol,
+		MaxConnections: option.MaxConnections,
+		MinStreams:     option.MinStreams,
+		MaxStreams:     option.MaxStreams,
+		Padding:        option.Padding,
+	})
+	if err != nil {
+		return nil, err
+	}
+	outbound := &SingMux{
+		ProxyAdapter: proxy,
+		base:         base,
+		client:       client,
+		dialer:       singDialer,
+		onlyTcp:      option.OnlyTcp,
+	}
+	runtime.SetFinalizer(outbound, closeSingMux)
+	return outbound, nil
+}
--- a/adapter/outbound/snell.go
+++ b/adapter/outbound/snell.go
@ -8,6 +8,7 @@ import (

 	"github.com/Dreamacro/clash/common/structure"
 	"github.com/Dreamacro/clash/component/dialer"
+	"github.com/Dreamacro/clash/component/proxydialer"
 	C "github.com/Dreamacro/clash/constant"
 	obfs "github.com/Dreamacro/clash/transport/simple-obfs"
 	"github.com/Dreamacro/clash/transport/snell"
@ -15,6 +16,7 @@ import (

 type Snell struct {
 	*Base
+	option     *SnellOption
 	psk        []byte
 	pool       *snell.Pool
 	obfsOption *simpleObfsOption
@ -83,6 +85,12 @@ func (s *Snell) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d

 // DialContextWithDialer implements C.ProxyAdapter
 func (s *Snell) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.Conn, err error) {
+	if len(s.option.DialerProxy) > 0 {
+		dialer, err = proxydialer.NewByName(s.option.DialerProxy, dialer)
+		if err != nil {
+			return nil, err
+		}
+	}
 	c, err := dialer.DialContext(ctx, "tcp", s.addr)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", s.addr, err)
@ -104,6 +112,13 @@ func (s *Snell) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o

 // ListenPacketWithDialer implements C.ProxyAdapter
 func (s *Snell) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (C.PacketConn, error) {
+	var err error
+	if len(s.option.DialerProxy) > 0 {
+		dialer, err = proxydialer.NewByName(s.option.DialerProxy, dialer)
+		if err != nil {
+			return nil, err
+		}
+	}
 	c, err := dialer.DialContext(ctx, "tcp", s.addr)
 	if err != nil {
 		return nil, err
@ -121,8 +136,8 @@ func (s *Snell) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, met
 }

 // SupportWithDialer implements C.ProxyAdapter
-func (s *Snell) SupportWithDialer() bool {
-	return true
+func (s *Snell) SupportWithDialer() C.NetWork {
+	return C.ALLNet
 }

 // SupportUOT implements C.ProxyAdapter
@ -167,10 +182,12 @@ func NewSnell(option SnellOption) (*Snell, error) {
 			addr:   addr,
 			tp:     C.Snell,
 			udp:    option.UDP,
+			tfo:    option.TFO,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
+		option:     &option,
 		psk:        psk,
 		obfsOption: obfsOption,
 		version:    option.Version,
@ -178,7 +195,15 @@ func NewSnell(option SnellOption) (*Snell, error) {

 	if option.Version == snell.Version2 {
 		s.pool = snell.NewPool(func(ctx context.Context) (*snell.Snell, error) {
-			c, err := dialer.DialContext(ctx, "tcp", addr, s.Base.DialOptions()...)
+			var err error
+			var cDialer C.Dialer = dialer.NewDialer(s.Base.DialOptions()...)
+			if len(s.option.DialerProxy) > 0 {
+				cDialer, err = proxydialer.NewByName(s.option.DialerProxy, cDialer)
+				if err != nil {
+					return nil, err
+				}
+			}
+			c, err := cDialer.DialContext(ctx, "tcp", addr)
 			if err != nil {
 				return nil, err
 			}
--- a/adapter/outbound/socks5.go
+++ b/adapter/outbound/socks5.go
@ -5,18 +5,20 @@ import (
 	"crypto/tls"
 	"errors"
 	"fmt"
-	tlsC "github.com/Dreamacro/clash/component/tls"
 	"io"
 	"net"
 	"strconv"

 	"github.com/Dreamacro/clash/component/dialer"
+	"github.com/Dreamacro/clash/component/proxydialer"
+	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/socks5"
 )

 type Socks5 struct {
 	*Base
+	option         *Socks5Option
 	user           string
 	pass           string
 	tls            bool
@ -70,6 +72,12 @@ func (ss *Socks5) DialContext(ctx context.Context, metadata *C.Metadata, opts ..

 // DialContextWithDialer implements C.ProxyAdapter
 func (ss *Socks5) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.Conn, err error) {
+	if len(ss.option.DialerProxy) > 0 {
+		dialer, err = proxydialer.NewByName(ss.option.DialerProxy, dialer)
+		if err != nil {
+			return nil, err
+		}
+	}
 	c, err := dialer.DialContext(ctx, "tcp", ss.addr)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", ss.addr, err)
@ -89,13 +97,20 @@ func (ss *Socks5) DialContextWithDialer(ctx context.Context, dialer C.Dialer, me
 }

 // SupportWithDialer implements C.ProxyAdapter
-func (ss *Socks5) SupportWithDialer() bool {
-	return true
+func (ss *Socks5) SupportWithDialer() C.NetWork {
+	return C.TCP
 }

 // ListenPacketContext implements C.ProxyAdapter
 func (ss *Socks5) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
-	c, err := dialer.DialContext(ctx, "tcp", ss.addr, ss.Base.DialOptions(opts...)...)
+	var cDialer C.Dialer = dialer.NewDialer(ss.Base.DialOptions(opts...)...)
+	if len(ss.option.DialerProxy) > 0 {
+		cDialer, err = proxydialer.NewByName(ss.option.DialerProxy, cDialer)
+		if err != nil {
+			return nil, err
+		}
+	}
+	c, err := cDialer.DialContext(ctx, "tcp", ss.addr)
 	if err != nil {
 		err = fmt.Errorf("%s connect error: %w", ss.addr, err)
 		return
@ -167,7 +182,7 @@ func NewSocks5(option Socks5Option) (*Socks5, error) {
 		}

 		if len(option.Fingerprint) == 0 {
-			tlsConfig = tlsC.GetGlobalFingerprintTLCConfig(tlsConfig)
+			tlsConfig = tlsC.GetGlobalTLSConfig(tlsConfig)
 		} else {
 			var err error
 			if tlsConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint); err != nil {
@ -182,10 +197,12 @@ func NewSocks5(option Socks5Option) (*Socks5, error) {
 			addr:   net.JoinHostPort(option.Server, strconv.Itoa(option.Port)),
 			tp:     C.Socks5,
 			udp:    option.UDP,
+			tfo:    option.TFO,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
+		option:         &option,
 		user:           option.UserName,
 		pass:           option.Password,
 		tls:            option.TLS,
--- a/adapter/outbound/trojan.go
+++ b/adapter/outbound/trojan.go
@ -4,12 +4,13 @@ import (
 	"context"
 	"crypto/tls"
 	"fmt"
-	tlsC "github.com/Dreamacro/clash/component/tls"
 	"net"
 	"net/http"
 	"strconv"

 	"github.com/Dreamacro/clash/component/dialer"
+	"github.com/Dreamacro/clash/component/proxydialer"
+	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/gun"
 	"github.com/Dreamacro/clash/transport/trojan"
@ -25,24 +26,28 @@ type Trojan struct {
 	gunTLSConfig *tls.Config
 	gunConfig    *gun.Config
 	transport    *gun.TransportWrap
+
+	realityConfig *tlsC.RealityConfig
 }

 type TrojanOption struct {
 	BasicOption
-	Name           string      `proxy:"name"`
-	Server         string      `proxy:"server"`
-	Port           int         `proxy:"port"`
-	Password       string      `proxy:"password"`
-	ALPN           []string    `proxy:"alpn,omitempty"`
-	SNI            string      `proxy:"sni,omitempty"`
-	SkipCertVerify bool        `proxy:"skip-cert-verify,omitempty"`
-	Fingerprint    string      `proxy:"fingerprint,omitempty"`
-	UDP            bool        `proxy:"udp,omitempty"`
-	Network        string      `proxy:"network,omitempty"`
-	GrpcOpts       GrpcOptions `proxy:"grpc-opts,omitempty"`
-	WSOpts         WSOptions   `proxy:"ws-opts,omitempty"`
-	Flow           string      `proxy:"flow,omitempty"`
-	FlowShow       bool        `proxy:"flow-show,omitempty"`
+	Name              string         `proxy:"name"`
+	Server            string         `proxy:"server"`
+	Port              int            `proxy:"port"`
+	Password          string         `proxy:"password"`
+	ALPN              []string       `proxy:"alpn,omitempty"`
+	SNI               string         `proxy:"sni,omitempty"`
+	SkipCertVerify    bool           `proxy:"skip-cert-verify,omitempty"`
+	Fingerprint       string         `proxy:"fingerprint,omitempty"`
+	UDP               bool           `proxy:"udp,omitempty"`
+	Network           string         `proxy:"network,omitempty"`
+	RealityOpts       RealityOptions `proxy:"reality-opts,omitempty"`
+	GrpcOpts          GrpcOptions    `proxy:"grpc-opts,omitempty"`
+	WSOpts            WSOptions      `proxy:"ws-opts,omitempty"`
+	Flow              string         `proxy:"flow,omitempty"`
+	FlowShow          bool           `proxy:"flow-show,omitempty"`
+	ClientFingerprint string         `proxy:"client-fingerprint,omitempty"`
 }

 func (t *Trojan) plainStream(c net.Conn) (net.Conn, error) {
@ -75,8 +80,13 @@ func (t *Trojan) plainStream(c net.Conn) (net.Conn, error) {
 // StreamConn implements C.ProxyAdapter
 func (t *Trojan) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	var err error
+
+	if tlsC.HaveGlobalFingerprint() && len(t.option.ClientFingerprint) == 0 {
+		t.option.ClientFingerprint = tlsC.GetGlobalFingerprint()
+	}
+
 	if t.transport != nil {
-		c, err = gun.StreamGunWithConn(c, t.gunTLSConfig, t.gunConfig)
+		c, err = gun.StreamGunWithConn(c, t.gunTLSConfig, t.gunConfig, t.realityConfig)
 	} else {
 		c, err = t.plainStream(c)
 	}
@ -125,6 +135,12 @@ func (t *Trojan) DialContext(ctx context.Context, metadata *C.Metadata, opts ...

 // DialContextWithDialer implements C.ProxyAdapter
 func (t *Trojan) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.Conn, err error) {
+	if len(t.option.DialerProxy) > 0 {
+		dialer, err = proxydialer.NewByName(t.option.DialerProxy, dialer)
+		if err != nil {
+			return nil, err
+		}
+	}
 	c, err := dialer.DialContext(ctx, "tcp", t.addr)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
@ -169,6 +185,12 @@ func (t *Trojan) ListenPacketContext(ctx context.Context, metadata *C.Metadata,

 // ListenPacketWithDialer implements C.ProxyAdapter
 func (t *Trojan) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.PacketConn, err error) {
+	if len(t.option.DialerProxy) > 0 {
+		dialer, err = proxydialer.NewByName(t.option.DialerProxy, dialer)
+		if err != nil {
+			return nil, err
+		}
+	}
 	c, err := dialer.DialContext(ctx, "tcp", t.addr)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
@ -192,8 +214,8 @@ func (t *Trojan) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, me
 }

 // SupportWithDialer implements C.ProxyAdapter
-func (t *Trojan) SupportWithDialer() bool {
-	return true
+func (t *Trojan) SupportWithDialer() C.NetWork {
+	return C.ALLNet
 }

 // ListenPacketOnStreamConn implements C.ProxyAdapter
@ -211,21 +233,25 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))

 	tOption := &trojan.Option{
-		Password:       option.Password,
-		ALPN:           option.ALPN,
-		ServerName:     option.Server,
-		SkipCertVerify: option.SkipCertVerify,
-		FlowShow:       option.FlowShow,
-		Fingerprint:    option.Fingerprint,
+		Password:          option.Password,
+		ALPN:              option.ALPN,
+		ServerName:        option.Server,
+		SkipCertVerify:    option.SkipCertVerify,
+		FlowShow:          option.FlowShow,
+		Fingerprint:       option.Fingerprint,
+		ClientFingerprint: option.ClientFingerprint,
 	}

-	if option.Network != "ws" && len(option.Flow) >= 16 {
-		option.Flow = option.Flow[:16]
-		switch option.Flow {
-		case vless.XRO, vless.XRD, vless.XRS:
-			tOption.Flow = option.Flow
-		default:
-			return nil, fmt.Errorf("unsupported xtls flow type: %s", option.Flow)
+	switch option.Network {
+	case "", "tcp":
+		if len(option.Flow) >= 16 {
+			option.Flow = option.Flow[:16]
+			switch option.Flow {
+			case vless.XRO, vless.XRD, vless.XRS:
+				tOption.Flow = option.Flow
+			default:
+				return nil, fmt.Errorf("unsupported xtls flow type: %s", option.Flow)
+			}
 		}
 	}

@ -239,6 +265,7 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 			addr:   addr,
 			tp:     C.Trojan,
 			udp:    option.UDP,
+			tfo:    option.TFO,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
@ -247,9 +274,24 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 		option:   &option,
 	}

+	var err error
+	t.realityConfig, err = option.RealityOpts.Parse()
+	if err != nil {
+		return nil, err
+	}
+	tOption.Reality = t.realityConfig
+
 	if option.Network == "grpc" {
 		dialFn := func(network, addr string) (net.Conn, error) {
-			c, err := dialer.DialContext(context.Background(), "tcp", t.addr, t.Base.DialOptions()...)
+			var err error
+			var cDialer C.Dialer = dialer.NewDialer(t.Base.DialOptions()...)
+			if len(t.option.DialerProxy) > 0 {
+				cDialer, err = proxydialer.NewByName(t.option.DialerProxy, cDialer)
+				if err != nil {
+					return nil, err
+				}
+			}
+			c, err := cDialer.DialContext(context.Background(), "tcp", t.addr)
 			if err != nil {
 				return nil, fmt.Errorf("%s connect error: %s", t.addr, err.Error())
 			}
@ -265,7 +307,7 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 		}

 		if len(option.Fingerprint) == 0 {
-			tlsConfig = tlsC.GetGlobalFingerprintTLCConfig(tlsConfig)
+			tlsConfig = tlsC.GetGlobalTLSConfig(tlsConfig)
 		} else {
 			var err error
 			if tlsConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint); err != nil {
@ -273,11 +315,7 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 			}
 		}

-		if t.option.Flow != "" {
-			t.transport = gun.NewHTTP2XTLSClient(dialFn, tlsConfig)
-		} else {
-			t.transport = gun.NewHTTP2Client(dialFn, tlsConfig)
-		}
+		t.transport = gun.NewHTTP2Client(dialFn, tlsConfig, tOption.ClientFingerprint, t.realityConfig)

 		t.gunTLSConfig = tlsConfig
 		t.gunConfig = &gun.Config{
--- a/adapter/outbound/tuic.go
+++ b/adapter/outbound/tuic.go
@ -16,6 +16,7 @@ import (
 	"github.com/metacubex/quic-go"

 	"github.com/Dreamacro/clash/component/dialer"
+	"github.com/Dreamacro/clash/component/proxydialer"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/tuic"
@ -23,6 +24,7 @@ import (

 type Tuic struct {
 	*Base
+	option *TuicOption
 	client *tuic.PoolClient
 }

@ -42,15 +44,17 @@ type TuicOption struct {
 	DisableSni            bool     `proxy:"disable-sni,omitempty"`
 	MaxUdpRelayPacketSize int      `proxy:"max-udp-relay-packet-size,omitempty"`

-	FastOpen            bool   `proxy:"fast-open,omitempty"`
-	MaxOpenStreams      int    `proxy:"max-open-streams,omitempty"`
-	SkipCertVerify      bool   `proxy:"skip-cert-verify,omitempty"`
-	Fingerprint         string `proxy:"fingerprint,omitempty"`
-	CustomCA            string `proxy:"ca,omitempty"`
-	CustomCAString      string `proxy:"ca-str,omitempty"`
-	ReceiveWindowConn   int    `proxy:"recv-window-conn,omitempty"`
-	ReceiveWindow       int    `proxy:"recv-window,omitempty"`
-	DisableMTUDiscovery bool   `proxy:"disable-mtu-discovery,omitempty"`
+	FastOpen             bool   `proxy:"fast-open,omitempty"`
+	MaxOpenStreams       int    `proxy:"max-open-streams,omitempty"`
+	SkipCertVerify       bool   `proxy:"skip-cert-verify,omitempty"`
+	Fingerprint          string `proxy:"fingerprint,omitempty"`
+	CustomCA             string `proxy:"ca,omitempty"`
+	CustomCAString       string `proxy:"ca-str,omitempty"`
+	ReceiveWindowConn    int    `proxy:"recv-window-conn,omitempty"`
+	ReceiveWindow        int    `proxy:"recv-window,omitempty"`
+	DisableMTUDiscovery  bool   `proxy:"disable-mtu-discovery,omitempty"`
+	MaxDatagramFrameSize int    `proxy:"max-datagram-frame-size,omitempty"`
+	SNI                  string `proxy:"sni,omitempty"`
 }

 // DialContext implements C.ProxyAdapter
@ -82,8 +86,8 @@ func (t *Tuic) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, meta
 }

 // SupportWithDialer implements C.ProxyAdapter
-func (t *Tuic) SupportWithDialer() bool {
-	return true
+func (t *Tuic) SupportWithDialer() C.NetWork {
+	return C.ALLNet
 }

 func (t *Tuic) dial(ctx context.Context, opts ...dialer.Option) (pc net.PacketConn, addr net.Addr, err error) {
@ -91,6 +95,12 @@ func (t *Tuic) dial(ctx context.Context, opts ...dialer.Option) (pc net.PacketCo
 }

 func (t *Tuic) dialWithDialer(ctx context.Context, dialer C.Dialer) (pc net.PacketConn, addr net.Addr, err error) {
+	if len(t.option.DialerProxy) > 0 {
+		dialer, err = proxydialer.NewByName(t.option.DialerProxy, dialer)
+		if err != nil {
+			return nil, nil, err
+		}
+	}
 	udpAddr, err := resolveUDPAddrWithPrefer(ctx, "udp", t.addr, t.prefer)
 	if err != nil {
 		return nil, nil, err
@ -106,12 +116,14 @@ func (t *Tuic) dialWithDialer(ctx context.Context, dialer C.Dialer) (pc net.Pack
 func NewTuic(option TuicOption) (*Tuic, error) {
 	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
 	serverName := option.Server
-
 	tlsConfig := &tls.Config{
 		ServerName:         serverName,
 		InsecureSkipVerify: option.SkipCertVerify,
 		MinVersion:         tls.VersionTLS13,
 	}
+	if option.SNI != "" {
+		tlsConfig.ServerName = option.SNI
+	}

 	var bs []byte
 	var err error
@ -143,7 +155,7 @@ func NewTuic(option TuicOption) (*Tuic, error) {
 			return nil, err
 		}
 	} else {
-		tlsConfig = tlsC.GetGlobalFingerprintTLCConfig(tlsConfig)
+		tlsConfig = tlsC.GetGlobalTLSConfig(tlsConfig)
 	}

 	if len(option.ALPN) > 0 {
@ -165,13 +177,22 @@ func NewTuic(option TuicOption) (*Tuic, error) {
 	}

 	if option.MaxUdpRelayPacketSize == 0 {
-		option.MaxUdpRelayPacketSize = 1500
+		option.MaxUdpRelayPacketSize = 1252
 	}

 	if option.MaxOpenStreams == 0 {
 		option.MaxOpenStreams = 100
 	}

+	if option.MaxDatagramFrameSize == 0 {
+		option.MaxDatagramFrameSize = option.MaxUdpRelayPacketSize + tuic.PacketOverHead
+	}
+
+	if option.MaxDatagramFrameSize > 1400 {
+		option.MaxDatagramFrameSize = 1400
+	}
+	option.MaxUdpRelayPacketSize = option.MaxDatagramFrameSize - tuic.PacketOverHead
+
 	// ensure server's incoming stream can handle correctly, increase to 1.1x
 	quicMaxOpenStreams := int64(option.MaxOpenStreams)
 	quicMaxOpenStreams = quicMaxOpenStreams + int64(math.Ceil(float64(quicMaxOpenStreams)/10.0))
@ -184,6 +205,7 @@ func NewTuic(option TuicOption) (*Tuic, error) {
 		MaxIncomingUniStreams:          quicMaxOpenStreams,
 		KeepAlivePeriod:                time.Duration(option.HeartbeatInterval) * time.Millisecond,
 		DisablePathMTUDiscovery:        option.DisableMTUDiscovery,
+		MaxDatagramFrameSize:           int64(option.MaxDatagramFrameSize),
 		EnableDatagrams:                true,
 	}
 	if option.ReceiveWindowConn == 0 {
@ -213,12 +235,19 @@ func NewTuic(option TuicOption) (*Tuic, error) {
 			udp:    true,
 			tfo:    option.FastOpen,
 			iface:  option.Interface,
+			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
+		option: &option,
 	}
-	// to avoid tuic's "too many open streams", decrease to 0.9x
+
 	clientMaxOpenStreams := int64(option.MaxOpenStreams)
-	clientMaxOpenStreams = clientMaxOpenStreams - int64(math.Ceil(float64(clientMaxOpenStreams)/10.0))
+
+	// to avoid tuic's "too many open streams", decrease to 0.9x
+	if clientMaxOpenStreams == 100 {
+		clientMaxOpenStreams = clientMaxOpenStreams - int64(math.Ceil(float64(clientMaxOpenStreams)/10.0))
+	}
+
 	if clientMaxOpenStreams < 1 {
 		clientMaxOpenStreams = 1
 	}
--- a/adapter/outbound/vless.go
+++ b/adapter/outbound/vless.go
@ -14,13 +14,19 @@ import (

 	"github.com/Dreamacro/clash/common/convert"
 	"github.com/Dreamacro/clash/component/dialer"
+	"github.com/Dreamacro/clash/component/proxydialer"
 	"github.com/Dreamacro/clash/component/resolver"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/log"
 	"github.com/Dreamacro/clash/transport/gun"
 	"github.com/Dreamacro/clash/transport/socks5"
 	"github.com/Dreamacro/clash/transport/vless"
 	"github.com/Dreamacro/clash/transport/vmess"
+
+	vmessSing "github.com/sagernet/sing-vmess"
+	"github.com/sagernet/sing-vmess/packetaddr"
+	M "github.com/sagernet/sing/common/metadata"
 )

 const (
@ -37,35 +43,46 @@ type Vless struct {
 	gunTLSConfig *tls.Config
 	gunConfig    *gun.Config
 	transport    *gun.TransportWrap
+
+	realityConfig *tlsC.RealityConfig
 }

 type VlessOption struct {
 	BasicOption
-	Name           string            `proxy:"name"`
-	Server         string            `proxy:"server"`
-	Port           int               `proxy:"port"`
-	UUID           string            `proxy:"uuid"`
-	Flow           string            `proxy:"flow,omitempty"`
-	FlowShow       bool              `proxy:"flow-show,omitempty"`
-	TLS            bool              `proxy:"tls,omitempty"`
-	UDP            bool              `proxy:"udp,omitempty"`
-	Network        string            `proxy:"network,omitempty"`
-	HTTPOpts       HTTPOptions       `proxy:"http-opts,omitempty"`
-	HTTP2Opts      HTTP2Options      `proxy:"h2-opts,omitempty"`
-	GrpcOpts       GrpcOptions       `proxy:"grpc-opts,omitempty"`
-	WSOpts         WSOptions         `proxy:"ws-opts,omitempty"`
-	WSPath         string            `proxy:"ws-path,omitempty"`
-	WSHeaders      map[string]string `proxy:"ws-headers,omitempty"`
-	SkipCertVerify bool              `proxy:"skip-cert-verify,omitempty"`
-	Fingerprint    string            `proxy:"fingerprint,omitempty"`
-	ServerName     string            `proxy:"servername,omitempty"`
+	Name              string            `proxy:"name"`
+	Server            string            `proxy:"server"`
+	Port              int               `proxy:"port"`
+	UUID              string            `proxy:"uuid"`
+	Flow              string            `proxy:"flow,omitempty"`
+	FlowShow          bool              `proxy:"flow-show,omitempty"`
+	TLS               bool              `proxy:"tls,omitempty"`
+	UDP               bool              `proxy:"udp,omitempty"`
+	PacketAddr        bool              `proxy:"packet-addr,omitempty"`
+	XUDP              bool              `proxy:"xudp,omitempty"`
+	PacketEncoding    string            `proxy:"packet-encoding,omitempty"`
+	Network           string            `proxy:"network,omitempty"`
+	RealityOpts       RealityOptions    `proxy:"reality-opts,omitempty"`
+	HTTPOpts          HTTPOptions       `proxy:"http-opts,omitempty"`
+	HTTP2Opts         HTTP2Options      `proxy:"h2-opts,omitempty"`
+	GrpcOpts          GrpcOptions       `proxy:"grpc-opts,omitempty"`
+	WSOpts            WSOptions         `proxy:"ws-opts,omitempty"`
+	WSPath            string            `proxy:"ws-path,omitempty"`
+	WSHeaders         map[string]string `proxy:"ws-headers,omitempty"`
+	SkipCertVerify    bool              `proxy:"skip-cert-verify,omitempty"`
+	Fingerprint       string            `proxy:"fingerprint,omitempty"`
+	ServerName        string            `proxy:"servername,omitempty"`
+	ClientFingerprint string            `proxy:"client-fingerprint,omitempty"`
 }

 func (v *Vless) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	var err error
+
+	if tlsC.HaveGlobalFingerprint() && len(v.option.ClientFingerprint) == 0 {
+		v.option.ClientFingerprint = tlsC.GetGlobalFingerprint()
+	}
+
 	switch v.option.Network {
 	case "ws":
-
 		host, port, _ := net.SplitHostPort(v.addr)
 		wsOpts := &vmess.WebsocketConfig{
 			Host:                host,
@ -73,6 +90,7 @@ func (v *Vless) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 			Path:                v.option.WSOpts.Path,
 			MaxEarlyData:        v.option.WSOpts.MaxEarlyData,
 			EarlyDataHeaderName: v.option.WSOpts.EarlyDataHeaderName,
+			ClientFingerprint:   v.option.ClientFingerprint,
 			Headers:             http.Header{},
 		}

@ -91,9 +109,12 @@ func (v *Vless) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 			}

 			if len(v.option.Fingerprint) == 0 {
-				wsOpts.TLSConfig = tlsC.GetGlobalFingerprintTLCConfig(tlsConfig)
+				wsOpts.TLSConfig = tlsC.GetGlobalTLSConfig(tlsConfig)
 			} else {
 				wsOpts.TLSConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, v.option.Fingerprint)
+				if err != nil {
+					return nil, err
+				}
 			}

 			if v.option.ServerName != "" {
@ -137,11 +158,7 @@ func (v *Vless) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {

 		c, err = vmess.StreamH2Conn(c, h2Opts)
 	case "grpc":
-		if v.isXTLSEnabled() {
-			c, err = gun.StreamGunWithXTLSConn(c, v.gunTLSConfig, v.gunConfig)
-		} else {
-			c, err = gun.StreamGunWithConn(c, v.gunTLSConfig, v.gunConfig)
-		}
+		c, err = gun.StreamGunWithConn(c, v.gunTLSConfig, v.gunConfig, v.realityConfig)
 	default:
 		// default tcp network
 		// handle TLS And XTLS
@ -152,21 +169,45 @@ func (v *Vless) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 		return nil, err
 	}

-	return v.client.StreamConn(c, parseVlessAddr(metadata))
+	return v.streamConn(c, metadata)
+}
+
+func (v *Vless) streamConn(c net.Conn, metadata *C.Metadata) (conn net.Conn, err error) {
+	if metadata.NetWork == C.UDP {
+		if v.option.PacketAddr {
+			metadata = &C.Metadata{
+				NetWork: C.UDP,
+				Host:    packetaddr.SeqPacketMagicAddress,
+				DstPort: "443",
+			}
+		} else {
+			metadata = &C.Metadata{ // a clear metadata only contains ip
+				NetWork: C.UDP,
+				DstIP:   metadata.DstIP,
+				DstPort: metadata.DstPort,
+			}
+		}
+		conn, err = v.client.StreamConn(c, parseVlessAddr(metadata, v.option.XUDP))
+		if v.option.PacketAddr {
+			conn = packetaddr.NewBindConn(conn)
+		}
+	} else {
+		conn, err = v.client.StreamConn(c, parseVlessAddr(metadata, false))
+	}
+	if err != nil {
+		conn = nil
+	}
+	return
 }

 func (v *Vless) streamTLSOrXTLSConn(conn net.Conn, isH2 bool) (net.Conn, error) {
 	host, _, _ := net.SplitHostPort(v.addr)

-	if v.isXTLSEnabled() {
+	if v.isLegacyXTLSEnabled() && !isH2 {
 		xtlsOpts := vless.XTLSConfig{
 			Host:           host,
 			SkipCertVerify: v.option.SkipCertVerify,
-			FingerPrint:    v.option.Fingerprint,
-		}
-
-		if isH2 {
-			xtlsOpts.NextProtos = []string{"h2"}
+			Fingerprint:    v.option.Fingerprint,
 		}

 		if v.option.ServerName != "" {
@ -177,9 +218,11 @@ func (v *Vless) streamTLSOrXTLSConn(conn net.Conn, isH2 bool) (net.Conn, error)

 	} else if v.option.TLS {
 		tlsOpts := vmess.TLSConfig{
-			Host:           host,
-			SkipCertVerify: v.option.SkipCertVerify,
-			FingerPrint:    v.option.Fingerprint,
+			Host:              host,
+			SkipCertVerify:    v.option.SkipCertVerify,
+			FingerPrint:       v.option.Fingerprint,
+			ClientFingerprint: v.option.ClientFingerprint,
+			Reality:           v.realityConfig,
 		}

 		if isH2 {
@ -196,8 +239,8 @@ func (v *Vless) streamTLSOrXTLSConn(conn net.Conn, isH2 bool) (net.Conn, error)
 	return conn, nil
 }

-func (v *Vless) isXTLSEnabled() bool {
-	return v.client.Addons != nil
+func (v *Vless) isLegacyXTLSEnabled() bool {
+	return v.client.Addons != nil && v.client.Addons.Flow != vless.XRV
 }

 // DialContext implements C.ProxyAdapter
@ -212,7 +255,7 @@ func (v *Vless) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d
 			safeConnClose(c, err)
 		}(c)

-		c, err = v.client.StreamConn(c, parseVlessAddr(metadata))
+		c, err = v.client.StreamConn(c, parseVlessAddr(metadata, v.option.XUDP))
 		if err != nil {
 			return nil, err
 		}
@ -224,6 +267,12 @@ func (v *Vless) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d

 // DialContextWithDialer implements C.ProxyAdapter
 func (v *Vless) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.Conn, err error) {
+	if len(v.option.DialerProxy) > 0 {
+		dialer, err = proxydialer.NewByName(v.option.DialerProxy, dialer)
+		if err != nil {
+			return nil, err
+		}
+	}
 	c, err := dialer.DialContext(ctx, "tcp", v.addr)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
@ -234,12 +283,15 @@ func (v *Vless) DialContextWithDialer(ctx context.Context, dialer C.Dialer, meta
 	}(c)

 	c, err = v.StreamConn(c, metadata)
+	if err != nil {
+		return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
+	}
 	return NewConn(c, v), err
 }

 // ListenPacketContext implements C.ProxyAdapter
 func (v *Vless) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
-	// vless use stream-oriented udp with a special address, so we needs a net.UDPAddr
+	// vless use stream-oriented udp with a special address, so we need a net.UDPAddr
 	if !metadata.Resolved() {
 		ip, err := resolver.ResolveIP(ctx, metadata.Host)
 		if err != nil {
@ -247,7 +299,6 @@ func (v *Vless) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o
 		}
 		metadata.DstIP = ip
 	}
-
 	var c net.Conn
 	// gun transport
 	if v.transport != nil && len(opts) == 0 {
@ -259,20 +310,26 @@ func (v *Vless) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o
 			safeConnClose(c, err)
 		}(c)

-		c, err = v.client.StreamConn(c, parseVlessAddr(metadata))
-
+		c, err = v.streamConn(c, metadata)
 		if err != nil {
 			return nil, fmt.Errorf("new vless client error: %v", err)
 		}

-		return v.ListenPacketOnStreamConn(c, metadata)
+		return v.ListenPacketOnStreamConn(ctx, c, metadata)
 	}
 	return v.ListenPacketWithDialer(ctx, dialer.NewDialer(v.Base.DialOptions(opts...)...), metadata)
 }

 // ListenPacketWithDialer implements C.ProxyAdapter
 func (v *Vless) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.PacketConn, err error) {
-	// vless use stream-oriented udp with a special address, so we needs a net.UDPAddr
+	if len(v.option.DialerProxy) > 0 {
+		dialer, err = proxydialer.NewByName(v.option.DialerProxy, dialer)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	// vless use stream-oriented udp with a special address, so we need a net.UDPAddr
 	if !metadata.Resolved() {
 		ip, err := resolver.ResolveIP(ctx, metadata.Host)
 		if err != nil {
@ -280,6 +337,7 @@ func (v *Vless) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, met
 		}
 		metadata.DstIP = ip
 	}
+
 	c, err := dialer.DialContext(ctx, "tcp", v.addr)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
@ -290,21 +348,40 @@ func (v *Vless) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, met
 	}(c)

 	c, err = v.StreamConn(c, metadata)
-
 	if err != nil {
 		return nil, fmt.Errorf("new vless client error: %v", err)
 	}

-	return v.ListenPacketOnStreamConn(c, metadata)
+	return v.ListenPacketOnStreamConn(ctx, c, metadata)
 }

 // SupportWithDialer implements C.ProxyAdapter
-func (v *Vless) SupportWithDialer() bool {
-	return true
+func (v *Vless) SupportWithDialer() C.NetWork {
+	return C.ALLNet
 }

 // ListenPacketOnStreamConn implements C.ProxyAdapter
-func (v *Vless) ListenPacketOnStreamConn(c net.Conn, metadata *C.Metadata) (_ C.PacketConn, err error) {
+func (v *Vless) ListenPacketOnStreamConn(ctx context.Context, c net.Conn, metadata *C.Metadata) (_ C.PacketConn, err error) {
+	// vless use stream-oriented udp with a special address, so we need a net.UDPAddr
+	if !metadata.Resolved() {
+		ip, err := resolver.ResolveIP(ctx, metadata.Host)
+		if err != nil {
+			return nil, errors.New("can't resolve ip")
+		}
+		metadata.DstIP = ip
+	}
+
+	if v.option.XUDP {
+		return newPacketConn(&threadSafePacketConn{
+			PacketConn: vmessSing.NewXUDPConn(c, M.SocksaddrFromNet(metadata.UDPAddr())),
+		}, v), nil
+	} else if v.option.PacketAddr {
+		return newPacketConn(&threadSafePacketConn{
+			PacketConn: packetaddr.NewConn(&vlessPacketConn{
+				Conn: c, rAddr: metadata.UDPAddr(),
+			}, M.SocksaddrFromNet(metadata.UDPAddr())),
+		}, v), nil
+	}
 	return newPacketConn(&vlessPacketConn{Conn: c, rAddr: metadata.UDPAddr()}, v), nil
 }

@ -313,7 +390,7 @@ func (v *Vless) SupportUOT() bool {
 	return true
 }

-func parseVlessAddr(metadata *C.Metadata) *vless.DstAddr {
+func parseVlessAddr(metadata *C.Metadata, xudp bool) *vless.DstAddr {
 	var addrType byte
 	var addr []byte
 	switch metadata.AddrType() {
@ -337,7 +414,8 @@ func parseVlessAddr(metadata *C.Metadata) *vless.DstAddr {
 		UDP:      metadata.NetWork == C.UDP,
 		AddrType: addrType,
 		Addr:     addr,
-		Port:     uint(port),
+		Port:     uint16(port),
+		Mux:      metadata.NetWork == C.UDP && xudp,
 	}
 }

@ -438,6 +516,9 @@ func NewVless(option VlessOption) (*Vless, error) {
 	if option.Network != "ws" && len(option.Flow) >= 16 {
 		option.Flow = option.Flow[:16]
 		switch option.Flow {
+		case vless.XRV:
+			log.Warnln("To use %s, ensure your server is upgrade to Xray-core v1.8.0+", vless.XRV)
+			fallthrough
 		case vless.XRO, vless.XRD, vless.XRS:
 			addons = &vless.Addons{
 				Flow: option.Flow,
@ -447,6 +528,19 @@ func NewVless(option VlessOption) (*Vless, error) {
 		}
 	}

+	switch option.PacketEncoding {
+	case "packetaddr", "packet":
+		option.PacketAddr = true
+		option.XUDP = false
+	default: // https://github.com/XTLS/Xray-core/pull/1567#issuecomment-1407305458
+		if !option.PacketAddr {
+			option.XUDP = true
+		}
+	}
+	if option.XUDP {
+		option.PacketAddr = false
+	}
+
 	client, err := vless.NewClient(option.UUID, addons, option.FlowShow)
 	if err != nil {
 		return nil, err
@ -458,13 +552,21 @@ func NewVless(option VlessOption) (*Vless, error) {
 			addr:   net.JoinHostPort(option.Server, strconv.Itoa(option.Port)),
 			tp:     C.Vless,
 			udp:    option.UDP,
+			xudp:   option.XUDP,
+			tfo:    option.TFO,
 			iface:  option.Interface,
+			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
 		client: client,
 		option: &option,
 	}

+	v.realityConfig, err = v.option.RealityOpts.Parse()
+	if err != nil {
+		return nil, err
+	}
+
 	switch option.Network {
 	case "h2":
 		if len(option.HTTP2Opts.Host) == 0 {
@ -472,7 +574,15 @@ func NewVless(option VlessOption) (*Vless, error) {
 		}
 	case "grpc":
 		dialFn := func(network, addr string) (net.Conn, error) {
-			c, err := dialer.DialContext(context.Background(), "tcp", v.addr, v.Base.DialOptions()...)
+			var err error
+			var cDialer C.Dialer = dialer.NewDialer(v.Base.DialOptions()...)
+			if len(v.option.DialerProxy) > 0 {
+				cDialer, err = proxydialer.NewByName(v.option.DialerProxy, cDialer)
+				if err != nil {
+					return nil, err
+				}
+			}
+			c, err := cDialer.DialContext(context.Background(), "tcp", v.addr)
 			if err != nil {
 				return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
 			}
@ -481,10 +591,11 @@ func NewVless(option VlessOption) (*Vless, error) {
 		}

 		gunConfig := &gun.Config{
-			ServiceName: v.option.GrpcOpts.GrpcServiceName,
-			Host:        v.option.ServerName,
+			ServiceName:       v.option.GrpcOpts.GrpcServiceName,
+			Host:              v.option.ServerName,
+			ClientFingerprint: v.option.ClientFingerprint,
 		}
-		tlsConfig := tlsC.GetGlobalFingerprintTLCConfig(&tls.Config{
+		tlsConfig := tlsC.GetGlobalTLSConfig(&tls.Config{
 			InsecureSkipVerify: v.option.SkipCertVerify,
 			ServerName:         v.option.ServerName,
 		})
@ -497,11 +608,8 @@ func NewVless(option VlessOption) (*Vless, error) {

 		v.gunTLSConfig = tlsConfig
 		v.gunConfig = gunConfig
-		if v.isXTLSEnabled() {
-			v.transport = gun.NewHTTP2XTLSClient(dialFn, tlsConfig)
-		} else {
-			v.transport = gun.NewHTTP2Client(dialFn, tlsConfig)
-		}
+
+		v.transport = gun.NewHTTP2Client(dialFn, tlsConfig, v.option.ClientFingerprint, v.realityConfig)
 	}

 	return v, nil
--- a/adapter/outbound/vmess.go
+++ b/adapter/outbound/vmess.go
@ -5,20 +5,22 @@ import (
 	"crypto/tls"
 	"errors"
 	"fmt"
-	tlsC "github.com/Dreamacro/clash/component/tls"
-	vmess "github.com/sagernet/sing-vmess"
 	"net"
 	"net/http"
 	"strconv"
 	"strings"
 	"sync"

+	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/component/dialer"
+	"github.com/Dreamacro/clash/component/proxydialer"
 	"github.com/Dreamacro/clash/component/resolver"
+	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/gun"
 	clashVMess "github.com/Dreamacro/clash/transport/vmess"

+	vmess "github.com/sagernet/sing-vmess"
 	"github.com/sagernet/sing-vmess/packetaddr"
 	M "github.com/sagernet/sing/common/metadata"
 )
@ -34,31 +36,35 @@ type Vmess struct {
 	gunTLSConfig *tls.Config
 	gunConfig    *gun.Config
 	transport    *gun.TransportWrap
+
+	realityConfig *tlsC.RealityConfig
 }

 type VmessOption struct {
 	BasicOption
-	Name                string       `proxy:"name"`
-	Server              string       `proxy:"server"`
-	Port                int          `proxy:"port"`
-	UUID                string       `proxy:"uuid"`
-	AlterID             int          `proxy:"alterId"`
-	Cipher              string       `proxy:"cipher"`
-	UDP                 bool         `proxy:"udp,omitempty"`
-	Network             string       `proxy:"network,omitempty"`
-	TLS                 bool         `proxy:"tls,omitempty"`
-	SkipCertVerify      bool         `proxy:"skip-cert-verify,omitempty"`
-	Fingerprint         string       `proxy:"fingerprint,omitempty"`
-	ServerName          string       `proxy:"servername,omitempty"`
-	HTTPOpts            HTTPOptions  `proxy:"http-opts,omitempty"`
-	HTTP2Opts           HTTP2Options `proxy:"h2-opts,omitempty"`
-	GrpcOpts            GrpcOptions  `proxy:"grpc-opts,omitempty"`
-	WSOpts              WSOptions    `proxy:"ws-opts,omitempty"`
-	PacketAddr          bool         `proxy:"packet-addr,omitempty"`
-	XUDP                bool         `proxy:"xudp,omitempty"`
-	PacketEncoding      string       `proxy:"packet-encoding,omitempty"`
-	GlobalPadding       bool         `proxy:"global-padding,omitempty"`
-	AuthenticatedLength bool         `proxy:"authenticated-length,omitempty"`
+	Name                string         `proxy:"name"`
+	Server              string         `proxy:"server"`
+	Port                int            `proxy:"port"`
+	UUID                string         `proxy:"uuid"`
+	AlterID             int            `proxy:"alterId"`
+	Cipher              string         `proxy:"cipher"`
+	UDP                 bool           `proxy:"udp,omitempty"`
+	Network             string         `proxy:"network,omitempty"`
+	TLS                 bool           `proxy:"tls,omitempty"`
+	SkipCertVerify      bool           `proxy:"skip-cert-verify,omitempty"`
+	Fingerprint         string         `proxy:"fingerprint,omitempty"`
+	ServerName          string         `proxy:"servername,omitempty"`
+	RealityOpts         RealityOptions `proxy:"reality-opts,omitempty"`
+	HTTPOpts            HTTPOptions    `proxy:"http-opts,omitempty"`
+	HTTP2Opts           HTTP2Options   `proxy:"h2-opts,omitempty"`
+	GrpcOpts            GrpcOptions    `proxy:"grpc-opts,omitempty"`
+	WSOpts              WSOptions      `proxy:"ws-opts,omitempty"`
+	PacketAddr          bool           `proxy:"packet-addr,omitempty"`
+	XUDP                bool           `proxy:"xudp,omitempty"`
+	PacketEncoding      string         `proxy:"packet-encoding,omitempty"`
+	GlobalPadding       bool           `proxy:"global-padding,omitempty"`
+	AuthenticatedLength bool           `proxy:"authenticated-length,omitempty"`
+	ClientFingerprint   string         `proxy:"client-fingerprint,omitempty"`
 }

 type HTTPOptions struct {
@ -86,9 +92,13 @@ type WSOptions struct {
 // StreamConn implements C.ProxyAdapter
 func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	var err error
+
+	if tlsC.HaveGlobalFingerprint() && (len(v.option.ClientFingerprint) == 0) {
+		v.option.ClientFingerprint = tlsC.GetGlobalFingerprint()
+	}
+
 	switch v.option.Network {
 	case "ws":
-
 		host, port, _ := net.SplitHostPort(v.addr)
 		wsOpts := &clashVMess.WebsocketConfig{
 			Host:                host,
@ -96,6 +106,7 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 			Path:                v.option.WSOpts.Path,
 			MaxEarlyData:        v.option.WSOpts.MaxEarlyData,
 			EarlyDataHeaderName: v.option.WSOpts.EarlyDataHeaderName,
+			ClientFingerprint:   v.option.ClientFingerprint,
 			Headers:             http.Header{},
 		}

@ -114,9 +125,8 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 			}

 			if len(v.option.Fingerprint) == 0 {
-				wsOpts.TLSConfig = tlsC.GetGlobalFingerprintTLCConfig(tlsConfig)
+				wsOpts.TLSConfig = tlsC.GetGlobalTLSConfig(tlsConfig)
 			} else {
-				var err error
 				if wsOpts.TLSConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, v.option.Fingerprint); err != nil {
 					return nil, err
 				}
@ -134,14 +144,15 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 		if v.option.TLS {
 			host, _, _ := net.SplitHostPort(v.addr)
 			tlsOpts := &clashVMess.TLSConfig{
-				Host:           host,
-				SkipCertVerify: v.option.SkipCertVerify,
+				Host:              host,
+				SkipCertVerify:    v.option.SkipCertVerify,
+				ClientFingerprint: v.option.ClientFingerprint,
+				Reality:           v.realityConfig,
 			}

 			if v.option.ServerName != "" {
 				tlsOpts.Host = v.option.ServerName
 			}
-
 			c, err = clashVMess.StreamTLSConn(c, tlsOpts)
 			if err != nil {
 				return nil, err
@ -160,9 +171,11 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	case "h2":
 		host, _, _ := net.SplitHostPort(v.addr)
 		tlsOpts := clashVMess.TLSConfig{
-			Host:           host,
-			SkipCertVerify: v.option.SkipCertVerify,
-			NextProtos:     []string{"h2"},
+			Host:              host,
+			SkipCertVerify:    v.option.SkipCertVerify,
+			NextProtos:        []string{"h2"},
+			ClientFingerprint: v.option.ClientFingerprint,
+			Reality:           v.realityConfig,
 		}

 		if v.option.ServerName != "" {
@ -181,14 +194,16 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {

 		c, err = clashVMess.StreamH2Conn(c, h2Opts)
 	case "grpc":
-		c, err = gun.StreamGunWithConn(c, v.gunTLSConfig, v.gunConfig)
+		c, err = gun.StreamGunWithConn(c, v.gunTLSConfig, v.gunConfig, v.realityConfig)
 	default:
 		// handle TLS
 		if v.option.TLS {
 			host, _, _ := net.SplitHostPort(v.addr)
 			tlsOpts := &clashVMess.TLSConfig{
-				Host:           host,
-				SkipCertVerify: v.option.SkipCertVerify,
+				Host:              host,
+				SkipCertVerify:    v.option.SkipCertVerify,
+				ClientFingerprint: v.option.ClientFingerprint,
+				Reality:           v.realityConfig,
 			}

 			if v.option.ServerName != "" {
@ -202,15 +217,42 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	if err != nil {
 		return nil, err
 	}
+	return v.streamConn(c, metadata)
+}
+
+func (v *Vmess) streamConn(c net.Conn, metadata *C.Metadata) (conn net.Conn, err error) {
 	if metadata.NetWork == C.UDP {
 		if v.option.XUDP {
-			return v.client.DialXUDPPacketConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
+			if N.NeedHandshake(c) {
+				conn = v.client.DialEarlyXUDPPacketConn(c, M.SocksaddrFromNet(metadata.UDPAddr()))
+			} else {
+				conn, err = v.client.DialXUDPPacketConn(c, M.SocksaddrFromNet(metadata.UDPAddr()))
+			}
+		} else if v.option.PacketAddr {
+			if N.NeedHandshake(c) {
+				conn = v.client.DialEarlyPacketConn(c, M.ParseSocksaddrHostPort(packetaddr.SeqPacketMagicAddress, 443))
+			} else {
+				conn, err = v.client.DialPacketConn(c, M.ParseSocksaddrHostPort(packetaddr.SeqPacketMagicAddress, 443))
+			}
+			conn = packetaddr.NewBindConn(conn)
 		} else {
-			return v.client.DialPacketConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
+			if N.NeedHandshake(c) {
+				conn = v.client.DialEarlyPacketConn(c, M.SocksaddrFromNet(metadata.UDPAddr()))
+			} else {
+				conn, err = v.client.DialPacketConn(c, M.SocksaddrFromNet(metadata.UDPAddr()))
+			}
 		}
 	} else {
-		return v.client.DialConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
+		if N.NeedHandshake(c) {
+			conn = v.client.DialEarlyConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
+		} else {
+			conn, err = v.client.DialConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
+		}
 	}
+	if err != nil {
+		conn = nil
+	}
+	return
 }

 // DialContext implements C.ProxyAdapter
@ -237,6 +279,12 @@ func (v *Vmess) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d

 // DialContextWithDialer implements C.ProxyAdapter
 func (v *Vmess) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.Conn, err error) {
+	if len(v.option.DialerProxy) > 0 {
+		dialer, err = proxydialer.NewByName(v.option.DialerProxy, dialer)
+		if err != nil {
+			return nil, err
+		}
+	}
 	c, err := dialer.DialContext(ctx, "tcp", v.addr)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
@ -252,7 +300,7 @@ func (v *Vmess) DialContextWithDialer(ctx context.Context, dialer C.Dialer, meta

 // ListenPacketContext implements C.ProxyAdapter
 func (v *Vmess) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
-	// vmess use stream-oriented udp with a special address, so we needs a net.UDPAddr
+	// vmess use stream-oriented udp with a special address, so we need a net.UDPAddr
 	if !metadata.Resolved() {
 		ip, err := resolver.ResolveIP(ctx, metadata.Host)
 		if err != nil {
@ -260,14 +308,6 @@ func (v *Vmess) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o
 		}
 		metadata.DstIP = ip
 	}
-
-	if v.option.PacketAddr {
-		_metadata := *metadata // make a copy
-		metadata = &_metadata
-		metadata.Host = packetaddr.SeqPacketMagicAddress
-		metadata.DstPort = "443"
-	}
-
 	var c net.Conn
 	// gun transport
 	if v.transport != nil && len(opts) == 0 {
@ -279,33 +319,25 @@ func (v *Vmess) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o
 			safeConnClose(c, err)
 		}(c)

-		if v.option.XUDP {
-			c, err = v.client.DialXUDPPacketConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
-		} else {
-			c, err = v.client.DialPacketConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
-		}
-
+		c, err = v.streamConn(c, metadata)
 		if err != nil {
 			return nil, fmt.Errorf("new vmess client error: %v", err)
 		}
-		return v.ListenPacketOnStreamConn(c, metadata)
+		return v.ListenPacketOnStreamConn(ctx, c, metadata)
 	}
-	c, err = dialer.DialContext(ctx, "tcp", v.addr, v.Base.DialOptions(opts...)...)
-	if err != nil {
-		return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
-	}
-	tcpKeepAlive(c)
-	defer func(c net.Conn) {
-		safeConnClose(c, err)
-	}(c)
-
-	c, err = v.StreamConn(c, metadata)
 	return v.ListenPacketWithDialer(ctx, dialer.NewDialer(v.Base.DialOptions(opts...)...), metadata)
 }

 // ListenPacketWithDialer implements C.ProxyAdapter
 func (v *Vmess) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.PacketConn, err error) {
-	// vmess use stream-oriented udp with a special address, so we needs a net.UDPAddr
+	if len(v.option.DialerProxy) > 0 {
+		dialer, err = proxydialer.NewByName(v.option.DialerProxy, dialer)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	// vmess use stream-oriented udp with a special address, so we need a net.UDPAddr
 	if !metadata.Resolved() {
 		ip, err := resolver.ResolveIP(ctx, metadata.Host)
 		if err != nil {
@ -315,23 +347,38 @@ func (v *Vmess) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, met
 	}

 	c, err := dialer.DialContext(ctx, "tcp", v.addr)
+	if err != nil {
+		return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
+	}
+	tcpKeepAlive(c)
+	defer func(c net.Conn) {
+		safeConnClose(c, err)
+	}(c)
+
+	c, err = v.StreamConn(c, metadata)
 	if err != nil {
 		return nil, fmt.Errorf("new vmess client error: %v", err)
 	}
-
-	return v.ListenPacketOnStreamConn(c, metadata)
+	return v.ListenPacketOnStreamConn(ctx, c, metadata)
 }

 // SupportWithDialer implements C.ProxyAdapter
-func (v *Vmess) SupportWithDialer() bool {
-	return true
+func (v *Vmess) SupportWithDialer() C.NetWork {
+	return C.ALLNet
 }

 // ListenPacketOnStreamConn implements C.ProxyAdapter
-func (v *Vmess) ListenPacketOnStreamConn(c net.Conn, metadata *C.Metadata) (_ C.PacketConn, err error) {
-	if v.option.PacketAddr {
-		return newPacketConn(&threadSafePacketConn{PacketConn: packetaddr.NewBindConn(c)}, v), nil
-	} else if pc, ok := c.(net.PacketConn); ok {
+func (v *Vmess) ListenPacketOnStreamConn(ctx context.Context, c net.Conn, metadata *C.Metadata) (_ C.PacketConn, err error) {
+	// vmess use stream-oriented udp with a special address, so we need a net.UDPAddr
+	if !metadata.Resolved() {
+		ip, err := resolver.ResolveIP(ctx, metadata.Host)
+		if err != nil {
+			return nil, errors.New("can't resolve ip")
+		}
+		metadata.DstIP = ip
+	}
+
+	if pc, ok := c.(net.PacketConn); ok {
 		return newPacketConn(&threadSafePacketConn{PacketConn: pc}, v), nil
 	}
 	return newPacketConn(&vmessPacketConn{Conn: c, rAddr: metadata.UDPAddr()}, v), nil
@ -369,7 +416,7 @@ func NewVmess(option VmessOption) (*Vmess, error) {
 	switch option.Network {
 	case "h2", "grpc":
 		if !option.TLS {
-			return nil, fmt.Errorf("TLS must be true with h2/grpc network")
+			option.TLS = true
 		}
 	}

@ -379,6 +426,8 @@ func NewVmess(option VmessOption) (*Vmess, error) {
 			addr:   net.JoinHostPort(option.Server, strconv.Itoa(option.Port)),
 			tp:     C.Vmess,
 			udp:    option.UDP,
+			xudp:   option.XUDP,
+			tfo:    option.TFO,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
@ -394,7 +443,15 @@ func NewVmess(option VmessOption) (*Vmess, error) {
 		}
 	case "grpc":
 		dialFn := func(network, addr string) (net.Conn, error) {
-			c, err := dialer.DialContext(context.Background(), "tcp", v.addr, v.Base.DialOptions()...)
+			var err error
+			var cDialer C.Dialer = dialer.NewDialer(v.Base.DialOptions()...)
+			if len(v.option.DialerProxy) > 0 {
+				cDialer, err = proxydialer.NewByName(v.option.DialerProxy, cDialer)
+				if err != nil {
+					return nil, err
+				}
+			}
+			c, err := cDialer.DialContext(context.Background(), "tcp", v.addr)
 			if err != nil {
 				return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
 			}
@ -403,8 +460,9 @@ func NewVmess(option VmessOption) (*Vmess, error) {
 		}

 		gunConfig := &gun.Config{
-			ServiceName: v.option.GrpcOpts.GrpcServiceName,
-			Host:        v.option.ServerName,
+			ServiceName:       v.option.GrpcOpts.GrpcServiceName,
+			Host:              v.option.ServerName,
+			ClientFingerprint: v.option.ClientFingerprint,
 		}
 		tlsConfig := &tls.Config{
 			InsecureSkipVerify: v.option.SkipCertVerify,
@ -419,8 +477,15 @@ func NewVmess(option VmessOption) (*Vmess, error) {

 		v.gunTLSConfig = tlsConfig
 		v.gunConfig = gunConfig
-		v.transport = gun.NewHTTP2Client(dialFn, tlsConfig)
+
+		v.transport = gun.NewHTTP2Client(dialFn, tlsConfig, v.option.ClientFingerprint, v.realityConfig)
 	}
+
+	v.realityConfig, err = v.option.RealityOpts.Parse()
+	if err != nil {
+		return nil, err
+	}
+
 	return v, nil
 }

@ -444,9 +509,9 @@ type vmessPacketConn struct {
 // WriteTo implments C.PacketConn.WriteTo
 // Since VMess doesn't support full cone NAT by design, we verify if addr matches uc.rAddr, and drop the packet if not.
 func (uc *vmessPacketConn) WriteTo(b []byte, addr net.Addr) (int, error) {
-	allowedAddr := uc.rAddr.(*net.UDPAddr)
-	destAddr := addr.(*net.UDPAddr)
-	if !(allowedAddr.IP.Equal(destAddr.IP) && allowedAddr.Port == destAddr.Port) {
+	allowedAddr := uc.rAddr
+	destAddr := addr
+	if allowedAddr.String() != destAddr.String() {
 		return 0, ErrUDPRemoteAddrMismatch
 	}
 	uc.access.Lock()
--- a/adapter/outbound/wireguard.go
+++ b/adapter/outbound/wireguard.go
@ -15,9 +15,11 @@ import (

 	CN "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/component/dialer"
+	"github.com/Dreamacro/clash/component/proxydialer"
 	"github.com/Dreamacro/clash/component/resolver"
 	C "github.com/Dreamacro/clash/constant"
-	"github.com/Dreamacro/clash/listener/sing"
+	"github.com/Dreamacro/clash/dns"
+	"github.com/Dreamacro/clash/log"

 	wireguard "github.com/metacubex/sing-wireguard"

@ -34,66 +36,100 @@ type WireGuard struct {
 	bind      *wireguard.ClientBind
 	device    *device.Device
 	tunDevice wireguard.Device
-	dialer    *wgDialer
+	dialer    *wgSingDialer
 	startOnce sync.Once
 	startErr  error
+	resolver  *dns.Resolver
+	refP      *refProxyAdapter
 }

 type WireGuardOption struct {
 	BasicOption
-	Name                string  `proxy:"name"`
-	Server              string  `proxy:"server"`
-	Port                int     `proxy:"port"`
-	Ip                  string  `proxy:"ip,omitempty"`
-	Ipv6                string  `proxy:"ipv6,omitempty"`
-	PrivateKey          string  `proxy:"private-key"`
-	PublicKey           string  `proxy:"public-key"`
-	PreSharedKey        string  `proxy:"pre-shared-key,omitempty"`
-	Reserved            []uint8 `proxy:"reserved,omitempty"`
-	Workers             int     `proxy:"workers,omitempty"`
-	MTU                 int     `proxy:"mtu,omitempty"`
-	UDP                 bool    `proxy:"udp,omitempty"`
-	PersistentKeepalive int     `proxy:"persistent-keepalive,omitempty"`
+	WireGuardPeerOption
+	Name                string `proxy:"name"`
+	PrivateKey          string `proxy:"private-key"`
+	Workers             int    `proxy:"workers,omitempty"`
+	MTU                 int    `proxy:"mtu,omitempty"`
+	UDP                 bool   `proxy:"udp,omitempty"`
+	PersistentKeepalive int    `proxy:"persistent-keepalive,omitempty"`
+
+	Peers []WireGuardPeerOption `proxy:"peers,omitempty"`
+
+	RemoteDnsResolve bool     `proxy:"remote-dns-resolve,omitempty"`
+	Dns              []string `proxy:"dns,omitempty"`
 }

-type wgDialer struct {
-	options []dialer.Option
+type WireGuardPeerOption struct {
+	Server       string   `proxy:"server"`
+	Port         int      `proxy:"port"`
+	Ip           string   `proxy:"ip,omitempty"`
+	Ipv6         string   `proxy:"ipv6,omitempty"`
+	PublicKey    string   `proxy:"public-key,omitempty"`
+	PreSharedKey string   `proxy:"pre-shared-key,omitempty"`
+	Reserved     []uint8  `proxy:"reserved,omitempty"`
+	AllowedIPs   []string `proxy:"allowed_ips,omitempty"`
 }

-func (d *wgDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	return dialer.DialContext(ctx, network, destination.String(), d.options...)
+type wgSingDialer struct {
+	dialer    dialer.Dialer
+	proxyName string
 }

-func (d *wgDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	return dialer.ListenPacket(ctx, dialer.ParseNetwork("udp", destination.Addr), "", d.options...)
-}
+var _ N.Dialer = (*wgSingDialer)(nil)

-func NewWireGuard(option WireGuardOption) (*WireGuard, error) {
-	outbound := &WireGuard{
-		Base: &Base{
-			name:   option.Name,
-			addr:   net.JoinHostPort(option.Server, strconv.Itoa(option.Port)),
-			tp:     C.WireGuard,
-			udp:    option.UDP,
-			iface:  option.Interface,
-			rmark:  option.RoutingMark,
-			prefer: C.NewDNSPrefer(option.IPVersion),
-		},
-		dialer: &wgDialer{},
-	}
-	runtime.SetFinalizer(outbound, closeWireGuard)
-
-	var reserved [3]uint8
-	if len(option.Reserved) > 0 {
-		if len(option.Reserved) != 3 {
-			return nil, E.New("invalid reserved value, required 3 bytes, got ", len(option.Reserved))
+func (d *wgSingDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+	var cDialer C.Dialer = d.dialer
+	if len(d.proxyName) > 0 {
+		pd, err := proxydialer.NewByName(d.proxyName, d.dialer)
+		if err != nil {
+			return nil, err
 		}
-		reserved[0] = uint8(option.Reserved[0])
-		reserved[1] = uint8(option.Reserved[1])
-		reserved[2] = uint8(option.Reserved[2])
+		cDialer = pd
 	}
-	peerAddr := M.ParseSocksaddrHostPort(option.Server, uint16(option.Port))
-	outbound.bind = wireguard.NewClientBind(context.Background(), outbound.dialer, peerAddr, reserved)
+	return cDialer.DialContext(ctx, network, destination.String())
+}
+
+func (d *wgSingDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+	var cDialer C.Dialer = d.dialer
+	if len(d.proxyName) > 0 {
+		pd, err := proxydialer.NewByName(d.proxyName, d.dialer)
+		if err != nil {
+			return nil, err
+		}
+		cDialer = pd
+	}
+	return cDialer.ListenPacket(ctx, "udp", "", destination.AddrPort())
+}
+
+type wgSingErrorHandler struct {
+	name string
+}
+
+var _ E.Handler = (*wgSingErrorHandler)(nil)
+
+func (w wgSingErrorHandler) NewError(ctx context.Context, err error) {
+	if E.IsClosedOrCanceled(err) {
+		log.SingLogger.Debug(fmt.Sprintf("[WG](%s) connection closed: %s", w.name, err))
+		return
+	}
+	log.SingLogger.Error(fmt.Sprintf("[WG](%s) %s", w.name, err))
+}
+
+type wgNetDialer struct {
+	tunDevice wireguard.Device
+}
+
+var _ dialer.NetDialer = (*wgNetDialer)(nil)
+
+func (d wgNetDialer) DialContext(ctx context.Context, network, address string) (net.Conn, error) {
+	return d.tunDevice.DialContext(ctx, network, M.ParseSocksaddr(address).Unwrap())
+}
+
+func (option WireGuardPeerOption) Addr() M.Socksaddr {
+	return M.ParseSocksaddrHostPort(option.Server, uint16(option.Port))
+}
+
+func (option WireGuardPeerOption) Prefixes() ([]netip.Prefix, error) {
 	localPrefixes := make([]netip.Prefix, 0, 2)
 	if len(option.Ip) > 0 {
 		if !strings.Contains(option.Ip, "/") {
@ -118,7 +154,46 @@ func NewWireGuard(option WireGuardOption) (*WireGuard, error) {
 	if len(localPrefixes) == 0 {
 		return nil, E.New("missing local address")
 	}
-	var privateKey, peerPublicKey, preSharedKey string
+	return localPrefixes, nil
+}
+
+func NewWireGuard(option WireGuardOption) (*WireGuard, error) {
+	outbound := &WireGuard{
+		Base: &Base{
+			name:   option.Name,
+			addr:   net.JoinHostPort(option.Server, strconv.Itoa(option.Port)),
+			tp:     C.WireGuard,
+			udp:    option.UDP,
+			iface:  option.Interface,
+			rmark:  option.RoutingMark,
+			prefer: C.NewDNSPrefer(option.IPVersion),
+		},
+		dialer: &wgSingDialer{dialer: dialer.NewDialer(), proxyName: option.DialerProxy},
+	}
+	runtime.SetFinalizer(outbound, closeWireGuard)
+
+	var reserved [3]uint8
+	if len(option.Reserved) > 0 {
+		if len(option.Reserved) != 3 {
+			return nil, E.New("invalid reserved value, required 3 bytes, got ", len(option.Reserved))
+		}
+		copy(reserved[:], option.Reserved)
+	}
+	var isConnect bool
+	var connectAddr M.Socksaddr
+	if len(option.Peers) < 2 {
+		isConnect = true
+		if len(option.Peers) == 1 {
+			connectAddr = option.Peers[0].Addr()
+		} else {
+			connectAddr = option.Addr()
+		}
+	}
+	outbound.bind = wireguard.NewClientBind(context.Background(), wgSingErrorHandler{outbound.Name()}, outbound.dialer, isConnect, connectAddr, reserved)
+
+	var localPrefixes []netip.Prefix
+
+	var privateKey string
 	{
 		bytes, err := base64.StdEncoding.DecodeString(option.PrivateKey)
 		if err != nil {
@ -126,40 +201,92 @@ func NewWireGuard(option WireGuardOption) (*WireGuard, error) {
 		}
 		privateKey = hex.EncodeToString(bytes)
 	}
-	{
-		bytes, err := base64.StdEncoding.DecodeString(option.PublicKey)
-		if err != nil {
-			return nil, E.Cause(err, "decode peer public key")
-		}
-		peerPublicKey = hex.EncodeToString(bytes)
-	}
-	if option.PreSharedKey != "" {
-		bytes, err := base64.StdEncoding.DecodeString(option.PreSharedKey)
-		if err != nil {
-			return nil, E.Cause(err, "decode pre shared key")
-		}
-		preSharedKey = hex.EncodeToString(bytes)
-	}
 	ipcConf := "private_key=" + privateKey
-	ipcConf += "\npublic_key=" + peerPublicKey
-	ipcConf += "\nendpoint=" + peerAddr.String()
-	if preSharedKey != "" {
-		ipcConf += "\npreshared_key=" + preSharedKey
-	}
-	var has4, has6 bool
-	for _, address := range localPrefixes {
-		if address.Addr().Is4() {
-			has4 = true
-		} else {
-			has6 = true
+	if peersLen := len(option.Peers); peersLen > 0 {
+		localPrefixes = make([]netip.Prefix, 0, peersLen*2)
+		for i, peer := range option.Peers {
+			var peerPublicKey, preSharedKey string
+			{
+				bytes, err := base64.StdEncoding.DecodeString(peer.PublicKey)
+				if err != nil {
+					return nil, E.Cause(err, "decode public key for peer ", i)
+				}
+				peerPublicKey = hex.EncodeToString(bytes)
+			}
+			if peer.PreSharedKey != "" {
+				bytes, err := base64.StdEncoding.DecodeString(peer.PreSharedKey)
+				if err != nil {
+					return nil, E.Cause(err, "decode pre shared key for peer ", i)
+				}
+				preSharedKey = hex.EncodeToString(bytes)
+			}
+			destination := peer.Addr()
+			ipcConf += "\npublic_key=" + peerPublicKey
+			ipcConf += "\nendpoint=" + destination.String()
+			if preSharedKey != "" {
+				ipcConf += "\npreshared_key=" + preSharedKey
+			}
+			if len(peer.AllowedIPs) == 0 {
+				return nil, E.New("missing allowed_ips for peer ", i)
+			}
+			for _, allowedIP := range peer.AllowedIPs {
+				ipcConf += "\nallowed_ip=" + allowedIP
+			}
+			if len(peer.Reserved) > 0 {
+				if len(peer.Reserved) != 3 {
+					return nil, E.New("invalid reserved value for peer ", i, ", required 3 bytes, got ", len(peer.Reserved))
+				}
+				copy(reserved[:], option.Reserved)
+				outbound.bind.SetReservedForEndpoint(destination, reserved)
+			}
+			prefixes, err := peer.Prefixes()
+			if err != nil {
+				return nil, err
+			}
+			localPrefixes = append(localPrefixes, prefixes...)
+		}
+	} else {
+		var peerPublicKey, preSharedKey string
+		{
+			bytes, err := base64.StdEncoding.DecodeString(option.PublicKey)
+			if err != nil {
+				return nil, E.Cause(err, "decode peer public key")
+			}
+			peerPublicKey = hex.EncodeToString(bytes)
+		}
+		if option.PreSharedKey != "" {
+			bytes, err := base64.StdEncoding.DecodeString(option.PreSharedKey)
+			if err != nil {
+				return nil, E.Cause(err, "decode pre shared key")
+			}
+			preSharedKey = hex.EncodeToString(bytes)
+		}
+		ipcConf += "\npublic_key=" + peerPublicKey
+		ipcConf += "\nendpoint=" + connectAddr.String()
+		if preSharedKey != "" {
+			ipcConf += "\npreshared_key=" + preSharedKey
+		}
+		var err error
+		localPrefixes, err = option.Prefixes()
+		if err != nil {
+			return nil, err
+		}
+		var has4, has6 bool
+		for _, address := range localPrefixes {
+			if address.Addr().Is4() {
+				has4 = true
+			} else {
+				has6 = true
+			}
+		}
+		if has4 {
+			ipcConf += "\nallowed_ip=0.0.0.0/0"
+		}
+		if has6 {
+			ipcConf += "\nallowed_ip=::/0"
 		}
 	}
-	if has4 {
-		ipcConf += "\nallowed_ip=0.0.0.0/0"
-	}
-	if has6 {
-		ipcConf += "\nallowed_ip=::/0"
-	}
+
 	if option.PersistentKeepalive != 0 {
 		ipcConf += fmt.Sprintf("\npersistent_keepalive_interval=%d", option.PersistentKeepalive)
 	}
@ -167,6 +294,9 @@ func NewWireGuard(option WireGuardOption) (*WireGuard, error) {
 	if mtu == 0 {
 		mtu = 1408
 	}
+	if len(localPrefixes) == 0 {
+		return nil, E.New("missing local address")
+	}
 	var err error
 	outbound.tunDevice, err = wireguard.NewStackDevice(localPrefixes, uint32(mtu))
 	if err != nil {
@ -174,20 +304,45 @@ func NewWireGuard(option WireGuardOption) (*WireGuard, error) {
 	}
 	outbound.device = device.NewDevice(outbound.tunDevice, outbound.bind, &device.Logger{
 		Verbosef: func(format string, args ...interface{}) {
-			sing.Logger.Debug(fmt.Sprintf(strings.ToLower(format), args...))
+			log.SingLogger.Debug(fmt.Sprintf("[WG](%s) %s", option.Name, fmt.Sprintf(format, args...)))
 		},
 		Errorf: func(format string, args ...interface{}) {
-			sing.Logger.Error(fmt.Sprintf(strings.ToLower(format), args...))
+			log.SingLogger.Error(fmt.Sprintf("[WG](%s) %s", option.Name, fmt.Sprintf(format, args...)))
 		},
 	}, option.Workers)
 	if debug.Enabled {
-		sing.Logger.Trace("created wireguard ipc conf: \n", ipcConf)
+		log.SingLogger.Trace(fmt.Sprintf("[WG](%s) created wireguard ipc conf: \n %s", option.Name, ipcConf))
 	}
 	err = outbound.device.IpcSet(ipcConf)
 	if err != nil {
 		return nil, E.Cause(err, "setup wireguard")
 	}
 	//err = outbound.tunDevice.Start()
+
+	var has6 bool
+	for _, address := range localPrefixes {
+		if !address.Addr().Unmap().Is4() {
+			has6 = true
+			break
+		}
+	}
+
+	refP := &refProxyAdapter{}
+	outbound.refP = refP
+	if option.RemoteDnsResolve && len(option.Dns) > 0 {
+		nss, err := dns.ParseNameServer(option.Dns)
+		if err != nil {
+			return nil, err
+		}
+		for i := range nss {
+			nss[i].ProxyAdapter = refP
+		}
+		outbound.resolver = dns.NewResolver(dns.Config{
+			Main: nss,
+			IPv6: has6,
+		})
+	}
+
 	return outbound, nil
 }

@ -199,7 +354,8 @@ func closeWireGuard(w *WireGuard) {
 }

 func (w *WireGuard) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
-	w.dialer.options = opts
+	options := w.Base.DialOptions(opts...)
+	w.dialer.dialer = dialer.NewDialer(options...)
 	var conn net.Conn
 	w.startOnce.Do(func() {
 		w.startErr = w.tunDevice.Start()
@ -207,16 +363,19 @@ func (w *WireGuard) DialContext(ctx context.Context, metadata *C.Metadata, opts
 	if w.startErr != nil {
 		return nil, w.startErr
 	}
-	if !metadata.Resolved() {
-		var addrs []netip.Addr
-		addrs, err = resolver.LookupIP(ctx, metadata.Host)
-		if err != nil {
-			return nil, err
+	if !metadata.Resolved() || w.resolver != nil {
+		r := resolver.DefaultResolver
+		if w.resolver != nil {
+			w.refP.SetProxyAdapter(w)
+			defer w.refP.ClearProxyAdapter()
+			r = w.resolver
 		}
-		conn, err = N.DialSerial(ctx, w.tunDevice, "tcp", M.ParseSocksaddr(metadata.RemoteAddress()), addrs)
+		options = append(options, dialer.WithResolver(r))
+		options = append(options, dialer.WithNetDialer(wgNetDialer{tunDevice: w.tunDevice}))
+		conn, err = dialer.NewDialer(options...).DialContext(ctx, "tcp", metadata.RemoteAddress())
 	} else {
 		port, _ := strconv.Atoi(metadata.DstPort)
-		conn, err = w.tunDevice.DialContext(ctx, "tcp", M.SocksaddrFrom(metadata.DstIP, uint16(port)))
+		conn, err = w.tunDevice.DialContext(ctx, "tcp", M.SocksaddrFrom(metadata.DstIP, uint16(port)).Unwrap())
 	}
 	if err != nil {
 		return nil, err
@ -228,7 +387,8 @@ func (w *WireGuard) DialContext(ctx context.Context, metadata *C.Metadata, opts
 }

 func (w *WireGuard) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
-	w.dialer.options = opts
+	options := w.Base.DialOptions(opts...)
+	w.dialer.dialer = dialer.NewDialer(options...)
 	var pc net.PacketConn
 	w.startOnce.Do(func() {
 		w.startErr = w.tunDevice.Start()
@ -239,15 +399,21 @@ func (w *WireGuard) ListenPacketContext(ctx context.Context, metadata *C.Metadat
 	if err != nil {
 		return nil, err
 	}
-	if !metadata.Resolved() {
-		ip, err := resolver.ResolveIP(ctx, metadata.Host)
+	if (!metadata.Resolved() || w.resolver != nil) && metadata.Host != "" {
+		r := resolver.DefaultResolver
+		if w.resolver != nil {
+			w.refP.SetProxyAdapter(w)
+			defer w.refP.ClearProxyAdapter()
+			r = w.resolver
+		}
+		ip, err := resolver.ResolveIPWithResolver(ctx, metadata.Host, r)
 		if err != nil {
 			return nil, errors.New("can't resolve ip")
 		}
 		metadata.DstIP = ip
 	}
 	port, _ := strconv.Atoi(metadata.DstPort)
-	pc, err = w.tunDevice.ListenPacket(ctx, M.SocksaddrFrom(metadata.DstIP, uint16(port)))
+	pc, err = w.tunDevice.ListenPacket(ctx, M.SocksaddrFrom(metadata.DstIP, uint16(port)).Unwrap())
 	if err != nil {
 		return nil, err
 	}
@ -256,3 +422,144 @@ func (w *WireGuard) ListenPacketContext(ctx context.Context, metadata *C.Metadat
 	}
 	return newPacketConn(CN.NewRefPacketConn(pc, w), w), nil
 }
+
+// IsL3Protocol implements C.ProxyAdapter
+func (w *WireGuard) IsL3Protocol(metadata *C.Metadata) bool {
+	return true
+}
+
+type refProxyAdapter struct {
+	proxyAdapter C.ProxyAdapter
+	count        int
+	mutex        sync.Mutex
+}
+
+func (r *refProxyAdapter) SetProxyAdapter(proxyAdapter C.ProxyAdapter) {
+	r.mutex.Lock()
+	defer r.mutex.Unlock()
+	r.proxyAdapter = proxyAdapter
+	r.count++
+}
+
+func (r *refProxyAdapter) ClearProxyAdapter() {
+	r.mutex.Lock()
+	defer r.mutex.Unlock()
+	r.count--
+	if r.count == 0 {
+		r.proxyAdapter = nil
+	}
+}
+
+func (r *refProxyAdapter) Name() string {
+	if r.proxyAdapter != nil {
+		return r.proxyAdapter.Name()
+	}
+	return ""
+}
+
+func (r *refProxyAdapter) Type() C.AdapterType {
+	if r.proxyAdapter != nil {
+		return r.proxyAdapter.Type()
+	}
+	return C.AdapterType(0)
+}
+
+func (r *refProxyAdapter) Addr() string {
+	if r.proxyAdapter != nil {
+		return r.proxyAdapter.Addr()
+	}
+	return ""
+}
+
+func (r *refProxyAdapter) SupportUDP() bool {
+	if r.proxyAdapter != nil {
+		return r.proxyAdapter.SupportUDP()
+	}
+	return false
+}
+
+func (r *refProxyAdapter) SupportXUDP() bool {
+	if r.proxyAdapter != nil {
+		return r.proxyAdapter.SupportXUDP()
+	}
+	return false
+}
+
+func (r *refProxyAdapter) SupportTFO() bool {
+	if r.proxyAdapter != nil {
+		return r.proxyAdapter.SupportTFO()
+	}
+	return false
+}
+
+func (r *refProxyAdapter) MarshalJSON() ([]byte, error) {
+	if r.proxyAdapter != nil {
+		return r.proxyAdapter.MarshalJSON()
+	}
+	return nil, C.ErrNotSupport
+}
+
+func (r *refProxyAdapter) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+	if r.proxyAdapter != nil {
+		return r.proxyAdapter.StreamConn(c, metadata)
+	}
+	return nil, C.ErrNotSupport
+}
+
+func (r *refProxyAdapter) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
+	if r.proxyAdapter != nil {
+		return r.proxyAdapter.DialContext(ctx, metadata, opts...)
+	}
+	return nil, C.ErrNotSupport
+}
+
+func (r *refProxyAdapter) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
+	if r.proxyAdapter != nil {
+		return r.proxyAdapter.ListenPacketContext(ctx, metadata, opts...)
+	}
+	return nil, C.ErrNotSupport
+}
+
+func (r *refProxyAdapter) SupportUOT() bool {
+	if r.proxyAdapter != nil {
+		return r.proxyAdapter.SupportUOT()
+	}
+	return false
+}
+
+func (r *refProxyAdapter) SupportWithDialer() C.NetWork {
+	if r.proxyAdapter != nil {
+		return r.proxyAdapter.SupportWithDialer()
+	}
+	return C.InvalidNet
+}
+
+func (r *refProxyAdapter) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (C.Conn, error) {
+	if r.proxyAdapter != nil {
+		return r.proxyAdapter.DialContextWithDialer(ctx, dialer, metadata)
+	}
+	return nil, C.ErrNotSupport
+}
+
+func (r *refProxyAdapter) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (C.PacketConn, error) {
+	if r.proxyAdapter != nil {
+		return r.proxyAdapter.ListenPacketWithDialer(ctx, dialer, metadata)
+	}
+	return nil, C.ErrNotSupport
+}
+
+func (r *refProxyAdapter) IsL3Protocol(metadata *C.Metadata) bool {
+	if r.proxyAdapter != nil {
+		return r.proxyAdapter.IsL3Protocol(metadata)
+	}
+	return false
+}
+
+func (r *refProxyAdapter) Unwrap(metadata *C.Metadata, touch bool) C.Proxy {
+	if r.proxyAdapter != nil {
+		return r.proxyAdapter.Unwrap(metadata, touch)
+	}
+	return nil
+}
+
+var _ C.ProxyAdapter = (*refProxyAdapter)(nil)
--- a/adapter/outboundgroup/fallback.go
+++ b/adapter/outboundgroup/fallback.go
@ -4,11 +4,14 @@ import (
 	"context"
 	"encoding/json"
 	"errors"
+	"time"
+
 	"github.com/Dreamacro/clash/adapter/outbound"
+	"github.com/Dreamacro/clash/common/callback"
+	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/constant/provider"
-	"time"
 )

 type Fallback struct {
@ -29,11 +32,20 @@ func (f *Fallback) DialContext(ctx context.Context, metadata *C.Metadata, opts .
 	c, err := proxy.DialContext(ctx, metadata, f.Base.DialOptions(opts...)...)
 	if err == nil {
 		c.AppendToChains(f)
-		f.onDialSuccess()
 	} else {
 		f.onDialFailed(proxy.Type(), err)
 	}

+	if N.NeedHandshake(c) {
+		c = callback.NewFirstWriteCallBackConn(c, func(err error) {
+			if err == nil {
+				f.onDialSuccess()
+			} else {
+				f.onDialFailed(proxy.Type(), err)
+			}
+		})
+	}
+
 	return c, err
 }

@ -58,6 +70,11 @@ func (f *Fallback) SupportUDP() bool {
 	return proxy.SupportUDP()
 }

+// IsL3Protocol implements C.ProxyAdapter
+func (f *Fallback) IsL3Protocol(metadata *C.Metadata) bool {
+	return f.findAliveProxy(false).IsL3Protocol(metadata)
+}
+
 // MarshalJSON implements C.ProxyAdapter
 func (f *Fallback) MarshalJSON() ([]byte, error) {
 	all := []string{}
@ -121,6 +138,10 @@ func (f *Fallback) Set(name string) error {
 	return nil
 }

+func (f *Fallback) ForceSet(name string) {
+	f.selected = name
+}
+
 func NewFallback(option *GroupCommonOption, providers []provider.ProxyProvider) *Fallback {
 	return &Fallback{
 		GroupBase: NewGroupBase(GroupBaseOption{
@ -132,6 +153,7 @@ func NewFallback(option *GroupCommonOption, providers []provider.ProxyProvider)
 			},
 			option.Filter,
 			option.ExcludeFilter,
+			option.ExcludeType,
 			providers,
 		}),
 		disableUDP: option.DisableUDP,
--- a/adapter/outboundgroup/groupbase.go
+++ b/adapter/outboundgroup/groupbase.go
@ -3,23 +3,26 @@ package outboundgroup
 import (
 	"context"
 	"fmt"
+	"strings"
+	"sync"
+	"time"
+
 	"github.com/Dreamacro/clash/adapter/outbound"
+	"github.com/Dreamacro/clash/common/atomic"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/constant/provider"
 	types "github.com/Dreamacro/clash/constant/provider"
 	"github.com/Dreamacro/clash/log"
 	"github.com/Dreamacro/clash/tunnel"
+
 	"github.com/dlclark/regexp2"
-	"go.uber.org/atomic"
-	"strings"
-	"sync"
-	"time"
 )

 type GroupBase struct {
 	*outbound.Base
 	filterRegs       []*regexp2.Regexp
 	excludeFilterReg *regexp2.Regexp
+	excludeTypeArray []string
 	providers        []provider.ProxyProvider
 	failedTestMux    sync.Mutex
 	failedTimes      int
@ -33,6 +36,7 @@ type GroupBaseOption struct {
 	outbound.BaseOption
 	filter        string
 	excludeFilter string
+	excludeType   string
 	providers     []provider.ProxyProvider
 }

@ -41,6 +45,10 @@ func NewGroupBase(opt GroupBaseOption) *GroupBase {
 	if opt.excludeFilter != "" {
 		excludeFilterReg = regexp2.MustCompile(opt.excludeFilter, 0)
 	}
+	var excludeTypeArray []string
+	if opt.excludeType != "" {
+		excludeTypeArray = strings.Split(opt.excludeType, "|")
+	}

 	var filterRegs []*regexp2.Regexp
 	if opt.filter != "" {
@ -54,6 +62,7 @@ func NewGroupBase(opt GroupBaseOption) *GroupBase {
 		Base:             outbound.NewBase(opt.BaseOption),
 		filterRegs:       filterRegs,
 		excludeFilterReg: excludeFilterReg,
+		excludeTypeArray: excludeTypeArray,
 		providers:        opt.providers,
 		failedTesting:    atomic.NewBool(false),
 	}
@ -148,6 +157,25 @@ func (gb *GroupBase) GetProxies(touch bool) []C.Proxy {
 		}
 		proxies = newProxies
 	}
+	if gb.excludeTypeArray != nil {
+		var newProxies []C.Proxy
+		for _, p := range proxies {
+			mType := p.Type().String()
+			flag := false
+			for i := range gb.excludeTypeArray {
+				if strings.EqualFold(mType, gb.excludeTypeArray[i]) {
+					flag = true
+					break
+				}
+
+			}
+			if flag {
+				continue
+			}
+			newProxies = append(newProxies, p)
+		}
+		proxies = newProxies
+	}

 	if gb.excludeFilterReg != nil {
 		var newProxies []C.Proxy
--- a/adapter/outboundgroup/loadbalance.go
+++ b/adapter/outboundgroup/loadbalance.go
@ -5,12 +5,15 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"github.com/Dreamacro/clash/common/cache"
 	"net"
+	"sync"
 	"time"

 	"github.com/Dreamacro/clash/adapter/outbound"
+	"github.com/Dreamacro/clash/common/cache"
+	"github.com/Dreamacro/clash/common/callback"
 	"github.com/Dreamacro/clash/common/murmur3"
+	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/constant/provider"
@ -18,7 +21,7 @@ import (
 	"golang.org/x/net/publicsuffix"
 )

-type strategyFn = func(proxies []C.Proxy, metadata *C.Metadata) C.Proxy
+type strategyFn = func(proxies []C.Proxy, metadata *C.Metadata, touch bool) C.Proxy

 type LoadBalance struct {
 	*GroupBase
@ -83,17 +86,24 @@ func jumpHash(key uint64, buckets int32) int32 {
 // DialContext implements C.ProxyAdapter
 func (lb *LoadBalance) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (c C.Conn, err error) {
 	proxy := lb.Unwrap(metadata, true)
-
-	defer func() {
-		if err == nil {
-			c.AppendToChains(lb)
-			lb.onDialSuccess()
-		} else {
-			lb.onDialFailed(proxy.Type(), err)
-		}
-	}()
-
 	c, err = proxy.DialContext(ctx, metadata, lb.Base.DialOptions(opts...)...)
+
+	if err == nil {
+		c.AppendToChains(lb)
+	} else {
+		lb.onDialFailed(proxy.Type(), err)
+	}
+
+	if N.NeedHandshake(c) {
+		c = callback.NewFirstWriteCallBackConn(c, func(err error) {
+			if err == nil {
+				lb.onDialSuccess()
+			} else {
+				lb.onDialFailed(proxy.Type(), err)
+			}
+		})
+	}
+
 	return
 }

@ -114,14 +124,32 @@ func (lb *LoadBalance) SupportUDP() bool {
 	return !lb.disableUDP
 }

+// IsL3Protocol implements C.ProxyAdapter
+func (lb *LoadBalance) IsL3Protocol(metadata *C.Metadata) bool {
+	return lb.Unwrap(metadata, false).IsL3Protocol(metadata)
+}
+
 func strategyRoundRobin() strategyFn {
 	idx := 0
-	return func(proxies []C.Proxy, metadata *C.Metadata) C.Proxy {
+	idxMutex := sync.Mutex{}
+	return func(proxies []C.Proxy, metadata *C.Metadata, touch bool) C.Proxy {
+		idxMutex.Lock()
+		defer idxMutex.Unlock()
+
+		i := 0
 		length := len(proxies)
-		for i := 0; i < length; i++ {
-			idx = (idx + 1) % length
-			proxy := proxies[idx]
+
+		if touch {
+			defer func() {
+				idx = (idx + i) % length
+			}()
+		}
+
+		for ; i < length; i++ {
+			id := (idx + i) % length
+			proxy := proxies[id]
 			if proxy.Alive() {
+				i++
 				return proxy
 			}
 		}
@ -132,7 +160,7 @@ func strategyRoundRobin() strategyFn {

 func strategyConsistentHashing() strategyFn {
 	maxRetry := 5
-	return func(proxies []C.Proxy, metadata *C.Metadata) C.Proxy {
+	return func(proxies []C.Proxy, metadata *C.Metadata, touch bool) C.Proxy {
 		key := uint64(murmur3.Sum32([]byte(getKey(metadata))))
 		buckets := int32(len(proxies))
 		for i := 0; i < maxRetry; i, key = i+1, key+1 {
@ -160,7 +188,7 @@ func strategyStickySessions() strategyFn {
 	lruCache := cache.New[uint64, int](
 		cache.WithAge[uint64, int](int64(ttl.Seconds())),
 		cache.WithSize[uint64, int](1000))
-	return func(proxies []C.Proxy, metadata *C.Metadata) C.Proxy {
+	return func(proxies []C.Proxy, metadata *C.Metadata, touch bool) C.Proxy {
 		key := uint64(murmur3.Sum32([]byte(getKeyWithSrcAndDst(metadata))))
 		length := len(proxies)
 		idx, has := lruCache.Get(key)
@ -192,7 +220,7 @@ func strategyStickySessions() strategyFn {
 // Unwrap implements C.ProxyAdapter
 func (lb *LoadBalance) Unwrap(metadata *C.Metadata, touch bool) C.Proxy {
 	proxies := lb.GetProxies(touch)
-	return lb.strategyFn(proxies, metadata)
+	return lb.strategyFn(proxies, metadata, touch)
 }

 // MarshalJSON implements C.ProxyAdapter
@ -229,6 +257,7 @@ func NewLoadBalance(option *GroupCommonOption, providers []provider.ProxyProvide
 			},
 			option.Filter,
 			option.ExcludeFilter,
+			option.ExcludeType,
 			providers,
 		}),
 		strategyFn: strategyFn,
--- a/adapter/outboundgroup/parser.go
+++ b/adapter/outboundgroup/parser.go
@ -31,6 +31,7 @@ type GroupCommonOption struct {
 	DisableUDP    bool     `group:"disable-udp,omitempty"`
 	Filter        string   `group:"filter,omitempty"`
 	ExcludeFilter string   `group:"exclude-filter,omitempty"`
+	ExcludeType   string   `group:"exclude-type,omitempty"`
 }

 func ParseProxyGroup(config map[string]any, proxyMap map[string]C.Proxy, providersMap map[string]types.ProxyProvider) (C.ProxyAdapter, error) {
@ -77,7 +78,7 @@ func ParseProxyGroup(config map[string]any, proxyMap map[string]C.Proxy, provide
 			providersMap[groupName] = pd
 		} else {
 			if groupOption.URL == "" {
-				groupOption.URL = "http://www.gstatic.com/generate_204"
+				groupOption.URL = "https://cp.cloudflare.com/generate_204"
 			}

 			if groupOption.Interval == 0 {
--- a/adapter/outboundgroup/relay.go
+++ b/adapter/outboundgroup/relay.go
@ -3,13 +3,9 @@ package outboundgroup
 import (
 	"context"
 	"encoding/json"
-	"net"
-	"net/netip"
-	"strings"
-
 	"github.com/Dreamacro/clash/adapter/outbound"
-	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/component/dialer"
+	"github.com/Dreamacro/clash/component/proxydialer"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/constant/provider"
 )
@ -18,36 +14,6 @@ type Relay struct {
 	*GroupBase
 }

-type proxyDialer struct {
-	proxy  C.Proxy
-	dialer C.Dialer
-}
-
-func (p proxyDialer) DialContext(ctx context.Context, network, address string) (net.Conn, error) {
-	currentMeta, err := addrToMetadata(address)
-	if err != nil {
-		return nil, err
-	}
-	if strings.Contains(network, "udp") { // should not support this operation
-		currentMeta.NetWork = C.UDP
-		pc, err := p.proxy.ListenPacketWithDialer(ctx, p.dialer, currentMeta)
-		if err != nil {
-			return nil, err
-		}
-		return N.NewBindPacketConn(pc, currentMeta.UDPAddr()), nil
-	}
-	return p.proxy.DialContextWithDialer(ctx, p.dialer, currentMeta)
-}
-
-func (p proxyDialer) ListenPacket(ctx context.Context, network, address string, rAddrPort netip.AddrPort) (net.PacketConn, error) {
-	currentMeta, err := addrToMetadata(rAddrPort.String())
-	if err != nil {
-		return nil, err
-	}
-	currentMeta.NetWork = C.UDP
-	return p.proxy.ListenPacketWithDialer(ctx, p.dialer, currentMeta)
-}
-
 // DialContext implements C.ProxyAdapter
 func (r *Relay) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
 	proxies, chainProxies := r.proxies(metadata, true)
@ -61,10 +27,7 @@ func (r *Relay) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d
 	var d C.Dialer
 	d = dialer.NewDialer(r.Base.DialOptions(opts...)...)
 	for _, proxy := range proxies[:len(proxies)-1] {
-		d = proxyDialer{
-			proxy:  proxy,
-			dialer: d,
-		}
+		d = proxydialer.New(proxy, d, false)
 	}
 	last := proxies[len(proxies)-1]
 	conn, err := last.DialContextWithDialer(ctx, d, metadata)
@ -95,10 +58,7 @@ func (r *Relay) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o
 	var d C.Dialer
 	d = dialer.NewDialer(r.Base.DialOptions(opts...)...)
 	for _, proxy := range proxies[:len(proxies)-1] {
-		d = proxyDialer{
-			proxy:  proxy,
-			dialer: d,
-		}
+		d = proxydialer.New(proxy, d, false)
 	}
 	last := proxies[len(proxies)-1]
 	pc, err := last.ListenPacketWithDialer(ctx, d, metadata)
@ -129,7 +89,10 @@ func (r *Relay) SupportUDP() bool {
 		if proxy.SupportUOT() {
 			return true
 		}
-		if !proxy.SupportWithDialer() {
+		switch proxy.SupportWithDialer() {
+		case C.ALLNet:
+		case C.UDP:
+		default: // C.TCP and C.InvalidNet
 			return false
 		}
 	}
@ -176,7 +139,7 @@ func (r *Relay) proxies(metadata *C.Metadata, touch bool) ([]C.Proxy, []C.Proxy)
 }

 func (r *Relay) Addr() string {
-	proxies, _ := r.proxies(nil, true)
+	proxies, _ := r.proxies(nil, false)
 	return proxies[len(proxies)-1].Addr()
 }

@ -191,6 +154,7 @@ func NewRelay(option *GroupCommonOption, providers []provider.ProxyProvider) *Re
 			},
 			"",
 			"",
+			"",
 			providers,
 		}),
 	}
--- a/adapter/outboundgroup/selector.go
+++ b/adapter/outboundgroup/selector.go
@ -44,6 +44,11 @@ func (s *Selector) SupportUDP() bool {
 	return s.selectedProxy(false).SupportUDP()
 }

+// IsL3Protocol implements C.ProxyAdapter
+func (s *Selector) IsL3Protocol(metadata *C.Metadata) bool {
+	return s.selectedProxy(false).IsL3Protocol(metadata)
+}
+
 // MarshalJSON implements C.ProxyAdapter
 func (s *Selector) MarshalJSON() ([]byte, error) {
 	all := []string{}
@ -73,6 +78,10 @@ func (s *Selector) Set(name string) error {
 	return errors.New("proxy not exist")
 }

+func (s *Selector) ForceSet(name string) {
+	s.selected = name
+}
+
 // Unwrap implements C.ProxyAdapter
 func (s *Selector) Unwrap(metadata *C.Metadata, touch bool) C.Proxy {
 	return s.selectedProxy(touch)
@ -100,6 +109,7 @@ func NewSelector(option *GroupCommonOption, providers []provider.ProxyProvider)
 			},
 			option.Filter,
 			option.ExcludeFilter,
+			option.ExcludeType,
 			providers,
 		}),
 		selected:   "COMPATIBLE",
--- a/adapter/outboundgroup/urltest.go
+++ b/adapter/outboundgroup/urltest.go
@ -3,9 +3,12 @@ package outboundgroup
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"time"

 	"github.com/Dreamacro/clash/adapter/outbound"
+	"github.com/Dreamacro/clash/common/callback"
+	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/common/singledo"
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
@ -22,6 +25,8 @@ func urlTestWithTolerance(tolerance uint16) urlTestOption {

 type URLTest struct {
 	*GroupBase
+	selected   string
+	testUrl    string
 	tolerance  uint16
 	disableUDP bool
 	fastNode   C.Proxy
@ -32,16 +37,46 @@ func (u *URLTest) Now() string {
 	return u.fast(false).Name()
 }

+func (u *URLTest) Set(name string) error {
+	var p C.Proxy
+	for _, proxy := range u.GetProxies(false) {
+		if proxy.Name() == name {
+			p = proxy
+			break
+		}
+	}
+	if p == nil {
+		return errors.New("proxy not exist")
+	}
+	u.selected = name
+	u.fast(false)
+	return nil
+}
+
+func (u *URLTest) ForceSet(name string) {
+	u.selected = name
+}
+
 // DialContext implements C.ProxyAdapter
 func (u *URLTest) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (c C.Conn, err error) {
 	proxy := u.fast(true)
 	c, err = proxy.DialContext(ctx, metadata, u.Base.DialOptions(opts...)...)
 	if err == nil {
 		c.AppendToChains(u)
-		u.onDialSuccess()
 	} else {
 		u.onDialFailed(proxy.Type(), err)
 	}
+
+	if N.NeedHandshake(c) {
+		c = callback.NewFirstWriteCallBackConn(c, func(err error) {
+			if err == nil {
+				u.onDialSuccess()
+			} else {
+				u.onDialFailed(proxy.Type(), err)
+			}
+		})
+	}
+
 	return c, err
 }

@ -62,16 +97,24 @@ func (u *URLTest) Unwrap(metadata *C.Metadata, touch bool) C.Proxy {

 func (u *URLTest) fast(touch bool) C.Proxy {
 	elm, _, shared := u.fastSingle.Do(func() (C.Proxy, error) {
+		var s C.Proxy
 		proxies := u.GetProxies(touch)
 		fast := proxies[0]
+		if fast.Name() == u.selected {
+			s = fast
+		}
 		min := fast.LastDelay()
 		fastNotExist := true

 		for _, proxy := range proxies[1:] {
+
 			if u.fastNode != nil && proxy.Name() == u.fastNode.Name() {
 				fastNotExist = false
 			}

+			if proxy.Name() == u.selected {
+				s = proxy
+			}
 			if !proxy.Alive() {
 				continue
 			}
@ -82,12 +125,15 @@ func (u *URLTest) fast(touch bool) C.Proxy {
 				min = delay
 			}
 		}
-
 		// tolerance
 		if u.fastNode == nil || fastNotExist || !u.fastNode.Alive() || u.fastNode.LastDelay() > fast.LastDelay()+u.tolerance {
 			u.fastNode = fast
 		}
-
+		if s != nil {
+			if s.Alive() && s.LastDelay() < fast.LastDelay()+u.tolerance {
+				u.fastNode = s
+			}
+		}
 		return u.fastNode, nil
 	})
 	if shared && touch { // a shared fastSingle.Do() may cause providers untouched, so we touch them again
@ -102,10 +148,14 @@ func (u *URLTest) SupportUDP() bool {
 	if u.disableUDP {
 		return false
 	}
-
 	return u.fast(false).SupportUDP()
 }

+// IsL3Protocol implements C.ProxyAdapter
+func (u *URLTest) IsL3Protocol(metadata *C.Metadata) bool {
+	return u.fast(false).IsL3Protocol(metadata)
+}
+
 // MarshalJSON implements C.ProxyAdapter
 func (u *URLTest) MarshalJSON() ([]byte, error) {
 	all := []string{}
@ -144,10 +194,12 @@ func NewURLTest(option *GroupCommonOption, providers []provider.ProxyProvider, o

 			option.Filter,
 			option.ExcludeFilter,
+			option.ExcludeType,
 			providers,
 		}),
 		fastSingle: singledo.NewSingle[C.Proxy](time.Second * 10),
 		disableUDP: option.DisableUDP,
+		testUrl:    option.URL,
 	}

 	for _, option := range options {
--- a/adapter/outboundgroup/util.go
+++ b/adapter/outboundgroup/util.go
@ -1,37 +1,10 @@
 package outboundgroup

 import (
-	"fmt"
 	"net"
-	"net/netip"
 	"time"
-
-	C "github.com/Dreamacro/clash/constant"
 )

-func addrToMetadata(rawAddress string) (addr *C.Metadata, err error) {
-	host, port, err := net.SplitHostPort(rawAddress)
-	if err != nil {
-		err = fmt.Errorf("addrToMetadata failed: %w", err)
-		return
-	}
-
-	if ip, err := netip.ParseAddr(host); err != nil {
-		addr = &C.Metadata{
-			Host:    host,
-			DstPort: port,
-		}
-	} else {
-		addr = &C.Metadata{
-			Host:    "",
-			DstIP:   ip.Unmap(),
-			DstPort: port,
-		}
-	}
-
-	return
-}
-
 func tcpKeepAlive(c net.Conn) {
 	if tcp, ok := c.(*net.TCPConn); ok {
 		_ = tcp.SetKeepAlive(true)
@ -41,4 +14,5 @@ func tcpKeepAlive(c net.Conn) {

 type SelectAble interface {
 	Set(string) error
+	ForceSet(name string)
 }
--- a/adapter/parser.go
+++ b/adapter/parser.go
@ -2,6 +2,9 @@ package adapter

 import (
 	"fmt"
+
+	tlsC "github.com/Dreamacro/clash/component/tls"
+
 	"github.com/Dreamacro/clash/adapter/outbound"
 	"github.com/Dreamacro/clash/common/structure"
 	C "github.com/Dreamacro/clash/constant"
@ -20,7 +23,7 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 	)
 	switch proxyType {
 	case "ss":
-		ssOption := &outbound.ShadowSocksOption{}
+		ssOption := &outbound.ShadowSocksOption{ClientFingerprint: tlsC.GetGlobalFingerprint()}
 		err = decoder.Decode(mapping, ssOption)
 		if err != nil {
 			break
@ -53,14 +56,16 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 				Method: "GET",
 				Path:   []string{"/"},
 			},
+			ClientFingerprint: tlsC.GetGlobalFingerprint(),
 		}
+
 		err = decoder.Decode(mapping, vmessOption)
 		if err != nil {
 			break
 		}
 		proxy, err = outbound.NewVmess(*vmessOption)
 	case "vless":
-		vlessOption := &outbound.VlessOption{}
+		vlessOption := &outbound.VlessOption{ClientFingerprint: tlsC.GetGlobalFingerprint()}
 		err = decoder.Decode(mapping, vlessOption)
 		if err != nil {
 			break
@ -74,7 +79,7 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 		}
 		proxy, err = outbound.NewSnell(*snellOption)
 	case "trojan":
-		trojanOption := &outbound.TrojanOption{}
+		trojanOption := &outbound.TrojanOption{ClientFingerprint: tlsC.GetGlobalFingerprint()}
 		err = decoder.Decode(mapping, trojanOption)
 		if err != nil {
 			break
@ -109,5 +114,19 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 		return nil, err
 	}

+	if muxMapping, muxExist := mapping["smux"].(map[string]any); muxExist {
+		muxOption := &outbound.SingMuxOption{}
+		err = decoder.Decode(muxMapping, muxOption)
+		if err != nil {
+			return nil, err
+		}
+		if muxOption.Enabled {
+			proxy, err = outbound.NewSingMux(*muxOption, proxy, proxy.(outbound.ProxyBase))
+			if err != nil {
+				return nil, err
+			}
+		}
+	}
+
 	return NewProxy(proxy), nil
 }
--- a/adapter/provider/healthcheck.go
+++ b/adapter/provider/healthcheck.go
@ -4,13 +4,12 @@ import (
 	"context"
 	"time"

+	"github.com/Dreamacro/clash/common/atomic"
 	"github.com/Dreamacro/clash/common/batch"
 	"github.com/Dreamacro/clash/common/singledo"
+	"github.com/Dreamacro/clash/common/utils"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/log"
-
-	"github.com/gofrs/uuid"
-	"go.uber.org/atomic"
 )

 const (
@ -34,16 +33,15 @@ type HealthCheck struct {

 func (hc *HealthCheck) process() {
 	ticker := time.NewTicker(time.Duration(hc.interval) * time.Second)
-
-	go func() {
-		time.Sleep(30 * time.Second)
-		hc.lazyCheck()
-	}()
-
 	for {
 		select {
 		case <-ticker.C:
-			hc.lazyCheck()
+			now := time.Now().Unix()
+			if !hc.lazy || now-hc.lastTouch.Load() < int64(hc.interval) {
+				hc.check()
+			} else {
+				log.Debugln("Skip once health check because we are lazy")
+			}
 		case <-hc.done:
 			ticker.Stop()
 			return
@ -51,17 +49,6 @@ func (hc *HealthCheck) process() {
 	}
 }

-func (hc *HealthCheck) lazyCheck() bool {
-	now := time.Now().Unix()
-	if !hc.lazy || now-hc.lastTouch.Load() < int64(hc.interval) {
-		hc.check()
-		return true
-	} else {
-		log.Debugln("Skip once health check because we are lazy")
-		return false
-	}
-}
-
 func (hc *HealthCheck) setProxy(proxies []C.Proxy) {
 	hc.proxies = proxies
 }
@ -76,10 +63,7 @@ func (hc *HealthCheck) touch() {

 func (hc *HealthCheck) check() {
 	_, _, _ = hc.singleDo.Do(func() (struct{}, error) {
-		id := ""
-		if uid, err := uuid.NewV4(); err == nil {
-			id = uid.String()
-		}
+		id := utils.NewUUIDV4().String()
 		log.Debugln("Start New Health Checking {%s}", id)
 		b, _ := batch.New[bool](context.Background(), batch.WithConcurrencyNum[bool](10))
 		for _, proxy := range hc.proxies {
--- a/adapter/provider/parser.go
+++ b/adapter/provider/parser.go
@ -3,10 +3,10 @@ package provider
 import (
 	"errors"
 	"fmt"
-	"github.com/Dreamacro/clash/component/resource"
 	"time"

 	"github.com/Dreamacro/clash/common/structure"
+	"github.com/Dreamacro/clash/component/resource"
 	C "github.com/Dreamacro/clash/constant"
 	types "github.com/Dreamacro/clash/constant/provider"
 )
@ -27,6 +27,8 @@ type proxyProviderSchema struct {
 	Interval      int               `provider:"interval,omitempty"`
 	Filter        string            `provider:"filter,omitempty"`
 	ExcludeFilter string            `provider:"exclude-filter,omitempty"`
+	ExcludeType   string            `provider:"exclude-type,omitempty"`
+	DialerProxy   string            `provider:"dialer-proxy,omitempty"`
 	HealthCheck   healthCheckSchema `provider:"health-check,omitempty"`
 }

@ -63,5 +65,8 @@ func ParseProxyProvider(name string, mapping map[string]any) (types.ProxyProvide
 	interval := time.Duration(uint(schema.Interval)) * time.Second
 	filter := schema.Filter
 	excludeFilter := schema.ExcludeFilter
-	return NewProxySetProvider(name, interval, filter, excludeFilter, vehicle, hc)
+	excludeType := schema.ExcludeType
+	dialerProxy := schema.DialerProxy
+
+	return NewProxySetProvider(name, interval, filter, excludeFilter, excludeType, dialerProxy, vehicle, hc)
 }
--- a/adapter/provider/provider.go
+++ b/adapter/provider/provider.go
@ -5,8 +5,6 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"github.com/dlclark/regexp2"
-	"gopkg.in/yaml.v3"
 	"net/http"
 	"runtime"
 	"strings"
@ -19,6 +17,10 @@ import (
 	C "github.com/Dreamacro/clash/constant"
 	types "github.com/Dreamacro/clash/constant/provider"
 	"github.com/Dreamacro/clash/log"
+	"github.com/Dreamacro/clash/tunnel/statistic"
+
+	"github.com/dlclark/regexp2"
+	"gopkg.in/yaml.v3"
 )

 const (
@ -79,6 +81,8 @@ func (pp *proxySetProvider) Initial() error {
 		return err
 	}
 	pp.OnUpdate(elm)
+	pp.getSubscriptionInfo()
+	pp.closeAllConnections()
 	return nil
 }

@ -98,7 +102,7 @@ func (pp *proxySetProvider) setProxies(proxies []C.Proxy) {
 	pp.proxies = proxies
 	pp.healthCheck.setProxy(proxies)
 	if pp.healthCheck.auto() {
-		defer func() { go pp.healthCheck.lazyCheck() }()
+		go pp.healthCheck.check()
 	}
 }

@ -136,16 +140,33 @@ func (pp *proxySetProvider) getSubscriptionInfo() {
 	}()
 }

+func (pp *proxySetProvider) closeAllConnections() {
+	snapshot := statistic.DefaultManager.Snapshot()
+	for _, c := range snapshot.Connections {
+		for _, chain := range c.Chains() {
+			if chain == pp.Name() {
+				_ = c.Close()
+				break
+			}
+		}
+	}
+}
+
 func stopProxyProvider(pd *ProxySetProvider) {
 	pd.healthCheck.close()
 	_ = pd.Fetcher.Destroy()
 }

-func NewProxySetProvider(name string, interval time.Duration, filter string, excludeFilter string, vehicle types.Vehicle, hc *HealthCheck) (*ProxySetProvider, error) {
+func NewProxySetProvider(name string, interval time.Duration, filter string, excludeFilter string, excludeType string, dialerProxy string, vehicle types.Vehicle, hc *HealthCheck) (*ProxySetProvider, error) {
 	excludeFilterReg, err := regexp2.Compile(excludeFilter, 0)
 	if err != nil {
 		return nil, fmt.Errorf("invalid excludeFilter regex: %w", err)
 	}
+	var excludeTypeArray []string
+	if excludeType != "" {
+		excludeTypeArray = strings.Split(excludeType, "|")
+	}
+
 	var filterRegs []*regexp2.Regexp
 	for _, filter := range strings.Split(filter, "`") {
 		filterReg, err := regexp2.Compile(filter, 0)
@ -164,10 +185,8 @@ func NewProxySetProvider(name string, interval time.Duration, filter string, exc
 		healthCheck: hc,
 	}

-	fetcher := resource.NewFetcher[[]C.Proxy](name, interval, vehicle, proxiesParseAndFilter(filter, excludeFilter, filterRegs, excludeFilterReg), proxiesOnUpdate(pd))
+	fetcher := resource.NewFetcher[[]C.Proxy](name, interval, vehicle, proxiesParseAndFilter(filter, excludeFilter, excludeTypeArray, filterRegs, excludeFilterReg, dialerProxy), proxiesOnUpdate(pd))
 	pd.Fetcher = fetcher
-
-	pd.getSubscriptionInfo()
 	wrapper := &ProxySetProvider{pd}
 	runtime.SetFinalizer(wrapper, stopProxyProvider)
 	return wrapper, nil
@ -262,7 +281,7 @@ func proxiesOnUpdate(pd *proxySetProvider) func([]C.Proxy) {
 	}
 }

-func proxiesParseAndFilter(filter string, excludeFilter string, filterRegs []*regexp2.Regexp, excludeFilterReg *regexp2.Regexp) resource.Parser[[]C.Proxy] {
+func proxiesParseAndFilter(filter string, excludeFilter string, excludeTypeArray []string, filterRegs []*regexp2.Regexp, excludeFilterReg *regexp2.Regexp, dialerProxy string) resource.Parser[[]C.Proxy] {
 	return func(buf []byte) ([]C.Proxy, error) {
 		schema := &ProxySchema{}

@ -282,6 +301,28 @@ func proxiesParseAndFilter(filter string, excludeFilter string, filterRegs []*re
 		proxiesSet := map[string]struct{}{}
 		for _, filterReg := range filterRegs {
 			for idx, mapping := range schema.Proxies {
+				if nil != excludeTypeArray && len(excludeTypeArray) > 0 {
+					mType, ok := mapping["type"]
+					if !ok {
+						continue
+					}
+					pType, ok := mType.(string)
+					if !ok {
+						continue
+					}
+					flag := false
+					for i := range excludeTypeArray {
+						if strings.EqualFold(pType, excludeTypeArray[i]) {
+							flag = true
+							break
+						}
+
+					}
+					if flag {
+						continue
+					}
+
+				}
 				mName, ok := mapping["name"]
 				if !ok {
 					continue
@ -303,6 +344,9 @@ func proxiesParseAndFilter(filter string, excludeFilter string, filterRegs []*re
 				if _, ok := proxiesSet[name]; ok {
 					continue
 				}
+				if len(dialerProxy) > 0 {
+					mapping["dialer-proxy"] = dialerProxy
+				}
 				proxy, err := adapter.ParseProxy(mapping)
 				if err != nil {
 					return nil, fmt.Errorf("proxy %d error: %w", idx, err)
--- a/common/atomic/type.go
+++ b/common/atomic/type.go
@ -0,0 +1,205 @@
+package atomic
+
+import (
+	"encoding/json"
+	"fmt"
+	"strconv"
+	"sync/atomic"
+)
+
+type Bool struct {
+	atomic.Bool
+}
+
+func NewBool(val bool) *Bool {
+	i := &Bool{}
+	i.Store(val)
+	return i
+}
+
+func (i *Bool) MarshalJSON() ([]byte, error) {
+	return json.Marshal(i.Load())
+}
+
+func (i *Bool) UnmarshalJSON(b []byte) error {
+	var v bool
+	if err := json.Unmarshal(b, &v); err != nil {
+		return err
+	}
+	i.Store(v)
+	return nil
+}
+
+func (i *Bool) String() string {
+	v := i.Load()
+	return strconv.FormatBool(v)
+}
+
+type Pointer[T any] struct {
+	atomic.Pointer[T]
+}
+
+func NewPointer[T any](v *T) *Pointer[T] {
+	var p Pointer[T]
+	if v != nil {
+		p.Store(v)
+	}
+	return &p
+}
+
+func (p *Pointer[T]) MarshalJSON() ([]byte, error) {
+	return json.Marshal(p.Load())
+}
+
+func (p *Pointer[T]) UnmarshalJSON(b []byte) error {
+	var v *T
+	if err := json.Unmarshal(b, &v); err != nil {
+		return err
+	}
+	p.Store(v)
+	return nil
+}
+
+func (p *Pointer[T]) String() string {
+	return fmt.Sprint(p.Load())
+}
+
+type Int32 struct {
+	atomic.Int32
+}
+
+func NewInt32(val int32) *Int32 {
+	i := &Int32{}
+	i.Store(val)
+	return i
+}
+
+func (i *Int32) MarshalJSON() ([]byte, error) {
+	return json.Marshal(i.Load())
+}
+
+func (i *Int32) UnmarshalJSON(b []byte) error {
+	var v int32
+	if err := json.Unmarshal(b, &v); err != nil {
+		return err
+	}
+	i.Store(v)
+	return nil
+}
+
+func (i *Int32) String() string {
+	v := i.Load()
+	return strconv.FormatInt(int64(v), 10)
+}
+
+type Int64 struct {
+	atomic.Int64
+}
+
+func NewInt64(val int64) *Int64 {
+	i := &Int64{}
+	i.Store(val)
+	return i
+}
+
+func (i *Int64) MarshalJSON() ([]byte, error) {
+	return json.Marshal(i.Load())
+}
+
+func (i *Int64) UnmarshalJSON(b []byte) error {
+	var v int64
+	if err := json.Unmarshal(b, &v); err != nil {
+		return err
+	}
+	i.Store(v)
+	return nil
+}
+
+func (i *Int64) String() string {
+	v := i.Load()
+	return strconv.FormatInt(int64(v), 10)
+}
+
+type Uint32 struct {
+	atomic.Uint32
+}
+
+func NewUint32(val uint32) *Uint32 {
+	i := &Uint32{}
+	i.Store(val)
+	return i
+}
+
+func (i *Uint32) MarshalJSON() ([]byte, error) {
+	return json.Marshal(i.Load())
+}
+
+func (i *Uint32) UnmarshalJSON(b []byte) error {
+	var v uint32
+	if err := json.Unmarshal(b, &v); err != nil {
+		return err
+	}
+	i.Store(v)
+	return nil
+}
+
+func (i *Uint32) String() string {
+	v := i.Load()
+	return strconv.FormatUint(uint64(v), 10)
+}
+
+type Uint64 struct {
+	atomic.Uint64
+}
+
+func NewUint64(val uint64) *Uint64 {
+	i := &Uint64{}
+	i.Store(val)
+	return i
+}
+
+func (i *Uint64) MarshalJSON() ([]byte, error) {
+	return json.Marshal(i.Load())
+}
+
+func (i *Uint64) UnmarshalJSON(b []byte) error {
+	var v uint64
+	if err := json.Unmarshal(b, &v); err != nil {
+		return err
+	}
+	i.Store(v)
+	return nil
+}
+
+func (i *Uint64) String() string {
+	v := i.Load()
+	return strconv.FormatUint(uint64(v), 10)
+}
+
+type Uintptr struct {
+	atomic.Uintptr
+}
+
+func NewUintptr(val uintptr) *Uintptr {
+	i := &Uintptr{}
+	i.Store(val)
+	return i
+}
+
+func (i *Uintptr) MarshalJSON() ([]byte, error) {
+	return json.Marshal(i.Load())
+}
+
+func (i *Uintptr) UnmarshalJSON(b []byte) error {
+	var v uintptr
+	if err := json.Unmarshal(b, &v); err != nil {
+		return err
+	}
+	i.Store(v)
+	return nil
+}
+
+func (i *Uintptr) String() string {
+	v := i.Load()
+	return strconv.FormatUint(uint64(v), 10)
+}
--- a/common/atomic/value.go
+++ b/common/atomic/value.go
@ -0,0 +1,58 @@
+package atomic
+
+import (
+	"encoding/json"
+	"sync/atomic"
+)
+
+func DefaultValue[T any]() T {
+	var defaultValue T
+	return defaultValue
+}
+
+type TypedValue[T any] struct {
+	value atomic.Value
+}
+
+func (t *TypedValue[T]) Load() T {
+	value := t.value.Load()
+	if value == nil {
+		return DefaultValue[T]()
+	}
+	return value.(T)
+}
+
+func (t *TypedValue[T]) Store(value T) {
+	t.value.Store(value)
+}
+
+func (t *TypedValue[T]) Swap(new T) T {
+	old := t.value.Swap(new)
+	if old == nil {
+		return DefaultValue[T]()
+	}
+	return old.(T)
+}
+
+func (t *TypedValue[T]) CompareAndSwap(old, new T) bool {
+	return t.value.CompareAndSwap(old, new)
+}
+
+func (t *TypedValue[T]) MarshalJSON() ([]byte, error) {
+	return json.Marshal(t.Load())
+}
+
+func (t *TypedValue[T]) UnmarshalJSON(b []byte) error {
+	var v T
+	if err := json.Unmarshal(b, &v); err != nil {
+		return err
+	}
+	t.Store(v)
+	return nil
+}
+
+func NewTypedValue[T any](t T) *TypedValue[T] {
+	v := &TypedValue[T]{}
+	v.Store(t)
+	return v
+}
--- a/common/buf/sing.go
+++ b/common/buf/sing.go
@ -0,0 +1,29 @@
+package buf
+
+import (
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/buf"
+)
+
+const BufferSize = buf.BufferSize
+
+type Buffer = buf.Buffer
+
+var New = buf.New
+var NewSize = buf.NewSize
+var StackNew = buf.StackNew
+var StackNewSize = buf.StackNewSize
+var With = buf.With
+var As = buf.As
+
+var KeepAlive = common.KeepAlive
+
+//go:norace
+func Dup[T any](obj T) T {
+	return common.Dup(obj)
+}
+
+var (
+	Must  = common.Must
+	Error = common.Error
+)
--- a/common/callback/callback.go
+++ b/common/callback/callback.go
@ -0,0 +1,55 @@
+package callback
+
+import (
+	"github.com/Dreamacro/clash/common/buf"
+	N "github.com/Dreamacro/clash/common/net"
+	C "github.com/Dreamacro/clash/constant"
+)
+
+type firstWriteCallBackConn struct {
+	C.Conn
+	callback func(error)
+	written  bool
+}
+
+func (c *firstWriteCallBackConn) Write(b []byte) (n int, err error) {
+	defer func() {
+		if !c.written {
+			c.written = true
+			c.callback(err)
+		}
+	}()
+	return c.Conn.Write(b)
+}
+
+func (c *firstWriteCallBackConn) WriteBuffer(buffer *buf.Buffer) (err error) {
+	defer func() {
+		if !c.written {
+			c.written = true
+			c.callback(err)
+		}
+	}()
+	return c.Conn.WriteBuffer(buffer)
+}
+
+func (c *firstWriteCallBackConn) Upstream() any {
+	return c.Conn
+}
+
+func (c *firstWriteCallBackConn) WriterReplaceable() bool {
+	return c.written
+}
+
+func (c *firstWriteCallBackConn) ReaderReplaceable() bool {
+	return true
+}
+
+var _ N.ExtendedConn = (*firstWriteCallBackConn)(nil)
+
+func NewFirstWriteCallBackConn(c C.Conn, callback func(error)) C.Conn {
+	return &firstWriteCallBackConn{
+		Conn:     c,
+		callback: callback,
+		written:  false,
+	}
+}
--- a/common/convert/converter.go
+++ b/common/convert/converter.go
@ -2,11 +2,14 @@ package convert

 import (
 	"bytes"
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"net/url"
 	"strconv"
 	"strings"
+
+	"github.com/Dreamacro/clash/log"
 )

 // ConvertsV2Ray convert V2Ray subscribe proxies data to clash proxies config
@ -81,7 +84,7 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			trojan["port"] = urlTrojan.Port()
 			trojan["password"] = urlTrojan.User.Username()
 			trojan["udp"] = true
-			trojan["skip-cert-verify"] = false
+			trojan["skip-cert-verify"], _ = strconv.ParseBool(query.Get("allowInsecure"))

 			sni := query.Get("sni")
 			if sni != "" {
@ -111,6 +114,12 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 				trojan["grpc-opts"] = grpcOpts
 			}

+			if fingerprint := query.Get("fp"); fingerprint == "" {
+				trojan["client-fingerprint"] = "chrome"
+			} else {
+				trojan["client-fingerprint"] = fingerprint
+			}
+
 			proxies = append(proxies, trojan)

 		case "vless":
@ -120,7 +129,11 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			}
 			query := urlVLess.Query()
 			vless := make(map[string]any, 20)
-			handleVShareLink(names, urlVLess, scheme, vless)
+			err = handleVShareLink(names, urlVLess, scheme, vless)
+			if err != nil {
+				log.Warnln("error:%s line:%s", err.Error(), line)
+				continue
+			}
 			if flow := query.Get("flow"); flow != "" {
 				vless["flow"] = strings.ToLower(flow)
 			}
@ -138,20 +151,16 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 				}
 				query := urlVMess.Query()
 				vmess := make(map[string]any, 20)
-				handleVShareLink(names, urlVMess, scheme, vmess)
+				err = handleVShareLink(names, urlVMess, scheme, vmess)
+				if err != nil {
+					log.Warnln("error:%s line:%s", err.Error(), line)
+					continue
+				}
 				vmess["alterId"] = 0
 				vmess["cipher"] = "auto"
 				if encryption := query.Get("encryption"); encryption != "" {
 					vmess["cipher"] = encryption
 				}
-				if packetEncoding := query.Get("packetEncoding"); packetEncoding != "" {
-					switch packetEncoding {
-					case "packet":
-						vmess["packet-addr"] = true
-					case "xudp":
-						vmess["xudp"] = true
-					}
-				}
 				proxies = append(proxies, vmess)
 				continue
 			}
@ -162,8 +171,11 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			if jsonDc.Decode(&values) != nil {
 				continue
 			}
-
-			name := uniqueName(names, values["ps"].(string))
+			tempName, ok := values["ps"].(string)
+			if !ok {
+				continue
+			}
+			name := uniqueName(names, tempName)
 			vmess := make(map[string]any, 20)

 			vmess["name"] = name
@ -177,6 +189,7 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 				vmess["alterId"] = 0
 			}
 			vmess["udp"] = true
+			vmess["xudp"] = true
 			vmess["tls"] = false
 			vmess["skip-cert-verify"] = false

@ -189,7 +202,8 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 				vmess["servername"] = sni
 			}

-			network := strings.ToLower(values["net"].(string))
+			network, _ := values["net"].(string)
+			network = strings.ToLower(network)
 			if values["type"] == "http" {
 				network = "http"
 			} else if network == "http" {
@ -197,9 +211,12 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			}
 			vmess["network"] = network

-			tls := strings.ToLower(values["tls"].(string))
-			if strings.HasSuffix(tls, "tls") {
-				vmess["tls"] = true
+			tls, ok := values["tls"].(string)
+			if ok {
+				tls = strings.ToLower(tls)
+				if strings.HasSuffix(tls, "tls") {
+					vmess["tls"] = true
+				}
 			}

 			switch network {
@ -272,19 +289,25 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			}

 			var (
-				cipher   = urlSS.User.Username()
-				password string
+				cipherRaw = urlSS.User.Username()
+				cipher    string
+				password  string
 			)
-
+			cipher = cipherRaw
 			if password, found = urlSS.User.Password(); !found {
-				dcBuf, _ := enc.DecodeString(cipher)
-				if !strings.Contains(string(dcBuf), "2022-blake3") {
-					dcBuf, _ = encRaw.DecodeString(cipher)
+				dcBuf, err := base64.RawURLEncoding.DecodeString(cipherRaw)
+				if err != nil {
+					dcBuf, _ = enc.DecodeString(cipherRaw)
 				}
 				cipher, password, found = strings.Cut(string(dcBuf), ":")
 				if !found {
 					continue
 				}
+				err = VerifyMethod(cipher, password)
+				if err != nil {
+					dcBuf, _ = encRaw.DecodeString(cipherRaw)
+					cipher, password, found = strings.Cut(string(dcBuf), ":")
+				}
 			}

 			ss := make(map[string]any, 10)
--- a/common/convert/util.go
+++ b/common/convert/util.go
@ -2,11 +2,14 @@ package convert

 import (
 	"encoding/base64"
-	"math/rand"
 	"net/http"
 	"strings"
+	"time"

-	"github.com/gofrs/uuid"
+	"github.com/Dreamacro/clash/common/utils"
+
+	"github.com/metacubex/sing-shadowsocks/shadowimpl"
+	"github.com/zhangyunhao116/fastrand"
 )

 var hostsSuffix = []string{
@ -291,8 +294,7 @@ var (
 )

 func RandHost() string {
-	id, _ := uuid.NewV4()
-	base := strings.ToLower(base64.RawURLEncoding.EncodeToString(id.Bytes()))
+	base := strings.ToLower(base64.RawURLEncoding.EncodeToString(utils.NewUUIDV4().Bytes()))
 	base = strings.ReplaceAll(base, "-", "")
 	base = strings.ReplaceAll(base, "_", "")
 	buf := []byte(base)
@ -300,11 +302,11 @@ func RandHost() string {
 	prefix += string(buf[6:8]) + "-"
 	prefix += string(buf[len(buf)-8:])

-	return prefix + hostsSuffix[rand.Intn(hostsLen)]
+	return prefix + hostsSuffix[fastrand.Intn(hostsLen)]
 }

 func RandUserAgent() string {
-	return userAgents[rand.Intn(uaLen)]
+	return userAgents[fastrand.Intn(uaLen)]
 }

 func SetUserAgent(header http.Header) {
@ -314,3 +316,8 @@ func SetUserAgent(header http.Header) {
 	userAgent := RandUserAgent()
 	header.Set("User-Agent", userAgent)
 }
+
+func VerifyMethod(cipher, password string) (err error) {
+	_, err = shadowimpl.FetchMethod(cipher, password, time.Now)
+	return
+}
--- a/common/convert/v.go
+++ b/common/convert/v.go
@ -1,15 +1,24 @@
 package convert

 import (
+	"errors"
+	"fmt"
 	"net/url"
+	"strconv"
 	"strings"
 )

-func handleVShareLink(names map[string]int, url *url.URL, scheme string, proxy map[string]any) {
+func handleVShareLink(names map[string]int, url *url.URL, scheme string, proxy map[string]any) error {
 	// Xray VMessAEAD / VLESS share link standard
 	// https://github.com/XTLS/Xray-core/discussions/716
 	query := url.Query()
 	proxy["name"] = uniqueName(names, url.Fragment)
+	if url.Hostname() == "" {
+		return errors.New("url.Hostname() is empty")
+	}
+	if url.Port() == "" {
+		return errors.New("url.Port() is empty")
+	}
 	proxy["type"] = scheme
 	proxy["server"] = url.Hostname()
 	proxy["port"] = url.Port()
@ -18,12 +27,31 @@ func handleVShareLink(names map[string]int, url *url.URL, scheme string, proxy m
 	proxy["skip-cert-verify"] = false
 	proxy["tls"] = false
 	tls := strings.ToLower(query.Get("security"))
-	if strings.HasSuffix(tls, "tls") {
+	if strings.HasSuffix(tls, "tls") || tls == "reality" {
 		proxy["tls"] = true
+		if fingerprint := query.Get("fp"); fingerprint == "" {
+			proxy["client-fingerprint"] = "chrome"
+		} else {
+			proxy["client-fingerprint"] = fingerprint
+		}
 	}
 	if sni := query.Get("sni"); sni != "" {
 		proxy["servername"] = sni
 	}
+	if realityPublicKey := query.Get("pbk"); realityPublicKey != "" {
+		proxy["reality-opts"] = map[string]any{
+			"public-key": realityPublicKey,
+			"short-id":   query.Get("sid"),
+		}
+	}
+
+	switch query.Get("packetEncoding") {
+	case "none":
+	case "packet":
+		proxy["packet-addr"] = true
+	default:
+		proxy["xudp"] = true
+	}

 	network := strings.ToLower(query.Get("type"))
 	if network == "" {
@ -79,6 +107,17 @@ func handleVShareLink(names map[string]int, url *url.URL, scheme string, proxy m
 		wsOpts["path"] = query.Get("path")
 		wsOpts["headers"] = headers

+		if earlyData := query.Get("ed"); earlyData != "" {
+			med, err := strconv.Atoi(earlyData)
+			if err != nil {
+				return fmt.Errorf("bad WebSocket max early data size: %v", err)
+			}
+			wsOpts["max-early-data"] = med
+		}
+		if earlyDataHeader := query.Get("eh"); earlyDataHeader != "" {
+			wsOpts["early-data-header-name"] = earlyDataHeader
+		}
+
 		proxy["ws-opts"] = wsOpts

 	case "grpc":
@ -86,4 +125,5 @@ func handleVShareLink(names map[string]int, url *url.URL, scheme string, proxy m
 		grpcOpts["grpc-service-name"] = query.Get("serviceName")
 		proxy["grpc-opts"] = grpcOpts
 	}
+	return nil
 }
--- a/common/generics/list/list.go
+++ b/common/generics/list/list.go
@ -5,10 +5,10 @@
 // Package list implements a doubly linked list.
 //
 // To iterate over a list (where l is a *List):
+//
 //	for e := l.Front(); e != nil; e = e.Next() {
 //		// do something with e.Value
 //	}
-//
 package list

 // Element is an element of a linked list.
--- a/common/net/addr.go
+++ b/common/net/addr.go
@ -0,0 +1,36 @@
+package net
+
+import (
+	"net"
+)
+
+type CustomAddr interface {
+	net.Addr
+	RawAddr() net.Addr
+}
+
+type customAddr struct {
+	networkStr string
+	addrStr    string
+	rawAddr    net.Addr
+}
+
+func (a customAddr) Network() string {
+	return a.networkStr
+}
+
+func (a customAddr) String() string {
+	return a.addrStr
+}
+
+func (a customAddr) RawAddr() net.Addr {
+	return a.rawAddr
+}
+
+func NewCustomAddr(networkStr string, addrStr string, rawAddr net.Addr) CustomAddr {
+	return customAddr{
+		networkStr: networkStr,
+		addrStr:    addrStr,
+		rawAddr:    rawAddr,
+	}
+}
--- a/common/net/bufconn.go
+++ b/common/net/bufconn.go
@ -3,18 +3,23 @@ package net
 import (
 	"bufio"
 	"net"
+
+	"github.com/Dreamacro/clash/common/buf"
 )

+var _ ExtendedConn = (*BufferedConn)(nil)
+
 type BufferedConn struct {
 	r *bufio.Reader
-	net.Conn
+	ExtendedConn
+	peeked bool
 }

 func NewBufferedConn(c net.Conn) *BufferedConn {
 	if bc, ok := c.(*BufferedConn); ok {
 		return bc
 	}
-	return &BufferedConn{bufio.NewReader(c), c}
+	return &BufferedConn{bufio.NewReader(c), NewExtendedConn(c), false}
 }

 // Reader returns the internal bufio.Reader.
@ -22,11 +27,24 @@ func (c *BufferedConn) Reader() *bufio.Reader {
 	return c.r
 }

+func (c *BufferedConn) ResetPeeked() {
+	c.peeked = false
+}
+
+func (c *BufferedConn) Peeked() bool {
+	return c.peeked
+}
+
 // Peek returns the next n bytes without advancing the reader.
 func (c *BufferedConn) Peek(n int) ([]byte, error) {
+	c.peeked = true
 	return c.r.Peek(n)
 }

+func (c *BufferedConn) Discard(n int) (discarded int, err error) {
+	return c.r.Discard(n)
+}
+
 func (c *BufferedConn) Read(p []byte) (int, error) {
 	return c.r.Read(p)
 }
@ -42,3 +60,36 @@ func (c *BufferedConn) UnreadByte() error {
 func (c *BufferedConn) Buffered() int {
 	return c.r.Buffered()
 }
+
+func (c *BufferedConn) ReadBuffer(buffer *buf.Buffer) (err error) {
+	if c.r.Buffered() > 0 {
+		_, err = buffer.ReadOnceFrom(c.r)
+		return
+	}
+	return c.ExtendedConn.ReadBuffer(buffer)
+}
+
+func (c *BufferedConn) ReadCached() *buf.Buffer { // call in sing/common/bufio.Copy
+	if c.r.Buffered() > 0 {
+		length := c.r.Buffered()
+		b, _ := c.r.Peek(length)
+		_, _ = c.r.Discard(length)
+		return buf.As(b)
+	}
+	return nil
+}
+
+func (c *BufferedConn) Upstream() any {
+	return c.ExtendedConn
+}
+
+func (c *BufferedConn) ReaderReplaceable() bool {
+	if c.r.Buffered() > 0 {
+		return false
+	}
+	return true
+}
+
+func (c *BufferedConn) WriterReplaceable() bool {
+	return true
+}
--- a/common/net/refconn.go
+++ b/common/net/refconn.go
@ -4,10 +4,12 @@ import (
 	"net"
 	"runtime"
 	"time"
+
+	"github.com/Dreamacro/clash/common/buf"
 )

 type refConn struct {
-	conn net.Conn
+	conn ExtendedConn
 	ref  any
 }

@ -51,8 +53,32 @@ func (c *refConn) SetWriteDeadline(t time.Time) error {
 	return c.conn.SetWriteDeadline(t)
 }

+func (c *refConn) Upstream() any {
+	return c.conn
+}
+
+func (c *refConn) ReadBuffer(buffer *buf.Buffer) error {
+	defer runtime.KeepAlive(c.ref)
+	return c.conn.ReadBuffer(buffer)
+}
+
+func (c *refConn) WriteBuffer(buffer *buf.Buffer) error {
+	defer runtime.KeepAlive(c.ref)
+	return c.conn.WriteBuffer(buffer)
+}
+
+func (c *refConn) ReaderReplaceable() bool { // Relay() will handle reference
+	return true
+}
+
+func (c *refConn) WriterReplaceable() bool { // Relay() will handle reference
+	return true
+}
+
+var _ ExtendedConn = (*refConn)(nil)
+
 func NewRefConn(conn net.Conn, ref any) net.Conn {
-	return &refConn{conn: conn, ref: ref}
+	return &refConn{conn: NewExtendedConn(conn), ref: ref}
 }

 type refPacketConn struct {
--- a/common/net/relay.go
+++ b/common/net/relay.go
@ -1,24 +1,24 @@
 package net

-import (
-	"io"
-	"net"
-	"time"
-)
-
-// Relay copies between left and right bidirectionally.
-func Relay(leftConn, rightConn net.Conn) {
-	ch := make(chan error)
-
-	go func() {
-		// Wrapping to avoid using *net.TCPConn.(ReadFrom)
-		// See also https://github.com/Dreamacro/clash/pull/1209
-		_, err := io.Copy(WriteOnlyWriter{Writer: leftConn}, ReadOnlyReader{Reader: rightConn})
-		leftConn.SetReadDeadline(time.Now())
-		ch <- err
-	}()
-
-	_, _ = io.Copy(WriteOnlyWriter{Writer: rightConn}, ReadOnlyReader{Reader: leftConn})
-	rightConn.SetReadDeadline(time.Now())
-	<-ch
-}
+//import (
+//	"io"
+//	"net"
+//	"time"
+//)
+//
+//// Relay copies between left and right bidirectionally.
+//func Relay(leftConn, rightConn net.Conn) {
+//	ch := make(chan error)
+//
+//	go func() {
+//		// Wrapping to avoid using *net.TCPConn.(ReadFrom)
+//		// See also https://github.com/Dreamacro/clash/pull/1209
+//		_, err := io.Copy(WriteOnlyWriter{Writer: leftConn}, ReadOnlyReader{Reader: rightConn})
+//		leftConn.SetReadDeadline(time.Now())
+//		ch <- err
+//	}()
+//
+//	_, _ = io.Copy(WriteOnlyWriter{Writer: rightConn}, ReadOnlyReader{Reader: leftConn})
+//	rightConn.SetReadDeadline(time.Now())
+//	<-ch
+//}
--- a/common/net/sing.go
+++ b/common/net/sing.go
@ -0,0 +1,44 @@
+package net
+
+import (
+	"context"
+	"net"
+	"runtime"
+
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/bufio"
+	"github.com/sagernet/sing/common/bufio/deadline"
+	"github.com/sagernet/sing/common/network"
+)
+
+var NewExtendedConn = bufio.NewExtendedConn
+var NewExtendedWriter = bufio.NewExtendedWriter
+var NewExtendedReader = bufio.NewExtendedReader
+
+type ExtendedConn = network.ExtendedConn
+type ExtendedWriter = network.ExtendedWriter
+type ExtendedReader = network.ExtendedReader
+
+func NewDeadlineConn(conn net.Conn) ExtendedConn {
+	return deadline.NewFallbackConn(conn)
+}
+
+func NewDeadlinePacketConn(pc net.PacketConn) net.PacketConn {
+	return deadline.NewFallbackPacketConn(bufio.NewPacketConn(pc))
+}
+
+func NeedHandshake(conn any) bool {
+	if earlyConn, isEarlyConn := common.Cast[network.EarlyConn](conn); isEarlyConn && earlyConn.NeedHandshake() {
+		return true
+	}
+	return false
+}
+
+type CountFunc = network.CountFunc
+
+// Relay copies between left and right bidirectionally.
+func Relay(leftConn, rightConn net.Conn) {
+	defer runtime.KeepAlive(leftConn)
+	defer runtime.KeepAlive(rightConn)
+	_ = bufio.CopyConn(context.TODO(), leftConn, rightConn)
+}
--- a/common/net/tls.go
+++ b/common/net/tls.go
@ -1,11 +1,19 @@
 package net

 import (
+	"crypto/rand"
+	"crypto/rsa"
 	"crypto/tls"
+	"crypto/x509"
+	"encoding/pem"
 	"fmt"
+	"math/big"
 )

 func ParseCert(certificate, privateKey string) (tls.Certificate, error) {
+	if certificate == "" || privateKey == "" {
+		return newRandomTLSKeyPair()
+	}
 	cert, painTextErr := tls.X509KeyPair([]byte(certificate), []byte(privateKey))
 	if painTextErr == nil {
 		return cert, nil
@ -17,3 +25,28 @@ func ParseCert(certificate, privateKey string) (tls.Certificate, error) {
 	}
 	return cert, nil
 }
+
+func newRandomTLSKeyPair() (tls.Certificate, error) {
+	key, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return tls.Certificate{}, err
+	}
+	template := x509.Certificate{SerialNumber: big.NewInt(1)}
+	certDER, err := x509.CreateCertificate(
+		rand.Reader,
+		&template,
+		&template,
+		&key.PublicKey,
+		key)
+	if err != nil {
+		return tls.Certificate{}, err
+	}
+	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
+	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
+
+	tlsCert, err := tls.X509KeyPair(certPEM, keyPEM)
+	if err != nil {
+		return tls.Certificate{}, err
+	}
+	return tlsCert, nil
+}
--- a/common/net/websocket.go
+++ b/common/net/websocket.go
@ -0,0 +1,131 @@
+package net
+
+import (
+	"encoding/binary"
+	"math/bits"
+)
+
+// kanged from https://github.com/nhooyr/websocket/blob/master/frame.go
+// License: MIT
+
+// MaskWebSocket applies the WebSocket masking algorithm to p
+// with the given key.
+// See https://tools.ietf.org/html/rfc6455#section-5.3
+//
+// The returned value is the correctly rotated key to
+// to continue to mask/unmask the message.
+//
+// It is optimized for LittleEndian and expects the key
+// to be in little endian.
+//
+// See https://github.com/golang/go/issues/31586
+func MaskWebSocket(key uint32, b []byte) uint32 {
+	if len(b) >= 8 {
+		key64 := uint64(key)<<32 | uint64(key)
+
+		// At some point in the future we can clean these unrolled loops up.
+		// See https://github.com/golang/go/issues/31586#issuecomment-487436401
+
+		// Then we xor until b is less than 128 bytes.
+		for len(b) >= 128 {
+			v := binary.LittleEndian.Uint64(b)
+			binary.LittleEndian.PutUint64(b, v^key64)
+			v = binary.LittleEndian.Uint64(b[8:16])
+			binary.LittleEndian.PutUint64(b[8:16], v^key64)
+			v = binary.LittleEndian.Uint64(b[16:24])
+			binary.LittleEndian.PutUint64(b[16:24], v^key64)
+			v = binary.LittleEndian.Uint64(b[24:32])
+			binary.LittleEndian.PutUint64(b[24:32], v^key64)
+			v = binary.LittleEndian.Uint64(b[32:40])
+			binary.LittleEndian.PutUint64(b[32:40], v^key64)
+			v = binary.LittleEndian.Uint64(b[40:48])
+			binary.LittleEndian.PutUint64(b[40:48], v^key64)
+			v = binary.LittleEndian.Uint64(b[48:56])
+			binary.LittleEndian.PutUint64(b[48:56], v^key64)
+			v = binary.LittleEndian.Uint64(b[56:64])
+			binary.LittleEndian.PutUint64(b[56:64], v^key64)
+			v = binary.LittleEndian.Uint64(b[64:72])
+			binary.LittleEndian.PutUint64(b[64:72], v^key64)
+			v = binary.LittleEndian.Uint64(b[72:80])
+			binary.LittleEndian.PutUint64(b[72:80], v^key64)
+			v = binary.LittleEndian.Uint64(b[80:88])
+			binary.LittleEndian.PutUint64(b[80:88], v^key64)
+			v = binary.LittleEndian.Uint64(b[88:96])
+			binary.LittleEndian.PutUint64(b[88:96], v^key64)
+			v = binary.LittleEndian.Uint64(b[96:104])
+			binary.LittleEndian.PutUint64(b[96:104], v^key64)
+			v = binary.LittleEndian.Uint64(b[104:112])
+			binary.LittleEndian.PutUint64(b[104:112], v^key64)
+			v = binary.LittleEndian.Uint64(b[112:120])
+			binary.LittleEndian.PutUint64(b[112:120], v^key64)
+			v = binary.LittleEndian.Uint64(b[120:128])
+			binary.LittleEndian.PutUint64(b[120:128], v^key64)
+			b = b[128:]
+		}
+
+		// Then we xor until b is less than 64 bytes.
+		for len(b) >= 64 {
+			v := binary.LittleEndian.Uint64(b)
+			binary.LittleEndian.PutUint64(b, v^key64)
+			v = binary.LittleEndian.Uint64(b[8:16])
+			binary.LittleEndian.PutUint64(b[8:16], v^key64)
+			v = binary.LittleEndian.Uint64(b[16:24])
+			binary.LittleEndian.PutUint64(b[16:24], v^key64)
+			v = binary.LittleEndian.Uint64(b[24:32])
+			binary.LittleEndian.PutUint64(b[24:32], v^key64)
+			v = binary.LittleEndian.Uint64(b[32:40])
+			binary.LittleEndian.PutUint64(b[32:40], v^key64)
+			v = binary.LittleEndian.Uint64(b[40:48])
+			binary.LittleEndian.PutUint64(b[40:48], v^key64)
+			v = binary.LittleEndian.Uint64(b[48:56])
+			binary.LittleEndian.PutUint64(b[48:56], v^key64)
+			v = binary.LittleEndian.Uint64(b[56:64])
+			binary.LittleEndian.PutUint64(b[56:64], v^key64)
+			b = b[64:]
+		}
+
+		// Then we xor until b is less than 32 bytes.
+		for len(b) >= 32 {
+			v := binary.LittleEndian.Uint64(b)
+			binary.LittleEndian.PutUint64(b, v^key64)
+			v = binary.LittleEndian.Uint64(b[8:16])
+			binary.LittleEndian.PutUint64(b[8:16], v^key64)
+			v = binary.LittleEndian.Uint64(b[16:24])
+			binary.LittleEndian.PutUint64(b[16:24], v^key64)
+			v = binary.LittleEndian.Uint64(b[24:32])
+			binary.LittleEndian.PutUint64(b[24:32], v^key64)
+			b = b[32:]
+		}
+
+		// Then we xor until b is less than 16 bytes.
+		for len(b) >= 16 {
+			v := binary.LittleEndian.Uint64(b)
+			binary.LittleEndian.PutUint64(b, v^key64)
+			v = binary.LittleEndian.Uint64(b[8:16])
+			binary.LittleEndian.PutUint64(b[8:16], v^key64)
+			b = b[16:]
+		}
+
+		// Then we xor until b is less than 8 bytes.
+		for len(b) >= 8 {
+			v := binary.LittleEndian.Uint64(b)
+			binary.LittleEndian.PutUint64(b, v^key64)
+			b = b[8:]
+		}
+	}
+
+	// Then we xor until b is less than 4 bytes.
+	for len(b) >= 4 {
+		v := binary.LittleEndian.Uint32(b)
+		binary.LittleEndian.PutUint32(b, v^key)
+		b = b[4:]
+	}
+
+	// xor remaining bytes.
+	for i := range b {
+		b[i] ^= byte(key)
+		key = bits.RotateLeft32(key, -8)
+	}
+
+	return key
+}
--- a/common/observable/observable_test.go
+++ b/common/observable/observable_test.go
@ -5,8 +5,9 @@ import (
 	"testing"
 	"time"

+	"github.com/Dreamacro/clash/common/atomic"
+
 	"github.com/stretchr/testify/assert"
-	"go.uber.org/atomic"
 )

 func iterator[T any](item []T) chan T {
@ -44,7 +45,7 @@ func TestObservable_MultiSubscribe(t *testing.T) {
 	wg.Add(2)
 	waitCh := func(ch <-chan int) {
 		for range ch {
-			count.Inc()
+			count.Add(1)
 		}
 		wg.Done()
 	}
--- a/common/pool/alloc_test.go
+++ b/common/pool/alloc_test.go
@ -1,10 +1,10 @@
 package pool

 import (
-	"math/rand"
 	"testing"

 	"github.com/stretchr/testify/assert"
+	"github.com/zhangyunhao116/fastrand"
 )

 func TestAllocGet(t *testing.T) {
@ -43,6 +43,6 @@ func TestAllocPutThenGet(t *testing.T) {

 func BenchmarkMSB(b *testing.B) {
 	for i := 0; i < b.N; i++ {
-		msb(rand.Int())
+		msb(fastrand.Int())
 	}
 }
--- a/common/pool/buffer_low_memory.go
+++ b/common/pool/buffer_low_memory.go
@ -0,0 +1,15 @@
+//go:build with_low_memory
+
+package pool
+
+const (
+	// io.Copy default buffer size is 32 KiB
+	// but the maximum packet size of vmess/shadowsocks is about 16 KiB
+	// so define a buffer of 20 KiB to reduce the memory of each TCP relay
+	RelayBufferSize = 16 * 1024
+
+	// RelayBufferSize uses 20KiB, but due to the allocator it will actually
+	// request 32Kib. Most UDPs are smaller than the MTU, and the TUN's MTU
+	// set to 9000, so the UDP Buffer size set to 16Kib
+	UDPBufferSize = 8 * 1024
+)
--- a/common/pool/buffer_standard.go
+++ b/common/pool/buffer_standard.go
@ -0,0 +1,15 @@
+//go:build !with_low_memory
+
+package pool
+
+const (
+	// io.Copy default buffer size is 32 KiB
+	// but the maximum packet size of vmess/shadowsocks is about 16 KiB
+	// so define a buffer of 20 KiB to reduce the memory of each TCP relay
+	RelayBufferSize = 20 * 1024
+
+	// RelayBufferSize uses 20KiB, but due to the allocator it will actually
+	// request 32Kib. Most UDPs are smaller than the MTU, and the TUN's MTU
+	// set to 9000, so the UDP Buffer size set to 16Kib
+	UDPBufferSize = 16 * 1024
+)
--- a/common/pool/pool.go
+++ b/common/pool/pool.go
@ -1,17 +1,5 @@
 package pool

-const (
-	// io.Copy default buffer size is 32 KiB
-	// but the maximum packet size of vmess/shadowsocks is about 16 KiB
-	// so define a buffer of 20 KiB to reduce the memory of each TCP relay
-	RelayBufferSize = 20 * 1024
-
-	// RelayBufferSize uses 20KiB, but due to the allocator it will actually
-	// request 32Kib. Most UDPs are smaller than the MTU, and the TUN's MTU
-	// set to 9000, so the UDP Buffer size set to 16Kib
-	UDPBufferSize = 16 * 1024
-)
-
 func Get(size int) []byte {
 	return defaultAllocator.Get(size)
 }
--- a/common/singledo/singledo_test.go
+++ b/common/singledo/singledo_test.go
@ -5,8 +5,9 @@ import (
 	"testing"
 	"time"

+	"github.com/Dreamacro/clash/common/atomic"
+
 	"github.com/stretchr/testify/assert"
-	"go.uber.org/atomic"
 )

 func TestBasic(t *testing.T) {
@ -26,7 +27,7 @@ func TestBasic(t *testing.T) {
 		go func() {
 			_, _, shard := single.Do(call)
 			if shard {
-				shardCount.Inc()
+				shardCount.Add(1)
 			}
 			wg.Done()
 		}()
--- a/common/utils/must.go
+++ b/common/utils/must.go
@ -0,0 +1,8 @@
+package utils
+
+func MustOK[T any](result T, ok bool) T {
+	if ok {
+		return result
+	}
+	panic("operation failed")
+}
--- a/common/utils/slice.go
+++ b/common/utils/slice.go
@ -0,0 +1,34 @@
+package utils
+
+import (
+	"errors"
+	"fmt"
+	"reflect"
+)
+
+func Filter[T comparable](tSlice []T, filter func(t T) bool) []T {
+	result := make([]T, 0)
+	for _, t := range tSlice {
+		if filter(t) {
+			result = append(result, t)
+		}
+	}
+	return result
+}
+
+func ToStringSlice(value any) ([]string, error) {
+	strArr := make([]string, 0)
+	switch reflect.TypeOf(value).Kind() {
+	case reflect.Slice, reflect.Array:
+		origin := reflect.ValueOf(value)
+		for i := 0; i < origin.Len(); i++ {
+			item := fmt.Sprintf("%v", origin.Index(i))
+			strArr = append(strArr, item)
+		}
+	case reflect.String:
+		strArr = append(strArr, fmt.Sprintf("%v", value))
+	default:
+		return nil, errors.New("value format error, must be string or array")
+	}
+	return strArr, nil
+}
--- a/common/utils/strings.go
+++ b/common/utils/strings.go
@ -0,0 +1,9 @@
+package utils
+
+func Reverse(s string) string {
+	a := []rune(s)
+	for i, j := 0, len(a)-1; i < j; i, j = i+1, j-1 {
+		a[i], a[j] = a[j], a[i]
+	}
+	return string(a)
+}
--- a/common/utils/uuid.go
+++ b/common/utils/uuid.go
@ -1,16 +1,51 @@
 package utils

 import (
-	"github.com/gofrs/uuid"
+	"github.com/gofrs/uuid/v5"
+	"github.com/zhangyunhao116/fastrand"
 )

-var uuidNamespace, _ = uuid.FromString("00000000-0000-0000-0000-000000000000")
+type fastRandReader struct{}
+
+func (r fastRandReader) Read(p []byte) (int, error) {
+	return fastrand.Read(p)
+}
+
+var UnsafeUUIDGenerator = uuid.NewGenWithOptions(uuid.WithRandomReader(fastRandReader{}))
+
+func NewUUIDV1() uuid.UUID {
+	u, _ := UnsafeUUIDGenerator.NewV1() // fastrand.Read wouldn't cause error, so ignore err is safe
+	return u
+}
+
+func NewUUIDV3(ns uuid.UUID, name string) uuid.UUID {
+	return UnsafeUUIDGenerator.NewV3(ns, name)
+}
+
+func NewUUIDV4() uuid.UUID {
+	u, _ := UnsafeUUIDGenerator.NewV4() // fastrand.Read wouldn't cause error, so ignore err is safe
+	return u
+}
+
+func NewUUIDV5(ns uuid.UUID, name string) uuid.UUID {
+	return UnsafeUUIDGenerator.NewV5(ns, name)
+}
+
+func NewUUIDV6() uuid.UUID {
+	u, _ := UnsafeUUIDGenerator.NewV6() // fastrand.Read wouldn't cause error, so ignore err is safe
+	return u
+}
+
+func NewUUIDV7() uuid.UUID {
+	u, _ := UnsafeUUIDGenerator.NewV7() // fastrand.Read wouldn't cause error, so ignore err is safe
+	return u
+}

 // UUIDMap https://github.com/XTLS/Xray-core/issues/158#issue-783294090
 func UUIDMap(str string) (uuid.UUID, error) {
 	u, err := uuid.FromString(str)
 	if err != nil {
-		return uuid.NewV5(uuidNamespace, str), nil
+		return NewUUIDV5(uuid.Nil, str), nil
 	}
 	return u, nil
 }
--- a/common/utils/uuid_test.go
+++ b/common/utils/uuid_test.go
@ -1,7 +1,7 @@
 package utils

 import (
-	"github.com/gofrs/uuid"
+	"github.com/gofrs/uuid/v5"
 	"reflect"
 	"testing"
 )
--- a/component/dialer/bind_darwin.go
+++ b/component/dialer/bind_darwin.go
@ -1,6 +1,7 @@
 package dialer

 import (
+	"context"
 	"net"
 	"net/netip"
 	"syscall"
@ -10,16 +11,8 @@ import (
 	"golang.org/x/sys/unix"
 )

-type controlFn = func(network, address string, c syscall.RawConn) error
-
-func bindControl(ifaceIdx int, chain controlFn) controlFn {
-	return func(network, address string, c syscall.RawConn) (err error) {
-		defer func() {
-			if err == nil && chain != nil {
-				err = chain(network, address, c)
-			}
-		}()
-
+func bindControl(ifaceIdx int) controlFn {
+	return func(ctx context.Context, network, address string, c syscall.RawConn) (err error) {
 		addrPort, err := netip.ParseAddrPort(address)
 		if err == nil && !addrPort.Addr().IsGlobalUnicast() {
 			return
@ -49,7 +42,7 @@ func bindIfaceToDialer(ifaceName string, dialer *net.Dialer, _ string, _ netip.A
 		return err
 	}

-	dialer.Control = bindControl(ifaceObj.Index, dialer.Control)
+	addControlToDialer(dialer, bindControl(ifaceObj.Index))
 	return nil
 }

@ -59,6 +52,10 @@ func bindIfaceToListenConfig(ifaceName string, lc *net.ListenConfig, _, address
 		return "", err
 	}

-	lc.Control = bindControl(ifaceObj.Index, lc.Control)
+	addControlToListenConfig(lc, bindControl(ifaceObj.Index))
 	return address, nil
 }
+
+func ParseNetwork(network string, addr netip.Addr) string {
+	return network
+}
--- a/component/dialer/bind_linux.go
+++ b/component/dialer/bind_linux.go
@ -1,6 +1,7 @@
 package dialer

 import (
+	"context"
 	"net"
 	"net/netip"
 	"syscall"
@ -8,16 +9,8 @@ import (
 	"golang.org/x/sys/unix"
 )

-type controlFn = func(network, address string, c syscall.RawConn) error
-
-func bindControl(ifaceName string, chain controlFn) controlFn {
-	return func(network, address string, c syscall.RawConn) (err error) {
-		defer func() {
-			if err == nil && chain != nil {
-				err = chain(network, address, c)
-			}
-		}()
-
+func bindControl(ifaceName string) controlFn {
+	return func(ctx context.Context, network, address string, c syscall.RawConn) (err error) {
 		addrPort, err := netip.ParseAddrPort(address)
 		if err == nil && !addrPort.Addr().IsGlobalUnicast() {
 			return
@ -37,13 +30,17 @@ func bindControl(ifaceName string, chain controlFn) controlFn {
 }

 func bindIfaceToDialer(ifaceName string, dialer *net.Dialer, _ string, _ netip.Addr) error {
-	dialer.Control = bindControl(ifaceName, dialer.Control)
+	addControlToDialer(dialer, bindControl(ifaceName))

 	return nil
 }

 func bindIfaceToListenConfig(ifaceName string, lc *net.ListenConfig, _, address string) (string, error) {
-	lc.Control = bindControl(ifaceName, lc.Control)
+	addControlToListenConfig(lc, bindControl(ifaceName))

 	return address, nil
 }
+
+func ParseNetwork(network string, addr netip.Addr) string {
+	return network
+}
--- a/component/dialer/bind_others.go
+++ b/component/dialer/bind_others.go
@ -1,4 +1,4 @@
-//go:build !linux && !darwin
+//go:build !linux && !darwin && !windows

 package dialer

@ -91,3 +91,13 @@ func bindIfaceToListenConfig(ifaceName string, _ *net.ListenConfig, network, add

 	return addr.String(), nil
 }
+
+func ParseNetwork(network string, addr netip.Addr) string {
+	// fix bindIfaceToListenConfig() force bind to an ipv4 address
+	if !strings.HasSuffix(network, "4") &&
+		!strings.HasSuffix(network, "6") &&
+		addr.Unmap().Is6() {
+		network += "6"
+	}
+	return network
+}
--- a/component/dialer/bind_windows.go
+++ b/component/dialer/bind_windows.go
@ -0,0 +1,101 @@
+package dialer
+
+import (
+	"context"
+	"encoding/binary"
+	"fmt"
+	"net"
+	"net/netip"
+	"syscall"
+	"unsafe"
+
+	"github.com/Dreamacro/clash/component/iface"
+)
+
+const (
+	IP_UNICAST_IF   = 31
+	IPV6_UNICAST_IF = 31
+)
+
+func bind4(handle syscall.Handle, ifaceIdx int) error {
+	var bytes [4]byte
+	binary.BigEndian.PutUint32(bytes[:], uint32(ifaceIdx))
+	idx := *(*uint32)(unsafe.Pointer(&bytes[0]))
+	err := syscall.SetsockoptInt(handle, syscall.IPPROTO_IP, IP_UNICAST_IF, int(idx))
+	if err != nil {
+		err = fmt.Errorf("bind4: %w", err)
+	}
+	return err
+}
+
+func bind6(handle syscall.Handle, ifaceIdx int) error {
+	err := syscall.SetsockoptInt(handle, syscall.IPPROTO_IPV6, IPV6_UNICAST_IF, ifaceIdx)
+	if err != nil {
+		err = fmt.Errorf("bind6: %w", err)
+	}
+	return err
+}
+
+func bindControl(ifaceIdx int) controlFn {
+	return func(ctx context.Context, network, address string, c syscall.RawConn) (err error) {
+		addrPort, err := netip.ParseAddrPort(address)
+		if err == nil && !addrPort.Addr().IsGlobalUnicast() {
+			return
+		}
+
+		var innerErr error
+		err = c.Control(func(fd uintptr) {
+			handle := syscall.Handle(fd)
+			bind6err := bind6(handle, ifaceIdx)
+			bind4err := bind4(handle, ifaceIdx)
+			switch network {
+			case "ip6", "tcp6":
+				innerErr = bind6err
+			case "ip4", "tcp4", "udp4":
+				innerErr = bind4err
+			case "udp6":
+				// golang will set network to udp6 when listenUDP on wildcard ip (eg: ":0", "")
+				if (!addrPort.Addr().IsValid() || addrPort.Addr().IsUnspecified()) && bind6err != nil {
+					// try bind ipv6, if failed, ignore. it's a workaround for windows disable interface ipv6
+					if bind4err != nil {
+						innerErr = fmt.Errorf("%w (%s)", bind6err, bind4err)
+					} else {
+						innerErr = nil
+					}
+				} else {
+					innerErr = bind6err
+				}
+			}
+		})
+
+		if innerErr != nil {
+			err = innerErr
+		}
+
+		return
+	}
+}
+
+func bindIfaceToDialer(ifaceName string, dialer *net.Dialer, _ string, _ netip.Addr) error {
+	ifaceObj, err := iface.ResolveInterface(ifaceName)
+	if err != nil {
+		return err
+	}
+
+	addControlToDialer(dialer, bindControl(ifaceObj.Index))
+	return nil
+}
+
+func bindIfaceToListenConfig(ifaceName string, lc *net.ListenConfig, _, address string) (string, error) {
+	ifaceObj, err := iface.ResolveInterface(ifaceName)
+	if err != nil {
+		return "", err
+	}
+
+	addControlToListenConfig(lc, bindControl(ifaceObj.Index))
+	return address, nil
+}
+
+func ParseNetwork(network string, addr netip.Addr) string {
+	return network
+}
--- a/component/dialer/control.go
+++ b/component/dialer/control.go
@ -0,0 +1,22 @@
+package dialer
+
+import (
+	"context"
+	"net"
+	"syscall"
+)
+
+type controlFn = func(ctx context.Context, network, address string, c syscall.RawConn) error
+
+func addControlToListenConfig(lc *net.ListenConfig, fn controlFn) {
+	llc := *lc
+	lc.Control = func(network, address string, c syscall.RawConn) (err error) {
+		switch {
+		case llc.Control != nil:
+			if err = llc.Control(network, address, c); err != nil {
+				return
+			}
+		}
+		return fn(context.Background(), network, address, c)
+	}
+}
--- a/component/dialer/control_go119.go
+++ b/component/dialer/control_go119.go
@ -0,0 +1,22 @@
+//go:build !go1.20
+
+package dialer
+
+import (
+	"context"
+	"net"
+	"syscall"
+)
+
+func addControlToDialer(d *net.Dialer, fn controlFn) {
+	ld := *d
+	d.Control = func(network, address string, c syscall.RawConn) (err error) {
+		switch {
+		case ld.Control != nil:
+			if err = ld.Control(network, address, c); err != nil {
+				return
+			}
+		}
+		return fn(context.Background(), network, address, c)
+	}
+}
--- a/component/dialer/control_go120.go
+++ b/component/dialer/control_go120.go
@ -0,0 +1,26 @@
+//go:build go1.20
+
+package dialer
+
+import (
+	"context"
+	"net"
+	"syscall"
+)
+
+func addControlToDialer(d *net.Dialer, fn controlFn) {
+	ld := *d
+	d.ControlContext = func(ctx context.Context, network, address string, c syscall.RawConn) (err error) {
+		switch {
+		case ld.ControlContext != nil:
+			if err = ld.ControlContext(ctx, network, address, c); err != nil {
+				return
+			}
+		case ld.Control != nil:
+			if err = ld.Control(network, address, c); err != nil {
+				return
+			}
+		}
+		return fn(ctx, network, address, c)
+	}
+}
--- a/component/dialer/dialer.go
+++ b/component/dialer/dialer.go
@ -2,40 +2,27 @@ package dialer

 import (
 	"context"
-	"errors"
 	"fmt"
 	"net"
 	"net/netip"
-	"runtime"
+	"os"
 	"strings"
 	"sync"
+	"time"

 	"github.com/Dreamacro/clash/component/resolver"
-
-	"go.uber.org/atomic"
 )

+type dialFunc func(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error)
+
 var (
-	dialMux                    sync.Mutex
-	actualSingleDialContext    = singleDialContext
-	actualDualStackDialContext = dualStackDialContext
-	tcpConcurrent              = false
-	DisableIPv6                = false
-	ErrorInvalidedNetworkStack = errors.New("invalided network stack")
-	ErrorDisableIPv6           = errors.New("IPv6 is disabled, dialer cancel")
+	dialMux                      sync.Mutex
+	actualSingleStackDialContext = serialSingleStackDialContext
+	actualDualStackDialContext   = serialDualStackDialContext
+	tcpConcurrent                = false
+	fallbackTimeout              = 300 * time.Millisecond
 )

-func ParseNetwork(network string, addr netip.Addr) string {
-	if runtime.GOOS == "windows" { // fix bindIfaceToListenConfig() in windows force bind to an ipv4 address
-		if !strings.HasSuffix(network, "4") &&
-			!strings.HasSuffix(network, "6") &&
-			addr.Unmap().Is6() {
-			network += "6"
-		}
-	}
-	return network
-}
-
 func applyOptions(options ...Option) *option {
 	opt := &option{
 		interfaceName: DefaultInterface.Load(),
@ -66,29 +53,23 @@ func DialContext(ctx context.Context, network, address string, options ...Option
 		network = fmt.Sprintf("%s%d", network, opt.network)
 	}

+	ips, port, err := parseAddr(ctx, network, address, opt.resolver)
+	if err != nil {
+		return nil, err
+	}
+
 	switch network {
 	case "tcp4", "tcp6", "udp4", "udp6":
-		return actualSingleDialContext(ctx, network, address, opt)
+		return actualSingleStackDialContext(ctx, network, ips, port, opt)
 	case "tcp", "udp":
-		return actualDualStackDialContext(ctx, network, address, opt)
+		return actualDualStackDialContext(ctx, network, ips, port, opt)
 	default:
 		return nil, ErrorInvalidedNetworkStack
 	}
 }

 func ListenPacket(ctx context.Context, network, address string, options ...Option) (net.PacketConn, error) {
-	cfg := &option{
-		interfaceName: DefaultInterface.Load(),
-		routingMark:   int(DefaultRoutingMark.Load()),
-	}
-
-	for _, o := range DefaultOptions {
-		o(cfg)
-	}
-
-	for _, o := range options {
-		o(cfg)
-	}
+	cfg := applyOptions(options...)

 	lc := &net.ListenConfig{}
 	if cfg.interfaceName != "" {
@ -108,26 +89,40 @@ func ListenPacket(ctx context.Context, network, address string, options ...Optio
 	return lc.ListenPacket(ctx, network, address)
 }

-func SetDial(concurrent bool) {
+func SetTcpConcurrent(concurrent bool) {
 	dialMux.Lock()
+	defer dialMux.Unlock()
 	tcpConcurrent = concurrent
 	if concurrent {
-		actualSingleDialContext = concurrentSingleDialContext
+		actualSingleStackDialContext = concurrentSingleStackDialContext
 		actualDualStackDialContext = concurrentDualStackDialContext
 	} else {
-		actualSingleDialContext = singleDialContext
-		actualDualStackDialContext = dualStackDialContext
+		actualSingleStackDialContext = serialSingleStackDialContext
+		actualDualStackDialContext = serialDualStackDialContext
 	}
-
-	dialMux.Unlock()
 }

-func GetDial() bool {
+func GetTcpConcurrent() bool {
+	dialMux.Lock()
+	defer dialMux.Unlock()
 	return tcpConcurrent
 }

 func dialContext(ctx context.Context, network string, destination netip.Addr, port string, opt *option) (net.Conn, error) {
-	dialer := &net.Dialer{}
+	address := net.JoinHostPort(destination.String(), port)
+
+	netDialer := opt.netDialer
+	switch netDialer.(type) {
+	case nil:
+		netDialer = &net.Dialer{}
+	case *net.Dialer:
+		_netDialer := *netDialer.(*net.Dialer)
+		netDialer = &_netDialer // make a copy
+	default:
+		return netDialer.DialContext(ctx, network, address)
+	}
+
+	dialer := netDialer.(*net.Dialer)
 	if opt.interfaceName != "" {
 		if err := bindIfaceToDialer(opt.interfaceName, dialer, network, destination); err != nil {
 			return nil, err
@ -136,313 +131,182 @@ func dialContext(ctx context.Context, network string, destination netip.Addr, po
 	if opt.routingMark != 0 {
 		bindMarkToDialer(opt.routingMark, dialer, network, destination)
 	}
-
-	if DisableIPv6 && destination.Is6() {
-		return nil, ErrorDisableIPv6
+	if opt.tfo {
+		return dialTFO(ctx, *dialer, network, address)
 	}
-
-	return dialer.DialContext(ctx, network, net.JoinHostPort(destination.String(), port))
+	return dialer.DialContext(ctx, network, address)
 }

-func dualStackDialContext(ctx context.Context, network, address string, opt *option) (net.Conn, error) {
-	host, port, err := net.SplitHostPort(address)
-	if err != nil {
-		return nil, err
-	}
+func serialSingleStackDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
+	return serialDialContext(ctx, network, ips, port, opt)
+}

+func serialDualStackDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
+	return dualStackDialContext(ctx, serialDialContext, network, ips, port, opt)
+}
+
+func concurrentSingleStackDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
+	return parallelDialContext(ctx, network, ips, port, opt)
+}
+
+func concurrentDualStackDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
+	if opt.prefer != 4 && opt.prefer != 6 {
+		return parallelDialContext(ctx, network, ips, port, opt)
+	}
+	return dualStackDialContext(ctx, parallelDialContext, network, ips, port, opt)
+}
+
+func dualStackDialContext(ctx context.Context, dialFn dialFunc, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
+	ipv4s, ipv6s := resolver.SortationAddr(ips)
+	preferIPVersion := opt.prefer
+
+	fallbackTicker := time.NewTicker(fallbackTimeout)
+	defer fallbackTicker.Stop()
+	results := make(chan dialResult)
 	returned := make(chan struct{})
 	defer close(returned)
-
-	type dialResult struct {
-		net.Conn
-		error
-		resolved bool
-		ipv6     bool
-		done     bool
-	}
-	results := make(chan dialResult)
-	var primary, fallback dialResult
-
-	startRacer := func(ctx context.Context, network, host string, r resolver.Resolver, ipv6 bool) {
-		result := dialResult{ipv6: ipv6, done: true}
+	racer := func(ips []netip.Addr, isPrimary bool) {
+		result := dialResult{isPrimary: isPrimary}
 		defer func() {
 			select {
 			case results <- result:
 			case <-returned:
-				if result.Conn != nil {
+				if result.Conn != nil && result.error == nil {
 					_ = result.Conn.Close()
 				}
 			}
 		}()
-
-		var ip netip.Addr
-		if ipv6 {
-			if r == nil {
-				ip, result.error = resolver.ResolveIPv6ProxyServerHost(ctx, host)
-			} else {
-				ip, result.error = resolver.ResolveIPv6WithResolver(ctx, host, r)
-			}
-		} else {
-			if r == nil {
-				ip, result.error = resolver.ResolveIPv4ProxyServerHost(ctx, host)
-			} else {
-				ip, result.error = resolver.ResolveIPv4WithResolver(ctx, host, r)
-			}
-		}
-		if result.error != nil {
-			return
-		}
-		result.resolved = true
-
-		result.Conn, result.error = dialContext(ctx, network, ip, port, opt)
+		result.Conn, result.error = dialFn(ctx, network, ips, port, opt)
 	}
-
-	go startRacer(ctx, network+"4", host, opt.resolver, false)
-	go startRacer(ctx, network+"6", host, opt.resolver, true)
-
-	count := 2
-	for i := 0; i < count; i++ {
+	go racer(ipv4s, preferIPVersion != 6)
+	go racer(ipv6s, preferIPVersion != 4)
+	var fallback dialResult
+	var errs []error
+	for i := 0; i < 2; {
 		select {
+		case <-fallbackTicker.C:
+			if fallback.error == nil && fallback.Conn != nil {
+				return fallback.Conn, nil
+			}
 		case res := <-results:
+			i++
 			if res.error == nil {
-				return res.Conn, nil
-			}
-
-			if !res.ipv6 {
-				primary = res
-			} else {
+				if res.isPrimary {
+					return res.Conn, nil
+				}
 				fallback = res
-			}
-
-			if primary.done && fallback.done {
-				if primary.resolved {
-					return nil, primary.error
-				} else if fallback.resolved {
-					return nil, fallback.error
+			} else {
+				if res.isPrimary {
+					errs = append([]error{fmt.Errorf("connect failed: %w", res.error)}, errs...)
 				} else {
-					return nil, primary.error
+					errs = append(errs, fmt.Errorf("connect failed: %w", res.error))
 				}
 			}
-		case <-ctx.Done():
-			err = ctx.Err()
-			break
 		}
 	}
-
-	if err == nil {
-		err = fmt.Errorf("dual stack dial failed")
-	} else {
-		err = fmt.Errorf("dual stack dial failed:%w", err)
+	if fallback.error == nil && fallback.Conn != nil {
+		return fallback.Conn, nil
 	}
-	return nil, err
+	return nil, errorsJoin(errs...)
 }

-func concurrentDualStackDialContext(ctx context.Context, network, address string, opt *option) (net.Conn, error) {
-	host, port, err := net.SplitHostPort(address)
-	if err != nil {
-		return nil, err
+func parallelDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
+	if len(ips) == 0 {
+		return nil, ErrorNoIpAddress
 	}
-
-	var ips []netip.Addr
-	if opt.resolver != nil {
-		ips, err = resolver.LookupIPWithResolver(ctx, host, opt.resolver)
-	} else {
-		ips, err = resolver.LookupIPProxyServerHost(ctx, host)
-	}
-
-	if err != nil {
-		return nil, err
-	}
-
-	return concurrentDialContext(ctx, network, ips, port, opt)
-}
-
-func concurrentDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
+	results := make(chan dialResult)
 	returned := make(chan struct{})
 	defer close(returned)
-
-	type dialResult struct {
-		ip netip.Addr
-		net.Conn
-		error
-		isPrimary bool
-		done      bool
-	}
-
-	preferCount := atomic.NewInt32(0)
-	results := make(chan dialResult)
-	tcpRacer := func(ctx context.Context, ip netip.Addr) {
-		result := dialResult{ip: ip, done: true}
-
+	racer := func(ctx context.Context, ip netip.Addr) {
+		result := dialResult{isPrimary: true, ip: ip}
 		defer func() {
 			select {
 			case results <- result:
 			case <-returned:
-				if result.Conn != nil {
+				if result.Conn != nil && result.error == nil {
 					_ = result.Conn.Close()
 				}
 			}
 		}()
-		if strings.Contains(network, "tcp") {
-			network = "tcp"
-		} else {
-			network = "udp"
-		}
-
-		if ip.Is6() {
-			network += "6"
-			if opt.prefer != 4 {
-				result.isPrimary = true
-			}
-		}
-
-		if ip.Is4() {
-			network += "4"
-			if opt.prefer != 6 {
-				result.isPrimary = true
-			}
-		}
-
-		if result.isPrimary {
-			preferCount.Add(1)
-		}
-
 		result.Conn, result.error = dialContext(ctx, network, ip, port, opt)
 	}

 	for _, ip := range ips {
-		go tcpRacer(ctx, ip)
+		go racer(ctx, ip)
 	}
-
-	connCount := len(ips)
-	var fallback dialResult
-	var primaryError error
-	var finalError error
-	for i := 0; i < connCount; i++ {
-		select {
-		case res := <-results:
-			if res.error == nil {
-				if res.isPrimary {
-					return res.Conn, nil
-				} else {
-					if !fallback.done || fallback.error != nil {
-						fallback = res
-					}
-				}
-			} else {
-				if res.isPrimary {
-					primaryError = res.error
-					preferCount.Add(-1)
-					if preferCount.Load() == 0 && fallback.done && fallback.error == nil {
-						return fallback.Conn, nil
-					}
-				}
-			}
-		case <-ctx.Done():
-			if fallback.done && fallback.error == nil {
-				return fallback.Conn, nil
-			}
-			finalError = ctx.Err()
-			break
+	var errs []error
+	for i := 0; i < len(ips); i++ {
+		res := <-results
+		if res.error == nil {
+			return res.Conn, nil
 		}
+		errs = append(errs, res.error)
 	}

-	if fallback.done && fallback.error == nil {
-		return fallback.Conn, nil
+	if len(errs) > 0 {
+		return nil, errorsJoin(errs...)
 	}
-
-	if primaryError != nil {
-		return nil, primaryError
-	}
-
-	if fallback.error != nil {
-		return nil, fallback.error
-	}
-
-	if finalError == nil {
-		finalError = fmt.Errorf("all ips %v tcp shake hands failed", ips)
-	} else {
-		finalError = fmt.Errorf("concurrent dial failed:%w", finalError)
-	}
-
-	return nil, finalError
+	return nil, os.ErrDeadlineExceeded
 }

-func singleDialContext(ctx context.Context, network string, address string, opt *option) (net.Conn, error) {
+func serialDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
+	if len(ips) == 0 {
+		return nil, ErrorNoIpAddress
+	}
+	var errs []error
+	for _, ip := range ips {
+		if conn, err := dialContext(ctx, network, ip, port, opt); err == nil {
+			return conn, nil
+		} else {
+			errs = append(errs, err)
+		}
+	}
+	return nil, errorsJoin(errs...)
+}
+
+type dialResult struct {
+	ip netip.Addr
+	net.Conn
+	error
+	isPrimary bool
+}
+
+func parseAddr(ctx context.Context, network, address string, preferResolver resolver.Resolver) ([]netip.Addr, string, error) {
 	host, port, err := net.SplitHostPort(address)
 	if err != nil {
-		return nil, err
-	}
-
-	var ip netip.Addr
-	switch network {
-	case "tcp4", "udp4":
-		if opt.resolver == nil {
-			ip, err = resolver.ResolveIPv4ProxyServerHost(ctx, host)
-		} else {
-			ip, err = resolver.ResolveIPv4WithResolver(ctx, host, opt.resolver)
-		}
-	default:
-		if opt.resolver == nil {
-			ip, err = resolver.ResolveIPv6ProxyServerHost(ctx, host)
-		} else {
-			ip, err = resolver.ResolveIPv6WithResolver(ctx, host, opt.resolver)
-		}
-	}
-	if err != nil {
-		return nil, err
-	}
-
-	return dialContext(ctx, network, ip, port, opt)
-}
-
-func concurrentSingleDialContext(ctx context.Context, network string, address string, opt *option) (net.Conn, error) {
-	switch network {
-	case "tcp4", "udp4":
-		return concurrentIPv4DialContext(ctx, network, address, opt)
-	default:
-		return concurrentIPv6DialContext(ctx, network, address, opt)
-	}
-}
-
-func concurrentIPv4DialContext(ctx context.Context, network, address string, opt *option) (net.Conn, error) {
-	host, port, err := net.SplitHostPort(address)
-	if err != nil {
-		return nil, err
+		return nil, "-1", err
 	}

 	var ips []netip.Addr
-	if opt.resolver == nil {
-		ips, err = resolver.LookupIPv4ProxyServerHost(ctx, host)
-	} else {
-		ips, err = resolver.LookupIPv4WithResolver(ctx, host, opt.resolver)
+	switch network {
+	case "tcp4", "udp4":
+		if preferResolver == nil {
+			ips, err = resolver.LookupIPv4ProxyServerHost(ctx, host)
+		} else {
+			ips, err = resolver.LookupIPv4WithResolver(ctx, host, preferResolver)
+		}
+	case "tcp6", "udp6":
+		if preferResolver == nil {
+			ips, err = resolver.LookupIPv6ProxyServerHost(ctx, host)
+		} else {
+			ips, err = resolver.LookupIPv6WithResolver(ctx, host, preferResolver)
+		}
+	default:
+		if preferResolver == nil {
+			ips, err = resolver.LookupIPProxyServerHost(ctx, host)
+		} else {
+			ips, err = resolver.LookupIPWithResolver(ctx, host, preferResolver)
+		}
 	}
-
 	if err != nil {
-		return nil, err
+		return nil, "-1", fmt.Errorf("dns resolve failed: %w", err)
 	}
-
-	return concurrentDialContext(ctx, network, ips, port, opt)
-}
-
-func concurrentIPv6DialContext(ctx context.Context, network, address string, opt *option) (net.Conn, error) {
-	host, port, err := net.SplitHostPort(address)
-	if err != nil {
-		return nil, err
+	for i, ip := range ips {
+		if ip.Is4In6() {
+			ips[i] = ip.Unmap()
+		}
 	}
-
-	var ips []netip.Addr
-	if opt.resolver == nil {
-		ips, err = resolver.LookupIPv6ProxyServerHost(ctx, host)
-	} else {
-		ips, err = resolver.LookupIPv6WithResolver(ctx, host, opt.resolver)
-	}
-
-	if err != nil {
-		return nil, err
-	}
-
-	return concurrentDialContext(ctx, network, ips, port, opt)
+	return ips, port, nil
 }

 type Dialer struct {
@ -454,7 +318,12 @@ func (d Dialer) DialContext(ctx context.Context, network, address string) (net.C
 }

 func (d Dialer) ListenPacket(ctx context.Context, network, address string, rAddrPort netip.AddrPort) (net.PacketConn, error) {
-	return ListenPacket(ctx, ParseNetwork(network, rAddrPort.Addr()), address, WithOption(d.Opt))
+	opt := WithOption(d.Opt)
+	if rAddrPort.Addr().Unmap().IsLoopback() {
+		// avoid "The requested address is not valid in its context."
+		opt = WithInterface("")
+	}
+	return ListenPacket(ctx, ParseNetwork(network, rAddrPort.Addr()), address, opt)
 }

 func NewDialer(options ...Option) Dialer {
--- a/component/dialer/error.go
+++ b/component/dialer/error.go
@ -0,0 +1,18 @@
+package dialer
+
+import (
+	"errors"
+
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+var (
+	ErrorNoIpAddress           = errors.New("no ip address")
+	ErrorInvalidedNetworkStack = errors.New("invalided network stack")
+)
+
+func errorsJoin(errs ...error) error {
+	// compatibility with golang<1.20
+	// maybe use errors.Join(errs...) is better after we drop the old version's support
+	return E.Errors(errs...)
+}
--- a/component/dialer/mark_linux.go
+++ b/component/dialer/mark_linux.go
@ -3,26 +3,22 @@
 package dialer

 import (
+	"context"
 	"net"
 	"net/netip"
 	"syscall"
 )

 func bindMarkToDialer(mark int, dialer *net.Dialer, _ string, _ netip.Addr) {
-	dialer.Control = bindMarkToControl(mark, dialer.Control)
+	addControlToDialer(dialer, bindMarkToControl(mark))
 }

 func bindMarkToListenConfig(mark int, lc *net.ListenConfig, _, _ string) {
-	lc.Control = bindMarkToControl(mark, lc.Control)
+	addControlToListenConfig(lc, bindMarkToControl(mark))
 }

-func bindMarkToControl(mark int, chain controlFn) controlFn {
-	return func(network, address string, c syscall.RawConn) (err error) {
-		defer func() {
-			if err == nil && chain != nil {
-				err = chain(network, address, c)
-			}
-		}()
+func bindMarkToControl(mark int) controlFn {
+	return func(ctx context.Context, network, address string, c syscall.RawConn) (err error) {

 		addrPort, err := netip.ParseAddrPort(address)
 		if err == nil && !addrPort.Addr().IsGlobalUnicast() {
--- a/component/dialer/options.go
+++ b/component/dialer/options.go
@ -1,24 +1,32 @@
 package dialer

 import (
-	"github.com/Dreamacro/clash/component/resolver"
+	"context"
+	"net"

-	"go.uber.org/atomic"
+	"github.com/Dreamacro/clash/common/atomic"
+	"github.com/Dreamacro/clash/component/resolver"
 )

 var (
 	DefaultOptions     []Option
-	DefaultInterface   = atomic.NewString("")
+	DefaultInterface   = atomic.NewTypedValue[string]("")
 	DefaultRoutingMark = atomic.NewInt32(0)
 )

+type NetDialer interface {
+	DialContext(ctx context.Context, network, address string) (net.Conn, error)
+}
+
 type option struct {
 	interfaceName string
 	addrReuse     bool
 	routingMark   int
 	network       int
 	prefer        int
+	tfo           bool
 	resolver      resolver.Resolver
+	netDialer     NetDialer
 }

 type Option func(opt *option)
@ -69,6 +77,18 @@ func WithOnlySingleStack(isIPv4 bool) Option {
 	}
 }

+func WithTFO(tfo bool) Option {
+	return func(opt *option) {
+		opt.tfo = tfo
+	}
+}
+
+func WithNetDialer(netDialer NetDialer) Option {
+	return func(opt *option) {
+		opt.netDialer = netDialer
+	}
+}
+
 func WithOption(o option) Option {
 	return func(opt *option) {
 		*opt = o
--- a/component/dialer/reuse_unix.go
+++ b/component/dialer/reuse_unix.go
@ -3,6 +3,7 @@
 package dialer

 import (
+	"context"
 	"net"
 	"syscall"

@ -10,18 +11,10 @@ import (
 )

 func addrReuseToListenConfig(lc *net.ListenConfig) {
-	chain := lc.Control
-
-	lc.Control = func(network, address string, c syscall.RawConn) (err error) {
-		defer func() {
-			if err == nil && chain != nil {
-				err = chain(network, address, c)
-			}
-		}()
-
+	addControlToListenConfig(lc, func(ctx context.Context, network, address string, c syscall.RawConn) error {
 		return c.Control(func(fd uintptr) {
 			unix.SetsockoptInt(int(fd), unix.SOL_SOCKET, unix.SO_REUSEADDR, 1)
 			unix.SetsockoptInt(int(fd), unix.SOL_SOCKET, unix.SO_REUSEPORT, 1)
 		})
-	}
+	})
 }
--- a/component/dialer/reuse_windows.go
+++ b/component/dialer/reuse_windows.go
@ -1,6 +1,7 @@
 package dialer

 import (
+	"context"
 	"net"
 	"syscall"

@ -8,17 +9,9 @@ import (
 )

 func addrReuseToListenConfig(lc *net.ListenConfig) {
-	chain := lc.Control
-
-	lc.Control = func(network, address string, c syscall.RawConn) (err error) {
-		defer func() {
-			if err == nil && chain != nil {
-				err = chain(network, address, c)
-			}
-		}()
-
+	addControlToListenConfig(lc, func(ctx context.Context, network, address string, c syscall.RawConn) error {
 		return c.Control(func(fd uintptr) {
 			windows.SetsockoptInt(windows.Handle(fd), windows.SOL_SOCKET, windows.SO_REUSEADDR, 1)
 		})
-	}
+	})
 }
--- a/component/dialer/tfo.go
+++ b/component/dialer/tfo.go
@ -0,0 +1,135 @@
+package dialer
+
+import (
+	"context"
+	"github.com/sagernet/tfo-go"
+	"io"
+	"net"
+	"time"
+)
+
+type tfoConn struct {
+	net.Conn
+	closed bool
+	dialed chan bool
+	cancel context.CancelFunc
+	ctx    context.Context
+	dialFn func(ctx context.Context, earlyData []byte) (net.Conn, error)
+}
+
+func (c *tfoConn) Dial(earlyData []byte) (err error) {
+	c.Conn, err = c.dialFn(c.ctx, earlyData)
+	if err != nil {
+		return
+	}
+	c.dialed <- true
+	return err
+}
+
+func (c *tfoConn) Read(b []byte) (n int, err error) {
+	if c.closed {
+		return 0, io.ErrClosedPipe
+	}
+	if c.Conn == nil {
+		select {
+		case <-c.ctx.Done():
+			return 0, io.ErrUnexpectedEOF
+		case <-c.dialed:
+		}
+	}
+	return c.Conn.Read(b)
+}
+
+func (c *tfoConn) Write(b []byte) (n int, err error) {
+	if c.closed {
+		return 0, io.ErrClosedPipe
+	}
+	if c.Conn == nil {
+		if err := c.Dial(b); err != nil {
+			return 0, err
+		}
+		return len(b), nil
+	}
+
+	return c.Conn.Write(b)
+}
+
+func (c *tfoConn) Close() error {
+	c.closed = true
+	c.cancel()
+	if c.Conn == nil {
+		return nil
+	}
+	return c.Conn.Close()
+}
+
+func (c *tfoConn) LocalAddr() net.Addr {
+	if c.Conn == nil {
+		return nil
+	}
+	return c.Conn.LocalAddr()
+}
+
+func (c *tfoConn) RemoteAddr() net.Addr {
+	if c.Conn == nil {
+		return nil
+	}
+	return c.Conn.RemoteAddr()
+}
+
+func (c *tfoConn) SetDeadline(t time.Time) error {
+	if err := c.SetReadDeadline(t); err != nil {
+		return err
+	}
+	return c.SetWriteDeadline(t)
+}
+
+func (c *tfoConn) SetReadDeadline(t time.Time) error {
+	if c.Conn == nil {
+		return nil
+	}
+	return c.Conn.SetReadDeadline(t)
+}
+
+func (c *tfoConn) SetWriteDeadline(t time.Time) error {
+	if c.Conn == nil {
+		return nil
+	}
+	return c.Conn.SetWriteDeadline(t)
+}
+
+func (c *tfoConn) Upstream() any {
+	if c.Conn == nil { // ensure return a nil interface not an interface with nil value
+		return nil
+	}
+	return c.Conn
+}
+
+func (c *tfoConn) NeedAdditionalReadDeadline() bool {
+	return c.Conn == nil
+}
+
+func (c *tfoConn) NeedHandshake() bool {
+	return c.Conn == nil
+}
+
+func (c *tfoConn) ReaderReplaceable() bool {
+	return c.Conn != nil
+}
+
+func (c *tfoConn) WriterReplaceable() bool {
+	return c.Conn != nil
+}
+
+func dialTFO(ctx context.Context, netDialer net.Dialer, network, address string) (net.Conn, error) {
+	ctx, cancel := context.WithCancel(ctx)
+	dialer := tfo.Dialer{Dialer: netDialer, DisableTFO: false}
+	return &tfoConn{
+		dialed: make(chan bool, 1),
+		cancel: cancel,
+		ctx:    ctx,
+		dialFn: func(ctx context.Context, earlyData []byte) (net.Conn, error) {
+			return dialer.DialContext(ctx, network, address, earlyData)
+		},
+	}, nil
+}
--- a/component/ebpf/redir/bpf_bpfeb.go
+++ b/component/ebpf/redir/bpf_bpfeb.go
@ -41,9 +41,9 @@ func loadBpf() (*ebpf.CollectionSpec, error) {
 //
 // The following types are suitable as obj argument:
 //
-//     *bpfObjects
-//     *bpfPrograms
-//     *bpfMaps
+//	*bpfObjects
+//	*bpfPrograms
+//	*bpfMaps
 //
 // See ebpf.CollectionSpec.LoadAndAssign documentation for details.
 func loadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error {
@ -134,5 +134,6 @@ func _BpfClose(closers ...io.Closer) error {
 }

 // Do not access this directly.
+//
 //go:embed bpf_bpfeb.o
 var _BpfBytes []byte
--- a/component/ebpf/redir/bpf_bpfel.go
+++ b/component/ebpf/redir/bpf_bpfel.go
@ -41,9 +41,9 @@ func loadBpf() (*ebpf.CollectionSpec, error) {
 //
 // The following types are suitable as obj argument:
 //
-//     *bpfObjects
-//     *bpfPrograms
-//     *bpfMaps
+//	*bpfObjects
+//	*bpfPrograms
+//	*bpfMaps
 //
 // See ebpf.CollectionSpec.LoadAndAssign documentation for details.
 func loadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error {
@ -134,5 +134,6 @@ func _BpfClose(closers ...io.Closer) error {
 }

 // Do not access this directly.
+//
 //go:embed bpf_bpfel.o
 var _BpfBytes []byte
--- a/component/ebpf/tc/bpf_bpfeb.go
+++ b/component/ebpf/tc/bpf_bpfeb.go
@ -28,9 +28,9 @@ func loadBpf() (*ebpf.CollectionSpec, error) {
 //
 // The following types are suitable as obj argument:
 //
-//     *bpfObjects
-//     *bpfPrograms
-//     *bpfMaps
+//	*bpfObjects
+//	*bpfPrograms
+//	*bpfMaps
 //
 // See ebpf.CollectionSpec.LoadAndAssign documentation for details.
 func loadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error {
@ -115,5 +115,6 @@ func _BpfClose(closers ...io.Closer) error {
 }

 // Do not access this directly.
+//
 //go:embed bpf_bpfeb.o
 var _BpfBytes []byte
--- a/component/ebpf/tc/bpf_bpfel.go
+++ b/component/ebpf/tc/bpf_bpfel.go
@ -28,9 +28,9 @@ func loadBpf() (*ebpf.CollectionSpec, error) {
 //
 // The following types are suitable as obj argument:
 //
-//     *bpfObjects
-//     *bpfPrograms
-//     *bpfMaps
+//	*bpfObjects
+//	*bpfPrograms
+//	*bpfMaps
 //
 // See ebpf.CollectionSpec.LoadAndAssign documentation for details.
 func loadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error {
@ -115,5 +115,6 @@ func _BpfClose(closers ...io.Closer) error {
 }

 // Do not access this directly.
+//
 //go:embed bpf_bpfel.o
 var _BpfBytes []byte
--- a/component/geodata/geodata.go
+++ b/component/geodata/geodata.go
@ -1,13 +1,10 @@
 package geodata

 import (
-	"errors"
 	"fmt"
-	C "github.com/Dreamacro/clash/constant"
-	"strings"

 	"github.com/Dreamacro/clash/component/geodata/router"
-	"github.com/Dreamacro/clash/log"
+	C "github.com/Dreamacro/clash/constant"
 )

 type loader struct {
@ -15,47 +12,7 @@ type loader struct {
 }

 func (l *loader) LoadGeoSite(list string) ([]*router.Domain, error) {
-	return l.LoadGeoSiteWithAttr(C.GeositeName, list)
-}
-
-func (l *loader) LoadGeoSiteWithAttr(file string, siteWithAttr string) ([]*router.Domain, error) {
-	parts := strings.Split(siteWithAttr, "@")
-	if len(parts) == 0 {
-		return nil, errors.New("empty rule")
-	}
-	list := strings.TrimSpace(parts[0])
-	attrVal := parts[1:]
-
-	if len(list) == 0 {
-		return nil, fmt.Errorf("empty listname in rule: %s", siteWithAttr)
-	}
-
-	domains, err := l.LoadSiteByPath(file, list)
-	if err != nil {
-		return nil, err
-	}
-
-	attrs := parseAttrs(attrVal)
-	if attrs.IsEmpty() {
-		if strings.Contains(siteWithAttr, "@") {
-			log.Warnln("empty attribute list: %s", siteWithAttr)
-		}
-		return domains, nil
-	}
-
-	filteredDomains := make([]*router.Domain, 0, len(domains))
-	hasAttrMatched := false
-	for _, domain := range domains {
-		if attrs.Match(domain) {
-			hasAttrMatched = true
-			filteredDomains = append(filteredDomains, domain)
-		}
-	}
-	if !hasAttrMatched {
-		log.Warnln("attribute match no rule: geosite: %s", siteWithAttr)
-	}
-
-	return filteredDomains, nil
+	return l.LoadSiteByPath(C.GeositeName, list)
 }

 func (l *loader) LoadGeoIP(country string) ([]*router.CIDR, error) {
--- a/component/geodata/geodataproto.go
+++ b/component/geodata/geodataproto.go
@ -14,6 +14,5 @@ type LoaderImplementation interface {
 type Loader interface {
 	LoaderImplementation
 	LoadGeoSite(list string) ([]*router.Domain, error)
-	LoadGeoSiteWithAttr(file string, siteWithAttr string) ([]*router.Domain, error)
 	LoadGeoIP(country string) ([]*router.CIDR, error)
 }
--- a/component/geodata/init.go
+++ b/component/geodata/init.go
@ -1,15 +1,21 @@
 package geodata

 import (
+	"context"
 	"fmt"
-	C "github.com/Dreamacro/clash/constant"
-	"github.com/Dreamacro/clash/log"
 	"io"
 	"net/http"
 	"os"
+	"time"
+
+	clashHttp "github.com/Dreamacro/clash/component/http"
+	"github.com/Dreamacro/clash/component/mmdb"
+	C "github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/log"
 )

-var initFlag bool
+var initGeoSite bool
+var initGeoIP int

 func InitGeoSite() error {
 	if _, err := os.Stat(C.Path.GeoSite()); os.IsNotExist(err) {
@ -18,8 +24,9 @@ func InitGeoSite() error {
 			return fmt.Errorf("can't download GeoSite.dat: %s", err.Error())
 		}
 		log.Infoln("Download GeoSite.dat finish")
+		initGeoSite = false
 	}
-	if !initFlag {
+	if !initGeoSite {
 		if err := Verify(C.GeositeName); err != nil {
 			log.Warnln("GeoSite.dat invalid, remove and download: %s", err)
 			if err := os.Remove(C.Path.GeoSite()); err != nil {
@ -29,13 +36,15 @@ func InitGeoSite() error {
 				return fmt.Errorf("can't download GeoSite.dat: %s", err.Error())
 			}
 		}
-		initFlag = true
+		initGeoSite = true
 	}
 	return nil
 }

 func downloadGeoSite(path string) (err error) {
-	resp, err := http.Get(C.GeoSiteUrl)
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*90)
+	defer cancel()
+	resp, err := clashHttp.HttpRequest(ctx, C.GeoSiteUrl, http.MethodGet, http.Header{"User-Agent": {"clash"}}, nil)
 	if err != nil {
 		return
 	}
@ -50,3 +59,70 @@ func downloadGeoSite(path string) (err error) {

 	return err
 }
+
+func downloadGeoIP(path string) (err error) {
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*90)
+	defer cancel()
+	resp, err := clashHttp.HttpRequest(ctx, C.GeoIpUrl, http.MethodGet, http.Header{"User-Agent": {"clash"}}, nil)
+	if err != nil {
+		return
+	}
+	defer resp.Body.Close()
+
+	f, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY, 0o644)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+	_, err = io.Copy(f, resp.Body)
+
+	return err
+}
+
+func InitGeoIP() error {
+	if C.GeodataMode {
+		if _, err := os.Stat(C.Path.GeoIP()); os.IsNotExist(err) {
+			log.Infoln("Can't find GeoIP.dat, start download")
+			if err := downloadGeoIP(C.Path.GeoIP()); err != nil {
+				return fmt.Errorf("can't download GeoIP.dat: %s", err.Error())
+			}
+			log.Infoln("Download GeoIP.dat finish")
+			initGeoIP = 0
+		}
+
+		if initGeoIP != 1 {
+			if err := Verify(C.GeoipName); err != nil {
+				log.Warnln("GeoIP.dat invalid, remove and download: %s", err)
+				if err := os.Remove(C.Path.GeoIP()); err != nil {
+					return fmt.Errorf("can't remove invalid GeoIP.dat: %s", err.Error())
+				}
+				if err := downloadGeoIP(C.Path.GeoIP()); err != nil {
+					return fmt.Errorf("can't download GeoIP.dat: %s", err.Error())
+				}
+			}
+			initGeoIP = 1
+		}
+		return nil
+	}
+
+	if _, err := os.Stat(C.Path.MMDB()); os.IsNotExist(err) {
+		log.Infoln("Can't find MMDB, start download")
+		if err := mmdb.DownloadMMDB(C.Path.MMDB()); err != nil {
+			return fmt.Errorf("can't download MMDB: %s", err.Error())
+		}
+	}
+
+	if initGeoIP != 2 {
+		if !mmdb.Verify() {
+			log.Warnln("MMDB invalid, remove and download")
+			if err := os.Remove(C.Path.MMDB()); err != nil {
+				return fmt.Errorf("can't remove invalid MMDB: %s", err.Error())
+			}
+			if err := mmdb.DownloadMMDB(C.Path.MMDB()); err != nil {
+				return fmt.Errorf("can't download MMDB: %s", err.Error())
+			}
+		}
+		initGeoIP = 2
+	}
+	return nil
+}
--- a/component/geodata/memconservative/cache.go
+++ b/component/geodata/memconservative/cache.go
@ -118,7 +118,7 @@ func (g GeoSiteCache) Unmarshal(filename, code string) (*router.GeoSite, error)

 	case errFailedToReadBytes, errFailedToReadExpectedLenBytes,
 		errInvalidGeodataFile, errInvalidGeodataVarintLength:
-		log.Warnln("failed to decode geoip file: %s%s", filename, ", fallback to the original ReadFile method")
+		log.Warnln("failed to decode geosite file: %s%s", filename, ", fallback to the original ReadFile method")
 		geositeBytes, err = os.ReadFile(asset)
 		if err != nil {
 			return nil, err
--- a/component/geodata/utils.go
+++ b/component/geodata/utils.go
@ -1,9 +1,14 @@
 package geodata

 import (
+	"errors"
 	"fmt"
+	"golang.org/x/sync/singleflight"
+	"strings"
+
 	"github.com/Dreamacro/clash/component/geodata/router"
 	C "github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/log"
 )

 var geoLoaderName = "memconservative"
@ -34,6 +39,8 @@ func Verify(name string) error {
 	}
 }

+var loadGeoSiteMatcherSF = singleflight.Group{}
+
 func LoadGeoSiteMatcher(countryCode string) (*router.DomainMatcher, int, error) {
 	if len(countryCode) == 0 {
 		return nil, 0, fmt.Errorf("country code could not be empty")
@ -44,16 +51,53 @@ func LoadGeoSiteMatcher(countryCode string) (*router.DomainMatcher, int, error)
 		not = true
 		countryCode = countryCode[1:]
 	}
+	countryCode = strings.ToLower(countryCode)

-	geoLoader, err := GetGeoDataLoader(geoLoaderName)
-	if err != nil {
-		return nil, 0, err
+	parts := strings.Split(countryCode, "@")
+	if len(parts) == 0 {
+		return nil, 0, errors.New("empty rule")
+	}
+	listName := strings.TrimSpace(parts[0])
+	attrVal := parts[1:]
+
+	if len(listName) == 0 {
+		return nil, 0, fmt.Errorf("empty listname in rule: %s", countryCode)
 	}

-	domains, err := geoLoader.LoadGeoSite(countryCode)
+	v, err, shared := loadGeoSiteMatcherSF.Do(listName, func() (interface{}, error) {
+		geoLoader, err := GetGeoDataLoader(geoLoaderName)
+		if err != nil {
+			return nil, err
+		}
+		return geoLoader.LoadGeoSite(listName)
+	})
 	if err != nil {
+		if !shared {
+			loadGeoSiteMatcherSF.Forget(listName) // don't store the error result
+		}
 		return nil, 0, err
 	}
+	domains := v.([]*router.Domain)
+
+	attrs := parseAttrs(attrVal)
+	if attrs.IsEmpty() {
+		if strings.Contains(countryCode, "@") {
+			log.Warnln("empty attribute list: %s", countryCode)
+		}
+	} else {
+		filteredDomains := make([]*router.Domain, 0, len(domains))
+		hasAttrMatched := false
+		for _, domain := range domains {
+			if attrs.Match(domain) {
+				hasAttrMatched = true
+				filteredDomains = append(filteredDomains, domain)
+			}
+		}
+		if !hasAttrMatched {
+			log.Warnln("attribute match no rule: geosite: %s", countryCode)
+		}
+		domains = filteredDomains
+	}

 	/**
 	linear: linear algorithm
@ -68,25 +112,34 @@ func LoadGeoSiteMatcher(countryCode string) (*router.DomainMatcher, int, error)
 	return matcher, len(domains), nil
 }

+var loadGeoIPMatcherSF = singleflight.Group{}
+
 func LoadGeoIPMatcher(country string) (*router.GeoIPMatcher, int, error) {
 	if len(country) == 0 {
 		return nil, 0, fmt.Errorf("country code could not be empty")
 	}
-	geoLoader, err := GetGeoDataLoader(geoLoaderName)
-	if err != nil {
-		return nil, 0, err
-	}

 	not := false
 	if country[0] == '!' {
 		not = true
 		country = country[1:]
 	}
+	country = strings.ToLower(country)

-	records, err := geoLoader.LoadGeoIP(country)
+	v, err, shared := loadGeoIPMatcherSF.Do(country, func() (interface{}, error) {
+		geoLoader, err := GetGeoDataLoader(geoLoaderName)
+		if err != nil {
+			return nil, err
+		}
+		return geoLoader.LoadGeoIP(country)
+	})
 	if err != nil {
+		if !shared {
+			loadGeoIPMatcherSF.Forget(country) // don't store the error result
+		}
 		return nil, 0, err
 	}
+	records := v.([]*router.CIDR)

 	geoIP := &router.GeoIP{
 		CountryCode:  country,
@ -98,6 +151,10 @@ func LoadGeoIPMatcher(country string) (*router.GeoIPMatcher, int, error) {
 	if err != nil {
 		return nil, 0, err
 	}
-
 	return matcher, len(records), nil
 }
+
+func ClearCache() {
+	loadGeoSiteMatcherSF = singleflight.Group{}
+	loadGeoIPMatcherSF = singleflight.Group{}
+}
--- a/component/http/http.go
+++ b/component/http/http.go
@ -2,18 +2,19 @@ package http

 import (
 	"context"
-	"github.com/Dreamacro/clash/component/tls"
-	"github.com/Dreamacro/clash/listener/inner"
 	"io"
 	"net"
 	"net/http"
 	URL "net/url"
 	"strings"
 	"time"
+
+	"github.com/Dreamacro/clash/component/tls"
+	"github.com/Dreamacro/clash/listener/inner"
 )

 const (
-	UA = "Clash"
+	UA = "clash.meta"
 )

 func HttpRequest(ctx context.Context, url, method string, header map[string][]string, body io.Reader) (*http.Response, error) {
@ -52,7 +53,7 @@ func HttpRequest(ctx context.Context, url, method string, header map[string][]st
 		TLSHandshakeTimeout:   10 * time.Second,
 		ExpectContinueTimeout: 1 * time.Second,
 		DialContext: func(ctx context.Context, network, address string) (net.Conn, error) {
-			conn := inner.HandleTcp(address, urlRes.Hostname())
+			conn := inner.HandleTcp(address, "")
 			return conn, nil
 		},
 		TLSClientConfig: tls.GetDefaultTLSConfig(),
--- a/Show More
+++ b/Show More
				`@ -0,0 +1 @@`
				`git log --pretty=format:"* %s by @%an" v1.14.x..v1.14.y \| sort -f \| uniq > release.md`