Android: patch

chore: support v2ray http upgrade server too
fix: avoid tls panic
2023-11-03 05:59:14 +00:00 · 2023-11-03 13:58:53 +08:00 · 2023-11-03 12:04:22 +08:00 · 2023-11-03 11:50:25 +08:00 · 2023-11-03 11:50:25 +08:00 · 2023-11-03 11:50:25 +08:00
216 changed files with 7447 additions and 2551 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@ -0,0 +1,83 @@
+name: Bug report
+description: Create a report to help us improve
+title: "[Bug] "
+labels: ["bug"]
+body:
+  - type: checkboxes
+    id: ensure
+    attributes:
+      label: Verify steps
+      description: "
+在提交之前，请确认
+Please verify that you've followed these steps
+"
+      options:
+        - label: "
+确保你使用的是**本仓库**最新的的 clash 或 clash Alpha 版本
+Ensure you are using the latest version of Clash or Clash Premium from **this repository**.
+"
+          required: true
+        - label: "
+如果你可以自己 debug 并解决的话，提交 PR 吧
+Is this something you can **debug and fix**? Send a pull request! Bug fixes and documentation fixes are welcome.
+"
+          required: false
+        - label: "
+我已经在 [Issue Tracker](……/) 中找过我要提出的问题
+I have searched on the [issue tracker](……/) for a related issue.
+"
+          required: true
+        - label: "
+我已经使用 Alpha 分支版本测试过，问题依旧存在
+I have tested using the dev branch, and the issue still exists.
+"
+          required: true
+        - label: "
+我已经仔细看过 [Documentation](https://wiki.metacubex.one/) 并无法自行解决问题
+I have read the [documentation](https://wiki.metacubex.one/) and was unable to solve the issue.
+"
+          required: true
+        - label: "
+这是 Clash 核心的问题，并非我所使用的 Clash 衍生版本（如 OpenClash、KoolClash 等）的特定问题
+This is an issue of the Clash core *per se*, not to the derivatives of Clash, like OpenClash or KoolClash.
+"
+          required: true
+  - type: input
+    attributes:
+      label: Clash version
+      description: "use `clash -v`"
+    validations:
+      required: true
+  - type: dropdown
+    id: os
+    attributes:
+      label: What OS are you seeing the problem on?
+      multiple: true
+      options:
+        - macOS
+        - Windows
+        - Linux
+        - OpenBSD/FreeBSD
+  - type: textarea
+    attributes:
+      render: yaml
+      label: "Clash config"
+      description: "
+在下方附上 Clash core 配置文件，请确保配置文件中没有敏感信息（比如：服务器地址，密码，端口等）
+Paste the Clash core configuration file below, please make sure that there is no sensitive information in the configuration file (e.g., server address/url, password, port)
+"
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      render: shell
+      label: Clash log
+      description: "
+在下方附上 Clash Core 的日志，log level 使用 DEBUG
+Paste the Clash core log below with the log level set to `DEBUG`.
+"
+  - type: textarea
+    attributes:
+      label: Description
+    validations:
+      required: true
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@ -0,0 +1,5 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Clash.Meta Community Support
+    url: https://github.com/MetaCubeX/Clash.Meta/discussions
+    about: Please ask and answer questions about Clash.Meta here.
--- a/.github/ISSUE_TEMPLATE/feature_request.yml
+++ b/.github/ISSUE_TEMPLATE/feature_request.yml
@ -0,0 +1,37 @@
+name: Feature request
+description: Suggest an idea for this project
+title: "[Feature] "
+labels: ["enhancement"]
+body:
+  - type: checkboxes
+    id: ensure
+    attributes:
+      label: Verify steps
+      description: "
+在提交之前，请确认
+Please verify that you've followed these steps
+"
+      options:
+        - label: "
+我已经在 [Issue Tracker](……/) 中找过我要提出的请求
+I have searched on the [issue tracker](……/) for a related feature request.
+"
+          required: true
+        - label: "
+我已经仔细看过 [Documentation](https://wiki.metacubex.one/) 并无法找到这个功能
+I have read the [documentation](https://wiki.metacubex.one/) and was unable to solve the issue.
+"
+          required: true
+  - type: textarea
+    attributes:
+      label: Description
+      description: 请详细、清晰地表达你要提出的论述，例如这个问题如何影响到你？你想实现什么功能？目前 Clash Core 的行为是什麽？
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Possible Solution
+      description: "
+此项非必须，但是如果你有想法的话欢迎提出。
+Not obligatory, but suggest a fix/reason for the bug, or ideas how to implement the addition or change
+"
--- a/.github/rename-go120.sh
+++ b/.github/rename-go120.sh
@ -0,0 +1,12 @@
+#!/bin/bash
+
+FILENAMES=$(ls)
+for FILENAME in $FILENAMES
+do
+    if [[ ! ($FILENAME =~ ".exe" || $FILENAME =~ ".sh")]];then
+        mv $FILENAME ${FILENAME}-go120
+    elif [[ $FILENAME =~ ".exe" ]];then
+        mv $FILENAME ${FILENAME%.*}-go120.exe
+    else echo "skip $FILENAME"
+    fi
+done
--- a/.github/workflows/android-branch-auto-sync.yml
+++ b/.github/workflows/android-branch-auto-sync.yml
@ -0,0 +1,69 @@
+name: Android Branch Auto Sync
+on:
+  workflow_dispatch:
+  push:
+    paths-ignore:
+      - "docs/**"
+      - "README.md"
+      - ".github/ISSUE_TEMPLATE/**"
+    branches:
+      - Alpha
+      - android-open
+    tags:
+      - "v*"
+  pull_request_target:
+    branches:
+      - Alpha
+      - android-open
+      
+jobs:
+  update-dependencies:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      
+      - name: Configure Git
+        run: |
+          git config --global user.name 'GitHub Action'
+          git config --global user.email 'action@github.com'
+      
+      - name: Sync android-real with Alpha rebase android-open
+        run: |
+          git fetch origin
+          git checkout origin/Alpha -b android-real
+          git merge --squash origin/android-open
+          git commit -m "Android: patch"
+      
+      - name: Check for conflicts
+        run: |
+          CONFLICTS=$(git diff --name-only --diff-filter=U)
+          if [ ! -z "$CONFLICTS" ]; then
+            echo "There are conflicts in the following files:"
+            echo $CONFLICTS
+            exit 1
+          fi
+      
+      - name: Push changes
+        run: |
+          git push origin android-real --force
+  
+  # Send "core-updated" to MetaCubeX/ClashMetaForAndroid to trigger update-dependencies
+  trigger-CMFA-update:
+    needs: update-dependencies
+    runs-on: ubuntu-latest
+    steps:
+      - uses: tibdex/github-app-token@v1
+        id: generate-token
+        with:
+          app_id: ${{ secrets.MAINTAINER_APPID }}
+          private_key: ${{ secrets.MAINTAINER_APP_PRIVATE_KEY }}
+      
+      - name: Trigger update-dependencies
+        run: |
+          curl -X POST https://api.github.com/repos/MetaCubeX/ClashMetaForAndroid/dispatches \
+            -H "Accept: application/vnd.github.everest-preview+json" \
+            -H "Authorization: token ${{ steps.generate-token.outputs.token }}" \
+            -d '{"event_type": "core-updated"}'
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -69,6 +69,12 @@ jobs:
              target: "darwin-amd64 darwin-arm64 android-arm64",
              id: "9",
            }
+          # only for test
+          - { type: "WithoutCGO-GO120", target: "linux-amd64 linux-amd64-compatible",id: "1" }
+          # Go 1.20 is the last release that will run on any release of Windows 7, 8, Server 2008 and Server 2012. Go 1.21 will require at least Windows 10 or Server 2016.
+          - { type: "WithoutCGO-GO120", target: "windows-amd64-compatible windows-amd64 windows-386",id: "2" }
+          # Go 1.20 is the last release that will run on macOS 10.13 High Sierra or 10.14 Mojave. Go 1.21 will require macOS 10.15 Catalina or later.
+          - { type: "WithoutCGO-GO120", target: "darwin-amd64 darwin-arm64 android-arm64",id: "3" }
          - { type: "WithCGO", target: "windows/*", id: "1" }
          - { type: "WithCGO", target: "linux/386", id: "2" }
          - { type: "WithCGO", target: "linux/amd64", id: "3" }
@ -126,18 +132,26 @@ jobs:
        shell: bash

      - name: Setup Go
+        if: ${{ matrix.job.type!='WithoutCGO-GO120' }}
        uses: actions/setup-go@v4
        with:
          go-version: "1.21"
          check-latest: true

+      - name: Setup Go
+        if: ${{ matrix.job.type=='WithoutCGO-GO120' }}
+        uses: actions/setup-go@v4
+        with:
+          go-version: "1.20"
+          check-latest: true
+
      - name: Test
-        if: ${{ matrix.job.id=='1' && matrix.job.type=='WithoutCGO' }}
+        if: ${{ matrix.job.id=='1' && matrix.job.type!='WithCGO' }}
        run: |
          go test ./...

      - name: Build WithoutCGO
-        if: ${{ matrix.job.type=='WithoutCGO' }}
+        if: ${{ matrix.job.type!='WithCGO' }}
        env:
          NAME: Clash.Meta
          BINDIR: bin
@ -147,7 +161,7 @@ jobs:
        if: ${{ matrix.job.type=='WithCGO' && matrix.job.target=='android' }}
        id: setup-ndk
        with:
-          ndk-version: r25b
+          ndk-version: r26
          add-to-path: false
          local-cache: true

@ -185,6 +199,17 @@ jobs:
          ls -la
          cd ..

+      - name: Rename
+        if: ${{ matrix.job.type=='WithoutCGO-GO120' }}
+        run: |
+          cd bin
+          ls -la
+          cp ../.github/rename-go120.sh ./
+          bash ./rename-go120.sh
+          rm ./rename-go120.sh
+          ls -la
+          cd ..
+
      - name: Zip
        if: ${{  success() }}
        run: |
@ -209,7 +234,7 @@ jobs:

  Upload-Prerelease:
    permissions: write-all
-    if: ${{ github.ref_type=='branch' }}
+    if: ${{ github.ref_type=='branch' && github.event_name != 'pull_request' }}
    needs: [Build]
    runs-on: ubuntu-latest
    steps:
--- a/README.md
+++ b/README.md
@ -21,261 +21,52 @@
 ## Features

 - Local HTTP/HTTPS/SOCKS server with authentication support
- VMess, Shadowsocks, Trojan, Snell protocol support for remote connections
+- VMess, VLESS, Shadowsocks, Trojan, Snell, TUIC, Hysteria protocol support
 - Built-in DNS server that aims to minimize DNS pollution attack impact, supports DoH/DoT upstream and fake IP.
 - Rules based off domains, GEOIP, IPCIDR or Process to forward packets to different nodes
- Remote groups allow users to implement powerful rules. Supports automatic fallback, load balancing or auto select node based off latency
- Remote providers, allowing users to get node lists remotely instead of hardcoding in config
+- Remote groups allow users to implement powerful rules. Supports automatic fallback, load balancing or auto select node
+  based off latency
+- Remote providers, allowing users to get node lists remotely instead of hard-coding in config
 - Netfilter TCP redirecting. Deploy Clash on your Internet gateway with `iptables`.
 - Comprehensive HTTP RESTful API controller

-## Wiki
-Configuration examples can be found at [/docs/config.yaml](https://github.com/MetaCubeX/Clash.Meta/blob/Alpha/docs/config.yaml), while documentation can be found [Clash.Meta Wiki](https://clash-meta.wiki).
+## Dashboard

-## Build
+A web dashboard with first-class support for this project has been created; it can be checked out at [metacubexd](https://github.com/MetaCubeX/metacubexd).

-You should install [golang](https://go.dev) first.
+## Configration example

-Then get the source code of Clash.Meta:
+Configuration example is located at [/docs/config.yaml](https://github.com/MetaCubeX/Clash.Meta/blob/Alpha/docs/config.yaml).
+
+## Docs
+
+Documentation can be found in [Clash.Meta Docs](https://clash-meta.wiki).
+
+## For development
+
+Requirements:
+[Go 1.20 or newer](https://go.dev/dl/)
+
+Build Clash.Meta:

 ```shell
 git clone https://github.com/MetaCubeX/Clash.Meta.git
 cd Clash.Meta && go mod download
+go build
 ```

-If you can't visit github,you should set proxy first:
+Set go proxy if a connection to GitHub is not possible:

 ```shell
 go env -w GOPROXY=https://goproxy.io,direct
 ```

-Now you can build it:
-
-```shell
-go build
-```
-
-If you need gvisor for tun stack, build with:
+Build with gvisor tun stack:

 ```shell
 go build -tags with_gvisor
 ```

-<!-- ## Advanced usage of this fork -->
-
-<!-- ### DNS configuration
-
-Support `geosite` with `fallback-filter`.
-
-Restore `Redir remote resolution`.
-
-Support resolve ip with a `Proxy Tunnel`.
-
-```yaml
-proxy-groups:
-  - name: DNS
-    type: url-test
-    use:
-      - HK
-    url: http://cp.cloudflare.com
-    interval: 180
-    lazy: true
-```
-
-```yaml
-dns:
-  enable: true
-  use-hosts: true
-  ipv6: false
-  enhanced-mode: redir-host
-  fake-ip-range: 198.18.0.1/16
-  listen: 127.0.0.1:6868
-  default-nameserver:
-    - 119.29.29.29
-    - 114.114.114.114
-  nameserver:
-    - https://doh.pub/dns-query
-    - tls://223.5.5.5:853
-  fallback:
-    - "https://1.0.0.1/dns-query#DNS" # append the proxy adapter name or group name to the end of DNS URL with '#' prefix.
-    - "tls://8.8.4.4:853#DNS"
-  fallback-filter:
-    geoip: false
-    geosite:
-      - gfw # `geosite` filter only use fallback server to resolve ip, prevent DNS leaks to unsafe DNS providers.
-    domain:
-      - +.example.com
-    ipcidr:
-      - 0.0.0.0/32
-```
-
-### TUN configuration
-
-Supports macOS, Linux and Windows.
-
-Built-in [Wintun](https://www.wintun.net) driver.
-
-```yaml
-# Enable the TUN listener
-tun:
-  enable: true
-  stack: system #   system/gvisor
-  dns-hijack:
-    - 0.0.0.0:53 # additional dns server listen on TUN
-  auto-route: true # auto set global route
-```
-
-### Rules configuration
-
- Support rule `GEOSITE`.
- Support rule-providers `RULE-SET`.
- Support `multiport` condition for rule `SRC-PORT` and `DST-PORT`.
- Support `network` condition for all rules.
- Support source IPCIDR condition for all rules, just append to the end.
- The `GEOSITE` databases via https://github.com/Loyalsoldier/v2ray-rules-dat.
-
-```yaml
-rules:
-  # network(tcp/udp) condition for all rules
-  - DOMAIN-SUFFIX,bilibili.com,DIRECT,tcp
-  - DOMAIN-SUFFIX,bilibili.com,REJECT,udp
-
-  # multiport condition for rules SRC-PORT and DST-PORT
-  - DST-PORT,123/136/137-139,DIRECT,udp
-
-  # rule GEOSITE
-  - GEOSITE,category-ads-all,REJECT
-  - GEOSITE,icloud@cn,DIRECT
-  - GEOSITE,apple@cn,DIRECT
-  - GEOSITE,apple-cn,DIRECT
-  - GEOSITE,microsoft@cn,DIRECT
-  - GEOSITE,facebook,PROXY
-  - GEOSITE,youtube,PROXY
-  - GEOSITE,geolocation-cn,DIRECT
-  - GEOSITE,geolocation-!cn,PROXY
-
-  # source IPCIDR condition for all rules in gateway proxy
-  #- GEOSITE,geolocation-!cn,REJECT,192.168.1.88/32,192.168.1.99/32
-
-  - GEOIP,telegram,PROXY,no-resolve
-  - GEOIP,private,DIRECT,no-resolve
-  - GEOIP,cn,DIRECT
-
-  - MATCH,PROXY
-```
-
-### Proxies configuration
-
-Active health detection `urltest / fallback` (based on tcp handshake, multiple failures within a limited time will actively trigger health detection to use the node)
-
-Support `Policy Group Filter`
-
-```yaml
-proxy-groups:
-  - name: 🚀 HK Group
-    type: select
-    use:
-      - ALL
-    filter: "HK"
-
-  - name: 🚀 US Group
-    type: select
-    use:
-      - ALL
-    filter: "US"
-
-proxy-providers:
-  ALL:
-    type: http
-    url: "xxxxx"
-    interval: 3600
-    path: "xxxxx"
-    health-check:
-      enable: true
-      interval: 600
-      url: http://www.gstatic.com/generate_204
-```
-
-Support outbound transport protocol `VLESS`.
-
-The XTLS support (TCP/UDP) transport by the XRAY-CORE.
-
-```yaml
-proxies:
-  - name: "vless"
-    type: vless
-    server: server
-    port: 443
-    uuid: uuid
-    servername: example.com # AKA SNI
-    # flow: xtls-rprx-direct # xtls-rprx-origin  # enable XTLS
-    # skip-cert-verify: true
-
-  - name: "vless-ws"
-    type: vless
-    server: server
-    port: 443
-    uuid: uuid
-    tls: true
-    udp: true
-    network: ws
-    servername: example.com # priority over wss host
-    # skip-cert-verify: true
-    ws-opts:
-      path: /path
-      headers: { Host: example.com, Edge: "12a00c4.fm.huawei.com:82897" }
-
-  - name: "vless-grpc"
-    type: vless
-    server: server
-    port: 443
-    uuid: uuid
-    tls: true
-    udp: true
-    network: grpc
-    servername: example.com # priority over wss host
-    # skip-cert-verify: true
-    grpc-opts:
-      grpc-service-name: grpcname
-```
-
-Support outbound transport protocol `Wireguard`
-
-```yaml
-proxies:
-  - name: "wg"
-    type: wireguard
-    server: 162.159.192.1
-    port: 2480
-    ip: 172.16.0.2
-    ipv6: fd01:5ca1:ab1e:80fa:ab85:6eea:213f:f4a5
-    private-key: eCtXsJZ27+4PbhDkHnB923tkUn2Gj59wZw5wFA75MnU=
-    public-key: Cr8hWlKvtDt7nrvf+f0brNQQzabAqrjfBvas9pmowjo=
-    udp: true
-```
-
-Support outbound transport protocol `Tuic`
-
-```yaml
-proxies:
-  - name: "tuic"
-    server: www.example.com
-    port: 10443
-    type: tuic
-    token: TOKEN
-    # ip: 127.0.0.1 # for overwriting the DNS lookup result of the server address set in option 'server'
-    # heartbeat-interval: 10000
-    # alpn: [h3]
-    # disable-sni: true
-    reduce-rtt: true
-    # request-timeout: 8000
-    udp-relay-mode: native # Available: "native", "quic". Default: "native"
-    # congestion-controller: bbr # Available: "cubic", "new_reno", "bbr". Default: "cubic"
-    # max-udp-relay-packet-size: 1500
-    # fast-open: true
-    # skip-cert-verify: true
-``` -->
-
 ### IPTABLES configuration

 Work on Linux OS which supported `iptables`
@ -289,71 +80,10 @@ iptables:
  inbound-interface: eth0 # detect the inbound interface, default is 'lo'
 ```

-### General installation guide for Linux
-
- Create user given name `clash-meta`
-
- Download and decompress pre-built binaries from [releases](https://github.com/MetaCubeX/Clash.Meta/releases)
-
- Rename executable file to `Clash-Meta` and move to `/usr/local/bin/`
-
- Create folder `/etc/Clash-Meta/` as working directory
-
-Run Meta Kernel by user `clash-meta` as a daemon.
-
-Create the systemd configuration file at `/etc/systemd/system/Clash-Meta.service`:
-
-```
-[Unit]
-Description=Clash-Meta Daemon, Another Clash Kernel.
-After=network.target NetworkManager.service systemd-networkd.service iwd.service
-
-[Service]
-Type=simple
-User=clash-meta
-Group=clash-meta
-LimitNPROC=500
-LimitNOFILE=1000000
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE
-Restart=always
-ExecStartPre=/usr/bin/sleep 1s
-ExecStart=/usr/local/bin/Clash-Meta -d /etc/Clash-Meta
-
-[Install]
-WantedBy=multi-user.target
-```
-
-Launch clashd on system startup with:
-
-```shell
-$ systemctl enable Clash-Meta
-```
-
-Launch clashd immediately with:
-
-```shell
-$ systemctl start Clash-Meta
-```
-
-### Display Process name
-
-Clash add field `Process` to `Metadata` and prepare to get process name for Restful API `GET /connections`.
-
-To display process name in GUI please use [Razord-meta](https://github.com/MetaCubeX/Razord-meta).
-
-### Dashboard
-
-We also made a custom fork of yacd provide better support for this project, check it out at [Yacd-meta](https://github.com/MetaCubeX/Yacd-meta)
-
-## Development
-
-If you want to build an application that uses clash as a library, check out the
-the [GitHub Wiki](https://github.com/Dreamacro/clash/wiki/use-clash-as-a-library)
-
 ## Debugging
-Check [wiki](https://github.com/MetaCubeX/Clash.Meta/wiki/How-to-use-debug-api) to get an instruction on using debug API.

+Check [wiki](https://wiki.metacubex.one/api/#debug) to get an instruction on using debug
+API.

 ## Credits

--- a/adapter/adapter.go
+++ b/adapter/adapter.go
@ -18,6 +18,8 @@ import (
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/log"
+
+	"github.com/puzpuzpuz/xsync/v2"
 )

 var UnifiedDelay = atomic.NewBool(false)
@ -28,15 +30,15 @@ const (

 type extraProxyState struct {
 	history *queue.Queue[C.DelayHistory]
-	alive   *atomic.Bool
+	alive   atomic.Bool
 }

 type Proxy struct {
 	C.ProxyAdapter
 	history *queue.Queue[C.DelayHistory]
-	alive   *atomic.Bool
+	alive   atomic.Bool
 	url     string
-	extra   map[string]*extraProxyState
+	extra   *xsync.MapOf[string, *extraProxyState]
 }

 // Alive implements C.Proxy
@ -46,10 +48,8 @@ func (p *Proxy) Alive() bool {

 // AliveForTestUrl implements C.Proxy
 func (p *Proxy) AliveForTestUrl(url string) bool {
-	if p.extra != nil {
-		if state, ok := p.extra[url]; ok {
-			return state.alive.Load()
-		}
+	if state, ok := p.extra.Load(url); ok {
+		return state.alive.Load()
 	}

 	return p.alive.Load()
@ -88,16 +88,16 @@ func (p *Proxy) DelayHistory() []C.DelayHistory {
 	for _, item := range queueM {
 		histories = append(histories, item)
 	}
+
 	return histories
 }

 // DelayHistoryForTestUrl implements C.Proxy
 func (p *Proxy) DelayHistoryForTestUrl(url string) []C.DelayHistory {
 	var queueM []C.DelayHistory
-	if p.extra != nil {
-		if state, ok := p.extra[url]; ok {
-			queueM = state.history.Copy()
-		}
+
+	if state, ok := p.extra.Load(url); ok {
+		queueM = state.history.Copy()
 	}

 	if queueM == nil {
@ -112,19 +112,25 @@ func (p *Proxy) DelayHistoryForTestUrl(url string) []C.DelayHistory {
 }

 func (p *Proxy) ExtraDelayHistory() map[string][]C.DelayHistory {
-	extra := map[string][]C.DelayHistory{}
-	if p.extra != nil && len(p.extra) != 0 {
-		for testUrl, option := range p.extra {
-			histories := []C.DelayHistory{}
-			queueM := option.history.Copy()
-			for _, item := range queueM {
-				histories = append(histories, item)
-			}
+	extraHistory := map[string][]C.DelayHistory{}

-			extra[testUrl] = histories
+	p.extra.Range(func(k string, v *extraProxyState) bool {
+
+		testUrl := k
+		state := v
+
+		histories := []C.DelayHistory{}
+		queueM := state.history.Copy()
+
+		for _, item := range queueM {
+			histories = append(histories, item)
 		}
-	}
-	return extra
+
+		extraHistory[testUrl] = histories
+
+		return true
+	})
+	return extraHistory
 }

 // LastDelay return last history record. if proxy is not alive, return the max value of uint16.
@ -149,11 +155,9 @@ func (p *Proxy) LastDelayForTestUrl(url string) (delay uint16) {
 	alive := p.alive.Load()
 	history := p.history.Last()

-	if p.extra != nil {
-		if state, ok := p.extra[url]; ok {
-			alive = state.alive.Load()
-			history = state.history.Last()
-		}
+	if state, ok := p.extra.Load(url); ok {
+		alive = state.alive.Load()
+		history = state.history.Last()
 	}

 	if !alive {
@ -213,18 +217,18 @@ func (p *Proxy) URLTest(ctx context.Context, url string, expectedStatus utils.In
 			if alive {
 				record.Delay = t
 			}
-
-			if p.extra == nil {
-				p.extra = map[string]*extraProxyState{}
+			p.history.Put(record)
+			if p.history.Len() > defaultHistoriesNum {
+				p.history.Pop()
 			}

-			state, ok := p.extra[url]
+			state, ok := p.extra.Load(url)
 			if !ok {
 				state = &extraProxyState{
 					history: queue.New[C.DelayHistory](defaultHistoriesNum),
 					alive:   atomic.NewBool(true),
 				}
-				p.extra[url] = state
+				p.extra.Store(url, state)
 			}

 			state.alive.Store(alive)
@ -307,7 +311,12 @@ func (p *Proxy) URLTest(ctx context.Context, url string, expectedStatus utils.In
 }

 func NewProxy(adapter C.ProxyAdapter) *Proxy {
-	return &Proxy{adapter, queue.New[C.DelayHistory](defaultHistoriesNum), atomic.NewBool(true), "", map[string]*extraProxyState{}}
+	return &Proxy{
+		ProxyAdapter: adapter,
+		history:      queue.New[C.DelayHistory](defaultHistoriesNum),
+		alive:        atomic.NewBool(true),
+		url:          "",
+		extra:        xsync.NewMapOf[*extraProxyState]()}
 }

 func urlToMetadata(rawURL string) (addr C.Metadata, err error) {
@ -350,14 +359,14 @@ func (p *Proxy) determineFinalStoreType(store C.DelayHistoryStoreType, url strin
 		return C.OriginalHistory
 	}

-	if p.extra == nil {
-		store = C.ExtraHistory
-	} else {
-		if _, ok := p.extra[url]; ok {
-			store = C.ExtraHistory
-		} else if len(p.extra) < 2*C.DefaultMaxHealthCheckUrlNum {
-			store = C.ExtraHistory
-		}
+	if p.extra.Size() < 2*C.DefaultMaxHealthCheckUrlNum {
+		return C.ExtraHistory
 	}
+
+	_, ok := p.extra.Load(url)
+	if ok {
+		return C.ExtraHistory
+	}
+
 	return store
 }
--- a/adapter/inbound/addition.go
+++ b/adapter/inbound/addition.go
@ -1,13 +1,17 @@
 package inbound

 import (
+	"net"
+
 	C "github.com/Dreamacro/clash/constant"
 )

 type Addition func(metadata *C.Metadata)

-func (a Addition) Apply(metadata *C.Metadata) {
-	a(metadata)
+func ApplyAdditions(metadata *C.Metadata, additions ...Addition) {
+	for _, addition := range additions {
+		addition(metadata)
+	}
 }

 func WithInName(name string) Addition {
@ -33,3 +37,29 @@ func WithSpecialProxy(specialProxy string) Addition {
 		metadata.SpecialProxy = specialProxy
 	}
 }
+
+func WithDstAddr(addr net.Addr) Addition {
+	return func(metadata *C.Metadata) {
+		_ = metadata.SetRemoteAddr(addr)
+	}
+}
+
+func WithSrcAddr(addr net.Addr) Addition {
+	return func(metadata *C.Metadata) {
+		m := C.Metadata{}
+		if err := m.SetRemoteAddr(addr);err ==nil{
+			metadata.SrcIP = m.DstIP
+			metadata.SrcPort = m.DstPort
+		}
+	}
+}
+
+func WithInAddr(addr net.Addr) Addition {
+	return func(metadata *C.Metadata) {
+		m := C.Metadata{}
+		if err := m.SetRemoteAddr(addr);err ==nil{
+			metadata.InIP = m.DstIP
+			metadata.InPort = m.DstPort
+		}
+	}
+}
--- a/adapter/inbound/auth.go
+++ b/adapter/inbound/auth.go
@ -0,0 +1,45 @@
+package inbound
+
+import (
+	"net"
+	"net/netip"
+
+	C "github.com/Dreamacro/clash/constant"
+)
+
+var skipAuthPrefixes []netip.Prefix
+
+func SetSkipAuthPrefixes(prefixes []netip.Prefix) {
+	skipAuthPrefixes = prefixes
+}
+
+func SkipAuthPrefixes() []netip.Prefix {
+	return skipAuthPrefixes
+}
+
+func SkipAuthRemoteAddr(addr net.Addr) bool {
+	m := C.Metadata{}
+	if err := m.SetRemoteAddr(addr); err != nil {
+		return false
+	}
+	return skipAuth(m.AddrPort().Addr())
+}
+
+func SkipAuthRemoteAddress(addr string) bool {
+	m := C.Metadata{}
+	if err := m.SetRemoteAddress(addr); err != nil {
+		return false
+	}
+	return skipAuth(m.AddrPort().Addr())
+}
+
+func skipAuth(addr netip.Addr) bool {
+	if addr.IsValid() {
+		for _, prefix := range skipAuthPrefixes {
+			if prefix.Contains(addr.Unmap()) {
+				return true
+			}
+		}
+	}
+	return false
+}
--- a/adapter/inbound/http.go
+++ b/adapter/inbound/http.go
@ -4,25 +4,17 @@ import (
 	"net"

 	C "github.com/Dreamacro/clash/constant"
-	"github.com/Dreamacro/clash/context"
 	"github.com/Dreamacro/clash/transport/socks5"
 )

 // NewHTTP receive normal http request and return HTTPContext
-func NewHTTP(target socks5.Addr, source net.Addr, conn net.Conn, additions ...Addition) *context.ConnContext {
+func NewHTTP(target socks5.Addr, srcConn net.Conn, conn net.Conn, additions ...Addition) (net.Conn, *C.Metadata) {
 	metadata := parseSocksAddr(target)
 	metadata.NetWork = C.TCP
 	metadata.Type = C.HTTP
-	for _, addition := range additions {
-		addition.Apply(metadata)
-	}
-	if ip, port, err := parseAddr(source); err == nil {
-		metadata.SrcIP = ip
-		metadata.SrcPort = port
-	}
-	if ip, port, err := parseAddr(conn.LocalAddr()); err == nil {
-		metadata.InIP = ip
-		metadata.InPort = port
-	}
-	return context.NewConnContext(conn, metadata)
+	metadata.RawSrcAddr = srcConn.RemoteAddr()
+	metadata.RawDstAddr = srcConn.LocalAddr()
+	ApplyAdditions(metadata, WithSrcAddr(srcConn.RemoteAddr()), WithInAddr(conn.LocalAddr()))
+	ApplyAdditions(metadata, additions...)
+	return conn, metadata
 }
--- a/adapter/inbound/https.go
+++ b/adapter/inbound/https.go
@ -5,23 +5,13 @@ import (
 	"net/http"

 	C "github.com/Dreamacro/clash/constant"
-	"github.com/Dreamacro/clash/context"
 )

 // NewHTTPS receive CONNECT request and return ConnContext
-func NewHTTPS(request *http.Request, conn net.Conn, additions ...Addition) *context.ConnContext {
+func NewHTTPS(request *http.Request, conn net.Conn, additions ...Addition) (net.Conn, *C.Metadata) {
 	metadata := parseHTTPAddr(request)
 	metadata.Type = C.HTTPS
-	for _, addition := range additions {
-		addition.Apply(metadata)
-	}
-	if ip, port, err := parseAddr(conn.RemoteAddr()); err == nil {
-		metadata.SrcIP = ip
-		metadata.SrcPort = port
-	}
-	if ip, port, err := parseAddr(conn.LocalAddr()); err == nil {
-		metadata.InIP = ip
-		metadata.InPort = port
-	}
-	return context.NewConnContext(conn, metadata)
+	ApplyAdditions(metadata, WithSrcAddr(conn.RemoteAddr()), WithInAddr(conn.LocalAddr()))
+	ApplyAdditions(metadata, additions...)
+	return conn, metadata
 }
--- a/adapter/inbound/packet.go
+++ b/adapter/inbound/packet.go
@ -5,38 +5,18 @@ import (
 	"github.com/Dreamacro/clash/transport/socks5"
 )

-// PacketAdapter is a UDP Packet adapter for socks/redir/tun
-type PacketAdapter struct {
-	C.UDPPacket
-	metadata *C.Metadata
-}
-
-// Metadata returns destination metadata
-func (s *PacketAdapter) Metadata() *C.Metadata {
-	return s.metadata
-}
-
 // NewPacket is PacketAdapter generator
-func NewPacket(target socks5.Addr, packet C.UDPPacket, source C.Type, additions ...Addition) C.PacketAdapter {
+func NewPacket(target socks5.Addr, packet C.UDPPacket, source C.Type, additions ...Addition) (C.UDPPacket, *C.Metadata) {
 	metadata := parseSocksAddr(target)
 	metadata.NetWork = C.UDP
 	metadata.Type = source
-	for _, addition := range additions {
-		addition.Apply(metadata)
-	}
-	if ip, port, err := parseAddr(packet.LocalAddr()); err == nil {
-		metadata.SrcIP = ip
-		metadata.SrcPort = port
-	}
+	metadata.RawSrcAddr = packet.LocalAddr()
+	metadata.RawDstAddr = metadata.UDPAddr()
+	ApplyAdditions(metadata, WithSrcAddr(packet.LocalAddr()))
 	if p, ok := packet.(C.UDPPacketInAddr); ok {
-		if ip, port, err := parseAddr(p.InAddr()); err == nil {
-			metadata.InIP = ip
-			metadata.InPort = port
-		}
+		ApplyAdditions(metadata, WithInAddr(p.InAddr()))
 	}
+	ApplyAdditions(metadata, additions...)

-	return &PacketAdapter{
-		packet,
-		metadata,
-	}
+	return packet, metadata
 }
--- a/adapter/inbound/socket.go
+++ b/adapter/inbound/socket.go
@ -2,51 +2,17 @@ package inbound

 import (
 	"net"
-	"net/netip"
-	"strconv"

 	C "github.com/Dreamacro/clash/constant"
-	"github.com/Dreamacro/clash/context"
 	"github.com/Dreamacro/clash/transport/socks5"
 )

 // NewSocket receive TCP inbound and return ConnContext
-func NewSocket(target socks5.Addr, conn net.Conn, source C.Type, additions ...Addition) *context.ConnContext {
+func NewSocket(target socks5.Addr, conn net.Conn, source C.Type, additions ...Addition) (net.Conn, *C.Metadata) {
 	metadata := parseSocksAddr(target)
 	metadata.NetWork = C.TCP
 	metadata.Type = source
-	for _, addition := range additions {
-		addition.Apply(metadata)
-	}
-
-	if ip, port, err := parseAddr(conn.RemoteAddr()); err == nil {
-		metadata.SrcIP = ip
-		metadata.SrcPort = port
-	}
-	if ip, port, err := parseAddr(conn.LocalAddr()); err == nil {
-		metadata.InIP = ip
-		metadata.InPort = port
-	}
-
-	return context.NewConnContext(conn, metadata)
-}
-
-func NewInner(conn net.Conn, address string) *context.ConnContext {
-	metadata := &C.Metadata{}
-	metadata.NetWork = C.TCP
-	metadata.Type = C.INNER
-	metadata.DNSMode = C.DNSNormal
-	metadata.Process = C.ClashName
-	if h, port, err := net.SplitHostPort(address); err == nil {
-		if port, err := strconv.ParseUint(port, 10, 16); err == nil {
-			metadata.DstPort = uint16(port)
-		}
-		if ip, err := netip.ParseAddr(h); err == nil {
-			metadata.DstIP = ip
-		} else {
-			metadata.Host = h
-		}
-	}
-
-	return context.NewConnContext(conn, metadata)
+	ApplyAdditions(metadata, WithSrcAddr(conn.RemoteAddr()), WithInAddr(conn.LocalAddr()))
+	ApplyAdditions(metadata, additions...)
+	return conn, metadata
 }
--- a/adapter/inbound/util.go
+++ b/adapter/inbound/util.go
@ -1,7 +1,6 @@
 package inbound

 import (
-	"errors"
 	"net"
 	"net/http"
 	"net/netip"
@ -62,29 +61,3 @@ func parseHTTPAddr(request *http.Request) *C.Metadata {

 	return metadata
 }
-
-func parseAddr(addr net.Addr) (netip.Addr, uint16, error) {
-	// Filter when net.Addr interface is nil
-	if addr == nil {
-		return netip.Addr{}, 0, errors.New("nil addr")
-	}
-	if rawAddr, ok := addr.(interface{ RawAddr() net.Addr }); ok {
-		ip, port, err := parseAddr(rawAddr.RawAddr())
-		if err == nil {
-			return ip, port, err
-		}
-	}
-	addrStr := addr.String()
-	host, port, err := net.SplitHostPort(addrStr)
-	if err != nil {
-		return netip.Addr{}, 0, err
-	}
-
-	var uint16Port uint16
-	if port, err := strconv.ParseUint(port, 10, 16); err == nil {
-		uint16Port = uint16(port)
-	}
-
-	ip, err := netip.ParseAddr(host)
-	return ip, uint16Port, err
-}
--- a/adapter/outbound/direct.go
+++ b/adapter/outbound/direct.go
@ -3,6 +3,9 @@ package outbound
 import (
 	"context"
 	"errors"
+	"net/netip"
+
+	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/resolver"
 	C "github.com/Dreamacro/clash/constant"
@ -12,6 +15,11 @@ type Direct struct {
 	*Base
 }

+type DirectOption struct {
+	BasicOption
+	Name string `proxy:"name"`
+}
+
 // DialContext implements C.ProxyAdapter
 func (d *Direct) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
 	opts = append(opts, dialer.WithResolver(resolver.DefaultResolver))
@ -19,7 +27,7 @@ func (d *Direct) DialContext(ctx context.Context, metadata *C.Metadata, opts ...
 	if err != nil {
 		return nil, err
 	}
-	tcpKeepAlive(c)
+	N.TCPKeepAlive(c)
 	return NewConn(c, d), nil
 }

@ -33,13 +41,28 @@ func (d *Direct) ListenPacketContext(ctx context.Context, metadata *C.Metadata,
 		}
 		metadata.DstIP = ip
 	}
-	pc, err := dialer.ListenPacket(ctx, dialer.ParseNetwork("udp", metadata.DstIP), "", d.Base.DialOptions(opts...)...)
+	pc, err := dialer.NewDialer(d.Base.DialOptions(opts...)...).ListenPacket(ctx, "udp", "", netip.AddrPortFrom(metadata.DstIP, metadata.DstPort))
 	if err != nil {
 		return nil, err
 	}
 	return newPacketConn(pc, d), nil
 }

+func NewDirectWithOption(option DirectOption) *Direct {
+	return &Direct{
+		Base: &Base{
+			name:   option.Name,
+			tp:     C.Direct,
+			udp:    true,
+			tfo:    option.TFO,
+			mpTcp:  option.MPTCP,
+			iface:  option.Interface,
+			rmark:  option.RoutingMark,
+			prefer: C.NewDNSPrefer(option.IPVersion),
+		},
+	}
+}
+
 func NewDirect() *Direct {
 	return &Direct{
 		Base: &Base{
--- a/adapter/outbound/http.go
+++ b/adapter/outbound/http.go
@ -7,14 +7,16 @@ import (
 	"encoding/base64"
 	"errors"
 	"fmt"
+
 	"io"
 	"net"
 	"net/http"
 	"strconv"

+	N "github.com/Dreamacro/clash/common/net"
+	"github.com/Dreamacro/clash/component/ca"
 	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/proxydialer"
-	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
 )

@ -74,7 +76,7 @@ func (h *Http) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metad
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", h.addr, err)
 	}
-	tcpKeepAlive(c)
+	N.TCPKeepAlive(c)

 	defer func(c net.Conn) {
 		safeConnClose(c, err)
@ -155,19 +157,13 @@ func NewHttp(option HttpOption) (*Http, error) {
 		if option.SNI != "" {
 			sni = option.SNI
 		}
-		if len(option.Fingerprint) == 0 {
-			tlsConfig = tlsC.GetGlobalTLSConfig(&tls.Config{
-				InsecureSkipVerify: option.SkipCertVerify,
-				ServerName:         sni,
-			})
-		} else {
-			var err error
-			if tlsConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(&tls.Config{
-				InsecureSkipVerify: option.SkipCertVerify,
-				ServerName:         sni,
-			}, option.Fingerprint); err != nil {
-				return nil, err
-			}
+		var err error
+		tlsConfig, err = ca.GetSpecifiedFingerprintTLSConfig(&tls.Config{
+			InsecureSkipVerify: option.SkipCertVerify,
+			ServerName:         sni,
+		}, option.Fingerprint)
+		if err != nil {
+			return nil, err
 		}
 	}

--- a/adapter/outbound/hysteria.go
+++ b/adapter/outbound/hysteria.go
@ -2,16 +2,11 @@ package outbound

 import (
 	"context"
-	"crypto/sha256"
 	"crypto/tls"
 	"encoding/base64"
-	"encoding/hex"
-	"encoding/pem"
 	"fmt"
 	"net"
 	"net/netip"
-	"os"
-	"regexp"
 	"strconv"
 	"time"

@ -19,9 +14,9 @@ import (
 	"github.com/metacubex/quic-go/congestion"
 	M "github.com/sagernet/sing/common/metadata"

+	"github.com/Dreamacro/clash/component/ca"
 	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/proxydialer"
-	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/log"
 	hyCongestion "github.com/Dreamacro/clash/transport/hysteria/congestion"
@ -43,8 +38,6 @@ const (
 	DefaultHopInterval = 10
 )

-var rateStringRegexp = regexp.MustCompile(`^(\d+)\s*([KMGT]?)([Bb])ps$`)
-
 type Hysteria struct {
 	*Base

@ -53,7 +46,7 @@ type Hysteria struct {
 }

 func (h *Hysteria) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
-	tcpConn, err := h.client.DialTCP(metadata.RemoteAddress(), h.genHdc(ctx, opts...))
+	tcpConn, err := h.client.DialTCP(metadata.String(), metadata.DstPort, h.genHdc(ctx, opts...))
 	if err != nil {
 		return nil, err
 	}
@ -120,12 +113,12 @@ type HysteriaOption struct {

 func (c *HysteriaOption) Speed() (uint64, uint64, error) {
 	var up, down uint64
-	up = stringToBps(c.Up)
+	up = StringToBps(c.Up)
 	if up == 0 {
 		return 0, 0, fmt.Errorf("invaild upload speed: %s", c.Up)
 	}

-	down = stringToBps(c.Down)
+	down = StringToBps(c.Down)
 	if down == 0 {
 		return 0, 0, fmt.Errorf("invaild download speed: %s", c.Down)
 	}
@ -153,37 +146,10 @@ func NewHysteria(option HysteriaOption) (*Hysteria, error) {
 		MinVersion:         tls.VersionTLS13,
 	}

-	var bs []byte
 	var err error
-	if len(option.CustomCA) > 0 {
-		bs, err = os.ReadFile(option.CustomCA)
-		if err != nil {
-			return nil, fmt.Errorf("hysteria %s load ca error: %w", addr, err)
-		}
-	} else if option.CustomCAString != "" {
-		bs = []byte(option.CustomCAString)
-	}
-
-	if len(bs) > 0 {
-		block, _ := pem.Decode(bs)
-		if block == nil {
-			return nil, fmt.Errorf("CA cert is not PEM")
-		}
-
-		fpBytes := sha256.Sum256(block.Bytes)
-		if len(option.Fingerprint) == 0 {
-			option.Fingerprint = hex.EncodeToString(fpBytes[:])
-		}
-	}
-
-	if len(option.Fingerprint) != 0 {
-		var err error
-		tlsConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint)
-		if err != nil {
-			return nil, err
-		}
-	} else {
-		tlsConfig = tlsC.GetGlobalTLSConfig(tlsConfig)
+	tlsConfig, err = ca.GetTLSConfig(tlsConfig, option.Fingerprint, option.CustomCA, option.CustomCAString)
+	if err != nil {
+		return nil, err
 	}

 	if len(option.ALPN) > 0 {
@ -268,42 +234,6 @@ func NewHysteria(option HysteriaOption) (*Hysteria, error) {
 	}, nil
 }

-func stringToBps(s string) uint64 {
-	if s == "" {
-		return 0
-	}
-
-	// when have not unit, use Mbps
-	if v, err := strconv.Atoi(s); err == nil {
-		return stringToBps(fmt.Sprintf("%d Mbps", v))
-	}
-
-	m := rateStringRegexp.FindStringSubmatch(s)
-	if m == nil {
-		return 0
-	}
-	var n uint64
-	switch m[2] {
-	case "K":
-		n = 1 << 10
-	case "M":
-		n = 1 << 20
-	case "G":
-		n = 1 << 30
-	case "T":
-		n = 1 << 40
-	default:
-		n = 1
-	}
-	v, _ := strconv.ParseUint(m[1], 10, 64)
-	n = v * n
-	if m[3] == "b" {
-		// Bits, need to convert to bytes
-		n = n >> 3
-	}
-	return n
-}
-
 type hyPacketConn struct {
 	core.UDPConn
 }
--- a/adapter/outbound/hysteria2.go
+++ b/adapter/outbound/hysteria2.go
@ -0,0 +1,157 @@
+package outbound
+
+import (
+	"context"
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"net"
+	"runtime"
+	"strconv"
+
+	CN "github.com/Dreamacro/clash/common/net"
+	"github.com/Dreamacro/clash/component/ca"
+	"github.com/Dreamacro/clash/component/dialer"
+	"github.com/Dreamacro/clash/component/proxydialer"
+	C "github.com/Dreamacro/clash/constant"
+	tuicCommon "github.com/Dreamacro/clash/transport/tuic/common"
+
+	"github.com/metacubex/sing-quic/hysteria2"
+
+	M "github.com/sagernet/sing/common/metadata"
+)
+
+func init() {
+	hysteria2.SetCongestionController = tuicCommon.SetCongestionController
+}
+
+type Hysteria2 struct {
+	*Base
+
+	option *Hysteria2Option
+	client *hysteria2.Client
+	dialer proxydialer.SingDialer
+}
+
+type Hysteria2Option struct {
+	BasicOption
+	Name           string   `proxy:"name"`
+	Server         string   `proxy:"server"`
+	Port           int      `proxy:"port"`
+	Up             string   `proxy:"up,omitempty"`
+	Down           string   `proxy:"down,omitempty"`
+	Password       string   `proxy:"password,omitempty"`
+	Obfs           string   `proxy:"obfs,omitempty"`
+	ObfsPassword   string   `proxy:"obfs-password,omitempty"`
+	SNI            string   `proxy:"sni,omitempty"`
+	SkipCertVerify bool     `proxy:"skip-cert-verify,omitempty"`
+	Fingerprint    string   `proxy:"fingerprint,omitempty"`
+	ALPN           []string `proxy:"alpn,omitempty"`
+	CustomCA       string   `proxy:"ca,omitempty"`
+	CustomCAString string   `proxy:"ca-str,omitempty"`
+	CWND           int      `proxy:"cwnd,omitempty"`
+}
+
+func (h *Hysteria2) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
+	options := h.Base.DialOptions(opts...)
+	h.dialer.SetDialer(dialer.NewDialer(options...))
+	c, err := h.client.DialConn(ctx, M.ParseSocksaddrHostPort(metadata.String(), metadata.DstPort))
+	if err != nil {
+		return nil, err
+	}
+	return NewConn(CN.NewRefConn(c, h), h), nil
+}
+
+func (h *Hysteria2) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
+	options := h.Base.DialOptions(opts...)
+	h.dialer.SetDialer(dialer.NewDialer(options...))
+	pc, err := h.client.ListenPacket(ctx)
+	if err != nil {
+		return nil, err
+	}
+	if pc == nil {
+		return nil, errors.New("packetConn is nil")
+	}
+	return newPacketConn(CN.NewRefPacketConn(CN.NewThreadSafePacketConn(pc), h), h), nil
+}
+
+func closeHysteria2(h *Hysteria2) {
+	if h.client != nil {
+		_ = h.client.CloseWithError(errors.New("proxy removed"))
+	}
+}
+
+func NewHysteria2(option Hysteria2Option) (*Hysteria2, error) {
+	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
+	var salamanderPassword string
+	if len(option.Obfs) > 0 {
+		if option.ObfsPassword == "" {
+			return nil, errors.New("missing obfs password")
+		}
+		switch option.Obfs {
+		case hysteria2.ObfsTypeSalamander:
+			salamanderPassword = option.ObfsPassword
+		default:
+			return nil, fmt.Errorf("unknown obfs type: %s", option.Obfs)
+		}
+	}
+
+	serverName := option.Server
+	if option.SNI != "" {
+		serverName = option.SNI
+	}
+
+	tlsConfig := &tls.Config{
+		ServerName:         serverName,
+		InsecureSkipVerify: option.SkipCertVerify,
+		MinVersion:         tls.VersionTLS13,
+	}
+
+	var err error
+	tlsConfig, err = ca.GetTLSConfig(tlsConfig, option.Fingerprint, option.CustomCA, option.CustomCAString)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(option.ALPN) > 0 {
+		tlsConfig.NextProtos = option.ALPN
+	}
+
+	singDialer := proxydialer.NewByNameSingDialer(option.DialerProxy, dialer.NewDialer())
+
+	clientOptions := hysteria2.ClientOptions{
+		Context:            context.TODO(),
+		Dialer:             singDialer,
+		ServerAddress:      M.ParseSocksaddrHostPort(option.Server, uint16(option.Port)),
+		SendBPS:            StringToBps(option.Up),
+		ReceiveBPS:         StringToBps(option.Down),
+		SalamanderPassword: salamanderPassword,
+		Password:           option.Password,
+		TLSConfig:          tlsConfig,
+		UDPDisabled:        false,
+		CWND:               option.CWND,
+	}
+
+	client, err := hysteria2.NewClient(clientOptions)
+	if err != nil {
+		return nil, err
+	}
+
+	outbound := &Hysteria2{
+		Base: &Base{
+			name:   option.Name,
+			addr:   addr,
+			tp:     C.Hysteria2,
+			udp:    true,
+			iface:  option.Interface,
+			rmark:  option.RoutingMark,
+			prefer: C.NewDNSPrefer(option.IPVersion),
+		},
+		option: &option,
+		client: client,
+		dialer: singDialer,
+	}
+	runtime.SetFinalizer(outbound, closeHysteria2)
+
+	return outbound, nil
+}
--- a/adapter/outbound/reject.go
+++ b/adapter/outbound/reject.go
@ -15,6 +15,10 @@ type Reject struct {
 	*Base
 }

+type RejectOption struct {
+	Name string `proxy:"name"`
+}
+
 // DialContext implements C.ProxyAdapter
 func (r *Reject) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
 	return NewConn(nopConn{}, r), nil
@ -25,6 +29,16 @@ func (r *Reject) ListenPacketContext(ctx context.Context, metadata *C.Metadata,
 	return newPacketConn(nopPacketConn{}, r), nil
 }

+func NewRejectWithOption(option RejectOption) *Reject {
+	return &Reject{
+		Base: &Base{
+			name: option.Name,
+			tp:   C.Direct,
+			udp:  true,
+		},
+	}
+}
+
 func NewReject() *Reject {
 	return &Reject{
 		Base: &Base{
--- a/adapter/outbound/shadowsocks.go
+++ b/adapter/outbound/shadowsocks.go
@ -19,7 +19,7 @@ import (
 	v2rayObfs "github.com/Dreamacro/clash/transport/v2ray-plugin"

 	restlsC "github.com/3andne/restls-client-go"
-	"github.com/metacubex/sing-shadowsocks2"
+	shadowsocks "github.com/metacubex/sing-shadowsocks2"
 	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/uot"
 )
@ -58,14 +58,15 @@ type simpleObfsOption struct {
 }

 type v2rayObfsOption struct {
-	Mode           string            `obfs:"mode"`
-	Host           string            `obfs:"host,omitempty"`
-	Path           string            `obfs:"path,omitempty"`
-	TLS            bool              `obfs:"tls,omitempty"`
-	Fingerprint    string            `obfs:"fingerprint,omitempty"`
-	Headers        map[string]string `obfs:"headers,omitempty"`
-	SkipCertVerify bool              `obfs:"skip-cert-verify,omitempty"`
-	Mux            bool              `obfs:"mux,omitempty"`
+	Mode             string            `obfs:"mode"`
+	Host             string            `obfs:"host,omitempty"`
+	Path             string            `obfs:"path,omitempty"`
+	TLS              bool              `obfs:"tls,omitempty"`
+	Fingerprint      string            `obfs:"fingerprint,omitempty"`
+	Headers          map[string]string `obfs:"headers,omitempty"`
+	SkipCertVerify   bool              `obfs:"skip-cert-verify,omitempty"`
+	Mux              bool              `obfs:"mux,omitempty"`
+	V2rayHttpUpgrade bool              `obfs:"v2ray-http-upgrade,omitempty"`
 }

 type shadowTLSOption struct {
@ -123,9 +124,9 @@ func (ss *ShadowSocks) StreamConnContext(ctx context.Context, c net.Conn, metada
 		}
 	}
 	if useEarly {
-		return ss.method.DialEarlyConn(c, M.ParseSocksaddr(metadata.RemoteAddress())), nil
+		return ss.method.DialEarlyConn(c, M.ParseSocksaddrHostPort(metadata.String(), metadata.DstPort)), nil
 	} else {
-		return ss.method.DialConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
+		return ss.method.DialConn(c, M.ParseSocksaddrHostPort(metadata.String(), metadata.DstPort))
 	}
 }

@ -146,7 +147,7 @@ func (ss *ShadowSocks) DialContextWithDialer(ctx context.Context, dialer C.Diale
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", ss.addr, err)
 	}
-	tcpKeepAlive(c)
+	N.TCPKeepAlive(c)

 	defer func(c net.Conn) {
 		safeConnClose(c, err)
@ -259,10 +260,11 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 		}
 		obfsMode = opts.Mode
 		v2rayOption = &v2rayObfs.Option{
-			Host:    opts.Host,
-			Path:    opts.Path,
-			Headers: opts.Headers,
-			Mux:     opts.Mux,
+			Host:             opts.Host,
+			Path:             opts.Path,
+			Headers:          opts.Headers,
+			Mux:              opts.Mux,
+			V2rayHttpUpgrade: opts.V2rayHttpUpgrade,
 		}

 		if opts.TLS {
@ -294,7 +296,6 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 		}

 		restlsConfig, err = restlsC.NewRestlsConfig(restlsOpt.Host, restlsOpt.Password, restlsOpt.VersionHint, restlsOpt.RestlsScript, option.ClientFingerprint)
-		restlsConfig.SessionTicketsDisabled = true
 		if err != nil {
 			return nil, fmt.Errorf("ss %s initialize restls-plugin error: %w", addr, err)
 		}
--- a/adapter/outbound/shadowsocksr.go
+++ b/adapter/outbound/shadowsocksr.go
@ -80,7 +80,7 @@ func (ssr *ShadowSocksR) DialContextWithDialer(ctx context.Context, dialer C.Dia
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", ssr.addr, err)
 	}
-	tcpKeepAlive(c)
+	N.TCPKeepAlive(c)

 	defer func(c net.Conn) {
 		safeConnClose(c, err)
--- a/adapter/outbound/singmux.go
+++ b/adapter/outbound/singmux.go
@ -3,7 +3,6 @@ package outbound
 import (
 	"context"
 	"errors"
-	"net"
 	"runtime"

 	CN "github.com/Dreamacro/clash/common/net"
@ -15,14 +14,13 @@ import (
 	mux "github.com/sagernet/sing-mux"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
 )

 type SingMux struct {
 	C.ProxyAdapter
 	base    ProxyBase
 	client  *mux.Client
-	dialer  *muxSingDialer
+	dialer  proxydialer.SingDialer
 	onlyTcp bool
 }

@ -41,28 +39,10 @@ type ProxyBase interface {
 	DialOptions(opts ...dialer.Option) []dialer.Option
 }

-type muxSingDialer struct {
-	dialer    dialer.Dialer
-	proxy     C.ProxyAdapter
-	statistic bool
-}
-
-var _ N.Dialer = (*muxSingDialer)(nil)
-
-func (d *muxSingDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	var cDialer C.Dialer = proxydialer.New(d.proxy, d.dialer, d.statistic)
-	return cDialer.DialContext(ctx, network, destination.String())
-}
-
-func (d *muxSingDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	var cDialer C.Dialer = proxydialer.New(d.proxy, d.dialer, d.statistic)
-	return cDialer.ListenPacket(ctx, "udp", "", destination.AddrPort())
-}
-
 func (s *SingMux) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
 	options := s.base.DialOptions(opts...)
-	s.dialer.dialer = dialer.NewDialer(options...)
-	c, err := s.client.DialContext(ctx, "tcp", M.ParseSocksaddr(metadata.RemoteAddress()))
+	s.dialer.SetDialer(dialer.NewDialer(options...))
+	c, err := s.client.DialContext(ctx, "tcp", M.ParseSocksaddrHostPort(metadata.String(), metadata.DstPort))
 	if err != nil {
 		return nil, err
 	}
@ -74,7 +54,7 @@ func (s *SingMux) ListenPacketContext(ctx context.Context, metadata *C.Metadata,
 		return s.ProxyAdapter.ListenPacketContext(ctx, metadata, opts...)
 	}
 	options := s.base.DialOptions(opts...)
-	s.dialer.dialer = dialer.NewDialer(options...)
+	s.dialer.SetDialer(dialer.NewDialer(options...))

 	// sing-mux use stream-oriented udp with a special address, so we need a net.UDPAddr
 	if !metadata.Resolved() {
@ -114,7 +94,7 @@ func closeSingMux(s *SingMux) {
 }

 func NewSingMux(option SingMuxOption, proxy C.ProxyAdapter, base ProxyBase) (C.ProxyAdapter, error) {
-	singDialer := &muxSingDialer{dialer: dialer.NewDialer(), proxy: proxy, statistic: option.Statistic}
+	singDialer := proxydialer.NewSingDialer(proxy, dialer.NewDialer(), option.Statistic)
 	client, err := mux.NewClient(mux.Options{
 		Dialer:         singDialer,
 		Protocol:       option.Protocol,
--- a/adapter/outbound/snell.go
+++ b/adapter/outbound/snell.go
@ -6,6 +6,7 @@ import (
 	"net"
 	"strconv"

+	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/common/structure"
 	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/proxydialer"
@ -93,7 +94,7 @@ func (s *Snell) DialContextWithDialer(ctx context.Context, dialer C.Dialer, meta
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", s.addr, err)
 	}
-	tcpKeepAlive(c)
+	N.TCPKeepAlive(c)

 	defer func(c net.Conn) {
 		safeConnClose(c, err)
@ -121,7 +122,7 @@ func (s *Snell) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, met
 	if err != nil {
 		return nil, err
 	}
-	tcpKeepAlive(c)
+	N.TCPKeepAlive(c)
 	c = streamConn(c, streamOption{s.psk, s.version, s.addr, s.obfsOption})

 	err = snell.WriteUDPHeader(c, s.version)
@ -207,7 +208,7 @@ func NewSnell(option SnellOption) (*Snell, error) {
 				return nil, err
 			}

-			tcpKeepAlive(c)
+			N.TCPKeepAlive(c)
 			return streamConn(c, streamOption{psk, option.Version, addr, obfsOption}), nil
 		})
 	}
--- a/adapter/outbound/socks5.go
+++ b/adapter/outbound/socks5.go
@ -7,11 +7,13 @@ import (
 	"fmt"
 	"io"
 	"net"
+	"net/netip"
 	"strconv"

+	N "github.com/Dreamacro/clash/common/net"
+	"github.com/Dreamacro/clash/component/ca"
 	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/proxydialer"
-	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/socks5"
 )
@ -80,7 +82,7 @@ func (ss *Socks5) DialContextWithDialer(ctx context.Context, dialer C.Dialer, me
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", ss.addr, err)
 	}
-	tcpKeepAlive(c)
+	N.TCPKeepAlive(c)

 	defer func(c net.Conn) {
 		safeConnClose(c, err)
@ -126,7 +128,7 @@ func (ss *Socks5) ListenPacketContext(ctx context.Context, metadata *C.Metadata,
 		safeConnClose(c, err)
 	}(c)

-	tcpKeepAlive(c)
+	N.TCPKeepAlive(c)
 	var user *socks5.User
 	if ss.user != "" {
 		user = &socks5.User{
@ -135,7 +137,8 @@ func (ss *Socks5) ListenPacketContext(ctx context.Context, metadata *C.Metadata,
 		}
 	}

-	bindAddr, err := socks5.ClientHandshake(c, serializesSocksAddr(metadata), socks5.CmdUDPAssociate, user)
+	udpAssocateAddr := socks5.AddrFromStdAddrPort(netip.AddrPortFrom(netip.IPv4Unspecified(), 0))
+	bindAddr, err := socks5.ClientHandshake(c, udpAssocateAddr, socks5.CmdUDPAssociate, user)
 	if err != nil {
 		err = fmt.Errorf("client hanshake error: %w", err)
 		return
@ -155,7 +158,7 @@ func (ss *Socks5) ListenPacketContext(ctx context.Context, metadata *C.Metadata,
 		bindUDPAddr.IP = serverAddr.IP
 	}

-	pc, err := dialer.ListenPacket(ctx, dialer.ParseNetwork("udp", bindUDPAddr.AddrPort().Addr()), "", ss.Base.DialOptions(opts...)...)
+	pc, err := cDialer.ListenPacket(ctx, "udp", "", bindUDPAddr.AddrPort())
 	if err != nil {
 		return
 	}
@ -179,13 +182,10 @@ func NewSocks5(option Socks5Option) (*Socks5, error) {
 			ServerName:         option.Server,
 		}

-		if len(option.Fingerprint) == 0 {
-			tlsConfig = tlsC.GetGlobalTLSConfig(tlsConfig)
-		} else {
-			var err error
-			if tlsConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint); err != nil {
-				return nil, err
-			}
+		var err error
+		tlsConfig, err = ca.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint)
+		if err != nil {
+			return nil, err
 		}
 	}

--- a/adapter/outbound/trojan.go
+++ b/adapter/outbound/trojan.go
@ -8,6 +8,8 @@ import (
 	"net/http"
 	"strconv"

+	N "github.com/Dreamacro/clash/common/net"
+	"github.com/Dreamacro/clash/component/ca"
 	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/proxydialer"
 	tlsC "github.com/Dreamacro/clash/component/tls"
@ -51,9 +53,10 @@ func (t *Trojan) plainStream(ctx context.Context, c net.Conn) (net.Conn, error)
 	if t.option.Network == "ws" {
 		host, port, _ := net.SplitHostPort(t.addr)
 		wsOpts := &trojan.WebsocketOption{
-			Host: host,
-			Port: port,
-			Path: t.option.WSOpts.Path,
+			Host:             host,
+			Port:             port,
+			Path:             t.option.WSOpts.Path,
+			V2rayHttpUpgrade: t.option.WSOpts.V2rayHttpUpgrade,
 		}

 		if t.option.SNI != "" {
@ -131,7 +134,7 @@ func (t *Trojan) DialContextWithDialer(ctx context.Context, dialer C.Dialer, met
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
 	}
-	tcpKeepAlive(c)
+	N.TCPKeepAlive(c)

 	defer func(c net.Conn) {
 		safeConnClose(c, err)
@ -184,7 +187,7 @@ func (t *Trojan) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, me
 	defer func(c net.Conn) {
 		safeConnClose(c, err)
 	}(c)
-	tcpKeepAlive(c)
+	N.TCPKeepAlive(c)
 	c, err = t.plainStream(ctx, c)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
@ -268,7 +271,7 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 			if err != nil {
 				return nil, fmt.Errorf("%s connect error: %s", t.addr, err.Error())
 			}
-			tcpKeepAlive(c)
+			N.TCPKeepAlive(c)
 			return c, nil
 		}

@ -279,13 +282,10 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 			ServerName:         tOption.ServerName,
 		}

-		if len(option.Fingerprint) == 0 {
-			tlsConfig = tlsC.GetGlobalTLSConfig(tlsConfig)
-		} else {
-			var err error
-			if tlsConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint); err != nil {
-				return nil, err
-			}
+		var err error
+		tlsConfig, err = ca.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint)
+		if err != nil {
+			return nil, err
 		}

 		t.transport = gun.NewHTTP2Client(dialFn, tlsConfig, tOption.ClientFingerprint, t.realityConfig)
--- a/adapter/outbound/tuic.go
+++ b/adapter/outbound/tuic.go
@ -2,25 +2,25 @@ package outbound

 import (
 	"context"
-	"crypto/sha256"
 	"crypto/tls"
-	"encoding/hex"
-	"encoding/pem"
+	"errors"
 	"fmt"
 	"math"
 	"net"
-	"os"
 	"strconv"
 	"time"

+	"github.com/Dreamacro/clash/component/ca"
 	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/proxydialer"
-	tlsC "github.com/Dreamacro/clash/component/tls"
+	"github.com/Dreamacro/clash/component/resolver"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/tuic"

 	"github.com/gofrs/uuid/v5"
 	"github.com/metacubex/quic-go"
+	M "github.com/sagernet/sing/common/metadata"
+	"github.com/sagernet/sing/common/uot"
 )

 type Tuic struct {
@ -59,6 +59,9 @@ type TuicOption struct {
 	DisableMTUDiscovery  bool   `proxy:"disable-mtu-discovery,omitempty"`
 	MaxDatagramFrameSize int    `proxy:"max-datagram-frame-size,omitempty"`
 	SNI                  string `proxy:"sni,omitempty"`
+
+	UDPOverStream        bool `proxy:"udp-over-stream,omitempty"`
+	UDPOverStreamVersion int  `proxy:"udp-over-stream-version,omitempty"`
 }

 // DialContext implements C.ProxyAdapter
@ -82,6 +85,32 @@ func (t *Tuic) ListenPacketContext(ctx context.Context, metadata *C.Metadata, op

 // ListenPacketWithDialer implements C.ProxyAdapter
 func (t *Tuic) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.PacketConn, err error) {
+	if t.option.UDPOverStream {
+		uotDestination := uot.RequestDestination(uint8(t.option.UDPOverStreamVersion))
+		uotMetadata := *metadata
+		uotMetadata.Host = uotDestination.Fqdn
+		uotMetadata.DstPort = uotDestination.Port
+		c, err := t.DialContextWithDialer(ctx, dialer, &uotMetadata)
+		if err != nil {
+			return nil, err
+		}
+
+		// tuic uos use stream-oriented udp with a special address, so we need a net.UDPAddr
+		if !metadata.Resolved() {
+			ip, err := resolver.ResolveIP(ctx, metadata.Host)
+			if err != nil {
+				return nil, errors.New("can't resolve ip")
+			}
+			metadata.DstIP = ip
+		}
+
+		destination := M.SocksaddrFromNet(metadata.UDPAddr())
+		if t.option.UDPOverStreamVersion == uot.LegacyVersion {
+			return newPacketConn(uot.NewConn(c, uot.Request{Destination: destination}), t), nil
+		} else {
+			return newPacketConn(uot.NewLazyConn(c, uot.Request{Destination: destination}), t), nil
+		}
+	}
 	pc, err := t.client.ListenPacketWithDialer(ctx, metadata, dialer, t.dialWithDialer)
 	if err != nil {
 		return nil, err
@ -129,37 +158,10 @@ func NewTuic(option TuicOption) (*Tuic, error) {
 		tlsConfig.ServerName = option.SNI
 	}

-	var bs []byte
 	var err error
-	if len(option.CustomCA) > 0 {
-		bs, err = os.ReadFile(option.CustomCA)
-		if err != nil {
-			return nil, fmt.Errorf("tuic %s load ca error: %w", addr, err)
-		}
-	} else if option.CustomCAString != "" {
-		bs = []byte(option.CustomCAString)
-	}
-
-	if len(bs) > 0 {
-		block, _ := pem.Decode(bs)
-		if block == nil {
-			return nil, fmt.Errorf("CA cert is not PEM")
-		}
-
-		fpBytes := sha256.Sum256(block.Bytes)
-		if len(option.Fingerprint) == 0 {
-			option.Fingerprint = hex.EncodeToString(fpBytes[:])
-		}
-	}
-
-	if len(option.Fingerprint) != 0 {
-		var err error
-		tlsConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint)
-		if err != nil {
-			return nil, err
-		}
-	} else {
-		tlsConfig = tlsC.GetGlobalTLSConfig(tlsConfig)
+	tlsConfig, err = ca.GetTLSConfig(tlsConfig, option.Fingerprint, option.CustomCA, option.CustomCAString)
+	if err != nil {
+		return nil, err
 	}

 	if option.ALPN != nil { // structure's Decode will ensure value not nil when input has value even it was set an empty array
@ -239,6 +241,14 @@ func NewTuic(option TuicOption) (*Tuic, error) {
 		tlsConfig.InsecureSkipVerify = true // tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config
 	}

+	switch option.UDPOverStreamVersion {
+	case uot.Version, uot.LegacyVersion:
+	case 0:
+		option.UDPOverStreamVersion = uot.LegacyVersion
+	default:
+		return nil, fmt.Errorf("tuic %s unknown udp over stream protocol version: %d", addr, option.UDPOverStreamVersion)
+	}
+
 	t := &Tuic{
 		Base: &Base{
 			name:   option.Name,
@ -282,6 +292,10 @@ func NewTuic(option TuicOption) (*Tuic, error) {

 		t.client = tuic.NewPoolClientV4(clientOption)
 	} else {
+		maxUdpRelayPacketSize := option.MaxUdpRelayPacketSize
+		if maxUdpRelayPacketSize > tuic.MaxFragSizeV5 {
+			maxUdpRelayPacketSize = tuic.MaxFragSizeV5
+		}
 		clientOption := &tuic.ClientOptionV5{
 			TlsConfig:             tlsConfig,
 			QuicConfig:            quicConfig,
@ -290,7 +304,7 @@ func NewTuic(option TuicOption) (*Tuic, error) {
 			UdpRelayMode:          udpRelayMode,
 			CongestionController:  option.CongestionController,
 			ReduceRtt:             option.ReduceRtt,
-			MaxUdpRelayPacketSize: option.MaxUdpRelayPacketSize,
+			MaxUdpRelayPacketSize: maxUdpRelayPacketSize,
 			MaxOpenStreams:        clientMaxOpenStreams,
 			CWND:                  option.CWND,
 		}
--- a/adapter/outbound/util.go
+++ b/adapter/outbound/util.go
@ -4,10 +4,12 @@ import (
 	"bytes"
 	"context"
 	"crypto/tls"
+	"fmt"
 	"net"
 	"net/netip"
+	"regexp"
+	"strconv"
 	"sync"
-	"time"

 	"github.com/Dreamacro/clash/component/resolver"
 	C "github.com/Dreamacro/clash/constant"
@ -19,13 +21,6 @@ var (
 	once                     sync.Once
 )

-func tcpKeepAlive(c net.Conn) {
-	if tcp, ok := c.(*net.TCPConn); ok {
-		_ = tcp.SetKeepAlive(true)
-		_ = tcp.SetKeepAlivePeriod(30 * time.Second)
-	}
-}
-
 func getClientSessionCache() tls.ClientSessionCache {
 	once.Do(func() {
 		globalClientSessionCache = tls.NewLRUClientSessionCache(128)
@ -128,3 +123,41 @@ func safeConnClose(c net.Conn, err error) {
 		_ = c.Close()
 	}
 }
+
+var rateStringRegexp = regexp.MustCompile(`^(\d+)\s*([KMGT]?)([Bb])ps$`)
+
+func StringToBps(s string) uint64 {
+	if s == "" {
+		return 0
+	}
+
+	// when have not unit, use Mbps
+	if v, err := strconv.Atoi(s); err == nil {
+		return StringToBps(fmt.Sprintf("%d Mbps", v))
+	}
+
+	m := rateStringRegexp.FindStringSubmatch(s)
+	if m == nil {
+		return 0
+	}
+	var n uint64
+	switch m[2] {
+	case "K":
+		n = 1 << 10
+	case "M":
+		n = 1 << 20
+	case "G":
+		n = 1 << 30
+	case "T":
+		n = 1 << 40
+	default:
+		n = 1
+	}
+	v, _ := strconv.ParseUint(m[1], 10, 64)
+	n = v * n
+	if m[3] == "b" {
+		// Bits, need to convert to bytes
+		n = n >> 3
+	}
+	return n
+}
--- a/adapter/outbound/vless.go
+++ b/adapter/outbound/vless.go
@ -15,6 +15,7 @@ import (
 	"github.com/Dreamacro/clash/common/convert"
 	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/common/utils"
+	"github.com/Dreamacro/clash/component/ca"
 	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/proxydialer"
 	"github.com/Dreamacro/clash/component/resolver"
@ -57,6 +58,7 @@ type VlessOption struct {
 	UUID              string            `proxy:"uuid"`
 	Flow              string            `proxy:"flow,omitempty"`
 	TLS               bool              `proxy:"tls,omitempty"`
+	ALPN              []string          `proxy:"alpn,omitempty"`
 	UDP               bool              `proxy:"udp,omitempty"`
 	PacketAddr        bool              `proxy:"packet-addr,omitempty"`
 	XUDP              bool              `proxy:"xudp,omitempty"`
@ -91,6 +93,7 @@ func (v *Vless) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 			Path:                v.option.WSOpts.Path,
 			MaxEarlyData:        v.option.WSOpts.MaxEarlyData,
 			EarlyDataHeaderName: v.option.WSOpts.EarlyDataHeaderName,
+			V2rayHttpUpgrade:    v.option.WSOpts.V2rayHttpUpgrade,
 			ClientFingerprint:   v.option.ClientFingerprint,
 			Headers:             http.Header{},
 		}
@ -109,13 +112,9 @@ func (v *Vless) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 				NextProtos:         []string{"http/1.1"},
 			}

-			if len(v.option.Fingerprint) == 0 {
-				wsOpts.TLSConfig = tlsC.GetGlobalTLSConfig(tlsConfig)
-			} else {
-				wsOpts.TLSConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, v.option.Fingerprint)
-				if err != nil {
-					return nil, err
-				}
+			wsOpts.TLSConfig, err = ca.GetSpecifiedFingerprintTLSConfig(tlsConfig, v.option.Fingerprint)
+			if err != nil {
+				return nil, err
 			}

 			if v.option.ServerName != "" {
@ -211,6 +210,7 @@ func (v *Vless) streamTLSConn(ctx context.Context, conn net.Conn, isH2 bool) (ne
 			FingerPrint:       v.option.Fingerprint,
 			ClientFingerprint: v.option.ClientFingerprint,
 			Reality:           v.realityConfig,
+			NextProtos:        v.option.ALPN,
 		}

 		if isH2 {
@ -261,7 +261,7 @@ func (v *Vless) DialContextWithDialer(ctx context.Context, dialer C.Dialer, meta
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
 	}
-	tcpKeepAlive(c)
+	N.TCPKeepAlive(c)
 	defer func(c net.Conn) {
 		safeConnClose(c, err)
 	}(c)
@ -326,7 +326,7 @@ func (v *Vless) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, met
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
 	}
-	tcpKeepAlive(c)
+	N.TCPKeepAlive(c)
 	defer func(c net.Conn) {
 		safeConnClose(c, err)
 	}(c)
@ -576,7 +576,7 @@ func NewVless(option VlessOption) (*Vless, error) {
 			if err != nil {
 				return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
 			}
-			tcpKeepAlive(c)
+			N.TCPKeepAlive(c)
 			return c, nil
 		}

@ -590,7 +590,7 @@ func NewVless(option VlessOption) (*Vless, error) {
 		}
 		var tlsConfig *tls.Config
 		if option.TLS {
-			tlsConfig = tlsC.GetGlobalTLSConfig(&tls.Config{
+			tlsConfig = ca.GetGlobalTLSConfig(&tls.Config{
 				InsecureSkipVerify: v.option.SkipCertVerify,
 				ServerName:         v.option.ServerName,
 			})
--- a/adapter/outbound/vmess.go
+++ b/adapter/outbound/vmess.go
@ -13,11 +13,13 @@ import (

 	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/common/utils"
+	"github.com/Dreamacro/clash/component/ca"
 	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/proxydialer"
 	"github.com/Dreamacro/clash/component/resolver"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/ntp"
 	"github.com/Dreamacro/clash/transport/gun"
 	clashVMess "github.com/Dreamacro/clash/transport/vmess"

@ -52,6 +54,7 @@ type VmessOption struct {
 	UDP                 bool           `proxy:"udp,omitempty"`
 	Network             string         `proxy:"network,omitempty"`
 	TLS                 bool           `proxy:"tls,omitempty"`
+	ALPN                []string       `proxy:"alpn,omitempty"`
 	SkipCertVerify      bool           `proxy:"skip-cert-verify,omitempty"`
 	Fingerprint         string         `proxy:"fingerprint,omitempty"`
 	ServerName          string         `proxy:"servername,omitempty"`
@ -88,6 +91,7 @@ type WSOptions struct {
 	Headers             map[string]string `proxy:"headers,omitempty"`
 	MaxEarlyData        int               `proxy:"max-early-data,omitempty"`
 	EarlyDataHeaderName string            `proxy:"early-data-header-name,omitempty"`
+	V2rayHttpUpgrade    bool              `proxy:"v2ray-http-upgrade,omitempty"`
 }

 // StreamConnContext implements C.ProxyAdapter
@ -107,6 +111,7 @@ func (v *Vmess) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 			Path:                v.option.WSOpts.Path,
 			MaxEarlyData:        v.option.WSOpts.MaxEarlyData,
 			EarlyDataHeaderName: v.option.WSOpts.EarlyDataHeaderName,
+			V2rayHttpUpgrade:    v.option.WSOpts.V2rayHttpUpgrade,
 			ClientFingerprint:   v.option.ClientFingerprint,
 			Headers:             http.Header{},
 		}
@ -125,12 +130,9 @@ func (v *Vmess) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 				NextProtos:         []string{"http/1.1"},
 			}

-			if len(v.option.Fingerprint) == 0 {
-				wsOpts.TLSConfig = tlsC.GetGlobalTLSConfig(tlsConfig)
-			} else {
-				if wsOpts.TLSConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, v.option.Fingerprint); err != nil {
-					return nil, err
-				}
+			wsOpts.TLSConfig, err = ca.GetSpecifiedFingerprintTLSConfig(tlsConfig, v.option.Fingerprint)
+			if err != nil {
+				return nil, err
 			}

 			if v.option.ServerName != "" {
@ -149,6 +151,7 @@ func (v *Vmess) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 				SkipCertVerify:    v.option.SkipCertVerify,
 				ClientFingerprint: v.option.ClientFingerprint,
 				Reality:           v.realityConfig,
+				NextProtos:        v.option.ALPN,
 			}

 			if v.option.ServerName != "" {
@ -205,6 +208,7 @@ func (v *Vmess) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 				SkipCertVerify:    v.option.SkipCertVerify,
 				ClientFingerprint: v.option.ClientFingerprint,
 				Reality:           v.realityConfig,
+				NextProtos:        v.option.ALPN,
 			}

 			if v.option.ServerName != "" {
@ -258,10 +262,10 @@ func (v *Vmess) streamConn(c net.Conn, metadata *C.Metadata) (conn net.Conn, err
 	} else {
 		if N.NeedHandshake(c) {
 			conn = v.client.DialEarlyConn(c,
-				M.ParseSocksaddr(metadata.RemoteAddress()))
+				M.ParseSocksaddrHostPort(metadata.String(), metadata.DstPort))
 		} else {
 			conn, err = v.client.DialConn(c,
-				M.ParseSocksaddr(metadata.RemoteAddress()))
+				M.ParseSocksaddrHostPort(metadata.String(), metadata.DstPort))
 		}
 	}
 	if err != nil {
@ -282,7 +286,7 @@ func (v *Vmess) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d
 			safeConnClose(c, err)
 		}(c)

-		c, err = v.client.DialConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
+		c, err = v.client.DialConn(c, M.ParseSocksaddrHostPort(metadata.String(), metadata.DstPort))
 		if err != nil {
 			return nil, err
 		}
@ -304,7 +308,7 @@ func (v *Vmess) DialContextWithDialer(ctx context.Context, dialer C.Dialer, meta
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
 	}
-	tcpKeepAlive(c)
+	N.TCPKeepAlive(c)
 	defer func(c net.Conn) {
 		safeConnClose(c, err)
 	}(c)
@ -365,7 +369,7 @@ func (v *Vmess) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, met
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
 	}
-	tcpKeepAlive(c)
+	N.TCPKeepAlive(c)
 	defer func(c net.Conn) {
 		safeConnClose(c, err)
 	}(c)
@ -413,6 +417,7 @@ func NewVmess(option VmessOption) (*Vmess, error) {
 	if option.AuthenticatedLength {
 		options = append(options, vmess.ClientWithAuthenticatedLength())
 	}
+	options = append(options, vmess.ClientWithTimeFunc(ntp.Now))
 	client, err := vmess.NewClient(option.UUID, security, option.AlterID, options...)
 	if err != nil {
 		return nil, err
@ -464,7 +469,7 @@ func NewVmess(option VmessOption) (*Vmess, error) {
 			if err != nil {
 				return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
 			}
-			tcpKeepAlive(c)
+			N.TCPKeepAlive(c)
 			return c, nil
 		}

@ -478,7 +483,7 @@ func NewVmess(option VmessOption) (*Vmess, error) {
 		}
 		var tlsConfig *tls.Config
 		if option.TLS {
-			tlsConfig = tlsC.GetGlobalTLSConfig(&tls.Config{
+			tlsConfig = ca.GetGlobalTLSConfig(&tls.Config{
 				InsecureSkipVerify: v.option.SkipCertVerify,
 				ServerName:         v.option.ServerName,
 			})
--- a/adapter/outbound/wireguard.go
+++ b/adapter/outbound/wireguard.go
@ -27,7 +27,6 @@ import (
 	"github.com/sagernet/sing/common/debug"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/wireguard-go/device"
 )

@ -36,7 +35,7 @@ type WireGuard struct {
 	bind      *wireguard.ClientBind
 	device    *device.Device
 	tunDevice wireguard.Device
-	dialer    *wgSingDialer
+	dialer    proxydialer.SingDialer
 	startOnce sync.Once
 	startErr  error
 	resolver  *dns.Resolver
@ -70,37 +69,6 @@ type WireGuardPeerOption struct {
 	AllowedIPs   []string `proxy:"allowed-ips,omitempty"`
 }

-type wgSingDialer struct {
-	dialer    dialer.Dialer
-	proxyName string
-}
-
-var _ N.Dialer = (*wgSingDialer)(nil)
-
-func (d *wgSingDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	var cDialer C.Dialer = d.dialer
-	if len(d.proxyName) > 0 {
-		pd, err := proxydialer.NewByName(d.proxyName, d.dialer)
-		if err != nil {
-			return nil, err
-		}
-		cDialer = pd
-	}
-	return cDialer.DialContext(ctx, network, destination.String())
-}
-
-func (d *wgSingDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	var cDialer C.Dialer = d.dialer
-	if len(d.proxyName) > 0 {
-		pd, err := proxydialer.NewByName(d.proxyName, d.dialer)
-		if err != nil {
-			return nil, err
-		}
-		cDialer = pd
-	}
-	return cDialer.ListenPacket(ctx, "udp", "", destination.AddrPort())
-}
-
 type wgSingErrorHandler struct {
 	name string
 }
@ -168,7 +136,7 @@ func NewWireGuard(option WireGuardOption) (*WireGuard, error) {
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
-		dialer: &wgSingDialer{dialer: dialer.NewDialer(), proxyName: option.DialerProxy},
+		dialer: proxydialer.NewByNameSingDialer(option.DialerProxy, dialer.NewDialer()),
 	}
 	runtime.SetFinalizer(outbound, closeWireGuard)

@ -302,7 +270,7 @@ func NewWireGuard(option WireGuardOption) (*WireGuard, error) {
 	if err != nil {
 		return nil, E.Cause(err, "create WireGuard device")
 	}
-	outbound.device = device.NewDevice(outbound.tunDevice, outbound.bind, &device.Logger{
+	outbound.device = device.NewDevice(context.Background(), outbound.tunDevice, outbound.bind, &device.Logger{
 		Verbosef: func(format string, args ...interface{}) {
 			log.SingLogger.Debug(fmt.Sprintf("[WG](%s) %s", option.Name, fmt.Sprintf(format, args...)))
 		},
@ -355,7 +323,7 @@ func closeWireGuard(w *WireGuard) {

 func (w *WireGuard) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
 	options := w.Base.DialOptions(opts...)
-	w.dialer.dialer = dialer.NewDialer(options...)
+	w.dialer.SetDialer(dialer.NewDialer(options...))
 	var conn net.Conn
 	w.startOnce.Do(func() {
 		w.startErr = w.tunDevice.Start()
@ -387,7 +355,7 @@ func (w *WireGuard) DialContext(ctx context.Context, metadata *C.Metadata, opts

 func (w *WireGuard) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
 	options := w.Base.DialOptions(opts...)
-	w.dialer.dialer = dialer.NewDialer(options...)
+	w.dialer.SetDialer(dialer.NewDialer(options...))
 	var pc net.PacketConn
 	w.startOnce.Do(func() {
 		w.startErr = w.tunDevice.Start()
--- a/adapter/outboundgroup/groupbase.go
+++ b/adapter/outboundgroup/groupbase.go
@ -28,7 +28,7 @@ type GroupBase struct {
 	failedTestMux    sync.Mutex
 	failedTimes      int
 	failedTime       time.Time
-	failedTesting    *atomic.Bool
+	failedTesting    atomic.Bool
 	proxies          [][]C.Proxy
 	versions         []atomic.Uint32
 }
--- a/adapter/outboundgroup/patch.go
+++ b/adapter/outboundgroup/patch.go
@ -0,0 +1,62 @@
+package outboundgroup
+
+import (
+	C "github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/constant/provider"
+)
+
+type ProxyGroup interface {
+	C.ProxyAdapter
+
+	Providers() []provider.ProxyProvider
+	Proxies() []C.Proxy
+	Now() string
+}
+
+func (f *Fallback) Providers() []provider.ProxyProvider {
+	return f.providers
+}
+
+func (lb *LoadBalance) Providers() []provider.ProxyProvider {
+	return lb.providers
+}
+
+func (f *Fallback) Proxies() []C.Proxy {
+	return f.GetProxies(false)
+}
+
+func (lb *LoadBalance) Proxies() []C.Proxy {
+	return lb.GetProxies(false)
+}
+
+func (lb *LoadBalance) Now() string {
+	return ""
+}
+
+func (r *Relay) Providers() []provider.ProxyProvider {
+	return r.providers
+}
+
+func (r *Relay) Proxies() []C.Proxy {
+	return r.GetProxies(false)
+}
+
+func (r *Relay) Now() string {
+	return ""
+}
+
+func (s *Selector) Providers() []provider.ProxyProvider {
+	return s.providers
+}
+
+func (s *Selector) Proxies() []C.Proxy {
+	return s.GetProxies(false)
+}
+
+func (u *URLTest) Providers() []provider.ProxyProvider {
+	return u.providers
+}
+
+func (u *URLTest) Proxies() []C.Proxy {
+	return u.GetProxies(false)
+}
--- a/adapter/outboundgroup/util.go
+++ b/adapter/outboundgroup/util.go
@ -1,17 +1,5 @@
 package outboundgroup

-import (
-	"net"
-	"time"
-)
-
-func tcpKeepAlive(c net.Conn) {
-	if tcp, ok := c.(*net.TCPConn); ok {
-		_ = tcp.SetKeepAlive(true)
-		_ = tcp.SetKeepAlivePeriod(30 * time.Second)
-	}
-}
-
 type SelectAble interface {
 	Set(string) error
 	ForceSet(name string)
--- a/adapter/parser.go
+++ b/adapter/parser.go
@ -92,6 +92,13 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 			break
 		}
 		proxy, err = outbound.NewHysteria(*hyOption)
+	case "hysteria2":
+		hyOption := &outbound.Hysteria2Option{}
+		err = decoder.Decode(mapping, hyOption)
+		if err != nil {
+			break
+		}
+		proxy, err = outbound.NewHysteria2(*hyOption)
 	case "wireguard":
 		wgOption := &outbound.WireGuardOption{}
 		err = decoder.Decode(mapping, wgOption)
@ -106,6 +113,20 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 			break
 		}
 		proxy, err = outbound.NewTuic(*tuicOption)
+	case "direct":
+		directOption := &outbound.DirectOption{}
+		err = decoder.Decode(mapping, directOption)
+		if err != nil {
+			break
+		}
+		proxy = outbound.NewDirectWithOption(*directOption)
+	case "reject":
+		rejectOption := &outbound.RejectOption{}
+		err = decoder.Decode(mapping, rejectOption)
+		if err != nil {
+			break
+		}
+		proxy = outbound.NewRejectWithOption(*rejectOption)
 	default:
 		return nil, fmt.Errorf("unsupport proxy type: %s", proxyType)
 	}
--- a/adapter/provider/healthcheck.go
+++ b/adapter/provider/healthcheck.go
@ -18,6 +18,7 @@ import (

 const (
 	defaultURLTestTimeout = time.Second * 5
+	defaultURLTestURL     = "https://www.gstatic.com/generate_204"
 )

 type HealthCheckOption struct {
@ -34,12 +35,12 @@ type HealthCheck struct {
 	url            string
 	extra          map[string]*extraOption
 	mu             sync.Mutex
-	started        *atomic.Bool
+	started        atomic.Bool
 	proxies        []C.Proxy
-	interval       uint
+	interval       time.Duration
 	lazy           bool
 	expectedStatus utils.IntRanges[uint16]
-	lastTouch      *atomic.Int64
+	lastTouch      atomic.TypedValue[time.Time]
 	done           chan struct{}
 	singleDo       *singledo.Single[struct{}]
 }
@ -50,13 +51,14 @@ func (hc *HealthCheck) process() {
 		return
 	}

-	ticker := time.NewTicker(time.Duration(hc.interval) * time.Second)
+	ticker := time.NewTicker(hc.interval)
 	hc.start()
 	for {
 		select {
 		case <-ticker.C:
-			now := time.Now().Unix()
-			if !hc.lazy || now-hc.lastTouch.Load() < int64(hc.interval) {
+			lastTouch := hc.lastTouch.Load()
+			since := time.Since(lastTouch)
+			if !hc.lazy || since < hc.interval {
 				hc.check()
 			} else {
 				log.Debugln("Skip once health check because we are lazy")
@ -85,7 +87,7 @@ func (hc *HealthCheck) registerHealthCheckTask(url string, expectedStatus utils.

 	// if the provider has not set up health checks, then modify it to be the same as the group's interval
 	if hc.interval == 0 {
-		hc.interval = interval
+		hc.interval = time.Duration(interval) * time.Second
 	}

 	if hc.extra == nil {
@ -135,7 +137,7 @@ func (hc *HealthCheck) auto() bool {
 }

 func (hc *HealthCheck) touch() {
-	hc.lastTouch.Store(time.Now().Unix())
+	hc.lastTouch.Store(time.Now())
 }

 func (hc *HealthCheck) start() {
@ -147,6 +149,11 @@ func (hc *HealthCheck) stop() {
 }

 func (hc *HealthCheck) check() {
+
+	if len(hc.proxies) == 0 {
+		return
+	}
+
 	_, _, _ = hc.singleDo.Do(func() (struct{}, error) {
 		id := utils.NewUUIDV4().String()
 		log.Debugln("Start New Health Checking {%s}", id)
@ -222,17 +229,16 @@ func NewHealthCheck(proxies []C.Proxy, url string, interval uint, lazy bool, exp
 	if len(url) == 0 {
 		interval = 0
 		expectedStatus = nil
+		url = defaultURLTestURL
 	}

 	return &HealthCheck{
 		proxies:        proxies,
 		url:            url,
 		extra:          map[string]*extraOption{},
-		started:        atomic.NewBool(false),
-		interval:       interval,
+		interval:       time.Duration(interval) * time.Second,
 		lazy:           lazy,
 		expectedStatus: expectedStatus,
-		lastTouch:      atomic.NewInt64(0),
 		done:           make(chan struct{}, 1),
 		singleDo:       singledo.NewSingle[struct{}](time.Second),
 	}
--- a/adapter/provider/parser.go
+++ b/adapter/provider/parser.go
@ -68,9 +68,6 @@ func ParseProxyProvider(name string, mapping map[string]any) (types.ProxyProvide
 	case "http":
 		if schema.Path != "" {
 			path := C.Path.Resolve(schema.Path)
-			if !C.Path.IsSafePath(path) {
-				return nil, fmt.Errorf("%w: %s", errSubPath, path)
-			}
 			vehicle = resource.NewHTTPVehicle(schema.URL, path)
 		} else {
 			path := C.Path.GetPathByHash("proxies", schema.URL)
--- a/adapter/provider/patch.go
+++ b/adapter/provider/patch.go
@ -0,0 +1,34 @@
+package provider
+
+import (
+	"time"
+)
+
+var (
+	suspended bool
+)
+
+type UpdatableProvider interface {
+	UpdatedAt() time.Time
+}
+
+func (pp *proxySetProvider) UpdatedAt() time.Time {
+	return pp.Fetcher.UpdatedAt
+}
+
+func (pp *proxySetProvider) Close() error {
+	pp.healthCheck.close()
+	pp.Fetcher.Destroy()
+
+	return nil
+}
+
+func (cp *compatibleProvider) Close() error {
+	cp.healthCheck.close()
+
+	return nil
+}
+
+func Suspend(s bool) {
+	suspended = s
+}
--- a/adapter/provider/subscription_info.go
+++ b/adapter/provider/subscription_info.go
@ -1,7 +1,6 @@
 package provider

 import (
-	"github.com/dlclark/regexp2"
 	"strconv"
 	"strings"
 )
@ -13,45 +12,24 @@ type SubscriptionInfo struct {
 	Expire   int64
 }

-func NewSubscriptionInfo(str string) (si *SubscriptionInfo, err error) {
-	si = &SubscriptionInfo{}
-	str = strings.ToLower(str)
-	reTraffic := regexp2.MustCompile("upload=(\\d+); download=(\\d+); total=(\\d+)", 0)
-	reExpire := regexp2.MustCompile("expire=(\\d+)", 0)
-
-	match, err := reTraffic.FindStringMatch(str)
-	if err != nil || match == nil {
-		return nil, err
-	}
-	group := match.Groups()
-	si.Upload, err = str2uint64(group[1].String())
-	if err != nil {
-		return nil, err
-	}
-
-	si.Download, err = str2uint64(group[2].String())
-	if err != nil {
-		return nil, err
-	}
-
-	si.Total, err = str2uint64(group[3].String())
-	if err != nil {
-		return nil, err
-	}
-
-	match, _ = reExpire.FindStringMatch(str)
-	if match != nil {
-		group = match.Groups()
-		si.Expire, err = str2uint64(group[1].String())
+func NewSubscriptionInfo(userinfo string) (si *SubscriptionInfo, err error) {
+	userinfo = strings.ToLower(userinfo)
+	userinfo = strings.ReplaceAll(userinfo, " ", "")
+	si = new(SubscriptionInfo)
+	for _, field := range strings.Split(userinfo, ";") {
+		switch name, value, _ := strings.Cut(field, "="); name {
+		case "upload":
+			si.Upload, err = strconv.ParseInt(value, 10, 64)
+		case "download":
+			si.Download, err = strconv.ParseInt(value, 10, 64)
+		case "total":
+			si.Total, err = strconv.ParseInt(value, 10, 64)
+		case "expire":
+			si.Expire, err = strconv.ParseInt(value, 10, 64)
+		}
 		if err != nil {
-			return nil, err
+			return
 		}
 	}
-
 	return
 }
-
-func str2uint64(str string) (int64, error) {
-	i, err := strconv.ParseInt(str, 10, 64)
-	return i, err
-}
--- a/common/atomic/type.go
+++ b/common/atomic/type.go
@ -11,10 +11,9 @@ type Bool struct {
 	atomic.Bool
 }

-func NewBool(val bool) *Bool {
-	i := &Bool{}
+func NewBool(val bool) (i Bool) {
 	i.Store(val)
-	return i
+	return
 }

 func (i *Bool) MarshalJSON() ([]byte, error) {
@ -39,12 +38,11 @@ type Pointer[T any] struct {
 	atomic.Pointer[T]
 }

-func NewPointer[T any](v *T) *Pointer[T] {
-	var p Pointer[T]
+func NewPointer[T any](v *T) (p Pointer[T]) {
 	if v != nil {
 		p.Store(v)
 	}
-	return &p
+	return
 }

 func (p *Pointer[T]) MarshalJSON() ([]byte, error) {
@ -68,10 +66,9 @@ type Int32 struct {
 	atomic.Int32
 }

-func NewInt32(val int32) *Int32 {
-	i := &Int32{}
+func NewInt32(val int32) (i Int32) {
 	i.Store(val)
-	return i
+	return
 }

 func (i *Int32) MarshalJSON() ([]byte, error) {
@ -96,10 +93,9 @@ type Int64 struct {
 	atomic.Int64
 }

-func NewInt64(val int64) *Int64 {
-	i := &Int64{}
+func NewInt64(val int64) (i Int64) {
 	i.Store(val)
-	return i
+	return
 }

 func (i *Int64) MarshalJSON() ([]byte, error) {
@ -124,10 +120,9 @@ type Uint32 struct {
 	atomic.Uint32
 }

-func NewUint32(val uint32) *Uint32 {
-	i := &Uint32{}
+func NewUint32(val uint32) (i Uint32) {
 	i.Store(val)
-	return i
+	return
 }

 func (i *Uint32) MarshalJSON() ([]byte, error) {
@ -152,10 +147,9 @@ type Uint64 struct {
 	atomic.Uint64
 }

-func NewUint64(val uint64) *Uint64 {
-	i := &Uint64{}
+func NewUint64(val uint64) (i Uint64) {
 	i.Store(val)
-	return i
+	return
 }

 func (i *Uint64) MarshalJSON() ([]byte, error) {
@ -180,10 +174,9 @@ type Uintptr struct {
 	atomic.Uintptr
 }

-func NewUintptr(val uintptr) *Uintptr {
-	i := &Uintptr{}
+func NewUintptr(val uintptr) (i Uintptr) {
 	i.Store(val)
-	return i
+	return
 }

 func (i *Uintptr) MarshalJSON() ([]byte, error) {
--- a/common/atomic/value.go
+++ b/common/atomic/value.go
@ -12,6 +12,7 @@ func DefaultValue[T any]() T {

 type TypedValue[T any] struct {
 	value atomic.Value
+	_     noCopy
 }

 func (t *TypedValue[T]) Load() T {
@ -51,8 +52,13 @@ func (t *TypedValue[T]) UnmarshalJSON(b []byte) error {
 	return nil
 }

-func NewTypedValue[T any](t T) *TypedValue[T] {
-	v := &TypedValue[T]{}
+func NewTypedValue[T any](t T) (v TypedValue[T]) {
 	v.Store(t)
-	return v
+	return
 }
+
+type noCopy struct{}
+
+// Lock is a no-op used by -copylocks checker from `go vet`.
+func (*noCopy) Lock()   {}
+func (*noCopy) Unlock() {}
--- a/common/buf/sing.go
+++ b/common/buf/sing.go
@ -10,17 +10,11 @@ const BufferSize = buf.BufferSize
 type Buffer = buf.Buffer

 var New = buf.New
+var NewPacket = buf.NewPacket
 var NewSize = buf.NewSize
 var With = buf.With
 var As = buf.As

-var KeepAlive = common.KeepAlive
-
-//go:norace
-func Dup[T any](obj T) T {
-	return common.Dup(obj)
-}
-
 var (
 	Must  = common.Must
 	Error = common.Error
--- a/common/cache/lrucache.go
+++ b/common/cache/lrucache.go
@ -7,6 +7,8 @@ import (
 	"time"

 	"github.com/Dreamacro/clash/common/generics/list"
+
+	"github.com/samber/lo"
 )

 // Option is part of Functional Options Pattern
@ -87,7 +89,7 @@ func (c *LruCache[K, V]) Get(key K) (V, bool) {

 	el := c.get(key)
 	if el == nil {
-		return getZero[V](), false
+		return lo.Empty[V](), false
 	}
 	value := el.value

@ -119,7 +121,7 @@ func (c *LruCache[K, V]) GetWithExpire(key K) (V, time.Time, bool) {

 	el := c.get(key)
 	if el == nil {
-		return getZero[V](), time.Time{}, false
+		return lo.Empty[V](), time.Time{}, false
 	}

 	return el.value, time.Unix(el.expires, 0), true
@ -259,8 +261,3 @@ type entry[K comparable, V any] struct {
 	value   V
 	expires int64
 }
-
-func getZero[T any]() T {
-	var result T
-	return result
-}
--- a/common/cmd/cmd_test.go
+++ b/common/cmd/cmd_test.go
@ -21,7 +21,7 @@ func TestSplitArgs(t *testing.T) {

 func TestExecCmd(t *testing.T) {
 	if runtime.GOOS == "windows" {
-		_, err := ExecCmd("dir")
+		_, err := ExecCmd("cmd -c 'dir'")
 		assert.Nil(t, err)
 		return
 	}
--- a/common/convert/converter.go
+++ b/common/convert/converter.go
@ -50,7 +50,9 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			hysteria["port"] = urlHysteria.Port()
 			hysteria["sni"] = query.Get("peer")
 			hysteria["obfs"] = query.Get("obfs")
-			hysteria["alpn"] = []string{query.Get("alpn")}
+			if alpn := query.Get("alpn"); alpn != "" {
+				hysteria["alpn"] = strings.Split(alpn, ",")
+			}
 			hysteria["auth_str"] = query.Get("auth")
 			hysteria["protocol"] = query.Get("protocol")
 			up := query.Get("up")
@ -66,6 +68,79 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			hysteria["skip-cert-verify"], _ = strconv.ParseBool(query.Get("insecure"))

 			proxies = append(proxies, hysteria)
+		case "hysteria2":
+			urlHysteria2, err := url.Parse(line)
+			if err != nil {
+				continue
+			}
+
+			query := urlHysteria2.Query()
+			name := uniqueName(names, urlHysteria2.Fragment)
+			hysteria2 := make(map[string]any, 20)
+
+			hysteria2["name"] = name
+			hysteria2["type"] = scheme
+			hysteria2["server"] = urlHysteria2.Hostname()
+			if port := urlHysteria2.Port(); port != "" {
+				hysteria2["port"] = port
+			} else {
+				hysteria2["port"] = "443"
+			}
+			hysteria2["obfs"] = query.Get("obfs")
+			hysteria2["obfs-password"] = query.Get("obfs-password")
+			hysteria2["sni"] = query.Get("sni")
+			hysteria2["skip-cert-verify"], _ = strconv.ParseBool(query.Get("insecure"))
+			if alpn := query.Get("alpn"); alpn != "" {
+				hysteria2["alpn"] = strings.Split(alpn, ",")
+			}
+			if auth := urlHysteria2.User.String(); auth != "" {
+				hysteria2["password"] = auth
+			}
+			hysteria2["fingerprint"] = query.Get("pinSHA256")
+			hysteria2["down"] = query.Get("down")
+			hysteria2["up"] = query.Get("up")
+
+			proxies = append(proxies, hysteria2)
+		case "tuic":
+			// A temporary unofficial TUIC share link standard
+			// Modified from https://github.com/daeuniverse/dae/discussions/182
+			// Changes:
+			//   1. Support TUICv4, just replace uuid:password with token
+			//   2. Remove `allow_insecure` field
+			urlTUIC, err := url.Parse(line)
+			if err != nil {
+				continue
+			}
+			query := urlTUIC.Query()
+
+			tuic := make(map[string]any, 20)
+			tuic["name"] = uniqueName(names, urlTUIC.Fragment)
+			tuic["type"] = scheme
+			tuic["server"] = urlTUIC.Hostname()
+			tuic["port"] = urlTUIC.Port()
+			tuic["udp"] = true
+			password, v5 := urlTUIC.User.Password()
+			if v5 {
+				tuic["uuid"] = urlTUIC.User.Username()
+				tuic["password"] = password
+			} else {
+				tuic["token"] = urlTUIC.User.Username()
+			}
+			if cc := query.Get("congestion_control"); cc != "" {
+				tuic["congestion-controller"] = cc
+			}
+			if alpn := query.Get("alpn"); alpn != "" {
+				tuic["alpn"] = strings.Split(alpn, ",")
+			}
+			if sni := query.Get("sni"); sni != "" {
+				tuic["sni"] = sni
+			}
+			if query.Get("disable_sni") == "1" {
+				tuic["disable-sni"] = true
+			}
+			if udpRelayMode := query.Get("udp_relay_mode"); udpRelayMode != "" {
+				tuic["udp-relay-mode"] = udpRelayMode
+			}

 		case "trojan":
 			urlTrojan, err := url.Parse(line)
@ -86,10 +161,12 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			trojan["udp"] = true
 			trojan["skip-cert-verify"], _ = strconv.ParseBool(query.Get("allowInsecure"))

-			sni := query.Get("sni")
-			if sni != "" {
+			if sni := query.Get("sni"); sni != "" {
 				trojan["sni"] = sni
 			}
+			if alpn := query.Get("alpn"); alpn != "" {
+				trojan["alpn"] = strings.Split(alpn, ",")
+			}

 			network := strings.ToLower(query.Get("type"))
 			if network != "" {
@ -217,6 +294,9 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 				if strings.HasSuffix(tls, "tls") {
 					vmess["tls"] = true
 				}
+				if alpn, ok := values["alpn"].(string); ok {
+					vmess["alpn"] = strings.Split(alpn, ",")
+				}
 			}

 			switch network {
@ -332,6 +412,7 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 				}
 			}
 			proxies = append(proxies, ss)
+
 		case "ssr":
 			dcBuf, err := encRaw.DecodeString(body)
 			if err != nil {
--- a/common/convert/converter_test.go
+++ b/common/convert/converter_test.go
@ -0,0 +1,35 @@
+package convert
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+// https://v2.hysteria.network/zh/docs/developers/URI-Scheme/
+func TestConvertsV2Ray_normal(t *testing.T) {
+	hy2test := "hysteria2://letmein@example.com:8443/?insecure=1&obfs=salamander&obfs-password=gawrgura&pinSHA256=deadbeef&sni=real.example.com&up=114&down=514&alpn=h3,h4#hy2test"
+
+	expected := []map[string]interface{}{
+		{
+			"name":             "hy2test",
+			"type":             "hysteria2",
+			"server":           "example.com",
+			"port":             "8443",
+			"sni":              "real.example.com",
+			"obfs":             "salamander",
+			"obfs-password":    "gawrgura",
+			"alpn":             []string{"h3", "h4"},
+			"password":         "letmein",
+			"up":               "114",
+			"down":             "514",
+			"skip-cert-verify": true,
+			"fingerprint":      "deadbeef",
+		},
+	}
+
+	proxies, err := ConvertsV2Ray([]byte(hy2test))
+
+	assert.Nil(t, err)
+	assert.Equal(t, expected, proxies)
+}
--- a/common/convert/v.go
+++ b/common/convert/v.go
@ -24,8 +24,6 @@ func handleVShareLink(names map[string]int, url *url.URL, scheme string, proxy m
 	proxy["port"] = url.Port()
 	proxy["uuid"] = url.User.Username()
 	proxy["udp"] = true
-	proxy["skip-cert-verify"] = false
-	proxy["tls"] = false
 	tls := strings.ToLower(query.Get("security"))
 	if strings.HasSuffix(tls, "tls") || tls == "reality" {
 		proxy["tls"] = true
@ -34,6 +32,9 @@ func handleVShareLink(names map[string]int, url *url.URL, scheme string, proxy m
 		} else {
 			proxy["client-fingerprint"] = fingerprint
 		}
+		if alpn := query.Get("alpn"); alpn != "" {
+			proxy["alpn"] = strings.Split(alpn, ",")
+		}
 	}
 	if sni := query.Get("sni"); sni != "" {
 		proxy["servername"] = sni
--- a/common/net/bufconn.go
+++ b/common/net/bufconn.go
@ -22,6 +22,16 @@ func NewBufferedConn(c net.Conn) *BufferedConn {
 	return &BufferedConn{bufio.NewReader(c), NewExtendedConn(c), false}
 }

+func WarpConnWithBioReader(c net.Conn, br *bufio.Reader) net.Conn {
+	if br != nil && br.Buffered() > 0 {
+		if bc, ok := c.(*BufferedConn); ok && bc.r == br {
+			return bc
+		}
+		return &BufferedConn{br, NewExtendedConn(c), true}
+	}
+	return c
+}
+
 // Reader returns the internal bufio.Reader.
 func (c *BufferedConn) Reader() *bufio.Reader {
 	return c.r
--- a/common/net/cached.go
+++ b/common/net/cached.go
@ -0,0 +1,49 @@
+package net
+
+import (
+	"net"
+
+	"github.com/Dreamacro/clash/common/buf"
+)
+
+var _ ExtendedConn = (*CachedConn)(nil)
+
+type CachedConn struct {
+	ExtendedConn
+	data []byte
+}
+
+func NewCachedConn(c net.Conn, data []byte) *CachedConn {
+	return &CachedConn{NewExtendedConn(c), data}
+}
+
+func (c *CachedConn) Read(b []byte) (n int, err error) {
+	if len(c.data) > 0 {
+		n = copy(b, c.data)
+		c.data = c.data[n:]
+		return
+	}
+	return c.ExtendedConn.Read(b)
+}
+
+func (c *CachedConn) ReadCached() *buf.Buffer { // call in sing/common/bufio.Copy
+	if len(c.data) > 0 {
+		return buf.As(c.data)
+	}
+	return nil
+}
+
+func (c *CachedConn) Upstream() any {
+	return c.ExtendedConn
+}
+
+func (c *CachedConn) ReaderReplaceable() bool {
+	if len(c.data) > 0 {
+		return false
+	}
+	return true
+}
+
+func (c *CachedConn) WriterReplaceable() bool {
+	return true
+}
--- a/common/net/context.go
+++ b/common/net/context.go
@ -0,0 +1,31 @@
+package net
+
+import (
+	"context"
+	"net"
+)
+
+// SetupContextForConn is a helper function that starts connection I/O interrupter goroutine.
+func SetupContextForConn(ctx context.Context, conn net.Conn) (done func(*error)) {
+	var (
+		quit      = make(chan struct{})
+		interrupt = make(chan error, 1)
+	)
+	go func() {
+		select {
+		case <-quit:
+			interrupt <- nil
+		case <-ctx.Done():
+			// Close the connection, discarding the error
+			_ = conn.Close()
+			interrupt <- ctx.Err()
+		}
+	}()
+	return func(inputErr *error) {
+		close(quit)
+		if ctxErr := <-interrupt; ctxErr != nil && inputErr != nil {
+			// Return context error to user.
+			inputErr = &ctxErr
+		}
+	}
+}
--- a/common/net/tcpip.go
+++ b/common/net/tcpip.go
@ -4,8 +4,11 @@ import (
 	"fmt"
 	"net"
 	"strings"
+	"time"
 )

+var KeepAliveInterval = 15 * time.Second
+
 func SplitNetworkType(s string) (string, string, error) {
 	var (
 		shecme   string
@ -44,3 +47,10 @@ func SplitHostPort(s string) (host, port string, hasPort bool, err error) {
 	host, port, err = net.SplitHostPort(temp)
 	return
 }
+
+func TCPKeepAlive(c net.Conn) {
+	if tcp, ok := c.(*net.TCPConn); ok {
+		_ = tcp.SetKeepAlive(true)
+		_ = tcp.SetKeepAlivePeriod(KeepAliveInterval)
+	}
+}
--- a/common/net/tls.go
+++ b/common/net/tls.go
@ -10,7 +10,11 @@ import (
 	"math/big"
 )

-func ParseCert(certificate, privateKey string) (tls.Certificate, error) {
+type Path interface {
+	Resolve(path string) string
+}
+
+func ParseCert(certificate, privateKey string, path Path) (tls.Certificate, error) {
 	if certificate == "" && privateKey == "" {
 		return newRandomTLSKeyPair()
 	}
@ -19,6 +23,8 @@ func ParseCert(certificate, privateKey string) (tls.Certificate, error) {
 		return cert, nil
 	}

+	certificate = path.Resolve(certificate)
+	privateKey = path.Resolve(privateKey)
 	cert, loadErr := tls.LoadX509KeyPair(certificate, privateKey)
 	if loadErr != nil {
 		return tls.Certificate{}, fmt.Errorf("parse certificate failed, maybe format error:%s, or path error: %s", painTextErr.Error(), loadErr.Error())
--- a/common/picker/picker_test.go
+++ b/common/picker/picker_test.go
@ -5,6 +5,7 @@ import (
 	"testing"
 	"time"

+	"github.com/samber/lo"
 	"github.com/stretchr/testify/assert"
 )

@ -15,7 +16,7 @@ func sleepAndSend[T any](ctx context.Context, delay int, input T) func() (T, err
 		case <-timer.C:
 			return input, nil
 		case <-ctx.Done():
-			return getZero[T](), ctx.Err()
+			return lo.Empty[T](), ctx.Err()
 		}
 	}
 }
@ -35,11 +36,6 @@ func TestPicker_Timeout(t *testing.T) {
 	picker.Go(sleepAndSend(ctx, 20, 1))

 	number := picker.Wait()
-	assert.Equal(t, number, getZero[int]())
+	assert.Equal(t, number, lo.Empty[int]())
 	assert.NotNil(t, picker.Error())
 }
-
-func getZero[T any]() T {
-	var result T
-	return result
-}
--- a/common/queue/queue.go
+++ b/common/queue/queue.go
@ -2,6 +2,8 @@ package queue

 import (
 	"sync"
+
+	"github.com/samber/lo"
 )

 // Queue is a simple concurrent safe queue
@ -24,7 +26,7 @@ func (q *Queue[T]) Put(items ...T) {
 // Pop returns the head of items.
 func (q *Queue[T]) Pop() T {
 	if len(q.items) == 0 {
-		return GetZero[T]()
+		return lo.Empty[T]()
 	}

 	q.lock.Lock()
@ -37,7 +39,7 @@ func (q *Queue[T]) Pop() T {
 // Last returns the last of item.
 func (q *Queue[T]) Last() T {
 	if len(q.items) == 0 {
-		return GetZero[T]()
+		return lo.Empty[T]()
 	}

 	q.lock.RLock()
@ -69,8 +71,3 @@ func New[T any](hint int64) *Queue[T] {
 		items: make([]T, 0, hint),
 	}
 }
-
-func GetZero[T any]() T {
-	var result T
-	return result
-}
--- a/common/util/manipulation.go
+++ b/common/util/manipulation.go
@ -0,0 +1,8 @@
+package util
+
+import "github.com/samber/lo"
+
+func EmptyOr[T comparable](v T, def T) T {
+	ret, _ := lo.Coalesce(v, def)
+	return ret
+}
--- a/component/auth/auth.go
+++ b/component/auth/auth.go
@ -1,9 +1,5 @@
 package auth

-import (
-	"sync"
-)
-
 type Authenticator interface {
 	Verify(user string, pass string) bool
 	Users() []string
@ -15,12 +11,12 @@ type AuthUser struct {
 }

 type inMemoryAuthenticator struct {
-	storage   *sync.Map
+	storage   map[string]string
 	usernames []string
 }

 func (au *inMemoryAuthenticator) Verify(user string, pass string) bool {
-	realPass, ok := au.storage.Load(user)
+	realPass, ok := au.storage[user]
 	return ok && realPass == pass
 }

@ -30,17 +26,13 @@ func NewAuthenticator(users []AuthUser) Authenticator {
 	if len(users) == 0 {
 		return nil
 	}
-
-	au := &inMemoryAuthenticator{storage: &sync.Map{}}
-	for _, user := range users {
-		au.storage.Store(user.User, user.Pass)
+	au := &inMemoryAuthenticator{
+		storage:   make(map[string]string),
+		usernames: make([]string, 0, len(users)),
+	}
+	for _, user := range users {
+		au.storage[user.User] = user.Pass
+		au.usernames = append(au.usernames, user.User)
 	}
-	usernames := make([]string, 0, len(users))
-	au.storage.Range(func(key, value any) bool {
-		usernames = append(usernames, key.(string))
-		return true
-	})
-	au.usernames = usernames
-
 	return au
 }
--- a/component/tls/config.go
+++ b/component/tls/config.go
@ -1,4 +1,4 @@
-package tls
+package ca

 import (
 	"bytes"
@ -8,12 +8,13 @@ import (
 	"encoding/hex"
 	"errors"
 	"fmt"
+	"os"
 	"strings"
 	"sync"
 )

 var trustCerts []*x509.Certificate
-var certPool *x509.CertPool
+var globalCertPool *x509.CertPool
 var mutex sync.RWMutex
 var errNotMatch = errors.New("certificate fingerprints do not match")

@ -33,12 +34,12 @@ func AddCertificate(certificate string) error {

 func initializeCertPool() {
 	var err error
-	certPool, err = x509.SystemCertPool()
+	globalCertPool, err = x509.SystemCertPool()
 	if err != nil {
-		certPool = x509.NewCertPool()
+		globalCertPool = x509.NewCertPool()
 	}
 	for _, cert := range trustCerts {
-		certPool.AddCert(cert)
+		globalCertPool.AddCert(cert)
 	}
 }

@ -53,15 +54,15 @@ func getCertPool() *x509.CertPool {
 	if len(trustCerts) == 0 {
 		return nil
 	}
-	if certPool == nil {
+	if globalCertPool == nil {
 		mutex.Lock()
 		defer mutex.Unlock()
-		if certPool != nil {
-			return certPool
+		if globalCertPool != nil {
+			return globalCertPool
 		}
 		initializeCertPool()
 	}
-	return certPool
+	return globalCertPool
 }

 func verifyFingerprint(fingerprint *[32]byte) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
@ -94,29 +95,49 @@ func convertFingerprint(fingerprint string) (*[32]byte, error) {
 	return (*[32]byte)(fpByte), nil
 }

-func GetDefaultTLSConfig() *tls.Config {
-	return GetGlobalTLSConfig(nil)
+// GetTLSConfig specified fingerprint, customCA and customCAString
+func GetTLSConfig(tlsConfig *tls.Config, fingerprint string, customCA string, customCAString string) (*tls.Config, error) {
+	if tlsConfig == nil {
+		tlsConfig = &tls.Config{}
+	}
+	var certificate []byte
+	var err error
+	if len(customCA) > 0 {
+		certificate, err = os.ReadFile(customCA)
+		if err != nil {
+			return nil, fmt.Errorf("load ca error: %w", err)
+		}
+	} else if customCAString != "" {
+		certificate = []byte(customCAString)
+	}
+	if len(certificate) > 0 {
+		certPool := x509.NewCertPool()
+		if !certPool.AppendCertsFromPEM(certificate) {
+			return nil, fmt.Errorf("failed to parse certificate:\n\n %s", certificate)
+		}
+		tlsConfig.RootCAs = certPool
+	} else {
+		tlsConfig.RootCAs = getCertPool()
+	}
+	if len(fingerprint) > 0 {
+		var fingerprintBytes *[32]byte
+		fingerprintBytes, err = convertFingerprint(fingerprint)
+		if err != nil {
+			return nil, err
+		}
+		tlsConfig = GetGlobalTLSConfig(tlsConfig)
+		tlsConfig.VerifyPeerCertificate = verifyFingerprint(fingerprintBytes)
+		tlsConfig.InsecureSkipVerify = true
+	}
+	return tlsConfig, nil
 }

 // GetSpecifiedFingerprintTLSConfig specified fingerprint
 func GetSpecifiedFingerprintTLSConfig(tlsConfig *tls.Config, fingerprint string) (*tls.Config, error) {
-	if fingerprintBytes, err := convertFingerprint(fingerprint); err != nil {
-		return nil, err
-	} else {
-		tlsConfig = GetGlobalTLSConfig(tlsConfig)
-		tlsConfig.VerifyPeerCertificate = verifyFingerprint(fingerprintBytes)
-		tlsConfig.InsecureSkipVerify = true
-		return tlsConfig, nil
-	}
+	return GetTLSConfig(tlsConfig, fingerprint, "", "")
 }

 func GetGlobalTLSConfig(tlsConfig *tls.Config) *tls.Config {
-	certPool := getCertPool()
-	if tlsConfig == nil {
-		return &tls.Config{
-			RootCAs: certPool,
-		}
-	}
-	tlsConfig.RootCAs = certPool
+	tlsConfig, _ = GetTLSConfig(tlsConfig, "", "", "")
 	return tlsConfig
 }
--- a/component/dhcp/conn.go
+++ b/component/dhcp/conn.go
@ -14,5 +14,15 @@ func ListenDHCPClient(ctx context.Context, ifaceName string) (net.PacketConn, er
 		listenAddr = "255.255.255.255:68"
 	}

-	return dialer.ListenPacket(ctx, "udp4", listenAddr, dialer.WithInterface(ifaceName), dialer.WithAddrReuse(true))
+	options := []dialer.Option{
+		dialer.WithInterface(ifaceName),
+		dialer.WithAddrReuse(true),
+	}
+
+	// fallback bind on windows, because syscall bind can not receive broadcast
+	if runtime.GOOS == "windows" {
+		options = append(options, dialer.WithFallbackBind(true))
+	}
+
+	return dialer.ListenPacket(ctx, "udp4", listenAddr, options...)
 }
--- a/component/dialer/bind.go
+++ b/component/dialer/bind.go
@ -3,6 +3,7 @@ package dialer
 import (
 	"net"
 	"net/netip"
+	"strconv"
 	"strings"

 	"github.com/Dreamacro/clash/component/iface"
@ -14,7 +15,7 @@ func LookupLocalAddrFromIfaceName(ifaceName string, network string, destination
 		return nil, err
 	}

-	var addr *netip.Prefix
+	var addr netip.Prefix
 	switch network {
 	case "udp4", "tcp4":
 		addr, err = ifaceObj.PickIPv4Addr(destination)
@ -49,3 +50,52 @@ func LookupLocalAddrFromIfaceName(ifaceName string, network string, destination

 	return nil, iface.ErrAddrNotFound
 }
+
+func fallbackBindIfaceToDialer(ifaceName string, dialer *net.Dialer, network string, destination netip.Addr) error {
+	if !destination.IsGlobalUnicast() {
+		return nil
+	}
+
+	local := uint64(0)
+	if dialer.LocalAddr != nil {
+		_, port, err := net.SplitHostPort(dialer.LocalAddr.String())
+		if err == nil {
+			local, _ = strconv.ParseUint(port, 10, 16)
+		}
+	}
+
+	addr, err := LookupLocalAddrFromIfaceName(ifaceName, network, destination, int(local))
+	if err != nil {
+		return err
+	}
+
+	dialer.LocalAddr = addr
+
+	return nil
+}
+
+func fallbackBindIfaceToListenConfig(ifaceName string, _ *net.ListenConfig, network, address string) (string, error) {
+	_, port, err := net.SplitHostPort(address)
+	if err != nil {
+		port = "0"
+	}
+
+	local, _ := strconv.ParseUint(port, 10, 16)
+
+	addr, err := LookupLocalAddrFromIfaceName(ifaceName, network, netip.Addr{}, int(local))
+	if err != nil {
+		return "", err
+	}
+
+	return addr.String(), nil
+}
+
+func fallbackParseNetwork(network string, addr netip.Addr) string {
+	// fix fallbackBindIfaceToListenConfig() force bind to an ipv4 address
+	if !strings.HasSuffix(network, "4") &&
+		!strings.HasSuffix(network, "6") &&
+		addr.Unmap().Is6() {
+		network += "6"
+	}
+	return network
+}
--- a/component/dialer/bind_others.go
+++ b/component/dialer/bind_others.go
@ -5,55 +5,16 @@ package dialer
 import (
 	"net"
 	"net/netip"
-	"strconv"
-	"strings"
 )

 func bindIfaceToDialer(ifaceName string, dialer *net.Dialer, network string, destination netip.Addr) error {
-	if !destination.IsGlobalUnicast() {
-		return nil
-	}
-
-	local := uint64(0)
-	if dialer.LocalAddr != nil {
-		_, port, err := net.SplitHostPort(dialer.LocalAddr.String())
-		if err == nil {
-			local, _ = strconv.ParseUint(port, 10, 16)
-		}
-	}
-
-	addr, err := LookupLocalAddrFromIfaceName(ifaceName, network, destination, int(local))
-	if err != nil {
-		return err
-	}
-
-	dialer.LocalAddr = addr
-
-	return nil
+	return fallbackBindIfaceToDialer(ifaceName, dialer, network, destination)
 }

-func bindIfaceToListenConfig(ifaceName string, _ *net.ListenConfig, network, address string) (string, error) {
-	_, port, err := net.SplitHostPort(address)
-	if err != nil {
-		port = "0"
-	}
-
-	local, _ := strconv.ParseUint(port, 10, 16)
-
-	addr, err := LookupLocalAddrFromIfaceName(ifaceName, network, netip.Addr{}, int(local))
-	if err != nil {
-		return "", err
-	}
-
-	return addr.String(), nil
+func bindIfaceToListenConfig(ifaceName string, lc *net.ListenConfig, network, address string) (string, error) {
+	return fallbackBindIfaceToListenConfig(ifaceName, lc, network, address)
 }

 func ParseNetwork(network string, addr netip.Addr) string {
-	// fix bindIfaceToListenConfig() force bind to an ipv4 address
-	if !strings.HasSuffix(network, "4") &&
-		!strings.HasSuffix(network, "6") &&
-		addr.Unmap().Is6() {
-		network += "6"
-	}
-	return network
+	return fallbackParseNetwork(network, addr)
 }
--- a/component/dialer/dialer.go
+++ b/component/dialer/dialer.go
@ -70,11 +70,18 @@ func DialContext(ctx context.Context, network, address string, options ...Option
 }

 func ListenPacket(ctx context.Context, network, address string, options ...Option) (net.PacketConn, error) {
+	if DefaultSocketHook != nil {
+		return listenPacketHooked(ctx, network, address)
+	}
 	cfg := applyOptions(options...)

 	lc := &net.ListenConfig{}
 	if cfg.interfaceName != "" {
-		addr, err := bindIfaceToListenConfig(cfg.interfaceName, lc, network, address)
+		bind := bindIfaceToListenConfig
+		if cfg.fallbackBind {
+			bind = fallbackBindIfaceToListenConfig
+		}
+		addr, err := bind(cfg.interfaceName, lc, network, address)
 		if err != nil {
 			return nil, err
 		}
@ -110,6 +117,9 @@ func GetTcpConcurrent() bool {
 }

 func dialContext(ctx context.Context, network string, destination netip.Addr, port string, opt *option) (net.Conn, error) {
+	if DefaultSocketHook != nil {
+		return dialContextHooked(ctx, network, destination, port)
+	}
 	address := net.JoinHostPort(destination.String(), port)

 	netDialer := opt.netDialer
@ -125,7 +135,11 @@ func dialContext(ctx context.Context, network string, destination netip.Addr, po

 	dialer := netDialer.(*net.Dialer)
 	if opt.interfaceName != "" {
-		if err := bindIfaceToDialer(opt.interfaceName, dialer, network, destination); err != nil {
+		bind := bindIfaceToDialer
+		if opt.fallbackBind {
+			bind = fallbackBindIfaceToDialer
+		}
+		if err := bind(opt.interfaceName, dialer, network, destination); err != nil {
 			return nil, err
 		}
 	}
@ -162,14 +176,22 @@ func concurrentDualStackDialContext(ctx context.Context, network string, ips []n

 func dualStackDialContext(ctx context.Context, dialFn dialFunc, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
 	ipv4s, ipv6s := resolver.SortationAddr(ips)
-	preferIPVersion := opt.prefer
+	if len(ipv4s) == 0 && len(ipv6s) == 0 {
+		return nil, ErrorNoIpAddress
+	}

+	preferIPVersion := opt.prefer
 	fallbackTicker := time.NewTicker(fallbackTimeout)
 	defer fallbackTicker.Stop()
+
 	results := make(chan dialResult)
 	returned := make(chan struct{})
 	defer close(returned)
+
+	var wg sync.WaitGroup
+
 	racer := func(ips []netip.Addr, isPrimary bool) {
+		defer wg.Done()
 		result := dialResult{isPrimary: isPrimary}
 		defer func() {
 			select {
@ -182,18 +204,36 @@ func dualStackDialContext(ctx context.Context, dialFn dialFunc, network string,
 		}()
 		result.Conn, result.error = dialFn(ctx, network, ips, port, opt)
 	}
-	go racer(ipv4s, preferIPVersion != 6)
-	go racer(ipv6s, preferIPVersion != 4)
+
+	if len(ipv4s) != 0 {
+		wg.Add(1)
+		go racer(ipv4s, preferIPVersion != 6)
+	}
+
+	if len(ipv6s) != 0 {
+		wg.Add(1)
+		go racer(ipv6s, preferIPVersion != 4)
+	}
+
+	go func() {
+		wg.Wait()
+		close(results)
+	}()
+
 	var fallback dialResult
 	var errs []error
-	for i := 0; i < 2; {
+
+loop:
+	for {
 		select {
 		case <-fallbackTicker.C:
 			if fallback.error == nil && fallback.Conn != nil {
 				return fallback.Conn, nil
 			}
-		case res := <-results:
-			i++
+		case res, ok := <-results:
+			if !ok {
+				break loop
+			}
 			if res.error == nil {
 				if res.isPrimary {
 					return res.Conn, nil
@ -208,6 +248,7 @@ func dualStackDialContext(ctx context.Context, dialFn dialFunc, network string,
 			}
 		}
 	}
+
 	if fallback.error == nil && fallback.Conn != nil {
 		return fallback.Conn, nil
 	}
--- a/component/dialer/options.go
+++ b/component/dialer/options.go
@ -20,6 +20,7 @@ type NetDialer interface {

 type option struct {
 	interfaceName string
+	fallbackBind  bool
 	addrReuse     bool
 	routingMark   int
 	network       int
@ -38,6 +39,12 @@ func WithInterface(name string) Option {
 	}
 }

+func WithFallbackBind(fallback bool) Option {
+	return func(opt *option) {
+		opt.fallbackBind = fallback
+	}
+}
+
 func WithAddrReuse(reuse bool) Option {
 	return func(opt *option) {
 		opt.addrReuse = reuse
--- a/component/dialer/patch.go
+++ b/component/dialer/patch.go
@ -0,0 +1,37 @@
+package dialer
+
+import (
+	"context"
+	"net"
+	"net/netip"
+	"syscall"
+)
+
+type SocketControl func(network, address string, conn syscall.RawConn) error
+
+var DefaultSocketHook SocketControl
+
+func dialContextHooked(ctx context.Context, network string, destination netip.Addr, port string) (net.Conn, error) {
+	dialer := &net.Dialer{
+		Control: DefaultSocketHook,
+	}
+
+	conn, err := dialer.DialContext(ctx, network, net.JoinHostPort(destination.String(), port))
+	if err != nil {
+		return nil, err
+	}
+
+	if t, ok := conn.(*net.TCPConn); ok {
+		t.SetKeepAlive(false)
+	}
+
+	return conn, nil
+}
+
+func listenPacketHooked(ctx context.Context, network, address string) (net.PacketConn, error) {
+	lc := &net.ListenConfig{
+		Control: DefaultSocketHook,
+	}
+
+	return lc.ListenPacket(ctx, network, address)
+}
--- a/component/fakeip/pool.go
+++ b/component/fakeip/pool.go
@ -36,7 +36,7 @@ type Pool struct {
 	cycle   bool
 	mux     sync.Mutex
 	host    *trie.DomainTrie[struct{}]
-	ipnet   *netip.Prefix
+	ipnet   netip.Prefix
 	store   store
 }

@ -91,7 +91,7 @@ func (p *Pool) Broadcast() netip.Addr {
 }

 // IPNet return raw ipnet
-func (p *Pool) IPNet() *netip.Prefix {
+func (p *Pool) IPNet() netip.Prefix {
 	return p.ipnet
 }

@ -153,7 +153,7 @@ func (p *Pool) restoreState() {
 }

 type Options struct {
-	IPNet *netip.Prefix
+	IPNet netip.Prefix
 	Host  *trie.DomainTrie[struct{}]

 	// Size sets the maximum number of entries in memory
@ -171,7 +171,7 @@ func New(options Options) (*Pool, error) {
 		hostAddr = options.IPNet.Masked().Addr()
 		gateway  = hostAddr.Next()
 		first    = gateway.Next().Next().Next() // default start with 198.18.0.4
-		last     = nnip.UnMasked(*options.IPNet)
+		last     = nnip.UnMasked(options.IPNet)
 	)

 	if !options.IPNet.IsValid() || !first.IsValid() || !first.Less(last) {
--- a/component/fakeip/pool_test.go
+++ b/component/fakeip/pool_test.go
@ -51,7 +51,7 @@ func createCachefileStore(options Options) (*Pool, string, error) {
 func TestPool_Basic(t *testing.T) {
 	ipnet := netip.MustParsePrefix("192.168.0.0/28")
 	pools, tempfile, err := createPools(Options{
-		IPNet: &ipnet,
+		IPNet: ipnet,
 		Size:  10,
 	})
 	assert.Nil(t, err)
@ -79,7 +79,7 @@ func TestPool_Basic(t *testing.T) {
 func TestPool_BasicV6(t *testing.T) {
 	ipnet := netip.MustParsePrefix("2001:4860:4860::8888/118")
 	pools, tempfile, err := createPools(Options{
-		IPNet: &ipnet,
+		IPNet: ipnet,
 		Size:  10,
 	})
 	assert.Nil(t, err)
@ -107,7 +107,7 @@ func TestPool_BasicV6(t *testing.T) {
 func TestPool_Case_Insensitive(t *testing.T) {
 	ipnet := netip.MustParsePrefix("192.168.0.1/29")
 	pools, tempfile, err := createPools(Options{
-		IPNet: &ipnet,
+		IPNet: ipnet,
 		Size:  10,
 	})
 	assert.Nil(t, err)
@ -128,7 +128,7 @@ func TestPool_Case_Insensitive(t *testing.T) {
 func TestPool_CycleUsed(t *testing.T) {
 	ipnet := netip.MustParsePrefix("192.168.0.16/28")
 	pools, tempfile, err := createPools(Options{
-		IPNet: &ipnet,
+		IPNet: ipnet,
 		Size:  10,
 	})
 	assert.Nil(t, err)
@ -152,7 +152,7 @@ func TestPool_Skip(t *testing.T) {
 	tree := trie.New[struct{}]()
 	tree.Insert("example.com", struct{}{})
 	pools, tempfile, err := createPools(Options{
-		IPNet: &ipnet,
+		IPNet: ipnet,
 		Size:  10,
 		Host:  tree,
 	})
@ -168,7 +168,7 @@ func TestPool_Skip(t *testing.T) {
 func TestPool_MaxCacheSize(t *testing.T) {
 	ipnet := netip.MustParsePrefix("192.168.0.1/24")
 	pool, _ := New(Options{
-		IPNet: &ipnet,
+		IPNet: ipnet,
 		Size:  2,
 	})

@ -183,7 +183,7 @@ func TestPool_MaxCacheSize(t *testing.T) {
 func TestPool_DoubleMapping(t *testing.T) {
 	ipnet := netip.MustParsePrefix("192.168.0.1/24")
 	pool, _ := New(Options{
-		IPNet: &ipnet,
+		IPNet: ipnet,
 		Size:  2,
 	})

@ -213,7 +213,7 @@ func TestPool_DoubleMapping(t *testing.T) {
 func TestPool_Clone(t *testing.T) {
 	ipnet := netip.MustParsePrefix("192.168.0.1/24")
 	pool, _ := New(Options{
-		IPNet: &ipnet,
+		IPNet: ipnet,
 		Size:  2,
 	})

@ -223,7 +223,7 @@ func TestPool_Clone(t *testing.T) {
 	assert.True(t, last == netip.AddrFrom4([4]byte{192, 168, 0, 5}))

 	newPool, _ := New(Options{
-		IPNet: &ipnet,
+		IPNet: ipnet,
 		Size:  2,
 	})
 	newPool.CloneFrom(pool)
@ -236,7 +236,7 @@ func TestPool_Clone(t *testing.T) {
 func TestPool_Error(t *testing.T) {
 	ipnet := netip.MustParsePrefix("192.168.0.1/31")
 	_, err := New(Options{
-		IPNet: &ipnet,
+		IPNet: ipnet,
 		Size:  10,
 	})

@ -246,7 +246,7 @@ func TestPool_Error(t *testing.T) {
 func TestPool_FlushFileCache(t *testing.T) {
 	ipnet := netip.MustParsePrefix("192.168.0.1/28")
 	pools, tempfile, err := createPools(Options{
-		IPNet: &ipnet,
+		IPNet: ipnet,
 		Size:  10,
 	})
 	assert.Nil(t, err)
@ -278,7 +278,7 @@ func TestPool_FlushFileCache(t *testing.T) {
 func TestPool_FlushMemoryCache(t *testing.T) {
 	ipnet := netip.MustParsePrefix("192.168.0.1/28")
 	pool, _ := New(Options{
-		IPNet: &ipnet,
+		IPNet: ipnet,
 		Size:  10,
 	})

--- a/component/http/http.go
+++ b/component/http/http.go
@ -2,22 +2,22 @@ package http

 import (
 	"context"
+	"crypto/tls"
 	"io"
 	"net"
 	"net/http"
 	URL "net/url"
+	"runtime"
 	"strings"
 	"time"

-	"github.com/Dreamacro/clash/component/tls"
+	"github.com/Dreamacro/clash/component/ca"
+	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/listener/inner"
 )

-const (
-	UA = "clash.meta"
-)
-
 func HttpRequest(ctx context.Context, url, method string, header map[string][]string, body io.Reader) (*http.Response, error) {
+	UA := C.UA
 	method = strings.ToUpper(method)
 	urlRes, err := URL.Parse(url)
 	if err != nil {
@ -48,6 +48,7 @@ func HttpRequest(ctx context.Context, url, method string, header map[string][]st

 	transport := &http.Transport{
 		// from http.DefaultTransport
+		DisableKeepAlives:     runtime.GOOS == "android",
 		MaxIdleConns:          100,
 		IdleConnTimeout:       30 * time.Second,
 		TLSHandshakeTimeout:   10 * time.Second,
@ -60,7 +61,7 @@ func HttpRequest(ctx context.Context, url, method string, header map[string][]st
 				return d.DialContext(ctx, network, address)
 			}
 		},
-		TLSClientConfig: tls.GetDefaultTLSConfig(),
+		TLSClientConfig: ca.GetGlobalTLSConfig(&tls.Config{}),
 	}

 	client := http.Client{Transport: transport}
--- a/component/iface/iface.go
+++ b/component/iface/iface.go
@ -13,7 +13,7 @@ import (
 type Interface struct {
 	Index        int
 	Name         string
-	Addrs        []*netip.Prefix
+	Addrs        []netip.Prefix
 	HardwareAddr net.HardwareAddr
 }

@ -43,7 +43,7 @@ func ResolveInterface(name string) (*Interface, error) {
 				continue
 			}

-			ipNets := make([]*netip.Prefix, 0, len(addrs))
+			ipNets := make([]netip.Prefix, 0, len(addrs))
 			for _, addr := range addrs {
 				ipNet := addr.(*net.IPNet)
 				ip, _ := netip.AddrFromSlice(ipNet.IP)
@ -59,7 +59,7 @@ func ResolveInterface(name string) (*Interface, error) {
 				}

 				pf := netip.PrefixFrom(ip, ones)
-				ipNets = append(ipNets, &pf)
+				ipNets = append(ipNets, pf)
 			}

 			r[iface.Name] = &Interface{
@ -89,27 +89,27 @@ func FlushCache() {
 	interfaces.Reset()
 }

-func (iface *Interface) PickIPv4Addr(destination netip.Addr) (*netip.Prefix, error) {
-	return iface.pickIPAddr(destination, func(addr *netip.Prefix) bool {
+func (iface *Interface) PickIPv4Addr(destination netip.Addr) (netip.Prefix, error) {
+	return iface.pickIPAddr(destination, func(addr netip.Prefix) bool {
 		return addr.Addr().Is4()
 	})
 }

-func (iface *Interface) PickIPv6Addr(destination netip.Addr) (*netip.Prefix, error) {
-	return iface.pickIPAddr(destination, func(addr *netip.Prefix) bool {
+func (iface *Interface) PickIPv6Addr(destination netip.Addr) (netip.Prefix, error) {
+	return iface.pickIPAddr(destination, func(addr netip.Prefix) bool {
 		return addr.Addr().Is6()
 	})
 }

-func (iface *Interface) pickIPAddr(destination netip.Addr, accept func(addr *netip.Prefix) bool) (*netip.Prefix, error) {
-	var fallback *netip.Prefix
+func (iface *Interface) pickIPAddr(destination netip.Addr, accept func(addr netip.Prefix) bool) (netip.Prefix, error) {
+	var fallback netip.Prefix

 	for _, addr := range iface.Addrs {
 		if !accept(addr) {
 			continue
 		}

-		if fallback == nil && !addr.Addr().IsLinkLocalUnicast() {
+		if !fallback.IsValid() && !addr.Addr().IsLinkLocalUnicast() {
 			fallback = addr

 			if !destination.IsValid() {
@ -122,8 +122,8 @@ func (iface *Interface) pickIPAddr(destination netip.Addr, accept func(addr *net
 		}
 	}

-	if fallback == nil {
-		return nil, ErrAddrNotFound
+	if !fallback.IsValid() {
+		return netip.Prefix{}, ErrAddrNotFound
 	}

 	return fallback, nil
--- a/component/mmdb/patch.go
+++ b/component/mmdb/patch.go
@ -0,0 +1,16 @@
+package mmdb
+
+import "github.com/oschwald/maxminddb-golang"
+
+func InstallOverride(override *maxminddb.Reader) {
+	newReader := Reader{Reader: override}
+	switch override.Metadata.DatabaseType {
+	case "sing-geoip":
+		reader.databaseType = typeSing
+	case "Meta-geoip0":
+		reader.databaseType = typeMetaV0
+	default:
+		reader.databaseType = typeMaxmind
+	}
+	reader = newReader
+}
--- a/component/nat/table.go
+++ b/component/nat/table.go
@ -5,23 +5,28 @@ import (
 	"sync"

 	C "github.com/Dreamacro/clash/constant"
+
+	"github.com/puzpuzpuz/xsync/v2"
 )

 type Table struct {
-	mapping sync.Map
+	mapping *xsync.MapOf[string, *Entry]
+	lockMap *xsync.MapOf[string, *sync.Cond]
 }

 type Entry struct {
 	PacketConn      C.PacketConn
 	WriteBackProxy  C.WriteBackProxy
-	LocalUDPConnMap sync.Map
+	LocalUDPConnMap *xsync.MapOf[string, *net.UDPConn]
+	LocalLockMap    *xsync.MapOf[string, *sync.Cond]
 }

 func (t *Table) Set(key string, e C.PacketConn, w C.WriteBackProxy) {
 	t.mapping.Store(key, &Entry{
 		PacketConn:      e,
 		WriteBackProxy:  w,
-		LocalUDPConnMap: sync.Map{},
+		LocalUDPConnMap: xsync.NewMapOf[*net.UDPConn](),
+		LocalLockMap:    xsync.NewMapOf[*sync.Cond](),
 	})
 }

@ -34,15 +39,19 @@ func (t *Table) Get(key string) (C.PacketConn, C.WriteBackProxy) {
 }

 func (t *Table) GetOrCreateLock(key string) (*sync.Cond, bool) {
-	item, loaded := t.mapping.LoadOrStore(key, sync.NewCond(&sync.Mutex{}))
-	return item.(*sync.Cond), loaded
+	item, loaded := t.lockMap.LoadOrCompute(key, makeLock)
+	return item, loaded
 }

 func (t *Table) Delete(key string) {
 	t.mapping.Delete(key)
 }

-func (t *Table) GetLocalConn(lAddr, rAddr string) *net.UDPConn {
+func (t *Table) DeleteLock(lockKey string) {
+	t.lockMap.Delete(lockKey)
+}
+
+func (t *Table) GetForLocalConn(lAddr, rAddr string) *net.UDPConn {
 	entry, exist := t.getEntry(lAddr)
 	if !exist {
 		return nil
@ -51,10 +60,10 @@ func (t *Table) GetLocalConn(lAddr, rAddr string) *net.UDPConn {
 	if !exist {
 		return nil
 	}
-	return item.(*net.UDPConn)
+	return item
 }

-func (t *Table) AddLocalConn(lAddr, rAddr string, conn *net.UDPConn) bool {
+func (t *Table) AddForLocalConn(lAddr, rAddr string, conn *net.UDPConn) bool {
 	entry, exist := t.getEntry(lAddr)
 	if !exist {
 		return false
@ -63,7 +72,7 @@ func (t *Table) AddLocalConn(lAddr, rAddr string, conn *net.UDPConn) bool {
 	return true
 }

-func (t *Table) RangeLocalConn(lAddr string, f func(key, value any) bool) {
+func (t *Table) RangeForLocalConn(lAddr string, f func(key string, value *net.UDPConn) bool) {
 	entry, exist := t.getEntry(lAddr)
 	if !exist {
 		return
@ -76,11 +85,11 @@ func (t *Table) GetOrCreateLockForLocalConn(lAddr, key string) (*sync.Cond, bool
 	if !loaded {
 		return nil, false
 	}
-	item, loaded := entry.LocalUDPConnMap.LoadOrStore(key, sync.NewCond(&sync.Mutex{}))
-	return item.(*sync.Cond), loaded
+	item, loaded := entry.LocalLockMap.LoadOrCompute(key, makeLock)
+	return item, loaded
 }

-func (t *Table) DeleteLocalConnMap(lAddr, key string) {
+func (t *Table) DeleteForLocalConn(lAddr, key string) {
 	entry, loaded := t.getEntry(lAddr)
 	if !loaded {
 		return
@ -88,17 +97,26 @@ func (t *Table) DeleteLocalConnMap(lAddr, key string) {
 	entry.LocalUDPConnMap.Delete(key)
 }

-func (t *Table) getEntry(key string) (*Entry, bool) {
-	item, ok := t.mapping.Load(key)
-	// This should not happen usually since this function called after PacketConn created
-	if !ok {
-		return nil, false
+func (t *Table) DeleteLockForLocalConn(lAddr, key string) {
+	entry, loaded := t.getEntry(lAddr)
+	if !loaded {
+		return
 	}
-	entry, ok := item.(*Entry)
-	return entry, ok
+	entry.LocalLockMap.Delete(key)
+}
+
+func (t *Table) getEntry(key string) (*Entry, bool) {
+	return t.mapping.Load(key)
+}
+
+func makeLock() *sync.Cond {
+	return sync.NewCond(&sync.Mutex{})
 }

 // New return *Cache
 func New() *Table {
-	return &Table{}
+	return &Table{
+		mapping: xsync.NewMapOf[*Entry](),
+		lockMap: xsync.NewMapOf[*sync.Cond](),
+	}
 }
--- a/component/process/patch.go
+++ b/component/process/patch.go
@ -0,0 +1,14 @@
+package process
+
+import "github.com/Dreamacro/clash/constant"
+
+type PackageNameResolver func(metadata *constant.Metadata) (string, error)
+
+var DefaultPackageNameResolver PackageNameResolver
+
+func FindPackageName(metadata *constant.Metadata) (string, error) {
+	if resolver := DefaultPackageNameResolver; resolver != nil {
+		return resolver(metadata)
+	}
+	return "", ErrPlatformNotSupport
+}
--- a/component/proxydialer/proxydialer.go
+++ b/component/proxydialer/proxydialer.go
@ -70,10 +70,7 @@ func (p proxyDialer) DialContext(ctx context.Context, network, address string) (
 }

 func (p proxyDialer) ListenPacket(ctx context.Context, network, address string, rAddrPort netip.AddrPort) (net.PacketConn, error) {
-	currentMeta := &C.Metadata{Type: C.INNER}
-	if err := currentMeta.SetRemoteAddress(rAddrPort.String()); err != nil {
-		return nil, err
-	}
+	currentMeta := &C.Metadata{Type: C.INNER, DstIP: rAddrPort.Addr(), DstPort: rAddrPort.Port()}
 	return p.listenPacket(ctx, currentMeta)
 }

--- a/component/proxydialer/sing.go
+++ b/component/proxydialer/sing.go
@ -0,0 +1,82 @@
+package proxydialer
+
+import (
+	"context"
+	"net"
+
+	C "github.com/Dreamacro/clash/constant"
+
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+)
+
+type SingDialer interface {
+	N.Dialer
+	SetDialer(dialer C.Dialer)
+}
+
+type singDialer proxyDialer
+
+var _ N.Dialer = (*singDialer)(nil)
+
+func (d *singDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+	return (*proxyDialer)(d).DialContext(ctx, network, destination.String())
+}
+
+func (d *singDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+	return (*proxyDialer)(d).ListenPacket(ctx, "udp", "", destination.AddrPort())
+}
+
+func (d *singDialer) SetDialer(dialer C.Dialer) {
+	(*proxyDialer)(d).dialer = dialer
+}
+
+func NewSingDialer(proxy C.ProxyAdapter, dialer C.Dialer, statistic bool) SingDialer {
+	return (*singDialer)(&proxyDialer{
+		proxy:     proxy,
+		dialer:    dialer,
+		statistic: statistic,
+	})
+}
+
+type byNameSingDialer struct {
+	dialer    C.Dialer
+	proxyName string
+}
+
+var _ N.Dialer = (*byNameSingDialer)(nil)
+
+func (d *byNameSingDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+	var cDialer C.Dialer = d.dialer
+	if len(d.proxyName) > 0 {
+		pd, err := NewByName(d.proxyName, d.dialer)
+		if err != nil {
+			return nil, err
+		}
+		cDialer = pd
+	}
+	return cDialer.DialContext(ctx, network, destination.String())
+}
+
+func (d *byNameSingDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+	var cDialer C.Dialer = d.dialer
+	if len(d.proxyName) > 0 {
+		pd, err := NewByName(d.proxyName, d.dialer)
+		if err != nil {
+			return nil, err
+		}
+		cDialer = pd
+	}
+	return cDialer.ListenPacket(ctx, "udp", "", destination.AddrPort())
+}
+
+func (d *byNameSingDialer) SetDialer(dialer C.Dialer) {
+	d.dialer = dialer
+}
+
+func NewByNameSingDialer(proxyName string, dialer C.Dialer) SingDialer {
+	return &byNameSingDialer{
+		dialer:    dialer,
+		proxyName: proxyName,
+	}
+}
--- a/component/resolver/host.go
+++ b/component/resolver/host.go
@ -4,6 +4,7 @@ import (
 	"errors"
 	"net/netip"
 	"strings"
+	_ "unsafe"

 	"github.com/Dreamacro/clash/common/utils"
 	"github.com/Dreamacro/clash/component/trie"
@ -20,28 +21,39 @@ func NewHosts(hosts *trie.DomainTrie[HostValue]) Hosts {
 	}
 }

+// lookupStaticHost looks up the addresses and the canonical name for the given host from /etc/hosts.
+//
+//go:linkname lookupStaticHost net.lookupStaticHost
+func lookupStaticHost(host string) ([]string, string)
+
 // Return the search result and whether to match the parameter `isDomain`
 func (h *Hosts) Search(domain string, isDomain bool) (*HostValue, bool) {
-	value := h.DomainTrie.Search(domain)
-	if value == nil {
-		return nil, false
-	}
-	hostValue := value.Data()
-	for {
-		if isDomain && hostValue.IsDomain {
-			return &hostValue, true
-		} else {
-			if node := h.DomainTrie.Search(hostValue.Domain); node != nil {
-				hostValue = node.Data()
+	if value := h.DomainTrie.Search(domain); value != nil {
+		hostValue := value.Data()
+		for {
+			if isDomain && hostValue.IsDomain {
+				return &hostValue, true
 			} else {
-				break
+				if node := h.DomainTrie.Search(hostValue.Domain); node != nil {
+					hostValue = node.Data()
+				} else {
+					break
+				}
 			}
 		}
+		if isDomain == hostValue.IsDomain {
+			return &hostValue, true
+		}
+
+		return &hostValue, false
 	}
-	if isDomain == hostValue.IsDomain {
-		return &hostValue, true
+	if !isDomain {
+		addr, _ := lookupStaticHost(domain)
+		if hostValue, err := NewHostValue(addr); err == nil {
+			return &hostValue, true
+		}
 	}
-	return &hostValue, false
+	return nil, false
 }

 type HostValue struct {
--- a/component/resolver/host_windows.go
+++ b/component/resolver/host_windows.go
@ -0,0 +1,19 @@
+//go:build !go1.22
+
+// a simple standard lib fix from: https://github.com/golang/go/commit/33d4a5105cf2b2d549922e909e9239a48b8cefcc
+
+package resolver
+
+import (
+	"golang.org/x/sys/windows"
+	_ "unsafe"
+)
+
+//go:linkname testHookHostsPath net.testHookHostsPath
+var testHookHostsPath string
+
+func init() {
+	if dir, err := windows.GetSystemDirectory(); err == nil {
+		testHookHostsPath = dir + "/Drivers/etc/hosts"
+	}
+}
--- a/component/resource/fetcher.go
+++ b/component/resource/fetcher.go
@ -9,6 +9,12 @@ import (

 	types "github.com/Dreamacro/clash/constant/provider"
 	"github.com/Dreamacro/clash/log"
+
+	"github.com/samber/lo"
+)
+
+const (
+	minInterval = time.Minute * 5
 )

 var (
@ -22,8 +28,7 @@ type Fetcher[V any] struct {
 	resourceType string
 	name         string
 	vehicle      types.Vehicle
-	UpdatedAt    *time.Time
-	ticker       *time.Ticker
+	UpdatedAt    time.Time
 	done         chan struct{}
 	hash         [16]byte
 	parser       Parser[V]
@ -54,7 +59,7 @@ func (f *Fetcher[V]) Initial() (V, error) {
 	if stat, fErr := os.Stat(f.vehicle.Path()); fErr == nil {
 		buf, err = os.ReadFile(f.vehicle.Path())
 		modTime := stat.ModTime()
-		f.UpdatedAt = &modTime
+		f.UpdatedAt = modTime
 		isLocal = true
 		if f.interval != 0 && modTime.Add(f.interval).Before(time.Now()) {
 			log.Warnln("[Provider] %s not updated for a long time, force refresh", f.Name())
@ -62,10 +67,11 @@ func (f *Fetcher[V]) Initial() (V, error) {
 		}
 	} else {
 		buf, err = f.vehicle.Read()
+		f.UpdatedAt = time.Now()
 	}

 	if err != nil {
-		return getZero[V](), err
+		return lo.Empty[V](), err
 	}

 	var contents V
@ -85,18 +91,18 @@ func (f *Fetcher[V]) Initial() (V, error) {

 	if err != nil {
 		if !isLocal {
-			return getZero[V](), err
+			return lo.Empty[V](), err
 		}

 		// parse local file error, fallback to remote
 		buf, err = f.vehicle.Read()
 		if err != nil {
-			return getZero[V](), err
+			return lo.Empty[V](), err
 		}

 		contents, err = f.parser(buf)
 		if err != nil {
-			return getZero[V](), err
+			return lo.Empty[V](), err
 		}

 		isLocal = false
@ -104,14 +110,14 @@ func (f *Fetcher[V]) Initial() (V, error) {

 	if f.vehicle.Type() != types.File && !isLocal {
 		if err := safeWrite(f.vehicle.Path(), buf); err != nil {
-			return getZero[V](), err
+			return lo.Empty[V](), err
 		}
 	}

 	f.hash = md5.Sum(buf)

 	// pull contents automatically
-	if f.ticker != nil {
+	if f.interval > 0 {
 		go f.pullLoop()
 	}

@ -121,45 +127,53 @@ func (f *Fetcher[V]) Initial() (V, error) {
 func (f *Fetcher[V]) Update() (V, bool, error) {
 	buf, err := f.vehicle.Read()
 	if err != nil {
-		return getZero[V](), false, err
+		return lo.Empty[V](), false, err
 	}

 	now := time.Now()
 	hash := md5.Sum(buf)
 	if bytes.Equal(f.hash[:], hash[:]) {
-		f.UpdatedAt = &now
+		f.UpdatedAt = now
 		_ = os.Chtimes(f.vehicle.Path(), now, now)
-		return getZero[V](), true, nil
+		return lo.Empty[V](), true, nil
 	}

 	contents, err := f.parser(buf)
 	if err != nil {
-		return getZero[V](), false, err
+		return lo.Empty[V](), false, err
 	}

 	if f.vehicle.Type() != types.File {
 		if err := safeWrite(f.vehicle.Path(), buf); err != nil {
-			return getZero[V](), false, err
+			return lo.Empty[V](), false, err
 		}
 	}

-	f.UpdatedAt = &now
+	f.UpdatedAt = now
 	f.hash = hash

 	return contents, false, nil
 }

 func (f *Fetcher[V]) Destroy() error {
-	if f.ticker != nil {
+	if f.interval > 0 {
 		f.done <- struct{}{}
 	}
 	return nil
 }

 func (f *Fetcher[V]) pullLoop() {
+	initialInterval := f.interval - time.Since(f.UpdatedAt)
+	if initialInterval < minInterval {
+		initialInterval = minInterval
+	}
+
+	timer := time.NewTimer(initialInterval)
+	defer timer.Stop()
 	for {
 		select {
-		case <-f.ticker.C:
+		case <-timer.C:
+			timer.Reset(f.interval)
 			elm, same, err := f.Update()
 			if err != nil {
 				log.Errorln("[Provider] %s pull error: %s", f.Name(), err.Error())
@ -176,7 +190,6 @@ func (f *Fetcher[V]) pullLoop() {
 				f.OnUpdate(elm)
 			}
 		case <-f.done:
-			f.ticker.Stop()
 			return
 		}
 	}
@ -195,23 +208,13 @@ func safeWrite(path string, buf []byte) error {
 }

 func NewFetcher[V any](name string, interval time.Duration, vehicle types.Vehicle, parser Parser[V], onUpdate func(V)) *Fetcher[V] {
-	var ticker *time.Ticker
-	if interval != 0 {
-		ticker = time.NewTicker(interval)
-	}

 	return &Fetcher[V]{
 		name:     name,
-		ticker:   ticker,
 		vehicle:  vehicle,
 		parser:   parser,
-		done:     make(chan struct{}, 1),
+		done:     make(chan struct{}, 8),
 		OnUpdate: onUpdate,
 		interval: interval,
 	}
 }
-
-func getZero[V any]() V {
-	var result V
-	return result
-}
--- a/component/sniffer/base_sniffer.go
+++ b/component/sniffer/base_sniffer.go
@ -23,8 +23,8 @@ func (*BaseSniffer) Protocol() string {
 	return "unknown"
 }

-// SniffTCP implements sniffer.Sniffer
-func (*BaseSniffer) SniffTCP(bytes []byte) (string, error) {
+// SniffData implements sniffer.Sniffer
+func (*BaseSniffer) SniffData(bytes []byte) (string, error) {
 	return "", errors.New("TODO")
 }

--- a/component/sniffer/dispatcher.go
+++ b/component/sniffer/dispatcher.go
@ -35,8 +35,40 @@ type SnifferDispatcher struct {
 	parsePureIp     bool
 }

-func (sd *SnifferDispatcher) TCPSniff(conn *N.BufferedConn, metadata *C.Metadata) {
-	if (metadata.Host == "" && sd.parsePureIp) || sd.forceDomain.Has(metadata.Host) || (metadata.DNSMode == C.DNSMapping && sd.forceDnsMapping) {
+func (sd *SnifferDispatcher) shouldOverride(metadata *C.Metadata) bool {
+	return (metadata.Host == "" && sd.parsePureIp) ||
+		sd.forceDomain.Has(metadata.Host) ||
+		(metadata.DNSMode == C.DNSMapping && sd.forceDnsMapping)
+}
+
+func (sd *SnifferDispatcher) UDPSniff(packet C.PacketAdapter) bool {
+	metadata := packet.Metadata()
+
+	if sd.shouldOverride(packet.Metadata()) {
+		for sniffer, config := range sd.sniffers {
+			if sniffer.SupportNetwork() == C.UDP || sniffer.SupportNetwork() == C.ALLNet {
+				inWhitelist := sniffer.SupportPort(metadata.DstPort)
+				overrideDest := config.OverrideDest
+
+				if inWhitelist {
+					host, err := sniffer.SniffData(packet.Data())
+					if err != nil {
+						continue
+					}
+
+					sd.replaceDomain(metadata, host, overrideDest)
+					return true
+				}
+			}
+		}
+	}
+
+	return false
+}
+
+// TCPSniff returns true if the connection is sniffed to have a domain
+func (sd *SnifferDispatcher) TCPSniff(conn *N.BufferedConn, metadata *C.Metadata) bool {
+	if sd.shouldOverride(metadata) {
 		inWhitelist := false
 		overrideDest := false
 		for sniffer, config := range sd.sniffers {
@ -50,7 +82,7 @@ func (sd *SnifferDispatcher) TCPSniff(conn *N.BufferedConn, metadata *C.Metadata
 		}

 		if !inWhitelist {
-			return
+			return false
 		}

 		sd.rwMux.RLock()
@ -58,18 +90,18 @@ func (sd *SnifferDispatcher) TCPSniff(conn *N.BufferedConn, metadata *C.Metadata
 		if count, ok := sd.skipList.Get(dst); ok && count > 5 {
 			log.Debugln("[Sniffer] Skip sniffing[%s] due to multiple failures", dst)
 			defer sd.rwMux.RUnlock()
-			return
+			return false
 		}
 		sd.rwMux.RUnlock()

 		if host, err := sd.sniffDomain(conn, metadata); err != nil {
 			sd.cacheSniffFailed(metadata)
 			log.Debugln("[Sniffer] All sniffing sniff failed with from [%s:%d] to [%s:%d]", metadata.SrcIP, metadata.SrcPort, metadata.String(), metadata.DstPort)
-			return
+			return false
 		} else {
 			if sd.skipSNI.Has(host) {
 				log.Debugln("[Sniffer] Skip sni[%s]", host)
-				return
+				return false
 			}

 			sd.rwMux.RLock()
@ -77,20 +109,24 @@ func (sd *SnifferDispatcher) TCPSniff(conn *N.BufferedConn, metadata *C.Metadata
 			sd.rwMux.RUnlock()

 			sd.replaceDomain(metadata, host, overrideDest)
+			return true
 		}
 	}
+	return false
 }

 func (sd *SnifferDispatcher) replaceDomain(metadata *C.Metadata, host string, overrideDest bool) {
+	// show log early, since the following code may mutate `metadata.Host`
+	log.Debugln("[Sniffer] Sniff %s [%s]-->[%s] success, replace domain [%s]-->[%s]",
+		metadata.NetWork,
+		metadata.SourceDetail(),
+		metadata.RemoteAddress(),
+		metadata.Host, host)
 	metadata.SniffHost = host
 	if overrideDest {
 		metadata.Host = host
 	}
 	metadata.DNSMode = C.DNSNormal
-	log.Debugln("[Sniffer] Sniff TCP [%s]-->[%s] success, replace domain [%s]-->[%s]",
-		metadata.SourceDetail(),
-		metadata.RemoteAddress(),
-		metadata.Host, host)
 }

 func (sd *SnifferDispatcher) Enable() bool {
@ -121,7 +157,7 @@ func (sd *SnifferDispatcher) sniffDomain(conn *N.BufferedConn, metadata *C.Metad
 				continue
 			}

-			host, err := s.SniffTCP(bytes)
+			host, err := s.SniffData(bytes)
 			if err != nil {
 				//log.Debugln("[Sniffer] [%s] Sniff data failed %s", s.Protocol(), metadata.DstIP)
 				continue
@ -190,6 +226,8 @@ func NewSniffer(name sniffer.Type, snifferConfig SnifferConfig) (sniffer.Sniffer
 		return NewTLSSniffer(snifferConfig)
 	case sniffer.HTTP:
 		return NewHTTPSniffer(snifferConfig)
+	case sniffer.QUIC:
+		return NewQuicSniffer(snifferConfig)
 	default:
 		return nil, ErrorUnsupportedSniffer
 	}
--- a/component/sniffer/http_sniffer.go
+++ b/component/sniffer/http_sniffer.go
@ -58,7 +58,7 @@ func (http *HTTPSniffer) SupportNetwork() C.NetWork {
 	return C.TCP
 }

-func (http *HTTPSniffer) SniffTCP(bytes []byte) (string, error) {
+func (http *HTTPSniffer) SniffData(bytes []byte) (string, error) {
 	domain, err := SniffHTTP(bytes)
 	if err == nil {
 		return *domain, nil
--- a/component/sniffer/quic_sniffer.go
+++ b/component/sniffer/quic_sniffer.go
@ -1,3 +1,287 @@
 package sniffer

-//TODO
+import (
+	"crypto"
+	"crypto/aes"
+	"crypto/cipher"
+	"encoding/binary"
+	"errors"
+	"io"
+
+	"github.com/Dreamacro/clash/common/buf"
+	"github.com/Dreamacro/clash/common/utils"
+	C "github.com/Dreamacro/clash/constant"
+
+	"github.com/metacubex/quic-go/quicvarint"
+	"golang.org/x/crypto/hkdf"
+)
+
+// Modified from https://github.com/v2fly/v2ray-core/blob/master/common/protocol/quic/sniff.go
+
+const (
+	versionDraft29 uint32 = 0xff00001d
+	version1       uint32 = 0x1
+)
+
+var (
+	quicSaltOld       = []byte{0xaf, 0xbf, 0xec, 0x28, 0x99, 0x93, 0xd2, 0x4c, 0x9e, 0x97, 0x86, 0xf1, 0x9c, 0x61, 0x11, 0xe0, 0x43, 0x90, 0xa8, 0x99}
+	quicSalt          = []byte{0x38, 0x76, 0x2c, 0xf7, 0xf5, 0x59, 0x34, 0xb3, 0x4d, 0x17, 0x9a, 0xe6, 0xa4, 0xc8, 0x0c, 0xad, 0xcc, 0xbb, 0x7f, 0x0a}
+	errNotQuic        = errors.New("not QUIC")
+	errNotQuicInitial = errors.New("not QUIC initial packet")
+)
+
+type QuicSniffer struct {
+	*BaseSniffer
+}
+
+func NewQuicSniffer(snifferConfig SnifferConfig) (*QuicSniffer, error) {
+	ports := snifferConfig.Ports
+	if len(ports) == 0 {
+		ports = utils.IntRanges[uint16]{utils.NewRange[uint16](443, 443)}
+	}
+	return &QuicSniffer{
+		BaseSniffer: NewBaseSniffer(ports, C.UDP),
+	}, nil
+}
+
+func (quic QuicSniffer) Protocol() string {
+	return "quic"
+}
+
+func (quic QuicSniffer) SupportNetwork() C.NetWork {
+	return C.UDP
+}
+
+func (quic QuicSniffer) SniffData(b []byte) (string, error) {
+	buffer := buf.As(b)
+	typeByte, err := buffer.ReadByte()
+	if err != nil {
+		return "", errNotQuic
+	}
+	isLongHeader := typeByte&0x80 > 0
+	if !isLongHeader || typeByte&0x40 == 0 {
+		return "", errNotQuicInitial
+	}
+
+	vb, err := buffer.ReadBytes(4)
+	if err != nil {
+		return "", errNotQuic
+	}
+
+	versionNumber := binary.BigEndian.Uint32(vb)
+
+	if versionNumber != 0 && typeByte&0x40 == 0 {
+		return "", errNotQuic
+	} else if versionNumber != versionDraft29 && versionNumber != version1 {
+		return "", errNotQuic
+	}
+
+	if (typeByte&0x30)>>4 != 0x0 {
+		return "", errNotQuicInitial
+	}
+
+	var destConnID []byte
+	if l, err := buffer.ReadByte(); err != nil {
+		return "", errNotQuic
+	} else if destConnID, err = buffer.ReadBytes(int(l)); err != nil {
+		return "", errNotQuic
+	}
+
+	if l, err := buffer.ReadByte(); err != nil {
+		return "", errNotQuic
+	} else if _, err := buffer.ReadBytes(int(l)); err != nil {
+		return "", errNotQuic
+	}
+
+	tokenLen, err := quicvarint.Read(buffer)
+	if err != nil || tokenLen > uint64(len(b)) {
+		return "", errNotQuic
+	}
+
+	if _, err = buffer.ReadBytes(int(tokenLen)); err != nil {
+		return "", errNotQuic
+	}
+
+	packetLen, err := quicvarint.Read(buffer)
+	if err != nil {
+		return "", errNotQuic
+	}
+
+	hdrLen := len(b) - buffer.Len()
+
+	var salt []byte
+	if versionNumber == version1 {
+		salt = quicSalt
+	} else {
+		salt = quicSaltOld
+	}
+	initialSecret := hkdf.Extract(crypto.SHA256.New, destConnID, salt)
+	secret := hkdfExpandLabel(crypto.SHA256, initialSecret, []byte{}, "client in", crypto.SHA256.Size())
+	hpKey := hkdfExpandLabel(crypto.SHA256, secret, []byte{}, "quic hp", 16)
+	block, err := aes.NewCipher(hpKey)
+	if err != nil {
+		return "", err
+	}
+
+	cache := buf.NewPacket()
+	defer cache.Release()
+
+	mask := cache.Extend(block.BlockSize())
+	block.Encrypt(mask, b[hdrLen+4:hdrLen+4+16])
+	firstByte := b[0]
+	// Encrypt/decrypt first byte.
+	if isLongHeader {
+		// Long header: 4 bits masked
+		// High 4 bits are not protected.
+		firstByte ^= mask[0] & 0x0f
+	} else {
+		// Short header: 5 bits masked
+		// High 3 bits are not protected.
+		firstByte ^= mask[0] & 0x1f
+	}
+	packetNumberLength := int(firstByte&0x3 + 1) // max = 4 (64-bit sequence number)
+	extHdrLen := hdrLen + packetNumberLength
+
+	// copy to avoid modify origin data
+	extHdr := cache.Extend(extHdrLen)
+	copy(extHdr, b)
+	extHdr[0] = firstByte
+
+	packetNumber := extHdr[hdrLen:extHdrLen]
+	// Encrypt/decrypt packet number.
+	for i := range packetNumber {
+		packetNumber[i] ^= mask[1+i]
+	}
+
+	if packetNumber[0] != 0 && packetNumber[0] != 1 {
+		return "", errNotQuicInitial
+	}
+
+	data := b[extHdrLen : int(packetLen)+hdrLen]
+
+	key := hkdfExpandLabel(crypto.SHA256, secret, []byte{}, "quic key", 16)
+	iv := hkdfExpandLabel(crypto.SHA256, secret, []byte{}, "quic iv", 12)
+	aesCipher, err := aes.NewCipher(key)
+	if err != nil {
+		return "", err
+	}
+	aead, err := cipher.NewGCM(aesCipher)
+	if err != nil {
+		return "", err
+	}
+	// We only decrypt once, so we do not need to XOR it back.
+	// https://github.com/quic-go/qtls-go1-20/blob/e132a0e6cb45e20ac0b705454849a11d09ba5a54/cipher_suites.go#L496
+	for i, b := range packetNumber {
+		iv[len(iv)-len(packetNumber)+i] ^= b
+	}
+	dst := cache.Extend(len(data))
+	decrypted, err := aead.Open(dst[:0], iv, data, extHdr)
+	if err != nil {
+		return "", err
+	}
+	buffer = buf.As(decrypted)
+
+	cryptoLen := uint(0)
+	cryptoData := cache.Extend(buffer.Len())
+	for i := 0; !buffer.IsEmpty(); i++ {
+		frameType := byte(0x0) // Default to PADDING frame
+		for frameType == 0x0 && !buffer.IsEmpty() {
+			frameType, _ = buffer.ReadByte()
+		}
+		switch frameType {
+		case 0x00: // PADDING frame
+		case 0x01: // PING frame
+		case 0x02, 0x03: // ACK frame
+			if _, err = quicvarint.Read(buffer); err != nil { // Field: Largest Acknowledged
+				return "", io.ErrUnexpectedEOF
+			}
+			if _, err = quicvarint.Read(buffer); err != nil { // Field: ACK Delay
+				return "", io.ErrUnexpectedEOF
+			}
+			ackRangeCount, err := quicvarint.Read(buffer) // Field: ACK Range Count
+			if err != nil {
+				return "", io.ErrUnexpectedEOF
+			}
+			if _, err = quicvarint.Read(buffer); err != nil { // Field: First ACK Range
+				return "", io.ErrUnexpectedEOF
+			}
+			for i := 0; i < int(ackRangeCount); i++ { // Field: ACK Range
+				if _, err = quicvarint.Read(buffer); err != nil { // Field: ACK Range -> Gap
+					return "", io.ErrUnexpectedEOF
+				}
+				if _, err = quicvarint.Read(buffer); err != nil { // Field: ACK Range -> ACK Range Length
+					return "", io.ErrUnexpectedEOF
+				}
+			}
+			if frameType == 0x03 {
+				if _, err = quicvarint.Read(buffer); err != nil { // Field: ECN Counts -> ECT0 Count
+					return "", io.ErrUnexpectedEOF
+				}
+				if _, err = quicvarint.Read(buffer); err != nil { // Field: ECN Counts -> ECT1 Count
+					return "", io.ErrUnexpectedEOF
+				}
+				if _, err = quicvarint.Read(buffer); err != nil { //nolint:misspell // Field: ECN Counts -> ECT-CE Count
+					return "", io.ErrUnexpectedEOF
+				}
+			}
+		case 0x06: // CRYPTO frame, we will use this frame
+			offset, err := quicvarint.Read(buffer) // Field: Offset
+			if err != nil {
+				return "", io.ErrUnexpectedEOF
+			}
+			length, err := quicvarint.Read(buffer) // Field: Length
+			if err != nil || length > uint64(buffer.Len()) {
+				return "", io.ErrUnexpectedEOF
+			}
+			if cryptoLen < uint(offset+length) {
+				cryptoLen = uint(offset + length)
+			}
+			if _, err := buffer.Read(cryptoData[offset : offset+length]); err != nil { // Field: Crypto Data
+				return "", io.ErrUnexpectedEOF
+			}
+		case 0x1c: // CONNECTION_CLOSE frame, only 0x1c is permitted in initial packet
+			if _, err = quicvarint.Read(buffer); err != nil { // Field: Error Code
+				return "", io.ErrUnexpectedEOF
+			}
+			if _, err = quicvarint.Read(buffer); err != nil { // Field: Frame Type
+				return "", io.ErrUnexpectedEOF
+			}
+			length, err := quicvarint.Read(buffer) // Field: Reason Phrase Length
+			if err != nil {
+				return "", io.ErrUnexpectedEOF
+			}
+			if _, err := buffer.ReadBytes(int(length)); err != nil { // Field: Reason Phrase
+				return "", io.ErrUnexpectedEOF
+			}
+		default:
+			// Only above frame types are permitted in initial packet.
+			// See https://www.rfc-editor.org/rfc/rfc9000.html#section-17.2.2-8
+			return "", errNotQuicInitial
+		}
+	}
+
+	domain, err := ReadClientHello(cryptoData[:cryptoLen])
+	if err != nil {
+		return "", err
+	}
+
+	return *domain, nil
+}
+
+func hkdfExpandLabel(hash crypto.Hash, secret, context []byte, label string, length int) []byte {
+	b := make([]byte, 3, 3+6+len(label)+1+len(context))
+	binary.BigEndian.PutUint16(b, uint16(length))
+	b[2] = uint8(6 + len(label))
+	b = append(b, []byte("tls13 ")...)
+	b = append(b, []byte(label)...)
+	b = b[:3+6+len(label)+1]
+	b[3+6+len(label)] = uint8(len(context))
+	b = append(b, context...)
+
+	out := make([]byte, length)
+	n, err := hkdf.Expand(hash.New, secret, b).Read(out)
+	if err != nil || n != length {
+		panic("quic: HKDF-Expand-Label invocation failed unexpectedly")
+	}
+	return out
+}
--- a/component/sniffer/sniff_test.go
+++ b/component/sniffer/sniff_test.go
@ -1,9 +1,40 @@
 package sniffer

 import (
+	"bytes"
+	"encoding/hex"
+	"github.com/stretchr/testify/assert"
 	"testing"
 )

+func TestQuicHeaders(t *testing.T) {
+	cases := []struct {
+		input  string
+		domain string
+	}{
+		{
+			input:  "cd0000000108f1fb7bcc78aa5e7203a8f86400421531fe825b19541876db6c55c38890cd73149d267a084afee6087304095417a3033df6a81bbb71d8512e7a3e16df1e277cae5df3182cb214b8fe982ba3fdffbaa9ffec474547d55945f0fddbeadfb0b5243890b2fa3da45169e2bd34ec04b2e29382f48d612b28432a559757504d158e9e505407a77dd34f4b60b8d3b555ee85aacd6648686802f4de25e7216b19e54c5f78e8a5963380c742d861306db4c16e4f7fc94957aa50b9578a0b61f1e406b2ad5f0cd3cd271c4d99476409797b0c3cb3efec256118912d4b7e4fd79d9cb9016b6e5eaa4f5e57b637b217755daf8968a4092bed0ed5413f5d04904b3a61e4064f9211b2629e5b52a89c7b19f37a713e41e27743ea6dfa736dfa1bb0a4b2bc8c8dc632c6ce963493a20c550e6fdb2475213665e9a85cfc394da9cec0cf41f0c8abed3fc83be5245b2b5aa5e825d29349f721d30774ef5bf965b540f3d8d98febe20956b1fc8fa047e10e7d2f921c9c6622389e02322e80621a1cf5264e245b7276966eb02932584e3f7038bd36aa908766ad3fb98344025dec18670d6db43a1c5daac00937fce7b7c7d61ff4e6efd01a2bdee0ee183108b926393df4f3d74bbcbb015f240e7e346b7d01c41111a401225ce3b095ab4623a5836169bf9599eeca79d1d2e9b2202b5960a09211e978058d6fc0484eff3e91ce4649a5e3ba15b906d334cf66e28d9ff575406e1ae1ac2febafd72870b6f5d58fc5fb949cb1f40feb7c1d9ce5e71b",
+			domain: "www.google.com",
+		},
+		{
+			input:  "c3000000011266f50524e8d0fe88cbf51e3ad71a13198235000044c82dc5d943fb34cc6d5c5e433610dc7a44f5951935c2c1d14ac641b02472340a892c4492dbfe3f8262109108fc36d96bdc1e9e46b5f1f6ef6104add2aafbfd8e79246eb3b4637541aaed7d195571724e642ab4d31c909f1db86e7d8516117ce8716bd1e3acb664c499086b0f3bc7258595420e7bb969f934457d195e832ffff4ffddf11123eeadacc48190e356c8f0f6abc381deb7e285e3b0613a795b19bddb9f002ffdf6fd70f0ff2072302b33d2421aac6540bb9f0e85c7237af0dd56225b2264d769160febab952e64bd5155f23e58c6113891143f946591032b41816aed3ac54f521f60605f86791de24c5765b664c1348cc53d5d631b4bbefe1915f2b21fefafb47badeb72d8ba1fd5c3cfeb0ba9d0112396f170e94cd33952c4fa87997b870931bf1a300e8e127f530815ff087815b4f9d004cbcd17013ac143847572a1655a5b36e054e8b9951d747c2c6ff25d7b2edb13a2a6b8074062332f2191f6830cf435a4ed9db5d9c4eb43a143bf3edf0c48f6f9435dafad4afb743a5a33990379df953ecd388e848aff0ebba9ccc052b8303c0bd1fee7e7553af1894e81b7772818bb69249540ccb8cfb47b1517abaf71c81c3bd271f1a5f1b66465f850f377c9db682b8e543c3d0c10fcd2dee263630889b7d1d521d1d27e866ea4ab5f43790d6a7f76ceefd5783678ca92cc131fa42fc4a01e2a81cad734ddf17a53e1bda8e0a21afc9e8c1118c9459b13519f5b3c3d9692c92234f01129d47ae8ec70625170847472801190b46d36f73b868f55f5a18a3cb05af6d38610e0829e4fbf13ddcc202341702e43dcf33be76ff4afe327e5783287c137aad075752940b41e7d9f5146e36d908897c6d7a9fdc343fde2d9c9d6e6a6b237669bd3e6abe0a732861a679eadfa29a876c6a646953c9361830811b012b26b31c9e7158f8de9c9a108346ddee3dd3886da6258364c1281bff8e055f6384e3a23e198b5e6b726fa7f811b3338072019d4b5fd05891770d11e3ed6ab5f7ed33db1c6220c5aa8fa1909949ac55d5435b75982e17aa80940fa574f0aba4dc340129cad491fdf1f5e05c4e83e36ad29ff38f15e1c9436c792024442f57f07583d671dd05446c84ea20b471303f6ae4e5e13f244d671e0ebe94d3d5c17d3f3f378cdd51fa8a6d2c977c78a2397dd1e251cd979803d617d45f575e5d9db0a28b3c4c25fe2af24af5bddac09786b6d6d8aa19cfbd5409bdbfed7d518ef5c863f3ee757bd9d37cddc546cc57d2e52b6ae58789f297a300f1d76c3842603eae4b1224de31a939a68875c86e697aeebf7ebc65568f43fc681bacab830ac4a2164d324e90067125bad702192d01cb3cb3d2689ae681967e86fd7ac93a25cf2e905c88ca5ad7d11962f021754cf3f61224517bd3411d5b5a83955bcea79d702466d073a6eaadc1202b3693e555b051a5b19457023a01e7f943742bb7f5f8aeba8d4e363973aebdccfb12479619cfb93e833be702a307e796dc7431a48abd9b755b392c510b98cd20ef778e2ac88d6a04f23ba8a253d7eb7c13e0c88c3a21f7e23857c58704d139703a47e0965bf2dc8810dc36894ac1f3da73c155e271c106a718b2d184e4e5637c820fe909984642960edfc9e62ac50af5dd3feee6bc560ced7bda676d4e290c9c5916fad52180bbc83d3483e95c79bac15c209936f21042dc2b6253eefdac06e7f4745044eaa0acedabf1d1c8cd9402738",
+			domain: "cloudflare-dns.com",
+		},
+	}
+	q, err := NewQuicSniffer(SnifferConfig{})
+	assert.NoError(t, err)
+
+	for _, test := range cases {
+		pkt, err := hex.DecodeString(test.input)
+		assert.NoError(t, err)
+		oriPkt := bytes.Clone(pkt)
+		domain, err := q.SniffData(pkt)
+		assert.NoError(t, err)
+		assert.Equal(t, test.domain, domain)
+		assert.Equal(t, oriPkt, pkt) // ensure input data not changed
+	}
+}
+
 func TestTLSHeaders(t *testing.T) {
 	cases := []struct {
 		input  []byte
@ -142,6 +173,7 @@ func TestTLSHeaders(t *testing.T) {
 	}

 	for _, test := range cases {
+		input := bytes.Clone(test.input)
 		domain, err := SniffTLS(test.input)
 		if test.err {
 			if err == nil {
@ -155,5 +187,6 @@ func TestTLSHeaders(t *testing.T) {
 				t.Error("expect domain ", test.domain, " but got ", domain)
 			}
 		}
+		assert.Equal(t, input, test.input)
 	}
 }
--- a/component/sniffer/tls_sniffer.go
+++ b/component/sniffer/tls_sniffer.go
@ -39,7 +39,7 @@ func (tls *TLSSniffer) SupportNetwork() C.NetWork {
 	return C.TCP
 }

-func (tls *TLSSniffer) SniffTCP(bytes []byte) (string, error) {
+func (tls *TLSSniffer) SniffData(bytes []byte) (string, error) {
 	domain, err := SniffTLS(bytes)
 	if err == nil {
 		return *domain, nil
--- a/component/tls/reality.go
+++ b/component/tls/reality.go
@ -22,6 +22,7 @@ import (

 	"github.com/Dreamacro/clash/common/utils"
 	"github.com/Dreamacro/clash/log"
+	"github.com/Dreamacro/clash/ntp"

 	utls "github.com/sagernet/utls"
 	"github.com/zhangyunhao116/fastrand"
@ -42,7 +43,8 @@ type RealityConfig struct {
 func aesgcmPreferred(ciphers []uint16) bool

 func GetRealityConn(ctx context.Context, conn net.Conn, ClientFingerprint string, tlsConfig *tls.Config, realityConfig *RealityConfig) (net.Conn, error) {
-	if fingerprint, exists := GetFingerprint(ClientFingerprint); exists {
+	retry := 0
+	for fingerprint, exists := GetFingerprint(ClientFingerprint); exists; retry++ {
 		verifier := &realityVerifier{
 			serverName: tlsConfig.ServerName,
 		}
@ -70,7 +72,7 @@ func GetRealityConn(ctx context.Context, conn net.Conn, ClientFingerprint string
 			rawSessionID[i] = 0
 		}

-		binary.BigEndian.PutUint64(hello.SessionId, uint64(time.Now().Unix()))
+		binary.BigEndian.PutUint64(hello.SessionId, uint64(ntp.Now().Unix()))

 		copy(hello.SessionId[8:], realityConfig.ShortID[:])
 		hello.SessionId[0] = 1
@ -79,7 +81,15 @@ func GetRealityConn(ctx context.Context, conn net.Conn, ClientFingerprint string

 		//log.Debugln("REALITY hello.sessionId[:16]: %v", hello.SessionId[:16])

-		authKey := uConn.HandshakeState.State13.EcdheParams.SharedKey(realityConfig.PublicKey[:])
+		ecdheParams := uConn.HandshakeState.State13.EcdheParams
+		if ecdheParams == nil {
+			// WTF???
+			if retry > 2 {
+				return nil, errors.New("nil ecdheParams")
+			}
+			continue // retry
+		}
+		authKey := ecdheParams.SharedKey(realityConfig.PublicKey[:])
 		if authKey == nil {
 			return nil, errors.New("nil auth_key")
 		}
--- a/component/tls/utls.go
+++ b/component/tls/utls.go
@ -21,7 +21,7 @@ type UClientHelloID struct {
 var initRandomFingerprint UClientHelloID
 var initUtlsClient string

-func UClient(c net.Conn, config *tls.Config, fingerprint UClientHelloID) net.Conn {
+func UClient(c net.Conn, config *tls.Config, fingerprint UClientHelloID) *UConn {
 	utlsConn := utls.UClient(c, copyConfig(config), utls.ClientHelloID{
 		Client:  fingerprint.Client,
 		Version: fingerprint.Version,
@ -99,10 +99,9 @@ func copyConfig(c *tls.Config) *utls.Config {
 	}
 }

-// WebsocketHandshake basically calls UConn.Handshake inside it but it will only send
-// http/1.1 in its ALPN.
+// BuildWebsocketHandshakeState it will only send http/1.1 in its ALPN.
 // Copy from https://github.com/XTLS/Xray-core/blob/main/transport/internet/tls/tls.go
-func (c *UConn) WebsocketHandshake() error {
+func (c *UConn) BuildWebsocketHandshakeState() error {
 	// Build the handshake state. This will apply every variable of the TLS of the
 	// fingerprint in the UConn
 	if err := c.BuildHandshakeState(); err != nil {
@ -120,11 +119,11 @@ func (c *UConn) WebsocketHandshake() error {
 	if !hasALPNExtension { // Append extension if doesn't exists
 		c.Extensions = append(c.Extensions, &utls.ALPNExtension{AlpnProtocols: []string{"http/1.1"}})
 	}
-	// Rebuild the client hello and do the handshake
+	// Rebuild the client hello
 	if err := c.BuildHandshakeState(); err != nil {
 		return err
 	}
-	return c.Handshake()
+	return nil
 }

 func SetGlobalUtlsClient(Client string) {
--- a/config/config.go
+++ b/config/config.go
@ -8,6 +8,7 @@ import (
 	"net/netip"
 	"net/url"
 	"os"
+	"path"
 	"regexp"
 	"strings"
 	"time"
@ -16,9 +17,9 @@ import (
 	"github.com/Dreamacro/clash/adapter/outbound"
 	"github.com/Dreamacro/clash/adapter/outboundgroup"
 	"github.com/Dreamacro/clash/adapter/provider"
+	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/common/utils"
 	"github.com/Dreamacro/clash/component/auth"
-	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/fakeip"
 	"github.com/Dreamacro/clash/component/geodata"
 	"github.com/Dreamacro/clash/component/geodata/router"
@ -57,26 +58,27 @@ type General struct {
 	TCPConcurrent           bool              `json:"tcp-concurrent"`
 	FindProcessMode         P.FindProcessMode `json:"find-process-mode"`
 	Sniffing                bool              `json:"sniffing"`
-	EBpf                    EBpf              `json:"-"`
 	GlobalClientFingerprint string            `json:"global-client-fingerprint"`
+	GlobalUA                string            `json:"global-ua"`
 }

 // Inbound config
 type Inbound struct {
-	Port              int           `json:"port"`
-	SocksPort         int           `json:"socks-port"`
-	RedirPort         int           `json:"redir-port"`
-	TProxyPort        int           `json:"tproxy-port"`
-	MixedPort         int           `json:"mixed-port"`
-	Tun               LC.Tun        `json:"tun"`
-	TuicServer        LC.TuicServer `json:"tuic-server"`
-	ShadowSocksConfig string        `json:"ss-config"`
-	VmessConfig       string        `json:"vmess-config"`
-	Authentication    []string      `json:"authentication"`
-	AllowLan          bool          `json:"allow-lan"`
-	BindAddress       string        `json:"bind-address"`
-	InboundTfo        bool          `json:"inbound-tfo"`
-	InboundMPTCP      bool          `json:"inbound-mptcp"`
+	Port              int            `json:"port"`
+	SocksPort         int            `json:"socks-port"`
+	RedirPort         int            `json:"redir-port"`
+	TProxyPort        int            `json:"tproxy-port"`
+	MixedPort         int            `json:"mixed-port"`
+	Tun               LC.Tun         `json:"tun"`
+	TuicServer        LC.TuicServer  `json:"tuic-server"`
+	ShadowSocksConfig string         `json:"ss-config"`
+	VmessConfig       string         `json:"vmess-config"`
+	Authentication    []string       `json:"authentication"`
+	SkipAuthPrefixes  []netip.Prefix `json:"skip-auth-prefixes"`
+	AllowLan          bool           `json:"allow-lan"`
+	BindAddress       string         `json:"bind-address"`
+	InboundTfo        bool           `json:"inbound-tfo"`
+	InboundMPTCP      bool           `json:"inbound-mptcp"`
 }

 // Controller config
@ -87,6 +89,16 @@ type Controller struct {
 	Secret                string `json:"-"`
 }

+// NTP config
+type NTP struct {
+	Enable        bool   `yaml:"enable"`
+	Server        string `yaml:"server"`
+	Port          int    `yaml:"port"`
+	Interval      int    `yaml:"interval"`
+	DialerProxy   string `yaml:"dialer-proxy"`
+	WriteToSystem bool   `yaml:"write-to-system"`
+}
+
 // DNS config
 type DNS struct {
 	Enable                bool             `yaml:"enable"`
@ -109,7 +121,7 @@ type DNS struct {
 type FallbackFilter struct {
 	GeoIP     bool                    `yaml:"geoip"`
 	GeoIPCode string                  `yaml:"geoip-code"`
-	IPCIDR    []*netip.Prefix         `yaml:"ipcidr"`
+	IPCIDR    []netip.Prefix          `yaml:"ipcidr"`
 	Domain    []string                `yaml:"domain"`
 	GeoSite   []*router.DomainMatcher `yaml:"geosite"`
 }
@ -144,13 +156,16 @@ type Sniffer struct {

 // Experimental config
 type Experimental struct {
-	Fingerprints []string `yaml:"fingerprints"`
+	Fingerprints     []string `yaml:"fingerprints"`
+	QUICGoDisableGSO bool     `yaml:"quic-go-disable-gso"`
+	QUICGoDisableECN bool     `yaml:"quic-go-disable-ecn"`
 }

 // Config is clash config manager
 type Config struct {
 	General       *General
 	IPTables      *IPTables
+	NTP           *NTP
 	DNS           *DNS
 	Experimental  *Experimental
 	Hosts         *trie.DomainTrie[resolver.HostValue]
@ -167,30 +182,44 @@ type Config struct {
 	TLS           *TLS
 }

+type RawNTP struct {
+	Enable        bool   `yaml:"enable"`
+	Server        string `yaml:"server"`
+	ServerPort    int    `yaml:"server-port"`
+	Interval      int    `yaml:"interval"`
+	DialerProxy   string `yaml:"dialer-proxy"`
+	WriteToSystem bool   `yaml:"write-to-system"`
+}
+
 type RawDNS struct {
-	Enable                bool              `yaml:"enable"`
-	PreferH3              bool              `yaml:"prefer-h3"`
-	IPv6                  bool              `yaml:"ipv6"`
-	IPv6Timeout           uint              `yaml:"ipv6-timeout"`
-	UseHosts              bool              `yaml:"use-hosts"`
-	NameServer            []string          `yaml:"nameserver"`
-	Fallback              []string          `yaml:"fallback"`
-	FallbackFilter        RawFallbackFilter `yaml:"fallback-filter"`
-	Listen                string            `yaml:"listen"`
-	EnhancedMode          C.DNSMode         `yaml:"enhanced-mode"`
-	FakeIPRange           string            `yaml:"fake-ip-range"`
-	FakeIPFilter          []string          `yaml:"fake-ip-filter"`
-	DefaultNameserver     []string          `yaml:"default-nameserver"`
-	NameServerPolicy      map[string]any    `yaml:"nameserver-policy"`
-	ProxyServerNameserver []string          `yaml:"proxy-server-nameserver"`
+	Enable                bool              `yaml:"enable" json:"enable"`
+	PreferH3              bool              `yaml:"prefer-h3" json:"prefer-h3"`
+	IPv6                  bool              `yaml:"ipv6" json:"ipv6"`
+	IPv6Timeout           uint              `yaml:"ipv6-timeout" json:"ipv6-timeout"`
+	UseHosts              bool              `yaml:"use-hosts" json:"use-hosts"`
+	NameServer            []string          `yaml:"nameserver" json:"nameserver"`
+	Fallback              []string          `yaml:"fallback" json:"fallback"`
+	FallbackFilter        RawFallbackFilter `yaml:"fallback-filter" json:"fallback-filter"`
+	Listen                string            `yaml:"listen" json:"listen"`
+	EnhancedMode          C.DNSMode         `yaml:"enhanced-mode" json:"enhanced-mode"`
+	FakeIPRange           string            `yaml:"fake-ip-range" json:"fake-ip-range"`
+	FakeIPFilter          []string          `yaml:"fake-ip-filter" json:"fake-ip-filter"`
+	DefaultNameserver     []string          `yaml:"default-nameserver" json:"default-nameserver"`
+	NameServerPolicy      map[string]any    `yaml:"nameserver-policy" json:"nameserver-policy"`
+	ProxyServerNameserver []string          `yaml:"proxy-server-nameserver" json:"proxy-server-nameserver"`
 }

 type RawFallbackFilter struct {
-	GeoIP     bool     `yaml:"geoip"`
-	GeoIPCode string   `yaml:"geoip-code"`
-	IPCIDR    []string `yaml:"ipcidr"`
-	Domain    []string `yaml:"domain"`
-	GeoSite   []string `yaml:"geosite"`
+	GeoIP     bool     `yaml:"geoip" json:"geoip"`
+	GeoIPCode string   `yaml:"geoip-code" json:"geoip-code"`
+	IPCIDR    []string `yaml:"ipcidr" json:"ipcidr"`
+	Domain    []string `yaml:"domain" json:"domain"`
+	GeoSite   []string `yaml:"geosite" json:"geosite"`
+}
+
+type RawClashForAndroid struct {
+	AppendSystemDNS   bool   `yaml:"append-system-dns" json:"append-system-dns"`
+	UiSubtitlePattern string `yaml:"ui-subtitle-pattern" json:"ui-subtitle-pattern"`
 }

 type RawTun struct {
@ -203,21 +232,23 @@ type RawTun struct {
 	RedirectToTun       []string   `yaml:"-" json:"-"`

 	MTU uint32 `yaml:"mtu" json:"mtu,omitempty"`
-	//Inet4Address           []LC.ListenPrefix `yaml:"inet4-address" json:"inet4_address,omitempty"`
-	Inet6Address           []LC.ListenPrefix `yaml:"inet6-address" json:"inet6_address,omitempty"`
-	StrictRoute            bool              `yaml:"strict-route" json:"strict_route,omitempty"`
-	Inet4RouteAddress      []LC.ListenPrefix `yaml:"inet4_route_address" json:"inet4_route_address,omitempty"`
-	Inet6RouteAddress      []LC.ListenPrefix `yaml:"inet6_route_address" json:"inet6_route_address,omitempty"`
-	IncludeUID             []uint32          `yaml:"include-uid" json:"include_uid,omitempty"`
-	IncludeUIDRange        []string          `yaml:"include-uid-range" json:"include_uid_range,omitempty"`
-	ExcludeUID             []uint32          `yaml:"exclude-uid" json:"exclude_uid,omitempty"`
-	ExcludeUIDRange        []string          `yaml:"exclude-uid-range" json:"exclude_uid_range,omitempty"`
-	IncludeAndroidUser     []int             `yaml:"include-android-user" json:"include_android_user,omitempty"`
-	IncludePackage         []string          `yaml:"include-package" json:"include_package,omitempty"`
-	ExcludePackage         []string          `yaml:"exclude-package" json:"exclude_package,omitempty"`
-	EndpointIndependentNat bool              `yaml:"endpoint-independent-nat" json:"endpoint_independent_nat,omitempty"`
-	UDPTimeout             int64             `yaml:"udp-timeout" json:"udp_timeout,omitempty"`
-	FileDescriptor         int               `yaml:"file-descriptor" json:"file-descriptor"`
+	//Inet4Address           []netip.Prefix `yaml:"inet4-address" json:"inet4_address,omitempty"`
+	Inet6Address             []netip.Prefix `yaml:"inet6-address" json:"inet6_address,omitempty"`
+	StrictRoute              bool           `yaml:"strict-route" json:"strict_route,omitempty"`
+	Inet4RouteAddress        []netip.Prefix `yaml:"inet4-route-address" json:"inet4_route_address,omitempty"`
+	Inet6RouteAddress        []netip.Prefix `yaml:"inet6-route-address" json:"inet6_route_address,omitempty"`
+	Inet4RouteExcludeAddress []netip.Prefix `yaml:"inet4-route-exclude-address" json:"inet4_route_exclude_address,omitempty"`
+	Inet6RouteExcludeAddress []netip.Prefix `yaml:"inet6-route-exclude-address" json:"inet6_route_exclude_address,omitempty"`
+	IncludeUID               []uint32       `yaml:"include-uid" json:"include_uid,omitempty"`
+	IncludeUIDRange          []string       `yaml:"include-uid-range" json:"include_uid_range,omitempty"`
+	ExcludeUID               []uint32       `yaml:"exclude-uid" json:"exclude_uid,omitempty"`
+	ExcludeUIDRange          []string       `yaml:"exclude-uid-range" json:"exclude_uid_range,omitempty"`
+	IncludeAndroidUser       []int          `yaml:"include-android-user" json:"include_android_user,omitempty"`
+	IncludePackage           []string       `yaml:"include-package" json:"include_package,omitempty"`
+	ExcludePackage           []string       `yaml:"exclude-package" json:"exclude_package,omitempty"`
+	EndpointIndependentNat   bool           `yaml:"endpoint-independent-nat" json:"endpoint_independent_nat,omitempty"`
+	UDPTimeout               int64          `yaml:"udp-timeout" json:"udp_timeout,omitempty"`
+	FileDescriptor           int            `yaml:"file-descriptor" json:"file-descriptor"`
 }

 type RawTuicServer struct {
@ -236,40 +267,46 @@ type RawTuicServer struct {
 }

 type RawConfig struct {
-	Port                    int               `yaml:"port"`
-	SocksPort               int               `yaml:"socks-port"`
-	RedirPort               int               `yaml:"redir-port"`
-	TProxyPort              int               `yaml:"tproxy-port"`
-	MixedPort               int               `yaml:"mixed-port"`
+	Port                    int               `yaml:"port" json:"port"`
+	SocksPort               int               `yaml:"socks-port" json:"socks-port"`
+	RedirPort               int               `yaml:"redir-port" json:"redir-port"`
+	TProxyPort              int               `yaml:"tproxy-port" json:"tproxy-port"`
+	MixedPort               int               `yaml:"mixed-port" json:"mixed-port"`
 	ShadowSocksConfig       string            `yaml:"ss-config"`
 	VmessConfig             string            `yaml:"vmess-config"`
 	InboundTfo              bool              `yaml:"inbound-tfo"`
 	InboundMPTCP            bool              `yaml:"inbound-mptcp"`
-	Authentication          []string          `yaml:"authentication"`
-	AllowLan                bool              `yaml:"allow-lan"`
-	BindAddress             string            `yaml:"bind-address"`
-	Mode                    T.TunnelMode      `yaml:"mode"`
-	UnifiedDelay            bool              `yaml:"unified-delay"`
-	LogLevel                log.LogLevel      `yaml:"log-level"`
-	IPv6                    bool              `yaml:"ipv6"`
+	Authentication          []string          `yaml:"authentication" json:"authentication"`
+	SkipAuthPrefixes        []netip.Prefix    `yaml:"skip-auth-prefixes"`
+	AllowLan                bool              `yaml:"allow-lan" json:"allow-lan"`
+	BindAddress             string            `yaml:"bind-address" json:"bind-address"`
+	Mode                    T.TunnelMode      `yaml:"mode" json:"mode"`
+	UnifiedDelay            bool              `yaml:"unified-delay" json:"unified-delay"`
+	LogLevel                log.LogLevel      `yaml:"log-level" json:"log-level"`
+	IPv6                    bool              `yaml:"ipv6" json:"ipv6"`
 	ExternalController      string            `yaml:"external-controller"`
 	ExternalControllerTLS   string            `yaml:"external-controller-tls"`
 	ExternalUI              string            `yaml:"external-ui"`
+	ExternalUIURL           string            `yaml:"external-ui-url" json:"external-ui-url"`
+	ExternalUIName          string            `yaml:"external-ui-name" json:"external-ui-name"`
 	Secret                  string            `yaml:"secret"`
 	Interface               string            `yaml:"interface-name"`
 	RoutingMark             int               `yaml:"routing-mark"`
 	Tunnels                 []LC.Tunnel       `yaml:"tunnels"`
-	GeodataMode             bool              `yaml:"geodata-mode"`
-	GeodataLoader           string            `yaml:"geodata-loader"`
+	GeodataMode             bool              `yaml:"geodata-mode" json:"geodata-mode"`
+	GeodataLoader           string            `yaml:"geodata-loader" json:"geodata-loader"`
 	TCPConcurrent           bool              `yaml:"tcp-concurrent" json:"tcp-concurrent"`
 	FindProcessMode         P.FindProcessMode `yaml:"find-process-mode" json:"find-process-mode"`
 	GlobalClientFingerprint string            `yaml:"global-client-fingerprint"`
+	GlobalUA                string            `yaml:"global-ua"`
+	KeepAliveInterval       int               `yaml:"keep-alive-interval"`

-	Sniffer       RawSniffer                `yaml:"sniffer"`
+	Sniffer       RawSniffer                `yaml:"sniffer" json:"sniffer"`
 	ProxyProvider map[string]map[string]any `yaml:"proxy-providers"`
 	RuleProvider  map[string]map[string]any `yaml:"rule-providers"`
-	Hosts         map[string]any            `yaml:"hosts"`
-	DNS           RawDNS                    `yaml:"dns"`
+	Hosts         map[string]any            `yaml:"hosts" json:"hosts"`
+	NTP           RawNTP                    `yaml:"ntp" json:"ntp"`
+	DNS           RawDNS                    `yaml:"dns" json:"dns"`
 	Tun           RawTun                    `yaml:"tun"`
 	TuicServer    RawTuicServer             `yaml:"tuic-server"`
 	EBpf          EBpf                      `yaml:"ebpf"`
@ -283,6 +320,8 @@ type RawConfig struct {
 	SubRules      map[string][]string       `yaml:"sub-rules"`
 	RawTLS        TLS                       `yaml:"tls"`
 	Listeners     []map[string]any          `yaml:"listeners"`
+
+	ClashForAndroid RawClashForAndroid `yaml:"clash-for-android" json:"clash-for-android"`
 }

 type GeoXUrl struct {
@ -348,6 +387,7 @@ func UnmarshalRawConfig(buf []byte) (*RawConfig, error) {
 		ProxyGroup:      []map[string]any{},
 		TCPConcurrent:   false,
 		FindProcessMode: P.FindProcessStrict,
+		GlobalUA:        "clash.meta",
 		Tun: RawTun{
 			Enable:              false,
 			Device:              "",
@ -355,7 +395,7 @@ func UnmarshalRawConfig(buf []byte) (*RawConfig, error) {
 			DNSHijack:           []string{"0.0.0.0:53"}, // default hijack all dns query
 			AutoRoute:           true,
 			AutoDetectInterface: true,
-			Inet6Address:        []LC.ListenPrefix{LC.ListenPrefix(netip.MustParsePrefix("fdfe:dcba:9876::1/126"))},
+			Inet6Address:        []netip.Prefix{netip.MustParsePrefix("fdfe:dcba:9876::1/126")},
 		},
 		TuicServer: RawTuicServer{
 			Enable:                false,
@ -379,6 +419,13 @@ func UnmarshalRawConfig(buf []byte) (*RawConfig, error) {
 			InboundInterface: "lo",
 			Bypass:           []string{},
 		},
+		NTP: RawNTP{
+			Enable:        false,
+			WriteToSystem: false,
+			Server:        "time.apple.com",
+			ServerPort:    123,
+			Interval:      30,
+		},
 		DNS: RawDNS{
 			Enable:       false,
 			IPv6:         false,
@ -422,10 +469,11 @@ func UnmarshalRawConfig(buf []byte) (*RawConfig, error) {
 			StoreSelected: true,
 		},
 		GeoXUrl: GeoXUrl{
-			Mmdb:    "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geoip.metadb",
-			GeoIp:   "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geoip.dat",
-			GeoSite: "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geosite.dat",
+			Mmdb:    "https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geoip.metadb",
+			GeoIp:   "https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geoip.dat",
+			GeoSite: "https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geosite.dat",
 		},
+		ExternalUIURL: "https://github.com/MetaCubeX/metacubexd/archive/refs/heads/gh-pages.zip",
 	}

 	if err := yaml.Unmarshal(buf, rawCfg); err != nil {
@ -441,7 +489,6 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {
 	startTime := time.Now()
 	config.Experimental = &rawCfg.Experimental
 	config.Profile = &rawCfg.Profile
-	config.IPTables = &rawCfg.IPTables
 	config.TLS = &rawCfg.RawTLS

 	general, err := parseGeneral(rawCfg)
@ -493,17 +540,15 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {
 	}
 	config.Hosts = hosts

+	ntpCfg := paresNTP(rawCfg)
+	config.NTP = ntpCfg
+
 	dnsCfg, err := parseDNS(rawCfg, hosts, rules, ruleProviders)
 	if err != nil {
 		return nil, err
 	}
 	config.DNS = dnsCfg

-	err = parseTun(rawCfg.Tun, config.General)
-	if err != nil {
-		return nil, err
-	}
-
 	err = parseTuicServer(rawCfg.TuicServer, config.General)
 	if err != nil {
 		return nil, err
@ -533,19 +578,40 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {
 }

 func parseGeneral(cfg *RawConfig) (*General, error) {
-	externalUI := cfg.ExternalUI
 	geodata.SetLoader(cfg.GeodataLoader)
 	C.GeoIpUrl = cfg.GeoXUrl.GeoIp
 	C.GeoSiteUrl = cfg.GeoXUrl.GeoSite
 	C.MmdbUrl = cfg.GeoXUrl.Mmdb
 	C.GeodataMode = cfg.GeodataMode
+	C.UA = cfg.GlobalUA
+	if cfg.KeepAliveInterval != 0 {
+		N.KeepAliveInterval = time.Duration(cfg.KeepAliveInterval) * time.Second
+	}
+
+	ExternalUIPath = cfg.ExternalUI
 	// checkout externalUI exist
-	if externalUI != "" {
-		externalUI = C.Path.Resolve(externalUI)
-		if _, err := os.Stat(externalUI); os.IsNotExist(err) {
-			return nil, fmt.Errorf("external-ui: %s not exist", externalUI)
+	if ExternalUIPath != "" {
+		ExternalUIPath = C.Path.Resolve(ExternalUIPath)
+		if _, err := os.Stat(ExternalUIPath); os.IsNotExist(err) {
+			defaultUIpath := path.Join(C.Path.HomeDir(), "ui")
+			log.Warnln("external-ui: %s does not exist, creating folder in %s", ExternalUIPath, defaultUIpath)
+			if err := os.MkdirAll(defaultUIpath, os.ModePerm); err != nil {
+				return nil, err
+			}
+			ExternalUIPath = defaultUIpath
+			cfg.ExternalUI = defaultUIpath
 		}
 	}
+	// checkout UIpath/name exist
+	if cfg.ExternalUIName != "" {
+		ExternalUIName = cfg.ExternalUIName
+	} else {
+		ExternalUIFolder = ExternalUIPath
+	}
+	if cfg.ExternalUIURL != "" {
+		ExternalUIURL = cfg.ExternalUIURL
+	}
+
 	cfg.Tun.RedirectToTun = cfg.EBpf.RedirectToTun
 	return &General{
 		Inbound: Inbound{
@ -557,6 +623,7 @@ func parseGeneral(cfg *RawConfig) (*General, error) {
 			ShadowSocksConfig: cfg.ShadowSocksConfig,
 			VmessConfig:       cfg.VmessConfig,
 			AllowLan:          cfg.AllowLan,
+			SkipAuthPrefixes:  cfg.SkipAuthPrefixes,
 			BindAddress:       cfg.BindAddress,
 			InboundTfo:        cfg.InboundTfo,
 			InboundMPTCP:      cfg.InboundMPTCP,
@ -578,8 +645,8 @@ func parseGeneral(cfg *RawConfig) (*General, error) {
 		GeodataLoader:           cfg.GeodataLoader,
 		TCPConcurrent:           cfg.TCPConcurrent,
 		FindProcessMode:         cfg.FindProcessMode,
-		EBpf:                    cfg.EBpf,
 		GlobalClientFingerprint: cfg.GlobalClientFingerprint,
+		GlobalUA:                cfg.GlobalUA,
 	}, nil
 }

@ -981,7 +1048,6 @@ func parseNameServer(servers []string, preferH3 bool) ([]dns.NameServer, error)
 				Net:       dnsNetType,
 				Addr:      addr,
 				ProxyName: proxyName,
-				Interface: dialer.DefaultInterface,
 				Params:    params,
 				PreferH3:  preferH3,
 			},
@ -1083,15 +1149,15 @@ func parseNameServerPolicy(nsPolicy map[string]any, ruleProviders map[string]pro
 	return policy, nil
 }

-func parseFallbackIPCIDR(ips []string) ([]*netip.Prefix, error) {
-	var ipNets []*netip.Prefix
+func parseFallbackIPCIDR(ips []string) ([]netip.Prefix, error) {
+	var ipNets []netip.Prefix

 	for idx, ip := range ips {
 		ipnet, err := netip.ParsePrefix(ip)
 		if err != nil {
 			return nil, fmt.Errorf("DNS FallbackIP[%d] format error: %s", idx, err.Error())
 		}
-		ipNets = append(ipNets, &ipnet)
+		ipNets = append(ipNets, ipnet)
 	}

 	return ipNets, nil
@ -1132,6 +1198,19 @@ func parseFallbackGeoSite(countries []string, rules []C.Rule) ([]*router.DomainM
 	return sites, nil
 }

+func paresNTP(rawCfg *RawConfig) *NTP {
+	cfg := rawCfg.NTP
+	ntpCfg := &NTP{
+		Enable:        cfg.Enable,
+		Server:        cfg.Server,
+		Port:          cfg.ServerPort,
+		Interval:      cfg.Interval,
+		DialerProxy:   cfg.DialerProxy,
+		WriteToSystem: cfg.WriteToSystem,
+	}
+	return ntpCfg
+}
+
 func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], rules []C.Rule, ruleProviders map[string]providerTypes.RuleProvider) (*DNS, error) {
 	cfg := rawCfg.DNS
 	if cfg.Enable && len(cfg.NameServer) == 0 {
@ -1146,7 +1225,7 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], rul
 		IPv6:         cfg.IPv6,
 		EnhancedMode: cfg.EnhancedMode,
 		FallbackFilter: FallbackFilter{
-			IPCIDR:  []*netip.Prefix{},
+			IPCIDR:  []netip.Prefix{},
 			GeoSite: []*router.DomainMatcher{},
 		},
 	}
@ -1220,7 +1299,7 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], rul
 		}

 		pool, err := fakeip.New(fakeip.Options{
-			IPNet:       &fakeIPRange,
+			IPNet:       fakeIPRange,
 			Size:        1000,
 			Host:        host,
 			Persistence: rawCfg.Profile.StoreFakeIP,
@ -1283,22 +1362,24 @@ func parseTun(rawTun RawTun, general *General) error {
 		AutoDetectInterface: rawTun.AutoDetectInterface,
 		RedirectToTun:       rawTun.RedirectToTun,

-		MTU:                    rawTun.MTU,
-		Inet4Address:           []LC.ListenPrefix{LC.ListenPrefix(tunAddressPrefix)},
-		Inet6Address:           rawTun.Inet6Address,
-		StrictRoute:            rawTun.StrictRoute,
-		Inet4RouteAddress:      rawTun.Inet4RouteAddress,
-		Inet6RouteAddress:      rawTun.Inet6RouteAddress,
-		IncludeUID:             rawTun.IncludeUID,
-		IncludeUIDRange:        rawTun.IncludeUIDRange,
-		ExcludeUID:             rawTun.ExcludeUID,
-		ExcludeUIDRange:        rawTun.ExcludeUIDRange,
-		IncludeAndroidUser:     rawTun.IncludeAndroidUser,
-		IncludePackage:         rawTun.IncludePackage,
-		ExcludePackage:         rawTun.ExcludePackage,
-		EndpointIndependentNat: rawTun.EndpointIndependentNat,
-		UDPTimeout:             rawTun.UDPTimeout,
-		FileDescriptor:         rawTun.FileDescriptor,
+		MTU:                      rawTun.MTU,
+		Inet4Address:             []netip.Prefix{tunAddressPrefix},
+		Inet6Address:             rawTun.Inet6Address,
+		StrictRoute:              rawTun.StrictRoute,
+		Inet4RouteAddress:        rawTun.Inet4RouteAddress,
+		Inet6RouteAddress:        rawTun.Inet6RouteAddress,
+		Inet4RouteExcludeAddress: rawTun.Inet4RouteExcludeAddress,
+		Inet6RouteExcludeAddress: rawTun.Inet6RouteExcludeAddress,
+		IncludeUID:               rawTun.IncludeUID,
+		IncludeUIDRange:          rawTun.IncludeUIDRange,
+		ExcludeUID:               rawTun.ExcludeUID,
+		ExcludeUIDRange:          rawTun.ExcludeUIDRange,
+		IncludeAndroidUser:       rawTun.IncludeAndroidUser,
+		IncludePackage:           rawTun.IncludePackage,
+		ExcludePackage:           rawTun.ExcludePackage,
+		EndpointIndependentNat:   rawTun.EndpointIndependentNat,
+		UDPTimeout:               rawTun.UDPTimeout,
+		FileDescriptor:           rawTun.FileDescriptor,
 	}

 	return nil
--- a/config/update_geo.go
+++ b/config/update_geo.go
@ -1,17 +1,11 @@
 package config

 import (
-	"context"
 	"fmt"
-	"io"
-	"net/http"
-	"os"
 	"runtime"
-	"time"

 	"github.com/Dreamacro/clash/component/geodata"
 	_ "github.com/Dreamacro/clash/component/geodata/standard"
-	clashHttp "github.com/Dreamacro/clash/component/http"
 	C "github.com/Dreamacro/clash/constant"

 	"github.com/oschwald/maxminddb-golang"
@ -72,19 +66,3 @@ func UpdateGeoDatabases() error {

 	return nil
 }
-
-func downloadForBytes(url string) ([]byte, error) {
-	ctx, cancel := context.WithTimeout(context.Background(), time.Second*90)
-	defer cancel()
-	resp, err := clashHttp.HttpRequest(ctx, url, http.MethodGet, http.Header{"User-Agent": {"clash"}}, nil)
-	if err != nil {
-		return nil, err
-	}
-	defer resp.Body.Close()
-
-	return io.ReadAll(resp.Body)
-}
-
-func saveFile(bytes []byte, path string) error {
-	return os.WriteFile(path, bytes, 0o644)
-}
--- a/config/update_ui.go
+++ b/config/update_ui.go
@ -0,0 +1,145 @@
+package config
+
+import (
+	"archive/zip"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"path"
+	"path/filepath"
+	"strings"
+	"sync"
+
+	C "github.com/Dreamacro/clash/constant"
+)
+
+var (
+	ExternalUIURL    string
+	ExternalUIPath   string
+	ExternalUIFolder string
+	ExternalUIName   string
+)
+var (
+	ErrIncompleteConf = errors.New("ExternalUI configure incomplete")
+)
+var xdMutex sync.Mutex
+
+func UpdateUI() error {
+	xdMutex.Lock()
+	defer xdMutex.Unlock()
+
+	err := prepare()
+	if err != nil {
+		return err
+	}
+
+	data, err := downloadForBytes(ExternalUIURL)
+	if err != nil {
+		return fmt.Errorf("can't download  file: %w", err)
+	}
+
+	saved := path.Join(C.Path.HomeDir(), "download.zip")
+	if saveFile(data, saved) != nil {
+		return fmt.Errorf("can't save zip file: %w", err)
+	}
+	defer os.Remove(saved)
+
+	err = cleanup(ExternalUIFolder)
+	if err != nil {
+		if !os.IsNotExist(err) {
+			return fmt.Errorf("cleanup exist file error: %w", err)
+		}
+	}
+
+	unzipFolder, err := unzip(saved, C.Path.HomeDir())
+	if err != nil {
+		return fmt.Errorf("can't extract zip file: %w", err)
+	}
+
+	err = os.Rename(unzipFolder, ExternalUIFolder)
+	if err != nil {
+		return fmt.Errorf("can't rename folder: %w", err)
+	}
+	return nil
+}
+
+func prepare() error {
+	if ExternalUIPath == "" || ExternalUIURL == "" {
+		return ErrIncompleteConf
+	}
+
+	if ExternalUIName != "" {
+		ExternalUIFolder = filepath.Clean(path.Join(ExternalUIPath, ExternalUIName))
+		if _, err := os.Stat(ExternalUIPath); os.IsNotExist(err) {
+			if err := os.MkdirAll(ExternalUIPath, os.ModePerm); err != nil {
+				return err
+			}
+		}
+	} else {
+		ExternalUIFolder = ExternalUIPath
+	}
+
+	return nil
+}
+
+func unzip(src, dest string) (string, error) {
+	r, err := zip.OpenReader(src)
+	if err != nil {
+		return "", err
+	}
+	defer r.Close()
+	var extractedFolder string
+	for _, f := range r.File {
+		fpath := filepath.Join(dest, f.Name)
+		if !strings.HasPrefix(fpath, filepath.Clean(dest)+string(os.PathSeparator)) {
+			return "", fmt.Errorf("invalid file path: %s", fpath)
+		}
+		if f.FileInfo().IsDir() {
+			os.MkdirAll(fpath, os.ModePerm)
+			continue
+		}
+		if err = os.MkdirAll(filepath.Dir(fpath), os.ModePerm); err != nil {
+			return "", err
+		}
+		outFile, err := os.OpenFile(fpath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, f.Mode())
+		if err != nil {
+			return "", err
+		}
+		rc, err := f.Open()
+		if err != nil {
+			return "", err
+		}
+		_, err = io.Copy(outFile, rc)
+		outFile.Close()
+		rc.Close()
+		if err != nil {
+			return "", err
+		}
+		if extractedFolder == "" {
+			extractedFolder = filepath.Dir(fpath)
+		}
+	}
+	return extractedFolder, nil
+}
+
+func cleanup(root string) error {
+	if _, err := os.Stat(root); os.IsNotExist(err) {
+		return nil
+	}
+	return filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+		if info.IsDir() {
+			if err := os.RemoveAll(path); err != nil {
+				return err
+			}
+		} else {
+			if err := os.Remove(path); err != nil {
+				return err
+			}
+		}
+		return nil
+	})
+}
--- a/config/utils.go
+++ b/config/utils.go
@ -1,15 +1,37 @@
 package config

 import (
+	"context"
 	"fmt"
+	"io"
 	"net"
+	"net/http"
 	"net/netip"
+	"os"
 	"strings"
+	"time"

 	"github.com/Dreamacro/clash/adapter/outboundgroup"
 	"github.com/Dreamacro/clash/common/structure"
+	clashHttp "github.com/Dreamacro/clash/component/http"
 )

+func downloadForBytes(url string) ([]byte, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*90)
+	defer cancel()
+	resp, err := clashHttp.HttpRequest(ctx, url, http.MethodGet, http.Header{"User-Agent": {"clash"}}, nil)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	return io.ReadAll(resp.Body)
+}
+
+func saveFile(bytes []byte, path string) error {
+	return os.WriteFile(path, bytes, 0o644)
+}
+
 func trimArr(arr []string) (r []string) {
 	for _, e := range arr {
 		r = append(r, strings.Trim(e, " "))
--- a/constant/adapters.go
+++ b/constant/adapters.go
@ -36,6 +36,7 @@ const (
 	Vless
 	Trojan
 	Hysteria
+	Hysteria2
 	WireGuard
 	Tuic
 )
@ -200,6 +201,8 @@ func (at AdapterType) String() string {
 		return "Trojan"
 	case Hysteria:
 		return "Hysteria"
+	case Hysteria2:
+		return "Hysteria2"
 	case WireGuard:
 		return "WireGuard"
 	case Tuic:
@ -249,6 +252,23 @@ type PacketAdapter interface {
 	Metadata() *Metadata
 }

+type packetAdapter struct {
+	UDPPacket
+	metadata *Metadata
+}
+
+// Metadata returns destination metadata
+func (s *packetAdapter) Metadata() *Metadata {
+	return s.metadata
+}
+
+func NewPacketAdapter(packet UDPPacket, metadata *Metadata) PacketAdapter {
+	return &packetAdapter{
+		packet,
+		metadata,
+	}
+}
+
 type WriteBack interface {
 	WriteBack(b []byte, addr net.Addr) (n int, err error)
 }
@ -267,13 +287,17 @@ type NatTable interface {

 	Delete(key string)

-	GetLocalConn(lAddr, rAddr string) *net.UDPConn
+	DeleteLock(key string)

-	AddLocalConn(lAddr, rAddr string, conn *net.UDPConn) bool
+	GetForLocalConn(lAddr, rAddr string) *net.UDPConn

-	RangeLocalConn(lAddr string, f func(key, value any) bool)
+	AddForLocalConn(lAddr, rAddr string, conn *net.UDPConn) bool

-	GetOrCreateLockForLocalConn(lAddr, key string) (*sync.Cond, bool)
+	RangeForLocalConn(lAddr string, f func(key string, value *net.UDPConn) bool)

-	DeleteLocalConnMap(lAddr, key string)
+	GetOrCreateLockForLocalConn(lAddr string, key string) (*sync.Cond, bool)
+
+	DeleteForLocalConn(lAddr, key string)
+
+	DeleteLockForLocalConn(lAddr, key string)
 }
--- a/constant/geodata.go
+++ b/constant/geodata.go
@ -2,7 +2,7 @@ package constant

 var (
 	GeodataMode bool
-	GeoIpUrl    string
-	MmdbUrl     string
-	GeoSiteUrl  string
+	GeoIpUrl    = "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geoip.dat"
+	MmdbUrl     = "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geoip.metadb"
+	GeoSiteUrl  = "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geosite.dat"
 )
--- a/constant/http.go
+++ b/constant/http.go
@ -0,0 +1,5 @@
+package constant
+
+var (
+	UA string
+)
--- a/constant/listener.go
+++ b/constant/listener.go
@ -16,7 +16,7 @@ type MultiAddrListener interface {

 type InboundListener interface {
 	Name() string
-	Listen(tcpIn chan<- ConnContext, udpIn chan<- PacketAdapter, natTable NatTable) error
+	Listen(tunnel Tunnel) error
 	Close() error
 	Address() string
 	RawAddress() string
--- a/constant/metadata.go
+++ b/constant/metadata.go
@ -30,6 +30,7 @@ const (
 	TUNNEL
 	TUN
 	TUIC
+	HYSTERIA2
 	INNER
 )

@ -78,6 +79,8 @@ func (t Type) String() string {
 		return "Tun"
 	case TUIC:
 		return "Tuic"
+	case HYSTERIA2:
+		return "Hysteria2"
 	case INNER:
 		return "Inner"
 	default:
@ -110,6 +113,8 @@ func ParseType(t string) (*Type, error) {
 		res = TUN
 	case "TUIC":
 		res = TUIC
+	case "HYSTERIA2":
+		res = HYSTERIA2
 	case "INNER":
 		res = INNER
 	default:
@ -142,6 +147,9 @@ type Metadata struct {
 	SpecialProxy string     `json:"specialProxy"`
 	SpecialRules string     `json:"specialRules"`
 	RemoteDst    string     `json:"remoteDestination"`
+
+	RawSrcAddr net.Addr `json:"-"`
+	RawDstAddr net.Addr `json:"-"`
 	// Only domain rule
 	SniffHost string `json:"sniffHost"`
 }
@ -235,6 +243,34 @@ func (m *Metadata) Valid() bool {
 	return m.Host != "" || m.DstIP.IsValid()
 }

+func (m *Metadata) SetRemoteAddr(addr net.Addr) error {
+	if addr == nil {
+		return nil
+	}
+	if rawAddr, ok := addr.(interface{ RawAddr() net.Addr }); ok {
+		if rawAddr := rawAddr.RawAddr(); rawAddr != nil {
+			if err := m.SetRemoteAddr(rawAddr); err == nil {
+				return nil
+			}
+		}
+	}
+	if addr, ok := addr.(interface{ AddrPort() netip.AddrPort }); ok { // *net.TCPAddr, *net.UDPAddr, M.Socksaddr
+		if addrPort := addr.AddrPort(); addrPort.Port() != 0 {
+			m.DstPort = addrPort.Port()
+			if addrPort.IsValid() { // sing's M.Socksaddr maybe return an invalid AddrPort if it's a DomainName
+				m.DstIP = addrPort.Addr().Unmap()
+				return nil
+			} else {
+				if addr, ok := addr.(interface{ AddrString() string }); ok { // must be sing's M.Socksaddr
+					m.Host = addr.AddrString() // actually is M.Socksaddr.Fqdn
+					return nil
+				}
+			}
+		}
+	}
+	return m.SetRemoteAddress(addr.String())
+}
+
 func (m *Metadata) SetRemoteAddress(rawAddress string) error {
 	host, port, err := net.SplitHostPort(rawAddress)
 	if err != nil {
--- a/constant/path.go
+++ b/constant/path.go
@ -18,6 +18,9 @@ var (
 )

 // Path is used to get the configuration path
+//
+// on Unix systems, `$HOME/.config/clash`.
+// on Windows, `%USERPROFILE%/.config/clash`.
 var Path = func() *path {
 	homeDir, err := os.UserHomeDir()
 	if err != nil {
@ -25,6 +28,13 @@ var Path = func() *path {
 	}
 	allowUnsafePath, _ := strconv.ParseBool(os.Getenv("SKIP_SAFE_PATH_CHECK"))
 	homeDir = P.Join(homeDir, ".config", Name)
+
+	if _, err = os.Stat(homeDir); err != nil {
+		if configHome, ok := os.LookupEnv("XDG_CONFIG_HOME"); ok {
+			homeDir = P.Join(configHome, Name)
+		}
+	}
+
 	return &path{homeDir: homeDir, configFile: "config.yaml", allowUnsafePath: allowUnsafePath}
 }()

--- a/constant/sniffer/sniffer.go
+++ b/constant/sniffer/sniffer.go
@ -4,7 +4,8 @@ import "github.com/Dreamacro/clash/constant"

 type Sniffer interface {
 	SupportNetwork() constant.NetWork
-	SniffTCP(bytes []byte) (string, error)
+	// SniffData must not change input bytes
+	SniffData(bytes []byte) (string, error)
 	Protocol() string
 	SupportPort(port uint16) bool
 }
@ -12,10 +13,11 @@ type Sniffer interface {
 const (
 	TLS Type = iota
 	HTTP
+	QUIC
 )

 var (
-	List = []Type{TLS, HTTP}
+	List = []Type{TLS, HTTP, QUIC}
 )

 type Type int
@ -26,6 +28,8 @@ func (rt Type) String() string {
 		return "TLS"
 	case HTTP:
 		return "HTTP"
+	case QUIC:
+		return "QUIC"
 	default:
 		return "Unknown"
 	}
--- a/constant/tunnel.go
+++ b/constant/tunnel.go
@ -0,0 +1,12 @@
+package constant
+
+import "net"
+
+type Tunnel interface {
+	// HandleTCPConn will handle a tcp connection blocking
+	HandleTCPConn(conn net.Conn, metadata *Metadata)
+	// HandleUDPPacket will handle a udp packet nonblocking
+	HandleUDPPacket(packet UDPPacket, metadata *Metadata)
+	// NatTable return nat table
+	NatTable() NatTable
+}
--- a/dns/client.go
+++ b/dns/client.go
@ -8,10 +8,9 @@ import (
 	"net/netip"
 	"strings"

-	"github.com/Dreamacro/clash/common/atomic"
+	"github.com/Dreamacro/clash/component/ca"
 	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/resolver"
-	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"

 	D "github.com/miekg/dns"
@ -23,7 +22,7 @@ type client struct {
 	r            *Resolver
 	port         string
 	host         string
-	iface        *atomic.TypedValue[string]
+	iface        string
 	proxyAdapter C.ProxyAdapter
 	proxyName    string
 	addr         string
@ -48,10 +47,6 @@ func (c *client) Address() string {
 	return c.addr
 }

-func (c *client) Exchange(m *D.Msg) (*D.Msg, error) {
-	return c.ExchangeContext(context.Background(), m)
-}
-
 func (c *client) ExchangeContext(ctx context.Context, m *D.Msg) (*D.Msg, error) {
 	var (
 		ip  netip.Addr
@ -77,9 +72,9 @@ func (c *client) ExchangeContext(ctx context.Context, m *D.Msg) (*D.Msg, error)
 		network = "tcp"
 	}

-	options := []dialer.Option{}
-	if c.iface != nil && c.iface.Load() != "" {
-		options = append(options, dialer.WithInterface(c.iface.Load()))
+	var options []dialer.Option
+	if c.iface != "" {
+		options = append(options, dialer.WithInterface(c.iface))
 	}

 	conn, err := getDialHandler(c.r, c.proxyAdapter, c.proxyName, options...)(ctx, network, net.JoinHostPort(ip.String(), c.port))
@ -99,7 +94,7 @@ func (c *client) ExchangeContext(ctx context.Context, m *D.Msg) (*D.Msg, error)
 	ch := make(chan result, 1)
 	go func() {
 		if strings.HasSuffix(c.Client.Net, "tls") {
-			conn = tls.Client(conn, tlsC.GetGlobalTLSConfig(c.Client.TLSConfig))
+			conn = tls.Client(conn, ca.GetGlobalTLSConfig(c.Client.TLSConfig))
 		}

 		msg, _, err := c.Client.ExchangeWithConn(m, &D.Conn{
--- a/dns/dhcp.go
+++ b/dns/dhcp.go
@ -1,3 +1,6 @@
+//go:build disabled
+// +build disabled
+
 package dns

 import (
@ -8,11 +11,8 @@ import (
 	"sync"
 	"time"

-	"github.com/Dreamacro/clash/common/atomic"
 	"github.com/Dreamacro/clash/component/dhcp"
 	"github.com/Dreamacro/clash/component/iface"
-	"github.com/Dreamacro/clash/component/resolver"
-
 	D "github.com/miekg/dns"
 )

@ -29,7 +29,7 @@ type dhcpClient struct {
 	ifaceInvalidate time.Time
 	dnsInvalidate   time.Time

-	ifaceAddr *netip.Prefix
+	ifaceAddr netip.Prefix
 	done      chan struct{}
 	clients   []dnsClient
 	err       error
@ -46,13 +46,6 @@ func (d *dhcpClient) Address() string {
 	return strings.Join(addrs, ",")
 }

-func (d *dhcpClient) Exchange(m *D.Msg) (msg *D.Msg, err error) {
-	ctx, cancel := context.WithTimeout(context.Background(), resolver.DefaultDNSTimeout)
-	defer cancel()
-
-	return d.ExchangeContext(ctx, m)
-}
-
 func (d *dhcpClient) ExchangeContext(ctx context.Context, m *D.Msg) (msg *D.Msg, err error) {
 	clients, err := d.resolve(ctx)
 	if err != nil {
@ -86,7 +79,7 @@ func (d *dhcpClient) resolve(ctx context.Context) ([]dnsClient, error) {
 				for _, item := range dns {
 					nameserver = append(nameserver, NameServer{
 						Addr:      net.JoinHostPort(item.String(), "53"),
-						Interface: atomic.NewTypedValue(d.ifaceName),
+						Interface: d.ifaceName,
 					})
 				}

--- a/dns/doh.go
+++ b/dns/doh.go
@ -15,7 +15,7 @@ import (
 	"sync"
 	"time"

-	tlsC "github.com/Dreamacro/clash/component/tls"
+	"github.com/Dreamacro/clash/component/ca"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/log"
 	"github.com/metacubex/quic-go"
@ -157,11 +157,6 @@ func (doh *dnsOverHTTPS) ExchangeContext(ctx context.Context, m *D.Msg) (msg *D.
 	return msg, err
 }

-// Exchange implements the Upstream interface for *dnsOverHTTPS.
-func (doh *dnsOverHTTPS) Exchange(m *D.Msg) (*D.Msg, error) {
-	return doh.ExchangeContext(context.Background(), m)
-}
-
 // Close implements the Upstream interface for *dnsOverHTTPS.
 func (doh *dnsOverHTTPS) Close() (err error) {
 	doh.clientMu.Lock()
@ -382,7 +377,7 @@ func (doh *dnsOverHTTPS) createClient(ctx context.Context) (*http.Client, error)
 // HTTP3 is enabled in the upstream options).  If this attempt is successful,
 // it returns an HTTP3 transport, otherwise it returns the H1/H2 transport.
 func (doh *dnsOverHTTPS) createTransport(ctx context.Context) (t http.RoundTripper, err error) {
-	tlsConfig := tlsC.GetGlobalTLSConfig(
+	tlsConfig := ca.GetGlobalTLSConfig(
 		&tls.Config{
 			InsecureSkipVerify:     false,
 			MinVersion:             tls.VersionTLS12,
--- a/dns/doq.go
+++ b/dns/doq.go
@ -12,7 +12,7 @@ import (
 	"sync"
 	"time"

-	tlsC "github.com/Dreamacro/clash/component/tls"
+	"github.com/Dreamacro/clash/component/ca"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/log"
 	"github.com/metacubex/quic-go"
@ -134,11 +134,6 @@ func (doq *dnsOverQUIC) ExchangeContext(ctx context.Context, m *D.Msg) (msg *D.M
 	return msg, err
 }

-// Exchange implements the Upstream interface for *dnsOverQUIC.
-func (doq *dnsOverQUIC) Exchange(m *D.Msg) (msg *D.Msg, err error) {
-	return doq.ExchangeContext(context.Background(), m)
-}
-
 // Close implements the Upstream interface for *dnsOverQUIC.
 func (doq *dnsOverQUIC) Close() (err error) {
 	doq.connMu.Lock()
@ -330,7 +325,7 @@ func (doq *dnsOverQUIC) openConnection(ctx context.Context) (conn quic.Connectio
 		return nil, err
 	}

-	tlsConfig := tlsC.GetGlobalTLSConfig(
+	tlsConfig := ca.GetGlobalTLSConfig(
 		&tls.Config{
 			ServerName:         host,
 			InsecureSkipVerify: false,
--- a/dns/filters.go
+++ b/dns/filters.go
@ -45,7 +45,7 @@ func (gf *geoipFilter) Match(ip netip.Addr) bool {
 }

 type ipnetFilter struct {
-	ipnet *netip.Prefix
+	ipnet netip.Prefix
 }

 func (inf *ipnetFilter) Match(ip netip.Addr) bool {
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
GitHub Action	807d41f57b	Android: patch	2023-11-03 05:59:14 +00:00
wwqgtxx	8c3557e96b	chore: support v2ray http upgrade server too	2023-11-03 13:58:53 +08:00
wwqgtxx	228990472d	fix: avoid tls panic	2023-11-03 12:04:22 +08:00
wwqgtxx	09e7866a5c	fix: gvisor panic	2023-11-03 11:50:25 +08:00
wwqgtxx	665ba7f9f1	chore: do websocket client upgrade directly instead of gobwas/ws	2023-11-03 11:50:25 +08:00
wwqgtxx	ee3038d5e4	chore: add SetupContextForConn for common/net	2023-11-03 11:50:25 +08:00
wwqgtxx	885ee7a820	fix: v2ray http upgrade `Hosts` header not working	2023-11-03 11:50:25 +08:00
Steve Johnson	ef303b11f2	action: trigger CMFA PR update in every commit	2023-11-02 16:01:35 +08:00
wwqgtxx	a82ce85707	chore: add route exclude support	2023-11-02 11:37:40 +08:00
wwqgtxx	5bfe7ba169	chore: better tls handshake	2023-11-02 11:22:01 +08:00
wwqgtxx	ceac5bfaa4	feat: add `v2ray-http-upgrade` support	2023-11-02 11:11:35 +08:00
wwqgtxx	b0638cfc49	chore: better bufio.Reader warp	2023-11-02 11:11:35 +08:00
Skyxim	96220aa8ea	feat: cancel RULE-SET nested SUB-RULE restrictions	2023-10-31 11:10:38 +00:00
HolgerHuo	8ff476a3a1	fix: remote logic rules cannot be parsed (#837 )	2023-10-31 19:07:01 +08:00
Steve Johnson	261b6e8dce	action: small fix to cmfa core-update trigger	2023-10-30 20:00:15 +08:00
xishang0128	2b9141e0e5	chore: geo link replaced with github	2023-10-30 19:46:56 +08:00
xishang0128	55255faa52	chore: modify configuration fields	2023-10-27 17:49:12 +08:00
Steve Johnson	d42e3f74ad	action: add question issue guidance	2023-10-26 19:08:42 +08:00
wwqgtxx	81a8a63861	build: more go120 build	2023-10-26 11:39:54 +08:00
wwqgtxx	c3a61e2db5	build: add go120 build for win7/8.1	2023-10-26 11:09:19 +08:00
wwqgtxx	bffe47a974	chore: netip.Prefix should not using pointer	2023-10-26 11:02:53 +08:00
wwqgtxx	4314b37d04	fix: dhcp not working on windows	2023-10-26 10:27:38 +08:00
wwqgtxx	cf93f69f40	chore: cleanup error using of dialer.DefaultInterface	2023-10-26 09:07:49 +08:00
wwqgtxx	55f626424f	chore: better dns batchExchange	2023-10-25 20:16:44 +08:00
wwqgtxx	431d52f250	chore: system resolver can autoupdate	2023-10-25 19:21:20 +08:00
wwqgtxx	c1f24d8f0e	chore: code cleanup	2023-10-25 18:07:45 +08:00
Steve Johnson	fc5a3cf80c	action: ban black issues	2023-10-25 18:06:10 +08:00
wwqgtxx	e1e999180a	chore: inMemoryAuthenticator unneed sync map	2023-10-24 21:25:03 +08:00
wwqgtxx	8755618910	fix: reality panic	2023-10-23 23:33:59 +08:00
Steve Johnson	aede97571f	Merge branch 'Alpha' of https://github.com/MetaCubeX/Clash.Meta into Alpha	2023-10-23 17:02:08 +08:00
Steve Johnson	01bc84db02	chore: add labels to issue template	2023-10-23 17:02:04 +08:00
wwqgtxx	3564e96a00	chore: share some code	2023-10-23 16:45:22 +08:00
wwqgtxx	f6f8f27668	action: update sync	2023-10-23 15:39:56 +08:00
Steve Johnson	dff54464c6	Add auto sync Alpha rebase android-open -> android-real (#817 ) * chore: add android branch auto sync * chore: fix * chore: fix missing * chore: fix actions * chore: write branch auto sync	2023-10-23 15:39:56 +08:00
Steve Johnson	e987cdaaae	chore: add CMFA auto update-dependencies trigger	2023-10-23 15:39:56 +08:00
wwqgtxx	6cd0e58fd0	fix: ssr panic	2023-10-23 15:39:56 +08:00
wwqgtxx	f794c090a5	chore: update sing-tun	2023-10-23 15:39:56 +08:00
xishang0128	0d3197e437	chore: fix sniffer log error	2023-10-20 22:36:29 +08:00
wwqgtxx	150bf7fc65	chore: decrease memory copy in sing listener	2023-10-20 08:39:04 +08:00
Larvan2	51004b14d9	docs: update readme.md	2023-10-20 00:34:10 +08:00
wwqgtxx	ea7e15b447	chore: decrease memory copy in quic sniffer	2023-10-19 23:51:37 +08:00
wwqgtxx	8e637a2ec7	chore: code cleanup	2023-10-19 20:44:49 +08:00
Larvan2	96d886380a	Merge pull request #810 from 5aaee9/Alpha feat: add quic sniffer	2023-10-19 19:34:45 +08:00
5aaee9	981c69040f	docs: update about quic sniffer	2023-10-19 19:09:13 +08:00
5aaee9	de90c276af	feat(sniffer): add quic sniffer	2023-10-19 18:30:20 +08:00
wwqgtxx	0129a8579f	chore: merge some quic-go fix	2023-10-19 11:08:14 +08:00
wwqgtxx	11ed4a56bd	chore: code cleanup	2023-10-17 12:46:41 +08:00
wwqgtxx	d75a0e69a0	chore: Update dependencies	2023-10-16 09:56:41 +08:00
Dreamacro	1faad73381	fix: socks5 udp associate	2023-10-16 09:27:55 +08:00
septs	d2499cd69d	feature: add xdg base support (#2913 )	2023-10-16 09:23:31 +08:00
septs	98df77439c	feature: add environs startup option support (#2909 )	2023-10-16 09:22:16 +08:00
Jiahao Lu	81bbbe4eec	fix: DNS NCACHE TTL and OPT RRs (#2900 ) * Fix: DNS NCACHE TTL and OPT RRs 1. DNS NCACHE was not correctly implemented. 2. OPT RRs must not be cached or forwarded. Closes #2889.	2023-10-16 09:21:06 +08:00
sduoduo233	9f530525d7	fix: method in vmess http-opts is not used	2023-10-16 09:16:36 +08:00
wwqgtxx	129283066f	chore: code cleanup	2023-10-11 22:54:19 +08:00
wwqgtxx	0dc6a726c1	fix: unmap 4in6 ip	2023-10-11 18:17:39 +08:00
wwqgtxx	4636499439	chore: support reject proxy type	2023-10-11 13:01:14 +08:00
wwqgtxx	9a16eb2895	fix: BBR memory leak from: `7c46e845a6`	2023-10-11 11:01:17 +08:00
wwqgtxx	270a080b55	fix: sing listener panic	2023-10-11 10:55:12 +08:00
wwqgtxx	1cf9a55e3e	chore: code cleanup	2023-10-10 21:29:12 +08:00
wwqgtxx	6bcd91a801	feat: add `skip-auth-prefixes`	2023-10-10 21:29:12 +08:00
wwqgtxx	7ed25ddc74	chore: better atomic using	2023-10-10 21:28:46 +08:00
wwqgtxx	ae557c30d3	fix: quic-go min MTU	2023-10-08 13:15:17 +08:00
wwqgtxx	5a1800d642	fix: BBR bandwidth estimation edge case from `89429598bf`	2023-10-08 07:26:28 +08:00
wwqgtxx	d8fe7a52d6	feat: add `certificate` and `private-key` to vmess listener	2023-10-08 07:26:28 +08:00
wwqgtxx	791ecfbb32	feat: add `ws-path` to vmess listener	2023-10-08 07:26:28 +08:00
wwqgtxx	5ff4473083	chore: migrate from gorilla/websocket to gobwas/ws	2023-10-06 17:44:36 +08:00
wwqgtxx	d1e88a30cb	fix: gVisor UDP 6to4 check	2023-10-03 16:00:03 +08:00
wwqgtxx	7eae7756f5	chore: update gvisor	2023-10-01 19:15:26 +08:00
wwqgtxx	4e3cd01aad	chore: merge some quic-go fix	2023-10-01 13:44:56 +08:00
Larvan2	dbaee284e4	fix: hy2/tuic inbound cert isn't path Co-authored-by: wwqgtxx <wwqgtxx@gmail.com>	2023-10-01 12:04:34 +08:00
wwqgtxx	8253bfe2e0	add `quic-go-disable-ecn` to experimental	2023-10-01 09:10:11 +08:00
wwqgtxx	828b5ad8bb	chore: add new bbr implementation	2023-10-01 00:01:32 +08:00
Larvan2	fedad26c13	chore: support relative path for hy2/tuic inbound cert	2023-10-01 00:01:32 +08:00
wwqgtxx	a526bb70ea	chore: fix bbr bugs	2023-09-30 13:40:07 +08:00
yaling888	5f6de610e1	Fix: should check all ips need to fallback (#2915 )	2023-09-29 13:42:22 +08:00
Larvan2	02397868fc	docs: support reload in service	2023-09-29 13:26:59 +08:00
Kiva	265a6b9b68	chore: reduce string split immediately after string concat (#773 )	2023-09-29 08:51:13 +08:00
NyaMisty	10e7c533d7	feat: support clash premium's structured log stream (#735 ) * feat: support clash premium's structured log stream New version of Clash for Windows uses `ws://external-controller/logs?token=&level=info&format=structured` to get real time log. When Clash Premium Core reveices `format=structured`, it returns a different form of JSON log entry. Supporting this feature will allow better Clash for Windows integration Signed-off-by: Misty <gyc990326@gmail.com>	2023-09-29 08:50:50 +08:00
septs	0ed3c5a5ec	chore: improve subscription userinfo parsing (#781 ) do not use regex parsing for `Subscription-UserInfo` header field	2023-09-29 08:42:57 +08:00
Andrei Shevchuk	c2b06a02bf	feat: add reload signal support (#780 ) Backport Clash feature by @septs, see Dreamacro/clash#2908	2023-09-29 08:36:25 +08:00
wwqgtxx	e0458a8fde	chore: decrease goroutine used in core tunnel	2023-09-28 18:59:31 +08:00
wwqgtxx	21fb5f75b8	fix: gvisor panic	2023-09-26 09:06:00 +08:00
wwqgtxx	fb99412193	chore: update quic-go to 0.39.0	2023-09-26 08:51:25 +08:00
Larvan2	fdd327d58d	fix: fail to set KeepAliveIntervall #715	2023-09-25 14:05:13 +08:00
wwqgtxx	0dfe696300	chore: ntp service support `dialer-proxy`	2023-09-25 09:11:35 +08:00
wwqgtxx	c0ba798708	chore: share N.dialer code	2023-09-25 09:11:35 +08:00
Kiva	67d7e53f7a	feat: recovering `preHandleMetadata` failure from sniffing (#769 )	2023-09-24 19:27:55 +08:00
Larvan2	e6366f7442	chore: fix typo	2023-09-24 19:00:51 +08:00
汐殇	89d9cb0539	Merge pull request #767 from PuerNya/fix-delay chore: handle provider proxies in proxies api	2023-09-24 15:55:33 +08:00
PuerNya	0d300a3540	chore: handle provider proxies in proxies api	2023-09-24 15:39:14 +08:00
xishang0128	7c59916c22	chore: update provider proxies api	2023-09-24 00:19:10 +08:00
Larvan2	8f515ecc05	chore: updateUI API return 501 when config incomplete	2023-09-23 18:00:07 +08:00
xishang0128	34f62a0919	feat: add provider proxies api	2023-09-23 17:54:20 +08:00
wwqgtxx	0207a7ac96	chore: resolver read system hosts file	2023-09-23 14:01:18 +08:00
wwqgtxx	bf619d8586	fix: socks5 udp not working on loopback	2023-09-22 23:33:24 +08:00
wwqgtxx	d48f9c2a6c	chore: rebuild ca parsing	2023-09-22 14:45:34 +08:00
wwqgtxx	90a5aa609a	fix: uot read failed	2023-09-22 00:11:57 +08:00
wwqgtxx	4fe7a463c5	chore: limit tuicv5's maxUdpRelayPacketSize up to 1200-PacketOverHead	2023-09-21 23:49:45 +08:00
wwqgtxx	7f49c91267	fix: hy2 udp not working	2023-09-21 23:36:40 +08:00
Larvan2	f6bf9c0857	feat: converter support hysteria2	2023-09-21 17:25:15 +08:00
wwqgtxx	da24810da2	chore: support set cwnd for hy2 too	2023-09-21 16:41:31 +08:00
wwqgtxx	ee3213c28f	fix: tuicv5 panic in ReadFrom	2023-09-21 15:10:35 +08:00
wwqgtxx	233eeb0b38	feat: inbound support Hysteria2	2023-09-21 15:10:35 +08:00
wwqgtxx	6c3b973748	doc: add Hysteria2 doc	2023-09-21 10:43:45 +08:00
wwqgtxx	9b8e2d9343	feat: support Hysteria2	2023-09-21 10:28:28 +08:00
wwqgtxx	24fd577767	chore: Update dependencies	2023-09-21 08:57:38 +08:00
wwqgtxx	42b85de83e	chore: Restore go1.20 support	2023-09-21 08:29:28 +08:00
wwqgtxx	62266010ac	Revert "migration: go 1.21" This reverts commit `33d41338ef`.	2023-09-21 08:29:28 +08:00
xishang0128	0d7a57fa9d	Chore: update github issue template	2023-09-21 03:40:46 +08:00
汐殇	f909b3c0dc	chore: Update android-ndk	2023-09-20 15:26:36 +08:00
xishang0128	8b518161a3	chore: update external-ui	2023-09-20 14:23:58 +08:00
Larvan2	20fafdca65	chore: cleanup code	2023-09-18 19:42:08 +08:00
Larvan2	fd96efd456	chore: ignore PR when Pre-releasing	2023-09-18 19:36:11 +08:00
Larvan2	7c21768e99	feat: update external-ui	2023-09-18 19:21:30 +08:00
Larvan2	6a5a94f48f	chore: DNS cache policy follow upstream	2023-09-17 17:18:35 +08:00
Larvan2	33d41338ef	migration: go 1.21	2023-09-17 17:05:13 +08:00
Skyxim	2d3b9364bf	fix: caceh dns result	2023-09-16 12:30:11 +08:00
Larvan2	fa49fd7ba2	chore: use cmp in go 1.21 Co-authored-by: H1JK <hell0jack@protonmail.com>	2023-09-16 12:06:58 +08:00
Larvan2	c3d72f6883	feat: download/upgrade XD to external-ui	2023-09-16 11:44:15 +08:00
kunish	af99b52527	docs(README): update dashboard section	2023-09-09 13:06:49 +08:00
H1JK	f241e1f81a	chore: Update dependencies	2023-09-09 09:53:14 +08:00
H1JK	90acce7fa1	feat: Add disable quic-go GSO to experimental	2023-09-08 22:58:59 +08:00
xishang0128	7286391883	feat: support users to customize download ua	2023-09-07 18:44:58 +08:00
riolu.rs	a1eab125ee	fix: ntp service panic	2023-09-04 18:35:06 +08:00
Larvan2	1d4af2d92b	chore: TCPKeepAlive interval set to 15s by default	2023-09-03 20:42:54 +08:00
riolu.rs	d6cf2a837f	chore: ntp service dep with sing, optional synchronize system time	2023-09-03 17:49:56 +08:00
H1JK	d6b80acfbc	chore: Use xsync provided map size calculation	2023-09-02 20:17:43 +08:00
wwqgtxx	1cad615b25	chore: using xsync.MapOf replace sync.Map	2023-09-02 16:54:48 +08:00
Larvan2	73fa79bf3f	feat: configurable TCPKeepAlive interval	2023-09-02 16:45:16 +08:00
Larvan2	d79c13064e	chore: cleanup codes	2023-09-02 14:12:53 +08:00
YanceyChiew	427a377c2a	refactor: Decouple .Cleanup from ReCreateTun The listener.Cleanup method will be called during executor.Shutdown and route.restart, so it should serve all kinds of listeners rather than a single tun device. Currently listener.ReCreateTun will call it to handle some internal affairs, This should be decoupled. In this way, the cleanup tasks for data outside the process life cycle that other listeners will add here in the future will not be accidentally triggered by configuring tun.	2023-09-02 14:12:53 +08:00
YanceyChiew	9feb4d6668	fix: RESTful api missing TunConf.device In commit `54fee7b`, due to failure to take into account that not all required parameters of `sing_tun.server.New` have default values provided by `LC.Tun`, the name of the tun device cannot be obtained when `TunConf.device` is not explicitly configured. This commit fixed the issue.	2023-09-02 14:12:53 +08:00
wwqgtxx	a366e9a4b5	fix: ntp service panic	2023-09-02 12:37:43 +08:00
riolu.rs	cbdf33c42c	feat: ntp service	2023-09-02 02:15:46 +08:00
Larvan2	9ceaf20584	fix: concurrent map writes #707	2023-09-01 10:43:04 +08:00
YanceyChiew	54fee7bd3a	Improve: nicer tun info for RESTful api Let the restful api still get TunConf even when tun is off. Otherwise the api will return the default values, instead of the values that actually take effect after enable. * Due to this problem, yacd changes the displayed value back to gvisor immediately after the user selects tun stack.	2023-08-30 21:13:32 +08:00
Larvan2	414d8f2162	chore: use WaitGroup in dualStackDialContext	2023-08-30 17:28:36 +08:00
Mitt	86cf1dd54b	fix: dualStack confusing error on ipv4 failed connect	2023-08-30 17:28:36 +08:00
Larvan2	d099375200	chore: rename func name	2023-08-30 15:52:41 +08:00
Alpha	9536372cfb	fix: call shutdown before restart (#709 )	2023-08-30 15:49:28 +08:00
Larvan2	630a17cf90	chore: cleanup codes	2023-08-26 21:20:20 +08:00
wwqgtxx	0a7b7894bd	feat: proxies support `direct` type	2023-08-24 23:33:03 +08:00
wwqgtxx	3a9fc39cd9	chore: update quic-go to 0.38.0	2023-08-21 16:18:56 +08:00
wwqgtxx	1181fd4560	feat: add `udp-over-stream` for tuic only work with meta tuic server or sing-box 1.4.0-beta.6	2023-08-21 12:37:39 +08:00
Larvan2	b8a60261ef	chore: restore unselected clear selected node in outboundgoup/URLtest when getGroupDelay triggered	2023-08-18 22:17:07 +08:00
wwqgtxx	db68d55a0e	fix: sing-vmess panic	2023-08-17 22:33:07 +08:00
wwqgtxx	574efb4526	chore: Update dependencies	2023-08-16 21:30:12 +08:00
3andne	03b0252589	feat: bump restls to v0.1.6 (utls v1.4.3) (#692 ) * feat: bump restls to v0.1.5 (utls v1.4.3) * fix: rm dependency go-quic	2023-08-16 11:41:58 +08:00
H1JK	ed09df4e13	fix: TLS ALPN support	2023-08-14 15:48:13 +08:00
H1JK	f89ecd97d6	feat: Converter unofficial TUIC share link support	2023-08-14 15:11:33 +08:00