documentation: Bump version & Refactor docs

Makefile

@@ -14,7 +14,7 @@ MAIN_PARAMS = $(PARAMS) -tags $(TAGS)
 MAIN = ./cmd/sing-box
 PREFIX ?= $(shell go env GOPATH)
 
-.PHONY: test release
+.PHONY: test release docs
 
 build:
 	go build $(MAIN_PARAMS) $(MAIN)
@@ -182,6 +182,14 @@ lib_install:
 	go install -v github.com/sagernet/gomobile/cmd/[email protected]
 	go install -v github.com/sagernet/gomobile/cmd/[email protected]
 
+docs:
+	mkdocs serve
+
+publish_docs:
+	mkdocs gh-deploy -m "Update" --force --ignore-version --no-history
+
+docs_install:
+	pip install --force-reinstall mkdocs-material=="9.*" mkdocs-static-i18n=="1.2.*"
 clean:
 	rm -rf bin dist sing-box
 	rm -f $(shell go env GOPATH)/sing-box

docs/changelog.md

@@ -1,27 +1,86 @@
+---
+icon: material/alert-decagram
+---
+
+# ChangeLog
+
+#### 1.7.0-rc.3
+
+* Fixes and improvements
+
 #### 1.6.7
 
 * macOS: Add button for uninstall SystemExtension in the standalone graphical client
 * Fix missing UDP user context on TUIC/Hysteria2 inbounds
 * Fixes and improvements
 
+#### 1.7.0-rc.2
+
+* Fix missing UDP user context on TUIC/Hysteria2 inbounds
+* macOS: Add button for uninstall SystemExtension in the standalone graphical client
+
 #### 1.6.6
 
 * Fixes and improvements
 
+#### 1.7.0-rc.1
+
+* Fixes and improvements
+
+#### 1.7.0-beta.5
+
+* Update gVisor to 20231113.0
+* Fixes and improvements
+
+#### 1.7.0-beta.4
+
+* Add `wifi_ssid` and `wifi_bssid` route and DNS rules **1**
+* Fixes and improvements
+
+**1**:
+
+Only supported in graphical clients on Android and iOS.
+
+#### 1.7.0-beta.3
+
+* Fix zero TTL was incorrectly reset
+* Fixes and improvements
+
 #### 1.6.5
 
 * Fix crash if TUIC inbound authentication failed
 * Fixes and improvements
 
+#### 1.7.0-beta.2
+
+* Fix crash if TUIC inbound authentication failed
+* Update quic-go to v0.40.0
+* Fixes and improvements
+
 #### 1.6.4
 
 * Fixes and improvements
 
+#### 1.7.0-beta.1
+
+* Fixes and improvements
+
 #### 1.6.3
 
 * iOS/Android: Fix profile auto update
 * Fixes and improvements
 
+#### 1.7.0-alpha.11
+
+* iOS/Android: Fix profile auto update
+* Fixes and improvements
+
+#### 1.7.0-alpha.10
+
+* Fix tcp-brutal not working with TLS
+* Fix Android client not closing in some cases
+* Fixes and improvements
+
 #### 1.6.2
 
 * Fixes and improvements
@@ -31,6 +90,34 @@
 * Our [Android client](/installation/clients/sfa) is now available in the Google Play Store ▶️
 * Fixes and improvements
 
+#### 1.7.0-alpha.6
+
+* Fixes and improvements
+
+#### 1.7.0-alpha.4
+
+* Migrate multiplex and UoT server to inbound **1**
+* Add TCP Brutal support for multiplex **2**
+
+**1**:
+
+Starting in 1.7.0, multiplexing support is no longer enabled by default and needs to be turned on explicitly in inbound options.
+
+**2**
+
+Hysteria Brutal Congestion Control Algorithm in TCP. A kernel module needs to be installed on the Linux server, see [TCP Brutal](/configuration/shared/tcp-brutal) for details.
+
+#### 1.7.0-alpha.3
+
+* Add [HTTPUpgrade V2Ray transport](/configuration/shared/v2ray-transport#HTTPUpgrade) support **1**
+* Fixes and improvements
+
+**1**:
+
+Introduced in V2Ray 5.10.0.
+
+The new HTTPUpgrade transport has better performance than WebSocket and is better suited for CDN abuse.
+
 #### 1.6.0
 
 * Fixes and improvements
@@ -55,6 +142,23 @@ This update is intended to address the multi-send defects of the old implementat
 Based on discussions with the original author, the brutal CC and QUIC protocol parameters of
 the old protocol (Hysteria 1) have been updated to be consistent with Hysteria 2
 
+#### 1.7.0-alpha.2
+
+* Fix bugs introduced in 1.7.0-alpha.1
+
+#### 1.7.0-alpha.1
+
+* Add [exclude route support](/configuration/inbound/tun) for TUN inbound
+* Add `udp_disable_domain_unmapping` [inbound listen option](/configuration/shared/listen) **1**
+* Fixes and improvements
+
+**1**:
+
+If enabled, for UDP proxy requests addressed to a domain,
+the original packet address will be sent in the response instead of the mapped domain.
+
+This option is used for compatibility with clients that
+do not support receiving UDP packets with domain addresses, such as Surge.
 
 #### 1.5.5
 
@@ -116,6 +220,24 @@ the old protocol (Hysteria 1) have been updated to be consistent with Hysteria 2
 * Update golang.org/x/net to v0.17.0
 * Fixes and improvements
 
+#### 1.6.0-beta.3
+
+* Update the legacy Hysteria protocol **1**
+* Fixes and improvements
+
+**1**
+
+Based on discussions with the original author, the brutal CC and QUIC protocol parameters of
+the old protocol (Hysteria 1) have been updated to be consistent with Hysteria 2
+
+#### 1.6.0-beta.2
+
+* Add TLS self sign key pair generate command
+* Update brutal congestion control for Hysteria2
+* Fix Clash cache crash on arm32 devices
+* Update golang.org/x/net to v0.17.0
+* Fixes and improvements
+
 #### 1.5.3
 
 * Fix compatibility with Android 14

docs/clients/android/features.md

@@ -0,0 +1,64 @@
+# :material-decagram: Features
+
+#### UI options
+
+* Display realtime network speed in the notification
+
+#### Service
+
+SFA allows you to run sing-box through ForegroundService or VpnService (when TUN is required).
+
+#### TUN
+
+SFA provides an unprivileged TUN implementation through Android VpnService.
+
+| TUN inbound option            | Available        | Note               |
+|-------------------------------|------------------|--------------------|
+| `interface_name`              | :material-close: | Managed by Android |
+| `inet4_address`               | :material-check: | /                  |
+| `inet6_address`               | :material-check: | /                  |
+| `mtu`                         | :material-check: | /                  |
+| `auto_route`                  | :material-check: | /                  |
+| `strict_route`                | :material-close: | Not implemented    |
+| `inet4_route_address`         | :material-check: | /                  |
+| `inet6_route_address`         | :material-check: | /                  |
+| `inet4_route_exclude_address` | :material-check: | /                  |
+| `inet6_route_exclude_address` | :material-check: | /                  |
+| `endpoint_independent_nat`    | :material-check: | /                  |
+| `stack`                       | :material-check: | /                  |
+| `include_interface`           | :material-close: | No permission      |
+| `exclude_interface`           | :material-close: | No permission      |
+| `include_uid`                 | :material-close: | No permission      |
+| `exclude_uid`                 | :material-close: | No permission      |
+| `include_android_user`        | :material-close: | No permission      |
+| `include_package`             | :material-check: | /                  |
+| `exclude_package`             | :material-check: | /                  |
+| `platform`                    | :material-check: | /                  |
+
+| Route/DNS rule option | Available        | Note                              |
+|-----------------------|------------------|-----------------------------------|
+| `process_name`        | :material-close: | No permission                     |
+| `process_path`        | :material-close: | No permission                     |
+| `package_name`        | :material-check: | /                                 |
+| `user`                | :material-close: | Use `package_name` instead        |
+| `user_id`             | :material-close: | Use `package_name` instead        |
+| `wifi_ssid`           | :material-check: | Fine location permission required |
+| `wifi_bssid`          | :material-check: | Fine location permission required |
+
+### Override
+
+Overrides profile configuration items with platform-specific values.
+
+#### Per-app proxy
+
+SFA allows you to select a list of Android apps that require proxying or bypassing in the graphical interface to
+override the `include_package` and `exclude_package` configuration items.
+
+In particular, the selector also provides the “China apps” scanning feature, providing Chinese users with an excellent
+experience to bypass apps that do not require a proxy. Specifically, by scanning China application or SDK
+characteristics through dex class path and other means, there will be almost no missed reports.
+
+### Chore
+
+* The working directory is located at `/sdcard/Android/data/io.nekohasekai.sfa/files` (External files directory)
+* Crash logs is located in `$working_directory/stderr.log`

docs/clients/android/index.md

@@ -0,0 +1,22 @@
+---
+icon: material/android
+---
+
+# sing-box for Android
+
+SFA allows users to manage and run local or remote sing-box configuration files, and provides
+platform-specific function implementation, such as TUN transparent proxy implementation.
+
+## :material-graph: Requirements
+
+* Android 5.0+
+
+## :material-download: Download
+
+* [Play Store](https://play.google.com/store/apps/details?id=io.nekohasekai.sfa)
+* [Play Store (Beta)](https://play.google.com/apps/testing/io.nekohasekai.sfa)
+* [GitHub Releases](https://github.com/SagerNet/sing-box/releases)
+
+## :material-source-repository: Source code
+
+* [GitHub](https://github.com/SagerNet/sing-box-for-android)

docs/clients/apple/features.md

@@ -0,0 +1,52 @@
+# :material-decagram: Features
+
+#### UI options
+
+* Always On
+* Include All Networks (Proxy traffic for LAN and cellular services)
+* (Apple tvOS) Import profile from iPhone/iPad
+
+#### Service
+
+SFI/SFM/SFT allows you to run sing-box through NetworkExtension with Application Extension or System Extension.
+
+#### TUN
+
+SFI/SFM/SFT provides an unprivileged TUN implementation through NetworkExtension.
+
+| TUN inbound option            | Available | Note              |
+|-------------------------------|-----------|-------------------|
+| `interface_name`              | ✖️        | Managed by Darwin |
+| `inet4_address`               | ✔️        | /                 |
+| `inet6_address`               | ✔️        | /                 |
+| `mtu`                         | ✔️        | /                 |
+| `auto_route`                  | ✔️        | /                 |
+| `strict_route`                | ✖️        | Not implemented   |
+| `inet4_route_address`         | ✔️        | /                 |
+| `inet6_route_address`         | ✔️        | /                 |
+| `inet4_route_exclude_address` | ✔️        | /                 |
+| `inet6_route_exclude_address` | ✔️        | /                 |
+| `endpoint_independent_nat`    | ✔️        | /                 |
+| `stack`                       | ✔️        | /                 |
+| `include_interface`           | ✖️        | Not implemented   |
+| `exclude_interface`           | ✖️        | Not implemented   |
+| `include_uid`                 | ✖️        | Not implemented   |
+| `exclude_uid`                 | ✖️        | Not implemented   |
+| `include_android_user`        | ✖️        | Not implemented   |
+| `include_package`             | ✖️        | Not implemented   |
+| `exclude_package`             | ✖️        | Not implemented   |
+| `platform`                    | ✔️        | /                 |
+
+| Route/DNS rule option | Available        | Note                  |
+|-----------------------|------------------|-----------------------|
+| `process_name`        | :material-close: | No permission         |
+| `process_path`        | :material-close: | No permission         |
+| `package_name`        | :material-close: | /                     |
+| `user`                | :material-close: | No permission         |
+| `user_id`             | :material-close: | No permission         |
+| `wifi_ssid`           | :material-alert: | Only supported on iOS |
+| `wifi_bssid`          | :material-alert: | Only supported on iOS |
+
+### Chore
+
+* Crash logs is located in `Settings` -> `View Service Log`

docs/clients/apple/index.md

@@ -0,0 +1,32 @@
+---
+icon: material/apple
+---
+
+# sing-box for Apple platforms
+
+SFI/SFM/SFT allows users to manage and run local or remote sing-box configuration files, and provides
+platform-specific function implementation, such as TUN transparent proxy implementation.
+
+## :material-graph: Requirements
+
+* iOS 15.0+ / macOS 13.0+ / Apple tvOS 17.0+
+* An Apple account outside of mainland China
+
+## :material-download: Download
+
+* [App Store](https://apps.apple.com/us/app/sing-box/id6451272673)
+* [TestFlight (Beta)](https://testflight.apple.com/join/AcqO44FH)
+
+## :material-file-download: Download (macOS standalone version)
+
+* [Homebrew Cask](https://formulae.brew.sh/cask/sfm)
+
+```bash
+brew install sfm
+```
+
+* [GitHub Releases](https://github.com/SagerNet/sing-box/releases)
+
+## :material-source-repository: Source code
+
+* [GitHub](https://github.com/SagerNet/sing-box-for-apple)

docs/clients/general.md

@@ -0,0 +1,63 @@
+---
+icon: material/pencil-ruler
+---
+
+# General
+
+Describes and explains the functions implemented uniformly by sing-box graphical clients.
+
+### Profile
+
+Profile describes a sing-box configuration file and its state.
+
+#### Local
+
+* Local Profile represents a local sing-box configuration with minimal state
+* The graphical client must provide an editor to modify configuration content
+
+#### iCloud (on iOS and macOS)
+
+* iCloud Profile represents a remote sing-box configuration with iCloud as the update source
+* The configuration file is stored in the sing-box folder under iCloud
+* The graphical client must provide an editor to modify configuration content
+
+#### Remote
+
+* Remote Profile represents a remote sing-box configuration with a URL as the update source.
+* The graphical client should provide a configuration content viewer
+* The graphical client must implement automatic profile update (default interval is 60 minutes) and HTTP Basic
+  authorization.
+
+At the same time, the graphical client must provide support for importing remote profiles
+through a specific URL Scheme. The URL is defined as follows:
+
+```
+sing-box://import-remote-profile?url=urlEncodedURL#urlEncodedName
+```
+
+### Dashboard
+
+While the sing-box service is running, the graphical client should provide a Dashboard interface to manage the service.
+
+#### Status
+
+Dashboard should display status information such as memory, connection, and traffic.
+
+#### Mode
+
+Dashboard should provide a Mode selector for switching when the configuration uses at least two `clash_mode` values.
+
+#### Groups
+
+When the configuration includes group outbounds (specifically, Selector or URLTest),
+the dashboard should provide a Group selector for status display or switching.
+
+### Chore
+
+#### Core
+
+Graphical clients should provide a Core region:
+
+* Display the current sing-box version
+* Provides a button to clean the working directory
+* Provides a memory limiter switch

docs/clients/index.md

@@ -0,0 +1,13 @@
+# :material-cellphone-link: Graphical Clients
+
+Maintained by Project S to provide a unified experience and platform-specific functionality.
+
+| Platform                              | Client                                  |
+|---------------------------------------|-----------------------------------------|
+| :material-android: Android            | [sing-box for Android](./android)       |
+| :material-apple: iOS/macOS/Apple tvOS | [sing-box for Apple platforms](./apple) |
+| :material-laptop: Desktop             | Working in progress                     |
+
+Some third-party projects that claim to use sing-box or use sing-box as a selling point are not listed here. The core
+motivation of the maintainers of such projects is to acquire more users, and even though they provide friendly VPN
+client features, the code is usually of poor quality and contains ads.

docs/clients/index.zh.md

@@ -0,0 +1,12 @@
+# :material-cellphone-link: 图形界面客户端
+
+由 Project S 维护，提供统一的体验与平台特定的功能。
+
+| 平台                                    | 客户端                                     |
+|---------------------------------------|-----------------------------------------|
+| :material-android: Android            | [sing-box for Android](./android)       |
+| :material-apple: iOS/macOS/Apple tvOS | [sing-box for Apple platforms](./apple) |
+| :material-laptop: Desktop             | 施工中                                     |
+
+此处没有列出一些声称使用或以 sing-box 为卖点的第三方项目。此类项目维护者的动机是获得更多用户，即使它们提供友好的商业
+VPN 客户端功能， 但代码质量很差且包含广告。

docs/clients/privacy.md

@@ -0,0 +1,8 @@
+---
+icon: material/security
+---
+
+# Privacy policy
+
+sing-box and official graphics clients do not collect or share personal data,
+and the data generated by the software is always on your device.

docs/configuration/dns/rule.md

@@ -79,6 +79,12 @@
           1000
         ],
         "clash_mode": "direct",
+        "wifi_ssid": [
+          "My WIFI"
+        ],
+        "wifi_bssid": [
+          "00:00:00:00:00:00"
+        ],
         "invert": false,
         "outbound": [
           "direct"
@@ -188,7 +194,7 @@ Match port range.
 
 #### process_name
 
-!!! error ""
+!!! quote ""
 
     Only supported on Linux, Windows, and macOS.
 
@@ -196,7 +202,7 @@ Match process name.
 
 #### process_path
 
-!!! error ""
+!!! quote ""
 
     Only supported on Linux, Windows, and macOS.
 
@@ -208,7 +214,7 @@ Match android package name.
 
 #### user
 
-!!! error ""
+!!! quote ""
 
     Only supported on Linux.
 
@@ -216,7 +222,7 @@ Match user name.
 
 #### user_id
 
-!!! error ""
+!!! quote ""
 
     Only supported on Linux.
 
@@ -226,6 +232,24 @@ Match user id.
 
 Match Clash mode.
 
+#### wifi_ssid
+
+<!-- md:version 1.7.0-beta.4 -->
+
+!!! quote ""
+
+    Only supported in graphical clients on Android and iOS.
+
+Match WiFi SSID.
+
+#### wifi_bssid
+
+!!! quote ""
+
+    Only supported in graphical clients on Android and iOS.
+
+Match WiFi BSSID.
+
 #### invert
 
 Invert match result.

docs/configuration/dns/rule.zh.md

@@ -78,6 +78,12 @@
           1000
         ],
         "clash_mode": "direct",
+        "wifi_ssid": [
+          "My WIFI"
+        ],
+        "wifi_bssid": [
+          "00:00:00:00:00:00"
+        ],
         "invert": false,
         "outbound": [
           "direct"
@@ -185,7 +191,7 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 
 #### process_name
 
-!!! error ""
+!!! quote ""
 
     仅支持 Linux、Windows 和 macOS.
 
@@ -193,7 +199,7 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 
 #### process_path
 
-!!! error ""
+!!! quote ""
 
     仅支持 Linux、Windows 和 macOS.
 
@@ -205,7 +211,7 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 
 #### user
 
-!!! error ""
+!!! quote ""
 
     仅支持 Linux。
 
@@ -213,7 +219,7 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 
 #### user_id
 
-!!! error ""
+!!! quote ""
 
     仅支持 Linux。
 
@@ -223,6 +229,22 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 
 匹配 Clash 模式。
 
+#### wifi_ssid
+
+!!! quote ""
+
+    仅在 Android 与 iOS 的图形客户端中支持。
+
+匹配 WiFi SSID。
+
+#### wifi_bssid
+
+!!! quote ""
+
+    仅在 Android 与 iOS 的图形客户端中支持。
+
+匹配 WiFi BSSID。
+
 #### invert
 
 反选匹配结果。

docs/configuration/dns/server.md

@@ -49,7 +49,7 @@ The address of the dns server.
 
 !!! warning ""
 
-    QUIC and HTTP3 transport is not included by default, see [Installation](/#installation).
+    QUIC and HTTP3 transport is not included by default, see [Installation](./#installation).
 
 !!! info ""
 
@@ -57,7 +57,7 @@ The address of the dns server.
 
 !!! warning ""
 
-    DHCP transport is not included by default, see [Installation](/#installation).
+    DHCP transport is not included by default, see [Installation](./#installation).
 
 | RCode             | Description           | 
 |-------------------|-----------------------|

docs/configuration/experimental/index.md

@@ -44,9 +44,9 @@
 
 ### Clash API Fields
 
-!!! error ""
+!!! quote ""
 
-    Clash API is not included by default, see [Installation](/#installation).
+    Clash API is not included by default, see [Installation](./#installation).
 
 #### external_controller
 
@@ -110,9 +110,9 @@ If not empty, `store_selected` will use a separate store keyed by it.
 
 ### V2Ray API Fields
 
-!!! error ""
+!!! quote ""
 
-    V2Ray API is not included by default, see [Installation](/#installation).
+    V2Ray API is not included by default, see [Installation](./#installation).
 
 #### listen
 

docs/configuration/experimental/index.zh.md

@@ -44,7 +44,7 @@
 
 ### Clash API 字段
 
-!!! error ""
+!!! quote ""
 
     默认安装不包含 Clash API，参阅 [安装](/zh/#_2)。
 
@@ -108,7 +108,7 @@ Clash 中的默认模式，默认使用 `Rule`。
 
 ### V2Ray API 字段
 
-!!! error ""
+!!! quote ""
 
     默认安装不包含 V2Ray API，参阅 [安装](/zh/#_2)。
 

docs/configuration/inbound/http.md

@@ -36,7 +36,7 @@ No authentication required if empty.
 
 #### set_system_proxy
 
-!!! error ""
+!!! quote ""
 
     Only supported on Linux, Android, Windows, and macOS.
 

docs/configuration/inbound/http.zh.md

@@ -36,7 +36,7 @@ HTTP 用户
 
 #### set_system_proxy
 
-!!! error ""
+!!! quote ""
 
     仅支持 Linux、Android、Windows 和 macOS。
 

docs/configuration/inbound/hysteria.md

@@ -31,7 +31,7 @@
 
 !!! warning ""
 
-    QUIC, which is required by hysteria is not included by default, see [Installation](/#installation).
+    QUIC, which is required by hysteria is not included by default, see [Installation](./#installation).
 
 ### Listen Fields
 

docs/configuration/inbound/hysteria2.md

@@ -4,8 +4,8 @@
 {
   "type": "hysteria2",
   "tag": "hy2-in",
-  
-  ... // Listen Fields
+  ...
+  // Listen Fields
 
   "up_mbps": 100,
   "down_mbps": 100,
@@ -28,7 +28,14 @@
 
 !!! warning ""
 
-    QUIC, which is required by Hysteria2 is not included by default, see [Installation](/#installation).
+    QUIC, which is required by Hysteria2 is not included by default, see [Installation](./#installation).
+
+!!! warning "Difference from official Hysteria2"
+
+    The official program supports an authentication method called **userpass**,
+    which essentially uses a combination of `<username>:<password>` as the actual password,
+    while sing-box does not provide this alias.
+    To use sing-box with the official program, you need to fill in that combination as the actual password.
 
 ### Listen Fields
 

docs/configuration/inbound/hysteria2.zh.md

@@ -4,8 +4,8 @@
 {
   "type": "hysteria2",
   "tag": "hy2-in",
-  
-  ... // 监听字段
+  ...
+  // 监听字段
 
   "up_mbps": 100,
   "down_mbps": 100,
@@ -30,6 +30,12 @@
 
     默认安装不包含被 Hysteria2 依赖的 QUIC，参阅 [安装](/zh/#_2)。
 
+!!! warning "与官方 Hysteria2 的区别"
+
+    官方程序支持一种名为 **userpass** 的验证方式，
+    本质上上是将用户名与密码的组合 `<username>:<password>` 作为实际上的密码，而 sing-box 不提供此别名。
+    要将 sing-box 与官方程序一起使用， 您需要填写该组合作为实际密码。
+
 ### 监听字段
 
 参阅 [监听字段](/zh/configuration/shared/listen/)。

docs/configuration/inbound/mixed.md

@@ -33,7 +33,7 @@ No authentication required if empty.
 
 #### set_system_proxy
 
-!!! error ""
+!!! quote ""
 
     Only supported on Linux, Android, Windows, and macOS.
 

docs/configuration/inbound/mixed.zh.md

@@ -33,7 +33,7 @@ SOCKS 和 HTTP 用户
 
 #### set_system_proxy
 
-!!! error ""
+!!! quote ""
 
     仅支持 Linux、Android、Windows 和 macOS。
 

docs/configuration/inbound/naive.md

@@ -20,7 +20,7 @@
 
 !!! warning ""
 
-    HTTP3 transport is not included by default, see [Installation](/#installation).
+    HTTP3 transport is not included by default, see [Installation](./#installation).
 
 ### Listen Fields
 

docs/configuration/inbound/redirect.md

@@ -1,4 +1,4 @@
-!!! error ""
+!!! quote ""
 
     Only supported on Linux and macOS.
 

docs/configuration/inbound/redirect.zh.md

@@ -1,4 +1,4 @@
-!!! error ""
+!!! quote ""
 
     仅支持 Linux 和 macOS。
 

docs/configuration/inbound/tproxy.md

@@ -1,4 +1,4 @@
-!!! error ""
+!!! quote ""
 
     Only supported on Linux.
 

docs/configuration/inbound/tproxy.zh.md

@@ -1,4 +1,4 @@
-!!! error ""
+!!! quote ""
 
     仅支持 Linux。
 

docs/configuration/inbound/trojan.md

@@ -47,7 +47,7 @@ TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
 
 #### fallback
 
-!!! error ""
+!!! quote ""
 
     There is no evidence that GFW detects and blocks Trojan servers based on HTTP responses, and opening the standard http/s port on the server is a much bigger signature.
 

docs/configuration/inbound/trojan.zh.md

@@ -49,7 +49,7 @@ TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
 
 #### fallback
 
-!!! error ""
+!!! quote ""
 
     没有证据表明 GFW 基于 HTTP 响应检测并阻止 Trojan 服务器，并且在服务器上打开标准 http/s 端口是一个更大的特征。
 

docs/configuration/inbound/tuic.md

@@ -24,7 +24,7 @@
 
 !!! warning ""
 
-    QUIC, which is required by TUIC is not included by default, see [Installation](/#installation).
+    QUIC, which is required by TUIC is not included by default, see [Installation](./#installation).
 
 ### Listen Fields
 

docs/configuration/inbound/tun.md

@@ -1,4 +1,4 @@
-!!! error ""
+!!! quote ""
 
     Only supported on Linux, Windows and macOS.
 
@@ -102,7 +102,7 @@ The maximum transmission unit.
 
 Set the default route to the Tun.
 
-!!! error ""
+!!! quote ""
 
     To avoid traffic loopback, set `route.auto_detect_interface` or `route.default_interface` or `outbound.bind_interface`
 
@@ -171,11 +171,11 @@ TCP/IP stack.
 
 !!! warning ""
 
-    gVisor and LWIP stacks is not included by default, see [Installation](/#installation).
+    gVisor and LWIP stacks is not included by default, see [Installation](./#installation).
 
 #### include_interface
 
-!!! error ""
+!!! quote ""
 
     Interface rules are only supported on Linux and require auto_route.
 
@@ -191,7 +191,7 @@ Conflict with `include_interface`.
 
 #### include_uid
 
-!!! error ""
+!!! quote ""
 
     UID rules are only supported on Linux and require auto_route.
 
@@ -211,7 +211,7 @@ Exclude users in route, but in range.
 
 #### include_android_user
 
-!!! error ""
+!!! quote ""
 
     Android user and package rules are only supported on Android and require auto_route.
 

docs/configuration/inbound/tun.zh.md

@@ -1,4 +1,4 @@
-!!! error ""
+!!! quote ""
 
     仅支持 Linux、Windows 和 macOS。
 
@@ -102,7 +102,7 @@ tun 接口的 IPv6 前缀。
 
 设置到 Tun 的默认路由。
 
-!!! error ""
+!!! quote ""
 
     为避免流量环回，请设置 `route.auto_detect_interface` 或 `route.default_interface` 或 `outbound.bind_interface`。
 
@@ -171,7 +171,7 @@ TCP/IP 栈。
 
 #### include_interface
 
-!!! error ""
+!!! quote ""
 
     接口规则仅在 Linux 下被支持，并且需要 `auto_route`。
 
@@ -187,7 +187,7 @@ TCP/IP 栈。
 
 #### include_uid
 
-!!! error ""
+!!! quote ""
 
     UID 规则仅在 Linux 下被支持，并且需要 `auto_route`。
 
@@ -207,7 +207,7 @@ TCP/IP 栈。
 
 #### include_android_user
 
-!!! error ""
+!!! quote ""
 
     Android 用户和应用规则仅在 Android 下被支持，并且需要 `auto_route`。
 

docs/configuration/outbound/hysteria.md

@@ -26,7 +26,7 @@
 
 !!! warning ""
 
-    QUIC, which is required by hysteria is not included by default, see [Installation](/#installation).
+    QUIC, which is required by hysteria is not included by default, see [Installation](./#installation).
 
 ### Fields
 

docs/configuration/outbound/hysteria2.md

@@ -24,7 +24,15 @@
 
 !!! warning ""
 
-    QUIC, which is required by Hysteria2 is not included by default, see [Installation](/#installation).
+    QUIC, which is required by Hysteria2 is not included by default, see [Installation](./#installation).
+
+!!! warning "Difference from official Hysteria2"
+
+    The official Hysteria2 supports an authentication method called **userpass**,
+    which essentially uses a combination of `<username>:<password>` as the actual password,
+    while sing-box does not provide this alias.
+    If you are planning to use sing-box with the official program,
+    please note that you will need to fill the combination as the password.
 
 ### Fields
 

docs/configuration/outbound/hysteria2.zh.md

@@ -26,6 +26,12 @@
 
     默认安装不包含被 Hysteria2 依赖的 QUIC，参阅 [安装](/zh/#_2)。
 
+!!! warning "与官方 Hysteria2 的区别"
+
+    官方程序支持一种名为 **userpass** 的验证方式，
+    本质上上是将用户名与密码的组合 `<username>:<password>` 作为实际上的密码，而 sing-box 不提供此别名。
+    要将 sing-box 与官方程序一起使用， 您需要填写该组合作为实际密码。
+
 ### 字段
 
 #### server

docs/configuration/outbound/selector.md

@@ -15,7 +15,7 @@
 }
 ```
 
-!!! error ""
+!!! quote ""
 
     The selector can only be controlled through the [Clash API](/configuration/experimental#clash-api-fields) currently.
 

docs/configuration/outbound/selector.zh.md

@@ -15,7 +15,7 @@
 }
 ```
 
-!!! error ""
+!!! quote ""
 
     选择器目前只能通过 [Clash API](/zh/configuration/experimental#clash-api) 来控制。
 

docs/configuration/outbound/shadowsocksr.md

@@ -25,7 +25,7 @@
 
 !!! warning ""
 
-    ShadowsocksR is not included by default, see [Installation](/#installation).
+    ShadowsocksR is not included by default, see [Installation](./#installation).
 
 ### Fields
 

docs/configuration/outbound/tor.md

@@ -18,7 +18,7 @@
 
 !!! info ""
 
-    Embedded tor is not included by default, see [Installation](/#installation).
+    Embedded tor is not included by default, see [Installation](./#installation).
 
 ### Fields
 

docs/configuration/outbound/tuic.md

@@ -23,7 +23,7 @@
 
 !!! warning ""
 
-    QUIC, which is required by TUIC is not included by default, see [Installation](/#installation).
+    QUIC, which is required by TUIC is not included by default, see [Installation](./#installation).
 
 ### Fields
 

docs/configuration/outbound/wireguard.md

@@ -38,11 +38,11 @@
 
 !!! warning ""
 
-    WireGuard is not included by default, see [Installation](/#installation).
+    WireGuard is not included by default, see [Installation](./#installation).
 
 !!! warning ""
 
-    gVisor, which is required by the unprivileged WireGuard is not included by default, see [Installation](/#installation).
+    gVisor, which is required by the unprivileged WireGuard is not included by default, see [Installation](./#installation).
 
 ### Fields
 

docs/configuration/route/index.md

@@ -31,7 +31,7 @@ Default outbound tag. the first outbound will be used if empty.
 
 #### auto_detect_interface
 
-!!! error ""
+!!! quote ""
 
     Only supported on Linux, Windows and macOS.
 
@@ -41,7 +41,7 @@ Takes no effect if `outbound.bind_interface` is set.
 
 #### override_android_vpn
 
-!!! error ""
+!!! quote ""
 
     Only supported on Android.
 
@@ -49,7 +49,7 @@ Accept Android VPN as upstream NIC when `auto_detect_interface` enabled.
 
 #### default_interface
 
-!!! error ""
+!!! quote ""
 
     Only supported on Linux, Windows and macOS.
 
@@ -59,7 +59,7 @@ Takes no effect if `auto_detect_interface` is set.
 
 #### default_mark
 
-!!! error ""
+!!! quote ""
 
     Only supported on Linux.
 

docs/configuration/route/index.zh.md

@@ -32,7 +32,7 @@
 
 #### auto_detect_interface
 
-!!! error ""
+!!! quote ""
 
     仅支持 Linux、Windows 和 macOS。
 
@@ -42,7 +42,7 @@
 
 #### override_android_vpn
 
-!!! error ""
+!!! quote ""
 
     仅支持 Android。
 
@@ -50,7 +50,7 @@
 
 #### default_interface
 
-!!! error ""
+!!! quote ""
 
     仅支持 Linux、Windows 和 macOS。
 
@@ -60,7 +60,7 @@
 
 #### default_mark
 
-!!! error ""
+!!! quote ""
 
     仅支持 Linux。
 

docs/configuration/route/rule.md

@@ -83,6 +83,12 @@
           1000
         ],
         "clash_mode": "direct",
+        "wifi_ssid": [
+          "My WIFI"
+        ],
+        "wifi_bssid": [
+          "00:00:00:00:00:00"
+        ],
         "invert": false,
         "outbound": "direct"
       },
@@ -190,7 +196,7 @@ Match port range.
 
 #### process_name
 
-!!! error ""
+!!! quote ""
 
     Only supported on Linux, Windows, and macOS.
 
@@ -198,7 +204,7 @@ Match process name.
 
 #### process_path
 
-!!! error ""
+!!! quote ""
 
     Only supported on Linux, Windows, and macOS.
 
@@ -210,7 +216,7 @@ Match android package name.
 
 #### user
 
-!!! error ""
+!!! quote ""
 
     Only supported on Linux.
 
@@ -218,7 +224,7 @@ Match user name.
 
 #### user_id
 
-!!! error ""
+!!! quote ""
 
     Only supported on Linux.
 
@@ -228,6 +234,22 @@ Match user id.
 
 Match Clash mode.
 
+#### wifi_ssid
+
+!!! quote ""
+
+    Only supported in graphical clients on Android and iOS.
+
+Match WiFi SSID.
+
+#### wifi_bssid
+
+!!! quote ""
+
+    Only supported in graphical clients on Android and iOS.
+
+Match WiFi BSSID.
+
 #### invert
 
 Invert match result.

docs/configuration/route/rule.zh.md

@@ -81,6 +81,12 @@
           1000
         ],
         "clash_mode": "direct",
+        "wifi_ssid": [
+          "My WIFI"
+        ],
+        "wifi_bssid": [
+          "00:00:00:00:00:00"
+        ],
         "invert": false,
         "outbound": "direct"
       },
@@ -188,7 +194,7 @@
 
 #### process_name
 
-!!! error ""
+!!! quote ""
 
     仅支持 Linux、Windows 和 macOS。
 
@@ -196,7 +202,7 @@
 
 #### process_path
 
-!!! error ""
+!!! quote ""
 
     仅支持 Linux、Windows 和 macOS.
 
@@ -208,7 +214,7 @@
 
 #### user
 
-!!! error ""
+!!! quote ""
 
     仅支持 Linux.
 
@@ -216,7 +222,7 @@
 
 #### user_id
 
-!!! error ""
+!!! quote ""
 
     仅支持 Linux.
 
@@ -226,6 +232,22 @@
 
 匹配 Clash 模式。
 
+#### wifi_ssid
+
+!!! quote ""
+
+    仅在 Android 与 iOS 的图形客户端中支持。
+
+匹配 WiFi SSID。
+
+#### wifi_bssid
+
+!!! quote ""
+
+    仅在 Android 与 iOS 的图形客户端中支持。
+
+匹配 WiFi BSSID。
+
 #### invert
 
 反选匹配结果。

docs/configuration/shared/dial.md

@@ -41,7 +41,7 @@ The IPv6 address to bind to.
 
 #### routing_mark
 
-!!! error ""
+!!! quote ""
 
     Only supported on Linux.
 

docs/configuration/shared/dial.zh.md

@@ -44,7 +44,7 @@
 
 #### routing_mark
 
-!!! error ""
+!!! quote ""
 
     仅支持 Linux。
 

docs/configuration/shared/tls.md

@@ -201,7 +201,7 @@ The path to the server private key, in PEM format.
 
 !!! warning ""
 
-    uTLS is not included by default, see [Installation](/#installation).
+    uTLS is not included by default, see [Installation](./#installation).
 
 !!! note ""
 
@@ -228,7 +228,7 @@ Chrome fingerprint will be used if empty.
 
 !!! warning ""
 
-    ECH is not included by default, see [Installation](/#installation).
+    ECH is not included by default, see [Installation](./#installation).
 
 ECH (Encrypted Client Hello) is a TLS extension that allows a client to encrypt the first part of its ClientHello
 message.
@@ -280,7 +280,7 @@ If empty, load from DNS will be attempted.
 
 !!! warning ""
 
-    ACME is not included by default, see [Installation](/#installation).
+    ACME is not included by default, see [Installation](./#installation).
 
 #### domain
 
@@ -359,11 +359,11 @@ See [DNS01 Challenge Fields](/configuration/shared/dns01_challenge) for details.
 
 !!! warning ""
 
-    reality server is not included by default, see [Installation](/#installation).
+    reality server is not included by default, see [Installation](./#installation).
 
 !!! warning ""
 
-    uTLS, which is required by reality client is not included by default, see [Installation](/#installation).
+    uTLS, which is required by reality client is not included by default, see [Installation](./#installation).
 
 #### handshake
 

docs/configuration/shared/v2ray-transport.md

@@ -131,7 +131,7 @@ It needs to be consistent with the server.
 
 !!! warning ""
 
-    QUIC is not included by default, see [Installation](/#installation).
+    QUIC is not included by default, see [Installation](./#installation).
 
 !!! warning "Difference from v2ray-core"
 
@@ -142,7 +142,7 @@ It needs to be consistent with the server.
 
 !!! note ""
 
-    standard gRPC has good compatibility but poor performance and is not included by default, see [Installation](/#installation).
+    standard gRPC has good compatibility but poor performance and is not included by default, see [Installation](./#installation).
 
 ```json
 {

docs/contributing/environment.md

@@ -1,50 +0,0 @@
-# Development environment
-
-#### For the documentation
-
-##### Setup
-
-You need to configure python3 and pip first.
-
-```shell
-pip install mkdocs-material mkdocs-static-i18n
-```
-
-##### Run the site locally
-
-```shell
-mkdocs serve
-```
-
-or
-
-```shell
-python3 -m mkdocs serve
-```
-
-#### For the project
-
-By default you have the latest Go installed (currently 1.19), and added `GOPATH/bin` to the PATH environment variable.
-
-##### Setup
-
-```shell
-make fmt_insalll
-make lint_install
-```
-
-This installs the formatting and lint tools, which can be used via `make fmt` and `make lint`.
-
-For ProtoBuffer changes, you also need `make proto_install` and `make proto`.
-
-##### Build binary to the project directory
-
-```shell
-make
-```
-
-##### Install binary to GOPATH/bin
-
-```shell
-make install
-```

docs/contributing/index.md

@@ -1,17 +0,0 @@
-# Contributing to sing-box
-
-An introduction to contributing to the sing-box project.
-
-The sing-box project welcomes, and depends, on contributions from developers and users in the open source community.
-Contributions can be made in a number of ways, a few examples are:
-
-* Code patches via pull requests
-* Documentation improvements
-* Bug reports and patch reviews
-
-### Reporting an Issue?
-
-Please follow
-the [issue template](https://github.com/SagerNet/sing-box/issues/new?assignees=&labels=&template=bug_report.yml) to
-submit bugs. Always include **FULL** log content, especially if you don't understand the code that generates it.
-

docs/contributing/sub-projects.md

@@ -1,67 +0,0 @@
-The sing-box uses the following projects which also need to be maintained:
-
-#### sing
-
-Link: [GitHub repository](https://github.com/SagerNet/sing)
-
-As a base tool library, there are no dependencies other than `golang.org/x/sys`.
-
-#### sing-dns
-
-Link: [GitHub repository](https://github.com/SagerNet/sing-dns)
-
-Handles DNS lookups and caching.
-
-#### sing-tun
-
-Link: [GitHub repository](https://github.com/SagerNet/sing-tun)
-
-Handle Tun traffic forwarding, configure routing, monitor network and routing.
-
-This library needs to periodically update its dependency gVisor (according to tags), including checking for changes to
-the used parts of the code and updating its usage. If you are involved in maintenance, you also need to check that if it
-works or contains memory leaks.
-
-#### sing-shadowsocks
-
-Link: [GitHub repository](https://github.com/SagerNet/sing-shadowsocks)
-
-Provides Shadowsocks client and server
-
-#### sing-vmess
-
-Link: [GitHub repository](https://github.com/SagerNet/sing-vmess)
-
-Provides VMess client and server
-
-#### netlink
-
-Link: [GitHub repository](https://github.com/SagerNet/netlink)
-
-Fork of `vishvananda/netlink`, with some rule fixes.
-
-The library needs to be updated with the upstream.
-
-#### quic-go
-
-Link: [GitHub repository](https://github.com/SagerNet/quic-go)
-
-Fork of `lucas-clemente/quic-go`  and `HyNetwork/quic-go`, contains quic flow control and other fixes used by Hysteria.
-
-Since the author of Hysteria does not follow the upstream updates in time, and the provided fork needs to use replace,
-we need to do this.
-
-The library needs to be updated with the upstream.
-
-#### smux
-
-Link: [GitHub repository](https://github.com/SagerNet/smux)
-
-Fork of `xtaci/smux`
-
-Modify the code to support the writev it uses internally and unify the buffer pool, which prevents it from allocating
-64k buffers for per connection and improves performance.
-
-Upstream doesn't seem to be updated anymore, maybe a replacement is needed.
-
-Note: while yamux is still actively maintained and better known, it seems to be less performant.

docs/deprecated.md

@@ -1,5 +1,11 @@
+---
+icon: material/delete-alert
+---
+
 # Deprecated Feature List
 
+### 1.6.0
+
 The following features will be marked deprecated in 1.5.0 and removed entirely in 1.6.0.
 
 #### ShadowsocksR

docs/deprecated.zh.md

@@ -0,0 +1,17 @@
+---
+icon: material/delete-alert
+---
+
+# 废弃功能列表
+
+### 1.6.0
+
+下列功能已在 1.5.0 中标记为已弃用，并在 1.6.0 中完全删除。
+
+#### ShadowsocksR
+
+ShadowsocksR 支持从未默认启用，自从常用的黑产代理销售面板停止使用该协议，继续维护它是没有意义的。
+
+#### Proxy Protocol
+
+Proxy Protocol 支持由 Pull Request 添加，存在问题且仅由 HTTP 多路复用器（如 nginx）的后端使用，具有侵入性，对于代理目的毫无意义。

docs/examples/clash-api.md

@@ -1,52 +0,0 @@
-```json
-{
-  "dns": {
-    "rules": [
-      {
-        "domain": [
-          "clash.razord.top",
-          "yacd.haishan.me"
-        ],
-        "server": "local"
-      },
-      {
-        "clash_mode": "direct",
-        "server": "local"
-      }
-    ]
-  },
-  "outbounds": [
-    {
-      "type": "selector",
-      "tag": "default",
-      "outbounds": [
-        "proxy-a",
-        "proxy-b"
-      ]
-    }
-  ],
-  "route": {
-    "rules": [
-      {
-        "clash_mode": "direct",
-        "outbound": "direct"
-      },
-      {
-        "domain": [
-          "clash.razord.top",
-          "yacd.haishan.me"
-        ],
-        "outbound": "direct"
-      }
-    ],
-    "final": "default"
-  },
-  "experimental": {
-    "clash_api": {
-      "external_controller": "127.0.0.1:9090",
-      "store_selected": true
-    }
-  }
-}
-
-```

docs/examples/dns-hijack.md

@@ -1,65 +0,0 @@
-#### Sniff Mode
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "tun",
-      "inet4_address": "172.19.0.1/30",
-      "auto_route": true,
-      "sniff": true // required
-    }
-  ],
-  "outbounds": [
-    {
-      "type": "direct"
-    },
-    {
-      "type": "dns",
-      "tag": "dns-out"
-    }
-  ],
-  "route": {
-    "rules": [
-      {
-        "protocol": "dns",
-        "outbound": "dns-out"
-      }
-    ],
-    "auto_detect_interface": true
-  }
-}
-```
-
-#### Port Mode
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "tun",
-      "inet4_address": "172.19.0.1/30",
-      "auto_route": true,
-      "sniff": true // not required
-    }
-  ],
-  "outbounds": [
-    {
-      "type": "direct"
-    },
-    {
-      "type": "dns",
-      "tag": "dns-out"
-    }
-  ],
-  "route": {
-    "rules": [
-      {
-        "port": 53,
-        "outbound": "dns-out"
-      }
-    ],
-    "auto_detect_interface": true
-  }
-}
-```

docs/examples/dns-hijack.zh.md

@@ -1,65 +0,0 @@
-#### 探测模式
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "tun",
-      "inet4_address": "172.19.0.1/30",
-      "auto_route": true,
-      "sniff": true // 必须
-    }
-  ],
-  "outbounds": [
-    {
-      "type": "direct"
-    },
-    {
-      "type": "dns",
-      "tag": "dns-out"
-    }
-  ],
-  "route": {
-    "rules": [
-      {
-        "protocol": "dns",
-        "outbound": "dns-out"
-      }
-    ],
-    "auto_detect_interface": true
-  }
-}
-```
-
-#### 端口模式
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "tun",
-      "inet4_address": "172.19.0.1/30",
-      "auto_route": true,
-      "sniff": true // 非必须
-    }
-  ],
-  "outbounds": [
-    {
-      "type": "direct"
-    },
-    {
-      "type": "dns",
-      "tag": "dns-out"
-    }
-  ],
-  "route": {
-    "rules": [
-      {
-        "port": 53,
-        "outbound": "dns-out"
-      }
-    ],
-    "auto_detect_interface": true
-  }
-}
-```

docs/examples/fakeip.md

@@ -1,106 +0,0 @@
-```json
-{
-  "dns": {
-    "servers": [
-      {
-        "tag": "google",
-        "address": "tls://8.8.8.8"
-      },
-      {
-        "tag": "local",
-        "address": "223.5.5.5",
-        "detour": "direct"
-      },
-      {
-        "tag": "remote",
-        "address": "fakeip"
-      },
-      {
-        "tag": "block",
-        "address": "rcode://success"
-      }
-    ],
-    "rules": [
-      {
-        "geosite": "category-ads-all",
-        "server": "block",
-        "disable_cache": true
-      },
-      {
-        "outbound": "any",
-        "server": "local"
-      },
-      {
-        "geosite": "cn",
-        "server": "local"
-      },
-      {
-        "query_type": [
-          "A",
-          "AAAA"
-        ],
-        "server": "remote"
-      }
-    ],
-    "fakeip": {
-      "enabled": true,
-      "inet4_range": "198.18.0.0/15",
-      "inet6_range": "fc00::/18"
-    },
-    "independent_cache": true,
-    "strategy": "ipv4_only"
-  },
-  "inbounds": [
-    {
-      "type": "tun",
-      "inet4_address": "172.19.0.1/30",
-      "auto_route": true,
-      "sniff": true,
-      "domain_strategy": "ipv4_only" // remove this line if you want to resolve the domain remotely (if the server is not sing-box, UDP may not work due to wrong behavior).
-    }
-  ],
-  "outbounds": [
-    {
-      "type": "shadowsocks",
-      "tag": "proxy",
-      "server": "mydomain.com",
-      "server_port": 8080,
-      "method": "2022-blake3-aes-128-gcm",
-      "password": "8JCsPssfgS8tiRwiMlhARg=="
-    },
-    {
-      "type": "direct",
-      "tag": "direct"
-    },
-    {
-      "type": "block",
-      "tag": "block"
-    },
-    {
-      "type": "dns",
-      "tag": "dns-out"
-    }
-  ],
-  "route": {
-    "rules": [
-      {
-        "protocol": "dns",
-        "outbound": "dns-out"
-      },
-      {
-        "geosite": "cn",
-        "geoip": [
-          "private",
-          "cn"
-        ],
-        "outbound": "direct"
-      },
-      {
-        "geosite": "category-ads-all",
-        "outbound": "block"
-      }
-    ],
-    "auto_detect_interface": true
-  }
-}
-```

docs/examples/fakeip.zh.md

@@ -1,106 +0,0 @@
-```json
-{
-  "dns": {
-    "servers": [
-      {
-        "tag": "google",
-        "address": "tls://8.8.8.8"
-      },
-      {
-        "tag": "local",
-        "address": "223.5.5.5",
-        "detour": "direct"
-      },
-      {
-        "tag": "remote",
-        "address": "fakeip"
-      },
-      {
-        "tag": "block",
-        "address": "rcode://success"
-      }
-    ],
-    "rules": [
-      {
-        "geosite": "category-ads-all",
-        "server": "block",
-        "disable_cache": true
-      },
-      {
-        "outbound": "any",
-        "server": "local"
-      },
-      {
-        "geosite": "cn",
-        "server": "local"
-      },
-      {
-        "query_type": [
-          "A",
-          "AAAA"
-        ],
-        "server": "remote"
-      }
-    ],
-    "fakeip": {
-      "enabled": true,
-      "inet4_range": "198.18.0.0/15",
-      "inet6_range": "fc00::/18"
-    },
-    "independent_cache": true,
-    "strategy": "ipv4_only"
-  },
-  "inbounds": [
-    {
-      "type": "tun",
-      "inet4_address": "172.19.0.1/30",
-      "auto_route": true,
-      "sniff": true,
-      "domain_strategy": "ipv4_only" // 如果您想在远程解析域，删除此行 (如果服务器程序不为 sing-box，可能由于错误的行为导致 UDP 无法使用)。
-    }
-  ],
-  "outbounds": [
-    {
-      "type": "shadowsocks",
-      "tag": "proxy",
-      "server": "mydomain.com",
-      "server_port": 8080,
-      "method": "2022-blake3-aes-128-gcm",
-      "password": "8JCsPssfgS8tiRwiMlhARg=="
-    },
-    {
-      "type": "direct",
-      "tag": "direct"
-    },
-    {
-      "type": "block",
-      "tag": "block"
-    },
-    {
-      "type": "dns",
-      "tag": "dns-out"
-    }
-  ],
-  "route": {
-    "rules": [
-      {
-        "protocol": "dns",
-        "outbound": "dns-out"
-      },
-      {
-        "geosite": "cn",
-        "geoip": [
-          "private",
-          "cn"
-        ],
-        "outbound": "direct"
-      },
-      {
-        "geosite": "category-ads-all",
-        "outbound": "block"
-      }
-    ],
-    "auto_detect_interface": true
-  }
-}
-```

docs/examples/index.md

@@ -1,11 +0,0 @@
-# Examples
-
-Configuration examples for sing-box.
-
-* [Linux Server Installation](./linux-server-installation)
-* [Tun](./tun)
-* [DNS Hijack](./dns-hijack.md)
-* [Shadowsocks](./shadowsocks)
-* [ShadowTLS](./shadowtls)
-* [Clash API](./clash-api)
-* [FakeIP](./fakeip)

docs/examples/index.zh.md

@@ -1,11 +0,0 @@
-# 示例
-
-sing-box 的配置示例。
-
-* [Linux 服务器安装](./linux-server-installation)
-* [Tun](./tun)
-* [DNS 劫持](./dns-hijack.md)
-* [Shadowsocks](./shadowsocks)
-* [ShadowTLS](./shadowtls)
-* [Clash API](./clash-api)
-* [FakeIP](./fakeip)

docs/examples/linux-server-installation.md

@@ -1,38 +0,0 @@
-#### Requirements
-
-* Linux & Systemd
-* Git
-* C compiler environment
-
-#### Install
-
-```shell
-git clone -b main https://github.com/SagerNet/sing-box
-cd sing-box
-./release/local/install_go.sh # skip if you have golang already installed
-./release/local/install.sh
-```
-
-Edit configuration file in `/usr/local/etc/sing-box/config.json`
-
-```shell
-./release/local/enable.sh
-```
-
-#### Update
-
-```shell
-./release/local/update.sh
-```
-
-#### Other commands
-
-| Operation | Command                                       |
-|-----------|-----------------------------------------------|
-| Start     | `sudo systemctl start sing-box`               |
-| Stop      | `sudo systemctl stop sing-box`                |
-| Kill      | `sudo systemctl kill sing-box`                |
-| Restart   | `sudo systemctl restart sing-box`             |
-| Logs      | `sudo journalctl -u sing-box --output cat -e` |
-| New Logs  | `sudo journalctl -u sing-box --output cat -f` |
-| Uninstall | `./release/local/uninstall.sh`                |

docs/examples/linux-server-installation.zh.md

@@ -1,38 +0,0 @@
-#### 依赖
-
-* Linux & Systemd
-* Git
-* C 编译器环境
-
-#### 安装
-
-```shell
-git clone -b main https://github.com/SagerNet/sing-box
-cd sing-box
-./release/local/install_go.sh # 如果已安装 golang 则跳过
-./release/local/install.sh
-```
-
-编辑配置文件 `/usr/local/etc/sing-box/config.json`
-
-```shell
-./release/local/enable.sh
-```
-
-#### 更新
-
-```shell
-./release/local/update.sh
-```
-
-#### 其他命令
-
-| 操作   | 命令                                            |
-|------|-----------------------------------------------|
-| 启动   | `sudo systemctl start sing-box`               |
-| 停止   | `sudo systemctl stop sing-box`                |
-| 强制停止 | `sudo systemctl kill sing-box`                |
-| 重启   | `sudo systemctl restart sing-box`             |
-| 查看日志 | `sudo journalctl -u sing-box --output cat -e` |
-| 实时日志 | `sudo journalctl -u sing-box --output cat -f` |
-| 卸载   | `./release/local/uninstall.sh`                |

docs/examples/shadowsocks.md

@@ -1,163 +0,0 @@
-# Shadowsocks
-
-!!! warning ""
-
-    For censorship bypass usage in China, we recommend using UDP over TCP and disabling UDP on the server.
-
-## Single User
-
-#### Server
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "shadowsocks",
-      "listen": "::",
-      "listen_port": 8080,
-      "network": "tcp",
-      "method": "2022-blake3-aes-128-gcm",
-      "password": "8JCsPssfgS8tiRwiMlhARg=="
-    }
-  ]
-}
-```
-
-#### Client
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "mixed",
-      "listen": "::",
-      "listen_port": 2080
-    }
-  ],
-  "outbounds": [
-    {
-      "type": "shadowsocks",
-      "server": "127.0.0.1",
-      "server_port": 8080,
-      "method": "2022-blake3-aes-128-gcm",
-      "password": "8JCsPssfgS8tiRwiMlhARg==",
-      "udp_over_tcp": true
-    }
-  ]
-}
-
-```
-
-## Multiple Users
-
-#### Server
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "shadowsocks",
-      "listen": "::",
-      "listen_port": 8080,
-      "method": "2022-blake3-aes-128-gcm",
-      "password": "8JCsPssfgS8tiRwiMlhARg==",
-      "users": [
-        {
-          "name": "sekai",
-          "password": "BXYxVUXJ9NgF7c7KPLQjkg=="
-        }
-      ]
-    }
-  ]
-}
-```
-
-#### Client
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "mixed",
-      "listen": "::",
-      "listen_port": 2080
-    }
-  ],
-  "outbounds": [
-    {
-      "type": "shadowsocks",
-      "server": "127.0.0.1",
-      "server_port": 8080,
-      "method": "2022-blake3-aes-128-gcm",
-      "password": "8JCsPssfgS8tiRwiMlhARg==:BXYxVUXJ9NgF7c7KPLQjkg=="
-    }
-  ]
-}
-
-```
-
-## Relay
-
-#### Server
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "shadowsocks",
-      "listen": "::",
-      "listen_port": 8080,
-      "method": "2022-blake3-aes-128-gcm",
-      "password": "8JCsPssfgS8tiRwiMlhARg=="
-    }
-  ]
-}
-```
-
-#### Relay
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "shadowsocks",
-      "listen": "::",
-      "listen_port": 8081,
-      "method": "2022-blake3-aes-128-gcm",
-      "password": "BXYxVUXJ9NgF7c7KPLQjkg==",
-      "destinations": [
-        {
-          "name": "my_server",
-          "password": "8JCsPssfgS8tiRwiMlhARg==",
-          "server": "127.0.0.1",
-          "server_port": 8080
-        }
-      ]
-    }
-  ]
-}
-```
-
-#### Client
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "mixed",
-      "listen": "::",
-      "listen_port": 2080
-    }
-  ],
-  "outbounds": [
-    {
-      "type": "shadowsocks",
-      "server": "127.0.0.1",
-      "server_port": 8081,
-      "method": "2022-blake3-aes-128-gcm",
-      "password": "8JCsPssfgS8tiRwiMlhARg==:BXYxVUXJ9NgF7c7KPLQjkg=="
-    }
-  ]
-}
-
-```

docs/examples/shadowtls.md

@@ -1,70 +0,0 @@
-#### Server
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "shadowtls",
-      "listen": "::",
-      "listen_port": 4443,
-      "version": 3,
-      "users": [
-        {
-          "name": "sekai",
-          "password": "8JCsPssfgS8tiRwiMlhARg=="
-        }
-      ],
-      "handshake": {
-        "server": "google.com",
-        "server_port": 443
-      },
-      "detour": "shadowsocks-in"
-    },
-    {
-      "type": "shadowsocks",
-      "tag": "shadowsocks-in",
-      "listen": "127.0.0.1",
-      "network": "tcp",
-      "method": "2022-blake3-aes-128-gcm",
-      "password": "8JCsPssfgS8tiRwiMlhARg=="
-    }
-  ]
-}
-```
-
-#### Client
-
-```json
-{
-  "outbounds": [
-    {
-      "type": "shadowsocks",
-      "method": "2022-blake3-aes-128-gcm",
-      "password": "8JCsPssfgS8tiRwiMlhARg==",
-      "detour": "shadowtls-out",
-      "multiplex": {
-        "enabled": true,
-        "max_connections": 4,
-        "min_streams": 4
-      }
-      // or "udp_over_tcp": true
-    },
-    {
-      "type": "shadowtls",
-      "tag": "shadowtls-out",
-      "server": "127.0.0.1",
-      "server_port": 4443,
-      "version": 3,
-      "password": "8JCsPssfgS8tiRwiMlhARg==",
-      "tls": {
-        "enabled": true,
-        "server_name": "google.com",
-        "utls": {
-          "enabled": true,
-          "fingerprint": "chrome"
-        }
-      }
-    }
-  ]
-}
-```

docs/examples/tun.md

@@ -1,89 +0,0 @@
-```json
-{
-  "dns": {
-    "servers": [
-      {
-        "tag": "google",
-        "address": "tls://8.8.8.8"
-      },
-      {
-        "tag": "local",
-        "address": "223.5.5.5",
-        "detour": "direct"
-      },
-      {
-        "tag": "block",
-        "address": "rcode://success"
-      }
-    ],
-    "rules": [
-      {
-        "geosite": "category-ads-all",
-        "server": "block",
-        "disable_cache": true
-      },
-      {
-        "outbound": "any",
-        "server": "local"
-      },
-      {
-        "geosite": "cn",
-        "server": "local"
-      }
-    ],
-    "strategy": "ipv4_only"
-  },
-  "inbounds": [
-    {
-      "type": "tun",
-      "inet4_address": "172.19.0.1/30",
-      "auto_route": true,
-      "strict_route": false,
-      "sniff": true
-    }
-  ],
-  "outbounds": [
-    {
-      "type": "shadowsocks",
-      "tag": "proxy",
-      "server": "mydomain.com",
-      "server_port": 8080,
-      "method": "2022-blake3-aes-128-gcm",
-      "password": "8JCsPssfgS8tiRwiMlhARg=="
-    },
-    {
-      "type": "direct",
-      "tag": "direct"
-    },
-    {
-      "type": "block",
-      "tag": "block"
-    },
-    {
-      "type": "dns",
-      "tag": "dns-out"
-    }
-  ],
-  "route": {
-    "rules": [
-      {
-        "protocol": "dns",
-        "outbound": "dns-out"
-      },
-      {
-        "geosite": "cn",
-        "geoip": [
-          "private",
-          "cn"
-        ],
-        "outbound": "direct"
-      },
-      {
-        "geosite": "category-ads-all",
-        "outbound": "block"
-      }
-    ],
-    "auto_detect_interface": true
-  }
-}
-```

docs/faq/fakeip.md

@@ -1,19 +0,0 @@
-# FakeIP
-
-FakeIP refers to a type of behavior in a program that simultaneously hijacks both DNS and connection requests. It
-responds to DNS requests with virtual results and restores mapping when accepting connections.
-
-#### Advantage
-
-*
-
-#### Limitation
-
-* Its mechanism breaks applications that depend on returning correct remote addresses.
-* Only A and AAAA (IP) requests are supported, which may break applications that rely on other requests.
-
-#### Recommendation
-
-* Enable `dns.independent_cache` unless you always resolve FakeIP domains remotely.
-* If using tun, make sure FakeIP ranges is included in the tun's routes.
-* Enable `experimental.clash_api.store_fakeip` to persist FakeIP records, or use `dns.rules.rewrite_ttl` to avoid losing records after program restart in DNS cached environments.

docs/faq/fakeip.zh.md

@@ -1,18 +0,0 @@
-# FakeIP
-
-FakeIP 是指同时劫持 DNS 和连接请求的程序中的一种行为。它通过虚拟结果响应 DNS 请求，在接受连接时恢复映射。
-
-#### 优点
-
-*
-
-#### 限制
-
-* 它的机制会破坏依赖于返回正确远程地址的应用程序。
-* 仅支持 A 和 AAAA（IP）请求，这可能会破坏依赖于其他请求的应用程序。
-
-#### 建议
-
-* 启用 `dns.independent_cache` 除非您始终远程解析 FakeIP 域。
-* 如果使用 tun，请确保 tun 路由中包含 FakeIP 地址范围。
-* 启用 `experimental.clash_api.store_fakeip` 以持久化 FakeIP 记录，或者使用 `dns.rules.rewrite_ttl` 避免程序重启后在 DNS 被缓存的环境中丢失记录。

docs/faq/index.md

@@ -1,58 +0,0 @@
-# Frequently Asked Questions (FAQ)
-
-## Design
-
-#### Why does sing-box not have feature X?
-
-Every program contains novel features and omits someone's favorite feature. sing-box is designed with an eye to the
-needs of performance, lightweight, usability, modularity, and code quality. Your favorite feature may be missing because
-it doesn't fit, because it compromises performance or design clarity, or because it's a bad idea.
-
-If it bothers you that sing-box is missing feature X, please forgive us and investigate the features that sing-box does
-have. You might find that they compensate in interesting ways for the lack of X.
-
-#### Naive outbound
-
-NaïveProxy's main function is chromium's network stack, and it makes no sense to implement only its transport protocol.
-
-#### Protocol combinations
-
-The "underlying transport" in v2ray-core is actually a combination of a number of proprietary protocols and uses the
-names of their upstream protocols, resulting in a great deal of Linguistic corruption.
-
-For example, Trojan with v2ray's proprietary gRPC protocol, called Trojan gRPC by the v2ray community, is not actually a
-protocol and has no role outside of abusing CDNs.
-
-## Tun
-
-#### What is tun?
-
-tun is a virtual network device in unix systems, and in windows there is wintun developed by WireGuard as an
-alternative. The tun module of sing-box includes traffic processing, automatic routing, and network device listening,
-and is mainly used as a transparent proxy.
-
-#### How is it different from system proxy?
-
-System proxy usually only supports TCP and is not accepted by all applications, but tun can handle all traffic.
-
-#### How is it different from traditional transparent proxy?
-
-They are usually only supported under Linux and require manipulation of firewalls like iptables, while tun only modifies
-the routing table.
-
-The tproxy UDP is considered to have poor performance due to the need to create a new connection every write back in
-v2ray and clash, but it is optimized in sing-box so you can still use it if needed.
-
-#### How does it handle DNS?
-
-In traditional transparent proxies, it is usually necessary to manually hijack port 53 to the DNS proxy server, while
-tun is more flexible.
-
-sing-box's `auto_route` will hijack all DNS requests except on [macOS and Android](./known-issues#dns).
-
-You need to manually configure how to handle tun hijacked DNS traffic, see [Hijack DNS](/examples/dns-hijack).
-
-#### Why I can't use it with other local proxies (e.g. via socks)?
-
-Tun will hijack all traffic, including other proxy applications. In order to make tun work with other applications, you
-need to create an inbound to proxy traffic from other applications or make them bypass the route.

docs/faq/index.zh.md

@@ -1,50 +0,0 @@
-# 常见问题
-
-## 设计
-
-#### 为什么 sing-box 没有功能 X？
-
-每个程序都包含新颖的功能并省略了某人最喜欢的功能。 sing-box 的设计着眼于高性能、轻量、可用性、模块化和代码质量的需求。
-您最喜欢的功能可能会丢失，因为它不适合，因为它会影响性能或设计清晰度，或者因为它是一个坏主意。
-
-如果 sing-box 缺少功能 X 让您感到困扰，请原谅我们并调查 sing-box 确实有的功能。 您可能会发现它们以有趣的方式弥补了 X 的缺失。
-
-#### Naive 出站
-
-NaïveProxy 的主要功能是 chromium 的网络栈，仅实现它的传输协议是舍本逐末的。
-
-#### 协议组合
-
-v2ray-core 中的 "底层传输协议" 实际上是一些专有协议的组合，并使用其上游协议的名称，造成了大量的语言腐败。
-
-例如，v2ray 社区将 v2ray 专有的 gRPC 协议称为 Trojan gRPC，其实并不是一个 协议，在滥用 CDN 之外没有任何作用。
-
-## Tun
-
-#### 什么是 tun？
-
-tun 是 unix 系统中的虚拟网络设备，在 windows 中有 WireGuard 开发的 wintun 作为替代。
-sing-box 的 tun 模块包括流量处理、自动路由和网络设备监听，并主要用作透明代理。
-
-#### 它与系统代理有什么不同？
-
-系统代理通常只支持 TCP，且不被所有应用程序接受，但 tun 可以处理所有流量。
-
-#### 它与传统的透明代理有什么不同？
-
-它们通常仅支持 Linux，并且需要操作防火墙像 iptables，而 tun 仅修改路由表。
-
-tproxy UDP 被认为性能很差，因为在 v2ray 和 clash 中每次回写都需要创建一个新连接，但 sing-box 进行了优化，因此您仍然可以在需要时使用它。
-
-#### 它如何处理 DNS？
-
-在传统的透明代理中，通常需要手动劫持 53 端口到 DNS 代理服务器，而 tun 更灵活。
-
-sing-box 的 `auto_route` 将劫持所有 DNS 请求，除了 [特殊情况](./known-issues#dns)。
-
-您需要手动配置以处理 tun 劫持的 DNS 流量，请参阅 [DNS劫持](/zh/examples/dns-hijack)。
-
-#### 为什么我不能将它与其他本地代理一起使用（例如通过 socks）？
-
-tun 将劫持所有流量，包括其他代理应用程序。
-为了使 tun 与其他应用程序一起工作，您需要创建入站以代理来自其他程序的流量或让它们绕过路由。

docs/faq/known-issues.md

@@ -1,20 +0,0 @@
-#### DNS
-
-##### on macOS
-
-`auto-route` cannot automatically hijack DNS requests sent to the LAN, so it's need to manually set DNS to servers on
-the public internet.
-
-##### on Android
-
-`auto-route` cannot automatically hijack DNS requests when Android's `Private DNS` enabled or `strict_route` disabled.
-
-#### System proxy
-
-##### on Linux
-
-Usually only browsers and GNOME applications accept GNOME proxy settings.
-
-##### on Android
-
-With the system proxy enabled, some applications will error out (usually from China).

docs/faq/known-issues.zh.md

@@ -1,19 +0,0 @@
-#### DNS
-
-##### macOS
-
-`auto-route` 无法自动劫持发往局域网的 DNS 请求，需要手动设置位于公网的 DNS 服务器。
-
-##### Android
-
-`auto-route` 无法自动劫持 DNS 请求如果 `私人 DNS` 开启或 `strict_route` 禁用。
-
-#### 系统代理
-
-##### Linux
-
-通常只有浏览器和 GNOME 应用程序接受 GNOME 代理设置。
-
-##### Android
-
-启用系统代理后，某些应用程序会出错（通常来自中国）。

docs/features.md

@@ -1,121 +0,0 @@
-#### Server
-
-| Feature                                                    | v2ray-core | clash |
-|------------------------------------------------------------|------------|-------|
-| Direct inbound                                             | ✔          | X     |
-| SOCKS4a inbound                                            | ✔          | X     |
-| Mixed (http/socks) inbound                                 | X          | ✔     |
-| Shadowsocks AEAD 2022 single-user/multi-user/relay inbound | X          | X     |
-| VMess/Trojan inbound                                       | ✔          | X     |
-| Naive/Hysteria inbound                                     | X          | X     |
-| Resolve incoming domain names using custom policy          | X          | X     |
-| Set system proxy on Windows/Linux/macOS/Android            | X          | X     |
-| TLS certificate auto reload                                | X          | X     |
-| TLS ACME certificate issuer                                | X          | X     |
-
-#### Client
-
-| Feature                                                | v2ray-core                         | clash    |
-|--------------------------------------------------------|------------------------------------|----------|
-| Set upstream client (proxy chain)                      | TCP only, and has poor performance | TCP only |
-| Bind to network interface                              | Linux only                         | ✔        |
-| Custom dns strategy for resolving server address       | X                                  | X        |
-| Fast fallback (RFC 6555) support for connect to server | X                                  | X        |
-| SOCKS4/4a outbound                                     | added by me                        | X        |
-| Shadowsocks AEAD 2022 outbound                         | X                                  | X        |
-| Shadowsocks UDP over TCP                               | X                                  | X        |
-| Multiplex (smux/yamux)                                 | mux.cool                           | X        |
-| Tor/WireGuard/Hysteria outbound                        | X                                  | X        |
-| Selector outbound and Clash API                        | X                                  | ✔        |
-
-#### Sniffing
-
-| Protocol         | v2ray-core  | clash-premium |
-|------------------|-------------|---------------|
-| HTTP Host        | ✔           | X             |
-| QUIC ClientHello | added by me | added by me   |
-| STUN             | X           | X             |
-
-| Feature                                 | v2ray-core                | clash-premium |
-|-----------------------------------------|---------------------------|---------------|
-| For routing only                        | added by me               | X             |
-| No performance impact (like TCP splice) | no general splice support | X             |
-| Set separately for each server          | ✔                         | X             |
-
-#### Routing
-
-| Feature                    | v2ray-core | clash-premium |
-|----------------------------|------------|---------------|
-| Auto detect interface      | X          | tun only      |
-| Set default interface name | X          | tun only      |
-| Set default firewall mark  | X          | X             |
-
-#### Routing Rule
-
-| Rule                 | v2ray-core                 | clash |
-|----------------------|----------------------------|-------|
-| Inbound              | ✔                          | X     |
-| IP Version           | X                          | X     |
-| User from inbound    | vmess and shadowsocks only | X     |
-| Sniffed protocol     | ✔                          | X     |
-| GeoSite              | ✔                          | X     |
-| Process name         | X                          | ✔     |
-| Android package name | X                          | X     |
-| Linux user/user id   | X                          | X     |
-| Invert rule          | X                          | X     |
-| Logical rule         | X                          | X     |
-
-#### DNS
-
-| Feature                            | v2ray-core  | clash |
-|------------------------------------|-------------|-------|
-| DNS proxy                          | A/AAAA only | ✔     |
-| DNS cache                          | A/AAAA only | X     |
-| DNS routing                        | X           | X     |
-| DNS Over QUIC                      | ✔           | X     |
-| DNS Over HTTP3                     | X           | X     |
-| Fake dns response with custom code | X           | X     |
-
-#### Tun
-
-| Feature                                   | clash-premium |
-|-------------------------------------------|---------------|
-| Full IPv6 support                         | X             |
-| Auto route on Linux/Windows/macOS/Android | ✔             |
-| Embed windows driver                      | X             |
-| Custom address/mtu                        | X             |
-| Limit uid (Linux) in routing              | X             |
-| Limit android user in routing             | X             |
-| Limit android package in routing          | X             |
-
-#### Memory usage
-
-| GeoSite code      | sing-box | v2ray-core |
-|-------------------|----------|------------|
-| cn                | 17.8M    | 140.3M     |
-| cn (Loyalsoldier) | 74.3M    | 246.7M     |
-
-#### Benchmark
-
-##### Shadowsocks
-
-| /                                  |   none    | aes-128-gcm | 2022-blake3-aes-128-gcm |
-|------------------------------------|:---------:|:-----------:|:-----------------------:|
-| v2ray-core (5.0.7)                 | 13.0 Gbps |  5.02 Gbps  |            /            |
-| shadowsocks-rust (v1.15.0-alpha.5) | 10.7 Gbps |      /      |        9.36 Gbps        |
-| sing-box                           | 29.0 Gbps |      /      |        11.8 Gbps        |
-
-##### VMess
-
-| /                  |    TCP    |   HTTP    |  H2 TLS   | WebSocket TLS | gRPC TLS  |
-|--------------------|:---------:|:---------:|:---------:|:-------------:|:---------:|
-| v2ray-core (5.1.0) | 7.86 GBps | 2.86 Gbps | 1.83 Gbps |   2.36 Gbps   | 2.43 Gbps |
-| sing-box           | 7.96 Gbps | 8.09 Gbps | 6.11 Gbps |   8.02 Gbps   | 6.35 Gbps |
-
-#### License
-
-| /          | License                           |
-|------------|-----------------------------------|
-| sing-box   | GPLv3 or later (Full open-source) |
-| v2ray-core | MIT (Full open-source)            |
-| clash      | GPLv3                             |

docs/index.md

@@ -2,7 +2,7 @@
 description: Welcome to the wiki page for the sing-box project.
 ---
 
-# Home
+# :material-home: Home
 
 Welcome to the wiki page for the sing-box project.
 

docs/index.zh.md

@@ -2,7 +2,7 @@
 description: 欢迎来到该 sing-box 项目的文档页。
 ---
 
-# 开始
+# :material-home: 开始
 
 欢迎来到该 sing-box 项目的文档页。
 

docs/installation/build-from-source.md

@@ -0,0 +1,63 @@
+---
+icon: material/file-code
+---
+
+# Build from source
+
+## :material-graph: Requirements
+
+Before sing-box 1.4.0:
+
+* Go 1.18.5 - 1.20.x
+
+Since sing-box 1.4.0:
+
+* Go 1.18.5 - ~
+* Go 1.20.0 - ~ if `with_quic` tag enabled
+
+You can download and install Go from: https://go.dev/doc/install, latest version is recommended.
+
+## :material-fast-forward: Simple Build
+
+```bash
+make
+```
+
+Or build and install binary to `GOBIN`:
+
+```bash
+make install
+```
+
+## :material-cog: Custom Build
+
+```bash
+TAGS="tag_a tag_b" make
+```
+
+or
+
+```bash
+go build -tags "tag_a tag_b" ./cmd/sing-box
+```
+
+## :material-folder-settings: Build Tags
+
+| Build Tag                          | Enabled by default | Description                                                                                                                                                                                                                                                                                                                |
+|------------------------------------|--------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `with_quic`                        | ✔                  | Build with QUIC support, see [QUIC and HTTP3 DNS transports](/configuration/dns/server), [Naive inbound](/configuration/inbound/naive), [Hysteria Inbound](/configuration/inbound/hysteria), [Hysteria Outbound](/configuration/outbound/hysteria) and [V2Ray Transport#QUIC](/configuration/shared/v2ray-transport#quic). |
+| `with_grpc`                        | ✖️                 | Build with standard gRPC support, see [V2Ray Transport#gRPC](/configuration/shared/v2ray-transport#grpc).                                                                                                                                                                                                                  |
+| `with_dhcp`                        | ✔                  | Build with DHCP support, see [DHCP DNS transport](/configuration/dns/server).                                                                                                                                                                                                                                              |
+| `with_wireguard`                   | ✔                  | Build with WireGuard support, see [WireGuard outbound](/configuration/outbound/wireguard).                                                                                                                                                                                                                                 |
+| `with_ech`                         | ✔                  | Build with TLS ECH extension support for TLS outbound, see [TLS](/configuration/shared/tls#ech).                                                                                                                                                                                                                           |
+| `with_utls`                        | ✔                  | Build with [uTLS](https://github.com/refraction-networking/utls) support for TLS outbound, see [TLS](/configuration/shared/tls#utls).                                                                                                                                                                                      |
+| `with_reality_server`              | ✔                  | Build with reality TLS server support,  see [TLS](/configuration/shared/tls).                                                                                                                                                                                                                                              |
+| `with_acme`                        | ✔                  | Build with ACME TLS certificate issuer support, see [TLS](/configuration/shared/tls).                                                                                                                                                                                                                                      |
+| `with_clash_api`                   | ✔                  | Build with Clash API support, see [Experimental](/configuration/experimental#clash-api-fields).                                                                                                                                                                                                                            |
+| `with_v2ray_api`                   | ✖️                 | Build with V2Ray API support, see [Experimental](/configuration/experimental#v2ray-api-fields).                                                                                                                                                                                                                            |
+| `with_gvisor`                      | ✔                  | Build with gVisor support, see [Tun inbound](/configuration/inbound/tun#stack) and [WireGuard outbound](/configuration/outbound/wireguard#system_interface).                                                                                                                                                               |
+| `with_embedded_tor` (CGO required) | ✖️                 | Build with embedded Tor support, see [Tor outbound](/configuration/outbound/tor).                                                                                                                                                                                                                                          |
+| `with_lwip` (CGO required)         | ✖️                 | Build with LWIP Tun stack support, see [Tun inbound](/configuration/inbound/tun#stack).                                                                                                                                                                                                                                    |
+
+
+It is not recommended to change the default build tag list unless you really know what you are adding.

docs/installation/clients/sfa.md

@@ -1,23 +0,0 @@
-# SFA
-
-Experimental Android client for sing-box.
-
-#### Requirements
-
-* Android 5.0+
-
-#### Download
-
-* [Play Store](https://play.google.com/store/apps/details?id=io.nekohasekai.sfa)
-* [Github Releases](https://github.com/SagerNet/sing-box/releases)
-
-#### Note
-
-* User Agent in remote profile request is `SFA/$version ($version_code; sing-box $sing_box_version)`
-* The working directory is located at `/sdcard/Android/data/io.nekohasekai.sfa/files` (External files directory)
-* Crash logs is located in `$working_directory/stderr.log`
-
-#### Privacy policy
-
-* SFA did not collect or share personal data.
-* The data generated by the software is always on your device.

docs/installation/clients/sfa.zh.md

@@ -1,23 +0,0 @@
-# SFA
-
-实验性的 Android sing-box 客户端。
-
-#### 要求
-
-* Android 5.0+
-
-#### 下载
-
-* [AppCenter](https://install.appcenter.ms/users/nekohasekai/apps/sfa/distribution_groups/publictest)
-* [Github Releases](https://github.com/SagerNet/sing-box/releases)
-
-#### 注意事项
-
-* 远程配置文件请求中的 User Agent 为 `SFA/$version ($version_code; sing-box $sing_box_version)`
-* 工作目录位于 `/sdcard/Android/data/io.nekohasekai.sfa/files` (外部文件目录)
-* 崩溃日志位于 `$working_directory/stderr.log`
-
-#### 隐私政策
-
-* SFA 不收集或共享个人数据。
-* 软件生成的数据始终在您的设备上。

docs/installation/clients/sfi.md

@@ -1,23 +0,0 @@
-# SFI
-
-Experimental iOS client for sing-box.
-
-#### Requirements
-
-* iOS 15.0+
-* An Apple account outside of mainland China
-
-#### Download
-
-* [AppStore](https://apps.apple.com/us/app/sing-box/id6451272673)
-* [TestFlight](https://testflight.apple.com/join/AcqO44FH)
-
-#### Note
-
-* User Agent in remote profile request is `SFI/$version ($version_code; sing-box $sing_box_version)`
-* Crash logs is located in `Settings` -> `View Service Log`
-
-#### Privacy policy
-
-* SFI did not collect or share personal data.
-* The data generated by the software is always on your device.

docs/installation/clients/sfi.zh.md

@@ -1,23 +0,0 @@
-# SFI
-
-实验性的 iOS sing-box 客户端。
-
-#### 要求
-
-* iOS 15.0+
-* 一个非中国大陆地区的 Apple 账号
-
-#### 下载
-
-* [AppStore](https://apps.apple.com/us/app/sing-box/id6451272673)
-* [TestFlight](https://testflight.apple.com/join/AcqO44FH)
-
-#### 注意事项
-
-* 远程配置文件请求中的 User Agent 为 `SFI/$version ($version_code; sing-box $sing_box_version)`
-* 崩溃日志位于 `Settings` -> `View Service Log`
-
-#### 隐私政策
-
-* SFI 不收集或共享个人数据。
-* 软件生成的数据始终在您的设备上。

docs/installation/clients/sfm.md

@@ -1,29 +0,0 @@
-# SFM
-
-Experimental macOS client for sing-box.
-
-#### Requirements
-
-* macOS 13.0+
-* An Apple account outside of mainland China (App Store Version)
-
-#### Download (App Store Version)
-
-* [AppStore](https://apps.apple.com/us/app/sing-box/id6451272673)
-* [TestFlight](https://testflight.apple.com/join/AcqO44FH)
-
-#### Download (Independent Version)
-
-* [GitHub Release](https://github.com/SagerNet/sing-box/releases/latest)
-* Homebrew (Cask): `brew install sfm`
-* Homebrew (Tap): `brew tap sagernet/sing-box && brew install sagernet/sing-box/sfm`
-
-#### Note
-
-* User Agent in remote profile request is `SFM/$version ($version_code; sing-box $sing_box_version)`
-* Crash logs is located in `Settings` -> `View Service Log`
-
-#### Privacy policy
-
-* SFM did not collect or share personal data.
-* The data generated by the software is always on your device.

docs/installation/clients/sfm.zh.md

@@ -1,29 +0,0 @@
-# SFM
-
-实验性的 macOS sing-box 客户端。
-
-#### 要求
-
-* macOS 13.0+
-* 一个非中国大陆地区的 Apple 账号 (商店版本)
-
-#### 下载 (商店版本)
-
-* [AppStore](https://apps.apple.com/us/app/sing-box/id6451272673)
-* [TestFlight](https://testflight.apple.com/join/AcqO44FH)
-
-#### 下载 (独立版本)
-
-* [GitHub Release](https://github.com/SagerNet/sing-box/releases/latest)
-* Homebrew (Cask): `brew install sfm`
-* Homebrew (Tap): `brew tap sagernet/sing-box && brew install sagernet/sing-box/sfm`
-
-#### 注意事项
-
-* 远程配置文件请求中的 User Agent 为 `SFM/$version ($version_code; sing-box $sing_box_version)`
-* 崩溃日志位于 `Settings` -> `View Service Log`
-
-#### 隐私政策
-
-* SFM 不收集或共享个人数据。
-* 软件生成的数据始终在您的设备上。

docs/installation/clients/sft.md

@@ -1,30 +0,0 @@
-# SFT
-
-Experimental Apple tvOS client for sing-box.
-
-#### Requirements
-
-* tvOS 17.0+
-
-#### Download
-
-* [AppStore](https://apps.apple.com/us/app/sing-box/id6451272673)
-* [TestFlight](https://testflight.apple.com/join/AcqO44FH)
-
-#### Features
-
-Full functionality, except for:
-
-* Only remote configuration files can be created manually
-* You need to update SFI to the latest version to import profiles from iPhone/iPad
-* No iCloud profile support
-
-#### Note
-
-* User Agent in remote profile request is `SFT/$version ($version_code; sing-box $sing_box_version)`
-* Crash logs is located in `Settings` -> `View Service Log`
-
-#### Privacy policy
-
-* SFT did not collect or share personal data.
-* The data generated by the software is always on your device.

docs/installation/clients/sft.zh.md

@@ -1,31 +0,0 @@
-# SFI
-
-实验性的 Apple tvOS sing-box 客户端。
-
-#### 要求
-
-* tvOS 17.0+
-* 一个非中国大陆地区的 Apple 账号
-
-#### 下载
-
-* [AppStore](https://apps.apple.com/us/app/sing-box/id6451272673)
-* [TestFlight](https://testflight.apple.com/join/AcqO44FH)
-
-#### 特性
-
-完整的功能，除了：
-
-* 只能手动创建远程配置文件
-* 您需要将 SFI 更新到最新版本才能从 iPhone/iPad 导入配置文件
-* 没有 iCloud 配置文件支持
-
-#### 注意事项
-
-* 远程配置文件请求中的 User Agent 为 `SFT/$version ($version_code; sing-box $sing_box_version)`
-* 崩溃日志位于 `Settings` -> `View Service Log`
-
-#### 隐私政策
-
-* SFT 不收集或共享个人数据。
-* 软件生成的数据始终在您的设备上。

docs/installation/clients/specification.md

@@ -1,25 +0,0 @@
-# Specification
-
-## Profile
-
-Profile defines a sing-box configuration with metadata in a GUI client.
-
-## Profile Types
-
-### Local
-
-Create a empty configuration or import from a local file.
-
-### iCloud (on Apple platforms)
-
-Create a new configuration or use an existing configuration on iCloud. 
-
-### Remote
-
-Use a remote URL as the configuration source, with HTTP basic authentication and automatic update support.
-
-#### URL specification
-
-```
-sing-box://import-remote-profile?url=urlEncodedURL#urlEncodedName
-```

docs/installation/docker.md

@@ -0,0 +1,31 @@
+---
+icon: material/docker
+---
+
+# Docker
+
+## :material-console: Command
+
+```bash
+docker run -d \
+  -v /etc/sing-box:/etc/sing-box/ \
+  --name=sing-box \
+  --restart=always \
+  ghcr.io/sagernet/sing-box \
+  -D /var/lib/sing-box \
+  -C /etc/sing-box/ run
+```
+
+## :material-box-shadow: Compose
+
+```yaml
+version: "3.8"
+services:
+  sing-box:
+    image: ghcr.io/sagernet/sing-box
+    container_name: sing-box
+    restart: always
+    volumes:
+      - /etc/sing-box:/etc/sing-box/
+    command: -D /var/lib/sing-box -C /etc/sing-box/ run
+```

docs/installation/from-source.md

@@ -1,50 +0,0 @@
-# Install from source
-
-## Requirements
-
-Before sing-box 1.4.0:
-
-* Go 1.18.5 - 1.20.x
-
-Since sing-box 1.4.0:
-
-* Go 1.18.5 - ~
-* Go 1.20.0 - ~ if `with_quic` tag enabled
-
-## Installation
-
-```bash
-go install -v github.com/sagernet/sing-box/cmd/sing-box@latest
-```
-
-Install with options:
-
-```bash
-go install -v -tags with_quic,with_wireguard github.com/sagernet/sing-box/cmd/sing-box@latest
-```
-
-| Build Tag                          | Description                                                                                                                                                                                                                                                                                                                |
-|------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `with_quic`                        | Build with QUIC support, see [QUIC and HTTP3 DNS transports](/configuration/dns/server), [Naive inbound](/configuration/inbound/naive), [Hysteria Inbound](/configuration/inbound/hysteria), [Hysteria Outbound](/configuration/outbound/hysteria) and [V2Ray Transport#QUIC](/configuration/shared/v2ray-transport#quic). |
-| `with_grpc`                        | Build with standard gRPC support, see [V2Ray Transport#gRPC](/configuration/shared/v2ray-transport#grpc).                                                                                                                                                                                                                  |
-| `with_dhcp`                        | Build with DHCP support, see [DHCP DNS transport](/configuration/dns/server).                                                                                                                                                                                                                                              |
-| `with_wireguard`                   | Build with WireGuard support, see [WireGuard outbound](/configuration/outbound/wireguard).                                                                                                                                                                                                                                 |
-| `with_shadowsocksr`                | Build with ShadowsocksR support, see [ShadowsocksR outbound](/configuration/outbound/shadowsocksr).                                                                                                                                                                                                                        |
-| `with_ech`                         | Build with TLS ECH extension support for TLS outbound, see [TLS](/configuration/shared/tls#ech).                                                                                                                                                                                                                           |
-| `with_utls`                        | Build with [uTLS](https://github.com/refraction-networking/utls) support for TLS outbound, see [TLS](/configuration/shared/tls#utls).                                                                                                                                                                                      |
-| `with_reality_server`              | Build with reality TLS server support,  see [TLS](/configuration/shared/tls).                                                                                                                                                                                                                                              |
-| `with_acme`                        | Build with ACME TLS certificate issuer support, see [TLS](/configuration/shared/tls).                                                                                                                                                                                                                                      |
-| `with_clash_api`                   | Build with Clash API support, see [Experimental](/configuration/experimental#clash-api-fields).                                                                                                                                                                                                                            |
-| `with_v2ray_api`                   | Build with V2Ray API support, see [Experimental](/configuration/experimental#v2ray-api-fields).                                                                                                                                                                                                                            |
-| `with_gvisor`                      | Build with gVisor support, see [Tun inbound](/configuration/inbound/tun#stack) and [WireGuard outbound](/configuration/outbound/wireguard#system_interface).                                                                                                                                                               |
-| `with_embedded_tor` (CGO required) | Build with embedded Tor support, see [Tor outbound](/configuration/outbound/tor).                                                                                                                                                                                                                                          |
-| `with_lwip` (CGO required)         | Build with LWIP Tun stack support, see [Tun inbound](/configuration/inbound/tun#stack).                                                                                                                                                                                                                                    |
-
-The binary is built under $GOPATH/bin
-
-```bash
-sing-box version
-```
-
-It is also recommended to use systemd to manage sing-box service,
-see [Linux server installation example](/examples/linux-server-installation).

docs/installation/from-source.zh.md

@@ -1,39 +0,0 @@
-# 从源代码安装
-
-sing-box 需要 Golang **1.18.5** 或更高版本。
-
-```bash
-go install -v github.com/sagernet/sing-box/cmd/sing-box@latest
-```
-
-自定义安装：
-
-```bash
-go install -v -tags with_clash_api github.com/sagernet/sing-box/cmd/sing-box@latest
-```
-
-| 构建标志                         | 描述                                                                                                                                                                                                                                                                      |
-|------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `with_quic`                  | 启用 QUIC 支持，参阅 [QUIC 和 HTTP3 DNS 传输层](/configuration/dns/server)，[Naive 入站](/configuration/inbound/naive)，[Hysteria 入站](/configuration/inbound/hysteria)，[Hysteria 出站](/configuration/outbound/hysteria) 和 [V2Ray 传输层#QUIC](/configuration/shared/v2ray-transport#quic)。 |
-| `with_grpc`                  | 启用标准 gRPC 支持，参阅 [V2Ray 传输层#gRPC](/configuration/shared/v2ray-transport#grpc)。                                                                                                                                                                                           |
-| `with_dhcp`                  | 启用 DHCP 支持，参阅 [DHCP DNS 传输层](/configuration/dns/server)。                                                                                                                                                                                                                |
-| `with_wireguard`             | 启用 WireGuard 支持，参阅 [WireGuard 出站](/configuration/outbound/wireguard)。                                                                                                                                                                                                   |
-| `with_shadowsocksr`          | 启用 ShadowsocksR 支持，参阅 [ShadowsocksR 出站](/configuration/outbound/shadowsocksr)。                                                                                                                                                                                          |
-| `with_ech`                   | 启用 TLS ECH 扩展支持，参阅 [TLS](/configuration/shared/tls#ech)。                                                                                                                                                                                                                |
-| `with_utls`                  | 启用 [uTLS](https://github.com/refraction-networking/utls) 支持，参阅 [TLS](/configuration/shared/tls#utls)。                                                                                                                                                                   |
-| `with_reality_server`        | 启用 reality TLS 服务器支持，参阅 [TLS](/configuration/shared/tls)。                                                                                                                                                                                                               |
-| `with_acme`                  | 启用 ACME TLS 证书签发支持，参阅 [TLS](/configuration/shared/tls)。                                                                                                                                                                                                                 |
-| `with_clash_api`             | 启用 Clash API 支持，参阅 [实验性](/configuration/experimental#clash-api-fields)。                                                                                                                                                                                                 |
-| `with_v2ray_api`             | 启用 V2Ray API 支持，参阅 [实验性](/configuration/experimental#v2ray-api-fields)。                                                                                                                                                                                                 |
-| `with_gvisor`                | 启用 gVisor 支持，参阅 [Tun 入站](/configuration/inbound/tun#stack) 和 [WireGuard 出站](/configuration/outbound/wireguard#system_interface)。                                                                                                                                        |
-| `with_embedded_tor` (需要 CGO) | 启用 嵌入式 Tor 支持，参阅 [Tor 出站](/configuration/outbound/tor)。                                                                                                                                                                                                                 |
-| `with_lwip` (需要 CGO)         | 启用 LWIP Tun 栈支持，参阅 [Tun 入站](/configuration/inbound/tun#stack)。                                                                                                                                                                                                          |
-
-二进制文件将被构建在 `$GOPATH/bin` 下。
-
-```bash
-sing-box version
-```
-
-同时推荐使用 systemd 来管理 sing-box 服务器实例。
-参阅 [Linux 服务器安装示例](/examples/linux-server-installation)。

docs/installation/package-manager.md

@@ -0,0 +1,90 @@
+---
+icon: material/package
+---
+
+# Package Manager
+
+## :material-download-box: Manual Installation
+
+=== ":material-debian: Debian / DEB"
+
+    ```bash
+    bash <(curl -fsSL https://sing-box.app/deb-install.sh)
+    ```
+
+=== ":material-redhat: Redhat / RPM"
+
+    ```bash
+    bash <(curl -fsSL https://sing-box.app/rpm-install.sh)
+    ```
+
+=== ":simple-archlinux: Archlinux / PKG"
+
+    ```bash
+    bash <(curl -fsSL https://sing-box.app/arch-install.sh)
+    ```
+
+## :material-book-lock-open: Managed Installation
+
+=== ":material-linux: Linux"
+
+    | Type     | Platform           | Link                | Command                      | Actively maintained |
+    |----------|--------------------|---------------------|------------------------------|---------------------|
+    | AUR      | (Linux) Arch Linux | [sing-box][aur] ᴬᵁᴿ | `? -S sing-box`              | :material-check:    |
+    | nixpkgs  | (Linux) NixOS      | [sing-box][nixpkgs] | `nix-env -iA nixos.sing-box` | :material-check:    |
+    | Homebrew | macOS / Linux      | [sing-box][brew]    | `brew install sing-box`      | :material-check:    |
+    | Alpine   | (Linux) Alpine     | [sing-box][alpine]  | `apk add sing-box`           | :material-alert:    |
+
+=== ":material-apple: macOS"
+
+    | Type     | Platform      | Link             | Command                 | Actively maintained |
+    |----------|---------------|------------------|-------------------------|---------------------|
+    | Homebrew | macOS / Linux | [sing-box][brew] | `brew install sing-box` | :material-check:    |
+
+=== ":material-microsoft-windows: Windows"
+
+    | Type       | Platform           | Link                | Command                      | Actively maintained |
+    |------------|--------------------|---------------------|------------------------------|---------------------|
+    | Scoop      | Windows            | [sing-box][scoop]   | `scoop install sing-box`     | :material-check:    |
+    | Chocolatey | Windows            | [sing-box][choco]   | `choco install sing-box`     | :material-check:    |
+    | winget     | Windows            | [sing-box][winget]  | `winget install sing-box`    | :material-alert:    |
+
+=== ":material-android: Android"
+
+    | Type       | Platform           | Link                | Command                      | Actively maintained |
+    |------------|--------------------|---------------------|------------------------------|---------------------|
+    | Termux     | Android            | [sing-box][termux]  | `pkg add sing-box`           | :material-check:    |
+
+## :material-book-multiple: Service Management
+
+For Linux systems with [systemd][systemd], usually the installation already includes a sing-box service,
+you can manage the service using the following command:
+
+| Operation | Command                                       |
+|-----------|-----------------------------------------------|
+| Enable    | `sudo systemctl enable sing-box`              |
+| Disable   | `sudo systemctl disable sing-box`             |
+| Start     | `sudo systemctl start sing-box`               |
+| Stop      | `sudo systemctl stop sing-box`                |
+| Kill      | `sudo systemctl kill sing-box`                |
+| Restart   | `sudo systemctl restart sing-box`             |
+| Logs      | `sudo journalctl -u sing-box --output cat -e` |
+| New Logs  | `sudo journalctl -u sing-box --output cat -f` |
+
+[alpine]: https://pkgs.alpinelinux.org/packages?name=sing-box
+
+[aur]: https://aur.archlinux.org/packages/sing-box
+
+[nixpkgs]: https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/tools/networking/sing-box/default.nix
+
+[termux]: https://github.com/termux/termux-packages/tree/master/packages/sing-box
+
+[brew]: https://formulae.brew.sh/formula/sing-box
+
+[choco]: https://chocolatey.org/packages/sing-box
+
+[scoop]: https://github.com/ScoopInstaller/Main/blob/master/bucket/sing-box.json
+
+[winget]: https://github.com/microsoft/winget-pkgs/tree/master/manifests/s/SagerNet/sing-box
+
+[systemd]: https://systemd.io/

docs/installation/package-manager/android.md

@@ -1,7 +0,0 @@
-# Android
-
-## Termux
-
-```shell
-pkg add sing-box
-```

docs/installation/package-manager/macOS.md

@@ -1,14 +0,0 @@
-# macOS
-
-## Homebrew (core)
-
-```shell
-brew install sing-box
-```
-
-## Homebrew (Tap)
-
-```shell
-brew tap sagernet/sing-box
-brew install sagernet/sing-box/sing-box
-```

docs/installation/package-manager/windows.md

@@ -1,13 +0,0 @@
-# Windows
-
-## Chocolatey
-
-```shell
-choco install sing-box
-```
-
-## winget
-
-```shell
-winget install sing-box
-```

docs/installation/scripts/arch-install.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -e -o pipefail
+
+ARCH_RAW=$(uname -m)
+case "${ARCH_RAW}" in
+    'x86_64')    ARCH='amd64';;
+    'x86' | 'i686' | 'i386')     ARCH='386';;
+    'aarch64' | 'arm64') ARCH='arm64';;
+    'armv7l')   ARCH='armv7';;
+    's390x')    ARCH='s390x';;
+    *)          echo "Unsupported architecture: ${ARCH_RAW}"; exit 1;;
+esac
+
+VERSION=$(curl -s https://api.github.com/repos/SagerNet/sing-box/releases/latest \
+    | grep tag_name \
+    | cut -d ":" -f2 \
+    | sed 's/\"//g;s/\,//g;s/\ //g;s/v//')
+
+curl -Lo sing-box.pkg.tar.zst "https://github.com/SagerNet/sing-box/releases/download/v${VERSION}/sing-box_${VERSION}_linux_${ARCH}.pkg.tar.zst"
+sudo pacman -U sing-box.pkg.tar.zst
+rm sing-box.pkg.tar.zst

docs/installation/scripts/deb-install.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+set -e -o pipefail
+
+ARCH_RAW=$(uname -m)
+case "${ARCH_RAW}" in
+    'x86_64')    ARCH='amd64';;
+    'x86' | 'i686' | 'i386')     ARCH='386';;
+    'aarch64' | 'arm64') ARCH='arm64';;
+    'armv7l')   ARCH='armv7';;
+    's390x')    ARCH='s390x';;
+    *)          echo "Unsupported architecture: ${ARCH_RAW}"; exit 1;;
+esac
+
+VERSION=$(curl -s https://api.github.com/repos/SagerNet/sing-box/releases/latest \
+    | grep tag_name \
+    | cut -d ":" -f2 \
+    | sed 's/\"//g;s/\,//g;s/\ //g;s/v//')
+
+curl -Lo sing-box.deb "https://github.com/SagerNet/sing-box/releases/download/v${VERSION}/sing-box_${VERSION}_linux_${ARCH}.deb"
+sudo dpkg -i sing-box.deb
+rm sing-box.deb
+

docs/installation/scripts/rpm-install.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -e -o pipefail
+
+ARCH_RAW=$(uname -m)
+case "${ARCH_RAW}" in
+    'x86_64')    ARCH='amd64';;
+    'x86' | 'i686' | 'i386')     ARCH='386';;
+    'aarch64' | 'arm64') ARCH='arm64';;
+    'armv7l')   ARCH='armv7';;
+    's390x')    ARCH='s390x';;
+    *)          echo "Unsupported architecture: ${ARCH_RAW}"; exit 1;;
+esac
+
+VERSION=$(curl -s https://api.github.com/repos/SagerNet/sing-box/releases/latest \
+    | grep tag_name \
+    | cut -d ":" -f2 \
+    | sed 's/\"//g;s/\,//g;s/\ //g;s/v//')
+
+curl -Lo sing-box.rpm "https://github.com/SagerNet/sing-box/releases/download/v${VERSION}/sing-box_${VERSION}_linux_${ARCH}.rpm"
+sudo rpm -i sing-box.rpm
+rm sing-box.rpm

docs/manual/proxy-protocol/hysteria2.md

@@ -0,0 +1,211 @@
+---
+icon: material/lightning-bolt
+---
+
+# Hysteria 2
+
+The most popular Chinese-made simple protocol based on QUIC, the selling point is Brutal,
+a congestion control algorithm that can resist packet loss by manually specifying the required rate by the user.
+
+!!! warning
+
+    Even though GFW rarely blocks UDP-based proxies, such protocols actually have far more characteristics than TCP based proxies.
+
+| Specification                                                             | Binary Characteristics | Active Detect Hiddenness |
+|---------------------------------------------------------------------------|------------------------|--------------------------|
+| [hysteria.network](https://v2.hysteria.network/docs/developers/Protocol/) | :material-alert:       | :material-check:         |
+
+## :material-text-box-check: Password Generator
+
+| Generate Password          | Action                                                          |
+|----------------------------|-----------------------------------------------------------------|
+| <code id="password"><code> | <button class="md-button" onclick="generate()">Refresh</button> |
+
+<script>
+    function generate() {
+        const array = new Uint8Array(16);
+        window.crypto.getRandomValues(array);
+        document.getElementById("password").textContent = btoa(String.fromCharCode.apply(null, array));
+    }
+    generate();
+</script>
+
+## :material-alert: Difference from official Hysteria
+
+The official program supports an authentication method called **userpass**,
+which essentially uses a combination of `<username>:<password>` as the actual password,
+while sing-box does not provide this alias.
+To use sing-box with the official program, you need to fill in that combination as the actual password.
+
+## :material-server: Server Example
+
+!!! info ""
+
+    Replace `up_mbps` and `down_mbps` values with the actual bandwidth of your server.
+
+=== ":material-harddisk: With local certificate"
+    
+    ```json
+     {
+      "inbounds": [
+        {
+          "type": "hysteria2",
+          "listen": "::",
+          "listen_port": 8080,
+          "up_mbps": 100,
+          "down_mbps": 100,
+          "users": [
+            {
+              "name": "sekai",
+              "password": "<password>"
+            }
+          ],
+          "tls": {
+            "enabled": true,
+            "server_name": "example.org",
+            "key_path": "/path/to/key.pem",
+            "certificate_path": "/path/to/certificate.pem"
+          }
+        }
+      ]
+    }
+    ```
+
+=== ":material-auto-fix: With ACME"
+
+    ```json
+     {
+      "inbounds": [
+        {
+          "type": "hysteria2",
+          "listen": "::",
+          "listen_port": 8080,
+          "up_mbps": 100,
+          "down_mbps": 100,
+          "users": [
+            {
+              "name": "sekai",
+              "password": "<password>"
+            }
+          ],
+          "tls": {
+            "enabled": true,
+            "server_name": "example.org",
+            "acme": {
+              "domain": "example.org",
+              "email": "[email protected]"
+            }
+          }
+        }
+      ]
+    }
+    ```
+
+=== ":material-cloud: With ACME and Cloudflare API"
+
+    ```json
+     {
+      "inbounds": [
+        {
+          "type": "hysteria2",
+          "listen": "::",
+          "listen_port": 8080,
+          "up_mbps": 100,
+          "down_mbps": 100,
+          "users": [
+            {
+              "name": "sekai",
+              "password": "<password>"
+            }
+          ],
+          "tls": {
+            "enabled": true,
+            "server_name": "example.org",
+            "acme": {
+              "domain": "example.org",
+              "email": "[email protected]",
+              "dns01_challenge": {
+                "provider": "cloudflare",
+                "api_token": "my_token"
+              }
+            }
+          }
+        }
+      ]
+    }
+    ```
+
+## :material-cellphone-link: Client Example
+
+!!! info ""
+
+    Replace `up_mbps` and `down_mbps` values with the actual bandwidth of your client.
+
+=== ":material-web-check: With valid certificate"
+
+    ```json
+    {
+      "outbounds": [
+        {
+          "type": "hysteria2",
+          "server": "127.0.0.1",
+          "server_port": 8080,
+          "up_mbps": 100,
+          "down_mbps": 100,
+          "password": "<password>",
+          "tls": {
+            "enabled": true,
+            "server_name": "example.org"
+          }
+        }
+      ]
+    }
+    ```
+
+=== ":material-check: With self-sign certificate"
+
+    !!! info "Tip"
+        
+        Use `sing-box merge` command to merge configuration and certificate into one file.
+
+    ```json
+    {
+      "outbounds": [
+        {
+          "type": "hysteria2",
+          "server": "127.0.0.1",
+          "server_port": 8080,
+          "up_mbps": 100,
+          "down_mbps": 100,
+          "password": "<password>",
+          "tls": {
+            "enabled": true,
+            "server_name": "example.org",
+            "certificate_path": "/path/to/certificate.pem"
+          }
+        }
+      ]
+    }
+    ```
+
+=== ":material-alert: Ignore certificate verification"
+
+    ```json
+    {
+      "outbounds": [
+        {
+          "type": "hysteria2",
+          "server": "127.0.0.1",
+          "server_port": 8080,
+          "up_mbps": 100,
+          "down_mbps": 100,
+          "password": "<password>",
+          "tls": {
+            "enabled": true,
+            "server_name": "example.org",
+            "insecure": true
+          }
+        }
+      ]
+    }
+    ```

docs/manual/proxy-protocol/shadowsocks.md

@@ -0,0 +1,126 @@
+---
+icon: material/send
+---
+
+# Shadowsocks
+
+As the most well-known Chinese-made proxy protocol,
+Shadowsocks exists in multiple versions,
+but only AEAD 2022 ciphers TCP with multiplexing is recommended.
+
+| Ciphers        | Specification                                              | Cryptographic Security | Binary Characteristics | Active Detect Hiddenness |
+|----------------|------------------------------------------------------------|------------------------|------------------------|--------------------------|
+| Stream Ciphers | [shadowsocks.org](https://shadowsocks.org/doc/stream.html) | :material-alert:       | :material-alert:       | :material-alert:         |
+| AEAD           | [shadowsocks.org](https://shadowsocks.org/doc/aead.html)   | :material-check:       | :material-alert:       | :material-alert:         |
+| AEAD 2022      | [shadowsocks.org](https://shadowsocks.org/doc/sip022.html) | :material-check:       | :material-check:       | :material-help:          |
+
+## :material-text-box-check: Password Generator
+
+| For `2022-blake3-aes-128-gcm` cipher | For other ciphers             | Action                                                          |
+|--------------------------------------|-------------------------------|-----------------------------------------------------------------|
+| <code id="password_16"><code>        | <code id="password_32"><code> | <button class="md-button" onclick="generate()">Refresh</button> |
+
+<script>
+    function generatePassword(element, length) {
+        const array = new Uint8Array(length);
+        window.crypto.getRandomValues(array);
+        document.getElementById(element).textContent = btoa(String.fromCharCode.apply(null, array));
+    }
+    function generate() {
+      generatePassword("password_16", 16);
+      generatePassword("password_32", 32);
+    }
+    generate();
+</script>
+
+## :material-server: Server Example
+
+!!! info ""
+
+    Password of cipher `2022-blake3-aes-128-gcm` can be generated by command `sing-box generate rand 16 --base64`
+
+=== ":material-account: Single-user"
+
+    ```json
+     {
+      "inbounds": [
+        {
+          "type": "shadowsocks",
+          "listen": "::",
+          "listen_port": 8080,
+          "network": "tcp",
+          "method": "2022-blake3-aes-128-gcm",
+          "password": "<password>",
+          "multiplex": {
+            "enabled": true
+          }
+        }
+      ]
+    }
+    ```
+
+=== ":material-account-multiple: Multi-user"
+
+    ```json
+     {
+      "inbounds": [
+        {
+          "type": "shadowsocks",
+          "listen": "::",
+          "listen_port": 8080,
+          "network": "tcp",
+          "method": "2022-blake3-aes-128-gcm",
+          "password": "<server_password>",
+          "users": [
+            {
+              "name": "sekai",
+              "password": "<user_password>"
+            }
+          ],
+          "multiplex": {
+            "enabled": true
+          }
+        }
+      ]
+    }
+    ```
+
+## :material-cellphone-link: Client Example
+
+=== ":material-account: Single-user"
+
+    ```json
+    {
+      "outbounds": [
+        {
+          "type": "shadowsocks",
+          "server": "127.0.0.1",
+          "server_port": 8080,
+          "method": "2022-blake3-aes-128-gcm",
+          "password": "<pasword>",
+          "multiplex": {
+            "enabled": true
+          }
+        }
+      ]
+    }
+    ```
+
+=== ":material-account-multiple: Multi-user"
+
+    ```json
+    {
+      "outbounds": [
+        {
+          "type": "shadowsocks",
+          "server": "127.0.0.1",
+          "server_port": 8080,
+          "method": "2022-blake3-aes-128-gcm",
+          "password": "<server_pasword>:<user_password>",
+          "multiplex": {
+            "enabled": true
+          }
+        }
+      ]
+    }
+    ```

docs/manual/proxy-protocol/trojan.md

@@ -0,0 +1,214 @@
+---
+icon: material/horse
+---
+
+# Trojan
+
+As the most commonly used TLS proxy made in China, Trojan can be used in various combinations,
+but only the combination of uTLS and multiplexing is recommended.
+
+| Protocol and implementation combination | Specification                                                        | Binary Characteristics | Active Detect Hiddenness |
+|-----------------------------------------|----------------------------------------------------------------------|------------------------|--------------------------|
+| Origin / trojan-gfw                     | [trojan-gfw.github.io](https://trojan-gfw.github.io/trojan/protocol) | :material-check:       | :material-check:         |
+| Basic Go implementation                 | /                                                                    | :material-alert:       | :material-check:         |
+| with privates transport by V2Ray        | No formal definition                                                 | :material-alert:       | :material-alert:         |
+| with uTLS enabled                       | No formal definition                                                 | :material-help:        | :material-check:         |                             
+
+## :material-text-box-check: Password Generator
+
+| Generate Password          | Action                                                          |
+|----------------------------|-----------------------------------------------------------------|
+| <code id="password"><code> | <button class="md-button" onclick="generate()">Refresh</button> |
+
+<script>
+    function generate() {
+        const array = new Uint8Array(16);
+        window.crypto.getRandomValues(array);
+        document.getElementById("password").textContent = btoa(String.fromCharCode.apply(null, array));
+    }
+    generate();
+</script>
+
+## :material-server: Server Example
+
+=== ":material-harddisk: With local certificate"
+
+    ```json
+    {
+      "inbounds": [
+        {
+          "type": "trojan",
+          "listen": "::",
+          "listen_port": 8080,
+          "users": [
+            {
+              "name": "example",
+              "password": "password"
+            }
+          ],
+          "tls": {
+            "enabled": true,
+            "server_name": "example.org",
+            "key_path": "/path/to/key.pem",
+            "certificate_path": "/path/to/certificate.pem"
+          },
+          "multiplex": {
+            "enabled": true
+          }
+        }
+      ]
+    }
+    ```
+
+=== ":material-auto-fix: With ACME"
+
+    ```json
+    {
+      "inbounds": [
+        {
+          "type": "trojan",
+          "listen": "::",
+          "listen_port": 8080,
+          "users": [
+            {
+              "name": "example",
+              "password": "password"
+            }
+          ],
+          "tls": {
+            "enabled": true,
+            "server_name": "example.org",
+            "acme": {
+              "domain": "example.org",
+              "email": "[email protected]"
+            }
+          },
+          "multiplex": {
+            "enabled": true
+          }
+        }
+      ]
+    }
+    ```
+
+=== ":material-cloud: With ACME and Cloudflare API"
+
+    ```json
+    {
+      "inbounds": [
+        {
+          "type": "trojan",
+          "listen": "::",
+          "listen_port": 8080,
+          "users": [
+            {
+              "name": "example",
+              "password": "password"
+            }
+          ],
+          "tls": {
+            "enabled": true,
+            "server_name": "example.org",
+            "acme": {
+              "domain": "example.org",
+              "email": "[email protected]",
+              "dns01_challenge": {
+                "provider": "cloudflare",
+                "api_token": "my_token"
+              }
+            }
+          },
+          "multiplex": {
+            "enabled": true
+          }
+        }
+      ]
+    }
+    ```
+
+## :material-cellphone-link: Client Example
+
+=== ":material-web-check: With valid certificate"
+
+    ```json
+    {
+      "outbounds": [
+        {
+          "type": "trojan",
+          "server": "127.0.0.1",
+          "server_port": 8080,
+          "password": "password",
+          "tls": {
+            "enabled": true,
+            "server_name": "example.org",
+            "utls": {
+              "enabled": true,
+              "fingerprint": "firefox"
+            }
+          },
+          "multiplex": {
+            "enabled": true
+          }
+        }
+      ]
+    }
+    ```
+
+=== ":material-check: With self-sign certificate"
+
+    !!! info "Tip"
+        
+        Use `sing-box merge` command to merge configuration and certificate into one file.
+
+    ```json
+    {
+      "outbounds": [
+        {
+          "type": "trojan",
+          "server": "127.0.0.1",
+          "server_port": 8080,
+          "password": "password",
+          "tls": {
+            "enabled": true,
+            "server_name": "example.org",
+            "certificate_path": "/path/to/certificate.pem",
+            "utls": {
+              "enabled": true,
+              "fingerprint": "firefox"
+            }
+          },
+          "multiplex": {
+            "enabled": true
+          }
+        }
+      ]
+    }
+    ```
+
+=== ":material-alert: Ignore certificate verification"
+
+    ```json
+    {
+      "outbounds": [
+        {
+          "type": "trojan",
+          "server": "127.0.0.1",
+          "server_port": 8080,
+          "password": "password",
+          "tls": {
+            "enabled": true,
+            "server_name": "example.org",
+            "insecure": true,
+            "utls": {
+              "enabled": true,
+              "fingerprint": "firefox"
+            }
+          },
+          "multiplex": {
+            "enabled": true
+          }
+        }
+      ]
+    }
+    ```
+

docs/manual/proxy-protocol/tuic.md

@@ -0,0 +1,208 @@
+---
+icon: material/alpha-t-box
+---
+
+# TUIC
+
+A recently popular Chinese-made simple protocol based on QUIC, the selling point is the BBR congestion control algorithm.
+
+!!! warning
+
+    Even though GFW rarely blocks UDP-based proxies, such protocols actually have far more characteristics than TCP based proxies.
+
+| Specification                                             | Binary Characteristics | Active Detect Hiddenness |
+|-----------------------------------------------------------|------------------------|--------------------------|
+| [GitHub](https://github.com/EAimTY/tuic/blob/dev/SPEC.md) | :material-alert:       | :material-check:         | 
+
+## Password Generator
+
+| Generated UUID         | Generated  Password        | Action                                                          |
+|------------------------|----------------------------|-----------------------------------------------------------------|
+| <code id="uuid"><code> | <code id="password"><code> | <button class="md-button" onclick="generate()">Refresh</button> |
+
+<script>
+    function generateUUID() {
+        const uuid = 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function(c) {
+            let r = Math.random() * 16 | 0,
+            v = c === 'x' ? r : (r & 0x3 | 0x8);
+            return v.toString(16);
+        });
+        document.getElementById("uuid").textContent = uuid;
+    }
+    function generatePassword() {
+        const array = new Uint8Array(16);
+        window.crypto.getRandomValues(array);
+        document.getElementById("password").textContent = btoa(String.fromCharCode.apply(null, array));
+    }
+    function generate() {
+        generateUUID();
+        generatePassword();
+    }
+    generate();
+</script>
+
+## :material-server: Server Example
+
+=== ":material-harddisk: With local certificate"
+
+    ```json
+     {
+      "inbounds": [
+        {
+          "type": "tuic",
+          "listen": "::",
+          "listen_port": 8080,
+          "users": [
+            {
+              "name": "sekai",
+              "uuid": "<uuid>",
+              "password": "<password>"
+            }
+          ],
+          "congestion_control": "bbr",
+          "tls": {
+            "enabled": true,
+            "server_name": "example.org",
+            "key_path": "/path/to/key.pem",
+            "certificate_path": "/path/to/certificate.pem"
+          }
+        }
+      ]
+    }
+    ```
+
+=== ":material-auto-fix: With ACME"
+
+    ```json
+    {
+      "inbounds": [
+        {
+          "type": "tuic",
+          "listen": "::",
+          "listen_port": 8080,
+          "users": [
+            {
+              "name": "sekai",
+              "uuid": "<uuid>",
+              "password": "<password>"
+            }
+          ],
+          "congestion_control": "bbr",
+          "tls": {
+            "enabled": true,
+            "server_name": "example.org",
+            "acme": {
+              "domain": "example.org",
+              "email": "[email protected]"
+            }
+          }
+        }
+      ]
+    }
+    ```
+
+=== ":material-cloud: With ACME and Cloudflare API"
+
+    ```json
+    {
+      "inbounds": [
+        {
+          "type": "tuic",
+          "listen": "::",
+          "listen_port": 8080,
+          "users": [
+            {
+              "name": "sekai",
+              "uuid": "<uuid>",
+              "password": "<password>"
+            }
+          ],
+          "congestion_control": "bbr",
+          "tls": {
+            "enabled": true,
+            "server_name": "example.org",
+            "acme": {
+              "domain": "example.org",
+              "email": "[email protected]",
+              "dns01_challenge": {
+                "provider": "cloudflare",
+                "api_token": "my_token"
+              }
+            }
+          }
+        }
+      ]
+    }
+    ```
+
+## :material-cellphone-link: Client Example
+
+=== ":material-web-check: With valid certificate"
+
+    ```json
+    {
+      "outbounds": [
+        {
+          "type": "tuic",
+          "server": "127.0.0.1",
+          "server_port": 8080,
+          "uuid": "<uuid>",
+          "password": "<password>",
+          "congestion_control": "bbr",
+          "tls": {
+            "enabled": true,
+            "server_name": "example.org"
+          }
+        }
+      ]
+    }
+    ```
+
+=== ":material-check: With self-sign certificate"
+
+    !!! info "Tip"
+        
+        Use `sing-box merge` command to merge configuration and certificate into one file.
+
+    ```json
+    {
+      "outbounds": [
+        {
+          "type": "tuic",
+          "server": "127.0.0.1",
+          "server_port": 8080,
+          "uuid": "<uuid>",
+          "password": "<password>",
+          "congestion_control": "bbr",
+          "tls": {
+            "enabled": true,
+            "server_name": "example.org",
+            "certificate_path": "/path/to/certificate.pem"
+          }
+        }
+      ]
+    }
+    ```
+
+=== ":material-alert: Ignore certificate verification"
+
+    ```json
+    {
+      "outbounds": [
+        {
+          "type": "tuic",
+          "server": "127.0.0.1",
+          "server_port": 8080,
+          "uuid": "<uuid>",
+          "password": "<password>",
+          "congestion_control": "bbr",
+          "tls": {
+            "enabled": true,
+            "server_name": "example.org",
+            "insecure": true
+          }
+        }
+      ]
+    }
+    ```
+

docs/manual/proxy/client.md

@@ -0,0 +1,425 @@
+---
+icon: material/cellphone-link
+---
+
+# Client
+
+### :material-ray-start: Introduction
+
+For a long time, the modern usage and principles of proxy clients
+for graphical operating systems have not been clearly described.
+However, we can categorize them into three types:
+system proxy, firewall redirection, and virtual interface.
+
+### :material-web-refresh: System Proxy
+
+Almost all graphical environments support system-level proxies,
+which are essentially ordinary HTTP proxies that only support TCP.
+
+| Operating System / Desktop Environment       | System Proxy                         | Application Support |
+|:---------------------------------------------|:-------------------------------------|:--------------------|
+| Windows                                      | :material-check:                     | :material-check:    |
+| macOS                                        | :material-check:                     | :material-check:    |
+| GNOME/KDE                                    | :material-check:                     | :material-check:    |
+| Android                                      | ROOT or adb (permission) is required | :material-check:    |
+| Android/iOS (with sing-box graphical client) | via `tun.platform.http_proxy`        | :material-check:    |
+
+As one of the most well-known proxy methods, it has many shortcomings:
+many TCP clients that are not based on HTTP do not check and use the system proxy.
+Moreover, UDP and ICMP traffics bypass the proxy.
+
+```mermaid
+flowchart LR
+    dns[DNS query] -- Is HTTP request? --> proxy[HTTP proxy]
+    dns --> leak[Leak]
+    tcp[TCP connection] -- Is HTTP request? --> proxy
+    tcp -- Check and use HTTP CONNECT? --> proxy
+    tcp --> leak
+    udp[UDP packet] --> leak
+```
+
+### :material-wall-fire: Firewall Redirection
+
+This type of usage typically relies on the firewall or hook interface provided by the operating system,
+such as Windows’ WFP, Linux’s redirect, TProxy and eBPF, and macOS’s pf.
+Although it is intrusive and cumbersome to configure,
+it remains popular within the community of amateur proxy open source projects like V2Ray,
+due to the low technical requirements it imposes on the software.
+
+### :material-expansion-card: Virtual Interface
+
+All L2/L3 proxies (seriously defined VPNs, such as OpenVPN, WireGuard) are based on virtual network interfaces,
+which is also the only way for all L4 proxies to work as VPNs on mobile platforms like Android, iOS.
+
+The sing-box inherits and develops clash-premium’s TUN inbound (L3 to L4 conversion)
+as the most reasonable method for performing transparent proxying.
+
+```mermaid
+flowchart TB
+    packet[IP Packet]
+    packet --> windows[Windows / macOS]
+    packet --> linux[Linux]
+    tun[TUN interface]
+    windows -. route .-> tun
+    linux -. iproute2 route/rule .-> tun
+    tun --> gvisor[gVisor TUN stack]
+    tun --> system[system TUN stack]
+    assemble([L3 to L4 assemble])
+    gvisor --> assemble
+    system --> assemble
+    assemble --> conn[TCP and UDP connections]
+    conn --> router[sing-box Router]
+    router --> direct[Direct outbound]
+    router --> proxy[Proxy outbounds]
+    router -- DNS hijack --> dns_out[DNS outbound]
+    dns_out --> dns_router[DNS router]
+    dns_router --> router
+    direct --> adi([auto detect interface])
+    proxy --> adi
+    adi --> default[Default network interface in the system]
+    default --> destination[Destination server]
+    default --> proxy_server[Proxy server]
+    proxy_server --> destination
+```
+
+## :material-cellphone-link: Examples
+
+### Basic TUN usage for Chinese users
+
+=== ":material-numeric-4-box: IPv4 only"
+
+    ```json
+    {
+      "dns": {
+        "servers": [
+          {
+            "tag": "google",
+            "address": "tls://8.8.8.8"
+          },
+          {
+            "tag": "local",
+            "address": "223.5.5.5",
+            "detour": "direct"
+          }
+        ],
+        "rules": [
+          {
+            "outbound": "any",
+            "server": "local"
+          }
+        ],
+        "strategy": "ipv4_only"
+      },
+      "inbounds": [
+        {
+          "type": "tun",
+          "inet4_address": "172.19.0.1/30",
+          "auto_route": true,
+          "strict_route": false
+        }
+      ],
+      "outbounds": [
+        // ...
+        {
+          "type": "direct",
+          "tag": "direct"
+        },
+        {
+          "type": "dns",
+          "tag": "dns-out"
+        }
+      ],
+      "route": {
+        "rules": [
+          {
+            "protocol": "dns",
+            "outbound": "dns-out"
+          },
+          {
+            "geoip": [
+              "private"
+            ],
+            "outbound": "direct"
+          }
+        ],
+        "auto_detect_interface": true
+      }
+    }
+    ```
+
+=== ":material-numeric-6-box: IPv4 & IPv6"
+
+    ```json
+    {
+      "dns": {
+        "servers": [
+          {
+            "tag": "google",
+            "address": "tls://8.8.8.8"
+          },
+          {
+            "tag": "local",
+            "address": "223.5.5.5",
+            "detour": "direct"
+          }
+        ],
+        "rules": [
+          {
+            "outbound": "any",
+            "server": "local"
+          }
+        ]
+      },
+      "inbounds": [
+        {
+          "type": "tun",
+          "inet4_address": "172.19.0.1/30",
+          "inet6_address": "fdfe:dcba:9876::1/126",
+          "auto_route": true,
+          "strict_route": false
+        }
+      ],
+      "outbounds": [
+        // ...
+        {
+          "type": "direct",
+          "tag": "direct"
+        },
+        {
+          "type": "dns",
+          "tag": "dns-out"
+        }
+      ],
+      "route": {
+        "rules": [
+          {
+            "protocol": "dns",
+            "outbound": "dns-out"
+          },
+          {
+            "geoip": [
+              "private"
+            ],
+            "outbound": "direct"
+          }
+        ],
+        "auto_detect_interface": true
+      }
+    }
+    ```
+
+=== ":material-domain-switch: FakeIP"
+
+    ```json
+    {
+      "dns": {
+        "servers": [
+          {
+            "tag": "google",
+            "address": "tls://8.8.8.8"
+          },
+          {
+            "tag": "local",
+            "address": "223.5.5.5",
+            "detour": "direct"
+          },
+          {
+            "tag": "remote",
+            "address": "fakeip"
+          }
+        ],
+        "rules": [
+          {
+            "outbound": "any",
+            "server": "local"
+          },
+          {
+            "query_type": [
+              "A",
+              "AAAA"
+            ],
+            "server": "remote"
+          }
+        ],
+        "fakeip": {
+          "enabled": true,
+          "inet4_range": "198.18.0.0/15",
+          "inet6_range": "fc00::/18"
+        },
+        "independent_cache": true
+      },
+      "inbounds": [
+        {
+          "type": "tun",
+          "inet4_address": "172.19.0.1/30",
+          "inet6_address": "fdfe:dcba:9876::1/126",
+          "auto_route": true,
+          "strict_route": true
+        }
+      ],
+      "outbounds": [
+        // ...
+        {
+          "type": "direct",
+          "tag": "direct"
+        },
+        {
+          "type": "dns",
+          "tag": "dns-out"
+        }
+      ],
+      "route": {
+        "rules": [
+          {
+            "protocol": "dns",
+            "outbound": "dns-out"
+          },
+          {
+            "geoip": [
+              "private"
+            ],
+            "outbound": "direct"
+          }
+        ],
+        "auto_detect_interface": true
+      }
+    }
+    ```
+
+### Traffic bypass usage for Chinese users
+
+=== ":material-dns: DNS rules"
+
+    !!! info
+    
+        DNS rules are optional if FakeIP is used.
+
+    ```json
+    {
+      "dns": {
+        "servers": [
+          {
+            "tag": "google",
+            "address": "tls://8.8.8.8"
+          },
+          {
+            "tag": "local",
+            "address": "223.5.5.5",
+            "detour": "direct"
+          }
+        ],
+        "rules": [
+          {
+            "outbound": "any",
+            "server": "local"
+          },
+          {
+            "clash_mode": "Direct",
+            "server": "local"
+          },
+          {
+            "clash_mode": "Global",
+            "server": "google"
+          },
+          {
+            "type": "logical",
+            "mode": "and",
+            "rules": [
+              {
+                "geosite": "geolocation-!cn",
+                "invert": true
+              },
+              {
+                "geosite": [
+                  "cn",
+                  "category-companies@cn"
+                ],
+              }
+            ],
+            "server": "local"
+          }
+        ]
+      }
+    }
+    ```
+
+=== ":material-router-network: Route rules"
+
+    ```json
+    {
+      "outbounds": [
+        {
+          "type": "direct",
+          "tag": "direct"
+        },
+        {
+          "type": "block",
+          "tag": "block"
+        }
+      ],
+      "route": {
+        "rules": [
+          {
+            "type": "logical",
+            "mode": "or",
+            "rules": [
+              {
+                "protocol": "dns"
+              },
+              {
+                "port": 53
+              }
+            ],
+            "outbound": "dns"
+          },
+          {
+            "geoip": "private",
+            "outbound": "direct"
+          },
+          {
+            "clash_mode": "Direct",
+            "outbound": "direct"
+          },
+          {
+            "clash_mode": "Global",
+            "outbound": "default"
+          },
+          {
+            "type": "logical",
+            "mode": "or",
+            "rules": [
+              {
+                "port": 853
+              },
+              {
+                "network": "udp",
+                "port": 443
+              },
+              {
+                "protocol": "stun"
+              }
+            ],
+            "outbound": "block"
+          },
+          {
+            "type": "logical",
+            "mode": "and",
+            "rules": [
+              {
+                "geosite": "geolocation-!cn",
+                "invert": true
+              },
+              {
+                "geosite": [
+                  "cn",
+                  "category-companies@cn"
+                ],
+                "geoip": "cn"
+              }
+            ],
+            "outbound": "direct"
+          }
+        ]
+      }
+    }
+    ```