!!! quote "Changes in sing-box 1.11.0"

:material-delete-alert: [gso](#gso)

!!! quote "Changes in sing-box 1.10.0"

:material-plus: [address](#address)  
:material-delete-clock: [inet4_address](#inet4_address)  
:material-delete-clock: [inet6_address](#inet6_address)  
:material-plus: [route_address](#route_address)  
:material-delete-clock: [inet4_route_address](#inet4_route_address)  
:material-delete-clock: [inet6_route_address](#inet6_route_address)  
:material-plus: [route_exclude_address](#route_exclude_address)  
:material-delete-clock: [inet4_route_exclude_address](#inet4_route_exclude_address)  
:material-delete-clock: [inet6_route_exclude_address](#inet6_route_exclude_address)  
:material-plus: [iproute2_table_index](#iproute2_table_index)  
:material-plus: [iproute2_rule_index](#iproute2_rule_index)  
:material-plus: [auto_redirect](#auto_redirect)  
:material-plus: [auto_redirect_input_mark](#auto_redirect_input_mark)  
:material-plus: [auto_redirect_output_mark](#auto_redirect_output_mark)  
:material-plus: [route_address_set](#route_address_set)  
:material-plus: [route_exclude_address_set](#route_exclude_address_set)

!!! quote "Changes in sing-box 1.9.0"

:material-plus: [platform.http_proxy.bypass_domain](#platformhttp_proxybypass_domain)  
:material-plus: [platform.http_proxy.match_domain](#platformhttp_proxymatch_domain)  

!!! quote "Changes in sing-box 1.8.0"

:material-plus: [gso](#gso)  
:material-alert-decagram: [stack](#stack)

!!! quote ""

Only supported on Linux, Windows and macOS.

Structure

```json
{
  "type": "tun",
  "tag": "tun-in",
  "interface_name": "tun0",
  "address": [
    "172.18.0.1/30",
    "fdfe:dcba:9876::1/126"
  ],
  "mtu": 9000,
  "auto_route": true,
  "iproute2_table_index": 2022,
  "iproute2_rule_index": 9000,
  "auto_redirect": false,
  "auto_redirect_input_mark": "0x2023",
  "auto_redirect_output_mark": "0x2024",
  "strict_route": true,
  "route_address": [
    "0.0.0.0/1",
    "128.0.0.0/1",
    "::/1",
    "8000::/1"
  ],
  "route_exclude_address": [
    "192.168.0.0/16",
    "fc00::/7"
  ],
  "route_address_set": [
    "geoip-cloudflare"
  ],
  "route_exclude_address_set": [
    "geoip-cn"
  ],
  "endpoint_independent_nat": false,
  "udp_timeout": "5m",
  "stack": "system",
  "include_interface": [
    "lan0"
  ],
  "exclude_interface": [
    "lan1"
  ],
  "include_uid": [
    0
  ],
  "include_uid_range": [
    "1000:99999"
  ],
  "exclude_uid": [
    1000
  ],
  "exclude_uid_range": [
    "1000:99999"
  ],
  "include_android_user": [
    0,
    10
  ],
  "include_package": [
    "com.android.chrome"
  ],
  "exclude_package": [
    "com.android.captiveportallogin"
  ],
  "platform": {
    "http_proxy": {
      "enabled": false,
      "server": "127.0.0.1",
      "server_port": 8080,
      "bypass_domain": [],
      "match_domain": []
    }
  },

  // Deprecated
  "gso": false,
  "inet4_address": [
    "172.19.0.1/30"
  ],
  "inet6_address": [
    "fdfe:dcba:9876::1/126"
  ],
  "inet4_route_address": [
    "0.0.0.0/1",
    "128.0.0.0/1"
  ],
  "inet6_route_address": [
    "::/1",
    "8000::/1"
  ],
  "inet4_route_exclude_address": [
    "192.168.0.0/16"
  ],
  "inet6_route_exclude_address": [
    "fc00::/7"
  ],

  ... // Listen Fields
}
```

!!! note ""

You can omit the JSON array brackets `[]` when the content is only one item.

!!! warning ""

If tun is running in non-privileged mode, addresses and MTU will not be configured automatically; make sure the settings are accurate.

Fields

interface_name

Virtual device name, automatically selected if empty.

address

!!! question "Since sing-box 1.10.0"

IPv4 and IPv6 prefix for the tun interface.

inet4_address

!!! failure "Deprecated in sing-box 1.10.0"

`inet4_address` is merged into `address` and will be removed in sing-box 1.12.0.

IPv4 prefix for the tun interface.

inet6_address

!!! failure "Deprecated in sing-box 1.10.0"

`inet6_address` is merged into `address` and will be removed in sing-box 1.12.0.

IPv6 prefix for the tun interface.

mtu

The maximum transmission unit.

gso

!!! failure "Deprecated in sing-box 1.11.0"

GSO has no advantages for transparent proxy scenarios, is deprecated and no longer works, and will be removed in sing-box 1.12.0.

!!! question "Since sing-box 1.8.0"

!!! quote ""

Only supported on Linux with `auto_route` enabled.

Enable generic segmentation offload.

auto_route

Set the default route to the Tun.

!!! quote ""

To avoid traffic loopback, set `route.auto_detect_interface`, `route.default_interface` or `outbound.bind_interface`.

!!! note "Use with Android VPN"

By default, VPN takes precedence over tun. To make tun go through VPN, enable `route.override_android_vpn`.

iproute2_table_index

!!! question "Since sing-box 1.10.0"

Linux iproute2 table index generated by auto_route.

2022 is used by default.

iproute2_rule_index

!!! question "Since sing-box 1.10.0"

Linux iproute2 rule start index generated by auto_route.

9000 is used by default.

auto_redirect

!!! question "Since sing-box 1.10.0"

!!! quote ""

Only supported on Linux with `auto_route` enabled.

Automatically configure iptables/nftables to redirect connections.

*In Android*:

Only local IPv4 connections are forwarded. To share your VPN connection over hotspot or repeater, use VPNHotspot.

*In Linux*:

auto_route with auto_redirect works as expected on routers without intervention.

auto_redirect_input_mark

!!! question "Since sing-box 1.10.0"

Connection input mark used by route_address_set and route_exclude_address_set.

0x2023 is used by default.

auto_redirect_output_mark

!!! question "Since sing-box 1.10.0"

Connection output mark used by route_address_set and route_exclude_address_set.

0x2024 is used by default.

strict_route

Enforce strict routing rules when auto_route is enabled:

*In Linux*:

  • Make unsupported networks unreachable
  • Make ICMP traffic route to tun instead of upstream interfaces
  • Route all connections to tun

It prevents IP address leaks and makes DNS hijacking work on Android.

*In Windows*:

It may prevent some applications (such as VirtualBox) from working properly in certain situations.

route_address

!!! question "Since sing-box 1.10.0"

Use custom routes instead of default when auto_route is enabled.

inet4_route_address

!!! failure "Deprecated in sing-box 1.10.0"

`inet4_route_address` is deprecated and will be removed in sing-box 1.12.0; use `route_address` instead.

Use custom routes instead of default when auto_route is enabled.

inet6_route_address

!!! failure "Deprecated in sing-box 1.10.0"

`inet6_route_address` is deprecated and will be removed in sing-box 1.12.0; use `route_address` instead.

Use custom routes instead of default when auto_route is enabled.

route_exclude_address

!!! question "Since sing-box 1.10.0"

Exclude custom routes when auto_route is enabled.

inet4_route_exclude_address

!!! failure "Deprecated in sing-box 1.10.0"

`inet4_route_exclude_address` is deprecated and will be removed in sing-box 1.12.0; use `route_exclude_address` instead.

Exclude custom routes when auto_route is enabled.

inet6_route_exclude_address

!!! failure "Deprecated in sing-box 1.10.0"

`inet6_route_exclude_address` is deprecated and will be removed in sing-box 1.12.0; use `route_exclude_address` instead.

Exclude custom routes when auto_route is enabled.
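The deprecated per-family fields above can be folded into their 1.10.0 replacements mechanically. The following is an added example, not part of the sing-box documentation or code base; `migrate_tun_inbound` is a hypothetical helper, the sample inbound is constructed, and placing IPv4 entries before IPv6 entries is an assumption of this sketch.

```python
# Deprecated field -> replacement, as listed in the change notes on this page.
DEPRECATED_TO_NEW = {
    "inet4_address": "address",
    "inet6_address": "address",
    "inet4_route_address": "route_address",
    "inet6_route_address": "route_address",
    "inet4_route_exclude_address": "route_exclude_address",
    "inet6_route_exclude_address": "route_exclude_address",
}


def as_list(value):
    """The page allows a single item to be written without the [] brackets."""
    return list(value) if isinstance(value, list) else [value]


def migrate_tun_inbound(inbound):
    """Return (migrated_copy, notes); the input dict is not modified."""
    out = {k: v for k, v in inbound.items()
           if k not in DEPRECATED_TO_NEW and k != "gso"}
    notes = []
    if "gso" in inbound:
        notes.append("gso: deprecated in 1.11.0 and no longer works; dropped")
    for old, new in DEPRECATED_TO_NEW.items():
        if old not in inbound:
            continue
        merged = as_list(out.get(new, []))
        for prefix in as_list(inbound[old]):
            if prefix not in merged:  # skip duplicates when both forms are set
                merged.append(prefix)
        out[new] = merged
        notes.append(f"{old}: merged into {new}")
    return out, notes


# Constructed sample: a tun inbound written with the pre-1.10.0 field names.
LEGACY = {
    "type": "tun", "tag": "tun-in",
    "inet4_address": "172.19.0.1/30",
    "inet6_address": ["fdfe:dcba:9876::1/126"],
    "inet4_route_exclude_address": ["192.168.0.0/16"],
    "inet6_route_exclude_address": ["fc00::/7"],
    "auto_route": True, "gso": False,
}

if __name__ == "__main__":
    migrated, notes = migrate_tun_inbound(LEGACY)
    print(migrated)
    print("\n".join(notes))
```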

route_address_set

!!! question "Since sing-box 1.10.0"

!!! quote ""

Only supported on Linux with nftables and requires `auto_route` and `auto_redirect` enabled.

Add the destination IP CIDR rules in the specified rule-sets to the firewall. Unmatched traffic will bypass the sing-box routes.

Conflicts with `route.default_mark` and `[dialOptions].routing_mark`.

route_exclude_address_set

!!! question "Since sing-box 1.10.0"

!!! quote ""

Only supported on Linux with nftables and requires `auto_route` and `auto_redirect` enabled.

Add the destination IP CIDR rules in the specified rule-sets to the firewall. Matched traffic will bypass the sing-box routes.

Conflicts with `route.default_mark` and `[dialOptions].routing_mark`.

endpoint_independent_nat

!!! info ""

This item is only available on the gvisor stack; other stacks are endpoint-independent NAT by default.

Enable endpoint-independent NAT.

Performance may degrade slightly, so it is not recommended to enable it when it is not needed.

udp_timeout

UDP NAT expiration time.

5m will be used by default.

stack

!!! quote "Changes in sing-box 1.8.0"

:material-delete-alert: The legacy LWIP stack has been deprecated and removed.

TCP/IP stack.

| Stack  | Description                                                       |
|--------|-------------------------------------------------------------------|
| system | Perform L3 to L4 translation using the system network stack       |
| gvisor | Perform L3 to L4 translation using gVisor's virtual network stack |
| mixed  | Mixed system TCP stack and gvisor UDP stack                       |

Defaults to the mixed stack if the gVisor build tag is enabled, otherwise defaults to the system stack.

include_interface

!!! quote ""

Interface rules are only supported on Linux and require auto_route.

Limit interfaces in route. Not limited by default.

Conflicts with `exclude_interface`.

exclude_interface

!!! warning ""

When `strict_route` is enabled, return traffic to excluded interfaces will not be automatically excluded, so add them as well (example: `br-lan` and `pppoe-wan`).

Exclude interfaces in route.

Conflicts with `include_interface`.
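Several fields above only work in combination, or conflict with each other, and a misconfiguration is easy to miss until traffic leaks or loops. The following check is an added example, not part of sing-box; `lint_tun` is a hypothetical name, the sample config is constructed, and the code assumes the usual top-level `inbounds`, `route` and `outbounds` keys and treats an absent boolean field as disabled.

```python
def lint_tun(config):
    """Return findings for every tun inbound in a parsed sing-box config dict."""
    route = config.get("route", {})
    # Heuristic: any outbound with bind_interface counts as loopback protection.
    bound = any("bind_interface" in o for o in config.get("outbounds", []))
    findings = []
    for ib in config.get("inbounds", []):
        if ib.get("type") != "tun":
            continue
        msgs = []
        # Assumption: an absent boolean field means the feature is disabled.
        auto_route = ib.get("auto_route", False)
        auto_redirect = ib.get("auto_redirect", False)
        if auto_route and not ib.get("strict_route", False):
            msgs.append("strict_route is off (it prevents IP address leaks)")
        if auto_route and not (route.get("auto_detect_interface")
                               or route.get("default_interface") or bound):
            msgs.append("no interface binding set; traffic may loop back")
        if auto_redirect and not auto_route:
            msgs.append("auto_redirect requires auto_route")
        for key in ("route_address_set", "route_exclude_address_set"):
            if key not in ib:
                continue
            if not (auto_route and auto_redirect):
                msgs.append(f"{key} requires auto_route and auto_redirect")
            if "default_mark" in route:
                msgs.append(f"{key} conflicts with route.default_mark")
        if "include_interface" in ib and "exclude_interface" in ib:
            msgs.append("include_interface conflicts with exclude_interface")
        if ib.get("endpoint_independent_nat") and ib.get("stack") == "system":
            msgs.append("endpoint_independent_nat only applies to the gvisor stack")
        findings += [f"{ib.get('tag', '<untagged>')}: {m}" for m in msgs]
    return findings


# Constructed sample config that violates several constraints at once.
SAMPLE = {
    "inbounds": [{
        "type": "tun", "tag": "tun-in", "auto_route": True, "auto_redirect": False,
        "stack": "system", "endpoint_independent_nat": True,
        "route_exclude_address_set": ["geoip-cn"],
        "include_interface": ["lan0"], "exclude_interface": ["lan1"],
    }],
    "route": {"default_mark": 233},
    "outbounds": [{"type": "direct", "tag": "direct"}],
}

if __name__ == "__main__":
    print("\n".join(lint_tun(SAMPLE)))
```

The `strict_route` finding is advisory: on Windows the option may interfere with some applications, as noted under `strict_route`.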

include_uid

!!! quote ""

UID rules are only supported on Linux and require auto_route.

Limit users in route. Not limited by default.

include_uid_range

Limit users in route, specified as UID ranges.

exclude_uid

Exclude users in route.

exclude_uid_range

Exclude users in route, specified as UID ranges.

include_android_user

!!! quote ""

Android user and package rules are only supported on Android and require auto_route.

Limit Android users in route.

| Common user  | ID |
|--------------|----|
| Main         | 0  |
| Work Profile | 10 |

include_package

Limit Android packages in route.

exclude_package

Exclude Android packages in route.

platform

Platform-specific settings, provided by client applications.

platform.http_proxy

System HTTP proxy settings.

platform.http_proxy.enabled

Enable system HTTP proxy.

platform.http_proxy.server

==Required==

HTTP proxy server address.

platform.http_proxy.server_port

==Required==

HTTP proxy server port.

platform.http_proxy.bypass_domain

!!! note ""

On Apple platforms, `bypass_domain` items match hostname **suffixes**.

Hostnames that bypass the HTTP proxy.

platform.http_proxy.match_domain

!!! quote ""

Only supported in graphical clients on Apple platforms.

Hostnames that use the HTTP proxy.

Listen Fields

See Listen Fields for details.