ignore_client_bandwidth behavior update [1]
1:
When up_mbps and down_mbps are set, ignore_client_bandwidth instead denies clients from using BBR CC.
See Hysteria2.
1:
See Hysteria2.
1:
When auto_redirect is not enabled, directly add route[_exclude]_address_set
to tun routes (equivalent to route[_exclude]_address).
Note that it doesn't work on the Android graphical client due to the Android VpnService not being able to handle a large number of routes (DeadSystemException), but otherwise it works fine on all command line clients and Apple platforms.
See route_address_set and route_exclude_address_set.
rule-set merge command
1:
See Hysteria2.
1:
See Rule Action.
1:
For WireGuard outbound and endpoint, GSO will be automatically enabled when available, see WireGuard Outbound.
For TUN, GSO has been removed, see Deprecated.
1:
The new WireGuard endpoint combines inbound and outbound capabilities, and the old outbound will be removed in sing-box 1.13.0.
See Endpoint, WireGuard Endpoint and Migrate WireGuard outbound fields to route options.
cache_capacity DNS option [1]
override_address and override_port route options [2]
1:
See DNS.
2:
See Rule Action and Migrate destination override fields to route options.
1:
New options allow you to configure the network strategy flexibly.
See Dial Fields, Rule Action and Route.
1:
Similar to Surge's strategy.
New options allow you to connect using multiple network interfaces, prefer or only use one type of interface, and configure a timeout to fallback to other interfaces.
See Dial Fields, Rule Action and Route.
network_type, network_is_expensive and network_is_constrainted rule items [2]
1:
Route options in DNS route actions will no longer be considered deprecated, see DNS Route Action.
Also, udp_disable_domain_unmapping and udp_connect can now also be configured in the route action, see Route Action.
2:
When using in graphical clients, new routing rule items allow you to match on network type (WIFI, cellular, etc.), whether the network is expensive, and whether Low Data Mode is enabled.
See Route Rule, DNS Route Rule and Headless Rule.
1:
When the gvisor tun stack is enabled, even if the request passes routing, if the outbound connection cannot be established, the inbound connection still does not need to be established and a TCP RST is sent in reply.
1:
New rule actions replace legacy inbound fields and special outbound fields, and can be used for pre-matching [2].
See Rule, Rule Action, DNS Rule and DNS Rule Action.
For migration, see Migrate legacy special outbounds to rule actions, Migrate legacy inbound fields to rule actions and Migrate legacy DNS route options to rule actions.
2:
Similar to Surge's pre-matching.
Specifically, new rule actions allow you to reject connections with a TCP RST (for TCP connections) or an ICMP port unreachable (for UDP packets) before the connection is established, to improve tun's compatibility.
See Rule Action.
Important changes since 1.9:
auto-route and auto-redirect [4]
inline rule-set type [7]
rule_set_ip_cidr_accept_empty DNS address filter rule item [9]
rule-set match command
rule-set decompile command
process_path_regex rule item
1:
The new auto-redirect feature allows TUN to automatically configure connection redirection to improve proxy performance.
When auto-redirect is enabled, new route address set options will allow you to automatically configure destination IP CIDR rules from a specified rule set to the firewall.
Specified or unspecified destinations will bypass the sing-box routes to get better performance (for example, keeping hardware offloading of direct traffic on the router).
See TUN.
2:
The new feature allows you to use AdGuard DNS Filter lists in a sing-box without AdGuard Home.
See AdGuard DNS Filter.
3:
See Migration.
4:
See iproute2_table_index, iproute2_rule_index, auto_redirect_input_mark and auto_redirect_output_mark.
5:
Due to maintenance difficulties, sing-box 1.10.0 requires at least Go 1.20 to compile.
6:
BitTorrent, DTLS, RDP, SSH sniffers are added.
Now the QUIC sniffer can correctly extract the server name from Chromium requests and can identify common QUIC clients, including Chromium, Safari, Firefox, quic-go (including uquic disguised as Chrome).
7:
The new rule-set type inline (which also becomes the default type) allows you to write headless rules directly without creating a rule-set file.
8:
With new access control options, not only can you allow Clash dashboards to access the Clash API on your local network, you can also manually limit the websites that can access the API instead of allowing everyone.
See Clash API.
9:
See DNS Rule.
10:
sing-box now uses fsnotify correctly and will not cancel watching
if the target file is deleted or recreated via rename (e.g. mv).
This affects all path options that support reload, including
tls.certificate_path, tls.key_path, tls.ech.key_path and rule_set.path.
11:
Some legacy chrome fingerprints have been removed and will fallback to chrome, see utls.
12:
See Source Format.
1:
Some legacy chrome fingerprints have been removed and will fallback to chrome, see utls.
process_path_regex rule item
The macOS standalone versions of sing-box (>=1.9.5/<1.10.0-beta.11) now silently fail and require manually granting the Full Disk Access permission to the system extension to start, probably due to Apple's changed security policy. We will prompt users about this in future versions.
1:
See Migration.
We are still working on getting all sing-box apps back on the App Store, which should be completed within a week (SFI on the App Store and others on TestFlight are already available).
With the help of a netizen, we are in the process of getting sing-box apps back on the App Store, which should be completed within a month (TestFlight is already available).
domain_suffix
Due to problems with our Apple developer account, sing-box apps on Apple platforms are temporarily unavailable for download or update. If your company or organization is willing to help us return to the App Store, please contact us.
1:
The new feature allows you to use AdGuard DNS Filter lists in a sing-box without AdGuard Home.
See AdGuard DNS Filter.
1:
Now the QUIC sniffer can correctly extract the server name from Chromium requests and can identify common QUIC clients, including Chromium, Safari, Firefox, quic-go (including uquic disguised as Chrome).
See Protocol Sniff and Route Rule.
1:
See Source Format.
rule-set decompile command
rule-set match command
inline rule-set type [1]
1:
The new rule-set type inline (which also becomes the default type) allows you to write headless rules directly without creating a rule-set file.
2:
sing-box now uses fsnotify correctly and will not cancel watching
if the target file is deleted or recreated via rename (e.g. mv).
This affects all path options that support reload, including
tls.certificate_path, tls.key_path, tls.ech.key_path and rule_set.path.
rule_set_ipcidr_match_source rule items are renamed [2]
rule_set_ip_cidr_accept_empty DNS address filter rule item [3]
1:
Something may be broken, please actively report problems with this version.
2:
rule_set_ipcidr_match_source route and DNS rule items are renamed to rule_set_ip_cidr_match_source and will be removed in sing-box 1.11.0.
3:
See DNS Rule.
auto-route and auto-redirect [1]
1:
See iproute2_table_index, iproute2_rule_index, auto_redirect_input_mark and auto_redirect_output_mark.
1:
See Migration.
2:
The new feature will allow you to configure the destination IP CIDR rules in the specified rule-sets to the firewall automatically.
Specified or unspecified destinations will bypass the sing-box routes to get better performance (for example, keeping hardware offloading of direct traffic on the router).
See route_address_set and route_exclude_address_set.
1:
Due to maintenance difficulties, sing-box 1.10.0 requires at least Go 1.20 to compile.
1:
nftables support and DNS hijacking have been added.
Tun inbounds with auto_route and auto_redirect now work as expected on routers without intervention.
1:
Tun inbounds with auto_route and auto_redirect now work as expected on routers.
2:
Tun inbounds with auto_route and strict_route now work as expected on routers and servers,
but usages of exclude_interface need to be updated.
1:
Linux support is added.
See Tun.
1:
It allows you to use redirect inbound in the sing-box Android client and automatically configures IPv4 TCP redirection via su.
This may alleviate the symptoms of some OCD patients who think that redirect can effectively save power compared to the system HTTP Proxy.
See Redirect.
2:
See Protocol Sniff.
Important changes since 1.8:
domain_suffix behavior update [1]
process_path format update on Windows [2]
client-subnet DNS options [4]
bypass_domain and search_domain platform HTTP proxy options [6]
rule_set_ipcidr_match_source item in DNS rules [7]
dns.independent_cache disabled
1:
See Migration.
2:
See Migration.
3:
The new DNS feature allows you to more precisely bypass Chinese websites via DNS leaks. Do not use plain local DNS if using this method.
Client example updated.
4:
See DNS, DNS Server and DNS Rules.
Since this feature makes the scenario mentioned in alpha.1 no longer leak DNS requests,
the Client example has been updated.
5:
The new feature allows you to cache the check results of Address filter DNS rule items until expiration.
6:
See TUN inbound.
7:
See DNS Rule.
8:
See TunnelVision.
*_route_address in linux auto-route
*_route_address in darwin auto-route
store_rdrc corrupted
1:
See TunnelVision.
1:
Including stable and beta versions, see https://sing-box.sagernet.org/installation/package-manager/
quic-go to v0.42.0
Our TestFlight distribution has been temporarily blocked by Apple (possibly due to too many beta versions), so you cannot join the test, install or update the sing-box beta app right now. Please wait patiently for processing.
1:
Fixed an issue where address filter DNS rule was incorrectly rejected under certain circumstances.
If you have enabled store_rdrc to save results, consider clearing the cache file.
dns.independent_cache disabled
rule_set_ipcidr_match_source item in DNS rules [1]
1:
See DNS Rule.
bypass_domain and search_domain platform HTTP proxy options [1]
1:
See TUN inbound.
1:
The new feature allows you to cache the check results of Address filter DNS rule items until expiration.
quic-go to v0.41.0
client-subnet DNS options [1]
1:
See DNS, DNS Server and DNS Rules.
Since this feature makes the scenario mentioned in alpha.1 no longer leak DNS requests,
the Client example has been updated.
domain_suffix behavior update [1]
process_path format update on Windows [2]
1:
See Migration.
2:
See Migration.
3:
The new DNS feature allows you to more precisely bypass Chinese websites via DNS leaks. Do not use plain local DNS if using this method.
Client example updated.
Important changes since 1.7:
sing-box geoip, sing-box geosite and sing-box rule-set commands [3]
source_ip_is_private and ip_is_private rules [5]
idle_timeout for URLTest outbound [9]
1:
See Cache File and Migration.
2:
rule-sets are independent collections of rules that can be compiled into binaries to improve performance. Compared to legacy GeoIP and Geosite resources, they can include more types of rules, load faster, use less memory, and update automatically.
See Route#rule_set, Route Rule, DNS Rule, rule-set, Source Format and Headless Rule.
For GEO resources migration, see Migrate GeoIP to rule-sets and Migrate Geosite to rule-sets.
3:
New commands manage GeoIP, Geosite and rule-set resources, and help you migrate GEO resources to rule-sets.
4:
Logical rules in route rules, DNS rules, and the new headless rule now allow nesting of logical rules.
5:
The private GeoIP country never existed and was actually implemented inside V2Ray.
Since GeoIP was deprecated, we made this rule independent, see Migration.
6:
JSON parse errors will now include the current key path. Only takes effect when compiled with Go 1.21+.
7:
All internal DNS queries now skip DNS rules with server type fakeip,
and the default DNS server can no longer be fakeip.
This change is intended to break incorrect usage and essentially requires no action.
8:
See TUN inbound and WireGuard outbound.
9:
When URLTest is idle for a certain period of time, the scheduled delay test will be paused.
10:
Added some new fingerprints. Also, starting with this release, uTLS requires at least Go 1.20.
11:
Updated cloudflare-tls, gomobile, smux, tfo-go and wireguard-go to latest, quic-go to 0.40.1 and gvisor to 20231204.0.
path validation behavior [1]
1:
See V2Ray transport.
1:
See TUN inbound and WireGuard outbound.
2:
Added some new fingerprints. Also, starting with this release, uTLS requires at least Go 1.20.
3:
Updated cloudflare-tls, gomobile, smux, tfo-go and wireguard-go to latest, and gvisor to 20231204.0.
This may break something, good luck!
Due to the long waiting time, this version is no longer waiting for approval by the Apple App Store, so updates to Apple Platforms will be delayed.
1:
Designed to optimize the memory usage of idle connections; it may take effect on the following protocols (yes = supported, no = not supported, n/a = not applicable):
| Protocol | TCP | UDP |
|---|---|---|
| HTTP proxy server | yes | n/a |
| SOCKS5 | no | yes |
| Shadowsocks none/AEAD/AEAD2022 | yes | yes |
| Trojan | n/a | yes |
| TUIC/Hysteria/Hysteria2 | no | yes |
| Multiplex | no | yes |
| Plain TLS (Trojan/VLESS without extra sub-protocols) | yes | n/a |
| Other protocols | no | no |
At the same time, everything existing may be broken, please actively report problems with this version.
idle_timeout for URLTest outbound [1]
1:
When URLTest is idle for a certain period of time, the scheduled delay test will be paused.
1:
JSON parse errors will now include the current key path. Only takes effect when compiled with Go 1.21+.
2:
All internal DNS queries now skip DNS rules with server type fakeip,
and the default DNS server can no longer be fakeip.
This change is intended to break incorrect usage and essentially requires no action.
1:
The rules of the rule-sets referenced by the rule_set rule item are now logically merged into the referencing rule, rather than being strictly combined with it by AND logic.
source_ip_is_private and ip_is_private rules [1]
1:
The private GeoIP country never existed and was actually implemented inside V2Ray.
Since GeoIP was deprecated, we made this rule independent, see Migration.
sing-box geoip, sing-box geosite and sing-box rule-set commands [3]
1:
See Cache File and Migration.
2:
rule-sets are independent collections of rules that can be compiled into binaries to improve performance. Compared to legacy GeoIP and Geosite resources, they can include more types of rules, load faster, use less memory, and update automatically.
See Route#rule_set, Route Rule, DNS Rule, rule-set, Source Format and Headless Rule.
For GEO resources migration, see Migrate GeoIP to rule-sets and Migrate Geosite to rule-sets.
3:
New commands manage GeoIP, Geosite and rule-set resources, and help you migrate GEO resources to rule-sets.
4:
Logical rules in route rules, DNS rules, and the new headless rule now allow nesting of logical rules.
Important changes since 1.6:
udp_disable_domain_unmapping inbound listen option [1]
wifi_ssid and wifi_bssid route and DNS rules [5]
1:
If enabled, for UDP proxy requests addressed to a domain, the original packet address will be sent in the response instead of the mapped domain.
This option is used for compatibility with clients that do not support receiving UDP packets with domain addresses, such as Surge.
2:
Introduced in V2Ray 5.10.0.
The new HTTPUpgrade transport has better performance than WebSocket and is better suited for CDN abuse.
3:
Starting in 1.7.0, multiplexing support is no longer enabled by default and needs to be turned on explicitly in inbound options.
4:
Hysteria Brutal Congestion Control Algorithm in TCP. A kernel module needs to be installed on the Linux server, see TCP Brutal for details.
5:
Only supported in graphical clients on Android and Apple platforms.
wifi_ssid and wifi_bssid route and DNS rules [1]
1:
Only supported in graphical clients on Android and Apple platforms.
1:
Starting in 1.7.0, multiplexing support is no longer enabled by default and needs to be turned on explicitly in inbound options.
2:
Hysteria Brutal Congestion Control Algorithm in TCP. A kernel module needs to be installed on the Linux server, see TCP Brutal for details.
1:
Introduced in V2Ray 5.10.0.
The new HTTPUpgrade transport has better performance than WebSocket and is better suited for CDN abuse.
Important changes since 1.5:
brutal_debug option for Hysteria2
1:
None of the existing Golang BBR congestion control implementations have been reviewed or unit tested. This update is intended to address the multi-send defects of the old implementation and may introduce new issues.
2:
Based on discussions with the original author, the brutal CC and QUIC protocol parameters of the old protocol (Hysteria 1) have been updated to be consistent with Hysteria 2.
udp_disable_domain_unmapping inbound listen option [1]
1:
If enabled, for UDP proxy requests addressed to a domain, the original packet address will be sent in the response instead of the mapped domain.
This option is used for compatibility with clients that do not support receiving UDP packets with domain addresses, such as Surge.
auto_route for Linux [1]
1:
When auto_route is enabled and strict_route is disabled, the device can now be reached from external IPv6 addresses.
2:
Built using Go 1.20, the last version that will run on Windows 7, 8, Server 2008, Server 2012 and macOS 10.13 High Sierra, 10.14 Mojave.
1:
Built using Go 1.20, the last version that will run on Windows 7, 8, Server 2008, Server 2012 and macOS 10.13 High Sierra, 10.14 Mojave.
auto_route for Linux [1]
1:
When auto_route is enabled and strict_route is disabled, the device can now be reached from external IPv6 addresses.
1:
Based on discussions with the original author, the brutal CC and QUIC protocol parameters of the old protocol (Hysteria 1) have been updated to be consistent with Hysteria 2.
1:
None of the existing Golang BBR congestion control implementations have been reviewed or unit tested. This update is intended to fix a memory leak flaw in the new implementation introduced in 1.6.0-alpha.1 and may introduce new issues.
brutal_debug option for Hysteria2
1:
None of the existing Golang BBR congestion control implementations have been reviewed or unit tested. This update is intended to address the multi-send defects of the old implementation and may introduce new issues.
Important changes since 1.4:
set_system_proxy option in HTTP inbound
interrupt_exist_connections option for Selector and URLTest outbounds [4]
merge command [6]
1:
Command: sing-box generate ech-keypair <plain_server_name> [--pq-signature-schemes-enabled]
2:
All inbounds and outbounds are supported, including Naiveproxy, Hysteria[/2], TUIC and the V2Ray QUIC transport.
3:
See Hysteria2 inbound and Hysteria2 outbound.
For the protocol description, please refer to https://v2.hysteria.network
4:
Interrupt existing connections when the selected outbound has changed.
Only inbound connections are affected by this setting, internal connections will always be interrupted.
5:
Only Alibaba Cloud DNS and Cloudflare are supported, see ACME Fields
and DNS01 Challenge Fields.
6:
This command also parses path resources that appear in the configuration file and replaces them with embedded configuration, such as TLS certificates or SSH private keys.
Security Advisory
This update fixes an improper authentication vulnerability in the sing-box SOCKS inbound. This vulnerability allows an attacker to craft special requests to bypass user authentication. All users exposing SOCKS servers with user authentication in an insecure environment are advised to update immediately.
merge command [1]
1:
This command also parses path resources that appear in the configuration file and replaces them with embedded configuration, such as TLS certificates or SSH private keys.
Merge configurations
Usage:
  sing-box merge [output] [flags]
Flags:
  -h, --help   help for merge
Global Flags:
  -c, --config stringArray             set configuration file path
  -C, --config-directory stringArray   set configuration directory path
  -D, --directory string               set working directory
      --disable-color                  disable color output
1:
Only Alibaba Cloud DNS and Cloudflare are supported,
see ACME Fields
and DNS01 Challenge Fields.
interrupt_exist_connections option for Selector and URLTest outbounds [1]
1:
Interrupt existing connections when the selected outbound has changed.
Only inbound connections are affected by this setting, internal connections will always be interrupted.
1:
Added notes indicating compatibility issues with the official
Hysteria2 server and client when using fastOpen=false or UDP MTU >= 1200.
1:
See Hysteria2 inbound and Hysteria2 outbound.
For the protocol description, please refer to https://v2.hysteria.network
set_system_proxy option in HTTP inbound
1:
Command: sing-box generate ech-keypair <plain_server_name> [--pq-signature-schemes-enabled]
2:
All inbounds and outbounds are supported, including Naiveproxy, Hysteria, TUIC and the V2Ray QUIC transport.
Important changes since 1.3:
udp_over_stream option for TUIC client [2]
include_interface and exclude_interface options for tun inbound
1:
See TUIC inbound and TUIC outbound.
2:
This is the TUIC port of the UDP over TCP protocol, designed to provide a QUIC stream based UDP relay mode that TUIC does not provide. Since it is an add-on protocol, you will need to use sing-box or another program compatible with the protocol as a server.
This mode has no positive effect in a proper UDP proxy scenario and should only be applied to relay streaming UDP traffic (basically QUIC streams).
3:
Requires sing-box to be compiled with Go 1.21.
udp_over_stream option for TUIC client [1]
include_interface and exclude_interface options for tun inbound
1:
This is the TUIC port of the UDP over TCP protocol, designed to provide a QUIC stream based UDP relay mode that TUIC does not provide. Since it is an add-on protocol, you will need to use sing-box or another program compatible with the protocol as a server.
This mode has no positive effect in a proper UDP proxy scenario and should only be applied to relay streaming UDP traffic (basically QUIC streams).
1:
Requires sing-box to be compiled with Go 1.21.
1:
See TUIC inbound and TUIC outbound.
1:
Due to the requirement of tvOS 17, the app cannot be submitted to the App Store for the time being, and can only be downloaded through TestFlight.
1:
The old testflight link and app are no longer valid.
Important changes since 1.2:
rewrite_ttl DNS rule action
store_fakeip Clash API option
external_ui directory is empty
system tun stack for ios
independent_cache option for DNS
cache_id option for Clash cache file
local DNS transport for Android
1:
See FAQ for more information.
2:
Added new h2mux multiplex protocol and padding multiplex option, see Multiplex.
local DNS transport for Android
1:
If the destination address of the connection is obtained from fakeip, DNS rules with server type fakeip will be skipped.
cache_id option for Clash cache file
independent_cache option for DNS
1:
2:
Improved performance and reduced memory usage.
1:
Added new h2mux multiplex protocol and padding multiplex option, see Multiplex.
system tun stack for ios*
1:
This is an incompatible update for XUDP in VLESS if vision flow is enabled.
path and headers options for HTTP outbound
external_ui directory is empty
external_ui directory is empty
rewrite_ttl DNS rule action
store_fakeip Clash API option
1:
It can currently be used to route connections directly to WireGuard or block connections at the IP layer.
2:
See FAQ for more information.
any outbound in dns rule [1]
1:
Now you can use the any outbound rule to match server address queries instead of filling all server domains into a domain rule.
Important changes since 1.1:
1:
Now you can pass the parameter --config or -c multiple times, or use the new parameter --config-directory or -C
to load all configuration files in a directory.
Loaded configuration files are sorted by name. If you want to control the merge order, add a numeric prefix to the file name.
auto_detect_interface incorrectly identifying the default interface on Windows
Important changes since 1.0:
1:
The fallback_after option has been removed.
1:
Added fallback_after option.
1:
The auth and auth_str fields have been replaced by the users field.
1:
The strict_route on windows is removed.
1:
2:
See ShadowTLS inbound and ShadowTLS outbound.
1:
The build tag no_gvisor is replaced by with_gvisor.
The default tun stack is changed to system.
1:
Switching modes using the Clash API, and store-selected are now supported,
see Experimental.
2:
ECH (Encrypted Client Hello) is a TLS extension that allows a client to encrypt the first part of its ClientHello message, see TLS#ECH.
uTLS is a fork of "crypto/tls", which provides ClientHello fingerprinting resistance, see TLS#uTLS.
1:
In previous versions, Android VPN would not work with tun enabled.
The usage of tun over VPN and VPN over tun is now supported, see Tun Inbound.
2:
In previous releases, WireGuard outbound support was backed by the lower performance gVisor virtual interface.
It achieves the same performance as wireguard-go by providing automatic system interface support.
3:
It does not depend on gVisor and has better performance in some cases.
It is less compatible and may not be available in some environments.
4:
Annotated json configuration files are now supported.
5:
UDP fragmentation is now blocked by default.
shadowsocks-libev, shadowsocks-rust and quic-go likewise all disable segmentation by default.
See Dial Fields and Listen Fields.
No changelog before.