v1.14.3

What's Changed

Configs example

REALITY is experimental support and may have compatibility issues

• feat: support set tun file-descriptor in config file by @wwqgtxx
• feat: Support Restls-V1 in Clash.Meta (#441) by @3andne
• feat: Update UoT protocol by @nekohasekai
• feat: Converter support REALITY share standard by @H1JK
• feat: REALITY use proxy servername by @H1JK
• feat: Support REALITY protocol by @H1JK
• feat: Support VLESS XTLS Vision (#406) by @H1JK
• feat: add sni field for tuic by @Skyxim
• feat: add upgrade api by @Larvan2
• feat: nameserver-policy support multiple keys by @Larvan2
• feta: add hosts support domain and mulitple ip (#439) by @Skyxim
• refactor: tcp dial (#412) by @Skyxim

Maintenance

• chore: Better REJECT conn by @H1JK
• chore: Chore: adjust the loading order, and then load the resource at last by @Skyxim
• chore: Cleanup REALITY code by @H1JK
• chore: Generate UUID from fastrand by @H1JK
• chore: Improve REALITY handshake by @H1JK
• chore: Remove useless mutex in Vision by @H1JK
• chore: Update dependencies by @wwqgtxx
• chore: Vision padding upgrade by @H1JK
• chore: proxy-server-nameserver does not follow the nameserver-policy by @Skyxim
• chore: add /restart to restful api by @wwqgtxx
• chore: add comment by @Skyxim
• chore: add custom ca trust by @Skyxim
• chore: add early conn interface to decrease unneeded write by @wwqgtxx
• chore: add more utls fingerprints by @wwqgtxx
• chore: add pprof api, when log-level is debug by @Skyxim
• chore: add reality-grpc by @Larvan2
• chore: add release branch by @Larvan2
• chore: add sni of tuic in demo by @Skyxim
• chore: adjust error log by @Skyxim
• chore: adjust log by @Skyxim
• chore: adjust the configuration loading order by @Skyxim
• chore: adjust trust cert by @Skyxim
• chore: better REJECT process by @wwqgtxx
• chore: better TunnelStatus define by @wwqgtxx
• chore: better geodata shared by @wwqgtxx
• chore: better release notes by @Larvan2
• chore: better release notes by @kunish
• chore: better rename by @Larvan2
• chore: better restls by @wwqgtxx
• chore: better uuid using by @wwqgtxx
• chore: better windows bind error handle by @wwqgtxx
• chore: better workflow by @Larvan2
• chore: better workflow by @MetaCubeX
• chore: better workflow by @wwqgtxx
• chore: change default geo* url by @Larvan2
• chore: change internal tcp traffic type by @Skyxim
• chore: clean up code by @Larvan2
• chore: clean up code by @wwqgtxx
• chore: cleanup code by @wwqgtxx
• chore: cleanup dialer's code by @wwqgtxx
• chore: code cleanup by @wwqgtxx
• chore: disconnect when suspended by @Skyxim
• chore: do not apply padding for nonTLS packet with contentLen over 900 by @Larvan2
• chore: do not modify ALPN in utls by @Larvan2
• chore: exposure ipv6 wait time by @Skyxim
• chore: fix issues #440 by @Larvan2
• chore: format code by @Skyxim
• chore: keep existing connections by @Skyxim
• chore: move sing-tun's udpTimeout fix to there lib by @wwqgtxx
• chore: parse the allowInsecure field for the trojan uri scheme by @MetaCubeX
• chore: push latest alpha core to MetaCubeX/AlphaBinary by @Larvan2
• chore: rename delete.yml by @Larvan2
• chore: reset tunName in macos when it isn't startWith "utun" by @wwqgtxx
• chore: Simplify VLESS handshake lock by @H1JK
• chore: set prerelease notes timezone of release create time to Asia/Shanghai by @kunish
• chore: shadowsocks listener support the "udp" setting by @wwqgtxx
• chore: share the same geodata in different rule by @wwqgtxx
• chore: skip restart when update error by @Larvan2
• chore: support TFO for outbounds by @wwqgtxx
• chore: try to fix slice out of bound. by @Larvan2
• chore: Update flake.nix (#452) by @yaoshiu
• chore: update for testing the updater by @Larvan2
• chore: update quic-go by @wwqgtxx
• chore: update quic-go to release unused buffer when error by @wwqgtxx
• chore: update readme by @Larvan2
• chore: update utls library by @wwqgtxx
• chore: update xray-core version by @Larvan2
• chore: use early conn to support real ws 0-rtt by @wwqgtxx
• chore: use fastrand to replace math/rand by @wwqgtxx
• chore: use inner for upgrade core by @Larvan2
• chore: using sing-shadowtls to support shadowtls v1/2/3 by @wwqgtxx
• chore: wireguard using internal dialer by @wwqgtxx

BUG & Fix

• fix: ALPN not applied in uTLS/REALITY by @H1JK
• fix: Adjust the timing of subscription information acquisition by @Skyxim
• fix: Converter REALITY security type by @H1JK
• fix: Filter slice index out of bounds by @H1JK
• fix: REALITY with gRPC transport by @H1JK
• fix: SA4001 for net.UDPAddr copy by @wwqgtxx
• fix: SA4001 for netDialer copy by @wwqgtxx
• fix: The default interface is actually configured incorrectly by @Skyxim
• fix: ToLower first by @Larvan2
• fix: Vision disable filter for non-TLS connections by @H1JK
• fix: Vision filter Client Hello by @H1JK
• fix: Vision filter TLS 1.2 by @H1JK
• fix: Vision filter TLS 1.2 by @wwqgtxx
• fix: add "dns resolve failed" error in dialer by @wwqgtxx
• fix: add version of shadow-tls plugin in docs/config.yaml by @wwqgtxx
• fix: add xtls-rprx-vision server version warning to user by @wwqgtxx
• fix: checkTunName mistake by @wwqgtxx
• fix: dial panic by @Skyxim
• fix: dialer dual stack panic by @Skyxim
• fix: dns resolve in dialer by @wwqgtxx
• fix: dns resolver by @wwqgtxx
• fix: don't return a non-nil interface containing nil pointer by @wwqgtxx
• fix: dual stack serial dial by @Skyxim
• fix: ensure peekMutex is locked before handleSocket by @wwqgtxx
• fix: ensure restart api return ok by @wwqgtxx
• fix: ensure wireguard inner use dialer with DefaultResolver by @wwqgtxx
• fix: geosite of nameserver-policy cannot be loaded correctly by @MetaCubeX
• fix: global-client-fingerprint is now work by @Larvan2
• fix: golang1.19 can't compile by @wwqgtxx
• fix: handle no IP address by @Skyxim
• fix: incorrect time to set interface name by @Skyxim
• fix: inner http use host of address by @Skyxim
• fix: ip version prefer not working by @Skyxim
• fix: let quic-go works on outbound's packetConn by @wwqgtxx
• fix: load-balance's touch not effected by @wwqgtxx
• fix: loadbalance panic by @wwqgtxx
• fix: log typo by @MetaCubeX
• fix: optimize health check by @Skyxim
• fix: peek not work with some inbound by @wwqgtxx
• fix: rand ip error and clash remove loopback ip by @Skyxim
• fix: reject's dial warning by @wwqgtxx
• fix: replace self define "connect timeout" to os.ErrDeadlineExceeded by @wwqgtxx
• fix: sing-vmess listener‘s "cipher: message authentication failed" by @wwqgtxx
• fix: sing_tun apply udpTimeout when using gvisor stack by @wwqgtxx
• fix: strategyRoundRobin not begin with zero by @wwqgtxx
• fix: tproxy listener cannot listen udp by @Skyxim
• fix: tuic missing routing mark by @wwqgtxx
• fix: tuic relay tuic by @wwqgtxx
• fix: tuic server close with error message by @wwqgtxx
• fix: tuic server set authentication timeout after quic handshake complete by @wwqgtxx
• fix: tuic udp native mode can't relay packetSize>1200 by @wwqgtxx
• fix: tunnel's inboundTFO missing by @wwqgtxx
• fix: udp loopback show "The requested address is not valid in its context." by @wwqgtxx
• fix: unmap 4in6 address in dialer and wireguard by @wwqgtxx
• fix: uot client's WriteTo mistake by @wwqgtxx
• fix: upgrade backup by @Larvan2
• fix: vless NeedHandshake mistake by @wwqgtxx

New Contributors

• @3andne made their first contribution in #441
• @yaoshiu made their first contribution in #452

Full Changelog: v1.14.2...v1.14.3

v1.14.2

What's Changed

• fix: skip-cert-verify is true by default by @3andero in #333
• chore: Refine process code by @cubemaze
• chore: adjust the case of Program names and HttpRequest UA by @cubemaze
• Fix: TLS defaults to true for h2/grpc networks by @cubemaze
• refactor: replace experimental.fingerprints with custom-certificates and Change the fingerprint verification logic to SSL pinning by @Skyxim
• fix: ss converter cipher missing by @cubemaze
• fix: config parse error by @Skyxim
• chore: better workflow by @wwqgtxx
• refactor: Implement extended IO by @H1JK
• chore: tuic decrease unneeded copy by @wwqgtxx
• chore: decrease direct depend on the sing package by @wwqgtxx
• fix: addr panic by @wwqgtxx
• adjust: Improve WebSocket mask by @H1JK
• feat: gRPC gun implement extended writer by @H1JK
• chore: Update BBR config by @Larvan2
• fix: tuic server's SetCongestionController by @wwqgtxx
• fix: tuic server's MaxIncomingStreams by @wwqgtxx
• fix: tcpTracker's upload by @wwqgtxx
• chore: new Random TLS KeyPair when empty input by @wwqgtxx
• Fix: Remove EnableProcess from config.go and enable-process from config.yaml. FindProcess is now enabled by default when the rule set contains process-name rules by @Larvan2
• fix: ShadowTLS header use array instead by @H1JK
• feat: better config for sniffer by @Skyxim
• feat: add override-destination for sniffer by @Skyxim
• make ConvertsV2Ray more robust by @ag2s20150909 in #349
• Chore: Decrease the default MaxUdpRelayPacketSize to 1252 to avoid the relay UDP exceeding the size of the QUIC's datagram. ClientMaxOpenStreams now follows the config.yaml option by @Larvan2
• chore: better source address by @Skyxim
• feat: Converter support WS early data parameters by @H1JK
• fix: sub-rule condition don't work by @Skyxim
• chore: better parse udp dns by @Skyxim
• Chore: Add GEO data url configuration by @Larvan2
• Chore: Change default latency test url to HTTPS by @Larvan2
• Chore: Better parsing pure IPv6 UDP DNS by @Larvan2
• chore: better parsing pure UDP DNS by @Larvan2
• feature: geosite-based nameserver policy by @i40e
• chore: restful api display xudp for VLESS and VMess by @cubemaze
• chore: adjust keyword for geosite-based nameserver policy by @cubemaze
• adjust: VLESS enable XUDP by default by @H1JK
• docs(README.md): remove missing image link, mention Yacd-meta by @kunish in #356
• fix: get tlsconfig err not handle, return nil pointer #358 by @tgNotHouse in #360
• feat: Add utls for client's fingerprint. by @Larvan2 in #361
• chore: fix mips atomic panic by @wwqgtxx
• feat: nameserver policy support multiple server by @Skyxim
• fix: Converter Shadowsocks password parse by @H1JK
• chore: override-destination default value is true by @Skyxim
• feat: add global-client-fingerprint by @Larvan2
• fix: sniff domain don't match geosite when override-destination valuE is false by @Skyxim
• chore: do not use extra pointer in UClient by @wwqgtxx
• chore: avoid repeated wrapper by @Skyxim
• fix: tun udp with 4in6 ip by @wwqgtxx
• chore: better bind in windows by @wwqgtxx
• fix: RoundRobin strategy of load balance when called multiple times by @Ovear in #390
• feat: introduce a new robust approach to handle tproxy udp by @Ovear in #389
• style: run go fmt on every .go file by @kunish in #392
• fix: parsing ipv6 doh error by @Skyxim
• chore: Considering remove GOAMD64=v2 of linux-amd64-compatible by @wwqgtxx
• fix: websocket headroom by @wwqgtxx
• fix: disable header protection in vmess server by @wwqgtxx

Config changes

#  全局TLS指纹,优先低于proxy内的 client-fingerprint
#  可选："chrome","firefox","safari","ios","random","none" options.
#  Utls is currently support TLS transport in TCP/grpc/WS/HTTP for VLESS/Vmess and trojan.
global-client-fingerprint: chrome

# DNS 分流支持 GeoSite
dns:
    #此处省略部分设置#
  nameserver-policy:
    "geosite:cn": 
      - https://doh.pub/dns-query
      - https://dns.alidns.com/dns-query
      
  nameserver:
  - https://dns.google/dns-query
  - https://dns.cloudflare.com/dns-query
  - https://doh.opendns.com/dns-query
  - https://doh.dns.sb/dns-query

# 嗅探域名 
sniffer:
  enable: false
  ## 对 redir-host 类型识别的流量进行强制嗅探
  ## 如：Tun、Redir 和 TProxy 并 DNS 为 redir-host 皆属于
  # force-dns-mapping: false
  ## 对所有未获取到域名的流量进行强制嗅探
  # parse-pure-ip: false
  # 是否使用嗅探结果作为实际访问，默认 true
  # 全局配置，优先级低于 sniffer.sniff 实际配置
  override-destination: false
  sniff:
    # TLS 默认如果不配置 ports 默认嗅探 443
    TLS:
    #  ports: [443, 8443]

    # 默认嗅探 80
    HTTP:
      # 需要嗅探的端口

      ports: [80, 8080-8880]
      # 可覆盖 sniffer.override-destination
      override-destination: true
  force-domain:
    - +.v2ex.com
  ## 对嗅探结果进行跳过
  # skip-domain:
  #   - Mijia Cloud

proxies:
  #此处省略部分设置#
  # vmess
  - name: "vmess"
    type: vmess/vless/trojan
    client-fingerprint: chrome   
    #  可选："chrome","firefox","safari","ios","random","none" options.
    #  Utls is currently support TLS transport in TCP/grpc/WS/HTTP for VLESS/Vmess and trojan.

New Contributors

• @kunish made their first contribution in #356
• @tgNotHouse made their first contribution in #360
• @Ovear made their first contribution in #390

Full Changelog: v1.14.1...v1.14.2

v1.14.1

What's Changed

• Chore: proxy-provider and proxy-groups support exclude node by node type by @ag2s20150909
• Fix: Process rule is not work in classical rule-set by @Skyxim
• Fix #322: add option general.find-process-mode, user can turn off findProcess feature in router by @chain710
• Fix: geoip mmdb/geodata init by @cubemaze
• Fix: vless RoutingMark bind by @cubemaze
• Fix: vmess udp by @wwqgtxx
• Chore: vemss converter xudp is true by default by @cubemaze
• Fix: ss2022 converter password decode error by @cubemaze
• Chore: Refine converter packet encoding parse by @H1JK
• Fix: Converter VMess XUDP not enabled by default when using v2rayN style share linkby @H1JK
• Chore: ss2022 converter method verify by @cubemaze
• Feat: Support ShadowTLS v2 as Shadowsocks plugin by @3andero
• Fix: dns cache index out of range by @wwqgtxx
• Feat: VLESS support packet encodings by @H1JK
• Refactor: VLESS with packet encodings by @H1JK
• Fix: Deprecate TCPMSS by @Larvan2

New Contributors

• @ag2s20150909 made their first contribution in #321
• @Rasphino made their first contribution in #327
• @Larvan2 made their first contribution in #336

Full Changelog: v1.14.0...v1.14.1

v1.14.0

What's Changed

• Chore: add exclude-filter to ProxyGroup by @wwqgtxx
• Chore: support wireguard outbound by @wwqgtxx (doc)
• Chore: add vmess, shadowsocks, tcptun and udptun listener by @wwqgtxx (doc)
• Chore: support IN-PORT rule by @wwqgtxx
• Featrue: DoH and DoQ are implemented using AdGuardTeam/dnsProxy, DoH support perfer and force http3 @Skyxim
• Chore: better dns background fetch retrying by @wwqgtxx
• Chore: Update tfo to v2, ss and vmess inbound add tfo by @zhudan
• Chore: support old chacha20 by @wwqgtxx
• Chore: add retry in tunnel dial by @wwqgtxx
• Chore: add tuic outbound by @wwqgtxx (doc)
• Feat: support fast_open for hysteria, and unified parameter naming by @Skyxim
• Chore: decrease DomainTrie's memory use by @wwqgtxx
• Fix: a temporary solution for error reporting when enabling tun for devices that do not have an ipv6 environment by @cubemaze
• Feat: add tls port for RESTful api and external controller by @Skyxim (doc)
• Feat: add listeners by @Skyxim (doc, doc)
• Chore: listeners support tuic/shadowsocks/vmess/tunnel/tun by @wwqgtxx (doc)
• Chore: Android version supports child processes following the main process rules by @cubemaze
• Chore: wireguard's reserved support base64 input by @wwqgtxx
• Chore: support relay native udp when using ss and ssr protocol by @wwqgtxx
• Chore: rebuild relay by @wwqgtxx
• Chore: linux ipv6 REDIRECT by @embeddedlove in #311
• Fix: trying to let hysteria's port hopping work by @wwqgtxx
• Update README.md by @tdjnodj in #282
• Fix nix build fail by @oluceps in #302

New Contributors

• @tdjnodj made their first contribution in #282
• @embeddedlove made their first contribution in #311

Full Changelog: v1.13.2...v1.14.0

v1.13.2

What's Changed

• Add iptables package to docker by @sjtuross in #189
• Chore: compatible with Stash hysteria config by @StashNetworks in #191
• add: flake.nix and other required files for nix build by @oluceps in #201
• Refactor flake by @oluceps in #202
• add: current version and BuildTime for nix build by @oluceps in #203
• Update vendorSha256 by @oluceps in #206
• add: with_gvisor tag for nix build by @oluceps in #207
• docker: add iptables package by @sjtuross
• fix: when connection refused active health test by @Skyxim
• chore: Cache and skip multiple failed addresses @Skyxim
• chore: add global-padding support for vmess by @H1JK
• chore: add xudp and packet-encoding support for vmess by @wwqgtxx
• chore: use sing-tun to replace old tun_adapter (support IPV6 in tun now) by @wwqgtxx
• chore: add parse-pure-ip and force-dns-mapping in sniffer by @wwqgtxx
• chore: parse user's hosts before remoteDial by @wwqgtxx
• chore: support multi filter like subconverter in ProxyProvider and GroupBase and add exclude-filter to ProxyProvider by @wwqgtxx

New Contributors

• @sjtuross made their first contribution in #189
• @StashNetworks made their first contribution in #191

Full Changelog: v1.13.1...v1.13.2

v1.13.1

What's Changed

• 入站增加TFO支持(默认不开启) by @zhudan in #129
• support ebpf by @zhudan in #144
• fix: Converter error when VMess aid field not exists by @H1JK in #151
• feat: Update Converter by @H1JK in #167
• Alpha by @zhudan in #174
• Add ip-version param for proxy, wiki @Skyxim

New Contributors

• @H1JK made their first contribution in #151

Full Changelog: v1.12.0...v1.13.0

v1.12.0

Feature

• Hysteria协议支持

  # 部分配置
   - name: hysteria-node
     type: hysteria
     server: server
     port: port
     auth_str: pass
     protocol: udp
     up: 40 #默认为Mbps
     down: 400
  

• Shadowsocks-2022加密方式支持

  • 2022-blake3-aes-128-gcm
  • 2022-blake3-aes-256-gcm
  • 2022-blake3-chacha20-poly1305

  Shadowsocks-2022采用预共享密钥方式作为密码，不同加密方式对密钥长度有要求，可参考 Xray

• Shadowsocks 支持UDP over TCP(Xray-core v1.5.7)

  udp-over-tcp: true
  

v1.11.2

• Proxy Provider允许通用订阅格式(V2ray URL形式)

ss://xxx
ssr://xxx
trojan://xxx

• IP-SUFFIX规则，用于匹配源IP后缀(可用于EUI-64)
• 添加更多RESTful Api支持，用于WebUI临时调整设置
• 其他Bug修复和依赖升级

v1.11.1

• 调整DOQ过代理问题 #59
• 调整主动健康检测触发逻辑
• 修复Android的auto-detect-interface
• 修正Rule-Set没有正常判断是否解析IP
• 添加Rule-Set的no-resolve参数

实验性添加负载均衡算法

  - name: "load-balance"
     type: load-balance
     strategy: sticky-sessions
     proxies:
       - trojan
       - ss
     url: 'http://www.gstatic.com/generate_204'
     interval: 600

v1.11.0

增加域名嗅探

域名嗅探，用于嗅探TCP请求中实际的域名

sniffer:
    enable: true #控制开关
    sniffing:
        - tls
        - http
    port-whitelist: #目的端口白名单，嗅探器只会嗅探白名单中的端口，默认0-65535，推荐设置成常见端口
        - 80
        - 443
        - 8000-9000
    skip-domain: # 嗅探的域名结果如果在此名单则不会生效
        - baidu.com
        - google.com
    force-domain: # 需要嗅探的域名，这里域名是clash原有逻辑获取的域名，如为空则只会嗅探IP请求，如填写'+'则嗅探所有请求     
        - +.qq.com

添加TCP并发连接

TCP并发连接将使用所有IP进行TCP握手，并使用最先握手的IP进行后续请求

tcp-concurrent: true #默认为false

完善Relay策略组

Relay策略可以利用udp over tcp的协议作为落地协议从而使其支持UDP

  - name: RelayTest
    type: relay
    proxies:
      - Chains
      - Trojan # Vmess Snell...

策略组过滤节点优化

优化节点过滤逻辑，当前将不会每次请求进行一次过滤匹配，减少无意义的消耗

其他

• IPv6

  ipv6: false 将完全关闭IPv6请求，不允许IPv6请求连接，包括纯IPv6

• DOQ

  DOQ环流问题优化

• 支持UUID Map
  详情见 XTLS/Xray-core#158

• 稳定性优化