sing-box 1.12.0-rc.3 has been released.

* Fixes and improvements

https://github.com/SagerNet/sing-box/releases/tag/v1.12.0-rc.3

sing-box 1.12.0-rc.4 has been released.

* Fixes and improvements

https://github.com/SagerNet/sing-box/releases/tag/v1.12.0-rc.4

sing-box 1.12.0 has been released.

Important changes since 1.11:

* Refactor DNS servers 1
* Add domain resolver options2
* Add TLS fragment/record fragment support to route options and outbound TLS options 3
* Add certificate options 4
* Add Tailscale endpoint and DNS server 5
* Drop support for go1.22 6
* Add AnyTLS protocol 7
* Migrate to stdlib ECH implementation 8
* Add NTP sniffer 9
* Add wildcard SNI support for ShadowTLS inbound 10
* Improve auto_redirect 11
* Add control options for listeners 12
* Add DERP service 13
* Add Resolved service and DNS server 14
* Add SSM API service 15
* Add loopback address support for tun 16
* Improve tun performance on Apple platforms 17
* Update quic-go to v0.52.0
* Update gVisor to 20250319.0
* Update the status of graphical clients in stores 18

1:

DNS servers are refactored for better performance and scalability.

See DNS server.

For migration, see Migrate to new DNS server formats.

Compatibility for old formats will be removed in sing-box 1.14.0.

2:

Legacy outbound DNS rules are deprecated and can be replaced by the new domain_resolver option.

See Dial Fields and Route.

For migration,
see Migrate outbound DNS rule items to domain resolver.

3:

See Route Action and TLS.

4:

New certificate options allow you to manage the default list of trusted X509 CA certificates.

For the system certificate list, fixed Go not reading Android trusted certificates correctly.

You can also use the Mozilla Included List instead, or add trusted certificates yourself.

See Certificate.

5:

See Tailscale.

6:

Due to maintenance difficulties, sing-box 1.12.0 requires at least Go 1.23 to compile.

For Windows 7 users, legacy binaries now continue to compile with Go 1.23 and patches from MetaCubeX/go.

7:

The new AnyTLS protocol claims to mitigate TLS proxy traffic characteristics and comes with a new multiplexing scheme.

See AnyTLS Inbound and AnyTLS Outbound.

8:

See TLS.

The build tag with_ech is no longer needed and has been removed.

9:

See Protocol Sniff.

10:

See ShadowTLS.

11:

Now auto_redirect fixes compatibility issues between tun and Docker bridge networks, see Tun.

12:

You can now set bind_interface, routing_mark and reuse_addr in Listen Fields.

See Listen Fields.

13:

DERP service is a Tailscale DERP server, similar to derper.

See DERP Service.

14:

Resolved service is a fake systemd-resolved DBUS service to receive DNS settings from other programs (e.g. NetworkManager) and provide DNS resolution.

See Resolved Service and Resolved DNS Server.

15:

SSM API service is a RESTful API server for managing Shadowsocks servers.

See SSM API Service.

16:

TUN now implements SideStore's StosVPN.

See Tun.

17:

We have significantly improved the performance of tun inbound on Apple platforms, especially in the gVisor stack.

18:

We continue to experience issues updating our sing-box apps on the App Store and Play Store. Until we rewrite and resubmit the apps, they are considered irrecoverable. Therefore, after this release, we will not be repeating this notice unless there is new information.

https://github.com/SagerNet/sing-box/releases/tag/v1.12.0

sing-box 1.12.1 has been released.

* Fixes and improvements

https://github.com/SagerNet/sing-box/releases/tag/v1.12.1

sing-box 1.13.0-alpha.1 has been released.

* Add interface address rule items 1
* Fixes and improvements

1:

New interface address rules allow you to dynamically adjust rules based on your network environment.

See Route Rule, DNS Route Rule and Headless Rule.

https://github.com/SagerNet/sing-box/releases/tag/v1.13.0-alpha.1

sing-box 1.13.0-alpha.2 has been released.

* Add preferred_by rule item 1
* Fixes and improvements

1:

The new preferred_by routing rule item allows you to match preferred domains and addresses for specific outbounds.

See Route Rule.

https://github.com/SagerNet/sing-box/releases/tag/v1.13.0-alpha.2

sing-box 1.13.0-alpha.6 has been released.

* Add proxy support for ICMP echo request 1
* Fixes and improvements

1:

You can now match ICMP echo (ping) requests using the new icmp network in routing rules.

Such traffic originates from TUN, WireGuard, and Tailscale inbounds and can be routed to Direct, WireGuard, and Tailscale outbounds.

See Route Rule.

https://github.com/SagerNet/sing-box/releases/tag/v1.13.0-alpha.6

sing-box 1.13.0-alpha.7 has been released.

* Add reject support for ICMP echo supports 1
* Fixes and improvements

1:

You can now reject, drop, or directly reply to ICMP echo (ping) requests using reject Route Action.

See Route Action.

https://github.com/SagerNet/sing-box/releases/tag/v1.13.0-alpha.7

sing-box 1.13.0-alpha.9 has been released.

* Add kTLS support 1
* Fixes and improvements

1:

See TLS.

https://github.com/SagerNet/sing-box/releases/tag/v1.13.0-alpha.9

sing-box 1.13.0-alpha.10 has been released.

* Improve kTLS support 1
* Fixes and improvements

1:

kTLS is now compatible with custom TLS implementations other than uTLS.

https://github.com/SagerNet/sing-box/releases/tag/v1.13.0-alpha.10

sing-box 1.13.0-alpha.15 has been released.

* Update quic-go to v0.54.0
* Update gVisor to v20250811
* Update Tailscale to v1.86.5
* Fixes and improvements

https://github.com/SagerNet/sing-box/releases/tag/v1.13.0-alpha.15

sing-box 1.12.10 and 1.13.0-alpha.22 have been released.

* Update uTLS to v1.8.1 1
* Fixes and improvements

1:

This update fixes an critical issue that could cause simulated Chrome fingerprints to be detected,
see https://github.com/refraction-networking/utls/pull/375.

https://github.com/SagerNet/sing-box/releases/tag/v1.12.10
https://github.com/SagerNet/sing-box/releases/tag/v1.13.0-alpha.22

sing-box 1.13.0-alpha.23 has been released.

* Fix compatibility with MPTCP 1
* Fixes and improvements

1:

auto_redirect now rejects MPTCP connections by default to fix compatibility issues, but you can change it to bypass the sing-box via the new exclude_mptcp option.

See TUN.

https://github.com/SagerNet/sing-box/releases/tag/v1.13.0-alpha.23

sing-box 1.13.0-alpha.26 has been released.

* Update quic-go to v0.55.0
* Fix memory leak in hysteria2
* Fixes and improvements

https://github.com/SagerNet/sing-box/releases/tag/v1.13.0-alpha.26

sing-box 1.12.13 has been released.

* Fix naive inbound
* Fixes and improvements

* Unfortunately, for non-technical reasons, we are currently unable to notarize the standalone version of the macOS client: because system extensions require signatures to function, we have had to temporarily halt its release.
We plan to fix the App Store release issue and launch a new standalone desktop client, but until then, only clients on TestFlight will be available (unless you have an Apple Developer Program and compile from source code).

https://github.com/SagerNet/sing-box/releases/tag/v1.12.13

sing-box 1.13.0-alpha.28 has been released.

* Add naiveproxy outbound 1
* Add disable_tcp_keep_alive, tcp_keep_alive and tcp_keep_alive_interval options for dial fields 2
* Update default TCP keep-alive initial period from 10 minutes to 5 minutes
* Update quic-go to v0.57.1
* Fixes and improvements

1:

Only available on Apple platforms, Android, Windows and some Linux architectures.

See NaiveProxy outbound.

2:

See Dial Fields.

* Unfortunately, for non-technical reasons, we are currently unable to notarize the standalone version of the macOS client: because system extensions require signatures to function, we have had to temporarily halt its release.
We plan to fix the App Store release issue and launch a new standalone desktop client, but until then, only clients on TestFlight will be available (unless you have an Apple Developer Program and compile from source code).

https://github.com/SagerNet/sing-box/releases/tag/v1.13.0-alpha.28

sing-box 1.13.0-alpha.29 has been released.

* Add UDP over TCP support for naiveproxy outbound 1
* Fixes and improvements

1:

See NaiveProxy outbound.

https://github.com/SagerNet/sing-box/releases/tag/v1.13.0-alpha.29

sing-box 1.13.0-alpha.30 has been released.

* Add ECH support for NaiveProxy outbound 1
* Add tls.ech.query_server_name option 2
* Fix NaiveProxy outbound on Windows 3
* Add OpenAI Codex Multiplexer service 4
* Fixes and improvements

1:

See NaiveProxy outbound.

2:

See TLS.

3:

Each Windows release now includes libcronet.dll.
Ensure this file is in the same directory as sing-box.exe or in a directory listed in PATH.

4:

See OCM.

https://github.com/SagerNet/sing-box/releases/tag/v1.13.0-alpha.30

sing-box 1.13.0-alpha.31 has been released.

* Add QUIC support for NaiveProxy outbound 1
* Add QUIC congestion control option for NaiveProxy 2
* Fixes and improvements

1:

NaiveProxy outbound now supports QUIC.

See NaiveProxy outbound.

2:

NaiveProxy inbound and outbound now supports configurable QUIC congestion control algorithms, including BBR and BBRv2.

See NaiveProxy inbound and NaiveProxy outbound.

https://github.com/SagerNet/sing-box/releases/tag/v1.13.0-alpha.31

sing-box 1.13.0-alpha.32 has been released.


* Remove certificate_public_key_sha256 option for NaiveProxy outbound 1
* Fixes and improvements

1:

Self-signed certificates change traffic behavior significantly, which defeats the purpose of NaiveProxy's design to resist traffic analysis.
For this reason, and due to maintenance costs, there is no reason to continue supporting certificate_public_key_sha256, which was designed to simplify the use of self-signed certificates.

https://github.com/SagerNet/sing-box/releases/tag/v1.13.0-alpha.32