sing-box 1.13.0-alpha.35 has been released.
* Add pre-match support for auto_redirect 1
* Fixes and improvements
1:
auto_redirect now allows you to bypass sing-box for connections based on routing rules.
A new rule action bypass is introduced to support this feature. When matched during pre-match, the connection will bypass sing-box and connect directly.
This feature requires Linux with auto_redirect enabled.
See Pre-match and Rule Action.
https://github.com/SagerNet/sing-box/releases/tag/v1.13.0-alpha.35
sing-box 1.13.0-alpha.36 has been released.
* Downgrade quic-go to v0.57.1
* Fixes and improvements
https://github.com/SagerNet/sing-box/releases/tag/v1.13.0-alpha.36
sing-box 1.13.0-beta.1 has been released.
* Add system interface support for Tailscale endpoint 1
* Fixes and improvements
1:
Tailscale endpoint can now create a system TUN interface to handle traffic directly.
See Tailscale endpoint.
https://github.com/SagerNet/sing-box/releases/tag/v1.13.0-beta.1
sing-box 1.13.0-beta.2 has been released.
* Add bind_address_no_port option for dial fields 1
* Fixes and improvements
1:
Adds the Linux socket option IP_BIND_ADDRESS_NO_PORT support when explicitly binding to a source address.
This allows reusing the same source port for multiple connections, improving scalability for high-concurrency proxy scenarios.
See Dial Fields.
https://github.com/SagerNet/sing-box/releases/tag/v1.13.0-beta.2
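What IP_BIND_ADDRESS_NO_PORT changes at the socket level, as an added example (not sing-box code): with the option set, bind(2) to a source address leaves the port unassigned until connect(2), which is what lets the kernel share one source port across different destinations. Linux only; the constant value 24, the loopback listener and the function names are assumptions of this example.

```go
package main

import (
	"fmt"
	"net"
	"syscall"
)

// Linux value of IP_BIND_ADDRESS_NO_PORT (<linux/in.h>); Go's standard syscall
// package does not export it, so it is defined here (assumption of this example).
const ipBindAddressNoPort = 24

// localPort returns the local port currently assigned to fd (0 means none yet).
func localPort(fd int) (int, error) {
	sa, err := syscall.Getsockname(fd)
	if err != nil {
		return 0, err
	}
	in4, ok := sa.(*syscall.SockaddrInet4)
	if !ok {
		return 0, fmt.Errorf("unexpected sockaddr type %T", sa)
	}
	return in4.Port, nil
}

// sourcePorts binds a TCP socket to 127.0.0.1 with port 0, then connects it to
// a throwaway loopback listener (constructed for the demo). It reports the
// local port right after bind(2) and again after connect(2).
func sourcePorts(noPort bool) (afterBind, afterConnect int, err error) {
	ln, err := net.Listen("tcp4", "127.0.0.1:0")
	if err != nil {
		return 0, 0, err
	}
	defer ln.Close()
	dst := &syscall.SockaddrInet4{Port: ln.Addr().(*net.TCPAddr).Port, Addr: [4]byte{127, 0, 0, 1}}

	fd, err := syscall.Socket(syscall.AF_INET, syscall.SOCK_STREAM, 0)
	if err != nil {
		return 0, 0, err
	}
	defer syscall.Close(fd)
	if noPort {
		// Must be set before bind: the kernel checks it while binding.
		if err = syscall.SetsockoptInt(fd, syscall.IPPROTO_IP, ipBindAddressNoPort, 1); err != nil {
			return 0, 0, err
		}
	}
	// Explicit source address, port 0 (let the kernel choose).
	if err = syscall.Bind(fd, &syscall.SockaddrInet4{Addr: [4]byte{127, 0, 0, 1}}); err != nil {
		return 0, 0, err
	}
	if afterBind, err = localPort(fd); err != nil {
		return 0, 0, err
	}
	if err = syscall.Connect(fd, dst); err != nil {
		return 0, 0, err
	}
	afterConnect, err = localPort(fd)
	return afterBind, afterConnect, err
}

func main() {
	for _, noPort := range []bool{false, true} {
		b, c, err := sourcePorts(noPort)
		fmt.Printf("no_port=%v after bind=%d after connect=%d err=%v\n", noPort, b, c, err)
	}
}
```

Without the option the ephemeral port is reserved at bind time, before the destination is known, so it cannot be shared with other sockets bound the same way.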
sing-box 1.13.0-beta.4 has been released.
* Apple/Android: Add support for sharing configurations via QRS
* Android: Add support for resisting VPN detection via Xposed
* Update quic-go to v0.59.0
* Fixes and improvements
https://github.com/SagerNet/sing-box/releases/tag/v1.13.0-beta.4
sing-box 1.12.7 and 1.13.0-beta.6 have been released.
* Update uTLS to v1.8.2 1
* Fixes and improvements
1:
This update fixes missing padding extension for Chrome 120+ fingerprints.
Also, documentation has been updated with a warning about uTLS fingerprinting vulnerabilities.
uTLS is not recommended for censorship circumvention due to fundamental architectural limitations;
use NaiveProxy instead for TLS fingerprint resistance.
https://github.com/SagerNet/sing-box/releases/tag/v1.12.17
https://github.com/SagerNet/sing-box/releases/tag/v1.13.0-beta.6
sing-box 1.12.22 and 1.13.0-rc.4 have been released.
* Fixes and improvements
https://github.com/SagerNet/sing-box/releases/tag/v1.12.22
https://github.com/SagerNet/sing-box/releases/tag/v1.13.0-rc.4
sing-box 1.13.0 has been released.
Important changes since 1.12:
* Add NaiveProxy outbound 1
* Add pre-match support for auto_redirect 2
* Improve auto_redirect 3
* Add Chrome Root Store certificate option 4
* Add new options for ACME DNS-01 challenge providers 5
* Add Wi-Fi state support for Linux and Windows 6
* Add curve preferences, pinned public key SHA256, mTLS and ECH query_server_name for TLS options 7
* Add kTLS support 8
* Add ICMP echo (ping) proxy support 9
* Add interface_address, network_interface_address and default_interface_address rule items 10
* Add preferred_by route rule item 11
* Improve local DNS server 12
* Add disable_tcp_keep_alive, tcp_keep_alive and tcp_keep_alive_interval options for listen and dial fields 13
* Add bind_address_no_port option for dial fields 14
* Add system interface and relay server options for Tailscale endpoint 15
* Add Claude Code Multiplexer service 16
* Add OpenAI Codex Multiplexer service 17
* Apple/Android: Refactor GUI
* Apple/Android: Add support for sharing configurations via QRS
* Android: Add support for resisting VPN detection via Xposed
* Drop support for go1.23 18
* Drop support for Android 5.0 19
* Update uTLS to v1.8.2 20
* Update quic-go to v0.59.0
* Update gVisor to v20250811
* Update Tailscale to v1.92.4
1:
NaiveProxy outbound now supports QUIC, ECH, UDP over TCP, and configurable QUIC congestion control.
Only available on Apple platforms, Android, Windows and some Linux architectures.
Each Windows release includes libcronet.dll — ensure this file is in the same directory as sing-box.exe or in a directory listed in PATH.
See NaiveProxy outbound.
2:
auto_redirect now allows you to bypass sing-box for connections based on routing rules.
A new rule action bypass is introduced to support this feature. When matched during pre-match, the connection will bypass sing-box and connect directly.
This feature requires Linux with auto_redirect enabled.
See Pre-match and Rule Action.
3:
auto_redirect now rejects MPTCP connections by default to fix compatibility issues.
You can change it to bypass sing-box via the new exclude_mptcp option.
Adds a fallback iproute2 rule checked after system default rules (32766: main, 32767: default),
ensuring traffic is routed to the sing-box table when no route is found in system tables.
The rule index can be customized via auto_redirect_iproute2_fallback_rule_index (default: 32768).
See TUN.
4:
Adds chrome as a new certificate store option alongside mozilla.
Both stores filter out China-based CA certificates.
See Certificate.
5:
See DNS-01 Challenge.
6:
sing-box can now monitor Wi-Fi state on Linux and Windows to enable routing rules based on wifi_ssid and wifi_bssid.
See Wi-Fi State.
7:
See TLS.
8:
Adds kernel_tx and kernel_rx options for TLS inbound.
Enables kernel-level TLS offloading via splice(2) on Linux 5.1+ with TLS 1.3.
See TLS.
9:
sing-box can now proxy ICMP echo (ping) requests.
A new icmp network type is available for route rules.
Supported from TUN, WireGuard and Tailscale inbounds to Direct, WireGuard and Tailscale outbounds.
The reject action can also reply to ICMP echo requests.
10:
New rule items for matching based on interface IP addresses, available in route rules, DNS rules and rule-sets.
11:
Matches outbounds' preferred routes.
For Tailscale: MagicDNS domains and peers' allowed IPs. For WireGuard: peers' allowed IPs.
12:
The local DNS server now uses platform-native resolution:
getaddrinfo/libresolv on Apple platforms, systemd-resolved DBus on Linux.
A new prefer_go option is available to opt out.
See Local DNS.
13:
The default TCP keep-alive initial period has been updated from 10 minutes to 5 minutes.
See Dial Fields.
14:
Adds the Linux socket option IP_BIND_ADDRESS_NO_PORT support when explicitly binding to a source address.
This allows reusing the same source port for multiple connections, improving scalability for high-concurrency proxy scenarios.
See Dial Fields.
15:
Tailscale endpoint can now create a system TUN interface to handle traffic directly.
New relay_server_port and relay_server_static_endpoints options for incoming relay connections.
See Tailscale endpoint.
16:
CCM (Claude Code Multiplexer) service allows you to access your local Claude Code subscription remotely through custom tokens, eliminating the need for OAuth authentication on remote clients.
See CCM.
17:
See OCM.
18:
Due to maintenance difficulties, sing-box 1.13.0 requires at least Go 1.24 to compile.
19:
Due to maintenance difficulties, sing-box 1.13.0 will be the last version to support Android 5.0,
and only through a separate legacy build (with -legacy-android-5 suffix).
For standalone binaries, the minimum Android version has been raised to Android 6.0,
since Termux requires Android 7.0 or later.
20:
This update fixes missing padding extension for Chrome 120+ fingerprints.
Also, documentation has been updated with a warning about uTLS fingerprinting vulnerabilities.
uTLS is not recommended for censorship circumvention due to fundamental architectural limitations;
use NaiveProxy instead for TLS fingerprint resistance.
https://github.com/SagerNet/sing-box/releases/tag/v1.13.0
sing-box 1.12.24 and 1.13.1 have been released.
* Fixes and improvements
https://github.com/SagerNet/sing-box/releases/tag/v1.12.24
https://github.com/SagerNet/sing-box/releases/tag/v1.13.1
sing-box 1.13.2 has been released.
* Fixes and improvements
https://github.com/SagerNet/sing-box/releases/tag/v1.13.2
sing-box 1.14.0-alpha.1 has been released.
* Add source_mac_address and source_hostname rule items 1
* Add include_mac_address and exclude_mac_address TUN options 2
* Update NaiveProxy to 145.0.7632.159 3
* Fixes and improvements
1:
New rule items for matching LAN devices by MAC address and hostname via neighbor resolution.
Supported on Linux, macOS, or in graphical clients on Android and macOS.
See Route Rule, DNS Rule and Neighbor Resolution.
2:
Limit or exclude devices from TUN routing by MAC address.
Only supported on Linux with auto_route and auto_redirect enabled.
See TUN.
3:
This is not an official update from NaiveProxy. Instead, it's a Chromium codebase update maintained by Project S.
https://github.com/SagerNet/sing-box/releases/tag/v1.14.0-alpha.1
sing-box 1.13.3-beta.1 and 1.14.0-alpha.2 have been released.
* Add OpenWrt and Alpine APK packages to release 1
* Backport to macOS 10.13 High Sierra 2
* OCM service: Add WebSocket support for Responses API 3
* Fixes and improvements
1:
Alpine APK files use linux in the filename to distinguish from OpenWrt APKs which use the openwrt prefix:
- OpenWrt: sing-box_{version}_openwrt_{architecture}.apk
- Alpine: sing-box_{version}_linux_{architecture}.apk
2:
Legacy macOS binaries (with -legacy-macos-10.13 suffix) now support
macOS 10.13 High Sierra, built using Go 1.25 with patches
from SagerNet/go.
3:
See OCM.
https://github.com/SagerNet/sing-box/releases/tag/v1.13.3-beta.1
https://github.com/SagerNet/sing-box/releases/tag/v1.14.0-alpha.2
sing-box 1.12.25, 1.13.3 and 1.14.0-alpha.3 have been released.
* Fixes and improvements
https://github.com/SagerNet/sing-box/releases/tag/v1.12.25
https://github.com/SagerNet/sing-box/releases/tag/v1.13.3
https://github.com/SagerNet/sing-box/releases/tag/v1.14.0-alpha.3
sing-box 1.13.4-beta.1 has been released.
* Fixes and improvements
https://github.com/SagerNet/sing-box/releases/tag/v1.13.4-beta.1
sing-box 1.14.0-alpha.4 has been released.
* Refactor ACME support to certificate provider system 1
* Add Cloudflare Origin CA certificate provider 2
* Add Tailscale certificate provider 3
* Fixes and improvements
1:
See Certificate Provider and Migration.
2:
See Cloudflare Origin CA.
3:
See Tailscale.
https://github.com/SagerNet/sing-box/releases/tag/v1.14.0-alpha.4
sing-box 1.13.4 and 1.14.0-alpha.7 have been released.
* Fixes and improvements
https://github.com/SagerNet/sing-box/releases/tag/v1.13.4
https://github.com/SagerNet/sing-box/releases/tag/v1.14.0-alpha.7
sing-box 1.13.5 has been released.
* Fixes and improvements
https://github.com/SagerNet/sing-box/releases/tag/v1.13.5
sing-box 1.14.0-alpha.8 has been released.
* Add BBR profile and hop interval randomization for Hysteria2 1
* Fixes and improvements
1:
See Hysteria2 Inbound and Hysteria2 Outbound.
https://github.com/SagerNet/sing-box/releases/tag/v1.14.0-alpha.8
sing-box 1.13.6 and 1.14.0-alpha.9 have been released.
* Fixes and improvements
https://github.com/SagerNet/sing-box/releases/tag/v1.13.6
https://github.com/SagerNet/sing-box/releases/tag/v1.14.0-alpha.9
sing-box 1.14.0-alpha.10 has been released.
* Add evaluate DNS rule action and Response Match Fields 1
* ip_version and query_type now also take effect on internal DNS lookups 2
* Add package_name_regex route, DNS and headless rule item 3
* Add cloudflared inbound 4
* Fixes and improvements
1:
Response Match Fields (response_rcode, response_answer, response_ns, and response_extra) match the evaluated DNS response. They are gated by the new match_response field and populated by a preceding evaluate DNS rule action; the evaluated response can also be returned directly by a respond action.
This deprecates the Legacy Address Filter Fields (ip_cidr, ip_is_private without match_response) in DNS rules, the Legacy strategy DNS rule action option, and the Legacy rule_set_ip_cidr_accept_empty DNS rule item; all three will be removed in sing-box 1.16.0. See Migration.
2:
ip_version and query_type in DNS rules, together with query_type in referenced rule-sets, now take effect on every DNS rule evaluation, including matches from internal domain resolutions that do not target a specific DNS server (for example a resolve route rule action without server set). In earlier versions they were silently ignored in that path. Combining these fields with any of the legacy DNS fields deprecated in 1 in the same DNS configuration is no longer supported and is rejected at startup. See Migration.
3:
See Route Rule, DNS Rule and Headless Rule.
4:
See Cloudflared.
https://github.com/SagerNet/sing-box/releases/tag/v1.14.0-alpha.10