sing-box 1.12.25, 1.13.3 and 1.14.0-alpha.3 has been released.
* Fixes and improvements
https://github.com/SagerNet/sing-box/releases/tag/v1.12.25
https://github.com/SagerNet/sing-box/releases/tag/v1.13.3
https://github.com/SagerNet/sing-box/releases/tag/v1.14.0-alpha.3
* Fixes and improvements
https://github.com/SagerNet/sing-box/releases/tag/v1.12.25
https://github.com/SagerNet/sing-box/releases/tag/v1.13.3
https://github.com/SagerNet/sing-box/releases/tag/v1.14.0-alpha.3
sing-box 1.13.4-beta.1 has been released.
* Fixes and improvements
https://github.com/SagerNet/sing-box/releases/tag/v1.13.4-beta.1
* Fixes and improvements
https://github.com/SagerNet/sing-box/releases/tag/v1.13.4-beta.1
sing-box 1.14.0-alpha.4 has been released.
* Refactor ACME support to certificate provider system 1
* Add Cloudflare Origin CA certificate provider 2
* Add Tailscale certificate provider 3
* Fixes and improvements
1:
See Certificate Provider and Migration.
2:
See Cloudflare Origin CA.
3:
See Tailscale.
https://github.com/SagerNet/sing-box/releases/tag/v1.14.0-alpha.4
* Refactor ACME support to certificate provider system 1
* Add Cloudflare Origin CA certificate provider 2
* Add Tailscale certificate provider 3
* Fixes and improvements
1:
See Certificate Provider and Migration.
2:
See Cloudflare Origin CA.
3:
See Tailscale.
https://github.com/SagerNet/sing-box/releases/tag/v1.14.0-alpha.4
sing-box 1.13.4 and 1.14.0-alpha.7 has been released.
* Fixes and improvements
https://github.com/SagerNet/sing-box/releases/tag/v1.13.4
https://github.com/SagerNet/sing-box/releases/tag/v1.14.0-alpha.7
* Fixes and improvements
https://github.com/SagerNet/sing-box/releases/tag/v1.13.4
https://github.com/SagerNet/sing-box/releases/tag/v1.14.0-alpha.7
sing-box 1.13.5 has been released.
* Fixes and improvements
https://github.com/SagerNet/sing-box/releases/tag/v1.13.5
* Fixes and improvements
https://github.com/SagerNet/sing-box/releases/tag/v1.13.5
sing-box 1.14.0-alpha.8 has been released.
* Add BBR profile and hop interval randomization for Hysteria2 1
* Fixes and improvements
1:
See Hysteria2 Inbound and Hysteria2 Outbound.
https://github.com/SagerNet/sing-box/releases/tag/v1.14.0-alpha.8
* Add BBR profile and hop interval randomization for Hysteria2 1
* Fixes and improvements
1:
See Hysteria2 Inbound and Hysteria2 Outbound.
https://github.com/SagerNet/sing-box/releases/tag/v1.14.0-alpha.8
sing-box 1.13.6 and 1.14.0-alpha.9 has been released.
* Fixes and improvements
https://github.com/SagerNet/sing-box/releases/tag/v1.13.6
https://github.com/SagerNet/sing-box/releases/tag/v1.14.0-alpha.9
* Fixes and improvements
https://github.com/SagerNet/sing-box/releases/tag/v1.13.6
https://github.com/SagerNet/sing-box/releases/tag/v1.14.0-alpha.9
sing-box 1.14.0-alpha.10 has been released.
* Add
*
* Add
* Add cloudflared inbound 4
* Fixes and improvements
1:
Response Match Fields (response_rcode, response_answer, response_ns, and response_extra) match the evaluated DNS response. They are gated by the new match_response field and populated by a preceding evaluate DNS rule action; the evaluated response can also be returned directly by a respond action.
This deprecates the Legacy Address Filter Fields (
2:
3:
See Route Rule, DNS Rule and Headless Rule.
4:
See Cloudflared.
https://github.com/SagerNet/sing-box/releases/tag/v1.14.0-alpha.10
* Add
evaluate DNS rule action and Response Match Fields 1*
ip_version and query_type now also take effect on internal DNS lookups 2* Add
package_name_regex route, DNS and headless rule item 3* Add cloudflared inbound 4
* Fixes and improvements
1:
Response Match Fields (response_rcode, response_answer, response_ns, and response_extra) match the evaluated DNS response. They are gated by the new match_response field and populated by a preceding evaluate DNS rule action; the evaluated response can also be returned directly by a respond action.
This deprecates the Legacy Address Filter Fields (
ip_cidr, ip_is_private without match_response) in DNS rules, the Legacy strategy DNS rule action option, and the Legacy rule_set_ip_cidr_accept_empty DNS rule item; all three will be removed in sing-box 1.16.0. See Migration.2:
ip_version and query_type in DNS rules, together with query_type in referenced rule-sets, now take effect on every DNS rule evaluation, including matches from internal domain resolutions that do not target a specific DNS server (for example a resolve route rule action without server set). In earlier versions they were silently ignored in that path. Combining these fields with any of the legacy DNS fields deprecated in 1 in the same DNS configuration is no longer supported and is rejected at startup. See Migration.3:
See Route Rule, DNS Rule and Headless Rule.
4:
See Cloudflared.
https://github.com/SagerNet/sing-box/releases/tag/v1.14.0-alpha.10
sing-box 1.14.0-alpha.11 has been released.
* Add optimistic DNS cache 1
* Update NaiveProxy to 147.0.7727.49
* Fixes and improvements
1:
Optimistic DNS cache returns an expired cached response immediately while refreshing it in the background, reducing tail latency for repeated queries. Enabled via optimistic in DNS options, and can be persisted across restarts with the new store_dns cache file option. A per-query disable_optimistic_cache field is also available on DNS rule actions and the
This deprecates the
https://github.com/SagerNet/sing-box/releases/tag/v1.14.0-alpha.11
* Add optimistic DNS cache 1
* Update NaiveProxy to 147.0.7727.49
* Fixes and improvements
1:
Optimistic DNS cache returns an expired cached response immediately while refreshing it in the background, reducing tail latency for repeated queries. Enabled via optimistic in DNS options, and can be persisted across restarts with the new store_dns cache file option. A per-query disable_optimistic_cache field is also available on DNS rule actions and the
resolve route rule action.This deprecates the
independent_cache DNS option (the DNS cache now always keys by transport) and the store_rdrc cache file option (replaced by store_dns); both will be removed in sing-box 1.16.0. See Migration.https://github.com/SagerNet/sing-box/releases/tag/v1.14.0-alpha.11
sing-box 1.13.8 and 1.14.0-alpha.12 has been released.
* Fix fake-ip DNS server should return SUCCESS when address type is not configured
* Fixes and improvements
https://github.com/SagerNet/sing-box/releases/tag/v1.13.8
https://github.com/SagerNet/sing-box/releases/tag/v1.14.0-alpha.12
* Fix fake-ip DNS server should return SUCCESS when address type is not configured
* Fixes and improvements
https://github.com/SagerNet/sing-box/releases/tag/v1.13.8
https://github.com/SagerNet/sing-box/releases/tag/v1.14.0-alpha.12
sing-box 1.14.0-alpha.13 has been released.
* Unify HTTP client 1
* Add Apple HTTP and TLS engines 2
* Unify HTTP/2 and QUIC parameters 3
* Add TLS spoof 4
* Fixes and improvements
1:
The new top-level http_clients option defines reusable HTTP clients (engine, version, dialer, TLS, HTTP/2 and QUIC parameters). Components that make outbound HTTP requests — remote rule-sets, ACME and Cloudflare Origin CA certificate providers, DERP verify_client_url, and the Tailscale control_http_client — now accept an inline HTTP client object or the tag of an http_clients entry, replacing the dial and TLS fields previously inlined in each component. When the field is omitted, ACME, Cloudflare Origin CA, DERP and Tailscale dial direct (their existing default).
Remote rule-sets are the only HTTP-using component whose default for an omitted http_client has historically resolved to the default outbound, not to direct, and a typical configuration contains many of them. To avoid repeating the same http_client block in every rule-set, route.default_http_client selects a default rule-set client by tag and is the only field that consults it. If default_http_client is empty and http_clients is non-empty, the first entry is used automatically. The legacy fallback (use the default outbound when http_clients is empty altogether) is preserved with a deprecation warning and will be removed in sing-box 1.16.0, together with the legacy download_detour remote rule-set option and the legacy dialer fields on Tailscale endpoints.
2:
A new apple engine is available on Apple platforms in two independent places:
* HTTP client engine — routes HTTP requests through NSURLSession.
* Outbound TLS engine — routes the TLS handshake through Network.framework for direct TCP TLS client connections.
The default remains go. Both engines come with additional CGO and framework memory overhead and platform restrictions documented on each field.
3:
HTTP/2 and QUIC parameters (
This deprecates the Hysteria v1 tuning fields recv_window_conn, recv_window, recv_window_client, max_conn_client and disable_mtu_discovery; they will be removed in sing-box 1.16.0.
4:
Added outbound TLS spoof and spoof_method fields. When enabled, a forged ClientHello carrying a whitelisted SNI is sent before the real handshake to fool SNI-filtering middleboxes. Requires CAP_NET_RAW + CAP_NET_ADMIN or root on Linux and macOS, and Administrator privileges on Windows (ARM64 is not supported). IP-literal server names are rejected.
https://github.com/SagerNet/sing-box/releases/tag/v1.14.0-alpha.13
* Unify HTTP client 1
* Add Apple HTTP and TLS engines 2
* Unify HTTP/2 and QUIC parameters 3
* Add TLS spoof 4
* Fixes and improvements
1:
The new top-level http_clients option defines reusable HTTP clients (engine, version, dialer, TLS, HTTP/2 and QUIC parameters). Components that make outbound HTTP requests — remote rule-sets, ACME and Cloudflare Origin CA certificate providers, DERP verify_client_url, and the Tailscale control_http_client — now accept an inline HTTP client object or the tag of an http_clients entry, replacing the dial and TLS fields previously inlined in each component. When the field is omitted, ACME, Cloudflare Origin CA, DERP and Tailscale dial direct (their existing default).
Remote rule-sets are the only HTTP-using component whose default for an omitted http_client has historically resolved to the default outbound, not to direct, and a typical configuration contains many of them. To avoid repeating the same http_client block in every rule-set, route.default_http_client selects a default rule-set client by tag and is the only field that consults it. If default_http_client is empty and http_clients is non-empty, the first entry is used automatically. The legacy fallback (use the default outbound when http_clients is empty altogether) is preserved with a deprecation warning and will be removed in sing-box 1.16.0, together with the legacy download_detour remote rule-set option and the legacy dialer fields on Tailscale endpoints.
2:
A new apple engine is available on Apple platforms in two independent places:
* HTTP client engine — routes HTTP requests through NSURLSession.
* Outbound TLS engine — routes the TLS handshake through Network.framework for direct TCP TLS client connections.
The default remains go. Both engines come with additional CGO and framework memory overhead and platform restrictions documented on each field.
3:
HTTP/2 and QUIC parameters (
idle_timeout, keep_alive_period, stream_receive_window, connection_receive_window, max_concurrent_streams, initial_packet_size, disable_path_mtu_discovery) are now shared across QUIC-based outbounds (Hysteria, Hysteria2, TUIC) and HTTP clients running HTTP/2 or HTTP/3.This deprecates the Hysteria v1 tuning fields recv_window_conn, recv_window, recv_window_client, max_conn_client and disable_mtu_discovery; they will be removed in sing-box 1.16.0.
4:
Added outbound TLS spoof and spoof_method fields. When enabled, a forged ClientHello carrying a whitelisted SNI is sent before the real handshake to fool SNI-filtering middleboxes. Requires CAP_NET_RAW + CAP_NET_ADMIN or root on Linux and macOS, and Administrator privileges on Windows (ARM64 is not supported). IP-literal server names are rejected.
https://github.com/SagerNet/sing-box/releases/tag/v1.14.0-alpha.13
sing-box 1.14.0-alpha.14 has been released.
* Fixes and improvements
https://github.com/SagerNet/sing-box/releases/tag/v1.14.0-alpha.14
* Fixes and improvements
https://github.com/SagerNet/sing-box/releases/tag/v1.14.0-alpha.14
sing-box 1.13.9 has been released.
* Fixes and improvements
https://github.com/SagerNet/sing-box/releases/tag/v1.13.9
* Fixes and improvements
https://github.com/SagerNet/sing-box/releases/tag/v1.13.9
sing-box 1.14.0-alpha.15 has been released.
* Add search domain support for Tailscale DNS 1
* Fixes and improvements
1:
See Tailscale DNS Server.
https://github.com/SagerNet/sing-box/releases/tag/v1.14.0-alpha.15
* Add search domain support for Tailscale DNS 1
* Fixes and improvements
1:
See Tailscale DNS Server.
https://github.com/SagerNet/sing-box/releases/tag/v1.14.0-alpha.15
sing-box 1.14.0-alpha.18 has been released.
* Add Windows TLS engine 1
* Fixes and improvements
1:
The new
https://github.com/SagerNet/sing-box/releases/tag/v1.14.0-alpha.18
* Add Windows TLS engine 1
* Fixes and improvements
1:
The new
windows value for outbound TLS engine routes the TLS handshake through Schannel via SSPI. Only available on Windows build 17763 or later (Windows 10 version 1809, Windows Server 2019, or newer); TLS 1.3 is only negotiated on Windows 11 or Windows Server 2022 and newer.https://github.com/SagerNet/sing-box/releases/tag/v1.14.0-alpha.18
sing-box 1.14.0-alpha.19 has been released.
* Preserve comments between formatting
* Add cipher, MAC, and key exchange algorithm options for SSH outbound 1
* Add DNS query timeout options 2
* Fixes and improvements
1:
See SSH.
2:
Adds dns.timeout, with per-query overrides via DNS rule action and resolve route rule action, and a
https://github.com/SagerNet/sing-box/releases/tag/v1.14.0-alpha.19
* Preserve comments between formatting
* Add cipher, MAC, and key exchange algorithm options for SSH outbound 1
* Add DNS query timeout options 2
* Fixes and improvements
1:
See SSH.
2:
Adds dns.timeout, with per-query overrides via DNS rule action and resolve route rule action, and a
timeout field on domain_resolver.https://github.com/SagerNet/sing-box/releases/tag/v1.14.0-alpha.19
sing-box 1.14.0-alpha.22 has been released.
* Add Hysteria Realm service and Hysteria2 NAT traversal support 1
* Fixes and improvements
1:
The new Hysteria Realm service is a rendezvous service for Hysteria2 NAT traversal. A Hysteria2 server behind NAT registers its STUN-discovered public addresses on a stable realm endpoint via the new realm inbound field; clients query the realm via the new realm outbound field to learn the server's current addresses and perform UDP hole-punching to establish a direct QUIC connection. Once hole-punching succeeds, all proxy traffic flows directly between client and server.
https://github.com/SagerNet/sing-box/releases/tag/v1.14.0-alpha.22
* Add Hysteria Realm service and Hysteria2 NAT traversal support 1
* Fixes and improvements
1:
The new Hysteria Realm service is a rendezvous service for Hysteria2 NAT traversal. A Hysteria2 server behind NAT registers its STUN-discovered public addresses on a stable realm endpoint via the new realm inbound field; clients query the realm via the new realm outbound field to learn the server's current addresses and perform UDP hole-punching to establish a direct QUIC connection. Once hole-punching succeeds, all proxy traffic flows directly between client and server.
https://github.com/SagerNet/sing-box/releases/tag/v1.14.0-alpha.22
sing-box 1.14.0-alpha.23 has been released.
* Fixes and improvements
https://github.com/SagerNet/sing-box/releases/tag/v1.14.0-alpha.23
* Fixes and improvements
https://github.com/SagerNet/sing-box/releases/tag/v1.14.0-alpha.23