chore: more unmap for 4in6 address

fix: vmess listener error
fix: quic sniffer should consider skipDomain
2026-03-03 20:27:31 +00:00 · 2025-05-29 10:14:06 +08:00 · 2025-05-28 21:33:44 +08:00 · 2025-05-28 10:06:53 +08:00 · 2025-05-28 09:22:28 +08:00 · 2025-05-27 22:47:21 +08:00
247 changed files with 11262 additions and 3405 deletions
--- a/.github/release/.fpm_systemd
+++ b/.github/release/.fpm_systemd
@@ -0,0 +1,18 @@
 -s dir
 --name mihomo
 --category net
 --license GPL-3.0-or-later
 --description "The universal proxy platform."
 --url "https://wiki.metacubex.one/"
 --maintainer "MetaCubeX <none@example.com>"
 --deb-field "Bug: https://github.com/MetaCubeX/mihomo/issues"
 --no-deb-generate-changes
 --config-files /etc/mihomo/config.yaml
 .github/release/config.yaml=/etc/mihomo/config.yaml
 .github/release/mihomo.service=/usr/lib/systemd/system/mihomo.service
 .github/release/mihomo@.service=/usr/lib/systemd/system/mihomo@.service
 LICENSE=/usr/share/licenses/mihomo/LICENSE
--- a/.github/release/config.yaml
+++ b/.github/release/config.yaml
@@ -0,0 +1,15 @@
 mixed-port: 7890
 dns:
  enable: true
  ipv6: true
  enhanced-mode: fake-ip
  fake-ip-filter:
    - "*"
    - "+.lan"
    - "+.local"
  nameserver:
    - system
 rules:
  - MATCH,DIRECT
--- a/.github/release/mihomo.service
+++ b/.github/release/mihomo.service
@@ -1,17 +1,17 @@
 [Unit]
 Description=mihomo Daemon, Another Clash Kernel.
-After=network.target NetworkManager.service systemd-networkd.service iwd.service
+Documentation=https://wiki.metacubex.one
 After=network.target nss-lookup.target network-online.target
 [Service]
 Type=simple
 LimitNPROC=500
 LimitNOFILE=1000000
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SYS_TIME CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE
 AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SYS_TIME CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE
 Restart=always
 ExecStartPre=/usr/bin/sleep 2s
 ExecStart=/usr/bin/mihomo -d /etc/mihomo
 ExecReload=/bin/kill -HUP $MAINPID
 Restart=on-failure
 RestartSec=10
 LimitNOFILE=infinity
 [Install]
 WantedBy=multi-user.target
--- a/.github/release/mihomo@.service
+++ b/.github/release/mihomo@.service
@@ -0,0 +1,17 @@
 [Unit]
 Description=mihomo Daemon, Another Clash Kernel.
 Documentation=https://wiki.metacubex.one
 After=network.target nss-lookup.target network-online.target
 [Service]
 Type=simple
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SYS_TIME CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE
 AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SYS_TIME CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE
 ExecStart=/usr/bin/mihomo -d /etc/mihomo
 ExecReload=/bin/kill -HUP $MAINPID
 Restart=on-failure
 RestartSec=10
 LimitNOFILE=infinity
 [Install]
 WantedBy=multi-user.target
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -14,7 +14,7 @@ on:
      - Alpha
    tags:
      - "v*"
-  pull_request_target:
+  pull_request:
    branches:
      - Alpha
 concurrency:
@@ -33,28 +33,29 @@ jobs:
          - { goos: darwin, goarch: amd64, goamd64: v1, output: amd64-compatible }
          - { goos: darwin, goarch: amd64, goamd64: v3, output: amd64 }
-          - { goos: linux, goarch: '386', output: '386' }
+          - { goos: linux, goarch: '386', go386: sse2, output: '386', debian: i386, rpm: i386}
          - { goos: linux, goarch: '386', go386: softfloat, output: '386-softfloat' }
          - { goos: linux, goarch: amd64, goamd64: v1, output: amd64-compatible, test: test }
-          - { goos: linux, goarch: amd64, goamd64: v3, output: amd64 }
+          - { goos: linux, goarch: amd64, goamd64: v3, output: amd64, debian: amd64, rpm: x86_64, pacman: x86_64}
-          - { goos: linux, goarch: arm64, output: arm64 }
+          - { goos: linux, goarch: arm64, output: arm64, debian: arm64, rpm: aarch64, pacman: aarch64}  
          - { goos: linux, goarch: arm, goarm: '5', output: armv5 }
-          - { goos: linux, goarch: arm, goarm: '6', output: armv6 }
+          - { goos: linux, goarch: arm, goarm: '6', output: armv6, debian: armel, rpm: armv6hl} 
-          - { goos: linux, goarch: arm, goarm: '7', output: armv7 }
+          - { goos: linux, goarch: arm, goarm: '7', output: armv7, debian: armhf, rpm: armv7hl, pacman: armv7hl}
          - { goos: linux, goarch: mips, gomips: hardfloat, output: mips-hardfloat }
          - { goos: linux, goarch: mips, gomips: softfloat, output: mips-softfloat }
          - { goos: linux, goarch: mipsle, gomips: hardfloat, output: mipsle-hardfloat }
          - { goos: linux, goarch: mipsle, gomips: softfloat, output: mipsle-softfloat }
          - { goos: linux, goarch: mips64, output: mips64 }
-          - { goos: linux, goarch: mips64le, output: mips64le }
+          - { goos: linux, goarch: mips64le, output: mips64le, debian: mips64el, rpm: mips64el }
-          - { goos: linux, goarch: loong64, output: loong64-abi1, abi: '1' }
+          - { goos: linux, goarch: loong64, output: loong64-abi1, abi: '1', debian: loongarch64, rpm: loongarch64 }
-          - { goos: linux, goarch: loong64, output: loong64-abi2, abi: '2' }
+          - { goos: linux, goarch: loong64, output: loong64-abi2, abi: '2', debian: loong64, rpm: loong64 }
-          - { goos: linux, goarch: riscv64, output: riscv64 }
+          - { goos: linux, goarch: riscv64, output: riscv64, debian: riscv64, rpm: riscv64 }
-          - { goos: linux, goarch: s390x, output: s390x }
+          - { goos: linux, goarch: s390x, output: s390x, debian: s390x, rpm: s390x }
          - { goos: linux, goarch: ppc64le, output: ppc64le, debian: ppc64el, rpm: ppc64le }
          - { goos: windows, goarch: '386', output: '386' }
          - { goos: windows, goarch: amd64, goamd64: v1, output: amd64-compatible }
          - { goos: windows, goarch: amd64, goamd64: v3, output: amd64 }
          - { goos: windows, goarch: arm, goarm: '7', output: armv7 }
          - { goos: windows, goarch: arm64, output: arm64 }
          - { goos: freebsd, goarch: '386', output: '386' }
@@ -67,6 +68,12 @@ jobs:
          - { goos: android, goarch: arm, ndk: armv7a-linux-androideabi34, output: armv7 }
          - { goos: android, goarch: arm64, ndk: aarch64-linux-android34, output: arm64-v8 }
          # Go 1.23 with special patch can work on Windows 7
          # https://github.com/MetaCubeX/go/commits/release-branch.go1.23/
          - { goos: windows, goarch: '386', output: '386-go123', goversion: '1.23' }
          - { goos: windows, goarch: amd64, goamd64: v1, output: amd64-compatible-go123, goversion: '1.23' }
          - { goos: windows, goarch: amd64, goamd64: v3, output: amd64-go123, goversion: '1.23' }
          # Go 1.22 with special patch can work on Windows 7
          # https://github.com/MetaCubeX/go/commits/release-branch.go1.22/
          - { goos: windows, goarch: '386', output: '386-go122', goversion: '1.22' }
@@ -95,6 +102,11 @@ jobs:
          - { goos: darwin, goarch: amd64, goamd64: v1, output: amd64-compatible-go120, goversion: '1.20' }
          - { goos: darwin, goarch: amd64, goamd64: v3, output: amd64-go120, goversion: '1.20' }
          # Go 1.23 is the last release that requires Linux kernel version 2.6.32 or later. Go 1.24 will require Linux kernel version 3.2 or later.
          - { goos: linux, goarch: '386', output: '386-go123', goversion: '1.23' }
          - { goos: linux, goarch: amd64, goamd64: v1, output: amd64-compatible-go123, goversion: '1.23', test: test }
          - { goos: linux, goarch: amd64, goamd64: v3, output: amd64-go123, goversion: '1.23' }
          # only for test
          - { goos: linux, goarch: '386', output: '386-go120', goversion: '1.20' }
          - { goos: linux, goarch: amd64, goamd64: v1, output: amd64-compatible-go120, goversion: '1.20', test: test }
@@ -107,7 +119,7 @@ jobs:
      if: ${{ matrix.jobs.goversion == '' && matrix.jobs.abi != '1' }}
      uses: actions/setup-go@v5
      with:
-        go-version: '1.23'
+        go-version: '1.24'
    - name: Set up Go
      if: ${{ matrix.jobs.goversion != '' && matrix.jobs.abi != '1' }}
@@ -115,13 +127,31 @@ jobs:
      with:
        go-version: ${{ matrix.jobs.goversion }}
-    - name: Set up Go1.23 loongarch abi1
+    - name: Set up Go1.24 loongarch abi1
      if: ${{ matrix.jobs.goarch == 'loong64' && matrix.jobs.abi == '1' }}
      run: |
-        wget -q https://github.com/MetaCubeX/loongarch64-golang/releases/download/1.23.0/go1.23.0.linux-amd64-abi1.tar.gz
+        wget -q https://github.com/MetaCubeX/loongarch64-golang/releases/download/1.24.0/go1.24.0.linux-amd64-abi1.tar.gz
-        sudo tar zxf go1.23.0.linux-amd64-abi1.tar.gz -C /usr/local
+        sudo tar zxf go1.24.0.linux-amd64-abi1.tar.gz -C /usr/local
        echo "/usr/local/go/bin" >> $GITHUB_PATH
      # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
      # this patch file only works on golang1.24.x
      # that means after golang1.25 release it must be changed
      # see: https://github.com/MetaCubeX/go/commits/release-branch.go1.24/
      # revert:
      # 693def151adff1af707d82d28f55dba81ceb08e1: "crypto/rand,runtime: switch RtlGenRandom for ProcessPrng"
      # 7c1157f9544922e96945196b47b95664b1e39108: "net: remove sysSocket fallback for Windows 7"
      # 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround"
      # a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries"
    - name: Revert Golang1.24 commit for Windows7/8
      if: ${{ matrix.jobs.goos == 'windows' && matrix.jobs.goversion == '' }}
      run: |
        cd $(go env GOROOT)
        curl https://github.com/MetaCubeX/go/commit/2a406dc9f1ea7323d6ca9fccb2fe9ddebb6b1cc8.diff | patch --verbose -p 1
        curl https://github.com/MetaCubeX/go/commit/7b1fd7d39c6be0185fbe1d929578ab372ac5c632.diff | patch --verbose -p 1
        curl https://github.com/MetaCubeX/go/commit/979d6d8bab3823ff572ace26767fd2ce3cf351ae.diff | patch --verbose -p 1
        curl https://github.com/MetaCubeX/go/commit/ac3e93c061779dfefc0dd13a5b6e6f764a25621e.diff | patch --verbose -p 1
      # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
      # this patch file only works on golang1.23.x
      # that means after golang1.24 release it must be changed
@@ -132,7 +162,7 @@ jobs:
      # 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround"
      # a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries"
    - name: Revert Golang1.23 commit for Windows7/8
-      if: ${{ matrix.jobs.goos == 'windows' && matrix.jobs.goversion == '' }}
+      if: ${{ matrix.jobs.goos == 'windows' && matrix.jobs.goversion == '1.23' }}
      run: |
        cd $(go env GOROOT)
        curl https://github.com/MetaCubeX/go/commit/9ac42137ef6730e8b7daca016ece831297a1d75b.diff | patch --verbose -p 1
@@ -166,17 +196,16 @@ jobs:
        curl https://github.com/golang/go/commit/9e43850a3298a9b8b1162ba0033d4c53f8637571.diff | patch --verbose -R -p 1
    - name: Set variables
      if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.version != '' }}
      run: echo "VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
      shell: bash
    - name: Set variables
      if: ${{ github.event_name != 'workflow_dispatch' && github.ref_name == 'Alpha' }}
      run: echo "VERSION=alpha-$(git rev-parse --short HEAD)" >> $GITHUB_ENV
      shell: bash
    - name: Set Time Variable
      run: |
        VERSION="${GITHUB_REF_NAME,,}-$(git rev-parse --short HEAD)"
        PackageVersion="$(curl -s "https://api.github.com/repos/MetaCubeX/mihomo/releases/latest" | jq -r '.tag_name' | sed 's/v//g' | awk -F '.' '{$NF = $NF + 1; print}' OFS='.').${VERSION/-/.}"
        if [ -n "${{ github.event.inputs.version }}" ]; then
          VERSION=${{ github.event.inputs.version }}
          PackageVersion="${VERSION#v}" >> $GITHUB_ENV
        fi
        echo "VERSION=${VERSION}" >> $GITHUB_ENV
        echo "PackageVersion=${PackageVersion}" >> $GITHUB_ENV
        echo "BUILDTIME=$(date)" >> $GITHUB_ENV
        echo "CGO_ENABLED=0" >> $GITHUB_ENV
        echo "BUILDTAG=-extldflags --static" >> $GITHUB_ENV
@@ -187,7 +216,7 @@ jobs:
      uses: nttld/setup-ndk@v1
      id: setup-ndk
      with:
-        ndk-version: r28-beta1
+        ndk-version: r29-beta1
    - name: Set NDK path
      if: ${{ matrix.jobs.goos == 'android' }}
@@ -205,7 +234,7 @@ jobs:
    - name: Update CA
      run: |
-        sudo apt-get install ca-certificates
+        sudo apt-get update && sudo apt-get install ca-certificates
        sudo update-ca-certificates
        cp -f /etc/ssl/certs/ca-certificates.crt component/ca/ca-certificates.crt
@@ -214,6 +243,7 @@ jobs:
        GOOS: ${{matrix.jobs.goos}}
        GOARCH: ${{matrix.jobs.goarch}}
        GOAMD64: ${{matrix.jobs.goamd64}}
        GO386: ${{matrix.jobs.go386}}
        GOARM: ${{matrix.jobs.goarm}}
        GOMIPS: ${{matrix.jobs.gomips}}
      run: |
@@ -228,71 +258,45 @@ jobs:
          rm mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}
        fi
-    - name: Create DEB package
+    - name: Package DEB
-      if: ${{ matrix.jobs.goos == 'linux' && !contains(matrix.jobs.goarch, 'mips') }}
+      if: matrix.jobs.debian != ''
      run: |
-        sudo apt-get install dpkg
+        set -xeuo pipefail
-        if [ "${{matrix.jobs.abi}}" = "1" ]; then
+        sudo gem install fpm
-          ARCH=loongarch64
+        cp .github/release/.fpm_systemd .fpm
        elif [ "${{matrix.jobs.goarm}}" = "7" ]; then
          ARCH=armhf
        elif [ "${{matrix.jobs.goarch}}" = "arm" ]; then
          ARCH=armel
        else
          ARCH=${{matrix.jobs.goarch}}
        fi
        PackageVersion=$(curl -s "https://api.github.com/repos/MetaCubeX/mihomo/releases/latest" | grep -o '"tag_name": "[^"]*' | grep -o '[^"]*$' | sed 's/v//g' )
        if [ $(git branch | awk -F ' ' '{print $2}') = "Alpha" ]; then
          PackageVersion="$(echo "${PackageVersion}" | awk -F '.' '{$NF = $NF + 1; print}' OFS='.')-${VERSION}"
        fi
-        mkdir -p mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/DEBIAN
+        fpm -t deb \
-        mkdir -p mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/usr/bin
+          -v "${PackageVersion}" \
-        mkdir -p mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/etc/mihomo
+          -p "mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}.deb" \
-        mkdir -p mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/etc/systemd/system/
+          --architecture ${{ matrix.jobs.debian }} \
-        mkdir -p mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/usr/share/licenses/mihomo
+          mihomo=/usr/bin/mihomo
-        cp mihomo mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/usr/bin/mihomo
+    - name: Package RPM
-        cp LICENSE mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/usr/share/licenses/mihomo/
+      if: matrix.jobs.rpm != ''
        cp .github/mihomo.service mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/etc/systemd/system/
        cat > mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/etc/mihomo/config.yaml <<EOF
        mixed-port: 7890
        external-controller: 127.0.0.1:9090
        EOF
        cat > mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}/DEBIAN/control <<EOF
        Package: mihomo
        Version: ${PackageVersion}
        Section:
        Priority: extra
        Architecture: ${ARCH}
        Maintainer: MetaCubeX <none@example.com>
        Homepage: https://wiki.metacubex.one/
        Description: The universal proxy platform.
        EOF
        dpkg-deb -Z gzip --build mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}
    - name: Convert DEB to RPM
      if: ${{ matrix.jobs.goos == 'linux' && !contains(matrix.jobs.goarch, 'mips') }}
      run: |
-        sudo apt-get install -y alien
+        set -xeuo pipefail
-        alien --to-rpm --scripts mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}.deb
+        sudo gem install fpm
-        mv mihomo*.rpm mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}.rpm
+        cp .github/release/.fpm_systemd .fpm
-    # - name: Convert DEB to PKG
+        fpm -t rpm \
-    #   if: ${{ matrix.jobs.goos == 'linux' && !contains(matrix.jobs.goarch, 'mips') && !contains(matrix.jobs.goarch, 'loong64') }}
+          -v "${PackageVersion}" \
-    #   run: |
+          -p "mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}.rpm" \
-    #     docker pull archlinux
+          --architecture ${{ matrix.jobs.rpm }} \
-    #     docker run --rm -v ./:/mnt archlinux bash -c "
+          mihomo=/usr/bin/mihomo
-    #       pacman -Syu pkgfile base-devel --noconfirm
+
-    #       curl -L https://github.com/helixarch/debtap/raw/master/debtap > /usr/bin/debtap
+    - name: Package Pacman
-    #       chmod 755 /usr/bin/debtap
+      if: matrix.jobs.pacman != ''
-    #       debtap -u 
+      run: |
-    #       debtap -Q /mnt/mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}.deb
+        set -xeuo pipefail
-    #     "
+        sudo gem install fpm
-    #     mv mihomo*.pkg.tar.zst mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}.pkg.tar.zst
+        sudo apt-get update && sudo apt-get install -y libarchive-tools
        cp .github/release/.fpm_systemd .fpm
        fpm -t pacman \
          -v "${PackageVersion}" \
          -p "mihomo-${{matrix.jobs.goos}}-${{matrix.jobs.output}}-${VERSION}.pkg.tar.zst" \
          --architecture ${{ matrix.jobs.pacman }} \
          mihomo=/usr/bin/mihomo
    - name: Save version
      run: |
@@ -307,8 +311,10 @@ jobs:
          mihomo*.gz
          mihomo*.deb
          mihomo*.rpm
          mihomo*.pkg.tar.zst
          mihomo*.zip
          version.txt
          checksums.txt
  Upload-Prerelease:
    permissions: write-all
@@ -322,6 +328,13 @@ jobs:
        path: bin/
        merge-multiple: true
    - name: Calculate checksums
      run: |
        cd bin/
        find . -type f -not -name "checksums.*" -not -name "version.txt" | sort | xargs sha256sum > checksums.txt
        cat checksums.txt
      shell: bash
    - name: Delete current release assets
      uses: 8Mi-Tech/delete-release-assets-action@main
      with:
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -0,0 +1,115 @@
 name: Test
 on:
  push:
    paths-ignore:
      - "docs/**"
      - "README.md"
      - ".github/ISSUE_TEMPLATE/**"
    branches:
      - Alpha
    tags:
      - "v*"
  pull_request:
    branches:
      - Alpha
 jobs:
  test:
    strategy:
      matrix:
        os:
          - 'ubuntu-latest' # amd64 linux
          - 'windows-latest' # amd64 windows
          - 'macos-latest' # arm64 macos
          - 'ubuntu-24.04-arm' # arm64 linux
          - 'macos-13' # amd64 macos
        go-version:
          - '1.24'
          - '1.23'
          - '1.22'
          - '1.21'
          - '1.20'
      fail-fast: false
    runs-on: ${{ matrix.os }}
    defaults:
      run:
        shell: bash
    env:
      CGO_ENABLED: 0
      GOTOOLCHAIN: local
      # Fix mingw trying to be smart and converting paths https://github.com/moby/moby/issues/24029#issuecomment-250412919
      MSYS_NO_PATHCONV: true
    steps:
      - uses: actions/checkout@v4
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ matrix.go-version }}
      # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
      # this patch file only works on golang1.24.x
      # that means after golang1.25 release it must be changed
      # see: https://github.com/MetaCubeX/go/commits/release-branch.go1.24/
      # revert:
      # 693def151adff1af707d82d28f55dba81ceb08e1: "crypto/rand,runtime: switch RtlGenRandom for ProcessPrng"
      # 7c1157f9544922e96945196b47b95664b1e39108: "net: remove sysSocket fallback for Windows 7"
      # 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround"
      # a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries"
      - name: Revert Golang1.24 commit for Windows7/8
        if: ${{ runner.os == 'Windows' && matrix.go-version == '1.24' }}
        run: |
          cd $(go env GOROOT)
          curl https://github.com/MetaCubeX/go/commit/2a406dc9f1ea7323d6ca9fccb2fe9ddebb6b1cc8.diff | patch --verbose -p 1
          curl https://github.com/MetaCubeX/go/commit/7b1fd7d39c6be0185fbe1d929578ab372ac5c632.diff | patch --verbose -p 1
          curl https://github.com/MetaCubeX/go/commit/979d6d8bab3823ff572ace26767fd2ce3cf351ae.diff | patch --verbose -p 1
          curl https://github.com/MetaCubeX/go/commit/ac3e93c061779dfefc0dd13a5b6e6f764a25621e.diff | patch --verbose -p 1
        # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
        # this patch file only works on golang1.23.x
        # that means after golang1.24 release it must be changed
        # see: https://github.com/MetaCubeX/go/commits/release-branch.go1.23/
        # revert:
        # 693def151adff1af707d82d28f55dba81ceb08e1: "crypto/rand,runtime: switch RtlGenRandom for ProcessPrng"
        # 7c1157f9544922e96945196b47b95664b1e39108: "net: remove sysSocket fallback for Windows 7"
        # 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround"
        # a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries"
      - name: Revert Golang1.23 commit for Windows7/8
        if: ${{ runner.os == 'Windows' && matrix.go-version == '1.23' }}
        run: |
          cd $(go env GOROOT)
          curl https://github.com/MetaCubeX/go/commit/9ac42137ef6730e8b7daca016ece831297a1d75b.diff | patch --verbose -p 1
          curl https://github.com/MetaCubeX/go/commit/21290de8a4c91408de7c2b5b68757b1e90af49dd.diff | patch --verbose -p 1
          curl https://github.com/MetaCubeX/go/commit/6a31d3fa8e47ddabc10bd97bff10d9a85f4cfb76.diff | patch --verbose -p 1
          curl https://github.com/MetaCubeX/go/commit/69e2eed6dd0f6d815ebf15797761c13f31213dd6.diff | patch --verbose -p 1
        # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
        # this patch file only works on golang1.22.x
        # that means after golang1.23 release it must be changed
        # see: https://github.com/MetaCubeX/go/commits/release-branch.go1.22/
        # revert:
        # 693def151adff1af707d82d28f55dba81ceb08e1: "crypto/rand,runtime: switch RtlGenRandom for ProcessPrng"
        # 7c1157f9544922e96945196b47b95664b1e39108: "net: remove sysSocket fallback for Windows 7"
        # 48042aa09c2f878c4faa576948b07fe625c4707a: "syscall: remove Windows 7 console handle workaround"
        # a17d959debdb04cd550016a3501dd09d50cd62e7: "runtime: always use LoadLibraryEx to load system libraries"
      - name: Revert Golang1.22 commit for Windows7/8
        if: ${{ runner.os == 'Windows' && matrix.go-version == '1.22' }}
        run: |
          cd $(go env GOROOT)
          curl https://github.com/MetaCubeX/go/commit/9779155f18b6556a034f7bb79fb7fb2aad1e26a9.diff | patch --verbose -p 1
          curl https://github.com/MetaCubeX/go/commit/ef0606261340e608017860b423ffae5c1ce78239.diff | patch --verbose -p 1
          curl https://github.com/MetaCubeX/go/commit/7f83badcb925a7e743188041cb6e561fc9b5b642.diff | patch --verbose -p 1
          curl https://github.com/MetaCubeX/go/commit/83ff9782e024cb328b690cbf0da4e7848a327f4f.diff | patch --verbose -p 1
        # modify from https://github.com/restic/restic/issues/4636#issuecomment-1896455557
      - name: Revert Golang1.21 commit for Windows7/8
        if: ${{ runner.os == 'Windows' && matrix.go-version == '1.21' }}
        run: |
          cd $(go env GOROOT)
          curl https://github.com/golang/go/commit/9e43850a3298a9b8b1162ba0033d4c53f8637571.diff | patch --verbose -R -p 1
      - name: Test
        run: go test ./... -v -count=1
      - name: Test with tag with_gvisor
        run: go test ./... -v -count=1 -tags "with_gvisor"
--- a/adapter/adapter.go
+++ b/adapter/adapter.go
@@ -7,9 +7,7 @@ import (
 	"fmt"
 	"net"
 	"net/http"
 	"net/netip"
 	"net/url"
 	"strconv"
 	"strings"
 	"time"
@@ -17,7 +15,6 @@ import (
 	"github.com/metacubex/mihomo/common/queue"
 	"github.com/metacubex/mihomo/common/utils"
 	"github.com/metacubex/mihomo/component/ca"
 	"github.com/metacubex/mihomo/component/dialer"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/log"
 	"github.com/puzpuzpuz/xsync/v3"
@@ -63,8 +60,8 @@ func (p *Proxy) Dial(metadata *C.Metadata) (C.Conn, error) {
 }
 // DialContext implements C.ProxyAdapter
-func (p *Proxy) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
+func (p *Proxy) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
-	conn, err := p.ProxyAdapter.DialContext(ctx, metadata, opts...)
+	conn, err := p.ProxyAdapter.DialContext(ctx, metadata)
 	return conn, err
 }
@@ -76,8 +73,8 @@ func (p *Proxy) DialUDP(metadata *C.Metadata) (C.PacketConn, error) {
 }
 // ListenPacketContext implements C.ProxyAdapter
-func (p *Proxy) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
+func (p *Proxy) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (C.PacketConn, error) {
-	pc, err := p.ProxyAdapter.ListenPacketContext(ctx, metadata, opts...)
+	pc, err := p.ProxyAdapter.ListenPacketContext(ctx, metadata)
 	return pc, err
 }
@@ -290,6 +287,7 @@ func (p *Proxy) URLTest(ctx context.Context, url string, expectedStatus utils.In
 	t = uint16(time.Since(start) / time.Millisecond)
 	return
 }
 func NewProxy(adapter C.ProxyAdapter) *Proxy {
 	return &Proxy{
 		ProxyAdapter: adapter,
@@ -316,15 +314,7 @@ func urlToMetadata(rawURL string) (addr C.Metadata, err error) {
 			return
 		}
 	}
 	uintPort, err := strconv.ParseUint(port, 10, 16)
 	if err != nil {
 		return
 	}
-	addr = C.Metadata{
+	err = addr.SetRemoteAddress(net.JoinHostPort(u.Hostname(), port))
 		Host:    u.Hostname(),
 		DstIP:   netip.Addr{},
 		DstPort: uint16(uintPort),
 	}
 	return
 }
--- a/adapter/inbound/util.go
+++ b/adapter/inbound/util.go
@@ -4,10 +4,8 @@ import (
 	"net"
 	"net/http"
 	"net/netip"
 	"strconv"
 	"strings"
 	"github.com/metacubex/mihomo/common/nnip"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/transport/socks5"
 )
@@ -21,13 +19,13 @@ func parseSocksAddr(target socks5.Addr) *C.Metadata {
 		metadata.Host = strings.TrimRight(string(target[2:2+target[1]]), ".")
 		metadata.DstPort = uint16((int(target[2+target[1]]) << 8) | int(target[2+target[1]+1]))
 	case socks5.AtypIPv4:
-		metadata.DstIP = nnip.IpToAddr(net.IP(target[1 : 1+net.IPv4len]))
+		metadata.DstIP, _ = netip.AddrFromSlice(target[1 : 1+net.IPv4len])
 		metadata.DstPort = uint16((int(target[1+net.IPv4len]) << 8) | int(target[1+net.IPv4len+1]))
 	case socks5.AtypIPv6:
-		ip6, _ := netip.AddrFromSlice(target[1 : 1+net.IPv6len])
+		metadata.DstIP, _ = netip.AddrFromSlice(target[1 : 1+net.IPv6len])
 		metadata.DstIP = ip6.Unmap()
 		metadata.DstPort = uint16((int(target[1+net.IPv6len]) << 8) | int(target[1+net.IPv6len+1]))
 	}
 	metadata.DstIP = metadata.DstIP.Unmap()
 	return metadata
 }
@@ -42,23 +40,8 @@ func parseHTTPAddr(request *http.Request) *C.Metadata {
 	// trim FQDN (#737)
 	host = strings.TrimRight(host, ".")
-	var uint16Port uint16
+	metadata := &C.Metadata{}
-	if port, err := strconv.ParseUint(port, 10, 16); err == nil {
+	_ = metadata.SetRemoteAddress(net.JoinHostPort(host, port))
 		uint16Port = uint16(port)
 	}
 	metadata := &C.Metadata{
 		NetWork: C.TCP,
 		Host:    host,
 		DstIP:   netip.Addr{},
 		DstPort: uint16Port,
 	}
 	ip, err := netip.ParseAddr(host)
 	if err == nil {
 		metadata.DstIP = ip
 	}
 	return metadata
 }
--- a/adapter/outbound/anytls.go
+++ b/adapter/outbound/anytls.go
@@ -0,0 +1,135 @@
 package outbound
 import (
 	"context"
 	"net"
 	"strconv"
 	"time"
 	CN "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/proxydialer"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/transport/anytls"
 	"github.com/metacubex/mihomo/transport/vmess"
 	M "github.com/metacubex/sing/common/metadata"
 	"github.com/metacubex/sing/common/uot"
 )
 type AnyTLS struct {
 	*Base
 	client *anytls.Client
 	dialer proxydialer.SingDialer
 	option *AnyTLSOption
 }
 type AnyTLSOption struct {
 	BasicOption
 	Name                     string     `proxy:"name"`
 	Server                   string     `proxy:"server"`
 	Port                     int        `proxy:"port"`
 	Password                 string     `proxy:"password"`
 	ALPN                     []string   `proxy:"alpn,omitempty"`
 	SNI                      string     `proxy:"sni,omitempty"`
 	ECHOpts                  ECHOptions `proxy:"ech-opts,omitempty"`
 	ClientFingerprint        string     `proxy:"client-fingerprint,omitempty"`
 	SkipCertVerify           bool       `proxy:"skip-cert-verify,omitempty"`
 	Fingerprint              string     `proxy:"fingerprint,omitempty"`
 	UDP                      bool       `proxy:"udp,omitempty"`
 	IdleSessionCheckInterval int        `proxy:"idle-session-check-interval,omitempty"`
 	IdleSessionTimeout       int        `proxy:"idle-session-timeout,omitempty"`
 	MinIdleSession           int        `proxy:"min-idle-session,omitempty"`
 }
 func (t *AnyTLS) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
 	c, err := t.client.CreateProxy(ctx, M.ParseSocksaddrHostPort(metadata.String(), metadata.DstPort))
 	if err != nil {
 		return nil, err
 	}
 	return NewConn(c, t), nil
 }
 func (t *AnyTLS) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (_ C.PacketConn, err error) {
 	if err = t.ResolveUDP(ctx, metadata); err != nil {
 		return nil, err
 	}
 	// create tcp
 	c, err := t.client.CreateProxy(ctx, uot.RequestDestination(2))
 	if err != nil {
 		return nil, err
 	}
 	// create uot on tcp
 	destination := M.SocksaddrFromNet(metadata.UDPAddr())
 	return newPacketConn(CN.NewThreadSafePacketConn(uot.NewLazyConn(c, uot.Request{Destination: destination})), t), nil
 }
 // SupportUOT implements C.ProxyAdapter
 func (t *AnyTLS) SupportUOT() bool {
 	return true
 }
 // ProxyInfo implements C.ProxyAdapter
 func (t *AnyTLS) ProxyInfo() C.ProxyInfo {
 	info := t.Base.ProxyInfo()
 	info.DialerProxy = t.option.DialerProxy
 	return info
 }
 // Close implements C.ProxyAdapter
 func (t *AnyTLS) Close() error {
 	return t.client.Close()
 }
 func NewAnyTLS(option AnyTLSOption) (*AnyTLS, error) {
 	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
 	outbound := &AnyTLS{
 		Base: &Base{
 			name:   option.Name,
 			addr:   addr,
 			tp:     C.AnyTLS,
 			udp:    option.UDP,
 			tfo:    option.TFO,
 			mpTcp:  option.MPTCP,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
 		option: &option,
 	}
 	singDialer := proxydialer.NewByNameSingDialer(option.DialerProxy, dialer.NewDialer(outbound.DialOptions()...))
 	outbound.dialer = singDialer
 	tOption := anytls.ClientConfig{
 		Password:                 option.Password,
 		Server:                   M.ParseSocksaddrHostPort(option.Server, uint16(option.Port)),
 		Dialer:                   singDialer,
 		IdleSessionCheckInterval: time.Duration(option.IdleSessionCheckInterval) * time.Second,
 		IdleSessionTimeout:       time.Duration(option.IdleSessionTimeout) * time.Second,
 		MinIdleSession:           option.MinIdleSession,
 	}
 	echConfig, err := option.ECHOpts.Parse()
 	if err != nil {
 		return nil, err
 	}
 	tlsConfig := &vmess.TLSConfig{
 		Host:              option.SNI,
 		SkipCertVerify:    option.SkipCertVerify,
 		NextProtos:        option.ALPN,
 		FingerPrint:       option.Fingerprint,
 		ClientFingerprint: option.ClientFingerprint,
 		ECH:               echConfig,
 	}
 	if tlsConfig.Host == "" {
 		tlsConfig.Host = option.Server
 	}
 	tOption.TLSConfig = tlsConfig
 	client := anytls.NewClient(context.TODO(), tOption)
 	outbound.client = client
 	return outbound, nil
 }
--- a/adapter/outbound/base.go
+++ b/adapter/outbound/base.go
@@ -3,16 +3,26 @@ package outbound
 import (
 	"context"
 	"encoding/json"
 	"fmt"
 	"net"
-	"strings"
+	"runtime"
 	"sync"
 	"syscall"
 	N "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/common/utils"
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/resolver"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/log"
 )
 type ProxyAdapter interface {
 	C.ProxyAdapter
 	DialOptions() []dialer.Option
 	ResolveUDP(ctx context.Context, metadata *C.Metadata) error
 }
 type Base struct {
 	name   string
 	addr   string
@@ -51,7 +61,7 @@ func (b *Base) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Me
 	return c, C.ErrNotSupport
 }
-func (b *Base) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
+func (b *Base) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
 	return nil, C.ErrNotSupport
 }
@@ -61,7 +71,7 @@ func (b *Base) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metad
 }
 // ListenPacketContext implements C.ProxyAdapter
-func (b *Base) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
+func (b *Base) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (C.PacketConn, error) {
 	return nil, C.ErrNotSupport
 }
@@ -120,7 +130,7 @@ func (b *Base) Unwrap(metadata *C.Metadata, touch bool) C.Proxy {
 }
 // DialOptions return []dialer.Option from struct
-func (b *Base) DialOptions(opts ...dialer.Option) []dialer.Option {
+func (b *Base) DialOptions() (opts []dialer.Option) {
 	if b.iface != "" {
 		opts = append(opts, dialer.WithInterface(b.iface))
 	}
@@ -152,11 +162,26 @@ func (b *Base) DialOptions(opts ...dialer.Option) []dialer.Option {
 	return opts
 }
 func (b *Base) ResolveUDP(ctx context.Context, metadata *C.Metadata) error {
 	if !metadata.Resolved() {
 		ip, err := resolver.ResolveIP(ctx, metadata.Host)
 		if err != nil {
 			return fmt.Errorf("can't resolve ip: %w", err)
 		}
 		metadata.DstIP = ip
 	}
 	return nil
 }
 func (b *Base) Close() error {
 	return nil
 }
 type BasicOption struct {
 	TFO         bool   `proxy:"tfo,omitempty"`
 	MPTCP       bool   `proxy:"mptcp,omitempty"`
-	Interface   string `proxy:"interface-name,omitempty" group:"interface-name,omitempty"`
+	Interface   string `proxy:"interface-name,omitempty"`
-	RoutingMark int    `proxy:"routing-mark,omitempty" group:"routing-mark,omitempty"`
+	RoutingMark int    `proxy:"routing-mark,omitempty"`
 	IPVersion   string `proxy:"ip-version,omitempty"`
 	DialerProxy string `proxy:"dialer-proxy,omitempty"` // don't apply this option into groups, but can set a group name in a proxy
 }
@@ -191,12 +216,21 @@ func NewBase(opt BaseOption) *Base {
 type conn struct {
 	N.ExtendedConn
-	chain                   C.Chain
+	chain       C.Chain
-	actualRemoteDestination string
+	adapterAddr string
 }
 func (c *conn) RemoteDestination() string {
-	return c.actualRemoteDestination
+	if remoteAddr := c.RemoteAddr(); remoteAddr != nil {
 		m := C.Metadata{}
 		if err := m.SetRemoteAddr(remoteAddr); err != nil {
 			if m.Valid() {
 				return m.String()
 			}
 		}
 	}
 	host, _, _ := net.SplitHostPort(c.adapterAddr)
 	return host
 }
 // Chains implements C.Connection
@@ -221,23 +255,33 @@ func (c *conn) ReaderReplaceable() bool {
 	return true
 }
 func (c *conn) AddRef(ref any) {
 	c.ExtendedConn = N.NewRefConn(c.ExtendedConn, ref) // add ref for autoCloseProxyAdapter
 }
 func NewConn(c net.Conn, a C.ProxyAdapter) C.Conn {
 	if _, ok := c.(syscall.Conn); !ok { // exclusion system conn like *net.TCPConn
 		c = N.NewDeadlineConn(c) // most conn from outbound can't handle readDeadline correctly
 	}
-	return &conn{N.NewExtendedConn(c), []string{a.Name()}, parseRemoteDestination(a.Addr())}
+	return &conn{N.NewExtendedConn(c), []string{a.Name()}, a.Addr()}
 }
 type packetConn struct {
 	N.EnhancePacketConn
-	chain                   C.Chain
+	chain       C.Chain
-	adapterName             string
+	adapterName string
-	connID                  string
+	connID      string
-	actualRemoteDestination string
+	adapterAddr string
 	resolveUDP  func(ctx context.Context, metadata *C.Metadata) error
 }
 func (c *packetConn) ResolveUDP(ctx context.Context, metadata *C.Metadata) error {
 	return c.resolveUDP(ctx, metadata)
 }
 func (c *packetConn) RemoteDestination() string {
-	return c.actualRemoteDestination
+	host, _, _ := net.SplitHostPort(c.adapterAddr)
 	return host
 }
 // Chains implements C.Connection
@@ -267,22 +311,86 @@ func (c *packetConn) ReaderReplaceable() bool {
 	return true
 }
-func newPacketConn(pc net.PacketConn, a C.ProxyAdapter) C.PacketConn {
+func (c *packetConn) AddRef(ref any) {
 	c.EnhancePacketConn = N.NewRefPacketConn(c.EnhancePacketConn, ref) // add ref for autoCloseProxyAdapter
 }
 func newPacketConn(pc net.PacketConn, a ProxyAdapter) C.PacketConn {
 	epc := N.NewEnhancePacketConn(pc)
 	if _, ok := pc.(syscall.Conn); !ok { // exclusion system conn like *net.UDPConn
 		epc = N.NewDeadlineEnhancePacketConn(epc) // most conn from outbound can't handle readDeadline correctly
 	}
-	return &packetConn{epc, []string{a.Name()}, a.Name(), utils.NewUUIDV4().String(), parseRemoteDestination(a.Addr())}
+	return &packetConn{epc, []string{a.Name()}, a.Name(), utils.NewUUIDV4().String(), a.Addr(), a.ResolveUDP}
 }
-func parseRemoteDestination(addr string) string {
+type AddRef interface {
-	if dst, _, err := net.SplitHostPort(addr); err == nil {
+	AddRef(ref any)
-		return dst
+}
-	} else {
+
-		if addrError, ok := err.(*net.AddrError); ok && strings.Contains(addrError.Err, "missing port") {
+type autoCloseProxyAdapter struct {
-			return dst
+	ProxyAdapter
-		} else {
+	closeOnce sync.Once
-			return ""
+	closeErr  error
-		}
+}
-	}
+
 func (p *autoCloseProxyAdapter) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
 	c, err := p.ProxyAdapter.DialContext(ctx, metadata)
 	if err != nil {
 		return nil, err
 	}
 	if c, ok := c.(AddRef); ok {
 		c.AddRef(p)
 	}
 	return c, nil
 }
 func (p *autoCloseProxyAdapter) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.Conn, err error) {
 	c, err := p.ProxyAdapter.DialContextWithDialer(ctx, dialer, metadata)
 	if err != nil {
 		return nil, err
 	}
 	if c, ok := c.(AddRef); ok {
 		c.AddRef(p)
 	}
 	return c, nil
 }
 func (p *autoCloseProxyAdapter) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (_ C.PacketConn, err error) {
 	pc, err := p.ProxyAdapter.ListenPacketContext(ctx, metadata)
 	if err != nil {
 		return nil, err
 	}
 	if pc, ok := pc.(AddRef); ok {
 		pc.AddRef(p)
 	}
 	return pc, nil
 }
 func (p *autoCloseProxyAdapter) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.PacketConn, err error) {
 	pc, err := p.ProxyAdapter.ListenPacketWithDialer(ctx, dialer, metadata)
 	if err != nil {
 		return nil, err
 	}
 	if pc, ok := pc.(AddRef); ok {
 		pc.AddRef(p)
 	}
 	return pc, nil
 }
 func (p *autoCloseProxyAdapter) Close() error {
 	p.closeOnce.Do(func() {
 		log.Debugln("Closing outdated proxy [%s]", p.Name())
 		runtime.SetFinalizer(p, nil)
 		p.closeErr = p.ProxyAdapter.Close()
 	})
 	return p.closeErr
 }
 func NewAutoCloseProxyAdapter(adapter ProxyAdapter) ProxyAdapter {
 	proxy := &autoCloseProxyAdapter{
 		ProxyAdapter: adapter,
 	}
 	// auto close ProxyAdapter
 	runtime.SetFinalizer(proxy, (*autoCloseProxyAdapter).Close)
 	return proxy
 }
--- a/adapter/outbound/direct.go
+++ b/adapter/outbound/direct.go
@@ -2,7 +2,8 @@ package outbound
 import (
 	"context"
-	"errors"
+	"fmt"
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/loopback"
 	"github.com/metacubex/mihomo/component/resolver"
@@ -20,12 +21,13 @@ type DirectOption struct {
 }
 // DialContext implements C.ProxyAdapter
-func (d *Direct) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
+func (d *Direct) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
 	if err := d.loopBack.CheckConn(metadata); err != nil {
 		return nil, err
 	}
 	opts := d.DialOptions()
 	opts = append(opts, dialer.WithResolver(resolver.DirectHostResolver))
-	c, err := dialer.DialContext(ctx, "tcp", metadata.RemoteAddress(), d.Base.DialOptions(opts...)...)
+	c, err := dialer.DialContext(ctx, "tcp", metadata.RemoteAddress(), opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -33,25 +35,31 @@ func (d *Direct) DialContext(ctx context.Context, metadata *C.Metadata, opts ...
 }
 // ListenPacketContext implements C.ProxyAdapter
-func (d *Direct) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
+func (d *Direct) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (C.PacketConn, error) {
 	if err := d.loopBack.CheckPacketConn(metadata); err != nil {
 		return nil, err
 	}
-	// net.UDPConn.WriteTo only working with *net.UDPAddr, so we need a net.UDPAddr
+	if err := d.ResolveUDP(ctx, metadata); err != nil {
-	if !metadata.Resolved() {
+		return nil, err
 		ip, err := resolver.ResolveIPWithResolver(ctx, metadata.Host, resolver.DirectHostResolver)
 		if err != nil {
 			return nil, errors.New("can't resolve ip")
 		}
 		metadata.DstIP = ip
 	}
-	pc, err := dialer.NewDialer(d.Base.DialOptions(opts...)...).ListenPacket(ctx, "udp", "", metadata.AddrPort())
+	pc, err := dialer.NewDialer(d.DialOptions()...).ListenPacket(ctx, "udp", "", metadata.AddrPort())
 	if err != nil {
 		return nil, err
 	}
 	return d.loopBack.NewPacketConn(newPacketConn(pc, d)), nil
 }
 func (d *Direct) ResolveUDP(ctx context.Context, metadata *C.Metadata) error {
 	if (!metadata.Resolved() || resolver.DirectHostResolver != resolver.DefaultResolver) && metadata.Host != "" {
 		ip, err := resolver.ResolveIPWithResolver(ctx, metadata.Host, resolver.DirectHostResolver)
 		if err != nil {
 			return fmt.Errorf("can't resolve ip: %w", err)
 		}
 		metadata.DstIP = ip
 	}
 	return nil
 }
 func (d *Direct) IsL3Protocol(metadata *C.Metadata) bool {
 	return true // tell DNSDialer don't send domain to DialContext, avoid lookback to DefaultResolver
 }
--- a/adapter/outbound/dns.go
+++ b/adapter/outbound/dns.go
@@ -3,11 +3,11 @@ package outbound
 import (
 	"context"
 	"net"
 	"net/netip"
 	"time"
 	N "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/common/pool"
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/resolver"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/log"
@@ -23,15 +23,18 @@ type DnsOption struct {
 }
 // DialContext implements C.ProxyAdapter
-func (d *Dns) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
+func (d *Dns) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
 	left, right := N.Pipe()
 	go resolver.RelayDnsConn(context.Background(), right, 0)
 	return NewConn(left, d), nil
 }
 // ListenPacketContext implements C.ProxyAdapter
-func (d *Dns) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
+func (d *Dns) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (C.PacketConn, error) {
 	log.Debugln("[DNS] hijack udp:%s from %s", metadata.RemoteAddress(), metadata.SourceAddrPort())
 	if err := d.ResolveUDP(ctx, metadata); err != nil {
 		return nil, err
 	}
 	ctx, cancel := context.WithCancel(context.Background())
@@ -42,6 +45,13 @@ func (d *Dns) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opt
 	}, d), nil
 }
 func (d *Dns) ResolveUDP(ctx context.Context, metadata *C.Metadata) error {
 	if !metadata.Resolved() {
 		metadata.DstIP = netip.AddrFrom4([4]byte{127, 0, 0, 2})
 	}
 	return nil
 }
 type dnsPacket struct {
 	data []byte
 	put  func()
--- a/adapter/outbound/ech.go
+++ b/adapter/outbound/ech.go
@@ -0,0 +1,36 @@
 package outbound
 import (
 	"context"
 	"encoding/base64"
 	"fmt"
 	"github.com/metacubex/mihomo/component/ech"
 	"github.com/metacubex/mihomo/component/resolver"
 )
 type ECHOptions struct {
 	Enable bool   `proxy:"enable,omitempty" obfs:"enable,omitempty"`
 	Config string `proxy:"config,omitempty" obfs:"config,omitempty"`
 }
 func (o ECHOptions) Parse() (*ech.Config, error) {
 	if !o.Enable {
 		return nil, nil
 	}
 	echConfig := &ech.Config{}
 	if o.Config != "" {
 		list, err := base64.StdEncoding.DecodeString(o.Config)
 		if err != nil {
 			return nil, fmt.Errorf("base64 decode ech config string failed: %v", err)
 		}
 		echConfig.GetEncryptedClientHelloConfigList = func(ctx context.Context, serverName string) ([]byte, error) {
 			return list, nil
 		}
 	} else {
 		echConfig.GetEncryptedClientHelloConfigList = func(ctx context.Context, serverName string) ([]byte, error) {
 			return resolver.ResolveECHWithResolver(ctx, serverName, resolver.ProxyServerHostResolver)
 		}
 	}
 	return echConfig, nil
 }
--- a/adapter/outbound/http.go
+++ b/adapter/outbound/http.go
@@ -7,11 +7,11 @@ import (
 	"encoding/base64"
 	"errors"
 	"fmt"
 	"io"
 	"net"
 	"net/http"
 	"strconv"
 	N "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/component/ca"
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/proxydialer"
@@ -51,15 +51,15 @@ func (h *Http) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Me
 		}
 	}
-	if err := h.shakeHand(metadata, c); err != nil {
+	if err := h.shakeHandContext(ctx, c, metadata); err != nil {
 		return nil, err
 	}
 	return c, nil
 }
 // DialContext implements C.ProxyAdapter
-func (h *Http) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
+func (h *Http) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
-	return h.DialContextWithDialer(ctx, dialer.NewDialer(h.Base.DialOptions(opts...)...), metadata)
+	return h.DialContextWithDialer(ctx, dialer.NewDialer(h.DialOptions()...), metadata)
 }
 // DialContextWithDialer implements C.ProxyAdapter
@@ -99,7 +99,12 @@ func (h *Http) ProxyInfo() C.ProxyInfo {
 	return info
 }
-func (h *Http) shakeHand(metadata *C.Metadata, rw io.ReadWriter) error {
+func (h *Http) shakeHandContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (err error) {
 	if ctx.Done() != nil {
 		done := N.SetupContextForConn(ctx, c)
 		defer done(&err)
 	}
 	addr := metadata.RemoteAddress()
 	HeaderString := "CONNECT " + addr + " HTTP/1.1\r\n"
 	tempHeaders := map[string]string{
@@ -123,13 +128,13 @@ func (h *Http) shakeHand(metadata *C.Metadata, rw io.ReadWriter) error {
 	HeaderString += "\r\n"
-	_, err := rw.Write([]byte(HeaderString))
+	_, err = c.Write([]byte(HeaderString))
 	if err != nil {
 		return err
 	}
-	resp, err := http.ReadResponse(bufio.NewReader(rw), nil)
+	resp, err := http.ReadResponse(bufio.NewReader(c), nil)
 	if err != nil {
 		return err
--- a/adapter/outbound/hysteria.go
+++ b/adapter/outbound/hysteria.go
@@ -7,18 +7,14 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
 	"runtime"
 	"strconv"
 	"time"
 	"github.com/metacubex/quic-go"
 	"github.com/metacubex/quic-go/congestion"
 	M "github.com/sagernet/sing/common/metadata"
 	CN "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/component/ca"
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/ech"
 	"github.com/metacubex/mihomo/component/proxydialer"
 	tlsC "github.com/metacubex/mihomo/component/tls"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/log"
 	hyCongestion "github.com/metacubex/mihomo/transport/hysteria/congestion"
@@ -27,6 +23,10 @@ import (
 	"github.com/metacubex/mihomo/transport/hysteria/pmtud_fix"
 	"github.com/metacubex/mihomo/transport/hysteria/transport"
 	"github.com/metacubex/mihomo/transport/hysteria/utils"
 	"github.com/metacubex/quic-go"
 	"github.com/metacubex/quic-go/congestion"
 	M "github.com/metacubex/sing/common/metadata"
 )
 const (
@@ -46,32 +46,36 @@ type Hysteria struct {
 	option *HysteriaOption
 	client *core.Client
-	closeCh chan struct{} // for test
+	tlsConfig *tlsC.Config
 	echConfig *ech.Config
 }
-func (h *Hysteria) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
+func (h *Hysteria) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
-	tcpConn, err := h.client.DialTCP(metadata.String(), metadata.DstPort, h.genHdc(ctx, opts...))
+	tcpConn, err := h.client.DialTCP(metadata.String(), metadata.DstPort, h.genHdc(ctx))
 	if err != nil {
 		return nil, err
 	}
-	return NewConn(CN.NewRefConn(tcpConn, h), h), nil
+	return NewConn(tcpConn, h), nil
 }
-func (h *Hysteria) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
+func (h *Hysteria) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (C.PacketConn, error) {
-	udpConn, err := h.client.DialUDP(h.genHdc(ctx, opts...))
+	if err := h.ResolveUDP(ctx, metadata); err != nil {
 		return nil, err
 	}
 	udpConn, err := h.client.DialUDP(h.genHdc(ctx))
 	if err != nil {
 		return nil, err
 	}
-	return newPacketConn(CN.NewRefPacketConn(&hyPacketConn{udpConn}, h), h), nil
+	return newPacketConn(&hyPacketConn{udpConn}, h), nil
 }
-func (h *Hysteria) genHdc(ctx context.Context, opts ...dialer.Option) utils.PacketDialer {
+func (h *Hysteria) genHdc(ctx context.Context) utils.PacketDialer {
 	return &hyDialerWithContext{
 		ctx: context.Background(),
 		hyDialer: func(network string, rAddr net.Addr) (net.PacketConn, error) {
 			var err error
-			var cDialer C.Dialer = dialer.NewDialer(h.Base.DialOptions(opts...)...)
+			var cDialer C.Dialer = dialer.NewDialer(h.DialOptions()...)
 			if len(h.option.DialerProxy) > 0 {
 				cDialer, err = proxydialer.NewByName(h.option.DialerProxy, cDialer)
 				if err != nil {
@@ -82,7 +86,15 @@ func (h *Hysteria) genHdc(ctx context.Context, opts ...dialer.Option) utils.Pack
 			return cDialer.ListenPacket(ctx, network, "", rAddrPort)
 		},
 		remoteAddr: func(addr string) (net.Addr, error) {
-			return resolveUDPAddrWithPrefer(ctx, "udp", addr, h.prefer)
+			udpAddr, err := resolveUDPAddr(ctx, "udp", addr, h.prefer)
 			if err != nil {
 				return nil, err
 			}
 			err = h.echConfig.ClientHandle(ctx, h.tlsConfig)
 			if err != nil {
 				return nil, err
 			}
 			return udpAddr, nil
 		},
 	}
 }
@@ -96,30 +108,31 @@ func (h *Hysteria) ProxyInfo() C.ProxyInfo {
 type HysteriaOption struct {
 	BasicOption
-	Name                string   `proxy:"name"`
+	Name                string     `proxy:"name"`
-	Server              string   `proxy:"server"`
+	Server              string     `proxy:"server"`
-	Port                int      `proxy:"port,omitempty"`
+	Port                int        `proxy:"port,omitempty"`
-	Ports               string   `proxy:"ports,omitempty"`
+	Ports               string     `proxy:"ports,omitempty"`
-	Protocol            string   `proxy:"protocol,omitempty"`
+	Protocol            string     `proxy:"protocol,omitempty"`
-	ObfsProtocol        string   `proxy:"obfs-protocol,omitempty"` // compatible with Stash
+	ObfsProtocol        string     `proxy:"obfs-protocol,omitempty"` // compatible with Stash
-	Up                  string   `proxy:"up"`
+	Up                  string     `proxy:"up"`
-	UpSpeed             int      `proxy:"up-speed,omitempty"` // compatible with Stash
+	UpSpeed             int        `proxy:"up-speed,omitempty"` // compatible with Stash
-	Down                string   `proxy:"down"`
+	Down                string     `proxy:"down"`
-	DownSpeed           int      `proxy:"down-speed,omitempty"` // compatible with Stash
+	DownSpeed           int        `proxy:"down-speed,omitempty"` // compatible with Stash
-	Auth                string   `proxy:"auth,omitempty"`
+	Auth                string     `proxy:"auth,omitempty"`
-	AuthString          string   `proxy:"auth-str,omitempty"`
+	AuthString          string     `proxy:"auth-str,omitempty"`
-	Obfs                string   `proxy:"obfs,omitempty"`
+	Obfs                string     `proxy:"obfs,omitempty"`
-	SNI                 string   `proxy:"sni,omitempty"`
+	SNI                 string     `proxy:"sni,omitempty"`
-	SkipCertVerify      bool     `proxy:"skip-cert-verify,omitempty"`
+	ECHOpts             ECHOptions `proxy:"ech-opts,omitempty"`
-	Fingerprint         string   `proxy:"fingerprint,omitempty"`
+	SkipCertVerify      bool       `proxy:"skip-cert-verify,omitempty"`
-	ALPN                []string `proxy:"alpn,omitempty"`
+	Fingerprint         string     `proxy:"fingerprint,omitempty"`
-	CustomCA            string   `proxy:"ca,omitempty"`
+	ALPN                []string   `proxy:"alpn,omitempty"`
-	CustomCAString      string   `proxy:"ca-str,omitempty"`
+	CustomCA            string     `proxy:"ca,omitempty"`
-	ReceiveWindowConn   int      `proxy:"recv-window-conn,omitempty"`
+	CustomCAString      string     `proxy:"ca-str,omitempty"`
-	ReceiveWindow       int      `proxy:"recv-window,omitempty"`
+	ReceiveWindowConn   int        `proxy:"recv-window-conn,omitempty"`
-	DisableMTUDiscovery bool     `proxy:"disable-mtu-discovery,omitempty"`
+	ReceiveWindow       int        `proxy:"recv-window,omitempty"`
-	FastOpen            bool     `proxy:"fast-open,omitempty"`
+	DisableMTUDiscovery bool       `proxy:"disable-mtu-discovery,omitempty"`
-	HopInterval         int      `proxy:"hop-interval,omitempty"`
+	FastOpen            bool       `proxy:"fast-open,omitempty"`
 	HopInterval         int        `proxy:"hop-interval,omitempty"`
 }
 func (c *HysteriaOption) Speed() (uint64, uint64, error) {
@@ -164,6 +177,13 @@ func NewHysteria(option HysteriaOption) (*Hysteria, error) {
 	} else {
 		tlsConfig.NextProtos = []string{DefaultALPN}
 	}
 	echConfig, err := option.ECHOpts.Parse()
 	if err != nil {
 		return nil, err
 	}
 	tlsClientConfig := tlsC.UConfig(tlsConfig)
 	quicConfig := &quic.Config{
 		InitialStreamReceiveWindow:     uint64(option.ReceiveWindowConn),
 		MaxStreamReceiveWindow:         uint64(option.ReceiveWindowConn),
@@ -218,7 +238,7 @@ func NewHysteria(option HysteriaOption) (*Hysteria, error) {
 		down = uint64(option.DownSpeed * mbpsToBps)
 	}
 	client, err := core.NewClient(
-		addr, ports, option.Protocol, auth, tlsConfig, quicConfig, clientTransport, up, down, func(refBPS uint64) congestion.CongestionControl {
+		addr, ports, option.Protocol, auth, tlsClientConfig, quicConfig, clientTransport, up, down, func(refBPS uint64) congestion.CongestionControl {
 			return hyCongestion.NewBrutalSender(congestion.ByteCount(refBPS))
 		}, obfuscator, hopInterval, option.FastOpen,
 	)
@@ -236,21 +256,21 @@ func NewHysteria(option HysteriaOption) (*Hysteria, error) {
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
-		option: &option,
+		option:    &option,
-		client: client,
+		client:    client,
 		tlsConfig: tlsClientConfig,
 		echConfig: echConfig,
 	}
 	runtime.SetFinalizer(outbound, closeHysteria)
 	return outbound, nil
 }
-func closeHysteria(h *Hysteria) {
+// Close implements C.ProxyAdapter
 func (h *Hysteria) Close() error {
 	if h.client != nil {
-		_ = h.client.Close()
+		return h.client.Close()
 	}
 	if h.closeCh != nil {
 		close(h.closeCh)
 	}
 	return nil
 }
 type hyPacketConn struct {
--- a/adapter/outbound/hysteria2.go
+++ b/adapter/outbound/hysteria2.go
@@ -6,7 +6,6 @@ import (
 	"errors"
 	"fmt"
 	"net"
 	"runtime"
 	"strconv"
 	"time"
@@ -15,15 +14,14 @@ import (
 	"github.com/metacubex/mihomo/component/ca"
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/proxydialer"
 	tlsC "github.com/metacubex/mihomo/component/tls"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/log"
 	tuicCommon "github.com/metacubex/mihomo/transport/tuic/common"
 	"github.com/metacubex/sing-quic/hysteria2"
 	"github.com/metacubex/quic-go"
-	"github.com/metacubex/randv2"
+	"github.com/metacubex/sing-quic/hysteria2"
-	M "github.com/sagernet/sing/common/metadata"
+	M "github.com/metacubex/sing/common/metadata"
 )
 func init() {
@@ -39,30 +37,29 @@ type Hysteria2 struct {
 	option *Hysteria2Option
 	client *hysteria2.Client
 	dialer proxydialer.SingDialer
 	closeCh chan struct{} // for test
 }
 type Hysteria2Option struct {
 	BasicOption
-	Name           string   `proxy:"name"`
+	Name           string     `proxy:"name"`
-	Server         string   `proxy:"server"`
+	Server         string     `proxy:"server"`
-	Port           int      `proxy:"port,omitempty"`
+	Port           int        `proxy:"port,omitempty"`
-	Ports          string   `proxy:"ports,omitempty"`
+	Ports          string     `proxy:"ports,omitempty"`
-	HopInterval    int      `proxy:"hop-interval,omitempty"`
+	HopInterval    int        `proxy:"hop-interval,omitempty"`
-	Up             string   `proxy:"up,omitempty"`
+	Up             string     `proxy:"up,omitempty"`
-	Down           string   `proxy:"down,omitempty"`
+	Down           string     `proxy:"down,omitempty"`
-	Password       string   `proxy:"password,omitempty"`
+	Password       string     `proxy:"password,omitempty"`
-	Obfs           string   `proxy:"obfs,omitempty"`
+	Obfs           string     `proxy:"obfs,omitempty"`
-	ObfsPassword   string   `proxy:"obfs-password,omitempty"`
+	ObfsPassword   string     `proxy:"obfs-password,omitempty"`
-	SNI            string   `proxy:"sni,omitempty"`
+	SNI            string     `proxy:"sni,omitempty"`
-	SkipCertVerify bool     `proxy:"skip-cert-verify,omitempty"`
+	ECHOpts        ECHOptions `proxy:"ech-opts,omitempty"`
-	Fingerprint    string   `proxy:"fingerprint,omitempty"`
+	SkipCertVerify bool       `proxy:"skip-cert-verify,omitempty"`
-	ALPN           []string `proxy:"alpn,omitempty"`
+	Fingerprint    string     `proxy:"fingerprint,omitempty"`
-	CustomCA       string   `proxy:"ca,omitempty"`
+	ALPN           []string   `proxy:"alpn,omitempty"`
-	CustomCAString string   `proxy:"ca-str,omitempty"`
+	CustomCA       string     `proxy:"ca,omitempty"`
-	CWND           int      `proxy:"cwnd,omitempty"`
+	CustomCAString string     `proxy:"ca-str,omitempty"`
-	UdpMTU         int      `proxy:"udp-mtu,omitempty"`
+	CWND           int        `proxy:"cwnd,omitempty"`
 	UdpMTU         int        `proxy:"udp-mtu,omitempty"`
 	// quic-go special config
 	InitialStreamReceiveWindow     uint64 `proxy:"initial-stream-receive-window,omitempty"`
@@ -71,19 +68,18 @@ type Hysteria2Option struct {
 	MaxConnectionReceiveWindow     uint64 `proxy:"max-connection-receive-window,omitempty"`
 }
-func (h *Hysteria2) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
+func (h *Hysteria2) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
 	options := h.Base.DialOptions(opts...)
 	h.dialer.SetDialer(dialer.NewDialer(options...))
 	c, err := h.client.DialConn(ctx, M.ParseSocksaddrHostPort(metadata.String(), metadata.DstPort))
 	if err != nil {
 		return nil, err
 	}
-	return NewConn(CN.NewRefConn(c, h), h), nil
+	return NewConn(c, h), nil
 }
-func (h *Hysteria2) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
+func (h *Hysteria2) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (_ C.PacketConn, err error) {
-	options := h.Base.DialOptions(opts...)
+	if err = h.ResolveUDP(ctx, metadata); err != nil {
-	h.dialer.SetDialer(dialer.NewDialer(options...))
+		return nil, err
 	}
 	pc, err := h.client.ListenPacket(ctx)
 	if err != nil {
 		return nil, err
@@ -91,16 +87,15 @@ func (h *Hysteria2) ListenPacketContext(ctx context.Context, metadata *C.Metadat
 	if pc == nil {
 		return nil, errors.New("packetConn is nil")
 	}
-	return newPacketConn(CN.NewRefPacketConn(CN.NewThreadSafePacketConn(pc), h), h), nil
+	return newPacketConn(CN.NewThreadSafePacketConn(pc), h), nil
 }
-func closeHysteria2(h *Hysteria2) {
+// Close implements C.ProxyAdapter
 func (h *Hysteria2) Close() error {
 	if h.client != nil {
-		_ = h.client.CloseWithError(errors.New("proxy removed"))
+		return h.client.CloseWithError(errors.New("proxy removed"))
 	}
 	if h.closeCh != nil {
 		close(h.closeCh)
 	}
 	return nil
 }
 // ProxyInfo implements C.ProxyAdapter
@@ -112,6 +107,22 @@ func (h *Hysteria2) ProxyInfo() C.ProxyInfo {
 func NewHysteria2(option Hysteria2Option) (*Hysteria2, error) {
 	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
 	outbound := &Hysteria2{
 		Base: &Base{
 			name:   option.Name,
 			addr:   addr,
 			tp:     C.Hysteria2,
 			udp:    true,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
 		option: &option,
 	}
 	singDialer := proxydialer.NewByNameSingDialer(option.DialerProxy, dialer.NewDialer(outbound.DialOptions()...))
 	outbound.dialer = singDialer
 	var salamanderPassword string
 	if len(option.Obfs) > 0 {
 		if option.ObfsPassword == "" {
@@ -146,6 +157,12 @@ func NewHysteria2(option Hysteria2Option) (*Hysteria2, error) {
 		tlsConfig.NextProtos = option.ALPN
 	}
 	tlsClientConfig := tlsC.UConfig(tlsConfig)
 	echConfig, err := option.ECHOpts.Parse()
 	if err != nil {
 		return nil, err
 	}
 	if option.UdpMTU == 0 {
 		// "1200" from quic-go's MaxDatagramSize
 		// "-3" from quic-go's DatagramFrame.MaxDataLen
@@ -159,8 +176,6 @@ func NewHysteria2(option Hysteria2Option) (*Hysteria2, error) {
 		MaxConnectionReceiveWindow:     option.MaxConnectionReceiveWindow,
 	}
 	singDialer := proxydialer.NewByNameSingDialer(option.DialerProxy, dialer.NewDialer())
 	clientOptions := hysteria2.ClientOptions{
 		Context:            context.TODO(),
 		Dialer:             singDialer,
@@ -169,41 +184,46 @@ func NewHysteria2(option Hysteria2Option) (*Hysteria2, error) {
 		ReceiveBPS:         StringToBps(option.Down),
 		SalamanderPassword: salamanderPassword,
 		Password:           option.Password,
-		TLSConfig:          tlsConfig,
+		TLSConfig:          tlsClientConfig,
 		QUICConfig:         quicConfig,
 		UDPDisabled:        false,
 		CWND:               option.CWND,
 		UdpMTU:             option.UdpMTU,
 		ServerAddress: func(ctx context.Context) (*net.UDPAddr, error) {
-			return resolveUDPAddrWithPrefer(ctx, "udp", addr, C.NewDNSPrefer(option.IPVersion))
+			udpAddr, err := resolveUDPAddr(ctx, "udp", addr, C.NewDNSPrefer(option.IPVersion))
 			if err != nil {
 				return nil, err
 			}
 			err = echConfig.ClientHandle(ctx, tlsClientConfig)
 			if err != nil {
 				return nil, err
 			}
 			return udpAddr, nil
 		},
 	}
 	var ranges utils.IntRanges[uint16]
-	var serverAddress []string
+	var serverPorts []uint16
 	if option.Ports != "" {
 		ranges, err = utils.NewUnsignedRanges[uint16](option.Ports)
 		if err != nil {
 			return nil, err
 		}
 		ranges.Range(func(port uint16) bool {
-			serverAddress = append(serverAddress, net.JoinHostPort(option.Server, strconv.Itoa(int(port))))
+			serverPorts = append(serverPorts, port)
 			return true
 		})
-		if len(serverAddress) > 0 {
+		if len(serverPorts) > 0 {
 			clientOptions.ServerAddress = func(ctx context.Context) (*net.UDPAddr, error) {
 				return resolveUDPAddrWithPrefer(ctx, "udp", serverAddress[randv2.IntN(len(serverAddress))], C.NewDNSPrefer(option.IPVersion))
 			}
 			if option.HopInterval == 0 {
 				option.HopInterval = defaultHopInterval
 			} else if option.HopInterval < minHopInterval {
 				option.HopInterval = minHopInterval
 			}
 			clientOptions.HopInterval = time.Duration(option.HopInterval) * time.Second
 			clientOptions.ServerPorts = serverPorts
 		}
 	}
-	if option.Port == 0 && len(serverAddress) == 0 {
+	if option.Port == 0 && len(serverPorts) == 0 {
 		return nil, errors.New("invalid port")
 	}
@@ -211,22 +231,7 @@ func NewHysteria2(option Hysteria2Option) (*Hysteria2, error) {
 	if err != nil {
 		return nil, err
 	}
-
+	outbound.client = client
 	outbound := &Hysteria2{
 		Base: &Base{
 			name:   option.Name,
 			addr:   addr,
 			tp:     C.Hysteria2,
 			udp:    true,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
 		option: &option,
 		client: client,
 		dialer: singDialer,
 	}
 	runtime.SetFinalizer(outbound, closeHysteria2)
 	return outbound, nil
 }
--- a/adapter/outbound/hysteria2_test.go
+++ b/adapter/outbound/hysteria2_test.go
@@ -1,38 +0,0 @@
 package outbound
 import (
 	"context"
 	"runtime"
 	"testing"
 	"time"
 )
 func TestHysteria2GC(t *testing.T) {
 	option := Hysteria2Option{}
 	option.Server = "127.0.0.1"
 	option.Ports = "200,204,401-429,501-503"
 	option.HopInterval = 30
 	option.Password = "password"
 	option.Obfs = "salamander"
 	option.ObfsPassword = "password"
 	option.SNI = "example.com"
 	option.ALPN = []string{"h3"}
 	hy, err := NewHysteria2(option)
 	if err != nil {
 		t.Error(err)
 		return
 	}
 	closeCh := make(chan struct{})
 	hy.closeCh = closeCh
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
 	defer cancel()
 	hy = nil
 	runtime.GC()
 	select {
 	case <-closeCh:
 		return
 	case <-ctx.Done():
 		t.Error("timeout not GC")
 	}
 }
--- a/adapter/outbound/hysteria_test.go
+++ b/adapter/outbound/hysteria_test.go
@@ -1,39 +0,0 @@
 package outbound
 import (
 	"context"
 	"runtime"
 	"testing"
 	"time"
 )
 func TestHysteriaGC(t *testing.T) {
 	option := HysteriaOption{}
 	option.Server = "127.0.0.1"
 	option.Ports = "200,204,401-429,501-503"
 	option.Protocol = "udp"
 	option.Up = "1Mbps"
 	option.Down = "1Mbps"
 	option.HopInterval = 30
 	option.Obfs = "salamander"
 	option.SNI = "example.com"
 	option.ALPN = []string{"h3"}
 	hy, err := NewHysteria(option)
 	if err != nil {
 		t.Error(err)
 		return
 	}
 	closeCh := make(chan struct{})
 	hy.closeCh = closeCh
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
 	defer cancel()
 	hy = nil
 	runtime.GC()
 	select {
 	case <-closeCh:
 		return
 	case <-ctx.Done():
 		t.Error("timeout not GC")
 	}
 }
--- a/adapter/outbound/mieru.go
+++ b/adapter/outbound/mieru.go
@@ -4,15 +4,16 @@ import (
 	"context"
 	"fmt"
 	"net"
 	"runtime"
 	"strconv"
 	"sync"
 	CN "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/proxydialer"
 	C "github.com/metacubex/mihomo/constant"
 	mieruclient "github.com/enfein/mieru/v3/apis/client"
 	mierucommon "github.com/enfein/mieru/v3/apis/common"
 	mierumodel "github.com/enfein/mieru/v3/apis/model"
 	mierupb "github.com/enfein/mieru/v3/pkg/appctl/appctlpb"
 	"google.golang.org/protobuf/proto"
@@ -32,14 +33,15 @@ type MieruOption struct {
 	Port         int    `proxy:"port,omitempty"`
 	PortRange    string `proxy:"port-range,omitempty"`
 	Transport    string `proxy:"transport"`
 	UDP          bool   `proxy:"udp,omitempty"`
 	UserName     string `proxy:"username"`
 	Password     string `proxy:"password"`
 	Multiplexing string `proxy:"multiplexing,omitempty"`
 }
 // DialContext implements C.ProxyAdapter
-func (m *Mieru) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
+func (m *Mieru) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
-	if err := m.ensureClientIsRunning(opts...); err != nil {
+	if err := m.ensureClientIsRunning(); err != nil {
 		return nil, err
 	}
 	addr := metadataToMieruNetAddrSpec(metadata)
@@ -50,6 +52,26 @@ func (m *Mieru) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d
 	return NewConn(c, m), nil
 }
 // ListenPacketContext implements C.ProxyAdapter
 func (m *Mieru) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (_ C.PacketConn, err error) {
 	if err = m.ResolveUDP(ctx, metadata); err != nil {
 		return nil, err
 	}
 	if err := m.ensureClientIsRunning(); err != nil {
 		return nil, err
 	}
 	c, err := m.client.DialContext(ctx, metadata.UDPAddr())
 	if err != nil {
 		return nil, fmt.Errorf("dial to %s failed: %w", metadata.UDPAddr(), err)
 	}
 	return newPacketConn(CN.NewThreadSafePacketConn(mierucommon.NewUDPAssociateWrapper(mierucommon.NewPacketOverStreamTunnel(c))), m), nil
 }
 // SupportUOT implements C.ProxyAdapter
 func (m *Mieru) SupportUOT() bool {
 	return true
 }
 // ProxyInfo implements C.ProxyAdapter
 func (m *Mieru) ProxyInfo() C.ProxyInfo {
 	info := m.Base.ProxyInfo()
@@ -57,7 +79,7 @@ func (m *Mieru) ProxyInfo() C.ProxyInfo {
 	return info
 }
-func (m *Mieru) ensureClientIsRunning(opts ...dialer.Option) error {
+func (m *Mieru) ensureClientIsRunning() error {
 	m.mu.Lock()
 	defer m.mu.Unlock()
@@ -66,7 +88,7 @@ func (m *Mieru) ensureClientIsRunning(opts ...dialer.Option) error {
 	}
 	// Create a dialer and add it to the client config, before starting the client.
-	var dialer C.Dialer = dialer.NewDialer(m.Base.DialOptions(opts...)...)
+	var dialer C.Dialer = dialer.NewDialer(m.DialOptions()...)
 	var err error
 	if len(m.option.DialerProxy) > 0 {
 		dialer, err = proxydialer.NewByName(m.option.DialerProxy, dialer)
@@ -113,7 +135,7 @@ func NewMieru(option MieruOption) (*Mieru, error) {
 			addr:   addr,
 			iface:  option.Interface,
 			tp:     C.Mieru,
-			udp:    false,
+			udp:    option.UDP,
 			xudp:   false,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
@@ -121,16 +143,17 @@ func NewMieru(option MieruOption) (*Mieru, error) {
 		option: &option,
 		client: c,
 	}
 	runtime.SetFinalizer(outbound, closeMieru)
 	return outbound, nil
 }
-func closeMieru(m *Mieru) {
+// Close implements C.ProxyAdapter
 func (m *Mieru) Close() error {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 	if m.client != nil && m.client.IsRunning() {
-		m.client.Stop()
+		return m.client.Stop()
 	}
 	return nil
 }
 func metadataToMieruNetAddrSpec(metadata *C.Metadata) mierumodel.NetAddrSpec {
--- a/adapter/outbound/reality.go
+++ b/adapter/outbound/reality.go
@@ -13,23 +13,29 @@ import (
 type RealityOptions struct {
 	PublicKey string `proxy:"public-key"`
 	ShortID   string `proxy:"short-id"`
 	SupportX25519MLKEM768 bool `proxy:"support-x25519mlkem768"`
 }
 func (o RealityOptions) Parse() (*tlsC.RealityConfig, error) {
 	if o.PublicKey != "" {
 		config := new(tlsC.RealityConfig)
 		config.SupportX25519MLKEM768 = o.SupportX25519MLKEM768
 		const x25519ScalarSize = 32
-		var publicKey [x25519ScalarSize]byte
+		publicKey, err := base64.RawURLEncoding.DecodeString(o.PublicKey)
-		n, err := base64.RawURLEncoding.Decode(publicKey[:], []byte(o.PublicKey))
+		if err != nil || len(publicKey) != x25519ScalarSize {
 		if err != nil || n != x25519ScalarSize {
 			return nil, errors.New("invalid REALITY public key")
 		}
-		config.PublicKey, err = ecdh.X25519().NewPublicKey(publicKey[:])
+		config.PublicKey, err = ecdh.X25519().NewPublicKey(publicKey)
 		if err != nil {
 			return nil, fmt.Errorf("fail to create REALITY public key: %w", err)
 		}
 		n := hex.DecodedLen(len(o.ShortID))
 		if n > tlsC.RealityMaxShortIDLen {
 			return nil, errors.New("invalid REALITY short id")
 		}
 		n, err = hex.Decode(config.ShortID[:], []byte(o.ShortID))
 		if err != nil || n > tlsC.RealityMaxShortIDLen {
 			return nil, errors.New("invalid REALITY short ID")
--- a/adapter/outbound/reject.go
+++ b/adapter/outbound/reject.go
@@ -4,10 +4,10 @@ import (
 	"context"
 	"io"
 	"net"
 	"net/netip"
 	"time"
 	"github.com/metacubex/mihomo/common/buf"
 	"github.com/metacubex/mihomo/component/dialer"
 	C "github.com/metacubex/mihomo/constant"
 )
@@ -21,7 +21,7 @@ type RejectOption struct {
 }
 // DialContext implements C.ProxyAdapter
-func (r *Reject) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
+func (r *Reject) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
 	if r.drop {
 		return NewConn(dropConn{}, r), nil
 	}
@@ -29,10 +29,20 @@ func (r *Reject) DialContext(ctx context.Context, metadata *C.Metadata, opts ...
 }
 // ListenPacketContext implements C.ProxyAdapter
-func (r *Reject) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
+func (r *Reject) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (C.PacketConn, error) {
 	if err := r.ResolveUDP(ctx, metadata); err != nil {
 		return nil, err
 	}
 	return newPacketConn(&nopPacketConn{}, r), nil
 }
 func (r *Reject) ResolveUDP(ctx context.Context, metadata *C.Metadata) error {
 	if !metadata.Resolved() {
 		metadata.DstIP = netip.IPv4Unspecified()
 	}
 	return nil
 }
 func NewRejectWithOption(option RejectOption) *Reject {
 	return &Reject{
 		Base: &Base{
--- a/adapter/outbound/shadowsocks.go
+++ b/adapter/outbound/shadowsocks.go
@@ -2,7 +2,6 @@ package outbound
 import (
 	"context"
 	"errors"
 	"fmt"
 	"net"
 	"strconv"
@@ -11,18 +10,17 @@ import (
 	"github.com/metacubex/mihomo/common/structure"
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/proxydialer"
 	"github.com/metacubex/mihomo/component/resolver"
 	C "github.com/metacubex/mihomo/constant"
 	gost "github.com/metacubex/mihomo/transport/gost-plugin"
 	"github.com/metacubex/mihomo/transport/restls"
 	obfs "github.com/metacubex/mihomo/transport/simple-obfs"
 	shadowtls "github.com/metacubex/mihomo/transport/sing-shadowtls"
 	v2rayObfs "github.com/metacubex/mihomo/transport/v2ray-plugin"
 	restlsC "github.com/3andne/restls-client-go"
 	shadowsocks "github.com/metacubex/sing-shadowsocks2"
-	"github.com/sagernet/sing/common/bufio"
+	"github.com/metacubex/sing/common/bufio"
-	M "github.com/sagernet/sing/common/metadata"
+	M "github.com/metacubex/sing/common/metadata"
-	"github.com/sagernet/sing/common/uot"
+	"github.com/metacubex/sing/common/uot"
 )
 type ShadowSocks struct {
@@ -34,8 +32,9 @@ type ShadowSocks struct {
 	obfsMode        string
 	obfsOption      *simpleObfsOption
 	v2rayOption     *v2rayObfs.Option
 	gostOption      *gost.Option
 	shadowTLSOption *shadowtls.ShadowTLSOption
-	restlsConfig    *restlsC.Config
+	restlsConfig    *restls.Config
 }
 type ShadowSocksOption struct {
@@ -63,6 +62,7 @@ type v2rayObfsOption struct {
 	Host                     string            `obfs:"host,omitempty"`
 	Path                     string            `obfs:"path,omitempty"`
 	TLS                      bool              `obfs:"tls,omitempty"`
 	ECHOpts                  ECHOptions        `obfs:"ech-opts,omitempty"`
 	Fingerprint              string            `obfs:"fingerprint,omitempty"`
 	Headers                  map[string]string `obfs:"headers,omitempty"`
 	SkipCertVerify           bool              `obfs:"skip-cert-verify,omitempty"`
@@ -71,12 +71,25 @@ type v2rayObfsOption struct {
 	V2rayHttpUpgradeFastOpen bool              `obfs:"v2ray-http-upgrade-fast-open,omitempty"`
 }
 type gostObfsOption struct {
 	Mode           string            `obfs:"mode"`
 	Host           string            `obfs:"host,omitempty"`
 	Path           string            `obfs:"path,omitempty"`
 	TLS            bool              `obfs:"tls,omitempty"`
 	ECHOpts        ECHOptions        `obfs:"ech-opts,omitempty"`
 	Fingerprint    string            `obfs:"fingerprint,omitempty"`
 	Headers        map[string]string `obfs:"headers,omitempty"`
 	SkipCertVerify bool              `obfs:"skip-cert-verify,omitempty"`
 	Mux            bool              `obfs:"mux,omitempty"`
 }
 type shadowTLSOption struct {
-	Password       string `obfs:"password"`
+	Password       string   `obfs:"password,omitempty"`
-	Host           string `obfs:"host"`
+	Host           string   `obfs:"host"`
-	Fingerprint    string `obfs:"fingerprint,omitempty"`
+	Fingerprint    string   `obfs:"fingerprint,omitempty"`
-	SkipCertVerify bool   `obfs:"skip-cert-verify,omitempty"`
+	SkipCertVerify bool     `obfs:"skip-cert-verify,omitempty"`
-	Version        int    `obfs:"version,omitempty"`
+	Version        int      `obfs:"version,omitempty"`
 	ALPN           []string `obfs:"alpn,omitempty"`
 }
 type restlsOption struct {
@@ -87,7 +100,7 @@ type restlsOption struct {
 }
 // StreamConnContext implements C.ProxyAdapter
-func (ss *ShadowSocks) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+func (ss *ShadowSocks) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (_ net.Conn, err error) {
 	useEarly := false
 	switch ss.obfsMode {
 	case "tls":
@@ -96,20 +109,23 @@ func (ss *ShadowSocks) StreamConnContext(ctx context.Context, c net.Conn, metada
 		_, port, _ := net.SplitHostPort(ss.addr)
 		c = obfs.NewHTTPObfs(c, ss.obfsOption.Host, port)
 	case "websocket":
-		var err error
+		if ss.v2rayOption != nil {
-		c, err = v2rayObfs.NewV2rayObfs(ctx, c, ss.v2rayOption)
+			c, err = v2rayObfs.NewV2rayObfs(ctx, c, ss.v2rayOption)
 		} else if ss.gostOption != nil {
 			c, err = gost.NewGostWebsocket(ctx, c, ss.gostOption)
 		} else {
 			return nil, fmt.Errorf("plugin options is required")
 		}
 		if err != nil {
 			return nil, fmt.Errorf("%s connect error: %w", ss.addr, err)
 		}
 	case shadowtls.Mode:
 		var err error
 		c, err = shadowtls.NewShadowTLS(ctx, c, ss.shadowTLSOption)
 		if err != nil {
 			return nil, err
 		}
 		useEarly = true
 	case restls.Mode:
 		var err error
 		c, err = restls.NewRestls(ctx, c, ss.restlsConfig)
 		if err != nil {
 			return nil, fmt.Errorf("%s (restls) connect error: %w", ss.addr, err)
@@ -117,6 +133,12 @@ func (ss *ShadowSocks) StreamConnContext(ctx context.Context, c net.Conn, metada
 		useEarly = true
 	}
 	useEarly = useEarly || N.NeedHandshake(c)
 	if !useEarly {
 		if ctx.Done() != nil {
 			done := N.SetupContextForConn(ctx, c)
 			defer done(&err)
 		}
 	}
 	if metadata.NetWork == C.UDP && ss.option.UDPOverTCP {
 		uotDestination := uot.RequestDestination(uint8(ss.option.UDPOverTCPVersion))
 		if useEarly {
@@ -133,8 +155,8 @@ func (ss *ShadowSocks) StreamConnContext(ctx context.Context, c net.Conn, metada
 }
 // DialContext implements C.ProxyAdapter
-func (ss *ShadowSocks) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
+func (ss *ShadowSocks) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
-	return ss.DialContextWithDialer(ctx, dialer.NewDialer(ss.Base.DialOptions(opts...)...), metadata)
+	return ss.DialContextWithDialer(ctx, dialer.NewDialer(ss.DialOptions()...), metadata)
 }
 // DialContextWithDialer implements C.ProxyAdapter
@@ -159,8 +181,8 @@ func (ss *ShadowSocks) DialContextWithDialer(ctx context.Context, dialer C.Diale
 }
 // ListenPacketContext implements C.ProxyAdapter
-func (ss *ShadowSocks) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
+func (ss *ShadowSocks) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (C.PacketConn, error) {
-	return ss.ListenPacketWithDialer(ctx, dialer.NewDialer(ss.Base.DialOptions(opts...)...), metadata)
+	return ss.ListenPacketWithDialer(ctx, dialer.NewDialer(ss.DialOptions()...), metadata)
 }
 // ListenPacketWithDialer implements C.ProxyAdapter
@@ -178,7 +200,10 @@ func (ss *ShadowSocks) ListenPacketWithDialer(ctx context.Context, dialer C.Dial
 			return nil, err
 		}
 	}
-	addr, err := resolveUDPAddrWithPrefer(ctx, "udp", ss.addr, ss.prefer)
+	if err = ss.ResolveUDP(ctx, metadata); err != nil {
 		return nil, err
 	}
 	addr, err := resolveUDPAddr(ctx, "udp", ss.addr, ss.prefer)
 	if err != nil {
 		return nil, err
 	}
@@ -206,15 +231,9 @@ func (ss *ShadowSocks) ProxyInfo() C.ProxyInfo {
 // ListenPacketOnStreamConn implements C.ProxyAdapter
 func (ss *ShadowSocks) ListenPacketOnStreamConn(ctx context.Context, c net.Conn, metadata *C.Metadata) (_ C.PacketConn, err error) {
 	if ss.option.UDPOverTCP {
-		// ss uot use stream-oriented udp with a special address, so we need a net.UDPAddr
+		if err = ss.ResolveUDP(ctx, metadata); err != nil {
-		if !metadata.Resolved() {
+			return nil, err
 			ip, err := resolver.ResolveIP(ctx, metadata.Host)
 			if err != nil {
 				return nil, errors.New("can't resolve ip")
 			}
 			metadata.DstIP = ip
 		}
 		destination := M.SocksaddrFromNet(metadata.UDPAddr())
 		if ss.option.UDPOverTCPVersion == uot.LegacyVersion {
 			return newPacketConn(N.NewThreadSafePacketConn(uot.NewConn(c, uot.Request{Destination: destination})), ss), nil
@@ -240,9 +259,10 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 	}
 	var v2rayOption *v2rayObfs.Option
 	var gostOption *gost.Option
 	var obfsOption *simpleObfsOption
 	var shadowTLSOpt *shadowtls.ShadowTLSOption
-	var restlsConfig *restlsC.Config
+	var restlsConfig *restls.Config
 	obfsMode := ""
 	decoder := structure.NewDecoder(structure.Option{TagName: "obfs", WeaklyTypedInput: true})
@@ -280,6 +300,40 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 			v2rayOption.TLS = true
 			v2rayOption.SkipCertVerify = opts.SkipCertVerify
 			v2rayOption.Fingerprint = opts.Fingerprint
 			echConfig, err := opts.ECHOpts.Parse()
 			if err != nil {
 				return nil, fmt.Errorf("ss %s initialize v2ray-plugin error: %w", addr, err)
 			}
 			v2rayOption.ECHConfig = echConfig
 		}
 	} else if option.Plugin == "gost-plugin" {
 		opts := gostObfsOption{Host: "bing.com", Mux: true}
 		if err := decoder.Decode(option.PluginOpts, &opts); err != nil {
 			return nil, fmt.Errorf("ss %s initialize gost-plugin error: %w", addr, err)
 		}
 		if opts.Mode != "websocket" {
 			return nil, fmt.Errorf("ss %s obfs mode error: %s", addr, opts.Mode)
 		}
 		obfsMode = opts.Mode
 		gostOption = &gost.Option{
 			Host:    opts.Host,
 			Path:    opts.Path,
 			Headers: opts.Headers,
 			Mux:     opts.Mux,
 		}
 		if opts.TLS {
 			gostOption.TLS = true
 			gostOption.SkipCertVerify = opts.SkipCertVerify
 			gostOption.Fingerprint = opts.Fingerprint
 			echConfig, err := opts.ECHOpts.Parse()
 			if err != nil {
 				return nil, fmt.Errorf("ss %s initialize gost-plugin error: %w", addr, err)
 			}
 			gostOption.ECHConfig = echConfig
 		}
 	} else if option.Plugin == shadowtls.Mode {
 		obfsMode = shadowtls.Mode
@@ -298,6 +352,12 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 			SkipCertVerify:    opt.SkipCertVerify,
 			Version:           opt.Version,
 		}
 		if opt.ALPN != nil { // structure's Decode will ensure value not nil when input has value even it was set an empty array
 			shadowTLSOpt.ALPN = opt.ALPN
 		} else {
 			shadowTLSOpt.ALPN = shadowtls.DefaultALPN
 		}
 	} else if option.Plugin == restls.Mode {
 		obfsMode = restls.Mode
 		restlsOpt := &restlsOption{}
@@ -305,7 +365,7 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 			return nil, fmt.Errorf("ss %s initialize restls-plugin error: %w", addr, err)
 		}
-		restlsConfig, err = restlsC.NewRestlsConfig(restlsOpt.Host, restlsOpt.Password, restlsOpt.VersionHint, restlsOpt.RestlsScript, option.ClientFingerprint)
+		restlsConfig, err = restls.NewRestlsConfig(restlsOpt.Host, restlsOpt.Password, restlsOpt.VersionHint, restlsOpt.RestlsScript, option.ClientFingerprint)
 		if err != nil {
 			return nil, fmt.Errorf("ss %s initialize restls-plugin error: %w", addr, err)
 		}
@@ -336,6 +396,7 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 		option:          &option,
 		obfsMode:        obfsMode,
 		v2rayOption:     v2rayOption,
 		gostOption:      gostOption,
 		obfsOption:      obfsOption,
 		shadowTLSOption: shadowTLSOpt,
 		restlsConfig:    restlsConfig,
--- a/adapter/outbound/shadowsocksr.go
+++ b/adapter/outbound/shadowsocksr.go
@@ -42,12 +42,15 @@ type ShadowSocksROption struct {
 }
 // StreamConnContext implements C.ProxyAdapter
-func (ssr *ShadowSocksR) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+func (ssr *ShadowSocksR) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (_ net.Conn, err error) {
 	if ctx.Done() != nil {
 		done := N.SetupContextForConn(ctx, c)
 		defer done(&err)
 	}
 	c = ssr.obfs.StreamConn(c)
 	c = ssr.cipher.StreamConn(c)
 	var (
-		iv  []byte
+		iv []byte
 		err error
 	)
 	switch conn := c.(type) {
 	case *shadowstream.Conn:
@@ -64,8 +67,8 @@ func (ssr *ShadowSocksR) StreamConnContext(ctx context.Context, c net.Conn, meta
 }
 // DialContext implements C.ProxyAdapter
-func (ssr *ShadowSocksR) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
+func (ssr *ShadowSocksR) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
-	return ssr.DialContextWithDialer(ctx, dialer.NewDialer(ssr.Base.DialOptions(opts...)...), metadata)
+	return ssr.DialContextWithDialer(ctx, dialer.NewDialer(ssr.DialOptions()...), metadata)
 }
 // DialContextWithDialer implements C.ProxyAdapter
@@ -90,8 +93,8 @@ func (ssr *ShadowSocksR) DialContextWithDialer(ctx context.Context, dialer C.Dia
 }
 // ListenPacketContext implements C.ProxyAdapter
-func (ssr *ShadowSocksR) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
+func (ssr *ShadowSocksR) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (C.PacketConn, error) {
-	return ssr.ListenPacketWithDialer(ctx, dialer.NewDialer(ssr.Base.DialOptions(opts...)...), metadata)
+	return ssr.ListenPacketWithDialer(ctx, dialer.NewDialer(ssr.DialOptions()...), metadata)
 }
 // ListenPacketWithDialer implements C.ProxyAdapter
@@ -102,7 +105,10 @@ func (ssr *ShadowSocksR) ListenPacketWithDialer(ctx context.Context, dialer C.Di
 			return nil, err
 		}
 	}
-	addr, err := resolveUDPAddrWithPrefer(ctx, "udp", ssr.addr, ssr.prefer)
+	if err = ssr.ResolveUDP(ctx, metadata); err != nil {
 		return nil, err
 	}
 	addr, err := resolveUDPAddr(ctx, "udp", ssr.addr, ssr.prefer)
 	if err != nil {
 		return nil, err
 	}
--- a/adapter/outbound/singmux.go
+++ b/adapter/outbound/singmux.go
@@ -2,24 +2,20 @@ package outbound
 import (
 	"context"
 	"errors"
 	"runtime"
 	CN "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/proxydialer"
 	"github.com/metacubex/mihomo/component/resolver"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/log"
-	mux "github.com/sagernet/sing-mux"
+	mux "github.com/metacubex/sing-mux"
-	E "github.com/sagernet/sing/common/exceptions"
+	E "github.com/metacubex/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
+	M "github.com/metacubex/sing/common/metadata"
 )
 type SingMux struct {
-	C.ProxyAdapter
+	ProxyAdapter
 	base    ProxyBase
 	client  *mux.Client
 	dialer  proxydialer.SingDialer
 	onlyTcp bool
@@ -43,36 +39,21 @@ type BrutalOption struct {
 	Down    string `proxy:"down,omitempty"`
 }
-type ProxyBase interface {
+func (s *SingMux) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
 	DialOptions(opts ...dialer.Option) []dialer.Option
 }
 func (s *SingMux) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
 	options := s.base.DialOptions(opts...)
 	s.dialer.SetDialer(dialer.NewDialer(options...))
 	c, err := s.client.DialContext(ctx, "tcp", M.ParseSocksaddrHostPort(metadata.String(), metadata.DstPort))
 	if err != nil {
 		return nil, err
 	}
-	return NewConn(CN.NewRefConn(c, s), s.ProxyAdapter), err
+	return NewConn(c, s), err
 }
-func (s *SingMux) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
+func (s *SingMux) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (_ C.PacketConn, err error) {
 	if s.onlyTcp {
-		return s.ProxyAdapter.ListenPacketContext(ctx, metadata, opts...)
+		return s.ProxyAdapter.ListenPacketContext(ctx, metadata)
 	}
-	options := s.base.DialOptions(opts...)
+	if err = s.ProxyAdapter.ResolveUDP(ctx, metadata); err != nil {
-	s.dialer.SetDialer(dialer.NewDialer(options...))
+		return nil, err
 	// sing-mux use stream-oriented udp with a special address, so we need a net.UDPAddr
 	if !metadata.Resolved() {
 		ip, err := resolver.ResolveIP(ctx, metadata.Host)
 		if err != nil {
 			return nil, errors.New("can't resolve ip")
 		}
 		metadata.DstIP = ip
 	}
 	pc, err := s.client.ListenPacket(ctx, M.SocksaddrFromNet(metadata.UDPAddr()))
 	if err != nil {
 		return nil, err
@@ -80,7 +61,7 @@ func (s *SingMux) ListenPacketContext(ctx context.Context, metadata *C.Metadata,
 	if pc == nil {
 		return nil, E.New("packetConn is nil")
 	}
-	return newPacketConn(CN.NewRefPacketConn(CN.NewThreadSafePacketConn(pc), s), s.ProxyAdapter), nil
+	return newPacketConn(CN.NewThreadSafePacketConn(pc), s), nil
 }
 func (s *SingMux) SupportUDP() bool {
@@ -103,15 +84,19 @@ func (s *SingMux) ProxyInfo() C.ProxyInfo {
 	return info
 }
-func closeSingMux(s *SingMux) {
+// Close implements C.ProxyAdapter
-	_ = s.client.Close()
+func (s *SingMux) Close() error {
 	if s.client != nil {
 		_ = s.client.Close()
 	}
 	return s.ProxyAdapter.Close()
 }
-func NewSingMux(option SingMuxOption, proxy C.ProxyAdapter, base ProxyBase) (C.ProxyAdapter, error) {
+func NewSingMux(option SingMuxOption, proxy ProxyAdapter) (ProxyAdapter, error) {
 	// TODO
 	// "TCP Brutal is only supported on Linux-based systems"
-	singDialer := proxydialer.NewSingDialer(proxy, dialer.NewDialer(), option.Statistic)
+	singDialer := proxydialer.NewSingDialer(proxy, dialer.NewDialer(proxy.DialOptions()...), option.Statistic)
 	client, err := mux.NewClient(mux.Options{
 		Dialer:         singDialer,
 		Logger:         log.SingLogger,
@@ -131,11 +116,9 @@ func NewSingMux(option SingMuxOption, proxy C.ProxyAdapter, base ProxyBase) (C.P
 	}
 	outbound := &SingMux{
 		ProxyAdapter: proxy,
 		base:         base,
 		client:       client,
 		dialer:       singDialer,
 		onlyTcp:      option.OnlyTcp,
 	}
 	runtime.SetFinalizer(outbound, closeSingMux)
 	return outbound, nil
 }
--- a/adapter/outbound/snell.go
+++ b/adapter/outbound/snell.go
@@ -6,6 +6,7 @@ import (
 	"net"
 	"strconv"
 	N "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/common/structure"
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/proxydialer"
@@ -41,7 +42,7 @@ type streamOption struct {
 	obfsOption *simpleObfsOption
 }
-func streamConn(c net.Conn, option streamOption) *snell.Snell {
+func snellStreamConn(c net.Conn, option streamOption) *snell.Snell {
 	switch option.obfsOption.Mode {
 	case "tls":
 		c = obfs.NewTLSObfs(c, option.obfsOption.Host)
@@ -54,31 +55,41 @@ func streamConn(c net.Conn, option streamOption) *snell.Snell {
 // StreamConnContext implements C.ProxyAdapter
 func (s *Snell) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (net.Conn, error) {
-	c = streamConn(c, streamOption{s.psk, s.version, s.addr, s.obfsOption})
+	c = snellStreamConn(c, streamOption{s.psk, s.version, s.addr, s.obfsOption})
-	if metadata.NetWork == C.UDP {
+	err := s.writeHeaderContext(ctx, c, metadata)
 		err := snell.WriteUDPHeader(c, s.version)
 		return c, err
 	}
 	err := snell.WriteHeader(c, metadata.String(), uint(metadata.DstPort), s.version)
 	return c, err
 }
 func (s *Snell) writeHeaderContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (err error) {
 	if ctx.Done() != nil {
 		done := N.SetupContextForConn(ctx, c)
 		defer done(&err)
 	}
 	if metadata.NetWork == C.UDP {
 		err = snell.WriteUDPHeader(c, s.version)
 		return
 	}
 	err = snell.WriteHeader(c, metadata.String(), uint(metadata.DstPort), s.version)
 	return
 }
 // DialContext implements C.ProxyAdapter
-func (s *Snell) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
+func (s *Snell) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
-	if s.version == snell.Version2 && len(opts) == 0 {
+	if s.version == snell.Version2 {
 		c, err := s.pool.Get()
 		if err != nil {
 			return nil, err
 		}
-		if err = snell.WriteHeader(c, metadata.String(), uint(metadata.DstPort), s.version); err != nil {
+		if err = s.writeHeaderContext(ctx, c, metadata); err != nil {
-			c.Close()
+			_ = c.Close()
 			return nil, err
 		}
 		return NewConn(c, s), err
 	}
-	return s.DialContextWithDialer(ctx, dialer.NewDialer(s.Base.DialOptions(opts...)...), metadata)
+	return s.DialContextWithDialer(ctx, dialer.NewDialer(s.DialOptions()...), metadata)
 }
 // DialContextWithDialer implements C.ProxyAdapter
@@ -103,8 +114,8 @@ func (s *Snell) DialContextWithDialer(ctx context.Context, dialer C.Dialer, meta
 }
 // ListenPacketContext implements C.ProxyAdapter
-func (s *Snell) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
+func (s *Snell) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (C.PacketConn, error) {
-	return s.ListenPacketWithDialer(ctx, dialer.NewDialer(s.Base.DialOptions(opts...)...), metadata)
+	return s.ListenPacketWithDialer(ctx, dialer.NewDialer(s.DialOptions()...), metadata)
 }
 // ListenPacketWithDialer implements C.ProxyAdapter
@@ -116,16 +127,15 @@ func (s *Snell) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, met
 			return nil, err
 		}
 	}
 	if err = s.ResolveUDP(ctx, metadata); err != nil {
 		return nil, err
 	}
 	c, err := dialer.DialContext(ctx, "tcp", s.addr)
 	if err != nil {
 		return nil, err
 	}
 	c = streamConn(c, streamOption{s.psk, s.version, s.addr, s.obfsOption})
-	err = snell.WriteUDPHeader(c, s.version)
+	c, err = s.StreamConnContext(ctx, c, metadata)
 	if err != nil {
 		return nil, err
 	}
 	pc := snell.PacketConn(c)
 	return newPacketConn(pc, s), nil
@@ -200,7 +210,7 @@ func NewSnell(option SnellOption) (*Snell, error) {
 	if option.Version == snell.Version2 {
 		s.pool = snell.NewPool(func(ctx context.Context) (*snell.Snell, error) {
 			var err error
-			var cDialer C.Dialer = dialer.NewDialer(s.Base.DialOptions()...)
+			var cDialer C.Dialer = dialer.NewDialer(s.DialOptions()...)
 			if len(s.option.DialerProxy) > 0 {
 				cDialer, err = proxydialer.NewByName(s.option.DialerProxy, cDialer)
 				if err != nil {
@@ -212,7 +222,7 @@ func NewSnell(option SnellOption) (*Snell, error) {
 				return nil, err
 			}
-			return streamConn(c, streamOption{psk, option.Version, addr, obfsOption}), nil
+			return snellStreamConn(c, streamOption{psk, option.Version, addr, obfsOption}), nil
 		})
 	}
 	return s, nil
--- a/adapter/outbound/socks5.go
+++ b/adapter/outbound/socks5.go
@@ -10,6 +10,7 @@ import (
 	"net/netip"
 	"strconv"
 	N "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/component/ca"
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/proxydialer"
@@ -58,15 +59,15 @@ func (ss *Socks5) StreamConnContext(ctx context.Context, c net.Conn, metadata *C
 			Password: ss.pass,
 		}
 	}
-	if _, err := socks5.ClientHandshake(c, serializesSocksAddr(metadata), socks5.CmdConnect, user); err != nil {
+	if _, err := ss.clientHandshakeContext(ctx, c, serializesSocksAddr(metadata), socks5.CmdConnect, user); err != nil {
 		return nil, err
 	}
 	return c, nil
 }
 // DialContext implements C.ProxyAdapter
-func (ss *Socks5) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
+func (ss *Socks5) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
-	return ss.DialContextWithDialer(ctx, dialer.NewDialer(ss.Base.DialOptions(opts...)...), metadata)
+	return ss.DialContextWithDialer(ctx, dialer.NewDialer(ss.DialOptions()...), metadata)
 }
 // DialContextWithDialer implements C.ProxyAdapter
@@ -100,14 +101,17 @@ func (ss *Socks5) SupportWithDialer() C.NetWork {
 }
 // ListenPacketContext implements C.ProxyAdapter
-func (ss *Socks5) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
+func (ss *Socks5) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (_ C.PacketConn, err error) {
-	var cDialer C.Dialer = dialer.NewDialer(ss.Base.DialOptions(opts...)...)
+	var cDialer C.Dialer = dialer.NewDialer(ss.DialOptions()...)
 	if len(ss.option.DialerProxy) > 0 {
 		cDialer, err = proxydialer.NewByName(ss.option.DialerProxy, cDialer)
 		if err != nil {
 			return nil, err
 		}
 	}
 	if err = ss.ResolveUDP(ctx, metadata); err != nil {
 		return nil, err
 	}
 	c, err := cDialer.DialContext(ctx, "tcp", ss.addr)
 	if err != nil {
 		err = fmt.Errorf("%s connect error: %w", ss.addr, err)
@@ -135,7 +139,7 @@ func (ss *Socks5) ListenPacketContext(ctx context.Context, metadata *C.Metadata,
 	}
 	udpAssocateAddr := socks5.AddrFromStdAddrPort(netip.AddrPortFrom(netip.IPv4Unspecified(), 0))
-	bindAddr, err := socks5.ClientHandshake(c, udpAssocateAddr, socks5.CmdUDPAssociate, user)
+	bindAddr, err := ss.clientHandshakeContext(ctx, c, udpAssocateAddr, socks5.CmdUDPAssociate, user)
 	if err != nil {
 		err = fmt.Errorf("client hanshake error: %w", err)
 		return
@@ -147,7 +151,7 @@ func (ss *Socks5) ListenPacketContext(ctx context.Context, metadata *C.Metadata,
 		err = errors.New("invalid UDP bind address")
 		return
 	} else if bindUDPAddr.IP.IsUnspecified() {
-		serverAddr, err := resolveUDPAddr(ctx, "udp", ss.Addr())
+		serverAddr, err := resolveUDPAddr(ctx, "udp", ss.Addr(), C.IPv4Prefer)
 		if err != nil {
 			return nil, err
 		}
@@ -178,6 +182,14 @@ func (ss *Socks5) ProxyInfo() C.ProxyInfo {
 	return info
 }
 func (ss *Socks5) clientHandshakeContext(ctx context.Context, c net.Conn, addr socks5.Addr, command socks5.Command, user *socks5.User) (_ socks5.Addr, err error) {
 	if ctx.Done() != nil {
 		done := N.SetupContextForConn(ctx, c)
 		defer done(&err)
 	}
 	return socks5.ClientHandshake(c, addr, command, user)
 }
 func NewSocks5(option Socks5Option) (*Socks5, error) {
 	var tlsConfig *tls.Config
 	if option.TLS {
--- a/adapter/outbound/ssh.go
+++ b/adapter/outbound/ssh.go
@@ -7,7 +7,6 @@ import (
 	"fmt"
 	"net"
 	"os"
 	"runtime"
 	"strconv"
 	"strings"
 	"sync"
@@ -25,7 +24,10 @@ type Ssh struct {
 	*Base
 	option *SshOption
-	client *sshClient // using a standalone struct to avoid its inner loop invalidate the Finalizer
+
 	config *ssh.ClientConfig
 	client *ssh.Client
 	cMutex sync.Mutex
 }
 type SshOption struct {
@@ -41,15 +43,15 @@ type SshOption struct {
 	HostKeyAlgorithms    []string `proxy:"host-key-algorithms,omitempty"`
 }
-func (s *Ssh) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
+func (s *Ssh) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
-	var cDialer C.Dialer = dialer.NewDialer(s.Base.DialOptions(opts...)...)
+	var cDialer C.Dialer = dialer.NewDialer(s.DialOptions()...)
 	if len(s.option.DialerProxy) > 0 {
 		cDialer, err = proxydialer.NewByName(s.option.DialerProxy, cDialer)
 		if err != nil {
 			return nil, err
 		}
 	}
-	client, err := s.client.connect(ctx, cDialer, s.addr)
+	client, err := s.connect(ctx, cDialer, s.addr)
 	if err != nil {
 		return nil, err
 	}
@@ -58,16 +60,10 @@ func (s *Ssh) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dia
 		return nil, err
 	}
-	return NewConn(N.NewRefConn(c, s), s), nil
+	return NewConn(c, s), nil
 }
-type sshClient struct {
+func (s *Ssh) connect(ctx context.Context, cDialer C.Dialer, addr string) (client *ssh.Client, err error) {
 	config *ssh.ClientConfig
 	client *ssh.Client
 	cMutex sync.Mutex
 }
 func (s *sshClient) connect(ctx context.Context, cDialer C.Dialer, addr string) (client *ssh.Client, err error) {
 	s.cMutex.Lock()
 	defer s.cMutex.Unlock()
 	if s.client != nil {
@@ -108,7 +104,15 @@ func (s *sshClient) connect(ctx context.Context, cDialer C.Dialer, addr string)
 	return client, nil
 }
-func (s *sshClient) Close() error {
+// ProxyInfo implements C.ProxyAdapter
 func (s *Ssh) ProxyInfo() C.ProxyInfo {
 	info := s.Base.ProxyInfo()
 	info.DialerProxy = s.option.DialerProxy
 	return info
 }
 // Close implements C.ProxyAdapter
 func (s *Ssh) Close() error {
 	s.cMutex.Lock()
 	defer s.cMutex.Unlock()
 	if s.client != nil {
@@ -117,17 +121,6 @@ func (s *sshClient) Close() error {
 	return nil
 }
 func closeSsh(s *Ssh) {
 	_ = s.client.Close()
 }
 // ProxyInfo implements C.ProxyAdapter
 func (s *Ssh) ProxyInfo() C.ProxyInfo {
 	info := s.Base.ProxyInfo()
 	info.DialerProxy = s.option.DialerProxy
 	return info
 }
 func NewSsh(option SshOption) (*Ssh, error) {
 	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
@@ -143,7 +136,11 @@ func NewSsh(option SshOption) (*Ssh, error) {
 		if strings.Contains(option.PrivateKey, "PRIVATE KEY") {
 			b = []byte(option.PrivateKey)
 		} else {
-			b, err = os.ReadFile(C.Path.Resolve(option.PrivateKey))
+			path := C.Path.Resolve(option.PrivateKey)
 			if !C.Path.IsSafePath(path) {
 				return nil, C.Path.ErrNotSafePath(path)
 			}
 			b, err = os.ReadFile(path)
 			if err != nil {
 				return nil, err
 			}
@@ -204,11 +201,8 @@ func NewSsh(option SshOption) (*Ssh, error) {
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
 		option: &option,
-		client: &sshClient{
+		config: &config,
 			config: &config,
 		},
 	}
 	runtime.SetFinalizer(outbound, closeSsh)
 	return outbound, nil
 }
--- a/adapter/outbound/trojan.go
+++ b/adapter/outbound/trojan.go
@@ -9,20 +9,23 @@ import (
 	"net/http"
 	"strconv"
 	N "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/component/ca"
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/ech"
 	"github.com/metacubex/mihomo/component/proxydialer"
 	tlsC "github.com/metacubex/mihomo/component/tls"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/transport/gun"
 	"github.com/metacubex/mihomo/transport/shadowsocks/core"
 	"github.com/metacubex/mihomo/transport/trojan"
 	"github.com/metacubex/mihomo/transport/vmess"
 )
 type Trojan struct {
 	*Base
-	instance *trojan.Trojan
+	option      *TrojanOption
-	option   *TrojanOption
+	hexPassword [trojan.KeyLength]byte
 	// for gun mux
 	gunTLSConfig *tls.Config
@@ -30,6 +33,7 @@ type Trojan struct {
 	transport    *gun.TransportWrap
 	realityConfig *tlsC.RealityConfig
 	echConfig     *ech.Config
 	ssCipher core.Cipher
 }
@@ -46,6 +50,7 @@ type TrojanOption struct {
 	Fingerprint       string         `proxy:"fingerprint,omitempty"`
 	UDP               bool           `proxy:"udp,omitempty"`
 	Network           string         `proxy:"network,omitempty"`
 	ECHOpts           ECHOptions     `proxy:"ech-opts,omitempty"`
 	RealityOpts       RealityOptions `proxy:"reality-opts,omitempty"`
 	GrpcOpts          GrpcOptions    `proxy:"grpc-opts,omitempty"`
 	WSOpts            WSOptions      `proxy:"ws-opts,omitempty"`
@@ -60,15 +65,22 @@ type TrojanSSOption struct {
 	Password string `proxy:"password,omitempty"`
 }
-func (t *Trojan) plainStream(ctx context.Context, c net.Conn) (net.Conn, error) {
+// StreamConnContext implements C.ProxyAdapter
-	if t.option.Network == "ws" {
+func (t *Trojan) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (_ net.Conn, err error) {
 	switch t.option.Network {
 	case "ws":
 		host, port, _ := net.SplitHostPort(t.addr)
-		wsOpts := &trojan.WebsocketOption{
+
 		wsOpts := &vmess.WebsocketConfig{
 			Host:                     host,
 			Port:                     port,
 			Path:                     t.option.WSOpts.Path,
 			MaxEarlyData:             t.option.WSOpts.MaxEarlyData,
 			EarlyDataHeaderName:      t.option.WSOpts.EarlyDataHeaderName,
 			V2rayHttpUpgrade:         t.option.WSOpts.V2rayHttpUpgrade,
 			V2rayHttpUpgradeFastOpen: t.option.WSOpts.V2rayHttpUpgradeFastOpen,
 			ClientFingerprint:        t.option.ClientFingerprint,
 			ECHConfig:                t.echConfig,
 			Headers:                  http.Header{},
 		}
@@ -82,63 +94,102 @@ func (t *Trojan) plainStream(ctx context.Context, c net.Conn) (net.Conn, error)
 			}
 		}
-		return t.instance.StreamWebsocketConn(ctx, c, wsOpts)
+		alpn := trojan.DefaultWebsocketALPN
-	}
+		if len(t.option.ALPN) != 0 {
 			alpn = t.option.ALPN
 		}
-	return t.instance.StreamConn(ctx, c)
+		wsOpts.TLS = true
-}
+		tlsConfig := &tls.Config{
 			NextProtos:         alpn,
 			MinVersion:         tls.VersionTLS12,
 			InsecureSkipVerify: t.option.SkipCertVerify,
 			ServerName:         t.option.SNI,
 		}
-// StreamConnContext implements C.ProxyAdapter
+		wsOpts.TLSConfig, err = ca.GetSpecifiedFingerprintTLSConfig(tlsConfig, t.option.Fingerprint)
 func (t *Trojan) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	var err error
 	if tlsC.HaveGlobalFingerprint() && len(t.option.ClientFingerprint) == 0 {
 		t.option.ClientFingerprint = tlsC.GetGlobalFingerprint()
 	}
 	if t.transport != nil {
 		c, err = gun.StreamGunWithConn(c, t.gunTLSConfig, t.gunConfig, t.realityConfig)
 	} else {
 		c, err = t.plainStream(ctx, c)
 	}
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
 	}
 	if t.ssCipher != nil {
 		c = t.ssCipher.StreamConn(c)
 	}
 	if metadata.NetWork == C.UDP {
 		err = t.instance.WriteHeader(c, trojan.CommandUDP, serializesSocksAddr(metadata))
 		return c, err
 	}
 	err = t.instance.WriteHeader(c, trojan.CommandTCP, serializesSocksAddr(metadata))
 	return c, err
 }
 // DialContext implements C.ProxyAdapter
 func (t *Trojan) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
 	// gun transport
 	if t.transport != nil && len(opts) == 0 {
 		c, err := gun.StreamGunWithTransport(t.transport, t.gunConfig)
 		if err != nil {
 			return nil, err
 		}
-		if t.ssCipher != nil {
+		c, err = vmess.StreamWebsocketConn(ctx, c, wsOpts)
-			c = t.ssCipher.StreamConn(c)
+	case "grpc":
 		c, err = gun.StreamGunWithConn(c, t.gunTLSConfig, t.gunConfig, t.echConfig, t.realityConfig)
 	default:
 		// default tcp network
 		// handle TLS
 		alpn := trojan.DefaultALPN
 		if len(t.option.ALPN) != 0 {
 			alpn = t.option.ALPN
 		}
 		c, err = vmess.StreamTLSConn(ctx, c, &vmess.TLSConfig{
 			Host:              t.option.SNI,
 			SkipCertVerify:    t.option.SkipCertVerify,
 			FingerPrint:       t.option.Fingerprint,
 			ClientFingerprint: t.option.ClientFingerprint,
 			NextProtos:        alpn,
 			ECH:               t.echConfig,
 			Reality:           t.realityConfig,
 		})
 	}
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
 	}
-		if err = t.instance.WriteHeader(c, trojan.CommandTCP, serializesSocksAddr(metadata)); err != nil {
+	return t.streamConnContext(ctx, c, metadata)
-			c.Close()
+}
 func (t *Trojan) streamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (_ net.Conn, err error) {
 	if t.ssCipher != nil {
 		c = t.ssCipher.StreamConn(c)
 	}
 	if ctx.Done() != nil {
 		done := N.SetupContextForConn(ctx, c)
 		defer done(&err)
 	}
 	command := trojan.CommandTCP
 	if metadata.NetWork == C.UDP {
 		command = trojan.CommandUDP
 	}
 	err = trojan.WriteHeader(c, t.hexPassword, command, serializesSocksAddr(metadata))
 	return c, err
 }
 func (t *Trojan) writeHeaderContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (err error) {
 	if ctx.Done() != nil {
 		done := N.SetupContextForConn(ctx, c)
 		defer done(&err)
 	}
 	command := trojan.CommandTCP
 	if metadata.NetWork == C.UDP {
 		command = trojan.CommandUDP
 	}
 	err = trojan.WriteHeader(c, t.hexPassword, command, serializesSocksAddr(metadata))
 	return err
 }
 // DialContext implements C.ProxyAdapter
 func (t *Trojan) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
 	var c net.Conn
 	// gun transport
 	if t.transport != nil {
 		c, err = gun.StreamGunWithTransport(t.transport, t.gunConfig)
 		if err != nil {
 			return nil, err
 		}
 		defer func(c net.Conn) {
 			safeConnClose(c, err)
 		}(c)
 		c, err = t.streamConnContext(ctx, c, metadata)
 		if err != nil {
 			return nil, err
 		}
 		return NewConn(c, t), nil
 	}
-	return t.DialContextWithDialer(ctx, dialer.NewDialer(t.Base.DialOptions(opts...)...), metadata)
+	return t.DialContextWithDialer(ctx, dialer.NewDialer(t.DialOptions()...), metadata)
 }
 // DialContextWithDialer implements C.ProxyAdapter
@@ -167,11 +218,15 @@ func (t *Trojan) DialContextWithDialer(ctx context.Context, dialer C.Dialer, met
 }
 // ListenPacketContext implements C.ProxyAdapter
-func (t *Trojan) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
+func (t *Trojan) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (_ C.PacketConn, err error) {
 	if err = t.ResolveUDP(ctx, metadata); err != nil {
 		return nil, err
 	}
 	var c net.Conn
 	// grpc transport
-	if t.transport != nil && len(opts) == 0 {
+	if t.transport != nil {
 		c, err = gun.StreamGunWithTransport(t.transport, t.gunConfig)
 		if err != nil {
 			return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
@@ -180,19 +235,15 @@ func (t *Trojan) ListenPacketContext(ctx context.Context, metadata *C.Metadata,
 			safeConnClose(c, err)
 		}(c)
-		if t.ssCipher != nil {
+		c, err = t.streamConnContext(ctx, c, metadata)
 			c = t.ssCipher.StreamConn(c)
 		}
 		err = t.instance.WriteHeader(c, trojan.CommandUDP, serializesSocksAddr(metadata))
 		if err != nil {
 			return nil, err
 		}
-		pc := t.instance.PacketConn(c)
+		pc := trojan.NewPacketConn(c)
 		return newPacketConn(pc, t), err
 	}
-	return t.ListenPacketWithDialer(ctx, dialer.NewDialer(t.Base.DialOptions(opts...)...), metadata)
+	return t.ListenPacketWithDialer(ctx, dialer.NewDialer(t.DialOptions()...), metadata)
 }
 // ListenPacketWithDialer implements C.ProxyAdapter
@@ -203,6 +254,9 @@ func (t *Trojan) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, me
 			return nil, err
 		}
 	}
 	if err = t.ResolveUDP(ctx, metadata); err != nil {
 		return nil, err
 	}
 	c, err := dialer.DialContext(ctx, "tcp", t.addr)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
@@ -210,21 +264,12 @@ func (t *Trojan) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, me
 	defer func(c net.Conn) {
 		safeConnClose(c, err)
 	}(c)
-	c, err = t.plainStream(ctx, c)
+	c, err = t.StreamConnContext(ctx, c, metadata)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
 	}
 	if t.ssCipher != nil {
 		c = t.ssCipher.StreamConn(c)
 	}
 	err = t.instance.WriteHeader(c, trojan.CommandUDP, serializesSocksAddr(metadata))
 	if err != nil {
 		return nil, err
 	}
-	pc := t.instance.PacketConn(c)
+	pc := trojan.NewPacketConn(c)
 	return newPacketConn(pc, t), err
 }
@@ -233,12 +278,6 @@ func (t *Trojan) SupportWithDialer() C.NetWork {
 	return C.ALLNet
 }
 // ListenPacketOnStreamConn implements C.ProxyAdapter
 func (t *Trojan) ListenPacketOnStreamConn(c net.Conn, metadata *C.Metadata) (_ C.PacketConn, err error) {
 	pc := t.instance.PacketConn(c)
 	return newPacketConn(pc, t), err
 }
 // SupportUOT implements C.ProxyAdapter
 func (t *Trojan) SupportUOT() bool {
 	return true
@@ -251,20 +290,19 @@ func (t *Trojan) ProxyInfo() C.ProxyInfo {
 	return info
 }
 // Close implements C.ProxyAdapter
 func (t *Trojan) Close() error {
 	if t.transport != nil {
 		return t.transport.Close()
 	}
 	return nil
 }
 func NewTrojan(option TrojanOption) (*Trojan, error) {
 	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
-	tOption := &trojan.Option{
+	if option.SNI == "" {
-		Password:          option.Password,
+		option.SNI = option.Server
 		ALPN:              option.ALPN,
 		ServerName:        option.Server,
 		SkipCertVerify:    option.SkipCertVerify,
 		Fingerprint:       option.Fingerprint,
 		ClientFingerprint: option.ClientFingerprint,
 	}
 	if option.SNI != "" {
 		tOption.ServerName = option.SNI
 	}
 	t := &Trojan{
@@ -279,8 +317,8 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
-		instance: trojan.New(tOption),
+		option:      &option,
-		option:   &option,
+		hexPassword: trojan.Key(option.Password),
 	}
 	var err error
@@ -288,7 +326,11 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 	if err != nil {
 		return nil, err
 	}
-	tOption.Reality = t.realityConfig
+
 	t.echConfig, err = option.ECHOpts.Parse()
 	if err != nil {
 		return nil, err
 	}
 	if option.SSOpts.Enabled {
 		if option.SSOpts.Password == "" {
@@ -305,16 +347,16 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 	}
 	if option.Network == "grpc" {
-		dialFn := func(network, addr string) (net.Conn, error) {
+		dialFn := func(ctx context.Context, network, addr string) (net.Conn, error) {
 			var err error
-			var cDialer C.Dialer = dialer.NewDialer(t.Base.DialOptions()...)
+			var cDialer C.Dialer = dialer.NewDialer(t.DialOptions()...)
 			if len(t.option.DialerProxy) > 0 {
 				cDialer, err = proxydialer.NewByName(t.option.DialerProxy, cDialer)
 				if err != nil {
 					return nil, err
 				}
 			}
-			c, err := cDialer.DialContext(context.Background(), "tcp", t.addr)
+			c, err := cDialer.DialContext(ctx, "tcp", t.addr)
 			if err != nil {
 				return nil, fmt.Errorf("%s connect error: %s", t.addr, err.Error())
 			}
@@ -324,8 +366,8 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 		tlsConfig := &tls.Config{
 			NextProtos:         option.ALPN,
 			MinVersion:         tls.VersionTLS12,
-			InsecureSkipVerify: tOption.SkipCertVerify,
+			InsecureSkipVerify: option.SkipCertVerify,
-			ServerName:         tOption.ServerName,
+			ServerName:         option.SNI,
 		}
 		var err error
@@ -334,12 +376,13 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 			return nil, err
 		}
-		t.transport = gun.NewHTTP2Client(dialFn, tlsConfig, tOption.ClientFingerprint, t.realityConfig)
+		t.transport = gun.NewHTTP2Client(dialFn, tlsConfig, option.ClientFingerprint, t.echConfig, t.realityConfig)
 		t.gunTLSConfig = tlsConfig
 		t.gunConfig = &gun.Config{
-			ServiceName: option.GrpcOpts.GrpcServiceName,
+			ServiceName:       option.GrpcOpts.GrpcServiceName,
-			Host:        tOption.ServerName,
+			Host:              option.SNI,
 			ClientFingerprint: option.ClientFingerprint,
 		}
 	}
--- a/adapter/outbound/tuic.go
+++ b/adapter/outbound/tuic.go
@@ -3,7 +3,6 @@ package outbound
 import (
 	"context"
 	"crypto/tls"
 	"errors"
 	"fmt"
 	"math"
 	"net"
@@ -12,21 +11,25 @@ import (
 	"github.com/metacubex/mihomo/component/ca"
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/ech"
 	"github.com/metacubex/mihomo/component/proxydialer"
-	"github.com/metacubex/mihomo/component/resolver"
+	tlsC "github.com/metacubex/mihomo/component/tls"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/transport/tuic"
 	"github.com/gofrs/uuid/v5"
 	"github.com/metacubex/quic-go"
-	M "github.com/sagernet/sing/common/metadata"
+	M "github.com/metacubex/sing/common/metadata"
-	"github.com/sagernet/sing/common/uot"
+	"github.com/metacubex/sing/common/uot"
 )
 type Tuic struct {
 	*Base
 	option *TuicOption
 	client *tuic.PoolClient
 	tlsConfig *tlsC.Config
 	echConfig *ech.Config
 }
 type TuicOption struct {
@@ -47,26 +50,27 @@ type TuicOption struct {
 	DisableSni            bool     `proxy:"disable-sni,omitempty"`
 	MaxUdpRelayPacketSize int      `proxy:"max-udp-relay-packet-size,omitempty"`
-	FastOpen             bool   `proxy:"fast-open,omitempty"`
+	FastOpen             bool       `proxy:"fast-open,omitempty"`
-	MaxOpenStreams       int    `proxy:"max-open-streams,omitempty"`
+	MaxOpenStreams       int        `proxy:"max-open-streams,omitempty"`
-	CWND                 int    `proxy:"cwnd,omitempty"`
+	CWND                 int        `proxy:"cwnd,omitempty"`
-	SkipCertVerify       bool   `proxy:"skip-cert-verify,omitempty"`
+	SkipCertVerify       bool       `proxy:"skip-cert-verify,omitempty"`
-	Fingerprint          string `proxy:"fingerprint,omitempty"`
+	Fingerprint          string     `proxy:"fingerprint,omitempty"`
-	CustomCA             string `proxy:"ca,omitempty"`
+	CustomCA             string     `proxy:"ca,omitempty"`
-	CustomCAString       string `proxy:"ca-str,omitempty"`
+	CustomCAString       string     `proxy:"ca-str,omitempty"`
-	ReceiveWindowConn    int    `proxy:"recv-window-conn,omitempty"`
+	ReceiveWindowConn    int        `proxy:"recv-window-conn,omitempty"`
-	ReceiveWindow        int    `proxy:"recv-window,omitempty"`
+	ReceiveWindow        int        `proxy:"recv-window,omitempty"`
-	DisableMTUDiscovery  bool   `proxy:"disable-mtu-discovery,omitempty"`
+	DisableMTUDiscovery  bool       `proxy:"disable-mtu-discovery,omitempty"`
-	MaxDatagramFrameSize int    `proxy:"max-datagram-frame-size,omitempty"`
+	MaxDatagramFrameSize int        `proxy:"max-datagram-frame-size,omitempty"`
-	SNI                  string `proxy:"sni,omitempty"`
+	SNI                  string     `proxy:"sni,omitempty"`
 	ECHOpts              ECHOptions `proxy:"ech-opts,omitempty"`
 	UDPOverStream        bool `proxy:"udp-over-stream,omitempty"`
 	UDPOverStreamVersion int  `proxy:"udp-over-stream-version,omitempty"`
 }
 // DialContext implements C.ProxyAdapter
-func (t *Tuic) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
+func (t *Tuic) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
-	return t.DialContextWithDialer(ctx, dialer.NewDialer(t.Base.DialOptions(opts...)...), metadata)
+	return t.DialContextWithDialer(ctx, dialer.NewDialer(t.DialOptions()...), metadata)
 }
 // DialContextWithDialer implements C.ProxyAdapter
@@ -79,12 +83,16 @@ func (t *Tuic) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metad
 }
 // ListenPacketContext implements C.ProxyAdapter
-func (t *Tuic) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
+func (t *Tuic) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (_ C.PacketConn, err error) {
-	return t.ListenPacketWithDialer(ctx, dialer.NewDialer(t.Base.DialOptions(opts...)...), metadata)
+	return t.ListenPacketWithDialer(ctx, dialer.NewDialer(t.DialOptions()...), metadata)
 }
 // ListenPacketWithDialer implements C.ProxyAdapter
 func (t *Tuic) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.PacketConn, err error) {
 	if err = t.ResolveUDP(ctx, metadata); err != nil {
 		return nil, err
 	}
 	if t.option.UDPOverStream {
 		uotDestination := uot.RequestDestination(uint8(t.option.UDPOverStreamVersion))
 		uotMetadata := *metadata
@@ -96,13 +104,6 @@ func (t *Tuic) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, meta
 		}
 		// tuic uos use stream-oriented udp with a special address, so we need a net.UDPAddr
 		if !metadata.Resolved() {
 			ip, err := resolver.ResolveIP(ctx, metadata.Host)
 			if err != nil {
 				return nil, errors.New("can't resolve ip")
 			}
 			metadata.DstIP = ip
 		}
 		destination := M.SocksaddrFromNet(metadata.UDPAddr())
 		if t.option.UDPOverStreamVersion == uot.LegacyVersion {
@@ -130,7 +131,11 @@ func (t *Tuic) dialWithDialer(ctx context.Context, dialer C.Dialer) (transport *
 			return nil, nil, err
 		}
 	}
-	udpAddr, err := resolveUDPAddrWithPrefer(ctx, "udp", t.addr, t.prefer)
+	udpAddr, err := resolveUDPAddr(ctx, "udp", t.addr, t.prefer)
 	if err != nil {
 		return nil, nil, err
 	}
 	err = t.echConfig.ClientHandle(ctx, t.tlsConfig)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -248,6 +253,12 @@ func NewTuic(option TuicOption) (*Tuic, error) {
 		tlsConfig.InsecureSkipVerify = true // tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config
 	}
 	tlsClientConfig := tlsC.UConfig(tlsConfig)
 	echConfig, err := option.ECHOpts.Parse()
 	if err != nil {
 		return nil, err
 	}
 	switch option.UDPOverStreamVersion {
 	case uot.Version, uot.LegacyVersion:
 	case 0:
@@ -267,7 +278,9 @@ func NewTuic(option TuicOption) (*Tuic, error) {
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
-		option: &option,
+		option:    &option,
 		tlsConfig: tlsClientConfig,
 		echConfig: echConfig,
 	}
 	clientMaxOpenStreams := int64(option.MaxOpenStreams)
@@ -284,7 +297,7 @@ func NewTuic(option TuicOption) (*Tuic, error) {
 	if len(option.Token) > 0 {
 		tkn := tuic.GenTKN(option.Token)
 		clientOption := &tuic.ClientOptionV4{
-			TlsConfig:             tlsConfig,
+			TlsConfig:             tlsClientConfig,
 			QuicConfig:            quicConfig,
 			Token:                 tkn,
 			UdpRelayMode:          udpRelayMode,
@@ -304,7 +317,7 @@ func NewTuic(option TuicOption) (*Tuic, error) {
 			maxUdpRelayPacketSize = tuic.MaxFragSizeV5
 		}
 		clientOption := &tuic.ClientOptionV5{
-			TlsConfig:             tlsConfig,
+			TlsConfig:             tlsClientConfig,
 			QuicConfig:            quicConfig,
 			Uuid:                  uuid.FromStringOrNil(option.UUID),
 			Password:              option.Password,
--- a/adapter/outbound/util.go
+++ b/adapter/outbound/util.go
@@ -3,118 +3,59 @@ package outbound
 import (
 	"bytes"
 	"context"
 	"crypto/tls"
 	"fmt"
 	"net"
 	"net/netip"
 	"regexp"
 	"strconv"
 	"sync"
 	"github.com/metacubex/mihomo/component/resolver"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/transport/socks5"
 )
 var (
 	globalClientSessionCache tls.ClientSessionCache
 	once                     sync.Once
 )
 func getClientSessionCache() tls.ClientSessionCache {
 	once.Do(func() {
 		globalClientSessionCache = tls.NewLRUClientSessionCache(128)
 	})
 	return globalClientSessionCache
 }
 func serializesSocksAddr(metadata *C.Metadata) []byte {
 	var buf [][]byte
 	addrType := metadata.AddrType()
 	aType := uint8(addrType)
 	p := uint(metadata.DstPort)
 	port := []byte{uint8(p >> 8), uint8(p & 0xff)}
 	switch addrType {
-	case socks5.AtypDomainName:
+	case C.AtypDomainName:
 		lenM := uint8(len(metadata.Host))
 		host := []byte(metadata.Host)
-		buf = [][]byte{{aType, lenM}, host, port}
+		buf = [][]byte{{socks5.AtypDomainName, lenM}, host, port}
-	case socks5.AtypIPv4:
+	case C.AtypIPv4:
 		host := metadata.DstIP.AsSlice()
-		buf = [][]byte{{aType}, host, port}
+		buf = [][]byte{{socks5.AtypIPv4}, host, port}
-	case socks5.AtypIPv6:
+	case C.AtypIPv6:
 		host := metadata.DstIP.AsSlice()
-		buf = [][]byte{{aType}, host, port}
+		buf = [][]byte{{socks5.AtypIPv6}, host, port}
 	}
 	return bytes.Join(buf, nil)
 }
-func resolveUDPAddr(ctx context.Context, network, address string) (*net.UDPAddr, error) {
+func resolveUDPAddr(ctx context.Context, network, address string, prefer C.DNSPrefer) (*net.UDPAddr, error) {
 	host, port, err := net.SplitHostPort(address)
 	if err != nil {
 		return nil, err
 	}
 	ip, err := resolver.ResolveIPWithResolver(ctx, host, resolver.ProxyServerHostResolver)
 	if err != nil {
 		return nil, err
 	}
 	return net.ResolveUDPAddr(network, net.JoinHostPort(ip.String(), port))
 }
 func resolveUDPAddrWithPrefer(ctx context.Context, network, address string, prefer C.DNSPrefer) (*net.UDPAddr, error) {
 	host, port, err := net.SplitHostPort(address)
 	if err != nil {
 		return nil, err
 	}
 	var ip netip.Addr
 	var fallback netip.Addr
 	switch prefer {
 	case C.IPv4Only:
 		ip, err = resolver.ResolveIPv4WithResolver(ctx, host, resolver.ProxyServerHostResolver)
 	case C.IPv6Only:
 		ip, err = resolver.ResolveIPv6WithResolver(ctx, host, resolver.ProxyServerHostResolver)
 	case C.IPv6Prefer:
-		var ips []netip.Addr
+		ip, err = resolver.ResolveIPPrefer6WithResolver(ctx, host, resolver.ProxyServerHostResolver)
 		ips, err = resolver.LookupIPWithResolver(ctx, host, resolver.ProxyServerHostResolver)
 		if err == nil {
 			for _, addr := range ips {
 				if addr.Is6() {
 					ip = addr
 					break
 				} else {
 					if !fallback.IsValid() {
 						fallback = addr
 					}
 				}
 			}
 		}
 	default:
-		// C.IPv4Prefer, C.DualStack and other
+		ip, err = resolver.ResolveIPWithResolver(ctx, host, resolver.ProxyServerHostResolver)
 		var ips []netip.Addr
 		ips, err = resolver.LookupIPWithResolver(ctx, host, resolver.ProxyServerHostResolver)
 		if err == nil {
 			for _, addr := range ips {
 				if addr.Is4() {
 					ip = addr
 					break
 				} else {
 					if !fallback.IsValid() {
 						fallback = addr
 					}
 				}
 			}
 		}
 	}
 	if !ip.IsValid() && fallback.IsValid() {
 		ip = fallback
 	}
 	if err != nil {
 		return nil, err
 	}
 	ip, port = resolver.LookupIP4P(ip, port)
 	return net.ResolveUDPAddr(network, net.JoinHostPort(ip.String(), port))
 }
--- a/adapter/outbound/vless.go
+++ b/adapter/outbound/vless.go
@@ -17,18 +17,17 @@ import (
 	"github.com/metacubex/mihomo/common/utils"
 	"github.com/metacubex/mihomo/component/ca"
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/ech"
 	"github.com/metacubex/mihomo/component/proxydialer"
 	"github.com/metacubex/mihomo/component/resolver"
 	tlsC "github.com/metacubex/mihomo/component/tls"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/transport/gun"
 	"github.com/metacubex/mihomo/transport/socks5"
 	"github.com/metacubex/mihomo/transport/vless"
 	"github.com/metacubex/mihomo/transport/vmess"
 	vmessSing "github.com/metacubex/sing-vmess"
 	"github.com/metacubex/sing-vmess/packetaddr"
-	M "github.com/sagernet/sing/common/metadata"
+	M "github.com/metacubex/sing/common/metadata"
 )
 const (
@@ -47,6 +46,7 @@ type Vless struct {
 	transport    *gun.TransportWrap
 	realityConfig *tlsC.RealityConfig
 	echConfig     *ech.Config
 }
 type VlessOption struct {
@@ -63,6 +63,7 @@ type VlessOption struct {
 	XUDP              bool              `proxy:"xudp,omitempty"`
 	PacketEncoding    string            `proxy:"packet-encoding,omitempty"`
 	Network           string            `proxy:"network,omitempty"`
 	ECHOpts           ECHOptions        `proxy:"ech-opts,omitempty"`
 	RealityOpts       RealityOptions    `proxy:"reality-opts,omitempty"`
 	HTTPOpts          HTTPOptions       `proxy:"http-opts,omitempty"`
 	HTTP2Opts         HTTP2Options      `proxy:"h2-opts,omitempty"`
@@ -76,13 +77,7 @@ type VlessOption struct {
 	ClientFingerprint string            `proxy:"client-fingerprint,omitempty"`
 }
-func (v *Vless) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+func (v *Vless) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (_ net.Conn, err error) {
 	var err error
 	if tlsC.HaveGlobalFingerprint() && len(v.option.ClientFingerprint) == 0 {
 		v.option.ClientFingerprint = tlsC.GetGlobalFingerprint()
 	}
 	switch v.option.Network {
 	case "ws":
 		host, port, _ := net.SplitHostPort(v.addr)
@@ -95,6 +90,7 @@ func (v *Vless) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 			V2rayHttpUpgrade:         v.option.WSOpts.V2rayHttpUpgrade,
 			V2rayHttpUpgradeFastOpen: v.option.WSOpts.V2rayHttpUpgradeFastOpen,
 			ClientFingerprint:        v.option.ClientFingerprint,
 			ECHConfig:                v.echConfig,
 			Headers:                  http.Header{},
 		}
@@ -156,9 +152,9 @@ func (v *Vless) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 			Path:  v.option.HTTP2Opts.Path,
 		}
-		c, err = vmess.StreamH2Conn(c, h2Opts)
+		c, err = vmess.StreamH2Conn(ctx, c, h2Opts)
 	case "grpc":
-		c, err = gun.StreamGunWithConn(c, v.gunTLSConfig, v.gunConfig, v.realityConfig)
+		c, err = gun.StreamGunWithConn(c, v.gunTLSConfig, v.gunConfig, v.echConfig, v.realityConfig)
 	default:
 		// default tcp network
 		// handle TLS
@@ -169,10 +165,14 @@ func (v *Vless) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 		return nil, err
 	}
-	return v.streamConn(c, metadata)
+	return v.streamConnContext(ctx, c, metadata)
 }
-func (v *Vless) streamConn(c net.Conn, metadata *C.Metadata) (conn net.Conn, err error) {
+func (v *Vless) streamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (conn net.Conn, err error) {
 	if ctx.Done() != nil {
 		done := N.SetupContextForConn(ctx, c)
 		defer done(&err)
 	}
 	if metadata.NetWork == C.UDP {
 		if v.option.PacketAddr {
 			metadata = &C.Metadata{
@@ -209,6 +209,7 @@ func (v *Vless) streamTLSConn(ctx context.Context, conn net.Conn, isH2 bool) (ne
 			SkipCertVerify:    v.option.SkipCertVerify,
 			FingerPrint:       v.option.Fingerprint,
 			ClientFingerprint: v.option.ClientFingerprint,
 			ECH:               v.echConfig,
 			Reality:           v.realityConfig,
 			NextProtos:        v.option.ALPN,
 		}
@@ -228,10 +229,11 @@ func (v *Vless) streamTLSConn(ctx context.Context, conn net.Conn, isH2 bool) (ne
 }
 // DialContext implements C.ProxyAdapter
-func (v *Vless) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
+func (v *Vless) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
 	var c net.Conn
 	// gun transport
-	if v.transport != nil && len(opts) == 0 {
+	if v.transport != nil {
-		c, err := gun.StreamGunWithTransport(v.transport, v.gunConfig)
+		c, err = gun.StreamGunWithTransport(v.transport, v.gunConfig)
 		if err != nil {
 			return nil, err
 		}
@@ -239,14 +241,14 @@ func (v *Vless) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d
 			safeConnClose(c, err)
 		}(c)
-		c, err = v.client.StreamConn(c, parseVlessAddr(metadata, v.option.XUDP))
+		c, err = v.streamConnContext(ctx, c, metadata)
 		if err != nil {
 			return nil, err
 		}
 		return NewConn(c, v), nil
 	}
-	return v.DialContextWithDialer(ctx, dialer.NewDialer(v.Base.DialOptions(opts...)...), metadata)
+	return v.DialContextWithDialer(ctx, dialer.NewDialer(v.DialOptions()...), metadata)
 }
 // DialContextWithDialer implements C.ProxyAdapter
@@ -273,18 +275,13 @@ func (v *Vless) DialContextWithDialer(ctx context.Context, dialer C.Dialer, meta
 }
 // ListenPacketContext implements C.ProxyAdapter
-func (v *Vless) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
+func (v *Vless) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (_ C.PacketConn, err error) {
-	// vless use stream-oriented udp with a special address, so we need a net.UDPAddr
+	if err = v.ResolveUDP(ctx, metadata); err != nil {
-	if !metadata.Resolved() {
+		return nil, err
 		ip, err := resolver.ResolveIP(ctx, metadata.Host)
 		if err != nil {
 			return nil, errors.New("can't resolve ip")
 		}
 		metadata.DstIP = ip
 	}
 	var c net.Conn
 	// gun transport
-	if v.transport != nil && len(opts) == 0 {
+	if v.transport != nil {
 		c, err = gun.StreamGunWithTransport(v.transport, v.gunConfig)
 		if err != nil {
 			return nil, err
@@ -293,14 +290,14 @@ func (v *Vless) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o
 			safeConnClose(c, err)
 		}(c)
-		c, err = v.streamConn(c, metadata)
+		c, err = v.streamConnContext(ctx, c, metadata)
 		if err != nil {
 			return nil, fmt.Errorf("new vless client error: %v", err)
 		}
 		return v.ListenPacketOnStreamConn(ctx, c, metadata)
 	}
-	return v.ListenPacketWithDialer(ctx, dialer.NewDialer(v.Base.DialOptions(opts...)...), metadata)
+	return v.ListenPacketWithDialer(ctx, dialer.NewDialer(v.DialOptions()...), metadata)
 }
 // ListenPacketWithDialer implements C.ProxyAdapter
@@ -312,13 +309,8 @@ func (v *Vless) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, met
 		}
 	}
-	// vless use stream-oriented udp with a special address, so we need a net.UDPAddr
+	if err = v.ResolveUDP(ctx, metadata); err != nil {
-	if !metadata.Resolved() {
+		return nil, err
 		ip, err := resolver.ResolveIP(ctx, metadata.Host)
 		if err != nil {
 			return nil, errors.New("can't resolve ip")
 		}
 		metadata.DstIP = ip
 	}
 	c, err := dialer.DialContext(ctx, "tcp", v.addr)
@@ -344,13 +336,8 @@ func (v *Vless) SupportWithDialer() C.NetWork {
 // ListenPacketOnStreamConn implements C.ProxyAdapter
 func (v *Vless) ListenPacketOnStreamConn(ctx context.Context, c net.Conn, metadata *C.Metadata) (_ C.PacketConn, err error) {
-	// vless use stream-oriented udp with a special address, so we need a net.UDPAddr
+	if err = v.ResolveUDP(ctx, metadata); err != nil {
-	if !metadata.Resolved() {
+		return nil, err
 		ip, err := resolver.ResolveIP(ctx, metadata.Host)
 		if err != nil {
 			return nil, errors.New("can't resolve ip")
 		}
 		metadata.DstIP = ip
 	}
 	if v.option.XUDP {
@@ -385,19 +372,27 @@ func (v *Vless) ProxyInfo() C.ProxyInfo {
 	return info
 }
 // Close implements C.ProxyAdapter
 func (v *Vless) Close() error {
 	if v.transport != nil {
 		return v.transport.Close()
 	}
 	return nil
 }
 func parseVlessAddr(metadata *C.Metadata, xudp bool) *vless.DstAddr {
 	var addrType byte
 	var addr []byte
 	switch metadata.AddrType() {
-	case socks5.AtypIPv4:
+	case C.AtypIPv4:
 		addrType = vless.AtypIPv4
 		addr = make([]byte, net.IPv4len)
 		copy(addr[:], metadata.DstIP.AsSlice())
-	case socks5.AtypIPv6:
+	case C.AtypIPv6:
 		addrType = vless.AtypIPv6
 		addr = make([]byte, net.IPv6len)
 		copy(addr[:], metadata.DstIP.AsSlice())
-	case socks5.AtypDomainName:
+	case C.AtypDomainName:
 		addrType = vless.AtypDomainName
 		addr = make([]byte, len(metadata.Host)+1)
 		addr[0] = byte(len(metadata.Host))
@@ -557,22 +552,27 @@ func NewVless(option VlessOption) (*Vless, error) {
 		return nil, err
 	}
 	v.echConfig, err = v.option.ECHOpts.Parse()
 	if err != nil {
 		return nil, err
 	}
 	switch option.Network {
 	case "h2":
 		if len(option.HTTP2Opts.Host) == 0 {
 			option.HTTP2Opts.Host = append(option.HTTP2Opts.Host, "www.example.com")
 		}
 	case "grpc":
-		dialFn := func(network, addr string) (net.Conn, error) {
+		dialFn := func(ctx context.Context, network, addr string) (net.Conn, error) {
 			var err error
-			var cDialer C.Dialer = dialer.NewDialer(v.Base.DialOptions()...)
+			var cDialer C.Dialer = dialer.NewDialer(v.DialOptions()...)
 			if len(v.option.DialerProxy) > 0 {
 				cDialer, err = proxydialer.NewByName(v.option.DialerProxy, cDialer)
 				if err != nil {
 					return nil, err
 				}
 			}
-			c, err := cDialer.DialContext(context.Background(), "tcp", v.addr)
+			c, err := cDialer.DialContext(ctx, "tcp", v.addr)
 			if err != nil {
 				return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
 			}
@@ -589,10 +589,13 @@ func NewVless(option VlessOption) (*Vless, error) {
 		}
 		var tlsConfig *tls.Config
 		if option.TLS {
-			tlsConfig = ca.GetGlobalTLSConfig(&tls.Config{
+			tlsConfig, err = ca.GetSpecifiedFingerprintTLSConfig(&tls.Config{
 				InsecureSkipVerify: v.option.SkipCertVerify,
 				ServerName:         v.option.ServerName,
-			})
+			}, v.option.Fingerprint)
 			if err != nil {
 				return nil, err
 			}
 			if option.ServerName == "" {
 				host, _, _ := net.SplitHostPort(v.addr)
 				tlsConfig.ServerName = host
@@ -602,7 +605,7 @@ func NewVless(option VlessOption) (*Vless, error) {
 		v.gunTLSConfig = tlsConfig
 		v.gunConfig = gunConfig
-		v.transport = gun.NewHTTP2Client(dialFn, tlsConfig, v.option.ClientFingerprint, v.realityConfig)
+		v.transport = gun.NewHTTP2Client(dialFn, tlsConfig, v.option.ClientFingerprint, v.echConfig, v.realityConfig)
 	}
 	return v, nil
--- a/adapter/outbound/vmess.go
+++ b/adapter/outbound/vmess.go
@@ -15,8 +15,8 @@ import (
 	"github.com/metacubex/mihomo/common/utils"
 	"github.com/metacubex/mihomo/component/ca"
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/ech"
 	"github.com/metacubex/mihomo/component/proxydialer"
 	"github.com/metacubex/mihomo/component/resolver"
 	tlsC "github.com/metacubex/mihomo/component/tls"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/ntp"
@@ -25,7 +25,7 @@ import (
 	vmess "github.com/metacubex/sing-vmess"
 	"github.com/metacubex/sing-vmess/packetaddr"
-	M "github.com/sagernet/sing/common/metadata"
+	M "github.com/metacubex/sing/common/metadata"
 )
 var ErrUDPRemoteAddrMismatch = errors.New("udp packet dropped due to mismatched remote address")
@@ -41,6 +41,7 @@ type Vmess struct {
 	transport    *gun.TransportWrap
 	realityConfig *tlsC.RealityConfig
 	echConfig     *ech.Config
 }
 type VmessOption struct {
@@ -58,6 +59,7 @@ type VmessOption struct {
 	SkipCertVerify      bool           `proxy:"skip-cert-verify,omitempty"`
 	Fingerprint         string         `proxy:"fingerprint,omitempty"`
 	ServerName          string         `proxy:"servername,omitempty"`
 	ECHOpts             ECHOptions     `proxy:"ech-opts,omitempty"`
 	RealityOpts         RealityOptions `proxy:"reality-opts,omitempty"`
 	HTTPOpts            HTTPOptions    `proxy:"http-opts,omitempty"`
 	HTTP2Opts           HTTP2Options   `proxy:"h2-opts,omitempty"`
@@ -96,13 +98,7 @@ type WSOptions struct {
 }
 // StreamConnContext implements C.ProxyAdapter
-func (v *Vmess) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+func (v *Vmess) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (_ net.Conn, err error) {
 	var err error
 	if tlsC.HaveGlobalFingerprint() && (len(v.option.ClientFingerprint) == 0) {
 		v.option.ClientFingerprint = tlsC.GetGlobalFingerprint()
 	}
 	switch v.option.Network {
 	case "ws":
 		host, port, _ := net.SplitHostPort(v.addr)
@@ -115,6 +111,7 @@ func (v *Vmess) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 			V2rayHttpUpgrade:         v.option.WSOpts.V2rayHttpUpgrade,
 			V2rayHttpUpgradeFastOpen: v.option.WSOpts.V2rayHttpUpgradeFastOpen,
 			ClientFingerprint:        v.option.ClientFingerprint,
 			ECHConfig:                v.echConfig,
 			Headers:                  http.Header{},
 		}
@@ -152,6 +149,7 @@ func (v *Vmess) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 				Host:              host,
 				SkipCertVerify:    v.option.SkipCertVerify,
 				ClientFingerprint: v.option.ClientFingerprint,
 				ECH:               v.echConfig,
 				Reality:           v.realityConfig,
 				NextProtos:        v.option.ALPN,
 			}
@@ -199,9 +197,9 @@ func (v *Vmess) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 			Path:  v.option.HTTP2Opts.Path,
 		}
-		c, err = mihomoVMess.StreamH2Conn(c, h2Opts)
+		c, err = mihomoVMess.StreamH2Conn(ctx, c, h2Opts)
 	case "grpc":
-		c, err = gun.StreamGunWithConn(c, v.gunTLSConfig, v.gunConfig, v.realityConfig)
+		c, err = gun.StreamGunWithConn(c, v.gunTLSConfig, v.gunConfig, v.echConfig, v.realityConfig)
 	default:
 		// handle TLS
 		if v.option.TLS {
@@ -211,6 +209,7 @@ func (v *Vmess) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 				SkipCertVerify:    v.option.SkipCertVerify,
 				FingerPrint:       v.option.Fingerprint,
 				ClientFingerprint: v.option.ClientFingerprint,
 				ECH:               v.echConfig,
 				Reality:           v.realityConfig,
 				NextProtos:        v.option.ALPN,
 			}
@@ -226,17 +225,24 @@ func (v *Vmess) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 	if err != nil {
 		return nil, err
 	}
-	return v.streamConn(c, metadata)
+	return v.streamConnContext(ctx, c, metadata)
 }
-func (v *Vmess) streamConn(c net.Conn, metadata *C.Metadata) (conn net.Conn, err error) {
+func (v *Vmess) streamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (conn net.Conn, err error) {
 	useEarly := N.NeedHandshake(c)
 	if !useEarly {
 		if ctx.Done() != nil {
 			done := N.SetupContextForConn(ctx, c)
 			defer done(&err)
 		}
 	}
 	if metadata.NetWork == C.UDP {
 		if v.option.XUDP {
 			var globalID [8]byte
 			if metadata.SourceValid() {
 				globalID = utils.GlobalID(metadata.SourceAddress())
 			}
-			if N.NeedHandshake(c) {
+			if useEarly {
 				conn = v.client.DialEarlyXUDPPacketConn(c,
 					globalID,
 					M.SocksaddrFromNet(metadata.UDPAddr()))
@@ -246,7 +252,7 @@ func (v *Vmess) streamConn(c net.Conn, metadata *C.Metadata) (conn net.Conn, err
 					M.SocksaddrFromNet(metadata.UDPAddr()))
 			}
 		} else if v.option.PacketAddr {
-			if N.NeedHandshake(c) {
+			if useEarly {
 				conn = v.client.DialEarlyPacketConn(c,
 					M.ParseSocksaddrHostPort(packetaddr.SeqPacketMagicAddress, 443))
 			} else {
@@ -255,7 +261,7 @@ func (v *Vmess) streamConn(c net.Conn, metadata *C.Metadata) (conn net.Conn, err
 			}
 			conn = packetaddr.NewBindConn(conn)
 		} else {
-			if N.NeedHandshake(c) {
+			if useEarly {
 				conn = v.client.DialEarlyPacketConn(c,
 					M.SocksaddrFromNet(metadata.UDPAddr()))
 			} else {
@@ -264,7 +270,7 @@ func (v *Vmess) streamConn(c net.Conn, metadata *C.Metadata) (conn net.Conn, err
 			}
 		}
 	} else {
-		if N.NeedHandshake(c) {
+		if useEarly {
 			conn = v.client.DialEarlyConn(c,
 				M.ParseSocksaddrHostPort(metadata.String(), metadata.DstPort))
 		} else {
@@ -279,10 +285,11 @@ func (v *Vmess) streamConn(c net.Conn, metadata *C.Metadata) (conn net.Conn, err
 }
 // DialContext implements C.ProxyAdapter
-func (v *Vmess) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
+func (v *Vmess) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
 	var c net.Conn
 	// gun transport
-	if v.transport != nil && len(opts) == 0 {
+	if v.transport != nil {
-		c, err := gun.StreamGunWithTransport(v.transport, v.gunConfig)
+		c, err = gun.StreamGunWithTransport(v.transport, v.gunConfig)
 		if err != nil {
 			return nil, err
 		}
@@ -290,14 +297,14 @@ func (v *Vmess) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d
 			safeConnClose(c, err)
 		}(c)
-		c, err = v.client.DialConn(c, M.ParseSocksaddrHostPort(metadata.String(), metadata.DstPort))
+		c, err = v.streamConnContext(ctx, c, metadata)
 		if err != nil {
 			return nil, err
 		}
 		return NewConn(c, v), nil
 	}
-	return v.DialContextWithDialer(ctx, dialer.NewDialer(v.Base.DialOptions(opts...)...), metadata)
+	return v.DialContextWithDialer(ctx, dialer.NewDialer(v.DialOptions()...), metadata)
 }
 // DialContextWithDialer implements C.ProxyAdapter
@@ -321,18 +328,13 @@ func (v *Vmess) DialContextWithDialer(ctx context.Context, dialer C.Dialer, meta
 }
 // ListenPacketContext implements C.ProxyAdapter
-func (v *Vmess) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
+func (v *Vmess) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (_ C.PacketConn, err error) {
-	// vmess use stream-oriented udp with a special address, so we need a net.UDPAddr
+	if err = v.ResolveUDP(ctx, metadata); err != nil {
-	if !metadata.Resolved() {
+		return nil, err
 		ip, err := resolver.ResolveIP(ctx, metadata.Host)
 		if err != nil {
 			return nil, errors.New("can't resolve ip")
 		}
 		metadata.DstIP = ip
 	}
 	var c net.Conn
 	// gun transport
-	if v.transport != nil && len(opts) == 0 {
+	if v.transport != nil {
 		c, err = gun.StreamGunWithTransport(v.transport, v.gunConfig)
 		if err != nil {
 			return nil, err
@@ -341,13 +343,13 @@ func (v *Vmess) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o
 			safeConnClose(c, err)
 		}(c)
-		c, err = v.streamConn(c, metadata)
+		c, err = v.streamConnContext(ctx, c, metadata)
 		if err != nil {
 			return nil, fmt.Errorf("new vmess client error: %v", err)
 		}
 		return v.ListenPacketOnStreamConn(ctx, c, metadata)
 	}
-	return v.ListenPacketWithDialer(ctx, dialer.NewDialer(v.Base.DialOptions(opts...)...), metadata)
+	return v.ListenPacketWithDialer(ctx, dialer.NewDialer(v.DialOptions()...), metadata)
 }
 // ListenPacketWithDialer implements C.ProxyAdapter
@@ -359,13 +361,8 @@ func (v *Vmess) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, met
 		}
 	}
-	// vmess use stream-oriented udp with a special address, so we need a net.UDPAddr
+	if err = v.ResolveUDP(ctx, metadata); err != nil {
-	if !metadata.Resolved() {
+		return nil, err
 		ip, err := resolver.ResolveIP(ctx, metadata.Host)
 		if err != nil {
 			return nil, errors.New("can't resolve ip")
 		}
 		metadata.DstIP = ip
 	}
 	c, err := dialer.DialContext(ctx, "tcp", v.addr)
@@ -395,15 +392,18 @@ func (v *Vmess) ProxyInfo() C.ProxyInfo {
 	return info
 }
 // Close implements C.ProxyAdapter
 func (v *Vmess) Close() error {
 	if v.transport != nil {
 		return v.transport.Close()
 	}
 	return nil
 }
 // ListenPacketOnStreamConn implements C.ProxyAdapter
 func (v *Vmess) ListenPacketOnStreamConn(ctx context.Context, c net.Conn, metadata *C.Metadata) (_ C.PacketConn, err error) {
-	// vmess use stream-oriented udp with a special address, so we need a net.UDPAddr
+	if err = v.ResolveUDP(ctx, metadata); err != nil {
-	if !metadata.Resolved() {
+		return nil, err
 		ip, err := resolver.ResolveIP(ctx, metadata.Host)
 		if err != nil {
 			return nil, errors.New("can't resolve ip")
 		}
 		metadata.DstIP = ip
 	}
 	if pc, ok := c.(net.PacketConn); ok {
@@ -459,22 +459,32 @@ func NewVmess(option VmessOption) (*Vmess, error) {
 		option: &option,
 	}
 	v.realityConfig, err = v.option.RealityOpts.Parse()
 	if err != nil {
 		return nil, err
 	}
 	v.echConfig, err = v.option.ECHOpts.Parse()
 	if err != nil {
 		return nil, err
 	}
 	switch option.Network {
 	case "h2":
 		if len(option.HTTP2Opts.Host) == 0 {
 			option.HTTP2Opts.Host = append(option.HTTP2Opts.Host, "www.example.com")
 		}
 	case "grpc":
-		dialFn := func(network, addr string) (net.Conn, error) {
+		dialFn := func(ctx context.Context, network, addr string) (net.Conn, error) {
 			var err error
-			var cDialer C.Dialer = dialer.NewDialer(v.Base.DialOptions()...)
+			var cDialer C.Dialer = dialer.NewDialer(v.DialOptions()...)
 			if len(v.option.DialerProxy) > 0 {
 				cDialer, err = proxydialer.NewByName(v.option.DialerProxy, cDialer)
 				if err != nil {
 					return nil, err
 				}
 			}
-			c, err := cDialer.DialContext(context.Background(), "tcp", v.addr)
+			c, err := cDialer.DialContext(ctx, "tcp", v.addr)
 			if err != nil {
 				return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
 			}
@@ -491,10 +501,13 @@ func NewVmess(option VmessOption) (*Vmess, error) {
 		}
 		var tlsConfig *tls.Config
 		if option.TLS {
-			tlsConfig = ca.GetGlobalTLSConfig(&tls.Config{
+			tlsConfig, err = ca.GetSpecifiedFingerprintTLSConfig(&tls.Config{
 				InsecureSkipVerify: v.option.SkipCertVerify,
 				ServerName:         v.option.ServerName,
-			})
+			}, v.option.Fingerprint)
 			if err != nil {
 				return nil, err
 			}
 			if option.ServerName == "" {
 				host, _, _ := net.SplitHostPort(v.addr)
 				tlsConfig.ServerName = host
@@ -504,12 +517,7 @@ func NewVmess(option VmessOption) (*Vmess, error) {
 		v.gunTLSConfig = tlsConfig
 		v.gunConfig = gunConfig
-		v.transport = gun.NewHTTP2Client(dialFn, tlsConfig, v.option.ClientFingerprint, v.realityConfig)
+		v.transport = gun.NewHTTP2Client(dialFn, tlsConfig, v.option.ClientFingerprint, v.echConfig, v.realityConfig)
 	}
 	v.realityConfig, err = v.option.RealityOpts.Parse()
 	if err != nil {
 		return nil, err
 	}
 	return v, nil
--- a/adapter/outbound/wireguard.go
+++ b/adapter/outbound/wireguard.go
@@ -4,18 +4,15 @@ import (
 	"context"
 	"encoding/base64"
 	"encoding/hex"
 	"errors"
 	"fmt"
 	"net"
 	"net/netip"
 	"runtime"
 	"strconv"
 	"strings"
 	"sync"
 	"time"
 	"github.com/metacubex/mihomo/common/atomic"
 	CN "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/proxydialer"
 	"github.com/metacubex/mihomo/component/resolver"
@@ -28,9 +25,9 @@ import (
 	wireguard "github.com/metacubex/sing-wireguard"
 	"github.com/metacubex/wireguard-go/device"
-	"github.com/sagernet/sing/common/debug"
+	"github.com/metacubex/sing/common/debug"
-	E "github.com/sagernet/sing/common/exceptions"
+	E "github.com/metacubex/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
+	M "github.com/metacubex/sing/common/metadata"
 )
 type wireguardGoDevice interface {
@@ -45,7 +42,6 @@ type WireGuard struct {
 	tunDevice wireguard.Device
 	dialer    proxydialer.SingDialer
 	resolver  resolver.Resolver
 	refP      *refProxyAdapter
 	initOk        atomic.Bool
 	initMutex     sync.Mutex
@@ -57,8 +53,6 @@ type WireGuard struct {
 	serverAddrMap   map[M.Socksaddr]netip.AddrPort
 	serverAddrTime  atomic.TypedValue[time.Time]
 	serverAddrMutex sync.Mutex
 	closeCh chan struct{} // for test
 }
 type WireGuardOption struct {
@@ -171,9 +165,9 @@ func NewWireGuard(option WireGuardOption) (*WireGuard, error) {
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
 		dialer: proxydialer.NewSlowDownSingDialer(proxydialer.NewByNameSingDialer(option.DialerProxy, dialer.NewDialer()), slowdown.New()),
 	}
-	runtime.SetFinalizer(outbound, closeWireGuard)
+	singDialer := proxydialer.NewSlowDownSingDialer(proxydialer.NewByNameSingDialer(option.DialerProxy, dialer.NewDialer(outbound.DialOptions()...)), slowdown.New())
 	outbound.dialer = singDialer
 	var reserved [3]uint8
 	if len(option.Reserved) > 0 {
@@ -286,15 +280,13 @@ func NewWireGuard(option WireGuardOption) (*WireGuard, error) {
 		}
 	}
 	refP := &refProxyAdapter{}
 	outbound.refP = refP
 	if option.RemoteDnsResolve && len(option.Dns) > 0 {
 		nss, err := dns.ParseNameServer(option.Dns)
 		if err != nil {
 			return nil, err
 		}
 		for i := range nss {
-			nss[i].ProxyAdapter = refP
+			nss[i].ProxyAdapter = outbound
 		}
 		outbound.resolver = dns.NewResolver(dns.Config{
 			Main: nss,
@@ -309,7 +301,7 @@ func (w *WireGuard) resolve(ctx context.Context, address M.Socksaddr) (netip.Add
 	if address.Addr.IsValid() {
 		return address.AddrPort(), nil
 	}
-	udpAddr, err := resolveUDPAddrWithPrefer(ctx, "udp", address.String(), w.prefer)
+	udpAddr, err := resolveUDPAddr(ctx, "udp", address.String(), w.prefer)
 	if err != nil {
 		return netip.AddrPort{}, err
 	}
@@ -488,18 +480,15 @@ func (w *WireGuard) genIpcConf(ctx context.Context, updateOnly bool) (string, er
 	return ipcConf, nil
 }
-func closeWireGuard(w *WireGuard) {
+// Close implements C.ProxyAdapter
 func (w *WireGuard) Close() error {
 	if w.device != nil {
 		w.device.Close()
 	}
-	if w.closeCh != nil {
+	return nil
 		close(w.closeCh)
 	}
 }
-func (w *WireGuard) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
+func (w *WireGuard) DialContext(ctx context.Context, metadata *C.Metadata) (_ C.Conn, err error) {
 	options := w.Base.DialOptions(opts...)
 	w.dialer.SetDialer(dialer.NewDialer(options...))
 	var conn net.Conn
 	if err = w.init(ctx); err != nil {
 		return nil, err
@@ -507,10 +496,9 @@ func (w *WireGuard) DialContext(ctx context.Context, metadata *C.Metadata, opts
 	if !metadata.Resolved() || w.resolver != nil {
 		r := resolver.DefaultResolver
 		if w.resolver != nil {
 			w.refP.SetProxyAdapter(w)
 			defer w.refP.ClearProxyAdapter()
 			r = w.resolver
 		}
 		options := w.DialOptions()
 		options = append(options, dialer.WithResolver(r))
 		options = append(options, dialer.WithNetDialer(wgNetDialer{tunDevice: w.tunDevice}))
 		conn, err = dialer.NewDialer(options...).DialContext(ctx, "tcp", metadata.RemoteAddress())
@@ -523,28 +511,16 @@ func (w *WireGuard) DialContext(ctx context.Context, metadata *C.Metadata, opts
 	if conn == nil {
 		return nil, E.New("conn is nil")
 	}
-	return NewConn(CN.NewRefConn(conn, w), w), nil
+	return NewConn(conn, w), nil
 }
-func (w *WireGuard) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
+func (w *WireGuard) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (_ C.PacketConn, err error) {
 	options := w.Base.DialOptions(opts...)
 	w.dialer.SetDialer(dialer.NewDialer(options...))
 	var pc net.PacketConn
 	if err = w.init(ctx); err != nil {
 		return nil, err
 	}
-	if (!metadata.Resolved() || w.resolver != nil) && metadata.Host != "" {
+	if err = w.ResolveUDP(ctx, metadata); err != nil {
-		r := resolver.DefaultResolver
+		return nil, err
 		if w.resolver != nil {
 			w.refP.SetProxyAdapter(w)
 			defer w.refP.ClearProxyAdapter()
 			r = w.resolver
 		}
 		ip, err := resolver.ResolveIPWithResolver(ctx, metadata.Host, r)
 		if err != nil {
 			return nil, errors.New("can't resolve ip")
 		}
 		metadata.DstIP = ip
 	}
 	pc, err = w.tunDevice.ListenPacket(ctx, M.SocksaddrFrom(metadata.DstIP, metadata.DstPort).Unwrap())
 	if err != nil {
@@ -553,139 +529,25 @@ func (w *WireGuard) ListenPacketContext(ctx context.Context, metadata *C.Metadat
 	if pc == nil {
 		return nil, E.New("packetConn is nil")
 	}
-	return newPacketConn(CN.NewRefPacketConn(pc, w), w), nil
+	return newPacketConn(pc, w), nil
 }
 func (w *WireGuard) ResolveUDP(ctx context.Context, metadata *C.Metadata) error {
 	if (!metadata.Resolved() || w.resolver != nil) && metadata.Host != "" {
 		r := resolver.DefaultResolver
 		if w.resolver != nil {
 			r = w.resolver
 		}
 		ip, err := resolver.ResolveIPWithResolver(ctx, metadata.Host, r)
 		if err != nil {
 			return fmt.Errorf("can't resolve ip: %w", err)
 		}
 		metadata.DstIP = ip
 	}
 	return nil
 }
 // IsL3Protocol implements C.ProxyAdapter
 func (w *WireGuard) IsL3Protocol(metadata *C.Metadata) bool {
 	return true
 }
 type refProxyAdapter struct {
 	proxyAdapter C.ProxyAdapter
 	count        int
 	mutex        sync.Mutex
 }
 func (r *refProxyAdapter) SetProxyAdapter(proxyAdapter C.ProxyAdapter) {
 	r.mutex.Lock()
 	defer r.mutex.Unlock()
 	r.proxyAdapter = proxyAdapter
 	r.count++
 }
 func (r *refProxyAdapter) ClearProxyAdapter() {
 	r.mutex.Lock()
 	defer r.mutex.Unlock()
 	r.count--
 	if r.count == 0 {
 		r.proxyAdapter = nil
 	}
 }
 func (r *refProxyAdapter) Name() string {
 	if r.proxyAdapter != nil {
 		return r.proxyAdapter.Name()
 	}
 	return ""
 }
 func (r *refProxyAdapter) Type() C.AdapterType {
 	if r.proxyAdapter != nil {
 		return r.proxyAdapter.Type()
 	}
 	return C.AdapterType(0)
 }
 func (r *refProxyAdapter) Addr() string {
 	if r.proxyAdapter != nil {
 		return r.proxyAdapter.Addr()
 	}
 	return ""
 }
 func (r *refProxyAdapter) SupportUDP() bool {
 	if r.proxyAdapter != nil {
 		return r.proxyAdapter.SupportUDP()
 	}
 	return false
 }
 func (r *refProxyAdapter) ProxyInfo() C.ProxyInfo {
 	if r.proxyAdapter != nil {
 		return r.proxyAdapter.ProxyInfo()
 	}
 	return C.ProxyInfo{}
 }
 func (r *refProxyAdapter) MarshalJSON() ([]byte, error) {
 	if r.proxyAdapter != nil {
 		return r.proxyAdapter.MarshalJSON()
 	}
 	return nil, C.ErrNotSupport
 }
 func (r *refProxyAdapter) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	if r.proxyAdapter != nil {
 		return r.proxyAdapter.StreamConnContext(ctx, c, metadata)
 	}
 	return nil, C.ErrNotSupport
 }
 func (r *refProxyAdapter) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
 	if r.proxyAdapter != nil {
 		return r.proxyAdapter.DialContext(ctx, metadata, opts...)
 	}
 	return nil, C.ErrNotSupport
 }
 func (r *refProxyAdapter) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
 	if r.proxyAdapter != nil {
 		return r.proxyAdapter.ListenPacketContext(ctx, metadata, opts...)
 	}
 	return nil, C.ErrNotSupport
 }
 func (r *refProxyAdapter) SupportUOT() bool {
 	if r.proxyAdapter != nil {
 		return r.proxyAdapter.SupportUOT()
 	}
 	return false
 }
 func (r *refProxyAdapter) SupportWithDialer() C.NetWork {
 	if r.proxyAdapter != nil {
 		return r.proxyAdapter.SupportWithDialer()
 	}
 	return C.InvalidNet
 }
 func (r *refProxyAdapter) DialContextWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (C.Conn, error) {
 	if r.proxyAdapter != nil {
 		return r.proxyAdapter.DialContextWithDialer(ctx, dialer, metadata)
 	}
 	return nil, C.ErrNotSupport
 }
 func (r *refProxyAdapter) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (C.PacketConn, error) {
 	if r.proxyAdapter != nil {
 		return r.proxyAdapter.ListenPacketWithDialer(ctx, dialer, metadata)
 	}
 	return nil, C.ErrNotSupport
 }
 func (r *refProxyAdapter) IsL3Protocol(metadata *C.Metadata) bool {
 	if r.proxyAdapter != nil {
 		return r.proxyAdapter.IsL3Protocol(metadata)
 	}
 	return false
 }
 func (r *refProxyAdapter) Unwrap(metadata *C.Metadata, touch bool) C.Proxy {
 	if r.proxyAdapter != nil {
 		return r.proxyAdapter.Unwrap(metadata, touch)
 	}
 	return nil
 }
 var _ C.ProxyAdapter = (*refProxyAdapter)(nil)
--- a/adapter/outbound/wireguard_test.go
+++ b/adapter/outbound/wireguard_test.go
@@ -1,45 +0,0 @@
 //go:build with_gvisor
 package outbound
 import (
 	"context"
 	"runtime"
 	"testing"
 	"time"
 )
 func TestWireGuardGC(t *testing.T) {
 	option := WireGuardOption{}
 	option.Server = "162.159.192.1"
 	option.Port = 2408
 	option.PrivateKey = "iOx7749AdqH3IqluG7+0YbGKd0m1mcEXAfGRzpy9rG8="
 	option.PublicKey = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo="
 	option.Ip = "172.16.0.2"
 	option.Ipv6 = "2606:4700:110:8d29:be92:3a6a:f4:c437"
 	option.Reserved = []uint8{51, 69, 125}
 	wg, err := NewWireGuard(option)
 	if err != nil {
 		t.Error(err)
 	}
 	closeCh := make(chan struct{})
 	wg.closeCh = closeCh
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
 	defer cancel()
 	err = wg.init(ctx)
 	if err != nil {
 		t.Error(err)
 		return
 	}
 	// must do a small sleep before test GC
 	// because it maybe deadlocks if w.device.Close call too fast after w.device.Start
 	time.Sleep(10 * time.Millisecond)
 	wg = nil
 	runtime.GC()
 	select {
 	case <-closeCh:
 		return
 	case <-ctx.Done():
 		t.Error("timeout not GC")
 	}
 }
--- a/adapter/outboundgroup/fallback.go
+++ b/adapter/outboundgroup/fallback.go
@@ -6,11 +6,9 @@ import (
 	"errors"
 	"time"
 	"github.com/metacubex/mihomo/adapter/outbound"
 	"github.com/metacubex/mihomo/common/callback"
 	N "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/common/utils"
 	"github.com/metacubex/mihomo/component/dialer"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/constant/provider"
 )
@@ -31,13 +29,13 @@ func (f *Fallback) Now() string {
 }
 // DialContext implements C.ProxyAdapter
-func (f *Fallback) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
+func (f *Fallback) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
 	proxy := f.findAliveProxy(true)
-	c, err := proxy.DialContext(ctx, metadata, f.Base.DialOptions(opts...)...)
+	c, err := proxy.DialContext(ctx, metadata)
 	if err == nil {
 		c.AppendToChains(f)
 	} else {
-		f.onDialFailed(proxy.Type(), err)
+		f.onDialFailed(proxy.Type(), err, f.healthCheck)
 	}
 	if N.NeedHandshake(c) {
@@ -45,7 +43,7 @@ func (f *Fallback) DialContext(ctx context.Context, metadata *C.Metadata, opts .
 			if err == nil {
 				f.onDialSuccess()
 			} else {
-				f.onDialFailed(proxy.Type(), err)
+				f.onDialFailed(proxy.Type(), err, f.healthCheck)
 			}
 		})
 	}
@@ -54,9 +52,9 @@ func (f *Fallback) DialContext(ctx context.Context, metadata *C.Metadata, opts .
 }
 // ListenPacketContext implements C.ProxyAdapter
-func (f *Fallback) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
+func (f *Fallback) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (C.PacketConn, error) {
 	proxy := f.findAliveProxy(true)
-	pc, err := proxy.ListenPacketContext(ctx, metadata, f.Base.DialOptions(opts...)...)
+	pc, err := proxy.ListenPacketContext(ctx, metadata)
 	if err == nil {
 		pc.AppendToChains(f)
 	}
@@ -155,18 +153,14 @@ func (f *Fallback) ForceSet(name string) {
 func NewFallback(option *GroupCommonOption, providers []provider.ProxyProvider) *Fallback {
 	return &Fallback{
 		GroupBase: NewGroupBase(GroupBaseOption{
-			outbound.BaseOption{
+			Name:           option.Name,
-				Name:        option.Name,
+			Type:           C.Fallback,
-				Type:        C.Fallback,
+			Filter:         option.Filter,
-				Interface:   option.Interface,
+			ExcludeFilter:  option.ExcludeFilter,
-				RoutingMark: option.RoutingMark,
+			ExcludeType:    option.ExcludeType,
-			},
+			TestTimeout:    option.TestTimeout,
-			option.Filter,
+			MaxFailedTimes: option.MaxFailedTimes,
-			option.ExcludeFilter,
+			Providers:      providers,
 			option.ExcludeType,
 			option.TestTimeout,
 			option.MaxFailedTimes,
 			providers,
 		}),
 		disableUDP:     option.DisableUDP,
 		testUrl:        option.URL,
--- a/adapter/outboundgroup/groupbase.go
+++ b/adapter/outboundgroup/groupbase.go
@@ -2,6 +2,7 @@ package outboundgroup
 import (
 	"context"
 	"errors"
 	"fmt"
 	"strings"
 	"sync"
@@ -17,68 +18,70 @@ import (
 	"github.com/metacubex/mihomo/tunnel"
 	"github.com/dlclark/regexp2"
 	"golang.org/x/exp/slices"
 )
 type GroupBase struct {
 	*outbound.Base
-	filterRegs       []*regexp2.Regexp
+	filterRegs        []*regexp2.Regexp
-	excludeFilterReg *regexp2.Regexp
+	excludeFilterRegs []*regexp2.Regexp
-	excludeTypeArray []string
+	excludeTypeArray  []string
-	providers        []provider.ProxyProvider
+	providers         []provider.ProxyProvider
-	failedTestMux    sync.Mutex
+	failedTestMux     sync.Mutex
-	failedTimes      int
+	failedTimes       int
-	failedTime       time.Time
+	failedTime        time.Time
-	failedTesting    atomic.Bool
+	failedTesting     atomic.Bool
-	proxies          [][]C.Proxy
+	TestTimeout       int
-	versions         []atomic.Uint32
+	maxFailedTimes    int
-	TestTimeout      int
+
-	maxFailedTimes   int
+	// for GetProxies
 	getProxiesMutex  sync.Mutex
 	providerVersions []uint32
 	providerProxies  []C.Proxy
 }
 type GroupBaseOption struct {
-	outbound.BaseOption
+	Name           string
-	filter         string
+	Type           C.AdapterType
-	excludeFilter  string
+	Filter         string
-	excludeType    string
+	ExcludeFilter  string
 	ExcludeType    string
 	TestTimeout    int
-	maxFailedTimes int
+	MaxFailedTimes int
-	providers      []provider.ProxyProvider
+	Providers      []provider.ProxyProvider
 }
 func NewGroupBase(opt GroupBaseOption) *GroupBase {
-	if opt.RoutingMark != 0 {
+	var excludeTypeArray []string
-		log.Warnln("The group [%s] with routing-mark configuration is deprecated, please set it directly on the proxy instead", opt.Name)
+	if opt.ExcludeType != "" {
-	}
+		excludeTypeArray = strings.Split(opt.ExcludeType, "|")
 	if opt.Interface != "" {
 		log.Warnln("The group [%s] with interface-name configuration is deprecated, please set it directly on the proxy instead", opt.Name)
 	}
-	var excludeFilterReg *regexp2.Regexp
+	var excludeFilterRegs []*regexp2.Regexp
-	if opt.excludeFilter != "" {
+	if opt.ExcludeFilter != "" {
-		excludeFilterReg = regexp2.MustCompile(opt.excludeFilter, regexp2.None)
+		for _, excludeFilter := range strings.Split(opt.ExcludeFilter, "`") {
-	}
+			excludeFilterReg := regexp2.MustCompile(excludeFilter, regexp2.None)
-	var excludeTypeArray []string
+			excludeFilterRegs = append(excludeFilterRegs, excludeFilterReg)
-	if opt.excludeType != "" {
+		}
 		excludeTypeArray = strings.Split(opt.excludeType, "|")
 	}
 	var filterRegs []*regexp2.Regexp
-	if opt.filter != "" {
+	if opt.Filter != "" {
-		for _, filter := range strings.Split(opt.filter, "`") {
+		for _, filter := range strings.Split(opt.Filter, "`") {
 			filterReg := regexp2.MustCompile(filter, regexp2.None)
 			filterRegs = append(filterRegs, filterReg)
 		}
 	}
 	gb := &GroupBase{
-		Base:             outbound.NewBase(opt.BaseOption),
+		Base:              outbound.NewBase(outbound.BaseOption{Name: opt.Name, Type: opt.Type}),
-		filterRegs:       filterRegs,
+		filterRegs:        filterRegs,
-		excludeFilterReg: excludeFilterReg,
+		excludeFilterRegs: excludeFilterRegs,
-		excludeTypeArray: excludeTypeArray,
+		excludeTypeArray:  excludeTypeArray,
-		providers:        opt.providers,
+		providers:         opt.Providers,
-		failedTesting:    atomic.NewBool(false),
+		failedTesting:     atomic.NewBool(false),
-		TestTimeout:      opt.TestTimeout,
+		TestTimeout:       opt.TestTimeout,
-		maxFailedTimes:   opt.maxFailedTimes,
+		maxFailedTimes:    opt.MaxFailedTimes,
 	}
 	if gb.TestTimeout == 0 {
@@ -88,9 +91,6 @@ func NewGroupBase(opt GroupBaseOption) *GroupBase {
 		gb.maxFailedTimes = 5
 	}
 	gb.proxies = make([][]C.Proxy, len(opt.providers))
 	gb.versions = make([]atomic.Uint32, len(opt.providers))
 	return gb
 }
@@ -101,56 +101,55 @@ func (gb *GroupBase) Touch() {
 }
 func (gb *GroupBase) GetProxies(touch bool) []C.Proxy {
 	providerVersions := make([]uint32, len(gb.providers))
 	for i, pd := range gb.providers {
 		if touch { // touch first
 			pd.Touch()
 		}
 		providerVersions[i] = pd.Version()
 	}
 	// thread safe
 	gb.getProxiesMutex.Lock()
 	defer gb.getProxiesMutex.Unlock()
 	// return the cached proxies if version not changed
 	if slices.Equal(providerVersions, gb.providerVersions) {
 		return gb.providerProxies
 	}
 	var proxies []C.Proxy
 	if len(gb.filterRegs) == 0 {
 		for _, pd := range gb.providers {
 			if touch {
 				pd.Touch()
 			}
 			proxies = append(proxies, pd.Proxies()...)
 		}
 	} else {
-		for i, pd := range gb.providers {
+		for _, pd := range gb.providers {
-			if touch {
+			if pd.VehicleType() == types.Compatible { // compatible provider unneeded filter
-				pd.Touch()
+				proxies = append(proxies, pd.Proxies()...)
 			}
 			if pd.VehicleType() == types.Compatible {
 				gb.versions[i].Store(pd.Version())
 				gb.proxies[i] = pd.Proxies()
 				continue
 			}
-			version := gb.versions[i].Load()
+			var newProxies []C.Proxy
-			if version != pd.Version() && gb.versions[i].CompareAndSwap(version, pd.Version()) {
+			proxiesSet := map[string]struct{}{}
-				var (
+			for _, filterReg := range gb.filterRegs {
-					proxies    []C.Proxy
+				for _, p := range pd.Proxies() {
-					newProxies []C.Proxy
+					name := p.Name()
-				)
+					if mat, _ := filterReg.MatchString(name); mat {
-
+						if _, ok := proxiesSet[name]; !ok {
-				proxies = pd.Proxies()
+							proxiesSet[name] = struct{}{}
-				proxiesSet := map[string]struct{}{}
+							newProxies = append(newProxies, p)
 				for _, filterReg := range gb.filterRegs {
 					for _, p := range proxies {
 						name := p.Name()
 						if mat, _ := filterReg.MatchString(name); mat {
 							if _, ok := proxiesSet[name]; !ok {
 								proxiesSet[name] = struct{}{}
 								newProxies = append(newProxies, p)
 							}
 						}
 					}
 				}
 				gb.proxies[i] = newProxies
 			}
-		}
+			proxies = append(proxies, newProxies...)
 		for _, p := range gb.proxies {
 			proxies = append(proxies, p...)
 		}
 	}
 	// Multiple filers means that proxies are sorted in the order in which the filers appear.
 	// Although the filter has been performed once in the previous process,
 	// when there are multiple providers, the array needs to be reordered as a whole.
 	if len(gb.providers) > 1 && len(gb.filterRegs) > 1 {
 		var newProxies []C.Proxy
 		proxiesSet := map[string]struct{}{}
@@ -174,32 +173,31 @@ func (gb *GroupBase) GetProxies(touch bool) []C.Proxy {
 		}
 		proxies = newProxies
 	}
 	if gb.excludeTypeArray != nil {
 		var newProxies []C.Proxy
 		for _, p := range proxies {
 			mType := p.Type().String()
 			flag := false
 			for i := range gb.excludeTypeArray {
 				if strings.EqualFold(mType, gb.excludeTypeArray[i]) {
 					flag = true
 					break
 				}
-			}
+	if len(gb.excludeFilterRegs) > 0 {
-			if flag {
+		var newProxies []C.Proxy
-				continue
+	LOOP1:
 		for _, p := range proxies {
 			name := p.Name()
 			for _, excludeFilterReg := range gb.excludeFilterRegs {
 				if mat, _ := excludeFilterReg.MatchString(name); mat {
 					continue LOOP1
 				}
 			}
 			newProxies = append(newProxies, p)
 		}
 		proxies = newProxies
 	}
-	if gb.excludeFilterReg != nil {
+	if gb.excludeTypeArray != nil {
 		var newProxies []C.Proxy
 	LOOP2:
 		for _, p := range proxies {
-			name := p.Name()
+			mType := p.Type().String()
-			if mat, _ := gb.excludeFilterReg.MatchString(name); mat {
+			for _, excludeType := range gb.excludeTypeArray {
-				continue
+				if strings.EqualFold(mType, excludeType) {
 					continue LOOP2
 				}
 			}
 			newProxies = append(newProxies, p)
 		}
@@ -207,9 +205,13 @@ func (gb *GroupBase) GetProxies(touch bool) []C.Proxy {
 	}
 	if len(proxies) == 0 {
-		return append(proxies, tunnel.Proxies()["COMPATIBLE"])
+		return []C.Proxy{tunnel.Proxies()["COMPATIBLE"]}
 	}
 	// only cache when proxies not empty
 	gb.providerVersions = providerVersions
 	gb.providerProxies = proxies
 	return proxies
 }
@@ -241,17 +243,21 @@ func (gb *GroupBase) URLTest(ctx context.Context, url string, expectedStatus uti
 	}
 }
-func (gb *GroupBase) onDialFailed(adapterType C.AdapterType, err error) {
+func (gb *GroupBase) onDialFailed(adapterType C.AdapterType, err error, fn func()) {
 	if adapterType == C.Direct || adapterType == C.Compatible || adapterType == C.Reject || adapterType == C.Pass || adapterType == C.RejectDrop {
 		return
 	}
-	if strings.Contains(err.Error(), "connection refused") {
+	if errors.Is(err, C.ErrNotSupport) {
 		go gb.healthCheck()
 		return
 	}
 	go func() {
 		if strings.Contains(err.Error(), "connection refused") {
 			fn()
 			return
 		}
 		gb.failedTestMux.Lock()
 		defer gb.failedTestMux.Unlock()
@@ -268,7 +274,7 @@ func (gb *GroupBase) onDialFailed(adapterType C.AdapterType, err error) {
 			log.Debugln("ProxyGroup: %s failed count: %d", gb.Name(), gb.failedTimes)
 			if gb.failedTimes >= gb.maxFailedTimes {
 				log.Warnln("because %s failed multiple times, active health check", gb.Name())
-				gb.healthCheck()
+				fn()
 			}
 		}
 	}()
--- a/adapter/outboundgroup/loadbalance.go
+++ b/adapter/outboundgroup/loadbalance.go
@@ -9,12 +9,10 @@ import (
 	"sync"
 	"time"
 	"github.com/metacubex/mihomo/adapter/outbound"
 	"github.com/metacubex/mihomo/common/callback"
 	"github.com/metacubex/mihomo/common/lru"
 	N "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/common/utils"
 	"github.com/metacubex/mihomo/component/dialer"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/constant/provider"
@@ -88,14 +86,14 @@ func jumpHash(key uint64, buckets int32) int32 {
 }
 // DialContext implements C.ProxyAdapter
-func (lb *LoadBalance) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (c C.Conn, err error) {
+func (lb *LoadBalance) DialContext(ctx context.Context, metadata *C.Metadata) (c C.Conn, err error) {
 	proxy := lb.Unwrap(metadata, true)
-	c, err = proxy.DialContext(ctx, metadata, lb.Base.DialOptions(opts...)...)
+	c, err = proxy.DialContext(ctx, metadata)
 	if err == nil {
 		c.AppendToChains(lb)
 	} else {
-		lb.onDialFailed(proxy.Type(), err)
+		lb.onDialFailed(proxy.Type(), err, lb.healthCheck)
 	}
 	if N.NeedHandshake(c) {
@@ -103,7 +101,7 @@ func (lb *LoadBalance) DialContext(ctx context.Context, metadata *C.Metadata, op
 			if err == nil {
 				lb.onDialSuccess()
 			} else {
-				lb.onDialFailed(proxy.Type(), err)
+				lb.onDialFailed(proxy.Type(), err, lb.healthCheck)
 			}
 		})
 	}
@@ -112,7 +110,7 @@ func (lb *LoadBalance) DialContext(ctx context.Context, metadata *C.Metadata, op
 }
 // ListenPacketContext implements C.ProxyAdapter
-func (lb *LoadBalance) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (pc C.PacketConn, err error) {
+func (lb *LoadBalance) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (pc C.PacketConn, err error) {
 	defer func() {
 		if err == nil {
 			pc.AppendToChains(lb)
@@ -120,7 +118,7 @@ func (lb *LoadBalance) ListenPacketContext(ctx context.Context, metadata *C.Meta
 	}()
 	proxy := lb.Unwrap(metadata, true)
-	return proxy.ListenPacketContext(ctx, metadata, lb.Base.DialOptions(opts...)...)
+	return proxy.ListenPacketContext(ctx, metadata)
 }
 // SupportUDP implements C.ProxyAdapter
@@ -255,18 +253,14 @@ func NewLoadBalance(option *GroupCommonOption, providers []provider.ProxyProvide
 	}
 	return &LoadBalance{
 		GroupBase: NewGroupBase(GroupBaseOption{
-			outbound.BaseOption{
+			Name:           option.Name,
-				Name:        option.Name,
+			Type:           C.LoadBalance,
-				Type:        C.LoadBalance,
+			Filter:         option.Filter,
-				Interface:   option.Interface,
+			ExcludeFilter:  option.ExcludeFilter,
-				RoutingMark: option.RoutingMark,
+			ExcludeType:    option.ExcludeType,
-			},
+			TestTimeout:    option.TestTimeout,
-			option.Filter,
+			MaxFailedTimes: option.MaxFailedTimes,
-			option.ExcludeFilter,
+			Providers:      providers,
 			option.ExcludeType,
 			option.TestTimeout,
 			option.MaxFailedTimes,
 			providers,
 		}),
 		strategyFn:     strategyFn,
 		disableUDP:     option.DisableUDP,
--- a/adapter/outboundgroup/parser.go
+++ b/adapter/outboundgroup/parser.go
@@ -7,12 +7,12 @@ import (
 	"github.com/dlclark/regexp2"
 	"github.com/metacubex/mihomo/adapter/outbound"
 	"github.com/metacubex/mihomo/adapter/provider"
 	"github.com/metacubex/mihomo/common/structure"
 	"github.com/metacubex/mihomo/common/utils"
 	C "github.com/metacubex/mihomo/constant"
 	types "github.com/metacubex/mihomo/constant/provider"
 	"github.com/metacubex/mihomo/log"
 )
 var (
@@ -23,7 +23,6 @@ var (
 )
 type GroupCommonOption struct {
 	outbound.BasicOption
 	Name                string   `group:"name"`
 	Type                string   `group:"type"`
 	Proxies             []string `group:"proxies,omitempty"`
@@ -43,6 +42,10 @@ type GroupCommonOption struct {
 	IncludeAllProviders bool     `group:"include-all-providers,omitempty"`
 	Hidden              bool     `group:"hidden,omitempty"`
 	Icon                string   `group:"icon,omitempty"`
 	// removed configs, only for error logging
 	Interface   string `group:"interface-name,omitempty"`
 	RoutingMark int    `group:"routing-mark,omitempty"`
 }
 func ParseProxyGroup(config map[string]any, proxyMap map[string]C.Proxy, providersMap map[string]types.ProxyProvider, AllProxies []string, AllProviders []string) (C.ProxyAdapter, error) {
@@ -59,6 +62,13 @@ func ParseProxyGroup(config map[string]any, proxyMap map[string]C.Proxy, provide
 		return nil, errFormat
 	}
 	if groupOption.RoutingMark != 0 {
 		log.Errorln("The group [%s] with routing-mark configuration was removed, please set it directly on the proxy instead", groupOption.Name)
 	}
 	if groupOption.Interface != "" {
 		log.Errorln("The group [%s] with interface-name configuration was removed, please set it directly on the proxy instead", groupOption.Name)
 	}
 	groupName := groupOption.Name
 	providers := []types.ProxyProvider{}
--- a/adapter/outboundgroup/relay.go
+++ b/adapter/outboundgroup/relay.go
@@ -19,17 +19,17 @@ type Relay struct {
 }
 // DialContext implements C.ProxyAdapter
-func (r *Relay) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
+func (r *Relay) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
 	proxies, chainProxies := r.proxies(metadata, true)
 	switch len(proxies) {
 	case 0:
-		return outbound.NewDirect().DialContext(ctx, metadata, r.Base.DialOptions(opts...)...)
+		return outbound.NewDirect().DialContext(ctx, metadata)
 	case 1:
-		return proxies[0].DialContext(ctx, metadata, r.Base.DialOptions(opts...)...)
+		return proxies[0].DialContext(ctx, metadata)
 	}
 	var d C.Dialer
-	d = dialer.NewDialer(r.Base.DialOptions(opts...)...)
+	d = dialer.NewDialer()
 	for _, proxy := range proxies[:len(proxies)-1] {
 		d = proxydialer.New(proxy, d, false)
 	}
@@ -49,18 +49,18 @@ func (r *Relay) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d
 }
 // ListenPacketContext implements C.ProxyAdapter
-func (r *Relay) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
+func (r *Relay) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (_ C.PacketConn, err error) {
 	proxies, chainProxies := r.proxies(metadata, true)
 	switch len(proxies) {
 	case 0:
-		return outbound.NewDirect().ListenPacketContext(ctx, metadata, r.Base.DialOptions(opts...)...)
+		return outbound.NewDirect().ListenPacketContext(ctx, metadata)
 	case 1:
-		return proxies[0].ListenPacketContext(ctx, metadata, r.Base.DialOptions(opts...)...)
+		return proxies[0].ListenPacketContext(ctx, metadata)
 	}
 	var d C.Dialer
-	d = dialer.NewDialer(r.Base.DialOptions(opts...)...)
+	d = dialer.NewDialer()
 	for _, proxy := range proxies[:len(proxies)-1] {
 		d = proxydialer.New(proxy, d, false)
 	}
@@ -153,18 +153,9 @@ func NewRelay(option *GroupCommonOption, providers []provider.ProxyProvider) *Re
 	log.Warnln("The group [%s] with relay type is deprecated, please using dialer-proxy instead", option.Name)
 	return &Relay{
 		GroupBase: NewGroupBase(GroupBaseOption{
-			outbound.BaseOption{
+			Name:      option.Name,
-				Name:        option.Name,
+			Type:      C.Relay,
-				Type:        C.Relay,
+			Providers: providers,
 				Interface:   option.Interface,
 				RoutingMark: option.RoutingMark,
 			},
 			"",
 			"",
 			"",
 			5000,
 			5,
 			providers,
 		}),
 		Hidden: option.Hidden,
 		Icon:   option.Icon,
--- a/adapter/outboundgroup/selector.go
+++ b/adapter/outboundgroup/selector.go
@@ -5,8 +5,6 @@ import (
 	"encoding/json"
 	"errors"
 	"github.com/metacubex/mihomo/adapter/outbound"
 	"github.com/metacubex/mihomo/component/dialer"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/constant/provider"
 )
@@ -15,13 +13,14 @@ type Selector struct {
 	*GroupBase
 	disableUDP bool
 	selected   string
 	testUrl    string
 	Hidden     bool
 	Icon       string
 }
 // DialContext implements C.ProxyAdapter
-func (s *Selector) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
+func (s *Selector) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
-	c, err := s.selectedProxy(true).DialContext(ctx, metadata, s.Base.DialOptions(opts...)...)
+	c, err := s.selectedProxy(true).DialContext(ctx, metadata)
 	if err == nil {
 		c.AppendToChains(s)
 	}
@@ -29,8 +28,8 @@ func (s *Selector) DialContext(ctx context.Context, metadata *C.Metadata, opts .
 }
 // ListenPacketContext implements C.ProxyAdapter
-func (s *Selector) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
+func (s *Selector) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (C.PacketConn, error) {
-	pc, err := s.selectedProxy(true).ListenPacketContext(ctx, metadata, s.Base.DialOptions(opts...)...)
+	pc, err := s.selectedProxy(true).ListenPacketContext(ctx, metadata)
 	if err == nil {
 		pc.AppendToChains(s)
 	}
@@ -57,13 +56,20 @@ func (s *Selector) MarshalJSON() ([]byte, error) {
 	for _, proxy := range s.GetProxies(false) {
 		all = append(all, proxy.Name())
 	}
 	// When testurl is the default value
 	// do not append a value to ensure that the web dashboard follows the settings of the dashboard
 	var url string
 	if s.testUrl != C.DefaultTestURL {
 		url = s.testUrl
 	}
 	return json.Marshal(map[string]any{
-		"type":   s.Type().String(),
+		"type":    s.Type().String(),
-		"now":    s.Now(),
+		"now":     s.Now(),
-		"all":    all,
+		"all":     all,
-		"hidden": s.Hidden,
+		"testUrl": url,
-		"icon":   s.Icon,
+		"hidden":  s.Hidden,
 		"icon":    s.Icon,
 	})
 }
@@ -105,21 +111,18 @@ func (s *Selector) selectedProxy(touch bool) C.Proxy {
 func NewSelector(option *GroupCommonOption, providers []provider.ProxyProvider) *Selector {
 	return &Selector{
 		GroupBase: NewGroupBase(GroupBaseOption{
-			outbound.BaseOption{
+			Name:           option.Name,
-				Name:        option.Name,
+			Type:           C.Selector,
-				Type:        C.Selector,
+			Filter:         option.Filter,
-				Interface:   option.Interface,
+			ExcludeFilter:  option.ExcludeFilter,
-				RoutingMark: option.RoutingMark,
+			ExcludeType:    option.ExcludeType,
-			},
+			TestTimeout:    option.TestTimeout,
-			option.Filter,
+			MaxFailedTimes: option.MaxFailedTimes,
-			option.ExcludeFilter,
+			Providers:      providers,
 			option.ExcludeType,
 			option.TestTimeout,
 			option.MaxFailedTimes,
 			providers,
 		}),
 		selected:   "COMPATIBLE",
 		disableUDP: option.DisableUDP,
 		testUrl:    option.URL,
 		Hidden:     option.Hidden,
 		Icon:       option.Icon,
 	}
--- a/adapter/outboundgroup/urltest.go
+++ b/adapter/outboundgroup/urltest.go
@@ -4,16 +4,12 @@ import (
 	"context"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"sync"
 	"time"
 	"github.com/metacubex/mihomo/adapter/outbound"
 	"github.com/metacubex/mihomo/common/callback"
 	N "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/common/singledo"
 	"github.com/metacubex/mihomo/common/utils"
 	"github.com/metacubex/mihomo/component/dialer"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/constant/provider"
 )
@@ -54,23 +50,23 @@ func (u *URLTest) Set(name string) error {
 	if p == nil {
 		return errors.New("proxy not exist")
 	}
-	u.selected = name
+	u.ForceSet(name)
 	u.fast(false)
 	return nil
 }
 func (u *URLTest) ForceSet(name string) {
 	u.selected = name
 	u.fastSingle.Reset()
 }
 // DialContext implements C.ProxyAdapter
-func (u *URLTest) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (c C.Conn, err error) {
+func (u *URLTest) DialContext(ctx context.Context, metadata *C.Metadata) (c C.Conn, err error) {
 	proxy := u.fast(true)
-	c, err = proxy.DialContext(ctx, metadata, u.Base.DialOptions(opts...)...)
+	c, err = proxy.DialContext(ctx, metadata)
 	if err == nil {
 		c.AppendToChains(u)
 	} else {
-		u.onDialFailed(proxy.Type(), err)
+		u.onDialFailed(proxy.Type(), err, u.healthCheck)
 	}
 	if N.NeedHandshake(c) {
@@ -78,7 +74,7 @@ func (u *URLTest) DialContext(ctx context.Context, metadata *C.Metadata, opts ..
 			if err == nil {
 				u.onDialSuccess()
 			} else {
-				u.onDialFailed(proxy.Type(), err)
+				u.onDialFailed(proxy.Type(), err, u.healthCheck)
 			}
 		})
 	}
@@ -87,10 +83,13 @@ func (u *URLTest) DialContext(ctx context.Context, metadata *C.Metadata, opts ..
 }
 // ListenPacketContext implements C.ProxyAdapter
-func (u *URLTest) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
+func (u *URLTest) ListenPacketContext(ctx context.Context, metadata *C.Metadata) (C.PacketConn, error) {
-	pc, err := u.fast(true).ListenPacketContext(ctx, metadata, u.Base.DialOptions(opts...)...)
+	proxy := u.fast(true)
 	pc, err := proxy.ListenPacketContext(ctx, metadata)
 	if err == nil {
 		pc.AppendToChains(u)
 	} else {
 		u.onDialFailed(proxy.Type(), err, u.healthCheck)
 	}
 	return pc, err
@@ -101,22 +100,27 @@ func (u *URLTest) Unwrap(metadata *C.Metadata, touch bool) C.Proxy {
 	return u.fast(touch)
 }
-func (u *URLTest) fast(touch bool) C.Proxy {
+func (u *URLTest) healthCheck() {
 	u.fastSingle.Reset()
 	u.GroupBase.healthCheck()
 	u.fastSingle.Reset()
 }
-	proxies := u.GetProxies(touch)
+func (u *URLTest) fast(touch bool) C.Proxy {
-	if u.selected != "" {
+	elm, _, shared := u.fastSingle.Do(func() (C.Proxy, error) {
-		for _, proxy := range proxies {
+		proxies := u.GetProxies(touch)
-			if !proxy.AliveForTestUrl(u.testUrl) {
+		if u.selected != "" {
-				continue
+			for _, proxy := range proxies {
-			}
+				if !proxy.AliveForTestUrl(u.testUrl) {
-			if proxy.Name() == u.selected {
+					continue
-				u.fastNode = proxy
+				}
-				return proxy
+				if proxy.Name() == u.selected {
 					u.fastNode = proxy
 					return proxy, nil
 				}
 			}
 		}
 	}
 	elm, _, shared := u.fastSingle.Do(func() (C.Proxy, error) {
 		fast := proxies[0]
 		minDelay := fast.LastDelayForTestUrl(u.testUrl)
 		fastNotExist := true
@@ -182,31 +186,7 @@ func (u *URLTest) MarshalJSON() ([]byte, error) {
 }
 func (u *URLTest) URLTest(ctx context.Context, url string, expectedStatus utils.IntRanges[uint16]) (map[string]uint16, error) {
-	var wg sync.WaitGroup
+	return u.GroupBase.URLTest(ctx, u.testUrl, expectedStatus)
 	var lock sync.Mutex
 	mp := map[string]uint16{}
 	proxies := u.GetProxies(false)
 	for _, proxy := range proxies {
 		proxy := proxy
 		wg.Add(1)
 		go func() {
 			delay, err := proxy.URLTest(ctx, u.testUrl, expectedStatus)
 			if err == nil {
 				lock.Lock()
 				mp[proxy.Name()] = delay
 				lock.Unlock()
 			}
 			wg.Done()
 		}()
 	}
 	wg.Wait()
 	if len(mp) == 0 {
 		return mp, fmt.Errorf("get delay: all proxies timeout")
 	} else {
 		return mp, nil
 	}
 }
 func parseURLTestOption(config map[string]any) []urlTestOption {
@@ -225,19 +205,14 @@ func parseURLTestOption(config map[string]any) []urlTestOption {
 func NewURLTest(option *GroupCommonOption, providers []provider.ProxyProvider, options ...urlTestOption) *URLTest {
 	urlTest := &URLTest{
 		GroupBase: NewGroupBase(GroupBaseOption{
-			outbound.BaseOption{
+			Name:           option.Name,
-				Name:        option.Name,
+			Type:           C.URLTest,
-				Type:        C.URLTest,
+			Filter:         option.Filter,
-				Interface:   option.Interface,
+			ExcludeFilter:  option.ExcludeFilter,
-				RoutingMark: option.RoutingMark,
+			ExcludeType:    option.ExcludeType,
-			},
+			TestTimeout:    option.TestTimeout,
-
+			MaxFailedTimes: option.MaxFailedTimes,
-			option.Filter,
+			Providers:      providers,
 			option.ExcludeFilter,
 			option.ExcludeType,
 			option.TestTimeout,
 			option.MaxFailedTimes,
 			providers,
 		}),
 		fastSingle:     singledo.NewSingle[C.Proxy](time.Second * 10),
 		disableUDP:     option.DisableUDP,
--- a/adapter/parser.go
+++ b/adapter/parser.go
@@ -3,8 +3,6 @@ package adapter
 import (
 	"fmt"
 	tlsC "github.com/metacubex/mihomo/component/tls"
 	"github.com/metacubex/mihomo/adapter/outbound"
 	"github.com/metacubex/mihomo/common/structure"
 	C "github.com/metacubex/mihomo/constant"
@@ -18,12 +16,12 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 	}
 	var (
-		proxy C.ProxyAdapter
+		proxy outbound.ProxyAdapter
 		err   error
 	)
 	switch proxyType {
 	case "ss":
-		ssOption := &outbound.ShadowSocksOption{ClientFingerprint: tlsC.GetGlobalFingerprint()}
+		ssOption := &outbound.ShadowSocksOption{}
 		err = decoder.Decode(mapping, ssOption)
 		if err != nil {
 			break
@@ -56,7 +54,6 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 				Method: "GET",
 				Path:   []string{"/"},
 			},
 			ClientFingerprint: tlsC.GetGlobalFingerprint(),
 		}
 		err = decoder.Decode(mapping, vmessOption)
@@ -65,7 +62,7 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 		}
 		proxy, err = outbound.NewVmess(*vmessOption)
 	case "vless":
-		vlessOption := &outbound.VlessOption{ClientFingerprint: tlsC.GetGlobalFingerprint()}
+		vlessOption := &outbound.VlessOption{}
 		err = decoder.Decode(mapping, vlessOption)
 		if err != nil {
 			break
@@ -79,7 +76,7 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 		}
 		proxy, err = outbound.NewSnell(*snellOption)
 	case "trojan":
-		trojanOption := &outbound.TrojanOption{ClientFingerprint: tlsC.GetGlobalFingerprint()}
+		trojanOption := &outbound.TrojanOption{}
 		err = decoder.Decode(mapping, trojanOption)
 		if err != nil {
 			break
@@ -148,6 +145,13 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 			break
 		}
 		proxy, err = outbound.NewMieru(*mieruOption)
 	case "anytls":
 		anytlsOption := &outbound.AnyTLSOption{}
 		err = decoder.Decode(mapping, anytlsOption)
 		if err != nil {
 			break
 		}
 		proxy, err = outbound.NewAnyTLS(*anytlsOption)
 	default:
 		return nil, fmt.Errorf("unsupport proxy type: %s", proxyType)
 	}
@@ -163,12 +167,13 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 			return nil, err
 		}
 		if muxOption.Enabled {
-			proxy, err = outbound.NewSingMux(*muxOption, proxy, proxy.(outbound.ProxyBase))
+			proxy, err = outbound.NewSingMux(*muxOption, proxy)
 			if err != nil {
 				return nil, err
 			}
 		}
 	}
 	proxy = outbound.NewAutoCloseProxyAdapter(proxy)
 	return NewProxy(proxy), nil
 }
--- a/adapter/provider/healthcheck.go
+++ b/adapter/provider/healthcheck.go
@@ -7,13 +7,13 @@ import (
 	"time"
 	"github.com/metacubex/mihomo/common/atomic"
 	"github.com/metacubex/mihomo/common/batch"
 	"github.com/metacubex/mihomo/common/singledo"
 	"github.com/metacubex/mihomo/common/utils"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/log"
 	"github.com/dlclark/regexp2"
 	"golang.org/x/sync/errgroup"
 )
 type HealthCheckOption struct {
@@ -32,7 +32,6 @@ type HealthCheck struct {
 	url            string
 	extra          map[string]*extraOption
 	mu             sync.Mutex
 	started        atomic.Bool
 	proxies        []C.Proxy
 	interval       time.Duration
 	lazy           bool
@@ -43,13 +42,8 @@ type HealthCheck struct {
 }
 func (hc *HealthCheck) process() {
 	if hc.started.Load() {
 		log.Warnln("Skip start health check timer due to it's started")
 		return
 	}
 	ticker := time.NewTicker(hc.interval)
-	hc.start()
+	go hc.check()
 	for {
 		select {
 		case <-ticker.C:
@@ -62,13 +56,12 @@ func (hc *HealthCheck) process() {
 			}
 		case <-hc.ctx.Done():
 			ticker.Stop()
 			hc.stop()
 			return
 		}
 	}
 }
-func (hc *HealthCheck) setProxy(proxies []C.Proxy) {
+func (hc *HealthCheck) setProxies(proxies []C.Proxy) {
 	hc.proxies = proxies
 }
@@ -105,10 +98,6 @@ func (hc *HealthCheck) registerHealthCheckTask(url string, expectedStatus utils.
 	option := &extraOption{filters: map[string]struct{}{}, expectedStatus: expectedStatus}
 	splitAndAddFiltersToExtra(filter, option)
 	hc.extra[url] = option
 	if hc.auto() && !hc.started.Load() {
 		go hc.process()
 	}
 }
 func splitAndAddFiltersToExtra(filter string, option *extraOption) {
@@ -131,14 +120,6 @@ func (hc *HealthCheck) touch() {
 	hc.lastTouch.Store(time.Now())
 }
 func (hc *HealthCheck) start() {
 	hc.started.Store(true)
 }
 func (hc *HealthCheck) stop() {
 	hc.started.Store(false)
 }
 func (hc *HealthCheck) check() {
 	if len(hc.proxies) == 0 {
 		return
@@ -147,7 +128,8 @@ func (hc *HealthCheck) check() {
 	_, _, _ = hc.singleDo.Do(func() (struct{}, error) {
 		id := utils.NewUUIDV4().String()
 		log.Debugln("Start New Health Checking {%s}", id)
-		b, _ := batch.New[bool](hc.ctx, batch.WithConcurrencyNum[bool](10))
+		b := new(errgroup.Group)
 		b.SetLimit(10)
 		// execute default health check
 		option := &extraOption{filters: nil, expectedStatus: hc.expectedStatus}
@@ -159,13 +141,13 @@ func (hc *HealthCheck) check() {
 				hc.execute(b, url, id, option)
 			}
 		}
-		b.Wait()
+		_ = b.Wait()
 		log.Debugln("Finish A Health Checking {%s}", id)
 		return struct{}{}, nil
 	})
 }
-func (hc *HealthCheck) execute(b *batch.Batch[bool], url, uid string, option *extraOption) {
+func (hc *HealthCheck) execute(b *errgroup.Group, url, uid string, option *extraOption) {
 	url = strings.TrimSpace(url)
 	if len(url) == 0 {
 		log.Debugln("Health Check has been skipped due to testUrl is empty, {%s}", uid)
@@ -195,13 +177,13 @@ func (hc *HealthCheck) execute(b *batch.Batch[bool], url, uid string, option *ex
 		}
 		p := proxy
-		b.Go(p.Name(), func() (bool, error) {
+		b.Go(func() error {
 			ctx, cancel := context.WithTimeout(hc.ctx, hc.timeout)
 			defer cancel()
 			log.Debugln("Health Checking, proxy: %s, url: %s, id: {%s}", p.Name(), url, uid)
 			_, _ = p.URLTest(ctx, url, expectedStatus)
 			log.Debugln("Health Checked, proxy: %s, url: %s, alive: %t, delay: %d ms uid: {%s}", p.Name(), url, p.AliveForTestUrl(url), p.LastDelayForTestUrl(url), uid)
-			return false, nil
+			return nil
 		})
 	}
 }
--- a/adapter/provider/parser.go
+++ b/adapter/provider/parser.go
@@ -17,7 +17,6 @@ import (
 var (
 	errVehicleType = errors.New("unsupport vehicle type")
 	errSubPath     = errors.New("path is not subpath of home directory")
 )
 type healthCheckSchema struct {
@@ -115,7 +114,7 @@ func ParseProxyProvider(name string, mapping map[string]any) (types.ProxyProvide
 		if schema.Path != "" {
 			path = C.Path.Resolve(schema.Path)
 			if !C.Path.IsSafePath(path) {
-				return nil, fmt.Errorf("%w: %s", errSubPath, path)
+				return nil, C.Path.ErrNotSafePath(path)
 			}
 		}
 		vehicle = resource.NewHTTPVehicle(schema.URL, path, schema.Proxy, schema.Header, resource.DefaultHttpTimeout, schema.SizeLimit)
@@ -127,5 +126,5 @@ func ParseProxyProvider(name string, mapping map[string]any) (types.ProxyProvide
 	interval := time.Duration(uint(schema.Interval)) * time.Second
-	return NewProxySetProvider(name, interval, parser, vehicle, hc)
+	return NewProxySetProvider(name, interval, schema.Payload, parser, vehicle, hc)
 }
--- a/adapter/provider/provider.go
+++ b/adapter/provider/provider.go
@@ -57,6 +57,13 @@ func (bp *baseProvider) Version() uint32 {
 	return bp.version
 }
 func (bp *baseProvider) Initial() error {
 	if bp.healthCheck.auto() {
 		go bp.healthCheck.process()
 	}
 	return nil
 }
 func (bp *baseProvider) HealthCheck() {
 	bp.healthCheck.check()
 }
@@ -87,7 +94,8 @@ func (bp *baseProvider) RegisterHealthCheckTask(url string, expectedStatus utils
 func (bp *baseProvider) setProxies(proxies []C.Proxy) {
 	bp.proxies = proxies
-	bp.healthCheck.setProxy(proxies)
+	bp.version += 1
 	bp.healthCheck.setProxies(proxies)
 	if bp.healthCheck.auto() {
 		go bp.healthCheck.check()
 	}
@@ -132,6 +140,9 @@ func (pp *proxySetProvider) Update() error {
 }
 func (pp *proxySetProvider) Initial() error {
 	if err := pp.baseProvider.Initial(); err != nil {
 		return err
 	}
 	_, err := pp.Fetcher.Initial()
 	if err != nil {
 		return err
@@ -160,11 +171,7 @@ func (pp *proxySetProvider) Close() error {
 	return pp.Fetcher.Close()
 }
-func NewProxySetProvider(name string, interval time.Duration, parser resource.Parser[[]C.Proxy], vehicle types.Vehicle, hc *HealthCheck) (*ProxySetProvider, error) {
+func NewProxySetProvider(name string, interval time.Duration, payload []map[string]any, parser resource.Parser[[]C.Proxy], vehicle types.Vehicle, hc *HealthCheck) (*ProxySetProvider, error) {
 	if hc.auto() {
 		go hc.process()
 	}
 	pd := &proxySetProvider{
 		baseProvider: baseProvider{
 			name:        name,
@@ -173,7 +180,22 @@ func NewProxySetProvider(name string, interval time.Duration, parser resource.Pa
 		},
 	}
-	fetcher := resource.NewFetcher[[]C.Proxy](name, interval, vehicle, parser, proxiesOnUpdate(pd))
+	if len(payload) > 0 { // using as fallback proxies
 		ps := ProxySchema{Proxies: payload}
 		buf, err := yaml.Marshal(ps)
 		if err != nil {
 			return nil, err
 		}
 		proxies, err := parser(buf)
 		if err != nil {
 			return nil, err
 		}
 		pd.proxies = proxies
 		// direct call setProxies on hc to avoid starting a health check process immediately, it should be done by Initial()
 		hc.setProxies(proxies)
 	}
 	fetcher := resource.NewFetcher[[]C.Proxy](name, interval, vehicle, parser, pd.setProxies)
 	pd.Fetcher = fetcher
 	if httpVehicle, ok := vehicle.(*resource.HTTPVehicle); ok {
 		httpVehicle.SetInRead(func(resp *http.Response) {
@@ -220,10 +242,6 @@ func (ip *inlineProvider) VehicleType() types.VehicleType {
 	return types.Inline
 }
 func (ip *inlineProvider) Initial() error {
 	return nil
 }
 func (ip *inlineProvider) Update() error {
 	// make api update happy
 	ip.updateAt = time.Now()
@@ -231,10 +249,6 @@ func (ip *inlineProvider) Update() error {
 }
 func NewInlineProvider(name string, payload []map[string]any, parser resource.Parser[[]C.Proxy], hc *HealthCheck) (*InlineProvider, error) {
 	if hc.auto() {
 		go hc.process()
 	}
 	ps := ProxySchema{Proxies: payload}
 	buf, err := yaml.Marshal(ps)
 	if err != nil {
@@ -244,6 +258,8 @@ func NewInlineProvider(name string, payload []map[string]any, parser resource.Pa
 	if err != nil {
 		return nil, err
 	}
 	// direct call setProxies on hc to avoid starting a health check process immediately, it should be done by Initial()
 	hc.setProxies(proxies)
 	ip := &inlineProvider{
 		baseProvider: baseProvider{
@@ -287,13 +303,6 @@ func (cp *compatibleProvider) Update() error {
 	return nil
 }
 func (cp *compatibleProvider) Initial() error {
 	if cp.healthCheck.interval != 0 && cp.healthCheck.url != "" {
 		cp.HealthCheck()
 	}
 	return nil
 }
 func (cp *compatibleProvider) VehicleType() types.VehicleType {
 	return types.Compatible
 }
@@ -303,10 +312,6 @@ func NewCompatibleProvider(name string, proxies []C.Proxy, hc *HealthCheck) (*Co
 		return nil, errors.New("provider need one proxy at least")
 	}
 	if hc.auto() {
 		go hc.process()
 	}
 	pd := &compatibleProvider{
 		baseProvider: baseProvider{
 			name:        name,
@@ -325,13 +330,6 @@ func (cp *CompatibleProvider) Close() error {
 	return cp.compatibleProvider.Close()
 }
 func proxiesOnUpdate(pd *proxySetProvider) func([]C.Proxy) {
 	return func(elm []C.Proxy) {
 		pd.setProxies(elm)
 		pd.version += 1
 	}
 }
 func NewProxiesParser(filter string, excludeFilter string, excludeType string, dialerProxy string, override OverrideSchema) (resource.Parser[[]C.Proxy], error) {
 	excludeFilterReg, err := regexp2.Compile(excludeFilter, regexp2.None)
 	if err != nil {
--- a/common/buf/sing.go
+++ b/common/buf/sing.go
@@ -1,8 +1,8 @@
 package buf
 import (
-	"github.com/sagernet/sing/common"
+	"github.com/metacubex/sing/common"
-	"github.com/sagernet/sing/common/buf"
+	"github.com/metacubex/sing/common/buf"
 )
 const BufferSize = buf.BufferSize
--- a/common/contextutils/afterfunc_compact.go
+++ b/common/contextutils/afterfunc_compact.go
@@ -0,0 +1,31 @@
 package contextutils
 import (
 	"context"
 	"sync"
 )
 func afterFunc(ctx context.Context, f func()) (stop func() bool) {
 	stopc := make(chan struct{})
 	once := sync.Once{} // either starts running f or stops f from running
 	if ctx.Done() != nil {
 		go func() {
 			select {
 			case <-ctx.Done():
 				once.Do(func() {
 					go f()
 				})
 			case <-stopc:
 			}
 		}()
 	}
 	return func() bool {
 		stopped := false
 		once.Do(func() {
 			stopped = true
 			close(stopc)
 		})
 		return stopped
 	}
 }
--- a/common/contextutils/afterfunc_go120.go
+++ b/common/contextutils/afterfunc_go120.go
@@ -0,0 +1,11 @@
 //go:build !go1.21
 package contextutils
 import (
 	"context"
 )
 func AfterFunc(ctx context.Context, f func()) (stop func() bool) {
 	return afterFunc(ctx, f)
 }
--- a/common/contextutils/afterfunc_go121.go
+++ b/common/contextutils/afterfunc_go121.go
@@ -0,0 +1,9 @@
 //go:build go1.21
 package contextutils
 import "context"
 func AfterFunc(ctx context.Context, f func()) (stop func() bool) {
 	return context.AfterFunc(ctx, f)
 }
--- a/common/contextutils/afterfunc_test.go
+++ b/common/contextutils/afterfunc_test.go
@@ -0,0 +1,100 @@
 package contextutils
 import (
 	"context"
 	"testing"
 	"time"
 )
 const (
 	shortDuration    = 1 * time.Millisecond // a reasonable duration to block in a test
 	veryLongDuration = 1000 * time.Hour     // an arbitrary upper bound on the test's running time
 )
 func TestAfterFuncCalledAfterCancel(t *testing.T) {
 	ctx, cancel := context.WithCancel(context.Background())
 	donec := make(chan struct{})
 	stop := afterFunc(ctx, func() {
 		close(donec)
 	})
 	select {
 	case <-donec:
 		t.Fatalf("AfterFunc called before context is done")
 	case <-time.After(shortDuration):
 	}
 	cancel()
 	select {
 	case <-donec:
 	case <-time.After(veryLongDuration):
 		t.Fatalf("AfterFunc not called after context is canceled")
 	}
 	if stop() {
 		t.Fatalf("stop() = true, want false")
 	}
 }
 func TestAfterFuncCalledAfterTimeout(t *testing.T) {
 	ctx, cancel := context.WithTimeout(context.Background(), shortDuration)
 	defer cancel()
 	donec := make(chan struct{})
 	afterFunc(ctx, func() {
 		close(donec)
 	})
 	select {
 	case <-donec:
 	case <-time.After(veryLongDuration):
 		t.Fatalf("AfterFunc not called after context is canceled")
 	}
 }
 func TestAfterFuncCalledImmediately(t *testing.T) {
 	ctx, cancel := context.WithCancel(context.Background())
 	cancel()
 	donec := make(chan struct{})
 	afterFunc(ctx, func() {
 		close(donec)
 	})
 	select {
 	case <-donec:
 	case <-time.After(veryLongDuration):
 		t.Fatalf("AfterFunc not called for already-canceled context")
 	}
 }
 func TestAfterFuncNotCalledAfterStop(t *testing.T) {
 	ctx, cancel := context.WithCancel(context.Background())
 	donec := make(chan struct{})
 	stop := afterFunc(ctx, func() {
 		close(donec)
 	})
 	if !stop() {
 		t.Fatalf("stop() = false, want true")
 	}
 	cancel()
 	select {
 	case <-donec:
 		t.Fatalf("AfterFunc called for already-canceled context")
 	case <-time.After(shortDuration):
 	}
 	if stop() {
 		t.Fatalf("stop() = true, want false")
 	}
 }
 // This test verifies that canceling a context does not block waiting for AfterFuncs to finish.
 func TestAfterFuncCalledAsynchronously(t *testing.T) {
 	ctx, cancel := context.WithCancel(context.Background())
 	donec := make(chan struct{})
 	stop := afterFunc(ctx, func() {
 		// The channel send blocks until donec is read from.
 		donec <- struct{}{}
 	})
 	defer stop()
 	cancel()
 	// After cancel returns, read from donec and unblock the AfterFunc.
 	select {
 	case <-donec:
 	case <-time.After(veryLongDuration):
 		t.Fatalf("AfterFunc not called after context is canceled")
 	}
 }
--- a/common/convert/converter.go
+++ b/common/convert/converter.go
@@ -275,22 +275,24 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			vmess["skip-cert-verify"] = false
 			vmess["cipher"] = "auto"
-			if cipher, ok := values["scy"]; ok && cipher != "" {
+			if cipher, ok := values["scy"].(string); ok && cipher != "" {
 				vmess["cipher"] = cipher
 			}
-			if sni, ok := values["sni"]; ok && sni != "" {
+			if sni, ok := values["sni"].(string); ok && sni != "" {
 				vmess["servername"] = sni
 			}
-			network, _ := values["net"].(string)
+			network, ok := values["net"].(string)
-			network = strings.ToLower(network)
+			if ok {
-			if values["type"] == "http" {
+				network = strings.ToLower(network)
-				network = "http"
+				if values["type"] == "http" {
-			} else if network == "http" {
+					network = "http"
-				network = "h2"
+				} else if network == "http" {
 					network = "h2"
 				}
 				vmess["network"] = network
 			}
 			vmess["network"] = network
 			tls, ok := values["tls"].(string)
 			if ok {
@@ -307,12 +309,12 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			case "http":
 				headers := make(map[string]any)
 				httpOpts := make(map[string]any)
-				if host, ok := values["host"]; ok && host != "" {
+				if host, ok := values["host"].(string); ok && host != "" {
-					headers["Host"] = []string{host.(string)}
+					headers["Host"] = []string{host}
 				}
 				httpOpts["path"] = []string{"/"}
-				if path, ok := values["path"]; ok && path != "" {
+				if path, ok := values["path"].(string); ok && path != "" {
-					httpOpts["path"] = []string{path.(string)}
+					httpOpts["path"] = []string{path}
 				}
 				httpOpts["headers"] = headers
@@ -321,8 +323,8 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			case "h2":
 				headers := make(map[string]any)
 				h2Opts := make(map[string]any)
-				if host, ok := values["host"]; ok && host != "" {
+				if host, ok := values["host"].(string); ok && host != "" {
-					headers["Host"] = []string{host.(string)}
+					headers["Host"] = []string{host}
 				}
 				h2Opts["path"] = values["path"]
@@ -334,11 +336,11 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 				headers := make(map[string]any)
 				wsOpts := make(map[string]any)
 				wsOpts["path"] = "/"
-				if host, ok := values["host"]; ok && host != "" {
+				if host, ok := values["host"].(string); ok && host != "" {
-					headers["Host"] = host.(string)
+					headers["Host"] = host
 				}
-				if path, ok := values["path"]; ok && path != "" {
+				if path, ok := values["path"].(string); ok && path != "" {
-					path := path.(string)
+					path := path
 					pathURL, err := url.Parse(path)
 					if err == nil {
 						query := pathURL.Query()
--- a/common/net/context.go
+++ b/common/net/context.go
@@ -3,29 +3,37 @@ package net
 import (
 	"context"
 	"net"
 	"github.com/metacubex/mihomo/common/contextutils"
 )
-// SetupContextForConn is a helper function that starts connection I/O interrupter goroutine.
+// SetupContextForConn is a helper function that starts connection I/O interrupter.
 // if ctx be canceled before done called, it will close the connection.
 // should use like this:
 //
 //	func streamConn(ctx context.Context, conn net.Conn) (_ net.Conn, err error) {
 //		if ctx.Done() != nil {
 //			done := N.SetupContextForConn(ctx, conn)
 //			defer done(&err)
 //		}
 //		conn, err := xxx
 //		return conn, err
 //	}
 func SetupContextForConn(ctx context.Context, conn net.Conn) (done func(*error)) {
-	var (
+	stopc := make(chan struct{})
-		quit      = make(chan struct{})
+	stop := contextutils.AfterFunc(ctx, func() {
-		interrupt = make(chan error, 1)
+		// Close the connection, discarding the error
-	)
+		_ = conn.Close()
-	go func() {
+		close(stopc)
-		select {
+	})
 		case <-quit:
 			interrupt <- nil
 		case <-ctx.Done():
 			// Close the connection, discarding the error
 			_ = conn.Close()
 			interrupt <- ctx.Err()
 		}
 	}()
 	return func(inputErr *error) {
-		close(quit)
+		if !stop() {
-		if ctxErr := <-interrupt; ctxErr != nil && inputErr != nil {
+			// The AfterFunc was started, wait for it to complete.
-			// Return context error to user.
+			<-stopc
-			inputErr = &ctxErr
+			if ctxErr := ctx.Err(); ctxErr != nil && inputErr != nil {
 				// Return context error to user.
 				*inputErr = ctxErr
 			}
 		}
 	}
 }
--- a/common/net/context_test.go
+++ b/common/net/context_test.go
@@ -0,0 +1,103 @@
 package net_test
 import (
 	"context"
 	"errors"
 	"net"
 	"testing"
 	"time"
 	N "github.com/metacubex/mihomo/common/net"
 	"github.com/stretchr/testify/assert"
 )
 func testRead(ctx context.Context, conn net.Conn) (err error) {
 	if ctx.Done() != nil {
 		done := N.SetupContextForConn(ctx, conn)
 		defer done(&err)
 	}
 	_, err = conn.Read(make([]byte, 1))
 	return err
 }
 func TestSetupContextForConnWithCancel(t *testing.T) {
 	t.Parallel()
 	c1, c2 := N.Pipe()
 	defer c1.Close()
 	defer c2.Close()
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 	errc := make(chan error)
 	go func() {
 		errc <- testRead(ctx, c1)
 	}()
 	select {
 	case <-errc:
 		t.Fatal("conn closed before cancel")
 	case <-time.After(100 * time.Millisecond):
 		cancel()
 	}
 	select {
 	case err := <-errc:
 		assert.ErrorIs(t, err, context.Canceled)
 	case <-time.After(100 * time.Millisecond):
 		t.Fatal("conn not be canceled")
 	}
 }
 func TestSetupContextForConnWithTimeout1(t *testing.T) {
 	t.Parallel()
 	c1, c2 := N.Pipe()
 	defer c1.Close()
 	defer c2.Close()
 	ctx, cancel := context.WithTimeout(context.Background(), 100*time.Millisecond)
 	defer cancel()
 	errc := make(chan error)
 	go func() {
 		errc <- testRead(ctx, c1)
 	}()
 	select {
 	case err := <-errc:
 		if !errors.Is(ctx.Err(), context.DeadlineExceeded) {
 			t.Fatal("conn closed before timeout")
 		}
 		assert.ErrorIs(t, err, context.DeadlineExceeded)
 	case <-time.After(200 * time.Millisecond):
 		t.Fatal("conn not be canceled")
 	}
 }
 func TestSetupContextForConnWithTimeout2(t *testing.T) {
 	t.Parallel()
 	c1, c2 := N.Pipe()
 	defer c1.Close()
 	defer c2.Close()
 	ctx, cancel := context.WithTimeout(context.Background(), 200*time.Millisecond)
 	defer cancel()
 	errc := make(chan error)
 	go func() {
 		errc <- testRead(ctx, c1)
 	}()
 	select {
 	case <-errc:
 		t.Fatal("conn closed before cancel")
 	case <-time.After(100 * time.Millisecond):
 		c2.Write(make([]byte, 1))
 	}
 	select {
 	case err := <-errc:
 		assert.Nil(t, ctx.Err())
 		assert.Nil(t, err)
 	case <-time.After(200 * time.Millisecond):
 		t.Fatal("conn not be canceled")
 	}
 }
--- a/common/net/deadline/conn.go
+++ b/common/net/deadline/conn.go
@@ -7,9 +7,9 @@ import (
 	"github.com/metacubex/mihomo/common/atomic"
-	"github.com/sagernet/sing/common/buf"
+	"github.com/metacubex/sing/common/buf"
-	"github.com/sagernet/sing/common/bufio"
+	"github.com/metacubex/sing/common/bufio"
-	"github.com/sagernet/sing/common/network"
+	"github.com/metacubex/sing/common/network"
 )
 type connReadResult struct {
@@ -20,7 +20,7 @@ type connReadResult struct {
 type Conn struct {
 	network.ExtendedConn
 	deadline     atomic.TypedValue[time.Time]
-	pipeDeadline pipeDeadline
+	pipeDeadline PipeDeadline
 	disablePipe  atomic.Bool
 	inRead       atomic.Bool
 	resultCh     chan *connReadResult
@@ -34,7 +34,7 @@ func IsConn(conn any) bool {
 func NewConn(conn net.Conn) *Conn {
 	c := &Conn{
 		ExtendedConn: bufio.NewExtendedConn(conn),
-		pipeDeadline: makePipeDeadline(),
+		pipeDeadline: MakePipeDeadline(),
 		resultCh:     make(chan *connReadResult, 1),
 	}
 	c.resultCh <- nil
@@ -58,7 +58,7 @@ func (c *Conn) Read(p []byte) (n int, err error) {
 			c.resultCh <- nil
 			break
 		}
-	case <-c.pipeDeadline.wait():
+	case <-c.pipeDeadline.Wait():
 		return 0, os.ErrDeadlineExceeded
 	}
@@ -104,7 +104,7 @@ func (c *Conn) ReadBuffer(buffer *buf.Buffer) (err error) {
 			c.resultCh <- nil
 			break
 		}
-	case <-c.pipeDeadline.wait():
+	case <-c.pipeDeadline.Wait():
 		return os.ErrDeadlineExceeded
 	}
@@ -130,7 +130,7 @@ func (c *Conn) SetReadDeadline(t time.Time) error {
 		return c.ExtendedConn.SetReadDeadline(t)
 	}
 	c.deadline.Store(t)
-	c.pipeDeadline.set(t)
+	c.pipeDeadline.Set(t)
 	return nil
 }
--- a/common/net/deadline/packet.go
+++ b/common/net/deadline/packet.go
@@ -19,7 +19,7 @@ type readResult struct {
 type NetPacketConn struct {
 	net.PacketConn
 	deadline     atomic.TypedValue[time.Time]
-	pipeDeadline pipeDeadline
+	pipeDeadline PipeDeadline
 	disablePipe  atomic.Bool
 	inRead       atomic.Bool
 	resultCh     chan any
@@ -28,7 +28,7 @@ type NetPacketConn struct {
 func NewNetPacketConn(pc net.PacketConn) net.PacketConn {
 	npc := &NetPacketConn{
 		PacketConn:   pc,
-		pipeDeadline: makePipeDeadline(),
+		pipeDeadline: MakePipeDeadline(),
 		resultCh:     make(chan any, 1),
 	}
 	npc.resultCh <- nil
@@ -83,7 +83,7 @@ FOR:
 				c.resultCh <- nil
 				break FOR
 			}
-		case <-c.pipeDeadline.wait():
+		case <-c.pipeDeadline.Wait():
 			return 0, nil, os.ErrDeadlineExceeded
 		}
 	}
@@ -122,7 +122,7 @@ func (c *NetPacketConn) SetReadDeadline(t time.Time) error {
 		return c.PacketConn.SetReadDeadline(t)
 	}
 	c.deadline.Store(t)
-	c.pipeDeadline.set(t)
+	c.pipeDeadline.Set(t)
 	return nil
 }
--- a/common/net/deadline/packet_enhance.go
+++ b/common/net/deadline/packet_enhance.go
@@ -52,7 +52,7 @@ FOR:
 				c.netPacketConn.resultCh <- nil
 				break FOR
 			}
-		case <-c.netPacketConn.pipeDeadline.wait():
+		case <-c.netPacketConn.pipeDeadline.Wait():
 			return nil, nil, nil, os.ErrDeadlineExceeded
 		}
 	}
--- a/common/net/deadline/packet_sing.go
+++ b/common/net/deadline/packet_sing.go
@@ -6,10 +6,10 @@ import (
 	"github.com/metacubex/mihomo/common/net/packet"
-	"github.com/sagernet/sing/common/buf"
+	"github.com/metacubex/sing/common/buf"
-	"github.com/sagernet/sing/common/bufio"
+	"github.com/metacubex/sing/common/bufio"
-	M "github.com/sagernet/sing/common/metadata"
+	M "github.com/metacubex/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
+	N "github.com/metacubex/sing/common/network"
 )
 type SingPacketConn struct {
@@ -69,7 +69,7 @@ FOR:
 				c.netPacketConn.resultCh <- nil
 				break FOR
 			}
-		case <-c.netPacketConn.pipeDeadline.wait():
+		case <-c.netPacketConn.pipeDeadline.Wait():
 			return M.Socksaddr{}, os.ErrDeadlineExceeded
 		}
 	}
@@ -146,7 +146,7 @@ FOR:
 				c.netPacketConn.resultCh <- nil
 				break FOR
 			}
-		case <-c.netPacketConn.pipeDeadline.wait():
+		case <-c.netPacketConn.pipeDeadline.Wait():
 			return nil, M.Socksaddr{}, os.ErrDeadlineExceeded
 		}
 	}
--- a/common/net/deadline/pipe.go
+++ b/common/net/deadline/pipe.go
@@ -9,24 +9,24 @@ import (
 	"time"
 )
-// pipeDeadline is an abstraction for handling timeouts.
+// PipeDeadline is an abstraction for handling timeouts.
-type pipeDeadline struct {
+type PipeDeadline struct {
 	mu     sync.Mutex // Guards timer and cancel
 	timer  *time.Timer
 	cancel chan struct{} // Must be non-nil
 }
-func makePipeDeadline() pipeDeadline {
+func MakePipeDeadline() PipeDeadline {
-	return pipeDeadline{cancel: make(chan struct{})}
+	return PipeDeadline{cancel: make(chan struct{})}
 }
-// set sets the point in time when the deadline will time out.
+// Set sets the point in time when the deadline will time out.
 // A timeout event is signaled by closing the channel returned by waiter.
 // Once a timeout has occurred, the deadline can be refreshed by specifying a
 // t value in the future.
 //
 // A zero value for t prevents timeout.
-func (d *pipeDeadline) set(t time.Time) {
+func (d *PipeDeadline) Set(t time.Time) {
 	d.mu.Lock()
 	defer d.mu.Unlock()
@@ -61,8 +61,8 @@ func (d *pipeDeadline) set(t time.Time) {
 	}
 }
-// wait returns a channel that is closed when the deadline is exceeded.
+// Wait returns a channel that is closed when the deadline is exceeded.
-func (d *pipeDeadline) wait() chan struct{} {
+func (d *PipeDeadline) Wait() chan struct{} {
 	d.mu.Lock()
 	defer d.mu.Unlock()
 	return d.cancel
--- a/common/net/deadline/pipe_sing.go
+++ b/common/net/deadline/pipe_sing.go
@@ -7,8 +7,8 @@ import (
 	"sync"
 	"time"
-	"github.com/sagernet/sing/common/buf"
+	"github.com/metacubex/sing/common/buf"
-	N "github.com/sagernet/sing/common/network"
+	N "github.com/metacubex/sing/common/network"
 )
 type pipeAddr struct{}
@@ -33,8 +33,8 @@ type pipe struct {
 	localDone  chan struct{}
 	remoteDone <-chan struct{}
-	readDeadline  pipeDeadline
+	readDeadline  PipeDeadline
-	writeDeadline pipeDeadline
+	writeDeadline PipeDeadline
 	readWaitOptions N.ReadWaitOptions
 }
@@ -56,15 +56,15 @@ func Pipe() (net.Conn, net.Conn) {
 		rdRx: cb1, rdTx: cn1,
 		wrTx: cb2, wrRx: cn2,
 		localDone: done1, remoteDone: done2,
-		readDeadline:  makePipeDeadline(),
+		readDeadline:  MakePipeDeadline(),
-		writeDeadline: makePipeDeadline(),
+		writeDeadline: MakePipeDeadline(),
 	}
 	p2 := &pipe{
 		rdRx: cb2, rdTx: cn2,
 		wrTx: cb1, wrRx: cn1,
 		localDone: done2, remoteDone: done1,
-		readDeadline:  makePipeDeadline(),
+		readDeadline:  MakePipeDeadline(),
-		writeDeadline: makePipeDeadline(),
+		writeDeadline: MakePipeDeadline(),
 	}
 	return p1, p2
 }
@@ -86,7 +86,7 @@ func (p *pipe) read(b []byte) (n int, err error) {
 		return 0, io.ErrClosedPipe
 	case isClosedChan(p.remoteDone):
 		return 0, io.EOF
-	case isClosedChan(p.readDeadline.wait()):
+	case isClosedChan(p.readDeadline.Wait()):
 		return 0, os.ErrDeadlineExceeded
 	}
@@ -99,7 +99,7 @@ func (p *pipe) read(b []byte) (n int, err error) {
 		return 0, io.ErrClosedPipe
 	case <-p.remoteDone:
 		return 0, io.EOF
-	case <-p.readDeadline.wait():
+	case <-p.readDeadline.Wait():
 		return 0, os.ErrDeadlineExceeded
 	}
 }
@@ -118,7 +118,7 @@ func (p *pipe) write(b []byte) (n int, err error) {
 		return 0, io.ErrClosedPipe
 	case isClosedChan(p.remoteDone):
 		return 0, io.ErrClosedPipe
-	case isClosedChan(p.writeDeadline.wait()):
+	case isClosedChan(p.writeDeadline.Wait()):
 		return 0, os.ErrDeadlineExceeded
 	}
@@ -134,7 +134,7 @@ func (p *pipe) write(b []byte) (n int, err error) {
 			return n, io.ErrClosedPipe
 		case <-p.remoteDone:
 			return n, io.ErrClosedPipe
-		case <-p.writeDeadline.wait():
+		case <-p.writeDeadline.Wait():
 			return n, os.ErrDeadlineExceeded
 		}
 	}
@@ -145,8 +145,8 @@ func (p *pipe) SetDeadline(t time.Time) error {
 	if isClosedChan(p.localDone) || isClosedChan(p.remoteDone) {
 		return io.ErrClosedPipe
 	}
-	p.readDeadline.set(t)
+	p.readDeadline.Set(t)
-	p.writeDeadline.set(t)
+	p.writeDeadline.Set(t)
 	return nil
 }
@@ -154,7 +154,7 @@ func (p *pipe) SetReadDeadline(t time.Time) error {
 	if isClosedChan(p.localDone) || isClosedChan(p.remoteDone) {
 		return io.ErrClosedPipe
 	}
-	p.readDeadline.set(t)
+	p.readDeadline.Set(t)
 	return nil
 }
@@ -162,7 +162,7 @@ func (p *pipe) SetWriteDeadline(t time.Time) error {
 	if isClosedChan(p.localDone) || isClosedChan(p.remoteDone) {
 		return io.ErrClosedPipe
 	}
-	p.writeDeadline.set(t)
+	p.writeDeadline.Set(t)
 	return nil
 }
@@ -192,7 +192,7 @@ func (p *pipe) waitReadBuffer() (buffer *buf.Buffer, err error) {
 		return nil, io.ErrClosedPipe
 	case isClosedChan(p.remoteDone):
 		return nil, io.EOF
-	case isClosedChan(p.readDeadline.wait()):
+	case isClosedChan(p.readDeadline.Wait()):
 		return nil, os.ErrDeadlineExceeded
 	}
 	select {
@@ -211,7 +211,7 @@ func (p *pipe) waitReadBuffer() (buffer *buf.Buffer, err error) {
 		return nil, io.ErrClosedPipe
 	case <-p.remoteDone:
 		return nil, io.EOF
-	case <-p.readDeadline.wait():
+	case <-p.readDeadline.Wait():
 		return nil, os.ErrDeadlineExceeded
 	}
 }
--- a/common/net/listener.go
+++ b/common/net/listener.go
@@ -0,0 +1,90 @@
 package net
 import (
 	"context"
 	"net"
 	"sync"
 )
 type handleContextListener struct {
 	net.Listener
 	ctx      context.Context
 	cancel   context.CancelFunc
 	conns    chan net.Conn
 	err      error
 	once     sync.Once
 	handle   func(context.Context, net.Conn) (net.Conn, error)
 	panicLog func(any)
 }
 func (l *handleContextListener) init() {
 	go func() {
 		for {
 			c, err := l.Listener.Accept()
 			if err != nil {
 				l.err = err
 				close(l.conns)
 				return
 			}
 			go func() {
 				defer func() {
 					if r := recover(); r != nil {
 						if l.panicLog != nil {
 							l.panicLog(r)
 						}
 					}
 				}()
 				if conn, err := l.handle(l.ctx, c); err == nil {
 					l.conns <- conn
 				} else {
 					// handle failed, close the underlying connection.
 					_ = c.Close()
 				}
 			}()
 		}
 	}()
 }
 func (l *handleContextListener) Accept() (net.Conn, error) {
 	l.once.Do(l.init)
 	if c, ok := <-l.conns; ok {
 		return c, nil
 	}
 	return nil, l.err
 }
 func (l *handleContextListener) Close() error {
 	l.cancel()
 	l.once.Do(func() { // l.init has not been called yet, so close related resources directly.
 		l.err = net.ErrClosed
 		close(l.conns)
 	})
 	defer func() {
 		// at here, listener has been closed, so we should close all connections in the channel
 		for c := range l.conns {
 			go func(c net.Conn) {
 				defer func() {
 					if r := recover(); r != nil {
 						if l.panicLog != nil {
 							l.panicLog(r)
 						}
 					}
 				}()
 				_ = c.Close()
 			}(c)
 		}
 	}()
 	return l.Listener.Close()
 }
 func NewHandleContextListener(ctx context.Context, l net.Listener, handle func(context.Context, net.Conn) (net.Conn, error), panicLog func(any)) net.Listener {
 	ctx, cancel := context.WithCancel(ctx)
 	return &handleContextListener{
 		Listener: l,
 		ctx:      ctx,
 		cancel:   cancel,
 		conns:    make(chan net.Conn),
 		handle:   handle,
 		panicLog: panicLog,
 	}
 }
--- a/common/net/packet/packet_posix.go
+++ b/common/net/packet/packet_posix.go
@@ -45,7 +45,11 @@ func (c *enhanceUDPConn) WaitReadFrom() (data []byte, put func(), addr net.Addr,
 				addr = &net.UDPAddr{IP: ip[:], Port: from.Port}
 			case *syscall.SockaddrInet6:
 				ip := from.Addr // copy from.Addr; ip escapes, so this line allocates 16 bytes
-				addr = &net.UDPAddr{IP: ip[:], Port: from.Port, Zone: strconv.FormatInt(int64(from.ZoneId), 10)}
+				zone := ""
 				if from.ZoneId != 0 {
 					zone = strconv.FormatInt(int64(from.ZoneId), 10)
 				}
 				addr = &net.UDPAddr{IP: ip[:], Port: from.Port, Zone: zone}
 			}
 		}
 		// udp should not convert readN == 0 to io.EOF
--- a/common/net/packet/packet_sing.go
+++ b/common/net/packet/packet_sing.go
@@ -3,10 +3,10 @@ package packet
 import (
 	"net"
-	"github.com/sagernet/sing/common/buf"
+	"github.com/metacubex/sing/common/buf"
-	"github.com/sagernet/sing/common/bufio"
+	"github.com/metacubex/sing/common/bufio"
-	M "github.com/sagernet/sing/common/metadata"
+	M "github.com/metacubex/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
+	N "github.com/metacubex/sing/common/network"
 )
 type SingPacketConn = N.NetPacketConn
--- a/common/net/packet/packet_windows.go
+++ b/common/net/packet/packet_windows.go
@@ -54,7 +54,11 @@ func (c *enhanceUDPConn) WaitReadFrom() (data []byte, put func(), addr net.Addr,
 				addr = &net.UDPAddr{IP: ip[:], Port: from.Port}
 			case *windows.SockaddrInet6:
 				ip := from.Addr // copy from.Addr; ip escapes, so this line allocates 16 bytes
-				addr = &net.UDPAddr{IP: ip[:], Port: from.Port, Zone: strconv.FormatInt(int64(from.ZoneId), 10)}
+				zone := ""
 				if from.ZoneId != 0 {
 					zone = strconv.FormatInt(int64(from.ZoneId), 10)
 				}
 				addr = &net.UDPAddr{IP: ip[:], Port: from.Port, Zone: zone}
 			}
 		}
 		// udp should not convert readN == 0 to io.EOF
--- a/common/net/packet/ref_sing.go
+++ b/common/net/packet/ref_sing.go
@@ -3,9 +3,9 @@ package packet
 import (
 	"runtime"
-	"github.com/sagernet/sing/common/buf"
+	"github.com/metacubex/sing/common/buf"
-	M "github.com/sagernet/sing/common/metadata"
+	M "github.com/metacubex/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
+	N "github.com/metacubex/sing/common/network"
 )
 type refSingPacketConn struct {
--- a/common/net/packet/thread_sing.go
+++ b/common/net/packet/thread_sing.go
@@ -1,9 +1,9 @@
 package packet
 import (
-	"github.com/sagernet/sing/common/buf"
+	"github.com/metacubex/sing/common/buf"
-	M "github.com/sagernet/sing/common/metadata"
+	M "github.com/metacubex/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
+	N "github.com/metacubex/sing/common/network"
 )
 type threadSafeSingPacketConn struct {
--- a/common/net/refconn.go
+++ b/common/net/refconn.go
@@ -77,6 +77,6 @@ func (c *refConn) WriterReplaceable() bool { // Relay() will handle reference
 var _ ExtendedConn = (*refConn)(nil)
-func NewRefConn(conn net.Conn, ref any) net.Conn {
+func NewRefConn(conn net.Conn, ref any) ExtendedConn {
 	return &refConn{conn: NewExtendedConn(conn), ref: ref}
 }
--- a/common/net/sing.go
+++ b/common/net/sing.go
@@ -7,9 +7,9 @@ import (
 	"github.com/metacubex/mihomo/common/net/deadline"
-	"github.com/sagernet/sing/common"
+	"github.com/metacubex/sing/common"
-	"github.com/sagernet/sing/common/bufio"
+	"github.com/metacubex/sing/common/bufio"
-	"github.com/sagernet/sing/common/network"
+	"github.com/metacubex/sing/common/network"
 )
 var NewExtendedConn = bufio.NewExtendedConn
--- a/common/net/tls.go
+++ b/common/net/tls.go
@@ -1,58 +0,0 @@
 package net
 import (
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/pem"
 	"fmt"
 	"math/big"
 )
 type Path interface {
 	Resolve(path string) string
 }
 func ParseCert(certificate, privateKey string, path Path) (tls.Certificate, error) {
 	if certificate == "" && privateKey == "" {
 		return newRandomTLSKeyPair()
 	}
 	cert, painTextErr := tls.X509KeyPair([]byte(certificate), []byte(privateKey))
 	if painTextErr == nil {
 		return cert, nil
 	}
 	certificate = path.Resolve(certificate)
 	privateKey = path.Resolve(privateKey)
 	cert, loadErr := tls.LoadX509KeyPair(certificate, privateKey)
 	if loadErr != nil {
 		return tls.Certificate{}, fmt.Errorf("parse certificate failed, maybe format error:%s, or path error: %s", painTextErr.Error(), loadErr.Error())
 	}
 	return cert, nil
 }
 func newRandomTLSKeyPair() (tls.Certificate, error) {
 	key, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
 		return tls.Certificate{}, err
 	}
 	template := x509.Certificate{SerialNumber: big.NewInt(1)}
 	certDER, err := x509.CreateCertificate(
 		rand.Reader,
 		&template,
 		&template,
 		&key.PublicKey,
 		key)
 	if err != nil {
 		return tls.Certificate{}, err
 	}
 	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
 	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
 	tlsCert, err := tls.X509KeyPair(certPEM, keyPEM)
 	if err != nil {
 		return tls.Certificate{}, err
 	}
 	return tlsCert, nil
 }
--- a/common/nnip/netip.go
+++ b/common/nnip/netip.go
@@ -1,73 +0,0 @@
 package nnip
 import (
 	"encoding/binary"
 	"net"
 	"net/netip"
 )
 // IpToAddr converts the net.IP to netip.Addr.
 // If slice's length is not 4 or 16, IpToAddr returns netip.Addr{}
 func IpToAddr(slice net.IP) netip.Addr {
 	ip := slice
 	if len(ip) != 4 {
 		if ip = slice.To4(); ip == nil {
 			ip = slice
 		}
 	}
 	if addr, ok := netip.AddrFromSlice(ip); ok {
 		return addr
 	}
 	return netip.Addr{}
 }
 // UnMasked returns p's last IP address.
 // If p is invalid, UnMasked returns netip.Addr{}
 func UnMasked(p netip.Prefix) netip.Addr {
 	if !p.IsValid() {
 		return netip.Addr{}
 	}
 	buf := p.Addr().As16()
 	hi := binary.BigEndian.Uint64(buf[:8])
 	lo := binary.BigEndian.Uint64(buf[8:])
 	bits := p.Bits()
 	if bits <= 32 {
 		bits += 96
 	}
 	hi = hi | ^uint64(0)>>bits
 	lo = lo | ^(^uint64(0) << (128 - bits))
 	binary.BigEndian.PutUint64(buf[:8], hi)
 	binary.BigEndian.PutUint64(buf[8:], lo)
 	addr := netip.AddrFrom16(buf)
 	if p.Addr().Is4() {
 		return addr.Unmap()
 	}
 	return addr
 }
 // PrefixCompare returns an integer comparing two prefixes.
 // The result will be 0 if p == p2, -1 if p < p2, and +1 if p > p2.
 // modify from https://github.com/golang/go/issues/61642#issuecomment-1848587909
 func PrefixCompare(p, p2 netip.Prefix) int {
 	// compare by validity, address family and prefix base address
 	if c := p.Masked().Addr().Compare(p2.Masked().Addr()); c != 0 {
 		return c
 	}
 	// compare by prefix length
 	f1, f2 := p.Bits(), p2.Bits()
 	if f1 < f2 {
 		return -1
 	}
 	if f1 > f2 {
 		return 1
 	}
 	// compare by prefix address
 	return p.Addr().Compare(p2.Addr())
 }
--- a/common/observable/observable.go
+++ b/common/observable/observable.go
@@ -10,6 +10,7 @@ type Observable[T any] struct {
 	listener map[Subscription[T]]*Subscriber[T]
 	mux      sync.Mutex
 	done     bool
 	stopCh   chan struct{}
 }
 func (o *Observable[T]) process() {
@@ -31,6 +32,7 @@ func (o *Observable[T]) close() {
 	for _, sub := range o.listener {
 		sub.Close()
 	}
 	close(o.stopCh)
 }
 func (o *Observable[T]) Subscribe() (Subscription[T], error) {
@@ -59,6 +61,7 @@ func NewObservable[T any](iter Iterable[T]) *Observable[T] {
 	observable := &Observable[T]{
 		iterable: iter,
 		listener: map[Subscription[T]]*Subscriber[T]{},
 		stopCh:   make(chan struct{}),
 	}
 	go observable.process()
 	return observable
--- a/common/observable/observable_test.go
+++ b/common/observable/observable_test.go
@@ -70,9 +70,11 @@ func TestObservable_SubscribeClosedSource(t *testing.T) {
 	src := NewObservable[int](iter)
 	data, _ := src.Subscribe()
 	<-data
-
+	select {
-	_, closed := src.Subscribe()
+	case <-src.stopCh:
-	assert.NotNil(t, closed)
+	case <-time.After(time.Second):
 		assert.Fail(t, "timeout not stop")
 	}
 }
 func TestObservable_UnSubscribeWithNotExistSubscription(t *testing.T) {
--- a/common/once/oncefunc.go
+++ b/common/once/oncefunc.go
@@ -0,0 +1,102 @@
 // Copyright 2022 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package once
 import "sync"
 // OnceFunc returns a function that invokes f only once. The returned function
 // may be called concurrently.
 //
 // If f panics, the returned function will panic with the same value on every call.
 func OnceFunc(f func()) func() {
 	var (
 		once  sync.Once
 		valid bool
 		p     any
 	)
 	// Construct the inner closure just once to reduce costs on the fast path.
 	g := func() {
 		defer func() {
 			p = recover()
 			if !valid {
 				// Re-panic immediately so on the first call the user gets a
 				// complete stack trace into f.
 				panic(p)
 			}
 		}()
 		f()
 		f = nil      // Do not keep f alive after invoking it.
 		valid = true // Set only if f does not panic.
 	}
 	return func() {
 		once.Do(g)
 		if !valid {
 			panic(p)
 		}
 	}
 }
 // OnceValue returns a function that invokes f only once and returns the value
 // returned by f. The returned function may be called concurrently.
 //
 // If f panics, the returned function will panic with the same value on every call.
 func OnceValue[T any](f func() T) func() T {
 	var (
 		once   sync.Once
 		valid  bool
 		p      any
 		result T
 	)
 	g := func() {
 		defer func() {
 			p = recover()
 			if !valid {
 				panic(p)
 			}
 		}()
 		result = f()
 		f = nil
 		valid = true
 	}
 	return func() T {
 		once.Do(g)
 		if !valid {
 			panic(p)
 		}
 		return result
 	}
 }
 // OnceValues returns a function that invokes f only once and returns the values
 // returned by f. The returned function may be called concurrently.
 //
 // If f panics, the returned function will panic with the same value on every call.
 func OnceValues[T1, T2 any](f func() (T1, T2)) func() (T1, T2) {
 	var (
 		once  sync.Once
 		valid bool
 		p     any
 		r1    T1
 		r2    T2
 	)
 	g := func() {
 		defer func() {
 			p = recover()
 			if !valid {
 				panic(p)
 			}
 		}()
 		r1, r2 = f()
 		f = nil
 		valid = true
 	}
 	return func() (T1, T2) {
 		once.Do(g)
 		if !valid {
 			panic(p)
 		}
 		return r1, r2
 	}
 }
--- a/common/picker/picker_test.go
+++ b/common/picker/picker_test.go
@@ -22,9 +22,10 @@ func sleepAndSend[T any](ctx context.Context, delay int, input T) func() (T, err
 }
 func TestPicker_Basic(t *testing.T) {
 	t.Parallel()
 	picker, ctx := WithContext[int](context.Background())
-	picker.Go(sleepAndSend(ctx, 30, 2))
+	picker.Go(sleepAndSend(ctx, 200, 2))
-	picker.Go(sleepAndSend(ctx, 20, 1))
+	picker.Go(sleepAndSend(ctx, 100, 1))
 	number := picker.Wait()
 	assert.NotNil(t, number)
@@ -32,8 +33,9 @@ func TestPicker_Basic(t *testing.T) {
 }
 func TestPicker_Timeout(t *testing.T) {
 	t.Parallel()
 	picker, ctx := WithTimeout[int](context.Background(), time.Millisecond*5)
-	picker.Go(sleepAndSend(ctx, 20, 1))
+	picker.Go(sleepAndSend(ctx, 100, 1))
 	number := picker.Wait()
 	assert.Equal(t, number, lo.Empty[int]())
--- a/common/pool/sing.go
+++ b/common/pool/sing.go
@@ -1,6 +1,6 @@
 package pool
-import "github.com/sagernet/sing/common/buf"
+import "github.com/metacubex/sing/common/buf"
 func init() {
 	buf.DefaultAllocator = defaultAllocator
--- a/common/singledo/singledo.go
+++ b/common/singledo/singledo.go
@@ -13,25 +13,26 @@ type call[T any] struct {
 type Single[T any] struct {
 	mux    sync.Mutex
 	last   time.Time
 	wait   time.Duration
 	call   *call[T]
 	result *Result[T]
 }
 type Result[T any] struct {
-	Val T
+	Val  T
-	Err error
+	Err  error
 	Time time.Time
 }
 // Do single.Do likes sync.singleFlight
 func (s *Single[T]) Do(fn func() (T, error)) (v T, err error, shared bool) {
 	s.mux.Lock()
-	now := time.Now()
+	result := s.result
-	if now.Before(s.last.Add(s.wait)) {
+	if result != nil && time.Since(result.Time) < s.wait {
 		s.mux.Unlock()
-		return s.result.Val, s.result.Err, true
+		return result.Val, result.Err, true
 	}
 	s.result = nil // The result has expired, clear it
 	if callM := s.call; callM != nil {
 		s.mux.Unlock()
@@ -47,15 +48,19 @@ func (s *Single[T]) Do(fn func() (T, error)) (v T, err error, shared bool) {
 	callM.wg.Done()
 	s.mux.Lock()
-	s.call = nil
+	if s.call == callM { // maybe reset when fn is running
-	s.result = &Result[T]{callM.val, callM.err}
+		s.call = nil
-	s.last = now
+		s.result = &Result[T]{callM.val, callM.err, time.Now()}
 	}
 	s.mux.Unlock()
 	return callM.val, callM.err, false
 }
 func (s *Single[T]) Reset() {
-	s.last = time.Time{}
+	s.mux.Lock()
 	s.call = nil
 	s.result = nil
 	s.mux.Unlock()
 }
 func NewSingle[T any](wait time.Duration) *Single[T] {
--- a/common/singledo/singledo_test.go
+++ b/common/singledo/singledo_test.go
@@ -11,12 +11,13 @@ import (
 )
 func TestBasic(t *testing.T) {
-	single := NewSingle[int](time.Millisecond * 30)
+	t.Parallel()
 	single := NewSingle[int](time.Millisecond * 200)
 	foo := 0
 	shardCount := atomic.NewInt32(0)
 	call := func() (int, error) {
 		foo++
-		time.Sleep(time.Millisecond * 5)
+		time.Sleep(time.Millisecond * 20)
 		return 0, nil
 	}
@@ -39,7 +40,8 @@ func TestBasic(t *testing.T) {
 }
 func TestTimer(t *testing.T) {
-	single := NewSingle[int](time.Millisecond * 30)
+	t.Parallel()
 	single := NewSingle[int](time.Millisecond * 200)
 	foo := 0
 	callM := func() (int, error) {
 		foo++
@@ -47,7 +49,7 @@ func TestTimer(t *testing.T) {
 	}
 	_, _, _ = single.Do(callM)
-	time.Sleep(10 * time.Millisecond)
+	time.Sleep(100 * time.Millisecond)
 	_, _, shard := single.Do(callM)
 	assert.Equal(t, 1, foo)
@@ -55,7 +57,8 @@ func TestTimer(t *testing.T) {
 }
 func TestReset(t *testing.T) {
-	single := NewSingle[int](time.Millisecond * 30)
+	t.Parallel()
 	single := NewSingle[int](time.Millisecond * 200)
 	foo := 0
 	callM := func() (int, error) {
 		foo++
--- a/common/utils/ranges.go
+++ b/common/utils/ranges.go
@@ -3,6 +3,7 @@ package utils
 import (
 	"errors"
 	"fmt"
 	"sort"
 	"strconv"
 	"strings"
@@ -139,10 +140,34 @@ func (ranges IntRanges[T]) Range(f func(t T) bool) {
 	}
 	for _, r := range ranges {
-		for i := r.Start(); i <= r.End(); i++ {
+		for i := r.Start(); i <= r.End() && i >= r.Start(); i++ {
 			if !f(i) {
 				return
 			}
 			if i+1 < i { // integer overflow
 				break
 			}
 		}
 	}
 }
 func (ranges IntRanges[T]) Merge() (mergedRanges IntRanges[T]) {
 	if len(ranges) == 0 {
 		return
 	}
 	sort.Slice(ranges, func(i, j int) bool {
 		return ranges[i].Start() < ranges[j].Start()
 	})
 	mergedRanges = ranges[:1]
 	var rangeIndex int
 	for _, r := range ranges[1:] {
 		if mergedRanges[rangeIndex].End()+1 > mergedRanges[rangeIndex].End() && // integer overflow
 			r.Start() > mergedRanges[rangeIndex].End()+1 {
 			mergedRanges = append(mergedRanges, r)
 			rangeIndex++
 		} else if r.End() > mergedRanges[rangeIndex].End() {
 			mergedRanges[rangeIndex].end = r.End()
 		}
 	}
 	return
 }
--- a/common/utils/ranges_test.go
+++ b/common/utils/ranges_test.go
@@ -0,0 +1,82 @@
 package utils
 import (
 	"github.com/stretchr/testify/assert"
 	"testing"
 )
 func TestMergeRanges(t *testing.T) {
 	t.Parallel()
 	for _, testRange := range []struct {
 		ranges   IntRanges[uint16]
 		expected IntRanges[uint16]
 	}{
 		{
 			ranges: IntRanges[uint16]{
 				NewRange[uint16](0, 1),
 				NewRange[uint16](1, 2),
 			},
 			expected: IntRanges[uint16]{
 				NewRange[uint16](0, 2),
 			},
 		},
 		{
 			ranges: IntRanges[uint16]{
 				NewRange[uint16](0, 3),
 				NewRange[uint16](5, 7),
 				NewRange[uint16](8, 9),
 				NewRange[uint16](10, 10),
 			},
 			expected: IntRanges[uint16]{
 				NewRange[uint16](0, 3),
 				NewRange[uint16](5, 10),
 			},
 		},
 		{
 			ranges: IntRanges[uint16]{
 				NewRange[uint16](1, 3),
 				NewRange[uint16](2, 6),
 				NewRange[uint16](8, 10),
 				NewRange[uint16](15, 18),
 			},
 			expected: IntRanges[uint16]{
 				NewRange[uint16](1, 6),
 				NewRange[uint16](8, 10),
 				NewRange[uint16](15, 18),
 			},
 		},
 		{
 			ranges: IntRanges[uint16]{
 				NewRange[uint16](1, 3),
 				NewRange[uint16](2, 7),
 				NewRange[uint16](2, 6),
 			},
 			expected: IntRanges[uint16]{
 				NewRange[uint16](1, 7),
 			},
 		},
 		{
 			ranges: IntRanges[uint16]{
 				NewRange[uint16](1, 3),
 				NewRange[uint16](2, 6),
 				NewRange[uint16](2, 7),
 			},
 			expected: IntRanges[uint16]{
 				NewRange[uint16](1, 7),
 			},
 		},
 		{
 			ranges: IntRanges[uint16]{
 				NewRange[uint16](1, 3),
 				NewRange[uint16](2, 65535),
 				NewRange[uint16](2, 7),
 				NewRange[uint16](3, 16),
 			},
 			expected: IntRanges[uint16]{
 				NewRange[uint16](1, 65535),
 			},
 		},
 	} {
 		assert.Equal(t, testRange.expected, testRange.ranges.Merge())
 	}
 }
--- a/common/utils/slice.go
+++ b/common/utils/slice.go
@@ -16,6 +16,17 @@ func Filter[T comparable](tSlice []T, filter func(t T) bool) []T {
 	return result
 }
 func Map[T any, N any](arr []T, block func(it T) N) []N {
 	if arr == nil { // keep nil
 		return nil
 	}
 	retArr := make([]N, 0, len(arr))
 	for index := range arr {
 		retArr = append(retArr, block(arr[index]))
 	}
 	return retArr
 }
 func ToStringSlice(value any) ([]string, error) {
 	strArr := make([]string, 0)
 	switch reflect.TypeOf(value).Kind() {
--- a/component/ca/config.go
+++ b/component/ca/config.go
@@ -1,17 +1,13 @@
 package ca
 import (
 	"bytes"
 	"crypto/sha256"
 	"crypto/tls"
 	"crypto/x509"
 	_ "embed"
 	"encoding/hex"
 	"errors"
 	"fmt"
 	"os"
 	"strconv"
 	"strings"
 	"sync"
 	C "github.com/metacubex/mihomo/constant"
@@ -81,45 +77,15 @@ func getCertPool() *x509.CertPool {
 	return globalCertPool
 }
-func verifyFingerprint(fingerprint *[32]byte) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+func GetCertPool(customCA string, customCAString string) (*x509.CertPool, error) {
 	return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
 		// ssl pining
 		for i := range rawCerts {
 			rawCert := rawCerts[i]
 			cert, err := x509.ParseCertificate(rawCert)
 			if err == nil {
 				hash := sha256.Sum256(cert.Raw)
 				if bytes.Equal(fingerprint[:], hash[:]) {
 					return nil
 				}
 			}
 		}
 		return errNotMatch
 	}
 }
 func convertFingerprint(fingerprint string) (*[32]byte, error) {
 	fingerprint = strings.TrimSpace(strings.Replace(fingerprint, ":", "", -1))
 	fpByte, err := hex.DecodeString(fingerprint)
 	if err != nil {
 		return nil, err
 	}
 	if len(fpByte) != 32 {
 		return nil, fmt.Errorf("fingerprint string length error,need sha256 fingerprint")
 	}
 	return (*[32]byte)(fpByte), nil
 }
 // GetTLSConfig specified fingerprint, customCA and customCAString
 func GetTLSConfig(tlsConfig *tls.Config, fingerprint string, customCA string, customCAString string) (*tls.Config, error) {
 	if tlsConfig == nil {
 		tlsConfig = &tls.Config{}
 	}
 	var certificate []byte
 	var err error
 	if len(customCA) > 0 {
-		certificate, err = os.ReadFile(C.Path.Resolve(customCA))
+		path := C.Path.Resolve(customCA)
 		if !C.Path.IsSafePath(path) {
 			return nil, C.Path.ErrNotSafePath(path)
 		}
 		certificate, err = os.ReadFile(path)
 		if err != nil {
 			return nil, fmt.Errorf("load ca error: %w", err)
 		}
@@ -131,18 +97,27 @@ func GetTLSConfig(tlsConfig *tls.Config, fingerprint string, customCA string, cu
 		if !certPool.AppendCertsFromPEM(certificate) {
 			return nil, fmt.Errorf("failed to parse certificate:\n\n %s", certificate)
 		}
-		tlsConfig.RootCAs = certPool
+		return certPool, nil
 	} else {
-		tlsConfig.RootCAs = getCertPool()
+		return getCertPool(), nil
 	}
 }
 // GetTLSConfig specified fingerprint, customCA and customCAString
 func GetTLSConfig(tlsConfig *tls.Config, fingerprint string, customCA string, customCAString string) (_ *tls.Config, err error) {
 	if tlsConfig == nil {
 		tlsConfig = &tls.Config{}
 	}
 	tlsConfig.RootCAs, err = GetCertPool(customCA, customCAString)
 	if err != nil {
 		return nil, err
 	}
 	if len(fingerprint) > 0 {
-		var fingerprintBytes *[32]byte
+		tlsConfig.VerifyPeerCertificate, err = NewFingerprintVerifier(fingerprint)
 		fingerprintBytes, err = convertFingerprint(fingerprint)
 		if err != nil {
 			return nil, err
 		}
 		tlsConfig = GetGlobalTLSConfig(tlsConfig)
 		tlsConfig.VerifyPeerCertificate = verifyFingerprint(fingerprintBytes)
 		tlsConfig.InsecureSkipVerify = true
 	}
 	return tlsConfig, nil
--- a/component/ca/fingerprint.go
+++ b/component/ca/fingerprint.go
@@ -0,0 +1,44 @@
 package ca
 import (
 	"bytes"
 	"crypto/sha256"
 	"crypto/x509"
 	"encoding/hex"
 	"fmt"
 	"strings"
 )
 // NewFingerprintVerifier returns a function that verifies whether a certificate's SHA-256 fingerprint matches the given one.
 func NewFingerprintVerifier(fingerprint string) (func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error, error) {
 	switch fingerprint {
 	case "chrome", "firefox", "safari", "ios", "android", "edge", "360", "qq", "random", "randomized": // WTF???
 		return nil, fmt.Errorf("`fingerprint` is used for TLS certificate pinning. If you need to specify the browser fingerprint, use `client-fingerprint`")
 	}
 	fingerprint = strings.TrimSpace(strings.Replace(fingerprint, ":", "", -1))
 	fpByte, err := hex.DecodeString(fingerprint)
 	if err != nil {
 		return nil, fmt.Errorf("fingerprint string decode error: %w", err)
 	}
 	if len(fpByte) != 32 {
 		return nil, fmt.Errorf("fingerprint string length error,need sha256 fingerprint")
 	}
 	return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
 		// ssl pining
 		for _, rawCert := range rawCerts {
 			hash := sha256.Sum256(rawCert)
 			if bytes.Equal(fpByte, hash[:]) {
 				return nil
 			}
 		}
 		return errNotMatch
 	}, nil
 }
 // CalculateFingerprint computes the SHA-256 fingerprint of the given DER-encoded certificate and returns it as a hex string.
 func CalculateFingerprint(certDER []byte) string {
 	hash := sha256.Sum256(certDER)
 	return hex.EncodeToString(hash[:])
 }
--- a/component/ca/keypair.go
+++ b/component/ca/keypair.go
@@ -0,0 +1,101 @@
 package ca
 import (
 	"crypto"
 	"crypto/ecdsa"
 	"crypto/ed25519"
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/pem"
 	"fmt"
 	"math/big"
 )
 type Path interface {
 	Resolve(path string) string
 	IsSafePath(path string) bool
 	ErrNotSafePath(path string) error
 }
 // LoadTLSKeyPair loads a TLS key pair from the provided certificate and private key data or file paths, supporting fallback resolution.
 // Returns a tls.Certificate and an error, where the error indicates issues during parsing or file loading.
 // If both certificate and privateKey are empty, generates a random TLS RSA key pair.
 // Accepts a Path interface for resolving file paths when necessary.
 func LoadTLSKeyPair(certificate, privateKey string, path Path) (tls.Certificate, error) {
 	if certificate == "" && privateKey == "" {
 		var err error
 		certificate, privateKey, _, err = NewRandomTLSKeyPair(KeyPairTypeRSA)
 		if err != nil {
 			return tls.Certificate{}, err
 		}
 	}
 	cert, painTextErr := tls.X509KeyPair([]byte(certificate), []byte(privateKey))
 	if painTextErr == nil {
 		return cert, nil
 	}
 	if path == nil {
 		return tls.Certificate{}, painTextErr
 	}
 	certificate = path.Resolve(certificate)
 	privateKey = path.Resolve(privateKey)
 	var loadErr error
 	if !path.IsSafePath(certificate) {
 		loadErr = path.ErrNotSafePath(certificate)
 	} else if !path.IsSafePath(privateKey) {
 		loadErr = path.ErrNotSafePath(privateKey)
 	} else {
 		cert, loadErr = tls.LoadX509KeyPair(certificate, privateKey)
 	}
 	if loadErr != nil {
 		return tls.Certificate{}, fmt.Errorf("parse certificate failed, maybe format error:%s, or path error: %s", painTextErr.Error(), loadErr.Error())
 	}
 	return cert, nil
 }
 type KeyPairType string
 const (
 	KeyPairTypeRSA     KeyPairType = "rsa"
 	KeyPairTypeP256    KeyPairType = "p256"
 	KeyPairTypeP384    KeyPairType = "p384"
 	KeyPairTypeEd25519 KeyPairType = "ed25519"
 )
 // NewRandomTLSKeyPair generates a random TLS key pair based on the specified KeyPairType and returns it with a SHA256 fingerprint.
 // Note: Most browsers do not support KeyPairTypeEd25519 type of certificate, and utls.UConn will also reject this type of certificate.
 func NewRandomTLSKeyPair(keyPairType KeyPairType) (certificate string, privateKey string, fingerprint string, err error) {
 	var key crypto.Signer
 	switch keyPairType {
 	case KeyPairTypeRSA:
 		key, err = rsa.GenerateKey(rand.Reader, 2048)
 	case KeyPairTypeP256:
 		key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	case KeyPairTypeP384:
 		key, err = ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
 	case KeyPairTypeEd25519:
 		_, key, err = ed25519.GenerateKey(rand.Reader)
 	default: // fallback to KeyPairTypeRSA
 		key, err = rsa.GenerateKey(rand.Reader, 2048)
 	}
 	if err != nil {
 		return
 	}
 	template := x509.Certificate{SerialNumber: big.NewInt(1)}
 	certDER, err := x509.CreateCertificate(rand.Reader, &template, &template, key.Public(), key)
 	if err != nil {
 		return
 	}
 	privBytes, err := x509.MarshalPKCS8PrivateKey(key)
 	if err != nil {
 		return
 	}
 	fingerprint = CalculateFingerprint(certDER)
 	privateKey = string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: privBytes}))
 	certificate = string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER}))
 	return
 }
--- a/component/dhcp/dhcp.go
+++ b/component/dhcp/dhcp.go
@@ -6,7 +6,6 @@ import (
 	"net"
 	"net/netip"
 	"github.com/metacubex/mihomo/common/nnip"
 	"github.com/metacubex/mihomo/component/iface"
 	"github.com/insomniacslk/dhcp/dhcpv4"
@@ -86,12 +85,14 @@ func receiveOffer(conn net.PacketConn, id dhcpv4.TransactionID, result chan<- []
 			return
 		}
-		dnsAddr := make([]netip.Addr, l)
+		results := make([]netip.Addr, 0, len(dns))
-		for i := 0; i < l; i++ {
+		for _, ip := range dns {
-			dnsAddr[i] = nnip.IpToAddr(dns[i])
+			if addr, ok := netip.AddrFromSlice(ip); ok {
 				results = append(results, addr.Unmap())
 			}
 		}
-		result <- dnsAddr
+		result <- results
 		return
 	}
--- a/component/dialer/dialer.go
+++ b/component/dialer/dialer.go
@@ -7,14 +7,12 @@ import (
 	"net"
 	"net/netip"
 	"os"
 	"strconv"
 	"strings"
 	"sync"
 	"time"
 	"github.com/metacubex/mihomo/component/keepalive"
 	"github.com/metacubex/mihomo/component/resolver"
 	"github.com/metacubex/mihomo/log"
 )
 const (
@@ -22,34 +20,16 @@ const (
 	DefaultUDPTimeout = DefaultTCPTimeout
 )
-type dialFunc func(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error)
+type dialFunc func(ctx context.Context, network string, ips []netip.Addr, port string, opt option) (net.Conn, error)
 var (
 	dialMux                      sync.Mutex
 	IP4PEnable                   bool
 	actualSingleStackDialContext = serialSingleStackDialContext
 	actualDualStackDialContext   = serialDualStackDialContext
 	tcpConcurrent                = false
 	fallbackTimeout              = 300 * time.Millisecond
 )
 func applyOptions(options ...Option) *option {
 	opt := &option{
 		interfaceName: DefaultInterface.Load(),
 		routingMark:   int(DefaultRoutingMark.Load()),
 	}
 	for _, o := range DefaultOptions {
 		o(opt)
 	}
 	for _, o := range options {
 		o(opt)
 	}
 	return opt
 }
 func DialContext(ctx context.Context, network, address string, options ...Option) (net.Conn, error) {
 	opt := applyOptions(options...)
@@ -79,28 +59,43 @@ func DialContext(ctx context.Context, network, address string, options ...Option
 }
 func ListenPacket(ctx context.Context, network, address string, rAddrPort netip.AddrPort, options ...Option) (net.PacketConn, error) {
-	cfg := applyOptions(options...)
+	opt := applyOptions(options...)
 	lc := &net.ListenConfig{}
-	if cfg.addrReuse {
+	if opt.addrReuse {
 		addrReuseToListenConfig(lc)
 	}
 	if DefaultSocketHook != nil { // ignore interfaceName, routingMark when DefaultSocketHook not null (in CMFA)
 		socketHookToListenConfig(lc)
 	} else {
-		if cfg.interfaceName != "" {
+		if opt.interfaceName == "" {
 			opt.interfaceName = DefaultInterface.Load()
 		}
 		if opt.interfaceName == "" {
 			if finder := DefaultInterfaceFinder.Load(); finder != nil {
 				opt.interfaceName = finder.FindInterfaceName(rAddrPort.Addr().Unmap())
 			}
 		}
 		if rAddrPort.Addr().Unmap().IsLoopback() {
 			// avoid "The requested address is not valid in its context."
 			opt.interfaceName = ""
 		}
 		if opt.interfaceName != "" {
 			bind := bindIfaceToListenConfig
-			if cfg.fallbackBind {
+			if opt.fallbackBind {
 				bind = fallbackBindIfaceToListenConfig
 			}
-			addr, err := bind(cfg.interfaceName, lc, network, address, rAddrPort)
+			addr, err := bind(opt.interfaceName, lc, network, address, rAddrPort)
 			if err != nil {
 				return nil, err
 			}
 			address = addr
 		}
-		if cfg.routingMark != 0 {
+		if opt.routingMark == 0 {
-			bindMarkToListenConfig(cfg.routingMark, lc, network, address)
+			opt.routingMark = int(DefaultRoutingMark.Load())
 		}
 		if opt.routingMark != 0 {
 			bindMarkToListenConfig(opt.routingMark, lc, network, address)
 		}
 	}
@@ -126,11 +121,9 @@ func GetTcpConcurrent() bool {
 	return tcpConcurrent
 }
-func dialContext(ctx context.Context, network string, destination netip.Addr, port string, opt *option) (net.Conn, error) {
+func dialContext(ctx context.Context, network string, destination netip.Addr, port string, opt option) (net.Conn, error) {
 	var address string
-	if IP4PEnable {
+	destination, port = resolver.LookupIP4P(destination, port)
 		destination, port = lookupIP4P(destination, port)
 	}
 	address = net.JoinHostPort(destination.String(), port)
 	netDialer := opt.netDialer
@@ -153,6 +146,14 @@ func dialContext(ctx context.Context, network string, destination netip.Addr, po
 	if DefaultSocketHook != nil { // ignore interfaceName, routingMark and tfo when DefaultSocketHook not null (in CMFA)
 		socketHookToToDialer(dialer)
 	} else {
 		if opt.interfaceName == "" {
 			opt.interfaceName = DefaultInterface.Load()
 		}
 		if opt.interfaceName == "" {
 			if finder := DefaultInterfaceFinder.Load(); finder != nil {
 				opt.interfaceName = finder.FindInterfaceName(destination)
 			}
 		}
 		if opt.interfaceName != "" {
 			bind := bindIfaceToDialer
 			if opt.fallbackBind {
@@ -162,6 +163,9 @@ func dialContext(ctx context.Context, network string, destination netip.Addr, po
 				return nil, err
 			}
 		}
 		if opt.routingMark == 0 {
 			opt.routingMark = int(DefaultRoutingMark.Load())
 		}
 		if opt.routingMark != 0 {
 			bindMarkToDialer(opt.routingMark, dialer, network, destination)
 		}
@@ -173,26 +177,26 @@ func dialContext(ctx context.Context, network string, destination netip.Addr, po
 	return dialer.DialContext(ctx, network, address)
 }
-func serialSingleStackDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
+func serialSingleStackDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt option) (net.Conn, error) {
 	return serialDialContext(ctx, network, ips, port, opt)
 }
-func serialDualStackDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
+func serialDualStackDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt option) (net.Conn, error) {
 	return dualStackDialContext(ctx, serialDialContext, network, ips, port, opt)
 }
-func concurrentSingleStackDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
+func concurrentSingleStackDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt option) (net.Conn, error) {
 	return parallelDialContext(ctx, network, ips, port, opt)
 }
-func concurrentDualStackDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
+func concurrentDualStackDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt option) (net.Conn, error) {
 	if opt.prefer != 4 && opt.prefer != 6 {
 		return parallelDialContext(ctx, network, ips, port, opt)
 	}
 	return dualStackDialContext(ctx, parallelDialContext, network, ips, port, opt)
 }
-func dualStackDialContext(ctx context.Context, dialFn dialFunc, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
+func dualStackDialContext(ctx context.Context, dialFn dialFunc, network string, ips []netip.Addr, port string, opt option) (net.Conn, error) {
 	ipv4s, ipv6s := resolver.SortationAddr(ips)
 	if len(ipv4s) == 0 && len(ipv6s) == 0 {
 		return nil, ErrorNoIpAddress
@@ -273,7 +277,7 @@ loop:
 	return nil, errors.Join(errs...)
 }
-func parallelDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
+func parallelDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt option) (net.Conn, error) {
 	if len(ips) == 0 {
 		return nil, ErrorNoIpAddress
 	}
@@ -312,7 +316,7 @@ func parallelDialContext(ctx context.Context, network string, ips []netip.Addr,
 	return nil, os.ErrDeadlineExceeded
 }
-func serialDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
+func serialDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt option) (net.Conn, error) {
 	if len(ips) == 0 {
 		return nil, ErrorNoIpAddress
 	}
@@ -373,33 +377,10 @@ func (d Dialer) DialContext(ctx context.Context, network, address string) (net.C
 }
 func (d Dialer) ListenPacket(ctx context.Context, network, address string, rAddrPort netip.AddrPort) (net.PacketConn, error) {
-	opt := d.Opt // make a copy
+	return ListenPacket(ctx, ParseNetwork(network, rAddrPort.Addr()), address, rAddrPort, WithOption(d.Opt))
 	if rAddrPort.Addr().Unmap().IsLoopback() {
 		// avoid "The requested address is not valid in its context."
 		WithInterface("")(&opt)
 	}
 	return ListenPacket(ctx, ParseNetwork(network, rAddrPort.Addr()), address, rAddrPort, WithOption(opt))
 }
 func NewDialer(options ...Option) Dialer {
 	opt := applyOptions(options...)
-	return Dialer{Opt: *opt}
+	return Dialer{Opt: opt}
 }
 func GetIP4PEnable(enableIP4PConvert bool) {
 	IP4PEnable = enableIP4PConvert
 }
 // kanged from https://github.com/heiher/frp/blob/ip4p/client/ip4p.go
 func lookupIP4P(addr netip.Addr, port string) (netip.Addr, string) {
 	ip := addr.AsSlice()
 	if ip[0] == 0x20 && ip[1] == 0x01 &&
 		ip[2] == 0x00 && ip[3] == 0x00 {
 		addr = netip.AddrFrom4([4]byte{ip[12], ip[13], ip[14], ip[15]})
 		port = strconv.Itoa(int(ip[10])<<8 + int(ip[11]))
 		log.Debugln("Convert IP4P address %s to %s", ip, net.JoinHostPort(addr.String(), port))
 		return addr, port
 	}
 	return addr, port
 }
--- a/component/dialer/options.go
+++ b/component/dialer/options.go
@@ -3,17 +3,23 @@ package dialer
 import (
 	"context"
 	"net"
 	"net/netip"
 	"github.com/metacubex/mihomo/common/atomic"
 	"github.com/metacubex/mihomo/component/resolver"
 )
 var (
 	DefaultOptions     []Option
 	DefaultInterface   = atomic.NewTypedValue[string]("")
 	DefaultRoutingMark = atomic.NewInt32(0)
 	DefaultInterfaceFinder = atomic.NewTypedValue[InterfaceFinder](nil)
 )
 type InterfaceFinder interface {
 	FindInterfaceName(destination netip.Addr) string
 }
 type NetDialer interface {
 	DialContext(ctx context.Context, network, address string) (net.Conn, error)
 }
@@ -108,3 +114,15 @@ func WithOption(o option) Option {
 		*opt = o
 	}
 }
 func IsZeroOptions(opts []Option) bool {
 	return applyOptions(opts...) == option{}
 }
 func applyOptions(options ...Option) option {
 	opt := option{}
 	for _, o := range options {
 		o(&opt)
 	}
 	return opt
 }
--- a/component/ech/ech.go
+++ b/component/ech/ech.go
@@ -0,0 +1,31 @@
 package ech
 import (
 	"context"
 	"fmt"
 	tlsC "github.com/metacubex/mihomo/component/tls"
 )
 type Config struct {
 	GetEncryptedClientHelloConfigList func(ctx context.Context, serverName string) ([]byte, error)
 }
 func (cfg *Config) ClientHandle(ctx context.Context, tlsConfig *tlsC.Config) (err error) {
 	if cfg == nil {
 		return nil
 	}
 	echConfigList, err := cfg.GetEncryptedClientHelloConfigList(ctx, tlsConfig.ServerName)
 	if err != nil {
 		return fmt.Errorf("resolve ECH config error: %w", err)
 	}
 	tlsConfig.EncryptedClientHelloConfigList = echConfigList
 	if tlsConfig.MinVersion != 0 && tlsConfig.MinVersion < tlsC.VersionTLS13 {
 		tlsConfig.MinVersion = tlsC.VersionTLS13
 	}
 	if tlsConfig.MaxVersion != 0 && tlsConfig.MaxVersion < tlsC.VersionTLS13 {
 		tlsConfig.MaxVersion = tlsC.VersionTLS13
 	}
 	return nil
 }
--- a/component/ech/key.go
+++ b/component/ech/key.go
@@ -0,0 +1,143 @@
 package ech
 import (
 	"crypto/ecdh"
 	"crypto/rand"
 	"encoding/base64"
 	"encoding/pem"
 	"errors"
 	"fmt"
 	"os"
 	"github.com/metacubex/mihomo/component/ca"
 	tlsC "github.com/metacubex/mihomo/component/tls"
 	"golang.org/x/crypto/cryptobyte"
 )
 const (
 	AEAD_AES_128_GCM      = 0x0001
 	AEAD_AES_256_GCM      = 0x0002
 	AEAD_ChaCha20Poly1305 = 0x0003
 )
 const extensionEncryptedClientHello = 0xfe0d
 const DHKEM_X25519_HKDF_SHA256 = 0x0020
 const KDF_HKDF_SHA256 = 0x0001
 // sortedSupportedAEADs is just a sorted version of hpke.SupportedAEADS.
 // We need this so that when we insert them into ECHConfigs the ordering
 // is stable.
 var sortedSupportedAEADs = []uint16{AEAD_AES_128_GCM, AEAD_AES_256_GCM, AEAD_ChaCha20Poly1305}
 func marshalECHConfig(id uint8, pubKey []byte, publicName string, maxNameLen uint8) []byte {
 	builder := cryptobyte.NewBuilder(nil)
 	builder.AddUint16(extensionEncryptedClientHello)
 	builder.AddUint16LengthPrefixed(func(builder *cryptobyte.Builder) {
 		builder.AddUint8(id)
 		builder.AddUint16(DHKEM_X25519_HKDF_SHA256) // The only DHKEM we support
 		builder.AddUint16LengthPrefixed(func(builder *cryptobyte.Builder) {
 			builder.AddBytes(pubKey)
 		})
 		builder.AddUint16LengthPrefixed(func(builder *cryptobyte.Builder) {
 			for _, aeadID := range sortedSupportedAEADs {
 				builder.AddUint16(KDF_HKDF_SHA256) // The only KDF we support
 				builder.AddUint16(aeadID)
 			}
 		})
 		builder.AddUint8(maxNameLen)
 		builder.AddUint8LengthPrefixed(func(builder *cryptobyte.Builder) {
 			builder.AddBytes([]byte(publicName))
 		})
 		builder.AddUint16(0) // extensions
 	})
 	return builder.BytesOrPanic()
 }
 func GenECHConfig(publicName string) (configBase64 string, keyPem string, err error) {
 	echKey, err := ecdh.X25519().GenerateKey(rand.Reader)
 	if err != nil {
 		return
 	}
 	echConfig := marshalECHConfig(0, echKey.PublicKey().Bytes(), publicName, 0)
 	builder := cryptobyte.NewBuilder(nil)
 	builder.AddUint16LengthPrefixed(func(builder *cryptobyte.Builder) {
 		builder.AddBytes(echConfig)
 	})
 	echConfigList := builder.BytesOrPanic()
 	builder2 := cryptobyte.NewBuilder(nil)
 	builder2.AddUint16LengthPrefixed(func(builder *cryptobyte.Builder) {
 		builder.AddBytes(echKey.Bytes())
 	})
 	builder2.AddUint16LengthPrefixed(func(builder *cryptobyte.Builder) {
 		builder.AddBytes(echConfig)
 	})
 	echConfigKeys := builder2.BytesOrPanic()
 	configBase64 = base64.StdEncoding.EncodeToString(echConfigList)
 	keyPem = string(pem.EncodeToMemory(&pem.Block{Type: "ECH KEYS", Bytes: echConfigKeys}))
 	return
 }
 func UnmarshalECHKeys(raw []byte) ([]tlsC.EncryptedClientHelloKey, error) {
 	var keys []tlsC.EncryptedClientHelloKey
 	rawString := cryptobyte.String(raw)
 	for !rawString.Empty() {
 		var key tlsC.EncryptedClientHelloKey
 		if !rawString.ReadUint16LengthPrefixed((*cryptobyte.String)(&key.PrivateKey)) {
 			return nil, errors.New("error parsing private key")
 		}
 		if !rawString.ReadUint16LengthPrefixed((*cryptobyte.String)(&key.Config)) {
 			return nil, errors.New("error parsing config")
 		}
 		keys = append(keys, key)
 	}
 	if len(keys) == 0 {
 		return nil, errors.New("empty ECH keys")
 	}
 	return keys, nil
 }
 func LoadECHKey(key string, tlsConfig *tlsC.Config, path ca.Path) error {
 	if key == "" {
 		return nil
 	}
 	painTextErr := loadECHKey([]byte(key), tlsConfig)
 	if painTextErr == nil {
 		return nil
 	}
 	key = path.Resolve(key)
 	var loadErr error
 	if !path.IsSafePath(key) {
 		loadErr = path.ErrNotSafePath(key)
 	} else {
 		var echKey []byte
 		echKey, loadErr = os.ReadFile(key)
 		if loadErr == nil {
 			loadErr = loadECHKey(echKey, tlsConfig)
 		}
 	}
 	if loadErr != nil {
 		return fmt.Errorf("parse ECH keys failed, maybe format error:%s, or path error: %s", painTextErr.Error(), loadErr.Error())
 	}
 	return nil
 }
 func loadECHKey(echKey []byte, tlsConfig *tlsC.Config) error {
 	block, rest := pem.Decode(echKey)
 	if block == nil || block.Type != "ECH KEYS" || len(rest) > 0 {
 		return errors.New("invalid ECH keys pem")
 	}
 	echKeys, err := UnmarshalECHKeys(block.Bytes)
 	if err != nil {
 		return fmt.Errorf("parse ECH keys: %w", err)
 	}
 	tlsConfig.EncryptedClientHelloKeys = echKeys
 	return nil
 }
--- a/component/fakeip/pool.go
+++ b/component/fakeip/pool.go
@@ -6,9 +6,10 @@ import (
 	"strings"
 	"sync"
 	"github.com/metacubex/mihomo/common/nnip"
 	"github.com/metacubex/mihomo/component/profile/cachefile"
 	C "github.com/metacubex/mihomo/constant"
 	"go4.org/netipx"
 )
 const (
@@ -183,7 +184,7 @@ func New(options Options) (*Pool, error) {
 		hostAddr = options.IPNet.Masked().Addr()
 		gateway  = hostAddr.Next()
 		first    = gateway.Next().Next().Next() // default start with 198.18.0.4
-		last     = nnip.UnMasked(options.IPNet)
+		last     = netipx.PrefixLastIP(options.IPNet)
 	)
 	if !options.IPNet.IsValid() || !first.IsValid() || !first.Less(last) {
--- a/component/generater/cmd.go
+++ b/component/generater/cmd.go
@@ -4,12 +4,14 @@ import (
 	"encoding/base64"
 	"fmt"
 	"github.com/metacubex/mihomo/component/ech"
 	"github.com/gofrs/uuid/v5"
 )
 func Main(args []string) {
 	if len(args) < 1 {
-		panic("Using: generate uuid/reality-keypair/wg-keypair")
+		panic("Using: generate uuid/reality-keypair/wg-keypair/ech-keypair")
 	}
 	switch args[0] {
 	case "uuid":
@@ -33,5 +35,15 @@ func Main(args []string) {
 		}
 		fmt.Println("PrivateKey: " + privateKey.String())
 		fmt.Println("PublicKey: " + privateKey.PublicKey().String())
 	case "ech-keypair":
 		if len(args) < 2 {
 			panic("Using: generate ech-keypair <plain_server_name>")
 		}
 		configBase64, keyPem, err := ech.GenECHConfig(args[1])
 		if err != nil {
 			panic(err)
 		}
 		fmt.Println("Config:", configBase64)
 		fmt.Println("Key:", keyPem)
 	}
 }
--- a/component/http/http.go
+++ b/component/http/http.go
@@ -69,7 +69,7 @@ func HttpRequestWithProxy(ctx context.Context, url, method string, header map[st
 		TLSHandshakeTimeout:   10 * time.Second,
 		ExpectContinueTimeout: 1 * time.Second,
 		DialContext: func(ctx context.Context, network, address string) (net.Conn, error) {
-			if conn, err := inner.HandleTcp(address, specialProxy); err == nil {
+			if conn, err := inner.HandleTcp(inner.GetTunnel(), address, specialProxy); err == nil {
 				return conn, nil
 			} else {
 				return dialer.DialContext(ctx, network, address)
--- a/component/iface/iface.go
+++ b/component/iface/iface.go
@@ -7,15 +7,17 @@ import (
 	"time"
 	"github.com/metacubex/mihomo/common/singledo"
 	"github.com/metacubex/bart"
 )
 type Interface struct {
 	Index        int
 	MTU          int
 	Name         string
 	Addresses    []netip.Prefix
 	HardwareAddr net.HardwareAddr
 	Flags        net.Flags
 	Addresses    []netip.Prefix
 }
 var (
@@ -23,16 +25,25 @@ var (
 	ErrAddrNotFound  = errors.New("addr not found")
 )
-var interfaces = singledo.NewSingle[map[string]*Interface](time.Second * 20)
+type ifaceCache struct {
 	ifMapByName map[string]*Interface
 	ifMapByAddr map[netip.Addr]*Interface
 	ifTable     bart.Table[*Interface]
 }
-func Interfaces() (map[string]*Interface, error) {
+var caches = singledo.NewSingle[*ifaceCache](time.Second * 20)
-	value, err, _ := interfaces.Do(func() (map[string]*Interface, error) {
+
 func getCache() (*ifaceCache, error) {
 	value, err, _ := caches.Do(func() (*ifaceCache, error) {
 		ifaces, err := net.Interfaces()
 		if err != nil {
 			return nil, err
 		}
-		r := map[string]*Interface{}
+		cache := &ifaceCache{
 			ifMapByName: make(map[string]*Interface),
 			ifMapByAddr: make(map[netip.Addr]*Interface),
 		}
 		for _, iface := range ifaces {
 			addrs, err := iface.Addrs()
@@ -61,21 +72,38 @@ func Interfaces() (map[string]*Interface, error) {
 				}
 			}
-			r[iface.Name] = &Interface{
+			ifaceObj := &Interface{
 				Index:        iface.Index,
 				MTU:          iface.MTU,
 				Name:         iface.Name,
 				Addresses:    ipNets,
 				HardwareAddr: iface.HardwareAddr,
 				Flags:        iface.Flags,
 				Addresses:    ipNets,
 			}
 			cache.ifMapByName[iface.Name] = ifaceObj
 			if iface.Flags&net.FlagUp == 0 {
 				continue // interface down
 			}
 			for _, prefix := range ipNets {
 				cache.ifMapByAddr[prefix.Addr()] = ifaceObj
 				cache.ifTable.Insert(prefix, ifaceObj)
 			}
 		}
-		return r, nil
+		return cache, nil
 	})
 	return value, err
 }
 func Interfaces() (map[string]*Interface, error) {
 	cache, err := getCache()
 	if err != nil {
 		return nil, err
 	}
 	return cache.ifMapByName, nil
 }
 func ResolveInterface(name string) (*Interface, error) {
 	ifaces, err := Interfaces()
 	if err != nil {
@@ -90,23 +118,35 @@ func ResolveInterface(name string) (*Interface, error) {
 	return iface, nil
 }
-func IsLocalIp(ip netip.Addr) (bool, error) {
+func ResolveInterfaceByAddr(addr netip.Addr) (*Interface, error) {
-	ifaces, err := Interfaces()
+	cache, err := getCache()
 	if err != nil {
 		return nil, err
 	}
 	// maybe two interfaces have the same prefix but different address
 	// so direct check address equal before do a route lookup (longest prefix match)
 	if iface, ok := cache.ifMapByAddr[addr]; ok {
 		return iface, nil
 	}
 	iface, ok := cache.ifTable.Lookup(addr)
 	if !ok {
 		return nil, ErrIfaceNotFound
 	}
 	return iface, nil
 }
 func IsLocalIp(addr netip.Addr) (bool, error) {
 	cache, err := getCache()
 	if err != nil {
 		return false, err
 	}
-	for _, iface := range ifaces {
+	_, ok := cache.ifMapByAddr[addr]
-		for _, addr := range iface.Addresses {
+	return ok, nil
 			if addr.Contains(ip) {
 				return true, nil
 			}
 		}
 	}
 	return false, nil
 }
 func FlushCache() {
-	interfaces.Reset()
+	caches.Reset()
 }
 func (iface *Interface) PickIPv4Addr(destination netip.Addr) (netip.Prefix, error) {
--- a/component/keepalive/tcp_keepalive.go
+++ b/component/keepalive/tcp_keepalive.go
@@ -59,7 +59,7 @@ func SetNetListenConfig(lc *net.ListenConfig) {
 }
 func TCPKeepAlive(c net.Conn) {
-	if tcp, ok := c.(*net.TCPConn); ok && tcp != nil {
+	if tcp, ok := c.(TCPConn); ok && tcp != nil {
 		tcpKeepAlive(tcp)
 	}
 }
--- a/component/keepalive/tcp_keepalive_go122.go
+++ b/component/keepalive/tcp_keepalive_go122.go
@@ -2,9 +2,18 @@
 package keepalive
-import "net"
+import (
 	"net"
 	"time"
 )
-func tcpKeepAlive(tcp *net.TCPConn) {
+type TCPConn interface {
 	net.Conn
 	SetKeepAlive(keepalive bool) error
 	SetKeepAlivePeriod(d time.Duration) error
 }
 func tcpKeepAlive(tcp TCPConn) {
 	if DisableKeepAlive() {
 		_ = tcp.SetKeepAlive(false)
 	} else {
--- a/component/keepalive/tcp_keepalive_go123.go
+++ b/component/keepalive/tcp_keepalive_go123.go
@@ -4,6 +4,12 @@ package keepalive
 import "net"
 type TCPConn interface {
 	net.Conn
 	SetKeepAlive(keepalive bool) error
 	SetKeepAliveConfig(config net.KeepAliveConfig) error
 }
 func keepAliveConfig() net.KeepAliveConfig {
 	config := net.KeepAliveConfig{
 		Enable:   true,
@@ -18,7 +24,7 @@ func keepAliveConfig() net.KeepAliveConfig {
 	return config
 }
-func tcpKeepAlive(tcp *net.TCPConn) {
+func tcpKeepAlive(tcp TCPConn) {
 	if DisableKeepAlive() {
 		_ = tcp.SetKeepAlive(false)
 	} else {
--- a/component/process/process_darwin.go
+++ b/component/process/process_darwin.go
@@ -87,6 +87,7 @@ func findProcessName(network string, ip netip.Addr, port int) (uint32, string, e
 		default:
 			continue
 		}
 		srcIP = srcIP.Unmap()
 		if ip == srcIP {
 			// xsocket_n.so_last_pid
--- a/component/process/process_freebsd_amd64.go
+++ b/component/process/process_freebsd_amd64.go
@@ -10,7 +10,6 @@ import (
 	"syscall"
 	"unsafe"
 	"github.com/metacubex/mihomo/common/nnip"
 	"github.com/metacubex/mihomo/log"
 )
@@ -136,13 +135,14 @@ func (s *searcher) Search(buf []byte, ip netip.Addr, port uint16, isTCP bool) (u
 		switch {
 		case flag&0x1 > 0 && isIPv4:
 			// ipv4
-			srcIP = nnip.IpToAddr(buf[inp+s.ip : inp+s.ip+4])
+			srcIP, _ = netip.AddrFromSlice(buf[inp+s.ip : inp+s.ip+4])
 		case flag&0x2 > 0 && !isIPv4:
 			// ipv6
-			srcIP = nnip.IpToAddr(buf[inp+s.ip-12 : inp+s.ip+4])
+			srcIP, _ = netip.AddrFromSlice(buf[inp+s.ip-12 : inp+s.ip+4])
 		default:
 			continue
 		}
 		srcIP = srcIP.Unmap()
 		if ip != srcIP {
 			continue
--- a/component/process/process_windows.go
+++ b/component/process/process_windows.go
@@ -7,7 +7,6 @@ import (
 	"syscall"
 	"unsafe"
 	"github.com/metacubex/mihomo/common/nnip"
 	"github.com/metacubex/mihomo/log"
 	"golang.org/x/sys/windows"
@@ -137,7 +136,8 @@ func (s *searcher) Search(b []byte, ip netip.Addr, port uint16) (uint32, error)
 			continue
 		}
-		srcIP := nnip.IpToAddr(row[s.ip : s.ip+s.ipSize])
+		srcIP, _ := netip.AddrFromSlice(row[s.ip : s.ip+s.ipSize])
 		srcIP = srcIP.Unmap()
 		// windows binds an unbound udp socket to 0.0.0.0/[::] while first sendto
 		if ip != srcIP && (!srcIP.IsUnspecified() || s.tcpState != -1) {
 			continue
--- a/component/proxydialer/proxydialer.go
+++ b/component/proxydialer/proxydialer.go
@@ -2,7 +2,6 @@ package proxydialer
 import (
 	"context"
 	"errors"
 	"fmt"
 	"net"
 	"net/netip"
@@ -10,7 +9,6 @@ import (
 	N "github.com/metacubex/mihomo/common/net"
 	"github.com/metacubex/mihomo/component/dialer"
 	"github.com/metacubex/mihomo/component/resolver"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/tunnel"
 	"github.com/metacubex/mihomo/tunnel/statistic"
@@ -40,23 +38,22 @@ func (p proxyDialer) DialContext(ctx context.Context, network, address string) (
 		return nil, err
 	}
 	if strings.Contains(network, "udp") { // using in wireguard outbound
 		if !currentMeta.Resolved() {
 			ip, err := resolver.ResolveIP(ctx, currentMeta.Host)
 			if err != nil {
 				return nil, errors.New("can't resolve ip")
 			}
 			currentMeta.DstIP = ip
 		}
 		pc, err := p.listenPacket(ctx, currentMeta)
 		if err != nil {
 			return nil, err
 		}
 		if !currentMeta.Resolved() { // should not happen, maybe by a wrongly implemented proxy, but we can handle this (:
 			err = pc.ResolveUDP(ctx, currentMeta)
 			if err != nil {
 				return nil, err
 			}
 		}
 		return N.NewBindPacketConn(pc, currentMeta.UDPAddr()), nil
 	}
 	var conn C.Conn
 	var err error
-	if d, ok := p.dialer.(dialer.Dialer); ok { // first using old function to let mux work
+	if _, ok := p.dialer.(dialer.Dialer); ok { // first using old function to let mux work
-		conn, err = p.proxy.DialContext(ctx, currentMeta, dialer.WithOption(d.Opt))
+		conn, err = p.proxy.DialContext(ctx, currentMeta)
 	} else {
 		conn, err = p.proxy.DialContextWithDialer(ctx, p.dialer, currentMeta)
 	}
@@ -78,8 +75,8 @@ func (p proxyDialer) listenPacket(ctx context.Context, currentMeta *C.Metadata)
 	var pc C.PacketConn
 	var err error
 	currentMeta.NetWork = C.UDP
-	if d, ok := p.dialer.(dialer.Dialer); ok { // first using old function to let mux work
+	if _, ok := p.dialer.(dialer.Dialer); ok { // first using old function to let mux work
-		pc, err = p.proxy.ListenPacketContext(ctx, currentMeta, dialer.WithOption(d.Opt))
+		pc, err = p.proxy.ListenPacketContext(ctx, currentMeta)
 	} else {
 		pc, err = p.proxy.ListenPacketWithDialer(ctx, p.dialer, currentMeta)
 	}
--- a/component/proxydialer/sing.go
+++ b/component/proxydialer/sing.go
@@ -6,8 +6,8 @@ import (
 	C "github.com/metacubex/mihomo/constant"
-	M "github.com/sagernet/sing/common/metadata"
+	M "github.com/metacubex/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
+	N "github.com/metacubex/sing/common/network"
 )
 type SingDialer interface {
--- a/component/proxydialer/slowdown_sing.go
+++ b/component/proxydialer/slowdown_sing.go
@@ -5,7 +5,7 @@ import (
 	"net"
 	"github.com/metacubex/mihomo/component/slowdown"
-	M "github.com/sagernet/sing/common/metadata"
+	M "github.com/metacubex/sing/common/metadata"
 )
 type SlowDownSingDialer struct {
--- a/Show More
+++ b/Show More