github.com/sagernet/sing-box@v1.9.0-rc.20/docs/configuration/inbound/tun.md (about)

---
icon: material/new-box
---

!!! quote "Changes in sing-box 1.9.0"

    :material-plus: [platform.http_proxy.bypass_domain](#platformhttp_proxybypass_domain)  
    :material-plus: [platform.http_proxy.match_domain](#platformhttp_proxymatch_domain)  

!!! quote "Changes in sing-box 1.8.0"

    :material-plus: [gso](#gso)  
    :material-alert-decagram: [stack](#stack)

!!! quote ""

    Only supported on Linux, Windows and macOS.

### Structure

```json
{
  "type": "tun",
  "tag": "tun-in",
  "interface_name": "tun0",
  "inet4_address": "172.19.0.1/30",
  "inet6_address": "fdfe:dcba:9876::1/126",
  "mtu": 9000,
  "gso": false,
  "auto_route": true,
  "strict_route": true,
  "inet4_route_address": [
    "0.0.0.0/1",
    "128.0.0.0/1"
  ],
  "inet6_route_address": [
    "::/1",
    "8000::/1"
  ],
  "inet4_route_exclude_address": [
    "192.168.0.0/16"
  ],
  "inet6_route_exclude_address": [
    "fc00::/7"
  ],
  "endpoint_independent_nat": false,
  "udp_timeout": "5m",
  "stack": "system",
  "include_interface": [
    "lan0"
  ],
  "exclude_interface": [
    "lan1"
  ],
  "include_uid": [
    0
  ],
  "include_uid_range": [
    "1000-99999"
  ],
  "exclude_uid": [
    1000
  ],
  "exclude_uid_range": [
    "1000-99999"
  ],
  "include_android_user": [
    0,
    10
  ],
  "include_package": [
    "com.android.chrome"
  ],
  "exclude_package": [
    "com.android.captiveportallogin"
  ],
  "platform": {
    "http_proxy": {
      "enabled": false,
      "server": "127.0.0.1",
      "server_port": 8080,
      "bypass_domain": [],
      "match_domain": []
    }
  },

  ... // Listen Fields
}
```

!!! note ""

    You can omit the JSON array brackets `[]` when the content is a single item.

!!! warning ""

    If tun is running in non-privileged mode, addresses and MTU will not be configured automatically. Please make sure the settings are accurate.

### Fields

#### interface_name

Virtual device name, automatically selected if empty.

#### inet4_address

==Required==

IPv4 prefix for the tun interface.

#### inet6_address

IPv6 prefix for the tun interface.

#### mtu

The maximum transmission unit.

#### gso

!!! question "Since sing-box 1.8.0"

!!! quote ""

    Only supported on Linux.

Enable generic segmentation offload.

#### auto_route

Set the default route to the Tun.

!!! quote ""

    To avoid traffic loopback, set `route.auto_detect_interface`, `route.default_interface`, or `outbound.bind_interface`.

!!! note "Use with Android VPN"

    By default, VPN takes precedence over tun. To make tun go through VPN, enable `route.override_android_vpn`.

#### strict_route

Enforce strict routing rules when `auto_route` is enabled:

*In Linux*:

* Make unsupported networks unreachable
* Route all connections to tun

It prevents address leaks and makes DNS hijacking work on Android.

*In Windows*:

* Add firewall rules to prevent DNS leaks caused by Windows' [ordinary multihomed DNS resolution behavior](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197552%28v%3Dws.10%29)

It may prevent some applications (such as VirtualBox) from working properly in certain situations.

#### inet4_route_address

Use custom routes instead of default when `auto_route` is enabled.

#### inet6_route_address

Use custom routes instead of default when `auto_route` is enabled.

#### inet4_route_exclude_address

Exclude custom routes when `auto_route` is enabled.

#### inet6_route_exclude_address

Exclude custom routes when `auto_route` is enabled.

#### endpoint_independent_nat

!!! info ""

    This item is only available on the gvisor stack; other stacks are endpoint-independent NAT by default.

Enable endpoint-independent NAT.

Performance may degrade slightly, so enabling it is not recommended when it is not needed.

#### udp_timeout

UDP NAT expiration time in seconds; the default is 300 (5 minutes).

#### stack

!!! quote "Changes in sing-box 1.8.0"

    :material-delete-alert: The legacy LWIP stack has been deprecated and removed.

TCP/IP stack.

| Stack    | Description                                                                                           |
|----------|-------------------------------------------------------------------------------------------------------|
| `system` | Perform L3 to L4 translation using the system network stack                                           |
| `gvisor` | Perform L3 to L4 translation using [gVisor](https://github.com/google/gvisor)'s virtual network stack |
| `mixed`  | Mixed `system` TCP stack and `gvisor` UDP stack                                                       |

Defaults to the `mixed` stack if the gVisor build tag is enabled, otherwise defaults to the `system` stack.

#### include_interface

!!! quote ""

    Interface rules are only supported on Linux and require `auto_route`.

Limit interfaces in route. Not limited by default.

Conflicts with `exclude_interface`.

#### exclude_interface

Exclude interfaces in route.

Conflicts with `include_interface`.

#### include_uid

!!! quote ""

    UID rules are only supported on Linux and require `auto_route`.

Limit users in route. Not limited by default.

#### include_uid_range

Limit users in route, specified as a range.

#### exclude_uid

Exclude users in route.

#### exclude_uid_range

Exclude users in route, specified as a range.

#### include_android_user

!!! quote ""

    Android user and package rules are only supported on Android and require `auto_route`.

Limit Android users in route.

| Common user  | ID |
|--------------|----|
| Main         | 0  |
| Work Profile | 10 |

#### include_package

Limit Android packages in route.

#### exclude_package

Exclude Android packages in route.

#### platform

Platform-specific settings, provided by client applications.

#### platform.http_proxy

System HTTP proxy settings.

#### platform.http_proxy.enabled

Enable system HTTP proxy.

#### platform.http_proxy.server

==Required==

HTTP proxy server address.

#### platform.http_proxy.server_port

==Required==

HTTP proxy server port.

#### platform.http_proxy.bypass_domain

!!! note ""

    On Apple platforms, `bypass_domain` items match hostname **suffixes**.

Hostnames that bypass the HTTP proxy.

#### platform.http_proxy.match_domain

!!! quote ""

    Only supported in graphical clients on Apple platforms.

Hostnames that use the HTTP proxy.

### Listen Fields

See [Listen Fields](/configuration/shared/listen/) for details.
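
The constraints stated in the field descriptions above (required `inet4_address`, the `include_interface`/`exclude_interface` conflict, rules that need `auto_route`, and the loopback note under `auto_route`) can be checked before a config is deployed. The linter below is an added example, not part of sing-box or its documentation; `lint_tun`, `is_set`, `ROUTE_ONLY` and the sample config are illustrative names and constructed data, and flagging `endpoint_independent_nat` only when `stack` is explicitly `system` is an assumption.

```python
import json

# Fields the page documents as taking effect only when auto_route is enabled.
ROUTE_ONLY = ("strict_route", "inet4_route_address", "inet6_route_address",
              "inet4_route_exclude_address", "inet6_route_exclude_address",
              "include_interface", "exclude_interface", "include_uid",
              "include_uid_range", "exclude_uid", "exclude_uid_range",
              "include_android_user", "include_package", "exclude_package")

def is_set(inb, key):
    """True if key carries a value; a single item may replace a JSON array."""
    return key in inb and inb[key] is not False and inb[key] not in ([], None)

def lint_tun(config):
    """Return findings for every tun inbound in a parsed sing-box config."""
    findings = []
    route = config.get("route", {})
    bound = bool(route.get("auto_detect_interface") or route.get("default_interface")
                 or any(o.get("bind_interface") for o in config.get("outbounds", [])))
    for inb in config.get("inbounds", []):
        if inb.get("type") != "tun":
            continue
        tag, auto = inb.get("tag", "<untagged>"), inb.get("auto_route") is True
        if not is_set(inb, "inet4_address"):
            findings.append(f"{tag}: inet4_address is required")
        if inb.get("stack", "system") not in ("system", "gvisor", "mixed"):
            findings.append(f"{tag}: unknown stack {inb['stack']!r}")
        # Assumption: only an explicit "system" stack is flagged here.
        if inb.get("endpoint_independent_nat") and inb.get("stack") == "system":
            findings.append(f"{tag}: endpoint_independent_nat needs the gvisor stack")
        if is_set(inb, "include_interface") and is_set(inb, "exclude_interface"):
            findings.append(f"{tag}: include_interface conflicts with exclude_interface")
        if auto and not bound:
            findings.append(f"{tag}: auto_route set but no interface binding (loopback risk)")
        if not auto:
            findings += [f"{tag}: {k} set without auto_route"
                         for k in ROUTE_ONLY if is_set(inb, k)]
    return findings

# Constructed sample config (not from the page); "lan0" uses the single-item form.
SAMPLE = json.loads("""{"inbounds": [
  {"type": "tun", "tag": "tun-in", "inet4_address": "172.19.0.1/30",
   "auto_route": true, "strict_route": true, "stack": "system",
   "endpoint_independent_nat": true,
   "include_interface": "lan0", "exclude_interface": ["lan1"]},
  {"type": "tun", "tag": "tun-b", "include_uid": 0}
]}""")
```

Calling `lint_tun(SAMPLE)` reports three findings for `tun-in` and two for `tun-b`; an empty list means none of the checked constraints is violated.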