github.com/sagernet/sing-box@v1.9.0-rc.20/docs/manual/proxy/client.md (about) 1 --- 2 icon: material/cellphone-link 3 --- 4 5 # Client 6 7 ### :material-ray-start: Introduction 8 9 For a long time, the modern usage and principles of proxy clients 10 for graphical operating systems have not been clearly described. 11 However, we can categorize them into three types: 12 system proxy, firewall redirection, and virtual interface. 13 14 ### :material-web-refresh: System Proxy 15 16 Almost all graphical environments support system-level proxies, 17 which are essentially ordinary HTTP proxies that only support TCP. 18 19 | Operating System / Desktop Environment | System Proxy | Application Support | 20 |:---------------------------------------------|:-------------------------------------|:--------------------| 21 | Windows | :material-check: | :material-check: | 22 | macOS | :material-check: | :material-check: | 23 | GNOME/KDE | :material-check: | :material-check: | 24 | Android | ROOT or adb (permission) is required | :material-check: | 25 | Android/iOS (with sing-box graphical client) | via `tun.platform.http_proxy` | :material-check: | 26 27 As one of the most well-known proxy methods, it has many shortcomings: 28 many TCP clients that are not based on HTTP do not check and use the system proxy. 29 Moreover, UDP and ICMP traffics bypass the proxy. 30 31 ```mermaid 32 flowchart LR 33 dns[DNS query] -- Is HTTP request? --> proxy[HTTP proxy] 34 dns --> leak[Leak] 35 tcp[TCP connection] -- Is HTTP request? --> proxy 36 tcp -- Check and use HTTP CONNECT? --> proxy 37 tcp --> leak 38 udp[UDP packet] --> leak 39 ``` 40 41 ### :material-wall-fire: Firewall Redirection 42 43 This type of usage typically relies on the firewall or hook interface provided by the operating system, 44 such as Windows’ WFP, Linux’s redirect, TProxy and eBPF, and macOS’s pf. 45 Although it is intrusive and cumbersome to configure, 46 it remains popular within the community of amateur proxy open source projects like V2Ray, 47 due to the low technical requirements it imposes on the software. 48 49 ### :material-expansion-card: Virtual Interface 50 51 All L2/L3 proxies (seriously defined VPNs, such as OpenVPN, WireGuard) are based on virtual network interfaces, 52 which is also the only way for all L4 proxies to work as VPNs on mobile platforms like Android, iOS. 53 54 The sing-box inherits and develops clash-premium’s TUN inbound (L3 to L4 conversion) 55 as the most reasonable method for performing transparent proxying. 56 57 ```mermaid 58 flowchart TB 59 packet[IP Packet] 60 packet --> windows[Windows / macOS] 61 packet --> linux[Linux] 62 tun[TUN interface] 63 windows -. route .-> tun 64 linux -. iproute2 route/rule .-> tun 65 tun --> gvisor[gVisor TUN stack] 66 tun --> system[system TUN stack] 67 assemble([L3 to L4 assemble]) 68 gvisor --> assemble 69 system --> assemble 70 assemble --> conn[TCP and UDP connections] 71 conn --> router[sing-box Router] 72 router --> direct[Direct outbound] 73 router --> proxy[Proxy outbounds] 74 router -- DNS hijack --> dns_out[DNS outbound] 75 dns_out --> dns_router[DNS router] 76 dns_router --> router 77 direct --> adi([auto detect interface]) 78 proxy --> adi 79 adi --> default[Default network interface in the system] 80 default --> destination[Destination server] 81 default --> proxy_server[Proxy server] 82 proxy_server --> destination 83 ``` 84 85 ## :material-cellphone-link: Examples 86 87 ### Basic TUN usage for Chinese users 88 89 === ":material-numeric-4-box: IPv4 only" 90 91 ```json 92 { 93 "dns": { 94 "servers": [ 95 { 96 "tag": "google", 97 "address": "tls://8.8.8.8" 98 }, 99 { 100 "tag": "local", 101 "address": "223.5.5.5", 102 "detour": "direct" 103 } 104 ], 105 "rules": [ 106 { 107 "outbound": "any", 108 "server": "local" 109 } 110 ], 111 "strategy": "ipv4_only" 112 }, 113 "inbounds": [ 114 { 115 "type": "tun", 116 "inet4_address": "172.19.0.1/30", 117 "auto_route": true, 118 "strict_route": false 119 } 120 ], 121 "outbounds": [ 122 // ... 123 { 124 "type": "direct", 125 "tag": "direct" 126 }, 127 { 128 "type": "dns", 129 "tag": "dns-out" 130 } 131 ], 132 "route": { 133 "rules": [ 134 { 135 "protocol": "dns", 136 "outbound": "dns-out" 137 }, 138 { 139 "geoip": [ 140 "private" 141 ], 142 "outbound": "direct" 143 } 144 ], 145 "auto_detect_interface": true 146 } 147 } 148 ``` 149 150 === ":material-numeric-6-box: IPv4 & IPv6" 151 152 ```json 153 { 154 "dns": { 155 "servers": [ 156 { 157 "tag": "google", 158 "address": "tls://8.8.8.8" 159 }, 160 { 161 "tag": "local", 162 "address": "223.5.5.5", 163 "detour": "direct" 164 } 165 ], 166 "rules": [ 167 { 168 "outbound": "any", 169 "server": "local" 170 } 171 ] 172 }, 173 "inbounds": [ 174 { 175 "type": "tun", 176 "inet4_address": "172.19.0.1/30", 177 "inet6_address": "fdfe:dcba:9876::1/126", 178 "auto_route": true, 179 "strict_route": false 180 } 181 ], 182 "outbounds": [ 183 // ... 184 { 185 "type": "direct", 186 "tag": "direct" 187 }, 188 { 189 "type": "dns", 190 "tag": "dns-out" 191 } 192 ], 193 "route": { 194 "rules": [ 195 { 196 "protocol": "dns", 197 "outbound": "dns-out" 198 }, 199 { 200 "geoip": [ 201 "private" 202 ], 203 "outbound": "direct" 204 } 205 ], 206 "auto_detect_interface": true 207 } 208 } 209 ``` 210 211 === ":material-domain-switch: FakeIP" 212 213 ```json 214 { 215 "dns": { 216 "servers": [ 217 { 218 "tag": "google", 219 "address": "tls://8.8.8.8" 220 }, 221 { 222 "tag": "local", 223 "address": "223.5.5.5", 224 "detour": "direct" 225 }, 226 { 227 "tag": "remote", 228 "address": "fakeip" 229 } 230 ], 231 "rules": [ 232 { 233 "outbound": "any", 234 "server": "local" 235 }, 236 { 237 "query_type": [ 238 "A", 239 "AAAA" 240 ], 241 "server": "remote" 242 } 243 ], 244 "fakeip": { 245 "enabled": true, 246 "inet4_range": "198.18.0.0/15", 247 "inet6_range": "fc00::/18" 248 }, 249 "independent_cache": true 250 }, 251 "inbounds": [ 252 { 253 "type": "tun", 254 "inet4_address": "172.19.0.1/30", 255 "inet6_address": "fdfe:dcba:9876::1/126", 256 "auto_route": true, 257 "strict_route": true 258 } 259 ], 260 "outbounds": [ 261 // ... 262 { 263 "type": "direct", 264 "tag": "direct" 265 }, 266 { 267 "type": "dns", 268 "tag": "dns-out" 269 } 270 ], 271 "route": { 272 "rules": [ 273 { 274 "protocol": "dns", 275 "outbound": "dns-out" 276 }, 277 { 278 "geoip": [ 279 "private" 280 ], 281 "outbound": "direct" 282 } 283 ], 284 "auto_detect_interface": true 285 } 286 } 287 ``` 288 289 ### Traffic bypass usage for Chinese users 290 291 === ":material-dns: DNS rules" 292 293 ```json 294 { 295 "dns": { 296 "servers": [ 297 { 298 "tag": "google", 299 "address": "tls://8.8.8.8" 300 }, 301 { 302 "tag": "local", 303 "address": "223.5.5.5", 304 "detour": "direct" 305 } 306 ], 307 "rules": [ 308 { 309 "outbound": "any", 310 "server": "local" 311 }, 312 { 313 "clash_mode": "Direct", 314 "server": "local" 315 }, 316 { 317 "clash_mode": "Global", 318 "server": "google" 319 }, 320 { 321 "rule_set": "geosite-geolocation-cn", 322 "server": "local" 323 } 324 ] 325 }, 326 "route": { 327 "rule_set": [ 328 { 329 "type": "remote", 330 "tag": "geosite-geolocation-cn", 331 "format": "binary", 332 "url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-geolocation-cn.srs" 333 } 334 ] 335 } 336 } 337 ``` 338 339 === ":material-dns: DNS rules (Enhanced, but slower) (1.9.0+)" 340 341 === ":material-shield-off: With DNS leaks" 342 343 ```json 344 { 345 "dns": { 346 "servers": [ 347 { 348 "tag": "google", 349 "address": "tls://8.8.8.8" 350 }, 351 { 352 "tag": "local", 353 "address": "https://223.5.5.5/dns-query", 354 "detour": "direct" 355 } 356 ], 357 "rules": [ 358 { 359 "outbound": "any", 360 "server": "local" 361 }, 362 { 363 "clash_mode": "Direct", 364 "server": "local" 365 }, 366 { 367 "clash_mode": "Global", 368 "server": "google" 369 }, 370 { 371 "rule_set": "geosite-geolocation-cn", 372 "server": "local" 373 }, 374 { 375 "clash_mode": "Default", 376 "server": "google" 377 }, 378 { 379 "type": "logical", 380 "mode": "and", 381 "rules": [ 382 { 383 "rule_set": "geosite-geolocation-!cn", 384 "invert": true 385 }, 386 { 387 "rule_set": "geoip-cn" 388 } 389 ], 390 "server": "local" 391 } 392 ] 393 }, 394 "route": { 395 "rule_set": [ 396 { 397 "type": "remote", 398 "tag": "geosite-geolocation-cn", 399 "format": "binary", 400 "url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-geolocation-cn.srs" 401 }, 402 { 403 "type": "remote", 404 "tag": "geosite-geolocation-!cn", 405 "format": "binary", 406 "url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-geolocation-!cn.srs" 407 }, 408 { 409 "type": "remote", 410 "tag": "geoip-cn", 411 "format": "binary", 412 "url": "https://raw.githubusercontent.com/SagerNet/sing-geoip/rule-set/geoip-cn.srs" 413 } 414 ] 415 }, 416 "experimental": { 417 "cache_file": { 418 "enabled": true, 419 "store_rdrc": true 420 }, 421 "clash_api": { 422 "default_mode": "Enhanced" 423 } 424 } 425 } 426 ``` 427 428 === ":material-security: Without DNS leaks, but slower (1.9.0-alpha.2+)" 429 430 ```json 431 { 432 "dns": { 433 "servers": [ 434 { 435 "tag": "google", 436 "address": "tls://8.8.8.8" 437 }, 438 { 439 "tag": "local", 440 "address": "https://223.5.5.5/dns-query", 441 "detour": "direct" 442 } 443 ], 444 "rules": [ 445 { 446 "outbound": "any", 447 "server": "local" 448 }, 449 { 450 "clash_mode": "Direct", 451 "server": "local" 452 }, 453 { 454 "clash_mode": "Global", 455 "server": "google" 456 }, 457 { 458 "rule_set": "geosite-geolocation-cn", 459 "server": "local" 460 }, 461 { 462 "type": "logical", 463 "mode": "and", 464 "rules": [ 465 { 466 "rule_set": "geosite-geolocation-!cn", 467 "invert": true 468 }, 469 { 470 "rule_set": "geoip-cn" 471 } 472 ], 473 "server": "google", 474 "client_subnet": "114.114.114.114/24" // Any China client IP address 475 } 476 ] 477 }, 478 "route": { 479 "rule_set": [ 480 { 481 "type": "remote", 482 "tag": "geosite-geolocation-cn", 483 "format": "binary", 484 "url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-geolocation-cn.srs" 485 }, 486 { 487 "type": "remote", 488 "tag": "geosite-geolocation-!cn", 489 "format": "binary", 490 "url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-geolocation-!cn.srs" 491 }, 492 { 493 "type": "remote", 494 "tag": "geoip-cn", 495 "format": "binary", 496 "url": "https://raw.githubusercontent.com/SagerNet/sing-geoip/rule-set/geoip-cn.srs" 497 } 498 ] 499 }, 500 "experimental": { 501 "cache_file": { 502 "enabled": true, 503 "store_rdrc": true 504 }, 505 "clash_api": { 506 "default_mode": "Enhanced" 507 } 508 } 509 } 510 ``` 511 512 === ":material-router-network: Route rules" 513 514 ```json 515 { 516 "outbounds": [ 517 { 518 "type": "direct", 519 "tag": "direct" 520 }, 521 { 522 "type": "block", 523 "tag": "block" 524 } 525 ], 526 "route": { 527 "rules": [ 528 { 529 "type": "logical", 530 "mode": "or", 531 "rules": [ 532 { 533 "protocol": "dns" 534 }, 535 { 536 "port": 53 537 } 538 ], 539 "outbound": "dns" 540 }, 541 { 542 "ip_is_private": true, 543 "outbound": "direct" 544 }, 545 { 546 "clash_mode": "Direct", 547 "outbound": "direct" 548 }, 549 { 550 "clash_mode": "Global", 551 "outbound": "default" 552 }, 553 { 554 "type": "logical", 555 "mode": "or", 556 "rules": [ 557 { 558 "port": 853 559 }, 560 { 561 "network": "udp", 562 "port": 443 563 }, 564 { 565 "protocol": "stun" 566 } 567 ], 568 "outbound": "block" 569 }, 570 { 571 "rule_set": [ 572 "geoip-cn", 573 "geosite-geolocation-cn" 574 ], 575 "outbound": "direct" 576 } 577 ], 578 "rule_set": [ 579 { 580 "type": "remote", 581 "tag": "geoip-cn", 582 "format": "binary", 583 "url": "https://raw.githubusercontent.com/SagerNet/sing-geoip/rule-set/geoip-cn.srs" 584 }, 585 { 586 "type": "remote", 587 "tag": "geosite-geolocation-cn", 588 "format": "binary", 589 "url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-geolocation-cn.srs" 590 } 591 ] 592 } 593 } 594 ```