sing-box 1.11.0-beta.23 has been released.

* Fixes and improvements

https://github.com/SagerNet/sing-box/releases/tag/v1.11.0-beta.23

sing-box 1.11.0-beta.24 has been released.

* Fixes and improvements

https://github.com/SagerNet/sing-box/releases/tag/v1.11.0-beta.24

sing-box 1.11.0-rc.1 has been released.

* Fixes and improvements

https://github.com/SagerNet/sing-box/releases/tag/v1.11.0-rc.1

sing-box 1.11.0 has been released.

Important changes since 1.10:

* Introducing rule actions 1
* Improve tun compatibility 3
* Merge route options to route actions 4
* Add network_type, network_is_expensive and network_is_constrainted rule items 5
* Add multi network dialing 6
* Add cache_capacity DNS option 7
* Add override_address and override_port route options 8
* Upgrade WireGuard outbound to endpoint 9
* Add UDP GSO support for WireGuard
* Make GSO adaptive 10
* Add UDP timeout route option 11
* Add more masquerade options for hysteria2 12
* Add rule-set merge command
* Add port hopping support for Hysteria2 13
* Hysteria2 ignore_client_bandwidth behavior update 14

1:

New rule actions replace legacy inbound fields and special outbound fields,
and can be used for pre-matching 2.

See Rule, Rule Action, DNS Rule and DNS Rule Action.

For migration, see Migrate legacy special outbounds to rule actions, Migrate legacy inbound fields to rule actions and Migrate legacy DNS route options to rule actions.

2:

Similar to Surge's pre-matching.

Specifically, new rule actions allow you to reject connections with TCP RST (for TCP connections) and ICMP port unreachable (for UDP packets) before connection established to improve tun's compatibility.

See Rule Action.

3:

When gvisor tun stack is enabled, even if the request passes routing, if the outbound connection establishment fails, the connection still does not need to be established and a TCP RST is replied.

4:

Route options in DNS route actions will no longer be considered deprecated, see DNS Route Action.

Also, now udp_disable_domain_unmapping and udp_connect can also be configured in route action, see Route Action.

5:

When using in graphical clients, new routing rule items allow you to match on network type (WIFI, cellular, etc.), whether the network is expensive, and whether Low Data Mode is enabled.

See Route Rule, DNS Route Rule and Headless Rule.

6:

Similar to Surge's strategy.

New options allow you to connect using multiple network interfaces, prefer or only use one type of interface, configure a timeout to fallback to other interfaces.

See Dial Fields, Rule Action and Route.

7:

See DNS.

8:

See Rule Action and
Migrate destination override fields to route options.

9:

The new WireGuard endpoint combines inbound and outbound capabilities,
and the old outbound will be removed in sing-box 1.13.0.

See Endpoint, WireGuard Endpoint
and Migrate WireGuard outbound fields to route options.

10:

For WireGuard outbound and endpoint, GSO will be automatically enabled when available, see WireGuard Outbound.

For TUN, GSO has been removed, see Deprecated.

11:

See Rule Action.

12:

See Hysteria2.

13:

See Hysteria2.

14:

When up_mbps and down_mbps are set, ignore_client_bandwidth instead denies clients from using BBR CC.

https://github.com/SagerNet/sing-box/releases/tag/v1.11.0

sing-box 1.12.0-alpha.1 has been released.

* Refactor DNS servers 1
* Add domain resolver options2
* Add TLS fragment route options 3
* Add certificate options 4

1:

DNS servers are refactored for better performance and scalability.

See DNS server.

For migration, see Migrate to new DNS server formats.

Compatibility for old formats will be removed in sing-box 1.14.0.

2:

Legacy outbound DNS rules are deprecated
and can be replaced by the new domain_resolver option.

See Dial Fields and Route.

For migration, see Migrate outbound DNS rule items to domain resolver.

3:

The new TLS fragment route options allow you to fragment TLS handshakes to bypass firewalls.

This feature is intended to circumvent simple firewalls based on plaintext packet matching, and should not be used to circumvent real censorship.

Since it is not designed for performance, it should not be applied to all connections, but only to server names that are known to be blocked.

See Route Action.

4:

New certificate options allow you to manage the default list of trusted X509 CA certificates.

For the system certificate list, fixed Go not reading Android trusted certificates correctly.

You can also use the Mozilla Included List instead, or add trusted certificates yourself.

See Certificate.

https://github.com/SagerNet/sing-box/releases/tag/v1.12.0-alpha.1

sing-box 1.12.0-alpha.2 has been released.

* Update quic-go to v0.49.0
* Fixes and improvements

https://github.com/SagerNet/sing-box/releases/tag/v1.12.0-alpha.2

sing-box 1.11.1 has been released.

* Fixes and improvements

https://github.com/SagerNet/sing-box/releases/tag/v1.11.1

sing-box 1.12.0-alpha.3 has been released.

* Fixes and improvements

https://github.com/SagerNet/sing-box/releases/tag/v1.12.0-alpha.3

sing-box 1.12.0-alpha.4 has been released.

* Fixes and improvements

https://github.com/SagerNet/sing-box/releases/tag/v1.12.0-alpha.4

sing-box 1.11.2 has been released.

* Fixes and improvements

https://github.com/SagerNet/sing-box/releases/tag/v1.11.2

sing-box 1.12.0-alpha.5 has been released.

* Fixes and improvements

https://github.com/SagerNet/sing-box/releases/tag/v1.12.0-alpha.5

sing-box 1.12.0-alpha.6 has been released.

* Add Tailscale endpoint 1
* Drop support for go1.22 2
* Fixes and improvements

1:

See Tailscale.

2:

Due to maintenance difficulties, sing-box 1.12.0 requires at least Go 1.23 to compile.

For Windows 7 users, legacy binaries now continue to compile with Go 1.23 and patches from MetaCubeX/go.

https://github.com/SagerNet/sing-box/releases/tag/v1.12.0-alpha.6

sing-box 1.12.0-alpha.7 has been released.

* Add Tailscale DNS server 1
* Fixes and improvements

1:

See Tailscale.

https://github.com/SagerNet/sing-box/releases/tag/v1.12.0-alpha.7

sing-box 1.12.0-alpha.8 has been released.

* Fixes and improvements

https://github.com/SagerNet/sing-box/releases/tag/v1.12.0-alpha.8

sing-box 1.12.0-alpha.10 has been released.

* Add AnyTLS protocol 1
* Improve resolve route action 2
* Migrate to stdlib ECH implementation 3
* Fixes and improvements

1:

The new AnyTLS protocol claims to mitigate TLS proxy traffic characteristics and comes with a new multiplexing scheme.

See AnyTLS Inbound and AnyTLS Outbound.

2:

resolve route action now accepts disable_cache and other options like in DNS route actions, see Route Action.

3:

See TLS.

The build tag with_ech is no longer needed and has been removed.

https://github.com/SagerNet/sing-box/releases/tag/v1.12.0-alpha.10

sing-box 1.12.0-alpha.11 has been released.

* Fixes and improvements

https://github.com/SagerNet/sing-box/releases/tag/v1.12.0-alpha.11

sing-box 1.11.4 has been released.

* Fixes and improvements

https://github.com/SagerNet/sing-box/releases/tag/v1.11.4

sing-box 1.12.0-alpha.12 has been released.

* Fixes and improvements

https://github.com/SagerNet/sing-box/releases/tag/v1.12.0-alpha.12

sing-box 1.11.5 has been released.

* Fixes and improvements

We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we violated the rules (TestFlight users are not affected).

https://github.com/SagerNet/sing-box/releases/tag/v1.11.5

sing-box 1.12.0-alpha.14 has been released.

* Fixes and improvements

https://github.com/SagerNet/sing-box/releases/tag/v1.12.0-alpha.14

sing-box 1.12.0-alpha.16 has been released.

* Update domain_resolver behavior 1
* Fixes and improvements

1:

route.default_domain_resolver or outbound.domain_resolver is now optional when only one DNS server is configured.

See Dial Fields.

https://github.com/SagerNet/sing-box/releases/tag/v1.12.0-alpha.16