Proxies
Configuration for proxies, supporting the following protocols: Shadowsocks, Snell, Trojan, AnyTLS, Hysteria2, TUIC, SOCKS5, SOCKS5 over TLS, SSH, HTTP, HTTPS, Vmess, Vless, WireGuard. All optional fields of type bool default to false.
Shadowsocks
-
name (string), Required
The proxy name, which must be globally unique.
-
method (string), Required
Encryption method.
AEAD-2022:
2022-blake3-aes-128-gcm,2022-blake3-aes-256-gcm,2022-blake3-chacha20-poly1305AEAD:
chacha20-poly1305,aes-256-gcm,aes-128-gcmStream:
none,table,rc4,rc4-md5,aes-128-cfb,aes-192-cfb,aes-256-cfb,aes-128-ctr,aes-192-ctr,aes-256-ctr,bf-cfb,camellia-128-cfb,camellia-192-cfb,camellia-256-cfb,cast5-cfb,des-cfb,idea-cfb,rc2-cfb,seed-cfb,salsa20,chacha20,chacha20-ietf -
password (string), Required
The password. Shadowsocks 2022 uses a Base64-encoded key.
-
server (string), Required
The server address, which can be an IP or domain name.
-
port (integer), Required
The server port.
-
udp_port (integer), Optional
Dedicated UDP port. Used when the server listens on different ports for TCP and UDP.
-
tfo (bool), Optional
Whether to enable TCP Fast Open.
-
udp_relay (bool), Optional
Whether to enable UDP relay.
-
obfs (string), Optional
Obfuscation method. Possible values:
http,tls. -
obfs_host (string), Optional
The hostname used for obfuscation.
-
obfs_uri (string), Optional
The URI path used for obfuscation.
-
block_quic (bool), Optional
Whether to block the QUIC protocol. When set to
true, connections using this proxy will not use QUIC/HTTP3. This setting takes the highest priority, overriding both policy group and globalblock_quic. When not set, the policy group and global settings are used in order; if none are set, Shadowsocks defaults tofalse(allow QUIC). -
shadow_tls (object), Optional
ShadowTLS transport configuration. See ShadowTLS for details.
-
prev_hop (string), Optional
The name of the preceding proxy, used to build a proxy chain. Traffic path: local machine -> preceding proxy -> current proxy -> destination.
-
ip_version (string), Optional
IP version strategy applied when
serveris a domain that requires DNS resolution; it has no effect on an IP-literalserver. One ofdual_stack(default),v4_only,v6_only,v4_prefer,v6_prefer.
Configuration Example
shadowsocks:
name: "my-ss"
method: "aes-256-gcm"
password: "mypassword"
server: "1.2.3.4"
port: 8388
tfo: true
udp_relay: false
obfs: "http"
obfs_host: "example.com"
obfs_uri: "/path"
Snell
-
name (string), Required
The proxy name, which must be globally unique.
-
server (string), Required
The server address, which can be an IP or domain name.
-
port (integer), Required
The server port.
-
psk (string), Required
The pre-shared key.
-
version (integer), Optional
Protocol version, one of
1/2/3/4/5. Defaults to1; v5 is implemented as v4. -
udp_relay (bool), Optional
Whether to enable UDP relay. Only available on v3/v4.
-
reuse (bool), Optional
Whether to enable connection reuse. Only effective on v4; v2 always reuses.
-
obfs (string), Optional
Obfuscation method. Possible values:
http,tls. -
obfs_host (string), Optional
The hostname used for obfuscation. Defaults to
bing.com. -
tfo (bool), Optional
Whether to enable TCP Fast Open.
-
block_quic (bool), Optional
Whether to block the QUIC protocol. When set to
true, connections using this proxy will not use QUIC/HTTP3. This setting takes the highest priority, overriding both policy group and globalblock_quic. When not set, the policy group and global settings are used in order; if none are set, Snell defaults tofalse(allow QUIC). -
prev_hop (string), Optional
The name of the preceding proxy, used to build a proxy chain. Traffic path: local machine -> preceding proxy -> current proxy -> destination.
-
ip_version (string), Optional
IP version strategy applied when
serveris a domain that requires DNS resolution; it has no effect on an IP-literalserver. One ofdual_stack(default),v4_only,v6_only,v4_prefer,v6_prefer.
Configuration Example
snell:
name: "my-snell"
server: "1.2.3.4"
port: 8388
psk: "mypassword"
version: 4
udp_relay: true
obfs: "http"
obfs_host: "example.com"
Trojan
-
name (string), Required
The proxy name, which must be globally unique.
-
server (string), Required
The server address, which can be an IP or domain name.
-
port (integer), Required
The server port.
-
sni (string), Optional
The Server Name Indication (SNI) used for TLS. Defaults to the value of the
serverfield. -
password (string), Required
The password for the Trojan protocol.
-
tfo (bool), Optional
Whether to enable TCP Fast Open.
-
udp_relay (bool), Optional
Whether to enable UDP relay.
-
skip_tls_verify (bool), Optional
Whether to skip TLS certificate verification.
-
fingerprint_sha256 (string), Optional
SHA-256 fingerprint of the server's leaf certificate (hex, case-insensitive;
:or-separators allowed). When set, the leaf certificate's DER SHA-256 is pinned and CA-chain verification is bypassed. Mutually exclusive withskip_tls_verify, which is ignored when this field is set. -
reality (object), Optional
REALITY configuration (mutually exclusive with plain TLS). When set, REALITY replaces plain TLS as the security layer: it borrows a real site's certificate to complete the handshake and carries its own authentication, so
skip_tls_verifyandfingerprint_sha256are ignored.-
public_key (string), Required
The server Reality public key (Base64 URL-safe encoded).
-
short_id (string), Optional
The short ID (hexadecimal string).
-
-
websocket (object), Optional
WebSocket configuration for Trojan:
-
path (string), Required
The WebSocket path.
-
host (string), Optional
The Host header for the WebSocket.
-
-
block_quic (bool), Optional
Whether to block the QUIC protocol. When set to
true, connections using this proxy will not use QUIC/HTTP3. This setting takes the highest priority, overriding both policy group and globalblock_quic. When not set, the policy group and global settings are used in order; if none are set, Trojan defaults totrue(block QUIC). -
shadow_tls (object), Optional
ShadowTLS transport configuration. See ShadowTLS for details.
-
prev_hop (string), Optional
The name of the preceding proxy, used to build a proxy chain. Traffic path: local machine -> preceding proxy -> current proxy -> destination.
-
ip_version (string), Optional
IP version strategy applied when
serveris a domain that requires DNS resolution; it has no effect on an IP-literalserver. One ofdual_stack(default),v4_only,v6_only,v4_prefer,v6_prefer.
Configuration Example
trojan:
name: "my-trojan"
server: "trojan.example.com"
port: 443
sni: "trojan.example.com"
password: "trojanpass"
tfo: true
udp_relay: true
skip_tls_verify: true
websocket:
path: "/ws"
host: "trojan.example.com"
AnyTLS
-
name (string), Required
The proxy name, which must be globally unique.
-
server (string), Required
The server address, which can be an IP or domain name.
-
port (integer), Required
The server port.
-
password (string), Required
The authentication password.
-
sni (string), Optional
The Server Name Indication (SNI) used for TLS. Defaults to the value of the
serverfield. -
tfo (bool), Optional
Whether to enable TCP Fast Open.
-
udp_relay (bool), Optional
Whether to enable UDP relay (UDP over TCP).
-
fingerprint_sha256 (string), Optional
SHA-256 fingerprint of the server's leaf certificate (hex, case-insensitive;
:or-separators allowed). When set, the leaf certificate's DER SHA-256 is pinned to verify the server's identity in place of CA-chain verification. -
reality (object), Optional
REALITY configuration (mutually exclusive with plain TLS). When set, REALITY replaces plain TLS as the security layer: it borrows a real site's certificate to complete the handshake and carries its own authentication, so
fingerprint_sha256is ignored.-
public_key (string), Required
The server Reality public key (Base64 URL-safe encoded).
-
short_id (string), Optional
The short ID (hexadecimal string).
-
-
block_quic (bool), Optional
Whether to block the QUIC protocol. When set to
true, connections using this proxy will not use QUIC/HTTP3. This setting takes the highest priority, overriding both policy group and globalblock_quic. When not set, the policy group and global settings are used in order; if none are set, AnyTLS defaults totrue(block QUIC). -
shadow_tls (object), Optional
ShadowTLS transport configuration. See ShadowTLS for details.
-
prev_hop (string), Optional
The name of the preceding proxy, used to build a proxy chain. Traffic path: local machine -> preceding proxy -> current proxy -> destination.
-
ip_version (string), Optional
IP version strategy applied when
serveris a domain that requires DNS resolution; it has no effect on an IP-literalserver. One ofdual_stack(default),v4_only,v6_only,v4_prefer,v6_prefer.
Configuration Example
anytls:
name: "my-anytls"
server: "anytls.example.com"
port: 443
password: "mypassword"
sni: "anytls.example.com"
udp_relay: true
Hysteria2
-
name (string), Required
The proxy name, which must be globally unique.
-
server (string), Required
The server address, which can be an IP or domain name.
-
port (integer), Required
The server port.
-
auth (string), Required
The authentication password or token for Hysteria2.
-
sni (string), Optional
The Server Name Indication (SNI) used for TLS.
-
obfs (string), Optional
Obfuscation method. Possible values:
salamander. -
obfs_password (string), Optional
The obfuscation password.
-
skip_tls_verify (bool), Optional
Whether to skip TLS certificate verification.
-
fingerprint_sha256 (string), Optional
SHA-256 fingerprint of the server's leaf certificate (hex, case-insensitive;
:or-separators allowed). When set, the leaf certificate's DER SHA-256 is pinned and CA-chain verification is bypassed. Mutually exclusive withskip_tls_verify, which is ignored when this field is set. -
port_hopping (string), Optional
Port hopping configuration string. Supports a single port
8080, a port range20000-30000, or a mixed format1234,5000-6000,8080. The client will randomly select a port from the specified set for connection. -
port_hopping_interval (integer), Optional
Port hopping interval (in seconds). After a connection is established, the client switches to a new random port every specified number of seconds.
-
bandwidth (integer), Optional
Upload bandwidth (Mbps). When configured, the Brutal congestion control algorithm will be enabled to send data at the target bandwidth. It is recommended to set this to 80%-90% of the actual available bandwidth.
-
block_quic (bool), Optional
Whether to block the QUIC protocol. When set to
true, connections using this proxy will not use QUIC/HTTP3. This setting takes the highest priority, overriding both policy group and globalblock_quic. When not set, the policy group and global settings are used in order; if none are set, Hysteria2 defaults tofalse(allow QUIC). -
prev_hop (string), Optional
The name of the preceding proxy, used to build a proxy chain. Traffic path: local machine -> preceding proxy -> current proxy -> destination.
-
ip_version (string), Optional
IP version strategy applied when
serveris a domain that requires DNS resolution; it has no effect on an IP-literalserver. One ofdual_stack(default),v4_only,v6_only,v4_prefer,v6_prefer.
Configuration Example
hysteria2:
name: "my-hysteria2"
server: "hysteria.example.com"
port: 443
auth: "my_auth_token"
sni: "hysteria.example.com"
obfs: "salamander"
obfs_password: "myobfspass"
skip_tls_verify: true
port_hopping: "20000-30000"
port_hopping_interval: 30
bandwidth: 100
TUIC
-
name (string), Required
The proxy name, which must be globally unique.
-
server (string), Required
The server address, which can be an IP or domain name.
-
port (integer), Required
The server port.
-
uuid (string), Required
The UUID.
-
password (string), Required
The password.
-
udp_relay_mode (string), Optional
UDP relay mode.
native(native UDP relay, default),quic(transmit UDP datagrams over QUIC streams). -
alpn (array of string), Optional
The ALPN list for TLS. Common values:
h3. -
sni (string), Optional
The Server Name Indication (SNI) used for TLS.
-
skip_tls_verify (bool), Optional
Whether to skip TLS certificate verification.
-
fingerprint_sha256 (string), Optional
SHA-256 fingerprint of the server's leaf certificate (hex, case-insensitive;
:or-separators allowed). When set, the leaf certificate's DER SHA-256 is pinned and CA-chain verification is bypassed. Mutually exclusive withskip_tls_verify, which is ignored when this field is set. -
port_hopping (string), Optional
Port hopping configuration string. Supports a single port
8080, a port range20000-30000, or a mixed format1234,5000-6000,8080. -
port_hopping_interval (integer), Optional
Port hopping interval (in seconds).
-
block_quic (bool), Optional
Whether to block the QUIC protocol. When set to
true, connections using this proxy will not use QUIC/HTTP3. This setting takes the highest priority, overriding both policy group and globalblock_quic. When not set, the policy group and global settings are used in order; if none are set, TUIC defaults tofalse(allow QUIC). -
prev_hop (string), Optional
The name of the preceding proxy, used to build a proxy chain. Traffic path: local machine -> preceding proxy -> current proxy -> destination.
-
ip_version (string), Optional
IP version strategy applied when
serveris a domain that requires DNS resolution; it has no effect on an IP-literalserver. One ofdual_stack(default),v4_only,v6_only,v4_prefer,v6_prefer.
Configuration Example
tuic:
name: "my-tuic"
server: "tuic.example.com"
port: 443
uuid: "22222222-2222-2222-2222-222222222222"
password: "tuicpass"
udp_relay_mode: "native"
alpn:
- "h3"
sni: "tuic.example.com"
skip_tls_verify: true
port_hopping: "443,445,447"
port_hopping_interval: 30
SOCKS5
-
name (string), Required
The proxy name, which must be globally unique.
-
server (string), Required
The server address, which can be an IP or domain name.
-
port (integer), Required
The server port.
-
username (string), Optional
The username.
-
password (string), Optional
The password.
-
tfo (bool), Optional
Whether to enable TCP Fast Open.
-
udp_relay (bool), Optional
Whether to enable UDP relay.
-
block_quic (bool), Optional
Whether to block the QUIC protocol. When set to
true, connections using this proxy will not use QUIC/HTTP3. This setting takes the highest priority, overriding both policy group and globalblock_quic. When not set, the policy group and global settings are used in order; if none are set, SOCKS5 defaults tofalse(allow QUIC). -
shadow_tls (object), Optional
ShadowTLS transport configuration. See ShadowTLS for details.
-
prev_hop (string), Optional
The name of the preceding proxy, used to build a proxy chain. Traffic path: local machine -> preceding proxy -> current proxy -> destination.
-
ip_version (string), Optional
IP version strategy applied when
serveris a domain that requires DNS resolution; it has no effect on an IP-literalserver. One ofdual_stack(default),v4_only,v6_only,v4_prefer,v6_prefer.
Configuration Example
socks5:
name: "my-socks5"
server: "1.2.3.4"
port: 1080
username: "user"
password: "pass"
tfo: false
udp_relay: true
SOCKS5 over TLS
SOCKS5 wrapped in a TLS layer: the client first completes a TLS handshake with the server, then performs the SOCKS5 handshake and relays traffic inside the encrypted channel. This is the TLS variant of socks5, just as https is to http.
-
name (string), Required
The proxy name, which must be globally unique.
-
server (string), Required
The server address, which can be an IP or domain name.
-
port (integer), Required
The server port.
-
username (string), Optional
The username.
-
password (string), Optional
The password.
-
sni (string), Optional
TLS SNI (Server Name Indication). Defaults to the value of the
serverfield. -
tfo (bool), Optional
Whether to enable TCP Fast Open.
-
udp_relay (bool), Optional
Whether to enable UDP relay.
-
skip_tls_verify (bool), Optional
Whether to skip TLS certificate verification.
-
fingerprint_sha256 (string), Optional
SHA-256 fingerprint of the server's leaf certificate (hex, case-insensitive;
:or-separators allowed). When set, the leaf certificate's DER SHA-256 is pinned and CA-chain verification is bypassed. Mutually exclusive withskip_tls_verify, which is ignored when this field is set. -
reality (object), Optional
REALITY configuration (mutually exclusive with plain TLS). When set, REALITY replaces plain TLS as the security layer: it borrows a real site's certificate to complete the handshake and carries its own authentication, so
skip_tls_verifyandfingerprint_sha256are ignored.-
public_key (string), Required
The server Reality public key (Base64 URL-safe encoded).
-
short_id (string), Optional
The short ID (hexadecimal string).
-
-
block_quic (bool), Optional
Whether to block the QUIC protocol. When set to
true, connections using this proxy will not use QUIC/HTTP3. This setting takes the highest priority, overriding both policy group and globalblock_quic. When not set, the policy group and global settings are used in order; if none are set, SOCKS5 over TLS defaults tofalse(allow QUIC). -
shadow_tls (object), Optional
ShadowTLS transport configuration. See ShadowTLS for details.
-
prev_hop (string), Optional
The name of the preceding proxy, used to build a proxy chain. Traffic path: local machine -> preceding proxy -> current proxy -> destination.
-
ip_version (string), Optional
IP version strategy applied when
serveris a domain that requires DNS resolution; it has no effect on an IP-literalserver. One ofdual_stack(default),v4_only,v6_only,v4_prefer,v6_prefer.
Configuration Example
socks5_tls:
name: "my-socks5-tls"
server: "1.2.3.4"
port: 443
username: "user"
password: "pass"
sni: "example.com"
udp_relay: true
SSH
Tunnels TCP connections through an SSH server's direct-tcpip channel (similar to ssh -L), multiplexing all connections over a single SSH session. SSH has no datagram channel, so UDP is not relayed.
-
name (string), Required
The proxy name, which must be globally unique.
-
server (string), Required
The server address, which can be an IP or domain name.
-
port (integer), Required
The server port (SSH default is 22).
-
username (string), Required
The SSH login username.
-
password (string), Optional
The login password. Provide a password and/or a private key; when both are present, the private key is tried first.
-
private_key (string), Optional
Inline private key contents in PEM/OpenSSH format (the key itself, not a file path).
-
host_keys (array of string), Optional
Accepted server host keys. Each entry is a full
known_hostspublic key line, i.e.<type> <base64-key>(e.g.ssh-ed25519 AAAAC3Nza...), optionally with a trailing comment. When set, the server's host key is pinned and verified, and the connection is refused on mismatch. When left empty, host key verification is skipped. -
tfo (bool), Optional
Whether to enable TCP Fast Open.
-
block_quic (bool), Optional
Whether to block the QUIC protocol. When set to
true, connections using this proxy will not use QUIC/HTTP3. This setting takes the highest priority, overriding both policy group and globalblock_quic. When not set, the policy group and global settings are used in order; if none are set, SSH defaults totrue(block QUIC), since SSH cannot relay UDP. -
shadow_tls (object), Optional
ShadowTLS transport configuration. See ShadowTLS for details.
-
prev_hop (string), Optional
The name of the preceding proxy, used to build a proxy chain. Traffic path: local machine -> preceding proxy -> current proxy -> destination.
-
ip_version (string), Optional
IP version strategy applied when
serveris a domain that requires DNS resolution; it has no effect on an IP-literalserver. One ofdual_stack(default),v4_only,v6_only,v4_prefer,v6_prefer.
Configuration Example
ssh:
name: "my-ssh"
server: "ssh.example.com"
port: 22
username: "root"
# Authenticate with an inline private key (PEM/OpenSSH format)...
private_key: |
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
# ...and/or with a password
password: "mypassword"
# Optional: pin the server's host key (a full known_hosts public key line)
host_keys:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl"
HTTP
-
name (string), Required
The proxy name, which must be globally unique.
-
server (string), Required
The server address, which can be an IP or domain name.
-
port (integer), Required
The server port.
-
username (string), Optional
The username for the HTTP proxy.
-
password (string), Optional
The password for the HTTP proxy.
-
headers (object), Optional
Custom HTTP request headers.
-
tfo (bool), Optional
Whether to enable TCP Fast Open.
-
shadow_tls (object), Optional
ShadowTLS transport configuration. See ShadowTLS for details.
-
prev_hop (string), Optional
The name of the preceding proxy, used to build a proxy chain. Traffic path: local machine -> preceding proxy -> current proxy -> destination.
-
ip_version (string), Optional
IP version strategy applied when
serveris a domain that requires DNS resolution; it has no effect on an IP-literalserver. One ofdual_stack(default),v4_only,v6_only,v4_prefer,v6_prefer.
Configuration Example
http:
name: "my-http"
server: "5.6.7.8"
port: 8080
username: "user"
password: "pass"
tfo: false
HTTPS
-
name (string), Required
The proxy name, which must be globally unique.
-
server (string), Required
The server address, which can be an IP or domain name.
-
port (integer), Required
The server port.
-
username (string), Optional
The username for the HTTPS proxy.
-
password (string), Optional
The password for the HTTPS proxy.
-
headers (object), Optional
Custom HTTP request headers.
-
sni (string), Optional
TLS SNI (Server Name Indication). Defaults to the value of the
serverfield. -
tfo (bool), Optional
Whether to enable TCP Fast Open.
-
skip_tls_verify (bool), Optional
Whether to skip TLS certificate verification.
-
fingerprint_sha256 (string), Optional
SHA-256 fingerprint of the server's leaf certificate (hex, case-insensitive;
:or-separators allowed). When set, the leaf certificate's DER SHA-256 is pinned and CA-chain verification is bypassed. Mutually exclusive withskip_tls_verify, which is ignored when this field is set. -
reality (object), Optional
REALITY configuration (mutually exclusive with plain TLS). When set, REALITY replaces plain TLS as the security layer: it borrows a real site's certificate to complete the handshake and carries its own authentication, so
skip_tls_verifyandfingerprint_sha256are ignored.-
public_key (string), Required
The server Reality public key (Base64 URL-safe encoded).
-
short_id (string), Optional
The short ID (hexadecimal string).
-
-
shadow_tls (object), Optional
ShadowTLS transport configuration. See ShadowTLS for details.
-
prev_hop (string), Optional
The name of the preceding proxy, used to build a proxy chain. Traffic path: local machine -> preceding proxy -> current proxy -> destination.
-
ip_version (string), Optional
IP version strategy applied when
serveris a domain that requires DNS resolution; it has no effect on an IP-literalserver. One ofdual_stack(default),v4_only,v6_only,v4_prefer,v6_prefer.
Configuration Example
https:
name: "my-https"
server: "proxy.example.com"
port: 443
username: "user"
password: "pass"
sni: "proxy.example.com"
Vmess
-
name (string), Required
The proxy name, which must be globally unique.
-
server (string), Required
The server address, which can be an IP or domain name.
-
port (integer), Required
The server port.
-
user_id (string), Required
The Vmess user ID (UUID).
-
security (string), Required
Encryption method.
auto(automatic selection, default),aes-128-gcm,chacha20-poly1305,none,zero -
legacy (bool), Optional
Whether to use the legacy Vmess protocol format (not recommended).
-
tfo (bool), Optional
Whether to enable TCP Fast Open.
-
udp_relay (bool), Optional
Whether to enable UDP relay.
-
transport (object), Optional
Transport configuration. See Vmess Transport for details.
-
block_quic (bool), Optional
Whether to block the QUIC protocol. When set to
true, connections using this proxy will not use QUIC/HTTP3. This setting takes the highest priority, overriding both policy group and globalblock_quic. When not set, the policy group and global settings are used in order; if none are set, Vmess defaults totrue(block QUIC). -
shadow_tls (object), Optional
ShadowTLS transport configuration. See ShadowTLS for details.
-
prev_hop (string), Optional
The name of the preceding proxy, used to build a proxy chain. Traffic path: local machine -> preceding proxy -> current proxy -> destination.
-
ip_version (string), Optional
IP version strategy applied when
serveris a domain that requires DNS resolution; it has no effect on an IP-literalserver. One ofdual_stack(default),v4_only,v6_only,v4_prefer,v6_prefer.
Configuration Example
vmess:
name: "my-vmess"
server: "vmess.example.com"
port: 443
user_id: "00000000-0000-0000-0000-000000000000"
security: "auto"
legacy: false
tfo: true
udp_relay: true
transport:
ws:
path: "/myws"
headers:
Host: "vmess.example.com"
Vless
-
name (string), Required
The proxy name, which must be globally unique.
-
server (string), Required
The server address, which can be an IP or domain name.
-
port (integer), Required
The server port.
-
user_id (string), Required
The Vless user ID (UUID).
-
tfo (bool), Optional
Whether to enable TCP Fast Open.
-
udp_relay (bool), Optional
Whether to enable UDP relay.
-
flow (string), Optional
Flow control mode. Supports
xtls-rprx-vision. -
transport (object), Optional
Transport configuration. See Vmess Transport for details.
-
block_quic (bool), Optional
Whether to block the QUIC protocol. When set to
true, connections using this proxy will not use QUIC/HTTP3. This setting takes the highest priority, overriding both policy group and globalblock_quic. When not set, the policy group and global settings are used in order; if none are set, Vless defaults totrue(block QUIC). -
shadow_tls (object), Optional
ShadowTLS transport configuration. See ShadowTLS for details.
-
prev_hop (string), Optional
The name of the preceding proxy, used to build a proxy chain. Traffic path: local machine -> preceding proxy -> current proxy -> destination.
-
ip_version (string), Optional
IP version strategy applied when
serveris a domain that requires DNS resolution; it has no effect on an IP-literalserver. One ofdual_stack(default),v4_only,v6_only,v4_prefer,v6_prefer.
Configuration Example
vless:
name: "my-vless"
server: "vless.example.com"
port: 443
user_id: "11111111-1111-1111-1111-111111111111"
flow: xtls-rprx-vision
tfo: true
udp_relay: false
transport:
tls:
sni: www.microsoft.com
reality:
public_key: "base64_encoded_public_key"
short_id: "abc123"
WireGuard
-
name (string), Required
The proxy name, which must be globally unique.
-
server (string), Required
The server address, which can be an IP or domain name.
-
port (integer), Required
The server port.
-
private_key (string), Required
The local private key (Base64-encoded, 32-byte X25519 key).
-
peer_public_key (string), Required
The peer public key (Base64-encoded, 32-byte X25519 public key).
-
preshared_key (string), Optional
The preshared key (Base64-encoded).
-
reserved (array of integer), Optional
The reserved field (3-byte array). Used for client identification in services such as Cloudflare WARP. Format:
[byte1, byte2, byte3]. -
local_ipv4 (string), Optional
The local IPv4 address. Supports CIDR notation (e.g.,
172.16.0.2/32) or a plain IP. At least one oflocal_ipv4orlocal_ipv6must be set. -
local_ipv6 (string), Optional
The local IPv6 address. Supports CIDR notation (e.g.,
fd01:5ca1:ab1e::2/128) or a plain IP. -
dns_servers (array of string), Optional
The list of DNS servers used internally by WireGuard.
-
mtu (integer), Optional
MTU (Maximum Transmission Unit).
-
keepalive (integer), Optional
Keepalive interval (in seconds).
-
block_quic (bool), Optional
Whether to block the QUIC protocol. When set to
true, connections using this proxy will not use QUIC/HTTP3. This setting takes the highest priority, overriding both policy group and globalblock_quic. When not set, the policy group and global settings are used in order; if none are set, WireGuard defaults tofalse(allow QUIC). -
prev_hop (string), Optional
The name of the preceding proxy, used to build a proxy chain. Traffic path: local machine -> preceding proxy -> current proxy -> destination.
-
ip_version (string), Optional
IP version strategy applied when
serveris a domain that requires DNS resolution; it has no effect on an IP-literalserver. One ofdual_stack(default),v4_only,v6_only,v4_prefer,v6_prefer.
Configuration Example
wireguard:
name: "WARP"
server: engage.cloudflareclient.com
port: 2408
private_key: "base64_encoded_private_key"
peer_public_key: "base64_encoded_public_key"
local_ipv4: 172.16.0.2/32
local_ipv6: "fd01:5ca1:ab1e::2/128"
reserved: [1, 2, 3]
mtu: 1280
keepalive: 25
Vmess Transport
Used in the transport field of Vmess and Vless proxy types. The available options and example configurations are as follows:
HTTP 1
Disguises proxy traffic as HTTP/1.1 requests.
transport:
http1:
method: "GET"
path: "/"
headers:
User-Agent: "curl/7.77.0"
Accept: "*/*"
HTTP 2
Transmits proxy traffic over HTTP/2 multiplexing.
transport:
http2:
method: "GET"
path: "/"
headers:
User-Agent: "curl/7.77.0"
Accept: "*/*"
sni: "example.com"
skip_tls_verify: true
fingerprint_sha256: "aa:bb:cc:..."
The fingerprint_sha256 field accepts a SHA-256 fingerprint of the server's leaf certificate (hex, case-insensitive; : or - separators allowed). When set, the leaf certificate's DER SHA-256 is pinned and skip_tls_verify is ignored.
TLS
Transmits traffic directly over TLS encryption. Supports Reality configuration.
transport:
tls:
sni: "my-sni.example.com"
skip_tls_verify: true
fingerprint_sha256: "aa:bb:cc:..."
The fingerprint_sha256 field behaves the same as in HTTP 2.
Reality Configuration
transport:
tls:
sni: www.microsoft.com
reality:
public_key: "base64_encoded_public_key"
short_id: "abc123"
- public_key (string), Required - The server Reality public key (Base64 URL-safe encoded).
- short_id (string), Optional - The short ID (hexadecimal string).
WSS
Encapsulates proxy traffic in WebSocket and transmits it over TLS encryption.
transport:
wss:
path: "/websocket"
headers:
Host: "myhost.example.com"
sni: "my-sni.example.com"
skip_tls_verify: false
fingerprint_sha256: "aa:bb:cc:..."
The fingerprint_sha256 field behaves the same as in HTTP 2.
WS
Encapsulates proxy traffic in WebSocket (without TLS encryption).
transport:
ws:
path: "/ws"
headers:
Host: "myhost.example.com"
gRPC
Encapsulates proxy traffic in a gRPC bidirectional stream, carried over TLS with ALPN h2. The TLS layer is always applied, so gRPC traffic is always encrypted.
transport:
grpc:
service_name: "GunService"
sni: "example.com"
skip_tls_verify: false
fingerprint_sha256: "aa:bb:cc:..."
- service_name (string), Optional - The gRPC service name (e.g.
GunService); it must match the server. A value starting with/switches to custom-path mode (e.g./your/path/Tun). - user_agent (string), Optional - Custom User-Agent. Defaults to a Chrome User-Agent for traffic camouflage.
- sni (string), Optional - TLS SNI. Defaults to the server address.
- skip_tls_verify (bool), Optional - Whether to skip TLS certificate verification.
- fingerprint_sha256 (string), Optional - Behaves the same as in HTTP 2.
gRPC can also run over REALITY instead of plain TLS by adding a reality block (same fields as the TLS transport):
transport:
grpc:
service_name: "grpc"
sni: www.microsoft.com
reality:
public_key: "base64_encoded_public_key"
short_id: "abc123"
ShadowTLS
ShadowTLS transport configuration, available for use in Shadowsocks, Trojan, AnyTLS, SOCKS5, SOCKS5 over TLS, SSH, HTTP, HTTPS, Vmess, and Vless proxy types.
-
password (string), Required
The ShadowTLS authentication password.
-
sni (string), Optional
TLS SNI (used for disguise, e.g.,
www.microsoft.com).
Configuration Example
shadowsocks:
name: "SS with ShadowTLS"
server: example.com
port: 443
method: aes-256-gcm
password: ss_password
shadow_tls:
password: shadow_tls_password
sni: www.microsoft.com