XTLS Vision: Add testpre (outbound pre-connect) and testseed (outbound & inbound) #5270

本次重点更新内容：

1. XTLS Vision 加了试验性的“预连接”以消除延迟，开放用户自定义配置最关键的四个 padding 相关参数，详见 #5270
2. 服务端 sockopt 加了 trustedXForwardedFor 以防止 XHTTP、WS、HU 客户端伪造源 IP，详见 #5331
3. VLESS inbound 开了 Reverse Proxy 的 UUID 将默认被拒绝使用正向代理，更加安全，详见 #5101 (comment)
4. @Meo597 对 DNS 和路由模块进行了一些重构、优化、功能新增，详见下方 change log

Sponsors

Sponsor Xray-core

Donation & NFTs

Collect a Project X NFT to support the development of Project X!

• TRX(Tron)/USDT/USDC: TNrDh5VSfwd4RPrwsohr6poyNTfFefNYan
• TON: UQApeV-u2gm43aC1uP76xAC1m6vCylstaN1gpfBmre_5IyTH
• BTC: 1JpqcziZZuqv3QQJhZGNGBVdCBrGgkL6cT
• XMR: 4ABHQZ3yJZkBnLoqiKvb3f8eqUnX4iMPb6wdant5ZLGQELctcerceSGEfJnoCk6nnyRZm73wrwSgvZ2WmjYLng6R7sR67nq
• SOL/USDT/USDC: 3x5NuXHzB5APG6vRinPZcsUv5ukWUY1tBGRSJiEJWtZa
• ETH/USDT/USDC: 0xDc3Fe44F0f25D13CACb1C4896CD0D321df3146Ee
• Project X NFT: https://opensea.io/item/ethereum/0x5ee362866001613093361eb8569d59c4141b76d1/1
• VLESS NFT: https://opensea.io/collection/vless
• REALITY NFT: https://opensea.io/item/ethereum/0x5ee362866001613093361eb8569d59c4141b76d1/2
• Related links: VLESS Post-Quantum Encryption, XHTTP: Beyond REALITY, Announcement of NFTs by Project X

该版本升级了一些依赖，并使用 Go 1.25.5 拉满 inline 编译，已 tag v1.251208.0，感谢所有贡献者，详见下方 change log

What's Changed

• REALITY config: Return error when short id is too long by @Fangliding @RPRX in #5276
• Fix wireguard not discarding broken connection on android by @Exclude0122 in #5304
• README.md: Add Remnawave & Happ to Sponsors by @RPRX in 4e8ee30
• README.md: Add TRX & TON & BTC & XMR & SOL to Donation & NFTs by @RPRX in 8a4b0a9
• README.md: Add v2rayN to macOS & Linux Clients by @alen420 in #5271
• Socks: Fix buffer full panic when encoding large UDP packets by @vemneyy @Fangliding in #5252
• Docker: Use more aggressive inlining for higher efficiency by @Meo597 in #5242
• Refactor WrapLink logic by @Fangliding in #5288
• HTTP outbound: Read negotiated protocol from uTLS by @hax0r31337 in #5251
• DNS: Fix wrong protocol parse by @vanserox @Fangliding in #5232
• refactor(dns): enhance cache safety, optimize performance, and refactor query logic by @Meo597 in #5248
• perf(GeoIPMatcher): faster heuristic matching with reduced memory usage by @Meo597 in #5289
• perf(router): adjust the order of rules to optimize performance by @Meo597 in #5267
• perf(dns): cache network capability check by @Meo597 in #5244
• feat(dns): add optimistic caching by @Meo597 in #5237
• feat(dns): add parallel query by @Meo597 in #5239
• Router: Remove the deprecated UseIP option by @Meo597 in #5323
• Sockopt config: Add trustedXForwardedFor (for XHTTP, WS, HU inbounds) by @RPRX in #5331
• VLESS Reverse Proxy: Forbid reverse-proxy UUID using forward-proxy, enabled by default by @RPRX in a83253f
• fix(dns): inheritance issue with disableCache by @Meo597 in #5351
• XTLS Vision: Check TLS record isComplete by @yuhan6665 in #5179
• XTLS Vision: Add testpre (outbound pre-connect) and testseed (outbound & inbound) by @RPRX @Fangliding in #5270
• XTLS Vision: Fix IsCompleteRecord() by @Fangliding in #5365
• XTLS Vision: Discard expired pre-connect conn automatically by @RPRX in c123f16
• XTLS Vision: Fix enabled uplink splice flag by mistake by @yuhan6665 in #5391
• XTLS Vision: LogInfo() -> LogDebug() by @RPRX in bd7503d
• Chore: Remove ctlcmd and leftover envvar by @KobeArthurScofield in #5392

New Contributors

• @Exclude0122 made their first contribution in #5304
• @alen420 made their first contribution in #5271
• @vemneyy made their first contribution in #5252
• @vanserox made their first contribution in #5232

Full Changelog: v25.10.15...v25.12.8

See https://github.com/XTLS/Xray-core/releases/tag/v25.12.8

See https://github.com/XTLS/Xray-core/releases/tag/v25.12.8

VLESS Reverse Proxy: Transfer real Source & Local (IP & port), enabled by default #5101 (comment)

本次重点更新内容：

1. VLESS Reverse Proxy 默认加了传递公网端的 Source & Local (IP & port) 到内网端，详见 #5101 (comment)
2. 升级了 uTLS 库以修复 Chrome 指纹的问题，客户端应当尽快升级，详见 #5230 (comment)
3. 看到很多小白不会配置 XHTTP XMUX 还抱怨测速不理想，索性把 maxConcurrency 默认改为了 1 试试
4. @KobeArthurScofield 参考 VLESS 出站简化了所有协议的出站配置，并且现在每个出站只能有一个 end point 和 user

VLESS NFT

VLESS NFT 自成一个系列，每个图片都不同且只有一个，你可以选择自己喜欢的图片来收藏，先到先得

https://opensea.io/collection/vless 首发放出了二十个不同的 VLESS NFT 图片

本次还放出了两个稀缺的 Project X NFT，如果你有余力，请支持一下：https://opensea.io/assets/ethereum/0x5ee362866001613093361eb8569d59c4141b76d1/1

该版本升级了一些依赖，并使用 Go 1.25.3 拉满 inline 编译，已 tag v1.251015.0，感谢所有贡献者，详见下方 change log

What's Changed

• app/dispatcher/default.go: Add comment on run-time rejecting non-existent outbound tag by @RPRX in 5148c57
• app/dispatcher/default.go: Close link when routedDispatch() failed by @patterniha in #5131
• Config: Outbound proxy config no need to be nested by @KobeArthurScofield in #5124
• Outbound: One endpoint and at most one user only by @KobeArthurScofield in #5144
• Fix vless reverse panic in vision by @Fangliding in #5189
• External config: Add unix socket HTTP loader support by @kastov in #5200
• fix: darwin arm64 always has AESGCMHardwareSupport by @wwqgtxx in #5176
• Fix shadowsocks2022 memory leak by @Fangliding in #5166
• transport/internet/reality/reality.go: Safely get negotiated CurveID in VerifyPeerCertificate() by @RPRX in 40f0a54
• README.md: Add PasarGuard to Web Panels by @M03ED in #5224
• Router: Use built-in-dns only once for all rules (in "IPOnDemand"/"IPIfNonMatch" mode) by @patterniha in #5210
• XHTTP client: Change default maxConcurrency to 1 for speed testing by @RPRX in 9cc7907
• VLESS Reverse Proxy: Transfer real Source & Local (IP & port), enabled by default by @RPRX in 12f4a01

New Contributors

• @wwqgtxx made their first contribution in #5176

Full Changelog: v25.9.11...v25.10.15

VLESS protocol: Add Reverse Proxy (4) Command and extremely simple config #5101

Xray-core v25.9.11 极大程度上简化了反向代理 / 内网穿透、VLESS 出站的配置，极简配置示例与安全注意事项详见 #5101

这个 PR 的目的就是为了让 Xray 更适合做反向代理 / 内网穿透，独特的优势是你可以直接复用拿来翻墙的那台 VPS、复用 REALITY 的抗量子加密且防封，因为 REALITY 不仅可以稳定地穿透 GFW，也可以穿透公司网络那些奇奇怪怪的审计

内网端可以设 CDN 等多条冗余线路均为 "reverse": { "tag": "yyy" } 对应公网端多个相同的 "reverse": { "tag": "xxx" }，这也是 Xray-core / VLESS 做反向代理 / 内网穿透的优势之一，后续可能加哪条线路更优先等设置

不会有路由问题，公网端多个入站 reverse tag 相同也只会产生一个出站，目前是多条线路同时存在、每次使用随机选择
现在有的功能是，假如某个线路不通了，比如说内网端没连上来，可用池中就不会有这条线路，流量会自动走其它线路

VLESS NFT

VLESS NFT 自成一个系列，每个图片都不同且只有一个，你可以选择自己喜欢的图片来收藏，先到先得

https://opensea.io/collection/vless 首发放出了二十个不同的 VLESS NFT 图片

本次还放出了两个稀缺的 Project X NFT，如果你有余力，请支持一下：https://opensea.io/assets/ethereum/0x5ee362866001613093361eb8569d59c4141b76d1/1

该版本升级了一些依赖，并使用 Go 1.25.1 拉满 inline 编译，已 tag v1.250911.0，感谢所有贡献者，详见下方 change log

What's Changed

• app/reverse/bridge.go: Fix DispatchLink() returns immediately by @RPRX in 6ec0291
• app/reverse/portal.go: Fix HandleConnection() returns immediately (from DispatchLink() with configured domain) by @RPRX in 4b0ee28
• app/reverse/portal.go: Fix goroutine leak & Add EndpointOverride by @patterniha in #5100
• Commands: Fix "with SNI" printing fixed port 443 for tls ping by @AndyChiang888 in #5099
• mKCP: Fix key derivation for obfuscation by @Fangliding in #5106
• VMess: Returns clearer error in AuthIDDecoderHolder by @Fangliding in #5090
• VLESS protocol: Add Reverse Proxy (4) Command and extremely simple config by @RPRX in #5101
• README.md: Add X-Panel to Web Panels by @xeefei in #5094
• Update github.com/xtls/reality to 20250904214705 by @RPRX in 4ae4971
• TPROXY: Prevent TCP loopback by @Fangliding in #5114
• MUX: Prevent goroutine leak by @patterniha in #5110
• Fix #5114 (comment) by @Fangliding in #5118
• app/reverse/bridge.go: Add timer nil check by @patterniha in #5119

New Contributors

• @AndyChiang888 made their first contribution in #5099
• @xeefei made their first contribution in #5094

Full Changelog: v25.9.5...v25.9.11

See https://github.com/XTLS/Xray-core/releases/tag/v25.9.11

VLESS protocol: Add lightweight, Post-Quantum ML-KEM-768-based PFS 1-RTT / anti-replay 0-RTT AEAD Encryption #5067

Xray-core v25.9.5 未来已来，本次重点更新内容：

过于先进的 VLESS Post-Quantum Encryption：

• 抗量子的密钥交换与身份认证、前向安全、客户端配置安全、0-RTT
• 无需对时、完美的重放防护、无需多次尝试解密以确定用户、无需额外 AEAD length 故性能更优
• 建议开 XTLS 避免二次加解密（native/xorpub 可自动 ReadV/Splice），可再叠上 XHTTP、WS 等传输层，详见 #5067

适合机场的 VLESS Route：

• 允许在分享给客户端的 UUID 中自定义第 7、8 个字节
• 服务端路由设置 vleesRoute 以匹配它们、分流不同出口，详见 https://xtls.github.io/config/routing.html#ruleobject

利好 iOS 的 客户端性能提升：

• Tunnel/Socks/HTTP 入站去掉了 pipe 及其内置缓存，Xray-core 运行效率更高、占用内存更少，详见 #5067 (comment)

Xray-core v25.9.5 相较于 v25.8.31：

• 修复了延迟问题 fd54b10 、用户流量统计问题 d20397c
• VLESS 入站也去掉了 pipe 及其内置缓存 #5076
• 新增了 ./xray vlessenc 指令 #5078
• 以及其它的一些修复与改进

VLESS NFT

VLESS NFT 自成一个系列，每个图片都不同且只有一个，你可以选择自己喜欢的图片来收藏，先到先得

https://opensea.io/collection/vless 首发放出了二十个不同的 VLESS NFT 图片

本次还放出了两个稀缺的 Project X NFT，如果你有余力，请支持一下：https://opensea.io/assets/ethereum/0x5ee362866001613093361eb8569d59c4141b76d1/1

该版本升级了一些依赖，并使用 Go 1.25.1 拉满 inline 编译，已 tag v1.250905.0，感谢所有贡献者，详见下方 change log

What's Changed

• API: Fix user online map remain 1 after connection dropped by @LjhAUMEM in #4982
• feat(api): update timestamp for existing IPs in AddIP instead of skipping by @LjhAUMEM in #4989
• Router: Add localIP and localPort; Add sourceIP as an alias of source by @patterniha in #4992
• Freedom: Add maxSplit fragment option; Add applyTo noises option by @patterniha in #4998
• Refine must2 and apply NewAesGcm() to all usage by @Fangliding in #5011
• Chore: Migrate to Go 1.25 by @Fangliding in #5024
• common/buf/multi_buffer.go: Fix Compact() by @Fangliding @patterniha in #5015
• XHTTP client: Fix edge-case issue for packet-up mode by @Fangliding in #5020
• Outbound: Add targetStrategy; Fix mux does not close link.Reader; Fix origin does not work on UDP; Add logs by @patterniha in #5006
• VLESS inbound: Add option to set default flow by @Jolymmiles in #5023
• Build: Use more aggressive inlining for higher efficiency by @KobeArthurScofield in #5026
• Direct/Freedom config: Add targetStrategy as an alias of domainStrategy; Routing config: Remove domainMatcher, "linear" and type by @patterniha in #5027
• DNS outbound: Set "reject" as the default value for nonIPQuery by @RPRX in de23e51
• VLESS practice: Use user-sent VLESS UUID's last byte as vlessRoute for routing rules by @RPRX in 105b306
• Wireguard inbound: Fix context sharing problem by @yuhan6665 in #4988
• XTLS Vision inbound: Use user-sent VLESS UUID for NewTrafficState() by @RPRX in 5464862
• VLESS practice: Use user-sent VLESS UUID's 7th<<8 | 8th bytes as vlessRoute instead by @RPRX in 7f300db
• Issues template: Refine requirements by @Fangliding in 573300b
• Chore: Optimize .gitignore by @Skh-web6982 in #5029
• Some refines related to direct/freedom and targetStrategy; More intelligent "useIP"/"ForceIP", enhance "origin" functionality by @patterniha in #5030
• Commands: Add -outpbfile for convert pb by @KobeArthurScofield in #5048
• common/signal/timer.go: Refator to use sync.Once by @Fangliding in #5052
• WireGuard outbound: Fix close closed by @Fangliding in #5054
• checkSystemNetwork(): Use c.root-servers.net by @xqzr in #5059
• Test_parseResponse(t *testing.T): Use dns.google for IPv6 by @xqzr in #5060
• VLESS protocol: Add lightweight, Post-Quantum ML-KEM-768-based PFS 1-RTT / anti-replay 0-RTT AEAD Encryption by @RPRX in #5067
• README.md: Update Donation & NFTs by @RPRX in 702d2c0
• Update github.com/xtls/reality to 20250828044527 by @RPRX in 12b077f
• Socks/HTTP inbound: Fix unexpected rawConn copy by @Fangliding in #5041
• First step of upcoming refactor for Xray-core: Add TimeoutWrapperReader; Use DispatchLink() in Tunnel/Socks/HTTP inbounds by @RPRX in 56a45ad
• VLESS Encryption: Re-add automatically ChaCha20-Poly1305 by @RPRX in 82ea7a3
• Trojan-UoT & UDP-nameserver: Fix forgotten release buffer; UDP dispatcher: Simplified and optimized by @patterniha in #5050
• Trojan UoT: Fix memory/goroutine leak by @patterniha in #5064
• common/buf/buffer.go: Replace copy zero with clear() by @Fangliding @SkrideOne in #5071
• Commands/run: Try all suffixes for default config by @RPRX in a31842f
• Chore: Fix tests by @RPRX in fbb0ecf
• VLESS Encryption: Add customizable 1-RTT padding parameters; Decrease memory using; Chores by @RPRX @wwqgtxx in e8b02cd
• VLESS Encryption: Switch to "probability-from-to" format for customizable 1-RTT padding parameters by @RPRX in 6768a22
• TimeoutWrapperReader: Fix latency issue by @RPRX in fd54b10
• VLESS Encryption: Server checks one specific zero-bit in the peer-sent X25519 public key in relays by @RPRX in 4c6fd94
• Direct/Freedom outbound: Use proxy.IsRAWTransport(conn) by @yuhan6665 in #5074
• XTLS Vision: Refactor code to use DispatchLink() in VLESS inbound by @yuhan6665 in #5076
• proxy/proxy.go: IsRAWTransport() -> IsRAWTransportWithoutSecurity() by @RPRX in e943de5
• VLESS Encryption: Randomize seconds in ticket and simplify expiration mechanism by @RPRX in 19f8907
• DispatchLink(): Fix user stats by @RPRX in d20397c
• VLESS Encryption: Improve server-side tickets' expiration mechanism by @RPRX in cbade89
• Commands: Add vlessenc (generate complete json pair directly) by @Fangliding @RPRX in #5078
• DNS outbound: Fix some issues by @patterniha in #5081

New Contributors

• @LjhAUMEM made their first contribution in #4982
• @Skh-web6982 made their first contribution in #5029

Full Changelog: v25.8.3...v25.9.5

See https://github.com/XTLS/Xray-core/releases/tag/v25.9.5

See https://github.com/XTLS/Xray-core/releases/tag/v25.9.5

Tunnel inbound: Add portMap config (local listening port -> remote specified address/port) 146b14a #4968 & TLS ECH client improvements #4973 #4949

*ray 一直支持“隧道”即“通过代理协议来端口转发”功能，此前主要由于命名原因（任意门）导致该功能被忽略，现在更名为了 tunnel、为原有的 address/port 参数设置了默认值、新增了优先级更高的 portMap 参数，简化配置后一个入站即可将本地多个端口通过代理协议转发到服务端对应的端口，或指定的地址/端口，详情见 #4968

这也提醒各位记得在服务端 block "geoip:private"，防止用户通过代理直接穿透到服务端的内网

补充：Xray-core v25.8.3 顺便给 freedom 加了别名 direct、blackhole 加了别名 block 以追求直观

TLS ECH client：@Fangliding 新增了 echForceQuery 参数以支持三种需求 #4973 ，@patterniha 复制了 Xray-core 内置 DoH 已有的特性：Chrome 指纹、header & body padding、"h2c"、echSockopt #4949 ，文档见 TLSObject

Xray-core 根配置新增 version 参数，以限制该配置文件适用的最低、最高 Xray 版本：#4970

"version": {
    "min": "25.8.3",
    "max": ""
}

NFT

本次久违地放出了一些 REALITY NFT 和几个 Project X NFT

请支持一个 REALITY NFT：https://opensea.io/assets/ethereum/0x5ee362866001613093361eb8569d59c4141b76d1/2

如果你有余力，请支持一个 Project X NFT：https://opensea.io/assets/ethereum/0x5ee362866001613093361eb8569d59c4141b76d1/1

该版本使用 Go 1.24.5 编译，已 tag v1.250803.0，感谢所有贡献者，详见下方 change log

What's Changed

• Update readme by @yuhan6665 in c569f47
• Dokodemo-door: Add simple tunnel config (alias and default values) by @RPRX in #4968
• TLS ECH client: Add echForceQuery config by @Fangliding in #4947
• Tunnel inbound: Add portMap config (local listening port -> remote specified address/port) by @RPRX in 146b14a
• TLS ECH client: Use chrome-fingerprint and add padding; Add "h2c" and echSockopt; Fix some issues by @patterniha in #4949
• Root config: Add version config (min and max) by @patterniha in #4970
• TLS ECH client: echForceQuery "full" / "half" / "none" (default) by @Fangliding in #4973
• app/proxyman/inbound/inbound.go: Fix ListHandlers() by @Fangliding in #4976
• UDS: Check address before listen by @Fangliding in #4945

Full Changelog: v25.7.26...v25.8.3