📝 Release Notes
- Fixes and improvements
Important changes since 1.12:
- Add NaiveProxy outbound 1
- Add pre-match support for
auto_redirect2 - Improve
auto_redirect3 - Add Chrome Root Store certificate option 4
- Add new options for ACME DNS-01 challenge providers 5
- Add Wi-Fi state support for Linux and Windows 6
- Add curve preferences, pinned public key SHA256, mTLS and ECH
query_server_namefor TLS options 7 - Add
disable_tcp_keep_alive,tcp_keep_aliveandtcp_keep_alive_intervaloptions for dial fields 8 - Add
bind_address_no_portoption for dial fields 9 - Add system interface support for Tailscale endpoint 10
- Add Claude Code Multiplexer service 11
- Add OpenAI Codex Multiplexer service 12
- Apple/Android: Refactor GUI
- Apple/Android: Add support for sharing configurations via QRS
- Android: Add support for resisting VPN detection via Xposed
- Drop support for go1.23 13
- Drop support for Android 5.0 14
- Update uTLS to v1.8.2 15
- Update quic-go to v0.59.0
- Update gVisor to v20250811
- Update Tailscale to v1.92.4
1:
NaiveProxy outbound now supports QUIC, ECH, UDP over TCP, and configurable QUIC congestion control.
Only available on Apple platforms, Android, Windows and some Linux architectures.
Each Windows release includes libcronet.dll —
ensure this file is in the same directory as sing-box.exe or in a directory listed in PATH.
See NaiveProxy outbound.
2:
auto_redirect now allows you to bypass sing-box for connections based on routing rules.
A new rule action bypass is introduced to support this feature. When matched during pre-match, the connection will bypass sing-box and connect directly.
This feature requires Linux with auto_redirect enabled.
See Pre-match and Rule Action.
3:
auto_redirect now rejects MPTCP connections by default to fix compatibility issues.
You can change it to bypass sing-box via the new exclude_mptcp option.
Adds a fallback iproute2 rule checked after system default rules (32766: main, 32767: default),
ensuring traffic is routed to the sing-box table when no route is found in system tables.
The rule index can be customized via auto_redirect_iproute2_fallback_rule_index (default: 32768).
See TUN.
4:
Adds chrome as a new certificate store option alongside mozilla.
Both stores filter out China-based CA certificates.
See Certificate.
5:
See DNS-01 Challenge.
6:
sing-box can now monitor Wi-Fi state on Linux and Windows to enable routing rules based on wifi_ssid and wifi_bssid.
See Wi-Fi State.
7:
See TLS.
8:
The default TCP keep-alive initial period has been updated from 10 minutes to 5 minutes.
See Dial Fields.
9:
Adds the Linux socket option IP_BIND_ADDRESS_NO_PORT support when explicitly binding to a source address.
This allows reusing the same source port for multiple connections, improving scalability for high-concurrency proxy scenarios.
See Dial Fields.
10:
Tailscale endpoint can now create a system TUN interface to handle traffic directly.
See Tailscale endpoint.
11:
CCM (Claude Code Multiplexer) service allows you to access your local Claude Code subscription remotely through custom tokens, eliminating the need for OAuth authentication on remote clients.
See CCM.
12:
See OCM.
13:
Due to maintenance difficulties, sing-box 1.13.0 requires at least Go 1.24 to compile.
14:
Due to maintenance difficulties, sing-box 1.13.0 will be the last version to support Android 5.0,
and only through a separate legacy build (with -legacy-android-5 suffix).
For standalone binaries, the minimum Android version has been raised to Android 6.0,
since Termux requires Android 7.0 or later.
15:
This update fixes missing padding extension for Chrome 120+ fingerprints.
Also, documentation has been updated with a warning about uTLS fingerprinting vulnerabilities.
uTLS is not recommended for censorship circumvention due to fundamental architectural limitations;
use NaiveProxy instead for TLS fingerprint resistance.