Tunnel inbound: Add portMap config (local listening port -> remote specified address/port) 146b14a #4968 & TLS ECH client improvements #4973 #4949

*ray 一直支持“隧道”即“通过代理协议来端口转发”功能，此前主要由于命名原因（任意门）导致该功能被忽略，现在更名为了 tunnel、为原有的 address/port 参数设置了默认值、新增了优先级更高的 portMap 参数，简化配置后一个入站即可将本地多个端口通过代理协议转发到服务端对应的端口，或指定的地址/端口，详情见 #4968

这也提醒各位记得在服务端 block "geoip:private"，防止用户通过代理直接穿透到服务端的内网

TLS ECH client：@Fangliding 新增了 echForceQuery 参数以支持三种需求 #4973 ，@patterniha 复制了 Xray-core 内置 DoH 已有的特性：Chrome 指纹、header & body padding、"h2c"、echSockopt #4949 ，文档见 TLSObject

Xray-core 根配置新增 version 参数，以限制该配置文件适用的最低、最高 Xray 版本：#4970

"version": {
    "min": "25.8.3",
    "max": ""
}

NFT

本次久违地放出了一些 REALITY NFT 和几个 Project X NFT

请支持一个 REALITY NFT：https://opensea.io/assets/ethereum/0x5ee362866001613093361eb8569d59c4141b76d1/2

如果你有余力，请支持一个 Project X NFT：https://opensea.io/assets/ethereum/0x5ee362866001613093361eb8569d59c4141b76d1/1

该版本使用 Go 1.24.5 编译，已 tag v1.250803.0，感谢所有贡献者，详见下方 change log

What's Changed

• Update readme by @yuhan6665 in c569f47
• Dokodemo-door: Add simple tunnel config (alias and default values) by @RPRX in #4968
• TLS ECH client: Add echForceQuery config by @Fangliding in #4947
• Tunnel inbound: Add portMap config (local listening port -> remote specified address/port) by @RPRX in 146b14a
• TLS ECH client: Use chrome-fingerprint and add padding; Add "h2c" and echSockopt; Fix some issues by @patterniha in #4949
• Root config: Add version config (min and max) by @patterniha in #4970
• TLS ECH client: echForceQuery "full" / "half" / "none" (default) by @Fangliding in #4973
• app/proxyman/inbound/inbound.go: Fix ListHandlers() by @Fangliding in #4976
• UDS: Check address before listen by @Fangliding in #4945

Full Changelog: v25.7.26...v25.8.3

REALITY protocol: Add optional Post-Quantum ML-DSA-65 verification for cert's ExtraExtensions #4915 & TLS client & server: Support ECH #3813

REALITY 抗量子更新第二弹来袭！本次更新为 REALITY 协议加上了可选的、抗量子的 ML-DSA-65 签名验签机制，向后兼容，详情见 #4915 ，注意目标网站证书链总长度需 3500+，VLESS 分享链接标准 #716 已更新 REALITY pqv

该版本修复了 post-handshake records 的日志问题 #4845 、端口范围问题 #4843 ，将启动时探测改为并发并优化了缓存机制 XTLS/REALITY@e62c4ae 、改为用三种 ALPN 进行探测 XTLS/REALITY@05a351a ，已经 cover 绝大多数客户端指纹

时机成熟后，该版本终于合并了 TLS ECH 功能 #3813 ，文档见 TLSObject ，VLESS 分享链接标准 #716 已更新 TLS ech

该版本还新增了一些功能，比如 @Fangliding 给 DNS 出站的 nonIPQuery 加了 "reject" 以对非 IP 查询回复拒绝包 #4824 ，该版本还含有大量修复，据 @patterniha 称 Serverless-for-Iran-Anti-Sanctions 终于等齐了所有新功能和修复，即将更新

NFT

本次久违地放出了一些 REALITY NFT 和几个 Project X NFT

请支持一个 REALITY NFT：https://opensea.io/assets/ethereum/0x5ee362866001613093361eb8569d59c4141b76d1/2

如果你有余力，请支持一个 Project X NFT：https://opensea.io/assets/ethereum/0x5ee362866001613093361eb8569d59c4141b76d1/1

该版本升级了一些依赖，并使用 Go 1.24.5 编译，已 tag v1.250726.0，感谢所有贡献者，详见下方 change log

What's Changed

• BurstObservatory: add option to set http method for burst check by @Jolymmiles @Fangliding in #4835
• API: Fix issue with inbounduser not finding emails with uppercase letters by @fL1pSt3r in #4818
• DNS: Add new nonIPQuery "reject" by @Fangliding in #4824
• common: fix task leak in timer by @isluckys in #4831
• API: add option to fetch only tags from ListInbounds by @Jolymmiles in #4870
• Bump quic-go to v0.53.0 & update codes by @xDragonZ in #4906
• REALITY server: Three types of ALPN for post-handshake records detection & imitation; Two fixes by @RPRX in 1785178
• README.md: Add AnyPortal to GUI Clients by @AnyPortal in #4902
• VLESS fallbacks: dest defaults to "127.0.0.1" -> "localhost" by @xqzr in #4840
• Commands: Display Post-Quantum key exchange in tls ping by @Fangliding in #4857
• Stats API: Return status "not found" instead of "unknown" by @M03ED in #4860
• Workflows: Cleaner Docker builds, support for manual exec and pre-release by @Meo597 in #4809
• DNS outbound: Prevent panic from rejecting invalid domain by @Fangliding in #4903
• REALITY protocol: Add optional Post-Quantum ML-DSA-65 verification for cert's ExtraExtensions by @RPRX in #4915
• Freedom: Cache UDP resolve result by @Fangliding in #4804
• Freedom: Fix UDP reply mismatch-address by @patterniha in #4816
• MUX: Refine and Fix some occasional problems by @patterniha in #4861
• Reverse: portal-worker should not be closed before making sure there is at least one other active worker by @patterniha in #4869
• UDP: Fix removeRay will close a connEntry that not belongs to it by @Fangliding in #4899
• DNS hosts: Support returning RCode by @j2rong4cn in #4681
• README.md: Add Happ to macOS x64 & tvOS Clients by @mangustyura @RPRX in #4921
• README.md: Add GoXRay to macOS & Linux Clients by @garstas @RPRX in #4260
• README.md: Add Project X NFT's image & link by @RPRX in a196a16
• Update github.com/xtls/reality to 20250723121014 by @RPRX in 4433641
• Chore: Three small fixes by @patterniha in #4922
• REALITY config: Allow mldsa65 fields to be empty by @Fangliding in #4924
• REALITY config: Convert mldsa65Seed to its private key later by @RPRX in 31b508d
• README.md: Update Donation & NFTs by @RPRX in 26de589
• REALITY client: Fix log when printing "is using X25519MLKEM768..." by @Fangliding in #4929
• Commands: Output certificate chain's total length in tls ping by @Fangliding @RPRX in #4933
• Inbounds & Outbounds: TCP KeepAlive better default value by @Fangliding in #4931
• Update github.com/xtls/reality to 20250725142056 by @RPRX in caee152
• UDP: Remove removeRay()'s error log by @Fangliding in #4936
• Workflows: Fix github.ref_name sometimes is empty when building Docker images by @Meo597 in #4937
• UDP listener: Allow listening on "localhost" by @Fangliding in #4940
• Freedom UDP: Fix some cone uses like STUN,... when address is domain by @patterniha in #4942
• REALITY config: mldsa65Seed and privateKey can not be the same value by @RPRX in 5f93ff6
• Commands: Add adu/rmu inbound user management to API by @vrnobody in #4943
• TLS client & server: Support Encrypted Client Hello (ECH) by @Fangliding @yuhan6665 in #3813

New Contributors

• @Jolymmiles made their first contribution in #4835
• @fL1pSt3r made their first contribution in #4818
• @xDragonZ made their first contribution in #4906
• @AnyPortal made their first contribution in #4902
• @M03ED made their first contribution in #4860
• @garstas made their first contribution in #4260

Full Changelog: v25.6.8...v25.7.26

See https://github.com/XTLS/Xray-core/releases/tag/v25.7.26

See https://github.com/XTLS/Xray-core/releases/tag/v25.7.26

See https://github.com/XTLS/Xray-core/releases/tag/v25.7.26

REALITY practice: Detect & imitate target's post-handshake records

#4778 提到 @ban6cat6 发布了检测工具 Aparecium，通过检测“未模仿 OpenSSL 握手后发的两个 NewSessionTicket”来检测 REALITY、ShadowTLS 等可以“偷别人”的协议，对此，Xray 团队迅速响应，研究并着手修复该问题

该版本 REALITY 服务端启动后会自动用 Chrome 指纹探测 target 的 post-handshake records 长度，耗时半分钟左右（期间会阻塞代理请求），并在后续的 REALITY 连接中模仿发送这些 records，从而初步修复了上述问题，请大家尽快升级服务端

再次感谢 @ban6cat6 的发现，与此同时，Xray 团队对这类问题的响应与修复速度也非常值得骄傲

该版本还重点修复了上个版本中 REALITY 服务端未用上 AES-NI 硬件加速导致性能下降的问题 #4741 ，以及合并了 REALITY 回落限速、Docker 镜像重构、Happy Eyeballs、DNS New Features 等重要 PR，Serverless-for-Iran 预计会有更新

请支持一个 REALITY NFT：https://opensea.io/assets/ethereum/0x5ee362866001613093361eb8569d59c4141b76d1/2

如果你有余力，请支持一个 Project X NFT：https://opensea.io/assets/ethereum/0x5ee362866001613093361eb8569d59c4141b76d1/1

该版本升级了一些依赖，并使用 Go 1.24.4 编译，已 tag v1.250608.0，感谢所有贡献者，详见下方 change log

What's Changed

• README.md: Rename FoXray to OneXray in GUI Clients by @yiguodev in #4754
• Update reality to 20250527 by @yuhan6665 in 84c8e24
• BurstObservatory: Fix nil panic when pingConfig is missing by @Fangliding in #4757
• Core: Export the running bool by @codewithtamim in #4775
• Workflows: Refactor docker by @Meo597 in #4738
• API: Add ListInbounds and ListOutbounds by @gsergey418 in #4723
• Outbound: Fix sendthrough srcip precheck by @ImAubrey @RPRX in #4750
• DNS New Features: disableCache, finalQuery, unexpectedIPs, "*", UseSystem-queryStrategy, useSystemHosts by @patterniha in #4666
• README.md: Add Amnezia VPN to Others by @yuhan6665 in #4718
• REALITY practice: Detect & imitate target's post-handshake records by @RPRX in ab0b9a6
• Sniffer-destOverride: Remove fakedns+others option by @patterniha in #4739
• README.md: Add VPainLess to One Click by @vpainless @RPRX in #4782
• README.md: Add SimpleXray to Android Clients by @lhear in #4761
• Update github.com/xtls/reality to 20250607105625 by @RPRX in bfbccc2
• New feature: Happy Eyeballs (RFC 8305) by @patterniha in #4667
• Tests: Fix TestCommanderListHandlers by @Meo597 in #4789
• Tests: Real fix for TestCommanderListHandlers by @Meo597 in #4792
• Docker: Fix geodata directory permissions issue by @Meo597 in #4790
• README.md: Add DeepWiki badge to Contributing by @TonyMa1 @RPRX in #4777
• RAW transport hub.go: Call REALITY's DetectPostHandshakeRecordsLens() in advance by @RPRX in e011b74
• REALITY: Add rate limiting to fallback handling via token bucket by @Meo597 in #4553
• README.md: Add xtls-sdk to Xray Wrapper by @kastov in #4793
• README.md: Add GorzRay to Linux Clients by @ketetefid in #4767

New Contributors

• @codewithtamim made their first contribution in #4775
• @gsergey418 made their first contribution in #4723
• @vpainless made their first contribution in #4782
• @lhear made their first contribution in #4761
• @TonyMa1 made their first contribution in #4777
• @kastov made their first contribution in #4793
• @ketetefid made their first contribution in #4767

Full Changelog: v25.5.16...v25.6.8

See https://github.com/XTLS/Xray-core/releases/tag/v25.6.8

REALITY practice: Support X25519MLKEM768 for TLS' communication

REALITY 抗量子更新第一弹来袭！升级服务端、客户端至该版本，REALITY target 支持 X25519MLKEM768 时将自动启用

X25519MLKEM768 可有效预防被“现在记录、以后拿量子计算机解密 TLS 流量”，此外 #3813 (comment)

最近有越来越多的网站开始支持 X25519MLKEM768 了，所以服务端一定要及时升级，避免新版客户端连不上

感谢 @yuhan6665 对 REALITY 仓库的维护，以及 @mingyech @BRUHItsABunny 对 uTLS 仓库的维护

有人觉得这次是 breaking，其实不尽然，因为我发得早，现在已经支持 X25519MLKEM768 的就技术前沿像 CF、Google 这样的，它们都没人偷，等一两个月后其它网站陆续开始支持了，大家的服务端早就升级、兼容了，所以我必须让 v25.5.16 成为新的稳定版

Shadowrocket TF 版已支持 XHTTP，大家可以测测，如果有问题请反馈过去

此外从上个版本开始，auto mode 的 XHTTP TLS 默认改为 packet-up，XHTTP REALITY 默认仍为 stream-one

请支持一个 REALITY NFT：https://opensea.io/assets/ethereum/0x5ee362866001613093361eb8569d59c4141b76d1/2

如果你有余力，请支持一个 Project X NFT：https://opensea.io/assets/ethereum/0x5ee362866001613093361eb8569d59c4141b76d1/1

该版本升级了一些依赖，并使用 Go 1.24.3 编译，已 tag v1.250516.0，感谢所有贡献者，详见下方 change log

What's Changed

• README.md: Add Remnawave to Web Panels by @iambabyninja in #4498
• API: Fix data race in online ipList by @Fangliding in #4513
• DNS: Ensure order for DNS server match by @Fangliding in #4510
• DNS: Add allowUnexpectedIPs for DnsServerObject by @patterniha in #4497
• DNS: Add tag for DnsServerObject by @Fangliding in #4515
• DNS: Retry with EDNS0 when response is truncated by @Fangliding in #4516
• DNS: Add timeoutMs for DnsServerObject by @patterniha in #4523
• Sockopt: Fix Windows UDP interface bind; Allow Linux customSockopt work for UDP by @Fangliding in #4504
• DNS DoH: Use EDNS0 with 100-300 padding by default (body padding) by @RPRX in 607c2a6
• Env: Add XRAY_LOCATION_CERT variable by @patterniha @RPRX in #4536
• DNS: Support returning upstream TTL to clients by @Meo597 in #4526
• DNS: Add expectedIPs as an alias of expectIPs by @patterniha in #4551
• HTTP inbound: Directly forward plain HTTP 1xx response header by @Fangliding in #4547
• Chore: Optimize .gitignore by @Pk-web6936 in #4564
• DNS: Use cache for NXDOMAIN (rcode 3 error) by @patterniha in #4560
• Sockopt: Fix Windows Multicast interface bind by @xqzr in #4568
• WireGuard: Improve config error handling; Prevent panic in case of errors during server initialization by @IlyaGulya in #4566
• Dialer: Do not use ListenSystemPacket() when dialing UDP by @RPRX in 8284a0e
• Sockopt: Fix Darwin (macOS, iOS...) UDP interface bind by @92613hjh in #4530
• Sockopt: Allow listen v6only work for Windows & Darwin by @xqzr @RPRX in #4571
• Config: Implement missing MarshalJSON for structs having custom UnmarshalJSON by @ragavpr in #4585
• Sockopt: Use Windows syscall by @xqzr in #4581
• Fix issues related to android client by @Cl-He-O in #4616
• Sockopt: Allow customSockopt work for Windows & Darwin by @Fangliding in #4576
• README.md: Add Loon to Others by @RPRX in 8212325
• README.md: Rename Clash.Meta to mihomo in Others by @RPRX in 2916b1b
• XHTTP client: Set packet-up as the default mode (auto) when using TLS by @RPRX in 0995fa4
• Sockopt: Fix Windows IP_MULTICAST_IF & IPV6_MULTICAST_IF by @xqzr in #4627
• DNS log: Optimize IP address display by @ddatsh in #4630
• uTLS: Add new fingerprints by @yuhan6665 in a608c5a
• QUIC sniffer: Full support for handling multiple initial packets by @j2rong4cn @RPRX @Vigilans @xiaokangwang @dyhkwong in #4642
• buffer.go: Ensure extended part by Extend() & Resize() are all-zero by @RPRX in 2eed70e
• QUIC sniffer: Optimize the code by @j2rong4cn in #4655
• Sockopt: Fix some domainStrategy & dialerProxy bugs by @patterniha in #4661
• DNS: Fix some bugs; Refactors; Optimizations by @patterniha in #4659
• Workflows: Build Android(7+) using NDK; Add Android(7+) amd64 build by @j2rong4cn in #4664
• Chore: Update gVisor to the latest version; Fmt .go files by @Pk-web6936 in #4663
• Improve random IP compatibility: support IPv4, add srcip option, and sync client source IP via sendthrough by @ImAubrey in #4671
• DNS: Extend hosts Abilities by @patterniha in #4673
• Workflows: Authenticating the GitHub API call with GitHub token by @yin1999 in #4703
• DNS-Hosts: appending matched-results again by @patterniha @Fangliding in #4702
• Workflows: Ensure Geodat exists by @Meo597 in #4680
• Removing code that was not being executed and should not be executed. by @patterniha in #4721
• REALITY practice: Support X25519MLKEM768 for TLS' communication by @RPRX in 7ddc4a2
• REALITY protocol: Remove ChaCha20-Poly1305 support for REALITY's session id auth by @RPRX in 09d84c4
• Sniffer: Fix potential infinite loop by @patterniha @Fangliding in #4726
• QUIC sniffer: Fix potential slice panic by @Fangliding in #4732

New Contributors

• @Meo597 made their first contribution in #4526
• @Pk-web6936 made their first contribution in #4564
• @IlyaGulya made their first contribution in #4566
• @92613hjh made their first contribution in #4530
• @ragavpr made their first contribution in #4585
• @Cl-He-O made their first contribution in #4616
• @ddatsh made their first contribution in #4630
• @j2rong4cn made their first contribution in #4642

Full Changelog: v25.3.6...v25.5.16

Xray-core 四月累积更新版本，主要包含大量修复，以及 XHTTP TLS 默认改为 packet-up，XHTTP REALITY 默认仍为 stream-one

Xray-core v25.4.30 已转为 latest 以触发更大范围的测试，目前的发布策略是即使没有 release notes，每两个版本标一个 latest，有 release notes 时再标 v1.250306.0 这样的兼容性 tag

小火箭 TF 版已支持 XHTTP，大家可以测测，如果有问题请反馈过去

Full Changelog: v25.3.31...v25.4.30

Xray-core 三月累积更新版本，主要包含大量针对 DNS 和 sockopt 的增强，以及其它几处修复，感谢各位贡献者

https://xtls.github.io/config/dns.html#dnsserverobject

Full Changelog: v25.3.6...v25.3.31