Releases: XTLS/Xray-core
Xray-core v26.2.6
XHTTP transport: New options for bypassing CDN's potential detection #5414 & Finalmask: Add XICMP, XDNS (relies on mKCP, like DNSTT), header-*, mkcp-*
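To defend the freedom of communication, the highlights of this update are:
- XHTTP adds some options for bypassing potential CDN detection (not yet finalized; third-party implementations are advised not to follow yet), see #5414
- The User-Agent of Xray-core's HTTP requests changes from Go's to a dynamic Chrome one (can be overridden by config such as headers), see #5658
- Finalmask UDP adds XICMP, XDNS, header-*, mkcp-*; the share link standard #716 has been updated with `fm`, `pcs`, `vcn`
- Finalmask UDP now supports UDP traffic produced by proxy-layer protocols such as WireGuard and SS AEAD/2022, see #5643
- TLS removes the `allowInsecure` config option; use `pinnedPeerCertSha256` and `verifyPeerCertByName` instead, see 2c92339
- Further reduced the transient memory usage at Xray-core startup #5581; for iOS/router please test #5505
- v26.2.6 includes config option changes and important fixes for features added in v26.1.23; please upgrade Xray-core and GUI clients promptly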
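https://t.me/projectXtls/1464 In addition, next month we will launch the XDRIVE transport layer and the XICMP mask layer. The former can carry data over cloud drives, S3 stores and similar services; it needs no public IP of your own and instead proxies through potentially whitelisted IPs, or any domestic service that can be reached from abroad will do.
https://t.me/projectXtls/1473 The definition is now clear: the "final mask layer" is a lowest-level "unreliable transport layer". For UDP, for example, it only disguises each packet and does not ensure reliable delivery (it relies on mKCP/QUIC/WG above it, or the proxy protocol simply wants native UDP behaviour). On the other hand, the things put into it are freewheeling and lack robustness against detection, but may just work wonders: the existing XICMP, XDNS, header-*, mkcp-*, Salamander; later TCP/TLS fragment and UDP noises will be moved over as well, all of them supporting share links; plus the reportedly useful ASCII, and what gfw-killer wants, adding custom data at the start of a TCP stream, and so on. Game disguises such as MC may also be added, and if you have a wild idea you can propose it. There are two cases: one only adds a header, the other really transmits data through that thing. The first will be named header-*, the second X* (too lazy to come up with names). Also, the TCP disguises can be offloaded to other programs through VLESS fallbacks.
https://t.me/projectXtls/1478 If you do not care about active probing, the simplest method is actually REALITY with an arbitrary SNI: the value the server allows and the value the client fills in only need to match, without the hassle of self-signing and then pinning, and almost all clients support REALITY and its share links. Isn't that better than self-signing?
https://t.me/projectXtls/1490 To give a few proxy providers ("airports") some migration time, today's release sets allowInsecure to be disabled automatically after a delay (UTC 2026.6.1 00:00). Please contact your provider to add pcs/vcn to subscription configs that use allowInsecure, which makes them compatible with both new and old versions.
Like the plaintext HTTP panel, this is a security design problem that *ray has had from the very beginning: self-signed certificates can be allowed, but an option that does not verify the certificate at all should never have been offered, and it was then wrongly copied by more and more proxy software. A single active probe tells the GFW that you can be MITM'd.
After all, proxies today are increasingly moving to VLESS, Trojan, Hy2 and other protocols whose inner layer is plaintext and which rely on the TLS layer for security, so now that the GFW is known to have complete MITM capability and has made large-scale attempts in other countries, this problem must be corrected.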
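The difference between skipping certificate verification and pinning, as an added Go example (not Xray-core's code): it contrasts a crypto/tls client config that checks nothing, the behaviour described above for allowInsecure, with one that accepts only a leaf certificate whose SHA-256 matches a pinned value. The helper names and the throwaway certificates are constructed for the example, and the lowercase-hex pin encoding is an assumption, not the documented format of pinnedPeerCertSha256.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// selfSignedDER returns a throwaway self-signed certificate (constructed sample data).
func selfSignedDER() []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	return der
}

// pinOf returns the lowercase hex SHA-256 of a certificate's DER encoding.
func pinOf(der []byte) string { s := sha256.Sum256(der); return hex.EncodeToString(s[:]) }

// insecureConfig performs no certificate verification at all.
func insecureConfig() *tls.Config { return &tls.Config{InsecureSkipVerify: true} }

// pinnedConfig skips chain building but accepts only a leaf whose hash equals pinHex.
func pinnedConfig(pinHex string) *tls.Config {
	return &tls.Config{InsecureSkipVerify: true,
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			if len(raw) == 0 || pinOf(raw[0]) != pinHex {
				return errors.New("leaf certificate does not match pin")
			}
			return nil
		}}
}

// accepts mirrors crypto/tls when InsecureSkipVerify is set: the callback, if any, is the only check.
func accepts(cfg *tls.Config, der []byte) bool {
	return cfg.VerifyPeerCertificate == nil || cfg.VerifyPeerCertificate([][]byte{der}, nil) == nil
}

func main() {
	server, interceptor := selfSignedDER(), selfSignedDER()
	pinned := pinnedConfig(pinOf(server))
	fmt.Println(accepts(insecureConfig(), interceptor), accepts(pinned, server), accepts(pinned, interceptor)) // true true false
}
```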
Sponsors
Donation & NFTs
Collect a Project X NFT to support the development of Project X!
- TRX(Tron)/USDT/USDC: TNrDh5VSfwd4RPrwsohr6poyNTfFefNYan
- TON: UQApeV-u2gm43aC1uP76xAC1m6vCylstaN1gpfBmre_5IyTH
- BTC: 1JpqcziZZuqv3QQJhZGNGBVdCBrGgkL6cT
- XMR: 4ABHQZ3yJZkBnLoqiKvb3f8eqUnX4iMPb6wdant5ZLGQELctcerceSGEfJnoCk6nnyRZm73wrwSgvZ2WmjYLng6R7sR67nq
- SOL/USDT/USDC: 3x5NuXHzB5APG6vRinPZcsUv5ukWUY1tBGRSJiEJWtZa
- ETH/USDT/USDC: 0xDc3Fe44F0f25D13CACb1C4896CD0D321df3146Ee
- Project X NFT: https://opensea.io/item/ethereum/0x5ee362866001613093361eb8569d59c4141b76d1/1
- VLESS NFT: https://opensea.io/collection/vless
- REALITY NFT: https://opensea.io/item/ethereum/0x5ee362866001613093361eb8569d59c4141b76d1/2
- Related links: VLESS Post-Quantum Encryption, XHTTP: Beyond REALITY, Announcement of NFTs by Project X
This release upgrades some dependencies and is compiled with Go 1.25.7 with inlining maxed out; it is tagged v1.260206.0. Thanks to all contributors; see the change log below.
What's Changed
- TUN inbound: Disable RACK/TLP recovery to fix connection stalls by @KiGamji in #5600
- TUN inbound: Enhance Darwin interface support by @Owersun in #5598
- Hysteria transport: Support range & random for `interval` in `udphop` as well by @LjhAUMEM in #5603
- Geodat: Reduce peak memory usage by @Meo597 in #5581
- TUN inbound: Add iOS support by @evozi-team in #5612
- VMess inbound: Optimize replay filter by @Fangliding in #5562
- README.md: Add Egern & Quantumult X to Others by @nasaboy in #5624
- Upgrade gVisor to latest version v0.0.0-20260122175437-89a5d21be8f0 by @RPRX in 9c46a2d
- TLS config: `allowInsecure`->`pinnedPeerCertSha256`; `verifyPeerCertInNames`->`verifyPeerCertByName` by @RPRX in 2c92339
- Commands: Print leaf cert's SHA256 in `tls ping` by @Fangliding @RPRX in #5628
- MPH domain matcher: Support building & using cache directly (instead of building from geosite.dat when Xray starts) by @hossinasaadi in #5505
- XHTTP transport: New options for bypassing CDN's potential detection by @paqx @Fangliding in #5414
- Finalmask: Add XDNS (relies on mKCP, like DNSTT), header-*, mkcp-* by @LjhAUMEM in #5560
- XHTTP transport: Fix "auto" mode with REALITY by @paqx in #5638
- Finalmask: Add XICMP (relies on mKCP/QUIC or WireGuard) by @LjhAUMEM in #5633
- Chore: Generate *.pb.go files with protoc v6.33.5 by @RPRX in d14767d
- Commands: Print CA cert's SHA256 in `tls ping` by @Fangliding in #5644
- Finalmask UDP: Support WireGuard & Shadowsocks AEAD/2022 by @LjhAUMEM in #5643
- Xray-core: Dynamic Chrome User-Agent for all HTTP requests by default (overwriteable through config) by @RPRX @Fangliding in b7a22c7
- TLS client: Simplify cert's verification code by @Fangliding in #5656
- Workflows: Add simple consistency check for *.pb.go files to test.yml by @Fangliding in #5646
- XICMP finalmask: Refine seq by @LjhAUMEM in #5652
New Contributors
- @KiGamji made their first contribution in #5600
- @evozi-team made their first contribution in #5612
- @nasaboy made their first contribution in #5624
- @paqx made their first contribution in #5414
Full Changelog: v26.1.23...v26.2.6
Xray-core v26.2.4
Xray-core v26.2.2
Xray-core v26.1.31
Xray-core v26.1.23
Proxy: Add TUN inbound for Windows & Linux, including Android #5464 #5509 & Proxy: Add Hysteria outbound & transport (version 2, udphop) and Salamander udpmask #5508
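Happy New Year! Highlights of the first Xray-core release of 2026:
- Added TUN inbound (Windows, Linux, Android, macOS) #5464, with UDP FullCone and XUDP UoT Migration by default #5509
- Added the `process` routing rule (Windows, Linux), which matches process name / absolute path / folder and supports any inbound #5496
- Added Hysteria 2 outbound, Hysteria 2 transport (with port hopping) and the Salamander mask layer; for complete config examples see #5508
- Added the "final mask layer" concept https://t.me/projectXtls/1354 , which sits lower than TLS/QUIC; next steps are planned in #5508 (comment)
- The TLS client uses `pinnedPeerCertSha256` in place of the two former parameters #5154 #5532 760223a; the share link standard #716 has been updated with `pcs`
- The REALITY client prints a more explicit alert (potential MITM or redirection) when it receives the target website's real certificate #5427
- Added migration reminders for deprecated features / outdated protocols cd8aab9, and created SECURITY.md 1cf5662 to make clear how to submit security vulnerabilities / protocol identification issues
To use TUN, the config file needs the following changes, taking Windows as an example:
- Add a "tun" inbound to the config file, with no `settings` needed, and add a "direct" outbound as the default outbound
- Set `sockopt` `"interface": "WLAN"` or "以太网" on all outbounds to prevent outbound traffic from looping back into Xray-core
- Set `routing`, for example `"process": ["NatTypeTester.exe"]`, to direct traffic to the proxy protocol outbound
- Browsers will use QUIC, so remember to set routing to block UDP/443, or enable "quic" for `sniffing`
TUN does not yet support "automatically modifying the system routing table"; for now it has to be set manually:
- Start Xray-core with administrator privileges and wait a few seconds for Windows to assign an IP to the TUN automatically
- Run `ipconfig` and `route print` to find the IPv4 address and interface ID of the Xray TUN
- With administrator privileges, run `route add 0.0.0.0 mask 0.0.0.0 *.*.*.* if **` to add the system route
Thanks to @Owersun @yuhan6665 @Fangliding @KobeArthurScofield @RPRX @osypai for their contributions to TUN support!
@Meo597 has upgraded https://xtls.github.io/ to VitePress, and the contents of this update will be added to the documentation over time.
Because Iran is currently completely cut off from the internet, contributor @hossinasaadi, who has been dedicated to memory optimization, has been inactive for half a month. We hope he returns soon!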
This release upgrades some dependencies and is compiled with Go 1.25.6 with inlining maxed out; it is tagged v1.260123.0. Thanks to all contributors; see the change log below.
What's Changed
- Chore: Remove all double gonet import by @Fangliding in #5402
- Wireguard: Decouple server endpoint DNS from address option by @Meo597 in #5417
- VLESS inbound: Print invalid UUID string by @xtlsee @RPRX in #5426
- REALITY client: Clearer log when receiving real certificate by @ari-ahm @RPRX in #5427
- TLS ECH: Increase DOH timeout by @patterniha @Fangliding in #5455
- Tunnel/Dokodemo: Fix stats conn unwrap by @Fangliding in #5440
- DomainMatcher: Prevent illegal rules from causing core startup failures by @Meo597 in #5430
- common/uuid: fix panic when parsing 32-len invalid UUID string. by @ari-ahm in #5468
- API: Add GetAllOnlineUsers RPC to StatsService for retrieving online users by @mr1cloud in #5080
- Geofiles: Implement mmap in filesystem to reduce ram usage by @hossinasaadi in #5480
- Remove redundant stats in mux and bridge dispatcher by @yuhan6665 in #5466
- XHTTP server: Fix ScStreamUpServerSecs' non-default value by @fanymagnet in #5486
- Routing config: Add `processName` by @Fangliding in #5489
- README.md: Re-add 3X-UI to Web Panels by @RPRX in b38a412
- Routing: Reduce peak memory usage by @hossinasaadi in #5488
- DNS: Fix parse domain and geoip by @hossinasaadi in #5499
- README.md: Add TX-UI to Web Panels by @Incognito-Coder in #4981
- transport/pipe/impl.go: Remove runtime.Gosched() in WriteMultiBuffer() by @Fangliding in #5467
- Routing config: Replace `processName` with `process` (full-name/abs-path/abs-folder) by @Fangliding in #5496
- GitHub Actions: Add wintun.dll into Windows zips; Workflow refinement by @KobeArthurScofield in #5501
- Proxy: Add TUN inbound for Windows & Linux, including Android by @Owersun @yuhan6665 in #5464
- Tests: Improve geosite & geoip tests by @hossinasaadi in #5502
- TLS config: Add `pinnedPeerCertSha256`; Remove `pinnedPeerCertificateChainSha256` and `pinnedPeerCertificatePublicKeySha256` by @Fangliding @RPRX in #5154
- DNS: Check err for UDP dns.PackMessage(req.msg) by @Fangliding in #5512
- TUN inbound: Implement UDP FullCone NAT by @RPRX @Fangliding @Owersun in #5509
- TUN inbound: Fix log, CanSpliceCopy, tag, sniffing, and port config issues by @RPRX in #5522
- TUN inbound: Make udp_fullcone pure side effect free udp connection by @Owersun @RPRX in #5526
- Upgrade gVisor to latest version v0.0.0-20260109181451-4be7c433dae2 by @Owersun in #5527
- Proxy: Add Hysteria outbound & transport (version 2, udphop) and Salamander udpmask by @LjhAUMEM in #5508
- TUN inbound: Close connection when handling is done by @Owersun in #5531
- TLS client: Verify leaf cert (name, time) when pinning self-signed CA by @Fangliding in #5532
- Hysteria: Fix transport's "udphop without salamander" dialing issue; Require `"version": 2` in outbound's `settings` as well by @LjhAUMEM in #5537
- SS2022 outbound: Fix UDP leak by @Fangliding in #5544
- README.md: Add Happ RU to iOS & macOS Clients by @mangustyura in #5551
- Commands: "xray run -dump" supports reading JSON from STDIN by @vrnobody in #5550
- TLS client: Skip TLS' built-in verification when using `pinnedPeerCertSha256`; Fixes by @RPRX in 760223a
- TLS client: Add pin_test.go for leaf and CA by @Fangliding in #5553
- Geofiles: Revert related changes for now, waiting for better changes by @Fangliding in #5557
- Hysteria transport: Add `congestion` config (""/"reno"/"bbr"/"brutal"/"force-brutal") by @LjhAUMEM in #5549
- TUN inbound: Add macOS support by @osypai in #5559
- Config: Add Warning for deprecated features (allowInsecure, Shadowsocks, VMess, Trojan, VLESS without flow) by @RPRX in 5836f36
- Hysteria outbound: Fix ContextWithRequireDatagram() by @LjhAUMEM in #5558
- Create SECURITY.md by @RPRX in 1cf5662
- TUN inbound: Cancel ctx when handling is done by @patterniha @RPRX in #5565
- Tests: Reduce RAM usage by @Fangliding in #5577
- README.md: Update links for PassWall & PassWall 2 by @gamekiller0010 in #5572
- Router: Fix panic in ProcessNameMatcher when source IPs are empty by @Fangliding in...
Xray-core v26.1.18
Xray-core v26.1.13
Xray-core v25.12.8
XTLS Vision: Add testpre (outbound pre-connect) and testseed (outbound & inbound) #5270
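Highlights of this update:
- XTLS Vision adds an experimental "pre-connect" to eliminate latency, and opens the four most critical padding-related parameters to user configuration, see #5270
- The server-side sockopt adds `trustedXForwardedFor` to prevent XHTTP, WS and HU clients from spoofing the source IP, see #5331
- On a VLESS inbound, a UUID with Reverse Proxy enabled is by default refused use of the forward proxy, which is more secure, see #5101 (comment)
- @Meo597 refactored, optimized and added features to the DNS and routing modules, see the change log below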
This release upgrades some dependencies and is compiled with Go 1.25.5 with inlining maxed out; it is tagged v1.251208.0. Thanks to all contributors; see the change log below.
What's Changed
- REALITY config: Return error when short id is too long by @Fangliding @RPRX in #5276
- Fix wireguard not discarding broken connection on android by @Exclude0122 in #5304
- README.md: Add Remnawave & Happ to Sponsors by @RPRX in 4e8ee30
- README.md: Add TRX & TON & BTC & XMR & SOL to Donation & NFTs by @RPRX in 8a4b0a9
- README.md: Add v2rayN to macOS & Linux Clients by @alen420 in #5271
- Socks: Fix buffer full panic when encoding large UDP packets by @vemneyy @Fangliding in #5252
- Docker: Use more aggressive inlining for higher efficiency by @Meo597 in #5242
- Refactor WrapLink logic by @Fangliding in #5288
- HTTP outbound: Read negotiated protocol from uTLS by @hax0r31337 in #5251
- DNS: Fix wrong protocol parse by @vanserox @Fangliding in #5232
- refactor(dns): enhance cache safety, optimize performance, and refactor query logic by @Meo597 in #5248
- perf(GeoIPMatcher): faster heuristic matching with reduced memory usage by @Meo597 in #5289
- perf(router): adjust the order of rules to optimize performance by @Meo597 in #5267
- perf(dns): cache network capability check by @Meo597 in #5244
- feat(dns): add optimistic caching by @Meo597 in #5237
- feat(dns): add parallel query by @Meo597 in #5239
- Router: Remove the deprecated UseIP option by @Meo597 in #5323
- Sockopt config: Add `trustedXForwardedFor` (for XHTTP, WS, HU inbounds) by @RPRX in #5331
- VLESS Reverse Proxy: Forbid reverse-proxy UUID using forward-proxy, enabled by default by @RPRX in a83253f
- fix(dns): inheritance issue with disableCache by @Meo597 in #5351
- XTLS Vision: Check TLS record isComplete by @yuhan6665 in #5179
- XTLS Vision: Add `testpre` (outbound pre-connect) and `testseed` (outbound & inbound) by @RPRX @Fangliding in #5270
- XTLS Vision: Fix IsCompleteRecord() by @Fangliding in #5365
- XTLS Vision: Discard expired pre-connect conn automatically by @RPRX in c123f16
- XTLS Vision: Fix enabled uplink splice flag by mistake by @yuhan6665 in #5391
- XTLS Vision: LogInfo() -> LogDebug() by @RPRX in bd7503d
- Chore: Remove ctlcmd and leftover envvar by @KobeArthurScofield in #5392
New Contributors
- @Exclude0122 made their first contribution in #5304
- @alen420 made their first contribution in #5271
- @vemneyy made their first contribution in #5252
- @vanserox made their first contribution in #5232
Full Changelog: v25.10.15...v25.12.8

