4.8 KiB
!!! error ""
Only supported on Linux, Windows and macOS.
Structure
{
"type": "tun",
"tag": "tun-in",
"interface_name": "tun0",
"inet4_address": "172.19.0.1/30",
"inet6_address": "fdfe:dcba:9876::1/126",
"mtu": 9000,
"auto_route": true,
"strict_route": true,
"inet4_route_address": [
"0.0.0.0/1",
"128.0.0.0/1"
],
"inet6_route_address": [
"::/1",
"8000::/1"
],
"endpoint_independent_nat": false,
"stack": "system",
"include_uid": [
0
],
"include_uid_range": [
"1000-99999"
],
"exclude_uid": [
1000
],
"exclude_uid_range": [
"1000-99999"
],
"include_android_user": [
0,
10
],
"include_package": [
"com.android.chrome"
],
"exclude_package": [
"com.android.captiveportallogin"
],
"platform": {
"http_proxy": {
"enabled": false,
"server": "127.0.0.1",
"server_port": 8080
}
},
"experimental_fix_windows_firewall": false,
...
// Listen Fields
}
!!! note ""
You can ignore the JSON Array [] tag when the content is only one item
!!! warning ""
If tun is running in non-privileged mode, addresses and MTU will not be configured automatically, please make sure the settings are accurate.
Fields
interface_name
Virtual device name, automatically selected if empty.
inet4_address
==Required==
IPv4 prefix for the tun interface.
inet6_address
IPv6 prefix for the tun interface.
mtu
The maximum transmission unit.
auto_route
Set the default route to the Tun.
!!! error ""
To avoid traffic loopback, set `route.auto_detect_interface` or `route.default_interface` or `outbound.bind_interface`
!!! note "Use with Android VPN"
By default, VPN takes precedence over tun. To make tun go through VPN, enable `route.override_android_vpn`.
strict_route
Enforce strict routing rules when auto_route is enabled:
In Linux:
- Let unsupported network unreachable
- Route all connections to tun
It prevents address leaks and makes DNS hijacking work on Android, but your device will not be accessible by others.
In Windows:
- Add firewall rules to prevent DNS leak caused by Windows' ordinary multihomed DNS resolution behavior
It may prevent some applications (such as VirtualBox) from working properly in certain situations.
inet4_route_address
Use custom routes instead of default when auto_route is enabled.
inet6_route_address
Use custom routes instead of default when auto_route is enabled.
endpoint_independent_nat
!!! info ""
This item is only available on the gvisor stack, other stacks are endpoint-independent NAT by default.
Enable endpoint-independent NAT.
Performance may degrade slightly, so it is not recommended to enable on when it is not needed.
udp_timeout
UDP NAT expiration time in seconds, default is 300 (5 minutes).
stack
TCP/IP stack.
| Stack | Description | Status |
|---|---|---|
| system (default) | Sometimes better performance | recommended |
| gVisor | Better compatibility, based on google/gvisor | recommended |
| LWIP | Based on eycorsican/go-tun2socks | upstream archived |
!!! warning ""
gVisor and LWIP stacks is not included by default, see [Installation](/#installation).
include_uid
!!! error ""
UID rules are only supported on Linux and require auto_route.
Limit users in route. Not limited by default.
include_uid_range
Limit users in route, but in range.
exclude_uid
Exclude users in route.
exclude_uid_range
Exclude users in route, but in range.
include_android_user
!!! error ""
Android user and package rules are only supported on Android and require auto_route.
Limit android users in route.
| Common user | ID |
|---|---|
| Main | 0 |
| Work Profile | 10 |
include_package
Limit android packages in route.
exclude_package
Exclude android packages in route.
platform
Platform-specific settings, provided by client applications.
platform.http_proxy
System HTTP proxy settings.
experimental_fix_windows_firewall
Automatically add Windows firewall rules in order for the system stack to work.
This causes some start delays and does not work with existing firewall rules.
Listen Fields
See Listen Fields for details.