v1.0.0

2025-04-30 01:08:33 +00:00 · 2020-11-25 19:01:53 +08:00 · 2020-11-25 19:01:53 +08:00 · c7f7c08ead
commit c7f7c08ead
parent 47d23e9972
711 changed files with 82154 additions and 2 deletions
--- a/proxy/vless/account.go
+++ b/proxy/vless/account.go
@ -0,0 +1,40 @@
+// +build !confonly
+
+package vless
+
+import (
+	"github.com/xtls/xray-core/v1/common/protocol"
+	"github.com/xtls/xray-core/v1/common/uuid"
+)
+
+// AsAccount implements protocol.Account.AsAccount().
+func (a *Account) AsAccount() (protocol.Account, error) {
+	id, err := uuid.ParseString(a.Id)
+	if err != nil {
+		return nil, newError("failed to parse ID").Base(err).AtError()
+	}
+	return &MemoryAccount{
+		ID:         protocol.NewID(id),
+		Flow:       a.Flow,       // needs parser here?
+		Encryption: a.Encryption, // needs parser here?
+	}, nil
+}
+
+// MemoryAccount is an in-memory form of VLess account.
+type MemoryAccount struct {
+	// ID of the account.
+	ID *protocol.ID
+	// Flow of the account. May be "xtls-rprx-direct".
+	Flow string
+	// Encryption of the account. Used for client connections, and only accepts "none" for now.
+	Encryption string
+}
+
+// Equals implements protocol.Account.Equals().
+func (a *MemoryAccount) Equals(account protocol.Account) bool {
+	vlessAccount, ok := account.(*MemoryAccount)
+	if !ok {
+		return false
+	}
+	return a.ID.Equals(vlessAccount.ID)
+}
--- a/proxy/vless/account.pb.go
+++ b/proxy/vless/account.pb.go
@ -0,0 +1,174 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.25.0
+// 	protoc        v3.14.0
+// source: proxy/vless/account.proto
+
+package vless
+
+import (
+	proto "github.com/golang/protobuf/proto"
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+// This is a compile-time assertion that a sufficiently up-to-date version
+// of the legacy proto package is being used.
+const _ = proto.ProtoPackageIsVersion4
+
+type Account struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// ID of the account, in the form of a UUID, e.g., "66ad4540-b58c-4ad2-9926-ea63445a9b57".
+	Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
+	// Flow settings. May be "xtls-rprx-direct".
+	Flow string `protobuf:"bytes,2,opt,name=flow,proto3" json:"flow,omitempty"`
+	// Encryption settings. Only applies to client side, and only accepts "none" for now.
+	Encryption string `protobuf:"bytes,3,opt,name=encryption,proto3" json:"encryption,omitempty"`
+}
+
+func (x *Account) Reset() {
+	*x = Account{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_proxy_vless_account_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *Account) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Account) ProtoMessage() {}
+
+func (x *Account) ProtoReflect() protoreflect.Message {
+	mi := &file_proxy_vless_account_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use Account.ProtoReflect.Descriptor instead.
+func (*Account) Descriptor() ([]byte, []int) {
+	return file_proxy_vless_account_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *Account) GetId() string {
+	if x != nil {
+		return x.Id
+	}
+	return ""
+}
+
+func (x *Account) GetFlow() string {
+	if x != nil {
+		return x.Flow
+	}
+	return ""
+}
+
+func (x *Account) GetEncryption() string {
+	if x != nil {
+		return x.Encryption
+	}
+	return ""
+}
+
+var File_proxy_vless_account_proto protoreflect.FileDescriptor
+
+var file_proxy_vless_account_proto_rawDesc = []byte{
+	0x0a, 0x19, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x2f, 0x76, 0x6c, 0x65, 0x73, 0x73, 0x2f, 0x61, 0x63,
+	0x63, 0x6f, 0x75, 0x6e, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x10, 0x78, 0x72, 0x61,
+	0x79, 0x2e, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x2e, 0x76, 0x6c, 0x65, 0x73, 0x73, 0x22, 0x4d, 0x0a,
+	0x07, 0x41, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x66, 0x6c, 0x6f, 0x77,
+	0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x66, 0x6c, 0x6f, 0x77, 0x12, 0x1e, 0x0a, 0x0a,
+	0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x0a, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x55, 0x0a, 0x14,
+	0x63, 0x6f, 0x6d, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x2e, 0x76,
+	0x6c, 0x65, 0x73, 0x73, 0x50, 0x01, 0x5a, 0x28, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63,
+	0x6f, 0x6d, 0x2f, 0x78, 0x74, 0x6c, 0x73, 0x2f, 0x78, 0x72, 0x61, 0x79, 0x2d, 0x63, 0x6f, 0x72,
+	0x65, 0x2f, 0x76, 0x31, 0x2f, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x2f, 0x76, 0x6c, 0x65, 0x73, 0x73,
+	0xaa, 0x02, 0x10, 0x58, 0x72, 0x61, 0x79, 0x2e, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x2e, 0x56, 0x6c,
+	0x65, 0x73, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+}
+
+var (
+	file_proxy_vless_account_proto_rawDescOnce sync.Once
+	file_proxy_vless_account_proto_rawDescData = file_proxy_vless_account_proto_rawDesc
+)
+
+func file_proxy_vless_account_proto_rawDescGZIP() []byte {
+	file_proxy_vless_account_proto_rawDescOnce.Do(func() {
+		file_proxy_vless_account_proto_rawDescData = protoimpl.X.CompressGZIP(file_proxy_vless_account_proto_rawDescData)
+	})
+	return file_proxy_vless_account_proto_rawDescData
+}
+
+var file_proxy_vless_account_proto_msgTypes = make([]protoimpl.MessageInfo, 1)
+var file_proxy_vless_account_proto_goTypes = []interface{}{
+	(*Account)(nil), // 0: xray.proxy.vless.Account
+}
+var file_proxy_vless_account_proto_depIdxs = []int32{
+	0, // [0:0] is the sub-list for method output_type
+	0, // [0:0] is the sub-list for method input_type
+	0, // [0:0] is the sub-list for extension type_name
+	0, // [0:0] is the sub-list for extension extendee
+	0, // [0:0] is the sub-list for field type_name
+}
+
+func init() { file_proxy_vless_account_proto_init() }
+func file_proxy_vless_account_proto_init() {
+	if File_proxy_vless_account_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_proxy_vless_account_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*Account); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_proxy_vless_account_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   1,
+			NumExtensions: 0,
+			NumServices:   0,
+		},
+		GoTypes:           file_proxy_vless_account_proto_goTypes,
+		DependencyIndexes: file_proxy_vless_account_proto_depIdxs,
+		MessageInfos:      file_proxy_vless_account_proto_msgTypes,
+	}.Build()
+	File_proxy_vless_account_proto = out.File
+	file_proxy_vless_account_proto_rawDesc = nil
+	file_proxy_vless_account_proto_goTypes = nil
+	file_proxy_vless_account_proto_depIdxs = nil
+}
--- a/proxy/vless/account.proto
+++ b/proxy/vless/account.proto
@ -0,0 +1,16 @@
+syntax = "proto3";
+
+package xray.proxy.vless;
+option csharp_namespace = "Xray.Proxy.Vless";
+option go_package = "github.com/xtls/xray-core/v1/proxy/vless";
+option java_package = "com.xray.proxy.vless";
+option java_multiple_files = true;
+
+message Account {
+  // ID of the account, in the form of a UUID, e.g., "66ad4540-b58c-4ad2-9926-ea63445a9b57".
+  string id = 1;
+  // Flow settings. May be "xtls-rprx-direct".
+  string flow = 2;
+  // Encryption settings. Only applies to client side, and only accepts "none" for now.
+  string encryption = 3;
+}
--- a/proxy/vless/encoding/addons.go
+++ b/proxy/vless/encoding/addons.go
@ -0,0 +1,189 @@
+// +build !confonly
+
+package encoding
+
+import (
+	"io"
+
+	"github.com/golang/protobuf/proto"
+
+	"github.com/xtls/xray-core/v1/common/buf"
+	"github.com/xtls/xray-core/v1/common/protocol"
+	"github.com/xtls/xray-core/v1/proxy/vless"
+)
+
+func EncodeHeaderAddons(buffer *buf.Buffer, addons *Addons) error {
+	switch addons.Flow {
+	case vless.XRO, vless.XRD:
+		bytes, err := proto.Marshal(addons)
+		if err != nil {
+			return newError("failed to marshal addons protobuf value").Base(err)
+		}
+		if err := buffer.WriteByte(byte(len(bytes))); err != nil {
+			return newError("failed to write addons protobuf length").Base(err)
+		}
+		if _, err := buffer.Write(bytes); err != nil {
+			return newError("failed to write addons protobuf value").Base(err)
+		}
+	default:
+		if err := buffer.WriteByte(0); err != nil {
+			return newError("failed to write addons protobuf length").Base(err)
+		}
+	}
+
+	return nil
+}
+
+func DecodeHeaderAddons(buffer *buf.Buffer, reader io.Reader) (*Addons, error) {
+	addons := new(Addons)
+	buffer.Clear()
+	if _, err := buffer.ReadFullFrom(reader, 1); err != nil {
+		return nil, newError("failed to read addons protobuf length").Base(err)
+	}
+
+	if length := int32(buffer.Byte(0)); length != 0 {
+		buffer.Clear()
+		if _, err := buffer.ReadFullFrom(reader, length); err != nil {
+			return nil, newError("failed to read addons protobuf value").Base(err)
+		}
+
+		if err := proto.Unmarshal(buffer.Bytes(), addons); err != nil {
+			return nil, newError("failed to unmarshal addons protobuf value").Base(err)
+		}
+
+		// Verification.
+		switch addons.Flow {
+		default:
+		}
+	}
+
+	return addons, nil
+}
+
+// EncodeBodyAddons returns a Writer that auto-encrypt content written by caller.
+func EncodeBodyAddons(writer io.Writer, request *protocol.RequestHeader, addons *Addons) buf.Writer {
+	switch addons.Flow {
+	default:
+		if request.Command == protocol.RequestCommandUDP {
+			return NewMultiLengthPacketWriter(writer.(buf.Writer))
+		}
+	}
+	return buf.NewWriter(writer)
+}
+
+// DecodeBodyAddons returns a Reader from which caller can fetch decrypted body.
+func DecodeBodyAddons(reader io.Reader, request *protocol.RequestHeader, addons *Addons) buf.Reader {
+	switch addons.Flow {
+	default:
+		if request.Command == protocol.RequestCommandUDP {
+			return NewLengthPacketReader(reader)
+		}
+	}
+	return buf.NewReader(reader)
+}
+
+func NewMultiLengthPacketWriter(writer buf.Writer) *MultiLengthPacketWriter {
+	return &MultiLengthPacketWriter{
+		Writer: writer,
+	}
+}
+
+type MultiLengthPacketWriter struct {
+	buf.Writer
+}
+
+func (w *MultiLengthPacketWriter) WriteMultiBuffer(mb buf.MultiBuffer) error {
+	defer buf.ReleaseMulti(mb)
+	mb2Write := make(buf.MultiBuffer, 0, len(mb)+1)
+	for _, b := range mb {
+		length := b.Len()
+		if length == 0 || length+2 > buf.Size {
+			continue
+		}
+		eb := buf.New()
+		if err := eb.WriteByte(byte(length >> 8)); err != nil {
+			eb.Release()
+			continue
+		}
+		if err := eb.WriteByte(byte(length)); err != nil {
+			eb.Release()
+			continue
+		}
+		if _, err := eb.Write(b.Bytes()); err != nil {
+			eb.Release()
+			continue
+		}
+		mb2Write = append(mb2Write, eb)
+	}
+	if mb2Write.IsEmpty() {
+		return nil
+	}
+	return w.Writer.WriteMultiBuffer(mb2Write)
+}
+
+func NewLengthPacketWriter(writer io.Writer) *LengthPacketWriter {
+	return &LengthPacketWriter{
+		Writer: writer,
+		cache:  make([]byte, 0, 65536),
+	}
+}
+
+type LengthPacketWriter struct {
+	io.Writer
+	cache []byte
+}
+
+func (w *LengthPacketWriter) WriteMultiBuffer(mb buf.MultiBuffer) error {
+	length := mb.Len() // none of mb is nil
+	// fmt.Println("Write", length)
+	if length == 0 {
+		return nil
+	}
+	defer func() {
+		w.cache = w.cache[:0]
+	}()
+	w.cache = append(w.cache, byte(length>>8), byte(length))
+	for i, b := range mb {
+		w.cache = append(w.cache, b.Bytes()...)
+		b.Release()
+		mb[i] = nil
+	}
+	if _, err := w.Write(w.cache); err != nil {
+		return newError("failed to write a packet").Base(err)
+	}
+	return nil
+}
+
+func NewLengthPacketReader(reader io.Reader) *LengthPacketReader {
+	return &LengthPacketReader{
+		Reader: reader,
+		cache:  make([]byte, 2),
+	}
+}
+
+type LengthPacketReader struct {
+	io.Reader
+	cache []byte
+}
+
+func (r *LengthPacketReader) ReadMultiBuffer() (buf.MultiBuffer, error) {
+	if _, err := io.ReadFull(r.Reader, r.cache); err != nil { // maybe EOF
+		return nil, newError("failed to read packet length").Base(err)
+	}
+	length := int32(r.cache[0])<<8 | int32(r.cache[1])
+	// fmt.Println("Read", length)
+	mb := make(buf.MultiBuffer, 0, length/buf.Size+1)
+	for length > 0 {
+		size := length
+		if size > buf.Size {
+			size = buf.Size
+		}
+		length -= size
+		b := buf.New()
+		if _, err := b.ReadFullFrom(r.Reader, size); err != nil {
+			return nil, newError("failed to read packet payload").Base(err)
+		}
+		mb = append(mb, b)
+	}
+	return mb, nil
+}
--- a/proxy/vless/encoding/addons.pb.go
+++ b/proxy/vless/encoding/addons.pb.go
@ -0,0 +1,384 @@
+// Code generated by protoc-gen-gogo. DO NOT EDIT.
+// source: proxy/vless/encoding/addons.proto
+
+package encoding
+
+import (
+	fmt "fmt"
+	proto "github.com/golang/protobuf/proto"
+	io "io"
+	math "math"
+	math_bits "math/bits"
+)
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.ProtoPackageIsVersion3 // please upgrade the proto package
+
+type Addons struct {
+	Flow                 string   `protobuf:"bytes,1,opt,name=Flow,proto3" json:"Flow,omitempty"`
+	Seed                 []byte   `protobuf:"bytes,2,opt,name=Seed,proto3" json:"Seed,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *Addons) Reset()         { *m = Addons{} }
+func (m *Addons) String() string { return proto.CompactTextString(m) }
+func (*Addons) ProtoMessage()    {}
+func (*Addons) Descriptor() ([]byte, []int) {
+	return fileDescriptor_75ab671b0ca8b1cc, []int{0}
+}
+func (m *Addons) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *Addons) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	if deterministic {
+		return xxx_messageInfo_Addons.Marshal(b, m, deterministic)
+	} else {
+		b = b[:cap(b)]
+		n, err := m.MarshalToSizedBuffer(b)
+		if err != nil {
+			return nil, err
+		}
+		return b[:n], nil
+	}
+}
+func (m *Addons) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_Addons.Merge(m, src)
+}
+func (m *Addons) XXX_Size() int {
+	return m.Size()
+}
+func (m *Addons) XXX_DiscardUnknown() {
+	xxx_messageInfo_Addons.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_Addons proto.InternalMessageInfo
+
+func (m *Addons) GetFlow() string {
+	if m != nil {
+		return m.Flow
+	}
+	return ""
+}
+
+func (m *Addons) GetSeed() []byte {
+	if m != nil {
+		return m.Seed
+	}
+	return nil
+}
+
+func init() {
+	proto.RegisterType((*Addons)(nil), "xray.proxy.vless.encoding.Addons")
+}
+
+func init() { proto.RegisterFile("proxy/vless/encoding/addons.proto", fileDescriptor_75ab671b0ca8b1cc) }
+
+var fileDescriptor_75ab671b0ca8b1cc = []byte{
+	// 195 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xe2, 0x52, 0x2c, 0x28, 0xca, 0xaf,
+	0xa8, 0xd4, 0x2f, 0xcb, 0x49, 0x2d, 0x2e, 0xd6, 0x4f, 0xcd, 0x4b, 0xce, 0x4f, 0xc9, 0xcc, 0x4b,
+	0xd7, 0x4f, 0x4c, 0x49, 0xc9, 0xcf, 0x2b, 0xd6, 0x2b, 0x28, 0xca, 0x2f, 0xc9, 0x17, 0x92, 0xac,
+	0x28, 0x4a, 0xac, 0xd4, 0x03, 0xab, 0xd3, 0x03, 0xab, 0xd3, 0x83, 0xa9, 0x53, 0x32, 0xe0, 0x62,
+	0x73, 0x04, 0x2b, 0x15, 0x12, 0xe2, 0x62, 0x71, 0xcb, 0xc9, 0x2f, 0x97, 0x60, 0x54, 0x60, 0xd4,
+	0xe0, 0x0c, 0x02, 0xb3, 0x41, 0x62, 0xc1, 0xa9, 0xa9, 0x29, 0x12, 0x4c, 0x0a, 0x8c, 0x1a, 0x3c,
+	0x41, 0x60, 0xb6, 0x53, 0x03, 0xe3, 0x89, 0x47, 0x72, 0x8c, 0x17, 0x1e, 0xc9, 0x31, 0x3e, 0x78,
+	0x24, 0xc7, 0x38, 0xe3, 0xb1, 0x1c, 0x03, 0x97, 0x6c, 0x72, 0x7e, 0xae, 0x1e, 0x4e, 0x3b, 0x02,
+	0x18, 0xa3, 0x0c, 0xd3, 0x33, 0x4b, 0x32, 0x4a, 0x93, 0xf4, 0x92, 0xf3, 0x73, 0xf5, 0x2b, 0x4a,
+	0x72, 0x8a, 0xf5, 0x41, 0x8a, 0x75, 0x93, 0xf3, 0x8b, 0x52, 0xf5, 0xcb, 0x0c, 0xf5, 0xb1, 0x79,
+	0x60, 0x15, 0x93, 0x64, 0x04, 0xc8, 0xc0, 0x00, 0xb0, 0x81, 0x61, 0x60, 0x03, 0x5d, 0xa1, 0x72,
+	0x49, 0x6c, 0x60, 0x6f, 0x19, 0x03, 0x02, 0x00, 0x00, 0xff, 0xff, 0xda, 0x20, 0x32, 0x3e, 0xfb,
+	0x00, 0x00, 0x00,
+}
+
+func (m *Addons) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Addons) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *Addons) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	if m.XXX_unrecognized != nil {
+		i -= len(m.XXX_unrecognized)
+		copy(dAtA[i:], m.XXX_unrecognized)
+	}
+	if len(m.Seed) > 0 {
+		i -= len(m.Seed)
+		copy(dAtA[i:], m.Seed)
+		i = encodeVarintAddons(dAtA, i, uint64(len(m.Seed)))
+		i--
+		dAtA[i] = 0x12
+	}
+	if len(m.Flow) > 0 {
+		i -= len(m.Flow)
+		copy(dAtA[i:], m.Flow)
+		i = encodeVarintAddons(dAtA, i, uint64(len(m.Flow)))
+		i--
+		dAtA[i] = 0xa
+	}
+	return len(dAtA) - i, nil
+}
+
+func encodeVarintAddons(dAtA []byte, offset int, v uint64) int {
+	offset -= sovAddons(v)
+	base := offset
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return base
+}
+func (m *Addons) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = len(m.Flow)
+	if l > 0 {
+		n += 1 + l + sovAddons(uint64(l))
+	}
+	l = len(m.Seed)
+	if l > 0 {
+		n += 1 + l + sovAddons(uint64(l))
+	}
+	if m.XXX_unrecognized != nil {
+		n += len(m.XXX_unrecognized)
+	}
+	return n
+}
+
+func sovAddons(x uint64) (n int) {
+	return (math_bits.Len64(x|1) + 6) / 7
+}
+func sozAddons(x uint64) (n int) {
+	return sovAddons(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (m *Addons) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowAddons
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Addons: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Addons: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Flow", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowAddons
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthAddons
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthAddons
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Flow = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Seed", wireType)
+			}
+			var byteLen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowAddons
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				byteLen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if byteLen < 0 {
+				return ErrInvalidLengthAddons
+			}
+			postIndex := iNdEx + byteLen
+			if postIndex < 0 {
+				return ErrInvalidLengthAddons
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Seed = append(m.Seed[:0], dAtA[iNdEx:postIndex]...)
+			if m.Seed == nil {
+				m.Seed = []byte{}
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipAddons(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthAddons
+			}
+			if (iNdEx + skippy) < 0 {
+				return ErrInvalidLengthAddons
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipAddons(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	depth := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowAddons
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowAddons
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+		case 1:
+			iNdEx += 8
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowAddons
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if length < 0 {
+				return 0, ErrInvalidLengthAddons
+			}
+			iNdEx += length
+		case 3:
+			depth++
+		case 4:
+			if depth == 0 {
+				return 0, ErrUnexpectedEndOfGroupAddons
+			}
+			depth--
+		case 5:
+			iNdEx += 4
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+		if iNdEx < 0 {
+			return 0, ErrInvalidLengthAddons
+		}
+		if depth == 0 {
+			return iNdEx, nil
+		}
+	}
+	return 0, io.ErrUnexpectedEOF
+}
+
+var (
+	ErrInvalidLengthAddons        = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowAddons          = fmt.Errorf("proto: integer overflow")
+	ErrUnexpectedEndOfGroupAddons = fmt.Errorf("proto: unexpected end of group")
+)
--- a/proxy/vless/encoding/addons.proto
+++ b/proxy/vless/encoding/addons.proto
@ -0,0 +1,12 @@
+syntax = "proto3";
+
+package xray.proxy.vless.encoding;
+option csharp_namespace = "Xray.Proxy.Vless.Encoding";
+option go_package = "github.com/xtls/xray-core/v1/proxy/vless/encoding";
+option java_package = "com.xray.proxy.vless.encoding";
+option java_multiple_files = true;
+
+message Addons {
+  string Flow = 1;
+  bytes Seed = 2;
+}
--- a/proxy/vless/encoding/encoding.go
+++ b/proxy/vless/encoding/encoding.go
@ -0,0 +1,208 @@
+// +build !confonly
+
+package encoding
+
+//go:generate go run github.com/xtls/xray-core/v1/common/errors/errorgen
+
+import (
+	"fmt"
+	"io"
+	"syscall"
+
+	"github.com/xtls/xray-core/v1/common/buf"
+	"github.com/xtls/xray-core/v1/common/errors"
+	"github.com/xtls/xray-core/v1/common/net"
+	"github.com/xtls/xray-core/v1/common/protocol"
+	"github.com/xtls/xray-core/v1/common/signal"
+	"github.com/xtls/xray-core/v1/features/stats"
+	"github.com/xtls/xray-core/v1/proxy/vless"
+	"github.com/xtls/xray-core/v1/transport/internet/xtls"
+)
+
+const (
+	Version = byte(0)
+)
+
+var addrParser = protocol.NewAddressParser(
+	protocol.AddressFamilyByte(byte(protocol.AddressTypeIPv4), net.AddressFamilyIPv4),
+	protocol.AddressFamilyByte(byte(protocol.AddressTypeDomain), net.AddressFamilyDomain),
+	protocol.AddressFamilyByte(byte(protocol.AddressTypeIPv6), net.AddressFamilyIPv6),
+	protocol.PortThenAddress(),
+)
+
+// EncodeRequestHeader writes encoded request header into the given writer.
+func EncodeRequestHeader(writer io.Writer, request *protocol.RequestHeader, requestAddons *Addons) error {
+	buffer := buf.StackNew()
+	defer buffer.Release()
+
+	if err := buffer.WriteByte(request.Version); err != nil {
+		return newError("failed to write request version").Base(err)
+	}
+
+	if _, err := buffer.Write(request.User.Account.(*vless.MemoryAccount).ID.Bytes()); err != nil {
+		return newError("failed to write request user id").Base(err)
+	}
+
+	if err := EncodeHeaderAddons(&buffer, requestAddons); err != nil {
+		return newError("failed to encode request header addons").Base(err)
+	}
+
+	if err := buffer.WriteByte(byte(request.Command)); err != nil {
+		return newError("failed to write request command").Base(err)
+	}
+
+	if request.Command != protocol.RequestCommandMux {
+		if err := addrParser.WriteAddressPort(&buffer, request.Address, request.Port); err != nil {
+			return newError("failed to write request address and port").Base(err)
+		}
+	}
+
+	if _, err := writer.Write(buffer.Bytes()); err != nil {
+		return newError("failed to write request header").Base(err)
+	}
+
+	return nil
+}
+
+// DecodeRequestHeader decodes and returns (if successful) a RequestHeader from an input stream.
+func DecodeRequestHeader(isfb bool, first *buf.Buffer, reader io.Reader, validator *vless.Validator) (*protocol.RequestHeader, *Addons, bool, error) {
+	buffer := buf.StackNew()
+	defer buffer.Release()
+
+	request := new(protocol.RequestHeader)
+
+	if isfb {
+		request.Version = first.Byte(0)
+	} else {
+		if _, err := buffer.ReadFullFrom(reader, 1); err != nil {
+			return nil, nil, false, newError("failed to read request version").Base(err)
+		}
+		request.Version = buffer.Byte(0)
+	}
+
+	switch request.Version {
+	case 0:
+
+		var id [16]byte
+
+		if isfb {
+			copy(id[:], first.BytesRange(1, 17))
+		} else {
+			buffer.Clear()
+			if _, err := buffer.ReadFullFrom(reader, 16); err != nil {
+				return nil, nil, false, newError("failed to read request user id").Base(err)
+			}
+			copy(id[:], buffer.Bytes())
+		}
+
+		if request.User = validator.Get(id); request.User == nil {
+			return nil, nil, isfb, newError("invalid request user id")
+		}
+
+		if isfb {
+			first.Advance(17)
+		}
+
+		requestAddons, err := DecodeHeaderAddons(&buffer, reader)
+		if err != nil {
+			return nil, nil, false, newError("failed to decode request header addons").Base(err)
+		}
+
+		buffer.Clear()
+		if _, err := buffer.ReadFullFrom(reader, 1); err != nil {
+			return nil, nil, false, newError("failed to read request command").Base(err)
+		}
+
+		request.Command = protocol.RequestCommand(buffer.Byte(0))
+		switch request.Command {
+		case protocol.RequestCommandMux:
+			request.Address = net.DomainAddress("v1.mux.cool")
+			request.Port = 0
+		case protocol.RequestCommandTCP, protocol.RequestCommandUDP:
+			if addr, port, err := addrParser.ReadAddressPort(&buffer, reader); err == nil {
+				request.Address = addr
+				request.Port = port
+			}
+		}
+		if request.Address == nil {
+			return nil, nil, false, newError("invalid request address")
+		}
+		return request, requestAddons, false, nil
+	default:
+		return nil, nil, isfb, newError("invalid request version")
+	}
+}
+
+// EncodeResponseHeader writes encoded response header into the given writer.
+func EncodeResponseHeader(writer io.Writer, request *protocol.RequestHeader, responseAddons *Addons) error {
+	buffer := buf.StackNew()
+	defer buffer.Release()
+
+	if err := buffer.WriteByte(request.Version); err != nil {
+		return newError("failed to write response version").Base(err)
+	}
+
+	if err := EncodeHeaderAddons(&buffer, responseAddons); err != nil {
+		return newError("failed to encode response header addons").Base(err)
+	}
+
+	if _, err := writer.Write(buffer.Bytes()); err != nil {
+		return newError("failed to write response header").Base(err)
+	}
+
+	return nil
+}
+
+// DecodeResponseHeader decodes and returns (if successful) a ResponseHeader from an input stream.
+func DecodeResponseHeader(reader io.Reader, request *protocol.RequestHeader) (*Addons, error) {
+	buffer := buf.StackNew()
+	defer buffer.Release()
+
+	if _, err := buffer.ReadFullFrom(reader, 1); err != nil {
+		return nil, newError("failed to read response version").Base(err)
+	}
+
+	if buffer.Byte(0) != request.Version {
+		return nil, newError("unexpected response version. Expecting ", int(request.Version), " but actually ", int(buffer.Byte(0)))
+	}
+
+	responseAddons, err := DecodeHeaderAddons(&buffer, reader)
+	if err != nil {
+		return nil, newError("failed to decode response header addons").Base(err)
+	}
+
+	return responseAddons, nil
+}
+
+func ReadV(reader buf.Reader, writer buf.Writer, timer signal.ActivityUpdater, conn *xtls.Conn, rawConn syscall.RawConn, counter stats.Counter) error {
+	err := func() error {
+		var ct stats.Counter
+		for {
+			if conn.DirectIn {
+				conn.DirectIn = false
+				reader = buf.NewReadVReader(conn.Connection, rawConn)
+				ct = counter
+				if conn.SHOW {
+					fmt.Println(conn.MARK, "ReadV")
+				}
+			}
+			buffer, err := reader.ReadMultiBuffer()
+			if !buffer.IsEmpty() {
+				if ct != nil {
+					ct.Add(int64(buffer.Len()))
+				}
+				timer.Update()
+				if werr := writer.WriteMultiBuffer(buffer); werr != nil {
+					return werr
+				}
+			}
+			if err != nil {
+				return err
+			}
+		}
+	}()
+	if err != nil && errors.Cause(err) != io.EOF {
+		return err
+	}
+	return nil
+}
--- a/proxy/vless/encoding/encoding_test.go
+++ b/proxy/vless/encoding/encoding_test.go
@ -0,0 +1,126 @@
+package encoding_test
+
+import (
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+
+	"github.com/xtls/xray-core/v1/common"
+	"github.com/xtls/xray-core/v1/common/buf"
+	"github.com/xtls/xray-core/v1/common/net"
+	"github.com/xtls/xray-core/v1/common/protocol"
+	"github.com/xtls/xray-core/v1/common/uuid"
+	"github.com/xtls/xray-core/v1/proxy/vless"
+	. "github.com/xtls/xray-core/v1/proxy/vless/encoding"
+)
+
+func toAccount(a *vless.Account) protocol.Account {
+	account, err := a.AsAccount()
+	common.Must(err)
+	return account
+}
+
+func TestRequestSerialization(t *testing.T) {
+	user := &protocol.MemoryUser{
+		Level: 0,
+		Email: "test@example.com",
+	}
+	id := uuid.New()
+	account := &vless.Account{
+		Id: id.String(),
+	}
+	user.Account = toAccount(account)
+
+	expectedRequest := &protocol.RequestHeader{
+		Version: Version,
+		User:    user,
+		Command: protocol.RequestCommandTCP,
+		Address: net.DomainAddress("www.example.com"),
+		Port:    net.Port(443),
+	}
+	expectedAddons := &Addons{}
+
+	buffer := buf.StackNew()
+	common.Must(EncodeRequestHeader(&buffer, expectedRequest, expectedAddons))
+
+	Validator := new(vless.Validator)
+	Validator.Add(user)
+
+	actualRequest, actualAddons, _, err := DecodeRequestHeader(false, nil, &buffer, Validator)
+	common.Must(err)
+
+	if r := cmp.Diff(actualRequest, expectedRequest, cmp.AllowUnexported(protocol.ID{})); r != "" {
+		t.Error(r)
+	}
+	if r := cmp.Diff(actualAddons, expectedAddons); r != "" {
+		t.Error(r)
+	}
+}
+
+func TestInvalidRequest(t *testing.T) {
+	user := &protocol.MemoryUser{
+		Level: 0,
+		Email: "test@example.com",
+	}
+	id := uuid.New()
+	account := &vless.Account{
+		Id: id.String(),
+	}
+	user.Account = toAccount(account)
+
+	expectedRequest := &protocol.RequestHeader{
+		Version: Version,
+		User:    user,
+		Command: protocol.RequestCommand(100),
+		Address: net.DomainAddress("www.example.com"),
+		Port:    net.Port(443),
+	}
+	expectedAddons := &Addons{}
+
+	buffer := buf.StackNew()
+	common.Must(EncodeRequestHeader(&buffer, expectedRequest, expectedAddons))
+
+	Validator := new(vless.Validator)
+	Validator.Add(user)
+
+	_, _, _, err := DecodeRequestHeader(false, nil, &buffer, Validator)
+	if err == nil {
+		t.Error("nil error")
+	}
+}
+
+func TestMuxRequest(t *testing.T) {
+	user := &protocol.MemoryUser{
+		Level: 0,
+		Email: "test@example.com",
+	}
+	id := uuid.New()
+	account := &vless.Account{
+		Id: id.String(),
+	}
+	user.Account = toAccount(account)
+
+	expectedRequest := &protocol.RequestHeader{
+		Version: Version,
+		User:    user,
+		Command: protocol.RequestCommandMux,
+		Address: net.DomainAddress("v1.mux.cool"),
+	}
+	expectedAddons := &Addons{}
+
+	buffer := buf.StackNew()
+	common.Must(EncodeRequestHeader(&buffer, expectedRequest, expectedAddons))
+
+	Validator := new(vless.Validator)
+	Validator.Add(user)
+
+	actualRequest, actualAddons, _, err := DecodeRequestHeader(false, nil, &buffer, Validator)
+	common.Must(err)
+
+	if r := cmp.Diff(actualRequest, expectedRequest, cmp.AllowUnexported(protocol.ID{})); r != "" {
+		t.Error(r)
+	}
+	if r := cmp.Diff(actualAddons, expectedAddons); r != "" {
+		t.Error(r)
+	}
+}
--- a/proxy/vless/encoding/errors.generated.go
+++ b/proxy/vless/encoding/errors.generated.go
@ -0,0 +1,9 @@
+package encoding
+
+import "github.com/xtls/xray-core/v1/common/errors"
+
+type errPathObjHolder struct{}
+
+func newError(values ...interface{}) *errors.Error {
+	return errors.New(values...).WithPathObj(errPathObjHolder{})
+}
--- a/proxy/vless/errors.generated.go
+++ b/proxy/vless/errors.generated.go
@ -0,0 +1,9 @@
+package vless
+
+import "github.com/xtls/xray-core/v1/common/errors"
+
+type errPathObjHolder struct{}
+
+func newError(values ...interface{}) *errors.Error {
+	return errors.New(values...).WithPathObj(errPathObjHolder{})
+}
--- a/proxy/vless/inbound/config.go
+++ b/proxy/vless/inbound/config.go
@ -0,0 +1,3 @@
+// +build !confonly
+
+package inbound
--- a/proxy/vless/inbound/config.pb.go
+++ b/proxy/vless/inbound/config.pb.go
@ -0,0 +1,286 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.25.0
+// 	protoc        v3.14.0
+// source: proxy/vless/inbound/config.proto
+
+package inbound
+
+import (
+	proto "github.com/golang/protobuf/proto"
+	protocol "github.com/xtls/xray-core/v1/common/protocol"
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+// This is a compile-time assertion that a sufficiently up-to-date version
+// of the legacy proto package is being used.
+const _ = proto.ProtoPackageIsVersion4
+
+type Fallback struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Alpn string `protobuf:"bytes,1,opt,name=alpn,proto3" json:"alpn,omitempty"`
+	Path string `protobuf:"bytes,2,opt,name=path,proto3" json:"path,omitempty"`
+	Type string `protobuf:"bytes,3,opt,name=type,proto3" json:"type,omitempty"`
+	Dest string `protobuf:"bytes,4,opt,name=dest,proto3" json:"dest,omitempty"`
+	Xver uint64 `protobuf:"varint,5,opt,name=xver,proto3" json:"xver,omitempty"`
+}
+
+func (x *Fallback) Reset() {
+	*x = Fallback{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_proxy_vless_inbound_config_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *Fallback) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Fallback) ProtoMessage() {}
+
+func (x *Fallback) ProtoReflect() protoreflect.Message {
+	mi := &file_proxy_vless_inbound_config_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use Fallback.ProtoReflect.Descriptor instead.
+func (*Fallback) Descriptor() ([]byte, []int) {
+	return file_proxy_vless_inbound_config_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *Fallback) GetAlpn() string {
+	if x != nil {
+		return x.Alpn
+	}
+	return ""
+}
+
+func (x *Fallback) GetPath() string {
+	if x != nil {
+		return x.Path
+	}
+	return ""
+}
+
+func (x *Fallback) GetType() string {
+	if x != nil {
+		return x.Type
+	}
+	return ""
+}
+
+func (x *Fallback) GetDest() string {
+	if x != nil {
+		return x.Dest
+	}
+	return ""
+}
+
+func (x *Fallback) GetXver() uint64 {
+	if x != nil {
+		return x.Xver
+	}
+	return 0
+}
+
+type Config struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Clients []*protocol.User `protobuf:"bytes,1,rep,name=clients,proto3" json:"clients,omitempty"`
+	// Decryption settings. Only applies to server side, and only accepts "none"
+	// for now.
+	Decryption string      `protobuf:"bytes,2,opt,name=decryption,proto3" json:"decryption,omitempty"`
+	Fallbacks  []*Fallback `protobuf:"bytes,3,rep,name=fallbacks,proto3" json:"fallbacks,omitempty"`
+}
+
+func (x *Config) Reset() {
+	*x = Config{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_proxy_vless_inbound_config_proto_msgTypes[1]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *Config) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Config) ProtoMessage() {}
+
+func (x *Config) ProtoReflect() protoreflect.Message {
+	mi := &file_proxy_vless_inbound_config_proto_msgTypes[1]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use Config.ProtoReflect.Descriptor instead.
+func (*Config) Descriptor() ([]byte, []int) {
+	return file_proxy_vless_inbound_config_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *Config) GetClients() []*protocol.User {
+	if x != nil {
+		return x.Clients
+	}
+	return nil
+}
+
+func (x *Config) GetDecryption() string {
+	if x != nil {
+		return x.Decryption
+	}
+	return ""
+}
+
+func (x *Config) GetFallbacks() []*Fallback {
+	if x != nil {
+		return x.Fallbacks
+	}
+	return nil
+}
+
+var File_proxy_vless_inbound_config_proto protoreflect.FileDescriptor
+
+var file_proxy_vless_inbound_config_proto_rawDesc = []byte{
+	0x0a, 0x20, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x2f, 0x76, 0x6c, 0x65, 0x73, 0x73, 0x2f, 0x69, 0x6e,
+	0x62, 0x6f, 0x75, 0x6e, 0x64, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x70, 0x72, 0x6f,
+	0x74, 0x6f, 0x12, 0x18, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x2e, 0x76,
+	0x6c, 0x65, 0x73, 0x73, 0x2e, 0x69, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x1a, 0x1a, 0x63, 0x6f,
+	0x6d, 0x6d, 0x6f, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2f, 0x75, 0x73,
+	0x65, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x6e, 0x0a, 0x08, 0x46, 0x61, 0x6c, 0x6c,
+	0x62, 0x61, 0x63, 0x6b, 0x12, 0x12, 0x0a, 0x04, 0x61, 0x6c, 0x70, 0x6e, 0x18, 0x01, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x04, 0x61, 0x6c, 0x70, 0x6e, 0x12, 0x12, 0x0a, 0x04, 0x70, 0x61, 0x74, 0x68,
+	0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x70, 0x61, 0x74, 0x68, 0x12, 0x12, 0x0a, 0x04,
+	0x74, 0x79, 0x70, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65,
+	0x12, 0x12, 0x0a, 0x04, 0x64, 0x65, 0x73, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04,
+	0x64, 0x65, 0x73, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x78, 0x76, 0x65, 0x72, 0x18, 0x05, 0x20, 0x01,
+	0x28, 0x04, 0x52, 0x04, 0x78, 0x76, 0x65, 0x72, 0x22, 0xa0, 0x01, 0x0a, 0x06, 0x43, 0x6f, 0x6e,
+	0x66, 0x69, 0x67, 0x12, 0x34, 0x0a, 0x07, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x73, 0x18, 0x01,
+	0x20, 0x03, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d,
+	0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2e, 0x55, 0x73, 0x65, 0x72,
+	0x52, 0x07, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x73, 0x12, 0x1e, 0x0a, 0x0a, 0x64, 0x65, 0x63,
+	0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x64,
+	0x65, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x40, 0x0a, 0x09, 0x66, 0x61, 0x6c,
+	0x6c, 0x62, 0x61, 0x63, 0x6b, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x78,
+	0x72, 0x61, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x2e, 0x76, 0x6c, 0x65, 0x73, 0x73, 0x2e,
+	0x69, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x2e, 0x46, 0x61, 0x6c, 0x6c, 0x62, 0x61, 0x63, 0x6b,
+	0x52, 0x09, 0x66, 0x61, 0x6c, 0x6c, 0x62, 0x61, 0x63, 0x6b, 0x73, 0x42, 0x6d, 0x0a, 0x1c, 0x63,
+	0x6f, 0x6d, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x2e, 0x76, 0x6c,
+	0x65, 0x73, 0x73, 0x2e, 0x69, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x50, 0x01, 0x5a, 0x30, 0x67,
+	0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x78, 0x74, 0x6c, 0x73, 0x2f, 0x78,
+	0x72, 0x61, 0x79, 0x2d, 0x63, 0x6f, 0x72, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x70, 0x72, 0x6f, 0x78,
+	0x79, 0x2f, 0x76, 0x6c, 0x65, 0x73, 0x73, 0x2f, 0x69, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0xaa,
+	0x02, 0x18, 0x58, 0x72, 0x61, 0x79, 0x2e, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x2e, 0x56, 0x6c, 0x65,
+	0x73, 0x73, 0x2e, 0x49, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x33,
+}
+
+var (
+	file_proxy_vless_inbound_config_proto_rawDescOnce sync.Once
+	file_proxy_vless_inbound_config_proto_rawDescData = file_proxy_vless_inbound_config_proto_rawDesc
+)
+
+func file_proxy_vless_inbound_config_proto_rawDescGZIP() []byte {
+	file_proxy_vless_inbound_config_proto_rawDescOnce.Do(func() {
+		file_proxy_vless_inbound_config_proto_rawDescData = protoimpl.X.CompressGZIP(file_proxy_vless_inbound_config_proto_rawDescData)
+	})
+	return file_proxy_vless_inbound_config_proto_rawDescData
+}
+
+var file_proxy_vless_inbound_config_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
+var file_proxy_vless_inbound_config_proto_goTypes = []interface{}{
+	(*Fallback)(nil),      // 0: xray.proxy.vless.inbound.Fallback
+	(*Config)(nil),        // 1: xray.proxy.vless.inbound.Config
+	(*protocol.User)(nil), // 2: xray.common.protocol.User
+}
+var file_proxy_vless_inbound_config_proto_depIdxs = []int32{
+	2, // 0: xray.proxy.vless.inbound.Config.clients:type_name -> xray.common.protocol.User
+	0, // 1: xray.proxy.vless.inbound.Config.fallbacks:type_name -> xray.proxy.vless.inbound.Fallback
+	2, // [2:2] is the sub-list for method output_type
+	2, // [2:2] is the sub-list for method input_type
+	2, // [2:2] is the sub-list for extension type_name
+	2, // [2:2] is the sub-list for extension extendee
+	0, // [0:2] is the sub-list for field type_name
+}
+
+func init() { file_proxy_vless_inbound_config_proto_init() }
+func file_proxy_vless_inbound_config_proto_init() {
+	if File_proxy_vless_inbound_config_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_proxy_vless_inbound_config_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*Fallback); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_proxy_vless_inbound_config_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*Config); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_proxy_vless_inbound_config_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   2,
+			NumExtensions: 0,
+			NumServices:   0,
+		},
+		GoTypes:           file_proxy_vless_inbound_config_proto_goTypes,
+		DependencyIndexes: file_proxy_vless_inbound_config_proto_depIdxs,
+		MessageInfos:      file_proxy_vless_inbound_config_proto_msgTypes,
+	}.Build()
+	File_proxy_vless_inbound_config_proto = out.File
+	file_proxy_vless_inbound_config_proto_rawDesc = nil
+	file_proxy_vless_inbound_config_proto_goTypes = nil
+	file_proxy_vless_inbound_config_proto_depIdxs = nil
+}
--- a/proxy/vless/inbound/config.proto
+++ b/proxy/vless/inbound/config.proto
@ -0,0 +1,25 @@
+syntax = "proto3";
+
+package xray.proxy.vless.inbound;
+option csharp_namespace = "Xray.Proxy.Vless.Inbound";
+option go_package = "github.com/xtls/xray-core/v1/proxy/vless/inbound";
+option java_package = "com.xray.proxy.vless.inbound";
+option java_multiple_files = true;
+
+import "common/protocol/user.proto";
+
+message Fallback {
+  string alpn = 1;
+  string path = 2;
+  string type = 3;
+  string dest = 4;
+  uint64 xver = 5;
+}
+
+message Config {
+  repeated xray.common.protocol.User clients = 1;
+  // Decryption settings. Only applies to server side, and only accepts "none"
+  // for now.
+  string decryption = 2;
+  repeated Fallback fallbacks = 3;
+}
--- a/proxy/vless/inbound/errors.generated.go
+++ b/proxy/vless/inbound/errors.generated.go
@ -0,0 +1,9 @@
+package inbound
+
+import "github.com/xtls/xray-core/v1/common/errors"
+
+type errPathObjHolder struct{}
+
+func newError(values ...interface{}) *errors.Error {
+	return errors.New(values...).WithPathObj(errPathObjHolder{})
+}
--- a/proxy/vless/inbound/inbound.go
+++ b/proxy/vless/inbound/inbound.go
@ -0,0 +1,506 @@
+// +build !confonly
+
+package inbound
+
+//go:generate go run github.com/xtls/xray-core/v1/common/errors/errorgen
+
+import (
+	"context"
+	"io"
+	"strconv"
+	"syscall"
+	"time"
+
+	"github.com/xtls/xray-core/v1/common"
+	"github.com/xtls/xray-core/v1/common/buf"
+	"github.com/xtls/xray-core/v1/common/errors"
+	"github.com/xtls/xray-core/v1/common/log"
+	"github.com/xtls/xray-core/v1/common/net"
+	"github.com/xtls/xray-core/v1/common/platform"
+	"github.com/xtls/xray-core/v1/common/protocol"
+	"github.com/xtls/xray-core/v1/common/retry"
+	"github.com/xtls/xray-core/v1/common/session"
+	"github.com/xtls/xray-core/v1/common/signal"
+	"github.com/xtls/xray-core/v1/common/task"
+	core "github.com/xtls/xray-core/v1/core"
+	"github.com/xtls/xray-core/v1/features/dns"
+	feature_inbound "github.com/xtls/xray-core/v1/features/inbound"
+	"github.com/xtls/xray-core/v1/features/policy"
+	"github.com/xtls/xray-core/v1/features/routing"
+	"github.com/xtls/xray-core/v1/features/stats"
+	"github.com/xtls/xray-core/v1/proxy/vless"
+	"github.com/xtls/xray-core/v1/proxy/vless/encoding"
+	"github.com/xtls/xray-core/v1/transport/internet"
+	"github.com/xtls/xray-core/v1/transport/internet/tls"
+	"github.com/xtls/xray-core/v1/transport/internet/xtls"
+)
+
+var (
+	xtls_show = false
+)
+
+func init() {
+	common.Must(common.RegisterConfig((*Config)(nil), func(ctx context.Context, config interface{}) (interface{}, error) {
+		var dc dns.Client
+		if err := core.RequireFeatures(ctx, func(d dns.Client) error {
+			dc = d
+			return nil
+		}); err != nil {
+			return nil, err
+		}
+		return New(ctx, config.(*Config), dc)
+	}))
+
+	const defaultFlagValue = "NOT_DEFINED_AT_ALL"
+
+	xtlsShow := platform.NewEnvFlag("xray.vless.xtls.show").GetValue(func() string { return defaultFlagValue })
+	if xtlsShow == "true" {
+		xtls_show = true
+	}
+}
+
+// Handler is an inbound connection handler that handles messages in VLess protocol.
+type Handler struct {
+	inboundHandlerManager feature_inbound.Manager
+	policyManager         policy.Manager
+	validator             *vless.Validator
+	dns                   dns.Client
+	fallbacks             map[string]map[string]*Fallback // or nil
+	// regexps               map[string]*regexp.Regexp       // or nil
+}
+
+// New creates a new VLess inbound handler.
+func New(ctx context.Context, config *Config, dc dns.Client) (*Handler, error) {
+	v := core.MustFromContext(ctx)
+	handler := &Handler{
+		inboundHandlerManager: v.GetFeature(feature_inbound.ManagerType()).(feature_inbound.Manager),
+		policyManager:         v.GetFeature(policy.ManagerType()).(policy.Manager),
+		validator:             new(vless.Validator),
+		dns:                   dc,
+	}
+
+	for _, user := range config.Clients {
+		u, err := user.ToMemoryUser()
+		if err != nil {
+			return nil, newError("failed to get VLESS user").Base(err).AtError()
+		}
+		if err := handler.AddUser(ctx, u); err != nil {
+			return nil, newError("failed to initiate user").Base(err).AtError()
+		}
+	}
+
+	if config.Fallbacks != nil {
+		handler.fallbacks = make(map[string]map[string]*Fallback)
+		// handler.regexps = make(map[string]*regexp.Regexp)
+		for _, fb := range config.Fallbacks {
+			if handler.fallbacks[fb.Alpn] == nil {
+				handler.fallbacks[fb.Alpn] = make(map[string]*Fallback)
+			}
+			handler.fallbacks[fb.Alpn][fb.Path] = fb
+			/*
+				if fb.Path != "" {
+					if r, err := regexp.Compile(fb.Path); err != nil {
+						return nil, newError("invalid path regexp").Base(err).AtError()
+					} else {
+						handler.regexps[fb.Path] = r
+					}
+				}
+			*/
+		}
+		if handler.fallbacks[""] != nil {
+			for alpn, pfb := range handler.fallbacks {
+				if alpn != "" { // && alpn != "h2" {
+					for path, fb := range handler.fallbacks[""] {
+						if pfb[path] == nil {
+							pfb[path] = fb
+						}
+					}
+				}
+			}
+		}
+	}
+
+	return handler, nil
+}
+
+// Close implements common.Closable.Close().
+func (h *Handler) Close() error {
+	return errors.Combine(common.Close(h.validator))
+}
+
+// AddUser implements proxy.UserManager.AddUser().
+func (h *Handler) AddUser(ctx context.Context, u *protocol.MemoryUser) error {
+	return h.validator.Add(u)
+}
+
+// RemoveUser implements proxy.UserManager.RemoveUser().
+func (h *Handler) RemoveUser(ctx context.Context, e string) error {
+	return h.validator.Del(e)
+}
+
+// Network implements proxy.Inbound.Network().
+func (*Handler) Network() []net.Network {
+	return []net.Network{net.Network_TCP, net.Network_UNIX}
+}
+
+// Process implements proxy.Inbound.Process().
+func (h *Handler) Process(ctx context.Context, network net.Network, connection internet.Connection, dispatcher routing.Dispatcher) error {
+	sid := session.ExportIDToError(ctx)
+
+	iConn := connection
+	statConn, ok := iConn.(*internet.StatCouterConnection)
+	if ok {
+		iConn = statConn.Connection
+	}
+
+	sessionPolicy := h.policyManager.ForLevel(0)
+	if err := connection.SetReadDeadline(time.Now().Add(sessionPolicy.Timeouts.Handshake)); err != nil {
+		return newError("unable to set read deadline").Base(err).AtWarning()
+	}
+
+	first := buf.New()
+	defer first.Release()
+
+	firstLen, _ := first.ReadFrom(connection)
+	newError("firstLen = ", firstLen).AtInfo().WriteToLog(sid)
+
+	reader := &buf.BufferedReader{
+		Reader: buf.NewReader(connection),
+		Buffer: buf.MultiBuffer{first},
+	}
+
+	var request *protocol.RequestHeader
+	var requestAddons *encoding.Addons
+	var err error
+
+	apfb := h.fallbacks
+	isfb := apfb != nil
+
+	if isfb && firstLen < 18 {
+		err = newError("fallback directly")
+	} else {
+		request, requestAddons, isfb, err = encoding.DecodeRequestHeader(isfb, first, reader, h.validator)
+	}
+
+	if err != nil {
+		if isfb {
+			if err := connection.SetReadDeadline(time.Time{}); err != nil {
+				newError("unable to set back read deadline").Base(err).AtWarning().WriteToLog(sid)
+			}
+			newError("fallback starts").Base(err).AtInfo().WriteToLog(sid)
+
+			alpn := ""
+			if len(apfb) > 1 || apfb[""] == nil {
+				if tlsConn, ok := iConn.(*tls.Conn); ok {
+					alpn = tlsConn.ConnectionState().NegotiatedProtocol
+					newError("realAlpn = " + alpn).AtInfo().WriteToLog(sid)
+				} else if xtlsConn, ok := iConn.(*xtls.Conn); ok {
+					alpn = xtlsConn.ConnectionState().NegotiatedProtocol
+					newError("realAlpn = " + alpn).AtInfo().WriteToLog(sid)
+				}
+				if apfb[alpn] == nil {
+					alpn = ""
+				}
+			}
+			pfb := apfb[alpn]
+			if pfb == nil {
+				return newError(`failed to find the default "alpn" config`).AtWarning()
+			}
+
+			path := ""
+			if len(pfb) > 1 || pfb[""] == nil {
+				/*
+					if lines := bytes.Split(firstBytes, []byte{'\r', '\n'}); len(lines) > 1 {
+						if s := bytes.Split(lines[0], []byte{' '}); len(s) == 3 {
+							if len(s[0]) < 8 && len(s[1]) > 0 && len(s[2]) == 8 {
+								newError("realPath = " + string(s[1])).AtInfo().WriteToLog(sid)
+								for _, fb := range pfb {
+									if fb.Path != "" && h.regexps[fb.Path].Match(s[1]) {
+										path = fb.Path
+										break
+									}
+								}
+							}
+						}
+					}
+				*/
+				if firstLen >= 18 && first.Byte(4) != '*' { // not h2c
+					firstBytes := first.Bytes()
+					for i := 4; i <= 8; i++ { // 5 -> 9
+						if firstBytes[i] == '/' && firstBytes[i-1] == ' ' {
+							search := len(firstBytes)
+							if search > 64 {
+								search = 64 // up to about 60
+							}
+							for j := i + 1; j < search; j++ {
+								k := firstBytes[j]
+								if k == '\r' || k == '\n' { // avoid logging \r or \n
+									break
+								}
+								if k == ' ' {
+									path = string(firstBytes[i:j])
+									newError("realPath = " + path).AtInfo().WriteToLog(sid)
+									if pfb[path] == nil {
+										path = ""
+									}
+									break
+								}
+							}
+							break
+						}
+					}
+				}
+			}
+			fb := pfb[path]
+			if fb == nil {
+				return newError(`failed to find the default "path" config`).AtWarning()
+			}
+
+			ctx, cancel := context.WithCancel(ctx)
+			timer := signal.CancelAfterInactivity(ctx, cancel, sessionPolicy.Timeouts.ConnectionIdle)
+			ctx = policy.ContextWithBufferPolicy(ctx, sessionPolicy.Buffer)
+
+			var conn net.Conn
+			if err := retry.ExponentialBackoff(5, 100).On(func() error {
+				var dialer net.Dialer
+				conn, err = dialer.DialContext(ctx, fb.Type, fb.Dest)
+				if err != nil {
+					return err
+				}
+				return nil
+			}); err != nil {
+				return newError("failed to dial to " + fb.Dest).Base(err).AtWarning()
+			}
+			defer conn.Close()
+
+			serverReader := buf.NewReader(conn)
+			serverWriter := buf.NewWriter(conn)
+
+			postRequest := func() error {
+				defer timer.SetTimeout(sessionPolicy.Timeouts.DownlinkOnly)
+				if fb.Xver != 0 {
+					remoteAddr, remotePort, err := net.SplitHostPort(connection.RemoteAddr().String())
+					if err != nil {
+						return err
+					}
+					localAddr, localPort, err := net.SplitHostPort(connection.LocalAddr().String())
+					if err != nil {
+						return err
+					}
+					ipv4 := true
+					for i := 0; i < len(remoteAddr); i++ {
+						if remoteAddr[i] == ':' {
+							ipv4 = false
+							break
+						}
+					}
+					pro := buf.New()
+					defer pro.Release()
+					switch fb.Xver {
+					case 1:
+						if ipv4 {
+							pro.Write([]byte("PROXY TCP4 " + remoteAddr + " " + localAddr + " " + remotePort + " " + localPort + "\r\n"))
+						} else {
+							pro.Write([]byte("PROXY TCP6 " + remoteAddr + " " + localAddr + " " + remotePort + " " + localPort + "\r\n"))
+						}
+
+					case 2:
+						pro.Write([]byte("\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A\x21")) // signature + v2 + PROXY
+						if ipv4 {
+							pro.Write([]byte("\x11\x00\x0C")) // AF_INET + STREAM + 12 bytes
+							pro.Write(net.ParseIP(remoteAddr).To4())
+							pro.Write(net.ParseIP(localAddr).To4())
+						} else {
+							pro.Write([]byte("\x21\x00\x24")) // AF_INET6 + STREAM + 36 bytes
+							pro.Write(net.ParseIP(remoteAddr).To16())
+							pro.Write(net.ParseIP(localAddr).To16())
+						}
+						p1, _ := strconv.ParseUint(remotePort, 10, 16)
+						p2, _ := strconv.ParseUint(localPort, 10, 16)
+						pro.Write([]byte{byte(p1 >> 8), byte(p1), byte(p2 >> 8), byte(p2)})
+					}
+					if err := serverWriter.WriteMultiBuffer(buf.MultiBuffer{pro}); err != nil {
+						return newError("failed to set PROXY protocol v", fb.Xver).Base(err).AtWarning()
+					}
+				}
+				if err := buf.Copy(reader, serverWriter, buf.UpdateActivity(timer)); err != nil {
+					return newError("failed to fallback request payload").Base(err).AtInfo()
+				}
+				return nil
+			}
+
+			writer := buf.NewWriter(connection)
+
+			getResponse := func() error {
+				defer timer.SetTimeout(sessionPolicy.Timeouts.UplinkOnly)
+				if err := buf.Copy(serverReader, writer, buf.UpdateActivity(timer)); err != nil {
+					return newError("failed to deliver response payload").Base(err).AtInfo()
+				}
+				return nil
+			}
+
+			if err := task.Run(ctx, task.OnSuccess(postRequest, task.Close(serverWriter)), task.OnSuccess(getResponse, task.Close(writer))); err != nil {
+				common.Interrupt(serverReader)
+				common.Interrupt(serverWriter)
+				return newError("fallback ends").Base(err).AtInfo()
+			}
+			return nil
+		}
+
+		if errors.Cause(err) != io.EOF {
+			log.Record(&log.AccessMessage{
+				From:   connection.RemoteAddr(),
+				To:     "",
+				Status: log.AccessRejected,
+				Reason: err,
+			})
+			err = newError("invalid request from ", connection.RemoteAddr()).Base(err).AtInfo()
+		}
+		return err
+	}
+
+	if err := connection.SetReadDeadline(time.Time{}); err != nil {
+		newError("unable to set back read deadline").Base(err).AtWarning().WriteToLog(sid)
+	}
+	newError("received request for ", request.Destination()).AtInfo().WriteToLog(sid)
+
+	inbound := session.InboundFromContext(ctx)
+	if inbound == nil {
+		panic("no inbound metadata")
+	}
+	inbound.User = request.User
+
+	account := request.User.Account.(*vless.MemoryAccount)
+
+	responseAddons := &encoding.Addons{
+		// Flow: requestAddons.Flow,
+	}
+
+	var rawConn syscall.RawConn
+
+	switch requestAddons.Flow {
+	case vless.XRO, vless.XRD:
+		if account.Flow == requestAddons.Flow {
+			switch request.Command {
+			case protocol.RequestCommandMux:
+				return newError(requestAddons.Flow + " doesn't support Mux").AtWarning()
+			case protocol.RequestCommandUDP:
+				return newError(requestAddons.Flow + " doesn't support UDP").AtWarning()
+			case protocol.RequestCommandTCP:
+				if xtlsConn, ok := iConn.(*xtls.Conn); ok {
+					xtlsConn.RPRX = true
+					xtlsConn.SHOW = xtls_show
+					xtlsConn.MARK = "XTLS"
+					if requestAddons.Flow == vless.XRD {
+						xtlsConn.DirectMode = true
+						if sc, ok := xtlsConn.Connection.(syscall.Conn); ok {
+							rawConn, _ = sc.SyscallConn()
+						}
+					}
+				} else {
+					return newError(`failed to use ` + requestAddons.Flow + `, maybe "security" is not "xtls"`).AtWarning()
+				}
+			}
+		} else {
+			return newError(account.ID.String() + " is not able to use " + requestAddons.Flow).AtWarning()
+		}
+	case "":
+	default:
+		return newError("unknown request flow " + requestAddons.Flow).AtWarning()
+	}
+
+	if request.Command != protocol.RequestCommandMux {
+		ctx = log.ContextWithAccessMessage(ctx, &log.AccessMessage{
+			From:   connection.RemoteAddr(),
+			To:     request.Destination(),
+			Status: log.AccessAccepted,
+			Reason: "",
+			Email:  request.User.Email,
+		})
+	}
+
+	sessionPolicy = h.policyManager.ForLevel(request.User.Level)
+	ctx, cancel := context.WithCancel(ctx)
+	timer := signal.CancelAfterInactivity(ctx, cancel, sessionPolicy.Timeouts.ConnectionIdle)
+	ctx = policy.ContextWithBufferPolicy(ctx, sessionPolicy.Buffer)
+
+	link, err := dispatcher.Dispatch(ctx, request.Destination())
+	if err != nil {
+		return newError("failed to dispatch request to ", request.Destination()).Base(err).AtWarning()
+	}
+
+	serverReader := link.Reader // .(*pipe.Reader)
+	serverWriter := link.Writer // .(*pipe.Writer)
+
+	postRequest := func() error {
+		defer timer.SetTimeout(sessionPolicy.Timeouts.DownlinkOnly)
+
+		// default: clientReader := reader
+		clientReader := encoding.DecodeBodyAddons(reader, request, requestAddons)
+
+		var err error
+
+		if rawConn != nil {
+			var counter stats.Counter
+			if statConn != nil {
+				counter = statConn.ReadCounter
+			}
+			err = encoding.ReadV(clientReader, serverWriter, timer, iConn.(*xtls.Conn), rawConn, counter)
+		} else {
+			// from clientReader.ReadMultiBuffer to serverWriter.WriteMultiBufer
+			err = buf.Copy(clientReader, serverWriter, buf.UpdateActivity(timer))
+		}
+
+		if err != nil {
+			return newError("failed to transfer request payload").Base(err).AtInfo()
+		}
+
+		return nil
+	}
+
+	getResponse := func() error {
+		defer timer.SetTimeout(sessionPolicy.Timeouts.UplinkOnly)
+
+		bufferWriter := buf.NewBufferedWriter(buf.NewWriter(connection))
+		if err := encoding.EncodeResponseHeader(bufferWriter, request, responseAddons); err != nil {
+			return newError("failed to encode response header").Base(err).AtWarning()
+		}
+
+		// default: clientWriter := bufferWriter
+		clientWriter := encoding.EncodeBodyAddons(bufferWriter, request, responseAddons)
+		{
+			multiBuffer, err := serverReader.ReadMultiBuffer()
+			if err != nil {
+				return err // ...
+			}
+			if err := clientWriter.WriteMultiBuffer(multiBuffer); err != nil {
+				return err // ...
+			}
+		}
+
+		// Flush; bufferWriter.WriteMultiBufer now is bufferWriter.writer.WriteMultiBuffer
+		if err := bufferWriter.SetBuffered(false); err != nil {
+			return newError("failed to write A response payload").Base(err).AtWarning()
+		}
+
+		// from serverReader.ReadMultiBuffer to clientWriter.WriteMultiBufer
+		if err := buf.Copy(serverReader, clientWriter, buf.UpdateActivity(timer)); err != nil {
+			return newError("failed to transfer response payload").Base(err).AtInfo()
+		}
+
+		// Indicates the end of response payload.
+		switch responseAddons.Flow {
+		default:
+		}
+
+		return nil
+	}
+
+	if err := task.Run(ctx, task.OnSuccess(postRequest, task.Close(serverWriter)), getResponse); err != nil {
+		common.Interrupt(serverReader)
+		common.Interrupt(serverWriter)
+		return newError("connection ends").Base(err).AtInfo()
+	}
+
+	return nil
+}
--- a/proxy/vless/outbound/config.go
+++ b/proxy/vless/outbound/config.go
@ -0,0 +1,3 @@
+// +build !confonly
+
+package outbound
--- a/proxy/vless/outbound/config.pb.go
+++ b/proxy/vless/outbound/config.pb.go
@ -0,0 +1,163 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.25.0
+// 	protoc        v3.14.0
+// source: proxy/vless/outbound/config.proto
+
+package outbound
+
+import (
+	proto "github.com/golang/protobuf/proto"
+	protocol "github.com/xtls/xray-core/v1/common/protocol"
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+// This is a compile-time assertion that a sufficiently up-to-date version
+// of the legacy proto package is being used.
+const _ = proto.ProtoPackageIsVersion4
+
+type Config struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Vnext []*protocol.ServerEndpoint `protobuf:"bytes,1,rep,name=vnext,proto3" json:"vnext,omitempty"`
+}
+
+func (x *Config) Reset() {
+	*x = Config{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_proxy_vless_outbound_config_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *Config) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Config) ProtoMessage() {}
+
+func (x *Config) ProtoReflect() protoreflect.Message {
+	mi := &file_proxy_vless_outbound_config_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use Config.ProtoReflect.Descriptor instead.
+func (*Config) Descriptor() ([]byte, []int) {
+	return file_proxy_vless_outbound_config_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *Config) GetVnext() []*protocol.ServerEndpoint {
+	if x != nil {
+		return x.Vnext
+	}
+	return nil
+}
+
+var File_proxy_vless_outbound_config_proto protoreflect.FileDescriptor
+
+var file_proxy_vless_outbound_config_proto_rawDesc = []byte{
+	0x0a, 0x21, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x2f, 0x76, 0x6c, 0x65, 0x73, 0x73, 0x2f, 0x6f, 0x75,
+	0x74, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x70, 0x72,
+	0x6f, 0x74, 0x6f, 0x12, 0x19, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x2e,
+	0x76, 0x6c, 0x65, 0x73, 0x73, 0x2e, 0x6f, 0x75, 0x74, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x1a, 0x21,
+	0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2f,
+	0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x5f, 0x73, 0x70, 0x65, 0x63, 0x2e, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x22, 0x44, 0x0a, 0x06, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x3a, 0x0a, 0x05, 0x76,
+	0x6e, 0x65, 0x78, 0x74, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x24, 0x2e, 0x78, 0x72, 0x61,
+	0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f,
+	0x6c, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74,
+	0x52, 0x05, 0x76, 0x6e, 0x65, 0x78, 0x74, 0x42, 0x70, 0x0a, 0x1d, 0x63, 0x6f, 0x6d, 0x2e, 0x78,
+	0x72, 0x61, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x2e, 0x76, 0x6c, 0x65, 0x73, 0x73, 0x2e,
+	0x6f, 0x75, 0x74, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x50, 0x01, 0x5a, 0x31, 0x67, 0x69, 0x74, 0x68,
+	0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x78, 0x74, 0x6c, 0x73, 0x2f, 0x78, 0x72, 0x61, 0x79,
+	0x2d, 0x63, 0x6f, 0x72, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x2f, 0x76,
+	0x6c, 0x65, 0x73, 0x73, 0x2f, 0x6f, 0x75, 0x74, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0xaa, 0x02, 0x19,
+	0x58, 0x72, 0x61, 0x79, 0x2e, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x2e, 0x56, 0x6c, 0x65, 0x73, 0x73,
+	0x2e, 0x4f, 0x75, 0x74, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+	0x33,
+}
+
+var (
+	file_proxy_vless_outbound_config_proto_rawDescOnce sync.Once
+	file_proxy_vless_outbound_config_proto_rawDescData = file_proxy_vless_outbound_config_proto_rawDesc
+)
+
+func file_proxy_vless_outbound_config_proto_rawDescGZIP() []byte {
+	file_proxy_vless_outbound_config_proto_rawDescOnce.Do(func() {
+		file_proxy_vless_outbound_config_proto_rawDescData = protoimpl.X.CompressGZIP(file_proxy_vless_outbound_config_proto_rawDescData)
+	})
+	return file_proxy_vless_outbound_config_proto_rawDescData
+}
+
+var file_proxy_vless_outbound_config_proto_msgTypes = make([]protoimpl.MessageInfo, 1)
+var file_proxy_vless_outbound_config_proto_goTypes = []interface{}{
+	(*Config)(nil),                  // 0: xray.proxy.vless.outbound.Config
+	(*protocol.ServerEndpoint)(nil), // 1: xray.common.protocol.ServerEndpoint
+}
+var file_proxy_vless_outbound_config_proto_depIdxs = []int32{
+	1, // 0: xray.proxy.vless.outbound.Config.vnext:type_name -> xray.common.protocol.ServerEndpoint
+	1, // [1:1] is the sub-list for method output_type
+	1, // [1:1] is the sub-list for method input_type
+	1, // [1:1] is the sub-list for extension type_name
+	1, // [1:1] is the sub-list for extension extendee
+	0, // [0:1] is the sub-list for field type_name
+}
+
+func init() { file_proxy_vless_outbound_config_proto_init() }
+func file_proxy_vless_outbound_config_proto_init() {
+	if File_proxy_vless_outbound_config_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_proxy_vless_outbound_config_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*Config); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_proxy_vless_outbound_config_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   1,
+			NumExtensions: 0,
+			NumServices:   0,
+		},
+		GoTypes:           file_proxy_vless_outbound_config_proto_goTypes,
+		DependencyIndexes: file_proxy_vless_outbound_config_proto_depIdxs,
+		MessageInfos:      file_proxy_vless_outbound_config_proto_msgTypes,
+	}.Build()
+	File_proxy_vless_outbound_config_proto = out.File
+	file_proxy_vless_outbound_config_proto_rawDesc = nil
+	file_proxy_vless_outbound_config_proto_goTypes = nil
+	file_proxy_vless_outbound_config_proto_depIdxs = nil
+}
--- a/proxy/vless/outbound/config.proto
+++ b/proxy/vless/outbound/config.proto
@ -0,0 +1,13 @@
+syntax = "proto3";
+
+package xray.proxy.vless.outbound;
+option csharp_namespace = "Xray.Proxy.Vless.Outbound";
+option go_package = "github.com/xtls/xray-core/v1/proxy/vless/outbound";
+option java_package = "com.xray.proxy.vless.outbound";
+option java_multiple_files = true;
+
+import "common/protocol/server_spec.proto";
+
+message Config {
+  repeated xray.common.protocol.ServerEndpoint vnext = 1;
+}
--- a/proxy/vless/outbound/errors.generated.go
+++ b/proxy/vless/outbound/errors.generated.go
@ -0,0 +1,9 @@
+package outbound
+
+import "github.com/xtls/xray-core/v1/common/errors"
+
+type errPathObjHolder struct{}
+
+func newError(values ...interface{}) *errors.Error {
+	return errors.New(values...).WithPathObj(errPathObjHolder{})
+}
--- a/proxy/vless/outbound/outbound.go
+++ b/proxy/vless/outbound/outbound.go
@ -0,0 +1,240 @@
+// +build !confonly
+
+package outbound
+
+//go:generate go run github.com/xtls/xray-core/v1/common/errors/errorgen
+
+import (
+	"context"
+	"syscall"
+	"time"
+
+	"github.com/xtls/xray-core/v1/common"
+	"github.com/xtls/xray-core/v1/common/buf"
+	"github.com/xtls/xray-core/v1/common/net"
+	"github.com/xtls/xray-core/v1/common/platform"
+	"github.com/xtls/xray-core/v1/common/protocol"
+	"github.com/xtls/xray-core/v1/common/retry"
+	"github.com/xtls/xray-core/v1/common/session"
+	"github.com/xtls/xray-core/v1/common/signal"
+	"github.com/xtls/xray-core/v1/common/task"
+	core "github.com/xtls/xray-core/v1/core"
+	"github.com/xtls/xray-core/v1/features/policy"
+	"github.com/xtls/xray-core/v1/features/stats"
+	"github.com/xtls/xray-core/v1/proxy/vless"
+	"github.com/xtls/xray-core/v1/proxy/vless/encoding"
+	"github.com/xtls/xray-core/v1/transport"
+	"github.com/xtls/xray-core/v1/transport/internet"
+	"github.com/xtls/xray-core/v1/transport/internet/xtls"
+)
+
+var (
+	xtls_show = false
+)
+
+func init() {
+	common.Must(common.RegisterConfig((*Config)(nil), func(ctx context.Context, config interface{}) (interface{}, error) {
+		return New(ctx, config.(*Config))
+	}))
+
+	const defaultFlagValue = "NOT_DEFINED_AT_ALL"
+
+	xtlsShow := platform.NewEnvFlag("xray.vless.xtls.show").GetValue(func() string { return defaultFlagValue })
+	if xtlsShow == "true" {
+		xtls_show = true
+	}
+}
+
+// Handler is an outbound connection handler for VLess protocol.
+type Handler struct {
+	serverList    *protocol.ServerList
+	serverPicker  protocol.ServerPicker
+	policyManager policy.Manager
+}
+
+// New creates a new VLess outbound handler.
+func New(ctx context.Context, config *Config) (*Handler, error) {
+	serverList := protocol.NewServerList()
+	for _, rec := range config.Vnext {
+		s, err := protocol.NewServerSpecFromPB(rec)
+		if err != nil {
+			return nil, newError("failed to parse server spec").Base(err).AtError()
+		}
+		serverList.AddServer(s)
+	}
+
+	v := core.MustFromContext(ctx)
+	handler := &Handler{
+		serverList:    serverList,
+		serverPicker:  protocol.NewRoundRobinServerPicker(serverList),
+		policyManager: v.GetFeature(policy.ManagerType()).(policy.Manager),
+	}
+
+	return handler, nil
+}
+
+// Process implements proxy.Outbound.Process().
+func (h *Handler) Process(ctx context.Context, link *transport.Link, dialer internet.Dialer) error {
+	var rec *protocol.ServerSpec
+	var conn internet.Connection
+
+	if err := retry.ExponentialBackoff(5, 200).On(func() error {
+		rec = h.serverPicker.PickServer()
+		var err error
+		conn, err = dialer.Dial(ctx, rec.Destination())
+		if err != nil {
+			return err
+		}
+		return nil
+	}); err != nil {
+		return newError("failed to find an available destination").Base(err).AtWarning()
+	}
+	defer conn.Close()
+
+	iConn := conn
+	statConn, ok := iConn.(*internet.StatCouterConnection)
+	if ok {
+		iConn = statConn.Connection
+	}
+
+	outbound := session.OutboundFromContext(ctx)
+	if outbound == nil || !outbound.Target.IsValid() {
+		return newError("target not specified").AtError()
+	}
+
+	target := outbound.Target
+	newError("tunneling request to ", target, " via ", rec.Destination()).AtInfo().WriteToLog(session.ExportIDToError(ctx))
+
+	command := protocol.RequestCommandTCP
+	if target.Network == net.Network_UDP {
+		command = protocol.RequestCommandUDP
+	}
+	if target.Address.Family().IsDomain() && target.Address.Domain() == "v1.mux.cool" {
+		command = protocol.RequestCommandMux
+	}
+
+	request := &protocol.RequestHeader{
+		Version: encoding.Version,
+		User:    rec.PickUser(),
+		Command: command,
+		Address: target.Address,
+		Port:    target.Port,
+	}
+
+	account := request.User.Account.(*vless.MemoryAccount)
+
+	requestAddons := &encoding.Addons{
+		Flow: account.Flow,
+	}
+
+	var rawConn syscall.RawConn
+
+	allowUDP443 := false
+	switch requestAddons.Flow {
+	case vless.XRO + "-udp443", vless.XRD + "-udp443":
+		allowUDP443 = true
+		requestAddons.Flow = requestAddons.Flow[:16]
+		fallthrough
+	case vless.XRO, vless.XRD:
+		switch request.Command {
+		case protocol.RequestCommandMux:
+			return newError(requestAddons.Flow + " doesn't support Mux").AtWarning()
+		case protocol.RequestCommandUDP:
+			if !allowUDP443 && request.Port == 443 {
+				return newError(requestAddons.Flow + " stopped UDP/443").AtInfo()
+			}
+			requestAddons.Flow = ""
+		case protocol.RequestCommandTCP:
+			if xtlsConn, ok := iConn.(*xtls.Conn); ok {
+				xtlsConn.RPRX = true
+				xtlsConn.SHOW = xtls_show
+				xtlsConn.MARK = "XTLS"
+				if requestAddons.Flow == vless.XRD {
+					xtlsConn.DirectMode = true
+					if sc, ok := xtlsConn.Connection.(syscall.Conn); ok {
+						rawConn, _ = sc.SyscallConn()
+					}
+				}
+			} else {
+				return newError(`failed to use ` + requestAddons.Flow + `, maybe "security" is not "xtls"`).AtWarning()
+			}
+		}
+	default:
+		if _, ok := iConn.(*xtls.Conn); ok {
+			panic(`To avoid misunderstanding, you must fill in VLESS "flow" when using XTLS.`)
+		}
+	}
+
+	sessionPolicy := h.policyManager.ForLevel(request.User.Level)
+	ctx, cancel := context.WithCancel(ctx)
+	timer := signal.CancelAfterInactivity(ctx, cancel, sessionPolicy.Timeouts.ConnectionIdle)
+
+	clientReader := link.Reader // .(*pipe.Reader)
+	clientWriter := link.Writer // .(*pipe.Writer)
+
+	postRequest := func() error {
+		defer timer.SetTimeout(sessionPolicy.Timeouts.DownlinkOnly)
+
+		bufferWriter := buf.NewBufferedWriter(buf.NewWriter(conn))
+		if err := encoding.EncodeRequestHeader(bufferWriter, request, requestAddons); err != nil {
+			return newError("failed to encode request header").Base(err).AtWarning()
+		}
+
+		// default: serverWriter := bufferWriter
+		serverWriter := encoding.EncodeBodyAddons(bufferWriter, request, requestAddons)
+		if err := buf.CopyOnceTimeout(clientReader, serverWriter, time.Millisecond*100); err != nil && err != buf.ErrNotTimeoutReader && err != buf.ErrReadTimeout {
+			return err // ...
+		}
+
+		// Flush; bufferWriter.WriteMultiBufer now is bufferWriter.writer.WriteMultiBuffer
+		if err := bufferWriter.SetBuffered(false); err != nil {
+			return newError("failed to write A request payload").Base(err).AtWarning()
+		}
+
+		// from clientReader.ReadMultiBuffer to serverWriter.WriteMultiBufer
+		if err := buf.Copy(clientReader, serverWriter, buf.UpdateActivity(timer)); err != nil {
+			return newError("failed to transfer request payload").Base(err).AtInfo()
+		}
+
+		// Indicates the end of request payload.
+		switch requestAddons.Flow {
+		default:
+		}
+		return nil
+	}
+
+	getResponse := func() error {
+		defer timer.SetTimeout(sessionPolicy.Timeouts.UplinkOnly)
+
+		responseAddons, err := encoding.DecodeResponseHeader(conn, request)
+		if err != nil {
+			return newError("failed to decode response header").Base(err).AtInfo()
+		}
+
+		// default: serverReader := buf.NewReader(conn)
+		serverReader := encoding.DecodeBodyAddons(conn, request, responseAddons)
+
+		if rawConn != nil {
+			var counter stats.Counter
+			if statConn != nil {
+				counter = statConn.ReadCounter
+			}
+			err = encoding.ReadV(serverReader, clientWriter, timer, iConn.(*xtls.Conn), rawConn, counter)
+		} else {
+			// from serverReader.ReadMultiBuffer to clientWriter.WriteMultiBufer
+			err = buf.Copy(serverReader, clientWriter, buf.UpdateActivity(timer))
+		}
+
+		if err != nil {
+			return newError("failed to transfer response payload").Base(err).AtInfo()
+		}
+
+		return nil
+	}
+
+	if err := task.Run(ctx, postRequest, task.OnSuccess(getResponse, task.Close(clientWriter))); err != nil {
+		return newError("connection ends").Base(err).AtInfo()
+	}
+
+	return nil
+}
--- a/proxy/vless/validator.go
+++ b/proxy/vless/validator.go
@ -0,0 +1,54 @@
+// +build !confonly
+
+package vless
+
+import (
+	"strings"
+	"sync"
+
+	"github.com/xtls/xray-core/v1/common/protocol"
+	"github.com/xtls/xray-core/v1/common/uuid"
+)
+
+// Validator stores valid VLESS users.
+type Validator struct {
+	// Considering email's usage here, map + sync.Mutex/RWMutex may have better performance.
+	email sync.Map
+	users sync.Map
+}
+
+// Add a VLESS user, Email must be empty or unique.
+func (v *Validator) Add(u *protocol.MemoryUser) error {
+	if u.Email != "" {
+		_, loaded := v.email.LoadOrStore(strings.ToLower(u.Email), u)
+		if loaded {
+			return newError("User ", u.Email, " already exists.")
+		}
+	}
+	v.users.Store(u.Account.(*MemoryAccount).ID.UUID(), u)
+	return nil
+}
+
+// Del a VLESS user with a non-empty Email.
+func (v *Validator) Del(e string) error {
+	if e == "" {
+		return newError("Email must not be empty.")
+	}
+	le := strings.ToLower(e)
+	u, _ := v.email.Load(le)
+	if u == nil {
+		return newError("User ", e, " not found.")
+	}
+	v.email.Delete(le)
+	v.users.Delete(u.(*protocol.MemoryUser).Account.(*MemoryAccount).ID.UUID())
+	return nil
+}
+
+// Get a VLESS user with UUID, nil if user doesn't exist.
+func (v *Validator) Get(id uuid.UUID) *protocol.MemoryUser {
+	u, _ := v.users.Load(id)
+	if u != nil {
+		return u.(*protocol.MemoryUser)
+	}
+	return nil
+}
--- a/proxy/vless/vless.go
+++ b/proxy/vless/vless.go
@ -0,0 +1,13 @@
+// Package vless contains the implementation of VLess protocol and transportation.
+//
+// VLess contains both inbound and outbound connections. VLess inbound is usually used on servers
+// together with 'freedom' to talk to final destination, while VLess outbound is usually used on
+// clients with 'socks' for proxying.
+package vless
+
+//go:generate go run github.com/xtls/xray-core/v1/common/errors/errorgen
+
+const (
+	XRO = "xtls-rprx-origin"
+	XRD = "xtls-rprx-direct"
+)