5. Inbounds and Traffic Capture#
Inbounds determine how traffic enters Link1. This chapter introduces them from basic to advanced.
Inbound Overview#
| Field/Config | Type | Use Case | Requires Explicit Client Configuration |
|---|---|---|---|
mixed-port | HTTP + SOCKS5 mixed proxy | Local browsers, system proxy, manual LAN proxy | Yes |
port | HTTP proxy | Clients that only need an HTTP proxy | Yes |
socks-port | SOCKS5 proxy | Clients that support SOCKS5 | Yes |
redir-port | Linux REDIRECT transparent proxy | Router-based transparent TCP capture | No |
tproxy-port | Linux TPROXY transparent proxy | Router-based transparent TCP/UDP capture | No |
tun | Virtual network interface | Global capture on desktop/router/mobile | No, or configured by the system VPN/TUN |
app-proxy | Application transparent proxy | Desktop per-application/process capture | No, or authorized by the platform |
listeners | Protocol server | Link1 as a VLESS/Hysteria2 server | Remote clients must configure the protocol |
Explicit Proxy Entrances#
mixed-port#
mixed-port: 7890Meaning: accepts both HTTP proxy and SOCKS5 requests on the same port.
Practical impact:
- Best for beginners and desktop users.
- Works with browsers, system proxy settings, and curl.
- SOCKS5 clients can also connect to this port.
port#
port: 7891Meaning: enables only an HTTP proxy entrance.
Practical impact:
- Clients must use the HTTP proxy protocol.
- HTTPS sites are tunneled through HTTP CONNECT.
socks-port#
socks-port: 7892Meaning: enables only a SOCKS5 entrance.
Practical impact:
- Clients can either resolve DNS locally or pass domain names to SOCKS5.
- If the client passes IP addresses to Link1, domain-based rules may not match.
Listen Address and LAN Access#
allow-lan: true
bind-address: '*'
authentication:
- alice:password
skip-auth-prefixes:
- 127.0.0.1/32
lan-allowed-ips:
- 192.168.0.0/16
lan-disallowed-ips:
- 192.168.9.99/32Field impact:
| Field | Meaning | Practical Impact |
|---|---|---|
allow-lan | Whether to allow LAN access to explicit proxy entrances | false is safer; true is required for other devices to use them |
bind-address | Listen address | 127.0.0.1 only listens locally; * / 0.0.0.0 exposes all interfaces |
authentication | HTTP/SOCKS username and password list | Clients must provide authentication in user:pass format |
skip-auth-prefixes | Source IP ranges that skip authentication | Commonly used for localhost or trusted intranets |
lan-allowed-ips | Source IP ranges allowed to access | Reduces exposure |
lan-disallowed-ips | Source IP ranges denied access | A denylist used to exclude devices, with priority |
Transparent Proxy Entrances#
Transparent proxying sends traffic into Link1 through system routes or firewall rules, without requiring clients to configure a proxy manually.
redir-port#
redir-port: 7893Meaning: Linux REDIRECT TCP transparent proxy entrance.
Practical impact:
- Commonly used for TCP transparent proxying on OpenWrt/routers.
- Requires iptables/nftables rules to redirect TCP traffic to this port.
- Mainly handles TCP and is not the preferred choice for UDP.
tproxy-port#
tproxy-port: 7894Meaning: Linux TPROXY transparent proxy entrance.
Practical impact:
- Better suited for TCP + UDP transparent proxying.
- Requires Linux policy routing together with iptables/nftables.
- Non-Linux platforms reject it at compile time.
Conflict with TUN#
If TUN auto-route or auto-redirect is enabled while redir-port/tproxy-port is also used, the same traffic may be captured twice. Link1 checks for these conflicts during configuration compilation.
Application Transparent Proxy app-proxy#
app-proxy:
enable: true
bypass-self: true
fail-open: trueapp-proxy is a per-application transparent proxy entrance for desktop systems. It uses platform capabilities to capture traffic initiated by applications, passes metadata such as destination address, process name, process path, and Bundle ID to the Link1 core, and then lets normal rules decide which policy group or outbound to use.
User configuration only exposes the app-proxy concept. You do not need to, and cannot, specify the underlying backend. Link1 selects the internal implementation by runtime platform: Network Extension on macOS/Darwin, WinDivert on Windows, and NFQUEUE on Linux. The platform capture layer only passes traffic and process metadata to the core; it does not maintain a second rule engine.
macOS App Proxy requires the host App/Extension to have the relevant Apple Network Extension entitlements, such as the App Proxy capability under com.apple.developer.networking.networkextension. The Go core in the current repository already provides app-proxy integration, metadata passthrough, and fallback protection for self-traffic. Actual Network Extension installation/authorization still depends on macOS app packaging and developer account configuration.
Field impact:
| Field | Meaning | Default/Limit |
|---|---|---|
enable | Enables application transparent proxying | Available on desktop platforms; actual capture capability depends on whether the platform bridge is linked into the build |
bypass-self | Enables fallback protection for Link1's own traffic | Default true; the platform layer should still actually exclude self-traffic |
fail-open | Prefer restoring direct connectivity/network availability when the platform bridge fails | Default true; exact behavior depends on the platform bridge |
Practical impact:
- Suitable for desktop scenarios where you do not want global TUN but still want transparent per-application capture.
- Process matching is still written in
rules, such asPROCESS-NAMEandPROCESS-PATH; the platform layer does not maintain a second rule engine.
- Cannot be enabled together with
tun, to avoid capturing the same traffic twice.
bypass-selfis a core-side fallback against recursion: if the platform bridge misses Link1's own traffic, Link1 rejects such self-captured flows to avoid infinite recursion. Truly transparent bypass still requires the platform bridge to exclude the Link1 process.
- Windows uses WinDivert for packet rewrite and then forwards traffic into the local app-proxy relay; administrator privileges and a loadable WinDivert driver/DLL are required.
- Linux uses NFQUEUE + mark + REDIRECT and then forwards traffic into the local app-proxy relay; root/CAP_NET_ADMIN, kernel NFQUEUE support, and available
iptablesare required.
TUN Inbound#
TUN creates a virtual network interface and lets the system hand IP packets to Link1.
Explicit proxies only capture applications that are willing to use a proxy. TUN is more like inserting a virtual network interface into the system. The system first sends IP packets originally destined for the internet to this virtual interface, and Link1 then decides how to send them out based on DNS, Sniffer, rules, and policy groups. It is suitable for applications that do not support proxy settings, global capture on mobile/desktop, and router gateway mode.
Why TUN Often Needs DNS Hijacking and Fake-IP#
The most common beginner issue is: TUN is enabled and websites load, but DOMAIN-SUFFIX rules do not match. The reason is that the TUN layer naturally sees IP packets, which usually only contain the "destination IP:port" and may not contain the original domain name.
DNS hijacking and Fake-IP can be understood like this:
The app queries www.example.com
-> Link1 DNS returns a Fake-IP, for example 198.18.1.23
-> The app connects to 198.18.1.23:443
-> TUN hands the connection to Link1
-> Link1 maps the Fake-IP back to www.example.com
-> Domain rules can matchIf DNS is not captured, the application may first obtain a real IP from the system DNS and then send that real IP directly into TUN. Link1 can still handle it with IP-based rules, and it can also try to recover the domain name from TLS SNI/HTTP Host/QUIC SNI using Sniffer. However, this is not reliable for every connection: some applications encrypt SNI, reuse connections, access IPs directly, or cause sniffing to fail during the UDP/QUIC phase.
Therefore, the recommended TUN combination is:
dns.enable: true: let Link1 handle DNS.
dns.enhanced-mode: fake-ip: establish mappings between domains and Fake-IP addresses.
tun.dns-hijack: [any:53]: route DNS queries from the device into Link1.
sniffer.enable: true: use connection content as a supplement to help recover domain names, but do not treat it as a replacement for DNS.
Domains that are not suitable for Fake-IP should be added to fake-ip-filter, such as router management domains, LAN discovery, printers, casting, .local / .lan, and similar names. Otherwise, applications may fail to complete LAN discovery after receiving a Fake-IP.
Minimal TUN Example#
dns:
enable: true
enhanced-mode: fake-ip
fake-ip-range: 198.18.0.1/16
tun:
enable: true
backend: auto
auto-route: true
auto-detect-interface: true
dns-hijack:
- any:53Core TUN Fields#
| Field | Meaning | Practical Impact |
|---|---|---|
enable | Enables TUN | Creates/uses a virtual network interface to capture IP traffic |
backend | TUN backend, auto/native/packet-tunnel | auto selects by platform; packet-tunnel is only suitable for Darwin platforms |
device | TUN device name | Commonly used on Linux/native; the platform may auto-name it when empty |
mtu | Virtual interface MTU | Default 1500; values too large or too small affect fragmentation and throughput |
auto-route | Automatically configures routes | Sends the system default route into TUN |
auto-detect-interface | Automatically detects the outbound interface | Reduces the need to manually specify the physical interface name |
strict-route | Applies stricter route constraints | Reduces traffic leak risk but may affect LAN access |
dns-hijack | Hijacks DNS queries | Sends device DNS into Link1 and improves domain rule match rate |
udp-timeout | UDP NAT mapping timeout, in seconds | Default 300; affects UDP session retention |
endpoint-independent-nat | Endpoint-independent NAT | Changes UDP NAT reuse semantics |
TUN Routing Fields#
| Field | Meaning | Practical Impact |
|---|---|---|
route-address | CIDRs to capture | Only routes these destination networks into TUN |
route-exclude-address | CIDRs to exclude | Prevents intranet, reserved addresses, or special services from going through TUN |
route-address-set | References an ipcidr rule set as captured networks | Suitable for maintaining many CIDRs |
route-exclude-address-set | References an ipcidr rule set as excluded networks | Suitable for maintaining many excluded CIDRs |
inet4-address / inet6-address | TUN interface's own address | If IPv4 is not specified, it is derived from the Fake-IP range |
inet4-route-address / inet6-route-address | Captured routes by IP family | Controls IPv4/IPv6 separately |
inet4-route-exclude-address / inet6-route-exclude-address | Excluded routes by IP family | Controls IPv4/IPv6 exclusions separately |
Default exclusions protect common intranet/reserved addresses, such as 10.0.0.0/8, 192.168.0.0/16, and 127.0.0.0/8, to avoid incorrectly sending management traffic into TUN.
TUN Selector Fields#
These fields only affect which local traffic enters TUN and are mainly used on Linux/Android:
| Field | Meaning |
|---|---|
include-interface / exclude-interface | Include/exclude by network interface |
include-uid / include-uid-range | Include by UID |
exclude-uid / exclude-uid-range | Exclude by UID |
exclude-src-port / exclude-src-port-range | Exclude by source port |
exclude-dst-port / exclude-dst-port-range | Exclude by destination port |
include-android-user | Include Android user ID |
include-package / exclude-package | Include/exclude by Android package name |
If auto-route=false, these route selectors are reset to zero or do not take effect, because Link1 is not responsible for automatic routing.
Linux Policy Routing Fields#
| Field | Meaning | Default/Limit |
|---|---|---|
iproute2-table-index | Linux routing table number | Default 2022; reserved tables 253/254/255 cannot be used |
iproute2-rule-index | Linux rule priority | Default 9000 |
auto-redirect | Automatic redirect rules | Linux/Android related |
auto-redirect-input-mark | Inbound mark | Default is related to the table index |
auto-redirect-output-mark | Outbound mark | Default is related to the table index |
auto-redirect-iproute2-fallback-rule-index | fallback rule index | Must be less than iproute2-rule-index |
Sniffer#
Sniffer identifies domain names from connection content.
sniffer:
enable: true
override-destination: true
force-dns-mapping: true
parse-pure-ip: true
sniff:
HTTP:
ports: [80, 8080]
override-destination: true
TLS:
ports: [443]
QUIC:
ports: [443]
force-domain:
- '+.example.com'
skip-domain:
- '+.lan'
skip-src-address:
- 192.168.0.0/16Field impact:
| Field | Meaning |
|---|---|
enable | Enables sniffing |
override-destination | Whether to rewrite the actual outbound destination after a domain is sniffed; when disabled, SniffHost can still be recorded for rules/observability |
force-dns-mapping | Tries to recover domains using DNS mappings |
parse-pure-ip | Whether to parse pure-IP destinations |
sniffing | Compatibility field that declares enabled sniffing protocols |
port-whitelist | Only sniff on specified ports |
sniff.HTTP/TLS/QUIC.ports | Specifies ports per protocol |
force-domain | Domain patterns that force sniffing even when a target host already exists; does not bypass override-destination |
skip-domain | Domain patterns to skip sniffing |
skip-src-address | Skip by source address |
skip-dst-address | Skip by destination address |
Protocol Listeners#
listeners lets Link1 act as a server and accept protocol connections. Current configuration validation accepts: mixed, http, socks, redir, tproxy, tun, vless, and hysteria2. The main server-side protocols are VLESS and Hysteria2.
For details, see Outbound Protocol Configuration: Inbound Protocol Listeners.