Merge pull request #4999 from fatedier/dev

bump version
bump version to v0.65.0 and update release notes (#4998 )
2025-09-25 20:23:42 +08:00 · 2025-09-25 20:11:17 +08:00 · 2025-09-25 16:50:14 +08:00 · 2025-09-25 16:47:33 +08:00 · 2025-09-25 10:19:19 +08:00 · 2025-09-23 00:18:49 +08:00
86 changed files with 2158 additions and 592 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -2,7 +2,7 @@ version: 2
 jobs:
  go-version-latest:
    docker:
-    - image: cimg/go:1.23-node
+    - image: cimg/go:1.24-node
    resource_class: large
    steps:
    - checkout
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -17,26 +17,10 @@ jobs:
    - uses: actions/checkout@v4
    - uses: actions/setup-go@v5
      with:
-        go-version: '1.23'
+        go-version: '1.24'
        cache: false
    - name: golangci-lint
-      uses: golangci/golangci-lint-action@v4
+      uses: golangci/golangci-lint-action@v8
      with:
        # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
-        version: v1.61
+        version: v2.3
        # Optional: golangci-lint command line arguments.
        # args: --issues-exit-code=0
        # Optional: show only new issues if it's a pull request. The default value is `false`.
        # only-new-issues: true
        # Optional: if set to true then the all caching functionality will be complete disabled,
        #           takes precedence over all other caching options.
        # skip-cache: true
        # Optional: if set to true then the action don't cache or restore ~/go/pkg.
        # skip-pkg-cache: true
        # Optional: if set to true then the action don't cache or restore ~/.cache/go-build.
        # skip-build-cache: true
--- a/.github/workflows/goreleaser.yml
+++ b/.github/workflows/goreleaser.yml
@@ -15,7 +15,7 @@ jobs:
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
-          go-version: '1.23'
+          go-version: '1.24'
      - name: Make All
        run: |
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -1,4 +1,4 @@
-name: "Close stale issues"
+name: "Close stale issues and PRs"
 on:
  schedule:
  - cron: "20 0 * * *"
--- a/.gitignore
+++ b/.gitignore
@@ -39,3 +39,6 @@ client.key
 # Cache
 *.swp
 # AI
 CLAUDE.md
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,139 +1,115 @@
-service:
+version: "2"
  golangci-lint-version: 1.61.x # use the fixed version to not introduce new linters unexpectedly
 run:
  concurrency: 4
  # timeout for analysis, e.g. 30s, 5m, default is 1m
  timeout: 20m
  build-tags:
  - integ
  - integfuzz
 linters:
-  disable-all: true
+  default: none
  enable:
-  - unused
+  - asciicheck
  - errcheck
  - copyloopvar
  - errcheck
  - gocritic
-  - gofumpt
+  - gosec
  - goimports
  - revive
  - gosimple
  - govet
  - ineffassign
  - lll
  - makezero
  - misspell
  - staticcheck
  - stylecheck
  - typecheck
  - unconvert
  - unparam
  - gci
  - gosec
  - asciicheck
  - prealloc
  - predeclared
-  - makezero
+  - revive
-  fast: false
+  - staticcheck
-
+  - unconvert
-linters-settings:
+  - unparam
-  errcheck:
+  - unused
-    # report about not checking of errors in type assetions: `a := b.(MyStruct)`;
+  settings:
-    # default is false: such cases aren't reported by default.
+    errcheck:
-    check-type-assertions: false
+      check-type-assertions: false
-
+      check-blank: false
-    # report about assignment of errors to blank identifier: `num, _ := strconv.Atoi(numStr)`;
+    gocritic:
-    # default is false: such cases aren't reported by default.
+      disabled-checks:
-    check-blank: false
+      - exitAfterDefer
-  govet:
+    gosec:
-    # report about shadowed variables
+      excludes:
-    disable:
+      - G401
-    - shadow
+      - G402
-  maligned:
+      - G404
-    # print struct with more effective memory layout or not, false by default
+      - G501
-    suggest-new: true
+      - G115
-  misspell:
+      severity: low
-    # Correct spellings using locale preferences for US or UK.
+      confidence: low
-    # Default is to use a neutral variety of English.
+    govet:
-    # Setting locale to US will correct the British spelling of 'colour' to 'color'.
+      disable:
-    locale: US
+      - shadow
-    ignore-words:
+    lll:
-    - cancelled
+      line-length: 160
-    - marshalled
+      tab-width: 1
-  lll:
+    misspell:
-    # max line length, lines longer will be reported. Default is 120.
+      locale: US
-    # '\t' is counted as 1 character by default, and can be changed with the tab-width option
+      ignore-rules:
-    line-length: 160
+      - cancelled
-    # tab width in spaces. Default to 1.
+      - marshalled
-    tab-width: 1
+    unparam:
-  gocritic:
+      check-exported: false
-    disabled-checks:
+  exclusions:
-    - exitAfterDefer
+    generated: lax
-  unused:
+    presets:
-    check-exported: false
+    - comments
-  unparam:
+    - common-false-positives
-    # Inspect exported functions, default is false. Set to true if no external program/library imports your code.
+    - legacy
-    # XXX: if you enable this setting, unparam will report a lot of false-positives in text editors:
+    - std-error-handling
-    # if it's called for subdir of a project it can't find external interfaces. All text editor integrations
+    rules:
-    # with golangci-lint call it on a directory with the changed file.
+    - linters:
-    check-exported: false
+      - errcheck
-  gci:
+      - maligned
-    sections:
+      path: _test\.go$|^tests/|^samples/
-    - standard
+    - linters:
-    - default
+      - revive
-    - prefix(github.com/fatedier/frp/)
+      - staticcheck
-  gosec:
+      text: use underscores in Go names
-    severity: "low"
+    - linters:
-    confidence: "low"
+      - revive
-    excludes:
+      text: unused-parameter
-    - G401
+    - linters:
-    - G402
+      - revive
-    - G404
+      text: "avoid meaningless package names"
-    - G501
+    - linters:
-    - G115 # integer overflow conversion
+      - unparam
-
+      text: is always false
    paths:
    - .*\.pb\.go
    - .*\.gen\.go
    - genfiles$
    - vendor$
    - bin$
    - third_party$
    - builtin$
    - examples$
 formatters:
  enable:
  - gci
  - gofumpt
  - goimports
  settings:
    gci:
      sections:
      - standard
      - default
      - prefix(github.com/fatedier/frp/)
  exclusions:
    generated: lax
    paths:
    - .*\.pb\.go
    - .*\.gen\.go
    - genfiles$
    - vendor$
    - bin$
    - third_party$
    - builtin$
    - examples$
 issues:
-  # List of regexps of issue texts to exclude, empty list by default.
+  max-issues-per-linter: 0
  # But independently from this option we use default exclude patterns,
  # it can be disabled by `exclude-use-default: false`. To list all
  # excluded by default patterns execute `golangci-lint run --help`
  # exclude:
  #  - composite literal uses unkeyed fields
  exclude-rules:
  # Exclude some linters from running on test files.
  - path: _test\.go$|^tests/|^samples/
    linters:
    - errcheck
    - maligned
  - linters:
    - revive
    - stylecheck
    text: "use underscores in Go names"
  - linters:
    - revive
    text: "unused-parameter"
  - linters:
    - unparam
    text: "is always false"
  exclude-dirs:
  - genfiles$
  - vendor$
  - bin$
  exclude-files:
  - ".*\\.pb\\.go"
  - ".*\\.gen\\.go"
  # Independently from option `exclude` we use default exclude patterns,
  # it can be disabled by this option. To list all
  # excluded by default patterns execute `golangci-lint run --help`.
  # Default value for this option is true.
  exclude-use-default: true
  # Maximum issues count per one linter. Set to 0 to disable. Default is 50.
  max-per-linter: 0
  # Maximum count of issues with the same text. Set to 0 to disable. Default is 3.
  max-same-issues: 0
--- a/Makefile.cross-compiles
+++ b/Makefile.cross-compiles
@@ -2,7 +2,7 @@ export PATH := $(PATH):`go env GOPATH`/bin
 export GO111MODULE=on
 LDFLAGS := -s -w
-os-archs=darwin:amd64 darwin:arm64 freebsd:amd64 linux:amd64 linux:arm:7 linux:arm:5 linux:arm64 windows:amd64 windows:arm64 linux:mips64 linux:mips64le linux:mips:softfloat linux:mipsle:softfloat linux:riscv64 linux:loong64 android:arm64
+os-archs=darwin:amd64 darwin:arm64 freebsd:amd64 openbsd:amd64 linux:amd64 linux:arm:7 linux:arm:5 linux:arm64 windows:amd64 windows:arm64 linux:mips64 linux:mips64le linux:mips:softfloat linux:mipsle:softfloat linux:riscv64 linux:loong64 android:arm64
 all: build
--- a/README.md
+++ b/README.md
@@ -13,19 +13,43 @@ frp is an open source project with its ongoing development made possible entirel
 <h3 align="center">Gold Sponsors</h3>
 <!--gold sponsors start-->
 <p align="center">
  <a href="https://www.recall.ai/?utm_source=github&utm_medium=sponsorship&utm_campaign=fatedier-frp" target="_blank">
    <b>Recall.ai - API for meeting recordings</b><br>
    <br>
    <sup>If you're looking for a meeting recording API, consider checking out Recall.ai, an API that records Zoom, Google Meet, Microsoft Teams, in-person meetings, and more.</sup>
  </a>
 </p>
 <p align="center">
  <a href="https://go.warp.dev/frp" target="_blank">
    <img width="360px" src="https://raw.githubusercontent.com/warpdotdev/brand-assets/refs/heads/main/Github/Sponsor/Warp-Github-LG-01.png">
    <br>
    <b>Warp, built for collaborating with AI Agents</b>
    <br>
 	<sub>Available for macOS, Linux and Windows</sub>
  </a>
 </p>
 <p align="center">
  <a href="https://jb.gg/frp" target="_blank">
    <img width="420px" src="https://raw.githubusercontent.com/fatedier/frp/dev/doc/pic/sponsor_jetbrains.jpg">
 	<br>
 	<b>The complete IDE crafted for professional Go developers</b>
  </a>
 </p>
 <p align="center">
  <a href="https://github.com/daytonaio/daytona" target="_blank">
    <img width="420px" src="https://raw.githubusercontent.com/fatedier/frp/dev/doc/pic/sponsor_daytona.png">
 	<br>
 	<b>Secure and Elastic Infrastructure for Running Your AI-Generated Code</b>
  </a>
 </p>
 <p align="center">
  <a href="https://github.com/beclab/Olares" target="_blank">
    <img width="420px" src="https://raw.githubusercontent.com/fatedier/frp/dev/doc/pic/sponsor_olares.jpeg">
 	<br>
 	<b>The sovereign cloud that puts you in control</b>
 	<br>
 	<sub>An open source, self-hosted alternative to public clouds, built for data ownership and privacy</sub>
  </a>
 </p>
 <!--gold sponsors end-->
@@ -502,7 +526,7 @@ name = "ssh"
 type = "tcp"
 localIP = "127.0.0.1"
 localPort = 22
-remotePort = "{{ .Envs.FRP_SSH_REMOTE_PORT }}"
+remotePort = {{ .Envs.FRP_SSH_REMOTE_PORT }}
 ```
 With the config above, variables can be passed into `frpc` program like this:
@@ -612,6 +636,21 @@ When specifying `auth.method = "token"` in `frpc.toml` and `frps.toml` - token b
 Make sure to specify the same `auth.token` in `frps.toml` and `frpc.toml` for frpc to pass frps validation
 ##### Token Source
 frp supports reading authentication tokens from external sources using the `tokenSource` configuration. Currently, file-based token source is supported.
 **File-based token source:**
 ```toml
 # frpc.toml
 auth.method = "token"
 auth.tokenSource.type = "file"
 auth.tokenSource.file.path = "/path/to/token/file"
 ```
 The token will be read from the specified file at startup. This is useful for scenarios where tokens are managed by external systems or need to be kept separate from configuration files for security reasons.
 #### OIDC Authentication
 When specifying `auth.method = "oidc"` in `frpc.toml` and `frps.toml` - OIDC based authentication will be used.
@@ -1025,7 +1064,7 @@ You can get user's real IP from HTTP request headers `X-Forwarded-For`.
 #### Proxy Protocol
-frp supports Proxy Protocol to send user's real IP to local services. It support all types except UDP.
+frp supports Proxy Protocol to send user's real IP to local services.
 Here is an example for https service:
@@ -1283,9 +1322,7 @@ frp supports feature gates to enable or disable experimental features. This allo
 To enable an experimental feature, add the feature gate to your configuration:
 ```toml
-featureGates = {
+featureGates = { VirtualNet = true }
  VirtualNet = true
 }
 ```
 ### Feature Lifecycle
--- a/README_zh.md
+++ b/README_zh.md
@@ -15,19 +15,43 @@ frp 是一个完全开源的项目，我们的开发工作完全依靠赞助者
 <h3 align="center">Gold Sponsors</h3>
 <!--gold sponsors start-->
 <p align="center">
  <a href="https://www.recall.ai/?utm_source=github&utm_medium=sponsorship&utm_campaign=fatedier-frp" target="_blank">
    <b>Recall.ai - API for meeting recordings</b><br>
    <br>
    <sup>If you're looking for a meeting recording API, consider checking out Recall.ai, an API that records Zoom, Google Meet, Microsoft Teams, in-person meetings, and more.</sup>
  </a>
 </p>
 <p align="center">
  <a href="https://go.warp.dev/frp" target="_blank">
    <img width="360px" src="https://raw.githubusercontent.com/warpdotdev/brand-assets/refs/heads/main/Github/Sponsor/Warp-Github-LG-01.png">
    <br>
    <b>Warp, built for collaborating with AI Agents</b>
    <br>
 	<sub>Available for macOS, Linux and Windows</sub>
  </a>
 </p>
 <p align="center">
  <a href="https://jb.gg/frp" target="_blank">
    <img width="420px" src="https://raw.githubusercontent.com/fatedier/frp/dev/doc/pic/sponsor_jetbrains.jpg">
 	<br>
 	<b>The complete IDE crafted for professional Go developers</b>
  </a>
 </p>
 <p align="center">
  <a href="https://github.com/daytonaio/daytona" target="_blank">
    <img width="420px" src="https://raw.githubusercontent.com/fatedier/frp/dev/doc/pic/sponsor_daytona.png">
 	<br>
 	<b>Secure and Elastic Infrastructure for Running Your AI-Generated Code</b>
  </a>
 </p>
 <p align="center">
  <a href="https://github.com/beclab/Olares" target="_blank">
    <img width="420px" src="https://raw.githubusercontent.com/fatedier/frp/dev/doc/pic/sponsor_olares.jpeg">
 	<br>
 	<b>The sovereign cloud that puts you in control</b>
 	<br>
 	<sub>An open source, self-hosted alternative to public clouds, built for data ownership and privacy</sub>
  </a>
 </p>
 <!--gold sponsors end-->
--- a/Release.md
+++ b/Release.md
@@ -1,8 +1,5 @@
-### Notes
+## Features
-*   **Feature Gates Introduced:** This version introduces a new experimental mechanism called Feature Gates. This allows users to enable or disable specific experimental features before they become generally available. Feature gates can be configured in the `featureGates` map within the configuration file.
+* Add NAT traversal configuration options for XTCP proxies and visitors. Support disabling assisted addresses to avoid using slow VPN connections during NAT hole punching.
-*   **VirtualNet Feature Gate:** The first available feature gate is `VirtualNet`, which enables the experimental Virtual Network functionality (currently in Alpha stage).
+* Enhanced OIDC client configuration with support for custom TLS certificate verification and proxy settings. Added `trustedCaFile`, `insecureSkipVerify`, and `proxyURL` options for OIDC token endpoint connections.
-
+* Added detailed Prometheus metrics with `proxy_counts_detailed` metric that includes both proxy type and proxy name labels, enabling monitoring of individual proxy connections instead of just aggregate counts.
 ### Features
 *   **Virtual Network (VirtualNet):** Introduce experimental virtual network capabilities (Alpha). This allows creating a TUN device managed by frp, enabling Layer 3 connectivity between different clients within the frp network. Requires root/admin privileges and is currently supported on Linux and macOS. Configuration is done via the `virtualNet` section and the `virtual_net` plugin. Enable with feature gate `VirtualNet`. **Note: As an Alpha feature, configuration details may change in future releases.**
--- a/client/admin_api.go
+++ b/client/admin_api.go
@@ -165,9 +165,9 @@ func (svr *Service) apiStatus(w http.ResponseWriter, _ *http.Request) {
 		res StatusResp = make(map[string][]ProxyStatusResp)
 	)
-	log.Infof("Http request [/api/status]")
+	log.Infof("http request [/api/status]")
 	defer func() {
-		log.Infof("Http response [/api/status]")
+		log.Infof("http response [/api/status]")
 		buf, _ = json.Marshal(&res)
 		_, _ = w.Write(buf)
 	}()
@@ -198,9 +198,9 @@ func (svr *Service) apiStatus(w http.ResponseWriter, _ *http.Request) {
 func (svr *Service) apiGetConfig(w http.ResponseWriter, _ *http.Request) {
 	res := GeneralResponse{Code: 200}
-	log.Infof("Http get request [/api/config]")
+	log.Infof("http get request [/api/config]")
 	defer func() {
-		log.Infof("Http get response [/api/config], code [%d]", res.Code)
+		log.Infof("http get response [/api/config], code [%d]", res.Code)
 		w.WriteHeader(res.Code)
 		if len(res.Msg) > 0 {
 			_, _ = w.Write([]byte(res.Msg))
@@ -228,9 +228,9 @@ func (svr *Service) apiGetConfig(w http.ResponseWriter, _ *http.Request) {
 func (svr *Service) apiPutConfig(w http.ResponseWriter, r *http.Request) {
 	res := GeneralResponse{Code: 200}
-	log.Infof("Http put request [/api/config]")
+	log.Infof("http put request [/api/config]")
 	defer func() {
-		log.Infof("Http put response [/api/config], code [%d]", res.Code)
+		log.Infof("http put response [/api/config], code [%d]", res.Code)
 		w.WriteHeader(res.Code)
 		if len(res.Msg) > 0 {
 			_, _ = w.Write([]byte(res.Msg))
--- a/client/connector.go
+++ b/client/connector.go
@@ -17,7 +17,6 @@ package client
 import (
 	"context"
 	"crypto/tls"
 	"io"
 	"net"
 	"strconv"
 	"strings"
@@ -48,7 +47,7 @@ type defaultConnectorImpl struct {
 	cfg *v1.ClientCommonConfig
 	muxSession *fmux.Session
-	quicConn   quic.Connection
+	quicConn   *quic.Conn
 	closeOnce  sync.Once
 }
@@ -115,7 +114,8 @@ func (c *defaultConnectorImpl) Open() error {
 	fmuxCfg := fmux.DefaultConfig()
 	fmuxCfg.KeepAliveInterval = time.Duration(c.cfg.Transport.TCPMuxKeepaliveInterval) * time.Second
-	fmuxCfg.LogOutput = io.Discard
+	// Use trace level for yamux logs
 	fmuxCfg.LogOutput = xlog.NewTraceWriter(xl)
 	fmuxCfg.MaxStreamWindowSize = 6 * 1024 * 1024
 	session, err := fmux.Client(conn, fmuxCfg)
 	if err != nil {
--- a/client/control.go
+++ b/client/control.go
@@ -189,7 +189,7 @@ func (ctl *Control) handlePong(m msg.Message) {
 	inMsg := m.(*msg.Pong)
 	if inMsg.Error != "" {
-		xl.Errorf("Pong message contains error: %s", inMsg.Error)
+		xl.Errorf("pong message contains error: %s", inMsg.Error)
 		ctl.closeSession()
 		return
 	}
@@ -276,10 +276,12 @@ func (ctl *Control) heartbeatWorker() {
 }
 func (ctl *Control) worker() {
 	xl := ctl.xl
 	go ctl.heartbeatWorker()
 	go ctl.msgDispatcher.Run()
 	<-ctl.msgDispatcher.Done()
 	xl.Debugf("control message dispatcher exited")
 	ctl.closeSession()
 	ctl.pm.Close()
--- a/client/proxy/proxy.go
+++ b/client/proxy/proxy.go
@@ -20,13 +20,11 @@ import (
 	"net"
 	"reflect"
 	"strconv"
 	"strings"
 	"sync"
 	"time"
 	libio "github.com/fatedier/golib/io"
 	libnet "github.com/fatedier/golib/net"
 	pp "github.com/pires/go-proxyproto"
 	"golang.org/x/time/rate"
 	"github.com/fatedier/frp/pkg/config/types"
@@ -35,6 +33,7 @@ import (
 	plugin "github.com/fatedier/frp/pkg/plugin/client"
 	"github.com/fatedier/frp/pkg/transport"
 	"github.com/fatedier/frp/pkg/util/limit"
 	netpkg "github.com/fatedier/frp/pkg/util/net"
 	"github.com/fatedier/frp/pkg/util/xlog"
 	"github.com/fatedier/frp/pkg/vnet"
 )
@@ -176,24 +175,9 @@ func (pxy *BaseProxy) HandleTCPWorkConnection(workConn net.Conn, m *msg.StartWor
 	}
 	if baseCfg.Transport.ProxyProtocolVersion != "" && m.SrcAddr != "" && m.SrcPort != 0 {
-		h := &pp.Header{
+		// Use the common proxy protocol builder function
-			Command:         pp.PROXY,
+		header := netpkg.BuildProxyProtocolHeaderStruct(connInfo.SrcAddr, connInfo.DstAddr, baseCfg.Transport.ProxyProtocolVersion)
-			SourceAddr:      connInfo.SrcAddr,
+		connInfo.ProxyProtocolHeader = header
 			DestinationAddr: connInfo.DstAddr,
 		}
 		if strings.Contains(m.SrcAddr, ".") {
 			h.TransportProtocol = pp.TCPv4
 		} else {
 			h.TransportProtocol = pp.TCPv6
 		}
 		if baseCfg.Transport.ProxyProtocolVersion == "v1" {
 			h.Version = 1
 		} else if baseCfg.Transport.ProxyProtocolVersion == "v2" {
 			h.Version = 2
 		}
 		connInfo.ProxyProtocolHeader = h
 	}
 	connInfo.Conn = remote
 	connInfo.UnderlyingConn = workConn
--- a/client/proxy/sudp.go
+++ b/client/proxy/sudp.go
@@ -205,5 +205,5 @@ func (pxy *SUDPProxy) InWorkConn(conn net.Conn, _ *msg.StartWorkConn) {
 	go workConnReaderFn(workConn, readCh)
 	go heartbeatFn(sendCh)
-	udp.Forwarder(pxy.localAddr, readCh, sendCh, int(pxy.clientCfg.UDPPacketSize))
+	udp.Forwarder(pxy.localAddr, readCh, sendCh, int(pxy.clientCfg.UDPPacketSize), pxy.cfg.Transport.ProxyProtocolVersion)
 }
--- a/client/proxy/udp.go
+++ b/client/proxy/udp.go
@@ -171,5 +171,7 @@ func (pxy *UDPProxy) InWorkConn(conn net.Conn, _ *msg.StartWorkConn) {
 	go workConnSenderFn(pxy.workConn, pxy.sendCh)
 	go workConnReaderFn(pxy.workConn, pxy.readCh)
 	go heartbeatFn(pxy.sendCh)
-	udp.Forwarder(pxy.localAddr, pxy.readCh, pxy.sendCh, int(pxy.clientCfg.UDPPacketSize))
+
 	// Call Forwarder with proxy protocol version (empty string means no proxy protocol)
 	udp.Forwarder(pxy.localAddr, pxy.readCh, pxy.sendCh, int(pxy.clientCfg.UDPPacketSize), pxy.cfg.Transport.ProxyProtocolVersion)
 }
--- a/client/proxy/xtcp.go
+++ b/client/proxy/xtcp.go
@@ -64,11 +64,19 @@ func (pxy *XTCPProxy) InWorkConn(conn net.Conn, startWorkConnMsg *msg.StartWorkC
 	}
 	xl.Tracef("nathole prepare start")
-	prepareResult, err := nathole.Prepare([]string{pxy.clientCfg.NatHoleSTUNServer})
+
 	// Prepare NAT traversal options
 	var opts nathole.PrepareOptions
 	if pxy.cfg.NatTraversal != nil && pxy.cfg.NatTraversal.DisableAssistedAddrs {
 		opts.DisableAssistedAddrs = true
 	}
 	prepareResult, err := nathole.Prepare([]string{pxy.clientCfg.NatHoleSTUNServer}, opts)
 	if err != nil {
 		xl.Warnf("nathole prepare error: %v", err)
 		return
 	}
 	xl.Infof("nathole prepare success, nat type: %s, behavior: %s, addresses: %v, assistedAddresses: %v",
 		prepareResult.NatType, prepareResult.Behavior, prepareResult.Addrs, prepareResult.AssistedAddrs)
 	defer prepareResult.ListenConn.Close()
--- a/client/service.go
+++ b/client/service.go
@@ -88,13 +88,16 @@ type ServiceOptions struct {
 }
 // setServiceOptionsDefault sets the default values for ServiceOptions.
-func setServiceOptionsDefault(options *ServiceOptions) {
+func setServiceOptionsDefault(options *ServiceOptions) error {
 	if options.Common != nil {
-		options.Common.Complete()
+		if err := options.Common.Complete(); err != nil {
 			return err
 		}
 	}
 	if options.ConnectorCreator == nil {
 		options.ConnectorCreator = NewConnector
 	}
 	return nil
 }
 // Service is the client service that connects to frps and provides proxy services.
@@ -134,7 +137,9 @@ type Service struct {
 }
 func NewService(options ServiceOptions) (*Service, error) {
-	setServiceOptionsDefault(&options)
+	if err := setServiceOptionsDefault(&options); err != nil {
 		return nil, err
 	}
 	var webServer *httppkg.Server
 	if options.Common.WebServer.Port > 0 {
@@ -144,9 +149,15 @@ func NewService(options ServiceOptions) (*Service, error) {
 		}
 		webServer = ws
 	}
 	authSetter, err := auth.NewAuthSetter(options.Common.Auth)
 	if err != nil {
 		return nil, err
 	}
 	s := &Service{
 		ctx:              context.Background(),
-		authSetter:       auth.NewAuthSetter(options.Common.Auth),
+		authSetter:       authSetter,
 		webServer:        webServer,
 		common:           options.Common,
 		configFilePath:   options.ConfigFilePath,
@@ -325,10 +336,9 @@ func (svr *Service) loopLoginUntilSuccess(maxInterval time.Duration, firstLoginE
 		proxyCfgs := svr.proxyCfgs
 		visitorCfgs := svr.visitorCfgs
 		svr.cfgMu.RUnlock()
-		connEncrypted := true
+
-		if svr.clientSpec != nil && svr.clientSpec.Type == "ssh-tunnel" {
+		connEncrypted := svr.clientSpec == nil || svr.clientSpec.Type != "ssh-tunnel"
-			connEncrypted = false
+
 		}
 		sessionCtx := &SessionContext{
 			Common:         svr.common,
 			RunID:          svr.runID,
@@ -341,7 +351,7 @@ func (svr *Service) loopLoginUntilSuccess(maxInterval time.Duration, firstLoginE
 		ctl, err := NewControl(svr.ctx, sessionCtx)
 		if err != nil {
 			conn.Close()
-			xl.Errorf("NewControl error: %v", err)
+			xl.Errorf("new control error: %v", err)
 			return false, err
 		}
 		ctl.SetInWorkConnCallback(svr.handleWorkConnCb)
@@ -399,6 +409,10 @@ func (svr *Service) stop() {
 		svr.ctl.GracefulClose(svr.gracefulShutdownDuration)
 		svr.ctl = nil
 	}
 	if svr.webServer != nil {
 		svr.webServer.Close()
 		svr.webServer = nil
 	}
 }
 func (svr *Service) getProxyStatus(name string) (*proxy.WorkingStatus, bool) {
--- a/client/visitor/xtcp.go
+++ b/client/visitor/xtcp.go
@@ -145,7 +145,7 @@ func (sv *XTCPVisitor) keepTunnelOpenWorker() {
 			return
 		case <-ticker.C:
 			xl.Debugf("keepTunnelOpenWorker try to check tunnel...")
-			conn, err := sv.getTunnelConn()
+			conn, err := sv.getTunnelConn(sv.ctx)
 			if err != nil {
 				xl.Warnf("keepTunnelOpenWorker get tunnel connection error: %v", err)
 				_ = sv.retryLimiter.Wait(sv.ctx)
@@ -161,9 +161,9 @@ func (sv *XTCPVisitor) keepTunnelOpenWorker() {
 func (sv *XTCPVisitor) handleConn(userConn net.Conn) {
 	xl := xlog.FromContextSafe(sv.ctx)
-	isConnTransfered := false
+	isConnTransferred := false
 	defer func() {
-		if !isConnTransfered {
+		if !isConnTransferred {
 			userConn.Close()
 		}
 	}()
@@ -172,7 +172,7 @@ func (sv *XTCPVisitor) handleConn(userConn net.Conn) {
 	// Open a tunnel connection to the server. If there is already a successful hole-punching connection,
 	// it will be reused. Otherwise, it will block and wait for a successful hole-punching connection until timeout.
-	ctx := context.Background()
+	ctx := sv.ctx
 	if sv.cfg.FallbackTo != "" {
 		timeoutCtx, cancel := context.WithTimeout(ctx, time.Duration(sv.cfg.FallbackTimeoutMs)*time.Millisecond)
 		defer cancel()
@@ -191,7 +191,7 @@ func (sv *XTCPVisitor) handleConn(userConn net.Conn) {
 			xl.Errorf("transfer connection to visitor %s error: %v", sv.cfg.FallbackTo, err)
 			return
 		}
-		isConnTransfered = true
+		isConnTransferred = true
 		return
 	}
@@ -219,40 +219,37 @@ func (sv *XTCPVisitor) handleConn(userConn net.Conn) {
 // openTunnel will open a tunnel connection to the target server.
 func (sv *XTCPVisitor) openTunnel(ctx context.Context) (conn net.Conn, err error) {
 	xl := xlog.FromContextSafe(sv.ctx)
-	ticker := time.NewTicker(500 * time.Millisecond)
+	ctx, cancel := context.WithTimeout(ctx, 20*time.Second)
-	defer ticker.Stop()
+	defer cancel()
-	timeoutC := time.After(20 * time.Second)
+	timer := time.NewTimer(0)
-	immediateTrigger := make(chan struct{}, 1)
+	defer timer.Stop()
 	defer close(immediateTrigger)
 	immediateTrigger <- struct{}{}
 	for {
 		select {
 		case <-sv.ctx.Done():
 			return nil, sv.ctx.Err()
 		case <-ctx.Done():
-			return nil, ctx.Err()
+			if errors.Is(ctx.Err(), context.DeadlineExceeded) {
-		case <-immediateTrigger:
+				return nil, fmt.Errorf("open tunnel timeout")
 			conn, err = sv.getTunnelConn()
 		case <-ticker.C:
 			conn, err = sv.getTunnelConn()
 		case <-timeoutC:
 			return nil, fmt.Errorf("open tunnel timeout")
 		}
 		if err != nil {
 			if err != ErrNoTunnelSession {
 				xl.Warnf("get tunnel connection error: %v", err)
 			}
-			continue
+			return nil, ctx.Err()
 		case <-timer.C:
 			conn, err = sv.getTunnelConn(ctx)
 			if err != nil {
 				if !errors.Is(err, ErrNoTunnelSession) {
 					xl.Warnf("get tunnel connection error: %v", err)
 				}
 				timer.Reset(500 * time.Millisecond)
 				continue
 			}
 			return conn, nil
 		}
 		return conn, nil
 	}
 }
-func (sv *XTCPVisitor) getTunnelConn() (net.Conn, error) {
+func (sv *XTCPVisitor) getTunnelConn(ctx context.Context) (net.Conn, error) {
-	conn, err := sv.session.OpenConn(sv.ctx)
+	conn, err := sv.session.OpenConn(ctx)
 	if err == nil {
 		return conn, nil
 	}
@@ -279,11 +276,19 @@ func (sv *XTCPVisitor) makeNatHole() {
 	}
 	xl.Tracef("nathole prepare start")
-	prepareResult, err := nathole.Prepare([]string{sv.clientCfg.NatHoleSTUNServer})
+
 	// Prepare NAT traversal options
 	var opts nathole.PrepareOptions
 	if sv.cfg.NatTraversal != nil && sv.cfg.NatTraversal.DisableAssistedAddrs {
 		opts.DisableAssistedAddrs = true
 	}
 	prepareResult, err := nathole.Prepare([]string{sv.clientCfg.NatHoleSTUNServer}, opts)
 	if err != nil {
 		xl.Warnf("nathole prepare error: %v", err)
 		return
 	}
 	xl.Infof("nathole prepare success, nat type: %s, behavior: %s, addresses: %v, assistedAddresses: %v",
 		prepareResult.NatType, prepareResult.Behavior, prepareResult.Addrs, prepareResult.AssistedAddrs)
@@ -398,7 +403,7 @@ func (ks *KCPTunnelSession) Close() {
 }
 type QUICTunnelSession struct {
-	session    quic.Connection
+	session    *quic.Conn
 	listenConn *net.UDPConn
 	mu         sync.RWMutex
--- a/cmd/frpc/sub/nathole.go
+++ b/cmd/frpc/sub/nathole.go
@@ -51,7 +51,10 @@ var natholeDiscoveryCmd = &cobra.Command{
 		cfg, _, _, _, err := config.LoadClientConfig(cfgFile, strictConfigMode)
 		if err != nil {
 			cfg = &v1.ClientCommonConfig{}
-			cfg.Complete()
+			if err := cfg.Complete(); err != nil {
 				fmt.Printf("failed to complete config: %v\n", err)
 				os.Exit(1)
 			}
 		}
 		if natHoleSTUNServer != "" {
 			cfg.NatHoleSTUNServer = natHoleSTUNServer
--- a/cmd/frpc/sub/proxy.go
+++ b/cmd/frpc/sub/proxy.go
@@ -73,7 +73,10 @@ func NewProxyCommand(name string, c v1.ProxyConfigurer, clientCfg *v1.ClientComm
 		Use:   name,
 		Short: fmt.Sprintf("Run frpc with a single %s proxy", name),
 		Run: func(cmd *cobra.Command, args []string) {
-			clientCfg.Complete()
+			if err := clientCfg.Complete(); err != nil {
 				fmt.Println(err)
 				os.Exit(1)
 			}
 			if _, err := validation.ValidateClientCommonConfig(clientCfg); err != nil {
 				fmt.Println(err)
 				os.Exit(1)
@@ -99,7 +102,10 @@ func NewVisitorCommand(name string, c v1.VisitorConfigurer, clientCfg *v1.Client
 		Use:   "visitor",
 		Short: fmt.Sprintf("Run frpc with a single %s visitor", name),
 		Run: func(cmd *cobra.Command, args []string) {
-			clientCfg.Complete()
+			if err := clientCfg.Complete(); err != nil {
 				fmt.Println(err)
 				os.Exit(1)
 			}
 			if _, err := validation.ValidateClientCommonConfig(clientCfg); err != nil {
 				fmt.Println(err)
 				os.Exit(1)
--- a/cmd/frps/root.go
+++ b/cmd/frps/root.go
@@ -70,7 +70,10 @@ var rootCmd = &cobra.Command{
 					"please use yaml/json/toml format instead!\n")
 			}
 		} else {
-			serverCfg.Complete()
+			if err := serverCfg.Complete(); err != nil {
 				fmt.Printf("failed to complete server config: %v\n", err)
 				os.Exit(1)
 			}
 			svrCfg = &serverCfg
 		}
--- a/conf/frpc_full_example.toml
+++ b/conf/frpc_full_example.toml
@@ -32,6 +32,11 @@ auth.method = "token"
 # auth token
 auth.token = "12345678"
 # alternatively, you can use tokenSource to load the token from a file
 # this is mutually exclusive with auth.token
 # auth.tokenSource.type = "file"
 # auth.tokenSource.file.path = "/etc/frp/token"
 # oidc.clientID specifies the client ID to use to get a token in OIDC authentication.
 # auth.oidc.clientID = ""
 # oidc.clientSecret specifies the client secret to use to get a token in OIDC authentication.
@@ -50,6 +55,20 @@ auth.token = "12345678"
 # auth.oidc.additionalEndpointParams.audience = "https://dev.auth.com/api/v2/"
 # auth.oidc.additionalEndpointParams.var1 = "foobar"
 # OIDC TLS and proxy configuration
 # Specify a custom CA certificate file for verifying the OIDC token endpoint's TLS certificate.
 # This is useful when the OIDC provider uses a self-signed certificate or a custom CA.
 # auth.oidc.trustedCaFile = "/path/to/ca.crt"
 # Skip TLS certificate verification for the OIDC token endpoint.
 # INSECURE: Only use this for debugging purposes, not recommended for production.
 # auth.oidc.insecureSkipVerify = false
 # Specify a proxy server for OIDC token endpoint connections.
 # Supports http, https, socks5, and socks5h proxy protocols.
 # If not specified, no proxy is used for OIDC connections.
 # auth.oidc.proxyURL = "http://proxy.example.com:8080"
 # Set admin address for control frpc's action by http api such as reload
 webServer.addr = "127.0.0.1"
 webServer.port = 7400
@@ -367,6 +386,14 @@ localPort = 22
 # Otherwise, visitors from same user can connect. '*' means allow all users.
 allowUsers = ["user1", "user2"]
 # NAT traversal configuration (optional)
 [proxies.natTraversal]
 # Disable the use of local network interfaces (assisted addresses) for NAT traversal.
 # When enabled, only STUN-discovered public addresses will be used.
 # This can improve performance when you have slow VPN connections.
 # Default: false
 disableAssistedAddrs = false
 [[proxies]]
 name = "vnet-server"
 type = "stcp"
@@ -406,6 +433,13 @@ minRetryInterval = 90
 # fallbackTo = "stcp_visitor"
 # fallbackTimeoutMs = 500
 # NAT traversal configuration (optional)
 [visitors.natTraversal]
 # Disable the use of local network interfaces (assisted addresses) for NAT traversal.
 # When enabled, only STUN-discovered public addresses will be used.
 # Default: false
 disableAssistedAddrs = false
 [[visitors]]
 name = "vnet-visitor"
 type = "stcp"
--- a/conf/frps_full_example.toml
+++ b/conf/frps_full_example.toml
@@ -105,6 +105,11 @@ auth.method = "token"
 # auth token
 auth.token = "12345678"
 # alternatively, you can use tokenSource to load the token from a file
 # this is mutually exclusive with auth.token
 # auth.tokenSource.type = "file"
 # auth.tokenSource.file.path = "/etc/frp/token"
 # oidc issuer specifies the issuer to verify OIDC tokens with.
 auth.oidc.issuer = ""
 # oidc audience specifies the audience OIDC tokens should contain when validated.
--- a/doc/server_plugin.md
+++ b/doc/server_plugin.md
@@ -121,7 +121,7 @@ Create new proxy
        // http and https only
        "custom_domains": []<string>,
        "subdomain": <string>,
-        "locations": <string>,
+        "locations": []<string>,
        "http_user": <string>,
        "http_pwd": <string>,
        "host_header_rewrite": <string>,
--- a/doc/virtual_net.md
+++ b/doc/virtual_net.md
@@ -49,9 +49,7 @@ type = "virtual_net"
 # frpc.toml (client side)
 serverAddr = "x.x.x.x"
 serverPort = 7000
-featureGates = {
+featureGates = { VirtualNet = true }
  VirtualNet = true
 }
 # Configure the virtual network interface
 virtualNet.address = "100.86.0.2/24"
--- a/dockerfiles/Dockerfile-for-frpc
+++ b/dockerfiles/Dockerfile-for-frpc
@@ -1,4 +1,4 @@
-FROM golang:1.23 AS building
+FROM golang:1.24 AS building
 COPY . /building
 WORKDIR /building
--- a/dockerfiles/Dockerfile-for-frps
+++ b/dockerfiles/Dockerfile-for-frps
@@ -1,4 +1,4 @@
-FROM golang:1.23 AS building
+FROM golang:1.24 AS building
 COPY . /building
 WORKDIR /building
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/fatedier/frp
-go 1.23.0
+go 1.24.0
 require (
 	github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5
@@ -10,13 +10,13 @@ require (
 	github.com/gorilla/mux v1.8.1
 	github.com/gorilla/websocket v1.5.0
 	github.com/hashicorp/yamux v0.1.1
-	github.com/onsi/ginkgo/v2 v2.22.0
+	github.com/onsi/ginkgo/v2 v2.23.4
-	github.com/onsi/gomega v1.34.2
+	github.com/onsi/gomega v1.36.3
 	github.com/pelletier/go-toml/v2 v2.2.0
 	github.com/pion/stun/v2 v2.0.0
 	github.com/pires/go-proxyproto v0.7.0
 	github.com/prometheus/client_golang v1.19.1
-	github.com/quic-go/quic-go v0.48.2
+	github.com/quic-go/quic-go v0.53.0
 	github.com/rodaine/table v1.2.0
 	github.com/samber/lo v1.47.0
 	github.com/songgao/water v0.0.0-20200317203138-2b4b6d7c09d8
@@ -46,12 +46,11 @@ require (
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
-	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/go-cmp v0.7.0 // indirect
-	github.com/google/pprof v0.0.0-20241206021119-61a79c692802 // indirect
+	github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.6 // indirect
 	github.com/klauspost/reedsolomon v1.12.0 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/pion/dtls/v2 v2.2.7 // indirect
 	github.com/pion/logging v0.2.2 // indirect
 	github.com/pion/transport/v2 v2.2.1 // indirect
@@ -67,14 +66,14 @@ require (
 	github.com/tidwall/pretty v1.2.0 // indirect
 	github.com/tjfoc/gmsm v1.4.1 // indirect
 	github.com/vishvananda/netns v0.0.4 // indirect
 	go.uber.org/automaxprocs v1.6.0 // indirect
 	go.uber.org/mock v0.5.0 // indirect
-	golang.org/x/exp v0.0.0-20241204233417-43b7b7cde48d // indirect
+	golang.org/x/mod v0.24.0 // indirect
 	golang.org/x/mod v0.22.0 // indirect
 	golang.org/x/sys v0.32.0 // indirect
 	golang.org/x/text v0.24.0 // indirect
-	golang.org/x/tools v0.28.0 // indirect
+	golang.org/x/tools v0.31.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
-	google.golang.org/protobuf v1.34.1 // indirect
+	google.golang.org/protobuf v1.36.5 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect
@@ -83,4 +82,4 @@ require (
 )
 // TODO(fatedier): Temporary use the modified version, update to the official version after merging into the official repository.
-replace github.com/hashicorp/yamux => github.com/fatedier/yamux v0.0.0-20230628132301-7aca4898904d
+replace github.com/hashicorp/yamux => github.com/fatedier/yamux v0.0.0-20250825093530-d0154be01cd6
--- a/go.sum
+++ b/go.sum
@@ -14,7 +14,6 @@ github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGX
 github.com/coreos/go-oidc/v3 v3.14.1 h1:9ePWwfdwC4QKRlCXsJGou56adA/owXczOzwKdOumLqk=
 github.com/coreos/go-oidc/v3 v3.14.1/go.mod h1:HaZ3szPaZ0e4r6ebqvsLWlk2Tn+aejfmrfah6hnSYEU=
 github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -23,8 +22,8 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/fatedier/golib v0.5.1 h1:hcKAnaw5mdI/1KWRGejxR+i1Hn/NvbY5UsMKDr7o13M=
 github.com/fatedier/golib v0.5.1/go.mod h1:W6kIYkIFxHsTzbgqg5piCxIiDo4LzwgTY6R5W8l9NFQ=
-github.com/fatedier/yamux v0.0.0-20230628132301-7aca4898904d h1:ynk1ra0RUqDWQfvFi5KtMiSobkVQ3cNc0ODb8CfIETo=
+github.com/fatedier/yamux v0.0.0-20250825093530-d0154be01cd6 h1:u92UUy6FURPmNsMBUuongRWC0rBqN6gd01Dzu+D21NE=
-github.com/fatedier/yamux v0.0.0-20230628132301-7aca4898904d/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ=
+github.com/fatedier/yamux v0.0.0-20250825093530-d0154be01cd6/go.mod h1:c5/tk6G0dSpXGzJN7Wk1OEie8grdSJAmeawId9Zvd34=
 github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE=
 github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
@@ -50,10 +49,11 @@ github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5a
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/pprof v0.0.0-20241206021119-61a79c692802 h1:US08AXzP0bLurpzFUV3Poa9ZijrRdd1zAIOVtoHEiS8=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
-github.com/google/pprof v0.0.0-20241206021119-61a79c692802/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
 github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
@@ -72,10 +72,10 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U=
 github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
-github.com/onsi/ginkgo/v2 v2.22.0 h1:Yed107/8DjTr0lKCNt7Dn8yQ6ybuDRQoMGrNFKzMfHg=
+github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus=
-github.com/onsi/ginkgo/v2 v2.22.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
+github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8=
-github.com/onsi/gomega v1.34.2 h1:pNCwDkzrsv7MS9kpaQvVb1aVLahQXyJ/Tv5oAZMI3i8=
+github.com/onsi/gomega v1.36.3 h1:hID7cr8t3Wp26+cYnfcjR6HpJ00fdogN6dqZ1t6IylU=
-github.com/onsi/gomega v1.34.2/go.mod h1:v1xfxRgk0KIsG+QOdm7p8UosrOzPYRo60fd3B/1Dukc=
+github.com/onsi/gomega v1.36.3/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0=
 github.com/pelletier/go-toml/v2 v2.2.0 h1:QLgLl2yMN7N+ruc31VynXs1vhMZa7CeHHejIeBAsoHo=
 github.com/pelletier/go-toml/v2 v2.2.0/go.mod h1:1t835xjRzz80PqgE6HHgN2JOsmgYu/h4qDAS4n929Rs=
 github.com/pion/dtls/v2 v2.2.7 h1:cSUBsETxepsCSFSxC3mc/aDo14qQLMSL+O6IjG28yV8=
@@ -94,6 +94,8 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g=
 github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U=
 github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE=
 github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
@@ -103,8 +105,8 @@ github.com/prometheus/common v0.48.0 h1:QO8U2CdOzSn1BBsmXJXduaaW+dY/5QLjfB8svtSz
 github.com/prometheus/common v0.48.0/go.mod h1:0/KsvlIEfPQCQ5I2iNSAWKPZziNCvRs5EC6ILDTlAPc=
 github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo=
 github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo=
-github.com/quic-go/quic-go v0.48.2 h1:wsKXZPeGWpMpCGSWqOcqpW2wZYic/8T3aqiOID0/KWE=
+github.com/quic-go/quic-go v0.53.0 h1:QHX46sISpG2S03dPeZBgVIZp8dGagIaiu2FiVYvpCZI=
-github.com/quic-go/quic-go v0.48.2/go.mod h1:yBgs3rWBOADpga7F+jJsb6Ybg1LSYiQvwWlLX+/6HMs=
+github.com/quic-go/quic-go v0.53.0/go.mod h1:e68ZEaCdyviluZmy44P6Iey98v/Wfz6HCjQEm+l8zTY=
 github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rodaine/table v1.2.0 h1:38HEnwK4mKSHQJIkavVj+bst1TEY7j9zhLMWu4QJrMA=
@@ -152,6 +154,8 @@ github.com/xtaci/kcp-go/v5 v5.6.13/go.mod h1:75S1AKYYzNUSXIv30h+jPKJYZUwqpfvLshu
 github.com/xtaci/lossyconn v0.0.0-20200209145036-adba10fffc37 h1:EWU6Pktpas0n8lLQwDsRyZfmkPeRbdgPtW609es+/9E=
 github.com/xtaci/lossyconn v0.0.0-20200209145036-adba10fffc37/go.mod h1:HpMP7DB2CyokmAh4lp0EQnnWhmycP/TvwBGzvuie+H0=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
 go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
 go.uber.org/mock v0.5.0 h1:KAMbZvZPyBPWgD14IrIQ38QCyjwpvVVV6K/bHl1IwQU=
 go.uber.org/mock v0.5.0/go.mod h1:ge71pBPLYDk7QIi1LupWxdAykm7KIEFchiOqd6z7qMM=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
@@ -163,15 +167,13 @@ golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98y
 golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE=
 golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20241204233417-43b7b7cde48d h1:0olWaB5pg3+oychR51GUVCEsGkeCU/2JxjBgIo4f3M0=
 golang.org/x/exp v0.0.0-20241204233417-43b7b7cde48d/go.mod h1:qj5a5QZpwLU2NLQudwIN5koi3beDhSAlJwa67PuM98c=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4=
+golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
-golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
+golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -239,8 +241,8 @@ golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBn
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.28.0 h1:WuB6qZ4RPCQo5aP3WdKZS7i595EdWqWR8vqJTlwTVK8=
+golang.org/x/tools v0.31.0 h1:0EedkvKDbh+qistFTd0Bcwe/YLh4vHwWEkiI0toFIBU=
-golang.org/x/tools v0.28.0/go.mod h1:dcIOrVd3mfQKTgrDVQHqCPMWy6lnhfhtX3hLXYVLfRw=
+golang.org/x/tools v0.31.0/go.mod h1:naFTU+Cev749tSJRXJlna0T3WxKvb1kWEx15xA4SdmQ=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
@@ -261,8 +263,8 @@ google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQ
 google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
 google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg=
+google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
--- a/hack/run-e2e.sh
+++ b/hack/run-e2e.sh
@@ -3,10 +3,10 @@
 SCRIPT=$(readlink -f "$0")
 ROOT=$(unset CDPATH && cd "$(dirname "$SCRIPT")/.." && pwd)
-ginkgo_command=$(which ginkgo 2>/dev/null)
+# Check if ginkgo is available
-if [ -z "$ginkgo_command" ]; then
+if ! command -v ginkgo >/dev/null 2>&1; then
    echo "ginkgo not found, try to install..."
-    go install github.com/onsi/ginkgo/v2/ginkgo@v2.17.1
+    go install github.com/onsi/ginkgo/v2/ginkgo@v2.23.4
 fi
 debug=false
--- a/package.sh
+++ b/package.sh
@@ -17,7 +17,7 @@ make -f ./Makefile.cross-compiles
 rm -rf ./release/packages
 mkdir -p ./release/packages
-os_all='linux windows darwin freebsd android'
+os_all='linux windows darwin freebsd openbsd android'
 arch_all='386 amd64 arm arm64 mips64 mips64le mips mipsle riscv64 loong64'
 extra_all='_ hf'
--- a/pkg/auth/auth.go
+++ b/pkg/auth/auth.go
@@ -27,16 +27,19 @@ type Setter interface {
 	SetNewWorkConn(*msg.NewWorkConn) error
 }
-func NewAuthSetter(cfg v1.AuthClientConfig) (authProvider Setter) {
+func NewAuthSetter(cfg v1.AuthClientConfig) (authProvider Setter, err error) {
 	switch cfg.Method {
 	case v1.AuthMethodToken:
 		authProvider = NewTokenAuth(cfg.AdditionalScopes, cfg.Token)
 	case v1.AuthMethodOIDC:
-		authProvider = NewOidcAuthSetter(cfg.AdditionalScopes, cfg.OIDC)
+		authProvider, err = NewOidcAuthSetter(cfg.AdditionalScopes, cfg.OIDC)
 		if err != nil {
 			return nil, err
 		}
 	default:
-		panic(fmt.Sprintf("wrong method: '%s'", cfg.Method))
+		return nil, fmt.Errorf("unsupported auth method: %s", cfg.Method)
 	}
-	return authProvider
+	return authProvider, nil
 }
 type Verifier interface {
--- a/pkg/auth/oidc.go
+++ b/pkg/auth/oidc.go
@@ -16,23 +16,72 @@ package auth
 import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
 	"net/http"
 	"net/url"
 	"os"
 	"slices"
 	"github.com/coreos/go-oidc/v3/oidc"
 	"golang.org/x/oauth2"
 	"golang.org/x/oauth2/clientcredentials"
 	v1 "github.com/fatedier/frp/pkg/config/v1"
 	"github.com/fatedier/frp/pkg/msg"
 )
 // createOIDCHTTPClient creates an HTTP client with custom TLS and proxy configuration for OIDC token requests
 func createOIDCHTTPClient(trustedCAFile string, insecureSkipVerify bool, proxyURL string) (*http.Client, error) {
 	// Clone the default transport to get all reasonable defaults
 	transport := http.DefaultTransport.(*http.Transport).Clone()
 	// Configure TLS settings
 	if trustedCAFile != "" || insecureSkipVerify {
 		tlsConfig := &tls.Config{
 			InsecureSkipVerify: insecureSkipVerify,
 		}
 		if trustedCAFile != "" && !insecureSkipVerify {
 			caCert, err := os.ReadFile(trustedCAFile)
 			if err != nil {
 				return nil, fmt.Errorf("failed to read OIDC CA certificate file %q: %w", trustedCAFile, err)
 			}
 			caCertPool := x509.NewCertPool()
 			if !caCertPool.AppendCertsFromPEM(caCert) {
 				return nil, fmt.Errorf("failed to parse OIDC CA certificate from file %q", trustedCAFile)
 			}
 			tlsConfig.RootCAs = caCertPool
 		}
 		transport.TLSClientConfig = tlsConfig
 	}
 	// Configure proxy settings
 	if proxyURL != "" {
 		parsedURL, err := url.Parse(proxyURL)
 		if err != nil {
 			return nil, fmt.Errorf("failed to parse OIDC proxy URL %q: %w", proxyURL, err)
 		}
 		transport.Proxy = http.ProxyURL(parsedURL)
 	} else {
 		// Explicitly disable proxy to override DefaultTransport's ProxyFromEnvironment
 		transport.Proxy = nil
 	}
 	return &http.Client{Transport: transport}, nil
 }
 type OidcAuthProvider struct {
 	additionalAuthScopes []v1.AuthScope
 	tokenGenerator *clientcredentials.Config
 	httpClient     *http.Client
 }
-func NewOidcAuthSetter(additionalAuthScopes []v1.AuthScope, cfg v1.AuthOIDCClientConfig) *OidcAuthProvider {
+func NewOidcAuthSetter(additionalAuthScopes []v1.AuthScope, cfg v1.AuthOIDCClientConfig) (*OidcAuthProvider, error) {
 	eps := make(map[string][]string)
 	for k, v := range cfg.AdditionalEndpointParams {
 		eps[k] = []string{v}
@@ -50,14 +99,30 @@ func NewOidcAuthSetter(additionalAuthScopes []v1.AuthScope, cfg v1.AuthOIDCClien
 		EndpointParams: eps,
 	}
 	// Create custom HTTP client if needed
 	var httpClient *http.Client
 	if cfg.TrustedCaFile != "" || cfg.InsecureSkipVerify || cfg.ProxyURL != "" {
 		var err error
 		httpClient, err = createOIDCHTTPClient(cfg.TrustedCaFile, cfg.InsecureSkipVerify, cfg.ProxyURL)
 		if err != nil {
 			return nil, fmt.Errorf("failed to create OIDC HTTP client: %w", err)
 		}
 	}
 	return &OidcAuthProvider{
 		additionalAuthScopes: additionalAuthScopes,
 		tokenGenerator:       tokenGenerator,
-	}
+		httpClient:           httpClient,
 	}, nil
 }
 func (auth *OidcAuthProvider) generateAccessToken() (accessToken string, err error) {
-	tokenObj, err := auth.tokenGenerator.Token(context.Background())
+	ctx := context.Background()
 	if auth.httpClient != nil {
 		ctx = context.WithValue(ctx, oauth2.HTTPClient, auth.httpClient)
 	}
 	tokenObj, err := auth.tokenGenerator.Token(ctx)
 	if err != nil {
 		return "", fmt.Errorf("couldn't generate OIDC token for login: %v", err)
 	}
--- a/pkg/config/legacy/client.go
+++ b/pkg/config/legacy/client.go
@@ -194,7 +194,7 @@ func UnmarshalClientConfFromIni(source any) (ClientCommonConf, error) {
 	}
 	common.Metas = GetMapWithoutPrefix(s.KeysHash(), "meta_")
-	common.ClientConfig.OidcAdditionalEndpointParams = GetMapWithoutPrefix(s.KeysHash(), "oidc_additional_")
+	common.OidcAdditionalEndpointParams = GetMapWithoutPrefix(s.KeysHash(), "oidc_additional_")
 	return common, nil
 }
@@ -229,10 +229,7 @@ func LoadAllProxyConfsFromIni(
 		startProxy[s] = struct{}{}
 	}
-	startAll := true
+	startAll := len(startProxy) == 0
 	if len(startProxy) > 0 {
 		startAll = false
 	}
 	// Build template sections from range section And append to ini.File.
 	rangeSections := make([]*ini.Section, 0)
--- a/pkg/config/legacy/conversion.go
+++ b/pkg/config/legacy/conversion.go
@@ -26,20 +26,20 @@ import (
 func Convert_ClientCommonConf_To_v1(conf *ClientCommonConf) *v1.ClientCommonConfig {
 	out := &v1.ClientCommonConfig{}
 	out.User = conf.User
-	out.Auth.Method = v1.AuthMethod(conf.ClientConfig.AuthenticationMethod)
+	out.Auth.Method = v1.AuthMethod(conf.AuthenticationMethod)
-	out.Auth.Token = conf.ClientConfig.Token
+	out.Auth.Token = conf.Token
-	if conf.ClientConfig.AuthenticateHeartBeats {
+	if conf.AuthenticateHeartBeats {
 		out.Auth.AdditionalScopes = append(out.Auth.AdditionalScopes, v1.AuthScopeHeartBeats)
 	}
-	if conf.ClientConfig.AuthenticateNewWorkConns {
+	if conf.AuthenticateNewWorkConns {
 		out.Auth.AdditionalScopes = append(out.Auth.AdditionalScopes, v1.AuthScopeNewWorkConns)
 	}
-	out.Auth.OIDC.ClientID = conf.ClientConfig.OidcClientID
+	out.Auth.OIDC.ClientID = conf.OidcClientID
-	out.Auth.OIDC.ClientSecret = conf.ClientConfig.OidcClientSecret
+	out.Auth.OIDC.ClientSecret = conf.OidcClientSecret
-	out.Auth.OIDC.Audience = conf.ClientConfig.OidcAudience
+	out.Auth.OIDC.Audience = conf.OidcAudience
-	out.Auth.OIDC.Scope = conf.ClientConfig.OidcScope
+	out.Auth.OIDC.Scope = conf.OidcScope
-	out.Auth.OIDC.TokenEndpointURL = conf.ClientConfig.OidcTokenEndpointURL
+	out.Auth.OIDC.TokenEndpointURL = conf.OidcTokenEndpointURL
-	out.Auth.OIDC.AdditionalEndpointParams = conf.ClientConfig.OidcAdditionalEndpointParams
+	out.Auth.OIDC.AdditionalEndpointParams = conf.OidcAdditionalEndpointParams
 	out.ServerAddr = conf.ServerAddr
 	out.ServerPort = conf.ServerPort
@@ -59,10 +59,10 @@ func Convert_ClientCommonConf_To_v1(conf *ClientCommonConf) *v1.ClientCommonConf
 	out.Transport.QUIC.MaxIncomingStreams = conf.QUICMaxIncomingStreams
 	out.Transport.TLS.Enable = lo.ToPtr(conf.TLSEnable)
 	out.Transport.TLS.DisableCustomTLSFirstByte = lo.ToPtr(conf.DisableCustomTLSFirstByte)
-	out.Transport.TLS.TLSConfig.CertFile = conf.TLSCertFile
+	out.Transport.TLS.CertFile = conf.TLSCertFile
-	out.Transport.TLS.TLSConfig.KeyFile = conf.TLSKeyFile
+	out.Transport.TLS.KeyFile = conf.TLSKeyFile
-	out.Transport.TLS.TLSConfig.TrustedCaFile = conf.TLSTrustedCaFile
+	out.Transport.TLS.TrustedCaFile = conf.TLSTrustedCaFile
-	out.Transport.TLS.TLSConfig.ServerName = conf.TLSServerName
+	out.Transport.TLS.ServerName = conf.TLSServerName
 	out.Log.To = conf.LogFile
 	out.Log.Level = conf.LogLevel
@@ -87,18 +87,18 @@ func Convert_ClientCommonConf_To_v1(conf *ClientCommonConf) *v1.ClientCommonConf
 func Convert_ServerCommonConf_To_v1(conf *ServerCommonConf) *v1.ServerConfig {
 	out := &v1.ServerConfig{}
-	out.Auth.Method = v1.AuthMethod(conf.ServerConfig.AuthenticationMethod)
+	out.Auth.Method = v1.AuthMethod(conf.AuthenticationMethod)
-	out.Auth.Token = conf.ServerConfig.Token
+	out.Auth.Token = conf.Token
-	if conf.ServerConfig.AuthenticateHeartBeats {
+	if conf.AuthenticateHeartBeats {
 		out.Auth.AdditionalScopes = append(out.Auth.AdditionalScopes, v1.AuthScopeHeartBeats)
 	}
-	if conf.ServerConfig.AuthenticateNewWorkConns {
+	if conf.AuthenticateNewWorkConns {
 		out.Auth.AdditionalScopes = append(out.Auth.AdditionalScopes, v1.AuthScopeNewWorkConns)
 	}
-	out.Auth.OIDC.Audience = conf.ServerConfig.OidcAudience
+	out.Auth.OIDC.Audience = conf.OidcAudience
-	out.Auth.OIDC.Issuer = conf.ServerConfig.OidcIssuer
+	out.Auth.OIDC.Issuer = conf.OidcIssuer
-	out.Auth.OIDC.SkipExpiryCheck = conf.ServerConfig.OidcSkipExpiryCheck
+	out.Auth.OIDC.SkipExpiryCheck = conf.OidcSkipExpiryCheck
-	out.Auth.OIDC.SkipIssuerCheck = conf.ServerConfig.OidcSkipIssuerCheck
+	out.Auth.OIDC.SkipIssuerCheck = conf.OidcSkipIssuerCheck
 	out.BindAddr = conf.BindAddr
 	out.BindPort = conf.BindPort
--- a/pkg/config/legacy/proxy.go
+++ b/pkg/config/legacy/proxy.go
@@ -206,7 +206,7 @@ func (cfg *BaseProxyConf) decorate(_ string, name string, section *ini.Section)
 	}
 	// plugin_xxx
-	cfg.LocalSvrConf.PluginParams = GetMapByPrefix(section.KeysHash(), "plugin_")
+	cfg.PluginParams = GetMapByPrefix(section.KeysHash(), "plugin_")
 	return nil
 }
--- a/pkg/config/load.go
+++ b/pkg/config/load.go
@@ -111,6 +111,33 @@ func LoadConfigureFromFile(path string, c any, strict bool) error {
 	return LoadConfigure(content, c, strict)
 }
 // parseYAMLWithDotFieldsHandling parses YAML with dot-prefixed fields handling
 // This function handles both cases efficiently: with or without dot fields
 func parseYAMLWithDotFieldsHandling(content []byte, target any) error {
 	var temp any
 	if err := yaml.Unmarshal(content, &temp); err != nil {
 		return err
 	}
 	// Remove dot fields if it's a map
 	if tempMap, ok := temp.(map[string]any); ok {
 		for key := range tempMap {
 			if strings.HasPrefix(key, ".") {
 				delete(tempMap, key)
 			}
 		}
 	}
 	// Convert to JSON and decode with strict validation
 	jsonBytes, err := json.Marshal(temp)
 	if err != nil {
 		return err
 	}
 	decoder := json.NewDecoder(bytes.NewReader(jsonBytes))
 	decoder.DisallowUnknownFields()
 	return decoder.Decode(target)
 }
 // LoadConfigure loads configuration from bytes and unmarshal into c.
 // Now it supports json, yaml and toml format.
 func LoadConfigure(b []byte, c any, strict bool) error {
@@ -134,10 +161,13 @@ func LoadConfigure(b []byte, c any, strict bool) error {
 		}
 		return decoder.Decode(c)
 	}
-	// It wasn't JSON. Unmarshal as YAML.
+
 	// Handle YAML content
 	if strict {
-		return yaml.UnmarshalStrict(b, c)
+		// In strict mode, always use our custom handler to support YAML merge
 		return parseYAMLWithDotFieldsHandling(b, c)
 	}
 	// Non-strict mode, parse normally
 	return yaml.Unmarshal(b, c)
 }
@@ -182,7 +212,9 @@ func LoadServerConfig(path string, strict bool) (*v1.ServerConfig, bool, error)
 		}
 	}
 	if svrCfg != nil {
-		svrCfg.Complete()
+		if err := svrCfg.Complete(); err != nil {
 			return nil, isLegacyFormat, err
 		}
 	}
 	return svrCfg, isLegacyFormat, nil
 }
@@ -250,7 +282,9 @@ func LoadClientConfig(path string, strict bool) (
 	}
 	if cliCfg != nil {
-		cliCfg.Complete()
+		if err := cliCfg.Complete(); err != nil {
 			return nil, nil, nil, isLegacyFormat, err
 		}
 	}
 	for _, c := range proxyCfgs {
 		c.Complete(cliCfg.User)
--- a/pkg/config/load_test.go
+++ b/pkg/config/load_test.go
@@ -187,3 +187,122 @@ unixPath = "/tmp/uds.sock"
 	err = LoadConfigure([]byte(pluginStr), &clientCfg, true)
 	require.Error(err)
 }
 // TestYAMLMergeInStrictMode tests that YAML merge functionality works
 // even in strict mode by properly handling dot-prefixed fields
 func TestYAMLMergeInStrictMode(t *testing.T) {
 	require := require.New(t)
 	yamlContent := `
 serverAddr: "127.0.0.1"
 serverPort: 7000
 .common: &common
  type: stcp
  secretKey: "test-secret"
  localIP: 127.0.0.1
  transport:
    useEncryption: true
    useCompression: true
 proxies:
 - name: ssh
  localPort: 22
  <<: *common
 - name: web
  localPort: 80
  <<: *common
 `
 	clientCfg := v1.ClientConfig{}
 	// This should work in strict mode
 	err := LoadConfigure([]byte(yamlContent), &clientCfg, true)
 	require.NoError(err)
 	// Verify the merge worked correctly
 	require.Equal("127.0.0.1", clientCfg.ServerAddr)
 	require.Equal(7000, clientCfg.ServerPort)
 	require.Len(clientCfg.Proxies, 2)
 	// Check first proxy
 	sshProxy := clientCfg.Proxies[0].ProxyConfigurer
 	require.Equal("ssh", sshProxy.GetBaseConfig().Name)
 	require.Equal("stcp", sshProxy.GetBaseConfig().Type)
 	// Check second proxy
 	webProxy := clientCfg.Proxies[1].ProxyConfigurer
 	require.Equal("web", webProxy.GetBaseConfig().Name)
 	require.Equal("stcp", webProxy.GetBaseConfig().Type)
 }
 // TestOptimizedYAMLProcessing tests the optimization logic for YAML processing
 func TestOptimizedYAMLProcessing(t *testing.T) {
 	require := require.New(t)
 	yamlWithDotFields := []byte(`
 serverAddr: "127.0.0.1"
 .common: &common
  type: stcp
 proxies:
 - name: test
  <<: *common
 `)
 	yamlWithoutDotFields := []byte(`
 serverAddr: "127.0.0.1"
 proxies:
 - name: test
  type: tcp
  localPort: 22
 `)
 	// Test that YAML without dot fields works in strict mode
 	clientCfg := v1.ClientConfig{}
 	err := LoadConfigure(yamlWithoutDotFields, &clientCfg, true)
 	require.NoError(err)
 	require.Equal("127.0.0.1", clientCfg.ServerAddr)
 	require.Len(clientCfg.Proxies, 1)
 	require.Equal("test", clientCfg.Proxies[0].ProxyConfigurer.GetBaseConfig().Name)
 	// Test that YAML with dot fields still works in strict mode
 	err = LoadConfigure(yamlWithDotFields, &clientCfg, true)
 	require.NoError(err)
 	require.Equal("127.0.0.1", clientCfg.ServerAddr)
 	require.Len(clientCfg.Proxies, 1)
 	require.Equal("test", clientCfg.Proxies[0].ProxyConfigurer.GetBaseConfig().Name)
 	require.Equal("stcp", clientCfg.Proxies[0].ProxyConfigurer.GetBaseConfig().Type)
 }
 // TestYAMLEdgeCases tests edge cases for YAML parsing, including non-map types
 func TestYAMLEdgeCases(t *testing.T) {
 	require := require.New(t)
 	// Test array at root (should fail for frp config)
 	arrayYAML := []byte(`
 - item1
 - item2
 `)
 	clientCfg := v1.ClientConfig{}
 	err := LoadConfigure(arrayYAML, &clientCfg, true)
 	require.Error(err) // Should fail because ClientConfig expects an object
 	// Test scalar at root (should fail for frp config)
 	scalarYAML := []byte(`"just a string"`)
 	err = LoadConfigure(scalarYAML, &clientCfg, true)
 	require.Error(err) // Should fail because ClientConfig expects an object
 	// Test empty object (should work)
 	emptyYAML := []byte(`{}`)
 	err = LoadConfigure(emptyYAML, &clientCfg, true)
 	require.NoError(err)
 	// Test nested structure without dots (should work)
 	nestedYAML := []byte(`
 serverAddr: "127.0.0.1"
 serverPort: 7000
 `)
 	err = LoadConfigure(nestedYAML, &clientCfg, true)
 	require.NoError(err)
 	require.Equal("127.0.0.1", clientCfg.ServerAddr)
 	require.Equal(7000, clientCfg.ServerPort)
 }
--- a/pkg/config/v1/client.go
+++ b/pkg/config/v1/client.go
@@ -15,6 +15,8 @@
 package v1
 import (
 	"context"
 	"fmt"
 	"os"
 	"github.com/samber/lo"
@@ -77,18 +79,21 @@ type ClientCommonConfig struct {
 	IncludeConfigFiles []string `json:"includes,omitempty"`
 }
-func (c *ClientCommonConfig) Complete() {
+func (c *ClientCommonConfig) Complete() error {
 	c.ServerAddr = util.EmptyOr(c.ServerAddr, "0.0.0.0")
 	c.ServerPort = util.EmptyOr(c.ServerPort, 7000)
 	c.LoginFailExit = util.EmptyOr(c.LoginFailExit, lo.ToPtr(true))
 	c.NatHoleSTUNServer = util.EmptyOr(c.NatHoleSTUNServer, "stun.easyvoip.com:3478")
-	c.Auth.Complete()
+	if err := c.Auth.Complete(); err != nil {
 		return err
 	}
 	c.Log.Complete()
 	c.Transport.Complete()
 	c.WebServer.Complete()
 	c.UDPPacketSize = util.EmptyOr(c.UDPPacketSize, 1500)
 	return nil
 }
 type ClientTransportConfig struct {
@@ -184,12 +189,27 @@ type AuthClientConfig struct {
 	// Token specifies the authorization token used to create keys to be sent
 	// to the server. The server must have a matching token for authorization
 	// to succeed.  By default, this value is "".
-	Token string               `json:"token,omitempty"`
+	Token string `json:"token,omitempty"`
-	OIDC  AuthOIDCClientConfig `json:"oidc,omitempty"`
+	// TokenSource specifies a dynamic source for the authorization token.
 	// This is mutually exclusive with Token field.
 	TokenSource *ValueSource         `json:"tokenSource,omitempty"`
 	OIDC        AuthOIDCClientConfig `json:"oidc,omitempty"`
 }
-func (c *AuthClientConfig) Complete() {
+func (c *AuthClientConfig) Complete() error {
 	c.Method = util.EmptyOr(c.Method, "token")
 	// Resolve tokenSource during configuration loading
 	if c.Method == AuthMethodToken && c.TokenSource != nil {
 		token, err := c.TokenSource.Resolve(context.Background())
 		if err != nil {
 			return fmt.Errorf("failed to resolve auth.tokenSource: %w", err)
 		}
 		// Move the resolved token to the Token field and clear TokenSource
 		c.Token = token
 		c.TokenSource = nil
 	}
 	return nil
 }
 type AuthOIDCClientConfig struct {
@@ -208,6 +228,17 @@ type AuthOIDCClientConfig struct {
 	// AdditionalEndpointParams specifies additional parameters to be sent
 	// this field will be transfer to map[string][]string in OIDC token generator.
 	AdditionalEndpointParams map[string]string `json:"additionalEndpointParams,omitempty"`
 	// TrustedCaFile specifies the path to a custom CA certificate file
 	// for verifying the OIDC token endpoint's TLS certificate.
 	TrustedCaFile string `json:"trustedCaFile,omitempty"`
 	// InsecureSkipVerify disables TLS certificate verification for the
 	// OIDC token endpoint. Only use this for debugging, not recommended for production.
 	InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"`
 	// ProxyURL specifies a proxy to use when connecting to the OIDC token endpoint.
 	// Supports http, https, socks5, and socks5h proxy protocols.
 	// If empty, no proxy is used for OIDC connections.
 	ProxyURL string `json:"proxyURL,omitempty"`
 }
 type VirtualNetConfig struct {
--- a/pkg/config/v1/client_test.go
+++ b/pkg/config/v1/client_test.go
@@ -15,6 +15,8 @@
 package v1
 import (
 	"os"
 	"path/filepath"
 	"testing"
 	"github.com/samber/lo"
@@ -24,7 +26,8 @@ import (
 func TestClientConfigComplete(t *testing.T) {
 	require := require.New(t)
 	c := &ClientConfig{}
-	c.Complete()
+	err := c.Complete()
 	require.NoError(err)
 	require.EqualValues("token", c.Auth.Method)
 	require.Equal(true, lo.FromPtr(c.Transport.TCPMux))
@@ -33,3 +36,70 @@ func TestClientConfigComplete(t *testing.T) {
 	require.Equal(true, lo.FromPtr(c.Transport.TLS.DisableCustomTLSFirstByte))
 	require.NotEmpty(c.NatHoleSTUNServer)
 }
 func TestAuthClientConfig_Complete(t *testing.T) {
 	// Create a temporary file for testing
 	tmpDir := t.TempDir()
 	testFile := filepath.Join(tmpDir, "test_token")
 	testContent := "client-token-value"
 	err := os.WriteFile(testFile, []byte(testContent), 0o600)
 	require.NoError(t, err)
 	tests := []struct {
 		name        string
 		config      AuthClientConfig
 		expectToken string
 		expectPanic bool
 	}{
 		{
 			name: "tokenSource resolved to token",
 			config: AuthClientConfig{
 				Method: AuthMethodToken,
 				TokenSource: &ValueSource{
 					Type: "file",
 					File: &FileSource{
 						Path: testFile,
 					},
 				},
 			},
 			expectToken: testContent,
 			expectPanic: false,
 		},
 		{
 			name: "direct token unchanged",
 			config: AuthClientConfig{
 				Method: AuthMethodToken,
 				Token:  "direct-token",
 			},
 			expectToken: "direct-token",
 			expectPanic: false,
 		},
 		{
 			name: "invalid tokenSource should panic",
 			config: AuthClientConfig{
 				Method: AuthMethodToken,
 				TokenSource: &ValueSource{
 					Type: "file",
 					File: &FileSource{
 						Path: "/non/existent/file",
 					},
 				},
 			},
 			expectPanic: true,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			if tt.expectPanic {
 				err := tt.config.Complete()
 				require.Error(t, err)
 			} else {
 				err := tt.config.Complete()
 				require.NoError(t, err)
 				require.Equal(t, tt.expectToken, tt.config.Token)
 				require.Nil(t, tt.config.TokenSource, "TokenSource should be cleared after resolution")
 			}
 		})
 	}
 }
--- a/pkg/config/v1/common.go
+++ b/pkg/config/v1/common.go
@@ -85,9 +85,9 @@ func (c *WebServerConfig) Complete() {
 }
 type TLSConfig struct {
-	// CertPath specifies the path of the cert file that client will load.
+	// CertFile specifies the path of the cert file that client will load.
 	CertFile string `json:"certFile,omitempty"`
-	// KeyPath specifies the path of the secret key file that client will load.
+	// KeyFile specifies the path of the secret key file that client will load.
 	KeyFile string `json:"keyFile,omitempty"`
 	// TrustedCaFile specifies the path of the trusted ca file that will load.
 	TrustedCaFile string `json:"trustedCaFile,omitempty"`
@@ -96,6 +96,14 @@ type TLSConfig struct {
 	ServerName string `json:"serverName,omitempty"`
 }
 // NatTraversalConfig defines configuration options for NAT traversal
 type NatTraversalConfig struct {
 	// DisableAssistedAddrs disables the use of local network interfaces
 	// for assisted connections during NAT traversal. When enabled,
 	// only STUN-discovered public addresses will be used.
 	DisableAssistedAddrs bool `json:"disableAssistedAddrs,omitempty"`
 }
 type LogConfig struct {
 	// This is destination where frp should write the logs.
 	// If "console" is used, logs will be printed to stdout, otherwise,
--- a/pkg/config/v1/proxy.go
+++ b/pkg/config/v1/proxy.go
@@ -129,7 +129,7 @@ func (c *ProxyBaseConfig) Complete(namePrefix string) {
 	c.Transport.BandwidthLimitMode = util.EmptyOr(c.Transport.BandwidthLimitMode, types.BandwidthLimitModeClient)
 	if c.Plugin.ClientPluginOptions != nil {
-		c.Plugin.ClientPluginOptions.Complete()
+		c.Plugin.Complete()
 	}
 }
@@ -422,6 +422,9 @@ type XTCPProxyConfig struct {
 	Secretkey  string   `json:"secretKey,omitempty"`
 	AllowUsers []string `json:"allowUsers,omitempty"`
 	// NatTraversal configuration for NAT traversal
 	NatTraversal *NatTraversalConfig `json:"natTraversal,omitempty"`
 }
 func (c *XTCPProxyConfig) MarshalToMsg(m *msg.NewProxy) {
--- a/pkg/config/v1/server.go
+++ b/pkg/config/v1/server.go
@@ -15,6 +15,9 @@
 package v1
 import (
 	"context"
 	"fmt"
 	"github.com/samber/lo"
 	"github.com/fatedier/frp/pkg/config/types"
@@ -98,8 +101,10 @@ type ServerConfig struct {
 	HTTPPlugins []HTTPPluginOptions `json:"httpPlugins,omitempty"`
 }
-func (c *ServerConfig) Complete() {
+func (c *ServerConfig) Complete() error {
-	c.Auth.Complete()
+	if err := c.Auth.Complete(); err != nil {
 		return err
 	}
 	c.Log.Complete()
 	c.Transport.Complete()
 	c.WebServer.Complete()
@@ -120,17 +125,31 @@ func (c *ServerConfig) Complete() {
 	c.UserConnTimeout = util.EmptyOr(c.UserConnTimeout, 10)
 	c.UDPPacketSize = util.EmptyOr(c.UDPPacketSize, 1500)
 	c.NatHoleAnalysisDataReserveHours = util.EmptyOr(c.NatHoleAnalysisDataReserveHours, 7*24)
 	return nil
 }
 type AuthServerConfig struct {
 	Method           AuthMethod           `json:"method,omitempty"`
 	AdditionalScopes []AuthScope          `json:"additionalScopes,omitempty"`
 	Token            string               `json:"token,omitempty"`
 	TokenSource      *ValueSource         `json:"tokenSource,omitempty"`
 	OIDC             AuthOIDCServerConfig `json:"oidc,omitempty"`
 }
-func (c *AuthServerConfig) Complete() {
+func (c *AuthServerConfig) Complete() error {
 	c.Method = util.EmptyOr(c.Method, "token")
 	// Resolve tokenSource during configuration loading
 	if c.Method == AuthMethodToken && c.TokenSource != nil {
 		token, err := c.TokenSource.Resolve(context.Background())
 		if err != nil {
 			return fmt.Errorf("failed to resolve auth.tokenSource: %w", err)
 		}
 		// Move the resolved token to the Token field and clear TokenSource
 		c.Token = token
 		c.TokenSource = nil
 	}
 	return nil
 }
 type AuthOIDCServerConfig struct {
--- a/pkg/config/v1/server_test.go
+++ b/pkg/config/v1/server_test.go
@@ -15,6 +15,8 @@
 package v1
 import (
 	"os"
 	"path/filepath"
 	"testing"
 	"github.com/samber/lo"
@@ -24,9 +26,77 @@ import (
 func TestServerConfigComplete(t *testing.T) {
 	require := require.New(t)
 	c := &ServerConfig{}
-	c.Complete()
+	err := c.Complete()
 	require.NoError(err)
 	require.EqualValues("token", c.Auth.Method)
 	require.Equal(true, lo.FromPtr(c.Transport.TCPMux))
 	require.Equal(true, lo.FromPtr(c.DetailedErrorsToClient))
 }
 func TestAuthServerConfig_Complete(t *testing.T) {
 	// Create a temporary file for testing
 	tmpDir := t.TempDir()
 	testFile := filepath.Join(tmpDir, "test_token")
 	testContent := "file-token-value"
 	err := os.WriteFile(testFile, []byte(testContent), 0o600)
 	require.NoError(t, err)
 	tests := []struct {
 		name        string
 		config      AuthServerConfig
 		expectToken string
 		expectPanic bool
 	}{
 		{
 			name: "tokenSource resolved to token",
 			config: AuthServerConfig{
 				Method: AuthMethodToken,
 				TokenSource: &ValueSource{
 					Type: "file",
 					File: &FileSource{
 						Path: testFile,
 					},
 				},
 			},
 			expectToken: testContent,
 			expectPanic: false,
 		},
 		{
 			name: "direct token unchanged",
 			config: AuthServerConfig{
 				Method: AuthMethodToken,
 				Token:  "direct-token",
 			},
 			expectToken: "direct-token",
 			expectPanic: false,
 		},
 		{
 			name: "invalid tokenSource should panic",
 			config: AuthServerConfig{
 				Method: AuthMethodToken,
 				TokenSource: &ValueSource{
 					Type: "file",
 					File: &FileSource{
 						Path: "/non/existent/file",
 					},
 				},
 			},
 			expectPanic: true,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			if tt.expectPanic {
 				err := tt.config.Complete()
 				require.Error(t, err)
 			} else {
 				err := tt.config.Complete()
 				require.NoError(t, err)
 				require.Equal(t, tt.expectToken, tt.config.Token)
 				require.Nil(t, tt.config.TokenSource, "TokenSource should be cleared after resolution")
 			}
 		})
 	}
 }
--- a/pkg/config/v1/validation/client.go
+++ b/pkg/config/v1/validation/client.go
@@ -45,6 +45,18 @@ func ValidateClientCommonConfig(c *v1.ClientCommonConfig) (Warning, error) {
 		errs = AppendError(errs, fmt.Errorf("invalid auth additional scopes, optional values are %v", SupportedAuthAdditionalScopes))
 	}
 	// Validate token/tokenSource mutual exclusivity
 	if c.Auth.Token != "" && c.Auth.TokenSource != nil {
 		errs = AppendError(errs, fmt.Errorf("cannot specify both auth.token and auth.tokenSource"))
 	}
 	// Validate tokenSource if specified
 	if c.Auth.TokenSource != nil {
 		if err := c.Auth.TokenSource.Validate(); err != nil {
 			errs = AppendError(errs, fmt.Errorf("invalid auth.tokenSource: %v", err))
 		}
 	}
 	if err := validateLogConfig(&c.Log); err != nil {
 		errs = AppendError(errs, err)
 	}
--- a/pkg/config/v1/validation/server.go
+++ b/pkg/config/v1/validation/server.go
@@ -35,6 +35,18 @@ func ValidateServerConfig(c *v1.ServerConfig) (Warning, error) {
 		errs = AppendError(errs, fmt.Errorf("invalid auth additional scopes, optional values are %v", SupportedAuthAdditionalScopes))
 	}
 	// Validate token/tokenSource mutual exclusivity
 	if c.Auth.Token != "" && c.Auth.TokenSource != nil {
 		errs = AppendError(errs, fmt.Errorf("cannot specify both auth.token and auth.tokenSource"))
 	}
 	// Validate tokenSource if specified
 	if c.Auth.TokenSource != nil {
 		if err := c.Auth.TokenSource.Validate(); err != nil {
 			errs = AppendError(errs, fmt.Errorf("invalid auth.tokenSource: %v", err))
 		}
 	}
 	if err := validateLogConfig(&c.Log); err != nil {
 		errs = AppendError(errs, err)
 	}
--- a/pkg/config/v1/value_source.go
+++ b/pkg/config/v1/value_source.go
@@ -0,0 +1,93 @@
 // Copyright 2025 The frp Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package v1
 import (
 	"context"
 	"errors"
 	"fmt"
 	"os"
 	"strings"
 )
 // ValueSource provides a way to dynamically resolve configuration values
 // from various sources like files, environment variables, or external services.
 type ValueSource struct {
 	Type string      `json:"type"`
 	File *FileSource `json:"file,omitempty"`
 }
 // FileSource specifies how to load a value from a file.
 type FileSource struct {
 	Path string `json:"path"`
 }
 // Validate validates the ValueSource configuration.
 func (v *ValueSource) Validate() error {
 	if v == nil {
 		return errors.New("valueSource cannot be nil")
 	}
 	switch v.Type {
 	case "file":
 		if v.File == nil {
 			return errors.New("file configuration is required when type is 'file'")
 		}
 		return v.File.Validate()
 	default:
 		return fmt.Errorf("unsupported value source type: %s (only 'file' is supported)", v.Type)
 	}
 }
 // Resolve resolves the value from the configured source.
 func (v *ValueSource) Resolve(ctx context.Context) (string, error) {
 	if err := v.Validate(); err != nil {
 		return "", err
 	}
 	switch v.Type {
 	case "file":
 		return v.File.Resolve(ctx)
 	default:
 		return "", fmt.Errorf("unsupported value source type: %s", v.Type)
 	}
 }
 // Validate validates the FileSource configuration.
 func (f *FileSource) Validate() error {
 	if f == nil {
 		return errors.New("fileSource cannot be nil")
 	}
 	if f.Path == "" {
 		return errors.New("file path cannot be empty")
 	}
 	return nil
 }
 // Resolve reads and returns the content from the specified file.
 func (f *FileSource) Resolve(_ context.Context) (string, error) {
 	if err := f.Validate(); err != nil {
 		return "", err
 	}
 	content, err := os.ReadFile(f.Path)
 	if err != nil {
 		return "", fmt.Errorf("failed to read file %s: %v", f.Path, err)
 	}
 	// Trim whitespace, which is important for file-based tokens
 	return strings.TrimSpace(string(content)), nil
 }
--- a/pkg/config/v1/value_source_test.go
+++ b/pkg/config/v1/value_source_test.go
@@ -0,0 +1,246 @@
 // Copyright 2025 The frp Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package v1
 import (
 	"context"
 	"os"
 	"path/filepath"
 	"testing"
 )
 func TestValueSource_Validate(t *testing.T) {
 	tests := []struct {
 		name    string
 		vs      *ValueSource
 		wantErr bool
 	}{
 		{
 			name:    "nil valueSource",
 			vs:      nil,
 			wantErr: true,
 		},
 		{
 			name: "unsupported type",
 			vs: &ValueSource{
 				Type: "unsupported",
 			},
 			wantErr: true,
 		},
 		{
 			name: "file type without file config",
 			vs: &ValueSource{
 				Type: "file",
 				File: nil,
 			},
 			wantErr: true,
 		},
 		{
 			name: "valid file type with absolute path",
 			vs: &ValueSource{
 				Type: "file",
 				File: &FileSource{
 					Path: "/tmp/test",
 				},
 			},
 			wantErr: false,
 		},
 		{
 			name: "valid file type with relative path",
 			vs: &ValueSource{
 				Type: "file",
 				File: &FileSource{
 					Path: "configs/token",
 				},
 			},
 			wantErr: false,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			err := tt.vs.Validate()
 			if (err != nil) != tt.wantErr {
 				t.Errorf("ValueSource.Validate() error = %v, wantErr %v", err, tt.wantErr)
 			}
 		})
 	}
 }
 func TestFileSource_Validate(t *testing.T) {
 	tests := []struct {
 		name    string
 		fs      *FileSource
 		wantErr bool
 	}{
 		{
 			name:    "nil fileSource",
 			fs:      nil,
 			wantErr: true,
 		},
 		{
 			name: "empty path",
 			fs: &FileSource{
 				Path: "",
 			},
 			wantErr: true,
 		},
 		{
 			name: "relative path (allowed)",
 			fs: &FileSource{
 				Path: "relative/path",
 			},
 			wantErr: false,
 		},
 		{
 			name: "absolute path",
 			fs: &FileSource{
 				Path: "/absolute/path",
 			},
 			wantErr: false,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			err := tt.fs.Validate()
 			if (err != nil) != tt.wantErr {
 				t.Errorf("FileSource.Validate() error = %v, wantErr %v", err, tt.wantErr)
 			}
 		})
 	}
 }
 func TestFileSource_Resolve(t *testing.T) {
 	// Create a temporary file for testing
 	tmpDir := t.TempDir()
 	testFile := filepath.Join(tmpDir, "test_token")
 	testContent := "test-token-value\n\t "
 	expectedContent := "test-token-value"
 	err := os.WriteFile(testFile, []byte(testContent), 0o600)
 	if err != nil {
 		t.Fatalf("failed to create test file: %v", err)
 	}
 	tests := []struct {
 		name    string
 		fs      *FileSource
 		want    string
 		wantErr bool
 	}{
 		{
 			name: "valid file path",
 			fs: &FileSource{
 				Path: testFile,
 			},
 			want:    expectedContent,
 			wantErr: false,
 		},
 		{
 			name: "non-existent file",
 			fs: &FileSource{
 				Path: "/non/existent/file",
 			},
 			want:    "",
 			wantErr: true,
 		},
 		{
 			name: "path traversal attempt (should fail validation)",
 			fs: &FileSource{
 				Path: "../../../etc/passwd",
 			},
 			want:    "",
 			wantErr: true,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			got, err := tt.fs.Resolve(context.Background())
 			if (err != nil) != tt.wantErr {
 				t.Errorf("FileSource.Resolve() error = %v, wantErr %v", err, tt.wantErr)
 				return
 			}
 			if got != tt.want {
 				t.Errorf("FileSource.Resolve() = %v, want %v", got, tt.want)
 			}
 		})
 	}
 }
 func TestValueSource_Resolve(t *testing.T) {
 	// Create a temporary file for testing
 	tmpDir := t.TempDir()
 	testFile := filepath.Join(tmpDir, "test_token")
 	testContent := "test-token-value"
 	err := os.WriteFile(testFile, []byte(testContent), 0o600)
 	if err != nil {
 		t.Fatalf("failed to create test file: %v", err)
 	}
 	tests := []struct {
 		name    string
 		vs      *ValueSource
 		want    string
 		wantErr bool
 	}{
 		{
 			name: "valid file type",
 			vs: &ValueSource{
 				Type: "file",
 				File: &FileSource{
 					Path: testFile,
 				},
 			},
 			want:    testContent,
 			wantErr: false,
 		},
 		{
 			name: "unsupported type",
 			vs: &ValueSource{
 				Type: "unsupported",
 			},
 			want:    "",
 			wantErr: true,
 		},
 		{
 			name: "file type with path traversal",
 			vs: &ValueSource{
 				Type: "file",
 				File: &FileSource{
 					Path: "../../../etc/passwd",
 				},
 			},
 			want:    "",
 			wantErr: true,
 		},
 	}
 	ctx := context.Background()
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			got, err := tt.vs.Resolve(ctx)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("ValueSource.Resolve() error = %v, wantErr %v", err, tt.wantErr)
 				return
 			}
 			if got != tt.want {
 				t.Errorf("ValueSource.Resolve() = %v, want %v", got, tt.want)
 			}
 		})
 	}
 }
--- a/pkg/config/v1/visitor.go
+++ b/pkg/config/v1/visitor.go
@@ -160,6 +160,9 @@ type XTCPVisitorConfig struct {
 	MinRetryInterval  int    `json:"minRetryInterval,omitempty"`
 	FallbackTo        string `json:"fallbackTo,omitempty"`
 	FallbackTimeoutMs int    `json:"fallbackTimeoutMs,omitempty"`
 	// NatTraversal configuration for NAT traversal
 	NatTraversal *NatTraversalConfig `json:"natTraversal,omitempty"`
 }
 func (c *XTCPVisitorConfig) Complete(g *ClientCommonConfig) {
--- a/pkg/metrics/mem/server.go
+++ b/pkg/metrics/mem/server.go
@@ -109,7 +109,7 @@ func (m *serverMetrics) NewProxy(name string, proxyType string) {
 	m.info.ProxyTypeCounts[proxyType] = counter
 	proxyStats, ok := m.info.ProxyStatistics[name]
-	if !(ok && proxyStats.ProxyType == proxyType) {
+	if !ok || proxyStats.ProxyType != proxyType {
 		proxyStats = &ProxyStatistics{
 			Name:       name,
 			ProxyType:  proxyType,
--- a/pkg/metrics/prometheus/server.go
+++ b/pkg/metrics/prometheus/server.go
@@ -14,11 +14,12 @@ const (
 var ServerMetrics metrics.ServerMetrics = newServerMetrics()
 type serverMetrics struct {
-	clientCount     prometheus.Gauge
+	clientCount        prometheus.Gauge
-	proxyCount      *prometheus.GaugeVec
+	proxyCount         *prometheus.GaugeVec
-	connectionCount *prometheus.GaugeVec
+	proxyCountDetailed *prometheus.GaugeVec
-	trafficIn       *prometheus.CounterVec
+	connectionCount    *prometheus.GaugeVec
-	trafficOut      *prometheus.CounterVec
+	trafficIn          *prometheus.CounterVec
 	trafficOut         *prometheus.CounterVec
 }
 func (m *serverMetrics) NewClient() {
@@ -29,12 +30,14 @@ func (m *serverMetrics) CloseClient() {
 	m.clientCount.Dec()
 }
-func (m *serverMetrics) NewProxy(_ string, proxyType string) {
+func (m *serverMetrics) NewProxy(name string, proxyType string) {
 	m.proxyCount.WithLabelValues(proxyType).Inc()
 	m.proxyCountDetailed.WithLabelValues(proxyType, name).Inc()
 }
-func (m *serverMetrics) CloseProxy(_ string, proxyType string) {
+func (m *serverMetrics) CloseProxy(name string, proxyType string) {
 	m.proxyCount.WithLabelValues(proxyType).Dec()
 	m.proxyCountDetailed.WithLabelValues(proxyType, name).Dec()
 }
 func (m *serverMetrics) OpenConnection(name string, proxyType string) {
@@ -67,6 +70,12 @@ func newServerMetrics() *serverMetrics {
 			Name:      "proxy_counts",
 			Help:      "The current proxy counts",
 		}, []string{"type"}),
 		proxyCountDetailed: prometheus.NewGaugeVec(prometheus.GaugeOpts{
 			Namespace: namespace,
 			Subsystem: serverSubsystem,
 			Name:      "proxy_counts_detailed",
 			Help:      "The current number of proxies grouped by type and name",
 		}, []string{"type", "name"}),
 		connectionCount: prometheus.NewGaugeVec(prometheus.GaugeOpts{
 			Namespace: namespace,
 			Subsystem: serverSubsystem,
@@ -88,6 +97,7 @@ func newServerMetrics() *serverMetrics {
 	}
 	prometheus.MustRegister(m.clientCount)
 	prometheus.MustRegister(m.proxyCount)
 	prometheus.MustRegister(m.proxyCountDetailed)
 	prometheus.MustRegister(m.connectionCount)
 	prometheus.MustRegister(m.trafficIn)
 	prometheus.MustRegister(m.trafficOut)
--- a/pkg/nathole/nathole.go
+++ b/pkg/nathole/nathole.go
@@ -68,6 +68,13 @@ var (
 	DetectRoleReceiver = "receiver"
 )
 // PrepareOptions defines options for NAT traversal preparation
 type PrepareOptions struct {
 	// DisableAssistedAddrs disables the use of local network interfaces
 	// for assisted connections during NAT traversal
 	DisableAssistedAddrs bool
 }
 type PrepareResult struct {
 	Addrs         []string
 	AssistedAddrs []string
@@ -108,7 +115,7 @@ func PreCheck(
 }
 // Prepare is used to do some preparation work before penetration.
-func Prepare(stunServers []string) (*PrepareResult, error) {
+func Prepare(stunServers []string, opts PrepareOptions) (*PrepareResult, error) {
 	// discover for Nat type
 	addrs, localAddr, err := Discover(stunServers, "")
 	if err != nil {
@@ -133,9 +140,13 @@ func Prepare(stunServers []string) (*PrepareResult, error) {
 		return nil, fmt.Errorf("listen local udp addr error: %v", err)
 	}
-	assistedAddrs := make([]string, 0, len(localIPs))
+	// Apply NAT traversal options
-	for _, ip := range localIPs {
+	var assistedAddrs []string
-		assistedAddrs = append(assistedAddrs, net.JoinHostPort(ip, strconv.Itoa(laddr.Port)))
+	if !opts.DisableAssistedAddrs {
 		assistedAddrs = make([]string, 0, len(localIPs))
 		for _, ip := range localIPs {
 			assistedAddrs = append(assistedAddrs, net.JoinHostPort(ip, strconv.Itoa(laddr.Port)))
 		}
 	}
 	return &PrepareResult{
 		Addrs:         addrs,
--- a/pkg/plugin/client/virtual_net.go
+++ b/pkg/plugin/client/virtual_net.go
@@ -18,9 +18,10 @@ package client
 import (
 	"context"
 	"io"
 	"sync"
 	v1 "github.com/fatedier/frp/pkg/config/v1"
 	"github.com/fatedier/frp/pkg/util/xlog"
 )
 func init() {
@@ -30,6 +31,8 @@ func init() {
 type VirtualNetPlugin struct {
 	pluginCtx PluginContext
 	opts      *v1.VirtualNetPluginOptions
 	mu        sync.Mutex
 	conns     map[io.ReadWriteCloser]struct{}
 }
 func NewVirtualNetPlugin(pluginCtx PluginContext, options v1.ClientPluginOptions) (Plugin, error) {
@@ -43,19 +46,32 @@ func NewVirtualNetPlugin(pluginCtx PluginContext, options v1.ClientPluginOptions
 }
 func (p *VirtualNetPlugin) Handle(ctx context.Context, connInfo *ConnectionInfo) {
 	xl := xlog.FromContextSafe(ctx)
 	// Verify if virtual network controller is available
 	if p.pluginCtx.VnetController == nil {
 		return
 	}
-	// Register the connection with the controller
+	// Add the connection before starting the read loop to avoid race condition
-	routeName := p.pluginCtx.Name
+	// where RemoveConn might be called before the connection is added.
-	err := p.pluginCtx.VnetController.RegisterServerConn(ctx, routeName, connInfo.Conn)
+	p.mu.Lock()
-	if err != nil {
+	if p.conns == nil {
-		xl.Errorf("virtual net failed to register server connection: %v", err)
+		p.conns = make(map[io.ReadWriteCloser]struct{})
-		return
+	}
 	p.conns[connInfo.Conn] = struct{}{}
 	p.mu.Unlock()
 	// Register the connection with the controller and pass the cleanup function
 	p.pluginCtx.VnetController.StartServerConnReadLoop(ctx, connInfo.Conn, func() {
 		p.RemoveConn(connInfo.Conn)
 	})
 }
 func (p *VirtualNetPlugin) RemoveConn(conn io.ReadWriteCloser) {
 	p.mu.Lock()
 	defer p.mu.Unlock()
 	// Check if the map exists, as Close might have set it to nil concurrently
 	if p.conns != nil {
 		delete(p.conns, conn)
 	}
 }
@@ -64,8 +80,13 @@ func (p *VirtualNetPlugin) Name() string {
 }
 func (p *VirtualNetPlugin) Close() error {
-	if p.pluginCtx.VnetController != nil {
+	p.mu.Lock()
-		p.pluginCtx.VnetController.UnregisterServerConn(p.pluginCtx.Name)
+	defer p.mu.Unlock()
 	// Close any remaining connections
 	for conn := range p.conns {
 		_ = conn.Close()
 	}
 	p.conns = nil
 	return nil
 }
--- a/pkg/plugin/visitor/virtual_net.go
+++ b/pkg/plugin/visitor/virtual_net.go
@@ -60,7 +60,7 @@ func NewVirtualNetPlugin(pluginCtx PluginContext, options v1.VisitorPluginOption
 		return nil, errors.New("destinationIP is required")
 	}
-	// Parse DestinationIP as a single IP and create a host route
+	// Parse DestinationIP and create a host route.
 	ip := net.ParseIP(opts.DestinationIP)
 	if ip == nil {
 		return nil, fmt.Errorf("invalid destination IP address [%s]", opts.DestinationIP)
@@ -91,7 +91,7 @@ func (p *VirtualNetPlugin) Start() {
 	if len(p.routes) > 0 {
 		routeStr = p.routes[0].String()
 	}
-	xl.Infof("Starting VirtualNetPlugin for visitor [%s], attempting to register routes for %s", p.pluginCtx.Name, routeStr)
+	xl.Infof("starting VirtualNetPlugin for visitor [%s], attempting to register routes for %s", p.pluginCtx.Name, routeStr)
 	go p.run()
 }
@@ -101,10 +101,8 @@ func (p *VirtualNetPlugin) run() {
 	reconnectDelay := 10 * time.Second
 	for {
 		// Create a signal channel for this connection attempt
 		currentCloseSignal := make(chan struct{})
 		// Store the signal channel under lock
 		p.mu.Lock()
 		p.closeSignal = currentCloseSignal
 		p.mu.Unlock()
@@ -112,7 +110,6 @@ func (p *VirtualNetPlugin) run() {
 		select {
 		case <-p.ctx.Done():
 			xl.Infof("VirtualNetPlugin run loop for visitor [%s] stopping (context cancelled before pipe creation).", p.pluginCtx.Name)
 			// Ensure controllerConn from previous loop is cleaned up if necessary
 			p.cleanupControllerConn(xl)
 			return
 		default:
@@ -120,65 +117,43 @@ func (p *VirtualNetPlugin) run() {
 		controllerConn, pluginConn := net.Pipe()
 		// Store controllerConn under lock for cleanup purposes
 		p.mu.Lock()
 		p.controllerConn = controllerConn
 		p.mu.Unlock()
 		// Wrap pluginConn using CloseNotifyConn
 		pluginNotifyConn := netutil.WrapCloseNotifyConn(pluginConn, func() {
-			close(currentCloseSignal) // Signal the run loop
+			close(currentCloseSignal) // Signal the run loop on close.
 		})
-		xl.Infof("Attempting to register client route for visitor [%s]", p.pluginCtx.Name)
+		xl.Infof("attempting to register client route for visitor [%s]", p.pluginCtx.Name)
-		err := p.pluginCtx.VnetController.RegisterClientRoute(p.ctx, p.pluginCtx.Name, p.routes, controllerConn)
+		p.pluginCtx.VnetController.RegisterClientRoute(p.ctx, p.pluginCtx.Name, p.routes, controllerConn)
-		if err != nil {
+		xl.Infof("successfully registered client route for visitor [%s]. Starting connection handler with CloseNotifyConn.", p.pluginCtx.Name)
 			xl.Errorf("Failed to register client route for visitor [%s]: %v. Retrying after %v", p.pluginCtx.Name, err, reconnectDelay)
 			p.cleanupPipePair(xl, controllerConn, pluginConn) // Close both ends on registration failure
 			// Wait before retrying registration, unless context is cancelled
 			select {
 			case <-time.After(reconnectDelay):
 				continue // Retry the loop
 			case <-p.ctx.Done():
 				xl.Infof("VirtualNetPlugin registration retry wait interrupted for visitor [%s]", p.pluginCtx.Name)
 				return // Exit loop if context is cancelled during wait
 			}
 		}
 		xl.Infof("Successfully registered client route for visitor [%s]. Starting connection handler with CloseNotifyConn.", p.pluginCtx.Name)
 		// Pass the CloseNotifyConn to HandleConn.
 		// HandleConn is responsible for calling Close() on pluginNotifyConn.
 		p.pluginCtx.HandleConn(pluginNotifyConn)
-		// Wait for either the plugin context to be cancelled or the wrapper's Close() to be called via the signal channel.
+		// Wait for context cancellation or connection close.
 		select {
 		case <-p.ctx.Done():
 			xl.Infof("VirtualNetPlugin run loop stopping for visitor [%s] (context cancelled while waiting).", p.pluginCtx.Name)
 			// Context cancelled, ensure controller side is closed if HandleConn didn't close its side yet.
 			p.cleanupControllerConn(xl)
 			return
 		case <-currentCloseSignal:
-			xl.Infof("Detected connection closed via CloseNotifyConn for visitor [%s].", p.pluginCtx.Name)
+			xl.Infof("detected connection closed via CloseNotifyConn for visitor [%s].", p.pluginCtx.Name)
-			// HandleConn closed the plugin side (pluginNotifyConn). The closeFn was called, closing currentCloseSignal.
+			// HandleConn closed the plugin side. Close the controller side.
 			// We still need to close the controller side.
 			p.cleanupControllerConn(xl)
-			// Add a delay before attempting to reconnect, respecting context cancellation.
+			xl.Infof("waiting %v before attempting reconnection for visitor [%s]...", reconnectDelay, p.pluginCtx.Name)
 			xl.Infof("Waiting %v before attempting reconnection for visitor [%s]...", reconnectDelay, p.pluginCtx.Name)
 			select {
 			case <-time.After(reconnectDelay):
 				// Delay completed, loop will continue.
 			case <-p.ctx.Done():
 				xl.Infof("VirtualNetPlugin reconnection delay interrupted for visitor [%s]", p.pluginCtx.Name)
-				return // Exit loop if context is cancelled during wait
+				return
 			}
 			// Loop will continue to reconnect.
 		}
-		// Loop will restart, context check at the beginning of the loop is sufficient.
+		xl.Infof("re-establishing virtual connection for visitor [%s]...", p.pluginCtx.Name)
 		xl.Infof("Re-establishing virtual connection for visitor [%s]...", p.pluginCtx.Name)
 	}
 }
@@ -187,46 +162,31 @@ func (p *VirtualNetPlugin) cleanupControllerConn(xl *xlog.Logger) {
 	p.mu.Lock()
 	defer p.mu.Unlock()
 	if p.controllerConn != nil {
-		xl.Debugf("Cleaning up controllerConn for visitor [%s]", p.pluginCtx.Name)
+		xl.Debugf("cleaning up controllerConn for visitor [%s]", p.pluginCtx.Name)
 		p.controllerConn.Close()
 		p.controllerConn = nil
 	}
 	// Also clear the closeSignal reference for the completed/cancelled connection attempt
 	p.closeSignal = nil
 }
 // cleanupPipePair closes both ends of a pipe, used typically when registration fails.
 func (p *VirtualNetPlugin) cleanupPipePair(xl *xlog.Logger, controllerConn, pluginConn net.Conn) {
 	xl.Debugf("Cleaning up pipe pair for visitor [%s] after registration failure", p.pluginCtx.Name)
 	controllerConn.Close()
 	pluginConn.Close()
 	p.mu.Lock()
 	p.controllerConn = nil // Ensure field is nil if it was briefly set
 	p.closeSignal = nil    // Ensure field is nil if it was briefly set
 	p.mu.Unlock()
 }
 // Close initiates the plugin shutdown.
 func (p *VirtualNetPlugin) Close() error {
-	xl := xlog.FromContextSafe(p.pluginCtx.Ctx) // Use base context for close logging
+	xl := xlog.FromContextSafe(p.pluginCtx.Ctx)
-	xl.Infof("Closing VirtualNetPlugin for visitor [%s]", p.pluginCtx.Name)
+	xl.Infof("closing VirtualNetPlugin for visitor [%s]", p.pluginCtx.Name)
-	// 1. Signal the run loop goroutine to stop via context cancellation.
+	// Signal the run loop goroutine to stop.
 	p.cancel()
-	// 2. Unregister the route from the controller.
+	// Unregister the route from the controller.
 	// This might implicitly cause the VnetController to close its end of the pipe (controllerConn).
 	if p.pluginCtx.VnetController != nil {
 		p.pluginCtx.VnetController.UnregisterClientRoute(p.pluginCtx.Name)
-		xl.Infof("Unregistered client route for visitor [%s]", p.pluginCtx.Name)
+		xl.Infof("unregistered client route for visitor [%s]", p.pluginCtx.Name)
 	} else {
 		xl.Warnf("VnetController is nil during close for visitor [%s], cannot unregister route", p.pluginCtx.Name)
 	}
-	// 3. Explicitly close the controller side of the pipe managed by this plugin.
+	// Explicitly close the controller side of the pipe.
 	// This ensures the pipe is broken even if the run loop is stuck or HandleConn hasn't closed its end.
 	p.cleanupControllerConn(xl)
-	xl.Infof("Finished cleaning up connections during close for visitor [%s]", p.pluginCtx.Name)
+	xl.Infof("finished cleaning up connections during close for visitor [%s]", p.pluginCtx.Name)
 	return nil
 }
--- a/pkg/proto/udp/udp.go
+++ b/pkg/proto/udp/udp.go
@@ -24,6 +24,7 @@ import (
 	"github.com/fatedier/golib/pool"
 	"github.com/fatedier/frp/pkg/msg"
 	netpkg "github.com/fatedier/frp/pkg/util/net"
 )
 func NewUDPPacket(buf []byte, laddr, raddr *net.UDPAddr) *msg.UDPPacket {
@@ -69,7 +70,7 @@ func ForwardUserConn(udpConn *net.UDPConn, readCh <-chan *msg.UDPPacket, sendCh
 	}
 }
-func Forwarder(dstAddr *net.UDPAddr, readCh <-chan *msg.UDPPacket, sendCh chan<- msg.Message, bufSize int) {
+func Forwarder(dstAddr *net.UDPAddr, readCh <-chan *msg.UDPPacket, sendCh chan<- msg.Message, bufSize int, proxyProtocolVersion string) {
 	var mu sync.RWMutex
 	udpConnMap := make(map[string]*net.UDPConn)
@@ -110,6 +111,7 @@ func Forwarder(dstAddr *net.UDPAddr, readCh <-chan *msg.UDPPacket, sendCh chan<-
 			if err != nil {
 				continue
 			}
 			mu.Lock()
 			udpConn, ok := udpConnMap[udpMsg.RemoteAddr.String()]
 			if !ok {
@@ -122,6 +124,18 @@ func Forwarder(dstAddr *net.UDPAddr, readCh <-chan *msg.UDPPacket, sendCh chan<-
 			}
 			mu.Unlock()
 			// Add proxy protocol header if configured
 			if proxyProtocolVersion != "" && udpMsg.RemoteAddr != nil {
 				ppBuf, err := netpkg.BuildProxyProtocolHeader(udpMsg.RemoteAddr, dstAddr, proxyProtocolVersion)
 				if err == nil {
 					// Prepend proxy protocol header to the UDP payload
 					finalBuf := make([]byte, len(ppBuf)+len(buf))
 					copy(finalBuf, ppBuf)
 					copy(finalBuf[len(ppBuf):], buf)
 					buf = finalBuf
 				}
 			}
 			_, err = udpConn.Write(buf)
 			if err != nil {
 				udpConn.Close()
--- a/pkg/proto/udp/udp_test.go
+++ b/pkg/proto/udp/udp_test.go
@@ -3,16 +3,16 @@ package udp
 import (
 	"testing"
-	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 func TestUdpPacket(t *testing.T) {
-	assert := assert.New(t)
+	require := require.New(t)
 	buf := []byte("hello world")
 	udpMsg := NewUDPPacket(buf, nil, nil)
 	newBuf, err := GetContent(udpMsg)
-	assert.NoError(err)
+	require.NoError(err)
-	assert.EqualValues(buf, newBuf)
+	require.EqualValues(buf, newBuf)
 }
--- a/pkg/ssh/server.go
+++ b/pkg/ssh/server.go
@@ -105,7 +105,10 @@ func (s *TunnelServer) Run() error {
 		s.writeToClient(err.Error())
 		return fmt.Errorf("parse flags from ssh client error: %v", err)
 	}
-	clientCfg.Complete()
+	if err := clientCfg.Complete(); err != nil {
 		s.writeToClient(fmt.Sprintf("failed to complete client config: %v", err))
 		return fmt.Errorf("complete client config error: %v", err)
 	}
 	if sshConn.Permissions != nil {
 		clientCfg.User = util.EmptyOr(sshConn.Permissions.Extensions["user"], clientCfg.User)
 	}
--- a/pkg/transport/tls.go
+++ b/pkg/transport/tls.go
@@ -22,6 +22,7 @@ import (
 	"encoding/pem"
 	"math/big"
 	"os"
 	"time"
 )
 func newCustomTLSKeyPair(certfile, keyfile string) (*tls.Certificate, error) {
@@ -32,12 +33,30 @@ func newCustomTLSKeyPair(certfile, keyfile string) (*tls.Certificate, error) {
 	return &tlsCert, nil
 }
-func newRandomTLSKeyPair() *tls.Certificate {
+func newRandomTLSKeyPair() (*tls.Certificate, error) {
 	key, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
-		panic(err)
+		return nil, err
 	}
-	template := x509.Certificate{SerialNumber: big.NewInt(1)}
+
 	// Generate a random positive serial number with 128 bits of entropy.
 	// RFC 5280 requires serial numbers to be positive integers (not zero).
 	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
 	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
 	if err != nil {
 		return nil, err
 	}
 	// Ensure serial number is positive (not zero)
 	if serialNumber.Sign() == 0 {
 		serialNumber = big.NewInt(1)
 	}
 	template := x509.Certificate{
 		SerialNumber: serialNumber,
 		NotBefore:    time.Now().Add(-1 * time.Hour),
 		NotAfter:     time.Now().Add(365 * 24 * time.Hour * 10),
 	}
 	certDER, err := x509.CreateCertificate(
 		rand.Reader,
 		&template,
@@ -45,16 +64,16 @@ func newRandomTLSKeyPair() *tls.Certificate {
 		&key.PublicKey,
 		key)
 	if err != nil {
-		panic(err)
+		return nil, err
 	}
 	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
 	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
 	tlsCert, err := tls.X509KeyPair(certPEM, keyPEM)
 	if err != nil {
-		panic(err)
+		return nil, err
 	}
-	return &tlsCert
+	return &tlsCert, nil
 }
 // Only support one ca file to add
@@ -76,7 +95,10 @@ func NewServerTLSConfig(certPath, keyPath, caPath string) (*tls.Config, error) {
 	if certPath == "" || keyPath == "" {
 		// server will generate tls conf by itself
-		cert := newRandomTLSKeyPair()
+		cert, err := newRandomTLSKeyPair()
 		if err != nil {
 			return nil, err
 		}
 		base.Certificates = []tls.Certificate{*cert}
 	} else {
 		cert, err := newCustomTLSKeyPair(certPath, keyPath)
--- a/pkg/util/metric/counter_test.go
+++ b/pkg/util/metric/counter_test.go
@@ -3,21 +3,21 @@ package metric
 import (
 	"testing"
-	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 func TestCounter(t *testing.T) {
-	assert := assert.New(t)
+	require := require.New(t)
 	c := NewCounter()
 	c.Inc(10)
-	assert.EqualValues(10, c.Count())
+	require.EqualValues(10, c.Count())
 	c.Dec(5)
-	assert.EqualValues(5, c.Count())
+	require.EqualValues(5, c.Count())
 	cTmp := c.Snapshot()
-	assert.EqualValues(5, cTmp.Count())
+	require.EqualValues(5, cTmp.Count())
 	c.Clear()
-	assert.EqualValues(0, c.Count())
+	require.EqualValues(0, c.Count())
 }
--- a/pkg/util/metric/date_counter_test.go
+++ b/pkg/util/metric/date_counter_test.go
@@ -3,25 +3,25 @@ package metric
 import (
 	"testing"
-	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 func TestDateCounter(t *testing.T) {
-	assert := assert.New(t)
+	require := require.New(t)
 	dc := NewDateCounter(3)
 	dc.Inc(10)
-	assert.EqualValues(10, dc.TodayCount())
+	require.EqualValues(10, dc.TodayCount())
 	dc.Dec(5)
-	assert.EqualValues(5, dc.TodayCount())
+	require.EqualValues(5, dc.TodayCount())
 	counts := dc.GetLastDaysCount(3)
-	assert.EqualValues(3, len(counts))
+	require.EqualValues(3, len(counts))
-	assert.EqualValues(5, counts[0])
+	require.EqualValues(5, counts[0])
-	assert.EqualValues(0, counts[1])
+	require.EqualValues(0, counts[1])
-	assert.EqualValues(0, counts[2])
+	require.EqualValues(0, counts[2])
 	dcTmp := dc.Snapshot()
-	assert.EqualValues(5, dcTmp.TodayCount())
+	require.EqualValues(5, dcTmp.TodayCount())
 }
--- a/pkg/util/net/conn.go
+++ b/pkg/util/net/conn.go
@@ -197,11 +197,11 @@ func (statsConn *StatsConn) Close() (err error) {
 }
 type wrapQuicStream struct {
-	quic.Stream
+	*quic.Stream
-	c quic.Connection
+	c *quic.Conn
 }
-func QuicStreamToNetConn(s quic.Stream, c quic.Connection) net.Conn {
+func QuicStreamToNetConn(s *quic.Stream, c *quic.Conn) net.Conn {
 	return &wrapQuicStream{
 		Stream: s,
 		c:      c,
@@ -223,7 +223,7 @@ func (conn *wrapQuicStream) RemoteAddr() net.Addr {
 }
 func (conn *wrapQuicStream) Close() error {
-	conn.Stream.CancelRead(0)
+	conn.CancelRead(0)
 	return conn.Stream.Close()
 }
--- a/pkg/util/net/proxyprotocol.go
+++ b/pkg/util/net/proxyprotocol.go
@@ -0,0 +1,45 @@
 // Copyright 2025 The frp Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package net
 import (
 	"bytes"
 	"fmt"
 	"net"
 	pp "github.com/pires/go-proxyproto"
 )
 func BuildProxyProtocolHeaderStruct(srcAddr, dstAddr net.Addr, version string) *pp.Header {
 	var versionByte byte
 	if version == "v1" {
 		versionByte = 1
 	} else {
 		versionByte = 2 // default to v2
 	}
 	return pp.HeaderProxyFromAddrs(versionByte, srcAddr, dstAddr)
 }
 func BuildProxyProtocolHeader(srcAddr, dstAddr net.Addr, version string) ([]byte, error) {
 	h := BuildProxyProtocolHeaderStruct(srcAddr, dstAddr, version)
 	// Convert header to bytes using a buffer
 	var buf bytes.Buffer
 	_, err := h.WriteTo(&buf)
 	if err != nil {
 		return nil, fmt.Errorf("failed to write proxy protocol header: %v", err)
 	}
 	return buf.Bytes(), nil
 }
--- a/pkg/util/net/proxyprotocol_test.go
+++ b/pkg/util/net/proxyprotocol_test.go
@@ -0,0 +1,178 @@
 package net
 import (
 	"net"
 	"testing"
 	pp "github.com/pires/go-proxyproto"
 	"github.com/stretchr/testify/require"
 )
 func TestBuildProxyProtocolHeader(t *testing.T) {
 	require := require.New(t)
 	tests := []struct {
 		name        string
 		srcAddr     net.Addr
 		dstAddr     net.Addr
 		version     string
 		expectError bool
 	}{
 		{
 			name:        "UDP IPv4 v2",
 			srcAddr:     &net.UDPAddr{IP: net.ParseIP("192.168.1.100"), Port: 12345},
 			dstAddr:     &net.UDPAddr{IP: net.ParseIP("10.0.0.1"), Port: 3306},
 			version:     "v2",
 			expectError: false,
 		},
 		{
 			name:        "TCP IPv4 v1",
 			srcAddr:     &net.TCPAddr{IP: net.ParseIP("192.168.1.100"), Port: 12345},
 			dstAddr:     &net.TCPAddr{IP: net.ParseIP("10.0.0.1"), Port: 80},
 			version:     "v1",
 			expectError: false,
 		},
 		{
 			name:        "UDP IPv6 v2",
 			srcAddr:     &net.UDPAddr{IP: net.ParseIP("2001:db8::1"), Port: 12345},
 			dstAddr:     &net.UDPAddr{IP: net.ParseIP("::1"), Port: 3306},
 			version:     "v2",
 			expectError: false,
 		},
 		{
 			name:        "TCP IPv6 v1",
 			srcAddr:     &net.TCPAddr{IP: net.ParseIP("::1"), Port: 12345},
 			dstAddr:     &net.TCPAddr{IP: net.ParseIP("2001:db8::1"), Port: 80},
 			version:     "v1",
 			expectError: false,
 		},
 		{
 			name:        "nil source address",
 			srcAddr:     nil,
 			dstAddr:     &net.UDPAddr{IP: net.ParseIP("10.0.0.1"), Port: 3306},
 			version:     "v2",
 			expectError: false,
 		},
 		{
 			name:        "nil destination address",
 			srcAddr:     &net.TCPAddr{IP: net.ParseIP("192.168.1.100"), Port: 12345},
 			dstAddr:     nil,
 			version:     "v2",
 			expectError: false,
 		},
 		{
 			name:        "unsupported address type",
 			srcAddr:     &net.UnixAddr{Name: "/tmp/test.sock", Net: "unix"},
 			dstAddr:     &net.UDPAddr{IP: net.ParseIP("10.0.0.1"), Port: 3306},
 			version:     "v2",
 			expectError: false,
 		},
 	}
 	for _, tt := range tests {
 		header, err := BuildProxyProtocolHeader(tt.srcAddr, tt.dstAddr, tt.version)
 		if tt.expectError {
 			require.Error(err, "test case: %s", tt.name)
 			continue
 		}
 		require.NoError(err, "test case: %s", tt.name)
 		require.NotEmpty(header, "test case: %s", tt.name)
 	}
 }
 func TestBuildProxyProtocolHeaderStruct(t *testing.T) {
 	require := require.New(t)
 	tests := []struct {
 		name               string
 		srcAddr            net.Addr
 		dstAddr            net.Addr
 		version            string
 		expectedProtocol   pp.AddressFamilyAndProtocol
 		expectedVersion    byte
 		expectedCommand    pp.ProtocolVersionAndCommand
 		expectedSourceAddr net.Addr
 		expectedDestAddr   net.Addr
 	}{
 		{
 			name:               "TCP IPv4 v2",
 			srcAddr:            &net.TCPAddr{IP: net.ParseIP("192.168.1.100"), Port: 12345},
 			dstAddr:            &net.TCPAddr{IP: net.ParseIP("10.0.0.1"), Port: 80},
 			version:            "v2",
 			expectedProtocol:   pp.TCPv4,
 			expectedVersion:    2,
 			expectedCommand:    pp.PROXY,
 			expectedSourceAddr: &net.TCPAddr{IP: net.ParseIP("192.168.1.100"), Port: 12345},
 			expectedDestAddr:   &net.TCPAddr{IP: net.ParseIP("10.0.0.1"), Port: 80},
 		},
 		{
 			name:               "UDP IPv6 v1",
 			srcAddr:            &net.UDPAddr{IP: net.ParseIP("2001:db8::1"), Port: 12345},
 			dstAddr:            &net.UDPAddr{IP: net.ParseIP("::1"), Port: 3306},
 			version:            "v1",
 			expectedProtocol:   pp.UDPv6,
 			expectedVersion:    1,
 			expectedCommand:    pp.PROXY,
 			expectedSourceAddr: &net.UDPAddr{IP: net.ParseIP("2001:db8::1"), Port: 12345},
 			expectedDestAddr:   &net.UDPAddr{IP: net.ParseIP("::1"), Port: 3306},
 		},
 		{
 			name:               "TCP IPv6 default version",
 			srcAddr:            &net.TCPAddr{IP: net.ParseIP("::1"), Port: 12345},
 			dstAddr:            &net.TCPAddr{IP: net.ParseIP("2001:db8::1"), Port: 80},
 			version:            "",
 			expectedProtocol:   pp.TCPv6,
 			expectedVersion:    2, // default to v2
 			expectedCommand:    pp.PROXY,
 			expectedSourceAddr: &net.TCPAddr{IP: net.ParseIP("::1"), Port: 12345},
 			expectedDestAddr:   &net.TCPAddr{IP: net.ParseIP("2001:db8::1"), Port: 80},
 		},
 		{
 			name:               "nil source address",
 			srcAddr:            nil,
 			dstAddr:            &net.UDPAddr{IP: net.ParseIP("10.0.0.1"), Port: 3306},
 			version:            "v2",
 			expectedProtocol:   pp.UNSPEC,
 			expectedVersion:    2,
 			expectedCommand:    pp.LOCAL,
 			expectedSourceAddr: nil, // go-proxyproto sets both to nil when srcAddr is nil
 			expectedDestAddr:   nil,
 		},
 		{
 			name:               "nil destination address",
 			srcAddr:            &net.TCPAddr{IP: net.ParseIP("192.168.1.100"), Port: 12345},
 			dstAddr:            nil,
 			version:            "v2",
 			expectedProtocol:   pp.UNSPEC,
 			expectedVersion:    2,
 			expectedCommand:    pp.LOCAL,
 			expectedSourceAddr: nil, // go-proxyproto sets both to nil when dstAddr is nil
 			expectedDestAddr:   nil,
 		},
 		{
 			name:               "unsupported address type",
 			srcAddr:            &net.UnixAddr{Name: "/tmp/test.sock", Net: "unix"},
 			dstAddr:            &net.UDPAddr{IP: net.ParseIP("10.0.0.1"), Port: 3306},
 			version:            "v2",
 			expectedProtocol:   pp.UNSPEC,
 			expectedVersion:    2,
 			expectedCommand:    pp.LOCAL,
 			expectedSourceAddr: nil, // go-proxyproto sets both to nil for unsupported types
 			expectedDestAddr:   nil,
 		},
 	}
 	for _, tt := range tests {
 		header := BuildProxyProtocolHeaderStruct(tt.srcAddr, tt.dstAddr, tt.version)
 		require.NotNil(header, "test case: %s", tt.name)
 		require.Equal(tt.expectedCommand, header.Command, "test case: %s", tt.name)
 		require.Equal(tt.expectedSourceAddr, header.SourceAddr, "test case: %s", tt.name)
 		require.Equal(tt.expectedDestAddr, header.DestinationAddr, "test case: %s", tt.name)
 		require.Equal(tt.expectedProtocol, header.TransportProtocol, "test case: %s", tt.name)
 		require.Equal(tt.expectedVersion, header.Version, "test case: %s", tt.name)
 	}
 }
--- a/pkg/util/util/util_test.go
+++ b/pkg/util/util/util_test.go
@@ -3,45 +3,41 @@ package util
 import (
 	"testing"
-	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 func TestRandId(t *testing.T) {
-	assert := assert.New(t)
+	require := require.New(t)
 	id, err := RandID()
-	assert.NoError(err)
+	require.NoError(err)
 	t.Log(id)
-	assert.Equal(16, len(id))
+	require.Equal(16, len(id))
 }
 func TestGetAuthKey(t *testing.T) {
-	assert := assert.New(t)
+	require := require.New(t)
 	key := GetAuthKey("1234", 1488720000)
-	assert.Equal("6df41a43725f0c770fd56379e12acf8c", key)
+	require.Equal("6df41a43725f0c770fd56379e12acf8c", key)
 }
 func TestParseRangeNumbers(t *testing.T) {
-	assert := assert.New(t)
+	require := require.New(t)
 	numbers, err := ParseRangeNumbers("2-5")
-	if assert.NoError(err) {
+	require.NoError(err)
-		assert.Equal([]int64{2, 3, 4, 5}, numbers)
+	require.Equal([]int64{2, 3, 4, 5}, numbers)
 	}
 	numbers, err = ParseRangeNumbers("1")
-	if assert.NoError(err) {
+	require.NoError(err)
-		assert.Equal([]int64{1}, numbers)
+	require.Equal([]int64{1}, numbers)
 	}
 	numbers, err = ParseRangeNumbers("3-5,8")
-	if assert.NoError(err) {
+	require.NoError(err)
-		assert.Equal([]int64{3, 4, 5, 8}, numbers)
+	require.Equal([]int64{3, 4, 5, 8}, numbers)
 	}
 	numbers, err = ParseRangeNumbers(" 3-5,8, 10-12 ")
-	if assert.NoError(err) {
+	require.NoError(err)
-		assert.Equal([]int64{3, 4, 5, 8, 10, 11, 12}, numbers)
+	require.Equal([]int64{3, 4, 5, 8, 10, 11, 12}, numbers)
 	}
 	_, err = ParseRangeNumbers("3-a")
-	assert.Error(err)
+	require.Error(err)
 }
--- a/pkg/util/version/version.go
+++ b/pkg/util/version/version.go
@@ -14,7 +14,7 @@
 package version
-var version = "0.62.0"
+var version = "0.65.0"
 func Full() string {
 	return version
--- a/pkg/util/vhost/http.go
+++ b/pkg/util/vhost/http.go
@@ -162,7 +162,7 @@ func (rp *HTTPReverseProxy) UnRegister(routeCfg RouteConfig) {
 func (rp *HTTPReverseProxy) GetRouteConfig(domain, location, routeByHTTPUser string) *RouteConfig {
 	vr, ok := rp.getVhost(domain, location, routeByHTTPUser)
 	if ok {
-		log.Debugf("get new HTTP request host [%s] path [%s] httpuser [%s]", domain, location, routeByHTTPUser)
+		log.Debugf("get new http request host [%s] path [%s] httpuser [%s]", domain, location, routeByHTTPUser)
 		return vr.payload.(*RouteConfig)
 	}
 	return nil
@@ -225,11 +225,7 @@ func (rp *HTTPReverseProxy) getVhost(domain, location, routeByHTTPUser string) (
 	// *.example.com
 	// *.com
 	domainSplit := strings.Split(domain, ".")
-	for {
+	for len(domainSplit) >= 3 {
 		if len(domainSplit) < 3 {
 			break
 		}
 		domainSplit[0] = "*"
 		domain = strings.Join(domainSplit, ".")
 		vr, ok = findRouter(domain, location, routeByHTTPUser)
--- a/pkg/util/vhost/vhost.go
+++ b/pkg/util/vhost/vhost.go
@@ -169,11 +169,7 @@ func (v *Muxer) getListener(name, path, httpUser string) (*Listener, bool) {
 	}
 	domainSplit := strings.Split(name, ".")
-	for {
+	for len(domainSplit) >= 3 {
 		if len(domainSplit) < 3 {
 			break
 		}
 		domainSplit[0] = "*"
 		name = strings.Join(domainSplit, ".")
@@ -275,7 +271,7 @@ func (l *Listener) Accept() (net.Conn, error) {
 	xl := xlog.FromContextSafe(l.ctx)
 	conn, ok := <-l.accept
 	if !ok {
-		return nil, fmt.Errorf("Listener closed")
+		return nil, fmt.Errorf("listener closed")
 	}
 	// if rewriteHost func is exist
--- a/pkg/util/xlog/log_writer.go
+++ b/pkg/util/xlog/log_writer.go
@@ -0,0 +1,65 @@
 // Copyright 2025 The frp Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package xlog
 import "strings"
 // LogWriter forwards writes to frp's logger at configurable level.
 // It is safe for concurrent use as long as the underlying Logger is thread-safe.
 type LogWriter struct {
 	xl      *Logger
 	logFunc func(string)
 }
 func (w LogWriter) Write(p []byte) (n int, err error) {
 	msg := strings.TrimSpace(string(p))
 	w.logFunc(msg)
 	return len(p), nil
 }
 func NewTraceWriter(xl *Logger) LogWriter {
 	return LogWriter{
 		xl:      xl,
 		logFunc: func(msg string) { xl.Tracef("%s", msg) },
 	}
 }
 func NewDebugWriter(xl *Logger) LogWriter {
 	return LogWriter{
 		xl:      xl,
 		logFunc: func(msg string) { xl.Debugf("%s", msg) },
 	}
 }
 func NewInfoWriter(xl *Logger) LogWriter {
 	return LogWriter{
 		xl:      xl,
 		logFunc: func(msg string) { xl.Infof("%s", msg) },
 	}
 }
 func NewWarnWriter(xl *Logger) LogWriter {
 	return LogWriter{
 		xl:      xl,
 		logFunc: func(msg string) { xl.Warnf("%s", msg) },
 	}
 }
 func NewErrorWriter(xl *Logger) LogWriter {
 	return LogWriter{
 		xl:      xl,
 		logFunc: func(msg string) { xl.Errorf("%s", msg) },
 	}
 }
--- a/pkg/virtual/client.go
+++ b/pkg/virtual/client.go
@@ -37,7 +37,9 @@ type Client struct {
 func NewClient(options ClientOptions) (*Client, error) {
 	if options.Common != nil {
-		options.Common.Complete()
+		if err := options.Common.Complete(); err != nil {
 			return nil, err
 		}
 	}
 	ln := netpkg.NewInternalListener()
--- a/pkg/vnet/controller.go
+++ b/pkg/vnet/controller.go
@@ -87,7 +87,7 @@ func (c *Controller) handlePacket(buf []byte) {
 	case waterutil.IsIPv4(buf):
 		header, err := ipv4.ParseHeader(buf)
 		if err != nil {
-			log.Warnf("parse ipv4 header error:", err)
+			log.Warnf("parse ipv4 header error: %v", err)
 			return
 		}
 		src = header.Src
@@ -98,7 +98,7 @@ func (c *Controller) handlePacket(buf []byte) {
 	case waterutil.IsIPv6(buf):
 		header, err := ipv6.ParseHeader(buf)
 		if err != nil {
-			log.Warnf("parse ipv6 header error:", err)
+			log.Warnf("parse ipv6 header error: %v", err)
 			return
 		}
 		src = header.Src
@@ -137,6 +137,12 @@ func (c *Controller) Stop() error {
 // Client connection read loop
 func (c *Controller) readLoopClient(ctx context.Context, conn io.ReadWriteCloser) {
 	xl := xlog.FromContextSafe(ctx)
 	defer func() {
 		// Remove the route when read loop ends (connection closed)
 		c.clientRouter.removeConnRoute(conn)
 		conn.Close()
 	}()
 	for {
 		data, err := ReadMessage(conn)
 		if err != nil {
@@ -181,8 +187,18 @@ func (c *Controller) readLoopClient(ctx context.Context, conn io.ReadWriteCloser
 }
 // Server connection read loop
-func (c *Controller) readLoopServer(ctx context.Context, conn io.ReadWriteCloser) {
+func (c *Controller) readLoopServer(ctx context.Context, conn io.ReadWriteCloser, onClose func()) {
 	xl := xlog.FromContextSafe(ctx)
 	defer func() {
 		// Clean up all IP mappings associated with this connection when it closes
 		c.serverRouter.cleanupConnIPs(conn)
 		// Call the provided callback upon closure
 		if onClose != nil {
 			onClose()
 		}
 		conn.Close()
 	}()
 	for {
 		data, err := ReadMessage(conn)
 		if err != nil {
@@ -220,27 +236,11 @@ func (c *Controller) readLoopServer(ctx context.Context, conn io.ReadWriteCloser
 	}
 }
-// RegisterClientRoute Register client route (based on destination IP CIDR)
+// RegisterClientRoute registers a client route (based on destination IP CIDR)
-func (c *Controller) RegisterClientRoute(ctx context.Context, name string, routes []net.IPNet, conn io.ReadWriteCloser) error {
+// and starts the read loop
-	if err := c.clientRouter.addRoute(name, routes, conn); err != nil {
+func (c *Controller) RegisterClientRoute(ctx context.Context, name string, routes []net.IPNet, conn io.ReadWriteCloser) {
-		return err
+	c.clientRouter.addRoute(name, routes, conn)
 	}
 	go c.readLoopClient(ctx, conn)
 	return nil
 }
 // RegisterServerConn Register server connection (dynamically associates with source IPs)
 func (c *Controller) RegisterServerConn(ctx context.Context, name string, conn io.ReadWriteCloser) error {
 	if err := c.serverRouter.addConn(name, conn); err != nil {
 		return err
 	}
 	go c.readLoopServer(ctx, conn)
 	return nil
 }
 // UnregisterServerConn Remove server connection from routing table
 func (c *Controller) UnregisterServerConn(name string) {
 	c.serverRouter.delConn(name)
 }
 // UnregisterClientRoute Remove client route from routing table
@@ -248,6 +248,12 @@ func (c *Controller) UnregisterClientRoute(name string) {
 	c.clientRouter.delRoute(name)
 }
 // StartServerConnReadLoop starts the read loop for a server connection
 // (dynamically associates with source IPs)
 func (c *Controller) StartServerConnReadLoop(ctx context.Context, conn io.ReadWriteCloser, onClose func()) {
 	go c.readLoopServer(ctx, conn, onClose)
 }
 // ParseRoutes Convert route strings to IPNet objects
 func ParseRoutes(routeStrings []string) ([]net.IPNet, error) {
 	routes := make([]net.IPNet, 0, len(routeStrings))
@@ -273,7 +279,7 @@ func newClientRouter() *clientRouter {
 	}
 }
-func (r *clientRouter) addRoute(name string, routes []net.IPNet, conn io.ReadWriteCloser) error {
+func (r *clientRouter) addRoute(name string, routes []net.IPNet, conn io.ReadWriteCloser) {
 	r.mu.Lock()
 	defer r.mu.Unlock()
 	r.routes[name] = &routeElement{
@@ -281,7 +287,6 @@ func (r *clientRouter) addRoute(name string, routes []net.IPNet, conn io.ReadWri
 		routes: routes,
 		conn:   conn,
 	}
 	return nil
 }
 func (r *clientRouter) findConn(dst net.IP) (io.Writer, error) {
@@ -303,32 +308,29 @@ func (r *clientRouter) delRoute(name string) {
 	delete(r.routes, name)
 }
-// Server router (based on source IP routing)
+func (r *clientRouter) removeConnRoute(conn io.Writer) {
 	r.mu.Lock()
 	defer r.mu.Unlock()
 	for name, re := range r.routes {
 		if re.conn == conn {
 			delete(r.routes, name)
 			return
 		}
 	}
 }
 // Server router (based solely on source IP routing)
 type serverRouter struct {
-	namedConns map[string]io.ReadWriteCloser // Name to connection mapping
+	srcIPConns map[string]io.Writer // Source IP string to connection mapping
 	srcIPConns map[string]io.Writer          // Source IP string to connection mapping
 	mu         sync.RWMutex
 }
 func newServerRouter() *serverRouter {
 	return &serverRouter{
 		namedConns: make(map[string]io.ReadWriteCloser),
 		srcIPConns: make(map[string]io.Writer),
 	}
 }
 func (r *serverRouter) addConn(name string, conn io.ReadWriteCloser) error {
 	r.mu.Lock()
 	original, ok := r.namedConns[name]
 	r.namedConns[name] = conn
 	r.mu.Unlock()
 	if ok {
 		// Close the original connection if it exists
 		_ = original.Close()
 	}
 	return nil
 }
 func (r *serverRouter) findConnBySrc(src net.IP) (io.Writer, error) {
 	r.mu.RLock()
 	defer r.mu.RUnlock()
@@ -340,17 +342,41 @@ func (r *serverRouter) findConnBySrc(src net.IP) (io.Writer, error) {
 }
 func (r *serverRouter) registerSrcIP(src net.IP, conn io.Writer) {
 	key := src.String()
 	r.mu.RLock()
 	existingConn, ok := r.srcIPConns[key]
 	r.mu.RUnlock()
 	// If the entry exists and the connection is the same, no need to do anything.
 	if ok && existingConn == conn {
 		return
 	}
 	// Acquire write lock to update the map.
 	r.mu.Lock()
 	defer r.mu.Unlock()
-	r.srcIPConns[src.String()] = conn
+
 	// Double-check after acquiring the write lock to handle potential race conditions.
 	existingConn, ok = r.srcIPConns[key]
 	if ok && existingConn == conn {
 		return
 	}
 	r.srcIPConns[key] = conn
 }
-func (r *serverRouter) delConn(name string) {
+// cleanupConnIPs removes all IP mappings associated with the specified connection
 func (r *serverRouter) cleanupConnIPs(conn io.Writer) {
 	r.mu.Lock()
 	defer r.mu.Unlock()
-	delete(r.namedConns, name)
+
-	// Note: We don't delete mappings from srcIPConns because we don't know which source IPs are associated with this connection
+	// Find and delete all IP mappings pointing to this connection
-	// This might cause dangling references, but they will be overwritten on new connections or restart
+	for ip, mappedConn := range r.srcIPConns {
 		if mappedConn == conn {
 			delete(r.srcIPConns, ip)
 		}
 	}
 }
 type routeElement struct {
--- a/pkg/vnet/message.go
+++ b/pkg/vnet/message.go
@@ -33,7 +33,7 @@ func ReadMessage(r io.Reader) ([]byte, error) {
 	var length uint32
 	err := binary.Read(r, binary.LittleEndian, &length)
 	if err != nil {
-		return nil, fmt.Errorf("read message length error: %v", err)
+		return nil, fmt.Errorf("read message length error: %w", err)
 	}
 	// Check length to prevent DoS
@@ -48,7 +48,7 @@ func ReadMessage(r io.Reader) ([]byte, error) {
 	data := make([]byte, length)
 	_, err = io.ReadFull(r, data)
 	if err != nil {
-		return nil, fmt.Errorf("read message data error: %v", err)
+		return nil, fmt.Errorf("read message data error: %w", err)
 	}
 	return data, nil
@@ -68,13 +68,13 @@ func WriteMessage(w io.Writer, data []byte) error {
 	// Write length
 	err := binary.Write(w, binary.LittleEndian, length)
 	if err != nil {
-		return fmt.Errorf("write message length error: %v", err)
+		return fmt.Errorf("write message length error: %w", err)
 	}
 	// Write message data
 	_, err = w.Write(data)
 	if err != nil {
-		return fmt.Errorf("write message data error: %v", err)
+		return fmt.Errorf("write message data error: %w", err)
 	}
 	return nil
--- a/pkg/vnet/tun.go
+++ b/pkg/vnet/tun.go
@@ -23,7 +23,8 @@ import (
 )
 const (
-	offset = 16
+	offset            = 16
 	defaultPacketSize = 1420
 )
 type TunDevice interface {
@@ -35,20 +36,45 @@ func OpenTun(ctx context.Context, addr string) (TunDevice, error) {
 	if err != nil {
 		return nil, err
 	}
-	return &tunDeviceWrapper{dev: td}, nil
+
 	mtu, err := td.MTU()
 	if err != nil {
 		mtu = defaultPacketSize
 	}
 	bufferSize := max(mtu, defaultPacketSize)
 	batchSize := td.BatchSize()
 	device := &tunDeviceWrapper{
 		dev:         td,
 		bufferSize:  bufferSize,
 		readBuffers: make([][]byte, batchSize),
 		sizeBuffer:  make([]int, batchSize),
 	}
 	for i := range device.readBuffers {
 		device.readBuffers[i] = make([]byte, offset+bufferSize)
 	}
 	return device, nil
 }
 type tunDeviceWrapper struct {
-	dev tun.Device
+	dev           tun.Device
 	bufferSize    int
 	readBuffers   [][]byte
 	packetBuffers [][]byte
 	sizeBuffer    []int
 }
 func (d *tunDeviceWrapper) Read(p []byte) (int, error) {
-	buf := pool.GetBuf(len(p) + offset)
+	if len(d.packetBuffers) > 0 {
-	defer pool.PutBuf(buf)
+		n := copy(p, d.packetBuffers[0])
 		d.packetBuffers = d.packetBuffers[1:]
 		return n, nil
 	}
-	sz := make([]int, 1)
+	n, err := d.dev.Read(d.readBuffers, d.sizeBuffer, offset)
 	n, err := d.dev.Read([][]byte{buf}, sz, offset)
 	if err != nil {
 		return 0, err
 	}
@@ -56,20 +82,26 @@ func (d *tunDeviceWrapper) Read(p []byte) (int, error) {
 		return 0, io.EOF
 	}
-	dataSize := sz[0]
+	for i := range n {
-	if dataSize > len(p) {
+		if d.sizeBuffer[i] <= 0 {
-		dataSize = len(p)
+			continue
 		}
 		d.packetBuffers = append(d.packetBuffers, d.readBuffers[i][offset:offset+d.sizeBuffer[i]])
 	}
-	copy(p, buf[offset:offset+dataSize])
+
 	dataSize := copy(p, d.packetBuffers[0])
 	d.packetBuffers = d.packetBuffers[1:]
 	return dataSize, nil
 }
 func (d *tunDeviceWrapper) Write(p []byte) (int, error) {
-	buf := pool.GetBuf(len(p) + offset)
+	buf := pool.GetBuf(offset + d.bufferSize)
 	defer pool.PutBuf(buf)
-	copy(buf[offset:], p)
+	n := copy(buf[offset:], p)
-	return d.dev.Write([][]byte{buf}, offset)
+	_, err := d.dev.Write([][]byte{buf[:offset+n]}, offset)
 	return n, err
 }
 func (d *tunDeviceWrapper) Close() error {
--- a/pkg/vnet/tun_linux.go
+++ b/pkg/vnet/tun_linux.go
@@ -16,35 +16,44 @@ package vnet
 import (
 	"context"
 	"crypto/sha256"
 	"encoding/hex"
 	"fmt"
 	"net"
 	"strconv"
 	"strings"
 	"github.com/vishvananda/netlink"
 	"golang.zx2c4.com/wireguard/tun"
 )
 const (
-	defaultTunName = "utun"
+	baseTunName = "utun"
-	defaultMTU     = 1420
+	defaultMTU  = 1420
 )
 func openTun(_ context.Context, addr string) (tun.Device, error) {
-	dev, err := tun.CreateTUN(defaultTunName, defaultMTU)
+	name, err := findNextTunName(baseTunName)
 	if err != nil {
 		name = getFallbackTunName(baseTunName, addr)
 	}
 	tunDevice, err := tun.CreateTUN(name, defaultMTU)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create TUN device '%s': %w", name, err)
 	}
 	actualName, err := tunDevice.Name()
 	if err != nil {
 		return nil, err
 	}
-	name, err := dev.Name()
+	ifn, err := net.InterfaceByName(actualName)
 	if err != nil {
 		return nil, err
 	}
-	ifn, err := net.InterfaceByName(name)
+	link, err := netlink.LinkByName(actualName)
 	if err != nil {
 		return nil, err
 	}
 	link, err := netlink.LinkByName(name)
 	if err != nil {
 		return nil, err
 	}
@@ -69,7 +78,34 @@ func openTun(_ context.Context, addr string) (tun.Device, error) {
 	if err = addRoutes(ifn, cidr); err != nil {
 		return nil, err
 	}
-	return dev, nil
+	return tunDevice, nil
 }
 func findNextTunName(basename string) (string, error) {
 	interfaces, err := net.Interfaces()
 	if err != nil {
 		return "", fmt.Errorf("failed to get network interfaces: %w", err)
 	}
 	maxSuffix := -1
 	for _, iface := range interfaces {
 		name := iface.Name
 		if strings.HasPrefix(name, basename) {
 			suffix := name[len(basename):]
 			if suffix == "" {
 				continue
 			}
 			numSuffix, err := strconv.Atoi(suffix)
 			if err == nil && numSuffix > maxSuffix {
 				maxSuffix = numSuffix
 			}
 		}
 	}
 	nextSuffix := maxSuffix + 1
 	name := fmt.Sprintf("%s%d", basename, nextSuffix)
 	return name, nil
 }
 func addRoutes(ifn *net.Interface, cidr *net.IPNet) error {
@@ -82,3 +118,14 @@ func addRoutes(ifn *net.Interface, cidr *net.IPNet) error {
 	}
 	return nil
 }
 // getFallbackTunName generates a deterministic fallback TUN device name
 // based on the base name and the provided address string using a hash.
 func getFallbackTunName(baseName, addr string) string {
 	hasher := sha256.New()
 	hasher.Write([]byte(addr))
 	hashBytes := hasher.Sum(nil)
 	// Use first 4 bytes -> 8 hex chars for brevity, respecting IFNAMSIZ limit.
 	shortHash := hex.EncodeToString(hashBytes[:4])
 	return fmt.Sprintf("%s%s", baseName, shortHash)
 }
--- a/server/control.go
+++ b/server/control.go
@@ -224,7 +224,7 @@ func (ctl *Control) Close() error {
 func (ctl *Control) Replaced(newCtl *Control) {
 	xl := ctl.xl
-	xl.Infof("Replaced by client [%s]", newCtl.runID)
+	xl.Infof("replaced by client [%s]", newCtl.runID)
 	ctl.runID = ""
 	ctl.conn.Close()
 }
--- a/server/dashboard_api.go
+++ b/server/dashboard_api.go
@@ -97,14 +97,14 @@ func (svr *Service) healthz(w http.ResponseWriter, _ *http.Request) {
 func (svr *Service) apiServerInfo(w http.ResponseWriter, r *http.Request) {
 	res := GeneralResponse{Code: 200}
 	defer func() {
-		log.Infof("Http response [%s]: code [%d]", r.URL.Path, res.Code)
+		log.Infof("http response [%s]: code [%d]", r.URL.Path, res.Code)
 		w.WriteHeader(res.Code)
 		if len(res.Msg) > 0 {
 			_, _ = w.Write([]byte(res.Msg))
 		}
 	}()
-	log.Infof("Http request: [%s]", r.URL.Path)
+	log.Infof("http request: [%s]", r.URL.Path)
 	serverStats := mem.StatsCollector.GetServer()
 	svrResp := serverInfoResp{
 		Version:               version.Full(),
@@ -218,13 +218,13 @@ func (svr *Service) apiProxyByType(w http.ResponseWriter, r *http.Request) {
 	proxyType := params["type"]
 	defer func() {
-		log.Infof("Http response [%s]: code [%d]", r.URL.Path, res.Code)
+		log.Infof("http response [%s]: code [%d]", r.URL.Path, res.Code)
 		w.WriteHeader(res.Code)
 		if len(res.Msg) > 0 {
 			_, _ = w.Write([]byte(res.Msg))
 		}
 	}()
-	log.Infof("Http request: [%s]", r.URL.Path)
+	log.Infof("http request: [%s]", r.URL.Path)
 	proxyInfoResp := GetProxyInfoResp{}
 	proxyInfoResp.Proxies = svr.getProxyStatsByType(proxyType)
@@ -290,13 +290,13 @@ func (svr *Service) apiProxyByTypeAndName(w http.ResponseWriter, r *http.Request
 	name := params["name"]
 	defer func() {
-		log.Infof("Http response [%s]: code [%d]", r.URL.Path, res.Code)
+		log.Infof("http response [%s]: code [%d]", r.URL.Path, res.Code)
 		w.WriteHeader(res.Code)
 		if len(res.Msg) > 0 {
 			_, _ = w.Write([]byte(res.Msg))
 		}
 	}()
-	log.Infof("Http request: [%s]", r.URL.Path)
+	log.Infof("http request: [%s]", r.URL.Path)
 	var proxyStatsResp GetProxyStatsResp
 	proxyStatsResp, res.Code, res.Msg = svr.getProxyStatsByTypeAndName(proxyType, name)
@@ -358,13 +358,13 @@ func (svr *Service) apiProxyTraffic(w http.ResponseWriter, r *http.Request) {
 	name := params["name"]
 	defer func() {
-		log.Infof("Http response [%s]: code [%d]", r.URL.Path, res.Code)
+		log.Infof("http response [%s]: code [%d]", r.URL.Path, res.Code)
 		w.WriteHeader(res.Code)
 		if len(res.Msg) > 0 {
 			_, _ = w.Write([]byte(res.Msg))
 		}
 	}()
-	log.Infof("Http request: [%s]", r.URL.Path)
+	log.Infof("http request: [%s]", r.URL.Path)
 	trafficResp := GetProxyTrafficResp{}
 	trafficResp.Name = name
@@ -386,9 +386,9 @@ func (svr *Service) apiProxyTraffic(w http.ResponseWriter, r *http.Request) {
 func (svr *Service) deleteProxies(w http.ResponseWriter, r *http.Request) {
 	res := GeneralResponse{Code: 200}
-	log.Infof("Http request: [%s]", r.URL.Path)
+	log.Infof("http request: [%s]", r.URL.Path)
 	defer func() {
-		log.Infof("Http response [%s]: code [%d]", r.URL.Path, res.Code)
+		log.Infof("http response [%s]: code [%d]", r.URL.Path, res.Code)
 		w.WriteHeader(res.Code)
 		if len(res.Msg) > 0 {
 			_, _ = w.Write([]byte(res.Msg))
--- a/server/service.go
+++ b/server/service.go
@@ -19,7 +19,6 @@ import (
 	"context"
 	"crypto/tls"
 	"fmt"
 	"io"
 	"net"
 	"net/http"
 	"os"
@@ -262,7 +261,7 @@ func NewService(cfg *v1.ServerConfig) (*Service, error) {
 	}
 	if cfg.SSHTunnelGateway.BindPort > 0 {
-		sshGateway, err := ssh.NewGateway(cfg.SSHTunnelGateway, cfg.ProxyBindAddr, svr.sshTunnelListener)
+		sshGateway, err := ssh.NewGateway(cfg.SSHTunnelGateway, cfg.BindAddr, svr.sshTunnelListener)
 		if err != nil {
 			return nil, fmt.Errorf("create ssh gateway error: %v", err)
 		}
@@ -427,7 +426,7 @@ func (svr *Service) handleConnection(ctx context.Context, conn net.Conn, interna
 	_ = conn.SetReadDeadline(time.Now().Add(connReadTimeout))
 	if rawMsg, err = msg.ReadMsg(conn); err != nil {
-		log.Tracef("Failed to read message: %v", err)
+		log.Tracef("failed to read message: %v", err)
 		conn.Close()
 		return
 	}
@@ -475,7 +474,7 @@ func (svr *Service) handleConnection(ctx context.Context, conn net.Conn, interna
 			})
 		}
 	default:
-		log.Warnf("Error message type for the new connection [%s]", conn.RemoteAddr().String())
+		log.Warnf("error message type for the new connection [%s]", conn.RemoteAddr().String())
 		conn.Close()
 	}
 }
@@ -488,7 +487,7 @@ func (svr *Service) HandleListener(l net.Listener, internal bool) {
 	for {
 		c, err := l.Accept()
 		if err != nil {
-			log.Warnf("Listener for incoming connections from client closed")
+			log.Warnf("listener for incoming connections from client closed")
 			return
 		}
 		// inject xlog object into net.Conn context
@@ -504,7 +503,7 @@ func (svr *Service) HandleListener(l net.Listener, internal bool) {
 			var isTLS, custom bool
 			c, isTLS, custom, err = netpkg.CheckAndEnableTLSServerConnWithTimeout(c, svr.tlsConfig, forceTLS, connReadTimeout)
 			if err != nil {
-				log.Warnf("CheckAndEnableTLSServerConnWithTimeout error: %v", err)
+				log.Warnf("checkAndEnableTLSServerConnWithTimeout error: %v", err)
 				originConn.Close()
 				continue
 			}
@@ -516,11 +515,12 @@ func (svr *Service) HandleListener(l net.Listener, internal bool) {
 			if lo.FromPtr(svr.cfg.Transport.TCPMux) && !internal {
 				fmuxCfg := fmux.DefaultConfig()
 				fmuxCfg.KeepAliveInterval = time.Duration(svr.cfg.Transport.TCPMuxKeepaliveInterval) * time.Second
-				fmuxCfg.LogOutput = io.Discard
+				// Use trace level for yamux logs
 				fmuxCfg.LogOutput = xlog.NewTraceWriter(xlog.FromContextSafe(ctx))
 				fmuxCfg.MaxStreamWindowSize = 6 * 1024 * 1024
 				session, err := fmux.Server(frpConn, fmuxCfg)
 				if err != nil {
-					log.Warnf("Failed to create mux connection: %v", err)
+					log.Warnf("failed to create mux connection: %v", err)
 					frpConn.Close()
 					return
 				}
@@ -528,7 +528,7 @@ func (svr *Service) HandleListener(l net.Listener, internal bool) {
 				for {
 					stream, err := session.AcceptStream()
 					if err != nil {
-						log.Debugf("Accept new mux stream error: %v", err)
+						log.Debugf("accept new mux stream error: %v", err)
 						session.Close()
 						return
 					}
@@ -546,15 +546,15 @@ func (svr *Service) HandleQUICListener(l *quic.Listener) {
 	for {
 		c, err := l.Accept(context.Background())
 		if err != nil {
-			log.Warnf("QUICListener for incoming connections from client closed")
+			log.Warnf("quic listener for incoming connections from client closed")
 			return
 		}
 		// Start a new goroutine to handle connection.
-		go func(ctx context.Context, frpConn quic.Connection) {
+		go func(ctx context.Context, frpConn *quic.Conn) {
 			for {
 				stream, err := frpConn.AcceptStream(context.Background())
 				if err != nil {
-					log.Debugf("Accept new quic mux stream error: %v", err)
+					log.Debugf("accept new quic mux stream error: %v", err)
 					_ = frpConn.CloseWithError(0, "")
 					return
 				}
@@ -620,7 +620,7 @@ func (svr *Service) RegisterWorkConn(workConn net.Conn, newMsg *msg.NewWorkConn)
 	xl := netpkg.NewLogFromConn(workConn)
 	ctl, exist := svr.ctlManager.GetByID(newMsg.RunID)
 	if !exist {
-		xl.Warnf("No client control found for run id [%s]", newMsg.RunID)
+		xl.Warnf("no client control found for run id [%s]", newMsg.RunID)
 		return fmt.Errorf("no client control found for run id [%s]", newMsg.RunID)
 	}
 	// server plugin hook
--- a/test/e2e/e2e.go
+++ b/test/e2e/e2e.go
@@ -38,7 +38,7 @@ func RunE2ETests(t *testing.T) {
 	// Randomize specs as well as suites
 	suiteConfig.RandomizeAllSpecs = true
-	log.Infof("Starting e2e run %q on Ginkgo node %d of total %d",
+	log.Infof("starting e2e run %q on Ginkgo node %d of total %d",
 		framework.RunID, suiteConfig.ParallelProcess, suiteConfig.ParallelTotal)
 	ginkgo.RunSpecs(t, "frp e2e suite", suiteConfig, reporterConfig)
 }
--- a/test/e2e/framework/request.go
+++ b/test/e2e/framework/request.go
@@ -20,7 +20,7 @@ func ExpectResponseCode(code int) EnsureFunc {
 		if resp.Code == code {
 			return true
 		}
-		flog.Warnf("Expect code %d, but got %d", code, resp.Code)
+		flog.Warnf("expect code %d, but got %d", code, resp.Code)
 		return false
 	}
 }
@@ -111,14 +111,14 @@ func (e *RequestExpect) Ensure(fns ...EnsureFunc) {
 	if len(fns) == 0 {
 		if !bytes.Equal(e.expectResp, ret.Content) {
-			flog.Tracef("Response info: %+v", ret)
+			flog.Tracef("response info: %+v", ret)
 		}
 		ExpectEqualValuesWithOffset(1, string(ret.Content), string(e.expectResp), e.explain...)
 	} else {
 		for _, fn := range fns {
 			ok := fn(ret)
 			if !ok {
-				flog.Tracef("Response info: %+v", ret)
+				flog.Tracef("response info: %+v", ret)
 			}
 			ExpectTrueWithOffset(1, ok, e.explain...)
 		}
--- a/test/e2e/legacy/basic/client_server.go
+++ b/test/e2e/legacy/basic/client_server.go
@@ -24,12 +24,14 @@ type generalTestConfigures struct {
 }
 func renderBindPortConfig(protocol string) string {
-	if protocol == "kcp" {
+	switch protocol {
 	case "kcp":
 		return fmt.Sprintf(`kcp_bind_port = {{ .%s }}`, consts.PortServerName)
-	} else if protocol == "quic" {
+	case "quic":
 		return fmt.Sprintf(`quic_bind_port = {{ .%s }}`, consts.PortServerName)
 	default:
 		return ""
 	}
 	return ""
 }
 func runClientServerTest(f *framework.Framework, configures *generalTestConfigures) {
--- a/test/e2e/legacy/features/real_ip.go
+++ b/test/e2e/legacy/features/real_ip.go
@@ -93,7 +93,7 @@ var _ = ginkgo.Describe("[Feature: Real IP]", func() {
 			f.RunProcesses([]string{serverConf}, []string{clientConf})
 			framework.NewRequestExpect(f).Port(remotePort).Ensure(func(resp *request.Response) bool {
-				log.Tracef("ProxyProtocol get SourceAddr: %s", string(resp.Content))
+				log.Tracef("proxy protocol get SourceAddr: %s", string(resp.Content))
 				addr, err := net.ResolveTCPAddr("tcp", string(resp.Content))
 				if err != nil {
 					return false
@@ -142,7 +142,7 @@ var _ = ginkgo.Describe("[Feature: Real IP]", func() {
 				r.HTTP().HTTPHost("normal.example.com")
 			}).Ensure(framework.ExpectResponseCode(404))
-			log.Tracef("ProxyProtocol get SourceAddr: %s", srcAddrRecord)
+			log.Tracef("proxy protocol get SourceAddr: %s", srcAddrRecord)
 			addr, err := net.ResolveTCPAddr("tcp", srcAddrRecord)
 			framework.ExpectNoError(err, srcAddrRecord)
 			framework.ExpectEqualValues("127.0.0.1", addr.IP.String())
--- a/test/e2e/legacy/plugin/server.go
+++ b/test/e2e/legacy/plugin/server.go
@@ -223,7 +223,7 @@ var _ = ginkgo.Describe("[Feature: Server-Plugins]", func() {
 			handler := func(req *plugin.Request) *plugin.Response {
 				var ret plugin.Response
 				content := req.Content.(*plugin.PingContent)
-				record = content.Ping.PrivilegeKey
+				record = content.PrivilegeKey
 				ret.Unchange = true
 				return &ret
 			}
@@ -273,7 +273,7 @@ var _ = ginkgo.Describe("[Feature: Server-Plugins]", func() {
 			handler := func(req *plugin.Request) *plugin.Response {
 				var ret plugin.Response
 				content := req.Content.(*plugin.NewWorkConnContent)
-				record = content.NewWorkConn.RunID
+				record = content.RunID
 				ret.Unchange = true
 				return &ret
 			}
--- a/test/e2e/v1/basic/client_server.go
+++ b/test/e2e/v1/basic/client_server.go
@@ -24,12 +24,14 @@ type generalTestConfigures struct {
 }
 func renderBindPortConfig(protocol string) string {
-	if protocol == "kcp" {
+	switch protocol {
 	case "kcp":
 		return fmt.Sprintf(`kcpBindPort = {{ .%s }}`, consts.PortServerName)
-	} else if protocol == "quic" {
+	case "quic":
 		return fmt.Sprintf(`quicBindPort = {{ .%s }}`, consts.PortServerName)
 	default:
 		return ""
 	}
 	return ""
 }
 func runClientServerTest(f *framework.Framework, configures *generalTestConfigures) {
--- a/test/e2e/v1/basic/token_source.go
+++ b/test/e2e/v1/basic/token_source.go
@@ -0,0 +1,217 @@
 // Copyright 2025 The frp Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package basic
 import (
 	"fmt"
 	"os"
 	"path/filepath"
 	"github.com/onsi/ginkgo/v2"
 	"github.com/fatedier/frp/test/e2e/framework"
 	"github.com/fatedier/frp/test/e2e/framework/consts"
 	"github.com/fatedier/frp/test/e2e/pkg/port"
 )
 var _ = ginkgo.Describe("[Feature: TokenSource]", func() {
 	f := framework.NewDefaultFramework()
 	ginkgo.Describe("File-based token loading", func() {
 		ginkgo.It("should work with file tokenSource", func() {
 			// Create a temporary token file
 			tmpDir := f.TempDirectory
 			tokenFile := filepath.Join(tmpDir, "test_token")
 			tokenContent := "test-token-123"
 			err := os.WriteFile(tokenFile, []byte(tokenContent), 0o600)
 			framework.ExpectNoError(err)
 			serverConf := consts.DefaultServerConfig
 			clientConf := consts.DefaultClientConfig
 			portName := port.GenName("TCP")
 			// Server config with tokenSource
 			serverConf += fmt.Sprintf(`
 auth.tokenSource.type = "file"
 auth.tokenSource.file.path = "%s"
 `, tokenFile)
 			// Client config with matching token
 			clientConf += fmt.Sprintf(`
 auth.token = "%s"
 [[proxies]]
 name = "tcp"
 type = "tcp"
 localPort = {{ .%s }}
 remotePort = {{ .%s }}
 `, tokenContent, framework.TCPEchoServerPort, portName)
 			f.RunProcesses([]string{serverConf}, []string{clientConf})
 			framework.NewRequestExpect(f).PortName(portName).Ensure()
 		})
 		ginkgo.It("should work with client tokenSource", func() {
 			// Create a temporary token file
 			tmpDir := f.TempDirectory
 			tokenFile := filepath.Join(tmpDir, "client_token")
 			tokenContent := "client-token-456"
 			err := os.WriteFile(tokenFile, []byte(tokenContent), 0o600)
 			framework.ExpectNoError(err)
 			serverConf := consts.DefaultServerConfig
 			clientConf := consts.DefaultClientConfig
 			portName := port.GenName("TCP")
 			// Server config with matching token
 			serverConf += fmt.Sprintf(`
 auth.token = "%s"
 `, tokenContent)
 			// Client config with tokenSource
 			clientConf += fmt.Sprintf(`
 auth.tokenSource.type = "file"
 auth.tokenSource.file.path = "%s"
 [[proxies]]
 name = "tcp"
 type = "tcp"
 localPort = {{ .%s }}
 remotePort = {{ .%s }}
 `, tokenFile, framework.TCPEchoServerPort, portName)
 			f.RunProcesses([]string{serverConf}, []string{clientConf})
 			framework.NewRequestExpect(f).PortName(portName).Ensure()
 		})
 		ginkgo.It("should work with both server and client tokenSource", func() {
 			// Create temporary token files
 			tmpDir := f.TempDirectory
 			serverTokenFile := filepath.Join(tmpDir, "server_token")
 			clientTokenFile := filepath.Join(tmpDir, "client_token")
 			tokenContent := "shared-token-789"
 			err := os.WriteFile(serverTokenFile, []byte(tokenContent), 0o600)
 			framework.ExpectNoError(err)
 			err = os.WriteFile(clientTokenFile, []byte(tokenContent), 0o600)
 			framework.ExpectNoError(err)
 			serverConf := consts.DefaultServerConfig
 			clientConf := consts.DefaultClientConfig
 			portName := port.GenName("TCP")
 			// Server config with tokenSource
 			serverConf += fmt.Sprintf(`
 auth.tokenSource.type = "file"
 auth.tokenSource.file.path = "%s"
 `, serverTokenFile)
 			// Client config with tokenSource
 			clientConf += fmt.Sprintf(`
 auth.tokenSource.type = "file"
 auth.tokenSource.file.path = "%s"
 [[proxies]]
 name = "tcp"
 type = "tcp"
 localPort = {{ .%s }}
 remotePort = {{ .%s }}
 `, clientTokenFile, framework.TCPEchoServerPort, portName)
 			f.RunProcesses([]string{serverConf}, []string{clientConf})
 			framework.NewRequestExpect(f).PortName(portName).Ensure()
 		})
 		ginkgo.It("should fail with mismatched tokens", func() {
 			// Create temporary token files with different content
 			tmpDir := f.TempDirectory
 			serverTokenFile := filepath.Join(tmpDir, "server_token")
 			clientTokenFile := filepath.Join(tmpDir, "client_token")
 			err := os.WriteFile(serverTokenFile, []byte("server-token"), 0o600)
 			framework.ExpectNoError(err)
 			err = os.WriteFile(clientTokenFile, []byte("client-token"), 0o600)
 			framework.ExpectNoError(err)
 			serverConf := consts.DefaultServerConfig
 			clientConf := consts.DefaultClientConfig
 			portName := port.GenName("TCP")
 			// Server config with tokenSource
 			serverConf += fmt.Sprintf(`
 auth.tokenSource.type = "file"
 auth.tokenSource.file.path = "%s"
 `, serverTokenFile)
 			// Client config with different tokenSource
 			clientConf += fmt.Sprintf(`
 auth.tokenSource.type = "file"
 auth.tokenSource.file.path = "%s"
 [[proxies]]
 name = "tcp"
 type = "tcp"
 localPort = {{ .%s }}
 remotePort = {{ .%s }}
 `, clientTokenFile, framework.TCPEchoServerPort, portName)
 			f.RunProcesses([]string{serverConf}, []string{clientConf})
 			// This should fail due to token mismatch - the client should not be able to connect
 			// We expect the request to fail because the proxy tunnel is not established
 			framework.NewRequestExpect(f).PortName(portName).ExpectError(true).Ensure()
 		})
 		ginkgo.It("should fail with non-existent token file", func() {
 			// This test verifies that server fails to start when tokenSource points to non-existent file
 			// We'll verify this by checking that the configuration loading itself fails
 			// Create a config that references a non-existent file
 			tmpDir := f.TempDirectory
 			nonExistentFile := filepath.Join(tmpDir, "non_existent_token")
 			serverConf := consts.DefaultServerConfig
 			// Server config with non-existent tokenSource file
 			serverConf += fmt.Sprintf(`
 auth.tokenSource.type = "file"
 auth.tokenSource.file.path = "%s"
 `, nonExistentFile)
 			// The test expectation is that this will fail during the RunProcesses call
 			// because the server cannot load the configuration due to missing token file
 			defer func() {
 				if r := recover(); r != nil {
 					// Expected: server should fail to start due to missing file
 					ginkgo.By(fmt.Sprintf("Server correctly failed to start: %v", r))
 				}
 			}()
 			// This should cause a panic or error during server startup
 			f.RunProcesses([]string{serverConf}, []string{})
 		})
 	})
 })
--- a/test/e2e/v1/features/real_ip.go
+++ b/test/e2e/v1/features/real_ip.go
@@ -215,7 +215,7 @@ var _ = ginkgo.Describe("[Feature: Real IP]", func() {
 			f.RunProcesses([]string{serverConf}, []string{clientConf})
 			framework.NewRequestExpect(f).Port(remotePort).Ensure(func(resp *request.Response) bool {
-				log.Tracef("ProxyProtocol get SourceAddr: %s", string(resp.Content))
+				log.Tracef("proxy protocol get SourceAddr: %s", string(resp.Content))
 				addr, err := net.ResolveTCPAddr("tcp", string(resp.Content))
 				if err != nil {
 					return false
@@ -227,6 +227,56 @@ var _ = ginkgo.Describe("[Feature: Real IP]", func() {
 			})
 		})
 		ginkgo.It("UDP", func() {
 			serverConf := consts.DefaultServerConfig
 			clientConf := consts.DefaultClientConfig
 			localPort := f.AllocPort()
 			localServer := streamserver.New(streamserver.UDP, streamserver.WithBindPort(localPort),
 				streamserver.WithCustomHandler(func(c net.Conn) {
 					defer c.Close()
 					rd := bufio.NewReader(c)
 					ppHeader, err := pp.Read(rd)
 					if err != nil {
 						log.Errorf("read proxy protocol error: %v", err)
 						return
 					}
 					// Read the actual UDP content after proxy protocol header
 					if _, err := rpc.ReadBytes(rd); err != nil {
 						return
 					}
 					buf := []byte(ppHeader.SourceAddr.String())
 					_, _ = rpc.WriteBytes(c, buf)
 				}))
 			f.RunServer("", localServer)
 			remotePort := f.AllocPort()
 			clientConf += fmt.Sprintf(`
 			[[proxies]]
 			name = "udp"
 			type = "udp"
 			localPort = %d
 			remotePort = %d
 			transport.proxyProtocolVersion = "v2"
 			`, localPort, remotePort)
 			f.RunProcesses([]string{serverConf}, []string{clientConf})
 			framework.NewRequestExpect(f).Protocol("udp").Port(remotePort).Ensure(func(resp *request.Response) bool {
 				log.Tracef("udp proxy protocol get SourceAddr: %s", string(resp.Content))
 				addr, err := net.ResolveUDPAddr("udp", string(resp.Content))
 				if err != nil {
 					return false
 				}
 				if addr.IP.String() != "127.0.0.1" {
 					return false
 				}
 				return true
 			})
 		})
 		ginkgo.It("HTTP", func() {
 			vhostHTTPPort := f.AllocPort()
 			serverConf := consts.DefaultServerConfig + fmt.Sprintf(`
@@ -265,7 +315,7 @@ var _ = ginkgo.Describe("[Feature: Real IP]", func() {
 				r.HTTP().HTTPHost("normal.example.com")
 			}).Ensure(framework.ExpectResponseCode(404))
-			log.Tracef("ProxyProtocol get SourceAddr: %s", srcAddrRecord)
+			log.Tracef("proxy protocol get SourceAddr: %s", srcAddrRecord)
 			addr, err := net.ResolveTCPAddr("tcp", srcAddrRecord)
 			framework.ExpectNoError(err, srcAddrRecord)
 			framework.ExpectEqualValues("127.0.0.1", addr.IP.String())
--- a/test/e2e/v1/plugin/server.go
+++ b/test/e2e/v1/plugin/server.go
@@ -232,7 +232,7 @@ var _ = ginkgo.Describe("[Feature: Server-Plugins]", func() {
 			handler := func(req *plugin.Request) *plugin.Response {
 				var ret plugin.Response
 				content := req.Content.(*plugin.PingContent)
-				record = content.Ping.PrivilegeKey
+				record = content.PrivilegeKey
 				ret.Unchange = true
 				return &ret
 			}
@@ -284,7 +284,7 @@ var _ = ginkgo.Describe("[Feature: Server-Plugins]", func() {
 			handler := func(req *plugin.Request) *plugin.Response {
 				var ret plugin.Response
 				content := req.Content.(*plugin.NewWorkConnContent)
-				record = content.NewWorkConn.RunID
+				record = content.RunID
 				ret.Unchange = true
 				return &ret
 			}
Author	SHA1	Message	Date
fatedier	2f5e1f7945	Merge pull request #4999 from fatedier/dev bump version	2025-09-25 20:23:42 +08:00
fatedier	b5e90c03a1	bump version to v0.65.0 and update release notes (#4998 )	2025-09-25 20:11:17 +08:00
fatedier	b642a6323c	update sponsors info (#4997 )	2025-09-25 16:50:14 +08:00
juejinyuxitu	6561107945	chore: fix struct field name in comment (#4993 ) Signed-off-by: juejinyuxitu <juejinyuxitu@outlook.com>	2025-09-25 16:47:33 +08:00
fatedier	abf4942e8a	auth: enhance OIDC client with TLS and proxy configuration options (#4990 )	2025-09-25 10:19:19 +08:00
Charlie Blevins	7cfa546b55	add proxy name label to the proxy_count prometheus metric (#4985 ) * add proxy name label to the proxy_count metric * undo label addition in favor of a new metric - this change should not break existing queries * also register this new metric * add type label to proxy_counts_detailed * Update pkg/metrics/prometheus/server.go Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>	2025-09-23 00:18:49 +08:00
fatedier	0a798a7a69	update go version to 1.24 (#4960 )	2025-08-27 15:10:36 +08:00
fatedier	604700cea5	update README (#4957 )	2025-08-27 11:07:18 +08:00
fatedier	610e5ed479	improve yamux logging (#4952 )	2025-08-25 17:52:58 +08:00
fatedier	80d3f332e1	xtcp: add configuration to disable assisted addresses in NAT traversal (#4951 )	2025-08-25 15:52:52 +08:00
immomo808	14253afe2f	remove quotes (#4938 )	2025-08-15 16:11:06 +08:00
fatedier	024c334d9d	Merge pull request #4928 from fatedier/xtcp improve context and polling logic in xtcp visitor	2025-08-12 01:48:26 +08:00
fatedier	22ae8166d3	Merge pull request #4925 from fatedier/dev bump version	2025-08-10 23:26:32 +08:00
fatedier	f795950742	bump version to v0.64.0 (#4924 )	2025-08-10 23:11:50 +08:00
fatedier	024e4f5f1d	improve random TLS certificate generation (#4923 )	2025-08-10 22:59:28 +08:00
fatedier	dc3bc9182c	update sponsor info (#4917 )	2025-08-08 22:28:17 +08:00
fatedier	e6dacf3a67	Fix SSH tunnel gateway binding address issue #4900 (#4902 ) - Fix SSH tunnel gateway incorrectly binding to proxyBindAddr instead of bindAddr - This caused external connections to fail when proxyBindAddr was set to 127.0.0.1 - SSH tunnel gateway now correctly binds to bindAddr for external accessibility - Update Release.md with bug fix description Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>	2025-07-28 15:19:56 +08:00
fatedier	7fe295f4f4	update golangci-lint version (#4897 )	2025-07-25 17:10:32 +08:00
maguowei	c3bf952d8f	fix webserver port not being released on frpc svr.Close() (#4896 )	2025-07-24 10:16:44 +08:00
fatedier	f9065a6a78	add tokenSource support for auth configuration (#4865 )	2025-07-03 13:17:21 +08:00
fatedier	61330d4d79	Update quic-go dependency from v0.48.2 to v0.53.0 (#4862 ) - Update go.mod to use github.com/quic-go/quic-go v0.53.0 - Replace quic.Connection interface with quic.Conn struct - Replace quic.Stream interface with quic.Stream struct - Update all affected files to use new API: - pkg/util/net/conn.go: Update QuicStreamToNetConn function and wrapQuicStream struct - server/service.go: Update HandleQUICListener function parameter - client/visitor/xtcp.go: Update QUICTunnelSession struct field - client/connector.go: Update defaultConnectorImpl struct field Fixes #4852 Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>	2025-07-01 18:56:46 +08:00
fatedier	af6bc6369d	Merge pull request #4849 from fatedier/dev bump version	2025-06-25 11:51:19 +08:00
fatedier	c777891f75	update .golangci.yml (#4848 )	2025-06-25 11:40:23 +08:00
fatedier	43cf1688e4	update golangci-lint version (#4817 )	2025-06-25 11:40:23 +08:00
fatedier	720c09c06b	update test package (#4814 )	2025-06-25 11:40:23 +08:00
fatedier	3fa76b72f3	add proxy protocol support for UDP proxies (#4810 )	2025-06-25 11:40:23 +08:00
fatedier	8eb525a648	feat: support YAML merge in strict configuration mode (#4809 )	2025-06-25 11:40:23 +08:00
scientificworld	077ba80ba3	fix: type error in server_plugin doc (#4799 )	2025-06-25 11:40:23 +08:00
CrynTox	c99986fa28	build: add x64 openbsd (#4780 ) Co-authored-by: CrynTox <>	2025-06-25 11:40:23 +08:00
fatedier	b41d8f8e40	update release notes (#4772 )	2025-04-27 15:46:22 +08:00
fatedier	3c8d648ddc	vnet: fix issues (#4771 )	2025-04-27 15:46:22 +08:00
fatedier	27f66baf54	update feature gates doc (#4755 )	2025-04-27 15:46:22 +08:00