// Use when generating a new sing-box configuration file from scratch, when asked to create a sing-box client or server config, when setting up a TUN-based proxy client with DNS/route rules, or when generating a clashtui sing-box template with ${} placeholders.
| name | generating-sing-box-configs |
| description | Use when generating a new sing-box configuration file from scratch, when asked to create a sing-box client or server config, when setting up a TUN-based proxy client with DNS/route rules, or when generating a clashtui sing-box template with ${} placeholders. |
Generate complete, valid sing-box configs tailored to the user's needs. Always ask 4 mandatory questions before generating anything. Verify with sing-box check. Reference community examples and official docs when available.
Before generating ANY config, ask ALL 4 questions at once:
Do NOT generate anything until all 4 are answered. If the user is unsure, explain the tradeoffs.
Ask: "ๆฏๅฆ้่ฆ็ๆ clashtui ็ sing-box ๆจกๆฟ้ ็ฝฎ?"
Clashtui templates use ${PPG.<group>} and ${PGG.<name>} placeholders for dynamic outbound expansion. If yes, follow the clashtui template section below.
If unsure about clashtui, see the clashtui project source for reference templates (e.g. src/functions/file/template/testdata/singbox_common_tpl.json).
auto_route: true, strict_route: true for automatic routingdomain_resolver on outbounds for transparent resolutionstore_fakeip: truedomain_resolver with strategy set per-outbound to avoid extra resolution hopssystem on Linux/Windows, gvisor on Androidsniff enabled with caching via sniff_override_destination: falseindependent_cache if on older version (auto in 1.14+)action: reject for bittorrent protocolsniff_override_destination: true for strict domain-based routing{
"log": { "level": "info", "timestamp": true },
"dns": {
"servers": [
{ "tag": "dns-remote", "type": "tls", "server": "8.8.8.8", "detour": "proxy" },
{ "tag": "dns-direct", "type": "https", "server": "dns.alidns.com", "detour": "direct", "domain_resolver": "dns-local" },
{ "tag": "dns-local", "type": "local" },
{ "tag": "dns-fake", "type": "fakeip", "inet4_range": "198.18.0.0/15" }
],
"rules": [
{ "rule_set": "geosite-cn", "server": "dns-direct" },
{ "query_type": ["A", "AAAA"], "server": "dns-fake" },
{ "server": "dns-direct" }
],
"strategy": "prefer_ipv4"
},
"inbounds": [
{ "type": "mixed", "tag": "mixed-in", "listen": "127.0.0.1", "listen_port": 7890 },
{ "type": "tun", "tag": "tun-in", "address": ["172.19.0.1/30"],
"mtu": 9000, "auto_route": true, "strict_route": true,
"auto_redirect": true, "stack": "system" }
],
"outbounds": [
{ "type": "selector", "tag": "proxy", "outbounds": ["auto", "node1"],
"default": "auto" },
{ "type": "urltest", "tag": "auto", "outbounds": ["node1"],
"url": "https://www.gstatic.com/generate_204", "interval": "5m", "tolerance": 50 },
{ "type": "direct", "tag": "direct" }
],
"route": {
"rule_set": [
{ "type": "remote", "tag": "geoip-cn", "format": "binary",
"url": "https://github.com/SagerNet/sing-geoip/raw/rule-set/geoip-cn.srs",
"download_detour": "direct", "update_interval": "7d" },
{ "type": "remote", "tag": "geosite-cn", "format": "binary",
"url": "https://github.com/SagerNet/sing-geosite/raw/rule-set/geosite-geolocation-cn.srs",
"download_detour": "direct", "update_interval": "7d" }
],
"rules": [
{ "action": "sniff" },
{ "protocol": "dns", "action": "hijack-dns" },
{ "rule_set": "geosite-cn", "outbound": "direct" },
{ "rule_set": "geoip-cn", "outbound": "direct" },
{ "ip_is_private": true, "outbound": "direct" },
{ "protocol": "bittorrent", "outbound": "direct" }
],
"default_domain_resolver": "dns-direct",
"auto_detect_interface": true,
"final": "proxy"
},
"experimental": {
"clash_api": { "external_controller": "127.0.0.1:9090", "external_ui": "dashboard", "secret": "", "default_mode": "Rule" },
"cache_file": { "enabled": true, "path": "cache.db", "store_fakeip": true }
}
}
Server configs are minimalist โ just one protocol inbound + direct outbound:
{
"log": { "level": "info" },
"inbounds": [{
"type": "hysteria2", "tag": "hysteria-in",
"listen": "::", "listen_port": 443,
"up_mbps": 100, "down_mbps": 100,
"tls": { "enabled": true, "server_name": "example.com",
"acme": { "domain": ["example.com"], "email": "admin@example.com" } },
"users": [{ "password": "your-password" }]
}],
"outbounds": [{ "type": "direct", "tag": "direct" }]
}
Note: For 1.14+, tls.acme โ tls.certificate_provider (see migrating-sing-box-configs skill).
Common server protocols from community examples at https://github.com/SagerNet/sing-box-examples:
Shadowsocks, Trojan, VMess, VLESS (Vision+REALITY, gRPC, HTTP2), Hysteria2, TUIC, ShadowTLS, Naive.
| Strategy | Use case | Config pattern |
|---|---|---|
| Real DNS only | Privacy focus, no FakeIP complexity | Remote + direct DNS servers, geosite rules for split |
| FakeIP | PC client, zero DNS leak | Add fakeip server, rule: A/AAAAโfakeip |
| Redirect (legacy) | Old Android clients | address_resolver on remote servers |
| Local DNS only | Server side | type: local, or none if not needed |
DNS server types (1.12+): local, udp, tcp, tls, https, quic, h3, dhcp, fakeip, hosts.
| Stack | Platform | Notes |
|---|---|---|
system | Linux, Windows | Best performance, native TUN |
gvisor | Android, cross-platform | Pure Go userspace stack, more compatible |
mixed | Windows | system TCP + gVisor UDP, good Windows default |
TUN addresses: ["172.19.0.1/30"] (IPv4 only), ["172.19.0.1/30", "fdfe:dcba:9876::1/126"] (dual-stack).
After generating, ensure syntax matches the target version. Key differences:
certificate_providers[], store_dns not store_rdrc, remove independent_cache, DNS rules use evaluate+match_response for GeoIP in DNStype+server, domain_resolver not domain_strategy, default_domain_resolver in routeaction: "sniff"/"hijack-dns"/"reject" instead of legacy inbound fields and special outboundsaddress merged array (not inet4_address/inet6_address)rule_set not geoip/geosite in route rulesREQUIRED SUB-SKILL: Use migrating-sing-box-configs skill for detailed migration steps if the version doesn't match.
When the user wants a clashtui template, use ${...} placeholders for dynamic outbound expansion:
| Placeholder | Meaning |
|---|---|
${PPG.<group>} | All proxy-provider names in a group |
${PGG.<name>} | All generated proxy-group tags matching <name> |
expand_group_with: ["${PPG.<group>}"] | Expand one outbound copy per provider in the group |
Template pattern โ place these in outbounds:
{ "type": "selector", "tag": "Entry", "outbounds": ["${PGG.Auto}", "${PPG.pvd}"], "default": "Auto-pvd" },
{ "type": "urltest", "tag": "Auto", "expand_group_with": ["${PPG.pvd}"],
"url": "https://www.gstatic.com/generate_204", "interval": "5m", "tolerance": 50 }
Reference full template from the clashtui project source code (e.g. src/functions/file/template/testdata/singbox_common_tpl.json)
Templates go in sing-box/templates/, proxy-providers in sing-box/template_proxy_providers.
After writing the config, run:
sing-box check -c /path/to/config.json
If sing-box binary is not found, ask the user to provide the path or install it. Never skip verification.
If check fails:
Ask the user for:
https://github.com/SagerNet/sing-box)https://sing-box.sagernet.org โ use WebFetch for current docshttps://github.com/SagerNet/sing-box-examples for reference configsNever guess config field names. Look them up in:
https://sing-box.sagernet.org/configuration/https://github.com/SagerNet/sing-box-examplesdomain_strategy, sniff on inbound, address with URI prefixes in DNS, geoip/geosite in route โ all deprecated in recent versions.default_domain_resolver in 1.12+ configs with TUN.gvisor for Android, system for Linux/Windows.domain_resolver on remote DNS servers. DoH servers need domain_resolver pointing to a bootstrap DNS server for initial resolution.experimental.cache_file.enabled: true when using rule_set or clash_api.sing-box check after writing โ the config is unverified