diff --git a/frontend/src/lib/xray/inbound-form-adapter.ts b/frontend/src/lib/xray/inbound-form-adapter.ts
index 3488111f..07b3c75a 100644
--- a/frontend/src/lib/xray/inbound-form-adapter.ts
+++ b/frontend/src/lib/xray/inbound-form-adapter.ts
@@ -10,6 +10,7 @@ import {
 import type { StreamSettings } from '@/schemas/api/inbound';
 import type { Sniffing } from '@/schemas/primitives';
 import type { z } from 'zod';
+import { normalizeStreamSettingsForWire } from '@/lib/xray/stream-wire-normalize';
 
 // Plain-data adapter between the panel's stored inbound row shape and
 // the typed InboundFormValues that Form.useForm<T> carries inside
@@ -279,10 +280,13 @@ export function formValuesToWirePayload(values: InboundFormValues): WireInboundP
   if (Array.isArray(settingsPruned.clients)) {
     settingsPruned.clients = normalizeClients(values.protocol, settingsPruned.clients);
   }
-  const streamPruned = values.streamSettings
+  let streamPruned = values.streamSettings
     ? ((pruneEmpty(values.streamSettings) ?? {}) as Record<string, unknown>)
     : undefined;
-  if (streamPruned) stripTlsCertUseFile(streamPruned);
+  if (streamPruned) {
+    streamPruned = normalizeStreamSettingsForWire(streamPruned, { side: 'inbound' });
+    stripTlsCertUseFile(streamPruned);
+  }
   dropLegacyOptionalEmpties(settingsPruned, streamPruned);
   const payload: WireInboundPayload = {
     up: values.up,
diff --git a/frontend/src/lib/xray/outbound-form-adapter.ts b/frontend/src/lib/xray/outbound-form-adapter.ts
index cfee7284..4caf2d52 100644
--- a/frontend/src/lib/xray/outbound-form-adapter.ts
+++ b/frontend/src/lib/xray/outbound-form-adapter.ts
@@ -1,4 +1,5 @@
 import { XHttpXmuxSchema } from '@/schemas/protocols/stream/xhttp';
+import { normalizeStreamSettingsForWire } from '@/lib/xray/stream-wire-normalize';
 import { Wireguard } from '@/utils';
 
 import type {
@@ -519,8 +520,8 @@ function freedomToWire(s: FreedomOutboundFormSettings) {
     userLevel: s.userLevel || undefined,
     proxyProtocol: s.proxyProtocol || undefined,
     fragment: fragmentEnabled ? Object.fromEntries(fragmentEntries) : undefined,
-    noises: s.noises.length > 0 ? s.noises : undefined,
-    finalRules: s.finalRules.length > 0
+    noises: s.noises && s.noises.length > 0 ? s.noises : undefined,
+    finalRules: s.finalRules && s.finalRules.length > 0
       ? s.finalRules.map((r) => ({
           action: r.action,
           network: r.network || undefined,
@@ -588,7 +589,7 @@ function stripUiOnlyStreamFields(stream: unknown): Raw {
     if (!xmuxEnabled) delete cleaned.xmux;
     next.xhttpSettings = dropEmptyStrings(cleaned);
   }
-  return next;
+  return normalizeStreamSettingsForWire(next, { side: 'outbound' }) as Raw;
 }
 
 function muxAllowed(values: OutboundFormValues): boolean {
diff --git a/frontend/src/lib/xray/stream-wire-normalize.ts b/frontend/src/lib/xray/stream-wire-normalize.ts
new file mode 100644
index 00000000..f18b47af
--- /dev/null
+++ b/frontend/src/lib/xray/stream-wire-normalize.ts
@@ -0,0 +1,225 @@
+// Shapes the streamSettings subtree that 3x-ui persists to match what
+// xray-core actually consumes. The panel's Zod defaults mirror the full
+// SplitHTTPConfig / SockoptObject schema, but many fields are mode-specific
+// (packet-up vs stream-one) or side-specific (inbound vs outbound). Emitting
+// them anyway bloats configs and — for sockopt — can inject doc-example
+// values like tcpWindowClamp: 600 that throttle throughput.
+
+export type StreamWireSide = 'inbound' | 'outbound';
+
+const PACKET_UP_FIELDS = [
+  'scMaxEachPostBytes',
+  'scMinPostsIntervalMs',
+  'scMaxBufferedPosts',
+] as const;
+
+const STREAM_UP_SERVER_FIELDS = ['scStreamUpServerSecs'] as const;
+
+const PLACEMENT_STRING_FIELDS = [
+  'sessionPlacement',
+  'sessionKey',
+  'seqPlacement',
+  'seqKey',
+  'uplinkDataPlacement',
+  'uplinkDataKey',
+  'uplinkHTTPMethod',
+  'xPaddingKey',
+  'xPaddingHeader',
+  'xPaddingPlacement',
+  'xPaddingMethod',
+] as const;
+
+function isRecord(v: unknown): v is Record<string, unknown> {
+  return v != null && typeof v === 'object' && !Array.isArray(v);
+}
+
+function nonEmptyString(v: unknown): v is string {
+  return typeof v === 'string' && v.trim() !== '';
+}
+
+function hasMeaningfulHeaders(headers: unknown): boolean {
+  return isRecord(headers) && Object.keys(headers).length > 0;
+}
+
+/** Validates REALITY inbound `target` / `dest` (must include a port). */
+export function validateRealityTarget(target: string): string | undefined {
+  const trimmed = target.trim();
+  if (!trimmed) {
+    return 'pages.inbounds.form.realityTargetRequired';
+  }
+
+  // Unix socket destinations (rare, but valid in xray-core).
+  if (trimmed.startsWith('/') || trimmed.startsWith('@')) {
+    return undefined;
+  }
+
+  // Pure port → localhost:port in xray-core.
+  if (/^\d+$/.test(trimmed)) {
+    const port = Number(trimmed);
+    if (port >= 1 && port <= 65535) return undefined;
+    return 'pages.inbounds.form.realityTargetInvalidPort';
+  }
+
+  const lastColon = trimmed.lastIndexOf(':');
+  if (lastColon <= 0 || lastColon === trimmed.length - 1) {
+    return 'pages.inbounds.form.realityTargetNeedsPort';
+  }
+
+  const portPart = trimmed.slice(lastColon + 1);
+  if (!/^\d+$/.test(portPart)) {
+    return 'pages.inbounds.form.realityTargetInvalidPort';
+  }
+  const port = Number(portPart);
+  if (port < 1 || port > 65535) {
+    return 'pages.inbounds.form.realityTargetInvalidPort';
+  }
+  return undefined;
+}
+
+function dropEmptyStrings(obj: Record<string, unknown>, keys: readonly string[]): void {
+  for (const key of keys) {
+    const v = obj[key];
+    if (v === '' || v == null) delete obj[key];
+  }
+}
+
+function dropFalseFlags(obj: Record<string, unknown>, keys: readonly string[]): void {
+  for (const key of keys) {
+    if (obj[key] === false) delete obj[key];
+  }
+}
+
+function dropZeroNumbers(obj: Record<string, unknown>, keys: readonly string[]): void {
+  for (const key of keys) {
+    if (obj[key] === 0) delete obj[key];
+  }
+}
+
+export function normalizeXhttpForWire(
+  raw: Record<string, unknown>,
+  side: StreamWireSide,
+): Record<string, unknown> {
+  const out: Record<string, unknown> = { ...raw };
+  const mode = typeof out.mode === 'string' && out.mode !== '' ? out.mode : 'auto';
+
+  delete out.enableXmux;
+
+  if (side === 'inbound') {
+    delete out.xmux;
+    delete out.scMinPostsIntervalMs;
+    delete out.uplinkChunkSize;
+  }
+
+  dropEmptyStrings(out, PLACEMENT_STRING_FIELDS);
+
+  if (!hasMeaningfulHeaders(out.headers)) {
+    delete out.headers;
+  }
+
+  if (out.xPaddingObfsMode !== true) {
+    delete out.xPaddingObfsMode;
+    dropEmptyStrings(out, [
+      'xPaddingKey',
+      'xPaddingHeader',
+      'xPaddingPlacement',
+      'xPaddingMethod',
+    ]);
+  }
+
+  if (out.noGRPCHeader !== true) delete out.noGRPCHeader;
+  if (out.noSSEHeader !== true) delete out.noSSEHeader;
+  if (out.serverMaxHeaderBytes === 0) delete out.serverMaxHeaderBytes;
+  if (out.uplinkChunkSize === 0) delete out.uplinkChunkSize;
+
+  if (mode === 'stream-one') {
+    for (const key of PACKET_UP_FIELDS) delete out[key];
+    for (const key of STREAM_UP_SERVER_FIELDS) delete out[key];
+  } else if (mode === 'stream-up') {
+    for (const key of PACKET_UP_FIELDS) delete out[key];
+    if (side === 'outbound') {
+      delete out.scStreamUpServerSecs;
+    }
+  } else if (mode === 'packet-up') {
+    delete out.scStreamUpServerSecs;
+  }
+
+  return out;
+}
+
+export function normalizeSockoptForWire(
+  raw: Record<string, unknown>,
+): Record<string, unknown> | undefined {
+  const out: Record<string, unknown> = { ...raw };
+
+  dropZeroNumbers(out, [
+    'tcpWindowClamp',
+    'tcpMaxSeg',
+    'tcpUserTimeout',
+    'tcpKeepAliveIdle',
+    'tcpKeepAliveInterval',
+    'mark',
+  ]);
+
+  dropFalseFlags(out, [
+    'acceptProxyProtocol',
+    'tcpFastOpen',
+    'tcpMptcp',
+    'penetrate',
+    'V6Only',
+  ]);
+
+  if (out.tproxy === 'off') delete out.tproxy;
+  if (out.domainStrategy === 'AsIs') delete out.domainStrategy;
+  if (out.addressPortStrategy === 'none') delete out.addressPortStrategy;
+  if (nonEmptyString(out.dialerProxy) === false) delete out.dialerProxy;
+  if (nonEmptyString(out.interface) === false) delete out.interface;
+  if (Array.isArray(out.trustedXForwardedFor) && out.trustedXForwardedFor.length === 0) {
+    delete out.trustedXForwardedFor;
+  }
+  if (Array.isArray(out.customSockopt) && out.customSockopt.length === 0) {
+    delete out.customSockopt;
+  }
+
+  const he = out.happyEyeballs;
+  if (isRecord(he)) {
+    const heOut: Record<string, unknown> = { ...he };
+    if (heOut.tryDelayMs === 0) delete heOut.tryDelayMs;
+    if (heOut.prioritizeIPv6 === false) delete heOut.prioritizeIPv6;
+    if (heOut.interleave === 1) delete heOut.interleave;
+    if (heOut.maxConcurrentTry === 4) delete heOut.maxConcurrentTry;
+    if (Object.keys(heOut).length === 0) {
+      delete out.happyEyeballs;
+    } else {
+      out.happyEyeballs = heOut;
+    }
+  }
+
+  if (nonEmptyString(out.tcpcongestion) === false) delete out.tcpcongestion;
+
+  if (Object.keys(out).length === 0) return undefined;
+  return out;
+}
+
+export function normalizeStreamSettingsForWire(
+  stream: Record<string, unknown>,
+  opts: { side: StreamWireSide },
+): Record<string, unknown> {
+  const out: Record<string, unknown> = { ...stream };
+
+  const xhttp = out.xhttpSettings;
+  if (isRecord(xhttp)) {
+    out.xhttpSettings = normalizeXhttpForWire(xhttp, opts.side);
+  }
+
+  const sockopt = out.sockopt;
+  if (isRecord(sockopt)) {
+    const normalized = normalizeSockoptForWire(sockopt);
+    if (normalized) {
+      out.sockopt = normalized;
+    } else {
+      delete out.sockopt;
+    }
+  }
+
+  return out;
+}
diff --git a/frontend/src/pages/inbounds/form/security/reality.tsx b/frontend/src/pages/inbounds/form/security/reality.tsx
index fa33cdf3..fd500622 100644
--- a/frontend/src/pages/inbounds/form/security/reality.tsx
+++ b/frontend/src/pages/inbounds/form/security/reality.tsx
@@ -3,6 +3,7 @@ import { Button, Form, Input, InputNumber, Select, Space, Switch } from 'antd';
 import { ReloadOutlined } from '@ant-design/icons';
 
 import { UTLS_FINGERPRINT } from '@/schemas/primitives';
+import { validateRealityTarget } from '@/lib/xray/stream-wire-normalize';
 
 interface RealityFormProps {
   saving: boolean;
@@ -44,10 +45,24 @@ export default function RealityForm({
           options={Object.values(UTLS_FINGERPRINT).map((fp) => ({ value: fp, label: fp }))}
         />
       </Form.Item>
-      <Form.Item label={t('pages.inbounds.form.target')}>
+      <Form.Item
+        label={t('pages.inbounds.form.target')}
+        extra={t('pages.inbounds.form.realityTargetHint')}
+      >
         <Space.Compact block>
-          <Form.Item name={['streamSettings', 'realitySettings', 'target']} noStyle>
-            <Input style={{ width: 'calc(100% - 32px)' }} />
+          <Form.Item
+            name={['streamSettings', 'realitySettings', 'target']}
+            noStyle
+            rules={[
+              {
+                validator: async (_, value) => {
+                  const errKey = validateRealityTarget(typeof value === 'string' ? value : '');
+                  if (errKey) throw new Error(t(errKey));
+                },
+              },
+            ]}
+          >
+            <Input style={{ width: 'calc(100% - 32px)' }} placeholder="example.com:443" />
           </Form.Item>
           <Button icon={<ReloadOutlined />} onClick={randomizeRealityTarget} />
         </Space.Compact>
diff --git a/frontend/src/pages/inbounds/form/transport/sockopt.tsx b/frontend/src/pages/inbounds/form/transport/sockopt.tsx
index 7adca1f3..dcff60cc 100644
--- a/frontend/src/pages/inbounds/form/transport/sockopt.tsx
+++ b/frontend/src/pages/inbounds/form/transport/sockopt.tsx
@@ -60,6 +60,7 @@ export default function SockoptForm({
                 <Form.Item
                   name={['streamSettings', 'sockopt', 'tcpWindowClamp']}
                   label={t('pages.inbounds.form.tcpWindowClamp')}
+                  tooltip={t('pages.inbounds.form.tcpWindowClampHint')}
                 >
                   <InputNumber min={0} />
                 </Form.Item>
diff --git a/frontend/src/pages/xray/basics/BasicsTab.tsx b/frontend/src/pages/xray/basics/BasicsTab.tsx
index d630abfd..c0038017 100644
--- a/frontend/src/pages/xray/basics/BasicsTab.tsx
+++ b/frontend/src/pages/xray/basics/BasicsTab.tsx
@@ -10,6 +10,7 @@ import {
 } from '@ant-design/icons';
 
 import { OutboundDomainStrategies } from '@/schemas/primitives';
+import { HappyEyeballsSchema } from '@/schemas/protocols/stream/sockopt';
 import { SettingListItem } from '@/components/ui';
 import { useMediaQuery } from '@/hooks/useMediaQuery';
 import { catTabLabel } from '@/pages/settings/catTabLabel';
@@ -84,6 +85,49 @@ export default function BasicsTab({
       | { domainStrategy?: string }
       | undefined)?.domainStrategy ?? 'AsIs';
 
+  const directFreedomOutbound = templateSettings?.outbounds?.find(
+    (o) => o?.protocol === 'freedom' && o?.tag === 'direct',
+  );
+  const directHappyEyeballs = (() => {
+    const sockopt = (directFreedomOutbound?.streamSettings as { sockopt?: { happyEyeballs?: unknown } } | undefined)
+      ?.sockopt;
+    const raw = sockopt?.happyEyeballs;
+    if (raw == null || typeof raw !== 'object') return null;
+    return HappyEyeballsSchema.parse(raw);
+  })();
+
+  const setDirectHappyEyeballs = useCallback(
+    (next: ReturnType<typeof HappyEyeballsSchema.parse> | null) => {
+      mutate((tt) => {
+        if (!tt.outbounds) tt.outbounds = [];
+        let idx = tt.outbounds.findIndex((o) => o?.protocol === 'freedom' && o?.tag === 'direct');
+        if (idx < 0) {
+          tt.outbounds.push({ protocol: 'freedom', tag: 'direct', settings: {} });
+          idx = tt.outbounds.length - 1;
+        }
+        const ob = tt.outbounds[idx];
+        const stream = (ob.streamSettings ?? {}) as Record<string, unknown>;
+        const sockopt = (stream.sockopt ?? {}) as Record<string, unknown>;
+        if (next == null) {
+          delete sockopt.happyEyeballs;
+        } else {
+          sockopt.happyEyeballs = next;
+        }
+        if (Object.keys(sockopt).length === 0) {
+          delete stream.sockopt;
+        } else {
+          stream.sockopt = sockopt;
+        }
+        if (Object.keys(stream).length === 0) {
+          delete ob.streamSettings;
+        } else {
+          ob.streamSettings = stream;
+        }
+      });
+    },
+    [mutate],
+  );
+
   const routingStrategy = templateSettings?.routing?.domainStrategy ?? 'AsIs';
   const log = (templateSettings?.log || {}) as Record<string, unknown>;
   const policy = (templateSettings?.policy?.system || {}) as Record<string, boolean>;
@@ -124,6 +168,53 @@ export default function BasicsTab({
               />
             }
           />
+          <SettingListItem
+            title={t('pages.xray.FreedomHappyEyeballs')}
+            description={t('pages.xray.FreedomHappyEyeballsDesc')}
+            paddings="small"
+            control={
+              <Switch
+                checked={directHappyEyeballs != null}
+                onChange={(checked) => {
+                  setDirectHappyEyeballs(checked ? HappyEyeballsSchema.parse({}) : null);
+                }}
+              />
+            }
+          />
+          {directHappyEyeballs != null && (
+            <>
+              <SettingListItem
+                title={t('pages.inbounds.form.tryDelayMs')}
+                description={t('pages.xray.FreedomHappyEyeballsTryDelayDesc')}
+                paddings="small"
+                control={
+                  <InputNumber
+                    min={0}
+                    style={{ width: '100%' }}
+                    value={directHappyEyeballs.tryDelayMs}
+                    placeholder="150"
+                    onChange={(v) => setDirectHappyEyeballs({
+                      ...directHappyEyeballs,
+                      tryDelayMs: typeof v === 'number' ? v : 0,
+                    })}
+                  />
+                }
+              />
+              <SettingListItem
+                title={t('pages.inbounds.form.prioritizeIPv6')}
+                paddings="small"
+                control={
+                  <Switch
+                    checked={directHappyEyeballs.prioritizeIPv6}
+                    onChange={(checked) => setDirectHappyEyeballs({
+                      ...directHappyEyeballs,
+                      prioritizeIPv6: checked,
+                    })}
+                  />
+                }
+              />
+            </>
+          )}
           <SettingListItem
             title={t('pages.xray.RoutingStrategy')}
             description={t('pages.xray.RoutingStrategyDesc')}
diff --git a/frontend/src/pages/xray/outbounds/transport/sockopt.tsx b/frontend/src/pages/xray/outbounds/transport/sockopt.tsx
index 001e9c4a..ff664815 100644
--- a/frontend/src/pages/xray/outbounds/transport/sockopt.tsx
+++ b/frontend/src/pages/xray/outbounds/transport/sockopt.tsx
@@ -171,6 +171,7 @@ export default function SockoptForm({
                 <Form.Item
                   label={t('pages.inbounds.form.tcpWindowClamp')}
                   name={['streamSettings', 'sockopt', 'tcpWindowClamp']}
+                  tooltip={t('pages.inbounds.form.tcpWindowClampHint')}
                 >
                   <InputNumber min={0} style={{ width: '100%' }} />
                 </Form.Item>
diff --git a/frontend/src/schemas/protocols/stream/sockopt.ts b/frontend/src/schemas/protocols/stream/sockopt.ts
index 7242bc97..877b776a 100644
--- a/frontend/src/schemas/protocols/stream/sockopt.ts
+++ b/frontend/src/schemas/protocols/stream/sockopt.ts
@@ -57,14 +57,18 @@ export const SockoptStreamSettingsSchema = z.object({
   tcpMptcp: z.boolean().default(false),
   penetrate: z.boolean().default(false),
   domainStrategy: SockoptDomainStrategySchema.default('AsIs'),
-  tcpMaxSeg: z.number().int().min(0).default(1440),
+  // 0 = omit on the wire; xray-core skips sockopt fields <= 0 and uses OS defaults.
+  // Non-zero defaults here previously came from the xray docs *example* (clamp 600,
+  // maxSeg 1440, userTimeout 10000) and were written into every config when the
+  // panel sockopt switch was enabled, throttling long-haul links.
+  tcpMaxSeg: z.number().int().min(0).default(0),
   dialerProxy: z.string().default(''),
-  tcpKeepAliveInterval: z.number().int().min(0).default(45),
-  tcpKeepAliveIdle: z.number().int().min(0).default(45),
-  tcpUserTimeout: z.number().int().min(0).default(10000),
+  tcpKeepAliveInterval: z.number().int().min(0).default(0),
+  tcpKeepAliveIdle: z.number().int().min(0).default(0),
+  tcpUserTimeout: z.number().int().min(0).default(0),
   tcpcongestion: TcpCongestionSchema.default('bbr'),
   V6Only: z.boolean().default(false),
-  tcpWindowClamp: z.number().int().min(0).default(600),
+  tcpWindowClamp: z.number().int().min(0).default(0),
   interface: z.string().default(''),
   trustedXForwardedFor: z.array(z.string()).default([]),
   addressPortStrategy: AddressPortStrategySchema.default('none'),
diff --git a/frontend/src/test/__snapshots__/sockopt.test.ts.snap b/frontend/src/test/__snapshots__/sockopt.test.ts.snap
index 1d47990d..e9ead449 100644
--- a/frontend/src/test/__snapshots__/sockopt.test.ts.snap
+++ b/frontend/src/test/__snapshots__/sockopt.test.ts.snap
@@ -12,12 +12,12 @@ exports[`SockoptStreamSettingsSchema fixtures > parses defaults byte-stably 1`]
   "mark": 0,
   "penetrate": false,
   "tcpFastOpen": false,
-  "tcpKeepAliveIdle": 45,
-  "tcpKeepAliveInterval": 45,
-  "tcpMaxSeg": 1440,
+  "tcpKeepAliveIdle": 0,
+  "tcpKeepAliveInterval": 0,
+  "tcpMaxSeg": 0,
   "tcpMptcp": false,
-  "tcpUserTimeout": 10000,
-  "tcpWindowClamp": 600,
+  "tcpUserTimeout": 0,
+  "tcpWindowClamp": 0,
   "tcpcongestion": "bbr",
   "tproxy": "off",
   "trustedXForwardedFor": [],
@@ -87,12 +87,12 @@ exports[`SockoptStreamSettingsSchema fixtures > parses tproxy byte-stably 1`] =
   "mark": 255,
   "penetrate": true,
   "tcpFastOpen": false,
-  "tcpKeepAliveIdle": 45,
-  "tcpKeepAliveInterval": 45,
-  "tcpMaxSeg": 1440,
+  "tcpKeepAliveIdle": 0,
+  "tcpKeepAliveInterval": 0,
+  "tcpMaxSeg": 0,
   "tcpMptcp": false,
-  "tcpUserTimeout": 10000,
-  "tcpWindowClamp": 600,
+  "tcpUserTimeout": 0,
+  "tcpWindowClamp": 0,
   "tcpcongestion": "bbr",
   "tproxy": "tproxy",
   "trustedXForwardedFor": [],
diff --git a/frontend/src/test/stream-wire-normalize.test.ts b/frontend/src/test/stream-wire-normalize.test.ts
new file mode 100644
index 00000000..d40e49d5
--- /dev/null
+++ b/frontend/src/test/stream-wire-normalize.test.ts
@@ -0,0 +1,243 @@
+/// <reference types="vite/client" />
+import { describe, expect, it } from 'vitest';
+
+import { formValuesToWirePayload } from '@/lib/xray/inbound-form-adapter';
+import { formValuesToWirePayload as outboundToWire } from '@/lib/xray/outbound-form-adapter';
+import {
+  normalizeSockoptForWire,
+  normalizeStreamSettingsForWire,
+  normalizeXhttpForWire,
+  validateRealityTarget,
+} from '@/lib/xray/stream-wire-normalize';
+import type { InboundFormValues } from '@/schemas/forms/inbound-form';
+
+describe('validateRealityTarget', () => {
+  it('accepts host:port and bare port', () => {
+    expect(validateRealityTarget('play.google.com:443')).toBeUndefined();
+    expect(validateRealityTarget('443')).toBeUndefined();
+  });
+
+  it('rejects host without port', () => {
+    expect(validateRealityTarget('play.google.com')).toBe('pages.inbounds.form.realityTargetNeedsPort');
+    expect(validateRealityTarget('')).toBe('pages.inbounds.form.realityTargetRequired');
+  });
+});
+
+describe('normalizeXhttpForWire stream-one', () => {
+  it('drops packet-up and stream-up-only fields on inbound', () => {
+    const out = normalizeXhttpForWire({
+      path: '/app',
+      host: 'play.google.com',
+      mode: 'stream-one',
+      xPaddingBytes: '100-1000',
+      scMaxEachPostBytes: '1000000',
+      scMinPostsIntervalMs: '30',
+      scMaxBufferedPosts: 30,
+      scStreamUpServerSecs: '20-80',
+      enableXmux: false,
+      headers: {},
+    }, 'inbound');
+
+    expect(out).toMatchObject({
+      path: '/app',
+      host: 'play.google.com',
+      mode: 'stream-one',
+      xPaddingBytes: '100-1000',
+    });
+    expect(out).not.toHaveProperty('scMaxEachPostBytes');
+    expect(out).not.toHaveProperty('scMinPostsIntervalMs');
+    expect(out).not.toHaveProperty('scMaxBufferedPosts');
+    expect(out).not.toHaveProperty('scStreamUpServerSecs');
+    expect(out).not.toHaveProperty('enableXmux');
+    expect(out).not.toHaveProperty('headers');
+  });
+
+  it('keeps xmux on outbound stream-one', () => {
+    const out = normalizeXhttpForWire({
+      path: '/app',
+      mode: 'stream-one',
+      xPaddingBytes: '100-1000',
+      xmux: { maxConcurrency: '16-32' },
+      scMaxEachPostBytes: '1000000',
+    }, 'outbound');
+
+    expect(out.xmux).toEqual({ maxConcurrency: '16-32' });
+    expect(out).not.toHaveProperty('scMaxEachPostBytes');
+  });
+});
+
+describe('normalizeSockoptForWire', () => {
+  it('omits doc-example defaults that throttle throughput', () => {
+    const out = normalizeSockoptForWire({
+      tcpWindowClamp: 0,
+      tcpMaxSeg: 0,
+      tcpUserTimeout: 0,
+      tcpFastOpen: true,
+      tcpcongestion: 'bbr',
+      domainStrategy: 'AsIs',
+      tproxy: 'off',
+      mark: 0,
+    });
+
+    expect(out).toEqual({
+      tcpFastOpen: true,
+      tcpcongestion: 'bbr',
+    });
+  });
+
+  it('preserves happyEyeballs on freedom-style outbound', () => {
+    const out = normalizeSockoptForWire({
+      domainStrategy: 'UseIP',
+      happyEyeballs: {
+        tryDelayMs: 150,
+        prioritizeIPv6: true,
+        interleave: 1,
+        maxConcurrentTry: 4,
+      },
+    });
+
+    expect(out?.happyEyeballs).toMatchObject({
+      tryDelayMs: 150,
+      prioritizeIPv6: true,
+    });
+    expect(out?.domainStrategy).toBe('UseIP');
+  });
+});
+
+describe('normalizeStreamSettingsForWire reality', () => {
+  it('preserves the nested client settings on inbound (share links read publicKey from there)', () => {
+    const out = normalizeStreamSettingsForWire({
+      network: 'xhttp',
+      security: 'reality',
+      realitySettings: {
+        target: 'play.google.com:443',
+        privateKey: 'priv',
+        serverNames: ['play.google.com'],
+        shortIds: ['abcd'],
+        settings: {
+          publicKey: 'pub',
+          fingerprint: 'chrome',
+          spiderX: '/',
+        },
+      },
+    }, { side: 'inbound' });
+
+    const reality = out.realitySettings as Record<string, unknown>;
+    expect(reality.target).toBe('play.google.com:443');
+    expect(reality.privateKey).toBe('priv');
+    const settings = reality.settings as Record<string, unknown>;
+    expect(settings.publicKey).toBe('pub');
+    expect(settings.spiderX).toBe('/');
+  });
+
+  it('passes client realitySettings through unchanged on outbound', () => {
+    const out = normalizeStreamSettingsForWire({
+      network: 'xhttp',
+      security: 'reality',
+      realitySettings: {
+        publicKey: 'pub',
+        fingerprint: 'chrome',
+        serverName: 'play.google.com',
+        shortId: 'abcd',
+        spiderX: '/x',
+      },
+    }, { side: 'outbound' });
+
+    const reality = out.realitySettings as Record<string, unknown>;
+    expect(reality.publicKey).toBe('pub');
+    expect(reality.serverName).toBe('play.google.com');
+    expect(reality.spiderX).toBe('/x');
+  });
+});
+
+describe('inbound formValuesToWirePayload integration', () => {
+  it('emits lean stream-one xhttp + sockopt on save', () => {
+    const values = {
+      remark: 't',
+      enable: true,
+      port: 443,
+      listen: '0.0.0.0',
+      tag: 'in-443',
+      expiryTime: 0,
+      sniffing: { enabled: false },
+      up: 0,
+      down: 0,
+      total: 0,
+      trafficReset: 'never',
+      lastTrafficResetTime: 0,
+      nodeId: null,
+      protocol: 'vless',
+      settings: { clients: [{ id: '7eeb09ed-ae97-400d-a1ce-2485fb904407', email: 'n' }], decryption: 'none' },
+      streamSettings: {
+        network: 'xhttp',
+        security: 'reality',
+        realitySettings: {
+          target: 'play.google.com:443',
+          privateKey: 'priv',
+          serverNames: ['play.google.com'],
+          shortIds: ['44003d86dc1e'],
+          settings: { publicKey: 'pub', fingerprint: 'chrome', spiderX: '/' },
+        },
+        xhttpSettings: {
+          path: '/app',
+          host: 'play.google.com',
+          mode: 'stream-one',
+          xPaddingBytes: '100-1000',
+          scMaxEachPostBytes: '1000000',
+          scMinPostsIntervalMs: '30',
+          enableXmux: false,
+        },
+        sockopt: {
+          tcpWindowClamp: 0,
+          tcpMaxSeg: 0,
+          tcpUserTimeout: 0,
+          tcpFastOpen: true,
+          tcpcongestion: 'bbr',
+        },
+      },
+    } as InboundFormValues;
+
+    const payload = formValuesToWirePayload(values);
+    const stream = JSON.parse(payload.streamSettings) as Record<string, unknown>;
+    const xhttp = stream.xhttpSettings as Record<string, unknown>;
+    const sockopt = stream.sockopt as Record<string, unknown>;
+    const reality = stream.realitySettings as Record<string, unknown>;
+
+    expect(xhttp).not.toHaveProperty('scMaxEachPostBytes');
+    expect(sockopt).not.toHaveProperty('tcpWindowClamp');
+    expect(sockopt.tcpFastOpen).toBe(true);
+    const realitySettings = reality.settings as Record<string, unknown>;
+    expect(realitySettings.publicKey).toBe('pub');
+  });
+});
+
+describe('freedom outbound sockopt wire payload', () => {
+  it('preserves happyEyeballs on direct freedom outbound', () => {
+    const wire = outboundToWire({
+      protocol: 'freedom',
+      tag: 'direct',
+      settings: { domainStrategy: 'UseIP' },
+      streamSettings: {
+        sockopt: {
+          domainStrategy: 'UseIP',
+          happyEyeballs: {
+            tryDelayMs: 150,
+            prioritizeIPv6: true,
+            interleave: 1,
+            maxConcurrentTry: 4,
+          },
+        },
+      },
+    } as Parameters<typeof outboundToWire>[0]);
+
+    expect(wire.streamSettings).toMatchObject({
+      sockopt: {
+        domainStrategy: 'UseIP',
+        happyEyeballs: {
+          tryDelayMs: 150,
+          prioritizeIPv6: true,
+        },
+      },
+    });
+  });
+});
diff --git a/web/translation/en-US.json b/web/translation/en-US.json
index da0ecd4e..3790d5bb 100644
--- a/web/translation/en-US.json
+++ b/web/translation/en-US.json
@@ -560,6 +560,7 @@
         "tcpMaxSeg": "TCP Max Seg",
         "tcpUserTimeout": "TCP User Timeout",
         "tcpWindowClamp": "TCP Window Clamp",
+        "tcpWindowClampHint": "Leave 0 to use the OS default. Non-zero values cap the advertised TCP receive window; values like 600 (from the Xray docs example) can collapse throughput on high-latency links.",
         "tcpFastOpen": "TCP Fast Open",
         "multipathTcp": "Multipath TCP",
         "penetrate": "Penetrate",
@@ -598,6 +599,10 @@
         "minClientVer": "Min Client Ver",
         "maxClientVer": "Max Client Ver",
         "shortIds": "Short IDs",
+        "realityTargetHint": "Required. Must include a port (e.g. example.com:443). Without a port Xray-core refuses to start.",
+        "realityTargetRequired": "REALITY target is required",
+        "realityTargetNeedsPort": "REALITY target must include a port (e.g. example.com:443)",
+        "realityTargetInvalidPort": "REALITY target has an invalid port",
         "spiderX": "SpiderX",
         "getNewCert": "Get New Cert",
         "mldsa65Seed": "mldsa65 Seed",
@@ -1178,6 +1183,9 @@
       "TemplateDesc": "The final Xray config file will be generated based on this template.",
       "FreedomStrategy": "Freedom Protocol Strategy",
       "FreedomStrategyDesc": "Set the output strategy for the network in the Freedom Protocol.",
+      "FreedomHappyEyeballs": "Freedom Happy Eyeballs (IPv4/IPv6)",
+      "FreedomHappyEyeballsDesc": "Dual-stack dialing for the direct (freedom) outbound — useful on exit servers with both IPv4 and IPv6.",
+      "FreedomHappyEyeballsTryDelayDesc": "Milliseconds before trying the alternate address family. 150–250 ms is a good starting point.",
       "RoutingStrategy": "Overall Routing Strategy",
       "RoutingStrategyDesc": "Set the overall traffic routing strategy for resolving all requests.",
       "outboundTestUrl": "Outbound Test URL",