From 6ed6f57b5ce0548c4bb857fd68055ed6f3ceddcf Mon Sep 17 00:00:00 2001
From: nima1024m <114405577+nima1024m@users.noreply.github.com>
Date: Sat, 6 Jun 2026 04:10:32 +0330
Subject: [PATCH] fix(panel): normalize XHTTP/sockopt/Reality wire output and
 validate REALITY target (#4988)

* fix(panel): normalize XHTTP/sockopt/Reality wire output and validate REALITY target

Strip mode-specific XHTTP fields for stream-one, reset harmful sockopt defaults
to 0, split server/client Reality fields on save, validate target host:port in
the inbound form, and expose Happy Eyeballs for the direct freedom outbound.

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix(panel): keep REALITY public key on the wire, guard freedom noises

The REALITY server/client wire split deleted realitySettings.settings on save, but the panel stores the REALITY public key there and every share-link / subscription generator reads it back from that path (frontend inbound-link.ts, Go subService/subJsonService/subClashService). Stripping it produced empty pbk= links, breaking client connectivity after save+reload.

Revert the reality normalization (drop normalizeRealityForWire and the key sets), restore the inbound REALITY form fields (uTLS, spiderX, publicKey, mldsa65Verify) while keeping the new validated target field, and restore the mldsa65Verify clear handler.

Also guard freedomToWire against undefined noises/finalRules (same defensive treatment as the existing fragment guard, issue #4686) which the new freedom-outbound test surfaced as a crash. Tests now assert the public key is preserved.

---------

Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: MHSanaei <ho3ein.sanaei@gmail.com>
---
 frontend/src/lib/xray/inbound-form-adapter.ts |   8 +-
 .../src/lib/xray/outbound-form-adapter.ts     |   7 +-
 .../src/lib/xray/stream-wire-normalize.ts     | 225 ++++++++++++++++
 .../pages/inbounds/form/security/reality.tsx  |  21 +-
 .../pages/inbounds/form/transport/sockopt.tsx |   1 +
 frontend/src/pages/xray/basics/BasicsTab.tsx  |  91 +++++++
 .../xray/outbounds/transport/sockopt.tsx      |   1 +
 .../src/schemas/protocols/stream/sockopt.ts   |  14 +-
 .../test/__snapshots__/sockopt.test.ts.snap   |  20 +-
 .../src/test/stream-wire-normalize.test.ts    | 243 ++++++++++++++++++
 web/translation/en-US.json                    |   8 +
 11 files changed, 616 insertions(+), 23 deletions(-)
 create mode 100644 frontend/src/lib/xray/stream-wire-normalize.ts
 create mode 100644 frontend/src/test/stream-wire-normalize.test.ts

diff --git a/frontend/src/lib/xray/inbound-form-adapter.ts b/frontend/src/lib/xray/inbound-form-adapter.ts
index 3488111f..07b3c75a 100644
--- a/frontend/src/lib/xray/inbound-form-adapter.ts
+++ b/frontend/src/lib/xray/inbound-form-adapter.ts
@@ -10,6 +10,7 @@ import {
 import type { StreamSettings } from '@/schemas/api/inbound';
 import type { Sniffing } from '@/schemas/primitives';
 import type { z } from 'zod';
+import { normalizeStreamSettingsForWire } from '@/lib/xray/stream-wire-normalize';
 
 // Plain-data adapter between the panel's stored inbound row shape and
 // the typed InboundFormValues that Form.useForm<T> carries inside
@@ -279,10 +280,13 @@ export function formValuesToWirePayload(values: InboundFormValues): WireInboundP
   if (Array.isArray(settingsPruned.clients)) {
     settingsPruned.clients = normalizeClients(values.protocol, settingsPruned.clients);
   }
-  const streamPruned = values.streamSettings
+  let streamPruned = values.streamSettings
     ? ((pruneEmpty(values.streamSettings) ?? {}) as Record<string, unknown>)
     : undefined;
-  if (streamPruned) stripTlsCertUseFile(streamPruned);
+  if (streamPruned) {
+    streamPruned = normalizeStreamSettingsForWire(streamPruned, { side: 'inbound' });
+    stripTlsCertUseFile(streamPruned);
+  }
   dropLegacyOptionalEmpties(settingsPruned, streamPruned);
   const payload: WireInboundPayload = {
     up: values.up,
diff --git a/frontend/src/lib/xray/outbound-form-adapter.ts b/frontend/src/lib/xray/outbound-form-adapter.ts
index cfee7284..4caf2d52 100644
--- a/frontend/src/lib/xray/outbound-form-adapter.ts
+++ b/frontend/src/lib/xray/outbound-form-adapter.ts
@@ -1,4 +1,5 @@
 import { XHttpXmuxSchema } from '@/schemas/protocols/stream/xhttp';
+import { normalizeStreamSettingsForWire } from '@/lib/xray/stream-wire-normalize';
 import { Wireguard } from '@/utils';
 
 import type {
@@ -519,8 +520,8 @@ function freedomToWire(s: FreedomOutboundFormSettings) {
     userLevel: s.userLevel || undefined,
     proxyProtocol: s.proxyProtocol || undefined,
     fragment: fragmentEnabled ? Object.fromEntries(fragmentEntries) : undefined,
-    noises: s.noises.length > 0 ? s.noises : undefined,
-    finalRules: s.finalRules.length > 0
+    noises: s.noises && s.noises.length > 0 ? s.noises : undefined,
+    finalRules: s.finalRules && s.finalRules.length > 0
       ? s.finalRules.map((r) => ({
           action: r.action,
           network: r.network || undefined,
@@ -588,7 +589,7 @@ function stripUiOnlyStreamFields(stream: unknown): Raw {
     if (!xmuxEnabled) delete cleaned.xmux;
     next.xhttpSettings = dropEmptyStrings(cleaned);
   }
-  return next;
+  return normalizeStreamSettingsForWire(next, { side: 'outbound' }) as Raw;
 }
 
 function muxAllowed(values: OutboundFormValues): boolean {
diff --git a/frontend/src/lib/xray/stream-wire-normalize.ts b/frontend/src/lib/xray/stream-wire-normalize.ts
new file mode 100644
index 00000000..f18b47af
--- /dev/null
+++ b/frontend/src/lib/xray/stream-wire-normalize.ts
@@ -0,0 +1,225 @@
+// Shapes the streamSettings subtree that 3x-ui persists to match what
+// xray-core actually consumes. The panel's Zod defaults mirror the full
+// SplitHTTPConfig / SockoptObject schema, but many fields are mode-specific
+// (packet-up vs stream-one) or side-specific (inbound vs outbound). Emitting
+// them anyway bloats configs and — for sockopt — can inject doc-example
+// values like tcpWindowClamp: 600 that throttle throughput.
+
+export type StreamWireSide = 'inbound' | 'outbound';
+
+const PACKET_UP_FIELDS = [
+  'scMaxEachPostBytes',
+  'scMinPostsIntervalMs',
+  'scMaxBufferedPosts',
+] as const;
+
+const STREAM_UP_SERVER_FIELDS = ['scStreamUpServerSecs'] as const;
+
+const PLACEMENT_STRING_FIELDS = [
+  'sessionPlacement',
+  'sessionKey',
+  'seqPlacement',
+  'seqKey',
+  'uplinkDataPlacement',
+  'uplinkDataKey',
+  'uplinkHTTPMethod',
+  'xPaddingKey',
+  'xPaddingHeader',
+  'xPaddingPlacement',
+  'xPaddingMethod',
+] as const;
+
+function isRecord(v: unknown): v is Record<string, unknown> {
+  return v != null && typeof v === 'object' && !Array.isArray(v);
+}
+
+function nonEmptyString(v: unknown): v is string {
+  return typeof v === 'string' && v.trim() !== '';
+}
+
+function hasMeaningfulHeaders(headers: unknown): boolean {
+  return isRecord(headers) && Object.keys(headers).length > 0;
+}
+
+/** Validates REALITY inbound `target` / `dest` (must include a port). */
+export function validateRealityTarget(target: string): string | undefined {
+  const trimmed = target.trim();
+  if (!trimmed) {
+    return 'pages.inbounds.form.realityTargetRequired';
+  }
+
+  // Unix socket destinations (rare, but valid in xray-core).
+  if (trimmed.startsWith('/') || trimmed.startsWith('@')) {
+    return undefined;
+  }
+
+  // Pure port → localhost:port in xray-core.
+  if (/^\d+$/.test(trimmed)) {
+    const port = Number(trimmed);
+    if (port >= 1 && port <= 65535) return undefined;
+    return 'pages.inbounds.form.realityTargetInvalidPort';
+  }
+
+  const lastColon = trimmed.lastIndexOf(':');
+  if (lastColon <= 0 || lastColon === trimmed.length - 1) {
+    return 'pages.inbounds.form.realityTargetNeedsPort';
+  }
+
+  const portPart = trimmed.slice(lastColon + 1);
+  if (!/^\d+$/.test(portPart)) {
+    return 'pages.inbounds.form.realityTargetInvalidPort';
+  }
+  const port = Number(portPart);
+  if (port < 1 || port > 65535) {
+    return 'pages.inbounds.form.realityTargetInvalidPort';
+  }
+  return undefined;
+}
+
+function dropEmptyStrings(obj: Record<string, unknown>, keys: readonly string[]): void {
+  for (const key of keys) {
+    const v = obj[key];
+    if (v === '' || v == null) delete obj[key];
+  }
+}
+
+function dropFalseFlags(obj: Record<string, unknown>, keys: readonly string[]): void {
+  for (const key of keys) {
+    if (obj[key] === false) delete obj[key];
+  }
+}
+
+function dropZeroNumbers(obj: Record<string, unknown>, keys: readonly string[]): void {
+  for (const key of keys) {
+    if (obj[key] === 0) delete obj[key];
+  }
+}
+
+export function normalizeXhttpForWire(
+  raw: Record<string, unknown>,
+  side: StreamWireSide,
+): Record<string, unknown> {
+  const out: Record<string, unknown> = { ...raw };
+  const mode = typeof out.mode === 'string' && out.mode !== '' ? out.mode : 'auto';
+
+  delete out.enableXmux;
+
+  if (side === 'inbound') {
+    delete out.xmux;
+    delete out.scMinPostsIntervalMs;
+    delete out.uplinkChunkSize;
+  }
+
+  dropEmptyStrings(out, PLACEMENT_STRING_FIELDS);
+
+  if (!hasMeaningfulHeaders(out.headers)) {
+    delete out.headers;
+  }
+
+  if (out.xPaddingObfsMode !== true) {
+    delete out.xPaddingObfsMode;
+    dropEmptyStrings(out, [
+      'xPaddingKey',
+      'xPaddingHeader',
+      'xPaddingPlacement',
+      'xPaddingMethod',
+    ]);
+  }
+
+  if (out.noGRPCHeader !== true) delete out.noGRPCHeader;
+  if (out.noSSEHeader !== true) delete out.noSSEHeader;
+  if (out.serverMaxHeaderBytes === 0) delete out.serverMaxHeaderBytes;
+  if (out.uplinkChunkSize === 0) delete out.uplinkChunkSize;
+
+  if (mode === 'stream-one') {
+    for (const key of PACKET_UP_FIELDS) delete out[key];
+    for (const key of STREAM_UP_SERVER_FIELDS) delete out[key];
+  } else if (mode === 'stream-up') {
+    for (const key of PACKET_UP_FIELDS) delete out[key];
+    if (side === 'outbound') {
+      delete out.scStreamUpServerSecs;
+    }
+  } else if (mode === 'packet-up') {
+    delete out.scStreamUpServerSecs;
+  }
+
+  return out;
+}
+
+export function normalizeSockoptForWire(
+  raw: Record<string, unknown>,
+): Record<string, unknown> | undefined {
+  const out: Record<string, unknown> = { ...raw };
+
+  dropZeroNumbers(out, [
+    'tcpWindowClamp',
+    'tcpMaxSeg',
+    'tcpUserTimeout',
+    'tcpKeepAliveIdle',
+    'tcpKeepAliveInterval',
+    'mark',
+  ]);
+
+  dropFalseFlags(out, [
+    'acceptProxyProtocol',
+    'tcpFastOpen',
+    'tcpMptcp',
+    'penetrate',
+    'V6Only',
+  ]);
+
+  if (out.tproxy === 'off') delete out.tproxy;
+  if (out.domainStrategy === 'AsIs') delete out.domainStrategy;
+  if (out.addressPortStrategy === 'none') delete out.addressPortStrategy;
+  if (nonEmptyString(out.dialerProxy) === false) delete out.dialerProxy;
+  if (nonEmptyString(out.interface) === false) delete out.interface;
+  if (Array.isArray(out.trustedXForwardedFor) && out.trustedXForwardedFor.length === 0) {
+    delete out.trustedXForwardedFor;
+  }
+  if (Array.isArray(out.customSockopt) && out.customSockopt.length === 0) {
+    delete out.customSockopt;
+  }
+
+  const he = out.happyEyeballs;
+  if (isRecord(he)) {
+    const heOut: Record<string, unknown> = { ...he };
+    if (heOut.tryDelayMs === 0) delete heOut.tryDelayMs;
+    if (heOut.prioritizeIPv6 === false) delete heOut.prioritizeIPv6;
+    if (heOut.interleave === 1) delete heOut.interleave;
+    if (heOut.maxConcurrentTry === 4) delete heOut.maxConcurrentTry;
+    if (Object.keys(heOut).length === 0) {
+      delete out.happyEyeballs;
+    } else {
+      out.happyEyeballs = heOut;
+    }
+  }
+
+  if (nonEmptyString(out.tcpcongestion) === false) delete out.tcpcongestion;
+
+  if (Object.keys(out).length === 0) return undefined;
+  return out;
+}
+
+export function normalizeStreamSettingsForWire(
+  stream: Record<string, unknown>,
+  opts: { side: StreamWireSide },
+): Record<string, unknown> {
+  const out: Record<string, unknown> = { ...stream };
+
+  const xhttp = out.xhttpSettings;
+  if (isRecord(xhttp)) {
+    out.xhttpSettings = normalizeXhttpForWire(xhttp, opts.side);
+  }
+
+  const sockopt = out.sockopt;
+  if (isRecord(sockopt)) {
+    const normalized = normalizeSockoptForWire(sockopt);
+    if (normalized) {
+      out.sockopt = normalized;
+    } else {
+      delete out.sockopt;
+    }
+  }
+
+  return out;
+}
diff --git a/frontend/src/pages/inbounds/form/security/reality.tsx b/frontend/src/pages/inbounds/form/security/reality.tsx
index fa33cdf3..fd500622 100644
--- a/frontend/src/pages/inbounds/form/security/reality.tsx
+++ b/frontend/src/pages/inbounds/form/security/reality.tsx
@@ -3,6 +3,7 @@ import { Button, Form, Input, InputNumber, Select, Space, Switch } from 'antd';
 import { ReloadOutlined } from '@ant-design/icons';
 
 import { UTLS_FINGERPRINT } from '@/schemas/primitives';
+import { validateRealityTarget } from '@/lib/xray/stream-wire-normalize';
 
 interface RealityFormProps {
   saving: boolean;
@@ -44,10 +45,24 @@ export default function RealityForm({
           options={Object.values(UTLS_FINGERPRINT).map((fp) => ({ value: fp, label: fp }))}
         />
       </Form.Item>
-      <Form.Item label={t('pages.inbounds.form.target')}>
+      <Form.Item
+        label={t('pages.inbounds.form.target')}
+        extra={t('pages.inbounds.form.realityTargetHint')}
+      >
         <Space.Compact block>
-          <Form.Item name={['streamSettings', 'realitySettings', 'target']} noStyle>
-            <Input style={{ width: 'calc(100% - 32px)' }} />
+          <Form.Item
+            name={['streamSettings', 'realitySettings', 'target']}
+            noStyle
+            rules={[
+              {
+                validator: async (_, value) => {
+                  const errKey = validateRealityTarget(typeof value === 'string' ? value : '');
+                  if (errKey) throw new Error(t(errKey));
+                },
+              },
+            ]}
+          >
+            <Input style={{ width: 'calc(100% - 32px)' }} placeholder="example.com:443" />
           </Form.Item>
           <Button icon={<ReloadOutlined />} onClick={randomizeRealityTarget} />
         </Space.Compact>
diff --git a/frontend/src/pages/inbounds/form/transport/sockopt.tsx b/frontend/src/pages/inbounds/form/transport/sockopt.tsx
index 7adca1f3..dcff60cc 100644
--- a/frontend/src/pages/inbounds/form/transport/sockopt.tsx
+++ b/frontend/src/pages/inbounds/form/transport/sockopt.tsx
@@ -60,6 +60,7 @@ export default function SockoptForm({
                 <Form.Item
                   name={['streamSettings', 'sockopt', 'tcpWindowClamp']}
                   label={t('pages.inbounds.form.tcpWindowClamp')}
+                  tooltip={t('pages.inbounds.form.tcpWindowClampHint')}
                 >
                   <InputNumber min={0} />
                 </Form.Item>
diff --git a/frontend/src/pages/xray/basics/BasicsTab.tsx b/frontend/src/pages/xray/basics/BasicsTab.tsx
index d630abfd..c0038017 100644
--- a/frontend/src/pages/xray/basics/BasicsTab.tsx
+++ b/frontend/src/pages/xray/basics/BasicsTab.tsx
@@ -10,6 +10,7 @@ import {
 } from '@ant-design/icons';
 
 import { OutboundDomainStrategies } from '@/schemas/primitives';
+import { HappyEyeballsSchema } from '@/schemas/protocols/stream/sockopt';
 import { SettingListItem } from '@/components/ui';
 import { useMediaQuery } from '@/hooks/useMediaQuery';
 import { catTabLabel } from '@/pages/settings/catTabLabel';
@@ -84,6 +85,49 @@ export default function BasicsTab({
       | { domainStrategy?: string }
       | undefined)?.domainStrategy ?? 'AsIs';
 
+  const directFreedomOutbound = templateSettings?.outbounds?.find(
+    (o) => o?.protocol === 'freedom' && o?.tag === 'direct',
+  );
+  const directHappyEyeballs = (() => {
+    const sockopt = (directFreedomOutbound?.streamSettings as { sockopt?: { happyEyeballs?: unknown } } | undefined)
+      ?.sockopt;
+    const raw = sockopt?.happyEyeballs;
+    if (raw == null || typeof raw !== 'object') return null;
+    return HappyEyeballsSchema.parse(raw);
+  })();
+
+  const setDirectHappyEyeballs = useCallback(
+    (next: ReturnType<typeof HappyEyeballsSchema.parse> | null) => {
+      mutate((tt) => {
+        if (!tt.outbounds) tt.outbounds = [];
+        let idx = tt.outbounds.findIndex((o) => o?.protocol === 'freedom' && o?.tag === 'direct');
+        if (idx < 0) {
+          tt.outbounds.push({ protocol: 'freedom', tag: 'direct', settings: {} });
+          idx = tt.outbounds.length - 1;
+        }
+        const ob = tt.outbounds[idx];
+        const stream = (ob.streamSettings ?? {}) as Record<string, unknown>;
+        const sockopt = (stream.sockopt ?? {}) as Record<string, unknown>;
+        if (next == null) {
+          delete sockopt.happyEyeballs;
+        } else {
+          sockopt.happyEyeballs = next;
+        }
+        if (Object.keys(sockopt).length === 0) {
+          delete stream.sockopt;
+        } else {
+          stream.sockopt = sockopt;
+        }
+        if (Object.keys(stream).length === 0) {
+          delete ob.streamSettings;
+        } else {
+          ob.streamSettings = stream;
+        }
+      });
+    },
+    [mutate],
+  );
+
   const routingStrategy = templateSettings?.routing?.domainStrategy ?? 'AsIs';
   const log = (templateSettings?.log || {}) as Record<string, unknown>;
   const policy = (templateSettings?.policy?.system || {}) as Record<string, boolean>;
@@ -124,6 +168,53 @@ export default function BasicsTab({
               />
             }
           />
+          <SettingListItem
+            title={t('pages.xray.FreedomHappyEyeballs')}
+            description={t('pages.xray.FreedomHappyEyeballsDesc')}
+            paddings="small"
+            control={
+              <Switch
+                checked={directHappyEyeballs != null}
+                onChange={(checked) => {
+                  setDirectHappyEyeballs(checked ? HappyEyeballsSchema.parse({}) : null);
+                }}
+              />
+            }
+          />
+          {directHappyEyeballs != null && (
+            <>
+              <SettingListItem
+                title={t('pages.inbounds.form.tryDelayMs')}
+                description={t('pages.xray.FreedomHappyEyeballsTryDelayDesc')}
+                paddings="small"
+                control={
+                  <InputNumber
+                    min={0}
+                    style={{ width: '100%' }}
+                    value={directHappyEyeballs.tryDelayMs}
+                    placeholder="150"
+                    onChange={(v) => setDirectHappyEyeballs({
+                      ...directHappyEyeballs,
+                      tryDelayMs: typeof v === 'number' ? v : 0,
+                    })}
+                  />
+                }
+              />
+              <SettingListItem
+                title={t('pages.inbounds.form.prioritizeIPv6')}
+                paddings="small"
+                control={
+                  <Switch
+                    checked={directHappyEyeballs.prioritizeIPv6}
+                    onChange={(checked) => setDirectHappyEyeballs({
+                      ...directHappyEyeballs,
+                      prioritizeIPv6: checked,
+                    })}
+                  />
+                }
+              />
+            </>
+          )}
           <SettingListItem
             title={t('pages.xray.RoutingStrategy')}
             description={t('pages.xray.RoutingStrategyDesc')}
diff --git a/frontend/src/pages/xray/outbounds/transport/sockopt.tsx b/frontend/src/pages/xray/outbounds/transport/sockopt.tsx
index 001e9c4a..ff664815 100644
--- a/frontend/src/pages/xray/outbounds/transport/sockopt.tsx
+++ b/frontend/src/pages/xray/outbounds/transport/sockopt.tsx
@@ -171,6 +171,7 @@ export default function SockoptForm({
                 <Form.Item
                   label={t('pages.inbounds.form.tcpWindowClamp')}
                   name={['streamSettings', 'sockopt', 'tcpWindowClamp']}
+                  tooltip={t('pages.inbounds.form.tcpWindowClampHint')}
                 >
                   <InputNumber min={0} style={{ width: '100%' }} />
                 </Form.Item>
diff --git a/frontend/src/schemas/protocols/stream/sockopt.ts b/frontend/src/schemas/protocols/stream/sockopt.ts
index 7242bc97..877b776a 100644
--- a/frontend/src/schemas/protocols/stream/sockopt.ts
+++ b/frontend/src/schemas/protocols/stream/sockopt.ts
@@ -57,14 +57,18 @@ export const SockoptStreamSettingsSchema = z.object({
   tcpMptcp: z.boolean().default(false),
   penetrate: z.boolean().default(false),
   domainStrategy: SockoptDomainStrategySchema.default('AsIs'),
-  tcpMaxSeg: z.number().int().min(0).default(1440),
+  // 0 = omit on the wire; xray-core skips sockopt fields <= 0 and uses OS defaults.
+  // Non-zero defaults here previously came from the xray docs *example* (clamp 600,
+  // maxSeg 1440, userTimeout 10000) and were written into every config when the
+  // panel sockopt switch was enabled, throttling long-haul links.
+  tcpMaxSeg: z.number().int().min(0).default(0),
   dialerProxy: z.string().default(''),
-  tcpKeepAliveInterval: z.number().int().min(0).default(45),
-  tcpKeepAliveIdle: z.number().int().min(0).default(45),
-  tcpUserTimeout: z.number().int().min(0).default(10000),
+  tcpKeepAliveInterval: z.number().int().min(0).default(0),
+  tcpKeepAliveIdle: z.number().int().min(0).default(0),
+  tcpUserTimeout: z.number().int().min(0).default(0),
   tcpcongestion: TcpCongestionSchema.default('bbr'),
   V6Only: z.boolean().default(false),
-  tcpWindowClamp: z.number().int().min(0).default(600),
+  tcpWindowClamp: z.number().int().min(0).default(0),
   interface: z.string().default(''),
   trustedXForwardedFor: z.array(z.string()).default([]),
   addressPortStrategy: AddressPortStrategySchema.default('none'),
diff --git a/frontend/src/test/__snapshots__/sockopt.test.ts.snap b/frontend/src/test/__snapshots__/sockopt.test.ts.snap
index 1d47990d..e9ead449 100644
--- a/frontend/src/test/__snapshots__/sockopt.test.ts.snap
+++ b/frontend/src/test/__snapshots__/sockopt.test.ts.snap
@@ -12,12 +12,12 @@ exports[`SockoptStreamSettingsSchema fixtures > parses defaults byte-stably 1`]
   "mark": 0,
   "penetrate": false,
   "tcpFastOpen": false,
-  "tcpKeepAliveIdle": 45,
-  "tcpKeepAliveInterval": 45,
-  "tcpMaxSeg": 1440,
+  "tcpKeepAliveIdle": 0,
+  "tcpKeepAliveInterval": 0,
+  "tcpMaxSeg": 0,
   "tcpMptcp": false,
-  "tcpUserTimeout": 10000,
-  "tcpWindowClamp": 600,
+  "tcpUserTimeout": 0,
+  "tcpWindowClamp": 0,
   "tcpcongestion": "bbr",
   "tproxy": "off",
   "trustedXForwardedFor": [],
@@ -87,12 +87,12 @@ exports[`SockoptStreamSettingsSchema fixtures > parses tproxy byte-stably 1`] =
   "mark": 255,
   "penetrate": true,
   "tcpFastOpen": false,
-  "tcpKeepAliveIdle": 45,
-  "tcpKeepAliveInterval": 45,
-  "tcpMaxSeg": 1440,
+  "tcpKeepAliveIdle": 0,
+  "tcpKeepAliveInterval": 0,
+  "tcpMaxSeg": 0,
   "tcpMptcp": false,
-  "tcpUserTimeout": 10000,
-  "tcpWindowClamp": 600,
+  "tcpUserTimeout": 0,
+  "tcpWindowClamp": 0,
   "tcpcongestion": "bbr",
   "tproxy": "tproxy",
   "trustedXForwardedFor": [],
diff --git a/frontend/src/test/stream-wire-normalize.test.ts b/frontend/src/test/stream-wire-normalize.test.ts
new file mode 100644
index 00000000..d40e49d5
--- /dev/null
+++ b/frontend/src/test/stream-wire-normalize.test.ts
@@ -0,0 +1,243 @@
+/// <reference types="vite/client" />
+import { describe, expect, it } from 'vitest';
+
+import { formValuesToWirePayload } from '@/lib/xray/inbound-form-adapter';
+import { formValuesToWirePayload as outboundToWire } from '@/lib/xray/outbound-form-adapter';
+import {
+  normalizeSockoptForWire,
+  normalizeStreamSettingsForWire,
+  normalizeXhttpForWire,
+  validateRealityTarget,
+} from '@/lib/xray/stream-wire-normalize';
+import type { InboundFormValues } from '@/schemas/forms/inbound-form';
+
+describe('validateRealityTarget', () => {
+  it('accepts host:port and bare port', () => {
+    expect(validateRealityTarget('play.google.com:443')).toBeUndefined();
+    expect(validateRealityTarget('443')).toBeUndefined();
+  });
+
+  it('rejects host without port', () => {
+    expect(validateRealityTarget('play.google.com')).toBe('pages.inbounds.form.realityTargetNeedsPort');
+    expect(validateRealityTarget('')).toBe('pages.inbounds.form.realityTargetRequired');
+  });
+});
+
+describe('normalizeXhttpForWire stream-one', () => {
+  it('drops packet-up and stream-up-only fields on inbound', () => {
+    const out = normalizeXhttpForWire({
+      path: '/app',
+      host: 'play.google.com',
+      mode: 'stream-one',
+      xPaddingBytes: '100-1000',
+      scMaxEachPostBytes: '1000000',
+      scMinPostsIntervalMs: '30',
+      scMaxBufferedPosts: 30,
+      scStreamUpServerSecs: '20-80',
+      enableXmux: false,
+      headers: {},
+    }, 'inbound');
+
+    expect(out).toMatchObject({
+      path: '/app',
+      host: 'play.google.com',
+      mode: 'stream-one',
+      xPaddingBytes: '100-1000',
+    });
+    expect(out).not.toHaveProperty('scMaxEachPostBytes');
+    expect(out).not.toHaveProperty('scMinPostsIntervalMs');
+    expect(out).not.toHaveProperty('scMaxBufferedPosts');
+    expect(out).not.toHaveProperty('scStreamUpServerSecs');
+    expect(out).not.toHaveProperty('enableXmux');
+    expect(out).not.toHaveProperty('headers');
+  });
+
+  it('keeps xmux on outbound stream-one', () => {
+    const out = normalizeXhttpForWire({
+      path: '/app',
+      mode: 'stream-one',
+      xPaddingBytes: '100-1000',
+      xmux: { maxConcurrency: '16-32' },
+      scMaxEachPostBytes: '1000000',
+    }, 'outbound');
+
+    expect(out.xmux).toEqual({ maxConcurrency: '16-32' });
+    expect(out).not.toHaveProperty('scMaxEachPostBytes');
+  });
+});
+
+describe('normalizeSockoptForWire', () => {
+  it('omits doc-example defaults that throttle throughput', () => {
+    const out = normalizeSockoptForWire({
+      tcpWindowClamp: 0,
+      tcpMaxSeg: 0,
+      tcpUserTimeout: 0,
+      tcpFastOpen: true,
+      tcpcongestion: 'bbr',
+      domainStrategy: 'AsIs',
+      tproxy: 'off',
+      mark: 0,
+    });
+
+    expect(out).toEqual({
+      tcpFastOpen: true,
+      tcpcongestion: 'bbr',
+    });
+  });
+
+  it('preserves happyEyeballs on freedom-style outbound', () => {
+    const out = normalizeSockoptForWire({
+      domainStrategy: 'UseIP',
+      happyEyeballs: {
+        tryDelayMs: 150,
+        prioritizeIPv6: true,
+        interleave: 1,
+        maxConcurrentTry: 4,
+      },
+    });
+
+    expect(out?.happyEyeballs).toMatchObject({
+      tryDelayMs: 150,
+      prioritizeIPv6: true,
+    });
+    expect(out?.domainStrategy).toBe('UseIP');
+  });
+});
+
+describe('normalizeStreamSettingsForWire reality', () => {
+  it('preserves the nested client settings on inbound (share links read publicKey from there)', () => {
+    const out = normalizeStreamSettingsForWire({
+      network: 'xhttp',
+      security: 'reality',
+      realitySettings: {
+        target: 'play.google.com:443',
+        privateKey: 'priv',
+        serverNames: ['play.google.com'],
+        shortIds: ['abcd'],
+        settings: {
+          publicKey: 'pub',
+          fingerprint: 'chrome',
+          spiderX: '/',
+        },
+      },
+    }, { side: 'inbound' });
+
+    const reality = out.realitySettings as Record<string, unknown>;
+    expect(reality.target).toBe('play.google.com:443');
+    expect(reality.privateKey).toBe('priv');
+    const settings = reality.settings as Record<string, unknown>;
+    expect(settings.publicKey).toBe('pub');
+    expect(settings.spiderX).toBe('/');
+  });
+
+  it('passes client realitySettings through unchanged on outbound', () => {
+    const out = normalizeStreamSettingsForWire({
+      network: 'xhttp',
+      security: 'reality',
+      realitySettings: {
+        publicKey: 'pub',
+        fingerprint: 'chrome',
+        serverName: 'play.google.com',
+        shortId: 'abcd',
+        spiderX: '/x',
+      },
+    }, { side: 'outbound' });
+
+    const reality = out.realitySettings as Record<string, unknown>;
+    expect(reality.publicKey).toBe('pub');
+    expect(reality.serverName).toBe('play.google.com');
+    expect(reality.spiderX).toBe('/x');
+  });
+});
+
+describe('inbound formValuesToWirePayload integration', () => {
+  it('emits lean stream-one xhttp + sockopt on save', () => {
+    const values = {
+      remark: 't',
+      enable: true,
+      port: 443,
+      listen: '0.0.0.0',
+      tag: 'in-443',
+      expiryTime: 0,
+      sniffing: { enabled: false },
+      up: 0,
+      down: 0,
+      total: 0,
+      trafficReset: 'never',
+      lastTrafficResetTime: 0,
+      nodeId: null,
+      protocol: 'vless',
+      settings: { clients: [{ id: '7eeb09ed-ae97-400d-a1ce-2485fb904407', email: 'n' }], decryption: 'none' },
+      streamSettings: {
+        network: 'xhttp',
+        security: 'reality',
+        realitySettings: {
+          target: 'play.google.com:443',
+          privateKey: 'priv',
+          serverNames: ['play.google.com'],
+          shortIds: ['44003d86dc1e'],
+          settings: { publicKey: 'pub', fingerprint: 'chrome', spiderX: '/' },
+        },
+        xhttpSettings: {
+          path: '/app',
+          host: 'play.google.com',
+          mode: 'stream-one',
+          xPaddingBytes: '100-1000',
+          scMaxEachPostBytes: '1000000',
+          scMinPostsIntervalMs: '30',
+          enableXmux: false,
+        },
+        sockopt: {
+          tcpWindowClamp: 0,
+          tcpMaxSeg: 0,
+          tcpUserTimeout: 0,
+          tcpFastOpen: true,
+          tcpcongestion: 'bbr',
+        },
+      },
+    } as InboundFormValues;
+
+    const payload = formValuesToWirePayload(values);
+    const stream = JSON.parse(payload.streamSettings) as Record<string, unknown>;
+    const xhttp = stream.xhttpSettings as Record<string, unknown>;
+    const sockopt = stream.sockopt as Record<string, unknown>;
+    const reality = stream.realitySettings as Record<string, unknown>;
+
+    expect(xhttp).not.toHaveProperty('scMaxEachPostBytes');
+    expect(sockopt).not.toHaveProperty('tcpWindowClamp');
+    expect(sockopt.tcpFastOpen).toBe(true);
+    const realitySettings = reality.settings as Record<string, unknown>;
+    expect(realitySettings.publicKey).toBe('pub');
+  });
+});
+
+describe('freedom outbound sockopt wire payload', () => {
+  it('preserves happyEyeballs on direct freedom outbound', () => {
+    const wire = outboundToWire({
+      protocol: 'freedom',
+      tag: 'direct',
+      settings: { domainStrategy: 'UseIP' },
+      streamSettings: {
+        sockopt: {
+          domainStrategy: 'UseIP',
+          happyEyeballs: {
+            tryDelayMs: 150,
+            prioritizeIPv6: true,
+            interleave: 1,
+            maxConcurrentTry: 4,
+          },
+        },
+      },
+    } as Parameters<typeof outboundToWire>[0]);
+
+    expect(wire.streamSettings).toMatchObject({
+      sockopt: {
+        domainStrategy: 'UseIP',
+        happyEyeballs: {
+          tryDelayMs: 150,
+          prioritizeIPv6: true,
+        },
+      },
+    });
+  });
+});
diff --git a/web/translation/en-US.json b/web/translation/en-US.json
index da0ecd4e..3790d5bb 100644
--- a/web/translation/en-US.json
+++ b/web/translation/en-US.json
@@ -560,6 +560,7 @@
         "tcpMaxSeg": "TCP Max Seg",
         "tcpUserTimeout": "TCP User Timeout",
         "tcpWindowClamp": "TCP Window Clamp",
+        "tcpWindowClampHint": "Leave 0 to use the OS default. Non-zero values cap the advertised TCP receive window; values like 600 (from the Xray docs example) can collapse throughput on high-latency links.",
         "tcpFastOpen": "TCP Fast Open",
         "multipathTcp": "Multipath TCP",
         "penetrate": "Penetrate",
@@ -598,6 +599,10 @@
         "minClientVer": "Min Client Ver",
         "maxClientVer": "Max Client Ver",
         "shortIds": "Short IDs",
+        "realityTargetHint": "Required. Must include a port (e.g. example.com:443). Without a port Xray-core refuses to start.",
+        "realityTargetRequired": "REALITY target is required",
+        "realityTargetNeedsPort": "REALITY target must include a port (e.g. example.com:443)",
+        "realityTargetInvalidPort": "REALITY target has an invalid port",
         "spiderX": "SpiderX",
         "getNewCert": "Get New Cert",
         "mldsa65Seed": "mldsa65 Seed",
@@ -1178,6 +1183,9 @@
       "TemplateDesc": "The final Xray config file will be generated based on this template.",
       "FreedomStrategy": "Freedom Protocol Strategy",
       "FreedomStrategyDesc": "Set the output strategy for the network in the Freedom Protocol.",
+      "FreedomHappyEyeballs": "Freedom Happy Eyeballs (IPv4/IPv6)",
+      "FreedomHappyEyeballsDesc": "Dual-stack dialing for the direct (freedom) outbound — useful on exit servers with both IPv4 and IPv6.",
+      "FreedomHappyEyeballsTryDelayDesc": "Milliseconds before trying the alternate address family. 150–250 ms is a good starting point.",
       "RoutingStrategy": "Overall Routing Strategy",
       "RoutingStrategyDesc": "Set the overall traffic routing strategy for resolving all requests.",
       "outboundTestUrl": "Outbound Test URL",