Merge pull request #3499 from fatedier/dev

release v0.50.0
add release notes for v0.50.0 (#3498 )
2025-07-27 15:45:39 +00:00 · 2023-06-26 17:03:56 +08:00 · 2023-06-26 16:48:14 +08:00 · 2023-06-26 00:10:27 +08:00 · 2023-06-16 00:41:06 +08:00 · 2023-06-16 00:14:19 +08:00
347 changed files with 28401 additions and 37477 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -0,0 +1,25 @@
+version: 2
+jobs:
+  go-version-latest:
+    docker:
+      - image: cimg/go:1.20-node
+    resource_class: large
+    steps:
+      - checkout
+      - run: make
+      - run: make alltest
+  go-version-last:
+    docker:
+      - image: cimg/go:1.19-node
+    resource_class: large
+    steps:
+      - checkout
+      - run: make
+      - run: make alltest
+
+workflows:
+  version: 2
+  build_and_test:
+    jobs:
+      - go-version-latest
+      - go-version-last
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -0,0 +1,3 @@
+# These are supported funding model platforms
+
+github: [fatedier]
--- a/.github/ISSUE_TEMPLATE
+++ b/.github/ISSUE_TEMPLATE
@@ -1,32 +0,0 @@
-Issue is only used for submiting bug report and documents typo. If there are same issues or answers can be found in documents, we will close it directly.
-(为了节约时间，提高处理问题的效率，不按照格式填写的 issue 将会直接关闭。)
-(请不要在 issue 评论中出现无意义的 **加1**，**我也是** 等内容，将会被直接删除。)
-(由于个人精力有限，和系统环境，网络环境等相关的求助问题请转至其他论坛或社交平台。)
-
-Use the commands below to provide key information from your environment:
-You do NOT have to include this information if this is a FEATURE REQUEST
-
-**What version of frp are you using (./frpc -v or ./frps -v)?**
-
-
-**What operating system and processor architecture are you using (`go env`)?**
-
-
-**Configures you used:**
-
-
-**Steps to reproduce the issue:**
-1.
-2.
-3.
-
-**Describe the results you received:**
-
-
-**Describe the results you expected:**
-
-
-**Additional information you deem important (e.g. issue happens only occasionally):**
-
-
-**Can you point out what caused this issue (optional)**
--- a/.github/ISSUE_TEMPLATE/bug_report.yaml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yaml
@@ -0,0 +1,77 @@
+name: Bug report
+description: Report a bug to help us improve frp
+
+body:
+- type: markdown
+  attributes:
+    value: |
+      Thanks for taking the time to fill out this bug report!
+- type: textarea
+  id: bug-description
+  attributes:
+    label: Bug Description
+    description: Tell us what issues you ran into
+    placeholder: Include information about what you tried, what you expected to happen, and what actually happened. The more details, the better!
+  validations:
+    required: true
+- type: input
+  id: frpc-version
+  attributes:
+    label: frpc Version
+    description: Include the output of `frpc -v`
+  validations:
+    required: true
+- type: input
+  id: frps-version
+  attributes:
+    label: frps Version
+    description: Include the output of `frps -v`
+  validations:
+    required: true
+- type: input
+  id: system-architecture
+  attributes:
+    label: System Architecture
+    description: Include which architecture you used, such as `linux/amd64`, `windows/amd64`
+  validations:
+    required: true
+- type: textarea
+  id: config
+  attributes:
+    label: Configurations
+    description: Include what configurrations you used and ran into this problem
+    placeholder: Pay attention to hiding the token and password in your output
+  validations:
+    required: true
+- type: textarea
+  id: log
+  attributes:
+    label: Logs
+    description: Prefer you providing releated error logs here
+    placeholder: Pay attention to hiding your personal informations
+- type: textarea
+  id: steps-to-reproduce
+  attributes:
+    label: Steps to reproduce
+    description: How to reproduce it? It's important for us to find the bug
+    value: |
+      1. 
+      2. 
+      3. 
+      ...
+- type: checkboxes
+  id: area
+  attributes:
+    label: Affected area
+    options:
+    - label: "Docs"
+    - label: "Installation"
+    - label: "Performance and Scalability"
+    - label: "Security"
+    - label: "User Experience"
+    - label: "Test and Release"
+    - label: "Developer Infrastructure"
+    - label: "Client Plugin"
+    - label: "Server Plugin"
+    - label: "Extensions"
+    - label: "Others"
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1 @@
+blank_issues_enabled: false
--- a/.github/ISSUE_TEMPLATE/feature_request.yaml
+++ b/.github/ISSUE_TEMPLATE/feature_request.yaml
@@ -0,0 +1,36 @@
+name: Feature Request
+description: Suggest an idea to improve frp
+title: "[Feature Request] "
+
+body:
+- type: markdown
+  attributes:
+    value: |
+      This is only used to request new product features.
+- type: textarea
+  id: feature-request
+  attributes:
+    label: Describe the feature request
+    description: Tell us what's you want and why it should be added in frp.
+  validations:
+    required: true
+- type: textarea
+  id: alternatives
+  attributes:
+    label: Describe alternatives you've considered
+- type: checkboxes
+  id: area
+  attributes:
+    label: Affected area
+    options:
+    - label: "Docs"
+    - label: "Installation"
+    - label: "Performance and Scalability"
+    - label: "Security"
+    - label: "User Experience"
+    - label: "Test and Release"
+    - label: "Developer Infrastructure"
+    - label: "Client Plugin"
+    - label: "Server Plugin"
+    - label: "Extensions"
+    - label: "Others"
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -0,0 +1,10 @@
+### Summary
+
+copilot:summary
+
+### WHY
+<!-- author to complete -->
+
+### Walkthrough
+
+copilot:walkthrough
--- a/.github/workflows/build-and-push-image.yml
+++ b/.github/workflows/build-and-push-image.yml
@@ -0,0 +1,83 @@
+name: Build Image and Publish to Dockerhub & GPR
+
+on:
+  release:
+    types: [ created ]
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Image tag'
+        required: true
+        default: 'test'
+permissions:
+  contents: read
+
+jobs:
+  image:
+    name: Build Image from Dockerfile and binaries
+    runs-on: ubuntu-latest
+    steps:
+      # environment
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: '0'
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      # get image tag name
+      - name: Get Image Tag Name
+        run: |
+          if [ x${{ github.event.inputs.tag }} == x"" ]; then
+            echo "TAG_NAME=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
+          else
+            echo "TAG_NAME=${{ github.event.inputs.tag }}" >> $GITHUB_ENV
+          fi
+      - name: Login to DockerHub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_PASSWORD }}
+
+      - name: Login to the GPR
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GPR_TOKEN }}
+
+      # prepare image tags
+      - name: Prepare Image Tags
+        run: |
+          echo "DOCKERFILE_FRPC_PATH=dockerfiles/Dockerfile-for-frpc" >> $GITHUB_ENV
+          echo "DOCKERFILE_FRPS_PATH=dockerfiles/Dockerfile-for-frps" >> $GITHUB_ENV
+          echo "TAG_FRPC=fatedier/frpc:${{ env.TAG_NAME }}" >> $GITHUB_ENV
+          echo "TAG_FRPS=fatedier/frps:${{ env.TAG_NAME }}" >> $GITHUB_ENV
+          echo "TAG_FRPC_GPR=ghcr.io/fatedier/frpc:${{ env.TAG_NAME }}" >> $GITHUB_ENV
+          echo "TAG_FRPS_GPR=ghcr.io/fatedier/frps:${{ env.TAG_NAME }}" >> $GITHUB_ENV
+
+      - name: Build and push frpc
+        uses: docker/build-push-action@v3
+        with:
+          context: .
+          file: ./dockerfiles/Dockerfile-for-frpc
+          platforms: linux/amd64,linux/arm/v7,linux/arm64,linux/ppc64le,linux/s390x
+          push: true
+          tags: |
+            ${{ env.TAG_FRPC }}
+            ${{ env.TAG_FRPC_GPR }}
+
+      - name: Build and push frps
+        uses: docker/build-push-action@v3
+        with:
+          context: .
+          file: ./dockerfiles/Dockerfile-for-frps
+          platforms: linux/amd64,linux/arm/v7,linux/arm64,linux/ppc64le,linux/s390x
+          push: true
+          tags: |
+            ${{ env.TAG_FRPS }}
+            ${{ env.TAG_FRPS_GPR }}
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -0,0 +1,41 @@
+name: golangci-lint
+on:
+  push:
+    branches:
+    - master
+    - dev
+  pull_request:
+permissions:
+  contents: read
+  # Optional: allow read access to pull request. Use with `only-new-issues` option.
+  pull-requests: read
+jobs:
+  golangci:
+    name: lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/setup-go@v3
+        with:
+          go-version: '1.20'
+      - uses: actions/checkout@v3
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v3
+        with:
+          # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
+          version: v1.51
+
+          # Optional: golangci-lint command line arguments.
+          # args: --issues-exit-code=0
+
+          # Optional: show only new issues if it's a pull request. The default value is `false`.
+          # only-new-issues: true
+
+          # Optional: if set to true then the all caching functionality will be complete disabled,
+          #           takes precedence over all other caching options.
+          # skip-cache: true
+
+          # Optional: if set to true then the action don't cache or restore ~/go/pkg.
+          # skip-pkg-cache: true
+
+          # Optional: if set to true then the action don't cache or restore ~/.cache/go-build.
+          # skip-build-cache: true
--- a/.github/workflows/goreleaser.yml
+++ b/.github/workflows/goreleaser.yml
@@ -0,0 +1,30 @@
+name: goreleaser
+
+on:
+  workflow_dispatch:
+
+jobs:
+  goreleaser:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: '1.20'
+          
+      - name: Make All
+        run: |
+          ./package.sh
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v3
+        with:
+          version: latest
+          args: release --rm-dist --release-notes=./Release.md
+        env:
+          GITHUB_TOKEN: ${{ secrets.GPR_TOKEN }}
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -0,0 +1,34 @@
+name: "Close stale issues"
+on:
+  schedule:
+  - cron: "20 0 * * *"
+  workflow_dispatch:
+    inputs:
+      debug-only:
+        description: 'In debug mod'
+        required: false
+        default: 'false'
+permissions:
+  contents: read
+
+jobs:
+  stale:
+    permissions:
+      issues: write  # for actions/stale to close stale issues
+      pull-requests: write  # for actions/stale to close stale PRs
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/stale@v6
+      with:
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+        stale-issue-message: 'Issues go stale after 30d of inactivity. Stale issues rot after an additional 7d of inactivity and eventually close.'
+        stale-pr-message: "PRs go stale after 30d of inactivity. Stale PRs rot after an additional 7d of inactivity and eventually close."
+        stale-issue-label: 'lifecycle/stale'
+        exempt-issue-labels: 'bug,doc,enhancement,future,proposal,question,testing,todo,easy,help wanted,assigned'
+        stale-pr-label: 'lifecycle/stale'
+        exempt-pr-labels: 'bug,doc,enhancement,future,proposal,question,testing,todo,easy,help wanted,assigned'
+        days-before-stale: 30
+        days-before-close: 7
+        debug-only: ${{ github.event.inputs.debug-only }}
+        exempt-all-pr-milestones: true
+        exempt-all-pr-assignees: true
--- a/.gitignore
+++ b/.gitignore
@@ -26,8 +26,13 @@ _testmain.go
 # Self
 bin/
 packages/
+release/
 test/bin/
 vendor/
+lastversion/
+dist/
+.idea/
+.vscode/

 # Cache
 *.swp
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -0,0 +1,144 @@
+service:
+  golangci-lint-version: 1.51.x # use the fixed version to not introduce new linters unexpectedly
+  
+run:
+  concurrency: 4
+  # timeout for analysis, e.g. 30s, 5m, default is 1m
+  deadline: 20m
+  build-tags:
+  - integ
+  - integfuzz
+  # which dirs to skip: they won't be analyzed;
+  # can use regexp here: generated.*, regexp is applied on full path;
+  # default value is empty list, but next dirs are always skipped independently
+  # from this option's value:
+  #       vendor$, third_party$, testdata$, examples$, Godeps$, builtin$
+  skip-dirs:
+    - genfiles$
+    - vendor$
+    - bin$
+
+  # which files to skip: they will be analyzed, but issues from them
+  # won't be reported. Default value is empty list, but there is
+  # no need to include all autogenerated files, we confidently recognize
+  # autogenerated files. If it's not please let us know.
+  skip-files:
+    - ".*\\.pb\\.go"
+    - ".*\\.gen\\.go"
+
+linters:
+  disable-all: true
+  enable:
+  - unused
+  - errcheck
+  - exportloopref
+  - gocritic
+  - gofumpt
+  - goimports
+  - revive
+  - gosimple
+  - govet
+  - ineffassign
+  - lll
+  - misspell
+  - staticcheck
+  - stylecheck
+  - typecheck
+  - unconvert
+  - unparam
+  - gci
+  - gosec
+  - asciicheck
+  - prealloc
+  - predeclared
+  - makezero
+  fast: false
+
+linters-settings:
+  errcheck:
+    # report about not checking of errors in type assetions: `a := b.(MyStruct)`;
+    # default is false: such cases aren't reported by default.
+    check-type-assertions: false
+
+    # report about assignment of errors to blank identifier: `num, _ := strconv.Atoi(numStr)`;
+    # default is false: such cases aren't reported by default.
+    check-blank: false
+  govet:
+    # report about shadowed variables
+    check-shadowing: false
+  maligned:
+    # print struct with more effective memory layout or not, false by default
+    suggest-new: true
+  misspell:
+    # Correct spellings using locale preferences for US or UK.
+    # Default is to use a neutral variety of English.
+    # Setting locale to US will correct the British spelling of 'colour' to 'color'.
+    locale: US
+    ignore-words:
+    - cancelled
+    - marshalled
+  lll:
+    # max line length, lines longer will be reported. Default is 120.
+    # '\t' is counted as 1 character by default, and can be changed with the tab-width option
+    line-length: 160
+    # tab width in spaces. Default to 1.
+    tab-width: 1
+  gocritic:
+    disabled-checks:
+    - exitAfterDefer
+  unused:
+    check-exported: false
+  unparam:
+    # Inspect exported functions, default is false. Set to true if no external program/library imports your code.
+    # XXX: if you enable this setting, unparam will report a lot of false-positives in text editors:
+    # if it's called for subdir of a project it can't find external interfaces. All text editor integrations
+    # with golangci-lint call it on a directory with the changed file.
+    check-exported: false
+  gci:
+    sections:
+    - standard
+    - default
+    - prefix(github.com/fatedier/frp/)
+  gosec:
+    severity: "low"
+    confidence: "low"
+    excludes:
+    - G102
+    - G112
+    - G306
+    - G401
+    - G402
+    - G404
+    - G501
+
+issues:
+  # List of regexps of issue texts to exclude, empty list by default.
+  # But independently from this option we use default exclude patterns,
+  # it can be disabled by `exclude-use-default: false`. To list all
+  # excluded by default patterns execute `golangci-lint run --help`
+  # exclude:
+  #  - composite literal uses unkeyed fields
+
+  exclude-rules:
+    # Exclude some linters from running on test files.
+    - path: _test\.go$|^tests/|^samples/
+      linters:
+        - errcheck
+        - maligned
+
+    # keep it until we only support go1.20
+    - linters:
+        - staticcheck
+      text: "SA1019: rand.Seed has been deprecated"
+
+  # Independently from option `exclude` we use default exclude patterns,
+  # it can be disabled by this option. To list all
+  # excluded by default patterns execute `golangci-lint run --help`.
+  # Default value for this option is true.
+  exclude-use-default: true
+
+  # Maximum issues count per one linter. Set to 0 to disable. Default is 50.
+  max-per-linter: 0
+
+  # Maximum count of issues with the same text. Set to 0 to disable. Default is 3.
+  max-same-issues: 0
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -0,0 +1,22 @@
+builds:
+  - skip: true
+checksum:
+  name_template: '{{ .ProjectName }}_sha256_checksums.txt'
+  algorithm: sha256
+  extra_files:
+  - glob: ./release/packages/*
+release:
+  # Same as for github
+  # Note: it can only be one: either github, gitlab or gitea
+  github:
+    owner: fatedier
+    name: frp
+
+  draft: false
+
+  # You can add extra pre-existing files to the release.
+  # The filename on the release will be the last part of the path (base). If
+  # another file with the same name exists, the latest one found will be used.
+  # Defaults to empty.
+  extra_files:
+    - glob: ./release/packages/*
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,12 +0,0 @@
-sudo: false
-language: go
-
-go:
-    - 1.12.x
-    - 1.13.x
-
-install:
-    - make
-
-script:
-    - make alltest
--- a/46
+++ b/46
@@ -1,5 +1,6 @@
 export PATH := $(GOPATH)/bin:$(PATH)
 export GO111MODULE=on
+LDFLAGS := -s -w

 all: fmt build

@@ -11,34 +12,57 @@ file:
 	rm -rf ./assets/frpc/static/*
 	cp -rf ./web/frps/dist/* ./assets/frps/static
 	cp -rf ./web/frpc/dist/* ./assets/frpc/static
-	rm -rf ./assets/frps/statik
-	rm -rf ./assets/frpc/statik
-	go generate ./assets/...

 fmt:
 	go fmt ./...

+fmt-more:
+	gofumpt -l -w .
+
+gci:
+	gci write -s standard -s default -s "prefix(github.com/fatedier/frp/)" ./
+
+vet:
+	go vet ./...
+
 frps:
-	go build -o bin/frps ./cmd/frps
+	env CGO_ENABLED=0 go build -trimpath -ldflags "$(LDFLAGS)" -o bin/frps ./cmd/frps

 frpc:
-	go build -o bin/frpc ./cmd/frpc
+	env CGO_ENABLED=0 go build -trimpath -ldflags "$(LDFLAGS)" -o bin/frpc ./cmd/frpc

 test: gotest

 gotest:
 	go test -v --cover ./assets/...
-	go test -v --cover ./client/...
 	go test -v --cover ./cmd/...
-	go test -v --cover ./models/...
+	go test -v --cover ./client/...
 	go test -v --cover ./server/...
-	go test -v --cover ./utils/...
+	go test -v --cover ./pkg/...

-ci:
-	go test -count=1 -p=1 -v ./tests/...
+e2e:
+	./hack/run-e2e.sh

-alltest: gotest ci
+e2e-trace:
+	DEBUG=true LOG_LEVEL=trace ./hack/run-e2e.sh
+
+e2e-compatibility-last-frpc:
+	if [ ! -d "./lastversion" ]; then \
+		TARGET_DIRNAME=lastversion ./hack/download.sh; \
+	fi
+	FRPC_PATH="`pwd`/lastversion/frpc" ./hack/run-e2e.sh
+	rm -r ./lastversion
+
+e2e-compatibility-last-frps:
+	if [ ! -d "./lastversion" ]; then \
+		TARGET_DIRNAME=lastversion ./hack/download.sh; \
+	fi
+	FRPS_PATH="`pwd`/lastversion/frps" ./hack/run-e2e.sh
+	rm -r ./lastversion
+
+alltest: vet gotest e2e
 	
 clean:
 	rm -f ./bin/frpc
 	rm -f ./bin/frps
+	rm -rf ./lastversion
--- a/Makefile.cross-compiles
+++ b/Makefile.cross-compiles
@@ -1,37 +1,27 @@
 export PATH := $(GOPATH)/bin:$(PATH)
+export GO111MODULE=on
 LDFLAGS := -s -w

+os-archs=darwin:amd64 darwin:arm64 freebsd:386 freebsd:amd64 linux:386 linux:amd64 linux:arm linux:arm64 windows:386 windows:amd64 windows:arm64 linux:mips64 linux:mips64le linux:mips:softfloat linux:mipsle:softfloat linux:riscv64
+
 all: build

 build: app

 app:
-	env CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o ./frpc_darwin_amd64 ./cmd/frpc
-	env CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o ./frps_darwin_amd64 ./cmd/frps
-	env CGO_ENABLED=0 GOOS=freebsd GOARCH=386 go build -ldflags "$(LDFLAGS)" -o ./frpc_freebsd_386 ./cmd/frpc
-	env CGO_ENABLED=0 GOOS=freebsd GOARCH=386 go build -ldflags "$(LDFLAGS)" -o ./frps_freebsd_386 ./cmd/frps
-	env CGO_ENABLED=0 GOOS=freebsd GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o ./frpc_freebsd_amd64 ./cmd/frpc
-	env CGO_ENABLED=0 GOOS=freebsd GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o ./frps_freebsd_amd64 ./cmd/frps
-	env CGO_ENABLED=0 GOOS=linux GOARCH=386 go build -ldflags "$(LDFLAGS)" -o ./frpc_linux_386 ./cmd/frpc
-	env CGO_ENABLED=0 GOOS=linux GOARCH=386 go build -ldflags "$(LDFLAGS)" -o ./frps_linux_386 ./cmd/frps
-	env CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o ./frpc_linux_amd64 ./cmd/frpc
-	env CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o ./frps_linux_amd64 ./cmd/frps
-	env CGO_ENABLED=0 GOOS=linux GOARCH=arm go build -ldflags "$(LDFLAGS)" -o ./frpc_linux_arm ./cmd/frpc
-	env CGO_ENABLED=0 GOOS=linux GOARCH=arm go build -ldflags "$(LDFLAGS)" -o ./frps_linux_arm ./cmd/frps
-	env CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -ldflags "$(LDFLAGS)" -o ./frpc_linux_arm64 ./cmd/frpc
-	env CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -ldflags "$(LDFLAGS)" -o ./frps_linux_arm64 ./cmd/frps
-	env CGO_ENABLED=0 GOOS=windows GOARCH=386 go build -ldflags "$(LDFLAGS)" -o ./frpc_windows_386.exe ./cmd/frpc
-	env CGO_ENABLED=0 GOOS=windows GOARCH=386 go build -ldflags "$(LDFLAGS)" -o ./frps_windows_386.exe ./cmd/frps
-	env CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o ./frpc_windows_amd64.exe ./cmd/frpc
-	env CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o ./frps_windows_amd64.exe ./cmd/frps
-	env CGO_ENABLED=0 GOOS=linux GOARCH=mips64 go build -ldflags "$(LDFLAGS)" -o ./frpc_linux_mips64 ./cmd/frpc
-	env CGO_ENABLED=0 GOOS=linux GOARCH=mips64 go build -ldflags "$(LDFLAGS)" -o ./frps_linux_mips64 ./cmd/frps
-	env CGO_ENABLED=0 GOOS=linux GOARCH=mips64le go build -ldflags "$(LDFLAGS)" -o ./frpc_linux_mips64le ./cmd/frpc
-	env CGO_ENABLED=0 GOOS=linux GOARCH=mips64le go build -ldflags "$(LDFLAGS)" -o ./frps_linux_mips64le ./cmd/frps
-	env CGO_ENABLED=0 GOOS=linux GOARCH=mips GOMIPS=softfloat go build -ldflags "$(LDFLAGS)" -o ./frpc_linux_mips ./cmd/frpc
-	env CGO_ENABLED=0 GOOS=linux GOARCH=mips GOMIPS=softfloat go build -ldflags "$(LDFLAGS)" -o ./frps_linux_mips ./cmd/frps
-	env CGO_ENABLED=0 GOOS=linux GOARCH=mipsle GOMIPS=softfloat go build -ldflags "$(LDFLAGS)" -o ./frpc_linux_mipsle ./cmd/frpc
-	env CGO_ENABLED=0 GOOS=linux GOARCH=mipsle GOMIPS=softfloat go build -ldflags "$(LDFLAGS)" -o ./frps_linux_mipsle ./cmd/frps
-
-temp:
-	env CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o ./frps_linux_amd64 ./cmd/frps
+	@$(foreach n, $(os-archs),\
+		os=$(shell echo "$(n)" | cut -d : -f 1);\
+		arch=$(shell echo "$(n)" | cut -d : -f 2);\
+		gomips=$(shell echo "$(n)" | cut -d : -f 3);\
+		target_suffix=$${os}_$${arch};\
+		echo "Build $${os}-$${arch}...";\
+		env CGO_ENABLED=0 GOOS=$${os} GOARCH=$${arch} GOMIPS=$${gomips} go build -trimpath -ldflags "$(LDFLAGS)" -o ./release/frpc_$${target_suffix} ./cmd/frpc;\
+		env CGO_ENABLED=0 GOOS=$${os} GOARCH=$${arch} GOMIPS=$${gomips} go build -trimpath -ldflags "$(LDFLAGS)" -o ./release/frps_$${target_suffix} ./cmd/frps;\
+		echo "Build $${os}-$${arch} done";\
+	)
+	@mv ./release/frpc_windows_386 ./release/frpc_windows_386.exe
+	@mv ./release/frps_windows_386 ./release/frps_windows_386.exe
+	@mv ./release/frpc_windows_amd64 ./release/frpc_windows_amd64.exe
+	@mv ./release/frps_windows_amd64 ./release/frps_windows_amd64.exe
+	@mv ./release/frpc_windows_arm64 ./release/frpc_windows_arm64.exe
+	@mv ./release/frps_windows_arm64 ./release/frps_windows_arm64.exe
--- a/README.md
+++ b/README.md
@@ -1,14 +1,24 @@
 # frp

-[![Build Status](https://travis-ci.org/fatedier/frp.svg?branch=master)](https://travis-ci.org/fatedier/frp)
+[![Build Status](https://circleci.com/gh/fatedier/frp.svg?style=shield)](https://circleci.com/gh/fatedier/frp)
+[![GitHub release](https://img.shields.io/github/tag/fatedier/frp.svg?label=release)](https://github.com/fatedier/frp/releases)

 [README](README.md) | [中文文档](README_zh.md)

+<h3 align="center">Gold Sponsors</h3>
+<!--gold sponsors start-->
+<p align="center">
+  <a href="https://workos.com/?utm_campaign=github_repo&utm_medium=referral&utm_content=frp&utm_source=github" target="_blank">
+    <img width="350px" src="https://raw.githubusercontent.com/fatedier/frp/dev/doc/pic/sponsor_workos.png">
+  </a>
+</p>
+<!--gold sponsors end-->
+
 ## What is frp?

-frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet. As of now, it supports **TCP** and **UDP**, as well as **HTTP** and **HTTPS** protocols, where requests can be forwarded to internal services by domain name.
+frp is a fast reverse proxy that allows you to expose a local server located behind a NAT or firewall to the Internet. It currently supports **TCP** and **UDP**, as well as **HTTP** and **HTTPS** protocols, enabling requests to be forwarded to internal services via domain name.

-frp also has a P2P connect mode.
+frp also offers a P2P connect mode.

 ## Table of Contents

@@ -17,17 +27,18 @@ frp also has a P2P connect mode.
 * [Development Status](#development-status)
 * [Architecture](#architecture)
 * [Example Usage](#example-usage)
-    * [Access your computer in LAN by SSH](#access-your-computer-in-lan-by-ssh)
-    * [Visit your web service in LAN by custom domains](#visit-your-web-service-in-lan-by-custom-domains)
-    * [Forward DNS query request](#forward-dns-query-request)
-    * [Forward Unix domain socket](#forward-unix-domain-socket)
+    * [Access your computer in a LAN network via SSH](#access-your-computer-in-a-lan-network-via-ssh)
+    * [Accessing Internal Web Services with Custom Domains in LAN](#accessing-internal-web-services-with-custom-domains-in-lan)
+    * [Forward DNS query requests](#forward-dns-query-requests)
+    * [Forward Unix Domain Socket](#forward-unix-domain-socket)
    * [Expose a simple HTTP file server](#expose-a-simple-http-file-server)
-    * [Enable HTTPS for local HTTP service](#enable-https-for-local-http-service)
+    * [Enable HTTPS for a local HTTP(S) service](#enable-https-for-a-local-https-service)
    * [Expose your service privately](#expose-your-service-privately)
    * [P2P Mode](#p2p-mode)
 * [Features](#features)
    * [Configuration Files](#configuration-files)
    * [Using Environment Variables](#using-environment-variables)
+    * [Split Configures Into Different Files](#split-configures-into-different-files)
    * [Dashboard](#dashboard)
    * [Admin UI](#admin-ui)
    * [Monitor](#monitor)
@@ -45,6 +56,7 @@ frp also has a P2P connect mode.
        * [For Each Proxy](#for-each-proxy)
    * [TCP Stream Multiplexing](#tcp-stream-multiplexing)
    * [Support KCP Protocol](#support-kcp-protocol)
+    * [Support QUIC Protocol](#support-quic-protocol)
    * [Connection Pooling](#connection-pooling)
    * [Load balancing](#load-balancing)
    * [Service Health Check](#service-health-check)
@@ -64,17 +76,18 @@ frp also has a P2P connect mode.
 * [Development Plan](#development-plan)
 * [Contributing](#contributing)
 * [Donation](#donation)
-    * [AliPay](#alipay)
-    * [Wechat Pay](#wechat-pay)
-    * [Paypal](#paypal)
+    * [GitHub Sponsors](#github-sponsors)
+    * [PayPal](#paypal)

 <!-- vim-markdown-toc -->

 ## Development Status

-frp is under development. Try the latest release version in the `master` branch, or use the `dev` branch for the version in development.
+frp is currently under development. You can try the latest release version in the `master` branch, or use the `dev` branch to access the version currently in development.

-**The protocol might change at a release and we don't promise backwards compatibility. Please check the release log when upgrading the client and the server.**
+We are currently working on version 2 and attempting to perform some code refactoring and improvements. However, please note that it will not be compatible with version 1.
+
+We will transition from version 0 to version 1 at the appropriate time and will only accept bug fixes and improvements, rather than big feature requests.

 ## Architecture

@@ -82,15 +95,15 @@ frp is under development. Try the latest release version in the `master` branch,

 ## Example Usage

-Firstly, download the latest programs from [Release](https://github.com/fatedier/frp/releases) page according to your operating system and architecture.
+To begin, download the latest program for your operating system and architecture from the [Release](https://github.com/fatedier/frp/releases) page.

-Put `frps` and `frps.ini` onto your server A with public IP.
+Next, place the `frps` binary and `frps.ini` configuration file on Server A, which has a public IP address.

-Put `frpc` and `frpc.ini` onto your server B in LAN (that can't be connected from public Internet).
+Finally, place the `frpc` binary and `frpc.ini` configuration file on Server B, which is located on a LAN that cannot be directly accessed from the public internet.

-### Access your computer in LAN by SSH
+### Access your computer in a LAN network via SSH

-1. Modify `frps.ini` on server A:
+1. Modify `frps.ini` on server A by setting the `bind_port` for frp clients to connect to:

  ```ini
  # frps.ini
@@ -102,7 +115,7 @@ Put `frpc` and `frpc.ini` onto your server B in LAN (that can't be connected fro

  `./frps -c ./frps.ini`

-3. On server B, modify `frpc.ini` to put in your `frps` server public IP as `server_addr` field:
+3. Modify `frpc.ini` on server B and set the `server_addr` field to the public IP address of your frps server:

  ```ini
  # frpc.ini
@@ -117,21 +130,23 @@ Put `frpc` and `frpc.ini` onto your server B in LAN (that can't be connected fro
  remote_port = 6000
  ```

+Note that the `local_port` (listened on the client) and `remote_port` (exposed on the server) are used for traffic going in and out of the frp system, while the `server_port` is used for communication between frps and frpc.
+
 4. Start `frpc` on server B:

  `./frpc -c ./frpc.ini`

-5. From another machine, SSH to server B like this (assuming that username is `test`):
+5. To access server B from another machine through server A via SSH (assuming the username is `test`), use the following command:

  `ssh -oPort=6000 test@x.x.x.x`

-### Visit your web service in LAN by custom domains
+### Accessing Internal Web Services with Custom Domains in LAN

-Sometimes we want to expose a local web service behind a NAT network to others for testing with your own domain name and unfortunately we can't resolve a domain name to a local IP.
+Sometimes we need to expose a local web service behind a NAT network to others for testing purposes with our own domain name.

-However, we can expose an HTTP(S) service using frp.
+Unfortunately, we cannot resolve a domain name to a local IP. However, we can use frp to expose an HTTP(S) service.

-1. Modify `frps.ini`, set the vhost HTTP port to 8080:
+1. Modify `frps.ini` and set the HTTP port for vhost to 8080:

  ```ini
  # frps.ini
@@ -144,7 +159,7 @@ However, we can expose an HTTP(S) service using frp.

  `./frps -c ./frps.ini`

-3. Modify `frpc.ini` and set `server_addr` to the IP address of the remote frps server. The `local_port` is the port of your web service:
+3. Modify `frpc.ini` and set `server_addr` to the IP address of the remote frps server. Specify the `local_port` of your web service:

  ```ini
  # frpc.ini
@@ -162,11 +177,11 @@ However, we can expose an HTTP(S) service using frp.

  `./frpc -c ./frpc.ini`

-5. Resolve A record of `www.example.com` to the public IP of the remote frps server or CNAME record to your origin domain.
+5. Map the A record of `www.example.com` to either the public IP of the remote frps server or a CNAME record pointing to your original domain.

-6. Now visit your local web service using url `http://www.example.com:8080`.
+6. Visit your local web service using url `http://www.example.com:8080`.

-### Forward DNS query request
+### Forward DNS query requests

 1. Modify `frps.ini`:

@@ -180,7 +195,7 @@ However, we can expose an HTTP(S) service using frp.

  `./frps -c ./frps.ini`

-3. Modify `frpc.ini` and set `server_addr` to the IP address of the remote frps server, forward DNS query request to Google Public DNS server `8.8.8.8:53`:
+3. Modify `frpc.ini` and set `server_addr` to the IP address of the remote frps server. Forward DNS query requests to the Google Public DNS server `8.8.8.8:53`:

  ```ini
  # frpc.ini
@@ -199,17 +214,17 @@ However, we can expose an HTTP(S) service using frp.

  `./frpc -c ./frpc.ini`

-5. Test DNS resolution using `dig` command:
+5. Test DNS resolution using the `dig` command:

  `dig @x.x.x.x -p 6000 www.google.com`

-### Forward Unix domain socket
+### Forward Unix Domain Socket

 Expose a Unix domain socket (e.g. the Docker daemon socket) as TCP.

-Configure `frps` same as above.
+Configure `frps` as above.

-1. Start `frpc` with configuration:
+1. Start `frpc` with the following configuration:

  ```ini
  # frpc.ini
@@ -224,17 +239,17 @@ Configure `frps` same as above.
  plugin_unix_path = /var/run/docker.sock
  ```

-2. Test: Get Docker version using `curl`:
+2. Test the configuration by getting the docker version using `curl`:

  `curl http://x.x.x.x:6000/version`

 ### Expose a simple HTTP file server

-Browser your files stored in the LAN, from public Internet.
+Expose a simple HTTP file server to access files stored in the LAN from the public Internet.

-Configure `frps` same as above.
+Configure `frps` as described above, then:

-1. Start `frpc` with configuration:
+1. Start `frpc` with the following configuration:

  ```ini
  # frpc.ini
@@ -252,11 +267,13 @@ Configure `frps` same as above.
  plugin_http_passwd = abc
  ```

-2. Visit `http://x.x.x.x:6000/static/` from your browser and specify correct user and password to view files in `/tmp/files` on the `frpc` machine.
+2. Visit `http://x.x.x.x:6000/static/` from your browser and specify correct username and password to view files in `/tmp/files` on the `frpc` machine.

-### Enable HTTPS for local HTTP service
+### Enable HTTPS for a local HTTP(S) service

-1. Start `frpc` with configuration:
+You may substitute `https2https` for the plugin, and point the `plugin_local_addr` to a HTTPS endpoint.
+
+1. Start `frpc` with the following configuration:

  ```ini
  # frpc.ini
@@ -280,7 +297,7 @@ Configure `frps` same as above.

 ### Expose your service privately

-Some services will be at risk if exposed directly to the public network. With **STCP** (secret TCP) mode, a preshared key is needed to access the service from another client.
+To mitigate risks associated with exposing certain services directly to the public network, STCP (Secret TCP) mode requires a preshared key to be used for access to the service from other clients.

 Configure `frps` same as above.

@@ -322,24 +339,19 @@ Configure `frps` same as above.

 ### P2P Mode

-**xtcp** is designed for transmitting large amounts of data directly between clients. A frps server is still needed, as P2P here only refers the actual data transmission.
+**xtcp** is designed to transmit large amounts of data directly between clients. A frps server is still needed, as P2P here only refers to the actual data transmission.

-Note it can't penetrate all types of NAT devices. You might want to fallback to **stcp** if **xtcp** doesn't work.
+Note that it may not work with all types of NAT devices. You might want to fallback to stcp if xtcp doesn't work.

-1. In `frps.ini` configure a UDP port for xtcp:
-
-  ```ini
-  # frps.ini
-  bind_udp_port = 7001
-  ```
-
-2. Start `frpc` on machine B, expose the SSH port. Note that `remote_port` field is removed:
+1. Start `frpc` on machine B, and expose the SSH port. Note that the `remote_port` field is removed:

  ```ini
  # frpc.ini
  [common]
  server_addr = x.x.x.x
  server_port = 7000
+  # set up a new stun server if the default one is not available.
+  # nat_hole_stun_server = xxx

  [p2p_ssh]
  type = xtcp
@@ -348,13 +360,15 @@ Note it can't penetrate all types of NAT devices. You might want to fallback to
  local_port = 22
  ```

-3. Start another `frpc` (typically on another machine C) with the config to connect to SSH using P2P mode:
+2. Start another `frpc` (typically on another machine C) with the configuration to connect to SSH using P2P mode:

  ```ini
  # frpc.ini
  [common]
  server_addr = x.x.x.x
  server_port = 7000
+  # set up a new stun server if the default one is not available.
+  # nat_hole_stun_server = xxx

  [p2p_ssh_visitor]
  type = xtcp
@@ -363,9 +377,11 @@ Note it can't penetrate all types of NAT devices. You might want to fallback to
  sk = abcdefg
  bind_addr = 127.0.0.1
  bind_port = 6000
+  # when automatic tunnel persistence is required, set it to true
+  keep_tunnel_open = false
  ```

-4. On machine C, connect to SSH on machine B, using this command:
+3. On machine C, connect to SSH on machine B, using this command:

  `ssh -oPort=6000 127.0.0.1`

@@ -406,6 +422,27 @@ export FRP_SSH_REMOTE_PORT="6000"

 `frpc` will render configuration file template using OS environment variables. Remember to prefix your reference with `.Envs`.

+### Split Configures Into Different Files
+
+You can split multiple proxy configs into different files and include them in the main file.
+
+```ini
+# frpc.ini
+[common]
+server_addr = x.x.x.x
+server_port = 7000
+includes=./confd/*.ini
+```
+
+```ini
+# ./confd/test.ini
+[ssh]
+type = tcp
+local_ip = 127.0.0.1
+local_port = 22
+remote_port = 6000
+```
+
 ### Dashboard

 Check frp's status and proxies' statistics information by Dashboard.
@@ -415,12 +452,27 @@ Configure a port for dashboard to enable this feature:
 ```ini
 [common]
 dashboard_port = 7500
-# dashboard's username and password are both optional，if not set, default is admin.
+# dashboard's username and password are both optional
 dashboard_user = admin
 dashboard_pwd = admin
 ```

-Then visit `http://[server_addr]:7500` to see the dashboard, with username and password both being `admin` by default.
+Then visit `http://[server_addr]:7500` to see the dashboard, with username and password both being `admin`.
+
+Additionally, you can use HTTPS port by using your domains wildcard or normal SSL certificate:
+
+```ini
+[common]
+dashboard_port = 7500
+# dashboard's username and password are both optional
+dashboard_user = admin
+dashboard_pwd = admin
+dashboard_tls_mode = true
+dashboard_tls_cert_file = server.crt
+dashboard_tls_key_file = server.key
+```
+
+Then visit `https://[server_addr]:7500` to see the dashboard in secure HTTPS connection, with username and password both being `admin`.

 ![dashboard](/doc/pic/dashboard.png)

@@ -438,7 +490,7 @@ admin_user = admin
 admin_pwd = admin
 ```

-Then visit `http://127.0.0.1:7400` to see admin UI, with username and password both being `admin` by default.
+Then visit `http://127.0.0.1:7400` to see admin UI, with username and password both being `admin`.

 ### Monitor

@@ -510,13 +562,99 @@ use_compression = true

 #### TLS

-frp supports the TLS protocol between `frpc` and `frps` since v0.25.0.
+Since v0.50.0, the default value of `tls_enable` and `disable_custom_tls_first_byte` has been changed to true, and tls is enabled by default.

-Config `tls_enable = true` in the `[common]` section to `frpc.ini` to enable this feature.
+For port multiplexing, frp sends a first byte `0x17` to dial a TLS connection. This only takes effect when you set `disable_custom_tls_first_byte` to false.

-For port multiplexing, frp sends a first byte `0x17` to dial a TLS connection.
+To **enforce** `frps` to only accept TLS connections - configure `tls_only = true` in the `[common]` section in `frps.ini`. **This is optional.**

-To enforce `frps` to only accept TLS connections - configure `tls_only = true` in the `[common]` section in `frps.ini`.
+**`frpc` TLS settings (under the `[common]` section):**
+```ini
+tls_enable = true
+tls_cert_file = certificate.crt
+tls_key_file = certificate.key
+tls_trusted_ca_file = ca.crt
+```
+
+**`frps` TLS settings (under the `[common]` section):**
+```ini
+tls_only = true
+tls_cert_file = certificate.crt
+tls_key_file = certificate.key
+tls_trusted_ca_file = ca.crt
+```
+
+You will need **a root CA cert** and **at least one SSL/TLS certificate**. It **can** be self-signed or regular (such as Let's Encrypt or another SSL/TLS certificate provider).
+
+If you using `frp` via IP address and not hostname, make sure to set the appropriate IP address in the Subject Alternative Name (SAN) area when generating SSL/TLS Certificates.
+
+Given an example:
+
+* Prepare openssl config file. It exists at `/etc/pki/tls/openssl.cnf` in Linux System and `/System/Library/OpenSSL/openssl.cnf` in MacOS, and you can copy it to current path, like `cp /etc/pki/tls/openssl.cnf ./my-openssl.cnf`. If not, you can build it by yourself, like:
+```
+cat > my-openssl.cnf << EOF
+[ ca ]
+default_ca = CA_default
+[ CA_default ]
+x509_extensions = usr_cert
+[ req ]
+default_bits        = 2048
+default_md          = sha256
+default_keyfile     = privkey.pem
+distinguished_name  = req_distinguished_name
+attributes          = req_attributes
+x509_extensions     = v3_ca
+string_mask         = utf8only
+[ req_distinguished_name ]
+[ req_attributes ]
+[ usr_cert ]
+basicConstraints       = CA:FALSE
+nsComment              = "OpenSSL Generated Certificate"
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid,issuer
+[ v3_ca ]
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints       = CA:true
+EOF
+```
+
+* build ca certificates:
+```
+openssl genrsa -out ca.key 2048
+openssl req -x509 -new -nodes -key ca.key -subj "/CN=example.ca.com" -days 5000 -out ca.crt
+```
+
+* build frps certificates:
+```
+openssl genrsa -out server.key 2048
+
+openssl req -new -sha256 -key server.key \
+    -subj "/C=XX/ST=DEFAULT/L=DEFAULT/O=DEFAULT/CN=server.com" \
+    -reqexts SAN \
+    -config <(cat my-openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:localhost,IP:127.0.0.1,DNS:example.server.com")) \
+    -out server.csr
+
+openssl x509 -req -days 365 -sha256 \
+	-in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
+	-extfile <(printf "subjectAltName=DNS:localhost,IP:127.0.0.1,DNS:example.server.com") \
+	-out server.crt
+```
+
+* build frpc certificates：
+```
+openssl genrsa -out client.key 2048
+openssl req -new -sha256 -key client.key \
+    -subj "/C=XX/ST=DEFAULT/L=DEFAULT/O=DEFAULT/CN=client.com" \
+    -reqexts SAN \
+    -config <(cat my-openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:client.com,DNS:example.client.com")) \
+    -out client.csr
+
+openssl x509 -req -days 365 -sha256 \
+    -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
+	-extfile <(printf "subjectAltName=DNS:client.com,DNS:example.client.com") \
+	-out client.crt
+```

 ### Hot-Reloading frpc configuration

@@ -529,10 +667,12 @@ admin_addr = 127.0.0.1
 admin_port = 7400
 ```

-Then run command `frpc reload -c ./frpc.ini` and wait for about 10 seconds to let `frpc` create or update or delete proxies.
+Then run command `frpc reload -c ./frpc.ini` and wait for about 10 seconds to let `frpc` create or update or remove proxies.

 **Note that parameters in [common] section won't be modified except 'start'.**

+You can run command `frpc verify -c ./frpc.ini` before reloading to check if there are config errors.
+
 ### Get proxy status from client

 Use `frpc status -c ./frpc.ini` to get status of all proxies. The `admin_addr` and `admin_port` fields are required for enabling HTTP API.
@@ -570,6 +710,8 @@ bandwidth_limit = 1MB

 Set `bandwidth_limit` in each proxy's configure to enable this feature. Supported units are `MB` and `KB`.

+Set `bandwidth_limit_mode` to `client` or `server` to limit bandwidth on the client or server side. Default is `client`.
+
 ### TCP Stream Multiplexing

 frp supports tcp stream multiplexing since v0.10.0 like HTTP2 Multiplexing, in which case all logic connections to the same frpc are multiplexed into the same TCP connection.
@@ -611,6 +753,35 @@ KCP mode uses UDP as the underlying transport. Using KCP in frp:
  protocol = kcp
  ```

+### Support QUIC Protocol
+
+QUIC is a new multiplexed transport built on top of UDP.
+
+Using QUIC in frp:
+
+1. Enable QUIC in frps:
+
+  ```ini
+  # frps.ini
+  [common]
+  bind_port = 7000
+  # Specify a UDP port for QUIC.
+  quic_bind_port = 7000
+  ```
+
+  The `quic_bind_port` number can be the same number as `bind_port`, since `bind_port` field specifies a TCP port.
+
+2. Configure `frpc.ini` to use QUIC to connect to frps:
+
+  ```ini
+  # frpc.ini
+  [common]
+  server_addr = x.x.x.x
+  # Same as the 'quic_bind_port' in frps.ini
+  server_port = 7000
+  protocol = quic
+  ```
+
 ### Connection Pooling

 By default, frps creates a new frpc connection to the backend service upon a user request. With connection pooling, frps keeps a certain number of pre-established connections, reducing the time needed to establish a connection.
@@ -637,7 +808,7 @@ This feature is suitable for a large number of short connections.

 Load balancing is supported by `group`.

-This feature is only available for types `tcp` and `http` now.
+This feature is only available for types `tcp`, `http`, `tcpmux` now.

 ```ini
 # frpc.ini
@@ -722,7 +893,7 @@ custom_domains = test.example.com
 host_header_rewrite = dev.example.com
 ```

-The HTTP request will have the the `Host` header rewritten to `Host: dev.example.com` when it reaches the actual web server, although the request from the browser probably has `Host: test.example.com`.
+The HTTP request will have the `Host` header rewritten to `Host: dev.example.com` when it reaches the actual web server, although the request from the browser probably has `Host: test.example.com`.

 ### Setting other HTTP Headers

@@ -748,7 +919,7 @@ In this example, it will set header `X-From-Where: frp` in the HTTP request.

 This feature is for http proxy only.

-You can get user's real IP from HTTP request headers `X-Forwarded-For` and `X-Real-IP`.
+You can get user's real IP from HTTP request headers `X-Forwarded-For`.

 #### Proxy Protocol

@@ -864,11 +1035,13 @@ server_port = 7000
 type = tcpmux
 multiplexer = httpconnect
 custom_domains = test1
+local_port = 80

 [proxy2]
 type = tcpmux
 multiplexer = httpconnect
 custom_domains = test2
+local_port = 8080
 ```

 In the above configuration - frps can be contacted on port 1337 with a HTTP CONNECT header such as:
@@ -911,7 +1084,7 @@ frpc will generate 8 proxies like `test_tcp_0`, `test_tcp_1`, ..., `test_tcp_7`.

 frpc only forwards requests to local TCP or UDP ports by default.

-Plugins are used for providing rich features. There are built-in plugins such as `unix_domain_socket`, `http_proxy`, `socks5`, `static_file` and you can see [example usage](#example-usage).
+Plugins are used for providing rich features. There are built-in plugins such as `unix_domain_socket`, `http_proxy`, `socks5`, `static_file`, `http2https`, `https2http`, `https2https` and you can see [example usage](#example-usage).

 Specify which plugin to use with the `plugin` parameter. Configuration parameters of plugin should be started with `plugin_`. `local_ip` and `local_port` are not used for plugin.

@@ -933,6 +1106,8 @@ plugin_http_passwd = abc

 Read the [document](/doc/server_plugin.md).

+Find more plugins in [gofrp/plugin](https://github.com/gofrp/plugin).
+
 ## Development Plan

 * Log HTTP request information in frps.
@@ -952,16 +1127,12 @@ Interested in getting involved? We would like to help you!

 If frp helps you a lot, you can support us by:

-frp QQ group: 606194980
+### GitHub Sponsors

-### AliPay
+Support us by [Github Sponsors](https://github.com/sponsors/fatedier).

-![donation-alipay](/doc/pic/donate-alipay.png)
+You can have your company's logo placed on README file of this project.

-### Wechat Pay
+### PayPal

-![donation-wechatpay](/doc/pic/donate-wechatpay.png)
-
-### Paypal
-
-Donate money by [paypal](https://www.paypal.me/fatedier) to my account **fatedier@gmail.com**.
+Donate money by [PayPal](https://www.paypal.me/fatedier) to my account **fatedier@gmail.com**.
--- a/README_zh.md
+++ b/README_zh.md
--- a/Release.md
+++ b/Release.md
@@ -0,0 +1,18 @@
+## Notes
+
+**For enhanced security, the default values for `tls_enable` and `disable_custom_tls_first_byte` have been set to true.**
+
+If you wish to revert to the previous default values, you need to manually set the values of these two parameters to false.
+
+### Features
+
+* Added support for `allow_users` in stcp, sudp, xtcp. By default, only the same user is allowed to access. Use `*` to allow access from any user. The visitor configuration now supports `server_user` to connect to proxies of other users.
+* Added fallback support to a specified alternative visitor when xtcp connection fails.
+
+### Improvements
+
+* Increased the default value of `MaxStreamWindowSize` for yamux to 6MB, improving traffic forwarding rate in high-latency scenarios.
+
+### Fixes
+
+* Fixed an issue where having proxies with the same name would cause previously working proxies to become ineffective in `xtcp`.
--- a/assets/assets.go
+++ b/assets/assets.go
@@ -14,22 +14,15 @@

 package assets

-//go:generate statik -src=./frps/static -dest=./frps
-//go:generate statik -src=./frpc/static -dest=./frpc
-//go:generate go fmt ./frps/statik/statik.go
-//go:generate go fmt ./frpc/statik/statik.go
-
 import (
-	"io/ioutil"
+	"io/fs"
 	"net/http"
-	"os"
-	"path"
-
-	"github.com/rakyll/statik/fs"
 )

 var (
-	// store static files in memory by statik
+	// read-only filesystem created by "embed" for embedded files
+	content fs.FS
+
 	FileSystem http.FileSystem

 	// if prefix is not empty, we get file content from disk
@@ -38,40 +31,18 @@ var (

 // if path is empty, load assets in memory
 // or set FileSystem using disk files
-func Load(path string) (err error) {
+func Load(path string) {
 	prefixPath = path
 	if prefixPath != "" {
 		FileSystem = http.Dir(prefixPath)
-		return nil
 	} else {
-		FileSystem, err = fs.New()
+		FileSystem = http.FS(content)
 	}
-	return err
 }

-func ReadFile(file string) (content string, err error) {
-	if prefixPath == "" {
-		file, err := FileSystem.Open(path.Join("/", file))
-		if err != nil {
-			return content, err
-		}
-		defer file.Close()
-		buf, err := ioutil.ReadAll(file)
-		if err != nil {
-			return content, err
-		}
-		content = string(buf)
-	} else {
-		file, err := os.Open(path.Join(prefixPath, file))
-		if err != nil {
-			return content, err
-		}
-		defer file.Close()
-		buf, err := ioutil.ReadAll(file)
-		if err != nil {
-			return content, err
-		}
-		content = string(buf)
+func Register(fileSystem fs.FS) {
+	subFs, err := fs.Sub(fileSystem, "static")
+	if err == nil {
+		content = subFs
 	}
-	return content, err
 }
--- a/assets/frpc/embed.go
+++ b/assets/frpc/embed.go
@@ -0,0 +1,14 @@
+package frpc
+
+import (
+	"embed"
+
+	"github.com/fatedier/frp/assets"
+)
+
+//go:embed static/*
+var content embed.FS
+
+func init() {
+	assets.Register(content)
+}
--- a/assets/frpc/static/6f0a76321d30f3c8120915e57f7bd77e.ttf
+++ b/assets/frpc/static/6f0a76321d30f3c8120915e57f7bd77e.ttf
--- a/assets/frpc/static/index-1c7ed8b0.js
+++ b/assets/frpc/static/index-1c7ed8b0.js
--- a/assets/frpc/static/index-1e2a7ce0.css
+++ b/assets/frpc/static/index-1e2a7ce0.css
--- a/assets/frpc/static/index.html
+++ b/assets/frpc/static/index.html
@@ -1 +1,16 @@
-<!doctype html> <html lang=en> <head> <meta charset=utf-8> <title>frp client admin UI</title> <link rel="shortcut icon" href="favicon.ico"></head> <body> <div id=app></div> <script type="text/javascript" src="manifest.js?d2cd6337d30c7b22e836"></script><script type="text/javascript" src="vendor.js?edb271e1d9c81f857840"></script></body> </html> 
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+    <meta charset="utf-8">
+    <title>frp client admin UI</title>
+  <script type="module" crossorigin src="./index-1c7ed8b0.js"></script>
+  <link rel="stylesheet" href="./index-1e2a7ce0.css">
+</head>
+
+<body>
+    <div id="app"></div>
+    
+</body>
+
+</html>
--- a/assets/frpc/static/manifest.js
+++ b/assets/frpc/static/manifest.js
@@ -1 +0,0 @@
-!function(e){function n(r){if(t[r])return t[r].exports;var o=t[r]={i:r,l:!1,exports:{}};return e[r].call(o.exports,o,o.exports,n),o.l=!0,o.exports}var r=window.webpackJsonp;window.webpackJsonp=function(t,c,u){for(var i,a,f,l=0,s=[];l<t.length;l++)a=t[l],o[a]&&s.push(o[a][0]),o[a]=0;for(i in c)Object.prototype.hasOwnProperty.call(c,i)&&(e[i]=c[i]);for(r&&r(t,c,u);s.length;)s.shift()();if(u)for(l=0;l<u.length;l++)f=n(n.s=u[l]);return f};var t={},o={1:0};n.e=function(e){function r(){i.onerror=i.onload=null,clearTimeout(a);var n=o[e];0!==n&&(n&&n[1](new Error("Loading chunk "+e+" failed.")),o[e]=void 0)}var t=o[e];if(0===t)return new Promise(function(e){e()});if(t)return t[2];var c=new Promise(function(n,r){t=o[e]=[n,r]});t[2]=c;var u=document.getElementsByTagName("head")[0],i=document.createElement("script");i.type="text/javascript",i.charset="utf-8",i.async=!0,i.timeout=12e4,n.nc&&i.setAttribute("nonce",n.nc),i.src=n.p+""+e+".js?"+{0:"edb271e1d9c81f857840"}[e];var a=setTimeout(r,12e4);return i.onerror=i.onload=r,u.appendChild(i),c},n.m=e,n.c=t,n.i=function(e){return e},n.d=function(e,r,t){n.o(e,r)||Object.defineProperty(e,r,{configurable:!1,enumerable:!0,get:t})},n.n=function(e){var r=e&&e.__esModule?function(){return e.default}:function(){return e};return n.d(r,"a",r),r},n.o=function(e,n){return Object.prototype.hasOwnProperty.call(e,n)},n.p="",n.oe=function(e){throw console.error(e),e}}([]);
--- a/assets/frpc/static/vendor.js
+++ b/assets/frpc/static/vendor.js
--- a/assets/frpc/statik/statik.go
+++ b/assets/frpc/statik/statik.go
--- a/assets/frps/embed.go
+++ b/assets/frps/embed.go
@@ -0,0 +1,14 @@
+package frpc
+
+import (
+	"embed"
+
+	"github.com/fatedier/frp/assets"
+)
+
+//go:embed static/*
+var content embed.FS
+
+func init() {
+	assets.Register(content)
+}
--- a/assets/frps/static/6f0a76321d30f3c8120915e57f7bd77e.ttf
+++ b/assets/frps/static/6f0a76321d30f3c8120915e57f7bd77e.ttf
--- a/assets/frps/static/index-1e0c7400.css
+++ b/assets/frps/static/index-1e0c7400.css
--- a/assets/frps/static/index-ea3edf22.js
+++ b/assets/frps/static/index-ea3edf22.js
--- a/assets/frps/static/index.html
+++ b/assets/frps/static/index.html
@@ -1 +1,16 @@
-<!DOCTYPE html> <html lang=en> <head> <meta charset=utf-8> <title>frps dashboard</title> <link rel="shortcut icon" href="favicon.ico"></head> <body> <div id=app></div> <script type="text/javascript" src="manifest.js?14bea8276eef86cc7c61"></script><script type="text/javascript" src="vendor.js?51925ec1a77936b64d61"></script></body> </html> 
+<!DOCTYPE html>
+<html lang="en" class="dark">
+
+<head>
+    <meta charset="utf-8">
+    <title>frps dashboard</title>
+  <script type="module" crossorigin src="./index-ea3edf22.js"></script>
+  <link rel="stylesheet" href="./index-1e0c7400.css">
+</head>
+
+<body>
+    <div id="app"></div>
+    
+</body>
+
+</html>
--- a/assets/frps/static/manifest.js
+++ b/assets/frps/static/manifest.js
@@ -1 +0,0 @@
-!function(e){function n(r){if(t[r])return t[r].exports;var o=t[r]={i:r,l:!1,exports:{}};return e[r].call(o.exports,o,o.exports,n),o.l=!0,o.exports}var r=window.webpackJsonp;window.webpackJsonp=function(t,c,u){for(var i,a,f,l=0,s=[];l<t.length;l++)a=t[l],o[a]&&s.push(o[a][0]),o[a]=0;for(i in c)Object.prototype.hasOwnProperty.call(c,i)&&(e[i]=c[i]);for(r&&r(t,c,u);s.length;)s.shift()();if(u)for(l=0;l<u.length;l++)f=n(n.s=u[l]);return f};var t={},o={1:0};n.e=function(e){function r(){i.onerror=i.onload=null,clearTimeout(a);var n=o[e];0!==n&&(n&&n[1](new Error("Loading chunk "+e+" failed.")),o[e]=void 0)}var t=o[e];if(0===t)return new Promise(function(e){e()});if(t)return t[2];var c=new Promise(function(n,r){t=o[e]=[n,r]});t[2]=c;var u=document.getElementsByTagName("head")[0],i=document.createElement("script");i.type="text/javascript",i.charset="utf-8",i.async=!0,i.timeout=12e4,n.nc&&i.setAttribute("nonce",n.nc),i.src=n.p+""+e+".js?"+{0:"51925ec1a77936b64d61"}[e];var a=setTimeout(r,12e4);return i.onerror=i.onload=r,u.appendChild(i),c},n.m=e,n.c=t,n.i=function(e){return e},n.d=function(e,r,t){n.o(e,r)||Object.defineProperty(e,r,{configurable:!1,enumerable:!0,get:t})},n.n=function(e){var r=e&&e.__esModule?function(){return e.default}:function(){return e};return n.d(r,"a",r),r},n.o=function(e,n){return Object.prototype.hasOwnProperty.call(e,n)},n.p="",n.oe=function(e){throw console.error(e),e}}([]);
--- a/assets/frps/static/vendor.js
+++ b/assets/frps/static/vendor.js
--- a/assets/frps/statik/statik.go
+++ b/assets/frps/statik/statik.go
--- a/client/admin.go
+++ b/client/admin.go
@@ -15,43 +15,54 @@
 package client

 import (
-	"fmt"
 	"net"
 	"net/http"
+	"net/http/pprof"
 	"time"

-	"github.com/fatedier/frp/assets"
-	frpNet "github.com/fatedier/frp/utils/net"
-
 	"github.com/gorilla/mux"
+
+	"github.com/fatedier/frp/assets"
+	utilnet "github.com/fatedier/frp/pkg/util/net"
 )

 var (
-	httpServerReadTimeout  = 10 * time.Second
-	httpServerWriteTimeout = 10 * time.Second
+	httpServerReadTimeout  = 60 * time.Second
+	httpServerWriteTimeout = 60 * time.Second
 )

-func (svr *Service) RunAdminServer(addr string, port int) (err error) {
+func (svr *Service) RunAdminServer(address string) (err error) {
 	// url router
 	router := mux.NewRouter()

-	user, passwd := svr.cfg.AdminUser, svr.cfg.AdminPwd
-	router.Use(frpNet.NewHttpAuthMiddleware(user, passwd).Middleware)
+	router.HandleFunc("/healthz", svr.healthz)

-	// api, see dashboard_api.go
-	router.HandleFunc("/api/reload", svr.apiReload).Methods("GET")
-	router.HandleFunc("/api/status", svr.apiStatus).Methods("GET")
-	router.HandleFunc("/api/config", svr.apiGetConfig).Methods("GET")
-	router.HandleFunc("/api/config", svr.apiPutConfig).Methods("PUT")
+	// debug
+	if svr.cfg.PprofEnable {
+		router.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
+		router.HandleFunc("/debug/pprof/profile", pprof.Profile)
+		router.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
+		router.HandleFunc("/debug/pprof/trace", pprof.Trace)
+		router.PathPrefix("/debug/pprof/").HandlerFunc(pprof.Index)
+	}
+
+	subRouter := router.NewRoute().Subrouter()
+	user, passwd := svr.cfg.AdminUser, svr.cfg.AdminPwd
+	subRouter.Use(utilnet.NewHTTPAuthMiddleware(user, passwd).SetAuthFailDelay(200 * time.Millisecond).Middleware)
+
+	// api, see admin_api.go
+	subRouter.HandleFunc("/api/reload", svr.apiReload).Methods("GET")
+	subRouter.HandleFunc("/api/status", svr.apiStatus).Methods("GET")
+	subRouter.HandleFunc("/api/config", svr.apiGetConfig).Methods("GET")
+	subRouter.HandleFunc("/api/config", svr.apiPutConfig).Methods("PUT")

 	// view
-	router.Handle("/favicon.ico", http.FileServer(assets.FileSystem)).Methods("GET")
-	router.PathPrefix("/static/").Handler(frpNet.MakeHttpGzipHandler(http.StripPrefix("/static/", http.FileServer(assets.FileSystem)))).Methods("GET")
-	router.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+	subRouter.Handle("/favicon.ico", http.FileServer(assets.FileSystem)).Methods("GET")
+	subRouter.PathPrefix("/static/").Handler(utilnet.MakeHTTPGzipHandler(http.StripPrefix("/static/", http.FileServer(assets.FileSystem)))).Methods("GET")
+	subRouter.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
 		http.Redirect(w, r, "/static/", http.StatusMovedPermanently)
 	})

-	address := fmt.Sprintf("%s:%d", addr, port)
 	server := &http.Server{
 		Addr:         address,
 		Handler:      router,
@@ -66,6 +77,8 @@ func (svr *Service) RunAdminServer(addr string, port int) (err error) {
 		return err
 	}

-	go server.Serve(ln)
+	go func() {
+		_ = server.Serve(ln)
+	}()
 	return
 }
--- a/client/admin_api.go
+++ b/client/admin_api.go
@@ -17,14 +17,19 @@ package client
 import (
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"io"
+	"net"
 	"net/http"
+	"os"
 	"sort"
+	"strconv"
 	"strings"

+	"github.com/samber/lo"
+
 	"github.com/fatedier/frp/client/proxy"
-	"github.com/fatedier/frp/models/config"
-	"github.com/fatedier/frp/utils/log"
+	"github.com/fatedier/frp/pkg/config"
+	"github.com/fatedier/frp/pkg/util/log"
 )

 type GeneralResponse struct {
@@ -32,37 +37,25 @@ type GeneralResponse struct {
 	Msg  string
 }

-// GET api/reload
+// /healthz
+func (svr *Service) healthz(w http.ResponseWriter, r *http.Request) {
+	w.WriteHeader(200)
+}

+// GET api/reload
 func (svr *Service) apiReload(w http.ResponseWriter, r *http.Request) {
 	res := GeneralResponse{Code: 200}

-	log.Info("Http request [/api/reload]")
+	log.Info("api request [/api/reload]")
 	defer func() {
-		log.Info("Http response [/api/reload], code [%d]", res.Code)
+		log.Info("api response [/api/reload], code [%d]", res.Code)
 		w.WriteHeader(res.Code)
 		if len(res.Msg) > 0 {
-			w.Write([]byte(res.Msg))
+			_, _ = w.Write([]byte(res.Msg))
 		}
 	}()

-	content, err := config.GetRenderedConfFromFile(svr.cfgFile)
-	if err != nil {
-		res.Code = 400
-		res.Msg = err.Error()
-		log.Warn("reload frpc config file error: %s", res.Msg)
-		return
-	}
-
-	newCommonCfg, err := config.UnmarshalClientConfFromIni(content)
-	if err != nil {
-		res.Code = 400
-		res.Msg = err.Error()
-		log.Warn("reload frpc common section error: %s", res.Msg)
-		return
-	}
-
-	pxyCfgs, visitorCfgs, err := config.LoadAllConfFromIni(svr.cfg.User, content, newCommonCfg.Start)
+	_, pxyCfgs, visitorCfgs, err := config.ParseClientConfig(svr.cfgFile)
 	if err != nil {
 		res.Code = 400
 		res.Msg = err.Error()
@@ -70,25 +63,16 @@ func (svr *Service) apiReload(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	err = svr.ReloadConf(pxyCfgs, visitorCfgs)
-	if err != nil {
+	if err = svr.ReloadConf(pxyCfgs, visitorCfgs); err != nil {
 		res.Code = 500
 		res.Msg = err.Error()
 		log.Warn("reload frpc proxy config error: %s", res.Msg)
 		return
 	}
 	log.Info("success reload conf")
-	return
 }

-type StatusResp struct {
-	Tcp   []ProxyStatusResp `json:"tcp"`
-	Udp   []ProxyStatusResp `json:"udp"`
-	Http  []ProxyStatusResp `json:"http"`
-	Https []ProxyStatusResp `json:"https"`
-	Stcp  []ProxyStatusResp `json:"stcp"`
-	Xtcp  []ProxyStatusResp `json:"xtcp"`
-}
+type StatusResp map[string][]ProxyStatusResp

 type ProxyStatusResp struct {
 	Name       string `json:"name"`
@@ -100,61 +84,24 @@ type ProxyStatusResp struct {
 	RemoteAddr string `json:"remote_addr"`
 }

-type ByProxyStatusResp []ProxyStatusResp
-
-func (a ByProxyStatusResp) Len() int           { return len(a) }
-func (a ByProxyStatusResp) Swap(i, j int)      { a[i], a[j] = a[j], a[i] }
-func (a ByProxyStatusResp) Less(i, j int) bool { return strings.Compare(a[i].Name, a[j].Name) < 0 }
-
-func NewProxyStatusResp(status *proxy.ProxyStatus, serverAddr string) ProxyStatusResp {
+func NewProxyStatusResp(status *proxy.WorkingStatus, serverAddr string) ProxyStatusResp {
 	psr := ProxyStatusResp{
 		Name:   status.Name,
 		Type:   status.Type,
-		Status: status.Status,
+		Status: status.Phase,
 		Err:    status.Err,
 	}
-	switch cfg := status.Cfg.(type) {
-	case *config.TcpProxyConf:
-		if cfg.LocalPort != 0 {
-			psr.LocalAddr = fmt.Sprintf("%s:%d", cfg.LocalIp, cfg.LocalPort)
-		}
-		psr.Plugin = cfg.Plugin
-		if status.Err != "" {
-			psr.RemoteAddr = fmt.Sprintf("%s:%d", serverAddr, cfg.RemotePort)
-		} else {
-			psr.RemoteAddr = serverAddr + status.RemoteAddr
-		}
-	case *config.UdpProxyConf:
-		if cfg.LocalPort != 0 {
-			psr.LocalAddr = fmt.Sprintf("%s:%d", cfg.LocalIp, cfg.LocalPort)
-		}
-		if status.Err != "" {
-			psr.RemoteAddr = fmt.Sprintf("%s:%d", serverAddr, cfg.RemotePort)
-		} else {
-			psr.RemoteAddr = serverAddr + status.RemoteAddr
-		}
-	case *config.HttpProxyConf:
-		if cfg.LocalPort != 0 {
-			psr.LocalAddr = fmt.Sprintf("%s:%d", cfg.LocalIp, cfg.LocalPort)
-		}
-		psr.Plugin = cfg.Plugin
+	baseCfg := status.Cfg.GetBaseConfig()
+	if baseCfg.LocalPort != 0 {
+		psr.LocalAddr = net.JoinHostPort(baseCfg.LocalIP, strconv.Itoa(baseCfg.LocalPort))
+	}
+	psr.Plugin = baseCfg.Plugin
+
+	if status.Err == "" {
 		psr.RemoteAddr = status.RemoteAddr
-	case *config.HttpsProxyConf:
-		if cfg.LocalPort != 0 {
-			psr.LocalAddr = fmt.Sprintf("%s:%d", cfg.LocalIp, cfg.LocalPort)
+		if lo.Contains([]string{"tcp", "udp"}, status.Type) {
+			psr.RemoteAddr = serverAddr + psr.RemoteAddr
 		}
-		psr.Plugin = cfg.Plugin
-		psr.RemoteAddr = status.RemoteAddr
-	case *config.StcpProxyConf:
-		if cfg.LocalPort != 0 {
-			psr.LocalAddr = fmt.Sprintf("%s:%d", cfg.LocalIp, cfg.LocalPort)
-		}
-		psr.Plugin = cfg.Plugin
-	case *config.XtcpProxyConf:
-		if cfg.LocalPort != 0 {
-			psr.LocalAddr = fmt.Sprintf("%s:%d", cfg.LocalIp, cfg.LocalPort)
-		}
-		psr.Plugin = cfg.Plugin
 	}
 	return psr
 }
@@ -163,46 +110,29 @@ func NewProxyStatusResp(status *proxy.ProxyStatus, serverAddr string) ProxyStatu
 func (svr *Service) apiStatus(w http.ResponseWriter, r *http.Request) {
 	var (
 		buf []byte
-		res StatusResp
+		res StatusResp = make(map[string][]ProxyStatusResp)
 	)
-	res.Tcp = make([]ProxyStatusResp, 0)
-	res.Udp = make([]ProxyStatusResp, 0)
-	res.Http = make([]ProxyStatusResp, 0)
-	res.Https = make([]ProxyStatusResp, 0)
-	res.Stcp = make([]ProxyStatusResp, 0)
-	res.Xtcp = make([]ProxyStatusResp, 0)

 	log.Info("Http request [/api/status]")
 	defer func() {
 		log.Info("Http response [/api/status]")
 		buf, _ = json.Marshal(&res)
-		w.Write(buf)
+		_, _ = w.Write(buf)
 	}()

 	ps := svr.ctl.pm.GetAllProxyStatus()
 	for _, status := range ps {
-		switch status.Type {
-		case "tcp":
-			res.Tcp = append(res.Tcp, NewProxyStatusResp(status, svr.cfg.ServerAddr))
-		case "udp":
-			res.Udp = append(res.Udp, NewProxyStatusResp(status, svr.cfg.ServerAddr))
-		case "http":
-			res.Http = append(res.Http, NewProxyStatusResp(status, svr.cfg.ServerAddr))
-		case "https":
-			res.Https = append(res.Https, NewProxyStatusResp(status, svr.cfg.ServerAddr))
-		case "stcp":
-			res.Stcp = append(res.Stcp, NewProxyStatusResp(status, svr.cfg.ServerAddr))
-		case "xtcp":
-			res.Xtcp = append(res.Xtcp, NewProxyStatusResp(status, svr.cfg.ServerAddr))
-		}
+		res[status.Type] = append(res[status.Type], NewProxyStatusResp(status, svr.cfg.ServerAddr))
+	}
+
+	for _, arrs := range res {
+		if len(arrs) <= 1 {
+			continue
+		}
+		sort.Slice(arrs, func(i, j int) bool {
+			return strings.Compare(arrs[i].Name, arrs[j].Name) < 0
+		})
 	}
-	sort.Sort(ByProxyStatusResp(res.Tcp))
-	sort.Sort(ByProxyStatusResp(res.Udp))
-	sort.Sort(ByProxyStatusResp(res.Http))
-	sort.Sort(ByProxyStatusResp(res.Https))
-	sort.Sort(ByProxyStatusResp(res.Stcp))
-	sort.Sort(ByProxyStatusResp(res.Xtcp))
-	return
 }

 // GET api/config
@@ -214,7 +144,7 @@ func (svr *Service) apiGetConfig(w http.ResponseWriter, r *http.Request) {
 		log.Info("Http get response [/api/config], code [%d]", res.Code)
 		w.WriteHeader(res.Code)
 		if len(res.Msg) > 0 {
-			w.Write([]byte(res.Msg))
+			_, _ = w.Write([]byte(res.Msg))
 		}
 	}()

@@ -233,7 +163,7 @@ func (svr *Service) apiGetConfig(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	rows := strings.Split(content, "\n")
+	rows := strings.Split(string(content), "\n")
 	newRows := make([]string, 0, len(rows))
 	for _, row := range rows {
 		row = strings.TrimSpace(row)
@@ -254,12 +184,12 @@ func (svr *Service) apiPutConfig(w http.ResponseWriter, r *http.Request) {
 		log.Info("Http put response [/api/config], code [%d]", res.Code)
 		w.WriteHeader(res.Code)
 		if len(res.Msg) > 0 {
-			w.Write([]byte(res.Msg))
+			_, _ = w.Write([]byte(res.Msg))
 		}
 	}()

 	// get new config content
-	body, err := ioutil.ReadAll(r.Body)
+	body, err := io.ReadAll(r.Body)
 	if err != nil {
 		res.Code = 400
 		res.Msg = fmt.Sprintf("read request body error: %v", err)
@@ -276,7 +206,7 @@ func (svr *Service) apiPutConfig(w http.ResponseWriter, r *http.Request) {

 	// get token from origin content
 	token := ""
-	b, err := ioutil.ReadFile(svr.cfgFile)
+	b, err := os.ReadFile(svr.cfgFile)
 	if err != nil {
 		res.Code = 400
 		res.Msg = err.Error()
@@ -315,7 +245,7 @@ func (svr *Service) apiPutConfig(w http.ResponseWriter, r *http.Request) {
 	}
 	content = strings.Join(newRows, "\n")

-	err = ioutil.WriteFile(svr.cfgFile, []byte(content), 0644)
+	err = os.WriteFile(svr.cfgFile, []byte(content), 0o644)
 	if err != nil {
 		res.Code = 500
 		res.Msg = fmt.Sprintf("write content to frpc config file error: %v", err)
--- a/client/control.go
+++ b/client/control.go
@@ -16,42 +16,43 @@ package client

 import (
 	"context"
-	"crypto/tls"
-	"fmt"
 	"io"
 	"net"
 	"runtime/debug"
-	"sync"
 	"time"

-	"github.com/fatedier/frp/client/proxy"
-	"github.com/fatedier/frp/models/auth"
-	"github.com/fatedier/frp/models/config"
-	"github.com/fatedier/frp/models/msg"
-	frpNet "github.com/fatedier/frp/utils/net"
-	"github.com/fatedier/frp/utils/xlog"
-
 	"github.com/fatedier/golib/control/shutdown"
 	"github.com/fatedier/golib/crypto"
-	fmux "github.com/hashicorp/yamux"
+
+	"github.com/fatedier/frp/client/proxy"
+	"github.com/fatedier/frp/client/visitor"
+	"github.com/fatedier/frp/pkg/auth"
+	"github.com/fatedier/frp/pkg/config"
+	"github.com/fatedier/frp/pkg/msg"
+	"github.com/fatedier/frp/pkg/transport"
+	"github.com/fatedier/frp/pkg/util/xlog"
 )

 type Control struct {
-	// uniq id got from frps, attach it in loginMsg
-	runId string
+	// service context
+	ctx context.Context
+	xl  *xlog.Logger
+
+	// Unique ID obtained from frps.
+	// It should be attached to the login message when reconnecting.
+	runID string

 	// manage all proxies
 	pxyCfgs map[string]config.ProxyConf
-	pm      *proxy.ProxyManager
+	pm      *proxy.Manager

 	// manage all visitors
-	vm *VisitorManager
+	vm *visitor.Manager

 	// control connection
 	conn net.Conn

-	// tcp stream multiplexing, if enabled
-	session *fmux.Session
+	cm *ConnectionManager

 	// put a message in this channel to send it over control connection to server
 	sendCh chan (msg.Message)
@@ -74,32 +75,26 @@ type Control struct {
 	writerShutdown     *shutdown.Shutdown
 	msgHandlerShutdown *shutdown.Shutdown

-	// The UDP port that the server is listening on
-	serverUDPPort int
-
-	mu sync.RWMutex
-
-	xl *xlog.Logger
-
-	// service context
-	ctx context.Context
-
 	// sets authentication based on selected method
 	authSetter auth.Setter
+
+	msgTransporter transport.MessageTransporter
 }

-func NewControl(ctx context.Context, runId string, conn net.Conn, session *fmux.Session,
+func NewControl(
+	ctx context.Context, runID string, conn net.Conn, cm *ConnectionManager,
 	clientCfg config.ClientCommonConf,
 	pxyCfgs map[string]config.ProxyConf,
 	visitorCfgs map[string]config.VisitorConf,
-	serverUDPPort int,
-	authSetter auth.Setter) *Control {
-
+	authSetter auth.Setter,
+) *Control {
 	// new xlog instance
 	ctl := &Control{
-		runId:              runId,
+		ctx:                ctx,
+		xl:                 xlog.FromContextSafe(ctx),
+		runID:              runID,
 		conn:               conn,
-		session:            session,
+		cm:                 cm,
 		pxyCfgs:            pxyCfgs,
 		sendCh:             make(chan msg.Message, 100),
 		readCh:             make(chan msg.Message, 100),
@@ -109,14 +104,12 @@ func NewControl(ctx context.Context, runId string, conn net.Conn, session *fmux.
 		readerShutdown:     shutdown.New(),
 		writerShutdown:     shutdown.New(),
 		msgHandlerShutdown: shutdown.New(),
-		serverUDPPort:      serverUDPPort,
-		xl:                 xlog.FromContextSafe(ctx),
-		ctx:                ctx,
 		authSetter:         authSetter,
 	}
-	ctl.pm = proxy.NewProxyManager(ctl.ctx, ctl.sendCh, clientCfg, serverUDPPort)
+	ctl.msgTransporter = transport.NewMessageTransporter(ctl.sendCh)
+	ctl.pm = proxy.NewManager(ctl.ctx, clientCfg, ctl.msgTransporter)

-	ctl.vm = NewVisitorManager(ctl.ctx, ctl)
+	ctl.vm = visitor.NewManager(ctl.ctx, ctl.runID, ctl.clientCfg, ctl.connectServer, ctl.msgTransporter)
 	ctl.vm.Reload(visitorCfgs)
 	return ctl
 }
@@ -129,18 +122,18 @@ func (ctl *Control) Run() {

 	// start all visitors
 	go ctl.vm.Run()
-	return
 }

 func (ctl *Control) HandleReqWorkConn(inMsg *msg.ReqWorkConn) {
 	xl := ctl.xl
 	workConn, err := ctl.connectServer()
 	if err != nil {
+		xl.Warn("start new connection to server error: %v", err)
 		return
 	}

 	m := &msg.NewWorkConn{
-		RunId: ctl.runId,
+		RunID: ctl.runID,
 	}
 	if err = ctl.authSetter.SetNewWorkConn(m); err != nil {
 		xl.Warn("error during NewWorkConn authentication: %v", err)
@@ -154,7 +147,7 @@ func (ctl *Control) HandleReqWorkConn(inMsg *msg.ReqWorkConn) {

 	var startMsg msg.StartWorkConn
 	if err = msg.ReadMsgInto(workConn, &startMsg); err != nil {
-		xl.Error("work connection closed before response StartWorkConn message: %v", err)
+		xl.Trace("work connection closed before response StartWorkConn message: %v", err)
 		workConn.Close()
 		return
 	}
@@ -180,46 +173,39 @@ func (ctl *Control) HandleNewProxyResp(inMsg *msg.NewProxyResp) {
 	}
 }

-func (ctl *Control) Close() error {
-	ctl.pm.Close()
-	ctl.conn.Close()
-	if ctl.session != nil {
-		ctl.session.Close()
+func (ctl *Control) HandleNatHoleResp(inMsg *msg.NatHoleResp) {
+	xl := ctl.xl
+
+	// Dispatch the NatHoleResp message to the related proxy.
+	ok := ctl.msgTransporter.DispatchWithType(inMsg, msg.TypeNameNatHoleResp, inMsg.TransactionID)
+	if !ok {
+		xl.Trace("dispatch NatHoleResp message to related proxy error")
 	}
+}
+
+func (ctl *Control) Close() error {
+	return ctl.GracefulClose(0)
+}
+
+func (ctl *Control) GracefulClose(d time.Duration) error {
+	ctl.pm.Close()
+	ctl.vm.Close()
+
+	time.Sleep(d)
+
+	ctl.conn.Close()
+	ctl.cm.Close()
 	return nil
 }

-// ClosedDoneCh returns a channel which will be closed after all resources are released
+// ClosedDoneCh returns a channel that will be closed after all resources are released
 func (ctl *Control) ClosedDoneCh() <-chan struct{} {
 	return ctl.closedDoneCh
 }

 // connectServer return a new connection to frps
 func (ctl *Control) connectServer() (conn net.Conn, err error) {
-	xl := ctl.xl
-	if ctl.clientCfg.TcpMux {
-		stream, errRet := ctl.session.OpenStream()
-		if errRet != nil {
-			err = errRet
-			xl.Warn("start new connection to server error: %v", err)
-			return
-		}
-		conn = stream
-	} else {
-		var tlsConfig *tls.Config
-		if ctl.clientCfg.TLSEnable {
-			tlsConfig = &tls.Config{
-				InsecureSkipVerify: true,
-			}
-		}
-		conn, err = frpNet.ConnectServerByProxyWithTLS(ctl.clientCfg.HttpProxy, ctl.clientCfg.Protocol,
-			fmt.Sprintf("%s:%d", ctl.clientCfg.ServerAddr, ctl.clientCfg.ServerPort), tlsConfig)
-		if err != nil {
-			xl.Warn("start new connection to server error: %v", err)
-			return
-		}
-	}
-	return
+	return ctl.cm.Connect()
 }

 // reader read all messages from frps and send to readCh
@@ -236,18 +222,17 @@ func (ctl *Control) reader() {

 	encReader := crypto.NewReader(ctl.conn, []byte(ctl.clientCfg.Token))
 	for {
-		if m, err := msg.ReadMsg(encReader); err != nil {
+		m, err := msg.ReadMsg(encReader)
+		if err != nil {
 			if err == io.EOF {
 				xl.Debug("read from control connection EOF")
 				return
-			} else {
-				xl.Warn("read error: %v", err)
-				ctl.conn.Close()
-				return
 			}
-		} else {
-			ctl.readCh <- m
+			xl.Warn("read error: %v", err)
+			ctl.conn.Close()
+			return
 		}
+		ctl.readCh <- m
 	}
 }

@@ -262,19 +247,20 @@ func (ctl *Control) writer() {
 		return
 	}
 	for {
-		if m, ok := <-ctl.sendCh; !ok {
+		m, ok := <-ctl.sendCh
+		if !ok {
 			xl.Info("control writer is closing")
 			return
-		} else {
-			if err := msg.WriteMsg(encWriter, m); err != nil {
-				xl.Warn("write message to control connection error: %v", err)
-				return
-			}
+		}
+
+		if err := msg.WriteMsg(encWriter, m); err != nil {
+			xl.Warn("write message to control connection error: %v", err)
+			return
 		}
 	}
 }

-// msgHandler handles all channel events and do corresponding operations.
+// msgHandler handles all channel events and performs corresponding operations.
 func (ctl *Control) msgHandler() {
 	xl := ctl.xl
 	defer func() {
@@ -285,16 +271,27 @@ func (ctl *Control) msgHandler() {
 	}()
 	defer ctl.msgHandlerShutdown.Done()

-	hbSend := time.NewTicker(time.Duration(ctl.clientCfg.HeartBeatInterval) * time.Second)
-	defer hbSend.Stop()
-	hbCheck := time.NewTicker(time.Second)
-	defer hbCheck.Stop()
+	var hbSendCh <-chan time.Time
+	// TODO(fatedier): disable heartbeat if TCPMux is enabled.
+	// Just keep it here to keep compatible with old version frps.
+	if ctl.clientCfg.HeartbeatInterval > 0 {
+		hbSend := time.NewTicker(time.Duration(ctl.clientCfg.HeartbeatInterval) * time.Second)
+		defer hbSend.Stop()
+		hbSendCh = hbSend.C
+	}
+
+	var hbCheckCh <-chan time.Time
+	// Check heartbeat timeout only if TCPMux is not enabled and users don't disable heartbeat feature.
+	if ctl.clientCfg.HeartbeatInterval > 0 && ctl.clientCfg.HeartbeatTimeout > 0 && !ctl.clientCfg.TCPMux {
+		hbCheck := time.NewTicker(time.Second)
+		defer hbCheck.Stop()
+		hbCheckCh = hbCheck.C
+	}

 	ctl.lastPong = time.Now()
-
 	for {
 		select {
-		case <-hbSend.C:
+		case <-hbSendCh:
 			// send heartbeat to server
 			xl.Debug("send heartbeat to server")
 			pingMsg := &msg.Ping{}
@@ -303,8 +300,8 @@ func (ctl *Control) msgHandler() {
 				return
 			}
 			ctl.sendCh <- pingMsg
-		case <-hbCheck.C:
-			if time.Since(ctl.lastPong) > time.Duration(ctl.clientCfg.HeartBeatTimeout)*time.Second {
+		case <-hbCheckCh:
+			if time.Since(ctl.lastPong) > time.Duration(ctl.clientCfg.HeartbeatTimeout)*time.Second {
 				xl.Warn("heartbeat timeout")
 				// let reader() stop
 				ctl.conn.Close()
@@ -320,6 +317,8 @@ func (ctl *Control) msgHandler() {
 				go ctl.HandleReqWorkConn(m)
 			case *msg.NewProxyResp:
 				ctl.HandleNewProxyResp(m)
+			case *msg.NatHoleResp:
+				ctl.HandleNatHoleResp(m)
 			case *msg.Pong:
 				if m.Error != "" {
 					xl.Error("Pong contains error: %s", m.Error)
@@ -339,25 +338,20 @@ func (ctl *Control) worker() {
 	go ctl.reader()
 	go ctl.writer()

-	select {
-	case <-ctl.closedCh:
-		// close related channels and wait until other goroutines done
-		close(ctl.readCh)
-		ctl.readerShutdown.WaitDone()
-		ctl.msgHandlerShutdown.WaitDone()
+	<-ctl.closedCh
+	// close related channels and wait until other goroutines done
+	close(ctl.readCh)
+	ctl.readerShutdown.WaitDone()
+	ctl.msgHandlerShutdown.WaitDone()

-		close(ctl.sendCh)
-		ctl.writerShutdown.WaitDone()
+	close(ctl.sendCh)
+	ctl.writerShutdown.WaitDone()

-		ctl.pm.Close()
-		ctl.vm.Close()
+	ctl.pm.Close()
+	ctl.vm.Close()

-		close(ctl.closedDoneCh)
-		if ctl.session != nil {
-			ctl.session.Close()
-		}
-		return
-	}
+	close(ctl.closedDoneCh)
+	ctl.cm.Close()
 }

 func (ctl *Control) ReloadConf(pxyCfgs map[string]config.ProxyConf, visitorCfgs map[string]config.VisitorConf) error {
--- a/client/event/event.go
+++ b/client/event/event.go
@@ -3,21 +3,12 @@ package event
 import (
 	"errors"

-	"github.com/fatedier/frp/models/msg"
+	"github.com/fatedier/frp/pkg/msg"
 )

-type EventType int
+var ErrPayloadType = errors.New("error payload type")

-const (
-	EvStartProxy EventType = iota
-	EvCloseProxy
-)
-
-var (
-	ErrPayloadType = errors.New("error payload type")
-)
-
-type EventHandler func(evType EventType, payload interface{}) error
+type Handler func(payload interface{}) error

 type StartProxyPayload struct {
 	NewProxyMsg *msg.NewProxy
--- a/client/health/health.go
+++ b/client/health/health.go
@@ -19,19 +19,16 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net"
 	"net/http"
 	"time"

-	"github.com/fatedier/frp/utils/xlog"
+	"github.com/fatedier/frp/pkg/util/xlog"
 )

-var (
-	ErrHealthCheckType = errors.New("error health check type")
-)
+var ErrHealthCheckType = errors.New("error health check type")

-type HealthCheckMonitor struct {
+type Monitor struct {
 	checkType      string
 	interval       time.Duration
 	timeout        time.Duration
@@ -52,11 +49,11 @@ type HealthCheckMonitor struct {
 	cancel context.CancelFunc
 }

-func NewHealthCheckMonitor(ctx context.Context, checkType string,
+func NewMonitor(ctx context.Context, checkType string,
 	intervalS int, timeoutS int, maxFailedTimes int,
 	addr string, url string,
-	statusNormalFn func(), statusFailedFn func()) *HealthCheckMonitor {
-
+	statusNormalFn func(), statusFailedFn func(),
+) *Monitor {
 	if intervalS <= 0 {
 		intervalS = 10
 	}
@@ -67,7 +64,7 @@ func NewHealthCheckMonitor(ctx context.Context, checkType string,
 		maxFailedTimes = 1
 	}
 	newctx, cancel := context.WithCancel(ctx)
-	return &HealthCheckMonitor{
+	return &Monitor{
 		checkType:      checkType,
 		interval:       time.Duration(intervalS) * time.Second,
 		timeout:        time.Duration(timeoutS) * time.Second,
@@ -82,15 +79,15 @@ func NewHealthCheckMonitor(ctx context.Context, checkType string,
 	}
 }

-func (monitor *HealthCheckMonitor) Start() {
+func (monitor *Monitor) Start() {
 	go monitor.checkWorker()
 }

-func (monitor *HealthCheckMonitor) Stop() {
+func (monitor *Monitor) Stop() {
 	monitor.cancel()
 }

-func (monitor *HealthCheckMonitor) checkWorker() {
+func (monitor *Monitor) checkWorker() {
 	xl := xlog.FromContextSafe(monitor.ctx)
 	for {
 		doCtx, cancel := context.WithDeadline(monitor.ctx, time.Now().Add(monitor.timeout))
@@ -126,18 +123,18 @@ func (monitor *HealthCheckMonitor) checkWorker() {
 	}
 }

-func (monitor *HealthCheckMonitor) doCheck(ctx context.Context) error {
+func (monitor *Monitor) doCheck(ctx context.Context) error {
 	switch monitor.checkType {
 	case "tcp":
-		return monitor.doTcpCheck(ctx)
+		return monitor.doTCPCheck(ctx)
 	case "http":
-		return monitor.doHttpCheck(ctx)
+		return monitor.doHTTPCheck(ctx)
 	default:
 		return ErrHealthCheckType
 	}
 }

-func (monitor *HealthCheckMonitor) doTcpCheck(ctx context.Context) error {
+func (monitor *Monitor) doTCPCheck(ctx context.Context) error {
 	// if tcp address is not specified, always return nil
 	if monitor.addr == "" {
 		return nil
@@ -152,8 +149,8 @@ func (monitor *HealthCheckMonitor) doTcpCheck(ctx context.Context) error {
 	return nil
 }

-func (monitor *HealthCheckMonitor) doHttpCheck(ctx context.Context) error {
-	req, err := http.NewRequest("GET", monitor.url, nil)
+func (monitor *Monitor) doHTTPCheck(ctx context.Context) error {
+	req, err := http.NewRequestWithContext(ctx, "GET", monitor.url, nil)
 	if err != nil {
 		return err
 	}
@@ -162,7 +159,7 @@ func (monitor *HealthCheckMonitor) doHttpCheck(ctx context.Context) error {
 		return err
 	}
 	defer resp.Body.Close()
-	io.Copy(ioutil.Discard, resp.Body)
+	_, _ = io.Copy(io.Discard, resp.Body)

 	if resp.StatusCode/100 != 2 {
 		return fmt.Errorf("do http health check, StatusCode is [%d] not 2xx", resp.StatusCode)
--- a/client/proxy/general_tcp.go
+++ b/client/proxy/general_tcp.go
@@ -0,0 +1,47 @@
+// Copyright 2023 The frp Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package proxy
+
+import (
+	"reflect"
+
+	"github.com/fatedier/frp/pkg/config"
+)
+
+func init() {
+	pxyConfs := []config.ProxyConf{
+		&config.TCPProxyConf{},
+		&config.HTTPProxyConf{},
+		&config.HTTPSProxyConf{},
+		&config.STCPProxyConf{},
+		&config.TCPMuxProxyConf{},
+	}
+	for _, cfg := range pxyConfs {
+		RegisterProxyFactory(reflect.TypeOf(cfg), NewGeneralTCPProxy)
+	}
+}
+
+// GeneralTCPProxy is a general implementation of Proxy interface for TCP protocol.
+// If the default GeneralTCPProxy cannot meet the requirements, you can customize
+// the implementation of the Proxy interface.
+type GeneralTCPProxy struct {
+	*BaseProxy
+}
+
+func NewGeneralTCPProxy(baseProxy *BaseProxy, cfg config.ProxyConf) Proxy {
+	return &GeneralTCPProxy{
+		BaseProxy: baseProxy,
+	}
+}
--- a/client/proxy/proxy.go
+++ b/client/proxy/proxy.go
@@ -17,31 +17,33 @@ package proxy
 import (
 	"bytes"
 	"context"
-	"fmt"
 	"io"
-	"io/ioutil"
 	"net"
+	"reflect"
 	"strconv"
 	"strings"
 	"sync"
 	"time"

-	"github.com/fatedier/frp/models/config"
-	"github.com/fatedier/frp/models/msg"
-	plugin "github.com/fatedier/frp/models/plugin/client"
-	"github.com/fatedier/frp/models/proto/udp"
-	"github.com/fatedier/frp/utils/limit"
-	frpNet "github.com/fatedier/frp/utils/net"
-	"github.com/fatedier/frp/utils/xlog"
-
-	"github.com/fatedier/golib/errors"
-	frpIo "github.com/fatedier/golib/io"
-	"github.com/fatedier/golib/pool"
-	fmux "github.com/hashicorp/yamux"
+	libio "github.com/fatedier/golib/io"
+	libdial "github.com/fatedier/golib/net/dial"
 	pp "github.com/pires/go-proxyproto"
 	"golang.org/x/time/rate"
+
+	"github.com/fatedier/frp/pkg/config"
+	"github.com/fatedier/frp/pkg/msg"
+	plugin "github.com/fatedier/frp/pkg/plugin/client"
+	"github.com/fatedier/frp/pkg/transport"
+	"github.com/fatedier/frp/pkg/util/limit"
+	"github.com/fatedier/frp/pkg/util/xlog"
 )

+var proxyFactoryRegistry = map[reflect.Type]func(*BaseProxy, config.ProxyConf) Proxy{}
+
+func RegisterProxyFactory(proxyConfType reflect.Type, factory func(*BaseProxy, config.ProxyConf) Proxy) {
+	proxyFactoryRegistry[proxyConfType] = factory
+}
+
 // Proxy defines how to handle work connections for different proxy type.
 type Proxy interface {
 	Run() error
@@ -52,536 +54,111 @@ type Proxy interface {
 	Close()
 }

-func NewProxy(ctx context.Context, pxyConf config.ProxyConf, clientCfg config.ClientCommonConf, serverUDPPort int) (pxy Proxy) {
+func NewProxy(
+	ctx context.Context,
+	pxyConf config.ProxyConf,
+	clientCfg config.ClientCommonConf,
+	msgTransporter transport.MessageTransporter,
+) (pxy Proxy) {
 	var limiter *rate.Limiter
-	limitBytes := pxyConf.GetBaseInfo().BandwidthLimit.Bytes()
-	if limitBytes > 0 {
+	limitBytes := pxyConf.GetBaseConfig().BandwidthLimit.Bytes()
+	if limitBytes > 0 && pxyConf.GetBaseConfig().BandwidthLimitMode == config.BandwidthLimitModeClient {
 		limiter = rate.NewLimiter(rate.Limit(float64(limitBytes)), int(limitBytes))
 	}

 	baseProxy := BaseProxy{
-		clientCfg:     clientCfg,
-		serverUDPPort: serverUDPPort,
-		limiter:       limiter,
-		xl:            xlog.FromContextSafe(ctx),
-		ctx:           ctx,
+		baseProxyConfig: pxyConf.GetBaseConfig(),
+		clientCfg:       clientCfg,
+		limiter:         limiter,
+		msgTransporter:  msgTransporter,
+		xl:              xlog.FromContextSafe(ctx),
+		ctx:             ctx,
 	}
-	switch cfg := pxyConf.(type) {
-	case *config.TcpProxyConf:
-		pxy = &TcpProxy{
-			BaseProxy: &baseProxy,
-			cfg:       cfg,
-		}
-	case *config.TcpMuxProxyConf:
-		pxy = &TcpMuxProxy{
-			BaseProxy: &baseProxy,
-			cfg:       cfg,
-		}
-	case *config.UdpProxyConf:
-		pxy = &UdpProxy{
-			BaseProxy: &baseProxy,
-			cfg:       cfg,
-		}
-	case *config.HttpProxyConf:
-		pxy = &HttpProxy{
-			BaseProxy: &baseProxy,
-			cfg:       cfg,
-		}
-	case *config.HttpsProxyConf:
-		pxy = &HttpsProxy{
-			BaseProxy: &baseProxy,
-			cfg:       cfg,
-		}
-	case *config.StcpProxyConf:
-		pxy = &StcpProxy{
-			BaseProxy: &baseProxy,
-			cfg:       cfg,
-		}
-	case *config.XtcpProxyConf:
-		pxy = &XtcpProxy{
-			BaseProxy: &baseProxy,
-			cfg:       cfg,
-		}
+
+	factory := proxyFactoryRegistry[reflect.TypeOf(pxyConf)]
+	if factory == nil {
+		return nil
 	}
-	return
+	return factory(&baseProxy, pxyConf)
 }

 type BaseProxy struct {
-	closed        bool
-	clientCfg     config.ClientCommonConf
-	serverUDPPort int
-	limiter       *rate.Limiter
+	baseProxyConfig *config.BaseProxyConf
+	clientCfg       config.ClientCommonConf
+	msgTransporter  transport.MessageTransporter
+	limiter         *rate.Limiter
+	// proxyPlugin is used to handle connections instead of dialing to local service.
+	// It's only validate for TCP protocol now.
+	proxyPlugin plugin.Plugin

 	mu  sync.RWMutex
 	xl  *xlog.Logger
 	ctx context.Context
 }

-// TCP
-type TcpProxy struct {
-	*BaseProxy
-
-	cfg         *config.TcpProxyConf
-	proxyPlugin plugin.Plugin
-}
-
-func (pxy *TcpProxy) Run() (err error) {
-	if pxy.cfg.Plugin != "" {
-		pxy.proxyPlugin, err = plugin.Create(pxy.cfg.Plugin, pxy.cfg.PluginParams)
+func (pxy *BaseProxy) Run() error {
+	if pxy.baseProxyConfig.Plugin != "" {
+		p, err := plugin.Create(pxy.baseProxyConfig.Plugin, pxy.baseProxyConfig.PluginParams)
 		if err != nil {
-			return
+			return err
 		}
+		pxy.proxyPlugin = p
 	}
-	return
-}
-
-func (pxy *TcpProxy) Close() {
-	if pxy.proxyPlugin != nil {
-		pxy.proxyPlugin.Close()
-	}
-}
-
-func (pxy *TcpProxy) InWorkConn(conn net.Conn, m *msg.StartWorkConn) {
-	HandleTcpWorkConnection(pxy.ctx, &pxy.cfg.LocalSvrConf, pxy.proxyPlugin, &pxy.cfg.BaseProxyConf, pxy.limiter,
-		conn, []byte(pxy.clientCfg.Token), m)
-}
-
-// TCP Multiplexer
-type TcpMuxProxy struct {
-	*BaseProxy
-
-	cfg         *config.TcpMuxProxyConf
-	proxyPlugin plugin.Plugin
-}
-
-func (pxy *TcpMuxProxy) Run() (err error) {
-	if pxy.cfg.Plugin != "" {
-		pxy.proxyPlugin, err = plugin.Create(pxy.cfg.Plugin, pxy.cfg.PluginParams)
-		if err != nil {
-			return
-		}
-	}
-	return
-}
-
-func (pxy *TcpMuxProxy) Close() {
-	if pxy.proxyPlugin != nil {
-		pxy.proxyPlugin.Close()
-	}
-}
-
-func (pxy *TcpMuxProxy) InWorkConn(conn net.Conn, m *msg.StartWorkConn) {
-	HandleTcpWorkConnection(pxy.ctx, &pxy.cfg.LocalSvrConf, pxy.proxyPlugin, &pxy.cfg.BaseProxyConf, pxy.limiter,
-		conn, []byte(pxy.clientCfg.Token), m)
-}
-
-// HTTP
-type HttpProxy struct {
-	*BaseProxy
-
-	cfg         *config.HttpProxyConf
-	proxyPlugin plugin.Plugin
-}
-
-func (pxy *HttpProxy) Run() (err error) {
-	if pxy.cfg.Plugin != "" {
-		pxy.proxyPlugin, err = plugin.Create(pxy.cfg.Plugin, pxy.cfg.PluginParams)
-		if err != nil {
-			return
-		}
-	}
-	return
-}
-
-func (pxy *HttpProxy) Close() {
-	if pxy.proxyPlugin != nil {
-		pxy.proxyPlugin.Close()
-	}
-}
-
-func (pxy *HttpProxy) InWorkConn(conn net.Conn, m *msg.StartWorkConn) {
-	HandleTcpWorkConnection(pxy.ctx, &pxy.cfg.LocalSvrConf, pxy.proxyPlugin, &pxy.cfg.BaseProxyConf, pxy.limiter,
-		conn, []byte(pxy.clientCfg.Token), m)
-}
-
-// HTTPS
-type HttpsProxy struct {
-	*BaseProxy
-
-	cfg         *config.HttpsProxyConf
-	proxyPlugin plugin.Plugin
-}
-
-func (pxy *HttpsProxy) Run() (err error) {
-	if pxy.cfg.Plugin != "" {
-		pxy.proxyPlugin, err = plugin.Create(pxy.cfg.Plugin, pxy.cfg.PluginParams)
-		if err != nil {
-			return
-		}
-	}
-	return
-}
-
-func (pxy *HttpsProxy) Close() {
-	if pxy.proxyPlugin != nil {
-		pxy.proxyPlugin.Close()
-	}
-}
-
-func (pxy *HttpsProxy) InWorkConn(conn net.Conn, m *msg.StartWorkConn) {
-	HandleTcpWorkConnection(pxy.ctx, &pxy.cfg.LocalSvrConf, pxy.proxyPlugin, &pxy.cfg.BaseProxyConf, pxy.limiter,
-		conn, []byte(pxy.clientCfg.Token), m)
-}
-
-// STCP
-type StcpProxy struct {
-	*BaseProxy
-
-	cfg         *config.StcpProxyConf
-	proxyPlugin plugin.Plugin
-}
-
-func (pxy *StcpProxy) Run() (err error) {
-	if pxy.cfg.Plugin != "" {
-		pxy.proxyPlugin, err = plugin.Create(pxy.cfg.Plugin, pxy.cfg.PluginParams)
-		if err != nil {
-			return
-		}
-	}
-	return
-}
-
-func (pxy *StcpProxy) Close() {
-	if pxy.proxyPlugin != nil {
-		pxy.proxyPlugin.Close()
-	}
-}
-
-func (pxy *StcpProxy) InWorkConn(conn net.Conn, m *msg.StartWorkConn) {
-	HandleTcpWorkConnection(pxy.ctx, &pxy.cfg.LocalSvrConf, pxy.proxyPlugin, &pxy.cfg.BaseProxyConf, pxy.limiter,
-		conn, []byte(pxy.clientCfg.Token), m)
-}
-
-// XTCP
-type XtcpProxy struct {
-	*BaseProxy
-
-	cfg         *config.XtcpProxyConf
-	proxyPlugin plugin.Plugin
-}
-
-func (pxy *XtcpProxy) Run() (err error) {
-	if pxy.cfg.Plugin != "" {
-		pxy.proxyPlugin, err = plugin.Create(pxy.cfg.Plugin, pxy.cfg.PluginParams)
-		if err != nil {
-			return
-		}
-	}
-	return
-}
-
-func (pxy *XtcpProxy) Close() {
-	if pxy.proxyPlugin != nil {
-		pxy.proxyPlugin.Close()
-	}
-}
-
-func (pxy *XtcpProxy) InWorkConn(conn net.Conn, m *msg.StartWorkConn) {
-	xl := pxy.xl
-	defer conn.Close()
-	var natHoleSidMsg msg.NatHoleSid
-	err := msg.ReadMsgInto(conn, &natHoleSidMsg)
-	if err != nil {
-		xl.Error("xtcp read from workConn error: %v", err)
-		return
-	}
-
-	natHoleClientMsg := &msg.NatHoleClient{
-		ProxyName: pxy.cfg.ProxyName,
-		Sid:       natHoleSidMsg.Sid,
-	}
-	raddr, _ := net.ResolveUDPAddr("udp",
-		fmt.Sprintf("%s:%d", pxy.clientCfg.ServerAddr, pxy.serverUDPPort))
-	clientConn, err := net.DialUDP("udp", nil, raddr)
-	defer clientConn.Close()
-
-	err = msg.WriteMsg(clientConn, natHoleClientMsg)
-	if err != nil {
-		xl.Error("send natHoleClientMsg to server error: %v", err)
-		return
-	}
-
-	// Wait for client address at most 5 seconds.
-	var natHoleRespMsg msg.NatHoleResp
-	clientConn.SetReadDeadline(time.Now().Add(5 * time.Second))
-
-	buf := pool.GetBuf(1024)
-	n, err := clientConn.Read(buf)
-	if err != nil {
-		xl.Error("get natHoleRespMsg error: %v", err)
-		return
-	}
-	err = msg.ReadMsgInto(bytes.NewReader(buf[:n]), &natHoleRespMsg)
-	if err != nil {
-		xl.Error("get natHoleRespMsg error: %v", err)
-		return
-	}
-	clientConn.SetReadDeadline(time.Time{})
-	clientConn.Close()
-
-	if natHoleRespMsg.Error != "" {
-		xl.Error("natHoleRespMsg get error info: %s", natHoleRespMsg.Error)
-		return
-	}
-
-	xl.Trace("get natHoleRespMsg, sid [%s], client address [%s] visitor address [%s]", natHoleRespMsg.Sid, natHoleRespMsg.ClientAddr, natHoleRespMsg.VisitorAddr)
-
-	// Send detect message
-	array := strings.Split(natHoleRespMsg.VisitorAddr, ":")
-	if len(array) <= 1 {
-		xl.Error("get NatHoleResp visitor address error: %v", natHoleRespMsg.VisitorAddr)
-	}
-	laddr, _ := net.ResolveUDPAddr("udp", clientConn.LocalAddr().String())
-	/*
-		for i := 1000; i < 65000; i++ {
-			pxy.sendDetectMsg(array[0], int64(i), laddr, "a")
-		}
-	*/
-	port, err := strconv.ParseInt(array[1], 10, 64)
-	if err != nil {
-		xl.Error("get natHoleResp visitor address error: %v", natHoleRespMsg.VisitorAddr)
-		return
-	}
-	pxy.sendDetectMsg(array[0], int(port), laddr, []byte(natHoleRespMsg.Sid))
-	xl.Trace("send all detect msg done")
-
-	msg.WriteMsg(conn, &msg.NatHoleClientDetectOK{})
-
-	// Listen for clientConn's address and wait for visitor connection
-	lConn, err := net.ListenUDP("udp", laddr)
-	if err != nil {
-		xl.Error("listen on visitorConn's local adress error: %v", err)
-		return
-	}
-	defer lConn.Close()
-
-	lConn.SetReadDeadline(time.Now().Add(8 * time.Second))
-	sidBuf := pool.GetBuf(1024)
-	var uAddr *net.UDPAddr
-	n, uAddr, err = lConn.ReadFromUDP(sidBuf)
-	if err != nil {
-		xl.Warn("get sid from visitor error: %v", err)
-		return
-	}
-	lConn.SetReadDeadline(time.Time{})
-	if string(sidBuf[:n]) != natHoleRespMsg.Sid {
-		xl.Warn("incorrect sid from visitor")
-		return
-	}
-	pool.PutBuf(sidBuf)
-	xl.Info("nat hole connection make success, sid [%s]", natHoleRespMsg.Sid)
-
-	lConn.WriteToUDP(sidBuf[:n], uAddr)
-
-	kcpConn, err := frpNet.NewKcpConnFromUdp(lConn, false, uAddr.String())
-	if err != nil {
-		xl.Error("create kcp connection from udp connection error: %v", err)
-		return
-	}
-
-	fmuxCfg := fmux.DefaultConfig()
-	fmuxCfg.KeepAliveInterval = 5 * time.Second
-	fmuxCfg.LogOutput = ioutil.Discard
-	sess, err := fmux.Server(kcpConn, fmuxCfg)
-	if err != nil {
-		xl.Error("create yamux server from kcp connection error: %v", err)
-		return
-	}
-	defer sess.Close()
-	muxConn, err := sess.Accept()
-	if err != nil {
-		xl.Error("accept for yamux connection error: %v", err)
-		return
-	}
-
-	HandleTcpWorkConnection(pxy.ctx, &pxy.cfg.LocalSvrConf, pxy.proxyPlugin, &pxy.cfg.BaseProxyConf, pxy.limiter,
-		muxConn, []byte(pxy.cfg.Sk), m)
-}
-
-func (pxy *XtcpProxy) sendDetectMsg(addr string, port int, laddr *net.UDPAddr, content []byte) (err error) {
-	daddr, err := net.ResolveUDPAddr("udp", fmt.Sprintf("%s:%d", addr, port))
-	if err != nil {
-		return err
-	}
-
-	tConn, err := net.DialUDP("udp", laddr, daddr)
-	if err != nil {
-		return err
-	}
-
-	//uConn := ipv4.NewConn(tConn)
-	//uConn.SetTTL(3)
-
-	tConn.Write(content)
-	tConn.Close()
 	return nil
 }

-// UDP
-type UdpProxy struct {
-	*BaseProxy
-
-	cfg *config.UdpProxyConf
-
-	localAddr *net.UDPAddr
-	readCh    chan *msg.UdpPacket
-
-	// include msg.UdpPacket and msg.Ping
-	sendCh   chan msg.Message
-	workConn net.Conn
-}
-
-func (pxy *UdpProxy) Run() (err error) {
-	pxy.localAddr, err = net.ResolveUDPAddr("udp", fmt.Sprintf("%s:%d", pxy.cfg.LocalIp, pxy.cfg.LocalPort))
-	if err != nil {
-		return
-	}
-	return
-}
-
-func (pxy *UdpProxy) Close() {
-	pxy.mu.Lock()
-	defer pxy.mu.Unlock()
-
-	if !pxy.closed {
-		pxy.closed = true
-		if pxy.workConn != nil {
-			pxy.workConn.Close()
-		}
-		if pxy.readCh != nil {
-			close(pxy.readCh)
-		}
-		if pxy.sendCh != nil {
-			close(pxy.sendCh)
-		}
+func (pxy *BaseProxy) Close() {
+	if pxy.proxyPlugin != nil {
+		pxy.proxyPlugin.Close()
 	}
 }

-func (pxy *UdpProxy) InWorkConn(conn net.Conn, m *msg.StartWorkConn) {
-	xl := pxy.xl
-	xl.Info("incoming a new work connection for udp proxy, %s", conn.RemoteAddr().String())
-	// close resources releated with old workConn
-	pxy.Close()
-
-	if pxy.limiter != nil {
-		rwc := frpIo.WrapReadWriteCloser(limit.NewReader(conn, pxy.limiter), limit.NewWriter(conn, pxy.limiter), func() error {
-			return conn.Close()
-		})
-		conn = frpNet.WrapReadWriteCloserToConn(rwc, conn)
-	}
-
-	pxy.mu.Lock()
-	pxy.workConn = conn
-	pxy.readCh = make(chan *msg.UdpPacket, 1024)
-	pxy.sendCh = make(chan msg.Message, 1024)
-	pxy.closed = false
-	pxy.mu.Unlock()
-
-	workConnReaderFn := func(conn net.Conn, readCh chan *msg.UdpPacket) {
-		for {
-			var udpMsg msg.UdpPacket
-			if errRet := msg.ReadMsgInto(conn, &udpMsg); errRet != nil {
-				xl.Warn("read from workConn for udp error: %v", errRet)
-				return
-			}
-			if errRet := errors.PanicToError(func() {
-				xl.Trace("get udp package from workConn: %s", udpMsg.Content)
-				readCh <- &udpMsg
-			}); errRet != nil {
-				xl.Info("reader goroutine for udp work connection closed: %v", errRet)
-				return
-			}
-		}
-	}
-	workConnSenderFn := func(conn net.Conn, sendCh chan msg.Message) {
-		defer func() {
-			xl.Info("writer goroutine for udp work connection closed")
-		}()
-		var errRet error
-		for rawMsg := range sendCh {
-			switch m := rawMsg.(type) {
-			case *msg.UdpPacket:
-				xl.Trace("send udp package to workConn: %s", m.Content)
-			case *msg.Ping:
-				xl.Trace("send ping message to udp workConn")
-			}
-			if errRet = msg.WriteMsg(conn, rawMsg); errRet != nil {
-				xl.Error("udp work write error: %v", errRet)
-				return
-			}
-		}
-	}
-	heartbeatFn := func(conn net.Conn, sendCh chan msg.Message) {
-		var errRet error
-		for {
-			time.Sleep(time.Duration(30) * time.Second)
-			if errRet = errors.PanicToError(func() {
-				sendCh <- &msg.Ping{}
-			}); errRet != nil {
-				xl.Trace("heartbeat goroutine for udp work connection closed")
-				break
-			}
-		}
-	}
-
-	go workConnSenderFn(pxy.workConn, pxy.sendCh)
-	go workConnReaderFn(pxy.workConn, pxy.readCh)
-	go heartbeatFn(pxy.workConn, pxy.sendCh)
-	udp.Forwarder(pxy.localAddr, pxy.readCh, pxy.sendCh)
+func (pxy *BaseProxy) InWorkConn(conn net.Conn, m *msg.StartWorkConn) {
+	pxy.HandleTCPWorkConnection(conn, m, []byte(pxy.clientCfg.Token))
 }

 // Common handler for tcp work connections.
-func HandleTcpWorkConnection(ctx context.Context, localInfo *config.LocalSvrConf, proxyPlugin plugin.Plugin,
-	baseInfo *config.BaseProxyConf, limiter *rate.Limiter, workConn net.Conn, encKey []byte, m *msg.StartWorkConn) {
-	xl := xlog.FromContextSafe(ctx)
+func (pxy *BaseProxy) HandleTCPWorkConnection(workConn net.Conn, m *msg.StartWorkConn, encKey []byte) {
+	xl := pxy.xl
+	baseConfig := pxy.baseProxyConfig
 	var (
 		remote io.ReadWriteCloser
 		err    error
 	)
 	remote = workConn
-	if limiter != nil {
-		remote = frpIo.WrapReadWriteCloser(limit.NewReader(workConn, limiter), limit.NewWriter(workConn, limiter), func() error {
+	if pxy.limiter != nil {
+		remote = libio.WrapReadWriteCloser(limit.NewReader(workConn, pxy.limiter), limit.NewWriter(workConn, pxy.limiter), func() error {
 			return workConn.Close()
 		})
 	}

 	xl.Trace("handle tcp work connection, use_encryption: %t, use_compression: %t",
-		baseInfo.UseEncryption, baseInfo.UseCompression)
-	if baseInfo.UseEncryption {
-		remote, err = frpIo.WithEncryption(remote, encKey)
+		baseConfig.UseEncryption, baseConfig.UseCompression)
+	if baseConfig.UseEncryption {
+		remote, err = libio.WithEncryption(remote, encKey)
 		if err != nil {
 			workConn.Close()
 			xl.Error("create encryption stream error: %v", err)
 			return
 		}
 	}
-	if baseInfo.UseCompression {
-		remote = frpIo.WithCompression(remote)
+	if baseConfig.UseCompression {
+		remote = libio.WithCompression(remote)
 	}

 	// check if we need to send proxy protocol info
 	var extraInfo []byte
-	if baseInfo.ProxyProtocolVersion != "" {
+	if baseConfig.ProxyProtocolVersion != "" {
 		if m.SrcAddr != "" && m.SrcPort != 0 {
 			if m.DstAddr == "" {
 				m.DstAddr = "127.0.0.1"
 			}
+			srcAddr, _ := net.ResolveTCPAddr("tcp", net.JoinHostPort(m.SrcAddr, strconv.Itoa(int(m.SrcPort))))
+			dstAddr, _ := net.ResolveTCPAddr("tcp", net.JoinHostPort(m.DstAddr, strconv.Itoa(int(m.DstPort))))
 			h := &pp.Header{
-				Command:            pp.PROXY,
-				SourceAddress:      net.ParseIP(m.SrcAddr),
-				SourcePort:         m.SrcPort,
-				DestinationAddress: net.ParseIP(m.DstAddr),
-				DestinationPort:    m.DstPort,
+				Command:         pp.PROXY,
+				SourceAddr:      srcAddr,
+				DestinationAddr: dstAddr,
 			}

 			if strings.Contains(m.SrcAddr, ".") {
@@ -590,40 +167,50 @@ func HandleTcpWorkConnection(ctx context.Context, localInfo *config.LocalSvrConf
 				h.TransportProtocol = pp.TCPv6
 			}

-			if baseInfo.ProxyProtocolVersion == "v1" {
+			if baseConfig.ProxyProtocolVersion == "v1" {
 				h.Version = 1
-			} else if baseInfo.ProxyProtocolVersion == "v2" {
+			} else if baseConfig.ProxyProtocolVersion == "v2" {
 				h.Version = 2
 			}

 			buf := bytes.NewBuffer(nil)
-			h.WriteTo(buf)
+			_, _ = h.WriteTo(buf)
 			extraInfo = buf.Bytes()
 		}
 	}

-	if proxyPlugin != nil {
-		// if plugin is set, let plugin handle connections first
-		xl.Debug("handle by plugin: %s", proxyPlugin.Name())
-		proxyPlugin.Handle(remote, workConn, extraInfo)
+	if pxy.proxyPlugin != nil {
+		// if plugin is set, let plugin handle connection first
+		xl.Debug("handle by plugin: %s", pxy.proxyPlugin.Name())
+		pxy.proxyPlugin.Handle(remote, workConn, extraInfo)
 		xl.Debug("handle by plugin finished")
 		return
-	} else {
-		localConn, err := frpNet.ConnectServer("tcp", fmt.Sprintf("%s:%d", localInfo.LocalIp, localInfo.LocalPort))
-		if err != nil {
+	}
+
+	localConn, err := libdial.Dial(
+		net.JoinHostPort(baseConfig.LocalIP, strconv.Itoa(baseConfig.LocalPort)),
+		libdial.WithTimeout(10*time.Second),
+	)
+	if err != nil {
+		workConn.Close()
+		xl.Error("connect to local service [%s:%d] error: %v", baseConfig.LocalIP, baseConfig.LocalPort, err)
+		return
+	}
+
+	xl.Debug("join connections, localConn(l[%s] r[%s]) workConn(l[%s] r[%s])", localConn.LocalAddr().String(),
+		localConn.RemoteAddr().String(), workConn.LocalAddr().String(), workConn.RemoteAddr().String())
+
+	if len(extraInfo) > 0 {
+		if _, err := localConn.Write(extraInfo); err != nil {
 			workConn.Close()
-			xl.Error("connect to local service [%s:%d] error: %v", localInfo.LocalIp, localInfo.LocalPort, err)
+			xl.Error("write extraInfo to local conn error: %v", err)
 			return
 		}
+	}

-		xl.Debug("join connections, localConn(l[%s] r[%s]) workConn(l[%s] r[%s])", localConn.LocalAddr().String(),
-			localConn.RemoteAddr().String(), workConn.LocalAddr().String(), workConn.RemoteAddr().String())
-
-		if len(extraInfo) > 0 {
-			localConn.Write(extraInfo)
-		}
-
-		frpIo.Join(localConn, remote)
-		xl.Debug("join connections closed")
+	_, _, errs := libio.Join(localConn, remote)
+	xl.Debug("join connections closed")
+	if len(errs) > 0 {
+		xl.Trace("join connections errors: %v", errs)
 	}
 }
--- a/client/proxy/proxy_manager.go
+++ b/client/proxy/proxy_manager.go
@@ -1,46 +1,60 @@
+// Copyright 2023 The frp Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package proxy

 import (
 	"context"
 	"fmt"
 	"net"
+	"reflect"
 	"sync"

 	"github.com/fatedier/frp/client/event"
-	"github.com/fatedier/frp/models/config"
-	"github.com/fatedier/frp/models/msg"
-	"github.com/fatedier/frp/utils/xlog"
-
-	"github.com/fatedier/golib/errors"
+	"github.com/fatedier/frp/pkg/config"
+	"github.com/fatedier/frp/pkg/msg"
+	"github.com/fatedier/frp/pkg/transport"
+	"github.com/fatedier/frp/pkg/util/xlog"
 )

-type ProxyManager struct {
-	sendCh  chan (msg.Message)
-	proxies map[string]*ProxyWrapper
+type Manager struct {
+	proxies        map[string]*Wrapper
+	msgTransporter transport.MessageTransporter

 	closed bool
 	mu     sync.RWMutex

 	clientCfg config.ClientCommonConf

-	// The UDP port that the server is listening on
-	serverUDPPort int
-
 	ctx context.Context
 }

-func NewProxyManager(ctx context.Context, msgSendCh chan (msg.Message), clientCfg config.ClientCommonConf, serverUDPPort int) *ProxyManager {
-	return &ProxyManager{
-		sendCh:        msgSendCh,
-		proxies:       make(map[string]*ProxyWrapper),
-		closed:        false,
-		clientCfg:     clientCfg,
-		serverUDPPort: serverUDPPort,
-		ctx:           ctx,
+func NewManager(
+	ctx context.Context,
+	clientCfg config.ClientCommonConf,
+	msgTransporter transport.MessageTransporter,
+) *Manager {
+	return &Manager{
+		proxies:        make(map[string]*Wrapper),
+		msgTransporter: msgTransporter,
+		closed:         false,
+		clientCfg:      clientCfg,
+		ctx:            ctx,
 	}
 }

-func (pm *ProxyManager) StartProxy(name string, remoteAddr string, serverRespErr string) error {
+func (pm *Manager) StartProxy(name string, remoteAddr string, serverRespErr string) error {
 	pm.mu.RLock()
 	pxy, ok := pm.proxies[name]
 	pm.mu.RUnlock()
@@ -55,16 +69,16 @@ func (pm *ProxyManager) StartProxy(name string, remoteAddr string, serverRespErr
 	return nil
 }

-func (pm *ProxyManager) Close() {
+func (pm *Manager) Close() {
 	pm.mu.Lock()
 	defer pm.mu.Unlock()
 	for _, pxy := range pm.proxies {
 		pxy.Stop()
 	}
-	pm.proxies = make(map[string]*ProxyWrapper)
+	pm.proxies = make(map[string]*Wrapper)
 }

-func (pm *ProxyManager) HandleWorkConn(name string, workConn net.Conn, m *msg.StartWorkConn) {
+func (pm *Manager) HandleWorkConn(name string, workConn net.Conn, m *msg.StartWorkConn) {
 	pm.mu.RLock()
 	pw, ok := pm.proxies[name]
 	pm.mu.RUnlock()
@@ -75,7 +89,7 @@ func (pm *ProxyManager) HandleWorkConn(name string, workConn net.Conn, m *msg.St
 	}
 }

-func (pm *ProxyManager) HandleEvent(evType event.EventType, payload interface{}) error {
+func (pm *Manager) HandleEvent(payload interface{}) error {
 	var m msg.Message
 	switch e := payload.(type) {
 	case *event.StartProxyPayload:
@@ -86,14 +100,11 @@ func (pm *ProxyManager) HandleEvent(evType event.EventType, payload interface{})
 		return event.ErrPayloadType
 	}

-	err := errors.PanicToError(func() {
-		pm.sendCh <- m
-	})
-	return err
+	return pm.msgTransporter.Send(m)
 }

-func (pm *ProxyManager) GetAllProxyStatus() []*ProxyStatus {
-	ps := make([]*ProxyStatus, 0)
+func (pm *Manager) GetAllProxyStatus() []*WorkingStatus {
+	ps := make([]*WorkingStatus, 0)
 	pm.mu.RLock()
 	defer pm.mu.RUnlock()
 	for _, pxy := range pm.proxies {
@@ -102,7 +113,7 @@ func (pm *ProxyManager) GetAllProxyStatus() []*ProxyStatus {
 	return ps
 }

-func (pm *ProxyManager) Reload(pxyCfgs map[string]config.ProxyConf) {
+func (pm *Manager) Reload(pxyCfgs map[string]config.ProxyConf) {
 	xl := xlog.FromContextSafe(pm.ctx)
 	pm.mu.Lock()
 	defer pm.mu.Unlock()
@@ -111,29 +122,24 @@ func (pm *ProxyManager) Reload(pxyCfgs map[string]config.ProxyConf) {
 	for name, pxy := range pm.proxies {
 		del := false
 		cfg, ok := pxyCfgs[name]
-		if !ok {
+		if !ok || !reflect.DeepEqual(pxy.Cfg, cfg) {
 			del = true
-		} else {
-			if !pxy.Cfg.Compare(cfg) {
-				del = true
-			}
 		}

 		if del {
 			delPxyNames = append(delPxyNames, name)
 			delete(pm.proxies, name)
-
 			pxy.Stop()
 		}
 	}
 	if len(delPxyNames) > 0 {
-		xl.Info("proxy removed: %v", delPxyNames)
+		xl.Info("proxy removed: %s", delPxyNames)
 	}

 	addPxyNames := make([]string, 0)
 	for name, cfg := range pxyCfgs {
 		if _, ok := pm.proxies[name]; !ok {
-			pxy := NewProxyWrapper(pm.ctx, cfg, pm.clientCfg, pm.HandleEvent, pm.serverUDPPort)
+			pxy := NewWrapper(pm.ctx, cfg, pm.clientCfg, pm.HandleEvent, pm.msgTransporter)
 			pm.proxies[name] = pxy
 			addPxyNames = append(addPxyNames, name)

@@ -141,6 +147,6 @@ func (pm *ProxyManager) Reload(pxyCfgs map[string]config.ProxyConf) {
 		}
 	}
 	if len(addPxyNames) > 0 {
-		xl.Info("proxy added: %v", addPxyNames)
+		xl.Info("proxy added: %s", addPxyNames)
 	}
 }
--- a/client/proxy/proxy_wrapper.go
+++ b/client/proxy/proxy_wrapper.go
@@ -1,3 +1,17 @@
+// Copyright 2023 The frp Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package proxy

 import (
@@ -8,53 +22,56 @@ import (
 	"sync/atomic"
 	"time"

+	"github.com/fatedier/golib/errors"
+
 	"github.com/fatedier/frp/client/event"
 	"github.com/fatedier/frp/client/health"
-	"github.com/fatedier/frp/models/config"
-	"github.com/fatedier/frp/models/msg"
-	"github.com/fatedier/frp/utils/xlog"
-
-	"github.com/fatedier/golib/errors"
+	"github.com/fatedier/frp/pkg/config"
+	"github.com/fatedier/frp/pkg/msg"
+	"github.com/fatedier/frp/pkg/transport"
+	"github.com/fatedier/frp/pkg/util/xlog"
 )

 const (
-	ProxyStatusNew         = "new"
-	ProxyStatusWaitStart   = "wait start"
-	ProxyStatusStartErr    = "start error"
-	ProxyStatusRunning     = "running"
-	ProxyStatusCheckFailed = "check failed"
-	ProxyStatusClosed      = "closed"
+	ProxyPhaseNew         = "new"
+	ProxyPhaseWaitStart   = "wait start"
+	ProxyPhaseStartErr    = "start error"
+	ProxyPhaseRunning     = "running"
+	ProxyPhaseCheckFailed = "check failed"
+	ProxyPhaseClosed      = "closed"
 )

 var (
-	statusCheckInterval time.Duration = 3 * time.Second
-	waitResponseTimeout               = 20 * time.Second
-	startErrTimeout                   = 30 * time.Second
+	statusCheckInterval = 3 * time.Second
+	waitResponseTimeout = 20 * time.Second
+	startErrTimeout     = 30 * time.Second
 )

-type ProxyStatus struct {
-	Name   string           `json:"name"`
-	Type   string           `json:"type"`
-	Status string           `json:"status"`
-	Err    string           `json:"err"`
-	Cfg    config.ProxyConf `json:"cfg"`
+type WorkingStatus struct {
+	Name  string           `json:"name"`
+	Type  string           `json:"type"`
+	Phase string           `json:"status"`
+	Err   string           `json:"err"`
+	Cfg   config.ProxyConf `json:"cfg"`

 	// Got from server.
 	RemoteAddr string `json:"remote_addr"`
 }

-type ProxyWrapper struct {
-	ProxyStatus
+type Wrapper struct {
+	WorkingStatus

 	// underlying proxy
 	pxy Proxy

 	// if ProxyConf has healcheck config
 	// monitor will watch if it is alive
-	monitor *health.HealthCheckMonitor
+	monitor *health.Monitor

 	// event handler
-	handler event.EventHandler
+	handler event.Handler
+
+	msgTransporter transport.MessageTransporter

 	health           uint32
 	lastSendStartMsg time.Time
@@ -67,45 +84,52 @@ type ProxyWrapper struct {
 	ctx context.Context
 }

-func NewProxyWrapper(ctx context.Context, cfg config.ProxyConf, clientCfg config.ClientCommonConf, eventHandler event.EventHandler, serverUDPPort int) *ProxyWrapper {
-	baseInfo := cfg.GetBaseInfo()
+func NewWrapper(
+	ctx context.Context,
+	cfg config.ProxyConf,
+	clientCfg config.ClientCommonConf,
+	eventHandler event.Handler,
+	msgTransporter transport.MessageTransporter,
+) *Wrapper {
+	baseInfo := cfg.GetBaseConfig()
 	xl := xlog.FromContextSafe(ctx).Spawn().AppendPrefix(baseInfo.ProxyName)
-	pw := &ProxyWrapper{
-		ProxyStatus: ProxyStatus{
-			Name:   baseInfo.ProxyName,
-			Type:   baseInfo.ProxyType,
-			Status: ProxyStatusNew,
-			Cfg:    cfg,
+	pw := &Wrapper{
+		WorkingStatus: WorkingStatus{
+			Name:  baseInfo.ProxyName,
+			Type:  baseInfo.ProxyType,
+			Phase: ProxyPhaseNew,
+			Cfg:   cfg,
 		},
 		closeCh:        make(chan struct{}),
 		healthNotifyCh: make(chan struct{}),
 		handler:        eventHandler,
+		msgTransporter: msgTransporter,
 		xl:             xl,
 		ctx:            xlog.NewContext(ctx, xl),
 	}

 	if baseInfo.HealthCheckType != "" {
 		pw.health = 1 // means failed
-		pw.monitor = health.NewHealthCheckMonitor(pw.ctx, baseInfo.HealthCheckType, baseInfo.HealthCheckIntervalS,
+		pw.monitor = health.NewMonitor(pw.ctx, baseInfo.HealthCheckType, baseInfo.HealthCheckIntervalS,
 			baseInfo.HealthCheckTimeoutS, baseInfo.HealthCheckMaxFailed, baseInfo.HealthCheckAddr,
-			baseInfo.HealthCheckUrl, pw.statusNormalCallback, pw.statusFailedCallback)
+			baseInfo.HealthCheckURL, pw.statusNormalCallback, pw.statusFailedCallback)
 		xl.Trace("enable health check monitor")
 	}

-	pw.pxy = NewProxy(pw.ctx, pw.Cfg, clientCfg, serverUDPPort)
+	pw.pxy = NewProxy(pw.ctx, pw.Cfg, clientCfg, pw.msgTransporter)
 	return pw
 }

-func (pw *ProxyWrapper) SetRunningStatus(remoteAddr string, respErr string) error {
+func (pw *Wrapper) SetRunningStatus(remoteAddr string, respErr string) error {
 	pw.mu.Lock()
 	defer pw.mu.Unlock()
-	if pw.Status != ProxyStatusWaitStart {
+	if pw.Phase != ProxyPhaseWaitStart {
 		return fmt.Errorf("status not wait start, ignore start message")
 	}

 	pw.RemoteAddr = remoteAddr
 	if respErr != "" {
-		pw.Status = ProxyStatusStartErr
+		pw.Phase = ProxyPhaseStartErr
 		pw.Err = respErr
 		pw.lastStartErr = time.Now()
 		return fmt.Errorf(pw.Err)
@@ -113,25 +137,25 @@ func (pw *ProxyWrapper) SetRunningStatus(remoteAddr string, respErr string) erro

 	if err := pw.pxy.Run(); err != nil {
 		pw.close()
-		pw.Status = ProxyStatusStartErr
+		pw.Phase = ProxyPhaseStartErr
 		pw.Err = err.Error()
 		pw.lastStartErr = time.Now()
 		return err
 	}

-	pw.Status = ProxyStatusRunning
+	pw.Phase = ProxyPhaseRunning
 	pw.Err = ""
 	return nil
 }

-func (pw *ProxyWrapper) Start() {
+func (pw *Wrapper) Start() {
 	go pw.checkWorker()
 	if pw.monitor != nil {
 		go pw.monitor.Start()
 	}
 }

-func (pw *ProxyWrapper) Stop() {
+func (pw *Wrapper) Stop() {
 	pw.mu.Lock()
 	defer pw.mu.Unlock()
 	close(pw.closeCh)
@@ -140,19 +164,19 @@ func (pw *ProxyWrapper) Stop() {
 	if pw.monitor != nil {
 		pw.monitor.Stop()
 	}
-	pw.Status = ProxyStatusClosed
+	pw.Phase = ProxyPhaseClosed
 	pw.close()
 }

-func (pw *ProxyWrapper) close() {
-	pw.handler(event.EvCloseProxy, &event.CloseProxyPayload{
+func (pw *Wrapper) close() {
+	_ = pw.handler(&event.CloseProxyPayload{
 		CloseProxyMsg: &msg.CloseProxy{
 			ProxyName: pw.Name,
 		},
 	})
 }

-func (pw *ProxyWrapper) checkWorker() {
+func (pw *Wrapper) checkWorker() {
 	xl := pw.xl
 	if pw.monitor != nil {
 		// let monitor do check request first
@@ -163,28 +187,28 @@ func (pw *ProxyWrapper) checkWorker() {
 		now := time.Now()
 		if atomic.LoadUint32(&pw.health) == 0 {
 			pw.mu.Lock()
-			if pw.Status == ProxyStatusNew ||
-				pw.Status == ProxyStatusCheckFailed ||
-				(pw.Status == ProxyStatusWaitStart && now.After(pw.lastSendStartMsg.Add(waitResponseTimeout))) ||
-				(pw.Status == ProxyStatusStartErr && now.After(pw.lastStartErr.Add(startErrTimeout))) {
+			if pw.Phase == ProxyPhaseNew ||
+				pw.Phase == ProxyPhaseCheckFailed ||
+				(pw.Phase == ProxyPhaseWaitStart && now.After(pw.lastSendStartMsg.Add(waitResponseTimeout))) ||
+				(pw.Phase == ProxyPhaseStartErr && now.After(pw.lastStartErr.Add(startErrTimeout))) {

-				xl.Trace("change status from [%s] to [%s]", pw.Status, ProxyStatusWaitStart)
-				pw.Status = ProxyStatusWaitStart
+				xl.Trace("change status from [%s] to [%s]", pw.Phase, ProxyPhaseWaitStart)
+				pw.Phase = ProxyPhaseWaitStart

 				var newProxyMsg msg.NewProxy
 				pw.Cfg.MarshalToMsg(&newProxyMsg)
 				pw.lastSendStartMsg = now
-				pw.handler(event.EvStartProxy, &event.StartProxyPayload{
+				_ = pw.handler(&event.StartProxyPayload{
 					NewProxyMsg: &newProxyMsg,
 				})
 			}
 			pw.mu.Unlock()
 		} else {
 			pw.mu.Lock()
-			if pw.Status == ProxyStatusRunning || pw.Status == ProxyStatusWaitStart {
+			if pw.Phase == ProxyPhaseRunning || pw.Phase == ProxyPhaseWaitStart {
 				pw.close()
-				xl.Trace("change status from [%s] to [%s]", pw.Status, ProxyStatusCheckFailed)
-				pw.Status = ProxyStatusCheckFailed
+				xl.Trace("change status from [%s] to [%s]", pw.Phase, ProxyPhaseCheckFailed)
+				pw.Phase = ProxyPhaseCheckFailed
 			}
 			pw.mu.Unlock()
 		}
@@ -198,10 +222,10 @@ func (pw *ProxyWrapper) checkWorker() {
 	}
 }

-func (pw *ProxyWrapper) statusNormalCallback() {
+func (pw *Wrapper) statusNormalCallback() {
 	xl := pw.xl
 	atomic.StoreUint32(&pw.health, 0)
-	errors.PanicToError(func() {
+	_ = errors.PanicToError(func() {
 		select {
 		case pw.healthNotifyCh <- struct{}{}:
 		default:
@@ -210,10 +234,10 @@ func (pw *ProxyWrapper) statusNormalCallback() {
 	xl.Info("health check success")
 }

-func (pw *ProxyWrapper) statusFailedCallback() {
+func (pw *Wrapper) statusFailedCallback() {
 	xl := pw.xl
 	atomic.StoreUint32(&pw.health, 1)
-	errors.PanicToError(func() {
+	_ = errors.PanicToError(func() {
 		select {
 		case pw.healthNotifyCh <- struct{}{}:
 		default:
@@ -222,12 +246,12 @@ func (pw *ProxyWrapper) statusFailedCallback() {
 	xl.Info("health check failed")
 }

-func (pw *ProxyWrapper) InWorkConn(workConn net.Conn, m *msg.StartWorkConn) {
+func (pw *Wrapper) InWorkConn(workConn net.Conn, m *msg.StartWorkConn) {
 	xl := pw.xl
 	pw.mu.RLock()
 	pxy := pw.pxy
 	pw.mu.RUnlock()
-	if pxy != nil {
+	if pxy != nil && pw.Phase == ProxyPhaseRunning {
 		xl.Debug("start a new work connection, localAddr: %s remoteAddr: %s", workConn.LocalAddr().String(), workConn.RemoteAddr().String())
 		go pxy.InWorkConn(workConn, m)
 	} else {
@@ -235,13 +259,13 @@ func (pw *ProxyWrapper) InWorkConn(workConn net.Conn, m *msg.StartWorkConn) {
 	}
 }

-func (pw *ProxyWrapper) GetStatus() *ProxyStatus {
+func (pw *Wrapper) GetStatus() *WorkingStatus {
 	pw.mu.RLock()
 	defer pw.mu.RUnlock()
-	ps := &ProxyStatus{
+	ps := &WorkingStatus{
 		Name:       pw.Name,
 		Type:       pw.Type,
-		Status:     pw.Status,
+		Phase:      pw.Phase,
 		Err:        pw.Err,
 		Cfg:        pw.Cfg,
 		RemoteAddr: pw.RemoteAddr,
--- a/client/proxy/sudp.go
+++ b/client/proxy/sudp.go
@@ -0,0 +1,207 @@
+// Copyright 2023 The frp Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package proxy
+
+import (
+	"io"
+	"net"
+	"reflect"
+	"strconv"
+	"sync"
+	"time"
+
+	"github.com/fatedier/golib/errors"
+	libio "github.com/fatedier/golib/io"
+
+	"github.com/fatedier/frp/pkg/config"
+	"github.com/fatedier/frp/pkg/msg"
+	"github.com/fatedier/frp/pkg/proto/udp"
+	"github.com/fatedier/frp/pkg/util/limit"
+	utilnet "github.com/fatedier/frp/pkg/util/net"
+)
+
+func init() {
+	RegisterProxyFactory(reflect.TypeOf(&config.SUDPProxyConf{}), NewSUDPProxy)
+}
+
+type SUDPProxy struct {
+	*BaseProxy
+
+	cfg *config.SUDPProxyConf
+
+	localAddr *net.UDPAddr
+
+	closeCh chan struct{}
+}
+
+func NewSUDPProxy(baseProxy *BaseProxy, cfg config.ProxyConf) Proxy {
+	unwrapped, ok := cfg.(*config.SUDPProxyConf)
+	if !ok {
+		return nil
+	}
+	return &SUDPProxy{
+		BaseProxy: baseProxy,
+		cfg:       unwrapped,
+		closeCh:   make(chan struct{}),
+	}
+}
+
+func (pxy *SUDPProxy) Run() (err error) {
+	pxy.localAddr, err = net.ResolveUDPAddr("udp", net.JoinHostPort(pxy.cfg.LocalIP, strconv.Itoa(pxy.cfg.LocalPort)))
+	if err != nil {
+		return
+	}
+	return
+}
+
+func (pxy *SUDPProxy) Close() {
+	pxy.mu.Lock()
+	defer pxy.mu.Unlock()
+	select {
+	case <-pxy.closeCh:
+		return
+	default:
+		close(pxy.closeCh)
+	}
+}
+
+func (pxy *SUDPProxy) InWorkConn(conn net.Conn, m *msg.StartWorkConn) {
+	xl := pxy.xl
+	xl.Info("incoming a new work connection for sudp proxy, %s", conn.RemoteAddr().String())
+
+	var rwc io.ReadWriteCloser = conn
+	var err error
+	if pxy.limiter != nil {
+		rwc = libio.WrapReadWriteCloser(limit.NewReader(conn, pxy.limiter), limit.NewWriter(conn, pxy.limiter), func() error {
+			return conn.Close()
+		})
+	}
+	if pxy.cfg.UseEncryption {
+		rwc, err = libio.WithEncryption(rwc, []byte(pxy.clientCfg.Token))
+		if err != nil {
+			conn.Close()
+			xl.Error("create encryption stream error: %v", err)
+			return
+		}
+	}
+	if pxy.cfg.UseCompression {
+		rwc = libio.WithCompression(rwc)
+	}
+	conn = utilnet.WrapReadWriteCloserToConn(rwc, conn)
+
+	workConn := conn
+	readCh := make(chan *msg.UDPPacket, 1024)
+	sendCh := make(chan msg.Message, 1024)
+	isClose := false
+
+	mu := &sync.Mutex{}
+
+	closeFn := func() {
+		mu.Lock()
+		defer mu.Unlock()
+		if isClose {
+			return
+		}
+
+		isClose = true
+		if workConn != nil {
+			workConn.Close()
+		}
+		close(readCh)
+		close(sendCh)
+	}
+
+	// udp service <- frpc <- frps <- frpc visitor <- user
+	workConnReaderFn := func(conn net.Conn, readCh chan *msg.UDPPacket) {
+		defer closeFn()
+
+		for {
+			// first to check sudp proxy is closed or not
+			select {
+			case <-pxy.closeCh:
+				xl.Trace("frpc sudp proxy is closed")
+				return
+			default:
+			}
+
+			var udpMsg msg.UDPPacket
+			if errRet := msg.ReadMsgInto(conn, &udpMsg); errRet != nil {
+				xl.Warn("read from workConn for sudp error: %v", errRet)
+				return
+			}
+
+			if errRet := errors.PanicToError(func() {
+				readCh <- &udpMsg
+			}); errRet != nil {
+				xl.Warn("reader goroutine for sudp work connection closed: %v", errRet)
+				return
+			}
+		}
+	}
+
+	// udp service -> frpc -> frps -> frpc visitor -> user
+	workConnSenderFn := func(conn net.Conn, sendCh chan msg.Message) {
+		defer func() {
+			closeFn()
+			xl.Info("writer goroutine for sudp work connection closed")
+		}()
+
+		var errRet error
+		for rawMsg := range sendCh {
+			switch m := rawMsg.(type) {
+			case *msg.UDPPacket:
+				xl.Trace("frpc send udp package to frpc visitor, [udp local: %v, remote: %v], [tcp work conn local: %v, remote: %v]",
+					m.LocalAddr.String(), m.RemoteAddr.String(), conn.LocalAddr().String(), conn.RemoteAddr().String())
+			case *msg.Ping:
+				xl.Trace("frpc send ping message to frpc visitor")
+			}
+
+			if errRet = msg.WriteMsg(conn, rawMsg); errRet != nil {
+				xl.Error("sudp work write error: %v", errRet)
+				return
+			}
+		}
+	}
+
+	heartbeatFn := func(sendCh chan msg.Message) {
+		ticker := time.NewTicker(30 * time.Second)
+		defer func() {
+			ticker.Stop()
+			closeFn()
+		}()
+
+		var errRet error
+		for {
+			select {
+			case <-ticker.C:
+				if errRet = errors.PanicToError(func() {
+					sendCh <- &msg.Ping{}
+				}); errRet != nil {
+					xl.Warn("heartbeat goroutine for sudp work connection closed")
+					return
+				}
+			case <-pxy.closeCh:
+				xl.Trace("frpc sudp proxy is closed")
+				return
+			}
+		}
+	}
+
+	go workConnSenderFn(workConn, sendCh)
+	go workConnReaderFn(workConn, readCh)
+	go heartbeatFn(sendCh)
+
+	udp.Forwarder(pxy.localAddr, readCh, sendCh, int(pxy.clientCfg.UDPPacketSize))
+}
--- a/client/proxy/udp.go
+++ b/client/proxy/udp.go
@@ -0,0 +1,173 @@
+// Copyright 2023 The frp Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package proxy
+
+import (
+	"io"
+	"net"
+	"reflect"
+	"strconv"
+	"time"
+
+	"github.com/fatedier/golib/errors"
+	libio "github.com/fatedier/golib/io"
+
+	"github.com/fatedier/frp/pkg/config"
+	"github.com/fatedier/frp/pkg/msg"
+	"github.com/fatedier/frp/pkg/proto/udp"
+	"github.com/fatedier/frp/pkg/util/limit"
+	utilnet "github.com/fatedier/frp/pkg/util/net"
+)
+
+func init() {
+	RegisterProxyFactory(reflect.TypeOf(&config.UDPProxyConf{}), NewUDPProxy)
+}
+
+type UDPProxy struct {
+	*BaseProxy
+
+	cfg *config.UDPProxyConf
+
+	localAddr *net.UDPAddr
+	readCh    chan *msg.UDPPacket
+
+	// include msg.UDPPacket and msg.Ping
+	sendCh   chan msg.Message
+	workConn net.Conn
+	closed   bool
+}
+
+func NewUDPProxy(baseProxy *BaseProxy, cfg config.ProxyConf) Proxy {
+	unwrapped, ok := cfg.(*config.UDPProxyConf)
+	if !ok {
+		return nil
+	}
+	return &UDPProxy{
+		BaseProxy: baseProxy,
+		cfg:       unwrapped,
+	}
+}
+
+func (pxy *UDPProxy) Run() (err error) {
+	pxy.localAddr, err = net.ResolveUDPAddr("udp", net.JoinHostPort(pxy.cfg.LocalIP, strconv.Itoa(pxy.cfg.LocalPort)))
+	if err != nil {
+		return
+	}
+	return
+}
+
+func (pxy *UDPProxy) Close() {
+	pxy.mu.Lock()
+	defer pxy.mu.Unlock()
+
+	if !pxy.closed {
+		pxy.closed = true
+		if pxy.workConn != nil {
+			pxy.workConn.Close()
+		}
+		if pxy.readCh != nil {
+			close(pxy.readCh)
+		}
+		if pxy.sendCh != nil {
+			close(pxy.sendCh)
+		}
+	}
+}
+
+func (pxy *UDPProxy) InWorkConn(conn net.Conn, m *msg.StartWorkConn) {
+	xl := pxy.xl
+	xl.Info("incoming a new work connection for udp proxy, %s", conn.RemoteAddr().String())
+	// close resources releated with old workConn
+	pxy.Close()
+
+	var rwc io.ReadWriteCloser = conn
+	var err error
+	if pxy.limiter != nil {
+		rwc = libio.WrapReadWriteCloser(limit.NewReader(conn, pxy.limiter), limit.NewWriter(conn, pxy.limiter), func() error {
+			return conn.Close()
+		})
+	}
+	if pxy.cfg.UseEncryption {
+		rwc, err = libio.WithEncryption(rwc, []byte(pxy.clientCfg.Token))
+		if err != nil {
+			conn.Close()
+			xl.Error("create encryption stream error: %v", err)
+			return
+		}
+	}
+	if pxy.cfg.UseCompression {
+		rwc = libio.WithCompression(rwc)
+	}
+	conn = utilnet.WrapReadWriteCloserToConn(rwc, conn)
+
+	pxy.mu.Lock()
+	pxy.workConn = conn
+	pxy.readCh = make(chan *msg.UDPPacket, 1024)
+	pxy.sendCh = make(chan msg.Message, 1024)
+	pxy.closed = false
+	pxy.mu.Unlock()
+
+	workConnReaderFn := func(conn net.Conn, readCh chan *msg.UDPPacket) {
+		for {
+			var udpMsg msg.UDPPacket
+			if errRet := msg.ReadMsgInto(conn, &udpMsg); errRet != nil {
+				xl.Warn("read from workConn for udp error: %v", errRet)
+				return
+			}
+			if errRet := errors.PanicToError(func() {
+				xl.Trace("get udp package from workConn: %s", udpMsg.Content)
+				readCh <- &udpMsg
+			}); errRet != nil {
+				xl.Info("reader goroutine for udp work connection closed: %v", errRet)
+				return
+			}
+		}
+	}
+	workConnSenderFn := func(conn net.Conn, sendCh chan msg.Message) {
+		defer func() {
+			xl.Info("writer goroutine for udp work connection closed")
+		}()
+		var errRet error
+		for rawMsg := range sendCh {
+			switch m := rawMsg.(type) {
+			case *msg.UDPPacket:
+				xl.Trace("send udp package to workConn: %s", m.Content)
+			case *msg.Ping:
+				xl.Trace("send ping message to udp workConn")
+			}
+			if errRet = msg.WriteMsg(conn, rawMsg); errRet != nil {
+				xl.Error("udp work write error: %v", errRet)
+				return
+			}
+		}
+	}
+	heartbeatFn := func(sendCh chan msg.Message) {
+		var errRet error
+		for {
+			time.Sleep(time.Duration(30) * time.Second)
+			if errRet = errors.PanicToError(func() {
+				sendCh <- &msg.Ping{}
+			}); errRet != nil {
+				xl.Trace("heartbeat goroutine for udp work connection closed")
+				break
+			}
+		}
+	}
+
+	go workConnSenderFn(pxy.workConn, pxy.sendCh)
+	go workConnReaderFn(pxy.workConn, pxy.readCh)
+	go heartbeatFn(pxy.sendCh)
+	udp.Forwarder(pxy.localAddr, pxy.readCh, pxy.sendCh, int(pxy.clientCfg.UDPPacketSize))
+}
--- a/client/proxy/xtcp.go
+++ b/client/proxy/xtcp.go
@@ -0,0 +1,197 @@
+// Copyright 2023 The frp Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package proxy
+
+import (
+	"io"
+	"net"
+	"reflect"
+	"time"
+
+	fmux "github.com/hashicorp/yamux"
+	"github.com/quic-go/quic-go"
+
+	"github.com/fatedier/frp/pkg/config"
+	"github.com/fatedier/frp/pkg/msg"
+	"github.com/fatedier/frp/pkg/nathole"
+	"github.com/fatedier/frp/pkg/transport"
+	utilnet "github.com/fatedier/frp/pkg/util/net"
+)
+
+func init() {
+	RegisterProxyFactory(reflect.TypeOf(&config.XTCPProxyConf{}), NewXTCPProxy)
+}
+
+type XTCPProxy struct {
+	*BaseProxy
+
+	cfg *config.XTCPProxyConf
+}
+
+func NewXTCPProxy(baseProxy *BaseProxy, cfg config.ProxyConf) Proxy {
+	unwrapped, ok := cfg.(*config.XTCPProxyConf)
+	if !ok {
+		return nil
+	}
+	return &XTCPProxy{
+		BaseProxy: baseProxy,
+		cfg:       unwrapped,
+	}
+}
+
+func (pxy *XTCPProxy) InWorkConn(conn net.Conn, startWorkConnMsg *msg.StartWorkConn) {
+	xl := pxy.xl
+	defer conn.Close()
+	var natHoleSidMsg msg.NatHoleSid
+	err := msg.ReadMsgInto(conn, &natHoleSidMsg)
+	if err != nil {
+		xl.Error("xtcp read from workConn error: %v", err)
+		return
+	}
+
+	xl.Trace("nathole prepare start")
+	prepareResult, err := nathole.Prepare([]string{pxy.clientCfg.NatHoleSTUNServer})
+	if err != nil {
+		xl.Warn("nathole prepare error: %v", err)
+		return
+	}
+	xl.Info("nathole prepare success, nat type: %s, behavior: %s, addresses: %v, assistedAddresses: %v",
+		prepareResult.NatType, prepareResult.Behavior, prepareResult.Addrs, prepareResult.AssistedAddrs)
+	defer prepareResult.ListenConn.Close()
+
+	// send NatHoleClient msg to server
+	transactionID := nathole.NewTransactionID()
+	natHoleClientMsg := &msg.NatHoleClient{
+		TransactionID: transactionID,
+		ProxyName:     pxy.cfg.ProxyName,
+		Sid:           natHoleSidMsg.Sid,
+		MappedAddrs:   prepareResult.Addrs,
+		AssistedAddrs: prepareResult.AssistedAddrs,
+	}
+
+	xl.Trace("nathole exchange info start")
+	natHoleRespMsg, err := nathole.ExchangeInfo(pxy.ctx, pxy.msgTransporter, transactionID, natHoleClientMsg, 5*time.Second)
+	if err != nil {
+		xl.Warn("nathole exchange info error: %v", err)
+		return
+	}
+
+	xl.Info("get natHoleRespMsg, sid [%s], protocol [%s], candidate address %v, assisted address %v, detectBehavior: %+v",
+		natHoleRespMsg.Sid, natHoleRespMsg.Protocol, natHoleRespMsg.CandidateAddrs,
+		natHoleRespMsg.AssistedAddrs, natHoleRespMsg.DetectBehavior)
+
+	listenConn := prepareResult.ListenConn
+	newListenConn, raddr, err := nathole.MakeHole(pxy.ctx, listenConn, natHoleRespMsg, []byte(pxy.cfg.Sk))
+	if err != nil {
+		listenConn.Close()
+		xl.Warn("make hole error: %v", err)
+		_ = pxy.msgTransporter.Send(&msg.NatHoleReport{
+			Sid:     natHoleRespMsg.Sid,
+			Success: false,
+		})
+		return
+	}
+	listenConn = newListenConn
+	xl.Info("establishing nat hole connection successful, sid [%s], remoteAddr [%s]", natHoleRespMsg.Sid, raddr)
+
+	_ = pxy.msgTransporter.Send(&msg.NatHoleReport{
+		Sid:     natHoleRespMsg.Sid,
+		Success: true,
+	})
+
+	if natHoleRespMsg.Protocol == "kcp" {
+		pxy.listenByKCP(listenConn, raddr, startWorkConnMsg)
+		return
+	}
+
+	// default is quic
+	pxy.listenByQUIC(listenConn, raddr, startWorkConnMsg)
+}
+
+func (pxy *XTCPProxy) listenByKCP(listenConn *net.UDPConn, raddr *net.UDPAddr, startWorkConnMsg *msg.StartWorkConn) {
+	xl := pxy.xl
+	listenConn.Close()
+	laddr, _ := net.ResolveUDPAddr("udp", listenConn.LocalAddr().String())
+	lConn, err := net.DialUDP("udp", laddr, raddr)
+	if err != nil {
+		xl.Warn("dial udp error: %v", err)
+		return
+	}
+	defer lConn.Close()
+
+	remote, err := utilnet.NewKCPConnFromUDP(lConn, true, raddr.String())
+	if err != nil {
+		xl.Warn("create kcp connection from udp connection error: %v", err)
+		return
+	}
+
+	fmuxCfg := fmux.DefaultConfig()
+	fmuxCfg.KeepAliveInterval = 10 * time.Second
+	fmuxCfg.MaxStreamWindowSize = 6 * 1024 * 1024
+	fmuxCfg.LogOutput = io.Discard
+	session, err := fmux.Server(remote, fmuxCfg)
+	if err != nil {
+		xl.Error("create mux session error: %v", err)
+		return
+	}
+	defer session.Close()
+
+	for {
+		muxConn, err := session.Accept()
+		if err != nil {
+			xl.Error("accept connection error: %v", err)
+			return
+		}
+		go pxy.HandleTCPWorkConnection(muxConn, startWorkConnMsg, []byte(pxy.cfg.Sk))
+	}
+}
+
+func (pxy *XTCPProxy) listenByQUIC(listenConn *net.UDPConn, _ *net.UDPAddr, startWorkConnMsg *msg.StartWorkConn) {
+	xl := pxy.xl
+	defer listenConn.Close()
+
+	tlsConfig, err := transport.NewServerTLSConfig("", "", "")
+	if err != nil {
+		xl.Warn("create tls config error: %v", err)
+		return
+	}
+	tlsConfig.NextProtos = []string{"frp"}
+	quicListener, err := quic.Listen(listenConn, tlsConfig,
+		&quic.Config{
+			MaxIdleTimeout:     time.Duration(pxy.clientCfg.QUICMaxIdleTimeout) * time.Second,
+			MaxIncomingStreams: int64(pxy.clientCfg.QUICMaxIncomingStreams),
+			KeepAlivePeriod:    time.Duration(pxy.clientCfg.QUICKeepalivePeriod) * time.Second,
+		},
+	)
+	if err != nil {
+		xl.Warn("dial quic error: %v", err)
+		return
+	}
+	// only accept one connection from raddr
+	c, err := quicListener.Accept(pxy.ctx)
+	if err != nil {
+		xl.Error("quic accept connection error: %v", err)
+		return
+	}
+	for {
+		stream, err := c.AcceptStream(pxy.ctx)
+		if err != nil {
+			xl.Debug("quic accept stream error: %v", err)
+			_ = c.CloseWithError(0, "")
+			return
+		}
+		go pxy.HandleTCPWorkConnection(utilnet.QuicStreamToNetConn(stream, c), startWorkConnMsg, []byte(pxy.cfg.Sk))
+	}
+}
--- a/client/service.go
+++ b/client/service.go
@@ -18,29 +18,43 @@ import (
 	"context"
 	"crypto/tls"
 	"fmt"
-	"io/ioutil"
+	"io"
+	"math/rand"
 	"net"
 	"runtime"
+	"strconv"
+	"strings"
 	"sync"
 	"sync/atomic"
 	"time"

-	"github.com/fatedier/frp/assets"
-	"github.com/fatedier/frp/models/auth"
-	"github.com/fatedier/frp/models/config"
-	"github.com/fatedier/frp/models/msg"
-	"github.com/fatedier/frp/utils/log"
-	frpNet "github.com/fatedier/frp/utils/net"
-	"github.com/fatedier/frp/utils/version"
-	"github.com/fatedier/frp/utils/xlog"
-
+	"github.com/fatedier/golib/crypto"
+	libdial "github.com/fatedier/golib/net/dial"
 	fmux "github.com/hashicorp/yamux"
+	quic "github.com/quic-go/quic-go"
+
+	"github.com/fatedier/frp/assets"
+	"github.com/fatedier/frp/pkg/auth"
+	"github.com/fatedier/frp/pkg/config"
+	"github.com/fatedier/frp/pkg/msg"
+	"github.com/fatedier/frp/pkg/transport"
+	"github.com/fatedier/frp/pkg/util/log"
+	utilnet "github.com/fatedier/frp/pkg/util/net"
+	"github.com/fatedier/frp/pkg/util/util"
+	"github.com/fatedier/frp/pkg/util/version"
+	"github.com/fatedier/frp/pkg/util/xlog"
 )

+func init() {
+	crypto.DefaultSalt = "frp"
+	// TODO: remove this when we drop support for go1.19
+	rand.Seed(time.Now().UnixNano())
+}
+
 // Service is a client service.
 type Service struct {
 	// uniq id got from frps, attach it in loginMsg
-	runId string
+	runID string

 	// manager control connection with server
 	ctl   *Control
@@ -58,9 +72,6 @@ type Service struct {
 	// string if no configuration file was used.
 	cfgFile string

-	// This is configured by the login response from frps
-	serverUDPPort int
-
 	exit uint32 // 0 means not exit

 	// service context
@@ -69,11 +80,15 @@ type Service struct {
 	cancel context.CancelFunc
 }

-func NewService(cfg config.ClientCommonConf, pxyCfgs map[string]config.ProxyConf, visitorCfgs map[string]config.VisitorConf, cfgFile string) (svr *Service, err error) {
-
+func NewService(
+	cfg config.ClientCommonConf,
+	pxyCfgs map[string]config.ProxyConf,
+	visitorCfgs map[string]config.VisitorConf,
+	cfgFile string,
+) (svr *Service, err error) {
 	ctx, cancel := context.WithCancel(context.Background())
 	svr = &Service{
-		authSetter:  auth.NewAuthSetter(cfg.AuthClientConfig),
+		authSetter:  auth.NewAuthSetter(cfg.ClientConfig),
 		cfg:         cfg,
 		cfgFile:     cfgFile,
 		pxyCfgs:     pxyCfgs,
@@ -94,9 +109,24 @@ func (svr *Service) GetController() *Control {
 func (svr *Service) Run() error {
 	xl := xlog.FromContextSafe(svr.ctx)

+	// set custom DNSServer
+	if svr.cfg.DNSServer != "" {
+		dnsAddr := svr.cfg.DNSServer
+		if _, _, err := net.SplitHostPort(dnsAddr); err != nil {
+			dnsAddr = net.JoinHostPort(dnsAddr, "53")
+		}
+		// Change default dns server for frpc
+		net.DefaultResolver = &net.Resolver{
+			PreferGo: true,
+			Dial: func(ctx context.Context, network, address string) (net.Conn, error) {
+				return net.Dial("udp", dnsAddr)
+			},
+		}
+	}
+
 	// login to frps
 	for {
-		conn, session, err := svr.login()
+		conn, cm, err := svr.login()
 		if err != nil {
 			xl.Warn("login to server failed: %v", err)

@@ -104,12 +134,11 @@ func (svr *Service) Run() error {
 			// otherwise sleep a while and try again to connect to server
 			if svr.cfg.LoginFailExit {
 				return err
-			} else {
-				time.Sleep(10 * time.Second)
 			}
+			util.RandomSleep(10*time.Second, 0.9, 1.1)
 		} else {
 			// login success
-			ctl := NewControl(svr.ctx, svr.runId, conn, session, svr.cfg, svr.pxyCfgs, svr.visitorCfgs, svr.serverUDPPort, svr.authSetter)
+			ctl := NewControl(svr.ctx, svr.runID, conn, cm, svr.cfg, svr.pxyCfgs, svr.visitorCfgs, svr.authSetter)
 			ctl.Run()
 			svr.ctlMu.Lock()
 			svr.ctl = ctl
@@ -122,12 +151,10 @@ func (svr *Service) Run() error {

 	if svr.cfg.AdminPort != 0 {
 		// Init admin server assets
-		err := assets.Load(svr.cfg.AssetsDir)
-		if err != nil {
-			return fmt.Errorf("Load assets error: %v", err)
-		}
+		assets.Load(svr.cfg.AssetsDir)

-		err = svr.RunAdminServer(svr.cfg.AdminAddr, svr.cfg.AdminPort)
+		address := net.JoinHostPort(svr.cfg.AdminAddr, strconv.Itoa(svr.cfg.AdminPort))
+		err := svr.RunAdminServer(address)
 		if err != nil {
 			log.Warn("run admin server error: %v", err)
 		}
@@ -142,19 +169,49 @@ func (svr *Service) keepControllerWorking() {
 	maxDelayTime := 20 * time.Second
 	delayTime := time.Second

+	// if frpc reconnect frps, we need to limit retry times in 1min
+	// current retry logic is sleep 0s, 0s, 0s, 1s, 2s, 4s, 8s, ...
+	// when exceed 1min, we will reset delay and counts
+	cutoffTime := time.Now().Add(time.Minute)
+	reconnectDelay := time.Second
+	reconnectCounts := 1
+
 	for {
 		<-svr.ctl.ClosedDoneCh()
 		if atomic.LoadUint32(&svr.exit) != 0 {
 			return
 		}

+		// the first three retry with no delay
+		if reconnectCounts > 3 {
+			util.RandomSleep(reconnectDelay, 0.9, 1.1)
+			xl.Info("wait %v to reconnect", reconnectDelay)
+			reconnectDelay *= 2
+		} else {
+			util.RandomSleep(time.Second, 0, 0.5)
+		}
+		reconnectCounts++
+
+		now := time.Now()
+		if now.After(cutoffTime) {
+			// reset
+			cutoffTime = now.Add(time.Minute)
+			reconnectDelay = time.Second
+			reconnectCounts = 1
+		}
+
 		for {
+			if atomic.LoadUint32(&svr.exit) != 0 {
+				return
+			}
+
 			xl.Info("try to reconnect to server...")
-			conn, session, err := svr.login()
+			conn, cm, err := svr.login()
 			if err != nil {
-				xl.Warn("reconnect to server error: %v", err)
-				time.Sleep(delayTime)
-				delayTime = delayTime * 2
+				xl.Warn("reconnect to server error: %v, wait %v for another retry", err, delayTime)
+				util.RandomSleep(delayTime, 0.9, 1.1)
+
+				delayTime *= 2
 				if delayTime > maxDelayTime {
 					delayTime = maxDelayTime
 				}
@@ -163,9 +220,12 @@ func (svr *Service) keepControllerWorking() {
 			// reconnect success, init delayTime
 			delayTime = time.Second

-			ctl := NewControl(svr.ctx, svr.runId, conn, session, svr.cfg, svr.pxyCfgs, svr.visitorCfgs, svr.serverUDPPort, svr.authSetter)
+			ctl := NewControl(svr.ctx, svr.runID, conn, cm, svr.cfg, svr.pxyCfgs, svr.visitorCfgs, svr.authSetter)
 			ctl.Run()
 			svr.ctlMu.Lock()
+			if svr.ctl != nil {
+				svr.ctl.Close()
+			}
 			svr.ctl = ctl
 			svr.ctlMu.Unlock()
 			break
@@ -176,44 +236,23 @@ func (svr *Service) keepControllerWorking() {
 // login creates a connection to frps and registers it self as a client
 // conn: control connection
 // session: if it's not nil, using tcp mux
-func (svr *Service) login() (conn net.Conn, session *fmux.Session, err error) {
+func (svr *Service) login() (conn net.Conn, cm *ConnectionManager, err error) {
 	xl := xlog.FromContextSafe(svr.ctx)
-	var tlsConfig *tls.Config
-	if svr.cfg.TLSEnable {
-		tlsConfig = &tls.Config{
-			InsecureSkipVerify: true,
-		}
-	}
-	conn, err = frpNet.ConnectServerByProxyWithTLS(svr.cfg.HttpProxy, svr.cfg.Protocol,
-		fmt.Sprintf("%s:%d", svr.cfg.ServerAddr, svr.cfg.ServerPort), tlsConfig)
-	if err != nil {
-		return
+	cm = NewConnectionManager(svr.ctx, &svr.cfg)
+
+	if err = cm.OpenConnection(); err != nil {
+		return nil, nil, err
 	}

 	defer func() {
 		if err != nil {
-			conn.Close()
-			if session != nil {
-				session.Close()
-			}
+			cm.Close()
 		}
 	}()

-	if svr.cfg.TcpMux {
-		fmuxCfg := fmux.DefaultConfig()
-		fmuxCfg.KeepAliveInterval = 20 * time.Second
-		fmuxCfg.LogOutput = ioutil.Discard
-		session, err = fmux.Client(conn, fmuxCfg)
-		if err != nil {
-			return
-		}
-		stream, errRet := session.OpenStream()
-		if errRet != nil {
-			session.Close()
-			err = errRet
-			return
-		}
-		conn = stream
+	conn, err = cm.Connect()
+	if err != nil {
+		return
 	}

 	loginMsg := &msg.Login{
@@ -223,7 +262,7 @@ func (svr *Service) login() (conn net.Conn, session *fmux.Session, err error) {
 		User:      svr.cfg.User,
 		Version:   version.Full(),
 		Timestamp: time.Now().Unix(),
-		RunId:     svr.runId,
+		RunID:     svr.runID,
 		Metas:     svr.cfg.Metas,
 	}

@@ -237,11 +276,11 @@ func (svr *Service) login() (conn net.Conn, session *fmux.Session, err error) {
 	}

 	var loginRespMsg msg.LoginResp
-	conn.SetReadDeadline(time.Now().Add(10 * time.Second))
+	_ = conn.SetReadDeadline(time.Now().Add(10 * time.Second))
 	if err = msg.ReadMsgInto(conn, &loginRespMsg); err != nil {
 		return
 	}
-	conn.SetReadDeadline(time.Time{})
+	_ = conn.SetReadDeadline(time.Time{})

 	if loginRespMsg.Error != "" {
 		err = fmt.Errorf("%s", loginRespMsg.Error)
@@ -249,12 +288,11 @@ func (svr *Service) login() (conn net.Conn, session *fmux.Session, err error) {
 		return
 	}

-	svr.runId = loginRespMsg.RunId
+	svr.runID = loginRespMsg.RunID
 	xl.ResetPrefixes()
-	xl.AppendPrefix(svr.runId)
+	xl.AppendPrefix(svr.runID)

-	svr.serverUDPPort = loginRespMsg.ServerUdpPort
-	xl.Info("login to server success, get run id [%s], server udp port [%d]", loginRespMsg.RunId, loginRespMsg.ServerUdpPort)
+	xl.Info("login to server success, get run id [%s]", loginRespMsg.RunID)
 	return
 }

@@ -264,11 +302,187 @@ func (svr *Service) ReloadConf(pxyCfgs map[string]config.ProxyConf, visitorCfgs
 	svr.visitorCfgs = visitorCfgs
 	svr.cfgMu.Unlock()

-	return svr.ctl.ReloadConf(pxyCfgs, visitorCfgs)
+	svr.ctlMu.RLock()
+	ctl := svr.ctl
+	svr.ctlMu.RUnlock()
+
+	if ctl != nil {
+		return svr.ctl.ReloadConf(pxyCfgs, visitorCfgs)
+	}
+	return nil
 }

 func (svr *Service) Close() {
+	svr.GracefulClose(time.Duration(0))
+}
+
+func (svr *Service) GracefulClose(d time.Duration) {
 	atomic.StoreUint32(&svr.exit, 1)
-	svr.ctl.Close()
+
+	svr.ctlMu.RLock()
+	if svr.ctl != nil {
+		svr.ctl.GracefulClose(d)
+	}
+	svr.ctlMu.RUnlock()
+
 	svr.cancel()
 }
+
+type ConnectionManager struct {
+	ctx context.Context
+	cfg *config.ClientCommonConf
+
+	muxSession *fmux.Session
+	quicConn   quic.Connection
+}
+
+func NewConnectionManager(ctx context.Context, cfg *config.ClientCommonConf) *ConnectionManager {
+	return &ConnectionManager{
+		ctx: ctx,
+		cfg: cfg,
+	}
+}
+
+func (cm *ConnectionManager) OpenConnection() error {
+	xl := xlog.FromContextSafe(cm.ctx)
+
+	// special for quic
+	if strings.EqualFold(cm.cfg.Protocol, "quic") {
+		var tlsConfig *tls.Config
+		var err error
+		sn := cm.cfg.TLSServerName
+		if sn == "" {
+			sn = cm.cfg.ServerAddr
+		}
+		if cm.cfg.TLSEnable {
+			tlsConfig, err = transport.NewClientTLSConfig(
+				cm.cfg.TLSCertFile,
+				cm.cfg.TLSKeyFile,
+				cm.cfg.TLSTrustedCaFile,
+				sn)
+		} else {
+			tlsConfig, err = transport.NewClientTLSConfig("", "", "", sn)
+		}
+		if err != nil {
+			xl.Warn("fail to build tls configuration, err: %v", err)
+			return err
+		}
+		tlsConfig.NextProtos = []string{"frp"}
+
+		conn, err := quic.DialAddrContext(
+			cm.ctx,
+			net.JoinHostPort(cm.cfg.ServerAddr, strconv.Itoa(cm.cfg.ServerPort)),
+			tlsConfig, &quic.Config{
+				MaxIdleTimeout:     time.Duration(cm.cfg.QUICMaxIdleTimeout) * time.Second,
+				MaxIncomingStreams: int64(cm.cfg.QUICMaxIncomingStreams),
+				KeepAlivePeriod:    time.Duration(cm.cfg.QUICKeepalivePeriod) * time.Second,
+			})
+		if err != nil {
+			return err
+		}
+		cm.quicConn = conn
+		return nil
+	}
+
+	if !cm.cfg.TCPMux {
+		return nil
+	}
+
+	conn, err := cm.realConnect()
+	if err != nil {
+		return err
+	}
+
+	fmuxCfg := fmux.DefaultConfig()
+	fmuxCfg.KeepAliveInterval = time.Duration(cm.cfg.TCPMuxKeepaliveInterval) * time.Second
+	fmuxCfg.LogOutput = io.Discard
+	fmuxCfg.MaxStreamWindowSize = 6 * 1024 * 1024
+	session, err := fmux.Client(conn, fmuxCfg)
+	if err != nil {
+		return err
+	}
+	cm.muxSession = session
+	return nil
+}
+
+func (cm *ConnectionManager) Connect() (net.Conn, error) {
+	if cm.quicConn != nil {
+		stream, err := cm.quicConn.OpenStreamSync(context.Background())
+		if err != nil {
+			return nil, err
+		}
+		return utilnet.QuicStreamToNetConn(stream, cm.quicConn), nil
+	} else if cm.muxSession != nil {
+		stream, err := cm.muxSession.OpenStream()
+		if err != nil {
+			return nil, err
+		}
+		return stream, nil
+	}
+
+	return cm.realConnect()
+}
+
+func (cm *ConnectionManager) realConnect() (net.Conn, error) {
+	xl := xlog.FromContextSafe(cm.ctx)
+	var tlsConfig *tls.Config
+	var err error
+	if cm.cfg.TLSEnable {
+		sn := cm.cfg.TLSServerName
+		if sn == "" {
+			sn = cm.cfg.ServerAddr
+		}
+
+		tlsConfig, err = transport.NewClientTLSConfig(
+			cm.cfg.TLSCertFile,
+			cm.cfg.TLSKeyFile,
+			cm.cfg.TLSTrustedCaFile,
+			sn)
+		if err != nil {
+			xl.Warn("fail to build tls configuration, err: %v", err)
+			return nil, err
+		}
+	}
+
+	proxyType, addr, auth, err := libdial.ParseProxyURL(cm.cfg.HTTPProxy)
+	if err != nil {
+		xl.Error("fail to parse proxy url")
+		return nil, err
+	}
+	dialOptions := []libdial.DialOption{}
+	protocol := cm.cfg.Protocol
+	if protocol == "websocket" {
+		protocol = "tcp"
+		dialOptions = append(dialOptions, libdial.WithAfterHook(libdial.AfterHook{Hook: utilnet.DialHookWebsocket()}))
+	}
+	if cm.cfg.ConnectServerLocalIP != "" {
+		dialOptions = append(dialOptions, libdial.WithLocalAddr(cm.cfg.ConnectServerLocalIP))
+	}
+	dialOptions = append(dialOptions,
+		libdial.WithProtocol(protocol),
+		libdial.WithTimeout(time.Duration(cm.cfg.DialServerTimeout)*time.Second),
+		libdial.WithKeepAlive(time.Duration(cm.cfg.DialServerKeepAlive)*time.Second),
+		libdial.WithProxy(proxyType, addr),
+		libdial.WithProxyAuth(auth),
+		libdial.WithTLSConfig(tlsConfig),
+		libdial.WithAfterHook(libdial.AfterHook{
+			Hook: utilnet.DialHookCustomTLSHeadByte(tlsConfig != nil, cm.cfg.DisableCustomTLSFirstByte),
+		}),
+	)
+	conn, err := libdial.DialContext(
+		cm.ctx,
+		net.JoinHostPort(cm.cfg.ServerAddr, strconv.Itoa(cm.cfg.ServerPort)),
+		dialOptions...,
+	)
+	return conn, err
+}
+
+func (cm *ConnectionManager) Close() error {
+	if cm.quicConn != nil {
+		_ = cm.quicConn.CloseWithError(0, "")
+	}
+	if cm.muxSession != nil {
+		_ = cm.muxSession.Close()
+	}
+	return nil
+}
--- a/client/visitor.go
+++ b/client/visitor.go
@@ -1,330 +0,0 @@
-// Copyright 2017 fatedier, fatedier@gmail.com
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package client
-
-import (
-	"bytes"
-	"context"
-	"fmt"
-	"io"
-	"io/ioutil"
-	"net"
-	"sync"
-	"time"
-
-	"github.com/fatedier/frp/models/config"
-	"github.com/fatedier/frp/models/msg"
-	frpNet "github.com/fatedier/frp/utils/net"
-	"github.com/fatedier/frp/utils/util"
-	"github.com/fatedier/frp/utils/xlog"
-
-	frpIo "github.com/fatedier/golib/io"
-	"github.com/fatedier/golib/pool"
-	fmux "github.com/hashicorp/yamux"
-)
-
-// Visitor is used for forward traffics from local port tot remote service.
-type Visitor interface {
-	Run() error
-	Close()
-}
-
-func NewVisitor(ctx context.Context, ctl *Control, cfg config.VisitorConf) (visitor Visitor) {
-	xl := xlog.FromContextSafe(ctx).Spawn().AppendPrefix(cfg.GetBaseInfo().ProxyName)
-	baseVisitor := BaseVisitor{
-		ctl: ctl,
-		ctx: xlog.NewContext(ctx, xl),
-	}
-	switch cfg := cfg.(type) {
-	case *config.StcpVisitorConf:
-		visitor = &StcpVisitor{
-			BaseVisitor: &baseVisitor,
-			cfg:         cfg,
-		}
-	case *config.XtcpVisitorConf:
-		visitor = &XtcpVisitor{
-			BaseVisitor: &baseVisitor,
-			cfg:         cfg,
-		}
-	}
-	return
-}
-
-type BaseVisitor struct {
-	ctl    *Control
-	l      net.Listener
-	closed bool
-
-	mu  sync.RWMutex
-	ctx context.Context
-}
-
-type StcpVisitor struct {
-	*BaseVisitor
-
-	cfg *config.StcpVisitorConf
-}
-
-func (sv *StcpVisitor) Run() (err error) {
-	sv.l, err = net.Listen("tcp", fmt.Sprintf("%s:%d", sv.cfg.BindAddr, sv.cfg.BindPort))
-	if err != nil {
-		return
-	}
-
-	go sv.worker()
-	return
-}
-
-func (sv *StcpVisitor) Close() {
-	sv.l.Close()
-}
-
-func (sv *StcpVisitor) worker() {
-	xl := xlog.FromContextSafe(sv.ctx)
-	for {
-		conn, err := sv.l.Accept()
-		if err != nil {
-			xl.Warn("stcp local listener closed")
-			return
-		}
-
-		go sv.handleConn(conn)
-	}
-}
-
-func (sv *StcpVisitor) handleConn(userConn net.Conn) {
-	xl := xlog.FromContextSafe(sv.ctx)
-	defer userConn.Close()
-
-	xl.Debug("get a new stcp user connection")
-	visitorConn, err := sv.ctl.connectServer()
-	if err != nil {
-		return
-	}
-	defer visitorConn.Close()
-
-	now := time.Now().Unix()
-	newVisitorConnMsg := &msg.NewVisitorConn{
-		ProxyName:      sv.cfg.ServerName,
-		SignKey:        util.GetAuthKey(sv.cfg.Sk, now),
-		Timestamp:      now,
-		UseEncryption:  sv.cfg.UseEncryption,
-		UseCompression: sv.cfg.UseCompression,
-	}
-	err = msg.WriteMsg(visitorConn, newVisitorConnMsg)
-	if err != nil {
-		xl.Warn("send newVisitorConnMsg to server error: %v", err)
-		return
-	}
-
-	var newVisitorConnRespMsg msg.NewVisitorConnResp
-	visitorConn.SetReadDeadline(time.Now().Add(10 * time.Second))
-	err = msg.ReadMsgInto(visitorConn, &newVisitorConnRespMsg)
-	if err != nil {
-		xl.Warn("get newVisitorConnRespMsg error: %v", err)
-		return
-	}
-	visitorConn.SetReadDeadline(time.Time{})
-
-	if newVisitorConnRespMsg.Error != "" {
-		xl.Warn("start new visitor connection error: %s", newVisitorConnRespMsg.Error)
-		return
-	}
-
-	var remote io.ReadWriteCloser
-	remote = visitorConn
-	if sv.cfg.UseEncryption {
-		remote, err = frpIo.WithEncryption(remote, []byte(sv.cfg.Sk))
-		if err != nil {
-			xl.Error("create encryption stream error: %v", err)
-			return
-		}
-	}
-
-	if sv.cfg.UseCompression {
-		remote = frpIo.WithCompression(remote)
-	}
-
-	frpIo.Join(userConn, remote)
-}
-
-type XtcpVisitor struct {
-	*BaseVisitor
-
-	cfg *config.XtcpVisitorConf
-}
-
-func (sv *XtcpVisitor) Run() (err error) {
-	sv.l, err = net.Listen("tcp", fmt.Sprintf("%s:%d", sv.cfg.BindAddr, sv.cfg.BindPort))
-	if err != nil {
-		return
-	}
-
-	go sv.worker()
-	return
-}
-
-func (sv *XtcpVisitor) Close() {
-	sv.l.Close()
-}
-
-func (sv *XtcpVisitor) worker() {
-	xl := xlog.FromContextSafe(sv.ctx)
-	for {
-		conn, err := sv.l.Accept()
-		if err != nil {
-			xl.Warn("xtcp local listener closed")
-			return
-		}
-
-		go sv.handleConn(conn)
-	}
-}
-
-func (sv *XtcpVisitor) handleConn(userConn net.Conn) {
-	xl := xlog.FromContextSafe(sv.ctx)
-	defer userConn.Close()
-
-	xl.Debug("get a new xtcp user connection")
-	if sv.ctl.serverUDPPort == 0 {
-		xl.Error("xtcp is not supported by server")
-		return
-	}
-
-	raddr, err := net.ResolveUDPAddr("udp",
-		fmt.Sprintf("%s:%d", sv.ctl.clientCfg.ServerAddr, sv.ctl.serverUDPPort))
-	if err != nil {
-		xl.Error("resolve server UDP addr error")
-		return
-	}
-
-	visitorConn, err := net.DialUDP("udp", nil, raddr)
-	if err != nil {
-		xl.Warn("dial server udp addr error: %v", err)
-		return
-	}
-	defer visitorConn.Close()
-
-	now := time.Now().Unix()
-	natHoleVisitorMsg := &msg.NatHoleVisitor{
-		ProxyName: sv.cfg.ServerName,
-		SignKey:   util.GetAuthKey(sv.cfg.Sk, now),
-		Timestamp: now,
-	}
-	err = msg.WriteMsg(visitorConn, natHoleVisitorMsg)
-	if err != nil {
-		xl.Warn("send natHoleVisitorMsg to server error: %v", err)
-		return
-	}
-
-	// Wait for client address at most 10 seconds.
-	var natHoleRespMsg msg.NatHoleResp
-	visitorConn.SetReadDeadline(time.Now().Add(10 * time.Second))
-	buf := pool.GetBuf(1024)
-	n, err := visitorConn.Read(buf)
-	if err != nil {
-		xl.Warn("get natHoleRespMsg error: %v", err)
-		return
-	}
-
-	err = msg.ReadMsgInto(bytes.NewReader(buf[:n]), &natHoleRespMsg)
-	if err != nil {
-		xl.Warn("get natHoleRespMsg error: %v", err)
-		return
-	}
-	visitorConn.SetReadDeadline(time.Time{})
-	pool.PutBuf(buf)
-
-	if natHoleRespMsg.Error != "" {
-		xl.Error("natHoleRespMsg get error info: %s", natHoleRespMsg.Error)
-		return
-	}
-
-	xl.Trace("get natHoleRespMsg, sid [%s], client address [%s], visitor address [%s]", natHoleRespMsg.Sid, natHoleRespMsg.ClientAddr, natHoleRespMsg.VisitorAddr)
-
-	// Close visitorConn, so we can use it's local address.
-	visitorConn.Close()
-
-	// send sid message to client
-	laddr, _ := net.ResolveUDPAddr("udp", visitorConn.LocalAddr().String())
-	daddr, err := net.ResolveUDPAddr("udp", natHoleRespMsg.ClientAddr)
-	if err != nil {
-		xl.Error("resolve client udp address error: %v", err)
-		return
-	}
-	lConn, err := net.DialUDP("udp", laddr, daddr)
-	if err != nil {
-		xl.Error("dial client udp address error: %v", err)
-		return
-	}
-	defer lConn.Close()
-
-	lConn.Write([]byte(natHoleRespMsg.Sid))
-
-	// read ack sid from client
-	sidBuf := pool.GetBuf(1024)
-	lConn.SetReadDeadline(time.Now().Add(8 * time.Second))
-	n, err = lConn.Read(sidBuf)
-	if err != nil {
-		xl.Warn("get sid from client error: %v", err)
-		return
-	}
-	lConn.SetReadDeadline(time.Time{})
-	if string(sidBuf[:n]) != natHoleRespMsg.Sid {
-		xl.Warn("incorrect sid from client")
-		return
-	}
-	pool.PutBuf(sidBuf)
-
-	xl.Info("nat hole connection make success, sid [%s]", natHoleRespMsg.Sid)
-
-	// wrap kcp connection
-	var remote io.ReadWriteCloser
-	remote, err = frpNet.NewKcpConnFromUdp(lConn, true, natHoleRespMsg.ClientAddr)
-	if err != nil {
-		xl.Error("create kcp connection from udp connection error: %v", err)
-		return
-	}
-
-	fmuxCfg := fmux.DefaultConfig()
-	fmuxCfg.KeepAliveInterval = 5 * time.Second
-	fmuxCfg.LogOutput = ioutil.Discard
-	sess, err := fmux.Client(remote, fmuxCfg)
-	if err != nil {
-		xl.Error("create yamux session error: %v", err)
-		return
-	}
-	defer sess.Close()
-	muxConn, err := sess.Open()
-	if err != nil {
-		xl.Error("open yamux stream error: %v", err)
-		return
-	}
-
-	var muxConnRWCloser io.ReadWriteCloser = muxConn
-	if sv.cfg.UseEncryption {
-		muxConnRWCloser, err = frpIo.WithEncryption(muxConnRWCloser, []byte(sv.cfg.Sk))
-		if err != nil {
-			xl.Error("create encryption stream error: %v", err)
-			return
-		}
-	}
-	if sv.cfg.UseCompression {
-		muxConnRWCloser = frpIo.WithCompression(muxConnRWCloser)
-	}
-
-	frpIo.Join(userConn, muxConnRWCloser)
-	xl.Debug("join connections closed")
-}
--- a/client/visitor/stcp.go
+++ b/client/visitor/stcp.go
@@ -0,0 +1,133 @@
+// Copyright 2017 fatedier, fatedier@gmail.com
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package visitor
+
+import (
+	"io"
+	"net"
+	"strconv"
+	"time"
+
+	libio "github.com/fatedier/golib/io"
+
+	"github.com/fatedier/frp/pkg/config"
+	"github.com/fatedier/frp/pkg/msg"
+	"github.com/fatedier/frp/pkg/util/util"
+	"github.com/fatedier/frp/pkg/util/xlog"
+)
+
+type STCPVisitor struct {
+	*BaseVisitor
+
+	cfg *config.STCPVisitorConf
+}
+
+func (sv *STCPVisitor) Run() (err error) {
+	if sv.cfg.BindPort > 0 {
+		sv.l, err = net.Listen("tcp", net.JoinHostPort(sv.cfg.BindAddr, strconv.Itoa(sv.cfg.BindPort)))
+		if err != nil {
+			return
+		}
+		go sv.worker()
+	}
+
+	go sv.internalConnWorker()
+	return
+}
+
+func (sv *STCPVisitor) Close() {
+	sv.BaseVisitor.Close()
+}
+
+func (sv *STCPVisitor) worker() {
+	xl := xlog.FromContextSafe(sv.ctx)
+	for {
+		conn, err := sv.l.Accept()
+		if err != nil {
+			xl.Warn("stcp local listener closed")
+			return
+		}
+		go sv.handleConn(conn)
+	}
+}
+
+func (sv *STCPVisitor) internalConnWorker() {
+	xl := xlog.FromContextSafe(sv.ctx)
+	for {
+		conn, err := sv.internalLn.Accept()
+		if err != nil {
+			xl.Warn("stcp internal listener closed")
+			return
+		}
+		go sv.handleConn(conn)
+	}
+}
+
+func (sv *STCPVisitor) handleConn(userConn net.Conn) {
+	xl := xlog.FromContextSafe(sv.ctx)
+	defer userConn.Close()
+
+	xl.Debug("get a new stcp user connection")
+	visitorConn, err := sv.helper.ConnectServer()
+	if err != nil {
+		return
+	}
+	defer visitorConn.Close()
+
+	now := time.Now().Unix()
+	newVisitorConnMsg := &msg.NewVisitorConn{
+		RunID:          sv.helper.RunID(),
+		ProxyName:      sv.cfg.ServerName,
+		SignKey:        util.GetAuthKey(sv.cfg.Sk, now),
+		Timestamp:      now,
+		UseEncryption:  sv.cfg.UseEncryption,
+		UseCompression: sv.cfg.UseCompression,
+	}
+	err = msg.WriteMsg(visitorConn, newVisitorConnMsg)
+	if err != nil {
+		xl.Warn("send newVisitorConnMsg to server error: %v", err)
+		return
+	}
+
+	var newVisitorConnRespMsg msg.NewVisitorConnResp
+	_ = visitorConn.SetReadDeadline(time.Now().Add(10 * time.Second))
+	err = msg.ReadMsgInto(visitorConn, &newVisitorConnRespMsg)
+	if err != nil {
+		xl.Warn("get newVisitorConnRespMsg error: %v", err)
+		return
+	}
+	_ = visitorConn.SetReadDeadline(time.Time{})
+
+	if newVisitorConnRespMsg.Error != "" {
+		xl.Warn("start new visitor connection error: %s", newVisitorConnRespMsg.Error)
+		return
+	}
+
+	var remote io.ReadWriteCloser
+	remote = visitorConn
+	if sv.cfg.UseEncryption {
+		remote, err = libio.WithEncryption(remote, []byte(sv.cfg.Sk))
+		if err != nil {
+			xl.Error("create encryption stream error: %v", err)
+			return
+		}
+	}
+
+	if sv.cfg.UseCompression {
+		remote = libio.WithCompression(remote)
+	}
+
+	libio.Join(userConn, remote)
+}
--- a/client/visitor/sudp.go
+++ b/client/visitor/sudp.go
@@ -0,0 +1,264 @@
+// Copyright 2017 fatedier, fatedier@gmail.com
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package visitor
+
+import (
+	"fmt"
+	"io"
+	"net"
+	"strconv"
+	"sync"
+	"time"
+
+	"github.com/fatedier/golib/errors"
+	libio "github.com/fatedier/golib/io"
+
+	"github.com/fatedier/frp/pkg/config"
+	"github.com/fatedier/frp/pkg/msg"
+	"github.com/fatedier/frp/pkg/proto/udp"
+	utilnet "github.com/fatedier/frp/pkg/util/net"
+	"github.com/fatedier/frp/pkg/util/util"
+	"github.com/fatedier/frp/pkg/util/xlog"
+)
+
+type SUDPVisitor struct {
+	*BaseVisitor
+
+	checkCloseCh chan struct{}
+	// udpConn is the listener of udp packet
+	udpConn *net.UDPConn
+	readCh  chan *msg.UDPPacket
+	sendCh  chan *msg.UDPPacket
+
+	cfg *config.SUDPVisitorConf
+}
+
+// SUDP Run start listen a udp port
+func (sv *SUDPVisitor) Run() (err error) {
+	xl := xlog.FromContextSafe(sv.ctx)
+
+	addr, err := net.ResolveUDPAddr("udp", net.JoinHostPort(sv.cfg.BindAddr, strconv.Itoa(sv.cfg.BindPort)))
+	if err != nil {
+		return fmt.Errorf("sudp ResolveUDPAddr error: %v", err)
+	}
+
+	sv.udpConn, err = net.ListenUDP("udp", addr)
+	if err != nil {
+		return fmt.Errorf("listen udp port %s error: %v", addr.String(), err)
+	}
+
+	sv.sendCh = make(chan *msg.UDPPacket, 1024)
+	sv.readCh = make(chan *msg.UDPPacket, 1024)
+
+	xl.Info("sudp start to work, listen on %s", addr)
+
+	go sv.dispatcher()
+	go udp.ForwardUserConn(sv.udpConn, sv.readCh, sv.sendCh, int(sv.clientCfg.UDPPacketSize))
+
+	return
+}
+
+func (sv *SUDPVisitor) dispatcher() {
+	xl := xlog.FromContextSafe(sv.ctx)
+
+	var (
+		visitorConn net.Conn
+		err         error
+
+		firstPacket *msg.UDPPacket
+	)
+
+	for {
+		select {
+		case firstPacket = <-sv.sendCh:
+			if firstPacket == nil {
+				xl.Info("frpc sudp visitor proxy is closed")
+				return
+			}
+		case <-sv.checkCloseCh:
+			xl.Info("frpc sudp visitor proxy is closed")
+			return
+		}
+
+		visitorConn, err = sv.getNewVisitorConn()
+		if err != nil {
+			xl.Warn("newVisitorConn to frps error: %v, try to reconnect", err)
+			continue
+		}
+
+		// visitorConn always be closed when worker done.
+		sv.worker(visitorConn, firstPacket)
+
+		select {
+		case <-sv.checkCloseCh:
+			return
+		default:
+		}
+	}
+}
+
+func (sv *SUDPVisitor) worker(workConn net.Conn, firstPacket *msg.UDPPacket) {
+	xl := xlog.FromContextSafe(sv.ctx)
+	xl.Debug("starting sudp proxy worker")
+
+	wg := &sync.WaitGroup{}
+	wg.Add(2)
+	closeCh := make(chan struct{})
+
+	// udp service -> frpc -> frps -> frpc visitor -> user
+	workConnReaderFn := func(conn net.Conn) {
+		defer func() {
+			conn.Close()
+			close(closeCh)
+			wg.Done()
+		}()
+
+		for {
+			var (
+				rawMsg msg.Message
+				errRet error
+			)
+
+			// frpc will send heartbeat in workConn to frpc visitor for keeping alive
+			_ = conn.SetReadDeadline(time.Now().Add(60 * time.Second))
+			if rawMsg, errRet = msg.ReadMsg(conn); errRet != nil {
+				xl.Warn("read from workconn for user udp conn error: %v", errRet)
+				return
+			}
+
+			_ = conn.SetReadDeadline(time.Time{})
+			switch m := rawMsg.(type) {
+			case *msg.Ping:
+				xl.Debug("frpc visitor get ping message from frpc")
+				continue
+			case *msg.UDPPacket:
+				if errRet := errors.PanicToError(func() {
+					sv.readCh <- m
+					xl.Trace("frpc visitor get udp packet from workConn: %s", m.Content)
+				}); errRet != nil {
+					xl.Info("reader goroutine for udp work connection closed")
+					return
+				}
+			}
+		}
+	}
+
+	// udp service <- frpc <- frps <- frpc visitor <- user
+	workConnSenderFn := func(conn net.Conn) {
+		defer func() {
+			conn.Close()
+			wg.Done()
+		}()
+
+		var errRet error
+		if firstPacket != nil {
+			if errRet = msg.WriteMsg(conn, firstPacket); errRet != nil {
+				xl.Warn("sender goroutine for udp work connection closed: %v", errRet)
+				return
+			}
+			xl.Trace("send udp package to workConn: %s", firstPacket.Content)
+		}
+
+		for {
+			select {
+			case udpMsg, ok := <-sv.sendCh:
+				if !ok {
+					xl.Info("sender goroutine for udp work connection closed")
+					return
+				}
+
+				if errRet = msg.WriteMsg(conn, udpMsg); errRet != nil {
+					xl.Warn("sender goroutine for udp work connection closed: %v", errRet)
+					return
+				}
+				xl.Trace("send udp package to workConn: %s", udpMsg.Content)
+			case <-closeCh:
+				return
+			}
+		}
+	}
+
+	go workConnReaderFn(workConn)
+	go workConnSenderFn(workConn)
+
+	wg.Wait()
+	xl.Info("sudp worker is closed")
+}
+
+func (sv *SUDPVisitor) getNewVisitorConn() (net.Conn, error) {
+	xl := xlog.FromContextSafe(sv.ctx)
+	visitorConn, err := sv.helper.ConnectServer()
+	if err != nil {
+		return nil, fmt.Errorf("frpc connect frps error: %v", err)
+	}
+
+	now := time.Now().Unix()
+	newVisitorConnMsg := &msg.NewVisitorConn{
+		RunID:          sv.helper.RunID(),
+		ProxyName:      sv.cfg.ServerName,
+		SignKey:        util.GetAuthKey(sv.cfg.Sk, now),
+		Timestamp:      now,
+		UseEncryption:  sv.cfg.UseEncryption,
+		UseCompression: sv.cfg.UseCompression,
+	}
+	err = msg.WriteMsg(visitorConn, newVisitorConnMsg)
+	if err != nil {
+		return nil, fmt.Errorf("frpc send newVisitorConnMsg to frps error: %v", err)
+	}
+
+	var newVisitorConnRespMsg msg.NewVisitorConnResp
+	_ = visitorConn.SetReadDeadline(time.Now().Add(10 * time.Second))
+	err = msg.ReadMsgInto(visitorConn, &newVisitorConnRespMsg)
+	if err != nil {
+		return nil, fmt.Errorf("frpc read newVisitorConnRespMsg error: %v", err)
+	}
+	_ = visitorConn.SetReadDeadline(time.Time{})
+
+	if newVisitorConnRespMsg.Error != "" {
+		return nil, fmt.Errorf("start new visitor connection error: %s", newVisitorConnRespMsg.Error)
+	}
+
+	var remote io.ReadWriteCloser
+	remote = visitorConn
+	if sv.cfg.UseEncryption {
+		remote, err = libio.WithEncryption(remote, []byte(sv.cfg.Sk))
+		if err != nil {
+			xl.Error("create encryption stream error: %v", err)
+			return nil, err
+		}
+	}
+	if sv.cfg.UseCompression {
+		remote = libio.WithCompression(remote)
+	}
+	return utilnet.WrapReadWriteCloserToConn(remote, visitorConn), nil
+}
+
+func (sv *SUDPVisitor) Close() {
+	sv.mu.Lock()
+	defer sv.mu.Unlock()
+
+	select {
+	case <-sv.checkCloseCh:
+		return
+	default:
+		close(sv.checkCloseCh)
+	}
+	sv.BaseVisitor.Close()
+	if sv.udpConn != nil {
+		sv.udpConn.Close()
+	}
+	close(sv.readCh)
+	close(sv.sendCh)
+}
--- a/client/visitor/visitor.go
+++ b/client/visitor/visitor.go
@@ -0,0 +1,104 @@
+// Copyright 2017 fatedier, fatedier@gmail.com
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package visitor
+
+import (
+	"context"
+	"net"
+	"sync"
+
+	"github.com/fatedier/frp/pkg/config"
+	"github.com/fatedier/frp/pkg/transport"
+	utilnet "github.com/fatedier/frp/pkg/util/net"
+	"github.com/fatedier/frp/pkg/util/xlog"
+)
+
+// Helper wrapps some functions for visitor to use.
+type Helper interface {
+	// ConnectServer directly connects to the frp server.
+	ConnectServer() (net.Conn, error)
+	// TransferConn transfers the connection to another visitor.
+	TransferConn(string, net.Conn) error
+	// MsgTransporter returns the message transporter that is used to send and receive messages
+	// to the frp server through the controller.
+	MsgTransporter() transport.MessageTransporter
+	// RunID returns the run id of current controller.
+	RunID() string
+}
+
+// Visitor is used for forward traffics from local port tot remote service.
+type Visitor interface {
+	Run() error
+	AcceptConn(conn net.Conn) error
+	Close()
+}
+
+func NewVisitor(
+	ctx context.Context,
+	cfg config.VisitorConf,
+	clientCfg config.ClientCommonConf,
+	helper Helper,
+) (visitor Visitor) {
+	xl := xlog.FromContextSafe(ctx).Spawn().AppendPrefix(cfg.GetBaseConfig().ProxyName)
+	baseVisitor := BaseVisitor{
+		clientCfg:  clientCfg,
+		helper:     helper,
+		ctx:        xlog.NewContext(ctx, xl),
+		internalLn: utilnet.NewInternalListener(),
+	}
+	switch cfg := cfg.(type) {
+	case *config.STCPVisitorConf:
+		visitor = &STCPVisitor{
+			BaseVisitor: &baseVisitor,
+			cfg:         cfg,
+		}
+	case *config.XTCPVisitorConf:
+		visitor = &XTCPVisitor{
+			BaseVisitor:   &baseVisitor,
+			cfg:           cfg,
+			startTunnelCh: make(chan struct{}),
+		}
+	case *config.SUDPVisitorConf:
+		visitor = &SUDPVisitor{
+			BaseVisitor:  &baseVisitor,
+			cfg:          cfg,
+			checkCloseCh: make(chan struct{}),
+		}
+	}
+	return
+}
+
+type BaseVisitor struct {
+	clientCfg  config.ClientCommonConf
+	helper     Helper
+	l          net.Listener
+	internalLn *utilnet.InternalListener
+
+	mu  sync.RWMutex
+	ctx context.Context
+}
+
+func (v *BaseVisitor) AcceptConn(conn net.Conn) error {
+	return v.internalLn.PutConn(conn)
+}
+
+func (v *BaseVisitor) Close() {
+	if v.l != nil {
+		v.l.Close()
+	}
+	if v.internalLn != nil {
+		v.internalLn.Close()
+	}
+}
--- a/client/visitor/visitor_manager.go
+++ b/client/visitor/visitor_manager.go
@@ -0,0 +1,192 @@
+// Copyright 2018 fatedier, fatedier@gmail.com
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package visitor
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"reflect"
+	"sync"
+	"time"
+
+	"github.com/fatedier/frp/pkg/config"
+	"github.com/fatedier/frp/pkg/transport"
+	"github.com/fatedier/frp/pkg/util/xlog"
+)
+
+type Manager struct {
+	clientCfg config.ClientCommonConf
+	cfgs      map[string]config.VisitorConf
+	visitors  map[string]Visitor
+	helper    Helper
+
+	checkInterval time.Duration
+
+	mu  sync.RWMutex
+	ctx context.Context
+
+	stopCh chan struct{}
+}
+
+func NewManager(
+	ctx context.Context,
+	runID string,
+	clientCfg config.ClientCommonConf,
+	connectServer func() (net.Conn, error),
+	msgTransporter transport.MessageTransporter,
+) *Manager {
+	m := &Manager{
+		clientCfg:     clientCfg,
+		cfgs:          make(map[string]config.VisitorConf),
+		visitors:      make(map[string]Visitor),
+		checkInterval: 10 * time.Second,
+		ctx:           ctx,
+		stopCh:        make(chan struct{}),
+	}
+	m.helper = &visitorHelperImpl{
+		connectServerFn: connectServer,
+		msgTransporter:  msgTransporter,
+		transferConnFn:  m.TransferConn,
+		runID:           runID,
+	}
+	return m
+}
+
+func (vm *Manager) Run() {
+	xl := xlog.FromContextSafe(vm.ctx)
+
+	ticker := time.NewTicker(vm.checkInterval)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-vm.stopCh:
+			xl.Info("gracefully shutdown visitor manager")
+			return
+		case <-ticker.C:
+			vm.mu.Lock()
+			for _, cfg := range vm.cfgs {
+				name := cfg.GetBaseConfig().ProxyName
+				if _, exist := vm.visitors[name]; !exist {
+					xl.Info("try to start visitor [%s]", name)
+					_ = vm.startVisitor(cfg)
+				}
+			}
+			vm.mu.Unlock()
+		}
+	}
+}
+
+func (vm *Manager) Close() {
+	vm.mu.Lock()
+	defer vm.mu.Unlock()
+	for _, v := range vm.visitors {
+		v.Close()
+	}
+	select {
+	case <-vm.stopCh:
+	default:
+		close(vm.stopCh)
+	}
+}
+
+// Hold lock before calling this function.
+func (vm *Manager) startVisitor(cfg config.VisitorConf) (err error) {
+	xl := xlog.FromContextSafe(vm.ctx)
+	name := cfg.GetBaseConfig().ProxyName
+	visitor := NewVisitor(vm.ctx, cfg, vm.clientCfg, vm.helper)
+	err = visitor.Run()
+	if err != nil {
+		xl.Warn("start error: %v", err)
+	} else {
+		vm.visitors[name] = visitor
+		xl.Info("start visitor success")
+	}
+	return
+}
+
+func (vm *Manager) Reload(cfgs map[string]config.VisitorConf) {
+	xl := xlog.FromContextSafe(vm.ctx)
+	vm.mu.Lock()
+	defer vm.mu.Unlock()
+
+	delNames := make([]string, 0)
+	for name, oldCfg := range vm.cfgs {
+		del := false
+		cfg, ok := cfgs[name]
+		if !ok || !reflect.DeepEqual(oldCfg, cfg) {
+			del = true
+		}
+
+		if del {
+			delNames = append(delNames, name)
+			delete(vm.cfgs, name)
+			if visitor, ok := vm.visitors[name]; ok {
+				visitor.Close()
+			}
+			delete(vm.visitors, name)
+		}
+	}
+	if len(delNames) > 0 {
+		xl.Info("visitor removed: %v", delNames)
+	}
+
+	addNames := make([]string, 0)
+	for name, cfg := range cfgs {
+		if _, ok := vm.cfgs[name]; !ok {
+			vm.cfgs[name] = cfg
+			addNames = append(addNames, name)
+			_ = vm.startVisitor(cfg)
+		}
+	}
+	if len(addNames) > 0 {
+		xl.Info("visitor added: %v", addNames)
+	}
+}
+
+// TransferConn transfers a connection to a visitor.
+func (vm *Manager) TransferConn(name string, conn net.Conn) error {
+	vm.mu.RLock()
+	defer vm.mu.RUnlock()
+	v, ok := vm.visitors[name]
+	if !ok {
+		return fmt.Errorf("visitor [%s] not found", name)
+	}
+	return v.AcceptConn(conn)
+}
+
+type visitorHelperImpl struct {
+	connectServerFn func() (net.Conn, error)
+	msgTransporter  transport.MessageTransporter
+	transferConnFn  func(name string, conn net.Conn) error
+	runID           string
+}
+
+func (v *visitorHelperImpl) ConnectServer() (net.Conn, error) {
+	return v.connectServerFn()
+}
+
+func (v *visitorHelperImpl) TransferConn(name string, conn net.Conn) error {
+	return v.transferConnFn(name, conn)
+}
+
+func (v *visitorHelperImpl) MsgTransporter() transport.MessageTransporter {
+	return v.msgTransporter
+}
+
+func (v *visitorHelperImpl) RunID() string {
+	return v.runID
+}
--- a/client/visitor/xtcp.go
+++ b/client/visitor/xtcp.go
@@ -0,0 +1,455 @@
+// Copyright 2017 fatedier, fatedier@gmail.com
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package visitor
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"net"
+	"strconv"
+	"sync"
+	"time"
+
+	libio "github.com/fatedier/golib/io"
+	fmux "github.com/hashicorp/yamux"
+	quic "github.com/quic-go/quic-go"
+	"golang.org/x/time/rate"
+
+	"github.com/fatedier/frp/pkg/config"
+	"github.com/fatedier/frp/pkg/msg"
+	"github.com/fatedier/frp/pkg/nathole"
+	"github.com/fatedier/frp/pkg/transport"
+	utilnet "github.com/fatedier/frp/pkg/util/net"
+	"github.com/fatedier/frp/pkg/util/util"
+	"github.com/fatedier/frp/pkg/util/xlog"
+)
+
+var ErrNoTunnelSession = errors.New("no tunnel session")
+
+type XTCPVisitor struct {
+	*BaseVisitor
+	session       TunnelSession
+	startTunnelCh chan struct{}
+	retryLimiter  *rate.Limiter
+	cancel        context.CancelFunc
+
+	cfg *config.XTCPVisitorConf
+}
+
+func (sv *XTCPVisitor) Run() (err error) {
+	sv.ctx, sv.cancel = context.WithCancel(sv.ctx)
+
+	if sv.cfg.Protocol == "kcp" {
+		sv.session = NewKCPTunnelSession()
+	} else {
+		sv.session = NewQUICTunnelSession(&sv.clientCfg)
+	}
+
+	if sv.cfg.BindPort > 0 {
+		sv.l, err = net.Listen("tcp", net.JoinHostPort(sv.cfg.BindAddr, strconv.Itoa(sv.cfg.BindPort)))
+		if err != nil {
+			return
+		}
+		go sv.worker()
+	}
+
+	go sv.internalConnWorker()
+	go sv.processTunnelStartEvents()
+	if sv.cfg.KeepTunnelOpen {
+		sv.retryLimiter = rate.NewLimiter(rate.Every(time.Hour/time.Duration(sv.cfg.MaxRetriesAnHour)), sv.cfg.MaxRetriesAnHour)
+		go sv.keepTunnelOpenWorker()
+	}
+	return
+}
+
+func (sv *XTCPVisitor) Close() {
+	sv.mu.Lock()
+	defer sv.mu.Unlock()
+	sv.BaseVisitor.Close()
+	if sv.cancel != nil {
+		sv.cancel()
+	}
+	if sv.session != nil {
+		sv.session.Close()
+	}
+}
+
+func (sv *XTCPVisitor) worker() {
+	xl := xlog.FromContextSafe(sv.ctx)
+	for {
+		conn, err := sv.l.Accept()
+		if err != nil {
+			xl.Warn("xtcp local listener closed")
+			return
+		}
+		go sv.handleConn(conn)
+	}
+}
+
+func (sv *XTCPVisitor) internalConnWorker() {
+	xl := xlog.FromContextSafe(sv.ctx)
+	for {
+		conn, err := sv.internalLn.Accept()
+		if err != nil {
+			xl.Warn("xtcp internal listener closed")
+			return
+		}
+		go sv.handleConn(conn)
+	}
+}
+
+func (sv *XTCPVisitor) processTunnelStartEvents() {
+	for {
+		select {
+		case <-sv.ctx.Done():
+			return
+		case <-sv.startTunnelCh:
+			start := time.Now()
+			sv.makeNatHole()
+			duration := time.Since(start)
+			// avoid too frequently
+			if duration < 10*time.Second {
+				time.Sleep(10*time.Second - duration)
+			}
+		}
+	}
+}
+
+func (sv *XTCPVisitor) keepTunnelOpenWorker() {
+	xl := xlog.FromContextSafe(sv.ctx)
+	ticker := time.NewTicker(time.Duration(sv.cfg.MinRetryInterval) * time.Second)
+	defer ticker.Stop()
+
+	sv.startTunnelCh <- struct{}{}
+	for {
+		select {
+		case <-sv.ctx.Done():
+			return
+		case <-ticker.C:
+			xl.Debug("keepTunnelOpenWorker try to check tunnel...")
+			conn, err := sv.getTunnelConn()
+			if err != nil {
+				xl.Warn("keepTunnelOpenWorker get tunnel connection error: %v", err)
+				_ = sv.retryLimiter.Wait(sv.ctx)
+				continue
+			}
+			xl.Debug("keepTunnelOpenWorker check success")
+			if conn != nil {
+				conn.Close()
+			}
+		}
+	}
+}
+
+func (sv *XTCPVisitor) handleConn(userConn net.Conn) {
+	xl := xlog.FromContextSafe(sv.ctx)
+	isConnTrasfered := false
+	defer func() {
+		if !isConnTrasfered {
+			userConn.Close()
+		}
+	}()
+
+	xl.Debug("get a new xtcp user connection")
+
+	// Open a tunnel connection to the server. If there is already a successful hole-punching connection,
+	// it will be reused. Otherwise, it will block and wait for a successful hole-punching connection until timeout.
+	ctx := context.Background()
+	if sv.cfg.FallbackTo != "" {
+		timeoutCtx, cancel := context.WithTimeout(ctx, time.Duration(sv.cfg.FallbackTimeoutMs)*time.Millisecond)
+		defer cancel()
+		ctx = timeoutCtx
+	}
+	tunnelConn, err := sv.openTunnel(ctx)
+	if err != nil {
+		xl.Error("open tunnel error: %v", err)
+		// no fallback, just return
+		if sv.cfg.FallbackTo == "" {
+			return
+		}
+
+		xl.Debug("try to transfer connection to visitor: %s", sv.cfg.FallbackTo)
+		if err := sv.helper.TransferConn(sv.cfg.FallbackTo, userConn); err != nil {
+			xl.Error("transfer connection to visitor %s error: %v", sv.cfg.FallbackTo, err)
+			return
+		}
+		isConnTrasfered = true
+		return
+	}
+
+	var muxConnRWCloser io.ReadWriteCloser = tunnelConn
+	if sv.cfg.UseEncryption {
+		muxConnRWCloser, err = libio.WithEncryption(muxConnRWCloser, []byte(sv.cfg.Sk))
+		if err != nil {
+			xl.Error("create encryption stream error: %v", err)
+			return
+		}
+	}
+	if sv.cfg.UseCompression {
+		muxConnRWCloser = libio.WithCompression(muxConnRWCloser)
+	}
+
+	_, _, errs := libio.Join(userConn, muxConnRWCloser)
+	xl.Debug("join connections closed")
+	if len(errs) > 0 {
+		xl.Trace("join connections errors: %v", errs)
+	}
+}
+
+// openTunnel will open a tunnel connection to the target server.
+func (sv *XTCPVisitor) openTunnel(ctx context.Context) (conn net.Conn, err error) {
+	xl := xlog.FromContextSafe(sv.ctx)
+	ticker := time.NewTicker(500 * time.Millisecond)
+	defer ticker.Stop()
+
+	timeoutC := time.After(20 * time.Second)
+	immediateTrigger := make(chan struct{}, 1)
+	defer close(immediateTrigger)
+	immediateTrigger <- struct{}{}
+
+	for {
+		select {
+		case <-sv.ctx.Done():
+			return nil, sv.ctx.Err()
+		case <-ctx.Done():
+			return nil, ctx.Err()
+		case <-immediateTrigger:
+			conn, err = sv.getTunnelConn()
+		case <-ticker.C:
+			conn, err = sv.getTunnelConn()
+		case <-timeoutC:
+			return nil, fmt.Errorf("open tunnel timeout")
+		}
+
+		if err != nil {
+			if err != ErrNoTunnelSession {
+				xl.Warn("get tunnel connection error: %v", err)
+			}
+			continue
+		}
+		return conn, nil
+	}
+}
+
+func (sv *XTCPVisitor) getTunnelConn() (net.Conn, error) {
+	conn, err := sv.session.OpenConn(sv.ctx)
+	if err == nil {
+		return conn, nil
+	}
+	sv.session.Close()
+
+	select {
+	case sv.startTunnelCh <- struct{}{}:
+	default:
+	}
+	return nil, err
+}
+
+// 0. PreCheck
+// 1. Prepare
+// 2. ExchangeInfo
+// 3. MakeNATHole
+// 4. Create a tunnel session using an underlying UDP connection.
+func (sv *XTCPVisitor) makeNatHole() {
+	xl := xlog.FromContextSafe(sv.ctx)
+	xl.Trace("makeNatHole start")
+	if err := nathole.PreCheck(sv.ctx, sv.helper.MsgTransporter(), sv.cfg.ServerName, 5*time.Second); err != nil {
+		xl.Warn("nathole precheck error: %v", err)
+		return
+	}
+
+	xl.Trace("nathole prepare start")
+	prepareResult, err := nathole.Prepare([]string{sv.clientCfg.NatHoleSTUNServer})
+	if err != nil {
+		xl.Warn("nathole prepare error: %v", err)
+		return
+	}
+	xl.Info("nathole prepare success, nat type: %s, behavior: %s, addresses: %v, assistedAddresses: %v",
+		prepareResult.NatType, prepareResult.Behavior, prepareResult.Addrs, prepareResult.AssistedAddrs)
+
+	listenConn := prepareResult.ListenConn
+
+	// send NatHoleVisitor to server
+	now := time.Now().Unix()
+	transactionID := nathole.NewTransactionID()
+	natHoleVisitorMsg := &msg.NatHoleVisitor{
+		TransactionID: transactionID,
+		ProxyName:     sv.cfg.ServerName,
+		Protocol:      sv.cfg.Protocol,
+		SignKey:       util.GetAuthKey(sv.cfg.Sk, now),
+		Timestamp:     now,
+		MappedAddrs:   prepareResult.Addrs,
+		AssistedAddrs: prepareResult.AssistedAddrs,
+	}
+
+	xl.Trace("nathole exchange info start")
+	natHoleRespMsg, err := nathole.ExchangeInfo(sv.ctx, sv.helper.MsgTransporter(), transactionID, natHoleVisitorMsg, 5*time.Second)
+	if err != nil {
+		listenConn.Close()
+		xl.Warn("nathole exchange info error: %v", err)
+		return
+	}
+
+	xl.Info("get natHoleRespMsg, sid [%s], protocol [%s], candidate address %v, assisted address %v, detectBehavior: %+v",
+		natHoleRespMsg.Sid, natHoleRespMsg.Protocol, natHoleRespMsg.CandidateAddrs,
+		natHoleRespMsg.AssistedAddrs, natHoleRespMsg.DetectBehavior)
+
+	newListenConn, raddr, err := nathole.MakeHole(sv.ctx, listenConn, natHoleRespMsg, []byte(sv.cfg.Sk))
+	if err != nil {
+		listenConn.Close()
+		xl.Warn("make hole error: %v", err)
+		return
+	}
+	listenConn = newListenConn
+	xl.Info("establishing nat hole connection successful, sid [%s], remoteAddr [%s]", natHoleRespMsg.Sid, raddr)
+
+	if err := sv.session.Init(listenConn, raddr); err != nil {
+		listenConn.Close()
+		xl.Warn("init tunnel session error: %v", err)
+		return
+	}
+}
+
+type TunnelSession interface {
+	Init(listenConn *net.UDPConn, raddr *net.UDPAddr) error
+	OpenConn(context.Context) (net.Conn, error)
+	Close()
+}
+
+type KCPTunnelSession struct {
+	session *fmux.Session
+	lConn   *net.UDPConn
+	mu      sync.RWMutex
+}
+
+func NewKCPTunnelSession() TunnelSession {
+	return &KCPTunnelSession{}
+}
+
+func (ks *KCPTunnelSession) Init(listenConn *net.UDPConn, raddr *net.UDPAddr) error {
+	listenConn.Close()
+	laddr, _ := net.ResolveUDPAddr("udp", listenConn.LocalAddr().String())
+	lConn, err := net.DialUDP("udp", laddr, raddr)
+	if err != nil {
+		return fmt.Errorf("dial udp error: %v", err)
+	}
+	remote, err := utilnet.NewKCPConnFromUDP(lConn, true, raddr.String())
+	if err != nil {
+		return fmt.Errorf("create kcp connection from udp connection error: %v", err)
+	}
+
+	fmuxCfg := fmux.DefaultConfig()
+	fmuxCfg.KeepAliveInterval = 10 * time.Second
+	fmuxCfg.MaxStreamWindowSize = 6 * 1024 * 1024
+	fmuxCfg.LogOutput = io.Discard
+	session, err := fmux.Client(remote, fmuxCfg)
+	if err != nil {
+		remote.Close()
+		return fmt.Errorf("initial client session error: %v", err)
+	}
+	ks.mu.Lock()
+	ks.session = session
+	ks.lConn = lConn
+	ks.mu.Unlock()
+	return nil
+}
+
+func (ks *KCPTunnelSession) OpenConn(ctx context.Context) (net.Conn, error) {
+	ks.mu.RLock()
+	defer ks.mu.RUnlock()
+	session := ks.session
+	if session == nil {
+		return nil, ErrNoTunnelSession
+	}
+	return session.Open()
+}
+
+func (ks *KCPTunnelSession) Close() {
+	ks.mu.Lock()
+	defer ks.mu.Unlock()
+	if ks.session != nil {
+		_ = ks.session.Close()
+		ks.session = nil
+	}
+	if ks.lConn != nil {
+		_ = ks.lConn.Close()
+		ks.lConn = nil
+	}
+}
+
+type QUICTunnelSession struct {
+	session    quic.Connection
+	listenConn *net.UDPConn
+	mu         sync.RWMutex
+
+	clientCfg *config.ClientCommonConf
+}
+
+func NewQUICTunnelSession(clientCfg *config.ClientCommonConf) TunnelSession {
+	return &QUICTunnelSession{
+		clientCfg: clientCfg,
+	}
+}
+
+func (qs *QUICTunnelSession) Init(listenConn *net.UDPConn, raddr *net.UDPAddr) error {
+	tlsConfig, err := transport.NewClientTLSConfig("", "", "", raddr.String())
+	if err != nil {
+		return fmt.Errorf("create tls config error: %v", err)
+	}
+	tlsConfig.NextProtos = []string{"frp"}
+	quicConn, err := quic.Dial(listenConn, raddr, raddr.String(), tlsConfig,
+		&quic.Config{
+			MaxIdleTimeout:     time.Duration(qs.clientCfg.QUICMaxIdleTimeout) * time.Second,
+			MaxIncomingStreams: int64(qs.clientCfg.QUICMaxIncomingStreams),
+			KeepAlivePeriod:    time.Duration(qs.clientCfg.QUICKeepalivePeriod) * time.Second,
+		})
+	if err != nil {
+		return fmt.Errorf("dial quic error: %v", err)
+	}
+	qs.mu.Lock()
+	qs.session = quicConn
+	qs.listenConn = listenConn
+	qs.mu.Unlock()
+	return nil
+}
+
+func (qs *QUICTunnelSession) OpenConn(ctx context.Context) (net.Conn, error) {
+	qs.mu.RLock()
+	defer qs.mu.RUnlock()
+	session := qs.session
+	if session == nil {
+		return nil, ErrNoTunnelSession
+	}
+	stream, err := session.OpenStreamSync(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return utilnet.QuicStreamToNetConn(stream, session), nil
+}
+
+func (qs *QUICTunnelSession) Close() {
+	qs.mu.Lock()
+	defer qs.mu.Unlock()
+	if qs.session != nil {
+		_ = qs.session.CloseWithError(0, "")
+		qs.session = nil
+	}
+	if qs.listenConn != nil {
+		_ = qs.listenConn.Close()
+		qs.listenConn = nil
+	}
+}
--- a/client/visitor_manager.go
+++ b/client/visitor_manager.go
@@ -1,129 +0,0 @@
-// Copyright 2018 fatedier, fatedier@gmail.com
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package client
-
-import (
-	"context"
-	"sync"
-	"time"
-
-	"github.com/fatedier/frp/models/config"
-	"github.com/fatedier/frp/utils/xlog"
-)
-
-type VisitorManager struct {
-	ctl *Control
-
-	cfgs     map[string]config.VisitorConf
-	visitors map[string]Visitor
-
-	checkInterval time.Duration
-
-	mu  sync.Mutex
-	ctx context.Context
-}
-
-func NewVisitorManager(ctx context.Context, ctl *Control) *VisitorManager {
-	return &VisitorManager{
-		ctl:           ctl,
-		cfgs:          make(map[string]config.VisitorConf),
-		visitors:      make(map[string]Visitor),
-		checkInterval: 10 * time.Second,
-		ctx:           ctx,
-	}
-}
-
-func (vm *VisitorManager) Run() {
-	xl := xlog.FromContextSafe(vm.ctx)
-	for {
-		time.Sleep(vm.checkInterval)
-		vm.mu.Lock()
-		for _, cfg := range vm.cfgs {
-			name := cfg.GetBaseInfo().ProxyName
-			if _, exist := vm.visitors[name]; !exist {
-				xl.Info("try to start visitor [%s]", name)
-				vm.startVisitor(cfg)
-			}
-		}
-		vm.mu.Unlock()
-	}
-}
-
-// Hold lock before calling this function.
-func (vm *VisitorManager) startVisitor(cfg config.VisitorConf) (err error) {
-	xl := xlog.FromContextSafe(vm.ctx)
-	name := cfg.GetBaseInfo().ProxyName
-	visitor := NewVisitor(vm.ctx, vm.ctl, cfg)
-	err = visitor.Run()
-	if err != nil {
-		xl.Warn("start error: %v", err)
-	} else {
-		vm.visitors[name] = visitor
-		xl.Info("start visitor success")
-	}
-	return
-}
-
-func (vm *VisitorManager) Reload(cfgs map[string]config.VisitorConf) {
-	xl := xlog.FromContextSafe(vm.ctx)
-	vm.mu.Lock()
-	defer vm.mu.Unlock()
-
-	delNames := make([]string, 0)
-	for name, oldCfg := range vm.cfgs {
-		del := false
-		cfg, ok := cfgs[name]
-		if !ok {
-			del = true
-		} else {
-			if !oldCfg.Compare(cfg) {
-				del = true
-			}
-		}
-
-		if del {
-			delNames = append(delNames, name)
-			delete(vm.cfgs, name)
-			if visitor, ok := vm.visitors[name]; ok {
-				visitor.Close()
-			}
-			delete(vm.visitors, name)
-		}
-	}
-	if len(delNames) > 0 {
-		xl.Info("visitor removed: %v", delNames)
-	}
-
-	addNames := make([]string, 0)
-	for name, cfg := range cfgs {
-		if _, ok := vm.cfgs[name]; !ok {
-			vm.cfgs[name] = cfg
-			addNames = append(addNames, name)
-			vm.startVisitor(cfg)
-		}
-	}
-	if len(addNames) > 0 {
-		xl.Info("visitor added: %v", addNames)
-	}
-	return
-}
-
-func (vm *VisitorManager) Close() {
-	vm.mu.Lock()
-	defer vm.mu.Unlock()
-	for _, v := range vm.visitors {
-		v.Close()
-	}
-}
--- a/cmd/frpc/main.go
+++ b/cmd/frpc/main.go
@@ -15,18 +15,10 @@
 package main

 import (
-	"math/rand"
-	"time"
-
-	_ "github.com/fatedier/frp/assets/frpc/statik"
+	_ "github.com/fatedier/frp/assets/frpc"
 	"github.com/fatedier/frp/cmd/frpc/sub"
-
-	"github.com/fatedier/golib/crypto"
 )

 func main() {
-	crypto.DefaultSalt = "frp"
-	rand.Seed(time.Now().UnixNano())
-
 	sub.Execute()
 }
--- a/cmd/frpc/sub/http.go
+++ b/cmd/frpc/sub/http.go
@@ -21,22 +21,15 @@ import (

 	"github.com/spf13/cobra"

-	"github.com/fatedier/frp/models/config"
-	"github.com/fatedier/frp/models/consts"
+	"github.com/fatedier/frp/pkg/config"
+	"github.com/fatedier/frp/pkg/consts"
 )

 func init() {
-	httpCmd.PersistentFlags().StringVarP(&serverAddr, "server_addr", "s", "127.0.0.1:7000", "frp server's address")
-	httpCmd.PersistentFlags().StringVarP(&user, "user", "u", "", "user")
-	httpCmd.PersistentFlags().StringVarP(&protocol, "protocol", "p", "tcp", "tcp or kcp or websocket")
-	httpCmd.PersistentFlags().StringVarP(&token, "token", "t", "", "auth token")
-	httpCmd.PersistentFlags().StringVarP(&logLevel, "log_level", "", "info", "log level")
-	httpCmd.PersistentFlags().StringVarP(&logFile, "log_file", "", "console", "console or file path")
-	httpCmd.PersistentFlags().IntVarP(&logMaxDays, "log_max_days", "", 3, "log file reversed days")
-	httpCmd.PersistentFlags().BoolVarP(&disableLogColor, "disable_log_color", "", false, "disable log color in console")
+	RegisterCommonFlags(httpCmd)

 	httpCmd.PersistentFlags().StringVarP(&proxyName, "proxy_name", "n", "", "proxy name")
-	httpCmd.PersistentFlags().StringVarP(&localIp, "local_ip", "i", "127.0.0.1", "local ip")
+	httpCmd.PersistentFlags().StringVarP(&localIP, "local_ip", "i", "127.0.0.1", "local ip")
 	httpCmd.PersistentFlags().IntVarP(&localPort, "local_port", "l", 0, "local port")
 	httpCmd.PersistentFlags().StringVarP(&customDomains, "custom_domain", "d", "", "custom domain")
 	httpCmd.PersistentFlags().StringVarP(&subDomain, "sd", "", "", "sub domain")
@@ -46,6 +39,8 @@ func init() {
 	httpCmd.PersistentFlags().StringVarP(&hostHeaderRewrite, "host_header_rewrite", "", "", "host header rewrite")
 	httpCmd.PersistentFlags().BoolVarP(&useEncryption, "ue", "", false, "use encryption")
 	httpCmd.PersistentFlags().BoolVarP(&useCompression, "uc", "", false, "use compression")
+	httpCmd.PersistentFlags().StringVarP(&bandwidthLimit, "bandwidth_limit", "", "", "bandwidth limit")
+	httpCmd.PersistentFlags().StringVarP(&bandwidthLimitMode, "bandwidth_limit_mode", "", config.BandwidthLimitModeClient, "bandwidth limit mode")

 	rootCmd.AddCommand(httpCmd)
 }
@@ -54,31 +49,37 @@ var httpCmd = &cobra.Command{
 	Use:   "http",
 	Short: "Run frpc with a single http proxy",
 	RunE: func(cmd *cobra.Command, args []string) error {
-		clientCfg, err := parseClientCommonCfg(CfgFileTypeCmd, "")
+		clientCfg, err := parseClientCommonCfgFromCmd()
 		if err != nil {
 			fmt.Println(err)
 			os.Exit(1)
 		}

-		cfg := &config.HttpProxyConf{}
+		cfg := &config.HTTPProxyConf{}
 		var prefix string
 		if user != "" {
 			prefix = user + "."
 		}
 		cfg.ProxyName = prefix + proxyName
-		cfg.ProxyType = consts.HttpProxy
-		cfg.LocalIp = localIp
+		cfg.ProxyType = consts.HTTPProxy
+		cfg.LocalIP = localIP
 		cfg.LocalPort = localPort
 		cfg.CustomDomains = strings.Split(customDomains, ",")
 		cfg.SubDomain = subDomain
 		cfg.Locations = strings.Split(locations, ",")
-		cfg.HttpUser = httpUser
-		cfg.HttpPwd = httpPwd
+		cfg.HTTPUser = httpUser
+		cfg.HTTPPwd = httpPwd
 		cfg.HostHeaderRewrite = hostHeaderRewrite
 		cfg.UseEncryption = useEncryption
 		cfg.UseCompression = useCompression
+		cfg.BandwidthLimit, err = config.NewBandwidthQuantity(bandwidthLimit)
+		if err != nil {
+			fmt.Println(err)
+			os.Exit(1)
+		}
+		cfg.BandwidthLimitMode = bandwidthLimitMode

-		err = cfg.CheckForCli()
+		err = cfg.ValidateForClient()
 		if err != nil {
 			fmt.Println(err)
 			os.Exit(1)
--- a/cmd/frpc/sub/https.go
+++ b/cmd/frpc/sub/https.go
@@ -21,27 +21,22 @@ import (

 	"github.com/spf13/cobra"

-	"github.com/fatedier/frp/models/config"
-	"github.com/fatedier/frp/models/consts"
+	"github.com/fatedier/frp/pkg/config"
+	"github.com/fatedier/frp/pkg/consts"
 )

 func init() {
-	httpsCmd.PersistentFlags().StringVarP(&serverAddr, "server_addr", "s", "127.0.0.1:7000", "frp server's address")
-	httpsCmd.PersistentFlags().StringVarP(&user, "user", "u", "", "user")
-	httpsCmd.PersistentFlags().StringVarP(&protocol, "protocol", "p", "tcp", "tcp or kcp or websocket")
-	httpsCmd.PersistentFlags().StringVarP(&token, "token", "t", "", "auth token")
-	httpsCmd.PersistentFlags().StringVarP(&logLevel, "log_level", "", "info", "log level")
-	httpsCmd.PersistentFlags().StringVarP(&logFile, "log_file", "", "console", "console or file path")
-	httpsCmd.PersistentFlags().IntVarP(&logMaxDays, "log_max_days", "", 3, "log file reversed days")
-	httpsCmd.PersistentFlags().BoolVarP(&disableLogColor, "disable_log_color", "", false, "disable log color in console")
+	RegisterCommonFlags(httpsCmd)

 	httpsCmd.PersistentFlags().StringVarP(&proxyName, "proxy_name", "n", "", "proxy name")
-	httpsCmd.PersistentFlags().StringVarP(&localIp, "local_ip", "i", "127.0.0.1", "local ip")
+	httpsCmd.PersistentFlags().StringVarP(&localIP, "local_ip", "i", "127.0.0.1", "local ip")
 	httpsCmd.PersistentFlags().IntVarP(&localPort, "local_port", "l", 0, "local port")
 	httpsCmd.PersistentFlags().StringVarP(&customDomains, "custom_domain", "d", "", "custom domain")
 	httpsCmd.PersistentFlags().StringVarP(&subDomain, "sd", "", "", "sub domain")
 	httpsCmd.PersistentFlags().BoolVarP(&useEncryption, "ue", "", false, "use encryption")
 	httpsCmd.PersistentFlags().BoolVarP(&useCompression, "uc", "", false, "use compression")
+	httpsCmd.PersistentFlags().StringVarP(&bandwidthLimit, "bandwidth_limit", "", "", "bandwidth limit")
+	httpsCmd.PersistentFlags().StringVarP(&bandwidthLimitMode, "bandwidth_limit_mode", "", config.BandwidthLimitModeClient, "bandwidth limit mode")

 	rootCmd.AddCommand(httpsCmd)
 }
@@ -50,27 +45,33 @@ var httpsCmd = &cobra.Command{
 	Use:   "https",
 	Short: "Run frpc with a single https proxy",
 	RunE: func(cmd *cobra.Command, args []string) error {
-		clientCfg, err := parseClientCommonCfg(CfgFileTypeCmd, "")
+		clientCfg, err := parseClientCommonCfgFromCmd()
 		if err != nil {
 			fmt.Println(err)
 			os.Exit(1)
 		}

-		cfg := &config.HttpsProxyConf{}
+		cfg := &config.HTTPSProxyConf{}
 		var prefix string
 		if user != "" {
 			prefix = user + "."
 		}
 		cfg.ProxyName = prefix + proxyName
-		cfg.ProxyType = consts.HttpsProxy
-		cfg.LocalIp = localIp
+		cfg.ProxyType = consts.HTTPSProxy
+		cfg.LocalIP = localIP
 		cfg.LocalPort = localPort
 		cfg.CustomDomains = strings.Split(customDomains, ",")
 		cfg.SubDomain = subDomain
 		cfg.UseEncryption = useEncryption
 		cfg.UseCompression = useCompression
+		cfg.BandwidthLimit, err = config.NewBandwidthQuantity(bandwidthLimit)
+		if err != nil {
+			fmt.Println(err)
+			os.Exit(1)
+		}
+		cfg.BandwidthLimitMode = bandwidthLimitMode

-		err = cfg.CheckForCli()
+		err = cfg.ValidateForClient()
 		if err != nil {
 			fmt.Println(err)
 			os.Exit(1)
--- a/cmd/frpc/sub/nathole.go
+++ b/cmd/frpc/sub/nathole.go
@@ -0,0 +1,97 @@
+// Copyright 2023 The frp Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package sub
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/spf13/cobra"
+
+	"github.com/fatedier/frp/pkg/config"
+	"github.com/fatedier/frp/pkg/nathole"
+)
+
+var (
+	natHoleSTUNServer string
+	natHoleLocalAddr  string
+)
+
+func init() {
+	RegisterCommonFlags(natholeCmd)
+
+	rootCmd.AddCommand(natholeCmd)
+	natholeCmd.AddCommand(natholeDiscoveryCmd)
+
+	natholeCmd.PersistentFlags().StringVarP(&natHoleSTUNServer, "nat_hole_stun_server", "", "", "STUN server address for nathole")
+	natholeCmd.PersistentFlags().StringVarP(&natHoleLocalAddr, "nat_hole_local_addr", "l", "", "local address to connect STUN server")
+}
+
+var natholeCmd = &cobra.Command{
+	Use:   "nathole",
+	Short: "Actions about nathole",
+}
+
+var natholeDiscoveryCmd = &cobra.Command{
+	Use:   "discover",
+	Short: "Discover nathole information from stun server",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		// ignore error here, because we can use command line pameters
+		cfg, _, _, err := config.ParseClientConfig(cfgFile)
+		if err != nil {
+			cfg = config.GetDefaultClientConf()
+		}
+		if natHoleSTUNServer != "" {
+			cfg.NatHoleSTUNServer = natHoleSTUNServer
+		}
+
+		if err := validateForNatHoleDiscovery(cfg); err != nil {
+			fmt.Println(err)
+			os.Exit(1)
+		}
+
+		addrs, localAddr, err := nathole.Discover([]string{cfg.NatHoleSTUNServer}, natHoleLocalAddr)
+		if err != nil {
+			fmt.Println("discover error:", err)
+			os.Exit(1)
+		}
+		if len(addrs) < 2 {
+			fmt.Printf("discover error: can not get enough addresses, need 2, got: %v\n", addrs)
+			os.Exit(1)
+		}
+
+		localIPs, _ := nathole.ListLocalIPsForNatHole(10)
+
+		natFeature, err := nathole.ClassifyNATFeature(addrs, localIPs)
+		if err != nil {
+			fmt.Println("classify nat feature error:", err)
+			os.Exit(1)
+		}
+		fmt.Println("STUN server:", cfg.NatHoleSTUNServer)
+		fmt.Println("Your NAT type is:", natFeature.NatType)
+		fmt.Println("Behavior is:", natFeature.Behavior)
+		fmt.Println("External address is:", addrs)
+		fmt.Println("Local address is:", localAddr.String())
+		fmt.Println("Public Network:", natFeature.PublicNetwork)
+		return nil
+	},
+}
+
+func validateForNatHoleDiscovery(cfg config.ClientCommonConf) error {
+	if cfg.NatHoleSTUNServer == "" {
+		return fmt.Errorf("nat_hole_stun_server can not be empty")
+	}
+	return nil
+}
--- a/cmd/frpc/sub/reload.go
+++ b/cmd/frpc/sub/reload.go
@@ -17,14 +17,14 @@ package sub
 import (
 	"encoding/base64"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"os"
 	"strings"

 	"github.com/spf13/cobra"

-	"github.com/fatedier/frp/models/config"
+	"github.com/fatedier/frp/pkg/config"
 )

 func init() {
@@ -35,19 +35,13 @@ var reloadCmd = &cobra.Command{
 	Use:   "reload",
 	Short: "Hot-Reload frpc configuration",
 	RunE: func(cmd *cobra.Command, args []string) error {
-		iniContent, err := config.GetRenderedConfFromFile(cfgFile)
+		cfg, _, _, err := config.ParseClientConfig(cfgFile)
 		if err != nil {
 			fmt.Println(err)
 			os.Exit(1)
 		}

-		clientCfg, err := parseClientCommonCfg(CfgFileTypeIni, iniContent)
-		if err != nil {
-			fmt.Println(err)
-			os.Exit(1)
-		}
-
-		err = reload(clientCfg)
+		err = reload(cfg)
 		if err != nil {
 			fmt.Printf("frpc reload error: %v\n", err)
 			os.Exit(1)
@@ -82,7 +76,7 @@ func reload(clientCfg config.ClientCommonConf) error {
 		return nil
 	}

-	body, err := ioutil.ReadAll(resp.Body)
+	body, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return err
 	}
--- a/cmd/frpc/sub/root.go
+++ b/cmd/frpc/sub/root.go
@@ -15,23 +15,24 @@
 package sub

 import (
-	"context"
 	"fmt"
+	"io/fs"
 	"net"
 	"os"
 	"os/signal"
+	"path/filepath"
 	"strconv"
-	"strings"
+	"sync"
 	"syscall"
 	"time"

 	"github.com/spf13/cobra"

 	"github.com/fatedier/frp/client"
-	"github.com/fatedier/frp/models/auth"
-	"github.com/fatedier/frp/models/config"
-	"github.com/fatedier/frp/utils/log"
-	"github.com/fatedier/frp/utils/version"
+	"github.com/fatedier/frp/pkg/auth"
+	"github.com/fatedier/frp/pkg/config"
+	"github.com/fatedier/frp/pkg/util/log"
+	"github.com/fatedier/frp/pkg/util/version"
 )

 const (
@@ -41,6 +42,7 @@ const (

 var (
 	cfgFile     string
+	cfgDir      string
 	showVersion bool

 	serverAddr      string
@@ -51,34 +53,49 @@ var (
 	logFile         string
 	logMaxDays      int
 	disableLogColor bool
+	dnsServer       string

-	proxyName         string
-	localIp           string
-	localPort         int
-	remotePort        int
-	useEncryption     bool
-	useCompression    bool
-	customDomains     string
-	subDomain         string
-	httpUser          string
-	httpPwd           string
-	locations         string
-	hostHeaderRewrite string
-	role              string
-	sk                string
-	multiplexer       string
-	serverName        string
-	bindAddr          string
-	bindPort          int
+	proxyName          string
+	localIP            string
+	localPort          int
+	remotePort         int
+	useEncryption      bool
+	useCompression     bool
+	bandwidthLimit     string
+	bandwidthLimitMode string
+	customDomains      string
+	subDomain          string
+	httpUser           string
+	httpPwd            string
+	locations          string
+	hostHeaderRewrite  string
+	role               string
+	sk                 string
+	multiplexer        string
+	serverName         string
+	bindAddr           string
+	bindPort           int

-	kcpDoneCh chan struct{}
+	tlsEnable bool
 )

 func init() {
 	rootCmd.PersistentFlags().StringVarP(&cfgFile, "config", "c", "./frpc.ini", "config file of frpc")
+	rootCmd.PersistentFlags().StringVarP(&cfgDir, "config_dir", "", "", "config directory, run one frpc service for each file in config directory")
 	rootCmd.PersistentFlags().BoolVarP(&showVersion, "version", "v", false, "version of frpc")
+}

-	kcpDoneCh = make(chan struct{})
+func RegisterCommonFlags(cmd *cobra.Command) {
+	cmd.PersistentFlags().StringVarP(&serverAddr, "server_addr", "s", "127.0.0.1:7000", "frp server's address")
+	cmd.PersistentFlags().StringVarP(&user, "user", "u", "", "user")
+	cmd.PersistentFlags().StringVarP(&protocol, "protocol", "p", "tcp", "tcp or kcp or websocket")
+	cmd.PersistentFlags().StringVarP(&token, "token", "t", "", "auth token")
+	cmd.PersistentFlags().StringVarP(&logLevel, "log_level", "", "info", "log level")
+	cmd.PersistentFlags().StringVarP(&logFile, "log_file", "", "console", "console or file path")
+	cmd.PersistentFlags().IntVarP(&logMaxDays, "log_max_days", "", 3, "log file reversed days")
+	cmd.PersistentFlags().BoolVarP(&disableLogColor, "disable_log_color", "", false, "disable log color in console")
+	cmd.PersistentFlags().BoolVarP(&tlsEnable, "tls_enable", "", true, "enable frpc tls")
+	cmd.PersistentFlags().StringVarP(&dnsServer, "dns_server", "", "", "specify dns server instead of using system default one")
 }

 var rootCmd = &cobra.Command{
@@ -90,70 +107,70 @@ var rootCmd = &cobra.Command{
 			return nil
 		}

+		// If cfgDir is not empty, run multiple frpc service for each config file in cfgDir.
+		// Note that it's only designed for testing. It's not guaranteed to be stable.
+		if cfgDir != "" {
+			_ = runMultipleClients(cfgDir)
+			return nil
+		}
+
 		// Do not show command usage here.
 		err := runClient(cfgFile)
 		if err != nil {
-			fmt.Println(err)
 			os.Exit(1)
 		}
 		return nil
 	},
 }

+func runMultipleClients(cfgDir string) error {
+	var wg sync.WaitGroup
+	err := filepath.WalkDir(cfgDir, func(path string, d fs.DirEntry, err error) error {
+		if err != nil || d.IsDir() {
+			return nil
+		}
+		wg.Add(1)
+		time.Sleep(time.Millisecond)
+		go func() {
+			defer wg.Done()
+			err := runClient(path)
+			if err != nil {
+				fmt.Printf("frpc service error for config file [%s]\n", path)
+			}
+		}()
+		return nil
+	})
+	wg.Wait()
+	return err
+}
+
 func Execute() {
 	if err := rootCmd.Execute(); err != nil {
 		os.Exit(1)
 	}
 }

-func handleSignal(svr *client.Service) {
-	ch := make(chan os.Signal)
+func handleSignal(svr *client.Service, doneCh chan struct{}) {
+	ch := make(chan os.Signal, 1)
 	signal.Notify(ch, syscall.SIGINT, syscall.SIGTERM)
 	<-ch
-	svr.Close()
-	time.Sleep(250 * time.Millisecond)
-	close(kcpDoneCh)
-}
-
-func parseClientCommonCfg(fileType int, content string) (cfg config.ClientCommonConf, err error) {
-	if fileType == CfgFileTypeIni {
-		cfg, err = parseClientCommonCfgFromIni(content)
-	} else if fileType == CfgFileTypeCmd {
-		cfg, err = parseClientCommonCfgFromCmd()
-	}
-	if err != nil {
-		return
-	}
-
-	err = cfg.Check()
-	if err != nil {
-		return
-	}
-	return
-}
-
-func parseClientCommonCfgFromIni(content string) (config.ClientCommonConf, error) {
-	cfg, err := config.UnmarshalClientConfFromIni(content)
-	if err != nil {
-		return config.ClientCommonConf{}, err
-	}
-	return cfg, err
+	svr.GracefulClose(500 * time.Millisecond)
+	close(doneCh)
 }

 func parseClientCommonCfgFromCmd() (cfg config.ClientCommonConf, err error) {
 	cfg = config.GetDefaultClientConf()

-	strs := strings.Split(serverAddr, ":")
-	if len(strs) < 2 {
-		err = fmt.Errorf("invalid server_addr")
+	ipStr, portStr, err := net.SplitHostPort(serverAddr)
+	if err != nil {
+		err = fmt.Errorf("invalid server_addr: %v", err)
 		return
 	}
-	if strs[0] != "" {
-		cfg.ServerAddr = strs[0]
-	}
-	cfg.ServerPort, err = strconv.Atoi(strs[1])
+
+	cfg.ServerAddr = ipStr
+	cfg.ServerPort, err = strconv.Atoi(portStr)
 	if err != nil {
-		err = fmt.Errorf("invalid server_addr")
+		err = fmt.Errorf("invalid server_addr: %v", err)
 		return
 	}

@@ -162,57 +179,43 @@ func parseClientCommonCfgFromCmd() (cfg config.ClientCommonConf, err error) {
 	cfg.LogLevel = logLevel
 	cfg.LogFile = logFile
 	cfg.LogMaxDays = int64(logMaxDays)
-	if logFile == "console" {
-		cfg.LogWay = "console"
-	} else {
-		cfg.LogWay = "file"
-	}
 	cfg.DisableLogColor = disableLogColor
+	cfg.DNSServer = dnsServer

 	// Only token authentication is supported in cmd mode
-	cfg.AuthClientConfig = auth.GetDefaultAuthClientConf()
+	cfg.ClientConfig = auth.GetDefaultClientConf()
 	cfg.Token = token
+	cfg.TLSEnable = tlsEnable

+	cfg.Complete()
+	if err = cfg.Validate(); err != nil {
+		err = fmt.Errorf("parse config error: %v", err)
+		return
+	}
 	return
 }

-func runClient(cfgFilePath string) (err error) {
-	var content string
-	content, err = config.GetRenderedConfFromFile(cfgFilePath)
-	if err != nil {
-		return
-	}
-
-	cfg, err := parseClientCommonCfg(CfgFileTypeIni, content)
-	if err != nil {
-		return
-	}
-
-	pxyCfgs, visitorCfgs, err := config.LoadAllConfFromIni(cfg.User, content, cfg.Start)
+func runClient(cfgFilePath string) error {
+	cfg, pxyCfgs, visitorCfgs, err := config.ParseClientConfig(cfgFilePath)
 	if err != nil {
+		fmt.Println(err)
 		return err
 	}
-
-	err = startService(cfg, pxyCfgs, visitorCfgs, cfgFilePath)
-	return
+	return startService(cfg, pxyCfgs, visitorCfgs, cfgFilePath)
 }

-func startService(cfg config.ClientCommonConf, pxyCfgs map[string]config.ProxyConf, visitorCfgs map[string]config.VisitorConf, cfgFile string) (err error) {
+func startService(
+	cfg config.ClientCommonConf,
+	pxyCfgs map[string]config.ProxyConf,
+	visitorCfgs map[string]config.VisitorConf,
+	cfgFile string,
+) (err error) {
 	log.InitLog(cfg.LogWay, cfg.LogFile, cfg.LogLevel,
 		cfg.LogMaxDays, cfg.DisableLogColor)

-	if cfg.DnsServer != "" {
-		s := cfg.DnsServer
-		if !strings.Contains(s, ":") {
-			s += ":53"
-		}
-		// Change default dns server for frpc
-		net.DefaultResolver = &net.Resolver{
-			PreferGo: true,
-			Dial: func(ctx context.Context, network, address string) (net.Conn, error) {
-				return net.Dial("udp", s)
-			},
-		}
+	if cfgFile != "" {
+		log.Info("start frpc service for config file [%s]", cfgFile)
+		defer log.Info("frpc service for config file [%s] stopped", cfgFile)
 	}
 	svr, errRet := client.NewService(cfg, pxyCfgs, visitorCfgs, cfgFile)
 	if errRet != nil {
@@ -220,14 +223,16 @@ func startService(cfg config.ClientCommonConf, pxyCfgs map[string]config.ProxyCo
 		return
 	}

-	// Capture the exit signal if we use kcp.
-	if cfg.Protocol == "kcp" {
-		go handleSignal(svr)
+	closedDoneCh := make(chan struct{})
+	shouldGracefulClose := cfg.Protocol == "kcp" || cfg.Protocol == "quic"
+	// Capture the exit signal if we use kcp or quic.
+	if shouldGracefulClose {
+		go handleSignal(svr, closedDoneCh)
 	}

 	err = svr.Run()
-	if cfg.Protocol == "kcp" {
-		<-kcpDoneCh
+	if err == nil && shouldGracefulClose {
+		<-closedDoneCh
 	}
 	return
 }
--- a/cmd/frpc/sub/status.go
+++ b/cmd/frpc/sub/status.go
@@ -18,7 +18,7 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"os"
 	"strings"
@@ -27,7 +27,7 @@ import (
 	"github.com/spf13/cobra"

 	"github.com/fatedier/frp/client"
-	"github.com/fatedier/frp/models/config"
+	"github.com/fatedier/frp/pkg/config"
 )

 func init() {
@@ -38,20 +38,13 @@ var statusCmd = &cobra.Command{
 	Use:   "status",
 	Short: "Overview of all proxies status",
 	RunE: func(cmd *cobra.Command, args []string) error {
-		iniContent, err := config.GetRenderedConfFromFile(cfgFile)
+		cfg, _, _, err := config.ParseClientConfig(cfgFile)
 		if err != nil {
 			fmt.Println(err)
 			os.Exit(1)
 		}

-		clientCfg, err := parseClientCommonCfg(CfgFileTypeIni, iniContent)
-		if err != nil {
-			fmt.Println(err)
-			os.Exit(1)
-		}
-
-		err = status(clientCfg)
-		if err != nil {
+		if err = status(cfg); err != nil {
 			fmt.Printf("frpc get status error: %v\n", err)
 			os.Exit(1)
 		}
@@ -84,71 +77,31 @@ func status(clientCfg config.ClientCommonConf) error {
 		return fmt.Errorf("admin api status code [%d]", resp.StatusCode)
 	}

-	body, err := ioutil.ReadAll(resp.Body)
+	body, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return err
 	}
-	res := &client.StatusResp{}
+	res := make(client.StatusResp)
 	err = json.Unmarshal(body, &res)
 	if err != nil {
 		return fmt.Errorf("unmarshal http response error: %s", strings.TrimSpace(string(body)))
 	}

 	fmt.Println("Proxy Status...")
-	if len(res.Tcp) > 0 {
-		fmt.Printf("TCP")
-		tbl := table.New("Name", "Status", "LocalAddr", "Plugin", "RemoteAddr", "Error")
-		for _, ps := range res.Tcp {
-			tbl.AddRow(ps.Name, ps.Status, ps.LocalAddr, ps.Plugin, ps.RemoteAddr, ps.Err)
+	types := []string{"tcp", "udp", "tcpmux", "http", "https", "stcp", "sudp", "xtcp"}
+	for _, pxyType := range types {
+		arrs := res[pxyType]
+		if len(arrs) == 0 {
+			continue
 		}
-		tbl.Print()
-		fmt.Println("")
-	}
-	if len(res.Udp) > 0 {
-		fmt.Printf("UDP")
-		tbl := table.New("Name", "Status", "LocalAddr", "Plugin", "RemoteAddr", "Error")
-		for _, ps := range res.Udp {
-			tbl.AddRow(ps.Name, ps.Status, ps.LocalAddr, ps.Plugin, ps.RemoteAddr, ps.Err)
-		}
-		tbl.Print()
-		fmt.Println("")
-	}
-	if len(res.Http) > 0 {
-		fmt.Printf("HTTP")
-		tbl := table.New("Name", "Status", "LocalAddr", "Plugin", "RemoteAddr", "Error")
-		for _, ps := range res.Http {
-			tbl.AddRow(ps.Name, ps.Status, ps.LocalAddr, ps.Plugin, ps.RemoteAddr, ps.Err)
-		}
-		tbl.Print()
-		fmt.Println("")
-	}
-	if len(res.Https) > 0 {
-		fmt.Printf("HTTPS")
-		tbl := table.New("Name", "Status", "LocalAddr", "Plugin", "RemoteAddr", "Error")
-		for _, ps := range res.Https {
-			tbl.AddRow(ps.Name, ps.Status, ps.LocalAddr, ps.Plugin, ps.RemoteAddr, ps.Err)
-		}
-		tbl.Print()
-		fmt.Println("")
-	}
-	if len(res.Stcp) > 0 {
-		fmt.Printf("STCP")
-		tbl := table.New("Name", "Status", "LocalAddr", "Plugin", "RemoteAddr", "Error")
-		for _, ps := range res.Stcp {
-			tbl.AddRow(ps.Name, ps.Status, ps.LocalAddr, ps.Plugin, ps.RemoteAddr, ps.Err)
-		}
-		tbl.Print()
-		fmt.Println("")
-	}
-	if len(res.Xtcp) > 0 {
-		fmt.Printf("XTCP")
-		tbl := table.New("Name", "Status", "LocalAddr", "Plugin", "RemoteAddr", "Error")
-		for _, ps := range res.Xtcp {
-			tbl.AddRow(ps.Name, ps.Status, ps.LocalAddr, ps.Plugin, ps.RemoteAddr, ps.Err)
-		}
-		tbl.Print()
-		fmt.Println("")
-	}

+		fmt.Println(strings.ToUpper(pxyType))
+		tbl := table.New("Name", "Status", "LocalAddr", "Plugin", "RemoteAddr", "Error")
+		for _, ps := range arrs {
+			tbl.AddRow(ps.Name, ps.Status, ps.LocalAddr, ps.Plugin, ps.RemoteAddr, ps.Err)
+		}
+		tbl.Print()
+		fmt.Println("")
+	}
 	return nil
 }
--- a/cmd/frpc/sub/stcp.go
+++ b/cmd/frpc/sub/stcp.go
@@ -20,30 +20,25 @@ import (

 	"github.com/spf13/cobra"

-	"github.com/fatedier/frp/models/config"
-	"github.com/fatedier/frp/models/consts"
+	"github.com/fatedier/frp/pkg/config"
+	"github.com/fatedier/frp/pkg/consts"
 )

 func init() {
-	stcpCmd.PersistentFlags().StringVarP(&serverAddr, "server_addr", "s", "127.0.0.1:7000", "frp server's address")
-	stcpCmd.PersistentFlags().StringVarP(&user, "user", "u", "", "user")
-	stcpCmd.PersistentFlags().StringVarP(&protocol, "protocol", "p", "tcp", "tcp or kcp or websocket")
-	stcpCmd.PersistentFlags().StringVarP(&token, "token", "t", "", "auth token")
-	stcpCmd.PersistentFlags().StringVarP(&logLevel, "log_level", "", "info", "log level")
-	stcpCmd.PersistentFlags().StringVarP(&logFile, "log_file", "", "console", "console or file path")
-	stcpCmd.PersistentFlags().IntVarP(&logMaxDays, "log_max_days", "", 3, "log file reversed days")
-	stcpCmd.PersistentFlags().BoolVarP(&disableLogColor, "disable_log_color", "", false, "disable log color in console")
+	RegisterCommonFlags(stcpCmd)

 	stcpCmd.PersistentFlags().StringVarP(&proxyName, "proxy_name", "n", "", "proxy name")
 	stcpCmd.PersistentFlags().StringVarP(&role, "role", "", "server", "role")
 	stcpCmd.PersistentFlags().StringVarP(&sk, "sk", "", "", "secret key")
 	stcpCmd.PersistentFlags().StringVarP(&serverName, "server_name", "", "", "server name")
-	stcpCmd.PersistentFlags().StringVarP(&localIp, "local_ip", "i", "127.0.0.1", "local ip")
+	stcpCmd.PersistentFlags().StringVarP(&localIP, "local_ip", "i", "127.0.0.1", "local ip")
 	stcpCmd.PersistentFlags().IntVarP(&localPort, "local_port", "l", 0, "local port")
 	stcpCmd.PersistentFlags().StringVarP(&bindAddr, "bind_addr", "", "", "bind addr")
 	stcpCmd.PersistentFlags().IntVarP(&bindPort, "bind_port", "", 0, "bind port")
 	stcpCmd.PersistentFlags().BoolVarP(&useEncryption, "ue", "", false, "use encryption")
 	stcpCmd.PersistentFlags().BoolVarP(&useCompression, "uc", "", false, "use compression")
+	stcpCmd.PersistentFlags().StringVarP(&bandwidthLimit, "bandwidth_limit", "", "", "bandwidth limit")
+	stcpCmd.PersistentFlags().StringVarP(&bandwidthLimitMode, "bandwidth_limit_mode", "", config.BandwidthLimitModeClient, "bandwidth limit mode")

 	rootCmd.AddCommand(stcpCmd)
 }
@@ -52,7 +47,7 @@ var stcpCmd = &cobra.Command{
 	Use:   "stcp",
 	Short: "Run frpc with a single stcp proxy",
 	RunE: func(cmd *cobra.Command, args []string) error {
-		clientCfg, err := parseClientCommonCfg(CfgFileTypeCmd, "")
+		clientCfg, err := parseClientCommonCfgFromCmd()
 		if err != nil {
 			fmt.Println(err)
 			os.Exit(1)
@@ -66,26 +61,33 @@ var stcpCmd = &cobra.Command{
 			prefix = user + "."
 		}

-		if role == "server" {
-			cfg := &config.StcpProxyConf{}
+		switch role {
+		case "server":
+			cfg := &config.STCPProxyConf{}
 			cfg.ProxyName = prefix + proxyName
-			cfg.ProxyType = consts.StcpProxy
+			cfg.ProxyType = consts.STCPProxy
 			cfg.UseEncryption = useEncryption
 			cfg.UseCompression = useCompression
 			cfg.Role = role
 			cfg.Sk = sk
-			cfg.LocalIp = localIp
+			cfg.LocalIP = localIP
 			cfg.LocalPort = localPort
-			err = cfg.CheckForCli()
+			cfg.BandwidthLimit, err = config.NewBandwidthQuantity(bandwidthLimit)
+			if err != nil {
+				fmt.Println(err)
+				os.Exit(1)
+			}
+			cfg.BandwidthLimitMode = bandwidthLimitMode
+			err = cfg.ValidateForClient()
 			if err != nil {
 				fmt.Println(err)
 				os.Exit(1)
 			}
 			proxyConfs[cfg.ProxyName] = cfg
-		} else if role == "visitor" {
-			cfg := &config.StcpVisitorConf{}
+		case "visitor":
+			cfg := &config.STCPVisitorConf{}
 			cfg.ProxyName = prefix + proxyName
-			cfg.ProxyType = consts.StcpProxy
+			cfg.ProxyType = consts.STCPProxy
 			cfg.UseEncryption = useEncryption
 			cfg.UseCompression = useCompression
 			cfg.Role = role
@@ -93,13 +95,13 @@ var stcpCmd = &cobra.Command{
 			cfg.ServerName = serverName
 			cfg.BindAddr = bindAddr
 			cfg.BindPort = bindPort
-			err = cfg.Check()
+			err = cfg.Validate()
 			if err != nil {
 				fmt.Println(err)
 				os.Exit(1)
 			}
 			visitorConfs[cfg.ProxyName] = cfg
-		} else {
+		default:
 			fmt.Println("invalid role")
 			os.Exit(1)
 		}
--- a/cmd/frpc/sub/sudp.go
+++ b/cmd/frpc/sub/sudp.go
@@ -0,0 +1,115 @@
+// Copyright 2018 fatedier, fatedier@gmail.com
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package sub
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/spf13/cobra"
+
+	"github.com/fatedier/frp/pkg/config"
+	"github.com/fatedier/frp/pkg/consts"
+)
+
+func init() {
+	RegisterCommonFlags(sudpCmd)
+
+	sudpCmd.PersistentFlags().StringVarP(&proxyName, "proxy_name", "n", "", "proxy name")
+	sudpCmd.PersistentFlags().StringVarP(&role, "role", "", "server", "role")
+	sudpCmd.PersistentFlags().StringVarP(&sk, "sk", "", "", "secret key")
+	sudpCmd.PersistentFlags().StringVarP(&serverName, "server_name", "", "", "server name")
+	sudpCmd.PersistentFlags().StringVarP(&localIP, "local_ip", "i", "127.0.0.1", "local ip")
+	sudpCmd.PersistentFlags().IntVarP(&localPort, "local_port", "l", 0, "local port")
+	sudpCmd.PersistentFlags().StringVarP(&bindAddr, "bind_addr", "", "", "bind addr")
+	sudpCmd.PersistentFlags().IntVarP(&bindPort, "bind_port", "", 0, "bind port")
+	sudpCmd.PersistentFlags().BoolVarP(&useEncryption, "ue", "", false, "use encryption")
+	sudpCmd.PersistentFlags().BoolVarP(&useCompression, "uc", "", false, "use compression")
+	sudpCmd.PersistentFlags().StringVarP(&bandwidthLimit, "bandwidth_limit", "", "", "bandwidth limit")
+	sudpCmd.PersistentFlags().StringVarP(&bandwidthLimitMode, "bandwidth_limit_mode", "", config.BandwidthLimitModeClient, "bandwidth limit mode")
+
+	rootCmd.AddCommand(sudpCmd)
+}
+
+var sudpCmd = &cobra.Command{
+	Use:   "sudp",
+	Short: "Run frpc with a single sudp proxy",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		clientCfg, err := parseClientCommonCfgFromCmd()
+		if err != nil {
+			fmt.Println(err)
+			os.Exit(1)
+		}
+
+		proxyConfs := make(map[string]config.ProxyConf)
+		visitorConfs := make(map[string]config.VisitorConf)
+
+		var prefix string
+		if user != "" {
+			prefix = user + "."
+		}
+
+		switch role {
+		case "server":
+			cfg := &config.SUDPProxyConf{}
+			cfg.ProxyName = prefix + proxyName
+			cfg.ProxyType = consts.SUDPProxy
+			cfg.UseEncryption = useEncryption
+			cfg.UseCompression = useCompression
+			cfg.Role = role
+			cfg.Sk = sk
+			cfg.LocalIP = localIP
+			cfg.LocalPort = localPort
+			cfg.BandwidthLimit, err = config.NewBandwidthQuantity(bandwidthLimit)
+			if err != nil {
+				fmt.Println(err)
+				os.Exit(1)
+			}
+			cfg.BandwidthLimitMode = bandwidthLimitMode
+			err = cfg.ValidateForClient()
+			if err != nil {
+				fmt.Println(err)
+				os.Exit(1)
+			}
+			proxyConfs[cfg.ProxyName] = cfg
+		case "visitor":
+			cfg := &config.SUDPVisitorConf{}
+			cfg.ProxyName = prefix + proxyName
+			cfg.ProxyType = consts.SUDPProxy
+			cfg.UseEncryption = useEncryption
+			cfg.UseCompression = useCompression
+			cfg.Role = role
+			cfg.Sk = sk
+			cfg.ServerName = serverName
+			cfg.BindAddr = bindAddr
+			cfg.BindPort = bindPort
+			err = cfg.Validate()
+			if err != nil {
+				fmt.Println(err)
+				os.Exit(1)
+			}
+			visitorConfs[cfg.ProxyName] = cfg
+		default:
+			fmt.Println("invalid role")
+			os.Exit(1)
+		}
+
+		err = startService(clientCfg, proxyConfs, visitorConfs, "")
+		if err != nil {
+			os.Exit(1)
+		}
+		return nil
+	},
+}
--- a/cmd/frpc/sub/tcp.go
+++ b/cmd/frpc/sub/tcp.go
@@ -20,26 +20,21 @@ import (

 	"github.com/spf13/cobra"

-	"github.com/fatedier/frp/models/config"
-	"github.com/fatedier/frp/models/consts"
+	"github.com/fatedier/frp/pkg/config"
+	"github.com/fatedier/frp/pkg/consts"
 )

 func init() {
-	tcpCmd.PersistentFlags().StringVarP(&serverAddr, "server_addr", "s", "127.0.0.1:7000", "frp server's address")
-	tcpCmd.PersistentFlags().StringVarP(&user, "user", "u", "", "user")
-	tcpCmd.PersistentFlags().StringVarP(&protocol, "protocol", "p", "tcp", "tcp or kcp")
-	tcpCmd.PersistentFlags().StringVarP(&token, "token", "t", "", "auth token")
-	tcpCmd.PersistentFlags().StringVarP(&logLevel, "log_level", "", "info", "log level")
-	tcpCmd.PersistentFlags().StringVarP(&logFile, "log_file", "", "console", "console or file path")
-	tcpCmd.PersistentFlags().IntVarP(&logMaxDays, "log_max_days", "", 3, "log file reversed days")
-	tcpCmd.PersistentFlags().BoolVarP(&disableLogColor, "disable_log_color", "", false, "disable log color in console")
+	RegisterCommonFlags(tcpCmd)

 	tcpCmd.PersistentFlags().StringVarP(&proxyName, "proxy_name", "n", "", "proxy name")
-	tcpCmd.PersistentFlags().StringVarP(&localIp, "local_ip", "i", "127.0.0.1", "local ip")
+	tcpCmd.PersistentFlags().StringVarP(&localIP, "local_ip", "i", "127.0.0.1", "local ip")
 	tcpCmd.PersistentFlags().IntVarP(&localPort, "local_port", "l", 0, "local port")
 	tcpCmd.PersistentFlags().IntVarP(&remotePort, "remote_port", "r", 0, "remote port")
 	tcpCmd.PersistentFlags().BoolVarP(&useEncryption, "ue", "", false, "use encryption")
 	tcpCmd.PersistentFlags().BoolVarP(&useCompression, "uc", "", false, "use compression")
+	tcpCmd.PersistentFlags().StringVarP(&bandwidthLimit, "bandwidth_limit", "", "", "bandwidth limit")
+	tcpCmd.PersistentFlags().StringVarP(&bandwidthLimitMode, "bandwidth_limit_mode", "", config.BandwidthLimitModeClient, "bandwidth limit mode")

 	rootCmd.AddCommand(tcpCmd)
 }
@@ -48,26 +43,32 @@ var tcpCmd = &cobra.Command{
 	Use:   "tcp",
 	Short: "Run frpc with a single tcp proxy",
 	RunE: func(cmd *cobra.Command, args []string) error {
-		clientCfg, err := parseClientCommonCfg(CfgFileTypeCmd, "")
+		clientCfg, err := parseClientCommonCfgFromCmd()
 		if err != nil {
 			fmt.Println(err)
 			os.Exit(1)
 		}

-		cfg := &config.TcpProxyConf{}
+		cfg := &config.TCPProxyConf{}
 		var prefix string
 		if user != "" {
 			prefix = user + "."
 		}
 		cfg.ProxyName = prefix + proxyName
-		cfg.ProxyType = consts.TcpProxy
-		cfg.LocalIp = localIp
+		cfg.ProxyType = consts.TCPProxy
+		cfg.LocalIP = localIP
 		cfg.LocalPort = localPort
 		cfg.RemotePort = remotePort
 		cfg.UseEncryption = useEncryption
 		cfg.UseCompression = useCompression
+		cfg.BandwidthLimit, err = config.NewBandwidthQuantity(bandwidthLimit)
+		if err != nil {
+			fmt.Println(err)
+			os.Exit(1)
+		}
+		cfg.BandwidthLimitMode = bandwidthLimitMode

-		err = cfg.CheckForCli()
+		err = cfg.ValidateForClient()
 		if err != nil {
 			fmt.Println(err)
 			os.Exit(1)
--- a/cmd/frpc/sub/tcpmux.go
+++ b/cmd/frpc/sub/tcpmux.go
@@ -21,28 +21,23 @@ import (

 	"github.com/spf13/cobra"

-	"github.com/fatedier/frp/models/config"
-	"github.com/fatedier/frp/models/consts"
+	"github.com/fatedier/frp/pkg/config"
+	"github.com/fatedier/frp/pkg/consts"
 )

 func init() {
-	tcpMuxCmd.PersistentFlags().StringVarP(&serverAddr, "server_addr", "s", "127.0.0.1:7000", "frp server's address")
-	tcpMuxCmd.PersistentFlags().StringVarP(&user, "user", "u", "", "user")
-	tcpMuxCmd.PersistentFlags().StringVarP(&protocol, "protocol", "p", "tcp", "tcp or kcp or websocket")
-	tcpMuxCmd.PersistentFlags().StringVarP(&token, "token", "t", "", "auth token")
-	tcpMuxCmd.PersistentFlags().StringVarP(&logLevel, "log_level", "", "info", "log level")
-	tcpMuxCmd.PersistentFlags().StringVarP(&logFile, "log_file", "", "console", "console or file path")
-	tcpMuxCmd.PersistentFlags().IntVarP(&logMaxDays, "log_max_days", "", 3, "log file reversed days")
-	tcpMuxCmd.PersistentFlags().BoolVarP(&disableLogColor, "disable_log_color", "", false, "disable log color in console")
+	RegisterCommonFlags(tcpMuxCmd)

 	tcpMuxCmd.PersistentFlags().StringVarP(&proxyName, "proxy_name", "n", "", "proxy name")
-	tcpMuxCmd.PersistentFlags().StringVarP(&localIp, "local_ip", "i", "127.0.0.1", "local ip")
+	tcpMuxCmd.PersistentFlags().StringVarP(&localIP, "local_ip", "i", "127.0.0.1", "local ip")
 	tcpMuxCmd.PersistentFlags().IntVarP(&localPort, "local_port", "l", 0, "local port")
 	tcpMuxCmd.PersistentFlags().StringVarP(&customDomains, "custom_domain", "d", "", "custom domain")
 	tcpMuxCmd.PersistentFlags().StringVarP(&subDomain, "sd", "", "", "sub domain")
 	tcpMuxCmd.PersistentFlags().StringVarP(&multiplexer, "mux", "", "", "multiplexer")
 	tcpMuxCmd.PersistentFlags().BoolVarP(&useEncryption, "ue", "", false, "use encryption")
 	tcpMuxCmd.PersistentFlags().BoolVarP(&useCompression, "uc", "", false, "use compression")
+	tcpMuxCmd.PersistentFlags().StringVarP(&bandwidthLimit, "bandwidth_limit", "", "", "bandwidth limit")
+	tcpMuxCmd.PersistentFlags().StringVarP(&bandwidthLimitMode, "bandwidth_limit_mode", "", config.BandwidthLimitModeClient, "bandwidth limit mode")

 	rootCmd.AddCommand(tcpMuxCmd)
 }
@@ -51,28 +46,34 @@ var tcpMuxCmd = &cobra.Command{
 	Use:   "tcpmux",
 	Short: "Run frpc with a single tcpmux proxy",
 	RunE: func(cmd *cobra.Command, args []string) error {
-		clientCfg, err := parseClientCommonCfg(CfgFileTypeCmd, "")
+		clientCfg, err := parseClientCommonCfgFromCmd()
 		if err != nil {
 			fmt.Println(err)
 			os.Exit(1)
 		}

-		cfg := &config.TcpMuxProxyConf{}
+		cfg := &config.TCPMuxProxyConf{}
 		var prefix string
 		if user != "" {
 			prefix = user + "."
 		}
 		cfg.ProxyName = prefix + proxyName
-		cfg.ProxyType = consts.TcpMuxProxy
-		cfg.LocalIp = localIp
+		cfg.ProxyType = consts.TCPMuxProxy
+		cfg.LocalIP = localIP
 		cfg.LocalPort = localPort
 		cfg.CustomDomains = strings.Split(customDomains, ",")
 		cfg.SubDomain = subDomain
 		cfg.Multiplexer = multiplexer
 		cfg.UseEncryption = useEncryption
 		cfg.UseCompression = useCompression
+		cfg.BandwidthLimit, err = config.NewBandwidthQuantity(bandwidthLimit)
+		if err != nil {
+			fmt.Println(err)
+			os.Exit(1)
+		}
+		cfg.BandwidthLimitMode = bandwidthLimitMode

-		err = cfg.CheckForCli()
+		err = cfg.ValidateForClient()
 		if err != nil {
 			fmt.Println(err)
 			os.Exit(1)
--- a/cmd/frpc/sub/udp.go
+++ b/cmd/frpc/sub/udp.go
@@ -20,26 +20,21 @@ import (

 	"github.com/spf13/cobra"

-	"github.com/fatedier/frp/models/config"
-	"github.com/fatedier/frp/models/consts"
+	"github.com/fatedier/frp/pkg/config"
+	"github.com/fatedier/frp/pkg/consts"
 )

 func init() {
-	udpCmd.PersistentFlags().StringVarP(&serverAddr, "server_addr", "s", "127.0.0.1:7000", "frp server's address")
-	udpCmd.PersistentFlags().StringVarP(&user, "user", "u", "", "user")
-	udpCmd.PersistentFlags().StringVarP(&protocol, "protocol", "p", "tcp", "tcp or kcp or websocket")
-	udpCmd.PersistentFlags().StringVarP(&token, "token", "t", "", "auth token")
-	udpCmd.PersistentFlags().StringVarP(&logLevel, "log_level", "", "info", "log level")
-	udpCmd.PersistentFlags().StringVarP(&logFile, "log_file", "", "console", "console or file path")
-	udpCmd.PersistentFlags().IntVarP(&logMaxDays, "log_max_days", "", 3, "log file reversed days")
-	udpCmd.PersistentFlags().BoolVarP(&disableLogColor, "disable_log_color", "", false, "disable log color in console")
+	RegisterCommonFlags(udpCmd)

 	udpCmd.PersistentFlags().StringVarP(&proxyName, "proxy_name", "n", "", "proxy name")
-	udpCmd.PersistentFlags().StringVarP(&localIp, "local_ip", "i", "127.0.0.1", "local ip")
+	udpCmd.PersistentFlags().StringVarP(&localIP, "local_ip", "i", "127.0.0.1", "local ip")
 	udpCmd.PersistentFlags().IntVarP(&localPort, "local_port", "l", 0, "local port")
 	udpCmd.PersistentFlags().IntVarP(&remotePort, "remote_port", "r", 0, "remote port")
 	udpCmd.PersistentFlags().BoolVarP(&useEncryption, "ue", "", false, "use encryption")
 	udpCmd.PersistentFlags().BoolVarP(&useCompression, "uc", "", false, "use compression")
+	udpCmd.PersistentFlags().StringVarP(&bandwidthLimit, "bandwidth_limit", "", "", "bandwidth limit")
+	udpCmd.PersistentFlags().StringVarP(&bandwidthLimitMode, "bandwidth_limit_mode", "", config.BandwidthLimitModeClient, "bandwidth limit mode")

 	rootCmd.AddCommand(udpCmd)
 }
@@ -48,26 +43,32 @@ var udpCmd = &cobra.Command{
 	Use:   "udp",
 	Short: "Run frpc with a single udp proxy",
 	RunE: func(cmd *cobra.Command, args []string) error {
-		clientCfg, err := parseClientCommonCfg(CfgFileTypeCmd, "")
+		clientCfg, err := parseClientCommonCfgFromCmd()
 		if err != nil {
 			fmt.Println(err)
 			os.Exit(1)
 		}

-		cfg := &config.UdpProxyConf{}
+		cfg := &config.UDPProxyConf{}
 		var prefix string
 		if user != "" {
 			prefix = user + "."
 		}
 		cfg.ProxyName = prefix + proxyName
-		cfg.ProxyType = consts.UdpProxy
-		cfg.LocalIp = localIp
+		cfg.ProxyType = consts.UDPProxy
+		cfg.LocalIP = localIP
 		cfg.LocalPort = localPort
 		cfg.RemotePort = remotePort
 		cfg.UseEncryption = useEncryption
 		cfg.UseCompression = useCompression
+		cfg.BandwidthLimit, err = config.NewBandwidthQuantity(bandwidthLimit)
+		if err != nil {
+			fmt.Println(err)
+			os.Exit(1)
+		}
+		cfg.BandwidthLimitMode = bandwidthLimitMode

-		err = cfg.CheckForCli()
+		err = cfg.ValidateForClient()
 		if err != nil {
 			fmt.Println(err)
 			os.Exit(1)
--- a/cmd/frpc/sub/verify.go
+++ b/cmd/frpc/sub/verify.go
@@ -1,4 +1,4 @@
-// Copyright 2020 guylewin, guy@lewin.co.il
+// Copyright 2021 The frp Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -12,33 +12,32 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

-package util
+package sub

 import (
-	"net/http"
-	"strings"
+	"fmt"
+	"os"
+
+	"github.com/spf13/cobra"
+
+	"github.com/fatedier/frp/pkg/config"
 )

-func OkResponse() *http.Response {
-	header := make(http.Header)
-
-	res := &http.Response{
-		Status:     "OK",
-		StatusCode: 200,
-		Proto:      "HTTP/1.1",
-		ProtoMajor: 1,
-		ProtoMinor: 1,
-		Header:     header,
-	}
-	return res
+func init() {
+	rootCmd.AddCommand(verifyCmd)
 }

-func GetHostFromAddr(addr string) (host string) {
-	strs := strings.Split(addr, ":")
-	if len(strs) > 1 {
-		host = strs[0]
-	} else {
-		host = addr
-	}
-	return
+var verifyCmd = &cobra.Command{
+	Use:   "verify",
+	Short: "Verify that the configures is valid",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		_, _, _, err := config.ParseClientConfig(cfgFile)
+		if err != nil {
+			fmt.Println(err)
+			os.Exit(1)
+		}
+
+		fmt.Printf("frpc: the configuration file %s syntax is ok\n", cfgFile)
+		return nil
+	},
 }
--- a/cmd/frpc/sub/xtcp.go
+++ b/cmd/frpc/sub/xtcp.go
@@ -20,30 +20,25 @@ import (

 	"github.com/spf13/cobra"

-	"github.com/fatedier/frp/models/config"
-	"github.com/fatedier/frp/models/consts"
+	"github.com/fatedier/frp/pkg/config"
+	"github.com/fatedier/frp/pkg/consts"
 )

 func init() {
-	xtcpCmd.PersistentFlags().StringVarP(&serverAddr, "server_addr", "s", "127.0.0.1:7000", "frp server's address")
-	xtcpCmd.PersistentFlags().StringVarP(&user, "user", "u", "", "user")
-	xtcpCmd.PersistentFlags().StringVarP(&protocol, "protocol", "p", "tcp", "tcp or kcp or websocket")
-	xtcpCmd.PersistentFlags().StringVarP(&token, "token", "t", "", "auth token")
-	xtcpCmd.PersistentFlags().StringVarP(&logLevel, "log_level", "", "info", "log level")
-	xtcpCmd.PersistentFlags().StringVarP(&logFile, "log_file", "", "console", "console or file path")
-	xtcpCmd.PersistentFlags().IntVarP(&logMaxDays, "log_max_days", "", 3, "log file reversed days")
-	xtcpCmd.PersistentFlags().BoolVarP(&disableLogColor, "disable_log_color", "", false, "disable log color in console")
+	RegisterCommonFlags(xtcpCmd)

 	xtcpCmd.PersistentFlags().StringVarP(&proxyName, "proxy_name", "n", "", "proxy name")
 	xtcpCmd.PersistentFlags().StringVarP(&role, "role", "", "server", "role")
 	xtcpCmd.PersistentFlags().StringVarP(&sk, "sk", "", "", "secret key")
 	xtcpCmd.PersistentFlags().StringVarP(&serverName, "server_name", "", "", "server name")
-	xtcpCmd.PersistentFlags().StringVarP(&localIp, "local_ip", "i", "127.0.0.1", "local ip")
+	xtcpCmd.PersistentFlags().StringVarP(&localIP, "local_ip", "i", "127.0.0.1", "local ip")
 	xtcpCmd.PersistentFlags().IntVarP(&localPort, "local_port", "l", 0, "local port")
 	xtcpCmd.PersistentFlags().StringVarP(&bindAddr, "bind_addr", "", "", "bind addr")
 	xtcpCmd.PersistentFlags().IntVarP(&bindPort, "bind_port", "", 0, "bind port")
 	xtcpCmd.PersistentFlags().BoolVarP(&useEncryption, "ue", "", false, "use encryption")
 	xtcpCmd.PersistentFlags().BoolVarP(&useCompression, "uc", "", false, "use compression")
+	xtcpCmd.PersistentFlags().StringVarP(&bandwidthLimit, "bandwidth_limit", "", "", "bandwidth limit")
+	xtcpCmd.PersistentFlags().StringVarP(&bandwidthLimitMode, "bandwidth_limit_mode", "", config.BandwidthLimitModeClient, "bandwidth limit mode")

 	rootCmd.AddCommand(xtcpCmd)
 }
@@ -52,7 +47,7 @@ var xtcpCmd = &cobra.Command{
 	Use:   "xtcp",
 	Short: "Run frpc with a single xtcp proxy",
 	RunE: func(cmd *cobra.Command, args []string) error {
-		clientCfg, err := parseClientCommonCfg(CfgFileTypeCmd, "")
+		clientCfg, err := parseClientCommonCfgFromCmd()
 		if err != nil {
 			fmt.Println(err)
 			os.Exit(1)
@@ -66,26 +61,33 @@ var xtcpCmd = &cobra.Command{
 			prefix = user + "."
 		}

-		if role == "server" {
-			cfg := &config.XtcpProxyConf{}
+		switch role {
+		case "server":
+			cfg := &config.XTCPProxyConf{}
 			cfg.ProxyName = prefix + proxyName
-			cfg.ProxyType = consts.XtcpProxy
+			cfg.ProxyType = consts.XTCPProxy
 			cfg.UseEncryption = useEncryption
 			cfg.UseCompression = useCompression
 			cfg.Role = role
 			cfg.Sk = sk
-			cfg.LocalIp = localIp
+			cfg.LocalIP = localIP
 			cfg.LocalPort = localPort
-			err = cfg.CheckForCli()
+			cfg.BandwidthLimit, err = config.NewBandwidthQuantity(bandwidthLimit)
+			if err != nil {
+				fmt.Println(err)
+				os.Exit(1)
+			}
+			cfg.BandwidthLimitMode = bandwidthLimitMode
+			err = cfg.ValidateForClient()
 			if err != nil {
 				fmt.Println(err)
 				os.Exit(1)
 			}
 			proxyConfs[cfg.ProxyName] = cfg
-		} else if role == "visitor" {
-			cfg := &config.XtcpVisitorConf{}
+		case "visitor":
+			cfg := &config.XTCPVisitorConf{}
 			cfg.ProxyName = prefix + proxyName
-			cfg.ProxyType = consts.XtcpProxy
+			cfg.ProxyType = consts.XTCPProxy
 			cfg.UseEncryption = useEncryption
 			cfg.UseCompression = useCompression
 			cfg.Role = role
@@ -93,13 +95,13 @@ var xtcpCmd = &cobra.Command{
 			cfg.ServerName = serverName
 			cfg.BindAddr = bindAddr
 			cfg.BindPort = bindPort
-			err = cfg.Check()
+			err = cfg.Validate()
 			if err != nil {
 				fmt.Println(err)
 				os.Exit(1)
 			}
 			visitorConfs[cfg.ProxyName] = cfg
-		} else {
+		default:
 			fmt.Println("invalid role")
 			os.Exit(1)
 		}
--- a/cmd/frps/main.go
+++ b/cmd/frps/main.go
@@ -20,12 +20,13 @@ import (

 	"github.com/fatedier/golib/crypto"

-	_ "github.com/fatedier/frp/assets/frps/statik"
-	_ "github.com/fatedier/frp/models/metrics"
+	_ "github.com/fatedier/frp/assets/frps"
+	_ "github.com/fatedier/frp/pkg/metrics"
 )

 func main() {
 	crypto.DefaultSalt = "frp"
+	// TODO: remove this when we drop support for go1.19
 	rand.Seed(time.Now().UnixNano())

 	Execute()
--- a/cmd/frps/root.go
+++ b/cmd/frps/root.go
@@ -20,12 +20,12 @@ import (

 	"github.com/spf13/cobra"

-	"github.com/fatedier/frp/models/auth"
-	"github.com/fatedier/frp/models/config"
+	"github.com/fatedier/frp/pkg/auth"
+	"github.com/fatedier/frp/pkg/config"
+	"github.com/fatedier/frp/pkg/util/log"
+	"github.com/fatedier/frp/pkg/util/util"
+	"github.com/fatedier/frp/pkg/util/version"
 	"github.com/fatedier/frp/server"
-	"github.com/fatedier/frp/utils/log"
-	"github.com/fatedier/frp/utils/util"
-	"github.com/fatedier/frp/utils/version"
 )

 const (
@@ -37,47 +37,48 @@ var (
 	cfgFile     string
 	showVersion bool

-	bindAddr          string
-	bindPort          int
-	bindUdpPort       int
-	kcpBindPort       int
-	proxyBindAddr     string
-	vhostHttpPort     int
-	vhostHttpsPort    int
-	vhostHttpTimeout  int64
-	dashboardAddr     string
-	dashboardPort     int
-	dashboardUser     string
-	dashboardPwd      string
-	assetsDir         string
-	logFile           string
-	logLevel          string
-	logMaxDays        int64
-	disableLogColor   bool
-	token             string
-	subDomainHost     string
-	tcpMux            bool
-	allowPorts        string
-	maxPoolCount      int64
-	maxPortsPerClient int64
+	bindAddr             string
+	bindPort             int
+	kcpBindPort          int
+	proxyBindAddr        string
+	vhostHTTPPort        int
+	vhostHTTPSPort       int
+	vhostHTTPTimeout     int64
+	dashboardAddr        string
+	dashboardPort        int
+	dashboardUser        string
+	dashboardPwd         string
+	enablePrometheus     bool
+	logFile              string
+	logLevel             string
+	logMaxDays           int64
+	disableLogColor      bool
+	token                string
+	subDomainHost        string
+	allowPorts           string
+	maxPortsPerClient    int64
+	tlsOnly              bool
+	dashboardTLSMode     bool
+	dashboardTLSCertFile string
+	dashboardTLSKeyFile  string
 )

 func init() {
 	rootCmd.PersistentFlags().StringVarP(&cfgFile, "config", "c", "", "config file of frps")
-	rootCmd.PersistentFlags().BoolVarP(&showVersion, "version", "v", false, "version of frpc")
+	rootCmd.PersistentFlags().BoolVarP(&showVersion, "version", "v", false, "version of frps")

 	rootCmd.PersistentFlags().StringVarP(&bindAddr, "bind_addr", "", "0.0.0.0", "bind address")
 	rootCmd.PersistentFlags().IntVarP(&bindPort, "bind_port", "p", 7000, "bind port")
-	rootCmd.PersistentFlags().IntVarP(&bindUdpPort, "bind_udp_port", "", 0, "bind udp port")
 	rootCmd.PersistentFlags().IntVarP(&kcpBindPort, "kcp_bind_port", "", 0, "kcp bind udp port")
 	rootCmd.PersistentFlags().StringVarP(&proxyBindAddr, "proxy_bind_addr", "", "0.0.0.0", "proxy bind address")
-	rootCmd.PersistentFlags().IntVarP(&vhostHttpPort, "vhost_http_port", "", 0, "vhost http port")
-	rootCmd.PersistentFlags().IntVarP(&vhostHttpsPort, "vhost_https_port", "", 0, "vhost https port")
-	rootCmd.PersistentFlags().Int64VarP(&vhostHttpTimeout, "vhost_http_timeout", "", 60, "vhost http response header timeout")
-	rootCmd.PersistentFlags().StringVarP(&dashboardAddr, "dashboard_addr", "", "0.0.0.0", "dasboard address")
+	rootCmd.PersistentFlags().IntVarP(&vhostHTTPPort, "vhost_http_port", "", 0, "vhost http port")
+	rootCmd.PersistentFlags().IntVarP(&vhostHTTPSPort, "vhost_https_port", "", 0, "vhost https port")
+	rootCmd.PersistentFlags().Int64VarP(&vhostHTTPTimeout, "vhost_http_timeout", "", 60, "vhost http response header timeout")
+	rootCmd.PersistentFlags().StringVarP(&dashboardAddr, "dashboard_addr", "", "0.0.0.0", "dashboard address")
 	rootCmd.PersistentFlags().IntVarP(&dashboardPort, "dashboard_port", "", 0, "dashboard port")
 	rootCmd.PersistentFlags().StringVarP(&dashboardUser, "dashboard_user", "", "admin", "dashboard user")
 	rootCmd.PersistentFlags().StringVarP(&dashboardPwd, "dashboard_pwd", "", "admin", "dashboard password")
+	rootCmd.PersistentFlags().BoolVarP(&enablePrometheus, "enable_prometheus", "", false, "enable prometheus dashboard")
 	rootCmd.PersistentFlags().StringVarP(&logFile, "log_file", "", "console", "log file")
 	rootCmd.PersistentFlags().StringVarP(&logLevel, "log_level", "", "info", "log level")
 	rootCmd.PersistentFlags().Int64VarP(&logMaxDays, "log_max_days", "", 3, "log max days")
@@ -87,6 +88,10 @@ func init() {
 	rootCmd.PersistentFlags().StringVarP(&subDomainHost, "subdomain_host", "", "", "subdomain host")
 	rootCmd.PersistentFlags().StringVarP(&allowPorts, "allow_ports", "", "", "allow ports")
 	rootCmd.PersistentFlags().Int64VarP(&maxPortsPerClient, "max_ports_per_client", "", 0, "max ports per client")
+	rootCmd.PersistentFlags().BoolVarP(&tlsOnly, "tls_only", "", false, "frps tls only")
+	rootCmd.PersistentFlags().BoolVarP(&dashboardTLSMode, "dashboard_tls_mode", "", false, "dashboard tls mode")
+	rootCmd.PersistentFlags().StringVarP(&dashboardTLSCertFile, "dashboard_tls_cert_file", "", "", "dashboard tls cert file")
+	rootCmd.PersistentFlags().StringVarP(&dashboardTLSKeyFile, "dashboard_tls_key_file", "", "", "dashboard tls key file")
 }

 var rootCmd = &cobra.Command{
@@ -101,14 +106,14 @@ var rootCmd = &cobra.Command{
 		var cfg config.ServerCommonConf
 		var err error
 		if cfgFile != "" {
-			var content string
+			var content []byte
 			content, err = config.GetRenderedConfFromFile(cfgFile)
 			if err != nil {
 				return err
 			}
 			cfg, err = parseServerCommonCfg(CfgFileTypeIni, content)
 		} else {
-			cfg, err = parseServerCommonCfg(CfgFileTypeCmd, "")
+			cfg, err = parseServerCommonCfg(CfgFileTypeCmd, nil)
 		}
 		if err != nil {
 			return err
@@ -129,59 +134,56 @@ func Execute() {
 	}
 }

-func parseServerCommonCfg(fileType int, content string) (cfg config.ServerCommonConf, err error) {
+func parseServerCommonCfg(fileType int, source []byte) (cfg config.ServerCommonConf, err error) {
 	if fileType == CfgFileTypeIni {
-		cfg, err = parseServerCommonCfgFromIni(content)
+		cfg, err = config.UnmarshalServerConfFromIni(source)
 	} else if fileType == CfgFileTypeCmd {
 		cfg, err = parseServerCommonCfgFromCmd()
 	}
 	if err != nil {
 		return
 	}
-
-	err = cfg.Check()
+	cfg.Complete()
+	err = cfg.Validate()
 	if err != nil {
+		err = fmt.Errorf("parse config error: %v", err)
 		return
 	}
 	return
 }

-func parseServerCommonCfgFromIni(content string) (config.ServerCommonConf, error) {
-	cfg, err := config.UnmarshalServerConfFromIni(content)
-	if err != nil {
-		return config.ServerCommonConf{}, err
-	}
-	return cfg, nil
-}
-
 func parseServerCommonCfgFromCmd() (cfg config.ServerCommonConf, err error) {
 	cfg = config.GetDefaultServerConf()

 	cfg.BindAddr = bindAddr
 	cfg.BindPort = bindPort
-	cfg.BindUdpPort = bindUdpPort
-	cfg.KcpBindPort = kcpBindPort
+	cfg.KCPBindPort = kcpBindPort
 	cfg.ProxyBindAddr = proxyBindAddr
-	cfg.VhostHttpPort = vhostHttpPort
-	cfg.VhostHttpsPort = vhostHttpsPort
-	cfg.VhostHttpTimeout = vhostHttpTimeout
+	cfg.VhostHTTPPort = vhostHTTPPort
+	cfg.VhostHTTPSPort = vhostHTTPSPort
+	cfg.VhostHTTPTimeout = vhostHTTPTimeout
 	cfg.DashboardAddr = dashboardAddr
 	cfg.DashboardPort = dashboardPort
 	cfg.DashboardUser = dashboardUser
 	cfg.DashboardPwd = dashboardPwd
+	cfg.EnablePrometheus = enablePrometheus
+	cfg.DashboardTLSCertFile = dashboardTLSCertFile
+	cfg.DashboardTLSKeyFile = dashboardTLSKeyFile
+	cfg.DashboardTLSMode = dashboardTLSMode
 	cfg.LogFile = logFile
 	cfg.LogLevel = logLevel
 	cfg.LogMaxDays = logMaxDays
 	cfg.SubDomainHost = subDomainHost
+	cfg.TLSOnly = tlsOnly

 	// Only token authentication is supported in cmd mode
-	cfg.AuthServerConfig = auth.GetDefaultAuthServerConf()
+	cfg.ServerConfig = auth.GetDefaultServerConf()
 	cfg.Token = token
 	if len(allowPorts) > 0 {
 		// e.g. 1000-2000,2001,2002,3000-4000
 		ports, errRet := util.ParseRangeNumbers(allowPorts)
 		if errRet != nil {
-			err = fmt.Errorf("Parse conf error: allow_ports: %v", errRet)
+			err = fmt.Errorf("parse conf error: allow_ports: %v", errRet)
 			return
 		}

@@ -190,23 +192,24 @@ func parseServerCommonCfgFromCmd() (cfg config.ServerCommonConf, err error) {
 		}
 	}
 	cfg.MaxPortsPerClient = maxPortsPerClient
-
-	if logFile == "console" {
-		cfg.LogWay = "console"
-	} else {
-		cfg.LogWay = "file"
-	}
 	cfg.DisableLogColor = disableLogColor
 	return
 }

 func runServer(cfg config.ServerCommonConf) (err error) {
 	log.InitLog(cfg.LogWay, cfg.LogFile, cfg.LogLevel, cfg.LogMaxDays, cfg.DisableLogColor)
+
+	if cfgFile != "" {
+		log.Info("frps uses config file: %s", cfgFile)
+	} else {
+		log.Info("frps uses command line arguments for config")
+	}
+
 	svr, err := server.NewService(cfg)
 	if err != nil {
 		return err
 	}
-	log.Info("start frps success")
+	log.Info("frps started successfully")
 	svr.Run()
 	return
 }
--- a/cmd/frps/verify.go
+++ b/cmd/frps/verify.go
@@ -0,0 +1,53 @@
+// Copyright 2021 The frp Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/spf13/cobra"
+
+	"github.com/fatedier/frp/pkg/config"
+)
+
+func init() {
+	rootCmd.AddCommand(verifyCmd)
+}
+
+var verifyCmd = &cobra.Command{
+	Use:   "verify",
+	Short: "Verify that the configures is valid",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		if cfgFile == "" {
+			fmt.Println("no config file is specified")
+			return nil
+		}
+		iniContent, err := config.GetRenderedConfFromFile(cfgFile)
+		if err != nil {
+			fmt.Println(err)
+			os.Exit(1)
+		}
+
+		_, err = parseServerCommonCfg(CfgFileTypeIni, iniContent)
+		if err != nil {
+			fmt.Println(err)
+			os.Exit(1)
+		}
+
+		fmt.Printf("frps: the configuration file %s syntax is ok\n", cfgFile)
+		return nil
+	},
+}
--- a/conf/frpc_full.ini
+++ b/conf/frpc_full.ini
@@ -2,13 +2,25 @@
 [common]
 # A literal address or host name for IPv6 must be enclosed
 # in square brackets, as in "[::1]:80", "[ipv6-host]:http" or "[ipv6-host%zone]:80"
+# For single "server_addr" field, no need square brackets, like "server_addr = ::".
 server_addr = 0.0.0.0
 server_port = 7000

-# if you want to connect frps by http proxy or socks5 proxy, you can set http_proxy here or in global environment variables
+# STUN server to help penetrate NAT hole.
+# nat_hole_stun_server = stun.easyvoip.com:3478
+
+# The maximum amount of time a dial to server will wait for a connect to complete. Default value is 10 seconds.
+# dial_server_timeout = 10
+
+# dial_server_keepalive specifies the interval between keep-alive probes for an active network connection between frpc and frps.
+# If negative, keep-alive probes are disabled.
+# dial_server_keepalive = 7200
+
+# if you want to connect frps by http proxy or socks5 proxy or ntlm proxy, you can set http_proxy here or in global environment variables
 # it only works when protocol is tcp
 # http_proxy = http://user:passwd@192.168.1.128:8080
 # http_proxy = socks5://user:passwd@192.168.1.128:1080
+# http_proxy = ntlm://user:passwd@192.168.1.128:2080

 # console or real logFile path like ./frpc.log
 log_file = ./frpc.log
@@ -21,9 +33,42 @@ log_max_days = 3
 # disable log colors when log_file is console, default is false
 disable_log_color = false

-# for authentication
+# for authentication, should be same as your frps.ini
+# authenticate_heartbeats specifies whether to include authentication token in heartbeats sent to frps. By default, this value is false.
+authenticate_heartbeats = false
+
+# authenticate_new_work_conns specifies whether to include authentication token in new work connections sent to frps. By default, this value is false.
+authenticate_new_work_conns = false
+
+# auth token
 token = 12345678

+authentication_method = 
+
+# oidc_client_id specifies the client ID to use to get a token in OIDC authentication if AuthenticationMethod == "oidc".
+# By default, this value is "".
+oidc_client_id =
+
+# oidc_client_secret specifies the client secret to use to get a token in OIDC authentication if AuthenticationMethod == "oidc".
+# By default, this value is "".
+oidc_client_secret =
+
+# oidc_audience specifies the audience of the token in OIDC authentication if AuthenticationMethod == "oidc". By default, this value is "".
+oidc_audience =
+
+# oidc_scope specifies the permisssions of the token in OIDC authentication if AuthenticationMethod == "oidc". By default, this value is "".
+oidc_scope =
+
+# oidc_token_endpoint_url specifies the URL which implements OIDC Token Endpoint.
+# It will be used to get an OIDC token if AuthenticationMethod == "oidc". By default, this value is "".
+oidc_token_endpoint_url =
+
+# oidc_additional_xxx specifies additional parameters to be sent to the OIDC Token Endpoint.
+# For example, if you want to specify the "audience" parameter, you can set as follow.
+# frp will add "audience=<value>" "var1=<value>" to the additional parameters.
+# oidc_additional_audience = https://dev.auth.com/api/v2/
+# oidc_additional_var1 = foobar
+
 # set admin address for control frpc's action by http api such as reload
 admin_addr = 127.0.0.1
 admin_port = 7400
@@ -36,7 +81,11 @@ admin_pwd = admin
 pool_count = 5

 # if tcp stream multiplexing is used, default is true, it must be same with frps
-tcp_mux = true
+# tcp_mux = true
+
+# specify keep alive interval for tcp mux.
+# only valid if tcp_mux is true.
+# tcp_mux_keepalive_interval = 60

 # your proxy name will be changed to {user}.{proxy}
 user = your_name
@@ -46,21 +95,37 @@ user = your_name
 login_fail_exit = true

 # communication protocol used to connect to server
-# now it supports tcp and kcp and websocket, default is tcp
+# supports tcp, kcp, quic and websocket now, default is tcp
 protocol = tcp

-# if tls_enable is true, frpc will connect frps by tls
+# set client binding ip when connect server, default is empty.
+# only when protocol = tcp or websocket, the value will be used.
+connect_server_local_ip = 0.0.0.0
+
+# quic protocol options
+# quic_keepalive_period = 10
+# quic_max_idle_timeout = 30
+# quic_max_incoming_streams = 100000
+
+# If tls_enable is true, frpc will connect frps by tls.
+# Since v0.50.0, the default value has been changed to true, and tls is enabled by default.
 tls_enable = true

+# tls_cert_file = client.crt
+# tls_key_file = client.key
+# tls_trusted_ca_file = ca.crt
+# tls_server_name = example.com
+
 # specify a dns server, so frpc will use this instead of default one
 # dns_server = 8.8.8.8

-# proxy names you want to start seperated by ','
+# proxy names you want to start separated by ','
 # default is empty, means all proxies
 # start = ssh,dns

 # heartbeat configure, it's not recommended to modify the default value
-# the default value of heartbeat_interval is 10 and heartbeat_timeout is 90
+# The default value of heartbeat_interval is 10 and heartbeat_timeout is 90. Set negative value
+# to disable it.
 # heartbeat_interval = 30
 # heartbeat_timeout = 90

@@ -68,6 +133,23 @@ tls_enable = true
 meta_var1 = 123
 meta_var2 = 234

+# specify udp packet size, unit is byte. If not set, the default value is 1500.
+# This parameter should be same between client and server.
+# It affects the udp and sudp proxy.
+udp_packet_size = 1500
+
+# include other config files for proxies.
+# includes = ./confd/*.ini
+
+# If the disable_custom_tls_first_byte is set to false, frpc will establish a connection with frps using the
+# first custom byte when tls is enabled.
+# Since v0.50.0, the default value has been changed to true, and the first custom byte is disabled by default.
+disable_custom_tls_first_byte = true
+
+# Enable golang pprof handlers in admin listener.
+# Admin port must be set first.
+pprof_enable = false
+
 # 'ssh' is the unique proxy name
 # if user in [common] section is not empty, it will be changed to {user}.{proxy} such as 'your_name.ssh'
 [ssh]
@@ -77,6 +159,8 @@ local_ip = 127.0.0.1
 local_port = 22
 # limit bandwidth for this proxy, unit is KB and MB
 bandwidth_limit = 1MB
+# where to limit bandwidth, can be 'client' or 'server', default is 'client'
+bandwidth_limit_mode = client
 # true or false, if true, messages between frps and frpc will be encrypted, default is false
 use_encryption = false
 # if true, message will be compressed
@@ -144,11 +228,13 @@ use_compression = true
 # if not set, you can access this custom_domains without certification
 http_user = admin
 http_pwd = admin
-# if domain for frps is frps.com, then you can access [web01] proxy by URL http://test.frps.com
+# if domain for frps is frps.com, then you can access [web01] proxy by URL http://web01.frps.com
 subdomain = web01
-custom_domains = web02.yourdomain.com
+custom_domains = web01.yourdomain.com
 # locations is only available for http type
 locations = /,/pic
+# route requests to this service if http basic auto user is abc
+# route_by_http_user = abc
 host_header_rewrite = example.com
 # params with prefix "header_" will be used to update http request headers
 header_X-From-Where = frp
@@ -166,7 +252,7 @@ local_ip = 127.0.0.1
 local_port = 8000
 use_encryption = false
 use_compression = false
-subdomain = web01
+subdomain = web02
 custom_domains = web02.yourdomain.com
 # if not empty, frpc will use proxy protocol to transfer connection info to your local service
 # v1 or v2 or empty
@@ -214,6 +300,16 @@ plugin_key_path = ./server.key
 plugin_host_header_rewrite = 127.0.0.1
 plugin_header_X-From-Where = frp

+[plugin_https2https]
+type = https
+custom_domains = test.yourdomain.com
+plugin = https2https
+plugin_local_addr = 127.0.0.1:443
+plugin_crt_path = ./server.crt
+plugin_key_path = ./server.key
+plugin_host_header_rewrite = 127.0.0.1
+plugin_header_X-From-Where = frp
+
 [plugin_http2https]
 type = http
 custom_domains = test.yourdomain.com
@@ -232,6 +328,9 @@ local_ip = 127.0.0.1
 local_port = 22
 use_encryption = false
 use_compression = false
+# If not empty, only visitors from specified users can connect.
+# Otherwise, visitors from same user can connect. '*' means allow all users.
+allow_users = *

 # user of frpc should be same in both stcp server and stcp visitor
 [secret_tcp_visitor]
@@ -243,6 +342,8 @@ server_name = secret_tcp
 sk = abcdefg
 # connect this address to visitor stcp server
 bind_addr = 127.0.0.1
+# bind_port can be less than 0, it means don't bind to the port and only receive connections redirected from
+# other visitors. (This is not supported for SUDP now)
 bind_port = 9000
 use_encryption = false
 use_compression = false
@@ -254,16 +355,30 @@ local_ip = 127.0.0.1
 local_port = 22
 use_encryption = false
 use_compression = false
+# If not empty, only visitors from specified users can connect.
+# Otherwise, visitors from same user can connect. '*' means allow all users.
+allow_users = user1, user2

 [p2p_tcp_visitor]
 role = visitor
 type = xtcp
+# if the server user is not set, it defaults to the current user
+server_user = user1
 server_name = p2p_tcp
 sk = abcdefg
 bind_addr = 127.0.0.1
+# bind_port can be less than 0, it means don't bind to the port and only receive connections redirected from
+# other visitors. (This is not supported for SUDP now)
 bind_port = 9001
 use_encryption = false
 use_compression = false
+# when automatic tunnel persistence is required, set it to true
+keep_tunnel_open = false
+# effective when keep_tunnel_open is set to true, the number of attempts to punch through per hour
+max_retries_an_hour = 8
+min_retry_interval = 90
+# fallback_to = stcp_visitor
+# fallback_timeout_ms = 500

 [tcpmuxhttpconnect]
 type = tcpmux
@@ -271,3 +386,4 @@ multiplexer = httpconnect
 local_ip = 127.0.0.1
 local_port = 10701
 custom_domains = tunnel1
+# route_by_http_user = user1
--- a/conf/frps_full.ini
+++ b/conf/frps_full.ini
@@ -2,16 +2,22 @@
 [common]
 # A literal address or host name for IPv6 must be enclosed
 # in square brackets, as in "[::1]:80", "[ipv6-host]:http" or "[ipv6-host%zone]:80"
+# For single "bind_addr" field, no need square brackets, like "bind_addr = ::".
 bind_addr = 0.0.0.0
 bind_port = 7000

-# udp port to help make udp hole to penetrate nat
-bind_udp_port = 7001
-
-# udp port used for kcp protocol, it can be same with 'bind_port'
-# if not set, kcp is disabled in frps
+# udp port used for kcp protocol, it can be same with 'bind_port'.
+# if not set, kcp is disabled in frps.
 kcp_bind_port = 7000

+# udp port used for quic protocol.
+# if not set, quic is disabled in frps.
+# quic_bind_port = 7002
+# quic protocol options
+# quic_keepalive_period = 10
+# quic_max_idle_timeout = 30
+# quic_max_incoming_streams = 100000
+
 # specify which address proxy will listen for, default value is same with bind_addr
 # proxy_bind_addr = 127.0.0.1

@@ -23,27 +29,36 @@ vhost_https_port = 443
 # response header timeout(seconds) for vhost http server, default is 60s
 # vhost_http_timeout = 60

-# TcpMuxHttpConnectPort specifies the port that the server listens for TCP
+# tcpmux_httpconnect_port specifies the port that the server listens for TCP
 # HTTP CONNECT requests. If the value is 0, the server will not multiplex TCP
 # requests on one single port. If it's not - it will listen on this value for
 # HTTP CONNECT requests. By default, this value is 0.
 # tcpmux_httpconnect_port = 1337

+# If tcpmux_passthrough is true, frps won't do any update on traffic.
+# tcpmux_passthrough = false
+
 # set dashboard_addr and dashboard_port to view dashboard of frps
 # dashboard_addr's default value is same with bind_addr
 # dashboard is available only if dashboard_port is set
 dashboard_addr = 0.0.0.0
 dashboard_port = 7500

-# dashboard user and passwd for basic auth protect, if not set, both default value is admin
+# dashboard user and passwd for basic auth protect
 dashboard_user = admin
 dashboard_pwd = admin

+# dashboard TLS mode
+dashboard_tls_mode = false
+# dashboard_tls_cert_file = server.crt
+# dashboard_tls_key_file = server.key
+
 # enable_prometheus will export prometheus metrics on {dashboard_addr}:{dashboard_port} in /metrics api.
 enable_prometheus = true

 # dashboard assets directory(only for debug mode)
 # assets_dir = ./static
+
 # console or real logFile path like ./frps.log
 log_file = ./frps.log

@@ -58,12 +73,12 @@ disable_log_color = false
 # DetailedErrorsToClient defines whether to send the specific error (with debug info) to frpc. By default, this value is true.
 detailed_errors_to_client = true

-# AuthenticationMethod specifies what authentication method to use authenticate frpc with frps.
+# authentication_method specifies what authentication method to use authenticate frpc with frps.
 # If "token" is specified - token will be read into login message.
 # If "oidc" is specified - OIDC (Open ID Connect) token will be issued using OIDC settings. By default, this value is "token".
 authentication_method = token

-# AuthenticateHeartBeats specifies whether to include authentication token in heartbeats sent to frps. By default, this value is false.
+# authenticate_heartbeats specifies whether to include authentication token in heartbeats sent to frps. By default, this value is false.
 authenticate_heartbeats = false

 # AuthenticateNewWorkConns specifies whether to include authentication token in new work connections sent to frps. By default, this value is false.
@@ -72,25 +87,30 @@ authenticate_new_work_conns = false
 # auth token
 token = 12345678

-# OidcClientId specifies the client ID to use to get a token in OIDC authentication if AuthenticationMethod == "oidc".
+# oidc_issuer specifies the issuer to verify OIDC tokens with.
 # By default, this value is "".
-oidc_client_id =
+oidc_issuer =

-# OidcClientSecret specifies the client secret to use to get a token in OIDC authentication if AuthenticationMethod == "oidc".
+# oidc_audience specifies the audience OIDC tokens should contain when validated.
 # By default, this value is "".
-oidc_client_secret = 
+oidc_audience =

-# OidcAudience specifies the audience of the token in OIDC authentication if AuthenticationMethod == "oidc". By default, this value is "".
-oidc_audience = 
+# oidc_skip_expiry_check specifies whether to skip checking if the OIDC token is expired.
+# By default, this value is false.
+oidc_skip_expiry_check = false

-# OidcTokenEndpointUrl specifies the URL which implements OIDC Token Endpoint.
-# It will be used to get an OIDC token if AuthenticationMethod == "oidc". By default, this value is "".
-oidc_token_endpoint_url = 
+# oidc_skip_issuer_check specifies whether to skip checking if the OIDC token's issuer claim matches the issuer specified in OidcIssuer.
+# By default, this value is false.
+oidc_skip_issuer_check = false

 # heartbeat configure, it's not recommended to modify the default value
-# the default value of heartbeat_timeout is 90
+# the default value of heartbeat_timeout is 90. Set negative value to disable it.
 # heartbeat_timeout = 90

+# user_conn_timeout configure, it's not recommended to modify the default value
+# the default value of user_conn_timeout is 10
+# user_conn_timeout = 10
+
 # only allow frpc to bind ports you list, if you set nothing, there won't be any limit
 allow_ports = 2000-3000,3001,3003,4000-50000

@@ -100,19 +120,43 @@ max_pool_count = 5
 # max ports can be used for each client, default value is 0 means no limit
 max_ports_per_client = 0

-# TlsOnly specifies whether to only accept TLS-encrypted connections. By default, the value is false.
+# tls_only specifies whether to only accept TLS-encrypted connections. By default, the value is false.
 tls_only = false

+# tls_cert_file = server.crt
+# tls_key_file = server.key
+# tls_trusted_ca_file = ca.crt
+
 # if subdomain_host is not empty, you can set subdomain when type is http or https in frpc's configure file
 # when subdomain is test, the host used by routing is test.frps.com
 subdomain_host = frps.com

 # if tcp stream multiplexing is used, default is true
-tcp_mux = true
+# tcp_mux = true
+
+# specify keep alive interval for tcp mux.
+# only valid if tcp_mux is true.
+# tcp_mux_keepalive_interval = 60
+
+# tcp_keepalive specifies the interval between keep-alive probes for an active network connection between frpc and frps.
+# If negative, keep-alive probes are disabled.
+# tcp_keepalive = 7200

 # custom 404 page for HTTP requests
 # custom_404_page = /path/to/404.html

+# specify udp packet size, unit is byte. If not set, the default value is 1500.
+# This parameter should be same between client and server.
+# It affects the udp and sudp proxy.
+udp_packet_size = 1500
+
+# Enable golang pprof handlers in dashboard listener.
+# Dashboard port must be set first
+pprof_enable = false
+
+# Retention time for NAT hole punching strategy data.
+nat_hole_analysis_data_reserve_hours = 168
+
 [plugin.user-manager]
 addr = 127.0.0.1:9000
 path = /handler
--- a/conf/systemd/frpc.service
+++ b/conf/systemd/frpc.service
@@ -1,14 +0,0 @@
-[Unit]
-Description=Frp Client Service
-After=network.target
-
-[Service]
-Type=simple
-User=nobody
-Restart=on-failure
-RestartSec=5s
-ExecStart=/usr/bin/frpc -c /etc/frp/frpc.ini
-ExecReload=/usr/bin/frpc reload -c /etc/frp/frpc.ini
-
-[Install]
-WantedBy=multi-user.target
--- a/conf/systemd/frpc@.service
+++ b/conf/systemd/frpc@.service
@@ -1,14 +0,0 @@
-[Unit]
-Description=Frp Client Service
-After=network.target
-
-[Service]
-Type=idle
-User=nobody
-Restart=on-failure
-RestartSec=5s
-ExecStart=/usr/bin/frpc -c /etc/frp/%i.ini
-ExecReload=/usr/bin/frpc reload -c /etc/frp/%i.ini
-
-[Install]
-WantedBy=multi-user.target
--- a/conf/systemd/frps.service
+++ b/conf/systemd/frps.service
@@ -1,13 +0,0 @@
-[Unit]
-Description=Frp Server Service
-After=network.target
-
-[Service]
-Type=simple
-User=nobody
-Restart=on-failure
-RestartSec=5s
-ExecStart=/usr/bin/frps -c /etc/frp/frps.ini
-
-[Install]
-WantedBy=multi-user.target
--- a/conf/systemd/frps@.service
+++ b/conf/systemd/frps@.service
@@ -1,13 +0,0 @@
-[Unit]
-Description=Frp Server Service
-After=network.target
-
-[Service]
-Type=simple
-User=nobody
-Restart=on-failure
-RestartSec=5s
-ExecStart=/usr/bin/frps -c /etc/frp/%i.ini
-
-[Install]
-WantedBy=multi-user.target
--- a/doc/pic/sponsor_asocks.jpg
+++ b/doc/pic/sponsor_asocks.jpg
--- a/doc/pic/sponsor_doppler.png
+++ b/doc/pic/sponsor_doppler.png
--- a/doc/pic/sponsor_workos.png
+++ b/doc/pic/sponsor_workos.png
--- a/doc/server_plugin.md
+++ b/doc/server_plugin.md
@@ -1,27 +1,28 @@
-### Manage Plugin
+### Server Plugin

-frp manage plugin is aim to extend frp's ability without modifing self code.
+frp server plugin is aimed to extend frp's ability without modifying the Golang code.

-It runs as a process and listen on a port to provide RPC interface. Before frps doing some operations, frps will send RPC requests to manage plugin and do operations by it's response.
+An external server should run in a different process receiving RPC calls from frps.
+Before frps is doing some operations, it will send RPC requests to notify the external RPC server and act according to its response.

 ### RPC request

-Support HTTP first.
+RPC requests are based on JSON over HTTP.

-When manage plugin accept the operation request, it can give three different responses.
+When a server plugin accepts an operation request, it can respond with three different responses:

-* Reject operation and return the reason.
+* Reject operation and return a reason.
 * Allow operation and keep original content.
 * Allow operation and return modified content.

 ### Interface

-HTTP path can be configured for each manage plugin in frps. Assume here is `/handler`.
+HTTP path can be configured for each manage plugin in frps. We'll assume for this example that it's `/handler`.

-Request
+A request to the RPC server will look like:

 ```
-POST /handler
+POST /handler?version=0.1.0&op=Login
 {
    "version": "0.1.0",
    "op": "Login",
@@ -30,15 +31,15 @@ POST /handler
    }
 }

-Request Header
+Request Header:
 X-Frp-Reqid: for tracing
 ```

-Response
+The response can look like any of the following:

-Error if not return 200 http code.
+* Non-200 HTTP response status code (this will automatically tell frps that the request should fail)

-Reject opeartion
+* Reject operation:

 ```
 {
@@ -47,7 +48,7 @@ Reject opeartion
 }
 ```

-Allow operation and keep original content
+* Allow operation and keep original content:

 ```
 {
@@ -56,7 +57,7 @@ Allow operation and keep original content
 }
 ```

-Allow opeartion and modify content
+* Allow operation and modify content

 ```
 {
@@ -69,7 +70,7 @@ Allow opeartion and modify content

 ### Operation

-Now it supports `Login` and `NewProxy`.
+Currently `Login`, `NewProxy`, `CloseProxy`, `Ping`, `NewWorkConn` and `NewUserConn` operations are supported.

 #### Login

@@ -87,7 +88,8 @@ Client login operation
        "privilege_key": <string>,
        "run_id": <string>,
        "pool_count": <int>,
-        "metas": map<string>string
+        "metas": map<string>string,
+        "client_address": <string>
    }
 }
 ```
@@ -102,11 +104,14 @@ Create new proxy
        "user": {
            "user": <string>,
            "metas": map<string>string
+            "run_id": <string>
        },
        "proxy_name": <string>,
        "proxy_type": <string>,
        "use_encryption": <bool>,
        "use_compression": <bool>,
+        "bandwidth_limit": <string>,
+        "bandwidth_limit_mode": <string>,
        "group": <string>,
        "group_key": <string>,

@@ -122,14 +127,97 @@ Create new proxy
        "host_header_rewrite": <string>,
        "headers": map<string>string,

+        // stcp only
+        "sk": <string>,
+
+        // tcpmux only
+        "multiplexer": <string>
+
        "metas": map<string>string
    }
 }
 ```

-### manage plugin configure
+#### CloseProxy
+
+A previously created proxy is closed.
+
+Please note that one request will be sent for every proxy that is closed, do **NOT** use this
+if you have too many proxies bound to a single client, as this may exhaust the server's resources.
+
+```
+{
+    "content": {
+        "user": {
+            "user": <string>,
+            "metas": map<string>string
+            "run_id": <string>
+        },
+        "proxy_name": <string>
+    }
+}
+```
+
+#### Ping
+
+Heartbeat from frpc
+
+```
+{
+    "content": {
+        "user": {
+            "user": <string>,
+            "metas": map<string>string
+            "run_id": <string>
+        },
+        "timestamp": <int64>,
+        "privilege_key": <string>
+    }
+}
+```
+
+#### NewWorkConn
+
+New work connection received from frpc (RPC sent after `run_id` is matched with an existing frp connection)
+
+```
+{
+    "content": {
+        "user": {
+            "user": <string>,
+            "metas": map<string>string
+            "run_id": <string>
+        },
+        "run_id": <string>
+        "timestamp": <int64>,
+        "privilege_key": <string>
+    }
+}
+```
+
+#### NewUserConn
+
+New user connection received from proxy (support `tcp`, `stcp`, `https` and `tcpmux`) .
+
+```
+{
+    "content": {
+        "user": {
+            "user": <string>,
+            "metas": map<string>string
+            "run_id": <string>
+        },
+        "proxy_name": <string>,
+        "proxy_type": <string>,
+        "remote_addr": <string>
+    }
+}
+```
+
+### Server Plugin Configuration

 ```ini
+# frps.ini
 [common]
 bind_port = 7000

@@ -144,15 +232,20 @@ path = /handler
 ops = NewProxy
 ```

-addr: plugin listen on.
-path: http request url path.
-ops: opeartions plugin needs handle.
+- addr: the address where the external RPC service listens. Defaults to http. For https, specify the schema: `addr = https://127.0.0.1:9001`.
+- path: http request url path for the POST request.
+- ops: operations plugin needs to handle (e.g. "Login", "NewProxy", ...).
+- tls_verify: When the schema is https, we verify by default. Set this value to false if you want to skip verification.

-### meta data
+### Metadata

-Meta data will be sent to manage plugin in each RCP request.
+Metadata will be sent to the server plugin in each RPC request.

-Meta data start with `meta_`. It can be configured in `common` and each proxy.
+There are 2 types of metadata entries - 1 under `[common]` and the other under each proxy configuration.
+Metadata entries under `[common]` will be sent in `Login` under the key `metas`, and in any other RPC request under `user.metas`.
+Metadata entries under each proxy configuration will be sent in `NewProxy` op only, under `metas`.
+
+Metadata entries start with `meta_`. This is an example of metadata entries in `[common]` and under the proxy named `[ssh]`:

 ```
 # frpc.ini
--- a/doc/server_plugin_zh.md
+++ b/doc/server_plugin_zh.md
@@ -1,171 +0,0 @@
-### 服务端管理插件
-
-frp 管理插件的作用是在不侵入自身代码的前提下，扩展 frp 服务端的能力。
-
-frp 管理插件会以单独进程的形式运行，并且监听在一个端口上，对外提供 RPC 接口，响应 frps 的请求。
-
-frps 在执行某些操作前，会根据配置向管理插件发送 RPC 请求，根据管理插件的响应来执行相应的操作。
-
-### RPC 请求
-
-管理插件接收到操作请求后，可以给出三种回应。
-
-* 拒绝操作，需要返回拒绝操作的原因。
-* 允许操作，不需要修改操作内容。
-* 允许操作，对操作请求进行修改后，返回修改后的内容。
-
-### 接口
-
-接口路径可以在 frps 配置中为每个插件单独配置，这里以 `/handler` 为例。
-
-Request
-
-```
-POST /handler
-{
-    "version": "0.1.0",
-    "op": "Login",
-    "content": {
-        ... // 具体的操作信息
-    }
-}
-
-请求 Header
-X-Frp-Reqid: 用于追踪请求
-```
-
-Response
-
-非 200 的返回都认为是请求异常。
-
-拒绝执行操作
-
-```
-{
-   "reject": true,
-   "reject_reason": "invalid user"
-}
-```
-
-允许且内容不需要变动
-
-```
-{
-    "reject": false,
-    "unchange": true
-}
-```
-
-允许且需要替换操作内容
-
-```
-{
-    "unchange": "false",
-    "content": {
-        ... // 替换后的操作信息，格式必须和请求时的一致
-    }
-}
-```
-
-### 操作类型
-
-目前插件支持管理的操作类型有 `Login` 和 `NewProxy`。
-
-#### Login
-
-用户登录操作信息
-
-```
-{
-    "content": {
-        "version": <string>,
-        "hostname": <string>,
-        "os": <string>,
-        "arch": <string>,
-        "user": <string>,
-        "timestamp": <int64>,
-        "privilege_key": <string>,
-        "run_id": <string>,
-        "pool_count": <int>,
-        "metas": map<string>string
-    }
-}
-```
-
-#### NewProxy
-
-创建代理的相关信息
-
-```
-{
-    "content": {
-        "user": {
-            "user": <string>,
-            "metas": map<string>string
-        },
-        "proxy_name": <string>,
-        "proxy_type": <string>,
-        "use_encryption": <bool>,
-        "use_compression": <bool>,
-        "group": <string>,
-        "group_key": <string>,
-
-        // tcp and udp only
-        "remote_port": <int>,
-
-        // http and https only
-        "custom_domains": []<string>,
-        "subdomain": <string>,
-        "locations": <string>,
-        "http_user": <string>,
-        "http_pwd": <string>,
-        "host_header_rewrite": <string>,
-        "headers": map<string>string,
-
-        "metas": map<string>string
-    }
-}
-```
-
-### frps 中插件配置
-
-```ini
-[common]
-bind_port = 7000
-
-[plugin.user-manager]
-addr = 127.0.0.1:9000
-path = /handler
-ops = Login
-
-[plugin.port-manager]
-addr = 127.0.0.1:9001
-path = /handler
-ops = NewProxy
-```
-
-addr: 插件监听的网络地址。
-path: 插件监听的 HTTP 请求路径。
-ops: 插件需要处理的操作列表，多个 op 以英文逗号分隔。
-
-### 元数据
-
-为了减少 frps 的代码修改，同时提高管理插件的扩展能力，在 frpc 的配置文件中引入自定义元数据的概念。元数据会在调用 RPC 请求时发送给插件。
-
-元数据以 `meta_` 开头，可以配置多个，元数据分为两种，一种配置在 `common` 下，一种配置在各个 proxy 中。
-
-```
-# frpc.ini
-[common]
-server_addr = 127.0.0.1
-server_port = 7000
-user = fake
-meta_token = fake
-meta_version = 1.0.0
-
-[ssh]
-type = tcp
-local_port = 22
-remote_port = 6000
-meta_id = 123
-```
--- a/dockerfiles/Dockerfile-for-frpc
+++ b/dockerfiles/Dockerfile-for-frpc
@@ -0,0 +1,12 @@
+FROM golang:1.20 AS building
+
+COPY . /building
+WORKDIR /building
+
+RUN make frpc
+
+FROM alpine:3
+
+COPY --from=building /building/bin/frpc /usr/bin/frpc
+
+ENTRYPOINT ["/usr/bin/frpc"]
--- a/dockerfiles/Dockerfile-for-frps
+++ b/dockerfiles/Dockerfile-for-frps
@@ -0,0 +1,12 @@
+FROM golang:1.20 AS building
+
+COPY . /building
+WORKDIR /building
+
+RUN make frps
+
+FROM alpine:3
+
+COPY --from=building /building/bin/frps /usr/bin/frps
+
+ENTRYPOINT ["/usr/bin/frps"]
--- a/go.mod
+++ b/go.mod
@@ -1,37 +1,77 @@
 module github.com/fatedier/frp

-go 1.12
+go 1.20

 require (
 	github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5
-	github.com/coreos/go-oidc v2.2.1+incompatible
+	github.com/coreos/go-oidc/v3 v3.4.0
 	github.com/fatedier/beego v0.0.0-20171024143340-6c6a4f5bd5eb
-	github.com/fatedier/golib v0.0.0-20181107124048-ff8cd814b049
+	github.com/fatedier/golib v0.1.1-0.20230320133937-a7edcc8c793d
 	github.com/fatedier/kcp-go v2.0.4-0.20190803094908-fe8645b0a904+incompatible
-	github.com/golang/snappy v0.0.0-20170215233205-553a64147049 // indirect
-	github.com/gorilla/mux v1.7.3
-	github.com/gorilla/websocket v1.4.0
-	github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d
-	github.com/inconshreveable/mousetrap v1.0.0 // indirect
-	github.com/klauspost/cpuid v1.2.0 // indirect
-	github.com/klauspost/reedsolomon v1.9.1 // indirect
-	github.com/mattn/go-runewidth v0.0.4 // indirect
-	github.com/pires/go-proxyproto v0.0.0-20190111085350-4d51b51e3bfc
-	github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
-	github.com/prometheus/client_golang v1.4.1
-	github.com/rakyll/statik v0.1.1
-	github.com/rodaine/table v1.0.0
-	github.com/spf13/cobra v0.0.3
-	github.com/spf13/pflag v1.0.1 // indirect
-	github.com/stretchr/testify v1.4.0
-	github.com/templexxx/cpufeat v0.0.0-20170927014610-3794dfbfb047 // indirect
-	github.com/templexxx/xor v0.0.0-20170926022130-0af8e873c554 // indirect
-	github.com/tjfoc/gmsm v0.0.0-20171124023159-98aa888b79d8 // indirect
-	github.com/vaughan0/go-ini v0.0.0-20130923145212-a98ad7ee00ec
-	github.com/xtaci/lossyconn v0.0.0-20190602105132-8df528c0c9ae // indirect
-	golang.org/x/net v0.0.0-20190724013045-ca1201d0de80
-	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
-	golang.org/x/text v0.3.2 // indirect
-	golang.org/x/time v0.0.0-20191024005414-555d28b269f0
-	gopkg.in/square/go-jose.v2 v2.4.1 // indirect
+	github.com/go-playground/validator/v10 v10.11.0
+	github.com/google/uuid v1.3.0
+	github.com/gorilla/mux v1.8.0
+	github.com/gorilla/websocket v1.5.0
+	github.com/hashicorp/yamux v0.1.1
+	github.com/onsi/ginkgo/v2 v2.8.3
+	github.com/onsi/gomega v1.27.0
+	github.com/pion/stun v0.4.0
+	github.com/pires/go-proxyproto v0.6.2
+	github.com/prometheus/client_golang v1.13.0
+	github.com/quic-go/quic-go v0.34.0
+	github.com/rodaine/table v1.0.1
+	github.com/samber/lo v1.38.1
+	github.com/spf13/cobra v1.1.3
+	github.com/stretchr/testify v1.8.1
+	golang.org/x/net v0.7.0
+	golang.org/x/oauth2 v0.3.0
+	golang.org/x/sync v0.1.0
+	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8
+	gopkg.in/ini.v1 v1.67.0
+	k8s.io/apimachinery v0.26.1
+	k8s.io/client-go v0.26.1
+)
+
+require (
+	github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cespare/xxhash/v2 v2.1.2 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/go-logr/logr v1.2.3 // indirect
+	github.com/go-playground/locales v0.14.0 // indirect
+	github.com/go-playground/universal-translator v0.18.0 // indirect
+	github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 // indirect
+	github.com/golang/mock v1.6.0 // indirect
+	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/golang/snappy v0.0.3 // indirect
+	github.com/google/go-cmp v0.5.9 // indirect
+	github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect
+	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/klauspost/cpuid/v2 v2.0.6 // indirect
+	github.com/klauspost/reedsolomon v1.9.15 // indirect
+	github.com/leodido/go-urn v1.2.1 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
+	github.com/pion/transport/v2 v2.0.0 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/prometheus/client_model v0.2.0 // indirect
+	github.com/prometheus/common v0.37.0 // indirect
+	github.com/prometheus/procfs v0.8.0 // indirect
+	github.com/quic-go/qtls-go1-19 v0.3.2 // indirect
+	github.com/quic-go/qtls-go1-20 v0.2.2 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/templexxx/cpufeat v0.0.0-20180724012125-cef66df7f161 // indirect
+	github.com/templexxx/xor v0.0.0-20191217153810-f85b25db303b // indirect
+	github.com/tjfoc/gmsm v1.4.1 // indirect
+	golang.org/x/crypto v0.4.0 // indirect
+	golang.org/x/exp v0.0.0-20221205204356-47842c84f3db // indirect
+	golang.org/x/mod v0.8.0 // indirect
+	golang.org/x/sys v0.5.0 // indirect
+	golang.org/x/text v0.7.0 // indirect
+	golang.org/x/tools v0.6.0 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/protobuf v1.28.1 // indirect
+	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	k8s.io/utils v0.0.0-20221107191617-1a15be271d1d // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/hack/download.sh
+++ b/hack/download.sh
@@ -0,0 +1,63 @@
+#!/bin/sh
+
+OS="$(go env GOOS)"
+ARCH="$(go env GOARCH)"
+
+if [ "${TARGET_OS}" ]; then
+  OS="${TARGET_OS}"
+fi
+if [ "${TARGET_ARCH}" ]; then
+  ARCH="${TARGET_ARCH}"
+fi
+
+# Determine the latest version by version number ignoring alpha, beta, and rc versions.
+if [ "${FRP_VERSION}" = "" ] ; then
+  FRP_VERSION="$(curl -sL https://github.com/fatedier/frp/releases | \
+                  grep -o 'releases/tag/v[0-9]*.[0-9]*.[0-9]*"' | sort -V | \
+                  tail -1 | awk -F'/' '{ print $3}')"
+  FRP_VERSION="${FRP_VERSION%?}"
+  FRP_VERSION="${FRP_VERSION#?}"
+fi
+
+if [ "${FRP_VERSION}" = "" ] ; then
+  printf "Unable to get latest frp version. Set FRP_VERSION env var and re-run. For example: export FRP_VERSION=1.0.0"
+  exit 1;
+fi
+
+SUFFIX=".tar.gz"
+if [ "${OS}" = "windows" ] ; then
+  SUFFIX=".zip"
+fi
+NAME="frp_${FRP_VERSION}_${OS}_${ARCH}${SUFFIX}"
+DIR_NAME="frp_${FRP_VERSION}_${OS}_${ARCH}"
+URL="https://github.com/fatedier/frp/releases/download/v${FRP_VERSION}/${NAME}"
+
+download_and_extract() {
+  printf "Downloading %s from %s ...\n" "$NAME" "${URL}"
+  if ! curl -o /dev/null -sIf "${URL}"; then
+    printf "\n%s is not found, please specify a valid FRP_VERSION\n" "${URL}"
+    exit 1
+  fi
+  curl -fsLO "${URL}"
+  filename=$NAME
+
+  if [ "${OS}" = "windows" ]; then
+    unzip "${filename}"
+  else
+    tar -xzf "${filename}"
+  fi
+  rm "${filename}"
+
+  if [ "${TARGET_DIRNAME}" ]; then
+    mv "${DIR_NAME}" "${TARGET_DIRNAME}"
+    DIR_NAME="${TARGET_DIRNAME}"
+  fi
+}
+
+download_and_extract
+
+printf ""
+printf "\nfrp %s Download Complete!\n" "$FRP_VERSION"
+printf "\n"
+printf "frp has been successfully downloaded into the %s folder on your system.\n" "$DIR_NAME"
+printf "\n"
--- a/hack/run-e2e.sh
+++ b/hack/run-e2e.sh
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+SCRIPT=$(readlink -f "$0")
+ROOT=$(unset CDPATH && cd "$(dirname "$SCRIPT")/.." && pwd)
+
+ginkgo_command=$(which ginkgo 2>/dev/null)
+if [ -z "$ginkgo_command" ]; then
+    echo "ginkgo not found, try to install..."
+    go install github.com/onsi/ginkgo/v2/ginkgo@v2.8.3
+fi
+
+debug=false
+if [ "x${DEBUG}" = "xtrue" ]; then
+    debug=true
+fi
+logLevel=debug
+if [ "${LOG_LEVEL}" ]; then
+    logLevel="${LOG_LEVEL}"
+fi
+
+frpcPath=${ROOT}/bin/frpc
+if [ "${FRPC_PATH}" ]; then
+    frpcPath="${FRPC_PATH}"
+fi
+frpsPath=${ROOT}/bin/frps
+if [ "${FRPS_PATH}" ]; then
+    frpsPath="${FRPS_PATH}"
+fi
+
+ginkgo -nodes=8 --poll-progress-after=60s ${ROOT}/test/e2e -- -frpc-path=${frpcPath} -frps-path=${frpsPath} -log-level=${logLevel} -debug=${debug}
--- a/models/auth/auth.go
+++ b/models/auth/auth.go
@@ -1,151 +0,0 @@
-// Copyright 2020 guylewin, guy@lewin.co.il
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package auth
-
-import (
-	"fmt"
-
-	"github.com/fatedier/frp/models/consts"
-	"github.com/fatedier/frp/models/msg"
-
-	"github.com/vaughan0/go-ini"
-)
-
-type baseConfig struct {
-	// AuthenticationMethod specifies what authentication method to use to
-	// authenticate frpc with frps. If "token" is specified - token will be
-	// read into login message. If "oidc" is specified - OIDC (Open ID Connect)
-	// token will be issued using OIDC settings. By default, this value is "token".
-	AuthenticationMethod string `json:"authentication_method"`
-	// AuthenticateHeartBeats specifies whether to include authentication token in
-	// heartbeats sent to frps. By default, this value is false.
-	AuthenticateHeartBeats bool `json:"authenticate_heartbeats"`
-	// AuthenticateNewWorkConns specifies whether to include authentication token in
-	// new work connections sent to frps. By default, this value is false.
-	AuthenticateNewWorkConns bool `json:"authenticate_new_work_conns"`
-}
-
-func getDefaultBaseConf() baseConfig {
-	return baseConfig{
-		AuthenticationMethod:     "token",
-		AuthenticateHeartBeats:   false,
-		AuthenticateNewWorkConns: false,
-	}
-}
-
-func unmarshalBaseConfFromIni(conf ini.File) baseConfig {
-	var (
-		tmpStr string
-		ok     bool
-	)
-
-	cfg := getDefaultBaseConf()
-
-	if tmpStr, ok = conf.Get("common", "authentication_method"); ok {
-		cfg.AuthenticationMethod = tmpStr
-	}
-
-	if tmpStr, ok = conf.Get("common", "authenticate_heartbeats"); ok && tmpStr == "true" {
-		cfg.AuthenticateHeartBeats = true
-	} else {
-		cfg.AuthenticateHeartBeats = false
-	}
-
-	if tmpStr, ok = conf.Get("common", "authenticate_new_work_conns"); ok && tmpStr == "true" {
-		cfg.AuthenticateNewWorkConns = true
-	} else {
-		cfg.AuthenticateNewWorkConns = false
-	}
-
-	return cfg
-}
-
-type AuthClientConfig struct {
-	baseConfig
-	oidcClientConfig
-	tokenConfig
-}
-
-func GetDefaultAuthClientConf() AuthClientConfig {
-	return AuthClientConfig{
-		baseConfig:       getDefaultBaseConf(),
-		oidcClientConfig: getDefaultOidcClientConf(),
-		tokenConfig:      getDefaultTokenConf(),
-	}
-}
-
-func UnmarshalAuthClientConfFromIni(conf ini.File) (cfg AuthClientConfig) {
-	cfg.baseConfig = unmarshalBaseConfFromIni(conf)
-	cfg.oidcClientConfig = unmarshalOidcClientConfFromIni(conf)
-	cfg.tokenConfig = unmarshalTokenConfFromIni(conf)
-	return cfg
-}
-
-type AuthServerConfig struct {
-	baseConfig
-	oidcServerConfig
-	tokenConfig
-}
-
-func GetDefaultAuthServerConf() AuthServerConfig {
-	return AuthServerConfig{
-		baseConfig:       getDefaultBaseConf(),
-		oidcServerConfig: getDefaultOidcServerConf(),
-		tokenConfig:      getDefaultTokenConf(),
-	}
-}
-
-func UnmarshalAuthServerConfFromIni(conf ini.File) (cfg AuthServerConfig) {
-	cfg.baseConfig = unmarshalBaseConfFromIni(conf)
-	cfg.oidcServerConfig = unmarshalOidcServerConfFromIni(conf)
-	cfg.tokenConfig = unmarshalTokenConfFromIni(conf)
-	return cfg
-}
-
-type Setter interface {
-	SetLogin(*msg.Login) error
-	SetPing(*msg.Ping) error
-	SetNewWorkConn(*msg.NewWorkConn) error
-}
-
-func NewAuthSetter(cfg AuthClientConfig) (authProvider Setter) {
-	switch cfg.AuthenticationMethod {
-	case consts.TokenAuthMethod:
-		authProvider = NewTokenAuth(cfg.baseConfig, cfg.tokenConfig)
-	case consts.OidcAuthMethod:
-		authProvider = NewOidcAuthSetter(cfg.baseConfig, cfg.oidcClientConfig)
-	default:
-		panic(fmt.Sprintf("wrong authentication method: '%s'", cfg.AuthenticationMethod))
-	}
-
-	return authProvider
-}
-
-type Verifier interface {
-	VerifyLogin(*msg.Login) error
-	VerifyPing(*msg.Ping) error
-	VerifyNewWorkConn(*msg.NewWorkConn) error
-}
-
-func NewAuthVerifier(cfg AuthServerConfig) (authVerifier Verifier) {
-	switch cfg.AuthenticationMethod {
-	case consts.TokenAuthMethod:
-		authVerifier = NewTokenAuth(cfg.baseConfig, cfg.tokenConfig)
-	case consts.OidcAuthMethod:
-		authVerifier = NewOidcAuthVerifier(cfg.baseConfig, cfg.oidcServerConfig)
-	}
-
-	return authVerifier
-}
--- a/models/config/client_common.go
+++ b/models/config/client_common.go
@@ -1,315 +0,0 @@
-// Copyright 2016 fatedier, fatedier@gmail.com
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package config
-
-import (
-	"fmt"
-	"os"
-	"strconv"
-	"strings"
-
-	ini "github.com/vaughan0/go-ini"
-
-	"github.com/fatedier/frp/models/auth"
-)
-
-// ClientCommonConf contains information for a client service. It is
-// recommended to use GetDefaultClientConf instead of creating this object
-// directly, so that all unspecified fields have reasonable default values.
-type ClientCommonConf struct {
-	auth.AuthClientConfig
-	// ServerAddr specifies the address of the server to connect to. By
-	// default, this value is "0.0.0.0".
-	ServerAddr string `json:"server_addr"`
-	// ServerPort specifies the port to connect to the server on. By default,
-	// this value is 7000.
-	ServerPort int `json:"server_port"`
-	// HttpProxy specifies a proxy address to connect to the server through. If
-	// this value is "", the server will be connected to directly. By default,
-	// this value is read from the "http_proxy" environment variable.
-	HttpProxy string `json:"http_proxy"`
-	// LogFile specifies a file where logs will be written to. This value will
-	// only be used if LogWay is set appropriately. By default, this value is
-	// "console".
-	LogFile string `json:"log_file"`
-	// LogWay specifies the way logging is managed. Valid values are "console"
-	// or "file". If "console" is used, logs will be printed to stdout. If
-	// "file" is used, logs will be printed to LogFile. By default, this value
-	// is "console".
-	LogWay string `json:"log_way"`
-	// LogLevel specifies the minimum log level. Valid values are "trace",
-	// "debug", "info", "warn", and "error". By default, this value is "info".
-	LogLevel string `json:"log_level"`
-	// LogMaxDays specifies the maximum number of days to store log information
-	// before deletion. This is only used if LogWay == "file". By default, this
-	// value is 0.
-	LogMaxDays int64 `json:"log_max_days"`
-	// DisableLogColor disables log colors when LogWay == "console" when set to
-	// true. By default, this value is false.
-	DisableLogColor bool `json:"disable_log_color"`
-	// AdminAddr specifies the address that the admin server binds to. By
-	// default, this value is "127.0.0.1".
-	AdminAddr string `json:"admin_addr"`
-	// AdminPort specifies the port for the admin server to listen on. If this
-	// value is 0, the admin server will not be started. By default, this value
-	// is 0.
-	AdminPort int `json:"admin_port"`
-	// AdminUser specifies the username that the admin server will use for
-	// login. By default, this value is "admin".
-	AdminUser string `json:"admin_user"`
-	// AdminPwd specifies the password that the admin server will use for
-	// login. By default, this value is "admin".
-	AdminPwd string `json:"admin_pwd"`
-	// AssetsDir specifies the local directory that the admin server will load
-	// resources from. If this value is "", assets will be loaded from the
-	// bundled executable using statik. By default, this value is "".
-	AssetsDir string `json:"assets_dir"`
-	// PoolCount specifies the number of connections the client will make to
-	// the server in advance. By default, this value is 0.
-	PoolCount int `json:"pool_count"`
-	// TcpMux toggles TCP stream multiplexing. This allows multiple requests
-	// from a client to share a single TCP connection. If this value is true,
-	// the server must have TCP multiplexing enabled as well. By default, this
-	// value is true.
-	TcpMux bool `json:"tcp_mux"`
-	// User specifies a prefix for proxy names to distinguish them from other
-	// clients. If this value is not "", proxy names will automatically be
-	// changed to "{user}.{proxy_name}". By default, this value is "".
-	User string `json:"user"`
-	// DnsServer specifies a DNS server address for FRPC to use. If this value
-	// is "", the default DNS will be used. By default, this value is "".
-	DnsServer string `json:"dns_server"`
-	// LoginFailExit controls whether or not the client should exit after a
-	// failed login attempt. If false, the client will retry until a login
-	// attempt succeeds. By default, this value is true.
-	LoginFailExit bool `json:"login_fail_exit"`
-	// Start specifies a set of enabled proxies by name. If this set is empty,
-	// all supplied proxies are enabled. By default, this value is an empty
-	// set.
-	Start map[string]struct{} `json:"start"`
-	// Protocol specifies the protocol to use when interacting with the server.
-	// Valid values are "tcp", "kcp", and "websocket". By default, this value
-	// is "tcp".
-	Protocol string `json:"protocol"`
-	// TLSEnable specifies whether or not TLS should be used when communicating
-	// with the server.
-	TLSEnable bool `json:"tls_enable"`
-	// HeartBeatInterval specifies at what interval heartbeats are sent to the
-	// server, in seconds. It is not recommended to change this value. By
-	// default, this value is 30.
-	HeartBeatInterval int64 `json:"heartbeat_interval"`
-	// HeartBeatTimeout specifies the maximum allowed heartbeat response delay
-	// before the connection is terminated, in seconds. It is not recommended
-	// to change this value. By default, this value is 90.
-	HeartBeatTimeout int64 `json:"heartbeat_timeout"`
-	// Client meta info
-	Metas map[string]string `json:"metas"`
-}
-
-// GetDefaultClientConf returns a client configuration with default values.
-func GetDefaultClientConf() ClientCommonConf {
-	return ClientCommonConf{
-		ServerAddr:        "0.0.0.0",
-		ServerPort:        7000,
-		HttpProxy:         os.Getenv("http_proxy"),
-		LogFile:           "console",
-		LogWay:            "console",
-		LogLevel:          "info",
-		LogMaxDays:        3,
-		DisableLogColor:   false,
-		AdminAddr:         "127.0.0.1",
-		AdminPort:         0,
-		AdminUser:         "",
-		AdminPwd:          "",
-		AssetsDir:         "",
-		PoolCount:         1,
-		TcpMux:            true,
-		User:              "",
-		DnsServer:         "",
-		LoginFailExit:     true,
-		Start:             make(map[string]struct{}),
-		Protocol:          "tcp",
-		TLSEnable:         false,
-		HeartBeatInterval: 30,
-		HeartBeatTimeout:  90,
-		Metas:             make(map[string]string),
-	}
-}
-
-func UnmarshalClientConfFromIni(content string) (cfg ClientCommonConf, err error) {
-	cfg = GetDefaultClientConf()
-
-	conf, err := ini.Load(strings.NewReader(content))
-	if err != nil {
-		return ClientCommonConf{}, fmt.Errorf("parse ini conf file error: %v", err)
-	}
-
-	cfg.AuthClientConfig = auth.UnmarshalAuthClientConfFromIni(conf)
-
-	var (
-		tmpStr string
-		ok     bool
-		v      int64
-	)
-	if tmpStr, ok = conf.Get("common", "server_addr"); ok {
-		cfg.ServerAddr = tmpStr
-	}
-
-	if tmpStr, ok = conf.Get("common", "server_port"); ok {
-		v, err = strconv.ParseInt(tmpStr, 10, 64)
-		if err != nil {
-			err = fmt.Errorf("Parse conf error: invalid server_port")
-			return
-		}
-		cfg.ServerPort = int(v)
-	}
-
-	if tmpStr, ok = conf.Get("common", "disable_log_color"); ok && tmpStr == "true" {
-		cfg.DisableLogColor = true
-	}
-
-	if tmpStr, ok = conf.Get("common", "http_proxy"); ok {
-		cfg.HttpProxy = tmpStr
-	}
-
-	if tmpStr, ok = conf.Get("common", "log_file"); ok {
-		cfg.LogFile = tmpStr
-		if cfg.LogFile == "console" {
-			cfg.LogWay = "console"
-		} else {
-			cfg.LogWay = "file"
-		}
-	}
-
-	if tmpStr, ok = conf.Get("common", "log_level"); ok {
-		cfg.LogLevel = tmpStr
-	}
-
-	if tmpStr, ok = conf.Get("common", "log_max_days"); ok {
-		if v, err = strconv.ParseInt(tmpStr, 10, 64); err == nil {
-			cfg.LogMaxDays = v
-		}
-	}
-
-	if tmpStr, ok = conf.Get("common", "admin_addr"); ok {
-		cfg.AdminAddr = tmpStr
-	}
-
-	if tmpStr, ok = conf.Get("common", "admin_port"); ok {
-		if v, err = strconv.ParseInt(tmpStr, 10, 64); err == nil {
-			cfg.AdminPort = int(v)
-		} else {
-			err = fmt.Errorf("Parse conf error: invalid admin_port")
-			return
-		}
-	}
-
-	if tmpStr, ok = conf.Get("common", "admin_user"); ok {
-		cfg.AdminUser = tmpStr
-	}
-
-	if tmpStr, ok = conf.Get("common", "admin_pwd"); ok {
-		cfg.AdminPwd = tmpStr
-	}
-
-	if tmpStr, ok = conf.Get("common", "assets_dir"); ok {
-		cfg.AssetsDir = tmpStr
-	}
-
-	if tmpStr, ok = conf.Get("common", "pool_count"); ok {
-		if v, err = strconv.ParseInt(tmpStr, 10, 64); err == nil {
-			cfg.PoolCount = int(v)
-		}
-	}
-
-	if tmpStr, ok = conf.Get("common", "tcp_mux"); ok && tmpStr == "false" {
-		cfg.TcpMux = false
-	} else {
-		cfg.TcpMux = true
-	}
-
-	if tmpStr, ok = conf.Get("common", "user"); ok {
-		cfg.User = tmpStr
-	}
-
-	if tmpStr, ok = conf.Get("common", "dns_server"); ok {
-		cfg.DnsServer = tmpStr
-	}
-
-	if tmpStr, ok = conf.Get("common", "start"); ok {
-		proxyNames := strings.Split(tmpStr, ",")
-		for _, name := range proxyNames {
-			cfg.Start[strings.TrimSpace(name)] = struct{}{}
-		}
-	}
-
-	if tmpStr, ok = conf.Get("common", "login_fail_exit"); ok && tmpStr == "false" {
-		cfg.LoginFailExit = false
-	} else {
-		cfg.LoginFailExit = true
-	}
-
-	if tmpStr, ok = conf.Get("common", "protocol"); ok {
-		// Now it only support tcp and kcp and websocket.
-		if tmpStr != "tcp" && tmpStr != "kcp" && tmpStr != "websocket" {
-			err = fmt.Errorf("Parse conf error: invalid protocol")
-			return
-		}
-		cfg.Protocol = tmpStr
-	}
-
-	if tmpStr, ok = conf.Get("common", "tls_enable"); ok && tmpStr == "true" {
-		cfg.TLSEnable = true
-	} else {
-		cfg.TLSEnable = false
-	}
-
-	if tmpStr, ok = conf.Get("common", "heartbeat_timeout"); ok {
-		if v, err = strconv.ParseInt(tmpStr, 10, 64); err != nil {
-			err = fmt.Errorf("Parse conf error: invalid heartbeat_timeout")
-			return
-		} else {
-			cfg.HeartBeatTimeout = v
-		}
-	}
-
-	if tmpStr, ok = conf.Get("common", "heartbeat_interval"); ok {
-		if v, err = strconv.ParseInt(tmpStr, 10, 64); err != nil {
-			err = fmt.Errorf("Parse conf error: invalid heartbeat_interval")
-			return
-		} else {
-			cfg.HeartBeatInterval = v
-		}
-	}
-	for k, v := range conf.Section("common") {
-		if strings.HasPrefix(k, "meta_") {
-			cfg.Metas[strings.TrimPrefix(k, "meta_")] = v
-		}
-	}
-	return
-}
-
-func (cfg *ClientCommonConf) Check() (err error) {
-	if cfg.HeartBeatInterval <= 0 {
-		err = fmt.Errorf("Parse conf error: invalid heartbeat_interval")
-		return
-	}
-
-	if cfg.HeartBeatTimeout < cfg.HeartBeatInterval {
-		err = fmt.Errorf("Parse conf error: invalid heartbeat_timeout, heartbeat_timeout is less than heartbeat_interval")
-		return
-	}
-	return
-}
--- a/models/config/proxy.go
+++ b/models/config/proxy.go
--- a/models/config/server_common.go
+++ b/models/config/server_common.go
@@ -1,442 +0,0 @@
-// Copyright 2016 fatedier, fatedier@gmail.com
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package config
-
-import (
-	"fmt"
-	"strconv"
-	"strings"
-
-	ini "github.com/vaughan0/go-ini"
-
-	"github.com/fatedier/frp/models/auth"
-	plugin "github.com/fatedier/frp/models/plugin/server"
-	"github.com/fatedier/frp/utils/util"
-)
-
-// ServerCommonConf contains information for a server service. It is
-// recommended to use GetDefaultServerConf instead of creating this object
-// directly, so that all unspecified fields have reasonable default values.
-type ServerCommonConf struct {
-	auth.AuthServerConfig
-	// BindAddr specifies the address that the server binds to. By default,
-	// this value is "0.0.0.0".
-	BindAddr string `json:"bind_addr"`
-	// BindPort specifies the port that the server listens on. By default, this
-	// value is 7000.
-	BindPort int `json:"bind_port"`
-	// BindUdpPort specifies the UDP port that the server listens on. If this
-	// value is 0, the server will not listen for UDP connections. By default,
-	// this value is 0
-	BindUdpPort int `json:"bind_udp_port"`
-	// BindKcpPort specifies the KCP port that the server listens on. If this
-	// value is 0, the server will not listen for KCP connections. By default,
-	// this value is 0.
-	KcpBindPort int `json:"kcp_bind_port"`
-	// ProxyBindAddr specifies the address that the proxy binds to. This value
-	// may be the same as BindAddr. By default, this value is "0.0.0.0".
-	ProxyBindAddr string `json:"proxy_bind_addr"`
-	// VhostHttpPort specifies the port that the server listens for HTTP Vhost
-	// requests. If this value is 0, the server will not listen for HTTP
-	// requests. By default, this value is 0.
-	VhostHttpPort int `json:"vhost_http_port"`
-	// VhostHttpsPort specifies the port that the server listens for HTTPS
-	// Vhost requests. If this value is 0, the server will not listen for HTTPS
-	// requests. By default, this value is 0.
-	VhostHttpsPort int `json:"vhost_https_port"`
-	// TcpMuxHttpConnectPort specifies the port that the server listens for TCP
-	// HTTP CONNECT requests. If the value is 0, the server will not multiplex TCP
-	// requests on one single port. If it's not - it will listen on this value for
-	// HTTP CONNECT requests. By default, this value is 0.
-	TcpMuxHttpConnectPort int `json:"tcpmux_httpconnect_port"`
-	// VhostHttpTimeout specifies the response header timeout for the Vhost
-	// HTTP server, in seconds. By default, this value is 60.
-	VhostHttpTimeout int64 `json:"vhost_http_timeout"`
-	// DashboardAddr specifies the address that the dashboard binds to. By
-	// default, this value is "0.0.0.0".
-	DashboardAddr string `json:"dashboard_addr"`
-	// DashboardPort specifies the port that the dashboard listens on. If this
-	// value is 0, the dashboard will not be started. By default, this value is
-	// 0.
-	DashboardPort int `json:"dashboard_port"`
-	// DashboardUser specifies the username that the dashboard will use for
-	// login. By default, this value is "admin".
-	DashboardUser string `json:"dashboard_user"`
-	// DashboardUser specifies the password that the dashboard will use for
-	// login. By default, this value is "admin".
-	DashboardPwd string `json:"dashboard_pwd"`
-	// EnablePrometheus will export prometheus metrics on {dashboard_addr}:{dashboard_port}
-	// in /metrics api.
-	EnablePrometheus bool `json:"enable_prometheus"`
-	// AssetsDir specifies the local directory that the dashboard will load
-	// resources from. If this value is "", assets will be loaded from the
-	// bundled executable using statik. By default, this value is "".
-	AssetsDir string `json:"asserts_dir"`
-	// LogFile specifies a file where logs will be written to. This value will
-	// only be used if LogWay is set appropriately. By default, this value is
-	// "console".
-	LogFile string `json:"log_file"`
-	// LogWay specifies the way logging is managed. Valid values are "console"
-	// or "file". If "console" is used, logs will be printed to stdout. If
-	// "file" is used, logs will be printed to LogFile. By default, this value
-	// is "console".
-	LogWay string `json:"log_way"`
-	// LogLevel specifies the minimum log level. Valid values are "trace",
-	// "debug", "info", "warn", and "error". By default, this value is "info".
-	LogLevel string `json:"log_level"`
-	// LogMaxDays specifies the maximum number of days to store log information
-	// before deletion. This is only used if LogWay == "file". By default, this
-	// value is 0.
-	LogMaxDays int64 `json:"log_max_days"`
-	// DisableLogColor disables log colors when LogWay == "console" when set to
-	// true. By default, this value is false.
-	DisableLogColor bool `json:"disable_log_color"`
-	// DetailedErrorsToClient defines whether to send the specific error (with
-	// debug info) to frpc. By default, this value is true.
-	DetailedErrorsToClient bool `json:"detailed_errors_to_client"`
-
-	// SubDomainHost specifies the domain that will be attached to sub-domains
-	// requested by the client when using Vhost proxying. For example, if this
-	// value is set to "frps.com" and the client requested the subdomain
-	// "test", the resulting URL would be "test.frps.com". By default, this
-	// value is "".
-	SubDomainHost string `json:"subdomain_host"`
-	// TcpMux toggles TCP stream multiplexing. This allows multiple requests
-	// from a client to share a single TCP connection. By default, this value
-	// is true.
-	TcpMux bool `json:"tcp_mux"`
-	// Custom404Page specifies a path to a custom 404 page to display. If this
-	// value is "", a default page will be displayed. By default, this value is
-	// "".
-	Custom404Page string `json:"custom_404_page"`
-
-	// AllowPorts specifies a set of ports that clients are able to proxy to.
-	// If the length of this value is 0, all ports are allowed. By default,
-	// this value is an empty set.
-	AllowPorts map[int]struct{}
-	// MaxPoolCount specifies the maximum pool size for each proxy. By default,
-	// this value is 5.
-	MaxPoolCount int64 `json:"max_pool_count"`
-	// MaxPortsPerClient specifies the maximum number of ports a single client
-	// may proxy to. If this value is 0, no limit will be applied. By default,
-	// this value is 0.
-	MaxPortsPerClient int64 `json:"max_ports_per_client"`
-	// TlsOnly specifies whether to only accept TLS-encrypted connections. By
-	// default, the value is false.
-	TlsOnly bool `json:"tls_only"`
-	// HeartBeatTimeout specifies the maximum time to wait for a heartbeat
-	// before terminating the connection. It is not recommended to change this
-	// value. By default, this value is 90.
-	HeartBeatTimeout int64 `json:"heart_beat_timeout"`
-	// UserConnTimeout specifies the maximum time to wait for a work
-	// connection. By default, this value is 10.
-	UserConnTimeout int64 `json:"user_conn_timeout"`
-	// HTTPPlugins specify the server plugins support HTTP protocol.
-	HTTPPlugins map[string]plugin.HTTPPluginOptions `json:"http_plugins"`
-}
-
-// GetDefaultServerConf returns a server configuration with reasonable
-// defaults.
-func GetDefaultServerConf() ServerCommonConf {
-	return ServerCommonConf{
-		BindAddr:               "0.0.0.0",
-		BindPort:               7000,
-		BindUdpPort:            0,
-		KcpBindPort:            0,
-		ProxyBindAddr:          "0.0.0.0",
-		VhostHttpPort:          0,
-		VhostHttpsPort:         0,
-		TcpMuxHttpConnectPort:  0,
-		VhostHttpTimeout:       60,
-		DashboardAddr:          "0.0.0.0",
-		DashboardPort:          0,
-		DashboardUser:          "admin",
-		DashboardPwd:           "admin",
-		EnablePrometheus:       false,
-		AssetsDir:              "",
-		LogFile:                "console",
-		LogWay:                 "console",
-		LogLevel:               "info",
-		LogMaxDays:             3,
-		DisableLogColor:        false,
-		DetailedErrorsToClient: true,
-		SubDomainHost:          "",
-		TcpMux:                 true,
-		AllowPorts:             make(map[int]struct{}),
-		MaxPoolCount:           5,
-		MaxPortsPerClient:      0,
-		TlsOnly:                false,
-		HeartBeatTimeout:       90,
-		UserConnTimeout:        10,
-		Custom404Page:          "",
-		HTTPPlugins:            make(map[string]plugin.HTTPPluginOptions),
-	}
-}
-
-// UnmarshalServerConfFromIni parses the contents of a server configuration ini
-// file and returns the resulting server configuration.
-func UnmarshalServerConfFromIni(content string) (cfg ServerCommonConf, err error) {
-	cfg = GetDefaultServerConf()
-
-	conf, err := ini.Load(strings.NewReader(content))
-	if err != nil {
-		err = fmt.Errorf("parse ini conf file error: %v", err)
-		return ServerCommonConf{}, err
-	}
-
-	UnmarshalPluginsFromIni(conf, &cfg)
-
-	cfg.AuthServerConfig = auth.UnmarshalAuthServerConfFromIni(conf)
-
-	var (
-		tmpStr string
-		ok     bool
-		v      int64
-	)
-	if tmpStr, ok = conf.Get("common", "bind_addr"); ok {
-		cfg.BindAddr = tmpStr
-	}
-
-	if tmpStr, ok = conf.Get("common", "bind_port"); ok {
-		if v, err = strconv.ParseInt(tmpStr, 10, 64); err != nil {
-			err = fmt.Errorf("Parse conf error: invalid bind_port")
-			return
-		} else {
-			cfg.BindPort = int(v)
-		}
-	}
-
-	if tmpStr, ok = conf.Get("common", "bind_udp_port"); ok {
-		if v, err = strconv.ParseInt(tmpStr, 10, 64); err != nil {
-			err = fmt.Errorf("Parse conf error: invalid bind_udp_port")
-			return
-		} else {
-			cfg.BindUdpPort = int(v)
-		}
-	}
-
-	if tmpStr, ok = conf.Get("common", "kcp_bind_port"); ok {
-		if v, err = strconv.ParseInt(tmpStr, 10, 64); err != nil {
-			err = fmt.Errorf("Parse conf error: invalid kcp_bind_port")
-			return
-		} else {
-			cfg.KcpBindPort = int(v)
-		}
-	}
-
-	if tmpStr, ok = conf.Get("common", "proxy_bind_addr"); ok {
-		cfg.ProxyBindAddr = tmpStr
-	} else {
-		cfg.ProxyBindAddr = cfg.BindAddr
-	}
-
-	if tmpStr, ok = conf.Get("common", "vhost_http_port"); ok {
-		if v, err = strconv.ParseInt(tmpStr, 10, 64); err != nil {
-			err = fmt.Errorf("Parse conf error: invalid vhost_http_port")
-			return
-		} else {
-			cfg.VhostHttpPort = int(v)
-		}
-	} else {
-		cfg.VhostHttpPort = 0
-	}
-
-	if tmpStr, ok = conf.Get("common", "vhost_https_port"); ok {
-		if v, err = strconv.ParseInt(tmpStr, 10, 64); err != nil {
-			err = fmt.Errorf("Parse conf error: invalid vhost_https_port")
-			return
-		} else {
-			cfg.VhostHttpsPort = int(v)
-		}
-	} else {
-		cfg.VhostHttpsPort = 0
-	}
-
-	if tmpStr, ok = conf.Get("common", "tcpmux_httpconnect_port"); ok {
-		if v, err = strconv.ParseInt(tmpStr, 10, 64); err != nil {
-			err = fmt.Errorf("Parse conf error: invalid tcpmux_httpconnect_port")
-			return
-		} else {
-			cfg.TcpMuxHttpConnectPort = int(v)
-		}
-	} else {
-		cfg.TcpMuxHttpConnectPort = 0
-	}
-
-	if tmpStr, ok = conf.Get("common", "vhost_http_timeout"); ok {
-		v, errRet := strconv.ParseInt(tmpStr, 10, 64)
-		if errRet != nil || v < 0 {
-			err = fmt.Errorf("Parse conf error: invalid vhost_http_timeout")
-			return
-		} else {
-			cfg.VhostHttpTimeout = v
-		}
-	}
-
-	if tmpStr, ok = conf.Get("common", "dashboard_addr"); ok {
-		cfg.DashboardAddr = tmpStr
-	} else {
-		cfg.DashboardAddr = cfg.BindAddr
-	}
-
-	if tmpStr, ok = conf.Get("common", "dashboard_port"); ok {
-		if v, err = strconv.ParseInt(tmpStr, 10, 64); err != nil {
-			err = fmt.Errorf("Parse conf error: invalid dashboard_port")
-			return
-		} else {
-			cfg.DashboardPort = int(v)
-		}
-	} else {
-		cfg.DashboardPort = 0
-	}
-
-	if tmpStr, ok = conf.Get("common", "dashboard_user"); ok {
-		cfg.DashboardUser = tmpStr
-	}
-
-	if tmpStr, ok = conf.Get("common", "dashboard_pwd"); ok {
-		cfg.DashboardPwd = tmpStr
-	}
-
-	if tmpStr, ok = conf.Get("common", "enable_prometheus"); ok && tmpStr == "true" {
-		cfg.EnablePrometheus = true
-	}
-
-	if tmpStr, ok = conf.Get("common", "assets_dir"); ok {
-		cfg.AssetsDir = tmpStr
-	}
-
-	if tmpStr, ok = conf.Get("common", "log_file"); ok {
-		cfg.LogFile = tmpStr
-		if cfg.LogFile == "console" {
-			cfg.LogWay = "console"
-		} else {
-			cfg.LogWay = "file"
-		}
-	}
-
-	if tmpStr, ok = conf.Get("common", "log_level"); ok {
-		cfg.LogLevel = tmpStr
-	}
-
-	if tmpStr, ok = conf.Get("common", "log_max_days"); ok {
-		v, err = strconv.ParseInt(tmpStr, 10, 64)
-		if err == nil {
-			cfg.LogMaxDays = v
-		}
-	}
-
-	if tmpStr, ok = conf.Get("common", "disable_log_color"); ok && tmpStr == "true" {
-		cfg.DisableLogColor = true
-	}
-
-	if tmpStr, ok = conf.Get("common", "detailed_errors_to_client"); ok && tmpStr == "false" {
-		cfg.DetailedErrorsToClient = false
-	} else {
-		cfg.DetailedErrorsToClient = true
-	}
-
-	if allowPortsStr, ok := conf.Get("common", "allow_ports"); ok {
-		// e.g. 1000-2000,2001,2002,3000-4000
-		ports, errRet := util.ParseRangeNumbers(allowPortsStr)
-		if errRet != nil {
-			err = fmt.Errorf("Parse conf error: allow_ports: %v", errRet)
-			return
-		}
-
-		for _, port := range ports {
-			cfg.AllowPorts[int(port)] = struct{}{}
-		}
-	}
-
-	if tmpStr, ok = conf.Get("common", "max_pool_count"); ok {
-		if v, err = strconv.ParseInt(tmpStr, 10, 64); err != nil {
-			err = fmt.Errorf("Parse conf error: invalid max_pool_count")
-			return
-		} else {
-			if v < 0 {
-				err = fmt.Errorf("Parse conf error: invalid max_pool_count")
-				return
-			}
-			cfg.MaxPoolCount = v
-		}
-	}
-
-	if tmpStr, ok = conf.Get("common", "max_ports_per_client"); ok {
-		if v, err = strconv.ParseInt(tmpStr, 10, 64); err != nil {
-			err = fmt.Errorf("Parse conf error: invalid max_ports_per_client")
-			return
-		} else {
-			if v < 0 {
-				err = fmt.Errorf("Parse conf error: invalid max_ports_per_client")
-				return
-			}
-			cfg.MaxPortsPerClient = v
-		}
-	}
-
-	if tmpStr, ok = conf.Get("common", "subdomain_host"); ok {
-		cfg.SubDomainHost = strings.ToLower(strings.TrimSpace(tmpStr))
-	}
-
-	if tmpStr, ok = conf.Get("common", "tcp_mux"); ok && tmpStr == "false" {
-		cfg.TcpMux = false
-	} else {
-		cfg.TcpMux = true
-	}
-
-	if tmpStr, ok = conf.Get("common", "custom_404_page"); ok {
-		cfg.Custom404Page = tmpStr
-	}
-
-	if tmpStr, ok = conf.Get("common", "heartbeat_timeout"); ok {
-		v, errRet := strconv.ParseInt(tmpStr, 10, 64)
-		if errRet != nil {
-			err = fmt.Errorf("Parse conf error: heartbeat_timeout is incorrect")
-			return
-		} else {
-			cfg.HeartBeatTimeout = v
-		}
-	}
-
-	if tmpStr, ok = conf.Get("common", "tls_only"); ok && tmpStr == "true" {
-		cfg.TlsOnly = true
-	} else {
-		cfg.TlsOnly = false
-	}
-	return
-}
-
-func UnmarshalPluginsFromIni(sections ini.File, cfg *ServerCommonConf) {
-	for name, section := range sections {
-		if strings.HasPrefix(name, "plugin.") {
-			name = strings.TrimSpace(strings.TrimPrefix(name, "plugin."))
-			options := plugin.HTTPPluginOptions{
-				Name: name,
-				Addr: section["addr"],
-				Path: section["path"],
-				Ops:  strings.Split(section["ops"], ","),
-			}
-			for i, _ := range options.Ops {
-				options.Ops[i] = strings.TrimSpace(options.Ops[i])
-			}
-			cfg.HTTPPlugins[name] = options
-		}
-	}
-}
-
-func (cfg *ServerCommonConf) Check() (err error) {
-	return
-}
--- a/models/config/value.go
+++ b/models/config/value.go
@@ -1,64 +0,0 @@
-package config
-
-import (
-	"bytes"
-	"io/ioutil"
-	"os"
-	"strings"
-	"text/template"
-)
-
-var (
-	glbEnvs map[string]string
-)
-
-func init() {
-	glbEnvs = make(map[string]string)
-	envs := os.Environ()
-	for _, env := range envs {
-		kv := strings.Split(env, "=")
-		if len(kv) != 2 {
-			continue
-		}
-		glbEnvs[kv[0]] = kv[1]
-	}
-}
-
-type Values struct {
-	Envs map[string]string // environment vars
-}
-
-func GetValues() *Values {
-	return &Values{
-		Envs: glbEnvs,
-	}
-}
-
-func RenderContent(in string) (out string, err error) {
-	tmpl, errRet := template.New("frp").Parse(in)
-	if errRet != nil {
-		err = errRet
-		return
-	}
-
-	buffer := bytes.NewBufferString("")
-	v := GetValues()
-	err = tmpl.Execute(buffer, v)
-	if err != nil {
-		return
-	}
-	out = buffer.String()
-	return
-}
-
-func GetRenderedConfFromFile(path string) (out string, err error) {
-	var b []byte
-	b, err = ioutil.ReadFile(path)
-	if err != nil {
-		return
-	}
-	content := string(b)
-
-	out, err = RenderContent(content)
-	return
-}
--- a/models/config/visitor.go
+++ b/models/config/visitor.go
@@ -1,213 +0,0 @@
-// Copyright 2018 fatedier, fatedier@gmail.com
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package config
-
-import (
-	"fmt"
-	"reflect"
-	"strconv"
-
-	"github.com/fatedier/frp/models/consts"
-
-	ini "github.com/vaughan0/go-ini"
-)
-
-var (
-	visitorConfTypeMap map[string]reflect.Type
-)
-
-func init() {
-	visitorConfTypeMap = make(map[string]reflect.Type)
-	visitorConfTypeMap[consts.StcpProxy] = reflect.TypeOf(StcpVisitorConf{})
-	visitorConfTypeMap[consts.XtcpProxy] = reflect.TypeOf(XtcpVisitorConf{})
-}
-
-type VisitorConf interface {
-	GetBaseInfo() *BaseVisitorConf
-	Compare(cmp VisitorConf) bool
-	UnmarshalFromIni(prefix string, name string, section ini.Section) error
-	Check() error
-}
-
-func NewVisitorConfByType(cfgType string) VisitorConf {
-	v, ok := visitorConfTypeMap[cfgType]
-	if !ok {
-		return nil
-	}
-	cfg := reflect.New(v).Interface().(VisitorConf)
-	return cfg
-}
-
-func NewVisitorConfFromIni(prefix string, name string, section ini.Section) (cfg VisitorConf, err error) {
-	cfgType := section["type"]
-	if cfgType == "" {
-		err = fmt.Errorf("visitor [%s] type shouldn't be empty", name)
-		return
-	}
-	cfg = NewVisitorConfByType(cfgType)
-	if cfg == nil {
-		err = fmt.Errorf("visitor [%s] type [%s] error", name, cfgType)
-		return
-	}
-	if err = cfg.UnmarshalFromIni(prefix, name, section); err != nil {
-		return
-	}
-	if err = cfg.Check(); err != nil {
-		return
-	}
-	return
-}
-
-type BaseVisitorConf struct {
-	ProxyName      string `json:"proxy_name"`
-	ProxyType      string `json:"proxy_type"`
-	UseEncryption  bool   `json:"use_encryption"`
-	UseCompression bool   `json:"use_compression"`
-	Role           string `json:"role"`
-	Sk             string `json:"sk"`
-	ServerName     string `json:"server_name"`
-	BindAddr       string `json:"bind_addr"`
-	BindPort       int    `json:"bind_port"`
-}
-
-func (cfg *BaseVisitorConf) GetBaseInfo() *BaseVisitorConf {
-	return cfg
-}
-
-func (cfg *BaseVisitorConf) compare(cmp *BaseVisitorConf) bool {
-	if cfg.ProxyName != cmp.ProxyName ||
-		cfg.ProxyType != cmp.ProxyType ||
-		cfg.UseEncryption != cmp.UseEncryption ||
-		cfg.UseCompression != cmp.UseCompression ||
-		cfg.Role != cmp.Role ||
-		cfg.Sk != cmp.Sk ||
-		cfg.ServerName != cmp.ServerName ||
-		cfg.BindAddr != cmp.BindAddr ||
-		cfg.BindPort != cmp.BindPort {
-		return false
-	}
-	return true
-}
-
-func (cfg *BaseVisitorConf) check() (err error) {
-	if cfg.Role != "visitor" {
-		err = fmt.Errorf("invalid role")
-		return
-	}
-	if cfg.BindAddr == "" {
-		err = fmt.Errorf("bind_addr shouldn't be empty")
-		return
-	}
-	if cfg.BindPort <= 0 {
-		err = fmt.Errorf("bind_port is required")
-		return
-	}
-	return
-}
-
-func (cfg *BaseVisitorConf) UnmarshalFromIni(prefix string, name string, section ini.Section) (err error) {
-	var (
-		tmpStr string
-		ok     bool
-	)
-	cfg.ProxyName = prefix + name
-	cfg.ProxyType = section["type"]
-
-	if tmpStr, ok = section["use_encryption"]; ok && tmpStr == "true" {
-		cfg.UseEncryption = true
-	}
-	if tmpStr, ok = section["use_compression"]; ok && tmpStr == "true" {
-		cfg.UseCompression = true
-	}
-
-	cfg.Role = section["role"]
-	if cfg.Role != "visitor" {
-		return fmt.Errorf("Parse conf error: proxy [%s] incorrect role [%s]", name, cfg.Role)
-	}
-	cfg.Sk = section["sk"]
-	cfg.ServerName = prefix + section["server_name"]
-	if cfg.BindAddr = section["bind_addr"]; cfg.BindAddr == "" {
-		cfg.BindAddr = "127.0.0.1"
-	}
-
-	if tmpStr, ok = section["bind_port"]; ok {
-		if cfg.BindPort, err = strconv.Atoi(tmpStr); err != nil {
-			return fmt.Errorf("Parse conf error: proxy [%s] bind_port incorrect", name)
-		}
-	} else {
-		return fmt.Errorf("Parse conf error: proxy [%s] bind_port not found", name)
-	}
-	return nil
-}
-
-type StcpVisitorConf struct {
-	BaseVisitorConf
-}
-
-func (cfg *StcpVisitorConf) Compare(cmp VisitorConf) bool {
-	cmpConf, ok := cmp.(*StcpVisitorConf)
-	if !ok {
-		return false
-	}
-
-	if !cfg.BaseVisitorConf.compare(&cmpConf.BaseVisitorConf) {
-		return false
-	}
-	return true
-}
-
-func (cfg *StcpVisitorConf) UnmarshalFromIni(prefix string, name string, section ini.Section) (err error) {
-	if err = cfg.BaseVisitorConf.UnmarshalFromIni(prefix, name, section); err != nil {
-		return
-	}
-	return
-}
-
-func (cfg *StcpVisitorConf) Check() (err error) {
-	if err = cfg.BaseVisitorConf.check(); err != nil {
-		return
-	}
-	return
-}
-
-type XtcpVisitorConf struct {
-	BaseVisitorConf
-}
-
-func (cfg *XtcpVisitorConf) Compare(cmp VisitorConf) bool {
-	cmpConf, ok := cmp.(*XtcpVisitorConf)
-	if !ok {
-		return false
-	}
-
-	if !cfg.BaseVisitorConf.compare(&cmpConf.BaseVisitorConf) {
-		return false
-	}
-	return true
-}
-
-func (cfg *XtcpVisitorConf) UnmarshalFromIni(prefix string, name string, section ini.Section) (err error) {
-	if err = cfg.BaseVisitorConf.UnmarshalFromIni(prefix, name, section); err != nil {
-		return
-	}
-	return
-}
-
-func (cfg *XtcpVisitorConf) Check() (err error) {
-	if err = cfg.BaseVisitorConf.check(); err != nil {
-		return
-	}
-	return
-}
--- a/models/metrics/metrics.go
+++ b/models/metrics/metrics.go
@@ -1,8 +0,0 @@
-package metrics
-
-import (
-	"github.com/fatedier/frp/models/metrics/aggregate"
-)
-
-var EnableMem = aggregate.EnableMem
-var EnablePrometheus = aggregate.EnablePrometheus
--- a/models/msg/msg.go
+++ b/models/msg/msg.go
@@ -1,194 +0,0 @@
-// Copyright 2016 fatedier, fatedier@gmail.com
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package msg
-
-import "net"
-
-const (
-	TypeLogin                 = 'o'
-	TypeLoginResp             = '1'
-	TypeNewProxy              = 'p'
-	TypeNewProxyResp          = '2'
-	TypeCloseProxy            = 'c'
-	TypeNewWorkConn           = 'w'
-	TypeReqWorkConn           = 'r'
-	TypeStartWorkConn         = 's'
-	TypeNewVisitorConn        = 'v'
-	TypeNewVisitorConnResp    = '3'
-	TypePing                  = 'h'
-	TypePong                  = '4'
-	TypeUdpPacket             = 'u'
-	TypeNatHoleVisitor        = 'i'
-	TypeNatHoleClient         = 'n'
-	TypeNatHoleResp           = 'm'
-	TypeNatHoleClientDetectOK = 'd'
-	TypeNatHoleSid            = '5'
-)
-
-var (
-	msgTypeMap = map[byte]interface{}{
-		TypeLogin:                 Login{},
-		TypeLoginResp:             LoginResp{},
-		TypeNewProxy:              NewProxy{},
-		TypeNewProxyResp:          NewProxyResp{},
-		TypeCloseProxy:            CloseProxy{},
-		TypeNewWorkConn:           NewWorkConn{},
-		TypeReqWorkConn:           ReqWorkConn{},
-		TypeStartWorkConn:         StartWorkConn{},
-		TypeNewVisitorConn:        NewVisitorConn{},
-		TypeNewVisitorConnResp:    NewVisitorConnResp{},
-		TypePing:                  Ping{},
-		TypePong:                  Pong{},
-		TypeUdpPacket:             UdpPacket{},
-		TypeNatHoleVisitor:        NatHoleVisitor{},
-		TypeNatHoleClient:         NatHoleClient{},
-		TypeNatHoleResp:           NatHoleResp{},
-		TypeNatHoleClientDetectOK: NatHoleClientDetectOK{},
-		TypeNatHoleSid:            NatHoleSid{},
-	}
-)
-
-// When frpc start, client send this message to login to server.
-type Login struct {
-	Version      string            `json:"version"`
-	Hostname     string            `json:"hostname"`
-	Os           string            `json:"os"`
-	Arch         string            `json:"arch"`
-	User         string            `json:"user"`
-	PrivilegeKey string            `json:"privilege_key"`
-	Timestamp    int64             `json:"timestamp"`
-	RunId        string            `json:"run_id"`
-	Metas        map[string]string `json:"metas"`
-
-	// Some global configures.
-	PoolCount int `json:"pool_count"`
-}
-
-type LoginResp struct {
-	Version       string `json:"version"`
-	RunId         string `json:"run_id"`
-	ServerUdpPort int    `json:"server_udp_port"`
-	Error         string `json:"error"`
-}
-
-// When frpc login success, send this message to frps for running a new proxy.
-type NewProxy struct {
-	ProxyName      string            `json:"proxy_name"`
-	ProxyType      string            `json:"proxy_type"`
-	UseEncryption  bool              `json:"use_encryption"`
-	UseCompression bool              `json:"use_compression"`
-	Group          string            `json:"group"`
-	GroupKey       string            `json:"group_key"`
-	Metas          map[string]string `json:"metas"`
-
-	// tcp and udp only
-	RemotePort int `json:"remote_port"`
-
-	// http and https only
-	CustomDomains     []string          `json:"custom_domains"`
-	SubDomain         string            `json:"subdomain"`
-	Locations         []string          `json:"locations"`
-	HttpUser          string            `json:"http_user"`
-	HttpPwd           string            `json:"http_pwd"`
-	HostHeaderRewrite string            `json:"host_header_rewrite"`
-	Headers           map[string]string `json:"headers"`
-
-	// stcp
-	Sk string `json:"sk"`
-
-	// tcpmux
-	Multiplexer string `json:"multiplexer"`
-}
-
-type NewProxyResp struct {
-	ProxyName  string `json:"proxy_name"`
-	RemoteAddr string `json:"remote_addr"`
-	Error      string `json:"error"`
-}
-
-type CloseProxy struct {
-	ProxyName string `json:"proxy_name"`
-}
-
-type NewWorkConn struct {
-	RunId        string `json:"run_id"`
-	PrivilegeKey string `json:"privilege_key"`
-	Timestamp    int64  `json:"timestamp"`
-}
-
-type ReqWorkConn struct {
-}
-
-type StartWorkConn struct {
-	ProxyName string `json:"proxy_name"`
-	SrcAddr   string `json:"src_addr"`
-	DstAddr   string `json:"dst_addr"`
-	SrcPort   uint16 `json:"src_port"`
-	DstPort   uint16 `json:"dst_port"`
-	Error     string `json:"error"`
-}
-
-type NewVisitorConn struct {
-	ProxyName      string `json:"proxy_name"`
-	SignKey        string `json:"sign_key"`
-	Timestamp      int64  `json:"timestamp"`
-	UseEncryption  bool   `json:"use_encryption"`
-	UseCompression bool   `json:"use_compression"`
-}
-
-type NewVisitorConnResp struct {
-	ProxyName string `json:"proxy_name"`
-	Error     string `json:"error"`
-}
-
-type Ping struct {
-	PrivilegeKey string `json:"privilege_key"`
-	Timestamp    int64  `json:"timestamp"`
-}
-
-type Pong struct {
-	Error string `json:"error"`
-}
-
-type UdpPacket struct {
-	Content    string       `json:"c"`
-	LocalAddr  *net.UDPAddr `json:"l"`
-	RemoteAddr *net.UDPAddr `json:"r"`
-}
-
-type NatHoleVisitor struct {
-	ProxyName string `json:"proxy_name"`
-	SignKey   string `json:"sign_key"`
-	Timestamp int64  `json:"timestamp"`
-}
-
-type NatHoleClient struct {
-	ProxyName string `json:"proxy_name"`
-	Sid       string `json:"sid"`
-}
-
-type NatHoleResp struct {
-	Sid         string `json:"sid"`
-	VisitorAddr string `json:"visitor_addr"`
-	ClientAddr  string `json:"client_addr"`
-	Error       string `json:"error"`
-}
-
-type NatHoleClientDetectOK struct {
-}
-
-type NatHoleSid struct {
-	Sid string `json:"sid"`
-}
--- a/models/nathole/nathole.go
+++ b/models/nathole/nathole.go
@@ -1,212 +0,0 @@
-package nathole
-
-import (
-	"bytes"
-	"fmt"
-	"net"
-	"sync"
-	"time"
-
-	"github.com/fatedier/frp/models/msg"
-	"github.com/fatedier/frp/utils/log"
-	"github.com/fatedier/frp/utils/util"
-
-	"github.com/fatedier/golib/errors"
-	"github.com/fatedier/golib/pool"
-)
-
-// Timeout seconds.
-var NatHoleTimeout int64 = 10
-
-type SidRequest struct {
-	Sid      string
-	NotifyCh chan struct{}
-}
-
-type NatHoleController struct {
-	listener *net.UDPConn
-
-	clientCfgs map[string]*NatHoleClientCfg
-	sessions   map[string]*NatHoleSession
-
-	mu sync.RWMutex
-}
-
-func NewNatHoleController(udpBindAddr string) (nc *NatHoleController, err error) {
-	addr, err := net.ResolveUDPAddr("udp", udpBindAddr)
-	if err != nil {
-		return nil, err
-	}
-	lconn, err := net.ListenUDP("udp", addr)
-	if err != nil {
-		return nil, err
-	}
-	nc = &NatHoleController{
-		listener:   lconn,
-		clientCfgs: make(map[string]*NatHoleClientCfg),
-		sessions:   make(map[string]*NatHoleSession),
-	}
-	return nc, nil
-}
-
-func (nc *NatHoleController) ListenClient(name string, sk string) (sidCh chan *SidRequest) {
-	clientCfg := &NatHoleClientCfg{
-		Name:  name,
-		Sk:    sk,
-		SidCh: make(chan *SidRequest),
-	}
-	nc.mu.Lock()
-	nc.clientCfgs[name] = clientCfg
-	nc.mu.Unlock()
-	return clientCfg.SidCh
-}
-
-func (nc *NatHoleController) CloseClient(name string) {
-	nc.mu.Lock()
-	defer nc.mu.Unlock()
-	delete(nc.clientCfgs, name)
-}
-
-func (nc *NatHoleController) Run() {
-	for {
-		buf := pool.GetBuf(1024)
-		n, raddr, err := nc.listener.ReadFromUDP(buf)
-		if err != nil {
-			log.Trace("nat hole listener read from udp error: %v", err)
-			return
-		}
-
-		rd := bytes.NewReader(buf[:n])
-		rawMsg, err := msg.ReadMsg(rd)
-		if err != nil {
-			log.Trace("read nat hole message error: %v", err)
-			continue
-		}
-
-		switch m := rawMsg.(type) {
-		case *msg.NatHoleVisitor:
-			go nc.HandleVisitor(m, raddr)
-		case *msg.NatHoleClient:
-			go nc.HandleClient(m, raddr)
-		default:
-			log.Trace("error nat hole message type")
-			continue
-		}
-		pool.PutBuf(buf)
-	}
-}
-
-func (nc *NatHoleController) GenSid() string {
-	t := time.Now().Unix()
-	id, _ := util.RandId()
-	return fmt.Sprintf("%d%s", t, id)
-}
-
-func (nc *NatHoleController) HandleVisitor(m *msg.NatHoleVisitor, raddr *net.UDPAddr) {
-	sid := nc.GenSid()
-	session := &NatHoleSession{
-		Sid:         sid,
-		VisitorAddr: raddr,
-		NotifyCh:    make(chan struct{}, 0),
-	}
-	nc.mu.Lock()
-	clientCfg, ok := nc.clientCfgs[m.ProxyName]
-	if !ok {
-		nc.mu.Unlock()
-		errInfo := fmt.Sprintf("xtcp server for [%s] doesn't exist", m.ProxyName)
-		log.Debug(errInfo)
-		nc.listener.WriteToUDP(nc.GenNatHoleResponse(nil, errInfo), raddr)
-		return
-	}
-	if m.SignKey != util.GetAuthKey(clientCfg.Sk, m.Timestamp) {
-		nc.mu.Unlock()
-		errInfo := fmt.Sprintf("xtcp connection of [%s] auth failed", m.ProxyName)
-		log.Debug(errInfo)
-		nc.listener.WriteToUDP(nc.GenNatHoleResponse(nil, errInfo), raddr)
-		return
-	}
-
-	nc.sessions[sid] = session
-	nc.mu.Unlock()
-	log.Trace("handle visitor message, sid [%s]", sid)
-
-	defer func() {
-		nc.mu.Lock()
-		delete(nc.sessions, sid)
-		nc.mu.Unlock()
-	}()
-
-	err := errors.PanicToError(func() {
-		clientCfg.SidCh <- &SidRequest{
-			Sid:      sid,
-			NotifyCh: session.NotifyCh,
-		}
-	})
-	if err != nil {
-		return
-	}
-
-	// Wait client connections.
-	select {
-	case <-session.NotifyCh:
-		resp := nc.GenNatHoleResponse(session, "")
-		log.Trace("send nat hole response to visitor")
-		nc.listener.WriteToUDP(resp, raddr)
-	case <-time.After(time.Duration(NatHoleTimeout) * time.Second):
-		return
-	}
-}
-
-func (nc *NatHoleController) HandleClient(m *msg.NatHoleClient, raddr *net.UDPAddr) {
-	nc.mu.RLock()
-	session, ok := nc.sessions[m.Sid]
-	nc.mu.RUnlock()
-	if !ok {
-		return
-	}
-	log.Trace("handle client message, sid [%s]", session.Sid)
-	session.ClientAddr = raddr
-
-	resp := nc.GenNatHoleResponse(session, "")
-	log.Trace("send nat hole response to client")
-	nc.listener.WriteToUDP(resp, raddr)
-}
-
-func (nc *NatHoleController) GenNatHoleResponse(session *NatHoleSession, errInfo string) []byte {
-	var (
-		sid         string
-		visitorAddr string
-		clientAddr  string
-	)
-	if session != nil {
-		sid = session.Sid
-		visitorAddr = session.VisitorAddr.String()
-		clientAddr = session.ClientAddr.String()
-	}
-	m := &msg.NatHoleResp{
-		Sid:         sid,
-		VisitorAddr: visitorAddr,
-		ClientAddr:  clientAddr,
-		Error:       errInfo,
-	}
-	b := bytes.NewBuffer(nil)
-	err := msg.WriteMsg(b, m)
-	if err != nil {
-		return []byte("")
-	}
-	return b.Bytes()
-}
-
-type NatHoleSession struct {
-	Sid         string
-	VisitorAddr *net.UDPAddr
-	ClientAddr  *net.UDPAddr
-
-	NotifyCh chan struct{}
-}
-
-type NatHoleClientCfg struct {
-	Name  string
-	Sk    string
-	SidCh chan *SidRequest
-}
--- a/Show More
+++ b/Show More
				`@@ -1 +0,0 @@`
				!function(e){function n(r){if(t[r])return t[r].exports;var o=t[r]={i:r,l:!1,exports:{}};return e[r].call(o.exports,o,o.exports,n),o.l=!0,o.exports}var r=window.webpackJsonp;window.webpackJsonp=function(t,c,u){for(var i,a,f,l=0,s=[];l<t.length;l++)a=t[l],o[a]&&s.push(o[a][0]),o[a]=0;for(i in c)Object.prototype.hasOwnProperty.call(c,i)&&(e[i]=c[i]);for(r&&r(t,c,u);s.length;)s.shift()();if(u)for(l=0;l<u.length;l++)f=n(n.s=u[l]);return f};var t={},o={1:0};n.e=function(e){function r(){i.onerror=i.onload=null,clearTimeout(a);var n=o[e];0!==n&&(n&&n[1](new Error("Loading chunk "+e+" failed.")),o[e]=void 0)}var t=o[e];if(0===t)return new Promise(function(e){e()});if(t)return t[2];var c=new Promise(function(n,r){t=o[e]=[n,r]});t[2]=c;var u=document.getElementsByTagName("head")[0],i=document.createElement("script");i.type="text/javascript",i.charset="utf-8",i.async=!0,i.timeout=12e4,n.nc&&i.setAttribute("nonce",n.nc),i.src=n.p+""+e+".js?"+{0:"edb271e1d9c81f857840"}[e];var a=setTimeout(r,12e4);return i.onerror=i.onload=r,u.appendChild(i),c},n.m=e,n.c=t,n.i=function(e){return e},n.d=function(e,r,t){n.o(e,r)\|\|Object.defineProperty(e,r,{configurable:!1,enumerable:!0,get:t})},n.n=function(e){var r=e&&e.__esModule?function(){return e.default}:function(){return e};return n.d(r,"a",r),r},n.o=function(e,n){return Object.prototype.hasOwnProperty.call(e,n)},n.p="",n.oe=function(e){throw console.error(e),e}}([]);