Sing-box: setup and connection — complete guide 2026
Sing-box: setup and connection — complete guide 2026 If you are holding a config or a subscription link and don't know what to do with them — you are in the right place. Sing-box: setup and connection takes from five to fifteen minutes depending on the platform, and below I will break down each step
Sing-box: setup and connection — complete guide 2026
If you are holding a config or a subscription link and don't know what to do with them — you are in the right place. Sing-box: setup and connection takes from five to fifteen minutes depending on the platform, and below I will break down each step without fluff. The application can do what most other clients cannot: a full TUN mode, flexible routing, and support for VLESS+Reality — a protocol that in 2026 passes through the DPI of Roskomnadzor more stably than others.
What is Sing-box and why is it needed
Sing-box is not a VPN service. It is a core and at the same time a client that needs an external server: your own VPS or a subscription from a provider. The application itself is free and open-source (MIT), the repository on GitHub is github.com/SagerNet/sing-box. Without a config, it simply won't start.
Sing-box as a universal client
Out of the box, it supports VLESS, VMess, Reality, Shadowsocks, Trojan, Hysteria2, TUIC, and WireGuard. This is not a marketing list — each protocol actually works in one configuration. You can set up multiple servers with automatic switching based on latency.
How it differs from v2rayNG, Nekobox, and Hiddify
v2rayNG uses an old xray core and does not natively support some new protocols like Hysteria2. Nekobox is a good alternative for Android, the interface is a bit more familiar. Hiddify is the simplest entry point for beginners, with fewer settings. Sing-box is the most flexible, but requires a bit more understanding of what goes where.
When Sing-box better bypasses DPI and throttling
Providers in Russia use TSPU (technical means of countering threats) — equipment on highways that inspects packets and cuts or throttles protocols. Sing-box in TUN mode captures all traffic at the network interface level, preventing the system from "leaking" past the tunnel. This is especially important for YouTube: Chrome and apps often bypass the system proxy.
Where to get a config or subscription for Sing-box
The config is either provided by the VPN provider or you set up a server on a VPS yourself. Public configs from Telegram channels work today or tomorrow, then the server goes down or gets blocked. Use them only for testing the application, not for permanent use.
Format of subscription link and JSON config
Subscription URL is a regular https link that hides the current list of servers. The application downloads and updates the config on a schedule. JSON config is a complete settings file that you edit manually. For most users, a subscription is more convenient: if the server moves, the link updates automatically.
NvoVPN, for example, provides a ready-made subscription in a format compatible with Sing-box — just copy one link into the profile. Outline services and most commercial VLESS providers work similarly.
Import from vless://, ss://, trojan://, and QR code
Links of the formvless://uuid@host:port?... can be inserted directly into the import field. The QR code works through the camera directly in the application. If the server provided a JSON file — it needs to be either hosted at some URL or added via "Import from file" on Android/Desktop.
Checking the config before connecting
Before turning on the tunnel, check the date and time on the device — they must match the real ones. Reality and TLS-based protocols drop the connection if the discrepancy is more than 90 seconds. This is one of the most common reasons for "handshake failed" among new users.
Setting up Sing-box on Android
Download the APK from GitHub Releases or from Google Play (the app is called sing-box, publisher SagerNet). At the time of writing, the current version is 1.10.x. F-Droid is also available, but updates with a delay.
Installing the sing-box application for Android
After installation, open the application. You will see three tabs at the bottom: Dashboard, Profiles, Logs. Profiles are your starting point. Click "+" in the upper right corner.
Importing a profile via link and clipboard
Select "New Profile" → "Remote" if you have a subscription URL. Paste the link, set a name, choose the update interval (I set it to 24 hours). Click Save — the application will download the config. If you have a single vless:// link — use "Import from clipboard" or scan the QR code using the camera icon on the same page.
Enabling TUN mode and selecting the outgoing profile
Go to the Dashboard. Select the desired profile from the list, then click the large start button. Android will ask for permission to create a VPN connection — this is mandatory, without it the tunnel will not start. If there are multiple servers in the config, swipe down on the Dashboard to see the list — there you can also switch between nodes.
TUN mode in Sing-box is enabled at the config level (section"tun"). If the subscription is from a provider, this is already set up. If the config is custom-made — check that there is a tun block with"auto_route": true.
Check: open YouTube, Instagram, Telegram
After connecting, go to youtube.com or open the YouTube app. If the video loads without delays — everything works. The test for Instagram and Telegram is similar. If pages do not open while showing "Connected" status — read the section about common errors below.
Setting up Sing-box on iPhone/iOS
Here immediately about the main problem: the sing-box application has been unavailable in the Russian App Store since 2022. You need to either change your Apple ID region to another country (Kazakhstan, USA, UK) or use an alternative client — Shadowrocket (paid, $2.99), Streisand, or Hiddify.
Installation from the App Store (region and availability)
To change the region: Settings → [your name] → Media & Purchases → View Account → Country/Region. The Kazakhstan region opens without problems with a Russian Mir card through an intermediary or without a card (some applications are free). After changing the region, search for "sing-box" in the App Store.
Important: changing the region affects all purchases and subscriptions in the App Store. If you have active purchases — change the region after they are completed.
Importing subscription and profile on iOS
After installation, the mechanics are similar to Android: Profiles → "+" → paste subscription URL or vless:// link. On iOS, importing via QR code using the app's camera also works. The config downloads and appears in the profile list.
Differences in iOS: on-demand, background mode restrictions
iOS aggressively kills background processes. If you turn off the screen and find that the VPN has disconnected after 10 minutes — this is not a bug of Sing-box, it's iOS. Enable "On Demand" in the profile settings: then the system will reconnect itself when accessing the network. Another point: there is no TUN mode on iOS in the sense that there is on Android. It works through the built-in VPN API, which slightly limits routing flexibility.
VPN profile permission in iPhone settings
Upon first launch, iOS will ask to add a VPN configuration. Click "Allow," enter the unlock code. The profile will appear in Settings → General → VPN & Device Management. If a corporate or MDM profile prohibits adding VPN — nothing will work without removing MDM. This is a known limitation of work iPhones.
Setting up Sing-box on Windows and Mac
On desktop, there are two paths: GUI wrappers (Hiddify Desktop can run the sing-box core, there is a GUI client NekoRay/NekoBox for PC) or a clean launchsing-box.exe run -c config.jsonin the terminal. For most tasks, GUI is more convenient.
Installing the desktop client (GUI and sing-box core)
Download the binary from github.com/SagerNet/sing-box/releases — take the version for your architecture (windows-amd64, darwin-amd64, or darwin-arm64 for Apple Silicon). Hiddify Desktop (hiddify.com) uses the sing-box core under the hood and provides a normal interface — a good option for Windows.
Importing config.json and launching via TUN
If you have a config file — place it next to the binary and runsing-box run -c config.json. TUN mode on Windows and Mac requires administrator rights: on Windows, run CMD as administrator, on Mac via sudo. Without this, the TUN interface will not be created and all traffic will not go through the tunnel.
The difference between system proxy and TUN: system proxy intercepts HTTP/HTTPS traffic from the browser but ignores applications that connect directly (games, Telegram desktop, Windows updates). TUN captures everything. For stable circumvention of blocks — TUN.
Autostart and system proxy vs TUN
On Windows, you can add a startup via Task Scheduler with the trigger "at logon." On Mac — via launchd (plist in ~/Library/LaunchAgents). If you want a simple solution — Hiddify Desktop can autostart through the app settings, no need to touch system tools.
Bypassing blocks and DPI: how to check and improve
Let's talk honestly about how it works — without magic and exaggerations.
Why VLESS+Reality bypasses the provider's DPI
The DPI looks at protocol signatures: characteristic patterns of the TLS handshake, headers, connection behavior. Reality mimics legitimate TLS traffic to a real site (for example, to microsoft.com or some CDN) — the equipment sees regular HTTPS and lets it through. This is a fundamentally different approach than obfuscation in Shadowsocks, which gets cut more often.
What to do if YouTube slows down even with VPN
If YouTube is lagging with Sing-box turned on — the first thing to check: is the video going through the tunnel at all. In the routing rules of the config, YouTube should be in the tunnel. If there are no rules or they are written incorrectly, the traffic goes directly and falls under the provider's throttling. The second — an overloaded server. Switch to another node and check the ping.
Testing real speed and connection stability
The methodology is simple: open speedtest.net before turning on the tunnel, record the speed. Turn on Sing-box, run speedtest again. The difference should not be catastrophic — a good server gives 70-80% of the base speed. Then open youtube.com and try to switch the quality to 1080p60 — if there is no buffering for 30 seconds in a row, the connection is stable. No "we promise 500 Mbps" — a real test on your specific hardware and provider.
Routing rules: what to send through the tunnel and what to bypass
A typical mistake is to send all traffic through the tunnel, including Russian sites. This slows down VKontakte, State Services, Ozon, and banking applications. A well-structured config has routing rules: Russian IP ranges (CIDR lists, which can be taken from the antifilter.download repository) go directly, the rest — through the tunnel. Many ready-made subscriptions already include such rules.
Common mistakes and what to do if it won't connect
Here are specific symptoms and their causes — without "try reinstalling."
Timeout / handshake failed error
First: check the time on the device. Reality completes the TLS handshake only if the client and server times differ by less than 90 seconds. Enable automatic time synchronization in the OS settings. Second: the provider may have blocked a specific server IP or port. Try another server from the subscription, or ask the provider (VPN provider) to change the port.
Double NAT and CGNAT with mobile operators (especially with virtual operators) sometimes breaks Hysteria2 and QUIC-based protocols — they work over UDP, which CGNAT cuts. In this case, switch to TCP-based VLESS.
Connection exists, but websites do not open
The status "Connected" only means that the tunnel is up. But if the application is running in system proxy mode, not TUN — UDP traffic and applications without proxy support go bypass. Enable TUN mode. Also, check DNS: if the config specifies a DNS that does not resolve — pages will not open even with a working tunnel.
The config is outdated or the subscription is not updating
The Subscription URL may have changed on the provider's side, or the server is downloading the config with an expired SSL certificate. Open the link in a browser — if it returns JSON, everything is fine; if 404 or an error — ask the provider for a new link. In Sing-box on Android, force update the subscription: Profiles → long press on the profile → Update.
DNS leaks and how to close them
A DNS leak means that website name requests go through the DNS provider instead of through the tunnel. The provider sees that you are requesting youtube.com — even if the traffic is going through a VPN. Check: dnsleaktest.com with the tunnel enabled. If you see the DNS provider — you need to add a dns section in the Sing-box config with the server 1.1.1.1 or 8.8.8.8 inside the tunnel and specify"strategy": "ipv4_only" if IPv6 is not needed. Most ready-made subscriptions already configure this.
Is Sing-box free?
The application itself and the core are free, MIT license, the source code is open. But you need a server — either your own VPS (from $3-5 per month at Hetzner or DigitalOcean), or a subscription with a VPN provider. Free public configs from Telegram are unstable, last for a day or two, and you don't know who sees your traffic on the other end.
How is Sing-box better than v2rayNG or Hiddify?
Sing-box is a modern core with support for Hysteria2, TUIC, Reality, and flexible routing in one config. v2rayNG is based on xray and lags behind in new protocols. Hiddify is the simplest for beginners, there’s less to break. If you need flexibility and are willing to spend 20 minutes understanding the config — Sing-box. If simplicity is important — Hiddify is just as good.
Which protocol to choose for bypassing blocks in 2026?
VLESS+Reality is currently the most stable — it mimics regular TLS, and TSPU does not detect it properly. Shadowsocks is easier to configure but is often cut off by Russian providers — especially with simple ciphers. WireGuard is fast and has low latency, but its UDP traffic is visible and is already slowing down with some providers. Hysteria2 is good for unstable connections but requires UDP and works poorly through CGNAT.
Why is YouTube still lagging with Sing-box enabled?
Three main reasons. First: routing rules direct YouTube directly, bypassing the tunnel — then TSPU slows it down as usual. Second: the server is overloaded or geographically far away — switch to another node. Third: the application operates in system proxy mode, and the YouTube app on Android ignores the system proxy — enable TUN mode.
Is it legal to use Sing-box in Russia?
The use of encryption tools and access to your own accounts in services is not prohibited by Russian legislation. Legislation in this area is changing, so keep an eye on current norms. The application should be used for work tasks, education, access to your own data — these are legal scenarios.
Does Sing-box work on routers, Smart TVs, and Apple TVs?
On the router — yes, if the firmware supports running Linux binaries (OpenWrt, Keenetic with OPKG). The Sing-box core runs as a service and all home traffic goes through the tunnel. On Android TV — there is an APK, installed like on a phone. On Apple TV, it's more complicated: tvOS is limited like iOS, but nothing can be installed without the App Store. A workaround is to set up the tunnel on the router, and all devices on the network will automatically bypass blocks. For Tizen (Samsung) and webOS (LG), Sing-box cannot be installed — only through the router.
Related articles
You might also like
OpenConnect: setup and connection in 2026
OpenConnect: настройка и подключение в 2026 If you have a config from an ocserv server in your hands...
Read moreTUIC: setting up and connecting VPN in 2026
TUIC: setting up and connecting VPN in 2026 If you have already tried VLESS and Shadowsocks, but the...
Read moreCloak obfuscation: setup and connection in 2026
Cloak obfuscation: setup and connection in 2026 If the provider cuts WireGuard or OpenVPN by DPI — a...
Read more