diff --git a/release/config/config.json b/release/config/config.json
index c518d18bd9..71f2d8bf14 100644
--- a/release/config/config.json
+++ b/release/config/config.json
@@ -1,7 +1,4 @@
 {
- "log": {
- "level": "info"
- },
 "dns": {
 "servers": [
 {
@@ -11,29 +8,38 @@
 },
 "inbounds": [
 {
- "type": "shadowsocks",
 "listen": "::",
 "listen_port": 8080,
- "sniff": true,
- "network": "tcp",
 "method": "2022-blake3-aes-128-gcm",
- "password": "8JCsPssfgS8tiRwiMlhARg=="
+ "multiplex": {
+ "enabled": true
+ },
+ "network": "tcp",
+ "password": "8JCsPssfgS8tiRwiMlhARg==",
+ "sniff": true,
+ "tcp_fast_open": true,
+ "tcp_multi_path": true,
+ "type": "shadowsocks",
+ "udp_fragment": true
 }
 ],
+ "log": {
+ "level": "info"
+ },
 "outbounds": [
 {
 "type": "direct"
 },
 {
- "type": "dns",
- "tag": "dns-out"
+ "tag": "dns-out",
+ "type": "dns"
 }
 ],
 "route": {
 "rules": [
 {
- "protocol": "dns",
- "outbound": "dns-out"
+ "outbound": "dns-out",
+ "protocol": "dns"
 }
 ]
 }
diff --git a/release/config/sing-box.service b/release/config/sing-box.service
deleted file mode 100644
index 7b7a13a855..0000000000
--- a/release/config/sing-box.service
+++ /dev/null
@@ -1,16 +0,0 @@
-[Unit]
-Description=sing-box service
-Documentation=https://sing-box.sagernet.org
-After=network.target nss-lookup.target network-online.target
-
-[Service]
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
-ExecStart=/usr/bin/sing-box -D /var/lib/sing-box -C /etc/sing-box run
-ExecReload=/bin/kill -HUP $MAINPID
-Restart=on-failure
-RestartSec=10s
-LimitNOFILE=infinity
-
-[Install]
-WantedBy=multi-user.target
diff --git a/release/config/sing-box@.service b/release/config/sing-box@.service
deleted file mode 100644
index 578ebd1cb5..0000000000
--- a/release/config/sing-box@.service
+++ /dev/null
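Review bot: The rewritten inbound object in the second hunk keeps a fixed, repository-committed Shadowsocks key (`"password": "8JCsPssfgS8tiRwiMlhARg=="`) on a listener bound to `::`, so any host that runs this release config unchanged exposes a proxy whose pre-shared key is public. Since the commit already regenerates this object, it is the natural place to replace the value with an obviously invalid placeholder that fails validation until the operator sets a key, or to have the packaging step write a freshly generated key into the installed copy. The newly added `tcp_fast_open`, `tcp_multi_path` and `udp_fragment` options are all switched on with no note of the kernel support they need; as JSON cannot carry a comment, that belongs in the release notes or the directory README. The first hunk only relocates the `log` block and needs no change.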
@@ -1,16 +0,0 @@
-[Unit]
-Description=sing-box service
-Documentation=https://sing-box.sagernet.org
-After=network.target nss-lookup.target network-online.target
-
-[Service]
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
-ExecStart=/usr/bin/sing-box -D /var/lib/sing-box-%i -c /etc/sing-box/%i.json run
-ExecReload=/bin/kill -HUP $MAINPID
-Restart=on-failure
-RestartSec=10s
-LimitNOFILE=infinity
-
-[Install]
-WantedBy=multi-user.target
diff --git a/release/config/system/sing-box.service b/release/config/system/sing-box.service
new file mode 100644
index 0000000000..28b837f589
--- /dev/null
+++ b/release/config/system/sing-box.service
@@ -0,0 +1,37 @@
+[Unit]
+Description=sing-box service
+Documentation=https://sing-box.sagernet.org
+After=network.target nss-lookup.target network-online.target
+
+[Service]
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
+ConfigurationDirectory=sing-box
+DynamicUser=true
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStart=/usr/bin/sing-box -D ${STATE_DIRECTORY} -C ${CONFIGURATION_DIRECTORY} run
+LimitNOFILE=infinity
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=noaccess
+ProtectSystem=full
+Restart=on-failure
+RestartSec=10s
+RestrictNamespaces=true
+RestrictRealtime=true
+StateDirectory=sing-box
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+
+[Install]
+WantedBy=multi-user.target
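Review bot: The new system unit grants `CAP_DAC_READ_SEARCH` and `CAP_SYS_PTRACE` through `AmbientCapabilities=` to a network-facing process, and `CAP_DAC_READ_SEARCH` bypasses file read-permission checks, so much of what `DynamicUser=true`, `ProtectProc=noaccess` and `ProtectSystem=full` buy is undone on the read side (root-only files such as `/etc/shadow` stay readable to a compromised service; only the mount-based `ProtectHome=` still holds). These two capabilities are carried over from the deleted unit and are presumably needed only for process-based route rules; that should be recorded so operators can drop them, e.g. `# CAP_SYS_PTRACE / CAP_DAC_READ_SEARCH: only needed for process_* route rules, remove both if unused`. Assuming sing-box writes only under its state directory, `ProtectSystem=strict` would also be a safe tightening here, since `StateDirectory=` is exempted from it and the config is read-only anyway. The same applies to the new `release/config/system/sing-box@.service` in the next hunk.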
diff --git a/release/config/system/sing-box@.service b/release/config/system/sing-box@.service
new file mode 100644
index 0000000000..83cdf302bd
--- /dev/null
+++ b/release/config/system/sing-box@.service
@@ -0,0 +1,38 @@
+[Unit]
+Description=sing-box service (%i)
+Documentation=https://sing-box.sagernet.org
+After=network.target nss-lookup.target network-online.target
+
+[Service]
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
+ConfigurationDirectory=sing-box
+DynamicUser=true
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStart=/usr/bin/sing-box -D ${STATE_DIRECTORY} -c ${CONFIGURATION_DIRECTORY}/%i.json run
+LimitNOFILE=infinity
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=noaccess
+ProtectSystem=full
+Restart=on-failure
+RestartSec=10s
+RestrictNamespaces=true
+RestrictRealtime=true
+StateDirectory=sing-box-%i
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+
+[Install]
+WantedBy=multi-user.target
+DefaultInstance=sing-box.service
diff --git a/release/config/user/sing-box.service b/release/config/user/sing-box.service
new file mode 100644
index 0000000000..9d9e455354
--- /dev/null
+++ b/release/config/user/sing-box.service
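Review bot: `DefaultInstance=sing-box.service` in the template's `[Install]` section makes an enable of the bare template (no explicit instance) instantiate it with `%i` set to `sing-box.service`, so `ExecStart` resolves to `-c ${CONFIGURATION_DIRECTORY}/sing-box.service.json` and `StateDirectory=` to `sing-box-sing-box.service`, neither of which is likely to exist. Unless a config file with that exact name is intended, the value should be a plain config basename that pairs with a shipped file (a constructed example: `DefaultInstance=config` alongside `config.json`), or the line should be dropped so the template can only be enabled with an explicit instance. The same `DefaultInstance=` line is added to `release/config/user/sing-box@.service` further down and has the same effect there.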
@@ -0,0 +1,28 @@
+[Unit]
+Description=sing-box user service
+Documentation=https://sing-box.sagernet.org
+After=basic.target
+
+[Service]
+ConfigurationDirectory=sing-box
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStart=/usr/bin/sing-box -D ${STATE_DIRECTORY} -C ${CONFIGURATION_DIRECTORY} run
+LimitNOFILE=infinity
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProcSubset=pid
+ProtectProc=noaccess
+Restart=on-failure
+RestartSec=10s
+RestrictNamespaces=true
+RestrictRealtime=true
+StateDirectory=sing-box
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+
+[Install]
+WantedBy=default.target
diff --git a/release/config/user/sing-box@.service b/release/config/user/sing-box@.service
new file mode 100644
index 0000000000..5b30147c07
--- /dev/null
+++ b/release/config/user/sing-box@.service
@@ -0,0 +1,29 @@
+[Unit]
+Description=sing-box user service (%i)
+Documentation=https://sing-box.sagernet.org
+After=basic.target
+
+[Service]
+ConfigurationDirectory=sing-box
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStart=/usr/bin/sing-box -D ${STATE_DIRECTORY} -c ${CONFIGURATION_DIRECTORY}/%i.json run
+LimitNOFILE=infinity
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProcSubset=pid
+ProtectProc=noaccess
+Restart=on-failure
+RestartSec=10s
+RestrictNamespaces=true
+RestrictRealtime=true
+StateDirectory=sing-box-%i
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+
+[Install]
+WantedBy=default.target
+DefaultInstance=sing-box.service