An Advanced Web Panel • Built on SagerNet/Sing-Box
S-UI Next is a downstream project that continues the original sing-box panel design while adding a versioned API, mobile apps, stronger authentication, richer analytics, and safer WireGuard management. The additions maintained here are listed first so the differences from the upstream project are immediately visible.
- Android arm64 and iPhone arm64 management apps with visual and raw JSON editors.
- Versioned
/apiv3API covering resources, users, usage/statistics, logs, audit history, backup, and everyday tools. - Cloudflare Zero Trust friendly custom headers in the app connection profile.
- User/date/search filters for usage, statistics, logs, audit records, and parsed connection details by user, inbound, outbound, endpoint, and destination.
- Searchable multi-level system logs and administrator change history in both Web and App.
- Granular subscription user-info controls for upload, download, quota, expiry, and node-name remaining quota.
- Per-client random subscription IDs, so public subscription URLs no longer expose or accept guessable usernames.
- OIDC single sign-on, TOTP two-factor authentication with one-time recovery codes, and WebAuthn passkeys.
- bcrypt password storage with automatic migration from legacy plaintext records after successful login.
- Web/App navigation parity: users, resources, TLS, core configuration, analytics, logs, administration, settings, and tools.
- Visual editors backed by optional raw JSON editing, including fields introduced by newer sing-box versions.
- Historical traffic views that remain stable until refreshed, plus an explicit real-time mode.
- Reworked WireGuard Endpoint management with separate server peer ownership and client routing fields, secure PSK generation/redaction, safe split-tunnel defaults, IPv4/IPv6 validation, explicit exported Endpoint host/port, controlled client configuration export, managed hub forwarding/site-gateway routes, and save/apply rollback.
- Localized Web and App interfaces in English, Farsi, Vietnamese, Simplified Chinese, Traditional Chinese, Russian, Japanese, French, and Latin.
- Tag-aware release filenames and seven intended GitHub Actions entries: five upstream workflows plus mobile CI and mobile application builds.
Mobile source is available in
mobile/. Android arm64 and unsigned iPhone arm64 artifacts are built remotely by GitHub Actions. The app uses/apiv3, supports arbitrary request headers, and pre-fills Cloudflare Access Service Token headers.
- Stable mobile API and secure token lifecycle.
- Android arm64 and unsigned iPhone arm64 CI/release builds.
- Visual editors and raw JSON fallback across Web and App.
- Filterable analytics, structured logs, and dotted traffic charts.
- OIDC, TOTP/2FA, recovery codes, and passkey management.
- Safe WireGuard Endpoint editing, PSK/key handling, client export, managed hub/site routing, validation, and transactional apply.
- Seven-workflow GitHub Actions layout: five upstream workflows plus mobile CI and mobile release builds.
Tag builds include the tag in every downloadable filename, for example s-ui-next-v1.2.0-linux-amd64.tar.gz, s-ui-next-v1.2.0-windows-amd64.zip, s-ui-next-v1.2.0-android-arm64.apk, and s-ui-next-v1.2.0-iphone-arm64-unsigned.ipa.
Disclaimer: This project is only for personal learning and communication, please do not use it for illegal purposes, please do not use it in a production environment
If you think this project is helpful to you, you may wish to give a🌟
Want to contribute? See CONTRIBUTING.md for development setup, coding conventions, testing, and the pull request process.
| Features | Enable? |
|---|---|
| Multi-Protocol | ✔️ |
| Multi-Language | ✔️ |
| Multi-Client/Inbound | ✔️ |
| Advanced Traffic Routing Interface | ✔️ |
| Client & Traffic & System Status | ✔️ |
| Subscription Link (link/json/clash + info) | ✔️ |
| Dark/Light Theme | ✔️ |
| Versioned API + Mobile Apps | ✔️ |
| OIDC, TOTP and Passkeys | ✔️ |
| Filtered Usage, Statistics and Logs | ✔️ |
| Platform | Architecture | Status |
|---|---|---|
| Linux | amd64, arm64, armv7, armv6, armv5, 386, s390x | ✅ Supported |
| Windows | amd64, 386, arm64 | ✅ Supported |
| macOS | amd64, arm64 | 🚧 Experimental |
Authentication features are configured from Settings → Login & identity and Admins → Login security. When the panel is behind a reverse proxy or Cloudflare Zero Trust, use the public HTTPS URL that users actually open in the browser.
Enable OIDC, then configure the issuer URL, client ID, client secret, scopes, username claim, and allowed identities. The redirect URL must exactly match the URL registered with the OIDC provider. For the default Web Path this is usually:
https://panel.example.com/app/api/oidc-callback
If you changed the Web Path, keep that path in the callback URL, for example https://panel.example.com/custom-path/api/oidc-callback. The username claim defaults to preferred_username, then falls back to email and sub. Identities not matching an existing admin username must be listed in the allowed identities field.
TOTP is managed from Admins → Login security. Enabling it shows an authenticator URI/secret and one-time recovery codes. Store the recovery codes immediately; each code can be used once when the normal 6-digit authenticator code is unavailable.
Enable passkeys in Settings → Login & identity, then add passkeys from Admins → Login security. RP ID and allowed origins can normally be left blank: S-UI Next auto-detects the current management domain from the browser origin and reverse-proxy headers such as Forwarded, X-Forwarded-Host, and X-Forwarded-Proto.
Manual configuration is still available for unusual proxy layouts. RP ID should be only the domain, for example panel.example.com; allowed origins should include full scheme origins, for example https://panel.example.com. Passkeys require HTTPS except for localhost-style development origins. The Web UI gives a best-effort automatic name such as iCloud Keychain, Google Password Manager, Windows Hello, or Security key; names can be renamed afterwards.
The WireGuard editor follows the field semantics of the embedded sing-box v1.13.12 Endpoint implementation:
- Server Endpoint addresses identify the S-UI Next side itself and should normally be an IPv4
/32and/or IPv6/128, such as10.66.66.1/32andfd66:66:66::1/128. - Virtual network prefixes are allocation ranges, such as
10.66.66.0/24andfd66:66:66::/64. They are not written into the Endpointaddressfield. - Server peer allowed IPs assign source addresses to one peer and therefore use unique host routes such as
/32and/128. - Client AllowedIPs choose destination traffic sent through the client tunnel. New peers default to the WireGuard virtual networks;
0.0.0.0/0and::/0are only emitted after explicitly selecting the full-tunnel preset. - Client Endpoint host/port must identify the real public WireGuard UDP entrypoint. It is deliberately independent from the Web panel hostname, which may be behind Cloudflare Access or an HTTP reverse proxy.
- Regular clients have no sing-box runtime peer address/port. WireGuard learns the current endpoint from handshakes, so this is suitable for phones, laptops, and NATed devices.
- Fixed remote nodes use a known remote WireGuard address and UDP port. Their server-side AllowedIPs normally remain the node’s own
/32and/or/128. - Site gateways represent a remote gateway plus one or more LAN prefixes behind it. The server runtime peer AllowedIPs include the gateway tunnel address plus the remote site CIDRs. The exported client configuration includes the S-UI Next WireGuard virtual networks and configured local site CIDRs, not the remote site’s own LAN.
- PSK and private keys are generated with backend secure randomness, hidden in ordinary API resource responses, preserved when saving redacted forms, and revealed only through explicit generation/copy/export actions.
- Device forwarding through S-UI Next is stored in a dedicated managed-route table and injected when the runtime configuration is generated. It means traffic is forwarded by this S-UI Next server between devices in the same Endpoint; it is not a direct device-to-device tunnel or NAT traversal feature. Equivalent user rules are not duplicated, and disabling the feature never deletes a user-authored rule.
- Site-to-site routing requires a return path on the local or remote LAN. If NAT is not configured separately, add a route such as
192.168.50.0/24 via <WireGuard gateway>on the relevant network; otherwise only one-way traffic may be visible.
Use Save to keep a validated change without altering the current runtime. Save & apply validates the complete generated configuration, restarts the embedded core synchronously, checks the running state, and restores the previous runtime if application fails. Existing Endpoint JSON remains readable; the database migration adds only the managed-route table, while WireGuard editor metadata is stored compatibly in the existing Endpoint options.
- Panel Port: 2095
- Panel Path: /app/
- Subscription Port: 2096
- Subscription Path: /sub/
- User/Password: admin
bash <(curl -Ls https://raw.githubusercontent.com/ciallothu/s-ui-next/master/install.sh)- Download the latest Windows release from GitHub Releases
- Extract the ZIP file
- Run
install-windows.batas Administrator - Follow the installation wizard
Step 1: To install your desired legacy version, add the version to the end of the installation command. e.g., ver 1.0.0:
VERSION=1.0.0 && bash <(curl -Ls https://raw.githubusercontent.com/ciallothu/s-ui-next/$VERSION/install.sh) $VERSION- Get the latest version of S-UI Next based on your OS/Architecture from GitHub: https://github.com/ciallothu/s-ui-next/releases/latest
- OPTIONAL Get the latest version of
s-ui-next.shhttps://raw.githubusercontent.com/ciallothu/s-ui-next/master/s-ui-next.sh - OPTIONAL Copy
s-ui-next.shto /usr/bin/ and runchmod +x /usr/bin/s-ui-next. - Extract s-ui-next tar.gz file to a directory of your choice and navigate to the directory where you extracted the tar.gz file.
- Copy *.service files to /etc/systemd/system/ and run
systemctl daemon-reload. - Enable autostart and start S-UI Next service using
systemctl enable s-ui-next --now - Start sing-box service using
systemctl enable sing-box --now
- Get the latest Windows version from GitHub: https://github.com/ciallothu/s-ui-next/releases/latest
- Download the appropriate Windows package (e.g.,
s-ui-next-windows-amd64.zip) - Extract the ZIP file to a directory of your choice
- Run
install-windows.batas Administrator - Follow the installation wizard
- Access the panel at http://localhost:2095/app
sudo -i
systemctl disable s-ui-next --now
rm -f /etc/systemd/system/sing-box.service
systemctl daemon-reload
rm -fr /usr/local/s-ui-next
rm /usr/bin/s-ui-nextClick for details
Step 1: Install Docker
curl -fsSL https://get.docker.com | shStep 2: Install S-UI Next
Docker compose method
mkdir s-ui-next && cd s-ui-next
wget -q https://raw.githubusercontent.com/ciallothu/s-ui-next/master/docker-compose.yml
docker compose up -dUse docker
mkdir s-ui-next && cd s-ui-next
docker run -itd \
-p 2095:2095 -p 2096:2096 -p 443:443 -p 80:80 \
-v $PWD/db/:/app/db/ \
-v $PWD/cert/:/root/cert/ \
--name s-ui-next --restart=unless-stopped \
ghcr.io/ciallothu/s-ui-next:latestBuild your own image
git clone https://github.com/ciallothu/s-ui-next
git submodule update --init --recursive
docker build -t s-ui-next .Click for details
./runSUI.sh# clone repository
git clone https://github.com/ciallothu/s-ui-next
# clone submodules
git submodule update --init --recursiveVisit s-ui-next-frontend for frontend code
Please build frontend once before!
To build backend:
# remove old frontend compiled files
rm -fr web/html/*
# apply new frontend compiled files
cp -R frontend/dist/ web/html/
# build
go build -o sui main.goTo run backend (from root folder of repository):
./sui- English
- Farsi
- Vietnamese
- Chinese (Simplified)
- Chinese (Traditional)
- Japanese
- French
- Latin
- Russian
- Supported protocols:
- General: Mixed, SOCKS, HTTP, HTTPS, Direct, Redirect, TProxy
- V2Ray based: VLESS, VMess, Trojan, Shadowsocks
- Other protocols: ShadowTLS, Hysteria, Hysteria2, Naive, TUIC
- Supports XTLS protocols
- An advanced interface for routing traffic, incorporating PROXY Protocol, External, and Transparent Proxy, SSL Certificate, and Port
- An advanced interface for inbound and outbound configuration
- Clients’ traffic cap and expiration date
- Displays online clients, inbounds and outbounds with traffic statistics, and system status monitoring
- Subscription service with ability to add external links and subscription
- HTTPS for secure access to the web panel and subscription service (self-provided domain + SSL certificate)
- Dark/Light theme
Click for details
| Variable | Type | Default |
|---|---|---|
| SUI_LOG_LEVEL | "debug" | "info" | "warn" | "error" |
"info" |
| SUI_DEBUG | boolean |
false |
| SUI_BIN_FOLDER | string |
"bin" |
| SUI_DB_FOLDER | string |
"db" |
| SINGBOX_API | string |
- |
Click for details
snap install core; snap refresh core
snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot
certbot certonly --standalone --register-unsafely-without-email --non-interactive --agree-tos -d <Your Domain Name>