add plugins

internal/client/plugin/cache.go

@@ -0,0 +1,114 @@
+package plugin
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"os"
+	"path/filepath"
+	"sync"
+	"time"
+
+	"github.com/gotunnel/pkg/plugin"
+)
+
+// CachedPlugin 缓存的 plugin 信息
+type CachedPlugin struct {
+	Metadata plugin.PluginMetadata
+	Path     string
+	LoadedAt time.Time
+}
+
+// Cache 管理本地 plugin 存储
+type Cache struct {
+	dir     string
+	plugins map[string]*CachedPlugin
+	mu      sync.RWMutex
+}
+
+// NewCache 创建 plugin 缓存
+func NewCache(cacheDir string) (*Cache, error) {
+	if err := os.MkdirAll(cacheDir, 0755); err != nil {
+		return nil, err
+	}
+
+	return &Cache{
+		dir:     cacheDir,
+		plugins: make(map[string]*CachedPlugin),
+	}, nil
+}
+
+// Get 返回缓存的 plugin（如果有效）
+func (c *Cache) Get(name, version, checksum string) (*CachedPlugin, error) {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+
+	cached, ok := c.plugins[name]
+	if !ok {
+		return nil, nil
+	}
+
+	// 验证版本和 checksum
+	if cached.Metadata.Version != version {
+		return nil, nil
+	}
+	if checksum != "" && cached.Metadata.Checksum != checksum {
+		return nil, nil
+	}
+
+	return cached, nil
+}
+
+// Store 保存 plugin 到缓存
+func (c *Cache) Store(meta plugin.PluginMetadata, wasmData []byte) error {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	// 验证 checksum
+	hash := sha256.Sum256(wasmData)
+	checksum := hex.EncodeToString(hash[:])
+	if meta.Checksum != "" && meta.Checksum != checksum {
+		return fmt.Errorf("checksum mismatch")
+	}
+	meta.Checksum = checksum
+
+	// 写入文件
+	path := filepath.Join(c.dir, meta.Name+".wasm")
+	if err := os.WriteFile(path, wasmData, 0644); err != nil {
+		return err
+	}
+
+	c.plugins[meta.Name] = &CachedPlugin{
+		Metadata: meta,
+		Path:     path,
+		LoadedAt: time.Now(),
+	}
+	return nil
+}
+
+// Remove 删除缓存的 plugin
+func (c *Cache) Remove(name string) error {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	cached, ok := c.plugins[name]
+	if !ok {
+		return nil
+	}
+
+	os.Remove(cached.Path)
+	delete(c.plugins, name)
+	return nil
+}
+
+// List 返回所有缓存的 plugins
+func (c *Cache) List() []plugin.PluginMetadata {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+
+	var result []plugin.PluginMetadata
+	for _, cached := range c.plugins {
+		result = append(result, cached.Metadata)
+	}
+	return result
+}

internal/client/plugin/manager.go

@@ -0,0 +1,70 @@
+package plugin
+
+import (
+	"context"
+	"log"
+	"sync"
+
+	"github.com/gotunnel/pkg/plugin"
+	"github.com/gotunnel/pkg/plugin/builtin"
+	"github.com/gotunnel/pkg/plugin/wasm"
+)
+
+// Manager 客户端 plugin 管理器
+type Manager struct {
+	registry *plugin.Registry
+	cache    *Cache
+	runtime  *wasm.Runtime
+	mu       sync.RWMutex
+}
+
+// NewManager 创建客户端 plugin 管理器
+func NewManager(cacheDir string) (*Manager, error) {
+	ctx := context.Background()
+
+	cache, err := NewCache(cacheDir)
+	if err != nil {
+		return nil, err
+	}
+
+	runtime, err := wasm.NewRuntime(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	registry := plugin.NewRegistry()
+
+	m := &Manager{
+		registry: registry,
+		cache:    cache,
+		runtime:  runtime,
+	}
+
+	// 注册内置 plugins
+	if err := m.registerBuiltins(); err != nil {
+		return nil, err
+	}
+
+	return m, nil
+}
+
+// registerBuiltins 注册内置 plugins
+// 注意: tcp, udp, http, https 是内置类型，直接在 tunnel 中处理
+func (m *Manager) registerBuiltins() error {
+	// 注册 SOCKS5 plugin
+	if err := m.registry.RegisterBuiltin(builtin.NewSOCKS5Plugin()); err != nil {
+		return err
+	}
+	log.Println("[Plugin] Builtin plugins registered: socks5")
+	return nil
+}
+
+// GetHandler 返回指定代理类型的 handler
+func (m *Manager) GetHandler(proxyType string) (plugin.ProxyHandler, error) {
+	return m.registry.Get(proxyType)
+}
+
+// Close 关闭管理器
+func (m *Manager) Close(ctx context.Context) error {
+	return m.runtime.Close(ctx)
+}

internal/client/tunnel/client.go

@@ -14,6 +14,16 @@ import (
 	"github.com/hashicorp/yamux"
 )
 
+// 客户端常量
+const (
+	dialTimeout      = 10 * time.Second
+	localDialTimeout = 5 * time.Second
+	udpTimeout       = 10 * time.Second
+	reconnectDelay   = 5 * time.Second
+	disconnectDelay  = 3 * time.Second
+	udpBufferSize    = 65535
+)
+
 // Client 隧道客户端
 type Client struct {
 	ServerAddr string
@@ -43,14 +53,14 @@ func (c *Client) Run() error {
 	for {
 		if err := c.connect(); err != nil {
 			log.Printf("[Client] Connect error: %v", err)
-			log.Printf("[Client] Reconnecting in 5s...")
-			time.Sleep(5 * time.Second)
+			log.Printf("[Client] Reconnecting in %v...", reconnectDelay)
+			time.Sleep(reconnectDelay)
 			continue
 		}
 
 		c.handleSession()
 		log.Printf("[Client] Disconnected, reconnecting...")
-		time.Sleep(3 * time.Second)
+		time.Sleep(disconnectDelay)
 	}
 }
 
@@ -60,10 +70,10 @@ func (c *Client) connect() error {
 	var err error
 
 	if c.TLSEnabled && c.TLSConfig != nil {
-		dialer := &net.Dialer{Timeout: 10 * time.Second}
+		dialer := &net.Dialer{Timeout: dialTimeout}
 		conn, err = tls.DialWithDialer(dialer, "tcp", c.ServerAddr, c.TLSConfig)
 	} else {
-		conn, err = net.DialTimeout("tcp", c.ServerAddr, 10*time.Second)
+		conn, err = net.DialTimeout("tcp", c.ServerAddr, dialTimeout)
 	}
 	if err != nil {
 		return err
@@ -83,7 +93,10 @@ func (c *Client) connect() error {
 	}
 
 	var authResp protocol.AuthResponse
-	resp.ParsePayload(&authResp)
+	if err := resp.ParsePayload(&authResp); err != nil {
+		conn.Close()
+		return fmt.Errorf("parse auth response: %w", err)
+	}
 	if !authResp.Success {
 		conn.Close()
 		return fmt.Errorf("auth failed: %s", authResp.Message)
@@ -137,13 +150,18 @@ func (c *Client) handleStream(stream net.Conn) {
 		c.handleHeartbeat(stream)
 	case protocol.MsgTypeProxyConnect:
 		c.handleProxyConnect(stream, msg)
+	case protocol.MsgTypeUDPData:
+		c.handleUDPData(stream, msg)
 	}
 }
 
 // handleProxyConfig 处理代理配置
 func (c *Client) handleProxyConfig(msg *protocol.Message) {
 	var cfg protocol.ProxyConfig
-	msg.ParsePayload(&cfg)
+	if err := msg.ParsePayload(&cfg); err != nil {
+		log.Printf("[Client] Parse proxy config error: %v", err)
+		return
+	}
 
 	c.mu.Lock()
 	c.rules = cfg.Rules
@@ -158,7 +176,10 @@ func (c *Client) handleProxyConfig(msg *protocol.Message) {
 // handleNewProxy 处理新代理请求
 func (c *Client) handleNewProxy(stream net.Conn, msg *protocol.Message) {
 	var req protocol.NewProxyRequest
-	msg.ParsePayload(&req)
+	if err := msg.ParsePayload(&req); err != nil {
+		log.Printf("[Client] Parse new proxy request error: %v", err)
+		return
+	}
 
 	var rule *protocol.ProxyRule
 	c.mu.RLock()
@@ -176,7 +197,7 @@ func (c *Client) handleNewProxy(stream net.Conn, msg *protocol.Message) {
 	}
 
 	localAddr := fmt.Sprintf("%s:%d", rule.LocalIP, rule.LocalPort)
-	localConn, err := net.DialTimeout("tcp", localAddr, 5*time.Second)
+	localConn, err := net.DialTimeout("tcp", localAddr, localDialTimeout)
 	if err != nil {
 		log.Printf("[Client] Connect %s error: %v", localAddr, err)
 		return
@@ -202,7 +223,7 @@ func (c *Client) handleProxyConnect(stream net.Conn, msg *protocol.Message) {
 	}
 
 	// 连接目标地址
-	targetConn, err := net.DialTimeout("tcp", req.Target, 10*time.Second)
+	targetConn, err := net.DialTimeout("tcp", req.Target, dialTimeout)
 	if err != nil {
 		c.sendProxyResult(stream, false, err.Error())
 		return
@@ -224,3 +245,62 @@ func (c *Client) sendProxyResult(stream net.Conn, success bool, message string)
 	msg, _ := protocol.NewMessage(protocol.MsgTypeProxyResult, result)
 	return protocol.WriteMessage(stream, msg)
 }
+
+// handleUDPData 处理 UDP 数据
+func (c *Client) handleUDPData(stream net.Conn, msg *protocol.Message) {
+	defer stream.Close()
+
+	var packet protocol.UDPPacket
+	if err := msg.ParsePayload(&packet); err != nil {
+		return
+	}
+
+	// 查找对应的规则
+	rule := c.findRuleByPort(packet.RemotePort)
+	if rule == nil {
+		return
+	}
+
+	// 连接本地 UDP 服务
+	target := fmt.Sprintf("%s:%d", rule.LocalIP, rule.LocalPort)
+	conn, err := net.DialTimeout("udp", target, localDialTimeout)
+	if err != nil {
+		return
+	}
+	defer conn.Close()
+
+	// 发送数据到本地服务
+	conn.SetDeadline(time.Now().Add(udpTimeout))
+	if _, err := conn.Write(packet.Data); err != nil {
+		return
+	}
+
+	// 读取响应
+	buf := make([]byte, udpBufferSize)
+	n, err := conn.Read(buf)
+	if err != nil {
+		return
+	}
+
+	// 发送响应回服务端
+	respPacket := protocol.UDPPacket{
+		RemotePort: packet.RemotePort,
+		ClientAddr: packet.ClientAddr,
+		Data:       buf[:n],
+	}
+	respMsg, _ := protocol.NewMessage(protocol.MsgTypeUDPData, respPacket)
+	protocol.WriteMessage(stream, respMsg)
+}
+
+// findRuleByPort 根据端口查找规则
+func (c *Client) findRuleByPort(port int) *protocol.ProxyRule {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+
+	for i := range c.rules {
+		if c.rules[i].RemotePort == port {
+			return &c.rules[i]
+		}
+	}
+	return nil
+}

internal/server/app/app.go

@@ -86,26 +86,12 @@ func (w *WebServer) RunWithAuth(addr, username, password string) error {
 	}
 	r.Handle("/", spaHandler{fs: http.FS(staticFS)})
 
-	handler := &authMiddleware{username, password, r.Handler()}
+	auth := &router.AuthConfig{Username: username, Password: password}
+	handler := router.BasicAuthMiddleware(auth, r.Handler())
 	log.Printf("[Web] Console listening on %s (auth enabled)", addr)
 	return http.ListenAndServe(addr, handler)
 }
 
-type authMiddleware struct {
-	username, password string
-	handler            http.Handler
-}
-
-func (a *authMiddleware) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	user, pass, ok := r.BasicAuth()
-	if !ok || user != a.username || pass != a.password {
-		w.Header().Set("WWW-Authenticate", `Basic realm="GoTunnel"`)
-		http.Error(w, "Unauthorized", http.StatusUnauthorized)
-		return
-	}
-	a.handler.ServeHTTP(w, r)
-}
-
 // GetClientStore 获取客户端存储
 func (w *WebServer) GetClientStore() db.ClientStore {
 	return w.ClientStore

internal/server/plugin/manager.go

@@ -0,0 +1,137 @@
+package plugin
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"log"
+	"sync"
+
+	"github.com/gotunnel/pkg/plugin"
+	"github.com/gotunnel/pkg/plugin/builtin"
+	"github.com/gotunnel/pkg/plugin/store"
+	"github.com/gotunnel/pkg/plugin/wasm"
+)
+
+// Manager 服务端 plugin 管理器
+type Manager struct {
+	registry *plugin.Registry
+	store    store.PluginStore
+	runtime  *wasm.Runtime
+	mu       sync.RWMutex
+}
+
+// NewManager 创建 plugin 管理器
+func NewManager(pluginStore store.PluginStore) (*Manager, error) {
+	ctx := context.Background()
+
+	runtime, err := wasm.NewRuntime(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("create wasm runtime: %w", err)
+	}
+
+	registry := plugin.NewRegistry()
+
+	m := &Manager{
+		registry: registry,
+		store:    pluginStore,
+		runtime:  runtime,
+	}
+
+	// 注册内置 plugins
+	if err := m.registerBuiltins(); err != nil {
+		return nil, err
+	}
+
+	return m, nil
+}
+
+// registerBuiltins 注册内置 plugins
+// 注意: tcp, udp, http, https 是内置类型，直接在 tunnel 中处理
+// 这里只注册需要通过 plugin 系统提供的协议
+func (m *Manager) registerBuiltins() error {
+	// 注册 SOCKS5 plugin
+	if err := m.registry.RegisterBuiltin(builtin.NewSOCKS5Plugin()); err != nil {
+		return fmt.Errorf("register socks5: %w", err)
+	}
+
+	log.Println("[Plugin] Builtin plugins registered: socks5")
+	return nil
+}
+
+// LoadStoredPlugins 从数据库加载所有 plugins
+func (m *Manager) LoadStoredPlugins(ctx context.Context) error {
+	if m.store == nil {
+		return nil
+	}
+
+	plugins, err := m.store.GetAllPlugins()
+	if err != nil {
+		return err
+	}
+
+	for _, meta := range plugins {
+		data, err := m.store.GetPluginData(meta.Name)
+		if err != nil {
+			log.Printf("[Plugin] Failed to load %s: %v", meta.Name, err)
+			continue
+		}
+
+		if err := m.loadWASMPlugin(ctx, meta.Name, data); err != nil {
+			log.Printf("[Plugin] Failed to init %s: %v", meta.Name, err)
+		}
+	}
+
+	return nil
+}
+
+// loadWASMPlugin 加载 WASM plugin
+func (m *Manager) loadWASMPlugin(ctx context.Context, name string, data []byte) error {
+	_, err := m.runtime.LoadModule(ctx, name, data)
+	if err != nil {
+		return err
+	}
+	log.Printf("[Plugin] WASM plugin loaded: %s", name)
+	return nil
+}
+
+// InstallPlugin 安装新的 WASM plugin
+func (m *Manager) InstallPlugin(ctx context.Context, meta plugin.PluginMetadata, wasmData []byte) error {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	// 验证 checksum
+	hash := sha256.Sum256(wasmData)
+	checksum := hex.EncodeToString(hash[:])
+	if meta.Checksum != "" && meta.Checksum != checksum {
+		return fmt.Errorf("checksum mismatch")
+	}
+	meta.Checksum = checksum
+	meta.Size = int64(len(wasmData))
+
+	// 存储到数据库
+	if m.store != nil {
+		if err := m.store.SavePlugin(meta, wasmData); err != nil {
+			return err
+		}
+	}
+
+	// 加载到运行时
+	return m.loadWASMPlugin(ctx, meta.Name, wasmData)
+}
+
+// GetHandler 返回指定代理类型的 handler
+func (m *Manager) GetHandler(proxyType string) (plugin.ProxyHandler, error) {
+	return m.registry.Get(proxyType)
+}
+
+// ListPlugins 返回所有可用的 plugins
+func (m *Manager) ListPlugins() []plugin.PluginInfo {
+	return m.registry.List()
+}
+
+// Close 关闭管理器
+func (m *Manager) Close(ctx context.Context) error {
+	return m.runtime.Close(ctx)
+}

internal/server/router/api.go

@@ -3,12 +3,21 @@ package router
 import (
 	"encoding/json"
 	"net/http"
+	"regexp"
 
 	"github.com/gotunnel/internal/server/config"
 	"github.com/gotunnel/internal/server/db"
 	"github.com/gotunnel/pkg/protocol"
 )
 
+// 客户端 ID 验证规则
+var clientIDRegex = regexp.MustCompile(`^[a-zA-Z0-9_-]{1,64}$`)
+
+// validateClientID 验证客户端 ID 格式
+func validateClientID(id string) bool {
+	return clientIDRegex.MatchString(id)
+}
+
 // ClientStatus 客户端状态
 type ClientStatus struct {
 	ID        string `json:"id"`
@@ -122,6 +131,10 @@ func (h *APIHandler) addClient(rw http.ResponseWriter, r *http.Request) {
 		http.Error(rw, "client id required", http.StatusBadRequest)
 		return
 	}
+	if !validateClientID(req.ID) {
+		http.Error(rw, "invalid client id: must be 1-64 alphanumeric characters, underscore or hyphen", http.StatusBadRequest)
+		return
+	}
 
 	exists, _ := h.clientStore.ClientExists(req.ID)
 	if exists {
@@ -218,11 +231,16 @@ func (h *APIHandler) handleConfig(rw http.ResponseWriter, r *http.Request) {
 
 func (h *APIHandler) getConfig(rw http.ResponseWriter) {
 	cfg := h.app.GetConfig()
+	// Token 脱敏处理，只显示前4位
+	maskedToken := cfg.Server.Token
+	if len(maskedToken) > 4 {
+		maskedToken = maskedToken[:4] + "****"
+	}
 	h.jsonResponse(rw, map[string]interface{}{
 		"server": map[string]interface{}{
 			"bind_addr":         cfg.Server.BindAddr,
 			"bind_port":         cfg.Server.BindPort,
-			"token":             cfg.Server.Token,
+			"token":             maskedToken,
 			"heartbeat_sec":     cfg.Server.HeartbeatSec,
 			"heartbeat_timeout": cfg.Server.HeartbeatTimeout,
 		},
@@ -231,7 +249,7 @@ func (h *APIHandler) getConfig(rw http.ResponseWriter) {
 			"bind_addr": cfg.Web.BindAddr,
 			"bind_port": cfg.Web.BindPort,
 			"username":  cfg.Web.Username,
-			"password":  cfg.Web.Password,
+			"password":  "****",
 		},
 	})
 }

internal/server/router/router.go

@@ -1,6 +1,7 @@
 package router
 
 import (
+	"crypto/subtle"
 	"net/http"
 )
 
@@ -9,6 +10,12 @@ type Router struct {
 	mux *http.ServeMux
 }
 
+// AuthConfig 认证配置
+type AuthConfig struct {
+	Username string
+	Password string
+}
+
 // New 创建路由管理器
 func New() *Router {
 	return &Router{
@@ -49,3 +56,31 @@ func (g *RouteGroup) HandleFunc(pattern string, handler http.HandlerFunc) {
 func (r *Router) Handler() http.Handler {
 	return r.mux
 }
+
+// BasicAuthMiddleware 基础认证中间件
+func BasicAuthMiddleware(auth *AuthConfig, next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if auth == nil || (auth.Username == "" && auth.Password == "") {
+			next.ServeHTTP(w, r)
+			return
+		}
+
+		user, pass, ok := r.BasicAuth()
+		if !ok {
+			w.Header().Set("WWW-Authenticate", `Basic realm="GoTunnel"`)
+			http.Error(w, "Unauthorized", http.StatusUnauthorized)
+			return
+		}
+
+		userMatch := subtle.ConstantTimeCompare([]byte(user), []byte(auth.Username)) == 1
+		passMatch := subtle.ConstantTimeCompare([]byte(pass), []byte(auth.Password)) == 1
+
+		if !userMatch || !passMatch {
+			w.Header().Set("WWW-Authenticate", `Basic realm="GoTunnel"`)
+			http.Error(w, "Unauthorized", http.StatusUnauthorized)
+			return
+		}
+
+		next.ServeHTTP(w, r)
+	})
+}

internal/server/tunnel/server.go

@@ -9,6 +9,7 @@ import (
 	"time"
 
 	"github.com/gotunnel/internal/server/db"
+	"github.com/gotunnel/pkg/plugin"
 	"github.com/gotunnel/pkg/protocol"
 	"github.com/gotunnel/pkg/proxy"
 	"github.com/gotunnel/pkg/relay"
@@ -16,28 +17,37 @@ import (
 	"github.com/hashicorp/yamux"
 )
 
+// 服务端常量
+const (
+	authTimeout       = 10 * time.Second
+	heartbeatTimeout  = 10 * time.Second
+	udpBufferSize     = 65535
+)
+
 // Server 隧道服务端
 type Server struct {
-	clientStore db.ClientStore
-	bindAddr    string
-	bindPort    int
-	token       string
-	heartbeat   int
-	hbTimeout   int
-	portManager *utils.PortManager
-	clients     map[string]*ClientSession
-	mu          sync.RWMutex
-	tlsConfig   *tls.Config
+	clientStore    db.ClientStore
+	bindAddr       string
+	bindPort       int
+	token          string
+	heartbeat      int
+	hbTimeout      int
+	portManager    *utils.PortManager
+	clients        map[string]*ClientSession
+	mu             sync.RWMutex
+	tlsConfig      *tls.Config
+	pluginRegistry *plugin.Registry
 }
 
 // ClientSession 客户端会话
 type ClientSession struct {
-	ID        string
-	Session   *yamux.Session
-	Rules     []protocol.ProxyRule
-	Listeners map[int]net.Listener
-	LastPing  time.Time
-	mu        sync.Mutex
+	ID          string
+	Session     *yamux.Session
+	Rules       []protocol.ProxyRule
+	Listeners   map[int]net.Listener
+	UDPConns    map[int]*net.UDPConn // UDP 连接
+	LastPing    time.Time
+	mu          sync.Mutex
 }
 
 // NewServer 创建服务端
@@ -59,6 +69,11 @@ func (s *Server) SetTLSConfig(config *tls.Config) {
 	s.tlsConfig = config
 }
 
+// SetPluginRegistry 设置插件注册表
+func (s *Server) SetPluginRegistry(registry *plugin.Registry) {
+	s.pluginRegistry = registry
+}
+
 // Run 启动服务端
 func (s *Server) Run() error {
 	addr := fmt.Sprintf("%s:%d", s.bindAddr, s.bindPort)
@@ -95,7 +110,7 @@ func (s *Server) Run() error {
 func (s *Server) handleConnection(conn net.Conn) {
 	defer conn.Close()
 
-	conn.SetReadDeadline(time.Now().Add(10 * time.Second))
+	conn.SetReadDeadline(time.Now().Add(authTimeout))
 
 	msg, err := protocol.ReadMessage(conn)
 	if err != nil {
@@ -148,6 +163,7 @@ func (s *Server) setupClientSession(conn net.Conn, clientID string, rules []prot
 		Session:   session,
 		Rules:     rules,
 		Listeners: make(map[int]net.Listener),
+		UDPConns:  make(map[int]*net.UDPConn),
 		LastPing:  time.Now(),
 	}
 
@@ -169,7 +185,10 @@ func (s *Server) setupClientSession(conn net.Conn, clientID string, rules []prot
 // sendAuthResponse 发送认证响应
 func (s *Server) sendAuthResponse(conn net.Conn, success bool, message string) error {
 	resp := protocol.AuthResponse{Success: success, Message: message}
-	msg, _ := protocol.NewMessage(protocol.MsgTypeAuthResp, resp)
+	msg, err := protocol.NewMessage(protocol.MsgTypeAuthResp, resp)
+	if err != nil {
+		return err
+	}
 	return protocol.WriteMessage(conn, msg)
 }
 
@@ -182,7 +201,10 @@ func (s *Server) sendProxyConfig(session *yamux.Session, rules []protocol.ProxyR
 	defer stream.Close()
 
 	cfg := protocol.ProxyConfig{Rules: rules}
-	msg, _ := protocol.NewMessage(protocol.MsgTypeProxyConfig, cfg)
+	msg, err := protocol.NewMessage(protocol.MsgTypeProxyConfig, cfg)
+	if err != nil {
+		return err
+	}
 	return protocol.WriteMessage(stream, msg)
 }
 
@@ -203,6 +225,10 @@ func (s *Server) unregisterClient(cs *ClientSession) {
 		ln.Close()
 		s.portManager.Release(port)
 	}
+	for port, conn := range cs.UDPConns {
+		conn.Close()
+		s.portManager.Release(port)
+	}
 	cs.mu.Unlock()
 
 	delete(s.clients, cs.ID)
@@ -211,6 +237,18 @@ func (s *Server) unregisterClient(cs *ClientSession) {
 // startProxyListeners 启动代理监听
 func (s *Server) startProxyListeners(cs *ClientSession) {
 	for _, rule := range cs.Rules {
+		ruleType := rule.Type
+		if ruleType == "" {
+			ruleType = "tcp"
+		}
+
+		// UDP 单独处理
+		if ruleType == "udp" {
+			s.startUDPListener(cs, rule)
+			continue
+		}
+
+		// TCP 类型
 		if err := s.portManager.Reserve(rule.RemotePort, cs.ID); err != nil {
 			log.Printf("[Server] Port %d error: %v", rule.RemotePort, err)
 			continue
@@ -227,15 +265,12 @@ func (s *Server) startProxyListeners(cs *ClientSession) {
 		cs.Listeners[rule.RemotePort] = ln
 		cs.mu.Unlock()
 
-		ruleType := rule.Type
-		if ruleType == "" {
-			ruleType = "tcp"
-		}
-
 		switch ruleType {
-		case "socks5", "http":
-			log.Printf("[Server] %s proxy %s on :%d",
-				ruleType, rule.Name, rule.RemotePort)
+		case "socks5":
+			log.Printf("[Server] SOCKS5 proxy %s on :%d", rule.Name, rule.RemotePort)
+			go s.acceptProxyServerConns(cs, ln, rule)
+		case "http", "https":
+			log.Printf("[Server] HTTP proxy %s on :%d", rule.Name, rule.RemotePort)
 			go s.acceptProxyServerConns(cs, ln, rule)
 		default:
 			log.Printf("[Server] TCP proxy %s: :%d -> %s:%d",
@@ -259,8 +294,23 @@ func (s *Server) acceptProxyConns(cs *ClientSession, ln net.Listener, rule proto
 // acceptProxyServerConns 接受 SOCKS5/HTTP 代理连接
 func (s *Server) acceptProxyServerConns(cs *ClientSession, ln net.Listener, rule protocol.ProxyRule) {
 	dialer := proxy.NewTunnelDialer(cs.Session)
-	proxyServer := proxy.NewServer(rule.Type, dialer)
 
+	// 优先使用插件系统
+	if s.pluginRegistry != nil {
+		if handler, err := s.pluginRegistry.Get(rule.Type); err == nil {
+			handler.Init(rule.PluginConfig)
+			for {
+				conn, err := ln.Accept()
+				if err != nil {
+					return
+				}
+				go handler.HandleConn(conn, dialer)
+			}
+		}
+	}
+
+	// 回退到内置 proxy 实现
+	proxyServer := proxy.NewServer(rule.Type, dialer)
 	for {
 		conn, err := ln.Accept()
 		if err != nil {
@@ -309,13 +359,12 @@ func (s *Server) heartbeatLoop(cs *ClientSession) {
 			}
 			cs.mu.Unlock()
 
-			stream, err := cs.Session.Open()
-			if err != nil {
-				return
+			// 发送心跳并等待响应
+			if s.sendHeartbeat(cs) {
+				cs.mu.Lock()
+				cs.LastPing = time.Now()
+				cs.mu.Unlock()
 			}
-			msg := &protocol.Message{Type: protocol.MsgTypeHeartbeat}
-			protocol.WriteMessage(stream, msg)
-			stream.Close()
 
 		case <-cs.Session.CloseChan():
 			return
@@ -323,6 +372,31 @@ func (s *Server) heartbeatLoop(cs *ClientSession) {
 	}
 }
 
+// sendHeartbeat 发送心跳并等待响应
+func (s *Server) sendHeartbeat(cs *ClientSession) bool {
+	stream, err := cs.Session.Open()
+	if err != nil {
+		return false
+	}
+	defer stream.Close()
+
+	// 设置读写超时
+	stream.SetDeadline(time.Now().Add(heartbeatTimeout))
+
+	msg := &protocol.Message{Type: protocol.MsgTypeHeartbeat}
+	if err := protocol.WriteMessage(stream, msg); err != nil {
+		return false
+	}
+
+	// 等待心跳响应
+	resp, err := protocol.ReadMessage(stream)
+	if err != nil {
+		return false
+	}
+
+	return resp.Type == protocol.MsgTypeHeartbeatAck
+}
+
 // GetClientStatus 获取客户端状态
 func (s *Server) GetClientStatus(clientID string) (online bool, lastPing string) {
 	s.mu.RLock()
@@ -341,17 +415,22 @@ func (s *Server) GetAllClientStatus() map[string]struct {
 	Online   bool
 	LastPing string
 } {
+	// 先复制客户端引用，避免嵌套锁
 	s.mu.RLock()
-	defer s.mu.RUnlock()
+	clients := make([]*ClientSession, 0, len(s.clients))
+	for _, cs := range s.clients {
+		clients = append(clients, cs)
+	}
+	s.mu.RUnlock()
 
 	result := make(map[string]struct {
 		Online   bool
 		LastPing string
 	})
 
-	for id, cs := range s.clients {
+	for _, cs := range clients {
 		cs.mu.Lock()
-		result[id] = struct {
+		result[cs.ID] = struct {
 			Online   bool
 			LastPing string
 		}{
@@ -364,8 +443,9 @@ func (s *Server) GetAllClientStatus() map[string]struct {
 }
 
 // ReloadConfig 重新加载配置
+// 注意: 当前版本不支持热重载，需要重启服务
 func (s *Server) ReloadConfig() error {
-	return nil
+	return fmt.Errorf("hot reload not supported, please restart the server")
 }
 
 // GetBindAddr 获取绑定地址
@@ -377,3 +457,87 @@ func (s *Server) GetBindAddr() string {
 func (s *Server) GetBindPort() int {
 	return s.bindPort
 }
+
+// startUDPListener 启动 UDP 监听
+func (s *Server) startUDPListener(cs *ClientSession, rule protocol.ProxyRule) {
+	if err := s.portManager.Reserve(rule.RemotePort, cs.ID); err != nil {
+		log.Printf("[Server] UDP port %d error: %v", rule.RemotePort, err)
+		return
+	}
+
+	addr, err := net.ResolveUDPAddr("udp", fmt.Sprintf(":%d", rule.RemotePort))
+	if err != nil {
+		log.Printf("[Server] UDP resolve error: %v", err)
+		s.portManager.Release(rule.RemotePort)
+		return
+	}
+
+	conn, err := net.ListenUDP("udp", addr)
+	if err != nil {
+		log.Printf("[Server] UDP listen %d error: %v", rule.RemotePort, err)
+		s.portManager.Release(rule.RemotePort)
+		return
+	}
+
+	cs.mu.Lock()
+	cs.UDPConns[rule.RemotePort] = conn
+	cs.mu.Unlock()
+
+	log.Printf("[Server] UDP proxy %s: :%d -> %s:%d",
+		rule.Name, rule.RemotePort, rule.LocalIP, rule.LocalPort)
+
+	go s.handleUDPConn(cs, conn, rule)
+}
+
+// handleUDPConn 处理 UDP 连接
+func (s *Server) handleUDPConn(cs *ClientSession, conn *net.UDPConn, rule protocol.ProxyRule) {
+	buf := make([]byte, udpBufferSize)
+
+	for {
+		n, clientAddr, err := conn.ReadFromUDP(buf)
+		if err != nil {
+			return
+		}
+
+		// 封装 UDP 数据包发送到客户端
+		packet := protocol.UDPPacket{
+			RemotePort: rule.RemotePort,
+			ClientAddr: clientAddr.String(),
+			Data:       buf[:n],
+		}
+
+		go s.sendUDPPacket(cs, conn, clientAddr, packet)
+	}
+}
+
+// sendUDPPacket 发送 UDP 数据包到客户端
+func (s *Server) sendUDPPacket(cs *ClientSession, conn *net.UDPConn, clientAddr *net.UDPAddr, packet protocol.UDPPacket) {
+	stream, err := cs.Session.Open()
+	if err != nil {
+		return
+	}
+	defer stream.Close()
+
+	msg, err := protocol.NewMessage(protocol.MsgTypeUDPData, packet)
+	if err != nil {
+		return
+	}
+
+	if err := protocol.WriteMessage(stream, msg); err != nil {
+		return
+	}
+
+	// 等待客户端响应
+	respMsg, err := protocol.ReadMessage(stream)
+	if err != nil {
+		return
+	}
+
+	if respMsg.Type == protocol.MsgTypeUDPData {
+		var respPacket protocol.UDPPacket
+		if err := respMsg.ParsePayload(&respPacket); err != nil {
+			return
+		}
+		conn.WriteToUDP(respPacket.Data, clientAddr)
+	}
+}