diff --git a/hosts/dust/default.nix b/hosts/dust/default.nix
index a8bf80b..85af147 100644
--- a/hosts/dust/default.nix
+++ b/hosts/dust/default.nix
@@ -165,4 +165,30 @@
"org.freedesktop.impl.portal.Inhibit" = "none";
};
};
+
+ services.sing-box.settings = {
+ outbounds = [
+ {
+ type = "selector";
+ tag = "select";
+ outbounds = [
+ "tyo0"
+ "direct"
+ ];
+ default = "tyo0";
+ }
+ ];
+
+ route = {
+ final = "select";
+ };
+
+ experimental = {
+ clash_api = {
+ external_controller = "127.0.0.1:9090";
+ external_ui = pkgs.metacubexd;
+ secret = "hunter2";
+ };
+ };
+ };
}
diff --git a/hosts/tyo0/Caddyfile b/hosts/tyo0/Caddyfile
index d2f0cab..d5e9c8b 100644
--- a/hosts/tyo0/Caddyfile
+++ b/hosts/tyo0/Caddyfile
@@ -1,11 +1,3 @@
-{
- # Disables HTTP/3 for Hysteria
- # https://github.com/apernet/hysteria/issues/768
- servers :443 {
- protocols h1 h2 h2c
- }
-}
-
(default) {
encode zstd gzip
handle_path /robots.txt {
diff --git a/hosts/tyo0/default.nix b/hosts/tyo0/default.nix
index c16908b..58ec563 100644
--- a/hosts/tyo0/default.nix
+++ b/hosts/tyo0/default.nix
@@ -10,7 +10,6 @@
./anti-feature.nix
./services/forgejo.nix
- ./services/hysteria.nix
./services/keycloak.nix
./services/miniflux.nix
./services/murmur.nix
@@ -18,6 +17,7 @@
./services/pixivfe.nix
./services/redlib.nix
./services/searx.nix
+ ./services/sing-box.nix
./services/uptime-kuma.nix
./services/vaultwarden.nix
./services/wastebin.nix
@@ -38,8 +38,8 @@
### Secrets
sops.secrets = lib.mapAttrs (_name: value: value // { sopsFile = ./secrets.yaml; }) {
- "hysteria/auth" = {
- restartUnits = [ "hysteria.service" ];
+ "sing-box/auth" = {
+ restartUnits = [ "sing-box.service" ];
};
"pixivfe/environment" = {
restartUnits = [ "pixivfe.service" ];
@@ -56,11 +56,11 @@
};
### Services
- networking.firewall.allowedUDPPorts = [ 443 ]; # hysteria
+ networking.firewall.allowedUDPPorts = [ 443 ];
networking.firewall.allowedTCPPorts = [
80
443
- ]; # caddy
+ ];
systemd.tmpfiles.settings = {
"10-www" = {
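Review bot: The Clash API `secret = "hunter2";` added in this hunk is a plaintext credential inside the Nix expression, so it lands world-readable in the Nix store and stays in repository history. The same commit already keeps sing-box credentials in sops (`sing-box/auth`, `sing-box/tyo0`) and uses the NixOS sing-box module's `_secret` substitution in `hosts/tyo0/services/sing-box.nix` (`users = { _secret = ...; quote = false; }`), so the same mechanism fits here, e.g. `secret._secret = config.sops.secrets."<clash-api secret name>".path;` — `config` is not visible in this hunk's module arguments, so confirm it is in scope. Binding the controller to `127.0.0.1:9090` limits exposure to local processes, but any local user can still read the store path. The enclosing attribute set begins outside the hunk.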
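Review bot: The `# hysteria` and `# caddy` comments that explained why UDP 443 and TCP 80/443 are open are dropped in this hunk, but `networking.firewall.allowedUDPPorts = [ 443 ];` stays, so a reader can no longer tell what still needs UDP 443 now that hysteria is removed. Since the Caddyfile block that disabled HTTP/3 is deleted in this same commit, UDP 443 presumably now serves Caddy's HTTP/3; if that is the intent, keep the rationale next to the rule, `networking.firewall.allowedUDPPorts = [ 443 ]; # caddy (HTTP/3)`, and otherwise drop the port. The enclosing attribute set starts and ends outside the hunk.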
diff --git a/hosts/tyo0/secrets.yaml b/hosts/tyo0/secrets.yaml index 269952f..2c2dc3b 100644 --- a/hosts/tyo0/secrets.yaml +++ b/hosts/tyo0/secrets.yaml @@ -1,5 +1,5 @@ -hysteria: - auth: ENC[AES256_GCM,data:cApNP7RrRV+IAqGEhZ4uWQu2U09a0q+bEkW9rdGNJedQF1kykdLFintvmCl4zmJyYOSp8pe+P4xvjmyG1st7F9jhBr/gv9PG30uY1z2GvLKLrKMANosAxq3w6ZhRgUEILsQ=,iv:lAKy/qw1liuoas1P5ZZxssNPCzuV4mZ3i91ctecJVHY=,tag:pSoRRr2jVj2OLchtFQKVsw==,type:str] +sing-box: + auth: ENC[AES256_GCM,data:szsNEmPyKZZJXxZ/1CCVNNocNp2dkUNT8n/Evf61J8LnBZGiUNKZek7ecdvU6VVsszOYD4uv6F3WmulmUqSRff2fI8pn3/if5cNSMOT9KUQpJMwnYMVIWGI+Epmr76rQUuf766yMA3UEloSuwOvpWjUmfdonfr2jKocMJRDgDoI4tWRHpRmjcF7mRt5x12FFgAhDmlNZOSyRxx6R5opfL0ZEU3MPi6El+dokkUcq/frp/ZgjadTyVQMJc5E41QMYbAcqJmAIN8lCVnUbshwxDRGYcpkH66KLOf6NYo0Z4dbnK6bgUozHLpI=,iv:sgEAZOTk5zylOU1SeHCGIjMkmZ8KKhSRIW7UHXH4u/8=,tag:KwI5w2OSmhB3PjCKPgoSjQ==,type:str] searx: environment: ENC[AES256_GCM,data:Chtb7yhooCMU+Hfnqdgwpd1w5gI2LZm4cz8d3YRgznjveO/4HOZ54XMdQVDoiC6ukojHfEUxl+3qIG1wi/s29rhxJekHLtWgJ++OUQKW,iv:viGQRoWbaSlRoovBV01Vl/d17eRVeM8CQUHYRWrflNQ=,tag:2QMYVCXON129pRpW3oOQXg==,type:str] pixivfe: @@ -32,8 +32,8 @@ sops: UkYrb3JpZDBzOUgzWXFQbUZnWjNUUjAKKuJmaJ6kV5ITsCMXEOzv9ym3L9VQKoB4 n/SE4eCXeaoE/1UCdw4VlpyuUuouHh2pgLWJF49dHhY/zhv84sURtA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-08-12T12:55:54Z" - mac: ENC[AES256_GCM,data:H1zm+Rk9F9SkRbANU4GYjhZpys3e5qQNBBsdIbgXD3AZTAKZVyemT6Vb8k0ufkfzQ98L0Xrm/S1JQFvcyaZqRHv+C2GW3F34FlSS4IOtaJz9IgVIdvaM4WvaOTtpC5B+5CKnA/oBPOmhEBCdi2LIjzrUltEzKpemWHkIIT2eHQA=,iv:1RCjLEz0W+tHQep4EguweYKSfePXa1VE3+gzlcFsAug=,tag:Oonqihfe83l5SNOmLjOPYg==,type:str] + lastmodified: "2024-08-27T20:25:39Z" + mac: ENC[AES256_GCM,data:Jg5dJZtIz8ZM30T1+iLLIDBghqn7JWIKirJzF0UfhlMJ1EGM1tjbuW4ZecPlSsqi3mYsA/Ns5eG8/jFeyUhs9WIsPvNTU62n8JMBwFeGAwdQO7QmmLXGuxyfJKtMrvn2IQxNx5jE97ag4atxdHNRiO5xChXYfWxgNvkskA1CJ0w=,iv:z9gOkUTN/ddYDPXVzefbN3P+ZuLrXV6LPbGIWRnP/gQ=,tag:AP5dnT6u+dA/sY6zmfkjXA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.0 
diff --git a/hosts/tyo0/services/hysteria.nix b/hosts/tyo0/services/hysteria.nix
deleted file mode 100644
index 9bc4ec4..0000000
--- a/hosts/tyo0/services/hysteria.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{ config, ... }:
-{
- services.hysteria = {
- enable = true;
- settings = {
- auth = {
- type = "userpass";
- userpass = {
- _secret = "/run/credentials/hysteria.service/auth";
- quote = false;
- };
- };
- masquerade = {
- type = "proxy";
- proxy.url = "https://ny4.dev/";
- };
- tls = {
- cert = "/run/credentials/hysteria.service/cert";
- key = "/run/credentials/hysteria.service/key";
- };
- };
- };
-
- systemd.services."hysteria".serviceConfig.LoadCredential = [
- # FIXME: remove hardcoded path
- "auth:${config.sops.secrets."hysteria/auth".path}"
- "cert:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.crt"
- "key:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.key"
- ];
-}
diff --git a/hosts/tyo0/services/sing-box.nix b/hosts/tyo0/services/sing-box.nix
new file mode 100644
index 0000000..826d5ce
--- /dev/null
+++ b/hosts/tyo0/services/sing-box.nix
@@ -0,0 +1,56 @@
+{ config, ... }:
+{
+ networking.firewall.allowedTCPPorts = [
+ 27253
+ ];
+
+ services.sing-box = {
+ enable = true;
+ settings = {
+ log = {
+ level = "info";
+ };
+
+ inbounds = [
+ {
+ type = "vless";
+ tag = "inbound";
+ listen = "0.0.0.0";
+ listen_port = 27253;
+ users = {
+ _secret = "/run/credentials/sing-box.service/auth";
+ quote = false;
+ };
+ tls = {
+ enabled = true;
+ server_name = "tyo0.ny4.dev";
+ certificate_path = "/run/credentials/sing-box.service/cert";
+ key_path = "/run/credentials/sing-box.service/key";
+ };
+ }
+ ];
+
+ outbounds = [
+ {
+ type = "direct";
+ tag = "direct";
+ }
+ ];
+
+ route = {
+ final = "direct";
+ };
+ };
+ };
+
+ systemd.services."sing-box".serviceConfig.LoadCredential =
+ let
+ # FIXME: remove hardcoded path
+ path = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev";
+ in
+ [
+ "auth:${config.sops.secrets."sing-box/auth".path}"
+ "cert:${path}/tyo0.ny4.dev.crt"
+ "key:${path}/tyo0.ny4.dev.key"
+ ];
+}
diff --git a/nixos/profiles/sing-box/default.nix b/nixos/profiles/sing-box/default.nix
index 9abbd2d..d9dbff2 100644
--- a/nixos/profiles/sing-box/default.nix
+++ b/nixos/profiles/sing-box/default.nix
@@ -1,4 +1,5 @@
{
+ lib,
pkgs,
config,
...
@@ -24,11 +25,12 @@
outbounds = [
{
- type = "hysteria2";
+ type = "vless";
tag = "tyo0";
server = "tyo0.ny4.dev";
- server_port = 443;
- password._secret = config.sops.secrets."sing-box/tyo0".path;
+ server_port = 27253;
+ uuid = "29e54ee5-43f5-4891-b750-ca73c7e3b2b3";
+ flow = "xtls-rprx-vision";
tls.enabled = true;
}
{
@@ -76,15 +78,7 @@
}
];
- final = "tyo0";
- };
-
- experimental = {
- clash_api = {
- external_controller = "127.0.0.1:9090";
- external_ui = pkgs.metacubexd;
- secret = "hunter2";
- };
+ final = lib.mkDefault "tyo0";
};
};
};
diff --git a/nixos/profiles/sing-box/secrets.yaml b/nixos/profiles/sing-box/secrets.yaml
index 1f47ad2..1aa9358 100644
--- a/nixos/profiles/sing-box/secrets.yaml
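Review bot: The TLS certificate and key are handed to sing-box from Caddy's storage directory through `LoadCredential`, and systemd copies credentials once at unit start, so after Caddy renews `tyo0.ny4.dev.crt` this service keeps presenting the old certificate until `sing-box.service` is restarted; the `# FIXME: remove hardcoded path` comment covers the path but not that staleness. A `systemd.paths` watch on the certificate directory, or a periodic restart, would close the gap — I cannot see from this page whether something else already restarts the unit. Separately, the VLESS `users` list comes from the `sing-box/auth` sops secret while the client profile changed in this commit sets `flow = "xtls-rprx-vision"`; sing-box expects the user entry's `flow` to match the client's, so confirm the encrypted user entries carry that value. `listen = "0.0.0.0";` accepts IPv4 only; `"::"` would also cover IPv6 if the host has it.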
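Review bot: The new `uuid = "29e54ee5-…"` line is the VLESS user id, i.e. the credential that authenticates this client to tyo0, and it replaces a value that was read from sops (`password._secret = config.sops.secrets."sing-box/tyo0".path`) with a literal that now lives in the repository and the Nix store. The `sing-box/tyo0` entry in `nixos/profiles/sing-box/secrets.yaml` is still re-encrypted in this same commit, so the plumbing exists; `uuid._secret = config.sops.secrets."sing-box/tyo0".path;` with the uuid stored in that entry keeps it out of the store, and `config` remains in the module arguments per the first hunk of this file. The enclosing outbound list starts and ends outside the hunk.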
+++ b/nixos/profiles/sing-box/secrets.yaml @@ -1,5 +1,5 @@ sing-box: - tyo0: ENC[AES256_GCM,data:c1WIyaAXyiir4VRcggvJ0drgxOi24+s=,iv:1CufURfG6PL+iv54LOkh6kdjjf6Pa8uvyWsRX4rBTls=,tag:M5PzRvKJzQzhpv3z6XlG9A==,type:str] + tyo0: ENC[AES256_GCM,data:IIUqglE+FqlD1LlRkpCuRqaOysEe4BxUIlGBEhUwgw/dDGBK,iv:ojryKlJgA9R7dTlcqKZ9BmGSHdZQ4BDMYRYLlJwbCXc=,tag:MDhlfxgQQ84UUdZ+ZWvaWQ==,type:str] sops: kms: [] gcp_kms: [] @@ -33,8 +33,8 @@ sops: NTdHRTVNeUxYUHYzQzIvMlZlTFhoVkEKcjzpxTP25gadACwH6g9SZCsw2KPoNiQ6 JsMOOy+JUrIzGDftkDYzQhxg+fDWPMnRVzk5EMEw5AU2RghrrJzTWA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-08-24T07:58:00Z" - mac: ENC[AES256_GCM,data:gbgaZ6fGr8sIaEPMTJeTr4nHEkfWDMwNPstEjfn580go8Ogg3cIW0Lca1nPERCI7XimswjT9V6FnxV8HtTZ+VH3jZsuB/Zu0lYpCsTx//wY0meWWHtOINFZ6Qn9dl6CTRi/QgmNJPKjPPYcHg0ECGY/Iv8s44Mj0aXthVN61huk=,iv:8y+vjDSWaVt7kQkvu499+bK3lYB3moVtAQJ4UvfLYv4=,tag:XAhiF7cw8i8ilj3Dp/zoDw==,type:str] + lastmodified: "2024-08-27T20:29:35Z" + mac: ENC[AES256_GCM,data:RA8pX6oMrKz4f7aX0UwTAa3P/QYt1IX8FO9yl/ViaUoPYQ5WD3o5Zh7FX40QDUdLZkfFJqO+P+gr5ZqRJ+lZRSNRXmO0vx9C7KMPEMweNz+0hmE15OKXcfEjTbEu+GW9vgoj6TyQ8OahJZ4pF7DNtg0+/B7LzmhgrRaKq7zLdng=,iv:x1zD7US6VmLfeY1tH3/+fHL4ECM4UyYCzv5qxD1ikEw=,tag:kA+AFntpC+sKpCa9/Q1Bjw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.0