Dokodemo-door — Xray-core
Dokodemo (Japanese for "any-door") is Xray's transparent-proxy inbound. It listens on one or more ports and forwards every accepted connection to a fixed destination — or, on Linux, to the connection's original pre-NAT destination via SO_ORIGINAL_DST / IP_TRANSPARENT.
Inbound
`settings` for an inbound with `"protocol": "dokodemo-door"`:
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
| `allowedNetwork` | `*NetworkList` | (any) | `tcp` \| `udp` \| `tcp,udp` | Transport protocols the inbound accepts. Canonical name for the legacy `network` field. |
| `rewriteAddress` | `*Address` | (unset) | `<host>` | Destination address forwarded traffic is rewritten to. Used when `portMap` does not match and `followRedirect` is false. Canonical name for the legacy `address` field. |
| `rewritePort` | `uint16` | 0 | `<port>` | Destination port for forwarded traffic. Canonical name for the legacy `port` field. |
| `network` | `*NetworkList` | (alias) | (alias of `allowedNetwork`) | Legacy alias for `allowedNetwork`; if set it overrides it at build time. |
| `address` | `*Address` | (alias) | (alias of `rewriteAddress`) | Legacy alias for `rewriteAddress`; still accepted and copied over at build time. |
| `port` | `uint16` | (alias) | (alias of `rewritePort`) | Legacy alias for `rewritePort`. |
| `portMap` | `map[string]string` | {} | `{<src-port>: <host:port>}` | Per-port destination overrides. Keys are listening ports (as strings); values are `host:port` literals. Each value is validated at config build. |
| `followRedirect` | `bool` | false | `true` \| `false` | Read the original destination from the OS (Linux iptables SO_ORIGINAL_DST / tproxy). When true, `address`/`port` become the fallback target if recovery fails. |
| `userLevel` | `uint32` | 0 | `<uint32>` | Default policy level applied to forwarded connections. |
Source: infra/conf/dokodemo.go:10-20 · pinned at v26.6.1 (94ffd50)
Examples
Static port-forwarder — accept on :5353 and forward to 1.1.1.1:53:
```json
{
  "inbounds": [
    {
      "tag": "dns-forward",
      "listen": "0.0.0.0",
      "port": 5353,
      "protocol": "dokodemo-door",
      "settings": {
        "address": "1.1.1.1",
        "port": 53,
        "network": "tcp,udp"
      }
    }
  ]
}
```

Per-port mapping — accept on multiple ports and forward each to a different destination:
```json
{
  "inbounds": [
    {
      "tag": "multi-forward",
      "listen": "0.0.0.0",
      "port": "80,443,5353",
      "protocol": "dokodemo-door",
      "settings": {
        "network": "tcp,udp",
        "portMap": {
          "80": "10.0.0.10:80",
          "443": "10.0.0.10:443",
          "5353": "1.1.1.1:53"
        }
      }
    }
  ]
}
```

Linux transparent-proxy receiver:
```json
{
  "inbounds": [
    {
      "tag": "tproxy",
      "listen": "0.0.0.0",
      "port": 12345,
      "protocol": "dokodemo-door",
      "settings": {
        "network": "tcp,udp",
        "followRedirect": true
      },
      "streamSettings": {
        "sockopt": { "tproxy": "tproxy" }
      }
    }
  ]
}
```

Notes
- Recent Xray renamed the fields: `allowedNetwork` / `rewriteAddress` / `rewritePort` are the canonical names, and the older `network` / `address` / `port` are accepted as aliases (copied onto the new fields at build time). The examples above use the legacy names, which still work; new configs can use either.
- `portMap` values that are not valid `host:port` literals fail at startup (`infra/conf/dokodemo.go:39-43`).
- For `followRedirect: true` to recover the original destination, the listening socket needs `IP_TRANSPARENT` (TPROXY) or the inbound must be the iptables REDIRECT target. Set this via `streamSettings.sockopt.tproxy`.
- When neither `address`/`port` nor `portMap` match and `followRedirect` cannot recover a destination, the connection is closed.
- The listening `port` field on the parent inbound object accepts a single port, a comma-separated list (`"80,443"`) or a range (`"5000-5010"`), which is the standard inbound port-list syntax.
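The checks described in the notes above, written as a config audit; this is an added example, not Xray's code or part of the original page. It flags `portMap` values that are not `host:port`, `portMap` keys outside the inbound's listening ports, `followRedirect` without `sockopt.tproxy`, and listening ports left with no destination. The function names, the sample config, the `"off"` default for `sockopt.tproxy`, and the rule that a static target needs both an address and a non-zero port are assumptions of this example.

```python
import json

def parse_ports(spec):
    """Expand inbound port syntax: 5353, "80,443" or "5000-5010"."""
    ports = set()
    for part in str(spec).split(","):
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def valid_hostport(value):
    """True for host:port with a non-empty host and a port in 1-65535."""
    host, sep, port = value.rpartition(":")
    return bool(sep and host and port.isdigit() and 0 < int(port) < 65536)

def audit_dokodemo(config):
    """Return (tag, finding) pairs for each dokodemo-door inbound."""
    findings = []
    for ib in config.get("inbounds", []):
        if ib.get("protocol") != "dokodemo-door":
            continue
        tag, s = ib.get("tag", "?"), ib.get("settings", {})
        listening = parse_ports(ib["port"])
        # Legacy aliases win over the canonical names when both are present.
        addr = s.get("address", s.get("rewriteAddress"))
        port = s.get("port", s.get("rewritePort", 0))
        port_map, follow = s.get("portMap", {}), s.get("followRedirect", False)
        for key, dest in port_map.items():
            if not valid_hostport(dest):
                findings.append((tag, f"portMap[{key}]={dest!r} is not host:port"))
            if not key.isdigit() or int(key) not in listening:
                findings.append((tag, f"portMap key {key} is not a listening port"))
        sockopt = ib.get("streamSettings", {}).get("sockopt", {})
        if follow and sockopt.get("tproxy", "off") == "off":
            findings.append((tag, "followRedirect without sockopt.tproxy"))
        # Assumption: a static target needs both an address and a non-zero port.
        uncovered = sorted(p for p in listening if str(p) not in port_map)
        if uncovered and not follow and not (addr and port):
            findings.append((tag, f"ports {uncovered} have no destination"))
    return findings

# Constructed sample config (not from the page) with deliberate mistakes.
SAMPLE = json.loads("""{"inbounds": [
  {"tag": "multi-forward", "port": "80,443", "protocol": "dokodemo-door",
   "settings": {"portMap": {"80": "10.0.0.10:80", "8443": "10.0.0.10"}}},
  {"tag": "tproxy", "port": 12345, "protocol": "dokodemo-door",
   "settings": {"followRedirect": true}}]}""")

if __name__ == "__main__":
    print(*(f"[{t}] {m}" for t, m in audit_dokodemo(SAMPLE)), sep="\n")
```

The `followRedirect` finding is a prompt to confirm that the inbound really is the iptables REDIRECT target, since that is the only other case in which the original destination can be recovered.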
Cross-core notes
- sing-box does not have a dedicated dokodemo struct. Use the Direct inbound: its `override_address` / `override_port` fields cover the static-target case, and TPROXY mode is enabled via `tcp_fast_open` / sniff options at the inbound level.
- mihomo offers two flavors: an entry under `listeners:` with `type: tunnel`, or the top-level `tunnels:` block with a compact comma-separated string form. See Tunnel — mihomo.
