diff --git a/compile/clash b/compile/clash
new file mode 100644
index 00000000..48e6e8a5
Binary files /dev/null and b/compile/clash differ
diff --git a/config/config.go b/config/config.go
index eba2d936..5cd7ce13 100644
--- a/config/config.go
+++ b/config/config.go
@@ -197,7 +197,6 @@ type Config struct {
 TLS *TLS
 WanInput *inbound.WanInput
- TlsUser []auth.AuthUser
 }
 type RawNTP struct {
@@ -623,9 +622,6 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {
 config.Users = parseAuthentication(rawCfg.Authentication)
- if rawCfg.WanInput.Port != 0 {
- config.TlsUser = parseAuthentication(rawCfg.WanInput.Authentication)
- }
 config.WanInput = &rawCfg.WanInput
 config.Tunnels = rawCfg.Tunnels
diff --git a/hub/executor/executor.go b/hub/executor/executor.go
index fc5ecd97..8a60d4e5 100644
--- a/hub/executor/executor.go
+++ b/hub/executor/executor.go
@@ -91,7 +91,6 @@ func ApplyConfig(cfg *config.Config, force bool) {
 }
 updateUsers(cfg.Users)
- updateUsersTls(cfg.TlsUser)
 updateProxies(cfg.Proxies, cfg.Providers)
 updateRules(cfg.Rules, cfg.SubRules, cfg.RuleProviders)
 updateSniffer(cfg.Sniffer)
@@ -425,14 +424,6 @@ func updateUsers(users []auth.AuthUser) {
 }
 }
-func updateUsersTls(users []auth.AuthUser) {
- authenticator := auth.NewAuthenticator(users)
- authStore.SetAuthenticatorTls(authenticator)
- if authenticator != nil {
- log.Infoln("Authentication tls of local server updated")
- }
-}
-
 func updateProfile(cfg *config.Config) {
 profileCfg := cfg.Profile
diff --git a/listener/auth/auth.go b/listener/auth/auth.go
index cea8ee55..46f552b8 100644
--- a/listener/auth/auth.go
+++ b/listener/auth/auth.go
@@ -5,17 +5,11 @@ import (
 )
 var authenticator auth.Authenticator
-var authenticatorTls auth.Authenticator
 func Authenticator() auth.Authenticator {
 return authenticator
 }
-func AuthenticatorTls() auth.Authenticator {
- return authenticatorTls
-}
+
 func SetAuthenticator(au auth.Authenticator) {
 authenticator = au
 }
-func SetAuthenticatorTls(au auth.Authenticator) {
- authenticatorTls = au
-}
diff --git a/listener/mixed/handle_tls.go b/listener/mixed/handle_tls.go
index 28eca2eb..b593f85f 100644
--- a/listener/mixed/handle_tls.go
+++ b/listener/mixed/handle_tls.go
@@ -124,7 +124,7 @@ func handleConnTls(conn net.Conn, tlsProxy *inbound.TLSProxy, tunnel C.Tunnel) {
 return
 }
 if head[0] == socks5.Version {
- socks.HandleSocks5Tls(myConn, tunnel)
+ socks.HandleSocks5(myConn, tunnel)
 } else {
 defer myConn.Close()
diff --git a/listener/mixed/sshd.go b/listener/mixed/sshd.go
index 487fc848..aa4fb441 100644
--- a/listener/mixed/sshd.go
+++ b/listener/mixed/sshd.go
@@ -62,11 +62,13 @@ func InitSShServer(tunnel_ C.Tunnel) {
 }
 func passwordHandler(ctx ssh.Context, password string) bool {
- author := authStore.AuthenticatorTls()
+ author := authStore.Authenticator()
+ if inbound.SkipAuthRemoteAddr(ctx.RemoteAddr()) {
+ author = nil
+ }
 if author == nil {
 return true
 }
-
 if author.Verify(ctx.User(), password) {
 return true
 }
diff --git a/listener/socks/tcp.go b/listener/socks/tcp.go
index 51290050..f2696e3f 100644
--- a/listener/socks/tcp.go
+++ b/listener/socks/tcp.go
@@ -98,11 +98,12 @@ func HandleSocks4(conn net.Conn, tunnel C.Tunnel, additions ...inbound.Addition) {
 if inbound.SkipAuthRemoteAddr(conn.RemoteAddr()) {
 authenticator = nil
 }
- addr, _, _, err := socks4.ServerHandshake(conn, authenticator)
+ addr, _, user, err := socks4.ServerHandshake(conn, authenticator)
 if err != nil {
 conn.Close()
 return
 }
+ additions = append(additions, inbound.WithInUser(user))
 tunnel.HandleTCPConn(inbound.NewSocket(socks5.ParseAddr(addr), conn, C.SOCKS4, additions...))
 }
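Review bot: Routing the TLS listener through `socks.HandleSocks5(myConn, tunnel)` in handle_tls.go makes this path subject to the `inbound.SkipAuthRemoteAddr(conn.RemoteAddr())` bypass and to the shared `authStore.Authenticator()`, neither of which the removed `HandleSocks5Tls` used. Together with config.go no longer parsing `rawCfg.WanInput.Authentication`, credentials previously configured for the WAN input are silently ignored, and if the top-level authentication list is empty this listener presumably runs without authentication. I would reject or at least warn on that combination at config load, e.g. `if rawCfg.WanInput.Port != 0 && len(config.Users) == 0 { return nil, fmt.Errorf("wan-input enabled without authentication users") }`, and add a comment at the call site stating that skip-auth prefixes now apply to TLS clients. handleConnTls starts and ends outside the hunk, so whether `myConn.RemoteAddr()` reports the real peer address needs confirming.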
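Review bot: `passwordHandler` in sshd.go still returns true when `author == nil`, and the added `SkipAuthRemoteAddr` branch folds the deliberate skip-auth case into that same fail-open path, so an unconfigured authenticator is indistinguishable from an allowed bypass. For an SSH endpoint I would keep the two apart and fail closed when no authenticator is set: `if inbound.SkipAuthRemoteAddr(ctx.RemoteAddr()) { return true }` followed by `if author == nil { return false }`. If the part of the function outside the hunk does not already do so, logging rejected attempts with `ctx.RemoteAddr()` would make password guessing visible. The function body continues past the end of the hunk.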
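Review bot: In `HandleSocks4` the `user` value is attached with `inbound.WithInUser(user)` even when `authenticator` was set to nil by the skip-auth check, so if `socks4.ServerHandshake` returns the client-supplied user id in that case, the in-user metadata is unverified and could mislead user-based rules or logs. Consider attaching it only after a real verification, `if authenticator != nil { additions = append(additions, inbound.WithInUser(user)) }`. Appending to the variadic `additions` parameter can also write into the caller's backing array when it has spare capacity; copying the slice first avoids that. The same pattern is added to `HandleSocks5` in the next two hunks of tcp.go.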
@@ -111,7 +112,7 @@ func HandleSocks5(conn net.Conn, tunnel C.Tunnel, additions ...inbound.Addition) {
 if inbound.SkipAuthRemoteAddr(conn.RemoteAddr()) {
 authenticator = nil
 }
- target, command, _, err := socks5.ServerHandshake(conn, authenticator)
+ target, command, user, err := socks5.ServerHandshake(conn, authenticator)
 if err != nil {
 conn.Close()
 return
@@ -121,19 +122,6 @@ func HandleSocks5(conn net.Conn, tunnel C.Tunnel, additions ...inbound.Addition) {
 io.Copy(io.Discard, conn)
 return
 }
+ additions = append(additions, inbound.WithInUser(user))
 tunnel.HandleTCPConn(inbound.NewSocket(target, conn, C.SOCKS5, additions...))
 }
-
-func HandleSocks5Tls(conn net.Conn, tunnel C.Tunnel) {
- target, command, _, err := socks5.ServerHandshake(conn, authStore.AuthenticatorTls())
- if err != nil {
- conn.Close()
- return
- }
- if command == socks5.CmdUDPAssociate {
- defer conn.Close()
- io.Copy(io.Discard, conn)
- return
- }
- tunnel.HandleTCPConn(inbound.NewSocket(target, conn, C.SOCKS5))
-}
diff --git a/main.go b/main.go
index c3a7f49c..ac0b251f 100644
--- a/main.go
+++ b/main.go
@@ -49,6 +49,7 @@ func init() {
 flag.BoolVar(&geodataMode, "m", false, "set geodata mode")
 flag.BoolVar(&version, "v", false, "show current version of mihomo")
 flag.BoolVar(&testConfig, "t", false, "test configuration and exit")
+ flag.StringVar(&service, "s", "", "Service control action: status, install (as a service), uninstall (as a service), start(in daemon), stop(daemon), restart(stop then start)")
 flag.Parse()
 flagset = map[string]bool{}
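Review bot: The new `-s` flag in main.go takes a free-form string and the hunk shows no validation, so an unknown action is only caught, if at all, wherever `service` is consumed outside this hunk. Since install and uninstall change system service state, I would check the value against the documented set right after `flag.Parse()` and exit with usage on anything else. The usage text is also inconsistent with the neighbouring flags; something like `"service action: status, install, uninstall, start, stop, restart"` reads better. `init` begins and ends outside the hunk, and the declaration of `service` is not visible here.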