diff --git a/common/mux/server.go b/common/mux/server.go
index 55e3a674..47a6d3dc 100644
--- a/common/mux/server.go
+++ b/common/mux/server.go
@@ -132,6 +132,12 @@ func (w *ServerWorker) handleStatusNew(ctx context.Context, meta *FrameMetadata,
 		ctx = log.ContextWithAccessMessage(ctx, msg)
 	}
 
+	if network := session.AllowedNetworkFromContext(ctx); network != net.Network_Unknown {
+		if meta.Target.Network != network {
+			return newError("unexpected network ", meta.Target.Network) // it will break the whole Mux connection
+		}
+	}
+
 	if meta.GlobalID != [8]byte{} {
 		mb, err := NewPacketReader(reader, &meta.Target).ReadMultiBuffer()
 		if err != nil {
diff --git a/common/session/context.go b/common/session/context.go
index 71e4b154..329a5a65 100644
--- a/common/session/context.go
+++ b/common/session/context.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	_ "unsafe"
 
+	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/features/routing"
 )
 
@@ -22,6 +23,7 @@ const (
 	trackedConnectionErrorKey
 	dispatcherKey
 	timeoutOnlyKey
+	allowedNetworkKey
 )
 
 // ContextWithID returns a new context with the given ID.
@@ -147,3 +149,14 @@ func TimeoutOnlyFromContext(ctx context.Context) bool {
 	}
 	return false
 }
+
+func ContextWithAllowedNetwork(ctx context.Context, network net.Network) context.Context {
+	return context.WithValue(ctx, allowedNetworkKey, network)
+}
+
+func AllowedNetworkFromContext(ctx context.Context) net.Network {
+	if val, ok := ctx.Value(allowedNetworkKey).(net.Network); ok {
+		return val
+	}
+	return net.Network_Unknown
+}
diff --git a/proxy/vless/inbound/inbound.go b/proxy/vless/inbound/inbound.go
index c8a69444..8d9b9b43 100644
--- a/proxy/vless/inbound/inbound.go
+++ b/proxy/vless/inbound/inbound.go
@@ -495,7 +495,7 @@ func (h *Handler) Process(ctx context.Context, network net.Network, connection s
 			return newError(account.ID.String() + " is not able to use " + requestAddons.Flow).AtWarning()
 		}
 	case "":
-		if account.Flow == vless.XRV && (request.Command == protocol.RequestCommandTCP || isMuxAndNotXUDP(request, first)) {
+		if account.Flow == vless.XRV && request.Command == protocol.RequestCommandTCP {
 			return newError(account.ID.String() + " is not able to use \"\". Note that the pure TLS proxy has certain TLS in TLS characters.").AtWarning()
 		}
 	default:
@@ -510,6 +510,8 @@ func (h *Handler) Process(ctx context.Context, network net.Network, connection s
 			Reason: "",
 			Email:  request.User.Email,
 		})
+	} else if account.Flow == vless.XRV {
+		ctx = session.ContextWithAllowedNetwork(ctx, net.Network_UDP)
 	}
 
 	sessionPolicy = h.policyManager.ForLevel(request.User.Level)