Surge is a powerful tool on macOS, offering excellent features like Dashboard traffic auditing and SSID-based policy switching. However, its primary drawback is its conservative approach to protocol support. Currently, it does not natively support VLESS (Vision/Reality) or Hysteria2.

If you have these high-performance nodes but prefer the Surge interface, the most effective solution is to use sing-box as a local backend.

Layered Architecture Logic

In this setup, Surge handles the Control Plane (rules, policy groups, and SSID switching), while sing-box handles the Data Plane (network protocols). Surge forwards traffic to the local sing-box instance via SOCKS5, which then establishes the encrypted connection to the remote server.

Architecture Diagram (Logic Flow)

graph LR
    subgraph Surge_Control [Surge - Control Plane]
        Rules{Rule Match System}
        Dashboard((Dashboard))
        Scripts((Scripts/SSID Policies))
    end
    subgraph SingBox_Data [sing-box - Data Plane]
        Inbound[SOCKS5 Inbound: 7891]
        Outbound[Protocol: VLESS / H2 / Reality]
    end
    App[App Traffic] --> Rules
    Rules -- "DIRECT" --> Direct[Direct Outbound]
    Rules -- "SOCKS5 Forward" --> Inbound
    Inbound --> Outbound
    Outbound --> Remote[Remote Server]

Core Configuration Example

1. sing-box Configuration (Backend)

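sing-box acts as a local proxy listening on port 7891 of the loopback interface (127.0.0.1) to bridge the protocols Surge lacks. The "mixed" inbound type accepts both SOCKS and HTTP proxy connections, so Surge can reach it as a SOCKS5 proxy.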

~/.config/sing-box/config.json:

{
  "inbounds": [
    {
      "type": "mixed",
      "tag": "mixed-in",
      "listen": "127.0.0.1",
      "listen_port": 7891
    }
  ],
  "outbounds": [
    {
      "type": "vless",
      "tag": "proxy-node",
      "server": "your-server.com",
      "server_port": 443,
      "uuid": "your-uuid",
      "flow": "xtls-rprx-vision",
      "tls": { "enabled": true, "server_name": "your-server.com" }
    }
  ]
}

2. Surge Configuration (Frontend)

In Surge, add the sing-box backend as a standard SOCKS5 proxy.

[Proxy]
# Forward specific traffic to sing-box
SingBox = socks5, 127.0.0.1, 7891

[Rule]
# Leverage Surge’s rule engine
DOMAIN-SUFFIX, google.com, SingBox
FINAL, DIRECT
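
The following is an added example, not part of the original configuration or of either project: a consistency check over the two files above. It confirms that every sing-box inbound stays bound to a loopback address (the inbound shown has no authentication configured) and that each local SOCKS5 proxy in Surge points at a port where sing-box listens. The function names and the embedded sample strings are constructed for illustration.

```python
import ipaddress
import json

# Constructed samples mirroring the two files shown above.
SING_BOX = '{"inbounds": [{"type": "mixed", "tag": "mixed-in", "listen": "127.0.0.1", "listen_port": 7891}]}'
SURGE = """[Proxy]
# Forward specific traffic to sing-box
SingBox = socks5, 127.0.0.1, 7891
[Rule]
DOMAIN-SUFFIX, google.com, SingBox
FINAL, DIRECT
"""

def is_loopback(addr):
    """True only for a literal loopback IP such as 127.0.0.1 or ::1."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def surge_proxies(text):
    """Yield (name, type, host, port) for each entry in the [Proxy] section."""
    section = None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "Proxy" and "=" in line:
            name, spec = line.split("=", 1)
            fields = [f.strip() for f in spec.split(",")]
            if len(fields) >= 3 and fields[2].isdigit():
                yield name.strip(), fields[0], fields[1], int(fields[2])

def audit(sing_box_json, surge_text):
    """Return findings; an empty list means the two files agree."""
    findings, local_ports = [], set()
    for ib in json.loads(sing_box_json).get("inbounds", []):
        if is_loopback(ib.get("listen", "")):
            local_ports.add(ib.get("listen_port"))
        else:
            findings.append(f"inbound {ib.get('tag')!r} is not bound to a loopback address")
    for name, kind, host, port in surge_proxies(surge_text):
        if kind == "socks5" and is_loopback(host) and port not in local_ports:
            findings.append(f"Surge proxy {name!r} points at port {port}, where no sing-box inbound listens")
    return findings

if __name__ == "__main__":
    print(audit(SING_BOX, SURGE) or "consistent")
```

To check real files, pass the contents of ~/.config/sing-box/config.json and of your Surge profile to audit() in place of the samples.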

Why Use Surge Instead of Just sing-box?

While sing-box supports more protocols, Surge remains the preferred tool for daily use on macOS for several reasons:

  1. Dashboard: Its real-time traffic auditing and logs are invaluable for troubleshooting network issues.
  2. SSID Automation: Surge can automatically switch policies depending on whether you are on office or home Wi-Fi.
  3. Scripting: Its JavaScript integration allows for advanced logic that isn’t easily replicable in other tools.

Conclusion

The main advantage of this layered architecture is decoupling. When new protocols are released, you only need to update the lightweight sing-box backend. Your complex Surge rules and scripts remain stable and unchanged. This setup provides the best possible balance between protocol support and user experience on macOS.