diff --git a/cmd/config.go b/cmd/config.go
index 46f5a6f..9a804e8 100644
--- a/cmd/config.go
+++ b/cmd/config.go
@@ -52,6 +52,11 @@ type serverConfig struct {
 	DisableMTUDiscovery bool   `json:"disable_mtu_discovery"`
 	IPv6Only            bool   `json:"ipv6_only"`
 	Resolver            string `json:"resolver"`
+	SOCKS5Outbound      struct {
+		Server   string `json:"server"`
+		User     string `json:"user"`
+		Password string `json:"password"`
+	} `json:"socks5_outbound"`
 }
 
 func (c *serverConfig) Check() error {
diff --git a/cmd/server.go b/cmd/server.go
index a47fc2b..cd6e096 100644
--- a/cmd/server.go
+++ b/cmd/server.go
@@ -144,6 +144,17 @@ func server(config *serverConfig) {
 	if config.IPv6Only {
 		transport.DefaultServerTransport.IPv6Only = true
 	}
+	// SOCKS5 outbound
+	if config.SOCKS5Outbound.Server != "" {
+		ob, err := transport.NewSOCKS5Client(config.SOCKS5Outbound.Server,
+			config.SOCKS5Outbound.User, config.SOCKS5Outbound.Password, 10*time.Second)
+		if err != nil {
+			logrus.WithFields(logrus.Fields{
+				"error": err,
+			}).Fatal("Failed to initialize SOCKS5 outbound")
+		}
+		transport.DefaultServerTransport.SOCKS5Client = ob
+	}
 	// ACL
 	var aclEngine *acl.Engine
 	if len(config.ACL) > 0 {
diff --git a/go.mod b/go.mod
index 45371d7..7c796f9 100644
--- a/go.mod
+++ b/go.mod
@@ -20,7 +20,7 @@ require (
 	github.com/sirupsen/logrus v1.8.1
 	github.com/spf13/cobra v1.3.0
 	github.com/spf13/viper v1.10.1
-	github.com/txthinking/socks5 v0.0.0-20210326104807-61b5745ff346
+	github.com/txthinking/socks5 v0.0.0-20220212043548-414499347d4a
 	github.com/yosuke-furukawa/json5 v0.1.1
 )
 
@@ -56,7 +56,7 @@ require (
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/subosito/gotenv v1.2.0 // indirect
-	github.com/txthinking/runnergroup v0.0.0-20210326110939-37fc67d0da7c // indirect
+	github.com/txthinking/runnergroup v0.0.0-20210608031112-152c7c4432bf // indirect
 	github.com/txthinking/x v0.0.0-20210326105829-476fab902fbe // indirect
 	go.uber.org/atomic v1.7.0 // indirect
 	go.uber.org/multierr v1.6.0 // indirect
diff --git a/go.sum b/go.sum
index 311a20c..67ddacf 100644
--- a/go.sum
+++ b/go.sum
@@ -505,10 +505,10 @@ github.com/tarm/serial v0.0.0-20180830185346-98f6abe2eb07/go.mod h1:kDXzergiv9cb
 github.com/tobyxdd/quic-go v0.25.1-0.20220224051149-310bd1bfaf1f h1:phddE/foYEnuZOgKfmfYVcnXBvV5cjhGrqBtSETqvQ0=
 github.com/tobyxdd/quic-go v0.25.1-0.20220224051149-310bd1bfaf1f/go.mod h1:YtzP8bxRVCBlO77yRanE264+fY/T2U9ZlW1AaHOsMOg=
 github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM=
-github.com/txthinking/runnergroup v0.0.0-20210326110939-37fc67d0da7c h1:6WIrmZPMl2Q61vozy5MfJNfD6CAgivGFgqvXsrho8GM=
-github.com/txthinking/runnergroup v0.0.0-20210326110939-37fc67d0da7c/go.mod h1:CLUSJbazqETbaR+i0YAhXBICV9TrKH93pziccMhmhpM=
-github.com/txthinking/socks5 v0.0.0-20210326104807-61b5745ff346 h1:czf2yvkvrQA9CfHK3S0UaE+Sh8jYIgCWlSzYLJjMHJQ=
-github.com/txthinking/socks5 v0.0.0-20210326104807-61b5745ff346/go.mod h1:d3n8NJ6QMRb6I/WAlp4z5ZPAoaeqDmX5NgVZA0mhe+I=
+github.com/txthinking/runnergroup v0.0.0-20210608031112-152c7c4432bf h1:7PflaKRtU4np/epFxRXlFhlzLXZzKFrH5/I4so5Ove0=
+github.com/txthinking/runnergroup v0.0.0-20210608031112-152c7c4432bf/go.mod h1:CLUSJbazqETbaR+i0YAhXBICV9TrKH93pziccMhmhpM=
+github.com/txthinking/socks5 v0.0.0-20220212043548-414499347d4a h1:BOqgJ4jku0LHPDoR51RD8Mxmo0LHxCzJT/M9MemYdHo=
+github.com/txthinking/socks5 v0.0.0-20220212043548-414499347d4a/go.mod h1:7NloQcrxaZYKURWph5HLxVDlIwMHJXCPkeWPtpftsIg=
 github.com/txthinking/x v0.0.0-20210326105829-476fab902fbe h1:gMWxZxBFRAXqoGkwkYlPX2zvyyKNWJpxOxCrjqJkm5A=
 github.com/txthinking/x v0.0.0-20210326105829-476fab902fbe/go.mod h1:WgqbSEmUYSjEV3B1qmee/PpP2NYEz4bL9/+mF1ma+s4=
 github.com/viant/assertly v0.4.8/go.mod h1:aGifi++jvCrUaklKEKT0BU95igDNaqkvz+49uaYMPRU=
diff --git a/pkg/core/server_client.go b/pkg/core/server_client.go
index 5b3c26c..eff83e2 100644
--- a/pkg/core/server_client.go
+++ b/pkg/core/server_client.go
@@ -35,12 +35,12 @@ type serverClient struct {
 	ConnGauge              prometheus.Gauge
 
 	udpSessionMutex  sync.RWMutex
-	udpSessionMap    map[uint32]*net.UDPConn
+	udpSessionMap    map[uint32]transport.PUDPConn
 	nextUDPSessionID uint32
 	udpDefragger     defragger
 }
 
-func newServerClient(v2 bool, cs quic.Session, transport *transport.ServerTransport, auth []byte, disableUDP bool, ACLEngine *acl.Engine,
+func newServerClient(v2 bool, cs quic.Session, tr *transport.ServerTransport, auth []byte, disableUDP bool, ACLEngine *acl.Engine,
 	CTCPRequestFunc TCPRequestFunc, CTCPErrorFunc TCPErrorFunc,
 	CUDPRequestFunc UDPRequestFunc, CUDPErrorFunc UDPErrorFunc,
 	UpCounterVec, DownCounterVec *prometheus.CounterVec,
@@ -48,7 +48,7 @@ func newServerClient(v2 bool, cs quic.Session, transport *transport.ServerTransp
 	sc := &serverClient{
 		V2:              v2,
 		CS:              cs,
-		Transport:       transport,
+		Transport:       tr,
 		Auth:            auth,
 		ClientAddr:      cs.RemoteAddr(),
 		DisableUDP:      disableUDP,
@@ -57,7 +57,7 @@ func newServerClient(v2 bool, cs quic.Session, transport *transport.ServerTransp
 		CTCPErrorFunc:   CTCPErrorFunc,
 		CUDPRequestFunc: CUDPRequestFunc,
 		CUDPErrorFunc:   CUDPErrorFunc,
-		udpSessionMap:   make(map[uint32]*net.UDPConn),
+		udpSessionMap:   make(map[uint32]transport.PUDPConn),
 	}
 	if UpCounterVec != nil && DownCounterVec != nil && ConnGaugeVec != nil {
 		authB64 := base64.StdEncoding.EncodeToString(auth)
@@ -365,6 +365,7 @@ func (c *serverClient) handleUDP(stream quic.Stream) {
 				break
 			}
 		}
+		_ = stream.Close()
 	}()
 
 	// Hold the stream until it's closed by the client
diff --git a/pkg/transport/server.go b/pkg/transport/server.go
index fc003c4..56bc451 100644
--- a/pkg/transport/server.go
+++ b/pkg/transport/server.go
@@ -13,8 +13,15 @@ import (
 )
 
 type ServerTransport struct {
-	Dialer   *net.Dialer
-	IPv6Only bool
+	Dialer       *net.Dialer
+	IPv6Only     bool
+	SOCKS5Client *SOCKS5Client
+}
+
+type PUDPConn interface {
+	ReadFromUDP([]byte) (int, *net.UDPAddr, error)
+	WriteToUDP([]byte, *net.UDPAddr) (int, error)
+	Close() error
 }
 
 var DefaultServerTransport = &ServerTransport{
@@ -93,13 +100,21 @@ func (ct *ServerTransport) ResolveIPAddr(address string) (*net.IPAddr, error) {
 }
 
 func (ct *ServerTransport) DialTCP(raddr *net.TCPAddr) (*net.TCPConn, error) {
-	conn, err := ct.Dialer.Dial("tcp", raddr.String())
-	if err != nil {
-		return nil, err
+	if ct.SOCKS5Client != nil {
+		return ct.SOCKS5Client.DialTCP(raddr)
+	} else {
+		conn, err := ct.Dialer.Dial("tcp", raddr.String())
+		if err != nil {
+			return nil, err
+		}
+		return conn.(*net.TCPConn), nil
 	}
-	return conn.(*net.TCPConn), nil
 }
 
-func (ct *ServerTransport) ListenUDP() (*net.UDPConn, error) {
-	return net.ListenUDP("udp", nil)
+func (ct *ServerTransport) ListenUDP() (PUDPConn, error) {
+	if ct.SOCKS5Client != nil {
+		return ct.SOCKS5Client.ListenUDP()
+	} else {
+		return net.ListenUDP("udp", nil)
+	}
 }
diff --git a/pkg/transport/socks5.go b/pkg/transport/socks5.go
new file mode 100644
index 0000000..e693caa
--- /dev/null
+++ b/pkg/transport/socks5.go
@@ -0,0 +1,276 @@
+package transport
+
+import (
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"github.com/txthinking/socks5"
+	"net"
+	"time"
+)
+
+type SOCKS5Client struct {
+	ServerTCPAddr *net.TCPAddr
+	Username      string
+	Password      string
+	NegTimeout    time.Duration
+}
+
+func NewSOCKS5Client(serverAddr string, username string, password string, negTimeout time.Duration) (*SOCKS5Client, error) {
+	tcpAddr, err := net.ResolveTCPAddr("tcp", serverAddr)
+	if err != nil {
+		return nil, err
+	}
+	return &SOCKS5Client{
+		ServerTCPAddr: tcpAddr,
+		Username:      username,
+		Password:      password,
+		NegTimeout:    negTimeout,
+	}, nil
+}
+
+func (c *SOCKS5Client) negotiate(conn *net.TCPConn) error {
+	m := []byte{socks5.MethodNone}
+	if c.Username != "" && c.Password != "" {
+		m = append(m, socks5.MethodUsernamePassword)
+	}
+	rq := socks5.NewNegotiationRequest(m)
+	_, err := rq.WriteTo(conn)
+	if err != nil {
+		return err
+	}
+	rs, err := socks5.NewNegotiationReplyFrom(conn)
+	if err != nil {
+		return err
+	}
+	if rs.Method == socks5.MethodUsernamePassword {
+		urq := socks5.NewUserPassNegotiationRequest([]byte(c.Username), []byte(c.Password))
+		_, err = urq.WriteTo(conn)
+		if err != nil {
+			return err
+		}
+		urs, err := socks5.NewUserPassNegotiationReplyFrom(conn)
+		if err != nil {
+			return err
+		}
+		if urs.Status != socks5.UserPassStatusSuccess {
+			return errors.New("username or password error")
+		}
+	} else if rs.Method != socks5.MethodNone {
+		return errors.New("unsupported auth method")
+	}
+	return nil
+}
+
+func (c *SOCKS5Client) request(conn *net.TCPConn, r *socks5.Request) (*socks5.Reply, error) {
+	if _, err := r.WriteTo(conn); err != nil {
+		return nil, err
+	}
+	reply, err := socks5.NewReplyFrom(conn)
+	if err != nil {
+		return nil, err
+	}
+	return reply, nil
+}
+
+func (c *SOCKS5Client) DialTCP(raddr *net.TCPAddr) (*net.TCPConn, error) {
+	conn, err := net.DialTCP("tcp", nil, c.ServerTCPAddr)
+	if err != nil {
+		return nil, err
+	}
+	if err := conn.SetDeadline(time.Now().Add(c.NegTimeout)); err != nil {
+		_ = conn.Close()
+		return nil, err
+	}
+	err = c.negotiate(conn)
+	if err != nil {
+		_ = conn.Close()
+		return nil, err
+	}
+	atyp, addr, port, err := addrToSOCKS5Addr(raddr)
+	if err != nil {
+		_ = conn.Close()
+		return nil, err
+	}
+	r := socks5.NewRequest(socks5.CmdConnect, atyp, addr, port)
+	reply, err := c.request(conn, r)
+	if err != nil {
+		_ = conn.Close()
+		return nil, err
+	}
+	if reply.Rep != socks5.RepSuccess {
+		_ = conn.Close()
+		return nil, fmt.Errorf("request failed: %d", reply.Rep)
+	}
+	// Negotiation succeed, disable timeout
+	if err := conn.SetDeadline(time.Time{}); err != nil {
+		_ = conn.Close()
+		return nil, err
+	}
+	return conn, nil
+}
+
+func (c *SOCKS5Client) ListenUDP() (*socks5UDPConn, error) {
+	conn, err := net.DialTCP("tcp", nil, c.ServerTCPAddr)
+	if err != nil {
+		return nil, err
+	}
+	if err := conn.SetDeadline(time.Now().Add(c.NegTimeout)); err != nil {
+		_ = conn.Close()
+		return nil, err
+	}
+	err = c.negotiate(conn)
+	if err != nil {
+		_ = conn.Close()
+		return nil, err
+	}
+	r := socks5.NewRequest(socks5.CmdUDP, socks5.ATYPIPv4, nil, nil)
+	reply, err := c.request(conn, r)
+	if err != nil {
+		_ = conn.Close()
+		return nil, err
+	}
+	if reply.Rep != socks5.RepSuccess {
+		_ = conn.Close()
+		return nil, fmt.Errorf("request failed: %d", reply.Rep)
+	}
+	// Negotiation succeed, disable timeout
+	if err := conn.SetDeadline(time.Time{}); err != nil {
+		_ = conn.Close()
+		return nil, err
+	}
+	udpRelayAddr, err := socks5AddrToUDPAddr(reply.Atyp, reply.BndAddr, reply.BndPort)
+	if err != nil {
+		_ = conn.Close()
+		return nil, err
+	}
+	udpConn, err := net.DialUDP("udp", nil, udpRelayAddr)
+	if err != nil {
+		_ = conn.Close()
+		return nil, err
+	}
+	sc := &socks5UDPConn{
+		tcpConn: conn,
+		udpConn: udpConn,
+	}
+	go sc.hold()
+	return sc, nil
+}
+
+type socks5UDPConn struct {
+	tcpConn *net.TCPConn
+	udpConn *net.UDPConn
+}
+
+func (c *socks5UDPConn) hold() {
+	buf := make([]byte, 1024)
+	for {
+		_, err := c.tcpConn.Read(buf)
+		if err != nil {
+			break
+		}
+	}
+	_ = c.tcpConn.Close()
+	_ = c.udpConn.Close()
+}
+
+func (c *socks5UDPConn) ReadFromUDP(b []byte) (int, *net.UDPAddr, error) {
+	n, err := c.udpConn.Read(b)
+	if err != nil {
+		return 0, nil, err
+	}
+	d, err := socks5.NewDatagramFromBytes(b[:n])
+	if err != nil {
+		return 0, nil, err
+	}
+	addr, err := socks5AddrToUDPAddr(d.Atyp, d.DstAddr, d.DstPort)
+	if err != nil {
+		return 0, nil, err
+	}
+	n = copy(b, d.Data)
+	return n, addr, nil
+}
+
+func (c *socks5UDPConn) WriteToUDP(b []byte, addr *net.UDPAddr) (int, error) {
+	atyp, dstAddr, dstPort, err := addrToSOCKS5Addr(addr)
+	if err != nil {
+		return 0, err
+	}
+	d := socks5.NewDatagram(atyp, dstAddr, dstPort, b)
+	_, err = c.udpConn.Write(d.Bytes())
+	if err != nil {
+		return 0, err
+	}
+	return len(b), nil
+}
+
+func (c *socks5UDPConn) Close() error {
+	_ = c.tcpConn.Close()
+	_ = c.udpConn.Close()
+	return nil
+}
+
+func socks5AddrToUDPAddr(atyp byte, addr []byte, port []byte) (*net.UDPAddr, error) {
+	iPort := int(binary.BigEndian.Uint16(port))
+	switch atyp {
+	case socks5.ATYPIPv4:
+		if len(addr) != 4 {
+			return nil, errors.New("invalid ipv4 address")
+		}
+		return &net.UDPAddr{
+			IP:   addr,
+			Port: iPort,
+		}, nil
+	case socks5.ATYPIPv6:
+		if len(addr) != 16 {
+			return nil, errors.New("invalid ipv6 address")
+		}
+		return &net.UDPAddr{
+			IP:   addr,
+			Port: iPort,
+		}, nil
+	case socks5.ATYPDomain:
+		if len(addr) == 0 {
+			return nil, errors.New("invalid domain address")
+		}
+		ipAddr, err := net.ResolveIPAddr("ip", string(addr))
+		if err != nil {
+			return nil, err
+		}
+		return &net.UDPAddr{
+			IP:   ipAddr.IP,
+			Port: iPort,
+			Zone: ipAddr.Zone,
+		}, nil
+	default:
+		return nil, errors.New("unsupported address type")
+	}
+}
+
+func addrToSOCKS5Addr(addr net.Addr) (byte, []byte, []byte, error) {
+	var addrIP net.IP
+	var addrPort int
+	if tcpAddr, ok := addr.(*net.TCPAddr); ok {
+		addrIP = tcpAddr.IP
+		addrPort = tcpAddr.Port
+	} else if udpAddr, ok := addr.(*net.UDPAddr); ok {
+		addrIP = udpAddr.IP
+		addrPort = udpAddr.Port
+	} else {
+		return 0, nil, nil, errors.New("unsupported address type")
+	}
+	var atyp byte
+	var saddr, sport []byte
+	if ip4 := addrIP.To4(); ip4 != nil {
+		atyp = socks5.ATYPIPv4
+		saddr = addrIP
+	} else if ip6 := addrIP.To16(); ip6 != nil {
+		atyp = socks5.ATYPIPv6
+		saddr = ip6
+	} else {
+		return 0, nil, nil, errors.New("unsupported address type")
+	}
+	sport = make([]byte, 2)
+	binary.BigEndian.PutUint16(sport, uint16(addrPort))
+	return atyp, saddr, sport, nil
+}