diff --git a/protocol/vless/inbound.go b/protocol/vless/inbound.go
index 40b6f72f..19d40724 100644
--- a/protocol/vless/inbound.go
+++ b/protocol/vless/inbound.go
@@ -194,12 +194,6 @@ func (h *Inbound) NewConnectionEx(ctx context.Context, conn net.Conn, metadata a
 }
 conn = tlsConn
 }
- h.ssmMutex.RLock()
- tracker := h.tracker
- h.ssmMutex.RUnlock()
- if tracker != nil {
- conn = tracker.TrackConnection(conn, metadata)
- }
 err := h.service.NewConnection(adapter.WithContext(ctx, &metadata), conn, metadata.Source, onClose)
 if err != nil {
 N.CloseOnHandshakeFailure(conn, onClose, err)
@@ -222,6 +216,12 @@ func (h *Inbound) newConnectionEx(ctx context.Context, conn net.Conn, metadata a
 metadata.User = user
 }
 h.logger.InfoContext(ctx, "[", user, "] inbound connection to ", metadata.Destination)
+ h.ssmMutex.RLock()
+ tracker := h.tracker
+ h.ssmMutex.RUnlock()
+ if tracker != nil {
+ conn = tracker.TrackConnection(conn, metadata)
+ }
 h.router.RouteConnectionEx(ctx, conn, metadata, onClose)
 }
diff --git a/service/xboard/service.go b/service/xboard/service.go
index 05b49970..d5b28475 100644
--- a/service/xboard/service.go
+++ b/service/xboard/service.go
@@ -76,6 +76,7 @@ type Service struct {
 inboundManager adapter.InboundManager
 protocol string
 vlessFlow string
+ vlessServerName string
 ssCipher string // stored for user key derivation in syncUsers
 ssServerKey string // stored for SS2022 per-user key extraction
 }
@@ -658,7 +659,8 @@ func (s *Service) setupNode() error {
 s.logger.Info("Xboard protocol identified: ", protocol)
 s.protocol = protocol
- s.vlessFlow = inner.Flow
+ s.vlessFlow = ""
+ s.vlessServerName = ""
 var listenAddr badoption.Addr
 if addr, err := netip.ParseAddr(inner.ListenIP); err == nil {
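Review bot: In the `newConnectionEx` hunk, `tracker.TrackConnection(conn, metadata)` now runs only after the VLESS handshake, so connections that fail inside `h.service.NewConnection` are never seen by the tracker. If the tracker feeds traffic accounting or abuse detection, consider counting or logging failed handshakes separately on the `N.CloseOnHandshakeFailure` path. The moved block would also benefit from a comment such as `// Track after authentication so metadata.User is set and traffic is attributed to that user.` The `metadata.User = user` assignment sits inside a conditional whose head is outside the hunk, so whether the tracker can still receive an empty user is not visible here.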
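Review bot: Clearing `s.vlessFlow` and `s.vlessServerName` near the top of `setupNode` leaves both empty on any early `return` taken before the later `s.vlessFlow = resolvedFlow` assignment, while `syncUsers` uses `s.vlessFlow` as the default flow for users. Before this change the field held `inner.Flow` from this line onward. No lock is visible around these writes; if `syncUsers` can run on another goroutine while `setupNode` is re-run (not visible in the hunk), it would read the cleared values and sync users with an empty flow. Resolving both values into locals and assigning the fields once after a successful setup would close that window. `setupNode` continues outside the hunk.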
@@ -677,6 +679,9 @@ func (s *Service) setupNode() error {
 var tlsOptions option.InboundTLSOptions
 securityType := inner.TLS
 tlsSettings := mergedTLSSettings(inner, config)
+ if tlsSettings != nil && tlsSettings.ServerName != "" {
+ s.vlessServerName = tlsSettings.ServerName
+ }
 hasCertificate := applyCertConfig(&tlsOptions, config.CertConfig)
 if config.CertConfig != nil && !hasCertificate && config.CertConfig.CertMode != "" && config.CertConfig.CertMode != "none" {
 s.logger.Warn("Xboard cert_config present but unsupported or incomplete for local TLS. cert_mode=", config.CertConfig.CertMode)
@@ -792,6 +797,17 @@ func (s *Service) setupNode() error {
 }
 if protocol == "vless" {
+ if tlsSettings != nil && tlsSettings.ServerName != "" {
+ s.logger.Info("Xboard VLESS server_name from panel: ", tlsSettings.ServerName)
+ }
+ resolvedFlow := inner.Flow
+ if resolvedFlow == "xtls-rprx-vision" {
+ if !tlsOptions.Enabled || (transport != nil && transport.Type != "") {
+ s.logger.Warn("Xboard VLESS flow xtls-rprx-vision ignored because inbound is not raw TLS/REALITY over TCP")
+ resolvedFlow = ""
+ }
+ }
+ s.vlessFlow = resolvedFlow
 opts := &option.VLESSInboundOptions{
 ListenOptions: listen,
 InboundTLSOptionsContainer: option.InboundTLSOptionsContainer{
@@ -1219,6 +1235,9 @@ func (s *Service) syncUsers() {
 if s.protocol == "vless" && flow == "" {
 flow = s.vlessFlow
 }
+ if s.protocol == "vless" && flow == "xtls-rprx-vision" && s.vlessServerName == "" {
+ s.logger.Warn("Xboard VLESS flow xtls-rprx-vision kept but panel did not provide server_name")
+ }
 newUsers[userName] = userData{
 ID: u.ID,
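Review bot: In the `-677` hunk, `tlsSettings.ServerName` is copied from the panel response into `s.vlessServerName` verbatim, and a later hunk writes the same value to the log. The value is only checked for being non-empty, so surrounding whitespace or control characters from a misconfigured panel would be stored as-is and, depending on how the logger renders its arguments, reach the log. Normalising it first, for example `name := strings.TrimSpace(tlsSettings.ServerName)`, and skipping values that are not a plausible host name would keep the stored field and the log line clean. The assignment is also not gated on `protocol == "vless"` although the field is read only for VLESS; a short comment on the field saying so would help.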
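Review bot: In the `-792` hunk, when `!tlsOptions.Enabled` the new branch only drops the Vision flow and logs a flow-specific warning, and the code goes on to build `option.VLESSInboundOptions`. VLESS does not encrypt traffic itself, so unless TLS is terminated in front of the node this is a plaintext inbound, which deserves its own warning or a returned error rather than a message about the flow. The downgrade also covers only `inner.Flow`: `syncUsers` falls back to `s.vlessFlow` only when the per-user `flow` is empty, so a non-empty per-user value, if the panel can supply one (assigned outside the visible hunks), would skip this check. The `if protocol == "vless" {` block continues past the hunk.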
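Review bot: In the `-1219` hunk, the added `s.logger.Warn` sits directly before `newUsers[userName] = userData{`, which suggests it fires once per Vision user on every sync even though `s.vlessServerName == ""` is a node-level condition. On a node with many users that repeats one identical line per user and can bury other warnings. Evaluate it once per sync outside the per-user loop, or once in `setupNode` where the flow is resolved. The text says the flow is "kept" without telling the operator what to fix; naming the missing panel TLS setting would make it actionable. The loop and the origin of `flow` are outside the hunk.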