
Transparent proxy cannot proxy the local machine, but it can proxy hosts on the LAN; not sure whether this is a bug #2895

Open
oule opened this issue Feb 20, 2024 · 1 comment

Comments


oule commented Feb 20, 2024

Which version of V2Ray are you using?

V2Ray 5.12.1 (V2Fly, a community-driven edition of V2Ray.) Custom (go1.21.4 linux/amd64)
A unified platform for anti-censorship.

What is your use case?

Transparently proxying both the LAN and the gateway server itself, using v2ray + wireguard on the gateway server.

What abnormal behaviour did you see?

On LAN machines, DNS resolution works and both domestic and overseas websites are reachable.
On the gateway server itself:
nslookup baidu.com 192.168.192.1 works; 192.168.192.1 is the gateway server's LAN IP and the gateway IP of the LAN hosts.
nslookup baidu.com 223.5.5.5 fails with the following error:
;; reply from unexpected source: 114.211.218.212#51206, expected 223.5.5.5#53
114.211.218.212 is the gateway server's public IP, obtained via PPP dial-up.

What did you expect to see?

I expect this gateway server configuration (v2ray + wireguard) to proxy not only the LAN but also the local machine's own access to internal and external networks.

Please attach your configuration

Server-side configuration:

v2ray configuration:

{
  "inbounds": [
    {
      "tag": "all-in",
      "listen": "0.0.0.0",
      "port": 1081,
      "protocol": "dokodemo-door",
      "settings": {
        "network": "tcp,udp",
        "followRedirect": true
      },
      "streamSettings": {
        "sockopt": {
          "tproxy": "tproxy"
        }
      },
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls"
        ]
      }
    }
  ],
  "outbounds": [
    {
      "tag": "direct",
      "protocol": "freedom",
      "settings": {
        "domainStrategy": "UseIPv4"
      },
      "streamSettings": {
        "sockopt": {
          "mark": 3
        }
      }
    },
    {
      "tag": "directByWarp",
      "protocol": "freedom",
      "settings": {
        "domainStrategy": "UseIPv4"
      },
      "streamSettings": {
        "sockopt": {
          "mark": 2
        }
      }
    },
    {
      "tag": "blocked",
      "protocol": "blackhole",
      "settings": {
        "response": {
          "type": "http"
        }
      }
    },
    {
      "tag": "dns-out",
      "protocol": "dns",
      "streamSettings": {
        "sockopt": {
          "mark": 2
        }
      }
    }
  ],
  "dns": {
    "hosts": {
      "geosite:category-ads-all": "127.0.0.1",
      "dns.google": "8.8.8.8",
      "dns.pub": "119.29.29.29",
      "dns.alidns.com": "223.5.5.5"
    },
    "servers": [
      {
        "address": "https://1.1.1.1/dns-query",
        "domains": [
          "geosite:geolocation-!cn"
        ],
        "expectIPs": [
          "geoip:!cn"
        ]
      },
      "1.1.1.1",
      "8.8.8.8",
      {
        "address": "119.29.29.29",
        "domains": [
          "geosite:cn"
        ],
        "expectIPs": [
          "geoip:cn"
        ]
      },
      "223.5.5.5",
      "localhost"
    ],
    "queryStrategy": "UseIPv4"
  },
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "domainMatcher": "mph",
    "rules": [
      {
        "type": "field",
        "inboundTag": [
          "all-in",
          "sock-in"
        ],
        "port": 53,
        "network": "udp",
        "outboundTag": "dns-out"
      },
      {
        "type": "field",
        "ip": [
          "geoip:private",
          "geoip:cn"
        ],
        "outboundTag": "direct"
      },
      {
        "type": "field",
        "domain": [
          "geosite:private",
          "geosite:cn",
          "geosite:tld-cn",
          "geosite:icloud"
        ],
        "outboundTag": "direct"
      },
      {
        "type": "field",
        "ip": [
          "1.1.1.1",
          "8.8.8.8"
        ],
        "outboundTag": "directByWarp"
      },
      {
        "type": "field",
        "domain": [
          "geosite:geolocation-!cn",
          "geosite:google",
          "domain:googleapis.cn",
          "dns.google",
          "domain:gstatic.com"
        ],
        "outboundTag": "directByWarp"
      },
      {
        "type": "field",
        "network": "tcp,udp",
        "outboundTag": "directByWarp"
      }
    ]
  }
}

wireguard configuration:

[Interface]
Address = 172.16.0.2/32
Address = wwwwwwww
MTU = 1280
Table = off
SaveConfig = false
ListenPort = 56501
FwMark = 0xca6c
PrivateKey = n/1SUtzH0JuVo51h2
#DNS = 1.1.1.1
PostUp = /etc/wireguard/scripts/wg.postup.sh
PreDown = /etc/wireguard/scripts/wg.predown.sh

[Peer]
PublicKey = bmXOC+F1FxH5/1SUtzH0JuVo51h2wPfgyo=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 162.159.193.8:2408
#persistent-keepalive = 25

iptables configuration:

*filter
:INPUT ACCEPT [20320:1886379]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [382462:38252399]
:reject - [0:0]
:syn_flood - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A INPUT -i eth1 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A INPUT -i ppp0 -p icmp -m icmp --icmp-type 8 -m comment --comment "fw3: Allow-Ping" -j ACCEPT
-A INPUT -i ppp0 -j reject
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o ppp0 -m conntrack --ctstate INVALID -m comment --comment "fw3: Prevent NAT leakage" -j DROP
-A FORWARD -i eth1 -o virbr0 -j ACCEPT
-A FORWARD -i eth1 -o docker0 -j ACCEPT
-A FORWARD -i eth1 -o ppp0 -j ACCEPT
-A FORWARD -j reject
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o ppp0 -m conntrack --ctstate INVALID -m comment --comment "fw3: Prevent NAT leakage" -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
-A syn_flood -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [650747:58449226]
:INPUT ACCEPT [450707:46109947]
:OUTPUT ACCEPT [335355:29291001]
:POSTROUTING ACCEPT [478755:35027001]
:v2ray - [0:0]
-A POSTROUTING -s 192.168.192.0/24 -o ppp0 -j MASQUERADE
-A POSTROUTING -s 10.20.30.0/24 -o ppp0 -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [846615:959839947]
:INPUT ACCEPT [1203918:1012330052]
:FORWARD ACCEPT [343:46133]
:OUTPUT ACCEPT [741531:951412701]
:POSTROUTING ACCEPT [741893:951470285]
:PROXY_LAN - [0:0]
:PROXY_LOCAL - [0:0]
-A PREROUTING -j PROXY_LAN
-A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:65495 -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -j PROXY_LOCAL
-A PROXY_LAN -i ppp0 -j RETURN
-A PROXY_LAN -d 127.0.0.1/32 -j RETURN
-A PROXY_LAN -d 172.16.0.2/32 -j RETURN
-A PROXY_LAN -d 224.0.0.0/4 -j RETURN
-A PROXY_LAN -d 255.255.255.255/32 -j RETURN
-A PROXY_LAN -d 192.168.0.0/16 -p tcp -j RETURN
-A PROXY_LAN -d 192.168.0.0/16 -p udp -m udp ! --dport 53 -j RETURN
-A PROXY_LAN -m mark --mark 0x2 -j RETURN
-A PROXY_LAN -m mark --mark 0x3 -j RETURN
-A PROXY_LAN -p udp -j TPROXY --on-port 1081 --on-ip 127.0.0.1 --tproxy-mark 0x1/0xffffffff
-A PROXY_LAN -p tcp -j TPROXY --on-port 1081 --on-ip 127.0.0.1 --tproxy-mark 0x1/0xffffffff
-A PROXY_LOCAL -d 162.159.193.8/32 -j RETURN
-A PROXY_LOCAL -d 127.0.0.1/32 -j RETURN
-A PROXY_LOCAL -d 172.16.0.2/32 -j RETURN
-A PROXY_LOCAL -d 224.0.0.0/4 -j RETURN
-A PROXY_LOCAL -d 255.255.255.255/32 -j RETURN
-A PROXY_LOCAL -d 192.168.0.0/16 -p tcp -j RETURN
-A PROXY_LOCAL -d 192.168.0.0/16 -p udp -m udp ! --dport 53 -j RETURN
-A PROXY_LOCAL -m mark --mark 0x2 -j RETURN
-A PROXY_LOCAL -m mark --mark 0x3 -j RETURN
-A PROXY_LOCAL -p udp -j MARK --set-xmark 0x1/0xffffffff
-A PROXY_LOCAL -p tcp -j MARK --set-xmark 0x1/0xffffffff
COMMIT
*raw
:PREROUTING ACCEPT [1273068:1055378267]
:OUTPUT ACCEPT [782017:997774469]
-A OUTPUT -d 110.242.68.66/32 -j TRACE
-A OUTPUT -d 39.156.66.10/32 -j TRACE
COMMIT
*security
:INPUT ACCEPT [32786728:29345084492]
:FORWARD ACCEPT [12240:1787897]
:OUTPUT ACCEPT [19667552:27363691142]
COMMIT

Policy routing configuration:

ip rule add fwmark 1 table 100
ip route add local default dev lo table 100

ip rule add fwmark 2 table 200
ip route add default dev warp table 200

Network interfaces:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq state UP group default qlen 1000
    link/ether 10:91:27:e9:c1:3b brd ff:ff:ff:ff:ff:ff
    altname enp1s0
    inet6 fe80::1291:21ff:fee9:c13b/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq state UP group default qlen 1000
    link/ether 10:91:27:e9:c1:3c brd ff:ff:ff:ff:ff:ff
    altname enp4s0
    inet 192.168.192.1/24 brd 192.168.192.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::1291:27ff:fee9:c13c/64 scope link 
       valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq state UNKNOWN group default qlen 500
    link/none 
    inet 10.20.30.1/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::f9e7:a9a1:cc9f:494a/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever
5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq state UNKNOWN group default qlen 3
    link/ppp 
    inet 114.211.218.212 peer 114.211.218.1/32 scope global ppp0
       valid_lft forever preferred_lft forever
    inet6 fe80::fce1:bdb1:a4ab:28b4 peer fe80::9a3f:61ff:fe46:19a5/128 scope link 
       valid_lft forever preferred_lft forever
6: warp: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 172.16.0.2/32 scope global warp
       valid_lft forever preferred_lft forever
    inet6 2606:4700:111:86f1:a5a1:e7:508e:ac0e/128 scope global 
       valid_lft forever preferred_lft forever

Client-side configuration:

There is no v2ray client here, since only two freedom outbounds are used, each tagged with a different firewall mark.

Please attach the error log output by the software when the error occurs

v2ray error log:

2024/02/20 16:15:20 [Debug] transport/internet/udp: UDP original destination: udp:223.5.5.5:53
2024/02/20 16:15:20 [Debug] [3701554336] proxy/dokodemo: processing connection from: 114.211.218.212:10346
2024/02/20 16:15:20 [Info] [3701554336] proxy/dokodemo: received request for 114.211.218.212:10346
2024/02/20 16:15:20 [Info] [3701554336] app/dispatcher: taking detour [dns-out] for [udp:223.5.5.5:53]
2024/02/20 16:15:20 [Info] [3701554336] proxy/dns: handling DNS traffic to udp:223.5.5.5:53
2024/02/20 16:15:20 [Debug] app/dns: domain baidu.com matches following rules: [geosite:cn(DNS idx:2)]
2024/02/20 16:15:20 [Debug] app/dns: domain baidu.com will use DNS in order: [UDP:119.29.29.29:53 UDP:1.1.1.1:53 UDP:8.8.8.8:53 UDP:223.5.5.5:53 localhost] [TypeA]
2024/02/20 16:15:20 [Debug] app/dns: UDP:119.29.29.29:53 querying DNS for: baidu.com.
2024/02/20 16:15:20 [Debug] transport/internet/udp: dispatch request to: udp:119.29.29.29:53
2024/02/20 16:15:20 [Info] app/dns: UDP:119.29.29.29:53 got answer: baidu.com. TypeA -> [39.156.66.10 110.242.68.66] 6.883311ms
2024/02/20 16:15:20 [Debug] app/dns: UDP:119.29.29.29:53 updating IP records for domain:baidu.com.
2024/02/20 16:15:20 [Debug] app/dns: domain baidu.com expectIPs [39.156.66.10 110.242.68.66] matched at server UDP:119.29.29.29:53
2024/02/20 16:15:20 [Debug] transport/internet/udp: UDP original destination: udp:114.211.218.212:10346
2024/02/20 16:15:20 [Debug] [584765885] proxy/dokodemo: processing connection from: 223.5.5.5:53
2024/02/20 16:15:20 [Info] [584765885] proxy/dokodemo: received request for 223.5.5.5:53
2024/02/20 16:15:20 [Info] [584765885] transport/internet: failed to bind source address to [114 211 218 212] > address already in use
2024/02/20 16:15:20 [Info] [584765885] app/dispatcher: taking detour [direct] for [udp:114.211.218.212:10346]
2024/02/20 16:15:20 [Info] [584765885] proxy/freedom: opening connection to udp:114.211.218.212:10346

Server-side error log:

There is no server side, or rather, the server side is the client.

Client-side error log:

nslookup baidu.com 223.5.5.5
;; reply from unexpected source: 114.211.218.212#51206, expected 223.5.5.5#53

Please attach the access log

49570 2024/02/20 16:15:20 114.211.218.212:10346 accepted udp:223.5.5.5:53 [dns-out]
49571 2024/02/20 16:15:20 223.5.5.5:53 accepted udp:114.211.218.212:10346 [direct]

Other relevant configuration files (e.g. Nginx) and related logs

None

If V2Ray cannot start, please attach the output of the --test command

It starts fine

If the V2Ray service runs abnormally, please attach the journal log

None
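The access log above records the DNS reply (from 223.5.5.5:53 back to the gateway's own public IP) being accepted by the proxy as a second, reversed flow. As an added example that is not part of the issue, the following check scans access-log lines in the format pasted above and flags such re-captured replies; the log format regex and the `find_recaptured_replies` function are assumptions of this example, not v2ray's own code.

```python
import re
from ipaddress import ip_address

# Access-log line format as pasted in the issue: an optional leading counter,
# then date, time, source, "accepted", proto:destination and the outbound tag.
# This regex is an assumption based on the two lines shown above.
ACCESS_RE = re.compile(
    r"^(?:\d+\s+)?(\S+ \S+) (\S+) accepted (tcp|udp):(\S+) \[(\S+)\]$"
)

# Constructed sample input: the two access-log lines from the issue.
SAMPLE_LOG = """\
49570 2024/02/20 16:15:20 114.211.218.212:10346 accepted udp:223.5.5.5:53 [dns-out]
49571 2024/02/20 16:15:20 223.5.5.5:53 accepted udp:114.211.218.212:10346 [direct]
"""


def parse_access_line(line):
    """Return (timestamp, src, proto, dst, outbound) or None if the line does not match."""
    m = ACCESS_RE.match(line.strip())
    return m.groups() if m else None


def find_recaptured_replies(log_text, local_ips):
    """Flag entries whose (src, dst) is the exact reverse of an earlier flow and
    whose destination is one of this host's own addresses.  Such an entry is a
    reply the proxy sent on behalf of the original destination that was then
    intercepted again on its way back to the local client: the loop seen above."""
    local = {ip_address(a) for a in local_ips}
    seen = set()      # (proto, src, dst) of every accepted flow so far
    loops = []
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec is None:
            continue
        ts, src, proto, dst, outbound = rec
        dst_ip = dst.rsplit(":", 1)[0]
        if (proto, dst, src) in seen and ip_address(dst_ip) in local:
            loops.append({"time": ts, "src": src, "dst": dst, "outbound": outbound})
        seen.add((proto, src, dst))
    return loops


if __name__ == "__main__":
    # Local addresses taken from the interface listing in the issue.
    for hit in find_recaptured_replies(SAMPLE_LOG, ["114.211.218.212", "192.168.192.1"]):
        print("re-captured reply:", hit)
```

A non-empty result means the OUTPUT-side mark rules are catching the proxy's own reply packets, which is where the exclusion list should be reviewed.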


oule commented Feb 20, 2024

bind source address should bind 223.5.5.5; why does it bind the local public IP 114.211.218.212?
