Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

任意门 tproxy 模式无法透明代理 IPv6 TCP #48

Closed
LGA1150 opened this issue Dec 8, 2020 · 25 comments
Closed

任意门 tproxy 模式无法透明代理 IPv6 TCP #48

LGA1150 opened this issue Dec 8, 2020 · 25 comments

Comments

@LGA1150
Copy link

LGA1150 commented Dec 8, 2020

配置文件见 v2fly/v2ray-core#320
客户端,服务端均为 Xray 1.1.2

IPv6 TCP 无法代理,出现以下错误

2020/12/08 08:00:59 [Info] transport/internet/tcp: failed to call getsockopt > no such file or directory
2020/12/08 08:00:59 [Info] [1507096704] app/proxyman/inbound: failed to get original destination > transport/internet/tcp: failed to call getsockopt
2020/12/08 08:00:59 [Debug] [1507096704] proxy/dokodemo: processing connection from: [隐藏]:51500
2020/12/08 08:00:59 [Info] [1507096704] app/proxyman/inbound: connection ends > proxy/dokodemo: unable to get destination

IPv6 UDP 正常

2020/12/08 08:03:43 [Debug] transport/internet/udp: UDP original destination: udp:[2001:4860:4860::8888]:53
2020/12/08 08:03:43 [Debug] [3285941684] proxy/dokodemo: processing connection from: [隐藏]:60665
2020/12/08 08:03:43 [Info] [3285941684] proxy/dokodemo: received request for [隐藏]:60665
2020/12/08 08:03:43 [Info] [3285941684] app/dispatcher: default route for udp:[2001:4860:4860::8888]:53
2020/12/08 08:03:43 [Info] [3285941684] transport/internet/tcp: dialing TCP to tcp:隐藏:443
2020/12/08 08:03:43 [隐藏]:60665 accepted udp:[2001:4860:4860::8888]:53
2020/12/08 08:03:43 [Info] [3285941684] proxy/vless/outbound: tunneling request to udp:[2001:4860:4860::8888]:53 via tcp:隐藏:443
@RPRX
Copy link
Member

RPRX commented Dec 8, 2020

你的架构是?等下给你发个测试版

@LGA1150
Copy link
Author

LGA1150 commented Dec 8, 2020

客户端是 linux-arm32-v7a,服务端 linux x64

@RPRX
Copy link
Member

RPRX commented Dec 8, 2020

Xray-linux-64.zip
Xray-linux-arm32-v7a.zip

@RPRX
Copy link
Member

RPRX commented Dec 8, 2020

Xray-linux-64.zip
Xray-linux-arm32-v7a.zip

@RPRX
Copy link
Member

RPRX commented Dec 8, 2020

都试一试(我倾向于第二次上传的),顺便看看会不会影响 UDP

@LGA1150
Copy link
Author

LGA1150 commented Dec 8, 2020

第一个,TCP UDP 都不通了,日志无记录
第二个,TCP 不通 UDP 通,一样的问题

@RPRX
Copy link
Member

RPRX commented Dec 8, 2020

Xray-linux-arm32-v7a.zip

看日志专用版本,请把日志发上来,看看有没有 success 字样

@RPRX
Copy link
Member

RPRX commented Dec 8, 2020

Xray-linux-arm32-v7a.zip

同样是看日志版本,我没有复现错误的环境,只能这样试了,麻烦及时反馈

@LGA1150
Copy link
Author

LGA1150 commented Dec 8, 2020

两个都是这样,不过 no such file or directory 错误变成了 invalid argument

Xray 1.1.2 (Xray, Penetrates Everything.) Custom (go1.15.6 linux/arm)
A unified platform for anti-censorship.
2020/12/08 11:52:57 [Info] main/jsonem: Reading config: xray.json
2020/12/08 11:52:57 [Debug] app/log: Logger started
2020/12/08 11:52:57 [Debug] app/proxyman/inbound: creating stream worker on [::]:1234
2020/12/08 11:52:57 [Info] transport/internet/tcp: listening TCP on [::]:1234
2020/12/08 11:52:57 [Info] transport/internet/udp: listening UDP on [::]:1234
2020/12/08 11:52:57 [Warning] core: Xray 1.1.2 started
2020/12/08 11:52:59 [Info] transport/internet/tcp: failed to call getsockopt > invalid argument
2020/12/08 11:52:59 [Info] [3229931270] app/proxyman/inbound: failed to get original destination > transport/internet/tcp: failed to call getsockopt
2020/12/08 11:52:59 [Debug] [3229931270] proxy/dokodemo: processing connection from: [隐藏]:50094
2020/12/08 11:52:59 [Info] [3229931270] app/proxyman/inbound: connection ends > proxy/dokodemo: unable to get destination

@ghost
Copy link

ghost commented Dec 8, 2020

请问你是任意门开启tproxy + ip6tables tcp tproxy + ip6tables udp tproxy的配置吗?

@LGA1150
Copy link
Author

LGA1150 commented Dec 8, 2020

请问你是任意门开启tproxy + ip6tables tcp tproxy + ip6tables udp tproxy的配置吗?

是的

@ghost
Copy link

ghost commented Dec 8, 2020
edited by ghost
Loading

请问你是任意门开启tproxy + ip6tables tcp tproxy + ip6tables udp tproxy的配置吗?

是的

这可能是个bug。据群友提供的方法,你可以暂时把 任意门tproxy 改为 redirect(ip6tables iptables规则不需要改),应该就能连上了。待修复之后,再换回tproxy

@LGA1150
Copy link
Author

LGA1150 commented Dec 8, 2020

这可能是个bug。据群友提供的方法,你可以暂时把 任意门tproxy 改为 redirect(ip6tables iptables规则不需要改),应该就能连上了。待修复之后,再换回tproxy

测试无效

@RPRX
Copy link
Member

RPRX commented Dec 8, 2020

Xray-linux-arm32-v7a.zip

研究了一下,重写了相关代码,试试有没有问题

@LGA1150
Copy link
Author

LGA1150 commented Dec 8, 2020

现在没有 getsockopt 错误了,但是 TCP 目标端口是错的,忘了 htons?

2020/12/08 13:55:25 [Debug] [3007832930] proxy/dokodemo: processing connection from: [隐藏]:51810
2020/12/08 13:55:25 [Info] [3007832930] proxy/dokodemo: received request for [隐藏]:51810
2020/12/08 13:55:25 [隐藏]:51810 accepted tcp:[2001:4860:4860::8888]:13568 <-- 请求的是 TCP 53,这里变成了 13568
2020/12/08 13:55:25 [Info] [3007832930] app/dispatcher: default route for tcp:[2001:4860:4860::8888]:13568
2020/12/08 13:55:25 [Info] [3007832930] transport/internet/tcp: dialing TCP to tcp:隐藏:443
2020/12/08 13:55:25 [Info] [3007832930] proxy/vless/outbound: tunneling request to tcp:[2001:4860:4860::8888]:13568 via tcp:隐藏:443

@RPRX
Copy link
Member

RPRX commented Dec 8, 2020

@LGA1150

有点奇怪,IPv6 地址正确吗?IPv4 有没有问题?

@LGA1150
Copy link
Author

LGA1150 commented Dec 8, 2020

发现就是大小端的问题, ((53 << 8) & 0xff00) | ((53 >> 8) & 0xff) == 13568
dig 加上 -p 13568 就通了

IPv4 TCP 直接识别不出目标 IP 了

2020/12/08 14:10:38 [Debug] [2201659112] proxy/dokodemo: processing connection from: 隐藏:46237
2020/12/08 14:10:38 [Info] [2201659112] proxy/dokodemo: received request for 隐藏:46237
2020/12/08 14:10:38 [Info] [2201659112] app/dispatcher: default route for tcp:0.0.0.0:13568 <-- 请求的是 8.8.4.4:53
2020/12/08 14:10:38 [Info] [2201659112] transport/internet/tcp: dialing TCP to tcp:隐藏:443
2020/12/08 14:10:38 隐藏:46237 accepted tcp:0.0.0.0:13568
2020/12/08 14:10:38 [Info] [2201659112] proxy/vless/outbound: tunneling request to tcp:0.0.0.0:13568 via tcp:隐藏:443
2020/12/08 14:10:39 [Info] [2201659112] app/proxyman/outbound: failed to process outbound traffic > proxy/vless/outbound: connection ends > proxy/vless/outbound: failed to decode response header > proxy/vless/encoding: failed to read response version > EOF

@RPRX
Copy link
Member

RPRX commented Dec 8, 2020
edited
Loading

目前不能确定不同架构上 syscall 返回端口的字节序,好像有点棘手

@RPRX
Copy link
Member

RPRX commented Dec 8, 2020

TCP 目标 IPv4 估计也是类似的问题,我是取 16 个字节中前 4 个字节,但是按照你机器上的顺序,可能要取后 4 个字节才对

我试试能不能利用这个特性让它 work

@RPRX
Copy link
Member

RPRX commented Dec 8, 2020

Xray-linux-arm32-v7a.zip

先试试这个版本在你的机器上是否正常,包括 IPv4

@badO1a5A90
Copy link
Member

badO1a5A90 commented Dec 8, 2020
edited
Loading

我用同样的iptable测试完全可用(就是你的 v2fly/v2ray-core#320 设置),包括1.0.0版本开始.
可能和系统架构及字长有关?

@RPRX
Copy link
Member

RPRX commented Dec 9, 2020

其实昨天我一直有个疑惑,即你设置的是 tproxy,而我改的是 redirect,为什么也会生效?还以为是 followRedirect 覆盖了设置

直到群友指出,你的配置是错的,sockopt 应写在 streamSettings 内,否则实际上你用到的是 redirect

对于 redirect,文档的描述是“仅支持 TCP/IPv4 和 UDP 连接”,我还发现了这个 v2ray/v2ray-core#1309 (comment)

但根据我昨天的研究和修改,为 redirect 增加 TCP/IPv6 支持并不是不可能做到的,所以这成了新的目标

@LGA1150
Copy link
Author

LGA1150 commented Dec 9, 2020

直到群友指出,你的配置是错的,sockopt 应写在 streamSettings 内,否则实际上你用到的是 redirect

原来如此,加到 streamSettings 内就正常了

@LGA1150 LGA1150 mentioned this issue Dec 9, 2020
Closed
@RPRX
Copy link
Member

RPRX commented Dec 9, 2020

现在没有 getsockopt 错误了,但是 TCP 目标端口是错的,忘了 htons?

2020/12/08 13:55:25 [Debug] [3007832930] proxy/dokodemo: processing connection from: [隐藏]:51810
2020/12/08 13:55:25 [Info] [3007832930] proxy/dokodemo: received request for [隐藏]:51810
2020/12/08 13:55:25 [隐藏]:51810 accepted tcp:[2001:4860:4860::8888]:13568 <-- 请求的是 TCP 53,这里变成了 13568
2020/12/08 13:55:25 [Info] [3007832930] app/dispatcher: default route for tcp:[2001:4860:4860::8888]:13568
2020/12/08 13:55:25 [Info] [3007832930] transport/internet/tcp: dialing TCP to tcp:隐藏:443
2020/12/08 13:55:25 [Info] [3007832930] proxy/vless/outbound: tunneling request to tcp:[2001:4860:4860::8888]:13568 via tcp:隐藏:443

你这里的 iptables 是 tproxy 吗?应该会 err 才对啊(而不只是端口错误

@badO1a5A90
Copy link
Member

badO1a5A90 commented Dec 9, 2020
edited
Loading

发现就是大小端的问题, ((53 << 8) & 0xff00) | ((53 >> 8) & 0xff) == 13568
dig 加上 -p 13568 就通了

IPv4 TCP 直接识别不出目标 IP 了

2020/12/08 14:10:38 [Debug] [2201659112] proxy/dokodemo: processing connection from: 隐藏:46237
2020/12/08 14:10:38 [Info] [2201659112] proxy/dokodemo: received request for 隐藏:46237
2020/12/08 14:10:38 [Info] [2201659112] app/dispatcher: default route for tcp:0.0.0.0:13568 <-- 请求的是 8.8.4.4:53
2020/12/08 14:10:38 [Info] [2201659112] transport/internet/tcp: dialing TCP to tcp:隐藏:443
2020/12/08 14:10:38 隐藏:46237 accepted tcp:0.0.0.0:13568
2020/12/08 14:10:38 [Info] [2201659112] proxy/vless/outbound: tunneling request to tcp:0.0.0.0:13568 via tcp:隐藏:443
2020/12/08 14:10:39 [Info] [2201659112] app/proxyman/outbound: failed to process outbound traffic > proxy/vless/outbound: connection ends > proxy/vless/outbound: failed to decode response header > proxy/vless/encoding: failed to read response version > EOF

你没有修改sockopt到streamSettings之前,xray应该一直是保持redir模式的(默认,因为你写的tproxy位置错了没生效).
所以 只有mangle表的规则的话 应该一直是 failed to call getsockopt > no such file or directory
这里测试的时候,xray居然收到转发了.(ip和端口错误可能是代码中获取地址和没反转高低位的问题)
是不是因为这个时候已经加了nat表规则,所以转发生效了(可能在kirin让你测试redir的时候)(事实上xray一直工作在redir)

RPRX added a commit that referenced this issue Dec 9, 2020
@RPRX
Refactor: Support TCP/IPv6 in REDIRECT mode
f1eb5e3 
十分感谢 @badO1a5A90 @LGA1150 协助测试

#48 (comment)

v2ray/v2ray-core#1309 (comment)
@LGA1150 LGA1150 closed this as completed Dec 9, 2020
mwhorse46 added a commit to mwhorse46/Xray-core that referenced this issue Feb 19, 2023
@mwhorse46
Refactor: Support TCP/IPv6 in REDIRECT mode
331bc85 
十分感谢 @badO1a5A90 @LGA1150 协助测试

XTLS/Xray-core#48 (comment)

v2ray/v2ray-core#1309 (comment)
rampagekiller0725 added a commit to rampagekiller0725/wox that referenced this issue Jun 29, 2023
@rampagekiller0725
Refactor: Support TCP/IPv6 in REDIRECT mode
011d544 
十分感谢 @badO1a5A90 @LGA1150 协助测试

XTLS/Xray-core#48 (comment)

v2ray/v2ray-core#1309 (comment)
Autumn216 added a commit to Autumn216/wox that referenced this issue Oct 31, 2023
@Autumn216
Refactor: Support TCP/IPv6 in REDIRECT mode
4ec21c5 
十分感谢 @badO1a5A90 @LGA1150 协助测试

XTLS/Xray-core#48 (comment)

v2ray/v2ray-core#1309 (comment)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@badO1a5A90 @LGA1150 @RPRX