NTP synchronization issue #1133

Closed
bookyue opened this issue Dec 31, 2020 · 7 comments

bookyue commented Dec 31, 2020

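Problem:

In the following modes, NTP time is out of sync:

  • Fake-IP (Enhanced) mode
  • Redir-Host (Compatible) mode
  • Fake-IP (TUN-Mixed) mode
  • Redir-Host (TUN-Mixed) mode

In the following modes, NTP works normally:

  • Redir-Host (TUN) mode
  • Fake-IP (TUN) mode

All tests were run with UDP forwarding enabled through subconverter conversion, and the nodes support UDP forwarding.
Of these, Fake-IP (Enhanced) mode and Redir-Host (Compatible) mode both had UDP traffic forwarding enabled.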

NTP server: ntp.aliyun.com


bookyue commented Dec 31, 2020

OpenClash 调试日志

生成时间: 2020-12-31 22:26:33
插件版本: v0.41.13-beta


#===================== 系统信息 =====================#

主机型号: Raspberry Pi 3 Model B Plus Rev 1.3
固件版本: OpenWrt SNAPSHOT r0-dd9fecc
LuCI版本: git-20.343.54716-6fc079f-1
内核版本: 5.4.47-OPENFANS+20200622-v8
处理器架构: aarch64_cortex-a53

#此项在使用Tun模式时应为ACCEPT
防火墙转发: ACCEPT

#此项有值时建议到网络-接口-lan的设置中禁用IPV6的DHCP
IPV6-DHCP: 

#此项结果应仅有配置文件的DNS监听地址
Dnsmasq转发设置: 127.0.0.1#7874

#===================== 依赖检查 =====================#

dnsmasq-full: 已安装
coreutils: 已安装
coreutils-nohup: 已安装
bash: 已安装
curl: 已安装
jsonfilter: 已安装
ca-certificates: 已安装
ipset: 已安装
ip-full: 已安装
iptables-mod-tproxy: 已安装
kmod-ipt-tproxy: 已安装
iptables-mod-extra: 已安装
kmod-ipt-extra: 已安装
libcap: 已安装
libcap-bin: 已安装
ruby: 已安装
ruby-yaml: 已安装
ruby-psych: 已安装
ruby-pstore: 已安装
ruby-dbm: 已安装
kmod-tun(TUN模式): 已安装
luci-compat(Luci-19.07): 已安装

#===================== 内核检查 =====================#

运行状态: 运行中
进程pid: 26192
运行权限: 26192: = cap_dac_override,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_resource+eip
运行用户: nobody
已选择的架构: linux-armv8

#下方无法显示内核版本号时请确认您的内核版本是否正确或者有无权限
Tun内核版本: 2020.12.24.gb05bba1
Tun内核文件: 存在
Tun内核运行权限: 正常

Game内核版本: v0.17.0-232-ge389e33
Game内核文件: 存在
Game内核运行权限: 正常

Dev内核版本: v1.3.5-2-g02d029d
Dev内核文件: 存在
Dev内核运行权限: 正常

#===================== 插件设置 =====================#

当前配置文件: /etc/openclash/config/config.yaml
启动配置文件: /etc/openclash/config.yaml
运行模式: fake-ip-mix
默认代理模式: rule
UDP流量转发(tproxy): 停用
DNS劫持: 启用
自定义DNS: 启用
IPV6-DNS解析: 停用
禁用Dnsmasq缓存: 启用
自定义规则: 停用
仅允许内网: 停用
仅代理命中规则流量: 停用
仅允许常用端口流量: 停用
绕过中国大陆IP: 停用

#启动异常时建议关闭此项后重试
混合节点: 停用
保留配置: 停用

#启动异常时建议关闭此项后重试
第三方规则: 停用

#===================== 配置文件 =====================#

port: 7890
socks-port: 7891
allow-lan: true
mode: rule
log-level: silent
external-controller: 0.0.0.0:9090
proxy-groups:
- name: "\U0001F680 节点选择"
  type: select
  proxies:
  - DIRECT
- name: "\U0001F30D 国外媒体"
  type: select
  proxies:
  - "\U0001F680 节点选择"
  - "\U0001F3AF 全球直连"
- name: "\U0001F4F2 电报信息"
  type: select
  proxies:
  - "\U0001F680 节点选择"
  - "\U0001F3AF 全球直连"
- name: Ⓜ️ 微软服务
  type: select
  proxies:
  - "\U0001F3AF 全球直连"
  - "\U0001F680 节点选择"
- name: "\U0001F34E 苹果服务"
  type: select
  proxies:
  - "\U0001F680 节点选择"
  - "\U0001F3AF 全球直连"
- name: "\U0001F4E2 谷歌FCM"
  type: select
  proxies:
- name: "\U0001F3AF 全球直连"
  type: select
  proxies:
  - DIRECT
  - "\U0001F680 节点选择"
- name: "\U0001F6D1 全球拦截"
  type: select
  proxies:
  - REJECT
  - DIRECT
- name: "\U0001F343 应用净化"
  type: select
  proxies:
  - REJECT
  - DIRECT
- name: "\U0001F41F 漏网之鱼"
  type: select
  proxies:
  - "\U0001F680 节点选择"
  - "\U0001F3AF 全球直连"
rules:
- "GEOIP,CN,\U0001F3AF 全球直连"
- "MATCH,\U0001F41F 漏网之鱼"
dns:
  nameserver:
  - 114.114.114.114
  - 119.29.29.29
  - 119.28.28.28
  - 223.5.5.5
  fallback:
  - https://cloudflare-dns.com/dns-query
  - https://dns.google/dns-query
  - tls://dns.google:853
  - https://1.1.1.1/dns-query
  - tls://1.1.1.1:853
  - tls://8.8.8.8:853
  enable: true
  ipv6: false
  enhanced-mode: fake-ip
  fake-ip-range: 198.18.0.1/16
  listen: 127.0.0.1:7874
  fake-ip-filter:
  - "*.lan"
  - time.windows.com
  - time.nist.gov
  - time.apple.com
  - time.asia.apple.com
  - "*.ntp.org.cn"
  - "*.openwrt.pool.ntp.org"
  - time1.cloud.tencent.com
  - time.ustc.edu.cn
  - pool.ntp.org
  - ntp.ubuntu.com
  - ntp.aliyun.com
  - ntp1.aliyun.com
  - ntp2.aliyun.com
  - ntp3.aliyun.com
  - ntp4.aliyun.com
  - ntp5.aliyun.com
  - ntp6.aliyun.com
  - ntp7.aliyun.com
  - time1.aliyun.com
  - time2.aliyun.com
  - time3.aliyun.com
  - time4.aliyun.com
  - time5.aliyun.com
  - time6.aliyun.com
  - time7.aliyun.com
  - "*.time.edu.cn"
  - time1.apple.com
  - time2.apple.com
  - time3.apple.com
  - time4.apple.com
  - time5.apple.com
  - time6.apple.com
  - time7.apple.com
  - time1.google.com
  - time2.google.com
  - time3.google.com
  - time4.google.com
  - music.163.com
  - "*.music.163.com"
  - "*.126.net"
  - musicapi.taihe.com
  - music.taihe.com
  - songsearch.kugou.com
  - trackercdn.kugou.com
  - "*.kuwo.cn"
  - api-jooxtt.sanook.com
  - api.joox.com
  - joox.com
  - y.qq.com
  - "*.y.qq.com"
  - streamoc.music.tc.qq.com
  - mobileoc.music.tc.qq.com
  - isure.stream.qqmusic.qq.com
  - dl.stream.qqmusic.qq.com
  - aqqmusic.tc.qq.com
  - amobile.music.tc.qq.com
  - "*.xiami.com"
  - "*.music.migu.cn"
  - music.migu.cn
  - "*.msftconnecttest.com"
  - "*.msftncsi.com"
  - localhost.ptlogin2.qq.com
  - "+.srv.nintendo.net"
  - "+.stun.playstation.net"
  - xbox.*.microsoft.com
  - "+.xboxlive.com"
  - proxy.golang.org
  - stun.*.*
  - stun.*.*.*
  - heartbeat.belkin.com
  - "*.linksys.com"
  - "*.linksyssmartwifi.com"
  fallback-filter:
    geoip: false
    ipcidr:
    - 0.0.0.0/8
    - 10.0.0.0/8
    - 100.64.0.0/10
    - 127.0.0.0/8
    - 169.254.0.0/16
    - 172.16.0.0/12
    - 192.0.0.0/24
    - 192.0.2.0/24
    - 192.88.99.0/24
    - 192.168.0.0/16
    - 198.18.0.0/15
    - 198.51.100.0/24
    - 203.0.113.0/24
    - 224.0.0.0/4
    - 240.0.0.0/4
    - 255.255.255.255/32
    - "+.google.com"
    - "+.facebook.com"
    - "+.youtube.com"
    - "+.githubusercontent.com"
redir-port: 7892
mixed-port: 7893
bind-address: "*"
external-ui: "/usr/share/openclash/dashboard"
ipv6: false
tun:
  enable: true
  stack: system
  dns-hijack:
  - tcp://8.8.8.8:53
  - tcp://8.8.4.4:53
interface-name: br-lan

#===================== 防火墙设置 =====================#

#NAT chain

# Generated by iptables-save v1.8.4 on Thu Dec 31 22:26:38 2020
*nat
:PREROUTING ACCEPT [4679:623573]
:INPUT ACCEPT [3427:370077]
:OUTPUT ACCEPT [3838:405471]
:POSTROUTING ACCEPT [0:0]
:DOCKER_OUTPUT - [0:0]
:DOCKER_POSTROUTING - [0:0]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:openclash - [0:0]
:openclash_output - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_vpn_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_vpn_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_vpn_postrouting - [0:0]
:zone_vpn_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -d 8.8.4.4/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A PREROUTING -d 8.8.8.8/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_vpn_prerouting
-A PREROUTING -p tcp -j openclash
-A OUTPUT -j openclash_output
-A OUTPUT -d 127.0.0.11/32 -j DOCKER_OUTPUT
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -d 127.0.0.11/32 -j DOCKER_POSTROUTING
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_vpn_postrouting
-A DOCKER_OUTPUT -d 127.0.0.11/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.11:42941
-A DOCKER_OUTPUT -d 127.0.0.11/32 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.11:55304
-A DOCKER_POSTROUTING -s 127.0.0.11/32 -p tcp -m tcp --sport 42941 -j SNAT --to-source :53
-A DOCKER_POSTROUTING -s 127.0.0.11/32 -p udp -m udp --sport 55304 -j SNAT --to-source :53
-A openclash -m set --match-set localnetwork dst -j RETURN
-A openclash -p tcp -j REDIRECT --to-ports 7892
-A openclash_output -p tcp -m tcp --sport 1194 -j RETURN
-A openclash_output -p tcp -m tcp --sport 1688 -j RETURN
-A openclash_output -m set --match-set localnetwork dst -j RETURN
-A openclash_output -d 198.18.0.0/16 -p tcp -m owner ! --uid-owner 65534 -j REDIRECT --to-ports 7892
-A openclash_output -m owner ! --uid-owner 65534 -m set ! --match-set common_ports dst -j RETURN
-A openclash_output -p tcp -m owner ! --uid-owner 65534 -j REDIRECT --to-ports 7892
-A zone_lan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -j MINIUPNPD
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_vpn_postrouting -m comment --comment "!fw3: Custom vpn postrouting rule chain" -j postrouting_vpn_rule
-A zone_vpn_prerouting -m comment --comment "!fw3: Custom vpn prerouting rule chain" -j prerouting_vpn_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Thu Dec 31 22:26:38 2020

#Mangle chain

# Generated by iptables-save v1.8.4 on Thu Dec 31 22:26:38 2020
*mangle
:PREROUTING ACCEPT [818577:722220196]
:INPUT ACCEPT [811839:719807108]
:FORWARD ACCEPT [6434:2392786]
:OUTPUT ACCEPT [561038:671358720]
:POSTROUTING ACCEPT [567460:673744602]
:RRDIPT_FORWARD - [0:0]
:RRDIPT_INPUT - [0:0]
:RRDIPT_OUTPUT - [0:0]
:openclash - [0:0]
:openclash_dns_hijack - [0:0]
:openclash_output - [0:0]
-A PREROUTING -p udp -j openclash
-A PREROUTING -p tcp -m tcp --dport 53 -j openclash_dns_hijack
-A INPUT -j RRDIPT_INPUT
-A FORWARD -j RRDIPT_FORWARD
-A OUTPUT -j openclash_output
-A OUTPUT -j RRDIPT_OUTPUT
-A RRDIPT_FORWARD -s 192.168.1.18/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.1.18/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.1.200/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.1.200/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.1.240/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.1.240/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.1.137/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.1.137/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.1.1/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.1.1/32 -j RETURN
-A RRDIPT_FORWARD -s 192.168.1.148/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.1.148/32 -j RETURN
-A RRDIPT_INPUT -i eth0 -j RETURN
-A RRDIPT_INPUT -i br-lan -j RETURN
-A RRDIPT_OUTPUT -o eth0 -j RETURN
-A RRDIPT_OUTPUT -o br-lan -j RETURN
-A openclash -p udp -m udp --dport 1194 -j RETURN
-A openclash -p udp -m udp --dport 500 -j RETURN
-A openclash -p udp -m udp --dport 546 -j RETURN
-A openclash -p udp -m udp --dport 68 -j RETURN
-A openclash -m set --match-set localnetwork dst -j RETURN
-A openclash -j MARK --set-xmark 0x162/0xffffffff
-A openclash_dns_hijack -d 8.8.8.8/32 -j MARK --set-xmark 0x162/0xffffffff
-A openclash_dns_hijack -d 8.8.4.4/32 -j MARK --set-xmark 0x162/0xffffffff
-A openclash_output -p udp -m udp --sport 1194 -j RETURN
-A openclash_output -p udp -m udp --sport 500 -j RETURN
-A openclash_output -p udp -m udp --sport 546 -j RETURN
-A openclash_output -p udp -m udp --sport 68 -j RETURN
-A openclash_output -m set --match-set localnetwork dst -j RETURN
-A openclash_output -d 198.18.0.0/16 -p udp -m owner ! --uid-owner 65534 -j MARK --set-xmark 0x162/0xffffffff
COMMIT
# Completed on Thu Dec 31 22:26:38 2020

#===================== IPSET状态 =====================#

Name: music
Name: localnetwork
Name: common_ports

#===================== 路由表状态 =====================#

#route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 br-lan
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
198.18.0.0      0.0.0.0         255.255.0.0     U     0      0        0 utun
#ip route list
default via 192.168.1.1 dev br-lan proto static 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.120 
198.18.0.0/16 dev utun proto kernel scope link src 198.18.0.1 
#ip rule show
0:	from all lookup local
32765:	from all fwmark 0x162 lookup 354
32766:	from all lookup main
32767:	from all lookup default

#===================== Tun设备状态 =====================#

utun: tun pi filter

#===================== 端口占用状态 =====================#

tcp        0      0 198.18.0.1:7777         0.0.0.0:*               LISTEN      26192/clash
tcp        0      0 :::7890                 :::*                    LISTEN      26192/clash
tcp        0      0 :::7891                 :::*                    LISTEN      26192/clash
tcp        0      0 :::7892                 :::*                    LISTEN      26192/clash
tcp        0      0 :::7893                 :::*                    LISTEN      26192/clash
tcp        0      0 :::9090                 :::*                    LISTEN      26192/clash
udp        0      0 198.18.0.1:7777         0.0.0.0:*                           26192/clash
udp        0      0 127.0.0.1:7874          0.0.0.0:*                           26192/clash
udp        0      0 :::42529                :::*                                26192/clash
udp        0      0 :::39481                :::*                                26192/clash
udp        0      0 :::7891                 :::*                                26192/clash
udp        0      0 :::7892                 :::*                                26192/clash
udp        0      0 :::7893                 :::*                                26192/clash
udp        0      0 :::59175                :::*                                26192/clash
udp        0      0 :::50001                :::*                                26192/clash
udp        0      0 :::33204                :::*                                26192/clash
udp        0      0 :::39414                :::*                                26192/clash

#===================== 测试本机DNS查询 =====================#

Server:		127.0.0.1
Address:	127.0.0.1#53

Name:      www.baidu.com
Address 1: 198.18.0.55
*** Can't find www.baidu.com: No answer

#===================== resolv.conf.d =====================#

# Interface lan
nameserver 192.168.1.1

#===================== 测试本机网络连接 =====================#

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: keep-alive
Content-Length: 277
Content-Type: text/html
Date: Thu, 31 Dec 2020 14:26:38 GMT
Etag: "575e1f7c-115"
Last-Modified: Mon, 13 Jun 2016 02:50:36 GMT
Pragma: no-cache
Server: bfe/1.0.8.18


#===================== 测试本机网络下载 =====================#

HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 80
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "549bddd7cb641fe9050935528320d001fc602448ba2771cc93f376d0c25a91c9"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
Via: 1.1 varnish (Varnish/6.0), 1.1 varnish
X-GitHub-Request-Id: 200E:2D08:1912577:1C8C573:5FEDDAD4
Accept-Ranges: bytes
Date: Thu, 31 Dec 2020 14:26:38 GMT
X-Served-By: cache-hkg17927-HKG
X-Cache: MISS, HIT
X-Cache-Hits: 0, 4
X-Timer: S1609424799.841188,VS0,VE0
Vary: Authorization,Accept-Encoding
Access-Control-Allow-Origin: *
X-Fastly-Request-ID: 984c08a6f209ed836867916b286b82dc7506e4a7
Expires: Thu, 31 Dec 2020 14:31:38 GMT
Source-Age: 212


ghost commented Dec 31, 2020

Which NTP server are you using? Try adding it to the fake-ip filter yourself.


bookyue commented Dec 31, 2020

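> Which NTP server are you using? Try adding it to the fake-ip filter yourself.

Sorry, I clearly remembered writing down the NTP server, but looking just now I really had not included it.
It is ntp.aliyun.com, which is indeed already in the default fake-ip filter list.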

@lingyunzhiss

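NTP synchronization fails inside the subnet.
I can only use Redir-Host (Compatible) mode; in the other modes I cannot log in to the China server of World of Warships.
I happened to notice that after a power loss the TV box did not get the time from the network, and NTP synchronization also fails from a Windows 10 machine in the subnet.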

OpenClash 调试日志

生成时间: 2021-04-10 03:58:53
插件版本: v0.42.04-beta
隐私提示: 上传此日志前请注意检查、屏蔽公网IP、节点、密码等相关敏感信息


#===================== 系统信息 =====================#

主机型号: To be filled by O.E.M. To be filled by O.E.M.
固件版本: Openwrt Koolshare Router V2.37 r17471-8ed31dafdf
LuCI版本: git-21.046.64947-cb0979f
内核版本: 5.4.108
处理器架构: x86_64

#此项在使用Tun模式时应为ACCEPT
防火墙转发: ACCEPT

#此项有值时建议到网络-接口-lan的设置中禁用IPV6的DHCP
IPV6-DHCP: 

#此项结果应仅有配置文件的DNS监听地址
Dnsmasq转发设置: 127.0.0.1#7874

#===================== 依赖检查 =====================#

dnsmasq-full: 已安装
coreutils: 已安装
coreutils-nohup: 已安装
bash: 已安装
curl: 已安装
jsonfilter: 已安装
ca-certificates: 已安装
ipset: 已安装
ip-full: 已安装
iptables-mod-tproxy: 已安装
kmod-ipt-tproxy: 已安装
iptables-mod-extra: 已安装
kmod-ipt-extra: 已安装
libcap: 已安装
libcap-bin: 已安装
ruby: 已安装
ruby-yaml: 已安装
ruby-psych: 已安装
ruby-pstore: 已安装
ruby-dbm: 已安装
kmod-tun(TUN模式): 已安装
luci-compat(Luci-19.07): 已安装

#===================== 内核检查 =====================#

运行状态: 运行中
进程pid: 21070
运行权限: 21070: cap_dac_override,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_resource=i
运行用户: nobody
已选择的架构: linux-amd64

#下方无法显示内核版本号时请确认您的内核版本是否正确或者有无权限
Tun内核版本: 2021.04.08
Tun内核文件: 存在
Tun内核运行权限: 正常

Game内核版本: 20210310-11-g1e1ab69
Game内核文件: 存在
Game内核运行权限: 正常

Dev内核版本: v1.5.0
Dev内核文件: 存在
Dev内核运行权限: 正常

#===================== 插件设置 =====================#

当前配置文件: /etc/openclash/config/Clash.yaml
启动配置文件: /etc/openclash/Clash.yaml
运行模式: redir-host
默认代理模式: rule
UDP流量转发(tproxy): 启用
DNS劫持: 启用
自定义DNS: 启用
IPV6-DNS解析: 停用
禁用Dnsmasq缓存: 启用
自定义规则: 停用
仅允许内网: 启用
仅代理命中规则流量: 启用
仅允许常用端口流量: 停用
绕过中国大陆IP: 启用

#启动异常时建议关闭此项后重试
混合节点: 停用
保留配置: 停用

#启动异常时建议关闭此项后重试
第三方规则: 停用

#===================== 配置文件 =====================#

port: 7890
socks-port: 7891
allow-lan: true
mode: rule
log-level: silent
external-controller: 10.0.10.1:9090
proxy-groups:
- name: Proxies
  type: select
  ------------------------omitted here
rules:
-------------------------omitted here

dns:
  nameserver:
  - 119.29.29.29
  - 119.28.28.28
  - 223.5.5.5
  - tls://dns.rubyfish.cn:853
  fallback:
  - tls://1.0.0.1:853
  - tls://8.8.4.4:853
  enable: true
  ipv6: false
  enhanced-mode: redir-host
  listen: 127.0.0.1:7874
  fallback-filter:
    geoip: false
    ipcidr:
    - 0.0.0.0/8
    - 10.0.0.0/8
    - 100.64.0.0/10
    - 127.0.0.0/8
    - 169.254.0.0/16
    - 172.16.0.0/12
    - 192.0.0.0/24
    - 192.0.2.0/24
    - 192.88.99.0/24
    - 192.168.0.0/16
    - 198.18.0.0/15
    - 198.51.100.0/24
    - 203.0.113.0/24
    - 224.0.0.0/4
    - 240.0.0.0/4
    - 255.255.255.255/32
    domain:
    - "+.google.com"
    - "+.facebook.com"
    - "+.youtube.com"
    - "+.githubusercontent.com"
redir-port: 7892
mixed-port: 7893
bind-address: 10.0.10.1
external-ui: "/usr/share/openclash/dashboard"
ipv6: false
profile:
  store-selected: true

#===================== 防火墙设置 =====================#

#NAT chain

# Generated by iptables-save v1.8.7 on Sat Apr 10 03:58:56 2021
*nat
:PREROUTING ACCEPT [5460:331881]
:INPUT ACCEPT [8955:551935]
:OUTPUT ACCEPT [13644:996496]
:POSTROUTING ACCEPT [1308:90055]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:openclash - [0:0]
:openclash_output - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -d 8.8.4.4/32 -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 7892
-A PREROUTING -d 8.8.8.8/32 -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 7892
-A PREROUTING -m mac --mac-source 5e:ac:80:ec:9b:94 -m comment --comment softcenter_mia -j RETURN
-A PREROUTING -m mac --mac-source 32:8a:7a:4a:0b:25 -m comment --comment softcenter_mia -j RETURN
-A PREROUTING -m mac --mac-source de:e8:ca:78:b4:60 -m comment --comment softcenter_mia -j RETURN
-A PREROUTING -m mac --mac-source fc:e9:98:e4:c2:28 -m comment --comment softcenter_mia -j RETURN
-A PREROUTING -m mac --mac-source 40:bc:60:6b:b5:d1 -m comment --comment softcenter_mia -j RETURN
-A PREROUTING -m mac --mac-source 18:d7:17:9e:72:f3 -m comment --comment softcenter_mia -j RETURN
-A PREROUTING -m mac --mac-source b8:94:36:ea:d6:9d -m comment --comment softcenter_mia -j RETURN
-A PREROUTING -m mac --mac-source 90:c5:4a:45:4f:d7 -m comment --comment softcenter_mia -j RETURN
-A PREROUTING -m mac --mac-source 66:a9:41:82:75:8f -m comment --comment softcenter_mia -j RETURN
-A PREROUTING -m mac --mac-source b8:c7:4a:28:79:29 -m comment --comment softcenter_mia -j RETURN
-A PREROUTING -m mac --mac-source a8:be:27:4e:d6:fd -m comment --comment softcenter_mia -j RETURN
-A PREROUTING -m mac --mac-source 32:cb:c3:c5:33:4e -m comment --comment softcenter_mia -j RETURN
-A PREROUTING -m mac --mac-source 36:ff:2a:36:4e:9b -m comment --comment softcenter_mia -j RETURN
-A PREROUTING -m mac --mac-source b8:c1:11:38:ba:cc -m comment --comment softcenter_mia -j RETURN
-A PREROUTING -p udp -m udp --dport 53 -m comment --comment dns_hijack -j REDIRECT --to-ports 53
-A PREROUTING -p tcp -m tcp --dport 53 -m comment --comment dns_hijack -j REDIRECT --to-ports 53
-A PREROUTING -p tcp -j openclash
-A OUTPUT -j openclash_output
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
-A MINIUPNPD -p udp -m udp --dport 26497 -j DNAT --to-destination 10.0.10.5:26497
-A MINIUPNPD -p udp -m udp --dport 20724 -j DNAT --to-destination 10.0.10.126:20724
-A MINIUPNPD -p udp -m udp --dport 43824 -j DNAT --to-destination 10.0.10.126:43824
-A MINIUPNPD -p tcp -m tcp --dport 25430 -j DNAT --to-destination 10.0.10.120:25430
-A MINIUPNPD -p udp -m udp --dport 25430 -j DNAT --to-destination 10.0.10.120:25430
-A MINIUPNPD-POSTROUTING -s 10.0.10.5/32 -p udp -m udp --sport 26497 -j MASQUERADE --to-ports 26497
-A MINIUPNPD-POSTROUTING -s 10.0.10.126/32 -p udp -m udp --sport 20724 -j MASQUERADE --to-ports 20724
-A MINIUPNPD-POSTROUTING -s 10.0.10.126/32 -p udp -m udp --sport 43824 -j MASQUERADE --to-ports 43824
-A MINIUPNPD-POSTROUTING -s 10.0.10.120/32 -p tcp -m tcp --sport 25430 -j MASQUERADE --to-ports 25430
-A MINIUPNPD-POSTROUTING -s 10.0.10.120/32 -p udp -m udp --sport 25430 -j MASQUERADE --to-ports 25430
-A openclash -m set --match-set localnetwork dst -j RETURN
-A openclash -m set --match-set china_ip_route dst -j RETURN
-A openclash -p tcp -j REDIRECT --to-ports 7892
-A openclash_output -m set --match-set localnetwork dst -j RETURN
-A openclash_output -m set --match-set china_ip_route dst -j RETURN
-A openclash_output -p tcp -m owner ! --uid-owner 65534 -j DNAT --to-destination 10.0.10.1:7892
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_wan_postrouting -m comment --comment "!fw3" -j FULLCONENAT
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -m comment --comment "!fw3" -j FULLCONENAT
-A zone_wan_prerouting -j MINIUPNPD
COMMIT
# Completed on Sat Apr 10 03:58:56 2021

#Mangle chain

# Generated by iptables-save v1.8.7 on Sat Apr 10 03:58:56 2021
*mangle
:PREROUTING ACCEPT [10003274:9360827551]
:INPUT ACCEPT [9629303:9102117311]
:FORWARD ACCEPT [366048:258189465]
:OUTPUT ACCEPT [4989705:20353666250]
:POSTROUTING ACCEPT [5355288:20611845292]
:RRDIPT_FORWARD - [0:0]
:RRDIPT_INPUT - [0:0]
:RRDIPT_OUTPUT - [0:0]
:openclash - [0:0]
-A PREROUTING -p udp -j openclash
-A INPUT -j RRDIPT_INPUT
-A FORWARD -j RRDIPT_FORWARD
-A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -j RRDIPT_OUTPUT
-A RRDIPT_FORWARD -s 10.0.10.26/32 -j RETURN
-A RRDIPT_FORWARD -d 10.0.10.26/32 -j RETURN
-A RRDIPT_FORWARD -s 10.0.10.52/32 -j RETURN
-A RRDIPT_FORWARD -d 10.0.10.52/32 -j RETURN
-A RRDIPT_FORWARD -s 10.0.10.2/32 -j RETURN
-A RRDIPT_FORWARD -d 10.0.10.2/32 -j RETURN
-A RRDIPT_FORWARD -s 10.0.10.3/32 -j RETURN
-A RRDIPT_FORWARD -d 10.0.10.3/32 -j RETURN
-A RRDIPT_FORWARD -s 10.0.10.68/32 -j RETURN
-A RRDIPT_FORWARD -d 10.0.10.68/32 -j RETURN
-A RRDIPT_FORWARD -s 10.0.10.5/32 -j RETURN
-A RRDIPT_FORWARD -d 10.0.10.5/32 -j RETURN
-A RRDIPT_FORWARD -s 10.0.10.6/32 -j RETURN
-A RRDIPT_FORWARD -d 10.0.10.6/32 -j RETURN
-A RRDIPT_FORWARD -s 10.0.10.9/32 -j RETURN
-A RRDIPT_FORWARD -d 10.0.10.9/32 -j RETURN
-A RRDIPT_FORWARD -s 10.0.10.101/32 -j RETURN
-A RRDIPT_FORWARD -d 10.0.10.101/32 -j RETURN
-A RRDIPT_FORWARD -s 10.0.10.111/32 -j RETURN
-A RRDIPT_FORWARD -d 10.0.10.111/32 -j RETURN
-A RRDIPT_FORWARD -s 10.0.10.120/32 -j RETURN
-A RRDIPT_FORWARD -d 10.0.10.120/32 -j RETURN
-A RRDIPT_FORWARD -s 10.0.10.105/32 -j RETURN
-A RRDIPT_FORWARD -d 10.0.10.105/32 -j RETURN
-A RRDIPT_FORWARD -s 10.0.10.121/32 -j RETURN
-A RRDIPT_FORWARD -d 10.0.10.130/32 -j RETURN
-A RRDIPT_FORWARD -s 10.0.10.123/32 -j RETURN
-A RRDIPT_FORWARD -d 10.0.10.123/32 -j RETURN
-A RRDIPT_FORWARD -s 10.0.10.131/32 -j RETURN
-A RRDIPT_FORWARD -d 10.0.10.131/32 -j RETURN
-A RRDIPT_FORWARD -s 169.254.46.37/32 -j RETURN
-A RRDIPT_FORWARD -d 169.254.46.37/32 -j RETURN
-A RRDIPT_FORWARD -s 10.0.10.124/32 -j RETURN
-A RRDIPT_FORWARD -d 10.0.10.124/32 -j RETURN
-A RRDIPT_FORWARD -s 10.0.10.125/32 -j RETURN
-A RRDIPT_FORWARD -d 10.0.10.125/32 -j RETURN
-A RRDIPT_FORWARD -s 10.0.10.142/32 -j RETURN
-A RRDIPT_FORWARD -d 10.0.10.142/32 -j RETURN
-A RRDIPT_FORWARD -s 10.0.10.150/32 -j RETURN
-A RRDIPT_FORWARD -d 10.0.10.150/32 -j RETURN
-A RRDIPT_FORWARD -s 10.0.10.127/32 -j RETURN
-A RRDIPT_FORWARD -d 10.0.10.127/32 -j RETURN
-A RRDIPT_FORWARD -s 10.0.10.137/32 -j RETURN
-A RRDIPT_FORWARD -d 10.0.10.137/32 -j RETURN
-A RRDIPT_FORWARD -s 10.0.10.129/32 -j RETURN
-A RRDIPT_FORWARD -d 10.0.10.129/32 -j RETURN
-A RRDIPT_FORWARD -s 10.0.10.148/32 -j RETURN
-A RRDIPT_FORWARD -d 10.0.10.148/32 -j RETURN
-A RRDIPT_FORWARD -d 10.0.10.52/32 -j RETURN
-A RRDIPT_FORWARD -d 10.0.10.121/32 -j RETURN
-A RRDIPT_FORWARD -s 10.0.10.130/32 -j RETURN
-A RRDIPT_INPUT -i eth0 -j RETURN
-A RRDIPT_INPUT -i pppoe-wan -j RETURN
-A RRDIPT_OUTPUT -o eth0 -j RETURN
-A RRDIPT_OUTPUT -o pppoe-wan -j RETURN
-A openclash -p udp -m udp --dport 500 -j RETURN
-A openclash -p udp -m udp --dport 546 -j RETURN
-A openclash -p udp -m udp --dport 68 -j RETURN
-A openclash -m set --match-set localnetwork dst -j RETURN
-A openclash -m set --match-set china_ip_route dst -j RETURN
-A openclash -p udp -m udp --dport 53 -j RETURN
-A openclash -p udp -j TPROXY --on-port 7892 --on-ip 0.0.0.0 --tproxy-mark 0x162/0xffffffff
COMMIT
# Completed on Sat Apr 10 03:58:56 2021

#===================== IPSET状态 =====================#

Name: china_ip_route
Name: localnetwork

#===================== 路由表状态 =====================#

#route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         100.94.192.1    0.0.0.0         UG    0      0        0 pppoe-wan
10.0.10.0       0.0.0.0         255.255.255.0   U     0      0        0 br-lan
100.94.192.1    0.0.0.0         255.255.255.255 UH    0      0        0 pppoe-wan
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
#ip route list
default via 100.94.192.1 dev pppoe-wan proto static 
10.0.10.0/24 dev br-lan proto kernel scope link src 10.0.10.1 
100.94.192.1 dev pppoe-wan proto kernel scope link src 100.95.24.95 
192.168.100.0/24 dev eth1 proto kernel scope link src 192.168.100.2 
#ip rule show
0:	from all lookup local
788:	from all fwmark 0x162 lookup 354
789:	from all fwmark 0x7 lookup 310
32766:	from all lookup main
32767:	from all lookup default

#===================== 端口占用状态 =====================#

tcp        0      0 10.0.10.1:9090          0.0.0.0:*               LISTEN      21070/clash
tcp        0      0 10.0.10.1:7890          0.0.0.0:*               LISTEN      21070/clash
tcp        0      0 10.0.10.1:7891          0.0.0.0:*               LISTEN      21070/clash
tcp        0      0 10.0.10.1:7892          0.0.0.0:*               LISTEN      21070/clash
tcp        0      0 10.0.10.1:7893          0.0.0.0:*               LISTEN      21070/clash
udp        0      0 127.0.0.1:7874          0.0.0.0:*                           21070/clash
udp        0      0 10.0.10.1:7891          0.0.0.0:*                           21070/clash
udp        0      0 10.0.10.1:7893          0.0.0.0:*                           21070/clash
udp        0      0 :::62419                :::*                                21070/clash

#===================== 测试本机DNS查询 =====================#


Name:      www.baidu.com
Address 1: 14.215.177.39
Address 2: 14.215.177.38

#===================== resolv.conf.d =====================#

# Interface wan
nameserver 222.246.129.80
nameserver 59.51.78.210

#===================== 测试本机网络连接 =====================#

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: keep-alive
Content-Length: 277
Content-Type: text/html
Date: Fri, 09 Apr 2021 19:58:56 GMT
Etag: "575e1f72-115"
Last-Modified: Mon, 13 Jun 2016 02:50:26 GMT
Pragma: no-cache
Server: bfe/1.0.8.18


#===================== 测试本机网络下载 =====================#

HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 80
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "44842fbfd0d46b48a8ccab1ec8255bfc4e6c18fe30fb6696e6f50a8fe80df561"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 852A:5211:3155C0:3D7523:60700CBD
Accept-Ranges: bytes
Date: Fri, 09 Apr 2021 19:58:57 GMT
Via: 1.1 varnish
X-Served-By: cache-hkg17929-HKG
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1617998337.080432,VS0,VE282
Vary: Authorization,Accept-Encoding
Access-Control-Allow-Origin: *
X-Fastly-Request-ID: a2d8638d2f285020f48d59e7cd4a42596fd126aa
Expires: Fri, 09 Apr 2021 20:03:57 GMT
Source-Age: 0


#===================== 最近运行日志 =====================#

2021-04-09 22:14:09 Warning: OpenClash Now Disabled, Need Start From Luci Page, Exit...
2021-04-09 22:13:58 OpenClash Update Successful
time="2021-04-09T22:14:27+08:00" level=info msg="Start initial compatible provider Domestic"
time="2021-04-09T22:14:27+08:00" level=info msg="Start initial compatible provider Spotify"
time="2021-04-09T22:14:27+08:00" level=info msg="Start initial compatible provider GlobalTV"
time="2021-04-09T22:14:27+08:00" level=info msg="Start initial compatible provider Scholar"
time="2021-04-09T22:14:27+08:00" level=info msg="Start initial compatible provider AsianTV"
time="2021-04-09T22:14:27+08:00" level=info msg="Start initial compatible provider AdBlock"
time="2021-04-09T22:14:27+08:00" level=info msg="Start initial compatible provider Steam"
time="2021-04-09T22:14:27+08:00" level=info msg="Start initial compatible provider Telegram"
time="2021-04-09T22:14:27+08:00" level=info msg="Start initial compatible provider Proxies"
time="2021-04-09T22:14:27+08:00" level=info msg="Start initial compatible provider Netease Music"
time="2021-04-09T22:14:27+08:00" level=info msg="Start initial compatible provider PayPal"
time="2021-04-09T22:14:27+08:00" level=info msg="Start initial compatible provider Speedtest"
time="2021-04-09T22:14:27+08:00" level=info msg="Start initial compatible provider Others"
time="2021-04-09T22:14:27+08:00" level=info msg="Start initial compatible provider Auto - UrlTest"
time="2021-04-09T22:14:27+08:00" level=info msg="Start initial compatible provider Netflix"
time="2021-04-09T22:14:27+08:00" level=info msg="Start initial compatible provider Microsoft"
time="2021-04-09T22:14:27+08:00" level=info msg="Start initial compatible provider Apple"
2021-04-09 22:14:32 Groups History:Clash.yaml Restore Successful
2021-04-09 22:14:12 OpenClash Start Successful
2021-04-10 03:40:22 Watchdog: Reset Firewall For Enabling Redirect.


zhao1009 commented Aug 7, 2021

I got the same issue, is there any solution for this?

@chenyujie95

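I have the same problem: the NTP service on my Google TV box cannot sync, but it works once Fake-IP (TUN) mode is enabled, so it is probably also a UDP traffic problem.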
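
To check where a LAN client's NTP request (UDP port 123) ends up under a given rule set, the following added example (not part of the original thread or of OpenClash) walks the mangle-table rules copied from the second debug log above. The ipset members, the client address and the function names are assumptions made for illustration, since the log lists only the set names.

```python
import ipaddress
import shlex

# Mangle-table rules that UDP traverses, copied from the second debug log above.
MANGLE_RULES = """\
-A PREROUTING -p udp -j openclash
-A openclash -p udp -m udp --dport 500 -j RETURN
-A openclash -p udp -m udp --dport 546 -j RETURN
-A openclash -p udp -m udp --dport 68 -j RETURN
-A openclash -m set --match-set localnetwork dst -j RETURN
-A openclash -m set --match-set china_ip_route dst -j RETURN
-A openclash -p udp -m udp --dport 53 -j RETURN
-A openclash -p udp -j TPROXY --on-port 7892 --on-ip 0.0.0.0 --tproxy-mark 0x162/0xffffffff
"""

# Constructed ipset members (assumption): the log shows set names only.
IPSETS = {
    "localnetwork": ["10.0.0.0/8", "127.0.0.0/8", "192.168.0.0/16"],
    "china_ip_route": ["203.0.113.0/24"],  # documentation range as a stand-in
}


def parse_rules(text):
    """Parse '-A chain ...' lines of iptables-save output into per-chain rule lists."""
    chains = {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 2 or tok[0] != "-A":
            continue
        rule = {"raw": line, "proto": None, "dport": None,
                "dst": None, "set": None, "target": None}
        i = 2
        while i < len(tok):
            opt = tok[i]
            if opt == "-p":
                rule["proto"] = tok[i + 1]; i += 2
            elif opt == "-m":
                i += 2  # module name only; its options are parsed as they appear
            elif opt == "--dport":
                rule["dport"] = int(tok[i + 1]); i += 2
            elif opt == "-d":
                rule["dst"] = ipaddress.ip_network(tok[i + 1]); i += 2
            elif opt == "--match-set":
                rule["set"] = (tok[i + 1], tok[i + 2]); i += 3
            elif opt == "-j":
                rule["target"] = tok[i + 1]
                break  # everything after -j belongs to the target
            else:
                # Refuse to guess: an unparsed match would give a wrong verdict.
                raise ValueError(f"unsupported option {opt!r} in: {line}")
        chains.setdefault(tok[1], []).append(rule)
    return chains


def matches(rule, pkt, ipsets):
    """True when every match condition of the rule holds for the packet."""
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    if rule["dst"] and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if rule["set"]:
        name, direction = rule["set"]
        addr = ipaddress.ip_address(pkt[direction])
        if not any(addr in ipaddress.ip_network(n) for n in ipsets[name]):
            return False
    return True


def trace(chains, chain, pkt, ipsets):
    """Return (target, rule_text) of the first rule that takes the packet,
    or (None, rule_text) when the chain returns to its caller."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt, ipsets):
            continue
        target = rule["target"]
        if target == "RETURN":
            return None, rule["raw"]
        if target in chains:  # jump into a user-defined chain
            verdict, raw = trace(chains, target, pkt, ipsets)
            if verdict:
                return verdict, raw
            continue  # the sub-chain returned; keep going in this chain
        return target, rule["raw"]
    return None, None


def ntp_verdict(dst, src="10.0.10.50"):
    """Fate of an NTP request from a (constructed) LAN client to dst."""
    pkt = {"proto": "udp", "dport": 123, "src": src, "dst": dst}
    verdict, _ = trace(parse_rules(MANGLE_RULES), "PREROUTING", pkt, IPSETS)
    return verdict or "not intercepted"


if __name__ == "__main__":
    for dst in ("203.0.113.10", "198.51.100.7", "10.0.10.1"):
        print(dst, "->", ntp_verdict(dst))
```

A server address inside `china_ip_route` or `localnetwork` leaves the chain untouched and is routed directly, while any other destination is handed to the TPROXY listener on port 7892, so synchronization then depends on the proxy relaying UDP.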


github-actions bot commented Feb 1, 2022

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days
