
TUN transparent proxy does not intercept DNS requests from LAN devices

Open oden66 opened this issue 1 year ago • 3 comments

Operating system

Linux

System version

Ubuntu22.04

Installation type

Original sing-box Command Line

If you are using a graphical client, please provide the version of the client.

No response

Version

sing-box version 1.9.3

Environment: go1.22.4 linux/amd64
Tags: with_gvisor,with_quic,with_dhcp,with_wireguard,with_ech,with_utls,with_reality_server,with_acme,with_clash_api
Revision: 085f60337799afc906069b540a38368968c123e4
CGO: disabled

Description

ubuntu: ip: 192.168.6.11, `echo 1 > /proc/sys/net/ipv4/ip_forward`, TUN mode

windows: ip: 192.168.6.10, gateway: 192.168.6.11, dns: 8.8.8.8

In the sing-box log on Ubuntu there are no inbound entries from the Windows machine.

Reproduction

Configuration file:

```json
{
  "log": {
    "disabled": false,
    "level": "info",
    "output": "/var/log/box.log",
    "timestamp": true
  },
  "dns": {
    "servers": [
      {
        "tag": "alidns",
        "address": "https://223.5.5.5/dns-query",
        "address_strategy": "prefer_ipv4",
        "strategy": "ipv4_only",
        "detour": "direct"
      },
      {
        "tag": "cf",
        "address": "https://1.1.1.1/dns-query",
        "strategy": "ipv4_only",
        "detour": "direct"
      },
      {
        "tag": "block",
        "address": "rcode://success"
      }
    ],
    "rules": [
      {
        "geosite": [
          "cn"
        ],
        "domain_suffix": [
          ".cn"
        ],
        "server": "alidns",
        "disable_cache": false
      },
      {
        "geosite": [
          "category-ads-all"
        ],
        "server": "block",
        "disable_cache": true
      }
    ],
    "final": "cf",
    "strategy": "",
    "disable_cache": false,
    "disable_expire": false
  },
  "inbounds": [
    {
      "tag": "tun-in",
      "type": "tun",
      "inet4_address": "172.19.0.1/30",
      "auto_route": true,
      "strict_route": true,
      "stack": "system",
      "mtu": 9000,
      "sniff": true
    }
  ],
  "outbounds": [
    {
      "type": "vmess",
      "tag": "proxy",
      "server": "***",
      "server_port": 80,
      "uuid": "***",
      "security": "auto",
      "alter_id": 0,
      "network": "tcp",
      "transport": {
        "type": "ws",
        "path": "/",
        "headers": {
          "Host": "tms.dingtalk.com"
        }
      },
      "tcp_fast_open": false
    },
    {
      "type": "direct",
      "tag": "direct"
    },
    {
      "type": "block",
      "tag": "block"
    },
    {
      "type": "dns",
      "tag": "dns-out"
    }
  ],
  "route": {
    "geoip": {
      "path": "geoip.db",
      "download_url": "https://github.com/SagerNet/sing-geoip/releases/latest/download/geoip.db",
      "download_detour": "direct"
    },
    "geosite": {
      "path": "geosite.db",
      "download_url": "https://github.com/SagerNet/sing-geosite/releases/latest/download/geosite.db",
      "download_detour": "direct"
    },
    "rules": [
      {
        "protocol": "dns",
        "outbound": "dns-out"
      },
      {
        "geosite": [
          "cn",
          "private"
        ],
        "geoip": [
          "cn",
          "private"
        ],
        "domain_suffix": [
          ".cn"
        ],
        "outbound": "direct"
      },
      {
        "geosite": [
          "category-ads-all"
        ],
        "outbound": "block"
      }
    ],
    "auto_detect_interface": true,
    "final": "proxy"
  },
  "experimental": {}
}
```

After asking around I was told to remove `"strict_route": true`. After removing it, Windows could access the network normally, but after unplugging the network cable and plugging it back in, sing-box again fails to intercept the Windows machine's DNS requests: there are no inbound entries in the log, and IP forwarding is enabled.

Logs

```
+0800 2024-06-29 12:47:27 INFO [782101917 0ms] inbound/tun[tun-in]: inbound connection from 192.168.6.10:10072
+0800 2024-06-29 12:47:27 INFO [782101917 0ms] inbound/tun[tun-in]: inbound connection to 8.8.4.4:443
+0800 2024-06-29 12:47:27 INFO [782101917 3ms] outbound/vmess[proxy]: outbound connection to 8.8.4.4:443
+0800 2024-06-29 12:47:31 ERROR router: missing default interface
+0800 2024-06-29 12:47:31 INFO [2553377043 0ms] inbound/tun[tun-in]: inbound packet connection from 172.19.0.1:40522
+0800 2024-06-29 12:47:31 INFO [2553377043 0ms] inbound/tun[tun-in]: inbound packet connection to 172.19.0.2:53
+0800 2024-06-29 12:47:31 INFO [144957692 0ms] inbound/tun[tun-in]: inbound packet connection from 172.19.0.1:43152
+0800 2024-06-29 12:47:31 INFO [144957692 0ms] inbound/tun[tun-in]: inbound packet connection to 172.19.0.2:53
+0800 2024-06-29 12:47:31 INFO [4083768830 0ms] inbound/tun[tun-in]: inbound packet connection from 172.19.0.1:48283
+0800 2024-06-29 12:47:31 INFO [4083768830 0ms] inbound/tun[tun-in]: inbound packet connection to 172.19.0.2:53
+0800 2024-06-29 12:47:31 INFO outbound/direct[direct]: outbound connection to 1.1.1.1:443
+0800 2024-06-29 12:47:31 ERROR dns: exchange failed for connectivity-check.ubuntu.com. IN A: dial tcp 1.1.1.1:443: no route to internet
+0800 2024-06-29 12:47:32 INFO [2311840661 0ms] inbound/tun[tun-in]: inbound connection from 172.19.0.1:42254
+0800 2024-06-29 12:47:32 INFO [2311840661 0ms] inbound/tun[tun-in]: inbound connection to 142.251.2.188:5228
+0800 2024-06-29 12:47:32 INFO [2311840661 1ms] outbound/vmess[proxy]: outbound connection to 142.251.2.188:5228
+0800 2024-06-29 12:47:32 ERROR [2311840661 1ms] inbound/tun[tun-in]: dial tcp 112.3.30.169:80: no route to internet
+0800 2024-06-29 12:47:32 INFO [2487906546 0ms] inbound/tun[tun-in]: inbound connection from 172.19.0.1:42260
+0800 2024-06-29 12:47:32 INFO [2487906546 0ms] inbound/tun[tun-in]: inbound connection to 142.251.2.188:5228
+0800 2024-06-29 12:47:32 INFO [2487906546 1ms] outbound/vmess[proxy]: outbound connection to 142.251.2.188:5228
+0800 2024-06-29 12:47:32 ERROR [2487906546 1ms] inbound/tun[tun-in]: dial tcp 112.3.30.169:80: no route to internet
+0800 2024-06-29 12:47:36 INFO [4135245585 0ms] inbound/tun[tun-in]: inbound packet connection from 172.19.0.1:43152
+0800 2024-06-29 12:47:36 INFO [4135245585 0ms] inbound/tun[tun-in]: inbound packet connection to 172.19.0.2:53
+0800 2024-06-29 12:47:36 INFO outbound/direct[direct]: outbound connection to 1.1.1.1:443
```

No response

Supporter

Integrity requirements

  • [X] I confirm that I have read the documentation, understand the meaning of all the configuration items I wrote, and did not pile up seemingly useful options or default values.
  • [X] I confirm that I have provided the server and client configuration files and process that can be reproduced locally, instead of a complicated client configuration file that has been stripped of sensitive data.
  • [X] I confirm that I have provided the simplest configuration that can be used to reproduce the error I reported, instead of depending on remote servers, TUN, graphical interface clients, or other closed-source software.
  • [X] I confirm that I have provided the complete configuration files and logs, rather than just providing parts I think are useful out of confidence in my own intelligence.

oden66 avatar Jun 29 '24 07:06 oden66

I had to modify the firewall rules with nftables to make it work. Doesn't TUN add the routing rules automatically?

oden66 avatar Jun 29 '24 11:06 oden66

How do you modify the rules with nftables?

wade0317 avatar Jul 17 '24 17:07 wade0317

The routing rules installed by tun auto_route + strict_route only cover traffic originated by the host itself. Roughly, it is an ip rule like `from all iif lo lookup 9000`. Traffic coming in from other interfaces can be handled with nftables, or with ip rule. Personally I think ip rule is the better way. Just add these ip rules: `from network_gate lookup 9001` (nop, direct), `from all iif wan_interface lookup 9001` (nop, direct), `from local_ip/range iif lan_interface lookup 9000` (sing tun), and that's it.

simplerick-simplefun avatar Jul 25 '24 16:07 simplerick-simplefun
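The policy-routing fix described in the last comment, worked through for the topology in the issue (Ubuntu 192.168.6.11 acting as gateway for Windows 192.168.6.10). This is an added example, not code from the thread or from the sing-box project. It assumes a single NIC named `eth0` on both the LAN and WAN side, that sing-box's auto_route populated route table 2022 (check with `ip rule show` and `ip route show table all`; the comment above refers to the table as 9000), and it picks rule priorities 9010/9011 so the added rules sit after sing-box's own `iif lo` rules rather than shadowing them. The script name `tun-forward-rules.sh` is hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the issue thread or sing-box): policy routing so that
# packets this host *forwards* for LAN clients are looked up in the TUN table.
#
# Why: auto_route only installs "iif lo" rules, i.e. it matches traffic the
# host itself originates. A LAN client's DNS query to 8.8.8.8 is forwarded,
# never matches those rules, takes the main table and bypasses the TUN, so
# sing-box logs nothing for it.
#
# Assumptions: TUN_TABLE is the table sing-box populated (2022 assumed);
# DIRECT_PRIO/TUN_PRIO are chosen above sing-box's own rule priority.
set -eu

DIRECT_PRIO="${DIRECT_PRIO:-9010}"
TUN_PRIO="${TUN_PRIO:-9011}"

# build_rules LAN_IF WAN_IF GATEWAY_IP LAN_NET TUN_TABLE
# Emits the ip(8) commands one per line without running them.
build_rules() {
    lan_if=$1; wan_if=$2; gw_ip=$3; lan_net=$4; tun_table=$5
    # Traffic sourced by the gateway address itself: direct via the main table.
    printf 'ip rule add from %s lookup main priority %s\n' "$gw_ip" "$DIRECT_PRIO"
    # Anything arriving on the WAN side (replies): direct, never into the TUN.
    printf 'ip rule add iif %s lookup main priority %s\n' "$wan_if" "$DIRECT_PRIO"
    # Forwarded packets from LAN clients: consult sing-box's TUN table.
    printf 'ip rule add from %s iif %s lookup %s priority %s\n' \
        "$lan_net" "$lan_if" "$tun_table" "$TUN_PRIO"
}

# forwarding_enabled [SYSCTL_FILE]: succeeds only when ip_forward reads 1.
# The file argument exists so the check can be exercised on a constructed file.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# run_cmds: execute each line from stdin (needs root), or echo it if DRY_RUN=1.
run_cmds() {
    while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; else eval "$cmd"; fi
    done
}

# apply_rules ARGS...: refuse to proceed when forwarding is off, because the
# rules alone would silently do nothing for LAN clients.
apply_rules() {
    forwarding_enabled || { echo "ip_forward is 0; enable it first" >&2; return 1; }
    build_rules "$@" | run_cmds
}

# remove_rules ARGS...: same rules with "add" turned into "del", for cleanup
# before a sing-box restart or after a link flap.
remove_rules() {
    build_rules "$@" | sed 's/^ip rule add/ip rule del/' | run_cmds
}

# Usage for the issue's topology (run as root; DRY_RUN=1 only prints):
#   DRY_RUN=1 ./tun-forward-rules.sh
if [ "${0##*/}" = "tun-forward-rules.sh" ]; then
    apply_rules eth0 eth0 192.168.6.11 192.168.6.0/24 "${TUN_TABLE:-2022}"
fi
```

After applying, a LAN client's query to 8.8.8.8 reaches the TUN, is picked up by `sniff` and the `protocol: dns` route rule, and shows up as an inbound packet connection from 192.168.6.10 in the log; `ip rule show` should list the three added rules below sing-box's own. Run `remove_rules` with the same arguments before restarting sing-box so stale rules do not accumulate.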