NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

nekoray: sing-box TUN doesn't work #337578

Open khankul opened 2 months ago

khankul commented 2 months ago

Describe the bug

nekoray supports different proxy cores, the out-of-the-box choices being Xray and sing-box. TUN mode works with Xray, but attempting to use it with sing-box results in an error after entering the password. (I'm debugging an issue where the proxy starts to leak my local IP in some places, so for starters I really need to check if the issue persists with sing-box.)

Steps To Reproduce

Steps to reproduce the behavior:

  1. Confirm that TUN mode works with Xray core using a valid proxy
  2. Switch the core to sing-box, and restart the program
  3. Make sure no other nekoray/nekobox processes are running in the background
  4. Test a proxy connection with sing-box core
  5. Initialize TUN mode with sing-box core

Expected behavior

After accepting the password, a TUN adapter is set up and the traffic is routed through it.

Screenshots

image

Additional context

This problem was not present on Arch Linux, with the same version of nekoray.

Notify maintainers

@TomaSajt :wave:

Metadata

Using the latest kernel and a mess in channels because I've installed this install out of another install on the same disk (because I craved bcachefs), which didn't carry the proper channels over. Let me know if it's not how it should look.

 - system: `"x86_64-linux"`
 - host os: `Linux 6.10.4, NixOS, 24.05 (Uakari), 24.05.3914.c3d4ac725177`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.18.5`
 - channels(root): `"nixos-24.05, nixos-24.05-24.05, unstable"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`

khankul commented 2 months ago

I've managed to make sing-box TUN work by disabling "Internal Tun" in the TUN settings. I am not aware of any security implications of this. It seems to be enabled by default in nekoray, so it's probably supposed to work.

s0me1newithhand7s commented 2 months ago

maybe polkit will help?

khankul commented 2 months ago

I'm not sure how, since it's already installed and is used when nekoray prompts for a password to activate TUN. On that note, I remember that on Arch, nekoray grants itself capabilities/permissions/etc when you enter the password for the first time and doesn't ask for it when starting TUN later. I've tried to recreate this behavior with NixOS security wrappers, but nekoray doesn't let itself run with setuid 0. Setting capabilities also doesn't seem to work:

```nix
security.wrappers = {
  nekobox_core = {
    owner = "root";
    group = "root";
    source = "${pkgs.nekoray.nekobox-core}/bin/nekobox_core";
    capabilities = "cap_net_admin=ep";
  };
};
```

After rebuilding:

```console
[user@nixos:~]$ sudo getcap /nix/store/b3ddwiwaz46i28xjs1a7izpfbl1884q5-nekobox-core-3.26/bin/nekobox_core 
(no output)
[user@nixos:~]$ 
```

s0me1newithhand7s commented 2 months ago

understood

TomaSajt commented 2 months ago

Sorry I didn't respond earlier, it's just that I don't actually know how to use this program, I'm just the person who managed to package it. So I can't really help you with this, sorry.


@Aleksanaa I remember you telling me previously that you'd also like to maintain the package. If so, could you add yourself as a maintainer? You probably know how to help with using this package better than me.

BROsandr commented 1 month ago

I am using its http proxy ability instead of "Tun" while browsing :(

Aleksanaa commented 1 month ago

> @Aleksanaa I remember you telling me previously that you'd also like to maintain the package. If so, could you add yourself as a maintainer? You probably know how to help with using this package better than me.

Okay then.

Aleksanaa commented 1 month ago

> Setting capabilities also doesn't seem to work:

It's not there. The store path won't have capabilities, but a wrapper is created in /run/wrappers/bin, and added to the PATH before other default paths.

However, setting capabilities still won't simply work, as nekoray is searching for cores in the same directory:

https://github.com/NixOS/nixpkgs/blob/99dc8785f6a0adac95f5e2ab05cc2e1bf666d172/pkgs/by-name/ne/nekoray/package.nix#L117-L119

I'll try to patch it to spawn core from PATH, not sure if that will work though. I can write a NixOS module afterwards.

s0me1newithhand7s commented 1 month ago

> > Setting capabilities also doesn't seem to work:
>
> It's not there. The store path won't have capabilities, but a wrapper is created in /run/wrappers/bin, and added to the PATH before other default paths.
>
> However, setting capabilities still won't simply work, as nekoray is searching for cores in the same directory:
>
> https://github.com/NixOS/nixpkgs/blob/99dc8785f6a0adac95f5e2ab05cc2e1bf666d172/pkgs/by-name/ne/nekoray/package.nix#L117-L119
>
> I'll try to patch it to spawn core from PATH, not sure if that will work though. I can write a NixOS module afterwards.

in case you'll write NixOS module - can we ask nix-community about home-manager module?

Aleksanaa commented 1 month ago

> can we ask nix-community about home-manager module?

No, home-manager module cannot set privileges. In case you want to write configuration declaratively (why for a GUI manager?), you can write a module.

s0me1newithhand7s commented 1 month ago

> > can we ask nix-community about home-manager module?
>
> No, home-manager module cannot set privileges. In case you want to write configuration declaratively (why for a GUI manager?), you can write a module.

okay, understood, and thx