SagerNet / sing-box

The universal proxy platform
https://sing-box.sagernet.org/

Client STUN NAT binding test fails after enabling Sniff on the Hysteria2 server inbound #1639

Closed SimonTLS closed 5 months ago

SimonTLS commented 5 months ago

Operating system

Windows

System version

Windows 10 LTSC

Installation type

Original sing-box Command Line

If you are using a graphical client, please provide the version of the client.

No response

Version

sing-box version 1.9.0-rc.4

Environment: go1.22.1 linux/amd64
Tags: with_gvisor,with_quic,with_dhcp,with_wireguard,with_ech,with_utls,with_reality_server,with_acme,with_clash_api
Revision: dce6053c3f37e2e578de4af106f3db0edf24e73d
CGO: disabled

Description

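With Sniff enabled on the Hysteria2 inbound, the STUN test fails; with Sniff disabled it works normally. Using NatTypeTester connected through Socks5 to test RFC 5780, it reports that the binding test fails, but the RFC 3489 test result is FullCone. https://github.com/HMBSbige/NatTypeTester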


Reproduction

Server Config

{
  "log": {
    "level": "debug",
    "timestamp": true
  },
  "dns": {
    "servers": [
      {
        "tag": "cloudflare",
        "address": "tls://1.1.1.1",
        "strategy": "ipv4_only",
        "detour": "direct"
      }
    ]
  },
  "inbounds": [
    {
      "type": "hysteria2",
      "listen": "::",
      "listen_port": 10000,
      "sniff": true,
      "users": [
        {
          "password": "test"
        }
      ],
      "tls": {
        "enabled": true,
        "certificate_path": "crt",
        "key_path": "key"
      }
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "direct"
    },
    {
      "type": "block",
      "tag": "block"
    }
  ]
}

Client Config

{
  "log": {
    "level": "debug",
    "timestamp": true
  },
  "dns": {
    "servers": [
      {
        "tag": "local",
        "address": "tls://1.1.1.1",
        "detour": "proxy"
      }
    ],
    "strategy": "ipv4_only"
  },
  "inbounds": [
    {
      "type": "socks",
      "tag": "socks",
      "listen": "127.0.0.1",
      "listen_port": 12345,
      "sniff": true,
      "domain_strategy": "ipv4_only"
    }
  ],
  "outbounds": [
    {
      "type": "hysteria2",
      "tag": "proxy",
      "server": "127.0.0.1",
      "server_port": 10000,
      "password": "test",
      "tls": {
        "enabled": true,
        "disable_sni": true,
        "insecure": true
      }
    },
    {
      "type": "direct",
      "tag": "direct"
    },
    {
      "type": "block",
      "tag": "block"
    },
    {
      "type": "dns",
      "tag": "dns-out"
    }
  ],
  "route": {
    "auto_detect_interface": true
  }
}

Logs

Server Log
+0800 2024-04-04 22:06:28 INFO router: updated default interface 以太网, index 8
+0800 2024-04-04 22:06:28 INFO inbound/hysteria2[0]: udp server started at [::]:10000
+0800 2024-04-04 22:06:28 INFO sing-box started (0.11s)
+0800 2024-04-04 22:06:33 INFO [2976692661 0ms] inbound/hysteria2[0]: inbound packet connection from [::ffff:127.0.0.1]:59533
+0800 2024-04-04 22:06:33 INFO [2976692661 0ms] inbound/hysteria2[0]: inbound packet connection to 124.222.49.56:3478
+0800 2024-04-04 22:06:33 DEBUG [2976692661 0ms] router: sniffed packet protocol: stun
+0800 2024-04-04 22:06:33 INFO [2976692661 0ms] outbound/direct[direct]: outbound packet connection

Client Log
+0800 2024-04-04 22:06:25 INFO router: updated default interface 以太网, index 8
+0800 2024-04-04 22:06:25 INFO inbound/socks[socks]: tcp server started at 127.0.0.1:12345
+0800 2024-04-04 22:06:25 INFO sing-box started (0.11s)
+0800 2024-04-04 22:06:33 INFO [894207738 0ms] inbound/socks[socks]: inbound connection from 127.0.0.1:5989
+0800 2024-04-04 22:06:33 INFO [894207738 2ms] inbound/socks[socks]: inbound packet connection to 0.0.0.0:59531
+0800 2024-04-04 22:06:33 DEBUG [894207738 2ms] router: sniffed packet protocol: stun
+0800 2024-04-04 22:06:33 INFO [894207738 2ms] outbound/hysteria2[proxy]: outbound packet connection to 124.222.49.56:3478
+0800 2024-04-04 22:06:36 DEBUG [894207738 3.1s] inbound/socks[socks]: connection closed: process connection from 127.0.0.1:5989: upload: read udp 127.0.0.1:59532: use of closed network connection | download: io: read/write on closed pipe

Supporter

Integrity requirements

dyhkwong commented 5 months ago

https://github.com/SagerNet/sing/blob/3f6c423e76f0c33bcb926b0d69168734951db23f/common/canceler/packet.go#L25-L31

Zxneric commented 5 months ago

The STUN test failure is caused by a bug inside sing-quic and only occurs on hysteria/hysteria2/tuic.

#1650

dyhkwong commented 5 months ago

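The STUN test failure is a server-side problem, not a client-side one, and is unrelated to #1650; please do not hijack the issue. It is caused by canceler.NewPacketConn after a successful sniff on the server; if sniff is not enabled on the server, the test does not fail.

> The STUN test failure is caused by a bug inside sing-quic and only occurs on hysteria/hysteria2/tuic.
>
> #1650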

Zxneric commented 5 months ago

Maybe I got it wrong; I also only noticed the #1650 problem because of the STUN test failure.

Zxneric commented 5 months ago

On 1.9.0-rc.6, the STUN test fails after enabling sniff. The inbound configuration is as follows.

{
  "auto_route": true,
  "interface_name": "singbox",
  "inet4_address": "172.19.0.1/30",
  "type": "tun",
  "stack": "gvisor",
  "strict_route": true,
  "sniff": true,
  "udp_disable_domain_unmapping": true
}

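The servers are running the latest versions of the official V2Ray and Hysteria implementations, and I have confirmed that this problem does not occur in the tun mode of the official Hysteria client implementation.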

Zxneric commented 5 months ago

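I suspect this is caused by differences in the details of RFC 3489, RFC 5389, and RFC 5780. Given that STUN accounts for only a tiny fraction of traffic and the protocol has had breaking changes, I suggest simply removing the sniffing for STUN. In Wireshark, STUN is split into classic STUN and STUN, because RFC 5389 changed the STUN structure definition.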
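
The header difference between classic STUN and STUN mentioned in the comment above, as an added Go example that is not part of the thread or of sing-box's code: RFC 5389 fixes bytes 4..7 of the 20-byte header to the magic cookie 0x2112A442 and keeps a 96-bit transaction ID, while RFC 3489 uses all 16 of those bytes as the transaction ID. `Classify`, `BindingRequest` and the sample transaction ID are names and values constructed for this illustration.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

const (
	NotSTUN     = "not STUN"
	ClassicSTUN = "classic STUN (RFC 3489)"
	ModernSTUN  = "STUN (RFC 5389)"
	headerLen   = 20         // both RFCs use a 20-byte header
	magicCookie = 0x2112A442 // RFC 5389 fixed value in bytes 4..7
)

// RFC 3489 Binding Request, Binding Response and Binding Error Response.
var classicTypes = map[uint16]bool{0x0001: true, 0x0101: true, 0x0111: true}

// Classify inspects only the header of one UDP datagram and names its STUN dialect.
func Classify(p []byte) string {
	if len(p) < headerLen || p[0]&0xC0 != 0 { // top two bits of a STUN message are zero
		return NotSTUN
	}
	// Over UDP the length field counts exactly the bytes that follow the header.
	if int(binary.BigEndian.Uint16(p[2:4])) != len(p)-headerLen {
		return NotSTUN
	}
	switch {
	case binary.BigEndian.Uint32(p[4:8]) == magicCookie:
		return ModernSTUN
	case classicTypes[binary.BigEndian.Uint16(p[0:2])]: // no cookie: bytes 4..7 begin a 128-bit transaction ID
		return ClassicSTUN
	}
	return NotSTUN
}

// BindingRequest builds a constructed, attribute-less Binding Request (length 0).
func BindingRequest(withCookie bool) []byte {
	p := make([]byte, headerLen)
	p[1] = 0x01                     // message type 0x0001
	copy(p[4:], "constructed-txid") // 16 constructed bytes: a full classic transaction ID
	if withCookie {
		binary.BigEndian.PutUint32(p[4:8], magicCookie) // leaves a 96-bit transaction ID
	}
	return p
}

func main() {
	fmt.Println(Classify(BindingRequest(true)), "|", Classify(BindingRequest(false)))
}
```

A detector that requires the cookie recognises only the RFC 5389 form; the classic form has no fixed marker, so it can be matched only by the weaker message-type and length checks.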

SimonTLS commented 5 months ago

v1.9.0-rc.7 Fixed Thanks!!!