WireGuard outbound not working since v1.9.1

[1sixth]

Operating system

Linux

System version

NixOS/7d916e7

Installation type

Original sing-box Command Line

If you are using a graphical client, please provide the version of the client.

No response

Version

sing-box version 1.9.1

Environment: go1.22.3 linux/amd64
Tags: with_quic,with_dhcp,with_wireguard,with_ech,with_utls,with_reality_server,with_acme,with_clash_api,with_gvisor
CGO: enabled

Description

WireGuard outbound stops working after I upgraded from v1.9.0 to v1.9.1. The first bad commit is 7003ef40a3cbabdf44420dd84ced36551a52296b.

Reproduction

• Run sing-box with the following config:

  {
  "log": {
      "level": "debug"
  },
  "inbounds": [
      {
          "type": "mixed",
          "listen": "127.0.0.1",
          "listen_port": 2080
      }
  ],
  "outbounds": [
      {
          "type": "wireguard",
          "server": "engage.cloudflareclient.com",
          "server_port": 2408,
          "local_address": [
              "172.16.0.2/32",
              "2606:4700:110:80cc:1f38:3ee7:66df:e4d2/128"
          ],
          "private_key": "OLLn4E0tI1nFswQVWqA2YV6iDu6WQG5C6mIO671ZkW4=",
          "peer_public_key": "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo="
      }
  ]
  }

• Use the inbound.
• As of v1.9.0, everything works fine.
• In v1.9.1, timeout.

Logs

v1.9.0:

INFO[0000] router: updated default interface enp0s3, index 2
DEBUG[0000] dns: lookup domain engage.cloudflareclient.com
INFO[0000] dns: lookup succeed for engage.cloudflareclient.com: 2606:4700:d0::a29f:c001 162.159.192.1
DEBUG[0000] outbound/wireguard[0]: routine: handshake worker 2 - started
DEBUG[0000] outbound/wireguard[0]: routine: handshake worker 3 - started
DEBUG[0000] outbound/wireguard[0]: routine: handshake worker 1 - started
DEBUG[0000] outbound/wireguard[0]: routine: encryption worker 2 - started
DEBUG[0000] outbound/wireguard[0]: routine: decryption worker 2 - started
DEBUG[0000] outbound/wireguard[0]: routine: decryption worker 3 - started
DEBUG[0000] outbound/wireguard[0]: routine: decryption worker 4 - started
DEBUG[0000] outbound/wireguard[0]: routine: encryption worker 4 - started
DEBUG[0000] outbound/wireguard[0]: routine: decryption worker 1 - started
DEBUG[0000] outbound/wireguard[0]: routine: handshake worker 4 - started
DEBUG[0000] outbound/wireguard[0]: routine: tun reader - started
DEBUG[0000] outbound/wireguard[0]: uapi: updating private key
DEBUG[0000] outbound/wireguard[0]: routine: encryption worker 3 - started
DEBUG[0000] outbound/wireguard[0]: routine: encryption worker 1 - started
DEBUG[0000] outbound/wireguard[0]: routine: event worker - started
DEBUG[0000] outbound/wireguard[0]: peer(bmXO…fgyo) - uapi: created
DEBUG[0000] outbound/wireguard[0]: peer(bmXO…fgyo) - uapi: updating endpoint
DEBUG[0000] outbound/wireguard[0]: peer(bmXO…fgyo) - uapi: adding allowedip
DEBUG[0000] outbound/wireguard[0]: peer(bmXO…fgyo) - uapi: adding allowedip
DEBUG[0000] outbound/wireguard[0]: interface up requested
DEBUG[0000] outbound/wireguard[0]: udp bind has been updated
DEBUG[0000] outbound/wireguard[0]: peer(bmXO…fgyo) - starting
DEBUG[0000] outbound/wireguard[0]: peer(bmXO…fgyo) - routine: sequential sender - started
DEBUG[0000] outbound/wireguard[0]: routine: receive incoming receive - started
DEBUG[0000] outbound/wireguard[0]: peer(bmXO…fgyo) - routine: sequential receiver - started
DEBUG[0000] outbound/wireguard[0]: interface state was Down, requested Up, now Up
INFO[0000] inbound/mixed[0]: tcp server started at 127.0.0.1:2080
INFO[0000] sing-box started (0.99s)
DEBUG[0004] outbound/wireguard[0]: peer(bmXO…fgyo) - sending handshake initiation
DEBUG[0004] outbound/wireguard[0]: peer(bmXO…fgyo) - received handshake response
INFO[0016] [1942613375 0ms] inbound/mixed[0]: inbound connection from 127.0.0.1:41622
INFO[0016] [1942613375 5ms] inbound/mixed[0]: inbound connection to x.com:80
DEBUG[0016] [1942613375 6ms] dns: lookup domain x.com
INFO[0016] [1942613375 52ms] dns: lookup succeed for x.com: 104.244.42.129 104.244.42.65 104.244.42.1 104.244.42.193
INFO[0016] [1942613375 52ms] outbound/wireguard[0]: outbound connection to 104.244.42.129:80
DEBUG[0016] [1942613375 157ms] inbound/mixed[0]: connection closed: process connection from 127.0.0.1:41622: read http request: EOF
DEBUG[0032] outbound/wireguard[0]: peer(bmXO…fgyo) - retrying handshake because we stopped hearing back after 15 seconds
DEBUG[0032] outbound/wireguard[0]: peer(bmXO…fgyo) - sending handshake initiation
DEBUG[0032] outbound/wireguard[0]: peer(bmXO…fgyo) - received handshake response
DEBUG[0032] outbound/wireguard[0]: peer(bmXO…fgyo) - sending keepalive packet

v1.9.1:

INFO[0000] router: updated default interface enp0s3, index 2
INFO[0000] inbound/mixed[0]: tcp server started at 127.0.0.1:2080
INFO[0000] sing-box started (0.22s)
INFO[0003] [1291559798 0ms] inbound/mixed[0]: inbound connection from 127.0.0.1:46164
INFO[0003] [1291559798 6ms] inbound/mixed[0]: inbound connection to x.com:80
DEBUG[0003] [1291559798 9ms] dns: lookup domain x.com
INFO[0003] [1291559798 59ms] dns: lookup succeed for x.com: 104.244.42.1 104.244.42.193 104.244.42.129 104.244.42.65
INFO[0003] [1291559798 59ms] outbound/wireguard[0]: outbound connection to 104.244.42.1:80
INFO[0008] [1291559798 5.6s] outbound/wireguard[0]: outbound connection to 104.244.42.193:80
INFO[0013] [1291559798 10.6s] outbound/wireguard[0]: outbound connection to 104.244.42.129:80
INFO[0018] [1291559798 15.6s] outbound/wireguard[0]: outbound connection to 104.244.42.65:80
DEBUG[0023] [1291559798 20.6s] inbound/mixed[0]: connection closed: process connection from 127.0.0.1:46164: dial tcp 104.244.42.1:80: i/o timeout | dial tcp 104.244.42.193:80: i/o timeout | dial tcp 104.244.42.129:80: i/o timeout | dial tcp 104.244.42.65:80: i/o timeout | Get "http://x.com/": io: read/write on closed pipe

Supporter

• [ ] I am a sponsor

Integrity requirements

• [X] I confirm that I have read the documentation, understand the meaning of all the configuration items I wrote, and did not pile up seemingly useful options or default values.
• [X] I confirm that I have provided the server and client configuration files and process that can be reproduced locally, instead of a complicated client configuration file that has been stripped of sensitive data.
• [X] I confirm that I have provided the simplest configuration that can be used to reproduce the error I reported, instead of depending on remote servers, TUN, graphical interface clients, or other closed-source software.
• [X] I confirm that I have provided the complete configuration files and logs, rather than just providing parts I think are useful out of confidence in my own intelligence.

[nekohasekai]

Update to the latest version.