Closed dani0854 closed 1 year ago
There have been reports from Iranian users that shadow-tls has been blocked, possibly based on local DNS lookups. Regardless, shadow-tls and other similar technologies may have been banned in places where China exports censorship technology.
Now having an identical problem with Shadowsocks. Looks like packets have no problem traveling from client to server, but get dropped on the way back from server to client.
Disabled all firewall, didn't help. Also checked from client in different city in Russia, and it works.
Could be specific ISP, or Moscow problem.
(Or as usual I am missing something trivial)
The fact that it works on one ISP but doesn't work on another may have place because of the type of censorship mechanism that these ISPs have. Not all the internet providers in RU have "TSPU" (last generation of DPI systems) installed.
What confuses me in your log, I see the message "processed invalid connection". Doesn't it mean that the connection reaches the server, but the server refuses it for some reason?
Could you please try to connect to the same server using the same ISP, just not from your computer, but from the mobile device over WiFi (try Nekobox or V2RayNG client for example).
And one more question, do you have some uTLS fingerprint set on the client? Don't see it in the config.
Unfortunately, I am in a different country. And only have access via raspberry pi. But it all started when VPN stopped working on relative iphone, with sing-box app. Since this relative is not great with tech, it's hard for me to debug it from a phone remotely. So I stripped most of the config and started debugging from a raspberry pi I have in the same network. But relative says it also doesn't work on mobile connection.
Since I stripped uTLS fingerprint, I assume it takes default value of chrome
I did performed tcpdump, seems some packets get dropped on the way to server
Client:
tcpdump -i eth0 host <server ip>
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
19:31:19.502256 IP 192.168.70.10.40950 > <server ip>.https: Flags [S], seq 2099491376, win 64240, options [mss 1460,sackOK,TS val 1548141506 ecr 0,nop,wscale 7], length 0
19:31:19.553756 IP <server ip>.https > 192.168.70.10.40950: Flags [S.], seq 758334370, ack 2099491377, win 43440, options [mss 1460,sackOK,TS val 3252776925 ecr 1548141506,nop,wscale 11], length 0
19:31:19.553816 IP 192.168.70.10.40950 > <server ip>.https: Flags [.], ack 1, win 502, options [nop,nop,TS val 1548141557 ecr 3252776925], length 0
19:31:19.556233 IP 192.168.70.10.40950 > <server ip>.https: Flags [P.], seq 1:518, ack 1, win 502, options [nop,nop,TS val 1548141560 ecr 3252776925], length 517
19:31:19.818127 IP 192.168.70.10.40950 > <server ip>.https: Flags [P.], seq 1:518, ack 1, win 502, options [nop,nop,TS val 1548141822 ecr 3252776925], length 517
19:31:20.074145 IP 192.168.70.10.40950 > <server ip>.https: Flags [P.], seq 1:518, ack 1, win 502, options [nop,nop,TS val 1548142078 ecr 3252776925], length 517
19:31:20.586151 IP 192.168.70.10.40950 > <server ip>.https: Flags [P.], seq 1:518, ack 1, win 502, options [nop,nop,TS val 1548142590 ecr 3252776925], length 517
19:31:21.610165 IP 192.168.70.10.40950 > <server ip>.https: Flags [P.], seq 1:518, ack 1, win 502, options [nop,nop,TS val 1548143614 ecr 3252776925], length 517
19:31:23.658163 IP 192.168.70.10.40950 > <server ip>.https: Flags [P.], seq 1:518, ack 1, win 502, options [nop,nop,TS val 1548145662 ecr 3252776925], length 517
19:31:24.554351 IP 192.168.70.10.40950 > <server ip>.https: Flags [F.], seq 518, ack 1, win 502, options [nop,nop,TS val 1548146558 ecr 3252776925], length 0
19:31:27.754169 IP 192.168.70.10.40950 > <server ip>.https: Flags [FP.], seq 1:518, ack 1, win 502, options [nop,nop,TS val 1548149758 ecr 3252776925], length 517
19:31:35.946161 IP 192.168.70.10.40950 > <server ip>.https: Flags [FP.], seq 1:518, ack 1, win 502, options [nop,nop,TS val 1548157950 ecr 3252776925], length 517
19:31:52.330169 IP 192.168.70.10.40950 > <server ip>.https: Flags [FP.], seq 1:518, ack 1, win 502, options [nop,nop,TS val 1548174334 ecr 3252776925], length 517
Server:
tcpdump -i eth0 host <client ip>
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
16:31:19.533672 IP <client ip>.1328 > sing-box.https: Flags [S], seq 2099491376, win 64240, options [mss 1460,sackOK,TS val 1548141506 ecr 0,nop,wscale 7], length 0
16:31:19.533763 IP sing-box.https > <client ip>.1328: Flags [S.], seq 758334370, ack 2099491377, win 43440, options [mss 1460,sackOK,TS val 3252776925 ecr 1548141506,nop,wscale 11], length 0
16:31:19.584490 IP <client ip>.1328 > sing-box.https: Flags [.], ack 1, win 502, options [nop,nop,TS val 1548141557 ecr 3252776925], length 0
16:31:34.598289 IP sing-box.https > <client ip>.1328: Flags [.], ack 1, win 22, options [nop,nop,TS val 3252791990 ecr 1548141557], length 0
16:31:39.608748 IP sing-box.https > <client ip>.1328: Flags [F.], seq 1, ack 1, win 22, options [nop,nop,TS val 3252797000 ecr 1548141557], length 0
16:31:39.878259 IP sing-box.https > <client ip>.1328: Flags [F.], seq 1, ack 1, win 22, options [nop,nop,TS val 3252797270 ecr 1548141557], length 0
16:31:40.134285 IP sing-box.https > <client ip>.1328: Flags [F.], seq 1, ack 1, win 22, options [nop,nop,TS val 3252797526 ecr 1548141557], length 0
16:31:40.646285 IP sing-box.https > <client ip>.1328: Flags [F.], seq 1, ack 1, win 22, options [nop,nop,TS val 3252798038 ecr 1548141557], length 0
16:31:41.670269 IP sing-box.https > <client ip>.1328: Flags [F.], seq 1, ack 1, win 22, options [nop,nop,TS val 3252799062 ecr 1548141557], length 0
16:31:43.718303 IP sing-box.https > <client ip>.1328: Flags [F.], seq 1, ack 1, win 22, options [nop,nop,TS val 3252801110 ecr 1548141557], length 0
16:31:47.910274 IP sing-box.https > <client ip>.1328: Flags [F.], seq 1, ack 1, win 22, options [nop,nop,TS val 3252805302 ecr 1548141557], length 0
16:31:56.102276 IP sing-box.https > <client ip>.1328: Flags [F.], seq 1, ack 1, win 22, options [nop,nop,TS val 3252813494 ecr 1548141557], length 0
16:32:12.486255 IP sing-box.https > <client ip>.1328: Flags [F.], seq 1, ack 1, win 22, options [nop,nop,TS val 3252829878 ecr 1548141557], length 0
16:32:45.510266 IP sing-box.https > <client ip>.1328: Flags [F.], seq 1, ack 1, win 22, options [nop,nop,TS val 3252862902 ecr 1548141557], length 0
The problem seemed to happen only between clients in Russia, and a specific server. So I migrated to a new server, and the issue has disappeared. I guess the best long term solution will be to use something like Cloudflare.
Since it is not an issue of sing-box, I am closing this issue. Thanks for the help.
Welcome
Description of the problem
I have a problem connecting from Russia. Client is in Russia, and server is in Germany. I have tried connecting with exactly same client config from different country and it worked. For some reason, when connecting from Russia, I get
context deadline exceeded
.I have checked time on client and server, which turns out it was correct. Also, I can easily telnet from client into port 443 on server.
Also, TLS handshake seems to get stuck on a client in Russia:
Seems to get stuck, in other countries it works perfectly. Moreover, on a client in Russia, TLS handshake works perfectly when running
curl -v https://www.amazon.de
I am afraid at that point my knowledge is insufficient to continue debugging it on my own. I looked through news and issues, couldn't find anything relevant.
Version of sing-box
Server and client configuration file
Server and client log file