SagerNet / sing-box

The universal proxy platform
https://sing-box.sagernet.org/

The TUIC protocol cannot split outbound traffic by domain on the server side #776

Closed miaomier closed 1 year ago

miaomier commented 1 year ago

Operating system

Windows

System version

Windows 10 22H2

Installation type

sing-box original command-line program

If you use a graphical client program, please provide that program's version.

No response

Version

```console
sing-box version 1.4.0-beta.5

Environment: go1.21.0 windows/amd64
Tags: with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_reality_server,with_clash_api
Revision: 7cd8dbdb4d6bad9170071d3c411efd2427ae653b
CGO: disabled
```

Description

The TUIC protocol cannot split outbound traffic by domain on the server side; I suspect this is because the server-side TUIC inbound cannot sniff the domain.

If the domain_strategy option is removed from the client inbound so that no DNS resolution is done, the server can split by domain, but no sniff information appears in the server log either.

Steps to reproduce

Tested with the Chrome browser: a proxy extension sets the proxy to sing-box's inbound port socks5://127.0.0.1:7890, then www.baidu.com is visited. Below is the simplified configuration, using the loopback address 127.0.0.1 to simulate the setup.

The expected result is that the server sniffs the domain www.baidu.com and then follows the route rule to the direct-out outbound; in fact it went to the fallback outbound block, which does not match expectations.

Client configuration

```json
{
  "log": {
    "level": "debug",
    "timestamp": true
  },
  "dns": {
    "servers": [
      {
        "tag": "ali-dns",
        "address": "tls://223.6.6.6",
        "detour": "direct-out"
      }
    ]
  },
  "inbounds": [
    {
      "type": "mixed",
      "tag": "mixed-in",
      "listen": "127.0.0.1",
      "listen_port": 7890,
      "domain_strategy": "prefer_ipv4"
    }
  ],
  "outbounds": [
    {
      "type": "tuic",
      "tag": "tuic-out",
      "server": "127.0.0.1",
      "server_port": 17890,
      "uuid": "5bf314ed-1831-4d98-ba0e-53d6854fe64c",
      "password": "password",
      "tls": {
        "enabled": true,
        "server_name": "xxx.tld",
        "alpn": "h3"
      }
    },
    {
      "type": "direct",
      "tag": "direct-out"
    }
  ]
}
```

Server configuration

```json
{
  "log": {
    "level": "debug",
    "timestamp": true
  },
  "inbounds": [
    {
      "type": "tuic",
      "tag": "tuic-in",
      "listen": "127.0.0.1",
      "listen_port": 17890,
      "sniff": true,
      "users": [
        {
          "name": "tuic",
          "uuid": "5bf314ed-1831-4d98-ba0e-53d6854fe64c",
          "password": "password"
        }
      ],
      "tls": {
        "enabled": true,
        "server_name": "xxx.tld",
        "alpn": "h3",
        "certificate_path": "fullchain.pem",
        "key_path": "privkey.pem"
      }
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "direct-out"
    },
    {
      "type": "block",
      "tag": "block"
    }
  ],
  "route": {
    "rules": [
      {
        "domain": "www.baidu.com",
        "outbound": "direct-out"
      }
    ],
    "final": "block"
  }
}
```

Logs

Client log

```console
$ sing-box run -c tuic-client.json
+0800 2023-08-13 23:26:06 INFO router: updated default interface ethernet, index 3
+0800 2023-08-13 23:26:06 INFO inbound/mixed[mixed-in]: tcp server started at 127.0.0.1:7890
+0800 2023-08-13 23:26:06 INFO sing-box started (0.11s)
+0800 2023-08-13 23:26:09 INFO [1504145626 0ms] inbound/mixed[mixed-in]: inbound connection from 127.0.0.1:43114
+0800 2023-08-13 23:26:09 INFO [1504145626 1ms] inbound/mixed[mixed-in]: inbound connection to www.baidu.com:443
+0800 2023-08-13 23:26:09 DEBUG [1504145626 1ms] dns: lookup domain www.baidu.com
+0800 2023-08-13 23:26:09 INFO outbound/direct[direct-out]: outbound connection to 223.6.6.6:853
+0800 2023-08-13 23:26:09 DEBUG dns: exchanged www.baidu.com NOERROR 109
+0800 2023-08-13 23:26:09 DEBUG dns: exchanged www.baidu.com NOERROR 67
+0800 2023-08-13 23:26:09 INFO dns: exchanged www.baidu.com CNAME www.baidu.com. 67 IN CNAME www.a.shifen.com.
+0800 2023-08-13 23:26:09 INFO dns: exchanged www.baidu.com CNAME www.baidu.com. 109 IN CNAME www.a.shifen.com.
+0800 2023-08-13 23:26:09 INFO dns: exchanged www.baidu.com A www.a.shifen.com. 67 IN A 14.119.104.189
+0800 2023-08-13 23:26:09 INFO dns: exchanged www.baidu.com SOA a.shifen.com. 109 IN SOA ns1.a.shifen.com. baidu_dns_master.baidu.com. 2308130020 5 5 2592000 3600
+0800 2023-08-13 23:26:09 INFO dns: exchanged www.baidu.com A www.a.shifen.com. 67 IN A 14.119.104.254
+0800 2023-08-13 23:26:09 INFO dns: exchanged www.baidu.com OPT OPT PSEUDOSECTION: EDNS: version 0 flags: MBZ: 0x006d, udp: 4096
+0800 2023-08-13 23:26:09 INFO dns: exchanged www.baidu.com OPT OPT PSEUDOSECTION: EDNS: version 0 flags: MBZ: 0x0043, udp: 4096
+0800 2023-08-13 23:26:09 INFO [1504145626 59ms] dns: lookup succeed for www.baidu.com: 14.119.104.189 14.119.104.254
+0800 2023-08-13 23:26:09 DEBUG [1504145626 60ms] dns: resolved [14.119.104.189 14.119.104.254]
+0800 2023-08-13 23:26:09 INFO [1504145626 60ms] outbound/tuic[tuic-out]: outbound connection to 14.119.104.189:443
+0800 2023-08-13 23:26:09 INFO [1824890557 0ms] inbound/mixed[mixed-in]: inbound connection from 127.0.0.1:43116
+0800 2023-08-13 23:26:09 INFO [1824890557 0ms] inbound/mixed[mixed-in]: inbound connection to www.baidu.com:443
+0800 2023-08-13 23:26:09 DEBUG [1824890557 1ms] dns: lookup domain www.baidu.com
+0800 2023-08-13 23:26:09 INFO [1824890557 1ms] dns: lookup succeed for www.baidu.com: 14.119.104.189 14.119.104.254
+0800 2023-08-13 23:26:09 DEBUG [1824890557 2ms] dns: resolved [14.119.104.189 14.119.104.254]
+0800 2023-08-13 23:26:09 INFO [1824890557 2ms] outbound/tuic[tuic-out]: outbound connection to 14.119.104.189:443
```

Server log

```console
$ sing-box run -c tuic-server.json
+0800 2023-08-13 23:26:02 INFO router: updated default interface ethernet, index 3
+0800 2023-08-13 23:26:02 INFO inbound/tuic[tuic-in]: udp server started at 127.0.0.1:17890
+0800 2023-08-13 23:26:02 INFO sing-box started (0.11s)
+0800 2023-08-13 23:26:09 INFO [3039807440 0ms] inbound/tuic[tuic-in]: inbound connection to 14.119.104.189:443
+0800 2023-08-13 23:26:09 INFO [3039807440 0ms] outbound/block[block]: blocked connection to 14.119.104.189:443
+0800 2023-08-13 23:26:09 INFO [2938854263 0ms] inbound/tuic[tuic-in]: inbound connection to 14.119.104.189:443
+0800 2023-08-13 23:26:09 INFO [2938854263 1ms] outbound/block[block]: blocked connection to 14.119.104.189:443
```
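The report expects the server to recover www.baidu.com from the TLS stream even though the client already resolved the destination to 14.119.104.189, so that the domain rule can match. The Go program below is an added illustration, not sing-box code: `sniffSNI` parses the server_name out of a TLS ClientHello record the way a server-side sniffer must, rejecting truncated or malformed records, and `clientHelloBytes` (a hypothetical helper) generates the sample ClientHello in-process with crypto/tls rather than using a capture.

```go
package main

import (
	"crypto/tls"
	"errors"
	"net"
)

var errNotHello = errors.New("not a TLS ClientHello carrying server_name")

// sniffSNI does what a server-side "sniff" must do for a TLS flow: parse the ClientHello
// and return its server_name, the domain a route rule can match even when the declared
// destination is only an IP such as 14.119.104.189 (as in the server log above).
func sniffSNI(rec []byte) (name string, err error) {
	defer func() { // lengths come from the peer: a bad index on a hostile record, or no name, is an error, not a crash
		if recover() != nil || name == "" {
			name, err = "", errNotHello
		}
	}()
	u16 := func(b []byte, i int) int { return int(b[i])<<8 | int(b[i+1]) }
	if rec[0] != 0x16 || rec[5] != 1 || 5+u16(rec, 3) > len(rec) { // handshake record holding a ClientHello
		return "", errNotHello
	}
	rec = rec[:5+u16(rec, 3)] // never read past this record into the next one
	p := 5 + 4 + 2 + 32       // record header, handshake header, client_version, random
	p += 1 + int(rec[p])      // session_id
	p += 2 + u16(rec, p)      // cipher_suites
	p += 1 + int(rec[p])      // compression_methods
	end := p + 2 + u16(rec, p)
	for p += 2; p+4 <= end; {
		typ, l := u16(rec, p), u16(rec, p+2)
		p += 4
		if typ == 0 { // server_name: list len(2), name_type(1), name len(2), name
			body := rec[p : p+l] // slicing past the record panics and becomes errNotHello
			return string(body[5 : 5+u16(body, 3)]), nil
		}
		p += l
	}
	return "", errNotHello
}

// clientHelloBytes captures the ClientHello a real crypto/tls client sends for host (in-process sample input).
func clientHelloBytes(host string) []byte {
	a, b := net.Pipe()
	go tls.Client(a, &tls.Config{ServerName: host}).Handshake() // writes the ClientHello, then stalls
	buf := make([]byte, 1<<14)
	n, _ := b.Read(buf)
	b.Close() // unblocks the stalled handshake so the goroutine exits
	return buf[:n]
}
```

A sniffer in a proxy would run this over the first bytes it peeks from the inbound stream before the routing decision is made, which is why a resolved destination IP alone is not enough to match a domain rule.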
wangxiaoerYah commented 1 year ago

This problem does exist: when using tuic, server-side splitting fails. I used to think it was only me, because I forward all traffic to the server and do the splitting there; when using tuic, the log often shows an IP address with no sniffed domain, which causes the IP address to go straight to the default outbound instead of the domain rules.

wangxiaoerYah commented 1 year ago

My server uses the beta version, and Android uses SFA beta, the latest version.

There is also another problem: with 1.4 beta 6, if the Android side uses a tun inbound and a tuic outbound, it sometimes stops on its own. The steps to reproduce are to tap the toolbar buttons at the bottom, tap any button at random, and then tap dashboard, at which point SFA crashes; rolling back to 1.4 beta 5 does not have this problem.

@nekohasekai

nekohasekai commented 1 year ago

Add sniff_timeout

miaomier commented 1 year ago

> Add sniff_timeout

I have already tried setting sniff_timeout to 30s, 5m, 10m and other values; they all time out and nothing is sniffed.

wangxiaoerYah commented 1 year ago

> > Add sniff_timeout
>
> I have already tried setting sniff_timeout to 30s, 5m, 10m and other values; they all time out and nothing is sniffed.

It did not work for me either; I set 4s, and your 10 minutes is a bit much 😂.