SagerNet / sing-box

The universal proxy platform
https://sing-box.sagernet.org/

Linux Tun inbound gVisor stack don't work for ipv6 request #810

Closed yingziwu closed 1 year ago

yingziwu commented 1 year ago

Operating system

Linux

System version

Arch Linux 6.4.11-arch2-1.1

Installation type

Original sing-box Command Line

If you are using a graphical client, please provide the version of the client.

No response

Version

$ ./sing-box version
sing-box version 1.4.0-rc.2

Environment: go1.21.0 linux/amd64
Tags: with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_reality_server,with_clash_api
Revision: ad33efabd649851ac0c13fd785f89e46debc7f21
CGO: disabled
$ uname -a
Linux localhost 6.4.11-arch2-1.1 #1 SMP PREEMPT_DYNAMIC Sat, 19 Aug 2023 23:05:25 +0000 x86_64 GNU/Linux

Description

On Linux, with the tun inbound using the gVisor stack, sing-box does not respond to incoming IPv6 requests, but does respond to IPv4 requests.

Reproduction

gvisor.json

{
  "log": {
    "level": "trace"
  },
  "inbounds": [
    {
      "type": "tun",
      "tag": "tun-in",
      "interface_name": "tun0",
      "inet4_address": "172.18.0.1/30",
      "inet6_address": "fdfe:ddba:9876::1/126",
      "stack": "gvisor",
      "auto_route": false,
      "strict_route": false,
      "sniff": true
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "direct",
      "connect_timeout": "2m"
    },
    {
      "type": "block",
      "tag": "block"
    }
  ],
  "route": {
    "rules": [
      {
        "geosite": "category-ads-all",
        "outbound": "block"
      }
    ],
    "final": "direct",
    "auto_detect_interface": true
  }
}

start sing-box

sudo ./sing-box -D $(pwd)/sing-box-gvisor -c $(pwd)/gvisor.json run

start test with curl

curl -vs -o /dev/null -4 --interface tun0 --connect-timeout 15 https://zhuanlan.zhihu.com
curl -vs -o /dev/null -6 --interface tun0 --connect-timeout 15 https://zhuanlan.zhihu.com

Logs

$ sudo ./sing-box -D $(pwd)/sing-box-gvisor -c $(pwd)/gvisor.json run
INFO[0000] router: loaded geosite database: 1419 codes
INFO[0000] router: updated default interface wlp1s0, index 2
TRACE[0000] initializing inbound/tun[tun-in]
TRACE[0000] inbound/tun[tun-in]: opening interface
TRACE[0000] inbound/tun[tun-in]: creating stack
TRACE[0000] inbound/tun[tun-in]: starting stack
INFO[0000] inbound/tun[tun-in]: started at tun0
INFO[0000] sing-box started (0.11s)
INFO[0011] [1743194090 0ms] inbound/tun[tun-in]: inbound connection from 172.18.0.1:46542
INFO[0011] [1743194090 0ms] inbound/tun[tun-in]: inbound connection to 123.125.244.32:443
DEBUG[0011] [1743194090 301ms] router: sniffed protocol: tls, domain: zhuanlan.zhihu.com
INFO[0011] [1743194090 301ms] outbound/direct[direct]: outbound connection to 123.125.244.32:443
$ ip a show tun0
9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 9000 qdisc cake state UNKNOWN group default qlen 500
    link/none 
    inet 172.18.0.1/30 brd 172.18.0.3 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fdfe:ddba:9876::1/126 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::4ed:6fd5:d2ae:d867/64 scope link stable-privacy proto kernel_ll 
       valid_lft forever preferred_lft forever
$ curl -vs -o /dev/null -4 --interface tun0 --connect-timeout 15 https://zhuanlan.zhihu.com
* processing: https://zhuanlan.zhihu.com
*   Trying 123.125.244.32:443...
* Connected to zhuanlan.zhihu.com (123.125.244.32) port 443
* ALPN: offers h2,http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [3982 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: C=CN; ST=\U5317\U4EAC\U5E02; O=\U667A\U8005\U56DB\U6D77\UFF08\U5317\U4EAC\UFF09\U6280\U672F\U6709\U9650\U516C\U53F8; CN=*.zhihu.com
*  start date: Dec  5 00:00:00 2022 GMT
*  expire date: Jan  5 23:59:59 2024 GMT
*  subjectAltName: host "zhuanlan.zhihu.com" matched cert's "*.zhihu.com"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=GeoTrust CN RSA CA G1
*  SSL certificate verify ok.
} [5 bytes data]
* using HTTP/2
* h2 [:method: GET]
* h2 [:scheme: https]
* h2 [:authority: zhuanlan.zhihu.com]
* h2 [:path: /]
* h2 [user-agent: curl/8.2.1]
* h2 [accept: */*]
* Using Stream ID: 1
} [5 bytes data]
> GET / HTTP/2
> Host: zhuanlan.zhihu.com
> User-Agent: curl/8.2.1
> Accept: */*
> 
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [265 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [265 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
< HTTP/2 200 
< server: CLOUD ELB 1.0.0
< date: Fri, 25 Aug 2023 12:45:22 GMT
< content-type: text/html; charset=utf-8
< vary: Accept-Encoding
< vary: Accept-Encoding
< vary: Accept-Encoding
< set-cookie: _zap=934e787b-736a-493d-81df-408a1e2bfbc5; path=/; expires=Sun, 24 Aug 2025 12:45:22 GMT; domain=.zhihu.com
< set-cookie: _xsrf=da58d49f-f8d3-4993-b31d-ba25fb20680c; path=/; domain=.zhihu.com
< set-cookie: d_c0=APARvT9CSxePTiOzDUFWhX7B0JZ4Or9DwyA=|1692967522; Path=/; Domain=zhihu.com; Expires=Tue, 25 Aug 2026 12:45:22 GMT
< content-security-policy: default-src * blob:; img-src * data: blob: resource: t.captcha.qq.com *.dun.163yun.com *.dun.163.com *.126.net *.nosdn.127.net nos.netease.com; connect-src * wss: blob: resource:; frame-src 'self' *.zhihu.com mailto: tel: weixin: *.vzuu.com mo.m.taobao.com getpocket.com note.youdao.com safari-extension://com.evernote.safari.clipper-Q79WDW8YH9 blob: mtt: zhihujs: captcha.guard.qcloud.com pos.baidu.com dup.baidustatic.com openapi.baidu.com wappass.baidu.com passport.baidu.com *.cme.qcloud.com vs-cdn.tencent-cloud.com t.captcha.qq.com *.dun.163yun.com *.dun.163.com *.126.net *.nosdn.127.net nos.netease.com; script-src 'self' blob: *.zhihu.com g.alicdn.com qzonestyle.gtimg.cn res.wx.qq.com open.mobile.qq.com 'unsafe-eval' unpkg.zhimg.com unicom.zhimg.com resource: zhihu-live.zhimg.com captcha.gtimg.com captcha.guard.qcloud.com pagead2.googlesyndication.com cpro.baidustatic.com pos.baidu.com dup.baidustatic.com i.hao61.net jsapi.qq.com 'nonce-6a3fb529-a20e-4617-b199-4da6e9eb13df' hm.baidu.com zz.bdstatic.com b.bdstatic.com imgcache.qq.com vs-cdn.tencent-cloud.com www.mangren.com www.yunmd.net zhihu.govwza.cn p.cnwza.cn ssl.captcha.qq.com t.captcha.qq.com *.dun.163yun.com *.dun.163.com *.126.net *.nosdn.127.net nos.netease.com; style-src 'self' 'unsafe-inline' *.zhihu.com unicom.zhimg.com resource: captcha.gtimg.com www.mangren.com ssl.captcha.qq.com t.captcha.qq.com *.dun.163yun.com *.dun.163.com *.126.net *.nosdn.127.net nos.netease.com; font-src * data:; frame-ancestors *.zhihu.com
< x-content-security-policy: default-src * blob:; img-src * data: blob: resource: t.captcha.qq.com *.dun.163yun.com *.dun.163.com *.126.net *.nosdn.127.net nos.netease.com; connect-src * wss: blob: resource:; frame-src 'self' *.zhihu.com mailto: tel: weixin: *.vzuu.com mo.m.taobao.com getpocket.com note.youdao.com safari-extension://com.evernote.safari.clipper-Q79WDW8YH9 blob: mtt: zhihujs: captcha.guard.qcloud.com pos.baidu.com dup.baidustatic.com openapi.baidu.com wappass.baidu.com passport.baidu.com *.cme.qcloud.com vs-cdn.tencent-cloud.com t.captcha.qq.com *.dun.163yun.com *.dun.163.com *.126.net *.nosdn.127.net nos.netease.com; script-src 'self' blob: *.zhihu.com g.alicdn.com qzonestyle.gtimg.cn res.wx.qq.com open.mobile.qq.com 'unsafe-eval' unpkg.zhimg.com unicom.zhimg.com resource: zhihu-live.zhimg.com captcha.gtimg.com captcha.guard.qcloud.com pagead2.googlesyndication.com cpro.baidustatic.com pos.baidu.com dup.baidustatic.com i.hao61.net jsapi.qq.com 'nonce-6a3fb529-a20e-4617-b199-4da6e9eb13df' hm.baidu.com zz.bdstatic.com b.bdstatic.com imgcache.qq.com vs-cdn.tencent-cloud.com www.mangren.com www.yunmd.net zhihu.govwza.cn p.cnwza.cn ssl.captcha.qq.com t.captcha.qq.com *.dun.163yun.com *.dun.163.com *.126.net *.nosdn.127.net nos.netease.com; style-src 'self' 'unsafe-inline' *.zhihu.com unicom.zhimg.com resource: captcha.gtimg.com www.mangren.com ssl.captcha.qq.com t.captcha.qq.com *.dun.163yun.com *.dun.163.com *.126.net *.nosdn.127.net nos.netease.com; font-src * data:; frame-ancestors *.zhihu.com
< x-webkit-csp: default-src * blob:; img-src * data: blob: resource: t.captcha.qq.com *.dun.163yun.com *.dun.163.com *.126.net *.nosdn.127.net nos.netease.com; connect-src * wss: blob: resource:; frame-src 'self' *.zhihu.com mailto: tel: weixin: *.vzuu.com mo.m.taobao.com getpocket.com note.youdao.com safari-extension://com.evernote.safari.clipper-Q79WDW8YH9 blob: mtt: zhihujs: captcha.guard.qcloud.com pos.baidu.com dup.baidustatic.com openapi.baidu.com wappass.baidu.com passport.baidu.com *.cme.qcloud.com vs-cdn.tencent-cloud.com t.captcha.qq.com *.dun.163yun.com *.dun.163.com *.126.net *.nosdn.127.net nos.netease.com; script-src 'self' blob: *.zhihu.com g.alicdn.com qzonestyle.gtimg.cn res.wx.qq.com open.mobile.qq.com 'unsafe-eval' unpkg.zhimg.com unicom.zhimg.com resource: zhihu-live.zhimg.com captcha.gtimg.com captcha.guard.qcloud.com pagead2.googlesyndication.com cpro.baidustatic.com pos.baidu.com dup.baidustatic.com i.hao61.net jsapi.qq.com 'nonce-6a3fb529-a20e-4617-b199-4da6e9eb13df' hm.baidu.com zz.bdstatic.com b.bdstatic.com imgcache.qq.com vs-cdn.tencent-cloud.com www.mangren.com www.yunmd.net zhihu.govwza.cn p.cnwza.cn ssl.captcha.qq.com t.captcha.qq.com *.dun.163yun.com *.dun.163.com *.126.net *.nosdn.127.net nos.netease.com; style-src 'self' 'unsafe-inline' *.zhihu.com unicom.zhimg.com resource: captcha.gtimg.com www.mangren.com ssl.captcha.qq.com t.captcha.qq.com *.dun.163yun.com *.dun.163.com *.126.net *.nosdn.127.net nos.netease.com; font-src * data:; frame-ancestors *.zhihu.com
< x-frame-options: SAMEORIGIN
< strict-transport-security: max-age=15552000; includeSubDomains
< surrogate-control: no-store
< pragma: no-cache
< expires: 0
< x-content-type-options: nosniff
< x-xss-protection: 1; mode=block
< x-backend-response: 0.064
< referrer-policy: no-referrer-when-downgrade
< x-secng-response: 0.070000171661377
< x-lb-timing: 0.072
< x-idc-id: 2
< set-cookie: KLBRSID=cdfcc1d45d024a211bb7144f66bda2cf|1692967522|1692967522; Path=/
< cache-control: must-revalidate, proxy-revalidate, no-cache, no-store
< content-length: 40948
< x-nws-log-uuid: 1474515208260154603
< x-cache-lookup: Cache Miss
< x-edge-timing: 0.079
< x-cdn-provider: tencent
< 
{ [14480 bytes data]
* Connection #0 to host zhuanlan.zhihu.com left intact

$ curl -vs -o /dev/null -6 --interface tun0 --connect-timeout 15 https://zhuanlan.zhihu.com
* processing: https://zhuanlan.zhihu.com
*   Trying [2408:8719:40a:13::45]:443...
* ipv6 connect timeout after 7296ms, move on!
*   Trying [2408:8720:800:431::41]:443...
* ipv6 connect timeout after 3648ms, move on!
*   Trying [2408:8726:1001:162:62::a8]:443...
* ipv6 connect timeout after 1824ms, move on!
*   Trying [2408:871a:5500:c:20::18]:443...
* ipv6 connect timeout after 912ms, move on!
*   Trying [2408:8722:6140:1:40::2d]:443...
* ipv6 connect timeout after 455ms, move on!
*   Trying [2408:872b:e02:101:6c::cf]:443...
* ipv6 connect timeout after 227ms, move on!
*   Trying [2408:872b:e02:101:6c::cc]:443...
* ipv6 connect timeout after 113ms, move on!
*   Trying [2408:8710:20:1022:3e::3]:443...
* ipv6 connect timeout after 56ms, move on!
*   Trying [2408:872b:e02:101:6c::ce]:443...
* Connection timeout after 15000 ms
* Closing connection
nekohasekai commented 1 year ago

I see that you set auto_route to false; please provide the firewall and routing information you configured yourself.

yingziwu commented 1 year ago

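> I see that you set auto_route to false; please provide the firewall and routing information you configured yourself.

When testing with curl, I used the --interface tun0 parameter to set the outgoing network interface to tun0 (i.e. the sing-box tun interface), which rules out interference from the system routing table, so setting auto_route to false does not affect the test result.

In addition, a Wireshark packet capture also confirms that the tun0 interface does receive the requests initiated by curl.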


nekohasekai commented 1 year ago

For certain reasons, I still think this is a routing issue. Please add the address you want to access to inet6_route_address, enable auto_route, and check the result.

yingziwu commented 1 year ago

It still fails, although the way it fails has changed.

The configuration file, revised according to the DNS resolution results for zhuanlan.zhihu.com.

$ dig zhuanlan.zhihu.com aaaa       

; <<>> DiG 9.18.18 <<>> zhuanlan.zhihu.com aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24650
;; flags: qr rd ra; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;zhuanlan.zhihu.com.        IN  AAAA

;; ANSWER SECTION:
zhuanlan.zhihu.com. 490 IN  CNAME   gslb-dsa.zhihu.com.
gslb-dsa.zhihu.com. 124 IN  CNAME   gslb-dsa-tc.zhihu.com.
gslb-dsa-tc.zhihu.com.  124 IN  CNAME   e589fa51.zhihu.com.dsa.dnsv1.com.
e589fa51.zhihu.com.dsa.dnsv1.com. 577 IN CNAME  j1hqc7ee.sched.d0-dk.tdnsdp1.cn.
j1hqc7ee.sched.d0-dk.tdnsdp1.cn. 197 IN CNAME   j1hqc7ee.51-65.cjt.cdnjn01.cenvandns.com.
j1hqc7ee.51-65.cjt.cdnjn01.cenvandns.com. 197 IN AAAA 2408:872b:e02:101:6c::ce
j1hqc7ee.51-65.cjt.cdnjn01.cenvandns.com. 197 IN AAAA 2408:8719:2000:1c0:6c::43
j1hqc7ee.51-65.cjt.cdnjn01.cenvandns.com. 197 IN AAAA 2408:871a:5500:c:20::18
j1hqc7ee.51-65.cjt.cdnjn01.cenvandns.com. 197 IN AAAA 2408:8726:1001:162:62::a8
j1hqc7ee.51-65.cjt.cdnjn01.cenvandns.com. 197 IN AAAA 2408:872b:e02:101:6c::cc
j1hqc7ee.51-65.cjt.cdnjn01.cenvandns.com. 197 IN AAAA 2408:8719:40a:13::45
j1hqc7ee.51-65.cjt.cdnjn01.cenvandns.com. 197 IN AAAA 2408:872b:e02:101:6c::cf
j1hqc7ee.51-65.cjt.cdnjn01.cenvandns.com. 197 IN AAAA 2408:8722:6140:1:40::2d
j1hqc7ee.51-65.cjt.cdnjn01.cenvandns.com. 197 IN AAAA 2408:8710:20:1022:3e::3

;; Query time: 59 msec
;; SERVER: 192.168.10.1#53(192.168.10.1) (UDP)
;; WHEN: Fri Aug 25 21:30:40 CST 2023
;; MSG SIZE  rcvd: 511
{
  "log": {
    "level": "trace"
  },
  "inbounds": [
    {
      "type": "tun",
      "tag": "tun-in",
      "interface_name": "tun0",
      "inet4_address": "172.18.0.1/30",
      "inet6_address": "fdfe:ddba:9876::1/126",
      "stack": "gvisor",
      "auto_route": true,
      "inet6_route_address": [
        "2408:872b:e02:101:6c::ce/64",
        "2408:8722:6140:1:40::2d/64",
        "2408:8719:2000:1c0:6c::43/64",
        "2408:871a:5500:c:20::18/64",
        "2408:8710:20:1022:3e::3/64",
        "2408:8719:40a:13::45/64",
        "2408:8726:1001:162:62::a8/64"
      ],
      "strict_route": false,
      "sniff": true
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "direct",
      "connect_timeout": "2m"
    },
    {
      "type": "block",
      "tag": "block"
    }
  ],
  "route": {
    "rules": [
      {
        "geosite": "category-ads-all",
        "outbound": "block"
      }
    ],
    "final": "direct",
    "auto_detect_interface": true
  }
}

Before running sing-box, curl can access the site normally.

$ curl -vs -o /dev/null -6 --connect-timeout 15 --connect-to "::[2408:8719:2000:1c0:6c::43]:" https://zhuanlan.zhihu.com
* processing: https://zhuanlan.zhihu.com
* Connecting to hostname: 2408:8719:2000:1c0:6c::43
*   Trying [2408:8719:2000:1c0:6c::43]:443...
* Connected to 2408:8719:2000:1c0:6c::43 (2408:8719:2000:1c0:6c::43) port 443
* ALPN: offers h2,http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [3982 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: C=CN; ST=\U5317\U4EAC\U5E02; O=\U667A\U8005\U56DB\U6D77\UFF08\U5317\U4EAC\UFF09\U6280\U672F\U6709\U9650\U516C\U53F8; CN=*.zhihu.com
*  start date: Dec  5 00:00:00 2022 GMT
*  expire date: Jan  5 23:59:59 2024 GMT
*  subjectAltName: host "zhuanlan.zhihu.com" matched cert's "*.zhihu.com"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=GeoTrust CN RSA CA G1
*  SSL certificate verify ok.
} [5 bytes data]
* using HTTP/2
* h2 [:method: GET]
* h2 [:scheme: https]
* h2 [:authority: zhuanlan.zhihu.com]
* h2 [:path: /]
* h2 [user-agent: curl/8.2.1]
* h2 [accept: */*]
* Using Stream ID: 1
} [5 bytes data]
> GET / HTTP/2
> Host: zhuanlan.zhihu.com
> User-Agent: curl/8.2.1
> Accept: */*
> 
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [265 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [265 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
< HTTP/2 200 
< server: CLOUD ELB 1.0.0
< date: Fri, 25 Aug 2023 13:43:59 GMT
< content-type: text/html; charset=utf-8
< vary: Accept-Encoding
< vary: Accept-Encoding
< vary: Accept-Encoding
< set-cookie: _zap=5a4778ae-4762-4f8e-aed3-24626acd8db7; path=/; expires=Sun, 24 Aug 2025 13:43:58 GMT; domain=.zhihu.com
< set-cookie: _xsrf=cd5744bf-b2cc-4de4-94dd-1abf620e2ce6; path=/; domain=.zhihu.com
< set-cookie: d_c0=APDQf6lPSxePTgasj-xJsb3SypAgt9b0s5w=|1692971038; Path=/; Domain=zhihu.com; Expires=Tue, 25 Aug 2026 13:43:58 GMT
< content-security-policy: default-src * blob:; img-src * data: blob: resource: t.captcha.qq.com *.dun.163yun.com *.dun.163.com *.126.net *.nosdn.127.net nos.netease.com; connect-src * wss: blob: resource:; frame-src 'self' *.zhihu.com mailto: tel: weixin: *.vzuu.com mo.m.taobao.com getpocket.com note.youdao.com safari-extension://com.evernote.safari.clipper-Q79WDW8YH9 blob: mtt: zhihujs: captcha.guard.qcloud.com pos.baidu.com dup.baidustatic.com openapi.baidu.com wappass.baidu.com passport.baidu.com *.cme.qcloud.com vs-cdn.tencent-cloud.com t.captcha.qq.com *.dun.163yun.com *.dun.163.com *.126.net *.nosdn.127.net nos.netease.com; script-src 'self' blob: *.zhihu.com g.alicdn.com qzonestyle.gtimg.cn res.wx.qq.com open.mobile.qq.com 'unsafe-eval' unpkg.zhimg.com unicom.zhimg.com resource: zhihu-live.zhimg.com captcha.gtimg.com captcha.guard.qcloud.com pagead2.googlesyndication.com cpro.baidustatic.com pos.baidu.com dup.baidustatic.com i.hao61.net jsapi.qq.com 'nonce-1199258a-4fbd-4f7d-985f-28c88ef5ad1d' hm.baidu.com zz.bdstatic.com b.bdstatic.com imgcache.qq.com vs-cdn.tencent-cloud.com www.mangren.com www.yunmd.net zhihu.govwza.cn p.cnwza.cn ssl.captcha.qq.com t.captcha.qq.com *.dun.163yun.com *.dun.163.com *.126.net *.nosdn.127.net nos.netease.com; style-src 'self' 'unsafe-inline' *.zhihu.com unicom.zhimg.com resource: captcha.gtimg.com www.mangren.com ssl.captcha.qq.com t.captcha.qq.com *.dun.163yun.com *.dun.163.com *.126.net *.nosdn.127.net nos.netease.com; font-src * data:; frame-ancestors *.zhihu.com
< x-content-security-policy: default-src * blob:; img-src * data: blob: resource: t.captcha.qq.com *.dun.163yun.com *.dun.163.com *.126.net *.nosdn.127.net nos.netease.com; connect-src * wss: blob: resource:; frame-src 'self' *.zhihu.com mailto: tel: weixin: *.vzuu.com mo.m.taobao.com getpocket.com note.youdao.com safari-extension://com.evernote.safari.clipper-Q79WDW8YH9 blob: mtt: zhihujs: captcha.guard.qcloud.com pos.baidu.com dup.baidustatic.com openapi.baidu.com wappass.baidu.com passport.baidu.com *.cme.qcloud.com vs-cdn.tencent-cloud.com t.captcha.qq.com *.dun.163yun.com *.dun.163.com *.126.net *.nosdn.127.net nos.netease.com; script-src 'self' blob: *.zhihu.com g.alicdn.com qzonestyle.gtimg.cn res.wx.qq.com open.mobile.qq.com 'unsafe-eval' unpkg.zhimg.com unicom.zhimg.com resource: zhihu-live.zhimg.com captcha.gtimg.com captcha.guard.qcloud.com pagead2.googlesyndication.com cpro.baidustatic.com pos.baidu.com dup.baidustatic.com i.hao61.net jsapi.qq.com 'nonce-1199258a-4fbd-4f7d-985f-28c88ef5ad1d' hm.baidu.com zz.bdstatic.com b.bdstatic.com imgcache.qq.com vs-cdn.tencent-cloud.com www.mangren.com www.yunmd.net zhihu.govwza.cn p.cnwza.cn ssl.captcha.qq.com t.captcha.qq.com *.dun.163yun.com *.dun.163.com *.126.net *.nosdn.127.net nos.netease.com; style-src 'self' 'unsafe-inline' *.zhihu.com unicom.zhimg.com resource: captcha.gtimg.com www.mangren.com ssl.captcha.qq.com t.captcha.qq.com *.dun.163yun.com *.dun.163.com *.126.net *.nosdn.127.net nos.netease.com; font-src * data:; frame-ancestors *.zhihu.com
< x-webkit-csp: default-src * blob:; img-src * data: blob: resource: t.captcha.qq.com *.dun.163yun.com *.dun.163.com *.126.net *.nosdn.127.net nos.netease.com; connect-src * wss: blob: resource:; frame-src 'self' *.zhihu.com mailto: tel: weixin: *.vzuu.com mo.m.taobao.com getpocket.com note.youdao.com safari-extension://com.evernote.safari.clipper-Q79WDW8YH9 blob: mtt: zhihujs: captcha.guard.qcloud.com pos.baidu.com dup.baidustatic.com openapi.baidu.com wappass.baidu.com passport.baidu.com *.cme.qcloud.com vs-cdn.tencent-cloud.com t.captcha.qq.com *.dun.163yun.com *.dun.163.com *.126.net *.nosdn.127.net nos.netease.com; script-src 'self' blob: *.zhihu.com g.alicdn.com qzonestyle.gtimg.cn res.wx.qq.com open.mobile.qq.com 'unsafe-eval' unpkg.zhimg.com unicom.zhimg.com resource: zhihu-live.zhimg.com captcha.gtimg.com captcha.guard.qcloud.com pagead2.googlesyndication.com cpro.baidustatic.com pos.baidu.com dup.baidustatic.com i.hao61.net jsapi.qq.com 'nonce-1199258a-4fbd-4f7d-985f-28c88ef5ad1d' hm.baidu.com zz.bdstatic.com b.bdstatic.com imgcache.qq.com vs-cdn.tencent-cloud.com www.mangren.com www.yunmd.net zhihu.govwza.cn p.cnwza.cn ssl.captcha.qq.com t.captcha.qq.com *.dun.163yun.com *.dun.163.com *.126.net *.nosdn.127.net nos.netease.com; style-src 'self' 'unsafe-inline' *.zhihu.com unicom.zhimg.com resource: captcha.gtimg.com www.mangren.com ssl.captcha.qq.com t.captcha.qq.com *.dun.163yun.com *.dun.163.com *.126.net *.nosdn.127.net nos.netease.com; font-src * data:; frame-ancestors *.zhihu.com
< x-frame-options: SAMEORIGIN
< strict-transport-security: max-age=15552000; includeSubDomains
< surrogate-control: no-store
< pragma: no-cache
< expires: 0
< x-content-type-options: nosniff
< x-xss-protection: 1; mode=block
< x-backend-response: 0.376
< referrer-policy: no-referrer-when-downgrade
< x-secng-response: 0.382000207901
< x-lb-timing: 0.383
< x-idc-id: 2
< set-cookie: KLBRSID=af132c66e9ed2b57686ff5c489976b91|1692971038|1692971038; Path=/
< cache-control: must-revalidate, proxy-revalidate, no-cache, no-store
< content-length: 39707
< x-nws-log-uuid: 6710906036282034269
< x-cache-lookup: Cache Miss
< x-edge-timing: 0.399
< x-cdn-provider: tencent
< 
{ [37648 bytes data]
* Connection #0 to host 2408:8719:2000:1c0:6c::43 left intact

After starting sing-box, curl reports the error SSL connection timeout

$ curl -vs -o /dev/null -6 --connect-timeout 15 --connect-to "::[2408:8719:2000:1c0:6c::43]:" https://zhuanlan.zhihu.com
* processing: https://zhuanlan.zhihu.com
* Connecting to hostname: 2408:8719:2000:1c0:6c::43
*   Trying [2408:8719:2000:1c0:6c::43]:443...
* Connected to 2408:8719:2000:1c0:6c::43 (2408:8719:2000:1c0:6c::43) port 443
* ALPN: offers h2,http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* SSL connection timeout
* Closing connection

Relevant sing-box log

INFO[0041] [1244096163 0ms] inbound/tun[tun-in]: inbound connection from [fdfe:ddba:9876::1]:58506
INFO[0041] [1244096163 0ms] inbound/tun[tun-in]: inbound connection to [2408:8719:2000:1c0:6c::43]:443
DEBUG[0041] [1244096163 301ms] router: sniffed protocol: tls, domain: zhuanlan.zhihu.com
INFO[0041] [1244096163 301ms] outbound/direct[direct]: outbound connection to [2408:8719:2000:1c0:6c::43]:443
DEBUG[0161] [1244096163 2m0s] inbound/tun[tun-in]: connection closed: dial tcp [2408:8719:2000:1c0:6c::43]:443: i/o timeout
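
The log lines in this issue share a connection id in square brackets, which makes it possible to tell at which stage a connection failed. The following is an added example, not code from the issue or from sing-box: it groups lines by that id and reports how far each connection got. The log layout is inferred only from the lines posted on this page, and the names `correlate`, `classify` and `summarize` are hypothetical.

```python
import ipaddress
import re

# Lines copied from the two sing-box logs posted in this issue (the IPv4 run
# and the later IPv6 run), combined here into one constructed sample input.
SAMPLE_LOG = """\
INFO[0000] inbound/tun[tun-in]: started at tun0
INFO[0011] [1743194090 0ms] inbound/tun[tun-in]: inbound connection from 172.18.0.1:46542
INFO[0011] [1743194090 0ms] inbound/tun[tun-in]: inbound connection to 123.125.244.32:443
DEBUG[0011] [1743194090 301ms] router: sniffed protocol: tls, domain: zhuanlan.zhihu.com
INFO[0011] [1743194090 301ms] outbound/direct[direct]: outbound connection to 123.125.244.32:443
INFO[0041] [1244096163 0ms] inbound/tun[tun-in]: inbound connection from [fdfe:ddba:9876::1]:58506
INFO[0041] [1244096163 0ms] inbound/tun[tun-in]: inbound connection to [2408:8719:2000:1c0:6c::43]:443
DEBUG[0041] [1244096163 301ms] router: sniffed protocol: tls, domain: zhuanlan.zhihu.com
INFO[0041] [1244096163 301ms] outbound/direct[direct]: outbound connection to [2408:8719:2000:1c0:6c::43]:443
DEBUG[0161] [1244096163 2m0s] inbound/tun[tun-in]: connection closed: dial tcp [2408:8719:2000:1c0:6c::43]:443: i/o timeout
"""

# Assumed layout: LEVEL[seconds] [connection-id elapsed] component: message
# The "[id elapsed]" part is absent on lines not tied to a connection.
LINE_RE = re.compile(
    r"^(?P<level>[A-Z]+)\[(?P<t>\d+)\] "
    r"(?:\[(?P<id>\d+) (?P<elapsed>\S+)\] )?"
    r"(?P<component>[^:\s]+): (?P<msg>.*)$"
)
FIELDS = ("src", "dst", "domain", "outbound", "error", "elapsed")


def ip_version(endpoint):
    """Return 4 or 6 for 'a.b.c.d:port' or '[v6-address]:port'."""
    host = endpoint.rsplit(":", 1)[0].strip("[]")
    return ipaddress.ip_address(host).version


def correlate(log_text):
    """Group log lines by connection id and record each stage that was logged."""
    conns = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["id"] is None:
            continue  # startup or router messages without a connection id
        c = conns.setdefault(m["id"], dict.fromkeys(FIELDS))
        msg = m["msg"]
        c["elapsed"] = m["elapsed"]  # elapsed time of the last line seen
        if msg.startswith("inbound connection from "):
            c["src"] = msg[len("inbound connection from "):]
        elif msg.startswith("inbound connection to "):
            c["dst"] = msg[len("inbound connection to "):]
        elif msg.startswith("sniffed protocol: "):
            found = re.search(r"domain: (\S+)", msg)
            c["domain"] = found.group(1) if found else None
        elif msg.startswith("outbound connection to "):
            c["outbound"] = m["component"]
        elif msg.startswith("connection closed: "):
            c["error"] = msg[len("connection closed: "):]
    return conns


def classify(c):
    """Name the last stage a connection reached."""
    if c["dst"] is None:
        return "incomplete inbound record"
    if c["outbound"] is None:
        return "accepted by inbound, never handed to an outbound"
    if c["error"] and c["error"].startswith("dial ") and c["error"].endswith("i/o timeout"):
        return "outbound dial timed out"
    if c["error"]:
        return "closed with error"
    return "handed to outbound, no error logged"


def summarize(log_text):
    """Return (id, ip_version, dst, outbound, elapsed, verdict) per connection."""
    return [
        (cid, ip_version(c["dst"]) if c["dst"] else None, c["dst"],
         c["outbound"], c["elapsed"], classify(c))
        for cid, c in correlate(log_text).items()
    ]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

A request that never shows up under any connection id, like the `-6 --interface tun0` attempt in the first log, was never logged as an inbound connection; one that ends in `outbound dial timed out` was accepted by the tun inbound and failed when the `direct` outbound dialed out. The `2m0s` elapsed time on the failing connection equals the `connect_timeout` of `2m` set in the posted configuration.
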
yingziwu commented 1 year ago

Packet capture results on the tun0 interface


Packet capture results on the wlp1s0 interface


nekohasekai commented 1 year ago

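To fix IPv6 being unusable when the interface has no route, we previously created a substitute rule (https://github.com/SagerNet/sing-tun/blob/7545dc2d5641922d6a7a05e11cc36211fa539798/tun_linux.go#L267). For this problem, you can open a new issue to discuss how to initiate connections when there is no route.

As for your new problem, namely that tun cannot connect to a certain address or to all addresses: because its trigger conditions are too common, please re-check and open a new issue.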

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days