XTLS / Xray-core

Xray, Penetrates Everything. Also the best v2ray-core, with XTLS support. Fully compatible configuration.
https://t.me/projectXray
Mozilla Public License 2.0

Transparent proxy has high CPU usage #1095

Closed edisonleung1 closed 5 months ago

edisonleung1 commented 2 years ago

System configuration

ESXi virtual machine, Intel(R) Xeon(R) CPU E5-2689 0 @ 2.60GHz, 1G RAM

Linux ubnt.cmdschool.org 4.19.0-20-amd64 #1 SMP Debian 4.19.235-1 (2022-03-17) x86_64 GNU/Linux

The DNS server used is the main gateway's.

1) Which version of Xray are you using? (If the server and client use different versions, please note both.)

    ● xray.service - Xray Service
       Loaded: loaded (/etc/systemd/system/xray.service; enabled; vendor preset: enabled)
      Drop-In: /etc/systemd/system/xray.service.d
               └─10-donot_touch_single_conf.conf
       Active: active (running) since Sun 2022-06-05 16:14:52 EDT; 7s ago
         Docs: https://github.com/xtls
     Main PID: 19121 (xray)
        Tasks: 9 (limit: 1147)
       Memory: 41.9M
       CGroup: /system.slice/xray.service
               └─19121 /usr/local/bin/xray run -config /usr/local/etc/xray/config.json

    Jun 05 16:14:52 ubnt.cmdschool.org systemd[1]: Started Xray Service.
    Jun 05 16:14:52 ubnt.cmdschool.org xray[19121]: Xray 1.5.5 (Xray, Penetrates Everything.) Custom (go1.18.1 linux/amd64)
    Jun 05 16:14:52 ubnt.cmdschool.org xray[19121]: A unified platform for anti-censorship.
    Jun 05 16:14:52 ubnt.cmdschool.org xray[19121]: 2022/06/05 16:14:52 [Info] infra/conf/serial: Reading config: /usr/local/etc/xray/config.json

2) What is your usage scenario? For example, watching YouTube videos in Chrome through a Socks/VMess proxy.

Home transparent proxy for seamless access to resources in different regions.

3) What abnormal behaviour do you see? (Please describe the specific symptom, e.g. access timeouts, TLS certificate errors.)

CPU usage stays close to 100% for long periods, and it reproduces whether the VM has 1 core or 4 cores. Following https://github.com/v2ray/v2ray-core/issues/2621 I already added `iptables -t mangle -A V2RAY -j RETURN -m mark --mark 0xff`, but CPU usage remains high.

4) What is the correct behaviour you expect to see?

5) Please attach your configuration (hide the server-side IP address before submitting the issue).

Server-side configuration:

    {
    "log": {
        "loglevel": "warning",
        "access": "/var/log/xray/access.log",
        "error": "/var/log/xray/error.log"
    },
    "routing": {
        "domainStrategy": "IPOnDemand",
        "rules": [
            {
                "type": "field",
                "inboundTag": "vless",
                "outboundTag": "direct"
            },
            { // send UDP traffic on port 123 (NTP) direct
                "type": "field",
                "inboundTag": [
                    "transparent"
                ],
                "port": 123,
                "network": "udp",
                "outboundTag": "direct"
            },
            { // hijack UDP traffic on port 53 and use V2Ray's DNS
                "type": "field",
                "inboundTag": [
                    "transparent"
                ],
                "port": 53,
                "network": "udp",
                "outboundTag": "dns-out"
            },
            {
                "type": "field",
                "inboundtag": [
                    "transparent"
                ],
                "outboundTag": "US_LA",
                "domain": [
                    "geosite:spotify",
                    "geosite:hbo",
                    "geosite:netflix",
                    "geosite:steam",
                    "geosite:amazon"
                ]
            },
            {
                "type": "field",
                "inboundtag": [
                    "transparent"
                ],
                "outboundTag": "US_IV",
                "domain": [
                    "geosite:hulu"
                ]
            },
            {
                "type": "field",
                "inboundtag": [
                    "transparent"
                ],
                "outboundTag": "CN_GZ",
                "domain": [
                    "geosite:bilibili",
                    "geosite:iqiyi",
                    "geosite:youku",
                    "geosite:umeng",
                    "geosite:aliyun",
                    "domain:speedtest.cn",
                    "vv.video.qq.com",
                    "domain:nos.netease.com",
                    "domain:music.163.com",
                    "domain:music.126.net",
                    "domain:music.qq.com",
                    "domain:qqmusic.qq.com",
                    "domain:tencentmusic.com"
                ]
            },
            {
                "type": "field",
                "domain": [
                    "geosite:category-ads-all"
                ],
                "outboundTag": "block"
            },
            {
                "type": "field",
                "protocol": [
                    "bittorrent"
                ],
                "outboundTag": "direct"
            }
        ]
    },
    "inbounds": [
        {
            "tag": "transparent",
            "protocol": "dokodemo-door",
            "port": *,
            "settings": {
                "network": "tcp,udp",
                "followRedirect": true
            },
            "sniffing": {
                "enabled": true,
                "destOverride": [
                    "http",
                    "tls"
                ]
            },
            "streamSettings": {
                "sockopt": {
                    "tproxy": "tproxy",
                    "mark": 255
                }
            }
        },
        {
            "tag": "vless",
            "protocol": "vless",
            "port": 443,
            "settings": {
                "clients": [
                    {
                        "id": "*",
                        "flow": "xtls-rprx-direct",
                        "level": 0
                    }
                ],
                "decryption": "none",
                "fallbacks": [
                    {
                        "dest": "/dev/shm/default.sock",
                        "xver": 1
                    },
                    {
                        "alpn": "h2",
                        "dest": "/dev/shm/h2c.sock",
                        "xver": 1
                    }
                ]
            },
            "streamSettings": {
                "network": "tcp",
                "security": "xtls",
                "xtlsSettings": {
                    "allowInsecure": false,
                    "alpn": [
                        "h2",
                        "http/1.1"
                    ],
                    "certificates": [
                        {
                            "certificateFile": "*",
                            "keyFile": "*"
                        }
                    ]
                }
            }
        }
    ],
    "outbounds": [
        {
            "tag": "direct",
            "protocol": "freedom",
            "settings": {
                "streamSettings": {
                    "sockopt": {
                        "mark": 255
                    }
                }
            }
        },
        {
            "tag": "block",
            "protocol": "blackhole",
            "settings": {
                "response": {
                    "type": "http"
                }
            }
        },
        {
            "tag": "dns-out",
            "protocol": "dns",
            "streamSettings": {
                "sockopt": {
                    "mark": 255
                }
            }
        },
        {
            "tag": "US_LA",
            "protocol": "vless",
            "settings": {
                "vnext": [
                    {
                        "address": "*",
                        "port": 443,
                        "users": [
                            {
                                "email": "a@a.a",
                                "id": "*",
                                "flow": "xtls-rprx-direct",
                                "encryption": "none",
                                "level": 0
                            }
                        ]
                    }
                ]
            },
            "streamSettings": {
                "network": "tcp",
                "security": "xtls",
                "xtlsSettings": {
                    "serverName": "*",
                    "sockopt": {
                        "mark": 255
                    }
                }
            }
        },
        {
            "tag": "US_IV",
            "protocol": "vless",
            "settings": {
                "vnext": [
                    {
                        "address": "*",
                        "port": 443,
                        "users": [
                            {
                                "email": "love@v2fly.org",
                                "id": "*",
                                "flow": "xtls-rprx-direct",
                                "encryption": "none",
                                "level": 0
                            }
                        ]
                    }
                ]
            },
            "network": "tcp",
            "security": "xtls",
            "xtlsSettings": {
                "serverName": "domain"
            },
            "streamSettings": {
                "sockopt": {
                    "mark": 255
                }
            }
        },
        {
            "tag": "CN_GZ",
            "protocol": "vless",
            "settings": {
                "vnext": [
                    {
                        "address": "*",
                        "port": *,
                        "users": [
                            {
                                "id": "*",
                                "encryption": "none",
                                "level": 0
                            }
                        ]
                    }
                ]
            },
            "streamSettings": {
                "sockopt": {
                    "mark": 255
                }
            }
        }
    ]
    }

Client-side configuration:

    // attach the client configuration here

6) Please attach the error log output by the software when the error occurs. On Linux the log is usually in /var/log/v2ray/error.log.

Server-side error log:

    2022/06/04 16:27:51 [Warning] [2289254030] app/proxyman/outbound: failed to process outbound traffic > proxy/vless/outbound: failed to find an available destination > common/retry: [dial tcp *: operation was canceled dial tcp: operation was canceled] > common/retry: all retry attempts failed

7) Please attach the access log. On Linux the log is usually in /var/log/v2ray/access.log.

    No visible anomalies

8) Other related configuration files (such as Nginx) and related logs.

Iptables

Set up policy routing:

    ip rule add fwmark 1 table 100
    ip route add local 0.0.0.0/0 dev lo table 100

Proxy LAN devices:

    iptables -t mangle -N V2RAY
    iptables -t mangle -A V2RAY -d 127.0.0.1/32 -j RETURN
    iptables -t mangle -A V2RAY -d 224.0.0.0/4 -j RETURN
    iptables -t mangle -A V2RAY -d 255.255.255.255/32 -j RETURN
    iptables -t mangle -A V2RAY -d -p tcp -j RETURN # direct-connect the LAN, so SSH to the gateway still works when V2Ray fails to start; if your LAN uses another range (e.g. 10.x.x.x), change it to your own
    iptables -t mangle -A V2RAY -d -p udp ! --dport 53 -j RETURN # direct-connect the LAN except port 53 (because V2Ray's
    iptables -t mangle -A V2RAY -p udp -j TPROXY --on-port --tproxy-mark 1 # mark UDP with 1 and forward it to port 12345
    iptables -t mangle -A V2RAY -p tcp -j TPROXY --on-port --tproxy-mark 1 # mark TCP with 1 and forward it to port 12345
    iptables -t mangle -A PREROUTING -j V2RAY # apply the rules

cod1ingcoding commented 2 years ago

That's normal; give it more memory. Go uses a lot of memory. Also give it a few more cores.

wy580477 commented 2 years ago

Isn't your DNS looping? You use the main router's address as the DNS, and your iptables rules don't direct-connect LAN port 53.

I don't recommend beginners start out with DNS port 53 hijacking; it's very easy to fall into a pit. Setting the DNS on the client isn't that hard.
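Added example, not from the issue or the Xray project: a small Python model of the V2RAY mangle chain posted above that walks the rules in order and reports which target fires for a given packet, which is the check wy580477's reply calls for (a LAN client's UDP/53 query to the gateway is TPROXY'd, while Xray's own mark-255 traffic and other LAN traffic are returned). The LAN range 192.168.0.0/16 and the TPROXY port 12345 are assumed placeholders for values the issue elides.

```python
import ipaddress

# Constructed model of the V2RAY mangle chain from this issue. The LAN range
# (192.168.0.0/16) and the TPROXY port (12345) are assumptions the issue elides.
V2RAY_CHAIN = [
    "-d 127.0.0.1/32 -j RETURN",
    "-d 224.0.0.0/4 -j RETURN",
    "-d 255.255.255.255/32 -j RETURN",
    "-d 192.168.0.0/16 -p tcp -j RETURN",
    "-d 192.168.0.0/16 -p udp ! --dport 53 -j RETURN",
    "-m mark --mark 0xff -j RETURN",  # the rule added per v2ray-core#2621
    "-p udp -j TPROXY --on-port 12345 --tproxy-mark 1",
    "-p tcp -j TPROXY --on-port 12345 --tproxy-mark 1",
]
KEYS = {"-d": "dst", "-p": "proto", "--dport": "dport", "--mark": "mark", "-j": "target"}


def parse_rule(rule):  # matches of one rule (after '-A V2RAY') -> {key: (value, negated)}
    toks, m, neg, i = rule.split(), {}, False, 0
    while i < len(toks):
        if toks[i] == "!":            # '!' negates the match that follows it
            neg, i = True, i + 1
        elif toks[i] in KEYS:
            key, val = KEYS[toks[i]], toks[i + 1]
            if key == "dst":
                val = ipaddress.ip_network(val)
            elif key in ("dport", "mark"):
                val = int(val, 0)     # base 0 so both 0xff and 53 parse
            m[key] = (val, neg)
            neg, i = False, i + 2
        else:
            i += 1                    # options not modelled here (-m, --on-port, --tproxy-mark)
    return m


def matches(m, pkt):  # True if the packet satisfies every match of the parsed rule
    for key in ("dst", "proto", "dport", "mark"):
        if key in m:
            val, neg = m[key]
            hit = ipaddress.ip_address(pkt["dst"]) in val if key == "dst" else pkt[key] == val
            if hit == neg:
                return False
    return True


def verdict(chain, dst, proto, dport, mark=0):
    """Walk the chain in order as netfilter does; return the first target that fires."""
    pkt = {"dst": dst, "proto": proto, "dport": dport, "mark": mark}
    for m in map(parse_rule, chain):
        if matches(m, pkt):
            return m["target"][0]
    return None   # fell off the chain: the packet continues unmodified
```

`verdict(V2RAY_CHAIN, "192.168.1.1", "udp", 53)` returns "TPROXY" (the gateway DNS query is hijacked), while the same packet with mark 255 returns "RETURN".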

edisonleung1 commented 1 year ago

> Isn't your DNS looping? You use the main router's address as the DNS, and your iptables rules don't direct-connect LAN port 53.
>
> I don't recommend beginners start out with DNS port 53 hijacking; it's very easy to fall into a pit. Setting the DNS on the client isn't that hard.

Because I need to watch iqiyi and some clients don't support setting a DNS, among other reasons, I'd still prefer to use DNS hijacking. Thanks for the advice, but it would be even better if you could propose a solution.