XTLS / Xray-core

Xray, Penetrates Everything. Also the best v2ray-core, with XTLS support. Fully compatible configuration.
https://t.me/projectXray
Mozilla Public License 2.0

QUIC sites proxied through tproxy went direct #1804

Closed heygo1345678 closed 1 year ago

heygo1345678 commented 1 year ago

{
  "tag": "transparent",
  "port": 12345,
  "protocol": "dokodemo-door",
  "settings": {
    "network": "tcp,udp",
    "followRedirect": true
  },
  "sniffing": {
    "enabled": true,
    "destOverride": [
      "http",
      "tls",
      "quic"
    ]
  },
  "streamSettings": {
    "sockopt": {
      "tproxy": "tproxy", // transparent proxy uses the TPROXY method
      "mark": 255
    }
  }
},

The outbound is cf cdn + vmess + wss.

2023/03/15 18:26:27 DOH//1.1.1.1 got answer: quic.nginx.org -> [35.214.218.230] 207.605394ms
2023/03/15 18:26:27 DOH//1.1.1.1 got answer: quic.nginx.org -> [] 208.256312ms
2023/03/15 18:26:27 192.168.1.4:9198 accepted tcp:35.214.218.230:443 [transparent -> proxy]
2023/03/15 18:26:27 192.168.1.4:9199 accepted tcp:35.214.218.230:443 [transparent -> proxy]
2023/03/15 18:26:30 192.168.1.4:53128 accepted udp:35.214.218.230:443 [transparent -> direct]

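Is there a bug in QUIC sniffing with xray's tproxy transparent proxy? First it is [transparent -> proxy], then it becomes [transparent -> direct]. The above is a test against nginx's QUIC demo; both DNS and routing are set to go through the proxy. Testing YouTube shows the same problem, and with IPv6 tproxy enabled YouTube behaves the same. Although it later falls back to TCP only, and DNS does not leak, traffic still leaks through QUIC. This is xray version 1.8.0; I will test v2fly another day to see whether it behaves the same. Could this be the long-neglected UDP disconnection problem? https://github.com/v2ray/v2ray-core/issues/1432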
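A check for the symptom reported above, as an added example that is not part of the original post or of the Xray project: it parses access-log lines in the format shown and flags destinations whose TCP flows used the proxy outbound while UDP flows to the same address went direct. The function names are hypothetical, and the outbound tags `proxy` and `direct` are the ones that appear in the post's log lines.

```python
import re
from collections import defaultdict

# Constructed sample: the first three lines follow the access log in the post,
# the last one is a made-up local DNS flow that must not be flagged.
SAMPLE_LOG = """\
2023/03/15 18:26:27 192.168.1.4:9198 accepted tcp:35.214.218.230:443 [transparent -> proxy]
2023/03/15 18:26:27 192.168.1.4:9199 accepted tcp:35.214.218.230:443 [transparent -> proxy]
2023/03/15 18:26:30 192.168.1.4:53128 accepted udp:35.214.218.230:443 [transparent -> direct]
2023/03/15 18:26:31 192.168.1.4:53130 accepted udp:192.168.1.1:53 [transparent -> direct]
"""

# Matches "[inbound -> outbound]", "[inbound >> outbound]" and the bare "[outbound]" form.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>\S+) accepted (?P<net>tcp|udp):(?P<host>\S+):(?P<port>\d+) "
    r"\[(?:(?P<inbound>\S+) (?:->|>>) )?(?P<outbound>\S+)\]$"
)


def parse_access_log(log_text):
    """Yield one dict per 'accepted' line; DNS and debug lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_split_routing(log_text, proxy_tags=frozenset({"proxy"}),
                       direct_tags=frozenset({"direct"})):
    """Map (host, port) -> [(timestamp, source)] for UDP flows that went direct
    to a destination whose TCP flows were sent through a proxy outbound."""
    tcp_proxied = set()
    udp_direct = defaultdict(list)
    # Collect first, compare afterwards: UDP may be logged before TCP.
    for e in parse_access_log(log_text):
        dest = (e["host"], int(e["port"]))
        if e["net"] == "tcp" and e["outbound"] in proxy_tags:
            tcp_proxied.add(dest)
        elif e["net"] == "udp" and e["outbound"] in direct_tags:
            udp_direct[dest].append((e["ts"], e["src"]))
    return {d: flows for d, flows in udp_direct.items() if d in tcp_proxied}


if __name__ == "__main__":
    for (host, port), flows in find_split_routing(SAMPLE_LOG).items():
        for ts, src in flows:
            print(f"{ts} {src} -> udp:{host}:{port} bypassed the proxy")
```
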

heygo1345678 commented 1 year ago

For now the only way to solve this is to drop UDP 443; this is too unreliable.

iptables -t mangle -I V2RAY -p udp --dport 443 -j DROP
iptables -t mangle -I V2RAY_MASK -p udp --dport 443 -j DROP

heygo1345678 commented 1 year ago

I was careless and did not search the issue history properly. Including mine, there are three issues about the same problem: https://github.com/XTLS/Xray-core/issues/328 https://github.com/XTLS/Xray-core/issues/448 Judging from the earlier replies, xray sniffing does not support QUIC. But the documentation does list quic: https://xtls.github.io/config/inbound.html#sniffingobject https://www.v2fly.org/v5/config/inbound.html#%E6%94%AF%E6%8C%81%E7%9A%84%E4%BB%A3%E7%90%86%E5%8D%8F%E8%AE%AE

Looking at the sing-box documentation: https://sing-box.sagernet.org/zh/configuration/route/sniff/ it also supports sniffing QUIC: https://sing-box.sagernet.org/zh/configuration/route/sniff/

So, @nekohasekai, world-class expert: can sing-box's tproxy sniffing really sniff QUIC, or do the docs all just say the same thing while it is not actually supported?

IRN-Kawakaze commented 1 year ago

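In theory, xray-core does currently support QUIC sniffing.

The QUIC sniffing implementation in v2ray next door was only fixed recently, in https://github.com/v2fly/v2ray-core/pull/2335 , which shipped in v5.4.0 (pre-release). Perhaps xray-core has the same bug? You could first try the fixed QUIC sniffing next door and see whether it works.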

Fangliding commented 1 year ago

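Last time I looked, the sniffing documentation did not mention quic, but I checked the relevant code and there is indeed code for sniffing QUIC. Someone in the group said it did not work, so I guessed it was broken and left it alone. Maybe someone later saw it in the code and added it to the docs, which led the OP into this pitfall ()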

nekohasekai commented 1 year ago

All of the QUIC sniffing should have been written by me. If sing-box's does not work, please open an issue; if xray's does not work, you can sync the code over (

heygo1345678 commented 1 year ago

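> In theory, xray-core does currently support QUIC sniffing.
>
> The QUIC sniffing implementation in v2ray next door was only fixed recently, in v2fly/v2ray-core#2335 , which shipped in v5.4.0 (pre-release). Perhaps xray-core has the same bug? You could first try the fixed QUIC sniffing next door and see whether it works.

I tested QUIC sniffing in v2ray v5.4.0 and there were no problems; the fix is effective. I have not tested sing-box yet.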

2023/03/19 08:50:54 [Info] app/dns: DOH//1.1.1.1 got answer: quic.nginx.org. TypeA -> [35.214.218.230] 417.026704ms
2023/03/19 08:50:54 [Debug] app/dns: domain quic.nginx.org matches following rules: [nginx.org(DNS idx:0)]
2023/03/19 08:50:54 [Debug] app/dns: domain quic.nginx.org will use DNS in order: [DOH//1.1.1.1] [TypeA]
2023/03/19 08:50:54 [Debug] app/dns: domain quic.nginx.org will use DNS in order: [DOH//1.1.1.1] [TypeAAAA]
2023/03/19 08:50:54 [Info] app/dns: DOH//1.1.1.1 querying: quic.nginx.org.
2023/03/19 08:50:54 [Info] app/dns: DOH//1.1.1.1 got answer: quic.nginx.org. TypeAAAA -> [] 416.473492ms
2023/03/19 08:50:56 [Info] [3127533985] app/dispatcher: sniffed domain: quic.nginx.org for tcp:35.214.218.230:443
2023/03/19 08:50:56 [Info] [3127533985] app/dispatcher: taking detour [proxy] for [tcp:quic.nginx.org:443]
2023/03/19 08:50:57 [Info] [3127533985] proxy/vmess/outbound: tunneling request to tcp:quic.nginx.org:443 via cf:443
2023/03/19 08:51:01 [Info] [3818921917] app/dispatcher: sniffed domain: quic.nginx.org for udp:35.214.218.230:443
2023/03/19 08:51:01 [Info] [3818921917] app/dispatcher: taking detour [proxy] for [udp:quic.nginx.org:443]
2023/03/19 08:51:01 [Info] [3818921917] proxy/vmess/outbound: tunneling request to udp:quic.nginx.org:443 via cf:443

2023/03/19 08:50:56 192.168.1.4:12622 accepted tcp:35.214.218.230:443 [proxy]
2023/03/19 08:50:56 192.168.1.4:12622 accepted tcp:35.214.218.230:443 [proxy]
2023/03/19 08:51:01 [Debug] transport/internet/udp: UDP original destination: udp:35.214.218.230:443
2023/03/19 08:51:01 192.168.1.4:54406 accepted udp:35.214.218.230:443 [proxy]

heygo1345678 commented 1 year ago

Since https://github.com/XTLS/Xray-core/pull/1885 has been merged, I tested xray 1.8.1 and the QUIC sniffer now works properly, although proxying QUIC traffic is not recommended.

Client log:

2023/05/07 08:09:20 192.168.1.4:59444 accepted udp:35.214.218.230:443 [transparent -> proxy]
2023/05/07 08:09:20 192.168.1.4:5832 accepted tcp:35.214.218.230:443 [transparent -> proxy]
2023/05/07 08:09:20 192.168.1.4:5831 accepted tcp:35.214.218.230:443 [transparent -> proxy]
2023/05/07 08:09:20 TCP//8.8.4.4:53 got answer: quic.nginx.org -> [35.214.218.230] 126.54437ms
2023/05/07 08:09:20 TCP//8.8.4.4:53 got answer: quic.nginx.org -> [] 126.486768ms
2023/05/07 08:09:20 TCP//8.8.4.4:53 got answer: quic.nginx.org -> [35.214.218.230] 155.691253ms
2023/05/07 08:09:20 TCP//8.8.4.4:53 got answer: quic.nginx.org -> [] 155.60485ms

Server log (I enabled routeonly, so the transparent proxy passes the IP to the VPS):

2023/05/07 00:09:20 [240:3]:55842 accepted tcp:35.214.218.230:443 [VLESS-GRPC-Reality >> direct]
2023/05/07 00:09:20 [240:3]:55842 accepted udp:35.214.218.230:443 [VLESS-GRPC-Reality >> direct]