Closed f0def closed 1 year ago
I don't think this would work, because on the inbound side you have configured it to use the socks5 protocol, which means the Wireguard client needs to open a connection to your socks5 inbound (xray-core client) and perform a handshake first, before asking it to forward Wireguard traffic to your remote server. Based on your config, it looks like the Wireguard client was simply treating your socks5 inbound as its peer server, which it is not. The error message here is expected, because the Wireguard client wasn't talking to the socks5 inbound in the socks protocol, and xray-core failed to parse the request header.
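To make the comment above concrete, here is an added example (not part of the original comment and not xray-core's own code): a minimal RFC 1928 UDP request-header parser fed a raw WireGuard handshake initiation. The datagram is constructed, with zero bytes standing in for the cryptographic fields, and the names `parse_socks5_udp`, `wrap_socks5_udp` and `describe` are hypothetical.

```python
import ipaddress
import struct


class Socks5HeaderError(ValueError):
    """Raised when a datagram does not start with a valid SOCKS5 UDP header."""


def parse_socks5_udp(datagram):
    """Parse RFC 1928 section 7: RSV(2) FRAG(1) ATYP(1) DST.ADDR DST.PORT DATA."""
    if len(datagram) < 4:
        raise Socks5HeaderError("header shorter than 4 bytes")
    _rsv, frag, atyp = struct.unpack("!HBB", datagram[:4])
    body = datagram[4:]
    if atyp == 0x01:        # IPv4 address
        alen = 4
    elif atyp == 0x04:      # IPv6 address
        alen = 16
    elif atyp == 0x03:      # domain name, preceded by one length byte
        if not body:
            raise Socks5HeaderError("truncated address or port")
        alen, body = body[0], body[1:]
    else:
        raise Socks5HeaderError(f"unknown address type: {atyp}")
    if len(body) < alen + 2:
        raise Socks5HeaderError("truncated address or port")
    raw = body[:alen]
    host = raw.decode("ascii", "replace") if atyp == 0x03 else str(ipaddress.ip_address(raw))
    (port,) = struct.unpack("!H", body[alen:alen + 2])
    return host, port, frag, body[alen + 2:]


def wrap_socks5_udp(ipv4, port, payload):
    """What a SOCKS5-aware client would send: header first, then the payload."""
    return b"\x00\x00\x00\x01" + ipaddress.IPv4Address(ipv4).packed + struct.pack("!H", port) + payload


def describe(datagram):
    """Summarise what a SOCKS5 UDP inbound would do with this datagram."""
    try:
        host, port, _frag, data = parse_socks5_udp(datagram)
        return f"forward {len(data)} bytes to {host}:{port}"
    except Socks5HeaderError as exc:
        return f"rejected: {exc}"


# Constructed WireGuard handshake initiation (148 bytes): message type 1,
# three reserved zero bytes, sender index, then zero-filled placeholder fields.
WG_INIT = struct.pack("<B3xI", 1, 0x1234ABCD) + bytes(140)

if __name__ == "__main__":
    print(describe(WG_INIT))                                         # raw WireGuard
    print(describe(wrap_socks5_udp("127.0.0.1", 51620, WG_INIT)))    # SOCKS5-wrapped
```

Every WireGuard message starts with a type byte followed by three zero bytes, so the byte a SOCKS5 parser reads as ATYP is always 0, which is the value reported in the error.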
You need to use dokodemo-door
https://computerscot.github.io/wireguard-over-xray.html
Thank you for the responses. I've tried https://computerscot.github.io/wireguard-over-xray.html but was faced with the fact that there is no traffic (I'm using port 51620 for wireguard). Maybe I missed something important?
./xray -c xray.json
Xray 1.8.4 (Xray, Penetrates Everything.) Custom (go1.21.0 darwin/arm64)
A unified platform for anti-censorship.
2023/09/01 09:50:50 [Info] infra/conf/serial: Reading config: xray.json
2023/09/01 09:50:50 [Debug] app/log: Logger started
2023/09/01 09:50:50 [Info] transport/internet/udp: listening UDP on 0.0.0.0:51620
2023/09/01 09:50:50 [Warning] core: Xray 1.8.4 started
2023/09/01 09:50:54 [Debug] [3852324921] proxy/dokodemo: processing connection from: 127.0.0.1:57265
2023/09/01 09:50:54 [Info] [3852324921] proxy/dokodemo: received request for 127.0.0.1:57265
2023/09/01 09:50:54 [Info] [3852324921] app/dispatcher: default route for udp:127.0.0.1:51620
2023/09/01 09:50:54 127.0.0.1:57265 accepted udp:127.0.0.1:51620 [wireguard >> vless]
2023/09/01 09:50:54 [Info] [3852324921] transport/internet/tcp: dialing TCP to tcp:134.5.36.176:443
2023/09/01 09:50:54 [Debug] transport/internet: dialing to tcp:134.5.36.176:443
Xray server and wireguard server configurations remained the same. But I changed xray client configuration to
{
  "log": {
    "loglevel": "debug"
  },
  "inbounds": [
    {
      "tag": "wireguard",
      "port": 51620,
      "protocol": "dokodemo-door",
      "settings": {
        "address": "127.0.0.1",
        "port": 51620,
        "network": "udp"
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "vless",
      "settings": {
        "vnext": [
          {
            "address": "example.com",
            "port": 443,
            "users": [
              {
                "id": "581b2235-6d63-4612-ae3c-d42d8bb043c4",
                "encryption": "none",
                "level": 0
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "reality",
        "realitySettings": {
          "show": false,
          "fingerprint": "chrome",
          "serverName": "discordapp.com",
          "publicKey": "UOKkySZpUGZDErP0Ov4BH9nNISrfHh6MsL-DcYYjIzw",
          "shortId": ""
        }
      },
      "tag": "vless"
    },
    {
      "protocol": "freedom",
      "tag": "direct"
    }
  ]
}
and wireguard client to
[Interface]
PrivateKey = ********
Address = 10.49.0.2/32
DNS = 171.12.110.32
[Peer]
PublicKey = ********
PresharedKey = ********
Endpoint = 127.0.0.1:51620
AllowedIPs = 0.0.0.0/1, 128.0.0.0/6, 132.0.0.0/7, 134.0.0.0/14, 134.4.0.0/16, 134.5.0.0/19, 134.5.32.0/22, 134.5.36.0/25, 134.5.36.128/27, 134.5.36.160/28, 134.5.36.177/32, 134.5.36.178/31, 134.5.36.180/30, 134.5.36.184/29, 134.5.36.192/26, 134.5.37.0/24, 134.5.38.0/23, 134.5.40.0/21, 134.5.48.0/20, 134.5.64.0/18, 134.5.128.0/17, 134.6.0.0/15, 134.8.0.0/13, 134.16.0.0/12, 134.32.0.0/11, 134.64.0.0/10, 134.128.0.0/9, 135.0.0.0/8, 136.0.0.0/5, 144.0.0.0/4, 160.0.0.0/3, 192.0.0.0/2, ::/0
I use ClashMeta to support it
https://github.com/MetaCubeX/Clash.Meta/blob/Meta/docs/config.yaml
# wireguard
- name: "wg"
  type: wireguard
  server: 162.159.192.1
  port: 2480
  ip: 172.16.0.2
  ipv6: fd01:5ca1:ab1e:80fa:ab85:6eea:213f:f4a5
  public-key: Cr8hWlKvtDt7nrvf+f0brNQQzabAqrjfBvas9pmowjo=
  # pre-shared-key: 31aIhAPwktDGpH4JDhA8GNvjFXEf/a6+UaQRyOAiyfM=
  private-key: eCtXsJZ27+4PbhDkHnB923tkUn2Gj59wZw5wFA75MnU=
  udp: true
  reserved: "U4An"
  # Array format is also valid
  # reserved: [209,98,59]
  # Identifier of an outbound proxy. When the value is not empty, the specified proxy is used to make the connection
  # dialer-proxy: "ss1"
The dialer-proxy can be the vless proxy
Thank you for all your replies.
I figured out the reason. My problem was in AllowedIPs, it contains ::/0 at the end (https://github.com/XTLS/Xray-core/issues/2507#issuecomment-1702161379):
AllowedIPs = 0.0.0.0/1, 128.0.0.0/6, 132.0.0.0/7, 134.0.0.0/14, 134.4.0.0/16, 134.5.0.0/19, 134.5.32.0/22, 134.5.36.0/25, 134.5.36.128/27, 134.5.36.160/28, 134.5.36.177/32, 134.5.36.178/31, 134.5.36.180/30, 134.5.36.184/29, 134.5.36.192/26, 134.5.37.0/24, 134.5.38.0/23, 134.5.40.0/21, 134.5.48.0/20, 134.5.64.0/18, 134.5.128.0/17, 134.6.0.0/15, 134.8.0.0/13, 134.16.0.0/12, 134.32.0.0/11, 134.64.0.0/10, 134.128.0.0/9, 135.0.0.0/8, 136.0.0.0/5, 144.0.0.0/4, 160.0.0.0/3, 192.0.0.0/2, ::/0
I had to remove ::/0 and everything worked for me. I'm assuming that the problem was caused by the fact that I did not exclude the IPv6 address of my Server2 (it has both IPv4 and IPv6).
https://computerscot.github.io/wireguard-over-xray.html was very helpful.
I will close the issue.
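The check implied by the comment above, as an added example that is not part of the original post: it tests whether an AllowedIPs value would route the Xray server's own address into the tunnel, and builds a full-tunnel AllowedIPs that excludes it for both address families. `134.5.36.176` is the address xray dials in the posted log; `2001:db8::176` is a documentation-range placeholder because the server's IPv6 address is not on the page, and the function names are hypothetical.

```python
import ipaddress

# AllowedIPs exactly as posted in the WireGuard client config in this thread.
PAGE_ALLOWED_IPS = (
    "0.0.0.0/1, 128.0.0.0/6, 132.0.0.0/7, 134.0.0.0/14, 134.4.0.0/16, 134.5.0.0/19, "
    "134.5.32.0/22, 134.5.36.0/25, 134.5.36.128/27, 134.5.36.160/28, 134.5.36.177/32, "
    "134.5.36.178/31, 134.5.36.180/30, 134.5.36.184/29, 134.5.36.192/26, 134.5.37.0/24, "
    "134.5.38.0/23, 134.5.40.0/21, 134.5.48.0/20, 134.5.64.0/18, 134.5.128.0/17, "
    "134.6.0.0/15, 134.8.0.0/13, 134.16.0.0/12, 134.32.0.0/11, 134.64.0.0/10, "
    "134.128.0.0/9, 135.0.0.0/8, 136.0.0.0/5, 144.0.0.0/4, 160.0.0.0/3, 192.0.0.0/2, ::/0"
)


def parse_allowed_ips(value):
    """Turn a comma-separated AllowedIPs value into ip_network objects."""
    return [ipaddress.ip_network(p.strip()) for p in value.split(",") if p.strip()]


def captured_endpoints(allowed_ips, endpoints):
    """Return the endpoint addresses that AllowedIPs would send into the tunnel."""
    nets = parse_allowed_ips(allowed_ips)
    return [ep for ep in endpoints
            if any(ipaddress.ip_address(ep) in net for net in nets)]


def allowed_ips_excluding(endpoints):
    """Full-tunnel AllowedIPs (IPv4 and IPv6) minus each endpoint address."""
    remaining = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    for ep in endpoints:
        host = ipaddress.ip_network(ep)  # a bare address becomes /32 or /128
        split = []
        for net in remaining:
            if net.version == host.version and host.subnet_of(net):
                split.extend(net.address_exclude(host))
            else:
                split.append(net)
        remaining = split
    return sorted(remaining, key=lambda n: (n.version, n))


if __name__ == "__main__":
    # Addresses the carrier (xray) connection must reach outside the tunnel.
    carrier = ["134.5.36.176", "2001:db8::176"]  # second one is a placeholder
    print("routed into tunnel:", captured_endpoints(PAGE_ALLOWED_IPS, carrier))
    print("AllowedIPs =", ", ".join(map(str, allowed_ips_excluding(carrier))))
```

The IPv4 part of the posted list is exactly the complement of `134.5.36.176/32`, while `::/0` covers every IPv6 address, including whichever one the server has.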
Hi all, thank you for the great product!
I want to run wireguard through vless tunnel (wireguard protocol is blocked, I want to hide it). Something like this:
When I run xray at Server1 and try to connect to it from wireguard's client, I see an error in the log: proxy/socks: failed to parse UDP request > proxy/socks: failed to read UDP header > common/protocol: unknown address type: 0. What does it mean and what can be done to fix it?
Here is my xray.conf
And wireguard's client.conf