XTLS / Xray-core

Xray, Penetrates Everything. Also the best v2ray-core, with XTLS support. Fully compatible configuration.
https://t.me/projectXray
Mozilla Public License 2.0

WireGuard kernelMode malfunction #2849

Closed HXHGTS closed 10 months ago

HXHGTS commented 11 months ago

The system is Debian 12. Running xray 1.8.6 as root with the configuration below, it fails to start:

{
    "inbounds":[
        {
            "tag":"WIREGUARD-INBOUND",
            "port":10086,
            "protocol":"wireguard",
            "settings":{
                "secretKey":"xxxxxxxxxxxxxxxxxxxxxx",
                "peers":[
                    {
                        "publicKey":"xxxxxxxxxxxxxxxxxxxxxx",
                        "preSharedKey":"xxxxxxxxxxxxxxxxxxx",
                        "allowedIPs":[
                            "10.0.0.0/24",
                            "fd10:0000:100::1/48"
                        ]
                    }
                ],
                "kernelMode":true,
                "mtu":1280
            }
        },
        {
            "tag":"VLESS-TCP-INBOUND",
            "port":8443,
            "protocol":"vless",
            "sniffing":{
                "enabled":true,
                "destOverride":[
                    "fakedns+others"
                ]
            },
            "settings":{
                "clients":[
                    {
                        "id":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
                    }
                ],
                "decryption":"none",
                "fallbacks":[
                    {
                        "dest":"xxxxxxxxxxxxxxxxxxxxxxxxx:80"
                    },
                    {
                        "path":"/xxxxxxxxxxxxx",
                        "dest":1081,
                        "xver":1
                    }
                ]
            },
            "streamSettings":{
                "network":"tcp",
                "security":"tls",
                "tlsSettings":{
                    "alpn":[
                        "http/1.1"
                    ],
                    "certificates":[
                        {
                            "certificateFile":"/usr/local/etc/xray/xxx.pem",
                            "keyFile":"/usr/local/etc/xray/xxx.pem"
                        }
                    ]
                }
            }
        },
        {
            "tag":"VLESS-WS-INBOUND",
            "port":1081,
            "listen":"127.0.0.1",
            "protocol":"vless",
            "sniffing":{
                "enabled":true,
                "destOverride":[
                    "fakedns+others"
                ]
            },
            "settings":{
                "clients":[
                    {
                        "id":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
                    }
                ],
                "decryption":"none"
            },
            "streamSettings":{
                "network":"ws",
                "security":"none",
                "wsSettings":{
                    "acceptProxyProtocol":true,
                    "path":"/xxxxxxxxxx"
                }
            }
        }
    ],
    "outbounds":[
        {
            "protocol":"blackhole",
            "settings":{
                "response":{
                    "type":"none"
                }
            },
            "tag":"REJECT"
        },
        {
            "protocol":"dns",
            "settings":{
                "address":"8.8.8.8",
                "port":53,
                "nonIPQuery":"skip"
            },
            "tag":"DNS-OUTBOUND"
        },
        {
            "tag":"INTERNET_OUT",
            "protocol":"freedom",
            "settings":{
                "domainStrategy":"UseIP"
            }
        }
    ],
    "routing":{
        "rules":[
            {
                "type":"field",
                "inboundTag":[
                    "VLESS-TCP-INBOUND",
                    "VLESS-WS-INBOUND"
                ],
                "port":53,
                "network":"tcp,udp",
                "outboundTag":"DNS-OUTBOUND"
            },
            {
                "type":"field",
                "inboundTag":[
                    "DNS-INBOUND"
                ],
                "network":"tcp,udp",
                "outboundTag":"INTERNET_OUT"
            },
            {
                "type":"field",
                "outboundTag":"INTERNET_OUT",
                "network":"udp,tcp"
            }
        ]
    },
    "dns":{
        "servers":[
            {
                "address":"2001:4860:4860::8888",
                "port":53
            },
            {
                "address":"2001:4860:4860::8844",
                "port":53
            },
            {
                "address":"8.8.8.8",
                "port":53
            },
            {
                "address":"8.8.4.4",
                "port":53
            }
        ],
        "queryStrategy":"UseIP",
        "disableFallbackIfMatch":true,
        "tag":"DNS-INBOUND"
    }
}

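Error screenshot: image

The VPS uses KVM virtualization and there is no lack of permissions either, so I don't understand why it doesn't work.

Interestingly, if wireguard is configured only in the outbound with kernelmode set to true, xray creates a wg0 network interface and traffic can be seen flowing through it. Network access is completely normal at that point, but the "TODO: support promiscuous mode" error is still reported.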

HXHGTS commented 11 months ago

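Screenshot of the wg0 virtual interface being created, with traffic flowing, when wireguard is configured only in the outbound: image

Status when wireguard is configured only in the outbound: image

Internet access works normally at this point: image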

us254 commented 10 months ago

Setting kernelmode to false means that the software will not use the operating system's kernel-mode features for its operations but rather will fall back to a userspace implementation.

The log message "Failed to create server > proxy/wireguard: TODO: support promiscuous mode" suggests that the xray service is attempting to use features related to WireGuard that are not yet implemented ("TODO") in the version of xray they're running, specifically the promiscuous mode for networking.

Promiscuous mode is a network configuration where a network device intercepts and reads each network packet that arrives in its entirety. This mode is used in various applications involving packet sniffing or bridge network configurations.

{
  "inbounds": [
    {
      "tag": "wgserver",
      "port": 8888,
      "protocol": "wireguard",
      "settings": {
        "secretKey": "yIw6sjOIp94Ni4mdlPm3GMJ4PvowqGVDZ1Ouw+f7Ukc=",
        "peers": [
          {
            "publicKey": "VvME/dCl8xvuWXljnNqRJFBeekk32SfjGqf/vKbXB2M=",
            "allowedIPs": [
              "192.168.1.0/24"
            ]
          }
        ],
        "kernelMode": false,
        "mtu": 1412
      }
    }
  ]
}

yuhan6665 commented 10 months ago

Inbound currently does not support "kernelMode":true
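
A pre-start check for the condition this thread settles on, as an added example (not code from Xray-core or from any commenter): it flags WireGuard inbounds with `kernelMode` set to true, and additionally flags `allowedIPs` entries whose host bits are set, such as `fd10:0000:100::1/48` in the reported config. The function name and the trimmed sample config are constructed for illustration, and the `allowedIPs` check assumes standard CIDR semantics.

```python
import ipaddress
import json

# Constructed sample: the WireGuard inbound from the report above, trimmed,
# with placeholder key material.
SAMPLE_CONFIG = """
{
  "inbounds": [
    {"tag": "WIREGUARD-INBOUND", "port": 10086, "protocol": "wireguard",
     "settings": {"secretKey": "PLACEHOLDER",
                  "peers": [{"publicKey": "PLACEHOLDER",
                             "allowedIPs": ["10.0.0.0/24", "fd10:0000:100::1/48"]}],
                  "kernelMode": true, "mtu": 1280}},
    {"tag": "VLESS-WS-INBOUND", "port": 1081, "protocol": "vless", "settings": {}}
  ]
}
"""


def check_wireguard_inbounds(config_text):
    """Return (tag, message) findings for WireGuard inbounds in a JSON config."""
    findings = []
    for inbound in json.loads(config_text).get("inbounds", []):
        if inbound.get("protocol") != "wireguard":
            continue
        tag = inbound.get("tag", "<untagged>")
        settings = inbound.get("settings") or {}
        # Per the maintainer's reply in this thread, inbounds do not support this.
        if settings.get("kernelMode") is True:
            findings.append((tag, "kernelMode is true on an inbound; set it to false"))
        for peer in settings.get("peers") or []:
            for cidr in peer.get("allowedIPs") or []:
                try:
                    net = ipaddress.ip_network(cidr, strict=False)
                except ValueError:
                    findings.append((tag, f"allowedIPs entry {cidr!r} is not a valid prefix"))
                    continue
                # Host bits set: the entry names one address, but the prefix is wider.
                if ipaddress.ip_interface(cidr).ip != net.network_address:
                    findings.append((tag, f"allowedIPs entry {cidr!r} has host bits set; as a prefix it is {net}"))
    return findings


if __name__ == "__main__":
    for tag, message in check_wireguard_inbounds(SAMPLE_CONFIG):
        print(f"[{tag}] {message}")
```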