apernet / hysteria

Hysteria is a powerful, lightning fast and censorship resistant proxy.
https://v2.hysteria.network/
MIT License

hysteria2.0: openclash/passwall both break hysteria2.0's socks/http proxy #667

Open duzefu opened 10 months ago

duzefu commented 10 months ago

1. Topology

openclash / passwall and the hysteria2.0 client run on the same OpenWrt box; openclash/passwall connect to hysteria through its local socks/http proxy

2. Server/client configuration

server.yaml

# listen: :443 

acme:
  domains:
    - xxx.com 
  email: abuse@godaddy.com

auth:
  type: password
  password: xxxxx

masquerade: 
  type: proxy
  proxy:
    url: https://www.bing.com/ 
    rewriteHost: true

client.yaml

server: xxx.com:443

auth: xxxxx

bandwidth:
  up: 20 mbps
  down: 100 mbps

socks5:
  listen: 0.0.0.0:10808

http:
  listen: 0.0.0.0:10809

3. openclash/passwall configuration

In both clients I set: 1. do not disable quic (I'm not sure whether this is needed) 2. xxx.com goes direct

4. Actual result

Cannot connect to any foreign site at all. Looking at the -l debug log, I only see request logs and never a close connection log.

2023-09-07T20:47:03+08:00       INFO    HTTP proxy server listening     {"addr": "0.0.0.0:11081"}
2023-09-07T20:47:03+08:00       DEBUG   checking for updates    {"version": "v2.0.0", "platform": "linux", "arch": "amd64", "channel": "release"}
2023-09-07T20:47:03+08:00       INFO    SOCKS5 server listening {"addr": "0.0.0.0:21080"}
2023-09-07T20:47:04+08:00       DEBUG   no update available
2023-09-07T20:47:38+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:44378", "reqAddr": "150.230.112.59:53162"}
2023-09-07T20:47:38+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:44390", "reqAddr": "65.108.73.207:51719"}
2023-09-07T20:47:38+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:44394", "reqAddr": "192.18.148.172:51836"}
2023-09-07T20:47:39+08:00       DEBUG   SOCKS5 TCP closed       {"addr": "192.168.200.2:44378", "reqAddr": "150.230.112.59:53162"}
2023-09-07T20:47:39+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:57090", "reqAddr": "142.251.222.14:443"}
2023-09-07T20:47:39+08:00       DEBUG   SOCKS5 TCP closed       {"addr": "192.168.200.2:44390", "reqAddr": "65.108.73.207:51719"}
2023-09-07T20:47:40+08:00       DEBUG   SOCKS5 TCP closed       {"addr": "192.168.200.2:44394", "reqAddr": "192.18.148.172:51836"}
2023-09-07T20:47:40+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:57100", "reqAddr": "50.93.13.229:45887"}
2023-09-07T20:47:40+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:57108", "reqAddr": "51.15.177.190:51413"}
2023-09-07T20:47:41+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:57120", "reqAddr": "34.89.30.59:1337"}
2023-09-07T20:47:41+08:00       ERROR   SOCKS5 TCP error        {"addr": "192.168.200.2:57120", "reqAddr": "34.89.30.59:1337", "error": "dial error: dial tcp4 34.89.30.59:1337: connect: connection refused"}
2023-09-07T20:47:41+08:00       DEBUG   SOCKS5 TCP closed       {"addr": "192.168.200.2:57100", "reqAddr": "50.93.13.229:45887"}
2023-09-07T20:47:42+08:00       DEBUG   SOCKS5 TCP closed       {"addr": "192.168.200.2:57108", "reqAddr": "51.15.177.190:51413"}
2023-09-07T20:47:43+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:57134", "reqAddr": "99.36.164.235:29303"}
2023-09-07T20:47:44+08:00       DEBUG   SOCKS5 TCP closed       {"addr": "192.168.200.2:57134", "reqAddr": "99.36.164.235:29303"}
2023-09-07T20:47:45+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:57136", "reqAddr": "193.189.100.188:80"}
2023-09-07T20:47:47+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:57138", "reqAddr": "193.189.100.187:80"}
2023-09-07T20:47:47+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:57148", "reqAddr": "216.250.247.140:1096"}
2023-09-07T20:47:47+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:57150", "reqAddr": "223.16.99.207:56096"}
2023-09-07T20:47:49+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:36724", "reqAddr": "193.189.100.188:80"}
2023-09-07T20:47:49+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:36726", "reqAddr": "203.208.50.33:443"}
2023-09-07T20:47:50+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:36732", "reqAddr": "www.google.com:443"}
2023-09-07T20:47:50+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:36746", "reqAddr": "76.233.78.158:36881"}
2023-09-07T20:47:51+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:36754", "reqAddr": "142.251.222.14:443"}
2023-09-07T20:47:51+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:36762", "reqAddr": "142.251.42.142:443"}
2023-09-07T20:47:53+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:36776", "reqAddr": "142.251.42.142:443"}
2023-09-07T20:47:53+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:36796", "reqAddr": "142.251.42.142:443"}
2023-09-07T20:47:53+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:36782", "reqAddr": "142.251.42.142:443"}
2023-09-07T20:47:53+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:36806", "reqAddr": "13.107.21.239:443"}
2023-09-07T20:47:53+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:36822", "reqAddr": "13.107.21.239:443"}
2023-09-07T20:47:53+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:36826", "reqAddr": "58.110.249.37:16881"}
2023-09-07T20:47:54+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:36828", "reqAddr": "35.227.12.84:1337"}
2023-09-07T20:47:54+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:36836", "reqAddr": "50.93.13.229:45887"}
2023-09-07T20:47:54+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:36844", "reqAddr": "104.245.98.141:16881"}
2023-09-07T20:47:55+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:36852", "reqAddr": "34.89.30.59:1337"}
2023-09-07T20:47:55+08:00       ERROR   SOCKS5 TCP error        {"addr": "192.168.200.2:57136", "reqAddr": "193.189.100.188:80", "error": "dial error: dial tcp4 193.189.100.188:80: i/o timeout"}
2023-09-07T20:47:55+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:36860", "reqAddr": "124.8.39.244:59487"}
2023-09-07T20:47:56+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:36862", "reqAddr": "20.190.148.165:443"}
2023-09-07T20:47:56+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:36866", "reqAddr": "20.190.148.165:443"}
2023-09-07T20:47:57+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:36876", "reqAddr": "incoming.telemetry.mozilla.org:443"}
2023-09-07T20:47:57+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:36882", "reqAddr": "aus5.mozilla.org:443"}
2023-09-07T20:47:57+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:36892", "reqAddr": "cloud.bluestacks.com:443"}
2023-09-07T20:47:57+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:36908", "reqAddr": "220.134.192.204:24967"}
2023-09-07T20:47:57+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:36918", "reqAddr": "23.95.247.210:59254"}
2023-09-07T20:47:58+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:36928", "reqAddr": "54.226.96.64:443"}
2023-09-07T20:47:58+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:36936", "reqAddr": "54.226.96.64:443"}
2023-09-07T20:47:59+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:59288", "reqAddr": "195.201.199.204:49375"}
2023-09-07T20:47:59+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:59302", "reqAddr": "152.67.49.130:51579"}
2023-09-07T20:48:00+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:59304", "reqAddr": "193.189.100.186:80"}

5. Additional tests

I turned off openclash/passwall and tested the socks5 proxy from a PC with clash for windows / v2rayn; it works fine. So I suspect some kind of looping proxy request, but I'm not sure: I checked clash's log and did not see any burst of log lines (if requests were looping it should be logging like crazy).

I previously used hysteria 1.x with the same topology and had no problem, but there I was not using a domain name (I specified the IP directly, but hysteria2 doesn't allow that?) and not port 443. I'm not sure whether that is related.
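The symptom described in the report (plenty of "SOCKS5 TCP request" lines, hardly any "SOCKS5 TCP closed" lines, and the suspicion of a proxy loop) can be checked mechanically. The following script is an added example, not part of the issue or of the hysteria project: it parses hysteria client debug log lines in the format shown above, counts requests, closes and errors, lists connections that were opened but never closed, and flags any request whose destination is the proxy's own server host (if the client's SOCKS port is being asked to reach its own server, traffic is being routed back into the proxy). The sample lines are adapted from the log above plus one constructed line targeting xxx.com; the server host list and the loop heuristic are assumptions of this example.

```python
import json
import re
from dataclasses import dataclass, field

# Matches lines like:
# 2023-09-07T20:47:38+08:00   DEBUG   SOCKS5 TCP request   {"addr": "...", "reqAddr": "..."}
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+(?P<msg>.+?)\s+(?P<fields>\{.*\})$"
)

# Constructed sample: lines adapted from the issue's log plus one request to
# the proxy's own server (xxx.com), which is what a loop would look like.
SAMPLE_LOG = """\
2023-09-07T20:47:38+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:44378", "reqAddr": "150.230.112.59:53162"}
2023-09-07T20:47:39+08:00       DEBUG   SOCKS5 TCP closed       {"addr": "192.168.200.2:44378", "reqAddr": "150.230.112.59:53162"}
2023-09-07T20:47:41+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:57120", "reqAddr": "34.89.30.59:1337"}
2023-09-07T20:47:41+08:00       ERROR   SOCKS5 TCP error        {"addr": "192.168.200.2:57120", "reqAddr": "34.89.30.59:1337", "error": "dial error: dial tcp4 34.89.30.59:1337: connect: connection refused"}
2023-09-07T20:47:50+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:36732", "reqAddr": "www.google.com:443"}
2023-09-07T20:47:51+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:36754", "reqAddr": "142.251.222.14:443"}
2023-09-07T20:47:52+08:00       DEBUG   SOCKS5 TCP closed       {"addr": "192.168.200.2:36754", "reqAddr": "142.251.222.14:443"}
2023-09-07T20:47:53+08:00       DEBUG   SOCKS5 TCP request      {"addr": "192.168.200.2:36800", "reqAddr": "xxx.com:443"}
"""


@dataclass
class Summary:
    requests: int = 0
    closed: int = 0
    errors: int = 0
    # (client addr, requested addr) -> timestamp of the request, for connections
    # that have neither a "closed" nor an "error" line yet
    open_conns: dict = field(default_factory=dict)
    error_details: list = field(default_factory=list)
    # requested addrs whose host is one of the proxy's own server hosts
    loop_suspects: list = field(default_factory=list)


def parse_line(line):
    """Split one hysteria log line into timestamp, level, message and JSON fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = json.loads(rec["fields"])
    return rec


def summarize(lines, server_hosts=()):
    """Tally SOCKS5 TCP request/closed/error lines and track unclosed connections."""
    s = Summary()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["msg"].startswith("SOCKS5 TCP"):
            continue
        f = rec["fields"]
        key = (f.get("addr"), f.get("reqAddr"))
        kind = rec["msg"].rsplit(" ", 1)[1]  # "request", "closed" or "error"
        if kind == "request":
            s.requests += 1
            s.open_conns[key] = rec["ts"]
            host = f.get("reqAddr", "").rsplit(":", 1)[0]
            if host in server_hosts:
                s.loop_suspects.append(f["reqAddr"])
        elif kind == "closed":
            s.closed += 1
            s.open_conns.pop(key, None)
        elif kind == "error":
            s.errors += 1
            s.error_details.append((f.get("reqAddr"), f.get("error")))
            s.open_conns.pop(key, None)
    return s


def report(s):
    """Human-readable summary; a high open/requests ratio matches the issue's symptom."""
    lines = [f"requests={s.requests} closed={s.closed} errors={s.errors} still_open={len(s.open_conns)}"]
    for (addr, req), ts in s.open_conns.items():
        lines.append(f"  never closed: {addr} -> {req} (opened {ts})")
    for req in s.loop_suspects:
        lines.append(f"  LOOP SUSPECT: request to the proxy's own server {req}")
    return "\n".join(lines)


if __name__ == "__main__":
    # server_hosts is the hysteria server from client.yaml (xxx.com in the issue)
    print(report(summarize(SAMPLE_LOG.splitlines(), server_hosts=("xxx.com",))))
```

Run it against a real `hysteria client -l debug` log by replacing SAMPLE_LOG with the file's lines; if the "never closed" list grows steadily while nothing completes, or any LOOP SUSPECT appears, the router's transparent proxy is very likely capturing the hysteria client's own traffic.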

maskedeken commented 9 months ago

This might be related to GSO; try disabling GSO

duzefu commented 9 months ago

> This might be related to GSO; try disabling GSO

How do I disable it? The docs don't say

maskedeken commented 9 months ago

> This might be related to GSO; try disabling GSO
>
> How do I disable it? The docs don't say

export QUIC_DISABLE_GSO=true

duzefu commented 9 months ago

> This might be related to GSO; try disabling GSO
>
> How do I disable it? The docs don't say
>
> export QUIC_DISABLE_GSO=true

Still doesn't work

maskedeken commented 9 months ago

> This might be related to GSO; try disabling GSO
>
> How do I disable it? The docs don't say
>
> export QUIC_DISABLE_GSO=true
>
> Still doesn't work

Typo, it should be export QUIC_GO_DISABLE_GSO=true

maskedeken commented 9 months ago

I tried it; this only happens when the client is the original and the server is sing-box. If both ends are the original it works.

tobyxdd commented 9 months ago

Then report it to singbox

My mistake, I thought the comment above was from the OP

paddy-w commented 9 months ago

Adding one more: when going through passwall, every reqAddr the server receives is an IP, so domain-based ACL rules have no effect

duzefu commented 9 months ago

It seems related to clash's routing rules. I use the subscription converter subconverter to generate openclash's config file, with the following template

http://****/sub?target=clash&new_name=true&url=*****&insert=false&config=https%3A%2F%2Fraw.githubusercontent.com%2FACL4SSR%2FACL4SSR%2Fmaster%2FClash%2Fconfig%2FACL4SSR_Online.ini

When I set the catch-all ("漏网之鱼") rule to direct, hysteria2 seems to work. I'm not sure what additional sites hysteria2 requests compared to hysteria1 that would produce a loop. I looked at openclash's log and found nothing noteworthy.

One thing is certain though: once the hysteria2 client has been used by openclash with the above config, its socks/http proxy stops responding to normal requests, even if I stop using the hysteria2 client's socks port in openclash. Testing the socks proxy from a PC instead still fails, until I manually restart the hysteria2 client.

JunHe001 commented 8 months ago

ERROR SOCKS5 TCP error {"addr": "xxx.xxx.x.xxx:6582", "reqAddr": "xx.xx.xx.xx:443", "error": "dial error: dial tcp4 xx.xxx.xxx.xx:443: i/o timeout"}
ERROR SOCKS5 TCP error {"addr": "xxx.xxx.x.xxx:6589", "reqAddr": "xxx.xxx.xxx.xx:443", "error": "dial error: dial tcp4 xxx.xxx.xxx.xx:443: connect: network is unreachable"}

I ran into the problem above; changing the kernel parameter net.netfilter.nf_conntrack_udp_timeout_stream=43200 seems to improve it somewhat, you could try it

JunHe001 commented 8 months ago

Setting these two parameters in the config file to their maximum values also helps somewhat:

quic:
  maxIdleTimeout: 120s
  keepAlivePeriod: 60s

JsonSong89 commented 7 months ago

OP, what IP does the socks proxy that clash points at use? I found that it doesn't work with my ddns domain name but works with the LAN IP

duzefu commented 7 months ago

> OP, what IP does the socks proxy that clash points at use? I found that it doesn't work with my ddns domain name but works with the LAN IP

An internal IP address, 127.0.0.1

sysytemofxxx commented 6 months ago

> It seems related to clash's routing rules. I use the subscription converter subconverter to generate openclash's config file, with the following template
>
> http://****/sub?target=clash&new_name=true&url=*****&insert=false&config=https%3A%2F%2Fraw.githubusercontent.com%2FACL4SSR%2FACL4SSR%2Fmaster%2FClash%2Fconfig%2FACL4SSR_Online.ini
>
> When I set the catch-all ("漏网之鱼") rule to direct, hysteria2 seems to work. I'm not sure what additional sites hysteria2 requests compared to hysteria1 that would produce a loop. I looked at openclash's log and found nothing noteworthy.
>
> One thing is certain though: once the hysteria2 client has been used by openclash with the above config, its socks/http proxy stops responding to normal requests, even if I stop using the hysteria2 client's socks port in openclash. Testing the socks proxy from a PC instead still fails, until I manually restart the hysteria2 client.

I ran into the same problem. I use the lhie1 rules; as long as Others is set to a non-Hysteria2 node there is no problem, but once Others is set to the Hysteria2 node it hangs and stops responding to normal requests.

doggie1989 commented 3 months ago

In passwall, the router's own local UDP must be set to "not proxied"; otherwise, since hysteria2 is UDP, its packets never get out and just go round in circles inside. I run the same setup as you, and it only worked after turning that off.
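The three findings in this thread (paddy-w: the server sees IPs, not domain names; duzefu and sysytemofxxx: the loop goes away when the catch-all/Others rule is not the Hysteria2 node; doggie1989: the loop goes away when the router's own UDP is not proxied) fit one explanation: the hysteria client's own UDP flow to its server is caught by the router-side transparent proxy, does not match the "xxx.com goes direct" domain rule because by then it carries a resolved IP, and so falls through to the catch-all rule, which hands it back to the Hysteria2 node, that is, back to the client's own SOCKS port. The model below is an added example, not code from the issue, openclash, passwall or hysteria: it is a deliberately simplified rule engine (DOMAIN-SUFFIX and IP-CIDR rules, a final outbound, and a switch for router-local UDP) that makes the loop decision visible for each of the configurations discussed. The server IP 203.0.113.10 is a constructed placeholder for the resolved address of xxx.com, and the assumption that the flow reaches the rule engine by IP rather than by name is taken from paddy-w's observation.

```python
import ipaddress
from dataclasses import dataclass

NODE = "HYSTERIA"          # the proxy group/outbound that points at the hysteria2 client
SERVER_IP = "203.0.113.10"  # constructed placeholder: what xxx.com resolves to

# Rule chain in openclash/clash style: (kind, value, outbound), first match wins.
# "xxx.com goes direct" is the rule the reporter added in section 3.
RULES = [
    ("DOMAIN-SUFFIX", "xxx.com", "DIRECT"),
    ("DOMAIN-SUFFIX", "google.com", NODE),
]


@dataclass(frozen=True)
class Flow:
    proto: str          # "tcp" or "udp"
    host: str           # domain name, or IP literal if the app already resolved it
    port: int
    from_router: bool   # originated by a process on the router itself (e.g. the hysteria client)


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def route(flow, rules, final, local_udp_proxied=True):
    """Decide the outbound for a flow.

    final is the catch-all outbound (clash MATCH / "漏网之鱼" / lhie1 "Others").
    local_udp_proxied=False models passwall's "router-local UDP: not proxied" setting.
    """
    if flow.from_router and flow.proto == "udp" and not local_udp_proxied:
        return "DIRECT"
    for kind, value, outbound in rules:
        if kind == "DOMAIN-SUFFIX" and not is_ip(flow.host):
            if flow.host == value or flow.host.endswith("." + value):
                return outbound
        elif kind == "IP-CIDR" and is_ip(flow.host):
            if ipaddress.ip_address(flow.host) in ipaddress.ip_network(value, strict=False):
                return outbound
    return final


def loops(flow, rules, final, node=NODE, **kw):
    """True when the proxy client's own traffic to its server is sent back into the node."""
    return route(flow, rules, final, **kw) == node


def evaluate():
    """Outbound chosen for the hysteria client's own UDP flow under each configuration."""
    by_name = Flow("udp", "xxx.com", 443, from_router=True)
    by_ip = Flow("udp", SERVER_IP, 443, from_router=True)      # what the rule engine actually sees
    ip_rule = RULES + [("IP-CIDR", SERVER_IP + "/32", "DIRECT")]
    return {
        "flow seen by name, final=node": route(by_name, RULES, final=NODE),
        "flow seen by IP, final=node": route(by_ip, RULES, final=NODE),
        "flow seen by IP, final=DIRECT (duzefu's workaround)": route(by_ip, RULES, final="DIRECT"),
        "flow seen by IP, router-local UDP not proxied (doggie1989's fix)":
            route(by_ip, RULES, final=NODE, local_udp_proxied=False),
        "flow seen by IP, explicit IP-CIDR direct rule for the server": route(by_ip, ip_rule, final=NODE),
    }


if __name__ == "__main__":
    for name, outbound in evaluate().items():
        mark = "LOOP" if outbound == NODE else "ok  "
        print(f"{mark}  {name}: {outbound}")
```

The one configuration that loops is exactly the one the reporter started with: a domain-only direct rule plus a catch-all pointing at the Hysteria2 node. Any of the three other changes breaks the cycle; the IP-CIDR variant is the least disruptive, but it only holds while the server's address stays fixed.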