klzgrad / naiveproxy

Make a fortune quietly
BSD 3-Clause "New" or "Revised" License

Question about transparent proxying #229

Closed. onlyJinx closed this 2 years ago

onlyJinx commented 2 years ago

When I use v2ray on my router for transparent proxying it works fine, but for certain reasons I need to switch the server to naiveproxy, so I modified my existing v2ray setup as follows:

  1. Run naiveproxy locally, listening on port 7777; part of its config:

```json
{
  "listen": "socks://127.0.0.1:7777",
  ...
}
```

  2. Delete all of v2ray's outbounds and create a local socks outbound pointing at naiveproxy:

```json
"outbounds": [
  {
    "tag": "proxy_naive",
    "protocol": "socks",
    "settings": {
      "servers": [
        {
          "address": "127.0.0.1",
          "port": 7777
        }
      ]
    }
  }
]
```

Now naiveproxy reports ERR_SOCKS_CONNECTION_FAILED:

```
[1001/191346.816336:INFO:naive_connection.cc(250)] Connection 995 to github.com:443
[1001/191349.592304:INFO:naive_proxy.cc(183)] Connection 996 closed: ERR_SOCKS_CONNECTION_FAILED
[1001/191353.601649:INFO:naive_connection.cc(250)] Connection 997 to wpad.vnet.valeo.com:80
[1001/191353.775444:INFO:naive_proxy.cc(183)] Connection 997 closed: OK
[1001/191427.839002:INFO:naive_connection.cc(250)] Connection 998 to beacons.gvt2.com:443
[1001/191427.846996:INFO:naive_connection.cc(250)] Connection 999 to beacons3.gvt2.com:443
[1001/191509.299540:INFO:naive_proxy.cc(183)] Connection 945 closed: OK
[1001/191547.482796:INFO:naive_proxy.cc(183)] Connection 995 closed: OK
[1001/191557.304404:INFO:naive_connection.cc(250)] Connection 1000 to clients4.google.com:443
[1001/191631.340610:INFO:naive_connection.cc(250)] Connection 1001 to github.com:443
[1001/191729.209428:INFO:naive_proxy.cc(183)] Connection 987 closed: OK
[1001/191733.579492:INFO:naive_proxy.cc(183)] Connection 1002 closed: ERR_SOCKS_CONNECTION_FAILED
[1001/191737.582469:INFO:naive_proxy.cc(183)] Connection 1003 closed: ERR_SOCKS_CONNECTION_FAILED
[1001/191740.919108:INFO:naive_proxy.cc(183)] Connection 992 closed: OK
[1001/191741.831407:INFO:naive_proxy.cc(183)] Connection 1004 closed: ERR_SOCKS_CONNECTION_FAILED
[1001/191744.508988:INFO:naive_proxy.cc(183)] Connection 585 closed: OK
[1001/191744.828306:INFO:naive_connection.cc(250)] Connection 1005 to connectivitycheck.gstatic.com:80
[1001/191744.834103:INFO:naive_connection.cc(250)] Connection 1006 to connectivitycheck.gstatic.com:443
[1001/191745.007893:INFO:naive_proxy.cc(183)] Connection 1005 closed: OK
[1001/191745.601580:INFO:naive_proxy.cc(183)] Connection 1006 closed: OK
[1001/191745.832915:INFO:naive_proxy.cc(183)] Connection 1007 closed: ERR_SOCKS_CONNECTION_FAILED
[1001/191749.843079:INFO:naive_proxy.cc(183)] Connection 1008 closed: ERR_SOCKS_CONNECTION_FAILED
[1001/191751.049594:INFO:naive_proxy.cc(183)] Connection 1009 closed: ERR_SOCKS_CONNECTION_FAILED
[1001/191751.985588:INFO:naive_connection.cc(250)] Connection 1010 to mtalk.google.com:5228
[1001/191753.852171:INFO:naive_proxy.cc(183)] Connection 1011 closed: ERR_SOCKS_CONNECTION_FAILED
[1001/191755.052237:INFO:naive_proxy.cc(183)] Connection 1012 closed: ERR_SOCKS_CONNECTION_FAILED
```

Is this because the UDP traffic from DNS resolution is being sent to naive, and naive doesn't support UDP? Is there a good way to use naive together with v2ray? My current approach is to add a separate outbound just for DNS traffic. But I don't want a separate one; I want all traffic that needs proxying to go through naive.

klzgrad commented 2 years ago

The better approach right now is to run a TCP DNS server on the proxy server at 127.0.0.1:1234, then use TCP DNS resolution in v2ray with the address set to 127.0.0.1:1234, and route that address to the remote side. That way TCP DNS goes through the tunnel in 1 RTT, without the extra RTT of a TCP handshake.

onlyJinx commented 2 years ago

Sorry to bother you again. Following your suggestion I set up a TCP DNS server on my VPS with dnsproxy; its log is as follows:

```
root@debian:~/linux-amd64# ./dnsproxy -p 1234 -u 8.8.8.8 8 -v
2021/10/05 08:58:10 [info] Starting the DNS proxy
2021/10/05 08:58:10 7169#1 [debug] Upstream 0: 8.8.8.8:53
2021/10/05 08:58:10 7169#1 [info] Starting the DNS proxy server
2021/10/05 08:58:10 7169#1 [info] Creating the UDP server socket
2021/10/05 08:58:10 7169#1 [info] Listening to udp://[::]:1234
2021/10/05 08:58:10 7169#1 [info] Creating a TCP server socket
2021/10/05 08:58:10 7169#1 [info] Listening to tcp://[::]:1234
2021/10/05 08:58:10 7169#6 [info] Entering the UDP listener loop on [::]:1234
2021/10/05 08:58:10 7169#7 [info] Entering the tcp listener loop on [::]:1234
```

Then I pointed v2ray's DNS server at tcp://127.0.0.1:1234 and routed that 127.0.0.1 address through the proxy to naive, which forwards it to the naive server. But at runtime it doesn't behave the way I expected. After v2ray hands tcp://127.0.0.1:1234 to the naive client, naive seems unable to send it out? dnsproxy receives nothing at all. I can't work out where the problem is, so I'm asking here. (However, if I write tcp://my-vps-address:1234 instead, DNS seems to resolve fine.) Logs below. v2ray (filtered with grep 127.0.0.1):

```
2021/10/05 12:53:25 [Info] app/dispatcher: taking detour [naiveProxy] for [tcp:127.0.0.1:1234]
2021/10/05 12:53:25 [Info] transport/internet/tcp: dialing TCP to tcp:127.0.0.1:7777
2021/10/05 12:53:26 [Info] app/dispatcher: taking detour [naiveProxy] for [tcp:127.0.0.1:1234]
2021/10/05 12:53:26 [Info] transport/internet/tcp: dialing TCP to tcp:127.0.0.1:7777
2021/10/05 12:53:26 [Info] app/dns: failed to lookup ip for domain beacons2.gvt2.com at server TCP//127.0.0.1:1234 > context deadline exceeded
2021/10/05 12:53:26 [Info] app/dns: failed to lookup ip for domain beacons3.gvt2.com at server TCP//127.0.0.1:1234 > context deadline exceeded
2021/10/05 12:53:26 [Info] app/dns: failed to lookup ip for domain beacons.gcp.gvt2.com at server TCP//127.0.0.1:1234 > context deadline exceeded
2021/10/05 12:53:26 [Info] app/dns: failed to lookup ip for domain beacons.gcp.gvt2.com at server TCP//127.0.0.1:1234 > context deadline exceeded
2021/10/05 12:53:27 [Info] app/dispatcher: taking detour [naiveProxy] for [tcp:127.0.0.1:1234]
2021/10/05 12:53:27 [Info] transport/internet/tcp: dialing TCP to tcp:127.0.0.1:7777
2021/10/05 12:53:27 [Info] app/dispatcher: taking detour [naiveProxy] for [tcp:127.0.0.1:1234]
2021/10/05 12:53:27 [Info] transport/internet/tcp: dialing TCP to tcp:127.0.0.1:7777
2021/10/05 12:53:27 [Info] app/dispatcher: taking detour [naiveProxy] for [tcp:127.0.0.1:1234]
2021/10/05 12:53:27 [Info] transport/internet/tcp: dialing TCP to tcp:127.0.0.1:7777
2021/10/05 12:53:28 [Info] app/dns: failed to lookup ip for domain beacons.gcp.gvt2.com at server TCP//127.0.0.1:1234 > context deadline exceeded
2021/10/05 12:53:28 [Info] app/dns: failed to lookup ip for domain client.wns.windows.com at server TCP//127.0.0.1:1234 > context deadline exceeded
2021/10/05 12:53:28 [Info] app/dispatcher: taking detour [naiveProxy] for [tcp:127.0.0.1:1234]
2021/10/05 12:53:28 [Info] transport/internet/tcp: dialing TCP to tcp:127.0.0.1:7777
2021/10/05 12:53:28 [Info] app/dns: failed to lookup ip for domain beacons3.gvt2.com at server TCP//127.0.0.1:1234 > context deadline exceeded
2021/10/05 12:53:28 [Info] app/dns: failed to lookup ip for domain beacons2.gvt2.com at server TCP//127.0.0.1:1234 > context deadline exceeded
2021/10/05 12:53:28 [Info] app/dns: failed to lookup ip for domain client.wns.windows.com at server TCP//127.0.0.1:1234 > context deadline exceeded
2021/10/05 12:53:29 [Info] app/dns: failed to lookup ip for domain beacons3.gvt2.com at server TCP//127.0.0.1:1234 > context deadline exceeded
2021/10/05 12:53:29 [Info] app/dispatcher: taking detour [naiveProxy] for [tcp:127.0.0.1:1234]
2021/10/05 12:53:29 [Info] transport/internet/tcp: dialing TCP to tcp:127.0.0.1:7777
2021/10/05 12:53:29 [Info] app/dns: failed to lookup ip for domain beacons2.gvt2.com at server TCP//127.0.0.1:1234 > context deadline exceeded
2021/10/05 12:53:29 [Info] app/dispatcher: taking detour [naiveProxy] for [tcp:127.0.0.1:1234]
2021/10/05 12:53:29 [Info] transport/internet/tcp: dialing TCP to tcp:127.0.0.1:7777
2021/10/05 12:53:29 [Info] app/dns: failed to lookup ip for domain client.wns.windows.com at server TCP//127.0.0.1:1234 > context deadline exceeded
2021/10/05 12:53:30 [Info] app/dns: failed to lookup ip for domain beacons.gcp.gvt2.com at server TCP//127.0.0.1:1234 > context deadline exceeded
```

Naive:

```
[1005/205200.104051:INFO:naive_connection.cc(250)] Connection 3241 to www.google.com:443
[1005/205200.143941:INFO:naive_connection.cc(250)] Connection 3242 to 127.0.0.1:1234
[1005/205200.616778:INFO:naive_proxy.cc(183)] Connection 3242 closed: OK
[1005/205202.273592:INFO:naive_connection.cc(250)] Connection 3243 to 127.0.0.1:1234
[1005/205202.374996:INFO:naive_connection.cc(250)] Connection 3244 to alive.github.com:443
[1005/205202.516843:INFO:naive_proxy.cc(183)] Connection 3243 closed: OK
[1005/205203.081847:INFO:naive_connection.cc(250)] Connection 3245 to 127.0.0.1:1234
[1005/205203.533488:INFO:naive_proxy.cc(183)] Connection 3245 closed: OK
[1005/205203.655459:INFO:naive_connection.cc(250)] Connection 3246 to 127.0.0.1:1234
[1005/205203.761323:INFO:naive_proxy.cc(183)] Connection 3244 closed: OK
[1005/205203.821262:INFO:naive_proxy.cc(183)] Connection 3246 closed: OK
[1005/205204.657511:INFO:naive_connection.cc(250)] Connection 3247 to 127.0.0.1:1234
[1005/205204.810992:INFO:naive_connection.cc(250)] Connection 3248 to 127.0.0.1:1234
[1005/205204.827296:INFO:naive_proxy.cc(183)] Connection 3247 closed: OK
[1005/205204.989066:INFO:naive_proxy.cc(183)] Connection 3248 closed: OK
[1005/205205.381337:INFO:naive_connection.cc(250)] Connection 3249 to 127.0.0.1:1234
[1005/205205.586179:INFO:naive_proxy.cc(183)] Connection 3249 closed: OK
[1005/205206.300177:INFO:naive_connection.cc(250)] Connection 3250 to play.google.com:443
[1005/205206.381777:INFO:naive_connection.cc(250)] Connection 3251 to 127.0.0.1:1234
[1005/205206.543584:INFO:naive_proxy.cc(183)] Connection 3251 closed: OK
[1005/205206.659424:INFO:naive_connection.cc(250)] Connection 3252 to 127.0.0.1:1234
[1005/205206.856343:INFO:naive_proxy.cc(183)] Connection 3252 closed: OK
[1005/205207.107232:INFO:naive_connection.cc(250)] Connection 3253 to 127.0.0.1:1234
[1005/205207.268389:INFO:naive_proxy.cc(183)] Connection 3253 closed: OK
[1005/205208.384178:INFO:naive_connection.cc(250)] Connection 3254 to 127.0.0.1:1234
[1005/205208.556770:INFO:naive_proxy.cc(183)] Connection 3254 closed: OK
[1005/205208.854948:INFO:naive_connection.cc(250)] Connection 3255 to 127.0.0.1:1234
[1005/205209.036814:INFO:naive_proxy.cc(183)] Connection 3255 closed: OK
[1005/205209.235779:INFO:naive_proxy.cc(183)] Connection 3236 closed: OK
```
Full v2ray config file:

```json
{
  "log": { "loglevel": "info" },
  "inbounds": [
    {
      "tag": "all-in",
      "port": 12345,
      "protocol": "dokodemo-door",
      "settings": { "network": "tcp,udp", "followRedirect": true },
      "sniffing": { "enabled": true, "destOverride": ["http", "tls"] },
      "streamSettings": { "sockopt": { "tproxy": "tproxy" } }
    }
  ],
  "outbounds": [
    {
      "tag": "naiveProxy",
      "protocol": "socks",
      "settings": { "servers": [ { "address": "127.0.0.1", "port": 7777 } ] }
    },
    {
      "tag": "direct",
      "protocol": "freedom",
      "settings": { "domainStrategy": "UseIPv4" }
    },
    {
      "tag": "dns-out",
      "protocol": "dns",
      "settings": { "address": "1.1.1.1" },
      "proxySettings": { "tag": "dnsOnly" }
    }
  ],
  "dns": {
    "servers": [
      "tcp://127.0.0.1:1234",
      { "address": "119.29.29.29", "port": 53, "domains": ["geosite:cn"] }
    ],
    "queryStrategy": "UseIPv4"
  },
  "routing": {
    "domainStrategy": "IPOnDemand",
    "domainMatcher": "mph",
    "rules": [
      { "type": "field", "inboundTag": ["all-in"], "port": 53, "outboundTag": "dns-out" },
      { "type": "field", "domain": ["geosite:cn"], "outboundTag": "direct" },
      { "type": "field", "ip": ["127.0.0.1"], "outboundTag": "naiveProxy" },
      { "type": "field", "ip": ["119.29.29.29", "geoip:cn"], "outboundTag": "direct" }
    ]
  }
}
```
klzgrad commented 2 years ago

The Caddyfile needs an acl; by default 127.0.0.1 is blocked.

```
route {
  forward_proxy {
    ...
    acl {
      allow 127.0.0.1
    }
  }
}
```

If tcp://my-vps-address:1234 works, the effect is the same.

You don't have to download dnsproxy yourself; dnsmasq is enough.
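An added example to exercise the path described in the two replies above (a TCP DNS server on the proxy server's loopback, reached through naive's local socks listener); it is not code from naiveproxy, v2ray, dnsmasq or anyone in this thread. The proxy and resolver addresses used in the usage note are the ones assumed in the thread (127.0.0.1:7777 and 127.0.0.1:1234), the query name and SAMPLE_RESPONSE are constructed, and all function names are mine.

```python
# Added example (not naiveproxy's or this thread's code); see the lead-in for assumptions.
import socket
import struct

TXID = 0x1234  # fixed transaction id so a response can be matched offline


def build_query(name, qtype=1):
    """Recursive query for `name` (RFC 1035 4.1); qtype 1 = A, 28 = AAAA."""
    header = struct.pack(">HHHHHH", TXID, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # class IN


def tcp_frame(msg):
    """DNS over TCP prefixes every message with its 16-bit big-endian length."""
    return struct.pack(">H", len(msg)) + msg


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before a full message arrived")
        buf += chunk
    return buf


def recv_tcp_message(sock):
    """Read one length-prefixed message; a cut-off stream raises ConnectionError."""
    return _recv_exact(sock, struct.unpack(">H", _recv_exact(sock, 2))[0])


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:  # walk plain labels
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)  # 2-byte pointer or the 0 terminator


def parse_a_records(msg):
    """IPv4 strings from the answer section of a response to our TXID."""
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if rid != TXID or not flags & 0x8000:
        raise ValueError("not a response to our query")
    if flags & 0x000F:
        raise ValueError("resolver returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def socks5_connect_request(host, port):
    """SOCKS5 CONNECT (RFC 1928): ATYP 1 for an IPv4 literal, ATYP 3 for a domain."""
    try:
        dst = b"\x01" + socket.inet_aton(host)
    except OSError:
        dst = b"\x03" + bytes([len(host)]) + host.encode("ascii")
    return b"\x05\x01\x00" + dst + struct.pack(">H", port)


def socks5_connect(sock, host, port):
    """Negotiate no-auth and open a CONNECT tunnel; a non-zero reply code raises."""
    sock.sendall(b"\x05\x01\x00")  # version 5, one method offered: no auth
    if _recv_exact(sock, 2) != b"\x05\x00":
        raise ConnectionError("proxy rejected the no-auth method")
    sock.sendall(socks5_connect_request(host, port))
    ver, rep, _rsv, atyp = _recv_exact(sock, 4)
    if ver != 5 or rep != 0:
        raise ConnectionError("SOCKS CONNECT failed, reply code %d" % rep)
    bnd_len = _recv_exact(sock, 1)[0] if atyp == 3 else {1: 4, 4: 16}[atyp]
    _recv_exact(sock, bnd_len + 2)  # discard BND.ADDR and BND.PORT


def resolve_via_socks(proxy, resolver, name, timeout=5.0):
    """Resolve `name` at `resolver` (host, port) through the SOCKS5 `proxy` (host, port)."""
    with socket.create_connection(proxy, timeout=timeout) as sock:
        socks5_connect(sock, *resolver)  # a SOCKS-level refusal surfaces here
        sock.sendall(tcp_frame(build_query(name)))
        try:
            return parse_a_records(recv_tcp_message(sock))
        except OSError as exc:
            # CONNECT succeeded but nothing came back: the tunnel is up, the far end is
            # not answering. This is the "closed: OK" plus "context deadline exceeded"
            # pattern in the logs above, from before the acl was added.
            raise ConnectionError("tunnel opened but no DNS reply: %s" % exc) from exc


# Constructed response (not captured from the thread): github.com A -> 192.0.2.1, TTL 60.
SAMPLE_RESPONSE = bytes.fromhex(
    "1234 8180 0001 0001 0000 0000"  # header: QR, RD, RA, 1 question, 1 answer
    "06 676974687562 03 636f6d 00 0001 0001"  # question: github.com, type A, class IN
    "c00c 0001 0001 0000003c 0004 c0000201"  # answer: name pointer, A, IN, ttl 60, rdata
)
```

Calling `resolve_via_socks(("127.0.0.1", 7777), ("127.0.0.1", 1234), "github.com")` on the host running the naive client reproduces v2ray's tcp:// resolver path and separates the three outcomes seen in this thread: a SOCKS reply code other than 0 means the proxy refused the CONNECT; a tunnel that opens and then times out with no answer is the loopback destination being dropped on the server side (naive logs "closed: OK", v2ray logs "context deadline exceeded"); a list of addresses means the acl fix is in effect. One caveat once `allow 127.0.0.1` is in place: any client that can authenticate to the forward proxy can then reach whatever is bound to the server's loopback, not only the resolver on port 1234, so keep other loopback-only services in mind.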

onlyJinx commented 2 years ago

Wow, it works after adding the acl as you suggested. I never could figure out which step had the problem; turns out naive was blocking it by default. Many thanks. The reason I don't use tcp://my-vps-address:1234 is that my server also runs other services, and I don't want the whole server address to be proxied.

onlyJinx commented 2 years ago

Now I'm a bit curious: will allowing 127.0.0.1 have any negative side effects? Even if it does, I feel it won't be serious, because when writing my iptables rules I included -d 127.0.0.0/8 -j RETURN.