kuoruan / luci-app-v2ray

LuCI support for V2Ray
1.18k stars, 284 forks

Transparent proxy: the Op itself cannot access the internet #309

Open ygcaicn opened 3 years ago

ygcaicn commented 3 years ago

Transparent proxy: DNS UDP traffic and all TCP traffic are redirected to 1081, with no front-end traffic splitting.

[image]

Looking at iptables, everything appears to be fine.

[image]

Testing shows that split routing works fine for devices on the LAN, but on the Op itself no TCP traffic gets out (curl fails). UDP DNS traffic, on the other hand, reaches v2ray normally.

iptables log analysis

curl 123.58.180.8 locally on the router

root@OpenWrt:/etc/v2ray# logread -f

[LOG-OUTPUT-raw]IN= OUT=eth4 SRC=*.*.*.* DST=123.58.180.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9305 DF PROTO=TCP SPT=53648 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
[LOG-OUTPUT-mangle]IN= OUT=eth4 SRC=*.*.*.* DST=123.58.180.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9305 DF PROTO=TCP SPT=53648 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
[LOG-OUTPUT-nat]IN= OUT=eth4 SRC=*.*.*.* DST=123.58.180.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9305 DF PROTO=TCP SPT=53648 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x1
[LOG-OUTPUT-filter]IN= OUT=eth4 SRC=*.*.*.* DST=123.58.180.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9305 DF PROTO=TCP SPT=53648 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x1

Before entering POSTROUTING the routing table is consulted; because the packet carries MARK=0x1 the custom routing table takes effect and OUT is re-determined

[LOG-POSTROUTING-mangle]IN= OUT=lo SRC=*.*.*.* DST=123.58.180.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9305 DF PROTO=TCP SPT=53648 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x1
[LOG-POSTROUTING-nat]IN= OUT=lo SRC=*.*.*.* DST=123.58.180.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9305 DF PROTO=TCP SPT=53648 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x1

Re-delivered to lo; IN becomes lo

[LOG-PREROUTING-raw]IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=*.*.*.* DST=123.58.180.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9305 DF PROTO=TCP SPT=53648 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x1
[LOG-PREROUTING-mangle]IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=*.*.*.* DST=123.58.180.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9305 DF PROTO=TCP SPT=53648 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x1

After the PREROUTING chain the routing table is consulted again; because of MARK=0x1 the custom routing table applies and OUT is determined to be the local process

[LOG-INPUT-mangle]IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=*.*.*.* DST=123.58.180.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9305 DF PROTO=TCP SPT=53648 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x1
[LOG-INPUT-filter]IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=*.*.*.* DST=123.58.180.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9305 DF PROTO=TCP SPT=53648 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x1

At this point the packet has been delivered to the local process

After that no traffic from v2ray is detected; no traffic with MARK=0xff appears.

Meanwhile tail -f /var/log/v2ray* | grep 123.58.180.8 produces no output at all (v2ray log level debug)

If a device on the LAN runs curl 123.58.180.8, v2ray does produce logs

curl 123.58.180.8 from a host on the LAN

[LOG-PREROUTING-raw]IN=br-lan OUT= MAC=************************ SRC=192.168.6.138 DST=123.58.180.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31512 DF PROTO=TCP SPT=49080 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
[LOG-PREROUTING-mangle]IN=br-lan OUT= MAC=************************ SRC=192.168.6.138 DST=123.58.180.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31512 DF PROTO=TCP SPT=49080 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
[LOG-PREROUTING-nat]IN=br-lan OUT= MAC=************************ SRC=192.168.6.138 DST=123.58.180.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31512 DF PROTO=TCP SPT=49080 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x1

[LOG-INPUT-mangle]IN=br-lan OUT= MAC=************************ SRC=192.168.6.138 DST=123.58.180.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31512 DF PROTO=TCP SPT=49080 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x1
[LOG-INPUT-filter]IN=br-lan OUT= MAC=************************ SRC=192.168.6.138 DST=123.58.180.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31512 DF PROTO=TCP SPT=49080 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x1
[LOG-INPUT-nat]IN=br-lan OUT= MAC=************************ SRC=192.168.6.138 DST=123.58.180.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31512 DF PROTO=TCP SPT=49080 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x1

[LOG-OUTPUT-raw]IN= OUT=eth4 SRC=*.*.*.* DST=123.58.180.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41503 DF PROTO=TCP SPT=55994 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0xff
[LOG-OUTPUT-mangle]IN= OUT=eth4 SRC=*.*.*.* DST=123.58.180.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41503 DF PROTO=TCP SPT=55994 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0xff
[LOG-OUTPUT-nat]IN= OUT=eth4 SRC=*.*.*.* DST=123.58.180.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41503 DF PROTO=TCP SPT=55994 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0xff
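A small tracer for LOG output like the above, added here as an example (it is not the issue author's code and not part of luci-app-v2ray). It parses each `[LOG-<CHAIN>-<table>]` line, groups records by packet (5-tuple plus IP ID), and reports whether a 0x1-marked packet was accepted by INPUT/filter (handed to a local socket) without any later 0xff-marked OUTPUT packet from v2ray, which is exactly the dead-end shown in the router-local capture. The two captures are constructed to mirror the post's logread output; the address 203.0.113.5 stands in for the masked `*.*.*.*` and the br-lan MAC is made up. The meaning attached to marks 0x1 and 0xff is inferred from the logs in the post, not taken from the project's rule set.

```python
"""Trace a TCP SYN through iptables LOG lines and flag a TProxy flow that is
steered to the local process but never re-emerges from v2ray.

Added example for this issue, not code from the issue author or from
luci-app-v2ray.  The captures below are constructed to mirror the issue's
logread output: 203.0.113.5 (RFC 5737) replaces the masked router address
and the br-lan MAC is invented.
"""
import re
from collections import defaultdict

PREFIX_RE = re.compile(r'^\[LOG-(?P<chain>[A-Z]+)-(?P<table>[a-z]+)\]')
FIELD_RE = re.compile(r'\b([A-Z]+)=(\S*)')   # KEY=value tokens; value may be empty

# Marks as they appear in the issue's logs (meaning inferred from those logs).
MARK_TO_PROXY = '0x1'     # packet is to be steered into v2ray via the custom table
MARK_FROM_V2RAY = '0xff'  # packet is v2ray's own outbound, exempt from steering


def parse_log_line(line):
    """Parse one '[LOG-<CHAIN>-<table>]KEY=value ...' line into a dict, else None."""
    s = line.strip()
    m = PREFIX_RE.match(s)
    if not m:
        return None
    rec = {'chain': m.group('chain'), 'table': m.group('table')}
    rec.update(FIELD_RE.findall(s[m.end():]))   # IN= and OUT= are often empty
    rec.setdefault('MARK', '0x0')                # the kernel omits MARK when it is 0
    return rec


def group_by_packet(lines):
    """Group records by (SRC, SPT, DST, DPT, IP ID), keeping log order."""
    packets = defaultdict(list)
    for line in lines:
        rec = parse_log_line(line)
        if rec:
            packets[(rec['SRC'], rec['SPT'], rec['DST'], rec['DPT'], rec['ID'])].append(rec)
    return packets


def diagnose(lines):
    """Return flags describing what the capture shows for the steered packet."""
    verdict = {'rerouted_via_lo': False, 'steered_to_local': False, 'v2ray_outbound': False}
    for recs in group_by_packet(lines).values():
        marks = {r['MARK'] for r in recs}
        chains = {(r['chain'], r['table']) for r in recs}
        if any(r['chain'] == 'POSTROUTING' and r['OUT'] == 'lo' for r in recs):
            verdict['rerouted_via_lo'] = True      # policy routing sent it back to lo
        if MARK_TO_PROXY in marks and ('INPUT', 'filter') in chains:
            verdict['steered_to_local'] = True     # accepted for a local process
        if MARK_FROM_V2RAY in marks and any(
                r['chain'] == 'OUTPUT' and r['OUT'] not in ('', 'lo') for r in recs):
            verdict['v2ray_outbound'] = True       # v2ray opened its own connection
    # The issue's symptom: handed to a local socket, but v2ray never sends anything.
    verdict['stuck'] = verdict['steered_to_local'] and not verdict['v2ray_outbound']
    return verdict


# ---- constructed sample captures, shaped like the issue's logread output ----
def _log(chain, table, inif, outif, src, spt, ident, mark=None, mac=None):
    head = f'[LOG-{chain}-{table}]IN={inif} OUT={outif} ' + (f'MAC={mac} ' if mac else '')
    tail = (f'SRC={src} DST=123.58.180.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID={ident} DF '
            f'PROTO=TCP SPT={spt} DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0')
    return head + tail + (f' MARK={mark}' if mark else '')


WAN = '203.0.113.5'                                       # stand-in for '*.*.*.*'
LO_MAC = '00:00:00:00:00:00:00:00:00:00:00:00:08:00'      # as logged on lo
LAN_MAC = '00:11:22:33:44:55:66:77:88:99:aa:bb:08:00'     # invented

ROUTER_LOCAL_CAPTURE = [                                   # curl run on the router
    _log('OUTPUT', 'raw', '', 'eth4', WAN, 53648, 9305),
    _log('OUTPUT', 'mangle', '', 'eth4', WAN, 53648, 9305),
    _log('OUTPUT', 'nat', '', 'eth4', WAN, 53648, 9305, mark='0x1'),
    _log('OUTPUT', 'filter', '', 'eth4', WAN, 53648, 9305, mark='0x1'),
    _log('POSTROUTING', 'mangle', '', 'lo', WAN, 53648, 9305, mark='0x1'),
    _log('POSTROUTING', 'nat', '', 'lo', WAN, 53648, 9305, mark='0x1'),
    _log('PREROUTING', 'raw', 'lo', '', WAN, 53648, 9305, mark='0x1', mac=LO_MAC),
    _log('PREROUTING', 'mangle', 'lo', '', WAN, 53648, 9305, mark='0x1', mac=LO_MAC),
    _log('INPUT', 'mangle', 'lo', '', WAN, 53648, 9305, mark='0x1', mac=LO_MAC),
    _log('INPUT', 'filter', 'lo', '', WAN, 53648, 9305, mark='0x1', mac=LO_MAC),
    # ...and nothing more: no OUTPUT line carrying MARK=0xff ever follows.
]
LAN_HOST_CAPTURE = [                                       # curl run on a LAN host
    _log('PREROUTING', 'raw', 'br-lan', '', '192.168.6.138', 49080, 31512, mac=LAN_MAC),
    _log('PREROUTING', 'mangle', 'br-lan', '', '192.168.6.138', 49080, 31512, mac=LAN_MAC),
    _log('PREROUTING', 'nat', 'br-lan', '', '192.168.6.138', 49080, 31512, mark='0x1', mac=LAN_MAC),
    _log('INPUT', 'mangle', 'br-lan', '', '192.168.6.138', 49080, 31512, mark='0x1', mac=LAN_MAC),
    _log('INPUT', 'filter', 'br-lan', '', '192.168.6.138', 49080, 31512, mark='0x1', mac=LAN_MAC),
    _log('INPUT', 'nat', 'br-lan', '', '192.168.6.138', 49080, 31512, mark='0x1', mac=LAN_MAC),
    _log('OUTPUT', 'raw', '', 'eth4', WAN, 55994, 41503, mark='0xff'),
    _log('OUTPUT', 'mangle', '', 'eth4', WAN, 55994, 41503, mark='0xff'),
    _log('OUTPUT', 'nat', '', 'eth4', WAN, 55994, 41503, mark='0xff'),
]

if __name__ == '__main__':
    for name, cap in (('router-local', ROUTER_LOCAL_CAPTURE), ('LAN host', LAN_HOST_CAPTURE)):
        print(name, diagnose(cap))
```

Run it as-is, or feed real lines with `diagnose(open('logread.txt').read().splitlines())`; logread timestamps and `kernel:` prefixes ahead of the `[LOG-...]` tag would need to be stripped first, since the parser anchors on the tag at the start of the line.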

Yochee commented 3 years ago

+1. What I do at the moment is put the domains the router itself needs to reach (alidns.aliyuncs.com, whatismyip.akamai.com, mirrors.cloud.tencent.com) in the direct-connect list.

liudanning commented 3 years ago

Ran into the same problem. After turning off TProxy the Op can get online normally; I haven't looked into the exact cause yet. Will debug it when I have time.