morytyann / OpenWrt-mihomo

Transparent Proxy with Mihomo on OpenWrt.
MIT License

[BUG] Side router cannot proxy Docker running on the router itself #125

Closed · haohaoget closed this 2 months ago

haohaoget commented 2 months ago

Self-check steps

Confirmed

System

ImmortalWrt

System version

LuCI openwrt-23.05

Plugin version

1.7.2

Hardware architecture

aarch64_generic

Bug description

The side router cannot proxy Docker running on the router itself. Specifically, Docker containers cannot reach api.openai.com; the address returned is a poisoned domestic (China) IP. IPv4 proxying, router proxying and LAN proxying are enabled (not IPv6). Because mosdns is used as the upstream DNS, IPv4 DNS hijacking is turned off.

Expected behaviour

Traffic routed from inside Docker should be proxied normally.

Steps to reproduce

Start mihomo, then have Docker access the external network.

Plugin configuration

See https://www.qichiyu.com/132.html

Configuration file

No response

Plugin log

No response

Core log

No response

Additional information

No response

morytyann commented 2 months ago

Try enabling IPv6 DNS hijacking.

haohaoget commented 2 months ago

Still doesn't work; none of the traffic from inside Docker enters mihomo. OpenClash works fine, so which setting could be affecting the routing of Docker traffic?

morytyann commented 2 months ago

Is the proxy mode TUN? Try TUN mode.

morytyann commented 2 months ago

Let me set up an environment with Docker, test it, and work out a fix.

haohaoget commented 2 months ago

> Is the proxy mode TUN? Try TUN mode.

Yes, TUN mode (everything on the transparent proxy page is enabled); "bypass mainland China IPs" is checked; rule mode; process matching disabled; "unified delay" unchecked. TUN settings: stack mixed, GSO max size 65536. Fake-IP mode, Fake-IP cache checked, DNS servers overridden (all 127.0.0.1:5335); all sniffer options checked; no mixin file.

haohaoget commented 2 months ago

Configuration file:

```yaml
geox-url:
  geosite: https://cdn.jsdelivr.net/gh/Loyalsoldier/v2ray-rules-dat@release/geosite.dat
  geoip: https://cdn.jsdelivr.net/gh/soffchen/geoip@release/geoip.dat
  mmdb: https://mirror.ghproxy.com/https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geoip-lite.metadb
  asn: https://mirror.ghproxy.com/https://github.com/xishang0128/geoip/releases/download/latest/GeoLite2-ASN.mmdb
allow-lan: true
bind-address: "*"
mode: rule
log-level: warning
external-controller: 0.0.0.0:9090
tproxy-port: 7892
socks-port: 1080
mixed-port: 7890
secret: 123456
external-ui: "ui"
ipv6: true
geodata-mode: true
geodata-loader: standard
find-process-mode: 'off'
tcp-concurrent: true
global-client-fingerprint: chrome
sniffer:
  enable: true
  force-dns-mapping: true
  parse-pure-ip: true
  override-destination: true
  sniff:
    HTTP:
      override-destination: true
      ports:
        - 80
        - 8080-8880
    TLS:
      override-destination: true
      ports:
        - 443
        - 8443
    QUIC:
      override-destination: true
      ports:
        - 443
        - 8443
profile:
  store-selected: true
  store-fake-ip: true
dns:
  enable: true
  ipv6: false
  enhanced-mode: fake-ip
  fake-ip-range: 198.18.0.1/16
  listen: 0.0.0.0:1053
  fallback-filter:
    geoip: true
    geoip-code: CN
    ipcidr:
      - 0.0.0.0/8
      - 10.0.0.0/8
      - 100.64.0.0/10
      - 127.0.0.0/8
      - 169.254.0.0/16
      - 172.16.0.0/12
      - 192.0.0.0/24
      - 192.0.2.0/24
      - 192.88.99.0/24
      - 192.168.0.0/16
      - 198.18.0.0/15
      - 198.51.100.0/24
      - 203.0.113.0/24
      - 224.0.0.0/4
      - 240.0.0.0/4
      - 255.255.255.255/32
    domain:
      - "+.google.com"
      - "+.facebook.com"
      - "+.youtube.com"
      - "+.githubusercontent.com"
      - "+.googlevideo.com"
      - "+.msftconnecttest.com"
      - "+.msftncsi.com"
      - msftconnecttest.com
      - msftncsi.com
  fake-ip-filter:
    - "*.lan"
  use-system-hosts: false
  use-hosts: false
  proxy-server-nameserver:
    - 127.0.0.1:5335
  nameserver:
    - 127.0.0.1:5335
  fallback:
    - 127.0.0.1:5335
proxy-providers:

proxies:

proxy-groups:
  - name: 全局设置
    type: select
    proxies:
      - 自动选择
      - 手动选择
      - DIRECT
  - name: 自动选择
    type: url-test
    use:
      - 
    filter: 
    url: http://www.gstatic.com/generate_204
    interval: 3600
    tolerance: 20

rule-providers:
  Advertising:
    type: http
    behavior: classical
    path: "./rule_provider/Advertising.yaml"
    url: https://fastly.jsdelivr.net/gh/blackmatrix7/ios_rule_script@master/rule/Clash/Advertising/Advertising_Classical.yaml
    interval: 604800

rules:
  - DST-PORT,7895,REJECT
  - DST-PORT,7892,REJECT
  - IP-CIDR,198.18.0.1/16,REJECT,no-resolve
  - RULE-SET,Advertising,REJECT
  - GEOSITE,category-games@cn,DIRECT
  - GEOSITE,geolocation-cn,DIRECT
  - GEOSITE,gfw,全局设置
  - GEOIP,telegram,全局设置,no-resolve
  - GEOIP,private,DIRECT,no-resolve
  - GEOSITE,geolocation-!cn,not-cn
  - GEOIP,cn,DIRECT,no-resolve
  - MATCH,Final
redir-port: 7891
port: 8080
interface-name: eth0
tun:
  enable: true
  stack: mixed
  device: tun
  auto-route: false
  auto-detect-interface: false
  dns-hijack:
    - tcp://any:53
  mtu: 9000
  gso: true
  gso-max-size: 65536
  endpoint-independent-nat: false
  auto-redirect: false
unified-delay: false
keep-alive-interval: 600
external-ui-name: metacubexd
external-ui-url: https://mirror.ghproxy.com/https://github.com/MetaCubeX/metacubexd/archive/refs/heads/gh-pages.zip
geo-auto-update: true
geo-update-interval: 24
```

morytyann commented 2 months ago

OK, wait a bit; I need to set up an environment and reproduce it before I can find and fix the problem.

morytyann commented 2 months ago

The first time I forgot to use TUN mode, so it didn't work; after switching to TUN it works. Side router + ImmortalWrt 23.05, with only Docker and the MTP image installed.

morytyann commented 2 months ago

Sorry, I just forgot to turn off DNS redirection... After turning it off I tried resolving a domain inside the container; it returns a fake-ip and the panel shows the log, so it is indeed compatible. Are you sure your DNS redirection is turned off?


morytyann commented 2 months ago

I tested with your configuration and still can't reproduce it. Closing for now; reply again if you have new findings.

haohaoget commented 1 month ago

It may indeed be my problem. I'm sure I turned DNS redirection off. I use mosdns for split DNS resolution, but even with mosdns off and the original configuration it still doesn't work.

haohaoget commented 3 weeks ago

Found the cause. When using tproxy, the following commands need to be run (reference):

```sh
sysctl -w net.bridge.bridge-nf-call-arptables=0
sysctl -w net.bridge.bridge-nf-call-ip6tables=0
sysctl -w net.bridge.bridge-nf-call-iptables=0
```

morytyann commented 15 hours ago

Some users reporting that LAN clients cannot be proxied in TPROXY mode can also fix it this way. I have fixed this in v1.9.2: the state is modified and restored automatically, so the commands no longer need to be run manually.

Thanks for your contribution. 🤞
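As an added illustration (not the OpenWrt-mihomo project's own code) of the fix haohaoget found and of the save/restore behaviour morytyann describes for v1.9.2: a POSIX sh helper that records the current br_netfilter sysctl values, sets them to 0 so frames crossing the Docker bridge are no longer passed through the ip/ip6/arp tables (where the TPROXY rules would otherwise catch them), and puts the recorded values back afterwards. The BRIDGE_SYSCTL_DIR and STATE_FILE paths and the function names are assumptions; writing to /proc/sys/net/bridge/<key> is equivalent to the `sysctl -w net.bridge.<key>=...` commands quoted above.

```shell
#!/bin/sh
# Added example, not project code: save / disable / restore the br_netfilter
# sysctls that make bridged (Docker) traffic traverse iptables and TPROXY.
# Writing to /proc/sys/net/bridge/<key> == `sysctl -w net.bridge.<key>=<v>`.
# BRIDGE_SYSCTL_DIR and STATE_FILE are assumed paths; override for testing.
BRIDGE_SYSCTL_DIR="${BRIDGE_SYSCTL_DIR:-/proc/sys/net/bridge}"
STATE_FILE="${STATE_FILE:-/var/run/mihomo-bridge-nf.state}"
BRIDGE_NF_KEYS="bridge-nf-call-arptables bridge-nf-call-ip6tables bridge-nf-call-iptables"

# Print the current value of one key, or "absent" if br_netfilter is not loaded.
bridge_nf_get() {
    f="$BRIDGE_SYSCTL_DIR/$1"
    [ -r "$f" ] && cat "$f" || echo absent
}

# Record the pre-change values (one key=value per line) for a later restore.
bridge_nf_save() {
    : > "$STATE_FILE"
    for k in $BRIDGE_NF_KEYS; do
        echo "$k=$(bridge_nf_get "$k")" >> "$STATE_FILE"
    done
    return 0
}

# Keep bridged frames out of the ip/ip6/arp tables; skip keys that do not exist.
bridge_nf_disable() {
    for k in $BRIDGE_NF_KEYS; do
        [ -w "$BRIDGE_SYSCTL_DIR/$k" ] && echo 0 > "$BRIDGE_SYSCTL_DIR/$k"
    done
    return 0
}

# Restore the recorded values; keys that were absent at save time are skipped.
bridge_nf_restore() {
    [ -r "$STATE_FILE" ] || return 1
    while IFS='=' read -r k v; do
        [ "$v" = absent ] && continue
        [ -w "$BRIDGE_SYSCTL_DIR/$k" ] && echo "$v" > "$BRIDGE_SYSCTL_DIR/$k"
    done < "$STATE_FILE"
    rm -f "$STATE_FILE"
}

# start = before bringing up TPROXY, stop = after tearing it down.
case "${1:-}" in
    start) bridge_nf_save && bridge_nf_disable ;;
    stop)  bridge_nf_restore ;;
esac
```

Run as root on the router, since the /proc/sys entries are only writable by root; if br_netfilter is not loaded the keys are absent and nothing is changed.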