v2fly / v2ray-core

A platform for building proxies to bypass network restrictions.
https://v2fly.org
MIT License

Arch Linux: DNS queries are forwarded in a loop when a tproxy transparent proxy is configured #328

Closed liujtani closed 3 years ago

liujtani commented 3 years ago

Unless there are special circumstances, please fill out every question completely. Issues that do not follow the template will be closed directly. If the problem you ran into is not a V2Ray bug, for example you are unsure how to configure something, please use Discussions instead.

  1. Which version of V2Ray are you using? (If the server and client use different versions, please note both)

    • 4.31.1
    • 4.31.0
  2. What is your usage scenario? For example, watching YouTube videos in Chrome through a Socks/VMess proxy.

    Configuring a transparent proxy on Arch Linux; DNS queries get forwarded in a loop and the device cannot connect to the network. Reference article: 透明代理(TPROXY) | 新 V2Ray 白话文指南 (Transparent Proxy (TPROXY) | New V2Ray Plain-Language Guide)

  3. What abnormal behaviour do you see? (Please describe the concrete symptoms, such as access timeouts, TLS certificate errors, etc.)

    1. If iptables does not RETURN DNS queries, they enter v2ray's dokodemo-door inbound, and the DNS queries are then forwarded in a loop and the device cannot connect. I am using 192.168.0.1 as the DNS server here, but switching to another DNS server (for example 223.5.5.5) also loops. If iptables filters (RETURNs) DNS queries, the internet works normally, the transparent proxy takes effect, and sites such as google are reachable. I do have a small question, though: if iptables filters out DNS queries, DNS is not proxied to v2ray and the queries are resolved locally; local resolution should be subject to DNS pollution, so why does circumvention still work?
    2. The dns outbound does not seem to use the built-in DNS server for its queries; capturing with Wireshark, I did not see any packets sent by the built-in DNS server.
    3. All outbounds have SO_MARK set. I inserted a rule into iptables, iptables -t mangle -I V2RAY 1 -m mark --mark 0xff, and then iptables -nvxL --line-numbers shows this rule's counter at 0, which means packets with SO_MARK == 255 are correctly intercepted in V2RAY_MASK. It feels like v2ray does not set SO_MARK on DNS queries.
  4. What is the correct behaviour you expect?

    No loop forwarding.

  5. Please attach your configuration (hide the server IP address before submitting the issue).

    Client configuration:

    {
     "dns": {
       "servers": ["1.1.1.1"]
     },
     "inbounds": [
       {
         "listen": "127.0.0.1",
         "port": 8888,
         "protocol": "http",
         "settings": {},
         "sniffing": {
           "enabled": false
         },
         "tag": "http_IN"
       },
       {
         "listen": "127.0.0.1",
         "port": 1088,
         "protocol": "socks",
         "settings": {
           "auth": "noauth",
           "ip": "127.0.0.1",
           "udp": true,
           "userLevel": 0
         },
         "sniffing": {
           "enabled": false
         },
         "tag": "socks_IN"
       },
       {
         "listen": "127.0.0.1",
         "port": 1090,
         "protocol": "dokodemo-door",
         "settings": {
           "address": "",
           "followRedirect": true,
           "network": "tcp,udp",
           "port": 0,
           "timeout": 0,
           "userLevel": 0
         },
         "sniffing": {
           "destOverride": ["http", "tls"],
           "enabled": true
         },
         "streamSettings": {
           "sockopt": {
             "tproxy": "tproxy"
           }
         },
         "tag": "tproxy_IN"
       }
     ],
     "outbounds": [
       {
         "protocol": "vmess",
         "sendThrough": "0.0.0.0",
         "settings": {
           "vnext": [
             {
               "address": "*",
               "port": 1009,
               "users": [
                 {
                   "alterId": 0,
                   "id": "*",
                   "level": 0,
                   "security": "auto",
                   "testsEnabled": "none"
                 }
               ]
             }
           ]
         },
         "streamSettings": {
           "sockopt": {
             "mark": 255,
             "tcpFastOpen": false,
             "tproxy": "off"
           }
         },
         "tag": "outBound_PROXY"
       },
       {
         "protocol": "freedom",
         "sendThrough": "0.0.0.0",
         "settings": {
           "domainStrategy": "UseIP",
           "redirect": ":0",
           "userLevel": 0
         },
         "streamSettings": {
           "kcpSettings": {},
           "sockopt": {
             "mark": 255
           }
         },
         "tag": "outBound_DIRECT"
       },
       {
         "protocol": "blackhole",
         "sendThrough": "0.0.0.0",
         "settings": {
           "response": {
             "type": "none"
           }
         },
         "streamSettings": {
           "kcpSettings": {},
           "sockopt": {
             "mark": 255
           }
         },
         "tag": "outBound_BLACKHOLE"
       },
       {
         "protocol": "dns",
         "streamSettings": {
           "kcpSettings": {},
           "sockopt": {
             "mark": 255
           }
         },
         "tag": "dns-out"
       }
     ],
     "routing": {
       "domainStrategy": "AsIs",
       "rules": [
         {
           "inboundTag": ["tproxy_IN", "tproxy_IN_V6", "socks_IN"],
           "outboundTag": "dns-out",
           "port": "53",
           "type": "field"
         },
         {
           "ip": ["geoip:private"],
           "outboundTag": "outBound_DIRECT",
           "type": "field"
         },
         {
           "domain": ["geosite:category-ads-all"],
           "outboundTag": "outBound_BLACKHOLE",
           "type": "field"
         },
         {
           "domain": [
             "geosite:google",
             "geosite:github",
             "geosite:netflix",
             "geosite:steam",
             "geosite:telegram",
             "geosite:tumblr",
             "domain:naver.com",
             "geosite:bbc",
             "domain:gvt1.com",
             "domain:textnow.com",
             "domain:twitch.tv",
             "domain:wikileaks.org"
           ],
           "outboundTag": "outBound_PROXY",
           "type": "field"
         },
         {
           "domain": [
             "domain:12306.com",
             "domain:51ym.me",
             "domain:52pojie.cn",
             "domain:8686c.com",
             "domain:abercrombie.com",
             "domain:adobesc.com",
             "domain:air-matters.com",
             "domain:air-matters.io",
             "domain:airtable.com",
             "domain:akadns.net",
             "domain:apache.org",
             "domain:api.crisp.chat",
             "domain:api.termius.com",
             "domain:appshike.com",
             "domain:appstore.com",
             "domain:aweme.snssdk.com",
             "domain:bababian.com",
             "domain:battle.net",
             "domain:beatsbydre.com",
             "domain:bet365.com",
             "domain:bilibili.cn",
             "domain:ccgslb.com",
             "domain:ccgslb.net",
             "domain:chunbo.com",
             "domain:chunboimg.com",
             "domain:clashroyaleapp.com",
             "domain:cloudsigma.com",
             "domain:cloudxns.net",
             "domain:cmfu.com",
             "domain:culturedcode.com",
             "domain:dct-cloud.com",
             "domain:didialift.com",
             "domain:douyutv.com",
             "domain:duokan.com",
             "domain:dytt8.net",
             "domain:easou.com",
             "domain:ecitic.net",
             "domain:eclipse.org",
             "domain:eudic.net",
             "domain:ewqcxz.com",
             "domain:fir.im",
             "domain:frdic.com",
             "domain:fresh-ideas.cc",
             "domain:godic.net",
             "domain:goodread.com",
             "domain:haibian.com",
             "domain:hdslb.net",
             "domain:hollisterco.com",
             "domain:hongxiu.com",
             "domain:hxcdn.net",
             "domain:images.unsplash.com",
             "domain:img4me.com",
             "domain:ipify.org",
             "domain:ixdzs.com",
             "domain:jd.hk",
             "domain:jianshuapi.com",
             "domain:jomodns.com",
             "domain:jsboxbbs.com",
             "domain:knewone.com",
             "domain:kuaidi100.com",
             "domain:lemicp.com",
             "domain:letvcloud.com",
             "domain:lizhi.io",
             "domain:localizecdn.com",
             "domain:lucifr.com",
             "domain:luoo.net",
             "domain:mai.tn",
             "domain:maven.org",
             "domain:miwifi.com",
             "domain:moji.com",
             "domain:moke.com",
             "domain:mtalk.google.com",
             "domain:mxhichina.com",
             "domain:myqcloud.com",
             "domain:myunlu.com",
             "domain:netease.com",
             "domain:nfoservers.com",
             "domain:nssurge.com",
             "domain:nuomi.com",
             "domain:ourdvs.com",
             "domain:overcast.fm",
             "domain:paypal.com",
             "domain:paypalobjects.com",
             "domain:pgyer.com",
             "domain:qdaily.com",
             "domain:qdmm.com",
             "domain:qin.io",
             "domain:qingmang.me",
             "domain:qingmang.mobi",
             "domain:qqurl.com",
             "domain:rarbg.to",
             "domain:rrmj.tv",
             "domain:ruguoapp.com",
             "domain:sm.ms",
             "domain:snwx.com",
             "domain:soku.com",
             "domain:startssl.com",
             "domain:store.steampowered.com",
             "domain:symcd.com",
             "domain:teamviewer.com",
             "domain:tmzvps.com",
             "domain:trello.com",
             "domain:trellocdn.com",
             "domain:ttmeiju.com",
             "domain:udache.com",
             "domain:uxengine.net",
             "domain:weather.bjango.com",
             "domain:weather.com",
             "domain:webqxs.com",
             "domain:weico.cc",
             "domain:wenku8.net",
             "domain:werewolf.53site.com",
             "domain:windowsupdate.com",
             "domain:wkcdn.com",
             "domain:workflowy.com",
             "domain:xdrig.com",
             "domain:xiaojukeji.com",
             "domain:xiaomi.net",
             "domain:xiaomicp.com",
             "domain:ximalaya.com",
             "domain:xitek.com",
             "domain:xmcdn.com",
             "domain:xslb.net",
             "domain:xteko.com",
             "domain:yach.me",
             "domain:yixia.com",
             "domain:yunjiasu-cdn.net",
             "domain:zealer.com",
             "domain:zgslb.net",
             "domain:zimuzu.tv",
             "domain:zmz002.com",
             "domain:samsungdm.com",
             "domain:zhihu.com",
             "domain:ntp.org",
             "domain:fnf-gfw-node.top"
           ],
           "outboundTag": "outBound_DIRECT",
           "type": "field"
         }
       ]
     }
    }

    iptables and policy routing setup:

    # policy routing
    ip rule add fwmark 1 table 100
    ip route add local 0.0.0.0/0 dev lo table 100
    # iptables
    # proxy LAN devices
    iptables -t mangle -N V2RAY
    iptables -t mangle -A V2RAY -d 0.0.0.0/8 -j RETURN
    iptables -t mangle -A V2RAY -d 10.0.0.0/8 -j RETURN
    iptables -t mangle -A V2RAY -d 127.0.0.0/8 -j RETURN
    iptables -t mangle -A V2RAY -d 169.254.0.0/16 -j RETURN
    iptables -t mangle -A V2RAY -d 172.16.0.0/12 -j RETURN
    iptables -t mangle -A V2RAY -d 224.0.0.0/4 -j RETURN
    iptables -t mangle -A V2RAY -d 240.0.0.0/4 -j RETURN
    iptables -t mangle -A V2RAY -d 255.255.255.255/32 -j RETURN
    iptables -t mangle -A V2RAY -d 192.168.0.0/16 -p tcp -j RETURN
    iptables -t mangle -A V2RAY -d 192.168.0.0/16 -p udp ! --dport 53 -j RETURN # DNS queries are not filtered out here; using the DNS server at 192.168.0.1 produces a loop
    iptables -t mangle -A V2RAY -p udp -j TPROXY --on-port 1090 --tproxy-mark 1 # mark UDP with 1 and forward it to port 1090
    iptables -t mangle -A V2RAY -p tcp -j TPROXY --on-port 1090 --tproxy-mark 1 # mark TCP with 1 and forward it to port 1090
    iptables -t mangle -A PREROUTING -j V2RAY

    # proxy the gateway host itself
    iptables -t mangle -N V2RAY_MASK
    iptables -t mangle -A V2RAY_MASK -d 0.0.0.0/8 -j RETURN
    iptables -t mangle -A V2RAY_MASK -d 10.0.0.0/8 -j RETURN
    iptables -t mangle -A V2RAY_MASK -d 127.0.0.0/8 -j RETURN
    iptables -t mangle -A V2RAY_MASK -d 169.254.0.0/16 -j RETURN
    iptables -t mangle -A V2RAY_MASK -d 172.16.0.0/12 -j RETURN
    iptables -t mangle -A V2RAY_MASK -d 224.0.0.0/4 -j RETURN
    iptables -t mangle -A V2RAY_MASK -d 240.0.0.0/4 -j RETURN
    iptables -t mangle -A V2RAY_MASK -d 255.255.255.255/32 -j RETURN
    iptables -t mangle -A V2RAY_MASK -d 192.168.0.0/16 -p tcp -j RETURN
    iptables -t mangle -A V2RAY_MASK -d 192.168.0.0/16 -p udp ! --dport 53 -j RETURN # send LAN traffic direct, except port 53 (because V2Ray's DNS is to be used)
    iptables -t mangle -A V2RAY_MASK -j RETURN -m mark --mark 0xff # send traffic with SO_MARK 0xff direct (0xff is hexadecimal, numerically equal to the 255 in the V2Ray config above); this rule avoids loops when proxying the gateway's own traffic
    iptables -t mangle -A V2RAY_MASK -p udp -j MARK --set-mark 1 # mark UDP for rerouting
    iptables -t mangle -A V2RAY_MASK -p tcp -j MARK --set-mark 1 # mark TCP for rerouting
    iptables -t mangle -A OUTPUT -j V2RAY_MASK
  6. Please attach the error log the software printed when the error occurred. On Linux the log is usually in /var/log/v2ray/error.log.

    Client error log:

    2020/10/17 10:21:48 [Warning] v2ray.com/core: V2Ray 4.31.1 started
    2020/10/17 10:21:48 192.168.0.109:49843 accepted udp:192.168.0.1:53 [dns-out]
    2020/10/17 10:21:48 192.168.0.109:42886 accepted udp:192.168.0.1:53 [dns-out]
    2020/10/17 10:21:48 192.168.0.109:56841 accepted udp:192.168.0.1:53 [dns-out]
    2020/10/17 10:21:48 192.168.0.109:41190 accepted udp:192.168.0.1:53 [dns-out]
    2020/10/17 10:21:49 192.168.0.109:38009 accepted udp:192.168.0.1:53 [dns-out]
    2020/10/17 10:21:49 192.168.0.109:33774 accepted udp:192.168.0.1:53 [dns-out]
    2020/10/17 10:21:50 192.168.0.109:59550 accepted udp:192.168.0.1:53 [dns-out]
    2020/10/17 10:21:51 192.168.0.109:38481 accepted udp:192.168.0.1:53 [dns-out]
    2020/10/17 10:21:51 192.168.0.109:52801 accepted udp:192.168.0.1:53 [dns-out]
    2020/10/17 10:21:52 192.168.0.109:42511 accepted udp:192.168.0.1:53 [dns-out]
    2020/10/17 10:21:52 192.168.0.109:46727 accepted udp:192.168.0.1:53 [dns-out]
    2020/10/17 10:21:53 192.168.0.109:57047 accepted udp:192.168.0.1:53 [dns-out]
    2020/10/17 10:21:54 [Warning] v2ray.com/core/app/proxyman/outbound: failed to process outbound traffic > v2ray.com/core/proxy/vmess/outbound: failed to find an available destination > v2ray.com/core/common/retry: [dial tcp: operation was canceled] > v2ray.com/core/common/retry: all retry attempts failed
    2020/10/17 10:21:54 192.168.0.109:48365 accepted udp:192.168.0.1:53 [dns-out]
    2020/10/17 10:21:54 192.168.0.109:38033 accepted udp:192.168.0.1:53 [dns-out]
    2020/10/17 10:21:55 192.168.0.109:33632 accepted udp:192.168.0.1:53 [dns-out]
    2020/10/17 10:21:55 192.168.0.109:39639 accepted udp:192.168.0.1:53 [dns-out]
    2020/10/17 10:21:56 192.168.0.109:33705 accepted udp:192.168.0.1:53 [dns-out]
    2020/10/17 10:21:56 192.168.0.109:48148 accepted udp:192.168.0.1:53 [dns-out]
    2020/10/17 10:21:58 [Warning] v2ray.com/core/app/proxyman/outbound: failed to process outbound traffic > v2ray.com/core/proxy/vmess/outbound: failed to find an available destination > v2ray.com/core/common/retry: [dial tcp: operation was canceled] > v2ray.com/core/common/retry: all retry attempts failed
    2020/10/17 10:21:58 192.168.0.109:48619 accepted udp:192.168.0.1:53 [dns-out]
    2020/10/17 10:21:58 192.168.0.109:40970 accepted udp:192.168.0.1:53 [dns-out]
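The loop the reporter describes can be reasoned about with a small model of the V2RAY_MASK chain from the issue. The following is an added example, not code from the issue or from v2ray-core: it encodes the chain's rules as match/action pairs, walks a packet through them, and follows one DNS lookup through the reroute cycle (MARK 1, policy route to lo, TPROXY into dokodemo-door, the port-53 routing rule, dns-out re-emitting a query to the configured server 1.1.1.1). The names `Packet`, `walk`, `trace_dns_query`, `BYPASS_NETS` and the constants are mine, and the key assumption is that the query dns-out re-emits carries whatever socket mark is passed in; mark 0 reproduces the reporter's suspicion that no SO_MARK is applied.

```python
# Added example (not part of the issue or of v2ray-core): a model of the
# V2RAY_MASK mangle chain from the issue, used to show why an unmarked DNS
# query keeps re-entering the dokodemo-door inbound.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    dst: str        # destination IPv4 address
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    mark: int = 0   # SO_MARK / fwmark of the sending socket (0 = unmarked)


def in_net(net: str):
    """Match helper equivalent to `-d <net>`."""
    network = ipaddress.ip_network(net)
    return lambda p: ipaddress.ip_address(p.dst) in network


# Bypass networks exactly as listed in the issue's V2RAY_MASK chain.
BYPASS_NETS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
               "172.16.0.0/12", "224.0.0.0/4", "240.0.0.0/4", "255.255.255.255/32"]

V2RAY_MARK = 0xff               # sockopt.mark = 255 on the issue's outbounds
REROUTE_MARK = 1                # `MARK --set-mark 1` -> `ip rule fwmark 1 table 100`
BUILTIN_DNS_SERVER = "1.1.1.1"  # "dns": {"servers": ["1.1.1.1"]} in the config

# Each rule is (match, action); actions are "RETURN" or ("MARK", value).
V2RAY_MASK = [(in_net(n), "RETURN") for n in BYPASS_NETS] + [
    (lambda p: in_net("192.168.0.0/16")(p) and p.proto == "tcp", "RETURN"),
    (lambda p: in_net("192.168.0.0/16")(p) and p.proto == "udp" and p.dport != 53, "RETURN"),
    (lambda p: p.mark == V2RAY_MARK, "RETURN"),           # -m mark --mark 0xff
    (lambda p: p.proto == "udp", ("MARK", REROUTE_MARK)),
    (lambda p: p.proto == "tcp", ("MARK", REROUTE_MARK)),
]


def walk(chain, pkt):
    """Return the first matching rule's action, or "RETURN" when the chain
    ends without a match (a user chain falls back to its caller)."""
    for match, action in chain:
        if match(pkt):
            return action
    return "RETURN"


def trace_dns_query(v2ray_socket_mark, max_hops=8):
    """Follow one DNS lookup through the OUTPUT chain.

    Hop 0 is an application's resolver query (unmarked) to the LAN DNS server.
    Each time the chain marks the packet, policy routing sends it to lo, the
    PREROUTING TPROXY rule hands it to dokodemo-door, the port-53 routing rule
    selects dns-out, and the built-in DNS emits a fresh query to
    BUILTIN_DNS_SERVER carrying `v2ray_socket_mark` (assumption under test).
    Returns ("direct", hops) when the query leaves the host, or
    ("loop", max_hops) when it keeps re-entering v2ray."""
    pkt = Packet("192.168.0.1", "udp", 53, mark=0)
    for hop in range(max_hops):
        if walk(V2RAY_MASK, pkt) == "RETURN":
            return ("direct", hop)
        pkt = Packet(BUILTIN_DNS_SERVER, "udp", 53, mark=v2ray_socket_mark)
    return ("loop", max_hops)


if __name__ == "__main__":
    print("dns-out sets SO_MARK 0xff:", trace_dns_query(V2RAY_MARK))  # ('direct', 1)
    print("dns-out sends unmarked   :", trace_dns_query(0))           # ('loop', 8)
```

The model makes the reporter's observation concrete: the `-m mark --mark 0xff` rule is the only thing that lets v2ray's own upstream DNS query leave the host, so if dns-out emits that query without the mark, every hop after the first is marked again and handed back to the tproxy inbound. Checking the rule counters with `iptables -t mangle -nvxL V2RAY_MASK --line-numbers` while a lookup is in flight is the same test the reporter ran; a mark rule that never increments points at unmarked sockets rather than at the chain.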

mejinotdove commented 3 years ago

add this rule: iptables -t mangle -A V2RAY -m addrtype --dst-type LOCAL -j RETURN

Loyalsoldier commented 3 years ago

See https://github.com/v2fly/v2ray-core/discussions/505