v2ray / discussion

For general discussion over Project V development and usage.

wss+nginx+cf - can't connect via domain #292

Closed itshaadi closed 5 years ago

itshaadi commented 5 years ago

Recently, my VPS got walled, even though it was behind a CDN. Here is my setup. I would like to know why I can't connect to the server (a new one, which hasn't been walled) via domain name, but I can connect via IP.

And if this address field is just for v2ray's routing (and it's not exposed), then why did it get walled?

Client

{
  "inbounds": [{
    "port": 1080,
    "listen": "0.0.0.0",
    "protocol": "socks",
    "tag": "socks",
    "settings": {
      "udp": false
    },
    "sniffing": {
      "enabled": false,
      "destOverride": ["http", "tls"]
    },
    "domainOverride": ["http", "tls"]
  }],
  "outbounds": [{
    "protocol": "vmess",
    "tag": "vmess-out", // tag belongs on the outbound itself, not inside streamSettings
    "settings": {
      "vnext": [{
        "address": "MY_DOMAIN", // all retry attempts failed
        "port": 443,
        "users": [{
          "id": "0f8f939c-668f-406f-5ad5-4c2e19eebd2c",
          "security": "aes-128-gcm"
        }]
      }]
    },
    "streamSettings": {
      "network": "ws",
      "wsSettings": {
        "path": "/downloadstream",
        "headers": {
          "Host": "MYDOMAIN_COM"
        }
      },
      "security": "tls",
      "tlsSettings": {
        "serverName": "MYDOMAIN_COM",
        "allowInsecure": false
      }
    }
  }]
}

Server

{
  "inbound": {
    "port": 19487,
    "protocol": "vmess",
    "settings": {
      "clients": [{
        "id": "0f8f939c-668f-406f-5ad5-4c2e19eebd2c",
        "level": 1
      }]
    },
    "streamSettings": {
      "network": "ws",
      "wsSettings": {
        "connectionReuse": false,
        "path": "/downloadstream"
      }
    },
    "detour": {
      "to": "vmess-detour"
    }
  },
  "outbound": {
    "protocol": "freedom",
    "settings": {}
  },
  "inboundDetour": [{
      "protocol": "vmess",
      "port": "45000-45999",
      "tag": "vmess-detour",
      "settings": {},
      "allocate": {
        "strategy": "random",
        "concurrency": 5,
        "refresh": 5
      },
      "streamSettings": {
        "network": "ws",
        "wsSettings": {
          "connectionReuse": false,
          "path": "/downloadstream"
        }
      }
    }
  ],
  "outboundDetour": [{
    "protocol": "blackhole",
    "settings": {},
    "tag": "blocked"
  }],
  "routing": {
    "strategy": "rules",
    "settings": {
      "rules": [{
        "type": "field",
        "ip": [
          "0.0.0.0/8",
          "10.0.0.0/8",
          "100.64.0.0/10",
          "127.0.0.0/8",
          "169.254.0.0/16",
          "172.16.0.0/12",
          "192.0.0.0/24",
          "192.0.2.0/24",
          "192.168.0.0/16",
          "198.18.0.0/15",
          "198.51.100.0/24",
          "203.0.113.0/24",
          "::1/128",
          "fc00::/7",
          "fe80::/10"
        ],
        "outboundTag": "blocked"
      }]
    }
  }
}

nginx

    upstream v2ray {
        server 127.0.0.1:19487;
    }

    # proxy_pass to v2ray only if it's a websocket connection
    location /downloadstream {
        access_log /var/log/nginx/websocket.access.log main;
        proxy_pass http://my_domain.com;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_intercept_errors on;
        if ($http_upgrade = "websocket" ) {
            proxy_pass http://v2ray;
        }
    }
kslr commented 5 years ago

Add logs

itshaadi commented 5 years ago

I can verify that the issue is not present when using v2ray with just a socks5 inbound. However, when using tun2socks and changing my default gateway to tun1, this happens:

logs from v2ray

2019/07/11 16:30:54 [Warning] [1004810014] v2ray.com/core/app/proxyman/outbound: failed to process outbound traffic > v2ray.com/core/proxy/vmess/outbound: failed to find an available destination > v2ray.com/core/common/retry: [v2ray.com/core/transport/internet/websocket: failed to dial WebSocket > v2ray.com/core/transport/internet/websocket: failed to dial to (wss://nextcloud.pcdns.ir/downloadstream):  > dial tcp: lookup nextcloud.pcdns.ir on [::1]:53: dial udp [::1]:53: socket: too many open files v2ray.com/core/transport/internet/websocket: failed to dial WebSocket > v2ray.com/core/transport/internet/websocket: failed to dial to (wss://nextcloud.pcdns.ir/downloadstream):  > read tcp 240.0.0.1:37070->104.31.78.203:443: i/o timeout v2ray.com/core/transport/internet/websocket: failed to dial WebSocket > v2ray.com/core/transport/internet/websocket: failed to dial to (wss://nextcloud.pcdns.ir/downloadstream):  > dial tcp: operation was canceled] > v2ray.com/core/common/retry: all retry attempts failed

also logs from v2ray docker container (this isn't the VPS it's my home server)

2019/07/11 11:52:14 [Warning] [459052501] v2ray.com/core/app/proxyman/outbound: failed to process outbound traffic > v2ray.com/core/proxy/vmess/outbound: failed to find an available destination > v2ray.com/core/common/retry: [v2ray.com/core/transport/internet/websocket: failed to dial WebSocket > v2ray.com/core/transport/internet/websocket: failed to dial to (wss://nextcloud.pcdns.ir/downloadstream):  > dial tcp: lookup nextcloud.pcdns.ir on 127.0.0.11:53: read udp 127.0.0.1:33282->127.0.0.11:53: i/o timeout v2ray.com/core/transport/internet/websocket: failed to dial WebSocket > v2ray.com/core/transport/internet/websocket: failed to dial to (wss://nextcloud.pcdns.ir/downloadstream):  > dial tcp: operation was canceled] > v2ray.com/core/common/retry: all retry attempts failed
2019/07/11 11:52:15 [Warning] [2793147498] v2ray.com/core/app/proxyman/outbound: failed to process outbound traffic > v2ray.com/core/proxy/vmess/outbound: failed to find an available destination > v2ray.com/core/common/retry: [v2ray.com/core/transport/internet/websocket: failed to dial WebSocket > v2ray.com/core/transport/internet/websocket: failed to dial to (wss://nextcloud.pcdns.ir/downloadstream):  > dial tcp: operation was canceled] > v2ray.com/core/common/retry: all retry attempts failed

and here is how I use tun2socks (eycorsican/go-tun2socks - v1.15.0):

ip tuntap add mode tun dev tun1
ip addr add 240.0.0.1 dev tun1
ip link set dev tun1 up
ip route del default
ip route add default via 240.0.0.1
ip route add SERVER_IP_HERE via 192.168.30.3
./tun2socks -tunAddr 240.0.0.2 -tunGw 240.0.0.1 -proxyServer 127.0.0.1:1080

There are no error logs from the server side. This appears to be a DNS issue; I am also using DNSCrypt.
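The warnings quoted above pack several dial attempts into one line, and the useful information is the innermost error of each attempt. The following script is an added example, not code from this thread or from the v2ray project: it splits a v2ray retry warning into its attempts, extracts each root cause, and flags the two conditions visible in the quoted logs: DNS lookups failing (with the resolver being hit), and a TCP connection to port 443 whose local address is the tun interface, which means the proxy's own upstream connection was routed into the tunnel instead of out the real gateway. The sample lines are constructed in the shape of the quoted warnings with a placeholder domain (`example.invalid`) and documentation IP addresses; the `240.0.0.` prefix matches the tun addressing in the setup above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample lines: same structure as the warnings quoted in this thread,
# with a placeholder domain and documentation-range IPs substituted in.
SAMPLE_LOG = [
    "2019/07/11 16:30:54 [Warning] [1004810014] v2ray.com/core/app/proxyman/outbound: failed to process outbound traffic > v2ray.com/core/proxy/vmess/outbound: failed to find an available destination > v2ray.com/core/common/retry: [v2ray.com/core/transport/internet/websocket: failed to dial WebSocket > v2ray.com/core/transport/internet/websocket: failed to dial to (wss://example.invalid/downloadstream):  > dial tcp: lookup example.invalid on [::1]:53: dial udp [::1]:53: socket: too many open files v2ray.com/core/transport/internet/websocket: failed to dial WebSocket > v2ray.com/core/transport/internet/websocket: failed to dial to (wss://example.invalid/downloadstream):  > read tcp 240.0.0.1:37070->203.0.113.10:443: i/o timeout v2ray.com/core/transport/internet/websocket: failed to dial WebSocket > v2ray.com/core/transport/internet/websocket: failed to dial to (wss://example.invalid/downloadstream):  > dial tcp: operation was canceled] > v2ray.com/core/common/retry: all retry attempts failed",
    "2019/07/11 11:52:14 [Warning] [459052501] v2ray.com/core/app/proxyman/outbound: failed to process outbound traffic > v2ray.com/core/proxy/vmess/outbound: failed to find an available destination > v2ray.com/core/common/retry: [v2ray.com/core/transport/internet/websocket: failed to dial WebSocket > v2ray.com/core/transport/internet/websocket: failed to dial to (wss://example.invalid/downloadstream):  > dial tcp: lookup example.invalid on 127.0.0.11:53: read udp 127.0.0.1:33282->127.0.0.11:53: i/o timeout v2ray.com/core/transport/internet/websocket: failed to dial WebSocket > v2ray.com/core/transport/internet/websocket: failed to dial to (wss://example.invalid/downloadstream):  > dial tcp: operation was canceled] > v2ray.com/core/common/retry: all retry attempts failed",
]

# Each dial attempt inside the retry list starts with this prefix.
ATTEMPT_MARKER = "v2ray.com/core/transport/internet/websocket: failed to dial WebSocket"

DNS_RE = re.compile(r"lookup (?P<name>\S+) on (?P<resolver>\S+): ")
TCP_RE = re.compile(r"read tcp (?P<local>\S+)->(?P<remote>\S+): i/o timeout")


@dataclass
class Attempt:
    kind: str    # fd_exhaustion | dns_failure | tcp_timeout | canceled | other
    detail: str  # resolver, address pair, or raw text


def split_attempts(line: str) -> List[str]:
    """Return the raw text of every dial attempt inside 'retry: [ ... ]'."""
    start = line.find("retry: [")
    end = line.rfind("] > ")
    if start < 0 or end < 0:
        return []
    body = line[start + len("retry: ["):end]
    return [p.strip() for p in body.split(ATTEMPT_MARKER) if p.strip()]


def root_cause(attempt: str) -> str:
    """v2ray chains errors with ' > '; the innermost error is the last segment."""
    return attempt.split(" > ")[-1].strip()


def classify(cause: str) -> Attempt:
    """Map one root-cause string to a coarse failure class."""
    m = DNS_RE.search(cause)
    if m:
        if "too many open files" in cause:
            # The resolver socket could not even be opened: fd exhaustion,
            # typically from a retry storm, not a network problem.
            return Attempt("fd_exhaustion", f"resolver {m['resolver']}")
        return Attempt("dns_failure", f"{m['name']} via {m['resolver']}")
    m = TCP_RE.search(cause)
    if m:
        return Attempt("tcp_timeout", f"{m['local']}->{m['remote']}")
    if "operation was canceled" in cause:
        # Collateral: the retry loop gave up while this attempt was pending.
        return Attempt("canceled", "")
    return Attempt("other", cause)


def diagnose(lines: List[str], tun_prefix: str) -> Dict[str, object]:
    """Count failure classes and derive findings across all warning lines.

    tun_prefix is the address prefix of the tun interface (hypothetical
    parameter; '240.0.0.' for the setup in this thread). A tcp_timeout whose
    local address carries that prefix means the proxy's upstream connection
    itself was sent into the tunnel, i.e. the route exception for the server
    did not apply to the address the client actually dialled.
    """
    counts: Dict[str, int] = {}
    findings = set()
    for line in lines:
        for raw in split_attempts(line):
            a = classify(root_cause(raw))
            counts[a.kind] = counts.get(a.kind, 0) + 1
            if a.kind == "tcp_timeout" and a.detail.startswith(tun_prefix):
                findings.add("proxy_traffic_routed_into_tun")
            elif a.kind == "fd_exhaustion":
                findings.add("fd_exhaustion")
            elif a.kind == "dns_failure":
                findings.add("dns_unreachable")
    return {"counts": counts, "findings": sorted(findings)}


if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG, "240.0.0.")
    print("attempt classes:", report["counts"])
    print("findings:", report["findings"])
```

Run over the constructed lines, the script reports one `fd_exhaustion`, one `dns_failure`, one `tcp_timeout` and two `canceled` attempts, and the findings `dns_unreachable`, `fd_exhaustion` and `proxy_traffic_routed_into_tun`. The last finding is the one to act on first: the client dials a domain name, so the route exception added for `SERVER_IP_HERE` never matches the CDN edge address the name resolves to, and the upstream connection loops back into the tun.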

itshaadi commented 5 years ago

https://github.com/eycorsican/go-tun2socks/issues/35#issuecomment-464418313 - I followed this comment previously, which led to the IP being blocked. Could this be the reason?

kingwilliam commented 5 years ago

I see your client setting has TLS enabled, but nginx can't see TLS.

Are you using Cloudflare? What is your cf-crypto-ssl setting?

If your chain is client-(ws+tls)->CDN-(ws)->VPS, your cf-crypto-ssl needs to be set to "Flexible".

If your chain is client-(ws+tls)->CDN-(ws+tls)->VPS, your cf-crypto-ssl needs to be "Full / Full (strict) / Strict (SSL-Only Origin Pull)", and you need to insert a valid certificate into nginx.

Please refer to:

v2ray/discussion: V2Ray works when accessing the IP directly, but fails once a CDN is put in front #294 https://github.com/v2ray/discussion/issues/294#issuecomment-515636783

CLOUDFLARE: End-to-end HTTPS with Cloudflare - Part 3: SSL options https://support.cloudflare.com/hc/en-us/articles/200170416-End-to-end-HTTPS-with-Cloudflare-Part-3-SSL-options

NGINX: Configuring HTTPS servers http://nginx.org/en/docs/http/configuring_https_servers.html

itshaadi commented 5 years ago

I took a deeper look at v2ray and was able to understand the situation better. I also applied @kingwilliam's tips, thank you.