vernesong / OpenClash

A Clash Client For OpenWrt
MIT License

Side router: TUN mode completely unusable, no connections to either domestic or overseas sites #1835

Closed warcns closed 2 years ago

warcns commented 2 years ago

Hello, my network uses OpenWrt as a side router (a secondary gateway on the LAN). In testing, TUN mode does not work under either redir or fake-ip: once TUN is enabled there is no internet access at all, neither domestic nor overseas sites open, and the Clash dashboard shows no connection information. Could you help? The debug information follows. Many thanks!

2-11 05:44:22 level=info msg="DNS server listening at: 0.0.0.0:7874"
2021-12-11 05:44:22 level=info msg="Start initial compatible provider Ⓜ️ 微软服务"
2021-12-11 05:44:22 level=info msg="Start initial compatible provider 🎶 网易音乐"
2021-12-11 05:44:22 level=info msg="Start initial compatible provider 🕹 SONY PS"
2021-12-11 05:44:22 level=info msg="Start initial compatible provider 🎥 奈飞视频"
2021-12-11 05:36:13 level=warning msg="[TCP] dial 🎯 全球直连 (match GeoIP/CN) to p.conn.t002.ottcn.com:7512 error: dial tcp4 163.177.72.156:7512: i/o timeout"
2021-12-11 05:36:07 level=warning msg="[TCP] dial 🎯 全球直连 (match GeoIP/CN) to 125.39.240.55:443 error: dial tcp4 125.39.240.55:443: i/o timeout"
2021-12-11 05:36:07 level=warning msg="[TCP] dial 🎯 全球直连 (match GeoIP/CN) to 58.251.139.182:443 error: dial tcp4 58.251.139.182:443: i/o timeout"
2021-12-11 05:36:07 level=warning msg="[TCP] dial 🎯 全球直连 (match GeoIP/CN) to 125.39.240.55:443 error: dial tcp4 125.39.240.55:443: i/o timeout"
2021-12-11 05:36:07 level=warning msg="[TCP] dial 🎯 全球直连 (match GeoIP/CN) to 58.251.139.182:443 error: dial tcp4 58.251.139.182:443: i/o timeout"
2021-12-11 05:36:06 level=info msg="[TCP] 192.168.0.101:62153 --> gateway.fe.apple-dns.net:443 match Match() using 🐟 漏网之鱼[[Trojan] 🇭🇰 香港 AIA [South]]"
2021-12-11 05:36:06 level=warning msg="[TCP] dial 🎯 全球直连 (match GeoIP/CN) to p.conn.t002.ottcn.com:7512 error: dial tcp4 163.177.72.156:7512: i/o timeout"

2021-12-10 21:45:26 提示:开始预解析 Netflix 域名...
2021-12-10 21:44:26 OpenClash 启动成功,请等待服务器上线!
2021-12-10 21:44:26 第十步: 添加计划任务,启动进程守护程序...
2021-12-10 21:44:26 正在设置第二DNS服务器列表...
2021-12-10 21:44:25 第九步: 重启 Dnsmasq 程序...
2021-12-10 21:44:25 第八步: 设置防火墙规则...
2021-12-10 21:44:25 第七步: 设置控制面板...
2021-12-10 21:44:25 第六步: 等待主程序下载外部文件...
2021-12-10 21:44:22 第五步: 检查内核启动状态...
2021-12-10 21:44:22 提示: 检测到配置了 TUN 内核专属功能,调用 TUN 内核启动...
2021-12-10 21:44:22 第四步: 启动主程序...
2021-12-10 21:44:20 第三步: 修改配置文件...
2021-12-10 21:44:20 提示: 由于文件【 /etc/config/openclash 】被修改,暂停快速启动...
2021-12-10 21:44:20 第二步: 组件运行前检查...
2021-12-10 21:44:20 第一步: 获取配置...
2021-12-10 21:44:20 OpenClash 开始启动...
2021-12-10 21:44:20 第六步:删除 OpenClash 残留文件...
2021-12-10 21:44:20 第五步: 重启 Dnsmasq 程序...
2021-12-10 21:44:20 第四步: 关闭 Clash 主程序...
2021-12-10 21:44:20 第三步: 关闭 OpenClash 守护程序...
2021-12-10 21:44:19 第二步: 删除 OpenClash 防火墙规则...
2021-12-10 21:44:19 第一步: 备份当前策略组状态...
2021-12-10 21:44:19 OpenClash 开始关闭...
2021-12-10 21:37:12 提示:Disney Plus 域名预解析完成!
2021-12-10 21:37:07 提示:开始预解析 Disney Plus 域名...
2021-12-10 21:37:07 提示:Netflix 域名预解析完成!

warcns commented 2 years ago

OpenClash debug log

Generated: 2021-12-10 21:46:08
Plugin version: v0.44.03-beta
Privacy note: before uploading this log, check for and mask public IPs, nodes, passwords and other sensitive information

#===================== System information =====================#

Host model: Intel(R) Core(TM) i5-6600T CPU @ 2.70GHz : 4 Core 4 Thread
Firmware version: OpenWrt GDQ v8-1_[2020]
LuCI version: git-20.191.36863-eee6bae-1
Kernel version: 4.19.131
CPU architecture: x86_64

#If this has a value and you do not use IPv6, disable IPv6 DHCP under Network - Interfaces - lan
IPV6-DHCP: 

#This should list only the DNS listen address from the config file
Dnsmasq forwarding setting: 127.0.0.1#7874

#===================== Dependency check =====================#

dnsmasq-full: installed
coreutils: installed
coreutils-nohup: installed
bash: installed
curl: installed
ca-certificates: installed
ipset: installed
ip-full: installed
iptables-mod-tproxy: installed
kmod-ipt-tproxy: installed
iptables-mod-extra: installed
kmod-ipt-extra: installed
libcap: installed
libcap-bin: installed
ruby: installed
ruby-yaml: installed
ruby-psych: installed
ruby-pstore: installed
ruby-dbm: installed
kmod-tun (TUN mode): installed
luci-compat (Luci-19.07): installed

#===================== Core check =====================#

Running status: running
Process PID: 10561 6686
Run capabilities: 10561: =ep
6686: cap_dac_override,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_resource=eip
Run user: nobody
Selected architecture: linux-amd64

#If the core version is not shown below, check that your core version is correct and that the file is executable
Tun core version: 2021.12.07
Tun core file: present
Tun core run permission: normal

Dev core version: v1.8.0-7-g075d8ed
Dev core file: present
Dev core run permission: normal

#===================== Plugin settings =====================#

Current config file: /etc/openclash/config/DlerCloud-Paofu-Smart.yaml
Startup config file: /etc/openclash/DlerCloud-Paofu-Smart.yaml
Run mode: fake-ip-tun
Default proxy mode: rule
UDP traffic forwarding (tproxy): disabled
DNS hijack: enabled
Custom DNS: enabled
IPv6 proxy: disabled
IPv6 DNS resolution: enabled
Disable Dnsmasq cache: enabled
Custom rules: enabled
LAN only: disabled
Proxy only rule-matched traffic: disabled
Allow only common-port traffic: disabled
Bypass mainland China IPs: disabled

#If startup fails, try disabling this and retry
Mixed nodes: disabled
Keep config: disabled

#If startup fails, try disabling this and retry
Third-party rules: disabled

#===================== Custom rules 1 =====================#
script:
##  shortcuts:
##    quic: network == 'udp' and dst_port == 443 and (geoip(resolve_ip(host)) != 'CN' or geoip(dst_ip) != 'CN')
##    time-limit: in_cidr(src_ip,'192.168.1.2/32') and time.now().hour < 20 or time.now().hour > 21
##    time-limit: src_ip == '192.168.1.2' and time.now().hour < 20 or time.now().hour > 21

rules:
##- SCRIPT,quic,REJECT #shortcuts rule
##- SCRIPT,time-limit,REJECT #shortcuts rule

##- DOMAIN-SUFFIX,google.com,Proxy #match domain suffix (hand to the Proxy group)
##- DOMAIN-KEYWORD,google,Proxy #match domain keyword (hand to the Proxy group)
##- DOMAIN,google.com,Proxy #match exact domain (hand to the Proxy group)
##- DOMAIN-SUFFIX,ad.com,REJECT #match domain suffix (reject)
##- IP-CIDR,127.0.0.0/8,DIRECT #match destination IP (direct)
##- SRC-IP-CIDR,192.168.1.201/32,DIRECT #match source IP (direct)
##- DST-PORT,80,DIRECT #match destination port (direct)
##- SRC-PORT,7777,DIRECT #match source port (direct)

##Rules higher in the list take precedence; to enable one, remove the leading # from the rule:
##IP range 192.168.1.2-192.168.1.200: direct
- SRC-IP-CIDR,192.168.0.2/31,DIRECT
##- SRC-IP-CIDR,192.168.1.4/30,DIRECT
##- SRC-IP-CIDR,192.168.1.8/29,DIRECT
##- SRC-IP-CIDR,192.168.1.16/28,DIRECT
##- SRC-IP-CIDR,192.168.1.32/27,DIRECT
##- SRC-IP-CIDR,192.168.1.64/26,DIRECT
##- SRC-IP-CIDR,192.168.1.128/26,DIRECT
##- SRC-IP-CIDR,192.168.1.192/29,DIRECT
##- SRC-IP-CIDR,192.168.1.200/32,DIRECT

##IP range 192.168.1.202-192.168.1.255: direct
##- SRC-IP-CIDR,192.168.1.202/31,DIRECT
##- SRC-IP-CIDR,192.168.1.204/30,DIRECT
##- SRC-IP-CIDR,192.168.1.208/28,DIRECT
##- SRC-IP-CIDR,192.168.1.224/27,DIRECT

##With these, clients 192.168.1.1 and 192.168.1.201 go through the proxy (policy); all other clients bypass it
##In Fake-IP mode the router's own traffic (192.168.1.1) can also go through the proxy (policy), so it has to be excluded explicitly

##To make only the router itself direct:
##- SRC-IP-CIDR,192.168.1.1/32,DIRECT
##- SRC-IP-CIDR,198.18.0.1/32,DIRECT

##DDNS (IP lookup services should be direct so they report the real address)
##- DOMAIN-SUFFIX,checkip.dyndns.org,DIRECT
##- DOMAIN-SUFFIX,checkipv6.dyndns.org,DIRECT
##- DOMAIN-SUFFIX,checkip.synology.com,DIRECT
##- DOMAIN-SUFFIX,ifconfig.co,DIRECT
##- DOMAIN-SUFFIX,api.myip.com,DIRECT
##- DOMAIN-SUFFIX,ip-api.com,DIRECT
##- DOMAIN-SUFFIX,ipapi.co,DIRECT
##- DOMAIN-SUFFIX,ip6.seeip.org,DIRECT
##- DOMAIN-SUFFIX,members.3322.org,DIRECT

##Online IP range to CIDR converter: http://ip2cidr.com
#===================== Custom rules 2 =====================#
script:
##  shortcuts:
##    common_port: dst_port not in [21, 22, 23, 53, 80, 123, 143, 194, 443, 465, 587, 853, 993, 995, 998, 2052, 2053, 2082, 2083, 2086, 2095, 2096, 5222, 5228, 5229, 5230, 8080, 8443, 8880, 8888, 8889]

rules:
##- SCRIPT,common_port,DIRECT #shortcuts rule

##- DOMAIN-SUFFIX,google.com,Proxy #match domain suffix (hand to the Proxy group)
##- DOMAIN-KEYWORD,google,Proxy #match domain keyword (hand to the Proxy group)
##- DOMAIN,google.com,Proxy #match exact domain (hand to the Proxy group)
##- DOMAIN-SUFFIX,ad.com,REJECT #match domain suffix (reject)
##- IP-CIDR,127.0.0.0/8,DIRECT #match destination IP (direct)
##- SRC-IP-CIDR,192.168.1.201/32,DIRECT #match source IP (direct)
##- DST-PORT,80,DIRECT #match destination port (direct)
##- SRC-PORT,7777,DIRECT #match source port (direct)

#===================== Config file =====================#

port: 7890
socks-port: 7891
allow-lan: true
mode: rule
log-level: silent
external-controller: 0.0.0.0:9090

dns:
  nameserver:
  - 114.114.114.114
  - 119.29.29.29
  - https://doh.pub/dns-query
  - https://dns.alidns.com/dns-query
  fallback:
  - https://dns.cloudflare.com/dns-query
  - tls://8.8.8.8:853
  - https://public.dns.iij.jp/dns-query
  - https://jp.tiar.app/dns-query
  - https://jp.tiarap.org/dns-query
  - tls://dot.tiar.app
  enable: true
  ipv6: true
  enhanced-mode: fake-ip
  fake-ip-range: 198.18.0.1/16
  listen: 0.0.0.0:7874
  fake-ip-filter:
  - "*.lan"
  - "*.localdomain"
  - "*.example"
  - "*.invalid"
  - "*.localhost"
  - "*.test"
  - "*.local"
  - "*.home.arpa"
  - time.*.com
  - time.*.gov
  - time.*.edu.cn
  - time.*.apple.com
  - time1.*.com
  - time2.*.com
  - time3.*.com
  - time4.*.com
  - time5.*.com
  - time6.*.com
  - time7.*.com
  - ntp.*.com
  - ntp1.*.com
  - ntp2.*.com
  - ntp3.*.com
  - ntp4.*.com
  - ntp5.*.com
  - ntp6.*.com
  - ntp7.*.com
  - "*.time.edu.cn"
  - "*.ntp.org.cn"
  - "+.pool.ntp.org"
  - time1.cloud.tencent.com
  - music.163.com
  - "*.music.163.com"
  - "*.126.net"
  - musicapi.taihe.com
  - music.taihe.com
  - songsearch.kugou.com
  - trackercdn.kugou.com
  - "*.kuwo.cn"
  - api-jooxtt.sanook.com
  - api.joox.com
  - joox.com
  - y.qq.com
  - "*.y.qq.com"
  - streamoc.music.tc.qq.com
  - mobileoc.music.tc.qq.com
  - isure.stream.qqmusic.qq.com
  - dl.stream.qqmusic.qq.com
  - aqqmusic.tc.qq.com
  - amobile.music.tc.qq.com
  - "*.xiami.com"
  - "*.music.migu.cn"
  - music.migu.cn
  - "*.msftconnecttest.com"
  - "*.msftncsi.com"
  - msftconnecttest.com
  - msftncsi.com
  - localhost.ptlogin2.qq.com
  - localhost.sec.qq.com
  - "+.srv.nintendo.net"
  - "+.playstation.net"
  - "+.playstation.com"
  - ''
  - xbox.*.microsoft.com
  - xnotify.xboxlive.com
  - "+.battlenet.com.cn"
  - "+.wotgame.cn"
  - "+.wggames.cn"
  - "+.wowsgame.cn"
  - "+.wargaming.net"
  - proxy.golang.org
  - stun.*.*
  - stun.*.*.*
  - "+.stun.*.*"
  - "+.stun.*.*.*"
  - "+.stun.*.*.*.*"
  - heartbeat.belkin.com
  - "*.linksys.com"
  - "*.linksyssmartwifi.com"
  - "*.router.asus.com"
  - mesu.apple.com
  - swscan.apple.com
  - swquery.apple.com
  - swdownload.apple.com
  - swcdn.apple.com
  - swdist.apple.com
  - lens.l.google.com
  - stun.l.google.com
  - "+.nflxvideo.net"
  - "*.square-enix.com"
  - "*.finalfantasyxiv.com"
  - "*.ffxiv.com"
  - "*.mcdn.bilivideo.cn"
  - "+.media.dssott.com"
  default-nameserver:
  - 114.114.114.114
  - 119.29.29.29
redir-port: 7892
tproxy-port: 7895
mixed-port: 7893
bind-address: "*"
external-ui: "/usr/share/openclash/dashboard"
ipv6: false
tun:
  enable: true
  stack: system
  dns-hijack:
  - tcp://8.8.8.8:53
  - tcp://8.8.4.4:53
profile:
  store-selected: true
  store-fake-ip: false

#===================== Firewall settings =====================#

#IPv4 NAT chain

# Generated by iptables-save v1.8.4 on Fri Dec 10 21:46:09 2021
*nat
:PREROUTING ACCEPT [2824:357527]
:INPUT ACCEPT [1618:256634]
:OUTPUT ACCEPT [4221:296304]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -p tcp -m comment --comment "OpenClash TCP DNS Hijack" -m tcp --dport 53 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 53 -m comment --comment "DNS Hijack" -j REDIRECT --to-ports 53
-A PREROUTING -p udp -m udp --dport 53 -m comment --comment "DNS Hijack" -j REDIRECT --to-ports 53
-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_wan_prerouting
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_wan_postrouting
-A DOCKER -i docker0 -j RETURN
-A MINIUPNPD -p udp -m udp --dport 9308 -j DNAT --to-destination 192.168.0.102:9308
-A MINIUPNPD -p udp -m udp --dport 26487 -j DNAT --to-destination 192.168.0.100:26487
-A MINIUPNPD -p udp -m udp --dport 24086 -j DNAT --to-destination 192.168.0.100:24086
-A MINIUPNPD -p udp -m udp --dport 50645 -j DNAT --to-destination 192.168.0.220:30477
-A MINIUPNPD -p udp -m udp --dport 8567 -j DNAT --to-destination 192.168.0.199:8567
-A MINIUPNPD-POSTROUTING -s 192.168.0.220/32 -p udp -m udp --sport 30477 -j MASQUERADE --to-ports 50645
-A zone_lan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -j MINIUPNPD
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j FULLCONENAT
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -m comment --comment "!fw3" -j FULLCONENAT
COMMIT
# Completed on Fri Dec 10 21:46:09 2021

#IPv4 Mangle chain

# Generated by iptables-save v1.8.4 on Fri Dec 10 21:46:09 2021
*mangle
:PREROUTING ACCEPT [25529:3242200]
:INPUT ACCEPT [22185:3034338]
:FORWARD ACCEPT [3321:205766]
:OUTPUT ACCEPT [20283:2838253]
:POSTROUTING ACCEPT [23259:2992369]
:RRDIPT_FORWARD - [0:0]
:RRDIPT_INPUT - [0:0]
:RRDIPT_OUTPUT - [0:0]
:openclash - [0:0]
:openclash_dns_hijack - [0:0]
:openclash_output - [0:0]
-A PREROUTING -j openclash
-A INPUT -j RRDIPT_INPUT
-A FORWARD -j RRDIPT_FORWARD
-A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -j openclash_output
-A OUTPUT -j RRDIPT_OUTPUT
-A RRDIPT_FORWARD -s 192.168.0.1/32 -j RETURN
-A RRDIPT_FORWARD -d 192.168.0.1/32 -j RETURN
-A RRDIPT_INPUT -i eth0 -j RETURN
-A RRDIPT_OUTPUT -o eth0 -j RETURN
-A openclash -p udp -m udp --sport 1194 -j RETURN
-A openclash -p tcp -m tcp --sport 1194 -j RETURN
-A openclash -p tcp -m tcp --sport 1688 -j RETURN
-A openclash -p tcp -m tcp --sport 10240 -j RETURN
-A openclash -p udp -m udp --sport 4500 -j RETURN
-A openclash -p udp -m udp --sport 500 -j RETURN
-A openclash -p udp -m udp --sport 500 -j RETURN
-A openclash -p udp -m udp --sport 68 -j RETURN
-A openclash -m set --match-set localnetwork dst -j RETURN
-A openclash -j MARK --set-xmark 0x162/0xffffffff
-A openclash_output -p udp -m udp --sport 1194 -j RETURN
-A openclash_output -p tcp -m tcp --sport 1194 -j RETURN
-A openclash_output -p tcp -m tcp --sport 1688 -j RETURN
-A openclash_output -p tcp -m tcp --sport 10240 -j RETURN
-A openclash_output -p udp -m udp --sport 4500 -j RETURN
-A openclash_output -p udp -m udp --sport 500 -j RETURN
-A openclash_output -p udp -m udp --sport 500 -j RETURN
-A openclash_output -p udp -m udp --sport 68 -j RETURN
-A openclash_output -m set --match-set localnetwork dst -j RETURN
-A openclash_output -d 198.18.0.0/16 -m owner ! --uid-owner 65534 -j MARK --set-xmark 0x162/0xffffffff
-A openclash_output -p tcp -m owner ! --uid-owner 65534 -j MARK --set-xmark 0x162/0xffffffff
COMMIT
# Completed on Fri Dec 10 21:46:09 2021

#IPv6 NAT chain

# Generated by ip6tables-save v1.8.4 on Fri Dec 10 21:46:09 2021
*nat
:PREROUTING ACCEPT [35524:9499803]
:INPUT ACCEPT [35524:9499803]
:OUTPUT ACCEPT [37920:8694906]
:POSTROUTING ACCEPT [37920:8694906]
COMMIT
# Completed on Fri Dec 10 21:46:09 2021

#IPv6 Mangle chain

# Generated by ip6tables-save v1.8.4 on Fri Dec 10 21:46:09 2021
*mangle
:PREROUTING ACCEPT [1607364:452917504]
:INPUT ACCEPT [1607175:452903912]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [92985:67231622]
:POSTROUTING ACCEPT [93599:67293636]
-A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Fri Dec 10 21:46:09 2021

#===================== IPSET status =====================#

Name: cn
Name: ct
Name: cnc
Name: cmcc
Name: crtc
Name: cernet
Name: gwbn
Name: othernet
Name: china
Name: music
Name: mwan3_connected_v4
Name: mwan3_connected_v6
Name: mwan3_source_v6
Name: mwan3_dynamic_v4
Name: mwan3_dynamic_v6
Name: mwan3_custom_v4
Name: mwan3_custom_v6
Name: china_ip_route
Name: localnetwork
Name: mwan3_connected

#===================== Routing table status =====================#

#route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
198.18.0.0      0.0.0.0         255.255.0.0     U     0      0        0 utun
#ip route list
default via 192.168.0.1 dev eth1 proto static 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.2 
198.18.0.0/16 dev utun proto kernel scope link src 198.18.0.1 
#ip rule show
0:  from all lookup local
32765:  from all fwmark 0x162 lookup 354
32766:  from all lookup main
32767:  from all lookup default

#===================== Tun device status =====================#

utun: tun

#===================== Port usage status =====================#

tcp        0      0 198.18.0.1:7777         0.0.0.0:*               LISTEN      6686/clash
tcp        0      0 :::7890                 :::*                    LISTEN      6686/clash
tcp        0      0 :::7891                 :::*                    LISTEN      6686/clash
tcp        0      0 :::7892                 :::*                    LISTEN      6686/clash
tcp        0      0 :::7893                 :::*                    LISTEN      6686/clash
tcp        0      0 :::7895                 :::*                    LISTEN      6686/clash
tcp        0      0 :::9090                 :::*                    LISTEN      6686/clash
udp        0      0 198.18.0.1:7777         0.0.0.0:*                           6686/clash
udp        0      0 :::7874                 :::*                                6686/clash
udp        0      0 :::7891                 :::*                                6686/clash
udp        0      0 :::7892                 :::*                                6686/clash
udp        0      0 :::7893                 :::*                                6686/clash
udp        0      0 :::7895                 :::*                                6686/clash

#===================== Local DNS query test =====================#

Server:     127.0.0.1
Address:    127.0.0.1#53

Name:   www.baidu.com
Address: 198.18.0.2

#===================== resolv.conf.d =====================#

# Interface lan
nameserver 192.168.0.1

#===================== Local network connection test =====================#

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: keep-alive
Content-Length: 277
Content-Type: text/html
Date: Fri, 10 Dec 2021 13:46:10 GMT
Etag: "575e1f59-115"
Last-Modified: Mon, 13 Jun 2016 02:50:01 GMT
Pragma: no-cache
Server: bfe/1.0.8.18

#===================== Local network download test =====================#

HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 80
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "edb7bbdc24fe353e9d705caa4d82e5ea142d226e8e3f13d9a5326d512fb8cddf"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 5A0E:210C:B1D4:3AEAF:61B1863B
Accept-Ranges: bytes
Date: Fri, 10 Dec 2021 13:46:11 GMT
Via: 1.1 varnish
X-Served-By: cache-bur17534-BUR
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1639143971.907011,VS0,VE98
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
X-Fastly-Request-ID: 017c4bae0de5f61b369eac167048fc078ca00614
Expires: Fri, 10 Dec 2021 13:51:11 GMT
Source-Age: 0

#===================== Recent run log =====================#

2021-12-10 21:44:20 Step 2: Check The Components...
2021-12-10 21:44:20 Tip: Because of the file【 /etc/config/openclash 】modificated, Pause quick start...
2021-12-10 21:44:20 Step 3: Modify The Config File...
2021-12-10 21:44:22 Step 4: Start Running The Clash Core...
2021-12-10 21:44:22 Tip: Detected The Exclusive Function of The TUN Core, Use TUN Core to Start...
2021-12-10 21:44:22 Step 5: Check The Core Status...
time="2021-12-10T21:44:22+08:00" level=info msg="Start initial compatible provider 🎥 奈飞节点"
time="2021-12-10T21:44:22+08:00" level=info msg="Start initial compatible provider 🍏 苹果电视"
time="2021-12-10T21:44:22+08:00" level=info msg="Start initial compatible provider ⭐️ 收藏节点"
time="2021-12-10T21:44:22+08:00" level=info msg="Start initial compatible provider 🔮 负载均衡"
time="2021-12-10T21:44:22+08:00" level=info msg="Start initial compatible provider 🐟 漏网之鱼"
time="2021-12-10T21:44:22+08:00" level=info msg="Start initial compatible provider 🍃 应用净化"
time="2021-12-10T21:44:22+08:00" level=info msg="Start initial compatible provider Ⓜ️ 微软云盘"
time="2021-12-10T21:44:22+08:00" level=info msg="Start initial compatible provider 🎮 游戏平台"
time="2021-12-10T21:44:22+08:00" level=info msg="Start initial compatible provider 🇸🇬 狮城节点"
time="2021-12-10T21:44:22+08:00" level=info msg="Start initial compatible provider ♻️ 自动选择"
time="2021-12-10T21:44:22+08:00" level=info msg="Start initial compatible provider 🌏 出海媒体"
time="2021-12-10T21:44:22+08:00" level=info msg="Start initial compatible provider 📲 电报消息"
time="2021-12-10T21:44:22+08:00" level=info msg="Start initial compatible provider 📢 谷歌FCM"
time="2021-12-10T21:44:22+08:00" level=info msg="Start initial compatible provider 🚀 手动切换"
time="2021-12-10T21:44:22+08:00" level=info msg="Start initial compatible provider 🇯🇵 日本节点"
time="2021-12-10T21:44:22+08:00" level=info msg="Start initial compatible provider 🔯 故障转移"
time="2021-12-10T21:44:22+08:00" level=info msg="Start initial compatible provider 📹 油管视频"
time="2021-12-10T21:44:22+08:00" level=info msg="Start initial compatible provider 🎯 全球直连"
time="2021-12-10T21:44:22+08:00" level=info msg="Start initial compatible provider 🌥 自动选择 泡芙"
time="2021-12-10T21:44:22+08:00" level=info msg="Start initial compatible provider 🎮 游戏节点"
time="2021-12-10T21:44:22+08:00" level=info msg="Start initial compatible provider 🇨🇳 台湾节点"
time="2021-12-10T21:44:22+08:00" level=info msg="Start initial compatible provider 🇭🇰 香港节点"
time="2021-12-10T21:44:22+08:00" level=info msg="Start initial compatible provider ♻️ 自动选择 AIA"
time="2021-12-10T21:44:22+08:00" level=info msg="Start initial compatible provider 🇰🇷 韩国节点"
time="2021-12-10T21:44:22+08:00" level=info msg="Start initial compatible provider 🌏 国内媒体"
time="2021-12-10T21:44:22+08:00" level=info msg="Start initial compatible provider 🍎 苹果服务"
time="2021-12-10T21:44:22+08:00" level=info msg="Start initial compatible provider 🌍 国外媒体"
time="2021-12-10T21:44:22+08:00" level=info msg="Start initial compatible provider 🛑 广告拦截"
time="2021-12-10T21:44:22+08:00" level=info msg="Start initial compatible provider 📺 巴哈姆特"
time="2021-12-10T21:44:22+08:00" level=info msg="Start initial compatible provider 🇺🇲 美国节点"
time="2021-12-10T21:44:22+08:00" level=info msg="Start initial compatible provider 🚀 节点选择"
time="2021-12-10T21:44:22+08:00" level=info msg="Start initial compatible provider 🎥 奈飞视频"
time="2021-12-10T21:44:22+08:00" level=info msg="Start initial compatible provider 🕹 SONY PS"
time="2021-12-10T21:44:22+08:00" level=info msg="Start initial compatible provider 🎶 网易音乐"
time="2021-12-10T21:44:22+08:00" level=info msg="Start initial compatible provider Ⓜ️ 微软服务"
time="2021-12-10T21:44:22+08:00" level=info msg="DNS server listening at: 0.0.0.0:7874"
2021-12-10 21:44:25 Step 6: Wait For The File Downloading...
2021-12-10 21:44:25 Step 7: Set Control Panel...
2021-12-10 21:44:25 Step 8: Set Firewall Rules...
2021-12-10 21:44:25 Step 9: Restart Dnsmasq...
2021-12-10 21:44:26 Setting Secondary DNS Server List...
2021-12-10 21:44:26 Step 10: Add Cron Rules, Start Daemons...
2021-12-10 21:44:26 OpenClash Start Successful!
2021-12-10 21:45:26 Tip: Start Prefetch Netflix Domains...

#===================== Active connection information =====================#

vernesong commented 2 years ago

I don't see any problem. Only TUN fails? Test a connection on the debug log page and see whether you get a result.

warcns commented 2 years ago

I don't see any problem. Only TUN fails? Test a connection on the debug log page and see whether you get a result.

Yes, only TUN fails; as soon as I turn TUN on it is as if the network were unplugged. Testing a connection in TUN mode shows this:

No connection logs found!

  1. The plugin may not be running
  2. Caching may be making the browser access the site by IP address directly
  3. DNS may not have been hijacked successfully, so Clash cannot reverse-resolve the connection's domain name
  4. The address entered may be unresolvable or unreachable

Also, the dashboard shows no active connections at all and no error messages.

In addition, in TUN mode, with the network stack set to system the core log shows no errors at all, while with the stack set to gVisor the core debug log keeps reporting:

2021-12-11 09:13:31 level=warning msg="Can't create TCP Endpoint in ipstack: connection was refused"
2021-12-11 09:13:31 level=warning msg="Can't create TCP Endpoint in ipstack: connection was refused"
2021-12-11 09:13:31 level=warning msg="Can't create TCP Endpoint in ipstack: connection was refused"

warcns commented 2 years ago

Could it be a firewall configuration problem? I am running a side router and use only one LAN port. The firewall configuration is as follows:

[Screenshot 2021-12-11 1:25:54 AM: firewall configuration]

I also added the three custom firewall rules a side router needs:

iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -I POSTROUTING -j MASQUERADE

vernesong commented 2 years ago

Bind the interface to eth1, delete iptables -t nat -I POSTROUTING -j MASQUERADE, and test whether the router's own connection is normal.

warcns commented 2 years ago

Bind the interface to eth1, delete iptables -t nat -I POSTROUTING -j MASQUERADE, and test whether the router's own connection is normal.

Brilliant! Deleting that firewall line, iptables -t nat -I POSTROUTING -j MASQUERADE, fixed it! I can finally use fake-ip mixed mode...

Thank you so much!
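A quick check for the rule that caused this, added here as an example and not part of the thread or of OpenClash: it scans an `iptables-save -t nat` dump (a constructed sample modelled on the nat table in the debug log above) and flags any POSTROUTING MASQUERADE rule that carries no interface, source or destination match, which is exactly the `iptables -t nat -I POSTROUTING -j MASQUERADE` line whose removal fixed this issue. The function names and the sample dump are the example's own.

```shell
#!/bin/sh
# Added diagnostic, not part of OpenClash or of this thread's configuration.
# A "blanket" POSTROUTING MASQUERADE rule (no match expression at all) rewrites
# the source address of every forwarded packet, including traffic that Clash's
# TUN device hands back to the LAN, so a side router loses all connectivity.

# Constructed sample dump modelled on the nat table in the debug log above
# (only the lines relevant to the check are reproduced).
SAMPLE_NAT_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_wan_postrouting
COMMIT'

# Print each POSTROUTING MASQUERADE rule that has nothing between the chain
# name and the target. Exit status: 1 when at least one was found, 0 otherwise.
find_blanket_masquerade() {
    printf '%s\n' "$1" | awk '
        /^-A POSTROUTING / && /-j MASQUERADE/ {
            rule = $0
            sub(/^-A POSTROUTING */, "", rule)      # drop the chain prefix
            sub(/ *-j MASQUERADE.*$/, "", rule)     # drop the target and its options
            if (rule == "") { print $0; found = 1 }
        }
        END { exit found ? 1 : 0 }'
}

# Number of blanket MASQUERADE rules in a dump (0 means the table is clean).
count_blanket_masquerade() {
    find_blanket_masquerade "$1" | wc -l | tr -d ' '
}

# On a live OpenWrt box (root, iptables as in the thread) the same check is:
#   count_blanket_masquerade "$(iptables-save -t nat)"
if [ "$(count_blanket_masquerade "$SAMPLE_NAT_DUMP")" -gt 0 ]; then
    echo "blanket MASQUERADE rule present; on a side router remove it with:"
    echo "  iptables -t nat -D POSTROUTING -j MASQUERADE"
fi
```

The docker rule in the sample is deliberately left alone: it is scoped to the docker0 source network and is not the culprit. Only the unscoped rule is reported, matching the single line the maintainer asked to delete.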

elonj commented 2 years ago

Deleting that firewall line, iptables -t nat -I POSTROUTING -j MASQUERADE

After deleting the firewall line iptables -t nat -I POSTROUTING -j MASQUERADE, does the side router still work?

warcns commented 2 years ago

Deleting that firewall line, iptables -t nat -I POSTROUTING -j MASQUERADE

After deleting the firewall line iptables -t nat -I POSTROUTING -j MASQUERADE, does the side router still work?

It works; everything is normal.

lbwstco commented 2 years ago

Deleting that firewall line, iptables -t nat -I POSTROUTING -j MASQUERADE

After deleting the firewall line iptables -t nat -I POSTROUTING -j MASQUERADE, does the side router still work?

It works; everything is normal.

Deleting it causes one problem: port forwarding via DDNS no longer takes effect inside the LAN, so the domain name cannot be used to reach the service from the LAN.

mistertuangyuan commented 2 years ago

Thanks as well.

nevertoday commented 1 year ago

For me the LAN side works but the admin panel cannot be reached from outside, strange! It used to work; after these last few updates it has stopped completely. Strange!

vernesong commented 1 year ago

Put simply, when LAN traffic goes out it passes through Clash and gets NATed, so the addresses no longer match up and the connection fails; you can manually bypass the ports the LAN needs forwarded in the black/white list.

hpqqph commented 10 months ago

Put simply, when LAN traffic goes out it passes through Clash and gets NATed, so the addresses no longer match up and the connection fails; you can manually bypass the ports the LAN needs forwarded in the black/white list.

How exactly is that configured? For example, to bypass port 2345, where do I set it?