Closed: magict4 closed this issue 1 year ago
UDP is already hijacked in the firewall.
Could you link the corresponding code? Is it this part? https://github.com/vernesong/OpenClash/blob/9ee0f02ed7615a62f960c9ee2f951dd1b47e2411/luci-app-openclash/root/etc/init.d/openclash#LL1779C111-L1779C135
Here is the debug log. After enabling fake-ip tun mode, 8.8.8.8:53 can be seen in the core log. Does this mean 8.8.8.8 was not successfully intercepted?
OpenClash 调试日志
生成时间: 2023-06-06 04:26:42 插件版本: v0.45.121-beta 隐私提示: 上传此日志前请注意检查、屏蔽公网IP、节点、密码等相关敏感信息
#===================== 系统信息 =====================#
主机型号: FriendlyElec NanoPi R4S
固件版本: OpenWrt 22.03.5 r20134-5f15225c1e
LuCI版本: git-23.093.42303-d58cd69
内核版本: 5.10.176
处理器架构: aarch64_generic
#此项有值时,如不使用IPv6,建议到网络-接口-lan的设置中禁用IPV6的DHCP
IPV6-DHCP: server
DNS劫持: Dnsmasq 转发
#DNS劫持为Dnsmasq时,此项结果应仅有配置文件的DNS监听地址
Dnsmasq转发设置: 127.0.0.1#7874
#===================== 依赖检查 =====================#
dnsmasq-full: 已安装
coreutils: 已安装
coreutils-nohup: 已安装
bash: 已安装
curl: 已安装
ca-certificates: 已安装
ipset: 已安装
ip-full: 已安装
libcap: 已安装
libcap-bin: 已安装
ruby: 已安装
ruby-yaml: 已安装
ruby-psych: 已安装
ruby-pstore: 已安装
kmod-tun(TUN模式): 已安装
luci-compat(Luci >= 19.07): 已安装
kmod-inet-diag(PROCESS-NAME): 已安装
unzip: 已安装
kmod-nft-tproxy: 已安装
#===================== 内核检查 =====================#
运行状态: 运行中
运行内核:TUN
进程pid: 10497
运行权限: 10497: cap_dac_override,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_ptrace,cap_sys_resource=eip
运行用户: nobody
已选择的架构: linux-arm64
#下方无法显示内核版本号时请确认您的内核版本是否正确或者有无权限
Tun内核版本: 2023.04.16-20-g212da6a
Tun内核文件: 存在
Tun内核运行权限: 正常
Dev内核版本: v1.15.1-17-g6ecd96e
Dev内核文件: 存在
Dev内核运行权限: 正常
Meta内核版本: alpha-g6b1a438
Meta内核文件: 存在
Meta内核运行权限: 正常
#===================== 插件设置 =====================#
当前配置文件: /etc/openclash/config/test.yaml
启动配置文件: /etc/openclash/test.yaml
运行模式: fake-ip-tun
默认代理模式: rule
UDP流量转发(tproxy): 启用
自定义DNS: 停用
IPV6代理: 停用
IPV6-DNS解析: 停用
禁用Dnsmasq缓存: 启用
自定义规则: 停用
仅允许内网: 启用
仅代理命中规则流量: 停用
仅允许常用端口流量: 停用
绕过中国大陆IP: 停用
路由本机代理: 启用
#启动异常时建议关闭此项后重试
混合节点: 停用
保留配置: 停用
#启动异常时建议关闭此项后重试
第三方规则: 停用
#===================== 配置文件 =====================#
port: 7890
socks-port: 7891
allow-lan: true
mode: rule
log-level: info
external-controller: 0.0.0.0:9090
dns:
enable: true
listen: 0.0.0.0:7874
enhanced-mode: fake-ip
fake-ip-range: 198.18.0.1/16
default-nameserver:
- 8.8.8.8
nameserver:
- 8.8.8.8
ipv6: false
proxy-groups:
- name: clash
type: select
proxies:
- node1
- node2
rules:
- DST-PORT,7895,REJECT
- DST-PORT,7892,REJECT
- IP-CIDR,198.18.0.1/16,REJECT,no-resolve
- DOMAIN-SUFFIX,gitv.tv,clash
- DOMAIN-SUFFIX,iqiyi.com,clash
- DOMAIN-SUFFIX,qy.net,clash
- DOMAIN-SUFFIX,qpic.cn,clash
- DOMAIN-SUFFIX,gtimg.cn,clash
- DOMAIN-SUFFIX,atianqi.com,clash
- DOMAIN-SUFFIX,cpatrk.net,clash
- DOMAIN-SUFFIX,tymcdn.com,clash
- GEOIP,CN,clash,no-resolve
- MATCH,DIRECT
redir-port: 7892
tproxy-port: 7895
mixed-port: 7893
bind-address: "*"
external-ui: "/usr/share/openclash/ui"
ipv6: false
experimental:
sniff-tls-sni: true
tun:
enable: true
stack: system
auto-route: false
auto-detect-interface: false
dns-hijack:
- tcp://any:53
profile:
store-selected: true
authentication:
- 省略
#===================== 自定义覆写设置 =====================#
#!/bin/sh
. /usr/share/openclash/ruby.sh
. /usr/share/openclash/log.sh
. /lib/functions.sh
# This script is called by /etc/init.d/openclash
# Add your custom overwrite scripts here, they will take effect after OpenClash's own scripts
LOG_OUT "Tip: Start Running Custom Overwrite Scripts..."
LOGTIME=$(echo $(date "+%Y-%m-%d %H:%M:%S"))
LOG_FILE="/tmp/openclash.log"
CONFIG_FILE="$1" #config path
#Simple Demo:
#General Demo
#1--config path
#2--key name
#3--value
#ruby_edit "$CONFIG_FILE" "['redir-port']" "7892"
#ruby_edit "$CONFIG_FILE" "['secret']" "123456"
#ruby_edit "$CONFIG_FILE" "['dns']['enable']" "true"
#Hash Demo
#1--config path
#2--key name
#3--hash type value
#ruby_edit "$CONFIG_FILE" "['experimental']" "{'sniff-tls-sni'=>true}"
#ruby_edit "$CONFIG_FILE" "['sniffer']" "{'sniffing'=>['tls','http']}"
#Array Demo:
#1--config path
#2--key name
#3--position(start from 0, end with -1)
#4--value
#ruby_arr_insert "$CONFIG_FILE" "['dns']['nameserver']" "0" "114.114.114.114"
#Array Add From Yaml File Demo:
#1--config path
#2--key name
#3--position(start from 0, end with -1)
#4--value file path
#5--value key name in #4 file
#ruby_arr_add_file "$CONFIG_FILE" "['dns']['fallback-filter']['ipcidr']" "0" "/etc/openclash/custom/openclash_custom_fallback_filter.yaml" "['fallback-filter']['ipcidr']"
#Ruby Script Demo:
#ruby -ryaml -rYAML -I "/usr/share/openclash" -E UTF-8 -e "
# begin
# Value = YAML.load_file('$CONFIG_FILE');
# rescue Exception => e
# puts '${LOGTIME} Error: Load File Failed,【' + e.message + '】';
# end;
#General
# begin
# Thread.new{
# Value['redir-port']=7892;
# Value['tproxy-port']=7895;
# Value['port']=7890;
# Value['socks-port']=7891;
# Value['mixed-port']=7893;
# }.join;
# rescue Exception => e
# puts '${LOGTIME} Error: Set General Failed,【' + e.message + '】';
# ensure
# File.open('$CONFIG_FILE','w') {|f| YAML.dump(Value, f)};
# end" 2>/dev/null >> $LOG_FILE
exit 0
#===================== 自定义防火墙设置 =====================#
#!/bin/sh
. /usr/share/openclash/log.sh
. /lib/functions.sh
# This script is called by /etc/init.d/openclash
# Add your custom firewall rules here, they will be added after the end of the OpenClash iptables rules
LOG_OUT "Tip: Start Add Custom Firewall Rules..."
exit 0
#===================== IPTABLES 防火墙设置 =====================#
#IPv4 NAT chain
#IPv4 Mangle chain
#IPv4 Filter chain
#IPv6 NAT chain
#IPv6 Mangle chain
#IPv6 Filter chain
#===================== NFTABLES 防火墙设置 =====================#
table inet fw4 {
chain input {
type filter hook input priority filter; policy accept;
iifname "eth0" ip saddr != @localnetwork counter packets 0 bytes 0 jump openclash_wan_input
iifname "lo" accept comment "!fw4: Accept traffic from loopback"
ct state established,related accept comment "!fw4: Allow inbound established and related flows"
tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
iifname "eth0" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
}
}
table inet fw4 {
chain forward {
type filter hook forward priority filter; policy drop;
oifname "utun" udp dport 443 ip daddr != @china_ip_route counter packets 0 bytes 0 reject with icmp port-unreachable comment "OpenClash QUIC REJECT"
meta l4proto { tcp, udp } oifname "utun" counter packets 13657 bytes 3708672 accept comment "OpenClash TUN Forward"
ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
iifname "eth0" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
jump handle_reject
}
}
table inet fw4 {
chain dstnat {
type nat hook prerouting priority dstnat; policy accept;
meta nfproto ipv4 tcp dport 53 counter packets 0 bytes 0 accept comment "OpenClash TCP DNS Hijack"
}
}
table inet fw4 {
chain srcnat {
type nat hook postrouting priority srcnat; policy accept;
oifname "eth0" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
}
}
table inet fw4 {
chain nat_output {
type nat hook output priority filter - 1; policy accept;
}
}
table inet fw4 {
chain mangle_prerouting {
type filter hook prerouting priority mangle; policy accept;
meta l4proto { tcp, udp } counter packets 141814 bytes 48919435 jump openclash_mangle
}
}
table inet fw4 {
chain mangle_output {
type route hook output priority mangle; policy accept;
meta l4proto { tcp, udp } counter packets 53924 bytes 17240938 jump openclash_mangle_output
}
}
table inet fw4 {
chain openclash_mangle {
meta nfproto ipv4 udp sport 500 counter packets 0 bytes 0 return
meta nfproto ipv4 udp sport 68 counter packets 4 bytes 1320 return
meta l4proto { tcp, udp } iifname "utun" counter packets 29192 bytes 12633582 return
ip daddr @localnetwork counter packets 96153 bytes 31311246 return
ip protocol udp counter packets 630 bytes 42786 jump openclash_upnp
meta l4proto { tcp, udp } th dport 0-65535 meta mark set 0x00000162 counter packets 16615 bytes 5127109
}
}
table inet fw4 {
chain openclash_mangle_output {
meta nfproto ipv4 udp sport 500 counter packets 0 bytes 0 return
meta nfproto ipv4 udp sport 68 counter packets 0 bytes 0 return
ip daddr @localnetwork counter packets 32266 bytes 5007868 return
meta l4proto { tcp, udp } th dport 0-65535 ip daddr 198.18.0.0/16 meta mark set 0x00000162 counter packets 11138 bytes 8543248
tcp dport 0-65535 meta skuid != 65534 meta mark set 0x00000162 counter packets 49 bytes 4698
}
}
table inet fw4 {
chain openclash_wan_input {
udp dport { 7874, 7890, 7891, 7892, 7893, 7895, 9090 } counter packets 0 bytes 0 reject
tcp dport { 7874, 7890, 7891, 7892, 7893, 7895, 9090 } counter packets 0 bytes 0 reject
}
}
table inet fw4 {
chain openclash_dns_hijack {
}
}
#===================== IPSET状态 =====================#
#===================== 路由表状态 =====================#
#IPv4
#route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.4.1 0.0.0.0 UG 0 0 0 br-lan
192.168.4.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
198.18.0.0 0.0.0.0 255.255.0.0 U 0 0 0 utun
#ip route list
default via 192.168.4.1 dev br-lan proto static
192.168.4.0/24 dev br-lan proto kernel scope link src 192.168.4.2
198.18.0.0/16 dev utun proto kernel scope link src 198.18.0.1
#ip rule show
0: from all lookup local
32765: from all fwmark 0x162 lookup 354
32766: from all lookup main
32767: from all lookup default
#IPv6
#route -A inet6
Kernel IPv6 routing table
Destination Next Hop Flags Metric Ref Use Iface
fdad:ee5c:5ccc::/48 :: !n 2147483647 2 0 lo
fe80::/64 :: U 256 7 0 br-lan
fe80::/64 :: U 256 1 0 utun
::/0 :: !n -1 1 0 lo
::1/128 :: Un 0 8 0 lo
fe80::/128 :: Un 0 4 0 br-lan
fe80::/128 :: Un 0 3 0 utun
fe80::8034:28ff:fe78:ccf4/128 :: Un 0 4 0 br-lan
fe80::beca:13a7:9bce:bbc5/128 :: Un 0 2 0 utun
ff00::/8 :: U 256 7 0 br-lan
ff00::/8 :: U 256 1 0 utun
::/0 :: !n -1 1 0 lo
#ip -6 route list
unreachable fdad:ee5c:5ccc::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev utun proto kernel metric 256 pref medium
#ip -6 rule show
0: from all lookup local
32766: from all lookup main
#===================== Tun设备状态 =====================#
utun: tun pi multi_queue filter
#===================== 端口占用状态 =====================#
tcp 0 0 198.18.0.1:7777 0.0.0.0:* LISTEN 10497/clash
tcp 0 0 :::7890 :::* LISTEN 10497/clash
tcp 0 0 :::7891 :::* LISTEN 10497/clash
tcp 0 0 :::7892 :::* LISTEN 10497/clash
tcp 0 0 :::7893 :::* LISTEN 10497/clash
tcp 0 0 :::7895 :::* LISTEN 10497/clash
tcp 0 0 :::9090 :::* LISTEN 10497/clash
udp 0 0 :::52487 :::* 10497/clash
...省略
#===================== 测试本机DNS查询(www.baidu.com) =====================#
Server: 127.0.0.1
Address: 127.0.0.1:53
Name: www.baidu.com
Address: 198.18.0.6
#===================== 测试内核DNS查询(www.instagram.com) =====================#
Status: 0
TC: false
RD: true
RA: true
AD: false
CD: false
Question:
Name: www.instagram.com.
Qtype: 1
Qclass: 1
Answer:
TTL: 1
data: geo-p42.instagram.com.
name: www.instagram.com.
type: 5
TTL: 1
data: z-p42-instagram.c10r.instagram.com.
name: geo-p42.instagram.com.
type: 5
TTL: 1
data: 157.240.3.174
name: z-p42-instagram.c10r.instagram.com.
type: 1
Dnsmasq 当前默认 resolv 文件:/tmp/resolv.conf.d/resolv.conf.auto
#===================== /tmp/resolv.conf.d/resolv.conf.auto =====================#
# Interface lan
nameserver 119.29.29.29
nameserver 8.8.8.8
#===================== 测试本机网络连接(www.baidu.com) =====================#
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: keep-alive
Content-Length: 277
Content-Type: text/html
Date: Tue, 06 Jun 2023 04:26:47 GMT
Etag: "575e1f6f-115"
Last-Modified: Mon, 13 Jun 2016 02:50:23 GMT
Pragma: no-cache
Server: bfe/1.0.8.18
#===================== 测试本机网络下载(raw.githubusercontent.com) =====================#
HTTP/2 200
cache-control: max-age=300
content-security-policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
content-type: text/plain; charset=utf-8
etag: "20367810d6b16552859ed1f051bfbd4e18233617a5eb4443364fd2b5d49bb469"
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
x-frame-options: deny
x-xss-protection: 1; mode=block
x-github-request-id: 66A8:3F6B:137F6C6:1717173:647E8030
accept-ranges: bytes
date: Tue, 06 Jun 2023 04:26:47 GMT
via: 1.1 varnish
x-served-by: cache-bfi-krnt7300119-BFI
x-cache: HIT
x-cache-hits: 1
x-timer: S1686025607.341830,VS0,VE131
vary: Authorization,Accept-Encoding,Origin
access-control-allow-origin: *
x-fastly-request-id: 13e4d151b45114524e573f4e02a606d084ad51ba
expires: Tue, 06 Jun 2023 04:31:47 GMT
source-age: 0
content-length: 83
#===================== 最近运行日志(自动切换为Debug模式) =====================#
04:26:31 INF [TCP] connected lAddr=192.168.4.88:54948 rAddr=esdk.tymcdn.com:443 mode=rule rule=DomainSuffix(tymcdn.com) proxy=clash[node1]
04:26:31 INF [TCP] connected lAddr=192.168.4.88:60546 rAddr=8.25.82.227:80 mode=rule rule=Match() proxy=DIRECT
04:26:31 INF [UDP] connected lAddr=192.168.4.88:62089 rAddr=8.8.8.8:53 mode=rule rule=Match() proxy=DIRECT
04:26:31 INF [TCP] connected lAddr=192.168.4.88:35242 rAddr=222.73.33.241:80 mode=rule rule=GeoIP(CN) proxy=clash[node1]
04:26:32 INF [TCP] connected lAddr=192.168.4.88:38906 rAddr=163.181.66.209:80 mode=rule rule=Match() proxy=DIRECT
...省略
#===================== 最近运行日志获取完成(自动切换为silent模式) =====================#
#===================== 活动连接信息 =====================#
1. SourceIP:【192.168.4.88】 - Host:【api.amazon.com】 - DestinationIP:【52.46.131.169】 - Network:【tcp】 - RulePayload:【】 - Lastchain:【DIRECT】
2. SourceIP:【192.168.4.88】 - Host:【Empty】 - DestinationIP:【8.8.8.8】 - Network:【udp】 - RulePayload:【】 - Lastchain:【DIRECT】
3. SourceIP:【192.168.4.88】 - Host:【Empty】 - DestinationIP:【163.181.66.209】 - Network:【tcp】 - RulePayload:【】 - Lastchain:【DIRECT】
... 省略
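To make the question in the comment above checkable, here is an added example (not from the issue or from the OpenClash project) that scans Clash core log lines in the format shown in the debug log for flows to port 53 that the rule engine handled as ordinary connections: a hijacked query is answered by the core's own resolver and never appears as a `connected` flow to `<ip>:53`, so a `[UDP] connected ... rAddr=8.8.8.8:53 ... proxy=DIRECT` line is a query that passed through the TUN unhijacked. The sample log lines are constructed.

```ruby
# Added example: inspect Clash core log lines (layout as in the OpenClash debug log)
# for DNS flows that reached the rule engine. A hijacked query is answered by the
# core's resolver and never shows up as a "connected" flow to <ip>:53, so any
# "[UDP] connected ... rAddr=8.8.8.8:53 ... proxy=DIRECT" line went through unhijacked.

# Constructed sample lines (same layout as the log excerpt above).
SAMPLE_LOG = <<~LOG
  04:26:31 INF [TCP] connected lAddr=192.168.4.88:54948 rAddr=esdk.tymcdn.com:443 mode=rule rule=DomainSuffix(tymcdn.com) proxy=clash[node1]
  04:26:31 INF [UDP] connected lAddr=192.168.4.88:62089 rAddr=8.8.8.8:53 mode=rule rule=Match() proxy=DIRECT
  04:26:31 INF [TCP] connected lAddr=192.168.4.88:35242 rAddr=222.73.33.241:80 mode=rule rule=GeoIP(CN) proxy=clash[node1]
  04:26:32 INF [UDP] connected lAddr=192.168.4.10:40012 rAddr=1.1.1.1:53 mode=rule rule=Match() proxy=DIRECT
  some unrelated line that does not parse
LOG

# One "connected" line: time, level, [proto], lAddr, rAddr (host:port), mode, rule, proxy.
LINE_RE = /\A(?<time>\S+)\s+\w+\s+\[(?<proto>TCP|UDP)\]\s+connected\s+
           lAddr=(?<laddr>\S+)\s+rAddr=(?<rhost>\S+):(?<rport>\d+)\s+
           mode=\S+\s+rule=(?<rule>\S+)\s+proxy=(?<proxy>\S+)/x

# Returns a hash for a connection line, or nil for anything else.
def parse_line(line)
  m = LINE_RE.match(line.strip)
  return nil unless m
  { time: m[:time], proto: m[:proto], laddr: m[:laddr], rhost: m[:rhost],
    rport: m[:rport].to_i, rule: m[:rule], proxy: m[:proxy] }
end

# Flows to the DNS port that the core handled as ordinary connections.
def unhijacked_dns_flows(log, port: 53)
  log.each_line.filter_map { |l| parse_line(l) }.select { |f| f[:rport] == port }
end

# Human-readable summary, one line per unhijacked DNS flow.
def report(log)
  unhijacked_dns_flows(log).map do |f|
    "#{f[:proto]} #{f[:laddr]} -> #{f[:rhost]}:#{f[:rport]} via #{f[:proxy]} (#{f[:rule]})"
  end
end

puts report(SAMPLE_LOG) if $PROGRAM_NAME == __FILE__
```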
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days
Is there a download for the latest TUN core file? Please!
Verify Steps
Describe the Feature
Current behavior: after switching OpenClash's Running Mode to Tun mode through the LuCI UI, if the user's config file has no Tun-related configuration, OpenClash automatically adds dns-hijack = 'tcp://any:53'.
Suggested behavior: change the default added value to dns-hijack = 'any:53' to hijack TCP/UDP traffic, instead of only TCP traffic.
Reason: most DNS requests still go over UDP. It would be better if the default value covered most cases.
Use case: many Android devices now set the system's default DNS to 8.8.8.8. Some devices do not let the user change the DNS, such as Chromecast. Some allow it but give 8.8.8.8 higher priority, for example Fire TV. To hijack DNS requests to 8.8.8.8, OpenClash's TUN mode has to be enabled on the soft router. But the current default TUN mode only hijacks TCP DNS requests, while Android devices mostly send DNS requests over UDP, so those DNS requests are not intercepted by the default OpenClash Tun mode.
Describe the Solution
Possibly related code: https://github.com/vernesong/OpenClash/blob/9ee0f02ed7615a62f960c9ee2f951dd1b47e2411/luci-app-openclash/root/usr/share/openclash/yml_change.sh#L481
Describe Alternatives
Users can modify dns-hijack in the config file themselves to hijack DNS UDP requests, but this requires some understanding of how clash and OpenClash work and are configured.
Additional Context
No response
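The alternative described above (editing dns-hijack in the config yourself) as an added example, not code from the issue or from OpenClash: a Ruby check in the style of the overwrite-script Ruby demo in the debug log that tests whether a config's tun.dns-hijack list covers UDP port 53 and appends an entry if not. It assumes Clash's TUN listener semantics, where a scheme-less entry such as any:53 (or udp://...) hijacks UDP and tcp://any:53 hijacks TCP only, so keeping both forms covers both protocols; the config fragment is constructed.

```ruby
require 'yaml'

# Added example (not OpenClash code): check and repair the tun.dns-hijack list the
# way the overwrite-script Ruby demo edits the config. Assumption: as in Clash's TUN
# listener, a scheme-less entry such as "any:53" hijacks UDP, "udp://..." is UDP,
# and "tcp://any:53" hijacks TCP only, so both forms are needed for both protocols.

# Constructed config fragment in the shape OpenClash writes for fake-ip-tun mode.
SAMPLE_CONFIG = <<~YAML
  dns:
    enable: true
    listen: 0.0.0.0:7874
    enhanced-mode: fake-ip
  tun:
    enable: true
    stack: system
    dns-hijack:
      - tcp://any:53
YAML

# Split "proto://host:port" into [proto, "host:port"]; no scheme means UDP here.
def split_hijack_entry(entry)
  entry.include?('://') ? entry.split('://', 2) : ['udp', entry]
end

# True when at least one entry hijacks UDP on port 53.
def udp_dns_hijacked?(config)
  Array(config.dig('tun', 'dns-hijack')).any? do |e|
    proto, addr = split_hijack_entry(e)
    proto == 'udp' && addr.end_with?(':53')
  end
end

# Keep the existing entries (e.g. OpenClash's default tcp://any:53) and add
# "any:53" only when UDP port 53 is not yet covered. Idempotent.
def ensure_udp_dns_hijack(config)
  tun = (config['tun'] ||= {})
  entries = Array(tun['dns-hijack']).dup
  entries << 'any:53' unless udp_dns_hijacked?(config)
  tun['dns-hijack'] = entries.uniq
  config
end

# Same operation on YAML text, as the overwrite script would apply it to $CONFIG_FILE.
def fix_config_text(yaml_text)
  YAML.dump(ensure_udp_dns_hijack(YAML.safe_load(yaml_text)))
end
```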