search

vernesong / OpenClash

A Clash Client For OpenWrt
MIT License
17.54k stars 3.18k forks source link

[Bug] [版本0.45.121-beta]121版本会导致内网Luci管理出现无法正常运作 #3371

Closed MoonBright closed 1 year ago

MoonBright commented 1 year ago

Verify Steps

OpenClash Version

v0.45.121-beta

Bug on Environment

Official OpenWrt

Bug on Platform

Linux-arm64

To Reproduce

  1. 使用OpenWRT版本22.03或22.05,使用了友善官方和Cooluc的两个固件版本;
  2. 升级到最新的客户端版本0.45.121版本;
  3. 出现内网Luci未返回数据,即内网无法管理的错误。

Describe the Bug

  1. 将软路由做旁路由,开启Openclash后,会导致内网luci无法访问,SSH也同样断链;
  2. 未开启OpenClash,且已经SSH连接,可以通过命令关闭OC,才能实现内网Luci页面的正常访问。
  3. 导致无法升级客户端。

OpenClash Log

OpenClash 调试日志

生成时间: 2023-06-29 22:35:04 插件版本: v0.45.121-beta

===================== 系统信息 =====================

主机型号: FriendlyElec NanoPi R5S 固件版本: OpenWrt 22.03.5 LuCI版本: 内核版本: 6.1.32 处理器架构: aarch64_generic

此项有值时,如不使用IPv6,建议到网络-接口-lan的设置中禁用IPV6的DHCP

IPV6-DHCP:

DNS劫持: Dnsmasq 转发

DNS劫持为Dnsmasq时,此项结果应仅有配置文件的DNS监听地址

Dnsmasq转发设置: 127.0.0.1#7874

===================== 依赖检查 =====================

dnsmasq-full: 已安装 coreutils: 已安装 coreutils-nohup: 已安装 bash: 已安装 curl: 已安装 ca-certificates: 已安装 ipset: 已安装 ip-full: 已安装 libcap: 已安装 libcap-bin: 已安装 ruby: 已安装 ruby-yaml: 已安装 ruby-psych: 已安装 ruby-pstore: 已安装 kmod-tun(TUN模式): 已安装 luci-compat(Luci >= 19.07): 已安装 kmod-inet-diag(PROCESS-NAME): 已安装 unzip: 已安装 kmod-nft-tproxy: 已安装

===================== 内核检查 =====================

运行状态: 运行中 运行内核:TUN 进程pid: 19678 运行权限: 19678: cap_dac_override,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_ptrace,cap_sys_resource=eip 运行用户: 已选择的架构: linux-arm64

下方无法显示内核版本号时请确认您的内核版本是否正确或者有无权限

Tun内核版本: 2023.04.16-20-g212da6a Tun内核文件: 存在 Tun内核运行权限: 正常

Dev内核版本: v1.15.1-7-g6eee226 Dev内核文件: 存在 Dev内核运行权限: 正常

Meta内核版本: alpha-g6b1a438 Meta内核文件: 存在 Meta内核运行权限: 正常

===================== 插件设置 =====================

当前配置文件: /etc/openclash/config/dogess.yaml 启动配置文件: /etc/openclash/dogess.yaml 运行模式: fake-ip 默认代理模式: rule UDP流量转发(tproxy): 启用 自定义DNS: 启用 IPV6代理: 停用 IPV6-DNS解析: 停用 禁用Dnsmasq缓存: 启用 自定义规则: 停用 仅允许内网: 启用 仅代理命中规则流量: 停用 仅允许常用端口流量: 停用 绕过中国大陆IP: 停用 路由本机代理: 启用

启动异常时建议关闭此项后重试

混合节点: 停用 保留配置: 停用

启动异常时建议关闭此项后重试

第三方规则: 停用

===================== 配置文件 =====================

port: 7890 socks-port: 7891 allow-lan: true mode: rule log-level: info external-controller: 0.0.0.0:9090 dns: enable: true ipv6: false listen: 0.0.0.0:7874 enhanced-mode: fake-ip default-nameserver:

redir-port: 7892 tproxy-port: 7895 mixed-port: 7893 bind-address: "*" external-ui: "/usr/share/openclash/ui" ipv6: false interface-name: br-lan experimental: sniff-tls-sni: true profile: store-selected: true authentication:

===================== 自定义覆写设置 =====================

!/bin/sh

. /usr/share/openclash/ruby.sh . /usr/share/openclash/log.sh . /lib/functions.sh

This script is called by /etc/init.d/openclash

Add your custom overwrite scripts here, they will be take effict after the OpenClash own srcipts

LOG_OUT "Tip: Start Running Custom Overwrite Scripts..." LOGTIME=$(echo $(date "+%Y-%m-%d %H:%M:%S")) LOG_FILE="/tmp/openclash.log" CONFIG_FILE="$1" #config path

Simple Demo:

#General Demo
#1--config path
#2--key name
#3--value
#ruby_edit "$CONFIG_FILE" "['redir-port']" "7892"
#ruby_edit "$CONFIG_FILE" "['secret']" "123456"
#ruby_edit "$CONFIG_FILE" "['dns']['enable']" "true"

#Hash Demo
#1--config path
#2--key name
#3--hash type value
#ruby_edit "$CONFIG_FILE" "['experimental']" "{'sniff-tls-sni'=>true}"
#ruby_edit "$CONFIG_FILE" "['sniffer']" "{'sniffing'=>['tls','http']}"

#Array Demo:
#1--config path
#2--key name
#3--position(start from 0, end with -1)
#4--value
#ruby_arr_insert "$CONFIG_FILE" "['dns']['nameserver']" "0" "114.114.114.114"

#Array Add From Yaml File Demo:
#1--config path
#2--key name
#3--position(start from 0, end with -1)
#4--value file path
#5--value key name in #4 file
#ruby_arr_add_file "$CONFIG_FILE" "['dns']['fallback-filter']['ipcidr']" "0" "/etc/openclash/custom/openclash_custom_fallback_filter.yaml" "['fallback-filter']['ipcidr']"

Ruby Script Demo:

#ruby -ryaml -rYAML -I "/usr/share/openclash" -E UTF-8 -e "
#   begin
#      Value = YAML.load_file('$CONFIG_FILE');
#   rescue Exception => e
#      puts '${LOGTIME} Error: Load File Failed,【' + e.message + '】';
#   end;

    #General
#   begin
#   Thread.new{
#      Value['redir-port']=7892;
#      Value['tproxy-port']=7895;
#      Value['port']=7890;
#      Value['socks-port']=7891;
#      Value['mixed-port']=7893;
#   }.join;

#   rescue Exception => e
#      puts '${LOGTIME} Error: Set General Failed,【' + e.message + '】';
#   ensure
#      File.open('$CONFIG_FILE','w') {|f| YAML.dump(Value, f)};
#   end" 2>/dev/null >> $LOG_FILE

exit 0

===================== 自定义防火墙设置 =====================

!/bin/sh

. /usr/share/openclash/log.sh . /lib/functions.sh

This script is called by /etc/init.d/openclash

Add your custom firewall rules here, they will be added after the end of the OpenClash iptables rules

LOG_OUT "Tip: Start Add Custom Firewall Rules..."

exit 0

===================== IPTABLES 防火墙设置 =====================

IPv4 NAT chain

Generated by iptables-save v1.8.7 on Thu Jun 29 22:35:11 2023

*nat :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :DOCKER - [0:0] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE -A DOCKER -i docker0 -j RETURN COMMIT

Completed on Thu Jun 29 22:35:11 2023

IPv4 Mangle chain

Generated by iptables-save v1.8.7 on Thu Jun 29 22:35:11 2023

*mangle :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] COMMIT

Completed on Thu Jun 29 22:35:11 2023

IPv4 Filter chain

Generated by iptables-save v1.8.7 on Thu Jun 29 22:35:11 2023

*filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :DOCKER - [0:0] :DOCKER-ISOLATION-STAGE-1 - [0:0] :DOCKER-ISOLATION-STAGE-2 - [0:0] :DOCKER-USER - [0:0] -A FORWARD -j DOCKER-USER -A FORWARD -j DOCKER-ISOLATION-STAGE-1 -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -o docker0 -j DOCKER -A FORWARD -i docker0 ! -o docker0 -j ACCEPT -A FORWARD -i docker0 -o docker0 -j ACCEPT -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2 -A DOCKER-ISOLATION-STAGE-1 -j RETURN -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP -A DOCKER-ISOLATION-STAGE-2 -j RETURN -A DOCKER-USER -j RETURN COMMIT

Completed on Thu Jun 29 22:35:11 2023

IPv6 NAT chain

Generated by ip6tables-save v1.8.7 on Thu Jun 29 22:35:11 2023

*nat :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] COMMIT

Completed on Thu Jun 29 22:35:11 2023

IPv6 Mangle chain

Generated by ip6tables-save v1.8.7 on Thu Jun 29 22:35:11 2023

*mangle :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] COMMIT

Completed on Thu Jun 29 22:35:11 2023

IPv6 Filter chain

Generated by ip6tables-save v1.8.7 on Thu Jun 29 22:35:11 2023

*filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] COMMIT

Completed on Thu Jun 29 22:35:11 2023

===================== NFTABLES 防火墙设置 =====================

table inet fw4 { chain input { type filter hook input priority filter; policy accept; udp dport 443 ip daddr != @china_ip_route counter packets 232 bytes 293256 reject with icmp port-unreachable comment "OpenClash QUIC REJECT" iifname "eth0" ip saddr != @localnetwork counter packets 0 bytes 0 jump openclash_wan_input iifname "lo" accept comment "!fw4: Accept traffic from loopback" ct state established,related accept comment "!fw4: Allow inbound established and related flows" iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic" iifname "eth0" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic" iifname "docker0" jump input_docker comment "!fw4: Handle docker IPv4/IPv6 input traffic" } } table inet fw4 { chain forward { type filter hook forward priority filter; policy accept; meta l4proto { tcp, udp } flow add @ft ct state established,related accept comment "!fw4: Allow forwarded established and related flows" iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic" iifname "eth0" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic" iifname "docker0" jump forward_docker comment "!fw4: Handle docker IPv4/IPv6 forward traffic" jump upnp_forward comment "Hook into miniupnpd forwarding chain" } } table inet fw4 { chain dstnat { type nat hook prerouting priority dstnat; policy accept; ip daddr { 8.8.4.4, 8.8.8.8 } tcp dport 53 counter packets 0 bytes 0 redirect to :7892 comment "OpenClash Google DNS Hijack" jump upnp_prerouting comment "Hook into miniupnpd prerouting chain" ip protocol tcp counter packets 478 bytes 25024 jump openclash } } table inet fw4 { chain srcnat { type nat hook postrouting priority srcnat; policy accept; oifname "br-lan" jump srcnat_lan comment "!fw4: Handle lan IPv4/IPv6 srcnat traffic" oifname "eth0" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic" jump upnp_postrouting comment "Hook into miniupnpd postrouting chain" } } table inet fw4 { chain nat_output { type nat hook output priority filter - 1; policy accept; ip protocol tcp counter packets 1694 bytes 101640 jump openclash_output } } table inet fw4 { chain mangle_prerouting { type filter hook prerouting priority mangle; policy accept; ip protocol udp counter packets 3106 bytes 739626 jump openclash_mangle } } table inet fw4 { chain mangle_output { type route hook output priority mangle; policy accept; } } table inet fw4 { chain openclash { meta nfproto ipv4 tcp sport 1688 counter packets 0 bytes 0 return ip daddr @localnetwork counter packets 0 bytes 0 return ip protocol tcp ip daddr 198.18.0.0/16 counter packets 182 bytes 9608 redirect to :7892 ip protocol tcp counter packets 296 bytes 15416 redirect to :7892 } } table inet fw4 { chain openclash_mangle { meta nfproto ipv4 udp sport 500 counter packets 0 bytes 0 return meta nfproto ipv4 udp sport 68 counter packets 0 bytes 0 return ip daddr @localnetwork counter packets 1294 bytes 149977 return udp dport 53 counter packets 172 bytes 10973 return meta l4proto udp ip daddr 198.18.0.0/16 meta mark set 0x00000162 tproxy ip to 127.0.0.1:7895 counter packets 248 bytes 277278 accept ip protocol udp counter packets 1392 bytes 301398 jump openclash_upnp meta l4proto udp meta mark set 0x00000162 tproxy ip to 127.0.0.1:7895 counter packets 1292 bytes 286170 accept } } table inet fw4 { chain openclash_output { meta nfproto ipv4 tcp sport 1688 counter packets 0 bytes 0 return ip daddr @localnetwork counter packets 106 bytes 6360 return ip protocol tcp ip daddr 198.18.0.0/16 meta skuid != 65534 counter packets 1 bytes 60 redirect to :7892 ip protocol tcp meta skuid != 65534 counter packets 277 bytes 16620 redirect to :7892 } } table inet fw4 { chain openclash_wan_input { udp dport { 7874, 7890, 7891, 7892, 7893, 7895, 9090 } counter packets 0 bytes 0 reject tcp dport { 7874, 7890, 7891, 7892, 7893, 7895, 9090 } counter packets 0 bytes 0 reject } }

===================== IPSET状态 =====================

===================== 路由表状态 =====================

IPv4

route -n

Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 192.168.2.101 0.0.0.0 UG 0 0 0 br-lan 172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0 192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan

ip route list

default via 192.168.2.101 dev br-lan proto static 172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 192.168.2.0/24 dev br-lan proto kernel scope link src 192.168.2.121

ip rule show

0: from all lookup local 32765: from all fwmark 0x162 lookup 354 32766: from all lookup main 32767: from all lookup default

===================== 端口占用状态 =====================

tcp 0 0 :::9090 ::: LISTEN 19678/clash tcp 0 0 :::7892 ::: LISTEN 19678/clash tcp 0 0 :::7893 ::: LISTEN 19678/clash tcp 0 0 :::7895 ::: LISTEN 19678/clash tcp 0 0 :::7890 ::: LISTEN 19678/clash tcp 0 0 :::7891 ::: LISTEN 19678/clash udp 0 0 :::42046 ::: 19678/clash udp 0 0 :::37954 ::: 19678/clash udp 0 0 :::56435 ::: 19678/clash udp 0 0 :::58510 ::: 19678/clash udp 0 0 :::44249 ::: 19678/clash udp 0 0 :::36102 ::: 19678/clash udp 0 0 :::44388 ::: 19678/clash udp 0 0 :::38257 ::: 19678/clash udp 0 0 :::58744 ::: 19678/clash udp 0 0 :::54650 ::: 19678/clash udp 0 0 :::58781 ::: 19678/clash udp 0 0 :::52740 ::: 19678/clash udp 0 0 :::40459 ::: 19678/clash udp 0 0 :::60940 ::: 19678/clash udp 0 0 :::40496 ::: 19678/clash udp 0 0 :::46665 ::: 19678/clash udp 0 0 :::7874 ::: 19678/clash udp 0 0 :::7891 ::: 19678/clash udp 0 0 :::7892 ::: 19678/clash udp 0 0 :::48853 ::: 19678/clash udp 0 0 :::7893 ::: 19678/clash udp 0 0 :::7895 ::: 19678/clash udp 0 0 :::36587 ::: 19678/clash udp 0 0 :::50975 ::: 19678/clash udp 0 0 :::50976 ::: 19678/clash udp 0 0 :::48991 ::: 19678/clash udp 0 0 :::42862 ::: 19678/clash udp 0 0 :::40855 ::: 19678/clash udp 0 0 :::49062 ::: 19678/clash udp 0 0 :::45025 ::: 19678/clash udp 0 0 :::36835 ::: 19678/clash udp 0 0 :::53227 ::: 19678/clash udp 0 0 :::34798 ::: 19678/clash udp 0 0 :::32782 ::: 19678/clash udp 0 0 :::32835 ::: 19678/clash udp 0 0 :::45147 ::: 19678/clash udp 0 0 :::53342 ::: 19678/clash udp 0 0 :::39007 ::: 19678/clash udp 0 0 :::32888 ::: 19678/clash udp 0 0 :::57582 ::: 19678/clash udp 0 0 :::51443 ::: 19678/clash udp 0 0 :::43322 ::: 19678/clash udp 0 0 :::47429 ::: 19678/clash udp 0 0 :::47439 ::: 19678/clash udp 0 0 :::49487 ::: 19678/clash udp 0 0 :::49501 ::: 19678/clash udp 0 0 :::45425 ::: 19678/clash udp 0 0 :::33143 ::: 19678/clash udp 0 0 :::53629 ::: 19678/clash udp 0 0 :::53701 ::: 19678/clash udp 0 0 :::47583 ::: 19678/clash udp 0 0 :::49677 ::: 19678/clash udp 0 0 :::49699 ::: 19678/clash udp 0 0 :::49706 ::: 19678/clash udp 0 0 :::37422 ::: 19678/clash udp 0 0 :::49736 ::: 19678/clash udp 0 0 :::49750 ::: 19678/clash udp 0 0 :::53879 ::: 19678/clash udp 0 0 :::35450 ::: 19678/clash udp 0 0 :::33483 ::: 19678/clash udp 0 0 :::43741 ::: 19678/clash udp 0 0 :::41761 ::: 19678/clash udp 0 0 :::47912 ::: 19678/clash udp 0 0 :::43869 ::: 19678/clash udp 0 0 :::43910 ::: 19678/clash udp 0 0 :::33681 ::: 19678/clash udp 0 0 :::35746 ::: 19678/clash udp 0 0 :::58298 ::: 19678/clash udp 0 0 :::41932 ::: 19678/clash udp 0 0 :::56297 ::: 19678/clash udp 0 0 :::48106 ::: 19678/clash udp 0 0 :::35859 ::: 19678/clash

===================== 测试本机DNS查询(www.baidu.com) =====================

Server: 127.0.0.1 Address: 127.0.0.1:53

Name: www.baidu.com Address: 198.18.0.69

===================== 测试内核DNS查询(www.instagram.com) =====================

Dnsmasq 当前默认 resolv 文件:/tmp/resolv.conf.d/resolv.conf.auto

===================== /tmp/resolv.conf.d/resolv.conf.auto =====================

Interface lan

nameserver 119.29.29.29 nameserver 8.8.8.8

OpenClash Config

No response

Expected Behavior

请解决在该情况下,导致的Luci内网无法访问的情况。

Screenshots

image

lurenJBD commented 1 year ago

image 是的我也遇到相似的状况,表现为,访问不了OpenWRT Web页面,SSH拒绝连接。但能Ping通ip

vernesong commented 1 year ago

暂时没法复现,看你的日志也挺正常的,是不是主题要联网导致的

lurenJBD commented 1 year ago

目前我的解决办法是降级luci-app-openclash的版本到112(121的上一个版本),然后一切正常。

使用的OpenWRT固件是KoolCenter的iStore 2022年06月版,此前一直都是正常使用openclash的,虽然121更新确实有一段时间了,但就是近期(2023年7月1日)开始遇到无法访问openwrt web页面和SSH,包括DNS查询。

固件里面只安装并运行了 ADG 和 OpenClash

vernesong commented 1 year ago

你先升级129

MoonBright commented 1 year ago

12

你先升级129

129升级后,在R5S上面还是会复现。https://r5s.cooluc.com/ 固件版本23.05 我刚升级就无法访问了

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days