vernesong / OpenClash

A Clash Client For OpenWrt
MIT License
17.36k stars 3.17k forks source link

[Bug] 证书错误(Meta) #4118

Open scegg opened 2 weeks ago

scegg commented 2 weeks ago

Verify Steps

OpenClash Version

v0.46.033-256

Bug on Environment

Other

OpenWrt Version

6.6.48

Bug on Platform

Linux-amd64(x86-64)

Describe the Bug

现象:访问某些不特定的网站时会提示证书错误,证书是其他网站的证书。重启openclash可修复,等待一段时间又会出现。 模式:Meta(redir),不支持FakeIP DNS:试用了mosdns和clash的内部dns均是如此。 IPv6:我的网络不支持IPv6;配置文件中IPv6为false;插件设置中IPv6两个选项均未勾选。

To Reproduce

开启openclash,等待一段时间后,浏览器访问网站(facebook/youtube/google/wikipedia等)

OpenClash Log

OpenClash 调试日志

生成时间: 2024-10-14 15:24:48
插件版本: v0.46.033-256
隐私提示: 上传此日志前请注意检查、屏蔽公网IP、节点、密码等相关敏感信息

#===================== 系统信息 =====================#

主机型号: Techvision TVI7309X
固件版本: Kwrt 23.05-SNAPSHOT 09.05.2024
LuCI版本: 
内核版本: 6.6.48
处理器架构: x86_64

#此项有值时,如不使用IPv6,建议到网络-接口-lan的设置中禁用IPV6的DHCP
IPV6-DHCP: hybrid

DNS劫持: 停用
#DNS劫持为Dnsmasq时,此项结果应仅有配置文件的DNS监听地址
Dnsmasq转发设置: 127.0.0.1#5335

#===================== 依赖检查 =====================#

dnsmasq-full: 已安装
coreutils: 已安装
coreutils-nohup: 已安装
bash: 已安装
curl: 已安装
ca-certificates: 已安装
ipset: 已安装
ip-full: 已安装
libcap: 已安装
libcap-bin: 已安装
ruby: 已安装
ruby-yaml: 已安装
ruby-psych: 已安装
ruby-pstore: 已安装
kmod-tun(TUN模式): 已安装
luci-compat(Luci >= 19.07): 已安装
kmod-inet-diag(PROCESS-NAME): 已安装
unzip: 已安装
kmod-nft-tproxy: 已安装

#===================== 内核检查 =====================#

运行状态: 运行中
运行内核:Meta
进程pid: 15074
运行权限: 15074: cap_dac_override,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_ptrace,cap_sys_admin,cap_sys_resource=eip
运行用户: nobody
已选择的架构: linux-amd64

#下方无法显示内核版本号时请确认您的内核版本是否正确或者有无权限

Meta内核版本: alpha-g59a2b24
Meta内核文件: 存在
Meta内核运行权限: 正常

#===================== 插件设置 =====================#

当前配置文件: /etc/openclash/config/WithSelfDNS.yaml
启动配置文件: /etc/openclash/WithSelfDNS.yaml
运行模式: redir-host-mix
默认代理模式: rule
UDP流量转发(tproxy): 停用
自定义DNS: 停用
IPV6代理: 停用
IPV6-DNS解析: 停用
禁用Dnsmasq缓存: 停用
自定义规则: 启用
仅允许内网: 启用
仅代理命中规则流量: 停用
仅允许常用端口流量: 停用
绕过中国大陆IP: 启用
路由本机代理: 启用

#启动异常时建议关闭此项后重试
混合节点: 停用
保留配置: 停用

#启动异常时建议关闭此项后重试
第三方规则: 停用

#===================== 自定义规则 一 =====================#
script:
##  shortcuts:
##    Notice: The core timezone is UTC
##    CST 20:00-24:00 = time.now().hour > 12 and time.now().hour < 16
##    内核时区为UTC,故以下time.now()函数的取值需要根据本地时区进行转换
##    北京时间(CST) 20:00-24:00 = time.now().hour > 12 and time.now().hour < 16
##    quic: network == 'udp' and dst_port == 443 and (geoip(resolve_ip(host)) != 'CN' or geoip(dst_ip) != 'CN')
##    time-limit: in_cidr(src_ip,'192.168.1.2/32') and time.now().hour < 20 or time.now().hour > 21
##    time-limit: src_ip == '192.168.1.2' and time.now().hour < 20 or time.now().hour > 21

##  code: |
##    def main(ctx, metadata):
##        directkeywordlist = ["baidu"]
##        for directkeyword in directkeywordlist:
##          if directkeyword in metadata["host"]:
##            ctx.log('[Script] matched keyword %s use direct' % directkeyword)
##            return "DIRECT"

rules:
- PROCESS-NAME,tailscaled,DIRECT
- PROCESS-NAME,zerotier-one,DIRECT
##- SCRIPT,quic,REJECT #shortcuts rule
##- SCRIPT,time-limit,REJECT #shortcuts rule

##- PROCESS-NAME,curl,DIRECT #匹配路由自身进程(curl直连)
##- DOMAIN-SUFFIX,google.com,Proxy #匹配域名后缀(交由Proxy代理服务器组)
##- DOMAIN-KEYWORD,google,Proxy #匹配域名关键字(交由Proxy代理服务器组)
##- DOMAIN,google.com,Proxy #匹配域名(交由Proxy代理服务器组)
##- DOMAIN-SUFFIX,ad.com,REJECT #匹配域名后缀(拒绝)
##- IP-CIDR,127.0.0.0/8,DIRECT #匹配数据目标IP(直连)
##- SRC-IP-CIDR,192.168.1.201/32,DIRECT #匹配数据发起IP(直连)
##- DST-PORT,80,DIRECT #匹配数据目标端口(直连)
##- SRC-PORT,7777,DIRECT #匹配数据源端口(直连)

##排序在上的规则优先生效,如添加(去除规则前的#号):
##IP段:192.168.1.2-192.168.1.200 直连
##- SRC-IP-CIDR,192.168.1.2/31,DIRECT
##- SRC-IP-CIDR,192.168.1.4/30,DIRECT
##- SRC-IP-CIDR,192.168.1.8/29,DIRECT
##- SRC-IP-CIDR,192.168.1.16/28,DIRECT
##- SRC-IP-CIDR,192.168.1.32/27,DIRECT
##- SRC-IP-CIDR,192.168.1.64/26,DIRECT
##- SRC-IP-CIDR,192.168.1.128/26,DIRECT
##- SRC-IP-CIDR,192.168.1.192/29,DIRECT
##- SRC-IP-CIDR,192.168.1.200/32,DIRECT

##IP段:192.168.1.202-192.168.1.255 直连
##- SRC-IP-CIDR,192.168.1.202/31,DIRECT
##- SRC-IP-CIDR,192.168.1.204/30,DIRECT
##- SRC-IP-CIDR,192.168.1.208/28,DIRECT
##- SRC-IP-CIDR,192.168.1.224/27,DIRECT

##此时IP为192.168.1.1和192.168.1.201的客户端流量走代理(策略),其余客户端不走代理
##因为Fake-IP模式下,IP地址为192.168.1.1的路由器自身流量可走代理(策略),所以需要排除

##仅设置路由器自身直连:
##- SRC-IP-CIDR,192.168.1.1/32,DIRECT
##- SRC-IP-CIDR,198.18.0.1/32,DIRECT

##DDNS
##- DOMAIN-SUFFIX,checkip.dyndns.org,DIRECT
##- DOMAIN-SUFFIX,checkipv6.dyndns.org,DIRECT
##- DOMAIN-SUFFIX,checkip.synology.com,DIRECT
##- DOMAIN-SUFFIX,ifconfig.co,DIRECT
##- DOMAIN-SUFFIX,api.myip.com,DIRECT
##- DOMAIN-SUFFIX,ip-api.com,DIRECT
##- DOMAIN-SUFFIX,ipapi.co,DIRECT
##- DOMAIN-SUFFIX,ip6.seeip.org,DIRECT
##- DOMAIN-SUFFIX,members.3322.org,DIRECT

##在线IP段转CIDR地址:http://ip2cidr.com
#===================== 自定义规则 二 =====================#
script:
##  shortcuts:
##    common_port: dst_port not in [21, 22, 23, 53, 80, 123, 143, 194, 443, 465, 587, 853, 993, 995, 998, 2052, 2053, 2082, 2083, 2086, 2095, 2096, 5222, 5228, 5229, 5230, 8080, 8443, 8880, 8888, 8889]

##  code: |
##    def main(ctx, metadata):
##        directkeywordlist = ["baidu"]
##        for directkeyword in directkeywordlist:
##          if directkeyword in metadata["host"]:
##            ctx.log('[Script] matched keyword %s use direct' % directkeyword)
##            return "DIRECT"

rules:
##- SCRIPT,common_port,DIRECT #shortcuts rule

##- DOMAIN-SUFFIX,google.com,Proxy #匹配域名后缀(交由Proxy代理服务器组)
##- DOMAIN-KEYWORD,google,Proxy #匹配域名关键字(交由Proxy代理服务器组)
##- DOMAIN,google.com,Proxy #匹配域名(交由Proxy代理服务器组)
##- DOMAIN-SUFFIX,ad.com,REJECT #匹配域名后缀(拒绝)
##- IP-CIDR,127.0.0.0/8,DIRECT #匹配数据目标IP(直连)
##- SRC-IP-CIDR,192.168.1.201/32,DIRECT #匹配数据发起IP(直连)
##- DST-PORT,80,DIRECT #匹配数据目标端口(直连)
##- SRC-PORT,7777,DIRECT #匹配数据源端口(直连)

#===================== 配置文件 =====================#

port: 7890
socks-port: 7891
redir-port: 7892
mixed-port: 7893
allow-lan: true
mode: rule
log-level: silent
ipv6: false
external-controller: 0.0.0.0:9090
keep-alive-interval: 180
dns:
  enable: true
  ipv6: false
  listen: 0.0.0.0:7874
  proxy-server-nameserver:
  - 114.114.114.114
  - 119.29.29.29
  nameserver-policy:
    geosite:gfw,greatfire,bing:
    - tls://8.8.8.8#Main Switch
    - tls://1.1.1.1#Main Switch
    geosite:blizzard:
    - 114.114.114.114
    - 119.29.29.29
  nameserver:
  - 114.114.114.114
  - 119.29.29.29
  fallback:
  - tls://8.8.8.8#Main Switch
  - tls://1.1.1.1#Main Switch
  fallback-filter:
    geoip: true
    geoip-code: CN
    ipcidr:
    - 240.0.0.0/4
    - 0.0.0.0/32
    - 127.0.0.1/32
  enhanced-mode: redir-host
hosts:
  NAS.local: 10.252.252.250
proxy-groups:
- name: Main Switch
  type: select
  proxies:
  - Auto Fallback Mode
....
  - DIRECT

#===================== 自定义覆写设置 =====================#

#!/bin/sh
. /usr/share/openclash/ruby.sh
. /usr/share/openclash/log.sh
. /lib/functions.sh

# This script is called by /etc/init.d/openclash
# Add your custom overwrite scripts here, they will be take effict after the OpenClash own srcipts

LOG_OUT "Tip: Start Running Custom Overwrite Scripts..."
LOGTIME=$(echo $(date "+%Y-%m-%d %H:%M:%S"))
LOG_FILE="/tmp/openclash.log"
CONFIG_FILE="$1" #config path

#Simple Demo:
    #General Demo
    #1--config path
    #2--key name
    #3--value
    #ruby_edit "$CONFIG_FILE" "['redir-port']" "7892"
    #ruby_edit "$CONFIG_FILE" "['secret']" "123456"
    #ruby_edit "$CONFIG_FILE" "['dns']['enable']" "true"

    #Hash Demo
    #1--config path
    #2--key name
    #3--hash type value
    #ruby_edit "$CONFIG_FILE" "['experimental']" "{'sniff-tls-sni'=>true}"
    #ruby_edit "$CONFIG_FILE" "['sniffer']" "{'sniffing'=>['tls','http']}"

    #Array Demo:
    #1--config path
    #2--key name
    #3--position(start from 0, end with -1)
    #4--value
    #ruby_arr_insert "$CONFIG_FILE" "['dns']['nameserver']" "0" "114.114.114.114"

    #Array Add From Yaml File Demo:
    #1--config path
    #2--key name
    #3--position(start from 0, end with -1)
    #4--value file path
    #5--value key name in #4 file
    #ruby_arr_add_file "$CONFIG_FILE" "['dns']['fallback-filter']['ipcidr']" "0" "/etc/openclash/custom/openclash_custom_fallback_filter.yaml" "['fallback-filter']['ipcidr']"

#Ruby Script Demo:
    #ruby -ryaml -rYAML -I "/usr/share/openclash" -E UTF-8 -e "
    #   begin
    #      Value = YAML.load_file('$CONFIG_FILE');
    #   rescue Exception => e
    #      puts '${LOGTIME} Error: Load File Failed,【' + e.message + '】';
    #   end;

        #General
    #   begin
    #   Thread.new{
    #      Value['redir-port']=7892;
    #      Value['tproxy-port']=7895;
    #      Value['port']=7890;
    #      Value['socks-port']=7891;
    #      Value['mixed-port']=7893;
    #   }.join;

    #   rescue Exception => e
    #      puts '${LOGTIME} Error: Set General Failed,【' + e.message + '】';
    #   ensure
    #      File.open('$CONFIG_FILE','w') {|f| YAML.dump(Value, f)};
    #   end" 2>/dev/null >> $LOG_FILE

exit 0
#===================== 自定义防火墙设置 =====================#

#!/bin/sh
. /usr/share/openclash/log.sh
. /lib/functions.sh

# This script is called by /etc/init.d/openclash
# Add your custom firewall rules here, they will be added after the end of the OpenClash iptables rules

LOG_OUT "Tip: Start Add Custom Firewall Rules..."

exit 0
#===================== IPTABLES 防火墙设置 =====================#

#IPv4 NAT chain

# Generated by iptables-save v1.8.8 (nf_tables) on Mon Oct 14 15:24:49 2024
*nat
:PREROUTING ACCEPT [89266:7959193]
:INPUT ACCEPT [53837:4470855]
:OUTPUT ACCEPT [263839:22781985]
:POSTROUTING ACCEPT [312335:27057753]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Mon Oct 14 15:24:49 2024

#IPv4 Mangle chain

# Generated by iptables-save v1.8.8 (nf_tables) on Mon Oct 14 15:24:49 2024
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Mon Oct 14 15:24:49 2024

#IPv4 Filter chain

# Generated by iptables-save v1.8.8 (nf_tables) on Mon Oct 14 15:24:49 2024
*filter
:INPUT ACCEPT [4456238:4735120441]
:FORWARD ACCEPT [242496:72152768]
:OUTPUT ACCEPT [5824508:6223504745]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-MAN - [0:0]
:DOCKER-USER - [0:0]
:SOCAT - [0:0]
-A INPUT -j SOCAT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-MAN -i br-lan -o docker0 -j RETURN
-A DOCKER-MAN -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
-A DOCKER-MAN -o docker0 -m conntrack --ctstate INVALID,NEW -j DROP
-A DOCKER-MAN -j RETURN
-A DOCKER-USER -j DOCKER-MAN
-A DOCKER-USER -j RETURN
-A SOCAT -p tcp -m tcp --dport 21080 -m comment --comment HomeRouter2-Socks5 -j ACCEPT
-A SOCAT -p tcp -m tcp --dport 31080 -m comment --comment NAS-Socks5 -j ACCEPT
COMMIT
# Completed on Mon Oct 14 15:24:49 2024

#IPv6 NAT chain

# Generated by ip6tables-save v1.8.8 on Mon Oct 14 15:24:49 2024
*nat
:PREROUTING ACCEPT [2634:655886]
:INPUT ACCEPT [3673:755140]
:OUTPUT ACCEPT [1460:148294]
:POSTROUTING ACCEPT [1492:150854]
COMMIT
# Completed on Mon Oct 14 15:24:49 2024

#IPv6 Mangle chain

# Generated by ip6tables-save v1.8.8 on Mon Oct 14 15:24:49 2024
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Mon Oct 14 15:24:49 2024

#IPv6 Filter chain

# Generated by ip6tables-save v1.8.8 on Mon Oct 14 15:24:49 2024
*filter
:INPUT ACCEPT [90527:11202314]
:FORWARD ACCEPT [102:7536]
:OUTPUT ACCEPT [106316:26890331]
:SOCAT - [0:0]
-A INPUT -j SOCAT
-A SOCAT -p tcp -m tcp --dport 21080 -m comment --comment HomeRouter2-Socks5 -j ACCEPT
-A SOCAT -p tcp -m tcp --dport 31080 -m comment --comment NAS-Socks5 -j ACCEPT
COMMIT
# Completed on Mon Oct 14 15:24:49 2024

#===================== NFTABLES 防火墙设置 =====================#

table inet fw4 {
    chain input {
        type filter hook input priority filter; policy accept;
        meta l4proto { tcp, udp } iifname "utun" counter packets 0 bytes 0 accept comment "OpenClash TUN Input"
        iifname "pppoe-wan" ip saddr != @localnetwork counter packets 66690 bytes 30300009 jump openclash_wan_input
        iif "lo" accept comment "!fw4: Accept traffic from loopback"
        ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
        tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
        iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
        iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
        iifname "ztbpaetd7x" jump input_Zerotier comment "!fw4: Handle Zerotier IPv4/IPv6 input traffic"
        iifname "tailscale0" jump input_Tailscale comment "!fw4: Handle Tailscale IPv4/IPv6 input traffic"
        iifname "eth3" jump input_iptv comment "!fw4: Handle iptv IPv4/IPv6 input traffic"
        iifname "docker0" jump input_docker comment "!fw4: Handle docker IPv4/IPv6 input traffic"
        iifname "tailscale0" jump input_tailscale comment "!fw4: Handle tailscale IPv4/IPv6 input traffic"
    }
}
table inet fw4 {
    chain forward {
        type filter hook forward priority filter; policy drop;
        meta l4proto { tcp, udp } iifname "utun" counter packets 43 bytes 20525 accept comment "OpenClash TUN Forward"
        meta l4proto { tcp, udp } oifname "utun" counter packets 427 bytes 69809 accept comment "OpenClash TUN Forward"
        ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
        iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
        iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
        iifname "ztbpaetd7x" jump forward_Zerotier comment "!fw4: Handle Zerotier IPv4/IPv6 forward traffic"
        iifname "tailscale0" jump forward_Tailscale comment "!fw4: Handle Tailscale IPv4/IPv6 forward traffic"
        iifname "eth3" jump forward_iptv comment "!fw4: Handle iptv IPv4/IPv6 forward traffic"
        iifname "docker0" jump forward_docker comment "!fw4: Handle docker IPv4/IPv6 forward traffic"
        iifname "tailscale0" jump forward_tailscale comment "!fw4: Handle tailscale IPv4/IPv6 forward traffic"
        jump upnp_forward comment "Hook into miniupnpd forwarding chain"
        jump handle_reject
    }
}
table inet fw4 {
    chain dstnat {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "pppoe-wan" jump dstnat_wan comment "!fw4: Handle wan IPv4/IPv6 dstnat traffic"
        iifname "ztbpaetd7x" jump dstnat_Zerotier comment "!fw4: Handle Zerotier IPv4/IPv6 dstnat traffic"
        iifname "tailscale0" jump dstnat_Tailscale comment "!fw4: Handle Tailscale IPv4/IPv6 dstnat traffic"
        iifname "eth3" jump dstnat_iptv comment "!fw4: Handle iptv IPv4/IPv6 dstnat traffic"
        iifname "tailscale0" jump dstnat_tailscale comment "!fw4: Handle tailscale IPv4/IPv6 dstnat traffic"
        jump upnp_prerouting comment "Hook into miniupnpd prerouting chain"
        ip protocol tcp counter packets 4166 bytes 260065 jump openclash
    }
}
table inet fw4 {
    chain srcnat {
        type nat hook postrouting priority srcnat; policy accept;
        meta nfproto ipv4 oifname "utun" counter packets 249 bytes 51940 return comment "OpenClash TUN Postrouting"
        oifname "pppoe-wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
        oifname "ztbpaetd7x" jump srcnat_Zerotier comment "!fw4: Handle Zerotier IPv4/IPv6 srcnat traffic"
        oifname "tailscale0" jump srcnat_Tailscale comment "!fw4: Handle Tailscale IPv4/IPv6 srcnat traffic"
        oifname "eth3" jump srcnat_iptv comment "!fw4: Handle iptv IPv4/IPv6 srcnat traffic"
        oifname "tailscale0" jump srcnat_tailscale comment "!fw4: Handle tailscale IPv4/IPv6 srcnat traffic"
        jump upnp_postrouting comment "Hook into miniupnpd postrouting chain"
    }
}
table inet fw4 {
    chain nat_output {
        type nat hook output priority filter - 1; policy accept;
        meta skuid != 65534 meta nfproto ipv4 tcp dport 53 counter packets 1 bytes 60 accept comment "OpenClash TCP DNS Hijack"
        ip protocol tcp counter packets 3514 bytes 210840 jump openclash_output
    }
}
table inet fw4 {
    chain mangle_prerouting {
        type filter hook prerouting priority mangle; policy accept;
        ip protocol udp counter packets 34247 bytes 6304808 jump openclash_mangle
    }
}
table inet fw4 {
    chain mangle_output {
        type route hook output priority mangle; policy accept;
        meta nfproto ipv4 meta l4proto { tcp, udp } counter packets 138053 bytes 48880062 jump openclash_mangle_output
    }
}
table inet fw4 {
    chain openclash {
        meta nfproto ipv4 tcp sport 1688 counter packets 0 bytes 0 return
        ip daddr @localnetwork counter packets 350 bytes 21792 return
        ip daddr @china_ip_route ip daddr != @china_ip_route_pass counter packets 1505 bytes 90525 return
        ip protocol tcp counter packets 2314 bytes 147940 redirect to :7892
    }
}
table inet fw4 {
    chain openclash_mangle {
        meta nfproto ipv4 udp sport 500 counter packets 0 bytes 0 return
        meta nfproto ipv4 udp sport 68 counter packets 461 bytes 151208 return
        meta l4proto { tcp, udp } iifname "utun" counter packets 43 bytes 20525 return
        ip daddr @localnetwork counter packets 31016 bytes 5674652 return
        ip daddr @china_ip_route ip daddr != @china_ip_route_pass counter packets 1908 bytes 342988 return
        ip protocol udp counter packets 821 bytes 115625 jump openclash_upnp
        meta l4proto { tcp, udp } th dport 0-65535 meta mark set 0x00000162 counter packets 821 bytes 115625
    }
}
table inet fw4 {
    chain openclash_mangle_output {
        meta nfproto ipv4 udp sport 500 counter packets 0 bytes 0 return
        meta nfproto ipv4 udp sport 68 counter packets 0 bytes 0 return
        ip daddr @localnetwork counter packets 51401 bytes 36234553 return
    }
}
table inet fw4 {
    chain openclash_output {
        meta nfproto ipv4 tcp sport 1688 counter packets 0 bytes 0 return
        ip daddr @localnetwork counter packets 92 bytes 5520 return
        meta skuid != 65534 ip daddr @china_ip_route ip daddr != @china_ip_route_pass counter packets 8 bytes 480 return
        ip protocol tcp meta skuid != 65534 counter packets 269 bytes 16140 redirect to :7892
    }
}
table inet fw4 {
    chain openclash_wan_input {
        udp dport { 7874, 7890, 7891, 7892, 7893, 7895, 9090 } counter packets 0 bytes 0 reject
        tcp dport { 7874, 7890, 7891, 7892, 7893, 7895, 9090 } counter packets 0 bytes 0 reject
    }
}
table inet fw4 {
    chain openclash_dns_hijack {
    }
}

#===================== IPSET状态 =====================#

#===================== 路由表状态 =====================#

#IPv4

#route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         100.127.248.1   0.0.0.0         UG    0      0        0 pppoe-wan
10.252.250.0    0.0.0.0         255.255.255.0   U     0      0        0 ztbpaetd7x
10.252.251.0    10.252.252.254  255.255.255.0   UG    0      0        0 br-lan
10.252.252.0    0.0.0.0         255.255.255.0   U     0      0        0 br-lan
10.252.253.0    0.0.0.0         255.255.255.0   U     0      0        0 eth3
100.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 tailscale0
100.127.248.1   0.0.0.0         255.255.255.255 UH    0      0        0 pppoe-wan
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
198.18.0.0      0.0.0.0         255.255.255.252 U     0      0        0 utun
239.77.0.0      10.252.253.253  255.255.0.0     UG    0      0        0 eth3
239.253.0.0     10.252.253.253  255.255.0.0     UG    0      0        0 eth3

#ip route list
default via 100.127.248.1 dev pppoe-wan proto static 
10.252.250.0/24 dev ztbpaetd7x proto kernel scope link src 10.252.250.130 
10.252.251.0/24 via 10.252.252.254 dev br-lan proto static 
10.252.252.0/24 dev br-lan proto kernel scope link src 10.252.252.253 
10.252.253.0/24 dev eth3 proto kernel scope link src 10.252.253.101 
100.0.0.0/8 dev tailscale0 proto kernel scope link src 100.126.95.142 
100.127.248.1 dev pppoe-wan proto kernel scope link src *WAN IP*.195 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
198.18.0.0/30 dev utun proto kernel scope link src 198.18.0.1 
239.77.0.0/16 via 10.252.253.253 dev eth3 proto static 
239.253.0.0/16 via 10.252.253.253 dev eth3 proto static 

#ip rule show
0:  from all lookup local
5209:   from all fwmark 0x162 lookup 354
5210:   from all fwmark 0x80000/0xff0000 lookup main
5230:   from all fwmark 0x80000/0xff0000 lookup default
5250:   from all fwmark 0x80000/0xff0000 unreachable
5270:   from all lookup 52
32766:  from all lookup main
32767:  from all lookup default

#IPv6

#route -A inet6
Kernel IPv6 routing table
Destination                                 Next Hop                                Flags Metric Ref    Use Iface
::/0                                        ::                                      !n    -1     1        0 lo      
::/0                                        ::                                      !n    -1     1        0 lo      
fc18:2a3f:e400::/40                         ::                                      U     256    5        0 ztbpaetd7x
fd58:7a08:f6de::/64                         ::                                      U     1024   6        0 br-lan  
fd58:7a08:f6de:4::/62                       fe80::10d2:647a:fbdc:3a7f               UG    1024   1        0 br-lan  
fd58:7a08:f6de::/48                         ::                                      !n    2147483647 4        0 lo      
fd88:5033:8390:7a0c:6799:9300::/88          ::                                      U     256    5        0 ztbpaetd7x
fe80::/64                                   ::                                      U     256    1        0 eth0    
fe80::/64                                   ::                                      U     256    5        0 br-lan  
fe80::/64                                   ::                                      U     256    1        0 eth3    
fe80::/64                                   ::                                      U     256    1        0 ztbpaetd7x
fe80::/64                                   ::                                      U     256    1        0 tailscale0
fe80::/64                                   ::                                      U     256    1        0 utun    
::/0                                        ::                                      !n    -1     1        0 lo      
::1/128                                     ::                                      Un    0      6        0 lo      
fc18:2a3f:e400::/128                        ::                                      Un    0      3        0 ztbpaetd7x
fc18:2a3f:e480:835f:1b3e::1/128             ::                                      Un    0      7        0 ztbpaetd7x
fd58:7a08:f6de::/128                        ::                                      Un    0      3        0 br-lan  
fd58:7a08:f6de::1/128                       ::                                      Un    0      10       0 br-lan  
fd88:5033:8390:7a0c:6799:9300::/128         ::                                      Un    0      3        0 ztbpaetd7x
fd88:5033:8390:7a0c:6799:9380:835f:1b3e/128 ::                                      Un    0      7        0 ztbpaetd7x
fe80::/128                                  ::                                      Un    0      6        0 eth0    
fe80::/128                                  ::                                      Un    0      3        0 br-lan  
fe80::/128                                  ::                                      Un    0      3        0 eth3    
fe80::/128                                  ::                                      Un    0      3        0 ztbpaetd7x
fe80::/128                                  ::                                      Un    0      3        0 tailscale0
fe80::/128                                  ::                                      Un    0      3        0 utun    
fe80::2bd1:e096:59f9:ab02/128               ::                                      Un    0      2        0 tailscale0
fe80::62be:b4ff:fe07:d6f5/128               ::                                      Un    0      4        0 eth0    
fe80::62be:b4ff:fe07:d6f6/128               ::                                      Un    0      6        0 br-lan  
fe80::62be:b4ff:fe07:d6f8/128               ::                                      Un    0      2        0 eth3    
fe80::9640:b676:15d9:9576/128               ::                                      Un    0      2        0 utun    
fe80::dcde:fbff:fe78:8afb/128               ::                                      Un    0      7        0 ztbpaetd7x
ff00::/8                                    ::                                      U     256    6        0 br-lan  
ff00::/8                                    ::                                      U     256    1        0 eth0    
ff00::/8                                    ::                                      U     256    1        0 eth3    
ff00::/8                                    ::                                      U     256    5        0 ztbpaetd7x
ff00::/8                                    ::                                      U     256    1        0 tailscale0
ff00::/8                                    ::                                      U     256    3        0 utun    
::/0                                        ::                                      !n    -1     1        0 lo      

#ip -6 route list
fc18:2a3f:e400::/40 dev ztbpaetd7x proto kernel metric 256 pref medium
fd58:7a08:f6de::/64 dev br-lan proto static metric 1024 pref medium
fd58:7a08:f6de:4::/62 via fe80::10d2:647a:fbdc:3a7f dev br-lan proto static metric 1024 pref medium
unreachable fd58:7a08:f6de::/48 dev lo proto static metric 2147483647 pref medium
fd88:5033:8390:7a0c:6799:9300::/88 dev ztbpaetd7x proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev eth3 proto kernel metric 256 pref medium
fe80::/64 dev ztbpaetd7x proto kernel metric 256 pref medium
fe80::/64 dev tailscale0 proto kernel metric 256 pref medium
fe80::/64 dev utun proto kernel metric 256 pref medium

#ip -6 rule show
0:  from all lookup local
5210:   from all fwmark 0x80000/0xff0000 lookup main
5230:   from all fwmark 0x80000/0xff0000 lookup default
5250:   from all fwmark 0x80000/0xff0000 unreachable
5270:   from all lookup 52
32766:  from all lookup main

#===================== Tun设备状态 =====================#

ztbpaetd7x: tap
tailscale0: tun vnet_hdr
utun: tun vnet_hdr

#===================== 端口占用状态 =====================#

tcp        0      0 198.18.0.1:43623        0.0.0.0:*               LISTEN      15074/clash
tcp        0      0 :::9090                 :::*                    LISTEN      15074/clash
tcp        0      0 :::7895                 :::*                    LISTEN      15074/clash
tcp        0      0 :::7893                 :::*                    LISTEN      15074/clash
tcp        0      0 :::7892                 :::*                    LISTEN      15074/clash
tcp        0      0 :::7891                 :::*                    LISTEN      15074/clash
tcp        0      0 :::7890                 :::*                    LISTEN      15074/clash
udp        0      0 :::52300                :::*                                15074/clash
udp        0      0 :::54892                :::*                                15074/clash
udp        0      0 :::7874                 :::*                                15074/clash
udp        0      0 :::7891                 :::*                                15074/clash
udp        0      0 :::7892                 :::*                                15074/clash
udp        0      0 :::7893                 :::*                                15074/clash
udp        0      0 :::7895                 :::*                                15074/clash
udp        0      0 :::39095                :::*                                15074/clash
udp        0      0 :::53632                :::*                                15074/clash
udp        0      0 :::46028                :::*                                15074/clash

#===================== 测试本机DNS查询(www.baidu.com) =====================#

Server:     127.0.0.1
Address:    127.0.0.1:53

Non-authoritative answer:
www.baidu.com   canonical name = www.a.shifen.com
Name:   www.a.shifen.com
Address: 240e:ff:e020:966:0:ff:b042:f296
Name:   www.a.shifen.com
Address: 240e:ff:e020:9ae:0:ff:b014:8e8b

Non-authoritative answer:
www.baidu.com   canonical name = www.a.shifen.com
Name:   www.a.shifen.com
Address: 183.2.172.42
Name:   www.a.shifen.com
Address: 183.2.172.185

#===================== 测试内核DNS查询(www.instagram.com) =====================#

Status: 0
TC: false
RD: true
RA: true
AD: false
CD: false

Question: 
  Name: www.instagram.com.
  Qtype: 1
  Qclass: 1

Answer: 
  TTL: 3587
  data: z-p42-instagram.c10r.instagram.com.
  name: www.instagram.com.
  type: 5

  TTL: 47
  data: 163.70.158.174
  name: z-p42-instagram.c10r.instagram.com.
  type: 1

Status: 0
TC: false
RD: true
RA: true
AD: false
CD: false

Question: 
  Name: www.instagram.com.
  Qtype: 28
  Qclass: 1

Answer: 
  TTL: 3551
  data: z-p42-instagram.c10r.instagram.com.
  name: www.instagram.com.
  type: 5

  TTL: 11
  data: 2a03:2880:f215:e8:face:b00c:0:4420
  name: z-p42-instagram.c10r.instagram.com.
  type: 28

Dnsmasq 当前默认 resolv 文件:/tmp/resolv.conf.d/resolv.conf.auto

#===================== /tmp/resolv.conf.d/resolv.conf.auto =====================#

# Interface iptv
# Interface lan
nameserver 223.5.5.5
# Interface wan

#===================== 测试本机网络连接(www.baidu.com) =====================#

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: keep-alive
Content-Length: 277
Content-Type: text/html
Date: Mon, 14 Oct 2024 07:24:49 GMT
Etag: "575e1f71-115"
Last-Modified: Mon, 13 Jun 2016 02:50:25 GMT
Pragma: no-cache
Server: bfe/1.0.8.18

#===================== 测试本机网络下载(raw.githubusercontent.com) =====================#

HTTP/2 200 
cache-control: max-age=300
content-security-policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
content-type: text/plain; charset=utf-8
etag: "f6037a93c68519d7041a3b4df325b61c424ec255b45dfeb063371319e39b0d96"
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
x-frame-options: deny
x-xss-protection: 1; mode=block
x-github-request-id: 4850:2BE692:1EFED9:246674:670CC741
accept-ranges: bytes
date: Mon, 14 Oct 2024 07:24:49 GMT
via: 1.1 varnish
x-served-by: cache-qpg120085-QPG
x-cache: MISS
x-cache-hits: 0
x-timer: S1728890690.698599,VS0,VE295
vary: Authorization,Accept-Encoding,Origin
access-control-allow-origin: *
cross-origin-resource-policy: cross-origin
x-fastly-request-id: c2b3bdac320018d25ba203c1cd7d2a8fae5aa23c
expires: Mon, 14 Oct 2024 07:29:49 GMT
source-age: 0
content-length: 1071

#===================== 最近运行日志(自动切换为Debug模式) =====================#

2024-10-14 11:09:24 Tip: Start Add Custom Firewall Rules...
2024-10-14 15:12:50 OpenClash Restart...
2024-10-14 15:12:50 OpenClash Stoping...
2024-10-14 15:12:50 Step 1: Backup The Current Groups State...
2024-10-14 15:12:50 Step 2: Delete OpenClash Firewall Rules...
2024-10-14 15:12:52 Step 3: Close The OpenClash Daemons...
2024-10-14 15:12:52 Step 4: Close The Clash Core Process...
2024-10-14 15:12:52 Step 5: Restart Dnsmasq...
2024-10-14 15:12:52 Step 6: Delete OpenClash Residue File...
2024-10-14 15:12:52 OpenClash Start Running...
2024-10-14 15:12:52 Step 1: Get The Configuration...
2024-10-14 15:12:52 Step 2: Check The Components...
2024-10-14 15:12:52 Tip: Because of the file【 /etc/config/openclash 】modificated, Pause quick start...
2024-10-14 15:12:52 Step 3: Modify The Config File...
2024-10-14 15:12:53 Tip: You have seted the authentication of SOCKS5/HTTP(S) proxy with【allen:18666219075】
2024-10-14 15:12:53 Error: Set authentication Failed,【undefined method `merge!' for ["allen:18666219075"]:Array】
2024-10-14 15:12:53 Tip: Start Running Custom Overwrite Scripts...
2024-10-14 15:12:53 Step 4: Start Running The Clash Core...
2024-10-14 15:12:53 Test The Config File First...
time="2024-10-14T07:12:54.245116524Z" level=info msg="Start initial configuration in progress"
time="2024-10-14T07:12:54.246464363Z" level=warning msg="The group [Home SN Redirected] with relay type is deprecated, please using dialer-proxy instead"
time="2024-10-14T07:12:54.24713215Z" level=info msg="Geodata Loader mode: standard"
time="2024-10-14T07:12:54.247140499Z" level=info msg="Geosite Matcher implementation: succinct"
time="2024-10-14T07:12:54.24728562Z" level=info msg="Load GeoIP rule: cn"
time="2024-10-14T07:12:54.496333215Z" level=info msg="Load GeoIP rule: private"
time="2024-10-14T07:12:54.740127518Z" level=info msg="Finished initial GeoIP rule private => DIRECT, records: 18"
time="2024-10-14T07:12:54.740229068Z" level=info msg="Load GeoSite rule: cn"
time="2024-10-14T07:12:55.174914598Z" level=info msg="Load GeoSite rule: private"
time="2024-10-14T07:12:55.288562272Z" level=info msg="Finished initial GeoSite rule private => DIRECT, records: 131"
time="2024-10-14T07:12:55.28871228Z" level=info msg="Load GeoIP rule: telegram"
time="2024-10-14T07:12:55.546536993Z" level=info msg="Finished initial GeoIP rule telegram => Main Switch, records: 12"
time="2024-10-14T07:12:55.546653698Z" level=info msg="Load GeoSite rule: blizzard"
time="2024-10-14T07:12:55.654377441Z" level=info msg="Finished initial GeoSite rule blizzard => Blizzard, records: 23"
time="2024-10-14T07:12:55.654474549Z" level=info msg="Load GeoSite rule: bing"
time="2024-10-14T07:12:55.755249501Z" level=info msg="Finished initial GeoSite rule bing => For AI, records: 35"
time="2024-10-14T07:12:55.755338104Z" level=info msg="Load GeoSite rule: jetbrains-ai"
time="2024-10-14T07:12:55.862489322Z" level=info msg="Finished initial GeoSite rule jetbrains-ai => For AI, records: 2"
time="2024-10-14T07:12:55.862608945Z" level=info msg="Load GeoSite rule: apple"
time="2024-10-14T07:12:55.974616053Z" level=info msg="Finished initial GeoSite rule apple => Apple, records: 1771"
time="2024-10-14T07:12:55.974749669Z" level=info msg="Finished initial GeoSite rule cn => China, records: 90365"
time="2024-10-14T07:12:55.974785742Z" level=info msg="Finished initial GeoIP rule cn => China, records: 19032"
time="2024-10-14T07:12:55.974814051Z" level=info msg="Load GeoSite rule: gfw"
time="2024-10-14T07:12:56.112603494Z" level=info msg="Finished initial GeoSite rule gfw => Main Switch, records: 6120"
time="2024-10-14T07:12:56.112723323Z" level=info msg="Load GeoSite rule: greatfire"
time="2024-10-14T07:12:56.212813092Z" level=info msg="Finished initial GeoSite rule greatfire => Main Switch, records: 8"
time="2024-10-14T07:12:56.2129108Z" level=info msg="Load GeoSite rule: microsoft"
time="2024-10-14T07:12:56.320210622Z" level=info msg="Finished initial GeoSite rule microsoft => Microsoft, records: 633"
time="2024-10-14T07:12:56.320310285Z" level=info msg="Finished initial GeoIP rule private => DIRECT, records: 18"
time="2024-10-14T07:12:56.320393053Z" level=info msg="Finished initial GeoSite rule gfw => dns.nameserver-policy, records: 6120"
time="2024-10-14T07:12:56.320420761Z" level=info msg="Finished initial GeoSite rule greatfire => dns.nameserver-policy, records: 8"
time="2024-10-14T07:12:56.320452389Z" level=info msg="Finished initial GeoSite rule bing => dns.nameserver-policy, records: 35"
time="2024-10-14T07:12:56.32047705Z" level=info msg="Finished initial GeoSite rule blizzard => dns.nameserver-policy, records: 23"
time="2024-10-14T07:12:56.320516201Z" level=info msg="Finished initial GeoIP rule cn => dns.fallback-filter.geoip, records: 19032"
time="2024-10-14T07:12:56.320572659Z" level=info msg="Initial configuration complete, total time: 2075ms"
2024-10-14 15:12:56 configuration file【/etc/openclash/WithSelfDNS.yaml】test is successful
2024-10-14 15:12:57 Step 5: Check The Core Status...
time="2024-10-14T07:12:58.065500851Z" level=info msg="Start initial configuration in progress"
time="2024-10-14T07:12:58.066770625Z" level=warning msg="The group [Home SN Redirected] with relay type is deprecated, please using dialer-proxy instead"
time="2024-10-14T07:12:58.067871195Z" level=info msg="Geodata Loader mode: standard"
time="2024-10-14T07:12:58.067890011Z" level=info msg="Geosite Matcher implementation: succinct"
time="2024-10-14T07:12:58.068030487Z" level=info msg="Load GeoIP rule: cn"
time="2024-10-14T07:12:58.313066614Z" level=info msg="Load GeoIP rule: private"
time="2024-10-14T07:12:58.551215364Z" level=info msg="Finished initial GeoIP rule private => DIRECT, records: 18"
time="2024-10-14T07:12:58.551332679Z" level=info msg="Load GeoSite rule: cn"
time="2024-10-14T07:12:58.974658583Z" level=info msg="Load GeoSite rule: private"
time="2024-10-14T07:12:59.08823813Z" level=info msg="Finished initial GeoSite rule private => DIRECT, records: 131"
time="2024-10-14T07:12:59.088355234Z" level=info msg="Load GeoIP rule: telegram"
time="2024-10-14T07:12:59.361813655Z" level=info msg="Finished initial GeoIP rule telegram => Main Switch, records: 12"
time="2024-10-14T07:12:59.361913755Z" level=info msg="Load GeoSite rule: blizzard"
time="2024-10-14T07:12:59.45900113Z" level=info msg="Finished initial GeoSite rule blizzard => Blizzard, records: 23"
time="2024-10-14T07:12:59.459103681Z" level=info msg="Load GeoSite rule: bing"
time="2024-10-14T07:12:59.559840584Z" level=info msg="Finished initial GeoSite rule bing => For AI, records: 35"
time="2024-10-14T07:12:59.559945654Z" level=info msg="Load GeoSite rule: jetbrains-ai"
time="2024-10-14T07:12:59.656174685Z" level=info msg="Finished initial GeoSite rule jetbrains-ai => For AI, records: 2"
time="2024-10-14T07:12:59.656287027Z" level=info msg="Load GeoSite rule: apple"
time="2024-10-14T07:12:59.762092008Z" level=info msg="Finished initial GeoSite rule apple => Apple, records: 1771"
time="2024-10-14T07:12:59.762192793Z" level=info msg="Finished initial GeoSite rule cn => China, records: 90365"
time="2024-10-14T07:12:59.762223975Z" level=info msg="Finished initial GeoIP rule cn => China, records: 19032"
time="2024-10-14T07:12:59.762253636Z" level=info msg="Load GeoSite rule: gfw"
time="2024-10-14T07:12:59.8827349Z" level=info msg="Finished initial GeoSite rule gfw => Main Switch, records: 6120"
time="2024-10-14T07:12:59.882855219Z" level=info msg="Load GeoSite rule: greatfire"
time="2024-10-14T07:12:59.991190099Z" level=info msg="Finished initial GeoSite rule greatfire => Main Switch, records: 8"
time="2024-10-14T07:12:59.991291942Z" level=info msg="Load GeoSite rule: microsoft"
time="2024-10-14T07:13:00.100809045Z" level=info msg="Finished initial GeoSite rule microsoft => Microsoft, records: 633"
time="2024-10-14T07:13:00.100917036Z" level=info msg="Finished initial GeoIP rule private => DIRECT, records: 18"
time="2024-10-14T07:13:00.101018961Z" level=info msg="Finished initial GeoSite rule gfw => dns.nameserver-policy, records: 6120"
time="2024-10-14T07:13:00.101083227Z" level=info msg="Finished initial GeoSite rule greatfire => dns.nameserver-policy, records: 8"
time="2024-10-14T07:13:00.101110313Z" level=info msg="Finished initial GeoSite rule bing => dns.nameserver-policy, records: 35"
time="2024-10-14T07:13:00.101133805Z" level=info msg="Finished initial GeoSite rule blizzard => dns.nameserver-policy, records: 23"
time="2024-10-14T07:13:00.101179146Z" level=info msg="Finished initial GeoIP rule cn => dns.fallback-filter.geoip, records: 19032"
time="2024-10-14T07:13:00.101238042Z" level=info msg="Initial configuration complete, total time: 2035ms"
2024-10-14 15:13:00 Step 6: Set Firewall Rules...
2024-10-14 15:13:00 Tip: DNS Hijacking is Disabled...
2024-10-14 15:13:00 Tip: Firewall4 was Detected, Use NFTABLE Rules...
2024-10-14 15:13:01 Tip: Waiting for TUN Interface Start...
2024-10-14 15:13:01 Tip: Start Add Port Bypassing Rules For Firewall Redirect and Firewall Rules...
2024-10-14 15:13:01 Tip: Start Add Custom Firewall Rules...
2024-10-14 15:13:01 Step 7: Restart Dnsmasq...
2024-10-14 15:13:01 Step 8: Add Cron Rules, Start Daemons...
2024-10-14 15:13:01 Warning: OpenClash Start Successful, Please Note That Network May Abnormal With IPv6's DHCP Server

#===================== 最近运行日志获取完成(自动切换为silent模式) =====================#

#===================== 活动连接信息 =====================#

OpenClash Config

No response

Expected Behavior

不会出现证书错误

Additional Context

No response

xiaoyangdkj commented 2 weeks ago

自定义DNS: 停用 proxy-server-nameserver:

Interface lan nameserver 223.5.5.5

后面好像不用看了,mosdns开了相当于没开

scegg commented 2 weeks ago

自定义DNS: 停用 proxy-server-nameserver:

  • 114.114.114.114
  • 119.29.29.29

Interface lan nameserver 223.5.5.5

后面好像不用看了,mosdns开了相当于没开

proxy-server-nameserver不是只用来解析代理服务器的dns吗? 这个配置并不是用mosdns的。mosdns就直接让本地mosdns解析而已。

附MOSDNS版配置文件DNS段:

dns:
  enable: true
  ipv6: false
  listen: 0.0.0.0:7874
  nameserver:
  - 127.0.0.1:5335
  enhanced-mode: redir-host
xiaoyangdkj commented 2 weeks ago

自定义DNS: 停用 proxy-server-nameserver:

  • 114.114.114.114
  • 119.29.29.29

Interface lan nameserver 223.5.5.5

后面好像不用看了,mosdns开了相当于没开

proxy-server-nameserver不是只用来解析代理服务器的dns吗? 这个配置并不是用mosdns的。mosdns就直接让本地mosdns解析而已。

附MOSDNS版配置文件DNS段:

dns:
  enable: true
  ipv6: false
  listen: 0.0.0.0:7874
  nameserver:
  - 127.0.0.1:5335
  enhanced-mode: redir-host

抱歉,疏忽了。 不过,在启用了“绕过大陆模式”的情况下,好像nameserver直接用海外dns/交给mosdns就行。 新版本的mihomo内核的sni嗅探后返回的日志结果不是“域名”形式了,而是“ip”,不太清楚它目前的工作状态。 目前推测的是内地的nameserver存在dns抢答现象,你可以尝试一下修改成海外doh后看看会不会复现

scegg commented 2 weeks ago

自定义DNS: 停用 proxy-server-nameserver:

  • 114.114.114.114
  • 119.29.29.29

Interface lan nameserver 223.5.5.5 后面好像不用看了,mosdns开了相当于没开

proxy-server-nameserver不是只用来解析代理服务器的dns吗? 这个配置并不是用mosdns的。mosdns就直接让本地mosdns解析而已。 附MOSDNS版配置文件DNS段:

dns:
  enable: true
  ipv6: false
  listen: 0.0.0.0:7874
  nameserver:
  - 127.0.0.1:5335
  enhanced-mode: redir-host

抱歉,疏忽了。 不过,在启用了“绕过大陆模式”的情况下,好像nameserver直接用海外dns/交给mosdns就行。 新版本的mihomo内核的sni嗅探后返回的日志结果不是“域名”形式了,而是“ip”,不太清楚它目前的工作状态。 目前推测的是内地的nameserver存在dns抢答现象,你可以尝试一下修改成海外doh后看看会不会复现

问题是就算用上面这个让mosdns接管的方式,依旧会出现同样的问题。所以怀疑可能问题不是出在“初次dns解析”过程,而是更深层,或者与嗅探有关。

xiaoyangdkj commented 2 weeks ago

我对你的dnsmasq目前的工作状态表示好奇,你或许应该检查一下网络接口“lan”的设置(因为我前一段时间刚好遇到了类似的问题)

你的Dnsmasq 当前默认 resolv 文件:/tmp/resolv.conf.d/resolv.conf.auto

Interface iptv Interface lan nameserver 223.5.5.5 # dns解析服务默认先由阿里云提供,你缓存的dns解析结果或许不来自openclash

我的/tmp/resolv.conf文件 search lan nameserver 127.0.0.1 nameserver ::1 dns解析服务由本地的dnsmasq提供,当openclash启用dns劫持时,dns查询请求会被重定向到openclashScreenshot_20241015_022457_com.android.chrome_edit_1815458502547459.jpg

scegg commented 2 weeks ago

我对你的dnsmasq目前的工作状态表示好奇,你或许应该检查一下网络接口“lan”的设置(因为我前一段时间刚好遇到了类似的问题)

你的Dnsmasq 当前默认 resolv 文件:/tmp/resolv.conf.d/resolv.conf.auto

Interface iptv Interface lan nameserver 223.5.5.5 # dns解析服务默认先由阿里云提供,你缓存的dns解析结果或许不来自openclash

我的/tmp/resolv.conf文件 search lan nameserver 127.0.0.1 nameserver ::1 dns解析服务由本地的dnsmasq提供,当openclash启用dns劫持时,dns查询请求会被重定向到openclashScreenshot_20241015_022457_com.android.chrome_edit_1815458502547459.jpg

对,网卡我设置了DNS。但dnsmasq设置为直接转发到mosdns。

image image

难道mosdns会再读取一次lan的设置还是怎样?我mosdns用的是默认配置,只修改了RemoteDNS。

xiaoyangdkj commented 2 weeks ago

我对你的dnsmasq目前的工作状态表示好奇,你或许应该检查一下网络接口“lan”的设置(因为我前一段时间刚好遇到了类似的问题)

你的Dnsmasq 当前默认 resolv 文件:/tmp/resolv.conf.d/resolv.conf.auto

Interface iptv Interface lan nameserver 223.5.5.5 # dns解析服务默认先由阿里云提供,你缓存的dns解析结果或许不来自openclash

我的/tmp/resolv.conf文件 search lan nameserver 127.0.0.1 nameserver ::1 dns解析服务由本地的dnsmasq提供,当openclash启用dns劫持时,dns查询请求会被重定向到openclashScreenshot_20241015_022457_com.android.chrome_edit_1815458502547459.jpg

对,网卡我设置了DNS。但dnsmasq设置为直接转发到mosdns。

image image

难道mosdns会再读取一次lan的设置还是怎样?我mosdns用的是默认配置,只修改了RemoteDNS。

“mosdns会再读取一次lan的设置还是怎样” 并不是,一般情况下mosdns读取的是wan口的dns设置,这一般就是我们在“首页”里看到的“ipv4上游”的dns

这里的自定义dns,指的是openwrt通告给下面设备“这是他们目前可用的dns” 也就是说,其他设备如果遵守规则的话,压根不会用openwrt的dns(或者mosdns),而是都去用223.5.5.5的dns

任何验证这一点呢?Windows电脑可以打开“控制面板”,查看连接openwrt的“网卡属性”,看看目前的“ipv4 dns”是否为223.5.5.5

scegg commented 2 weeks ago

我对你的dnsmasq目前的工作状态表示好奇,你或许应该检查一下网络接口“lan”的设置(因为我前一段时间刚好遇到了类似的问题) 你的Dnsmasq 当前默认 resolv 文件:/tmp/resolv.conf.d/resolv.conf.auto Interface iptv Interface lan nameserver 223.5.5.5 # dns解析服务默认先由阿里云提供,你缓存的dns解析结果或许不来自openclash 我的/tmp/resolv.conf文件 search lan nameserver 127.0.0.1 nameserver ::1 dns解析服务由本地的dnsmasq提供,当openclash启用dns劫持时,dns查询请求会被重定向到openclashScreenshot_20241015_022457_com.android.chrome_edit_1815458502547459.jpg

对,网卡我设置了DNS。但dnsmasq设置为直接转发到mosdns。

image image

难道mosdns会再读取一次lan的设置还是怎样?我mosdns用的是默认配置,只修改了RemoteDNS。

“mosdns会再读取一次lan的设置还是怎样” 并不是,一般情况下mosdns读取的是wan口的dns设置,这一般就是我们在“首页”里看到的“ipv4上游”的dns

这里的自定义dns,指的是openwrt通告给下面设备“这是他们目前可用的dns” 也就是说,其他设备如果遵守规则的话,压根不会用openwrt的dns(或者mosdns),而是都去用223.5.5.5的dns

任何验证这一点呢?Windows电脑可以打开“控制面板”,查看连接openwrt的“网卡属性”,看看目前的“ipv4 dns”是否为223.5.5.5

这到没。这边所有终端的DNS都是指向了路由器。

xiaoyangdkj commented 2 weeks ago

我对你的dnsmasq目前的工作状态表示好奇,你或许应该检查一下网络接口“lan”的设置(因为我前一段时间刚好遇到了类似的问题) 你的Dnsmasq 当前默认 resolv 文件:/tmp/resolv.conf.d/resolv.conf.auto Interface iptv Interface lan nameserver 223.5.5.5 # dns解析服务默认先由阿里云提供,你缓存的dns解析结果或许不来自openclash 我的/tmp/resolv.conf文件 search lan nameserver 127.0.0.1 nameserver ::1 dns解析服务由本地的dnsmasq提供,当openclash启用dns劫持时,dns查询请求会被重定向到openclash Screenshot_20241015_022457_com.android.chrome_edit_1815458502547459.jpg

对,网卡我设置了DNS。 但dnsmasq设置为直接转发到mosdns。

image image

难道mosdns会再读取一次lan的设置还是怎样? 我mosdns用的是默认配置,只修改了RemoteDNS。

“mosdns会再读取一次lan的设置还是怎样” 并不是,一般情况下mosdns读取的是wan口的dns设置,这一般就是我们在“首页”里看到的“ipv4上游”的dns 这里的自定义dns,指的是openwrt通告给下面设备“这是他们目前可用的dns” 也就是说,其他设备如果遵守规则的话,压根不会用openwrt的dns(或者mosdns),而是都去用223.5.5.5的dns 任何验证这一点呢? Windows电脑可以打开“控制面板”,查看连接openwrt的“网卡属性”,看看目前的“ipv4 dns”是否为223.5.5.5

这到没。 这边所有终端的DNS都是指向了路由器。

为了稳妥期间,还是建议变动一下。 把lan接口的自定义dns删掉,只留下“使用默认网关”,保存并应用。这时候路由器可能没网(如果没有wan口的dns设置的话), 请不要担心,前往mosdns(或者直接把openclash的dns劫持打开再启动openclash也行),把它的开关、自定义国内dns、DNS 转发,都打开,尝试把他们的请求重定向到mosdns,然后重启openclash 访问goo.gle,查看是否为"私密连接不安全,该网站使用了*.facebook.com的证书"“该网站启用了HSTS,目前无法https访问”“accounts.google.com”,如果没有,则成功解决

scegg commented 2 weeks ago

好的多谢您。我先删了lan上的dns设定,观察几天看看。

yellowsavant commented 2 weeks ago

我的经验是开了下游dns缓存,很大概率在clash重启后造成证书连线重合问题,所以我把下游dns缓存机制都关闭后,问题就不再出现了

scegg commented 2 weeks ago

我的经验是开了下游dns缓存,很大概率在clash重启后造成证书连线重合问题,所以我把下游dns缓存机制都关闭后,问题就不再出现了

但是并没有用到FakeIP啊。Meta不支持FakeIP。

yellowsavant commented 2 weeks ago

我的经验是开了下游dns缓存,很大概率在clash重启后造成证书连线重合问题,所以我把下游dns缓存机制都关闭后,问题就不再出现了

但是并没有用到FakeIP啊。Meta不支持FakeIP。

Meta core支持fake-ip的呀,不过不论是真ip还是假ip方案,其实我的经验就是dns缓存问题,而且大概率发生在clash重启时 因为我做了两层NAT,每一层都有自己的DNS,把两层DNS缓存关闭后(只做dns forwarder)问题就没再发生了 你的情况我不清楚,我只说我自己的情况让你参考下哦

scegg commented 2 weeks ago

我的经验是开了下游dns缓存,很大概率在clash重启后造成证书连线重合问题,所以我把下游dns缓存机制都关闭后,问题就不再出现了

但是并没有用到FakeIP啊。Meta不支持FakeIP。

Meta core支持fake-ip的呀,不过不论是真ip还是假ip方案,其实我的经验就是dns缓存问题,而且大概率发生在clash重启时 因为我做了两层NAT,每一层都有自己的DNS,把两层DNS缓存关闭后(只做dns forwarder)问题就没再发生了 你的情况我不清楚,我只说我自己的情况让你参考下哦

嗯。但我这里只要发生错误时,手工重启一下openclash就会修复,可能不是cache的问题。

yellowsavant commented 2 weeks ago

我的经验是开了下游dns缓存,很大概率在clash重启后造成证书连线重合问题,所以我把下游dns缓存机制都关闭后,问题就不再出现了

但是并没有用到FakeIP啊。Meta不支持FakeIP。

Meta core支持fake-ip的呀,不过不论是真ip还是假ip方案,其实我的经验就是dns缓存问题,而且大概率发生在clash重启时 因为我做了两层NAT,每一层都有自己的DNS,把两层DNS缓存关闭后(只做dns forwarder)问题就没再发生了 你的情况我不清楚,我只说我自己的情况让你参考下哦

嗯。但我这里只要发生错误时,手工重启一下openclash就会修复,可能不是cache的问题。

最近这几版貌似都有一些问题,已退回042

scegg commented 2 weeks ago

我对你的dnsmasq目前的工作状态表示好奇,你或许应该检查一下网络接口“lan”的设置(因为我前一段时间刚好遇到了类似的问题) 你的Dnsmasq 当前默认 resolv 文件:/tmp/resolv.conf.d/resolv.conf.auto Interface iptv Interface lan nameserver 223.5.5.5 # dns解析服务默认先由阿里云提供,你缓存的dns解析结果或许不来自openclash 我的/tmp/resolv.conf文件 search lan nameserver 127.0.0.1 nameserver ::1 dns解析服务由本地的dnsmasq提供,当openclash启用dns劫持时,dns查询请求会被重定向到openclash Screenshot_20241015_022457_com.android.chrome_edit_1815458502547459.jpg

对,网卡我设置了DNS。 但dnsmasq设置为直接转发到mosdns。

image image

难道mosdns会再读取一次lan的设置还是怎样? 我mosdns用的是默认配置,只修改了RemoteDNS。

“mosdns会再读取一次lan的设置还是怎样” 并不是,一般情况下mosdns读取的是wan口的dns设置,这一般就是我们在“首页”里看到的“ipv4上游”的dns 这里的自定义dns,指的是openwrt通告给下面设备“这是他们目前可用的dns” 也就是说,其他设备如果遵守规则的话,压根不会用openwrt的dns(或者mosdns),而是都去用223.5.5.5的dns 任何验证这一点呢? Windows电脑可以打开“控制面板”,查看连接openwrt的“网卡属性”,看看目前的“ipv4 dns”是否为223.5.5.5

这到没。 这边所有终端的DNS都是指向了路由器。

为了稳妥期间,还是建议变动一下。 把lan接口的自定义dns删掉,只留下“使用默认网关”,保存并应用。这时候路由器可能没网(如果没有wan口的dns设置的话), 请不要担心,前往mosdns(或者直接把openclash的dns劫持打开再启动openclash也行),把它的开关、自定义国内dns、DNS 转发,都打开,尝试把他们的请求重定向到mosdns,然后重启openclash 访问goo.gle,查看是否为"私密连接不安全,该网站使用了*.facebook.com的证书"“该网站启用了HSTS,目前无法https访问”“accounts.google.com”,如果没有,则成功解决

删除自定义dns后3小时问题又出现。看来这个至少不是唯一原因。

xiaoyangdkj commented 2 weeks ago

我对你的dnsmasq目前的工作状态表示好奇,你或许应该检查一下网络接口“lan”的设置(因为我前一段时间刚好遇到了类似的问题) 你的Dnsmasq 当前默认 resolv 文件:/tmp/resolv.conf.d/resolv.conf.auto Interface iptv Interface lan nameserver 223.5.5.5 # dns解析服务默认先由阿里云提供,你缓存的dns解析结果或许不来自openclash 我的/tmp/resolv.conf文件 search lan nameserver 127.0.0.1 nameserver ::1 dns解析服务由本地的dnsmasq提供,当openclash启用dns劫持时,dns查询请求会被重定向到openclash Screenshot_20241015_022457_com.android.chrome_edit_1815458502547459.jpg

对,网卡我设置了DNS。 但dnsmasq设置为直接转发到mosdns。

image image

难道mosdns会再读取一次lan的设置还是怎样? 我mosdns用的是默认配置,只修改了RemoteDNS。

“mosdns会再读取一次lan的设置还是怎样” 并不是,一般情况下mosdns读取的是wan口的dns设置,这一般就是我们在“首页”里看到的“ipv4上游”的dns 这里的自定义dns,指的是openwrt通告给下面设备“这是他们目前可用的dns” 也就是说,其他设备如果遵守规则的话,压根不会用openwrt的dns(或者mosdns),而是都去用223.5.5.5的dns 任何验证这一点呢? Windows电脑可以打开“控制面板”,查看连接openwrt的“网卡属性”,看看目前的“ipv4 dns”是否为223.5.5.5

这到没。 这边所有终端的DNS都是指向了路由器。

为了稳妥期间,还是建议变动一下。 把lan接口的自定义dns删掉,只留下“使用默认网关”,保存并应用。这时候路由器可能没网(如果没有wan口的dns设置的话), 请不要担心,前往mosdns(或者直接把openclash的dns劫持打开再启动openclash也行),把它的开关、自定义国内dns、DNS 转发,都打开,尝试把他们的请求重定向到mosdns,然后重启openclash 访问goo.gle,查看是否为"私密连接不安全,该网站使用了*.facebook.com的证书"“该网站启用了HSTS,目前无法https访问”“accounts.google.com”,如果没有,则成功解决

删除自定义dns后3小时问题又出现。看来这个至少不是唯一原因。

测试一下开关飞行模式,我在修改完后 先后让手机飞行模式(刷新dns缓存),前往浏览器关闭安全dns(避免发生错误请求),开启mosdns分流, 现在再也没出现过这种情况 还有一种可能,这个可能性需要自己判断,前一段时间我使用的机场节点ip被送中了,在更换节点后这种非私密连接的问题得到缓解 我也是像你一样“后3小时问题又出现”才排查出这个问题的 实在不行的话可以试试fake-ip,它会试图劫持每一个经过clash内核的流量

我刚好就是在042出现的问题,但现在已经更新了openclash和mihomo内核,很抱歉没有办法帮你判断问题来源 引用一下 “Fake-IP 模式在客户端发起 DNS 请求时会立即返回一个保留地址(198.18.0.1/16),同时向上游 DNS 服务器查询结果,如果判定返回结果为污染或者命中代理规则,则直接发送域名至代理服务器进行远端解析。”

scegg commented 2 weeks ago

我对你的dnsmasq目前的工作状态表示好奇,你或许应该检查一下网络接口“lan”的设置(因为我前一段时间刚好遇到了类似的问题) 你的Dnsmasq 当前默认 resolv 文件:/tmp/resolv.conf.d/resolv.conf.auto Interface iptv Interface lan nameserver 223.5.5.5 # dns解析服务默认先由阿里云提供,你缓存的dns解析结果或许不来自openclash 我的/tmp/resolv.conf文件 search lan nameserver 127.0.0.1 nameserver ::1 dns解析服务由本地的dnsmasq提供,当openclash启用dns劫持时,dns查询请求会被重定向到openclash Screenshot_20241015_022457_com.android.chrome_edit_1815458502547459.jpg

对,网卡我设置了DNS。 但dnsmasq设置为直接转发到mosdns。

image image

难道mosdns会再读取一次lan的设置还是怎样? 我mosdns用的是默认配置,只修改了RemoteDNS。

“mosdns会再读取一次lan的设置还是怎样” 并不是,一般情况下mosdns读取的是wan口的dns设置,这一般就是我们在“首页”里看到的“ipv4上游”的dns 这里的自定义dns,指的是openwrt通告给下面设备“这是他们目前可用的dns” 也就是说,其他设备如果遵守规则的话,压根不会用openwrt的dns(或者mosdns),而是都去用223.5.5.5的dns 任何验证这一点呢? Windows电脑可以打开“控制面板”,查看连接openwrt的“网卡属性”,看看目前的“ipv4 dns”是否为223.5.5.5

这到没。 这边所有终端的DNS都是指向了路由器。

为了稳妥期间,还是建议变动一下。 把lan接口的自定义dns删掉,只留下“使用默认网关”,保存并应用。这时候路由器可能没网(如果没有wan口的dns设置的话), 请不要担心,前往mosdns(或者直接把openclash的dns劫持打开再启动openclash也行),把它的开关、自定义国内dns、DNS 转发,都打开,尝试把他们的请求重定向到mosdns,然后重启openclash 访问goo.gle,查看是否为"私密连接不安全,该网站使用了*.facebook.com的证书"“该网站启用了HSTS,目前无法https访问”“accounts.google.com”,如果没有,则成功解决

删除自定义dns后3小时问题又出现。看来这个至少不是唯一原因。

测试一下开关飞行模式,我在修改完后 先后让手机飞行模式(刷新dns缓存),前往浏览器关闭安全dns(避免发生错误请求),开启mosdns分流, 现在再也没出现过这种情况 还有一种可能,这个可能性需要自己判断,前一段时间我使用的机场节点ip被送中了,在更换节点后这种非私密连接的问题得到缓解 我也是像你一样“后3小时问题又出现”才排查出这个问题的 实在不行的话可以试试fake-ip,它会试图劫持每一个经过clash内核的流量

我刚好就是在042出现的问题,但现在已经更新了openclash和mihomo内核,很抱歉没有办法帮你判断问题来源 引用一下 “Fake-IP 模式在客户端发起 DNS 请求时会立即返回一个保留地址(198.18.0.1/16),同时向上游 DNS 服务器查询结果,如果判定返回结果为污染或者命中代理规则,则直接发送域名至代理服务器进行远端解析。”

嗯。也是最近的几个版本才开始出现问题的。而且我记得是从arm64先开始出问题(较为频繁,现在差不多5分钟就能复现),x86最近才开始出问题。由于网络精神洁癖等病症,不想用FakeIP。

Claire9518 commented 2 weeks ago

自定义DNS: 停用 proxy-server-nameserver:

  • 114.114.114.114
  • 119.29.29.29

Interface lan nameserver 223.5.5.5 后面好像不用看了,mosdns开了相当于没开

proxy-server-nameserver不是只用来解析代理服务器的dns吗? 这个配置并不是用mosdns的。mosdns就直接让本地mosdns解析而已。 附MOSDNS版配置文件DNS段:

dns:
  enable: true
  ipv6: false
  listen: 0.0.0.0:7874
  nameserver:
  - 127.0.0.1:5335
  enhanced-mode: redir-host

抱歉,疏忽了。 不过,在启用了“绕过大陆模式”的情况下,好像nameserver直接用海外dns/交给mosdns就行。 新版本的mihomo内核的sni嗅探后返回的日志结果不是“域名”形式了,而是“ip”,不太清楚它目前的工作状态。 目前推测的是内地的nameserver存在dns抢答现象,你可以尝试一下修改成海外doh后看看会不会复现

嗅探可能不是新版mihomo内核的问题,我尝试使用新版内核和039版本,嗅探结果是域名,但是042之后就成了ip