xiaorouji / openwrt-passwall


[Bug]: The server-side TUIC configuration generated for sing-box is still wrong. #3407

Closed shan869 closed 1 month ago

shan869 commented 2 months ago

Describe the bug you encountered

I previously filed a bug: /usr/lib/lua/luci/passwall/util_sing-box.lua generated a wrong TUIC config. That was later fixed, and although starting it no longer reports an error, the generated config file apparently cannot be connected to and seems wrong. Below is the generated config.

```json
{
  "tls": {
    "enabled": true,
    "key_path": "\/root\/private.key",
    "certificate_path": "\/root\/self-sign.cer"
  },
  "type": "tuic",
  "zero_rtt_handshake": false,
  "listen": "::",
  "users": [
    {
      "password": "1234",
      "uuid": "2c697aa0-4db3-4af2-846a-26cac340277f",
      "name": "2c697aa0-4db3-4af2-846a-26cac340277f"
    },
    {
      "password": "1234",
      "uuid": "61dc05b6-022d-4c7d-a5c1-2ad0a7f55b53",
      "name": "61dc05b6-022d-4c7d-a5c1-2ad0a7f55b53"
    }
  ],
  "heartbeat": "3s",
  "congestion_control": "cubic",
  "listen_port": 33344,
  "tag": "inbound"
}
```

But when I look at the TUIC server configuration, the user format should be like this:

```json
"users": {
    "00000000-0000-0000-0000-000000000000": "PASSWORD_0",
    "00000000-0000-0000-0000-000000000001": "PASSWORD_1"
}
```

Whether the other fields are wrong I cannot confirm yet. Let me post the official config.

```jsonc
{
    // The socket address to listen on
    "server": "[::]:443",

    // User list, contains user UUID and password
    "users": {
        "00000000-0000-0000-0000-000000000000": "PASSWORD_0",
        "00000000-0000-0000-0000-000000000001": "PASSWORD_1"
    },

    // The path to the certificate file
    "certificate": "PATH/TO/CERTIFICATE",

    // The path to the private key file
    "private_key": "PATH/TO/PRIVATE_KEY",

    // Optional. Congestion control algorithm, available options:
    // "cubic", "new_reno", "bbr"
    // Default: "cubic"
    "congestion_control": "cubic",

    // Optional. Application layer protocol negotiation
    // Default being empty (no ALPN)
    "alpn": ["h3", "spdy/3.1"],

    // Optional. If the server should create separate UDP sockets for relaying IPv6 UDP packets
    // Default: true
    "udp_relay_ipv6": true,

    // Optional. Enable 0-RTT QUIC connection handshake on the server side
    // This is not impacting much on the performance, as the protocol is fully multiplexed
    // WARNING: Disabling this is highly recommended, as it is vulnerable to replay attacks. See https://blog.cloudflare.com/even-faster-connection-establishment-with-quic-0-rtt-resumption/#attack-of-the-clones
    // Default: false
    "zero_rtt_handshake": false,

    // Optional. Set if the listening socket should be dual-stack
    // If this option is not set, the socket behavior is platform dependent
    "dual_stack": true,

    // Optional. How long the server should wait for the client to send the authentication command
    // Default: 3s
    "auth_timeout": "3s",

    // Optional. Maximum duration server expects for task negotiation
    // Default: 3s
    "task_negotiation_timeout": "3s",

    // Optional. How long the server should wait before closing an idle connection
    // Default: 10s
    "max_idle_time": "10s",

    // Optional. Maximum packet size the server can receive from outbound UDP sockets, in bytes
    // Default: 1500
    "max_external_packet_size": 1500,

    // Optional. Maximum number of bytes to transmit to a peer without acknowledgment
    // Should be set to at least the expected connection latency multiplied by the maximum desired throughput
    // Default: 8MiB * 2
    "send_window": 16777216,

    // Optional. Maximum number of bytes the peer may transmit without acknowledgement on any one stream before becoming blocked
    // Should be set to at least the expected connection latency multiplied by the maximum desired throughput
    // Default: 8MiB
    "receive_window": 8388608,

    // Optional. Interval between UDP packet fragment garbage collection
    // Default: 3s
    "gc_interval": "3s",

    // Optional. How long the server should keep a UDP packet fragment. Outdated fragments will be dropped
    // Default: 15s
    "gc_lifetime": "15s",

    // Optional. Set the log level
    // Default: "warn"
    "log_level": "warn"
}
```

Steps to reproduce the bug

The sing-box server-side TUIC config produces no error, but it cannot be connected to.

What you want to achieve

FIX

Log information

FIX

Screenshots

No response

System information

Latest version

Other information

No response

shan869 commented 2 months ago

After changing it I found that the original fix seems to be correct after all; let me test this first.

shan869 commented 2 months ago

I checked, and the config looks like this:

```json
{
  "server": "[::]:52408",
  "users": {
    "8e21e704-9ac8-4fb8-bef1-6c9d7d7e390b": "RnJ5BfJ3"
  },
  "certificate": "/opt/tuic/fullchain.pem",
  "private_key": "/opt/tuic/privkey.pem",
  "congestion_control": "bbr",
  "alpn": ["h3", "spdy/3.1"],
  "udp_relay_ipv6": true,
  "zero_rtt_handshake": false,
  "auth_timeout": "3s",
  "max_idle_time": "10s",
  "max_external_packet_size": 1500,
  "gc_interval": "3s",
  "gc_lifetime": "15s",
  "log_level": "warn"
}
```

Here `"certificate": "/opt/tuic/fullchain.pem", "private_key": "/opt/tuic/privkey.pem"` does not match the auto-generated `"key_path": "/root/private.key", "certificate_path": "/root/self-sign.cer"` fields at all, and given that the TUIC author has abandoned the project himself, this issue can go whichever way.

lwb1978 commented 2 months ago

The fix code you provided last time is fine overall. Don't go by the original tuic server config; sing-box's tuic config differs from the original, see: https://github.com/SagerNet/sing-box/blob/dev-next/docs/configuration/inbound/tuic.zh.md?plain=1 If you have time, you could look into which parameter exactly prevents the connection.

shan869 commented 1 month ago

It was my LuCI interface that omitted the QUIC TLS ALPN parameter; I entered h3. Then I added it on the client side too, and it works. The PASSWALL tuic config is not wrong.
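The thread above settles three points that are easy to get wrong when hand-editing or generating a sing-box TUIC inbound: sing-box's `users` is a list of `{name, uuid, password}` objects rather than tuic-server's `{uuid: password}` map, the certificate and key go under `tls` as `certificate_path`/`key_path`, and the connection only came up once `tls.alpn` contained `"h3"` on both ends. The checker below is an added example, not code from openwrt-passwall or sing-box; it encodes those findings as a pre-deploy lint. The sample inbounds are constructed from the configs posted in this issue, and the requirement that `alpn` contain `"h3"` is taken from the reporter's resolution, not from a sing-box guarantee. It also flags `zero_rtt_handshake: true`, which the TUIC documentation quoted above warns is replay-vulnerable.

```python
"""Lint a sing-box TUIC inbound for the mistakes discussed in this issue.

Added example, not project code. Assumptions (from the thread, not verified
against sing-box source): users must be a list of objects, TLS paths live
under tls.certificate_path / tls.key_path, and tls.alpn needs "h3".
"""
from __future__ import annotations

import uuid


def check_tuic_inbound(inbound: dict) -> list[str]:
    """Return a list of problems; an empty list means the inbound looks sane."""
    problems: list[str] = []
    if inbound.get("type") != "tuic":
        problems.append("type must be 'tuic'")

    # sing-box wants a list of user objects; a {uuid: password} map is the
    # original tuic-server format and is not what sing-box reads.
    users = inbound.get("users")
    if isinstance(users, dict):
        problems.append("users is a {uuid: password} map (tuic-server format); "
                        "sing-box wants a list of {name, uuid, password} objects")
    elif not isinstance(users, list) or not users:
        problems.append("users must be a non-empty list")
    else:
        for i, u in enumerate(users):
            try:
                uuid.UUID(str(u.get("uuid")))
            except (ValueError, AttributeError):
                problems.append(f"users[{i}].uuid is not a valid UUID")
            if not u.get("password"):
                problems.append(f"users[{i}].password is missing")

    tls = inbound.get("tls") or {}
    if not tls.get("enabled"):
        problems.append("tls.enabled must be true (TUIC runs over QUIC/TLS)")
    for key in ("certificate_path", "key_path"):
        if not tls.get(key):
            problems.append(f"tls.{key} is missing (sing-box names, not certificate/private_key)")
    # The fix found in this thread: without ALPN "h3" the client never connected.
    if "h3" not in (tls.get("alpn") or []):
        problems.append('tls.alpn must contain "h3"')

    # Replay risk called out in the TUIC documentation quoted in the issue.
    if inbound.get("zero_rtt_handshake"):
        problems.append("zero_rtt_handshake is true; 0-RTT is replay-vulnerable, set it to false")
    return problems


# Constructed from the config passwall generated (first comment): no ALPN.
GENERATED_BY_PASSWALL = {
    "tls": {"enabled": True, "key_path": "/root/private.key",
            "certificate_path": "/root/self-sign.cer"},
    "type": "tuic", "zero_rtt_handshake": False, "listen": "::",
    "users": [{"password": "1234", "uuid": "2c697aa0-4db3-4af2-846a-26cac340277f",
               "name": "2c697aa0-4db3-4af2-846a-26cac340277f"}],
    "heartbeat": "3s", "congestion_control": "cubic",
    "listen_port": 33344, "tag": "inbound",
}


def fixed_inbound() -> dict:
    """The same inbound with the ALPN the reporter had to add in LuCI."""
    fixed = {k: (dict(v) if isinstance(v, dict) else v) for k, v in GENERATED_BY_PASSWALL.items()}
    fixed["tls"]["alpn"] = ["h3"]
    return fixed


# Constructed from the tuic-server style config posted in the second comment;
# feeding this to sing-box is the mistake lwb1978 warned about.
TUIC_SERVER_STYLE = {
    "server": "[::]:52408",
    "users": {"8e21e704-9ac8-4fb8-bef1-6c9d7d7e390b": "RnJ5BfJ3"},
    "certificate": "/opt/tuic/fullchain.pem",
    "private_key": "/opt/tuic/privkey.pem",
    "zero_rtt_handshake": False,
}

if __name__ == "__main__":
    for label, cfg in (("generated", GENERATED_BY_PASSWALL),
                       ("fixed", fixed_inbound()),
                       ("tuic-server style", TUIC_SERVER_STYLE)):
        print(label, check_tuic_inbound(cfg) or "ok")
```

Run it on the inbound object sing-box would load (the `inbounds[]` entry, not the whole config). The generated config fails only on the missing ALPN, the fixed one passes, and the tuic-server style config is rejected on its `users` map and the absence of a `tls` block, which is the mismatch the reporter was chasing before the ALPN fix.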

lwb1978 commented 1 month ago