xjasonlyu / tun2socks

tun2socks - powered by gVisor TCP/IP stack
https://github.com/xjasonlyu/tun2socks/wiki
GNU General Public License v3.0

[Bug] i/o [UDP] dial 8.8.4.4:53: connect to global.xxx.com:3000: dial tcp: lookup global.xxx.com: i/o timeout #291

Closed Paper-Dragon closed 5 months ago

Paper-Dragon commented 10 months ago

Verify steps

Version

v2.5.0

What OS are you seeing the problem on?

No response

Description

Cannot connect to the DNS server through the socks proxy. I made sure socks is available; I tried the command `curl --socks xxxx:xxxx.com:3000 cip.cc` to verify socks is ok. I think this is a bug.

CLI or Config

docker run --entrypoint sh -it  -e LOGLEVEL=debug -e PROXY=socks5://defxxxxxxxx8902d46244d24a7c8469eh_60_1:de@global.xxx.com:3000  -v '/dev/net/tun:/dev/net/tun' --cap-add=NET_ADMIN xjasonlyu/tun2socks:v2.5.0
/ # ./entrypoint.sh
INFO[0000] [DIALER] set fwmark: 0x22b
INFO[0000] [STACK] tun://tun0 <-> socks5://global.xxx.com:300

verify command

/ # nslookup www.google.com 8.8.8.8
;; connection timed out; no servers could be reached

Logs

ERROR LOG

/ # ./entrypoint.sh
INFO[0000] [DIALER] set fwmark: 0x22b
INFO[0000] [STACK] tun://tun0 <-> socks5://global.xxx.com:3000
WARN[0033] [UDP] dial 8.8.4.4:53: connect to global.xxx.com:3000: dial tcp: lookup global.xxx.com: i/o timeout
WARN[0033] [UDP] dial 8.8.8.8:53: connect to global.xxx.com:3000: dial tcp: lookup global.xxx.com: i/o timeout
WARN[0038] [UDP] dial 8.8.8.8:53: connect to global.xxx.com:3000: dial tcp: lookup global.xxx.com: i/o timeout
WARN[0038] [UDP] dial 8.8.4.4:53: connect to global.xxx.com:3000: dial tcp: lookup global.xxx.com: i/o timeout

How to Reproduce

No response

xjasonlyu commented 10 months ago

Hi there, do you have direct access to 8.8.8.8 DNS?

This issue is caused by dns lookup error, as you're using a domain based proxy param. Try using the proxy server IP to see if this problem is resolved.

Paper-Dragon commented 10 months ago

As mentioned above. I use the ICMP protocol (ping) to verify the route rule.

/ # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=64 time=1.192 ms
64 bytes from 8.8.8.8: seq=1 ttl=64 time=0.333 ms
64 bytes from 8.8.8.8: seq=2 ttl=64 time=0.622 ms
64 bytes from 8.8.8.8: seq=3 ttl=64 time=0.424 ms
64 bytes from 8.8.8.8: seq=4 ttl=64 time=0.496 ms
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.333/0.613/1.192 ms
/ # ^C

I tried the way you said. Log is first; verify socks is available.

[root@linux ~]# curl --socks socks5://nscxxx:CavFxxx@162.0.220.2xx:46631 cip.cc
IP      : 143.55.129.2xx
地址    : 美国  纽约州  纽约
运营商  : fitnyc.edu

数据二  : 美国 | 纽约技术大学

数据三  : 美国纽约纽约

URL     : http://www.cip.cc/143.55.129.2xx
[root@linux ~]#  docker run -it  -e LOGLEVEL=debug -e PROXY=socks5://nscxxx:CavFxxx@162.0.220.2x:46631 -v '/dev/net/tun:/dev/net/tun' --cap-add=NET_ADMIN xjasonlyu/tun2socks:v2.5.1
INFO[0000] [DIALER] set fwmark: 0x22b
INFO[0000] [STACK] tun://tun0 <-> socks5://162.0.220.2x:46631

verify command

/ # nslookup google.com 8.8.8.8
;; connection timed out; no servers could be reached

/ #

error log
[root@linux ~]#  docker run -it  -e LOGLEVEL=debug -e PROXY=socks5://nscoxxx:CavFxxx@162.0.220.2xx:46631 -v '/dev/net/tun:/dev/net/tun' --cap-add=NET_ADMIN xjasonlyu/tun2socks:v2.5.1
INFO[0000] [DIALER] set fwmark: 0x22b
INFO[0000] [STACK] tun://tun0 <-> socks5://162.0.220.2xx:46631
WARN[0068] [UDP] dial 8.8.8.8:53: connect to 162.0.220.2xx:46631: dial tcp 162.0.220.2xx:46631: i/o timeout

xjasonlyu commented 10 months ago

Can you test if curl is working in the docker container?

Paper-Dragon commented 10 months ago

Because the base image is Alpine, it does not have the curl command, so I use the wget command.

[root@VM-4-10-centos ~]# docker run -d  --restart=always -e LOGLEVEL=debug -e PROXY=socks5://nscoxxx:CavFxxx@162.0.220.2x:46631  -v '/dev/net/tun:/dev/net/tun' --cap-add=NET_ADMIN xjasonlyu/tun2socks:v2.5.0
c8dd9d48ebec1244becf75dcff507c320267f20a53c706684492e4b50d63cda5
[root@VM-4-10-centos ~]# docker exec -it c8 sh
/ # echo "nameserver 8.8.8.8" > /etc/resolv.conf;
/ #
/ # ping baidu.com
ping: bad address 'baidu.com'
/ # curl http://43.136.116.195/
sh: curl: not found
/ # fetch http://43.136.116.195/
sh: fetch: not found
/ # curl
sh: curl: not found
/ # wget http://43.136.116.195/
Connecting to 43.136.116.195 (43.136.116.195:80)
wget: error getting response: Connection reset by peer
/ # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=64 time=0.226 ms
64 bytes from 8.8.8.8: seq=1 ttl=64 time=0.208 ms
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.208/0.217/0.226 ms
/ # ^C
/ #

LOGS

[root@VM-4-10-centos ~]# docker logs c8
time="2023-08-28T04:33:36Z" level=info msg="[DIALER] set fwmark: 0x22b"
time="2023-08-28T04:33:36Z" level=info msg="[STACK] tun://tun0 <-> socks5://162.0.220.216:46631"
time="2023-08-28T04:34:16Z" level=warning msg="[UDP] dial 8.8.8.8:53: connect to 162.0.220.216:46631: dial tcp 162.0.220.216:46631: i/o timeout"
[root@VM-4-10-centos ~]# docker logs c8 -f
time="2023-08-28T04:33:36Z" level=info msg="[DIALER] set fwmark: 0x22b"
time="2023-08-28T04:33:36Z" level=info msg="[STACK] tun://tun0 <-> socks5://162.0.220.216:46631"
time="2023-08-28T04:34:16Z" level=warning msg="[UDP] dial 8.8.8.8:53: connect to 162.0.220.216:46631: dial tcp 162.0.220.216:46631: i/o timeout"
time="2023-08-28T04:35:25Z" level=warning msg="[TCP] dial 43.136.116.195:80: connect to 162.0.220.216:46631: dial tcp 162.0.220.216:46631: i/o timeout"

xjasonlyu commented 10 months ago

It seems that your proxy server cannot be connected in the container. There might be a routing issue in your setup.
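The two warning shapes in this thread point at different failures: the first report (`dial tcp: lookup global.xxx.com: i/o timeout`) means the proxy's own hostname could not be resolved, which is why the maintainer suggests giving the proxy by IP; the later ones (`dial tcp 162.0.220.2xx:46631: i/o timeout`) mean the TCP connection to the proxy itself timed out, i.e. a routing or reachability problem. The script below is an added example (editor's code, not part of tun2socks or of anyone's comment) that sorts tun2socks warning lines into those two causes and pulls out the affected flow and the proxy endpoint. The sample log is constructed; `proxy.example.net`, `198.51.100.7` and `203.0.113.50` are placeholder names and RFC 5737 addresses, not values from the thread.

```shell
#!/bin/sh
# Added example (not tun2socks code): sort tun2socks "[UDP]/[TCP] dial ..." warnings
# into the two failure causes discussed in this thread.

# Print which part of the proxied dial failed, judged from the message tail:
#   proxy-hostname-unresolved : "dial tcp: lookup <host>: i/o timeout"
#                               (the proxy's hostname could not be resolved; the
#                               maintainer's advice is to configure the proxy by IP)
#   proxy-tcp-unreachable     : "dial tcp <ip>:<port>: i/o timeout"
#                               (TCP connect to the proxy endpoint itself timed out:
#                               routing, firewall or an unreachable proxy)
classify_tun2socks_warn() {
  case "$1" in
    *"dial tcp: lookup "*": i/o timeout"*) echo proxy-hostname-unresolved ;;
    *"dial tcp "*": i/o timeout"*)         echo proxy-tcp-unreachable ;;
    *)                                     echo other ;;
  esac
}

# Print "<PROTO> <destination>" of the flow that triggered the warning, e.g. "UDP 8.8.8.8:53".
# Works for both the plain "WARN[0033] [UDP] dial ..." and the docker-logs msg="..." format.
flow_of_warn() {
  printf '%s\n' "$1" | sed -n 's/.*\[\([A-Z]*\)] dial \([^ ]*\):.*/\1 \2/p'
}

# Print the "<host:port>" of the proxy endpoint named in the warning.
proxy_of_warn() {
  printf '%s\n' "$1" | sed -n 's/.*connect to \([^:]*:[0-9]*\):.*/\1/p'
}

# Run a whole log through the classifier: one summary line per dial warning,
# everything else (INFO lines etc.) is skipped.
triage_log() {
  while IFS= read -r line; do
    case "$line" in
      *" dial "*) printf '%s | %s | via %s\n' "$(classify_tun2socks_warn "$line")" \
                    "$(flow_of_warn "$line")" "$(proxy_of_warn "$line")" ;;
    esac
  done
}

# Constructed sample log, modelled on the two formats seen in this thread
# (placeholder hostname and RFC 5737 addresses, not the reporter's values).
SAMPLE_LOG='INFO[0000] [STACK] tun://tun0 <-> socks5://proxy.example.net:3000
WARN[0033] [UDP] dial 8.8.4.4:53: connect to proxy.example.net:3000: dial tcp: lookup proxy.example.net: i/o timeout
time="2023-08-28T04:35:25Z" level=warning msg="[TCP] dial 203.0.113.50:80: connect to 198.51.100.7:46631: dial tcp 198.51.100.7:46631: i/o timeout"'

# Stand-alone run: triage the constructed sample. For a real container use
#   docker logs <container> 2>&1 | sh thisscript.sh   (after replacing SAMPLE_LOG with stdin)
printf '%s\n' "$SAMPLE_LOG" | triage_log
```

Reading the two summary lines side by side shows why the maintainer asked whether the proxy was reachable at all: once the proxy is given by IP, a remaining `proxy-tcp-unreachable` verdict on a `TCP` flow means the tunnel's outbound path to the proxy is broken, independent of DNS.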

Paper-Dragon commented 10 months ago

Thank you for your patient reply. This is my route table.

/ # ip rule
0:      from all lookup local
32764:  from all to 198.18.0.1/15 fwmark 0x22b prohibit
32765:  not from all fwmark 0x22b lookup 555
32766:  from all lookup main
32767:  from all lookup default
/ # ip route
default via 172.17.0.1 dev eth0
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.2
198.18.0.0/15 dev tun0 proto kernel scope link src 198.18.0.1
/ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.17.0.1      0.0.0.0         UG    0      0        0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0
198.18.0.0      0.0.0.0         255.254.0.0     U     0      0        0 tun0
/ #

maybe useful

/ # ip -d l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
2: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast state UP mode DEFAULT group default qlen 500
    link/none  promiscuity 0
    tun type tun pi off vnet_hdr off persist on addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
6: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0 promiscuity 0
    veth addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast state UP group default qlen 500
    link/none
    inet 198.18.0.1/15 scope global tun0
       valid_lft forever preferred_lft forever
6: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
/ #

Paper-Dragon commented 10 months ago

This is the full route table.

/ #  ip route list table 255
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 172.17.0.0 dev eth0 proto kernel scope link src 172.17.0.2
local 172.17.0.2 dev eth0 proto kernel scope host src 172.17.0.2
broadcast 172.17.255.255 dev eth0 proto kernel scope link src 172.17.0.2
broadcast 198.18.0.0 dev tun0 proto kernel scope link src 198.18.0.1
local 198.18.0.1 dev tun0 proto kernel scope host src 198.18.0.1
broadcast 198.19.255.255 dev tun0 proto kernel scope link src 198.18.0.1
/ #  ip route list table 254
default via 172.17.0.1 dev eth0
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.2
198.18.0.0/15 dev tun0 proto kernel scope link src 198.18.0.1
/ #  ip route list table 555
default dev tun0 scope link
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.2
198.18.0.0/15 dev tun0 proto kernel scope link src 198.18.0.1
/ #  ip route list table 253

github-actions[bot] commented 8 months ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

engageub commented 8 months ago

Hi, I see timeout issues when I try to run in https://labs.play-with-docker.com/ It uses the container franela/dind to run instance. Please find the screenshot below. Play with docker is free to use. You may run tun2socks on it to replicate the issue.

Thank you

Paper-Dragon commented 8 months ago

Hi @engageub

I already know that this issue is due to a problem with the transmission of DNS traffic.

I have a solution on my side using the command

ip rule add iif lo ipproto udp dport 53 lookup main; 

Bypass DNS traffic: let port 53 traffic bypass the tun network card. This method requires that the kernel is the latest version and the iproute2 tool is installed. I looked at the website you gave; it is kernel version 4.4, which does not support this command.

Another approach is to use the SOCKS5 protocol to support UDP transport.

The last method is to wish the author to support UDP transport over TCP.
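The policy rule in the comment above only works when both the kernel and iproute2 understand the `ipproto`/`dport` selectors, which is the reason it fails on the 4.4 kernel mentioned. The script below is an added example (editor's code, not from tun2socks or from anyone in this thread) that checks the running kernel version against that requirement, checks the installed `ip` for the selector, and prints the rule together with the commands used to confirm it took effect. It assumes, which the thread does not state, that Linux 4.17 is the first kernel with these fib-rule selectors, and that the installed `ip route get` accepts `ipproto` and `dport` for the verification step; both are marked in the code.

```shell
#!/bin/sh
# Added example (not tun2socks code): can the UDP/53 bypass rule from this thread be used
# on this host, and how to verify it once applied.
# Assumption (not stated on the page): fib-rule "ipproto"/"dport" selectors need
# Linux >= 4.17 and an iproute2 built against headers that know them.
MIN_L4_RULE_KERNEL=4.17

# kernel_at_least VERSION MIN -> exit 0 if "major.minor" of VERSION >= MIN.
# VERSION may be a full `uname -r` string such as "5.15.0-91-generic"; only the
# numeric major.minor in front of the first "-" is compared.
kernel_at_least() {
  have=${1%%-*}
  have_major=${have%%.*}
  case $have in
    *.*) rest=${have#*.}; have_minor=${rest%%.*} ;;
    *)   have_minor=0 ;;
  esac
  want_major=${2%%.*}
  want_rest=${2#*.}; want_minor=${want_rest%%.*}
  [ "$have_major" -gt "$want_major" ] && return 0
  [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]
}

# iproute2_supports_l4 -> exit 0 if the installed `ip` lists the ipproto selector in its usage.
iproute2_supports_l4() {
  ip rule help 2>&1 | grep -q ipproto
}

# dns_bypass_plan KERNEL_VERSION -> prints "supported" or "unsupported" (kernel side only).
dns_bypass_plan() {
  if kernel_at_least "$1" "$MIN_L4_RULE_KERNEL"; then echo supported; else echo unsupported; fi
}

# The rule quoted in the thread, followed by two checks. "iif lo" selects packets generated
# on this host, so DNS queries to UDP/53 consult the main table (eth0 default route) instead
# of the tun default in table 555. `ip route get ... ipproto udp dport 53` assumes an
# iproute2 that accepts those selectors on route lookups; it should answer "via ... dev eth0".
dns_bypass_rule_cmds() {
  cat <<'EOF'
ip rule add iif lo ipproto udp dport 53 lookup main
ip rule show
ip route get 8.8.8.8 ipproto udp dport 53
EOF
}

# Stand-alone run: evaluate the running kernel and print the plan.
main() {
  kver=$(uname -r)
  verdict=$(dns_bypass_plan "$kver")
  echo "kernel $kver: ipproto/dport rule selectors $verdict"
  if [ "$verdict" = supported ] && iproute2_supports_l4; then
    echo "apply and verify with:"
    dns_bypass_rule_cmds
  else
    # Fallbacks named in the thread: a SOCKS5 server that relays UDP, or DNS over TCP.
    echo "fallback: use a SOCKS5 proxy that supports UDP, or resolve DNS over TCP"
  fi
}
main
```

Run it inside the tun2socks container as `sh check_dns_bypass.sh`; the `ip route get` line is the quick way to see which table a UDP/53 query will hit before relying on `nslookup`.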

Paper-Dragon commented 8 months ago

Hi @engageub, maybe you want the repo https://github.com/blechschmidt/tun2proxy, which has native support for proxying DNS over TCP. For any Docker image problem with this repo, you can open an issue with me.

engageub commented 8 months ago

Hi @Paper-Dragon , Thank you for the response and clarification. Regarding ip rule for port 53 of UDP, it has already been implemented in InternetIncome Script. The repo mentioned above is working fine on play with docker. The options mentioned in the repo are what I was looking for. Thank you for providing the link.

Thank you

engageub commented 8 months ago

Hi @Paper-Dragon, DNS is not working all the time while using the repo, so I raised an issue with tun2proxy (https://github.com/blechschmidt/tun2proxy/issues/73). I had a similar problem with tun2socks so had to bypass DNS port 53. But with tun2proxy the option DNS=direct does not work with Docker, and iptables is not installed by default in the container. I see you are one of the contributors to tun2proxy, so you may have an idea on how to ignore port 53 of UDP when using the DNS=direct option.

Thank you

github-actions[bot] commented 6 months ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days