xjasonlyu / tun2socks

tun2socks - powered by gVisor TCP/IP stack
https://github.com/xjasonlyu/tun2socks/wiki
GNU General Public License v3.0

[Bug] WARN[0004] [UDP] dial 8.8.8.8:53: client handshake: EOF #345

Closed shakibamoshiri closed 2 months ago

shakibamoshiri commented 3 months ago

Verify steps

Version

tun2socks-2.5.2

What OS are you seeing the problem on?

Linux

Description

The DNS request from the host machine (where tun2socks is running) seems to malfunction, and the socks5 server log says it is a zombie request. The request with curl gives a valid result, but the same request via tun2socks fails.

CLI or Config

make a tun interface

ip tuntap add dev tun77 mode tun
ip addr add 192.168.77.1/30 brd + dev tun77
ip link set tun77 up

run a local socks5 proxy via SSH

ssh -vvvNTCD 127.0.0.1:7373 REMOTE_SERVER

curl check

curl -v --socks5-hostname 127.0.0.1:7373 ip.homeip.ir

run tun2socks

tun2socks -loglevel debug -device tun77 -proxy socks5://127.0.0.1:7373

try to resolve a domain name or recheck with curl

dig ip.homeip.ir  # timeout 

curl ip.homeip.ir # timeout 

nameservers

cat /etc/resolv.conf
nameserver 8.8.8.8
nameserver 1.0.0.2

Logs

### tun2socks log

INFO[0000] [STACK] tun://tun77 <-> socks5://127.0.0.1:7373 
WARN[0001] [UDP] dial 8.8.8.8:53: client handshake: EOF 
WARN[0001] [UDP] dial 8.8.8.8:53: client handshake: EOF 
WARN[0001] [UDP] dial 8.8.8.8:53: client handshake: EOF 
WARN[0002] [UDP] dial 1.0.0.2:53: client handshake: EOF 
WARN[0006] [UDP] dial 1.0.0.2:53: client handshake: EOF 
WARN[0006] [UDP] dial 1.0.0.2:53: client handshake: EOF 
WARN[0007] [UDP] dial 8.8.8.8:53: client handshake: EOF 
WARN[0007] [UDP] dial 8.8.8.8:53: client handshake: EOF 
WARN[0007] [UDP] dial 8.8.8.8:53: client handshake: EOF 
WARN[0008] [UDP] dial 1.0.0.2:53: client handshake: EOF 
WARN[0012] [UDP] dial 1.0.0.2:53: client handshake: EOF 
WARN[0012] [UDP] dial 1.0.0.2:53: client handshake: EOF 
WARN[0013] [UDP] dial 8.8.8.8:53: client handshake: EOF 
WARN[0014] [UDP] dial 1.0.0.2:53: client handshake: EOF

### ssh log for valid request via curl --socks5-hostname 

...
...
debug1: channel 1: new [dynamic-tcpip]
debug2: channel 1: pre_dynamic: have 0
debug2: channel 1: pre_dynamic: have 4
debug2: channel 1: decode socks5
debug2: channel 1: socks5 auth done
debug2: channel 1: pre_dynamic: need more
debug2: channel 1: pre_dynamic: have 0
debug2: channel 1: pre_dynamic: have 19
debug2: channel 1: decode socks5
debug2: channel 1: socks5 post auth
debug2: channel 1: dynamic request: socks5 host ip.homeip.ir port 80 command 1

### ssh log for DNS query when tun2socks is up and running 

debug1: channel 2: new [dynamic-tcpip]
debug2: channel 1: pre_dynamic: have 3
debug2: channel 1: decode socks5
debug2: channel 1: socks5 auth done
debug2: channel 1: pre_dynamic: need more
debug2: channel 2: pre_dynamic: have 0
debug2: channel 1: pre_dynamic: have 0
debug2: channel 2: pre_dynamic: have 0
debug2: channel 1: pre_dynamic: have 10
debug2: channel 1: decode socks5
debug2: channel 1: socks5 post auth
debug2: channel 1: only socks5 connect supported
debug2: channel 1: zombie
debug2: channel 1: garbage collecting
debug1: channel 1: free: dynamic-tcpip, nchannels 3
debug3: channel 1: status: The following connections are open:
  #2 dynamic-tcpip (t13 nr0 i0/0 o0/0 e[closed]/0 fd 6/6/-1 sock 6 cc -1)

How to Reproduce

As mentioned above

shakibamoshiri commented 3 months ago

Reading the wiki tells us that we should set up our own DNS server on Linux (https://github.com/xjasonlyu/tun2socks/wiki/DNS-Configuration), but the provided link https://www.cyberciti.biz/faq/howto-linux-bsd-unix-set-dns-nameserver/ is not about a DNS server, it is about setting nameservers. Am I wrong or right? If a nameserver is needed, all Linux servers already have one; if a local DNS server is needed, the link/doc is incorrect?

shakibamoshiri commented 3 months ago

It seems the main issue is that UDP traffic is being forwarded to the socks5 server, which is SSH -D, and it does not support that. Trying to separate UDP traffic from TCP seems to be the solution. I will update the result here.
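The diagnosis above (an `ssh -D` SOCKS5 endpoint serves CONNECT but hangs up on the UDP ASSOCIATE that tun2socks needs for DNS, which the client then logs as `client handshake: EOF`) can be checked directly. This is an added example, not code from tun2socks or from anyone in the thread: a minimal SOCKS5 handshake probe plus a constructed, connect-only local proxy that mimics the behaviour visible in the ssh log; against a live proxy, the UDP ASSOCIATE probe is the one to run.

```python
import socket
import threading
SOCKS_VER = 0x05
CMD_CONNECT, CMD_UDP_ASSOCIATE = 0x01, 0x03
ANY_ADDR = bytes([0x01]) + b"\x00" * 6   # ATYP=IPv4, 0.0.0.0:0 (RFC 1928 UDP ASSOCIATE)

def _recv_exact(sock, n):
    """Read n bytes, stopping early at EOF (returns what arrived, possibly b"")."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf

def socks5_command_supported(host, port, cmd, timeout=3.0):
    """No-auth SOCKS5 handshake, then one command. Returns (accepted, detail)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(bytes([SOCKS_VER, 1, 0x00]))                # VER, NMETHODS, NO AUTH
        if _recv_exact(s, 2) != bytes([SOCKS_VER, 0x00]):
            return False, "method negotiation failed"
        s.sendall(bytes([SOCKS_VER, cmd, 0x00]) + ANY_ADDR)   # VER, CMD, RSV, DST
        reply = _recv_exact(s, 4)                             # VER, REP, RSV, ATYP
        if not reply:                                         # proxy hung up on us
            return False, "client handshake: EOF"
        if reply[1] != 0x00:
            return False, "rejected with REP=0x%02x" % reply[1]
        return True, "accepted"

def start_connect_only_proxy():
    """Constructed stand-in for `ssh -D`: answers CONNECT, closes without a reply otherwise."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                _recv_exact(conn, 3)                          # VER, NMETHODS, METHOD
                conn.sendall(bytes([SOCKS_VER, 0x00]))        # choose NO AUTH
                req = _recv_exact(conn, 10)                   # header + IPv4 + port
                if len(req) == 10 and req[1] == CMD_CONNECT:
                    conn.sendall(bytes([SOCKS_VER, 0x00, 0x00]) + ANY_ADDR)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]                               # ephemeral port
```

Running `socks5_command_supported("127.0.0.1", start_connect_only_proxy(), CMD_UDP_ASSOCIATE)` returns `(False, "client handshake: EOF")`, the same failure tun2socks reports; the CONNECT probe against the mock returns `(True, "accepted")`.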

xjasonlyu commented 3 months ago

Yeah, SSH is not an ideal proxy server, especially if you also want to forward UDP traffic.

shakibamoshiri commented 3 months ago

@xjasonlyu with iproute2 I somehow separated UDP traffic from TCP and could make it work, but opening sites like YouTube caused errors since there were many mixed UDP and TCP requests. I was seeing some

errors


On the other hand, I am curious about Android applications like

how do they make it work reliably and correctly? They use SSH and a local socks5 proxy and manage to forward the full traffic even on non-root devices, but not being able to make it work on Linux with root privileges is frustrating.

xjasonlyu commented 3 months ago

@shakibamoshiri I am not familiar with the applications you mentioned, but there are some approaches like UDP over TCP to solve this kind of problem. Also, most of the UDP traffic comes from DNS queries, so it can also be solved by using DoH or DoT, for example.

shakibamoshiri commented 3 months ago

They are Android applications that act like a VPN. They forward full traffic via a local socks5 proxy with the help of tun2socks libraries. The authentication is based on SSH; thus I thought of and wanted to test this setup on a Linux server. The only issue is the unsupported UDP forwarding of openssh-client.

A new test with wstunnel, which forwards UDP, with the same setup works correctly. I saw no UDP WARN:

INFO[0003] [UDP] 192.168.77.2:32999 <-> 8.8.8.8:53      
INFO[0003] [UDP] 192.168.77.2:33984 <-> 8.8.8.8:53      
INFO[0003] [TCP] 192.168.77.2:57392 <-> 66.102.1.188:5228 
INFO[0004] [UDP] 192.168.77.2:57970 <-> 1.1.1.2:53      
INFO[0004] [UDP] 192.168.77.2:55235 <-> 1.1.1.2:53      
INFO[0004] [UDP] 192.168.77.2:51407 <-> 1.1.1.2:53      
INFO[0004] [UDP] 192.168.77.2:35074 <-> 1.1.1.2:53      
INFO[0004] [UDP] 192.168.77.2:51001 <-> 1.1.1.2:53      
INFO[0004] [UDP] 192.168.77.2:34543 <-> 1.1.1.2:53      
INFO[0005] [UDP] 192.168.77.2:33333 <-> 1.1.1.2:53      
INFO[0005] [UDP] 192.168.77.2:37457 <-> 1.1.1.2:53      
INFO[0005] [UDP] 192.168.77.2:42162 <-> 1.1.1.2:53      
INFO[0005] [UDP] 192.168.77.2:59906 <-> 1.1.1.2:53      
INFO[0005] [UDP] 192.168.77.2:40178 <-> 1.1.1.2:53      
INFO[0008] [UDP] 192.168.77.2:42124 <-> 1.1.1.2:53      
INFO[0008] [UDP] 192.168.77.2:55277 <-> 1.1.1.2:53      
INFO[0008] [UDP] 192.168.77.2:39736 <-> 1.1.1.2:53      
INFO[0008] [UDP] 192.168.77.2:42508 <-> 1.1.1.2:53      
INFO[0008] [UDP] 192.168.77.2:60137 <-> 1.1.1.2:53      
INFO[0008] [UDP] 192.168.77.2:50307 <-> 1.1.1.2:53 

Hope I find some time to update your wiki/tutorial and give a full setup so no others blame tun2socks as the source of the issue.

Thanks

shakibamoshiri commented 3 months ago

@xjasonlyu how can I update the wiki or add some real setup? At the moment I am testing

[ wg-client ] =====> [ hop-1 wg-server + tun2socks + ws-tunnel ] <===== [ hop-2 ws-tunnel ] =====> Free Internet 

It works even though it is slow, but it gives the point of a full setup.

ws-tunnel is slow

shahradelahi commented 3 months ago

Hello @shakibamoshiri,

I had a similar issue with the DNS resolver. I was using Shadowsocks as the proxy server, which uses TCP by default. However, the DNS resolver on my system was using UDP, which was causing the problem.

If your proxy server doesn't support UDP connections, I highly suggest changing the DNS resolver configuration.

For Linux users, a workaround is to add the following line to the /etc/resolv.conf file:

options use-vc

https://man7.org/linux/man-pages/man5/resolv.conf.5.html

Please let me know if this helped you.

shakibamoshiri commented 3 months ago

> Hello @shakibamoshiri,
>
> I had a similar issue with the DNS resolver. I was using Shadowsocks as the proxy server, which uses TCP by default. However, the DNS resolver on my system was using UDP, which was causing the problem.
>
> If your proxy server doesn't support UDP connections, I highly suggest changing the DNS resolver configuration.
>
> For Linux users, a workaround is to add the following line to the /etc/resolv.conf file:
>
> options use-vc
>
> https://man7.org/linux/man-pages/man5/resolv.conf.5.html
>
> Please let me know if this helped you.

Hi, actually I found that the main issue is the socks5 (implemented by openssh), not tun2socks.
Also it is not just the DNS request; opening YouTube, for example, would cause many errors.
The right solution is to use a socks5 server that supports TCP and UDP. Testing these tools showed no errors.

Thank you for the reply