[Bug] Kernel wireguard outbound does not work when TUN is enabled #1728

Closed
8 of 9 tasks
qiangxinglin opened this issue Dec 18, 2024 · 1 comment
Labels
invalid This doesn't seem right

Comments

@qiangxinglin

qiangxinglin commented Dec 18, 2024

Verify steps

  • I have read the documentation and understand the meaning of all the configuration items I have written, rather than just piling up seemingly useful options or default values.
  • I have carefully reviewed the documentation and have not resolved the issue.
  • I have searched the Issue Tracker for the issue I want to raise and did not find it.
  • I am a non-Chinese user.
  • I have tested with the latest Alpha branch version, and the issue still persists.
  • I have provided the server and client configuration files and processes that can reproduce the issue locally, rather than a sanitized complex client configuration file.
  • I provided the simplest configuration that can be used to reproduce the errors in my report, rather than relying on remote servers or piling on a lot of unnecessary configurations for reproduction.
  • I have provided complete logs, rather than just the parts I think are useful out of confidence in my own intelligence.
  • I have directly reproduced the error using the Mihomo command-line program, rather than using other tools or scripts.

Operating System

Linux

System Version

Linux 5.15.163-1.el7.x86_64

Mihomo Version

Mihomo Meta v1.19.0 linux amd64 with go1.20.14 Mon Dec 9 09:51:29 UTC 2024
Use tags: with_gvisor

Configuration File

mixed-port: 7890
allow-lan: true
bind-address: '*'
mode: rule
log-level: info

dns:
  enable: true
  ipv6: false
  listen: 127.0.0.1:53
  default-nameserver:
    - 223.5.5.5
    - 8.8.8.8
  enhanced-mode: redir-host
  nameserver:
    - https://223.5.5.5/dns-query
    - tls://101.101.101.101:853
    - https://1.12.12.12/dns-query
  fallback:
    - tcp://208.67.222.222:443
    - tls://dns.google

sniffer:
  enable: true
  force-dns-mapping: true
  parse-pure-ip: true
  sniff:
    HTTP:
      ports: [80, 8080-8880]
    TLS:
      ports: [443, 8443]
    QUIC:
      ports: [443, 8443]

tun:
  enable: true
  stack: mixed
  auto-route: true
  auto-redirect: true
  auto-detect-interface: true
  dns-hijack:
    - udp://any:53
  device: utun0
  strict-route: false
  udp-timeout: 300
  endpoint-independent-nat: false
  route-exclude-address:
  - 10.0.0.0/8
  - 100.64.0.0/10
  - 172.16.0.0/12
  - 192.168.0.0/16
  - fc00::/7
  include-uid:
  - 1020

proxies:
  - {name: socks, server: 192.168.50.1, port: 23456, type: socks5, udp: true}

proxy-groups:
  - name: PROXY
    type: select
    proxies:
      - socks
  - name: Others
    type: select
    proxies:
      - PROXY
      - DIRECT

rules:
  - GEOIP,LAN,DIRECT
  - GEOIP,CN,DIRECT
  - MATCH,Others

Description

The system already has a kernel-level WireGuard NIC set up.

> wg
interface: wg0
  public key: HIDDEN
  private key: (hidden)
  listening port: 51820

peer: HIDDEN
  endpoint: HIDDEN
  allowed ips: 192.168.2.2/32

peer: HIDDEN
  endpoint: HIDDEN
  allowed ips: 192.168.2.3/32, 192.168.50.0/24, 100.64.0.0/10

> ip route
default via 10.0.2.1 dev bond0 proto static metric 300
10.0.2.0/24 dev bond0 proto kernel scope link src 10.0.2.23 metric 300
100.64.0.0/10 dev wg0 scope link
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
OMIT SOME DOCKER BRIDGE
192.168.2.0/24 dev wg0 proto kernel scope link src 192.168.2.1
192.168.50.0/24 dev wg0 scope link
198.18.0.0/30 dev utun0 proto kernel scope link src 198.18.0.1

I want to use the proxy (socks5) that has already been set up on host 192.168.50.1:23456. So without Meta, I can successfully run
curl -x socks5://192.168.50.1:23456 https://www.google.com

Now, the problem is, the Linux server is a shared resource with others, so I'd like to create a TUN device only for myself (tun.include-uid).
So I tried to use the tun module on Meta with the above configuration. If I do not enable the tun module, the proxy through the external WireGuard socks5 works fine (I can verify it by testing the latency on the metacubexd dashboard). But when I enable the tun, the socks proxy does not work. I have already excluded the WireGuard routes by specifying tun.route-exclude-address.

Reproduction Steps

See above

Logs

level=warning msg="[TCP] dial Others (match Match/) 192.168.2.2:58498 --> 8.8.8.8:853 error: 192.168.50.1:23456 connect error: connect failed: dial tcp 192.168.50.1:23456: i/o timeout"
level=warning msg="[TCP] dial PROXY (match RuleSet/proxy) 192.168.2.2:53110 --> dns.cloudflare.com:443 error: 192.168.50.1:23456 connect error: connect failed: dial tcp 192.168.50.1:23456: i/o timeout"
qiangxinglin added the bug (Something isn't working) label Dec 18, 2024

@xishang0128 (Contributor) commented

https://wiki.metacubex.one/en/config/proxies/#interface-name

It seems you haven't fully reviewed the document.

xishang0128 added the invalid (This doesn't seem right) label and removed the bug (Something isn't working) label Dec 20, 2024
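As an added example (not code from the issue or from the mihomo project), here is the reporter's socks5 proxy entry beside the same entry with the per-proxy `interface-name` option that the linked documentation describes. The assumption, based on the reporter's `wg` and `ip route` output, is that 192.168.50.1 is reachable only through the kernel WireGuard interface `wg0`, and that with TUN enabled the outbound dial for the proxy is otherwise bound to the interface `auto-detect-interface` selects (the default-route interface, `bond0` here) rather than to `wg0`, which would explain the `i/o timeout` in the logs. The option pins the dial for this one proxy to `wg0` without touching the TUN routes.

```yaml
# Added example; not the reporter's config nor mihomo project code.
# Assumption: the kernel WireGuard interface is named wg0 (as in the
# reporter's `wg` output) and 192.168.50.1 is only routable via wg0.

# Before: the dial to 192.168.50.1:23456 uses whatever interface
# mihomo selects globally (auto-detect-interface: true -> default-route
# interface). Nothing ties this proxy to wg0.
proxies:
  - {name: socks, server: 192.168.50.1, port: 23456, type: socks5, udp: true}
---
# After: bind the outbound dial for this proxy to wg0 only.
# interface-name is the per-proxy option documented at
# https://wiki.metacubex.one/en/config/proxies/#interface-name
proxies:
  - name: socks
    type: socks5
    server: 192.168.50.1
    port: 23456
    udp: true
    interface-name: wg0
```

Before changing the config, confirm from the host that the proxy is reachable when the dial is pinned to the WireGuard interface, e.g. `curl --interface wg0 -x socks5://192.168.50.1:23456 https://www.google.com`; if that succeeds while the same command without `--interface` fails once TUN is up, the interface binding is the missing piece.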