[Bug] Cannot connect to WG intranet services after enabling TUN #1819

Open
9 tasks done
eli-yip opened this issue Jan 31, 2025 · 0 comments
Labels
bug Something isn't working

Comments

eli-yip commented Jan 31, 2025

Verification steps

  • I have read the documentation and understand the meaning of every configuration item I wrote, rather than piling up seemingly useful options or default values.
  • I have read the documentation carefully and it did not resolve the problem.
  • I have searched the Issue Tracker for the problem I am reporting and did not find it.
  • I am a Chinese-speaking user, not a user of another language.
  • I have tested with the latest Alpha branch version and the problem still exists.
  • I have provided server and client configuration files and the procedure needed to reproduce the problem locally, rather than a redacted, complex client configuration file.
  • I have provided the minimal configuration that reproduces the reported error, rather than relying on a remote server or piling up large amounts of configuration that is useless for reproduction.
  • I have provided the complete log, rather than only the parts I considered useful out of confidence in my own intelligence.
  • I reproduced the error directly with the Mihomo command-line program, not with other tools or scripts.

Operating system

Linux

System version

Ubuntu Server 22.04

Mihomo version

Mihomo Meta v1.19.1 linux amd64 with go1.23.4 Tue Dec 31 16:58:30 UTC 2024
Use tags: with_gvisor

Configuration file

hc: &hc
  type: http
  interval: 86400
  health-check:
    enable: true
    url: https://cp.cloudflare.com
    interval: 300
    timeout: 1000
    tolerance: 100

proxy-providers:
  my-proxy:
    <<: *hc
    url: ""
    override:
      additional-prefix: "[my-proxy]"

proxies:
  - name: "WG"
    type: direct
    udp: true
    interface-name: wg0
    routing-mark: 6667

mode: rule
log-level: debug
mixed-port: 7890
ipv6: true
allow-lan: true
unified-delay: true
tcp-concurrent: true
external-controller: 0.0.0.0:9090
external-ui: ui
external-ui-url: "https://github.com/MetaCubeX/metacubexd/archive/refs/heads/gh-pages.zip"

geodata-loader: standard
geo-auto-update: true
geo-update-interval: 24
geox-url:
  geoip: "https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geoip.dat"
  geosite: "https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geosite.dat"
  mmdb: "https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/country.mmdb"

find-process-mode: strict
global-client-fingerprint: random

profile:
  store-selected: true
  store-fake-ip: true

sniffer:
  enable: true
  sniff:
    HTTP:
      ports: [80, 8080-8880]
      override-destination: true
    TLS:
      ports: [443, 8443]
    QUIC:
      ports: [443, 8443]
  skip-domain:
    - "Mijia Cloud"
    - "+.push.apple.com"

tun:
  enable: true
  stack: mixed
  dns-hijack:
    - "any:53"
    - "tcp://any:53"
  auto-route: true
  auto-redirect: true
  auto-detect-interface: true

dns:
  enable: true
  ipv6: true
  # listen: 0.0.0.0:1059
  respect-rules: true
  enhanced-mode: fake-ip
  fake-ip-filter:
    - "*"
    - "+.lan"
    - "+.local"
    - "+.market.xiaomi.com"
  default-nameserver:
    - 223.5.5.5
  nameserver:
    - 223.5.5.5
    - 119.29.29.29
  proxy-server-nameserver:
    - https://120.53.53.53/dns-query
    - https://223.5.5.5/dns-query
  nameserver-policy:
    "geosite:cn,private":
      - https://120.53.53.53/dns-query
      - https://223.5.5.5/dns-query
    "geosite:!cn,!private":
      - "https://dns.cloudflare.com/dns-query"
      - "https://dns.google/dns-query"

proxy-groups:
  - name: Default
    type: select
    proxies: [低倍率, 自动选择, DIRECT, 全部节点]

  - name: 低倍率
    type: url-test
    include-all: true
    filter: "实验性|日用|0.20x"

  - name: 全部节点
    type: select
    include-all: true

  - name: 自动选择
    type: url-test
    include-all: true
    tolerance: 10

rules:
  - GEOSITE,CN,DIRECT
  - IP-CIDR,10.88.10.0/24,WG
  - GEOIP,CN,DIRECT
  - IP-CIDR,10.0.0.0/8,DIRECT
  - IP-CIDR,172.16.0.0/12,DIRECT
  - IP-CIDR,192.168.0.0/16,DIRECT
  - IP-CIDR,100.64.0.0/10,DIRECT
  - IP-CIDR,127.0.0.0/8,DIRECT
  - MATCH,Default

Description

When running WireGuard and mihomo at the same time, I can ping other WireGuard nodes, but I cannot access services whose DNS result is this machine's own WireGuard IP.

For example, in the Cloudflare DNS panel I resolve test.mydomain.com to 10.88.10.2 (this machine's WireGuard IP). Running curl -I https://test.mydomain.com shows:

$ curl -I https://test.mydomain.com
curl: (35) error:0A000126:SSL routines::unexpected eof while reading

If mihomo is stopped, the URL is accessible:

$ curl -I https://test.mydomain.com
HTTP/2 200
alt-svc: h3=":443"; ma=2592000
date: Fri, 31 Jan 2025 11:49:33 GMT

The mihomo log is as follows:

DEBU[2025-01-31T19:42:06.685828117+08:00] [DNS] cache hit test.example.com --> [10.88.10.2] A, expire at 2025-01-31 19:46:35
DEBU[2025-01-31T19:42:06.685892516+08:00] [DNS] cache hit test.example.com --> [] AAAA, expire at 2025-01-31 20:11:35
WARN[2025-01-31T19:42:06.686233999+08:00] [TCP] dial WG (match IPCIDR/10.88.10.0/24) 198.18.0.1:60764 --> test.example.com:443 error: dial tcp 10.88.10.2:443: connect: no route to host

As can be seen, mihomo resolved the IP correctly but could not route to it. This is my routing table information:

$ ip rule
0:      from all lookup local
9000:   from all to 198.18.0.0/30 lookup 2022
9001:   not from all dport 53 lookup main suppress_prefixlength 0
9001:   from all ipproto icmp goto 9010
9001:   from all iif Meta goto 9010
9002:   not from all iif lo lookup 2022
9002:   from 0.0.0.0 iif lo lookup 2022
9002:   from 198.18.0.0/30 iif lo lookup 2022
9010:   from all nop
32766:  from all lookup main
32767:  from all lookup default

$ ip route show table 2022
default via 198.18.0.2 dev Meta

$ ip route show table main
default via 192.168.5.1 dev eno1 proto dhcp src 192.168.5.20 metric 100
10.88.10.0/24 dev wg0 proto kernel scope link src 10.88.10.2
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.18.0.0/16 dev br-cedacbabdb88 proto kernel scope link src 172.18.0.1
172.19.0.0/16 dev br-7c2769437b03 proto kernel scope link src 172.19.0.1
172.20.0.0/16 dev br-2b1827af5547 proto kernel scope link src 172.20.0.1
172.21.0.0/16 dev br-9e904fb55376 proto kernel scope link src 172.21.0.1
192.168.5.0/24 dev eno1 proto kernel scope link src 192.168.5.20 metric 100
192.168.5.1 dev eno1 proto dhcp scope link src 192.168.5.20 metric 100
198.18.0.0/30 dev Meta proto kernel scope link src 198.18.0.1

$ ip addr show dev Meta
469: Meta: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 9000 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 198.18.0.1/30 brd 198.18.0.3 scope global Meta
       valid_lft forever preferred_lft forever
    inet6 fdfe:dcba:9876::1/126 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::d449:781:4ee3:75f8/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

I originally used Clash, also in TUN mode, without configuring an extra proxy for WireGuard. The routing table under Clash was:

$ ip rule
0:      from all lookup local
9500:   not from all dport 53 lookup main suppress_prefixlength 0
9510:   not from all iif lo lookup 1970566510
9520:   from 0.0.0.0 iif lo uidrange 0-4294967294 lookup 1970566510
9530:   from 198.18.0.1 iif lo uidrange 0-4294967294 lookup 1970566510
32766:  from all lookup main
32767:  from all lookup default

$ ip route show table 1970566510
default dev utun proto static

$ ip route show table main
default via 192.168.5.1 dev eno1 proto dhcp src 192.168.5.20 metric 100
10.88.10.0/24 dev wg0 proto kernel scope link src 10.88.10.2
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.18.0.0/16 dev br-cedacbabdb88 proto kernel scope link src 172.18.0.1
172.19.0.0/16 dev br-7c2769437b03 proto kernel scope link src 172.19.0.1
172.20.0.0/16 dev br-2b1827af5547 proto kernel scope link src 172.20.0.1
172.21.0.0/16 dev br-9e904fb55376 proto kernel scope link src 172.21.0.1
192.168.5.0/24 dev eno1 proto kernel scope link src 192.168.5.20 metric 100
192.168.5.1 dev eno1 proto dhcp scope link src 192.168.5.20 metric 100
198.18.0.0/16 dev utun proto kernel scope link src 198.18.0.1

My WireGuard status:

$ sudo wg
interface: wg0
  public key:/cf8ETXrI+KNicwretIThUGMWXM=
  private key: (hidden)
  listening port: 40186

peer: 
  endpoint: :51280
  allowed ips: 10.88.10.15/32
  latest handshake: 6 seconds ago
  transfer: 16.69 KiB received, 47.96 KiB sent
  persistent keepalive: every 25 seconds

peer:/6GjfqGeWbkq5nAhdOFc=
  endpoint: :28386
  allowed ips: 10.88.10.1/32
  latest handshake: 18 seconds ago
  transfer: 525.88 KiB received, 54.70 KiB sent
  persistent keepalive: every 25 seconds

peer: /uCrlowIb409T2dDg=
  endpoint: :51280
  allowed ips: 10.88.10.11/32, 10.88.10.12/32, 10.88.10.14/32
  latest handshake: 10 minutes, 47 seconds ago
  transfer: 604 B received, 16.37 KiB sent
  persistent keepalive: every 25 seconds

I have already added a proxy named WG following #1728 (see the configuration file above), but it did not help.

Steps to reproduce

As above.

Logs

As above.
eli-yip added the bug label on Jan 31, 2025
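An added triage helper, written for this page and not taken from the issue or from mihomo itself: it replays, against a subset of the main routing table and the IP-CIDR rules posted above, what the log line shows, namely that 10.88.10.2 is matched by a rule whose outbound is the interface-bound WG proxy while also being wg0's own source address on this host. The GEOSITE/GEOIP rules are skipped because they need external databases, and the routing table is embedded so the check runs offline.

```python
import ipaddress

# Subset of the `ip route show table main` output posted in the issue.
MAIN_TABLE = """\
default via 192.168.5.1 dev eno1 proto dhcp src 192.168.5.20 metric 100
10.88.10.0/24 dev wg0 proto kernel scope link src 10.88.10.2
192.168.5.0/24 dev eno1 proto kernel scope link src 192.168.5.20 metric 100
198.18.0.0/30 dev Meta proto kernel scope link src 198.18.0.1
"""

# IP-CIDR and MATCH rules from the posted config, in order. The GEOSITE/GEOIP
# rules need external databases, so this offline check deliberately skips them.
MIHOMO_RULES = [
    "IP-CIDR,10.88.10.0/24,WG",
    "IP-CIDR,10.0.0.0/8,DIRECT",
    "IP-CIDR,172.16.0.0/12,DIRECT",
    "IP-CIDR,192.168.0.0/16,DIRECT",
    "MATCH,Default",
]

def parse_routes(text):
    """Parse `ip route` lines into (network, dev, src) tuples."""
    routes = []
    for line in text.strip().splitlines():
        f = line.split()
        net = ipaddress.ip_network("0.0.0.0/0" if f[0] == "default" else f[0], strict=False)
        src = f[f.index("src") + 1] if "src" in f else None
        routes.append((net, f[f.index("dev") + 1], src))
    return routes

def lookup(dst, routes):
    """Kernel-style longest-prefix match within one table; returns (dev, src) or None."""
    ip = ipaddress.ip_address(dst)
    best = max((r for r in routes if ip in r[0]), key=lambda r: r[0].prefixlen, default=None)
    return (best[1], best[2]) if best else None

def match_rule(dst, rules=MIHOMO_RULES):
    """First mihomo rule that matches dst: IP-CIDR rules in order, then MATCH."""
    ip = ipaddress.ip_address(dst)
    for rule in rules:
        kind, *rest = rule.split(",")
        if kind == "MATCH" or (kind == "IP-CIDR" and ip in ipaddress.ip_network(rest[0])):
            return rule
    return None

def triage(dst, routes=None):
    # Egress device, matching mihomo rule, and whether dst is this host's own address on that link.
    hop = lookup(dst, parse_routes(MAIN_TABLE) if routes is None else routes)
    return {"dev": hop[0] if hop else None, "rule": match_rule(dst),
            "host_local": hop is not None and hop[1] == dst}
```

For the address in the log, `triage("10.88.10.2")` reports the WG rule, egress wg0, and host_local True, while a real peer such as 10.88.10.15 hits the same rule with host_local False.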