Dokodemo UDP转发导致断流 #1432
Comments
|
很多isp对udp会进行qos。 |
|
这个现象不是ISP对UDP进行QoS的原因。VMess 是基于 TCP 的协议,对于 UDP 包 V2Ray 会转成 TCP 再传输。 |
|
@Git-XiaoQin 对于 UDP 包 V2Ray 会转成 TCP 再传输?哪不是更慢? |
|
补充下情况:当开启UDP转发时,UDP包确实转发出去了,验证方式: dig www.youtube.com @8.8.8.8Youtube 启用了QUIC传输,不过有问题导致连接异常,过段时间浏览器主动切断QUIC渐渐恢复正常。 |
|
建议关闭Chrome的QUIC支持。 https://halfrost.com/quic_start/ 参考:三. 实现 QUIC 前置条件 |
|
相同问题参考:https://github.com/wangyu-/UDPspeeder/issues/126 ip route add local default dev lo table 100
ip rule add fwmark 1 lookup 100
iptables -t mangle -N V2RAYUDP
iptables -t mangle -A V2RAYUDP -d 0.0.0.0/8 -j RETURN
iptables -t mangle -A V2RAYUDP -d 10.0.0.0/8 -j RETURN
iptables -t mangle -A V2RAYUDP -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A V2RAYUDP -d 169.254.0.0/16 -j RETURN
iptables -t mangle -A V2RAYUDP -d 172.16.0.0/12 -j RETURN
iptables -t mangle -A V2RAYUDP -d 192.168.0.0/16 -j RETURN
iptables -t mangle -A V2RAYUDP -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A V2RAYUDP -d 240.0.0.0/4 -j RETURN
iptables -t mangle -A V2RAYUDP -p udp --dport 443 -j DROP
iptables -t mangle -A V2RAYUDP -p udp -j TPROXY --on-port 1066 --tproxy-mark 0x01/0x01
iptables -t mangle -A PREROUTING -p udp -j V2RAYUDP{
"protocol": "dokodemo-door",
"port": 1066,
"settings": {
"network": "udp",
"timeout": 0,
"followRedirect": true,
"sockopt": {
"tproxy": "tproxy"
}
}
} |
|
redsocks没有这样的问题。 |
可以,用TPROXY转发流量到redsocks,redsocks发往v2ray |
|
这边也出现了这个问题,从 tun2socks 改成 TPROXY 配置之后 UDP 就开始断流,Android 的 YouTube 和 Google 搜索都无法使用,Whatsapp 的语音通话也会在连接几秒后中断。 {
"log": {
"loglevel": "warning",
"error": "",
"access": ""
},
"inbound": {
"port": 1080,
"listen": "0.0.0.0",
"protocol": "socks",
"sniffing": {
"enabled": false
},
"settings": {
"auth": "noauth",
"udp": true
}
},
"inboundDetour": [{
"port": 3128,
"listen": "0.0.0.0",
"protocol": "http",
"sniffing": {
"enabled": false
},
"settings": {
"accounts": [],
"allowTransparent": false
}
}, {
"port": 11111,
"listen": "127.0.0.1",
"protocol": "dokodemo-door",
"sniffing": {
"enabled": false
},
"settings": {
"network": "tcp,udp",
"followRedirect": true
},
"streamSettings": {
"sockopt": {
"tproxy": "tproxy",
"mark": 2
}
}
}, {
"port": 22222,
"listen": "127.0.0.1",
"protocol": "dokodemo-door",
"sniffing": {
"enabled": false
},
"settings": {
"network": "tcp,udp",
"followRedirect": true
},
"streamSettings": {
"sockopt": {
"tproxy": "redirect",
"mark": 2
}
}
}],
"routing": {
"strategy": "rules",
"settings": {
"domainStrategy": "AsIs",
"rules": [{
"type": "field",
"port": "17300",
"network": "tcp",
"outboundTag": "udpgw"
}, {
"type": "field",
"ip": ["geoip:cn"],
"outboundTag": "direct"
}, {
"type": "field",
"ip": ["10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12"],
"outboundTag": "blackhole"
}, {
"type": "field",
"network": "udp",
"port": "53",
"outboundTag": "dns"
}, {
"type": "field",
"network": "udp",
"port": "443",
"outboundTag": "blackhole"
}, {
"type": "field",
"network": "udp",
"outboundTag": "udpgw"
}]
}
},
"outbound": {
"mux": {
"enabled": false
},
"protocol": "vmess",
"settings": {
"vnext": [
{
"address": "${V2RAY_SERVER}",
"port": 443,
"users": [
{
"id": "${V2RAY_USER_ID}",
"alterId": ${V2RAY_ALTER_ID}
}
]
}
]
},
"streamSettings": {
"network": "ws",
"security": "tls",
"sockopt": {
"mark": 2
},
"tlsSettings": {
"serverName": "${V2RAY_TLS_SERVER_NAME}"
},
"wsSettings":{
"path": "${V2RAY_WS_PATH}",
"headers": {
"Host": "${V2RAY_TLS_SERVER_NAME}"
}
}
}
},
"outboundDetour": [{
"mux": {
"concurrency": ${V2RAY_MUX_CONCURRENCY},
"enabled": ${V2RAY_MUX}
},
"tag": "dns",
"protocol": "vmess",
"settings": {
"vnext": [
{
"address": "${V2RAY_SERVER}",
"port": 443,
"users": [
{
"id": "${V2RAY_USER_ID}",
"alterId": ${V2RAY_ALTER_ID}
}
]
}
]
},
"streamSettings": {
"network": "ws",
"security": "tls",
"sockopt": {
"mark": 2
},
"tlsSettings": {
"serverName": "${V2RAY_TLS_SERVER_NAME}"
},
"wsSettings":{
"path": "${V2RAY_WS_PATH}",
"headers": {
"Host": "${V2RAY_TLS_SERVER_NAME}"
}
}
}
}, {
"mux": {
"concurrency": ${V2RAY_MUX_CONCURRENCY},
"enabled": ${V2RAY_MUX}
},
"tag": "udpgw",
"protocol": "vmess",
"settings": {
"vnext": [
{
"address": "${V2RAY_SERVER}",
"port": 443,
"users": [
{
"id": "${V2RAY_USER_ID}",
"alterId": ${V2RAY_ALTER_ID}
}
]
}
]
},
"streamSettings": {
"network": "ws",
"security": "tls",
"sockopt": {
"mark": 2
},
"tlsSettings": {
"serverName": "${V2RAY_TLS_SERVER_NAME}"
},
"wsSettings":{
"path": "${V2RAY_WS_PATH}",
"headers": {
"Host": "${V2RAY_TLS_SERVER_NAME}"
}
}
}
}, {
"tag": "blackhole",
"protocol": "blackhole"
}, {
"tag": "direct",
"protocol": "freedom",
"streamSettings": {
"sockopt": {
"mark": 2
}
}
}]
}启动脚本: #!/bin/bash
set -eu
IPT=$(which iptables)
function iptables {
set -eu
$IPT -w 15 "$@"
}
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X
iptables -t mangle -A INPUT -m pkttype --pkt-type broadcast -j DROP
iptables -t mangle -A FORWARD -m pkttype --pkt-type broadcast -j DROP
iptables -t mangle -A OUTPUT -m pkttype --pkt-type broadcast -j DROP
iptables -t mangle -A PREROUTING -m pkttype --pkt-type broadcast -j DROP
iptables -P INPUT DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
ip route flush table 100
ip route replace local default dev lo table 100
ip rule del fwmark 1 lookup 100 || true
ip rule add fwmark 1 lookup 100
iptables -t nat -N V2RAY
iptables -t mangle -N V2RAY
iptables -t mangle -N V2RAY_MARK
iptables -t nat -A V2RAY -m mark --mark 2 -j RETURN
# Ignore LANs and any other addresses you'd like to bypass the proxy
# See Wikipedia and RFC5735 for full list of reserved networks.
function add_exclude {
set -eu
iptables -t nat -A V2RAY -d $1 -j RETURN
iptables -t mangle -A V2RAY_MARK -d $1 -j RETURN
}
add_exclude 0.0.0.0/8
add_exclude 10.0.0.0/8
add_exclude 127.0.0.0/8
# GCP uses 169.254.169.254 as DNS
# add_exclude 169.254.0.0/16
add_exclude 172.16.0.0/12
add_exclude 192.168.0.0/16
add_exclude 224.0.0.0/4
add_exclude 240.0.0.0/4
iptables -t mangle -A V2RAY -m addrtype --dst-type LOCAL -j RETURN
iptables -t mangle -A V2RAY -p udp -m udp --dport 443 -j DROP
# Anything else should be redirected to Dokodemo-door's local port
iptables -t nat -A V2RAY -p tcp -j REDIRECT --to-ports 22222
iptables -t mangle -A V2RAY -p tcp -j TPROXY --on-port 11111 --on-ip 127.0.0.1 --tproxy-mark 0x01/0x01
iptables -t mangle -A V2RAY -p udp -j TPROXY --on-port 11111 --on-ip 127.0.0.1 --tproxy-mark 0x01/0x01
iptables -t mangle -A V2RAY_MARK -m mark --mark 2 -j RETURN
iptables -t mangle -A V2RAY_MARK -p udp -m udp --dport 443 -j DROP
iptables -t mangle -A V2RAY_MARK -j MARK --set-mark 1
# Apply the rules
iptables -t nat -A OUTPUT -j V2RAY
iptables -t mangle -A PREROUTING -j V2RAY
iptables -t mangle -A OUTPUT -p udp -j V2RAY_MARK
cd /opt
if [ ! -n "$V2RAY_TLS_SERVER_NAME" ]; then
export V2RAY_TLS_SERVER_NAME="$V2RAY_SERVER"
fi
envsubst < config.json.template > config.json
exec v2ray -config config.json
|
试试楼上的方案:TPRoxy-> RedSocks -> V2Ray |
可以的话我希望不要加入其它工具,不然直接用 tun2socks 就可以了。 |
|
我大概找到原因了,稍后会发 PR 或者另一个 issue。 |
|
@SAPikachu 有解决方案了吗? |
|
最新的build應該是修復了,不過我沒有測試過。我自己用的補丁沒有通過PR。
…On Fri, Feb 15, 2019, 15:19 Tomas ***@***.***> wrote:
@SAPikachu <https://github.com/SAPikachu> 有解决方案了吗?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1432 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAn6AF7Z_orGsxsCYO3fRKYTDoEpUQR9ks5vNl9jgaJpZM4YxvsY>
.
|
我刚测试了,还是一样的问题,用最新的Core在我的MacOS Mojave上测试的,一样的UDP只能到几百Kbps的速度。 |
|
是速度上不去還是斷流?這裡處理的是斷流問題,如果只是不能滿速的話可能是別的原因。
…On Mon, Feb 18, 2019, 15:25 Tomas ***@***.***> wrote:
最新的build應該是修復了,不過我沒有測試過。我自己用的補丁沒有通過PR。
… <#m_-7474245154498548698_>
On Fri, Feb 15, 2019, 15:19 Tomas ***@***.***> wrote: @SAPikachu
<https://github.com/SAPikachu> https://github.com/SAPikachu 有解决方案了吗? —
You are receiving this because you were mentioned. Reply to this email
directly, view it on GitHub <#1432 (comment)
<#1432 (comment)>>,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AAn6AF7Z_orGsxsCYO3fRKYTDoEpUQR9ks5vNl9jgaJpZM4YxvsY
.
我刚测试了,还是一样的问题,用最新的Core在我的MacOS Mojave上测试的,一样的UDP只能到几百Kbps的速度。
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1432 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAn6AKSW3NXxmQ1QXCbdk5w3ybTMG43Tks5vOlWDgaJpZM4YxvsY>
.
|
是速度上不去。ss + kcp可以到30Mbps,v2ray mKCP / QUIC,只能到15Kbps 然而,相同的配置,在Linux和Windows上面都是好的,就是在MacOS上有问题。可以看我的Bug Report #1527 |
|
哦,這個issue處理的是dokodemo的問題,如果我沒有搞錯的話和Mac應該是不相關的。
…On Mon, Feb 18, 2019, 17:07 Tomas ***@***.***> wrote:
是速度上不去還是斷流?這裡處理的是斷流問題,如果只是不能滿速的話可能是別的原因。
… <#m_-6191739884931831827_>
On Mon, Feb 18, 2019, 15:25 Tomas ***@***.***> wrote:
最新的build應該是修復了,不過我沒有測試過。我自己用的補丁沒有通過PR。 … <#m_-7474245154498548698_> On Fri,
Feb 15, 2019, 15:19 Tomas ***@***.***> wrote: @SAPikachu
<https://github.com/SAPikachu> https://github.com/SAPikachu
https://github.com/SAPikachu 有解决方案了吗? — You are receiving this because
you were mentioned. Reply to this email directly, view it on GitHub <#1432
<#1432> (comment) <#1432
(comment)
<#1432 (comment)>>>,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AAn6AF7Z_orGsxsCYO3fRKYTDoEpUQR9ks5vNl9jgaJpZM4YxvsY
. 我刚测试了,还是一样的问题,用最新的Core在我的MacOS Mojave上测试的,一样的UDP只能到几百Kbps的速度。 — You are
receiving this because you were mentioned. Reply to this email directly,
view it on GitHub <#1432 (comment)
<#1432 (comment)>>,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AAn6AKSW3NXxmQ1QXCbdk5w3ybTMG43Tks5vOlWDgaJpZM4YxvsY
.
是速度上不去。ss + kcp可以到30Mbps,v2ray mKCP / QUIC,只能到15Kbps
在fast.com上测试的结果。很奇怪的是,上传是OK的,就是下载有问题。也就是Downlink有问题。
然而,相同的配置,在Linux和Windows上面都是好的,就是在MacOS上有问题。可以看我的Bug Report #1527
<#1527>
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1432 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAn6AJa6GdEeeSMbd9F4lmitJLbMV4SJks5vOm1JgaJpZM4YxvsY>
.
|
不是和Mac有关,而是和UDP有关。我在Fedora 28上面也重现了这个问题。目前我还没有找到具体的原因,只是在mac系统和Fedora28上面重现了这个UDP的问题。 |
|
这个bug还在,转发udp游戏包的时候大概10s钟会断 |
|
最新4.21.3还是有这个问题,游戏udp包会断流 |
|
v2ray的udp转发是不是废的,我也遇到了这个问题,解决不了 |
|
4.22.1还是这样,用TPROXY直接转发到v2ray不行,中继一个redsocks或者tun2socks就没问题了,期间还有一个现象,v2ray疯狂从目的地址返回数据包到源地址,本来想自己改改提交pr,奈何看不懂v2ray的逻辑 |
4.23.1 也有这个问题 1000 多行日志,全是这种。 |
|
V2RAY透明代理 去掉了是解决问题的关键。 |
|
This issue is stale because it has been open 120 days with no activity. Remove stale label or comment or this will be closed in 5 days |
|
大神啊!!!终于找到问题所在了!!!! 一直以为是dns的问题, 折腾smartdns, adguard, 手机刷国际版, 能试的方法都试了,但是都不行. 现在试了只要关闭udp转发瞬间就好了, 肉眼可见速度好转. |
|
2023年了,v2ray和xray 还是有相同的问题。 |
{ 2023/03/15 18:26:27 DOH//1.1.1.1 got answer: quic.nginx.org -> [35.214.218.230] 207.605394ms xray的 tproxy透明代理 sniffing quic是不是有bug? 先是[transparent -> proxy],之后变成[transparent -> direct] |
|
|
问过一些网友,给的方案居然是屏蔽 UDP 443 端口,直接不用 QUIC 了。 |
|
我也只能这样了drop udp443: |
你的使用场景是什么?比如使用 Chrome 通过 Socks/VMess 代理观看 YouTube 视频。
V2ray + iptables 做为TCP、UDP透明代理
你看到的不正常的现象是什么?(请描述具体现象,比如访问超时,TLS 证书错误等)
在访问支持QUIC的网站时突然卡了。具体表现:Youtube打开视频页面,视频加载速度突然降到几百kbps,过几十秒后渐渐恢复。
相同配置关闭UDP转发正常。
刷新页面前只开启TCP转发,开启UDP转发后刷新页面,看到出现断流现象
5) 请附上你的配置(提交 Issue 前请隐藏服务器端IP地址)。
V2ray配置:
iptables 配置:
The text was updated successfully, but these errors were encountered: