Description
Verify steps
- I have read the documentation and understand the meaning of all the configuration items I have written, rather than just piling up seemingly useful options or default values.
- I have carefully reviewed the documentation and have not resolved the issue.
- I have searched the Issue Tracker for the issue I want to raise and did not find it.
- I am a non-Chinese user.
- I have tested with the latest Alpha branch version, and the issue still persists.
- I have provided the server and client configuration files and processes that can reproduce the issue locally, rather than a sanitized complex client configuration file.
- I provided the simplest configuration that can be used to reproduce the errors in my report, rather than relying on remote servers or piling on a lot of unnecessary configurations for reproduction.
- I have provided complete logs, rather than just the parts I think are useful out of confidence in my own intelligence.
- I have directly reproduced the error using the Mihomo command-line program, rather than using other tools or scripts.
Operating System
Linux
System Version
Linux 5.15.163-1.el7.x86_64
Mihomo Version
Mihomo Meta v1.19.0 linux amd64 with go1.20.14 Mon Dec 9 09:51:29 UTC 2024
Use tags: with_gvisor
Configuration File
mixed-port: 7890
allow-lan: true
bind-address: '*'
mode: rule
log-level: info
dns:
  enable: true
  ipv6: false
  listen: 127.0.0.1:53
  default-nameserver:
    - 223.5.5.5
    - 8.8.8.8
  enhanced-mode: redir-host
  nameserver:
    - https://223.5.5.5/dns-query
    - tls://101.101.101.101:853
    - https://1.12.12.12/dns-query
  fallback:
    - tcp://208.67.222.222:443
    - tls://dns.google
sniffer:
  enable: true
  force-dns-mapping: true
  parse-pure-ip: true
  sniff:
    HTTP:
      ports: [80, 8080-8880]
    TLS:
      ports: [443, 8443]
    QUIC:
      ports: [443, 8443]
tun:
  enable: true
  stack: mixed
  auto-route: true
  auto-redirect: true
  auto-detect-interface: true
  dns-hijack:
    - udp://any:53
  device: utun0
  strict-route: false
  udp-timeout: 300
  endpoint-independent-nat: false
  route-exclude-address:
    - 10.0.0.0/8
    - 100.64.0.0/10
    - 172.16.0.0/12
    - 192.168.0.0/16
    - fc00::/7
  include-uid:
    - 1020
proxies:
  - {name: socks, server: 192.168.50.1, port: 23456, type: socks5, udp: true}
proxy-groups:
  - name: PROXY
    type: select
    proxies:
      - socks
  - name: Others
    type: select
    proxies:
      - PROXY
      - DIRECT
rules:
  - GEOIP,LAN,DIRECT
  - GEOIP,CN,DIRECT
  - MATCH,Others
Description
The system has already set up a kernel-level WireGuard NIC.
> wg
interface: wg0
  public key: HIDDEN
  private key: (hidden)
  listening port: 51820
peer: HIDDEN
  endpoint: HIDDEN
  allowed ips: 192.168.2.2/32
peer: HIDDEN
  endpoint: HIDDEN
  allowed ips: 192.168.2.3/32, 192.168.50.0/24, 100.64.0.0/10
> ip route
default via 10.0.2.1 dev bond0 proto static metric 300
10.0.2.0/24 dev bond0 proto kernel scope link src 10.0.2.23 metric 300
100.64.0.0/10 dev wg0 scope link
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
OMIT SOME DOCKER BRIDGE
192.168.2.0/24 dev wg0 proto kernel scope link src 192.168.2.1
192.168.50.0/24 dev wg0 scope link
198.18.0.0/30 dev utun0 proto kernel scope link src 198.18.0.1
I want to use the proxy (socks5) that has already been set up on host 192.168.50.1:23456. So without Meta, I can successfully
curl -x socks5://192.168.50.1:23456 https://www.google.com
Now, the problem is that the Linux server is a shared resource with others; I'd like to create a TUN device only for myself (tun.include-uid).
So I tried to use the tun module on Meta with the above configuration. If I do not enable the tun module, the proxy through the external WireGuard socks5 works fine (I can verify it by testing the latency on the metacubexd dashboard). But when I enable tun, the socks proxy does not work. I have already excluded the WireGuard routes by specifying tun.route-exclude-address.
Reproduction Steps
See above
Logs
level=warning msg="[TCP] dial Others (match Match/) 192.168.2.2:58498 --> 8.8.8.8:853 error: 192.168.50.1:23456 connect error: connect failed: dial tcp 192.168.50.1:23456: i/o timeout"
level=warning msg="[TCP] dial PROXY (match RuleSet/proxy) 192.168.2.2:53110 --> dns.cloudflare.com:443 error: 192.168.50.1:23456 connect error: connect failed: dial tcp 192.168.50.1:23456: i/o timeout"
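A way to check the report's routing claim offline, as an added example that is not part of the original issue or of Mihomo: it runs a longest-prefix match over the pasted `ip route` table and tests whether an address is covered by `tun.route-exclude-address`. The function names are hypothetical, the elided Docker bridge routes are left out, and only the main table is modelled because policy rules (`ip rule`) are not shown in the report.

```python
import ipaddress

# Values copied from the report above (tun.route-exclude-address and `ip route`).
ROUTE_EXCLUDE = ["10.0.0.0/8", "100.64.0.0/10", "172.16.0.0/12",
                 "192.168.0.0/16", "fc00::/7"]
ROUTES = """\
default via 10.0.2.1 dev bond0 proto static metric 300
10.0.2.0/24 dev bond0 proto kernel scope link src 10.0.2.23 metric 300
100.64.0.0/10 dev wg0 scope link
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
192.168.2.0/24 dev wg0 proto kernel scope link src 192.168.2.1
192.168.50.0/24 dev wg0 scope link
198.18.0.0/30 dev utun0 proto kernel scope link src 198.18.0.1
"""

def parse_routes(text):
    """Return (network, device) pairs parsed from `ip route` output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(prefix, strict=False)
        except ValueError:
            continue  # not a route line (for example an elision marker)
        routes.append((net, fields[fields.index("dev") + 1]))
    return routes

def egress_device(addr, routes):
    """Device chosen by longest-prefix match in the main table, or None."""
    ip = ipaddress.ip_address(addr)
    hits = [(n, d) for n, d in routes if n.version == ip.version and ip in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def excluded_by(addr, cidrs):
    """route-exclude-address entries that cover addr (empty list if none)."""
    ip = ipaddress.ip_address(addr)
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [str(n) for n in nets if n.version == ip.version and ip in n]

if __name__ == "__main__":
    table = parse_routes(ROUTES)
    # SOCKS5 server from the config, then the destination in the first log line.
    for target in ("192.168.50.1", "8.8.8.8"):
        print(target, egress_device(target, table),
              excluded_by(target, ROUTE_EXCLUDE))
```

On the live host, `ip route get 192.168.50.1` run as the uid listed under include-uid gives the kernel's actual decision, including any policy rules this sketch does not model.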