Open
Labels
bug: Something isn't working
Description
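Verification steps
- I have read the documentation and understand the meaning of every configuration item I wrote, rather than piling up seemingly useful options or default values.
- I have carefully read the documentation and it did not solve my problem
- I have searched the Issue Tracker for the problem I am about to report and found nothing
- I am a Chinese-language user, not a user of another language
- I have tested with the latest Alpha branch version and the problem persists
- I have provided server and client configuration files and a procedure that reproduce the problem locally, rather than a sanitized, complex client configuration file.
- I have provided the minimal configuration that reproduces the error I am reporting, rather than relying on a remote server or piling up configuration that is useless for reproduction.
- I have provided the complete log, rather than only the parts I considered useful out of confidence in my own intelligence.
- I reproduced the error directly with the Mihomo command-line program, rather than with other tools or scripts.
Operating system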
Linux
System version
Ubuntu Server 22.04
Mihomo version
Mihomo Meta v1.19.1 linux amd64 with go1.23.4 Tue Dec 31 16:58:30 UTC 2024
Use tags: with_gvisor
Configuration file
hc: &hc
  type: http
  interval: 86400
  health-check:
    enable: true
    url: https://cp.cloudflare.com
    interval: 300
    timeout: 1000
    tolerance: 100
proxy-providers:
  my-proxy:
    <<: *hc
    url: ""
    override:
      additional-prefix: "[my-proxy]"
proxies:
  - name: "WG"
    type: direct
    udp: true
    interface-name: wg0
    routing-mark: 6667
mode: rule
log-level: debug
mixed-port: 7890
ipv6: true
allow-lan: true
unified-delay: true
tcp-concurrent: true
external-controller: 0.0.0.0:9090
external-ui: ui
external-ui-url: "https://github.com/MetaCubeX/metacubexd/archive/refs/heads/gh-pages.zip"
geodata-loader: standard
geo-auto-update: true
geo-update-interval: 24
geox-url:
  geoip: "https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geoip.dat"
  geosite: "https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/geosite.dat"
  mmdb: "https://github.com/MetaCubeX/meta-rules-dat/releases/download/latest/country.mmdb"
find-process-mode: strict
global-client-fingerprint: random
profile:
  store-selected: true
  store-fake-ip: true
sniffer:
  enable: true
  sniff:
    HTTP:
      ports: [80, 8080-8880]
      override-destination: true
    TLS:
      ports: [443, 8443]
    QUIC:
      ports: [443, 8443]
  skip-domain:
    - "Mijia Cloud"
    - "+.push.apple.com"
tun:
  enable: true
  stack: mixed
  dns-hijack:
    - "any:53"
    - "tcp://any:53"
  auto-route: true
  auto-redirect: true
  auto-detect-interface: true
dns:
  enable: true
  ipv6: true
  # listen: 0.0.0.0:1059
  respect-rules: true
  enhanced-mode: fake-ip
  fake-ip-filter:
    - "*"
    - "+.lan"
    - "+.local"
    - "+.market.xiaomi.com"
  default-nameserver:
    - 223.5.5.5
  nameserver:
    - 223.5.5.5
    - 119.29.29.29
  proxy-server-nameserver:
    - https://120.53.53.53/dns-query
    - https://223.5.5.5/dns-query
  nameserver-policy:
    "geosite:cn,private":
      - https://120.53.53.53/dns-query
      - https://223.5.5.5/dns-query
    "geosite:!cn,!private":
      - "https://dns.cloudflare.com/dns-query"
      - "https://dns.google/dns-query"
proxy-groups:
  - name: Default
    type: select
    proxies: [低倍率, 自动选择, DIRECT, 全部节点]
  - name: 低倍率
    type: url-test
    include-all: true
    filter: "实验性|日用|0.20x"
  - name: 全部节点
    type: select
    include-all: true
  - name: 自动选择
    type: url-test
    include-all: true
    tolerance: 10
rules:
  - GEOSITE,CN,DIRECT
  - IP-CIDR,10.88.10.0/24,WG
  - GEOIP,CN,DIRECT
  - IP-CIDR,10.0.0.0/8,DIRECT
  - IP-CIDR,172.16.0.0/12,DIRECT
  - IP-CIDR,192.168.0.0/16,DIRECT
  - IP-CIDR,100.64.0.0/10,DIRECT
  - IP-CIDR,127.0.0.0/8,DIRECT
  - MATCH,Default
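Description
When running wireguard and mihomo at the same time, I can ping other wireguard nodes, but I cannot access services whose DNS result is the local machine's Wireguard IP.
For example, in the Cloudflare DNS dashboard I point test.mydomain.com at 10.88.10.2 (the local machine's Wireguard IP). Running curl -I https://test.mydomain.com then shows: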
$ curl -I https://test.mydomain.com
curl: (35) error:0A000126:SSL routines::unexpected eof while reading
If mihomo is stopped, the URL is accessible:
$ curl -I https://test.mydomain.com
HTTP/2 200
alt-svc: h3=":443"; ma=2592000
date: Fri, 31 Jan 2025 11:49:33 GMT
The mihomo log is as follows:
DEBU[2025-01-31T19:42:06.685828117+08:00] [DNS] cache hit test.example.com --> [10.88.10.2] A, expire at 2025-01-31 19:46:35
DEBU[2025-01-31T19:42:06.685892516+08:00] [DNS] cache hit test.example.com --> [] AAAA, expire at 2025-01-31 20:11:35
WARN[2025-01-31T19:42:06.686233999+08:00] [TCP] dial WG (match IPCIDR/10.88.10.0/24) 198.18.0.1:60764 --> test.example.com:443 error: dial tcp 10.88.10.2:443: connect: no route to host
As can be seen, mihomo resolved the IP correctly but cannot route to it. This is my routing table information:
$ ip rule
0: from all lookup local
9000: from all to 198.18.0.0/30 lookup 2022
9001: not from all dport 53 lookup main suppress_prefixlength 0
9001: from all ipproto icmp goto 9010
9001: from all iif Meta goto 9010
9002: not from all iif lo lookup 2022
9002: from 0.0.0.0 iif lo lookup 2022
9002: from 198.18.0.0/30 iif lo lookup 2022
9010: from all nop
32766: from all lookup main
32767: from all lookup default
$ ip route show table 2022
default via 198.18.0.2 dev Meta
$ ip route show table main
default via 192.168.5.1 dev eno1 proto dhcp src 192.168.5.20 metric 100
10.88.10.0/24 dev wg0 proto kernel scope link src 10.88.10.2
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.18.0.0/16 dev br-cedacbabdb88 proto kernel scope link src 172.18.0.1
172.19.0.0/16 dev br-7c2769437b03 proto kernel scope link src 172.19.0.1
172.20.0.0/16 dev br-2b1827af5547 proto kernel scope link src 172.20.0.1
172.21.0.0/16 dev br-9e904fb55376 proto kernel scope link src 172.21.0.1
192.168.5.0/24 dev eno1 proto kernel scope link src 192.168.5.20 metric 100
192.168.5.1 dev eno1 proto dhcp scope link src 192.168.5.20 metric 100
198.18.0.0/30 dev Meta proto kernel scope link src 198.18.0.1
$ ip addr show dev Meta
469: Meta: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 9000 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 198.18.0.1/30 brd 198.18.0.3 scope global Meta
valid_lft forever preferred_lft forever
inet6 fdfe:dcba:9876::1/126 scope global
valid_lft forever preferred_lft forever
inet6 fe80::d449:781:4ee3:75f8/64 scope link stable-privacy
valid_lft forever preferred_lft forever
I previously used Clash, also in TUN mode, without configuring any additional Proxy for Wireguard. The routing table under Clash:
$ ip rule
0: from all lookup local
9500: not from all dport 53 lookup main suppress_prefixlength 0
9510: not from all iif lo lookup 1970566510
9520: from 0.0.0.0 iif lo uidrange 0-4294967294 lookup 1970566510
9530: from 198.18.0.1 iif lo uidrange 0-4294967294 lookup 1970566510
32766: from all lookup main
32767: from all lookup default
$ ip route show table 1970566510
default dev utun proto static
$ ip route show table main
default via 192.168.5.1 dev eno1 proto dhcp src 192.168.5.20 metric 100
10.88.10.0/24 dev wg0 proto kernel scope link src 10.88.10.2
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.18.0.0/16 dev br-cedacbabdb88 proto kernel scope link src 172.18.0.1
172.19.0.0/16 dev br-7c2769437b03 proto kernel scope link src 172.19.0.1
172.20.0.0/16 dev br-2b1827af5547 proto kernel scope link src 172.20.0.1
172.21.0.0/16 dev br-9e904fb55376 proto kernel scope link src 172.21.0.1
192.168.5.0/24 dev eno1 proto kernel scope link src 192.168.5.20 metric 100
192.168.5.1 dev eno1 proto dhcp scope link src 192.168.5.20 metric 100
198.18.0.0/16 dev utun proto kernel scope link src 198.18.0.1
My wireguard status:
$ sudo wg
interface: wg0
public key:/cf8ETXrI+KNicwretIThUGMWXM=
private key: (hidden)
listening port: 40186
peer:
endpoint: :51280
allowed ips: 10.88.10.15/32
latest handshake: 6 seconds ago
transfer: 16.69 KiB received, 47.96 KiB sent
persistent keepalive: every 25 seconds
peer:/6GjfqGeWbkq5nAhdOFc=
endpoint: :28386
allowed ips: 10.88.10.1/32
latest handshake: 18 seconds ago
transfer: 525.88 KiB received, 54.70 KiB sent
persistent keepalive: every 25 seconds
peer: /uCrlowIb409T2dDg=
endpoint: :51280
allowed ips: 10.88.10.11/32, 10.88.10.12/32, 10.88.10.14/32
latest handshake: 10 minutes, 47 seconds ago
transfer: 604 B received, 16.37 KiB sent
persistent keepalive: every 25 seconds
Following #1728, I have added a Proxy named WG (see the configuration file above), but it did not help.
Steps to reproduce
As above.
Logs
As above.