TUN in nekoray

In nekoray on Windows 10:
the tun mode whitelist works incorrectly and passes the whole system through itself, while it should only pass the processes from the whitelist

thank you, I'll give it a try

Process tracking only works in TUN mode. If you selected "Built-in Tun*", in that mode the TUN config is merged with the regular one, and instead of two xray or sing-box instances only one is started, with a combined config. TUN works as a virtual connection and in any case pushes all traffic through itself; it is needed to see the path to the process and filter based on that.

So when a single process is used, the config is broken; you can see this for yourself via "Share → Export config".

The main snag is that by default "final" in the routes is set to "proxy", while in the split-windows mode for TUN "final" is set to "bypass". What options are there?

  1. The simplest: turn off "Built-in Tun*" so that a separate config is started for the processes and another one for everything else;
  2. Set everything up by hand using logical rules.

For example, I stick to the following principle for the final strategy: proxy only for the selected processes.

at the very bottom of rules we put the rule for the process

      {
        "outbound": "proxy",
        "process_name": [
          "Discord.exe",
          "Update.exe"
        ]
      }

we go back up to the top and change final to bypass

    "final": "bypass",

So where's the logic in that, you might ask?
I use bypass for the reachable zone and override it with the needed rules above.
Here is the whole picture; read it from the bottom up.

 "route": {
   "final": "bypass",
   "rules": [
     { // If an overlay for a process is needed, use logical; useful for geocdn or youtube after google
       "type": "logical",
       "mode": "and",
       "rules": [
         {
           "geosite": [
             "discord",
             "youtube"
           ]
         },
         {
           "process_name": [
             "Discord.exe",
             "Update.exe"
           ]
         }
       ],
       "outbound": "proxy"
     },
     { // Override geo domains for everything
       "domain_suffix": [
         ".ir"
       ],
       "geosite": [
         "google"
       ],
       "outbound": "bypass"
     },
     { // Override geo ip for everything
       "geoip": [
         "ir"
       ],
       "outbound": "bypass"
     },
     { // Override private IPs for everything
       "ip_is_private": true,
       "outbound": "bypass"
     },
     { // Send only the processes to the proxy
       "outbound": "proxy",
       "process_name": [
         "Discord.exe",
         "Update.exe"
       ]
     }
   ]
 }
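The "read it from the bottom up" logic above, as an added example that is not part of the original post and not nekoray's or sing-box's code: a small Python simulator of sing-box route-rule matching run over the route section just posted. Rules are tried top to bottom and the first match wins; a connection that matches nothing goes to "final". Inside one default rule the fields are grouped the way sing-box documents it: the domain fields are OR-ed with each other, the IP fields are OR-ed with each other, and those groups plus the other fields (process_name, port) are AND-ed. The GEOSITE and GEOIP tables, the sample connections and the function names `match`/`route` are constructed for this example; domain_regex, port ranges and resolving a domain before the IP rules are left out.

```python
"""Added example: sing-box style first-match route evaluation over the route
section posted above.  GEOSITE / GEOIP are constructed stand-ins for the real
geosite.db / geoip.db, not their contents."""
import ipaddress

GEOSITE = {  # constructed: category -> domains
    "discord": ["discord.com", "discordapp.com"],
    "youtube": ["youtube.com", "googlevideo.com"],
    "google": ["google.com", "play.google.com"],
}
GEOIP = {"ir": [ipaddress.ip_network("5.200.0.0/16")]}  # constructed sample prefix

# The route section from the post above, as Python data.
ROUTE = {
    "final": "bypass",
    "rules": [
        {"type": "logical", "mode": "and", "outbound": "proxy",
         "rules": [{"geosite": ["discord", "youtube"]},
                   {"process_name": ["Discord.exe", "Update.exe"]}]},
        {"domain_suffix": [".ir"], "geosite": ["google"], "outbound": "bypass"},
        {"geoip": ["ir"], "outbound": "bypass"},
        {"ip_is_private": True, "outbound": "bypass"},
        {"process_name": ["Discord.exe", "Update.exe"], "outbound": "proxy"},
    ],
}

DOMAIN_KEYS = {"domain", "domain_suffix", "domain_keyword", "geosite"}
IP_KEYS = {"geoip", "ip_cidr", "ip_is_private"}


def _in_geosite(domain, cats):
    return any(domain == d or domain.endswith("." + d)
               for c in cats for d in GEOSITE.get(c, ()))


def _domain_group(rule, conn):
    """OR over the domain fields of a rule (documented sing-box grouping)."""
    d = conn.get("domain")
    if not d:
        return False
    return (d in rule.get("domain", ())
            or any(d.endswith(s) for s in rule.get("domain_suffix", ()))
            or any(k in d for k in rule.get("domain_keyword", ()))
            or _in_geosite(d, rule.get("geosite", ())))


def _ip_group(rule, conn):
    """OR over the IP fields of a rule."""
    if not conn.get("ip"):
        return False
    addr = ipaddress.ip_address(conn["ip"])
    return bool((rule.get("ip_is_private") and addr.is_private)
                or any(addr in ipaddress.ip_network(c, strict=False) for c in rule.get("ip_cidr", ()))
                or any(addr in n for c in rule.get("geoip", ()) for n in GEOIP.get(c, ())))


def match(rule, conn):
    """Does one rule (default or logical) match a connection?"""
    if rule.get("type") == "logical":
        hits = [match(r, conn) for r in rule["rules"]]
        return all(hits) if rule["mode"] == "and" else any(hits)
    if rule.keys() & DOMAIN_KEYS and not _domain_group(rule, conn):
        return False
    if rule.keys() & IP_KEYS and not _ip_group(rule, conn):
        return False
    if "process_name" in rule and conn.get("process") not in rule["process_name"]:
        return False
    if "port" in rule and conn.get("port") not in rule["port"]:
        return False
    return True


def route(cfg, conn):
    """Return (outbound, index of the matching rule, or None when "final" applies)."""
    for i, rule in enumerate(cfg["rules"]):
        if match(rule, conn):
            return rule["outbound"], i
    return cfg["final"], None


if __name__ == "__main__":
    samples = [  # constructed connections: (process, domain, ip)
        ("Discord.exe", "gateway.discord.com", None),      # logical rule -> proxy
        ("Discord.exe", "play.google.com", None),          # geosite google overrides -> bypass
        ("Discord.exe", None, "192.168.1.10"),             # private IP overrides -> bypass
        ("Discord.exe", "example.com", "93.184.216.34"),   # plain process rule -> proxy
        ("vivaldi.exe", "example.com", "93.184.216.34"),   # nothing matches -> final bypass
    ]
    for proc, dom, ip in samples:
        print(proc, dom or ip, "->", route(ROUTE, {"process": proc, "domain": dom, "ip": ip}))
```

The point the simulation makes visible: a Discord.exe connection to a google domain or a private address is caught by the bypass rules above the process rule, while any other Discord.exe connection falls through to the process rule and is proxied; a process that is not in the list never matches anything and lands on "final": "bypass".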

What do we get in the end? Full TUN remains for the selected processes, and all the other traffic goes direct? I have a similar problem. Having downloaded the latest 4.0 beta, with the built-in tun my whitelist works and proxies only what is needed, but when opening sites from the browser, which is not in the proxy whitelist, neko still does some processing, apparently passes it through the server, figures out that it doesn't need to be proxied and lets it through via bypass. That is, I feel a certain input lag in this scenario, and I want to ask whether this config fixes that problem?

If you use a scheme like this, then yes, we end up with proxying only for specific processes. If there are no additional rules, the scheme can be cut down to

"route": {
  "final": "bypass",
  "rules": [
    { // Override private IPs for everything
      "ip_is_private": true,
      "outbound": "bypass"
    },
    { // Send only the processes to the proxy
      "outbound": "proxy",
      "process_name": [
        "Discord.exe",
        "Update.exe"
      ]
    }
  ]
}

It would be good to add similar rules to the dns section as well.

As for the input lag, in a TUN scheme it will be there at connection start in any case (1-3ms depending on how bloated the rules are); if you want to avoid it completely, that is only possible by configuring the proxy manually in the applications where that is possible, and no other way, so that the application itself decides where to go.

well, it doesn't seem to be 1-3ms from what I see; if the server itself, the VPS, is overloaded, it can hang for several seconds

It shouldn't, unless sniff_override_destination or reverse_mapping is set to true, since those hammer the dns; the rules are processed locally, for the machine itself the delay should be minimal; we are of course talking about a local client and filtering local processes. With a sluggish DNS and lots of queries you can try rewriting the TTL in the dns rules with "rewrite_ttl": 28800 and enabling the cache for failed lookups with "store_rdrc": true

"sniff_override_destination": false, and there is no reverse_mapping at all

right now I just alt-tabbed into the browser, opened ozon, which besides the process should also not be proxied by geoip, got a pretty noticeable lag, and here is what's in the logs

INFO[0603] [3201561675 0ms] inbound/tun[tun-in]: inbound packet connection from xx.xx.xx.xx
INFO[0603] [3201561675 0ms] inbound/tun[tun-in]: inbound packet connection to xx.xx.xx.xx
INFO[0603] [3201561675 0ms] router: found process path: C:\Windows\System32\svchost.exe
INFO[0603] dns: exchanged stats.vk-portal.net A stats.vk-portal.net. 272 IN A xx.xx.xx.xx
INFO[0603] [1058693205 0ms] inbound/tun[tun-in]: inbound connection from xx.xx.xx.xx:xx.xx.xx.xx
INFO[0603] [1058693205 0ms] inbound/tun[tun-in]: inbound connection to xx.xx.xx.xx:443
INFO[0603] [1058693205 0ms] router: found process path: C:\Program Files\Application\vivaldi.exe
INFO[0603] [1058693205 0ms] outbound/direct[bypass]: outbound connection to xx.xx.xx.xx:443
INFO[0603] dns: exchanged stats.vk-portal.net A stats.vk-portal.net. 272 IN A xx.xx.xx.xx
INFO[0604] [2470248214 0ms] inbound/tun[tun-in]: inbound packet connection from xx.xx.xx.xx:64874
INFO[0604] [2470248214 0ms] inbound/tun[tun-in]: inbound packet connection to xx.xx.xx.xx
INFO[0604] [2470248214 0ms] router: found process path: C:\Windows\System32\svchost.exe
INFO[0604] dns: exchanged bifrost.vivaldi.com A bifrost.vivaldi.com. 120 IN A xx.xx.xx.xx
INFO[0604] [27643922 0ms] inbound/tun[tun-in]: inbound connection from xx.xx.xx.xx:61875
INFO[0604] [27643922 0ms] inbound/tun[tun-in]: inbound connection to xx.xx.xx.xx:443
INFO[0604] [27643922 0ms] router: found process path: C:\Program Files\Application\vivaldi.exe
INFO[0604] [27643922 0ms] outbound/direct[bypass]: outbound connection to xx.xx.xx.xx:443
INFO[0604] dns: exchanged bifrost.vivaldi.com A bifrost.vivaldi.com. 120 IN A xx.xx.xx.xx
ERROR[0608] dns: exchange failed for ozon.ru. IN A: lookup ozon.ru: i/o timeout
ERROR[0608] dns: exchange failed for ozon.ru. IN A: lookup ozon.ru: operation was canceled
ERROR[0608] dns: exchange failed for ozon.ru. IN A: lookup ozon.ru: operation was canceled
ERROR[0608] dns: exchange failed for ozon.ru. IN A: lookup ozon.ru: operation was canceled
ERROR[0608] dns: exchange failed for ozon.ru. IN A: lookup ozon.ru: operation was canceled
INFO[0609] [3401884075 0ms] inbound/tun[tun-in]: inbound packet connection from xx.xx.xx.xx:60228
INFO[0609] [3401884075 0ms] inbound/tun[tun-in]: inbound packet connection to xx.xx.xx.xx
INFO[0609] [3401884075 0ms] router: found process path: C:\Windows\System32\svchost.exe
INFO[0609] [1765476771 0ms] inbound/tun[tun-in]: inbound packet connection from xx.xx.xx.xx:60985
INFO[0609] [1765476771 0ms] inbound/tun[tun-in]: inbound packet connection to xx.xx.xx.xx:443
INFO[0609] [1765476771 0ms] router: found process path: C:\Program Files\Application\vivaldi.exe
INFO[0609] [1765476771 0ms] outbound/direct[bypass]: outbound packet connection
INFO[0609] dns: exchanged dns.msftncsi.com A dns.msftncsi.com. 17 IN A xx.xx.xx.xx
INFO[0609] dns: exchanged dns.msftncsi.com A dns.msftncsi.com. 17 IN A xx.xx.xx.xx
INFO[0609] [778881140 0ms] inbound/tun[tun-in]: inbound packet connection from xx.xx.xx.xx:63454
INFO[0609] [778881140 0ms] inbound/tun[tun-in]: inbound packet connection to xx.xx.xx.xx
INFO[0609] [778881140 0ms] router: found process path: C:\Windows\System32\svchost.exe
INFO[0615] [867408169 0ms] inbound/tun[tun-in]: inbound packet connection from xx.xx.xx.xx:60111
INFO[0615] [867408169 0ms] inbound/tun[tun-in]: inbound packet connection to xx.xx.xx.xx:443
INFO[0615] [867408169 0ms] router: found process path: C:\Program Files\Application\vivaldi.exe
INFO[0615] [867408169 0ms] outbound/direct[bypass]: outbound packet connection
INFO[0615] [3449262751 0ms] inbound/tun[tun-in]: inbound packet connection from xx.xx.xx.xx:50307
INFO[0615] [3449262751 0ms] inbound/tun[tun-in]: inbound packet connection to xx.xx.xx.xx
INFO[0615] [3449262751 0ms] router: found process path: C:\Windows\System32\svchost.exe
INFO[0616] dns: exchanged play.google.com A play.google.com. 300 IN A xx.xx.xx.xx
INFO[0616] [1520234091 0ms] inbound/tun[tun-in]: inbound packet connection from xx.xx.xx.xx:54243
INFO[0616] [1520234091 0ms] inbound/tun[tun-in]: inbound packet connection to xx.xx.xx.xx
INFO[0616] [1520234091 0ms] router: found process path: C:\Windows\System32\svchost.exe
INFO[0616] dns: cached play.google.com A play.google.com. 299 IN A xx.xx.xx.xx
INFO[0616] [3348733976 0ms] inbound/tun[tun-in]: inbound connection from xx.xx.xx.xx:61877
INFO[0616] [3348733976 0ms] inbound/tun[tun-in]: inbound connection to xx.xx.xx.xx:443
INFO[0616] [3348733976 1ms] outbound/vless[proxy]: outbound connection to xx.xx.xx.xx:443
INFO[0616] dns: exchanged play.google.com A play.google.com. 197 IN A xx.xx.xx.xx
INFO[0616] dns: exchanged play.google.com SOA google.com. 60 IN SOA ns1.google.com. dns-admin.google.com. xx.xx.xx.xx
INFO[0616] dns: exchanged play.google.com SOA google.com. 60 IN SOA ns1.google.com. dns-admin.google.com. xx.xx.xx.xx
INFO[0616] [3348733976 148ms] outbound/vless[proxy]: outbound connection to xx.xx.xx.xx:443
ERROR[0619] dns: exchange failed for www.ozon.ru. IN A: lookup www.ozon.ru: i/o timeout
ERROR[0619] dns: exchange failed for www.ozon.ru. IN A: lookup www.ozon.ru: operation was canceled
ERROR[0619] dns: exchange failed for www.ozon.ru. IN A: lookup www.ozon.ru: operation was canceled
ERROR[0619] dns: exchange failed for www.ozon.ru. IN A: lookup www.ozon.ru: operation was canceled
ERROR[0619] dns: exchange failed for www.ozon.ru. IN A: lookup www.ozon.ru: operation was canceled
INFO[0620] [838971003 0ms] inbound/tun[tun-in]: inbound packet connection from xx.xx.xx.xx:57997
INFO[0620] [838971003 0ms] inbound/tun[tun-in]: inbound packet connection to xx.xx.xx.xx:443
INFO[0620] [838971003 0ms] router: found process path: C:\Program Files\Application\vivaldi.exe
INFO[0620] [838971003 0ms] outbound/direct[bypass]: outbound packet connection
INFO[0620] [684439540 0ms] inbound/tun[tun-in]: inbound packet connection from xx.xx.xx.xx:60987
INFO[0620] [684439540 0ms] inbound/tun[tun-in]: inbound packet connection to xx.xx.xx.xx:443
INFO[0620] [1576783644 0ms] inbound/tun[tun-in]: inbound packet connection from xx.xx.xx.xx:51059
INFO[0620] [1576783644 0ms] inbound/tun[tun-in]: inbound packet connection to xx.xx.xx.xx
INFO[0620] [684439540 1ms] router: found process path: C:\Program Files\Application\vivaldi.exe
INFO[0620] [1576783644 0ms] router: found process path: C:\Windows\System32\svchost.exe
INFO[0620] [684439540 1ms] outbound/direct[bypass]: outbound packet connection
INFO[0620] [4079921284 0ms] inbound/tun[tun-in]: inbound packet connection from xx.xx.xx.xx:53468
INFO[0620] [4079921284 0ms] inbound/tun[tun-in]: inbound packet connection to xx.xx.xx.xx
INFO[0620] [4079921284 0ms] router: found process path: C:\Windows\System32\svchost.exe
INFO[0621] [1326365875 0ms] inbound/tun[tun-in]: inbound packet connection from xx.xx.xx.xx:62525
INFO[0621] [1326365875 0ms] inbound/tun[tun-in]: inbound packet connection to xx.xx.xx.xx
INFO[0621] [1326365875 0ms] router: found process path: C:\Windows\System32\svchost.exe
INFO[0621] dns: exchanged cdn1.ozonusercontent.com CNAME cdn1.ozonusercontent.com. 221 IN CNAME edge-mmedia-lb.ozone.ru.
INFO[0621] dns: exchanged cdn1.ozonusercontent.com A edge-mmedia-lb.ozone.ru. 221 IN A xx.xx.xx.xx
INFO[0621] dns: exchanged cdn1.ozonusercontent.com A edge-mmedia-lb.ozone.ru. 221 IN A xx.xx.xx.xx
INFO[0621] [567517468 0ms] inbound/tun[tun-in]: inbound packet connection from xx.xx.xx.xx:63869
INFO[0621] [567517468 0ms] inbound/tun[tun-in]: inbound packet connection to xx.xx.xx.xx:443
INFO[0621] [567517468 0ms] router: found process path: C:\Program Files\Application\vivaldi.exe
INFO[0621] [567517468 0ms] outbound/direct[bypass]: outbound packet connection
INFO[0621] dns: exchanged cdn1.ozonusercontent.com CNAME cdn1.ozonusercontent.com. 96 IN CNAME edge-mmedia-lb.ozone.ru.
INFO[0621] dns: exchanged cdn1.ozonusercontent.com A edge-mmedia-lb.ozone.ru. 96 IN A xx.xx.xx.xx
INFO[0621] dns: exchanged cdn1.ozonusercontent.com A edge-mmedia-lb.ozone.ru. 96 IN A xx.xx.xx.xx
INFO[0621] [1620951015 0ms] inbound/tun[tun-in]: inbound connection from xx.xx.xx.xx:61879
INFO[0621] [1620951015 0ms] inbound/tun[tun-in]: inbound connection to xx.xx.xx.xx:443
INFO[0621] [1620951015 1ms] router: found process path: C:\Program Files\Application\vivaldi.exe
INFO[0621] [1620951015 1ms] outbound/direct[bypass]: outbound connection to xx.xx.xx.xx:443
INFO[0621] [4090609774 0ms] inbound/tun[tun-in]: inbound connection from xx.xx.xx.xx:61881
INFO[0621] [4090609774 0ms] inbound/tun[tun-in]: inbound connection to xx.xx.xx.xx:8080
INFO[0621] [4090609774 0ms] outbound/direct[bypass]: outbound connection to xx.xx.xx.xx:8080
ERROR[0630] dns: exchange failed for st.ozone.ru. IN A: lookup st.ozone.ru: i/o timeout
ERROR[0630] dns: exchange failed for st.ozone.ru. IN A: lookup st.ozone.ru: operation was canceled
ERROR[0630] dns: exchange failed for st.ozone.ru. IN A: lookup st.ozone.ru: operation was canceled
ERROR[0630] dns: exchange failed for st.ozone.ru. IN A: lookup st.ozone.ru: operation was canceled
ERROR[0630] dns: exchange failed for st.ozone.ru. IN A: lookup st.ozone.ru: operation was canceled
ERROR[0631] dns: exchange failed for ir-2.ozone.ru. IN A: lookup ir-2.ozone.ru: i/o timeout
ERROR[0631] dns: exchange failed for ir-2.ozone.ru. IN A: lookup ir-2.ozone.ru: operation was canceled
ERROR[0631] dns: exchange failed for ir-2.ozone.ru. IN A: lookup ir-2.ozone.ru: operation was canceled
ERROR[0631] dns: exchange failed for ir-2.ozone.ru. IN A: lookup ir-2.ozone.ru: operation was canceled
ERROR[0631] dns: exchange failed for ir-2.ozone.ru. IN A: lookup ir-2.ozone.ru: operation was canceled
INFO[0632] [3185401635 0ms] inbound/tun[tun-in]: inbound packet connection from xx.xx.xx.xx:57432
INFO[0632] [3185401635 0ms] inbound/tun[tun-in]: inbound packet connection to xx.xx.xx.xx:443
INFO[0632] [3185401635 0ms] router: found process path: C:\Program Files\Application\vivaldi.exe
INFO[0632] [3185401635 0ms] outbound/direct[bypass]: outbound packet connection
INFO[0632] [555816126 0ms] inbound/tun[tun-in]: inbound connection from xx.xx.xx.xx:61883
INFO[0632] [555816126 0ms] inbound/tun[tun-in]: inbound connection to xx.xx.xx.xx:443
INFO[0632] [555816126 0ms] router: found process path: C:\Program Files\Application\vivaldi.exe
INFO[0632] [555816126 0ms] outbound/direct[bypass]: outbound connection to xx.xx.xx.xx:443
INFO[0632] [1233291715 0ms] inbound/tun[tun-in]: inbound packet connection from xx.xx.xx.xx:62710
INFO[0632] [1233291715 0ms] inbound/tun[tun-in]: inbound packet connection to xx.xx.xx.xx:443
INFO[0632] [1233291715 0ms] router: found process path: C:\Program Files\Application\vivaldi.exe
INFO[0632] [1233291715 0ms] outbound/direct[bypass]: outbound packet connection
INFO[0632] [1641750125 0ms] inbound/tun[tun-in]: inbound connection from xx.xx.xx.xx:61885
INFO[0632] [1641750125 0ms] inbound/tun[tun-in]: inbound connection to xx.xx.xx.xx:443
INFO[0632] [1641750125 0ms] router: found process path: C:\Program Files\Application\vivaldi.exe
INFO[0632] [1641750125 0ms] outbound/direct[bypass]: outbound connection to xx.xx.xx.xx:443
ERROR[0632] [1083690989 5m41s] inbound/tun[tun-in]: download: raw-read tcp xx.xx.xx.xx:61604->xx.xx.xx.xx:80: An existing connection was forcibly closed by the remote host.
INFO[0632] [2399230989 0ms] inbound/tun[tun-in]: inbound packet connection from xx.xx.xx.xx:59154
INFO[0632] [2399230989 0ms] inbound/tun[tun-in]: inbound packet connection to xx.xx.xx.xx
INFO[0632] [2399230989 0ms] router: found process path: C:\Windows\System32\svchost.exe
INFO[0632] [2600775942 0ms] inbound/tun[tun-in]: inbound packet connection from xx.xx.xx.xx:63090
INFO[0632] [2600775942 0ms] inbound/tun[tun-in]: inbound packet connection to xx.xx.xx.xx
INFO[0632] [2600775942 0ms] router: found process path: C:\Windows\System32\svchost.exe
INFO[0632] [3849125006 0ms] inbound/tun[tun-in]: inbound packet connection from xx.xx.xx.xx:52753
INFO[0632] [3849125006 0ms] inbound/tun[tun-in]: inbound packet connection to xx.xx.xx.xx
INFO[0632] [3849125006 0ms] router: found process path: C:\Windows\System32\svchost.exe
INFO[0632] dns: exchanged ocsp.globalsign.com CNAME ocsp.globalsign.com. 234 IN CNAME global.prd.cdn.globalsign.com.
INFO[0632] dns: exchanged ocsp.globalsign.com CNAME global.prd.cdn.globalsign.com. 234 IN CNAME cdn.globalsigncdn.com.cdn.cloudflare.net.
INFO[0632] dns: exchanged ocsp.globalsign.com A cdn.globalsigncdn.com.cdn.cloudflare.net. 234 IN A xx.xx.xx.xx
INFO[0632] dns: exchanged ocsp.globalsign.com A cdn.globalsigncdn.com.cdn.cloudflare.net. 234 IN A xx.xx.xx.xx
INFO[0632] [1066541159 0ms] inbound/tun[tun-in]: inbound connection from xx.xx.xx.xx:61887
INFO[0632] [1066541159 0ms] inbound/tun[tun-in]: inbound connection to xx.xx.xx.xx:80
INFO[0632] [1066541159 0ms] router: found process path: C:\Program Files\Application\vivaldi.exe
INFO[0632] [1066541159 1ms] outbound/direct[bypass]: outbound connection to xx.xx.xx.xx:80
INFO[0632] dns: exchanged ocsp.globalsign.com CNAME ocsp.globalsign.com. 276 IN CNAME global.prd.cdn.globalsign.com.
INFO[0632] dns: exchanged ocsp.globalsign.com CNAME global.prd.cdn.globalsign.com. 276 IN CNAME cdn.globalsigncdn.com.cdn.cloudflare.net.
INFO[0632] dns: exchanged ocsp.globalsign.com A cdn.globalsigncdn.com.cdn.cloudflare.net. 276 IN A xx.xx.xx.xx
INFO[0632] dns: exchanged ocsp.globalsign.com A cdn.globalsigncdn.com.cdn.cloudflare.net. 276 IN A xx.xx.xx.xx
INFO[0632] [2651529950 0ms] inbound/tun[tun-in]: inbound connection from xx.xx.xx.xx:61889
INFO[0632] [2651529950 0ms] inbound/tun[tun-in]: inbound connection to xx.xx.xx.xx:443
INFO[0632] [2826113552 0ms] inbound/tun[tun-in]: inbound connection from xx.xx.xx.xx:61890
INFO[0632] [2826113552 0ms] inbound/tun[tun-in]: inbound connection to xx.xx.xx.xx:443
INFO[0632] [4181788425 0ms] inbound/tun[tun-in]: inbound connection from xx.xx.xx.xx:61891
INFO[0632] [4181788425 0ms] inbound/tun[tun-in]: inbound connection to xx.xx.xx.xx:443
INFO[0632] [957016265 0ms] inbound/tun[tun-in]: inbound connection from xx.xx.xx.xx:61892
INFO[0632] [957016265 0ms] inbound/tun[tun-in]: inbound connection to xx.xx.xx.xx:443
INFO[0632] [1338555140 0ms] inbound/tun[tun-in]: inbound connection from xx.xx.xx.xx:61893
INFO[0632] [1338555140 0ms] inbound/tun[tun-in]: inbound connection to xx.xx.xx.xx:443
INFO[0632] dns: exchanged s.deepl.com CNAME s.deepl.com. 300 IN CNAME hpkaj.deepl.com.
INFO[0632] dns: exchanged s.deepl.com CNAME hpkaj.deepl.com. 300 IN CNAME 46a2e5c3c5a64e218b60f2c2ee76b750.pacloudflare.com.
INFO[0632] dns: exchanged s.deepl.com A 46a2e5c3c5a64e218b60f2c2ee76b750.pacloudflare.com. 300 IN A xx.xx.xx.xx
INFO[0632] [2651529950 1ms] router: found process path: C:\Program Files\Application\vivaldi.exe
INFO[0632] [2651529950 1ms] outbound/direct[bypass]: outbound connection to xx.xx.xx.xx:443
INFO[0632] [2826113552 1ms] router: found process path: C:\Program Files\Application\vivaldi.exe
INFO[0632] [2826113552 1ms] outbound/direct[bypass]: outbound connection to xx.xx.xx.xx:443
INFO[0632] [4181788425 1ms] router: found process path: C:\Program Files\Application\vivaldi.exe
INFO[0632] [4181788425 1ms] outbound/direct[bypass]: outbound connection to xx.xx.xx.xx:443
INFO[0632] [957016265 1ms] router: found process path: C:\Program Files\Application\vivaldi.exe
INFO[0632] [957016265 1ms] outbound/direct[bypass]: outbound connection to xx.xx.xx.xx:443
INFO[0632] [1338555140 1ms] router: found process path: C:\Program Files\Application\vivaldi.exe
INFO[0632] [1338555140 1ms] outbound/direct[bypass]: outbound connection to xx.xx.xx.xx:443
INFO[0632] [1135949303 0ms] inbound/tun[tun-in]: inbound connection from xx.xx.xx.xx:61899
INFO[0632] [1135949303 0ms] inbound/tun[tun-in]: inbound connection to xx.xx.xx.xx:443
INFO[0632] [1135949303 0ms] router: found process path: C:\Program Files\Application\vivaldi.exe
INFO[0632] [1135949303 0ms] outbound/direct[bypass]: outbound connection to xx.xx.xx.xx:443
INFO[0632] [3215767973 0ms] inbound/tun[tun-in]: inbound packet connection from xx.xx.xx.xx:51198
INFO[0632] [3215767973 0ms] inbound/tun[tun-in]: inbound packet connection to xx.xx.xx.xx
INFO[0632] [3215767973 0ms] router: found process path: C:\Windows\System32\svchost.exe
INFO[0632] dns: exchanged s.deepl.com CNAME s.deepl.com. 300 IN CNAME hpkaj.deepl.com.
INFO[0632] dns: exchanged s.deepl.com CNAME hpkaj.deepl.com. 300 IN CNAME 46a2e5c3c5a64e218b60f2c2ee76b750.pacloudflare.com.
INFO[0632] dns: exchanged s.deepl.com A 46a2e5c3c5a64e218b60f2c2ee76b750.pacloudflare.com. 300 IN A xx.xx.xx.xx
INFO[0632] dns: exchanged 7ng6v3lu3c.execute-api.us-east-1.amazonaws.com A 7ng6v3lu3c.execute-api.us-east-1.amazonaws.com. 60 IN A xx.xx.xx.xx
INFO[0632] dns: exchanged 7ng6v3lu3c.execute-api.us-east-1.amazonaws.com A 7ng6v3lu3c.execute-api.us-east-1.amazonaws.com. 60 IN A xx.xx.xx.xx
INFO[0632] dns: exchanged 7ng6v3lu3c.execute-api.us-east-1.amazonaws.com A 7ng6v3lu3c.execute-api.us-east-1.amazonaws.com. 60 IN A xx.xx.xx.xx
INFO[0632] dns: exchanged 7ng6v3lu3c.execute-api.us-east-1.amazonaws.com A 7ng6v3lu3c.execute-api.us-east-1.amazonaws.com. 60 IN A xx.xx.xx.xx
INFO[0632] dns: exchanged 7ng6v3lu3c.execute-api.us-east-1.amazonaws.com A 7ng6v3lu3c.execute-api.us-east-1.amazonaws.com. 60 IN A xx.xx.xx.xx
INFO[0632] dns: exchanged 7ng6v3lu3c.execute-api.us-east-1.amazonaws.com A 7ng6v3lu3c.execute-api.us-east-1.amazonaws.com. 60 IN A xx.xx.xx.xx
INFO[0632] dns: exchanged 7ng6v3lu3c.execute-api.us-east-1.amazonaws.com A 7ng6v3lu3c.execute-api.us-east-1.amazonaws.com. 60 IN A xx.xx.xx.xx
INFO[0632] dns: exchanged 7ng6v3lu3c.execute-api.us-east-1.amazonaws.com A 7ng6v3lu3c.execute-api.us-east-1.amazonaws.com. 60 IN A xx.xx.xx.xx
INFO[0632] dns: exchanged 7ng6v3lu3c.execute-api.us-east-1.amazonaws.com A 7ng6v3lu3c.execute-api.us-east-1.amazonaws.com. 60 IN A xx.xx.xx.xx
INFO[0632] dns: exchanged 7ng6v3lu3c.execute-api.us-east-1.amazonaws.com A 7ng6v3lu3c.execute-api.us-east-1.amazonaws.com. 60 IN A xx.xx.xx.xx
INFO[0632] dns: exchanged 7ng6v3lu3c.execute-api.us-east-1.amazonaws.com A 7ng6v3lu3c.execute-api.us-east-1.amazonaws.com. 60 IN A xx.xx.xx.xx
INFO[0632] dns: exchanged 7ng6v3lu3c.execute-api.us-east-1.amazonaws.com A 7ng6v3lu3c.execute-api.us-east-1.amazonaws.com. 60 IN A xx.xx.xx.xx
INFO[0632] [2297705604 0ms] inbound/tun[tun-in]: inbound packet connection from xx.xx.xx.xx:55567
INFO[0632] [2297705604 0ms] inbound/tun[tun-in]: inbound packet connection to xx.xx.xx.xx:443
INFO[0632] [2297705604 0ms] router: found process path: C:\Program Files\Application\vivaldi.exe
INFO[0632] [2297705604 0ms] outbound/direct[bypass]: outbound packet connection
INFO[0632] [1046287425 0ms] inbound/tun[tun-in]: inbound connection from xx.xx.xx.xx:61901
INFO[0632] [1046287425 0ms] inbound/tun[tun-in]: inbound connection to xx.xx.xx.xx:443
INFO[0632] [1046287425 1ms] router: found process path: C:\Program Files\Application\vivaldi.exe
INFO[0632] [1046287425 1ms] outbound/direct[bypass]: outbound connection to xx.xx.xx.xx:443
INFO[0633] [2543815819 0ms] inbound/tun[tun-in]: inbound packet connection from xx.xx.xx.xx:55210
INFO[0633] [2543815819 0ms] inbound/tun[tun-in]: inbound packet connection to xx.xx.xx.xx:443
INFO[0633] [2543815819 0ms] router: found process path: C:\Program Files\Application\vivaldi.exe
INFO[0633] [2543815819 0ms] outbound/direct[bypass]: outbound packet connection
INFO[0633] [4018843444 0ms] inbound/tun[tun-in]: inbound packet connection from xx.xx.xx.xx:50685
INFO[0633] [4018843444 0ms] inbound/tun[tun-in]: inbound packet connection to xx.xx.xx.xx:443
INFO[0633] [4018843444 0ms] router: found process path: C:\Program Files\Application\vivaldi.exe
INFO[0633] [4018843444 0ms] outbound/direct[bypass]: outbound packet connection
INFO[0633] [2543370102 0ms] inbound/tun[tun-in]: inbound connection from xx.xx.xx.xx:61903
INFO[0633] [2543370102 0ms] inbound/tun[tun-in]: inbound connection to xx.xx.xx.xx:443
INFO[0633] [2543370102 1ms] router: found process path: C:\Program Files\Application\vivaldi.exe
INFO[0633] [2543370102 1ms] outbound/direct[bypass]: outbound connection to xx.xx.xx.xx:443
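An added example, not from the post above and not nekoray's or sing-box's code, for reading a log of this shape: it groups lines by the connection id in square brackets, records which process the router attributed each connection to and which outbound it ended up on, and counts failed DNS exchanges per name. SAMPLE_LOG is a constructed excerpt (a few lines copied from the post above, addresses already redacted there); the function names and the elapsed-time parsing are assumptions of this example.

```python
"""Added example: summarise sing-box connection and dns log lines of the kind
posted above.  SAMPLE_LOG is a constructed excerpt copied from the post."""
import re
from collections import Counter

LINE_RE = re.compile(r"^(?P<level>[A-Z]+)\[(?P<t>\d+)\] (?:\[(?P<cid>\d+) (?P<elapsed>[^\]]+)\] )?(?P<msg>.*)$")
PROCESS_RE = re.compile(r"^router: found process path: (?P<path>.+)$")
OUTBOUND_RE = re.compile(r"^outbound/(?P<kind>\w+)\[(?P<tag>[^\]]+)\]:")
DNS_FAIL_RE = re.compile(r"^dns: exchange failed for (?P<name>\S+) IN (?P<qtype>\w+): .*: (?P<reason>[^:]+)$")
ELAPSED_RE = re.compile(r"(\d+(?:\.\d+)?)(ms|s|m)")
UNIT_MS = {"ms": 1, "s": 1000, "m": 60000}


def parse_elapsed(text):
    """Go-style duration in the brackets -> milliseconds: '148ms' -> 148, '5m41s' -> 341000."""
    return int(sum(float(n) * UNIT_MS[u] for n, u in ELAPSED_RE.findall(text)))


def connections(lines):
    """Map connection id -> {"process", "outbound", "kind", "elapsed_ms"} (last outbound seen wins)."""
    conns = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["cid"]:
            continue  # dns lines and anything without a connection id
        c = conns.setdefault(m["cid"], {"process": None, "outbound": None, "kind": None, "elapsed_ms": 0})
        c["elapsed_ms"] = max(c["elapsed_ms"], parse_elapsed(m["elapsed"]))
        p = PROCESS_RE.match(m["msg"])
        if p:  # keep only the executable name from the Windows path
            c["process"] = p["path"].replace("\\", "/").rsplit("/", 1)[-1]
        o = OUTBOUND_RE.match(m["msg"])
        if o:
            c["kind"], c["outbound"] = o["kind"], o["tag"]
    return conns


def dns_failures(lines):
    """Count failed DNS exchanges per queried name (trailing dot stripped)."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["level"] == "ERROR":
            f = DNS_FAIL_RE.match(m["msg"])
            if f:
                counts[f["name"].rstrip(".")] += 1
    return counts


def by_process_and_outbound(conns):
    """Count routed connections per (process, outbound tag), e.g. ('vivaldi.exe', 'bypass')."""
    return Counter((c["process"], c["outbound"]) for c in conns.values() if c["outbound"])


# Constructed excerpt: lines copied from the post above (addresses redacted there).
SAMPLE_LOG = r"""INFO[0603] [1058693205 0ms] inbound/tun[tun-in]: inbound connection to xx.xx.xx.xx:443
INFO[0603] [1058693205 0ms] router: found process path: C:\Program Files\Application\vivaldi.exe
INFO[0603] [1058693205 0ms] outbound/direct[bypass]: outbound connection to xx.xx.xx.xx:443
INFO[0604] [2470248214 0ms] inbound/tun[tun-in]: inbound packet connection to xx.xx.xx.xx
INFO[0604] [2470248214 0ms] router: found process path: C:\Windows\System32\svchost.exe
ERROR[0608] dns: exchange failed for ozon.ru. IN A: lookup ozon.ru: i/o timeout
ERROR[0608] dns: exchange failed for ozon.ru. IN A: lookup ozon.ru: operation was canceled
INFO[0616] [3348733976 0ms] inbound/tun[tun-in]: inbound connection to xx.xx.xx.xx:443
INFO[0616] [3348733976 1ms] outbound/vless[proxy]: outbound connection to xx.xx.xx.xx:443
INFO[0616] [3348733976 148ms] outbound/vless[proxy]: outbound connection to xx.xx.xx.xx:443
ERROR[0619] dns: exchange failed for www.ozon.ru. IN A: lookup www.ozon.ru: i/o timeout
ERROR[0632] [1083690989 5m41s] inbound/tun[tun-in]: download: raw-read tcp xx.xx.xx.xx:61604->xx.xx.xx.xx:80: An existing connection was forcibly closed by the remote host.
""".splitlines()

if __name__ == "__main__":
    conns = connections(SAMPLE_LOG)
    for cid, c in conns.items():
        print(cid, c)
    print("per process/outbound:", dict(by_process_and_outbound(conns)))
    print("dns failures:", dict(dns_failures(SAMPLE_LOG)))
```

Run against the full log above, the two counters separate the two things going on in it: the browser connections are all attributed to vivaldi.exe and sent to the bypass outbound in 0-1ms, while every "exchange failed" line is a DNS lookup for a .ru name timing out, which is where the seconds of lag come from.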

Is the dns for direct queries set to local? If so, try putting in an actual server. For example https://1.1.1.1/dns-query

it's local now, before that it was doh.pub/dns-query - same thing

Judging by the error we clearly could not reach the dns server; you need to make sure it is reachable from the source. Guessing any further is like reading tea leaves, since the full sing-box config is needed.

When using TUN, for direct dns you should specify a standard unencrypted one, ideally just a local one (from the router, for example, if it's a desktop). Here is a minimal viable config where everything goes to bypass except chrome.exe. Note that we are also obliged to catch dns queries and redirect them to the internal service; in any standard config this will be there even with mixed.

{
  "dns": {
    "final": "dns-direct",
    "independent_cache": true,
    "rules": [
      {
        "process_name": ["chrome.exe"],
        "server": "dns-remote"
      }
    ],
    "servers": [
      {
        "address": "https://dns.google/dns-query", // any dns for proxied queries
        "address_resolver": "dns-direct",
        "detour": "proxy", // only via the proxy
        "strategy": "ipv4_only",
        "tag": "dns-remote"
      },
      {
        "address": "77.88.8.8", // unencrypted dns for direct queries
        "address_resolver": "dns-local",
        "detour": "direct", // direct only
        "strategy": "ipv4_only",
        "tag": "dns-direct"
      },
      {
        "address": "local",
        "detour": "direct",
        "tag": "dns-local"
      }
    ]
  },
  "inbounds": [
    {
      "auto_route": true,
      "domain_strategy": "ipv4_only",
      "endpoint_independent_nat": false,
      "inet4_address": "172.19.0.1/28",
      "interface_name": "neko-tun",
      "mtu": 9000,
      "sniff": true,
      "sniff_override_destination": false,
      "stack": "gvisor",
      "strict_route": false,
      "tag": "tun-in",
      "type": "tun"
    }
  ],
  "log": {
    "level": "warn"
  },
  "outbounds": [ // proxy settings
    {
      "domain_strategy": "ipv4_only",
      "server": "192.168.1.1",
      "server_port": 1080,
      "tag": "proxy",
      "type": "socks"
    },
    {
      "tag": "direct",
      "type": "direct"
    },
    {
      "tag": "bypass",
      "type": "direct"
    },
    { // must be present
      "tag": "dns-out",
      "type": "dns"
    }
  ],
  "route": {
    "auto_detect_interface": true,
    "final": "bypass",
    "rules": [ // catch any standard dns queries
      {
        "outbound": "dns-out",
        "port": [53]
      },
      {
        "outbound": "dns-out",
        "protocol": "dns"
      },
      {
        "ip_is_private": true,
        "outbound": "bypass"
      },
      {
        "outbound": "proxy",
        "process_name": ["chrome.exe"]
      }
    ]
  }
}

the thing is, this log I posted is with the "local" dns, and this happens quite often: a couple of seconds of lag and then the site loads


{
  "dns": {
    "independent_cache": true,
    "rules": [
      {
        "outbound": "any",
        "server": "direct"
      },
      {
        "domain": ["xxxxxxxxxxx"],
        "domain_keyword": [],
        "domain_regex": [],
        "domain_suffix": ["ru", "su", "xn--p1ai"],
        "geosite": [],
        "server": "dns-direct"
      },
      {
        "query_type": [32, 33],
        "server": "dns-block"
      },
      {
        "domain_suffix": ".lan",
        "server": "dns-block"
      }
    ],
    "servers": [
      {
        "address": "https://dns.google/dns-query",
        "address_resolver": "dns-local",
        "detour": "proxy",
        "strategy": "ipv4_only",
        "tag": "dns-remote"
      },
      {
        "address": "local",
        "address_resolver": "dns-local",
        "detour": "direct",
        "strategy": "ipv4_only",
        "tag": "dns-direct"
      },
      {
        "address": "rcode://success",
        "tag": "dns-block"
      },
      {
        "address": "local",
        "detour": "direct",
        "tag": "dns-local"
      }
    ]
  }
}

so the local resolver goes into a loop or gets blocked; you need to find its address via nslookup and let it through with a rule at the top; most likely the address there is from the tun, and adding its network will fix the situation

      {
        "outbound": "bypass",
        "ip_cidr": [
          "172.19.0.1/28"
        ],
        "protocol": "dns"
      }

but without the full config it's hard to judge


{
  "dns": {
    "independent_cache": true,
    "rules": [
      {
        "outbound": "any",
        "server": "direct"
      },
      {
        "domain": ["xxxxxxxxxxxxxx"],
        "domain_keyword": [],
        "domain_regex": [],
        "domain_suffix": ["ru", "su", "xn--p1ai"],
        "geosite": [],
        "server": "dns-direct"
      },
      {
        "query_type": [32, 33],
        "server": "dns-block"
      },
      {
        "domain_suffix": ".lan",
        "server": "dns-block"
      }
    ],
    "servers": [
      {
        "address": "https://dns.google/dns-query",
        "address_resolver": "dns-local",
        "detour": "proxy",
        "strategy": "ipv4_only",
        "tag": "dns-remote"
      },
      {
        "address": "local",
        "address_resolver": "dns-local",
        "detour": "direct",
        "strategy": "ipv4_only",
        "tag": "dns-direct"
      },
      {
        "address": "rcode://success",
        "tag": "dns-block"
      },
      {
        "address": "local",
        "detour": "direct",
        "tag": "dns-local"
      }
    ]
  },
  "inbounds": [
    {
      "domain_strategy": "",
      "listen": "127.0.0.1",
      "listen_port": 2080,
      "sniff": true,
      "sniff_override_destination": false,
      "tag": "mixed-in",
      "type": "mixed"
    },
    {
      "auto_route": true,
      "domain_strategy": "",
      "endpoint_independent_nat": true,
      "inet4_address": "xxxxxxxx",
      "interface_name": "neko-tun",
      "mtu": 9000,
      "sniff": true,
      "sniff_override_destination": false,
      "stack": "gvisor",
      "strict_route": false,
      "tag": "tun-in",
      "type": "tun"
    }
  ],
  "log": {
    "level": "info"
  },
  "outbounds": [
    {
      "domain_strategy": "",
      "flow": "xxxxxxxxxx",
      "packet_encoding": "",
      "server": "xxxxxxxxxxxx",
      "server_port": 443,
      "tag": "proxy",
      "tls": {
        "enabled": true,
        "reality": {
          "enabled": true,
          "public_key": "xxxxxxxxxxxxxxxxxxxx",
          "short_id": ""
        },
        "server_name": "xxxxxxxxxxxxxxxxx",
        "utls": {
          "enabled": true,
          "fingerprint": "chrome"
        }
      },
      "type": "vless",
      "uuid": "xxxxxxxxxxxxxxxxxxxx"
    },
    {
      "tag": "direct",
      "type": "direct"
    },
    {
      "tag": "bypass",
      "type": "direct"
    },
    {
      "tag": "block",
      "type": "block"
    },
    {
      "tag": "dns-out",
      "type": "dns"
    }
  ],
  "route": {
    "auto_detect_interface": true,
    "final": "bypass",
    "geoip": {
      "path": "xxxxxxxxxxx/nekoray/geoip.db"
    },
    "geosite": {
      "path": "xxxxxxxxxxx/nekoray/geosite.db"
    },
    "rules": [
      {
        "outbound": "dns-out",
        "protocol": "dns"
      },
      {
        "domain": [],
        "domain_keyword": [],
        "domain_regex": [],
        "domain_suffix": ["ru", "su", "xn--p1ai"],
        "geosite": [],
        "outbound": "bypass"
      },
      {
        "geoip": ["ru", "private"],
        "ip_cidr": [],
        "outbound": "bypass"
      },
      {
        "network": "udp",
        "outbound": "block",
        "port": [135, 137, 138, 139, 5353]
      },
      {
        "ip_cidr": ["xxxxxxxxxxx", "xxxxxxxxxxx"],
        "outbound": "block"
      },
      {
        "outbound": "block",
        "source_ip_cidr": ["xxxxxxxxxxxxx", "xxxxxxxxxxxxx"]
      },
      {
        "outbound": "proxy",
        "process_name": [
          "firefox.exe",
          "Discord.exe",
          "Update.exe",
          "NVIDIA GeForce Experience.exe",
          "NvBroadcast.Container.exe",
          "nvcontainer.exe",
          "NVDisplay.Container.exe",
          "NVIDIA Share.exe",
          "NVIDIA Web Helper.exe",
          "nvsphelper64.exe"
        ]
      }
    ]
  }
}

In your case, as suggested above, either you put a public address without tls or https in the dns instead of local, a regular standard 8.8.8.8, or you add the tun subnet to bypass for dns queries, and check all of this with nslookup; mixed can be removed if you are not sharing the proxy.

Or

{
  "dns": {
    "final": "dns-direct",
    "strategy": "ipv4_only",
    "independent_cache": true,
    "rules": [
      {
        "process_name": ["chrome.exe"],
        "server": "dns-remote"
      }
    ],
    "servers": [
      {
        "address": "https://dns.google/dns-query",
        "address_resolver": "dns-direct",
        "detour": "proxy",
        "tag": "dns-remote"
      },
      {
        "address": "tls://common.dot.dns.yandex.net",
        "address_resolver": "dns-local",
        "detour": "direct",
        "tag": "dns-direct"
      },
      {
        "address": "local",
        "detour": "direct", // detour must name an existing outbound; there is no "direct-in" outbound in this config
        "tag": "dns-local"
      }
    ]
  },
  "inbounds": [
    {
      "auto_route": true,
      "endpoint_independent_nat": true,
      "inet4_address": "172.19.0.1/28",
      "interface_name": "neko-tun",
      "mtu": 9000,
      "sniff": true,
      "sniff_override_destination": false,
      "stack": "gvisor",
      "strict_route": false,
      "tag": "tun-in",
      "type": "tun"
    }
  ],
  "log": {
    "level": "warn"
  },
  "outbounds": [
    {
      "tag": "proxy",
      "type": "socks"
    },
    {
      "tag": "direct",
      "type": "direct"
    },
    {
      "tag": "bypass",
      "type": "direct"
    },
    {
      "tag": "dns-out",
      "type": "dns"
    }
  ],
  "route": {
    "auto_detect_interface": true,
    "final": "bypass",
    "rules": [
      {
        "outbound": "bypass",
        "ip_cidr": [
          "172.19.0.1/28"
        ],
        "protocol": "dns"
      },
      {
        "outbound": "dns-out",
        "protocol": "dns"
      },
      { // catch plain dns that sniffing did not identify, as in the earlier config
        "outbound": "dns-out",
        "port": [53]
      },
      {
        "outbound": "proxy",
        "process_name": ["chrome.exe"]
      }
    ]
  }
}

or

{
  "dns": {
    "final": "dns-local",
    "strategy": "ipv4_only",
    "independent_cache": true,
    "rules": [
      {
        "process_name": ["chrome.exe"],
        "server": "dns-remote"
      }
    ],
    "servers": [
      {
        "address": "https://dns.google/dns-query",
        "address_resolver": "dns-local",
        "detour": "proxy",
        "tag": "dns-remote"
      },
      {
        "address": "8.8.8.8",
        "detour": "direct", // detour must name an existing outbound; there is no "direct-in" outbound in this config
        "tag": "dns-local"
      }
    ]
  },
  "inbounds": [
    {
      "auto_route": true,
      "endpoint_independent_nat": true,
      "inet4_address": "172.19.0.1/28",
      "interface_name": "neko-tun",
      "mtu": 9000,
      "sniff": true,
      "sniff_override_destination": false,
      "stack": "gvisor",
      "strict_route": false,
      "tag": "tun-in",
      "type": "tun"
    }
  ],
  "log": {
    "level": "warn"
  },
  "outbounds": [
    {
      "tag": "proxy",
      "type": "socks"
    },
    {
      "tag": "direct",
      "type": "direct"
    },
    {
      "tag": "bypass",
      "type": "direct"
    },
    {
      "tag": "dns-out",
      "type": "dns"
    }
  ],
  "route": {
    "auto_detect_interface": true,
    "final": "bypass",
    "rules": [
      {
        "outbound": "dns-out",
        "protocol": "dns"
      },
      { // catch plain dns that sniffing did not identify, as in the earlier config
        "outbound": "dns-out",
        "port": [53]
      },
      {
        "outbound": "proxy",
        "process_name": ["chrome.exe"]
      }
    ]
  }
}
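An added check, not from the thread and not part of nekoray or sing-box, that applies the diagnosis given above to a config: a DNS server with "address": "local" under a tun inbound that owns the routes (auto_route) is flagged unless a route rule placed above the dns-out rule sends DNS traffic inside the tun subnet to a direct outbound, which is the rule suggested above; a config that uses a plain public resolver instead of "local" passes. The constructed configs at the bottom mirror the shapes posted in this thread (tun on 172.19.0.1/28, outbounds proxy/direct/bypass/dns-out); reading a newer "address" list on the tun inbound in addition to "inet4_address" is an assumption of this example.

```python
"""Added example: lint a sing-box config for the TUN + "local" DNS trap
discussed in this thread.  The constructed configs at the bottom mirror the
shapes posted above; they are not the thread's configs themselves."""
import ipaddress


def tun_subnets(cfg):
    """Subnets of every tun inbound that takes over routing (auto_route)."""
    nets = []
    for inb in cfg.get("inbounds", []):
        if inb.get("type") == "tun" and inb.get("auto_route"):
            # "inet4_address" is the key used in the thread's configs; newer
            # sing-box versions use an "address" list (assumption).
            addrs = inb.get("address") or [inb.get("inet4_address")]
            nets += [ipaddress.ip_network(a, strict=False) for a in addrs if a]
    return nets


def local_dns_tags(cfg):
    """Tags of DNS servers that delegate to the system resolver."""
    return [s["tag"] for s in cfg.get("dns", {}).get("servers", [])
            if s.get("address") == "local"]


def outbound_tags(cfg, kind):
    return {o["tag"] for o in cfg.get("outbounds", []) if o.get("type") == kind}


def first_rule_index(rules, pred):
    return next((i for i, r in enumerate(rules) if pred(r)), None)


def is_tun_dns_bypass(rule, nets, direct_tags):
    """True for a rule like {"protocol": "dns", "ip_cidr": [tun subnet], "outbound": "bypass"}."""
    if rule.get("protocol") != "dns" or rule.get("outbound") not in direct_tags:
        return False
    cidrs = [ipaddress.ip_network(c, strict=False) for c in rule.get("ip_cidr", [])]
    return any(net.subnet_of(c) for net in nets for c in cidrs)


def check_tun_local_dns(cfg):
    """Return a list of findings; an empty list means the trap is not present."""
    nets, local_tags = tun_subnets(cfg), local_dns_tags(cfg)
    if not nets or not local_tags:
        return []  # no tun owning the routes, or no "local" resolver: nothing to flag
    rules = cfg.get("route", {}).get("rules", [])
    direct_tags = outbound_tags(cfg, "direct")
    dns_tags = outbound_tags(cfg, "dns")
    hijack = first_rule_index(rules, lambda r: r.get("outbound") in dns_tags)
    bypass = first_rule_index(rules, lambda r: is_tun_dns_bypass(r, nets, direct_tags))
    if bypass is None:
        return [f"DNS server(s) {local_tags} use 'local' while tun {nets} owns the routes: "
                "queries to a system resolver inside the tun subnet loop back into the tun; "
                "use a plain public resolver or add a protocol=dns + ip_cidr rule for the "
                "tun subnet above the dns-out rule"]
    if hijack is not None and hijack < bypass:
        return [f"tun-subnet DNS bypass rule (index {bypass}) sits below the dns-out rule "
                f"(index {hijack}); rules are first-match, so move it above"]
    return []


# --- constructed configs mirroring the shapes posted in the thread ---------
TUN_IN = {"type": "tun", "tag": "tun-in", "auto_route": True,
          "inet4_address": "172.19.0.1/28"}
OUTBOUNDS = [{"tag": "proxy", "type": "socks"}, {"tag": "direct", "type": "direct"},
             {"tag": "bypass", "type": "direct"}, {"tag": "dns-out", "type": "dns"}]
DNS_OUT = {"outbound": "dns-out", "protocol": "dns"}
TUN_BYPASS = {"outbound": "bypass", "ip_cidr": ["172.19.0.1/28"], "protocol": "dns"}


def make_cfg(servers, rules):
    return {"dns": {"servers": servers}, "inbounds": [TUN_IN],
            "outbounds": OUTBOUNDS, "route": {"final": "bypass", "rules": rules}}


LOCAL = {"address": "local", "detour": "direct", "tag": "dns-local"}
PUBLIC = {"address": "8.8.8.8", "detour": "direct", "tag": "dns-local"}

POSTED_SHAPE = make_cfg([LOCAL], [DNS_OUT])              # "local" + tun, no bypass rule
FIXED_WITH_BYPASS = make_cfg([LOCAL], [TUN_BYPASS, DNS_OUT])
FIXED_WITH_PUBLIC = make_cfg([PUBLIC], [DNS_OUT])
MISORDERED = make_cfg([LOCAL], [DNS_OUT, TUN_BYPASS])   # bypass rule below dns-out

if __name__ == "__main__":
    for name, cfg in [("posted shape", POSTED_SHAPE), ("bypass rule", FIXED_WITH_BYPASS),
                      ("public resolver", FIXED_WITH_PUBLIC), ("misordered", MISORDERED)]:
        print(name, "->", check_tun_local_dns(cfg) or "ok")
```

To run it on a real exported config, load the file with `json.load` (after removing any `//` comments) and pass the resulting dict to `check_tun_local_dns`; the check only reads the dns servers, the tun inbound, the outbound types and the route rules, so redacted server addresses and keys do not matter.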

thanks, I'll give it a try; I've just set plain yandex without encryption, no complaints so far. And what is this caused by in the end?

Tun intercepts all traffic, and the encrypted query goes into routing and hangs in the built-in dns without being resolved. In the case of ipv6 + tun, DNS will drop out entirely, since it will put an address on the interface through which it won't resolve anything, as the working resolver will only be on ipv4, so local must not be specified there at all; that is why in any Chinese configuration the Alibaba DNS is plain, unencrypted.