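Operating system: Linux
System version: OpenWrt 23.05.3, kernel version 5.15.150
Installation type: sing-box original command line program
If you are using a graphical client, please provide the version of the client: No response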
Version:
root in ~ λ sing-box version
sing-box version 1.10.0-beta.11
Environment: go1.23.1 linux/amd64
Tags: with_gvisor,with_quic,with_dhcp,with_wireguard,with_ech,with_utls,with_reality_server,with_acme,with_clash_api
Revision: 19295f651b13ea1b811c6894409b5e0077c4d349
CGO: disabled
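Description:
Using sing-box as a transparent gateway proxy on the OpenWrt device that handles NAT causes the previously configured routing rules (including traffic rules and port forwards) to stop working. It seems to be caused by sing-box taking over the traffic of all interfaces across the board; I am too weak at nft/iptables to work out the exact mechanism.
From what I have observed, openclash solves this by running a script through init.d that reads the OpenWrt firewall configuration before startup and adds extra RETURN rules to skip marking. One difference from sing-box is that in openclash, redirecting traffic to the clash core is implemented by the startup script rather than by auto-redir as in sing-box. Judging by the names, I guess this is implemented in the two functions firewall_redirect_exclude and firewall_rule_exclude.
If the gateway and NAT are split across two hosts and sing-box runs only on the gateway, the firewall does not need to be considered; sing-box is without doubt the easiest-to-use transparent gateway proxy implementation at present.
Although strictly speaking this is not a sing-box problem, I still hope gateway proxying can also be enabled simply on the OpenWrt device that does NAT. It just occurred to me that this kind of OS-specific adaptation should probably be implemented by a dedicated package, for example [luci-app-]sing-box, in the init.d startup script.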
Steps to reproduce:
/usr/bin/sing-box run -c /etc/sing-box/config.json -D /usr/share/sing-box
Below is the configuration file /etc/sing-box/config.json with unrelated items removed:
/etc/sing-box/config.json
{
  "inbounds": [
    {
      "type": "mixed",
      "tag": "mixed-in",
      "listen": "::",
      "listen_port": 8888
    },
    {
      "type": "direct",
      "tag": "dns-in",
      "listen": "::",
      "listen_port": 5053
    },
    {
      "type": "tun",
      "tag": "tun-in",
      "interface_name": "tunsb",
      "mtu": 9000,
      "gso": false,
      "address": "172.18.0.1/24",
      "auto_route": true,
      "auto_redirect": true,
      "strict_route": false,
      "route_address": [
        "0.0.0.0/1",
        "128.0.0.0/1",
        "::/1",
        "8000::/1"
      ],
      "route_exclude_address": [
        "10.0.0.0/8",
        "172.16.0.0/24",
        "192.168.0.0/16",
        "fc00::/7"
      ],
      "sniff": true,
      "sniff_override_destination": true
    }
  ],
  "route": {
    "final": "FINAL",
    "auto_detect_interface": true
  },
  "experimental": {
    "cache_file": {
      "enabled": true
    }
  }
}
Logs:
N/A. sing-box itself runs normally as expected, so I am not pasting the sing-box log.
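The workaround the issue attributes to openclash (read the OpenWrt firewall configuration before start, then add RETURN rules so forwarded traffic skips marking) can be illustrated as follows. This is an added example, not code from the issue, sing-box or openclash; it assumes anonymous `redirect` sections in `uci show firewall` output, and the chain name `inet proxy_demo prerouting` and the sample data are placeholders constructed here.

```shell
# Added example: print nft "return" rules for OpenWrt port forwards so that
# replies from forwarded LAN servers skip the proxy's marking chain.
# stdin: `uci show firewall` text; $1: "<family> <table> <chain>" (placeholder).
gen_exclude_rules() {
    awk -v chain="$1" -v q="'" '
    function emit(   n, i, p, port) {
        port = (dport != "") ? dport : sdport   # no dest_port: port is unchanged
        if (proto == "") proto = "tcp udp"      # assumed default: both protocols
        # Only literal IPv4 addresses and numeric ports or ranges are emitted,
        # so a crafted config value cannot smuggle extra nft syntax.
        if (seen && enabled != "0" && target != "SNAT" &&
            ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && port ~ /^[0-9]+(-[0-9]+)?$/) {
            n = split(proto, p, " ")
            for (i = 1; i <= n; i++)
                if (p[i] == "tcp" || p[i] == "udp")
                    printf "nft insert rule %s ip saddr %s %s sport %s return\n", chain, ip, p[i], port
        }
        ip = dport = sdport = proto = enabled = target = ""; seen = 0
    }
    /^firewall\.@redirect\[[0-9]+\]=redirect$/ { emit(); seen = 1; next }
    /^firewall\.@redirect\[[0-9]+\]\./ {
        key = $0; sub(/[=].*/, "", key); sub(/^.*\]\./, "", key)
        val = substr($0, index($0, "=") + 1); gsub(q, "", val)
        if (key == "dest_ip") ip = val
        else if (key == "dest_port") dport = val
        else if (key == "src_dport") sdport = val
        else if (key == "proto") proto = val
        else if (key == "enabled") enabled = val
        else if (key == "target") target = val
    }
    END { emit() }'
}
sample_uci_show() {   # constructed sample input, not taken from the issue
    cat <<'EOF'
firewall.@redirect[0]=redirect
firewall.@redirect[0].proto='tcp'
firewall.@redirect[0].src_dport='2222'
firewall.@redirect[0].dest_ip='192.168.1.10'
firewall.@redirect[0].dest_port='22'
firewall.@redirect[1]=redirect
firewall.@redirect[1].proto='tcp udp'
firewall.@redirect[1].src_dport='51820'
firewall.@redirect[1].dest_ip='192.168.1.20'
firewall.@redirect[2]=redirect
firewall.@redirect[2].src_dport='80'
firewall.@redirect[2].dest_ip='192.168.1.30; flush ruleset'
EOF
}
sample_uci_show | gen_exclude_rules "inet proxy_demo prerouting"
```

The function only prints the commands; the third sample entry is dropped because its `dest_ip` is not a plain IPv4 address.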
Try 0ef4f80
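I'm touched, it got patched so quickly. But I have no way to test it for the moment, so I can only wait for someone who happens to be able to, or until I get home.
The change doesn't look big; it would be great if it could be merged into some branch with prebuilt binaries. I'm not only weak at nft but also weak at compiling 🥲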
GOOS=linux GOARCH=arm64 make