documentation: Add manuel for mitigating tunnelvision attacks
This commit is contained in:
parent
65c71049ea
commit
9ffdbba2ed
38
docs/manual/misc/tunnelvision.md
Normal file
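--- /dev/null
+++ b/docs/manual/misc/tunnelvision.md
@@ -0,0 +1,38 @@
+---
+icon: material/book-lock-open
+---
+
+# TunnelVision
+
+TunnelVision is an attack that uses DHCP option 121 to set higher priority routes
+so that traffic does not go through the VPN.
+
+Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3661
+
+## Status
+
+### Android
+
+Android does not handle DHCP option 121 and is not affected.
+
+### Apple platforms
+
+Update [sing-box graphical client](/clients/apple/#download) to `1.9.0-rc.16` or newer,
+then enable `includeAllNetworks` in `Settings` — `Packet Tunnel` and you will be unaffected.
+
+Note: when `includeAllNetworks` is enabled, the default TUN stack is changed to `gvisor`,
+and the `system` and `mixed` stacks are not available.
+
+### Linux
+
+Update sing-box to `1.9.0-rc.16` or newer, rules generated by `auto-route` are unaffected.
+
+### Windows
+
+No solution yet.
+
+## Workarounds
+
+* Don't connect to untrusted networks
+* Relay untrusted network through another device
+* Just ignore it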
@ -1,208 +0,0 @@
|
||||||
---
|
|
||||||
icon: material/alpha-t-box
|
|
||||||
---
|
|
||||||
|
|
||||||
# TUIC
|
|
||||||
|
|
||||||
A recently popular Chinese-made simple protocol based on QUIC, the selling point is the BBR congestion control algorithm.
|
|
||||||
|
|
||||||
!!! warning
|
|
||||||
|
|
||||||
Even though GFW rarely blocks UDP-based proxies, such protocols actually have far more characteristics than TCP based proxies.
|
|
||||||
|
|
||||||
| Specification | Binary Characteristics | Active Detect Hiddenness |
|
|
||||||
|-----------------------------------------------------------|------------------------|--------------------------|
|
|
||||||
| [GitHub](https://github.com/EAimTY/tuic/blob/dev/SPEC.md) | :material-alert: | :material-check: |
|
|
||||||
|
|
||||||
## Password Generator
|
|
||||||
|
|
||||||
| Generated UUID | Generated Password | Action |
|
|
||||||
|------------------------|----------------------------|-----------------------------------------------------------------|
|
|
||||||
| <code id="uuid"><code> | <code id="password"><code> | <button class="md-button" onclick="generate()">Refresh</button> |
|
|
||||||
|
|
||||||
<script>
|
|
||||||
function generateUUID() {
|
|
||||||
const uuid = 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function(c) {
|
|
||||||
let r = Math.random() * 16 | 0,
|
|
||||||
v = c === 'x' ? r : (r & 0x3 | 0x8);
|
|
||||||
return v.toString(16);
|
|
||||||
});
|
|
||||||
document.getElementById("uuid").textContent = uuid;
|
|
||||||
}
|
|
||||||
function generatePassword() {
|
|
||||||
const array = new Uint8Array(16);
|
|
||||||
window.crypto.getRandomValues(array);
|
|
||||||
document.getElementById("password").textContent = btoa(String.fromCharCode.apply(null, array));
|
|
||||||
}
|
|
||||||
function generate() {
|
|
||||||
generateUUID();
|
|
||||||
generatePassword();
|
|
||||||
}
|
|
||||||
generate();
|
|
||||||
</script>
|
|
||||||
|
|
||||||
## :material-server: Server Example
|
|
||||||
|
|
||||||
=== ":material-harddisk: With local certificate"
|
|
||||||
|
|
||||||
```json
|
|
||||||
{
|
|
||||||
"inbounds": [
|
|
||||||
{
|
|
||||||
"type": "tuic",
|
|
||||||
"listen": "::",
|
|
||||||
"listen_port": 8080,
|
|
||||||
"users": [
|
|
||||||
{
|
|
||||||
"name": "sekai",
|
|
||||||
"uuid": "<uuid>",
|
|
||||||
"password": "<password>"
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"congestion_control": "bbr",
|
|
||||||
"tls": {
|
|
||||||
"enabled": true,
|
|
||||||
"server_name": "example.org",
|
|
||||||
"key_path": "/path/to/key.pem",
|
|
||||||
"certificate_path": "/path/to/certificate.pem"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
=== ":material-auto-fix: With ACME"
|
|
||||||
|
|
||||||
```json
|
|
||||||
{
|
|
||||||
"inbounds": [
|
|
||||||
{
|
|
||||||
"type": "tuic",
|
|
||||||
"listen": "::",
|
|
||||||
"listen_port": 8080,
|
|
||||||
"users": [
|
|
||||||
{
|
|
||||||
"name": "sekai",
|
|
||||||
"uuid": "<uuid>",
|
|
||||||
"password": "<password>"
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"congestion_control": "bbr",
|
|
||||||
"tls": {
|
|
||||||
"enabled": true,
|
|
||||||
"server_name": "example.org",
|
|
||||||
"acme": {
|
|
||||||
"domain": "example.org",
|
|
||||||
"email": "admin@example.org"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
=== ":material-cloud: With ACME and Cloudflare API"
|
|
||||||
|
|
||||||
```json
|
|
||||||
{
|
|
||||||
"inbounds": [
|
|
||||||
{
|
|
||||||
"type": "tuic",
|
|
||||||
"listen": "::",
|
|
||||||
"listen_port": 8080,
|
|
||||||
"users": [
|
|
||||||
{
|
|
||||||
"name": "sekai",
|
|
||||||
"uuid": "<uuid>",
|
|
||||||
"password": "<password>"
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"congestion_control": "bbr",
|
|
||||||
"tls": {
|
|
||||||
"enabled": true,
|
|
||||||
"server_name": "example.org",
|
|
||||||
"acme": {
|
|
||||||
"domain": "example.org",
|
|
||||||
"email": "admin@example.org",
|
|
||||||
"dns01_challenge": {
|
|
||||||
"provider": "cloudflare",
|
|
||||||
"api_token": "my_token"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
## :material-cellphone-link: Client Example
|
|
||||||
|
|
||||||
=== ":material-web-check: With valid certificate"
|
|
||||||
|
|
||||||
```json
|
|
||||||
{
|
|
||||||
"outbounds": [
|
|
||||||
{
|
|
||||||
"type": "tuic",
|
|
||||||
"server": "127.0.0.1",
|
|
||||||
"server_port": 8080,
|
|
||||||
"uuid": "<uuid>",
|
|
||||||
"password": "<password>",
|
|
||||||
"congestion_control": "bbr",
|
|
||||||
"tls": {
|
|
||||||
"enabled": true,
|
|
||||||
"server_name": "example.org"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
=== ":material-check: With self-sign certificate"
|
|
||||||
|
|
||||||
!!! info "Tip"
|
|
||||||
|
|
||||||
Use `sing-box merge` command to merge configuration and certificate into one file.
|
|
||||||
|
|
||||||
```json
|
|
||||||
{
|
|
||||||
"outbounds": [
|
|
||||||
{
|
|
||||||
"type": "tuic",
|
|
||||||
"server": "127.0.0.1",
|
|
||||||
"server_port": 8080,
|
|
||||||
"uuid": "<uuid>",
|
|
||||||
"password": "<password>",
|
|
||||||
"congestion_control": "bbr",
|
|
||||||
"tls": {
|
|
||||||
"enabled": true,
|
|
||||||
"server_name": "example.org",
|
|
||||||
"certificate_path": "/path/to/certificate.pem"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
=== ":material-alert: Ignore certificate verification"
|
|
||||||
|
|
||||||
```json
|
|
||||||
{
|
|
||||||
"outbounds": [
|
|
||||||
{
|
|
||||||
"type": "tuic",
|
|
||||||
"server": "127.0.0.1",
|
|
||||||
"server_port": 8080,
|
|
||||||
"uuid": "<uuid>",
|
|
||||||
"password": "<password>",
|
|
||||||
"congestion_control": "bbr",
|
|
||||||
"tls": {
|
|
||||||
"enabled": true,
|
|
||||||
"server_name": "example.org",
|
|
||||||
"insecure": true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
|
@ -66,8 +66,9 @@ nav:
|
||||||
- Proxy Protocol:
|
- Proxy Protocol:
|
||||||
- Shadowsocks: manual/proxy-protocol/shadowsocks.md
|
- Shadowsocks: manual/proxy-protocol/shadowsocks.md
|
||||||
- Trojan: manual/proxy-protocol/trojan.md
|
- Trojan: manual/proxy-protocol/trojan.md
|
||||||
- TUIC: manual/proxy-protocol/tuic.md
|
|
||||||
- Hysteria 2: manual/proxy-protocol/hysteria2.md
|
- Hysteria 2: manual/proxy-protocol/hysteria2.md
|
||||||
|
- Misc:
|
||||||
|
- TunnelVision: manual/misc/tunnelvision.md
|
||||||
- Configuration:
|
- Configuration:
|
||||||
- configuration/index.md
|
- configuration/index.md
|
||||||
- Log:
|
- Log:
|
||||||
|
|