From b2cd78d279109c315b95f792bd60e434dadbb82c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E4=B8=96=E7=95=8C?= Date: Sun, 6 Nov 2022 10:15:13 +0800 Subject: [PATCH] Move WFP manipulation to strict route --- docs/changelog.md | 1 + docs/configuration/inbound/tun.md | 11 +++++++++-- docs/configuration/inbound/tun.zh.md | 17 ++++++++++++----- go.mod | 2 +- go.sum | 4 ++-- 5 files changed, 25 insertions(+), 10 deletions(-) diff --git a/docs/changelog.md b/docs/changelog.md index c3d25ab6..c2c879a7 100644 --- a/docs/changelog.md +++ b/docs/changelog.md @@ -3,6 +3,7 @@ * Split bind_address into ipv4 and ipv6 * Fix WireGuard outbound panic when close * Fix macOS Ventura process name match +* Move WFP manipulation to strict route #### 1.1-beta12 diff --git a/docs/configuration/inbound/tun.md b/docs/configuration/inbound/tun.md index ed3259a9..0528fec4 100644 --- a/docs/configuration/inbound/tun.md +++ b/docs/configuration/inbound/tun.md @@ -93,16 +93,23 @@ Set the default route to the Tun. #### strict_route -*In Linux*: - Enforce strict routing rules when `auto_route` is enabled: +*In Linux*: + * Let unsupported network unreachable * Route all connections to tun It prevents address leaks and makes DNS hijacking work on Android and Linux with systemd-resolved, but your device will not be accessible by others. +*In Windows*: + +* Add firewall rules to prevent DNS leak caused by + Windows' [ordinary multihomed DNS resolution behavior](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197552%28v%3Dws.10%29) + +It may prevent some applications (such as VirtualBox) from working properly in certain situations. + #### inet4_route_address Use custom routes instead of default when `auto_route` is enabled. diff --git a/docs/configuration/inbound/tun.zh.md b/docs/configuration/inbound/tun.zh.md index e353570a..80c63108 100644 --- a/docs/configuration/inbound/tun.zh.md +++ b/docs/configuration/inbound/tun.zh.md 
@@ -8,7 +8,6 @@ { "type": "tun", "tag": "tun-in", - "interface_name": "tun0", "inet4_address": "172.19.0.1/30", "inet6_address": "fdfe:dcba:9876::1/126", @@ -47,8 +46,8 @@ "exclude_package": [ "com.android.captiveportallogin" ], - - ... // 监听字段 + ... + // 监听字段 } ``` @@ -94,15 +93,23 @@ tun 接口的 IPv6 前缀。 #### strict_route -*在 Linux 中*: - 启用 `auto_route` 时执行严格的路由规则。 +*在 Linux 中*: + * 让不支持的网络无法到达 * 将所有连接路由到 tun 它可以防止地址泄漏,并使 DNS 劫持在 Android 和使用 systemd-resolved 的 Linux 上工作,但你的设备将无法其他设备被访问。 +*在 Windows 中*: + +* 添加防火墙规则以阻止 Windows + 的 [普通多宿主 DNS 解析行为](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197552%28v%3Dws.10%29) + 造成的 DNS 泄露 + +它可能会使某些应用程序(如 VirtualBox)在某些情况下无法正常工作。 + #### inet4_route_address 启用 `auto_route` 时使用自定义路由而不是默认路由。 diff --git a/go.mod b/go.mod index 41b709dd..15103726 100644 --- a/go.mod +++ b/go.mod @@ -26,7 +26,7 @@ require ( github.com/sagernet/sing v0.0.0-20221008120626-60a9910eefe4 github.com/sagernet/sing-dns v0.0.0-20221031055845-7de76401d403 github.com/sagernet/sing-shadowsocks v0.0.0-20220819002358-7461bb09a8f6 - github.com/sagernet/sing-tun v0.0.0-20221028015259-ea5c35f62f07 + github.com/sagernet/sing-tun v0.0.0-20221104121441-66c48a57776f github.com/sagernet/sing-vmess v0.0.0-20220925083655-063bc85ea685 github.com/sagernet/smux v0.0.0-20220831015742-e0f1988e3195 github.com/sagernet/websocket v0.0.0-20220913015213-615516348b4e diff --git a/go.sum b/go.sum index 57955ea1..7f4603a0 100644 --- a/go.sum +++ b/go.sum 
@@ -138,8 +138,8 @@ github.com/sagernet/sing-dns v0.0.0-20221031055845-7de76401d403 h1:kKDO97rx+JVJ4
 github.com/sagernet/sing-dns v0.0.0-20221031055845-7de76401d403/go.mod h1:cyL9DHbBZ0Xlt/8VD0i6yeiDayH0KzWGNQb8MYhhz7g=
 github.com/sagernet/sing-shadowsocks v0.0.0-20220819002358-7461bb09a8f6 h1:JJfDeYYhWunvtxsU/mOVNTmFQmnzGx9dY034qG6G3g4=
 github.com/sagernet/sing-shadowsocks v0.0.0-20220819002358-7461bb09a8f6/go.mod h1:EX3RbZvrwAkPI2nuGa78T2iQXmrkT+/VQtskjou42xM=
-github.com/sagernet/sing-tun v0.0.0-20221028015259-ea5c35f62f07 h1:zupkkVVFWv0QsLPjxEzlzXlLfDk1hUujK8ctJSIKFCI=
-github.com/sagernet/sing-tun v0.0.0-20221028015259-ea5c35f62f07/go.mod h1:1u3pjXA9HmH7kRiBJqM3C/zPxrxnCLd3svmqtub/RFU=
+github.com/sagernet/sing-tun v0.0.0-20221104121441-66c48a57776f h1:CXF+nErOb9f7qiHingSgTa2/lJAgmEFtAQ47oVwdRGU=
+github.com/sagernet/sing-tun v0.0.0-20221104121441-66c48a57776f/go.mod h1:1u3pjXA9HmH7kRiBJqM3C/zPxrxnCLd3svmqtub/RFU=
 github.com/sagernet/sing-vmess v0.0.0-20220925083655-063bc85ea685 h1:AZzFNRR/ZwMTceUQ1b/mxx6oyKqmFymdMn/yleJmoVM=
 github.com/sagernet/sing-vmess v0.0.0-20220925083655-063bc85ea685/go.mod h1:bwhAdSNET1X+j9DOXGj9NIQR39xgcWIk1rOQ9lLD+gM=
 github.com/sagernet/smux v0.0.0-20220831015742-e0f1988e3195 h1:5VBIbVw9q7aKbrFdT83mjkyvQ+VaRsQ6yflTepfln38=