Tailscale endpoint does not correctly handle the 100.64.0.0/10 range #2962

qiangxinglin opened this issue May 8, 2025 · 1 comment

qiangxinglin commented May 8, 2025

Operating system

Windows

System version

Win10 LTSC 21H2

Installation type

Original sing-box command-line program

If you are using a graphical client, please provide the version of the client.

No response

Version

sing-box version 1.12.0-beta.11

Environment: go1.24.3 windows/amd64
Tags: with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale
Revision: 3222b627149a93a486b95d5f75d8401592445db6
CGO: disabled

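Description

When using the tailscale endpoint, singbox does not hand the 100.64.0.0/10 range to the endpoint to send out directly, but instead falls back to the final route.final

Reproduction

Assume the tailscale network contains another device DEVICE-A, LAN IP 192.168.50.1, --advertise-routes 192.168.50.0/24, tailscale-assigned IP 100.120.120.120

The singbox configuration is as follows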

  "inbounds": [
    {
      "type": "tun",
      "address": [
        "172.19.0.1/30"
      ],
      "auto_route": true,
      "strict_route": false
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "direct"
    },
    {
      "type": "trojan",
      "server": "MY_SERVER",
      "tag": "proxy"
    }
  ],
  "dns": {
    "strategy": "ipv4_only",
    "final": "google",
    "servers": [
      {
        "tag": "local",
        "type": "https",
        "server": "223.5.5.5"
      },
      {
        "tag": "google",
        "type": "tls",
        "server": "8.8.8.8",
        "detour": "proxy"
      },
      {
        "tag": "ts-dns",
        "type": "tailscale",
        "endpoint": "ts-ep",
        "accept_default_resolvers": true
      }
    ],
    "rules": [
      {
        "ip_accept_any": true,
        "server": "ts-dns",
        "domain_suffix": "ts.net"
      },
      {
        "rule_set": "geosite-geolocation-cn",
        "server": "local"
      },
      {
        "type": "logical",
        "mode": "and",
        "rules": [
          {
            "rule_set": "geosite-geolocation-!cn",
            "invert": true
          },
          {
            "rule_set": "geoip-cn"
          }
        ],
        "server": "local"
      }
    ]
  },
  "route": {
    "rules": [
      {
        "action": "sniff"
      },
      {
        "protocol": "dns",
        "action": "hijack-dns"
      },
      {
        "ip_cidr": [
          "192.168.50.0/24"
        ],
        "outbound": "ts-ep"
      },
      {
        "ip_is_private": true,
        "outbound": "direct"
      }
    ],
    "default_domain_resolver": {
      "server": "local",
      "rewrite_ttl": 60
    },
    "final": "proxy",
    "auto_detect_interface": true
  },
  "endpoints": [
    {
      "type": "tailscale",
      "tag": "ts-ep",
      "state_directory": "tailscale"
    }
  ]

curl http://192.168.50.1/, the log is as follows

INFO [4082243690 0ms] inbound/tun[0]: inbound connection from 172.19.0.1:62676
INFO [4082243690 0ms] inbound/tun[0]: inbound connection to 192.168.50.1:80
DEBUG [4082243690 0ms] router: match[0] => sniff
DEBUG [4082243690 27ms] router: sniffed protocol: http, domain: 192.168.50.1
DEBUG [4082243690 27ms] router: match[2] ip_cidr=[192.168.50.0/16] => route(ts-ep)
INFO [4082243690 27ms] endpoint/tailscale[ts-ep]: outbound connection to 192.168.50.1:80

curl http://100.120.120.120/, the log is as follows

INFO [3128191560 0ms] inbound/tun[0]: inbound connection from 172.19.0.1:63473
INFO [3128191560 0ms] inbound/tun[0]: inbound connection to 100.120.120.120:80
DEBUG [3128191560 0ms] router: match[0] => sniff
DEBUG [3128191560 0ms] router: sniffed protocol: http, domain: 100.120.120.120
INFO [3128191560 2ms] outbound/trojan[proxy]: outbound connection to 100.120.120.120:80

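It can be seen that when the request uses the IP 100.120.120.120, singbox used route.final for the connection and did not use ts-ep for a direct connection
Note: even adding 100.64.0.0/10 to route.rules[].ip_cidr still has no effect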

      {
        "ip_cidr": [
          "100.64.0.0/10",
          "192.168.50.0/24"
        ],
        "outbound": "ts-ep"
      },

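Logs

Support us

Integrity requirements

  • I confirm that I have read the documentation and understand the meaning of every configuration item I wrote, rather than piling up seemingly useful options or default values.
  • I confirm that I have provided server and client configuration files and a procedure that can reproduce the issue locally, rather than a sanitized complex client configuration file.
  • I confirm that I have provided the minimal configuration that can reproduce the error I reported, rather than relying on remote servers, TUN, graphical client programs, or other closed-source software.
  • I confirm that I have provided complete configuration files and logs, rather than providing only the parts I consider useful out of confidence in my own intelligence.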
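
A log check for the misrouting shown in the two curl traces above, as an added example that is not part of the original issue or of sing-box: it flags connections whose destination lies in a tailnet range but whose outbound handler is not the `ts-ep` endpoint, which is how traffic meant for the tailnet ends up at the remote proxy. The name `find_misrouted` and the assumption that log lines follow the format quoted in the issue are assumptions of this example.

```python
import ipaddress
import re

# Ranges the issue's configuration expects to stay inside the tailnet.
TAILNET_CIDRS = [ipaddress.ip_network(c) for c in ("100.64.0.0/10", "192.168.50.0/24")]
EXPECTED_TAG = "ts-ep"  # tag of the tailscale endpoint in the issue's config

# Assumed line format, taken from the logs quoted in the issue, e.g.
# "INFO [3128191560 2ms] outbound/trojan[proxy]: outbound connection to 100.120.120.120:80"
LINE_RE = re.compile(
    r"\[(?P<conn>\d+) \d+ms\] "
    r"(?P<kind>outbound|endpoint)/(?P<type>[\w-]+)\[(?P<tag>[^\]]+)\]: "
    r"outbound connection to (?P<host>\S+):(?P<port>\d+)\s*$"
)

def find_misrouted(log_lines, cidrs=TAILNET_CIDRS, expected_tag=EXPECTED_TAG):
    """Return one record per connection to a tailnet address that left via another handler."""
    findings = []
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not an "outbound connection" line
        try:
            dest = ipaddress.ip_address(m["host"].strip("[]"))
        except ValueError:
            continue  # domain destination: cannot be judged from this line alone
        if any(dest in net for net in cidrs) and m["tag"] != expected_tag:
            findings.append({
                "conn": m["conn"],
                "dest": str(dest),
                "port": int(m["port"]),
                "via": f'{m["kind"]}/{m["type"]}[{m["tag"]}]',
            })
    return findings

# Log lines copied from the two curl runs quoted in the issue.
SAMPLE_LOG = """\
INFO [4082243690 0ms] inbound/tun[0]: inbound connection to 192.168.50.1:80
DEBUG [4082243690 27ms] router: match[2] ip_cidr=[192.168.50.0/16] => route(ts-ep)
INFO [4082243690 27ms] endpoint/tailscale[ts-ep]: outbound connection to 192.168.50.1:80
INFO [3128191560 0ms] inbound/tun[0]: inbound connection to 100.120.120.120:80
DEBUG [3128191560 0ms] router: sniffed protocol: http, domain: 100.120.120.120
INFO [3128191560 2ms] outbound/trojan[proxy]: outbound connection to 100.120.120.120:80
""".splitlines()

if __name__ == "__main__":
    for f in find_misrouted(SAMPLE_LOG):
        print(f'conn {f["conn"]}: {f["dest"]}:{f["port"]} left via {f["via"]}, expected {EXPECTED_TAG}')
```
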
@YouM1225-1

Seems like the same problem: unable to access the internal network range

qiangxinglin changed the title "Tailscale entrypoint does not correctly handle the 100.64.0.0/12 range" to "Tailscale endpoint does not correctly handle the 100.64.0.0/12 range" May 8, 2025
qiangxinglin changed the title "Tailscale endpoint does not correctly handle the 100.64.0.0/12 range" to "Tailscale endpoint does not correctly handle the 100.64.0.0/10 range" May 9, 2025
nekohasekai added the bug (Something isn't working) label May 12, 2025
nekohasekai added this to the 1.12 Next milestone May 12, 2025