Tailscale cannot access the internal network via internal IP addresses #2998

Closed
5 tasks done
YouM1225-1 opened this issue May 17, 2025 · 1 comment
@YouM1225-1

Operating system

Linux

System version

Debian GNU/Linux 12

Installation type

Original sing-box command-line program

If you are using a graphical client, please provide the version of that client.

No response

Version

sing-box version 1.12.0-beta.14
Environment: go1.24.3 linux/amd64
Tags: with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale
Revision: 462bd95472cba70bef1b878916f263d87366a8ca
CGO: disabled

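Description

From the external network, internal services cannot be reached via an internal IP address such as 192.168.3.2, but they can be reached via the 100.xxx.xxx.xxx address assigned by Tailscale. Subnet routes (192.168.3.20/24) are enabled in Tailscale.

sing-box prints the following at startup: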
TRACE[0037] endpoint/tailscale[ts-ep]: error polling for open ports: error initializing poller: portlist disabled by sing-box

The internal address can be pinged from the external network:
PING 192.168.3.20 (192.168.3.20) 56(84) bytes of data.
64 bytes from 192.168.3.20: icmp_seq=1 ttl=64 time=44.8 ms
64 bytes from 192.168.3.20: icmp_seq=2 ttl=64 time=18.9 ms
The Tailscale address cannot be pinged from the internal network:
PING 100.71.82.79 (100.71.82.79): 56 data bytes
64 bytes from 100.71.82.79: icmp_seq=0 ttl=62 time=0.640 ms
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2

Steps to reproduce

Complete minimal configuration file that reproduces the issue:
{
  "log": {
    "level": "info"
  },
  "dns": {
    "final": "dns_proxy",
    "disable_cache": false,
    "strategy": "ipv4_only",
    "servers": [
      {
        "tag": "dns_proxy",
        "type": "udp",
        "server": "8.8.8.8",
        "detour": "proxy"
      },
      {
        "tag": "dns_direct",
        "type": "udp",
        "server": "223.5.5.5"
      }
    ],
    "rules": [
    ]
  },
  "inbounds": [
    {
      "type": "tun",
      "tag": "tun-in",
      "stack": "system",
      "address": [
        "172.18.0.1/30"
      ],
      "mtu": 9000,
      "auto_route": true,
      "auto_redirect": true,
      "route_exclude_address_set": "geoip-cn",
      "strict_route": false,
      "udp_timeout": "5m"
    }
  ],
  "endpoints": [
    {
      "type": "tailscale",
      "tag": "ts-ep",
      "ephemeral": false,
      "hostname": "sing-box",
      "advertise_routes": ["192.168.3.0/24"],
      "advertise_exit_node": true
    }
  ],
  "outbounds": [
    {
      "type": "anytls",
      "tag": "proxy",
      "server": ,
      "server_port": 8443,
      "tcp_fast_open": true,
      "password": ,
      "idle_session_check_interval": "30s",
      "idle_session_timeout": "30m",
      "min_idle_session": 20,
      "tls": {
        "enabled": true,
        "insecure": true,
        "server_name": ,
      }
    },
    {
      "type": "direct",
      "tag": "direct"
    }
  ],
  "route": {
    "default_domain_resolver": {
      "server": "dns_direct"
    },
    "final": "proxy",
    "auto_detect_interface": true,
    "rules": [
      {
        "action": "sniff"
      },
      {
        "protocol": "dns",
        "action": "hijack-dns"
      },
      {
        "ip_is_private": true,
        "outbound": "direct"
      },
      {
        "rule_set": "geoip-cn",
        "outbound": "direct"
      }
    ],
    "rule_set": [
      {
        "tag": "geoip-cn",
        "format": "binary",
        "type": "remote",
        "url": "https://raw.githubusercontent.com/Loyalsoldier/geoip/refs/heads/release/srs/cn.srs",
        "download_detour": "proxy"
      }
    ]
  }
}

Logs

Connection log:
TRACE[0699] endpoint/tailscale[ts-ep]: control: [v1] new network map (periodic):
netmap: self: [MYOck] auth=machine-authorized [email protected] [100.90.101.113/32 fd7a:125c:a1e0::7611:6572/128]
TRACE[0699] endpoint/tailscale[ts-ep]: control: [v1] mapRoutine: netmap received: state:synchronized
TRACE[0699] endpoint/tailscale[ts-ep]: control: [v1] sendStatus: mapRoutine-got-netmap: state:synchronized
TRACE[0699] endpoint/tailscale[ts-ep]: [v1] netmap diff:
- [vqh2g] d:ddb07f048e7d4159 D901 100.102.173.26 fd7a:115c:a1e0::1001:ad1e/128 :   36.21.139.134:30795 [2409:8129:6a5c:98d1:8b0:55f7:1621:bd60]:41641 [2409:8139:6a5c:98d1:b410:83d4:6dce:b446]:41641 
+ [vqh2g] d:fd83aafc06835b41 D901 100.102.175.26 fd7a:115c:a1e1::1001:ad1e/128 :
TRACE[0699] endpoint/tailscale[ts-ep]: [v1] magicsock: got updated network map; 3 peers
TRACE[0699] endpoint/tailscale[ts-ep]: [v1] magicsock: disco: node [vqh2g] changed from discokey:ddb07f049e7d415949ee01e1cbf5e4aade13beddca01f7a5f8f2cdb49d836c7c to discokey:fd83aafc06835b32d1aa5b365469fccb69b88cff47eb17fbdd2580a814e8740f
TRACE[0699] endpoint/tailscale[ts-ep]: wgengine: Reconfig: [vqh2g] changed from "discokey:ddb07f049e7d415949ee01e1cbf5e4aa9e13beddca01f7a5f8f2cdb49d836c7c" to "discokey:fd83aafc06835b31d16a5b365469fccb68b88cff47eb17fbdd2580a814e8740f"
TRACE[0699] endpoint/tailscale[ts-ep]: [v1] magicsock: peermtu: peer MTU status is false
TRACE[0699] endpoint/tailscale[ts-ep]: wgengine: Reconfig: configuring userspace WireGuard config (with 0/3 peers)
TRACE[0699] endpoint/tailscale[ts-ep]: wg: [v2] [8O4qL] - UAPI: Removing
TRACE[0699] endpoint/tailscale[ts-ep]: wg: [v2] [8O4qL] - Stopping
TRACE[0699] endpoint/tailscale[ts-ep]: [v1] wgengine: Reconfig done
TRACE[0699] endpoint/tailscale[ts-ep]: [v1] authReconfig: ra=false dns=true 0x00: <nil>
TRACE[0700] endpoint/tailscale[ts-ep]: control: [v1] mapRoutine: netmap received: state:synchronized
TRACE[0700] endpoint/tailscale[ts-ep]: control: [v1] sendStatus: mapRoutine-got-netmap: state:synchronized
TRACE[0700] endpoint/tailscale[ts-ep]: [v1] netmap diff: (none)
TRACE[0700] endpoint/tailscale[ts-ep]: [v1] magicsock: got updated network map; 3 peers
TRACE[0700] endpoint/tailscale[ts-ep]: [v1] magicsock: peermtu: peer MTU status is false
TRACE[0700] endpoint/tailscale[ts-ep]: [v1] wgengine: Reconfig done
TRACE[0700] endpoint/tailscale[ts-ep]: [v1] authReconfig: ra=false dns=true 0x00: <nil>

When accessing 192.168.3.20:9090:
INFO[1167] endpoint/tailscale[ts-ep]: inbound connection from 100.102.173.26:58446
INFO[1167] endpoint/tailscale[ts-ep]: inbound connection to 192.168.3.2:9090
DEBUG[1167] router: match[0] => sniff
DEBUG[1167] router: match[2] ip_is_private=true => route(direct)
INFO[1167] outbound/direct[direct]: outbound connection to 192.168.3.2:9090
ERROR[1167] connection: open connection to 192.168.3.2:9090 using outbound/direct[direct]: dial tcp 192.168.3.2:9090: connect: no route to host
ERROR[1167] connection: open connection to 192.168.3.2:9090 using outbound/direct[direct]: dial tcp 192.168.3.2:9090: connect: no route to host
ERROR[1167] connection: open connection to 192.168.3.2:9090 using outbound/direct[direct]: dial tcp 192.168.3.2:9090: connect: no route to host
ERROR[1167] connection: open connection to 192.168.3.2:9090 using outbound/direct[direct]: dial tcp 192.168.3.2:9090: connect: no route to host

Access via the Tailscale address 100.90.101.113:9090 works normally:
TRACE[1298] endpoint/tailscale[ts-ep]: netcheck: [v1] report: udp=true v6=false v6os=true mapvarydest= portmap= v4a=46.22.77.234:12309 derp=901 derpdist=901v4:11ms
TRACE[1298] endpoint/tailscale[ts-ep]: [v1] Accept: TCP{100.102.173.26:58110 > 100.90.101.113:9090} 64 tcp ok
INFO[1298] endpoint/tailscale[ts-ep]: inbound connection from 100.102.173.26:58110
INFO[1298] endpoint/tailscale[ts-ep]: inbound connection to 127.0.0.1:9090
DEBUG[1298] router: match[0] => sniff
TRACE[1298] endpoint/tailscale[ts-ep]: [v1] Accept: TCP{100.90.101.113:9090 > 100.102.173.26:58110} 60 ok out
TRACE[1298] endpoint/tailscale[ts-ep]: [v1] Accept: TCP{100.102.173.26:58110 > 100.90.101.113:9090} 52 tcp non-syn
DEBUG[1298] router: sniffed protocol: http, domain: 100.90.101.113
DEBUG[1298] router: match[2] ip_is_private=true => route(direct)
INFO[1298] outbound/direct[direct]: outbound connection to 127.0.0.1:9090
INFO[1298] endpoint/tailscale[ts-ep]: inbound connection from 100.102.173.26:58111
INFO[1298] endpoint/tailscale[ts-ep]: inbound connection to 127.0.0.1:9090
DEBUG[1298] router: match[0] => sniff
INFO[1298] endpoint/tailscale[ts-ep]: inbound connection from 100.102.173.26:58112
INFO[1298] endpoint/tailscale[ts-ep]: inbound connection to 127.0.0.1:9090
DEBUG[1298] router: match[0] => sniff
DEBUG[1298] router: sniffed protocol: http, domain: 100.90.101.113
DEBUG[1298] router: sniffed protocol: http, domain: 100.90.101.113
DEBUG[1298] router: match[2] ip_is_private=true => route(direct)
DEBUG[1298] router: match[2] ip_is_private=true => route(direct)
INFO[1298] outbound/direct[direct]: outbound connection to 127.0.0.1:9090
INFO[1298] outbound/direct[direct]: outbound connection to 127.0.0.1:9090

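Support us

Integrity requirements

  • I confirm that I have read the documentation and understand the meaning of every configuration item I wrote, rather than piling up seemingly useful options or default values.
  • I confirm that I have provided server and client configuration files and a procedure that can reproduce the issue locally, rather than a desensitized, complex client configuration file.
  • I confirm that I have provided the simplest configuration that can be used to reproduce the error I reported, rather than one that depends on remote servers, TUN, graphical clients, or other closed-source software.
  • I confirm that I have provided the complete configuration file and logs, rather than only the parts I consider useful out of confidence in my own intelligence.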
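
A triage helper for logs like the ones quoted in this issue, added here as an example and not code from the issue author or from sing-box: it groups connections accepted by the Tailscale endpoint by destination and reports which destinations then failed at the outbound, which separates the subnet-route case (`192.168.3.2:9090`, "no route to host") from the working Tailscale-address case (`127.0.0.1:9090`). The sample lines are constructed from the log format shown above, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the sing-box log lines quoted in the issue.
SAMPLE_LOG = """\
INFO[1167] endpoint/tailscale[ts-ep]: inbound connection from 100.102.173.26:58446
INFO[1167] endpoint/tailscale[ts-ep]: inbound connection to 192.168.3.2:9090
DEBUG[1167] router: match[2] ip_is_private=true => route(direct)
INFO[1167] outbound/direct[direct]: outbound connection to 192.168.3.2:9090
ERROR[1167] connection: open connection to 192.168.3.2:9090 using outbound/direct[direct]: dial tcp 192.168.3.2:9090: connect: no route to host
INFO[1298] endpoint/tailscale[ts-ep]: inbound connection from 100.102.173.26:58110
INFO[1298] endpoint/tailscale[ts-ep]: inbound connection to 127.0.0.1:9090
INFO[1298] outbound/direct[direct]: outbound connection to 127.0.0.1:9090
"""

# Patterns for the three line shapes that matter for this triage.
INBOUND = re.compile(r"endpoint/tailscale\[[^\]]+\]: inbound connection to (?P<dst>\S+)")
OUTBOUND = re.compile(r"outbound/\w+\[[^\]]+\]: outbound connection to (?P<dst>\S+)")
FAILED = re.compile(r"open connection to (?P<dst>\S+) using outbound/\w+\[[^\]]+\]: (?P<err>.+)$")


def summarize(log_text):
    """Count, per destination, endpoint accepts, outbound dials and dial errors."""
    stats = defaultdict(lambda: {"inbound": 0, "dialed": 0, "errors": defaultdict(int)})
    for line in log_text.splitlines():
        if m := INBOUND.search(line):
            stats[m["dst"]]["inbound"] += 1
        elif m := OUTBOUND.search(line):
            stats[m["dst"]]["dialed"] += 1
        elif m := FAILED.search(line):
            # Keep only the final cause, e.g. "no route to host".
            cause = m["err"].rsplit(": ", 1)[-1]
            stats[m["dst"]]["errors"][cause] += 1
    return stats


def failing_destinations(log_text):
    """Destinations that were dialed but produced at least one error, with causes."""
    return {dst: dict(s["errors"])
            for dst, s in summarize(log_text).items() if s["errors"]}


if __name__ == "__main__":
    for dst, causes in failing_destinations(SAMPLE_LOG).items():
        print(dst, causes)
```
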
@YouM1225-1
Author

@nekohasekai Fixed in beta18
