Try to fix sing-tun hotspot

reference from https://github.com/Kr328/vpn-gateway
CHIZI-0618 · Jul 2, 2024 · dc78cdb · dc78cdb
1 parent e7f3e07
commit dc78cdb
Show file tree

Hide file tree

Showing 3 changed files with 89 additions and 22 deletions.
diff --git a/box/scripts/box.config b/box/scripts/box.config
@@ -9,6 +9,7 @@ clash_dns_listen="0.0.0.0:${clash_dns_port}"
 fake_ip_range_v4="198.18.0.0/15"
 fake_ip_range_v6="fc00::/18"
 tun_device="tun0"
+tun_forward="enable"
 
 box_user_group="root:net_admin"
 # If you want to change the user or group, you must make the Box core in the /system/bin directory, otherwise the changes will not take effect.

diff --git a/box/scripts/box.service b/box/scripts/box.service
@@ -37,24 +37,6 @@ log() {
   esac
 }
 
-create_tun_link() {
-  mkdir -p /dev/net
-  [ ! -L /dev/net/tun ] && ln -s /dev/tun /dev/net/tun
-}
-
-probe_tun_device() {
-  ifconfig | grep -q ${tun_device} || return 1
-}
-
-forward() {
-  iptables -w 100 $1 FORWARD -o ${tun_device} -j ACCEPT
-  iptables -w 100 $1 FORWARD -i ${tun_device} -j ACCEPT
-  ip6tables -w 100 $1 FORWARD -o ${tun_device} -j ACCEPT
-  ip6tables -w 100 $1 FORWARD -i ${tun_device} -j ACCEPT
-  echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter=2
-  echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter=2
-}
-
 check_permission() {
   if which ${bin_name} | grep -q "/system/bin/" ; then
     box_user=$(echo ${box_user_group} | awk -F ':' '{print $1}')
@@ -186,15 +168,12 @@ display_bin_status() {
 start_service() {
   if check_permission ; then
     log Info "${bin_name} will be started with the ${box_user_group} user group."
-    [ "${proxy_method}" != "TPROXY" ] && create_tun_link
     if start_bin && wait_bin_listen ; then
       log Info "${bin_name} service is running. ( PID: $(cat ${pid_file}) )"
-      probe_tun_device && forward -I
       return 0
     else
       if bin_pid=$(pidof ${bin_name}) ; then
         log Warn "${bin_name} service is running but may not listening. ( PID: ${bin_pid} )"
-        probe_tun_device && forward -I
         return 0
       else
         log Error "start ${bin_name} service failed, please check the ${run_path}/error_${bin_name}.log file."
@@ -212,7 +191,6 @@ stop_service() {
   if display_bin_status ; then
     log Warn "stopping ${bin_name} service."
     kill $(cat ${pid_file}) || killall ${bin_name}
-    forward -D >> /dev/null 2>&1
     sleep 1
     display_bin_status
   fi

diff --git a/box/scripts/box.tproxy b/box/scripts/box.tproxy
@@ -429,6 +429,88 @@ enable_ipv6() {
   echo 0 > /proc/sys/net/ipv6/conf/wlan0/disable_ipv6
 }
 
+# create_tun_link() {
+#   mkdir -p /dev/net
+#   [ ! -L /dev/net/tun ] && ln -s /dev/tun /dev/net/tun
+# }
+
+probe_tun_device() {
+  ifconfig | grep -q ${tun_device} || return 1
+}
+
+probe_tun_index() {
+  while [ ! -f "/data/misc/net/rt_tables" ] ; do
+    sleep 3
+  done
+  cat /data/misc/net/rt_tables | while read -r index name ; do
+    if [ ${name} = ${tun_device} ] ; then
+      tun_table_index=${index}
+      return 0
+    fi
+  done
+  return 1
+}
+
+tun_forward_ip_rules() {
+  ip rule $1 iif lo goto 6000 pref 5000
+  ip rule $1 iif ${tun_device} lookup main suppress_prefixlength 0 pref 5010
+  ip rule $1 iif ${tun_device} goto 6000 pref 5020
+  ip rule $1 from 10.0.0.0/8 lookup ${tun_table_index} pref 5030
+  ip rule $1 from 172.16.0.0/12 lookup ${tun_table_index} pref 5040
+  ip rule $1 from 192.168.0.0/16 lookup ${tun_table_index} pref 5050
+  ip rule $1 nop pref 6000
+}
+
+tun_forward_ip_rules_del() {
+  ip rule del pref 5000
+  ip rule del pref 5010
+  ip rule del pref 5020
+  ip rule del pref 5030
+  ip rule del pref 5040
+  ip rule del pref 5050
+  ip rule del pref 6000
+}
+
+tun_forward_iptables_rules() {
+  # iptables $1 FORWARD -s 10.0.0.0/8 -o ${tun_device} -j ACCEPT
+  # iptables $1 FORWARD -s 172.16.0.0/12 -o ${tun_device} -j ACCEPT
+  # iptables $1 FORWARD -s 192.168.0.0/16 -o ${tun_device} -j ACCEPT
+  iptables $1 FORWARD -i ${tun_device} -j ACCEPT
+  iptables $1 FORWARD -o ${tun_device} -j ACCEPT
+  # iptables $1 PREROUTING -t nat ! -i ${tun_device} -s 10.0.0.0/8 -p udp --dport 53 -j DNAT --to 1.1.1.1
+  # iptables $1 PREROUTING -t nat ! -i ${tun_device} -s 172.16.0.0/12 -p udp --dport 53 -j DNAT --to 1.1.1.1
+  # iptables $1 PREROUTING -t nat ! -i ${tun_device} -s 192.168.0.0/16 -p udp --dport 53 -j DNAT --to 1.1.1.1
+  iptables $1 PREROUTING -t nat ! -i ${tun_device} -p udp --dport 53 -j DNAT --to 1.1.1.1
+  ip6tables $1 FORWARD -j REJECT --reject-with icmp6-no-route
+}
+
+tun_forward_enable() {
+  # create_tun_link
+  probe_tun_device && tun_forward_iptables_rules "-I"
+  probe_tun_index && tun_forward_ip_rules "add"
+
+  echo 1 > /proc/sys/net/ipv4/ip_forward
+  echo 0 > /dev/ip_forward_stub
+  chown $(stat -c '%u:%g' /data/misc/net/rt_tables) /dev/ip_forward_stub
+  chcon $(stat -Z -c '%C' /data/misc/net/rt_tables) /dev/ip_forward_stub
+  mount -o bind /dev/ip_forward_stub /proc/sys/net/ipv4/ip_forward
+
+  log Info "tun hotspot support is enabled."
+}
+
+tun_forward_disable() {
+  # tun_forward_ip_rules "del" >> /dev/null 2>&1
+  tun_forward_ip_rules_del >> /dev/null 2>&1
+  tun_forward_iptables_rules "-D" >> /dev/null 2>&1
+  log Warn "tun hotspot support is disabled."
+}
+
+if [ "${tun_forward}" = "enable" ] ; then
+  tun_forward_enable
+else
+  tun_forward_disable
+fi
+
 if [ "${proxy_mode}" = "core" ] ; then
   iptables="iptables -w 100" && stop_tproxy >> /dev/null 2>&1
   iptables="ip6tables -w 100" && stop_tproxy >> /dev/null 2>&1
@@ -545,6 +627,12 @@ case "$1" in
     disable_ipv6
     log Warn "disable IPv6."
     ;;
+  tun_forward_enable)
+    tun_forward_enable
+    ;;
+  tun_forward_disable)
+    tun_forward_disable
+    ;;
   *)
     log Error "$0 $1 usage: $0 {enable|disable|renew|enable_ipv6|disable_ipv6}"
     ;;