45 changes: 34 additions & 11 deletions entrypoint.sh
Expand Up @@ -73,49 +73,72 @@ fi
# 1. 智能提取出纯 IPv4 地址 (防止 wgcf v2.2.30 将双栈 IP 写在同一行导致误杀)
IPV4_ADDR=$(grep '^Address' "$WG_CONF" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}' | head -n 1)

# 2. 物理删除所有原始的 Address, AllowedIPs, DNS,防止 RTNETLINK 崩溃或 DNS 死锁
# 2. 物理删除所有原始的 Address, AllowedIPs, DNS
sed -i '/^Address/d' "$WG_CONF"
sed -i '/^AllowedIPs/d' "$WG_CONF"
sed -i '/^DNS.*/d' "$WG_CONF"
# 清除可能存在的旧 MTU (兼容 Alpine Busybox 的正则写法)
sed -i '/^[Mm][Tt][Uu].*/d' "$WG_CONF"

# 3. 重建最纯净的 IPv4 路由规则
if [ -n "$IPV4_ADDR" ]; then
sed -i "/\[Interface\]/a Address = $IPV4_ADDR" "$WG_CONF"
fi

# 4. 动态注入 MTU 变量 (默认 1280)
WG_MTU=${MTU:-1280}
sed -i "/\[Interface\]/a MTU = $WG_MTU" "$WG_CONF"
echo "==> [MicroWARP] 🛜 MTU 值已设置为: $WG_MTU"

sed -i "/\[Peer\]/a AllowedIPs = 0.0.0.0\/0" "$WG_CONF"

# 删除 Alpine 系统自带 wg-quick 中不兼容的路由标记
sed -i '/src_valid_mark/d' /usr/bin/wg-quick

# 【新增:抗断流绝杀】强制注入 15 秒 UDP 心跳保活,对抗运营商 QoS 丢包
# 【核心功能】强制注入 15 秒 UDP 心跳保活,对抗运营商 QoS 丢包
if ! grep -q "PersistentKeepalive" "$WG_CONF"; then
sed -i '/\[Peer\]/a PersistentKeepalive = 15' "$WG_CONF"
else
sed -i 's/PersistentKeepalive.*/PersistentKeepalive = 15/g' "$WG_CONF"
fi

# 【新增:防阻断绝杀】针对 HK/US 强校验机房,注入自定义优选 Endpoint IP
# 【核心功能】针对 HK/US 强校验机房,注入自定义优选 Endpoint IP
if [ -n "$ENDPOINT_IP" ]; then
echo "==> [MicroWARP] 🔀 检测到自定义 Endpoint IP,正在覆盖默认节点: $ENDPOINT_IP"
echo "==>[MicroWARP] 🔀 检测到自定义 Endpoint IP,正在覆盖默认节点: $ENDPOINT_IP"
sed -i "s/^Endpoint.*/Endpoint = $ENDPOINT_IP/g" "$WG_CONF"
fi

# ==========================================
# 3. 拉起内核网卡
# 3. 拉起内核网卡 & 修复非对称路由
# ==========================================
# 在启用 WARP 前记录 100.64.0.0/10 的原始回程路径,避免发布端口后 Tailscale 客户端握手卡死
# 3.1 记录 100.64.0.0/10 的原始回程路径,避免发布端口后 Tailscale 客户端握手卡死
PRE_WARP_ROUTE=$(ip route get 100.64.0.1 2>/dev/null | head -n 1 || true)
PRE_WARP_GW=$(printf '%s\n' "$PRE_WARP_ROUTE" | awk '{for (i = 1; i <= NF; i++) if ($i == "via") print $(i + 1)}')
PRE_WARP_DEV=$(printf '%s\n' "$PRE_WARP_ROUTE" | awk '{for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1)}')

# 3.2 记录当前容器主网卡 IP 和网关,用于修复外部入站流量的非对称路由
ORIG_GW=$(ip -4 route show default | awk '{print $3}' | head -n 1)
ORIG_DEV=$(ip -4 route show default | awk '{print $5}' | head -n 1)
if [ -n "$ORIG_DEV" ]; then
ORIG_IP=$(ip -4 addr show dev "$ORIG_DEV" | awk '/inet / {print $2}' | cut -d/ -f1 | head -n 1)
fi

echo "==> [MicroWARP] 正在启动 Linux 内核级 wg0 网卡..."
wg-quick up wg0 > /dev/null 2>&1

# 仅在 WARP 启动前确实存在原始回程路径时恢复 100.64.0.0/10,减少对非 Tailscale 场景的影响
# 3.3 注入源地址策略路由 (Policy-Based Routing) 修复入站非对称路由劫持
if [ -n "$ORIG_IP" ] && [ -n "$ORIG_GW" ] $$ [ -n "$ORIG_DEV" ]; then
echo "==> [MicroWARP] 正在注入策略路由修复非对称路由死锁 (源IP: $ORIG_IP)..."
# 添加容错 || true,防止部分精简版内核不支持多路由表导致启动崩溃
ip rule add from "$ORIG_IP" table 128 priority 100 2>/dev/null || true
ip route add table 128 default via "$ORIG_GW" dev "$ORIG_DEV" 2>/dev/null || true
fi

# 3.4 恢复 Tailscale 等指定内网网段的回程路由
TAILSCALE_CIDR=${TAILSCALE_CIDR:-"100.64.0.0/10"}
if [ -n "$PRE_WARP_GW" ] && [ -n "$PRE_WARP_DEV" ]; then
if ip route replace "$TAILSCALE_CIDR" via "$PRE_WARP_GW" dev "$PRE_WARP_DEV" > /dev/null 2>&1; then
echo "==> [MicroWARP] 已为 ${TAILSCALE_CIDR} 恢复 WARP 启动前的回程路由: via ${PRE_WARP_GW} dev ${PRE_WARP_DEV}"
echo "==>[MicroWARP] 已为 ${TAILSCALE_CIDR} 恢复 WARP 启动前的回程路由: via ${PRE_WARP_GW} dev ${PRE_WARP_DEV}"
fi
fi

Expand All @@ -131,12 +154,12 @@ LISTEN_ADDR=${BIND_ADDR:-"0.0.0.0"}
LISTEN_PORT=${BIND_PORT:-"1080"}

if [ -n "$SOCKS_USER" ] && [ -n "$SOCKS_PASS" ]; then
echo "==> [MicroWARP] 🔒 身份认证已开启 (User: $SOCKS_USER)"
echo "==> [MicroWARP] 🚀 MicroSOCKS 引擎已启动,正在监听 ${LISTEN_ADDR}:${LISTEN_PORT}"
echo "==>[MicroWARP] 🔒 身份认证已开启 (User: $SOCKS_USER)"
echo "==>[MicroWARP] 🚀 MicroSOCKS 引擎已启动,正在监听 ${LISTEN_ADDR}:${LISTEN_PORT}"
# 使用 exec 接管进程,实现 Zero-Overhead 的底层进程控制
exec microsocks -i "$LISTEN_ADDR" -p "$LISTEN_PORT" -u "$SOCKS_USER" -P "$SOCKS_PASS"
else
echo "==> [MicroWARP] ⚠️ 未设置密码,当前为公开访问模式"
echo "==>[MicroWARP] 🚀 MicroSOCKS 引擎已启动,正在监听 ${LISTEN_ADDR}:${LISTEN_PORT}"
echo "==> [MicroWARP] 🚀 MicroSOCKS 引擎已启动,正在监听 ${LISTEN_ADDR}:${LISTEN_PORT}"
exec microsocks -i "$LISTEN_ADDR" -p "$LISTEN_PORT"
fi
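Review bot: The condition opening the 3.3 policy-routing block uses `$$` where `&&` was meant, so the second `[` test receives the shell's PID and the third bracket expression as extra arguments and fails with "too many arguments"; the block never runs and the `ip rule`/`ip route` lines below it are dead code. The line should read `if [ -n "$ORIG_IP" ] && [ -n "$ORIG_GW" ] && [ -n "$ORIG_DEV" ]; then`. ORIG_IP is also only assigned when ORIG_DEV is non-empty, so if the script runs under `set -u` (not visible in this hunk) the test would abort on an unset variable; an explicit `ORIG_IP=` before the `if [ -n "$ORIG_DEV" ]` guard avoids that. The default-route parsing in 3.2 relies on positional fields `$3`/`$5`, which misread a `default dev X` route that has no `via`; the `via`/`dev` field scan already used for PRE_WARP_GW and PRE_WARP_DEV would be more robust and keeps the two sections consistent.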