
documentation: Add manual for mitigating tunnelvision attacks

世界 1 year ago
parent
commit
9ffdbba2ed
3 changed files with 40 additions and 209 deletions
  1. docs/manual/misc/tunnelvision.md: 38 additions, 0 deletions
  2. docs/manual/proxy-protocol/tuic.md: 0 additions, 208 deletions
  3. mkdocs.yml: 2 additions, 1 deletion

+ 38 - 0
docs/manual/misc/tunnelvision.md

@@ -0,0 +1,38 @@
+---
+icon: material/book-lock-open
+---
+
+# TunnelVision
+
+TunnelVision is an attack that uses DHCP option 121 to set higher priority routes
+so that traffic does not go through the VPN.
+
+Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3661
+
+## Status
+
+### Android
+
+Android does not handle DHCP option 121 and is not affected.
+
+### Apple platforms
+
+Update [sing-box graphical client](/clients/apple/#download) to `1.9.0-rc.16` or newer,
+then enable `includeAllNetworks` in `Settings` — `Packet Tunnel` and you will be unaffected.
+
+Note: when `includeAllNetworks` is enabled, the default TUN stack is changed to `gvisor`,
+and the `system` and `mixed` stacks are not available.
+
+### Linux
+
+Update sing-box to `1.9.0-rc.16` or newer, rules generated by `auto-route` are unaffected.
+
+### Windows
+
+No solution yet.
+
+## Workarounds
+
+* Don't connect to untrusted networks
+* Relay untrusted network through another device
+* Just ignore it
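Review bot: the Linux status line is a comma splice that leaves the relationship between the two halves unclear: "Update sing-box to `1.9.0-rc.16` or newer, rules generated by `auto-route` are unaffected" reads as two unrelated statements. Suggest "Update sing-box to `1.9.0-rc.16` or newer; from that version on, the routes generated by `auto-route` are not overridden by DHCP option 121." Same hunk, Apple section: the em dash in "`Settings` — `Packet Tunnel`" should be a navigation separator such as `>` so it is not read as a dash, and "and you will be unaffected" is clearer as "after which the client is unaffected". Finally, "Just ignore it" under Workarounds is not a workaround; either drop it or spell out the accepted risk (traffic matching the pushed routes bypasses the VPN, as the opening paragraph describes).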

+ 0 - 208
docs/manual/proxy-protocol/tuic.md

@@ -1,208 +0,0 @@
----
-icon: material/alpha-t-box
----
-
-# TUIC
-
-A recently popular Chinese-made simple protocol based on QUIC, the selling point is the BBR congestion control algorithm.
-
-!!! warning
-
-    Even though GFW rarely blocks UDP-based proxies, such protocols actually have far more characteristics than TCP based proxies.
-
-| Specification                                             | Binary Characteristics | Active Detect Hiddenness |
-|-----------------------------------------------------------|------------------------|--------------------------|
-| [GitHub](https://github.com/EAimTY/tuic/blob/dev/SPEC.md) | :material-alert:       | :material-check:         | 
-
-## Password Generator
-
-| Generated UUID         | Generated  Password        | Action                                                          |
-|------------------------|----------------------------|-----------------------------------------------------------------|
-| <code id="uuid"><code> | <code id="password"><code> | <button class="md-button" onclick="generate()">Refresh</button> |
-
-<script>
-    function generateUUID() {
-        const uuid = 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function(c) {
-            let r = Math.random() * 16 | 0,
-            v = c === 'x' ? r : (r & 0x3 | 0x8);
-            return v.toString(16);
-        });
-        document.getElementById("uuid").textContent = uuid;
-    }
-    function generatePassword() {
-        const array = new Uint8Array(16);
-        window.crypto.getRandomValues(array);
-        document.getElementById("password").textContent = btoa(String.fromCharCode.apply(null, array));
-    }
-    function generate() {
-        generateUUID();
-        generatePassword();
-    }
-    generate();
-</script>
-
-## :material-server: Server Example
-
-=== ":material-harddisk: With local certificate"
-
-    ```json
-     {
-      "inbounds": [
-        {
-          "type": "tuic",
-          "listen": "::",
-          "listen_port": 8080,
-          "users": [
-            {
-              "name": "sekai",
-              "uuid": "<uuid>",
-              "password": "<password>"
-            }
-          ],
-          "congestion_control": "bbr",
-          "tls": {
-            "enabled": true,
-            "server_name": "example.org",
-            "key_path": "/path/to/key.pem",
-            "certificate_path": "/path/to/certificate.pem"
-          }
-        }
-      ]
-    }
-    ```
-
-=== ":material-auto-fix: With ACME"
-
-    ```json
-    {
-      "inbounds": [
-        {
-          "type": "tuic",
-          "listen": "::",
-          "listen_port": 8080,
-          "users": [
-            {
-              "name": "sekai",
-              "uuid": "<uuid>",
-              "password": "<password>"
-            }
-          ],
-          "congestion_control": "bbr",
-          "tls": {
-            "enabled": true,
-            "server_name": "example.org",
-            "acme": {
-              "domain": "example.org",
-              "email": "[email protected]"
-            }
-          }
-        }
-      ]
-    }
-    ```
-
-=== ":material-cloud: With ACME and Cloudflare API"
-
-    ```json
-    {
-      "inbounds": [
-        {
-          "type": "tuic",
-          "listen": "::",
-          "listen_port": 8080,
-          "users": [
-            {
-              "name": "sekai",
-              "uuid": "<uuid>",
-              "password": "<password>"
-            }
-          ],
-          "congestion_control": "bbr",
-          "tls": {
-            "enabled": true,
-            "server_name": "example.org",
-            "acme": {
-              "domain": "example.org",
-              "email": "[email protected]",
-              "dns01_challenge": {
-                "provider": "cloudflare",
-                "api_token": "my_token"
-              }
-            }
-          }
-        }
-      ]
-    }
-    ```
-
-## :material-cellphone-link: Client Example
-
-=== ":material-web-check: With valid certificate"
-
-    ```json
-    {
-      "outbounds": [
-        {
-          "type": "tuic",
-          "server": "127.0.0.1",
-          "server_port": 8080,
-          "uuid": "<uuid>",
-          "password": "<password>",
-          "congestion_control": "bbr",
-          "tls": {
-            "enabled": true,
-            "server_name": "example.org"
-          }
-        }
-      ]
-    }
-    ```
-
-=== ":material-check: With self-sign certificate"
-
-    !!! info "Tip"
-        
-        Use `sing-box merge` command to merge configuration and certificate into one file.
-
-    ```json
-    {
-      "outbounds": [
-        {
-          "type": "tuic",
-          "server": "127.0.0.1",
-          "server_port": 8080,
-          "uuid": "<uuid>",
-          "password": "<password>",
-          "congestion_control": "bbr",
-          "tls": {
-            "enabled": true,
-            "server_name": "example.org",
-            "certificate_path": "/path/to/certificate.pem"
-          }
-        }
-      ]
-    }
-    ```
-
-=== ":material-alert: Ignore certificate verification"
-
-    ```json
-    {
-      "outbounds": [
-        {
-          "type": "tuic",
-          "server": "127.0.0.1",
-          "server_port": 8080,
-          "uuid": "<uuid>",
-          "password": "<password>",
-          "congestion_control": "bbr",
-          "tls": {
-            "enabled": true,
-            "server_name": "example.org",
-            "insecure": true
-          }
-        }
-      ]
-    }
-    ```
-
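Review bot: this hunk deletes the entire TUIC manual page (docs/manual/proxy-protocol/tuic.md, 208 lines), which the commit message "documentation: Add manual for mitigating tunnelvision attacks" does not mention at all. An unrelated removal should be its own commit, or the message should state why the page is dropped, so the history explains why a protocol page disappeared. If the page is intentionally retired, also check that no other docs still link to it.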

+ 2 - 1
mkdocs.yml

@@ -66,8 +66,9 @@ nav:
       - Proxy Protocol:
           - Shadowsocks: manual/proxy-protocol/shadowsocks.md
           - Trojan: manual/proxy-protocol/trojan.md
-          - TUIC: manual/proxy-protocol/tuic.md
           - Hysteria 2: manual/proxy-protocol/hysteria2.md
+      - Misc:
+          - TunnelVision: manual/misc/tunnelvision.md
   - Configuration:
       - configuration/index.md
       - Log:
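Review bot: the nav change matches the file changes (TUIC entry removed, new Misc section pointing at manual/misc/tunnelvision.md), but removing the nav entry does not redirect the old URL. If the site uses a redirect plugin, consider mapping manual/proxy-protocol/tuic.md to a suitable page so existing bookmarks and external links do not 404; otherwise note the removal in the commit message.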