sing-box
shadowTLS V2+Shadowsocks2022 error
Welcome
- [X] Yes, I'm using the latest major release. Only such installations are supported.
- [X] Yes, I'm using the latest Golang release. Only such installations are supported.
- [X] Yes, I've searched similar issues on GitHub and didn't find any.
- [X] Yes, I've included all information below (version, config, log, etc).
Description of the problem
I have updated sing-box to version 1.1-beta9 and am using shadowTLS V2 + shadowsocks2022, and I got some errors like this:
ERROR [1788001177] inbound/shadowtls[shadowtls-in]: process connection from 1.2.3.4:3252: inject ss-in: shadowsocks: serve TCP from 1.2.3.4:3252: cipher: message authentication failed
And the proxy can't work. While I am pretty sure the method and the password used in shadowsocks on both sides are the same, plz see my configs and logs~
Version of sing-box
$ sing-box version
[INF] 版本信息:sing-box version 1.1-beta9
Environment: go1.19.2 linux/amd64
Tags: with_gvisor,with_quic,with_wireguard,with_clash_api
Revision: 143b62218040348c7c165ecec27c25e324dffee9
Server and client configuration file
server:
{
  "log": {
    "disabled": false,
    "level": "info",
    "output": "/usr/local/sing-box/sing-box.log",
    "timestamp": true
  },
  "dns": {
    "servers": [
      {
        "tag": "google-tls",
        "address": "local",
        "address_strategy": "prefer_ipv4",
        "strategy": "ipv4_only",
        "detour": "direct"
      },
      {
        "tag": "google-udp",
        "address": "8.8.8.8",
        "address_strategy": "prefer_ipv4",
        "strategy": "prefer_ipv4",
        "detour": "direct"
      }
    ],
    "strategy": "prefer_ipv4",
    "disable_cache": false,
    "disable_expire": false
  },
  "inbounds": [
    {
      "type": "shadowtls",
      "tag": "shadowtls-in",
      "listen": "0.0.0.0",
      "listen_port": 8443,
      "version": 2,
      "password": "fuck me till the daylight",
      "handshake": {
        "server": "cloud.tencent.com",
        "server_port": 443
      },
      "detour": "ss-in"
    },
    {
      "type": "shadowsocks",
      "tag": "ss-in",
      "listen": "127.0.0.1",
      "method": "2022-blake3-aes-128-gcm",
      "password": "uRK6ehupzMWF2DLQPkMx/Q=="
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "direct"
    },
    {
      "type": "block",
      "tag": "block"
    },
    {
      "type": "dns",
      "tag": "dns-out"
    }
  ],
  "route": {
    "rules": [
      {
        "protocol": "dns",
        "outbound": "dns-out"
      },
      {
        "inbound": [
          "ss-in"
        ],
        "geosite": [
          "cn",
          "category-ads-all"
        ],
        "geoip": [
          "cn"
        ],
        "source_geoip": [
          "private"
        ],
        "outbound": "block"
      },
      {
        "geosite": "cn",
        "geoip": "cn",
        "outbound": "block"
      }
    ],
    "geoip": {
      "path": "geoip.db",
      "download_url": "https://github.com/SagerNet/sing-geoip/releases/latest/download/geoip.db",
      "download_detour": "direct"
    },
    "geosite": {
      "path": "geosite.db",
      "download_url": "https://github.com/SagerNet/sing-geosite/releases/latest/download/geosite.db",
      "download_detour": "direct"
    },
    "final": "direct",
    "auto_detect_interface": true
  }
}
client:
{
  "log": {
    "disabled": false,
    "level": "info",
    "output": "C:\\Windows\\System32\\sing-box-1.0.3-windows-amd64\\sing-box.log",
    "timestamp": true
  },
  "dns": {
    "servers": [
      {
        "tag": "google",
        "address": "tls://8.8.8.8"
      },
      {
        "tag": "local",
        "address": "223.5.5.5",
        "detour": "direct"
      }
    ],
    "rules": [
      {
        "domain": "servername.com",
        "geosite": "cn",
        "server": "local"
      }
    ],
    "strategy": "ipv4_only"
  },
  "inbounds": [
    {
      "type": "tun",
      "inet4_address": "172.19.0.1/30",
      "auto_route": true,
      "mtu": 1500,
      "sniff": true
    }
  ],
  "outbounds": [
    {
      "type": "shadowsocks",
      "tag": "shadowsocks-out",
      "method": "2022-blake3-aes-128-gcm",
      "password": "uRK6ehupzMWF2DLQPkMx/Q==",
      "domain_strategy": "ipv4_only",
      "detour": "shadowtls-out"
    },
    {
      "type": "shadowtls",
      "tag": "shadowtls-out",
      "server": "servername.com",
      "server_port": 8443,
      "version": 2,
      "password": "fuck me till the daylight",
      "tls": {
        "enabled": true,
        "server_name": "cloud.tencent.com"
      }
    },
    {
      "type": "direct",
      "tag": "direct"
    },
    {
      "type": "block",
      "tag": "block"
    },
    {
      "type": "dns",
      "tag": "dns-out"
    }
  ],
  "route": {
    "rules": [
      {
        "protocol": "dns",
        "outbound": "dns-out"
      },
      {
        "geosite": "category-ads-all",
        "outbound": "block"
      },
      {
        "geosite": "cn",
        "geoip": "cn",
        "outbound": "direct"
      }
    ],
    "auto_detect_interface": true,
    "final": "shadowtls-out"
  }
}
Server and client log file
Server Side:
+0800 2022-10-11 00:18:11 INFO router: loaded geoip database: 250 codes
+0800 2022-10-11 00:18:11 INFO router: loaded geosite database: 1266 codes
+0800 2022-10-11 00:18:11 INFO router: updated default interface eth0, index 2
+0800 2022-10-11 00:18:11 INFO inbound/vmess[vmess-in]: tcp server started at 0.0.0.0:8443
+0800 2022-10-11 00:18:11 INFO sing-box started (0.200s)
+0800 2022-10-11 00:20:13 INFO router: loaded geoip database: 250 codes
+0800 2022-10-11 00:20:13 INFO router: loaded geosite database: 1266 codes
+0800 2022-10-11 00:20:13 INFO router: updated default interface eth0, index 2
+0800 2022-10-11 00:20:13 INFO inbound/shadowtls[shadowtls-in]: tcp server started at 0.0.0.0:8443
+0800 2022-10-11 00:20:13 INFO inbound/shadowsocks[ss-in]: tcp server started at 127.0.0.1:36161
+0800 2022-10-11 00:20:13 INFO inbound/shadowsocks[ss-in]: udp server started at 127.0.0.1:43571
+0800 2022-10-11 00:20:13 INFO sing-box started (0.177s)
+0800 2022-10-11 00:27:17 INFO [281036863] inbound/shadowtls[shadowtls-in]: inbound connection from xxxxxxxx:4383
+0800 2022-10-11 00:27:18 INFO [281036863] dns: lookup succeed for cloud.tencent.com: 43.152.56.217 43.152.54.219
+0800 2022-10-11 00:27:18 INFO [281036863] inbound/shadowtls[shadowtls-in]: inbound connection to xxxxxxxxx:8443
+0800 2022-10-11 00:27:18 ERROR [281036863] inbound/shadowtls[shadowtls-in]: process connection from xxxxxxx:4383: inject ss-in: shadowsocks: serve TCP from xxxxxxxx:4383: cipher: message authentication failed
+0800 2022-10-11 00:27:28 INFO [4206031310] inbound/shadowtls[shadowtls-in]: inbound connection from xxxxxxxx:4416
+0800 2022-10-11 00:27:28 INFO [4206031310] dns: lookup succeed for cloud.tencent.com: 43.152.56.217 43.152.54.219
+0800 2022-10-11 00:27:29 INFO [4206031310] inbound/shadowtls[shadowtls-in]: inbound connection to xxxxxx:8443
+0800 2022-10-11 00:27:29 ERROR [4206031310] inbound/shadowtls[shadowtls-in]: process connection from xxxxxxxxx:4416: inject ss-in: shadowsocks: serve TCP from xxxxxxx:4416: cipher: message authentication failed
+0800 2022-10-11 00:27:39 INFO [4064482476] inbound/shadowtls[shadowtls-in]: inbound connection from xxxxxx:4450
+0800 2022-10-11 00:27:39 INFO [4064482476] dns: lookup succeed for cloud.tencent.com: 43.152.56.217 43.152.54.219
+0800 2022-10-11 00:27:40 INFO [4064482476] inbound/shadowtls[shadowtls-in]: inbound connection to xxxxxxxxx:8443
+0800 2022-10-11 00:27:40 ERROR [4064482476] inbound/shadowtls[shadowtls-in]: process connection from xxxxxxxxx:4450: inject ss-in: shadowsocks: serve TCP from xxxxxxx:4450: cipher: message authentication failed
+0800 2022-10-11 00:30:54 INFO [972447190] inbound/shadowtls[shadowtls-in]: inbound connection from xxxxxxxxxx:1370
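Added example (not from the issue or the sing-box code base): the text after the last colon in the logged error, `cipher: message authentication failed`, is the string Go's `crypto/cipher` AEAD `Open` returns, and it is the same for a wrong key and for bytes that changed or shifted before decryption. The sketch uses plain AES-128-GCM with constructed keys and a fixed nonce, not the Shadowsocks 2022 key derivation or framing; all function names are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Fixed all-zero nonce: acceptable here only because the demo key seals once.
var nonce = make([]byte, 12)

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// OpenResult returns "ok" or the error text produced by AEAD Open.
func OpenResult(key, ciphertext []byte) string {
	if _, err := gcm(key).Open(nil, nonce, ciphertext, nil); err != nil {
		return err.Error()
	}
	return "ok"
}

// Cases opens one sealed chunk under four conditions (all values constructed).
func Cases() map[string]string {
	key, other := bytes.Repeat([]byte{0x11}, 16), bytes.Repeat([]byte{0x22}, 16)
	ct := gcm(key).Seal(nil, nonce, []byte("first chunk of the stream"), nil)
	flipped := append([]byte{}, ct...)
	flipped[0] ^= 0x01
	// Three extra bytes stand in for outer-layer framing left in front of the chunk.
	shifted := append([]byte{0xAA, 0xBB, 0xCC}, ct...)
	return map[string]string{
		"same key, intact bytes":    OpenResult(key, ct),
		"different key":             OpenResult(other, ct),
		"same key, one bit flipped": OpenResult(key, flipped),
		"same key, 3 leading bytes": OpenResult(key, shifted),
	}
}

func main() { fmt.Println(Cases()) }
```

Matching method and password on both sides therefore does not by itself rule out the layer that carries the stream between them.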
@FranzKafkaYu Do you also have this problem when testing locally with the same configuration? I have no problem with the local test, but when I deploy to my servers (two servers, one in the US and another in China), it doesn't work, and the error message is different from yours:
ERROR[0136] [3160378722] inbound/shadowtls[0]: process connection from ***.***.***.***:34298: inject shadowsocks-in: shadowsocks: serve TCP from ***.***.***.***:34298: salt not unique
Please submit FULL configuration and logs.
> Please submit FULL configuration and logs.

I have updated all the info you need, plz check~
It looks like the shadowtls passwords don't match.
> It looks like the shadowtls passwords don't match.

Sorry. It's my bad. I uploaded the wrong configs here; now I have updated them again~
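Added example (not from the thread or the project): a small check of the fields that have to agree between a server's inbounds and a client's outbounds, the kind of mismatch raised in the comment above. Type and function names are hypothetical, the sample configs are constructed, and the 16-byte key length for `2022-blake3-aes-128-gcm` is taken from the Shadowsocks 2022 specification rather than from this page.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

type entry struct {
	Type, Method, Password string
	Version                int
}

// Compare reports where a server's inbounds and a client's outbounds disagree.
func Compare(server, client string) (problems []string) {
	var s, c struct{ Inbounds, Outbounds []entry }
	if json.Unmarshal([]byte(server), &s) != nil || json.Unmarshal([]byte(client), &c) != nil {
		return []string{"config is not valid JSON"}
	}
	in, out := map[string]entry{}, map[string]entry{}
	for _, e := range s.Inbounds {
		in[e.Type] = e
	}
	for _, e := range c.Outbounds {
		out[e.Type] = e
	}
	for _, typ := range []string{"shadowtls", "shadowsocks"} {
		a, b := in[typ], out[typ]
		switch {
		case a.Type == "" || b.Type == "":
			problems = append(problems, typ+": missing on one side")
		case a.Version != b.Version || a.Method != b.Method:
			problems = append(problems, typ+": version or method differs")
		case a.Password != b.Password:
			problems = append(problems, typ+": password differs")
		}
	}
	// Assumption (Shadowsocks 2022 spec): this method's password is base64 of 16 bytes.
	raw, err := base64.StdEncoding.DecodeString(in["shadowsocks"].Password)
	if in["shadowsocks"].Method == "2022-blake3-aes-128-gcm" && (err != nil || len(raw) != 16) {
		problems = append(problems, "shadowsocks: password is not a 16-byte base64 key")
	}
	return problems
}

// Constructed sample input: only the shadowtls passwords differ.
const ssEntry = `{"type":"shadowsocks","method":"2022-blake3-aes-128-gcm","password":"AAAAAAAAAAAAAAAAAAAAAA=="}`
const sampleServer = `{"inbounds":[{"type":"shadowtls","version":2,"password":"server-secret"},` + ssEntry + `]}`
const sampleClient = `{"outbounds":[{"type":"shadowtls","version":2,"password":"client-secret"},` + ssEntry + `]}`
func main() { fmt.Println(Compare(sampleServer, sampleClient)) }
```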
@nekohasekai I’m sorry to bother you. But can u check this issue again?
@FranzKafkaYu Do you also have this problem when testing locally with the same configuration? I have no problem with the local test, but when I deploy to my servers (two servers, one in the US and another in China), it doesn't work, and the error message is different from yours:
ERROR[0136] [3160378722] inbound/shadowtls[0]: process connection from ***.***.***.***:34298: inject shadowsocks-in: shadowsocks: serve TCP from ***.***.***.***:34298: salt not unique
Additional information: I re-tested it today. On my computer, the error log is the same as @FranzKafkaYu, and the above log is printed on the server side (shadowTLS with shadowsocks).
Server(US): inbounds: shadowTLS + shadowsocks(AEAD-2022)
↕
Server(CN): inbounds: direct, outbounds: shadowTLS
↕
Client: outbounds: shadowsocks(AEAD-2022)
The strange thing is that there is no problem with the local test (3 singbox instances with the same config and only the ports are different)
> @FranzKafkaYu Do you also have this problem when testing locally with the same configuration? I have no problem with the local test, but when I deploy to my servers (two servers, one in the US and another in China), it doesn't work, and the error message is different from yours:
> ERROR[0136] [3160378722] inbound/shadowtls[0]: process connection from ***.***.***.***:34298: inject shadowsocks-in: shadowsocks: serve TCP from ***.***.***.***:34298: salt not unique
> Additional information: I re-tested it today. On my computer, the error log is the same as @FranzKafkaYu, and the above log is printed on the server side (shadowTLS with shadowsocks).
> Server(US): inbounds: shadowTLS + shadowsocks(AEAD-2022)
> ↕
> Server(CN): inbounds: direct, outbounds: shadowTLS
> ↕
> Client: outbounds: shadowsocks(AEAD-2022)
> The strange thing is that there is no problem with the local test (3 singbox instances with the same config and only the ports are different)
What do you mean by local test, you mean the client connects to the server directly without any relay servers? If so, could you please share your configs? I have tried many times with the configs above and can't access the network. I have no idea why it can't work.
@FranzKafkaYu Start 3 sing-box instances with the same config as the servers, but all running on my personal laptop.
This may be caused by shadowsocks AEAD 2022's probe protection, you can switch to old shadowsocks AEAD ciphers.
> This may be caused by shadowsocks AEAD 2022's probe protection, you can switch to old shadowsocks AEAD ciphers.

Unfortunately, old shadowsocks AEAD ciphers do not support single-port multi-user https://github.com/SagerNet/sing-box/issues/38 , is there a plan to make it happen?
> This may be caused by shadowsocks AEAD 2022's probe protection, you can switch to old shadowsocks AEAD ciphers.

@nekohasekai Unfortunately, I ran a test after changing to the old shadowsocks AEAD ciphers, including aes-256-gcm and aes-128-gcm, and the problem still exists.
Shadows TLS v2 + SS 2022 works for me?
Server outbound { "tag": "shadowsocks-in", "listen": "::", "listen_port": 23333, "type": "shadowsocks", "method": "2022-blake3-aes-128-gcm", "password": "xxxx" }, { "type": "shadowtls", "listen": "::", "listen_port": 10010, "sniff": true, "sniff_override_destination": true, "version": 2, "handshake": { "server": "download.microsoft.com", "server_port": 443 }, "detour": "shadowsocks-in" },
Client outbound { "tag": "shadowtls", "type": "shadowsocks", "method": "2022-blake3-aes-128-gcm", "password": "xxxx", "detour": "shadowtls-out" }, { "type": "shadowtls", "tag": "shadowtls-out", "server": "1111", "server_port": 10010, "version": 2, "tls": { "enabled": true, "server_name": "download.microsoft.com" } },
@everyx Can you share your shadowsocks + shadowTLS V2 configs here? I have tried shadowsocks with different ciphers. Same errors here. I would like to compare your configurations with mine to see whether there is something I missed.
@SimonWe1 Probably because you are not using the aead2022 multi-user feature; you can try setting multiple user passwords, and it will break.
@FranzKafkaYu I have the same problem as you
> Shadows TLS v2 + SS 2022 works for me?
> Server outbound { "tag": "shadowsocks-in", "listen": "::", "listen_port": 23333, "type": "shadowsocks", "method": "2022-blake3-aes-128-gcm", "password": "xxxx" }, { "type": "shadowtls", "listen": "::", "listen_port": 10010, "sniff": true, "sniff_override_destination": true, "version": 2, "handshake": { "server": "download.microsoft.com", "server_port": 443 }, "detour": "shadowsocks-in" },
> Client outbound { "tag": "shadowtls", "type": "shadowsocks", "method": "2022-blake3-aes-128-gcm", "password": "xxxx", "detour": "shadowtls-out" }, { "type": "shadowtls", "tag": "shadowtls-out", "server": "1111", "server_port": 10010, "version": 2, "tls": { "enabled": true, "server_name": "download.microsoft.com" } },

@SimonWe1 In your server and client config, there is no password part in shadowTLS, while shadowTLS v2 needs that according to the document; this should be a bug.
@everyx thanks for your reply.
1.0.6 client windows 64 decode config: outbound options: json: unknown field "version"
> 1.0.6 client windows 64 decode config: outbound options: json: unknown field "version"

Only the pre-release version supports shadowTLS v2 now
.....
Try 12ce63a0b58799ba84549b400134d2f7a07006bf
@FranzKafkaYu I switched to the ShadowTLS + VMESS, you can use the docker image everyx/sing-box:edge I compiled to test if it is fixed
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days