tailscaile: Fix using TUN auto redirect with tailscale system interface

2026-06-22 10:34:12 +03:00 · 2026-03-10 17:54:23 +08:00
parent 45353fbe2c
commit bbedd5383a
5 changed files with 24 additions and 42 deletions
--- a/go.mod
+++ b/go.mod
@@ -42,7 +42,7 @@ require (
 	github.com/sagernet/sing-tun v0.8.2
 	github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1
 	github.com/sagernet/smux v1.5.50-sing-box-mod.1
-	github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6.0.20260310072802-158edadd59bd
+	github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6.0.20260310090001-e76c5dd4bd45
 	github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20260224074747-506b7631853c
 	github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854
 	github.com/spf13/cobra v1.10.2
--- a/go.sum
+++ b/go.sum
@@ -254,8 +254,8 @@ github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1 h1:aSwUNYUkV
 github.com/sagernet/sing-vmess v0.2.8-0.20250909125414-3aed155119a1/go.mod h1:P11scgTxMxVVQ8dlM27yNm3Cro40mD0+gHbnqrNGDuY=
 github.com/sagernet/smux v1.5.50-sing-box-mod.1 h1:XkJcivBC9V4wBjiGXIXZ229aZCU1hzcbp6kSkkyQ478=
 github.com/sagernet/smux v1.5.50-sing-box-mod.1/go.mod h1:NjhsCEWedJm7eFLyhuBgIEzwfhRmytrUoiLluxs5Sk8=
-github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6.0.20260310072802-158edadd59bd h1:WUVQsTUCr0OEWXoB6uPXaqup7SjMUFOkOHe0XBcpLn4=
+github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6.0.20260310090001-e76c5dd4bd45 h1:J/Yn7XspzVcfSgKD30Tv3m6lqp64HwftBL6XnZMQiBI=
-github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6.0.20260310072802-158edadd59bd/go.mod h1:m87GAn4UcesHQF3leaPFEINZETO5za1LGn1GJdNDgNc=
+github.com/sagernet/tailscale v1.92.4-sing-box-1.13-mod.6.0.20260310090001-e76c5dd4bd45/go.mod h1:m87GAn4UcesHQF3leaPFEINZETO5za1LGn1GJdNDgNc=
 github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20260224074747-506b7631853c h1:f9cXNB+IOOPnR8DOLMTpr42jf7naxh5Un5Y09BBf5Cg=
 github.com/sagernet/wireguard-go v0.0.2-beta.1.0.20260224074747-506b7631853c/go.mod h1:WUxgxUDZoCF2sxVmW+STSxatP02Qn3FcafTiI2BLtE0=
 github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854 h1:6uUiZcDRnZSAegryaUGwPC/Fj13JSHwiTftrXhMmYOc=
--- a/protocol/tailscale/endpoint.go
+++ b/protocol/tailscale/endpoint.go
@@ -48,6 +48,7 @@ import (
 	"github.com/sagernet/tailscale/ipn"
 	tsDNS "github.com/sagernet/tailscale/net/dns"
 	"github.com/sagernet/tailscale/net/netmon"
 	"github.com/sagernet/tailscale/net/netns"
 	"github.com/sagernet/tailscale/net/tsaddr"
 	tsTUN "github.com/sagernet/tailscale/net/tstun"
 	"github.com/sagernet/tailscale/tsnet"
@@ -288,9 +289,6 @@ func (t *Endpoint) Start(stage adapter.StartStage) error {
 				}
 			}), nil
 		})
 		if runtime.GOOS == "android" {
 			setAndroidProtectFunc(t.platformInterface)
 		}
 	}
 	if t.systemInterface {
 		mtu := t.systemInterfaceMTU
@@ -336,9 +334,22 @@ func (t *Endpoint) Start(stage adapter.StartStage) error {
 		t.systemDialer = systemDialer
 		t.server.TunDevice = wgTunDevice
 		t.server.RouterWrapper = func(inner router.Router) router.Router {
-			return &exitRouteFilteringRouter{Router: inner}
+			return &addressOnlyRouter{Router: inner}
 		}
 	}
 	if mark := t.network.AutoRedirectOutputMark(); mark > 0 {
 		controlFunc := t.network.AutoRedirectOutputMarkFunc()
 		if bindFunc := t.network.AutoDetectInterfaceFunc(); bindFunc != nil {
 			controlFunc = control.Append(controlFunc, bindFunc)
 		}
 		netns.SetControlFunc(controlFunc)
 	} else if runtime.GOOS == "android" && t.platformInterface != nil {
 		netns.SetControlFunc(func(network, address string, c syscall.RawConn) error {
 			return control.Raw(c, func(fd uintptr) error {
 				return t.platformInterface.AutoDetectInterfaceControl(int(fd))
 			})
 		})
 	}
 	err := t.server.Start()
 	if err != nil {
 		if t.systemTun != nil {
@@ -464,9 +475,7 @@ func (t *Endpoint) watchState() {
 func (t *Endpoint) Close() error {
 	netmon.RegisterInterfaceGetter(nil)
-	if runtime.GOOS == "android" {
+	netns.SetControlFunc(nil)
 		setAndroidProtectFunc(nil)
 	}
 	if t.fallbackTCPCloser != nil {
 		t.fallbackTCPCloser()
 		t.fallbackTCPCloser = nil
@@ -841,16 +850,15 @@ func (c *dnsConfigurtor) Close() error {
 	return nil
 }
-type exitRouteFilteringRouter struct {
+type addressOnlyRouter struct {
 	router.Router
 }
-func (r *exitRouteFilteringRouter) Set(config *router.Config) error {
+func (r *addressOnlyRouter) Set(config *router.Config) error {
 	if config != nil {
-		config = config.Clone()
+		config = &router.Config{
-		config.Routes = common.Filter(config.Routes, func(prefix netip.Prefix) bool {
+			LocalAddrs: config.LocalAddrs,
-			return !tsaddr.IsExitRoute(prefix)
+		}
 		})
 	}
 	return r.Router.Set(config)
 }
--- a/protocol/tailscale/protect_android.go
+++ b/protocol/tailscale/protect_android.go
@@ -1,18 +0,0 @@
 //go:build with_gvisor
 package tailscale
 import (
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/tailscale/net/netns"
 )
 func setAndroidProtectFunc(platformInterface adapter.PlatformInterface) {
 	if platformInterface != nil {
 		netns.SetAndroidProtectFunc(func(fd int) error {
 			return platformInterface.AutoDetectInterfaceControl(fd)
 		})
 	} else {
 		netns.SetAndroidProtectFunc(nil)
 	}
 }
--- a/protocol/tailscale/protect_nonandroid.go
+++ b/protocol/tailscale/protect_nonandroid.go
@@ -1,8 +0,0 @@
 //go:build with_gvisor && !android
 package tailscale
 import "github.com/sagernet/sing-box/adapter"
 func setAndroidProtectFunc(platformInterface adapter.PlatformInterface) {
 }