Telegram calls via Dante socks5 proxy server not working

Problem description

I've configured Dante 1.4 on Ubuntu 16.04 as a socks5 proxy for Telegram.

Chats are working, but voice calls are not, failing at "Connecting".

Is there something special I need to configure in order to proxy Telegram voice traffic?

I'm using a single non-privileged (>1024) TCP/UDP port + login + password for connection.

Thanks!

UPD: That's a piece of the log while I am trying to call somebody:

Apr 15 23:05:38 (1523736338.510915) danted[22977]: info: pass(1): udp/udpassociate [: username%USER@0.0.0.0.0 192.168.1.30.36562

Apr 15 23:08:33 (1523736513.020190) danted[22989]: info: pass(1): udp/udpassociate [: username%USER@0.0.0.0.0 192.168.1.30.49065

I can answer the call at destination device but connection is looping and getting error after 30 seconds.

Recommended answer

Proxying UDP with socks is a bit more complex than it might seem, so let's start from the beginning.

Telegram calls use UDP with socks. Socks5 RFC1928 defines the following sequence for relaying UDP:

  1. Client instantiates a TCP socks5 connection.
  2. Client sends a UDP ASSOCIATE request, containing the client's source address and port, which will be used to send UDP datagrams to the socks5 Server. They might be zeros (in Telegram they are) (section 4).
  3. Socks5 Server binds a random UDP port for relaying datagrams for this TCP socks5 connection and sends a UDP ASSOCIATE response, containing the address and port where the client should send the datagrams to be relayed (section 6).
  4. To send a datagram, the Client must add a header to the payload, containing a destination address and port, where the server should relay that datagram (section 7).
  5. Server will keep the UDP port bound until the TCP socks5 connection terminates.

As you can see, opening a single TCP port is not enough. For UDP to work correctly, the automatically bound UDP port must be reachable by client. NATs and Firewalls might further complicate the situation.

  • Telegram calls are peer-to-peer, so the udpassociate command should be allowed to 0/0:

    socks pass {
        from: 0.0.0.0/0
        to: 0.0.0.0/0
        # udp.portrange: 40000-45000
        command: udpassociate
        log: error connect disconnect
    }

  • udpreply (that's for the actual relaying, the 4th step above) should also be allowed to everyone as well:

    socks pass {
        from: 0.0.0.0/0
        to: 0.0.0.0/0
        command: udpreply
        log: error connect disconnect
    }
    

  • If your socks5 Server is behind a firewall, open a range of UDP ports (say 40000-45000) and add the udp.portrange: 40000-45000 line to the udpassociate block (see the commented out example in the first point). Then Dante would bind UDP ports in that range only.

    If your socks5 Server is behind a NAT, then the returned destination address in the response to UDP ASSOCIATE request would be a local IP, rather than the external one. That local IP is unlikely to be reachable by the client, so the sent datagrams would be silently dropped.

    Unfortunately, Dante uses the destination address of the TCP connection as the one where the client should send UDP datagrams to (see the comment in the source code). NAT mangles this address from an external to a local one, so Dante's assumption that the client can reach the proxy using that destination address is broken.

    A possible solution, which doesn't involve patching Dante, would be to use iptables to change the destination address from a local to the external one (assuming that it's known and doesn't change):

    # 203.0.113.12 – the external IP
    # 1080/tcp - Dante TCP port
    # 40000:45000 – Dante UDP portrange
    iptables -t nat -A PREROUTING -p tcp --dport 1080 -j DNAT --to-destination 203.0.113.12
    iptables -t nat -A PREROUTING -p udp --dport 40000:45000 -j DNAT --to-destination 203.0.113.12
    
    # If external address is not added to any network device on that 
    # machine, then add it to the loopback interface, so the kernel 
    # would know where to route the DNATed packets:
    ip addr add 203.0.113.12/32 dev lo
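
The RFC 1928 sequence and the NAT failure described in the answer above, as an added example (not part of the original answer and not Dante code): it builds the UDP ASSOCIATE request, parses the server's reply, flags a BND.ADDR that is not the external IP or a BND.PORT outside the opened range, and builds the section 7 datagram header. It handles IPv4 only; the replies are constructed samples, and 192.168.1.10 is an assumed local address of the proxy.

```python
import ipaddress
import struct

VER, CMD_UDP_ASSOCIATE, ATYP_IPV4 = 0x05, 0x03, 0x01

def build_udp_associate(src_ip="0.0.0.0", src_port=0):
    """Step 2 (RFC 1928 section 4): VER CMD RSV ATYP DST.ADDR DST.PORT."""
    return struct.pack("!BBBB4sH", VER, CMD_UDP_ASSOCIATE, 0, ATYP_IPV4,
                       ipaddress.IPv4Address(src_ip).packed, src_port)

def parse_reply(data):
    """Step 3 (section 6): return (BND.ADDR, BND.PORT) of an IPv4 reply."""
    if len(data) != 10:
        raise ValueError("expected a 10-byte IPv4 reply")
    ver, rep, _rsv, atyp, raw, port = struct.unpack("!BBBB4sH", data)
    if ver != VER or atyp != ATYP_IPV4:
        raise ValueError("not a SOCKS5 IPv4 reply")
    if rep != 0:
        raise ValueError(f"UDP ASSOCIATE refused, REP={rep}")
    return str(ipaddress.IPv4Address(raw)), port

def relay_problems(reply, external_ip, portrange=(40000, 45000)):
    """List the reasons the client's datagrams would never reach the relay."""
    addr, port = parse_reply(reply)
    problems = []
    if addr != external_ip:
        problems.append(f"BND.ADDR {addr} is not the external IP {external_ip}")
    if not portrange[0] <= port <= portrange[1]:
        problems.append(f"BND.PORT {port} is outside the opened UDP range")
    return problems

def wrap_datagram(dst_ip, dst_port, payload):
    """Step 4 (section 7): RSV(2) FRAG ATYP DST.ADDR DST.PORT, then the data."""
    return struct.pack("!HBB4sH", 0, 0, ATYP_IPV4,
                       ipaddress.IPv4Address(dst_ip).packed, dst_port) + payload

def sample_reply(ip, port):
    """Constructed server reply (REP=0, success), standing in for a capture."""
    return struct.pack("!BBBB4sH", VER, 0, 0, ATYP_IPV4,
                       ipaddress.IPv4Address(ip).packed, port)

# Constructed samples: 192.168.1.10 is a made-up local address of the proxy.
NAT_REPLY = sample_reply("192.168.1.10", 41234)
GOOD_REPLY = sample_reply("203.0.113.12", 41234)

if __name__ == "__main__":
    print(build_udp_associate().hex())
    for name, reply in (("behind NAT", NAT_REPLY), ("fixed", GOOD_REPLY)):
        print(name, relay_problems(reply, "203.0.113.12"))
```

Feeding `relay_problems` the ten bytes a real client receives after its UDP ASSOCIATE request shows at once whether the address and port the proxy advertises match what the firewall and NAT actually expose.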
    
