diff --git a/frontend/src/pages/xray/overrides/NordModal.tsx b/frontend/src/pages/xray/overrides/NordModal.tsx index efde508e1..8ba37cd48 100644 --- a/frontend/src/pages/xray/overrides/NordModal.tsx +++ b/frontend/src/pages/xray/overrides/NordModal.tsx @@ -209,7 +209,10 @@ export default function NordModal({ secretKey: nordData?.private_key, address: ['10.5.0.2/32'], peers: [{ publicKey, endpoint: `${server.station}:51820` }], - noKernelTun: false, + // Userspace TUN — same reasoning as the WARP outbound (#5205): kernel + // TUN fails silently on many VPS setups and diverges from the data + // path the panel's connectivity test exercises. + noKernelTun: true, }, }; } diff --git a/frontend/src/pages/xray/overrides/WarpModal.tsx b/frontend/src/pages/xray/overrides/WarpModal.tsx index b495aa4fe..085583ebc 100644 --- a/frontend/src/pages/xray/overrides/WarpModal.tsx +++ b/frontend/src/pages/xray/overrides/WarpModal.tsx @@ -103,9 +103,17 @@ export default function WarpModal({ secretKey: data?.private_key, address: addressesFor(cfg.interface?.addresses || {}), reserved: reservedFor(cfg.client_id ?? data?.client_id), - domainStrategy: 'ForceIP', + // Prefer IPv4 with IPv6 fallback: plain ForceIP may pick the AAAA + // record for engage.cloudflareclient.com, and a host with + // half-configured IPv6 then blackholes the handshake with no error + // logged (#5205). + domainStrategy: 'ForceIPv4v6', peers: [{ publicKey: peer.public_key, endpoint: peer.endpoint?.host }], - noKernelTun: false, + // Userspace TUN: kernel TUN needs CAP_NET_ADMIN + fwmark routing and + // fails silently on many VPS setups, and it is a different data path + // than the panel's connectivity test (which always probes with + // noKernelTun=true), so "test ok" and "traffic flows" can disagree. + noKernelTun: true, }, }; setStagedOutbound(outbound);