From 09a887f95cd76c400a8c2a45b2ae11134acbde29 Mon Sep 17 00:00:00 2001
From: MHSanaei
Date: Thu, 11 Jun 2026 21:49:45 +0200
Subject: [PATCH] fix(warp): prefer IPv4 with v6 fallback and userspace TUN in generated WireGuard outbounds (#5205)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The generated WARP outbound used domainStrategy ForceIP, which may pick the AAAA record for engage.cloudflareclient.com; on a host with half-configured IPv6 the handshake then blackholes with nothing in the logs. ForceIPv4v6 prefers IPv4 and still falls back to IPv6 on v6-only hosts, matching the official WARP client's behavior. It also set noKernelTun: false, so with root privileges the real outbound used kernel TUN — a path that needs CAP_NET_ADMIN plus fwmark routing and fails silently on many VPS setups — while the panel's connectivity probe always tests with noKernelTun: true. The status check and real traffic exercised different data paths and could disagree. Generate WARP and NordVPN outbounds with the userspace TUN so both follow the path the probe validates. Only affects newly added/reset outbounds; existing templates keep their saved settings.
---
 frontend/src/pages/xray/overrides/NordModal.tsx | 5 ++++-
 frontend/src/pages/xray/overrides/WarpModal.tsx | 12 ++++++++++--
 2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/frontend/src/pages/xray/overrides/NordModal.tsx b/frontend/src/pages/xray/overrides/NordModal.tsx
index efde508e1..8ba37cd48 100644
--- a/frontend/src/pages/xray/overrides/NordModal.tsx
+++ b/frontend/src/pages/xray/overrides/NordModal.tsx
@@ -209,7 +209,10 @@ export default function NordModal({
 secretKey: nordData?.private_key,
 address: ['10.5.0.2/32'],
 peers: [{ publicKey, endpoint: `${server.station}:51820` }],
- noKernelTun: false,
+ // Userspace TUN — same reasoning as the WARP outbound (#5205): kernel
+ // TUN fails silently on many VPS setups and diverges from the data
+ // path the panel's connectivity test exercises.
+ noKernelTun: true,
 },
 };
 }
diff --git a/frontend/src/pages/xray/overrides/WarpModal.tsx b/frontend/src/pages/xray/overrides/WarpModal.tsx
index b495aa4fe..085583ebc 100644
--- a/frontend/src/pages/xray/overrides/WarpModal.tsx
+++ b/frontend/src/pages/xray/overrides/WarpModal.tsx
@@ -103,9 +103,17 @@ export default function WarpModal({
 secretKey: data?.private_key,
 address: addressesFor(cfg.interface?.addresses || {}),
 reserved: reservedFor(cfg.client_id ?? data?.client_id),
- domainStrategy: 'ForceIP',
+ // Prefer IPv4 with IPv6 fallback: plain ForceIP may pick the AAAA
+ // record for engage.cloudflareclient.com, and a host with
+ // half-configured IPv6 then blackholes the handshake with no error
+ // logged (#5205).
+ domainStrategy: 'ForceIPv4v6',
 peers: [{ publicKey: peer.public_key, endpoint: peer.endpoint?.host }],
- noKernelTun: false,
+ // Userspace TUN: kernel TUN needs CAP_NET_ADMIN + fwmark routing and
+ // fails silently on many VPS setups, and it is a different data path
+ // than the panel's connectivity test (which always probes with
+ // noKernelTun=true), so "test ok" and "traffic flows" can disagree.
+ noKernelTun: true,
 },
 };
 setStagedOutbound(outbound);
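Review bot: `noKernelTun: true` is hard-coded in the NordModal.tsx hunk and again in the WarpModal.tsx hunk, while both comments say its purpose is to match what the panel's connectivity test uses, so three places now have to be kept in step by hand. If the probe's setting ever changes (its code is not visible in this patch), the generated outbounds and the status check would diverge again without any error, which is the failure this commit sets out to remove. One exported constant read by both modals and the probe would make that coupling explicit, for example `noKernelTun: USERSPACE_TUN,` (the name is only a suggestion), with the rationale comment kept once at its definition. The object literal and the NordModal body start and end outside the hunk.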
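Review bot: Outbounds saved before this change keep `noKernelTun: false` and `domainStrategy: 'ForceIP'`, since the commit message states that only newly added or reset outbounds are affected, and nothing in the WarpModal.tsx hunk records that for the next maintainer or the operator. For those saved entries the connectivity test, which per the comment always probes with `noKernelTun=true`, can still report success while real traffic takes the kernel TUN path and fails silently. I would extend the comment above `noKernelTun` with a line such as `// Saved outbounds are not migrated; reset the outbound to pick up these defaults.` and consider surfacing the same hint in the modal. The enclosing function continues outside the hunk.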