System TUN does not work in v2raya

I am using the v2raya client on an MT3000 router, router firmware 4.8.0-op24.

Everything works fine when v2raya is in tproxy mode.

But I need to ping the Internet connection after v2raya, which, as I understand it, can be achieved in system tun mode, because then the “tun0” interface appears, through which, in theory, ping tests can be performed.

I basically did everything according to the instructions from chatgpt, because I am a beginner in this field.

He recommended the following:

Step 1. Checking system-tun

Open System → Startup and make sure that v2raya is working.

Enable system-tun mode in the v2rayA web interface.

Check that the tun0 interface appears in LuCI:

Status → Network → Interfaces

There should be tun0.

Step 2. Add a new interface in LuCI

Go to Network → Interfaces → click Add new interface.

Name it, for example, V2RAY_TUN.

Select Protocol: Unmanaged.

In the Cover the following interface field, select tun0.

Save.

Step 3. Firewall zone

Go to Network → Firewall.

Add a new v2ray zone.

Input: reject

Output: accept

Forward: reject

Masquerading: on

MSS clamping: on

Link the V2RAY_TUN interface to it.

In the Forwarding section, do the following:

lan → v2ray (i.e., all LAN traffic will go through the tunnel).

and many other similar things, but the problem is the same: there is virtually no Internet connection in this case, and the following errors mainly appear: “ERR_CONNECTION_REFUSED”, “DNS_PROBE_FINISHED_BAD_SECURE_CONFIG”, “DNS_PROBE_STARTED”

Could someone help me set all this up, preferably explaining it in a way that is understandable to a beginner?
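The same three LuCI steps written out as the equivalent OpenWrt /etc/config fragments, added here for reference (not something posted in the thread); the interface name V2RAY_TUN, device tun0 and zone name v2ray are the ones used in the steps. It is the setup that failed for the author, shown in this form so the settings can be compared against the running configuration with `uci show network.V2RAY_TUN` and `uci show firewall`.

```uci
# /etc/config/network -- Step 2: "Unmanaged" interface covering the tun0 device
# (proto 'none' is what LuCI calls Unmanaged; tun0 is created by v2rayA in system-tun mode)
config interface 'V2RAY_TUN'
	option proto 'none'
	option device 'tun0'

# /etc/config/firewall -- Step 3: zone for the tunnel, with lan forwarded into it
# (masq '1' is "Masquerading: on", mtu_fix '1' is "MSS clamping: on")
config zone
	option name 'v2ray'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'V2RAY_TUN'

config forwarding
	option src 'lan'
	option dest 'v2ray'
```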

My knowledge is extremely limited.

But here is what I learned:

  • V2raya is difficult to understand when you want to host a server; there aren't many tutorials about this making a clear abstraction between the two, but from what I understand there should be a config file you need to change in the CLI which shows more options than the web UI (v2raya); the UI is only for the client.

It started to make more sense to me when using a different UI called 3x-ui; afaik there is no OpenWrt package for this, but there is Docker. This is a really good-looking UI and very clean to understand, and for me a much cleaner abstraction between server and client; it looks kind of like wg-easy.

From what I think, VLESS is the most recommended one, with xray reality.

  • doko-door: a doko-door is more of a proxy, from what I understand, and that proxy can then finally forward it to a tun or wg interface.

I don't think any of these protocols should use an interface, but I'm not entirely sure. I think it wants to replace the routing and works more as a transparent proxy/VPN on 0.0.0.0/0 (on all the internet); if this is true, it might give unwanted effects for the VPN software from GL.iNet.

As for these:

ERR_CONNECTION_REFUSED: the firewall rejected the connection, or v2ray replied with a reject; 100% something firewall related. If the input of its firewall zone is set to accept, try using accept on forward too.

DNS_PROBE_FINISHED_BAD_SECURE_CONFIG: this one is not so well known to me, but maybe v2ray uses some type of bogon IP which the browser doesn't like, or bad DNSSEC; you may want to look into that in the DHCP settings in OpenWrt LuCI. Edit: according to a quick Google, this would mean the IP cannot be found for the domain.

DNS_PROBE_STARTED: this says it detected a DNS, or some type of connection, but failed, i.e. often refused by the first error.

This is when these errors were projected in the Chrome browser; if v2ray has its own errors and logs, this can mean something totally different.

Edit:

I think you might be missing a route for your DNS, or, if I compare it with the equivalent for WireGuard: AllowedIPs.

3X-UI is a web interface for configuring settings, or, in simpler terms, a server. I need to configure the client on the router, which is connected to the server configured using 3X-UI.

Specifically, I need a “ping check” that will check the connection after v2raya (all traffic goes through v2raya).

For the ping check, I found a watchdog (GitHub - 4IceG/luci-app-lite-watchdog: Simple internet connection monitor. Connection tester based on the method of testing pings to a given address. (LuCI JS) | OpenWrt >= 21.02).

But for it to work, I need an interface. In tproxy mode, v2raya does not create an interface, so I have two options: either try through the LAN interface, or select system tun mode to get an interface from v2raya (tun0).

In the case of LAN, the ping check goes directly to my modem, which I don't need (I need the ping to be after the VPN); in the case of tun0, my internet doesn't work at all.


Hmm, I can only relate with other protocols like VXLANs.

Will the tun device appear after a restart? For me this is required for VXLAN.

I wonder if it is the same bug; it needs to be shown as a DSA device or in the CLI command ifconfig.

Appears

I have been playing a little with my 3x-ui and my mobile with v2box.

I came to the conclusion that none of my configurations worked, but I could see the client was online in 3x-ui.

I was able to ping addresses like 9.9.9.9 but domain resolution failed.

After a lot of researching, I came to the conclusion that most clients (v2ray clients) want to use their own DNS servers; I disabled this and it worked.

On a Windows client, v2rayN, I was able to see that the DNS requests were exceeding the timeout.

My suspicion is that maybe because my upstream DNS is NextDNS, and maybe one of these client options wants to spoof or do some magic, it will not work; I disabled it and it worked.

I don't know if it will have more security implications, but these were some of my findings.

Can you check if v2raya has a certain DNS server section? Disable all.

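The "ping check after the VPN" the original poster asked for, and the IP-works-but-names-fail symptom described in the reply above, combined into one watchdog-style probe. This is an added example, not code from the thread or from v2rayA or luci-app-lite-watchdog; the interface name tun0, the target 9.9.9.9 and the hostname openwrt.org are assumptions and can be overridden through environment variables.

```shell
#!/bin/sh
# Added example (not from the thread): probe connectivity *through* the
# v2rayA system-tun interface, and tell apart three failure modes seen in
# the thread: no tun device, tun up but nothing reachable, IPs reachable
# but DNS broken. Defaults below are assumptions; override via environment.
IFACE="${IFACE:-tun0}"
TARGET_IP="${TARGET_IP:-9.9.9.9}"
TEST_HOST="${TEST_HOST:-openwrt.org}"

# 0 if the interface exists and is usable (tun devices often report "unknown").
tun_is_up() {
    [ -r "/sys/class/net/$1/operstate" ] || return 1
    state=$(cat "/sys/class/net/$1/operstate")
    [ "$state" = "up" ] || [ "$state" = "unknown" ]
}

# 0 if ICMP echo to $2 answers when bound to interface $1 (BusyBox ping has -I).
ping_via() {
    ping -I "$1" -c 3 -W 2 "$2" >/dev/null 2>&1
}

# 0 if the router's own resolver (what dnsmasq/v2rayA hands out) resolves $1.
dns_resolves() {
    nslookup "$1" >/dev/null 2>&1
}

# Map the three probe exit codes (0 = ok) onto one verdict for a log line.
verdict() {
    if   [ "$1" -ne 0 ]; then echo "NO_TUN"        # no tun0: not in system-tun mode, or v2rayA down
    elif [ "$2" -ne 0 ]; then echo "TUN_NO_REACH"  # tun0 exists but nothing answers through it
    elif [ "$3" -ne 0 ]; then echo "DNS_BROKEN"    # IPs work, names don't: check DNS route/servers
    else                      echo "OK"
    fi
}

main() {
    tun_is_up "$IFACE";             up=$?
    ping_via "$IFACE" "$TARGET_IP"; reach=$?
    dns_resolves "$TEST_HOST";      dns=$?
    result=$(verdict "$up" "$reach" "$dns")
    logger -t tun-check "iface=$IFACE ping=$TARGET_IP dns=$TEST_HOST verdict=$result"
    echo "$result"
}

# Probes run only when invoked with "run", e.g. from cron every minute:
#   * * * * * /root/tun-check.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

The verdict line lands in `logread`, so a monitoring rule or a simple script can react to anything other than OK.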

To know how to do it)
