更新外部IP时报错

Lam0008

更新外部IP时报错，socket closed by remote peer，以下是日志

2023-04-25 18:13:44.779571 <WARNING> [SGMExternalIP] Failed to obtain external IP address: Error Domain=SGSocketErrorDomain Code=6 "Socket closed by remote peer" UserInfo={NSLocalizedDescription=Socket closed by remote peer}

owenlynda

Lam0008 Surge uses api.my-ip.io to obtain external IP and the IP changes recently from 18.134.24.67 to 91.107.217.147

So, I mapped this in [Host] and it works:

api.my-ip.io = 91.107.217.147, 18.134.24.67

but I used this without # to obtain the IPs

api.my-ip.io = server:https://dns.nextdns.io/mynextDNSID/MacOS

SurgeTeam

Surge Mac 使用的一个第三方服务出现了异常，将在下个版本更换为 STUN 的方式获取外部 IP。

owenlynda

SurgeTeam I'm afraid, most people might not like STUN domains as a test of external IP as it leaks WebRTC except if you have a UDP-relay supported Policy and most STUN are UDP based. I hope you consider these things before implementation

SurgeTeam

owenlynda The external IP function itself is used to obtain the current network's external IP address, and has nothing to do with the issue of IP address leakage.

owenlynda

SurgeTeam It may lead to a leakage when using only Surge system proxy agent and another third party application for the VIF instead of enhanced Mode. Well, it can be manipulated to work together but I think it's best to use a TCP domain to obtain external IP instead of STUN

SurgeTeam

owenlynda

In order to obtain the external IP, Surge must communicate with an external server to obtain the real IP address. This communication process has nothing to do with the proxy server and must be requested directly; otherwise, the obtained IP address will be that of the proxy. This is also unrelated to whether system proxy and enhanced mode are enabled. There is no difference between using TCP or STUN/UDP.

In this case, IP address leakage can only occur by observing data packets on the link. But if attackers can already access data packets on the link, obtaining device's IP address is easy for them without such complexity.

owenlynda

SurgeTeam How about a case where the user has blocked all STUN servers lists system-wide using a Firewall App like Murus/Vallum in order to prevent leakage? It will report an error. But it's all good, Surge is great and it can still be manipulated to work without leakage.
I hope the STUN domain you're adding in the next version will be a unique one different from google STUN servers so that it can be allowed to bypass the firewall by a rule.

owenlynda

Thanks SurgeTeam the new domain to update external IP in 4.11.2 works great. Please, add the support for mapping specific domains to use DoH3 or DoQUIC in [Host] for surge Mac v4.

owenlynda

OR
another good suggestion: add a new feature where the domain to obtain the external IP address can be customized.
I think that'll be better and elegant.