feat: traceroute (mtr) support for gVisor TUN and WireGuard tunnels #70

Open
xdqi wants to merge 3 commits into SagerNet:dev from xdqi:feature/mtr-support

@xdqi xdqi commented May 4, 2026

Add traceroute/mtr support through gVisor-based TUN and WireGuard tunnels, enabling ICMP, UDP and TCP traceroute modes.

Features

  • ICMP error forwarding: Forward ICMPv4/v6 TimeExceeded and DstUnreachable messages from the network back to the client, enabling traceroute to discover intermediate hops
  • Source rewriting: Rewrite ICMP error source addresses so traceroute tools receive correctly attributed responses
  • Ping TTL support: Read and set TTL/HopLimit on ICMP echo requests (Unix and Windows)
  • UDP DirectRoute: Handle UDP traceroute packets (high dst port range) by forwarding them with decremented TTL and returning ICMP Port Unreachable when appropriate
  • TCP DirectRoute: Handle TCP SYN traceroute packets similarly
  • DirectRoute wrapper: Unified wrapper to combine ICMP error forwarding with UDP/TCP DirectRoute handlers
  • Configurable TTL decrement: Control whether TTL is decremented before forwarding

Dependencies

Changes

  • 15+ new/modified files in the ping/ and stack packages
  • New test coverage for ICMP, UDP and TCP traceroute modes
  • Configurable via DirectRouteOptions in stack setup

xdqi added 3 commits May 4, 2026 12:28

Add ICMP Time Exceeded and Destination Unreachable error handling
to the ICMPForwarder, enabling traceroute (mtr) to work through
gVisor-based TUN and WireGuard tunnels.

- Add transport error loop for receiving ICMP errors via gVisor dispatch
- Add SourceRewriter for NAT-aware ICMP error rewriting
- Preserve original TTL/HopLimit when forwarding ICMP packets
- Add platform-specific TTL setting via raw socket options
- Handle ICMPv6 error forwarding with IPv6 header synthesis
- Refactor ping session management and error listener setup

Add UDP and TCP raw socket support for DirectRoute, enabling
mtr --udp and mtr --tcp to work through gVisor-based tunnels.

- Add UDPDestination with raw socket sending and ICMP error matching
- Add TCPDestination with raw SYN socket for TCP traceroute
- Add TCP/UDP source rewriting in SourceRewriter
- Integrate UDP/TCP DirectRoute handlers in gVisor forwarders
- Add TTL guard for UDP DirectRoute packets
- Add comprehensive tests for UDP DirectRoute and SourceRewriter

Extract DirectRoute logic from TCPForwarder/UDPForwarder into
standalone wrapper functions, enabling any gVisor transport handler
to be wrapped with DirectRoute support without code duplication.

- Add WrapTCPHandlerWithDirectRoute and WrapUDPHandlerWithDirectRoute
- Add MaxTracerouteHopLimit configuration for TUN stack
- Add TTL decrement with ICMP Time Exceeded generation for VPN mode
- Extract checkTracerouteTTL and setsockoptTTL helpers
- TCPForwarder and UDPForwarder are now pure proxy forwarders
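
As an added example (not code from this pull request): one way to do the "ICMP error matching" the second commit mentions, by checking the datagram quoted inside an ICMPv4 Time Exceeded or Destination Unreachable message against an outstanding UDP probe, so that only errors for probes the tunnel actually sent are forwarded to the client. The `probe` type, the `sampleProbe` values and the function names are assumptions made for this illustration; checksums are not verified.

```go
package main

import (
	"encoding/binary"
	"errors"
	"net/netip"
)

// probe is a hypothetical record of one outstanding UDP traceroute probe.
type probe struct{ src, dst netip.AddrPort }

// sampleProbe is constructed sample data, not taken from the pull request.
var sampleProbe = probe{netip.MustParseAddrPort("10.0.0.2:40000"), netip.MustParseAddrPort("192.0.2.9:33434")}

// matchICMPv4Error reports whether icmp (from the ICMP header on) is a type 3 or 11 error quoting UDP probe p.
func matchICMPv4Error(icmp []byte, p probe) (bool, error) {
	if len(icmp) < 8+20+8 {
		return false, errors.New("ICMP error too short to quote a UDP header")
	}
	if t := icmp[0]; t != 3 && t != 11 {
		return false, nil // neither Destination Unreachable nor Time Exceeded
	}
	q := icmp[8:] // quoted IPv4 header plus the first 8 bytes of its payload
	ihl := int(q[0]&0x0f) * 4
	if q[0]>>4 != 4 || ihl < 20 || len(q) < ihl+8 {
		return false, errors.New("malformed quoted IPv4 header")
	}
	sa, _ := netip.AddrFromSlice(q[12:16])
	da, _ := netip.AddrFromSlice(q[16:20])
	src := netip.AddrPortFrom(sa, binary.BigEndian.Uint16(q[ihl:]))
	dst := netip.AddrPortFrom(da, binary.BigEndian.Uint16(q[ihl+2:]))
	return q[9] == 17 && src == p.src && dst == p.dst, nil // 17 = UDP
}

// buildError constructs a sample ICMPv4 error quoting p (checksums left zero).
func buildError(icmpType byte, p probe) []byte {
	b := make([]byte, 8+20+8)
	s, d := p.src.Addr().As4(), p.dst.Addr().As4()
	b[0], b[8], b[17] = icmpType, 0x45, 17 // ICMP type; quoted version/IHL; quoted protocol
	copy(b[20:24], s[:])
	copy(b[24:28], d[:])
	binary.BigEndian.PutUint16(b[28:], p.src.Port())
	binary.BigEndian.PutUint16(b[30:], p.dst.Port())
	return b
}

func main() {
	ok, err := matchICMPv4Error(buildError(11, sampleProbe), sampleProbe)
	println(ok, err == nil)
}
```

An error whose quoted 5-tuple does not correspond to a tracked probe returns `false`, which is the case a forwarder would drop rather than relay.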