diff --git a/openmptcprouter/files/etc/init.d/openmptcprouter-vps b/openmptcprouter/files/etc/init.d/openmptcprouter-vps
index 03a1029fa..d2c592e6d 100755
--- a/openmptcprouter/files/etc/init.d/openmptcprouter-vps
+++ b/openmptcprouter/files/etc/init.d/openmptcprouter-vps
@@ -276,8 +276,8 @@ _get_vps_config() {
 fi
 vpsip="$(uci -q get openmptcprouter.${servername}.ip)"
 if [ "$(uci -q get shadowsocks-libev.sss0.server)" != "127.0.0.1" ] && [ "$(uci -q get shadowsocks-libev.sss0.server)" != "$vpsip" ] && [ "$(uci -q get openmptcprouter.settings.ha)" != "1" ]; then
+ config_foreach _set_ss_server server "server" $vpsip
 uci -q batch <<-EOF >/dev/null
- set shadowsocks-libev.sss0.server="$vpsip"
 commit shadowsocks-libev
 EOF
 if [ "$(uci -q get shadowsocks-libev.sss0.disabled)" = "0" ]; then
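Review bot: The removed `set shadowsocks-libev.sss0.server="$vpsip"` is replaced by `config_foreach _set_ss_server server "server" $vpsip`, but `_set_ss_server` (defined in the hunk at -712) only writes to sections whose name contains `omr`, and `sss0` does not, so the primary server's address is no longer updated here; the same regression applies to the `server` and `method` replacements in the hunks at -797 and -1215. Either extend the guard in `_set_ss_server` to accept `sss0`, or keep an explicit `uci -q set shadowsocks-libev.sss0.server="$vpsip"` next to the foreach. `$vpsip` should also be quoted, `config_foreach _set_ss_server server "server" "$vpsip"`, so an empty value still reaches the callback as `$3` rather than shifting away. `config_foreach` iterates whatever package was last `config_load`ed, which is not visible in this hunk; if `shadowsocks-libev` is not the loaded package here the `server` sections of another package would be visited instead, so worth confirming. `_get_vps_config` begins and ends outside the hunk.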
@@ -342,7 +342,74 @@ _get_vps_config() { fi } -_set_pihole() { +_get_gre_tunnel() { + [ -z "$vps_config" ] && vps_config=$(_get_json "config") + [ -z "$vps_config" ] && return + gre_tunnel_state="$(echo "$vps_config" | jsonfilter -q -e '@.gre_tunnel.enabled')" + if [ "$gre_tunnel_state" = "true" ]; then + i=0 + echo "$vps_config" | jsonfilter -q -e '@.gre_tunnel.config[*]' | + while IFS= read -r tunnel; do + peeraddr="$(echo $tunnel | jsonfilter -q -e '@.remote_ip')" + ipaddr="$(echo $tunnel | jsonfilter -q -e '@.local_ip')" + publicaddr="$(echo $tunnel | jsonfilter -q -e '@.public_ip')" + uci -q batch <<-EOF >/dev/null + set network.omrip${i}=interface + set network.omrip${i}.label="Tunnel for $publicaddr" + set network.omrip${i}.proto=gre + set network.omrip${i}.nohostroute='1' + set network.omrip${i}.ipv6='0' + set network.omrip${i}.defaultroute='0' + set network.omrip${i}.multipath='off' + set network.omrip${i}.peerdns='0' + set network.omrip${i}.ip4table='vpn' + set network.omrip${i}.peeraddr="$peeraddr" + set network.omrip${i}.ipaddr="$ipaddr" + commit network + add_list firewall.zone_vpn.network="omrip${i}" + commit firewall + EOF + + ssport="$(echo $tunnel | jsonfilter -q -e '@.shadowsocks_port')" + uci -q batch <<-EOF >/dev/null + set shadowsocks-libev.omrip${i}server=server + set shadowsocks-libev.omrip${i}server.label="Server with public IP $publicaddr" + set shadowsocks-libev.omrip${i}server.server_port="$ssport" + set shadowsocks-libev.omrip${i}server.method="$(uci -q get shadowsocks-libev.sss0.method)" + set shadowsocks-libev.omrip${i}server.key="$(uci -q get shadowsocks-libev.sss0.key)" + set shadowsocks-libev.omrip${i}=ss_redir + set shadowsocks-libev.omrip${i}.label="ss-redir for public IP $publicaddr" + set shadowsocks-libev.omrip${i}.server="omrip${i}server" + set shadowsocks-libev.omrip${i}.local_port="230$i" + set shadowsocks-libev.omrip${i}.mode='tcp_and_udp' + set shadowsocks-libev.omrip${i}.reuse_port='1' + set 
shadowsocks-libev.omrip${i}.mptcp='1' + set shadowsocks-libev.omrip${i}.ipv6_first='1' + set shadowsocks-libev.omrip${i}.timeout="$(uci -q get shadowsocks-libev.omrip${i}.timeout)" + set shadowsocks-libev.omrip${i}.fast_open="$(uci -q get shadowsocks-libev.omrip${i}.fast_open)" + set shadowsocks-libev.omrip${i}.no_delay="$(uci -q get shadowsocks-libev.omrip${i}.no_delay)" + set shadowsocks-libev.omrip${i}_rule=ss_rules + set shadowsocks-libev.omrip${i}_rule.label="Rules for public IP $publicaddr" + set shadowsocks-libev.omrip${i}_rule.server="omrip${i}server" + set shadowsocks-libev.omrip${i}_rule.disabled='1' + set shadowsocks-libev.omrip${i}_rule.src_default='forward' + set shadowsocks-libev.omrip${i}_rule.dst_default='forward' + set shadowsocks-libev.omrip${i}_rule.local_default='forward' + set shadowsocks-libev.omrip${i}_rule.redir_tcp="omrip${i}" + commit shadowsocks-libev + EOF + if [ "$(uci -q get shadowsocks-libev.omrip${i}server.disabled)" = "" ]; then + uci -q set shadowsocks-libev.omrip${i}server.disabled='1' + fi + if [ "$(uci -q get shadowsocks-libev.omrip${i}.local_address)" = "" ]; then + uci -q set shadowsocks-libev.omrip${i}.local_address='::' + fi + i=$((i+1)) + done + fi +} + +_get_pihole() { [ -z "$vps_config" ] && vps_config=$(_get_json "config") [ -z "$vps_config" ] && return vpn="$(uci -q get openmptcprouter.settings.vpn)" @@ -576,6 +643,7 @@ _vps_firewall_redirect_port() { config_get src_dport $1 src_dport config_get family $1 family "ipv4" config_get enabled $1 enabled "1" + config_get src_dip $1 src_dip [ "$(echo $src_dport | cut -d'-' -f2)" -ge "65000" ] && { logger -t "OMR-VPS" "You can't redirect ports >= 65000, they are needed by OpenMPTCProuter Server part" uci -q delete firewall.$1 
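Review bot: In `_get_gre_tunnel` the values read from the VPS JSON (`remote_ip`, `local_ip`, `public_ip`, `shadowsocks_port`) are expanded straight into the `uci -q batch <<-EOF` here-docs without any validation; because uci batch is line-oriented, a value carrying a newline or a stray `"` becomes additional `set`/`commit` commands on the router, and `echo $tunnel` is additionally unquoted so the JSON text is word-split and glob-expanded before `jsonfilter` sees it. The hunk already assumes IPv4 (`ipv6='0'`), so a `case` whitelist per field before the batch, skipping the tunnel on mismatch, closes this cheaply; widen the patterns if IPv6 endpoints are expected. Note that `continue` leaves `i` unchanged, so a skipped entry does not consume an `omrip${i}` slot, and stale `omrip*` sections from a previous run are never removed by this function, which may or may not be intended.
```shell
while IFS= read -r tunnel; do
	peeraddr="$(echo "$tunnel" | jsonfilter -q -e '@.remote_ip')"
	ipaddr="$(echo "$tunnel" | jsonfilter -q -e '@.local_ip')"
	publicaddr="$(echo "$tunnel" | jsonfilter -q -e '@.public_ip')"
	ssport="$(echo "$tunnel" | jsonfilter -q -e '@.shadowsocks_port')"
	# Only dotted-quad / numeric values may enter the uci batch below:
	# anything else (quotes, newlines, shell text) would be parsed as extra uci commands.
	case "$peeraddr" in *[!0-9.]*|"") logger -t "OMR-VPS" "GRE tunnel: invalid remote_ip, skipped"; continue ;; esac
	case "$ipaddr" in *[!0-9./]*|"") logger -t "OMR-VPS" "GRE tunnel: invalid local_ip, skipped"; continue ;; esac
	case "$publicaddr" in *[!0-9.]*|"") logger -t "OMR-VPS" "GRE tunnel: invalid public_ip, skipped"; continue ;; esac
	case "$ssport" in *[!0-9]*|"") logger -t "OMR-VPS" "GRE tunnel: invalid shadowsocks_port, skipped"; continue ;; esac
	# … unchanged: uci batch for network.omrip${i} and shadowsocks-libev.omrip${i}* …
```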
@@ -585,56 +653,110 @@ _vps_firewall_redirect_port() { if [ "$proto" = "tcp udp" ]; then checkfw="" if [ "$family" = "ipv4" ]; then - checkfw=$(echo "$vpsfwlist" | grep "$src_dport # OMR $username redirect router $src_dport port tcp") + if [ "$src_dip" = "" ]; then + checkfw=$(echo "$vpsfwlist" | grep "$src_dport # OMR $username redirect router $src_dport port tcp") + else + checkfw=$(echo "$vpsfwlist" | grep "# OMR $username redirect router $src_dport port tcp to $src_dip") + fi else - checkfw=$(echo "$vpsfw6list" | grep "$src_dport # OMR $username redirect router $src_dport port tcp") + if [ "$src_dip" = "" ]; then + checkfw=$(echo "$vpsfw6list" | grep "$src_dport # OMR $username redirect router $src_dport port tcp") + else + checkfw=$(echo "$vpsfw6list" | grep "# OMR $username redirect router $src_dport port tcp to $src_dip") + fi fi if [ "$checkfw" = "" ]; then - settings='{"name" : "router '$src_dport'","port" : "'$src_dport'","proto" : "tcp","fwtype" : "DNAT","ipproto" : "'$family'"}' + settings='{"name" : "router '$src_dport'","port" : "'$src_dport'","source_dip" : "'$src_dip'","proto" : "tcp","fwtype" : "DNAT","ipproto" : "'$family'"}' _set_json "shorewallopen" "$settings" fi if [ "$family" = "ipv4" ]; then - vpsfwlist=$(echo "$vpsfwlist" | grep -v "$src_dport # OMR $username redirect router $src_dport port tcp") - [ "$username" = "openmptcprouter" ] && vpsfwlist=$(echo "$vpsfwlist" | grep -v "$src_dport # OMR redirect router $src_dport port tcp") + if [ "$src_dip" = "" ]; then + vpsfwlist=$(echo "$vpsfwlist" | grep -v "# OMR $username redirect router $src_dport port tcp") + [ "$username" = "openmptcprouter" ] && vpsfwlist=$(echo "$vpsfwlist" | grep -v "# OMR redirect router $src_dport port tcp") + else + vpsfwlist=$(echo "$vpsfwlist" | grep -v "# OMR $username redirect router $src_dport port tcp to $src_dip") + [ "$username" = "openmptcprouter" ] && vpsfwlist=$(echo "$vpsfwlist" | grep -v "# OMR redirect router $src_dport port tcp to $src_dip") + fi else - 
vpsfw6list=$(echo "$vpsfw6list" | grep -v "$src_dport # OMR $username redirect router $src_dport port tcp") - [ "$username" = "openmptcprouter" ] && vpsfw6list=$(echo "$vpsfw6list" | grep -v "$src_dport # OMR redirect router $src_dport port tcp") + if [ "$src_dip" = "" ]; then + vpsfw6list=$(echo "$vpsfw6list" | grep -v "# OMR $username redirect router $src_dport port tcp") + [ "$username" = "openmptcprouter" ] && vpsfw6list=$(echo "$vpsfw6list" | grep -v "# OMR redirect router $src_dport port tcp") + else + vpsfw6list=$(echo "$vpsfw6list" | grep -v "# OMR $username redirect router $src_dport port tcp to $src_dip") + [ "$username" = "openmptcprouter" ] && vpsfw6list=$(echo "$vpsfw6list" | grep -v "# OMR redirect router $src_dport port tcp to $src_dip") + fi fi checkfw="" if [ "$family" = "ipv4" ]; then - checkfw=$(echo "$vpsfwlist" | grep "$src_dport # OMR $username redirect router $src_dport port udp") + if [ "$src_dip" = "" ]; then + checkfw=$(echo "$vpsfwlist" | grep "$src_dport # OMR $username redirect router $src_dport port udp") + else + checkfw=$(echo "$vpsfwlist" | grep "# OMR $username redirect router $src_dport port udp to $src_dip") + fi else - checkfw=$(echo "$vpsfw6list" | grep "$src_dport # OMR $username redirect router $src_dport port udp") + if [ "$src_dip" = "" ]; then + checkfw=$(echo "$vpsfw6list" | grep "$src_dport # OMR $username redirect router $src_dport port udp") + else + checkfw=$(echo "$vpsfw6list" | grep "# OMR $username redirect router $src_dport port udp to $src_dip") + fi fi if [ "$checkfw" = "" ]; then - settings='{"name" : "router '$src_dport'","port" : "'$src_dport'","proto" : "udp","fwtype" : "DNAT","ipproto" : "'$family'"}' + settings='{"name" : "router '$src_dport'","port" : "'$src_dport'","source_dip" : "'$src_dip'","proto" : "udp","fwtype" : "DNAT","ipproto" : "'$family'"}' _set_json "shorewallopen" "$settings" fi if [ "$family" = "ipv4" ]; then - vpsfwlist=$(echo "$vpsfwlist" | grep -v "$src_dport # OMR $username redirect 
router $src_dport port udp") - [ "$username" = "openmptcprouter" ] && vpsfwlist=$(echo "$vpsfwlist" | grep -v "$src_dport # OMR redirect router $src_dport port udp") + if [ "$src_dip" = "" ]; then + vpsfwlist=$(echo "$vpsfwlist" | grep -v "$src_dport # OMR $username redirect router $src_dport port udp") + [ "$username" = "openmptcprouter" ] && vpsfwlist=$(echo "$vpsfwlist" | grep -v "$src_dport # OMR redirect router $src_dport port udp") + else + vpsfwlist=$(echo "$vpsfwlist" | grep -v "# OMR $username redirect router $src_dport port udp to $src_dip") + [ "$username" = "openmptcprouter" ] && vpsfwlist=$(echo "$vpsfwlist" | grep -v "# OMR redirect router $src_dport port udp to $src_dip") + fi else - vpsfw6list=$(echo "$vpsfw6list" | grep -v "$src_dport # OMR $username redirect router $src_dport port udp") - [ "$username" = "openmptcprouter" ] && vpsfw6list=$(echo "$vpsfw6list" | grep -v "$src_dport # OMR redirect router $src_dport port udp") + if [ "$src_dip" = "" ]; then + vpsfw6list=$(echo "$vpsfw6list" | grep -v "$src_dport # OMR $username redirect router $src_dport port udp") + [ "$username" = "openmptcprouter" ] && vpsfw6list=$(echo "$vpsfw6list" | grep -v "$src_dport # OMR redirect router $src_dport port udp") + else + vpsfw6list=$(echo "$vpsfw6list" | grep -v "# OMR $username redirect router $src_dport port udp to $src_dip") + [ "$username" = "openmptcprouter" ] && vpsfw6list=$(echo "$vpsfw6list" | grep -v "# OMR redirect router $src_dport port udp to $src_dip") + fi fi else checkfw="" if [ "$family" = "ipv4" ]; then - checkfw=$(echo "$vpsfwlist" | grep "$src_dport # OMR $username redirect router $src_dport port $proto") + if [ "$src_dip" = "" ]; then + checkfw=$(echo "$vpsfwlist" | grep "$src_dport # OMR $username redirect router $src_dport port $proto") + else + checkfw=$(echo "$vpsfwlist" | grep "# OMR $username redirect router $src_dport port $proto to $src_dip") + fi else - checkfw=$(echo "$vpsfw6list" | grep "$src_dport # OMR $username redirect router 
$src_dport port $proto") + if [ "$src_dip" = "" ]; then + checkfw=$(echo "$vpsfw6list" | grep "$src_dport # OMR $username redirect router $src_dport port $proto") + else + checkfw=$(echo "$vpsfw6list" | grep "# OMR $username redirect router $src_dport port $proto to $src_dip") + fi fi if [ "$checkfw" = "" ]; then - settings='{"name" : "router '$src_dport'","port" : "'$src_dport'","proto" : "'$proto'","fwtype" : "DNAT","ipproto" : "'$family'"}' + settings='{"name" : "router '$src_dport'","port" : "'$src_dport'","source_dip" : "'$src_dip'","proto" : "'$proto'","fwtype" : "DNAT","ipproto" : "'$family'"}' _set_json "shorewallopen" "$settings" fi if [ "$family" = "ipv4" ]; then - vpsfwlist=$(echo "$vpsfwlist" | grep -v "$src_dport # OMR $username redirect router $src_dport port $proto") - [ "$username" = "openmptcprouter" ] && vpsfwlist=$(echo "$vpsfwlist" | grep -v "$src_dport # OMR redirect router $src_dport port $proto") + if [ "$src_dip" = "" ]; then + vpsfwlist=$(echo "$vpsfwlist" | grep -v "$src_dport # OMR $username redirect router $src_dport port $proto") + [ "$username" = "openmptcprouter" ] && vpsfwlist=$(echo "$vpsfwlist" | grep -v "$src_dport # OMR redirect router $src_dport port $proto") + else + vpsfwlist=$(echo "$vpsfwlist" | grep -v "# OMR $username redirect router $src_dport port $proto to $src_dip") + [ "$username" = "openmptcprouter" ] && vpsfwlist=$(echo "$vpsfwlist" | grep -v "# OMR redirect router $src_dport port $proto to $src_dip") + fi else - vpsfw6list=$(echo "$vpsfw6list" | grep -v "$src_dport # OMR $username redirect router $src_dport port $proto") - [ "$username" = "openmptcprouter" ] && vpsfw6list=$(echo "$vpsfw6list" | grep -v "$src_dport # OMR redirect router $src_dport port $proto") + if [ "$src_dip" = "" ]; then + vpsfw6list=$(echo "$vpsfw6list" | grep -v "$src_dport # OMR $username redirect router $src_dport port $proto") + [ "$username" = "openmptcprouter" ] && vpsfw6list=$(echo "$vpsfw6list" | grep -v "$src_dport # OMR redirect 
router $src_dport port $proto") + else + vpsfw6list=$(echo "$vpsfw6list" | grep -v "# OMR $username redirect router $src_dport port $proto to $src_dip") + [ "$username" = "openmptcprouter" ] && vpsfw6list=$(echo "$vpsfw6list" | grep -v "# OMR redirect router $src_dport port $proto to $src_dip") + fi fi fi } @@ -697,6 +819,13 @@ _set_vps_firewall() { } set_vps_firewall() { + fw3 -q print | grep 'vpn.* -d' | + while IFS=$"\n" read -r c; do + eval $(echo $c | sed 's/-A/-D/') + newrule=$(echo $c | sed -E -e 's/ -d ([^ ])*//' -e 's/ -s ([^ ])*//') + eval $(echo $newrule | sed 's/-A/-C/') || eval $newrule + done + #' config_load openmptcprouter config_foreach _set_vps_firewall server } @@ -712,6 +841,17 @@ _set_ss_redir() { uci -q set shadowsocks-libev.$1.$option=$value } +_set_ss_server() { + local option=$2 + local value=$3 + if [ "$value" = "true" ]; then + value=1 + elif [ "$value" = "false" ]; then + value=0 + fi + [ "$(echo $1 | grep omr)" != "" ] && uci -q set shadowsocks-libev.$1.$option=$value +} + _set_config_from_vps() { local shadowsocks_disabled vpn glorytun_state redirect shorewall_redirect mlvpn_key openvpn_key dsvpn_key [ -z "$vps_config" ] && vps_config=$(_get_json "config") 
@@ -797,10 +937,16 @@ _set_config_from_vps() { set shadowsocks-libev.sss0.obfs_type=$ss_obfs_type set shadowsocks-libev.sss0.obfs_host=$ss_obfs_host EOF + config_foreach _set_ss_server server "key" $ss_key + config_foreach _set_ss_server server "method" $ss_method + config_foreach _set_ss_server server "obfs" $ss_obfs + config_foreach _set_ss_server server "obfs_plugin" $ss_obfs_plugin + config_foreach _set_ss_server server "obfs_type" $ss_obfs_type + config_foreach _set_ss_server server "obfs_host" $ss_obfs_host if [ "$(uci -q get shadowsocks-libev.sss0.server)" != "127.0.0.1" ]; then - uci -q set shadowsocks-libev.sss0.server="$vpsip" + config_foreach _set_ss_server server "server" $vpsip fi - uci -q commit shadowsocks-libev.sss0 + uci -q commit shadowsocks-libev logger -t "OMR-VPS" "Shadowsocks restart..." /etc/init.d/shadowsocks-libev restart >/dev/null 2>&1 fi @@ -1201,6 +1347,7 @@ _config_service() { error=0 [ "$(uci -q get openmptcprouter.${servername}.get_config)" = "1" ] && { _set_config_from_vps + _get_gre_tunnel } _get_vps_config @@ -1215,9 +1362,9 @@ _config_service() { uci -q batch <<-EOF >/dev/null set glorytun.vpn.chacha20="0" commit glorytun - set shadowsocks-libev.sss0.method="aes-256-gcm" - commit shadowsocks-libev EOF + config_foreach _set_ss_server server "method" "aes-256-gcm" + uci -q commit shadowsocks-libev fi } [ -n "$vps_config" ] && uci -q set openmptcprouter.settings.firstboot=0 @@ -1276,7 +1423,7 @@ _set_pihole_server() { EOF return } - _set_pihole $pservername + _get_pihole $pservername } set_pihole() {
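Review bot: The six new `config_foreach _set_ss_server server "key" $ss_key` … `"obfs_host" $ss_obfs_host` calls pass the values unquoted; an empty `$ss_obfs_host` (or `$ss_obfs_plugin`) vanishes from the argument list and `_set_ss_server` then receives no `$3`, while a value with spaces is split across extra arguments the callback ignores. Quote every value, `config_foreach _set_ss_server server "key" "$ss_key"`, and likewise `"$vpsip"` in the `server` call. `_set_config_from_vps` starts and ends outside the hunk, so whether `config_load shadowsocks-libev` precedes these calls cannot be checked here.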