From ad982dc3c610944aba010cdd7998a37d8b45b9ea Mon Sep 17 00:00:00 2001 From: "Ycarus (Yannick Chabanois)" Date: Tue, 31 Dec 2019 18:41:12 +0100 Subject: [PATCH 01/13] Really fix OpenVPN conf --- openvpn-tun0.conf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/openvpn-tun0.conf b/openvpn-tun0.conf index e7193ff..2b64eda 100644 --- a/openvpn-tun0.conf +++ b/openvpn-tun0.conf @@ -8,10 +8,10 @@ duplicate-cn verb 3 server 10.255.252.0 255.255.255.0 ca /etc/openvpn/ca/pki/ca.crt -cert /etc/openvpn/ca/issued/server.crt -key /etc/openvpn/ca/private/server.key +cert /etc/openvpn/ca/pki/issued/server.crt +key /etc/openvpn/ca/pki/private/server.key dh /etc/openvpn/server/dh2048.pem -crl-verify /etc/openvpn/ca/crl.pem +crl-verify /etc/openvpn/ca/pki/crl.pem keepalive 10 120 sndbuf 0 rcvbuf 0 \ No newline at end of file From 8998e9827980b4bceccd5447b3a13280d4acfc2f Mon Sep 17 00:00:00 2001 From: "Ycarus (Yannick Chabanois)" Date: Wed, 1 Jan 2020 11:32:18 +0100 Subject: [PATCH 02/13] Fix https://github.com/Ysurac/openmptcprouter/issues/774 --- debian9-x86_64.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/debian9-x86_64.sh b/debian9-x86_64.sh index bbf0582..9489dd9 100644 --- a/debian9-x86_64.sh +++ b/debian9-x86_64.sh @@ -478,6 +478,7 @@ if [ "$OPENVPN" = "yes" ]; then if [ ! -d /etc/openvpn/ca ]; then make-cadir /etc/openvpn/ca fi + mkdir -p /etc/openvpn/ca/pki/private /etc/openvpn/ca/pki/issued mv /etc/openvpn/server/ca.crt /etc/openvpn/ca/pki/ca.crt mv /etc/openvpn/server/ca.key /etc/openvpn/ca/pki/private/ca.key mv /etc/openvpn/server/server.crt /etc/openvpn/ca/pki/issued/server.crt From 5e9a5b1b81440e1e9b488f8864bd865afe1bcbc7 Mon Sep 17 00:00:00 2001 From: "Ycarus (Yannick Chabanois)" Date: Wed, 1 Jan 2020 17:00:41 +0100 Subject: [PATCH 03/13] Add server username --- debian9-x86_64.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/debian9-x86_64.sh b/debian9-x86_64.sh index 9489dd9..48b03a5 100644 --- a/debian9-x86_64.sh +++ b/debian9-x86_64.sh @@ -740,6 +740,8 @@ if [ "$update" = "0" ]; then echo '!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!' echo 'OpenMPTCProuter Server key (you need OpenMPTCProuter >= 0.42):' echo $OMR_ADMIN_PASS + echo 'OpenMPTCProuter Server username (you need OpenMPTCProuter >= 0.42):' + echo 'openmptcprouter' echo '!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!' echo '====================================================================================' fi @@ -804,6 +806,7 @@ if [ "$update" = "0" ]; then cat >> /root/openmptcprouter_config.txt <<-EOF Your OpenMPTCProuter ADMIN API Server key: $OMR_ADMIN_PASS_ADMIN Your OpenMPTCProuter Server key: $OMR_ADMIN_PASS + Your OpenMPTCProuter Server username: openmptcprouter EOF fi else @@ -843,11 +846,14 @@ else if ! grep -q 'VPS Admin key' /root/openmptcprouter_config.txt ; then cat >> /root/openmptcprouter_config.txt <<-EOF Your OpenMPTCProuter Server key: $OMR_ADMIN_PASS + Your OpenMPTCProuter Server username: openmptcprouter EOF echo '====================================================================================' echo '!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!' echo 'OpenMPTCProuter Server key (you need OpenMPTCProuter >= 0.42):' echo $OMR_ADMIN_PASS + echo 'OpenMPTCProuter Server username (you need OpenMPTCProuter >= 0.42):' + echo 'openmptcprouter' echo '!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!' echo '====================================================================================' fi From 5ba8f5acb38f46066a3bfe9e8ed598474801a776 Mon Sep 17 00:00:00 2001 From: "Ycarus (Yannick Chabanois)" Date: Fri, 3 Jan 2020 12:03:29 +0100 Subject: [PATCH 04/13] Fix install script for openvpn and ubuntu --- debian9-x86_64.sh | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/debian9-x86_64.sh b/debian9-x86_64.sh index 48b03a5..157895b 100644 --- a/debian9-x86_64.sh +++ b/debian9-x86_64.sh @@ -474,6 +474,26 @@ if [ "$OPENVPN" = "yes" ]; then # cd /etc/openvpn/server # openvpn --genkey --secret static.key #fi + if [ "$ID" = "ubuntu" ] && [ "$VERSION_ID" = "18.04" ]; then + wget -O /tmp/EasyRSA-unix-v${EASYRSA_VERSION}.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v${EASYRSA_VERSION}.tgz + cd /tmp + tar xzvf EasyRSA-unix-v${EASYRSA_VERSION}.tgz + cd /tmp/EasyRSA-v${EASYRSA_VERSION} + mkdir -p /etc/openvpn/ca/pki/private /etc/openvpn/ca/pki/issued + ./easyrsa init-pki + ./easyrsa --batch build-ca nopass + EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full server nopass + EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "openmptcprouter" nopass + EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl + mv pki/ca.crt /etc/openvpn/ca/pki/ca.crt + mv pki/private/ca.key /etc/openvpn/ca/pki/private/ca.key + mv pki/issued/server.crt /etc/openvpn/ca/pki/issued/server.crt + mv pki/private/server.key /etc/openvpn/ca/pki/private/server.key + mv pki/crl.pem /etc/openvpn/ca/pki/crl.pem + mv pki/issued/openmptcprouter.crt /etc/openvpn/ca/pki/issued/openmptcprouter.crt + mv pki/private/openmptcprouter.key /etc/openvpn/ca/pki/private/openmptcprouter.key + fi + if [ -f "/etc/openvpn/server/server.crt" ]; then if [ ! -d /etc/openvpn/ca ]; then make-cadir /etc/openvpn/ca @@ -496,9 +516,13 @@ if [ "$OPENVPN" = "yes" ]; then ./easyrsa init-pki ./easyrsa --batch build-ca nopass EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full server nopass - EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "client" nopass + EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "openmptcprouter" nopass EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl fi + if [ ! -f "/etc/openvpn/ca/pki/issued/openmptcprouter.crt" ]; then + mv /etc/openvpn/ca/pki/issued/client.crt /etc/openvpn/ca/pki/issued/openmptcprouter.crt + mv /etc/openvpn/ca/pki/private/client.key /etc/openvpn/ca/pki/private/openmptcprouter.key + fi wget -O /etc/openvpn/tun0.conf https://www.openmptcprouter.com/${VPSPATH}/openvpn-tun0.conf wget -O /etc/openvpn/tun1.conf https://www.openmptcprouter.com/${VPSPATH}/openvpn-tun1.conf systemctl enable openvpn@tun0.service @@ -766,6 +790,10 @@ if [ "$update" = "0" ]; then if [ "$OMR_ADMIN" = "yes" ]; then echo 'OpenMPTCProuter API Admin key: ' echo $OMR_ADMIN_PASS_ADMIN + echo 'OpenMPTCProuter Server key: ' + echo $OMR_ADMIN_PASS + echo 'OpenMPTCProuter Server username: ' + echo 'openmptcprouter' fi if [ "$VPS_CERT" = "0" ]; then echo 'No working domain detected, not able to generate certificate for v2ray.' From 2976a51dd861b9238a211f4db45cab4766f846a7 Mon Sep 17 00:00:00 2001 From: "Ycarus (Yannick Chabanois)" Date: Fri, 3 Jan 2020 13:37:13 +0100 Subject: [PATCH 05/13] fix dh2048 creation on ubuntu --- debian9-x86_64.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/debian9-x86_64.sh b/debian9-x86_64.sh index 157895b..ac3933c 100644 --- a/debian9-x86_64.sh +++ b/debian9-x86_64.sh @@ -475,6 +475,7 @@ if [ "$OPENVPN" = "yes" ]; then # openvpn --genkey --secret static.key #fi if [ "$ID" = "ubuntu" ] && [ "$VERSION_ID" = "18.04" ]; then + openssl dhparam -out /etc/openvpn/server/dh2048.pem 2048 wget -O /tmp/EasyRSA-unix-v${EASYRSA_VERSION}.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v${EASYRSA_VERSION}.tgz cd /tmp tar xzvf EasyRSA-unix-v${EASYRSA_VERSION}.tgz From e55e23497d5fb8c581e8d1f4409836fbc6b925a9 Mon Sep 17 00:00:00 2001 From: "Ycarus (Yannick Chabanois)" Date: Sat, 4 Jan 2020 14:47:15 +0100 Subject: [PATCH 06/13] check if dh2048 exist else create it --- debian9-x86_64.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/debian9-x86_64.sh b/debian9-x86_64.sh index ac3933c..b1ac351 100644 --- a/debian9-x86_64.sh +++ b/debian9-x86_64.sh @@ -475,7 +475,6 @@ if [ "$OPENVPN" = "yes" ]; then # openvpn --genkey --secret static.key #fi if [ "$ID" = "ubuntu" ] && [ "$VERSION_ID" = "18.04" ]; then - openssl dhparam -out /etc/openvpn/server/dh2048.pem 2048 wget -O /tmp/EasyRSA-unix-v${EASYRSA_VERSION}.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v${EASYRSA_VERSION}.tgz cd /tmp tar xzvf EasyRSA-unix-v${EASYRSA_VERSION}.tgz @@ -509,7 +508,6 @@ if [ "$OPENVPN" = "yes" ]; then mv /etc/openvpn/client/client.key /etc/openvpn/ca/pki/private/openmptcprouter.key fi if [ ! -f "/etc/openvpn/ca/pki/issued/server.crt" ]; then - openssl dhparam -out /etc/openvpn/server/dh2048.pem 2048 if [ ! -d /etc/openvpn/ca ]; then make-cadir /etc/openvpn/ca fi @@ -524,6 +522,9 @@ if [ "$OPENVPN" = "yes" ]; then mv /etc/openvpn/ca/pki/issued/client.crt /etc/openvpn/ca/pki/issued/openmptcprouter.crt mv /etc/openvpn/ca/pki/private/client.key /etc/openvpn/ca/pki/private/openmptcprouter.key fi + if [ ! -f "/etc/openvpn/server/dh2048.pem" ]; then + openssl dhparam -out /etc/openvpn/server/dh2048.pem 2048 + fi wget -O /etc/openvpn/tun0.conf https://www.openmptcprouter.com/${VPSPATH}/openvpn-tun0.conf wget -O /etc/openvpn/tun1.conf https://www.openmptcprouter.com/${VPSPATH}/openvpn-tun1.conf systemctl enable openvpn@tun0.service From d8bdaf6608cddd405a74cd6ea7b67f2e20f066b1 Mon Sep 17 00:00:00 2001 From: "Ycarus (Yannick Chabanois)" Date: Sun, 5 Jan 2020 14:45:50 +0100 Subject: [PATCH 07/13] Update admin API script --- debian9-x86_64.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian9-x86_64.sh b/debian9-x86_64.sh index b1ac351..a6aff23 100644 --- a/debian9-x86_64.sh +++ b/debian9-x86_64.sh @@ -23,7 +23,7 @@ GLORYTUN_UDP_VERSION="b9aaab661fb879e891d34a91b5d2e78088fd9d9d" #MLVPN_VERSION="8f9720978b28c1954f9f229525333547283316d2" MLVPN_VERSION="f45cec350a6879b8b020143a78134a022b5df2a7" OBFS_VERSION="486bebd9208539058e57e23a12f23103016e09b4" -OMR_ADMIN_VERSION="6e819bc92915f8ce222107c951a384967c70247d" +OMR_ADMIN_VERSION="a86c245cca16ea56283a6fe60cb1ef88b6b800f7" DSVPN_VERSION="3b99d2ef6c02b2ef68b5784bec8adfdd55b29b1a" #V2RAY_VERSION="v1.1.0" V2RAY_VERSION="v1.2.0-2-g68e2207" From 18f854de53aa9cc51b28ccf1ed66d0fc7629a7b6 Mon Sep 17 00:00:00 2001 From: "Ycarus (Yannick Chabanois)" Date: Mon, 6 Jan 2020 12:45:41 +0100 Subject: [PATCH 08/13] Update omr-admin script --- debian9-x86_64.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian9-x86_64.sh b/debian9-x86_64.sh index a6aff23..1512031 100644 --- a/debian9-x86_64.sh +++ b/debian9-x86_64.sh @@ -23,7 +23,7 @@ GLORYTUN_UDP_VERSION="b9aaab661fb879e891d34a91b5d2e78088fd9d9d" #MLVPN_VERSION="8f9720978b28c1954f9f229525333547283316d2" MLVPN_VERSION="f45cec350a6879b8b020143a78134a022b5df2a7" OBFS_VERSION="486bebd9208539058e57e23a12f23103016e09b4" -OMR_ADMIN_VERSION="a86c245cca16ea56283a6fe60cb1ef88b6b800f7" +OMR_ADMIN_VERSION="2de76967faa74700d7a8c1cc8ce781a82796614f" DSVPN_VERSION="3b99d2ef6c02b2ef68b5784bec8adfdd55b29b1a" #V2RAY_VERSION="v1.1.0" V2RAY_VERSION="v1.2.0-2-g68e2207" From f46fd4d47a7dd6092844446c361de6cbe2c6a00a Mon Sep 17 00:00:00 2001 From: "Ycarus (Yannick Chabanois)" Date: Mon, 6 Jan 2020 21:19:46 +0100 Subject: [PATCH 09/13] Update omr-admin --- debian9-x86_64.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian9-x86_64.sh b/debian9-x86_64.sh index 1512031..d93053d 100644 --- a/debian9-x86_64.sh +++ b/debian9-x86_64.sh @@ -23,7 +23,7 @@ GLORYTUN_UDP_VERSION="b9aaab661fb879e891d34a91b5d2e78088fd9d9d" #MLVPN_VERSION="8f9720978b28c1954f9f229525333547283316d2" MLVPN_VERSION="f45cec350a6879b8b020143a78134a022b5df2a7" OBFS_VERSION="486bebd9208539058e57e23a12f23103016e09b4" -OMR_ADMIN_VERSION="2de76967faa74700d7a8c1cc8ce781a82796614f" +OMR_ADMIN_VERSION="f3b3a4dbe1cbd2d45ebb80d12ec365c56369ffea" DSVPN_VERSION="3b99d2ef6c02b2ef68b5784bec8adfdd55b29b1a" #V2RAY_VERSION="v1.1.0" V2RAY_VERSION="v1.2.0-2-g68e2207" From 3085b2e9a61b896b3f2a97a93a29a4ca87639bc6 Mon Sep 17 00:00:00 2001 From: "Ycarus (Yannick Chabanois)" Date: Tue, 7 Jan 2020 08:01:34 +0100 Subject: [PATCH 10/13] Check that update is not running --- debian9-x86_64.sh | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/debian9-x86_64.sh b/debian9-x86_64.sh index d93053d..5cf4169 100644 --- a/debian9-x86_64.sh +++ b/debian9-x86_64.sh @@ -39,8 +39,6 @@ umask 0022 export LC_ALL=C export PATH=$PATH:/sbin export DEBIAN_FRONTEND=noninteractive -rm -f /var/lib/dpkg/lock -rm -f /var/lib/dpkg/lock-frontend # Check Linux version if test -f /etc/os-release ; then @@ -59,6 +57,19 @@ elif [ "$ID" != "debian" ] && [ "$ID" != "ubuntu" ]; then exit 1 fi +# Check if DPKG is locked and for broken packages +dpkg -i /dev/zero 2>/dev/null +if [ "$?" -eq 2 ]; then + echo "E: dpkg database is locked. Check that an update is not running in background..." + exit 1 +fi +apt-get check >/dev/null 2>&1 +if [ "$?" -ne 0 ]; then + echo "E: \`apt-get check\` failed, you may have broken packages. Aborting..." + exit 1 +fi + + # Fix old string... if [ -f /etc/motd ] && grep --quiet 'OpenMPCTProuter VPS' /etc/motd ; then sed -i 's/OpenMPCTProuter/OpenMPTCProuter/g' /etc/motd From 11d8e11918237baead5b73369acd7709113daa6f Mon Sep 17 00:00:00 2001 From: "Ycarus (Yannick Chabanois)" Date: Thu, 9 Jan 2020 22:00:50 +0100 Subject: [PATCH 11/13] WIP: multi users VPN and FW --- debian9-x86_64.sh | 37 +++++++++++++++++++++---------------- glorytun-tcp@.service.in | 1 + glorytun-udp@.service.in | 1 + openvpn-tun0.conf | 8 +++++++- 4 files changed, 30 insertions(+), 17 deletions(-) diff --git a/debian9-x86_64.sh b/debian9-x86_64.sh index 5cf4169..27db2d6 100644 --- a/debian9-x86_64.sh +++ b/debian9-x86_64.sh @@ -251,24 +251,24 @@ if ! grep -q mctcp_desync /etc/modules ; then echo mctcp_desync >> /etc/modules fi # Load ndiffports module at boot time -if ! grep -q mctcp_ndiffports /etc/modules ; then - echo mctcp_ndiffports >> /etc/modules +if ! grep -q mptcp_ndiffports /etc/modules ; then + echo mptcp_ndiffports >> /etc/modules fi # Load redundant module at boot time -if ! grep -q mctcp_redundant /etc/modules ; then - echo mctcp_redundant >> /etc/modules +if ! grep -q mptcp_redundant /etc/modules ; then + echo mptcp_redundant >> /etc/modules fi # Load rr module at boot time -if ! grep -q mctcp_rr /etc/modules ; then - echo mctcp_rr >> /etc/modules +if ! grep -q mptcp_rr /etc/modules ; then + echo mptcp_rr >> /etc/modules fi # Load mctcp ECF scheduler at boot time -if ! grep -q mctcp_ecf /etc/modules ; then - echo mctcp_ecf >> /etc/modules +if ! grep -q mptcp_ecf /etc/modules ; then + echo mptcp_ecf >> /etc/modules fi # Load mctcp BLEST scheduler at boot time -if ! grep -q mctcp_blest /etc/modules ; then - echo mctcp_blest >> /etc/modules +if ! grep -q mptcp_blest /etc/modules ; then + echo mptcp_blest >> /etc/modules fi if systemctl -q is-active omr-admin.service; then @@ -494,7 +494,7 @@ if [ "$OPENVPN" = "yes" ]; then ./easyrsa init-pki ./easyrsa --batch build-ca nopass EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full server nopass - EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "openmptcprouter" nopass + EASYRSA_CERT_EXPIRE=3650 EASYRSA_REQ_CN=openmptcprouter ./easyrsa build-client-full "openmptcprouter" nopass EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl mv pki/ca.crt /etc/openvpn/ca/pki/ca.crt mv pki/private/ca.key /etc/openvpn/ca/pki/private/ca.key @@ -538,6 +538,7 @@ if [ "$OPENVPN" = "yes" ]; then fi wget -O /etc/openvpn/tun0.conf https://www.openmptcprouter.com/${VPSPATH}/openvpn-tun0.conf wget -O /etc/openvpn/tun1.conf https://www.openmptcprouter.com/${VPSPATH}/openvpn-tun1.conf + mkdir -p /etc/openvpn/ccd systemctl enable openvpn@tun0.service systemctl enable openvpn@tun1.service fi @@ -564,8 +565,10 @@ rm /lib/systemd/network/glorytun* wget -O /usr/local/bin/glorytun-udp-run https://www.openmptcprouter.com/${VPSPATH}/glorytun-udp-run chmod 755 /usr/local/bin/glorytun-udp-run wget -O /lib/systemd/system/glorytun-udp@.service https://www.openmptcprouter.com/${VPSPATH}/glorytun-udp%40.service.in -wget -O /lib/systemd/network/glorytun-udp.network https://www.openmptcprouter.com/${VPSPATH}/glorytun-udp.network +#wget -O /lib/systemd/network/glorytun-udp.network https://www.openmptcprouter.com/${VPSPATH}/glorytun-udp.network +rm -f /lib/systemd/network/glorytun-udp.network mkdir -p /etc/glorytun-udp +wget -O /etc/glorytun-udp/post.sh https://www.openmptcprouter.com/${VPSPATH}/glorytun-udp-post.sh wget -O /etc/glorytun-udp/tun0 https://www.openmptcprouter.com/${VPSPATH}/tun0.glorytun-udp if [ "$update" = "0" ] || [ ! -f /etc/glorytun-udp/tun0.key ]; then echo "$GLORYTUN_PASS" > /etc/glorytun-udp/tun0.key @@ -638,8 +641,10 @@ cp glorytun /usr/local/bin/glorytun-tcp wget -O /usr/local/bin/glorytun-tcp-run https://www.openmptcprouter.com/${VPSPATH}/glorytun-tcp-run chmod 755 /usr/local/bin/glorytun-tcp-run wget -O /lib/systemd/system/glorytun-tcp@.service https://www.openmptcprouter.com/${VPSPATH}/glorytun-tcp%40.service.in -wget -O /lib/systemd/network/glorytun-tcp.network https://www.openmptcprouter.com/${VPSPATH}/glorytun.network +#wget -O /lib/systemd/network/glorytun-tcp.network https://www.openmptcprouter.com/${VPSPATH}/glorytun.network +rm -f /lib/systemd/network/glorytun-tcp.network mkdir -p /etc/glorytun-tcp +wget -O /etc/glorytun-tcp/post.sh https://www.openmptcprouter.com/${VPSPATH}/glorytun-tcp-post.sh wget -O /etc/glorytun-tcp/tun0 https://www.openmptcprouter.com/${VPSPATH}/tun0.glorytun if [ "$update" = "0" ]; then echo "$GLORYTUN_PASS" > /etc/glorytun-tcp/tun0.key @@ -801,7 +806,7 @@ if [ "$update" = "0" ]; then echo $MLVPN_PASS fi if [ "$OMR_ADMIN" = "yes" ]; then - echo 'OpenMPTCProuter API Admin key: ' + echo "OpenMPTCProuter API Admin key (only for configuration via API, you don't need it): " echo $OMR_ADMIN_PASS_ADMIN echo 'OpenMPTCProuter Server key: ' echo $OMR_ADMIN_PASS @@ -845,7 +850,7 @@ if [ "$update" = "0" ]; then fi if [ "$OMR_ADMIN" = "yes" ]; then cat >> /root/openmptcprouter_config.txt <<-EOF - Your OpenMPTCProuter ADMIN API Server key: $OMR_ADMIN_PASS_ADMIN + Your OpenMPTCProuter ADMIN API Server key (only for configuration via API access, you don't need it): $OMR_ADMIN_PASS_ADMIN Your OpenMPTCProuter Server key: $OMR_ADMIN_PASS Your OpenMPTCProuter Server username: openmptcprouter EOF @@ -884,7 +889,7 @@ else echo 'Restarting OpenMPTCProuter VPS admin' systemctl -q restart omr-admin echo 'done' - if ! grep -q 'VPS Admin key' /root/openmptcprouter_config.txt ; then + if ! grep -q 'Server key' /root/openmptcprouter_config.txt ; then cat >> /root/openmptcprouter_config.txt <<-EOF Your OpenMPTCProuter Server key: $OMR_ADMIN_PASS Your OpenMPTCProuter Server username: openmptcprouter diff --git a/glorytun-tcp@.service.in b/glorytun-tcp@.service.in index 1d9eaa5..af16739 100644 --- a/glorytun-tcp@.service.in +++ b/glorytun-tcp@.service.in @@ -6,6 +6,7 @@ After=network.target network-online.target Type=simple Restart=always ExecStart=/usr/local/bin/glorytun-tcp-run /etc/glorytun-tcp/%i +ExecStartPost=-/etc/glorytun-tcp/post.sh %i CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW [Install] diff --git a/glorytun-udp@.service.in b/glorytun-udp@.service.in index 3a38fa2..de534f0 100644 --- a/glorytun-udp@.service.in +++ b/glorytun-udp@.service.in @@ -7,6 +7,7 @@ Type=simple Restart=always EnvironmentFile=/etc/glorytun-udp/%i ExecStart=/usr/local/bin/glorytun-udp-run /etc/glorytun-udp/%i +ExecStartPost=-/etc/glorytun-udp/post.sh %i CapabilityBoundingSet=CAP_NET_ADMIN [Install] diff --git a/openvpn-tun0.conf b/openvpn-tun0.conf index 2b64eda..fdafd80 100644 --- a/openvpn-tun0.conf +++ b/openvpn-tun0.conf @@ -1,4 +1,6 @@ dev tun0 +user nobody +group nogroup cipher AES-256-CBC proto tcp port 65301 @@ -14,4 +16,8 @@ dh /etc/openvpn/server/dh2048.pem crl-verify /etc/openvpn/ca/pki/crl.pem keepalive 10 120 sndbuf 0 -rcvbuf 0 \ No newline at end of file +rcvbuf 0 +tls-server +tls-version-min 1.2 +compress lzo +push "route 10.255.252.1 255.255.255.255" \ No newline at end of file From 33a9f4fd2199487d0ff794872e78664b2c25fb6b Mon Sep 17 00:00:00 2001 From: "Ycarus (Yannick Chabanois)" Date: Thu, 9 Jan 2020 22:21:27 +0100 Subject: [PATCH 12/13] Update OMR server API --- debian9-x86_64.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian9-x86_64.sh b/debian9-x86_64.sh index 27db2d6..bb02845 100644 --- a/debian9-x86_64.sh +++ b/debian9-x86_64.sh @@ -23,7 +23,7 @@ GLORYTUN_UDP_VERSION="b9aaab661fb879e891d34a91b5d2e78088fd9d9d" #MLVPN_VERSION="8f9720978b28c1954f9f229525333547283316d2" MLVPN_VERSION="f45cec350a6879b8b020143a78134a022b5df2a7" OBFS_VERSION="486bebd9208539058e57e23a12f23103016e09b4" -OMR_ADMIN_VERSION="f3b3a4dbe1cbd2d45ebb80d12ec365c56369ffea" +OMR_ADMIN_VERSION="196557de165ee29bd23986f66eed2e6072af3f5c" DSVPN_VERSION="3b99d2ef6c02b2ef68b5784bec8adfdd55b29b1a" #V2RAY_VERSION="v1.1.0" V2RAY_VERSION="v1.2.0-2-g68e2207" From 4c588eb74d6035d2a7ae817dc46168bb8540d6b1 Mon Sep 17 00:00:00 2001 From: "Ycarus (Yannick Chabanois)" Date: Sat, 8 Feb 2020 19:46:57 +0100 Subject: [PATCH 13/13] Latest changes to VPS script --- debian9-x86_64.sh | 74 +++++++++++++++++++++++++++------------- glorytun-tcp@.service.in | 2 +- glorytun-udp@.service.in | 2 +- omr-service | 4 +-- openvpn-tun0.conf | 3 +- shorewall4/interfaces | 11 +++--- shorewall4/policy | 3 +- shorewall4/stoppedrules | 22 ++++++------ shorewall6/interfaces | 4 +-- shorewall6/params | 3 +- shorewall6/params.vpn | 0 11 files changed, 77 insertions(+), 51 deletions(-) create mode 100644 shorewall6/params.vpn diff --git a/debian9-x86_64.sh b/debian9-x86_64.sh index bb02845..8e23067 100644 --- a/debian9-x86_64.sh +++ b/debian9-x86_64.sh @@ -19,14 +19,14 @@ INTERFACE=${INTERFACE:-$(ip -o -4 route show to default | grep -m 1 -Po '(?<=dev KERNEL_VERSION="4.19.80" KERNEL_PACKAGE_VERSION="1.6+c62d9f6" KERNEL_RELEASE="${KERNEL_VERSION}-mptcp_${KERNEL_PACKAGE_VERSION}" -GLORYTUN_UDP_VERSION="b9aaab661fb879e891d34a91b5d2e78088fd9d9d" +GLORYTUN_UDP_VERSION="7f30cdc5ee2e89f0008144ad71f4c0bd4215a0f4" #MLVPN_VERSION="8f9720978b28c1954f9f229525333547283316d2" MLVPN_VERSION="f45cec350a6879b8b020143a78134a022b5df2a7" OBFS_VERSION="486bebd9208539058e57e23a12f23103016e09b4" -OMR_ADMIN_VERSION="196557de165ee29bd23986f66eed2e6072af3f5c" +OMR_ADMIN_VERSION="60a72b11bedb94ccc03da58d8c418642c0230402" DSVPN_VERSION="3b99d2ef6c02b2ef68b5784bec8adfdd55b29b1a" #V2RAY_VERSION="v1.1.0" -V2RAY_VERSION="v1.2.0-2-g68e2207" +V2RAY_VERSION="v1.2.0-8-g59b8f4f" EASYRSA_VERSION="3.0.6" SHADOWSOCKS_VERSION="3.3.3" VPS_DOMAIN=${VPS_DOMAIN:-$(wget -4 -qO- -T 2 http://hostname.openmptcprouter.com)} @@ -58,11 +58,11 @@ elif [ "$ID" != "debian" ] && [ "$ID" != "ubuntu" ]; then fi # Check if DPKG is locked and for broken packages -dpkg -i /dev/zero 2>/dev/null -if [ "$?" -eq 2 ]; then - echo "E: dpkg database is locked. Check that an update is not running in background..." - exit 1 -fi +#dpkg -i /dev/zero 2>/dev/null +#if [ "$?" -eq 2 ]; then +# echo "E: dpkg database is locked. Check that an update is not running in background..." +# exit 1 +#fi apt-get check >/dev/null 2>&1 if [ "$?" -ne 0 ]; then echo "E: \`apt-get check\` failed, you may have broken packages. Aborting..." @@ -173,6 +173,8 @@ wget https://github.com/Ysurac/shadowsocks-libev/commit/31b93ac2b054bc3f68ea0156 patch -p1 < 31b93ac2b054bc3f68ea01569649e6882d72218e.patch wget https://github.com/Ysurac/shadowsocks-libev/commit/2e52734b3bf176966e78e77cf080a1e8c6b2b570.patch patch -p1 < 2e52734b3bf176966e78e77cf080a1e8c6b2b570.patch +wget https://github.com/Ysurac/shadowsocks-libev/commit/dd1baa91e975a69508f9ad67d75d72624c773d24.patch +patch -p1 < dd1baa91e975a69508f9ad67d75d72624c773d24.patch # Shadowsocks eBPF support #wget https://raw.githubusercontent.com/Ysurac/openmptcprouter-feeds/master/shadowsocks-libev/patches/030-eBPF.patch #patch -p1 < 030-eBPF.patch @@ -306,10 +308,11 @@ if [ "$OMR_ADMIN" = "yes" ]; then fi #apt-get -y install unzip gunicorn python3-flask-restful python3-openssl python3-pip python3-setuptools python3-wheel #apt-get -y install unzip python3-openssl python3-pip python3-setuptools python3-wheel + apt-get -y install python3-passlib python3-jwt python3-netaddr echo '-- pip3 install needed python modules' - #pip3 -q install flask-jwt-simple netjsonconfig - pip3 install pyjwt passlib uvicorn fastapi netjsonconfig python-multipart - mkdir -p /etc/openmptcprouter-vps-admin + #pip3 install pyjwt passlib uvicorn fastapi netjsonconfig python-multipart netaddr + pip3 install fastapi netjsonconfig python-multipart uvicorn + mkdir -p /etc/openmptcprouter-vps-admin/omr-6in4 mkdir -p /var/opt/openmptcprouter wget -O /lib/systemd/system/omr-admin.service https://www.openmptcprouter.com/${VPSPATH}/omr-admin.service.in wget -O /tmp/openmptcprouter-vps-admin.zip https://github.com/Ysurac/openmptcprouter-vps-admin/archive/${OMR_ADMIN_VERSION}.zip @@ -318,8 +321,11 @@ if [ "$OMR_ADMIN" = "yes" ]; then if [ -f /usr/local/bin/omr-admin.py ]; then apt-get -y install jq cp /tmp/openmptcprouter-vps-admin-${OMR_ADMIN_VERSION}/omr-admin.py /usr/local/bin/ - OMR_ADMIN_PASS=$(grep -Po '"'"pass"'"\s*:\s*"\K([^"]*)' /etc/openmptcprouter-vps-admin/omr-admin-config.json | tr -d "\n") - [ -z "$OMR_ADMIN_PASS" ] && OMR_ADMIN_PASS=$(cat /etc/openmptcprouter-vps-admin/omr-admin-config.json | jq -r .users[0].openmptcprouter.user_password | tr -d "\n") + OMR_ADMIN_PASS2=$(grep -Po '"'"pass"'"\s*:\s*"\K([^"]*)' /etc/openmptcprouter-vps-admin/omr-admin-config.json | tr -d "\n") + [ -z "$OMR_ADMIN_PASS2" ] && OMR_ADMIN_PASS2=$(cat /etc/openmptcprouter-vps-admin/omr-admin-config.json | jq -r .users[0].openmptcprouter.user_password | tr -d "\n") + [ -n "$OMR_ADMIN_PASS2" ] && OMR_ADMIN_PASS=$OMR_ADMIN_PASS2 + OMR_ADMIN_PASS_ADMIN2=$(cat /etc/openmptcprouter-vps-admin/omr-admin-config.json | jq -r .users[0].admin.user_password | tr -d "\n") + [ -n "$OMR_ADMIN_PASS_ADMIN2" ] && OMR_ADMIN_PASS_ADMIN=$OMR_ADMIN_PASS_ADMIN2 else cp /tmp/openmptcprouter-vps-admin-${OMR_ADMIN_VERSION}/omr-admin-config.json /etc/openmptcprouter-vps-admin/ cp /tmp/openmptcprouter-vps-admin-${OMR_ADMIN_VERSION}/omr-admin.py /usr/local/bin/ @@ -350,8 +356,14 @@ if [ "$update" = "0" ] || [ ! -f /etc/shadowsocks-libev/manager.json ]; then #wget -O /etc/shadowsocks-libev/config.json https://www.openmptcprouter.com/${VPSPATH}/config.json wget -O /etc/shadowsocks-libev/manager.json https://www.openmptcprouter.com/${VPSPATH}/manager.json SHADOWSOCKS_PASS_JSON=$(echo $SHADOWSOCKS_PASS | sed 's/+/-/g; s/\//_/g;') + if [ $NBCPU -gt 1 ]; then + for i in $NBCPU; do + sed -i '0,/65101/ s/ "65101.*/&\n&/' manager.json + done + fi #sed -i "s:MySecretKey:$SHADOWSOCKS_PASS_JSON:g" /etc/shadowsocks-libev/config.json sed -i "s:MySecretKey:$SHADOWSOCKS_PASS_JSON:g" /etc/shadowsocks-libev/manager.json + [ "$(ip -6 a)" = "" ] && sed -i '/"\[::0\]"/d' /etc/shadowsocks-libev/manager.json fi [ ! -f /etc/shadowsocks-libev/local.acl ] && touch /etc/shadowsocks-libev/local.acl #sed -i 's:aes-256-cfb:chacha20:g' /etc/shadowsocks-libev/config.json @@ -569,6 +581,7 @@ wget -O /lib/systemd/system/glorytun-udp@.service https://www.openmptcprouter.co rm -f /lib/systemd/network/glorytun-udp.network mkdir -p /etc/glorytun-udp wget -O /etc/glorytun-udp/post.sh https://www.openmptcprouter.com/${VPSPATH}/glorytun-udp-post.sh +chmod 755 /etc/glorytun-udp/post.sh wget -O /etc/glorytun-udp/tun0 https://www.openmptcprouter.com/${VPSPATH}/tun0.glorytun-udp if [ "$update" = "0" ] || [ ! -f /etc/glorytun-udp/tun0.key ]; then echo "$GLORYTUN_PASS" > /etc/glorytun-udp/tun0.key @@ -588,6 +601,7 @@ if [ "$DSVPN" = "yes" ]; then echo 'A Dead Simple VPN' # Install A Dead Simple VPN if systemctl -q is-active dsvpn-server.service; then + systemctl -q disable dsvpn-server > /dev/null 2>&1 systemctl -q stop dsvpn-server > /dev/null 2>&1 fi rm -f /var/lib/dpkg/lock @@ -603,12 +617,19 @@ if [ "$DSVPN" = "yes" ]; then make CFLAGS='-DNO_DEFAULT_ROUTES -DNO_DEFAULT_FIREWALL' make install rm -f /lib/systemd/system/dsvpn/* - wget -O /lib/systemd/system/dsvpn-server.service https://www.openmptcprouter.com/${VPSPATH}/dsvpn-server.service.in + #wget -O /lib/systemd/system/dsvpn-server.service https://www.openmptcprouter.com/${VPSPATH}/dsvpn-server.service.in + wget -O /usr/local/bin/dsvpn-run https://www.openmptcprouter.com/${VPSPATH}/dsvpn-run + chmod 755 /usr/local/bin/dsvpn-run + wget -O /lib/systemd/system/dsvpn-server@.service https://www.openmptcprouter.com/${VPSPATH}/dsvpn-server%40.service.in mkdir -p /etc/dsvpn - if [ "$update" = "0" ] || [ ! -f /etc/dsvpn/dsvpn.key ]; then - echo "$DSVPN_PASS" > /etc/dsvpn/dsvpn.key + wget -O /etc/dsvpn/dsvpn0 https://www.openmptcprouter.com/${VPSPATH}/dsvpn0-config + if [ -f /etc/dsvpn/dsvpn.key ]; then + mv /etc/dsvpn/dsvpn.key /etc/dsvpn/dsvpn0.key fi - systemctl enable dsvpn-server.service + if [ "$update" = "0" ] || [ ! -f /etc/dsvpn/dsvpn0.key ]; then + echo "$DSVPN_PASS" > /etc/dsvpn/dsvpn0.key + fi + systemctl enable dsvpn-server@dsvpn0.service cd /tmp rm -rf /tmp/dsvpn fi @@ -645,6 +666,7 @@ wget -O /lib/systemd/system/glorytun-tcp@.service https://www.openmptcprouter.co rm -f /lib/systemd/network/glorytun-tcp.network mkdir -p /etc/glorytun-tcp wget -O /etc/glorytun-tcp/post.sh https://www.openmptcprouter.com/${VPSPATH}/glorytun-tcp-post.sh +chmod 755 /etc/glorytun-tcp/post.sh wget -O /etc/glorytun-tcp/tun0 https://www.openmptcprouter.com/${VPSPATH}/tun0.glorytun if [ "$update" = "0" ]; then echo "$GLORYTUN_PASS" > /etc/glorytun-tcp/tun0.key @@ -664,14 +686,17 @@ wget -O /usr/local/bin/multipath https://www.openmptcprouter.com/${VPSPATH}/mult chmod 755 /usr/local/bin/multipath # Add OpenMPTCProuter service -wget -O /usr/local/bin/omr-service https://www.openmptcprouter.com/${VPSPATH}/omr-service -chmod 755 /usr/local/bin/omr-service -wget -O /lib/systemd/system/omr.service https://www.openmptcprouter.com/${VPSPATH}/omr.service.in +#wget -O /usr/local/bin/omr-service https://www.openmptcprouter.com/${VPSPATH}/omr-service +#chmod 755 /usr/local/bin/omr-service +#wget -O /lib/systemd/system/omr.service https://www.openmptcprouter.com/${VPSPATH}/omr.service.in +wget -O /usr/local/bin/omr-6in4-run https://www.openmptcprouter.com/${VPSPATH}/omr-6in4-run +chmod 755 /usr/local/bin/omr-6in4-run +wget -O /lib/systemd/system/omr6in4@.service https://www.openmptcprouter.com/${VPSPATH}/omr6in4%40.service.in if systemctl -q is-active omr-6in4.service; then systemctl -q stop omr-6in4 > /dev/null 2>&1 systemctl -q disable omr-6in4 > /dev/null 2>&1 fi -systemctl enable omr.service +#systemctl enable omr.service # Change SSH port to 65222 sed -i 's:#Port 22:Port 65222:g' /etc/ssh/sshd_config @@ -703,6 +728,7 @@ else wget -O /etc/shorewall/stoppedrules https://www.openmptcprouter.com/${VPSPATH}/shorewall4/stoppedrules wget -O /etc/shorewall/tcinterfaces https://www.openmptcprouter.com/${VPSPATH}/shorewall4/tcinterfaces wget -O /etc/shorewall/shorewall.conf https://www.openmptcprouter.com/${VPSPATH}/shorewall4/shorewall.conf + wget -O /etc/shorewall/policy https://www.openmptcprouter.com/${VPSPATH}/shorewall4/policy wget -O /etc/shorewall/params https://www.openmptcprouter.com/${VPSPATH}/shorewall4/params wget -O /etc/shorewall/params.vpn https://www.openmptcprouter.com/${VPSPATH}/shorewall4/params.vpn wget -O /etc/shorewall/params.net https://www.openmptcprouter.com/${VPSPATH}/shorewall4/params.net @@ -871,7 +897,7 @@ else fi if [ "$DSVPN" = "yes" ]; then echo 'Restarting dsvpn...' - systemctl -q start dsvpn-server + systemctl -q start dsvpn-server@dsvpn0 echo 'done' fi echo 'Restarting glorytun and omr...' @@ -896,9 +922,9 @@ else EOF echo '====================================================================================' echo '!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!' - echo 'OpenMPTCProuter Server key (you need OpenMPTCProuter >= 0.42):' + echo 'OpenMPTCProuter Server key:' echo $OMR_ADMIN_PASS - echo 'OpenMPTCProuter Server username (you need OpenMPTCProuter >= 0.42):' + echo 'OpenMPTCProuter Server username:' echo 'openmptcprouter' echo '!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!' echo '====================================================================================' diff --git a/glorytun-tcp@.service.in b/glorytun-tcp@.service.in index af16739..5fdc62b 100644 --- a/glorytun-tcp@.service.in +++ b/glorytun-tcp@.service.in @@ -6,7 +6,7 @@ After=network.target network-online.target Type=simple Restart=always ExecStart=/usr/local/bin/glorytun-tcp-run /etc/glorytun-tcp/%i -ExecStartPost=-/etc/glorytun-tcp/post.sh %i +ExecStartPost=-/etc/glorytun-tcp/post.sh /etc/glorytun-tcp/%i CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW [Install] diff --git a/glorytun-udp@.service.in b/glorytun-udp@.service.in index de534f0..8d1314f 100644 --- a/glorytun-udp@.service.in +++ b/glorytun-udp@.service.in @@ -7,7 +7,7 @@ Type=simple Restart=always EnvironmentFile=/etc/glorytun-udp/%i ExecStart=/usr/local/bin/glorytun-udp-run /etc/glorytun-udp/%i -ExecStartPost=-/etc/glorytun-udp/post.sh %i +ExecStartPost=-/etc/glorytun-udp/post.sh /etc/glorytun-udp/%i CapabilityBoundingSet=CAP_NET_ADMIN [Install] diff --git a/omr-service b/omr-service index 704d3c4..4320f55 100755 --- a/omr-service +++ b/omr-service @@ -26,7 +26,7 @@ if [ "$(ip link show omr-6in4 up 2>/dev/null)" ]; then ip tunnel change omr-6in4 mode sit remote 10.255.255.2 local 10.255.255.1 else ip tunnel add omr-6in4 mode sit remote 10.255.255.2 local 10.255.255.1 - ip addr add fe80::a00:1/64 dev omr-6in4 >/dev/null 2>&1 + ip addr add fe80::a00:1/126 dev omr-6in4 >/dev/null 2>&1 fi ip link set omr-6in4 up ip route replace fd00::/8 via fe80::a00:2 dev omr-6in4 @@ -99,7 +99,7 @@ $allip_mlvpn" ip tunnel change omr-6in4 mode sit remote $ipd local $ip echo "VPS_ADDR=$ip" > /etc/shorewall/params.vpn echo "OMR_ADDR=$ipd" >> /etc/shorewall/params.vpn - iface=$(ip -4 addr | grep $ip | awk '{print $7}' | tr -d "\n") + iface=$(ip -4 addr | grep $ip/ | awk '{print $7}' | tr -d "\n") echo "VPS_IFACE=$iface" >> /etc/shorewall/params.vpn systemctl reload shorewall _multipath diff --git a/openvpn-tun0.conf b/openvpn-tun0.conf index fdafd80..c95e3b4 100644 --- a/openvpn-tun0.conf +++ b/openvpn-tun0.conf @@ -20,4 +20,5 @@ rcvbuf 0 tls-server tls-version-min 1.2 compress lzo -push "route 10.255.252.1 255.255.255.255" \ No newline at end of file +push "route 10.255.252.1 255.255.255.255" +client-config-dir ccd diff --git a/shorewall4/interfaces b/shorewall4/interfaces index 388d4d4..09e61b0 100644 --- a/shorewall4/interfaces +++ b/shorewall4/interfaces @@ -15,10 +15,9 @@ ############################################################################### #ZONE INTERFACE OPTIONS net $NET_IFACE dhcp,tcpflags,routefilter,nosmurfs,sourceroute=0 -vpn gt-tun0 nosmurfs,routefilter,tcpflags -vpn gt-udp-tun0 nosmurfs,routefilter,tcpflags -vpn mlvpn0 nosmurfs,routefilter,tcpflags -vpn tun0 nosmurfs,routefilter,tcpflags -vpn tun1 nosmurfs,routefilter,tcpflags -vpn dsvpn0 nosmurfs,routefilter,tcpflags +vpn gt-tun+ nosmurfs,routefilter,tcpflags +vpn gt-udp-tun+ nosmurfs,routefilter,tcpflags +vpn mlvpn+ nosmurfs,routefilter,tcpflags +vpn tun+ nosmurfs,routefilter,tcpflags +vpn dsvpn+ nosmurfs,routefilter,tcpflags diff --git a/shorewall4/policy b/shorewall4/policy index 7d12fd2..59142ff 100644 --- a/shorewall4/policy +++ b/shorewall4/policy @@ -18,6 +18,7 @@ vpn fw ACCEPT fw vpn ACCEPT fw net ACCEPT net all DROP info +vpn vpn DROP # THE FOLLOWING POLICY MUST BE LAST -all all REJECT info +all all REJECT info diff --git a/shorewall4/stoppedrules b/shorewall4/stoppedrules index 9ef4d10..aa5bfd5 100644 --- a/shorewall4/stoppedrules +++ b/shorewall4/stoppedrules @@ -13,16 +13,14 @@ ############################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE # PORT(S) PORT(S) -ACCEPT gt-tun0 - -ACCEPT - gt-tun0 -ACCEPT gt-udp-tun0 - -ACCEPT - gt-udp-tun0 -ACCEPT mlvpn0 - -ACCEPT - mlvpn0 -ACCEPT dsvpn0 - -ACCEPT - dsvpn0 -ACCEPT tun0 - -ACCEPT - tun0 -ACCEPT tun1 - -ACCEPT - tun1 +ACCEPT gt-tun+ - +ACCEPT - gt-tun+ +ACCEPT gt-udp-tun+ - +ACCEPT - gt-udp-tun+ +ACCEPT mlvpn+ - +ACCEPT - mlvpn+ +ACCEPT dsvpn+ - +ACCEPT - dsvpn+ +ACCEPT tun+ - +ACCEPT - tun+ diff --git a/shorewall6/interfaces b/shorewall6/interfaces index 3894002..8109c26 100644 --- a/shorewall6/interfaces +++ b/shorewall6/interfaces @@ -14,6 +14,6 @@ ?FORMAT 2 ############################################################################### #ZONE INTERFACE OPTIONS -net $NET_IFACE dhcp,tcpflags,rpfilter,forward=1 -vpn omr-6in4 tcpflags,forward=1 +net $NET_IFACE dhcp,tcpflags,rpfilter,forward=1,routeback +vpn omr-6in4 tcpflags,forward=1,routeback diff --git a/shorewall6/params b/shorewall6/params index 112eb98..1249080 100644 --- a/shorewall6/params +++ b/shorewall6/params @@ -21,4 +21,5 @@ # net eth0 - dhcp,nosmurfs # ############################################################################### -INCLUDE params.net \ No newline at end of file +INCLUDE params.net +INCLUDE params.vpn diff --git a/shorewall6/params.vpn b/shorewall6/params.vpn new file mode 100644 index 0000000..e69de29