From 55433c52e4df0acc0fd8cc9f248071b7f2609704 Mon Sep 17 00:00:00 2001
From: "Ycarus (Yannick Chabanois)"
Date: Mon, 11 Jun 2018 14:53:08 +0000
Subject: [PATCH] Add MLVPN support, change glorytun network

---
 debian9-x86_64-mlvpn.sh | 127 ++++++++++++++++++++++++++++++++++++++++
 debian9-x86_64.sh | 32 ++++++----
 glorytun-udp.network | 2 +-
 glorytun.network | 8 +--
 mlvpn.network | 17 ++++++
 mlvpn0.conf | 41 +++++++++++++
 omr-6in4-service | 12 +++-
 shorewall4/interfaces | 1 +
 shorewall4/params | 1 +
 shorewall4/params.vpn | 2 +
 shorewall4/rules | 11 +---
 shorewall4/snat | 3 +-
 shorewall4/stoppedrules | 2 +
 13 files changed, 231 insertions(+), 28 deletions(-)
 create mode 100644 debian9-x86_64-mlvpn.sh
 create mode 100644 mlvpn.network
 create mode 100644 mlvpn0.conf
 create mode 100644 shorewall4/params.vpn

diff --git a/debian9-x86_64-mlvpn.sh b/debian9-x86_64-mlvpn.sh
new file mode 100644
index 0000000..cb879e9
--- /dev/null
+++ b/debian9-x86_64-mlvpn.sh
@@ -0,0 +1,127 @@
+#!/bin/sh
+MLVPN_PASS=${MLVPN_PASS:-$(head -c 32 /dev/urandom | base64 -w0)}
+INTERFACE=${INTERFACE:-$(ip -o -4 route show to default | awk '{print $5}' | tr -d "\n")}
+DEBIAN_VERSION=$(sed 's/\..*//' /etc/debian_version)
+
+set -e
+umask 0022
+update="0"
+if [ $DEBIAN_VERSION -ne 9 ]; then
+ echo "This script only work with Debian Stretch (9.x)"
+ exit 1
+fi
+
+if [ -f "/etc/mlvpn/mlvpn0.conf" ] ; then
+ update="1"
+fi
+if ! grep -q 'DefaultLimitNOFILE=65536' /etc/systemd/system.conf ; then
+ echo 'DefaultLimitNOFILE=65536' >> /etc/systemd/system.conf
+fi
+
+# Install MLVPN
+if systemctl -q is-active mlvpn@mlvpn0.service; then
+ systemctl -q stop mlvpn@mlvpn0 > /dev/null 2>&1
+fi
+apt-get -y install build-essential pkg-config autoconf automake
+cd /tmp
+wget -O /tmp/mlvpn-2.3.2.tar.gz https://github.com/zehome/MLVPN/archive/2.3.2.tar.gz
+cd /tmp
+tar xzf mlvpn-2.3.2.tar.gz
+cd MLVPN-2.3.2
+./autogen.sh
+./configure
+make
+make install
+wget -O /lib/systemd/network/mlvpn.network http://www.openmptcprouter.com/server/mlvpn.network
+mkdir -p /etc/mlvpn
+if [ "$update" = "0" ]; then
+ wget -O /etc/mlvpn/mlvpn0.conf http://www.openmptcprouter.com/server/mlvpn0.conf
+ sed -i "s:MLVPN_PASS:$MLVPN_PASS:" /etc/mlvpn/mlvpn0.conf
+fi
+systemctl enable mlvpn@mlvpn0.service
+systemctl enable systemd-networkd.service
+cd /tmp
+rm -r /tmp/MLVPN-2.3.2
+
+# Add 6in4 support
+wget -O /usr/local/bin/omr-6in4 http://www.openmptcprouter.com/server/omr-6in4
+chmod 755 /usr/local/bin/omr-6in4
+wget -O /usr/local/bin/omr-6in4-service http://www.openmptcprouter.com/server/omr-6in4-service
+chmod 755 /usr/local/bin/omr-6in4-service
+wget -O /lib/systemd/system/omr-6in4.service http://www.openmptcprouter.com/server/omr-6in4.service.in
+systemctl enable omr-6in4.service
+
+# Change SSH port to 65222
+sed -i 's:#Port 22:Port 65222:g' /etc/ssh/sshd_config
+sed -i 's:Port 22:Port 65222:g' /etc/ssh/sshd_config
+
+# Remove Bind9 if available
+#systemctl -q disable bind9
+
+# Remove fail2ban if available
+#systemctl -q disable fail2ban
+
+if [ "$update" = "0" ]; then
+ # Install and configure the firewall using shorewall
+ apt-get -y install shorewall shorewall6
+ wget -O /etc/shorewall/openmptcprouter-shorewall.tar.gz http://www.openmptcprouter.com/server/openmptcprouter-shorewall.tar.gz
+ tar xzf /etc/shorewall/openmptcprouter-shorewall.tar.gz -C /etc/shorewall
+ rm /etc/shorewall/openmptcprouter-shorewall.tar.gz
+ sed -i "s:eth0:$INTERFACE:g" /etc/shorewall/*
+ systemctl enable shorewall
+ wget -O /etc/shorewall6/openmptcprouter-shorewall6.tar.gz http://www.openmptcprouter.com/server/openmptcprouter-shorewall6.tar.gz
+ tar xzf /etc/shorewall6/openmptcprouter-shorewall6.tar.gz -C /etc/shorewall6
+ rm /etc/shorewall6/openmptcprouter-shorewall6.tar.gz
+ sed -i "s:eth0:$INTERFACE:g" /etc/shorewall6/*
+ systemctl enable shorewall6
+else
+ # Update only needed firewall files
+ wget -O /etc/shorewall/interfaces http://www.openmptcprouter.com/server/shorewall4/interfaces
+ wget -O /etc/shorewall/snat http://www.openmptcprouter.com/server/shorewall4/snat
+ wget -O /etc/shorewall/stoppedrules http://www.openmptcprouter.com/server/shorewall4/stoppedrules
+ sed -i "s:eth0:$INTERFACE:g" /etc/shorewall/*
+ wget -O /etc/shorewall6/interfaces http://www.openmptcprouter.com/server/shorewall6/interfaces
+ wget -O /etc/shorewall6/stoppedrules http://www.openmptcprouter.com/server/shorewall6/stoppedrules
+ sed -i "s:eth0:$INTERFACE:g" /etc/shorewall6/*
+fi
+
+if [ "$update" = "0" ]; then
+ # Display important info
+ echo '=========================================================================================='
+ echo 'OpenMPTCProuter VPS MLVPN is now configured !'
+ echo 'SSH port: 65222 (instead of port 22)'
+ echo 'MLVPN first port: 65201'
+ echo 'Your MLVPN password: '
+ echo $MLVPN_PASS
+ echo '=========================================================================================='
+ echo 'Keys are also saved in /root/openmptcprouter_mlvpn_config.txt, you are free to remove them'
+ echo '=========================================================================================='
+
+ # Save info in file
+ cat > /root/openmptcprouter_mlvpn_config.txt <<-EOF
+ SSH port: 65222 (instead of port 22)
+ MLVPN first port: 65201
+ Your MLVPN password:
+ ${MLVPN_PASS}
+ EOF
+ if [ -f "/root/openmptcprouter_config.txt" ]; then
+ cat >> /root/openmptcprouter_config.txt <<-EOF
+ MLVPN first port: 65201
+ Your MLVPN password:
+ ${MLVPN_PASS}
+ EOF
+ fi
+else
+ echo '===================================================================================='
+ echo 'OpenMPTCProuter VPS MLVPN is now updated !'
+ echo 'Keys are not changed, shorewall rules files preserved'
+ echo '===================================================================================='
+ echo 'Restarting mlvpn and omr-6in4...'
+ systemctl -q start mlvpn@mlvpn0
+ systemctl -q restart omr-6in4
+ echo 'done'
+ echo 'Restarting shorewall...'
+ systemctl -q restart shorewall
+ systemctl -q restart shorewall6
+ echo 'done'
+fi
diff --git a/debian9-x86_64.sh b/debian9-x86_64.sh
index 4332bdb..0ca5d34 100644
--- a/debian9-x86_64.sh
+++ b/debian9-x86_64.sh
@@ -4,6 +4,7 @@ GLORYTUN_PASS=${GLORYTUN_PASS:-$(od -vN "32" -An -tx1 /dev/urandom | tr '[:lowe
 #NBCPU=${NBCPU:-$(nproc --all | tr -d "\n")}
 NBCPU=${NBCPU:-$(grep -c '^processor' /proc/cpuinfo | tr -d "\n")}
 OBFS=${OBFS:-no}
+MLVPN=${MLVPN:-no}
 INTERFACE=${INTERFACE:-$(ip -o -4 route show to default | awk '{print $5}' | tr -d "\n")}
 DEBIAN_VERSION=$(sed 's/\..*//' /etc/debian_version)
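Review bot: `/etc/mlvpn/mlvpn0.conf` is left world-readable with the tunnel password in it: the script runs with `umask 0022`, creates `/etc/mlvpn` with a bare `mkdir -p`, fetches the file with `wget -O` (so 0644) and then substitutes `$MLVPN_PASS` into it with `sed -i`, and no `chmod` follows, so any local account can read the shared secret. Add `chmod 700 /etc/mlvpn` after the `mkdir -p` and `chmod 600 /etc/mlvpn/mlvpn0.conf` after the `sed`, and give `/root/openmptcprouter_mlvpn_config.txt` mode 0600 as well rather than relying on `/root` being 0700. Separately, every artifact pulled from `www.openmptcprouter.com/server/` (the systemd unit, the two `omr-6in4` executables, the shorewall tarballs and firewall files) comes over plain `http://` and is installed or executed as root with no checksum or signature check, so an on-path attacker gets root on the VPS; fetch over `https://` and verify a pinned SHA-256 per file (`echo "<sha256>  <file>" | sha256sum -c -`) before installing. The MLVPN tarball from GitHub is fetched over HTTPS but is likewise never verified.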
@@ -35,8 +36,8 @@ cd /boot
 apt-get -y install rename
 rename 's/^bzImage/vmlinuz/s' * >/dev/null 2>&1
 #apt-get -y install linux-mptcp
-dpkg -i /tmp/linux-image-4.14.24-mptcp-64056fa.amd64.deb
-dpkg -i /tmp/linux-headers-4.14.24-mptcp-64056fa.amd64.deb
+dpkg -E -i /tmp/linux-image-4.14.24-mptcp-64056fa.amd64.deb
+dpkg -E -i /tmp/linux-headers-4.14.24-mptcp-64056fa.amd64.deb
 # Check if mptcp kernel is grub default kernel
 echo "Set MPTCP kernel as grub default..."
@@ -46,19 +47,19 @@ bash update-grub.sh 4.14.24-mptcp
 #apt -t stretch-backports -y install shadowsocks-libev
 ## Compile Shadowsocks
-wget -O /tmp/shadowsocks-libev-3.1.3.tar.gz http://github.com/shadowsocks/shadowsocks-libev/releases/download/v3.1.3/shadowsocks-libev-3.1.3.tar.gz
+wget -O /tmp/shadowsocks-libev-3.2.0.tar.gz http://github.com/shadowsocks/shadowsocks-libev/releases/download/v3.2.0/shadowsocks-libev-3.2.0.tar.gz
 cd /tmp
-tar xzf shadowsocks-libev-3.1.3.tar.gz
-cd shadowsocks-libev-3.1.3
-wget https://github.com/Ysurac/openmptcprouter-feeds/raw/5b2caab3f98cc14e6b5fdb80a95fcd1ac61630ff/shadowsocks-libev/patches/020-NOCRYPTO.patch
+tar xzf shadowsocks-libev-3.2.0.tar.gz
+cd shadowsocks-libev-3.2.0
+wget https://raw.githubusercontent.com/Ysurac/openmptcprouter-feeds/master/shadowsocks-libev/patches/020-NOCRYPTO.patch
 patch -p1 < 020-NOCRYPTO.patch
 apt-get -y install --no-install-recommends devscripts equivs apg libcap2-bin libpam-cap
 apt -y -t stretch-backports install libsodium-dev
 mk-build-deps --install --tool "apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends -y"
 dpkg-buildpackage -b -us -uc
 cd ..
-dpkg -i shadowsocks-libev_3.1.3-1_amd64.deb
-rm -r /tmp/shadowsocks-libev-3.1.3
+dpkg -i shadowsocks-libev_3.2.0-1_amd64.deb
+rm -r /tmp/shadowsocks-libev-3.2.0
 # Load OLIA Congestion module at boot time
 if ! grep -q olia /etc/modules ; then
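Review bot: The NOCRYPTO patch is now fetched from `.../openmptcprouter-feeds/master/...` instead of the previous commit-pinned `.../raw/5b2caab3f98cc14e6b5fdb80a95fcd1ac61630ff/...`, so the source that is built with `dpkg-buildpackage` and installed as root with `dpkg -i` depends on whatever is on that branch at run time: builds stop being reproducible, and a push to (or compromise of) that branch reaches every server that runs this script afterwards. Keep the URL pinned to a commit, e.g. `wget https://raw.githubusercontent.com/Ysurac/openmptcprouter-feeds/<commit-sha>/shadowsocks-libev/patches/020-NOCRYPTO.patch`, and bump the SHA deliberately when the patch changes. The release tarball is still requested as `http://github.com/...`; GitHub redirects to HTTPS, but that first request is unauthenticated and the archive is never checksummed, so request `https://` directly and check it against a recorded `sha256sum` before `tar xzf`.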
@@ -102,6 +103,14 @@ if [ "$OBFS" = "yes" ]; then
 sed -i 's%"mptcp": true%"mptcp": true,\n"plugin": "/usr/local/bin/obfs-server --obfs http --mptcp --fast-open"%' /etc/shadowsocks-libev/config.json
 fi
+if [ "$MLVPN" = "yes" ]; then
+ cd /tmp
+ wget http://www.openmptcprouter.com/server/debian9-x86_64-mlvpn.sh
+ chmod u+x debian9-x86_64-mlvpn.sh
+ sh debian9-x86_64-mlvpn.sh
+ rm debian9-x86_64-mlvpn.sh
+fi
+
 # Install Glorytun UDP
 if systemctl -q is-active glorytun-udp@tun0.service; then
 systemctl -q stop glorytun-udp@tun0 > /dev/null 2>&1
@@ -212,9 +221,9 @@ fi
 # Add OpenMPTCProuter VPS script version to /etc/motd
 if grep --quiet 'OpenMPTCProuter VPS' /etc/motd; then
- sed -i 's:< OpenMPTCProuter VPS [0-9]*\.[0-9]* >:< OpenMPCTProuter VPS 0.20 >:' /etc/motd
+ sed -i 's:< OpenMPTCProuter VPS [0-9]*\.[0-9]* >:< OpenMPCTProuter VPS 0.21 >:' /etc/motd
 else
- echo '< OpenMPTCProuter VPS 0.20 >' >> /etc/motd
+ echo '< OpenMPTCProuter VPS 0.21 >' >> /etc/motd
 fi
 if [ "$update" = "0" ]; then
@@ -251,6 +260,9 @@ if [ "$update" = "0" ]; then
 Your glorytun key:
 ${GLORYTUN_PASS}
 EOF
+ if [ -f "/root/openmptcprouter_mlvpn_config.txt" ]; then
+ cat /root/openmptcprouter_mlvpn_config.txt >> /root/openmptcprouter_config.txt
+ fi
 else
 echo '===================================================================================='
 echo 'OpenMPTCProuter VPS is now updated !'
diff --git a/glorytun-udp.network b/glorytun-udp.network
index 5714228..e4e27ed 100644
--- a/glorytun-udp.network
+++ b/glorytun-udp.network
@@ -3,7 +3,7 @@ Name=gt-udp-*
 [Network]
 Description=Glorytun server device
-Address=0.0.0.0/24
+Address=10.255.254.1/24
 DHCPServer=yes
 IPMasquerade=yes
diff --git a/glorytun.network b/glorytun.network
index 7f00c76..9529320 100644
--- a/glorytun.network
+++ b/glorytun.network
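Review bot: The new `MLVPN=yes` branch downloads `debian9-x86_64-mlvpn.sh` over plain `http://` into the world-writable `/tmp` and runs it with `sh` as root, with no integrity check, so anyone on the network path can replace the installer. Because `wget` is used without `-O`, an existing `/tmp/debian9-x86_64-mlvpn.sh` (a stale copy, or one planted by a local user) is not overwritten: wget writes `debian9-x86_64-mlvpn.sh.1` and the following `sh` line executes the pre-existing file. Fetch into a private directory and verify before executing: `tmpd=$(mktemp -d)`, then `wget -O "$tmpd/mlvpn.sh" https://www.openmptcprouter.com/server/debian9-x86_64-mlvpn.sh` followed by a `sha256sum -c` against a pinned digest, then `sh "$tmpd/mlvpn.sh" && rm -rf -- "$tmpd"`.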
@@ -2,17 +2,17 @@ Name=gt-*
 [Link]
-MTUBytes=1280
+MTUBytes=1400
 [Network]
 Description=Glorytun server device
-Address=0.0.0.0/24
+Address=10.255.255.1/24
 DHCPServer=yes
 IPMasquerade=yes
 [DHCPServer]
-PoolOffset=2
-PoolSize=1
+PoolOffset=1
+PoolSize=2
 EmitDNS=no
 EmitNTP=no
 DNS=9.9.9.9
diff --git a/mlvpn.network b/mlvpn.network
new file mode 100644
index 0000000..36d4d43
--- /dev/null
+++ b/mlvpn.network
@@ -0,0 +1,17 @@
+[Match]
+Name=mlvpn*
+
+[Network]
+Description=MLVPN tunnel
+Address=10.255.253.1/24
+DHCPServer=yes
+IPMasquerade=yes
+
+[DHCPServer]
+PoolOffset=2
+PoolSize=1
+EmitDNS=no
+EmitNTP=no
+DNS=9.9.9.9
+DefaultLeaseTimeSec=12h
+MaxLeaseTimeSec=24h
\ No newline at end of file
diff --git a/mlvpn0.conf b/mlvpn0.conf
new file mode 100644
index 0000000..a3d2f55
--- /dev/null
+++ b/mlvpn0.conf
@@ -0,0 +1,41 @@
+[general]
+tuntap = "tun"
+mode = "server"
+interface_name = "mlvpn0"
+timeout = 30
+password = "MLVPN_PASS"
+reorder_buffer_size = 64
+loss_tolerence = 50
+
+[wan1]
+bindport = 65201
+bindhost = "0.0.0.0"
+
+[wan2]
+bindport = 65202
+bindhost = "0.0.0.0"
+
+[wan3]
+bindport = 65203
+bindhost = "0.0.0.0"
+
+[wan4]
+bindport = 65204
+bindhost = "0.0.0.0"
+
+[wan5]
+bindport = 65205
+bindhost = "0.0.0.0"
+
+[wan6]
+bindport = 65206
+bindhost = "0.0.0.0"
+
+[wan7]
+bindport = 65207
+bindhost = "0.0.0.0"
+
+[wan8]
+bindport = 65208
+bindhost = "0.0.0.0"
+
diff --git a/omr-6in4-service b/omr-6in4-service
index 55c3018..be30d17 100755
--- a/omr-6in4-service
+++ b/omr-6in4-service
@@ -10,9 +10,9 @@ fi
 # Add IPv6 tunnel
 if [ "$(ip link show omr-6in4 up)" ]; then
- ip tunnel change omr-6in4 mode sit remote 10.0.0.2 local 10.0.0.1
+ ip tunnel change omr-6in4 mode sit remote 10.255.255.2 local 10.255.255.1
 else
- ip tunnel add omr-6in4 mode sit remote 10.0.0.2 local 10.0.0.1
+ ip tunnel add omr-6in4 mode sit remote 10.255.255.2 local 10.255.255.1
 fi
 ip link set omr-6in4 up
 ip route replace fd00::/8 via fe80::a00:2 dev omr-6in4
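Review bot: `mlvpn0.conf` ships `password = "MLVPN_PASS"` with nothing in the file saying it is a placeholder that `debian9-x86_64-mlvpn.sh` rewrites with `sed` at install time, so anyone installing it by hand (or any run where the substitution is skipped) starts the server with the literal string as its shared secret and nothing warns them. I'd put a header on the file: `# MLVPN_PASS is substituted by debian9-x86_64-mlvpn.sh at install time. This password is the shared secret for all links: keep this file root-only (0600).` The eight `[wanN]` sections all use `bindhost = "0.0.0.0"`, so UDP 65201-65208 listen on every interface; if only the WAN address is meant to terminate links, bind to it, and either way document that reachability of these ports is governed by shorewall — I don't see an ACCEPT for them in the `shorewall4/rules` hunk, so presumably it lives in the shipped tarball.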
@@ -38,8 +38,10 @@ while true; do
 if ! $(exit $status); then
 allip_tcp=$(ip -4 addr show gt-tun0 | grep inet)
 allip_udp=$(ip -4 addr show gt-udp-tun0 | grep inet)
+ allip_mlvpn=$(ip -4 addr show mlvpn0 | grep inet)
 allip="$allip_tcp
-$allip_udp"
+$allip_udp
+$allip_mlvpn"
 while IFS= read -r inet; do
 ip=$(echo $inet | awk '{print $2}' | cut -d/ -f1 | tr -d "\n")
 ipd=$(echo $ip | sed 's/.1/.2/' | tr -d "\n")
@@ -47,6 +49,10 @@ $allip_udp"
 status=$?
 if $(exit $status); then
 ip tunnel change omr-6in4 mode sit remote $ipd local $ip
+ echo "OMR_ADDR=$ipd" > /etc/shorewall/params.vpn
+ iface=$(ip -4 addr | grep $ip | awk '{print $7}' | tr -d "\n")
+ echo "OMR_IFACE=$iface" >> /etc/shorewall/params.vpn
+ systemctl reload shorewall
 break
 fi
 done < <(printf '%s\n' "$allip")
diff --git a/shorewall4/interfaces b/shorewall4/interfaces
index 2fc0ad3..3aa7d7d 100644
--- a/shorewall4/interfaces
+++ b/shorewall4/interfaces
@@ -17,4 +17,5 @@ net eth0 dhcp,tcpflags,routefilter,nosmurfs,logmartians,sourceroute=0
 vpn gt-tun0 nosmurfs,routefilter,logmartians,tcpflags
 vpn gt-udp-tun0 nosmurfs,routefilter,logmartians,tcpflags
+vpn mlvpn0 nosmurfs,routefilter,logmartians,tcpflags
diff --git a/shorewall4/params b/shorewall4/params
index 0c50d58..85dde3b 100644
--- a/shorewall4/params
+++ b/shorewall4/params
@@ -22,3 +22,4 @@
 # net eth0 130.252.100.255 routefilter,norfc1918
 #
 ###############################################################################
+INCLUDE params.vpn
\ No newline at end of file
diff --git a/shorewall4/params.vpn b/shorewall4/params.vpn
new file mode 100644
index 0000000..fe8a205
--- /dev/null
+++ b/shorewall4/params.vpn
@@ -0,0 +1,2 @@
+OMR_ADDR=10.0.0.1
+OMR_IFACE=gt-tun0
diff --git a/shorewall4/rules b/shorewall4/rules
index 1e3c89c..b76a78d 100644
--- a/shorewall4/rules
+++ b/shorewall4/rules
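Review bot: `iface=$(ip -4 addr | grep $ip | awk '{print $7}' | tr -d "\n")` is fragile in a way that feeds straight into the firewall: `$ip` is unquoted and used as a regex (the dots match any character and nothing is anchored, so `10.255.255.1` also matches `10.255.255.10`, `…11`, and the `brd` field of other lines), and `$7` is the device name only when the `inet` line carries a `brd …` part — on a point-to-point tun address without one the name is `$5` and `$7` is empty, worth verifying on a live box. An empty or wrong value is then written into `params.vpn` and `systemctl reload shorewall` either fails or SNATs out of the wrong device, with no check in between. Use an exact address lookup, `iface=$(ip -4 -o addr show to "$ip/32" | awk '{print $2}')`, and only write `params.vpn` and reload when both `$iface` and `$ipd` are non-empty. The `while` loop this sits in starts before the hunk.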
@@ -55,12 +55,7 @@ ACCEPT net $FW tcp 65222
 #
 DHCPfwd(ACCEPT) $FW vpn
 #
-# Redirect all port from 1 to 64999 to the VPN UDP client from the network
+# Redirect all port from 1 to 64999 to the VPN client from the network
 #
-#DNAT net vpn:10.0.1.2 tcp 1-64999
-#DNAT net vpn:10.0.1.2 udp 1-64999
-#
-# Redirect all port from 1 to 64999 to the VPN TCP client from the network
-#
-#DNAT net vpn:10.0.0.2 tcp 1-64999
-#DNAT net vpn:10.0.0.2 udp 1-64999
+#DNAT net vpn:$OMR_ADDR tcp 1-64999
+#DNAT net vpn:$OMR_ADDR udp 1-64999
diff --git a/shorewall4/snat b/shorewall4/snat
index 1004537..a27d927 100644
--- a/shorewall4/snat
+++ b/shorewall4/snat
@@ -20,5 +20,4 @@ MASQUERADE 10.0.0.0/8,\
 172.16.0.0/12,\
 192.168.0.0/16 eth0
 # SNAT from VPN server for all VPN clients
-SNAT(10.0.0.1) 0.0.0.0/0 gt-tun0
-SNAT(10.0.1.1) 0.0.0.0/0 gt-udp-tun0
+SNAT($OMR_ADDR) 0.0.0.0/0 $OMR_IFACE
diff --git a/shorewall4/stoppedrules b/shorewall4/stoppedrules
index 9a4639c..30fc23c 100644
--- a/shorewall4/stoppedrules
+++ b/shorewall4/stoppedrules
@@ -17,4 +17,6 @@ ACCEPT gt-tun0 -
 ACCEPT - gt-tun0
 ACCEPT gt-udp-tun0 -
 ACCEPT - gt-udp-tun0
+ACCEPT mlvpn0 -
+ACCEPT - mlvpn0
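Review bot: `SNAT($OMR_ADDR) 0.0.0.0/0 $OMR_IFACE` replaces two rules that SNATed to the server's own tunnel addresses (`10.0.0.1`, `10.0.1.1`), but `$OMR_ADDR` is the variable `omr-6in4-service` fills with `$ipd` — the peer's `.2` address, which is what the commented `DNAT net vpn:$OMR_ADDR` wants. So once the service has written `params.vpn`, server-originated traffic leaving the tunnel is SNATed to the client's address rather than the server's, unless that is intended. Use two variables, e.g. `SNAT($OMR_SRV_ADDR) 0.0.0.0/0 $OMR_IFACE` for snat and `$OMR_ADDR` for DNAT, both written by the service. The shipped default `OMR_ADDR=10.0.0.1` in `params.vpn` also lags this patch's own move of glorytun to `10.255.255.1/24`, so the first firewall compile before the service runs SNATs to an address the box no longer has — update it to `10.255.255.1` (or whatever matches the default `OMR_IFACE=gt-tun0`).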