OpenMPTCProuter VPS script 0.14 initial commit

2025-02-12 11:21:56 +00:00 · 2018-03-30 07:52:49 +00:00 · 2018-03-30 07:52:49 +00:00 · 5a2f5390c6
commit 5a2f5390c6
24 changed files with 1293 additions and 0 deletions
--- a/config.json
+++ b/config.json
@ -0,0 +1,14 @@
+{
+    "server":["[::0]", "0.0.0.0"],
+    "server_port":65101,
+    "local_port":1081,
+    "mode":"tcp_and_udp",
+    "key":"MySecretKey",
+    "timeout":120,
+    "method":"aes-256-cfb",
+    "verbose":2,
+    "prefer_ipv6": true,
+    "fast_open": true,
+    "reuse_port": true,
+    "mptcp": true
+}
--- a/debian9-x86_64.sh
+++ b/debian9-x86_64.sh
@ -0,0 +1,163 @@
+#!/bin/sh
+SHADOWSOCKS_PASS=${SHADOWSOCKS_PASS:-$(head -c 32 /dev/urandom | base64 -w0)}
+GLORYTUN_PASS=${GLORYTUN_PASS:-$(od  -vN "32" -An -tx1 /dev/urandom | tr '[:lower:]' '[:upper:]' | tr -d " \n")}
+#NBCPU=${NBCPU:-$(nproc --all | tr -d "\n")}
+NBCPU=${NBCPU:-$(grep -c '^processor' /proc/cpuinfo | tr -d "\n")}
+OBFS=${OBFS:-no}
+INTERFACE=${INTERFACE:-$(ip -o -4 route show to default | awk '{print $5}' | tr -d "\n")}
+
+set -e
+umask 0022
+
+# Install mptcp kernel and shadowsocks
+apt-get update
+apt-get -y install dirmngr
+#apt-key adv --keyserver hkp://keys.gnupg.net --recv-keys 379CE192D401AB61
+#echo 'deb http://dl.bintray.com/cpaasch/deb jessie main' >> /etc/apt/sources.list
+echo 'deb http://deb.debian.org/debian stretch-backports main' > /etc/apt/sources.list.d/stretch-backports.list
+apt-get update
+wget -O /tmp/linux-image-4.14.24-mptcp-64056fa.amd64.deb http://www.openmptcprouter.com/kernel/linux-image-4.14.24-mptcp-64056fa.amd64.deb
+wget -O /tmp/linux-headers-4.14.24-mptcp-64056fa.amd64.deb http://www.openmptcprouter.com/kernel/linux-headers-4.14.24-mptcp-64056fa.amd64.deb
+#apt-get -y install linux-mptcp
+dpkg -i /tmp/linux-image-4.14.24-mptcp-64056fa.amd64.deb
+dpkg -i /tmp/linux-headers-4.14.24-mptcp-64056fa.amd64.deb
+
+#apt -t stretch-backports -y install shadowsocks-libev
+## Compile Shadowsocks
+wget -O /tmp/shadowsocks-libev-3.1.3.tar.gz http://github.com/shadowsocks/shadowsocks-libev/releases/download/v3.1.3/shadowsocks-libev-3.1.3.tar.gz
+cd /tmp
+tar xzf shadowsocks-libev-3.1.3.tar.gz
+cd shadowsocks-libev-3.1.3
+wget http://github.com/Ysurac/openmptcprouter-feeds/raw/master/shadowsocks-libev/patches/020-NOCRYPTO.patch
+patch -p1 < 020-NOCRYPTO.patch
+apt-get -y install --no-install-recommends devscripts equivs apg libcap2-bin libpam-cap
+apt -y -t stretch-backports install libsodium-dev
+mk-build-deps --root-cmd sudo --install --tool "apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends -y"
+dpkg-buildpackage -b -us -uc
+cd ..
+dpkg -i shadowsocks-libev_3.1.3-1_amd64.deb
+
+# Load OLIA Congestion module at boot time
+if ! grep -q olia /etc/modules ; then
+	echo mptcp_olia >> /etc/modules
+fi
+
+# Get shadowsocks optimization
+wget -O /etc/sysctl.d/90-shadowsocks.conf http://www.openmptcprouter.com/server/shadowsocks.conf
+
+# Install shadowsocks config and add a shadowsocks by CPU
+wget -O /etc/shadowsocks-libev/config.json http://www.openmptcprouter.com/server/config.json
+SHADOWSOCKS_PASS_JSON=$(echo $SHADOWSOCKS_PASS | sed 's/+/-/g; s/\//_/g;')
+sed -i "s:MySecretKey:$SHADOWSOCKS_PASS_JSON:g" /etc/shadowsocks-libev/config.json
+#sed -i 's:json:json --mptcp:g' /lib/systemd/system/shadowsocks-libev-server@.service
+systemctl disable shadowsocks-libev
+systemctl enable shadowsocks-libev-server@config.service
+if [ $NBCPU -gt 1 ]; then
+	for i in $NBCPU; do
+		ln -fs /etc/shadowsocks-libev/config.json /etc/shadowsocks-libev/config$i.json
+		systemctl enable shadowsocks-libev-server@config$i.service
+	done
+fi
+if ! grep -q 'DefaultLimitNOFILE=65536' /etc/systemd/system.conf ; then
+	echo 'DefaultLimitNOFILE=65536' >> /etc/systemd/system.conf
+fi
+
+# Install simple-obfs
+if [ "$OBFS" = "yes" ]; then
+	cd /tmp
+	sudo apt-get install -y --no-install-recommends build-essential autoconf libtool libssl-dev libpcre3-dev libev-dev asciidoc xmlto automake git ca-certificates
+	git clone https://github.com/shadowsocks/simple-obfs.git /tmp/simple-obfs
+	cd /tmp/simple-obfs
+	git submodule update --init --recursive
+	./autogen.sh
+	./configure && make
+	make install
+	cd /tmp
+	rm -rf /tmp/simple-obfs
+	sed -i 's%"mptcp": true%"mptcp": true,\n"plugin": "/usr/local/bin/obfs-server --obfs http --mptcp --fast-open"%' /etc/shadowsocks-libev/config.json
+fi
+
+# Install Glorytun UDP
+#apt-get -y install meson pkg-config ca-certificates
+#cd /root
+#wget https://github.com/angt/glorytun/releases/download/v0.0.93-mud/glorytun-0.0.93-mud.tar.gz
+#tar xzf glorytun-0.0.93-mud.tar.gz
+#cd glorytun-0.0.93-mud
+#meson build
+#ninja -C build install
+#sed -i 's:EmitDNS=yes:EmitDNS=no:g' /lib/systemd/network/glorytun.network
+
+# Install Glorytun TCP
+apt -t stretch-backports -y install libsodium-dev
+apt-get -y install build-essential pkg-config autoconf automake
+cd /tmp
+wget -O /tmp/glorytun-0.0.35.tar.gz http://github.com/angt/glorytun/releases/download/v0.0.35/glorytun-0.0.35.tar.gz
+cd /tmp
+tar xzf glorytun-0.0.35.tar.gz
+cd glorytun-0.0.35
+./autogen.sh
+./configure
+make
+cp glorytun /usr/local/bin/glorytun-tcp
+wget -O /usr/local/bin/glorytun-tcp-run http://www.openmptcprouter.com/server/glorytun-tcp-run
+chmod 755 /usr/local/bin/glorytun-tcp-run
+wget -O /lib/systemd/system/glorytun-tcp@.service http://www.openmptcprouter.com/server/glorytun-tcp%40.service.in
+wget -O /lib/systemd/network/glorytun.network http://www.openmptcprouter.com/server/glorytun.network
+mkdir -p /etc/glorytun-tcp
+wget -O /etc/glorytun-tcp/tun0 http://www.openmptcprouter.com/server/tun0.glorytun
+echo "$GLORYTUN_PASS" > /etc/glorytun-tcp/tun0.key
+systemctl enable glorytun-tcp@tun0.service
+systemctl enable systemd-networkd.service
+cd /tmp
+rm -r /tmp/glorytun-0.0.35
+
+# Load tun module at boot time
+if ! grep -q tun /etc/modules ; then
+	echo tun >> /etc/modules
+fi
+
+
+# Change SSH port to 65222
+sed -i 's:#Port 22:Port 65222:g' /etc/ssh/sshd_config
+sed -i 's:Port 22:Port 65222:g' /etc/ssh/sshd_config
+
+# Remove Bind9 if available
+#systemctl -q disable bind9
+
+# Remove fail2ban if available
+#systemctl -q disable fail2ban
+
+# Install and configure the firewall using shorewall
+apt-get -y install shorewall shorewall6
+wget -O /etc/shorewall/openmptcprouter-shorewall.tar.gz http://www.openmptcprouter.com/server/openmptcprouter-shorewall.tar.gz
+tar xzf /etc/shorewall/openmptcprouter-shorewall.tar.gz -C /etc/shorewall
+rm /etc/shorewall/openmptcprouter-shorewall.tar.gz
+sed -i "s:eth0:$INTERFACE:g" /etc/shorewall/*
+systemctl enable shorewall
+wget -O /etc/shorewall6/openmptcprouter-shorewall6.tar.gz http://www.openmptcprouter.com/server/openmptcprouter-shorewall6.tar.gz
+tar xzf /etc/shorewall6/openmptcprouter-shorewall6.tar.gz -C /etc/shorewall6
+rm /etc/shorewall6/openmptcprouter-shorewall6.tar.gz
+sed -i "s:eth0:$INTERFACE:g" /etc/shorewall6/*
+systemctl enable shorewall6
+
+# Add OpenMPTCProuter VPS script version to /etc/motd
+if grep --quiet 'OpenMPTCProuter VPS' /etc/motd; then
+	sed -i 's:< OpenMPTCProuter VPS [0-9]*\.[0-9]* >:< OpenMPCTProuter VPS 0.14 >:' /etc/motd
+else
+	echo '< OpenMPCTProuter VPS 0.14 >' >> /etc/motd
+fi
+
+# Display important info
+echo '================================================================================'
+echo 'OpenMPTCProuter VPS is now configured !'
+echo 'SSH port: 65222 (instead of port 22)'
+echo 'Shadowsocks port: 65101'
+echo 'Shadowsocks encryption: aes-256-cfb'
+echo 'Your shadowsocks key: '
+echo $SHADOWSOCKS_PASS
+echo 'Glorytun port: 65001'
+echo 'Glorytun encryption: chacha20'
+echo 'Your glorytun key: '
+echo $GLORYTUN_PASS
+echo 'You need to reboot to enable MPTCP, shadowsocks, glorytun and shorewall'
+echo '================================================================================'
--- a/21
+++ b/21
@ -0,0 +1,21 @@
+#!/bin/sh
+
+set -e
+
+if [ ! -f "$1" ]; then
+        echo "usage: $(basename "$0") FILE"
+        exit 1
+fi
+
+. "$(readlink -f "$1")"
+
+DEV="gt${HOST:+c}-$(basename "$1")"
+
+exec glorytun-tcp \
+	${SERVER:+listener} \
+	keyfile "$1".key \
+	${DEV:+dev "$DEV"} \
+	${HOST:+host "$HOST"} \
+	${PORT:+port "$PORT"} \
+	${MPTCP:+mptcp} \
+	${OPTIONS:+$OPTIONS}
--- a/glorytun-tcp@.service.in
+++ b/glorytun-tcp@.service.in
@ -0,0 +1,12 @@
+[Unit]
+Description=Glorytun TCP on %I
+After=network.target network-online.target
+
+[Service]
+Type=simple
+Restart=always
+ExecStart=/usr/local/bin/glorytun-tcp-run /etc/glorytun-tcp/%i
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
+
+[Install]
+WantedBy=multi-user.target
--- a/glorytun.network
+++ b/glorytun.network
@ -0,0 +1,14 @@
+[Match]
+Name=gt-*
+
+[Network]
+Description=Glorytun server device
+Address=0.0.0.0/24
+DHCPServer=yes
+IPMasquerade=yes
+
+[DHCPServer]
+PoolOffset=2
+PoolSize=1
+EmitDNS=no
+DNS=9.9.9.9
--- a/shadowsocks.conf
+++ b/shadowsocks.conf
@ -0,0 +1,46 @@
+# local sysctl settings can be stored in this directory
+# max open files
+fs.file-max = 51200
+# max read buffer
+net.core.rmem_max = 134217728
+# max write buffer
+net.core.wmem_max = 134217728
+# default read buffer
+net.core.rmem_default = 65536
+# default write buffer
+net.core.wmem_default = 65536
+# max processor input queue
+net.core.netdev_max_backlog = 4096
+# max backlog
+net.core.somaxconn = 4096
+
+# resist SYN flood attacks
+net.ipv4.tcp_syncookies = 1
+# reuse timewait sockets when safe
+net.ipv4.tcp_tw_reuse = 1
+# turn off fast timewait sockets recycling
+net.ipv4.tcp_tw_recycle = 0
+# short FIN timeout
+net.ipv4.tcp_fin_timeout = 30
+# short keepalive time
+net.ipv4.tcp_keepalive_time = 2400
+# outbound port range
+net.ipv4.ip_local_port_range = 10000 65000
+# max SYN backlog
+net.ipv4.tcp_max_syn_backlog = 4096
+# max timewait sockets held by system simultaneously
+net.ipv4.tcp_max_tw_buckets = 10000
+# turn on TCP Fast Open on both client and server side
+net.ipv4.tcp_fastopen = 3
+# TCP receive buffer
+net.ipv4.tcp_rmem = 4096 87380 134217728
+# TCP write buffer
+net.ipv4.tcp_wmem = 4096 65536 134217728
+# turn on path MTU discovery
+net.ipv4.tcp_mtu_probing = 0
+
+# for low-latency network, use cubic instead
+net.ipv4.tcp_congestion_control = olia
+
+# Default conntrack is too small
+net.netfilter.nf_conntrack_max=131072
--- a/shorewall4/conntrack
+++ b/shorewall4/conntrack
@ -0,0 +1,53 @@
+#
+# Shorewall -- /etc/shorewall/conntrack
+#
+# For information about entries in this file, type "man shorewall-conntrack"
+#
+?FORMAT 3
+######################################################################################################
+#ACTION			SOURCE		DEST		PROTO	DPORT		SPORT	USER	SWITCH
+
+?if $AUTOHELPERS && __CT_TARGET
+
+?if __AMANDA_HELPER
+CT:helper:amanda:PO	-		-		udp	10080
+?endif
+
+?if __FTP_HELPER
+CT:helper:ftp:PO	-		-		tcp	21
+?endif
+
+?if __H323_HELPER
+CT:helper:RAS:PO	-		-		udp	1719
+CT:helper:Q.931:PO	-		-		tcp	1720
+?endif
+
+?if __IRC_HELPER
+CT:helper:irc:PO	-		-		tcp	6667
+?endif
+
+?if __NETBIOS_NS_HELPER
+CT:helper:netbios-ns:PO	-		-		udp	137
+?endif
+
+?if __PPTP_HELPER
+CT:helper:pptp:PO	-		-		tcp	1723
+?endif
+
+?if __SANE_HELPER
+CT:helper:sane:PO	-		-		tcp	6566
+?endif
+
+?if __SIP_HELPER
+CT:helper:sip:PO	-		-		udp	5060
+?endif
+
+?if __SNMP_HELPER
+CT:helper:snmp:PO	-		-		udp	161
+?endif
+
+?if __TFTP_HELPER
+CT:helper:tftp:PO	-		-		udp	69
+?endif
+
+?endif
--- a/shorewall4/interfaces
+++ b/shorewall4/interfaces
@ -0,0 +1,19 @@
+#
+# Shorewall version 4.0 - Sample Interfaces File for two-interface configuration.
+# Copyright (C) 2006-2014 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------
+# For information about entries in this file, type "man shorewall-interfaces"
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ZONE   INTERFACE       OPTIONS
+net	eth0            dhcp,tcpflags,routefilter,nosmurfs,logmartians,sourceroute=0
+vpn	gt-tun0        nosmurfs,routefilter,logmartians,tcpflags
+
--- a/shorewall4/params
+++ b/shorewall4/params
@ -0,0 +1,24 @@
+#
+# Shorewall -- /etc/shorewall/params
+#
+# Assign any variables that you need here.
+#
+# It is suggested that variable names begin with an upper case letter
+# to distinguish them from variables used internally within the
+# Shorewall programs
+#
+# Example:
+#
+#	NET_IF=eth0
+#	NET_BCAST=130.252.100.255
+#	NET_OPTIONS=routefilter,norfc1918
+#
+# Example (/etc/shorewall/interfaces record):
+#
+#	net	$NET_IF		$NET_BCAST	$NET_OPTIONS
+#
+# The result will be the same as if the record had been written
+#
+#	net	eth0		130.252.100.255	routefilter,norfc1918
+#
+###############################################################################
--- a/shorewall4/policy
+++ b/shorewall4/policy
@ -0,0 +1,23 @@
+#
+# Shorewall version 4.0 - Sample Policy File for two-interface configuration.
+# Copyright (C) 2006-2014 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------
+# For information about entries in this file, type "man shorewall-policy"
+###############################################################################
+#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
+
+vpn             net             ACCEPT
+vpn             fw             ACCEPT
+fw              vpn             ACCEPT
+fw              net             ACCEPT
+net             all             DROP            info
+# THE FOLLOWING POLICY MUST BE LAST
+all             all             REJECT          info
+
--- a/shorewall4/rules
+++ b/shorewall4/rules
@ -0,0 +1,61 @@
+#
+# Shorewall version 4.0 - Sample Rules File for two-interface configuration.
+# Copyright (C) 2006-2014,2007 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------
+# For information about entries in this file, type "man shorewall-rules"
+######################################################################################################################################################################################################
+#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME            HEADERS         SWITCH          HELPER
+#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
+?SECTION ALL
+?SECTION ESTABLISHED
+?SECTION RELATED
+?SECTION INVALID
+?SECTION UNTRACKED
+?SECTION NEW
+
+#       Don't allow connection pickup from the net
+#
+Invalid(DROP)   net             all             tcp
+#
+#       Accept DNS connections from the firewall to the network
+#
+DNS(ACCEPT)     $FW             net
+#
+#       Allow Ping from/to the VPN
+#
+Ping(ACCEPT)    vpn             $FW
+Ping(ACCEPT)    $FW             vpn
+#
+#       Allow Ping from the firewall to the network
+#
+Ping(ACCEPT)    $FW             net
+#
+# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
+#
+#Ping(DROP)     net             $FW
+Ping(ACCEPT)    net             $FW
+#
+#	Accept connection from port > 65000 for shadowsocks and glorytun on the firewall
+#
+ACCEPT          net             $FW             tcp     65000-65535
+ACCEPT          net             $FW             udp     65000-65535
+#
+#	Accept connection from SSH to the firewall
+#
+ACCEPT          net             $FW             tcp     65222
+#
+#	DHCP forward to the VPN from the firewall
+#
+DHCPfwd(ACCEPT)	$FW		vpn
+#
+#	Redirect all port from 1 to 64999 to the VPN client from the network
+#
+#DNAT		net		vpn:10.0.0.2	tcp	1-64999
+#DNAT		net		vpn:10.0.0.2	udp	1-64999
--- a/shorewall4/shorewall.conf
+++ b/shorewall4/shorewall.conf
@ -0,0 +1,295 @@
+###############################################################################
+#
+#  Shorewall Version 5 -- /etc/shorewall/shorewall.conf
+#
+#  For information about the settings in this file, type "man shorewall.conf"
+#
+#  Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
+###############################################################################
+#		       S T A R T U P   E N A B L E D
+###############################################################################
+
+STARTUP_ENABLED=Yes
+
+###############################################################################
+#			     V E R B O S I T Y
+###############################################################################
+
+VERBOSITY=1
+
+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
+###############################################################################
+#			       L O G G I N G
+###############################################################################
+
+BLACKLIST_LOG_LEVEL=
+
+INVALID_LOG_LEVEL=
+
+LOG_BACKEND=
+
+LOG_MARTIANS=Yes
+
+LOG_VERBOSITY=2
+
+LOGALLNEW=
+
+LOGFILE=/var/log/messages
+
+LOGFORMAT="Shorewall:%s:%s:"
+
+LOGTAGONLY=No
+
+LOGLIMIT=
+
+MACLIST_LOG_LEVEL=info
+
+RELATED_LOG_LEVEL=
+
+RPFILTER_LOG_LEVEL=info
+
+SFILTER_LOG_LEVEL=info
+
+SMURF_LOG_LEVEL=info
+
+STARTUP_LOG=/var/log/shorewall-init.log
+
+TCP_FLAGS_LOG_LEVEL=info
+
+UNTRACKED_LOG_LEVEL=
+
+###############################################################################
+#	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
+###############################################################################
+
+ARPTABLES=
+
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+
+GEOIPDIR=/usr/share/xt_geoip/LE
+
+IPTABLES=
+
+IP=
+
+IPSET=
+
+LOCKFILE=
+
+MODULESDIR=
+
+NFACCT=
+
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
+
+PERL=/usr/bin/perl
+
+RESTOREFILE=restore
+
+SHOREWALL_SHELL=/bin/sh
+
+SUBSYSLOCK=""
+
+TC=
+
+###############################################################################
+#		D E F A U L T   A C T I O N S / M A C R O S
+###############################################################################
+
+ACCEPT_DEFAULT=none
+DROP_DEFAULT=Drop
+NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT=none
+REJECT_DEFAULT=Reject
+
+###############################################################################
+#			 R S H / R C P	C O M M A N D S
+###############################################################################
+
+RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
+RSH_COMMAND='ssh ${root}@${system} ${command}'
+
+###############################################################################
+#			F I R E W A L L	  O P T I O N S
+###############################################################################
+
+ACCOUNTING=Yes
+
+ACCOUNTING_TABLE=filter
+
+ADD_IP_ALIASES=No
+
+ADD_SNAT_ALIASES=No
+
+ADMINISABSENTMINDED=Yes
+
+AUTOCOMMENT=Yes
+
+AUTOHELPERS=Yes
+
+AUTOMAKE=No
+
+BASIC_FILTERS=No
+
+BLACKLIST="NEW,INVALID,UNTRACKED"
+
+CHAIN_SCRIPTS=Yes
+
+CLAMPMSS=No
+
+CLEAR_TC=Yes
+
+COMPLETE=No
+
+DEFER_DNS_RESOLUTION=Yes
+
+DELETE_THEN_ADD=Yes
+
+DETECT_DNAT_IPADDRS=No
+
+DISABLE_IPV6=No
+
+DOCKER=No
+
+DONT_LOAD=
+
+DYNAMIC_BLACKLIST=Yes
+
+EXPAND_POLICIES=Yes
+
+EXPORTMODULES=Yes
+
+FASTACCEPT=No
+
+FORWARD_CLEAR_MARK=
+
+HELPERS=
+
+IGNOREUNKNOWNVARIABLES=No
+
+IMPLICIT_CONTINUE=No
+
+INLINE_MATCHES=No
+
+IPSET_WARNINGS=Yes
+
+IP_FORWARDING=On
+
+KEEP_RT_TABLES=No
+
+LOAD_HELPERS_ONLY=Yes
+
+MACLIST_TABLE=filter
+
+MACLIST_TTL=
+
+MANGLE_ENABLED=Yes
+
+MAPOLDACTIONS=No
+
+MARK_IN_FORWARD_CHAIN=No
+
+MINIUPNPD=No
+
+MODULE_SUFFIX=ko
+
+MULTICAST=No
+
+MUTEX_TIMEOUT=60
+
+NULL_ROUTE_RFC1918=No
+
+OPTIMIZE=0
+
+OPTIMIZE_ACCOUNTING=No
+
+REJECT_ACTION=
+
+REQUIRE_INTERFACE=No
+
+RESTART=restart
+
+RESTORE_DEFAULT_ROUTE=Yes
+
+RESTORE_ROUTEMARKS=Yes
+
+RETAIN_ALIASES=No
+
+ROUTE_FILTER=Yes
+
+SAVE_ARPTABLES=No
+
+SAVE_IPSETS=No
+
+TC_ENABLED=Internal
+
+TC_EXPERT=No
+
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
+TRACK_PROVIDERS=No
+
+TRACK_RULES=No
+
+USE_DEFAULT_RT=Yes
+
+USE_PHYSICAL_NAMES=No
+
+USE_RT_NAMES=No
+
+VERBOSE_MESSAGES=Yes
+
+WARNOLDCAPVERSION=Yes
+
+WORKAROUNDS=No
+
+ZERO_MARKS=No
+
+ZONE2ZONE=-
+
+###############################################################################
+#			P A C K E T   D I S P O S I T I O N
+###############################################################################
+
+BLACKLIST_DISPOSITION=DROP
+
+INVALID_DISPOSITION=CONTINUE
+
+MACLIST_DISPOSITION=REJECT
+
+RELATED_DISPOSITION=ACCEPT
+
+RPFILTER_DISPOSITION=DROP
+
+SMURF_DISPOSITION=DROP
+
+SFILTER_DISPOSITION=DROP
+
+TCP_FLAGS_DISPOSITION=DROP
+
+UNTRACKED_DISPOSITION=CONTINUE
+
+################################################################################
+#			P A C K E T  M A R K  L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
--- a/shorewall4/snat
+++ b/shorewall4/snat
@ -0,0 +1,23 @@
+#
+# Shorewall - Sample SNAT/Masqueradee File for two-interface configuration.
+# Copyright (C) 2006-2016 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------
+# For information about entries in this file, type "man shorewall-snat"
+#
+# See http://shorewall.net/manpages/shorewall-snat.html for more information
+###########################################################################################################################################
+#ACTION			SOURCE			DEST            PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
+#
+MASQUERADE		10.0.0.0/8,\
+			169.254.0.0/16,\
+			172.16.0.0/12,\
+			192.168.0.0/16		eth0
+# SNAT from VPN server for all VPN clients
+SNAT(10.0.0.1)		0.0.0.0/0		gt-tun0
--- a/shorewall4/stoppedrules
+++ b/shorewall4/stoppedrules
@ -0,0 +1,18 @@
+#
+# Shorewall version 4.5 - Sample Stoppedrules File for two-interface configuration.
+# Copyright (C) 2012 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------
+# For information about entries in this file, type "man shorewall-stoppedrules"
+###############################################################################
+#ACTION         SOURCE          DEST            PROTO   DEST            SOURCE
+#                                                       PORT(S)         PORT(S)
+ACCEPT          gt-tun0         -
+ACCEPT          -               gt-tun0
+
--- a/shorewall4/zones
+++ b/shorewall4/zones
@ -0,0 +1,19 @@
+#
+# Shorewall version 4.0 - Sample Zones File for two-interface configuration.
+# Copyright (C) 2006-2014 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------
+# For information about entries in this file, type "man shorewall-zones"
+###############################################################################
+#ZONE   TYPE    OPTIONS                 IN                      OUT
+#                                       OPTIONS                 OPTIONS
+fw      firewall
+net     ipv4
+vpn     ipv4
+
--- a/shorewall6/conntrack
+++ b/shorewall6/conntrack
@ -0,0 +1,53 @@
+#
+# Shorewall6 -- /etc/shorewall6/conntrack
+#
+# For information about entries in this file, type "man shorewall6-conntrack"
+#
+?FORMAT 3
+##############################################################################################
+#ACTION			SOURCE		DEST		PROTO	DPORT	SPORT	USER	SWITCH
+
+?if $AUTOHELPERS && __CT_TARGET
+
+?if __AMANDA_HELPER
+CT:helper:amanda:PO	-		-		udp	10080
+?endif
+
+?if __FTP_HELPER
+CT:helper:ftp:PO	-		-		tcp	21
+?endif
+
+?if __H323_HELPER
+CT:helper:RAS:PO	-		-		udp	1719
+CT:helper:Q.931:PO	-		-		tcp	1720
+?endif
+
+?if __IRC_HELPER
+CT:helper:irc:PO	-		-		tcp	6667
+?endif
+
+?if __NETBIOS_NS_HELPER
+CT:helper:netbios-ns:PO	-		-		udp	137
+?endif
+
+?if __PPTP_HELPER
+CT:helper:pptp:PO	-		-		tcp	1723
+?endif
+
+?if __SANE_HELPER
+CT:helper:sane:PO	-		-		tcp	6566
+?endif
+
+?if __SIP_HELPER
+CT:helper:sip:PO	-		-		udp	5060
+?endif
+
+?if __SNMP_HELPER
+CT:helper:snmp:PO	-		-		udp	161
+?endif
+
+?if __TFTP_HELPER
+CT:helper:tftp:PO	-		-		udp	69
+?endif
+
+?endif
--- a/shorewall6/interfaces
+++ b/shorewall6/interfaces
@ -0,0 +1,19 @@
+#
+# Shorewall version 4.0 - Sample Interfaces File for two-interface configuration.
+# Copyright (C) 2006-2014 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------
+# For information about entries in this file, type "man shorewall-interfaces"
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ZONE   INTERFACE       OPTIONS
+net	eth0            dhcp,tcpflags,nosmurfs,sourceroute=0
+vpn	gt-tun0        nosmurfs,tcpflags
+
--- a/shorewall6/params
+++ b/shorewall6/params
@ -0,0 +1,23 @@
+#
+# Shorewall6 -- /etc/shorewall6/params
+#
+# Assign any variables that you need here.
+#
+# It is suggested that variable names begin with an upper case letter
+# to distinguish them from variables used internally within the
+# Shorewall6 programs
+#
+# Example:
+#
+#	NET_IF=eth0
+#	NET_OPTIONS=dhcp,nosmurfs
+#
+# Example (/etc/shorewall6/interfaces record):
+#
+#	net	$NET_IF		-	$NET_OPTIONS
+#
+# The result will be the same as if the record had been written
+#
+#	net	eth0		-	dhcp,nosmurfs
+#
+###############################################################################
--- a/shorewall6/policy
+++ b/shorewall6/policy
@ -0,0 +1,23 @@
+#
+# Shorewall version 4.0 - Sample Policy File for two-interface configuration.
+# Copyright (C) 2006-2014 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------
+# For information about entries in this file, type "man shorewall-policy"
+###############################################################################
+#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
+
+vpn             net             ACCEPT
+vpn             fw              ACCEPT
+fw              vpn             ACCEPT
+fw              net             ACCEPT
+net             all             DROP            info
+# THE FOLLOWING POLICY MUST BE LAST
+all             all             REJECT          info
+
--- a/shorewall6/rules
+++ b/shorewall6/rules
@ -0,0 +1,60 @@
+#
+# Shorewall version 4.0 - Sample Rules File for two-interface configuration.
+# Copyright (C) 2006-2014,2007 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------
+# For information about entries in this file, type "man shorewall-rules"
+######################################################################################################################################################################################################
+#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME            HEADERS         SWITCH          HELPER
+#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
+?SECTION ALL
+?SECTION ESTABLISHED
+?SECTION RELATED
+?SECTION INVALID
+?SECTION UNTRACKED
+?SECTION NEW
+
+#       Don't allow connection pickup from the net
+#
+Invalid(DROP)   net             all             tcp
+#
+#       Accept DNS connections from the firewall to the network
+#
+DNS(ACCEPT)     $FW             net
+#
+#       Allow Ping from/to the VPN
+#
+Ping(ACCEPT)    vpn             $FW
+Ping(ACCEPT)    $FW             vpn
+#
+#       Allow Ping from the firewall to the network
+#
+Ping(ACCEPT)    $FW             net
+#
+# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
+#
+#Ping(DROP)     net             $FW
+Ping(ACCEPT)    net             $FW
+#
+#	Accept connection from port > 65000 for shadowsocks and glorytun on the firewall
+#
+ACCEPT          net             $FW             tcp     65000-65535
+ACCEPT          net             $FW             udp     65000-65535
+#
+#	Accept connection from SSH to the firewall
+#
+ACCEPT          net             $FW             tcp     65222
+#
+#	DHCP forward to the VPN from the firewall
+#
+DHCPfwd(ACCEPT)	$FW		vpn
+#
+#	Redirect all port from 1 to 64999 to the VPN client from the network
+#
+#DNAT		net		vpn:10.0.0.2	tcp	1-64999
--- a/shorewall6/shorewall6.conf
+++ b/shorewall6/shorewall6.conf
@ -0,0 +1,268 @@
+###############################################################################
+#
+#  Shorewall Version 5 -- /etc/shorewall6/shorewall6.conf
+#
+#  For information about the settings in this file, type "man shorewall6.conf"
+#
+#  Manpage also online at
+#  http://www.shorewall.net/manpages6/shorewall6.conf.html
+###############################################################################
+#		       S T A R T U P   E N A B L E D
+###############################################################################
+
+STARTUP_ENABLED=Yes
+
+###############################################################################
+#			     V E R B O S I T Y
+###############################################################################
+
+VERBOSITY=1
+
+###############################################################################
+#			        P A G E R
+###############################################################################
+
+PAGER=
+
+###############################################################################
+#			     F I R E W A L L
+###############################################################################
+
+FIREWALL=
+
+###############################################################################
+#			       L O G G I N G
+###############################################################################
+
+BLACKLIST_LOG_LEVEL=
+
+INVALID_LOG_LEVEL=
+
+LOG_BACKEND=
+
+LOG_VERBOSITY=2
+
+LOGALLNEW=
+
+LOGFILE=/var/log/messages
+
+LOGFORMAT="Shorewall:%s:%s:"
+
+LOGLIMIT=
+
+LOGTAGONLY=No
+
+MACLIST_LOG_LEVEL=info
+
+RELATED_LOG_LEVEL=
+
+RPFILTER_LOG_LEVEL=info
+
+SFILTER_LOG_LEVEL=info
+
+SMURF_LOG_LEVEL=info
+
+STARTUP_LOG=/var/log/shorewall6-init.log
+
+TCP_FLAGS_LOG_LEVEL=info
+
+UNTRACKED_LOG_LEVEL=
+
+###############################################################################
+#	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
+###############################################################################
+
+CONFIG_PATH="${CONFDIR}/shorewall6:/usr/share/shorewall6:${SHAREDIR}/shorewall"
+
+GEOIPDIR=/usr/share/xt_geoip/LE
+
+IP6TABLES=
+
+IP=
+
+IPSET=
+
+LOCKFILE=
+
+MODULESDIR=
+
+NFACCT=
+
+PERL=/usr/bin/perl
+
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
+
+RESTOREFILE=restore
+
+SHOREWALL_SHELL=/bin/sh
+
+SUBSYSLOCK=""
+
+TC=
+
+###############################################################################
+#		D E F A U L T   A C T I O N S / M A C R O S
+###############################################################################
+
+ACCEPT_DEFAULT=none
+DROP_DEFAULT=Drop
+NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT=none
+REJECT_DEFAULT=Reject
+
+###############################################################################
+#			 R S H / R C P	C O M M A N D S
+###############################################################################
+
+RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
+RSH_COMMAND='ssh ${root}@${system} ${command}'
+
+###############################################################################
+#			F I R E W A L L	  O P T I O N S
+###############################################################################
+
+ACCOUNTING=Yes
+
+ACCOUNTING_TABLE=filter
+
+ADMINISABSENTMINDED=Yes
+
+AUTOCOMMENT=Yes
+
+AUTOHELPERS=Yes
+
+AUTOMAKE=No
+
+BASIC_FILTERS=No
+
+BLACKLIST="NEW,INVALID,UNTRACKED"
+
+CHAIN_SCRIPTS=Yes
+
+CLAMPMSS=No
+
+CLEAR_TC=No
+
+COMPLETE=No
+
+DEFER_DNS_RESOLUTION=Yes
+
+DELETE_THEN_ADD=Yes
+
+DONT_LOAD=
+
+DYNAMIC_BLACKLIST=Yes
+
+EXPAND_POLICIES=Yes
+
+EXPORTMODULES=Yes
+
+FASTACCEPT=No
+
+FORWARD_CLEAR_MARK=Yes
+
+HELPERS=
+
+IGNOREUNKNOWNVARIABLES=No
+
+IMPLICIT_CONTINUE=No
+
+INLINE_MATCHES=No
+
+IPSET_WARNINGS=Yes
+
+IP_FORWARDING=On
+
+KEEP_RT_TABLES=Yes
+
+LOAD_HELPERS_ONLY=Yes
+
+MACLIST_TABLE=filter
+
+MACLIST_TTL=
+
+MANGLE_ENABLED=Yes
+
+MARK_IN_FORWARD_CHAIN=No
+
+MODULE_SUFFIX=ko
+
+MUTEX_TIMEOUT=60
+
+OPTIMIZE=1
+
+OPTIMIZE_ACCOUNTING=No
+
+REJECT_ACTION=
+
+REQUIRE_INTERFACE=No
+
+RESTART=restart
+
+RESTORE_ROUTEMARKS=Yes
+
+SAVE_IPSETS=No
+
+TC_ENABLED=No
+
+TC_EXPERT=No
+
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
+TRACK_PROVIDERS=No
+
+TRACK_RULES=No
+
+USE_DEFAULT_RT=Yes
+
+USE_PHYSICAL_NAMES=No
+
+USE_RT_NAMES=No
+
+VERBOSE_MESSAGES=Yes
+
+WARNOLDCAPVERSION=Yes
+
+WORKAROUNDS=No
+
+ZERO_MARKS=No
+
+ZONE2ZONE=-
+
+###############################################################################
+#			P A C K E T   D I S P O S I T I O N
+###############################################################################
+
+BLACKLIST_DISPOSITION=DROP
+
+INVALID_DISPOSITION=CONTINUE
+
+MACLIST_DISPOSITION=REJECT
+
+RELATED_DISPOSITION=ACCEPT
+
+SFILTER_DISPOSITION=DROP
+
+RPFILTER_DISPOSITION=DROP
+
+SMURF_DISPOSITION=DROP
+
+TCP_FLAGS_DISPOSITION=DROP
+
+UNTRACKED_DISPOSITION=CONTINUE
+
+################################################################################
+#			P A C K E T  M A R K  L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
+
+#LAST LINE -- DO NOT REMOVE
--- a/shorewall6/stoppedrules
+++ b/shorewall6/stoppedrules
@ -0,0 +1,18 @@
+#
+# Shorewall version 4.5 - Sample Stoppedrules File for two-interface configuration.
+# Copyright (C) 2012 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------
+# For information about entries in this file, type "man shorewall-stoppedrules"
+###############################################################################
+#ACTION         SOURCE          DEST            PROTO   DEST            SOURCE
+#                                                       PORT(S)         PORT(S)
+ACCEPT          gt-tun0         -
+ACCEPT          -               gt-tun0
+
--- a/shorewall6/zones
+++ b/shorewall6/zones
@ -0,0 +1,19 @@
+#
+# Shorewall version 4.0 - Sample Zones File for two-interface configuration.
+# Copyright (C) 2006-2014 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------
+# For information about entries in this file, type "man shorewall-zones"
+###############################################################################
+#ZONE   TYPE    OPTIONS                 IN                      OUT
+#                                       OPTIONS                 OPTIONS
+fw      firewall
+net     ipv6
+vpn     ipv6
+
--- a/tun0.glorytun
+++ b/tun0.glorytun
@ -0,0 +1,5 @@
+PORT=65001
+DEV=tun0
+SERVER=true
+MPTCP=true
+OPTIONS="chacha20 multiqueue keepalive"