Merge pull request #5 from Ysurac/develop

tongbu20200921
2025-03-09 15:50:00 +00:00 · 2020-09-21 10:09:43 +08:00 · 2020-09-21 10:09:43 +08:00 · 944b314a71
commit 944b314a71
parent 6c2af1b843 d6b3042be4
20 changed files with 708 additions and 332 deletions
--- a/debian9-x86_64.sh
+++ b/debian9-x86_64.sh
--- a/dsvpn-server.service.in
+++ b/dsvpn-server.service.in
@ -1,5 +1,6 @@
 [Unit]
 Description=Dead Simple VPN - Server
+After=network.target network-online.target

 [Service]
 ExecStart=/usr/local/sbin/dsvpn server /etc/dsvpn/dsvpn.key auto 65011 dsvpn0 10.255.251.1 10.255.251.2
--- a/dsvpn-server@.service.in
+++ b/dsvpn-server@.service.in
@ -1,5 +1,6 @@
 [Unit]
 Description=Dead Simple VPN - Server on %I
+After=network.target network-online.target

 [Service]
 ExecStart=/usr/local/bin/dsvpn-run /etc/dsvpn/%i
--- a/glorytun-tcp-post.sh
+++ b/glorytun-tcp-post.sh
@ -1,9 +1,13 @@
 #!/bin/sh
+[ ! -f $(readlink -f "$1") ] && exit 1
 . "$(readlink -f "$1")"

 INTF=gt-${DEV}
 [ -z "$LOCALIP" ] && LOCALIP="10.255.255.1"
 [ -z "$BROADCASTIP" ] && BROADCASTIP="10.255.255.3"
+while [ -z "$(ip link show $INTF)" ]; do
+	sleep 2
+done
 [ "$(ip addr show dev $INTF | grep -o 'inet [0-9]*\.[0-9]*\.[0-9]*\.[0-9]*' | grep -o '[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*')" != "$LOCALIP" ] && {
 	ip link set dev ${INTF} up 2>&1 >/dev/null
 	ip addr add ${LOCALIP}/30 brd ${BROADCASTIP} dev ${INTF} 2>&1 >/dev/null
--- a/glorytun-udp-post.sh
+++ b/glorytun-udp-post.sh
@ -1,10 +1,15 @@
 #!/bin/sh
+[ ! -f $(readlink -f "$1") ] && exit 1
 . "$(readlink -f "$1")"

 INTF=gt-udp-${DEV}
 [ -z "$LOCALIP" ] && LOCALIP="10.255.254.1"
 [ -z "$BROADCASTIP" ] && BROADCASTIP="10.255.254.3"
+while [ -z "$(ip link show $INTF)" ]; do
+	sleep 2
+done
 [ "$(ip addr show dev $INTF | grep -o 'inet [0-9]*\.[0-9]*\.[0-9]*\.[0-9]*' | grep -o '[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*')" != "$LOCALIP" ] && {
 	ip link set dev ${INTF} up 2>&1 >/dev/null
 	ip addr add ${LOCALIP}/30 brd ${BROADCASTIP} dev ${INTF} 2>&1 >/dev/null
 }
+ip link set $INTF txqlen 100
--- a/manager.json
+++ b/manager.json
@ -9,7 +9,7 @@
    ],
    "method": "chacha20-ietf-poly1305",
    "fast_open": true,
-    "timeout": 600,
+    "timeout": 1000,
    "port_key": {
        "65101": "MySecretKey",
    },
--- a/mlvpn@.service.in
+++ b/mlvpn@.service.in
@ -2,6 +2,7 @@
 Description=MLVPN connection to %i
 PartOf=mlvpn.service
 ReloadPropagatedFrom=mlvpn.service
+After=network.target network-online.target

 [Service]
 Type=notify
--- a/1
+++ b/1
@ -16,6 +16,7 @@ if [ "$1" = "start" ]; then
        ip tunnel add ${DEV} mode sit remote ${REMOTEIP} local ${LOCALIP}
        ip -6 addr add ${LOCALIP6} dev ${DEV}
        ip link set ${DEV} up
+        [ -n "$ULA" ] && ip route replace ${ULA} via $(echo ${REMOTEIP6} | cut -d/ -f1) dev ${DEV}
 fi
 if [ "$1" = "stop" ]; then
        ip tunnel del ${DEV}
--- a/50
+++ b/50
@ -6,9 +6,9 @@ _multipath() {
 	source /etc/shorewall/params.net
 	for intf in `ls -1 /sys/class/net`; do
 		if [ "$intf" = "$NET_IFACE" ]; then
-			multipath $intf on
+			[ "$(multipath $intf | tr -d '\n')" != "$intf is in default mode" ] && multipath $intf on
 		else
-			multipath $intf off
+			[ "$(multipath $intf | tr -d '\n')" != "$intf is deactivated" ] && multipath $intf off
 		fi
 	done
 }
@ -16,30 +16,64 @@ _multipath() {
 _glorytun_udp() {
 	[ -z "$(glorytun show dev gt-udp-tun0 2>/dev/null | grep server)" ] && {
 		logger -t "OMR-Service" "Restart Glorytun-UDP"
-		systemctl -q restart glorytun-udp@*
+		systemctl -q restart 'glorytun-udp@*'
 	}
-	for intf in /etc/glorytun-udp/*; do
-		/etc/glorytun-udp/post.sh /etc/glorytun-udp/${intf}
+	for intf in /etc/glorytun-udp/tun*; do
+		[ "$(echo $intf | grep key)" = "" ] && /etc/glorytun-udp/post.sh ${intf}
 	done
 }

 _glorytun_tcp() {
-	for intf in /etc/glorytun-tcp/*; do
-		/etc/glorytun-tcp/post.sh /etc/glorytun-tcp/${intf}
+	for intf in /etc/glorytun-tcp/tun*; do
+		[ "$(echo $intf | grep key)" = "" ] && /etc/glorytun-tcp/post.sh ${intf}
 	done
 }

 _omr_api() {
-	[ -z "$(curl -s -k -m 1 https://127.0.0.1:65500/)" ] && {
+	[ -z "$(curl -s -k -m 30 https://127.0.0.1:65500/)" ] && {
 		logger -t "OMR-Service" "Restart OMR-Admin"
 		systemctl -q restart omr-admin
 	}
 }

+_lan_route() {
+	cat /etc/openmptcprouter-vps-admin/omr-admin-config.json | jq -c '.users[0][]' |
+	while IFS=$"\n" read -r c; do
+		vpnremoteip=$(echo "$c" | jq -r '.vpnremoteip')
+		if [ -n "$vpnremoteip" ] && [ "$vpnremoteip" != "null" ]; then
+			echo "$c" | jq -c '.lanips //empty' | 
+			while IFS=$"\n" read -r d; do
+				network=$(ipcalc -n $d | grep Network | awk '{print $2}')
+				[ -n "$network" ] && [ -z "$(ip r show $network via $vpnremoteip)" ] && ip r replace $network via $vpnremoteip 2>&1 >/dev/null
+			done
+		fi
+	done
+}
+
+_gre_tunnels() {
+	. "$(readlink -f "/etc/shorewall/params.vpn")"
+	for intf in /etc/openmptcprouter-vps-admin/intf/*; do
+		if [ -f "$intf" ]; then
+			. "$(readlink -f "$intf")"
+			iface="$(basename $intf)"
+			if [ "$(ip tunnel show $iface 2>/dev/null | awk '{print $4}')" != "$OMR_ADDR" ]; then
+				ip tunnel del $iface 2>&1 >/dev/null
+				ip tunnel add $iface mode gre local $INTFADDR remote $OMR_ADDR
+				ip link set $iface up
+				ip addr add $LOCALIP dev $iface
+				ip route add $NETWORK dev $iface 2>&1 >/dev/null
+			fi
+		fi
+	done
+}
+
+
 while true; do
 	_glorytun_udp
 	_glorytun_tcp
 	_multipath
 	_omr_api
+	_lan_route
+	_gre_tunnels
 	sleep 10
 done
--- a/omr.service.in
+++ b/omr.service.in
@ -6,7 +6,7 @@ After=network.target network-online.target glorytun-tcp@.service glorytun-udp@.s
 Type=simple
 Restart=always
 ExecStart=/usr/local/bin/omr-service
-ExecStop=/usr/local/bin/omr-service stop
+KillSignal=9
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW

 [Install]
--- a/openmptcprouter-shorewall.tar.gz
+++ b/openmptcprouter-shorewall.tar.gz
--- a/openmptcprouter-shorewall6.tar.gz
+++ b/openmptcprouter-shorewall6.tar.gz
--- a/shadowsocks-libev-manager@.service.in
+++ b/shadowsocks-libev-manager@.service.in
@ -8,7 +8,7 @@ CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 LimitNOFILE=99999
 LimitNPROC=99999
-ExecStart=/usr/bin/ss-manager -c /etc/shadowsocks-libev/%i.json
+ExecStart=/usr/bin/ss-manager -c /etc/shadowsocks-libev/%i.json --manager-address 127.0.0.1:8839
 Restart=always

 [Install]
--- a/shadowsocks.conf
+++ b/shadowsocks.conf
@ -2,10 +2,10 @@
 # max open files
 fs.file-max = 512000
 # max read buffer
-net.core.rmem_max = 150000000
+net.core.rmem_max = 67108864
 # max write buffer
-net.core.wmem_max = 75000000
-net.core.optmem_max = 75000000
+net.core.wmem_max = 67108864
+net.core.optmem_max = 33554432
 # default read buffer
 net.core.rmem_default = 131072
 # default write buffer
@ -28,19 +28,19 @@ net.ipv4.tcp_keepalive_time = 7200
 # outbound port range
 net.ipv4.ip_local_port_range = 9999 65000
 # max SYN backlog
-net.ipv4.tcp_max_syn_backlog = 4096
+net.ipv4.tcp_max_syn_backlog = 10240
 # max timewait sockets held by system simultaneously
 net.ipv4.tcp_max_tw_buckets = 10000
 # turn on TCP Fast Open on both client and server side
 net.ipv4.tcp_fastopen = 3
 # TCP buffer
-net.ipv4.tcp_mem = 768174 75000000 150000000
+net.ipv4.tcp_mem = 8092 131072 67108864
 # UDP buffer
-net.ipv4.udp_mem = 768174 75000000 150000000
+net.ipv4.udp_mem = 8092 131072 67108864
 # TCP receive buffer
-net.ipv4.tcp_rmem = 4096 524288 75000000
+net.ipv4.tcp_rmem = 4096 87380 33554432
 # TCP write buffer
-net.ipv4.tcp_wmem = 4096 524288 75000000
+net.ipv4.tcp_wmem = 4096 65536 33554432
 # turn on path MTU discovery
 net.ipv4.tcp_mtu_probing = 0

@ -51,8 +51,9 @@ net.core.default_qdisc = fq
 net.netfilter.nf_conntrack_max = 131072

 net.ipv4.conf.all.log_martians = 0
+net.ipv4.conf.default.log_martians = 0

 # MPTCP settings
 net.mptcp.mptcp_checksum = 0
-net.mptcp.mptcp_syn_retries = 1
+net.mptcp.mptcp_syn_retries = 2
 net.ipv4.tcp_ecn=1
--- a/shorewall4/interfaces
+++ b/shorewall4/interfaces
@ -20,4 +20,5 @@ vpn	gt-udp-tun+	nosmurfs,tcpflags
 vpn	mlvpn+		nosmurfs,tcpflags
 vpn	tun+		nosmurfs,tcpflags
 vpn	dsvpn+		nosmurfs,tcpflags
+vpn	gre-user+	nosmurfs,tcpflags

--- a/shorewall4/shorewall.conf
+++ b/shorewall4/shorewall.conf
@ -108,10 +108,11 @@ TC=
 ###############################################################################

 ACCEPT_DEFAULT=none
-DROP_DEFAULT=Drop
+BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
-REJECT_DEFAULT=Reject
+REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"

 ###############################################################################
 #			 R S H / R C P	C O M M A N D S
--- a/shorewall6/shorewall6.conf
+++ b/shorewall6/shorewall6.conf
@ -105,10 +105,11 @@ TC=
 ###############################################################################

 ACCEPT_DEFAULT=none
-DROP_DEFAULT=Drop
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
-REJECT_DEFAULT=Reject
+REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"

 ###############################################################################
 #			 R S H / R C P	C O M M A N D S
--- a/shorewall6/snat
+++ b/shorewall6/snat
@ -18,4 +18,4 @@
 MASQUERADE		fe80::/10,\
 			fd00::/8		$NET_IFACE
 # SNAT from VPN server for all VPN clients
-SNAT(fe80::a00:1)		::/0		omr-6in4-user+
+#SNAT(fe80::a00:1)		::/0		omr-6in4-user+
--- a/tun0.glorytun
+++ b/tun0.glorytun
@ -3,4 +3,4 @@ DEV=tun0
 SERVER=true
 MPTCP=true
 IPV6=true
-OPTIONS="chacha20 retry count -1 const 5000000 timeout 10000 keepalive count 5 idle 20 interval 2 buffer-size 32768 multiqueue"
+OPTIONS="chacha20 retry count -1 const 500000 timeout 5000 keepalive count 5 idle 20 interval 2 buffer-size 32768 multiqueue"
--- a/v2ray-server.json
+++ b/v2ray-server.json
@ -0,0 +1,124 @@
+{
+	"log": {
+		"loglevel": "debug",
+		"error": "/tmp/v2rayError.log"
+	},
+	"transport": {
+		"tcpSettings": {},
+		"wsSettings": {},
+		"kcpSettings": {
+			"mtu": 1460,
+			"tti": 10,
+			"uplinkCapacity": 100,
+			"downlinkCapacity": 100,
+			"congestion": false,
+			"readBufferSize": 8,
+			"writeBufferSize": 8
+		}
+	},
+	"inbounds": [
+		{
+			"tag": "Vmess-In1",
+			"port": 65228,
+			"protocol": "vless",
+			"settings": {
+				"disableInsecureEncryption": false,
+				"clients": [
+					{
+						"id": "V2RAY_UUID",
+						"level": 0,
+						"alterId": 0,
+						"email": "openmptcprouter"
+					}
+				]
+			},
+			"streamSettings": {
+				"sockopt": {
+					"mark": 0
+				},
+				"network": "tcp",
+				"security": "tls",
+				"tlsSettings": {
+					"certificates": [
+						{
+							"certificateFile": "/etc/openvpn/ca/pki/issued/server.crt",
+							"keyFile": "/etc/openvpn/ca/pki/private/server.key"
+						}
+					]
+				}
+			}
+		},
+		{
+			"listen": "127.0.0.1",
+			"port": 10085,
+			"protocol": "dokodemo-door",
+			"settings": {
+				"address": "127.0.0.1"
+			},
+			"tag": "api"
+		}
+	],
+	"outbounds": [
+		{
+			"protocol": "freedom",
+			"settings": {
+				"userLevel": 0
+			},
+			"tag": "direct"
+		}
+	],
+	"routing": {
+		"rules": [
+			{
+				"type": "field",
+				"inboundTag": [
+					"Vmess-In1"
+				],
+				"outboundTag": "WH-Lan1",
+				"domain": [
+					"full:WH-Lan1"
+				]
+			},
+			{
+				"inboundTag": [
+					"api"
+				],
+				"outboundTag": "api",
+				"type": "field"
+			}
+		]
+	},
+	"reverse": {
+		"portals": [
+			{
+				"tag": "WH-Lan1",
+				"domain": "WH-Lan1"
+			}
+		]
+	},
+	"stats": {},
+	"api": {
+		"tag": "api",
+		"services": [
+			"HandlerService",
+			"LoggerService",
+			"StatsService"
+		]
+	},
+	"policy": {
+		"levels": {
+			"0": {
+				"uplinkOnly": 0,
+				"downlinkOnly": 0,
+				"bufferSize": 512,
+				"connIdle": 1200,
+				"statsUserUplink": true,
+				"statsUserDownlink": true
+			}
+		},
+		"system": {
+			"statsInboundUplink": true,
+			"statsInboundDownlink": true
+		}
+	}
+}