Merge pull request #5 from Ysurac/develop

tongbu20200921
2025-03-09 15:50:00 +00:00 · 2020-09-21 10:09:43 +08:00 · 2020-09-21 10:09:43 +08:00 · 944b314a71
commit 944b314a71
parent 6c2af1b843 d6b3042be4
20 changed files with 708 additions and 332 deletions
--- a/debian9-x86_64.sh
+++ b/debian9-x86_64.sh
--- a/dsvpn-server.service.in
+++ b/dsvpn-server.service.in
@ -1,5 +1,6 @@
 [Unit]
 Description=Dead Simple VPN - Server
 After=network.target network-online.target
 [Service]
 ExecStart=/usr/local/sbin/dsvpn server /etc/dsvpn/dsvpn.key auto 65011 dsvpn0 10.255.251.1 10.255.251.2
--- a/dsvpn-server@.service.in
+++ b/dsvpn-server@.service.in
@ -1,5 +1,6 @@
 [Unit]
 Description=Dead Simple VPN - Server on %I
 After=network.target network-online.target
 [Service]
 ExecStart=/usr/local/bin/dsvpn-run /etc/dsvpn/%i
--- a/glorytun-tcp-post.sh
+++ b/glorytun-tcp-post.sh
@ -1,9 +1,13 @@
 #!/bin/sh
 [ ! -f $(readlink -f "$1") ] && exit 1
 . "$(readlink -f "$1")"
 INTF=gt-${DEV}
 [ -z "$LOCALIP" ] && LOCALIP="10.255.255.1"
 [ -z "$BROADCASTIP" ] && BROADCASTIP="10.255.255.3"
 while [ -z "$(ip link show $INTF)" ]; do
 	sleep 2
 done
 [ "$(ip addr show dev $INTF | grep -o 'inet [0-9]*\.[0-9]*\.[0-9]*\.[0-9]*' | grep -o '[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*')" != "$LOCALIP" ] && {
 	ip link set dev ${INTF} up 2>&1 >/dev/null
 	ip addr add ${LOCALIP}/30 brd ${BROADCASTIP} dev ${INTF} 2>&1 >/dev/null
--- a/glorytun-udp-post.sh
+++ b/glorytun-udp-post.sh
@ -1,10 +1,15 @@
 #!/bin/sh
 [ ! -f $(readlink -f "$1") ] && exit 1
 . "$(readlink -f "$1")"
 INTF=gt-udp-${DEV}
 [ -z "$LOCALIP" ] && LOCALIP="10.255.254.1"
 [ -z "$BROADCASTIP" ] && BROADCASTIP="10.255.254.3"
 while [ -z "$(ip link show $INTF)" ]; do
 	sleep 2
 done
 [ "$(ip addr show dev $INTF | grep -o 'inet [0-9]*\.[0-9]*\.[0-9]*\.[0-9]*' | grep -o '[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*')" != "$LOCALIP" ] && {
 	ip link set dev ${INTF} up 2>&1 >/dev/null
 	ip addr add ${LOCALIP}/30 brd ${BROADCASTIP} dev ${INTF} 2>&1 >/dev/null
 }
 ip link set $INTF txqlen 100
--- a/manager.json
+++ b/manager.json
@ -9,7 +9,7 @@
    ],
    "method": "chacha20-ietf-poly1305",
    "fast_open": true,
-    "timeout": 600,
+    "timeout": 1000,
    "port_key": {
        "65101": "MySecretKey",
    },
--- a/mlvpn@.service.in
+++ b/mlvpn@.service.in
@ -2,6 +2,7 @@
 Description=MLVPN connection to %i
 PartOf=mlvpn.service
 ReloadPropagatedFrom=mlvpn.service
 After=network.target network-online.target
 [Service]
 Type=notify
--- a/1
+++ b/1
@ -16,6 +16,7 @@ if [ "$1" = "start" ]; then
        ip tunnel add ${DEV} mode sit remote ${REMOTEIP} local ${LOCALIP}
        ip -6 addr add ${LOCALIP6} dev ${DEV}
        ip link set ${DEV} up
        [ -n "$ULA" ] && ip route replace ${ULA} via $(echo ${REMOTEIP6} | cut -d/ -f1) dev ${DEV}
 fi
 if [ "$1" = "stop" ]; then
        ip tunnel del ${DEV}
--- a/50
+++ b/50
@ -6,9 +6,9 @@ _multipath() {
 	source /etc/shorewall/params.net
 	for intf in `ls -1 /sys/class/net`; do
 		if [ "$intf" = "$NET_IFACE" ]; then
-			multipath $intf on
+			[ "$(multipath $intf | tr -d '\n')" != "$intf is in default mode" ] && multipath $intf on
 		else
-			multipath $intf off
+			[ "$(multipath $intf | tr -d '\n')" != "$intf is deactivated" ] && multipath $intf off
 		fi
 	done
 }
@ -16,30 +16,64 @@ _multipath() {
 _glorytun_udp() {
 	[ -z "$(glorytun show dev gt-udp-tun0 2>/dev/null | grep server)" ] && {
 		logger -t "OMR-Service" "Restart Glorytun-UDP"
-		systemctl -q restart glorytun-udp@*
+		systemctl -q restart 'glorytun-udp@*'
 	}
-	for intf in /etc/glorytun-udp/*; do
+	for intf in /etc/glorytun-udp/tun*; do
-		/etc/glorytun-udp/post.sh /etc/glorytun-udp/${intf}
+		[ "$(echo $intf | grep key)" = "" ] && /etc/glorytun-udp/post.sh ${intf}
 	done
 }
 _glorytun_tcp() {
-	for intf in /etc/glorytun-tcp/*; do
+	for intf in /etc/glorytun-tcp/tun*; do
-		/etc/glorytun-tcp/post.sh /etc/glorytun-tcp/${intf}
+		[ "$(echo $intf | grep key)" = "" ] && /etc/glorytun-tcp/post.sh ${intf}
 	done
 }
 _omr_api() {
-	[ -z "$(curl -s -k -m 1 https://127.0.0.1:65500/)" ] && {
+	[ -z "$(curl -s -k -m 30 https://127.0.0.1:65500/)" ] && {
 		logger -t "OMR-Service" "Restart OMR-Admin"
 		systemctl -q restart omr-admin
 	}
 }
 _lan_route() {
 	cat /etc/openmptcprouter-vps-admin/omr-admin-config.json | jq -c '.users[0][]' |
 	while IFS=$"\n" read -r c; do
 		vpnremoteip=$(echo "$c" | jq -r '.vpnremoteip')
 		if [ -n "$vpnremoteip" ] && [ "$vpnremoteip" != "null" ]; then
 			echo "$c" | jq -c '.lanips //empty' | 
 			while IFS=$"\n" read -r d; do
 				network=$(ipcalc -n $d | grep Network | awk '{print $2}')
 				[ -n "$network" ] && [ -z "$(ip r show $network via $vpnremoteip)" ] && ip r replace $network via $vpnremoteip 2>&1 >/dev/null
 			done
 		fi
 	done
 }
 _gre_tunnels() {
 	. "$(readlink -f "/etc/shorewall/params.vpn")"
 	for intf in /etc/openmptcprouter-vps-admin/intf/*; do
 		if [ -f "$intf" ]; then
 			. "$(readlink -f "$intf")"
 			iface="$(basename $intf)"
 			if [ "$(ip tunnel show $iface 2>/dev/null | awk '{print $4}')" != "$OMR_ADDR" ]; then
 				ip tunnel del $iface 2>&1 >/dev/null
 				ip tunnel add $iface mode gre local $INTFADDR remote $OMR_ADDR
 				ip link set $iface up
 				ip addr add $LOCALIP dev $iface
 				ip route add $NETWORK dev $iface 2>&1 >/dev/null
 			fi
 		fi
 	done
 }
 while true; do
 	_glorytun_udp
 	_glorytun_tcp
 	_multipath
 	_omr_api
 	_lan_route
 	_gre_tunnels
 	sleep 10
 done
--- a/omr.service.in
+++ b/omr.service.in
@ -6,7 +6,7 @@ After=network.target network-online.target glorytun-tcp@.service glorytun-udp@.s
 Type=simple
 Restart=always
 ExecStart=/usr/local/bin/omr-service
-ExecStop=/usr/local/bin/omr-service stop
+KillSignal=9
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
 [Install]
--- a/openmptcprouter-shorewall.tar.gz
+++ b/openmptcprouter-shorewall.tar.gz
--- a/openmptcprouter-shorewall6.tar.gz
+++ b/openmptcprouter-shorewall6.tar.gz
--- a/shadowsocks-libev-manager@.service.in
+++ b/shadowsocks-libev-manager@.service.in
@ -8,7 +8,7 @@ CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 LimitNOFILE=99999
 LimitNPROC=99999
-ExecStart=/usr/bin/ss-manager -c /etc/shadowsocks-libev/%i.json
+ExecStart=/usr/bin/ss-manager -c /etc/shadowsocks-libev/%i.json --manager-address 127.0.0.1:8839
 Restart=always
 [Install]
--- a/shadowsocks.conf
+++ b/shadowsocks.conf
@ -2,10 +2,10 @@
 # max open files
 fs.file-max = 512000
 # max read buffer
-net.core.rmem_max = 150000000
+net.core.rmem_max = 67108864
 # max write buffer
-net.core.wmem_max = 75000000
+net.core.wmem_max = 67108864
-net.core.optmem_max = 75000000
+net.core.optmem_max = 33554432
 # default read buffer
 net.core.rmem_default = 131072
 # default write buffer
@ -28,19 +28,19 @@ net.ipv4.tcp_keepalive_time = 7200
 # outbound port range
 net.ipv4.ip_local_port_range = 9999 65000
 # max SYN backlog
-net.ipv4.tcp_max_syn_backlog = 4096
+net.ipv4.tcp_max_syn_backlog = 10240
 # max timewait sockets held by system simultaneously
 net.ipv4.tcp_max_tw_buckets = 10000
 # turn on TCP Fast Open on both client and server side
 net.ipv4.tcp_fastopen = 3
 # TCP buffer
-net.ipv4.tcp_mem = 768174 75000000 150000000
+net.ipv4.tcp_mem = 8092 131072 67108864
 # UDP buffer
-net.ipv4.udp_mem = 768174 75000000 150000000
+net.ipv4.udp_mem = 8092 131072 67108864
 # TCP receive buffer
-net.ipv4.tcp_rmem = 4096 524288 75000000
+net.ipv4.tcp_rmem = 4096 87380 33554432
 # TCP write buffer
-net.ipv4.tcp_wmem = 4096 524288 75000000
+net.ipv4.tcp_wmem = 4096 65536 33554432
 # turn on path MTU discovery
 net.ipv4.tcp_mtu_probing = 0
@ -51,8 +51,9 @@ net.core.default_qdisc = fq
 net.netfilter.nf_conntrack_max = 131072
 net.ipv4.conf.all.log_martians = 0
 net.ipv4.conf.default.log_martians = 0
 # MPTCP settings
 net.mptcp.mptcp_checksum = 0
-net.mptcp.mptcp_syn_retries = 1
+net.mptcp.mptcp_syn_retries = 2
 net.ipv4.tcp_ecn=1
--- a/shorewall4/interfaces
+++ b/shorewall4/interfaces
@ -20,4 +20,5 @@ vpn	gt-udp-tun+	nosmurfs,tcpflags
 vpn	mlvpn+		nosmurfs,tcpflags
 vpn	tun+		nosmurfs,tcpflags
 vpn	dsvpn+		nosmurfs,tcpflags
 vpn	gre-user+	nosmurfs,tcpflags
--- a/shorewall4/shorewall.conf
+++ b/shorewall4/shorewall.conf
@ -108,10 +108,11 @@ TC=
 ###############################################################################
 ACCEPT_DEFAULT=none
-DROP_DEFAULT=Drop
+BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
 DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
-REJECT_DEFAULT=Reject
+REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 ###############################################################################
 #			 R S H / R C P	C O M M A N D S
--- a/shorewall6/shorewall6.conf
+++ b/shorewall6/shorewall6.conf
@ -105,10 +105,11 @@ TC=
 ###############################################################################
 ACCEPT_DEFAULT=none
-DROP_DEFAULT=Drop
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
 DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
-REJECT_DEFAULT=Reject
+REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 ###############################################################################
 #			 R S H / R C P	C O M M A N D S
--- a/shorewall6/snat
+++ b/shorewall6/snat
@ -18,4 +18,4 @@
 MASQUERADE		fe80::/10,\
 			fd00::/8		$NET_IFACE
 # SNAT from VPN server for all VPN clients
-SNAT(fe80::a00:1)		::/0		omr-6in4-user+
+#SNAT(fe80::a00:1)		::/0		omr-6in4-user+
--- a/tun0.glorytun
+++ b/tun0.glorytun
@ -3,4 +3,4 @@ DEV=tun0
 SERVER=true
 MPTCP=true
 IPV6=true
-OPTIONS="chacha20 retry count -1 const 5000000 timeout 10000 keepalive count 5 idle 20 interval 2 buffer-size 32768 multiqueue"
+OPTIONS="chacha20 retry count -1 const 500000 timeout 5000 keepalive count 5 idle 20 interval 2 buffer-size 32768 multiqueue"
--- a/v2ray-server.json
+++ b/v2ray-server.json
@ -0,0 +1,124 @@
 {
 	"log": {
 		"loglevel": "debug",
 		"error": "/tmp/v2rayError.log"
 	},
 	"transport": {
 		"tcpSettings": {},
 		"wsSettings": {},
 		"kcpSettings": {
 			"mtu": 1460,
 			"tti": 10,
 			"uplinkCapacity": 100,
 			"downlinkCapacity": 100,
 			"congestion": false,
 			"readBufferSize": 8,
 			"writeBufferSize": 8
 		}
 	},
 	"inbounds": [
 		{
 			"tag": "Vmess-In1",
 			"port": 65228,
 			"protocol": "vless",
 			"settings": {
 				"disableInsecureEncryption": false,
 				"clients": [
 					{
 						"id": "V2RAY_UUID",
 						"level": 0,
 						"alterId": 0,
 						"email": "openmptcprouter"
 					}
 				]
 			},
 			"streamSettings": {
 				"sockopt": {
 					"mark": 0
 				},
 				"network": "tcp",
 				"security": "tls",
 				"tlsSettings": {
 					"certificates": [
 						{
 							"certificateFile": "/etc/openvpn/ca/pki/issued/server.crt",
 							"keyFile": "/etc/openvpn/ca/pki/private/server.key"
 						}
 					]
 				}
 			}
 		},
 		{
 			"listen": "127.0.0.1",
 			"port": 10085,
 			"protocol": "dokodemo-door",
 			"settings": {
 				"address": "127.0.0.1"
 			},
 			"tag": "api"
 		}
 	],
 	"outbounds": [
 		{
 			"protocol": "freedom",
 			"settings": {
 				"userLevel": 0
 			},
 			"tag": "direct"
 		}
 	],
 	"routing": {
 		"rules": [
 			{
 				"type": "field",
 				"inboundTag": [
 					"Vmess-In1"
 				],
 				"outboundTag": "WH-Lan1",
 				"domain": [
 					"full:WH-Lan1"
 				]
 			},
 			{
 				"inboundTag": [
 					"api"
 				],
 				"outboundTag": "api",
 				"type": "field"
 			}
 		]
 	},
 	"reverse": {
 		"portals": [
 			{
 				"tag": "WH-Lan1",
 				"domain": "WH-Lan1"
 			}
 		]
 	},
 	"stats": {},
 	"api": {
 		"tag": "api",
 		"services": [
 			"HandlerService",
 			"LoggerService",
 			"StatsService"
 		]
 	},
 	"policy": {
 		"levels": {
 			"0": {
 				"uplinkOnly": 0,
 				"downlinkOnly": 0,
 				"bufferSize": 512,
 				"connIdle": 1200,
 				"statsUserUplink": true,
 				"statsUserDownlink": true
 			}
 		},
 		"system": {
 			"statsInboundUplink": true,
 			"statsInboundDownlink": true
 		}
 	}
 }