mptcp/openmptcprouter-vps
1
0
Fork 0
mirror of https://github.com/Ysurac/openmptcprouter-vps.git synced 2025-02-12 11:21:56 +00:00
Code Issues Releases Wiki Activity

Update omr-admin API, add gre-tunnel and lan-routes as options, add OpenVPN to fail2ban

Browse source
This commit is contained in:
Ycarus (Yannick Chabanois) 2024-08-09 15:35:17 +00:00
parent 5abd262382
commit b76adb8a24
4 changed files with 59 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

35
debian9-x86_64.sh
View file

@ -47,6 +47,7 @@ if [ "$KERNEL" != "5.4" ]; then
fi fi
NOINTERNET=${NOINTERNET:-no} NOINTERNET=${NOINTERNET:-no}
GRETUNNELS=${GRETUNNELS:-yes} GRETUNNELS=${GRETUNNELS:-yes}
LANROUTES=${LANROUTES:-yes}
REINSTALL=${REINSTALL:-yes} REINSTALL=${REINSTALL:-yes}
SPEEDTEST=${SPEEDTEST:-yes} SPEEDTEST=${SPEEDTEST:-yes}
IPERF=${IPERF:-yes} IPERF=${IPERF:-yes}
@ -77,8 +78,8 @@ MLVPN_BINARY_VERSION="3.0.0+20211028.git.ddafba3"
UBOND_VERSION="31af0f69ebb6d07ed9348dca2fced33b956cedee" UBOND_VERSION="31af0f69ebb6d07ed9348dca2fced33b956cedee"
OBFS_VERSION="486bebd9208539058e57e23a12f23103016e09b4" OBFS_VERSION="486bebd9208539058e57e23a12f23103016e09b4"
OBFS_BINARY_VERSION="0.0.5-1" OBFS_BINARY_VERSION="0.0.5-1"
OMR_ADMIN_VERSION="9e86294e416ad7bdc812a941c7cc89f97b90315d" OMR_ADMIN_VERSION="24030b76868296c5869cfa8a032fd43c7d60df39"
OMR_ADMIN_BINARY_VERSION="0.12+20240725" OMR_ADMIN_BINARY_VERSION="0.12+20240802"
#OMR_ADMIN_BINARY_VERSION="0.3+20220827" #OMR_ADMIN_BINARY_VERSION="0.3+20220827"
DSVPN_VERSION="3b99d2ef6c02b2ef68b5784bec8adfdd55b29b1a" DSVPN_VERSION="3b99d2ef6c02b2ef68b5784bec8adfdd55b29b1a"
DSVPN_BINARY_VERSION="0.1.4-2" DSVPN_BINARY_VERSION="0.1.4-2"
@ -835,10 +836,18 @@ if [ "$OMR_ADMIN" = "yes" ]; then
sed -i "s:AdminMySecretKey:$OMR_ADMIN_PASS_ADMIN:g" /etc/openmptcprouter-vps-admin/omr-admin-config.json sed -i "s:AdminMySecretKey:$OMR_ADMIN_PASS_ADMIN:g" /etc/openmptcprouter-vps-admin/omr-admin-config.json
sed -i "s:MySecretKey:$OMR_ADMIN_PASS:g" /etc/openmptcprouter-vps-admin/omr-admin-config.json sed -i "s:MySecretKey:$OMR_ADMIN_PASS:g" /etc/openmptcprouter-vps-admin/omr-admin-config.json
[ "$NOINTERNET" = "yes" ] && { [ "$NOINTERNET" = "yes" ] && {
sed -i 's/"port": 65500,/"port": 65500,\n "internet": false,/' /etc/openmptcprouter-vps-admin/omr-admin-config.json jq '. + {internet: false}' omr-admin-config.json > omr-admin-config.json.tmp
mv omr-admin-config.json.tmp omr-admin-config.json
#sed -i 's/"port": 65500,/"port": 65500,\n "internet": false,/' /etc/openmptcprouter-vps-admin/omr-admin-config.json
} }
[ "$GRETUNNELS" = "no" ] && { [ "$GRETUNNELS" = "no" ] && {
sed -i 's/"port": 65500,/"port": 65500,\n "gre_tunnels": false,/' /etc/openmptcprouter-vps-admin/omr-admin-config.json jq '. + {gre_tunnels: false}' omr-admin-config.json > omr-admin-config.json.tmp
mv omr-admin-config.json.tmp omr-admin-config.json
#sed -i 's/"port": 65500,/"port": 65500,\n "gre_tunnels": false,/' /etc/openmptcprouter-vps-admin/omr-admin-config.json
}
[ "$LANROUTES" = "no" ] && {
jq '. + {lan_routes: false}' omr-admin-config.json > omr-admin-config.json.tmp
mv omr-admin-config.json.tmp omr-admin-config.json
} }
chmod 644 /lib/systemd/system/omr-admin.service chmod 644 /lib/systemd/system/omr-admin.service
#chmod 644 /lib/systemd/system/omr-admin-ipv6.service #chmod 644 /lib/systemd/system/omr-admin-ipv6.service
@ -1380,6 +1389,7 @@ if [ "$FAIL2BAN" = "yes" ]; then
apt-get -y install fail2ban apt-get -y install fail2ban
systemctl enable fail2ban systemctl enable fail2ban
wget -O /etc/fail2ban/jail.d/openmptcprouter.conf ${VPSURL}${VPSPATH}/fail2ban-jail-openmptcprouter.conf wget -O /etc/fail2ban/jail.d/openmptcprouter.conf ${VPSURL}${VPSPATH}/fail2ban-jail-openmptcprouter.conf
wget -O /etc/fail2ban/filter.d/openmptcprouter.conf ${VPSURL}${VPSPATH}/fail2ban-filter-openvpn.conf
echo "Install Fail2ban done" echo "Install Fail2ban done"
fi fi
@ -1767,8 +1777,10 @@ if [ "$update" = "0" ]; then
fi fi
tar xzf /etc/shorewall/openmptcprouter-shorewall.tar.gz -C /etc/shorewall tar xzf /etc/shorewall/openmptcprouter-shorewall.tar.gz -C /etc/shorewall
rm /etc/shorewall/openmptcprouter-shorewall.tar.gz rm /etc/shorewall/openmptcprouter-shorewall.tar.gz
sed -i "s:eth0:$INTERFACE:g" /etc/shorewall/* if [ -n "$INTERFACE" ]; then
systemctl enable shorewall sed -i "s:eth0:$INTERFACE:g" /etc/shorewall/*
systemctl enable shorewall
fi
if [ "$LOCALFILES" = "no" ]; then if [ "$LOCALFILES" = "no" ]; then
wget -O /etc/shorewall6/openmptcprouter-shorewall6.tar.gz ${VPSURL}${VPSPATH}/openmptcprouter-shorewall6.tar.gz wget -O /etc/shorewall6/openmptcprouter-shorewall6.tar.gz ${VPSURL}${VPSPATH}/openmptcprouter-shorewall6.tar.gz
else else
@ -1776,8 +1788,10 @@ if [ "$update" = "0" ]; then
fi fi
tar xzf /etc/shorewall6/openmptcprouter-shorewall6.tar.gz -C /etc/shorewall6 tar xzf /etc/shorewall6/openmptcprouter-shorewall6.tar.gz -C /etc/shorewall6
rm /etc/shorewall6/openmptcprouter-shorewall6.tar.gz rm /etc/shorewall6/openmptcprouter-shorewall6.tar.gz
sed -i "s:eth0:$INTERFACE6:g" /etc/shorewall6/* if [ -n "$INTERFACE6" ]; then
systemctl enable shorewall6 sed -i "s:eth0:$INTERFACE6:g" /etc/shorewall6/*
systemctl enable shorewall6
fi
else else
# Update only needed firewall files # Update only needed firewall files
if [ "$LOCALFILES" = "no" ]; then if [ "$LOCALFILES" = "no" ]; then
@ -2117,10 +2131,11 @@ else
# fi # fi
echo 'done' echo 'done'
echo 'Restarting shorewall...' echo 'Restarting shorewall...'
systemctl -q restart shorewall [ -n "$INTERFACE" ] && systemctl -q restart shorewall >/dev/null 2>&1 || true
systemctl -q restart shorewall6 [ -n "$INTERFACE6" ] && systemctl -q restart shorewall6 >/dev/null 2>&1 || true
echo 'done' echo 'done'
echo '====================================================================================' echo '===================================================================================='
echo '\033[1m /!\ You need to reboot to use latest MPTCP kernel /!\ \033[0m' echo '\033[1m /!\ You need to reboot to use latest MPTCP kernel /!\ \033[0m'
echo '====================================================================================' echo '===================================================================================='
fi fi
exit 0

10
fail2ban-filter-openvpn.conf Normal file
View file

@ -0,0 +1,10 @@
[INCLUDES]
before = common.conf
[Definition]
_daemon = ovpn-server
failregex =%(__prefix_line)s<HOST>:[0-9]{4,5} TLS Auth Error:.*
%(__prefix_line)s<HOST>:[0-9]{4,5} VERIFY ERROR:.*
%(__prefix_line)s<HOST>:[0-9]{4,5} TLS Error: TLS handshake failed.*
%(__prefix_line)sTLS Error: cannot locate HMAC in incoming packet from \[AF_INET\]<HOST>:[0-9]{4,5}
maxlines = 1

15
fail2ban-jail-openmptcprouter.conf
View file

@ -4,3 +4,18 @@ banaction = shorewall
[sshd] [sshd]
enabled = true enabled = true
[openvpn_tcp]
enabled = true
port = 65301
protocol = tcp
filter = openvpn
maxretry = 5
[openvpn_udp]
enabled = true
port = 65301
protocol = udp
filter = openvpn
maxretry = 5

11
omr-service
View file

@ -114,12 +114,15 @@ _lan_route() {
while IFS=$"\n" read -r c; do while IFS=$"\n" read -r c; do
if [ -n "$c" ]; then if [ -n "$c" ]; then
vpnremoteip=$(echo "$c" | jq -r '.vpnremoteip') vpnremoteip=$(echo "$c" | jq -r '.vpnremoteip')
username=$(echo "$c" | jq -r '.username')
if [ -n "$vpnremoteip" ] && [ "$vpnremoteip" != "null" ]; then if [ -n "$vpnremoteip" ] && [ "$vpnremoteip" != "null" ]; then
echo "$c" | jq -c -r '.lanips[]? //empty' | echo "$c" | jq -c -r '.lanips[]? //empty' |
while IFS=$"\n" read -r d; do while IFS=$"\n" read -r d; do
if [ "$d" != "" ]; then if [ "$d" != "" ]; then
network=$(ipcalc -n $d | grep Network | awk '{print $2}') network=$(ipcalc -n $d | grep Network | awk '{print $2}')
netmask=$(ipcalc -n $d | grep Netmask | awk '{print $2}')
[ -n "$network" ] && [ -z "$(ip r show $network via $vpnremoteip)" ] && ip r replace $network via $vpnremoteip >/dev/null 2>&1 [ -n "$network" ] && [ -z "$(ip r show $network via $vpnremoteip)" ] && ip r replace $network via $vpnremoteip >/dev/null 2>&1
[ -n "$network" ] && [ -n "$netmask" ] && [ -z "$(grep ${network} /etc/openvpn/cdd/${username})" ] && echo "iroute $network $netmask" >> /etc/openvpn/ccd/${username}
fi fi
done done
fi fi
@ -178,6 +181,10 @@ ip link add omr-bonding type bond >/dev/null 2>&1
#[ -n "$(uname -r | grep '6.1')" ] && { #[ -n "$(uname -r | grep '6.1')" ] && {
# stap -g /usr/share/systemtap-mptcp/mptcp-app.stap 2>&1 & # stap -g /usr/share/systemtap-mptcp/mptcp-app.stap 2>&1 &
#} #}
gre_tunnels="$(jq -c '.gre_tunnels' /etc/openmptcprouter-vps-admin/omr-admin-config.json)"
lan_routes="$(jq -c '.lan_routes' /etc/openmptcprouter-vps-admin/omr-admin-config.json)"
while true; do while true; do
_glorytun_udp _glorytun_udp
_glorytun_tcp _glorytun_tcp
@ -189,8 +196,8 @@ while true; do
_wireguard _wireguard
_multipath _multipath
_omr_api _omr_api
_lan_route [ "$lan_routes" != "false" ] && _lan_route
_gre_tunnels [ "$gre_tunnels" != "false" ] && _gre_tunnels
_openvpn_bonding _openvpn_bonding
sleep 10 sleep 10
done done