Update omr-admin API, add gre-tunnel and lan-routes as options, add OpenVPN to fail2ban
parent
5abd262382
commit
b76adb8a24
4 changed files with 59 additions and 12 deletions
|
@ -47,6 +47,7 @@ if [ "$KERNEL" != "5.4" ]; then
|
|||
fi
|
||||
NOINTERNET=${NOINTERNET:-no}
|
||||
GRETUNNELS=${GRETUNNELS:-yes}
|
||||
LANROUTES=${LANROUTES:-yes}
|
||||
REINSTALL=${REINSTALL:-yes}
|
||||
SPEEDTEST=${SPEEDTEST:-yes}
|
||||
IPERF=${IPERF:-yes}
|
||||
|
@ -77,8 +78,8 @@ MLVPN_BINARY_VERSION="3.0.0+20211028.git.ddafba3"
|
|||
UBOND_VERSION="31af0f69ebb6d07ed9348dca2fced33b956cedee"
|
||||
OBFS_VERSION="486bebd9208539058e57e23a12f23103016e09b4"
|
||||
OBFS_BINARY_VERSION="0.0.5-1"
|
||||
OMR_ADMIN_VERSION="9e86294e416ad7bdc812a941c7cc89f97b90315d"
|
||||
OMR_ADMIN_BINARY_VERSION="0.12+20240725"
|
||||
OMR_ADMIN_VERSION="24030b76868296c5869cfa8a032fd43c7d60df39"
|
||||
OMR_ADMIN_BINARY_VERSION="0.12+20240802"
|
||||
#OMR_ADMIN_BINARY_VERSION="0.3+20220827"
|
||||
DSVPN_VERSION="3b99d2ef6c02b2ef68b5784bec8adfdd55b29b1a"
|
||||
DSVPN_BINARY_VERSION="0.1.4-2"
|
||||
|
@ -835,10 +836,18 @@ if [ "$OMR_ADMIN" = "yes" ]; then
|
|||
sed -i "s:AdminMySecretKey:$OMR_ADMIN_PASS_ADMIN:g" /etc/openmptcprouter-vps-admin/omr-admin-config.json
|
||||
sed -i "s:MySecretKey:$OMR_ADMIN_PASS:g" /etc/openmptcprouter-vps-admin/omr-admin-config.json
|
||||
[ "$NOINTERNET" = "yes" ] && {
|
||||
sed -i 's/"port": 65500,/"port": 65500,\n "internet": false,/' /etc/openmptcprouter-vps-admin/omr-admin-config.json
|
||||
jq '. + {internet: false}' omr-admin-config.json > omr-admin-config.json.tmp
|
||||
mv omr-admin-config.json.tmp omr-admin-config.json
|
||||
#sed -i 's/"port": 65500,/"port": 65500,\n "internet": false,/' /etc/openmptcprouter-vps-admin/omr-admin-config.json
|
||||
}
|
||||
[ "$GRETUNNELS" = "no" ] && {
|
||||
sed -i 's/"port": 65500,/"port": 65500,\n "gre_tunnels": false,/' /etc/openmptcprouter-vps-admin/omr-admin-config.json
|
||||
jq '. + {gre_tunnels: false}' omr-admin-config.json > omr-admin-config.json.tmp
|
||||
mv omr-admin-config.json.tmp omr-admin-config.json
|
||||
#sed -i 's/"port": 65500,/"port": 65500,\n "gre_tunnels": false,/' /etc/openmptcprouter-vps-admin/omr-admin-config.json
|
||||
}
|
||||
[ "$LANROUTES" = "no" ] && {
|
||||
jq '. + {lan_routes: false}' omr-admin-config.json > omr-admin-config.json.tmp
|
||||
mv omr-admin-config.json.tmp omr-admin-config.json
|
||||
}
|
||||
chmod 644 /lib/systemd/system/omr-admin.service
|
||||
#chmod 644 /lib/systemd/system/omr-admin-ipv6.service
|
||||
|
@ -1380,6 +1389,7 @@ if [ "$FAIL2BAN" = "yes" ]; then
|
|||
apt-get -y install fail2ban
|
||||
systemctl enable fail2ban
|
||||
wget -O /etc/fail2ban/jail.d/openmptcprouter.conf ${VPSURL}${VPSPATH}/fail2ban-jail-openmptcprouter.conf
|
||||
wget -O /etc/fail2ban/filter.d/openmptcprouter.conf ${VPSURL}${VPSPATH}/fail2ban-filter-openvpn.conf
|
||||
echo "Install Fail2ban done"
|
||||
fi
|
||||
|
||||
|
@ -1767,8 +1777,10 @@ if [ "$update" = "0" ]; then
|
|||
fi
|
||||
tar xzf /etc/shorewall/openmptcprouter-shorewall.tar.gz -C /etc/shorewall
|
||||
rm /etc/shorewall/openmptcprouter-shorewall.tar.gz
|
||||
if [ -n "$INTERFACE" ]; then
|
||||
sed -i "s:eth0:$INTERFACE:g" /etc/shorewall/*
|
||||
systemctl enable shorewall
|
||||
fi
|
||||
if [ "$LOCALFILES" = "no" ]; then
|
||||
wget -O /etc/shorewall6/openmptcprouter-shorewall6.tar.gz ${VPSURL}${VPSPATH}/openmptcprouter-shorewall6.tar.gz
|
||||
else
|
||||
|
@ -1776,8 +1788,10 @@ if [ "$update" = "0" ]; then
|
|||
fi
|
||||
tar xzf /etc/shorewall6/openmptcprouter-shorewall6.tar.gz -C /etc/shorewall6
|
||||
rm /etc/shorewall6/openmptcprouter-shorewall6.tar.gz
|
||||
if [ -n "$INTERFACE6" ]; then
|
||||
sed -i "s:eth0:$INTERFACE6:g" /etc/shorewall6/*
|
||||
systemctl enable shorewall6
|
||||
fi
|
||||
else
|
||||
# Update only needed firewall files
|
||||
if [ "$LOCALFILES" = "no" ]; then
|
||||
|
@ -2117,10 +2131,11 @@ else
|
|||
# fi
|
||||
echo 'done'
|
||||
echo 'Restarting shorewall...'
|
||||
systemctl -q restart shorewall
|
||||
systemctl -q restart shorewall6
|
||||
[ -n "$INTERFACE" ] && systemctl -q restart shorewall >/dev/null 2>&1 || true
|
||||
[ -n "$INTERFACE6" ] && systemctl -q restart shorewall6 >/dev/null 2>&1 || true
|
||||
echo 'done'
|
||||
echo '===================================================================================='
|
||||
echo '\033[1m /!\ You need to reboot to use latest MPTCP kernel /!\ \033[0m'
|
||||
echo '===================================================================================='
|
||||
fi
|
||||
exit 0
|
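Review bot: The new wget in the fail2ban hunk stores the OpenVPN filter as `/etc/fail2ban/filter.d/openmptcprouter.conf`, but the jails this commit adds to fail2ban-jail-openmptcprouter.conf reference `filter = openvpn`, which fail2ban resolves to `filter.d/openvpn.conf`; unless a filter by that name already exists on the host, the openvpn_tcp/openvpn_udp jails fail to load, and on some fail2ban versions a jail that fails configuration aborts loading of the remaining jails, sshd included. Save the file under the name the jails use: `wget -O /etc/fail2ban/filter.d/openvpn.conf ${VPSURL}${VPSPATH}/fail2ban-filter-openvpn.conf` (this also stops it from overwriting whatever currently ships as the openmptcprouter filter). In the omr-admin hunk, the three `jq … omr-admin-config.json > omr-admin-config.json.tmp` / `mv` pairs use a relative path while the sed lines beside them use `/etc/openmptcprouter-vps-admin/omr-admin-config.json`, so unless the script changed into that directory earlier (outside the hunk) jq operates on the wrong file, and because `mv` is not chained on jq's exit status any jq failure leaves an empty config behind. Writing `jq '. + {internet: false}' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"` with `cfg=/etc/openmptcprouter-vps-admin/omr-admin-config.json` fixes both. The enclosing `if [ "$OMR_ADMIN" = "yes" ]` block starts and ends outside the hunk.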
10
fail2ban-filter-openvpn.conf
Normal file
10
fail2ban-filter-openvpn.conf
Normal file
|
@ -0,0 +1,10 @@
|
|||
[INCLUDES]
|
||||
before = common.conf
|
||||
|
||||
[Definition]
|
||||
_daemon = ovpn-server
|
||||
failregex =%(__prefix_line)s<HOST>:[0-9]{4,5} TLS Auth Error:.*
|
||||
%(__prefix_line)s<HOST>:[0-9]{4,5} VERIFY ERROR:.*
|
||||
%(__prefix_line)s<HOST>:[0-9]{4,5} TLS Error: TLS handshake failed.*
|
||||
%(__prefix_line)sTLS Error: cannot locate HMAC in incoming packet from \[AF_INET\]<HOST>:[0-9]{4,5}
|
||||
maxlines = 1
|
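Review bot: The filter carries no comment saying which OpenVPN log lines it targets, which makes the four patterns hard to maintain; a header above `[Definition]` such as `# Bans peers the OpenVPN server logs as "<ip>:<port> TLS Auth Error", "VERIFY ERROR", "TLS handshake failed" or "cannot locate HMAC in incoming packet"` would cover it, and `_daemon = ovpn-server` deserves a note that it must match the syslog tag OpenVPN is started with. The `[0-9]{4,5}` port class never matches a connection whose source port is below 1000, a value the remote side chooses, so such failures are never counted; `[0-9]{1,5}` closes that gap. The trailing `.*` on the first three patterns adds nothing and can be dropped.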
|
@ -4,3 +4,18 @@ banaction = shorewall
|
|||
|
||||
[sshd]
|
||||
enabled = true
|
||||
|
||||
[openvpn_tcp]
|
||||
enabled = true
|
||||
port = 65301
|
||||
protocol = tcp
|
||||
filter = openvpn
|
||||
maxretry = 5
|
||||
|
||||
[openvpn_udp]
|
||||
enabled = true
|
||||
port = 65301
|
||||
protocol = udp
|
||||
filter = openvpn
|
||||
maxretry = 5
|
||||
|
||||
|
|
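Review bot: Neither `[openvpn_tcp]` nor `[openvpn_udp]` sets `logpath` or `backend`, so these jails have no log source; with fail2ban's default `backend = auto` it reports that no log file was found and does not start them, unless the distribution's jail defaults (not visible here) already select the systemd backend. Adding `backend = systemd` to both sections (the filter's `_daemon = ovpn-server` then selects the journal entries) or a `logpath` pointing at the OpenVPN log file fixes it. A one-line comment explaining why the jail is split into a tcp and a udp variant, given that both read the same log lines and use the same filter, would also help the next reader.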
11
omr-service
11
omr-service
|
@ -114,12 +114,15 @@ _lan_route() {
|
|||
while IFS=$"\n" read -r c; do
|
||||
if [ -n "$c" ]; then
|
||||
vpnremoteip=$(echo "$c" | jq -r '.vpnremoteip')
|
||||
username=$(echo "$c" | jq -r '.username')
|
||||
if [ -n "$vpnremoteip" ] && [ "$vpnremoteip" != "null" ]; then
|
||||
echo "$c" | jq -c -r '.lanips[]? //empty' |
|
||||
while IFS=$"\n" read -r d; do
|
||||
if [ "$d" != "" ]; then
|
||||
network=$(ipcalc -n $d | grep Network | awk '{print $2}')
|
||||
netmask=$(ipcalc -n $d | grep Netmask | awk '{print $2}')
|
||||
[ -n "$network" ] && [ -z "$(ip r show $network via $vpnremoteip)" ] && ip r replace $network via $vpnremoteip >/dev/null 2>&1
|
||||
[ -n "$network" ] && [ -n "$netmask" ] && [ -z "$(grep ${network} /etc/openvpn/cdd/${username})" ] && echo "iroute $network $netmask" >> /etc/openvpn/ccd/${username}
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
@ -178,6 +181,10 @@ ip link add omr-bonding type bond >/dev/null 2>&1
|
|||
#[ -n "$(uname -r | grep '6.1')" ] && {
|
||||
# stap -g /usr/share/systemtap-mptcp/mptcp-app.stap 2>&1 &
|
||||
#}
|
||||
|
||||
gre_tunnels="$(jq -c '.gre_tunnels' /etc/openmptcprouter-vps-admin/omr-admin-config.json)"
|
||||
lan_routes="$(jq -c '.lan_routes' /etc/openmptcprouter-vps-admin/omr-admin-config.json)"
|
||||
|
||||
while true; do
|
||||
_glorytun_udp
|
||||
_glorytun_tcp
|
||||
|
@ -189,8 +196,8 @@ while true; do
|
|||
_wireguard
|
||||
_multipath
|
||||
_omr_api
|
||||
_lan_route
|
||||
_gre_tunnels
|
||||
[ "$lan_routes" != "false" ] && _lan_route
|
||||
[ "$gre_tunnels" != "false" ] && _gre_tunnels
|
||||
_openvpn_bonding
|
||||
sleep 10
|
||||
done
|
||||
|
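Review bot: The new `iroute` line in `_lan_route` greps `/etc/openvpn/cdd/${username}` but appends to `/etc/openvpn/ccd/${username}`; since the `cdd` path never exists the `-z` test is always true, so a duplicate `iroute` line is appended on every pass of the 10-second main loop and the ccd file grows without bound. The path component also comes unquoted from the admin config, so a `username` value containing `/` or whitespace would write outside the ccd directory or split into several arguments; guard on it before use unless omr-admin already restricts usernames (not visible here). A corrected line is `[ -n "$network" ] && [ -n "$netmask" ] && ! grep -q -- "iroute $network $netmask" "/etc/openvpn/ccd/$username" 2>/dev/null && echo "iroute $network $netmask" >> "/etc/openvpn/ccd/$username"`, with `case "$username" in ""|*/*|.*) continue ;; esac` placed after the `username=` assignment. `_lan_route` starts and ends outside the hunk.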
|