diff --git a/debian/control b/debian/control
index 0da3629..72af96a 100644
--- a/debian/control
+++ b/debian/control
@@ -17,8 +17,8 @@ Depends:
 unzip,
 tracebox,
 omr-iperf3,
- omr-shadowsocks-libev (= 3.3.5-1),
- omr-vps-admin (= 0.3+20210304),
+ omr-shadowsocks-libev (= 3.3.5-2),
+ omr-vps-admin (= 0.3+20210508),
 omr-simple-obfs,
 omr-mlvpn (= 3.0.0+20201216.git.2263bab),
 omr-glorytun (= 0.3.4-4),
diff --git a/debian9-x86_64.sh b/debian9-x86_64.sh
index 9e9b397..99f120a 100755
--- a/debian9-x86_64.sh
+++ b/debian9-x86_64.sh
@@ -31,7 +31,7 @@ WIREGUARD=${WIREGUARD:-yes}
 SOURCES=${SOURCES:-no}
 NOINTERNET=${NOINTERNET:-no}
 REINSTALL=${REINSTALL:-yes}
-SPEEDTEST=${SPEEDTEST:-no}
+SPEEDTEST=${SPEEDTEST:-yes}
 LOCALFILES=${LOCALFILES:-no}
 INTERFACE=${INTERFACE:-$(ip -o -4 route show to default | grep -m 1 -Po '(?<=dev )(\S+)' | tr -d "\n")}
 KERNEL_VERSION="5.4.100"
@@ -53,8 +53,8 @@ DSVPN_BINARY_VERSION="0.1.4-2"
 V2RAY_VERSION="4.35.1"
 V2RAY_PLUGIN_VERSION="4.35.1"
 EASYRSA_VERSION="3.0.6"
-SHADOWSOCKS_VERSION="cadf278d476d0e5679c3e67390b271276a8dc54a"
-SHADOWSOCKS_BINARY_VERSION="3.3.5-1"
+SHADOWSOCKS_VERSION="bf44f710b4a0c451809279383acc847995c35ead"
+SHADOWSOCKS_BINARY_VERSION="3.3.5-2"
 DEFAULT_USER="openmptcprouter"
 VPS_DOMAIN=${VPS_DOMAIN:-$(wget -4 -qO- -T 2 http://hostname.openmptcprouter.com)}
 VPSPATH="server-test"
@@ -100,6 +100,13 @@ if [ "$ARCH" != "amd64" ]; then
 exit 1
 fi
+echo "Check virtualized environment"
+VIRT="$(systemd-detect-virt 2>/dev/null || true)"
+if [ -z "$(uname -a | grep mptcp)" ] && [ -n "$VIRT" ] && ([ "$VIRT" = "openvz" ] || [ "$VIRT" = "lxc" ] || [ "$VIRT" = "docker" ]); then
+ echo "Container are not supported: kernel can't be modified."
+ exit 1
+fi
+
 # Check if DPKG is locked and for broken packages
 #dpkg -i /dev/zero 2>/dev/null
 #if [ "$?" -eq 2 ]; then
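Review bot: In debian9-x86_64.sh, the container check added after the `$ARCH` test only stops on `openvz`, `lxc` and `docker`, so other container types that `systemd-detect-virt` can report (for example `lxc-libvirt`, `systemd-nspawn` or `podman`) fall through to the MPTCP kernel install that the error message says cannot work. If every container is meant to be refused, the tool can be asked directly: `if ! uname -a | grep -q mptcp && systemd-detect-virt -q -c 2>/dev/null; then`. That form also drops the `( … )` subshell and the redundant `[ -n "$VIRT" ]`. The check stays fail-open when `systemd-detect-virt` is missing, which deserves a one-line comment, and the message should read "Containers are not supported".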
@@ -269,6 +276,7 @@ else
 apt-get -y install linux-image-${KERNEL_VERSION}-mptcp=${KERNEL_PACKAGE_VERSION} linux-headers-${KERNEL_VERSION}-mptcp=${KERNEL_PACKAGE_VERSION}
 fi
 fi
+
 # Check if mptcp kernel is grub default kernel
 echo "Set MPTCP kernel as grub default..."
 if [ "$LOCALFILES" = "no" ]; then
@@ -280,7 +288,7 @@ fi
 rm -f /etc/grub.d/30_os-prober
 bash update-grub.sh ${KERNEL_VERSION}-mptcp
 bash update-grub.sh ${KERNEL_RELEASE}
-sed -i 's/default="1>0"/default="0"/' /boot/grub/grub.cfg 2>&1 >/dev/null
+[ -f /boot/grub/grub.cfg ] && sed -i 's/default="1>0"/default="0"/' /boot/grub/grub.cfg 2>&1 >/dev/null
 echo "Install tracebox OpenMPTCProuter edition"
 apt-get -y -o Dpkg::Options::="--force-overwrite" install tracebox
@@ -1240,9 +1248,9 @@ if [ "$TLS" = "yes" ]; then
 fi
 if [ "$SPEEDTEST" = "yes" ]; then
- if [ ! -f /usr/share/omr-server/speedtest/test.img ]; then
+ mkdir -p /usr/share/omr-server/speedtest
+ if [ ! -f /usr/share/omr-server/speedtest/test.img ] && [ "$(df /usr/share/omr-server/speedtest | awk '/[0-9]%/{print $(NF-2)}')" -gt 2000000 ]; then
 echo "Generate speedtest image..."
- mkdir -p /usr/share/omr-server/speedtest
 dd if=/dev/urandom of=/usr/share/omr-server/speedtest/test.img count=1024 bs=1048576
 echo "Done"
 fi
diff --git a/omr-service b/omr-service
index d6d751d..e1eaa5e 100755
--- a/omr-service
+++ b/omr-service
@@ -44,8 +44,15 @@ _dsvpn() {
 [ -n "$(ip -6 r show 64:ff9b::/96 dev dsvpn0)" ] && ip -6 r del 64:ff9b::/96 dev dsvpn0 2>&1 >/dev/null
 }
+_shadowsocks() {
+ [ -z "$(pgrep ss-server)" ] && {
+ logger -t "OMR-Service" "ss-server not detected, restart Shadowsocks"
+ systemctl restart shadowsocks-libev-manager@manager
+ }
+}
+
 _wireguard() {
- [ -n "$(ip a show dev wg0)" ] && ip a add 10.255.247.1/24 dev wg0 2>&1 >/dev/null
+ [ -z "$(ip a show dev wg0 | grep '10.255.247.1')" ] && ip a add 10.255.247.1/24 dev wg0 2>&1 >/dev/null
 }
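Review bot: On the new `[ -f /boot/grub/grub.cfg ] && sed …` line in debian9-x86_64.sh, `2>&1 >/dev/null` points stderr at the original stdout before stdout is redirected, so only stdout is discarded and sed's errors still reach the terminal. If the intent is to silence the command, the order should be `>/dev/null 2>&1`. The same order is used on the lines this commit adds in omr-service (`sysctl -p /etc/sysctl.d/90-shadowsocks.conf` and the `ip a add 10.255.247.1/24 dev wg0` in `_wireguard`). When grub.cfg is absent the default-entry rewrite is now skipped without a word; a message on stderr in that case would tell the operator that the MPTCP kernel may not be the boot default.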
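Review bot: In the `$SPEEDTEST` block of debian9-x86_64.sh, the free-space test parses the default `df` layout, and whenever that yields an empty string or more than one number the `[ … -gt 2000000 ]` test prints "integer expression expected" and is simply false, so the image is skipped with no explanation. `df -P` keeps each filesystem on a single line, and selecting the data row explicitly gives `[ "$(df -Pk /usr/share/omr-server/speedtest | awk 'NR==2{print $4}')" -gt 2000000 ]`. An `else` branch that echoes why test.img was not generated would help, since this commit also makes `SPEEDTEST=yes` the default. The enclosing `if [ "$SPEEDTEST" = "yes" ]` closes outside the hunk.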
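Review bot: The rewritten `_wireguard` test in omr-service no longer checks that wg0 exists: when the interface is absent `ip a show dev wg0` prints nothing on stdout, the `-z` test is true, and `ip a add` is attempted and fails on every call. Keep the existence guard and add the address test to it, e.g. `ip link show dev wg0 >/dev/null 2>&1 && ! ip -4 -o addr show dev wg0 | grep -qF ' 10.255.247.1/' && ip a add 10.255.247.1/24 dev wg0 >/dev/null 2>&1`. The unanchored `grep '10.255.247.1'` also matches addresses such as 10.255.247.10 and treats the dots as wildcards. In `_shadowsocks`, `pgrep ss-server` matches any process whose name contains that string; `pgrep -x ss-server >/dev/null` is the exact test.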
@@ -113,11 +120,13 @@ _openvpn_bonding() {
 fi
 }
+sysctl -p /etc/sysctl.d/90-shadowsocks.conf 2>&1 >/dev/null
 modprobe bonding 2>&1 >/dev/null
 ip link add omr-bonding type bond 2>&1 >/dev/null
 while true; do
 _glorytun_udp
 _glorytun_tcp
+ _shadowsocks
 _dsvpn
 _wireguard
 _multipath
diff --git a/openmptcprouter-shorewall.tar.gz b/openmptcprouter-shorewall.tar.gz
index f458408..3568414 100644
Binary files a/openmptcprouter-shorewall.tar.gz and b/openmptcprouter-shorewall.tar.gz differ
diff --git a/shadowsocks.conf b/shadowsocks.conf
index 302bbe0..5fb5da0 100644
--- a/shadowsocks.conf
+++ b/shadowsocks.conf
@@ -23,6 +23,8 @@ net.ipv4.tcp_tw_reuse = 1
 #net.ipv4.tcp_tw_recycle = 0
 # short FIN timeout
 net.ipv4.tcp_fin_timeout = 80
+# Increase max orphans
+net.ipv4.tcp_max_orphans = 16384
 # short keepalive time
 net.ipv4.tcp_keepalive_time = 7200
 # outbound port range
@@ -49,6 +51,7 @@ net.ipv4.tcp_congestion_control = cubic
 net.core.default_qdisc = fq
 # Default conntrack is too small
 net.netfilter.nf_conntrack_max = 131072
+net.netfilter.nf_conntrack_tcp_timeout_established = 86400
 net.ipv4.conf.all.log_martians = 0
 net.ipv4.conf.default.log_martians = 0
diff --git a/shorewall4/snat b/shorewall4/snat
index a240a09..8435e40 100644
--- a/shorewall4/snat
+++ b/shorewall4/snat
@@ -15,7 +15,14 @@
 ###########################################################################################################################################
 #ACTION SOURCE DEST PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
 #
-MASQUERADE 10.255.0.0/16,\
+MASQUERADE 10.255.247.0/24,\
+ 10.255.248.0/24,\
+ 10.255.250.0/24,\
+ 10.255.251.0/24,\
+ 10.255.252.0/24,\
+ 10.255.253.0/24,\
+ 10.255.254.0/24,\
+ 10.255.255.0/24,\
 169.254.0.0/16,\
 172.16.0.0/12,\
 192.168.0.0/16 $NET_IFACE
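Review bot: In omr-service, `_shadowsocks` is now called on every pass of the `while true` loop and restarts `shadowsocks-libev-manager@manager` whenever no `ss-server` process is found, which includes a server where the operator has stopped or disabled Shadowsocks on purpose. Guarding the call, for example `systemctl -q is-enabled shadowsocks-libev-manager@manager && _shadowsocks`, would keep the watchdog from overriding that choice, and a comment above the call should say why the restart is needed. The added `sysctl -p` runs without checking that /etc/sysctl.d/90-shadowsocks.conf exists, and its `net.netfilter.*` keys presumably apply only once nf_conntrack is loaded. The loop body continues outside the hunk, so the interval between restart attempts is not visible here.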
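Review bot: In the second shadowsocks.conf hunk, the new `net.netfilter.nf_conntrack_tcp_timeout_established = 86400` sits under the comment "Default conntrack is too small", which describes `nf_conntrack_max`, so the reason for the second setting is undocumented. It shortens the kernel's default established-flow timeout (432000 seconds, five days) to one day, which frees table entries sooner but also drops state for forwarded TCP flows that stay idle longer than a day. I would add a comment above the line such as `# Expire idle established TCP conntrack entries after 1 day (kernel default: 5 days)`.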
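Review bot: The replacement list in shorewall4/snat masquerades 10.255.247.0/24 through 10.255.255.0/24 but leaves out 10.255.249.0/24, and nothing in the file says whether that gap is deliberate. Any other 10.255.x.x source that the old `10.255.0.0/16` entry covered will now leave `$NET_IFACE` without source NAT unless another rule handles it. A comment above the entry naming the tunnel behind each /24 and the reason 249 is excluded would make this reviewable, e.g. `# one /24 per tunnel type; 10.255.249.0/24 is left out because <reason>`. The commit also replaces openmptcprouter-shorewall.tar.gz as an opaque binary, so it is worth confirming that the snat file inside the archive matches this one.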