From dcf20947f2fa16134f7783f28b8b922152c56858 Mon Sep 17 00:00:00 2001
From: "Ycarus (Yannick Chabanois)"
Date: Fri, 4 May 2018 06:28:28 +0000
Subject: [PATCH] Add 6in4 support

---
 debian9-x86_64.sh | 42 +++++++++++++++++++++++++++++++---------
 glorytun-tcp@.service.in | 2 ++
 glorytun-udp-run | 18 +++++++++++++++++
 glorytun-udp.network | 16 +++++++++++++++
 glorytun-udp@.service.in | 13 +++++++++++++
 omr-6in4 | 27 ++++++++++++++++++++++++++
 shorewall6/interfaces | 4 ++--
 shorewall6/policy | 6 ++----
 shorewall6/rules | 1 +
 shorewall6/snat | 21 ++++++++++++++++++++
 shorewall6/stoppedrules | 4 ++--
 tun0.glorytun | 1 +
 tun0.glorytun-udp | 4 ++++
 13 files changed, 142 insertions(+), 17 deletions(-)
 create mode 100644 glorytun-udp-run
 create mode 100644 glorytun-udp.network
 create mode 100644 glorytun-udp@.service.in
 create mode 100755 omr-6in4
 create mode 100644 shorewall6/snat
 create mode 100644 tun0.glorytun-udp

diff --git a/debian9-x86_64.sh b/debian9-x86_64.sh
index 73aaef4..ed23d5d 100644
--- a/debian9-x86_64.sh
+++ b/debian9-x86_64.sh
@@ -5,10 +5,16 @@ GLORYTUN_PASS=${GLORYTUN_PASS:-$(od -vN "32" -An -tx1 /dev/urandom | tr '[:lowe
 NBCPU=${NBCPU:-$(grep -c '^processor' /proc/cpuinfo | tr -d "\n")}
 OBFS=${OBFS:-no}
 INTERFACE=${INTERFACE:-$(ip -o -4 route show to default | awk '{print $5}' | tr -d "\n")}
+DEBIAN_VERSION=$(sed 's/\..*//' /etc/debian_version)
 
 set -e
 umask 0022
 
+if [ $DEBIAN_VERSION -ne 9 ]; then
+ echo "This script only work with Debian Stretch (9.x)"
+ exit 1
+fi
+
 # Install mptcp kernel and shadowsocks
 apt-get update
 apt-get -y install dirmngr patch
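Review bot: The new guard `if [ $DEBIAN_VERSION -ne 9 ]; then` does not abort on Debian testing/sid, where /etc/debian_version holds a codename such as `buster/sid` rather than a number: `[` then fails with "integer expression expected" and returns 2, which `if` treats as false, so the script keeps running on exactly the releases the check is meant to exclude (the same happens when the file is missing or empty and the unquoted expansion collapses to nothing). A string comparison is robust and also fixes the grammar of the message: `if [ "$DEBIAN_VERSION" != "9" ]; then` together with `echo "This script only works with Debian Stretch (9.x)" >&2`. The `set -e` two lines above does not help here, because a failing test inside an `if` condition is never fatal.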
@@ -32,10 +38,11 @@ wget http://github.com/Ysurac/openmptcprouter-feeds/raw/master/shadowsocks-libev
 patch -p1 < 020-NOCRYPTO.patch
 apt-get -y install --no-install-recommends devscripts equivs apg libcap2-bin libpam-cap
 apt -y -t stretch-backports install libsodium-dev
-mk-build-deps --root-cmd sudo --install --tool "apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends -y"
+mk-build-deps --install --tool "apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends -y"
 dpkg-buildpackage -b -us -uc
 cd ..
 dpkg -i shadowsocks-libev_3.1.3-1_amd64.deb
+rm -r /tmp/shadowsocks-libev-3.1.3
 
 # Load OLIA Congestion module at boot time
 if ! grep -q olia /etc/modules ; then
@@ -79,13 +86,27 @@ fi
 
 # Install Glorytun UDP
 #apt-get -y install meson pkg-config ca-certificates
-#cd /root
-#wget https://github.com/angt/glorytun/releases/download/v0.0.93-mud/glorytun-0.0.93-mud.tar.gz
-#tar xzf glorytun-0.0.93-mud.tar.gz
-#cd glorytun-0.0.93-mud
+#cd /tmp
+#wget -O /tmp/glorytun-0.0.98-mud.tar.gz https://github.com/angt/glorytun/releases/download/v0.0.98-mud/glorytun-0.0.98-mud.tar.gz
+#tar xzf glorytun-0.0.98-mud.tar.gz
+#cd glorytun-0.0.98-mud
 #meson build
 #ninja -C build install
 #sed -i 's:EmitDNS=yes:EmitDNS=no:g' /lib/systemd/network/glorytun.network
+#rm /lib/systemd/system/glorytun*
+#rm /lib/systemd/network/glorytun*
+#wget -O /usr/local/bin/glorytun-run http://www.openmptcprouter.com/server/glorytun-udp-run
+#chmod 755 /usr/local/bin/glorytun-run
+#wget -O /lib/systemd/system/glorytun-udp@.service http://www.openmptcprouter.com/server/glorytun-udp%40.service.in
+#wget -O /lib/systemd/network/glorytun-udp.network http://www.openmptcprouter.com/server/glorytun-udp.network
+#mkdir -p /etc/glorytun-udp
+#wget -O /etc/glorytun-udp/tun0 http://www.openmptcprouter.com/server/tun0.glorytun-udp
+#echo "$GLORYTUN_PASS" > /etc/glorytun-udp/tun0.key
+#systemctl enable glorytun-udp@tun0.service
+#systemctl enable systemd-networkd.service
+#cd /tmp
+#rm -r /tmp/glorytun-0.0.98-mud
+
 
 # Install Glorytun TCP
 apt -t stretch-backports -y install libsodium-dev
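Review bot: The commented-out `#echo "$GLORYTUN_PASS" > /etc/glorytun-udp/tun0.key` would, if this block is enabled as-is, create the tunnel key under the script's `umask 0022`, i.e. mode 0644, readable by every local account on the VPS. Write it with a tight mode instead, e.g. `(umask 077; echo "$GLORYTUN_PASS" > /etc/glorytun-udp/tun0.key)`. The same block fetches `glorytun-run` and two systemd unit files over plain `http://` and installs the script executable in /usr/local/bin without any checksum, so a network attacker could plant code that later runs as root; switch to `https://` and verify a pinned digest before `chmod 755`. None of this is active today because every line is commented out, but the block reads as intended to be switched on later, so it is better fixed now than copied.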
@@ -101,8 +122,10 @@ make
 cp glorytun /usr/local/bin/glorytun-tcp
 wget -O /usr/local/bin/glorytun-tcp-run http://www.openmptcprouter.com/server/glorytun-tcp-run
 chmod 755 /usr/local/bin/glorytun-tcp-run
+wget -O /usr/local/bin/omr-6in4 http://www.openmptcprouter.com/server/omr-6in4
+chmod 755 /usr/local/bin/omr-6in4
 wget -O /lib/systemd/system/glorytun-tcp@.service http://www.openmptcprouter.com/server/glorytun-tcp%40.service.in
-wget -O /lib/systemd/network/glorytun.network http://www.openmptcprouter.com/server/glorytun.network
+wget -O /lib/systemd/network/glorytun-tcp.network http://www.openmptcprouter.com/server/glorytun.network
 mkdir -p /etc/glorytun-tcp
 wget -O /etc/glorytun-tcp/tun0 http://www.openmptcprouter.com/server/tun0.glorytun
 echo "$GLORYTUN_PASS" > /etc/glorytun-tcp/tun0.key
@@ -142,9 +165,9 @@ systemctl enable shorewall6
 
 # Add OpenMPTCProuter VPS script version to /etc/motd
 if grep --quiet 'OpenMPTCProuter VPS' /etc/motd; then
- sed -i 's:< OpenMPTCProuter VPS [0-9]*\.[0-9]* >:< OpenMPCTProuter VPS 0.15 >:' /etc/motd
+ sed -i 's:< OpenMPTCProuter VPS [0-9]*\.[0-9]* >:< OpenMPCTProuter VPS 0.17 >:' /etc/motd
 else
- echo '< OpenMPCTProuter VPS 0.15 >' >> /etc/motd
+ echo '< OpenMPCTProuter VPS 0.17 >' >> /etc/motd
 fi
 
 # Display important info
@@ -159,5 +182,6 @@ echo 'Glorytun port: 65001'
 echo 'Glorytun encryption: chacha20'
 echo 'Your glorytun key: '
 echo $GLORYTUN_PASS
-echo 'You need to reboot to enable MPTCP, shadowsocks, glorytun and shorewall'
+echo '================================================================================'
+echo '/!\ You need to reboot to enable MPTCP, shadowsocks, glorytun and shorewall /!\'
 echo '================================================================================'
diff --git a/glorytun-tcp@.service.in b/glorytun-tcp@.service.in
index 1d9eaa5..c433fc6 100644
--- a/glorytun-tcp@.service.in
+++ b/glorytun-tcp@.service.in
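Review bot: `wget -O /usr/local/bin/omr-6in4 http://www.openmptcprouter.com/server/omr-6in4` followed by `chmod 755 /usr/local/bin/omr-6in4` installs, over cleartext HTTP and with no integrity check, a script that the patched glorytun-tcp@.service.in then runs as root (CAP_NET_ADMIN/CAP_NET_RAW in its bounding set) on every service start; anyone who can tamper with that download path gets persistent root code execution on the VPS. The surrounding context lines share the weakness, but this hunk adds one more executable to the list, so it is the moment to move these fetches to `https://` and pin a digest, e.g. `echo "<sha256>  /usr/local/bin/omr-6in4" | sha256sum -c -` before the `chmod`. Separately, retargeting the download to `/lib/systemd/network/glorytun-tcp.network` leaves a stale `glorytun.network` behind on hosts that ran an earlier version of this script, and both files presumably match the same interface; an `rm -f /lib/systemd/network/glorytun.network` before the wget avoids the duplicate.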
@@ -6,6 +6,8 @@ After=network.target network-online.target
 Type=simple
 Restart=always
 ExecStart=/usr/local/bin/glorytun-tcp-run /etc/glorytun-tcp/%i
+ExecStartPost=/usr/local/bin/omr-6in4 /etc/glorytun-tcp/%i start
+ExecStopPost=/usr/local/bin/omr-6in4 /etc/glorytun-tcp/%i stop
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
 
 [Install]
diff --git a/glorytun-udp-run b/glorytun-udp-run
new file mode 100644
index 0000000..bc717c3
--- /dev/null
+++ b/glorytun-udp-run
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+set -e
+
+if [ ! -f "$1" ]; then
+ echo "usage: $(basename "$0") FILE"
+ exit 1
+fi
+
+. "$(readlink -f "$1")"
+
+DEV="gt${HOST:+c}-udp-$(basename "$1")"
+
+exec glorytun \
+ bin $BIND $BIND_PORT
+ ${DEV:+dev "$DEV"} \
+ ${HOST:+to "$HOST" "$PORT"} \
+ ${OPTIONS:+$OPTIONS}
diff --git a/glorytun-udp.network b/glorytun-udp.network
new file mode 100644
index 0000000..da792ab
--- /dev/null
+++ b/glorytun-udp.network
@@ -0,0 +1,16 @@
+[Match]
+Name=gt-udp-*
+
+[Network]
+Description=Glorytun server device
+Address=0.0.0.0/24
+DHCPServer=yes
+IPMasquerade=yes
+
+[DHCPServer]
+PoolOffset=2
+PoolSize=1
+EmitDNS=no
+DNS=9.9.9.9
+DefaultLeaseTimeSec=12h
+MaxLeaseTimeSec=24h
\ No newline at end of file
diff --git a/glorytun-udp@.service.in b/glorytun-udp@.service.in
new file mode 100644
index 0000000..e92201a
--- /dev/null
+++ b/glorytun-udp@.service.in
@@ -0,0 +1,13 @@
+[Unit]
+Description=Glorytun UDP on %I
+After=network.target network-online.target
+
+[Service]
+Type=simple
+Restart=always
+EnvironmentFile=/etc/glorytun-udp/%i
+ExecStart=/usr/local/bin/glorytun-run keyfile /etc/glorytun-udp/%i.key
+CapabilityBoundingSet=CAP_NET_ADMIN
+
+[Install]
+WantedBy=multi-user.target
diff --git a/omr-6in4 b/omr-6in4
new file mode 100755
index 0000000..fff6d32
--- /dev/null
+++ b/omr-6in4
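Review bot: `ExecStartPost=/usr/local/bin/omr-6in4 /etc/glorytun-tcp/%i start` is launched as soon as the `Type=simple` main process has been forked, with nothing guaranteeing that glorytun has brought its device up or that the `local 10.0.0.1` endpoint omr-6in4 uses is configured yet, and because omr-6in4 runs under `set -e`, any failing `ip` command in it fails the whole unit; with `Restart=always` a deterministic 6in4 problem turns into a restart loop that also keeps killing the TCP tunnel. If the IPv6 tunnel is meant to be best-effort, mark the step non-fatal, `ExecStartPost=-/usr/local/bin/omr-6in4 /etc/glorytun-tcp/%i start`; otherwise the script must handle every device state it can meet. Either way a comment in the unit stating which behaviour is intended would help the next reader.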
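Review bot: In the `exec glorytun \` command the line `bin $BIND $BIND_PORT` has no trailing backslash, so the command ends there and glorytun receives the word `bin` (almost certainly meant to be `bind`); the `dev`, `to` and `$OPTIONS` lines that follow are never executed because `exec` has already replaced the shell. It should read `bind "$BIND" "$BIND_PORT" \`. Note also that nothing in this script hands a key to glorytun, so a caller has to supply `keyfile …` through `$OPTIONS` or through extra arguments (for instance `shift` after the file check and append `"$@"` to the command); as written, any second argument is silently ignored.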
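Review bot: `ExecStart=/usr/local/bin/glorytun-run keyfile /etc/glorytun-udp/%i.key` passes the literal word `keyfile` as the script's `$1`, but glorytun-udp-run (which debian9-x86_64.sh installs under that name) requires `$1` to be an existing config file and exits 1 with its usage message otherwise, so the unit can never start and `Restart=always` would loop. Pass the config path instead, `ExecStart=/usr/local/bin/glorytun-run /etc/glorytun-udp/%i`, and let the run script derive the key, e.g. `keyfile "$(readlink -f "$1").key"`. `EnvironmentFile=/etc/glorytun-udp/%i` loads the same variables the script sources itself, so one of the two mechanisms is redundant and deserves a comment saying which is authoritative.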
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+set -e
+
+if [ ! -f "$1" ]; then
+ echo "usage: $(basename "$0") FILE"
+ exit 1
+fi
+
+. "$(readlink -f "$1")"
+
+if [ "$2" = "start" ]; then
+ if [ "$IPV6" = true ]; then
+ # Add IPv6 tunnel
+ if [ "$(ip link show omr-6in4 up)" ]; then
+ ip tunnel change omr-6in4 mode sit remote 10.0.0.2 local 10.0.0.1
+ else
+ ip tunnel add omr-6in4 mode sit remote 10.0.0.2 local 10.0.0.1
+ fi
+ ip link set omr-6in4 up
+ ip route replace fd00::/8 via fe80::a00:2 dev omr-6in4
+ fi
+elif [ "$(ip link show omr-6in4 up)" ]; then
+ ip route del fd00::/8 via fe80::a00:2 dev omr-6in4
+ ip link set omr-6in4 down
+ ip tunnel del omr-6in4
+fi
\ No newline at end of file
diff --git a/shorewall6/interfaces b/shorewall6/interfaces
index 4db72ad..98d5a1f 100644
--- a/shorewall6/interfaces
+++ b/shorewall6/interfaces
@@ -14,6 +14,6 @@
 ?FORMAT 2
 ###############################################################################
 #ZONE INTERFACE OPTIONS
-net eth0 dhcp,tcpflags,nosmurfs,sourceroute=0
-vpn gt-tun0 nosmurfs,tcpflags
+net eth0 dhcp,tcpflags,rpfilter,forward=1
+vpn omr-6in4 tcpflags,forward=1
 
diff --git a/shorewall6/policy b/shorewall6/policy
index 4743cf4..dd80aa7 100644
--- a/shorewall6/policy
+++ b/shorewall6/policy
@@ -13,10 +13,8 @@
 
 ###############################################################################
 #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
-vpn net ACCEPT
-vpn fw ACCEPT
-fw vpn ACCEPT
-fw net ACCEPT
+vpn all ACCEPT info
+fw all ACCEPT
 net all DROP info
 # THE FOLLOWING POLICY MUST BE LAST
 all all REJECT info
diff --git a/shorewall6/rules b/shorewall6/rules
index 5cd35d7..bddeacd 100644
--- a/shorewall6/rules
+++ b/shorewall6/rules
@@ -31,6 +31,7 @@ DNS(ACCEPT) $FW net
 # Allow Ping from/to the VPN
 #
 Ping(ACCEPT) vpn $FW
+Ping(ACCEPT) vpn net
 Ping(ACCEPT) $FW vpn
 #
 # Allow Ping from the firewall to the network
diff --git a/shorewall6/snat b/shorewall6/snat
new file mode 100644
index 0000000..b1046e4
--- /dev/null
+++ b/shorewall6/snat
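Review bot: `if [ "$(ip link show omr-6in4 up)" ]; then` tests whether the device is up, not whether it exists, so when omr-6in4 is present but down (a stop that got only part-way, a crash) the script takes the `ip tunnel add` branch, which fails with "File exists", and `set -e` aborts the start; the `elif` on the stop side has the mirror problem and leaves a down device behind. Check existence in both places instead: `if ip link show omr-6in4 >/dev/null 2>&1; then`. The script sources its config only for `$IPV6`, while the tunnel endpoints `10.0.0.2`/`10.0.0.1` and the next hop `fe80::a00:2` are hard-coded; if those are fixed by the glorytun network layout, a comment saying so (and that the client side must agree) belongs above the `ip tunnel` lines.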
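Review bot: The new `net eth0 dhcp,tcpflags,rpfilter,forward=1` drops `nosmurfs` and `sourceroute=0` from the Internet-facing interface, although the commit subject only concerns 6in4 and the other visible changes are the rename to omr-6in4 and `forward=1`; unless there is a reason, keep them: `net eth0 dhcp,tcpflags,nosmurfs,rpfilter,sourceroute=0,forward=1`. Whether the kernel accepts IPv6 source-routed packets without that option depends on the sysctl defaults in place, so if the removal is deliberate a comment should say why it is safe here.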
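Review bot: `vpn all ACCEPT info` attaches a log level to an ACCEPT policy, so every new connection from the VPN zone — all of the router's forwarded IPv6 traffic plus traffic to the firewall itself — is logged at info, which the removed explicit `vpn net`/`vpn fw` ACCEPT lines did not do; on a VPS fronting a whole site that is an unbounded log volume that can fill the disk. Drop the level (`vpn all ACCEPT`) or rate-limit it through the LIMIT:BURST column. Collapsing the four pairs into `vpn all` and `fw all` still grants exactly vpn→net, vpn→fw, fw→vpn and fw→net, so that part is behaviour-preserving.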
@@ -0,0 +1,21 @@
+#
+# Shorewall - Sample SNAT/Masqueradee File for two-interface configuration.
+# Copyright (C) 2006-2016 by the Shorewall Team
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# See the file README.txt for further details.
+#------------------------------------------------------------------------------
+# For information about entries in this file, type "man shorewall-snat"
+#
+# See http://shorewall.net/manpages/shorewall-snat.html for more information
+###########################################################################################################################################
+#ACTION SOURCE DEST PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
+#
+MASQUERADE fe80::/10,\
+ fd00::/8 eth0
+# SNAT from VPN server for all VPN clients
+SNAT(fe80::a00:1) ::/0 omr-6in4
diff --git a/shorewall6/stoppedrules b/shorewall6/stoppedrules
index cc75ac4..5d964af 100644
--- a/shorewall6/stoppedrules
+++ b/shorewall6/stoppedrules
@@ -13,6 +13,6 @@
 ###############################################################################
 #ACTION SOURCE DEST PROTO DEST SOURCE
 # PORT(S) PORT(S)
-ACCEPT gt-tun0 -
-ACCEPT - gt-tun0
+ACCEPT omr-6in4 -
+ACCEPT - omr-6in4
 
diff --git a/tun0.glorytun b/tun0.glorytun
index cdd4501..d09e345 100644
--- a/tun0.glorytun
+++ b/tun0.glorytun
@@ -2,4 +2,5 @@ PORT=65001
 DEV=tun0
 SERVER=true
 MPTCP=true
+IPV6=true
 OPTIONS="chacha20 multiqueue keepalive"
\ No newline at end of file
diff --git a/tun0.glorytun-udp b/tun0.glorytun-udp
new file mode 100644
index 0000000..a89e1a8
--- /dev/null
+++ b/tun0.glorytun-udp
@@ -0,0 +1,4 @@
+BIND=0.0.0.0
+BIND_PORT=65001
+DEV=tun0
+OPTIONS="chacha persist"
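Review bot: `MASQUERADE fe80::/10,\` / ` fd00::/8 eth0` masquerades link-local sources out of eth0; link-local addresses are not meant to be forwarded at all, and the only one this setup visibly uses is the firewall's own `fe80::a00:1` in the `SNAT(fe80::a00:1) ::/0 omr-6in4` rule below, which is locally generated rather than forwarded traffic. Unless packets sourced from fe80::/10 are really expected to arrive on omr-6in4 for forwarding, restrict the rule to the ULA range: `MASQUERADE fd00::/8 eth0`. A one-line comment above the rule naming the client prefix it NATs (omr-6in4 routes `fd00::/8` to the client) would make the intent checkable.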