Merge pull request #3 from Ysurac/develop

tongbu
2025-03-09 15:50:00 +00:00 · 2020-03-10 05:48:59 -07:00 · 2020-03-10 05:48:59 -07:00 · e35da806bd
commit e35da806bd
parent eacd7c20fa 4285efb8c7
15 changed files with 48 additions and 143 deletions
--- a/debian9-x86_64.sh
+++ b/debian9-x86_64.sh
@ -16,14 +16,14 @@ MLVPN_PASS=${MLVPN_PASS:-$(head -c 32 /dev/urandom | base64 -w0)}
 OPENVPN=${OPENVPN:-yes}
 DSVPN=${DSVPN:-yes}
 INTERFACE=${INTERFACE:-$(ip -o -4 route show to default | grep -m 1 -Po '(?<=dev )(\S+)' | tr -d "\n")}
-KERNEL_VERSION="4.19.80"
-KERNEL_PACKAGE_VERSION="1.6+c62d9f6"
+KERNEL_VERSION="4.19.104"
+KERNEL_PACKAGE_VERSION="1.7+b864616"
 KERNEL_RELEASE="${KERNEL_VERSION}-mptcp_${KERNEL_PACKAGE_VERSION}"
-GLORYTUN_UDP_VERSION="13703fb15fb6a225ccf2488e3680ac14331c1c9e"
+GLORYTUN_UDP_VERSION="a9408e799ddbb74b5476fba70a495770322cd327"
 #MLVPN_VERSION="8f9720978b28c1954f9f229525333547283316d2"
 MLVPN_VERSION="f45cec350a6879b8b020143a78134a022b5df2a7"
 OBFS_VERSION="486bebd9208539058e57e23a12f23103016e09b4"
-OMR_ADMIN_VERSION="9f69540b62b9919123dc39e256421ad4d55f51dc"
+OMR_ADMIN_VERSION="0bee06d21605c9d9b4494a77e71043ce432aa5c2"
 DSVPN_VERSION="3b99d2ef6c02b2ef68b5784bec8adfdd55b29b1a"
 #V2RAY_VERSION="v1.1.0"
 V2RAY_VERSION="v1.2.0-8-g59b8f4f"
@ -503,12 +503,12 @@ if [ "$OPENVPN" = "yes" ]; then
 	#	cd /etc/openvpn/server
 	#	openvpn --genkey --secret static.key
 	#fi
-	if [ "$ID" = "ubuntu" ] && [ "$VERSION_ID" = "18.04" ]; then
+	if [ "$ID" = "ubuntu" ] && [ "$VERSION_ID" = "18.04" ] && [ ! -d /etc/openvpn/ca ]; then
 		wget -O /tmp/EasyRSA-unix-v${EASYRSA_VERSION}.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v${EASYRSA_VERSION}.tgz
 		cd /tmp
 		tar xzvf EasyRSA-unix-v${EASYRSA_VERSION}.tgz
 		cd /tmp/EasyRSA-v${EASYRSA_VERSION}
-		mkdir /etc/openvpn/ca
+		mkdir -p /etc/openvpn/ca
 		cp easyrsa /etc/openvpn/ca/
 		cp openssl-easyrsa.cnf /etc/openvpn/ca/
 		cp vars.example /etc/openvpn/ca/vars
@ -570,7 +570,7 @@ fi
 echo 'Glorytun UDP'
 # Install Glorytun UDP
 if systemctl -q is-active glorytun-udp@tun0.service; then
-	systemctl -q stop glorytun-udp@tun0 > /dev/null 2>&1
+	systemctl -q stop glorytun-udp@* > /dev/null 2>&1
 fi
 rm -f /var/lib/dpkg/lock
 rm -f /var/lib/dpkg/lock-frontend
@ -648,7 +648,7 @@ fi

 # Install Glorytun TCP
 if systemctl -q is-active glorytun-tcp@tun0.service; then
-	systemctl -q stop glorytun-tcp@tun0 > /dev/null 2>&1
+	systemctl -q stop glorytun-tcp@* > /dev/null 2>&1
 fi
 if [ "$ID" = "debian" ]; then
 	if [ "$VERSION_ID" = "9" ]; then
@ -708,6 +708,7 @@ if systemctl -q is-active omr-6in4.service; then
 	systemctl -q stop omr-6in4 > /dev/null 2>&1
 	systemctl -q disable omr-6in4 > /dev/null 2>&1
 fi
+systemctl enable omr6in4@user0.service
 systemctl enable omr.service

 # Change SSH port to 65222
@ -749,6 +750,7 @@ else
 	sed -i 's:10.0.0.2:$OMR_ADDR:g' /etc/shorewall/rules
 	wget -O /etc/shorewall6/params https://www.openmptcprouter.com/${VPSPATH}/shorewall6/params
 	wget -O /etc/shorewall6/params.net https://www.openmptcprouter.com/${VPSPATH}/shorewall6/params.net
+	wget -O /etc/shorewall6/params.vpn https://www.openmptcprouter.com/${VPSPATH}/shorewall6/params.vpn
 	wget -O /etc/shorewall6/interfaces https://www.openmptcprouter.com/${VPSPATH}/shorewall6/interfaces
 	wget -O /etc/shorewall6/stoppedrules https://www.openmptcprouter.com/${VPSPATH}/shorewall6/stoppedrules
 	wget -O /etc/shorewall6/snat https://www.openmptcprouter.com/${VPSPATH}/shorewall6/snat
@ -904,18 +906,20 @@ else
 	echo 'done'
 	if [ "$MLVPN" = "yes" ]; then
 		echo 'Restarting mlvpn...'
-		systemctl -q start mlvpn@mlvpn0
+		systemctl -q restart mlvpn@mlvpn0
 		echo 'done'
 	fi
 	if [ "$DSVPN" = "yes" ]; then
 		echo 'Restarting dsvpn...'
-		systemctl -q start dsvpn-server@dsvpn0
+		systemctl -q restart dsvpn-server@* || true
 		echo 'done'
 	fi
-	echo 'Restarting glorytun and omr...'
-	systemctl -q start glorytun-tcp@tun0
-	systemctl -q start glorytun-udp@tun0
-	systemctl -q restart omr
+	echo 'Restarting glorytun...'
+	systemctl -q restart glorytun-tcp@* || true
+	systemctl -q restart glorytun-udp@* || true
+	echo 'done'
+	echo 'Restarting omr6in4...'
+	systemctl -q restart omr6in4@* || true
 	echo 'done'
 	if [ "$OPENVPN" = "yes" ]; then
 		echo 'Restarting OpenVPN'
@ -953,6 +957,9 @@ else
 	echo 'Apply latest sysctl...'
 	sysctl -p /etc/sysctl.d/90-shadowsocks.conf > /dev/null 2>&1
 	echo 'done'
+	echo 'Restarting omr...'
+	systemctl -q restart omr
+	echo 'done'
 	echo 'Restarting shadowsocks...'
 	systemctl -q restart shadowsocks-libev-manager@manager
 #	if [ $NBCPU -gt 1 ]; then
--- a/mlvpn@.service.in
+++ b/mlvpn@.service.in
@ -9,7 +9,7 @@ NotifyAccess=main
 ExecStart=/usr/local/sbin/mlvpn --config /etc/mlvpn/%i.conf --name %i --user mlvpn --quiet
 ExecReload=/bin/kill -HUP $MAINPID
 WorkingDirectory=/etc/mlvpn
-Restart=on-failure
+Restart=always

 [Install]
 WantedBy=multi-user.target
--- a/112
+++ b/112
@ -1,13 +1,5 @@
 #!/bin/bash
 # OpenMPTCProuter VPS service script
-# This script configure 6in4, multipath and firewall for current VPN
-
-if [ "$1" = "stop" ] && [ "$(ip link show omr-6in4 up 2>/dev/null)" ]; then
-	ip route del fd00::/8 via fe80::a00:2 dev omr-6in4
-	ip link set omr-6in4 down
-	ip tunnel del omr-6in4
-	exit 0
-fi

 _multipath() {
 	# Force multipath status
@ -21,109 +13,7 @@ _multipath() {
 	done
 }

-# Add IPv6 tunnel
-if [ "$(ip link show omr-6in4 up 2>/dev/null)" ]; then
-	ip tunnel change omr-6in4 mode sit remote 10.255.255.2 local 10.255.255.1
-else
-	ip tunnel add omr-6in4 mode sit remote 10.255.255.2 local 10.255.255.1
-	ip addr add fe80::a00:1/126 dev omr-6in4 >/dev/null 2>&1
-fi
-ip link set omr-6in4 up
-ip route replace fd00::/8 via fe80::a00:2 dev omr-6in4
-
-_ping() {
-	local host=$1
-	ret=$(ping -4 "${host}" \
-		-W 5 \
-		-c 1 \
-		-q
-	)
-	[ -n "$ret" ] && echo "$ret" | grep -s " 0% packet loss" > /dev/null && {
-		return
-	}
-	false
-}
-
-_ping_range() {
-	local network=$1
-	for i in {2..50} ;do 
-		_ping $network$i
-		pingr=$?
-		if $(exit $pingr); then
-			ipd=$network$i
-			return
-		fi
-	done
-	false
-}
-
 while true; do
-	source /etc/shorewall/params.vpn
-	iface=""
-	currentaddr=$(ip addr show omr-6in4 | grep link/sit | awk '{print $2}' | tr -d "\n")
-	currentpeer=$(ip addr show omr-6in4 | grep link/sit | awk '{print $4}' | tr -d "\n")
-	if [ -n "$currentpeer" ]; then
-		_ping $currentpeer
-		status=$?
-		if ! $(exit $status) || [ "$currentpeer" != "$OMR_ADDR" ]; then
-			allip_tcp=$(ip -4 addr show gt-tun0 2>/dev/null | grep inet)
-			allip_udp=$(ip -4 addr show gt-udp-tun0 2>/dev/null | grep inet)
-			[ -d "/sys/class/net/mlvpn0" ] && allip_mlvpn=$(ip -4 addr show mlvpn0 2>/dev/null | grep inet)
-			[ -d "/sys/class/net/tun0" ] && allip_openvpn=$(ip -4 addr show tun0 2>/dev/null | grep inet)
-			[ -d "/sys/class/net/dsvpn0" ] && allip_dsvpn=$(ip -4 addr show dsvpn0 2>/dev/null | grep inet)
-			if [ -f /etc/openmptcprouter-vps-admin/current-vpn ]; then
-				current_vpn="$(cat /etc/openmptcprouter-vps-admin/current-vpn)"
-				[ "$current_vpn" = "glorytun_tcp" ] && allip="$allip_tcp"
-				[ "$current_vpn" = "glorytun_udp" ] && allip="$allip_udp"
-				[ "$current_vpn" = "mlvpn" ] && allip="$allip_mlvpn"
-				[ "$current_vpn" = "openvpn" ] && allip="$allip_openvpn"
-				[ "$current_vpn" = "dsvpn" ] && allip="$allip_dsvpn"
-			fi
-			if [ -z "$allip" ]; then
-				allip="$allip_tcp
-$allip_udp
-$allip_openvpn
-$allip_dsvpn
-$allip_mlvpn"
-			fi
-			while IFS= read -r inet; do
-				ip=$(echo $inet | awk '{print $2}' | cut -d/ -f1 | tr -d "\n")
-				if [ "$ip" != "" ]; then
-					_ping_range $(echo $ip | sed 's/.1$/./' | tr -d "\n")
-					statusr=$?
-					if $(exit $statusr); then
-						_ping $ipd
-						statusp=$?
-						if $(exit $statusp); then
-							logger -t "OMR-Service" "Set new 6in4 tunnel IPs"
-							ip tunnel change omr-6in4 mode sit remote $ipd local $ip
-							echo "VPS_ADDR=$ip" > /etc/shorewall/params.vpn
-							echo "OMR_ADDR=$ipd" >> /etc/shorewall/params.vpn
-							iface=$(ip -4 addr | grep $ip/ | awk '{print $7}' | tr -d "\n")
-							echo "VPS_IFACE=$iface" >> /etc/shorewall/params.vpn
-							systemctl reload shorewall
-							_multipath
-							break
-						fi
-					fi
-				fi
-			done < <(printf '%s\n' "$allip")
-			[ -z "$iface" ] && [ -f /etc/openmptcprouter-vps-admin/current-vpn ] && {
-				logger -t "OMR-Service" "Restart Glorytun and networkd"
-				current_vpn="$(cat /etc/openmptcprouter-vps-admin/current-vpn)"
-				[ "$current_vpn" = "glorytun_tcp" ] && systemctl -q restart glorytun-tcp@tun0
-				[ "$current_vpn" = "glorytun_udp" ] && systemctl -q restart glorytun-udp@tun0
-				#systemctl -q restart systemd-networkd
-				_multipath
-				sleep 10
-			}
-		fi
-	fi
-	#result="$(curl -Isk -m 30 https://127.0.0.1:65500/status | head -n 1 | grep 405)"
-	#if [ "$result" = "" ]; then
-	#	logger -t "OMR-Service" "Restart OMR Admin"
-	#	systemctl -q restart omr-admin
-	#	sleep 10
-	#fi
+	_multipath
 	sleep 10
 done
--- a/omr6in4@.service.in
+++ b/omr6in4@.service.in
@ -5,7 +5,8 @@ After=network.target network-online.target
 [Service]
 Type=oneshot
 ExecStart=/usr/local/bin/omr-6in4-run start /etc/openmptcprouter-vps-admin/omr-6in4/%i
-ExecStop=/usr/local/bin/omr-6in4-run start /etc/openmptcprouter-vps-admin/omr-6in4/%i
+RemainAfterExit=true
+ExecStop=/usr/local/bin/omr-6in4-run stop /etc/openmptcprouter-vps-admin/omr-6in4/%i

 [Install]
 WantedBy=multi-user.target
--- a/openmptcprouter-shorewall.tar.gz
+++ b/openmptcprouter-shorewall.tar.gz
--- a/openmptcprouter-shorewall6.tar.gz
+++ b/openmptcprouter-shorewall6.tar.gz
--- a/openvpn-tun0.conf
+++ b/openvpn-tun0.conf
@ -6,6 +6,7 @@ proto tcp
 port 65301
 persist-tun
 persist-key
+reneg-sec 0
 duplicate-cn
 verb 3
 server 10.255.252.0 255.255.255.0
@ -14,7 +15,7 @@ cert /etc/openvpn/ca/pki/issued/server.crt
 key /etc/openvpn/ca/pki/private/server.key
 dh /etc/openvpn/server/dh2048.pem
 crl-verify /etc/openvpn/ca/pki/crl.pem
-keepalive 10 120
+keepalive 10 240
 sndbuf 0
 rcvbuf 0
 tls-server
--- a/openvpn-tun1.conf
+++ b/openvpn-tun1.conf
@ -4,6 +4,7 @@ proto udp
 port 65301
 persist-tun
 persist-key
+reneg-sec 0
 duplicate-cn
 #ncp-disable
 #mssfix 1300
@ -14,4 +15,4 @@ cert /etc/openvpn/ca/pki/issued/server.crt
 key /etc/openvpn/ca/pki/private/server.key
 dh /etc/openvpn/server/dh2048.pem
 crl-verify /etc/openvpn/ca/pki/crl.pem
-keepalive 10 120
+keepalive 10 240
--- a/shadowsocks-libev-manager@.service.in
+++ b/shadowsocks-libev-manager@.service.in
@ -6,7 +6,10 @@ After=network-online.target
 Type=simple
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 AmbientCapabilities=CAP_NET_BIND_SERVICE
+LimitNOFILE=99999
+LimitNPROC=99999
 ExecStart=/usr/bin/ss-manager -c /etc/shadowsocks-libev/%i.json
+Restart=always

 [Install]
 WantedBy=multi-user.target
--- a/shadowsocks.conf
+++ b/shadowsocks.conf
@ -50,6 +50,8 @@ net.core.default_qdisc = fq
 # Default conntrack is too small
 net.netfilter.nf_conntrack_max = 131072

+net.ipv4.conf.all.log_martians = 0
+
 # MPTCP settings
 net.mptcp.mptcp_checksum = 0
 net.mptcp.mptcp_syn_retries = 1
--- a/shorewall4/interfaces
+++ b/shorewall4/interfaces
@ -15,9 +15,9 @@
 ###############################################################################
 #ZONE   INTERFACE       OPTIONS
 net	$NET_IFACE	dhcp,tcpflags,routefilter,nosmurfs,sourceroute=0
-vpn	gt-tun+		nosmurfs,routefilter,tcpflags
-vpn	gt-udp-tun+	nosmurfs,routefilter,tcpflags
-vpn	mlvpn+		nosmurfs,routefilter,tcpflags
-vpn	tun+		nosmurfs,routefilter,tcpflags
-vpn	dsvpn+		nosmurfs,routefilter,tcpflags
+vpn	gt-tun+		nosmurfs,tcpflags
+vpn	gt-udp-tun+	nosmurfs,tcpflags
+vpn	mlvpn+		nosmurfs,tcpflags
+vpn	tun+		nosmurfs,tcpflags
+vpn	dsvpn+		nosmurfs,tcpflags

--- a/shorewall4/shorewall.conf
+++ b/shorewall4/shorewall.conf
@ -144,7 +144,7 @@ BASIC_FILTERS=No

 BLACKLIST="NEW,INVALID,UNTRACKED"

-CHAIN_SCRIPTS=Yes
+#CHAIN_SCRIPTS=Yes

 CLAMPMSS=No

@ -180,7 +180,7 @@ IGNOREUNKNOWNVARIABLES=No

 IMPLICIT_CONTINUE=No

-INLINE_MATCHES=No
+#INLINE_MATCHES=No

 IPSET_WARNINGS=Yes

@ -188,7 +188,7 @@ IP_FORWARDING=On

 KEEP_RT_TABLES=No

-LOAD_HELPERS_ONLY=Yes
+#LOAD_HELPERS_ONLY=Yes

 MACLIST_TABLE=filter

@ -196,13 +196,13 @@ MACLIST_TTL=

 MANGLE_ENABLED=Yes

-MAPOLDACTIONS=No
+#MAPOLDACTIONS=No

 MARK_IN_FORWARD_CHAIN=No

 MINIUPNPD=No

-MODULE_SUFFIX=ko
+#MODULE_SUFFIX=ko

 MULTICAST=No

--- a/shorewall6/interfaces
+++ b/shorewall6/interfaces
@ -15,5 +15,5 @@
 ###############################################################################
 #ZONE   INTERFACE       OPTIONS
 net	$NET_IFACE            dhcp,tcpflags,rpfilter,forward=1,routeback
-vpn	omr-6in4        tcpflags,forward=1,routeback
+vpn	omr-6in4-user+        tcpflags,forward=1,routeback

--- a/shorewall6/snat
+++ b/shorewall6/snat
@ -18,4 +18,4 @@
 MASQUERADE		fe80::/10,\
 			fd00::/8		$NET_IFACE
 # SNAT from VPN server for all VPN clients
-SNAT(fe80::a00:1)		::/0		omr-6in4
+SNAT(fe80::a00:1)		::/0		omr-6in4-user+
--- a/shorewall6/stoppedrules
+++ b/shorewall6/stoppedrules
@ -13,6 +13,6 @@
 ###############################################################################
 #ACTION         SOURCE          DEST            PROTO   DEST            SOURCE
 #                                                       PORT(S)         PORT(S)
-ACCEPT		omr-6in4	-
-ACCEPT		-		omr-6in4
+#ACCEPT		omr-6in4	-
+#ACCEPT		-		omr-6in4