diff --git a/debian9-x86_64.sh b/debian9-x86_64.sh
index 06efc7e..02702c3 100644
--- a/debian9-x86_64.sh
+++ b/debian9-x86_64.sh
@@ -16,14 +16,14 @@ MLVPN_PASS=${MLVPN_PASS:-$(head -c 32 /dev/urandom | base64 -w0)}
 OPENVPN=${OPENVPN:-yes}
 DSVPN=${DSVPN:-yes}
 INTERFACE=${INTERFACE:-$(ip -o -4 route show to default | grep -m 1 -Po '(?<=dev )(\S+)' | tr -d "\n")}
-KERNEL_VERSION="4.19.80"
-KERNEL_PACKAGE_VERSION="1.6+c62d9f6"
+KERNEL_VERSION="4.19.104"
+KERNEL_PACKAGE_VERSION="1.7+b864616"
 KERNEL_RELEASE="${KERNEL_VERSION}-mptcp_${KERNEL_PACKAGE_VERSION}"
-GLORYTUN_UDP_VERSION="13703fb15fb6a225ccf2488e3680ac14331c1c9e"
+GLORYTUN_UDP_VERSION="a9408e799ddbb74b5476fba70a495770322cd327"
 #MLVPN_VERSION="8f9720978b28c1954f9f229525333547283316d2"
 MLVPN_VERSION="f45cec350a6879b8b020143a78134a022b5df2a7"
 OBFS_VERSION="486bebd9208539058e57e23a12f23103016e09b4"
-OMR_ADMIN_VERSION="9f69540b62b9919123dc39e256421ad4d55f51dc"
+OMR_ADMIN_VERSION="0bee06d21605c9d9b4494a77e71043ce432aa5c2"
 DSVPN_VERSION="3b99d2ef6c02b2ef68b5784bec8adfdd55b29b1a"
 #V2RAY_VERSION="v1.1.0"
 V2RAY_VERSION="v1.2.0-8-g59b8f4f"
@@ -503,12 +503,12 @@ if [ "$OPENVPN" = "yes" ]; then
 # cd /etc/openvpn/server
 # openvpn --genkey --secret static.key
 #fi
- if [ "$ID" = "ubuntu" ] && [ "$VERSION_ID" = "18.04" ]; then
+ if [ "$ID" = "ubuntu" ] && [ "$VERSION_ID" = "18.04" ] && [ ! -d /etc/openvpn/ca ]; then
 wget -O /tmp/EasyRSA-unix-v${EASYRSA_VERSION}.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v${EASYRSA_VERSION}.tgz
 cd /tmp
 tar xzvf EasyRSA-unix-v${EASYRSA_VERSION}.tgz
 cd /tmp/EasyRSA-v${EASYRSA_VERSION}
- mkdir /etc/openvpn/ca
+ mkdir -p /etc/openvpn/ca
 cp easyrsa /etc/openvpn/ca/
 cp openssl-easyrsa.cnf /etc/openvpn/ca/
 cp vars.example /etc/openvpn/ca/vars
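Review bot: The easy-rsa download on the line after the changed `if` hard-codes `v3.0.6` in the release URL while the archive name is built from `${EASYRSA_VERSION}`, so the two can silently diverge, and nothing checks the tarball before `easyrsa` is copied into /etc/openvpn/ca. Use `https://github.com/OpenVPN/easy-rsa/releases/download/v${EASYRSA_VERSION}/EasyRSA-unix-v${EASYRSA_VERSION}.tgz` and verify the download against a pinned digest before extracting, e.g. `echo '<EASYRSA_SHA256_PLACEHOLDER>  /tmp/EasyRSA-unix-v${EASYRSA_VERSION}.tgz' | sha256sum -c - || exit 1`. The `cd /tmp` and `cd /tmp/EasyRSA-v${EASYRSA_VERSION}` steps also run without `|| exit`, so a failed download or extraction goes on to copy files from whatever directory the script happens to be in. The enclosing `if [ "$OPENVPN" = "yes" ]` block starts and ends outside the hunk.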
@@ -570,7 +570,7 @@ fi
 echo 'Glorytun UDP'
 # Install Glorytun UDP
 if systemctl -q is-active glorytun-udp@tun0.service; then
- systemctl -q stop glorytun-udp@tun0 > /dev/null 2>&1
+ systemctl -q stop glorytun-udp@* > /dev/null 2>&1
 fi
 rm -f /var/lib/dpkg/lock
 rm -f /var/lib/dpkg/lock-frontend
@@ -648,7 +648,7 @@ fi
 # Install Glorytun TCP
 if systemctl -q is-active glorytun-tcp@tun0.service; then
- systemctl -q stop glorytun-tcp@tun0 > /dev/null 2>&1
+ systemctl -q stop glorytun-tcp@* > /dev/null 2>&1
 fi
 if [ "$ID" = "debian" ]; then
 if [ "$VERSION_ID" = "9" ]; then
@@ -708,6 +708,7 @@ if systemctl -q is-active omr-6in4.service; then
 systemctl -q stop omr-6in4 > /dev/null 2>&1
 systemctl -q disable omr-6in4 > /dev/null 2>&1
 fi
+systemctl enable omr6in4@user0.service
 systemctl enable omr.service
 # Change SSH port to 65222
@@ -749,6 +750,7 @@ else
 sed -i 's:10.0.0.2:$OMR_ADDR:g' /etc/shorewall/rules
 wget -O /etc/shorewall6/params https://www.openmptcprouter.com/${VPSPATH}/shorewall6/params
 wget -O /etc/shorewall6/params.net https://www.openmptcprouter.com/${VPSPATH}/shorewall6/params.net
+ wget -O /etc/shorewall6/params.vpn https://www.openmptcprouter.com/${VPSPATH}/shorewall6/params.vpn
 wget -O /etc/shorewall6/interfaces https://www.openmptcprouter.com/${VPSPATH}/shorewall6/interfaces
 wget -O /etc/shorewall6/stoppedrules https://www.openmptcprouter.com/${VPSPATH}/shorewall6/stoppedrules
 wget -O /etc/shorewall6/snat https://www.openmptcprouter.com/${VPSPATH}/shorewall6/snat
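Review bot: `systemctl -q stop glorytun-udp@*` passes an unquoted glob through the shell, so if any file in the current directory matches it (an earlier hunk does `cd /tmp`) the pattern is replaced by file names before systemctl ever sees it; quote it as `systemctl -q stop 'glorytun-udp@*' > /dev/null 2>&1`. The same applies to `glorytun-tcp@*` in the hunk at line 648 and to the `dsvpn-server@*`, `glorytun-tcp@*`, `glorytun-udp@*` and `omr6in4@*` restarts in the hunk at line 904. The guard around each stop still tests only `glorytun-udp@tun0.service`, so other instances are stopped only when tun0 happens to be active; since the stop now targets every instance, the guard should use the same pattern, e.g. `if systemctl -q is-active 'glorytun-udp@*'; then`.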
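Review bot: `systemctl enable omr6in4@user0.service` only registers the instance for the next boot; nothing in this hunk starts it, and the later `systemctl -q restart omr6in4@*` in the hunk at line 904 relies on a pattern, which systemctl matches only against units that are already loaded, so on a fresh install the tunnel instance may not come up until reboot. Use `systemctl enable --now omr6in4@user0.service` here, or restart `omr6in4@user0` by name in the restart block. The old `omr-6in4.service` is still stopped and disabled just above, so both unit names coexist during the transition; a comment stating which one is current (`# omr-6in4.service is the pre-template unit; omr6in4@<instance> replaces it`) would help the next reader.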
@@ -904,18 +906,20 @@ else
 echo 'done'
 if [ "$MLVPN" = "yes" ]; then
 echo 'Restarting mlvpn...'
- systemctl -q start mlvpn@mlvpn0
+ systemctl -q restart mlvpn@mlvpn0
 echo 'done'
 fi
 if [ "$DSVPN" = "yes" ]; then
 echo 'Restarting dsvpn...'
- systemctl -q start dsvpn-server@dsvpn0
+ systemctl -q restart dsvpn-server@* || true
 echo 'done'
 fi
- echo 'Restarting glorytun and omr...'
- systemctl -q start glorytun-tcp@tun0
- systemctl -q start glorytun-udp@tun0
- systemctl -q restart omr
+ echo 'Restarting glorytun...'
+ systemctl -q restart glorytun-tcp@* || true
+ systemctl -q restart glorytun-udp@* || true
+ echo 'done'
+ echo 'Restarting omr6in4...'
+ systemctl -q restart omr6in4@* || true
 echo 'done'
 if [ "$OPENVPN" = "yes" ]; then
 echo 'Restarting OpenVPN'
@@ -953,6 +957,9 @@ else
 echo 'Apply latest sysctl...'
 sysctl -p /etc/sysctl.d/90-shadowsocks.conf > /dev/null 2>&1
 echo 'done'
+ echo 'Restarting omr...'
+ systemctl -q restart omr
+ echo 'done'
 echo 'Restarting shadowsocks...'
 systemctl -q restart shadowsocks-libev-manager@manager
 # if [ $NBCPU -gt 1 ]; then
diff --git a/mlvpn@.service.in b/mlvpn@.service.in
index 2074d75..bda7c50 100644
--- a/mlvpn@.service.in
+++ b/mlvpn@.service.in
@@ -9,7 +9,7 @@ NotifyAccess=main
 ExecStart=/usr/local/sbin/mlvpn --config /etc/mlvpn/%i.conf --name %i --user mlvpn --quiet
 ExecReload=/bin/kill -HUP $MAINPID
 WorkingDirectory=/etc/mlvpn
-Restart=on-failure
+Restart=always
 [Install]
 WantedBy=multi-user.target
diff --git a/omr-service b/omr-service
index 44f0305..c439d32 100755
--- a/omr-service
+++ b/omr-service
@@ -1,13 +1,5 @@
 #!/bin/bash
 # OpenMPTCProuter VPS service script
-# This script configure 6in4, multipath and firewall for current VPN
-
-if [ "$1" = "stop" ] && [ "$(ip link show omr-6in4 up 2>/dev/null)" ]; then
- ip route del fd00::/8 via fe80::a00:2 dev omr-6in4
- ip link set omr-6in4 down
- ip tunnel del omr-6in4
- exit 0
-fi
 _multipath() {
 # Force multipath status
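Review bot: `|| true` is added to the dsvpn, glorytun and omr6in4 restarts but not to `systemctl -q restart mlvpn@mlvpn0` a few lines earlier, and a pattern restart succeeds silently when no matching instance is loaded, so in the install output a failed or absent service is indistinguishable from a working one. Apply one policy to all of them and keep failures visible, e.g. `systemctl -q restart mlvpn@mlvpn0 || echo 'mlvpn restart failed' >&2`, and the same form for the pattern restarts. Whether `|| true` changes anything depends on the script running under `set -e`, which if set at all is outside this hunk. The `else` branch containing these lines starts and ends outside the hunk.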
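Review bot: `Restart=always` with no `RestartSec=` means an instance whose config is broken (a bad /etc/mlvpn/%i.conf, for example) is restarted at systemd's default short interval until the unit's start rate limit trips, after which it stays failed with nobody looking; add `RestartSec=5` directly under the changed line. The same applies to the `Restart=always` added to shadowsocks-libev-manager@.service.in later in this diff. A short comment above the line noting why a clean exit should also trigger a restart would record the intent behind moving away from `on-failure`.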
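Review bot: The header comment `# This script configure 6in4, multipath and firewall for current VPN` is removed together with the `stop` handling, leaving `# OpenMPTCProuter VPS service script` as the only description of a script whose remaining job appears to be the `_multipath` loop in the next hunk. Replace it with a line describing the new role and where the tunnel handling went, e.g. `# Periodically re-applies multipath status on the interfaces (_multipath); the 6in4 tunnel is now handled by omr6in4@.service via omr-6in4-run`. The `_multipath` function starts in this hunk and ends outside it.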
@@ -21,109 +13,7 @@ _multipath() {
 done
 }
-# Add IPv6 tunnel
-if [ "$(ip link show omr-6in4 up 2>/dev/null)" ]; then
- ip tunnel change omr-6in4 mode sit remote 10.255.255.2 local 10.255.255.1
-else
- ip tunnel add omr-6in4 mode sit remote 10.255.255.2 local 10.255.255.1
- ip addr add fe80::a00:1/126 dev omr-6in4 >/dev/null 2>&1
-fi
-ip link set omr-6in4 up
-ip route replace fd00::/8 via fe80::a00:2 dev omr-6in4
-
-_ping() {
- local host=$1
- ret=$(ping -4 "${host}" \
- -W 5 \
- -c 1 \
- -q
- )
- [ -n "$ret" ] && echo "$ret" | grep -s " 0% packet loss" > /dev/null && {
- return
- }
- false
-}
-
-_ping_range() {
- local network=$1
- for i in {2..50} ;do
- _ping $network$i
- pingr=$?
- if $(exit $pingr); then
- ipd=$network$i
- return
- fi
- done
- false
-}
-
 while true; do
- source /etc/shorewall/params.vpn
- iface=""
- currentaddr=$(ip addr show omr-6in4 | grep link/sit | awk '{print $2}' | tr -d "\n")
- currentpeer=$(ip addr show omr-6in4 | grep link/sit | awk '{print $4}' | tr -d "\n")
- if [ -n "$currentpeer" ]; then
- _ping $currentpeer
- status=$?
- if ! 
$(exit $status) || [ "$currentpeer" != "$OMR_ADDR" ]; then
- allip_tcp=$(ip -4 addr show gt-tun0 2>/dev/null | grep inet)
- allip_udp=$(ip -4 addr show gt-udp-tun0 2>/dev/null | grep inet)
- [ -d "/sys/class/net/mlvpn0" ] && allip_mlvpn=$(ip -4 addr show mlvpn0 2>/dev/null | grep inet)
- [ -d "/sys/class/net/tun0" ] && allip_openvpn=$(ip -4 addr show tun0 2>/dev/null | grep inet)
- [ -d "/sys/class/net/dsvpn0" ] && allip_dsvpn=$(ip -4 addr show dsvpn0 2>/dev/null | grep inet)
- if [ -f /etc/openmptcprouter-vps-admin/current-vpn ]; then
- current_vpn="$(cat /etc/openmptcprouter-vps-admin/current-vpn)"
- [ "$current_vpn" = "glorytun_tcp" ] && allip="$allip_tcp"
- [ "$current_vpn" = "glorytun_udp" ] && allip="$allip_udp"
- [ "$current_vpn" = "mlvpn" ] && allip="$allip_mlvpn"
- [ "$current_vpn" = "openvpn" ] && allip="$allip_openvpn"
- [ "$current_vpn" = "dsvpn" ] && allip="$allip_dsvpn"
- fi
- if [ -z "$allip" ]; then
- allip="$allip_tcp
-$allip_udp
-$allip_openvpn
-$allip_dsvpn
-$allip_mlvpn"
- fi
- while IFS= read -r inet; do
- ip=$(echo $inet | awk '{print $2}' | cut -d/ -f1 | tr -d "\n")
- if [ "$ip" != "" ]; then
- _ping_range $(echo $ip | sed 's/.1$/./' | tr -d "\n")
- statusr=$?
- if $(exit $statusr); then
- _ping $ipd
- statusp=$?
- if $(exit $statusp); then
- logger -t "OMR-Service" "Set new 6in4 tunnel IPs"
- ip tunnel change omr-6in4 mode sit remote $ipd local $ip
- echo "VPS_ADDR=$ip" > /etc/shorewall/params.vpn
- echo "OMR_ADDR=$ipd" >> /etc/shorewall/params.vpn
- iface=$(ip -4 addr | grep $ip/ | awk '{print $7}' | tr -d "\n")
- echo "VPS_IFACE=$iface" >> /etc/shorewall/params.vpn
- systemctl reload shorewall
- _multipath
- break
- fi
- fi
- fi
- done < <(printf '%s\n' "$allip")
- [ -z "$iface" ] && [ -f /etc/openmptcprouter-vps-admin/current-vpn ] && {
- logger -t "OMR-Service" "Restart Glorytun and networkd"
- current_vpn="$(cat /etc/openmptcprouter-vps-admin/current-vpn)"
- [ "$current_vpn" = "glorytun_tcp" ] && systemctl -q restart glorytun-tcp@tun0
- [ "$current_vpn" = "glorytun_udp" ] && systemctl -q restart glorytun-udp@tun0
- #systemctl -q restart systemd-networkd
- _multipath
- sleep 10
- }
- fi
- fi
- #result="$(curl -Isk -m 30 https://127.0.0.1:65500/status | head -n 1 | grep 405)"
- #if [ "$result" = "" ]; then
- # logger -t "OMR-Service" "Restart OMR Admin"
- # systemctl -q restart omr-admin
- # sleep 10
- #fi
+ _multipath
 sleep 10
 done
diff --git a/omr6in4@.service.in b/omr6in4@.service.in
index 71b3542..a2e9722 100644
--- a/omr6in4@.service.in
+++ b/omr6in4@.service.in
@@ -5,7 +5,8 @@ After=network.target network-online.target
 [Service]
 Type=oneshot
 ExecStart=/usr/local/bin/omr-6in4-run start /etc/openmptcprouter-vps-admin/omr-6in4/%i
-ExecStop=/usr/local/bin/omr-6in4-run start /etc/openmptcprouter-vps-admin/omr-6in4/%i
+RemainAfterExit=true
+ExecStop=/usr/local/bin/omr-6in4-run stop /etc/openmptcprouter-vps-admin/omr-6in4/%i
 [Install]
 WantedBy=multi-user.target
diff --git a/openmptcprouter-shorewall.tar.gz b/openmptcprouter-shorewall.tar.gz
index 35205d4..d8fc2a6 100644
Binary files a/openmptcprouter-shorewall.tar.gz and b/openmptcprouter-shorewall.tar.gz differ
diff --git a/openmptcprouter-shorewall6.tar.gz b/openmptcprouter-shorewall6.tar.gz
index b43e80d..2d368a8 100644
Binary files a/openmptcprouter-shorewall6.tar.gz and b/openmptcprouter-shorewall6.tar.gz differ
diff --git a/openvpn-tun0.conf b/openvpn-tun0.conf
index 2b09931..fc778d9 100644
--- a/openvpn-tun0.conf
+++ b/openvpn-tun0.conf
@@ -6,6 +6,7 @@ proto tcp
 port 65301
 persist-tun
 persist-key
+reneg-sec 0
 duplicate-cn
 verb 3
 server 10.255.252.0 255.255.255.0
@@ -14,7 +15,7 @@ cert /etc/openvpn/ca/pki/issued/server.crt
 key /etc/openvpn/ca/pki/private/server.key
 dh /etc/openvpn/server/dh2048.pem
 crl-verify /etc/openvpn/ca/pki/crl.pem
-keepalive 10 120
+keepalive 10 240
 sndbuf 0
 rcvbuf 0
 tls-server
diff --git a/openvpn-tun1.conf b/openvpn-tun1.conf
index 29daffe..a5028f6 100644
--- a/openvpn-tun1.conf
+++ b/openvpn-tun1.conf
@@ -4,6 +4,7 @@ proto udp
 port 65301
 persist-tun
 persist-key
+reneg-sec 0
 duplicate-cn
 #ncp-disable
 #mssfix 1300
@@ -14,4 +15,4 @@ cert /etc/openvpn/ca/pki/issued/server.crt
 key /etc/openvpn/ca/pki/private/server.key
 dh /etc/openvpn/server/dh2048.pem
 crl-verify /etc/openvpn/ca/pki/crl.pem
-keepalive 10 120
+keepalive 10 240
diff --git a/shadowsocks-libev-manager@.service.in b/shadowsocks-libev-manager@.service.in
index c8d60c6..3a5eaa8 100644
--- a/shadowsocks-libev-manager@.service.in
+++ b/shadowsocks-libev-manager@.service.in
@@ -6,7 +6,10 @@ After=network-online.target
 Type=simple
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 AmbientCapabilities=CAP_NET_BIND_SERVICE
+LimitNOFILE=99999
+LimitNPROC=99999
 ExecStart=/usr/bin/ss-manager -c /etc/shadowsocks-libev/%i.json
+Restart=always
 [Install]
 WantedBy=multi-user.target
\ No newline at end of file
diff --git a/shadowsocks.conf b/shadowsocks.conf
index 0325bb9..00337dc 100644
--- a/shadowsocks.conf
+++ b/shadowsocks.conf
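Review bot: `reneg-sec 0` turns off the periodic TLS renegotiation that refreshes the data-channel keys, so a single session key protects the whole lifetime of a connection instead of at most the hour OpenVPN uses by default; the same line is added to openvpn-tun1.conf later in this diff. If the goal is to stop clients stalling during renegotiation, a longer interval such as `reneg-sec 86400` keeps periodic rekeying while removing the hourly interruption, and a comment above the line stating why renegotiation was disabled would let the next maintainer revisit it. `keepalive 10 240` in the second hunk only lengthens the dead-peer timeout and is fine on its own.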
@@ -50,6 +50,8 @@ net.core.default_qdisc = fq
 # Default conntrack is too small
 net.netfilter.nf_conntrack_max = 131072
+net.ipv4.conf.all.log_martians = 0
+
 # MPTCP settings
 net.mptcp.mptcp_checksum = 0
 net.mptcp.mptcp_syn_retries = 1
diff --git a/shorewall4/interfaces b/shorewall4/interfaces
index 09e61b0..b667114 100644
--- a/shorewall4/interfaces
+++ b/shorewall4/interfaces
@@ -15,9 +15,9 @@
 ###############################################################################
 #ZONE INTERFACE OPTIONS
 net $NET_IFACE dhcp,tcpflags,routefilter,nosmurfs,sourceroute=0
-vpn gt-tun+ nosmurfs,routefilter,tcpflags
-vpn gt-udp-tun+ nosmurfs,routefilter,tcpflags
-vpn mlvpn+ nosmurfs,routefilter,tcpflags
-vpn tun+ nosmurfs,routefilter,tcpflags
-vpn dsvpn+ nosmurfs,routefilter,tcpflags
+vpn gt-tun+ nosmurfs,tcpflags
+vpn gt-udp-tun+ nosmurfs,tcpflags
+vpn mlvpn+ nosmurfs,tcpflags
+vpn tun+ nosmurfs,tcpflags
+vpn dsvpn+ nosmurfs,tcpflags
diff --git a/shorewall4/shorewall.conf b/shorewall4/shorewall.conf
index e82701f..2061a8e 100644
--- a/shorewall4/shorewall.conf
+++ b/shorewall4/shorewall.conf
@@ -144,7 +144,7 @@ BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
-CHAIN_SCRIPTS=Yes
+#CHAIN_SCRIPTS=Yes
 CLAMPMSS=No
@@ -180,7 +180,7 @@ IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
-INLINE_MATCHES=No
+#INLINE_MATCHES=No
 IPSET_WARNINGS=Yes
@@ -188,7 +188,7 @@ IP_FORWARDING=On
 KEEP_RT_TABLES=No
-LOAD_HELPERS_ONLY=Yes
+#LOAD_HELPERS_ONLY=Yes
 MACLIST_TABLE=filter
@@ -196,13 +196,13 @@ MACLIST_TTL=
 MANGLE_ENABLED=Yes
-MAPOLDACTIONS=No
+#MAPOLDACTIONS=No
 MARK_IN_FORWARD_CHAIN=No
 MINIUPNPD=No
-MODULE_SUFFIX=ko
+#MODULE_SUFFIX=ko
 MULTICAST=No
diff --git a/shorewall6/interfaces b/shorewall6/interfaces
index 8109c26..b7e0d24 100644
--- a/shorewall6/interfaces
+++ b/shorewall6/interfaces
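Review bot: `net.ipv4.conf.all.log_martians = 0` silences the kernel's record of packets arriving with a source address the routing table says is impossible, which is the one signal an operator has that spoofed traffic is entering on a tunnel; together with dropping `routefilter` from every vpn interface in shorewall4/interfaces in this same diff, spoofing from a VPN client becomes both permitted and unlogged. If the motivation is log noise from asymmetric routing over the tunnels, say so in a comment above the line, e.g. `# martian logging off: multipath/6in4 traffic is asymmetric and floods the log`, and consider leaving it on for the upstream interface. Note that `conf/all/log_martians` is OR-ed with the per-interface value, so this line alone only takes effect where the per-interface setting is also 0.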
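Review bot: Removing `routefilter` from the five `vpn` entries disables reverse-path filtering on every tunnel interface, so a VPN client can emit packets with any source address and the firewall will forward them; the `net` line above keeps `routefilter`, so the asymmetry being worked around is presumably only on the tunnel side. If strict mode breaks the multipath setup because replies legitimately leave by another interface, Shorewall's loose form `routefilter=2` (kernel rp_filter loose mode) still rejects sources that are unreachable by any route, e.g. `vpn gt-tun+ nosmurfs,routefilter=2,tcpflags`, applied to all five changed lines. A comment above the block recording why the option was dropped would stop it being silently re-added later.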
@@ -15,5 +15,5 @@
 ###############################################################################
 #ZONE INTERFACE OPTIONS
 net $NET_IFACE dhcp,tcpflags,rpfilter,forward=1,routeback
-vpn omr-6in4 tcpflags,forward=1,routeback
+vpn omr-6in4-user+ tcpflags,forward=1,routeback
diff --git a/shorewall6/snat b/shorewall6/snat
index 7468de7..ee175db 100644
--- a/shorewall6/snat
+++ b/shorewall6/snat
@@ -18,4 +18,4 @@ MASQUERADE fe80::/10,\
 fd00::/8 $NET_IFACE
 # SNAT from VPN server for all VPN clients
-SNAT(fe80::a00:1) ::/0 omr-6in4
+SNAT(fe80::a00:1) ::/0 omr-6in4-user+
diff --git a/shorewall6/stoppedrules b/shorewall6/stoppedrules
index 5d964af..7262894 100644
--- a/shorewall6/stoppedrules
+++ b/shorewall6/stoppedrules
@@ -13,6 +13,6 @@
 ###############################################################################
 #ACTION SOURCE DEST PROTO DEST SOURCE
 # PORT(S) PORT(S)
-ACCEPT omr-6in4 -
-ACCEPT - omr-6in4
+#ACCEPT omr-6in4 -
+#ACCEPT - omr-6in4
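Review bot: The two `ACCEPT` lines are commented out rather than updated to the `omr-6in4-user+` wildcard that shorewall6/interfaces and shorewall6/snat switch to in this same diff, so while the firewall is in the stopped state the tunnel interfaces are no longer accepted at all, and the remaining text still names the old `omr-6in4` interface. If blocking tunnel traffic while stopped is the intent, delete the lines instead of leaving dead config; if not, change them to `ACCEPT omr-6in4-user+ -` and `ACCEPT - omr-6in4-user+`. A one-line comment stating which of the two was chosen would settle it for the next reader.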