diff --git a/debian-x86_64.sh b/debian-x86_64.sh
new file mode 120000
index 0000000..814a06c
--- /dev/null
+++ b/debian-x86_64.sh
@@ -0,0 +1 @@
+debian9-x86_64.sh
\ No newline at end of file
diff --git a/debian.sh b/debian.sh
new file mode 120000
index 0000000..814a06c
--- /dev/null
+++ b/debian.sh
@@ -0,0 +1 @@
+debian9-x86_64.sh
\ No newline at end of file
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..db2a6a9
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,23 @@
+omr-server (0.1030) unstable; urgency=medium
+
+ * Many changes
+
+ -- OpenMPTCProuter Wed, 10 Apr 2024 19:35:34 +0200
+
+omr-server (0.1028) unstable; urgency=medium
+
+ * Many changes
+
+ -- OpenMPTCProuter Fri, 14 Oct 2022 09:02:22 +0200
+
+omr-server (0.1026) unstable; urgency=medium
+
+ * Many changes
+
+ -- OpenMPTCProuter Mon, 14 Jun 2021 07:43:42 +0200
+
+omr-server (0.1025-test) unstable; urgency=medium
+
+ * Wireguard support and fixed
+
+ -- OpenMPTCProuter Thu, 04 Mar 2021 14:36:12 +0200
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..9a03714
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+10
\ No newline at end of file
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..72af96a
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,37 @@
+Source: omr-server
+Section: net
+Priority: optional
+Maintainer: OpenMPTCProuter
+Build-Depends: debhelper (>= 10)
+X-Python-Version: >= 3.2
+Standards-Version: 0.0.1
+Homepage: https://github.com/ysurac/openmptcprouter-vps
+
+Package: omr-server
+Architecture: all
+Multi-Arch: foreign
+Depends:
+ curl,
+ rename,
+ libcurl4,
+ unzip,
+ tracebox,
+ omr-iperf3,
+ omr-shadowsocks-libev (= 3.3.5-2),
+ omr-vps-admin (= 0.3+20210508),
+ omr-simple-obfs,
+ omr-mlvpn (= 3.0.0+20201216.git.2263bab),
+ omr-glorytun (= 0.3.4-4),
+ omr-glorytun-tcp (= 0.0.35-3),
+ omr-dsvpn (= 0.1.4-2),
+ shorewall,
+ shorewall6,
+ iptables,
+ v2ray-plugin (= 4.35.1),
+ v2ray (=4.35.1),
+ linux-image-5.4.100-mptcp (= 1.18+9d3f35b),
+ ${misc:Depends}
+Provides: omr-server
+Conflicts: omr-server
+Replaces: omr-server
+Description: OpenMPTCProuter Server script
\ No newline at end of file
diff --git a/debian/postinst b/debian/postinst
new file mode 100644
index 0000000..57ee50d
--- /dev/null
+++ b/debian/postinst
@@ -0,0 +1,16 @@
+#!/bin/sh -e
+
+test $DEBIAN_SCRIPT_DEBUG && set -v -x
+
+# use debconf
+. /usr/share/debconf/confmodule
+
+sed -i -e "s/^LOCALFILES=.*$/LOCALFILES=no/" -e "s/^SOURCES=.*$/SOURCES=no/" /usr/share/omr-server/debian9-x86_64.sh
+systemctl daemon-reload
+systemctl restart omr-update
+
+db_stop
+
+#DEBHELPER#
+exit 0
+# vim:set ai et sts=2 sw=2 tw=0:
\ No newline at end of file
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..9a69cc6
--- /dev/null
+++ b/debian/rules
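Review bot: The strict `(= …)` pins in `Depends:` do not match the versions the installer script in this same commit asks for: `omr-shadowsocks-libev (= 3.3.5-2)` vs `SHADOWSOCKS_BINARY_VERSION="3.3.5-3"`, `omr-glorytun (= 0.3.4-4)` vs `GLORYTUN_UDP_BINARY_VERSION="0.3.4-5"`, `omr-glorytun-tcp (= 0.0.35-3)` vs `GLORYTUN_TCP_BINARY_VERSION="0.0.35-6"`, `omr-vps-admin (= 0.3+20210508)` vs `OMR_ADMIN_BINARY_VERSION="0.14+20250220"`, and `linux-image-5.4.100-mptcp (= 1.18+9d3f35b)` vs `KERNEL_VERSION="5.4.207"` / `KERNEL_PACKAGE_VERSION="1.22"`. With exact pins apt will hold back or refuse the newer builds the script installs, so the pins should either be relaxed to `(>= …)` or kept in sync with the script's variables at build time. `Standards-Version: 0.0.1` is not a policy version and lintian will flag it; a real value should go there.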
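Review bot: Under `#!/bin/sh -e`, `systemctl restart omr-update` aborts the postinst and leaves the package unconfigured whenever the `omr-update` unit is absent or fails to start, which is plausible on a fresh install since the unit appears to be created by the installer script rather than shipped in this package. Make it non-fatal, `systemctl restart omr-update || true`, or check that the unit exists first. The `sed -i` on `/usr/share/omr-server/debian9-x86_64.sh` is likewise unguarded, so `[ -f /usr/share/omr-server/debian9-x86_64.sh ] && sed -i …` would keep `set -e` from tripping on a partial install. `db_stop` is called although no debconf question is ever asked, so the confmodule sourcing is probably unnecessary here.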
@@ -0,0 +1,18 @@
+#!/usr/bin/make -f
+#export DH_VERBOSE = 1
+
+# Security Hardening
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
+%:
+ dh $@
+
+override_dh_auto_install:
+ mkdir -p $(CURDIR)/debian/omr-server/usr/share/omr-server
+ find . -type f -xtype f -not -iname '*/debian/*' -not -iname '*/.git/*' -exec cp '{}' "$(CURDIR)/debian/omr-server/usr/share/omr-server/{}" ';'
+ cp -r ./shorewall4 $(CURDIR)/debian/omr-server/usr/share/omr-server/
+ cp -r ./shorewall6 $(CURDIR)/debian/omr-server/usr/share/omr-server/
+ cp -r ./bin $(CURDIR)/debian/omr-server/usr/share/omr-server/
+ mkdir -p $(CURDIR)/debian/etc/openmptcprouter-vps-admin
+ touch $(CURDIR)/debian/etc/openmptcprouter-vps-admin/update-bin
+
diff --git a/debian11-x86_64.sh b/debian11-x86_64.sh
new file mode 120000
index 0000000..814a06c
--- /dev/null
+++ b/debian11-x86_64.sh
@@ -0,0 +1 @@
+debian9-x86_64.sh
\ No newline at end of file
diff --git a/debian12-x86_64.sh b/debian12-x86_64.sh
new file mode 120000
index 0000000..814a06c
--- /dev/null
+++ b/debian12-x86_64.sh
@@ -0,0 +1 @@
+debian9-x86_64.sh
\ No newline at end of file
diff --git a/debian9-x86_64.sh b/debian9-x86_64.sh
old mode 100644
new mode 100755
index d76c87e..631e431
--- a/debian9-x86_64.sh
+++ b/debian9-x86_64.sh
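Review bot: In `override_dh_auto_install`, `-not -iname '*/debian/*'` and `-not -iname '*/.git/*'` exclude nothing, because `-iname` matches only the basename and a basename never contains `/`; the whole `debian/` and `.git/` trees therefore end up copied into `usr/share/omr-server`. Use `-not -path './debian/*' -not -path './.git/*'` instead. The `cp '{}' ".../omr-server/{}"` target also assumes the destination subdirectory already exists, which the single `mkdir -p` does not guarantee for files in subfolders; `cp --parents -- '{}' "$(CURDIR)/debian/omr-server/usr/share/omr-server/"` keeps the relative path without that problem. Finally, the `mkdir -p $(CURDIR)/debian/etc/openmptcprouter-vps-admin` and `touch … /update-bin` lines write under `debian/` rather than `debian/omr-server/`, so `update-bin` is never packaged; the path presumably wants `debian/omr-server/etc/…`.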
@@ -1,20 +1,31 @@
 #!/bin/sh
 #
-# Copyright (C) 2018-2020 Ycarus (Yannick Chabanois) for OpenMPTCProuter
+# Copyright (C) 2018-2024 Ycarus (Yannick Chabanois) for OpenMPTCProuter
 #
 # This is free software, licensed under the GNU General Public License v3 or later.
 # See /LICENSE for more information.
 #
+KERNEL=${KERNEL:-6.6}
+UPSTREAM=${UPSTREAM:-no}
+[ "$UPSTREAM" = "yes" ] && KERNEL="6.1"
+UPSTREAM6=${UPSTREAM6:-no}
+[ "$UPSTREAM6" = "yes" ] && KERNEL="6.1"
 SHADOWSOCKS_PASS=${SHADOWSOCKS_PASS:-$(head -c 32 /dev/urandom | base64 -w0)}
 GLORYTUN_PASS=${GLORYTUN_PASS:-$(od -vN "32" -An -tx1 /dev/urandom | tr '[:lower:]' '[:upper:]' | tr -d " \n")}
 DSVPN_PASS=${DSVPN_PASS:-$(od -vN "32" -An -tx1 /dev/urandom | tr '[:lower:]' '[:upper:]' | tr -d " \n")}
 #NBCPU=${NBCPU:-$(nproc --all | tr -d "\n")}
 NBCPU=${NBCPU:-$(grep -c '^processor' /proc/cpuinfo | tr -d "\n")}
 OBFS=${OBFS:-yes}
-V2RAY_PLUGIN=${V2RAY_PLUGIN:-yes}
+V2RAY_PLUGIN=${V2RAY_PLUGIN:-no}
 V2RAY=${V2RAY:-yes}
 V2RAY_UUID=${V2RAY_UUID:-$(cat /proc/sys/kernel/random/uuid | tr -d "\n")}
+XRAY=${XRAY:-yes}
+XRAY_UUID=${XRAY_UUID:-$V2RAY_UUID}
+SHADOWSOCKS=${SHADOWSOCKS:-yes}
+SHADOWSOCKS_GO=${SHADOWSOCKS_GO:-yes}
+PSK=${PSK:-$(head -c 32 /dev/urandom | base64 -w0)}
+UPSK=${UPSK:-$(head -c 32 /dev/urandom | base64 -w0)}
 UPDATE_OS=${UPDATE_OS:-yes}
 UPDATE=${UPDATE:-yes}
 TLS=${TLS:-yes}
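Review bot: `[ "$UPSTREAM" = "yes" ] && KERNEL="6.1"` and the matching `UPSTREAM6` line silently overwrite a KERNEL the caller set explicitly, so `KERNEL=6.6 UPSTREAM=yes` installs 6.1 with no indication that the request was ignored. If the override is required by the upstream-MPTCP path, say so in a comment and announce it, e.g. `if [ "$UPSTREAM" = "yes" ] || [ "$UPSTREAM6" = "yes" ]; then [ "$KERNEL" = "6.1" ] || echo "UPSTREAM/UPSTREAM6=yes forces KERNEL=6.1 (was $KERNEL)"; KERNEL="6.1"; fi`; otherwise only apply it when KERNEL was left unset. `XRAY_UUID=${XRAY_UUID:-$V2RAY_UUID}` reuses one credential for both proxies, which is fine if intended but deserves a one-line comment since a reader would expect an independent value like the new `PSK`/`UPSK`. `V2RAY_UUID=$(cat /proc/sys/kernel/random/uuid | tr -d "\n")` can drop the `cat` as `$(tr -d "\n" < /proc/sys/kernel/random/uuid)`.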
@@ -26,31 +37,74 @@ MLVPN_PASS=${MLVPN_PASS:-$(head -c 32 /dev/urandom | base64 -w0)}
 UBOND=${UBOND:-no}
 UBOND_PASS=${UBOND_PASS:-$(head -c 32 /dev/urandom | base64 -w0)}
 OPENVPN=${OPENVPN:-yes}
+OPENVPN_BONDING=${OPENVPN_BONDING:-yes}
 DSVPN=${DSVPN:-yes}
-SOURCES=${SOURCES:-yes}
+WIREGUARD=${WIREGUARD:-yes}
+FAIL2BAN=${FAIL2BAN:-yes}
+SOURCES=${SOURCES:-no}
+if [ "$KERNEL" != "5.4" ]; then
+ SOURCES="yes"
+fi
 NOINTERNET=${NOINTERNET:-no}
-SPEEDTEST=${SPEEDTEST:-no}
+GRETUNNELS=${GRETUNNELS:-yes}
+LANROUTES=${LANROUTES:-yes}
+REINSTALL=${REINSTALL:-yes}
+SPEEDTEST=${SPEEDTEST:-yes}
+IPERF=${IPERF:-yes}
 LOCALFILES=${LOCALFILES:-no}
 INTERFACE=${INTERFACE:-$(ip -o -4 route show to default | grep -m 1 -Po '(?<=dev )(\S+)' | tr -d "\n")}
+INTERFACE6=${INTERFACE6:-$(ip -o -6 route show to default | grep -m 1 -Po '(?<=dev )(\S+)' | tr -d "\n")}
+[ -z "$INTERFACE6" ] && INTERFACE6="$INTERFACE"
-KERNEL_VERSION="5.4.74"
-KERNEL_PACKAGE_VERSION="1.14+9d3f35b"
+KERNEL_VERSION="5.4.207"
+KERNEL_PACKAGE_VERSION="1.22"
 KERNEL_RELEASE="${KERNEL_VERSION}-mptcp_${KERNEL_PACKAGE_VERSION}"
-GLORYTUN_UDP_VERSION="97607fdf5c6c33df512ed85190a1fd93b5f45e77"
+#if [ "$KERNEL" = "5.15" ]; then
+# KERNEL_VERSION="5.15.57"
+# KERNEL_PACKAGE_VERSION="1.6"
+# KERNEL_RELEASE="${KERNEL_VERSION}-mptcp_${KERNEL_VERSION}-${KERNEL_PACKAGE_VERSION}"
+#fi
+if [ "$KERNEL" = "6.1" ]; then
+ KERNEL_VERSION="6.1.0"
+ KERNEL_PACKAGE_VERSION="1.30"
+ KERNEL_RELEASE="${KERNEL_VERSION}-mptcp_${KERNEL_PACKAGE_VERSION}"
+fi
+GLORYTUN_UDP=${GLORYTUN_UDP:-yes}
+GLORYTUN_UDP_VERSION="23100474922259d00a8c0c4b00a0c8de89202cf9"
+GLORYTUN_UDP_BINARY_VERSION="0.3.4-5"
+GLORYTUN_TCP=${GLORYTUN_TCP:-yes}
+# Old Glorytun TCP version if sources is not enabled...
+GLORYTUN_TCP_BINARY_VERSION="0.0.35-6"
 #MLVPN_VERSION="8f9720978b28c1954f9f229525333547283316d2"
-MLVPN_VERSION="f45cec350a6879b8b020143a78134a022b5df2a7"
-UBOND_VERSION="672100fb57913ffd29caad63517e145a5974b078"
+MLVPN_VERSION="8aa1b16d843ea68734e2520e39a34cb7f3d61b2b"
+MLVPN_BINARY_VERSION="3.0.0+20211028.git.ddafba3"
+UBOND_VERSION="31af0f69ebb6d07ed9348dca2fced33b956cedee"
 OBFS_VERSION="486bebd9208539058e57e23a12f23103016e09b4"
-OMR_ADMIN_VERSION="774aceb357e989676ed9a06d411db41bdfa3bf03"
+OBFS_BINARY_VERSION="0.0.5-1"
+OMR_ADMIN_VERSION="7e98b32ebf549f87e9d20072acc80a87a562cb7d"
+OMR_ADMIN_BINARY_VERSION="0.14+20250220"
+#OMR_ADMIN_BINARY_VERSION="0.3+20220827"
 DSVPN_VERSION="3b99d2ef6c02b2ef68b5784bec8adfdd55b29b1a"
-#V2RAY_VERSION="v1.1.0"
-V2RAY_PLUGIN_VERSION="v1.4.3"
+DSVPN_BINARY_VERSION="0.1.4-2"
+V2RAY_VERSION="5.7.0"
+V2RAY_PLUGIN_VERSION="4.43.0"
+XRAY_VERSION="24.11.5"
 EASYRSA_VERSION="3.0.6"
-SHADOWSOCKS_VERSION="38871da8baf5cfa400983dcdf918397e48655203"
+#SHADOWSOCKS_VERSION="7407b214f335f0e2068a8622ef3674d868218e17"
+#if [ "$UPSTREAM" = "yes" ] || [ "$UPSTREAM6" = "yes" ]; then
+ SHADOWSOCKS_VERSION="8fc18fcba3226e31f9f2bb9e60d6be6a1837862b"
+#fi
+IPROUTE2_VERSION="29da83f89f6e1fe528c59131a01f5d43bcd0a000"
+SHADOWSOCKS_BINARY_VERSION="3.3.5-3"
+SHADOWSOCKS_GO_VERSION="1.13.0"
+DEFAULT_USER="openmptcprouter"
 VPS_DOMAIN=${VPS_DOMAIN:-$(wget -4 -qO- -T 2 http://hostname.openmptcprouter.com)}
-VPSPATH="server"
+VPSPATH="server-test"
+VPS_PUBLIC_IP=${VPS_PUBLIC_IP:-$(wget -4 -qO- -T 2 http://ip.openmptcprouter.com)}
 VPSURL="https://www.openmptcprouter.com/"
+REPO="repo.openmptcprouter.com"
+CHINA=${CHINA:-no}
-OMR_VERSION="0.1021"
+OMR_VERSION="0.1032-test"
 DIR=$( pwd ) #"
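Review bot: `VPS_DOMAIN` and the new `VPS_PUBLIC_IP` are filled from `wget -4 -qO- -T 2 http://hostname.openmptcprouter.com` and `http://ip.openmptcprouter.com` over plain HTTP with no validation of the reply, while `VPSURL` in the same hunk already uses HTTPS; anything on the path between the VPS and that host can therefore hand the installer an arbitrary hostname or address that the rest of the script presumably configures services with. Fetch both over HTTPS if the endpoints support it and sanity-check the result before use, e.g. `case "$VPS_PUBLIC_IP" in *[!0-9.]*|"") VPS_PUBLIC_IP="" ;; esac` for the IPv4 value. `SOURCES=${SOURCES:-no}` is immediately forced to `yes` for every `KERNEL` other than 5.4, so for the default kernel 6.6 the environment default is dead; if that is intended, a comment on the `if` should say so, otherwise it should only set `SOURCES` when the caller left it unset. `VPSPATH="server-test"` and `OMR_VERSION="0.1032-test"` look like development values that were committed, and the `-test` suffix also selects the `next` repository further down in this file, so they should be confirmed before release.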
@@ -63,6 +117,12 @@ export DEBIAN_FRONTEND=noninteractive
 echo "Check user..."
 if [ "$(id -u)" -ne 0 ]; then echo 'Please run as root.' >&2; exit 1; fi
+# Check Kernel
+if [ "$KERNEL" != "5.4" ] && [ "$KERNEL" != "6.1" ] && [ "$KERNEL" != "6.6" ] && [ "$KERNEL" != "6.10" ] && [ "$KERNEL" != "6.11" ] && [ "$KERNEL" != "6.12" ]; then
+ echo "Only kernels 5.4, 6.1, 6.6, 6.10 and 6.11 are currently supported"
+ exit 1
+fi
+
 # Check Linux version
 echo "Check Linux version..."
 if test -f /etc/os-release ; then
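Review bot: The new kernel check accepts `6.12` in its condition, but the message printed on failure says `Only kernels 5.4, 6.1, 6.6, 6.10 and 6.11 are currently supported`, so a user who typed an unsupported value is shown the wrong list. Keeping the list in one place avoids this, e.g. `SUPPORTED_KERNELS="5.4 6.1 6.6 6.10 6.11 6.12"` followed by `case " $SUPPORTED_KERNELS " in *" $KERNEL "*) ;; *) echo "Only kernels $SUPPORTED_KERNELS are currently supported" >&2; exit 1 ;; esac`. The `5.15` branches later in this file (the amd64 and container checks, the kernel install) can never be reached because `5.15` is rejected here, as far as this diff shows; either add it to the list or drop those branches. The message should also go to stderr like the root check just above it.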
@@ -70,24 +130,35 @@ if test -f /etc/os-release ; then
 else
 . /usr/lib/os-release
 fi
-if [ "$ID" = "debian" ] && [ "$VERSION_ID" != "9" ] && [ "$VERSION_ID" != "10" ]; then
- echo "This script only work with Debian Stretch (9.x) or Debian Buster (10.x)"
+if [ "$ID" = "debian" ] && [ "$VERSION_ID" != "9" ] && [ "$VERSION_ID" != "10" ] && [ "$VERSION_ID" != "11" ] && [ "$VERSION_ID" != "12" ]; then
+ echo "This script only work with Debian Stretch (9.x), Debian Buster (10.x), Debian Bullseye (11.x) or Debian Bookworm (12.x)"
 exit 1
-elif [ "$ID" = "ubuntu" ] && [ "$VERSION_ID" != "18.04" ] && [ "$VERSION_ID" != "19.04" ] && [ "$VERSION_ID" != "20.04" ]; then
- echo "This script only work with Ubuntu 18.04, 19.04 or 20.04"
+elif [ "$ID" = "ubuntu" ] && [ "$VERSION_ID" != "18.04" ] && [ "$VERSION_ID" != "19.04" ] && [ "$VERSION_ID" != "20.04" ] && [ "$VERSION_ID" != "22.04" ]; then
+ echo "This script only work with Ubuntu 18.04, 19.04, 20.04 or 22.04"
+ echo "Use debian when possible"
 exit 1
 elif [ "$ID" != "debian" ] && [ "$ID" != "ubuntu" ]; then
- echo "This script only work with Ubuntu 18.04, Ubuntu 19.04, Debian Stretch (9.x) or Debian Buster (10.x)"
+ echo "This script only work with Ubuntu 18.04, Ubuntu 19.04, Ubutun 20.04, Ubuntu 22.04, Debian Stretch (9.x), Debian Buster (10.x), Debian Bullseye (11.x) or Debian Bookworm (12.x)"
+ echo "Use Debian when possible"
 exit 1
 fi
 echo "Check architecture..."
 ARCH=$(dpkg --print-architecture | tr -d "\n")
-if [ "$ARCH" != "amd64" ]; then
- echo "Only x86_64 (amd64) is supported"
+if ([ "$KERNEL" = "5.4" ] || [ "$KERNEL" = "5.15" ]) && [ "$ARCH" != "amd64" ] && [ "$ID" != "debian" ]; then
+ echo "Only x86_64 (amd64) is supported on this OS"
 exit 1
 fi
+if [ "$KERNEL" = "5.4" ] || [ "$KERNEL" = "5.15" ]; then
+ echo "Check virtualized environment"
+ VIRT="$(systemd-detect-virt 2>/dev/null || true)"
+ if [ -z "$(uname -a | grep mptcp)" ] && [ -n "$VIRT" ] && ([ "$VIRT" = "openvz" ] || [ "$VIRT" = "lxc" ] || [ "$VIRT" = "docker" ]); then
+ echo "Container are not supported: kernel can't be modified."
+ exit 1
+ fi
+fi
+
 # Check if DPKG is locked and for broken packages
 #dpkg -i /dev/zero 2>/dev/null
 #if [ "$?" -eq 2 ]; then
@@ -95,10 +166,11 @@ fi
 # exit 1
 #fi
 echo "Check about broken packages..."
-apt-get check >/dev/null 2>&1
-if [ "$?" -ne 0 ]; then
- echo "E: \`apt-get check\` failed, you may have broken packages. Aborting..."
- exit 1
+if ! eval apt-get check >/dev/null 2>&1 ; then
+ if ! eval apt-get -f install -y 2>&1 ; then
+ echo "E: \`apt-get check\` failed, you may have broken packages. Aborting..."
+ exit 1
+ fi
 fi
 # Fix old string...
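Review bot: The third OS-check message has a typo, `Ubutun 20.04`, and `only work with` should read `only works with` in all three new echo lines. The amd64 check below it now fires only when `$ID` is not `debian`, yet its message still says `Only x86_64 (amd64) is supported on this OS`; if non-amd64 Debian is genuinely meant to pass, a comment on that `if` explaining why Debian is exempt would prevent the next reader from "fixing" it, otherwise the `[ "$ID" != "debian" ]` clause is a bug. Both this check and the new container check test `"$KERNEL" = "5.15"`, a value the kernel check earlier in the file rejects, so those clauses are unreachable as far as this diff shows. `[ -z "$(uname -a | grep mptcp)" ]` reads more directly as `! uname -a | grep -q mptcp`.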
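Review bot: `if ! eval apt-get check >/dev/null 2>&1 ; then` and the inner `if ! eval apt-get -f install -y 2>&1 ; then` wrap a literal command in `eval`, which adds nothing here and makes an installer that runs as root harder to audit; write them as `if ! apt-get check >/dev/null 2>&1; then` and `if ! apt-get -f install -y; then`. The inner `2>&1` with no file target merely merges stderr into stdout, so it can be dropped. Automatically running `apt-get -f install -y` where the old code aborted is a behaviour change worth a one-line comment such as `# try to repair broken dependencies before giving up`, so the next reader knows it is intentional.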
@@ -122,227 +194,612 @@ if [ "$UPDATE" = "yes" ]; then fi echo "Update mode" fi +# Force update key +#[ -f /etc/apt/sources.list.d/openmptcprouter.list ] && { +# echo "Update OpenMPTCProuter repo key" +# #wget -O - http://repo.openmptcprouter.com/openmptcprouter.gpg.key | apt-key add - +# wget https://${REPO}/openmptcprouter.gpg.key -O /etc/apt/trusted.gpg.d/openmptcprouter.gpg +#} + +CURRENT_OMR="$(grep -s 'OpenMPTCProuter VPS' /etc/* | awk '{print $4}')" +if [ "$REINSTALL" = "no" ] && [ "$CURRENT_OMR" = "$OMR_VERSION" ]; then + exit 1 +fi + +# Force update key +[ -f /etc/apt/sources.list.d/openmptcprouter.list ] && { + echo "Update ${REPO} key" + apt-key del '2FDF 70C8 228B 7F04 42FE 59F6 608F D17B 2B24 D936' >/dev/null 2>&1 + if [ "$CHINA" = "yes" ]; then + #wget -O - https://gitee.com/ysurac/openmptcprouter-vps-debian/raw/main/openmptcprouter.gpg.key | apt-key add - + wget https://gitlab.com/ysurac/openmptcprouter-vps-debian/raw/main/openmptcprouter.gpg.key -O /etc/apt/trusted.gpg.d/openmptcprouter.gpg + else + #wget -O - https://${REPO}/openmptcprouter.gpg.key | apt-key add - + wget https://${REPO}/openmptcprouter.gpg.key -O /etc/apt/trusted.gpg.d/openmptcprouter.gpg + fi +} echo "Remove lock and update packages list..." +rm -f /etc/apt/sources.list.d/xanmod* +rm -f /etc/apt/trusted.gpg.d/xanmod* + rm -f /var/lib/dpkg/lock rm -f /var/lib/dpkg/lock-frontend rm -f /var/cache/apt/archives/lock -apt-get update +rm -f /etc/apt/sources.list.d/buster-backports.list +rm -f /etc/apt/sources.list.d/stretch-backports.list +[ ! -f /etc/apt/sources.list ] && touch /etc/apt/sources.list +sed -i '/buster-backports/d' /etc/apt/sources.list +sed -i '/stretch-backports/d' /etc/apt/sources.list +if [ "$ID" = "debian" ] && [ "$VERSION_ID" = "9" ]; then + apt-get update +else + apt-get update --allow-releaseinfo-change +fi rm -f /var/lib/dpkg/lock rm -f /var/lib/dpkg/lock-frontend rm -f /var/cache/apt/archives/lock echo "Install apt-transport-https, gnupg and openssh-server..." 
-apt-get -y install apt-transport-https gnupg openssh-server +apt-get -y install apt-transport-https gnupg openssh-server libcrypt1 zstd #if [ "$ID" = "debian" ] && [ "$VERSION_ID" = "9" ] && [ "$UPDATE_DEBIAN" = "yes" ] && [ "$update" = "0" ]; then if [ "$ID" = "debian" ] && [ "$VERSION_ID" = "9" ] && [ "$UPDATE_OS" = "yes" ]; then echo "Update Debian 9 Stretch to Debian 10 Buster" - apt-get -y -f --force-yes upgrade - apt-get -y -f --force-yes dist-upgrade + apt-get -y -f --force-yes -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" --allow-downgrades upgrade + apt-get -y -f --force-yes -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" --allow-downgrades dist-upgrade sed -i 's:stretch:buster:g' /etc/apt/sources.list - apt-get update - apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" upgrade - apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade + apt-get update --allow-releaseinfo-change + apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" --allow-downgrades upgrade + apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" --allow-downgrades dist-upgrade VERSION_ID="10" fi +if [ "$ID" = "debian" ] && [ "$VERSION_ID" = "10" ] && [ "$UPDATE_OS" = "yes" ]; then + echo "Update Debian 10 Buster to Debian 11 Bullseye" + apt-get -y -f --force-yes -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" --allow-downgrades upgrade + apt-get -y -f --force-yes -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" --allow-downgrades dist-upgrade + sed -i 's:buster:bullseye:g' /etc/apt/sources.list + sed -i 's:archive:deb:g' /etc/apt/sources.list + sed -i 's:bullseye/updates:bullseye-security:g' /etc/apt/sources.list + apt-get update --allow-releaseinfo-change + apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" 
--allow-downgrades upgrade + apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" --allow-downgrades dist-upgrade + VERSION_ID="11" +fi +if [ "$ID" = "debian" ] && [ "$VERSION_ID" = "11" ] && [ "$UPDATE_OS" = "yes" ]; then + echo "Update Debian 11 Bullseye to Debian 12 Bookworm" + apt-get -y -f --force-yes -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" --allow-downgrades upgrade + apt-get -y -f --force-yes -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" --allow-downgrades dist-upgrade + sed -i 's:archive:deb:g' /etc/apt/sources.list + sed -i 's:bullseye:bookworm:g' /etc/apt/sources.list + apt-get update --allow-releaseinfo-change + apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" --allow-downgrades upgrade + apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" --allow-downgrades dist-upgrade + VERSION_ID="12" +fi if [ "$ID" = "ubuntu" ] && [ "$VERSION_ID" = "18.04" ] && [ "$UPDATE_OS" = "yes" ]; then echo "Update Ubuntu 18.04 to Ubuntu 20.04" - apt-get -y -f --force-yes upgrade - apt-get -y -f --force-yes dist-upgrade + apt-get -y -f --force-yes --allow-downgrades upgrade + apt-get -y -f --force-yes --allow-downgrades dist-upgrade sed -i 's:bionic:focal:g' /etc/apt/sources.list - apt-get update + apt-get update --allow-releaseinfo-change apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" upgrade apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade VERSION_ID="20.04" fi +if [ "$ID" = "ubuntu" ] && [ "$VERSION_ID" = "18.04" ] && [ "$UPDATE_OS" = "yes" ]; then + echo "Update Ubuntu 20.04 to Ubuntu 22.04" + apt-get -y -f --force-yes --allow-downgrades upgrade + apt-get -y -f --force-yes --allow-downgrades dist-upgrade + sed -i 's:focal:jammy:g' /etc/apt/sources.list + apt-get update --allow-releaseinfo-change + apt-get -y -o 
Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" upgrade + apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade + VERSION_ID="22.04" +fi + # Add OpenMPTCProuter repo echo "Add OpenMPTCProuter repo..." -echo 'deb [arch=amd64] https://repo.openmptcprouter.com stretch main' > /etc/apt/sources.list.d/openmptcprouter.list -cat < /etc/apt/sources.list.d/openmptcprouter.list + cat /var/lib/openmptcprouter-vps-debian/openmptcprouter.gpg.key | apt-key add - + if [ ! -d /usr/share/omr-server-git ]; then + #git clone https://gitee.com/ysurac/openmptcprouter-vps.git /usr/share/omr-server-git + git clone https://gitlab.com/ysurac/openmptcprouter-vps.git /usr/share/omr-server-git + fi + cd /usr/share/omr-server-git + git pull + if [ "$VPSPATH" = "server-test" ]; then + git checkout develop + else + git checkout master + fi + LOCALFILES="yes" + TLS="no" + DIR="/usr/share/omr-server-git" +else + echo "deb [arch=amd64] https://${REPO} buster main" > /etc/apt/sources.list.d/openmptcprouter.list + cat <<-EOF | tee /etc/apt/preferences.d/openmptcprouter.pref + Explanation: Prefer OpenMPTCProuter provided packages over the Debian native ones + Package: * + Pin: origin ${REPO} + Pin-Priority: 1001 + EOF + if [ -n "$(echo $OMR_VERSION | grep test)" ]; then + echo "deb [arch=amd64] https://${REPO} next main" > /etc/apt/sources.list.d/openmptcprouter-test.list +# cat <<-EOF | tee -a /etc/apt/preferences.d/openmptcprouter.pref +# Explanation: Prefer OpenMPTCProuter provided packages over the Debian native ones +# Package: * +# Pin: origin ${REPO} +# Pin-Priority: 1002 +# EOF + else + rm -f /etc/apt/sources.list.d/openmptcprouter-test.list + fi + if [ "$ID" = "debian" ] && ([ "$VERSION_ID" = "11" ] || [ "$VERSION_ID" = "12" ]); then + cat <<-EOF | tee -a /etc/apt/preferences.d/openmptcprouter.pref + Explanation: Prefer libuv1 Debian native package + Package: libuv1 + Pin: version * + Pin-Priority: 1003 + EOF + fi + #wget -O - 
https://${REPO}/openmptcprouter.gpg.key | apt-key add - + wget https://${REPO}/openmptcprouter.gpg.key -O /etc/apt/trusted.gpg.d/openmptcprouter.gpg +fi -# Install mptcp kernel and shadowsocks -echo "Install mptcp kernel and shadowsocks..." -apt-get update -sleep 2 -apt-get -y install dirmngr patch #apt-key adv --keyserver hkp://keys.gnupg.net --recv-keys 379CE192D401AB61 if [ "$ID" = "debian" ]; then if [ "$VERSION_ID" = "9" ]; then #echo 'deb http://dl.bintray.com/cpaasch/deb jessie main' >> /etc/apt/sources.list echo 'deb http://deb.debian.org/debian stretch-backports main' > /etc/apt/sources.list.d/stretch-backports.list fi + # Add buster-backports repo + echo 'deb http://archive.debian.org/debian buster-backports main' > /etc/apt/sources.list.d/buster-backports.list + if [ "$VERSION_ID" = "12" ]; then + echo 'deb http://deb.debian.org/debian bullseye main' > /etc/apt/sources.list.d/bullseye.list + fi elif [ "$ID" = "ubuntu" ]; then echo 'deb http://archive.ubuntu.com/ubuntu bionic-backports main' > /etc/apt/sources.list.d/bionic-backports.list echo 'deb http://archive.ubuntu.com/ubuntu bionic universe' > /etc/apt/sources.list.d/bionic-universe.list + [ "$VERSION_ID" = "22.04" ] && { + apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3B4FE6ACC0B21F32 + echo 'deb http://old-releases.ubuntu.com/ubuntu impish main universe' > /etc/apt/sources.list.d/impish-universe.list + } fi -apt-get update +# Install mptcp kernel and shadowsocks +echo "Install mptcp kernel and shadowsocks..." 
+apt-get update --allow-releaseinfo-change sleep 2 -wget -O /tmp/linux-image-${KERNEL_RELEASE}_amd64.deb ${VPSURL}kernel/linux-image-${KERNEL_RELEASE}_amd64.deb -wget -O /tmp/linux-headers-${KERNEL_RELEASE}_amd64.deb ${VPSURL}kernel/linux-headers-${KERNEL_RELEASE}_amd64.deb -# Rename bzImage to vmlinuz, needed when custom kernel was used -cd /boot -apt-get -y install rename curl libcurl4 unzip git -rename 's/^bzImage/vmlinuz/s' * >/dev/null 2>&1 -#apt-get -y install linux-mptcp -#dpkg --remove --force-remove-reinstreq linux-image-${KERNEL_VERSION}-mptcp -#dpkg --remove --force-remove-reinstreq linux-headers-${KERNEL_VERSION}-mptcp -if [ "$(dpkg -l | grep linux-image-${KERNEL_VERSION} | grep ${KERNEL_PACKAGE_VERSION})" = "" ]; then - echo "Install kernel linux-image-${KERNEL_RELEASE}" - echo "\033[1m !!! if kernel install fail run: dpkg --remove --force-remove-reinstreq linux-image-${KERNEL_VERSION}-mptcp !!! \033[0m" - dpkg --force-all -i -B /tmp/linux-headers-${KERNEL_RELEASE}_amd64.deb - dpkg --force-all -i -B /tmp/linux-image-${KERNEL_RELEASE}_amd64.deb -fi +apt-get -y install dirmngr patch rename curl libcurl4 unzip pkg-config ipset -# Check if mptcp kernel is grub default kernel -echo "Set MPTCP kernel as grub default..." 
-if [ "$LOCALFILES" = "no" ]; then - wget -O /tmp/update-grub.sh ${VPSURL}${VPSPATH}/update-grub.sh - cd /tmp -else - cd ${DIR} -fi -bash update-grub.sh ${KERNEL_VERSION}-mptcp -bash update-grub.sh ${KERNEL_RELEASE} - -echo "Install tracebox OpenMPTCProuter edition" -apt-get -y -o Dpkg::Options::="--force-overwrite" install tracebox -echo "Install iperf3 OpenMPTCProuter edition" -apt-get -y -o Dpkg::Options::="--force-overwrite" install omr-iperf3 - -apt-get -y remove shadowsocks-libev - -if [ "$SOURCES" = "yes" ]; then - #apt -t stretch-backports -y install shadowsocks-libev - ## Compile Shadowsocks - #rm -rf /tmp/shadowsocks-libev-${SHADOWSOCKS_VERSION} - #wget -O /tmp/shadowsocks-libev-${SHADOWSOCKS_VERSION}.tar.gz http://github.com/shadowsocks/shadowsocks-libev/releases/download/v${SHADOWSOCKS_VERSION}/shadowsocks-libev-${SHADOWSOCKS_VERSION}.tar.gz - cd /tmp - rm -rf shadowsocks-libev - git clone https://github.com/Ysurac/shadowsocks-libev.git - cd shadowsocks-libev - git checkout ${SHADOWSOCKS_VERSION} - git submodule update --init --recursive - #tar xzf shadowsocks-libev-${SHADOWSOCKS_VERSION}.tar.gz - #cd shadowsocks-libev-${SHADOWSOCKS_VERSION} - #wget https://raw.githubusercontent.com/Ysurac/openmptcprouter-feeds/master/shadowsocks-libev/patches/020-NOCRYPTO.patch - #patch -p1 < 020-NOCRYPTO.patch - #wget https://github.com/Ysurac/shadowsocks-libev/commit/31b93ac2b054bc3f68ea01569649e6882d72218e.patch - #patch -p1 < 31b93ac2b054bc3f68ea01569649e6882d72218e.patch - #wget https://github.com/Ysurac/shadowsocks-libev/commit/2e52734b3bf176966e78e77cf080a1e8c6b2b570.patch - #patch -p1 < 2e52734b3bf176966e78e77cf080a1e8c6b2b570.patch - #wget https://github.com/Ysurac/shadowsocks-libev/commit/dd1baa91e975a69508f9ad67d75d72624c773d24.patch - #patch -p1 < dd1baa91e975a69508f9ad67d75d72624c773d24.patch - # Shadowsocks eBPF support - #wget https://raw.githubusercontent.com/Ysurac/openmptcprouter-feeds/master/shadowsocks-libev/patches/030-eBPF.patch - #patch -p1 < 
030-eBPF.patch - #rm -f /var/lib/dpkg/lock - #apt-get install -y --no-install-recommends build-essential git ca-certificates libcap-dev libelf-dev libpcap-dev - #cd /tmp - #rm -rf libbpf - #git clone https://github.com/libbpf/libbpf.git - #cd libbpf - #if [ "$ID" = "debian" ]; then - # rm -f /var/lib/dpkg/lock - # apt -y -t stretch-backports install linux-libc-dev - #elif [ "$ID" = "ubuntu" ]; then - # rm -f /var/lib/dpkg/lock - # apt-get -y install linux-libc-dev - #fi - #BUILD_SHARED=y make -C src CFLAGS="$CFLAGS -DCOMPAT_NEED_REALLOCARRAY" - #cp /tmp/libbpf/src/libbpf.so /usr/lib - #cp /tmp/libbpf/src/*.h /usr/include/bpf - #cd /tmp - #rm -rf /tmp/libbpf - rm -f /var/lib/dpkg/lock - rm -f /var/lib/dpkg/lock-frontend - apt-get -y install --no-install-recommends devscripts equivs apg libcap2-bin libpam-cap libc-ares2 libc-ares-dev libev4 haveged libpcre3-dev - sleep 1 - rm -f /var/lib/dpkg/lock - rm -f /var/lib/dpkg/lock-frontend - systemctl enable haveged - - if [ "$ID" = "debian" ]; then - rm -f /var/lib/dpkg/lock - rm -f /var/lib/dpkg/lock-frontend - if [ "$VERSION_ID" = "9" ]; then - apt -y -t stretch-backports install libsodium-dev - else - apt -y install libsodium-dev - fi - elif [ "$ID" = "ubuntu" ]; then - rm -f /var/lib/dpkg/lock - rm -f /var/lib/dpkg/lock-frontend - apt-get -y install libsodium-dev +if [ -z "$(dpkg-query -l | grep grub)" ]; then + if [ -d /boot/grub2 ]; then + apt-get -y install grub2 + elif [ -d /boot/grub ]; then + apt-get -y install grub-legacy fi - #cd /tmp/shadowsocks-libev-${SHADOWSOCKS_VERSION} - rm -f /var/lib/dpkg/lock - rm -f /var/lib/dpkg/lock-frontend - mk-build-deps --install --tool "apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends -y" - rm -f /var/lib/dpkg/lock - rm -f /var/lib/dpkg/lock-frontend - dpkg-buildpackage -b -us -uc - rm -f /var/lib/dpkg/lock - rm -f /var/lib/dpkg/lock-frontend - cd /tmp - #dpkg -i shadowsocks-libev_*.deb - dpkg -i omr-shadowsocks-libev_*.deb - #mkdir -p /usr/lib/shadowsocks-libev 
- #cp -f /tmp/shadowsocks-libev-${SHADOWSOCKS_VERSION}/src/*.ebpf /usr/lib/shadowsocks-libev - #rm -rf /tmp/shadowsocks-libev-${SHADOWSOCKS_VERSION} - rm -rf /tmp/shadowsocks-libev -else - apt-get -y -o Dpkg::Options::="--force-overwrite" install omr-shadowsocks-libev + [ -n "$(grep 'net.ifnames=0' /boot/grub/grub.cfg)" ] && [ ! -f /etc/default/grub ] && { + echo 'GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"' > /etc/default/grub + } fi -# Load OLIA Congestion module at boot time -if ! grep -q olia /etc/modules ; then - echo mptcp_olia >> /etc/modules + +if [ -z "$(dpkg-query -l | grep grub)" ]; then + if [ -d /boot/grub2 ]; then + apt-get -y install grub2 + elif [ -d /boot/grub ]; then + apt-get -y install grub-legacy + fi + [ -n "$(grep 'net.ifnames=0' /boot/grub/grub.cfg)" ] && [ ! -f /etc/default/grub ] && { + echo 'GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"' > /etc/default/grub + } fi -# Load WVEGAS Congestion module at boot time -if ! grep -q wvegas /etc/modules ; then - echo mptcp_wvegas >> /etc/modules +if [ "$KERNEL" = "5.4" ] || [ "$KERNEL" = "5.15" ]; then + if [ "$SOURCES" = "yes" ]; then + wget -O /tmp/linux-image-${KERNEL_RELEASE}_amd64.deb ${VPSURL}kernel/linux-image-${KERNEL_RELEASE}_amd64.deb + wget -O /tmp/linux-headers-${KERNEL_RELEASE}_amd64.deb ${VPSURL}kernel/linux-headers-${KERNEL_RELEASE}_amd64.deb + # Rename bzImage to vmlinuz, needed when custom kernel was used + cd /boot + apt-get -y install git + rename 's/^bzImage/vmlinuz/s' * >/dev/null 2>&1 + #apt-get -y install linux-mptcp + #dpkg --remove --force-remove-reinstreq linux-image-${KERNEL_VERSION}-mptcp + #dpkg --remove --force-remove-reinstreq linux-headers-${KERNEL_VERSION}-mptcp + if [ "$(dpkg -l | grep linux-image-${KERNEL_VERSION} | grep ${KERNEL_PACKAGE_VERSION})" = "" ]; then + echo "Install kernel linux-image-${KERNEL_RELEASE} source release" + echo "\033[1m !!! if kernel install fail run: dpkg --remove --force-remove-reinstreq linux-image-${KERNEL_VERSION}-mptcp !!! 
\033[0m" + dpkg --force-all -i -B /tmp/linux-headers-${KERNEL_RELEASE}_amd64.deb + dpkg --force-all -i -B /tmp/linux-image-${KERNEL_RELEASE}_amd64.deb + fi + else + cd /boot + rename 's/^bzImage/vmlinuz/s' * >/dev/null 2>&1 + if [ "$(dpkg -l | grep linux-image-${KERNEL_VERSION} | grep ${KERNEL_PACKAGE_VERSION})" = "" ]; then + echo "Install kernel linux-image-${KERNEL_RELEASE}" + echo "\033[1m !!! if kernel install fail run: dpkg --remove --force-remove-reinstreq linux-image-${KERNEL_VERSION}-mptcp !!! \033[0m" + apt-get -y install linux-image-${KERNEL_VERSION}-mptcp=${KERNEL_PACKAGE_VERSION} linux-headers-${KERNEL_VERSION}-mptcp=${KERNEL_PACKAGE_VERSION} + fi + fi + + + # Check if mptcp kernel is grub default kernel + echo "Set MPTCP kernel as grub default..." + if [ "$LOCALFILES" = "no" ]; then + wget -O /tmp/update-grub.sh ${VPSURL}${VPSPATH}/update-grub.sh + cd /tmp + else + cd ${DIR} + fi + [ -f /boot/grub/grub.cfg ] && [ -z "$(grep ${KERNEL_VERSION}-mptcp /boot/grub/grub.cfg)" ] && [ -n "$(which grub-mkconfig)" ] && grub-mkconfig -o /boot/grub/grub.cfg + rm -f /etc/grub.d/30_os-prober + bash update-grub.sh ${KERNEL_VERSION}-mptcp + bash update-grub.sh ${KERNEL_RELEASE} + [ -f /boot/grub/grub.cfg ] && sed -i 's/default="1>0"/default="0"/' /boot/grub/grub.cfg >/dev/null 2>&1 +elif [ "$KERNEL" = "6.6" ] && [ "$ARCH" = "amd64" ]; then + # awk command from xanmod website + PSABI=$(awk 'BEGIN { while (!/flags/) if (getline < "/proc/cpuinfo" != 1) exit 1; if (/lm/&&/cmov/&&/cx8/&&/fpu/&&/fxsr/&&/mmx/&&/syscall/&&/sse2/) level = 1; if (level == 1 && /cx16/&&/lahf/&&/popcnt/&&/sse4_1/&&/sse4_2/&&/ssse3/) level = 2; if (level == 2 && /avx/&&/avx2/&&/bmi1/&&/bmi2/&&/f16c/&&/fma/&&/abm/&&/movbe/&&/xsave/) level = 3; if (level == 3 && /avx512f/&&/avx512bw/&&/avx512cd/&&/avx512dq/&&/avx512vl/) level = 4; if (level > 0) { print "x64v" level; exit level + 1 }; exit 1;}' | tr -d "\n") + KERNEL_VERSION="6.6.36" + KERNEL_REV="0~20240628.g36640c1" + wget -O 
/tmp/linux-image-${KERNEL_VERSION}-${PSABI}-xanmod1_${KERNEL_VERSION}-${PSABI}-xanmod1-${KERNEL_REV}_amd64.deb ${VPSURL}kernel/linux-image-${KERNEL_VERSION}-${PSABI}-xanmod1_${KERNEL_VERSION}-${PSABI}-xanmod1-${KERNEL_REV}_amd64.deb + wget -O /tmp/linux-headers-${KERNEL_VERSION}-${PSABI}-xanmod1_${KERNEL_VERSION}-${PSABI}-xanmod1-${KERNEL_REV}_amd64.deb ${VPSURL}kernel/linux-headers-${KERNEL_VERSION}-${PSABI}-xanmod1_${KERNEL_VERSION}-${PSABI}-xanmod1-${KERNEL_REV}_amd64.deb + echo "Install kernel linux-image-${KERNEL_VERSION}-${PSABI}-xanmod1 source release" + dpkg --force-all -i -B /tmp/linux-headers-${KERNEL_VERSION}-${PSABI}-xanmod1_${KERNEL_VERSION}-${PSABI}-xanmod1-${KERNEL_REV}_amd64.deb + dpkg --force-all -i -B /tmp/linux-image-${KERNEL_VERSION}-${PSABI}-xanmod1_${KERNEL_VERSION}-${PSABI}-xanmod1-${KERNEL_REV}_amd64.deb + +# wget -qO - https://dl.xanmod.org/archive.key | gpg --batch --yes --dearmor -vo /usr/share/keyrings/xanmod-archive-keyring.gpg +# echo 'deb [signed-by=/usr/share/keyrings/xanmod-archive-keyring.gpg] http://deb.xanmod.org releases main' | tee /etc/apt/sources.list.d/xanmod-release.list +# apt-get update +# apt-get -y install linux-xanmod-lts-x64v3 + [ -f /etc/default/grub ] && { + sed -i "s@^\(GRUB_DEFAULT=\).*@\1\"0\"@" /etc/default/grub >/dev/null 2>&1 + [ -f /boot/grub/grub.cfg ] && grub-mkconfig -o /boot/grub/grub.cfg >/dev/null 2>&1 + } +elif [ "$KERNEL" = "6.10" ] && [ "$ARCH" = "amd64" ]; then + # awk command from xanmod website + PSABI=$(awk 'BEGIN { while (!/flags/) if (getline < "/proc/cpuinfo" != 1) exit 1; if (/lm/&&/cmov/&&/cx8/&&/fpu/&&/fxsr/&&/mmx/&&/syscall/&&/sse2/) level = 1; if (level == 1 && /cx16/&&/lahf/&&/popcnt/&&/sse4_1/&&/sse4_2/&&/ssse3/) level = 2; if (level == 2 && /avx/&&/avx2/&&/bmi1/&&/bmi2/&&/f16c/&&/fma/&&/abm/&&/movbe/&&/xsave/) level = 3; if (level == 3 && /avx512f/&&/avx512bw/&&/avx512cd/&&/avx512dq/&&/avx512vl/) level = 4; if (level > 0) { print "x64v" level; exit level + 1 }; exit 1;}' | tr -d "\n") 
+ if [ "$PSABI" = "x64v1" ]; then + echo "psABI x86-64-v1 not supported by Xanmod kernel 6.10, use an older kernel" + exit 0 + fi + KERNEL_VERSION="6.10.2" + KERNEL_REV="0~20240728.gae7b555" + wget -O /tmp/linux-image-${KERNEL_VERSION}-${PSABI}-xanmod1_${KERNEL_VERSION}-${PSABI}-xanmod1-${KERNEL_REV}_amd64.deb ${VPSURL}kernel/linux-image-${KERNEL_VERSION}-${PSABI}-xanmod1_${KERNEL_VERSION}-${PSABI}-xanmod1-${KERNEL_REV}_amd64.deb + wget -O /tmp/linux-headers-${KERNEL_VERSION}-${PSABI}-xanmod1_${KERNEL_VERSION}-${PSABI}-xanmod1-${KERNEL_REV}_amd64.deb ${VPSURL}kernel/linux-headers-${KERNEL_VERSION}-${PSABI}-xanmod1_${KERNEL_VERSION}-${PSABI}-xanmod1-${KERNEL_REV}_amd64.deb + echo "Install kernel linux-image-${KERNEL_VERSION}-${PSABI}-xanmod1 source release" + dpkg --force-all -i -B /tmp/linux-headers-${KERNEL_VERSION}-${PSABI}-xanmod1_${KERNEL_VERSION}-${PSABI}-xanmod1-${KERNEL_REV}_amd64.deb + dpkg --force-all -i -B /tmp/linux-image-${KERNEL_VERSION}-${PSABI}-xanmod1_${KERNEL_VERSION}-${PSABI}-xanmod1-${KERNEL_REV}_amd64.deb + +# wget -qO - https://dl.xanmod.org/archive.key | gpg --batch --yes --dearmor -vo /usr/share/keyrings/xanmod-archive-keyring.gpg +# echo 'deb [signed-by=/usr/share/keyrings/xanmod-archive-keyring.gpg] http://deb.xanmod.org releases main' | tee /etc/apt/sources.list.d/xanmod-release.list +# apt-get update +# apt-get -y install linux-xanmod-lts-x64v3 + [ -f /etc/default/grub ] && { + sed -i "s@^\(GRUB_DEFAULT=\).*@\1\"0\"@" /etc/default/grub >/dev/null 2>&1 + [ -f /boot/grub/grub.cfg ] && grub-mkconfig -o /boot/grub/grub.cfg >/dev/null 2>&1 + } +elif [ "$KERNEL" = "6.11" ] && [ "$ARCH" = "amd64" ]; then + # awk command from xanmod website + PSABI=$(awk 'BEGIN { while (!/flags/) if (getline < "/proc/cpuinfo" != 1) exit 1; if (/lm/&&/cmov/&&/cx8/&&/fpu/&&/fxsr/&&/mmx/&&/syscall/&&/sse2/) level = 1; if (level == 1 && /cx16/&&/lahf/&&/popcnt/&&/sse4_1/&&/sse4_2/&&/ssse3/) level = 2; if (level == 2 && 
/avx/&&/avx2/&&/bmi1/&&/bmi2/&&/f16c/&&/fma/&&/abm/&&/movbe/&&/xsave/) level = 3; if (level == 3 && /avx512f/&&/avx512bw/&&/avx512cd/&&/avx512dq/&&/avx512vl/) level = 4; if (level > 0) { print "x64v" level; exit level + 1 }; exit 1;}' | tr -d "\n") + if [ "$PSABI" = "x64v1" ]; then + echo "psABI x86-64-v1 not supported by Xanmod kernel 6.11, use an older kernel" + exit 0 + fi + KERNEL_VERSION="6.11.0" + KERNEL_REV="0~20240916.g9c60408" + wget -O /tmp/linux-image-${KERNEL_VERSION}-${PSABI}-xanmod1_${KERNEL_VERSION}-${PSABI}-xanmod1-${KERNEL_REV}_amd64.deb ${VPSURL}kernel/linux-image-${KERNEL_VERSION}-${PSABI}-xanmod1_${KERNEL_VERSION}-${PSABI}-xanmod1-${KERNEL_REV}_amd64.deb + wget -O /tmp/linux-headers-${KERNEL_VERSION}-${PSABI}-xanmod1_${KERNEL_VERSION}-${PSABI}-xanmod1-${KERNEL_REV}_amd64.deb ${VPSURL}kernel/linux-headers-${KERNEL_VERSION}-${PSABI}-xanmod1_${KERNEL_VERSION}-${PSABI}-xanmod1-${KERNEL_REV}_amd64.deb + echo "Install kernel linux-image-${KERNEL_VERSION}-${PSABI}-xanmod1 source release" + dpkg --force-all -i -B /tmp/linux-headers-${KERNEL_VERSION}-${PSABI}-xanmod1_${KERNEL_VERSION}-${PSABI}-xanmod1-${KERNEL_REV}_amd64.deb + dpkg --force-all -i -B /tmp/linux-image-${KERNEL_VERSION}-${PSABI}-xanmod1_${KERNEL_VERSION}-${PSABI}-xanmod1-${KERNEL_REV}_amd64.deb + +# wget -qO - https://dl.xanmod.org/archive.key | gpg --batch --yes --dearmor -vo /usr/share/keyrings/xanmod-archive-keyring.gpg +# echo 'deb [signed-by=/usr/share/keyrings/xanmod-archive-keyring.gpg] http://deb.xanmod.org releases main' | tee /etc/apt/sources.list.d/xanmod-release.list +# apt-get update +# apt-get -y install linux-xanmod-lts-x64v3 + [ -f /etc/default/grub ] && { + sed -i "s@^\(GRUB_DEFAULT=\).*@\1\"0\"@" /etc/default/grub >/dev/null 2>&1 + [ -f /boot/grub/grub.cfg ] && grub-mkconfig -o /boot/grub/grub.cfg >/dev/null 2>&1 + } +elif [ "$KERNEL" = "6.12" ] && [ "$ARCH" = "amd64" ]; then + # awk command from xanmod website + PSABI=$(awk 'BEGIN { while (!/flags/) if (getline < 
"/proc/cpuinfo" != 1) exit 1; if (/lm/&&/cmov/&&/cx8/&&/fpu/&&/fxsr/&&/mmx/&&/syscall/&&/sse2/) level = 1; if (level == 1 && /cx16/&&/lahf/&&/popcnt/&&/sse4_1/&&/sse4_2/&&/ssse3/) level = 2; if (level == 2 && /avx/&&/avx2/&&/bmi1/&&/bmi2/&&/f16c/&&/fma/&&/abm/&&/movbe/&&/xsave/) level = 3; if (level == 3 && /avx512f/&&/avx512bw/&&/avx512cd/&&/avx512dq/&&/avx512vl/) level = 4; if (level > 0) { print "x64v" level; exit level + 1 }; exit 1;}' | tr -d "\n") + if [ "$PSABI" = "x64v4" ]; then + PSABI="x64v3" + fi + KERNEL_VERSION="6.12.15" + KERNEL_REV="0~20250219.g6e42b4c" + wget -O /tmp/linux-image-${KERNEL_VERSION}-${PSABI}-xanmod1_${KERNEL_VERSION}-${PSABI}-xanmod1-${KERNEL_REV}_amd64.deb ${VPSURL}kernel/linux-image-${KERNEL_VERSION}-${PSABI}-xanmod1_${KERNEL_VERSION}-${PSABI}-xanmod1-${KERNEL_REV}_amd64.deb + wget -O /tmp/linux-headers-${KERNEL_VERSION}-${PSABI}-xanmod1_${KERNEL_VERSION}-${PSABI}-xanmod1-${KERNEL_REV}_amd64.deb ${VPSURL}kernel/linux-headers-${KERNEL_VERSION}-${PSABI}-xanmod1_${KERNEL_VERSION}-${PSABI}-xanmod1-${KERNEL_REV}_amd64.deb + echo "Install kernel linux-image-${KERNEL_VERSION}-${PSABI}-xanmod1 source release" + dpkg --force-all -i -B /tmp/linux-headers-${KERNEL_VERSION}-${PSABI}-xanmod1_${KERNEL_VERSION}-${PSABI}-xanmod1-${KERNEL_REV}_amd64.deb + dpkg --force-all -i -B /tmp/linux-image-${KERNEL_VERSION}-${PSABI}-xanmod1_${KERNEL_VERSION}-${PSABI}-xanmod1-${KERNEL_REV}_amd64.deb + +# wget -qO - https://dl.xanmod.org/archive.key | gpg --batch --yes --dearmor -vo /usr/share/keyrings/xanmod-archive-keyring.gpg +# echo 'deb [signed-by=/usr/share/keyrings/xanmod-archive-keyring.gpg] http://deb.xanmod.org releases main' | tee /etc/apt/sources.list.d/xanmod-release.list +# apt-get update +# apt-get -y install linux-xanmod-lts-x64v3 + [ -f /etc/default/grub ] && { + sed -i "s@^\(GRUB_DEFAULT=\).*@\1\"0\"@" /etc/default/grub >/dev/null 2>&1 + [ -f /boot/grub/grub.cfg ] && grub-mkconfig -o /boot/grub/grub.cfg >/dev/null 2>&1 + } +elif [ "$KERNEL" = 
"6.6" ] && [ "$ID" = "debian" ]; then + echo 'deb http://deb.debian.org/debian bookworm-backports main' > /etc/apt/sources.list.d/bookworm-backports.list + apt-get update + latestkernel=$(apt-cache search linux-image-6.6 | grep -v headers | grep -v dbg | grep -v rt | tail -n 1 | cut -d" " -f1) + latestkernelheaders=$(echo $latestkernel | sed 's/image/headers/g') + apt-get -y install $latestkernel $latestkernelheaders + [ -f /etc/default/grub ] && { + sed -i "s@^\(GRUB_DEFAULT=\).*@\1\"0\"@" /etc/default/grub >/dev/null 2>&1 + [ -f /boot/grub/grub.cfg ] && grub-mkconfig -o /boot/grub/grub.cfg >/dev/null 2>&1 + } +else + if [ "$ID" = "ubuntu" ] && [ -z "$(uname -a | grep '6.1')" ]; then + apt-get -y install $(apt-cache search linux-image-unsigned-6.1 | tail -n 1 | cut -d" " -f1) + fi + [ -f /etc/default/grub ] && { + sed -i "s@^\(GRUB_DEFAULT=\).*@\1\"0\"@" /etc/default/grub >/dev/null 2>&1 + [ -f /boot/grub/grub.cfg ] && grub-mkconfig -o /boot/grub/grub.cfg >/dev/null 2>&1 + } fi -# Load BALIA Congestion module at boot time -if ! 
grep -q balia /etc/modules ; then - echo mptcp_balia >> /etc/modules + +if [ "$ARCH" = "amd64" ]; then + echo "Install tracebox OpenMPTCProuter edition" + apt-get -y -o Dpkg::Options::="--force-overwrite" install tracebox fi +if [ "$IPERF" = "yes" ]; then + #echo "Install iperf3 OpenMPTCProuter edition" + #apt-get -y -o Dpkg::Options::="--force-overwrite" install omr-iperf3 + #chmod 644 /lib/systemd/system/iperf3.service + echo "Install iperf3" + [ "$ARCH" = "amd64" ] && apt-get -y remove omr-iperf3 omr-libiperf0 >/dev/null 2>&1 + if [ "$SOURCES" = "yes" ]; then + apt-get -y remove iperf3 libiperf0 + apt-get -y install xz-utils devscripts + cd /tmp + rm -rf iperf-3.18 + wget https://github.com/esnet/iperf/releases/download/3.18/iperf-3.18.tar.gz + tar xzf iperf-3.18.tar.gz + cd iperf-3.18 + wget --waitretry=1 --read-timeout=20 --timeout=15 -t 5 --continue --no-dns-cache http://deb.debian.org/debian/pool/main/i/iperf3/iperf3_3.18-1.debian.tar.xz + tar xJf iperf3_3.18-1.debian.tar.xz + sleep 1 + echo "Install iperf3 dependencies..." + rm -f /var/lib/dpkg/lock + rm -f /var/lib/dpkg/lock-frontend + mk-build-deps --install --tool "apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends -y" + rm -f /var/lib/dpkg/lock + rm -f /var/lib/dpkg/lock-frontend + echo "Build iperf3 package...." + dpkg-buildpackage -b -us -uc >/dev/null 2>&1 + rm -f /var/lib/dpkg/lock + rm -f /var/lib/dpkg/lock-frontend + cd /tmp + echo "Install iperf3 package..." + dpkg -i iperf3_3.18-1_amd64.deb libiperf0_3.18-1_amd64.deb >/dev/null 2>&1 + rm -rf iperf-3.18 + rm -f iperf* libiperf* + else + apt-get -y install iperf3 libiperf0 + fi + if [ ! 
-f "/etc/iperf3/private.pem" ]; then + mkdir -p /etc/iperf3 + openssl genrsa -out /etc/iperf3/private.pem 2048 + openssl rsa -in /etc/iperf3/private.pem -outform PEM -pubout -out /etc/iperf3/public.pem + IPERFPASS=$(echo -n "{openmptcprouter}openmptcprouter" | sha256sum | awk '{ print $1 }') + echo "openmptcprouter,$IPERFPASS" > /etc/iperf3/users.csv + fi + chown -Rf iperf3 /etc/iperf3 || true + systemctl enable iperf3.service || true + mkdir -p /etc/systemd/system/iperf3.service.d + if [ "$LOCALFILES" = "no" ]; then + wget -O /etc/systemd/system/iperf3.service.d/override.conf ${VPSURL}${VPSPATH}/iperf3.override.conf + else + cp ${DIR}/iperf3.override.conf /etc/systemd/system/iperf3.service.d/override.conf + fi + echo "iperf3 installed" +fi + +rm -f /var/lib/dpkg/lock +rm -f /var/lib/dpkg/lock-frontend + +if [ "$KERNEL" != "5.4" ]; then + echo "Compile and install mptcpize..." + apt-get -y install --no-install-recommends build-essential + cd /tmp + apt-get -y install git + git clone https://github.com/Ysurac/mptcpize.git + cd mptcpize + make + make install + cd /tmp + rm -rf /tmp/mptcpize + if [ "$ID" = "debian" ] && [ "$VERSION_ID" = "12" ]; then + apt-get -y install iproute2 + else + echo "Compile and install iproute2..." + apt-get -y install --no-install-recommends bison libbison-dev flex + #wget https://mirrors.edge.kernel.org/pub/linux/utils/net/iproute2/iproute2-5.16.0.tar.gz + #tar xzf iproute2-5.16.0.tar.gz + #cd iproute2-5.16.0 + git clone git://git.kernel.org/pub/scm/network/iproute2/iproute2.git + cd iproute2 + git checkout 29da83f89f6e1fe528c59131a01f5d43bcd0a000 + make + make install + cd /tmp + fi + rm -rf iproute2 + + if [ "$ID" = "debian" ]; then + echo "MPTCPize iperf3..." 
+ mptcpize enable iperf3 >/dev/null 2>&1 || true + fi + + #if [ "$UPSTREAM6" = "yes" ]; then + # apt-get -y install $(dpkg --get-selections | grep linux-image-6.1 | grep -v dbg | cut -f1)-dbg + # apt-get -y install systemtap + # mkdir -p /usr/share/systemtap-mptcp + # wget -O /usr/share/systemtap-mptcp/mptcp-app.stap ${VPSURL}${VPSPATH}/mptcp-app.stap + #fi +fi + +echo "Remove Shadowsocks-libev..." +apt-get -y remove shadowsocks-libev >/dev/null 2>&1 || true +if [ "$SHADOWSOCKS" = "yes" ]; then + echo "Install Shadowsocks-libev..." + if [ "$SOURCES" = "yes" ]; then + #apt -t stretch-backports -y install shadowsocks-libev + ## Compile Shadowsocks + #rm -rf /tmp/shadowsocks-libev-${SHADOWSOCKS_VERSION} + #wget -O /tmp/shadowsocks-libev-${SHADOWSOCKS_VERSION}.tar.gz http://github.com/shadowsocks/shadowsocks-libev/releases/download/v${SHADOWSOCKS_VERSION}/shadowsocks-libev-${SHADOWSOCKS_VERSION}.tar.gz + cd /tmp + rm -rf shadowsocks-libev + git clone https://github.com/Ysurac/shadowsocks-libev.git + cd shadowsocks-libev + git checkout ${SHADOWSOCKS_VERSION} + git submodule update --init --recursive + #tar xzf shadowsocks-libev-${SHADOWSOCKS_VERSION}.tar.gz + #cd shadowsocks-libev-${SHADOWSOCKS_VERSION} + #wget https://raw.githubusercontent.com/Ysurac/openmptcprouter-feeds/master/shadowsocks-libev/patches/020-NOCRYPTO.patch + #patch -p1 < 020-NOCRYPTO.patch + #wget https://github.com/Ysurac/shadowsocks-libev/commit/31b93ac2b054bc3f68ea01569649e6882d72218e.patch + #patch -p1 < 31b93ac2b054bc3f68ea01569649e6882d72218e.patch + #wget https://github.com/Ysurac/shadowsocks-libev/commit/2e52734b3bf176966e78e77cf080a1e8c6b2b570.patch + #patch -p1 < 2e52734b3bf176966e78e77cf080a1e8c6b2b570.patch + #wget https://github.com/Ysurac/shadowsocks-libev/commit/dd1baa91e975a69508f9ad67d75d72624c773d24.patch + #patch -p1 < dd1baa91e975a69508f9ad67d75d72624c773d24.patch + # Shadowsocks eBPF support + #wget 
https://raw.githubusercontent.com/Ysurac/openmptcprouter-feeds/master/shadowsocks-libev/patches/030-eBPF.patch + #patch -p1 < 030-eBPF.patch + #rm -f /var/lib/dpkg/lock + #apt-get install -y --no-install-recommends build-essential git ca-certificates libcap-dev libelf-dev libpcap-dev + #cd /tmp + #rm -rf libbpf + #git clone https://github.com/libbpf/libbpf.git + #cd libbpf + #if [ "$ID" = "debian" ]; then + # rm -f /var/lib/dpkg/lock + # apt -y -t stretch-backports install linux-libc-dev + #elif [ "$ID" = "ubuntu" ]; then + # rm -f /var/lib/dpkg/lock + # apt-get -y install linux-libc-dev + #fi + #BUILD_SHARED=y make -C src CFLAGS="$CFLAGS -DCOMPAT_NEED_REALLOCARRAY" + #cp /tmp/libbpf/src/libbpf.so /usr/lib + #cp /tmp/libbpf/src/*.h /usr/include/bpf + #cd /tmp + #rm -rf /tmp/libbpf + rm -f /var/lib/dpkg/lock + rm -f /var/lib/dpkg/lock-frontend + apt-get -y install --no-install-recommends devscripts equivs apg libcap2-bin libpam-cap libc-ares2 libc-ares-dev libev4 haveged libpcre3-dev + apt-get -y install --no-install-recommends asciidoc-base asciidoc-common docbook-xml docbook-xsl libev-dev libmbedcrypto3 libmbedtls-dev libmbedtls12 libmbedx509-0 libxml2-utils libxslt1.1 pkg-config sgml-base sgml-data xml-core xmlto xsltproc + sleep 1 + rm -f /var/lib/dpkg/lock + rm -f /var/lib/dpkg/lock-frontend + systemctl enable haveged + if [ "$ID" = "debian" ]; then + rm -f /var/lib/dpkg/lock + rm -f /var/lib/dpkg/lock-frontend + if [ "$VERSION_ID" = "9" ]; then + apt -y -t stretch-backports install libsodium-dev + else + apt -y install libsodium-dev + fi + elif [ "$ID" = "ubuntu" ]; then + rm -f /var/lib/dpkg/lock + rm -f /var/lib/dpkg/lock-frontend + apt-get -y install libsodium-dev + fi + #cd /tmp/shadowsocks-libev-${SHADOWSOCKS_VERSION} + rm -f /var/lib/dpkg/lock + rm -f /var/lib/dpkg/lock-frontend + mk-build-deps --install --tool "apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends -y" >/dev/null 2>&1 + rm -f /var/lib/dpkg/lock + rm -f 
/var/lib/dpkg/lock-frontend + dpkg-buildpackage -b -us -uc >/dev/null 2>&1 + rm -f /var/lib/dpkg/lock + rm -f /var/lib/dpkg/lock-frontend + cd /tmp + #dpkg -i shadowsocks-libev_*.deb + dpkg -i omr-shadowsocks-libev_*.deb >/dev/null 2>&1 + #mkdir -p /usr/lib/shadowsocks-libev + #cp -f /tmp/shadowsocks-libev-${SHADOWSOCKS_VERSION}/src/*.ebpf /usr/lib/shadowsocks-libev + #rm -rf /tmp/shadowsocks-libev-${SHADOWSOCKS_VERSION} + rm -rf /tmp/shadowsocks-libev + else + apt-get -y -o Dpkg::Options::="--force-confold" -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-overwrite" install omr-shadowsocks-libev=${SHADOWSOCKS_BINARY_VERSION} + fi +fi + +echo "Add modules on server start..." # Load BBR Congestion module at boot time if ! grep -q bbr /etc/modules ; then echo tcp_bbr >> /etc/modules fi -# Load mctcpdesync Congestion module at boot time -if ! grep -q mctcp_desync /etc/modules ; then - echo mctcp_desync >> /etc/modules -fi -# Load ndiffports module at boot time -if ! grep -q mptcp_ndiffports /etc/modules ; then - echo mptcp_ndiffports >> /etc/modules -fi -# Load redundant module at boot time -if ! grep -q mptcp_redundant /etc/modules ; then - echo mptcp_redundant >> /etc/modules -fi -# Load rr module at boot time -if ! grep -q mptcp_rr /etc/modules ; then - echo mptcp_rr >> /etc/modules -fi -# Load mctcp ECF scheduler at boot time -if ! grep -q mptcp_ecf /etc/modules ; then - echo mptcp_ecf >> /etc/modules -fi -# Load mctcp BLEST scheduler at boot time -if ! grep -q mptcp_blest /etc/modules ; then - echo mptcp_blest >> /etc/modules + +if [ "$KERNEL" = "5.4" ]; then + # Load OLIA Congestion module at boot time + if ! grep -q olia /etc/modules ; then + echo mptcp_olia >> /etc/modules + fi + # Load WVEGAS Congestion module at boot time + if ! grep -q wvegas /etc/modules ; then + echo mptcp_wvegas >> /etc/modules + fi + # Load BALIA Congestion module at boot time + if ! 
grep -q balia /etc/modules ; then + echo mptcp_balia >> /etc/modules + fi + # Load BBRv2 Congestion module at boot time + if ! grep -q bbr2 /etc/modules ; then + echo tcp_bbr2 >> /etc/modules + fi + # Load mctcpdesync Congestion module at boot time + if ! grep -q mctcp_desync /etc/modules ; then + echo mctcp_desync >> /etc/modules + fi + # Load ndiffports module at boot time + if ! grep -q mptcp_ndiffports /etc/modules ; then + echo mptcp_ndiffports >> /etc/modules + fi + # Load redundant module at boot time + if ! grep -q mptcp_redundant /etc/modules ; then + echo mptcp_redundant >> /etc/modules + fi + # Load rr module at boot time + if ! grep -q mptcp_rr /etc/modules ; then + echo mptcp_rr >> /etc/modules + fi + # Load mctcp ECF scheduler at boot time + if ! grep -q mptcp_ecf /etc/modules ; then + echo mptcp_ecf >> /etc/modules + fi + # Load mctcp BLEST scheduler at boot time + if ! grep -q mptcp_blest /etc/modules ; then + echo mptcp_blest >> /etc/modules + fi fi -if systemctl -q is-active omr-admin.service; then - systemctl -q stop omr-admin > /dev/null 2>&1 +echo "Stop OpenMPTCProuter VPS admin" +if systemctl -q is-active omr-admin.service 2>/dev/null; then + systemctl -q stop omr-admin > /dev/null 2>&1 || true +fi +if systemctl -q is-active omr-admin-ipv6.service 2>/dev/null; then + systemctl -q stop omr-admin-ipv6 > /dev/null 2>&1 || true + systemctl -q disable omr-admin-ipv6 > /dev/null 2>&1 || true fi if [ "$OMR_ADMIN" = "yes" ]; then 
@@ -380,24 +837,56 @@ if [ "$OMR_ADMIN" = "yes" ]; then
 apt-get -y remove python3-jwt
 pip3 -q install pyjwt
 else
- apt-get -y install python3-passlib python3-jwt python3-netaddr libuv1 python3-uvloop
+ if [ "$ID" = "debian" ] && ([ "$VERSION_ID" = "10" ] || [ "$VERSION_ID" = "11" ] || [ "$VERSION_ID" = "12" ]); then
+ if [ "$VERSION_ID" = "12" ]; then
+ apt-get -y --allow-downgrades install python3-passlib python3-jwt python3-netaddr libuv1
+ pip3 -q install uvloop --break-system-packages
+ else
+ apt-get -y --allow-downgrades install python3-passlib python3-jwt python3-netaddr libuv1
+ pip3 -q install uvloop
+ fi
+ else
+ apt-get -y --allow-downgrades install python3-passlib python3-jwt python3-netaddr libuv1 python3-uvloop
+ fi
 fi
- apt-get -y install python3-uvicorn jq ipcalc python3-netifaces python3-aiofiles python3-psutil
+ apt-get -y --allow-downgrades install python3-uvicorn jq ipcalc python3-netifaces python3-aiofiles python3-psutil python3-requests pwgen
 echo '-- pip3 install needed python modules'
+ echo "If you see any error here, I really don't care: it's about a module not used for home users"
 #pip3 install pyjwt passlib uvicorn fastapi netjsonconfig python-multipart netaddr
 #pip3 -q install fastapi netjsonconfig python-multipart uvicorn -U
- pip3 -q install fastapi netjsonconfig python-multipart -U
+ if [ "$ID" = "debian" ] && [ "$VERSION_ID" = "12" ]; then
+ #pip3 -q install netjsonconfig --break-system-packages
+ pip3 -q install fastapi -U --break-system-packages
+ pip3 -q install jsonschema -U --break-system-packages
+ pip3 -q install python-multipart jinja2 -U --break-system-packages
+ pip3 -q install starlette --break-system-packages
+ pip3 -q install starlette --break-system-packages
+ else
+ #pip3 -q install netjsonconfig
+ if [ "$ID" = "ubuntu" ] || ([ "$ID" = "debian" ] && [ "$VERSION_ID" = "10" ]); then
+ pip3 -q install fastapi==0.99.1 -U
+ else
+ pip3 -q install fastapi -U
+ fi
+ pip3 -q install fastapi -U
+ pip3 -q install jsonschema -U
+ pip3 -q install python-multipart jinja2 -U
+ pip3 -q install starlette
+ pip3 -q install starlette
+ fi
 mkdir -p /etc/openmptcprouter-vps-admin/omr-6in4
 mkdir -p /etc/openmptcprouter-vps-admin/intf
- [ ! -f "/etc/openmptcprouter-vps-admin/current-vpn" ] && echo "glorytun_tcp" > /etc/openmptcprouter-vps-admin/current-vpn
+ #[ ! -f "/etc/openmptcprouter-vps-admin/current-vpn" ] && echo "glorytun_tcp" > /etc/openmptcprouter-vps-admin/current-vpn
+ [ ! -f "/etc/openmptcprouter-vps-admin/current-vpn" ] && echo "openvpn" > /etc/openmptcprouter-vps-admin/current-vpn
 mkdir -p /var/opt/openmptcprouter
 if [ "$SOURCES" = "yes" ]; then
 wget -O /lib/systemd/system/omr-admin.service ${VPSURL}${VPSPATH}/omr-admin.service.in
+ #wget -O /lib/systemd/system/omr-admin-ipv6.service ${VPSURL}${VPSPATH}/omr-admin-ipv6.service.in
 wget -O /tmp/openmptcprouter-vps-admin.zip https://github.com/Ysurac/openmptcprouter-vps-admin/archive/${OMR_ADMIN_VERSION}.zip
 cd /tmp
 unzip -q -o openmptcprouter-vps-admin.zip
 cp /tmp/openmptcprouter-vps-admin-${OMR_ADMIN_VERSION}/omr-admin.py /usr/local/bin/
- if [ -f /usr/local/bin/omr-admin.py ]; then
+ if [ -f /usr/local/bin/omr-admin.py ] || [ -f /etc/openmptcprouter-vps-admin/omr-admin-config.json ]; then
 OMR_ADMIN_PASS2=$(grep -Po '"'"pass"'"\s*:\s*"\K([^"]*)' /etc/openmptcprouter-vps-admin/omr-admin-config.json | tr -d "\n")
 [ -z "$OMR_ADMIN_PASS2" ] && OMR_ADMIN_PASS2=$(cat /etc/openmptcprouter-vps-admin/omr-admin-config.json | jq -r .users[0].openmptcprouter.user_password | tr -d "\n")
 [ -n "$OMR_ADMIN_PASS2" ] && OMR_ADMIN_PASS=$OMR_ADMIN_PASS2
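Review bot: The `pip3 -q install fastapi==0.99.1 -U` pin for Ubuntu and Debian 10 in the non-bookworm branch is undone right after its `fi` by the unconditional `pip3 -q install fastapi -U`, which upgrades to the latest release regardless, so the pin has no effect; drop that second `pip3 -q install fastapi -U`. The `pip3 -q install starlette` line is also duplicated in both branches. These pip installs run unpinned as root against the system interpreter (with `--break-system-packages` on bookworm), so each run pulls whatever PyPI currently serves; pinning the versions, as the apt side already does via `--allow-downgrades` with explicit package versions elsewhere in this diff, would make the installed admin stack reproducible and reviewable. The enclosing `if [ "$OMR_ADMIN" = "yes" ]` block starts before this hunk and continues past it.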
@@ -412,84 +901,142 @@ if [ "$OMR_ADMIN" = "yes" ]; then cp /tmp/openmptcprouter-vps-admin-${OMR_ADMIN_VERSION}/omr-admin.py /usr/local/bin/ cd /etc/openmptcprouter-vps-admin fi - openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -keyout key.pem -out cert.pem -subj "/C=US/ST=Oregon/L=Portland/O=OpenMPTCProuterVPS/OU=Org/CN=www.openmptcprouter.vps" - sed -i "s:AdminMySecretKey:$OMR_ADMIN_PASS_ADMIN:g" /etc/openmptcprouter-vps-admin/omr-admin-config.json - sed -i "s:MySecretKey:$OMR_ADMIN_PASS:g" /etc/openmptcprouter-vps-admin/omr-admin-config.json - [ "$NOINTERNET" = "yes" ] && { - sed -i 's/"port": 65500,/"port": 65500,\n "internet": false,/' /etc/openmptcprouter-vps-admin/omr-admin-config.json - } - chmod u+x /usr/local/bin/omr-admin.py - systemctl enable omr-admin.service rm -rf /tmp/tmp/openmptcprouter-vps-admin-${OMR_ADMIN_VERSION} + chmod u+x /usr/local/bin/omr-admin.py else - apt-get -y install omr-vps-admin - OMR_ADMIN_PASS=$(cat /etc/openmptcprouter-vps-admin/omr-admin-config.json | jq -r .users[0].openmptcprouter.user_password | tr -d "\n") - OMR_ADMIN_PASS_ADMIN=$(cat /etc/openmptcprouter-vps-admin/omr-admin-config.json | jq -r .users[0].admin.user_password | tr -d "\n") + if [ -f /etc/openmptcprouter-vps-admin/omr-admin-config.json ]; then + OMR_ADMIN_PASS2=$(grep -Po '"'"pass"'"\s*:\s*"\K([^"]*)' /etc/openmptcprouter-vps-admin/omr-admin-config.json | tr -d "\n") + [ -z "$OMR_ADMIN_PASS2" ] && OMR_ADMIN_PASS2=$(cat /etc/openmptcprouter-vps-admin/omr-admin-config.json | jq -r .users[0].openmptcprouter.user_password | tr -d "\n") + [ -n "$OMR_ADMIN_PASS2" ] && [ "$OMR_ADMIN_PASS2" != "MySecretKey" ] && OMR_ADMIN_PASS=$OMR_ADMIN_PASS2 + OMR_ADMIN_PASS_ADMIN2=$(cat /etc/openmptcprouter-vps-admin/omr-admin-config.json | jq -r .users[0].admin.user_password | tr -d "\n") + [ -n "$OMR_ADMIN_PASS_ADMIN2" ] && [ "$OMR_ADMIN_PASS_ADMIN2" != "AdminMySecretKey" ] && OMR_ADMIN_PASS_ADMIN=$OMR_ADMIN_PASS_ADMIN2 + fi + apt-get -o 
Dpkg::Options::="--force-confold" -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-overwrite" -y --allow-downgrades install omr-vps-admin=${OMR_ADMIN_BINARY_VERSION} + if [ ! -f /etc/openmptcprouter-vps-admin/omr-admin-config.json ]; then + cp /usr/share/omr-admin/omr-admin-config.json /etc/openmptcprouter-vps-admin/ + fi + #OMR_ADMIN_PASS=$(cat /etc/openmptcprouter-vps-admin/omr-admin-config.json | jq -r .users[0].openmptcprouter.user_password | tr -d "\n") + #OMR_ADMIN_PASS_ADMIN=$(cat /etc/openmptcprouter-vps-admin/omr-admin-config.json | jq -r .users[0].admin.user_password | tr -d "\n") + fi + if [ ! -f /etc/openmptcprouter-vps-admin/key.pem ]; then + cd /etc/openmptcprouter-vps-admin + openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -keyout key.pem -out cert.pem -subj "/C=US/ST=Oregon/L=Portland/O=OpenMPTCProuterVPS/OU=Org/CN=www.openmptcprouter.vps" + fi + sed -i "s:openmptcptouter:${DEFAULT_USER}:g" /etc/openmptcprouter-vps-admin/omr-admin-config.json + sed -i "s:AdminMySecretKey:$OMR_ADMIN_PASS_ADMIN:g" /etc/openmptcprouter-vps-admin/omr-admin-config.json + sed -i "s:MySecretKey:$OMR_ADMIN_PASS:g" /etc/openmptcprouter-vps-admin/omr-admin-config.json + [ "$NOINTERNET" = "yes" ] && { + jq '. + {internet: false}' /etc/openmptcprouter-vps-admin/omr-admin-config.json > /etc/openmptcprouter-vps-admin/omr-admin-config.json.tmp + mv /etc/openmptcprouter-vps-admin/omr-admin-config.json.tmp /etc/openmptcprouter-vps-admin/omr-admin-config.json + #sed -i 's/"port": 65500,/"port": 65500,\n "internet": false,/' /etc/openmptcprouter-vps-admin/omr-admin-config.json + } + [ "$GRETUNNELS" = "no" ] && { + jq '. 
+ {gre_tunnels: false}' /etc/openmptcprouter-vps-admin/omr-admin-config.json > /etc/openmptcprouter-vps-admin/omr-admin-config.json.tmp + mv /etc/openmptcprouter-vps-admin/omr-admin-config.json.tmp /etc/openmptcprouter-vps-admin/omr-admin-config.json + #sed -i 's/"port": 65500,/"port": 65500,\n "gre_tunnels": false,/' /etc/openmptcprouter-vps-admin/omr-admin-config.json + } + [ "$LANROUTES" = "no" ] && { + jq '. + {lan_routes: false}' /etc/openmptcprouter-vps-admin/omr-admin-config.json > /etc/openmptcprouter-vps-admin/omr-admin-config.json.tmp + mv /etc/openmptcprouter-vps-admin/omr-admin-config.json.tmp /etc/openmptcprouter-vps-admin/omr-admin-config.json + } + chmod 644 /lib/systemd/system/omr-admin.service + #chmod 644 /lib/systemd/system/omr-admin-ipv6.service + #[ "$(ip -6 a)" != "" ] && sed -i 's/0.0.0.0/::/g' /usr/local/bin/omr-admin.py + #[ "$(ip -6 a)" != "" ] && { + # systemctl enable omr-admin-ipv6.service + #} + systemctl enable omr-admin.service + if [ "$KERNEL" != "5.4" ]; then + mptcpize enable omr-admin.service >/dev/null 2>&1 + #[ "$(ip -6 a)" != "" ] && mptcpize enable omr-admin-ipv6.service >/dev/null 2>&1 + fi + if systemctl -q is-active omr-admin-ipv6.service 2>/dev/null; then + systemctl -q stop omr-admin-ipv6 >/dev/null 2>&1 + systemctl -q disable omr-admin-ipv6 >/dev/null 2>&1 fi - fi # Get shadowsocks optimization if [ "$LOCALFILES" = "no" ]; then - wget -O /etc/sysctl.d/90-shadowsocks.conf ${VPSURL}${VPSPATH}/shadowsocks.conf + if [ "$KERNEL" != "5.4" ]; then + wget -O /etc/sysctl.d/90-shadowsocks.conf ${VPSURL}${VPSPATH}/shadowsocks.6.1.conf + else + wget -O /etc/sysctl.d/90-shadowsocks.conf ${VPSURL}${VPSPATH}/shadowsocks.conf + fi else - cp ${DIR}/shadowsocks.conf /etc/sysctl.d/90-shadowsocks.conf + if [ "$KERNEL" != "5.4" ]; then + cp ${DIR}/shadowsocks.6.1.conf /etc/sysctl.d/90-shadowsocks.conf + else + cp ${DIR}/shadowsocks.conf /etc/sysctl.d/90-shadowsocks.conf + fi fi -if [ "$update" != 0 ]; then - if [ ! 
-f /etc/shadowsocks-libev/manager.json ]; then - SHADOWSOCKS_PASS=$(grep -Po '"'"key"'"\s*:\s*"\K([^"]*)' /etc/shadowsocks-libev/config.json | tr -d "\n" | sed 's/-/+/g; s/_/\//g;') - else - SHADOWSOCKS_PASS=$(grep -Po '"'"65101"'":\s*"\K([^"]*)' /etc/shadowsocks-libev/manager.json | tr -d "\n" | sed 's/-/+/g; s/_/\//g;') +if [ "$SHADOWSOCKS" = "yes" ]; then + if [ "$update" != 0 ]; then + if [ ! -f /etc/shadowsocks-libev/manager.json ]; then + SHADOWSOCKS_PASS=$(grep -Po '"'"key"'"\s*:\s*"\K([^"]*)' /etc/shadowsocks-libev/config.json | tr -d "\n" | sed 's/-/+/g; s/_/\//g;') + elif [ -f /etc/shadowsocks-libev/manager.json ]; then + SHADOWSOCKS_PASS=$(grep -Po '"'"65101"'":\s*"\K([^"]*)' /etc/shadowsocks-libev/manager.json | tr -d "\n" | sed 's/-/+/g; s/_/\//g;') + fi fi -fi -# Install shadowsocks config and add a shadowsocks by CPU -if [ "$update" = "0" ] || [ ! -f /etc/shadowsocks-libev/manager.json ]; then - if [ "$LOCALFILES" = "no" ]; then - wget -O /etc/shadowsocks-libev/manager.json ${VPSURL}${VPSPATH}/manager.json - else - cp ${DIR}/manager.json /etc/shadowsocks-libev/manager.json - fi - SHADOWSOCKS_PASS_JSON=$(echo $SHADOWSOCKS_PASS | sed 's/+/-/g; s/\//_/g;') - if [ "$NBCPU" -gt "1" ]; then - for i in $(seq 2 NBCPU); do + # Install shadowsocks config and add a shadowsocks by CPU + if [ "$update" = "0" ] || [ ! 
-f /etc/shadowsocks-libev/manager.json ]; then + if [ "$LOCALFILES" = "no" ]; then + wget -O /etc/shadowsocks-libev/manager.json ${VPSURL}${VPSPATH}/manager.json + else + cp ${DIR}/manager.json /etc/shadowsocks-libev/manager.json + fi + SHADOWSOCKS_PASS_JSON=$(echo $SHADOWSOCKS_PASS | sed 's/+/-/g; s/\//_/g;') + if [ "$NBCPU" -gt "1" ]; then + for i in $(seq 2 NBCPU); do + sed -i '0,/65101/ s/ "65101.*/&\n&/' /etc/shadowsocks-libev/manager.json + done + fi + #sed -i "s:MySecretKey:$SHADOWSOCKS_PASS_JSON:g" /etc/shadowsocks-libev/config.json + sed -i "s:MySecretKey:$SHADOWSOCKS_PASS_JSON:g" /etc/shadowsocks-libev/manager.json + [ "$(ip -6 a 2>/dev/null)" = "" ] && sed -i '/"\[::0\]"/d' /etc/shadowsocks-libev/manager.json + elif [ "$update" != "0" ] && [ -f /etc/shadowsocks-libev/manager.json ] && [ "$(grep -c '65101' /etc/shadowsocks-libev/manager.json | tr -d '\n')" != "$NBCPU" ] && [ -z "$(grep port_conf /etc/shadowsocks-libev/manager.json)" ]; then + for i in $(seq 2 $NBCPU); do sed -i '0,/65101/ s/ "65101.*/&\n&/' /etc/shadowsocks-libev/manager.json done + sed -i 's/ "65101.*"$/&,/' /etc/shadowsocks-libev/manager.json + fi + [ ! 
-f /etc/shadowsocks-libev/local.acl ] && touch /etc/shadowsocks-libev/local.acl + #sed -i 's:aes-256-cfb:chacha20:g' /etc/shadowsocks-libev/config.json + #sed -i 's:json:json --no-delay:g' /lib/systemd/system/shadowsocks-libev-server@.service + if [ "$LOCALFILES" = "no" ]; then + wget -O /lib/systemd/system/shadowsocks-libev-manager@.service ${VPSURL}${VPSPATH}/shadowsocks-libev-manager@.service.in + else + cp ${DIR}/shadowsocks-libev-manager@.service.in /lib/systemd/system/shadowsocks-libev-manager@.service + fi + if systemctl -q is-enabled shadowsocks-libev 2>/dev/null; then + systemctl -q disable shadowsocks-libev + fi + [ -f /etc/shadowsocks-libev/config.json ] && systemctl disable shadowsocks-libev-server@config.service + systemctl enable shadowsocks-libev-manager@manager.service + if [ $NBCPU -gt 1 ]; then + for i in $(seq 1 $NBCPU); do + [ -f /etc/shadowsocks-libev/config$i.json ] && systemctl is-enabled shadowsocks-libev && systemctl disable shadowsocks-libev-server@config$i.service + done + fi + if systemctl -q is-active shadowsocks-libev-manager@manager 2>/dev/null; then + systemctl -q stop shadowsocks-libev-manager@manager > /dev/null 2>&1 fi - #sed -i "s:MySecretKey:$SHADOWSOCKS_PASS_JSON:g" /etc/shadowsocks-libev/config.json - sed -i "s:MySecretKey:$SHADOWSOCKS_PASS_JSON:g" /etc/shadowsocks-libev/manager.json - [ "$(ip -6 a)" = "" ] && sed -i '/"\[::0\]"/d' /etc/shadowsocks-libev/manager.json -elif [ "$update" != "0" ] && [ -f /etc/shadowsocks-libev/manager.json ] && [ "$(grep -c '65101' /etc/shadowsocks-libev/manager.json | tr -d '\n')" != "$NBCPU" ] && [ -z "$(grep port_conf /etc/shadowsocks-libev/manager.json)" ]; then - for i in $(seq 2 $NBCPU); do - sed -i '0,/65101/ s/ "65101.*/&\n&/' /etc/shadowsocks-libev/manager.json - done - sed -i 's/ "65101.*"$/&,/' /etc/shadowsocks-libev/manager.json -fi -[ ! 
-f /etc/shadowsocks-libev/local.acl ] && touch /etc/shadowsocks-libev/local.acl -#sed -i 's:aes-256-cfb:chacha20:g' /etc/shadowsocks-libev/config.json -#sed -i 's:json:json --no-delay:g' /lib/systemd/system/shadowsocks-libev-server@.service -if [ "$LOCALFILES" = "no" ]; then - wget -O /lib/systemd/system/shadowsocks-libev-manager@.service ${VPSURL}${VPSPATH}/shadowsocks-libev-manager@.service.in -else - cp ${DIR}/shadowsocks-libev-manager@.service.in /lib/systemd/system/shadowsocks-libev-manager@.service -fi -if systemctl -q is-enabled shadowsocks-libev; then - systemctl -q disable shadowsocks-libev -fi -[ -f /etc/shadowsocks-libev/config.json ] && systemctl disable shadowsocks-libev-server@config.service -systemctl enable shadowsocks-libev-manager@manager.service -if [ $NBCPU -gt 1 ]; then - for i in $(seq 1 $NBCPU); do - [ -f /etc/shadowsocks-libev/config$i.json ] && systemctl is-enabled shadowsocks-libev && systemctl disable shadowsocks-libev-server@config$i.service - done fi if ! grep -q 'DefaultLimitNOFILE=65536' /etc/systemd/system.conf ; then echo 'DefaultLimitNOFILE=65536' >> /etc/systemd/system.conf fi -if systemctl -q is-active shadowsocks-libev-manager@manager; then - systemctl -q stop shadowsocks-libev-manager@manager > /dev/null 2>&1 +if [ "$LOCALFILES" = "no" ]; then + wget -O /lib/systemd/system/omr-update.service ${VPSURL}${VPSPATH}/omr-update.service.in + wget -O /usr/bin/omr-update ${VPSURL}${VPSPATH}/omr-update + chmod 755 /usr/bin/omr-update +else + cp ${DIR}/omr-update.service.in /lib/systemd/system/omr-update.service + cp ${DIR}/omr-update /usr/bin/omr-update + chmod 755 /usr/bin/omr-update fi +chmod 644 /lib/systemd/system/omr-update.service # Install simple-obfs if [ "$OBFS" = "yes" ]; then 
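Review bot: The new `sed -i "s:openmptcptouter:${DEFAULT_USER}:g" /etc/openmptcprouter-vps-admin/omr-admin-config.json` searches for `openmptcptouter` (a 't' where the project name has 'r'), while the rest of the hunk reads the default account from the same config as `.users[0].openmptcprouter`, so the substitution most likely never matches and the default user is never renamed; if renaming is the intent the pattern should be `openmptcprouter`. The adjacent `sed -i "s:MySecretKey:$OMR_ADMIN_PASS:g"` and `s:AdminMySecretKey:$OMR_ADMIN_PASS_ADMIN:g` lines splice the passwords unescaped into a sed expression, so a value containing `:`, `&`, `\` or a newline corrupts the JSON or the substitution; since jq is already used in this hunk, writing the values with `jq --arg` would avoid that. The `jq '. + {internet: false}' … > …json.tmp` followed by `mv` (and the GRETUNNELS and LANROUTES pairs below it) moves the temp file over the config even when jq fails, leaving an empty config; chaining the `mv` with `&&` keeps the original in that case. The enclosing `if [ "$OMR_ADMIN" = "yes" ]` block starts before this hunk, and the hunk ends inside the `if [ "$OBFS" = "yes" ]` block.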
@@ -516,7 +1063,9 @@ if [ "$OBFS" = "yes" ]; then
 cd /tmp
 rm -rf /tmp/simple-obfs
 else
- apt-get -y -o Dpkg::Options::="--force-overwrite" install omr-simple-obfs
+ rm -f /var/lib/dpkg/lock
+ rm -f /var/lib/dpkg/lock-frontend
+ apt-get -y -o Dpkg::Options::="--force-overwrite" install omr-simple-obfs=${OBFS_BINARY_VERSION}
 fi
 #sed -i 's%"mptcp": true%"mptcp": true,\n"plugin": "/usr/local/bin/obfs-server",\n"plugin_opts": "obfs=http;mptcp;fast-open;t=400"%' /etc/shadowsocks-libev/config.json
 fi
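Review bot: The added `rm -f /var/lib/dpkg/lock` / `rm -f /var/lib/dpkg/lock-frontend` lines before `apt-get` delete a live lock whenever another apt or dpkg process is running (unattended-upgrades, a second invocation of this script), which lets two dpkg runs write the status database at the same time. Waiting on the lock is the safer option: `apt-get -o DPkg::Lock::Timeout=120 ...` on apt releases that support it, or a `fuser /var/lib/dpkg/lock-frontend` check that aborts with a message instead of unlinking the file. The same pair of `rm -f` lines is added in the v2ray-plugin, shadowsocks-go, v2ray, xray, mlvpn, WireGuard, Fail2ban and glorytun hunks below, so one helper such as `wait_dpkg_lock` called from each would keep the fix in one place.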
@@ -524,52 +1073,250 @@ fi # Install v2ray-plugin if [ "$V2RAY_PLUGIN" = "yes" ]; then echo "Install v2ray plugin" - rm -rf /tmp/v2ray-plugin-linux-amd64-${V2RAY_PLUGIN_VERSION}.tar.gz - #wget -O /tmp/v2ray-plugin-linux-amd64-${V2RAY_PLUGIN_VERSION}.tar.gz https://github.com/shadowsocks/v2ray-plugin/releases/download/${V2RAY_PLUGIN_VERSION}/v2ray-plugin-linux-amd64-${V2RAY_PLUGIN_VERSION}.tar.gz - #wget -O /tmp/v2ray-plugin-linux-amd64-${V2RAY_PLUGIN_VERSION}.tar.gz ${VPSURL}${VPSPATH}/bin/v2ray-plugin-linux-amd64-${V2RAY_PLUGIN_VERSION}.tar.gz - wget -O /tmp/v2ray-plugin-linux-amd64-${V2RAY_PLUGIN_VERSION}.tar.gz https://github.com/teddysun/v2ray-plugin/releases/download/v1.4.3/v2ray-plugin-linux-amd64-${V2RAY_PLUGIN_VERSION}.tar.gz - cd /tmp - tar xzvf v2ray-plugin-linux-amd64-${V2RAY_PLUGIN_VERSION}.tar.gz - cp -f v2ray-plugin_linux_amd64 /usr/local/bin/v2ray-plugin - cd /tmp - rm -rf /tmp/v2ray-plugin_linux_amd64 - rm -rf /tmp/v2ray-plugin-linux-amd64-${V2RAY_PLUGIN_VERSION}.tar.gz + if [ "$SOURCES" = "yes" ]; then + rm -rf /tmp/v2ray-plugin-linux-amd64-${V2RAY_PLUGIN_VERSION}.tar.gz + #wget -O /tmp/v2ray-plugin-linux-amd64-v${V2RAY_PLUGIN_VERSION}.tar.gz https://github.com/shadowsocks/v2ray-plugin/releases/download/${V2RAY_PLUGIN_VERSION}/v2ray-plugin-linux-amd64-v${V2RAY_PLUGIN_VERSION}.tar.gz + #wget -O /tmp/v2ray-plugin-linux-amd64-v${V2RAY_PLUGIN_VERSION}.tar.gz ${VPSURL}${VPSPATH}/bin/v2ray-plugin-linux-amd64-v${V2RAY_PLUGIN_VERSION}.tar.gz + wget -O /tmp/v2ray-plugin-linux-amd64-v${V2RAY_PLUGIN_VERSION}.tar.gz https://github.com/teddysun/v2ray-plugin/releases/download/v${V2RAY_PLUGIN_VERSION}/v2ray-plugin-linux-amd64-v${V2RAY_PLUGIN_VERSION}.tar.gz + cd /tmp + tar xzvf v2ray-plugin-linux-amd64-v${V2RAY_PLUGIN_VERSION}.tar.gz + cp -f v2ray-plugin_linux_amd64 /usr/local/bin/v2ray-plugin + cd /tmp + rm -rf /tmp/v2ray-plugin_linux_amd64 + rm -rf /tmp/v2ray-plugin-linux-amd64-${V2RAY_PLUGIN_VERSION}.tar.gz - #rm -rf /tmp/v2ray-plugin - #cd /tmp - #rm -f 
/var/lib/dpkg/lock - #apt-get install -y --no-install-recommends git ca-certificates golang-go - #git clone https://github.com/shadowsocks/v2ray-plugin.git /tmp/v2ray-plugin - #cd /tmp/v2ray-plugin - #git checkout ${V2RAY_PLUGIN_VERSION} - #git submodule update --init --recursive - #CGO_ENABLED=0 go build -o v2ray-plugin - #cp v2ray-plugin /usr/local/bin/v2ray-plugin - #cd /tmp - #rm -rf /tmp/simple-obfs + #rm -rf /tmp/v2ray-plugin + #cd /tmp + #rm -f /var/lib/dpkg/lock + #apt-get install -y --no-install-recommends git ca-certificates golang-go + #git clone https://github.com/shadowsocks/v2ray-plugin.git /tmp/v2ray-plugin + #cd /tmp/v2ray-plugin + #git checkout ${V2RAY_PLUGIN_VERSION} + #git submodule update --init --recursive + #CGO_ENABLED=0 go build -o v2ray-plugin + #cp v2ray-plugin /usr/local/bin/v2ray-plugin + #cd /tmp + #rm -rf /tmp/simple-obfs + else + rm -f /var/lib/dpkg/lock + rm -f /var/lib/dpkg/lock-frontend + apt-get -y install v2ray-plugin=${V2RAY_PLUGIN_VERSION} + fi fi -if [ "$OBFS" = "no" ] && [ "$V2RAY_PLUGIN" = "no" ]; then +if [ "$OBFS" = "no" ] && [ "$V2RAY_PLUGIN" = "no" ] && [ -f /etc/shadowsocks-libev/config.json ]; then sed -i -e '/plugin/d' -e 's/,,//' /etc/shadowsocks-libev/config.json fi -if systemctl -q is-active v2ray.service; then +if systemctl -q is-active shadowsocks-go.service 2>/dev/null; then + systemctl -q stop shadowsocks-go > /dev/null 2>&1 + systemctl -q disable shadowsocks-go > /dev/null 2>&1 +fi + +if [ "$SHADOWSOCKS_GO" = "yes" ]; then + if [ "$SOURCES" = "yes" ] || [ "$ARCH" = "arm64" ]; then + if [ "$ARCH" = "amd64" ]; then + wget -O /tmp/shadowsocks-go-${SHADOWSOCKS_GO_VERSION}-amd64.deb ${VPSURL}/debian/shadowsocks-go-${SHADOWSOCKS_GO_VERSION}-amd64.deb + rm -f /var/lib/dpkg/lock + rm -f /var/lib/dpkg/lock-frontend + dpkg --force-all -i -B /tmp/shadowsocks-go-${SHADOWSOCKS_GO_VERSION}-amd64.deb + rm -f /tmp/shadowsocks-go-${SHADOWSOCKS_GO_VERSION}-amd64.deb + elif [ "$ARCH" = "arm64" ]; then + wget -O 
/tmp/shadowsocks-go-${SHADOWSOCKS_GO_VERSION}-arm64.deb ${VPSURL}/debian/shadowsocks-go-${SHADOWSOCKS_GO_VERSION}-arm64.deb + rm -f /var/lib/dpkg/lock + rm -f /var/lib/dpkg/lock-frontend + dpkg --force-all -i -B /tmp/shadowsocks-go-${SHADOWSOCKS_GO_VERSION}-arm64.deb + rm -f /tmp/shadowsocks-go-${SHADOWSOCKS_GO_VERSION}-arm64.deb + fi + else + apt-get -o Dpkg::Options::="--force-confold" -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-overwrite" -y install shadowsocks-go=${SHADOWSOCKS_GO_VERSION} + fi + if [ -f /etc/shadowsocks-go/server.json ]; then + PSK2=$(grep -Po '"'"psk"'"\s*:\s*"\K([^"]*)' /etc/shadowsocks-go/server.json | head -n 1 | tr -d "\n") + [ -n "$PSK2" ] && [ "$PSK2" != "PSK" ] && [ "$PSK2" != "null" ] && PSK="$PSK2" + UPSK2=$(grep -Po '"'"openmptcprouter"'"\s*:\s*"\K([^"]*)' /etc/shadowsocks-go/upsks.json | head -n 1 | tr -d "\n") + [ -n "$UPSK2" ] && [ "$UPSK2" != "UPSK" ] && [ "$UPSK2" != "null" ] && UPSK="$UPSK2" + fi + wget -O /etc/shadowsocks-go/server.json ${VPSURL}${VPSPATH}/shadowsocks-go.server.json + sed -i "s:\"PSK\":\"$PSK\":g" /etc/shadowsocks-go/server.json + sed -i "s:UPSK:$UPSK:g" /etc/shadowsocks-go/upsks.json + jq -M 'del(.users[0].openmptcprouter."shadowsocks-go")' /etc/openmptcprouter-vps-admin/omr-admin-config.json > /etc/openmptcprouter-vps-admin/omr-admin-config.json.new + mv -f /etc/openmptcprouter-vps-admin/omr-admin-config.json /etc/openmptcprouter-vps-admin/omr-admin-config.json.bak + mv -f /etc/openmptcprouter-vps-admin/omr-admin-config.json.new /etc/openmptcprouter-vps-admin/omr-admin-config.json + + chmod 644 /lib/systemd/system/shadowsocks-go.service + systemctl daemon-reload + systemctl enable shadowsocks-go.service +fi + + +if systemctl -q is-active v2ray.service 2>/dev/null; then systemctl -q stop v2ray > /dev/null 2>&1 systemctl -q disable v2ray > /dev/null 2>&1 fi if [ "$V2RAY" = "yes" ]; then - apt-get -y -o Dpkg::Options::="--force-overwrite" install v2ray - if [ ! 
-f /etc/v2ray/v2ray-server.json ]; then + #apt-get -y -o Dpkg::Options::="--force-overwrite" install v2ray + if [ "$SOURCES" = "yes" ] || [ "$ARCH" = "arm64" ]; then + if [ "$ARCH" = "amd64" ]; then + wget -O /tmp/v2ray-${V2RAY_VERSION}-amd64.deb ${VPSURL}/debian/v2ray-${V2RAY_VERSION}-amd64.deb + rm -f /var/lib/dpkg/lock + rm -f /var/lib/dpkg/lock-frontend + dpkg --force-all -i -B /tmp/v2ray-${V2RAY_VERSION}-amd64.deb + rm -f /tmp/v2ray-${V2RAY_VERSION}-amd64.deb + elif [ "$ARCH" = "arm64" ]; then + wget -O /tmp/v2ray-${V2RAY_VERSION}-arm64.deb ${VPSURL}/debian/v2ray-${V2RAY_VERSION}-arm64.deb + rm -f /var/lib/dpkg/lock + rm -f /var/lib/dpkg/lock-frontend + dpkg --force-all -i -B /tmp/v2ray-${V2RAY_VERSION}-arm64.deb + rm -f /tmp/v2ray-${V2RAY_VERSION}-arm64.deb + fi +# else +# [ "$ARCH" = "i386" ] && V2RAY_FILENAME="v2ray-linux-32.zip" +# [ "$ARCH" = "amd64" ] && V2RAY_FILENAME="v2ray-linux-64.zip" +# [ "$ARCH" = "armel" ] && V2RAY_FILENAME="v2ray-linux-arm32-v7a.zip" +# [ "$ARCH" = "armhf" ] && V2RAY_FILENAME="v2ray-linux-arm32-v7a.zip" +# [ "$ARCH" = "arm64" ] && V2RAY_FILENAME="v2ray-linux-arm64-v8a.zip" +# [ "$ARCH" = "mips64el" ] && V2RAY_FILENAME="v2ray-linux-mips64le.zip" +# [ "$ARCH" = "mipsel" ] && V2RAY_FILENAME="v2ray-linux-mips32le.zip" +# [ "$ARCH" = "riscv64" ] && V2RAY_FILENAME="v2ray-linux-riscv64.zip" +# wget -O /tmp/v2ray-${V2RAY_VERSION}.zip https://github.com/v2fly/v2ray-core/releases/download/v${V2RAY_VERSION}/${V2RAY_FILENAME} +# cd /tmp +# rm -rf v2ray +# mkdir -p v2ray +# cd v2ray +# unzip /tmp/v2ray-${V2RAY_VERSION}.zip +# cp v2ray /usr/bin/ +# cp geoip.dat /usr/bin/ +# cp geosite.dat /usr/bin/ +# wget -O /lib/systemd/system/v2ray.service ${VPSURL}${VPSPATH}/v2ray.service +# fi + else + apt-get -o Dpkg::Options::="--force-confold" -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-overwrite" -y install v2ray=${V2RAY_VERSION} + fi + if [ -f /etc/v2ray/v2ray-server.json ]; then + V2RAY_UUID2=$(grep -Po 
'"'"id"'"\s*:\s*"\K([^"]*)' /etc/v2ray/v2ray-server.json | head -n 1 | tr -d "\n") + [ -n "$V2RAY_UUID2" ] && V2RAY_UUID="$V2RAY_UUID2" + fi + #if [ ! -f /etc/v2ray/v2ray-server.json ]; then wget -O /etc/v2ray/v2ray-server.json ${VPSURL}${VPSPATH}/v2ray-server.json sed -i "s:V2RAY_UUID:$V2RAY_UUID:g" /etc/v2ray/v2ray-server.json - rm /etc/v2ray/config.json - ln -s /etc/v2ray/v2ray-server.json /etc/v2ray/config.json + #fi + if [ "$KERNEL" != "5.4" ] && [ -z "$(grep mptcp /etc/v2ray/v2ray-server.json | grep true)" ]; then + sed -i 's/"sockopt": {/&\n "mptcp": true,/' /etc/v2ray/v2ray-server.json fi + rm -f /etc/v2ray/config.json + ln -s /etc/v2ray/v2ray-server.json /etc/v2ray/config.json + #if [ -f /etc/systemd/system/v2ray.service.dpkg-dist ]; then + # mv -f /etc/systemd/system/v2ray.service.dpkg-dist /etc/systemd/system/v2ray.service + #fi + if [ "$LOCALFILES" = "no" ]; then + wget -O /lib/systemd/system/v2ray.service ${VPSURL}${VPSPATH}/v2ray.service + else + cp ${DIR}/v2ray.service /lib/systemd/system/v2ray.service + fi + chmod 644 /lib/systemd/system/v2ray.service + systemctl daemon-reload systemctl enable v2ray.service + #if [ "$UPSTREAM" = "yes" ] || [ "$UPSTREAM6" = "yes" ]; then + # mptcpize enable v2ray + #fi fi -if systemctl -q is-active mlvpn@mlvpn0.service; then +if systemctl -q is-active xray.service 2>/dev/null; then + systemctl -q stop xray > /dev/null 2>&1 + systemctl -q disable xray > /dev/null 2>&1 +fi + +if [ "$XRAY" = "yes" ]; then + #apt-get -y -o Dpkg::Options::="--force-overwrite" install xray + if [ "$SOURCES" = "yes" ] || [ "$ARCH" = "arm64" ]; then + if [ "$ARCH" = "amd64" ]; then + wget -O /tmp/xray-${XRAY_VERSION}-amd64.deb ${VPSURL}/debian/xray-${XRAY_VERSION}-amd64.deb + rm -f /var/lib/dpkg/lock + rm -f /var/lib/dpkg/lock-frontend + dpkg --force-all -i -B /tmp/xray-${XRAY_VERSION}-amd64.deb + rm -f /tmp/xray-${XRAY_VERSION}-amd64.deb + elif [ "$ARCH" = "arm64" ]; then + wget -O /tmp/xray-${XRAY_VERSION}-arm64.deb 
${VPSURL}/debian/xray-${XRAY_VERSION}-arm64.deb + rm -f /var/lib/dpkg/lock + rm -f /var/lib/dpkg/lock-frontend + dpkg --force-all -i -B /tmp/xray-${XRAY_VERSION}-arm64.deb + rm -f /tmp/xray-${XRAY_VERSION}-arm64.deb + fi + else + apt-get -o Dpkg::Options::="--force-confold" -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-overwrite" -y install xray=${XRAY_VERSION} + fi + if [ -f /etc/xray/xray-server.json ]; then + XRAY_UUID2=$(grep -Po '"'"id"'"\s*:\s*"\K([^"]*)' /etc/xray/xray-server.json | head -n 1 | tr -d "\n") + [ -n "$XRAY_UUID2" ] && [ "$XRAY_UUID2" != "XRAY_UUID" ] && [ "$XRAY_UUID2" != "V2RAY_UUID" ] && XRAY_UUID="$XRAY_UUID2" + PSK2=$(jq -r '.inbounds[] | select(.tag=="omrin-shadowsocks-tunnel") | .settings.password' /etc/xray/xray-server.json | tr -d "\n") + [ "$PSK2" != "null" ] && [ -n "$PSK2" ] && [ "$PSK2" != "XRAY_PSK" ] && PSK="$PSK2" + UPSK2=$(jq -r '.inbounds[] | select(.tag=="omrin-shadowsocks-tunnel") | .settings.clients[] | select(.email=="openmptcprouter") | .password' /etc/xray/xray-server.json | tr -d "\n") + [ "$UPSK2" != "null" ] && [ -n "$UPSK2" ] && [ "$UPSK2" != "XRAY_UPSK" ] && UPSK="$UPSK2" + XRAY_X25519_PRIVATE_KEY2=$(grep -Po '"'"privateKey"'"\s*:\s*"\K([^"]*)' /etc/xray/xray-vless_reality.json | head -n 1 | tr -d "\n") + [ -n "$XRAY_X25519_PRIVATE_KEY2" ] && [ "$XRAY_X25519_PRIVATE_KEY2" != "XRAY_X25519_PRIVATE_KEY" ] && XRAY_X25519_PRIVATE_KEY="$XRAY_X25519_PRIVATE_KEY2" + XRAY_X25519_PUBLIC_KEY2=$(grep -Po '"'"publicKey"'"\s*:\s*"\K([^"]*)' /etc/xray/xray-vless_reality.json | head -n 1 | tr -d "\n") + [ -n "$XRAY_X25519_PUBLIC_KEY2" ] && [ "$XRAY_X25519_PUBLIC_KEY2" != "XRAY_X25519_PUBLIC_KEY" ] && XRAY_X25519_PUBLIC_KEY="$XRAY_X25519_PUBLIC_KEY2" + #jq -M 'del(.transport)' /etc/xray/xray-server.json > /etc/xray/xray-server.json.tmp + #mv -f /etc/xray/xray-server.json.tmp /etc/xray/xray-server.json + + fi + jq -M 'del(.users[0].openmptcprouter.xray)' /etc/openmptcprouter-vps-admin/omr-admin-config.json > 
/etc/openmptcprouter-vps-admin/omr-admin-config.json.new + mv -f /etc/openmptcprouter-vps-admin/omr-admin-config.json /etc/openmptcprouter-vps-admin/omr-admin-config.json.bak + mv -f /etc/openmptcprouter-vps-admin/omr-admin-config.json.new /etc/openmptcprouter-vps-admin/omr-admin-config.json + if [ ! -f /etc/xray/xray-server.json ] || [ -z "$(grep -i mptcp /etc/xray/xray-server.json | grep true)" ] || [ -z "$(grep -i transport /etc/xray/xray-server.json)" ]; then + wget -O /etc/xray/xray-server.json ${VPSURL}${VPSPATH}/xray-server.json + sed -i "s:XRAY_UUID:$XRAY_UUID:g" /etc/xray/xray-server.json + sed -i "s:V2RAY_UUID:$XRAY_UUID:g" /etc/xray/xray-server.json + sed -i "s:XRAY_PSK:$PSK:g" /etc/xray/xray-server.json + sed -i "s:XRAY_UPSK:$UPSK:g" /etc/xray/xray-server.json + wget -O /etc/xray/xray-vless-reality.json ${VPSURL}${VPSPATH}/xray-vless-reality.json + if [ -z "$XRAY_X25519_PRIVATE_KEY" ]; then + XRAY_X25519_KEYS=$(/usr/bin/xray x25519) + XRAY_X25519_PRIVATE_KEY=$(echo "${XRAY_X25519_KEYS}" | grep Private | awk '{ print $3 }' | tr -d "\n") + XRAY_X25519_PUBLIC_KEY=$(echo "${XRAY_X25519_KEYS}" | grep Public | awk '{ print $3 }' | tr -d "\n") + fi + sed -i "s:XRAY_UUID:$XRAY_UUID:g" /etc/xray/xray-vless-reality.json + sed -i "s:XRAY_X25519_PRIVATE_KEY:$XRAY_X25519_PRIVATE_KEY:g" /etc/xray/xray-vless-reality.json + sed -i "s:XRAY_X25519_PUBLIC_KEY:$XRAY_X25519_PUBLIC_KEY:g" /etc/xray/xray-vless-reality.json + for xrayuser in $(cat /etc/openmptcprouter-vps-admin/omr-admin-config.json | jq -r '.users[0][].username'); do + if [ "$xrayuser" != "admin" ] && [ "$xrayuser" != "openmptcprouter" ]; then + xrayid="$(/usr/bin/xray uuid)" + jq --arg xrayuser "$xrayuser" --arg xrayid "$xrayid" '(.inbounds[] | select(.tag=="omrin-tunnel") | .settings.clients) += [{"level": 0, "alterId": 0, "email": $xrayuser,"id": $xrayid}]' /etc/xray/xray-server.json > /etc/xray/xray-server.json.tmp + mv /etc/xray/xray-server.json.tmp /etc/xray/xray-server.json + jq --arg xrayuser 
"$xrayuser" --arg xrayid "$xrayid" '(.inbounds[] | select(.tag=="omrin-vmess-tunnel") | .settings.clients) += [{"level": 0, "alterId": 0, "email": $xrayuser,"id": $xrayid}]' /etc/xray/xray-server.json > /etc/xray/xray-server.json.tmp + mv /etc/xray/xray-server.json.tmp /etc/xray/xray-server.json + jq --arg xrayuser "$xrayuser" --arg xrayid "$xrayid" '(.inbounds[] | select(.tag=="omrin-socks-tunnel") | .settings.accounts) += [{"user": $xrayuser,"pass": $xrayid}]' /etc/xray/xray-server.json > /etc/xray/xray-server.json.tmp + mv /etc/xray/xray-server.json.tmp /etc/xray/xray-server.json + jq --arg xrayuser "$xrayuser" --arg xrayid "$xrayid" '(.inbounds[] | select(.tag=="omrin-trojan-tunnel") | .settings.clients) += [{"level": 0, "alterId": 0, "email": $xrayuser,"id": $xrayid}]' /etc/xray/xray-server.json > /etc/xray/xray-server.json.tmp + mv /etc/xray/xray-server.json.tmp /etc/xray/xray-server.json + [ -e /etc/shadowsocks-go/upsks.json ] && shadowsockspass="$(jq --arg xrayuser $xrayuser -r '.[$xrayuser]' /etc/shadowsocks-go/upsks.json)" + [ -z "$shadowsockspass" ] && shadowsockspass=$(head -c 32 /dev/urandom | base64 -w0) + jq --arg xrayuser "$xrayuser" --arg shadowsockspass "$shadowsockspass" '(.inbounds[] | select(.tag=="omrin-shadowsocks-tunnel") | .settings.clients) += [{"email": $xrayuser,"password": $shadowsockspass}]' /etc/xray/xray-server.json > /etc/xray/xray-server.json.tmp + mv /etc/xray/xray-server.json.tmp /etc/xray/xray-server.json + fi + done + fi + #if ([ "$UPSTREAM" = "yes" ] || [ "$UPSTREAM6" = "yes" ]) && [ -z "$(grep mptcp /etc/xray/xray-server.json | grep true)" ]; then + # sed -i 's/"sockopt": {/&\n "mptcp": true,/' /etc/xray/xray-server.json + #fi + rm -f /etc/xray/config.json + ln -s /etc/xray/xray-server.json /etc/xray/config.json + #if [ -f /etc/systemd/system/xray.service.dpkg-dist ]; then + # mv -f /etc/systemd/system/xray.service.dpkg-dist /etc/systemd/system/xray.service + #fi + if [ "$LOCALFILES" = "no" ]; then + wget -O 
/lib/systemd/system/xray.service ${VPSURL}${VPSPATH}/xray.service
+ else
+ cp ${DIR}/xray.service /lib/systemd/system/xray.service
+ fi
+ chmod 644 /lib/systemd/system/xray.service
+ systemctl daemon-reload
+ systemctl enable xray.service
+fi
+
+if systemctl -q is-active mlvpn@mlvpn0.service 2>/dev/null; then
 systemctl -q stop mlvpn@mlvpn0 > /dev/null 2>&1
 systemctl -q disable mlvpn@mlvpn0 > /dev/null 2>&1
 fi
@@ -581,6 +1328,7 @@ if [ "$MLVPN" = "yes" ]; then
 if [ -f /etc/mlvpn/mlvpn0.conf ]; then
 mlvpnupdate="1"
 fi
+ mkdir -p /etc/mlvpn
 if [ "$SOURCES" = "yes" ]; then
 rm -f /var/lib/dpkg/lock
 rm -f /var/lib/dpkg/lock-frontend
@@ -588,7 +1336,8 @@ if [ "$MLVPN" = "yes" ]; then
 rm -rf /tmp/mlvpn
 cd /tmp
 #git clone https://github.com/markfoodyburton/MLVPN.git /tmp/mlvpn
- git clone https://github.com/flohoff/MLVPN.git /tmp/mlvpn
+ #git clone https://github.com/flohoff/MLVPN.git /tmp/mlvpn
+ git clone https://github.com/zehome/MLVPN.git /tmp/mlvpn
 #git clone https://github.com/link4all/MLVPN.git /tmp/mlvpn
 cd /tmp/mlvpn
 git checkout ${MLVPN_VERSION}
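Review bot: In the per-user loop of the XRAY block, `shadowsockspass` ends up wrong for any user missing from `/etc/shadowsocks-go/upsks.json`: `jq -r '.[$xrayuser]'` prints the literal string `null` for an absent key, so the `[ -z "$shadowsockspass" ]` fallback never fires and the omrin-shadowsocks-tunnel client is written with the password `null`; when `upsks.json` does not exist the variable is never reset, so every later user inherits the previous iteration's password. Adding `shadowsockspass=""` at the top of the `if` body and `[ "$shadowsockspass" = "null" ] && shadowsockspass=""` before the `[ -z ... ]` line fixes both, and `--arg xrayuser $xrayuser` on that jq call should be quoted like the other jq calls in the loop. Separately, the `jq -M 'del(...)' ... > omr-admin-config.json.new` / `mv` sequences in the shadowsocks-go and xray branches never check jq's exit status, so a parse error replaces the admin config with an empty file; `|| exit 1` after the jq, or moving `.new` into place only when it is non-empty, avoids that. The `.deb` files fetched over `${VPSURL}` for shadowsocks-go, v2ray and xray are installed with `dpkg --force-all -i` without any checksum or signature verification, so at minimum a known checksum per `*_VERSION` should be compared before `dpkg -i`, and `--force-all` should be narrowed to the specific force option that is actually needed.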
@@ -598,23 +1347,26 @@ if [ "$MLVPN" = "yes" ]; then
 make install
 cd /tmp
 rm -rf /tmp/mlvpn
- else
- apt-get -y -o Dpkg::Options::="--force-overwrite" install mlvpn
- fi
- if [ "$LOCALFILES" = "no" ]; then
- wget -O /lib/systemd/network/mlvpn.network ${VPSURL}${VPSPATH}/mlvpn.network
- wget -O /lib/systemd/system/mlvpn@.service ${VPSURL}${VPSPATH}/mlvpn@.service.in
- else
- cp ${DIR}/mlvpn.network /lib/systemd/network/mlvpn.network
- cp ${DIR}/mlvpn@.service.in /lib/systemd/system/mlvpn@.service
- fi
- mkdir -p /etc/mlvpn
- if [ "$mlvpnupdate" = "0" ]; then
 if [ "$LOCALFILES" = "no" ]; then
- wget -O /etc/mlvpn/mlvpn0.conf ${VPSURL}${VPSPATH}/mlvpn0.conf
+ wget -O /lib/systemd/network/mlvpn.network ${VPSURL}${VPSPATH}/mlvpn.network
+ wget -O /lib/systemd/system/mlvpn@.service ${VPSURL}${VPSPATH}/mlvpn@.service.in
 else
- cp ${DIR}/mlvpn0.conf /etc/mlvpn/mlvpn0.conf
+ cp ${DIR}/mlvpn.network /lib/systemd/network/mlvpn.network
+ cp ${DIR}/mlvpn@.service.in /lib/systemd/system/mlvpn@.service
 fi
+ if [ "$mlvpnupdate" = "0" ]; then
+ if [ "$LOCALFILES" = "no" ]; then
+ wget -O /etc/mlvpn/mlvpn0.conf ${VPSURL}${VPSPATH}/mlvpn0.conf
+ else
+ cp ${DIR}/mlvpn0.conf /etc/mlvpn/mlvpn0.conf
+ fi
+ fi
+ else
+ rm -f /var/lib/dpkg/lock
+ rm -f /var/lib/dpkg/lock-frontend
+ apt-get -y -o Dpkg::Options::="--force-confold" -o Dpkg::Options::="--force-confdef" install omr-mlvpn=${MLVPN_BINARY_VERSION}
+ fi
+ if [ "$mlvpnupdate" = "0" ]; then
 sed -i "s:MLVPN_PASS:$MLVPN_PASS:" /etc/mlvpn/mlvpn0.conf
 fi
 chmod 0600 /etc/mlvpn/mlvpn0.conf
@@ -626,11 +1378,7 @@ if [ "$MLVPN" = "yes" ]; then
 systemctl enable systemd-networkd.service
 echo "install mlvpn done"
 fi
-if systemctl -q is-active openvpn-server@tun0.service; then
- systemctl -q stop openvpn-server@tun0 > /dev/null 2>&1
- systemctl -q disable openvpn-server@tun0 > /dev/null 2>&1
-fi
-if systemctl -q is-active ubond@ubond0.service; then
+if systemctl -q is-active ubond@ubond0.service 2>/dev/null; then
 systemctl -q stop ubond@ubond0 > /dev/null 2>&1
 systemctl -q disable ubond@ubond0 > /dev/null 2>&1
 fi
@@ -685,7 +1433,76 @@ if [ "$UBOND" = "yes" ]; then systemctl enable systemd-networkd.service echo "install ubond done" fi -if systemctl -q is-active openvpn-server@tun0.service; then + +if systemctl -q is-active wg-quick@wg0.service 2>/dev/null; then + systemctl -q stop wg-quick@wg0 > /dev/null 2>&1 + systemctl -q disable wg-quick@wg0 > /dev/null 2>&1 +fi + +if [ "$WIREGUARD" = "yes" ]; then + echo "Install WireGuard" + rm -f /var/lib/dpkg/lock + rm -f /var/lib/dpkg/lock-frontend + apt-get -y install wireguard-tools --no-install-recommends + if [ ! -f /etc/wireguard/wg0.conf ]; then + cd /etc/wireguard + umask 077; wg genkey | tee vpn-server-private.key | wg pubkey > vpn-server-public.key + cat > /etc/wireguard/wg0.conf <<-EOF + [Interface] + PrivateKey = $(cat /etc/wireguard/vpn-server-private.key | tr -d "\n") + ListenPort = 65311 + Address = 10.255.247.1/24 + SaveConfig = true + EOF + fi + systemctl enable wg-quick@wg0 + if [ ! -f /etc/wireguard/client-wg0.conf ]; then + cd /etc/wireguard + umask 077; wg genkey | tee vpn-client-private.key | wg pubkey > vpn-client-public.key + cat > /etc/wireguard/client-wg0.conf <<-EOF + [Interface] + PrivateKey = $(cat /etc/wireguard/vpn-server-private.key | tr -d "\n") + ListenPort = 65312 + Address = 10.255.246.1/24 + SaveConfig = true + + [Peer] + PublicKey = $(cat /etc/wireguard/vpn-client-public.key | tr -d "\n") + AllowedIPs = 10.255.246.2/32 + EOF + fi + if [ ! 
-f /root/wireguard-client.conf ]; then + cat > /root/wireguard-client.conf <<-EOF + [Interface] + Address = 10.255.246.2/24 + PrivateKey = $(cat /etc/wireguard/vpn-client-private.key | tr -d "\n") + + [Peer] + PublicKey = $(cat /etc/wireguard/vpn-server-public.key | tr -d "\n") + Endpoint = ${VPS_PUBLIC_IP}:65312 + AllowedIPs = 0.0.0.0/0, ::/0, 192.168.100.0/24 + EOF + fi + systemctl enable wg-quick@client-wg0 + echo "Install wireguard done" +fi + +if systemctl -q is-active fail2ban.service 2>/dev/null; then + systemctl -q stop fail2ban > /dev/null 2>&1 + systemctl -q disable fail2ban > /dev/null 2>&1 +fi +if [ "$FAIL2BAN" = "yes" ]; then + echo "Install Fail2ban" + rm -f /var/lib/dpkg/lock + rm -f /var/lib/dpkg/lock-frontend + apt-get -y install fail2ban python3-systemd + systemctl enable fail2ban + wget -O /etc/fail2ban/jail.d/openmptcprouter.conf ${VPSURL}${VPSPATH}/fail2ban-jail-openmptcprouter.conf + wget -O /etc/fail2ban/filter.d/openvpn.conf ${VPSURL}${VPSPATH}/fail2ban-filter-openvpn.conf + echo "Install Fail2ban done" +fi + +if systemctl -q is-active openvpn-server@tun0.service 2>/dev/null; then systemctl -q stop openvpn-server@tun0 > /dev/null 2>&1 systemctl -q disable openvpn-server@tun0 > /dev/null 2>&1 fi 
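Review bot: The permissions of the WireGuard key files depend on which branch happened to run: `umask 077` is only set inside `if [ ! -f /etc/wireguard/wg0.conf ]` and `if [ ! -f /etc/wireguard/client-wg0.conf ]`, so on a host where those two files already exist but `/root/wireguard-client.conf` does not, the client config with its private key is written under the caller's default umask, typically as a world-readable file. That `umask 077` is also never restored, so on a first install every file the rest of the script creates afterwards (fail2ban jail and filter, OpenVPN ccd files, glorytun key) is created mode 600, while on a re-run the same files are not; this makes later permission problems depend on install history. I'd scope the umask to the key generation, `(umask 077; wg genkey | tee vpn-server-private.key | wg pubkey > vpn-server-public.key)`, and follow each `cat > ... <<-EOF` with an explicit `chmod 600` on `wg0.conf`, `client-wg0.conf` and `/root/wireguard-client.conf`. Also `client-wg0.conf` reuses `vpn-server-private.key` for a second interface instead of a key of its own; if that is deliberate a one-line comment saying so would stop the next reader from "fixing" it.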
@@ -745,11 +1562,11 @@ if [ "$OPENVPN" = "yes" ]; then
 make-cadir /etc/openvpn/ca
 fi
 cd /etc/openvpn/ca
- ./easyrsa init-pki
+ ./easyrsa --batch init-pki >/dev/null 2>&1
 ./easyrsa --batch build-ca nopass
- EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full server nopass
- EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "openmptcprouter" nopass
- EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
+ EASYRSA_CERT_EXPIRE=3650 ./easyrsa --batch build-server-full server nopass
+ EASYRSA_CERT_EXPIRE=3650 ./easyrsa --batch build-client-full "openmptcprouter" nopass
+ EASYRSA_CRL_DAYS=3650 ./easyrsa --batch gen-crl
 fi
 if [ ! -f "/etc/openvpn/ca/pki/issued/openmptcprouter.crt" ]; then
 mv /etc/openvpn/ca/pki/issued/client.crt /etc/openvpn/ca/pki/issued/openmptcprouter.crt
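Review bot: `./easyrsa --batch init-pki >/dev/null 2>&1` discards every diagnostic from PKI initialisation and nothing checks its exit status, so a failed init (an unwritable `/etc/openvpn/ca`, a missing easyrsa install) only surfaces when the following `build-ca` fails with a less obvious message. Keep stderr, or at least add `|| echo "easyrsa init-pki failed" >&2` so the root cause stays in the install log; the `if` block that the `fi` after `gen-crl` closes starts outside the hunk.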
@@ -759,73 +1576,145 @@ if [ "$OPENVPN" = "yes" ]; then openssl dhparam -out /etc/openvpn/server/dh2048.pem 2048 fi if [ "$LOCALFILES" = "no" ]; then - wget -O /etc/openvpn/tun0.conf ${VPSURL}${VPSPATH}/openvpn-tun0.conf - wget -O /etc/openvpn/tun1.conf ${VPSURL}${VPSPATH}/openvpn-tun1.conf + if [ "$KERNEL" != "5.4" ]; then + wget -O /etc/openvpn/tun0.conf ${VPSURL}${VPSPATH}/openvpn-tun0.6.1.conf + wget -O /etc/openvpn/tun1.conf ${VPSURL}${VPSPATH}/openvpn-tun1.6.1.conf + else + wget -O /etc/openvpn/tun0.conf ${VPSURL}${VPSPATH}/openvpn-tun0.conf + wget -O /etc/openvpn/tun1.conf ${VPSURL}${VPSPATH}/openvpn-tun1.conf + fi + if [ "$OPENVPN_BONDING" = "yes" ]; then + wget -O /etc/openvpn/bonding1.conf ${VPSURL}${VPSPATH}/openvpn-bonding1.conf + wget -O /etc/openvpn/bonding2.conf ${VPSURL}${VPSPATH}/openvpn-bonding2.conf + wget -O /etc/openvpn/bonding3.conf ${VPSURL}${VPSPATH}/openvpn-bonding3.conf + wget -O /etc/openvpn/bonding4.conf ${VPSURL}${VPSPATH}/openvpn-bonding4.conf + wget -O /etc/openvpn/bonding5.conf ${VPSURL}${VPSPATH}/openvpn-bonding5.conf + wget -O /etc/openvpn/bonding6.conf ${VPSURL}${VPSPATH}/openvpn-bonding6.conf + wget -O /etc/openvpn/bonding7.conf ${VPSURL}${VPSPATH}/openvpn-bonding7.conf + wget -O /etc/openvpn/bonding8.conf ${VPSURL}${VPSPATH}/openvpn-bonding8.conf + fi else - cp ${DIR}/openvpn-tun0.conf /etc/openvpn/tun0.conf - cp ${DIR}/openvpn-tun1.conf /etc/openvpn/tun1.conf + if [ "$KERNEL" != "5.4" ]; then + cp ${DIR}/openvpn-tun0.6.1.conf /etc/openvpn/tun0.conf + cp ${DIR}/openvpn-tun1.6.1.conf /etc/openvpn/tun1.conf + else + cp ${DIR}/openvpn-tun0.conf /etc/openvpn/tun0.conf + cp ${DIR}/openvpn-tun1.conf /etc/openvpn/tun1.conf + fi + if [ "$OPENVPN_BONDING" = "yes" ]; then + cp ${DIR}/openvpn-bonding1.conf /etc/openvpn/bonding1.conf + cp ${DIR}/openvpn-bonding2.conf /etc/openvpn/bonding2.conf + cp ${DIR}/openvpn-bonding3.conf /etc/openvpn/bonding3.conf + cp ${DIR}/openvpn-bonding4.conf /etc/openvpn/bonding4.conf + cp 
${DIR}/openvpn-bonding5.conf /etc/openvpn/bonding5.conf + cp ${DIR}/openvpn-bonding6.conf /etc/openvpn/bonding6.conf + cp ${DIR}/openvpn-bonding7.conf /etc/openvpn/bonding7.conf + cp ${DIR}/openvpn-bonding8.conf /etc/openvpn/bonding8.conf + fi + fi + if [ "$(ip -6 a 2>/dev/null)" = "" ]; then + sed -i 's/proto tcp6-server//' /etc/openvpn/tun0.conf + sed -i 's/proto udp6//' /etc/openvpn/tun1.conf + if [ "$OPENVPN_BONDING" = "yes" ]; then + sed -i 's/proto udp6//' /etc/openvpn/bonding1.conf + sed -i 's/proto udp6//' /etc/openvpn/bonding2.conf + sed -i 's/proto udp6//' /etc/openvpn/bonding3.conf + sed -i 's/proto udp6//' /etc/openvpn/bonding4.conf + sed -i 's/proto udp6//' /etc/openvpn/bonding5.conf + sed -i 's/proto udp6//' /etc/openvpn/bonding6.conf + sed -i 's/proto udp6//' /etc/openvpn/bonding7.conf + sed -i 's/proto udp6//' /etc/openvpn/bonding8.conf + fi fi mkdir -p /etc/openvpn/ccd + if [ ! -f /etc/openvpn/ccd/ipp_tcp.txt ]; then + echo 'openmptcprouter,10.255.250.2,' > /etc/openvpn/ccd/ipp_tcp.txt + fi + if [ ! 
-f /etc/openvpn/ccd/ipp_udp.txt ]; then + echo 'openmptcprouter,10.255.252.2,' > /etc/openvpn/ccd/ipp_udp.txt + fi + chmod 644 /lib/systemd/system/openvpn*.service systemctl enable openvpn@tun0.service systemctl enable openvpn@tun1.service + if [ "$KERNEL" != "5.4" ]; then + mptcpize enable openvpn@tun0 >/dev/null 2>&1 + fi + if [ "$OPENVPN_BONDING" = "yes" ]; then + systemctl enable openvpn@bonding1.service + systemctl enable openvpn@bonding2.service + systemctl enable openvpn@bonding3.service + systemctl enable openvpn@bonding4.service + systemctl enable openvpn@bonding5.service + systemctl enable openvpn@bonding6.service + systemctl enable openvpn@bonding7.service + systemctl enable openvpn@bonding8.service + fi fi echo 'Glorytun UDP' # Install Glorytun UDP -if systemctl -q is-active glorytun-udp@tun0.service; then +if systemctl -q is-active glorytun-udp@tun0.service 2>/dev/null; then systemctl -q stop 'glorytun-udp@*' > /dev/null 2>&1 fi -if [ "$SOURCES" = "yes" ]; then - rm -f /var/lib/dpkg/lock - rm -f /var/lib/dpkg/lock-frontend - apt-get install -y --no-install-recommends build-essential git ca-certificates meson pkg-config - rm -rf /tmp/glorytun-udp - cd /tmp - git clone https://github.com/angt/glorytun.git /tmp/glorytun-udp - cd /tmp/glorytun-udp - git checkout ${GLORYTUN_UDP_VERSION} - git submodule update --init --recursive - meson build - ninja -C build install - sed -i 's:EmitDNS=yes:EmitDNS=no:g' /lib/systemd/network/glorytun.network - rm /lib/systemd/system/glorytun* - rm /lib/systemd/network/glorytun* - if [ "$LOCALFILES" = "no" ]; then - wget -O /usr/local/bin/glorytun-udp-run ${VPSURL}${VPSPATH}/glorytun-udp-run +if [ "$GLORYTUN_UDP" = "yes" ]; then + if [ "$SOURCES" = "yes" ]; then + rm -f /var/lib/dpkg/lock + rm -f /var/lib/dpkg/lock-frontend + rm -f /usr/bin/glorytun + apt-get install -y --no-install-recommends build-essential git ca-certificates meson pkg-config + rm -rf /tmp/glorytun-udp + cd /tmp + git clone 
https://github.com/Ysurac/glorytun.git /tmp/glorytun-udp + cd /tmp/glorytun-udp + git checkout ${GLORYTUN_UDP_VERSION} + git submodule update --init --recursive + meson build + ninja -C build install + sed -i 's:EmitDNS=yes:EmitDNS=no:g' /lib/systemd/network/glorytun.network + rm /lib/systemd/system/glorytun* + rm /lib/systemd/network/glorytun* + if [ "$LOCALFILES" = "no" ]; then + wget -O /usr/local/bin/glorytun-udp-run ${VPSURL}${VPSPATH}/glorytun-udp-run + else + cp ${DIR}/glorytun-udp-run /usr/local/bin/glorytun-udp-run + fi + chmod 755 /usr/local/bin/glorytun-udp-run + if [ "$LOCALFILES" = "no" ]; then + wget -O /lib/systemd/system/glorytun-udp@.service ${VPSURL}${VPSPATH}/glorytun-udp%40.service.in + else + cp ${DIR}/glorytun-udp@.service.in /lib/systemd/system/glorytun-udp@.service + fi + chmod 644 /lib/systemd/system/glorytun-udp@.service + #wget -O /lib/systemd/network/glorytun-udp.network ${VPSURL}${VPSPATH}/glorytun-udp.network + rm -f /lib/systemd/network/glorytun-udp.network + mkdir -p /etc/glorytun-udp + if [ "$LOCALFILES" = "no" ]; then + wget -O /etc/glorytun-udp/post.sh ${VPSURL}${VPSPATH}/glorytun-udp-post.sh + wget -O /etc/glorytun-udp/tun0 ${VPSURL}${VPSPATH}/tun0.glorytun-udp + else + cp ${DIR}/glorytun-udp-post.sh /etc/glorytun-udp/post.sh + cp ${DIR}/tun0.glorytun-udp /etc/glorytun-udp/tun0 + fi + chmod 755 /etc/glorytun-udp/post.sh + if [ "$update" = "0" ] || [ ! -f /etc/glorytun-udp/tun0.key ]; then + echo "$GLORYTUN_PASS" > /etc/glorytun-udp/tun0.key + elif [ ! 
-f /etc/glorytun-udp/tun0.key ] && [ -f /etc/glorytun-tcp/tun0.key ]; then + cp /etc/glorytun-tcp/tun0.key /etc/glorytun-udp/tun0.key + fi + systemctl enable glorytun-udp@tun0.service + systemctl enable systemd-networkd.service + cd /tmp + rm -rf /tmp/glorytun-udp else - cp ${DIR}/glorytun-udp-run /usr/local/bin/glorytun-udp-run + rm -f /usr/local/bin/glorytun + apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" -o Dpkg::Options::="--force-overwrite" install --reinstall omr-glorytun=${GLORYTUN_UDP_BINARY_VERSION} + chmod 644 /lib/systemd/system/glorytun-udp@.service + GLORYTUN_PASS="$(cat /etc/glorytun-udp/tun0.key | tr -d '\n')" fi - chmod 755 /usr/local/bin/glorytun-udp-run - if [ "$LOCALFILES" = "no" ]; then - wget -O /lib/systemd/system/glorytun-udp@.service ${VPSURL}${VPSPATH}/glorytun-udp%40.service.in - else - cp ${DIR}/glorytun-udp@.service.in /lib/systemd/system/glorytun-udp@.service - fi - #wget -O /lib/systemd/network/glorytun-udp.network ${VPSURL}${VPSPATH}/glorytun-udp.network - rm -f /lib/systemd/network/glorytun-udp.network - mkdir -p /etc/glorytun-udp - if [ "$LOCALFILES" = "no" ]; then - wget -O /etc/glorytun-udp/post.sh ${VPSURL}${VPSPATH}/glorytun-udp-post.sh - wget -O /etc/glorytun-udp/tun0 ${VPSURL}${VPSPATH}/tun0.glorytun-udp - else - cp ${DIR}/glorytun-udp-post.sh /etc/glorytun-udp/post.sh - cp ${DIR}/tun0.glorytun-udp /etc/glorytun-udp/tun0 - fi - chmod 755 /etc/glorytun-udp/post.sh - if [ "$update" = "0" ] || [ ! -f /etc/glorytun-udp/tun0.key ]; then - echo "$GLORYTUN_PASS" > /etc/glorytun-udp/tun0.key - elif [ ! 
-f /etc/glorytun-udp/tun0.key ] && [ -f /etc/glorytun-tcp/tun0.key ]; then
- cp /etc/glorytun-tcp/tun0.key /etc/glorytun-udp/tun0.key
- fi
- systemctl enable glorytun-udp@tun0.service
- systemctl enable systemd-networkd.service
- cd /tmp
- rm -rf /tmp/glorytun-udp
-else
- apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" -o Dpkg::Options::="--force-overwrite" install omr-glorytun
- GLORYTUN_PASS="$(cat /etc/glorytun-udp/tun0.key | tr -d '\n')"
+ [ "$(ip -6 a 2>/dev/null)" != "" ] && sed -i 's/0.0.0.0/::/g' /etc/glorytun-udp/tun0
 fi
+
 # Add chrony for time sync
 apt-get install -y chrony
 systemctl enable chrony
@@ -833,7 +1722,7 @@ systemctl enable chrony
 if [ "$DSVPN" = "yes" ]; then
 echo 'A Dead Simple VPN'
 # Install A Dead Simple VPN
- if systemctl -q is-active dsvpn-server.service; then
+ if systemctl -q is-active dsvpn-server.service 2>/dev/null; then
 systemctl -q disable dsvpn-server > /dev/null 2>&1
 systemctl -q stop dsvpn-server > /dev/null 2>&1
 fi
@@ -843,17 +1732,16 @@ if [ "$DSVPN" = "yes" ]; then
 apt-get install -y --no-install-recommends build-essential git ca-certificates
 rm -rf /tmp/dsvpn
 cd /tmp
- git clone https://github.com/jedisct1/dsvpn.git /tmp/dsvpn
+ git clone https://github.com/ysurac/dsvpn.git /tmp/dsvpn
 cd /tmp/dsvpn
 git checkout ${DSVPN_VERSION}
- wget https://github.com/Ysurac/openmptcprouter-feeds/raw/develop/dsvpn/patches/nofirewall.patch
- patch -p1 < nofirewall.patch
 make CFLAGS='-DNO_DEFAULT_ROUTES -DNO_DEFAULT_FIREWALL'
 make install
 rm -f /lib/systemd/system/dsvpn/*
 wget -O /usr/local/bin/dsvpn-run ${VPSURL}${VPSPATH}/dsvpn-run
 chmod 755 /usr/local/bin/dsvpn-run
 wget -O /lib/systemd/system/dsvpn-server@.service ${VPSURL}${VPSPATH}/dsvpn-server%40.service.in
+ chmod 644 /lib/systemd/system/dsvpn-server@.service
 mkdir -p /etc/dsvpn
 wget -O /etc/dsvpn/dsvpn0 ${VPSURL}${VPSPATH}/dsvpn0-config
 if [ -f /etc/dsvpn/dsvpn.key ]; then
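Review bot: In the glorytun-udp source branch the arm `elif [ ! -f /etc/glorytun-udp/tun0.key ] && [ -f /etc/glorytun-tcp/tun0.key ]` is unreachable: the preceding `if [ "$update" = "0" ] || [ ! -f /etc/glorytun-udp/tun0.key ]` already takes every case where `tun0.key` is missing, so the copy from the TCP key never runs; either drop the arm or test for the TCP key before writing `$GLORYTUN_PASS`. `echo "$GLORYTUN_PASS" > /etc/glorytun-udp/tun0.key` also creates the key under the current umask with no `chmod 600` after it, unlike `/etc/mlvpn/mlvpn0.conf`, which the mlvpn hunk finishes with `chmod 0600`. In the OpenVPN part, the eight near-identical `wget`/`cp`/`sed -i 's/proto udp6//'`/`systemctl enable` lines per `bonding` config would read better as one `for i in 1 2 3 4 5 6 7 8; do ... done` each, and none of the `wget -O` calls check their exit status, so a failed download leaves an empty `.conf` behind that is then enabled as a service.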
@@ -866,59 +1754,75 @@ if [ "$DSVPN" = "yes" ]; then cd /tmp rm -rf /tmp/dsvpn else - apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" -o Dpkg::Options::="--force-overwrite" install omr-dsvpn + apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" -o Dpkg::Options::="--force-overwrite" install omr-dsvpn=${DSVPN_BINARY_VERSION} + chmod 644 /lib/systemd/system/dsvpn-server@.service DSVPN_PASS=$(cat /etc/dsvpn/dsvpn0.key | tr -d "\n") fi + if [ "$KERNEL" != "5.4" ]; then + mptcpize enable dsvpn-server@dsvpn0 >/dev/null 2>&1 + fi fi # Install Glorytun TCP -if systemctl -q is-active glorytun-tcp@tun0.service; then +if systemctl -q is-active glorytun-tcp@tun0.service 2>/dev/null; then systemctl -q stop 'glorytun-tcp@*' > /dev/null 2>&1 fi -if [ "$SOURCES" = "yes" ]; then - if [ "$ID" = "debian" ]; then - if [ "$VERSION_ID" = "9" ]; then - apt -t stretch-backports -y install libsodium-dev - else - apt -y install libsodium-dev +if [ "$GLORYTUN_TCP" = "yes" ]; then + if [ "$SOURCES" = "yes" ]; then + if [ "$ID" = "debian" ]; then + if [ "$VERSION_ID" = "9" ]; then + apt -t stretch-backports -y install libsodium-dev + else + apt -y install libsodium-dev + fi + elif [ "$ID" = "ubuntu" ]; then + apt-get -y install libsodium-dev fi - elif [ "$ID" = "ubuntu" ]; then - apt-get -y install libsodium-dev + rm -f /var/lib/dpkg/lock + rm -f /var/lib/dpkg/lock-frontend + rm -f /usr/bin/glorytun-tcp + apt-get -y install build-essential pkg-config autoconf automake + rm -rf /tmp/glorytun-0.0.35 + cd /tmp + if [ "$KERNEL" != "5.4" ]; then + wget -O /tmp/glorytun-0.0.35.tar.gz https://github.com/Ysurac/glorytun/archive/refs/heads/tcp.tar.gz + else + wget -O /tmp/glorytun-0.0.35.tar.gz https://github.com/angt/glorytun/releases/download/v0.0.35/glorytun-0.0.35.tar.gz + fi + tar xzf glorytun-0.0.35.tar.gz + if [ "$KERNEL" != "5.4" ]; then + mv /tmp/glorytun-tcp /tmp/glorytun-0.0.35 + fi + cd glorytun-0.0.35 + ./autogen.sh + 
./configure + make + cp glorytun /usr/local/bin/glorytun-tcp + wget -O /usr/local/bin/glorytun-tcp-run ${VPSURL}${VPSPATH}/glorytun-tcp-run + chmod 755 /usr/local/bin/glorytun-tcp-run + wget -O /lib/systemd/system/glorytun-tcp@.service ${VPSURL}${VPSPATH}/glorytun-tcp%40.service.in + #wget -O /lib/systemd/network/glorytun-tcp.network ${VPSURL}${VPSPATH}/glorytun.network + chmod 644 /lib/systemd/system/glorytun-tcp@.service + rm -f /lib/systemd/network/glorytun-tcp.network + mkdir -p /etc/glorytun-tcp + wget -O /etc/glorytun-tcp/post.sh ${VPSURL}${VPSPATH}/glorytun-tcp-post.sh + chmod 755 /etc/glorytun-tcp/post.sh + wget -O /etc/glorytun-tcp/tun0 ${VPSURL}${VPSPATH}/tun0.glorytun + if [ "$update" = "0" ]; then + echo "$GLORYTUN_PASS" > /etc/glorytun-tcp/tun0.key + fi + systemctl enable glorytun-tcp@tun0.service + #systemctl enable systemd-networkd.service + cd /tmp + rm -rf /tmp/glorytun-0.0.35 + else + rm -f /usr/local/bin/glorytun-tcp + apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" -o Dpkg::Options::="--force-overwrite" install --reinstall omr-glorytun-tcp=${GLORYTUN_TCP_BINARY_VERSION} fi - rm -f /var/lib/dpkg/lock - rm -f /var/lib/dpkg/lock-frontend - apt-get -y install build-essential pkg-config autoconf automake - rm -rf /tmp/glorytun-0.0.35 - cd /tmp - wget -O /tmp/glorytun-0.0.35.tar.gz http://github.com/angt/glorytun/releases/download/v0.0.35/glorytun-0.0.35.tar.gz - tar xzf glorytun-0.0.35.tar.gz - cd glorytun-0.0.35 - ./autogen.sh - ./configure - make - cp glorytun /usr/local/bin/glorytun-tcp - wget -O /usr/local/bin/glorytun-tcp-run ${VPSURL}${VPSPATH}/glorytun-tcp-run - chmod 755 /usr/local/bin/glorytun-tcp-run - wget -O /lib/systemd/system/glorytun-tcp@.service ${VPSURL}${VPSPATH}/glorytun-tcp%40.service.in - #wget -O /lib/systemd/network/glorytun-tcp.network ${VPSURL}${VPSPATH}/glorytun.network - rm -f /lib/systemd/network/glorytun-tcp.network - mkdir -p /etc/glorytun-tcp - wget -O /etc/glorytun-tcp/post.sh 
${VPSURL}${VPSPATH}/glorytun-tcp-post.sh - chmod 755 /etc/glorytun-tcp/post.sh - wget -O /etc/glorytun-tcp/tun0 ${VPSURL}${VPSPATH}/tun0.glorytun - if [ "$update" = "0" ]; then - echo "$GLORYTUN_PASS" > /etc/glorytun-tcp/tun0.key - fi - systemctl enable glorytun-tcp@tun0.service - #systemctl enable systemd-networkd.service - cd /tmp - rm -rf /tmp/glorytun-0.0.35 -else - apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" -o Dpkg::Options::="--force-overwrite" install omr-glorytun-tcp + [ "$(ip -6 a)" != "" ] && sed -i 's/0.0.0.0/::/g' /etc/glorytun-tcp/tun0 fi - # Load tun module at boot time if ! grep -q tun /etc/modules ; then echo tun >> /etc/modules 
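Review bot: For kernels other than 5.4 the new source path fetches `https://github.com/Ysurac/glorytun/archive/refs/heads/tcp.tar.gz`, a branch-head archive whose contents change with every push, so the build is not reproducible and cannot be compared against a known checksum. Prefer a tag or commit archive and verify a recorded sha256 before `tar xzf`, as the 5.4 path at least pins v0.0.35. The closing `[ "$(ip -6 a)" != "" ] && sed -i 's/0.0.0.0/::/g' /etc/glorytun-tcp/tun0` lacks the `2>/dev/null` its glorytun-udp twin uses. The re-added `rm -f /var/lib/dpkg/lock` / `rm -f /var/lib/dpkg/lock-frontend` pair removes dpkg's locks while another package operation may hold them; checking for a running apt/dpkg first (or just waiting) is safer than deleting the lock files.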
@@ -932,26 +1836,49 @@ else fi chmod 755 /usr/local/bin/multipath +# Add omr-test-speed utility +if [ "$LOCALFILES" = "no" ]; then + wget -O /usr/local/bin/omr-test-speed ${VPSURL}${VPSPATH}/omr-test-speed +else + cp ${DIR}/omr-test-speed /usr/local/bin/omr-test-speed +fi +chmod 755 /usr/local/bin/omr-test-speed + # Add OpenMPTCProuter service if [ "$LOCALFILES" = "no" ]; then wget -O /usr/local/bin/omr-service ${VPSURL}${VPSPATH}/omr-service wget -O /lib/systemd/system/omr.service ${VPSURL}${VPSPATH}/omr.service.in wget -O /usr/local/bin/omr-6in4-run ${VPSURL}${VPSPATH}/omr-6in4-run wget -O /lib/systemd/system/omr6in4@.service ${VPSURL}${VPSPATH}/omr6in4%40.service.in + wget -O /usr/local/bin/omr-bypass ${VPSURL}${VPSPATH}/omr-bypass + wget -O /lib/systemd/system/omr-bypass.service ${VPSURL}${VPSPATH}/omr-bypass.service.in + wget -O /lib/systemd/system/omr-bypass.timer ${VPSURL}${VPSPATH}/omr-bypass.timer.in else cp ${DIR}/omr-service /usr/local/bin/omr-service cp ${DIR}/omr.service.in /lib/systemd/system/omr.service cp ${DIR}/omr-6in4-run /usr/local/bin/omr-6in4-run cp ${DIR}/omr6in4@.service.in /lib/systemd/system/omr6in4@.service + cp ${DIR}/omr-bypass /usr/local/bin/omr-bypass + cp ${DIR}/omr-bypass.service.in /lib/systemd/system/omr-bypass.service + cp ${DIR}/omr-bypass.timer.in /lib/systemd/system/omr-bypass.timer + fi +chmod 644 /lib/systemd/system/omr.service +chmod 644 /lib/systemd/system/omr6in4@.service chmod 755 /usr/local/bin/omr-service +chmod 755 /usr/local/bin/omr-bypass chmod 755 /usr/local/bin/omr-6in4-run -if systemctl -q is-active omr-6in4.service; then +chmod 644 /lib/systemd/system/omr-bypass.service +chmod 644 /lib/systemd/system/omr-bypass.timer +systemctl daemon-reload +if systemctl -q is-active omr-6in4.service 2>/dev/null; then systemctl -q stop omr-6in4 > /dev/null 2>&1 systemctl -q disable omr-6in4 > /dev/null 2>&1 fi systemctl enable omr6in4@user0.service systemctl enable omr.service +systemctl enable omr-bypass.timer +systemctl 
enable omr-bypass.service # Change SSH port to 65222 sed -i 's:#Port 22:Port 65222:g' /etc/ssh/sshd_config @@ -973,8 +1900,10 @@ if [ "$update" = "0" ]; then fi tar xzf /etc/shorewall/openmptcprouter-shorewall.tar.gz -C /etc/shorewall rm /etc/shorewall/openmptcprouter-shorewall.tar.gz - sed -i "s:eth0:$INTERFACE:g" /etc/shorewall/* - systemctl enable shorewall + if [ -n "$INTERFACE" ]; then + sed -i "s:eth0:$INTERFACE:g" /etc/shorewall/* + systemctl enable shorewall + fi if [ "$LOCALFILES" = "no" ]; then wget -O /etc/shorewall6/openmptcprouter-shorewall6.tar.gz ${VPSURL}${VPSPATH}/openmptcprouter-shorewall6.tar.gz else 
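Review bot: The new `wget -O /usr/local/bin/omr-bypass ${VPSURL}${VPSPATH}/omr-bypass` installs a script that the new `omr-bypass.timer` then runs as root, with no integrity check on the downloaded content and with `${VPSURL}${VPSPATH}` unquoted. A pinned sha256 comparison (or a signed release archive) before the `chmod 755` would close that gap; the omr-test-speed download above has the same shape. Enabling both `omr-bypass.timer` and `omr-bypass.service` looks redundant if the service is only meant to run from the timer; whether the unit also wants to start at boot depends on its WantedBy, which is not visible here.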
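Review bot: When `$INTERFACE` is empty the new guard silently skips both the `sed` and `systemctl enable shorewall`, so a fresh install can finish with the firewall never enabled and nothing saying so. Add an else branch such as `else printf 'warning: no IPv4 interface detected, shorewall not enabled\n' >&2`, so the operator notices; the INTERFACE6/shorewall6 guard in the next hunk needs the same.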
@@ -982,48 +1911,49 @@ if [ "$update" = "0" ]; then fi tar xzf /etc/shorewall6/openmptcprouter-shorewall6.tar.gz -C /etc/shorewall6 rm /etc/shorewall6/openmptcprouter-shorewall6.tar.gz - sed -i "s:eth0:$INTERFACE:g" /etc/shorewall6/* - systemctl enable shorewall6 + if [ -n "$INTERFACE6" ]; then + sed -i "s:eth0:$INTERFACE6:g" /etc/shorewall6/* + systemctl enable shorewall6 + fi else # Update only needed firewall files if [ "$LOCALFILES" = "no" ]; then - wget -O /etc/shorewall/interfaces ${VPSURL}${VPSPATH}/shorewall4/interfaces - wget -O /etc/shorewall/snat ${VPSURL}${VPSPATH}/shorewall4/snat - wget -O /etc/shorewall/stoppedrules ${VPSURL}${VPSPATH}/shorewall4/stoppedrules - wget -O /etc/shorewall/tcinterfaces ${VPSURL}${VPSPATH}/shorewall4/tcinterfaces - wget -O /etc/shorewall/shorewall.conf ${VPSURL}${VPSPATH}/shorewall4/shorewall.conf - wget -O /etc/shorewall/policy ${VPSURL}${VPSPATH}/shorewall4/policy - wget -O /etc/shorewall/params ${VPSURL}${VPSPATH}/shorewall4/params - wget -O /etc/shorewall/params.vpn ${VPSURL}${VPSPATH}/shorewall4/params.vpn - wget -O /etc/shorewall/params.net ${VPSURL}${VPSPATH}/shorewall4/params.net - wget -O /etc/shorewall6/params ${VPSURL}${VPSPATH}/shorewall6/params - wget -O /etc/shorewall6/params.net ${VPSURL}${VPSPATH}/shorewall6/params.net - wget -O /etc/shorewall6/params.vpn ${VPSURL}${VPSPATH}/shorewall6/params.vpn - wget -O /etc/shorewall6/interfaces ${VPSURL}${VPSPATH}/shorewall6/interfaces - wget -O /etc/shorewall6/stoppedrules ${VPSURL}${VPSPATH}/shorewall6/stoppedrules - wget -O /etc/shorewall6/snat ${VPSURL}${VPSPATH}/shorewall6/snat - else - cp ${DIR}/shorewall4/interfaces /etc/shorewall/interfaces - cp ${DIR}/shorewall4/snat /etc/shorewall/snat - cp ${DIR}/shorewall4/stoppedrules /etc/shorewall/stoppedrules - cp ${DIR}/shorewall4/tcinterfaces /etc/shorewall/tcinterfaces - cp ${DIR}/shorewall4/shorewall.conf /etc/shorewall/shorewall.conf - cp ${DIR}/shorewall4/policy /etc/shorewall/policy - cp ${DIR}/shorewall4/params 
/etc/shorewall/params - cp ${DIR}/shorewall4/params.vpn /etc/shorewall/params.vpn - cp ${DIR}/shorewall4/params.net /etc/shorewall/params.net - cp ${DIR}/shorewall6/params /etc/shorewall6/params - cp ${DIR}/shorewall6/params.net /etc/shorewall6/params.net - cp ${DIR}/shorewall6/params.vpn /etc/shorewall6/params.vpn - cp ${DIR}/shorewall6/interfaces /etc/shorewall6/interfaces - cp ${DIR}/shorewall6/stoppedrules /etc/shorewall6/stoppedrules - cp ${DIR}/shorewall6/snat /etc/shorewall6/snat + mkdir -p ${DIR} + wget -O ${DIR}/openmptcprouter-shorewall.tar.gz ${VPSURL}${VPSPATH}/openmptcprouter-shorewall.tar.gz + wget -O ${DIR}/openmptcprouter-shorewall6.tar.gz ${VPSURL}${VPSPATH}/openmptcprouter-shorewall6.tar.gz + mkdir -p ${DIR}/shorewall4 + tar xzvf ${DIR}/openmptcprouter-shorewall.tar.gz -C ${DIR}/shorewall4 + mkdir -p ${DIR}/shorewall6 + tar xzvf ${DIR}/openmptcprouter-shorewall6.tar.gz -C ${DIR}/shorewall6 fi + cp ${DIR}/shorewall4/interfaces /etc/shorewall/interfaces + cp ${DIR}/shorewall4/snat /etc/shorewall/snat + cp ${DIR}/shorewall4/stoppedrules /etc/shorewall/stoppedrules + cp ${DIR}/shorewall4/tcinterfaces /etc/shorewall/tcinterfaces + cp ${DIR}/shorewall4/shorewall.conf /etc/shorewall/shorewall.conf + cp ${DIR}/shorewall4/policy /etc/shorewall/policy + cp ${DIR}/shorewall4/params /etc/shorewall/params + cp ${DIR}/shorewall4/zones /etc/shorewall/zones + #cp ${DIR}/shorewall4/params.vpn /etc/shorewall/params.vpn + #cp ${DIR}/shorewall4/params.net /etc/shorewall/params.net + cp ${DIR}/shorewall6/params /etc/shorewall6/params + #cp ${DIR}/shorewall6/params.net /etc/shorewall6/params.net + #cp ${DIR}/shorewall6/params.vpn /etc/shorewall6/params.vpn + cp ${DIR}/shorewall6/interfaces /etc/shorewall6/interfaces + cp ${DIR}/shorewall6/stoppedrules /etc/shorewall6/stoppedrules + cp ${DIR}/shorewall6/snat /etc/shorewall6/snat sed -i "s:eth0:$INTERFACE:g" /etc/shorewall/* sed -i 's/^.*#DNAT/#DNAT/g' /etc/shorewall/rules sed -i 's:10.0.0.2:$OMR_ADDR:g' 
/etc/shorewall/rules - sed -i "s:eth0:$INTERFACE:g" /etc/shorewall6/* + sed -i "s:eth0:$INTERFACE6:g" /etc/shorewall6/* + if [ "$LOCALFILES" = "no" ]; then + rm -rf ${DIR}/shorewall4 + rm -rf ${DIR}/shorewall6 + rm -f ${DIR}/openmptcprouter-shorewall.tar.gz + rm -f ${DIR}/openmptcprouter-shorewall6.tar.gz + fi fi +[ -z "$(grep nf_conntrack_sip /etc/modprobe.d/blacklist.conf)" ] && echo 'blacklist nf_conntrack_sip' >> /etc/modprobe.d/blacklist.conf if [ "$ID" = "debian" ] && [ "$VERSION_ID" = "10" ]; then apt-get -y install iptables update-alternatives --set iptables /usr/sbin/iptables-legacy 
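Review bot: The context line `sed -i 's:10.0.0.2:$OMR_ADDR:g' /etc/shorewall/rules` is single-quoted, so the literal text `$OMR_ADDR` ends up in the rules file instead of the address; it should be `sed -i "s:10.0.0.2:$OMR_ADDR:g" /etc/shorewall/rules` like the INTERFACE substitutions around it. The new cleanup `rm -rf ${DIR}/shorewall4` / `rm -rf ${DIR}/shorewall6` runs with DIR unquoted and unguarded; `rm -rf -- "${DIR:?}/shorewall4"` refuses to run when DIR is unset or empty. The new `[ -z "$(grep nf_conntrack_sip /etc/modprobe.d/blacklist.conf)" ] && echo ...` can be written `grep -q nf_conntrack_sip /etc/modprobe.d/blacklist.conf 2>/dev/null || echo 'blacklist nf_conntrack_sip' >> /etc/modprobe.d/blacklist.conf`, which avoids a stderr message when the file does not exist yet.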
@@ -1035,19 +1965,31 @@ if ([ "$ID" = "debian" ] && [ "$VERSION_ID" = "10" ]) || ([ "$ID" = "ubuntu" ] & sed -i 's:DROP_DEFAULT=Drop:DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)":g' /etc/shorewall6/shorewall6.conf sed -i 's:REJECT_DEFAULT=Reject:REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)":g' /etc/shorewall6/shorewall6.conf fi +if [ "$(ip r | awk '/default/&&/src/ {print $7}')" != "" ] && [ "$(ip r | awk '/default/&&/src/ {print $7}')" != "dhcp" ]; then + sed -i "s/MASQUERADE/SNAT($(ip r | awk '/default/&&/src/ {print $7}'))/" /etc/shorewall/snat +fi + +# Limit /var/log/journal size +sed -i 's/#SystemMaxUse=/SystemMaxUse=100M/' /etc/systemd/journald.conf if [ "$TLS" = "yes" ]; then VPS_CERT=0 - apt-get -y install dnsutils socat - if [ "$VPS_DOMAIN" != "" ] && [ "$(dig +noidnout +noall +answer $VPS_DOMAIN)" != "" ] && [ "$(ping -c 1 -w 1 $VPS_DOMAIN)" ]; then + apt-get -y install socat cron + if [ "$VPS_DOMAIN" != "" ] && [ "$(getent hosts $VPS_DOMAIN | awk '{ print $1; exit }')" != "" ] && [ "$(ping -c 1 -w 1 $VPS_DOMAIN)" ]; then if [ ! 
-f "/root/.acme.sh/$VPS_DOMAIN/$VPS_DOMAIN.cer" ]; then echo "Generate certificate for V2Ray" set +e #[ "$(shorewall status | grep stopped)" = "" ] && shorewall open all all tcp 443 curl https://get.acme.sh | sh systemctl -q restart shorewall - ~/.acme.sh/acme.sh --force --alpn --issue -d $VPS_DOMAIN --pre-hook 'shorewall open all all tcp 443 2>&1 >/dev/null' --post-hook 'shorewall close all all tcp 443 2>&1 >/dev/null' 2>&1 >/dev/null + ~/.acme.sh/acme.sh --force --alpn --issue -d $VPS_DOMAIN --pre-hook 'shorewall open all all tcp 443 >/dev/null 2>&1' --post-hook 'shorewall close all all tcp 443 >/dev/null 2>&1' >/dev/null 2>&1 set -e + if [ -f /root/.acme.sh/$VPS_DOMAIN/$VPS_DOMAIN.cer ]; then + rm -f /etc/openmptcprouter-vps-admin/cert.pem + ln -s /root/.acme.sh/$VPS_DOMAIN/$VPS_DOMAIN.cer /etc/openmptcprouter-vps-admin/cert.pem + rm -f /etc/openmptcprouter-vps-admin/key.pem + ln -s /root/.acme.sh/$VPS_DOMAIN/$VPS_DOMAIN.key /etc/openmptcprouter-vps-admin/key.pem + fi # mkdir -p /etc/ssl/v2ray # ln -f -s /root/.acme.sh/$reverse/$reverse.key /etc/ssl/v2ray/omr.key # ln -f -s /root/.acme.sh/$reverse/fullchain.cer /etc/ssl/v2ray/omr.cer @@ -1060,9 +2002,9 @@ if [ "$TLS" = "yes" ]; then fi if [ "$SPEEDTEST" = "yes" ]; then - if [ ! -f /usr/share/omr-server/speedtest/test.img ]; then + mkdir -p /usr/share/omr-server/speedtest + if [ ! -f /usr/share/omr-server/speedtest/test.img ] && [ "$(df /usr/share/omr-server/speedtest | awk '/[0-9]%/{print $(NF-2)}')" -gt 2000000 ]; then echo "Generate speedtest image..." - mkdir -p /usr/share/omr-server/speedtest dd if=/dev/urandom of=/usr/share/omr-server/speedtest/test.img count=1024 bs=1048576 echo "Done" fi 
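Review bot: The new SNAT block runs `ip r | awk '/default/&&/src/ {print $7}'` three times and splices the result unescaped into a `sed` replacement; capture it once, `src_ip=$(ip r | awk '/default/&&/src/ {print $7}')`, test that variable, and use it in the sed. `$VPS_DOMAIN` is still unquoted in the new `getent hosts $VPS_DOMAIN` and in `ping -c 1 -w 1 $VPS_DOMAIN`, so a value with spaces or a leading `-` is word-split or parsed as an option. The new `ln -s /root/.acme.sh/$VPS_DOMAIN/$VPS_DOMAIN.key /etc/openmptcprouter-vps-admin/key.pem` makes the TLS private key reachable under the admin directory; it is worth confirming that the target file and that directory are not group/world readable.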
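Review bot: The new free-space check `"$(df /usr/share/omr-server/speedtest | awk '/[0-9]%/{print $(NF-2)}')" -gt 2000000` compares against an unexplained number and relies on `df` keeping its default column layout; `df -P -k` gives the POSIX single-line format, and a comment such as `# need ~2 GB free (1K blocks) before writing the 1 GiB random test image` states the intent. If awk yields an empty string the `-gt` test prints an error and the image is skipped silently; handling the empty case explicitly makes that visible.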
@@ -1087,11 +2029,16 @@ else echo "< OpenMPTCProuter VPS $OMR_VERSION >" > /etc/motd fi +if [ "$SOURCES" != "yes" ]; then + apt-get -y install omr-server=${OMR_VERSION} >/dev/null 2>&1 || true + rm -f /etc/openmtpcprouter-vps-admin/update-bin +fi + if [ "$update" = "0" ]; then # Display important info echo '====================================================================================' echo "OpenMPTCProuter Server $OMR_VERSION is now installed !" - echo '\033[4m\0331mSSH port: 65222 (instead of port 22)\033[0m' + echo '\033[1m SSH port: 65222 (instead of port 22)\033[0m' if [ "$OMR_ADMIN" = "yes" ]; then echo '====================================================================================' echo '!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!' @@ -1106,12 +2053,14 @@ if [ "$update" = "0" ]; then echo 'Shadowsocks encryption: chacha20' echo 'Your shadowsocks key: ' echo $SHADOWSOCKS_PASS + echo 'Your shadowsocks 2022 key: ' + echo "${PSK}:${UPSK}" echo 'Glorytun port: 65001' echo 'Glorytun encryption: chacha20' echo 'Your glorytun key: ' echo $GLORYTUN_PASS if [ "$DSVPN" = "yes" ]; then - echo 'A Dead Simple VPN port: 65011' + echo 'A Dead Simple VPN port: 65401' echo 'A Dead Simple VPN key: ' echo $DSVPN_PASS fi 
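Review bot: The new `rm -f /etc/openmtpcprouter-vps-admin/update-bin` has a typo in the directory name (`openmtpcprouter` versus the `openmptcprouter-vps-admin` used elsewhere in this script), so it never removes the file it targets; it should read `rm -f /etc/openmptcprouter-vps-admin/update-bin`. The preceding `apt-get -y install omr-server=${OMR_VERSION} >/dev/null 2>&1 || true` hides every failure, including a missing or mismatched package version; printing a warning on failure would at least make a half-updated server noticeable.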
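Review bot: The new `echo "${PSK}:${UPSK}"` is printed unconditionally, while the matching write to /root/openmptcprouter_config.txt later in this commit is guarded by `[ "$SHADOWSOCKS_GO" = "yes" ]`; wrap these two echo lines in the same guard so an install without shadowsocks-go does not print an empty or stale key. The shadowsocks-libev key echo above it is likewise not guarded by SHADOWSOCKS, though that is pre-existing.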
@@ -1142,35 +2091,49 @@ if [ "$update" = "0" ]; then echo '====================================================================================' echo '\033[1m /!\ You need to reboot to enable MPTCP, shadowsocks, glorytun and shorewall /!\ \033[0m' echo '------------------------------------------------------------------------------------' - echo ' After reboot, check with uname -a that the kernel name contain mptcp.' + echo ' For kernel 5.4, after reboot, check with uname -a that the kernel name contain mptcp.' echo ' Else, you may have to modify GRUB_DEFAULT in /etc/default/grub' + echo ' For 6.x kernels, check that a 6.x kernel is used, no kernel name changes.' echo '====================================================================================' # Save info in file cat > /root/openmptcprouter_config.txt <<-EOF SSH port: 65222 (instead of port 22) - Shadowsocks port: 65101 - Shadowsocks encryption: chacha20 - Your shadowsocks key: ${SHADOWSOCKS_PASS} - Glorytun port: 65001 - Glorytun encryption: chacha20 - Your glorytun key: ${GLORYTUN_PASS} EOF + if [ "$SHADOWSOCKS" = "yes" ]; then + cat >> /root/openmptcprouter_config.txt <<-EOF + Shadowsocks port: 65101 + Shadowsocks encryption: chacha20 + Your shadowsocks key: ${SHADOWSOCKS_PASS} + EOF + fi + if [ "$SHADOWSOCKS_GO" = "yes" ]; then + cat >> /root/openmptcprouter_config.txt <<-EOF + Your shadowsocks 2022 key: ${PSK}:${UPSK} + EOF + fi + if ([ "$GLORYTUN_TCP" = "yes" ] || [ "$GLORYTUN_UDP" = "yes" ]); then + cat >> /root/openmptcprouter_config.txt <<-EOF + Glorytun port: 65001 + Glorytun encryption: chacha20 + Your glorytun key: ${GLORYTUN_PASS} + EOF + fi if [ "$DSVPN" = "yes" ]; then cat >> /root/openmptcprouter_config.txt <<-EOF - A Dead Simple VPN port: 65011 + A Dead Simple VPN port: 65401 A Dead Simple VPN key: ${DSVPN_PASS} EOF fi if [ "$MLVPN" = "yes" ]; then cat >> /root/openmptcprouter_config.txt <<-EOF - MLVPN first port: 65201' + MLVPN first port: 65201 Your MLVPN password: $MLVPN_PASS EOF fi if 
[ "$UBOND" = "yes" ]; then cat >> /root/openmptcprouter_config.txt <<-EOF - UBOND first port: 65251' + UBOND first port: 65251 Your UBOND password: $UBOND_PASS EOF fi @@ -1181,6 +2144,7 @@ if [ "$update" = "0" ]; then Your OpenMPTCProuter Server username: openmptcprouter EOF fi + #systemctl -q restart sshd else echo '====================================================================================' echo "OpenMPTCProuter Server is now updated to version $OMR_VERSION !" @@ -1208,18 +2172,27 @@ else systemctl -q restart v2ray echo 'done' fi + if [ "$XRAY" = "yes" ]; then + echo 'Restarting xray...' + systemctl -q restart xray + echo 'done' + fi if [ "$DSVPN" = "yes" ]; then echo 'Restarting dsvpn...' systemctl -q start dsvpn-server@dsvpn0 || true systemctl -q restart 'dsvpn-server@*' || true echo 'done' fi - echo 'Restarting glorytun...' - systemctl -q start glorytun-tcp@tun0 || true - systemctl -q restart 'glorytun-tcp@*' || true - systemctl -q start glorytun-udp@tun0 || true - systemctl -q restart 'glorytun-udp@*' || true - echo 'done' + if [ "$GLORYTUN_TCP" = "yes" ]; then + echo 'Restarting glorytun tcp...' + systemctl -q start glorytun-tcp@tun0 || true + systemctl -q restart 'glorytun-tcp@*' || true + fi + if [ "$GLORYTUN_UDP" = "yes" ]; then + systemctl -q start glorytun-udp@tun0 || true + systemctl -q restart 'glorytun-udp@*' || true + echo 'done' + fi echo 'Restarting omr6in4...' systemctl -q start omr6in4@user0 || true systemctl -q restart omr6in4@* || true @@ -1230,6 +2203,11 @@ else systemctl -q restart openvpn@tun1 echo 'done' fi + if [ "$WIREGUARD" = "yes" ]; then + echo 'Restarting WireGuard' + systemctl -q restart wg-quick@wg0 + echo 'done' + fi if [ "$OMR_ADMIN" = "yes" ]; then echo 'Restarting OpenMPTCProuter VPS admin' systemctl -q restart omr-admin 
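Review bot: The new per-feature here-docs append VPN keys to /root/openmptcprouter_config.txt with `cat >>`, but nothing restricts the file's mode, so it gets whatever the umask gives; add `chmod 600 /root/openmptcprouter_config.txt` right after the first `cat >` (or set `umask 077` before it) so the secrets are not readable by other local accounts. The `<<-EOF` form strips leading tabs only; if the indented bodies or the closing `EOF` lines are indented with spaces the terminator is not recognized, and the collapsed rendering here does not show which was used. `if ([ "$GLORYTUN_TCP" = "yes" ] || [ "$GLORYTUN_UDP" = "yes" ]); then` forks a subshell for nothing; `if [ "$GLORYTUN_TCP" = "yes" ] || [ "$GLORYTUN_UDP" = "yes" ]; then` is equivalent.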
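Review bot: In the split glorytun restart, `echo 'done'` lives only in the GLORYTUN_UDP branch while `echo 'Restarting glorytun tcp...'` lives only in the TCP branch, so a TCP-only server prints a start line with no end and a UDP-only server prints `done` with no start line. Give the UDP branch its own `echo 'Restarting glorytun udp...'` and put an `echo 'done'` at the end of each branch.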
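Review bot: The new `systemctl -q restart wg-quick@wg0` has no `|| true`, unlike the dsvpn, glorytun and omr6in4 restarts above it, so under the script's `set -e` a WireGuard restart failure aborts the update before the remaining services are restarted. Use `systemctl -q restart wg-quick@wg0 || true` to match the block, or better `|| printf 'warning: wg-quick@wg0 restart failed\n' >&2` so the failure is still reported.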
@@ -1247,28 +2225,40 @@ else echo 'openmptcprouter' echo '!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!' echo '====================================================================================' + else + echo '!!! Keys are in /root/openmptcprouter_config.txt !!!' fi fi if [ "$VPS_CERT" = "0" ]; then echo 'No working domain detected, not able to generate certificate for v2ray.' echo 'You can set VPS_DOMAIN to a working domain if you want a certificate.' fi - echo 'Restarting shorewall...' - systemctl -q restart shorewall - systemctl -q restart shorewall6 - echo 'done' echo 'Apply latest sysctl...' - sysctl -p /etc/sysctl.d/90-shadowsocks.conf > /dev/null 2>&1 + sysctl -p /etc/sysctl.d/90-shadowsocks.conf > /dev/null 2>&1 || true echo 'done' echo 'Restarting omr...' systemctl -q restart omr echo 'done' - echo 'Restarting shadowsocks...' - systemctl -q restart shadowsocks-libev-manager@manager + if [ "$SHADOWSOCKS" = "yes" ]; then + echo 'Restarting shadowsocks...' + systemctl -q restart shadowsocks-libev-manager@manager + fi + if [ "$SHADOWSOCKS_GO" = "yes" ]; then + echo 'Restarting shadowsocks-go...' + systemctl -q restart shadowsocks-go + fi # if [ $NBCPU -gt 1 ]; then # for i in $NBCPU; do # systemctl restart shadowsocks-libev-server@config$i # done # fi echo 'done' + echo 'Restarting shorewall...' + [ -n "$INTERFACE" ] && systemctl -q restart shorewall >/dev/null 2>&1 || true + [ -n "$INTERFACE6" ] && systemctl -q restart shorewall6 >/dev/null 2>&1 || true + echo 'done' + echo '====================================================================================' + echo '\033[1m /!\ You need to reboot to use latest MPTCP kernel /!\ \033[0m' + echo '====================================================================================' fi +exit 0 \ No newline at end of file diff --git a/dsvpn-run b/dsvpn-run index e4000c2..f4a2a5d 100644 --- a/dsvpn-run +++ b/dsvpn-run 
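Review bot: The new `[ -n "$INTERFACE" ] && systemctl -q restart shorewall >/dev/null 2>&1 || true` discards both the exit status and the stderr of the firewall restart, so a shorewall configuration error leaves the host without the intended rules while the script prints `done`. Keep the guard but surface failures, e.g. `if [ -n "$INTERFACE" ]; then systemctl -q restart shorewall || printf 'warning: shorewall restart failed\n' >&2; fi`, and the same for shorewall6. The `sysctl -p ... || true` change is fine as best-effort but deserves a short comment saying that is intentional.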
@@ -12,7 +12,7 @@ fi exec dsvpn \ ${MODE} \ "$1".key \ - auto \ + ${HOST:-auto} \ ${PORT} \ ${DEV} \ ${LOCALTUNIP} \ diff --git a/dsvpn0-config b/dsvpn0-config index 933e98b..647f160 100644 --- a/dsvpn0-config +++ b/dsvpn0-config @@ -1,4 +1,5 @@ PORT=65401 +HOST=0.0.0.0 DEV=dsvpn0 MODE=server LOCALTUNIP=10.255.251.1 diff --git a/fail2ban-filter-openvpn.conf b/fail2ban-filter-openvpn.conf new file mode 100644 index 0000000..1a53b2f --- /dev/null +++ b/fail2ban-filter-openvpn.conf @@ -0,0 +1,10 @@ +[INCLUDES] +before = common.conf + +[Definition] +_daemon = ovpn-server +failregex =%(__prefix_line)s:[0-9]{4,5} TLS Auth Error:.* + %(__prefix_line)s:[0-9]{4,5} VERIFY ERROR:.* + %(__prefix_line)s:[0-9]{4,5} TLS Error: TLS handshake failed.* + %(__prefix_line)sTLS Error: cannot locate HMAC in incoming packet from \[AF_INET\]:[0-9]{4,5} +maxlines = 1 diff --git a/fail2ban-jail-openmptcprouter.conf b/fail2ban-jail-openmptcprouter.conf new file mode 100644 index 0000000..45cf34d --- /dev/null +++ b/fail2ban-jail-openmptcprouter.conf @@ -0,0 +1,21 @@ +[DEFAULT] +backend = systemd +banaction = shorewall + +[sshd] +enabled = true + +[openvpn_tcp] +enabled = true +port = 65301 +protocol = tcp +filter = openvpn +maxretry = 5 + +[openvpn_udp] +enabled = true +port = 65301 +protocol = udp +filter = openvpn +maxretry = 5 + diff --git a/glorytun-tcp-run b/glorytun-tcp-run index 9ccbee6..0572861 100644 --- a/glorytun-tcp-run +++ b/glorytun-tcp-run @@ -9,7 +9,7 @@ fi . "$(readlink -f "$1")" -DEV="gt${HOST:+c}-$(basename "$1")" +DEV="gt-$(basename "$1")" exec glorytun-tcp \ ${SERVER:+listener} \ diff --git a/glorytun-udp-post.sh b/glorytun-udp-post.sh index 2c1dc40..51a20f0 100644 --- a/glorytun-udp-post.sh +++ b/glorytun-udp-post.sh 
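Review bot: None of the four `failregex` entries in fail2ban-filter-openvpn.conf contains a `<HOST>` (or `<ADDR>`) capture, and fail2ban refuses to load a filter whose regex has no failure-id group, so as written the openvpn jails would never ban anything. OpenVPN logs the peer as `ADDR:PORT` directly after the daemon prefix, so the first three lines should read `%(__prefix_line)s<HOST>:[0-9]{4,5} TLS Auth Error:.*` (and likewise for `VERIFY ERROR` and `TLS handshake failed`), and the last one `...from \[AF_INET\]<HOST>:[0-9]{4,5}`. Running `fail2ban-regex` against a real log line before shipping would confirm the match.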
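Review bot: The `[sshd]` jail in fail2ban-jail-openmptcprouter.conf is enabled with the default `port = ssh`, but the install script moves sshd to 65222; with `banaction = shorewall` the port is ignored so it works today, yet any port-aware banaction would ban the wrong port. Adding `port = 65222` under `[sshd]` keeps the jail correct regardless of action. The openvpn jails use `filter = openvpn`, which assumes the filter file is installed as filter.d/openvpn.conf; the step that renames fail2ban-filter-openvpn.conf is outside this diff, so I cannot confirm it.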
@@ -13,4 +13,5 @@ done ip addr add ${LOCALIP}/30 brd ${BROADCASTIP} dev ${INTF} 2>&1 >/dev/null } tc qdisc replace dev $INTF root cake -ip link set $INTF txqlen 100 \ No newline at end of file +ip link set $INTF txqlen 100 +glorytun set dev gt-udp-tun0 kxtimeout 7d 2>&1 >/dev/null \ No newline at end of file diff --git a/glorytun-udp-run b/glorytun-udp-run index d393056..fb66c92 100644 --- a/glorytun-udp-run +++ b/glorytun-udp-run @@ -9,11 +9,10 @@ fi . "$(readlink -f "$1")" -DEV="gt${HOST:+c}-udp-$(basename "$1")" +DEV="gt-udp-$(basename "$1")" exec glorytun \ - bind $BIND $BIND_PORT \ + bind to addr ${HOST:-::} port ${PORT:-5000} from addr $BIND port $BIND_PORT \ keyfile "$1".key \ ${DEV:+dev "$DEV"} \ - ${HOST:+to "$HOST" "$PORT"} \ ${OPTIONS:+$OPTIONS} diff --git a/iperf3.override.conf b/iperf3.override.conf new file mode 100644 index 0000000..94edfcc --- /dev/null +++ b/iperf3.override.conf @@ -0,0 +1,3 @@ +[Service] +ExecStart= +ExecStart=/usr/bin/iperf3 -s -p 65400 --authorized-users-path /etc/iperf3/users.csv --rsa-private-key-path /etc/iperf3/private.pem \ No newline at end of file diff --git a/iperf3.service.in b/iperf3.service.in index 72d8094..03f7ff2 100644 --- a/iperf3.service.in +++ b/iperf3.service.in @@ -3,7 +3,7 @@ Description=iperf3 Requires=network.target [Service] -ExecStart=/usr/bin/iperf3 -s -p 65400 --authorized-users-path /etc/iperf3/users.csv --rsa-private-key-path /etc/iperf3/public.pem +ExecStart=/usr/bin/iperf3 -s -p 65400 --authorized-users-path /etc/iperf3/users.csv --rsa-private-key-path /etc/iperf3/private.pem Restart=on-failure [Install] diff --git a/multipath b/multipath old mode 100644 new mode 100755 index cee0743..bc90876 --- a/multipath +++ b/multipath 
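Review bot: The new `glorytun set dev gt-udp-tun0 kxtimeout 7d 2>&1 >/dev/null` hardcodes the device name while every other line of this post script uses `$INTF`, so any instance other than tun0 would re-tune tun0 instead of itself; assuming INTF is the `gt-udp-*` device the run script creates, `glorytun set dev "$INTF" kxtimeout 7d >/dev/null 2>&1` is the intended form. Note also the redirection order: `2>&1 >/dev/null` sends stderr to the original stdout and silences only stdout, which is probably the opposite of what was meant (the existing `ip addr add` line has the same quirk).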
@@ -6,9 +6,8 @@ # Released under GPL 3 or later if [ -d "/proc/sys/net/mptcp" ]; then - if [ `cat /proc/sys/net/mptcp/mptcp_enabled` = 0 ]; then + if ([ -f /proc/sys/net/mptcp/mptcp_enabled ] && [ `cat /proc/sys/net/mptcp/mptcp_enabled` = 0 ]) || ([ -f /proc/sys/net/mptcp/enabled ] && [ `cat /proc/sys/net/mptcp/enabled` = 0 ]); then echo "MPTCP is disabled!" - echo "Please set net.mptcp.mptcp_enabled = 1" exit 1 fi else @@ -26,7 +25,7 @@ case $1 in echo " multipath device {on | off | backup | handover}" echo echo "show established conections: -c" - echo "show mullmesh info: -f" + echo "show fullmesh info: -f" echo "show kernel config: -k" echo echo "Flag on the device, to enable/disable MPTCP for this interface. The backup-flag" 
@@ -43,12 +42,28 @@ case $1 in cat /proc/net/mptcp_fullmesh exit 0;; "-k") - echo Enabled: `cat /proc/sys/net/mptcp/mptcp_enabled` - echo Path Manager: `cat /proc/sys/net/mptcp/mptcp_path_manager` - echo Use checksum: `cat /proc/sys/net/mptcp/mptcp_checksum` - echo Scheduler: `cat /proc/sys/net/mptcp/mptcp_scheduler` - echo Syn retries: `cat /proc/sys/net/mptcp/mptcp_syn_retries` - echo Debugmode: `cat /proc/sys/net/mptcp/mptcp_debug` + if [ -f /proc/sys/net/mptcp/mptcp_enabled ]; then + echo Enabled: `cat /proc/sys/net/mptcp/mptcp_enabled` + elif [ -f /proc/sys/net/mptcp/enabled ]; then + echo Enabled: `cat /proc/sys/net/mptcp/enabled` + fi + if [ -f /proc/sys/net/mptcp/mptcp_path_manager ]; then + echo Path Manager: `cat /proc/sys/net/mptcp/mptcp_path_manager` + fi + if [ -f /proc/sys/net/mptcp/mptcp_checksum ]; then + echo Use checksum: `cat /proc/sys/net/mptcp/mptcp_checksum` + else + echo Use checksum: `cat /proc/sys/net/mptcp/checksum_enabled` + fi + if [ -f /proc/sys/net/mptcp/mptcp_scheduler ]; then + echo Scheduler: `cat /proc/sys/net/mptcp/mptcp_scheduler` + fi + if [ -f /proc/sys/net/mptcp/mptcp_syn_retries ]; then + echo Syn retries: `cat /proc/sys/net/mptcp/mptcp_syn_retries` + fi + if [ -f /proc/sys/net/mptcp/mptcp_debug ]; then + echo Debugmode: `cat /proc/sys/net/mptcp/mptcp_debug` + fi echo echo See http://multipath-tcp.org/ for details exit 0 ;; 
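Review bot: In the new `-k` output the checksum branch falls through to `cat /proc/sys/net/mptcp/checksum_enabled` without testing that the file exists, unlike every sibling, so on a kernel with neither file `cat` prints an error instead of a value; make it `elif [ -f /proc/sys/net/mptcp/checksum_enabled ]; then`. The backtick `cat` substitutions are unquoted throughout; `$(cat ...)` inside double quotes is the modern form, but that is pre-existing style.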
@@ -65,38 +80,98 @@ TYPE="$2" #FLAG_PATH=`find /sys/devices/ -path "*/net/$DEVICE/flags"` [ -d "/sys/class/net/$DEVICE/" ] || { - echo "Device '$DEVICE' can't found!" - echo "Use the hardware name like in ifconfig" + #echo "Device '$DEVICE' can't found!" + #echo "Use the hardware name like in ifconfig" exit 1 } -FLAG_PATH="/sys/class/net/$DEVICE/flags" -IFF=`cat $FLAG_PATH` +if [ -f /proc/sys/net/mptcp/mptcp_enabled ]; then + FLAG_PATH="/sys/class/net/$DEVICE/flags" + IFF=`cat $FLAG_PATH` -IFF_OFF="0x80000" -IFF_ON="0x00" -IFF_BACKUP="0x100000" -IFF_HANDOVER="0x200000" -IFF_MASK="0x380000" + IFF_OFF="0x80000" + IFF_ON="0x00" + IFF_BACKUP="0x100000" + IFF_HANDOVER="0x200000" + IFF_MASK="0x380000" -case $TYPE in - "off") FLAG=$IFF_OFF;; - "on") FLAG=$IFF_ON;; - "backup") FLAG=$IFF_BACKUP;; - "handover") FLAG=$IFF_HANDOVER;; - "") - IFF=`printf "0x%02x" $(($IFF&$IFF_MASK))` - case "$IFF" in - $IFF_OFF) echo $DEVICE is deactivated;; - $IFF_ON) echo $DEVICE is in default mode;; - $IFF_BACKUP) echo $DEVICE is in backup mode;; - $IFF_HANDOVER) echo $DEVICE is in handover mode;; - *) echo "Unkown state!" && exit 1;; - esac - exit 0;; - *) echo "Unkown flag! Use 'multipath -h' for help" && exit 1;; -esac + case $TYPE in + "off") FLAG=$IFF_OFF;; + "on") FLAG=$IFF_ON;; + "backup") FLAG=$IFF_BACKUP;; + "handover") FLAG=$IFF_HANDOVER;; + "") + IFF=`printf "0x%02x" $(($IFF&$IFF_MASK))` + case "$IFF" in + $IFF_OFF) echo $DEVICE is deactivated;; + $IFF_ON) echo $DEVICE is in default mode;; + $IFF_BACKUP) echo $DEVICE is in backup mode;; + $IFF_HANDOVER) echo $DEVICE is in handover mode;; + *) echo "Unkown state!" && exit 1;; + esac + exit 0;; + *) echo "Unkown flag! 
Use 'multipath -h' for help" && exit 1;; + esac -printf "0x%02x" $(($(($IFF^$(($IFF&$IFF_MASK))))|$FLAG)) > $FLAG_PATH + printf "0x%02x" $(($(($IFF^$(($IFF&$IFF_MASK))))|$FLAG)) > $FLAG_PATH +else + ID=$(ip mptcp endpoint show | grep -m 1 "dev $DEVICE" | awk '{print $3}') + IFF=$(ip mptcp endpoint show | grep -m 1 "dev $DEVICE" | awk '{print $4}') + #IP=$(ip a show $DEVICE | sed -En 's/127.0.0.1//;s/.*inet (addr:)?(([0-9]*\.){3}[0-9]*).*/\2/p') + [ -f /usr/bin/jsonfilter ] && IP=$(ip -j a show $DEVICE | jsonfilter -e '@[0].addr_info[*].local') + [ -f /usr/bin/jq ] && IP=$(ip -j a show $DEVICE | jq -r '.[0].addr_info[].local') + RMID=$(ip mptcp endpoint show | grep '::ffff' | awk '{ print $3 }') + [ -n "$RMID" ] && ip mptcp endpoint delete id $RMID 2>&1 >/dev/null + case $TYPE in + "off") + [ -n "$ID" ] && { + for i in $ID; do + ip mptcp endpoint delete id $i 2>&1 >/dev/null + done + } + exit 0;; + "on") + [ -n "$ID" ] && { + for i in $ID; do + ip mptcp endpoint delete id $i 2>&1 >/dev/null + done + } + for i in $IP; do + ip mptcp endpoint add $i dev $DEVICE subflow fullmesh + done + exit 0;; + "signal") + [ -n "$ID" ] && { + for i in $ID; do + ip mptcp endpoint delete id $i 2>&1 >/dev/null + done + } + for i in $IP; do + ip mptcp endpoint add $i dev $DEVICE signal + done + exit 0;; + "backup") + [ -n "$ID" ] && { + for i in $ID; do + ip mptcp endpoint delete id $i 2>&1 >/dev/null + done + } + for i in $IP; do + ip mptcp endpoint add $i dev $DEVICE backup fullmesh + done + exit 0;; + "") + case "$IFF" in + "") echo $DEVICE is deactivated;; + "subflow") echo $DEVICE is in default mode;; + "backup") echo $DEVICE is in backup mode;; + "signal") echo $DEVICE is in signal mode;; + "fullmesh") echo $DEVICE is in fullmesh mode;; + *) echo "$DEVICE Unkown state!" && exit 1;; + esac + exit 0;; + *) echo "Unkown flag! Use 'multipath -h' for help" && exit 1;; + esac +fi diff --git a/old-v2ray.service b/old-v2ray.service new file mode 100644 index 0000000..9ed715a --- /dev/null 
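Review bot: In the new `ip mptcp` branch, `ID=$(ip mptcp endpoint show | grep -m 1 "dev $DEVICE" | awk '{print $3}')` keeps only the first matching endpoint, yet every `for i in $ID` loop expects all of them, so a device with several endpoints has only one removed on `off`/`on`/`backup`; drop `-m 1` here and anchor the match (`"dev $DEVICE$"` or an awk field comparison) because `grep "dev eth1"` also matches `dev eth10`. `IP` is only assigned when /usr/bin/jsonfilter or /usr/bin/jq exists, so without either tool `on`/`signal`/`backup` silently delete the endpoints and add none — that path should fail with a message. The `RMID` block deletes every `::ffff` endpoint regardless of `$DEVICE`, which deserves a comment explaining why, and the usage text earlier in the file (`{on | off | backup | handover}`) does not mention the new `signal` mode. Commenting out the two "Device ... can't found" messages leaves `exit 1` with no diagnostic at all.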
+++ b/old-v2ray.service @@ -0,0 +1,25 @@ +[Unit] +Description=V2Ray - A unified platform for anti-censorship +Documentation=https://v2ray.com https://guide.v2fly.org +After=network.target nss-lookup.target +Wants=network-online.target + +[Service] +# If the version of systemd is 240 or above, then uncommenting Type=exec and commenting out Type=simple +#Type=exec +Type=simple +# Runs as root or add CAP_NET_BIND_SERVICE ability can bind 1 to 1024 port. +# This service runs as root. You may consider to run it as another user for security concerns. +# By uncommenting User=v2ray and commenting out User=root, the service will run as user v2ray. +# More discussion at https://github.com/v2ray/v2ray-core/issues/1011 +User=root +#User=v2ray +CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW +NoNewPrivileges=yes +ExecStart=/usr/bin/v2ray -config /etc/v2ray/config.json +Restart=on-failure +# Don't restart in the case of configuration error +RestartPreventExitStatus=23 + +[Install] +WantedBy=multi-user.target diff --git a/omr-6in4-run b/omr-6in4-run index ea5faad..ae91dce 100755 --- a/omr-6in4-run +++ b/omr-6in4-run @@ -3,7 +3,7 @@ set -e if [ ! -f "$2" ]; then - echo "usage: $(basename "$0") FILE" + echo "usage: $(basename "$0") start FILE" exit 1 fi diff --git a/omr-admin-ipv6.service.in b/omr-admin-ipv6.service.in new file mode 100644 index 0000000..9af8b55 --- /dev/null +++ b/omr-admin-ipv6.service.in @@ -0,0 +1,12 @@ +[Unit] +Description=OMR-Admin IPv6 +After=network.target network-online.target + +[Service] +Type=simple +Restart=always +ExecStart=/usr/local/bin/omr-admin.py --host="::" +CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN CAP_IPC_LOCK CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_FOWNER CAP_SETFCAP + +[Install] +WantedBy=multi-user.target diff --git a/omr-admin.service.in b/omr-admin.service.in index d76318a..ba30724 100644 --- a/omr-admin.service.in +++ b/omr-admin.service.in 
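Review bot: The new `CapabilityBoundingSet` in omr-admin-ipv6.service.in, and the same change to omr-admin.service.in in the next hunk, add CAP_SYS_ADMIN, CAP_SETUID, CAP_SETGID, CAP_DAC_OVERRIDE, CAP_FOWNER, CAP_SETFCAP and CAP_SYS_CHROOT, which together amount to unrestricted root, so the bounding set no longer limits what a compromise of the network-facing admin API can do. Each capability should be justified in a comment above the line (which omr-admin.py operation needs it) and any added speculatively removed; moving the privileged steps into a small helper unit would let the listening service keep the original `CAP_NET_ADMIN CAP_NET_RAW` set. The IPv6 unit's `--host="::"` listens on every address and so relies entirely on the firewall for exposure control; that is presumably intended but worth stating in a comment in the unit.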
@@ -6,7 +6,7 @@ After=network.target network-online.target Type=simple Restart=always ExecStart=/usr/local/bin/omr-admin.py -CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW +CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN CAP_IPC_LOCK CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_FOWNER CAP_SETFCAP [Install] WantedBy=multi-user.target diff --git a/omr-bypass b/omr-bypass new file mode 100755 index 0000000..5aa8e02 --- /dev/null +++ b/omr-bypass 
@@ -0,0 +1,82 @@
+#!/bin/sh
+# Copyright (C) 2023 Ycarus (Yannick Chabanois) for OpenMPTCProuter
+# Released under GPL 3. See LICENSE for the full terms.
+
+[ ! -f /etc/openmptcprouter-vps-admin/omr-bypass.json ] && exit 0
+
+# Configuration
+INTERFACE="$(jq -M -r .bypass_intf /etc/openmptcprouter-vps-admin/omr-admin-config.json | tr -d '\n')"
+[ "$INTERFACE" = "null" ] && INTERFACE="vpn1"
+GATEWAY="$(ip r show dev ${INTERFACE} | awk '/via/ {print $3}' | tr -d '\n')"
+GATEWAY6="$(ip -6 r show dev ${INTERFACE} | awk '/via/ {print $3}' | tr -d '\n')"
+TABLE="991337"
+MARK="0x539"
+
+CHECKSUM="$(md5sum /etc/openmptcprouter-vps-admin/omr-bypass.json | awk '{print $1}' | tr -d '\n')"
+PREVIOUS_CHECKSUM="$(jq -M -r .bypass_checksum /etc/openmptcprouter-vps-admin/omr-admin-config.json | tr -d '\n')"
+[ "$CHECKSUM" = "$PREVIOUS_CHECKSUM" ] && exit 0
+jq -M --arg c "$CHECKSUM" '.bypass_checksum = $c' /etc/openmptcprouter-vps-admin/omr-admin-config.json > /etc/openmptcprouter-vps-admin/omr-admin-config.json.tmp
+mv /etc/openmptcprouter-vps-admin/omr-admin-config.json.tmp /etc/openmptcprouter-vps-admin/omr-admin-config.json
+# Action
+ipset -q flush omr_dst_bypass_srv_${INTERFACE} 2>&1 > /dev/null
+ipset -q flush omr6_dst_bypass_srv_${INTERFACE} 2>&1 > /dev/null
+ipset -q --exist restore <<-EOF
+create omr_dst_bypass_srv_${INTERFACE} hash:net hashsize 64
+create omr6_dst_bypass_srv_${INTERFACE} hash:net family inet6 hashsize 64
+EOF
+ipv4=$(cat /etc/openmptcprouter-vps-admin/omr-bypass.json | jq -r .${INTERFACE}.ipv4[])
+for ip in $ipv4; do
+ ipset -q add omr_dst_bypass_srv_${INTERFACE} $ip
+done
+ipv6=$(cat /etc/openmptcprouter-vps-admin/omr-bypass.json | jq -r .${INTERFACE}.ipv6[])
+for ip in $ipv6; do
+ ipset -q add omr6_dst_bypass_srv_${INTERFACE} $ip
+done
+iptables-save --counters 2>/dev/null | grep -v omr-bypass | iptables-restore -w --counters 2>/dev/null
+iptables-restore -w --wait=60 --noflush <<-EOF
+*mangle
+:omr-bypass -
+-A PREROUTING -j omr-bypass
+COMMIT
+EOF
+iptables-restore -w --wait=60 --noflush <<-EOF
+*mangle
+:omr-bypass-local -
+-A OUTPUT -m addrtype ! --dst-type LOCAL -j omr-bypass-local
+COMMIT
+EOF
+iptables-restore -w --wait=60 --noflush <<-EOF
+*mangle
+-A omr-bypass -m set --match-set omr_dst_bypass_srv_${INTERFACE} dst -j MARK --set-mark ${MARK}
+-A omr-bypass -m mark --mark ${MARK} -j RETURN
+-A omr-bypass-local -m set --match-set omr_dst_bypass_srv_${INTERFACE} dst -j MARK --set-mark ${MARK}
+-A omr-bypass-local -m mark --mark ${MARK} -j RETURN
+COMMIT
+EOF
+ip rule add prio 1 fwmark ${MARK} lookup ${TABLE} > /dev/null 2>&1
+ip route replace default via ${GATEWAY} dev ${INTERFACE} table ${TABLE}
+ip6tables-save --counters 2>/dev/null | grep -v omr-bypass | ip6tables-restore -w --counters 2>/dev/null
+ip6tables-restore -w --wait=60 --noflush <<-EOF
+*mangle
+:omr-bypass -
+-A PREROUTING -j omr-bypass
+COMMIT
+EOF
+ip6tables-restore -w --wait=60 --noflush <<-EOF
+*mangle
+:omr-bypass-local -
+-A OUTPUT -m addrtype ! --dst-type LOCAL -j omr-bypass-local
+COMMIT
+EOF
+ip6tables-restore -w --wait=60 --noflush <<-EOF
+*mangle
+-A omr-bypass -m set --match-set omr6_dst_bypass_srv_${INTERFACE} dst -j MARK --set-mark ${MARK}
+-A omr-bypass -m mark --mark ${MARK} -j RETURN
+-A omr-bypass-local -m set --match-set omr6_dst_bypass_srv_${INTERFACE} dst -j MARK --set-mark ${MARK}
+-A omr-bypass-local -m mark --mark ${MARK} -j RETURN
+COMMIT
+EOF
+if [ -n "$GATEWAY6" ]; then
+ ip rule add prio 1 fwmark ${MARK} lookup ${TABLE} > /dev/null 2>&1
+ ip route replace default via ${GATEWAY6} dev ${INTERFACE} table ${TABLE}
+fi
\ No newline at end of file
diff --git a/omr-bypass.service.in b/omr-bypass.service.in
new file mode 100644
index 0000000..0d49437
--- /dev/null
+++ b/omr-bypass.service.in
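Review bot: The IPv6 branch at the end repeats the IPv4 `ip rule add prio 1 fwmark ${MARK} lookup ${TABLE}` verbatim, so no IPv6 policy rule is ever created (the duplicate v4 add just fails into /dev/null) and marked IPv6 packets never consult table ${TABLE}; it should read `ip -6 rule add prio 1 fwmark ${MARK} lookup ${TABLE} > /dev/null 2>&1` and, to make the family explicit, `ip -6 route replace default via ${GATEWAY6} dev ${INTERFACE} table ${TABLE}`. The IPv4 side has no matching `[ -n "$GATEWAY" ]` guard, so an interface without a `via` route runs `ip route replace default via dev …`, which iproute2 rejects. `jq -r .${INTERFACE}.ipv4[]` splices the interface name read from omr-admin-config.json straight into the jq program, which breaks on any name that is not a bare identifier (`vpn-1`, `1vpn`); `jq -r --arg i "$INTERFACE" '.[$i].ipv4[]?'` keeps it as data. The new checksum is written back before any ipset or iptables-restore has run, so a failure in those steps is never retried until omr-bypass.json changes again; moving the `jq --arg c` / `mv` pair to the end of the script fixes that. `ipset -q flush … 2>&1 > /dev/null` sends stderr to the caller's stdout rather than to /dev/null (the order has to be `>/dev/null 2>&1`, as the omr-service hunk in this same commit now does).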
@@ -0,0 +1,12 @@ +[Unit] +Description=OMR-ByPass +After=network.target network-online.target shorewall.service + +[Service] +Type=simple +ExecStart=/usr/local/bin/omr-bypass +KillSignal=9 +CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW + +[Install] +WantedBy=multi-user.target diff --git a/omr-bypass.timer.in b/omr-bypass.timer.in new file mode 100644 index 0000000..85d7eb7 --- /dev/null +++ b/omr-bypass.timer.in @@ -0,0 +1,8 @@ +[Unit] +Description=Timer for omr-bypass + +[Timer] +OnUnitActiveSec=300 + +[Install] +WantedBy=timers.target diff --git a/omr-pihole.sh b/omr-pihole.sh index 20a023f..b8b0c27 100644 --- a/omr-pihole.sh +++ b/omr-pihole.sh @@ -8,6 +8,11 @@ if [ "$ID" = "debian" ] && [ "$VERSION_ID" = "9" ]; then echo "This script doesn't work with Debian Stretch (9.x)" exit 1 fi +if [ "$(id -u)" -ne 0 ]; then + echo "You must run the script as root" + exit 1 +fi + echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" echo "You can select any interface and set any IPs during Pi-hole configuration, this will be modified for OpenMPTCProuter at the end." echo "Don't apply Pi-hole firewall rules." @@ -26,13 +31,14 @@ $SERVER["socket"] == "10.255.252.1:80" { } $SERVER["socket"] == "10.255.251.1:80" { } $SERVER["socket"] == "10.255.253.1:80" { } EOF -systemctl -q restart lighttpd +systemctl list-unit-files lighttpd.service &>/dev/null && systemctl -q restart lighttpd grep -v -e PIHOLE_INTERFACE -e IPV4_ADDRESS -e IPV6_ADDRESS /etc/pihole/setupVars.conf > /etc/pihole/setupVars.new.conf mv /etc/pihole/setupVars.new.conf /etc/pihole/setupVars.conf cat >> /etc/pihole/setupVars.conf <<-EOF PIHOLE_INTERFACE=gt-tun0 IPV4_ADDRESS=10.255.0.0/16 -IPV6_ADDRESS=fe80::aff:ff01/64 +IPV6_ADDRESS=fd00::a00:/106 +RATE_LIMIT=0/0 EOF grep -v interface /etc/dnsmasq.d/01-pihole.conf > /etc/dnsmasq.d/01-pihole.new.conf diff --git a/omr-service b/omr-service index 38002d3..e927ab6 100755 --- a/omr-service 
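Review bot: In the second omr-pihole.sh hunk, `systemctl list-unit-files lighttpd.service &>/dev/null && systemctl -q restart lighttpd` relies on the bash-only `&>`; if omr-pihole.sh runs under `/bin/sh` (its shebang is outside the hunk), dash parses it as `systemctl list-unit-files lighttpd.service &` followed by `>/dev/null && systemctl -q restart lighttpd`, which backgrounds the check and restarts unconditionally, so write it as `systemctl list-unit-files lighttpd.service >/dev/null 2>&1 && systemctl -q restart lighttpd`. `IPV6_ADDRESS=fd00::a00:/106` does not look like a valid IPv6 prefix, since an address cannot end in a single colon; please confirm the intended value (for example whether a trailing `0` before the `/106` was dropped). `RATE_LIMIT=0/0` switches off Pi-hole's per-client query rate limiting for every client reachable through the VPN; if that is intentional, a one-line comment in the heredoc saying why would stop the next maintainer from re-enabling it.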
+++ b/omr-service 
@@ -5,81 +5,228 @@ _multipath() { # Force multipath status source /etc/shorewall/params.net for intf in `ls -1 /sys/class/net`; do - if [ "$intf" = "$NET_IFACE" ]; then - [ "$(multipath $intf | tr -d '\n')" != "$intf is in default mode" ] && multipath $intf on - else - [ "$(multipath $intf | tr -d '\n')" != "$intf is deactivated" ] && multipath $intf off + if [ "$intf" != "bonding_masters" ]; then + if ([ "$(ip a show dev lo | grep -v inet6 | grep global)" != "" ] && [ "$intf" = "lo" ]) || ([ "$intf" = "$NET_IFACE" ] && [ "$(ip a show dev lo | grep -v inet6 | grep global)" = "" ]); then + [ -f /proc/sys/net/mptcp/mptcp_enabled ] && [ "$(multipath $intf | tr -d '\n')" != "$intf is in default mode" ] && multipath $intf on >/dev/null 2>&1 + [ -f /proc/sys/net/mptcp/enabled ] && [ "$(multipath $intf | tr -d '\n')" != "$intf is in signal mode" ] && { + multipath $intf signal >/dev/null 2>&1 + ip mptcp limits set subflows 8 add_addr_accepted 8 >/dev/null 2>&1 + } + else + [ "$(multipath $intf | tr -d '\n')" != "$intf is deactivated" ] && multipath $intf off >/dev/null 2>&1 + fi fi done } _glorytun_udp() { - [ -z "$(glorytun show dev gt-udp-tun0 2>/dev/null | grep tunnel)" ] && { - logger -t "OMR-Service" "Restart Glorytun-UDP" - systemctl -q restart 'glorytun-udp@*' - } - for intf in /etc/glorytun-udp/tun*; do - [ "$(echo $intf | grep key)" = "" ] && /etc/glorytun-udp/post.sh ${intf} - done + #if [ -n "$(systemctl -a | grep 'glorytun-udp')" ]; then + if systemctl list-unit-files glorytun-udp@.service >/dev/null; then + [ -z "$(glorytun show dev gt-udp-tun0 2>/dev/null | grep tunnel)" ] && { + logger -t "OMR-Service" "Restart Glorytun-UDP" + systemctl -q restart 'glorytun-udp@*' + sleep 10 + } + for intf in /etc/glorytun-udp/tun*; do + [ "$(echo $intf | grep key)" = "" ] && /etc/glorytun-udp/post.sh ${intf} + done + #ip link set mtu 9000 dev gt-udp-tun0 >/dev/null 2>&1 + fi } _glorytun_tcp() { - for intf in /etc/glorytun-tcp/tun*; do - [ "$(echo $intf | grep key)" = "" ] 
&& /etc/glorytun-tcp/post.sh ${intf} - done - if [ -f /etc/openmptcprouter-vps-admin/current-vpn ] && [ "$(cat /etc/openmptcprouter-vps-admin/current-vpn)" = "glorytun_tcp" ]; then - if [ "$(ping -c 5 -w 5 10.255.255.2 | grep '100%')" != "" ]; then - logger -t "OMR-Service" "No answer from VPN client end, restart Glorytun-TCP" - systemctl restart glorytun-tcp@tun0 + #if [ -n "$(systemctl -a | grep 'glorytun-tcp')" ]; then + if systemctl list-unit-files glorytun-tcp@.service >/dev/null; then + for intf in /etc/glorytun-tcp/tun*; do + [ "$(echo $intf | grep key)" = "" ] && timeout 10 /etc/glorytun-tcp/post.sh ${intf} + done + if [ -f /etc/openmptcprouter-vps-admin/current-vpn ] && [ "$(cat /etc/openmptcprouter-vps-admin/current-vpn)" = "glorytun_tcp" ]; then + localip="$(cat /etc/glorytun-tcp/tun0 | grep LOCALIP | cut -d '=' -f2)" + [ -z "$localip" ] && localip="10.255.255.1" + remoteip="$(echo $localip | sed 's/\.1/\.2/')" + if [ "$(ping -c 3 -w 10 $remoteip | grep '100%')" != "" ] && ([ -z "$(pgrep glorytun-tcp)" ] || [ "$(expr $(date +%s) - $(stat -c %Y /proc/$(pgrep glorytun-tcp)/exe ))" -gt "300" ]); then + logger -t "OMR-Service" "No answer from VPN client end, restart Glorytun-TCP" + systemctl restart glorytun-tcp@tun0 + sleep 10 + fi + fi + #ip link set mtu 9000 dev gt-tun0 >/dev/null 2>&1 + fi +} + +_dsvpn() { + #if [ -n "$(systemctl -a | grep 'dsvpn')" ]; then + if systemctl list-unit-files dsvpn-server@.service >/dev/null; then + [ -n "$(ip -6 r show 64:ff9b::/96 dev dsvpn0)" ] && ip -6 r del 64:ff9b::/96 dev dsvpn0 >/dev/null 2>&1 + if [ -f /etc/openmptcprouter-vps-admin/current-vpn ] && [ "$(cat /etc/openmptcprouter-vps-admin/current-vpn)" = "dsvpn" ]; then + localip="$(cat /etc/dsvpn/dsvpn0 | grep LOCALTUNIP | cut -d '=' -f2)" + [ -z "$localip" ] && localip="10.255.251.1" + remoteip="$(echo $localip | sed 's/\.1/\.2/')" + if [ "$(ping -c 5 -w 5 $remoteip | grep '100%')" != "" ] && [ "$(expr $(date +%s) - $(stat -c %Y /proc/$(pgrep dsvpn)/exe ))" -gt 
"300" ]; then + logger -t "OMR-Service" "No answer from VPN client end, restart DSVPN" + systemctl restart dsvpn-server@dsvpn0 + fi + #ip link set mtu 9000 dev dsvpn0 >/dev/null 2>&1 fi fi } +_shadowsocks() { + if systemctl list-unit-files shadowsocks-libev-manager@.service >/dev/null; then + [ -z "$(pgrep ss-server)" ] && { + logger -t "OMR-Service" "ss-server not detected, restart Shadowsocks libev" + systemctl restart shadowsocks-libev-manager@manager + } + fi +} + +_shadowsocks_go() { + if systemctl list-unit-files shadowsocks-go.service >/dev/null; then + [ -z "$(pgrep shadowsocks-go)" ] && { + logger -t "OMR-Service" "ss-server not detected, restart Shadowsocks go" + systemctl restart shadowsocks-go + } + fi +} + +_xray() { + if systemctl list-unit-files xray.service >/dev/null; then + [ -z "$(pgrep xray)" ] && { + logger -t "OMR-Service" "ss-server not detected, restart XRay" + systemctl restart xray + } + fi +} + +_v2ray() { + if systemctl list-unit-files v2ray.service >/dev/null; then + [ -z "$(pgrep v2ray)" ] && { + logger -t "OMR-Service" "ss-server not detected, restart V2Ray" + systemctl restart v2ray + } + fi +} + +_wireguard() { + #if [ -n "$(systemctl -a | grep 'wg')" ]; then + if systemctl list-unit-files wg-quick@.service >/dev/null; then + [ -z "$(ip a show dev wg0 | grep '10.255.247.1')" ] && ip a add 10.255.247.1/24 dev wg0 >/dev/null 2>&1 + [ -z "$(ip a show dev client-wg0 | grep '10.255.246.1')" ] && ip a add 10.255.246.1/24 dev client-wg0 >/dev/null 2>&1 + fi +} + + _omr_api() { - [ -z "$(curl -s -k -m 30 https://127.0.0.1:65500/)" ] && { - logger -t "OMR-Service" "Restart OMR-Admin" + [ -z "$(pgrep curl)" ] && [ -z "$(curl -s -k -m 30 https://127.0.0.1:65500/)" ] && { + logger -t "OMR-Service" "Can't contact API, restart OMR-Admin" systemctl -q restart omr-admin } } _lan_route() { - cat /etc/openmptcprouter-vps-admin/omr-admin-config.json | jq -c '.users[0][]' | + jq -c '.users[0][]?' 
/etc/openmptcprouter-vps-admin/omr-admin-config.json | while IFS=$"\n" read -r c; do - vpnremoteip=$(echo "$c" | jq -r '.vpnremoteip') - if [ -n "$vpnremoteip" ] && [ "$vpnremoteip" != "null" ]; then - echo "$c" | jq -c '.lanips //empty' | - while IFS=$"\n" read -r d; do - network=$(ipcalc -n $d | grep Network | awk '{print $2}') - [ -n "$network" ] && [ -z "$(ip r show $network via $vpnremoteip)" ] && ip r replace $network via $vpnremoteip 2>&1 >/dev/null - done + if [ -n "$c" ]; then + vpnremoteip=$(echo "$c" | jq -r '.vpnremoteip') + username=$(echo "$c" | jq -r '.username') + if [ -n "$vpnremoteip" ] && [ "$vpnremoteip" != "null" ]; then + echo "$c" | jq -c -r '.lanips[]? //empty' | + while IFS=$"\n" read -r d; do + if [ "$d" != "" ]; then + network=$(ipcalc -n $d | grep Network | awk '{print $2}') + networkonly=$(ipcalc -n $d | grep Network | awk '{print $2}' | cut -d/ -f1) + netmask=$(ipcalc -n $d | grep Netmask | awk '{print $2}') + [ -n "$network" ] && [ -z "$(ip r show $network via $vpnremoteip)" ] && ip r replace $network via $vpnremoteip >/dev/null 2>&1 + [ -n "$networkonly" ] && [ -n "$netmask" ] && ([ ! -f /etc/openvpn/ccd/${username} ] || [ -z "$(grep $networkonly /etc/openvpn/ccd/${username})" ]) && echo "iroute $networkonly $netmask" >> /etc/openvpn/ccd/${username} + fi + done + fi fi done } _gre_tunnels() { . "$(readlink -f "/etc/shorewall/params.vpn")" - for intf in /etc/openmptcprouter-vps-admin/intf/*; do - if [ -f "$intf" ]; then - . "$(readlink -f "$intf")" - iface="$(basename $intf)" - if [ "$(ip tunnel show $iface 2>/dev/null | awk '{print $4}')" != "$REMOTEIP" ]; then - ip tunnel del $iface 2>&1 >/dev/null - ip tunnel add $iface mode gre local $INTFADDR remote $REMOTEIP - ip link set $iface up - ip addr add $LOCALIP dev $iface - ip route add $NETWORK dev $iface 2>&1 >/dev/null + if [ -n "$OMR_ADDR" ]; then + for intf in /etc/openmptcprouter-vps-admin/intf/*; do + if [ -f "$intf" ]; then + . 
"$(readlink -f "$intf")" + iface="$(basename $intf)" + if [ "$(ip tunnel show $iface 2>/dev/null | awk '{print $4}')" != "$OMR_ADDR" ]; then + [ -n "$(ip tunnel show $iface 2>/dev/null)" ] && ip tunnel del $iface >/dev/null 2>&1 + ip tunnel add $iface mode gre local $INTFADDR remote $OMR_ADDR >/dev/null 2>&1 + ip link set $iface up >/dev/null 2>&1 + ip addr add $LOCALIP dev $iface >/dev/null 2>&1 + ip route add $NETWORK dev $iface >/dev/null 2>&1 + fi fi - fi - done + done + fi } +_openvpn_bonding() { + if [ "$(ip link show ovpnbonding1 2>/dev/null)" != "" ] && ([ "$(ip link show ovpnbonding1 2>/dev/null | grep SLAVE)" = "" ] || [ "$(ip link show omr-bonding 2>/dev/null | grep DOWN)" != "" ] || [ "$(ip link show | grep ovpnbonding | grep -c SLAVE | tr -d '\n')" != "8" ]); then + echo 0 > /sys/class/net/omr-bonding/bonding/mode >/dev/null 2>&1 + ip link set ovpnbonding1 master omr-bonding >/dev/null 2>&1 + ip link set ovpnbonding1 up >/dev/null 2>&1 + ip link set ovpnbonding2 master omr-bonding >/dev/null 2>&1 + ip link set ovpnbonding2 up >/dev/null 2>&1 + ip link set ovpnbonding3 master omr-bonding >/dev/null 2>&1 + ip link set ovpnbonding3 up >/dev/null 2>&1 + ip link set ovpnbonding4 master omr-bonding >/dev/null 2>&1 + ip link set ovpnbonding4 up >/dev/null 2>&1 + ip link set ovpnbonding5 master omr-bonding >/dev/null 2>&1 + ip link set ovpnbonding5 up >/dev/null 2>&1 + ip link set ovpnbonding6 master omr-bonding >/dev/null 2>&1 + ip link set ovpnbonding6 up >/dev/null 2>&1 + ip link set ovpnbonding7 master omr-bonding >/dev/null 2>&1 + ip link set ovpnbonding7 up >/dev/null 2>&1 + ip link set ovpnbonding8 master omr-bonding >/dev/null 2>&1 + ip link set ovpnbonding8 up >/dev/null 2>&1 + ip link set omr-bonding up mtu 1440 >/dev/null 2>&1 + ip a add 10.255.248.1 dev omr-bonding >/dev/null 2>&1 + ip r add 10.255.248.0/24 dev omr-bonding >/dev/null 2>&1 + ip r add 10.255.248.2 dev omr-bonding src 10.255.248.1 >/dev/null 2>&1 + fi +} + +_vpn1() { + vpn1route=$(ip 
r show dev vpn1 2>/dev/null | grep '0.0.0.0') + [ -z "$vpn1route" ] && vpn1route=$(ip r show dev vpn1 2>/dev/null | grep 'default') + if [ -n "$vpn1route" ]; then + ip r del $vpn1route + vpn1gw="$(echo \"$vpn1route\" | awk '{ print $3 }')" + ip r a default via $vpngw dev vpn1 table 991337 + for route in $(ip r show dev vpn1); do + ip r a $route table 991337 + done + fi +} + +sysctl -p /etc/sysctl.d/90-shadowsocks.conf >/dev/null 2>&1 +modprobe bonding >/dev/null 2>&1 +ip link add omr-bonding type bond >/dev/null 2>&1 +#[ -n "$(uname -r | grep '6.1')" ] && { +# stap -g /usr/share/systemtap-mptcp/mptcp-app.stap 2>&1 & +#} + +gre_tunnels="$(jq -c '.gre_tunnels' /etc/openmptcprouter-vps-admin/omr-admin-config.json)" +lan_routes="$(jq -c '.lan_routes' /etc/openmptcprouter-vps-admin/omr-admin-config.json)" while true; do _glorytun_udp _glorytun_tcp + _shadowsocks + _shadowsocks_go + _xray + _v2ray + _dsvpn + _wireguard _multipath _omr_api - _lan_route - _gre_tunnels + [ "$lan_routes" != "false" ] && _lan_route + [ "$gre_tunnels" != "false" ] && _gre_tunnels + _openvpn_bonding + _vpn1 sleep 10 done diff --git a/omr-test-speed b/omr-test-speed new file mode 100644 index 0000000..15666e1 --- /dev/null +++ b/omr-test-speed 
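Review bot: `_vpn1` installs the bypass default route with `ip r a default via $vpngw dev vpn1 table 991337`, but the gateway was stored in `vpn1gw` and `$vpngw` is never assigned, and this runs only after `ip r del $vpn1route` has already removed the main-table default, so the function strips vpn1's default route and the table add fails; the following `for route in $(ip r show dev vpn1)` then word-splits every route line and hands single tokens such as `via` to `ip r a`. The rewrite below reads routes one per line and fills table 991337 before deleting from main (I am not certain whether `ip r show dev vpn1` output carries the `dev vpn1` token, so the add names the device explicitly). In `_openvpn_bonding`, `echo 0 > /sys/class/net/omr-bonding/bonding/mode >/dev/null 2>&1` carries two stdout redirections and the last one wins, so `0` is written to /dev/null and the bonding mode is never set; drop the trailing `>/dev/null`. `_dsvpn` still evaluates `stat -c %Y /proc/$(pgrep dsvpn)/exe` without the empty-`pgrep` guard that `_glorytun_tcp` gains in this hunk, and `_shadowsocks_go`, `_xray` and `_v2ray` each log `ss-server not detected` for a daemon that is not ss-server. `_lan_route` appends `iroute` lines to `/etc/openvpn/ccd/${username}` with `username` taken verbatim from omr-admin-config.json while running as root; a `case "$username" in ''|null|*[!A-Za-z0-9._-]*) continue ;; esac` before that line keeps a malformed entry from naming a path outside ccd.
```sh
_vpn1() {
	vpn1route=$(ip r show dev vpn1 2>/dev/null | grep '0.0.0.0')
	[ -z "$vpn1route" ] && vpn1route=$(ip r show dev vpn1 2>/dev/null | grep 'default')
	if [ -n "$vpn1route" ]; then
		vpn1gw="$(echo "$vpn1route" | awk '{ print $3 }')"
		# Fill the bypass table first so a failed add never leaves vpn1
		# without a default route in the main table.
		ip r replace default via "$vpn1gw" dev vpn1 table 991337 || return
		ip r del $vpn1route
		# One route per line: word-splitting "$(ip r show ...)" would feed
		# single tokens to "ip r a".
		ip r show dev vpn1 | while IFS= read -r route; do
			ip r replace $route dev vpn1 table 991337 >/dev/null 2>&1
		done
	fi
}
```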
@@ -0,0 +1,55 @@ +#!/bin/sh +# vim: set noexpandtab tabstop=4 shiftwidth=4 softtabstop=4 : +HETZNER=false +if [ "$1" = "hetzner" ]; then + HETZNER=true + INTERFACE="$2" +else + INTERFACE="$1" +fi + +[ -n "$INTERFACE" ] && [ ! -d "/sys/class/net/$INTERFACE" ] && { + echo "You must use a real interface. You wan find them using 'ip a' for example" + exit 0 +} + +if [ "$HETZNER" = false ]; then + echo "Select best test server..." + HOSTLST="http://speedtest.frankfurt.linode.com/garbage.php?ckSize=10000 http://speedtest.tokyo2.linode.com/garbage.php?ckSize=10000 http://speedtest.singapore.linode.com/garbage.php?ckSize=10000 http://speedtest.newark.linode.com/garbage.php?ckSize=10000 http://speedtest.atlanta.linode.com/garbage.php?ckSize=10000 http://speedtest.dallas.linode.com/garbage.php?ckSize=10000 http://speedtest.fremont.linode.com/garbage.php?ckSize=10000 http://speedtest.tele2.net/1000GB.zip https://speed.hetzner.de/10GB.bin http://ipv4.bouygues.testdebit.info/10G.iso http://par.download.datapacket.com/10000mb.bin http://nyc.download.datapacket.com/10000mb.bin http://ams.download.datapacket.com/10000mb.bin http://fra.download.datapacket.com/10000mb.bin http://lon.download.datapacket.com/10000mb.bin http://mad.download.datapacket.com/10000mb.bin http://prg.download.datapacket.com/10000mb.bin http://sto.download.datapacket.com/10000mb.bin http://vie.download.datapacket.com/10000mb.bin http://war.download.datapacket.com/10000mb.bin http://atl.download.datapacket.com/10000mb.bin http://chi.download.datapacket.com/10000mb.bin http://lax.download.datapacket.com/10000mb.bin http://mia.download.datapacket.com/10000mb.bin http://nyc.download.datapacket.com/10000mb.bin" + bestping="9999" + for pinghost in $HOSTLST; do + domain=$(echo $pinghost | awk -F/ '{print $3}') + if [ -z "$INTERFACE" ]; then + ping=$(ping -c1 -w2 $domain | cut -d "/" -s -f5 | cut -d "." -f1) + else + ping=$(ping -c1 -w2 -I $INTERFACE -B $domain | cut -d "/" -s -f5 | cut -d "." 
-f1) + fi + echo "host: $domain - ping: $ping" + if [ -n "$ping" ] && [ "$ping" -lt "$bestping" ]; then + bestping=$ping + HOST=$pinghost + fi + done +fi + +[ -z "$HOST" ] && HOST="https://speed.hetzner.de/10GB.bin" + +echo "Best server is $HOST, running test:" +trap : HUP INT TERM +if [ -z "$INTERFACE" ]; then + curl -4 -o /dev/null $HOST || echo +else + domain=$(echo $HOST | awk -F/ '{print $3}') + hostip=$(dig +nocmd +noall +answer A $domain | grep -v CNAME | awk '{print $5}' | tr '\n' ' ') + if [ -n "$(ipset list 2>/dev/null | grep ss_rules)" ]; then + for ip in $hostip; do + ipset add ss_rules_dst_bypass_all $ip + done + fi + curl -4 -o /dev/null --interface $INTERFACE $HOST || echo + if [ -n "$(ipset list 2>/dev/null | grep ss_rules)" ]; then + for ip in $hostip; do + ipset del ss_rules_dst_bypass_all $ip + done + fi +fi diff --git a/omr-test-speedv6 b/omr-test-speedv6 new file mode 100644 index 0000000..3db10fe --- /dev/null +++ b/omr-test-speedv6 
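Review bot: The invalid-interface branch prints an error and then `exit 0`, so a caller (a cron job or the admin API, if either wraps this script) cannot distinguish "interface does not exist" from a completed test; it should be `exit 1`. The same message carries the typo `You wan find them` for `You can find them`. omr-test-speedv6, the next hunk, duplicates both the exit status and the typo.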
@@ -0,0 +1,56 @@ +#!/bin/sh +# vim: set noexpandtab tabstop=4 shiftwidth=4 softtabstop=4 : +HETZNER=false +if [ "$1" = "hetzner" ]; then + HETZNER=true + INTERFACE="$2" +else + INTERFACE="$1" +fi + +[ -n "$INTERFACE" ] && [ ! -d "/sys/class/net/$INTERFACE" ] && { + echo "You must use a real interface. You wan find them using 'ip a' for example" + exit 0 +} + + +if [ "$HETZNER" = false ]; then + echo "Select best test server..." + HOSTLST="http://speedtest.frankfurt.linode.com/garbage.php?ckSize=10000 http://speedtest.tokyo2.linode.com/garbage.php?ckSize=10000 http://speedtest.singapore.linode.com/garbage.php?ckSize=10000 http://speedtest.newark.linode.com/garbage.php?ckSize=10000 http://speedtest.atlanta.linode.com/garbage.php?ckSize=10000 http://speedtest.dallas.linode.com/garbage.php?ckSize=10000 http://speedtest.fremont.linode.com/garbage.php?ckSize=10000 http://speedtest.tele2.net/1000GB.zip https://speed.hetzner.de/10GB.bin http://ipv6.bouygues.testdebit.info/10G.iso http://par.download.datapacket.com/10000mb.bin http://nyc.download.datapacket.com/10000mb.bin http://ams.download.datapacket.com/10000mb.bin http://fra.download.datapacket.com/10000mb.bin http://lon.download.datapacket.com/10000mb.bin http://mad.download.datapacket.com/10000mb.bin http://prg.download.datapacket.com/10000mb.bin http://sto.download.datapacket.com/10000mb.bin http://vie.download.datapacket.com/10000mb.bin http://war.download.datapacket.com/10000mb.bin http://atl.download.datapacket.com/10000mb.bin http://chi.download.datapacket.com/10000mb.bin http://lax.download.datapacket.com/10000mb.bin http://mia.download.datapacket.com/10000mb.bin http://nyc.download.datapacket.com/10000mb.bin" + bestping="9999" + for pinghost in $HOSTLST; do + domain=$(echo $pinghost | awk -F/ '{print $3}') + if [ -z "$INTERFACE" ]; then + ping=$(ping -6 -c1 -w2 $domain | cut -d "/" -s -f5 | cut -d "." -f1) + else + ping=$(ping -6 -c1 -w2 -I $INTERFACE -B $domain | cut -d "/" -s -f5 | cut -d "." 
-f1) + fi + echo "host: $domain - ping: $ping" + if [ -n "$ping" ] && [ "$ping" -lt "$bestping" ]; then + bestping=$ping + HOST=$pinghost + fi + done +fi + +[ -z "$HOST" ] && HOST="https://speed.hetzner.de/10GB.bin" + +echo "Best server is $HOST, running test:" +trap : HUP INT TERM +if [ -z "$INTERFACE" ]; then + curl -6 $HOST >/dev/null || echo +else + domain=$(echo $HOST | awk -F/ '{print $3}') + hostip=$(dig +nocmd +noall +answer AAAA $domain | grep -v CNAME | awk '{print $5}' | tr '\n' ' ') + if [ -n "$(ipset list 2>/dev/null | grep ss_rules6)" ]; then + for ip in $hostip; do + ipset add ss_rules6_dst_bypass_all $ip + done + fi + curl -6 --interface $INTERFACE $HOST >/dev/null || echo + if [ -n "$(ipset list 2>/dev/null | grep ss_rules6)" ]; then + for ip in $hostip; do + ipset del ss_rules6_dst_bypass_all $ip + done + fi +fi diff --git a/omr-update b/omr-update new file mode 100755 index 0000000..6c3a094 --- /dev/null +++ b/omr-update @@ -0,0 +1,11 @@ +#!/bin/sh +if [ -f /etc/openmptcprouter-vps-admin/update ]; then + wget -O - http://www.openmptcprouter.com/server/debian.sh | sh + rm -f /etc/openmptcprouter-vps-admin/update + reboot +fi +if [ -f /etc/openmptcprouter-vps-admin/update-bin ]; then + LOCALFILES=yes SOURCES=yes REINSTALL=no /usr/share/omr-server/debian9-x86_64.sh + rm -f /etc/openmptcprouter-vps-admin/update-bin + #reboot +fi diff --git a/omr-update.service.in b/omr-update.service.in new file mode 100644 index 0000000..99120f8 --- /dev/null +++ b/omr-update.service.in @@ -0,0 +1,15 @@ +[Unit] +Description=OMR Update +After=network.target network-online.target + +[Service] +Type=simple +Restart=no +ExecStart=/usr/bin/omr-update +#ExecStart=/usr/share/omr-server/debian9-x86_64.sh +AmbientCapabilities= +StandardOutput=file:/var/log/omr-update.log +StandardError=file:/var/log/omr-update.log + +[Install] +WantedBy=multi-user.target diff --git a/omr.service.in b/omr.service.in index 4e17716..0e9352b 100644 --- a/omr.service.in +++ b/omr.service.in 
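Review bot: `wget -O - http://www.openmptcprouter.com/server/debian.sh | sh` fetches the installer over plain HTTP and executes it as root with no integrity check, so anyone able to alter traffic between this server and that host can run code on it, and the machine then `reboot`s on whatever the stream contained; a connection that drops part-way also executes as far as it got. Download to a file created with `mktemp` (over `https://` if that host serves TLS), verify a checksum or signature that is shipped with the package against the file, and only then run it, as sketched below. Both `rm -f` marker removals run regardless of whether the preceding step succeeded, so a failed update is silently forgotten until someone recreates the marker; tie them to the exit status.
```sh
if [ -f /etc/openmptcprouter-vps-admin/update ]; then
	script="$(mktemp)" || exit 1
	# Download to a file first so a truncated or tampered stream never
	# reaches sh; verify a shipped checksum or signature of "$script"
	# here before executing it.
	if wget -O "$script" https://www.openmptcprouter.com/server/debian.sh && sh "$script"; then
		rm -f /etc/openmptcprouter-vps-admin/update "$script"
		reboot
	fi
	rm -f "$script"
fi
# … unchanged: update-bin branch …
```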
@@ -1,6 +1,6 @@
 [Unit]
 Description=OMR
-After=network.target network-online.target glorytun-tcp@.service glorytun-udp@.service
+After=network.target network-online.target glorytun-tcp@.service glorytun-udp@.service shorewall.service
 
 [Service]
 Type=simple
diff --git a/openmptcprouter-shorewall.tar.gz b/openmptcprouter-shorewall.tar.gz
index 5a98446..fcc04f3 100644
Binary files a/openmptcprouter-shorewall.tar.gz and b/openmptcprouter-shorewall.tar.gz differ
diff --git a/openmptcprouter-shorewall6.tar.gz b/openmptcprouter-shorewall6.tar.gz
index 2f4dee4..e186946 100644
Binary files a/openmptcprouter-shorewall6.tar.gz and b/openmptcprouter-shorewall6.tar.gz differ
diff --git a/openvpn-bonding1.conf b/openvpn-bonding1.conf
new file mode 100644
index 0000000..45a07d7
--- /dev/null
+++ b/openvpn-bonding1.conf
@@ -0,0 +1,18 @@
+dev ovpnbonding1
+dev-type tap
+cipher AES-256-CBC
+proto udp
+proto udp6
+port 65351
+persist-tun
+persist-key
+reneg-sec 0
+verb 3
+ca /etc/openvpn/ca/pki/ca.crt
+cert /etc/openvpn/ca/pki/issued/server.crt
+key /etc/openvpn/ca/pki/private/server.key
+dh /etc/openvpn/server/dh2048.pem
+crl-verify /etc/openvpn/ca/pki/crl.pem
+keepalive 100 2400
+mode server
+tls-server
diff --git a/openvpn-bonding2.conf b/openvpn-bonding2.conf
new file mode 100644
index 0000000..71798b4
--- /dev/null
+++ b/openvpn-bonding2.conf
@@ -0,0 +1,18 @@
+dev ovpnbonding2
+dev-type tap
+cipher AES-256-CBC
+proto udp
+proto udp6
+port 65352
+persist-tun
+persist-key
+reneg-sec 0
+verb 3
+ca /etc/openvpn/ca/pki/ca.crt
+cert /etc/openvpn/ca/pki/issued/server.crt
+key /etc/openvpn/ca/pki/private/server.key
+dh /etc/openvpn/server/dh2048.pem
+crl-verify /etc/openvpn/ca/pki/crl.pem
+keepalive 100 2400
+mode server
+tls-server
diff --git a/openvpn-bonding3.conf b/openvpn-bonding3.conf
new file mode 100644
index 0000000..9614a96
--- /dev/null
+++ b/openvpn-bonding3.conf
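Review bot: The eight bonding server configs (openvpn-bonding1.conf here through openvpn-bonding8.conf) pin `cipher AES-256-CBC` together with `reneg-sec 0` and no `tls-version-min`, so each bonding tunnel keeps one CBC data-channel key for its entire lifetime and accepts whatever TLS version the peer offers, while openvpn-tun0.6.1.conf in this same commit uses `data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305` and `tls-version-min 1.2`. Carrying those two lines into the bonding files would make the new configs consistent. If `reneg-sec 0` is deliberate, for instance to avoid the bond flapping during a rekey, a one-line comment above it in each file should say so, since the directive otherwise reads as an oversight.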
@@ -0,0 +1,18 @@
+dev ovpnbonding3
+dev-type tap
+cipher AES-256-CBC
+proto udp
+proto udp6
+port 65353
+persist-tun
+persist-key
+reneg-sec 0
+verb 3
+ca /etc/openvpn/ca/pki/ca.crt
+cert /etc/openvpn/ca/pki/issued/server.crt
+key /etc/openvpn/ca/pki/private/server.key
+dh /etc/openvpn/server/dh2048.pem
+crl-verify /etc/openvpn/ca/pki/crl.pem
+keepalive 100 2400
+mode server
+tls-server
diff --git a/openvpn-bonding4.conf b/openvpn-bonding4.conf
new file mode 100644
index 0000000..846f5dc
--- /dev/null
+++ b/openvpn-bonding4.conf
@@ -0,0 +1,18 @@
+dev ovpnbonding4
+dev-type tap
+cipher AES-256-CBC
+proto udp
+proto udp6
+port 65354
+persist-tun
+persist-key
+reneg-sec 0
+verb 3
+ca /etc/openvpn/ca/pki/ca.crt
+cert /etc/openvpn/ca/pki/issued/server.crt
+key /etc/openvpn/ca/pki/private/server.key
+dh /etc/openvpn/server/dh2048.pem
+crl-verify /etc/openvpn/ca/pki/crl.pem
+keepalive 100 2400
+mode server
+tls-server
diff --git a/openvpn-bonding5.conf b/openvpn-bonding5.conf
new file mode 100644
index 0000000..aafccd3
--- /dev/null
+++ b/openvpn-bonding5.conf
@@ -0,0 +1,18 @@
+dev ovpnbonding5
+dev-type tap
+cipher AES-256-CBC
+proto udp
+proto udp6
+port 65355
+persist-tun
+persist-key
+reneg-sec 0
+verb 3
+ca /etc/openvpn/ca/pki/ca.crt
+cert /etc/openvpn/ca/pki/issued/server.crt
+key /etc/openvpn/ca/pki/private/server.key
+dh /etc/openvpn/server/dh2048.pem
+crl-verify /etc/openvpn/ca/pki/crl.pem
+keepalive 100 2400
+mode server
+tls-server
diff --git a/openvpn-bonding6.conf b/openvpn-bonding6.conf
new file mode 100644
index 0000000..30b2067
--- /dev/null
+++ b/openvpn-bonding6.conf
@@ -0,0 +1,18 @@
+dev ovpnbonding6
+dev-type tap
+cipher AES-256-CBC
+proto udp
+proto udp6
+port 65356
+persist-tun
+persist-key
+reneg-sec 0
+verb 3
+ca /etc/openvpn/ca/pki/ca.crt
+cert /etc/openvpn/ca/pki/issued/server.crt
+key /etc/openvpn/ca/pki/private/server.key
+dh /etc/openvpn/server/dh2048.pem
+crl-verify /etc/openvpn/ca/pki/crl.pem
+keepalive 100 2400
+mode server
+tls-server
diff --git a/openvpn-bonding7.conf b/openvpn-bonding7.conf
new file mode 100644
index 0000000..c5f1fe1
--- /dev/null
+++ b/openvpn-bonding7.conf
@@ -0,0 +1,18 @@
+dev ovpnbonding7
+dev-type tap
+cipher AES-256-CBC
+proto udp
+proto udp6
+port 65357
+persist-tun
+persist-key
+reneg-sec 0
+verb 3
+ca /etc/openvpn/ca/pki/ca.crt
+cert /etc/openvpn/ca/pki/issued/server.crt
+key /etc/openvpn/ca/pki/private/server.key
+dh /etc/openvpn/server/dh2048.pem
+crl-verify /etc/openvpn/ca/pki/crl.pem
+keepalive 100 2400
+mode server
+tls-server
diff --git a/openvpn-bonding8.conf b/openvpn-bonding8.conf
new file mode 100644
index 0000000..dbdd11b
--- /dev/null
+++ b/openvpn-bonding8.conf
@@ -0,0 +1,18 @@
+dev ovpnbonding8
+dev-type tap
+cipher AES-256-CBC
+proto udp
+proto udp6
+port 65358
+persist-tun
+persist-key
+reneg-sec 0
+verb 3
+ca /etc/openvpn/ca/pki/ca.crt
+cert /etc/openvpn/ca/pki/issued/server.crt
+key /etc/openvpn/ca/pki/private/server.key
+dh /etc/openvpn/server/dh2048.pem
+crl-verify /etc/openvpn/ca/pki/crl.pem
+keepalive 100 2400
+mode server
+tls-server
diff --git a/openvpn-tun0.6.1.conf b/openvpn-tun0.6.1.conf
new file mode 100644
index 0000000..bc93c87
--- /dev/null
+++ b/openvpn-tun0.6.1.conf
@@ -0,0 +1,34 @@
+topology subnet
+dev tun0
+user nobody
+group nogroup
+data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
+disable-dco
+proto tcp-server
+proto tcp6-server
+port 65301
+persist-tun
+persist-key
+duplicate-cn
+verb 3
+server 10.255.252.0 255.255.255.0
+ca /etc/openvpn/ca/pki/ca.crt
+cert /etc/openvpn/ca/pki/issued/server.crt
+key /etc/openvpn/ca/pki/private/server.key
+dh /etc/openvpn/server/dh2048.pem
+crl-verify /etc/openvpn/ca/pki/crl.pem
+keepalive 10 240
+txqueuelen 1000
+sndbuf 262144
+push "sndbuf 262144"
+rcvbuf 262144
+push "rcvbuf 262144"
+tun-mtu 1420
+tls-server
+tls-version-min 1.2
+#push "route 10.255.252.1 255.255.255.255"
+client-config-dir ccd
+ifconfig-pool-persist ccd/ipp_tcp.txt
+passtos
+management 127.0.0.1 65302
+tcp-nodelay
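Review bot: `management 127.0.0.1 65302` in openvpn-tun0.6.1.conf opens the OpenVPN management interface to every local account with no authentication, and anyone who can reach that loopback port can disconnect clients or reconfigure the daemon; the same directive arrives as `management localhost 65302` in the openvpn-tun0.conf hunk that follows. If only omr-admin is meant to use it, the third `management` argument (a `pw-file`) or a unix socket restricted with `management-client-user` limits who can attach. A comment naming the consumer of this port would also explain why the TCP server gets a management channel and openvpn-tun1.6.1.conf does not.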
diff --git a/openvpn-tun0.conf b/openvpn-tun0.conf
index fc778d9..a6d1864 100644
--- a/openvpn-tun0.conf
+++ b/openvpn-tun0.conf
@@ -18,8 +18,12 @@ crl-verify /etc/openvpn/ca/pki/crl.pem
 keepalive 10 240
 sndbuf 0
 rcvbuf 0
+txqueuelen 2000
+tun-mtu 1400
+mssfix 1360
 tls-server
 tls-version-min 1.2
 #compress lzo
-push "route 10.255.252.1 255.255.255.255"
+#push "route 10.255.252.1 255.255.255.255"
 client-config-dir ccd
+management localhost 65302
diff --git a/openvpn-tun1.6.1.conf b/openvpn-tun1.6.1.conf
new file mode 100644
index 0000000..6d91a8e
--- /dev/null
+++ b/openvpn-tun1.6.1.conf
@@ -0,0 +1,30 @@
+topology subnet
+dev tun1
+data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
+proto udp
+proto udp6
+port 65301
+persist-tun
+persist-key
+duplicate-cn
+verb 3
+server 10.255.250.0 255.255.255.0
+ca /etc/openvpn/ca/pki/ca.crt
+cert /etc/openvpn/ca/pki/issued/server.crt
+key /etc/openvpn/ca/pki/private/server.key
+dh /etc/openvpn/server/dh2048.pem
+crl-verify /etc/openvpn/ca/pki/crl.pem
+keepalive 10 240
+txqueuelen 1000
+sndbuf 262144
+push "sndbuf 262144"
+rcvbuf 262144
+push "rcvbuf 262144"
+tun-mtu 1420
+tls-server
+tls-version-min 1.2
+push "route 10.255.250.1 255.255.255.255"
+#client-config-dir ccd
+#ifconfig-pool-persist ccd/ipp_udp.txt
+#fast-io
+passtos
diff --git a/shadowsocks-go.server.json b/shadowsocks-go.server.json
new file mode 100644
index 0000000..7d4704a
--- /dev/null
+++ b/shadowsocks-go.server.json
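Review bot: openvpn-tun1.6.1.conf has no `user nobody` / `group nogroup` pair, so the UDP server keeps running as root for its whole lifetime while its TCP sibling openvpn-tun0.6.1.conf in this commit drops privileges after start-up; `persist-tun` and `persist-key` are already present, so the same two lines work here. If root is required for something specific to the UDP path, a comment saying what should go where those lines would be.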
@@ -0,0 +1,37 @@
+{
+ "servers": [
+ {
+ "name": "ss-2022",
+ "protocol": "2022-blake3-aes-256-gcm",
+ "tcpListeners": [
+ {
+ "network": "tcp",
+ "address": ":65280",
+ "fastOpen": false,
+ "reusePort": false,
+ "multipath": true
+ }
+ ],
+ "enableTCP": true,
+ "listenerTFO": true,
+ "enableUDP": true,
+ "mtu": 1500,
+ "psk": "PSK",
+ "uPSKStorePath": "/etc/shadowsocks-go/upsks.json"
+ }
+ ],
+ "stats": {
+ "enabled": true
+ },
+ "api": {
+ "enabled": true,
+ "debugPprof": false,
+ "trustedProxies": [],
+ "listeners": [
+ {
+ "network": "tcp",
+ "address": "127.0.0.1:65279"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/shadowsocks.6.1.conf b/shadowsocks.6.1.conf
new file mode 100644
index 0000000..7828850
--- /dev/null
+++ b/shadowsocks.6.1.conf
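Review bot: `"psk": "PSK"` is a literal placeholder in a file that is otherwise a complete, ready-to-load server config, and nothing in this commit shows the installer substituting it, so if the file is copied as-is the `2022-blake3-aes-256-gcm` listener on `:65280` starts with a publicly known identity PSK. The other generated files here use a `.in` suffix, presumably for template substitution; giving this file the same treatment, or having the installer refuse to enable shadowsocks-go while the value still equals `PSK`, would close that gap. Where the per-user keys in `/etc/shadowsocks-go/upsks.json` come from deserves a sentence in the commit description as well.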
@@ -0,0 +1,77 @@
+# local sysctl settings can be stored in this directory
+# max open files
+fs.file-max = 512000
+# max read buffer
+net.core.rmem_max = 7500000
+# max write buffer
+net.core.wmem_max = 7500000
+#net.core.optmem_max = 33554432
+# default read buffer
+#net.core.rmem_default = 16777216
+# default write buffer
+#net.core.wmem_default = 16777216
+# max processor input queue
+net.core.netdev_max_backlog = 10000
+# max backlog
+net.core.somaxconn = 16384
+
+# resist SYN flood attacks
+net.ipv4.tcp_syncookies = 1
+# reuse timewait sockets when safe
+net.ipv4.tcp_tw_reuse = 1
+# turn off fast timewait sockets recycling
+#net.ipv4.tcp_tw_recycle = 0
+# short FIN timeout
+net.ipv4.tcp_fin_timeout = 30
+# Increase max orphans
+net.ipv4.tcp_max_orphans = 16384
+# short keepalive time
+net.ipv4.tcp_keepalive_time = 7200
+# outbound port range
+net.ipv4.ip_local_port_range = 9999 65000
+# max SYN backlog
+net.ipv4.tcp_max_syn_backlog = 4096
+# max timewait sockets held by system simultaneously
+net.ipv4.tcp_max_tw_buckets = 16384
+# turn on TCP Fast Open on both client and server side
+net.ipv4.tcp_fastopen = 3
+# TCP buffer
+net.ipv4.tcp_mem = 409600 819200 1638400
+# UDP buffer
+net.ipv4.udp_mem = 4096 87380 16777216
+# TCP receive buffer
+net.ipv4.tcp_rmem = 4096 87380 16777216
+# TCP write buffer
+net.ipv4.tcp_wmem = 4096 87380 16777216
+# turn on path MTU discovery
+net.ipv4.tcp_mtu_probing = 0
+# 1/8 * available memory in receive buffer
+net.ipv4.tcp_adv_win_scale=-3
+# limits the size of unsent bytes in the write queue
+net.ipv4.tcp_notsent_lowat = 131072
+
+# for low-latency network, use cubic instead
+net.core.default_qdisc = fq
+# Default conntrack is too small
+net.netfilter.nf_conntrack_max = 524288
+net.netfilter.nf_conntrack_buckets=131072
+net.netfilter.nf_conntrack_tcp_timeout_established = 86400
+
+net.ipv4.conf.all.log_martians = 0
+net.ipv4.conf.default.log_martians = 0
+
+# MPTCP settings
+net.ipv4.tcp_ecn = 2
+net.mptcp.checksum_enabled = 0
+net.mptcp.add_addr_timeout = 120 +net.mptcp.allow_join_initial_addr_port = 1 +net.mptcp.enabled = 1 +net.mptcp.pm_type = 0 +net.mptcp.stale_loss_cnt = 4 +net.mptcp.mptcp_checksum=0 +net.mptcp.mptcp_path_manager=fullmesh +net.mptcp.mptcp_scheduler=mptcp_burst +net.mptcp.mptcp_syn_retries=4 +net.mptcp.mptcp_version=1 +net.mptcp.checksum_enabled=0 +net.ipv4.tcp_congestion_control=bbr \ No newline at end of file diff --git a/shadowsocks.conf b/shadowsocks.conf index 302bbe0..aa9587f 100644 --- a/shadowsocks.conf +++ b/shadowsocks.conf @@ -22,7 +22,9 @@ net.ipv4.tcp_tw_reuse = 1 # turn off fast timewait sockets recycling #net.ipv4.tcp_tw_recycle = 0 # short FIN timeout -net.ipv4.tcp_fin_timeout = 80 +net.ipv4.tcp_fin_timeout = 30 +# Increase max orphans +net.ipv4.tcp_max_orphans = 16384 # short keepalive time net.ipv4.tcp_keepalive_time = 7200 # outbound port range @@ -45,16 +47,18 @@ net.ipv4.tcp_wmem = 4096 65536 33554432 net.ipv4.tcp_mtu_probing = 0 # for low-latency network, use cubic instead -net.ipv4.tcp_congestion_control = cubic +net.ipv4.tcp_congestion_control = bbr net.core.default_qdisc = fq # Default conntrack is too small -net.netfilter.nf_conntrack_max = 131072 +net.netfilter.nf_conntrack_max = 524288 +net.netfilter.nf_conntrack_buckets=131072 +net.netfilter.nf_conntrack_tcp_timeout_established = 86400 net.ipv4.conf.all.log_martians = 0 net.ipv4.conf.default.log_martians = 0 # MPTCP settings net.mptcp.mptcp_checksum = 0 -net.mptcp.mptcp_syn_retries = 2 +net.mptcp.mptcp_syn_retries = 4 net.mptcp.mptcp_scheduler = blest -net.ipv4.tcp_ecn=1 +net.ipv4.tcp_ecn = 2 diff --git a/shorewall4/interfaces b/shorewall4/interfaces index 2f3e3ac..bb8b644 100644 --- a/shorewall4/interfaces +++ b/shorewall4/interfaces 
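Review bot: shadowsocks.6.1.conf sets `net.mptcp.checksum_enabled` twice (`= 0` under `# MPTCP settings` and `=0` near the end) and additionally `net.mptcp.mptcp_checksum=0`; the file mixes the upstream-kernel `net.mptcp.*` keys (`enabled`, `pm_type`, `add_addr_timeout`, `stale_loss_cnt`) with the out-of-tree `net.mptcp.mptcp_*` keys (`mptcp_path_manager`, `mptcp_scheduler`, `mptcp_version`), and a given kernel has only one of those families, so loading the file presumably reports unknown-key errors for whichever half is absent. Dropping the duplicate and grouping the two families under comments naming the kernel each targets would make the intent clear. Two comments also contradict their values: `# turn on path MTU discovery` sits above `net.ipv4.tcp_mtu_probing = 0`, and `# for low-latency network, use cubic instead` sits above `fq`/`bbr` here and, after the shadowsocks.conf hunk, directly above `net.ipv4.tcp_congestion_control = bbr`; the comments should be updated to match.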
@@ -19,6 +19,8 @@ vpn gt-tun+ nosmurfs,tcpflags vpn gt-udp-tun+ nosmurfs,tcpflags vpn mlvpn+ nosmurfs,tcpflags vpn tun+ nosmurfs,tcpflags +vpn wg+ nosmurfs,tcpflags +vpncl client-wg+ nosmurfs,tcpflags vpn dsvpn+ nosmurfs,tcpflags vpn gre-user+ nosmurfs,tcpflags - +vpn omr-bonding nosmurfs,tcpflags diff --git a/shorewall4/params.vpn b/shorewall4/params.vpn index e4082cb..074e6ec 100644 --- a/shorewall4/params.vpn +++ b/shorewall4/params.vpn @@ -1,3 +1,3 @@ -VPS_ADDR=10.255.255.1 -OMR_ADDR=10.255.255.2 -VPS_IFACE=gt-tun0 +VPS_ADDR=10.255.252.1 +OMR_ADDR=10.255.252.2 +VPS_IFACE=tun0 diff --git a/shorewall4/policy b/shorewall4/policy index 59142ff..910acb0 100644 --- a/shorewall4/policy +++ b/shorewall4/policy @@ -17,8 +17,10 @@ vpn net ACCEPT vpn fw ACCEPT fw vpn ACCEPT fw net ACCEPT -net all DROP info +net all DROP vpn vpn DROP +vpncl vpn ACCEPT +vpn vpncl ACCEPT # THE FOLLOWING POLICY MUST BE LAST -all all REJECT info +all all REJECT diff --git a/shorewall4/shorewall.conf b/shorewall4/shorewall.conf index 11bd54a..d1ed03f 100644 --- a/shorewall4/shorewall.conf +++ b/shorewall4/shorewall.conf @@ -149,13 +149,13 @@ BLACKLIST="NEW,INVALID,UNTRACKED" CLAMPMSS=No -CLEAR_TC=Yes +CLEAR_TC=No COMPLETE=No DEFER_DNS_RESOLUTION=Yes -DELETE_THEN_ADD=Yes +DELETE_THEN_ADD=No DETECT_DNAT_IPADDRS=No @@ -233,7 +233,7 @@ SAVE_ARPTABLES=No SAVE_IPSETS=No -TC_ENABLED=Simple +TC_ENABLED=No TC_EXPERT=No diff --git a/shorewall4/snat b/shorewall4/snat index a240a09..8435e40 100644 --- a/shorewall4/snat +++ b/shorewall4/snat 
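Review bot: the shorewall4/policy hunk changes `net all DROP info` to `net all DROP` and `all all REJECT info` to `all all REJECT`, which turns off logging for exactly the two catch-all policies that record unsolicited traffic from the Internet; the shorewall6/policy hunk makes the same change. Without those entries there is no record of port scans or blocked connection attempts on the VPS, which is the main host-level signal a defender has. If the motivation was log volume, keep `net all DROP info` and rate-limit it with the `LOGLIMIT` setting in shorewall.conf, or lower the level rather than removing it. The new `vpncl vpn ACCEPT`/`vpn vpncl ACCEPT` pair, with `vpn vpn DROP` unchanged, deserves a comment explaining why client-wg peers may reach every tunnel in the `vpn` zone while those tunnels cannot reach each other.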
@@ -15,7 +15,14 @@ ########################################################################################################################################### #ACTION SOURCE DEST PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY # -MASQUERADE 10.255.0.0/16,\ +MASQUERADE 10.255.247.0/24,\ + 10.255.248.0/24,\ + 10.255.250.0/24,\ + 10.255.251.0/24,\ + 10.255.252.0/24,\ + 10.255.253.0/24,\ + 10.255.254.0/24,\ + 10.255.255.0/24,\ 169.254.0.0/16,\ 172.16.0.0/12,\ 192.168.0.0/16 $NET_IFACE diff --git a/shorewall4/stoppedrules b/shorewall4/stoppedrules index aa5bfd5..30eeac9 100644 --- a/shorewall4/stoppedrules +++ b/shorewall4/stoppedrules @@ -23,4 +23,8 @@ ACCEPT dsvpn+ - ACCEPT - dsvpn+ ACCEPT tun+ - ACCEPT - tun+ +ACCEPT wg+ - +ACCEPT - wg+ +ACCEPT client-wg+ - +ACCEPT - client-wg+ diff --git a/shorewall4/tcinterfaces b/shorewall4/tcinterfaces index 106fbc6..376cc36 100644 --- a/shorewall4/tcinterfaces +++ b/shorewall4/tcinterfaces @@ -1,3 +1,3 @@ #INTERFACE TYPE IN-BANDWIDTH OUT-BANDWIDTH $NET_IFACE External -$VPS_IFACE Internal \ No newline at end of file +#$VPS_IFACE Internal \ No newline at end of file diff --git a/shorewall4/zones b/shorewall4/zones index 62fff26..095a8e6 100644 --- a/shorewall4/zones +++ b/shorewall4/zones @@ -16,4 +16,5 @@ fw firewall net ipv4 vpn ipv4 +vpncl ipv4 diff --git a/shorewall6/params.vpn b/shorewall6/params.vpn index e69de29..a7a7058 100644 --- a/shorewall6/params.vpn +++ b/shorewall6/params.vpn @@ -0,0 +1 @@ +OMR_ADDR=fe80::a00:2 diff --git a/shorewall6/policy b/shorewall6/policy index 9a01ad9..8b37313 100644 --- a/shorewall6/policy +++ b/shorewall6/policy @@ -15,7 +15,7 @@ vpn all ACCEPT fw all ACCEPT -net all DROP info +net all DROP # THE FOLLOWING POLICY MUST BE LAST -all all REJECT info +all all REJECT diff --git a/shorewall6/shorewall6.conf b/shorewall6/shorewall6.conf index 8ab80ab..699a0f2 100644 --- a/shorewall6/shorewall6.conf +++ b/shorewall6/shorewall6.conf 
@@ -138,7 +138,7 @@ BASIC_FILTERS=No BLACKLIST="NEW,INVALID,UNTRACKED" -CHAIN_SCRIPTS=Yes +#CHAIN_SCRIPTS=Yes CLAMPMSS=No @@ -168,7 +168,7 @@ IGNOREUNKNOWNVARIABLES=No IMPLICIT_CONTINUE=No -INLINE_MATCHES=No +#INLINE_MATCHES=No IPSET_WARNINGS=Yes @@ -176,7 +176,7 @@ IP_FORWARDING=On KEEP_RT_TABLES=Yes -LOAD_HELPERS_ONLY=Yes +#LOAD_HELPERS_ONLY=Yes MACLIST_TABLE=filter diff --git a/tun0.glorytun b/tun0.glorytun index abd7ab1..92b9816 100644 --- a/tun0.glorytun +++ b/tun0.glorytun @@ -1,6 +1,7 @@ PORT=65001 +HOST=0.0.0.0 DEV=tun0 SERVER=true MPTCP=true IPV6=true -OPTIONS="chacha20 retry count -1 const 500000 timeout 5000 keepalive count 5 idle 20 interval 2 buffer-size 32768 multiqueue" \ No newline at end of file +OPTIONS="chacha20 retry count -1 const 5000000 timeout 5000 keepalive count 5 idle 20 interval 2 buffer-size 65536 multiqueue" \ No newline at end of file diff --git a/tun0.glorytun-udp b/tun0.glorytun-udp index a89e1a8..670bbac 100644 --- a/tun0.glorytun-udp +++ b/tun0.glorytun-udp @@ -1,4 +1,6 @@ BIND=0.0.0.0 BIND_PORT=65001 +HOST=0.0.0.0 +PORT=5000 DEV=tun0 OPTIONS="chacha persist" diff --git a/ubond.network b/ubond.network new file mode 100644 index 0000000..814ae03 --- /dev/null +++ b/ubond.network @@ -0,0 +1,17 @@ +[Match] +Name=ubond* + +[Network] +Description=UBOND tunnel +Address=10.255.248.1/24 +DHCPServer=yes +IPMasquerade=yes + +[DHCPServer] +PoolOffset=2 +PoolSize=50 +EmitDNS=no +EmitNTP=no +DNS=9.9.9.9 +DefaultLeaseTimeSec=12h +MaxLeaseTimeSec=24h \ No newline at end of file diff --git a/ubond0.conf b/ubond0.conf new file mode 100644 index 0000000..b6063fd --- /dev/null +++ b/ubond0.conf 
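Review bot: in ubond.network the `[DHCPServer]` section sets `DNS=9.9.9.9` but also `EmitDNS=no`, so the resolver is never handed out and the `DNS=` line is dead; either remove it or set `EmitDNS=yes` if hosts on the ubond* link are meant to receive a resolver. `IPMasquerade=yes` on the same link overlaps with the new `10.255.248.0/24` entry in shorewall4/snat, which masquerades the same range; having two masquerade paths for one subnet is not harmful by itself, but a comment in one of the files would stop someone from removing one in the belief it is the only one. `Address=10.255.248.1/24` with `PoolOffset=2`/`PoolSize=50` is consistent with the DHCP server settings.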
@@ -0,0 +1,42 @@ +[general] +tuntap = "tun" +mode = "server" +interface_name = "ubond0" +timeout = 30 +password = "UBOND_PASS" +reorder_buffer = yes +reorder_buffer_size = 64 +loss_tolerence = 50 + +[wan1] +bindport = 65251 +bindhost = "0.0.0.0" + +[wan2] +bindport = 65252 +bindhost = "0.0.0.0" + +[wan3] +bindport = 65253 +bindhost = "0.0.0.0" + +[wan4] +bindport = 65254 +bindhost = "0.0.0.0" + +[wan5] +bindport = 65255 +bindhost = "0.0.0.0" + +[wan6] +bindport = 65256 +bindhost = "0.0.0.0" + +[wan7] +bindport = 65257 +bindhost = "0.0.0.0" + +[wan8] +bindport = 65258 +bindhost = "0.0.0.0" + diff --git a/ubond@.service.in b/ubond@.service.in new file mode 100644 index 0000000..18f8be6 --- /dev/null +++ b/ubond@.service.in @@ -0,0 +1,16 @@ +[Unit] +Description=UBOND connection to %i +PartOf=ubond.service +ReloadPropagatedFrom=ubond.service +After=network.target network-online.target + +[Service] +Type=notify +NotifyAccess=main +ExecStart=/usr/local/sbin/ubond --config /etc/ubond/%i.conf --name %i --user ubond --quiet +ExecReload=/bin/kill -HUP $MAINPID +WorkingDirectory=/etc/ubond +Restart=always + +[Install] +WantedBy=multi-user.target diff --git a/ubuntu19.04-x86_64.sh b/ubuntu19.04-x86_64.sh new file mode 120000 index 0000000..814a06c --- /dev/null +++ b/ubuntu19.04-x86_64.sh @@ -0,0 +1 @@ +debian9-x86_64.sh \ No newline at end of file diff --git a/ubuntu20.04-x86_64.sh b/ubuntu20.04-x86_64.sh new file mode 120000 index 0000000..814a06c --- /dev/null +++ b/ubuntu20.04-x86_64.sh @@ -0,0 +1 @@ +debian9-x86_64.sh \ No newline at end of file diff --git a/v2ray-server.json b/v2ray-server.json index 5d2b544..95f8dbf 100644 --- a/v2ray-server.json +++ b/v2ray-server.json @@ -1,6 +1,6 @@ { "log": { - "loglevel": "debug", + "loglevel": "error", "error": "/tmp/v2rayError.log" }, "transport": { @@ -34,6 +34,7 @@ }, "streamSettings": { "sockopt": { + "mptcp": true, "mark": 0 }, "network": "tcp", 
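Review bot: ubond0.conf binds eight listeners on `bindhost = "0.0.0.0"` at ports 65251–65258, and the same commit adds xray-server.json inbounds on 65251 (socks) and 65252 (shadowsocks); ubond is presumably UDP-only so the ports do not actually collide, but neither file says so. A comment on the `[wan1]` block, if ubond's config parser accepts one, such as `# 65251-65258 are UDP; TCP 65251/65252 belong to xray-server.json`, would keep the ranges from being "fixed" into a real conflict. One `password = "UBOND_PASS"` shared by all eight links is expected for a single tunnel, and ubond@.service.in dropping privileges with `--user ubond` is good; `Type=notify` there only works if the ubond binary calls sd_notify, which is not visible here.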
@@ -48,6 +49,98 @@ } } }, + { + "tag": "omrin-vmess-tunnel", + "port": 65230, + "protocol": "vmess", + "settings": { + "decryption": "none", + "clients": [ + { + "id": "V2RAY_UUID", + "level": 0, + "alterId": 0, + "email": "openmptcprouter" + } + ] + }, + "streamSettings": { + "sockopt": { + "mptcp": true, + "mark": 0 + }, + "network": "tcp", + "security": "tls", + "tlsSettings": { + "certificates": [ + { + "certificateFile": "/etc/openvpn/ca/pki/issued/server.crt", + "keyFile": "/etc/openvpn/ca/pki/private/server.key" + } + ] + } + } + }, + { + "tag": "omrin-socks-tunnel", + "port": 65231, + "protocol": "socks", + "settings": { + "auth": "password", + "accounts": [ + { + "pass": "V2RAY_UUID", + "user": "openmptcprouter" + } + ] + }, + "streamSettings": { + "sockopt": { + "mptcp": true, + "mark": 0 + }, + "network": "tcp", + "security": "tls", + "tlsSettings": { + "certificates": [ + { + "certificateFile": "/etc/openvpn/ca/pki/issued/server.crt", + "keyFile": "/etc/openvpn/ca/pki/private/server.key" + } + ] + } + } + }, + { + "tag": "omrin-trojan-tunnel", + "port": 65229, + "protocol": "trojan", + "settings": { + "clients": [ + { + "password": "V2RAY_UUID", + "email": "openmptcprouter", + "level": 0 + } + ] + }, + "streamSettings": { + "sockopt": { + "mptcp": true, + "mark": 0 + }, + "network": "tcp", + "security": "tls", + "tlsSettings": { + "certificates": [ + { + "certificateFile": "/etc/openvpn/ca/pki/issued/server.crt", + "keyFile": "/etc/openvpn/ca/pki/private/server.key" + } + ] + } + } + }, { "listen": "127.0.0.1", "port": 10085, @@ -72,7 +165,10 @@ { "type": "field", "inboundTag": [ - "omrin-tunnel" + "omrin-tunnel", + "omrin-vmess-tunnel", + "omrin-socks-tunnel", + "omrin-trojan-tunnel" ], "outboundTag": "OMRLan", "domain": [ diff --git a/v2ray.service b/v2ray.service new file mode 100644 index 0000000..f97647e --- /dev/null +++ b/v2ray.service 
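Review bot: the three new inbounds reuse a single secret for three different authentication roles — `"id": "V2RAY_UUID"` for vmess, `"pass": "V2RAY_UUID"` for the socks account and `"password": "V2RAY_UUID"` for trojan — so a client that only needs the socks password also holds the vmess and trojan credential, and rotating one means rotating all. Separate placeholders (for example `V2RAY_SOCKS_PASS` and `V2RAY_TROJAN_PASS`, constructed names for the installer to fill) limit a leaked credential to one inbound; xray-server.json later in this commit already does this for its shadowsocks inbound with `XRAY_PSK`/`XRAY_UPSK` but repeats the reuse for its vless/vmess/socks/trojan inbounds. `"decryption": "none"` inside the vmess `settings` block is a VLESS option and is presumably ignored by the vmess inbound. The enclosing `inbounds` array starts outside this hunk.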
@@ -0,0 +1,18 @@
+[Unit]
+Description=V2Ray Service
+Documentation=https://www.v2fly.org/
+After=network.target nss-lookup.target
+Wants=network-online.target
+
+[Service]
+User=root
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
+NoNewPrivileges=true
+ExecStart=/usr/bin/v2ray run -config /etc/v2ray/v2ray-server.json
+Restart=always
+RestartPreventExitStatus=23
+StartLimitInterval=0
+
+[Install]
+WantedBy=multi-user.target
diff --git a/xray-server.json b/xray-server.json
new file mode 100644
index 0000000..14c62ee
--- /dev/null
+++ b/xray-server.json
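Review bot: v2ray.service sets `User=root` and then grants `AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW`; ambient capabilities exist so that a non-root user keeps those capabilities across exec, so with uid 0 they add nothing and the daemon still has unrestricted access to /etc, including the OpenVPN PKI that v2ray-server.json references. If root is only there to read `/etc/openvpn/ca/pki/private/server.key`, a dedicated user (`User=v2ray` plus a group with read access to that key) would let the existing capability lines do their job, and `ProtectSystem=strict`, `ProtectHome=yes` and `PrivateTmp=yes` are cheap additions either way. xray.service at the end of this commit has the identical `User=root` + `AmbientCapabilities` pattern.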
@@ -0,0 +1,232 @@
+{
+ "log": {
+ "loglevel": "error",
+ "error": "/tmp/v2rayError.log"
+ },
+ "inbounds": [
+ {
+ "tag": "omrin-tunnel",
+ "port": 65248,
+ "protocol": "vless",
+ "settings": {
+ "decryption": "none",
+ "clients": [
+ {
+ "id": "V2RAY_UUID",
+ "level": 0,
+ "alterId": 0,
+ "email": "openmptcprouter"
+ }
+ ]
+ },
+ "streamSettings": {
+ "sockopt": {
+ "tcpMptcp": true,
+ "mark": 0
+ },
+ "network": "tcp",
+ "security": "tls",
+ "tlsSettings": {
+ "certificates": [
+ {
+ "certificateFile": "/etc/openvpn/ca/pki/issued/server.crt",
+ "keyFile": "/etc/openvpn/ca/pki/private/server.key"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "tag": "omrin-vmess-tunnel",
+ "port": 65250,
+ "protocol": "vmess",
+ "settings": {
+ "decryption": "none",
+ "clients": [
+ {
+ "id": "V2RAY_UUID",
+ "level": 0,
+ "alterId": 0,
+ "email": "openmptcprouter"
+ }
+ ]
+ },
+ "streamSettings": {
+ "sockopt": {
+ "tcpMptcp": true,
+ "mark": 0
+ },
+ "network": "tcp",
+ "security": "tls",
+ "tlsSettings": {
+ "certificates": [
+ {
+ "certificateFile": "/etc/openvpn/ca/pki/issued/server.crt",
+ "keyFile": "/etc/openvpn/ca/pki/private/server.key"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "tag": "omrin-socks-tunnel",
+ "port": 65251,
+ "protocol": "socks",
+ "settings": {
+ "auth": "password",
+ "accounts": [
+ {
+ "pass": "V2RAY_UUID",
+ "user": "openmptcprouter"
+ }
+ ]
+ },
+ "streamSettings": {
+ "sockopt": {
+ "tcpMptcp": true,
+ "mark": 0
+ },
+ "network": "tcp",
+ "security": "tls",
+ "tlsSettings": {
+ "certificates": [
+ {
+ "certificateFile": "/etc/openvpn/ca/pki/issued/server.crt",
+ "keyFile": "/etc/openvpn/ca/pki/private/server.key"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "tag": "omrin-trojan-tunnel",
+ "port": 65249,
+ "protocol": "trojan",
+ "settings": {
+ "clients": [
+ {
+ "password": "V2RAY_UUID",
+ "email": "openmptcprouter",
+ "level": 0
+ }
+ ]
+ },
+ "streamSettings": {
+ "sockopt": {
+ "tcpMptcp": true,
+ "mark": 0
+ },
+ "network": "tcp",
+ "security": "tls",
+ "tlsSettings": {
+ "certificates": [
+ {
+ "certificateFile": "/etc/openvpn/ca/pki/issued/server.crt",
+ "keyFile": "/etc/openvpn/ca/pki/private/server.key"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "tag": "omrin-shadowsocks-tunnel",
+ "port": 65252,
+ "protocol": "shadowsocks",
+ "settings": {
+ "password": "XRAY_PSK",
+ "method": "2022-blake3-aes-256-gcm",
+ "network": "tcp,udp",
+ "clients": [
+ {
+ "password": "XRAY_UPSK",
+ "email": "openmptcprouter"
+ }
+ ]
+ },
+ "streamSettings": {
+ "sockopt": {
+ "tcpMptcp": true,
+ "mark": 0
+ },
+ "network": "tcp"
+ }
+ },
+ {
+ "listen": "127.0.0.1",
+ "port": 10086,
+ "protocol": "dokodemo-door",
+ "settings": {
+ "address": "127.0.0.1"
+ },
+ "tag": "api"
+ }
+ ],
+ "outbounds": [
+ {
+ "protocol": "freedom",
+ "settings": {
+ "userLevel": 0
+ },
+ "tag": "direct"
+ }
+ ],
+ "routing": {
+ "rules": [
+ {
+ "type": "field",
+ "inboundTag": [
+ "omrin-tunnel",
+ "omrin-vless-reality",
+ "omrin-vmess-tunnel",
+ "omrin-socks-tunnel",
+ "omrin-trojan-tunnel"
+ ],
+ "outboundTag": "OMRLan",
+ "domain": [
+ "full:omr.lan"
+ ]
+ },
+ {
+ "inboundTag": [
+ "api"
+ ],
+ "outboundTag": "api",
+ "type": "field"
+ }
+ ]
+ },
+ "reverse": {
+ "portals": [
+ {
+ "tag": "OMRLan",
+ "domain": "omr.lan"
+ }
+ ]
+ },
+ "stats": {},
+ "api": {
+ "tag": "api",
+ "listen": "127.0.0.1:65080",
+ "services": [
+ "HandlerService",
+ "LoggerService",
+ "StatsService"
+ ]
+ },
+ "policy": {
+ "levels": {
+ "0": {
+ "uplinkOnly": 0,
+ "downlinkOnly": 0,
+ "bufferSize": 512,
+ "connIdle": 2400,
+ "statsUserUplink": true,
+ "statsUserDownlink": true
+ }
+ },
+ "system": {
+ "statsInboundUplink": true,
+ "statsInboundDownlink": true
+ }
+ }
+}
diff --git a/xray-vless-reality.json b/xray-vless-reality.json
new file mode 100644
index 0000000..ca1a9c6
--- /dev/null
+++ b/xray-vless-reality.json
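Review bot: xray-server.json writes its error log to `"/tmp/v2rayError.log"` while xray.service runs the daemon as root; a fixed filename in world-writable /tmp is the classic setup for a symlink or pre-created-file problem (blunted by `fs.protected_symlinks`, which none of the sysctl files in this commit set), and the log disappears on tmp cleanup, which is exactly when a defender wants it. Point it at a service directory instead, e.g. `"error": "/var/log/xray/error.log"` with `LogsDirectory=xray` in xray.service; the name `v2rayError.log` is also misleading in an xray config. The routing rule lists `"omrin-vless-reality"`, which is defined only in xray-vless-reality.json, while xray.service passes a single `-config /etc/xray/xray-server.json`; unless a loader not shown here merges the two files, that tag never matches, and a comment saying how the files are combined would help.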
@@ -0,0 +1,47 @@
+{
+ "inbounds": [
+ {
+ "port": 443,
+ "tag": "omrin-vless-reality",
+ "protocol": "vless",
+ "settings": {
+ "clients": [
+ {
+ "id": "XRAY_UUID",
+ "flow": "xtls-rprx-vision"
+ }
+ ],
+ "decryption": "none"
+ },
+ "streamSettings": {
+ "network": "tcp",
+ "security": "reality",
+ "realitySettings": {
+ "dest": "1.1.1.1:443",
+ "serverNames": [
+ ""
+ ],
+ "privateKey": "XRAY_X25519_PRIVATE_KEY",
+ "publicKey": "XRAY_X25519_PUBLIC_KEY",
+ "shortIds": [
+ ""
+ ]
+ },
+ "sockopt": {
+ "tcpMptcp": true,
+ "mark": 0
+ }
+ }
+ }
+ ],
+ "routing": {
+ "rules": [
+ {
+ "type": "field",
+ "inboundTag": [
+ "omrin-vless-reality"
+ ]
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/xray.service b/xray.service
new file mode 100644
index 0000000..a1df9e4
--- /dev/null
+++ b/xray.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=XRay Service
+Documentation=https://xtls.github.io/
+After=network.target nss-lookup.target
+Wants=network-online.target
+
+[Service]
+User=root
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
+NoNewPrivileges=true
+ExecStart=/usr/bin/xray run -config /etc/xray/xray-server.json
+Restart=always
+RestartPreventExitStatus=23
+StartLimitInterval=0
+
+[Install]
+WantedBy=multi-user.target
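Review bot: `serverNames` and `shortIds` each hold a single empty string while every other secret in xray-vless-reality.json is a labelled placeholder (`XRAY_UUID`, `XRAY_X25519_PRIVATE_KEY`); if the installer is meant to fill them, an unsubstituted config still loads and accepts an empty SNI and shortId instead of failing visibly, so labelled placeholders such as `XRAY_REALITY_SNI` and `XRAY_REALITY_SHORTID` (constructed names) that the installer rejects if they survive would be safer. `"dest": "1.1.1.1:443"` must also serve the name listed in `serverNames` for REALITY's fallback to look genuine, which an empty name does not express. `publicKey` is only consumed by clients; keeping it next to the private key in the server file is harmless but invites copying the wrong one into client profiles. The `routing` rule has an `inboundTag` but no `outboundTag`, so it presumably falls through to the default outbound and is effectively a stub.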