2025-03-09 15:50:00 +00:00
81 changed files with 549 additions and 3512 deletions
--- a/debian-x86_64.sh
+++ b/debian-x86_64.sh
@ -1 +0,0 @@
 debian9-x86_64.sh
--- a/debian.sh
+++ b/debian.sh
@ -1 +0,0 @@
 debian9-x86_64.sh
--- a/debian/changelog
+++ b/debian/changelog
@ -1,23 +0,0 @@
 omr-server (0.1030) unstable; urgency=medium
    * Many changes
 -- OpenMPTCProuter <contact@openmptcprouter.com>  Wed, 10 Apr 2024 19:35:34 +0200
 omr-server (0.1028) unstable; urgency=medium
    * Many changes
 -- OpenMPTCProuter <contact@openmptcprouter.com>  Fri, 14 Oct 2022 09:02:22 +0200
 omr-server (0.1026) unstable; urgency=medium
    * Many changes
 -- OpenMPTCProuter <contact@openmptcprouter.com>  Mon, 14 Jun 2021 07:43:42 +0200
 omr-server (0.1025-test) unstable; urgency=medium
    * Wireguard support and fixed
 -- OpenMPTCProuter <contact@openmptcprouter.com>  Thu, 04 Mar 2021 14:36:12 +0200
--- a/debian/compat
+++ b/debian/compat
@ -1 +0,0 @@
 10
--- a/debian/control
+++ b/debian/control
@ -1,37 +0,0 @@
 Source: omr-server
 Section: net
 Priority: optional
 Maintainer: OpenMPTCProuter <contact@openmptcprouter.com>
 Build-Depends: debhelper (>= 10)
 X-Python-Version: >= 3.2
 Standards-Version: 0.0.1
 Homepage: https://github.com/ysurac/openmptcprouter-vps
 Package: omr-server
 Architecture: all
 Multi-Arch: foreign
 Depends:
 curl,
 rename,
 libcurl4,
 unzip,
 tracebox,
 omr-iperf3,
 omr-shadowsocks-libev (= 3.3.5-2),
 omr-vps-admin (= 0.3+20210508),
 omr-simple-obfs,
 omr-mlvpn (= 3.0.0+20201216.git.2263bab),
 omr-glorytun (= 0.3.4-4),
 omr-glorytun-tcp (= 0.0.35-3),
 omr-dsvpn (= 0.1.4-2),
 shorewall,
 shorewall6,
 iptables,
 v2ray-plugin (= 4.35.1),
 v2ray (=4.35.1),
 linux-image-5.4.100-mptcp (= 1.18+9d3f35b),
 ${misc:Depends}
 Provides: omr-server
 Conflicts: omr-server
 Replaces: omr-server
 Description: OpenMPTCProuter Server script
--- a/debian/postinst
+++ b/debian/postinst
@ -1,16 +0,0 @@
 #!/bin/sh -e
 test $DEBIAN_SCRIPT_DEBUG && set -v -x
 # use debconf
 . /usr/share/debconf/confmodule
 sed -i -e "s/^LOCALFILES=.*$/LOCALFILES=no/" -e "s/^SOURCES=.*$/SOURCES=no/" /usr/share/omr-server/debian9-x86_64.sh
 systemctl daemon-reload
 systemctl restart omr-update
 db_stop
 #DEBHELPER#
 exit 0
 # vim:set ai et sts=2 sw=2 tw=0:
--- a/debian/rules
+++ b/debian/rules
@ -1,18 +0,0 @@
 #!/usr/bin/make -f
 #export DH_VERBOSE = 1
 # Security Hardening
 export DEB_BUILD_MAINT_OPTIONS = hardening=+all
 %:
 	dh $@
 override_dh_auto_install:
 	mkdir -p $(CURDIR)/debian/omr-server/usr/share/omr-server
 	find . -type f -xtype f -not -iname '*/debian/*' -not -iname '*/.git/*' -exec cp '{}' "$(CURDIR)/debian/omr-server/usr/share/omr-server/{}" ';'
 	cp -r ./shorewall4 $(CURDIR)/debian/omr-server/usr/share/omr-server/
 	cp -r ./shorewall6 $(CURDIR)/debian/omr-server/usr/share/omr-server/
 	cp -r ./bin $(CURDIR)/debian/omr-server/usr/share/omr-server/
 	mkdir -p $(CURDIR)/debian/etc/openmptcprouter-vps-admin
 	touch $(CURDIR)/debian/etc/openmptcprouter-vps-admin/update-bin
--- a/debian11-x86_64.sh
+++ b/debian11-x86_64.sh
@ -1 +0,0 @@
 debian9-x86_64.sh
--- a/debian12-x86_64.sh
+++ b/debian12-x86_64.sh
@ -1 +0,0 @@
 debian9-x86_64.sh
--- a/debian9-x86_64.sh
+++ b/debian9-x86_64.sh
--- a/2
+++ b/2
@ -12,7 +12,7 @@ fi
 exec dsvpn \
 	${MODE} \
 	"$1".key \
-	${HOST:-auto} \
+	auto \
 	${PORT} \
 	${DEV} \
 	${LOCALTUNIP} \
--- a/dsvpn-server.service.in
+++ b/dsvpn-server.service.in
@ -1,6 +1,5 @@
 [Unit]
 Description=Dead Simple VPN - Server
 After=network.target network-online.target
 [Service]
 ExecStart=/usr/local/sbin/dsvpn server /etc/dsvpn/dsvpn.key auto 65011 dsvpn0 10.255.251.1 10.255.251.2
--- a/dsvpn-server@.service.in
+++ b/dsvpn-server@.service.in
@ -1,6 +1,5 @@
 [Unit]
 Description=Dead Simple VPN - Server on %I
 After=network.target network-online.target
 [Service]
 ExecStart=/usr/local/bin/dsvpn-run /etc/dsvpn/%i
--- a/1
+++ b/1
@ -1,5 +1,4 @@
 PORT=65401
 HOST=0.0.0.0
 DEV=dsvpn0
 MODE=server
 LOCALTUNIP=10.255.251.1
--- a/fail2ban-filter-openvpn.conf
+++ b/fail2ban-filter-openvpn.conf
@ -1,10 +0,0 @@
 [INCLUDES]
 before = common.conf
 [Definition] 
 _daemon = ovpn-server
 failregex =%(__prefix_line)s<HOST>:[0-9]{4,5} TLS Auth Error:.*
           %(__prefix_line)s<HOST>:[0-9]{4,5} VERIFY ERROR:.*
           %(__prefix_line)s<HOST>:[0-9]{4,5} TLS Error: TLS handshake failed.*
           %(__prefix_line)sTLS Error: cannot locate HMAC in incoming packet from \[AF_INET\]<HOST>:[0-9]{4,5}
 maxlines = 1
--- a/fail2ban-jail-openmptcprouter.conf
+++ b/fail2ban-jail-openmptcprouter.conf
@ -1,21 +0,0 @@
 [DEFAULT]
 backend = systemd
 banaction = shorewall
 [sshd]
 enabled = true
 [openvpn_tcp]
 enabled = true
 port = 65301
 protocol = tcp
 filter = openvpn
 maxretry = 5
 [openvpn_udp]
 enabled = true
 port = 65301
 protocol = udp
 filter = openvpn
 maxretry = 5
--- a/glorytun-tcp-post.sh
+++ b/glorytun-tcp-post.sh
@ -1,14 +1,8 @@
 #!/bin/sh
 [ ! -f $(readlink -f "$1") ] && exit 1
 . "$(readlink -f "$1")"
 INTF=gt-${DEV}
 [ -z "$LOCALIP" ] && LOCALIP="10.255.255.1"
 [ -z "$BROADCASTIP" ] && BROADCASTIP="10.255.255.3"
-while [ -z "$(ip link show $INTF 2>/dev/null)" ]; do
+ip link set dev ${INTF} up 2>&1 >/dev/null
-	sleep 2
+ip addr add ${LOCALIP}/30 brd ${BROADCASTIP} dev ${INTF} 2>&1 >/dev/null
 done
 [ "$(ip addr show dev $INTF | grep -o 'inet [0-9]*\.[0-9]*\.[0-9]*\.[0-9]*' | grep -o '[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*')" != "$LOCALIP" ] && {
 	ip link set dev ${INTF} up 2>&1 >/dev/null
 	ip addr add ${LOCALIP}/30 brd ${BROADCASTIP} dev ${INTF} 2>&1 >/dev/null
 }
--- a/2
+++ b/2
@ -9,7 +9,7 @@ fi
 . "$(readlink -f "$1")"
-DEV="gt-$(basename "$1")"
+DEV="gt${HOST:+c}-$(basename "$1")"
 exec glorytun-tcp \
 	${SERVER:+listener} \
--- a/glorytun-udp-post.sh
+++ b/glorytun-udp-post.sh
@ -1,17 +1,8 @@
 #!/bin/sh
 [ ! -f $(readlink -f "$1") ] && exit 1
 . "$(readlink -f "$1")"
 INTF=gt-udp-${DEV}
 [ -z "$LOCALIP" ] && LOCALIP="10.255.254.1"
 [ -z "$BROADCASTIP" ] && BROADCASTIP="10.255.254.3"
-while [ -z "$(ip link show $INTF 2>/dev/null)" ]; do
+ip link set dev ${INTF} up 2>&1 >/dev/null
-	sleep 2
+ip addr add ${LOCALIP}/30 brd ${BROADCASTIP} dev ${INTF} 2>&1 >/dev/null
 done
 [ "$(ip addr show dev $INTF | grep -o 'inet [0-9]*\.[0-9]*\.[0-9]*\.[0-9]*' | grep -o '[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*')" != "$LOCALIP" ] && {
 	ip link set dev ${INTF} up 2>&1 >/dev/null
 	ip addr add ${LOCALIP}/30 brd ${BROADCASTIP} dev ${INTF} 2>&1 >/dev/null
 }
 tc qdisc replace dev $INTF root cake
 ip link set $INTF txqlen 100
 glorytun set dev gt-udp-tun0 kxtimeout 7d 2>&1 >/dev/null
--- a/5
+++ b/5
@ -9,10 +9,11 @@ fi
 . "$(readlink -f "$1")"
-DEV="gt-udp-$(basename "$1")"
+DEV="gt${HOST:+c}-udp-$(basename "$1")"
 exec glorytun \
-	bind to addr ${HOST:-::} port ${PORT:-5000} from addr $BIND port $BIND_PORT \
+	bind $BIND $BIND_PORT \
 	keyfile "$1".key \
 	${DEV:+dev "$DEV"} \
 	${HOST:+to "$HOST" "$PORT"} \
 	${OPTIONS:+$OPTIONS}
--- a/iperf3.override.conf
+++ b/iperf3.override.conf
@ -1,3 +0,0 @@
 [Service]
 ExecStart=
 ExecStart=/usr/bin/iperf3 -s -p 65400 --authorized-users-path /etc/iperf3/users.csv --rsa-private-key-path /etc/iperf3/private.pem
--- a/iperf3.service.in
+++ b/iperf3.service.in
@ -3,7 +3,7 @@ Description=iperf3
 Requires=network.target
 [Service]
-ExecStart=/usr/bin/iperf3 -s -p 65400 --authorized-users-path /etc/iperf3/users.csv --rsa-private-key-path /etc/iperf3/private.pem
+ExecStart=/usr/bin/iperf3 -s -p 65400 --authorized-users-path /etc/iperf3/users.csv --rsa-private-key-path /etc/iperf3/public.pem
 Restart=on-failure
 [Install]
--- a/manager.json
+++ b/manager.json
@ -9,7 +9,7 @@
    ],
    "method": "chacha20-ietf-poly1305",
    "fast_open": true,
-    "timeout": 1000,
+    "timeout": 600,
    "port_key": {
        "65101": "MySecretKey",
    },
--- a/mlvpn0.conf
+++ b/mlvpn0.conf
@ -5,7 +5,7 @@ interface_name = "mlvpn0"
 timeout = 30
 password = "MLVPN_PASS"
 reorder_buffer = yes
-reorder_buffer_size = 128
+reorder_buffer_size = 64
 loss_tolerence = 50
 [wan1]
--- a/mlvpn@.service.in
+++ b/mlvpn@.service.in
@ -2,7 +2,6 @@
 Description=MLVPN connection to %i
 PartOf=mlvpn.service
 ReloadPropagatedFrom=mlvpn.service
 After=network.target network-online.target
 [Service]
 Type=notify
--- a/147
+++ b/147
@ -6,8 +6,9 @@
 # Released under GPL 3 or later
 if [ -d "/proc/sys/net/mptcp" ]; then
-        if ([ -f /proc/sys/net/mptcp/mptcp_enabled ] && [ `cat /proc/sys/net/mptcp/mptcp_enabled` = 0 ]) || ([ -f /proc/sys/net/mptcp/enabled ] && [ `cat /proc/sys/net/mptcp/enabled` = 0 ]); then
+        if [ `cat /proc/sys/net/mptcp/mptcp_enabled` = 0 ]; then
                echo "MPTCP is disabled!"
                echo "Please set net.mptcp.mptcp_enabled = 1"
                exit 1
        fi
 else
@ -25,7 +26,7 @@ case $1 in
        echo "  multipath device {on | off | backup | handover}"
        echo
        echo "show established conections: -c"
-        echo "show fullmesh info: -f"
+        echo "show mullmesh info: -f"
        echo "show kernel config: -k"
        echo
        echo "Flag on the device, to enable/disable MPTCP for this interface. The backup-flag"
@ -42,28 +43,12 @@ case $1 in
        cat /proc/net/mptcp_fullmesh
        exit 0;;
   "-k")
-        if [ -f /proc/sys/net/mptcp/mptcp_enabled ]; then
+        echo Enabled: `cat /proc/sys/net/mptcp/mptcp_enabled`
-            echo Enabled: `cat /proc/sys/net/mptcp/mptcp_enabled`
+        echo Path Manager: `cat /proc/sys/net/mptcp/mptcp_path_manager`
-        elif [ -f /proc/sys/net/mptcp/enabled ]; then
+        echo Use checksum: `cat /proc/sys/net/mptcp/mptcp_checksum`
-            echo Enabled: `cat /proc/sys/net/mptcp/enabled`
+        echo Scheduler: `cat /proc/sys/net/mptcp/mptcp_scheduler`
-        fi
+        echo Syn retries: `cat /proc/sys/net/mptcp/mptcp_syn_retries`
-        if [ -f /proc/sys/net/mptcp/mptcp_path_manager ]; then
+        echo Debugmode: `cat /proc/sys/net/mptcp/mptcp_debug`
            echo Path Manager: `cat /proc/sys/net/mptcp/mptcp_path_manager`
        fi
        if [ -f /proc/sys/net/mptcp/mptcp_checksum ]; then
            echo Use checksum: `cat /proc/sys/net/mptcp/mptcp_checksum`
        else
            echo Use checksum: `cat /proc/sys/net/mptcp/checksum_enabled`
        fi
        if [ -f /proc/sys/net/mptcp/mptcp_scheduler ]; then
            echo Scheduler: `cat /proc/sys/net/mptcp/mptcp_scheduler`
        fi
        if [ -f /proc/sys/net/mptcp/mptcp_syn_retries ]; then
            echo Syn retries: `cat /proc/sys/net/mptcp/mptcp_syn_retries`
        fi
        if [ -f /proc/sys/net/mptcp/mptcp_debug ]; then
            echo Debugmode: `cat /proc/sys/net/mptcp/mptcp_debug`
        fi
        echo
        echo See http://multipath-tcp.org/ for details
        exit 0 ;;
@ -80,98 +65,38 @@ TYPE="$2"
 #FLAG_PATH=`find /sys/devices/ -path "*/net/$DEVICE/flags"`
 [ -d "/sys/class/net/$DEVICE/" ] || {
-        #echo "Device '$DEVICE' can't found!"
+        echo "Device '$DEVICE' can't found!"
-        #echo "Use the hardware name like in ifconfig"
+        echo "Use the hardware name like in ifconfig"
        exit 1
 }
-if [ -f /proc/sys/net/mptcp/mptcp_enabled ]; then
+FLAG_PATH="/sys/class/net/$DEVICE/flags"
-        FLAG_PATH="/sys/class/net/$DEVICE/flags"
+IFF=`cat $FLAG_PATH`
        IFF=`cat $FLAG_PATH`
-        IFF_OFF="0x80000"
+IFF_OFF="0x80000"
-        IFF_ON="0x00"
+IFF_ON="0x00"
-        IFF_BACKUP="0x100000"
+IFF_BACKUP="0x100000"
-        IFF_HANDOVER="0x200000"
+IFF_HANDOVER="0x200000"
-        IFF_MASK="0x380000"
+IFF_MASK="0x380000"
-        case $TYPE in
+case $TYPE in
-                "off")          FLAG=$IFF_OFF;;
+        "off")          FLAG=$IFF_OFF;;
-                "on")           FLAG=$IFF_ON;;
+        "on")           FLAG=$IFF_ON;;
-                "backup")       FLAG=$IFF_BACKUP;;
+        "backup")       FLAG=$IFF_BACKUP;;
-                "handover")     FLAG=$IFF_HANDOVER;;
+        "handover")     FLAG=$IFF_HANDOVER;;
-                "")
+        "")
-                        IFF=`printf "0x%02x" $(($IFF&$IFF_MASK))`
+                IFF=`printf "0x%02x" $(($IFF&$IFF_MASK))`
-                        case "$IFF" in
+                case "$IFF" in
-                                $IFF_OFF)       echo $DEVICE is deactivated;;
+                        $IFF_OFF)       echo $DEVICE is deactivated;;
-                                $IFF_ON)        echo $DEVICE is in default mode;;
+                        $IFF_ON)        echo $DEVICE is in default mode;;
-                                $IFF_BACKUP)    echo $DEVICE is in backup mode;;
+                        $IFF_BACKUP)    echo $DEVICE is in backup mode;;
-                                $IFF_HANDOVER)  echo $DEVICE is in handover mode;;
+                        $IFF_HANDOVER)  echo $DEVICE is in handover mode;;
-                                *) echo "Unkown state!" && exit 1;;
+                        *) echo "Unkown state!" && exit 1;;
-                        esac
+                esac
-                        exit 0;;
+                exit 0;;
-                *) echo "Unkown flag! Use 'multipath -h' for help" && exit 1;;
+        *) echo "Unkown flag! Use 'multipath -h' for help" && exit 1;;
-        esac
+esac
-        printf "0x%02x" $(($(($IFF^$(($IFF&$IFF_MASK))))|$FLAG)) > $FLAG_PATH
+printf "0x%02x" $(($(($IFF^$(($IFF&$IFF_MASK))))|$FLAG)) > $FLAG_PATH
 else
        ID=$(ip mptcp endpoint show | grep -m 1 "dev $DEVICE" | awk '{print $3}')
        IFF=$(ip mptcp endpoint show | grep -m 1 "dev $DEVICE" | awk '{print $4}')
        #IP=$(ip a show $DEVICE | sed -En 's/127.0.0.1//;s/.*inet (addr:)?(([0-9]*\.){3}[0-9]*).*/\2/p')
 	[ -f /usr/bin/jsonfilter ] && IP=$(ip -j a show $DEVICE | jsonfilter -e '@[0].addr_info[*].local')
        [ -f /usr/bin/jq ] && IP=$(ip -j a show $DEVICE | jq -r '.[0].addr_info[].local')
 	RMID=$(ip mptcp endpoint show | grep '::ffff' | awk '{ print $3 }')
        [ -n "$RMID" ] && ip mptcp endpoint delete id $RMID 2>&1 >/dev/null
        case $TYPE in
                "off")
                        [ -n "$ID" ] && {
                            for i in $ID; do
                                ip mptcp endpoint delete id $i 2>&1 >/dev/null
                            done
                        }
                        exit 0;;
                "on")
                        [ -n "$ID" ] && {
                            for i in $ID; do
                                ip mptcp endpoint delete id $i 2>&1 >/dev/null
                            done
                        }
                        for i in $IP; do
                            ip mptcp endpoint add $i dev $DEVICE subflow fullmesh
                        done
                        exit 0;;
                "signal")
                        [ -n "$ID" ] && {
                            for i in $ID; do
                                ip mptcp endpoint delete id $i 2>&1 >/dev/null
                            done
                        }
                        for i in $IP; do
                            ip mptcp endpoint add $i dev $DEVICE signal
                        done
                        exit 0;;
                "backup")
                        [ -n "$ID" ] && {
                            for i in $ID; do
                                ip mptcp endpoint delete id $i 2>&1 >/dev/null
                            done
                        }
                        for i in $IP; do
                            ip mptcp endpoint add $i dev $DEVICE backup fullmesh
                        done
                        exit 0;;
                "")
                        case "$IFF" in
                                "")          echo $DEVICE is deactivated;;
                                "subflow")   echo $DEVICE is in default mode;;
                                "backup")    echo $DEVICE is in backup mode;;
                                "signal")    echo $DEVICE is in signal mode;;
                                "fullmesh")  echo $DEVICE is in fullmesh mode;;
                                *)           echo "$DEVICE Unkown state!" && exit 1;;
                        esac
                        exit 0;;
                *) echo "Unkown flag! Use 'multipath -h' for help" && exit 1;;
        esac
 fi
--- a/old-v2ray.service
+++ b/old-v2ray.service
@ -1,25 +0,0 @@
 [Unit]
 Description=V2Ray - A unified platform for anti-censorship
 Documentation=https://v2ray.com https://guide.v2fly.org
 After=network.target nss-lookup.target
 Wants=network-online.target
 [Service]
 # If the version of systemd is 240 or above, then uncommenting Type=exec and commenting out Type=simple
 #Type=exec
 Type=simple
 # Runs as root or add CAP_NET_BIND_SERVICE ability can bind 1 to 1024 port.
 # This service runs as root. You may consider to run it as another user for security concerns.
 # By uncommenting User=v2ray and commenting out User=root, the service will run as user v2ray.
 # More discussion at https://github.com/v2ray/v2ray-core/issues/1011
 User=root
 #User=v2ray
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW
 NoNewPrivileges=yes
 ExecStart=/usr/bin/v2ray -config /etc/v2ray/config.json
 Restart=on-failure
 # Don't restart in the case of configuration error
 RestartPreventExitStatus=23
 [Install]
 WantedBy=multi-user.target
--- a/3
+++ b/3
@ -3,7 +3,7 @@
 set -e
 if [ ! -f "$2" ]; then
-        echo "usage: $(basename "$0") start FILE"
+        echo "usage: $(basename "$0") FILE"
        exit 1
 fi
@ -16,7 +16,6 @@ if [ "$1" = "start" ]; then
        ip tunnel add ${DEV} mode sit remote ${REMOTEIP} local ${LOCALIP}
        ip -6 addr add ${LOCALIP6} dev ${DEV}
        ip link set ${DEV} up
        [ -n "$ULA" ] && [ "$ULA" != "auto" ] && ip route replace ${ULA} via $(echo ${REMOTEIP6} | cut -d/ -f1) dev ${DEV}
 fi
 if [ "$1" = "stop" ]; then
        ip tunnel del ${DEV}
--- a/omr-admin-ipv6.service.in
+++ b/omr-admin-ipv6.service.in
@ -1,12 +0,0 @@
 [Unit]
 Description=OMR-Admin IPv6
 After=network.target network-online.target
 [Service]
 Type=simple
 Restart=always
 ExecStart=/usr/local/bin/omr-admin.py --host="::"
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN CAP_IPC_LOCK CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_FOWNER CAP_SETFCAP
 [Install]
 WantedBy=multi-user.target
--- a/omr-admin.service.in
+++ b/omr-admin.service.in
@ -6,7 +6,7 @@ After=network.target network-online.target
 Type=simple
 Restart=always
 ExecStart=/usr/local/bin/omr-admin.py
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN CAP_IPC_LOCK CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_FOWNER CAP_SETFCAP
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
 [Install]
 WantedBy=multi-user.target
--- a/82
+++ b/82
@ -1,82 +0,0 @@
 #!/bin/sh
 # Copyright (C) 2023 Ycarus (Yannick Chabanois) <ycarus@zugaina.org> for OpenMPTCProuter
 # Released under GPL 3. See LICENSE for the full terms.
 [ ! -f /etc/openmptcprouter-vps-admin/omr-bypass.json ] && exit 0
 # Configuration
 INTERFACE="$(jq -M -r .bypass_intf /etc/openmptcprouter-vps-admin/omr-admin-config.json | tr -d '\n')"
 [ "$INTERFACE" = "null" ] && INTERFACE="vpn1"
 GATEWAY="$(ip r show dev ${INTERFACE} | awk '/via/ {print $3}' | tr -d '\n')"
 GATEWAY6="$(ip -6 r show dev ${INTERFACE} | awk '/via/ {print $3}' | tr -d '\n')"
 TABLE="991337"
 MARK="0x539"
 CHECKSUM="$(md5sum /etc/openmptcprouter-vps-admin/omr-bypass.json | awk '{print $1}' | tr -d '\n')"
 PREVIOUS_CHECKSUM="$(jq -M -r .bypass_checksum /etc/openmptcprouter-vps-admin/omr-admin-config.json | tr -d '\n')"
 [ "$CHECKSUM" = "$PREVIOUS_CHECKSUM" ] && exit 0
 jq -M --arg c "$CHECKSUM" '.bypass_checksum = $c' /etc/openmptcprouter-vps-admin/omr-admin-config.json > /etc/openmptcprouter-vps-admin/omr-admin-config.json.tmp
 mv /etc/openmptcprouter-vps-admin/omr-admin-config.json.tmp /etc/openmptcprouter-vps-admin/omr-admin-config.json
 # Action
 ipset -q flush omr_dst_bypass_srv_${INTERFACE} 2>&1 > /dev/null
 ipset -q flush omr6_dst_bypass_srv_${INTERFACE} 2>&1 > /dev/null
 ipset -q --exist restore <<-EOF
 create omr_dst_bypass_srv_${INTERFACE} hash:net hashsize 64
 create omr6_dst_bypass_srv_${INTERFACE} hash:net family inet6 hashsize 64
 EOF
 ipv4=$(cat /etc/openmptcprouter-vps-admin/omr-bypass.json | jq -r .${INTERFACE}.ipv4[])
 for ip in $ipv4; do
 	ipset -q add omr_dst_bypass_srv_${INTERFACE} $ip
 done
 ipv6=$(cat /etc/openmptcprouter-vps-admin/omr-bypass.json | jq -r .${INTERFACE}.ipv6[])
 for ip in $ipv6; do
 	ipset -q add omr6_dst_bypass_srv_${INTERFACE} $ip
 done
 iptables-save --counters 2>/dev/null | grep -v omr-bypass | iptables-restore -w --counters 2>/dev/null
 iptables-restore -w --wait=60 --noflush <<-EOF
 *mangle
 :omr-bypass -
 -A PREROUTING -j omr-bypass
 COMMIT
 EOF
 iptables-restore -w --wait=60 --noflush <<-EOF
 *mangle
 :omr-bypass-local -
 -A OUTPUT -m addrtype ! --dst-type LOCAL -j omr-bypass-local
 COMMIT
 EOF
 iptables-restore -w --wait=60 --noflush <<-EOF
 *mangle
 -A omr-bypass -m set --match-set omr_dst_bypass_srv_${INTERFACE} dst -j MARK --set-mark ${MARK}
 -A omr-bypass -m mark --mark ${MARK} -j RETURN
 -A omr-bypass-local -m set --match-set omr_dst_bypass_srv_${INTERFACE} dst -j MARK --set-mark ${MARK}
 -A omr-bypass-local -m mark --mark ${MARK} -j RETURN
 COMMIT
 EOF
 ip rule add prio 1 fwmark ${MARK} lookup ${TABLE} > /dev/null 2>&1
 ip route replace default via ${GATEWAY} dev ${INTERFACE} table ${TABLE}
 ip6tables-save --counters 2>/dev/null | grep -v omr-bypass | ip6tables-restore -w --counters 2>/dev/null
 ip6tables-restore -w --wait=60 --noflush <<-EOF
 *mangle
 :omr-bypass -
 -A PREROUTING -j omr-bypass
 COMMIT
 EOF
 ip6tables-restore -w --wait=60 --noflush <<-EOF
 *mangle
 :omr-bypass-local -
 -A OUTPUT -m addrtype ! --dst-type LOCAL -j omr-bypass-local
 COMMIT
 EOF
 ip6tables-restore -w --wait=60 --noflush <<-EOF
 *mangle
 -A omr-bypass -m set --match-set omr6_dst_bypass_srv_${INTERFACE} dst -j MARK --set-mark ${MARK}
 -A omr-bypass -m mark --mark ${MARK} -j RETURN
 -A omr-bypass-local -m set --match-set omr6_dst_bypass_srv_${INTERFACE} dst -j MARK --set-mark ${MARK}
 -A omr-bypass-local -m mark --mark ${MARK} -j RETURN
 COMMIT
 EOF
 if [ -n "$GATEWAY6" ]; then
 	ip rule add prio 1 fwmark ${MARK} lookup ${TABLE} > /dev/null 2>&1
 	ip route replace default via ${GATEWAY6} dev ${INTERFACE} table ${TABLE}
 fi
--- a/omr-bypass.service.in
+++ b/omr-bypass.service.in
@ -1,12 +0,0 @@
 [Unit]
 Description=OMR-ByPass
 After=network.target network-online.target shorewall.service
 [Service]
 Type=simple
 ExecStart=/usr/local/bin/omr-bypass
 KillSignal=9
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
 [Install]
 WantedBy=multi-user.target
--- a/omr-bypass.timer.in
+++ b/omr-bypass.timer.in
@ -1,8 +0,0 @@
 [Unit]
 Description=Timer for omr-bypass
 [Timer]
 OnUnitActiveSec=300
 [Install]
 WantedBy=timers.target
--- a/omr-pihole.sh
+++ b/omr-pihole.sh
@ -8,11 +8,6 @@ if [ "$ID" = "debian" ] && [ "$VERSION_ID" = "9" ]; then
        echo "This script doesn't work with Debian Stretch (9.x)"
        exit 1
 fi
 if [ "$(id -u)" -ne 0 ]; then
 	echo "You must run the script as root"
 	exit 1
 fi
 echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
 echo "You can select any interface and set any IPs during Pi-hole configuration, this will be modified for OpenMPTCProuter at the end."
 echo "Don't apply Pi-hole firewall rules."
@ -31,14 +26,13 @@ $SERVER["socket"] == "10.255.252.1:80" { }
 $SERVER["socket"] == "10.255.251.1:80" { }
 $SERVER["socket"] == "10.255.253.1:80" { }
 EOF
-systemctl list-unit-files lighttpd.service &>/dev/null && systemctl -q restart lighttpd
+systemctl -q restart lighttpd
 grep -v -e PIHOLE_INTERFACE -e IPV4_ADDRESS -e IPV6_ADDRESS /etc/pihole/setupVars.conf > /etc/pihole/setupVars.new.conf
 mv /etc/pihole/setupVars.new.conf /etc/pihole/setupVars.conf
 cat >> /etc/pihole/setupVars.conf <<-EOF
 PIHOLE_INTERFACE=gt-tun0
 IPV4_ADDRESS=10.255.0.0/16
-IPV6_ADDRESS=fd00::a00:/106
+IPV6_ADDRESS=fe80::aff:ff01/64
 RATE_LIMIT=0/0
 EOF
 grep -v interface /etc/dnsmasq.d/01-pihole.conf > /etc/dnsmasq.d/01-pihole.new.conf
--- a/217
+++ b/217
@ -5,228 +5,31 @@ _multipath() {
 	# Force multipath status
 	source /etc/shorewall/params.net
 	for intf in `ls -1 /sys/class/net`; do
-		if [ "$intf" != "bonding_masters" ]; then
+		if [ "$intf" = "$NET_IFACE" ]; then
-			if ([ "$(ip a show dev lo | grep -v inet6 | grep global)" != "" ] && [ "$intf" = "lo" ]) || ([ "$intf" = "$NET_IFACE" ] && [ "$(ip a show dev lo | grep -v inet6 | grep global)" = "" ]); then
+			multipath $intf on
-				[ -f /proc/sys/net/mptcp/mptcp_enabled ] && [ "$(multipath $intf | tr -d '\n')" != "$intf is in default mode" ] && multipath $intf on >/dev/null 2>&1
+		else
-				[ -f /proc/sys/net/mptcp/enabled ] && [ "$(multipath $intf | tr -d '\n')" != "$intf is in signal mode" ] && {
+			multipath $intf off
 					multipath $intf signal >/dev/null 2>&1
 					ip mptcp limits set subflows 8 add_addr_accepted 8 >/dev/null 2>&1
 				}
 			else
 				[ "$(multipath $intf | tr -d '\n')" != "$intf is deactivated" ] && multipath $intf off >/dev/null 2>&1
 			fi
 		fi
 	done
 }
 _glorytun_udp() {
-	#if [ -n "$(systemctl -a | grep 'glorytun-udp')" ]; then
+	[ -z "$(glorytun show dev gt-udp-tun0 2>/dev/null | grep server)" ] && {
-	if systemctl list-unit-files glorytun-udp@.service >/dev/null; then
+		logger -t "OMR-Service" "Restart Glorytun-UDP"
-		[ -z "$(glorytun show dev gt-udp-tun0 2>/dev/null | grep tunnel)" ] && {
+		systemctl -q restart glorytun-udp@*
-			logger -t "OMR-Service" "Restart Glorytun-UDP"
+	}
 			systemctl -q restart 'glorytun-udp@*'
 			sleep 10
 		}
 		for intf in /etc/glorytun-udp/tun*; do
 			[ "$(echo $intf | grep key)" = "" ] && /etc/glorytun-udp/post.sh ${intf}
 		done
 		#ip link set mtu 9000 dev gt-udp-tun0 >/dev/null 2>&1
 	fi
 }
 _glorytun_tcp() {
 	#if [ -n "$(systemctl -a | grep 'glorytun-tcp')" ]; then
 	if systemctl list-unit-files glorytun-tcp@.service >/dev/null; then
 		for intf in /etc/glorytun-tcp/tun*; do
 			[ "$(echo $intf | grep key)" = "" ] && timeout 10 /etc/glorytun-tcp/post.sh ${intf}
 		done
 		if [ -f /etc/openmptcprouter-vps-admin/current-vpn ] && [ "$(cat /etc/openmptcprouter-vps-admin/current-vpn)" = "glorytun_tcp" ]; then
 			localip="$(cat /etc/glorytun-tcp/tun0 | grep LOCALIP | cut -d '=' -f2)"
 			[ -z "$localip" ] && localip="10.255.255.1"
 			remoteip="$(echo $localip | sed 's/\.1/\.2/')"
 			if [ "$(ping -c 3 -w 10 $remoteip | grep '100%')" != "" ] && ([ -z "$(pgrep glorytun-tcp)" ] || [ "$(expr $(date +%s) - $(stat -c %Y /proc/$(pgrep glorytun-tcp)/exe ))" -gt "300" ]); then
 				logger -t "OMR-Service" "No answer from VPN client end, restart Glorytun-TCP"
 				systemctl restart glorytun-tcp@tun0
 				sleep 10
 			fi
 		fi
 		#ip link set mtu 9000 dev gt-tun0 >/dev/null 2>&1
 	fi
 }
 _dsvpn() {
 	#if [ -n "$(systemctl -a | grep 'dsvpn')" ]; then
 	if systemctl list-unit-files dsvpn-server@.service >/dev/null; then
 		[ -n "$(ip -6 r show 64:ff9b::/96 dev dsvpn0)" ] && ip -6 r del 64:ff9b::/96 dev dsvpn0 >/dev/null 2>&1
 		if [ -f /etc/openmptcprouter-vps-admin/current-vpn ] && [ "$(cat /etc/openmptcprouter-vps-admin/current-vpn)" = "dsvpn" ]; then
 			localip="$(cat /etc/dsvpn/dsvpn0 | grep LOCALTUNIP | cut -d '=' -f2)"
 			[ -z "$localip" ] && localip="10.255.251.1"
 			remoteip="$(echo $localip | sed 's/\.1/\.2/')"
 			if [ "$(ping -c 5 -w 5 $remoteip | grep '100%')" != "" ] && [ "$(expr $(date +%s) - $(stat -c %Y /proc/$(pgrep dsvpn)/exe ))" -gt "300" ]; then
 				logger -t "OMR-Service" "No answer from VPN client end, restart DSVPN"
 				systemctl restart dsvpn-server@dsvpn0
 			fi
 			#ip link set mtu 9000 dev dsvpn0 >/dev/null 2>&1
 		fi
 	fi
 }
 _shadowsocks() {
 	if systemctl list-unit-files shadowsocks-libev-manager@.service >/dev/null; then
 		[ -z "$(pgrep ss-server)" ] && {
 			logger -t "OMR-Service" "ss-server not detected, restart Shadowsocks libev"
 			systemctl restart shadowsocks-libev-manager@manager
 		}
 	fi
 }
 _shadowsocks_go() {
 	if systemctl list-unit-files shadowsocks-go.service >/dev/null; then
 		[ -z "$(pgrep shadowsocks-go)" ] && {
 			logger -t "OMR-Service" "ss-server not detected, restart Shadowsocks go"
 			systemctl restart shadowsocks-go
 		}
 	fi
 }
 _xray() {
 	if systemctl list-unit-files xray.service >/dev/null; then
 		[ -z "$(pgrep xray)" ] && {
 			logger -t "OMR-Service" "ss-server not detected, restart XRay"
 			systemctl restart xray
 		}
 	fi
 }
 _v2ray() {
 	if systemctl list-unit-files v2ray.service >/dev/null; then
 		[ -z "$(pgrep v2ray)" ] && {
 			logger -t "OMR-Service" "ss-server not detected, restart V2Ray"
 			systemctl restart v2ray
 		}
 	fi
 }
 _wireguard() {
 	#if [ -n "$(systemctl -a | grep 'wg')" ]; then
 	if systemctl list-unit-files wg-quick@.service >/dev/null; then
 		[ -z "$(ip a show dev wg0 | grep '10.255.247.1')" ] && ip a add 10.255.247.1/24 dev wg0 >/dev/null 2>&1
 		[ -z "$(ip a show dev client-wg0 | grep '10.255.246.1')" ] && ip a add 10.255.246.1/24 dev client-wg0 >/dev/null 2>&1
 	fi
 }
 _omr_api() {
-	[ -z "$(pgrep curl)" ] && [ -z "$(curl -s -k -m 30 https://127.0.0.1:65500/)" ] && {
+	[ -z "$(curl -s -k -m 1 https://127.0.0.1:65500/)" ] && {
-		logger -t "OMR-Service" "Can't contact API, restart OMR-Admin"
+		logger -t "OMR-Service" "Restart OMR-Admin"
 		systemctl -q restart omr-admin
 	}
 }
 _lan_route() {
 	jq -c '.users[0][]?' /etc/openmptcprouter-vps-admin/omr-admin-config.json |
 	while IFS=$"\n" read -r c; do
 		if [ -n "$c" ]; then
 			vpnremoteip=$(echo "$c" | jq -r '.vpnremoteip')
 			username=$(echo "$c" | jq -r '.username')
 			if [ -n "$vpnremoteip" ] && [ "$vpnremoteip" != "null" ]; then
 				echo "$c" | jq -c -r '.lanips[]? //empty' | 
 				while IFS=$"\n" read -r d; do
 					if [ "$d" != "" ]; then
 						network=$(ipcalc -n $d | grep Network | awk '{print $2}')
 						networkonly=$(ipcalc -n $d | grep Network | awk '{print $2}' | cut -d/ -f1)
 						netmask=$(ipcalc -n $d | grep Netmask | awk '{print $2}')
 						[ -n "$network" ] && [ -z "$(ip r show $network via $vpnremoteip)" ] && ip r replace $network via $vpnremoteip >/dev/null 2>&1
 						[ -n "$networkonly" ] && [ -n "$netmask" ] && ([ ! -f /etc/openvpn/ccd/${username} ] || [ -z "$(grep $networkonly /etc/openvpn/ccd/${username})" ]) && echo "iroute $networkonly $netmask" >> /etc/openvpn/ccd/${username}
 					fi
 				done
 			fi
 		fi
 	done
 }
 _gre_tunnels() {
 	. "$(readlink -f "/etc/shorewall/params.vpn")"
 	if [ -n "$OMR_ADDR" ]; then
 		for intf in /etc/openmptcprouter-vps-admin/intf/*; do
 			if [ -f "$intf" ]; then
 				. "$(readlink -f "$intf")"
 				iface="$(basename $intf)"
 				if [ "$(ip tunnel show $iface 2>/dev/null | awk '{print $4}')" != "$OMR_ADDR" ]; then
 					[ -n "$(ip tunnel show $iface 2>/dev/null)" ] && ip tunnel del $iface >/dev/null 2>&1
 					ip tunnel add $iface mode gre local $INTFADDR remote $OMR_ADDR >/dev/null 2>&1
 					ip link set $iface up >/dev/null 2>&1
 					ip addr add $LOCALIP dev $iface >/dev/null 2>&1
 					ip route add $NETWORK dev $iface >/dev/null 2>&1
 				fi
 			fi
 		done
 	fi
 }
 _openvpn_bonding() {
 	if [ "$(ip link show ovpnbonding1 2>/dev/null)" != "" ] && ([ "$(ip link show ovpnbonding1 2>/dev/null | grep SLAVE)" = "" ] || [ "$(ip link show omr-bonding 2>/dev/null | grep DOWN)" != "" ] || [ "$(ip link show | grep ovpnbonding | grep -c SLAVE | tr -d '\n')" != "8" ]); then
 		echo 0 > /sys/class/net/omr-bonding/bonding/mode >/dev/null 2>&1
 		ip link set ovpnbonding1 master omr-bonding >/dev/null 2>&1
 		ip link set ovpnbonding1 up >/dev/null 2>&1
 		ip link set ovpnbonding2 master omr-bonding >/dev/null 2>&1
 		ip link set ovpnbonding2 up >/dev/null 2>&1
 		ip link set ovpnbonding3 master omr-bonding >/dev/null 2>&1
 		ip link set ovpnbonding3 up >/dev/null 2>&1
 		ip link set ovpnbonding4 master omr-bonding >/dev/null 2>&1
 		ip link set ovpnbonding4 up >/dev/null 2>&1
 		ip link set ovpnbonding5 master omr-bonding >/dev/null 2>&1
 		ip link set ovpnbonding5 up >/dev/null 2>&1
 		ip link set ovpnbonding6 master omr-bonding >/dev/null 2>&1
 		ip link set ovpnbonding6 up >/dev/null 2>&1
 		ip link set ovpnbonding7 master omr-bonding >/dev/null 2>&1
 		ip link set ovpnbonding7 up >/dev/null 2>&1
 		ip link set ovpnbonding8 master omr-bonding >/dev/null 2>&1
 		ip link set ovpnbonding8 up >/dev/null 2>&1
 		ip link set omr-bonding up mtu 1440 >/dev/null 2>&1
 		ip a add 10.255.248.1 dev omr-bonding >/dev/null 2>&1
 		ip r add 10.255.248.0/24 dev omr-bonding >/dev/null 2>&1
 		ip r add 10.255.248.2 dev omr-bonding src 10.255.248.1 >/dev/null 2>&1
 	fi
 }
 _vpn1() {
 	vpn1route=$(ip r show dev vpn1 2>/dev/null | grep '0.0.0.0')
 	[ -z "$vpn1route" ] && vpn1route=$(ip r show dev vpn1 2>/dev/null | grep 'default')
 	if [ -n "$vpn1route" ]; then
 		ip r del $vpn1route
 		vpn1gw="$(echo \"$vpn1route\" | awk '{ print $3 }')"
 		ip r a default via $vpngw dev vpn1 table 991337
 		for route in $(ip r show dev vpn1); do
 			ip r a $route table 991337
 		done
 	fi
 }
 sysctl -p /etc/sysctl.d/90-shadowsocks.conf >/dev/null 2>&1
 modprobe bonding >/dev/null 2>&1
 ip link add omr-bonding type bond >/dev/null 2>&1
 #[ -n "$(uname -r | grep '6.1')" ] && {
 #	stap -g /usr/share/systemtap-mptcp/mptcp-app.stap 2>&1 &
 #}
 gre_tunnels="$(jq -c '.gre_tunnels' /etc/openmptcprouter-vps-admin/omr-admin-config.json)"
 lan_routes="$(jq -c '.lan_routes' /etc/openmptcprouter-vps-admin/omr-admin-config.json)"
 while true; do
 	_glorytun_udp
 	_glorytun_tcp
 	_shadowsocks
 	_shadowsocks_go
 	_xray
 	_v2ray
 	_dsvpn
 	_wireguard
 	_multipath
 	_omr_api
 	[ "$lan_routes" != "false" ] && _lan_route
 	[ "$gre_tunnels" != "false" ] && _gre_tunnels
 	_openvpn_bonding
 	_vpn1
 	sleep 10
 done
--- a/55
+++ b/55
@ -1,55 +0,0 @@
 #!/bin/sh
 # vim: set noexpandtab tabstop=4 shiftwidth=4 softtabstop=4 :
 HETZNER=false
 if [ "$1" = "hetzner" ]; then
 	HETZNER=true
 	INTERFACE="$2"
 else
 	INTERFACE="$1"
 fi
 [ -n "$INTERFACE" ] && [ ! -d "/sys/class/net/$INTERFACE" ] && {
 	echo "You must use a real interface. You wan find them using 'ip a' for example"
 	exit 0
 }
 if [ "$HETZNER" = false ]; then
 	echo "Select best test server..."
 	HOSTLST="http://speedtest.frankfurt.linode.com/garbage.php?ckSize=10000 http://speedtest.tokyo2.linode.com/garbage.php?ckSize=10000 http://speedtest.singapore.linode.com/garbage.php?ckSize=10000 http://speedtest.newark.linode.com/garbage.php?ckSize=10000 http://speedtest.atlanta.linode.com/garbage.php?ckSize=10000 http://speedtest.dallas.linode.com/garbage.php?ckSize=10000 http://speedtest.fremont.linode.com/garbage.php?ckSize=10000 http://speedtest.tele2.net/1000GB.zip https://speed.hetzner.de/10GB.bin http://ipv4.bouygues.testdebit.info/10G.iso http://par.download.datapacket.com/10000mb.bin http://nyc.download.datapacket.com/10000mb.bin http://ams.download.datapacket.com/10000mb.bin http://fra.download.datapacket.com/10000mb.bin http://lon.download.datapacket.com/10000mb.bin http://mad.download.datapacket.com/10000mb.bin http://prg.download.datapacket.com/10000mb.bin http://sto.download.datapacket.com/10000mb.bin http://vie.download.datapacket.com/10000mb.bin http://war.download.datapacket.com/10000mb.bin http://atl.download.datapacket.com/10000mb.bin http://chi.download.datapacket.com/10000mb.bin http://lax.download.datapacket.com/10000mb.bin http://mia.download.datapacket.com/10000mb.bin http://nyc.download.datapacket.com/10000mb.bin"
 	bestping="9999"
 	for pinghost in $HOSTLST; do
 		domain=$(echo $pinghost | awk -F/ '{print $3}')
 		if [ -z "$INTERFACE" ]; then
 			ping=$(ping -c1 -w2 $domain | cut -d "/" -s -f5 | cut -d "." -f1)
 		else
 			ping=$(ping -c1 -w2 -I $INTERFACE -B $domain | cut -d "/" -s -f5 | cut -d "." -f1)
 		fi
 		echo "host: $domain - ping: $ping"
 		if [ -n "$ping" ] && [ "$ping" -lt "$bestping" ]; then
 			bestping=$ping
 			HOST=$pinghost
 		fi
 	done
 fi
 [ -z "$HOST" ] && HOST="https://speed.hetzner.de/10GB.bin"
 echo "Best server is $HOST, running test:"
 trap : HUP INT TERM
 if [ -z "$INTERFACE" ]; then
 	curl -4 -o /dev/null $HOST || echo
 else
 	domain=$(echo $HOST | awk -F/ '{print $3}')
 	hostip=$(dig +nocmd +noall +answer A $domain | grep -v CNAME | awk '{print $5}' | tr '\n' ' ')
 	if [ -n "$(ipset list 2>/dev/null | grep ss_rules)" ]; then
 		for ip in $hostip; do
 			ipset add ss_rules_dst_bypass_all $ip
 		done
 	fi
 	curl -4 -o /dev/null --interface $INTERFACE $HOST || echo
 	if [ -n "$(ipset list 2>/dev/null | grep ss_rules)" ]; then
 		for ip in $hostip; do
 			ipset del ss_rules_dst_bypass_all $ip
 		done
 	fi
 fi
--- a/56
+++ b/56
@ -1,56 +0,0 @@
 #!/bin/sh
 # vim: set noexpandtab tabstop=4 shiftwidth=4 softtabstop=4 :
 HETZNER=false
 if [ "$1" = "hetzner" ]; then
 	HETZNER=true
 	INTERFACE="$2"
 else
 	INTERFACE="$1"
 fi
 [ -n "$INTERFACE" ] && [ ! -d "/sys/class/net/$INTERFACE" ] && {
 	echo "You must use a real interface. You wan find them using 'ip a' for example"
 	exit 0
 }
 if [ "$HETZNER" = false ]; then
 	echo "Select best test server..."
 	HOSTLST="http://speedtest.frankfurt.linode.com/garbage.php?ckSize=10000 http://speedtest.tokyo2.linode.com/garbage.php?ckSize=10000 http://speedtest.singapore.linode.com/garbage.php?ckSize=10000 http://speedtest.newark.linode.com/garbage.php?ckSize=10000 http://speedtest.atlanta.linode.com/garbage.php?ckSize=10000 http://speedtest.dallas.linode.com/garbage.php?ckSize=10000 http://speedtest.fremont.linode.com/garbage.php?ckSize=10000 http://speedtest.tele2.net/1000GB.zip https://speed.hetzner.de/10GB.bin http://ipv6.bouygues.testdebit.info/10G.iso http://par.download.datapacket.com/10000mb.bin http://nyc.download.datapacket.com/10000mb.bin http://ams.download.datapacket.com/10000mb.bin http://fra.download.datapacket.com/10000mb.bin http://lon.download.datapacket.com/10000mb.bin http://mad.download.datapacket.com/10000mb.bin http://prg.download.datapacket.com/10000mb.bin http://sto.download.datapacket.com/10000mb.bin http://vie.download.datapacket.com/10000mb.bin http://war.download.datapacket.com/10000mb.bin http://atl.download.datapacket.com/10000mb.bin http://chi.download.datapacket.com/10000mb.bin http://lax.download.datapacket.com/10000mb.bin http://mia.download.datapacket.com/10000mb.bin http://nyc.download.datapacket.com/10000mb.bin"
 	bestping="9999"
 	for pinghost in $HOSTLST; do
 		domain=$(echo $pinghost | awk -F/ '{print $3}')
 		if [ -z "$INTERFACE" ]; then
 			ping=$(ping -6 -c1 -w2 $domain | cut -d "/" -s -f5 | cut -d "." -f1)
 		else
 			ping=$(ping -6 -c1 -w2 -I $INTERFACE -B $domain | cut -d "/" -s -f5 | cut -d "." -f1)
 		fi
 		echo "host: $domain - ping: $ping"
 		if [ -n "$ping" ] && [ "$ping" -lt "$bestping" ]; then
 			bestping=$ping
 			HOST=$pinghost
 		fi
 	done
 fi
 [ -z "$HOST" ] && HOST="https://speed.hetzner.de/10GB.bin"
 echo "Best server is $HOST, running test:"
 trap : HUP INT TERM
 if [ -z "$INTERFACE" ]; then
 	curl -6 $HOST >/dev/null || echo
 else
 	domain=$(echo $HOST | awk -F/ '{print $3}')
 	hostip=$(dig +nocmd +noall +answer AAAA $domain | grep -v CNAME | awk '{print $5}' | tr '\n' ' ')
 	if [ -n "$(ipset list 2>/dev/null | grep ss_rules6)" ]; then
 		for ip in $hostip; do
 			ipset add ss_rules6_dst_bypass_all $ip
 		done
 	fi
 	curl -6 --interface $INTERFACE $HOST >/dev/null || echo
 	if [ -n "$(ipset list 2>/dev/null | grep ss_rules6)" ]; then
 		for ip in $hostip; do
 			ipset del ss_rules6_dst_bypass_all $ip
 		done
 	fi
 fi
--- a/11
+++ b/11
@ -1,11 +0,0 @@
 #!/bin/sh
 if [ -f /etc/openmptcprouter-vps-admin/update ]; then
        wget -O - http://www.openmptcprouter.com/server/debian.sh | sh
        rm -f /etc/openmptcprouter-vps-admin/update
        reboot
 fi
 if [ -f /etc/openmptcprouter-vps-admin/update-bin ]; then
        LOCALFILES=yes SOURCES=yes REINSTALL=no /usr/share/omr-server/debian9-x86_64.sh
        rm -f /etc/openmptcprouter-vps-admin/update-bin
        #reboot
 fi
--- a/omr-update.service.in
+++ b/omr-update.service.in
@ -1,15 +0,0 @@
 [Unit]
 Description=OMR Update
 After=network.target network-online.target
 [Service]
 Type=simple
 Restart=no
 ExecStart=/usr/bin/omr-update
 #ExecStart=/usr/share/omr-server/debian9-x86_64.sh
 AmbientCapabilities=
 StandardOutput=file:/var/log/omr-update.log
 StandardError=file:/var/log/omr-update.log
 [Install]
 WantedBy=multi-user.target
--- a/omr.service.in
+++ b/omr.service.in
@ -1,12 +1,12 @@
 [Unit]
 Description=OMR
-After=network.target network-online.target glorytun-tcp@.service glorytun-udp@.service shorewall.service
+After=network.target network-online.target glorytun-tcp@.service glorytun-udp@.service
 [Service]
 Type=simple
 Restart=always
 ExecStart=/usr/local/bin/omr-service
-KillSignal=9
+ExecStop=/usr/local/bin/omr-service stop
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
 [Install]
--- a/openmptcprouter-shorewall.tar.gz
+++ b/openmptcprouter-shorewall.tar.gz
--- a/openmptcprouter-shorewall6.tar.gz
+++ b/openmptcprouter-shorewall6.tar.gz
--- a/openvpn-bonding1.conf
+++ b/openvpn-bonding1.conf
@ -1,18 +0,0 @@
 dev ovpnbonding1
 dev-type tap
 cipher AES-256-CBC
 proto udp
 proto udp6
 port 65351
 persist-tun
 persist-key
 reneg-sec 0
 verb 3
 ca /etc/openvpn/ca/pki/ca.crt
 cert /etc/openvpn/ca/pki/issued/server.crt
 key /etc/openvpn/ca/pki/private/server.key
 dh /etc/openvpn/server/dh2048.pem
 crl-verify /etc/openvpn/ca/pki/crl.pem
 keepalive 100 2400
 mode server
 tls-server
--- a/openvpn-bonding2.conf
+++ b/openvpn-bonding2.conf
@ -1,18 +0,0 @@
 dev ovpnbonding2
 dev-type tap
 cipher AES-256-CBC
 proto udp
 proto udp6
 port 65352
 persist-tun
 persist-key
 reneg-sec 0
 verb 3
 ca /etc/openvpn/ca/pki/ca.crt
 cert /etc/openvpn/ca/pki/issued/server.crt
 key /etc/openvpn/ca/pki/private/server.key
 dh /etc/openvpn/server/dh2048.pem
 crl-verify /etc/openvpn/ca/pki/crl.pem
 keepalive 100 2400
 mode server
 tls-server
--- a/openvpn-bonding3.conf
+++ b/openvpn-bonding3.conf
@ -1,18 +0,0 @@
 dev ovpnbonding3
 dev-type tap
 cipher AES-256-CBC
 proto udp
 proto udp6
 port 65353
 persist-tun
 persist-key
 reneg-sec 0
 verb 3
 ca /etc/openvpn/ca/pki/ca.crt
 cert /etc/openvpn/ca/pki/issued/server.crt
 key /etc/openvpn/ca/pki/private/server.key
 dh /etc/openvpn/server/dh2048.pem
 crl-verify /etc/openvpn/ca/pki/crl.pem
 keepalive 100 2400
 mode server
 tls-server
--- a/openvpn-bonding4.conf
+++ b/openvpn-bonding4.conf
@ -1,18 +0,0 @@
 dev ovpnbonding4
 dev-type tap
 cipher AES-256-CBC
 proto udp
 proto udp6
 port 65354
 persist-tun
 persist-key
 reneg-sec 0
 verb 3
 ca /etc/openvpn/ca/pki/ca.crt
 cert /etc/openvpn/ca/pki/issued/server.crt
 key /etc/openvpn/ca/pki/private/server.key
 dh /etc/openvpn/server/dh2048.pem
 crl-verify /etc/openvpn/ca/pki/crl.pem
 keepalive 100 2400
 mode server
 tls-server
--- a/openvpn-bonding5.conf
+++ b/openvpn-bonding5.conf
@ -1,18 +0,0 @@
 dev ovpnbonding5
 dev-type tap
 cipher AES-256-CBC
 proto udp
 proto udp6
 port 65355
 persist-tun
 persist-key
 reneg-sec 0
 verb 3
 ca /etc/openvpn/ca/pki/ca.crt
 cert /etc/openvpn/ca/pki/issued/server.crt
 key /etc/openvpn/ca/pki/private/server.key
 dh /etc/openvpn/server/dh2048.pem
 crl-verify /etc/openvpn/ca/pki/crl.pem
 keepalive 100 2400
 mode server
 tls-server
--- a/openvpn-bonding6.conf
+++ b/openvpn-bonding6.conf
@ -1,18 +0,0 @@
 dev ovpnbonding6
 dev-type tap
 cipher AES-256-CBC
 proto udp
 proto udp6
 port 65356
 persist-tun
 persist-key
 reneg-sec 0
 verb 3
 ca /etc/openvpn/ca/pki/ca.crt
 cert /etc/openvpn/ca/pki/issued/server.crt
 key /etc/openvpn/ca/pki/private/server.key
 dh /etc/openvpn/server/dh2048.pem
 crl-verify /etc/openvpn/ca/pki/crl.pem
 keepalive 100 2400
 mode server
 tls-server
--- a/openvpn-bonding7.conf
+++ b/openvpn-bonding7.conf
@ -1,18 +0,0 @@
 dev ovpnbonding7
 dev-type tap
 cipher AES-256-CBC
 proto udp
 proto udp6
 port 65357
 persist-tun
 persist-key
 reneg-sec 0
 verb 3
 ca /etc/openvpn/ca/pki/ca.crt
 cert /etc/openvpn/ca/pki/issued/server.crt
 key /etc/openvpn/ca/pki/private/server.key
 dh /etc/openvpn/server/dh2048.pem
 crl-verify /etc/openvpn/ca/pki/crl.pem
 keepalive 100 2400
 mode server
 tls-server
--- a/openvpn-bonding8.conf
+++ b/openvpn-bonding8.conf
@ -1,18 +0,0 @@
 dev ovpnbonding8
 dev-type tap
 cipher AES-256-CBC
 proto udp
 proto udp6
 port 65358
 persist-tun
 persist-key
 reneg-sec 0
 verb 3
 ca /etc/openvpn/ca/pki/ca.crt
 cert /etc/openvpn/ca/pki/issued/server.crt
 key /etc/openvpn/ca/pki/private/server.key
 dh /etc/openvpn/server/dh2048.pem
 crl-verify /etc/openvpn/ca/pki/crl.pem
 keepalive 100 2400
 mode server
 tls-server
--- a/openvpn-tun0.6.1.conf
+++ b/openvpn-tun0.6.1.conf
@ -1,34 +0,0 @@
 topology subnet
 dev tun0
 user nobody
 group nogroup
 data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
 disable-dco
 proto tcp-server
 proto tcp6-server
 port 65301
 persist-tun
 persist-key
 duplicate-cn
 verb 3
 server 10.255.252.0 255.255.255.0
 ca /etc/openvpn/ca/pki/ca.crt
 cert /etc/openvpn/ca/pki/issued/server.crt
 key /etc/openvpn/ca/pki/private/server.key
 dh /etc/openvpn/server/dh2048.pem
 crl-verify /etc/openvpn/ca/pki/crl.pem
 keepalive 10 240
 txqueuelen 1000
 sndbuf 262144
 push "sndbuf 262144"
 rcvbuf 262144
 push "rcvbuf 262144"
 tun-mtu 1420
 tls-server
 tls-version-min 1.2
 #push "route 10.255.252.1 255.255.255.255"
 client-config-dir ccd
 ifconfig-pool-persist ccd/ipp_tcp.txt
 passtos
 management 127.0.0.1 65302
 tcp-nodelay
--- a/openvpn-tun0.conf
+++ b/openvpn-tun0.conf
@ -18,12 +18,8 @@ crl-verify /etc/openvpn/ca/pki/crl.pem
 keepalive 10 240
 sndbuf 0
 rcvbuf 0
 txqueuelen 2000
 tun-mtu 1400
 mssfix 1360
 tls-server
 tls-version-min 1.2
 #compress lzo
-#push "route 10.255.252.1 255.255.255.255"
+push "route 10.255.252.1 255.255.255.255"
 client-config-dir ccd
 management localhost 65302
--- a/openvpn-tun1.6.1.conf
+++ b/openvpn-tun1.6.1.conf
@ -1,30 +0,0 @@
 topology subnet
 dev tun1
 data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
 proto udp
 proto udp6
 port 65301
 persist-tun
 persist-key
 duplicate-cn
 verb 3
 server 10.255.250.0 255.255.255.0
 ca /etc/openvpn/ca/pki/ca.crt
 cert /etc/openvpn/ca/pki/issued/server.crt
 key /etc/openvpn/ca/pki/private/server.key
 dh /etc/openvpn/server/dh2048.pem
 crl-verify /etc/openvpn/ca/pki/crl.pem
 keepalive 10 240
 txqueuelen 1000
 sndbuf 262144
 push "sndbuf 262144"
 rcvbuf 262144
 push "rcvbuf 262144"
 tun-mtu 1420
 tls-server
 tls-version-min 1.2
 push "route 10.255.250.1 255.255.255.255"
 #client-config-dir ccd
 #ifconfig-pool-persist ccd/ipp_udp.txt
 #fast-io
 passtos
--- a/shadowsocks-go.server.json
+++ b/shadowsocks-go.server.json
@ -1,37 +0,0 @@
 {
    "servers": [
        {
            "name": "ss-2022",
            "protocol": "2022-blake3-aes-256-gcm",
            "tcpListeners": [
            {
                "network": "tcp",
                "address": ":65280",
                "fastOpen": false,
                "reusePort": false,
                "multipath": true
            }
            ],
            "enableTCP": true,
            "listenerTFO": true,
            "enableUDP": true,
            "mtu": 1500,
            "psk": "PSK",
            "uPSKStorePath": "/etc/shadowsocks-go/upsks.json"
        }
    ],
    "stats": {
        "enabled": true
    },
    "api": {
        "enabled": true,
        "debugPprof": false,
        "trustedProxies": [],
        "listeners": [
        {
                "network": "tcp",
                "address": "127.0.0.1:65279"
        }
        ]
    }
 }
--- a/shadowsocks-libev-manager@.service.in
+++ b/shadowsocks-libev-manager@.service.in
@ -8,7 +8,7 @@ CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 LimitNOFILE=99999
 LimitNPROC=99999
-ExecStart=/usr/bin/ss-manager -c /etc/shadowsocks-libev/%i.json --manager-address 127.0.0.1:8839
+ExecStart=/usr/bin/ss-manager -c /etc/shadowsocks-libev/%i.json
 Restart=always
 [Install]
--- a/shadowsocks.6.1.conf
+++ b/shadowsocks.6.1.conf
@ -1,77 +0,0 @@
 # local sysctl settings can be stored in this directory
 # max open files
 fs.file-max = 512000
 # max read buffer
 net.core.rmem_max = 7500000
 # max write buffer
 net.core.wmem_max = 7500000
 #net.core.optmem_max = 33554432
 # default read buffer
 #net.core.rmem_default = 16777216
 # default write buffer
 #net.core.wmem_default = 16777216
 # max processor input queue
 net.core.netdev_max_backlog = 10000
 # max backlog
 net.core.somaxconn = 16384
 # resist SYN flood attacks
 net.ipv4.tcp_syncookies = 1
 # reuse timewait sockets when safe
 net.ipv4.tcp_tw_reuse = 1
 # turn off fast timewait sockets recycling
 #net.ipv4.tcp_tw_recycle = 0
 # short FIN timeout
 net.ipv4.tcp_fin_timeout = 30
 # Increase max orphans
 net.ipv4.tcp_max_orphans = 16384
 # short keepalive time
 net.ipv4.tcp_keepalive_time = 7200
 # outbound port range
 net.ipv4.ip_local_port_range = 9999 65000
 # max SYN backlog
 net.ipv4.tcp_max_syn_backlog = 4096
 # max timewait sockets held by system simultaneously
 net.ipv4.tcp_max_tw_buckets = 16384
 # turn on TCP Fast Open on both client and server side
 net.ipv4.tcp_fastopen = 3
 # TCP buffer
 net.ipv4.tcp_mem = 409600 819200 1638400
 # UDP buffer
 net.ipv4.udp_mem = 4096 87380 16777216
 # TCP receive buffer
 net.ipv4.tcp_rmem = 4096 87380 16777216
 # TCP write buffer
 net.ipv4.tcp_wmem = 4096 87380 16777216
 # turn on path MTU discovery
 net.ipv4.tcp_mtu_probing = 0
 # 1/8 * available memory in receive buffer
 net.ipv4.tcp_adv_win_scale=-3
 # limits the size of unsent bytes in the write queue
 net.ipv4.tcp_notsent_lowat = 131072
 # for low-latency network, use cubic instead
 net.core.default_qdisc = fq
 # Default conntrack is too small
 net.netfilter.nf_conntrack_max = 524288
 net.netfilter.nf_conntrack_buckets=131072
 net.netfilter.nf_conntrack_tcp_timeout_established = 86400
 net.ipv4.conf.all.log_martians = 0
 net.ipv4.conf.default.log_martians = 0
 # MPTCP settings
 net.ipv4.tcp_ecn = 2
 net.mptcp.checksum_enabled = 0
 net.mptcp.add_addr_timeout = 120
 net.mptcp.allow_join_initial_addr_port = 1
 net.mptcp.enabled = 1
 net.mptcp.pm_type = 0
 net.mptcp.stale_loss_cnt = 4
 net.mptcp.mptcp_checksum=0
 net.mptcp.mptcp_path_manager=fullmesh
 net.mptcp.mptcp_scheduler=mptcp_burst
 net.mptcp.mptcp_syn_retries=4
 net.mptcp.mptcp_version=1
 net.mptcp.checksum_enabled=0
 net.ipv4.tcp_congestion_control=bbr
--- a/shadowsocks.conf
+++ b/shadowsocks.conf
@ -2,10 +2,10 @@
 # max open files
 fs.file-max = 512000
 # max read buffer
-net.core.rmem_max = 67108864
+net.core.rmem_max = 150000000
 # max write buffer
-net.core.wmem_max = 67108864
+net.core.wmem_max = 75000000
-net.core.optmem_max = 33554432
+net.core.optmem_max = 75000000
 # default read buffer
 net.core.rmem_default = 131072
 # default write buffer
@ -22,27 +22,25 @@ net.ipv4.tcp_tw_reuse = 1
 # turn off fast timewait sockets recycling
 #net.ipv4.tcp_tw_recycle = 0
 # short FIN timeout
-net.ipv4.tcp_fin_timeout = 30
+net.ipv4.tcp_fin_timeout = 80
 # Increase max orphans
 net.ipv4.tcp_max_orphans = 16384
 # short keepalive time
 net.ipv4.tcp_keepalive_time = 7200
 # outbound port range
 net.ipv4.ip_local_port_range = 9999 65000
 # max SYN backlog
-net.ipv4.tcp_max_syn_backlog = 10240
+net.ipv4.tcp_max_syn_backlog = 4096
 # max timewait sockets held by system simultaneously
 net.ipv4.tcp_max_tw_buckets = 10000
 # turn on TCP Fast Open on both client and server side
 net.ipv4.tcp_fastopen = 3
 # TCP buffer
-net.ipv4.tcp_mem = 8092 131072 67108864
+net.ipv4.tcp_mem = 768174 75000000 150000000
 # UDP buffer
-net.ipv4.udp_mem = 8092 131072 67108864
+net.ipv4.udp_mem = 768174 75000000 150000000
 # TCP receive buffer
-net.ipv4.tcp_rmem = 4096 87380 33554432
+net.ipv4.tcp_rmem = 4096 524288 75000000
 # TCP write buffer
-net.ipv4.tcp_wmem = 4096 65536 33554432
+net.ipv4.tcp_wmem = 4096 524288 75000000
 # turn on path MTU discovery
 net.ipv4.tcp_mtu_probing = 0
@ -50,15 +48,11 @@ net.ipv4.tcp_mtu_probing = 0
 net.ipv4.tcp_congestion_control = bbr
 net.core.default_qdisc = fq
 # Default conntrack is too small
-net.netfilter.nf_conntrack_max = 524288
+net.netfilter.nf_conntrack_max = 131072
 net.netfilter.nf_conntrack_buckets=131072
 net.netfilter.nf_conntrack_tcp_timeout_established = 86400
 net.ipv4.conf.all.log_martians = 0
 net.ipv4.conf.default.log_martians = 0
 # MPTCP settings
 net.mptcp.mptcp_checksum = 0
-net.mptcp.mptcp_syn_retries = 4
+net.mptcp.mptcp_syn_retries = 1
-net.mptcp.mptcp_scheduler = blest
+net.ipv4.tcp_ecn=1
 net.ipv4.tcp_ecn = 2
--- a/shorewall4/interfaces
+++ b/shorewall4/interfaces
@ -19,8 +19,5 @@ vpn	gt-tun+		nosmurfs,tcpflags
 vpn	gt-udp-tun+	nosmurfs,tcpflags
 vpn	mlvpn+		nosmurfs,tcpflags
 vpn	tun+		nosmurfs,tcpflags
 vpn	wg+		nosmurfs,tcpflags
 vpncl	client-wg+	nosmurfs,tcpflags
 vpn	dsvpn+		nosmurfs,tcpflags
-vpn	gre-user+	nosmurfs,tcpflags
+
 vpn	omr-bonding	nosmurfs,tcpflags
--- a/shorewall4/params.vpn
+++ b/shorewall4/params.vpn
@ -1,3 +1,3 @@
-VPS_ADDR=10.255.252.1
+VPS_ADDR=10.255.255.1
-OMR_ADDR=10.255.252.2
+OMR_ADDR=10.255.255.2
-VPS_IFACE=tun0
+VPS_IFACE=gt-tun0
--- a/shorewall4/policy
+++ b/shorewall4/policy
@ -17,10 +17,8 @@ vpn             net             ACCEPT
 vpn             fw             ACCEPT
 fw              vpn             ACCEPT
 fw              net             ACCEPT
-net             all             DROP
+net             all             DROP            info
 vpn		vpn		DROP
 vpncl		vpn		ACCEPT
 vpn		vpncl		ACCEPT
 # THE FOLLOWING POLICY MUST BE LAST
-all		all		REJECT
+all		all		REJECT		info
--- a/shorewall4/shorewall.conf
+++ b/shorewall4/shorewall.conf
@ -39,7 +39,7 @@ INVALID_LOG_LEVEL=
 LOG_BACKEND=
-LOG_MARTIANS=No
+LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
@ -108,11 +108,10 @@ TC=
 ###############################################################################
 ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT=Drop
 DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
-REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
+REJECT_DEFAULT=Reject
 ###############################################################################
 #			 R S H / R C P	C O M M A N D S
@ -149,13 +148,13 @@ BLACKLIST="NEW,INVALID,UNTRACKED"
 CLAMPMSS=No
-CLEAR_TC=No
+CLEAR_TC=Yes
 COMPLETE=No
 DEFER_DNS_RESOLUTION=Yes
-DELETE_THEN_ADD=No
+DELETE_THEN_ADD=Yes
 DETECT_DNAT_IPADDRS=No
@ -233,7 +232,7 @@ SAVE_ARPTABLES=No
 SAVE_IPSETS=No
-TC_ENABLED=No
+TC_ENABLED=Simple
 TC_EXPERT=No
--- a/shorewall4/snat
+++ b/shorewall4/snat
@ -15,14 +15,7 @@
 ###########################################################################################################################################
 #ACTION			SOURCE			DEST            PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
 #
-MASQUERADE		10.255.247.0/24,\
+MASQUERADE		10.255.0.0/16,\
 			10.255.248.0/24,\
 			10.255.250.0/24,\
 			10.255.251.0/24,\
 			10.255.252.0/24,\
 			10.255.253.0/24,\
 			10.255.254.0/24,\
 			10.255.255.0/24,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
 			192.168.0.0/16		$NET_IFACE
--- a/shorewall4/stoppedrules
+++ b/shorewall4/stoppedrules
@ -23,8 +23,4 @@ ACCEPT          dsvpn+		-
 ACCEPT          -               dsvpn+
 ACCEPT          tun+		-
 ACCEPT          -               tun+
 ACCEPT          wg+		-
 ACCEPT          -               wg+
 ACCEPT          client-wg+	-
 ACCEPT          -               client-wg+
--- a/shorewall4/tcinterfaces
+++ b/shorewall4/tcinterfaces
@ -1,3 +1,3 @@
 #INTERFACE             TYPE          IN-BANDWIDTH        OUT-BANDWIDTH
 $NET_IFACE		External
-#$VPS_IFACE		Internal
+$VPS_IFACE		Internal
--- a/shorewall4/zones
+++ b/shorewall4/zones
@ -16,5 +16,4 @@
 fw      firewall
 net     ipv4
 vpn     ipv4
 vpncl   ipv4
--- a/shorewall6/params.vpn
+++ b/shorewall6/params.vpn
@ -1 +0,0 @@
 OMR_ADDR=fe80::a00:2
--- a/shorewall6/policy
+++ b/shorewall6/policy
@ -15,7 +15,7 @@
 vpn             all             ACCEPT
 fw              all             ACCEPT
-net             all             DROP
+net             all             DROP            info
 # THE FOLLOWING POLICY MUST BE LAST
-all             all             REJECT
+all             all             REJECT          info
--- a/shorewall6/shorewall6.conf
+++ b/shorewall6/shorewall6.conf
@ -105,11 +105,10 @@ TC=
 ###############################################################################
 ACCEPT_DEFAULT=none
-BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT=Drop
 DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
-REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
+REJECT_DEFAULT=Reject
 ###############################################################################
 #			 R S H / R C P	C O M M A N D S
@ -138,7 +137,7 @@ BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
-#CHAIN_SCRIPTS=Yes
+CHAIN_SCRIPTS=Yes
 CLAMPMSS=No
@ -168,7 +167,7 @@ IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
-#INLINE_MATCHES=No
+INLINE_MATCHES=No
 IPSET_WARNINGS=Yes
@ -176,7 +175,7 @@ IP_FORWARDING=On
 KEEP_RT_TABLES=Yes
-#LOAD_HELPERS_ONLY=Yes
+LOAD_HELPERS_ONLY=Yes
 MACLIST_TABLE=filter
--- a/shorewall6/snat
+++ b/shorewall6/snat
@ -18,4 +18,4 @@
 MASQUERADE		fe80::/10,\
 			fd00::/8		$NET_IFACE
 # SNAT from VPN server for all VPN clients
-#SNAT(fe80::a00:1)		::/0		omr-6in4-user+
+SNAT(fe80::a00:1)		::/0		omr-6in4-user+
--- a/tun0.glorytun
+++ b/tun0.glorytun
@ -1,7 +1,6 @@
 PORT=65001
 HOST=0.0.0.0
 DEV=tun0
 SERVER=true
 MPTCP=true
 IPV6=true
-OPTIONS="chacha20 retry count -1 const 5000000 timeout 5000 keepalive count 5 idle 20 interval 2 buffer-size 65536 multiqueue"
+OPTIONS="chacha20 retry count -1 const 5000000 timeout 10000 keepalive count 5 idle 20 interval 2 buffer-size 32768 multiqueue"
--- a/tun0.glorytun-udp
+++ b/tun0.glorytun-udp
@ -1,6 +1,4 @@
 BIND=0.0.0.0
 BIND_PORT=65001
 HOST=0.0.0.0
 PORT=5000
 DEV=tun0
 OPTIONS="chacha persist"
--- a/ubond.network
+++ b/ubond.network
@ -1,17 +0,0 @@
 [Match]
 Name=ubond*
 [Network]
 Description=UBOND tunnel
 Address=10.255.248.1/24
 DHCPServer=yes
 IPMasquerade=yes
 [DHCPServer]
 PoolOffset=2
 PoolSize=50
 EmitDNS=no
 EmitNTP=no
 DNS=9.9.9.9
 DefaultLeaseTimeSec=12h
 MaxLeaseTimeSec=24h
--- a/ubond0.conf
+++ b/ubond0.conf
@ -1,42 +0,0 @@
 [general]
 tuntap = "tun"
 mode = "server"
 interface_name = "ubond0"
 timeout = 30
 password = "UBOND_PASS"
 reorder_buffer = yes
 reorder_buffer_size = 64
 loss_tolerence = 50
 [wan1]
 bindport = 65251
 bindhost = "0.0.0.0"
 [wan2]
 bindport = 65252
 bindhost = "0.0.0.0"
 [wan3]
 bindport = 65253
 bindhost = "0.0.0.0"
 [wan4]
 bindport = 65254
 bindhost = "0.0.0.0"
 [wan5]
 bindport = 65255
 bindhost = "0.0.0.0"
 [wan6]
 bindport = 65256
 bindhost = "0.0.0.0"
 [wan7]
 bindport = 65257
 bindhost = "0.0.0.0"
 [wan8]
 bindport = 65258
 bindhost = "0.0.0.0"
--- a/ubond@.service.in
+++ b/ubond@.service.in
@ -1,16 +0,0 @@
 [Unit]
 Description=UBOND connection to %i
 PartOf=ubond.service
 ReloadPropagatedFrom=ubond.service
 After=network.target network-online.target
 [Service]
 Type=notify
 NotifyAccess=main
 ExecStart=/usr/local/sbin/ubond --config /etc/ubond/%i.conf --name %i --user ubond --quiet
 ExecReload=/bin/kill -HUP $MAINPID
 WorkingDirectory=/etc/ubond
 Restart=always
 [Install]
 WantedBy=multi-user.target
--- a/ubuntu19.04-x86_64.sh
+++ b/ubuntu19.04-x86_64.sh
@ -1 +0,0 @@
 debian9-x86_64.sh
--- a/ubuntu20.04-x86_64.sh
+++ b/ubuntu20.04-x86_64.sh
@ -1 +0,0 @@
 debian9-x86_64.sh
--- a/v2ray-server.json
+++ b/v2ray-server.json
@ -1,220 +0,0 @@
 {
 	"log": {
 		"loglevel": "error",
 		"error": "/tmp/v2rayError.log"
 	},
 	"transport": {
 		"tcpSettings": {},
 		"wsSettings": {},
 		"kcpSettings": {
 			"mtu": 1460,
 			"tti": 10,
 			"uplinkCapacity": 100,
 			"downlinkCapacity": 100,
 			"congestion": false,
 			"readBufferSize": 8,
 			"writeBufferSize": 8
 		}
 	},
 	"inbounds": [
 		{
 			"tag": "omrin-tunnel",
 			"port": 65228,
 			"protocol": "vless",
 			"settings": {
 				"decryption": "none",
 				"clients": [
 					{
 						"id": "V2RAY_UUID",
 						"level": 0,
 						"alterId": 0,
 						"email": "openmptcprouter"
 					}
 				]
 			},
 			"streamSettings": {
 				"sockopt": {
 					"mptcp": true,
 					"mark": 0
 				},
 				"network": "tcp",
 				"security": "tls",
 				"tlsSettings": {
 					"certificates": [
 						{
 							"certificateFile": "/etc/openvpn/ca/pki/issued/server.crt",
 							"keyFile": "/etc/openvpn/ca/pki/private/server.key"
 						}
 					]
 				}
 			}
 		},
 		{
 			"tag": "omrin-vmess-tunnel",
 			"port": 65230,
 			"protocol": "vmess",
 			"settings": {
 				"decryption": "none",
 				"clients": [
 					{
 						"id": "V2RAY_UUID",
 						"level": 0,
 						"alterId": 0,
 						"email": "openmptcprouter"
 					}
 				]
 			},
 			"streamSettings": {
 				"sockopt": {
 					"mptcp": true,
 					"mark": 0
 				},
 				"network": "tcp",
 				"security": "tls",
 				"tlsSettings": {
 					"certificates": [
 						{
 							"certificateFile": "/etc/openvpn/ca/pki/issued/server.crt",
 							"keyFile": "/etc/openvpn/ca/pki/private/server.key"
 						}
 					]
 				}
 			}
 		},
 		{
 			"tag": "omrin-socks-tunnel",
 			"port": 65231,
 			"protocol": "socks",
 			"settings": {
 				"auth": "password",
 				"accounts": [
 					{
 						"pass": "V2RAY_UUID",
 						"user": "openmptcprouter"
 					}
 				]
 			},
 			"streamSettings": {
 				"sockopt": {
 					"mptcp": true,
 					"mark": 0
 				},
 				"network": "tcp",
 				"security": "tls",
 				"tlsSettings": {
 					"certificates": [
 						{
 							"certificateFile": "/etc/openvpn/ca/pki/issued/server.crt",
 							"keyFile": "/etc/openvpn/ca/pki/private/server.key"
 						}
 					]
 				}
 			}
 		},
 		{
 			"tag": "omrin-trojan-tunnel",
 			"port": 65229,
 			"protocol": "trojan",
 			"settings": {
 				"clients": [
 					{
 						"password": "V2RAY_UUID",
 						"email": "openmptcprouter",
 						"level": 0
 					}
 				]
 			},
 			"streamSettings": {
 				"sockopt": {
 					"mptcp": true,
 					"mark": 0
 				},
 				"network": "tcp",
 				"security": "tls",
 				"tlsSettings": {
 				"certificates": [
 						{
 							"certificateFile": "/etc/openvpn/ca/pki/issued/server.crt",
 							"keyFile": "/etc/openvpn/ca/pki/private/server.key"
 						}
 					]
 				}
 			}
 		},
 		{
 			"listen": "127.0.0.1",
 			"port": 10085,
 			"protocol": "dokodemo-door",
 			"settings": {
 				"address": "127.0.0.1"
 			},
 			"tag": "api"
 		}
 	],
 	"outbounds": [
 		{
 			"protocol": "freedom",
 			"settings": {
 				"userLevel": 0
 			},
 			"tag": "direct"
 		}
 	],
 	"routing": {
 		"rules": [
 			{
 				"type": "field",
 				"inboundTag": [
 					"omrin-tunnel",
 					"omrin-vmess-tunnel",
 					"omrin-socks-tunnel",
 					"omrin-trojan-tunnel"
 				],
 				"outboundTag": "OMRLan",
 				"domain": [
 					"full:omr.lan"
 				]
 			},
 			{
 				"inboundTag": [
 					"api"
 				],
 				"outboundTag": "api",
 				"type": "field"
 			}
 		]
 	},
 	"reverse": {
 		"portals": [
 			{
 				"tag": "OMRLan",
 				"domain": "omr.lan"
 			}
 		]
 	},
 	"stats": {},
 	"api": {
 		"tag": "api",
 		"services": [
 			"HandlerService",
 			"LoggerService",
 			"StatsService"
 		]
 	},
 	"policy": {
 		"levels": {
 			"0": {
 				"uplinkOnly": 0,
 				"downlinkOnly": 0,
 				"bufferSize": 512,
 				"connIdle": 2400,
 				"statsUserUplink": true,
 				"statsUserDownlink": true
 			}
 		},
 		"system": {
 			"statsInboundUplink": true,
 			"statsInboundDownlink": true
 		}
 	}
 }
--- a/v2ray.service
+++ b/v2ray.service
@ -1,18 +0,0 @@
 [Unit]
 Description=V2Ray Service
 Documentation=https://www.v2fly.org/
 After=network.target nss-lookup.target
 Wants=network-online.target
 [Service]
 User=root
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
 AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
 NoNewPrivileges=true
 ExecStart=/usr/bin/v2ray run -config /etc/v2ray/v2ray-server.json
 Restart=always
 RestartPreventExitStatus=23
 StartLimitInterval=0
 [Install]
 WantedBy=multi-user.target
--- a/xray-server.json
+++ b/xray-server.json
@ -1,232 +0,0 @@
 {
 	"log": {
 		"loglevel": "error",
 		"error": "/tmp/v2rayError.log"
 	},
 	"inbounds": [
 		{
 			"tag": "omrin-tunnel",
 			"port": 65248,
 			"protocol": "vless",
 			"settings": {
 				"decryption": "none",
 				"clients": [
 					{
 						"id": "V2RAY_UUID",
 						"level": 0,
 						"alterId": 0,
 						"email": "openmptcprouter"
 					}
 				]
 			},
 			"streamSettings": {
 				"sockopt": {
 					"tcpMptcp": true,
 					"mark": 0
 				},
 				"network": "tcp",
 				"security": "tls",
 				"tlsSettings": {
 					"certificates": [
 						{
 							"certificateFile": "/etc/openvpn/ca/pki/issued/server.crt",
 							"keyFile": "/etc/openvpn/ca/pki/private/server.key"
 						}
 					]
 				}
 			}
 		},
 		{
 			"tag": "omrin-vmess-tunnel",
 			"port": 65250,
 			"protocol": "vmess",
 			"settings": {
 				"decryption": "none",
 				"clients": [
 					{
 						"id": "V2RAY_UUID",
 						"level": 0,
 						"alterId": 0,
 						"email": "openmptcprouter"
 					}
 				]
 			},
 			"streamSettings": {
 				"sockopt": {
 					"tcpMptcp": true,
 					"mark": 0
 				},
 				"network": "tcp",
 				"security": "tls",
 				"tlsSettings": {
 					"certificates": [
 						{
 							"certificateFile": "/etc/openvpn/ca/pki/issued/server.crt",
 							"keyFile": "/etc/openvpn/ca/pki/private/server.key"
 						}
 					]
 				}
 			}
 		},
 		{
 			"tag": "omrin-socks-tunnel",
 			"port": 65251,
 			"protocol": "socks",
 			"settings": {
 				"auth": "password",
 				"accounts": [
 					{
 						"pass": "V2RAY_UUID",
 						"user": "openmptcprouter"
 					}
 				]
 			},
 			"streamSettings": {
 				"sockopt": {
 					"tcpMptcp": true,
 					"mark": 0
 				},
 				"network": "tcp",
 				"security": "tls",
 				"tlsSettings": {
 					"certificates": [
 						{
 							"certificateFile": "/etc/openvpn/ca/pki/issued/server.crt",
 							"keyFile": "/etc/openvpn/ca/pki/private/server.key"
 						}
 					]
 				}
 			}
 		},
 		{
 			"tag": "omrin-trojan-tunnel",
 			"port": 65249,
 			"protocol": "trojan",
 			"settings": {
 				"clients": [
 					{
 						"password": "V2RAY_UUID",
 						"email": "openmptcprouter",
 						"level": 0
 					}
 				]
 			},
 			"streamSettings": {
 				"sockopt": {
 					"tcpMptcp": true,
 					"mark": 0
 				},
 				"network": "tcp",
 				"security": "tls",
 				"tlsSettings": {
 				"certificates": [
 						{
 							"certificateFile": "/etc/openvpn/ca/pki/issued/server.crt",
 							"keyFile": "/etc/openvpn/ca/pki/private/server.key"
 						}
 					]
 				}
 			}
 		},
 		{
 			"tag": "omrin-shadowsocks-tunnel",
 			"port": 65252,
 			"protocol": "shadowsocks",
 			"settings": {
 				"password": "XRAY_PSK",
 				"method": "2022-blake3-aes-256-gcm",
 				"network": "tcp,udp",
 				"clients": [
 					{
 						"password": "XRAY_UPSK",
 						"email": "openmptcprouter"
 					}
 				]
 			},
 			"streamSettings": {
 				"sockopt": {
 					"tcpMptcp": true,
 					"mark": 0
 				},
 				"network": "tcp"
 			}
 		},
 		{
 			"listen": "127.0.0.1",
 			"port": 10086,
 			"protocol": "dokodemo-door",
 			"settings": {
 				"address": "127.0.0.1"
 			},
 			"tag": "api"
 		}
 	],
 	"outbounds": [
 		{
 			"protocol": "freedom",
 			"settings": {
 				"userLevel": 0
 			},
 			"tag": "direct"
 		}
 	],
 	"routing": {
 		"rules": [
 			{
 				"type": "field",
 				"inboundTag": [
 					"omrin-tunnel",
 					"omrin-vless-reality",
 					"omrin-vmess-tunnel",
 					"omrin-socks-tunnel",
 					"omrin-trojan-tunnel"
 				],
 				"outboundTag": "OMRLan",
 				"domain": [
 					"full:omr.lan"
 				]
 			},
 			{
 				"inboundTag": [
 					"api"
 				],
 				"outboundTag": "api",
 				"type": "field"
 			}
 		]
 	},
 	"reverse": {
 		"portals": [
 			{
 				"tag": "OMRLan",
 				"domain": "omr.lan"
 			}
 		]
 	},
 	"stats": {},
 	"api": {
 		"tag": "api",
 		"listen": "127.0.0.1:65080",
 		"services": [
 			"HandlerService",
 			"LoggerService",
 			"StatsService"
 		]
 	},
 	"policy": {
 		"levels": {
 			"0": {
 				"uplinkOnly": 0,
 				"downlinkOnly": 0,
 				"bufferSize": 512,
 				"connIdle": 2400,
 				"statsUserUplink": true,
 				"statsUserDownlink": true
 			}
 		},
 		"system": {
 			"statsInboundUplink": true,
 			"statsInboundDownlink": true
 		}
 	}
 }
--- a/xray-vless-reality.json
+++ b/xray-vless-reality.json
@ -1,47 +0,0 @@
 {
    "inbounds": [
        {
            "port": 443,
            "tag": "omrin-vless-reality",
            "protocol": "vless",
            "settings": {
                "clients": [
                    {
                        "id": "XRAY_UUID",
                        "flow": "xtls-rprx-vision"
                    }
                ],
                "decryption": "none"
            },
            "streamSettings": {
                "network": "tcp",
                "security": "reality",
                "realitySettings": {
                    "dest": "1.1.1.1:443",
                    "serverNames": [
                        ""
                    ],
                    "privateKey": "XRAY_X25519_PRIVATE_KEY",
                    "publicKey": "XRAY_X25519_PUBLIC_KEY",
                    "shortIds": [
                        ""
                    ]
                },
                "sockopt": {
                    "tcpMptcp": true,
                    "mark": 0
                }
            }
        }
    ],
    "routing": {
        "rules": [
            {
                "type": "field",
                "inboundTag": [
                    "omrin-vless-reality"
                ]
            }
        ]
   }
 }
--- a/xray.service
+++ b/xray.service
@ -1,18 +0,0 @@
 [Unit]
 Description=XRay Service
 Documentation=https://xtls.github.io/
 After=network.target nss-lookup.target
 Wants=network-online.target
 [Service]
 User=root
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
 AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
 NoNewPrivileges=true
 ExecStart=/usr/bin/xray run -config /etc/xray/xray-server.json
 Restart=always
 RestartPreventExitStatus=23
 StartLimitInterval=0
 [Install]
 WantedBy=multi-user.target