Update Shadowsocks to 1.13.0

debian-x86_64.sh

@@ -0,0 +1 @@
+debian9-x86_64.sh

debian.sh

@@ -0,0 +1 @@
+debian9-x86_64.sh

debian/changelog

@@ -0,0 +1,23 @@
+omr-server (0.1030) unstable; urgency=medium
+
+    * Many changes
+
+ -- OpenMPTCProuter <contact@openmptcprouter.com>  Wed, 10 Apr 2024 19:35:34 +0200
+
+omr-server (0.1028) unstable; urgency=medium
+
+    * Many changes
+
+ -- OpenMPTCProuter <contact@openmptcprouter.com>  Fri, 14 Oct 2022 09:02:22 +0200
+
+omr-server (0.1026) unstable; urgency=medium
+
+    * Many changes
+
+ -- OpenMPTCProuter <contact@openmptcprouter.com>  Mon, 14 Jun 2021 07:43:42 +0200
+
+omr-server (0.1025-test) unstable; urgency=medium
+
+    * Wireguard support and fixed
+
+ -- OpenMPTCProuter <contact@openmptcprouter.com>  Thu, 04 Mar 2021 14:36:12 +0200

debian/compat

@@ -0,0 +1 @@
+10

debian/control

@@ -0,0 +1,37 @@
+Source: omr-server
+Section: net
+Priority: optional
+Maintainer: OpenMPTCProuter <contact@openmptcprouter.com>
+Build-Depends: debhelper (>= 10)
+X-Python-Version: >= 3.2
+Standards-Version: 0.0.1
+Homepage: https://github.com/ysurac/openmptcprouter-vps
+
+Package: omr-server
+Architecture: all
+Multi-Arch: foreign
+Depends:
+ curl,
+ rename,
+ libcurl4,
+ unzip,
+ tracebox,
+ omr-iperf3,
+ omr-shadowsocks-libev (= 3.3.5-2),
+ omr-vps-admin (= 0.3+20210508),
+ omr-simple-obfs,
+ omr-mlvpn (= 3.0.0+20201216.git.2263bab),
+ omr-glorytun (= 0.3.4-4),
+ omr-glorytun-tcp (= 0.0.35-3),
+ omr-dsvpn (= 0.1.4-2),
+ shorewall,
+ shorewall6,
+ iptables,
+ v2ray-plugin (= 4.35.1),
+ v2ray (=4.35.1),
+ linux-image-5.4.100-mptcp (= 1.18+9d3f35b),
+ ${misc:Depends}
+Provides: omr-server
+Conflicts: omr-server
+Replaces: omr-server
+Description: OpenMPTCProuter Server script

debian/postinst

@@ -0,0 +1,16 @@
+#!/bin/sh -e
+
+test $DEBIAN_SCRIPT_DEBUG && set -v -x
+
+# use debconf
+. /usr/share/debconf/confmodule
+
+sed -i -e "s/^LOCALFILES=.*$/LOCALFILES=no/" -e "s/^SOURCES=.*$/SOURCES=no/" /usr/share/omr-server/debian9-x86_64.sh
+systemctl daemon-reload
+systemctl restart omr-update
+
+db_stop
+
+#DEBHELPER#
+exit 0
+# vim:set ai et sts=2 sw=2 tw=0:

debian/rules

@@ -0,0 +1,18 @@
+#!/usr/bin/make -f
+#export DH_VERBOSE = 1
+
+# Security Hardening
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
+%:
+	dh $@
+
+override_dh_auto_install:
+	mkdir -p $(CURDIR)/debian/omr-server/usr/share/omr-server
+	find . -type f -xtype f -not -iname '*/debian/*' -not -iname '*/.git/*' -exec cp '{}' "$(CURDIR)/debian/omr-server/usr/share/omr-server/{}" ';'
+	cp -r ./shorewall4 $(CURDIR)/debian/omr-server/usr/share/omr-server/
+	cp -r ./shorewall6 $(CURDIR)/debian/omr-server/usr/share/omr-server/
+	cp -r ./bin $(CURDIR)/debian/omr-server/usr/share/omr-server/
+	mkdir -p $(CURDIR)/debian/etc/openmptcprouter-vps-admin
+	touch $(CURDIR)/debian/etc/openmptcprouter-vps-admin/update-bin
+

debian11-x86_64.sh

@@ -0,0 +1 @@
+debian9-x86_64.sh

debian12-x86_64.sh

@@ -0,0 +1 @@
+debian9-x86_64.sh

dsvpn-run

@@ -12,7 +12,7 @@ fi
 exec dsvpn \
 	${MODE} \
 	"$1".key \
-	auto \
+	${HOST:-auto} \
 	${PORT} \
 	${DEV} \
 	${LOCALTUNIP} \

dsvpn0-config

@@ -1,4 +1,5 @@
 PORT=65401
+HOST=0.0.0.0
 DEV=dsvpn0
 MODE=server
 LOCALTUNIP=10.255.251.1

fail2ban-filter-openvpn.conf

@@ -0,0 +1,10 @@
+[INCLUDES]
+before = common.conf
+
+[Definition] 
+_daemon = ovpn-server
+failregex =%(__prefix_line)s<HOST>:[0-9]{4,5} TLS Auth Error:.*
+           %(__prefix_line)s<HOST>:[0-9]{4,5} VERIFY ERROR:.*
+           %(__prefix_line)s<HOST>:[0-9]{4,5} TLS Error: TLS handshake failed.*
+           %(__prefix_line)sTLS Error: cannot locate HMAC in incoming packet from \[AF_INET\]<HOST>:[0-9]{4,5}
+maxlines = 1

fail2ban-jail-openmptcprouter.conf

@@ -0,0 +1,21 @@
+[DEFAULT]
+backend = systemd
+banaction = shorewall
+
+[sshd]
+enabled = true
+
+[openvpn_tcp]
+enabled = true
+port = 65301
+protocol = tcp
+filter = openvpn
+maxretry = 5
+
+[openvpn_udp]
+enabled = true
+port = 65301
+protocol = udp
+filter = openvpn
+maxretry = 5
+

glorytun-tcp-run

@@ -9,7 +9,7 @@ fi
 
 . "$(readlink -f "$1")"
 
-DEV="gt${HOST:+c}-$(basename "$1")"
+DEV="gt-$(basename "$1")"
 
 exec glorytun-tcp \
 	${SERVER:+listener} \

glorytun-udp-run

@@ -9,11 +9,10 @@ fi
 
 . "$(readlink -f "$1")"
 
-DEV="gt${HOST:+c}-udp-$(basename "$1")"
+DEV="gt-udp-$(basename "$1")"
 
 exec glorytun \
-	bind from addr $BIND port $BIND_PORT \
+	bind to addr ${HOST:-::} port ${PORT:-5000} from addr $BIND port $BIND_PORT \
 	keyfile "$1".key \
 	${DEV:+dev "$DEV"} \
-	${HOST:+to addr "$HOST" port "$PORT"} \
 	${OPTIONS:+$OPTIONS}

iperf3.override.conf

@@ -0,0 +1,3 @@
+[Service]
+ExecStart=
+ExecStart=/usr/bin/iperf3 -s -p 65400 --authorized-users-path /etc/iperf3/users.csv --rsa-private-key-path /etc/iperf3/private.pem

iperf3.service.in

@@ -3,7 +3,7 @@ Description=iperf3
 Requires=network.target
 
 [Service]
-ExecStart=/usr/bin/iperf3 -s -p 65400 --authorized-users-path /etc/iperf3/users.csv --rsa-private-key-path /etc/iperf3/public.pem
+ExecStart=/usr/bin/iperf3 -s -p 65400 --authorized-users-path /etc/iperf3/users.csv --rsa-private-key-path /etc/iperf3/private.pem
 Restart=on-failure
 
 [Install]

multipath

@@ -6,9 +6,8 @@
 # Released under GPL 3 or later
 
 if [ -d "/proc/sys/net/mptcp" ]; then
-        if [ `cat /proc/sys/net/mptcp/mptcp_enabled` = 0 ]; then
+        if ([ -f /proc/sys/net/mptcp/mptcp_enabled ] && [ `cat /proc/sys/net/mptcp/mptcp_enabled` = 0 ]) || ([ -f /proc/sys/net/mptcp/enabled ] && [ `cat /proc/sys/net/mptcp/enabled` = 0 ]); then
                 echo "MPTCP is disabled!"
-                echo "Please set net.mptcp.mptcp_enabled = 1"
                 exit 1
         fi
 else
@@ -26,7 +25,7 @@ case $1 in
         echo "  multipath device {on | off | backup | handover}"
         echo
         echo "show established conections: -c"
-        echo "show mullmesh info: -f"
+        echo "show fullmesh info: -f"
         echo "show kernel config: -k"
         echo
         echo "Flag on the device, to enable/disable MPTCP for this interface. The backup-flag"
@@ -43,12 +42,28 @@ case $1 in
         cat /proc/net/mptcp_fullmesh
         exit 0;;
    "-k")
-        echo Enabled: `cat /proc/sys/net/mptcp/mptcp_enabled`
+        if [ -f /proc/sys/net/mptcp/mptcp_enabled ]; then
-        echo Path Manager: `cat /proc/sys/net/mptcp/mptcp_path_manager`
+            echo Enabled: `cat /proc/sys/net/mptcp/mptcp_enabled`
-        echo Use checksum: `cat /proc/sys/net/mptcp/mptcp_checksum`
+        elif [ -f /proc/sys/net/mptcp/enabled ]; then
-        echo Scheduler: `cat /proc/sys/net/mptcp/mptcp_scheduler`
+            echo Enabled: `cat /proc/sys/net/mptcp/enabled`
-        echo Syn retries: `cat /proc/sys/net/mptcp/mptcp_syn_retries`
+        fi
-        echo Debugmode: `cat /proc/sys/net/mptcp/mptcp_debug`
+        if [ -f /proc/sys/net/mptcp/mptcp_path_manager ]; then
+            echo Path Manager: `cat /proc/sys/net/mptcp/mptcp_path_manager`
+        fi
+        if [ -f /proc/sys/net/mptcp/mptcp_checksum ]; then
+            echo Use checksum: `cat /proc/sys/net/mptcp/mptcp_checksum`
+        else
+            echo Use checksum: `cat /proc/sys/net/mptcp/checksum_enabled`
+        fi
+        if [ -f /proc/sys/net/mptcp/mptcp_scheduler ]; then
+            echo Scheduler: `cat /proc/sys/net/mptcp/mptcp_scheduler`
+        fi
+        if [ -f /proc/sys/net/mptcp/mptcp_syn_retries ]; then
+            echo Syn retries: `cat /proc/sys/net/mptcp/mptcp_syn_retries`
+        fi
+        if [ -f /proc/sys/net/mptcp/mptcp_debug ]; then
+            echo Debugmode: `cat /proc/sys/net/mptcp/mptcp_debug`
+        fi
         echo
         echo See http://multipath-tcp.org/ for details
         exit 0 ;;
@@ -65,38 +80,98 @@ TYPE="$2"
 #FLAG_PATH=`find /sys/devices/ -path "*/net/$DEVICE/flags"`
 
 [ -d "/sys/class/net/$DEVICE/" ] || {
-        echo "Device '$DEVICE' can't found!"
+        #echo "Device '$DEVICE' can't found!"
-        echo "Use the hardware name like in ifconfig"
+        #echo "Use the hardware name like in ifconfig"
         exit 1
 }
 
-FLAG_PATH="/sys/class/net/$DEVICE/flags"
+if [ -f /proc/sys/net/mptcp/mptcp_enabled ]; then
-IFF=`cat $FLAG_PATH`
+        FLAG_PATH="/sys/class/net/$DEVICE/flags"
+        IFF=`cat $FLAG_PATH`
 
-IFF_OFF="0x80000"
+        IFF_OFF="0x80000"
-IFF_ON="0x00"
+        IFF_ON="0x00"
-IFF_BACKUP="0x100000"
+        IFF_BACKUP="0x100000"
-IFF_HANDOVER="0x200000"
+        IFF_HANDOVER="0x200000"
-IFF_MASK="0x380000"
+        IFF_MASK="0x380000"
 
-case $TYPE in
+        case $TYPE in
-        "off")          FLAG=$IFF_OFF;;
+                "off")          FLAG=$IFF_OFF;;
-        "on")           FLAG=$IFF_ON;;
+                "on")           FLAG=$IFF_ON;;
-        "backup")       FLAG=$IFF_BACKUP;;
+                "backup")       FLAG=$IFF_BACKUP;;
-        "handover")     FLAG=$IFF_HANDOVER;;
+                "handover")     FLAG=$IFF_HANDOVER;;
-        "")
+                "")
-                IFF=`printf "0x%02x" $(($IFF&$IFF_MASK))`
+                        IFF=`printf "0x%02x" $(($IFF&$IFF_MASK))`
-                case "$IFF" in
+                        case "$IFF" in
-                        $IFF_OFF)       echo $DEVICE is deactivated;;
+                                $IFF_OFF)       echo $DEVICE is deactivated;;
-                        $IFF_ON)        echo $DEVICE is in default mode;;
+                                $IFF_ON)        echo $DEVICE is in default mode;;
-                        $IFF_BACKUP)    echo $DEVICE is in backup mode;;
+                                $IFF_BACKUP)    echo $DEVICE is in backup mode;;
-                        $IFF_HANDOVER)  echo $DEVICE is in handover mode;;
+                                $IFF_HANDOVER)  echo $DEVICE is in handover mode;;
-                        *) echo "Unkown state!" && exit 1;;
+                                *) echo "Unkown state!" && exit 1;;
-                esac
+                        esac
-                exit 0;;
+                        exit 0;;
-        *) echo "Unkown flag! Use 'multipath -h' for help" && exit 1;;
+                *) echo "Unkown flag! Use 'multipath -h' for help" && exit 1;;
-esac
+        esac
 
-printf "0x%02x" $(($(($IFF^$(($IFF&$IFF_MASK))))|$FLAG)) > $FLAG_PATH
+        printf "0x%02x" $(($(($IFF^$(($IFF&$IFF_MASK))))|$FLAG)) > $FLAG_PATH
+else
+        ID=$(ip mptcp endpoint show | grep -m 1 "dev $DEVICE" | awk '{print $3}')
+        IFF=$(ip mptcp endpoint show | grep -m 1 "dev $DEVICE" | awk '{print $4}')
+        #IP=$(ip a show $DEVICE | sed -En 's/127.0.0.1//;s/.*inet (addr:)?(([0-9]*\.){3}[0-9]*).*/\2/p')
+	[ -f /usr/bin/jsonfilter ] && IP=$(ip -j a show $DEVICE | jsonfilter -e '@[0].addr_info[*].local')
+        [ -f /usr/bin/jq ] && IP=$(ip -j a show $DEVICE | jq -r '.[0].addr_info[].local')
+	RMID=$(ip mptcp endpoint show | grep '::ffff' | awk '{ print $3 }')
+        [ -n "$RMID" ] && ip mptcp endpoint delete id $RMID 2>&1 >/dev/null
+        case $TYPE in
+                "off")
+                        [ -n "$ID" ] && {
+                            for i in $ID; do
+                                ip mptcp endpoint delete id $i 2>&1 >/dev/null
+                            done
+                        }
+                        exit 0;;
+                "on")
+                        [ -n "$ID" ] && {
+                            for i in $ID; do
+                                ip mptcp endpoint delete id $i 2>&1 >/dev/null
+                            done
+                        }
+                        for i in $IP; do
+                            ip mptcp endpoint add $i dev $DEVICE subflow fullmesh
+                        done
+                        exit 0;;
+                "signal")
+                        [ -n "$ID" ] && {
+                            for i in $ID; do
+                                ip mptcp endpoint delete id $i 2>&1 >/dev/null
+                            done
+                        }
+                        for i in $IP; do
+                            ip mptcp endpoint add $i dev $DEVICE signal
+                        done
+                        exit 0;;
+                "backup")
+                        [ -n "$ID" ] && {
+                            for i in $ID; do
+                                ip mptcp endpoint delete id $i 2>&1 >/dev/null
+                            done
+                        }
+                        for i in $IP; do
+                            ip mptcp endpoint add $i dev $DEVICE backup fullmesh
+                        done
+                        exit 0;;
+                "")
+                        case "$IFF" in
+                                "")          echo $DEVICE is deactivated;;
+                                "subflow")   echo $DEVICE is in default mode;;
+                                "backup")    echo $DEVICE is in backup mode;;
+                                "signal")    echo $DEVICE is in signal mode;;
+                                "fullmesh")  echo $DEVICE is in fullmesh mode;;
+                                *)           echo "$DEVICE Unkown state!" && exit 1;;
+                        esac
+                        exit 0;;
+                *) echo "Unkown flag! Use 'multipath -h' for help" && exit 1;;
+        esac
 
+fi
 

omr-admin-ipv6.service.in

@@ -0,0 +1,12 @@
+[Unit]
+Description=OMR-Admin IPv6
+After=network.target network-online.target
+
+[Service]
+Type=simple
+Restart=always
+ExecStart=/usr/local/bin/omr-admin.py --host="::"
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN CAP_IPC_LOCK CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_FOWNER CAP_SETFCAP
+
+[Install]
+WantedBy=multi-user.target

omr-admin.service.in

@@ -6,7 +6,7 @@ After=network.target network-online.target
 Type=simple
 Restart=always
 ExecStart=/usr/local/bin/omr-admin.py
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN CAP_IPC_LOCK CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_FOWNER CAP_SETFCAP
 
 [Install]
 WantedBy=multi-user.target

omr-bypass

@@ -0,0 +1,82 @@
+#!/bin/sh
+# Copyright (C) 2023 Ycarus (Yannick Chabanois) <ycarus@zugaina.org> for OpenMPTCProuter
+# Released under GPL 3. See LICENSE for the full terms.
+
+[ ! -f /etc/openmptcprouter-vps-admin/omr-bypass.json ] && exit 0
+
+# Configuration
+INTERFACE="$(jq -M -r .bypass_intf /etc/openmptcprouter-vps-admin/omr-admin-config.json | tr -d '\n')"
+[ "$INTERFACE" = "null" ] && INTERFACE="vpn1"
+GATEWAY="$(ip r show dev ${INTERFACE} | awk '/via/ {print $3}' | tr -d '\n')"
+GATEWAY6="$(ip -6 r show dev ${INTERFACE} | awk '/via/ {print $3}' | tr -d '\n')"
+TABLE="991337"
+MARK="0x539"
+
+CHECKSUM="$(md5sum /etc/openmptcprouter-vps-admin/omr-bypass.json | awk '{print $1}' | tr -d '\n')"
+PREVIOUS_CHECKSUM="$(jq -M -r .bypass_checksum /etc/openmptcprouter-vps-admin/omr-admin-config.json | tr -d '\n')"
+[ "$CHECKSUM" = "$PREVIOUS_CHECKSUM" ] && exit 0
+jq -M --arg c "$CHECKSUM" '.bypass_checksum = $c' /etc/openmptcprouter-vps-admin/omr-admin-config.json > /etc/openmptcprouter-vps-admin/omr-admin-config.json.tmp
+mv /etc/openmptcprouter-vps-admin/omr-admin-config.json.tmp /etc/openmptcprouter-vps-admin/omr-admin-config.json
+# Action
+ipset -q flush omr_dst_bypass_srv_${INTERFACE} 2>&1 > /dev/null
+ipset -q flush omr6_dst_bypass_srv_${INTERFACE} 2>&1 > /dev/null
+ipset -q --exist restore <<-EOF
+create omr_dst_bypass_srv_${INTERFACE} hash:net hashsize 64
+create omr6_dst_bypass_srv_${INTERFACE} hash:net family inet6 hashsize 64
+EOF
+ipv4=$(cat /etc/openmptcprouter-vps-admin/omr-bypass.json | jq -r .${INTERFACE}.ipv4[])
+for ip in $ipv4; do
+	ipset -q add omr_dst_bypass_srv_${INTERFACE} $ip
+done
+ipv6=$(cat /etc/openmptcprouter-vps-admin/omr-bypass.json | jq -r .${INTERFACE}.ipv6[])
+for ip in $ipv6; do
+	ipset -q add omr6_dst_bypass_srv_${INTERFACE} $ip
+done
+iptables-save --counters 2>/dev/null | grep -v omr-bypass | iptables-restore -w --counters 2>/dev/null
+iptables-restore -w --wait=60 --noflush <<-EOF
+*mangle
+:omr-bypass -
+-A PREROUTING -j omr-bypass
+COMMIT
+EOF
+iptables-restore -w --wait=60 --noflush <<-EOF
+*mangle
+:omr-bypass-local -
+-A OUTPUT -m addrtype ! --dst-type LOCAL -j omr-bypass-local
+COMMIT
+EOF
+iptables-restore -w --wait=60 --noflush <<-EOF
+*mangle
+-A omr-bypass -m set --match-set omr_dst_bypass_srv_${INTERFACE} dst -j MARK --set-mark ${MARK}
+-A omr-bypass -m mark --mark ${MARK} -j RETURN
+-A omr-bypass-local -m set --match-set omr_dst_bypass_srv_${INTERFACE} dst -j MARK --set-mark ${MARK}
+-A omr-bypass-local -m mark --mark ${MARK} -j RETURN
+COMMIT
+EOF
+ip rule add prio 1 fwmark ${MARK} lookup ${TABLE} > /dev/null 2>&1
+ip route replace default via ${GATEWAY} dev ${INTERFACE} table ${TABLE}
+ip6tables-save --counters 2>/dev/null | grep -v omr-bypass | ip6tables-restore -w --counters 2>/dev/null
+ip6tables-restore -w --wait=60 --noflush <<-EOF
+*mangle
+:omr-bypass -
+-A PREROUTING -j omr-bypass
+COMMIT
+EOF
+ip6tables-restore -w --wait=60 --noflush <<-EOF
+*mangle
+:omr-bypass-local -
+-A OUTPUT -m addrtype ! --dst-type LOCAL -j omr-bypass-local
+COMMIT
+EOF
+ip6tables-restore -w --wait=60 --noflush <<-EOF
+*mangle
+-A omr-bypass -m set --match-set omr6_dst_bypass_srv_${INTERFACE} dst -j MARK --set-mark ${MARK}
+-A omr-bypass -m mark --mark ${MARK} -j RETURN
+-A omr-bypass-local -m set --match-set omr6_dst_bypass_srv_${INTERFACE} dst -j MARK --set-mark ${MARK}
+-A omr-bypass-local -m mark --mark ${MARK} -j RETURN
+COMMIT
+EOF
+if [ -n "$GATEWAY6" ]; then
+	ip rule add prio 1 fwmark ${MARK} lookup ${TABLE} > /dev/null 2>&1
+	ip route replace default via ${GATEWAY6} dev ${INTERFACE} table ${TABLE}
+fi

omr-bypass.service.in

@@ -0,0 +1,12 @@
+[Unit]
+Description=OMR-ByPass
+After=network.target network-online.target shorewall.service
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/omr-bypass
+KillSignal=9
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
+
+[Install]
+WantedBy=multi-user.target

omr-bypass.timer.in

@@ -0,0 +1,8 @@
+[Unit]
+Description=Timer for omr-bypass
+
+[Timer]
+OnUnitActiveSec=300
+
+[Install]
+WantedBy=timers.target

omr-pihole.sh

@@ -8,6 +8,11 @@ if [ "$ID" = "debian" ] && [ "$VERSION_ID" = "9" ]; then
         echo "This script doesn't work with Debian Stretch (9.x)"
         exit 1
 fi
+if [ "$(id -u)" -ne 0 ]; then
+	echo "You must run the script as root"
+	exit 1
+fi
+
 echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
 echo "You can select any interface and set any IPs during Pi-hole configuration, this will be modified for OpenMPTCProuter at the end."
 echo "Don't apply Pi-hole firewall rules."
@@ -26,13 +31,14 @@ $SERVER["socket"] == "10.255.252.1:80" { }
 $SERVER["socket"] == "10.255.251.1:80" { }
 $SERVER["socket"] == "10.255.253.1:80" { }
 EOF
-systemctl -q restart lighttpd
+systemctl list-unit-files lighttpd.service &>/dev/null && systemctl -q restart lighttpd
 grep -v -e PIHOLE_INTERFACE -e IPV4_ADDRESS -e IPV6_ADDRESS /etc/pihole/setupVars.conf > /etc/pihole/setupVars.new.conf
 mv /etc/pihole/setupVars.new.conf /etc/pihole/setupVars.conf
 cat >> /etc/pihole/setupVars.conf <<-EOF
 PIHOLE_INTERFACE=gt-tun0
 IPV4_ADDRESS=10.255.0.0/16
-IPV6_ADDRESS=fe80::aff:ff01/64
+IPV6_ADDRESS=fd00::a00:/106
+RATE_LIMIT=0/0
 EOF
 
 grep -v interface /etc/dnsmasq.d/01-pihole.conf > /etc/dnsmasq.d/01-pihole.new.conf

omr-service

@@ -6,110 +6,227 @@ _multipath() {
 	source /etc/shorewall/params.net
 	for intf in `ls -1 /sys/class/net`; do
 		if [ "$intf" != "bonding_masters" ]; then
-			if [ "$intf" = "$NET_IFACE" ]; then
+			if ([ "$(ip a show dev lo | grep -v inet6 | grep global)" != "" ] && [ "$intf" = "lo" ]) || ([ "$intf" = "$NET_IFACE" ] && [ "$(ip a show dev lo | grep -v inet6 | grep global)" = "" ]); then
-				[ "$(multipath $intf | tr -d '\n')" != "$intf is in default mode" ] && multipath $intf on
+				[ -f /proc/sys/net/mptcp/mptcp_enabled ] && [ "$(multipath $intf | tr -d '\n')" != "$intf is in default mode" ] && multipath $intf on >/dev/null 2>&1
+				[ -f /proc/sys/net/mptcp/enabled ] && [ "$(multipath $intf | tr -d '\n')" != "$intf is in signal mode" ] && {
+					multipath $intf signal >/dev/null 2>&1
+					ip mptcp limits set subflows 8 add_addr_accepted 8 >/dev/null 2>&1
+				}
 			else
-				[ "$(multipath $intf | tr -d '\n')" != "$intf is deactivated" ] && multipath $intf off
+				[ "$(multipath $intf | tr -d '\n')" != "$intf is deactivated" ] && multipath $intf off >/dev/null 2>&1
 			fi
 		fi
 	done
 }
 
 _glorytun_udp() {
-	[ -z "$(glorytun show dev gt-udp-tun0 2>/dev/null | grep tunnel)" ] && {
+	#if [ -n "$(systemctl -a | grep 'glorytun-udp')" ]; then
-		logger -t "OMR-Service" "Restart Glorytun-UDP"
+	if systemctl list-unit-files glorytun-udp@.service >/dev/null; then
-		systemctl -q restart 'glorytun-udp@*'
+		[ -z "$(glorytun show dev gt-udp-tun0 2>/dev/null | grep tunnel)" ] && {
-	}
+			logger -t "OMR-Service" "Restart Glorytun-UDP"
-	for intf in /etc/glorytun-udp/tun*; do
+			systemctl -q restart 'glorytun-udp@*'
-		[ "$(echo $intf | grep key)" = "" ] && /etc/glorytun-udp/post.sh ${intf}
+			sleep 10
-	done
+		}
+		for intf in /etc/glorytun-udp/tun*; do
+			[ "$(echo $intf | grep key)" = "" ] && /etc/glorytun-udp/post.sh ${intf}
+		done
+		#ip link set mtu 9000 dev gt-udp-tun0 >/dev/null 2>&1
+	fi
 }
 
 _glorytun_tcp() {
-	for intf in /etc/glorytun-tcp/tun*; do
+	#if [ -n "$(systemctl -a | grep 'glorytun-tcp')" ]; then
-		[ "$(echo $intf | grep key)" = "" ] && /etc/glorytun-tcp/post.sh ${intf}
+	if systemctl list-unit-files glorytun-tcp@.service >/dev/null; then
-	done
+		for intf in /etc/glorytun-tcp/tun*; do
-	if [ -f /etc/openmptcprouter-vps-admin/current-vpn ] && [ "$(cat /etc/openmptcprouter-vps-admin/current-vpn)" = "glorytun_tcp" ]; then
+			[ "$(echo $intf | grep key)" = "" ] && timeout 10 /etc/glorytun-tcp/post.sh ${intf}
-		if [ "$(ping -c 5 -w 5 10.255.255.2 | grep '100%')" != "" ] && [ "$(expr $(date +%s) - $(stat -c %Y /proc/$(pgrep glorytun-tcp)/exe ))" -gt "300" ]; then
+		done
-			logger -t "OMR-Service" "No answer from VPN client end, restart Glorytun-TCP"
+		if [ -f /etc/openmptcprouter-vps-admin/current-vpn ] && [ "$(cat /etc/openmptcprouter-vps-admin/current-vpn)" = "glorytun_tcp" ]; then
-			systemctl restart glorytun-tcp@tun0
+			localip="$(cat /etc/glorytun-tcp/tun0 | grep LOCALIP | cut -d '=' -f2)"
+			[ -z "$localip" ] && localip="10.255.255.1"
+			remoteip="$(echo $localip | sed 's/\.1/\.2/')"
+			if [ "$(ping -c 3 -w 10 $remoteip | grep '100%')" != "" ] && ([ -z "$(pgrep glorytun-tcp)" ] || [ "$(expr $(date +%s) - $(stat -c %Y /proc/$(pgrep glorytun-tcp)/exe ))" -gt "300" ]); then
+				logger -t "OMR-Service" "No answer from VPN client end, restart Glorytun-TCP"
+				systemctl restart glorytun-tcp@tun0
+				sleep 10
+			fi
+		fi
+		#ip link set mtu 9000 dev gt-tun0 >/dev/null 2>&1
+	fi
+}
+
+_dsvpn() {
+	#if [ -n "$(systemctl -a | grep 'dsvpn')" ]; then
+	if systemctl list-unit-files dsvpn-server@.service >/dev/null; then
+		[ -n "$(ip -6 r show 64:ff9b::/96 dev dsvpn0)" ] && ip -6 r del 64:ff9b::/96 dev dsvpn0 >/dev/null 2>&1
+		if [ -f /etc/openmptcprouter-vps-admin/current-vpn ] && [ "$(cat /etc/openmptcprouter-vps-admin/current-vpn)" = "dsvpn" ]; then
+			localip="$(cat /etc/dsvpn/dsvpn0 | grep LOCALTUNIP | cut -d '=' -f2)"
+			[ -z "$localip" ] && localip="10.255.251.1"
+			remoteip="$(echo $localip | sed 's/\.1/\.2/')"
+			if [ "$(ping -c 5 -w 5 $remoteip | grep '100%')" != "" ] && [ "$(expr $(date +%s) - $(stat -c %Y /proc/$(pgrep dsvpn)/exe ))" -gt "300" ]; then
+				logger -t "OMR-Service" "No answer from VPN client end, restart DSVPN"
+				systemctl restart dsvpn-server@dsvpn0
+			fi
+			#ip link set mtu 9000 dev dsvpn0 >/dev/null 2>&1
 		fi
 	fi
 }
 
+_shadowsocks() {
+	if systemctl list-unit-files shadowsocks-libev-manager@.service >/dev/null; then
+		[ -z "$(pgrep ss-server)" ] && {
+			logger -t "OMR-Service" "ss-server not detected, restart Shadowsocks libev"
+			systemctl restart shadowsocks-libev-manager@manager
+		}
+	fi
+}
+
+_shadowsocks_go() {
+	if systemctl list-unit-files shadowsocks-go.service >/dev/null; then
+		[ -z "$(pgrep shadowsocks-go)" ] && {
+			logger -t "OMR-Service" "ss-server not detected, restart Shadowsocks go"
+			systemctl restart shadowsocks-go
+		}
+	fi
+}
+
+_xray() {
+	if systemctl list-unit-files xray.service >/dev/null; then
+		[ -z "$(pgrep xray)" ] && {
+			logger -t "OMR-Service" "ss-server not detected, restart XRay"
+			systemctl restart xray
+		}
+	fi
+}
+
+_v2ray() {
+	if systemctl list-unit-files v2ray.service >/dev/null; then
+		[ -z "$(pgrep v2ray)" ] && {
+			logger -t "OMR-Service" "ss-server not detected, restart V2Ray"
+			systemctl restart v2ray
+		}
+	fi
+}
+
+_wireguard() {
+	#if [ -n "$(systemctl -a | grep 'wg')" ]; then
+	if systemctl list-unit-files wg-quick@.service >/dev/null; then
+		[ -z "$(ip a show dev wg0 | grep '10.255.247.1')" ] && ip a add 10.255.247.1/24 dev wg0 >/dev/null 2>&1
+		[ -z "$(ip a show dev client-wg0 | grep '10.255.246.1')" ] && ip a add 10.255.246.1/24 dev client-wg0 >/dev/null 2>&1
+	fi
+}
+
+
 _omr_api() {
-	[ -z "$(curl -s -k -m 30 https://127.0.0.1:65500/)" ] && {
+	[ -z "$(pgrep curl)" ] && [ -z "$(curl -s -k -m 30 https://127.0.0.1:65500/)" ] && {
-		logger -t "OMR-Service" "Restart OMR-Admin"
+		logger -t "OMR-Service" "Can't contact API, restart OMR-Admin"
 		systemctl -q restart omr-admin
 	}
 }
 
 _lan_route() {
-	cat /etc/openmptcprouter-vps-admin/omr-admin-config.json | jq -c '.users[0][]' |
+	jq -c '.users[0][]?' /etc/openmptcprouter-vps-admin/omr-admin-config.json |
 	while IFS=$"\n" read -r c; do
-		vpnremoteip=$(echo "$c" | jq -r '.vpnremoteip')
+		if [ -n "$c" ]; then
-		if [ -n "$vpnremoteip" ] && [ "$vpnremoteip" != "null" ]; then
+			vpnremoteip=$(echo "$c" | jq -r '.vpnremoteip')
-			echo "$c" | jq -c '.lanips //empty' | 
+			username=$(echo "$c" | jq -r '.username')
-			while IFS=$"\n" read -r d; do
+			if [ -n "$vpnremoteip" ] && [ "$vpnremoteip" != "null" ]; then
-				network=$(ipcalc -n $d | grep Network | awk '{print $2}')
+				echo "$c" | jq -c -r '.lanips[]? //empty' | 
-				[ -n "$network" ] && [ -z "$(ip r show $network via $vpnremoteip)" ] && ip r replace $network via $vpnremoteip 2>&1 >/dev/null
+				while IFS=$"\n" read -r d; do
-			done
+					if [ "$d" != "" ]; then
+						network=$(ipcalc -n $d | grep Network | awk '{print $2}')
+						networkonly=$(ipcalc -n $d | grep Network | awk '{print $2}' | cut -d/ -f1)
+						netmask=$(ipcalc -n $d | grep Netmask | awk '{print $2}')
+						[ -n "$network" ] && [ -z "$(ip r show $network via $vpnremoteip)" ] && ip r replace $network via $vpnremoteip >/dev/null 2>&1
+						[ -n "$networkonly" ] && [ -n "$netmask" ] && ([ ! -f /etc/openvpn/ccd/${username} ] || [ -z "$(grep $networkonly /etc/openvpn/ccd/${username})" ]) && echo "iroute $networkonly $netmask" >> /etc/openvpn/ccd/${username}
+					fi
+				done
+			fi
 		fi
 	done
 }
 
 _gre_tunnels() {
 	. "$(readlink -f "/etc/shorewall/params.vpn")"
-	for intf in /etc/openmptcprouter-vps-admin/intf/*; do
+	if [ -n "$OMR_ADDR" ]; then
-		if [ -f "$intf" ]; then
+		for intf in /etc/openmptcprouter-vps-admin/intf/*; do
-			. "$(readlink -f "$intf")"
+			if [ -f "$intf" ]; then
-			iface="$(basename $intf)"
+				. "$(readlink -f "$intf")"
-			if [ "$(ip tunnel show $iface 2>/dev/null | awk '{print $4}')" != "$OMR_ADDR" ]; then
+				iface="$(basename $intf)"
-				ip tunnel del $iface 2>&1 >/dev/null
+				if [ "$(ip tunnel show $iface 2>/dev/null | awk '{print $4}')" != "$OMR_ADDR" ]; then
-				ip tunnel add $iface mode gre local $INTFADDR remote $OMR_ADDR
+					[ -n "$(ip tunnel show $iface 2>/dev/null)" ] && ip tunnel del $iface >/dev/null 2>&1
-				ip link set $iface up
+					ip tunnel add $iface mode gre local $INTFADDR remote $OMR_ADDR >/dev/null 2>&1
-				ip addr add $LOCALIP dev $iface
+					ip link set $iface up >/dev/null 2>&1
-				ip route add $NETWORK dev $iface 2>&1 >/dev/null
+					ip addr add $LOCALIP dev $iface >/dev/null 2>&1
+					ip route add $NETWORK dev $iface >/dev/null 2>&1
+				fi
 			fi
-		fi
+		done
-	done
-}
-
-_openvpn_bonding() {
-	if [ "$(ip link show ovpnbonding1)" != "" ] && ([ "$(ip link show ovpnbonding1 | grep SLAVE)" = "" ] || [ "$(ip link show omr-bonding | grep DOWN)" != "" ] || [ "$(ip link show | grep ovpnbonding | grep -c SLAVE | tr -d '\n')" != "8" ]); then
-		echo 0 > /sys/class/net/omr-bonding/bonding/mode
-		ip link set ovpnbonding1 master omr-bonding 2>&1 >/dev/null
-		ip link set ovpnbonding1 up
-		ip link set ovpnbonding2 master omr-bonding 2>&1 >/dev/null
-		ip link set ovpnbonding2 up
-		ip link set ovpnbonding3 master omr-bonding 2>&1 >/dev/null
-		ip link set ovpnbonding3 up
-		ip link set ovpnbonding4 master omr-bonding 2>&1 >/dev/null
-		ip link set ovpnbonding4 up
-		ip link set ovpnbonding5 master omr-bonding 2>&1 >/dev/null
-		ip link set ovpnbonding5 up
-		ip link set ovpnbonding6 master omr-bonding 2>&1 >/dev/null
-		ip link set ovpnbonding6 up
-		ip link set ovpnbonding7 master omr-bonding 2>&1 >/dev/null
-		ip link set ovpnbonding7 up
-		ip link set ovpnbonding8 master omr-bonding 2>&1 >/dev/null
-		ip link set ovpnbonding8 up
-		ip link set omr-bonding up mtu 1440 2>&1 >/dev/null
-		ip a add 10.255.248.1 dev omr-bonding 2>&1 >/dev/null
-		ip r add 10.255.248.0/24 dev omr-bonding 2>&1 >/dev/null
-		ip r add 10.255.248.2 dev omr-bonding src 10.255.248.1 2>&1 >/dev/null
 	fi
 }
 
-modprobe bonding 2>&1 >/dev/null
+_openvpn_bonding() {
-ip link add omr-bonding type bond 2>&1 >/dev/null
+	if [ "$(ip link show ovpnbonding1 2>/dev/null)" != "" ] && ([ "$(ip link show ovpnbonding1 2>/dev/null | grep SLAVE)" = "" ] || [ "$(ip link show omr-bonding 2>/dev/null | grep DOWN)" != "" ] || [ "$(ip link show | grep ovpnbonding | grep -c SLAVE | tr -d '\n')" != "8" ]); then
+		echo 0 > /sys/class/net/omr-bonding/bonding/mode >/dev/null 2>&1
+		ip link set ovpnbonding1 master omr-bonding >/dev/null 2>&1
+		ip link set ovpnbonding1 up >/dev/null 2>&1
+		ip link set ovpnbonding2 master omr-bonding >/dev/null 2>&1
+		ip link set ovpnbonding2 up >/dev/null 2>&1
+		ip link set ovpnbonding3 master omr-bonding >/dev/null 2>&1
+		ip link set ovpnbonding3 up >/dev/null 2>&1
+		ip link set ovpnbonding4 master omr-bonding >/dev/null 2>&1
+		ip link set ovpnbonding4 up >/dev/null 2>&1
+		ip link set ovpnbonding5 master omr-bonding >/dev/null 2>&1
+		ip link set ovpnbonding5 up >/dev/null 2>&1
+		ip link set ovpnbonding6 master omr-bonding >/dev/null 2>&1
+		ip link set ovpnbonding6 up >/dev/null 2>&1
+		ip link set ovpnbonding7 master omr-bonding >/dev/null 2>&1
+		ip link set ovpnbonding7 up >/dev/null 2>&1
+		ip link set ovpnbonding8 master omr-bonding >/dev/null 2>&1
+		ip link set ovpnbonding8 up >/dev/null 2>&1
+		ip link set omr-bonding up mtu 1440 >/dev/null 2>&1
+		ip a add 10.255.248.1 dev omr-bonding >/dev/null 2>&1
+		ip r add 10.255.248.0/24 dev omr-bonding >/dev/null 2>&1
+		ip r add 10.255.248.2 dev omr-bonding src 10.255.248.1 >/dev/null 2>&1
+	fi
+}
+
+_vpn1() {
+	vpn1route=$(ip r show dev vpn1 2>/dev/null | grep '0.0.0.0')
+	[ -z "$vpn1route" ] && vpn1route=$(ip r show dev vpn1 2>/dev/null | grep 'default')
+	if [ -n "$vpn1route" ]; then
+		ip r del $vpn1route
+		vpn1gw="$(echo \"$vpn1route\" | awk '{ print $3 }')"
+		ip r a default via $vpngw dev vpn1 table 991337
+		for route in $(ip r show dev vpn1); do
+			ip r a $route table 991337
+		done
+	fi
+}
+
+sysctl -p /etc/sysctl.d/90-shadowsocks.conf >/dev/null 2>&1
+modprobe bonding >/dev/null 2>&1
+ip link add omr-bonding type bond >/dev/null 2>&1
+#[ -n "$(uname -r | grep '6.1')" ] && {
+#	stap -g /usr/share/systemtap-mptcp/mptcp-app.stap 2>&1 &
+#}
+
+gre_tunnels="$(jq -c '.gre_tunnels' /etc/openmptcprouter-vps-admin/omr-admin-config.json)"
+lan_routes="$(jq -c '.lan_routes' /etc/openmptcprouter-vps-admin/omr-admin-config.json)"
+
 while true; do
 	_glorytun_udp
 	_glorytun_tcp
+	_shadowsocks
+	_shadowsocks_go
+	_xray
+	_v2ray
+	_dsvpn
+	_wireguard
 	_multipath
 	_omr_api
-	_lan_route
+	[ "$lan_routes" != "false" ] && _lan_route
-	_gre_tunnels
+	[ "$gre_tunnels" != "false" ] && _gre_tunnels
 	_openvpn_bonding
+	_vpn1
 	sleep 10
 done

omr-test-speed

@@ -0,0 +1,55 @@
+#!/bin/sh
+# vim: set noexpandtab tabstop=4 shiftwidth=4 softtabstop=4 :
+HETZNER=false
+if [ "$1" = "hetzner" ]; then
+	HETZNER=true
+	INTERFACE="$2"
+else
+	INTERFACE="$1"
+fi
+
+[ -n "$INTERFACE" ] && [ ! -d "/sys/class/net/$INTERFACE" ] && {
+	echo "You must use a real interface. You wan find them using 'ip a' for example"
+	exit 0
+}
+
+if [ "$HETZNER" = false ]; then
+	echo "Select best test server..."
+	HOSTLST="http://speedtest.frankfurt.linode.com/garbage.php?ckSize=10000 http://speedtest.tokyo2.linode.com/garbage.php?ckSize=10000 http://speedtest.singapore.linode.com/garbage.php?ckSize=10000 http://speedtest.newark.linode.com/garbage.php?ckSize=10000 http://speedtest.atlanta.linode.com/garbage.php?ckSize=10000 http://speedtest.dallas.linode.com/garbage.php?ckSize=10000 http://speedtest.fremont.linode.com/garbage.php?ckSize=10000 http://speedtest.tele2.net/1000GB.zip https://speed.hetzner.de/10GB.bin http://ipv4.bouygues.testdebit.info/10G.iso http://par.download.datapacket.com/10000mb.bin http://nyc.download.datapacket.com/10000mb.bin http://ams.download.datapacket.com/10000mb.bin http://fra.download.datapacket.com/10000mb.bin http://lon.download.datapacket.com/10000mb.bin http://mad.download.datapacket.com/10000mb.bin http://prg.download.datapacket.com/10000mb.bin http://sto.download.datapacket.com/10000mb.bin http://vie.download.datapacket.com/10000mb.bin http://war.download.datapacket.com/10000mb.bin http://atl.download.datapacket.com/10000mb.bin http://chi.download.datapacket.com/10000mb.bin http://lax.download.datapacket.com/10000mb.bin http://mia.download.datapacket.com/10000mb.bin http://nyc.download.datapacket.com/10000mb.bin"
+	bestping="9999"
+	for pinghost in $HOSTLST; do
+		domain=$(echo $pinghost | awk -F/ '{print $3}')
+		if [ -z "$INTERFACE" ]; then
+			ping=$(ping -c1 -w2 $domain | cut -d "/" -s -f5 | cut -d "." -f1)
+		else
+			ping=$(ping -c1 -w2 -I $INTERFACE -B $domain | cut -d "/" -s -f5 | cut -d "." -f1)
+		fi
+		echo "host: $domain - ping: $ping"
+		if [ -n "$ping" ] && [ "$ping" -lt "$bestping" ]; then
+			bestping=$ping
+			HOST=$pinghost
+		fi
+	done
+fi
+
+[ -z "$HOST" ] && HOST="https://speed.hetzner.de/10GB.bin"
+
+echo "Best server is $HOST, running test:"
+trap : HUP INT TERM
+if [ -z "$INTERFACE" ]; then
+	curl -4 -o /dev/null $HOST || echo
+else
+	domain=$(echo $HOST | awk -F/ '{print $3}')
+	hostip=$(dig +nocmd +noall +answer A $domain | grep -v CNAME | awk '{print $5}' | tr '\n' ' ')
+	if [ -n "$(ipset list 2>/dev/null | grep ss_rules)" ]; then
+		for ip in $hostip; do
+			ipset add ss_rules_dst_bypass_all $ip
+		done
+	fi
+	curl -4 -o /dev/null --interface $INTERFACE $HOST || echo
+	if [ -n "$(ipset list 2>/dev/null | grep ss_rules)" ]; then
+		for ip in $hostip; do
+			ipset del ss_rules_dst_bypass_all $ip
+		done
+	fi
+fi

omr-test-speedv6

@@ -0,0 +1,56 @@
+#!/bin/sh
+# vim: set noexpandtab tabstop=4 shiftwidth=4 softtabstop=4 :
+HETZNER=false
+if [ "$1" = "hetzner" ]; then
+	HETZNER=true
+	INTERFACE="$2"
+else
+	INTERFACE="$1"
+fi
+
+[ -n "$INTERFACE" ] && [ ! -d "/sys/class/net/$INTERFACE" ] && {
+	echo "You must use a real interface. You wan find them using 'ip a' for example"
+	exit 0
+}
+
+
+if [ "$HETZNER" = false ]; then
+	echo "Select best test server..."
+	HOSTLST="http://speedtest.frankfurt.linode.com/garbage.php?ckSize=10000 http://speedtest.tokyo2.linode.com/garbage.php?ckSize=10000 http://speedtest.singapore.linode.com/garbage.php?ckSize=10000 http://speedtest.newark.linode.com/garbage.php?ckSize=10000 http://speedtest.atlanta.linode.com/garbage.php?ckSize=10000 http://speedtest.dallas.linode.com/garbage.php?ckSize=10000 http://speedtest.fremont.linode.com/garbage.php?ckSize=10000 http://speedtest.tele2.net/1000GB.zip https://speed.hetzner.de/10GB.bin http://ipv6.bouygues.testdebit.info/10G.iso http://par.download.datapacket.com/10000mb.bin http://nyc.download.datapacket.com/10000mb.bin http://ams.download.datapacket.com/10000mb.bin http://fra.download.datapacket.com/10000mb.bin http://lon.download.datapacket.com/10000mb.bin http://mad.download.datapacket.com/10000mb.bin http://prg.download.datapacket.com/10000mb.bin http://sto.download.datapacket.com/10000mb.bin http://vie.download.datapacket.com/10000mb.bin http://war.download.datapacket.com/10000mb.bin http://atl.download.datapacket.com/10000mb.bin http://chi.download.datapacket.com/10000mb.bin http://lax.download.datapacket.com/10000mb.bin http://mia.download.datapacket.com/10000mb.bin http://nyc.download.datapacket.com/10000mb.bin"
+	bestping="9999"
+	for pinghost in $HOSTLST; do
+		domain=$(echo $pinghost | awk -F/ '{print $3}')
+		if [ -z "$INTERFACE" ]; then
+			ping=$(ping -6 -c1 -w2 $domain | cut -d "/" -s -f5 | cut -d "." -f1)
+		else
+			ping=$(ping -6 -c1 -w2 -I $INTERFACE -B $domain | cut -d "/" -s -f5 | cut -d "." -f1)
+		fi
+		echo "host: $domain - ping: $ping"
+		if [ -n "$ping" ] && [ "$ping" -lt "$bestping" ]; then
+			bestping=$ping
+			HOST=$pinghost
+		fi
+	done
+fi
+
+[ -z "$HOST" ] && HOST="https://speed.hetzner.de/10GB.bin"
+
+echo "Best server is $HOST, running test:"
+trap : HUP INT TERM
+if [ -z "$INTERFACE" ]; then
+	curl -6 $HOST >/dev/null || echo
+else
+	domain=$(echo $HOST | awk -F/ '{print $3}')
+	hostip=$(dig +nocmd +noall +answer AAAA $domain | grep -v CNAME | awk '{print $5}' | tr '\n' ' ')
+	if [ -n "$(ipset list 2>/dev/null | grep ss_rules6)" ]; then
+		for ip in $hostip; do
+			ipset add ss_rules6_dst_bypass_all $ip
+		done
+	fi
+	curl -6 --interface $INTERFACE $HOST >/dev/null || echo
+	if [ -n "$(ipset list 2>/dev/null | grep ss_rules6)" ]; then
+		for ip in $hostip; do
+			ipset del ss_rules6_dst_bypass_all $ip
+		done
+	fi
+fi

omr-update

@@ -0,0 +1,11 @@
+#!/bin/sh
+if [ -f /etc/openmptcprouter-vps-admin/update ]; then
+        wget -O - http://www.openmptcprouter.com/server/debian.sh | sh
+        rm -f /etc/openmptcprouter-vps-admin/update
+        reboot
+fi
+if [ -f /etc/openmptcprouter-vps-admin/update-bin ]; then
+        LOCALFILES=yes SOURCES=yes REINSTALL=no /usr/share/omr-server/debian9-x86_64.sh
+        rm -f /etc/openmptcprouter-vps-admin/update-bin
+        #reboot
+fi

omr-update.service.in

@@ -0,0 +1,15 @@
+[Unit]
+Description=OMR Update
+After=network.target network-online.target
+
+[Service]
+Type=simple
+Restart=no
+ExecStart=/usr/bin/omr-update
+#ExecStart=/usr/share/omr-server/debian9-x86_64.sh
+AmbientCapabilities=
+StandardOutput=file:/var/log/omr-update.log
+StandardError=file:/var/log/omr-update.log
+
+[Install]
+WantedBy=multi-user.target

omr.service.in

@@ -1,6 +1,6 @@
 [Unit]
 Description=OMR
-After=network.target network-online.target glorytun-tcp@.service glorytun-udp@.service
+After=network.target network-online.target glorytun-tcp@.service glorytun-udp@.service shorewall.service
 
 [Service]
 Type=simple

openvpn-bonding1.conf

@@ -0,0 +1,18 @@
+dev ovpnbonding1
+dev-type tap
+cipher AES-256-CBC
+proto udp
+proto udp6
+port 65351
+persist-tun
+persist-key
+reneg-sec 0
+verb 3
+ca /etc/openvpn/ca/pki/ca.crt
+cert /etc/openvpn/ca/pki/issued/server.crt
+key /etc/openvpn/ca/pki/private/server.key
+dh /etc/openvpn/server/dh2048.pem
+crl-verify /etc/openvpn/ca/pki/crl.pem
+keepalive 100 2400
+mode server
+tls-server

openvpn-bonding2.conf

@@ -0,0 +1,18 @@
+dev ovpnbonding2
+dev-type tap
+cipher AES-256-CBC
+proto udp
+proto udp6
+port 65352
+persist-tun
+persist-key
+reneg-sec 0
+verb 3
+ca /etc/openvpn/ca/pki/ca.crt
+cert /etc/openvpn/ca/pki/issued/server.crt
+key /etc/openvpn/ca/pki/private/server.key
+dh /etc/openvpn/server/dh2048.pem
+crl-verify /etc/openvpn/ca/pki/crl.pem
+keepalive 100 2400
+mode server
+tls-server

openvpn-bonding3.conf

@@ -0,0 +1,18 @@
+dev ovpnbonding3
+dev-type tap
+cipher AES-256-CBC
+proto udp
+proto udp6
+port 65353
+persist-tun
+persist-key
+reneg-sec 0
+verb 3
+ca /etc/openvpn/ca/pki/ca.crt
+cert /etc/openvpn/ca/pki/issued/server.crt
+key /etc/openvpn/ca/pki/private/server.key
+dh /etc/openvpn/server/dh2048.pem
+crl-verify /etc/openvpn/ca/pki/crl.pem
+keepalive 100 2400
+mode server
+tls-server

openvpn-bonding4.conf

@@ -0,0 +1,18 @@
+dev ovpnbonding4
+dev-type tap
+cipher AES-256-CBC
+proto udp
+proto udp6
+port 65354
+persist-tun
+persist-key
+reneg-sec 0
+verb 3
+ca /etc/openvpn/ca/pki/ca.crt
+cert /etc/openvpn/ca/pki/issued/server.crt
+key /etc/openvpn/ca/pki/private/server.key
+dh /etc/openvpn/server/dh2048.pem
+crl-verify /etc/openvpn/ca/pki/crl.pem
+keepalive 100 2400
+mode server
+tls-server

openvpn-bonding5.conf

@@ -0,0 +1,18 @@
+dev ovpnbonding5
+dev-type tap
+cipher AES-256-CBC
+proto udp
+proto udp6
+port 65355
+persist-tun
+persist-key
+reneg-sec 0
+verb 3
+ca /etc/openvpn/ca/pki/ca.crt
+cert /etc/openvpn/ca/pki/issued/server.crt
+key /etc/openvpn/ca/pki/private/server.key
+dh /etc/openvpn/server/dh2048.pem
+crl-verify /etc/openvpn/ca/pki/crl.pem
+keepalive 100 2400
+mode server
+tls-server

openvpn-bonding6.conf

@@ -0,0 +1,18 @@
+dev ovpnbonding6
+dev-type tap
+cipher AES-256-CBC
+proto udp
+proto udp6
+port 65356
+persist-tun
+persist-key
+reneg-sec 0
+verb 3
+ca /etc/openvpn/ca/pki/ca.crt
+cert /etc/openvpn/ca/pki/issued/server.crt
+key /etc/openvpn/ca/pki/private/server.key
+dh /etc/openvpn/server/dh2048.pem
+crl-verify /etc/openvpn/ca/pki/crl.pem
+keepalive 100 2400
+mode server
+tls-server

openvpn-bonding7.conf

@@ -0,0 +1,18 @@
+dev ovpnbonding7
+dev-type tap
+cipher AES-256-CBC
+proto udp
+proto udp6
+port 65357
+persist-tun
+persist-key
+reneg-sec 0
+verb 3
+ca /etc/openvpn/ca/pki/ca.crt
+cert /etc/openvpn/ca/pki/issued/server.crt
+key /etc/openvpn/ca/pki/private/server.key
+dh /etc/openvpn/server/dh2048.pem
+crl-verify /etc/openvpn/ca/pki/crl.pem
+keepalive 100 2400
+mode server
+tls-server

openvpn-bonding8.conf

@@ -0,0 +1,18 @@
+dev ovpnbonding8
+dev-type tap
+cipher AES-256-CBC
+proto udp
+proto udp6
+port 65358
+persist-tun
+persist-key
+reneg-sec 0
+verb 3
+ca /etc/openvpn/ca/pki/ca.crt
+cert /etc/openvpn/ca/pki/issued/server.crt
+key /etc/openvpn/ca/pki/private/server.key
+dh /etc/openvpn/server/dh2048.pem
+crl-verify /etc/openvpn/ca/pki/crl.pem
+keepalive 100 2400
+mode server
+tls-server

openvpn-tun0.6.1.conf

@@ -0,0 +1,34 @@
+topology subnet
+dev tun0
+user nobody
+group nogroup
+data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
+disable-dco
+proto tcp-server
+proto tcp6-server
+port 65301
+persist-tun
+persist-key
+duplicate-cn
+verb 3
+server 10.255.252.0 255.255.255.0
+ca /etc/openvpn/ca/pki/ca.crt
+cert /etc/openvpn/ca/pki/issued/server.crt
+key /etc/openvpn/ca/pki/private/server.key
+dh /etc/openvpn/server/dh2048.pem
+crl-verify /etc/openvpn/ca/pki/crl.pem
+keepalive 10 240
+txqueuelen 1000
+sndbuf 262144
+push "sndbuf 262144"
+rcvbuf 262144
+push "rcvbuf 262144"
+tun-mtu 1420
+tls-server
+tls-version-min 1.2
+#push "route 10.255.252.1 255.255.255.255"
+client-config-dir ccd
+ifconfig-pool-persist ccd/ipp_tcp.txt
+passtos
+management 127.0.0.1 65302
+tcp-nodelay

openvpn-tun0.conf

@@ -18,8 +18,12 @@ crl-verify /etc/openvpn/ca/pki/crl.pem
 keepalive 10 240
 sndbuf 0
 rcvbuf 0
+txqueuelen 2000
+tun-mtu 1400
+mssfix 1360
 tls-server
 tls-version-min 1.2
 #compress lzo
-push "route 10.255.252.1 255.255.255.255"
+#push "route 10.255.252.1 255.255.255.255"
 client-config-dir ccd
+management localhost 65302

openvpn-tun1.6.1.conf

@@ -0,0 +1,30 @@
+topology subnet
+dev tun1
+data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
+proto udp
+proto udp6
+port 65301
+persist-tun
+persist-key
+duplicate-cn
+verb 3
+server 10.255.250.0 255.255.255.0
+ca /etc/openvpn/ca/pki/ca.crt
+cert /etc/openvpn/ca/pki/issued/server.crt
+key /etc/openvpn/ca/pki/private/server.key
+dh /etc/openvpn/server/dh2048.pem
+crl-verify /etc/openvpn/ca/pki/crl.pem
+keepalive 10 240
+txqueuelen 1000
+sndbuf 262144
+push "sndbuf 262144"
+rcvbuf 262144
+push "rcvbuf 262144"
+tun-mtu 1420
+tls-server
+tls-version-min 1.2
+push "route 10.255.250.1 255.255.255.255"
+#client-config-dir ccd
+#ifconfig-pool-persist ccd/ipp_udp.txt
+#fast-io
+passtos

shadowsocks-go.server.json

@@ -0,0 +1,37 @@
+{
+    "servers": [
+        {
+            "name": "ss-2022",
+            "protocol": "2022-blake3-aes-256-gcm",
+            "tcpListeners": [
+            {
+                "network": "tcp",
+                "address": ":65280",
+                "fastOpen": false,
+                "reusePort": false,
+                "multipath": true
+            }
+            ],
+            "enableTCP": true,
+            "listenerTFO": true,
+            "enableUDP": true,
+            "mtu": 1500,
+            "psk": "PSK",
+            "uPSKStorePath": "/etc/shadowsocks-go/upsks.json"
+        }
+    ],
+    "stats": {
+        "enabled": true
+    },
+    "api": {
+        "enabled": true,
+        "debugPprof": false,
+        "trustedProxies": [],
+        "listeners": [
+        {
+                "network": "tcp",
+                "address": "127.0.0.1:65279"
+        }
+        ]
+    }
+}

shadowsocks.6.1.conf

@@ -0,0 +1,77 @@
+# local sysctl settings can be stored in this directory
+# max open files
+fs.file-max = 512000
+# max read buffer
+net.core.rmem_max = 7500000
+# max write buffer
+net.core.wmem_max = 7500000
+#net.core.optmem_max = 33554432
+# default read buffer
+#net.core.rmem_default = 16777216
+# default write buffer
+#net.core.wmem_default = 16777216
+# max processor input queue
+net.core.netdev_max_backlog = 10000
+# max backlog
+net.core.somaxconn = 16384
+
+# resist SYN flood attacks
+net.ipv4.tcp_syncookies = 1
+# reuse timewait sockets when safe
+net.ipv4.tcp_tw_reuse = 1
+# turn off fast timewait sockets recycling
+#net.ipv4.tcp_tw_recycle = 0
+# short FIN timeout
+net.ipv4.tcp_fin_timeout = 30
+# Increase max orphans
+net.ipv4.tcp_max_orphans = 16384
+# short keepalive time
+net.ipv4.tcp_keepalive_time = 7200
+# outbound port range
+net.ipv4.ip_local_port_range = 9999 65000
+# max SYN backlog
+net.ipv4.tcp_max_syn_backlog = 4096
+# max timewait sockets held by system simultaneously
+net.ipv4.tcp_max_tw_buckets = 16384
+# turn on TCP Fast Open on both client and server side
+net.ipv4.tcp_fastopen = 3
+# TCP buffer
+net.ipv4.tcp_mem = 409600 819200 1638400
+# UDP buffer
+net.ipv4.udp_mem = 4096 87380 16777216
+# TCP receive buffer
+net.ipv4.tcp_rmem = 4096 87380 16777216
+# TCP write buffer
+net.ipv4.tcp_wmem = 4096 87380 16777216
+# turn on path MTU discovery
+net.ipv4.tcp_mtu_probing = 0
+# 1/8 * available memory in receive buffer
+net.ipv4.tcp_adv_win_scale=-3
+# limits the size of unsent bytes in the write queue
+net.ipv4.tcp_notsent_lowat = 131072
+
+# for low-latency network, use cubic instead
+net.core.default_qdisc = fq
+# Default conntrack is too small
+net.netfilter.nf_conntrack_max = 524288
+net.netfilter.nf_conntrack_buckets=131072
+net.netfilter.nf_conntrack_tcp_timeout_established = 86400
+
+net.ipv4.conf.all.log_martians = 0
+net.ipv4.conf.default.log_martians = 0
+
+# MPTCP settings
+net.ipv4.tcp_ecn = 2
+net.mptcp.checksum_enabled = 0
+net.mptcp.add_addr_timeout = 120
+net.mptcp.allow_join_initial_addr_port = 1
+net.mptcp.enabled = 1
+net.mptcp.pm_type = 0
+net.mptcp.stale_loss_cnt = 4
+net.mptcp.mptcp_checksum=0
+net.mptcp.mptcp_path_manager=fullmesh
+net.mptcp.mptcp_scheduler=mptcp_burst
+net.mptcp.mptcp_syn_retries=4
+net.mptcp.mptcp_version=1
+net.mptcp.checksum_enabled=0
+net.ipv4.tcp_congestion_control=bbr

shadowsocks.conf

@@ -22,7 +22,9 @@ net.ipv4.tcp_tw_reuse = 1
 # turn off fast timewait sockets recycling
 #net.ipv4.tcp_tw_recycle = 0
 # short FIN timeout
-net.ipv4.tcp_fin_timeout = 80
+net.ipv4.tcp_fin_timeout = 30
+# Increase max orphans
+net.ipv4.tcp_max_orphans = 16384
 # short keepalive time
 net.ipv4.tcp_keepalive_time = 7200
 # outbound port range
@@ -45,16 +47,18 @@ net.ipv4.tcp_wmem = 4096 65536 33554432
 net.ipv4.tcp_mtu_probing = 0
 
 # for low-latency network, use cubic instead
-net.ipv4.tcp_congestion_control = cubic
+net.ipv4.tcp_congestion_control = bbr
 net.core.default_qdisc = fq
 # Default conntrack is too small
-net.netfilter.nf_conntrack_max = 131072
+net.netfilter.nf_conntrack_max = 524288
+net.netfilter.nf_conntrack_buckets=131072
+net.netfilter.nf_conntrack_tcp_timeout_established = 86400
 
 net.ipv4.conf.all.log_martians = 0
 net.ipv4.conf.default.log_martians = 0
 
 # MPTCP settings
 net.mptcp.mptcp_checksum = 0
-net.mptcp.mptcp_syn_retries = 2
+net.mptcp.mptcp_syn_retries = 4
 net.mptcp.mptcp_scheduler = blest
-net.ipv4.tcp_ecn=1
+net.ipv4.tcp_ecn = 2

shorewall4/interfaces

@@ -19,6 +19,8 @@ vpn	gt-tun+		nosmurfs,tcpflags
 vpn	gt-udp-tun+	nosmurfs,tcpflags
 vpn	mlvpn+		nosmurfs,tcpflags
 vpn	tun+		nosmurfs,tcpflags
+vpn	wg+		nosmurfs,tcpflags
+vpncl	client-wg+	nosmurfs,tcpflags
 vpn	dsvpn+		nosmurfs,tcpflags
 vpn	gre-user+	nosmurfs,tcpflags
 vpn	omr-bonding	nosmurfs,tcpflags

shorewall4/params.vpn

@@ -1,3 +1,3 @@
-VPS_ADDR=10.255.255.1
+VPS_ADDR=10.255.252.1
-OMR_ADDR=10.255.255.2
+OMR_ADDR=10.255.252.2
-VPS_IFACE=gt-tun0
+VPS_IFACE=tun0

shorewall4/policy

@@ -17,8 +17,10 @@ vpn             net             ACCEPT
 vpn             fw             ACCEPT
 fw              vpn             ACCEPT
 fw              net             ACCEPT
-net             all             DROP            info
+net             all             DROP
 vpn		vpn		DROP
+vpncl		vpn		ACCEPT
+vpn		vpncl		ACCEPT
 # THE FOLLOWING POLICY MUST BE LAST
-all		all		REJECT		info
+all		all		REJECT
 

shorewall4/shorewall.conf

@@ -149,13 +149,13 @@ BLACKLIST="NEW,INVALID,UNTRACKED"
 
 CLAMPMSS=No
 
-CLEAR_TC=Yes
+CLEAR_TC=No
 
 COMPLETE=No
 
 DEFER_DNS_RESOLUTION=Yes
 
-DELETE_THEN_ADD=Yes
+DELETE_THEN_ADD=No
 
 DETECT_DNAT_IPADDRS=No
 
@@ -233,7 +233,7 @@ SAVE_ARPTABLES=No
 
 SAVE_IPSETS=No
 
-TC_ENABLED=Simple
+TC_ENABLED=No
 
 TC_EXPERT=No
 

shorewall4/snat

@@ -15,7 +15,14 @@
 ###########################################################################################################################################
 #ACTION			SOURCE			DEST            PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
 #
-MASQUERADE		10.255.0.0/16,\
+MASQUERADE		10.255.247.0/24,\
+			10.255.248.0/24,\
+			10.255.250.0/24,\
+			10.255.251.0/24,\
+			10.255.252.0/24,\
+			10.255.253.0/24,\
+			10.255.254.0/24,\
+			10.255.255.0/24,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
 			192.168.0.0/16		$NET_IFACE

shorewall4/stoppedrules

@@ -23,4 +23,8 @@ ACCEPT          dsvpn+		-
 ACCEPT          -               dsvpn+
 ACCEPT          tun+		-
 ACCEPT          -               tun+
+ACCEPT          wg+		-
+ACCEPT          -               wg+
+ACCEPT          client-wg+	-
+ACCEPT          -               client-wg+
 

shorewall4/tcinterfaces

@@ -1,3 +1,3 @@
 #INTERFACE             TYPE          IN-BANDWIDTH        OUT-BANDWIDTH
 $NET_IFACE		External
-$VPS_IFACE		Internal
+#$VPS_IFACE		Internal

shorewall4/zones

@@ -16,4 +16,5 @@
 fw      firewall
 net     ipv4
 vpn     ipv4
+vpncl   ipv4
 

shorewall6/params.vpn

@@ -0,0 +1 @@
+OMR_ADDR=fe80::a00:2

shorewall6/policy

@@ -15,7 +15,7 @@
 
 vpn             all             ACCEPT
 fw              all             ACCEPT
-net             all             DROP            info
+net             all             DROP
 # THE FOLLOWING POLICY MUST BE LAST
-all             all             REJECT          info
+all             all             REJECT
 

shorewall6/shorewall6.conf

@@ -138,7 +138,7 @@ BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
 
-CHAIN_SCRIPTS=Yes
+#CHAIN_SCRIPTS=Yes
 
 CLAMPMSS=No
 
@@ -168,7 +168,7 @@ IGNOREUNKNOWNVARIABLES=No
 
 IMPLICIT_CONTINUE=No
 
-INLINE_MATCHES=No
+#INLINE_MATCHES=No
 
 IPSET_WARNINGS=Yes
 
@@ -176,7 +176,7 @@ IP_FORWARDING=On
 
 KEEP_RT_TABLES=Yes
 
-LOAD_HELPERS_ONLY=Yes
+#LOAD_HELPERS_ONLY=Yes
 
 MACLIST_TABLE=filter
 

tun0.glorytun

@@ -1,6 +1,7 @@
 PORT=65001
+HOST=0.0.0.0
 DEV=tun0
 SERVER=true
 MPTCP=true
 IPV6=true
-OPTIONS="chacha20 retry count -1 const 500000 timeout 5000 keepalive count 5 idle 20 interval 2 buffer-size 32768 multiqueue"
+OPTIONS="chacha20 retry count -1 const 5000000 timeout 5000 keepalive count 5 idle 20 interval 2 buffer-size 65536 multiqueue"

tun0.glorytun-udp

@@ -1,4 +1,6 @@
 BIND=0.0.0.0
 BIND_PORT=65001
+HOST=0.0.0.0
+PORT=5000
 DEV=tun0
 OPTIONS="chacha persist"

ubond.network

@@ -0,0 +1,17 @@
+[Match]
+Name=ubond*
+
+[Network]
+Description=UBOND tunnel
+Address=10.255.248.1/24
+DHCPServer=yes
+IPMasquerade=yes
+
+[DHCPServer]
+PoolOffset=2
+PoolSize=50
+EmitDNS=no
+EmitNTP=no
+DNS=9.9.9.9
+DefaultLeaseTimeSec=12h
+MaxLeaseTimeSec=24h

ubond0.conf

@@ -0,0 +1,42 @@
+[general]
+tuntap = "tun"
+mode = "server"
+interface_name = "ubond0"
+timeout = 30
+password = "UBOND_PASS"
+reorder_buffer = yes
+reorder_buffer_size = 64
+loss_tolerence = 50
+
+[wan1]
+bindport = 65251
+bindhost = "0.0.0.0"
+
+[wan2]
+bindport = 65252
+bindhost = "0.0.0.0"
+
+[wan3]
+bindport = 65253
+bindhost = "0.0.0.0"
+
+[wan4]
+bindport = 65254
+bindhost = "0.0.0.0"
+
+[wan5]
+bindport = 65255
+bindhost = "0.0.0.0"
+
+[wan6]
+bindport = 65256
+bindhost = "0.0.0.0"
+
+[wan7]
+bindport = 65257
+bindhost = "0.0.0.0"
+
+[wan8]
+bindport = 65258
+bindhost = "0.0.0.0"
+

ubond@.service.in

@@ -0,0 +1,16 @@
+[Unit]
+Description=UBOND connection to %i
+PartOf=ubond.service
+ReloadPropagatedFrom=ubond.service
+After=network.target network-online.target
+
+[Service]
+Type=notify
+NotifyAccess=main
+ExecStart=/usr/local/sbin/ubond --config /etc/ubond/%i.conf --name %i --user ubond --quiet
+ExecReload=/bin/kill -HUP $MAINPID
+WorkingDirectory=/etc/ubond
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

ubuntu19.04-x86_64.sh

@@ -0,0 +1 @@
+debian9-x86_64.sh

ubuntu20.04-x86_64.sh

@@ -0,0 +1 @@
+debian9-x86_64.sh

v2ray-server.json

@@ -1,6 +1,6 @@
 {
 	"log": {
-		"loglevel": "debug",
+		"loglevel": "error",
 		"error": "/tmp/v2rayError.log"
 	},
 	"transport": {
@@ -34,6 +34,7 @@
 			},
 			"streamSettings": {
 				"sockopt": {
+					"mptcp": true,
 					"mark": 0
 				},
 				"network": "tcp",
@@ -48,6 +49,98 @@
 				}
 			}
 		},
+		{
+			"tag": "omrin-vmess-tunnel",
+			"port": 65230,
+			"protocol": "vmess",
+			"settings": {
+				"decryption": "none",
+				"clients": [
+					{
+						"id": "V2RAY_UUID",
+						"level": 0,
+						"alterId": 0,
+						"email": "openmptcprouter"
+					}
+				]
+			},
+			"streamSettings": {
+				"sockopt": {
+					"mptcp": true,
+					"mark": 0
+				},
+				"network": "tcp",
+				"security": "tls",
+				"tlsSettings": {
+					"certificates": [
+						{
+							"certificateFile": "/etc/openvpn/ca/pki/issued/server.crt",
+							"keyFile": "/etc/openvpn/ca/pki/private/server.key"
+						}
+					]
+				}
+			}
+		},
+		{
+			"tag": "omrin-socks-tunnel",
+			"port": 65231,
+			"protocol": "socks",
+			"settings": {
+				"auth": "password",
+				"accounts": [
+					{
+						"pass": "V2RAY_UUID",
+						"user": "openmptcprouter"
+					}
+				]
+			},
+			"streamSettings": {
+				"sockopt": {
+					"mptcp": true,
+					"mark": 0
+				},
+				"network": "tcp",
+				"security": "tls",
+				"tlsSettings": {
+					"certificates": [
+						{
+							"certificateFile": "/etc/openvpn/ca/pki/issued/server.crt",
+							"keyFile": "/etc/openvpn/ca/pki/private/server.key"
+						}
+					]
+				}
+			}
+		},
+		{
+			"tag": "omrin-trojan-tunnel",
+			"port": 65229,
+			"protocol": "trojan",
+			"settings": {
+				"clients": [
+					{
+						"password": "V2RAY_UUID",
+						"email": "openmptcprouter",
+						"level": 0
+					}
+				]
+			},
+			"streamSettings": {
+				"sockopt": {
+					"mptcp": true,
+					"mark": 0
+				},
+				"network": "tcp",
+				"security": "tls",
+				"tlsSettings": {
+				"certificates": [
+						{
+							"certificateFile": "/etc/openvpn/ca/pki/issued/server.crt",
+							"keyFile": "/etc/openvpn/ca/pki/private/server.key"
+						}
+					]
+				}
+			}
+		},
 		{
 			"listen": "127.0.0.1",
 			"port": 10085,
@@ -72,7 +165,10 @@
 			{
 				"type": "field",
 				"inboundTag": [
-					"omrin-tunnel"
+					"omrin-tunnel",
+					"omrin-vmess-tunnel",
+					"omrin-socks-tunnel",
+					"omrin-trojan-tunnel"
 				],
 				"outboundTag": "OMRLan",
 				"domain": [

v2ray.service

@@ -0,0 +1,18 @@
+[Unit]
+Description=V2Ray Service
+Documentation=https://www.v2fly.org/
+After=network.target nss-lookup.target
+Wants=network-online.target
+
+[Service]
+User=root
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
+NoNewPrivileges=true
+ExecStart=/usr/bin/v2ray run -config /etc/v2ray/v2ray-server.json
+Restart=always
+RestartPreventExitStatus=23
+StartLimitInterval=0
+
+[Install]
+WantedBy=multi-user.target

xray-server.json

@@ -0,0 +1,232 @@
+{
+	"log": {
+		"loglevel": "error",
+		"error": "/tmp/v2rayError.log"
+	},
+	"inbounds": [
+		{
+			"tag": "omrin-tunnel",
+			"port": 65248,
+			"protocol": "vless",
+			"settings": {
+				"decryption": "none",
+				"clients": [
+					{
+						"id": "V2RAY_UUID",
+						"level": 0,
+						"alterId": 0,
+						"email": "openmptcprouter"
+					}
+				]
+			},
+			"streamSettings": {
+				"sockopt": {
+					"tcpMptcp": true,
+					"mark": 0
+				},
+				"network": "tcp",
+				"security": "tls",
+				"tlsSettings": {
+					"certificates": [
+						{
+							"certificateFile": "/etc/openvpn/ca/pki/issued/server.crt",
+							"keyFile": "/etc/openvpn/ca/pki/private/server.key"
+						}
+					]
+				}
+			}
+		},
+		{
+			"tag": "omrin-vmess-tunnel",
+			"port": 65250,
+			"protocol": "vmess",
+			"settings": {
+				"decryption": "none",
+				"clients": [
+					{
+						"id": "V2RAY_UUID",
+						"level": 0,
+						"alterId": 0,
+						"email": "openmptcprouter"
+					}
+				]
+			},
+			"streamSettings": {
+				"sockopt": {
+					"tcpMptcp": true,
+					"mark": 0
+				},
+				"network": "tcp",
+				"security": "tls",
+				"tlsSettings": {
+					"certificates": [
+						{
+							"certificateFile": "/etc/openvpn/ca/pki/issued/server.crt",
+							"keyFile": "/etc/openvpn/ca/pki/private/server.key"
+						}
+					]
+				}
+			}
+		},
+		{
+			"tag": "omrin-socks-tunnel",
+			"port": 65251,
+			"protocol": "socks",
+			"settings": {
+				"auth": "password",
+				"accounts": [
+					{
+						"pass": "V2RAY_UUID",
+						"user": "openmptcprouter"
+					}
+				]
+			},
+			"streamSettings": {
+				"sockopt": {
+					"tcpMptcp": true,
+					"mark": 0
+				},
+				"network": "tcp",
+				"security": "tls",
+				"tlsSettings": {
+					"certificates": [
+						{
+							"certificateFile": "/etc/openvpn/ca/pki/issued/server.crt",
+							"keyFile": "/etc/openvpn/ca/pki/private/server.key"
+						}
+					]
+				}
+			}
+		},
+		{
+			"tag": "omrin-trojan-tunnel",
+			"port": 65249,
+			"protocol": "trojan",
+			"settings": {
+				"clients": [
+					{
+						"password": "V2RAY_UUID",
+						"email": "openmptcprouter",
+						"level": 0
+					}
+				]
+			},
+			"streamSettings": {
+				"sockopt": {
+					"tcpMptcp": true,
+					"mark": 0
+				},
+				"network": "tcp",
+				"security": "tls",
+				"tlsSettings": {
+				"certificates": [
+						{
+							"certificateFile": "/etc/openvpn/ca/pki/issued/server.crt",
+							"keyFile": "/etc/openvpn/ca/pki/private/server.key"
+						}
+					]
+				}
+			}
+		},
+		{
+			"tag": "omrin-shadowsocks-tunnel",
+			"port": 65252,
+			"protocol": "shadowsocks",
+			"settings": {
+				"password": "XRAY_PSK",
+				"method": "2022-blake3-aes-256-gcm",
+				"network": "tcp,udp",
+				"clients": [
+					{
+						"password": "XRAY_UPSK",
+						"email": "openmptcprouter"
+					}
+				]
+			},
+			"streamSettings": {
+				"sockopt": {
+					"tcpMptcp": true,
+					"mark": 0
+				},
+				"network": "tcp"
+			}
+		},
+		{
+			"listen": "127.0.0.1",
+			"port": 10086,
+			"protocol": "dokodemo-door",
+			"settings": {
+				"address": "127.0.0.1"
+			},
+			"tag": "api"
+		}
+	],
+	"outbounds": [
+		{
+			"protocol": "freedom",
+			"settings": {
+				"userLevel": 0
+			},
+			"tag": "direct"
+		}
+	],
+	"routing": {
+		"rules": [
+			{
+				"type": "field",
+				"inboundTag": [
+					"omrin-tunnel",
+					"omrin-vless-reality",
+					"omrin-vmess-tunnel",
+					"omrin-socks-tunnel",
+					"omrin-trojan-tunnel"
+				],
+				"outboundTag": "OMRLan",
+				"domain": [
+					"full:omr.lan"
+				]
+			},
+			{
+				"inboundTag": [
+					"api"
+				],
+				"outboundTag": "api",
+				"type": "field"
+			}
+		]
+	},
+	"reverse": {
+		"portals": [
+			{
+				"tag": "OMRLan",
+				"domain": "omr.lan"
+			}
+		]
+	},
+	"stats": {},
+	"api": {
+		"tag": "api",
+		"listen": "127.0.0.1:65080",
+		"services": [
+			"HandlerService",
+			"LoggerService",
+			"StatsService"
+		]
+	},
+	"policy": {
+		"levels": {
+			"0": {
+				"uplinkOnly": 0,
+				"downlinkOnly": 0,
+				"bufferSize": 512,
+				"connIdle": 2400,
+				"statsUserUplink": true,
+				"statsUserDownlink": true
+			}
+		},
+		"system": {
+			"statsInboundUplink": true,
+			"statsInboundDownlink": true
+		}
+	}
+}

xray-vless-reality.json

@@ -0,0 +1,47 @@
+{
+    "inbounds": [
+        {
+            "port": 443,
+            "tag": "omrin-vless-reality",
+            "protocol": "vless",
+            "settings": {
+                "clients": [
+                    {
+                        "id": "XRAY_UUID",
+                        "flow": "xtls-rprx-vision"
+                    }
+                ],
+                "decryption": "none"
+            },
+            "streamSettings": {
+                "network": "tcp",
+                "security": "reality",
+                "realitySettings": {
+                    "dest": "1.1.1.1:443",
+                    "serverNames": [
+                        ""
+                    ],
+                    "privateKey": "XRAY_X25519_PRIVATE_KEY",
+                    "publicKey": "XRAY_X25519_PUBLIC_KEY",
+                    "shortIds": [
+                        ""
+                    ]
+                },
+                "sockopt": {
+                    "tcpMptcp": true,
+                    "mark": 0
+                }
+            }
+        }
+    ],
+    "routing": {
+        "rules": [
+            {
+                "type": "field",
+                "inboundTag": [
+                    "omrin-vless-reality"
+                ]
+            }
+        ]
+   }
+}

xray.service

@@ -0,0 +1,18 @@
+[Unit]
+Description=XRay Service
+Documentation=https://xtls.github.io/
+After=network.target nss-lookup.target
+Wants=network-online.target
+
+[Service]
+User=root
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
+NoNewPrivileges=true
+ExecStart=/usr/bin/xray run -config /etc/xray/xray-server.json
+Restart=always
+RestartPreventExitStatus=23
+StartLimitInterval=0
+
+[Install]
+WantedBy=multi-user.target