Update Shadowsocks to 1.13.0

config.json

@@ -4,11 +4,13 @@
     "local_port":1081,
     "mode":"tcp_and_udp",
     "key":"MySecretKey",
-    "timeout":400,
-    "method":"aes-256-cfb",
+    "timeout":600,
+    "method":"chacha20-ietf-poly1305",
     "verbose":0,
     "prefer_ipv6": false,
     "fast_open": true,
+    "no_delay": true,
     "reuse_port": true,
+    "ipv6_first": true,
     "mptcp": true
 }

debian-x86_64.sh

@@ -0,0 +1 @@
+debian9-x86_64.sh

debian.sh

@@ -0,0 +1 @@
+debian9-x86_64.sh

debian/changelog

@@ -0,0 +1,23 @@
+omr-server (0.1030) unstable; urgency=medium
+
+    * Many changes
+
+ -- OpenMPTCProuter <contact@openmptcprouter.com>  Wed, 10 Apr 2024 19:35:34 +0200
+
+omr-server (0.1028) unstable; urgency=medium
+
+    * Many changes
+
+ -- OpenMPTCProuter <contact@openmptcprouter.com>  Fri, 14 Oct 2022 09:02:22 +0200
+
+omr-server (0.1026) unstable; urgency=medium
+
+    * Many changes
+
+ -- OpenMPTCProuter <contact@openmptcprouter.com>  Mon, 14 Jun 2021 07:43:42 +0200
+
+omr-server (0.1025-test) unstable; urgency=medium
+
+    * Wireguard support and fixed
+
+ -- OpenMPTCProuter <contact@openmptcprouter.com>  Thu, 04 Mar 2021 14:36:12 +0200

debian/compat

@@ -0,0 +1 @@
+10

debian/control

@@ -0,0 +1,37 @@
+Source: omr-server
+Section: net
+Priority: optional
+Maintainer: OpenMPTCProuter <contact@openmptcprouter.com>
+Build-Depends: debhelper (>= 10)
+X-Python-Version: >= 3.2
+Standards-Version: 0.0.1
+Homepage: https://github.com/ysurac/openmptcprouter-vps
+
+Package: omr-server
+Architecture: all
+Multi-Arch: foreign
+Depends:
+ curl,
+ rename,
+ libcurl4,
+ unzip,
+ tracebox,
+ omr-iperf3,
+ omr-shadowsocks-libev (= 3.3.5-2),
+ omr-vps-admin (= 0.3+20210508),
+ omr-simple-obfs,
+ omr-mlvpn (= 3.0.0+20201216.git.2263bab),
+ omr-glorytun (= 0.3.4-4),
+ omr-glorytun-tcp (= 0.0.35-3),
+ omr-dsvpn (= 0.1.4-2),
+ shorewall,
+ shorewall6,
+ iptables,
+ v2ray-plugin (= 4.35.1),
+ v2ray (=4.35.1),
+ linux-image-5.4.100-mptcp (= 1.18+9d3f35b),
+ ${misc:Depends}
+Provides: omr-server
+Conflicts: omr-server
+Replaces: omr-server
+Description: OpenMPTCProuter Server script

debian/postinst

@@ -0,0 +1,16 @@
+#!/bin/sh -e
+
+test $DEBIAN_SCRIPT_DEBUG && set -v -x
+
+# use debconf
+. /usr/share/debconf/confmodule
+
+sed -i -e "s/^LOCALFILES=.*$/LOCALFILES=no/" -e "s/^SOURCES=.*$/SOURCES=no/" /usr/share/omr-server/debian9-x86_64.sh
+systemctl daemon-reload
+systemctl restart omr-update
+
+db_stop
+
+#DEBHELPER#
+exit 0
+# vim:set ai et sts=2 sw=2 tw=0:

debian/rules

@@ -0,0 +1,18 @@
+#!/usr/bin/make -f
+#export DH_VERBOSE = 1
+
+# Security Hardening
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
+%:
+	dh $@
+
+override_dh_auto_install:
+	mkdir -p $(CURDIR)/debian/omr-server/usr/share/omr-server
+	find . -type f -xtype f -not -iname '*/debian/*' -not -iname '*/.git/*' -exec cp '{}' "$(CURDIR)/debian/omr-server/usr/share/omr-server/{}" ';'
+	cp -r ./shorewall4 $(CURDIR)/debian/omr-server/usr/share/omr-server/
+	cp -r ./shorewall6 $(CURDIR)/debian/omr-server/usr/share/omr-server/
+	cp -r ./bin $(CURDIR)/debian/omr-server/usr/share/omr-server/
+	mkdir -p $(CURDIR)/debian/etc/openmptcprouter-vps-admin
+	touch $(CURDIR)/debian/etc/openmptcprouter-vps-admin/update-bin
+

debian10-x86_64.sh

@@ -0,0 +1 @@
+debian9-x86_64.sh

debian11-x86_64.sh

@@ -0,0 +1 @@
+debian9-x86_64.sh

debian12-x86_64.sh

@@ -0,0 +1 @@
+debian9-x86_64.sh

debian9-x86_64-bin.sh

@@ -0,0 +1,55 @@
+#!/bin/sh
+set -e
+umask 0022
+export LC_ALL=C
+
+#rm -f /var/lib/dpkg/lock
+#rm -f /var/cache/apt/archives/lock
+
+# Check Linux version
+if test -f /etc/os-release ; then
+	. /etc/os-release
+else
+	. /usr/lib/os-release
+fi
+if [ "$ID" = "debian" ] && [ "$VERSION_ID" != "9" ]; then
+	echo "This script only work with Debian Stretch (9.x)"
+	exit 1
+elif [ "$ID" != "debian" ]; then
+	echo "This script only work with Debian Stretch (9.x)"
+	exit 1
+fi
+
+apt-get update
+apt-get -y install apt-transport-https
+
+echo 'deb https://repo.openmptcprouter.com stretch main' > /etc/apt/sources.list.d/openmptcprouter.list
+cat <<EOF | tee /etc/apt/preferences.d/openmptcprouter.pref
+Explanation: Prefer OpenMPTCProuter provided packages over the Debian native ones
+Package: *
+Pin: origin repo.openmptcprouter.com
+Pin-Priority: 1001
+EOF
+
+echo 'deb http://deb.debian.org/debian stretch-backports main' > /etc/apt/sources.list.d/stretch-backports.list
+wget -O - http://repo.openmptcprouter.com/openmptcprouter.gpg.key | apt-key add -
+apt-get update
+apt-get -y install dirmngr patch rename curl
+# Rename bzImage to vmlinuz, needed when custom kernel was used
+cd /boot
+rename 's/^bzImage/vmlinuz/s' * >/dev/null 2>&1
+#rm -f /var/lib/dpkg/lock
+#rm -f /var/cache/apt/archives/lock
+rm -f /etc/kernel-img.conf
+echo "Install all"
+DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-overwrite" -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" install omr-vps
+
+systemctl -q enable shorewall
+systemctl -q enable shorewall6
+
+# Change SSH port to 65222
+sed -i 's:#Port 22:Port 65222:g' /etc/ssh/sshd_config
+sed -i 's:Port 22:Port 65222:g' /etc/ssh/sshd_config
+
+echo "OpenMPTCProuter VPS is now installed !"
+cat /root/openmptcprouter_config.txt

debian9-x86_64-mlvpn.sh

@@ -1,137 +0,0 @@
-#!/bin/sh
-MLVPN_PASS=${MLVPN_PASS:-$(head -c 32 /dev/urandom | base64 -w0)}
-INTERFACE=${INTERFACE:-$(ip -o -4 route show to default | awk '{print $5}' | tr -d "\n")}
-DEBIAN_VERSION=$(sed 's/\..*//' /etc/debian_version)
-
-set -e
-umask 0022
-update="0"
-if [ $DEBIAN_VERSION -ne 9 ]; then
-	echo "This script only work with Debian Stretch (9.x)"
-	exit 1
-fi
-
-if [ -f "/etc/mlvpn/mlvpn0.conf" ] ; then
-	update="1"
-fi
-if ! grep -q 'DefaultLimitNOFILE=65536' /etc/systemd/system.conf ; then
-	echo 'DefaultLimitNOFILE=65536' >> /etc/systemd/system.conf
-fi
-
-# Install MLVPN
-if systemctl -q is-active mlvpn@mlvpn0.service; then
-	systemctl -q stop mlvpn@mlvpn0 > /dev/null 2>&1
-fi
-apt-get -y install build-essential pkg-config autoconf automake libpcap-dev unzip
-rm -rf /tmp/MLVPN-new-reorder
-cd /tmp
-#wget -O /tmp/mlvpn-2.3.2.tar.gz https://github.com/zehome/MLVPN/archive/2.3.2.tar.gz
-wget -O /tmp/new-reorder.zip https://github.com/markfoodyburton/MLVPN/archive/new-reorder.zip
-cd /tmp
-#tar xzf mlvpn-2.3.2.tar.gz
-#cd MLVPN-2.3.2
-unzip new-reorder.zip
-cd MLVPN-new-reorder
-./autogen.sh
-./configure --sysconfdir=/etc
-make
-make install
-wget -O /lib/systemd/network/mlvpn.network http://www.openmptcprouter.com/server/mlvpn.network
-mkdir -p /etc/mlvpn
-if [ "$update" = "0" ]; then
-	wget -O /etc/mlvpn/mlvpn0.conf http://www.openmptcprouter.com/server/mlvpn0.conf
-	sed -i "s:MLVPN_PASS:$MLVPN_PASS:" /etc/mlvpn/mlvpn0.conf
-fi
-chmod 0600 /etc/mlvpn/mlvpn0.conf
-adduser --quiet --system --home /var/run/mlvpn --shell /usr/sbin/nologin mlvpn
-systemctl enable mlvpn@mlvpn0.service
-systemctl enable systemd-networkd.service
-cd /tmp
-#rm -rf /tmp/MLVPN-2.3.2
-rm -rf /tmp/MLVPN-new-reorder
-
-# Add 6in4 support
-wget -O /usr/local/bin/omr-6in4 http://www.openmptcprouter.com/server/omr-6in4
-chmod 755 /usr/local/bin/omr-6in4
-wget -O /usr/local/bin/omr-6in4-service http://www.openmptcprouter.com/server/omr-6in4-service
-chmod 755 /usr/local/bin/omr-6in4-service
-wget -O /lib/systemd/system/omr-6in4.service http://www.openmptcprouter.com/server/omr-6in4.service.in
-systemctl enable omr-6in4.service
-
-# Change SSH port to 65222
-sed -i 's:#Port 22:Port 65222:g' /etc/ssh/sshd_config
-sed -i 's:Port 22:Port 65222:g' /etc/ssh/sshd_config
-
-# Remove Bind9 if available
-#systemctl -q disable bind9
-
-# Remove fail2ban if available
-#systemctl -q disable fail2ban
-
-if [ "$update" = "0" ]; then
-	# Install and configure the firewall using shorewall
-	apt-get -y install shorewall shorewall6
-	wget -O /etc/shorewall/openmptcprouter-shorewall.tar.gz http://www.openmptcprouter.com/server/openmptcprouter-shorewall.tar.gz
-	tar xzf /etc/shorewall/openmptcprouter-shorewall.tar.gz -C /etc/shorewall
-	rm /etc/shorewall/openmptcprouter-shorewall.tar.gz
-	sed -i "s:eth0:$INTERFACE:g" /etc/shorewall/*
-	systemctl enable shorewall
-	wget -O /etc/shorewall6/openmptcprouter-shorewall6.tar.gz http://www.openmptcprouter.com/server/openmptcprouter-shorewall6.tar.gz
-	tar xzf /etc/shorewall6/openmptcprouter-shorewall6.tar.gz -C /etc/shorewall6
-	rm /etc/shorewall6/openmptcprouter-shorewall6.tar.gz
-	sed -i "s:eth0:$INTERFACE:g" /etc/shorewall6/*
-	systemctl enable shorewall6
-else
-	# Update only needed firewall files
-	wget -O /etc/shorewall/interfaces http://www.openmptcprouter.com/server/shorewall4/interfaces
-	wget -O /etc/shorewall/snat http://www.openmptcprouter.com/server/shorewall4/snat
-	wget -O /etc/shorewall/stoppedrules http://www.openmptcprouter.com/server/shorewall4/stoppedrules
-	wget -O /etc/shorewall/params.vpn http://www.openmptcprouter.com/server/shorewall4/params.vpn
-	wget -O /etc/shorewall/params http://www.openmptcprouter.com/server/shorewall4/params
-	sed -i "s:eth0:$INTERFACE:g" /etc/shorewall/*
-	sed -i 's:10.0.0.2:$OMR_ADDR:g' /etc/shorewall/rules
-	wget -O /etc/shorewall6/interfaces http://www.openmptcprouter.com/server/shorewall6/interfaces
-	wget -O /etc/shorewall6/stoppedrules http://www.openmptcprouter.com/server/shorewall6/stoppedrules
-	sed -i "s:eth0:$INTERFACE:g" /etc/shorewall6/*
-fi
-
-if [ "$update" = "0" ]; then
-	# Display important info
-	echo '=========================================================================================='
-	echo 'OpenMPTCProuter VPS MLVPN is now configured !'
-	echo 'SSH port: 65222 (instead of port 22)'
-	echo 'MLVPN first port: 65201'
-	echo 'Your MLVPN password: '
-	echo $MLVPN_PASS
-	echo '=========================================================================================='
-	echo 'Keys are also saved in /root/openmptcprouter_mlvpn_config.txt, you are free to remove them'
-	echo '=========================================================================================='
-
-	# Save info in file
-	cat > /root/openmptcprouter_mlvpn_config.txt <<-EOF
-	SSH port: 65222 (instead of port 22)
-	MLVPN first port: 65201
-	Your MLVPN password:
-	${MLVPN_PASS}
-	EOF
-	if [ -f "/root/openmptcprouter_config.txt" ]; then
-		cat >> /root/openmptcprouter_config.txt <<-EOF
-		MLVPN first port: 65201
-		Your MLVPN password:
-		${MLVPN_PASS}
-		EOF
-	fi
-else
-	echo '===================================================================================='
-	echo 'OpenMPTCProuter VPS MLVPN is now updated !'
-	echo 'Keys are not changed, shorewall rules files preserved'
-	echo '===================================================================================='
-	echo 'Restarting mlvpn and omr-6in4...'
-	systemctl -q start mlvpn@mlvpn0
-	systemctl -q restart omr-6in4
-	echo 'done'
-	echo 'Restarting shorewall...'
-	systemctl -q restart shorewall
-	systemctl -q restart shorewall6
-	echo 'done'
-fi

dsvpn-run

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+set -e
+
+if [ ! -f "$1" ]; then
+        echo "usage: $(basename "$0") FILE"
+        exit 1
+fi
+
+. "$(readlink -f "$1")"
+
+exec dsvpn \
+	${MODE} \
+	"$1".key \
+	${HOST:-auto} \
+	${PORT} \
+	${DEV} \
+	${LOCALTUNIP} \
+	${REMOTETUNIP}

dsvpn-server.service.in

@@ -0,0 +1,11 @@
+[Unit]
+Description=Dead Simple VPN - Server
+After=network.target network-online.target
+
+[Service]
+ExecStart=/usr/local/sbin/dsvpn server /etc/dsvpn/dsvpn.key auto 65011 dsvpn0 10.255.251.1 10.255.251.2
+Restart=always
+RestartSec=15
+
+[Install]
+WantedBy=network.target

dsvpn-server@.service.in

@@ -0,0 +1,11 @@
+[Unit]
+Description=Dead Simple VPN - Server on %I
+After=network.target network-online.target
+
+[Service]
+ExecStart=/usr/local/bin/dsvpn-run /etc/dsvpn/%i
+Restart=always
+RestartSec=15
+
+[Install]
+WantedBy=network.target

dsvpn0-config

@@ -0,0 +1,6 @@
+PORT=65401
+HOST=0.0.0.0
+DEV=dsvpn0
+MODE=server
+LOCALTUNIP=10.255.251.1
+REMOTETUNIP=10.255.251.2

fail2ban-filter-openvpn.conf

@@ -0,0 +1,10 @@
+[INCLUDES]
+before = common.conf
+
+[Definition] 
+_daemon = ovpn-server
+failregex =%(__prefix_line)s<HOST>:[0-9]{4,5} TLS Auth Error:.*
+           %(__prefix_line)s<HOST>:[0-9]{4,5} VERIFY ERROR:.*
+           %(__prefix_line)s<HOST>:[0-9]{4,5} TLS Error: TLS handshake failed.*
+           %(__prefix_line)sTLS Error: cannot locate HMAC in incoming packet from \[AF_INET\]<HOST>:[0-9]{4,5}
+maxlines = 1

fail2ban-jail-openmptcprouter.conf

@@ -0,0 +1,21 @@
+[DEFAULT]
+backend = systemd
+banaction = shorewall
+
+[sshd]
+enabled = true
+
+[openvpn_tcp]
+enabled = true
+port = 65301
+protocol = tcp
+filter = openvpn
+maxretry = 5
+
+[openvpn_udp]
+enabled = true
+port = 65301
+protocol = udp
+filter = openvpn
+maxretry = 5
+

glorytun-tcp-post.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+[ ! -f $(readlink -f "$1") ] && exit 1
+. "$(readlink -f "$1")"
+
+INTF=gt-${DEV}
+[ -z "$LOCALIP" ] && LOCALIP="10.255.255.1"
+[ -z "$BROADCASTIP" ] && BROADCASTIP="10.255.255.3"
+while [ -z "$(ip link show $INTF 2>/dev/null)" ]; do
+	sleep 2
+done
+[ "$(ip addr show dev $INTF | grep -o 'inet [0-9]*\.[0-9]*\.[0-9]*\.[0-9]*' | grep -o '[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*')" != "$LOCALIP" ] && {
+	ip link set dev ${INTF} up 2>&1 >/dev/null
+	ip addr add ${LOCALIP}/30 brd ${BROADCASTIP} dev ${INTF} 2>&1 >/dev/null
+}

glorytun-tcp-run

@@ -9,7 +9,7 @@ fi
 
 . "$(readlink -f "$1")"
 
-DEV="gt${HOST:+c}-$(basename "$1")"
+DEV="gt-$(basename "$1")"
 
 exec glorytun-tcp \
 	${SERVER:+listener} \

glorytun-tcp@.service.in

@@ -6,6 +6,7 @@ After=network.target network-online.target
 Type=simple
 Restart=always
 ExecStart=/usr/local/bin/glorytun-tcp-run /etc/glorytun-tcp/%i
+ExecStartPost=-/etc/glorytun-tcp/post.sh /etc/glorytun-tcp/%i
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
 
 [Install]

glorytun-udp-post.sh

@@ -0,0 +1,17 @@
+#!/bin/sh
+[ ! -f $(readlink -f "$1") ] && exit 1
+. "$(readlink -f "$1")"
+
+INTF=gt-udp-${DEV}
+[ -z "$LOCALIP" ] && LOCALIP="10.255.254.1"
+[ -z "$BROADCASTIP" ] && BROADCASTIP="10.255.254.3"
+while [ -z "$(ip link show $INTF 2>/dev/null)" ]; do
+	sleep 2
+done
+[ "$(ip addr show dev $INTF | grep -o 'inet [0-9]*\.[0-9]*\.[0-9]*\.[0-9]*' | grep -o '[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*')" != "$LOCALIP" ] && {
+	ip link set dev ${INTF} up 2>&1 >/dev/null
+	ip addr add ${LOCALIP}/30 brd ${BROADCASTIP} dev ${INTF} 2>&1 >/dev/null
+}
+tc qdisc replace dev $INTF root cake
+ip link set $INTF txqlen 100
+glorytun set dev gt-udp-tun0 kxtimeout 7d 2>&1 >/dev/null

glorytun-udp-run

@@ -9,11 +9,10 @@ fi
 
 . "$(readlink -f "$1")"
 
-DEV="gt${HOST:+c}-udp-$(basename "$1")"
+DEV="gt-udp-$(basename "$1")"
 
 exec glorytun \
-	bind $BIND $BIND_PORT \
+	bind to addr ${HOST:-::} port ${PORT:-5000} from addr $BIND port $BIND_PORT \
 	keyfile "$1".key \
 	${DEV:+dev "$DEV"} \
-	${HOST:+to "$HOST" "$PORT"} \
 	${OPTIONS:+$OPTIONS}

glorytun-udp.network

@@ -1,5 +1,5 @@
 [Match]
-Name=gt-udp-*
+Name=gt-udp-tun*
 
 [Network]
 Description=Glorytun server device
@@ -9,9 +9,9 @@ IPMasquerade=yes
 
 [DHCPServer]
 PoolOffset=2
-PoolSize=1
+PoolSize=50
 EmitDNS=no
 EmitNTP=no
 DNS=9.9.9.9
-DefaultLeaseTimeSec=12h
-MaxLeaseTimeSec=24h
+DefaultLeaseTimeSec=2h
+MaxLeaseTimeSec=4h

glorytun-udp@.service.in

@@ -7,6 +7,7 @@ Type=simple
 Restart=always
 EnvironmentFile=/etc/glorytun-udp/%i
 ExecStart=/usr/local/bin/glorytun-udp-run /etc/glorytun-udp/%i
+ExecStartPost=-/etc/glorytun-udp/post.sh /etc/glorytun-udp/%i
 CapabilityBoundingSet=CAP_NET_ADMIN
 
 [Install]

glorytun.network

@@ -1,8 +1,8 @@
 [Match]
-Name=gt-*
+Name=gt-tun*
 
 [Link]
-MTUBytes=1400
+MTUBytes=1500
 
 [Network]
 Description=Glorytun server device
@@ -12,9 +12,9 @@ IPMasquerade=yes
 
 [DHCPServer]
 PoolOffset=1
-PoolSize=2
+PoolSize=50
 EmitDNS=no
 EmitNTP=no
 DNS=9.9.9.9
-DefaultLeaseTimeSec=12h
-MaxLeaseTimeSec=24h
+DefaultLeaseTimeSec=2h
+MaxLeaseTimeSec=4h

iperf3.override.conf

@@ -0,0 +1,3 @@
+[Service]
+ExecStart=
+ExecStart=/usr/bin/iperf3 -s -p 65400 --authorized-users-path /etc/iperf3/users.csv --rsa-private-key-path /etc/iperf3/private.pem

iperf3.service.in

@@ -0,0 +1,10 @@
+[Unit]
+Description=iperf3
+Requires=network.target
+
+[Service]
+ExecStart=/usr/bin/iperf3 -s -p 65400 --authorized-users-path /etc/iperf3/users.csv --rsa-private-key-path /etc/iperf3/private.pem
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target

manager.json

@@ -0,0 +1,22 @@
+{
+    "mptcp": true,
+    "ipv6_first": true,
+    "no_delay": true,
+    "ebpf": false,
+    "server": [
+        "[::0]",
+        "0.0.0.0"
+    ],
+    "method": "chacha20-ietf-poly1305",
+    "fast_open": true,
+    "timeout": 1000,
+    "port_key": {
+        "65101": "MySecretKey",
+    },
+    "local_port": 1081,
+    "verbose": 0,
+    "acl": "/etc/shadowsocks-libev/local.acl",
+    "mode": "tcp_and_udp",
+    "reuse_port": true,
+    "prefer_ipv6": false
+}

mlvpn.network

@@ -9,7 +9,7 @@ IPMasquerade=yes
 
 [DHCPServer]
 PoolOffset=2
-PoolSize=1
+PoolSize=50
 EmitDNS=no
 EmitNTP=no
 DNS=9.9.9.9

mlvpn0.conf

@@ -5,7 +5,7 @@ interface_name = "mlvpn0"
 timeout = 30
 password = "MLVPN_PASS"
 reorder_buffer = yes
-reorder_buffer_size = 64
+reorder_buffer_size = 128
 loss_tolerence = 50
 
 [wan1]

mlvpn@.service.in

@@ -0,0 +1,18 @@
+[Unit]
+Description=MLVPN connection to %i
+PartOf=mlvpn.service
+ReloadPropagatedFrom=mlvpn.service
+After=network.target network-online.target
+
+[Service]
+Type=notify
+NotifyAccess=main
+ExecStart=/usr/local/sbin/mlvpn --config /etc/mlvpn/%i.conf --name %i --user mlvpn --quiet
+ExecReload=/bin/kill -HUP $MAINPID
+WorkingDirectory=/etc/mlvpn
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+
+

multipath

@@ -0,0 +1,177 @@
+#!/bin/sh
+#
+# Update the MP-TCP flags without the pached iproute2
+#
+# Author: Mario Krueger <openwrt at xedp3x.de>
+# Released under GPL 3 or later
+
+if [ -d "/proc/sys/net/mptcp" ]; then
+        if ([ -f /proc/sys/net/mptcp/mptcp_enabled ] && [ `cat /proc/sys/net/mptcp/mptcp_enabled` = 0 ]) || ([ -f /proc/sys/net/mptcp/enabled ] && [ `cat /proc/sys/net/mptcp/enabled` = 0 ]); then
+                echo "MPTCP is disabled!"
+                exit 1
+        fi
+else
+        echo "Your device don't support multipath-TCP."
+        echo "You have to install the pached kernel to use MPTCP."
+        echo "See http://multipath-tcp.org/ for details"
+        exit 1
+fi
+
+case $1 in
+   "-h")
+        echo "          Multipath-TCP configuration tool"
+        echo "show/update flags:"
+        echo "  multipath [device]"
+        echo "  multipath device {on | off | backup | handover}"
+        echo
+        echo "show established conections: -c"
+        echo "show fullmesh info: -f"
+        echo "show kernel config: -k"
+        echo
+        echo "Flag on the device, to enable/disable MPTCP for this interface. The backup-flag"
+        echo "will allow a subflow to be established across this interface, but only be used"
+        echo "as backup. Handover-flag indicates that his interface is not used at all (even "
+        echo "no subflow being established), as long as there are other interfaces available."
+        echo "See http://multipath-tcp.org/ for details"
+        echo
+        exit 0 ;;
+   "-c")
+        cat /proc/net/mptcp_net/mptcp
+        exit 0;;
+   "-f")
+        cat /proc/net/mptcp_fullmesh
+        exit 0;;
+   "-k")
+        if [ -f /proc/sys/net/mptcp/mptcp_enabled ]; then
+            echo Enabled: `cat /proc/sys/net/mptcp/mptcp_enabled`
+        elif [ -f /proc/sys/net/mptcp/enabled ]; then
+            echo Enabled: `cat /proc/sys/net/mptcp/enabled`
+        fi
+        if [ -f /proc/sys/net/mptcp/mptcp_path_manager ]; then
+            echo Path Manager: `cat /proc/sys/net/mptcp/mptcp_path_manager`
+        fi
+        if [ -f /proc/sys/net/mptcp/mptcp_checksum ]; then
+            echo Use checksum: `cat /proc/sys/net/mptcp/mptcp_checksum`
+        else
+            echo Use checksum: `cat /proc/sys/net/mptcp/checksum_enabled`
+        fi
+        if [ -f /proc/sys/net/mptcp/mptcp_scheduler ]; then
+            echo Scheduler: `cat /proc/sys/net/mptcp/mptcp_scheduler`
+        fi
+        if [ -f /proc/sys/net/mptcp/mptcp_syn_retries ]; then
+            echo Syn retries: `cat /proc/sys/net/mptcp/mptcp_syn_retries`
+        fi
+        if [ -f /proc/sys/net/mptcp/mptcp_debug ]; then
+            echo Debugmode: `cat /proc/sys/net/mptcp/mptcp_debug`
+        fi
+        echo
+        echo See http://multipath-tcp.org/ for details
+        exit 0 ;;
+   "")
+        for ifpath in /sys/class/net/*; do
+                $0 ${ifpath##*/}
+        done
+        exit 0;;
+   *);;
+esac
+
+DEVICE="$1"
+TYPE="$2"
+#FLAG_PATH=`find /sys/devices/ -path "*/net/$DEVICE/flags"`
+
+[ -d "/sys/class/net/$DEVICE/" ] || {
+        #echo "Device '$DEVICE' can't found!"
+        #echo "Use the hardware name like in ifconfig"
+        exit 1
+}
+
+if [ -f /proc/sys/net/mptcp/mptcp_enabled ]; then
+        FLAG_PATH="/sys/class/net/$DEVICE/flags"
+        IFF=`cat $FLAG_PATH`
+
+        IFF_OFF="0x80000"
+        IFF_ON="0x00"
+        IFF_BACKUP="0x100000"
+        IFF_HANDOVER="0x200000"
+        IFF_MASK="0x380000"
+
+        case $TYPE in
+                "off")          FLAG=$IFF_OFF;;
+                "on")           FLAG=$IFF_ON;;
+                "backup")       FLAG=$IFF_BACKUP;;
+                "handover")     FLAG=$IFF_HANDOVER;;
+                "")
+                        IFF=`printf "0x%02x" $(($IFF&$IFF_MASK))`
+                        case "$IFF" in
+                                $IFF_OFF)       echo $DEVICE is deactivated;;
+                                $IFF_ON)        echo $DEVICE is in default mode;;
+                                $IFF_BACKUP)    echo $DEVICE is in backup mode;;
+                                $IFF_HANDOVER)  echo $DEVICE is in handover mode;;
+                                *) echo "Unkown state!" && exit 1;;
+                        esac
+                        exit 0;;
+                *) echo "Unkown flag! Use 'multipath -h' for help" && exit 1;;
+        esac
+
+        printf "0x%02x" $(($(($IFF^$(($IFF&$IFF_MASK))))|$FLAG)) > $FLAG_PATH
+else
+        ID=$(ip mptcp endpoint show | grep -m 1 "dev $DEVICE" | awk '{print $3}')
+        IFF=$(ip mptcp endpoint show | grep -m 1 "dev $DEVICE" | awk '{print $4}')
+        #IP=$(ip a show $DEVICE | sed -En 's/127.0.0.1//;s/.*inet (addr:)?(([0-9]*\.){3}[0-9]*).*/\2/p')
+	[ -f /usr/bin/jsonfilter ] && IP=$(ip -j a show $DEVICE | jsonfilter -e '@[0].addr_info[*].local')
+        [ -f /usr/bin/jq ] && IP=$(ip -j a show $DEVICE | jq -r '.[0].addr_info[].local')
+	RMID=$(ip mptcp endpoint show | grep '::ffff' | awk '{ print $3 }')
+        [ -n "$RMID" ] && ip mptcp endpoint delete id $RMID 2>&1 >/dev/null
+        case $TYPE in
+                "off")
+                        [ -n "$ID" ] && {
+                            for i in $ID; do
+                                ip mptcp endpoint delete id $i 2>&1 >/dev/null
+                            done
+                        }
+                        exit 0;;
+                "on")
+                        [ -n "$ID" ] && {
+                            for i in $ID; do
+                                ip mptcp endpoint delete id $i 2>&1 >/dev/null
+                            done
+                        }
+                        for i in $IP; do
+                            ip mptcp endpoint add $i dev $DEVICE subflow fullmesh
+                        done
+                        exit 0;;
+                "signal")
+                        [ -n "$ID" ] && {
+                            for i in $ID; do
+                                ip mptcp endpoint delete id $i 2>&1 >/dev/null
+                            done
+                        }
+                        for i in $IP; do
+                            ip mptcp endpoint add $i dev $DEVICE signal
+                        done
+                        exit 0;;
+                "backup")
+                        [ -n "$ID" ] && {
+                            for i in $ID; do
+                                ip mptcp endpoint delete id $i 2>&1 >/dev/null
+                            done
+                        }
+                        for i in $IP; do
+                            ip mptcp endpoint add $i dev $DEVICE backup fullmesh
+                        done
+                        exit 0;;
+                "")
+                        case "$IFF" in
+                                "")          echo $DEVICE is deactivated;;
+                                "subflow")   echo $DEVICE is in default mode;;
+                                "backup")    echo $DEVICE is in backup mode;;
+                                "signal")    echo $DEVICE is in signal mode;;
+                                "fullmesh")  echo $DEVICE is in fullmesh mode;;
+                                *)           echo "$DEVICE Unkown state!" && exit 1;;
+                        esac
+                        exit 0;;
+                *) echo "Unkown flag! Use 'multipath -h' for help" && exit 1;;
+        esac
+
+fi
+

old-v2ray.service

@@ -0,0 +1,25 @@
+[Unit]
+Description=V2Ray - A unified platform for anti-censorship
+Documentation=https://v2ray.com https://guide.v2fly.org
+After=network.target nss-lookup.target
+Wants=network-online.target
+
+[Service]
+# If the version of systemd is 240 or above, then uncommenting Type=exec and commenting out Type=simple
+#Type=exec
+Type=simple
+# Runs as root or add CAP_NET_BIND_SERVICE ability can bind 1 to 1024 port.
+# This service runs as root. You may consider to run it as another user for security concerns.
+# By uncommenting User=v2ray and commenting out User=root, the service will run as user v2ray.
+# More discussion at https://github.com/v2ray/v2ray-core/issues/1011
+User=root
+#User=v2ray
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW
+NoNewPrivileges=yes
+ExecStart=/usr/bin/v2ray -config /etc/v2ray/config.json
+Restart=on-failure
+# Don't restart in the case of configuration error
+RestartPreventExitStatus=23
+
+[Install]
+WantedBy=multi-user.target

omr-6in4-run

@@ -0,0 +1,23 @@
+#!/bin/sh
+
+set -e
+
+if [ ! -f "$2" ]; then
+        echo "usage: $(basename "$0") start FILE"
+        exit 1
+fi
+
+. "$(readlink -f "$2")"
+
+DEV="omr-6in4-$(basename "$2")"
+
+if [ "$1" = "start" ]; then
+        [ -n "$(ip tunnel show ${DEV})" ] && ip tunnel del ${DEV} 2>&1 >/dev/null
+        ip tunnel add ${DEV} mode sit remote ${REMOTEIP} local ${LOCALIP}
+        ip -6 addr add ${LOCALIP6} dev ${DEV}
+        ip link set ${DEV} up
+        [ -n "$ULA" ] && [ "$ULA" != "auto" ] && ip route replace ${ULA} via $(echo ${REMOTEIP6} | cut -d/ -f1) dev ${DEV}
+fi
+if [ "$1" = "stop" ]; then
+        ip tunnel del ${DEV}
+fi

omr-6in4-service

@@ -1,74 +0,0 @@
-#!/bin/bash
-# OpenMPTCProuter VPS 6in4 service script
-
-if [ "$1" = "stop" ] && [ "$(ip link show omr-6in4 up 2>/dev/null)" ]; then
-	ip route del fd00::/8 via fe80::a00:2 dev omr-6in4
-	ip link set omr-6in4 down
-	ip tunnel del omr-6in4
-	exit 0
-fi
-
-# Add IPv6 tunnel
-if [ "$(ip link show omr-6in4 up 2>/dev/null)" ]; then
-	ip tunnel change omr-6in4 mode sit remote 10.255.255.2 local 10.255.255.1
-else
-	ip tunnel add omr-6in4 mode sit remote 10.255.255.2 local 10.255.255.1
-	ip addr add fe80::a00:1/64 dev omr-6in4 >/dev/null 2>&1
-fi
-ip link set omr-6in4 up
-ip route replace fd00::/8 via fe80::a00:2 dev omr-6in4
-
-_ping() {
-	local host=$1
-	ret=$(ping -4 "${host}" \
-		-W 5 \
-		-c 1 \
-		-q
-	) && echo "$ret" | grep -sq "0% packet loss" && {
-		return
-	}
-	false
-}
-
-while true; do
-	source /etc/shorewall/params.vpn
-	iface=""
-	currentaddr=$(ip addr show omr-6in4 | grep link/sit | awk '{print $2}' | tr -d "\n")
-	currentpeer=$(ip addr show omr-6in4 | grep link/sit | awk '{print $4}' | tr -d "\n")
-	if [ -n "$currentpeer" ]; then
-		_ping $currentpeer
-		status=$?
-		if ! $(exit $status) || [ "$currentpeer" != "$OMR_ADDR" ]; then
-			allip_tcp=$(ip -4 addr show gt-tun0 2>/dev/null | grep inet)
-			allip_udp=$(ip -4 addr show gt-udp-tun0 2>/dev/null | grep inet)
-			allip_mlvpn=$(ip -4 addr show mlvpn0 2>/dev/null | grep inet)
-			allip_openvpn=$(ip -4 addr show tun0 2>/dev/null | grep inet)
-			allip="$allip_tcp
-$allip_udp
-$allip_openvpn
-$allip_mlvpn"
-			while IFS= read -r inet; do
-				ip=$(echo $inet | awk '{print $2}' | cut -d/ -f1 | tr -d "\n")
-				ipd=$(echo $ip | sed 's/.1/.2/' | tr -d "\n")
-				if [ "$ipd" != "" ]; then
-					_ping $ipd
-					statusp=$?
-					if $(exit $statusp); then
-						ip tunnel change omr-6in4 mode sit remote $ipd local $ip
-						echo "VPS_ADDR=$ip" > /etc/shorewall/params.vpn
-						echo "OMR_ADDR=$ipd" >> /etc/shorewall/params.vpn
-						iface=$(ip -4 addr | grep $ip | awk '{print $7}' | tr -d "\n")
-						echo "VPS_IFACE=$iface" >> /etc/shorewall/params.vpn
-						systemctl reload shorewall
-						break
-					fi
-				fi
-			done < <(printf '%s\n' "$allip")
-			[ -z "$iface" ] && {
-				systemctl -q restart systemd-networkd
-				sleep 10
-			}
-		fi
-	fi
-	sleep 5
-done

omr-admin-ipv6.service.in

@@ -0,0 +1,12 @@
+[Unit]
+Description=OMR-Admin IPv6
+After=network.target network-online.target
+
+[Service]
+Type=simple
+Restart=always
+ExecStart=/usr/local/bin/omr-admin.py --host="::"
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN CAP_IPC_LOCK CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_FOWNER CAP_SETFCAP
+
+[Install]
+WantedBy=multi-user.target

omr-admin.service.in

@@ -0,0 +1,12 @@
+[Unit]
+Description=OMR-Admin
+After=network.target network-online.target
+
+[Service]
+Type=simple
+Restart=always
+ExecStart=/usr/local/bin/omr-admin.py
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN CAP_IPC_LOCK CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_FOWNER CAP_SETFCAP
+
+[Install]
+WantedBy=multi-user.target

omr-bypass

@@ -0,0 +1,82 @@
+#!/bin/sh
+# Copyright (C) 2023 Ycarus (Yannick Chabanois) <ycarus@zugaina.org> for OpenMPTCProuter
+# Released under GPL 3. See LICENSE for the full terms.
+
+[ ! -f /etc/openmptcprouter-vps-admin/omr-bypass.json ] && exit 0
+
+# Configuration
+INTERFACE="$(jq -M -r .bypass_intf /etc/openmptcprouter-vps-admin/omr-admin-config.json | tr -d '\n')"
+[ "$INTERFACE" = "null" ] && INTERFACE="vpn1"
+GATEWAY="$(ip r show dev ${INTERFACE} | awk '/via/ {print $3}' | tr -d '\n')"
+GATEWAY6="$(ip -6 r show dev ${INTERFACE} | awk '/via/ {print $3}' | tr -d '\n')"
+TABLE="991337"
+MARK="0x539"
+
+CHECKSUM="$(md5sum /etc/openmptcprouter-vps-admin/omr-bypass.json | awk '{print $1}' | tr -d '\n')"
+PREVIOUS_CHECKSUM="$(jq -M -r .bypass_checksum /etc/openmptcprouter-vps-admin/omr-admin-config.json | tr -d '\n')"
+[ "$CHECKSUM" = "$PREVIOUS_CHECKSUM" ] && exit 0
+jq -M --arg c "$CHECKSUM" '.bypass_checksum = $c' /etc/openmptcprouter-vps-admin/omr-admin-config.json > /etc/openmptcprouter-vps-admin/omr-admin-config.json.tmp
+mv /etc/openmptcprouter-vps-admin/omr-admin-config.json.tmp /etc/openmptcprouter-vps-admin/omr-admin-config.json
+# Action
+ipset -q flush omr_dst_bypass_srv_${INTERFACE} 2>&1 > /dev/null
+ipset -q flush omr6_dst_bypass_srv_${INTERFACE} 2>&1 > /dev/null
+ipset -q --exist restore <<-EOF
+create omr_dst_bypass_srv_${INTERFACE} hash:net hashsize 64
+create omr6_dst_bypass_srv_${INTERFACE} hash:net family inet6 hashsize 64
+EOF
+ipv4=$(cat /etc/openmptcprouter-vps-admin/omr-bypass.json | jq -r .${INTERFACE}.ipv4[])
+for ip in $ipv4; do
+	ipset -q add omr_dst_bypass_srv_${INTERFACE} $ip
+done
+ipv6=$(cat /etc/openmptcprouter-vps-admin/omr-bypass.json | jq -r .${INTERFACE}.ipv6[])
+for ip in $ipv6; do
+	ipset -q add omr6_dst_bypass_srv_${INTERFACE} $ip
+done
+iptables-save --counters 2>/dev/null | grep -v omr-bypass | iptables-restore -w --counters 2>/dev/null
+iptables-restore -w --wait=60 --noflush <<-EOF
+*mangle
+:omr-bypass -
+-A PREROUTING -j omr-bypass
+COMMIT
+EOF
+iptables-restore -w --wait=60 --noflush <<-EOF
+*mangle
+:omr-bypass-local -
+-A OUTPUT -m addrtype ! --dst-type LOCAL -j omr-bypass-local
+COMMIT
+EOF
+iptables-restore -w --wait=60 --noflush <<-EOF
+*mangle
+-A omr-bypass -m set --match-set omr_dst_bypass_srv_${INTERFACE} dst -j MARK --set-mark ${MARK}
+-A omr-bypass -m mark --mark ${MARK} -j RETURN
+-A omr-bypass-local -m set --match-set omr_dst_bypass_srv_${INTERFACE} dst -j MARK --set-mark ${MARK}
+-A omr-bypass-local -m mark --mark ${MARK} -j RETURN
+COMMIT
+EOF
+ip rule add prio 1 fwmark ${MARK} lookup ${TABLE} > /dev/null 2>&1
+ip route replace default via ${GATEWAY} dev ${INTERFACE} table ${TABLE}
+ip6tables-save --counters 2>/dev/null | grep -v omr-bypass | ip6tables-restore -w --counters 2>/dev/null
+ip6tables-restore -w --wait=60 --noflush <<-EOF
+*mangle
+:omr-bypass -
+-A PREROUTING -j omr-bypass
+COMMIT
+EOF
+ip6tables-restore -w --wait=60 --noflush <<-EOF
+*mangle
+:omr-bypass-local -
+-A OUTPUT -m addrtype ! --dst-type LOCAL -j omr-bypass-local
+COMMIT
+EOF
+ip6tables-restore -w --wait=60 --noflush <<-EOF
+*mangle
+-A omr-bypass -m set --match-set omr6_dst_bypass_srv_${INTERFACE} dst -j MARK --set-mark ${MARK}
+-A omr-bypass -m mark --mark ${MARK} -j RETURN
+-A omr-bypass-local -m set --match-set omr6_dst_bypass_srv_${INTERFACE} dst -j MARK --set-mark ${MARK}
+-A omr-bypass-local -m mark --mark ${MARK} -j RETURN
+COMMIT
+EOF
+if [ -n "$GATEWAY6" ]; then
+	ip rule add prio 1 fwmark ${MARK} lookup ${TABLE} > /dev/null 2>&1
+	ip route replace default via ${GATEWAY6} dev ${INTERFACE} table ${TABLE}
+fi

omr-bypass.service.in

@@ -0,0 +1,12 @@
+[Unit]
+Description=OMR-ByPass
+After=network.target network-online.target shorewall.service
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/omr-bypass
+KillSignal=9
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
+
+[Install]
+WantedBy=multi-user.target

omr-bypass.timer.in

@@ -0,0 +1,8 @@
+[Unit]
+Description=Timer for omr-bypass
+
+[Timer]
+OnUnitActiveSec=300
+
+[Install]
+WantedBy=timers.target

omr-pihole.sh

@@ -0,0 +1,59 @@
+#!/bin/sh
+if [ -f /etc/os-release ]; then
+	. /etc/os-release
+else
+	. /usr/lib/os-release
+fi
+if [ "$ID" = "debian" ] && [ "$VERSION_ID" = "9" ]; then
+        echo "This script doesn't work with Debian Stretch (9.x)"
+        exit 1
+fi
+if [ "$(id -u)" -ne 0 ]; then
+	echo "You must run the script as root"
+	exit 1
+fi
+
+echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+echo "You can select any interface and set any IPs during Pi-hole configuration, this will be modified for OpenMPTCProuter at the end."
+echo "Don't apply Pi-hole firewall rules."
+echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+[ "`tty`" != "not a tty" ] && read -n 1 -s -r -p "Press any key to continue" || sleep 5
+
+echo "Run Pi-hole install script..."
+curl -sSL https://install.pi-hole.net | bash
+echo "Done"
+echo "-------------------------------------------------------------------------------------------------------------------------------"
+echo "OMR Pi-hole configuration..."
+cat > /etc/lighttpd/external.conf << 'EOF'
+server.bind="10.255.255.1"
+$SERVER["socket"] == "10.255.254.1:80" { }
+$SERVER["socket"] == "10.255.252.1:80" { }
+$SERVER["socket"] == "10.255.251.1:80" { }
+$SERVER["socket"] == "10.255.253.1:80" { }
+EOF
+systemctl list-unit-files lighttpd.service &>/dev/null && systemctl -q restart lighttpd
+grep -v -e PIHOLE_INTERFACE -e IPV4_ADDRESS -e IPV6_ADDRESS /etc/pihole/setupVars.conf > /etc/pihole/setupVars.new.conf
+mv /etc/pihole/setupVars.new.conf /etc/pihole/setupVars.conf
+cat >> /etc/pihole/setupVars.conf <<-EOF
+PIHOLE_INTERFACE=gt-tun0
+IPV4_ADDRESS=10.255.0.0/16
+IPV6_ADDRESS=fd00::a00:/106
+RATE_LIMIT=0/0
+EOF
+
+grep -v interface /etc/dnsmasq.d/01-pihole.conf > /etc/dnsmasq.d/01-pihole.new.conf
+mv /etc/dnsmasq.d/01-pihole.new.conf /etc/dnsmasq.d/01-pihole.conf
+cat > /etc/dnsmasq.d/99-omr.conf <<-EOF
+interface=gt-tun0
+interface=gt-udp-tun0
+interface=tun0
+interface=mlvpn0
+interface=dsvpn0
+EOF
+systemctl -q restart pihole-FTL
+echo "Done"
+echo "======================================================================================================================================"
+echo "To use Pi-hole in OpenMPTCProuter, you need to 'Save & Apply' the wizard again in System->OpenMPTCProuter then reboot OpenMPTCProuter."
+echo "Web interface will be available on 10.255.255.1 if you use Glorytun TCP, 10.255.254.1 if you use Glorytun UDP."
+echo "======================================================================================================================================"
+exit 0

omr-service

@@ -0,0 +1,232 @@
+#!/bin/bash
+# OpenMPTCProuter VPS service script
+
+_multipath() {
+	# Force multipath status
+	source /etc/shorewall/params.net
+	for intf in `ls -1 /sys/class/net`; do
+		if [ "$intf" != "bonding_masters" ]; then
+			if ([ "$(ip a show dev lo | grep -v inet6 | grep global)" != "" ] && [ "$intf" = "lo" ]) || ([ "$intf" = "$NET_IFACE" ] && [ "$(ip a show dev lo | grep -v inet6 | grep global)" = "" ]); then
+				[ -f /proc/sys/net/mptcp/mptcp_enabled ] && [ "$(multipath $intf | tr -d '\n')" != "$intf is in default mode" ] && multipath $intf on >/dev/null 2>&1
+				[ -f /proc/sys/net/mptcp/enabled ] && [ "$(multipath $intf | tr -d '\n')" != "$intf is in signal mode" ] && {
+					multipath $intf signal >/dev/null 2>&1
+					ip mptcp limits set subflows 8 add_addr_accepted 8 >/dev/null 2>&1
+				}
+			else
+				[ "$(multipath $intf | tr -d '\n')" != "$intf is deactivated" ] && multipath $intf off >/dev/null 2>&1
+			fi
+		fi
+	done
+}
+
+_glorytun_udp() {
+	#if [ -n "$(systemctl -a | grep 'glorytun-udp')" ]; then
+	if systemctl list-unit-files glorytun-udp@.service >/dev/null; then
+		[ -z "$(glorytun show dev gt-udp-tun0 2>/dev/null | grep tunnel)" ] && {
+			logger -t "OMR-Service" "Restart Glorytun-UDP"
+			systemctl -q restart 'glorytun-udp@*'
+			sleep 10
+		}
+		for intf in /etc/glorytun-udp/tun*; do
+			[ "$(echo $intf | grep key)" = "" ] && /etc/glorytun-udp/post.sh ${intf}
+		done
+		#ip link set mtu 9000 dev gt-udp-tun0 >/dev/null 2>&1
+	fi
+}
+
+_glorytun_tcp() {
+	#if [ -n "$(systemctl -a | grep 'glorytun-tcp')" ]; then
+	if systemctl list-unit-files glorytun-tcp@.service >/dev/null; then
+		for intf in /etc/glorytun-tcp/tun*; do
+			[ "$(echo $intf | grep key)" = "" ] && timeout 10 /etc/glorytun-tcp/post.sh ${intf}
+		done
+		if [ -f /etc/openmptcprouter-vps-admin/current-vpn ] && [ "$(cat /etc/openmptcprouter-vps-admin/current-vpn)" = "glorytun_tcp" ]; then
+			localip="$(cat /etc/glorytun-tcp/tun0 | grep LOCALIP | cut -d '=' -f2)"
+			[ -z "$localip" ] && localip="10.255.255.1"
+			remoteip="$(echo $localip | sed 's/\.1/\.2/')"
+			if [ "$(ping -c 3 -w 10 $remoteip | grep '100%')" != "" ] && ([ -z "$(pgrep glorytun-tcp)" ] || [ "$(expr $(date +%s) - $(stat -c %Y /proc/$(pgrep glorytun-tcp)/exe ))" -gt "300" ]); then
+				logger -t "OMR-Service" "No answer from VPN client end, restart Glorytun-TCP"
+				systemctl restart glorytun-tcp@tun0
+				sleep 10
+			fi
+		fi
+		#ip link set mtu 9000 dev gt-tun0 >/dev/null 2>&1
+	fi
+}
+
+_dsvpn() {
+	#if [ -n "$(systemctl -a | grep 'dsvpn')" ]; then
+	if systemctl list-unit-files dsvpn-server@.service >/dev/null; then
+		[ -n "$(ip -6 r show 64:ff9b::/96 dev dsvpn0)" ] && ip -6 r del 64:ff9b::/96 dev dsvpn0 >/dev/null 2>&1
+		if [ -f /etc/openmptcprouter-vps-admin/current-vpn ] && [ "$(cat /etc/openmptcprouter-vps-admin/current-vpn)" = "dsvpn" ]; then
+			localip="$(cat /etc/dsvpn/dsvpn0 | grep LOCALTUNIP | cut -d '=' -f2)"
+			[ -z "$localip" ] && localip="10.255.251.1"
+			remoteip="$(echo $localip | sed 's/\.1/\.2/')"
+			if [ "$(ping -c 5 -w 5 $remoteip | grep '100%')" != "" ] && [ "$(expr $(date +%s) - $(stat -c %Y /proc/$(pgrep dsvpn)/exe ))" -gt "300" ]; then
+				logger -t "OMR-Service" "No answer from VPN client end, restart DSVPN"
+				systemctl restart dsvpn-server@dsvpn0
+			fi
+			#ip link set mtu 9000 dev dsvpn0 >/dev/null 2>&1
+		fi
+	fi
+}
+
+_shadowsocks() {
+	if systemctl list-unit-files shadowsocks-libev-manager@.service >/dev/null; then
+		[ -z "$(pgrep ss-server)" ] && {
+			logger -t "OMR-Service" "ss-server not detected, restart Shadowsocks libev"
+			systemctl restart shadowsocks-libev-manager@manager
+		}
+	fi
+}
+
+_shadowsocks_go() {
+	if systemctl list-unit-files shadowsocks-go.service >/dev/null; then
+		[ -z "$(pgrep shadowsocks-go)" ] && {
+			logger -t "OMR-Service" "ss-server not detected, restart Shadowsocks go"
+			systemctl restart shadowsocks-go
+		}
+	fi
+}
+
+_xray() {
+	if systemctl list-unit-files xray.service >/dev/null; then
+		[ -z "$(pgrep xray)" ] && {
+			logger -t "OMR-Service" "ss-server not detected, restart XRay"
+			systemctl restart xray
+		}
+	fi
+}
+
+_v2ray() {
+	if systemctl list-unit-files v2ray.service >/dev/null; then
+		[ -z "$(pgrep v2ray)" ] && {
+			logger -t "OMR-Service" "ss-server not detected, restart V2Ray"
+			systemctl restart v2ray
+		}
+	fi
+}
+
+_wireguard() {
+	#if [ -n "$(systemctl -a | grep 'wg')" ]; then
+	if systemctl list-unit-files wg-quick@.service >/dev/null; then
+		[ -z "$(ip a show dev wg0 | grep '10.255.247.1')" ] && ip a add 10.255.247.1/24 dev wg0 >/dev/null 2>&1
+		[ -z "$(ip a show dev client-wg0 | grep '10.255.246.1')" ] && ip a add 10.255.246.1/24 dev client-wg0 >/dev/null 2>&1
+	fi
+}
+
+
+_omr_api() {
+	[ -z "$(pgrep curl)" ] && [ -z "$(curl -s -k -m 30 https://127.0.0.1:65500/)" ] && {
+		logger -t "OMR-Service" "Can't contact API, restart OMR-Admin"
+		systemctl -q restart omr-admin
+	}
+}
+
+_lan_route() {
+	jq -c '.users[0][]?' /etc/openmptcprouter-vps-admin/omr-admin-config.json |
+	while IFS=$"\n" read -r c; do
+		if [ -n "$c" ]; then
+			vpnremoteip=$(echo "$c" | jq -r '.vpnremoteip')
+			username=$(echo "$c" | jq -r '.username')
+			if [ -n "$vpnremoteip" ] && [ "$vpnremoteip" != "null" ]; then
+				echo "$c" | jq -c -r '.lanips[]? //empty' | 
+				while IFS=$"\n" read -r d; do
+					if [ "$d" != "" ]; then
+						network=$(ipcalc -n $d | grep Network | awk '{print $2}')
+						networkonly=$(ipcalc -n $d | grep Network | awk '{print $2}' | cut -d/ -f1)
+						netmask=$(ipcalc -n $d | grep Netmask | awk '{print $2}')
+						[ -n "$network" ] && [ -z "$(ip r show $network via $vpnremoteip)" ] && ip r replace $network via $vpnremoteip >/dev/null 2>&1
+						[ -n "$networkonly" ] && [ -n "$netmask" ] && ([ ! -f /etc/openvpn/ccd/${username} ] || [ -z "$(grep $networkonly /etc/openvpn/ccd/${username})" ]) && echo "iroute $networkonly $netmask" >> /etc/openvpn/ccd/${username}
+					fi
+				done
+			fi
+		fi
+	done
+}
+
+_gre_tunnels() {
+	. "$(readlink -f "/etc/shorewall/params.vpn")"
+	if [ -n "$OMR_ADDR" ]; then
+		for intf in /etc/openmptcprouter-vps-admin/intf/*; do
+			if [ -f "$intf" ]; then
+				. "$(readlink -f "$intf")"
+				iface="$(basename $intf)"
+				if [ "$(ip tunnel show $iface 2>/dev/null | awk '{print $4}')" != "$OMR_ADDR" ]; then
+					[ -n "$(ip tunnel show $iface 2>/dev/null)" ] && ip tunnel del $iface >/dev/null 2>&1
+					ip tunnel add $iface mode gre local $INTFADDR remote $OMR_ADDR >/dev/null 2>&1
+					ip link set $iface up >/dev/null 2>&1
+					ip addr add $LOCALIP dev $iface >/dev/null 2>&1
+					ip route add $NETWORK dev $iface >/dev/null 2>&1
+				fi
+			fi
+		done
+	fi
+}
+
+_openvpn_bonding() {
+	if [ "$(ip link show ovpnbonding1 2>/dev/null)" != "" ] && ([ "$(ip link show ovpnbonding1 2>/dev/null | grep SLAVE)" = "" ] || [ "$(ip link show omr-bonding 2>/dev/null | grep DOWN)" != "" ] || [ "$(ip link show | grep ovpnbonding | grep -c SLAVE | tr -d '\n')" != "8" ]); then
+		echo 0 > /sys/class/net/omr-bonding/bonding/mode >/dev/null 2>&1
+		ip link set ovpnbonding1 master omr-bonding >/dev/null 2>&1
+		ip link set ovpnbonding1 up >/dev/null 2>&1
+		ip link set ovpnbonding2 master omr-bonding >/dev/null 2>&1
+		ip link set ovpnbonding2 up >/dev/null 2>&1
+		ip link set ovpnbonding3 master omr-bonding >/dev/null 2>&1
+		ip link set ovpnbonding3 up >/dev/null 2>&1
+		ip link set ovpnbonding4 master omr-bonding >/dev/null 2>&1
+		ip link set ovpnbonding4 up >/dev/null 2>&1
+		ip link set ovpnbonding5 master omr-bonding >/dev/null 2>&1
+		ip link set ovpnbonding5 up >/dev/null 2>&1
+		ip link set ovpnbonding6 master omr-bonding >/dev/null 2>&1
+		ip link set ovpnbonding6 up >/dev/null 2>&1
+		ip link set ovpnbonding7 master omr-bonding >/dev/null 2>&1
+		ip link set ovpnbonding7 up >/dev/null 2>&1
+		ip link set ovpnbonding8 master omr-bonding >/dev/null 2>&1
+		ip link set ovpnbonding8 up >/dev/null 2>&1
+		ip link set omr-bonding up mtu 1440 >/dev/null 2>&1
+		ip a add 10.255.248.1 dev omr-bonding >/dev/null 2>&1
+		ip r add 10.255.248.0/24 dev omr-bonding >/dev/null 2>&1
+		ip r add 10.255.248.2 dev omr-bonding src 10.255.248.1 >/dev/null 2>&1
+	fi
+}
+
+_vpn1() {
+	vpn1route=$(ip r show dev vpn1 2>/dev/null | grep '0.0.0.0')
+	[ -z "$vpn1route" ] && vpn1route=$(ip r show dev vpn1 2>/dev/null | grep 'default')
+	if [ -n "$vpn1route" ]; then
+		ip r del $vpn1route
+		vpn1gw="$(echo \"$vpn1route\" | awk '{ print $3 }')"
+		ip r a default via $vpngw dev vpn1 table 991337
+		for route in $(ip r show dev vpn1); do
+			ip r a $route table 991337
+		done
+	fi
+}
+
+sysctl -p /etc/sysctl.d/90-shadowsocks.conf >/dev/null 2>&1
+modprobe bonding >/dev/null 2>&1
+ip link add omr-bonding type bond >/dev/null 2>&1
+#[ -n "$(uname -r | grep '6.1')" ] && {
+#	stap -g /usr/share/systemtap-mptcp/mptcp-app.stap 2>&1 &
+#}
+
+gre_tunnels="$(jq -c '.gre_tunnels' /etc/openmptcprouter-vps-admin/omr-admin-config.json)"
+lan_routes="$(jq -c '.lan_routes' /etc/openmptcprouter-vps-admin/omr-admin-config.json)"
+
+while true; do
+	_glorytun_udp
+	_glorytun_tcp
+	_shadowsocks
+	_shadowsocks_go
+	_xray
+	_v2ray
+	_dsvpn
+	_wireguard
+	_multipath
+	_omr_api
+	[ "$lan_routes" != "false" ] && _lan_route
+	[ "$gre_tunnels" != "false" ] && _gre_tunnels
+	_openvpn_bonding
+	_vpn1
+	sleep 10
+done

omr-test-speed

@@ -0,0 +1,55 @@
+#!/bin/sh
+# vim: set noexpandtab tabstop=4 shiftwidth=4 softtabstop=4 :
+HETZNER=false
+if [ "$1" = "hetzner" ]; then
+	HETZNER=true
+	INTERFACE="$2"
+else
+	INTERFACE="$1"
+fi
+
+[ -n "$INTERFACE" ] && [ ! -d "/sys/class/net/$INTERFACE" ] && {
+	echo "You must use a real interface. You wan find them using 'ip a' for example"
+	exit 0
+}
+
+if [ "$HETZNER" = false ]; then
+	echo "Select best test server..."
+	HOSTLST="http://speedtest.frankfurt.linode.com/garbage.php?ckSize=10000 http://speedtest.tokyo2.linode.com/garbage.php?ckSize=10000 http://speedtest.singapore.linode.com/garbage.php?ckSize=10000 http://speedtest.newark.linode.com/garbage.php?ckSize=10000 http://speedtest.atlanta.linode.com/garbage.php?ckSize=10000 http://speedtest.dallas.linode.com/garbage.php?ckSize=10000 http://speedtest.fremont.linode.com/garbage.php?ckSize=10000 http://speedtest.tele2.net/1000GB.zip https://speed.hetzner.de/10GB.bin http://ipv4.bouygues.testdebit.info/10G.iso http://par.download.datapacket.com/10000mb.bin http://nyc.download.datapacket.com/10000mb.bin http://ams.download.datapacket.com/10000mb.bin http://fra.download.datapacket.com/10000mb.bin http://lon.download.datapacket.com/10000mb.bin http://mad.download.datapacket.com/10000mb.bin http://prg.download.datapacket.com/10000mb.bin http://sto.download.datapacket.com/10000mb.bin http://vie.download.datapacket.com/10000mb.bin http://war.download.datapacket.com/10000mb.bin http://atl.download.datapacket.com/10000mb.bin http://chi.download.datapacket.com/10000mb.bin http://lax.download.datapacket.com/10000mb.bin http://mia.download.datapacket.com/10000mb.bin http://nyc.download.datapacket.com/10000mb.bin"
+	bestping="9999"
+	for pinghost in $HOSTLST; do
+		domain=$(echo $pinghost | awk -F/ '{print $3}')
+		if [ -z "$INTERFACE" ]; then
+			ping=$(ping -c1 -w2 $domain | cut -d "/" -s -f5 | cut -d "." -f1)
+		else
+			ping=$(ping -c1 -w2 -I $INTERFACE -B $domain | cut -d "/" -s -f5 | cut -d "." -f1)
+		fi
+		echo "host: $domain - ping: $ping"
+		if [ -n "$ping" ] && [ "$ping" -lt "$bestping" ]; then
+			bestping=$ping
+			HOST=$pinghost
+		fi
+	done
+fi
+
+[ -z "$HOST" ] && HOST="https://speed.hetzner.de/10GB.bin"
+
+echo "Best server is $HOST, running test:"
+trap : HUP INT TERM
+if [ -z "$INTERFACE" ]; then
+	curl -4 -o /dev/null $HOST || echo
+else
+	domain=$(echo $HOST | awk -F/ '{print $3}')
+	hostip=$(dig +nocmd +noall +answer A $domain | grep -v CNAME | awk '{print $5}' | tr '\n' ' ')
+	if [ -n "$(ipset list 2>/dev/null | grep ss_rules)" ]; then
+		for ip in $hostip; do
+			ipset add ss_rules_dst_bypass_all $ip
+		done
+	fi
+	curl -4 -o /dev/null --interface $INTERFACE $HOST || echo
+	if [ -n "$(ipset list 2>/dev/null | grep ss_rules)" ]; then
+		for ip in $hostip; do
+			ipset del ss_rules_dst_bypass_all $ip
+		done
+	fi
+fi

omr-test-speedv6

@@ -0,0 +1,56 @@
+#!/bin/sh
+# vim: set noexpandtab tabstop=4 shiftwidth=4 softtabstop=4 :
+HETZNER=false
+if [ "$1" = "hetzner" ]; then
+	HETZNER=true
+	INTERFACE="$2"
+else
+	INTERFACE="$1"
+fi
+
+[ -n "$INTERFACE" ] && [ ! -d "/sys/class/net/$INTERFACE" ] && {
+	echo "You must use a real interface. You wan find them using 'ip a' for example"
+	exit 0
+}
+
+
+if [ "$HETZNER" = false ]; then
+	echo "Select best test server..."
+	HOSTLST="http://speedtest.frankfurt.linode.com/garbage.php?ckSize=10000 http://speedtest.tokyo2.linode.com/garbage.php?ckSize=10000 http://speedtest.singapore.linode.com/garbage.php?ckSize=10000 http://speedtest.newark.linode.com/garbage.php?ckSize=10000 http://speedtest.atlanta.linode.com/garbage.php?ckSize=10000 http://speedtest.dallas.linode.com/garbage.php?ckSize=10000 http://speedtest.fremont.linode.com/garbage.php?ckSize=10000 http://speedtest.tele2.net/1000GB.zip https://speed.hetzner.de/10GB.bin http://ipv6.bouygues.testdebit.info/10G.iso http://par.download.datapacket.com/10000mb.bin http://nyc.download.datapacket.com/10000mb.bin http://ams.download.datapacket.com/10000mb.bin http://fra.download.datapacket.com/10000mb.bin http://lon.download.datapacket.com/10000mb.bin http://mad.download.datapacket.com/10000mb.bin http://prg.download.datapacket.com/10000mb.bin http://sto.download.datapacket.com/10000mb.bin http://vie.download.datapacket.com/10000mb.bin http://war.download.datapacket.com/10000mb.bin http://atl.download.datapacket.com/10000mb.bin http://chi.download.datapacket.com/10000mb.bin http://lax.download.datapacket.com/10000mb.bin http://mia.download.datapacket.com/10000mb.bin http://nyc.download.datapacket.com/10000mb.bin"
+	bestping="9999"
+	for pinghost in $HOSTLST; do
+		domain=$(echo $pinghost | awk -F/ '{print $3}')
+		if [ -z "$INTERFACE" ]; then
+			ping=$(ping -6 -c1 -w2 $domain | cut -d "/" -s -f5 | cut -d "." -f1)
+		else
+			ping=$(ping -6 -c1 -w2 -I $INTERFACE -B $domain | cut -d "/" -s -f5 | cut -d "." -f1)
+		fi
+		echo "host: $domain - ping: $ping"
+		if [ -n "$ping" ] && [ "$ping" -lt "$bestping" ]; then
+			bestping=$ping
+			HOST=$pinghost
+		fi
+	done
+fi
+
+[ -z "$HOST" ] && HOST="https://speed.hetzner.de/10GB.bin"
+
+echo "Best server is $HOST, running test:"
+trap : HUP INT TERM
+if [ -z "$INTERFACE" ]; then
+	curl -6 $HOST >/dev/null || echo
+else
+	domain=$(echo $HOST | awk -F/ '{print $3}')
+	hostip=$(dig +nocmd +noall +answer AAAA $domain | grep -v CNAME | awk '{print $5}' | tr '\n' ' ')
+	if [ -n "$(ipset list 2>/dev/null | grep ss_rules6)" ]; then
+		for ip in $hostip; do
+			ipset add ss_rules6_dst_bypass_all $ip
+		done
+	fi
+	curl -6 --interface $INTERFACE $HOST >/dev/null || echo
+	if [ -n "$(ipset list 2>/dev/null | grep ss_rules6)" ]; then
+		for ip in $hostip; do
+			ipset del ss_rules6_dst_bypass_all $ip
+		done
+	fi
+fi

omr-update

@@ -0,0 +1,11 @@
+#!/bin/sh
+if [ -f /etc/openmptcprouter-vps-admin/update ]; then
+        wget -O - http://www.openmptcprouter.com/server/debian.sh | sh
+        rm -f /etc/openmptcprouter-vps-admin/update
+        reboot
+fi
+if [ -f /etc/openmptcprouter-vps-admin/update-bin ]; then
+        LOCALFILES=yes SOURCES=yes REINSTALL=no /usr/share/omr-server/debian9-x86_64.sh
+        rm -f /etc/openmptcprouter-vps-admin/update-bin
+        #reboot
+fi

omr-update.service.in

@@ -0,0 +1,15 @@
+[Unit]
+Description=OMR Update
+After=network.target network-online.target
+
+[Service]
+Type=simple
+Restart=no
+ExecStart=/usr/bin/omr-update
+#ExecStart=/usr/share/omr-server/debian9-x86_64.sh
+AmbientCapabilities=
+StandardOutput=file:/var/log/omr-update.log
+StandardError=file:/var/log/omr-update.log
+
+[Install]
+WantedBy=multi-user.target

omr.service.in

@@ -1,12 +1,12 @@
 [Unit]
-Description=OMR-6in4
-After=network.target network-online.target glorytun-tcp@.service
+Description=OMR
+After=network.target network-online.target glorytun-tcp@.service glorytun-udp@.service shorewall.service
 
 [Service]
 Type=simple
 Restart=always
-ExecStart=/usr/local/bin/omr-6in4-service
-ExecStop=/usr/local/bin/omr-6in4-service stop
+ExecStart=/usr/local/bin/omr-service
+KillSignal=9
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
 
 [Install]

omr6in4@.service.in

@@ -0,0 +1,12 @@
+[Unit]
+Description=OMR6IN4 on %I
+After=network.target network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/omr-6in4-run start /etc/openmptcprouter-vps-admin/omr-6in4/%i
+RemainAfterExit=true
+ExecStop=/usr/local/bin/omr-6in4-run stop /etc/openmptcprouter-vps-admin/omr-6in4/%i
+
+[Install]
+WantedBy=multi-user.target

openvpn-bonding1.conf

@@ -0,0 +1,18 @@
+dev ovpnbonding1
+dev-type tap
+cipher AES-256-CBC
+proto udp
+proto udp6
+port 65351
+persist-tun
+persist-key
+reneg-sec 0
+verb 3
+ca /etc/openvpn/ca/pki/ca.crt
+cert /etc/openvpn/ca/pki/issued/server.crt
+key /etc/openvpn/ca/pki/private/server.key
+dh /etc/openvpn/server/dh2048.pem
+crl-verify /etc/openvpn/ca/pki/crl.pem
+keepalive 100 2400
+mode server
+tls-server

openvpn-bonding2.conf

@@ -0,0 +1,18 @@
+dev ovpnbonding2
+dev-type tap
+cipher AES-256-CBC
+proto udp
+proto udp6
+port 65352
+persist-tun
+persist-key
+reneg-sec 0
+verb 3
+ca /etc/openvpn/ca/pki/ca.crt
+cert /etc/openvpn/ca/pki/issued/server.crt
+key /etc/openvpn/ca/pki/private/server.key
+dh /etc/openvpn/server/dh2048.pem
+crl-verify /etc/openvpn/ca/pki/crl.pem
+keepalive 100 2400
+mode server
+tls-server

openvpn-bonding3.conf

@@ -0,0 +1,18 @@
+dev ovpnbonding3
+dev-type tap
+cipher AES-256-CBC
+proto udp
+proto udp6
+port 65353
+persist-tun
+persist-key
+reneg-sec 0
+verb 3
+ca /etc/openvpn/ca/pki/ca.crt
+cert /etc/openvpn/ca/pki/issued/server.crt
+key /etc/openvpn/ca/pki/private/server.key
+dh /etc/openvpn/server/dh2048.pem
+crl-verify /etc/openvpn/ca/pki/crl.pem
+keepalive 100 2400
+mode server
+tls-server

openvpn-bonding4.conf

@@ -0,0 +1,18 @@
+dev ovpnbonding4
+dev-type tap
+cipher AES-256-CBC
+proto udp
+proto udp6
+port 65354
+persist-tun
+persist-key
+reneg-sec 0
+verb 3
+ca /etc/openvpn/ca/pki/ca.crt
+cert /etc/openvpn/ca/pki/issued/server.crt
+key /etc/openvpn/ca/pki/private/server.key
+dh /etc/openvpn/server/dh2048.pem
+crl-verify /etc/openvpn/ca/pki/crl.pem
+keepalive 100 2400
+mode server
+tls-server

openvpn-bonding5.conf

@@ -0,0 +1,18 @@
+dev ovpnbonding5
+dev-type tap
+cipher AES-256-CBC
+proto udp
+proto udp6
+port 65355
+persist-tun
+persist-key
+reneg-sec 0
+verb 3
+ca /etc/openvpn/ca/pki/ca.crt
+cert /etc/openvpn/ca/pki/issued/server.crt
+key /etc/openvpn/ca/pki/private/server.key
+dh /etc/openvpn/server/dh2048.pem
+crl-verify /etc/openvpn/ca/pki/crl.pem
+keepalive 100 2400
+mode server
+tls-server

openvpn-bonding6.conf

@@ -0,0 +1,18 @@
+dev ovpnbonding6
+dev-type tap
+cipher AES-256-CBC
+proto udp
+proto udp6
+port 65356
+persist-tun
+persist-key
+reneg-sec 0
+verb 3
+ca /etc/openvpn/ca/pki/ca.crt
+cert /etc/openvpn/ca/pki/issued/server.crt
+key /etc/openvpn/ca/pki/private/server.key
+dh /etc/openvpn/server/dh2048.pem
+crl-verify /etc/openvpn/ca/pki/crl.pem
+keepalive 100 2400
+mode server
+tls-server

openvpn-bonding7.conf

@@ -0,0 +1,18 @@
+dev ovpnbonding7
+dev-type tap
+cipher AES-256-CBC
+proto udp
+proto udp6
+port 65357
+persist-tun
+persist-key
+reneg-sec 0
+verb 3
+ca /etc/openvpn/ca/pki/ca.crt
+cert /etc/openvpn/ca/pki/issued/server.crt
+key /etc/openvpn/ca/pki/private/server.key
+dh /etc/openvpn/server/dh2048.pem
+crl-verify /etc/openvpn/ca/pki/crl.pem
+keepalive 100 2400
+mode server
+tls-server

openvpn-bonding8.conf

@@ -0,0 +1,18 @@
+dev ovpnbonding8
+dev-type tap
+cipher AES-256-CBC
+proto udp
+proto udp6
+port 65358
+persist-tun
+persist-key
+reneg-sec 0
+verb 3
+ca /etc/openvpn/ca/pki/ca.crt
+cert /etc/openvpn/ca/pki/issued/server.crt
+key /etc/openvpn/ca/pki/private/server.key
+dh /etc/openvpn/server/dh2048.pem
+crl-verify /etc/openvpn/ca/pki/crl.pem
+keepalive 100 2400
+mode server
+tls-server

openvpn-tun0.6.1.conf

@@ -0,0 +1,34 @@
+topology subnet
+dev tun0
+user nobody
+group nogroup
+data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
+disable-dco
+proto tcp-server
+proto tcp6-server
+port 65301
+persist-tun
+persist-key
+duplicate-cn
+verb 3
+server 10.255.252.0 255.255.255.0
+ca /etc/openvpn/ca/pki/ca.crt
+cert /etc/openvpn/ca/pki/issued/server.crt
+key /etc/openvpn/ca/pki/private/server.key
+dh /etc/openvpn/server/dh2048.pem
+crl-verify /etc/openvpn/ca/pki/crl.pem
+keepalive 10 240
+txqueuelen 1000
+sndbuf 262144
+push "sndbuf 262144"
+rcvbuf 262144
+push "rcvbuf 262144"
+tun-mtu 1420
+tls-server
+tls-version-min 1.2
+#push "route 10.255.252.1 255.255.255.255"
+client-config-dir ccd
+ifconfig-pool-persist ccd/ipp_tcp.txt
+passtos
+management 127.0.0.1 65302
+tcp-nodelay

openvpn-tun0.conf

@@ -1,9 +1,29 @@
-dev tun
-secret /etc/openvpn/server/static.key
+dev tun0
+user nobody
+group nogroup
 cipher AES-256-CBC
-compress lz4
-proto tcp-server
+proto tcp
 port 65301
 persist-tun
 persist-key
-
+reneg-sec 0
+duplicate-cn
+verb 3
+server 10.255.252.0 255.255.255.0
+ca /etc/openvpn/ca/pki/ca.crt
+cert /etc/openvpn/ca/pki/issued/server.crt
+key /etc/openvpn/ca/pki/private/server.key
+dh /etc/openvpn/server/dh2048.pem
+crl-verify /etc/openvpn/ca/pki/crl.pem
+keepalive 10 240
+sndbuf 0
+rcvbuf 0
+txqueuelen 2000
+tun-mtu 1400
+mssfix 1360
+tls-server
+tls-version-min 1.2
+#compress lzo
+#push "route 10.255.252.1 255.255.255.255"
+client-config-dir ccd
+management localhost 65302

openvpn-tun1.6.1.conf

@@ -0,0 +1,30 @@
+topology subnet
+dev tun1
+data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
+proto udp
+proto udp6
+port 65301
+persist-tun
+persist-key
+duplicate-cn
+verb 3
+server 10.255.250.0 255.255.255.0
+ca /etc/openvpn/ca/pki/ca.crt
+cert /etc/openvpn/ca/pki/issued/server.crt
+key /etc/openvpn/ca/pki/private/server.key
+dh /etc/openvpn/server/dh2048.pem
+crl-verify /etc/openvpn/ca/pki/crl.pem
+keepalive 10 240
+txqueuelen 1000
+sndbuf 262144
+push "sndbuf 262144"
+rcvbuf 262144
+push "rcvbuf 262144"
+tun-mtu 1420
+tls-server
+tls-version-min 1.2
+push "route 10.255.250.1 255.255.255.255"
+#client-config-dir ccd
+#ifconfig-pool-persist ccd/ipp_udp.txt
+#fast-io
+passtos

openvpn-tun1.conf

@@ -0,0 +1,18 @@
+dev tun1
+cipher AES-256-CBC
+proto udp
+port 65301
+persist-tun
+persist-key
+reneg-sec 0
+duplicate-cn
+#ncp-disable
+#mssfix 1300
+verb 3
+server 10.255.250.0 255.255.255.0
+ca /etc/openvpn/ca/pki/ca.crt
+cert /etc/openvpn/ca/pki/issued/server.crt
+key /etc/openvpn/ca/pki/private/server.key
+dh /etc/openvpn/server/dh2048.pem
+crl-verify /etc/openvpn/ca/pki/crl.pem
+keepalive 10 240

openvpn.network

@@ -1,5 +1,5 @@
 [Match]
-Name=tun*
+Name=tun0
 
 [Network]
 Description=OpenVPN tunnel
@@ -9,7 +9,7 @@ IPMasquerade=yes
 
 [DHCPServer]
 PoolOffset=2
-PoolSize=1
+PoolSize=50
 EmitDNS=no
 EmitNTP=no
 DNS=9.9.9.9

shadowsocks-go.server.json

@@ -0,0 +1,37 @@
+{
+    "servers": [
+        {
+            "name": "ss-2022",
+            "protocol": "2022-blake3-aes-256-gcm",
+            "tcpListeners": [
+            {
+                "network": "tcp",
+                "address": ":65280",
+                "fastOpen": false,
+                "reusePort": false,
+                "multipath": true
+            }
+            ],
+            "enableTCP": true,
+            "listenerTFO": true,
+            "enableUDP": true,
+            "mtu": 1500,
+            "psk": "PSK",
+            "uPSKStorePath": "/etc/shadowsocks-go/upsks.json"
+        }
+    ],
+    "stats": {
+        "enabled": true
+    },
+    "api": {
+        "enabled": true,
+        "debugPprof": false,
+        "trustedProxies": [],
+        "listeners": [
+        {
+                "network": "tcp",
+                "address": "127.0.0.1:65279"
+        }
+        ]
+    }
+}

shadowsocks-libev-manager@.service.in

@@ -0,0 +1,15 @@
+[Unit]
+Description=Shadowsocks-Libev Custom Manager Service for %I
+After=network-online.target
+
+[Service]
+Type=simple
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+LimitNOFILE=99999
+LimitNPROC=99999
+ExecStart=/usr/bin/ss-manager -c /etc/shadowsocks-libev/%i.json --manager-address 127.0.0.1:8839
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

shadowsocks.6.1.conf

@@ -0,0 +1,77 @@
+# local sysctl settings can be stored in this directory
+# max open files
+fs.file-max = 512000
+# max read buffer
+net.core.rmem_max = 7500000
+# max write buffer
+net.core.wmem_max = 7500000
+#net.core.optmem_max = 33554432
+# default read buffer
+#net.core.rmem_default = 16777216
+# default write buffer
+#net.core.wmem_default = 16777216
+# max processor input queue
+net.core.netdev_max_backlog = 10000
+# max backlog
+net.core.somaxconn = 16384
+
+# resist SYN flood attacks
+net.ipv4.tcp_syncookies = 1
+# reuse timewait sockets when safe
+net.ipv4.tcp_tw_reuse = 1
+# turn off fast timewait sockets recycling
+#net.ipv4.tcp_tw_recycle = 0
+# short FIN timeout
+net.ipv4.tcp_fin_timeout = 30
+# Increase max orphans
+net.ipv4.tcp_max_orphans = 16384
+# short keepalive time
+net.ipv4.tcp_keepalive_time = 7200
+# outbound port range
+net.ipv4.ip_local_port_range = 9999 65000
+# max SYN backlog
+net.ipv4.tcp_max_syn_backlog = 4096
+# max timewait sockets held by system simultaneously
+net.ipv4.tcp_max_tw_buckets = 16384
+# turn on TCP Fast Open on both client and server side
+net.ipv4.tcp_fastopen = 3
+# TCP buffer
+net.ipv4.tcp_mem = 409600 819200 1638400
+# UDP buffer
+net.ipv4.udp_mem = 4096 87380 16777216
+# TCP receive buffer
+net.ipv4.tcp_rmem = 4096 87380 16777216
+# TCP write buffer
+net.ipv4.tcp_wmem = 4096 87380 16777216
+# turn on path MTU discovery
+net.ipv4.tcp_mtu_probing = 0
+# 1/8 * available memory in receive buffer
+net.ipv4.tcp_adv_win_scale=-3
+# limits the size of unsent bytes in the write queue
+net.ipv4.tcp_notsent_lowat = 131072
+
+# for low-latency network, use cubic instead
+net.core.default_qdisc = fq
+# Default conntrack is too small
+net.netfilter.nf_conntrack_max = 524288
+net.netfilter.nf_conntrack_buckets=131072
+net.netfilter.nf_conntrack_tcp_timeout_established = 86400
+
+net.ipv4.conf.all.log_martians = 0
+net.ipv4.conf.default.log_martians = 0
+
+# MPTCP settings
+net.ipv4.tcp_ecn = 2
+net.mptcp.checksum_enabled = 0
+net.mptcp.add_addr_timeout = 120
+net.mptcp.allow_join_initial_addr_port = 1
+net.mptcp.enabled = 1
+net.mptcp.pm_type = 0
+net.mptcp.stale_loss_cnt = 4
+net.mptcp.mptcp_checksum=0
+net.mptcp.mptcp_path_manager=fullmesh
+net.mptcp.mptcp_scheduler=mptcp_burst
+net.mptcp.mptcp_syn_retries=4
+net.mptcp.mptcp_version=1
+net.mptcp.checksum_enabled=0
+net.ipv4.tcp_congestion_control=bbr

shadowsocks.conf

@@ -2,13 +2,14 @@
 # max open files
 fs.file-max = 512000
 # max read buffer
-net.core.rmem_max = 134217728
+net.core.rmem_max = 67108864
 # max write buffer
-net.core.wmem_max = 134217728
+net.core.wmem_max = 67108864
+net.core.optmem_max = 33554432
 # default read buffer
-net.core.rmem_default = 65536
+net.core.rmem_default = 131072
 # default write buffer
-net.core.wmem_default = 65536
+net.core.wmem_default = 131072
 # max processor input queue
 net.core.netdev_max_backlog = 4096
 # max backlog
@@ -19,34 +20,45 @@ net.ipv4.tcp_syncookies = 1
 # reuse timewait sockets when safe
 net.ipv4.tcp_tw_reuse = 1
 # turn off fast timewait sockets recycling
-net.ipv4.tcp_tw_recycle = 0
+#net.ipv4.tcp_tw_recycle = 0
 # short FIN timeout
-net.ipv4.tcp_fin_timeout = 20
+net.ipv4.tcp_fin_timeout = 30
+# Increase max orphans
+net.ipv4.tcp_max_orphans = 16384
 # short keepalive time
-net.ipv4.tcp_keepalive_time = 1200
+net.ipv4.tcp_keepalive_time = 7200
 # outbound port range
-net.ipv4.ip_local_port_range = 10000 65000
+net.ipv4.ip_local_port_range = 9999 65000
 # max SYN backlog
-net.ipv4.tcp_max_syn_backlog = 4096
+net.ipv4.tcp_max_syn_backlog = 10240
 # max timewait sockets held by system simultaneously
 net.ipv4.tcp_max_tw_buckets = 10000
 # turn on TCP Fast Open on both client and server side
 net.ipv4.tcp_fastopen = 3
 # TCP buffer
-net.ipv4.tcp_mem = 134217728 134277728 134217728
+net.ipv4.tcp_mem = 8092 131072 67108864
+# UDP buffer
+net.ipv4.udp_mem = 8092 131072 67108864
 # TCP receive buffer
-net.ipv4.tcp_rmem = 4096 87380 134217728
+net.ipv4.tcp_rmem = 4096 87380 33554432
 # TCP write buffer
-net.ipv4.tcp_wmem = 4096 87380 134217728
+net.ipv4.tcp_wmem = 4096 65536 33554432
 # turn on path MTU discovery
 net.ipv4.tcp_mtu_probing = 0
 
 # for low-latency network, use cubic instead
-net.ipv4.tcp_congestion_control = olia
-
+net.ipv4.tcp_congestion_control = bbr
+net.core.default_qdisc = fq
 # Default conntrack is too small
-net.netfilter.nf_conntrack_max = 131072
+net.netfilter.nf_conntrack_max = 524288
+net.netfilter.nf_conntrack_buckets=131072
+net.netfilter.nf_conntrack_tcp_timeout_established = 86400
+
+net.ipv4.conf.all.log_martians = 0
+net.ipv4.conf.default.log_martians = 0
 
 # MPTCP settings
 net.mptcp.mptcp_checksum = 0
-net.mptcp.mptcp_syn_retries = 20
+net.mptcp.mptcp_syn_retries = 4
+net.mptcp.mptcp_scheduler = blest
+net.ipv4.tcp_ecn = 2

shorewall4/interfaces

@@ -14,9 +14,13 @@
 ?FORMAT 2
 ###############################################################################
 #ZONE   INTERFACE       OPTIONS
-net	eth0		dhcp,tcpflags,routefilter,nosmurfs,logmartians,sourceroute=0
-vpn	gt-tun0		nosmurfs,routefilter,logmartians,tcpflags
-vpn	gt-udp-tun0	nosmurfs,routefilter,logmartians,tcpflags
-vpn	mlvpn0		nosmurfs,routefilter,logmartians,tcpflags
-vpn	tun0		nosmurfs,routefilter,logmartians,tcpflags
-
+net	$NET_IFACE	dhcp,tcpflags,routefilter,nosmurfs,sourceroute=0
+vpn	gt-tun+		nosmurfs,tcpflags
+vpn	gt-udp-tun+	nosmurfs,tcpflags
+vpn	mlvpn+		nosmurfs,tcpflags
+vpn	tun+		nosmurfs,tcpflags
+vpn	wg+		nosmurfs,tcpflags
+vpncl	client-wg+	nosmurfs,tcpflags
+vpn	dsvpn+		nosmurfs,tcpflags
+vpn	gre-user+	nosmurfs,tcpflags
+vpn	omr-bonding	nosmurfs,tcpflags

shorewall4/params

@@ -22,4 +22,5 @@
 #	net	eth0		130.252.100.255	routefilter,norfc1918
 #
 ###############################################################################
+INCLUDE params.net
 INCLUDE params.vpn

shorewall4/params.net

@@ -0,0 +1 @@
+NET_IFACE=eth0

shorewall4/params.vpn

@@ -1,3 +1,3 @@
-VPS_ADDR=10.255.255.1
-OMR_ADDR=10.255.255.2
-VPS_IFACE=gt-tun0
+VPS_ADDR=10.255.252.1
+OMR_ADDR=10.255.252.2
+VPS_IFACE=tun0

shorewall4/policy

@@ -17,7 +17,10 @@ vpn             net             ACCEPT
 vpn             fw             ACCEPT
 fw              vpn             ACCEPT
 fw              net             ACCEPT
-net             all             DROP            info
+net             all             DROP
+vpn		vpn		DROP
+vpncl		vpn		ACCEPT
+vpn		vpncl		ACCEPT
 # THE FOLLOWING POLICY MUST BE LAST
-all             all             REJECT          info
+all		all		REJECT
 

shorewall4/shorewall.conf

@@ -39,7 +39,7 @@ INVALID_LOG_LEVEL=
 
 LOG_BACKEND=
 
-LOG_MARTIANS=Yes
+LOG_MARTIANS=No
 
 LOG_VERBOSITY=2
 
@@ -108,10 +108,11 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT=none
-DROP_DEFAULT=Drop
+BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
-REJECT_DEFAULT=Reject
+REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################
 #			 R S H / R C P	C O M M A N D S
@@ -144,17 +145,17 @@ BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
 
-CHAIN_SCRIPTS=Yes
+#CHAIN_SCRIPTS=Yes
 
 CLAMPMSS=No
 
-CLEAR_TC=Yes
+CLEAR_TC=No
 
 COMPLETE=No
 
 DEFER_DNS_RESOLUTION=Yes
 
-DELETE_THEN_ADD=Yes
+DELETE_THEN_ADD=No
 
 DETECT_DNAT_IPADDRS=No
 
@@ -180,7 +181,7 @@ IGNOREUNKNOWNVARIABLES=No
 
 IMPLICIT_CONTINUE=No
 
-INLINE_MATCHES=No
+#INLINE_MATCHES=No
 
 IPSET_WARNINGS=Yes
 
@@ -188,7 +189,7 @@ IP_FORWARDING=On
 
 KEEP_RT_TABLES=No
 
-LOAD_HELPERS_ONLY=Yes
+#LOAD_HELPERS_ONLY=Yes
 
 MACLIST_TABLE=filter
 
@@ -196,13 +197,13 @@ MACLIST_TTL=
 
 MANGLE_ENABLED=Yes
 
-MAPOLDACTIONS=No
+#MAPOLDACTIONS=No
 
 MARK_IN_FORWARD_CHAIN=No
 
 MINIUPNPD=No
 
-MODULE_SUFFIX=ko
+#MODULE_SUFFIX=ko
 
 MULTICAST=No
 
@@ -232,7 +233,7 @@ SAVE_ARPTABLES=No
 
 SAVE_IPSETS=No
 
-TC_ENABLED=Internal
+TC_ENABLED=No
 
 TC_EXPERT=No
 

shorewall4/snat

@@ -15,9 +15,16 @@
 ###########################################################################################################################################
 #ACTION			SOURCE			DEST            PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
 #
-MASQUERADE		10.0.0.0/8,\
+MASQUERADE		10.255.247.0/24,\
+			10.255.248.0/24,\
+			10.255.250.0/24,\
+			10.255.251.0/24,\
+			10.255.252.0/24,\
+			10.255.253.0/24,\
+			10.255.254.0/24,\
+			10.255.255.0/24,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
-			192.168.0.0/16		eth0
+			192.168.0.0/16		$NET_IFACE
 # SNAT from VPN server for all VPN clients
 #SNAT($VPS_ADDR)		0.0.0.0/0		$VPS_IFACE

shorewall4/stoppedrules

@@ -13,12 +13,18 @@
 ###############################################################################
 #ACTION         SOURCE          DEST            PROTO   DEST            SOURCE
 #                                                       PORT(S)         PORT(S)
-ACCEPT          gt-tun0         -
-ACCEPT          -               gt-tun0
-ACCEPT          gt-udp-tun0     -
-ACCEPT          -               gt-udp-tun0
-ACCEPT          mlvpn0		-
-ACCEPT          -               mlvpn0
-ACCEPT          tun0		-
-ACCEPT          -               tun0
+ACCEPT          gt-tun+         -
+ACCEPT          -               gt-tun+
+ACCEPT          gt-udp-tun+     -
+ACCEPT          -               gt-udp-tun+
+ACCEPT          mlvpn+		-
+ACCEPT          -               mlvpn+
+ACCEPT          dsvpn+		-
+ACCEPT          -               dsvpn+
+ACCEPT          tun+		-
+ACCEPT          -               tun+
+ACCEPT          wg+		-
+ACCEPT          -               wg+
+ACCEPT          client-wg+	-
+ACCEPT          -               client-wg+
 

shorewall4/tcinterfaces

@@ -0,0 +1,3 @@
+#INTERFACE             TYPE          IN-BANDWIDTH        OUT-BANDWIDTH
+$NET_IFACE		External
+#$VPS_IFACE		Internal

shorewall4/zones

@@ -16,4 +16,5 @@
 fw      firewall
 net     ipv4
 vpn     ipv4
+vpncl   ipv4
 

shorewall6/interfaces

@@ -14,6 +14,6 @@
 ?FORMAT 2
 ###############################################################################
 #ZONE   INTERFACE       OPTIONS
-net	eth0            dhcp,tcpflags,rpfilter,forward=1
-vpn	omr-6in4        tcpflags,forward=1
+net	$NET_IFACE            dhcp,tcpflags,rpfilter,forward=1,routeback
+vpn	omr-6in4-user+        tcpflags,forward=1,routeback
 

shorewall6/params

@@ -21,3 +21,5 @@
 #	net	eth0		-	dhcp,nosmurfs
 #
 ###############################################################################
+INCLUDE params.net
+INCLUDE params.vpn

shorewall6/params.net

@@ -0,0 +1 @@
+NET_IFACE=eth0

shorewall6/params.vpn

@@ -0,0 +1 @@
+OMR_ADDR=fe80::a00:2

shorewall6/policy

@@ -13,9 +13,9 @@
 ###############################################################################
 #SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
 
-vpn             all             ACCEPT		info
+vpn             all             ACCEPT
 fw              all             ACCEPT
-net             all             DROP            info
+net             all             DROP
 # THE FOLLOWING POLICY MUST BE LAST
-all             all             REJECT          info
+all             all             REJECT
 

shorewall6/rules

@@ -30,18 +30,18 @@ DNS(ACCEPT)     $FW             net
 #
 #       Allow Ping from/to the VPN
 #
-Ping(ACCEPT)    vpn             $FW
-Ping(ACCEPT)    vpn             net
-Ping(ACCEPT)    $FW             vpn
+ACCEPT		vpn		$FW		ipv6-icmp
+ACCEPT		vpn		net		ipv6-icmp
+ACCEPT		$FW		vpn		ipv6-icmp
 #
 #       Allow Ping from the firewall to the network
 #
-Ping(ACCEPT)    $FW             net
+ACCEPT		$FW		net		ipv6-icmp
 #
 # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
 #
-#Ping(DROP)     net             $FW
-Ping(ACCEPT)    net             $FW
+#DROP		net             $FW		ipv6-icmp
+ACCEPT		net		$FW		ipv6-icmp
 #
 #	Accept connection from port > 65000 for shadowsocks and glorytun on the firewall
 #
@@ -54,7 +54,8 @@ ACCEPT          net             $FW             tcp     65222
 #
 #	DHCP forward to the VPN from the firewall
 #
-DHCPfwd(ACCEPT)	$FW		vpn
+ACCEPT		$FW		vpn		udp	53
+ACCEPT		vpn		net		udp	53
 #
 #	Redirect all port from 1 to 64999 to the VPN client from the network
 #

shorewall6/shorewall6.conf

@@ -105,10 +105,11 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT=none
-DROP_DEFAULT=Drop
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
-REJECT_DEFAULT=Reject
+REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 
 ###############################################################################
 #			 R S H / R C P	C O M M A N D S
@@ -137,7 +138,7 @@ BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
 
-CHAIN_SCRIPTS=Yes
+#CHAIN_SCRIPTS=Yes
 
 CLAMPMSS=No
 
@@ -167,7 +168,7 @@ IGNOREUNKNOWNVARIABLES=No
 
 IMPLICIT_CONTINUE=No
 
-INLINE_MATCHES=No
+#INLINE_MATCHES=No
 
 IPSET_WARNINGS=Yes
 
@@ -175,7 +176,7 @@ IP_FORWARDING=On
 
 KEEP_RT_TABLES=Yes
 
-LOAD_HELPERS_ONLY=Yes
+#LOAD_HELPERS_ONLY=Yes
 
 MACLIST_TABLE=filter
 

shorewall6/snat

@@ -16,6 +16,6 @@
 #ACTION			SOURCE			DEST            PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
 #
 MASQUERADE		fe80::/10,\
-			fd00::/8		eth0
+			fd00::/8		$NET_IFACE
 # SNAT from VPN server for all VPN clients
-SNAT(fe80::a00:1)		::/0		omr-6in4
+#SNAT(fe80::a00:1)		::/0		omr-6in4-user+

shorewall6/stoppedrules

@@ -13,6 +13,6 @@
 ###############################################################################
 #ACTION         SOURCE          DEST            PROTO   DEST            SOURCE
 #                                                       PORT(S)         PORT(S)
-ACCEPT		omr-6in4	-
-ACCEPT		-		omr-6in4
+#ACCEPT		omr-6in4	-
+#ACCEPT		-		omr-6in4
 

tun0.glorytun

@@ -1,6 +1,7 @@
 PORT=65001
+HOST=0.0.0.0
 DEV=tun0
 SERVER=true
 MPTCP=true
 IPV6=true
-OPTIONS="chacha20 multiqueue keepalive"
+OPTIONS="chacha20 retry count -1 const 5000000 timeout 5000 keepalive count 5 idle 20 interval 2 buffer-size 65536 multiqueue"

tun0.glorytun-udp

@@ -1,4 +1,6 @@
 BIND=0.0.0.0
 BIND_PORT=65001
+HOST=0.0.0.0
+PORT=5000
 DEV=tun0
 OPTIONS="chacha persist"

ubond.network

@@ -0,0 +1,17 @@
+[Match]
+Name=ubond*
+
+[Network]
+Description=UBOND tunnel
+Address=10.255.248.1/24
+DHCPServer=yes
+IPMasquerade=yes
+
+[DHCPServer]
+PoolOffset=2
+PoolSize=50
+EmitDNS=no
+EmitNTP=no
+DNS=9.9.9.9
+DefaultLeaseTimeSec=12h
+MaxLeaseTimeSec=24h

ubond0.conf

@@ -0,0 +1,42 @@
+[general]
+tuntap = "tun"
+mode = "server"
+interface_name = "ubond0"
+timeout = 30
+password = "UBOND_PASS"
+reorder_buffer = yes
+reorder_buffer_size = 64
+loss_tolerence = 50
+
+[wan1]
+bindport = 65251
+bindhost = "0.0.0.0"
+
+[wan2]
+bindport = 65252
+bindhost = "0.0.0.0"
+
+[wan3]
+bindport = 65253
+bindhost = "0.0.0.0"
+
+[wan4]
+bindport = 65254
+bindhost = "0.0.0.0"
+
+[wan5]
+bindport = 65255
+bindhost = "0.0.0.0"
+
+[wan6]
+bindport = 65256
+bindhost = "0.0.0.0"
+
+[wan7]
+bindport = 65257
+bindhost = "0.0.0.0"
+
+[wan8]
+bindport = 65258
+bindhost = "0.0.0.0"
+

ubond@.service.in

@@ -0,0 +1,16 @@
+[Unit]
+Description=UBOND connection to %i
+PartOf=ubond.service
+ReloadPropagatedFrom=ubond.service
+After=network.target network-online.target
+
+[Service]
+Type=notify
+NotifyAccess=main
+ExecStart=/usr/local/sbin/ubond --config /etc/ubond/%i.conf --name %i --user ubond --quiet
+ExecReload=/bin/kill -HUP $MAINPID
+WorkingDirectory=/etc/ubond
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

ubuntu18.04-x86_64.sh

@@ -0,0 +1 @@
+debian9-x86_64.sh

ubuntu19.04-x86_64.sh

@@ -0,0 +1 @@
+debian9-x86_64.sh

ubuntu20.04-x86_64.sh

@@ -0,0 +1 @@
+debian9-x86_64.sh

update-grub.sh

@@ -8,15 +8,17 @@ config_file="$(find /boot/grub* -maxdepth 1 -name grub.cfg 2>/dev/null)"
 deflt_file="$(find /etc/default \( -name grub -o -name grub2 \) 2>/dev/null)"
 [ $deflt_file ] || exit 0
 
-if [ -z "$(grep -m 1 vmlinuz $config_file | grep $kernel)" ]; then
+#if [ -z "$(grep -m 1 vmlinuz $config_file | grep $kernel)" ]; then
 	x=0
 	sed -n -e 's@\([^'\"\'']*\)['\"\'']\([^'\"\'']*\).*@\1\2@' -e '/\(menuentry\) /p' <$config_file | \
 		while IFS= read ln
 		do
 			if [ -n "$(echo $ln | grep $kernel)" ]; then
-				sed -i "s@^\(GRUB_DEFAULT=\).*@\1\"$x\"@" $deflt_file
+				x=$(expr $x - 1)
+				sed -i "s@^\(GRUB_DEFAULT=\).*@\1\"1>$x\"@" $deflt_file
+				[ -f /boot/grub/grub.cfg ] && grub-mkconfig -o /boot/grub/grub.cfg >/dev/null 2>&1
 				exit 0
 			fi
 			x=$(expr $x + 1)
 		done | sed 's@\(menuentry\) @@'
-fi
+#fi

v2ray-server.json

@@ -0,0 +1,220 @@
+{
+	"log": {
+		"loglevel": "error",
+		"error": "/tmp/v2rayError.log"
+	},
+	"transport": {
+		"tcpSettings": {},
+		"wsSettings": {},
+		"kcpSettings": {
+			"mtu": 1460,
+			"tti": 10,
+			"uplinkCapacity": 100,
+			"downlinkCapacity": 100,
+			"congestion": false,
+			"readBufferSize": 8,
+			"writeBufferSize": 8
+		}
+	},
+	"inbounds": [
+		{
+			"tag": "omrin-tunnel",
+			"port": 65228,
+			"protocol": "vless",
+			"settings": {
+				"decryption": "none",
+				"clients": [
+					{
+						"id": "V2RAY_UUID",
+						"level": 0,
+						"alterId": 0,
+						"email": "openmptcprouter"
+					}
+				]
+			},
+			"streamSettings": {
+				"sockopt": {
+					"mptcp": true,
+					"mark": 0
+				},
+				"network": "tcp",
+				"security": "tls",
+				"tlsSettings": {
+					"certificates": [
+						{
+							"certificateFile": "/etc/openvpn/ca/pki/issued/server.crt",
+							"keyFile": "/etc/openvpn/ca/pki/private/server.key"
+						}
+					]
+				}
+			}
+		},
+		{
+			"tag": "omrin-vmess-tunnel",
+			"port": 65230,
+			"protocol": "vmess",
+			"settings": {
+				"decryption": "none",
+				"clients": [
+					{
+						"id": "V2RAY_UUID",
+						"level": 0,
+						"alterId": 0,
+						"email": "openmptcprouter"
+					}
+				]
+			},
+			"streamSettings": {
+				"sockopt": {
+					"mptcp": true,
+					"mark": 0
+				},
+				"network": "tcp",
+				"security": "tls",
+				"tlsSettings": {
+					"certificates": [
+						{
+							"certificateFile": "/etc/openvpn/ca/pki/issued/server.crt",
+							"keyFile": "/etc/openvpn/ca/pki/private/server.key"
+						}
+					]
+				}
+			}
+		},
+		{
+			"tag": "omrin-socks-tunnel",
+			"port": 65231,
+			"protocol": "socks",
+			"settings": {
+				"auth": "password",
+				"accounts": [
+					{
+						"pass": "V2RAY_UUID",
+						"user": "openmptcprouter"
+					}
+				]
+			},
+			"streamSettings": {
+				"sockopt": {
+					"mptcp": true,
+					"mark": 0
+				},
+				"network": "tcp",
+				"security": "tls",
+				"tlsSettings": {
+					"certificates": [
+						{
+							"certificateFile": "/etc/openvpn/ca/pki/issued/server.crt",
+							"keyFile": "/etc/openvpn/ca/pki/private/server.key"
+						}
+					]
+				}
+			}
+		},
+		{
+			"tag": "omrin-trojan-tunnel",
+			"port": 65229,
+			"protocol": "trojan",
+			"settings": {
+				"clients": [
+					{
+						"password": "V2RAY_UUID",
+						"email": "openmptcprouter",
+						"level": 0
+					}
+				]
+			},
+			"streamSettings": {
+				"sockopt": {
+					"mptcp": true,
+					"mark": 0
+				},
+				"network": "tcp",
+				"security": "tls",
+				"tlsSettings": {
+				"certificates": [
+						{
+							"certificateFile": "/etc/openvpn/ca/pki/issued/server.crt",
+							"keyFile": "/etc/openvpn/ca/pki/private/server.key"
+						}
+					]
+				}
+			}
+		},
+		{
+			"listen": "127.0.0.1",
+			"port": 10085,
+			"protocol": "dokodemo-door",
+			"settings": {
+				"address": "127.0.0.1"
+			},
+			"tag": "api"
+		}
+	],
+	"outbounds": [
+		{
+			"protocol": "freedom",
+			"settings": {
+				"userLevel": 0
+			},
+			"tag": "direct"
+		}
+	],
+	"routing": {
+		"rules": [
+			{
+				"type": "field",
+				"inboundTag": [
+					"omrin-tunnel",
+					"omrin-vmess-tunnel",
+					"omrin-socks-tunnel",
+					"omrin-trojan-tunnel"
+				],
+				"outboundTag": "OMRLan",
+				"domain": [
+					"full:omr.lan"
+				]
+			},
+			{
+				"inboundTag": [
+					"api"
+				],
+				"outboundTag": "api",
+				"type": "field"
+			}
+		]
+	},
+	"reverse": {
+		"portals": [
+			{
+				"tag": "OMRLan",
+				"domain": "omr.lan"
+			}
+		]
+	},
+	"stats": {},
+	"api": {
+		"tag": "api",
+		"services": [
+			"HandlerService",
+			"LoggerService",
+			"StatsService"
+		]
+	},
+	"policy": {
+		"levels": {
+			"0": {
+				"uplinkOnly": 0,
+				"downlinkOnly": 0,
+				"bufferSize": 512,
+				"connIdle": 2400,
+				"statsUserUplink": true,
+				"statsUserDownlink": true
+			}
+		},
+		"system": {
+			"statsInboundUplink": true,
+			"statsInboundDownlink": true
+		}
+	}
+}