authorGravatar jet tsang zeon-git <zeon-git@jettsang.com> 2021-09-01 16:48:48 +0800
committerGravatar jet tsang zeon-git <zeon-git@jettsang.com> 2021-09-01 16:48:48 +0800
commitf930b288682794a9791b8e72e8e66f509cbd0e19 (patch)
treeea48672b1c26af2a6e4cf5b36ce99d8e1b110d04 /src
reinit the project
Signed-off-by: jet tsang zeon-git <zeon-git@jettsang.com>
Diffstat (limited to 'src')
-rwxr-xr-xsrc/badvpn.sh186
-rwxr-xr-xsrc/lib.sh198
-rwxr-xr-xsrc/ssu.sh115
-rw-r--r--src/sysctl.conf46
-rwxr-xr-xsrc/wg.sh44
5 files changed, 589 insertions, 0 deletions
diff --git a/src/badvpn.sh b/src/badvpn.sh
new file mode 100755
index 0000000..056a3ad
--- /dev/null
+++ b/src/badvpn.sh
@@ -0,0 +1,186 @@
+#!/bin/bash
+LIBROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+BINPATH=$LIBROOT/../bin
+PKGPATH=$LIBROOT/../pkg
+IPLISTPATH=$LIBROOT/../iplist
+mkdir -p $PKGPATH
+DEFAULTROUTETXT=$(ip route get 114.114.114.114 | awk 'NR==1{print}')
+DEV=$(echo $DEFAULTROUTETXT | awk '{print $3}')
+DEFAULTROUTE=$(echo $DEFAULTROUTETXT | awk '{print $1}')
+
+GOTUN2SOCKS_BIN_PATH="$BINPATH/gotun2socks_$WORDSTUFFIX"
+function badvpn::install_badvpn() {
+ case $OSRELEASE in
+ ubuntu)
+ apt update
+ apt-get install -y --no-install-recommends build-essential net-tools \
+ cmake libssl-dev pkg-config libnspr4-dev libnss3-dev
+ cd $PKGPATH
+ git clone https://github.com/ambrop72/badvpn
+ cd badvpn
+ mkdir build
+ cd build
+ cmake .. -DCMAKE_INSTALL_PREFIX=/usr/local
+ make install
+ ;;
+ arch)
+ pacman -Sy --noconfirm badvpn
+ ;;
+ esac
+}
+
+function badvpn::stoptun() {
+ killall badvpn-tun2socks 2>&1 > /dev/null
+ ip tuntap del dev tun64 mode tun
+}
+
+
+function badvpn::server_badvpn() {
+ ip tuntap del dev tun88 mode tun
+ ip tuntap add dev tun88 mode tun
+ ip addr add 10.19.88.64/24 dev tun88
+ ifconfig tun88 up
+ badvpn-udpgw --listen-addr 10.19.88.64:7300 --loglevel none &
+}
+
+function badvpn::makeudptun() {
+ badvpn::stoptun
+ ip tuntap add dev tun64 mode tun
+ ip addr add 10.19.89.63/24 dev tun64
+ ip -6 addr add fd00::01:1989:0604:63/64 dev tun64
+ ifconfig tun64 up
+ ip route add 10.19.89.0/24 dev tun64
+ ip route add 10.19.88.0/24 via 10.19.89.64 dev tun64
+ badvpn-tun2socks --tundev tun64 \
+ --netif-ipaddr 10.19.89.64 \
+ --netif-ip6addr fd00::01:1989:0604:64 \
+ --netif-netmask 255.255.255.0 \
+ --socks-server-addr 127.0.0.1:10800 \
+ --udpgw-remote-server-addr 10.19.88.64:7300 \
+ --loglevel none 2>&1 > /dev/null &
+}
+
+
+function badvpn::makeudptuncustom() {
+ badvpn::stoptun
+ ip tuntap add dev tun64 mode tun
+ ip addr add 10.19.89.63/24 dev tun64
+ ip -6 addr add fd00::01:1989:0604:63/64 dev tun64
+ ifconfig tun64 up
+ ip route add 10.19.89.0/24 dev tun64
+ ip route add 10.19.88.0/24 via 10.19.89.64 dev tun64
+ badvpn-tun2socks --tundev tun64 \
+ --netif-ipaddr 10.19.89.64 \
+ --netif-ip6addr fd00::01:1989:0604:64 \
+ --netif-netmask 255.255.255.0 \
+ --socks-server-addr $1 \
+ --udpgw-remote-server-addr 10.19.88.64:7300 \
+ --loglevel none 2>&1 > /dev/null &
+}
+
+function badvpn::maketun() {
+ badvpn::stoptun
+ ip tuntap add dev tun64 mode tun
+ ip addr add 10.19.89.63/24 dev tun64
+ ip -6 addr add fd00::01:1989:0604:63/64 dev tun64
+ ifconfig tun64 up
+ route add -net 10.19.89.0/24 dev tun64
+ badvpn-tun2socks --tundev tun64 \
+ --netif-ipaddr 10.19.89.64 \
+ --netif-ip6addr fd00::01:1989:0604:64 \
+ --netif-netmask 255.255.255.0 \
+ --socks-server-addr 127.0.0.1:10800 \
+ --loglevel none 2>&1 > /dev/null &
+}
+
+function badvpn::tunroute(){
+ $GFWPATH/gfw-up6.sh tun64 fd00::01:1989:0604:64 2>&1 > /dev/null &
+ ip route delete default
+ ip route add default via 10.19.89.64 dev tun64
+}
+function badvpn::route() {
+ $GFWPATH/gfw-up.sh 10.19.89.64 2>&1 > /dev/null &
+ $GFWPATH/gfw-up6.sh tun64 fd00::01:1989:0604:64 2>&1 > /dev/null &
+}
+
+function badvpn::nogwroute() {
+ badvpn::route
+}
+
+function badvpn::sockscnroute() {
+ badvpn::maketun
+ server=$1
+ case $OSNAME in
+ Linux)
+ if [ "$DEV" != "ppp0" ]; then
+ ip route add $server via $DEFAULTROUTE > /dev/null 2>&1 > /dev/null
+ else
+ ip route add $server dev ppp0 > /dev/null 2>&1 > /dev/null
+ fi
+ ip route delete default
+ ip route add default via 10.19.89.64 dev tun64
+ for ip in $(cat $GFWPATH/iplist/cn_rules); do
+ if [ "$DEV" != "ppp0" ]; then
+ ip route add $ip via $DEFAULTROUTE > /dev/null 2>&1 > /dev/null
+ else
+ ip route add $ip dev ppp0 > /dev/null 2>&1 > /dev/null
+ fi
+ done
+ $GFWPATH/gfw-up6.sh tun64 fd00::01:1989:0604:64 2>&1 > /dev/null &
+ ;;
+ Darwin)
+ ;;
+ *)
+ exit 1
+ ;;
+ esac
+}
+function badvpn::pppcnroute() {
+ badvpn::maketun
+ server=$1
+ case $OSNAME in
+ Linux)
+ ip route add $server dev ppp0 > /dev/null 2>&1 > /dev/null
+ ip route delete deufalt > /dev/null 2>&1 > /dev/null
+ ip route add default via 10.19.89.64 dev tun64 > /dev/null 2>&1 > /dev/null
+ for ip in $(cat $GFWPATH/iplist/cn_rules); do
+ ip route add $ip dev ppp0 > /dev/null 2>&1 > /dev/null
+ done
+ $GFWPATH/gfw-up6.sh tun64 fd00::01:1989:0604:64 2>&1 > /dev/null &
+ ;;
+ Darwin)
+ ;;
+ *)
+ exit 1
+ ;;
+ esac
+}
+function badvpn::cnroute() {
+ case $OSNAME in
+ Linux)
+ for ip in $(cat $GFWPATH/iplist/cn_rules); do
+ ip route add $ip dev ppp0 > /dev/null 2>&1 > /dev/null
+ done
+ ;;
+ Darwin)
+ ;;
+ *)
+ exit 1
+ ;;
+ esac
+}
+
+function badvpn::cnroutecustom() {
+ case $OSNAME in
+ Linux)
+ for ip in $(cat $GFWPATH/iplist/cn_rules); do
+ ip route add $ip via $1 dev $2 > /dev/null 2>&1 > /dev/null
+ done
+ ;;
+ Darwin)
+ ;;
+ *)
+ exit 1
+ ;;
+ esac
+}
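Review bot: `DEFAULTROUTE` is taken from the first field of `ip route get 114.114.114.114`, which is the probed destination address rather than the gateway, and `DEV` is the third field, which is the gateway IP whenever the route has a `via` hop, so the bypass routes in badvpn::sockscnroute (`ip route add $server via $DEFAULTROUTE` and the cn_rules loop) can never be installed and the `> /dev/null 2>&1` redirects hide the RTNETLINK error. After `ip route delete default` the SOCKS server and every cn_rules prefix are therefore sent into tun64 with the rest of the traffic instead of bypassing it. Parse the fields by keyword instead: `DEV=$(ip -o route get 114.114.114.114 | awk '{for(i=1;i<=NF;i++) if($i=="dev") print $(i+1)}')` and `DEFAULTROUTE=$(ip -o route get 114.114.114.114 | awk '{for(i=1;i<=NF;i++) if($i=="via") print $(i+1)}')`. The same silenced-error pattern masks the `deufalt` typo in badvpn::pppcnroute, where the old default route survives and the tun64 default is likely rejected as already existing. badvpn::install_badvpn also runs `make install` as root on an unpinned `git clone` of upstream HEAD; checking out a known tag or commit after the clone keeps the build reproducible and reviewable.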
diff --git a/src/lib.sh b/src/lib.sh
new file mode 100755
index 0000000..2dcf236
--- /dev/null
+++ b/src/lib.sh
@@ -0,0 +1,198 @@
+#!/bin/bash
+ARCHITECTURE=$(uname -m)
+OSNAME=$(uname)
+LIBROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+IPLISTPATH=$LIBROOT/../iplist
+OSRELEASE=""
+
+case $ARCHITECTURE in
+x86_64)
+ WORDSTUFFIX="linux_amd64"
+ ;;
+armv7l)
+ WORDSTUFFIX="linux_arm7"
+ ;;
+armv6l)
+ WORDSTUFFIX="linux_arm6"
+ ;;
+aarch64)
+ WORDSTUFFIX="linux_arm7"
+ ;;
+*)
+ exit 1
+ ;;
+esac
+
+case $OSNAME in
+Linux)
+ OSRELEASE=$(source /etc/os-release && echo $ID)
+ ;;
+Darwin)
+ OSRELEASE="macos"
+ ;;
+esac
+
+function nt::iptables_clear() {
+ ip6tables -D INPUT -p tcp --tcp-flags RST RST -j DROP
+ iptables -D INPUT -p tcp --tcp-flags RST RST -j DROP
+}
+function nt::iptables_nat(){
+ sysctl -w net.ipv4.conf.all.forwarding=1
+ sysctl -w net.ipv6.conf.all.forwarding=1
+ iptables -P INPUT ACCEPT
+ iptables -P FORWARD ACCEPT
+ iptables -P OUTPUT ACCEPT
+ ip6tables -P INPUT ACCEPT
+ ip6tables -P FORWARD ACCEPT
+ ip6tables -P OUTPUT ACCEPT
+ iptables -t nat -F
+ ip6tables -t nat -F
+ iptables -t mangle -F
+ ip6tables -t mangle -F
+ iptables -F
+ iptables -X
+ ip6tables -F
+ ip6tables -X
+ iptables -t nat -A POSTROUTING -j MASQUERADE
+ #ip6tables -t nat -A POSTROUTING -j MASQUERADE
+ iptables -A FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu
+ ip6tables -A FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu
+}
+
+function nt::iptables_snat(){
+ # nt::iptables_snat 10.0.0.0/8 wan x.x.x.x
+ iptables -t nat -A POSTROUTING -s $1 -o $2 -j SNAT --to-source $3
+}
+
+function nt::ip2int()
+{
+ local a b c d
+ { IFS=. read a b c d; } <<< $1
+ echo $(((((((a << 8) | b) << 8) | c) << 8) | d))
+}
+
+function nt::int2ip()
+{
+ local ui32=$1; shift
+ local ip n
+ for n in 1 2 3 4; do
+ ip=$((ui32 & 0xff))${ip:+.}$ip
+ ui32=$((ui32 >> 8))
+ done
+ echo $ip
+}
+
+function nt::netmask()
+{
+# Example: netmask 24 => 255.255.255.0
+ local mask=$((0xffffffff << (32 - $1))); shift
+ int2ip $mask
+}
+
+
+function nt::broadcast()
+{
+# Example: broadcast 192.0.2.0 24 => 192.0.2.255
+ local addr=$(ip2int $1); shift
+ local mask=$((0xffffffff << (32 -$1))); shift
+ int2ip $((addr | ~mask))
+}
+
+function nt::network()
+{
+# Example: network 192.0.2.0 24 => 192.0.2.0
+ local addr=$(ip2int $1); shift
+ local mask=$((0xffffffff << (32 -$1))); shift
+ int2ip $((addr & mask))
+}
+
+
+function nt::portforward()
+{
+ sourceip=$1
+ sourceport=$2
+ destinationip=$3
+ destinationport=$4
+ iptables -t nat -A PREROUTING -d $sourceip -p tcp --dport $sourceport -j DNAT --to $destinationip:$destinationport
+}
+
+
+function nt::world_route() {
+ case $OSNAME in
+ Linux)
+ for ip in $(cat $IPLISTPATH/world_rules); do
+ ip route add $ip via $1 dev $2 > /dev/null 2>&1 > /dev/null
+ done
+ ;;
+ Darwin)
+ ;;
+ *)
+ exit 1
+ ;;
+ esac
+}
+
+function nt::world_route6() {
+ case $OSNAME in
+ Linux)
+ for ip in $(cat $IPLISTPATH/v6_world_rules); do
+ ip -6 route add $ip via $1 dev $2 > /dev/null 2>&1 > /dev/null
+ done
+ ;;
+ Darwin)
+ ;;
+ *)
+ exit 1
+ ;;
+ esac
+}
+
+
+function nt::remove_world_route() {
+ case $OSNAME in
+ Linux)
+ for ip in $(cat $IPLISTPATH/world_rules); do
+ ip route del $ip> /dev/null 2>&1 > /dev/null
+ done
+ ;;
+ Darwin)
+ ;;
+ *)
+ exit 1
+ ;;
+ esac
+}
+
+function nt::remove_world_route6() {
+ case $OSNAME in
+ Linux)
+ for ip in $(cat $IPLISTPATH/v6_world_rules); do
+ ip -6 route del $ip> /dev/null 2>&1 > /dev/null
+ done
+ ;;
+ Darwin)
+ ;;
+ *)
+ exit 1
+ ;;
+ esac
+}
+
+
+function nt::add_world_rule(){
+ echo $1 >> $IPLISTPATH/own_world_rules
+ ip route add $1 via $2 dev $3
+}
+
+function nt::add_v6_world_rule(){
+ # nt::add_v6_world_rule 2a02:26f0:6e00::/48 fc80:1989:604:2021::1 wg1
+ echo $1 >> $IPLISTPATH/v6_world_rules
+ ip -6 route add $1 via $2 dev $3
+}
+
+
+echo "ARCH: $ARCHITECTURE"
+echo "Libroot:" $LIBROOT
+source $LIBROOT/wg.sh
+source $LIBROOT/ssu.sh
+source $LIBROOT/badvpn.sh
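Review bot: nt::iptables_nat enables IPv4 and IPv6 forwarding, sets every chain policy to ACCEPT, flushes all tables, and then appends `iptables -t nat -A POSTROUTING -j MASQUERADE` with no `-o` interface, so the host forwards anything it receives and NATs every forwarded flow regardless of egress interface; a deny-by-default FORWARD chain (`iptables -P FORWARD DROP`, `iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`, plus an explicit accept for the intended LAN-to-WAN pair) and `-o "$wan"` on the MASQUERADE rule would confine this to the intended path. ip6tables receives the same ACCEPT policies and flush even though the v6 MASQUERADE line is commented out, so IPv6 is forwarded unfiltered and unmasqueraded. Separately, nt::netmask, nt::broadcast and nt::network call `int2ip` and `ip2int`, but the helpers in this file are defined as `nt::int2ip` and `nt::ip2int`, so all three functions fail with command not found until the calls get the `nt::` prefix. nt::add_world_rule appends to `own_world_rules` while nt::world_route reads `world_rules` (the v6 pair consistently uses `v6_world_rules`), so a v4 rule added through the helper is never reapplied by nt::world_route.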
diff --git a/src/ssu.sh b/src/ssu.sh
new file mode 100755
index 0000000..bd73adf
--- /dev/null
+++ b/src/ssu.sh
@@ -0,0 +1,115 @@
+#!/bin/bash
+LIBROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+BINPATH=$LIBROOT/../bin
+IPLISTPATH=$LIBROOT/../iplist
+V2RAY_PLUGIN_BIN_PATH="$BINPATH/v2ray-plugin_$WORDSTUFFIX"
+
+function ss::install() {
+ case $OSRELEASE in
+ ubuntu)
+ apt-get update
+ apt-get install -y shadowsocks-libev
+ systemctl stop shadowsocks-libev
+ systemctl disable shadowsocks-libev
+ ;;
+ arch)
+ pacman -Sy --noconfirm shadowsocks-libev
+ systemctl disable shadowsocks-libev
+ esac
+}
+
+function ss::server_start() {
+ sport=$1
+ password=$2
+ ss-server \
+ -s :: \
+ -p $sport \
+ -k $password \
+ -u \
+ --fast-open \
+ -m chacha20-ietf-poly1305 \
+ --plugin "$V2RAY_PLUGIN_BIN_PATH" \
+ --plugin-opts "server" #&
+}
+
+function ss::server_stop() {
+ killall ss-server $V2RAY_PLUGIN_BIN_PATH
+}
+
+function ss::client_start() {
+ ss::client_stop
+ serverip=$1
+ sport=$2
+ password=$3
+ ss-local \
+ -s $serverip \
+ -p $sport \
+ -k $password \
+ -m chacha20-ietf-poly1305 \
+ --fast-open --reuse-port \
+ --plugin "$V2RAY_PLUGIN_BIN_PATH" \
+ --plugin-opts "host=valipl-vip.cp31.ott.cibntv.net" \
+ -b 127.0.0.1 -l 10800 &
+}
+function ss::client_mstart() {
+ ss::client_stop
+ serverip=$1
+ sport=$2
+ password=$3
+ m=$4
+ opt=$5
+ ss-local \
+ -s $serverip \
+ -p $sport \
+ -k $password \
+ -m $m \
+ --fast-open \
+ --plugin "$V2RAY_PLUGIN_BIN_PATH" \
+ --plugin-opts "$opt" \
+ -b 127.0.0.1 -l 10800 &
+}
+
+function ss::client_nstart() {
+ ss::client_stop
+ serverip=$1
+ sport=$2
+ password=$3
+ m=$4
+ opt=$5
+ ss-local \
+ -s $serverip \
+ -p $sport \
+ -k $password \
+ -m $m \
+ --fast-open \
+ -b 127.0.0.1 -l 10800 &
+}
+
+function ss::client_stop() {
+ killall ss-local $V2RAY_PLUGIN_BIN_PATH
+}
+
+function ss::generate_tls() {
+ CN=$1
+ casubj="/C=BE/ST=GFW/L=GFWCITY/O=Internation Fuckgfw inc./OU=FUCKGFW/CN=GlobalSign Organization Validation CA - SHA256 - G2"
+ tlssubj="/C=CN/ST=GFW/L=GFWCITY/O=Internation Fuckgfw inc./OU=FUCKGFW/CN=$CN"
+ mkdir -p /tmp/sstls
+ cd /tmp/sstls
+ openssl \
+ req \
+ -nodes \
+ -new -x509 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3650 \
+ -subj "$casubj"
+
+ openssl \
+ req \
+ -nodes \
+ -newkey rsa:4096 \
+ -keyout server.key \
+ -out server.csr \
+ -subj "$tlssubj"
+
+ openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
+}
+
+echo "lib ss loaded."
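Review bot: ss::generate_tls writes the CA and server private keys unencrypted (`-nodes`) into the fixed, world-shared path `/tmp/sstls` under the caller's default umask, so on a multi-user host another account can pre-create that directory or simply read the keys; generate into a private directory instead, e.g. `umask 077; workdir=$(mktemp -d)` and run the openssl commands there, and because this file is sourced, wrap the `cd` in a subshell or `pushd`/`popd` so the caller's working directory is not silently changed. The self-signed CA's subject copies "GlobalSign Organization Validation CA - SHA256 - G2"; a comment should state that this is deliberate camouflage, since anyone importing ca.crt into a trust store is trusting a key that lives in /tmp. ss::server_start and the ss::client_* functions pass the pre-shared secret as `-k $password`, which is visible to every local user through `ps` and `/proc/*/cmdline` for the lifetime of the process; a mode-0600 JSON config passed with `-c` keeps it out of the argument list. The `arch` branch of ss::install omits the `;;` terminator before `esac`, which bash tolerates only because it is the last case.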
diff --git a/src/sysctl.conf b/src/sysctl.conf
new file mode 100644
index 0000000..b702003
--- /dev/null
+++ b/src/sysctl.conf
@@ -0,0 +1,46 @@
+fs.file-max = 1024000
+# max read buffer
+net.core.rmem_max = 67108864
+# max write buffer
+net.core.wmem_max = 67108864
+# default read buffer
+net.core.rmem_default = 65536
+# default write buffer
+net.core.wmem_default = 65536
+# max processor input queue
+net.core.netdev_max_backlog = 4096
+# max backlog
+net.core.somaxconn = 4096
+# resist SYN flood attacks
+net.ipv4.tcp_syncookies = 1
+# reuse timewait sockets when safe
+net.ipv4.tcp_tw_reuse = 1
+# turn off fast timewait sockets recycling
+net.ipv4.tcp_tw_recycle = 0
+# short FIN timeout
+net.ipv4.tcp_fin_timeout = 30
+# short keepalive time
+net.ipv4.tcp_keepalive_time = 1200
+# outbound port range
+net.ipv4.ip_local_port_range = 10000 65000
+# max SYN backlog
+net.ipv4.tcp_max_syn_backlog = 4096
+# max timewait sockets held by system simultaneously
+net.ipv4.tcp_max_tw_buckets = 5000
+# TCP receive buffer
+net.ipv4.tcp_rmem = 4096 87380 67108864
+# TCP write buffer
+net.ipv4.tcp_wmem = 4096 65536 67108864
+# turn on path MTU discovery
+net.ipv4.tcp_mtu_probing = 1
+
+net.ipv6.conf.all.accept_ra = 2
+
+
+net.ipv4.ip_forward=1
+net.ipv4.tcp_congestion_control = bbr
+net.core.default_qdisc = fq
+
+net.ipv4.tcp_fastopen = 3
+
+net.ipv4.icmp_echo_ignore_all=0
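Review bot: `net.ipv6.conf.all.accept_ra = 2` accepts router advertisements even though this same file turns forwarding on, so the machine acting as the VPN/NAT router will take its IPv6 default route and prefixes from any host on the link that sends an RA; on a router this is normally 0 with the default route configured statically, and if 2 is intentional a comment should say why (`# accept RAs despite forwarding: upstream link relies on SLAAC`). `net.ipv4.tcp_tw_recycle` was removed in Linux 4.12, so `sysctl -p` on a current kernel reports an unknown key for that line; dropping it loses nothing since 0 is the only behaviour left. With forwarding enabled here and lib.sh flushing the FORWARD chain, `net.ipv4.conf.all.rp_filter` is also worth setting explicitly rather than inheriting the distribution default, since strict mode can drop replies once the tun default route makes paths asymmetric.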
diff --git a/src/wg.sh b/src/wg.sh
new file mode 100755
index 0000000..d11c59a
--- /dev/null
+++ b/src/wg.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+LIBROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+function wg::install() {
+ case $OSRELEASE in
+ ubuntu)
+ apt update
+ apt install wireguard
+ ;;
+ arch)
+ pacman -Sy --noconfirm wireguard-tools
+ ;;
+ esac
+}
+
+function wg::start() {
+ dev=$1
+ privatekey=$2
+ localip=$3
+ localip6=$4
+ port=$5
+ ip link del dev $dev type wireguard
+ ip link add dev $dev type wireguard
+ ip address add dev $dev $localip
+ ip -6 addr add $localip6 dev $dev
+ wg set wg0 listen-port $port private-key $privatekey
+ ip link set up dev $dev
+}
+
+function wg::gen_peer(){
+ numpath=$1
+ peer=$2
+}
+
+function wg::genkey() {
+ wg genkey | tee privatekey | wg pubkey > publickey
+}
+
+function wg::client_stop() {
+ ip link set down dev $1
+ ip link del dev $1
+}
+
+echo "lib wg loaded."
+
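Review bot: wg::start runs `wg set wg0 listen-port $port private-key $privatekey` against the hard-coded interface wg0 while every other line uses `$dev`, so for any other device name the link comes up with no key and no listen port (and an existing wg0 gets them instead); the line should be `wg set "$dev" listen-port "$port" private-key "$privatekey"`. `private-key` expects a path to a key file rather than the key material, which deserves a comment on the parameter given that it is named `privatekey`. wg::genkey writes `privatekey` under whatever umask the caller has, typically leaving a 0644 file; the upstream recommendation is `umask 077` before `wg genkey | tee privatekey | wg pubkey > publickey`. wg::install on ubuntu runs `apt install wireguard` without `-y`, so it blocks on a prompt when scripted, unlike the other installers in this commit. wg::gen_peer only assigns its two arguments and does nothing else; a `# TODO: not implemented` comment would save readers from looking for missing behaviour.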