#!/bin/bash
#本脚本适用/etc/network/interfaces被接管、没有rc.local的ubuntu
# Print $1 in green (bold) on stdout and reset the colour afterwards.
# The text goes through printf's %b, so backslash escapes such as '\n'
# in the argument are interpreted.
_green() {
  local text=$1
  printf '\033[1;31;32m%b\033[0m' "${text}"
}
# Print $1 in red (bold) on stdout and reset the colour afterwards.
# Backslash escapes in the argument are interpreted (printf %b).
_red() {
  local text=$1
  printf '\033[1;31;31m%b\033[0m' "${text}"
}
# Print $1 in yellow (bold) on stdout and reset the colour afterwards.
# Backslash escapes in the argument are interpreted (printf %b).
_yellow() {
  local text=$1
  printf '\033[1;31;33m%b\033[0m' "${text}"
}
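# Commands that need root are prefixed with ${sudoCmd} (deliberately left
# unquoted at the call sites so an empty value disappears).  It is empty when
# the script already runs as root.  EUID is a bash builtin, so this no longer
# depends on /usr/bin/id existing at that exact path.
sudoCmd=""
if [[ "${EUID}" -ne 0 ]]; then
  sudoCmd="sudo"
fi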
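#copied & modified from atrandys trojan scripts
#copied from 秋水逸冰's ss scripts
# Detect the distribution family and its package manager.  Sources are
# checked in the same priority order as before (/etc/redhat-release, then
# /etc/issue, then /proc/version), but each file is read directly by grep
# instead of through `cat`.  If nothing matches, stop with a clear error
# rather than letting the later `${systemPackage} install` calls run with an
# empty command.
release=""
systemPackage=""
if [[ -f /etc/redhat-release ]]; then
  release="centos"
  systemPackage="yum"
else
  for _src in /etc/issue /proc/version; do
    [[ -r "${_src}" ]] || continue
    if grep -Eqi "debian" "${_src}"; then
      release="debian"
      systemPackage="apt-get"
    elif grep -Eqi "ubuntu" "${_src}"; then
      release="ubuntu"
      systemPackage="apt-get"
    elif grep -Eqi "centos|red hat|redhat" "${_src}"; then
      release="centos"
      systemPackage="yum"
    fi
    [[ -n "${release}" ]] && break
  done
  unset _src
fi
if [[ -z "${systemPackage}" ]]; then
  printf 'error: unsupported distribution (expected debian, ubuntu or centos)\n' >&2
  exit 1
fi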
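# Interactive parameters for the tunnel.  The pre-shared key is read without
# echo (-s) so it does not appear on the terminal or in scrollback; a newline
# is printed afterwards because -s also suppresses the user's Enter.
read -rp "请输入本机隧道内网ip: " gre_ip
read -rp "请输入对端隧道内网ip: " gre_ip_peer
read -rsp "请输入ipsec预共享密码: " psk
printf '\n'
# An empty value would later produce `ip addr add /24`, a ping to nothing,
# or a secrets file with PSK "" — stop early instead.
for _var in gre_ip gre_ip_peer psk; do
  if [[ -z "${!_var}" ]]; then
    printf 'error: %s must not be empty\n' "${_var}" >&2
    exit 1
  fi
done
unset _var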
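# Load the GRE module.  Persist ip_gre in /etc/modules only when it is not
# already listed (re-runs used to append a duplicate line) and write the file
# through sudo, since a bare `>>` redirect is performed by the unprivileged
# shell.  modprobe loads it now so the tunnel can be created in this run.
if ! grep -qx 'ip_gre' /etc/modules 2>/dev/null; then
  printf 'ip_gre\n' | ${sudoCmd} tee -a /etc/modules >/dev/null
fi
${sudoCmd} modprobe ip_gre
_green 'load gre module...done.\n'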
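# Install the tools the rest of the script relies on (ifconfig, dig, wget).
${sudoCmd} ${systemPackage} install -y net-tools dnsutils wget -qq
# Stop and disable NetworkManager if it is installed — the tunnel and
# addresses below are configured by hand, presumably so a network manager
# does not rewrite them.  `systemctl cat` fails for an unknown unit, which
# avoids spurious "unit not found" errors on hosts without NetworkManager.
if systemctl cat NetworkManager.service >/dev/null 2>&1; then
  ${sudoCmd} systemctl stop NetworkManager
  ${sudoCmd} systemctl disable NetworkManager
fi
_green 'stop & disable networkManager...done.\n'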
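# Create the GRE interface.
# Local endpoint: first non-loopback IPv4 address reported by ifconfig.  The
# dots in the pattern are escaped so '.' cannot match arbitrary characters.
local_ip=$(ifconfig -a \
  | grep -o -e 'inet [0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' \
  | grep -v "127.0.0" \
  | awk '{print $2}' \
  | head -n 1)
# Remote endpoint: resolved from DNS.  Keep only the first IPv4-looking line
# so a CNAME or multi-record answer cannot expand into extra arguments of
# `ip tunnel add`.  GRE itself carries no authentication; the IPsec transport
# policy configured further down is what protects traffic to this peer.
remote_ip=$(dig ipv4.fclouds.xyz @1.1.1.1 +short \
  | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' \
  | head -n 1)
if [[ -z "${local_ip}" || -z "${remote_ip}" ]]; then
  printf 'error: cannot determine tunnel endpoints (local=%s remote=%s)\n' \
    "${local_ip:-unset}" "${remote_ip:-unset}" >&2
  exit 1
fi
${sudoCmd} ip tunnel add tun0 mode gre remote "${remote_ip}" local "${local_ip}" ttl 255
${sudoCmd} ip link set tun0 up
${sudoCmd} ip addr add "${gre_ip}/24" dev tun0
_green 'create gre interface...done.\n'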
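# Install and configure IPsec (libreswan) for the GRE traffic.
${sudoCmd} ${systemPackage} install -y libreswan -qq
${sudoCmd} systemctl enable ipsec
# Files are written through `tee` so they are created with root privileges
# even when the script runs via sudo; a plain `>` redirect is executed by the
# unprivileged shell and fails.  Parameter lines are indented because
# ipsec.conf treats indented lines as entries of the current section.
# Algorithm note: ike=aes128-sha1;modp1024 uses a 1024-bit DH group and
# SHA-1, both considered weak today.  They are kept because the proposal must
# match the peer's configuration; prefer modp2048 and sha2 once the peer
# supports them, and consider pfs=yes.
${sudoCmd} tee /etc/ipsec.d/gre1.conf >/dev/null <<EOF
conn gre1
  type=transport
  left=%defaultroute
  leftprotoport=gre
  right=${remote_ip}
  rightprotoport=gre
  ike=aes128-sha1;modp1024
  phase2alg=aes128-sha1,aes256-sha256
  nat-keepalive=yes
  keyingtries=30
  dpddelay=10
  dpdtimeout=120
  dpdaction=restart
  ikelifetime=8h
  keylife=24h
  pfs=no
  authby=secret
  auto=start
EOF
# Pre-shared key.
#${sudoCmd} ${systemPackage} install -y pwgen -qq
#psk=$(pwgen -1cny 10)
# Create the secrets file with mode 0600 before writing it so the PSK is never
# world-readable (tee alone would create it with the default umask).  A PSK
# containing a double quote would break the quoted value below.
${sudoCmd} install -m 600 -o root -g root /dev/null /etc/ipsec.d/gre1.secrets
${sudoCmd} tee /etc/ipsec.d/gre1.secrets >/dev/null <<EOF
%any 0.0.0.0: PSK "${psk}"
EOF
${sudoCmd} ipsec restart
_green 'install ipsec for gre...done.\n'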
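# Kernel sysctl settings.  Written through `tee -a` (works under sudo) and
# guarded by a marker line so re-running the script does not append the same
# block again.  rp_filter is turned off for every interface listed, which
# disables reverse-path (anti-spoofing) filtering — needed when tunnel traffic
# is routed asymmetrically, but it means the kernel no longer drops packets
# with spoofed source addresses on those interfaces.  Entries for interfaces
# that do not exist yet (eth0, erspan0, gre0, ...) presumably just make
# `sysctl -p` print a "cannot stat" warning for that key.
sysctl_marker='# gretunnel4ubuntuR sysctl settings'
if ! grep -qF -- "${sysctl_marker}" /etc/sysctl.conf 2>/dev/null; then
  ${sudoCmd} tee -a /etc/sysctl.conf >/dev/null <<EOF
${sysctl_marker}
#打开IP转发
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.ip_forward = 1
#去除ICMP重定向警告
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
#去除 rp_filter 警告
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.eth0.rp_filter=0
net.ipv4.conf.erspan0.rp_filter=0
net.ipv4.conf.gre0.rp_filter=0
net.ipv4.conf.gretap0.rp_filter=0
net.ipv4.conf.ip_vti0.rp_filter=0
net.ipv4.conf.tun0.rp_filter=0
vm.overcommit_memory = 1
fs.file-max = 1000000
fs.inotify.max_user_instances = 8192
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_max_orphans = 32768
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.somaxconn = 32768
net.core.netdev_max_backlog = 32768
EOF
fi
${sudoCmd} sysctl -p
_green 'set sysctl...done.\n'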
#安装并配置smartdns,可选
#${sudoCmd} ${systemPackage} install -y curl tar -qq
#API_URL="https://api.github.com/repos/pymumu/smartdns/releases/latest"
#DOWNLOAD_URL="$(curl -H "Accept: application/json" -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0" -s "${API_URL}" --connect-timeout 10| grep 'browser_download_url' | grep 'x86_64-linux-all' | cut -d\" -f4)"
#${sudoCmd} curl -L -H "Cache-Control: no-cache" -o "/tmp/smartdns.tar.gz" "${DOWNLOAD_URL}"
#${sudoCmd} tar -zxf /tmp/smartdns.tar.gz -C /tmp
#${sudoCmd} chmod +x /tmp/smartdns/install
#${sudoCmd} /tmp/smartdns/install -i
#${sudoCmd} systemctl stop smartdns.service
#${sudoCmd} curl -sL https://raw.githubusercontent.com/goodffd/tool/master/smartdns_remote.conf > /etc/smartdns/smartdns.conf
#${sudoCmd} systemctl start smartdns.service
#域名解析指向本地并加锁
#${sudoCmd} sed -i 's/#DNSStubListener=yes/DNSStubListener=no/g' /etc/systemd/resolved.conf
#${sudoCmd} mv /etc/resolv.conf /etc/resolv.conf.bak
#echo "nameserver 127.0.0.1" > /etc/resolv.conf
#${sudoCmd} chattr +i /etc/resolv.conf
#_green 'install smartdns...done.\n'
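# Install iptables and a systemd service that restores NAT, MSS clamping and
# the GRE interface at boot.
${sudoCmd} ${systemPackage} install -y iptables -qq
# The helper script is written through `tee` so it works under sudo.  Values
# expanded now (gre_ip, gre_ip_peer) are baked into the file; anything escaped
# with a backslash is evaluated when the helper runs at boot.  Note that with
# ip_forward=1 the MASQUERADE rule NATs whatever leaves eth0, including traffic
# the peer forwards in over the tunnel; add a `-s <tunnel subnet>` match if
# that is narrower than intended.
${sudoCmd} tee /etc/network-conf.sh >/dev/null <<EOF
#!/bin/bash
# Generated by gretunnel4ubuntuR.sh; started by network-conf.service at boot.
common() {
  # NAT traffic leaving eth0 and clamp MSS on forwarded TCP so the GRE/IPsec
  # overhead does not break path MTU.  Each rule is added only when
  # iptables-save does not already list it.
  is_exist=\$(iptables-save | grep -- "-A POSTROUTING -o eth0 -j MASQUERADE")
  if [[ -z "\${is_exist}" ]]; then
    iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
  fi
  is_exist=\$(iptables-save | grep -- "-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu")
  if [[ -z "\${is_exist}" ]]; then
    iptables -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  fi
  # Endpoints are re-resolved on every boot; only the first IPv4-looking DNS
  # answer is used for the peer.
  local_ip=\$(ifconfig -a | grep -o -e 'inet [0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | grep -v "127.0.0" | awk '{print \$2}' | head -n 1)
  remote_ip=\$(dig ipv4.fclouds.xyz @1.1.1.1 +short | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}\$' | head -n 1)
  ip tunnel add tun0 mode gre remote "\${remote_ip}" local "\${local_ip}" ttl 255
  ip link set tun0 up
  ip addr add ${gre_ip}/24 dev tun0
  # Keepalive: one empty ping every 10 s keeps the tunnel (and the IPsec SA
  # behind it) active.
  ping -i 10 -s 0 ${gre_ip_peer}
}
common &
sleep infinity
EOF
${sudoCmd} chmod +x /etc/network-conf.sh
# The unit file and systemctl calls need root as well; the original redirect
# and `systemctl enable` ran without ${sudoCmd}.  daemon-reload makes the new
# unit visible before it is enabled.
${sudoCmd} tee /etc/systemd/system/network-conf.service >/dev/null <<EOF
[Unit]
Description=network conf service
After=network.target network-online.target nss-lookup.target
Wants=network-online.target
[Service]
ExecStart=/etc/network-conf.sh
Restart=on-failure
[Install]
WantedBy=default.target
EOF
${sudoCmd} systemctl daemon-reload
${sudoCmd} systemctl enable network-conf.service
${sudoCmd} systemctl start network-conf.service
_green 'install iptables & nat masquerdo & Change MSS & gretunnel load at start...done.\n'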
#配置自动更新gre和ipsec配置文件里的动态对端ip(ros侧)脚本->可用下面的域名模式,也可调整为ros侧通过ssh连到vps进行ip更改
#${sudoCmd} cat >/root/monitor.sh <<-EOF
##!/bin/bash
#local_ip=\$(/sbin/ifconfig -a|grep -o -e 'inet [0-9]\{1,3\}.[0-9]\{1,3\}.[0-9]\{1,3\}.[0-9]\{1,3\}'|grep -v "127.0.0"|awk '{print \$2}'|head -n 1)
#oldip=\$(ip addr show tun0|grep -o -e 'peer [0-9]\{1,3\}.[0-9]\{1,3\}.[0-9]\{1,3\}.[0-9]\{1,3\}'|awk '{print \$2}')
#newip=\$(dig ipv4.fclouds.xyz @1.1.1.1 +short|tail -n 1)
#while true; do
# VALID_CHECK=\$(echo \${newip}|awk -F. '\$1<=255&&\$2<=255&&\$3<=255&&\$4<=255{print "yes"}')
# if [ \${VALID_CHECK:-no} == "yes" ]; then
# break
# else
# newip=\$(dig ipv4.fclouds.xyz @1.1.1.1 +short|tail -n 1)
# fi
#done
#if [ "\${oldip}" = "\${newip}" ]; then
# ping ${gre_ip_peer} -c5
# echo "No Change IP!"
#else
# ip tunnel del tun0
# ip tunnel add tun0 mode gre remote \${newip} local \${local_ip} ttl 255
# ip link set tun0 up
# ip addr add ${gre_ip}/24 dev tun0
# sed -i '5c \ right='\${newip}'' /etc/ipsec.d/gre1.conf
# sleep 1
# /usr/sbin/ipsec restart
# ping ${gre_ip_peer} -c5
# echo "IP updated!"
#fi
#EOF
#${sudoCmd} chmod +x /root/monitor.sh
#echo "*/1 * * * * bash /root/monitor.sh >> /var/log/monitor.log 2>&1" >> /var/spool/cron/crontabs/root
#echo "0 */1 * * * rm -f /var/log/monitor.log" >> /var/spool/cron/crontabs/root
#${sudoCmd} systemctl restart cron
#_green 'cron ddns scripts...done.\n'
#echo "*/1 * * * * ping ${gre_ip_peer} -c5 >> /var/log/grekeepalive.log 2>&1" >> /var/spool/cron/crontabs/root
#echo "0 0 * * 1 rm -f /var/log/grekeepalive.log" >> /var/spool/cron/crontabs/root
#_green 'cron scripts...done.\n'