
Merge branch 'hwdsl2:master' into master

This commit is contained in:
Leo Liu 2022-02-10 13:37:58 +09:00 committed by GitHub
commit 4caf811575
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
22 changed files with 1340 additions and 2895 deletions

107
.github/workflows/check_urls.yml vendored Normal file

@ -0,0 +1,107 @@
#
# Copyright (C) 2020-2022 Lin Song <linsongui@gmail.com>
#
# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
# Unported License: http://creativecommons.org/licenses/by-sa/3.0/
#
# Attribution required: please include my name in any derivative and let me
# know how you have improved it!
name: check_urls
on: workflow_call
jobs:
check_urls:
runs-on: ubuntu-20.04
if: github.repository_owner == 'hwdsl2'
steps:
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # 2.4.0
with:
persist-credentials: false
- name: Check
run: |
cd "$GITHUB_WORKSPACE"
mkdir workdir
cd workdir
set -ex
export DEBIAN_FRONTEND=noninteractive
sudo apt-get -yqq update
sudo apt-get -yqq install wget curl
wg="wget -t 3 -T 30 -nv -O"
gh="https://github.com/hwdsl2/setup-ipsec-vpn/raw/master"
gi="https://git.io"
$wg vpnsetup.sh "$gi/vpnsetup"
$wg vpnsetup_centos.sh "$gi/vpnsetup-centos"
$wg vpnsetup_amzn.sh "$gi/vpnsetup-amzn"
$wg vpnsetup_ubuntu.sh "$gi/vpnsetup-ubuntu"
$wg vpnsetup_alpine.sh "$gi/vpnsetup-alpine"
$wg quickstart.sh "$gi/vpnquickstart"
$wg ikev2setup.sh "$gi/ikev2setup"
$wg vpnupgrade.sh "$gi/vpnupgrade"
$wg vpnupgrade_centos.sh "$gi/vpnupgrade-centos"
$wg vpnupgrade_amzn.sh "$gi/vpnupgrade-amzn"
$wg vpnupgrade_ubuntu.sh "$gi/vpnupgrade-ubuntu"
$wg vpnupgrade_alpine.sh "$gi/vpnupgrade-alpine"
$wg vpnuninstall.sh "$gi/vpnuninstall"
$wg vpnsetup2.sh "$gh/vpnsetup.sh"
$wg vpnsetup_centos2.sh "$gh/vpnsetup_centos.sh"
$wg vpnsetup_amzn2.sh "$gh/vpnsetup_amzn.sh"
$wg vpnsetup_ubuntu2.sh "$gh/vpnsetup_ubuntu.sh"
$wg vpnsetup_alpine2.sh "$gh/vpnsetup_alpine.sh"
$wg quickstart2.sh "$gh/extras/quickstart.sh"
$wg ikev2setup2.sh "$gh/extras/ikev2setup.sh"
$wg vpnupgrade2.sh "$gh/extras/vpnupgrade.sh"
$wg vpnupgrade_centos2.sh "$gh/extras/vpnupgrade_centos.sh"
$wg vpnupgrade_amzn2.sh "$gh/extras/vpnupgrade_amzn.sh"
$wg vpnupgrade_ubuntu2.sh "$gh/extras/vpnupgrade_ubuntu.sh"
$wg vpnupgrade_alpine2.sh "$gh/extras/vpnupgrade_alpine.sh"
$wg vpnuninstall2.sh "$gh/extras/vpnuninstall.sh"
diff vpnsetup.sh ../vpnsetup.sh
diff vpnsetup_centos.sh ../vpnsetup_centos.sh
diff vpnsetup_amzn.sh ../vpnsetup_amzn.sh
diff vpnsetup_ubuntu.sh ../vpnsetup_ubuntu.sh
diff vpnsetup_alpine.sh ../vpnsetup_alpine.sh
diff quickstart.sh ../extras/quickstart.sh
diff ikev2setup.sh ../extras/ikev2setup.sh
diff vpnupgrade.sh ../extras/vpnupgrade.sh
diff vpnupgrade_centos.sh ../extras/vpnupgrade_centos.sh
diff vpnupgrade_amzn.sh ../extras/vpnupgrade_amzn.sh
diff vpnupgrade_ubuntu.sh ../extras/vpnupgrade_ubuntu.sh
diff vpnupgrade_alpine.sh ../extras/vpnupgrade_alpine.sh
diff vpnuninstall.sh ../extras/vpnuninstall.sh
diff vpnsetup2.sh ../vpnsetup.sh
diff vpnsetup_centos2.sh ../vpnsetup_centos.sh
diff vpnsetup_amzn2.sh ../vpnsetup_amzn.sh
diff vpnsetup_ubuntu2.sh ../vpnsetup_ubuntu.sh
diff vpnsetup_alpine2.sh ../vpnsetup_alpine.sh
diff quickstart2.sh ../extras/quickstart.sh
diff ikev2setup2.sh ../extras/ikev2setup.sh
diff vpnupgrade2.sh ../extras/vpnupgrade.sh
diff vpnupgrade_centos2.sh ../extras/vpnupgrade_centos.sh
diff vpnupgrade_amzn2.sh ../extras/vpnupgrade_amzn.sh
diff vpnupgrade_ubuntu2.sh ../extras/vpnupgrade_ubuntu.sh
diff vpnupgrade_alpine2.sh ../extras/vpnupgrade_alpine.sh
diff vpnuninstall2.sh ../extras/vpnuninstall.sh
url1="https://mirrors.kernel.org/ubuntu/pool/main/n/nss"
url2="https://mirrors.kernel.org/ubuntu/pool/universe/n/nss"
deb1="libnss3_3.49.1-1ubuntu1.6_amd64.deb"
deb2="libnss3-dev_3.49.1-1ubuntu1.6_amd64.deb"
deb3="libnss3-tools_3.49.1-1ubuntu1.6_amd64.deb"
$wg 1.deb "$url1/$deb1"
$wg 2.deb "$url1/$deb2"
$wg 3.deb "$url2/$deb3"
bl="https://bit.ly"
curl -fsSI "$bl/addvpnuser" | grep -q 'add_vpn_user.sh'
curl -fsSI "$bl/delvpnuser" | grep -q 'del_vpn_user.sh'
curl -fsSI "$bl/updatevpnusers" | grep -q 'update_vpn_users.sh'
curl -fsSI "$bl/ikev2onlymode" | grep -q 'ikev2onlymode.sh'
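Review bot: `set -ex` is only reached on the fourth line of the `run:` block, after `cd "$GITHUB_WORKSPACE"`, `mkdir workdir` and `cd workdir`, so those three commands run untraced; the runner's default shell already applies `-e`, so a failed `cd` still aborts, but moving `set -ex` to the first line of the block makes the log show every step and stops depending on that default. The `deb1`–`deb3` names pin nss `3.49.1-1ubuntu1.6`, and once Ubuntu publishes a newer build the old files leave the pool and this job fails, so a comment above `url1=` naming what consumes those URLs (presumably an installer script in this repository — confirm) would tell the next maintainer where the version must change in lockstep. Pinning `actions/checkout` by commit SHA with `persist-credentials: false` is the right way to do it and needs no change.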



38
.github/workflows/shellcheck.yml vendored Normal file

@ -0,0 +1,38 @@
#
# Copyright (C) 2020-2022 Lin Song <linsongui@gmail.com>
#
# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
# Unported License: http://creativecommons.org/licenses/by-sa/3.0/
#
# Attribution required: please include my name in any derivative and let me
# know how you have improved it!
name: shellcheck
on: workflow_call
jobs:
shellcheck:
runs-on: ubuntu-20.04
if: github.repository_owner == 'hwdsl2'
steps:
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # 2.4.0
with:
persist-credentials: false
- name: Check
run: |
if [ ! -x /usr/bin/shellcheck ]; then
export DEBIAN_FRONTEND=noninteractive
sudo apt-get -yqq update
sudo apt-get -yqq install shellcheck
fi
cd "$GITHUB_WORKSPACE"
pwd
ls -ld vpnsetup.sh
export SHELLCHECK_OPTS="-e SC1090,SC1091"
shellcheck --version
shopt -s globstar
ls -ld -- **/*.sh
shellcheck **/*.sh
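Review bot: The ShellCheck version this job lints with is whatever the `ubuntu-20.04` image happens to ship, because the apt branch under `if [ ! -x /usr/bin/shellcheck ]` only runs when the binary is absent, so findings can change between runs whenever the runner image is updated. If reproducible linting is the goal, pin a release (downloaded and checksum-verified in the step) and say so in a comment; if tracking the image's version is deliberate, a line above the `if` such as `# prefer the runner image's shellcheck; fall back to the distro package` makes that explicit, and the `shellcheck --version` echo already gives the evidence needed to diagnose a drift. The `SHELLCHECK_OPTS="-e SC1090,SC1091"` line also deserves a one-line comment stating why "source not followed" is excluded — if it is because the sourced files are themselves covered by the `**/*.sh` glob (an inference — confirm), say that.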

508
.github/workflows/test_set_1.yml vendored Normal file

@ -0,0 +1,508 @@
#
# Copyright (C) 2020-2022 Lin Song <linsongui@gmail.com>
#
# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
# Unported License: http://creativecommons.org/licenses/by-sa/3.0/
#
# Attribution required: please include my name in any derivative and let me
# know how you have improved it!
name: test_set_1
on: workflow_call
jobs:
test_set_1:
runs-on: ubuntu-20.04
if: github.repository_owner == 'hwdsl2'
strategy:
matrix:
os_version: ["centos:8s", "centos:7", "rockylinux:8", "almalinux:8", "amazonlinux:2"]
fail-fast: false
env:
OS_VERSION: ${{ matrix.os_version }}
steps:
- name: Build
run: |
mkdir -p "$GITHUB_WORKSPACE/testing/${OS_VERSION//:}"
cd "$GITHUB_WORKSPACE/testing/${OS_VERSION//:}"
cat > run.sh <<'EOF'
#!/bin/bash
set -eEx
log1=/var/log/secure
log2=/var/log/messages
trap 'catch $? $LINENO' ERR
catch() {
echo "Error $1 occurred on line $2."
cat -n -- "$0" | tail -n+"$(($2 - 3))" | head -n7
exit 1
}
restart_ipsec() {
if ! command -v amazon-linux-extras; then
systemctl restart ipsec
fi
echo "Waiting for IPsec to restart."
count=0
while ! grep -q "pluto\[$(cat /var/run/pluto/pluto.pid)\]: listening for IKE messages" "$log1"; do
[ "$count" -ge "30" ] && { echo "IPsec failed to start."; exit 1; }
count=$((count+1))
printf '%s' '.'
sleep 0.5
done
echo
}
restart_fail2ban() {
rm -f /var/log/fail2ban.log
systemctl restart fail2ban
echo "Waiting for Fail2ban to restart."
count=0
while ! grep -qs -E "Jail '(sshd?|ssh-iptables)' started" /var/log/fail2ban.log; do
[ "$count" -ge "30" ] && { echo "Fail2ban failed to start."; exit 1; }
count=$((count+1))
printf '%s' '.'
sleep 0.5
done
echo
}
yum -y -q update
yum -y -q install wget rsyslog
systemctl start rsyslog
wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup
sed -i '/curl /a sed -i "/swan_ver_latest=/s/^/#/" "$tmpdir/vpn.sh"' vpnsetup.sh
sh vpnsetup.sh
systemctl start xl2tpd
restart_ipsec
restart_fail2ban
cat /var/log/fail2ban.log
netstat -anpu | grep pluto
netstat -anpu | grep xl2tpd
iptables -nvL
iptables -nvL | grep -q 'ppp+'
iptables -nvL | grep -q '192\.168\.43\.0/24'
iptables -nvL -t nat
iptables -nvL -t nat | grep -q '192\.168\.42\.0/24'
iptables -nvL -t nat | grep -q '192\.168\.43\.0/24'
grep pluto "$log1"
grep xl2tpd "$log2"
ipsec status
ipsec status | grep -q l2tp-psk
ipsec status | grep -q xauth-psk
ls -l /usr/bin/ikev2.sh
ls -l /opt/src/ikev2.sh
wget -t 3 -T 30 -nv -O vpnunst.sh https://git.io/vpnuninstall
bash vpnunst.sh <<ANSWERS
y
ANSWERS
rm -f /usr/bin/ikev2.sh /opt/src/ikev2.sh
if grep -qi stream /etc/redhat-release; then
mkdir /etc/xl2tpd
fi
wget -t 3 -T 30 -nv -O quickstart.sh https://git.io/vpnquickstart
sed -i -e '/curl /a sed -i "/swan_ver_latest=/s/^/#/" "$tmpdir/vpn.sh"' \
-e '/sleep 1/a sed -i "/swan_ver_latest=/s/^/#/" /opt/src/ikev2.sh' quickstart.sh
sh quickstart.sh
systemctl restart xl2tpd
restart_ipsec
restart_fail2ban
cat /var/log/fail2ban.log
netstat -anpu | grep pluto
netstat -anpu | grep xl2tpd
iptables -nvL
iptables -nvL | grep -q 'ppp+'
iptables -nvL | grep -q '192\.168\.43\.0/24'
iptables -nvL -t nat
iptables -nvL -t nat | grep -q '192\.168\.42\.0/24'
iptables -nvL -t nat | grep -q '192\.168\.43\.0/24'
ipsec status
ipsec status | grep -q l2tp-psk
ipsec status | grep -q xauth-psk
ipsec status | grep -q ikev2-cp
ls -ld /etc/ipsec.d/vpnclient.mobileconfig
ls -ld /etc/ipsec.d/vpnclient.sswan
ls -ld /etc/ipsec.d/vpnclient.p12
ls -l /usr/bin/ikev2.sh
ls -l /opt/src/ikev2.sh
bash vpnunst.sh <<ANSWERS
y
ANSWERS
rm -f /usr/bin/ikev2.sh /opt/src/ikev2.sh
if grep -qi stream /etc/redhat-release; then
mkdir /etc/xl2tpd
fi
if [ "$1" != "amazon" ]; then
wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup-centos
else
wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup-amzn
fi
sed -i '/swan_ver_latest=/s/^/#/' vpnsetup.sh
VPN_IPSEC_PSK='your_ipsec_pre_shared_key' \
VPN_USER='your_vpn_username' \
VPN_PASSWORD='your_vpn_password' \
VPN_DNS_SRV1='1.1.1.1' \
VPN_DNS_SRV2='1.0.0.1' \
bash vpnsetup.sh
systemctl restart xl2tpd
restart_ipsec
netstat -anpu | grep pluto
netstat -anpu | grep xl2tpd
iptables -nvL
iptables -nvL | grep -q 'ppp+'
iptables -nvL | grep -q '192\.168\.43\.0/24'
iptables -nvL -t nat
iptables -nvL -t nat | grep -q '192\.168\.42\.0/24'
iptables -nvL -t nat | grep -q '192\.168\.43\.0/24'
ipsec status
ipsec status | grep -q l2tp-psk
ipsec status | grep -q xauth-psk
grep -q "your_ipsec_pre_shared_key" /etc/ipsec.secrets
grep -q "your_vpn_username" /etc/ppp/chap-secrets
grep -q "your_vpn_password" /etc/ppp/chap-secrets
grep -q "your_vpn_username" /etc/ipsec.d/passwd
grep -q 'modecfgdns="1.1.1.1 1.0.0.1"' /etc/ipsec.conf
grep -q 'ms-dns 1.1.1.1' /etc/ppp/options.xl2tpd
grep -q 'ms-dns 1.0.0.1' /etc/ppp/options.xl2tpd
ls -l /usr/bin/ikev2.sh
ls -l /opt/src/ikev2.sh
wget -t 3 -T 30 -nv -O ikev2.sh https://git.io/ikev2setup # hwdsl2
sed -i '/swan_ver_latest=/s/^/#/' ikev2.sh
bash ikev2.sh <<ANSWERS
y
ANSWERS
grep -q 'modecfgdns="8.8.8.8 8.8.4.4"' /etc/ipsec.d/ikev2.conf
ls -ld /etc/ipsec.d/vpnclient.mobileconfig
ls -ld /etc/ipsec.d/vpnclient.sswan
ls -ld /etc/ipsec.d/vpnclient.p12
restart_ipsec
grep pluto "$log1" | tail -n 20
ipsec status | grep -q ikev2-cp
bash ikev2.sh <<ANSWERS
1
invalidclient:
vpnclient
vpnclient2
ANSWERS
ls -ld /etc/ipsec.d/vpnclient2.mobileconfig
ls -ld /etc/ipsec.d/vpnclient2.sswan
ls -ld /etc/ipsec.d/vpnclient2.p12
rm -f /etc/ipsec.d/vpnclient2*
bash ikev2.sh <<ANSWERS
2
nonexistclient
vpnclient2
ANSWERS
ls -ld /etc/ipsec.d/vpnclient2.mobileconfig
ls -ld /etc/ipsec.d/vpnclient2.sswan
ls -ld /etc/ipsec.d/vpnclient2.p12
bash ikev2.sh <<ANSWERS
3
ANSWERS
bash ikev2.sh <<ANSWERS
4
nonexistclient
vpnclient2
y
ANSWERS
bash ikev2.sh <<ANSWERS 2>&1 | grep -i "abort"
4
vpnclient2
ANSWERS
bash ikev2.sh <<ANSWERS 2>&1 | grep -i "abort"
2
vpnclient2
ANSWERS
bash ikev2.sh <<ANSWERS
100
6
ANSWERS
bash ikev2.sh <<ANSWERS 2>&1 | grep -i "abort"
5
ANSWERS
bash ikev2.sh <<ANSWERS
5
y
ANSWERS
restart_ipsec
ls -ld /etc/ipsec.d/ikev2.conf && exit 1
ipsec status | grep -q l2tp-psk
ipsec status | grep -q xauth-psk
ipsec status | grep -q ikev2-cp && exit 1
certutil -L -d sql:/etc/ipsec.d
rm -f /etc/ipsec.d/vpnclient*
VPN_DNS_SRV1=invaliddns \
bash ikev2.sh --auto 2>&1 | grep -i "invalid"
sed -i '/^include /d' /etc/ipsec.conf
VPN_CLIENT_NAME=vpnclient1 \
VPN_DNS_NAME=vpn.example.com \
VPN_DNS_SRV1=1.1.1.1 \
VPN_DNS_SRV2=1.0.0.1 \
bash ikev2.sh --auto
grep -q 'leftid=@vpn.example.com' /etc/ipsec.d/ikev2.conf
grep -q 'modecfgdns="1.1.1.1 1.0.0.1"' /etc/ipsec.d/ikev2.conf
ls -ld /etc/ipsec.d/vpnclient1.mobileconfig
ls -ld /etc/ipsec.d/vpnclient1.sswan
ls -ld /etc/ipsec.d/vpnclient1.p12
grep -q 'vpn.example.com' /etc/ipsec.d/vpnclient1.mobileconfig
grep -q 'vpn.example.com' /etc/ipsec.d/vpnclient1.sswan
restart_ipsec
ipsec status | grep -q ikev2-cp
bash ikev2.sh --auto --addclient invalidclient: 2>&1 | grep -i "warning"
bash ikev2.sh --addclient invalidclient: 2>&1 | grep -i "invalid"
bash ikev2.sh --addclient vpnclient1 2>&1 | grep -i "already exists"
bash ikev2.sh --addclient vpnclient2
ls -ld /etc/ipsec.d/vpnclient2.mobileconfig
ls -ld /etc/ipsec.d/vpnclient2.sswan
ls -ld /etc/ipsec.d/vpnclient2.p12
bash ikev2.sh --exportclient nonexistclient 2>&1 | grep -i "does not exist"
rm -f /etc/ipsec.d/vpnclient2*
bash ikev2.sh --exportclient vpnclient2
ls -ld /etc/ipsec.d/vpnclient2.mobileconfig
ls -ld /etc/ipsec.d/vpnclient2.sswan
ls -ld /etc/ipsec.d/vpnclient2.p12
bash ikev2.sh --addclient vpnclient2 --exportclient vpnclient2 2>&1 | grep -i "invalid"
bash ikev2.sh --listclients | grep "vpnclient1 \+valid"
bash ikev2.sh --listclients | grep "vpnclient2 \+valid"
bash ikev2.sh --revokeclient nonexistclient 2>&1 | grep -i "does not exist"
bash ikev2.sh --revokeclient vpnclient2 <<ANSWERS
y
ANSWERS
bash ikev2.sh --listclients | grep "vpnclient2 \+revoked"
bash ikev2.sh --revokeclient vpnclient2 2>&1 | grep -i "already been revoked"
bash ikev2.sh --exportclient vpnclient2 2>&1 | grep -i "revoked"
bash ikev2.sh -h 2>&1 | grep -i "usage:"
bash ikev2.sh --invalidoption 2>&1 | grep -i "usage:"
bash ikev2.sh --removeikev2 --exportclient vpnclient1 2>&1 | grep -i "invalid"
bash ikev2.sh --removeikev2 <<ANSWERS
y
ANSWERS
restart_ipsec
bash ikev2.sh <<ANSWERS
y
invalidfqdn
vpn.example.com
y
invaliddns
1.1.1.1
invaliddns
1.0.0.1
y
ANSWERS
grep -q 'leftid=@vpn.example.com' /etc/ipsec.d/ikev2.conf
grep -q 'modecfgdns="1.1.1.1 1.0.0.1"' /etc/ipsec.d/ikev2.conf
restart_ipsec
ipsec status | grep -q ikev2-cp
bash ikev2.sh --removeikev2 <<ANSWERS
y
ANSWERS
restart_ipsec
bash ikev2.sh <<ANSWERS
invalidip
1.2.3.4
invalidclient:
vpnclient1
1000
12
y
1.1.1.1
y
ANSWERS
grep -q 'leftid=1.2.3.4' /etc/ipsec.d/ikev2.conf
grep -q 'modecfgdns=1.1.1.1' /etc/ipsec.d/ikev2.conf
restart_ipsec
ipsec status | grep -q ikev2-cp
bash ikev2.sh --removeikev2 <<ANSWERS
y
ANSWERS
restart_ipsec
VPN_DNS_SRV1=1.1.1.1 \
bash ikev2.sh --auto
grep -q 'modecfgdns=1.1.1.1' /etc/ipsec.d/ikev2.conf
restart_ipsec
ipsec status | grep -q ikev2-cp
bash ikev2.sh --removeikev2 <<ANSWERS
y
ANSWERS
restart_ipsec
bash ikev2.sh --auto
grep -q 'modecfgdns="8.8.8.8 8.8.4.4"' /etc/ipsec.d/ikev2.conf
restart_ipsec
ipsec status | grep -q ikev2-cp
wget -t 3 -T 30 -nv -O vpnup.sh https://git.io/vpnupgrade
sed -i '/curl /a sed -i "/swan_ver_latest=/s/^/#/" "$tmpdir/vpnup.sh"' vpnup.sh
for ver in 4.4 ""; do
sed -i "s/^SWAN_VER=.*/SWAN_VER=$ver/" vpnup.sh
bash vpnup.sh <<ANSWERS
y
ANSWERS
restart_ipsec
ipsec --version | grep "$ver"
ipsec status | grep -q l2tp-psk
ipsec status | grep -q xauth-psk
ipsec status | grep -q ikev2-cp
done
if [ "$1" != "amazon" ]; then
wget -t 3 -T 30 -nv -O vpnup.sh https://git.io/vpnupgrade-centos
else
wget -t 3 -T 30 -nv -O vpnup.sh https://git.io/vpnupgrade-amzn
fi
sed -i '/swan_ver_latest=/s/^/#/' vpnup.sh
for ver in 4.5 ""; do
sed -i "s/^SWAN_VER=.*/SWAN_VER=$ver/" vpnup.sh
bash vpnup.sh <<ANSWERS
y
ANSWERS
restart_ipsec
ipsec --version | grep "$ver"
ipsec status | grep -q l2tp-psk
ipsec status | grep -q xauth-psk
ipsec status | grep -q ikev2-cp
done
bash ikev2.sh --removeikev2 <<ANSWERS
y
ANSWERS
restart_ipsec
ls -ld /etc/ipsec.d/ikev2.conf && exit 1
ipsec status | grep -q l2tp-psk
ipsec status | grep -q xauth-psk
ipsec status | grep -q ikev2-cp && exit 1
certutil -L -d sql:/etc/ipsec.d
exit 0
EOF
if [ "$OS_VERSION" = "centos:8s" ]; then
echo "FROM quay.io/centos/centos:stream8" > Dockerfile
else
echo "FROM $OS_VERSION" > Dockerfile
fi
cat >> Dockerfile <<'EOF'
ENV container docker
WORKDIR /opt/src
RUN if command -v amazon-linux-extras; then amazon-linux-extras install -y kernel-ng; fi
RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ "$i" = \
systemd-tmpfiles-setup.service ] || rm -f "$i"; done); \
rm -f /lib/systemd/system/multi-user.target.wants/*; \
rm -f /etc/systemd/system/*.wants/*; \
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*; \
rm -f /lib/systemd/system/anaconda.target.wants/*;
COPY ./run.sh /opt/src/run.sh
RUN chmod 755 /opt/src/run.sh
VOLUME [ "/sys/fs/cgroup" ]
CMD ["/sbin/init"]
EOF
cat Dockerfile
cat run.sh
docker build -t "${OS_VERSION//:}-test" .
- name: Test
run: |
docker run -d --name "${OS_VERSION//:}-test-1" -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
--privileged "${OS_VERSION//:}-test"
sleep 5
docker exec "${OS_VERSION//:}-test-1" /opt/src/run.sh "${OS_VERSION::6}"
- name: Clear
if: always()
run: |
rm -rf "$GITHUB_WORKSPACE/testing/${OS_VERSION//:}"
docker rm -f "${OS_VERSION//:}-test-1" || true
docker rmi "${OS_VERSION//:}-test" || true
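Review bot: The scripts under test are fetched at run time from `https://git.io/vpnsetup`, `git.io/vpnquickstart`, `git.io/ikev2setup`, `git.io/vpnupgrade` and the related links inside the `run.sh` heredoc, and the `check_urls` workflow in this same commit shows those short links resolve to `raw/master`, so the job exercises whatever is on master when it runs rather than the commit that triggered it; unless the caller only invokes this reusable workflow after a push lands on master, a comment stating that, or building the test image from a checkout of the triggering commit, would remove the ambiguity. The same applies to `test_set_2.yml` in this commit. Separately, the fixed `sleep 5` in the `Test` step races systemd's boot inside the container; a bounded poll such as `until docker exec "${OS_VERSION//:}-test-1" systemctl is-system-running 2>/dev/null | grep -Eq '^(running|degraded)$'; do sleep 1; done` (with a retry cap) would be more robust than guessing the delay. A comment above `--privileged` saying it exists only so `/sbin/init` can run inside the test container (presumably — confirm) would also spare the next reader from wondering whether the tests need it.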

493
.github/workflows/test_set_2.yml vendored Normal file

@ -0,0 +1,493 @@
#
# Copyright (C) 2020-2022 Lin Song <linsongui@gmail.com>
#
# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
# Unported License: http://creativecommons.org/licenses/by-sa/3.0/
#
# Attribution required: please include my name in any derivative and let me
# know how you have improved it!
name: test_set_2
on: workflow_call
jobs:
test_set_2:
runs-on: ubuntu-20.04
if: github.repository_owner == 'hwdsl2'
strategy:
matrix:
os_version: ["ubuntu:20.04", "ubuntu:18.04", "debian:11", "debian:10", "debian:9", "alpine:3.14", "alpine:3.15"]
fail-fast: false
container:
image: ${{ matrix.os_version }}
options: --cap-add=NET_ADMIN --device=/dev/ppp
steps:
- name: Test
run: |
set -ex
os_type=""
[ -f /etc/os-release ] && os_type=$(. /etc/os-release && printf '%s' "$ID")
[ -z "$os_type" ] && exit 1
log1=/var/log/auth.log
if [ "$os_type" = "alpine" ]; then
log2=/var/log/messages
else
log2=/var/log/syslog
fi
restart_ipsec() {
if [ "$os_type" = "alpine" ]; then
ipsec whack --shutdown || true
ipsec pluto --config /etc/ipsec.conf
fi
echo "Waiting for IPsec to restart."
count=0
while ! grep -q "pluto\[$(cat /var/run/pluto/pluto.pid)\]: listening for IKE messages" "$log1"; do
[ "$count" -ge "30" ] && { echo "IPsec failed to start."; exit 1; }
count=$((count+1))
printf '%s' '.'
sleep 0.5
done
echo
}
restart_fail2ban() {
rm -f /var/log/fail2ban.log
service fail2ban restart
echo "Waiting for Fail2ban to restart."
count=0
while ! grep -qs -E "Jail '(sshd?|ssh-iptables)' started" /var/log/fail2ban.log; do
[ "$count" -ge "30" ] && { echo "Fail2ban failed to start."; exit 1; }
count=$((count+1))
printf '%s' '.'
sleep 0.5
done
echo
}
mkdir -p /opt/src
cd /opt/src
echo "# hwdsl2" > run.sh
if [ "$os_type" = "alpine" ]; then
apk add -U wget rsyslog
rsyslogd
else
export DEBIAN_FRONTEND=noninteractive
apt-get -yqq update
apt-get -yqq dist-upgrade
apt-get -yqq install wget rsyslog
service rsyslog start
fi
wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup
sed -i '/curl /a sed -i "/swan_ver_latest=/s/^/#/" "$tmpdir/vpn.sh"' vpnsetup.sh
sh vpnsetup.sh
if [ "$os_type" = "alpine" ]; then
ipsec initnss
xl2tpd -c /etc/xl2tpd/xl2tpd.conf
restart_ipsec
else
restart_ipsec
restart_fail2ban
cat /var/log/fail2ban.log
fi
netstat -anpu | grep pluto
netstat -anpu | grep xl2tpd
iptables -nvL
iptables -nvL | grep -q 'ppp+'
iptables -nvL | grep -q '192\.168\.43\.0/24'
iptables -nvL -t nat
iptables -nvL -t nat | grep -q '192\.168\.42\.0/24'
iptables -nvL -t nat | grep -q '192\.168\.43\.0/24'
grep pluto "$log1"
grep xl2tpd "$log2"
ipsec status
ipsec status | grep -q l2tp-psk
ipsec status | grep -q xauth-psk
ls -l /usr/bin/ikev2.sh
ls -l /opt/src/ikev2.sh
wget -t 3 -T 30 -nv -O vpnunst.sh https://git.io/vpnuninstall
bash vpnunst.sh <<ANSWERS
y
ANSWERS
rm -f /usr/bin/ikev2.sh /opt/src/ikev2.sh
if [ "$os_type" = "alpine" ]; then
killall pluto || true
killall xl2tpd || true
fi
wget -t 3 -T 30 -nv -O quickstart.sh https://git.io/vpnquickstart
sed -i -e '/curl /a sed -i "/swan_ver_latest=/s/^/#/" "$tmpdir/vpn.sh"' \
-e '/sleep 1/a sed -i "/swan_ver_latest=/s/^/#/" /opt/src/ikev2.sh' quickstart.sh
sh quickstart.sh
if [ "$os_type" = "alpine" ]; then
xl2tpd -c /etc/xl2tpd/xl2tpd.conf
restart_ipsec
else
restart_ipsec
restart_fail2ban
cat /var/log/fail2ban.log
fi
netstat -anpu | grep pluto
netstat -anpu | grep xl2tpd
iptables -nvL
iptables -nvL | grep -q 'ppp+'
iptables -nvL | grep -q '192\.168\.43\.0/24'
iptables -nvL -t nat
iptables -nvL -t nat | grep -q '192\.168\.42\.0/24'
iptables -nvL -t nat | grep -q '192\.168\.43\.0/24'
ipsec status
ipsec status | grep -q l2tp-psk
ipsec status | grep -q xauth-psk
ipsec status | grep -q ikev2-cp
ls -ld /etc/ipsec.d/vpnclient.mobileconfig
ls -ld /etc/ipsec.d/vpnclient.sswan
ls -ld /etc/ipsec.d/vpnclient.p12
ls -l /usr/bin/ikev2.sh
ls -l /opt/src/ikev2.sh
bash vpnunst.sh <<ANSWERS
y
ANSWERS
rm -f /usr/bin/ikev2.sh /opt/src/ikev2.sh
if [ "$os_type" = "alpine" ]; then
killall pluto || true
killall xl2tpd || true
fi
if [ "$os_type" = "alpine" ]; then
wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup-alpine
else
wget -t 3 -T 30 -nv -O vpnsetup.sh https://git.io/vpnsetup-ubuntu
fi
sed -i '/swan_ver_latest=/s/^/#/' vpnsetup.sh
VPN_IPSEC_PSK='your_ipsec_pre_shared_key' \
VPN_USER='your_vpn_username' \
VPN_PASSWORD='your_vpn_password' \
VPN_DNS_SRV1='1.1.1.1' \
VPN_DNS_SRV2='1.0.0.1' \
bash vpnsetup.sh
if [ "$os_type" = "alpine" ]; then
ipsec initnss
xl2tpd -c /etc/xl2tpd/xl2tpd.conf
fi
restart_ipsec
netstat -anpu | grep pluto
netstat -anpu | grep xl2tpd
iptables -nvL
iptables -nvL | grep -q 'ppp+'
iptables -nvL | grep -q '192\.168\.43\.0/24'
iptables -nvL -t nat
iptables -nvL -t nat | grep -q '192\.168\.42\.0/24'
iptables -nvL -t nat | grep -q '192\.168\.43\.0/24'
ipsec status
ipsec status | grep -q l2tp-psk
ipsec status | grep -q xauth-psk
grep -q "your_ipsec_pre_shared_key" /etc/ipsec.secrets
grep -q "your_vpn_username" /etc/ppp/chap-secrets
grep -q "your_vpn_password" /etc/ppp/chap-secrets
grep -q "your_vpn_username" /etc/ipsec.d/passwd
grep -q 'modecfgdns="1.1.1.1 1.0.0.1"' /etc/ipsec.conf
grep -q 'ms-dns 1.1.1.1' /etc/ppp/options.xl2tpd
grep -q 'ms-dns 1.0.0.1' /etc/ppp/options.xl2tpd
ls -l /usr/bin/ikev2.sh
ls -l /opt/src/ikev2.sh
wget -t 3 -T 30 -nv -O ikev2.sh https://git.io/ikev2setup
sed -i '/swan_ver_latest=/s/^/#/' ikev2.sh
bash ikev2.sh <<ANSWERS
y
ANSWERS
grep -q 'modecfgdns="8.8.8.8 8.8.4.4"' /etc/ipsec.d/ikev2.conf
ls -ld /etc/ipsec.d/vpnclient.mobileconfig
ls -ld /etc/ipsec.d/vpnclient.sswan
ls -ld /etc/ipsec.d/vpnclient.p12
restart_ipsec
grep pluto "$log1" | tail -n 20
ipsec status | grep -q ikev2-cp
bash ikev2.sh <<ANSWERS
1
invalidclient:
vpnclient
vpnclient2
ANSWERS
ls -ld /etc/ipsec.d/vpnclient2.mobileconfig
ls -ld /etc/ipsec.d/vpnclient2.sswan
ls -ld /etc/ipsec.d/vpnclient2.p12
rm -f /etc/ipsec.d/vpnclient2*
bash ikev2.sh <<ANSWERS
2
nonexistclient
vpnclient2
ANSWERS
ls -ld /etc/ipsec.d/vpnclient2.mobileconfig
ls -ld /etc/ipsec.d/vpnclient2.sswan
ls -ld /etc/ipsec.d/vpnclient2.p12
bash ikev2.sh <<ANSWERS
3
ANSWERS
bash ikev2.sh <<ANSWERS
4
nonexistclient
vpnclient2
y
ANSWERS
bash ikev2.sh <<ANSWERS 2>&1 | grep -i "abort"
4
vpnclient2
ANSWERS
bash ikev2.sh <<ANSWERS 2>&1 | grep -i "abort"
2
vpnclient2
ANSWERS
bash ikev2.sh <<ANSWERS
100
6
ANSWERS
bash ikev2.sh <<ANSWERS 2>&1 | grep -i "abort"
5
ANSWERS
bash ikev2.sh <<ANSWERS
5
y
ANSWERS
restart_ipsec
ls -ld /etc/ipsec.d/ikev2.conf && exit 1
ipsec status | grep -q l2tp-psk
ipsec status | grep -q xauth-psk
ipsec status | grep -q ikev2-cp && exit 1
certutil -L -d sql:/etc/ipsec.d
rm -f /etc/ipsec.d/vpnclient*
VPN_DNS_SRV1=invaliddns \
bash ikev2.sh --auto 2>&1 | grep -i "invalid"
if [ "$os_type" = "alpine" ]; then
apk del uuidgen
else
apt-get -yqq remove uuid-runtime
fi
sed -i '/^include /d' /etc/ipsec.conf
VPN_CLIENT_NAME=vpnclient1 \
VPN_DNS_NAME=vpn.example.com \
VPN_DNS_SRV1=1.1.1.1 \
VPN_DNS_SRV2=1.0.0.1 \
bash ikev2.sh --auto
grep -q 'leftid=@vpn.example.com' /etc/ipsec.d/ikev2.conf
grep -q 'modecfgdns="1.1.1.1 1.0.0.1"' /etc/ipsec.d/ikev2.conf
ls -ld /etc/ipsec.d/vpnclient1.mobileconfig
ls -ld /etc/ipsec.d/vpnclient1.sswan
ls -ld /etc/ipsec.d/vpnclient1.p12
grep -q 'vpn.example.com' /etc/ipsec.d/vpnclient1.mobileconfig
grep -q 'vpn.example.com' /etc/ipsec.d/vpnclient1.sswan
restart_ipsec
ipsec status | grep -q ikev2-cp
bash ikev2.sh --auto --addclient invalidclient: 2>&1 | grep -i "warning"
bash ikev2.sh --addclient invalidclient: 2>&1 | grep -i "invalid"
bash ikev2.sh --addclient vpnclient1 2>&1 | grep -i "already exists"
bash ikev2.sh --addclient vpnclient2
ls -ld /etc/ipsec.d/vpnclient2.mobileconfig
ls -ld /etc/ipsec.d/vpnclient2.sswan
ls -ld /etc/ipsec.d/vpnclient2.p12
bash ikev2.sh --exportclient nonexistclient 2>&1 | grep -i "does not exist"
rm -f /etc/ipsec.d/vpnclient2*
bash ikev2.sh --exportclient vpnclient2
ls -ld /etc/ipsec.d/vpnclient2.mobileconfig
ls -ld /etc/ipsec.d/vpnclient2.sswan
ls -ld /etc/ipsec.d/vpnclient2.p12
bash ikev2.sh --addclient vpnclient2 --exportclient vpnclient2 2>&1 | grep -i "invalid"
bash ikev2.sh --listclients | grep "vpnclient1 \+valid"
bash ikev2.sh --listclients | grep "vpnclient2 \+valid"
bash ikev2.sh --revokeclient nonexistclient 2>&1 | grep -i "does not exist"
bash ikev2.sh --revokeclient vpnclient2 <<ANSWERS
y
ANSWERS
bash ikev2.sh --listclients | grep "vpnclient2 \+revoked"
bash ikev2.sh --revokeclient vpnclient2 2>&1 | grep -i "already been revoked"
bash ikev2.sh --exportclient vpnclient2 2>&1 | grep -i "revoked"
bash ikev2.sh -h 2>&1 | grep -i "usage:"
bash ikev2.sh --invalidoption 2>&1 | grep -i "usage:"
bash ikev2.sh --removeikev2 --exportclient vpnclient1 2>&1 | grep -i "invalid"
bash ikev2.sh --removeikev2 <<ANSWERS
y
ANSWERS
restart_ipsec
bash ikev2.sh <<ANSWERS
y
invalidfqdn
vpn.example.com
y
invaliddns
1.1.1.1
invaliddns
1.0.0.1
y
ANSWERS
grep -q 'leftid=@vpn.example.com' /etc/ipsec.d/ikev2.conf
grep -q 'modecfgdns="1.1.1.1 1.0.0.1"' /etc/ipsec.d/ikev2.conf
restart_ipsec
ipsec status | grep -q ikev2-cp
bash ikev2.sh --removeikev2 <<ANSWERS
y
ANSWERS
restart_ipsec
bash ikev2.sh <<ANSWERS
invalidip
1.2.3.4
invalidclient:
vpnclient1
1000
12
y
1.1.1.1
y
ANSWERS
grep -q 'leftid=1.2.3.4' /etc/ipsec.d/ikev2.conf
grep -q 'modecfgdns=1.1.1.1' /etc/ipsec.d/ikev2.conf
restart_ipsec
ipsec status | grep -q ikev2-cp
bash ikev2.sh --removeikev2 <<ANSWERS
y
ANSWERS
restart_ipsec
VPN_DNS_SRV1=1.1.1.1 \
bash ikev2.sh --auto
grep -q 'modecfgdns=1.1.1.1' /etc/ipsec.d/ikev2.conf
restart_ipsec
ipsec status | grep -q ikev2-cp
bash ikev2.sh --removeikev2 <<ANSWERS
y
ANSWERS
restart_ipsec
bash ikev2.sh --auto
grep -q 'modecfgdns="8.8.8.8 8.8.4.4"' /etc/ipsec.d/ikev2.conf
restart_ipsec
ipsec status | grep -q ikev2-cp
wget -t 3 -T 30 -nv -O vpnup.sh https://git.io/vpnupgrade
sed -i '/curl /a sed -i "/swan_ver_latest=/s/^/#/" "$tmpdir/vpnup.sh"' vpnup.sh
[ "$os_type" = "alpine" ] && ver1=4.5 || ver1=4.4
for ver in "$ver1" ""; do
if [ "$os_type" = "alpine" ]; then
ipsec whack --shutdown || true
fi
sed -i "s/^SWAN_VER=.*/SWAN_VER=$ver/" vpnup.sh
bash vpnup.sh <<ANSWERS
y
ANSWERS
restart_ipsec
ipsec --version | grep "$ver"
ipsec status | grep -q l2tp-psk
ipsec status | grep -q xauth-psk
ipsec status | grep -q ikev2-cp
done
if [ "$os_type" = "alpine" ]; then
wget -t 3 -T 30 -nv -O vpnup.sh https://git.io/vpnupgrade-alpine
else
wget -t 3 -T 30 -nv -O vpnup.sh https://git.io/vpnupgrade-ubuntu
fi
sed -i '/swan_ver_latest=/s/^/#/' vpnup.sh
for ver in 4.5 ""; do
if [ "$os_type" = "alpine" ]; then
ipsec whack --shutdown || true
fi
sed -i "s/^SWAN_VER=.*/SWAN_VER=$ver/" vpnup.sh
bash vpnup.sh <<ANSWERS
y
ANSWERS
restart_ipsec
ipsec --version | grep "$ver"
ipsec status | grep -q l2tp-psk
ipsec status | grep -q xauth-psk
ipsec status | grep -q ikev2-cp
done
bash ikev2.sh --removeikev2 <<ANSWERS
y
ANSWERS
restart_ipsec
ls -ld /etc/ipsec.d/ikev2.conf && exit 1
ipsec status | grep -q l2tp-psk
ipsec status | grep -q xauth-psk
ipsec status | grep -q ikev2-cp && exit 1
certutil -L -d sql:/etc/ipsec.d
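Review bot: The `apk del uuidgen` / `apt-get -yqq remove uuid-runtime` branch before the `VPN_CLIENT_NAME=vpnclient1 … bash ikev2.sh --auto` run has no comment, and a reader cannot tell from the step why a package is removed mid-test; if the aim is to drive ikev2.sh through its no-`uuidgen` path (an inference — confirm), a line such as `# remove uuidgen so the following ikev2.sh runs exercise its fallback` above the `if` would make that obvious, and the `sed -i '/^include /d' /etc/ipsec.conf` line immediately after it needs the same kind of explanation. In `restart_ipsec`, the wait loop re-reads `/var/run/pluto/pluto.pid` on every iteration, which only works if the old pid file is gone before the new pluto writes its own; if a stale pid file survives `ipsec whack --shutdown`, the `grep` matches the previous start's `listening for IKE messages` line and the function returns before the new daemon is up. Capturing the pid before the restart and waiting for a different one to appear in the log would make that check unambiguous; the same helper is duplicated in `test_set_1.yml`.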


@ -88,7 +88,7 @@ wget https://git.io/vpnquickstart -O vpn.sh && sudo sh vpn.sh
## 安装说明
首先,更新你的系统:运行 `apt-get update && apt-get dist-upgrade` (Ubuntu/Debian) 或者 `yum update` 并重启。这一步是可选的,但推荐。
首先,更新你的系统:运行 `sudo apt-get update && sudo apt-get dist-upgrade` (Ubuntu/Debian) 或者 `sudo yum update` 并重启。这一步是可选的,但推荐。
要安装 VPN请从以下选项中选择一个
@ -202,7 +202,7 @@ wget https://git.io/vpnupgrade -O vpnup.sh && sudo sh vpnup.sh
- [VPN 分流](docs/advanced-usage-zh.md#vpn-分流)
- [访问 VPN 服务器的网段](docs/advanced-usage-zh.md#访问-vpn-服务器的网段)
- [更改 IPTables 规则](docs/advanced-usage-zh.md#更改-iptables-规则)
- [部署Google BBR拥塞控制算法](docs/advanced-usage-zh.md#部署google-bbr拥塞控制算法)
- [部署 Google BBR 拥塞控制算法](docs/advanced-usage-zh.md#部署-google-bbr-拥塞控制算法)
## 问题和反馈


@ -88,7 +88,7 @@ A pre-built [Docker image](https://github.com/hwdsl2/docker-ipsec-vpn-server) is
## Installation
First, update your system with `apt-get update && apt-get dist-upgrade` (Ubuntu/Debian) or `yum update` and reboot. This is optional, but recommended.
First, update your system with `sudo apt-get update && sudo apt-get dist-upgrade` (Ubuntu/Debian) or `sudo yum update` and reboot. This is optional, but recommended.
To install the VPN, please choose one of the following options:
@ -202,6 +202,7 @@ See [Advanced usage](docs/advanced-usage.md).
- [Split tunneling](docs/advanced-usage.md#split-tunneling)
- [Access VPN server's subnet](docs/advanced-usage.md#access-vpn-servers-subnet)
- [Modify IPTables rules](docs/advanced-usage.md#modify-iptables-rules)
- [Deploy Google BBR congestion control algorithm](docs/advanced-usage.md#deploy-google-bbr-congestion-control-algorithm)
## Bugs & Questions


@ -10,7 +10,7 @@
* [VPN 分流](#vpn-分流)
* [访问 VPN 服务器的网段](#访问-vpn-服务器的网段)
* [更改 IPTables 规则](#更改-iptables-规则)
* [部署Google BBR拥塞控制算法](#部署google-bbr拥塞控制算法)
* [部署 Google BBR 拥塞控制算法](#部署-google-bbr-拥塞控制算法)
## 使用其他的 DNS 服务器
@ -280,11 +280,11 @@ iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o "$netif" -j MASQUERADE
**注:** 如果使用 Rocky Linux, AlmaLinux 或者 CentOS/RHEL 8 并且在安装 VPN 时 firewalld 正在运行,则可能已配置 nftables。在这种情况下编辑 `/etc/sysconfig/nftables.conf` 而不是 `/etc/sysconfig/iptables`
## 部署Google BBR拥塞控制算法
## 部署 Google BBR 拥塞控制算法
VPN服务器搭建完成后可以通过部署Google BBR拥塞控制算法提升性能。
VPN 服务器搭建完成后,可以通过部署 Google BBR 拥塞控制算法提升性能。
这通常只需要在配置文件 `/etc/sysctl.conf` 中插入设定即可完成。但是部分Linux发行版可能需要额外更新Linux Kernel
这通常只需要在配置文件 `/etc/sysctl.conf` 中插入设定即可完成。但是部分 Linux 发行版可能需要额外更新 Linux 内核
详细的部署方法,可以参考[这篇文档](bbr-zh.md)。


@ -10,6 +10,7 @@
* [Split tunneling](#split-tunneling)
* [Access VPN server's subnet](#access-vpn-servers-subnet)
* [Modify IPTables rules](#modify-iptables-rules)
* [Deploy Google BBR congestion control algorithm](#deploy-google-bbr-congestion-control-algorithm)
## Use alternative DNS servers
@ -280,6 +281,14 @@ If you want to modify the IPTables rules after install, edit `/etc/iptables.rule
**Note:** If using Rocky Linux, AlmaLinux or CentOS/RHEL 8 and firewalld was active during VPN setup, nftables may be configured. In this case, edit `/etc/sysconfig/nftables.conf` instead of `/etc/sysconfig/iptables`.
## Deploy Google BBR congestion control algorithm
After the VPN server is set up, the performance can be improved by deploying the Google BBR congestion control algorithm.
This is usually done by modifying the configuration file `/etc/sysctl.conf`. However, some Linux distributions may additionally require updates to the Linux kernel.
For detailed deployment methods, please refer to [this document](bbr.md).
## License
Copyright (C) 2021-2022 [Lin Song](https://github.com/hwdsl2) [![View my profile on LinkedIn](https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png)](https://www.linkedin.com/in/linsongui)


@ -1,22 +1,24 @@
# Google BBR
# 高级用法:部署 Google BBR 拥塞控制算法
Google BBR是一种由Google开发的拥塞控制算法它能够显著提升服务器吞吐率并降低延迟。
*其他语言版本: [English](bbr.md), [简体中文](bbr-zh.md)。*
Google BBR已经被内置于Linux Kernel 4.9及更高版本中,但是需要手动开启。
Google BBR是一种拥塞控制算法它能够显著提升服务器吞吐率并降低延迟。
Google BBR已经被内置于Linux内核4.9及更高版本中,但是需要手动开启。
关于Google BBR算法可以在这篇[官方博客](https://cloud.google.com/blog/products/networking/tcp-bbr-congestion-control-comes-to-gcp-your-internet-just-got-faster)或者这个[官方库](https://github.com/google/bbr)中找到更多信息。
## 准备
可以通过命令 `uname -r` 来查看当前Linux Kernel版本。版本大于等于4.9时,可以直接参照[下方的说明](#部署google-bbr)部署BBR。
可以通过命令 `uname -r` 来查看当前Linux内核版本。版本大于等于4.9时,可以直接参照[下方的说明](#部署-google-bbr)部署BBR。
通常而言Ubuntu 18.04+, Debian 10+CentOS 8+及RHEL 8+的内核版本都大于4.9。但是对于CentOS 7或者Amazon Linux 2需要通过以下的方式更新内核之后才能部署Google BBR。
### Amazon Linux 2
Amazon Linux 2提供过经过验证的新版Linux Kernel并可以通过启用预置的Extras库安装。
Amazon Linux 2提供过经过验证的新版Linux内核并可以通过启用预置的Extras库安装。
1. 启用 `kernel-ng` Extras 库
1. 从Extras库安装 `kernel-ng`
```bash
sudo amazon-linux-extras install kernel-ng
```
@ -28,53 +30,53 @@ Amazon Linux 2提供过经过验证的新版Linux Kernel并可以通过启用
```bash
sudo reboot
```
4. 检查Linux Kernel版本
4. 检查Linux内核版本
```bash
uname -r
```
### CentOS 7
当使用CentOS 7时需要安装由ELRepo Project提供的新版Linux Kernel。可以在[这个页面](http://elrepo.org/tiki/kernel-ml)找到有关ELRepo Project提供的Linux Kernel的更多信息。
当使用CentOS 7时需要安装由ELRepo Project提供的新版Linux内核。可以在[这个页面](http://elrepo.org/tiki/kernel-ml)找到有关ELRepo Project提供的Linux内核的更多信息。
以下的安装说明,因为缺少可供参考的中文文档,暂仅提供英文版
参见下面的安装说明
1. Import ELRepo Project's public key.
1. 导入ELRepo Project的公钥。
```bash
sudo rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
```
2. Install ELRepo for RHEL-7, SL-7 or CentOS-7.
2. 为 RHEL-7、SL-7 或 CentOS-7 安装 ELRepo。
```bash
sudo yum install https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
```
3. Install `kernel-ml`.
3. 安装 `kernel-ml`
```bash
sudo yum --enablerepo=elrepo-kernel install kernel-ml
```
4. Confirm the result.
4. 确认结果。
```bash
rpm -qa | grep kernel
```
You should see `kernel-ml-xxx` in output.
5. Show all entries in the grub2 menu and setup `kernel-ml`.
你应该在输出中看到 `kernel-ml-xxx`
5. 显示 grub2 菜单中的所有条目并设置 `kernel-ml`
```bash
sudo egrep ^menuentry /etc/grub2.cfg | cut -f 2 -d \'
```
**Indexing starts at `0`.**
For example, when the `kernel-ml` is located at `1`, use the command below to activate `kernel-ml`.
**索引从 `0` 开始。**
例如,当 `kernel-ml` 位于 `1` 时,使用下面的命令来激活 `kernel-ml`
```bash
sudo grub2-set-default 1
```
6. Reboot.
6. 重启。
```bash
sudo reboot
```
7. Check Linux kernel version.
7. 检查 Linux 内核版本。
```bash
uname -r
```
## 部署Google BBR
## 部署 Google BBR
在这个部分我们将通过修改配置文件启动Google BBR。
@ -82,7 +84,7 @@ Amazon Linux 2提供过经过验证的新版Linux Kernel并可以通过启用
```bash
sudo cp /etc/sysctl.conf /etc/sysctl.conf.backup
```
2. 修改`/etc/sysctl.conf`
2. 修改 `/etc/sysctl.conf`
```bash
sudo vim /etc/sysctl.conf
```
@ -103,4 +105,8 @@ Amazon Linux 2提供过经过验证的新版Linux Kernel并可以通过启用
# bbr
lsmod | grep bbr
# tcp_bbr 16384 0
```
```
## 作者
版权所有 (C) 2022 [Leo Liu](https://github.com/optimusleobear)
113
docs/bbr.md Normal file
@ -0,0 +1,113 @@
# Advanced usage: Deploy Google BBR congestion control algorithm
*Read this in other languages: [English](bbr.md), [简体中文](bbr-zh.md).*
Google BBR is a congestion control algorithm that could significantly increase server throughput and reduce latency.
Google BBR has been built into Linux kernel 4.9 and higher, but needs to be manually turned on.
To learn more about the Google BBR algorithm, see this [official blog](https://cloud.google.com/blog/products/networking/tcp-bbr-congestion-control-comes-to-gcp-your-internet-just-got-faster) or this [official repository](https://github.com/google/bbr).
## Prepare
You can check the current Linux kernel version with the command `uname -r`. When the version is greater than or equal to 4.9, you can deploy BBR directly by referring to the [instructions below](#deploy-google-bbr).
Generally speaking, the kernel versions of Ubuntu 18.04+, Debian 10+, CentOS 8+ and RHEL 8+ are greater than 4.9. But for CentOS 7 or Amazon Linux 2, you need to update the kernel in the following ways before deploying Google BBR.
### Amazon Linux 2
Amazon Linux 2 provides newer versions of the verified Linux kernel, which can be installed from the Extras repository.
1. Install `kernel-ng` from the Extras repository
```bash
sudo amazon-linux-extras install kernel-ng
```
2. Update packages
```bash
sudo yum update
```
3. Restart the system
```bash
sudo reboot
```
4. Check the Linux kernel version
```bash
uname -r
```
### CentOS 7
When using CentOS 7, a newer Linux kernel provided by the ELRepo Project needs to be installed. More information about the Linux kernels provided by the ELRepo Project can be found at [this page](http://elrepo.org/tiki/kernel-ml).
Refer to the installation instructions below.
1. Import ELRepo Project's public key.
```bash
sudo rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
```
2. Install ELRepo for RHEL-7, SL-7 or CentOS-7.
```bash
sudo yum install https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
```
3. Install `kernel-ml`.
```bash
sudo yum --enablerepo=elrepo-kernel install kernel-ml
```
4. Confirm the result.
```bash
rpm -qa | grep kernel
```
You should see `kernel-ml-xxx` in output.
5. Show all entries in the grub2 menu and setup `kernel-ml`.
```bash
sudo egrep ^menuentry /etc/grub2.cfg | cut -f 2 -d \'
```
**Indexing starts at `0`.**
For example, when the `kernel-ml` is located at `1`, use the command below to activate `kernel-ml`.
```bash
sudo grub2-set-default 1
```
6. Reboot.
```bash
sudo reboot
```
7. Check Linux kernel version.
```bash
uname -r
```
## Deploy Google BBR
In this section, we will start Google BBR by modifying the configuration file.
1. Backup `/etc/sysctl.conf`
```bash
sudo cp /etc/sysctl.conf /etc/sysctl.conf.backup
```
2. Modify `/etc/sysctl.conf`
```bash
sudo vim /etc/sysctl.conf
```
Add the following lines to the file
```
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
```
3. Enable Google BBR
```bash
sudo sysctl -p
```
4. Check Google BBR status
```bash
sudo sysctl net.ipv4.tcp_available_congestion_control
# net.ipv4.tcp_available_congestion_control = reno cubic bbr
sudo sysctl -n net.ipv4.tcp_congestion_control
# bbr
lsmod | grep bbr
# tcp_bbr 16384 0
```
## Author
Copyright (C) 2022 [Leo Liu](https://github.com/optimusleobear)
Translated by [Lin Song](https://github.com/hwdsl2)
@ -686,7 +686,7 @@ install_base64_uuidgen() {
bigecho2 "Installing required packages..."
if [ "$os_type" = "ubuntu" ] || [ "$os_type" = "debian" ] || [ "$os_type" = "raspbian" ]; then
export DEBIAN_FRONTEND=noninteractive
apt-get -yqq update || exiterr "'apt-get update' failed."
apt-get -yqq update || apt-get -yqq update || exiterr "'apt-get update' failed."
fi
fi
if ! command -v base64 >/dev/null 2>&1; then
@ -1018,7 +1018,7 @@ apply_ubuntu1804_nss_fix() {
if wget -t 3 -T 30 -q -O "$tmpdir/1.deb" "$nss_url1/$nss_deb1" \
&& wget -t 3 -T 30 -q -O "$tmpdir/2.deb" "$nss_url1/$nss_deb2" \
&& wget -t 3 -T 30 -q -O "$tmpdir/3.deb" "$nss_url2/$nss_deb3"; then
apt-get -yqq update
apt-get -yqq update || apt-get -yqq update
apt-get -yqq install "$tmpdir/1.deb" "$tmpdir/2.deb" "$tmpdir/3.deb" >/dev/null
fi
/bin/rm -f "$tmpdir/1.deb" "$tmpdir/2.deb" "$tmpdir/3.deb"
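Review bot: In the second hunk the retried `apt-get -yqq update || apt-get -yqq update` on L1257 has no failure handling, unlike the same pair in install_base64_uuidgen on L1248 which ends in `|| exiterr`, so when both attempts fail the script still runs `apt-get -yqq install` on the three downloaded .deb files against a stale index and discards that command's output and exit status. If the cache refresh is deliberately best-effort here, say so with a comment such as `# best-effort refresh: only affects dependency resolution for the local .deb files`; otherwise chain `|| exiterr "'apt-get update' failed."` as the first hunk does. Two back-to-back attempts with no pause will usually hit the same transient cause (a held apt/dpkg lock, a mirror still timing out), so a short `sleep` between them would make the retry meaningful. apply_ubuntu1804_nss_fix starts before the hunk; the .deb files it fetches are passed to apt-get with no checksum or signature check, which predates this change but deserves a separate look.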
@ -153,16 +153,16 @@ install_pkgs() {
export DEBIAN_FRONTEND=noninteractive
(
set -x
apt-get -yqq update
apt-get -yqq update || apt-get -yqq update
) || exiterr "'apt-get update' failed."
(
set -x
apt-get -yqq install wget >/dev/null
apt-get -yqq install wget >/dev/null || apt-get -yqq install wget >/dev/null
) || exiterr "'apt-get install wget' failed."
elif [ "$os_type" != "alpine" ]; then
(
set -x
yum -y -q install wget >/dev/null
yum -y -q install wget >/dev/null || yum -y -q install wget >/dev/null
) || exiterr "'yum install wget' failed."
fi
fi
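Review bot: The retries added on L1269, L1274 and L1280 rerun the identical command immediately, so the common transient causes — an apt/dpkg or yum lock held by another process, or a mirror that is still timing out — are usually still present on the second attempt. Inserting a short pause, e.g. `apt-get -yqq update || { sleep 5; apt-get -yqq update; }`, gives the retry a chance to succeed, and keeping the two invocations in one helper (`try_twice() { "$@" || { sleep 5; "$@"; }; }`) avoids the two copies of each command line drifting apart. Because the commands run under `set -x` inside the subshell, a failed first attempt is now traced twice on stderr, which is acceptable but worth a one-line comment explaining the retry. The enclosing install_pkgs starts before the hunk.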
@ -108,16 +108,16 @@ install_pkgs() {
export DEBIAN_FRONTEND=noninteractive
(
set -x
apt-get -yqq update
apt-get -yqq update || apt-get -yqq update
) || exiterr "'apt-get update' failed."
(
set -x
apt-get -yqq install wget >/dev/null
apt-get -yqq install wget >/dev/null || apt-get -yqq install wget >/dev/null
) || exiterr "'apt-get install wget' failed."
elif [ "$os_type" != "alpine" ]; then
(
set -x
yum -y -q install wget >/dev/null
yum -y -q install wget >/dev/null || yum -y -q install wget >/dev/null
) || exiterr "'yum install wget' failed."
fi
fi
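Review bot: The second attempt on L1297 and L1303 reruns the same install command the instant the first one fails; when the first apt-get failed on a held lock the lock is typically still held a few milliseconds later, and when it failed because dpkg was left interrupted the retry typically fails the same way until `dpkg --configure -a` has run. A `sleep` between the attempts, or `dpkg --configure -a >/dev/null 2>&1` before the apt retry, would address the cases this retry is presumably meant for. The error messages on L1293, L1298 and L1304 are unchanged, so the operator cannot tell from the output that two attempts were made; consider mentioning that in the message. install_pkgs begins before the hunk.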
@ -169,6 +169,7 @@ get_libreswan() {
install_libreswan() {
bigecho "Compiling and installing Libreswan, please wait..."
cd "libreswan-$SWAN_VER" || exit 1
service ipsec stop >/dev/null 2>&1
sed -i '28s/stdlib\.h/sys\/types.h/' include/fd.h
cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS=-w -s
@ -187,6 +188,7 @@ EOF
cd /opt/src || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
service ipsec start >/dev/null 2>&1
exiterr "Libreswan $SWAN_VER failed to build."
fi
}
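Review bot: `service ipsec stop` on L1314 runs before the source is patched and compiled, so the running VPN is taken down for the whole build rather than only for the install step; if building and installing are separate steps in the elided part of the function, stopping the daemon immediately before the install keeps the outage short. If the script is interrupted during the build (Ctrl-C, lost SSH session), nothing restarts the service, because the only `service ipsec start` is on the build-failure path on L1322; a `trap 'service ipsec start >/dev/null 2>&1' INT TERM` armed right after the stop and cleared once the new version is confirmed would cover that. A short comment on L1314 saying why the daemon must be stopped this early, rather than just before the binaries are replaced, would also help the next reader. The middle of install_libreswan is outside these two hunks.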
@ -153,6 +153,7 @@ get_libreswan() {
install_libreswan() {
bigecho "Compiling and installing Libreswan, please wait..."
cd "libreswan-$SWAN_VER" || exit 1
service ipsec stop >/dev/null 2>&1
[ "$SWAN_VER" = "4.1" ] && sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in
cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS=-w -s
@ -176,6 +177,7 @@ EOF
cd /opt/src || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
service ipsec start >/dev/null 2>&1
exiterr "Libreswan $SWAN_VER failed to build."
fi
}
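Review bot: The restart on L1341 runs `service ipsec start` unconditionally on the failure path, while the stop on L1333 does not record whether the daemon was running beforehand, so a host where ipsec had been deliberately stopped (for example mid-incident) ends up with it running after a failed upgrade. Capturing the state before the stop, e.g. `ipsec_was_running=0; service ipsec status >/dev/null 2>&1 && ipsec_was_running=1`, and restarting only when it was 1 keeps the failure path from changing the host's state; the exact status command depends on the init system this script targets, so confirm it returns non-zero when stopped. No restart is visible on the success path within the hunk; if it happens later in the script, a short comment on L1333 pointing to it would help. Only the beginning and end of install_libreswan are visible in these hunks.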
@ -189,6 +189,7 @@ get_libreswan() {
install_libreswan() {
bigecho "Compiling and installing Libreswan, please wait..."
cd "libreswan-$SWAN_VER" || exit 1
service ipsec stop >/dev/null 2>&1
[ "$SWAN_VER" = "4.1" ] && sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in
cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS=-w -s
@ -212,6 +213,7 @@ EOF
cd /opt/src || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
service ipsec start >/dev/null 2>&1
exiterr "Libreswan $SWAN_VER failed to build."
fi
}
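Review bot: The restart on L1360 is reached only when control gets as far as the version check; any earlier exit in the elided middle of install_libreswan (a build step ending in `exiterr`, or `cd /opt/src || exit 1` on L1357) leaves the daemon stopped by L1352 with nothing to start it again. Moving the restart into the error path itself — an exit helper that runs `service ipsec start >/dev/null 2>&1` before exiting, or a `trap ... EXIT` armed after the stop and disarmed after a successful install — covers all of those exits at once. It is also worth telling the operator what happened: the message `Libreswan $SWAN_VER failed to build.` does not say whether the previous daemon was brought back. Only the beginning and end of install_libreswan are visible in these hunks.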
@ -157,7 +157,7 @@ update_apt_cache() {
export DEBIAN_FRONTEND=noninteractive
(
set -x
apt-get -yqq update
apt-get -yqq update || apt-get -yqq update
) || exiterr "'apt-get update' failed."
}
@ -188,6 +188,7 @@ get_libreswan() {
install_libreswan() {
bigecho "Compiling and installing Libreswan, please wait..."
cd "libreswan-$SWAN_VER" || exit 1
service ipsec stop >/dev/null 2>&1
[ "$SWAN_VER" = "4.1" ] && sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in
cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS=-w -s
@ -219,6 +220,7 @@ EOF
cd /opt/src || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
service ipsec start >/dev/null 2>&1
exiterr "Libreswan $SWAN_VER failed to build."
fi
}
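Review bot: In update_apt_cache the retry on L1372 reruns `apt-get -yqq update` with no pause, so a lock held by unattended-upgrades or a mirror still timing out is likely to fail the second attempt too; `apt-get -yqq update || { sleep 5; apt-get -yqq update; }` keeps the intent and makes the retry useful. Since the pair runs under `set -x`, the operator sees two traced invocations when the first fails, which is fine but deserves a one-line comment such as `# retry once: the first index refresh occasionally fails on a transient mirror error`. In install_libreswan, `service ipsec stop` on L1379 precedes the compile, so the VPN outage spans the whole build; if the install step is separate, consider stopping the daemon immediately before it instead. The middle of install_libreswan is outside the hunks.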
@ -206,16 +206,16 @@ install_pkgs() {
export DEBIAN_FRONTEND=noninteractive
(
set -x
apt-get -yqq update
apt-get -yqq update || apt-get -yqq update
) || exiterr "'apt-get update' failed."
(
set -x
apt-get -yqq install wget >/dev/null
apt-get -yqq install wget >/dev/null || apt-get -yqq install wget >/dev/null
) || exiterr "'apt-get install wget' failed."
elif [ "$os_type" != "alpine" ]; then
(
set -x
yum -y -q install wget >/dev/null
yum -y -q install wget >/dev/null || yum -y -q install wget >/dev/null
) || exiterr "'yum install wget' failed."
fi
fi
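Review bot: The three retries on L1399, L1404 and L1410 duplicate each command literally, so a future change to a flag or package list has to be made twice per line and the copies can silently drift; a small helper such as `retry_once() { "$@" || { sleep 5; "$@"; }; }` called as `retry_once apt-get -yqq update` keeps one copy and adds the pause that an immediate rerun lacks. The `>/dev/null` redirections keep working when placed after the helper call (`retry_once apt-get -yqq install wget >/dev/null`), since they apply to the function invocation as a whole. With the helper, the `set -x` trace inside the subshell shows the helper name in front of the command, which slightly changes the output an operator sees on failure. install_pkgs starts before this hunk.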
@ -143,6 +143,8 @@ install_setup_pkgs() {
(
set -x
yum -y -q install wget bind-utils openssl tar \
iptables iproute gawk grep sed net-tools >/dev/null \
|| yum -y -q install wget bind-utils openssl tar \
iptables iproute gawk grep sed net-tools >/dev/null
) || exiterr2
}
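Review bot: The retry on L1422–L1423 repeats the full package list, and nothing enforces that the two lists stay identical, so a later edit to one of them silently makes the fallback install a different set; putting the list in a variable (`pkgs="wget bind-utils openssl tar iptables iproute gawk grep sed net-tools"`) and writing `yum -y -q install $pkgs >/dev/null || yum -y -q install $pkgs >/dev/null` removes that hazard. As written the second `yum` starts the instant the first fails, which for the usual transient causes (another yum/dnf process holding the lock, a mirror timeout) is rarely enough time; a short `sleep` between attempts is cheap. `exiterr2` on L1424 is defined outside this hunk, so whether its message tells the operator that two attempts were made cannot be checked here. install_setup_pkgs begins before the hunk.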
@ -169,7 +169,7 @@ update_apt_cache() {
export DEBIAN_FRONTEND=noninteractive
(
set -x
apt-get -yqq update
apt-get -yqq update || apt-get -yqq update
) || exiterr "'apt-get update' failed."
}
@ -177,6 +177,8 @@ install_setup_pkgs() {
(
set -x
apt-get -yqq install wget dnsutils openssl \
iptables iproute2 gawk grep sed net-tools >/dev/null \
|| apt-get -yqq install wget dnsutils openssl \
iptables iproute2 gawk grep sed net-tools >/dev/null
) || exiterr2
}
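Review bot: On L1440–L1443 the `||` that introduces the retry sits at the start of a backslash-continued line in the middle of the package list, so at a glance the block reads as one long install command rather than two attempts; a comment above the subshell, `# retry once: apt-get occasionally fails on a transient mirror or lock error`, and a `pkgs=` variable holding the list would make the structure obvious and keep both lists identical. The second attempt starts immediately after the first fails, so a held apt/dpkg lock or a mirror still timing out usually fails it as well; `|| { sleep 5; apt-get -yqq install $pkgs >/dev/null; }` is a cheap improvement. The `set -x` on L1439 traces both attempts, which is fine but doubles the noise an operator sees on a failure. install_setup_pkgs starts before this hunk, and update_apt_cache's retry on L1434 has the same no-pause limitation.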