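#!/bin/bash
#
# de_GWD server provisioning script (Debian bookworm, run as root).
#
# Sections visible here: package dependencies, artefact download with
# sha256 verification, cleanup of older installs, host tuning (swap, limits,
# time sync, unbound resolver, sysctl, traffic shaping), and service units for
# nftables, the DoH server and the Xray ("vtrui") proxy. The installNginx
# function that follows is not part of this block.
#
# Globals written here and read by later functions:
#   architecture, virt_type, branch, colour constants (RED ... cRES),
#   ethernetnum, localAddrCIDR, localAddr, domain, topDomain, port, path, uuids.
#
# Review notes (defender stance) are marked NOTE(review) next to the line they apply to.

clear
RED='\E[1;31m'
GREEN='\E[1;32m'
YELLOW='\E[1;33m'
BLUE='\E[1;34m'
PURPLE='\E[1;35m'
CYAN='\E[1;36m'
WHITE='\E[1;37m'
cRES='\E[0m'

# 1777, not 777: plain 777 strips the sticky bit from /tmp, letting any local
# user delete or rename other users' files there (including the scratch files
# this script downloads into /tmp before verifying and moving them).
chmod 1777 /tmp

architecture=$(dpkg --print-architecture)

# Containers get a reduced setup (no swap, no sysctl/module changes, no RTC sync).
# NOTE(review): if systemd-detect-virt is missing its output is empty and the
# empty regex appears to match anything, which would also mark the host as a container.
[[ "openvz lxc lxc-libvirt systemd-nspawn docker podman proot pouch" =~ $(systemd-detect-virt) ]] && virt_type="container"

export DEBIAN_FRONTEND=noninteractive
branch="main"

# Migrate an older nginx listen directive value in place, if a config exists.
[[ -f "/etc/nginx/conf.d/default.conf" ]] && sed -i 's/fastopen=128/fastopen=500/g' /etc/nginx/conf.d/default.conf

#######################################
# Remove conflicting packages and install every missing dependency.
# Globals:   aptPKG (written: list of packages that were missing)
# Arguments: none
# Outputs:   apt output on stdout/stderr
#######################################
pkgDEP(){
  local pkg listed

  # Packages that conflict with the setup below (own time sync, nftables, rngd).
  for pkg in ipset haveged subversion os-prober systemd-timesyncd; do
    [[ -n $(dpkg -l | awk '{print$2}' | grep "^${pkg}\$") ]] && apt remove --purge "$pkg"
  done

  # Snapshot the package list once, after the removals above, instead of
  # re-running dpkg -l for every candidate.
  listed=$(dpkg -l | awk '{print$2}')

  unset aptPKG
  for pkg in sudo wget curl git locales psmisc idn2 dns-root-data netcat-openbsd \
      dnsutils net-tools resolvconf nftables ca-certificates apt-transport-https \
      gnupg2 unzip zstd jq bc moreutils rng-tools-debian chrony socat screen \
      ethtool qrencode sqlite3 unbound; do
    grep -qx -- "$pkg" <<<"$listed" || aptPKG+=("$pkg")
  done
  # Prefix match kept as in the original (any libmimalloc2.0* package counts).
  grep -q '^libmimalloc2.0' <<<"$listed" || aptPKG+=(libmimalloc2.0)
  # irqbalance only makes sense with more than one CPU.
  if ! grep -qx irqbalance <<<"$listed" && [[ $(nproc --all) -gt 1 ]]; then
    aptPKG+=(irqbalance)
  fi

  (( ${#aptPKG[@]} > 0 )) && apt update && apt install "${aptPKG[@]}"
}

#######################################
# Compare a file's sha256 against a reference value.
# Arguments: $1 - file path
#            $2 - expected sha256 hex digest
# Outputs:   "true" on an exact match, "false" otherwise (including a missing
#            file or an empty reference digest)
#######################################
checkSum(){
  local file=$1 expected=$2 actual
  actual=$(sha256sum "$file" 2>/dev/null | awk '{print$1}')
  # An empty reference (e.g. the .sha256sum fetch failed) must never verify;
  # the quoted RHS makes this a literal comparison rather than a pattern match.
  if [[ -n $expected && "$actual" == "$expected" ]]; then
    echo "true"
  else
    echo "false"
  fi
}

#######################################
# Download an artefact into /tmp, verify it, and move it into place.
# Skips the download when the installed copy already matches.
# Globals:   RED, cRES (read)
# Arguments: $1 - source URL
#            $2 - destination path
#            $3 - expected sha256
#            $4 - non-empty to chmod +x the installed file
# Outputs:   wget progress; "Download Failed" and script exit on mismatch
#######################################
_fetchVerified(){
  local url=$1 dest=$2 expected=$3 exec_bit=$4 scratch

  [[ $(checkSum "$dest" "$expected") = "false" ]] || return 0

  # NOTE(review): the scratch name is predictable; with the sticky bit on /tmp
  # other users cannot swap it, but mktemp would remove the assumption entirely.
  scratch="/tmp/${dest##*/}"
  rm -rf "$scratch"
  wget --show-progress -cqO "$scratch" "$url"
  if [[ $(checkSum "$scratch" "$expected") = "false" ]]; then
    echo -e "${RED}Download Failed${cRES}"
    exit
  fi
  mv -f "$scratch" "$dest"
  [[ -n $exec_bit ]] && chmod +x "$dest"
  return 0
}

#######################################
# Fetch the release artefacts (DoH server, nginx, bundles, version file).
# Globals:   branch, architecture, RED, WHITE, GREEN, cRES (read)
# Arguments: none
# Outputs:   progress lines; exits the script on a failed download
#######################################
repoDL(){
  echo -e "${WHITE}[...]\c" && echo -e "\t${WHITE}Repository${cRES}\r\c"

  # NOTE(review): the digests come from the same origin as the artefacts, so
  # they detect a corrupted or partial transfer but cannot authenticate the
  # release; that would need a signature checked against a key pinned here.
  local repo="https://raw.githubusercontent.com/jacyl4/de_GWD/$branch"
  local sha256sum_de_GWD sha256sum_don_server sha256sum_nginx sha256sum_nginxConf sha256sum_sample
  sha256sum_de_GWD=$(curl -fsSLo- "$repo"/de_GWD_"$architecture".zip.sha256sum)
  sha256sum_don_server=$(curl -fsSLo- "$repo"/resource/doh/doh_s_"$architecture".sha256sum)
  sha256sum_nginx=$(curl -fsSLo- "$repo"/resource/nginx/nginx_"$architecture".sha256sum)
  sha256sum_nginxConf=$(curl -fsSLo- "$repo"/resource/nginx/nginxConf.zip.sha256sum)
  sha256sum_sample=$(curl -fsSLo- "$repo"/resource/server/sample.zip.sha256sum)

  _fetchVerified "$repo"/resource/doh/doh_s_$architecture /opt/de_GWD/doh-server "$sha256sum_don_server" x
  _fetchVerified "$repo"/resource/nginx/nginx_"$architecture" /usr/sbin/nginx "$sha256sum_nginx" x
  _fetchVerified "$repo"/de_GWD_"$architecture".zip /opt/de_GWD/.repo/de_GWD.zip "$sha256sum_de_GWD" ""
  _fetchVerified "$repo"/resource/nginx/nginxConf.zip /opt/de_GWD/.repo/nginxConf.zip "$sha256sum_nginxConf" ""
  _fetchVerified "$repo"/resource/server/sample.zip /opt/de_GWD/.repo/sample.zip "$sha256sum_sample" ""

  # The version file is always read from "main", independent of $branch, and
  # only replaced when the downloaded copy is at least 4 KiB on disk.
  local localVer remoteVer
  localVer=$(awk 'NR==1' /opt/de_GWD/version.php 2>/dev/null)
  remoteVer=$(curl -fsSLo- https://raw.githubusercontent.com/jacyl4/de_GWD/main/version.php | head -n 1)
  if [[ $localVer != $remoteVer ]]; then
    rm -rf /tmp/version.php
    wget --show-progress -cqO /tmp/version.php https://raw.githubusercontent.com/jacyl4/de_GWD/main/version.php
    [[ $? -ne 0 ]] && echo -e "${WHITE}Version File${RED} Download Failed${cRES}" && exit
    [[ $(du -sk /tmp/version.php 2>/dev/null | awk '{print$1}') -ge 4 ]] && mv -f /tmp/version.php /opt/de_GWD/version.php
  fi

  echo -e "${WHITE}[ ${GREEN}✓ ${WHITE}]\c" && echo -e "\t${WHITE}Repository${cRES}"
}

#######################################
# Tear down components of earlier releases and capture the current
# nginx/Xray settings so they survive the reinstall.
# Globals:   ethernetnum, localAddrCIDR, localAddr, domain, topDomain,
#            port, path, uuids (written)
# Arguments: none
#######################################
preUpdate(){
  [[ -f "/etc/nginx/conf.d/HSTS" ]] && rm -rf /etc/nginx/conf.d/HSTS
  [[ -f "/etc/nginx/conf.d/ssl_certificate" ]] && rm -rf /etc/nginx/conf.d/ssl_certificate

  # Legacy AdGuardHome install.
  if [[ -d "/opt/AdGuardHome" ]]; then
    systemctl stop AdGuardHome >/dev/null 2>&1
    rm -rf /etc/systemd/system/AdGuardHome.service
    rm -rf /lib/systemd/system/AdGuardHome.service
    rm -rf /opt/AdGuardHome
    rm -rf /usr/bin/yq
  fi

  # Legacy iptables-based rule set (replaced by nftables below).
  if [[ -f "/opt/de_GWD/iptablesrules-up" ]]; then
    systemctl disable iptablesrules >/dev/null 2>&1
    systemctl stop iptablesrules >/dev/null 2>&1
    rm -rf /etc/systemd/system/iptablesrules.service >/dev/null 2>&1
    rm -rf /lib/systemd/system/iptablesrules.service >/dev/null 2>&1
    systemctl daemon-reload >/dev/null
    rm -rf /opt/de_GWD/iptablesrules-down
    rm -rf /opt/de_GWD/iptablesrules-up
    rm -rf /opt/de_GWD/Q4amSun
  fi

  # Legacy Pi-hole install.
  if [[ -n $(systemctl list-units | grep 'pihole') ]]; then
    systemctl stop pihole-FTL
    rm -rf /etc/.pihole /etc/pihole /opt/pihole /usr/bin/pihole-FTL /usr/local/bin/pihole /var/www/html/admin /var/log/pihole* /etc/dnsmasq.d/*
    rm -rf /etc/systemd/system/pihole-FTL.service
    systemctl daemon-reload
  fi

  # Normalise certificate file names and point nginx at them.
  [[ ! -f "/var/www/ssl/de_GWD.cer" ]] && mv -f /var/www/ssl/*.cer /var/www/ssl/de_GWD.cer && sed -i '/ssl_certificate /c\ssl_certificate \/var\/www\/ssl\/de_GWD.cer;' /etc/nginx/conf.d/default.conf
  [[ ! -f "/var/www/ssl/de_GWD.key" ]] && mv -f /var/www/ssl/*.key /var/www/ssl/de_GWD.key && sed -i '/ssl_certificate_key /c\ssl_certificate_key \/var\/www\/ssl\/de_GWD.key;' /etc/nginx/conf.d/default.conf
  [[ -f "/etc/nginx/conf.d/merge.sh" ]] && rm -rf /etc/nginx/conf.d/*

  # NOTE(review): this deletes the authentication audit log; consider rotating
  # or archiving it instead so login history survives an upgrade.
  rm -rf /var/log/auth.log
  rm -rf /usr/local/bin/autoUpdate
  rm -rf /usr/local/bin/iptablesrules*
  rm -rf /usr/local/bin/Q2H
  rm -rf /usr/local/bin/version.php
  rm -rf /usr/local/bin/vtrui
  rm -rf /usr/bin/yq
  rm -rf /etc/dns-over-https
  rm -rf /etc/nginx/conf.d/0_serverUpstream
  rm -rf /etc/nginx/conf.d/4_v2Proxy
  rm -rf /opt/de_GWD/.repo/vtrui.zip
  rm -rf /opt/de_GWD/.repo/IPchnroute
  rm -rf /opt/de_GWD/clearKernel
  rm -rf /dev/shm/de_GWD.socket*
  rm -rf /etc/dnsmasq.d/00-wg.conf
  rm -rf /etc/dnsmasq.d/99-extra.conf
  [[ -f "/etc/rc.local" ]] && rm -rf /etc/rc.local

  # rc_online is now a networking.service drop-in, not a unit of its own.
  if [[ -n $(systemctl list-unit-files --type=service | grep 'rc_online') ]]; then
    systemctl stop rc_online
    rm -rf /etc/systemd/system/rc_online.service
    systemctl daemon-reload >/dev/null
  fi

  service cron stop

  # First physical (non-virtual, non-ifb) interface and its IPv4 address.
  ethernetnum=$(find /sys/class/net ! -type d | xargs --max-args=1 realpath | grep 'device' | xargs -n 1 | grep -v 'virtual' | grep -v 'ifb' | awk -F'/' '{print$NF}' | head -n1)
  localAddrCIDR=$(ip -4 a | grep "$ethernetnum" | grep -Po '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/\d{1,2}\b' | head -n 1)
  localAddr=$(echo $localAddrCIDR | cut -d/ -f1)

  # Existing nginx server_name (trailing ';' stripped), its last two labels,
  # and the TLS listen port (defaults to 443).
  domain=$(awk '/server_name/ {print$2;exit}' /etc/nginx/conf.d/default.conf | sed 's/.$//')
  topDomain=$(echo $domain | rev | awk -F. '{print $1"."$2}' | rev)
  port=$(awk '/ssl .* reuseport/ {print$2}' /etc/nginx/conf.d/default.conf | grep '^[[:digit:]]*$' | head -n1)
  [[ -z $port ]] && port="443"

  # Existing Xray websocket path and client ids, if a config is present.
  path=$(jq -r '.inbounds[0].streamSettings.wsSettings.path' /opt/de_GWD/vtrui/config.json 2>/dev/null | grep -v '^null$')
  uuids=$(jq -r '.inbounds[0].settings.clients[].id' /opt/de_GWD/vtrui/config.json 2>/dev/null | grep -v '^null$')
}

#######################################
# Base system preparation: DNS bootstrap, swap, clock, apt config, resource
# limits, package upgrade, rngd/chrony/unbound, locale, sysctl and the
# rc_online.local traffic-shaping script.
# Globals:   virt_type (read)
# Arguments: none
#######################################
preInstall(){
  sync; echo 3 >/proc/sys/vm/drop_caches >/dev/null 2>&1

  # Temporary public resolvers until unbound is up.
  rm -rf /etc/resolv.conf
  cat << EOF >/etc/resolv.conf
nameserver 1.1.1.1
nameserver 8.8.8.8
EOF

  if [[ $(systemctl is-active swap.target) != "active" ]]; then
    systemctl unmask swap.target >/dev/null 2>&1
    systemctl start swap.target >/dev/null 2>&1
  fi

  # Create a 1 GiB swap file when the host has none (bare metal / VM only).
  if [[ $(free -m | awk 'NR==3{print$2}') = "0" ]] && [[ $virt_type != "container" ]]; then
    if [[ $(df -T / | awk '{print$2}' | tail -n 1) = "btrfs" ]]; then
      btrfs subvolume create /swap 2>/dev/null
      btrfs filesystem mkswapfile --size 1g --uuid clear /swap/swapfile 2>/dev/null
      swapon /swap/swapfile
      sed -i "/swapfile/d" /etc/fstab
      echo "/swap/swapfile none swap defaults 0 0" >>/etc/fstab
    else
      fallocate -l 1G /swapfile 2>/dev/null
      dd if=/dev/zero of=/swapfile bs=1M count=1024 status=progress 2>/dev/null
      chmod 600 /swapfile
      mkswap -U clear /swapfile
      swapon /swapfile
      sed -i "/swapfile/d" /etc/fstab
      echo "/swapfile none swap defaults 0 0" >>/etc/fstab
    fi
    echo "RESUME=" >/etc/initramfs-tools/conf.d/resume
  fi

  mkdir -p /opt/de_GWD
  mkdir -p /opt/de_GWD/.repo

  # One-shot clock set from an HTTP Date header (before chrony is configured).
  # Quoted delimiter: the body is written literally.
  cat << "EOF" >/opt/de_GWD/tcpTime
date -s "$(wget -qSO- --max-redirect=0 whatismyip.akamai.com 2>&1 | grep Date: | cut -d' ' -f5-8)Z"
[[ $? -ne "0" ]]&& date -s "$(curl -sI cloudflare.com| grep -i '^date:'|cut -d' ' -f2-)"
hwclock -w
EOF
  chmod +x /opt/de_GWD/tcpTime
  [[ $virt_type != "container" ]] && /opt/de_GWD/tcpTime

  cat << EOF >/etc/apt/apt.conf.d/01InstallLess
APT::Get::Assume-Yes "true";
APT::Install-Recommends "false";
APT::Install-Suggests "false";
EOF
  cat << EOF >/etc/apt/apt.conf.d/71debconf
Dpkg::Options {
"--force-confdef";
"--force-confold";
};
EOF

  # Replace any earlier ulimit/HISTCONTROL/alias lines in /etc/profile.
  sed -i '/ulimit -SHn/d' /etc/profile
  sed -i '/ulimit -c/d' /etc/profile
  sed -i '/ulimit -d/d' /etc/profile
  sed -i '/ulimit -f/d' /etc/profile
  sed -i '/ulimit -m/d' /etc/profile
  sed -i '/ulimit -s/d' /etc/profile
  sed -i '/ulimit -t/d' /etc/profile
  sed -i '/ulimit -u/d' /etc/profile
  sed -i '/ulimit -v/d' /etc/profile
  sed -i '/HISTCONTROL=/d' /etc/profile
  sed -i '/alias reboot=/d' /etc/profile
  cat << EOF >>/etc/profile
ulimit -SHn 1000000
ulimit -t 65536
ulimit -u 65536
ulimit -c 65536
ulimit -d unlimited
ulimit -f unlimited
ulimit -s unlimited
ulimit -v unlimited
HISTCONTROL=ignoredups
alias reboot="sudo systemctl reboot"
EOF
  source /etc/profile

  sed -i '/pam_limits.so/d' /etc/pam.d/common-session
  echo "session required pam_limits.so" >>/etc/pam.d/common-session
  cat << EOF >/etc/security/limits.conf
root soft nofile 1000000
root hard nofile 1000000
root soft nproc 1000000
root hard nproc 1000000
root soft core 1000000
root hard core 1000000
root hard memlock unlimited
root soft memlock unlimited
www-data soft nofile 1000000
www-data hard nofile 1000000
www-data soft nproc 1000000
www-data hard nproc 1000000
www-data soft core 1000000
www-data hard core 1000000
www-data hard memlock unlimited
www-data soft memlock unlimited
* soft nofile 1000000
* hard nofile 1000000
* soft nproc 1000000
* hard nproc 1000000
* soft core 1000000
* hard core 1000000
* hard memlock unlimited
* soft memlock unlimited
EOF

  sed -i '/DefaultLimitCORE/d' /etc/systemd/system.conf
  sed -i '/DefaultLimitNOFILE/d' /etc/systemd/system.conf
  sed -i '/DefaultLimitNPROC/d' /etc/systemd/system.conf
  # NOTE(review): in the copy reviewed, the heredoc body that re-adds the three
  # DefaultLimit* keys deleted above was missing (everything between
  # "cat >>'/etc/systemd/system.conf'" and "/etc/apt/sources.list" had been
  # stripped), so only a labelled placeholder is appended here. Restore the
  # real lines from the upstream script before use.
  cat >>'/etc/systemd/system.conf' <<EOF
# PLACEHOLDER(review): DefaultLimitCORE / DefaultLimitNOFILE / DefaultLimitNPROC lines missing from reviewed source
EOF

  # Redirect target inferred from the surviving "/etc/apt/sources.list" token
  # next to these deb lines. APT verifies Release signatures, so the plain
  # http:// mirror affects confidentiality of package metadata, not integrity.
  cat << EOF >/etc/apt/sources.list
deb http://cloudfront.debian.net/debian bookworm main contrib non-free non-free-firmware
deb http://cloudfront.debian.net/debian-security bookworm-security main contrib non-free non-free-firmware
deb http://cloudfront.debian.net/debian bookworm-updates main contrib non-free non-free-firmware
deb http://cloudfront.debian.net/debian bookworm-backports main contrib non-free non-free-firmware
EOF

  apt update --fix-missing && apt upgrade --allow-downgrades -y
  apt full-upgrade -y && apt autoremove --purge -y && apt clean -y && apt autoclean -y
  pkgDEP

  # NOTE(review): HRNGDEVICE=/dev/urandom feeds rngd from the kernel's own
  # pool, so it adds no new entropy; a hardware source (e.g. /dev/hwrng or
  # virtio_rng) is what rngd is meant for.
  cat << EOF >/etc/default/rng-tools-debian
# -*- mode: sh -*-
#-
# Configuration for the rng-tools-debian initscript
# Set to the input source for random data, leave undefined
# for the initscript to attempt auto-detection. Set to /dev/null
# for the viapadlock driver.
#HRNGDEVICE=/dev/hwrng
#HRNGDEVICE=/dev/null
HRNGDEVICE=/dev/urandom
# Additional options to send to rngd. See the rngd(8) manpage for
# more information. Do not specify -r/--rng-device here, use
# HRNGDEVICE for that instead.
#RNGDOPTIONS="--hrng=intelfwh --fill-watermark=90% --feed-interval=1"
#RNGDOPTIONS="--hrng=viakernel --fill-watermark=90% --feed-interval=1"
#RNGDOPTIONS="--hrng=viapadlock --fill-watermark=90% --feed-interval=1"
# For TPM (also add tpm-rng to /etc/initramfs-tools/modules or /etc/modules):
#RNGDOPTIONS="--fill-watermark=90% --feed-interval=1"
# If you need to configure which RNG to use, do it here:
#HRNGSELECT="virtio_rng.0"
# Use this instead of sysfsutils, which starts too late.
EOF
  systemctl restart rng-tools

  cat << EOF >/etc/chrony/chrony.conf
server time.cloudflare.com iburst
server time1.google.com iburst
server time1.apple.com iburst
server ntp-3.arkena.net iburst
driftfile /var/lib/chrony/chrony.drift
logdir /var/log/chrony
maxupdateskew 100.0
rtcsync
makestep 1 3
leapsectz right/UTC
EOF
  systemctl restart chrony
  systemctl enable chrony >/dev/null 2>&1

  # From here on the host resolves through the local unbound instance.
  rm -rf /etc/resolv.conf
  cat << EOF >/etc/resolv.conf
nameserver 127.0.0.1
EOF

  # Loopback-only forwarding resolver; upstreams are public recursive servers.
  mkdir -p /etc/unbound
  cat << EOF >/etc/unbound/unbound.conf
server:
  verbosity: 0
  interface: 127.0.0.1
  port: 53
  do-ip4: yes
  do-udp: yes
  do-tcp: yes
  do-ip6: no
  prefer-ip6: no
  edns-buffer-size: 1232
  prefetch: yes
  so-reuseport: yes
  so-rcvbuf: 4m
  so-sndbuf: 4m
  num-threads: 2
  msg-cache-slabs: 4
  rrset-cache-slabs: 4
  infra-cache-slabs: 4
  key-cache-slabs: 4
forward-zone:
  name: "."
  forward-addr: 1.1.1.1
  forward-addr: 1.0.0.1
  forward-addr: 8.8.8.8
  forward-addr: 8.8.4.4
  forward-addr: 9.9.9.9
  forward-addr: 208.67.222.222
  forward-first: no
EOF

  rm -rf /lib/systemd/system/unbound.service
  cat << "EOF" >/etc/systemd/system/unbound.service
[Unit]
Description=Unbound DNS server
After=network.target
[Service]
Type=simple
Restart=on-failure
ReadOnlyPaths=/etc/unbound
ExecStart=/usr/sbin/unbound -d
ExecReload=/bin/kill -HUP $MAINPID
[Install]
WantedBy=multi-user.target
EOF
  systemctl daemon-reload >/dev/null
  systemctl restart unbound >/dev/null 2>&1
  systemctl enable unbound >/dev/null 2>&1

  # Hand /etc/resolv.conf to resolvconf with 127.0.0.1 as the only nameserver;
  # systemd-resolved is masked so it cannot take the file back.
  rm -rf /etc/resolvconf/update.d/unbound >/dev/null 2>&1
  rm -rf /etc/systemd/resolved.conf >/dev/null 2>&1
  systemctl mask --now systemd-resolved >/dev/null 2>&1
  rm -rf /etc/resolvconf/resolv.conf.d/*
  >/etc/resolvconf/resolv.conf.d/original
  >/etc/resolvconf/resolv.conf.d/base
  >/etc/resolvconf/resolv.conf.d/tail
  rm -rf /etc/resolv.conf
  rm -rf /run/resolvconf/interface
  cat << EOF >/etc/resolvconf/resolv.conf.d/head
nameserver 127.0.0.1
EOF
  if [[ -f "/etc/resolvconf/run/resolv.conf" ]]; then
    ln -sf /etc/resolvconf/run/resolv.conf /etc/resolv.conf
  elif [[ -f "/run/resolvconf/resolv.conf" ]]; then
    ln -sf /run/resolvconf/resolv.conf /etc/resolv.conf
  fi
  sed -i '/dns-nameservers /d' /etc/network/interfaces
  resolvconf -u

  # NOTE(review): this turns SELinux off permanently rather than adding policy
  # for the services installed here; keep it only if the host never enforces.
  [[ -n $(which setenforce) ]] && setenforce 0
  [[ -f "/etc/selinux/config" ]] && sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config

  [[ -f "/etc/ld.so.preload" ]] && sed -i "/libjemalloc/d" /etc/ld.so.preload
  ldconfig

  # Purge packages left in "rc" (removed, config remaining) state.
  DPKGclean=$(dpkg --list | grep "^rc" | cut -d " " -f 3)
  [[ -n $DPKGclean ]] && echo $DPKGclean | xargs sudo dpkg --purge

  # NOTE(review): wipes the persistent journal, i.e. all prior system logs.
  rm -rf /var/log/journal/*
  systemctl restart systemd-journald >/dev/null 2>&1

  localeSet=$(cat << EOF
LANG=en_US.UTF-8
LANGUAGE=en_US.UTF-8
LC_CTYPE="en_US.UTF-8"
LC_NUMERIC="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_PAPER="en_US.UTF-8"
LC_NAME="en_US.UTF-8"
LC_ADDRESS="en_US.UTF-8"
LC_TELEPHONE="en_US.UTF-8"
LC_MEASUREMENT="en_US.UTF-8"
LC_IDENTIFICATION="en_US.UTF-8"
LC_ALL=en_US.UTF-8
EOF
  )
  if [[ -z $(localectl list-locales | grep "en_US.UTF-8") ]]; then
    echo "$localeSet" >/etc/default/locale
    echo "en_US.UTF-8 UTF-8" >/etc/locale.gen
    locale-gen "en_US.UTF-8"
    localectl set-locale en_US.UTF-8
    update-locale LANG=en_US.UTF-8 LANGUAGE=en_US.UTF-8 LC_ALL=en_US.UTF-8
  fi

  [[ $(date +"%Z %z") != "CST +0800" ]] && timedatectl set-timezone "Asia/Shanghai"
  timedatectl set-local-rtc 0 >/dev/null 2>&1
  timedatectl set-ntp true

  # Kernel modules and sysctl are host-level; skipped inside containers.
  if [[ $virt_type != "container" ]]; then
    sed -i '/nf_conntrack/d' /etc/modules-load.d/modules.conf
    sed -i '/ifb/d' /etc/modules-load.d/modules.conf
    cat << EOF >>/etc/modules-load.d/modules.conf
nf_conntrack
ifb
sch_cake
EOF
    modprobe nf_conntrack
    modprobe ifb
    modprobe sch_cake

    # NOTE(review) on the values below:
    #  - tcp_fastopen_key is a fixed all-zero key, so TFO cookies for this host
    #    are computable by anyone; dropping the line lets the kernel use a
    #    random per-boot key (routes below already set fastopen_no_cookie).
    #  - tcp_syncookies = 0 removes the kernel's SYN-flood fallback.
    #  - rp_filter = 0 and route_localnet = 1 loosen source validation; both
    #    are deliberate for the forwarding/proxy role but worth knowing.
    #  - kernel.sysrq = 438 enables most SysRq functions from the console.
    cat << EOF >/etc/sysctl.conf
kernel.sysrq = 438
vm.overcommit_memory = 1
vm.swappiness = 5
vm.dirty_ratio = 10
vm.dirty_background_ratio = 5
fs.file-max = 1000000
fs.inotify.max_user_instances = 8192
fs.inotify.max_queued_events = 16384
fs.inotify.max_user_watches = 8192
net.unix.max_dgram_qlen = 1024
net.netfilter.nf_conntrack_acct = 0
net.netfilter.nf_conntrack_checksum = 0
net.netfilter.nf_conntrack_events = 1
net.netfilter.nf_conntrack_timestamp = 0
net.netfilter.nf_conntrack_max = 1048576
net.netfilter.nf_conntrack_buckets = 65536
net.netfilter.nf_conntrack_tcp_loose = 1
net.netfilter.nf_conntrack_tcp_be_liberal = 1
net.netfilter.nf_conntrack_tcp_max_retrans = 3
net.netfilter.nf_conntrack_generic_timeout = 60
net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 30
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 30
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 30
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 15
net.netfilter.nf_conntrack_tcp_timeout_close = 5
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 30
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 30
net.netfilter.nf_conntrack_tcp_timeout_established = 3600
net.netfilter.nf_conntrack_sctp_timeout_established = 3600
net.netfilter.nf_conntrack_udp_timeout = 15
net.netfilter.nf_conntrack_udp_timeout_stream = 45
net.core.somaxconn = 32768
net.core.netdev_max_backlog = 65536
net.core.optmem_max = 524288
net.core.rmem_default = 524288
net.core.wmem_default = 524288
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.mptcp.enabled = 1
net.ipv4.route.gc_timeout = 60
net.ipv4.conf.all.arp_accept = 0
net.ipv4.conf.default.arp_accept = 0
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.default.arp_ignore = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.route_localnet = 1
net.ipv4.route.flush = 1
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.ip_local_reserved_ports = 53,9853,9890
net.ipv4.ip_forward = 1
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.ip_no_pmtu_disc = 0
net.ipv4.udp_mem = 4096 32768 524288
net.ipv4.udp_rmem_min = 131072
net.ipv4.udp_wmem_min = 131072
net.ipv4.tcp_mem = 16384 131072 1048576
net.ipv4.tcp_rmem = 4096 524288 8388608
net.ipv4.tcp_wmem = 4096 524288 8388608
net.ipv4.tcp_max_tw_buckets = 131072
net.ipv4.tcp_max_orphans = 131072
net.ipv4.tcp_max_syn_backlog = 32768
net.ipv4.tcp_notsent_lowat = 131072
net.ipv4.tcp_limit_output_bytes = 1048576
net.ipv4.tcp_adv_win_scale = 2
net.ipv4.tcp_moderate_rcvbuf = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_workaround_signed_windows = 0
net.ipv4.tcp_mtu_probing = 0
net.ipv4.tcp_mtu_probe_floor = 512
net.ipv4.tcp_base_mss = 1460
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_no_ssthresh_metrics_save = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_dsack = 1
net.ipv4.tcp_frto = 0
net.ipv4.tcp_recovery = 1
net.ipv4.tcp_early_retrans = 3
net.ipv4.tcp_min_rtt_wlen = 120
net.ipv4.tcp_reordering = 3
net.ipv4.tcp_ecn = 0
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_fastopen_blackhole_timeout_sec = 0
net.ipv4.tcp_fastopen_key = 00000000-00000000-00000000-00000000
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_tw_reuse = 0
net.ipv4.tcp_syn_retries = 3
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_retries1 = 3
net.ipv4.tcp_retries2 = 8
net.ipv4.tcp_orphan_retries = 0
net.ipv4.tcp_challenge_ack_limit = 10000
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_retrans_collapse = 0
net.ipv4.tcp_autocorking = 0
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_congestion_control = bbr
net.core.default_qdisc = cake
EOF
    sync
    sysctl -p >/dev/null 2>&1
  fi

  # Docker must not manage iptables once nftables owns the ruleset.
  if [[ -n $(dpkg -l | awk '{print$2}' | grep '^docker-ce$') ]] && [[ -n $(dpkg -l | awk '{print$2}' | grep '^containerd.io$') ]]; then
    mkdir -p /etc/docker/
    systemctl stop docker docker.socket containerd
    cat << EOF >/etc/docker/daemon.json
{
  "iptables": false
}
EOF
    systemctl restart docker
  fi

  # Generated post-networking script: route tuning, CAKE qdiscs on every
  # interface with an ifb mirror for ingress, NIC offload settings.
  # The delimiter is unquoted on purpose: $(which ...) and the congestion
  # control lookup are resolved now, at install time; everything that must stay
  # a runtime variable in the generated file is escaped as \$.
  cat << EOF >/etc/rc_online.local
#!/bin/bash
echo madvise >/sys/kernel/mm/transparent_hugepage/enabled
$(which ip) route show table local | grep -v 'linkdown' | grep -v 'broadcast' | while read line; do
  line=\$(echo \$line | awk -F' mtu ' '{print\$1}')
  $(which ip) route change \$line mtu 1500 initcwnd 1000 initrwnd 1000 fastopen_no_cookie 1 congctl lock cubic
done
$(which ip) route show table local | grep ' dev lo ' | while read line; do
  line=\$(echo \$line | awk -F' mtu ' '{print\$1}')
  $(which ip) route change \$line mtu 65520 initcwnd 1000 initrwnd 1000 fastopen_no_cookie 1 congctl lock cubic
done
NIC_local=\$($(which ip) route | grep -v 'linkdown' | grep -v 'broadcast' | grep -v 'scope' | awk -F' dev ' '{print\$2}' | cut -d' ' -f1)
$(which ip) route | grep " dev \$NIC_local " | while read line; do
  line=\$(echo \$line | awk -F' mtu ' '{print\$1}')
  $(which ip) route change \$line mtu 1500 fastopen_no_cookie 1 congctl lock $(sysctl net.ipv4.tcp_congestion_control | awk -F' = ' '{print$2}')
done
NIC_device=\$(find /sys/class/net ! -type d | xargs --max-args=1 realpath | grep 'device')
for ifb in \$(echo \$NIC_device | xargs -n 1 | grep 'virtual' | awk -F'/' '{print\$NF}' | grep '^ifb'); do
  $(which ip) link set \$ifb down
  $(which ip) link delete \$ifb
done
$(which ip) link set lo qlen 10000 mtu 65520
$(which tc) qdisc del dev lo root >/dev/null 2>&1
$(which tc) qdisc add dev lo root cake unlimited rtt 50us diffserv4 dual-srchost nonat nowash no-split-gso ack-filter-aggressive raw egress
$(which ip) link add name ifb4lo type ifb >/dev/null 2>&1
$(which tc) qdisc del dev lo ingress >/dev/null 2>&1
$(which tc) qdisc add dev lo handle ffff: ingress
$(which tc) qdisc del dev ifb4lo root >/dev/null 2>&1
$(which tc) qdisc add dev ifb4lo root cake unlimited rtt 50us diffserv4 dual-dsthost nonat nowash no-split-gso no-ack-filter raw ingress
$(which ip) link set ifb4lo qlen 10000 mtu 65520
$(which ip) link set ifb4lo up
$(which tc) filter add dev lo parent ffff: matchall action mirred egress redirect dev ifb4lo
echo \$NIC_device | xargs -n 1 | grep 'virtual' | awk -F'/' '{print\$NF}' | grep -v 'docker' | grep -v 'ifb' | grep -v '^lo\$' | while read line; do
  MTU_NUM=\$(< /sys/class/net/\$line/mtu)
  ifb4eth=\$(echo "ifb4\$line" | cut -c 1-15)
  $(which ip) link set \$line qlen 10001 mtu \$MTU_NUM
  $(which tc) qdisc del dev \$line root >/dev/null 2>&1
  $(which tc) qdisc add dev \$line root cake unlimited rtt 200us diffserv4 dual-srchost nonat nowash no-split-gso ack-filter raw overhead 18 mpu 64 egress
  $(which ip) link add name \$ifb4eth type ifb >/dev/null 2>&1
  $(which tc) qdisc del dev \$line ingress >/dev/null 2>&1
  $(which tc) qdisc add dev \$line handle ffff: ingress
  $(which tc) qdisc del dev \$ifb4eth root >/dev/null 2>&1
  $(which tc) qdisc add dev \$ifb4eth root cake unlimited rtt 200us diffserv4 dual-dsthost nonat nowash no-split-gso no-ack-filter raw overhead 18 mpu 64 ingress
  $(which ip) link set \$ifb4eth qlen 10001 mtu \$MTU_NUM
  $(which ip) link set \$ifb4eth up
  $(which tc) filter add dev \$line parent ffff: matchall action mirred egress redirect dev \$ifb4eth
done
echo \$NIC_device | xargs -n 1 | grep -v 'virtual' | awk -F'/' '{print\$NF}' | while read line; do
  MTU_NUM=\$(< /sys/class/net/\$line/mtu)
  ifb4eth=\$(echo "ifb4\$line" | cut -c 1-15)
  $(which ip) link set \$line qlen 10001 mtu \$MTU_NUM
  $(which tc) qdisc del dev \$line root >/dev/null 2>&1
  $(which tc) qdisc add dev \$line root cake unlimited besteffort dual-srchost nonat nowash no-split-gso ack-filter ethernet egress
  $(which ip) link add name \$ifb4eth type ifb >/dev/null 2>&1
  $(which tc) qdisc del dev \$line ingress >/dev/null 2>&1
  $(which tc) qdisc add dev \$line handle ffff: ingress
  $(which tc) qdisc del dev \$ifb4eth root >/dev/null 2>&1
  $(which tc) qdisc add dev \$ifb4eth root cake unlimited diffserv4 dual-dsthost nonat nowash no-split-gso no-ack-filter ethernet ingress
  $(which ip) link set \$ifb4eth qlen 10001 mtu \$MTU_NUM
  $(which ip) link set \$ifb4eth up
  $(which tc) filter add dev \$line parent ffff: matchall action mirred egress redirect dev \$ifb4eth
  $(which ethtool) -s \$line duplex full >/dev/null 2>&1
  $(which ethtool) -K \$line rx on tx on sg off gro off gso off tx-gso-partial off lro off tso off ufo off >/dev/null 2>&1
done
$(which ip) tcp_metrics flush
$(which ip) route flush cache
EOF
  chmod +x /etc/rc_online.local

  # Run it after networking.service has brought interfaces up.
  mkdir -p /etc/systemd/system/networking.service.d/
  cat << EOF >/etc/systemd/system/networking.service.d/override.conf
[Service]
ExecStartPost=/etc/rc_online.local
EOF
  systemctl daemon-reload >/dev/null
}

#######################################
# Install the nftables ruleset (flowtable offload, input filtering, Docker
# chains, NAT) and its systemd unit.
# Arguments: none
#######################################
installNftables(){
  rm -rf /etc/nftables*
  rm -rf /opt/de_GWD/nftables
  mkdir -p /opt/de_GWD/nftables

  # Helper run before nft: writes the flowtable device list from the
  # currently present physical interfaces (lo and ifb4lo excluded).
  cat << "EOF" >/opt/de_GWD/nftables/flowtable_eth.sh
#!/bin/bash
interface_FT=$(find /sys/class/net ! -type d | xargs --max-args=1 realpath | grep 'device' | awk -F'/' '{print$NF}' | xargs -n1 | grep -v '^lo$' | grep -v '^ifb4lo$')
interface_BF=()
while IFS= read -r line; do
  interface_BF+=("$line")
done <<< "$interface_FT"
echo "define flowtable_eth = { $(IFS=, ; echo "${interface_BF[*]}") };" >/opt/de_GWD/nftables/flowtable.eth
EOF
  chmod +x /opt/de_GWD/nftables/flowtable_eth.sh

  # NOTE(review): the input and forward chains are default-accept; the rules
  # only drop malformed TCP flag combinations, invalid state and ports 53/4711.
  # Every other listening service is reachable from any interface.
  cat << "EOF" >/opt/de_GWD/nftables/default.nft
#!/usr/sbin/nft -f
include "/opt/de_GWD/nftables/flowtable.eth"
table inet bypassflow {
  flowtable Acceleration {
    hook ingress priority -300; devices = $flowtable_eth;
  }
  chain bypasschain {
    type filter hook forward priority -300; policy accept;
    ip daddr 172.16.0.0/24 flow offload @Acceleration
    ip saddr 172.16.0.0/24 flow offload @Acceleration
    ip daddr 172.17.0.0/16 flow offload @Acceleration
    ip saddr 172.17.0.0/16 flow offload @Acceleration
  }
}
table inet filter {
  chain INPUT {
    type filter hook input priority 0; policy accept;
    iifname lo accept
    iifname "wgcf" accept
    iifname "docker0" accept
    iifname "ifb4lo" accept
    iifname "ifb4wgcf" accept
    ct state established,related accept
    tcp flags != syn ct state new drop
    tcp flags & (fin|syn) == (fin|syn) drop
    tcp flags & (syn|rst) == (syn|rst) drop
    tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop
    tcp flags & (fin|psh|urg) == (fin|psh|urg) drop
    ct state invalid counter drop
    # Drop 53 in
    meta l4proto { tcp, udp } th dport 53 drop
    meta l4proto { tcp, udp } th dport 4711 drop
  }
  chain FORWARD {
    type filter hook forward priority 0; policy accept;
    # WireGuard traffic
    iifname "ifb4wgcf" accept
    iifname "wgcf" accept
    oifname "wgcf" accept
    # Docker traffic
    counter jump DOCKER-USER
    counter jump DOCKER-ISOLATION-STAGE-1
    oifname "docker0" ct state related,established counter accept
    oifname "docker0" counter jump DOCKER
    iifname "docker0" oifname != "docker0" counter accept
    iifname "docker0" oifname "docker0" counter accept
  }
  chain OUTPUT {
    type filter hook output priority 0; policy accept;
  }
  chain DOCKER {
  }
  chain DOCKER-USER {
    counter accept
  }
  chain DOCKER-ISOLATION-STAGE-1 {
    iifname "docker0" oifname != "docker0" counter jump DOCKER-ISOLATION-STAGE-2
    counter return
  }
  chain DOCKER-ISOLATION-STAGE-2 {
    oifname "docker0" counter drop
    counter return
  }
}
table inet router {
  chain DOCKER {
    iifname "docker0" counter accept
  }
  chain INPUT {
    type nat hook input priority -100; policy accept;
  }
  chain OUTPUT {
    type nat hook output priority -100; policy accept;
    ip daddr != 127.0.0.0/8 fib daddr type local counter jump DOCKER
  }
  chain PREROUTING {
    type nat hook prerouting priority dstnat; policy accept;
    tcp flags & (syn|rst) == syn counter tcp option maxseg size set 1460
    # Docker
    fib daddr type local counter jump DOCKER
  }
  chain POSTROUTING {
    type nat hook postrouting priority srcnat; policy accept;
    # Docker
    oifname != "docker0" ip saddr 172.17.0.0/16 counter masquerade
  }
}
EOF
  chmod +x /opt/de_GWD/nftables/default.nft

  # Replaces the distro unit: runs the shaping script and the flowtable helper
  # before loading the ruleset; ExecStop flushes everything (default-accept).
  rm -rf /lib/systemd/system/nftables.service
  cat << EOF >/etc/systemd/system/nftables.service
[Unit]
Description=nftables
Wants=network-pre.target
Before=network-pre.target shutdown.target
Conflicts=shutdown.target
DefaultDependencies=no
[Service]
Type=oneshot
RemainAfterExit=yes
StandardInput=null
ProtectSystem=full
ProtectHome=true
ExecStart=/bin/bash -c '/etc/rc_online.local' ; /bin/bash -c '/opt/de_GWD/nftables/flowtable_eth.sh' ; /usr/sbin/nft -f /opt/de_GWD/nftables/default.nft
ExecStop=/usr/sbin/nft flush ruleset
[Install]
WantedBy=sysinit.target
EOF
  systemctl daemon-reload >/dev/null
  systemctl enable nftables >/dev/null 2>&1
  systemctl restart nftables
}

#######################################
# Configure and enable the DNS-over-HTTPS server (loopback :9853, upstream
# unbound on :53). nginx is expected to front it.
# Globals:   WHITE, GREEN, cRES (read)
# Arguments: none
#######################################
installDOH(){
  echo -e "${WHITE}[...]\c" && echo -e "\t${WHITE}Install DoH server${cRES}\r\c"

  cat << EOF >/opt/de_GWD/doh-server.conf
listen = [ "127.0.0.1:9853" ]
path = "/dq"
upstream = [ "udp:127.0.0.1:53", "tcp:127.0.0.1:53" ]
timeout = 10
tries = 3
verbose = false
log_guessed_client_ip = false
ecs_allow_non_global_ip = false
ecs_use_precise_ip = false
EOF

  # Restart the service when NetworkManager reports an interface change.
  mkdir -p /etc/NetworkManager/dispatcher.d
  cat << "EOF" >/etc/NetworkManager/dispatcher.d/doh-server
#!/bin/bash
case "$2" in
  up)
    /usr/bin/systemctl is-active doh-server.service >/dev/null && /usr/bin/systemctl restart doh-server.service
    ;;
  down)
    /usr/bin/systemctl is-active doh-server.service >/dev/null && /usr/bin/systemctl restart doh-server.service
    ;;
  *)
    exit 0
    ;;
esac
EOF
  chmod +x /etc/NetworkManager/dispatcher.d/doh-server

  # NOTE(review): the server binds only 127.0.0.1:9853 and needs no privileged
  # port, so User=root is more than it requires; a dedicated unprivileged user
  # (plus NoNewPrivileges/ProtectSystem as on the vtrui unit) would contain a
  # compromise of the HTTP parser.
  rm -rf /lib/systemd/system/doh-server.service
  cat << "EOF" >/etc/systemd/system/doh-server.service
[Unit]
Description=DNS-over-HTTPS server
After=network.target
[Service]
User=root
Type=simple
ExecStart=/opt/de_GWD/doh-server -conf /opt/de_GWD/doh-server.conf
Restart=always
RestartSec=2
TimeoutStopSec=5
Nice=-8
[Install]
WantedBy=multi-user.target
EOF
  systemctl daemon-reload >/dev/null
  systemctl enable doh-server >/dev/null 2>&1

  echo -e "${WHITE}[ ${GREEN}✓ ${WHITE}]\c" && echo -e "\t${WHITE}Install DoH server${cRES}"
}

#######################################
# Unpack the Xray binary from the verified bundle and write its unit.
# Globals:   WHITE, RED, cRES (read)
# Arguments: none
# Outputs:   exits the script if the bundle fails unzip's integrity test
#######################################
installXray(){
  echo -e "${WHITE}[...]\c" && echo -e "\t${WHITE}Install Xray${cRES}\r\c"

  rm -rf /opt/de_GWD/vtrui
  mkdir -p /opt/de_GWD/vtrui

  # The bundle's sha256 was already checked in repoDL; this is a structural
  # test of the archive before extracting into a predictable /tmp path.
  if [[ -n $(unzip -tq /opt/de_GWD/.repo/de_GWD.zip | grep "No errors detected in compressed data") ]]; then
    rm -rf /tmp/de_GWD
    unzip /opt/de_GWD/.repo/de_GWD.zip -d /tmp/de_GWD >/dev/null 2>&1
    mv -f /tmp/de_GWD/xray /opt/de_GWD/vtrui/vtrui
    chmod +x /opt/de_GWD/vtrui/vtrui
    rm -rf /tmp/de_GWD*
  else
    # Remove the bad bundle so the next run re-downloads it.
    rm -rf /opt/de_GWD/.repo/de_GWD.zip
    echo -e "${WHITE}de_GWD Zip${RED} Download Failed${cRES}" && exit
  fi

  # Runs as www-data with only the network capabilities it needs and no
  # privilege escalation; exit status 23 is treated as a deliberate stop.
  rm -rf /lib/systemd/system/vtrui.service
  cat << EOF >/etc/systemd/system/vtrui.service
[Unit]
Description=vtrui
After=network.target nss-lookup.target
[Service]
User=www-data
ExecStart=/opt/de_GWD/vtrui/vtrui run -confdir /opt/de_GWD/vtrui
Restart=on-failure
RestartPreventExitStatus=23
Nice=-8
AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN CAP_NET_BIND_SERVICE
NoNewPrivileges=true
LimitNOFILE=10000000
LimitNPROC=10000000
LimitCORE=10000000
[Install]
WantedBy=multi-user.target
EOF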
systemctl daemon-reload >/dev/null echo -e "${WHITE}[ ${GREEN}✓ ${WHITE}]\c" && echo -e "\t${WHITE}Install Xray${cRES}" } installNginx(){ echo -e "${WHITE}[...]\c" && echo -e "\t${WHITE}Install NGINX${cRES}\r\c" mkdir -p "/var/www/html" mkdir -p "/var/www/ssl" mkdir -p "/etc/nginx" mkdir -p "/etc/nginx/conf.d" mkdir -p "/etc/nginx/stream.d" mkdir -p "/var/log/nginx" mkdir -p "/var/cache/nginx/client_temp" mkdir -p "/var/cache/nginx/proxy_temp" mkdir -p "/var/cache/nginx/fastcgi_temp" mkdir -p "/var/cache/nginx/scgi_temp" mkdir -p "/var/cache/nginx/uwsgi_temp" if [[ -n $(unzip -tq /opt/de_GWD/.repo/nginxConf.zip | grep "No errors detected in compressed data") ]]; then rm -rf /tmp/nginxConf find /etc/nginx/ -type f | grep -v "conf.d" | grep -v "stream.d" | xargs -i rm {} unzip /opt/de_GWD/.repo/nginxConf.zip -d /etc/nginx >/dev/null rm -rf /tmp/nginxConf else rm -rf /opt/de_GWD/.repo/nginxConf.zip echo -e "${WHITE}NGINX Configure${RED} Download Failed${cRES}" && exit fi rm -rf /tmp/nginx rm -rf /lib/systemd/system/nginx.service cat << EOF >/etc/systemd/system/nginx.service [Unit] Description=NGINX After=network.target [Service] Type=forking PIDFile=/run/nginx.pid ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf ExecReload=/usr/sbin/nginx -s reload ExecStop=$(which kill) -s QUIT \$MAINPID KillMode=process Restart=always RestartSec=2 TimeoutStopSec=5 Nice=-9 [Install] WantedBy=multi-user.target EOF mkdir -p "/etc/systemd/system/nginx.service.d" printf "[Service]\nExecStartPost=/bin/sleep 0.1\n" >/etc/systemd/system/nginx.service.d/override.conf if [[ $virt_type = "container" ]]; then sed -i '/Nice=/d' /etc/systemd/system/nginx.service fi systemctl daemon-reload >/dev/null [[ ! 
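-f "/var/www/ssl/dhparam.pem" ]] && openssl dhparam -out /var/www/ssl/dhparam.pem 2048
  echo -e "${WHITE}[ ${GREEN}✓ ${WHITE}]\c" && echo -e "\t${WHITE}Install NGINX${cRES}"
}

#######################################
# Bring nginx up: restart it when it is not active, otherwise reload it.
# A restart that fails is retried once with the Nice= line stripped from
# the unit (some container runtimes refuse a raised priority).
#######################################
nginxUp(){
  if [[ $(systemctl is-active 'nginx') != "active" ]]; then
    if ! systemctl restart nginx; then
      sed -i '/Nice=/d' /etc/systemd/system/nginx.service
      systemctl daemon-reload >/dev/null
      systemctl restart nginx
    fi
  else
    systemctl force-reload nginx
  fi
}

#######################################
# Wipe acme.sh state and any previously issued key/cert material, then
# install a fresh acme.sh and point it at Let's Encrypt.
# Returns: 1 if acme.sh could not be downloaded and installed.
# Security: get.acme.sh is executed as root and nothing here can verify it
# (no published signature). Downloading with -f to a file first at least
# refuses to run an HTTP error page or a truncated download, whereas
# `curl | sh` silently "succeeds" on an empty stream.
#######################################
acmeReset(){
  crontab -l 2>/dev/null | sed '/acme.sh/d' | crontab -
  rm -rf "/root/.acme.sh"
  rm -f /var/www/ssl/*.cer /var/www/ssl/*.key
  find /var/www/ssl -maxdepth 1 -name '*.pem' ! -name 'dhparam.pem' -delete
  local installer
  installer=$(mktemp) || return 1
  if ! curl -fsSL https://get.acme.sh -o "$installer"; then
    rm -f -- "$installer"
    echo -e "${RED}acme.sh download failed${cRES}" >&2
    return 1
  fi
  sh "$installer"
  rm -f -- "$installer"
  [[ -x "/root/.acme.sh/acme.sh" ]] || return 1
  "/root/.acme.sh"/acme.sh --upgrade --auto-upgrade
  "/root/.acme.sh"/acme.sh --set-default-ca --server letsencrypt
}

#######################################
# Issue a wildcard certificate for $topDomain through the Cloudflare DNS-01
# challenge and install it for nginx.
# Globals: topDomain, CFapikey, CFemail (read)
# Returns: 1 when an input is missing or acme.sh could not be installed.
# Security: CF_Key is the account-wide Global API Key and acme.sh persists
# it in /root/.acme.sh/account.conf; a scoped API token (CF_Token) would
# limit what a compromised host can do with it. The private key is kept
# root-only: the nginx master process runs as root (its unit sets no User=)
# and it is the process that loads the key, so 0644 was never needed.
#######################################
makeSSL_D(){
  if [[ -z $topDomain || -z $CFapikey || -z $CFemail ]]; then
    echo -e "${RED}Domain, Cloudflare API key and email are all required${cRES}" >&2
    return 1
  fi
  export CF_Key="$CFapikey"
  export CF_Email="$CFemail"
  nginxUp
  acmeReset || return 1
  "/root/.acme.sh"/acme.sh --issue --dns dns_cf -d "$topDomain" -d "*.$topDomain" -k ec-256 --dnssleep 180
  "/root/.acme.sh"/acme.sh --installcert -d "$topDomain" \
    --key-file /var/www/ssl/de_GWD.key \
    --fullchain-file /var/www/ssl/de_GWD.cer \
    --reloadcmd "systemctl force-reload nginx" \
    --ecc
  chmod 600 /var/www/ssl/*.key
}

#######################################
# Issue a certificate for $domain through the HTTP-01 webroot challenge.
# nginx is temporarily reduced to a plain port-80 server (nginxWebConf
# rebuilds the TLS config afterwards) so acme.sh can serve the challenge.
# Globals: domain (read)
# Returns: 1 when $domain is empty or acme.sh could not be installed.
#######################################
makeSSL_W(){
  if [[ -z $domain ]]; then
    echo -e "${RED}Domain is required${cRES}" >&2
    return 1
  fi
  rm -f /etc/nginx/conf.d/80.conf /etc/nginx/conf.d/default.conf
  cat << EOF >/etc/nginx/conf.d/default.conf
# SERVER_BASE_START
server {
  listen 80 reuseport;
  server_name $domain;
  root /var/www/html;
  index index.php index.html index.htm;
# SERVER_BASE_END
}
EOF
  nginxUp
  acmeReset || return 1
  "/root/.acme.sh"/acme.sh --issue -d "$domain" -w /var/www/html -k ec-256
  "/root/.acme.sh"/acme.sh --installcert -d "$domain" \
    --key-file /var/www/ssl/de_GWD.key \
    --fullchain-file /var/www/ssl/de_GWD.cer \
    --reloadcmd "systemctl force-reload nginx" \
    --ecc
  # root-only for the same reason as in makeSSL_D (nginx master runs as root)
  chmod 600 /var/www/ssl/*.key
}

#######################################
# Generate /etc/nginx/conf.d/default.conf (plus the port-80 redirect and the
# .HSTS / .ssl_certs snippets) for the current domain, port and WebSocket path.
# Globals: domain, port, path (read)
# User-added content already in default.conf outside the SERVER_BASE/DOH/V2
# marker sections is carried over into the new server block, so re-running
# is idempotent.
# Returns: 1 if domain or path could not be pasted into a directive safely
#   (both are interpolated into the config text verbatim).
#######################################
nginxWebConf(){
  local conf=/etc/nginx/conf.d/default.conf
  if [[ ! $domain =~ ^[A-Za-z0-9.-]+$ ]]; then
    echo -e "${RED}Invalid domain: '$domain'${cRES}" >&2
    return 1
  fi
  # A location path must start with "/" and must not carry anything that
  # could close the directive or the block.
  if [[ $path != /* || $path == *[[:space:]\{\}\;\"\'\$\\]* ]]; then
    echo -e "${RED}Invalid WebSocket path: '$path'${cRES}" >&2
    return 1
  fi
  if [[ $port = "443" ]]; then
    cat << EOF >/etc/nginx/conf.d/80.conf
server {
  listen 80 reuseport;
  server_name $domain;
  return 301 https://\$server_name\$request_uri;
}
EOF
  else
    rm -f /etc/nginx/conf.d/80.conf
  fi
  # Strip the generated sections, the closing brace and surrounding blank
  # lines from the existing file; whatever survives is user content.
  touch "$conf"
  sed -i '/SERVER_BASE_START/,/SERVER_BASE_END/d' "$conf"
  sed -i '/DOH_START/,/DOH_END/d' "$conf"
  sed -i '/V2_START/,/V2_END/d' "$conf"
  sed -i '$s/}$//' "$conf"
  until [[ $(head -1 "$conf" | cat -e) != "$" ]]; do sed -i '1d' "$conf"; done
  until [[ $(tail -1 "$conf" | cat -e) != "$" ]]; do sed -i '$d' "$conf"; done
  # Read the leftovers before the heredoc below truncates the same file.
  local userConf
  userConf=$(cat "$conf" 2>/dev/null)

  cat << 'EOF' >/etc/nginx/conf.d/.HSTS
add_header X-Download-Options "noopen" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
EOF

  cat << 'EOF' >/etc/nginx/conf.d/.ssl_certs
ssl_certificate /var/www/ssl/de_GWD.cer;
ssl_certificate_key /var/www/ssl/de_GWD.key;
ssl_dhparam /var/www/ssl/dhparam.pem;
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve X25519:secp384r1;
ssl_conf_command Options KTLS;
ssl_conf_command Ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_session_tickets off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 6h;
ssl_buffer_size 4k;
ssl_stapling off;
ssl_stapling_verify off;
# TLS 1.3 0-RTT is on: early data can be replayed by a network attacker, so
# every endpoint behind this server (the DoH resolver included) has to
# tolerate replayed requests. The Early-Data header lets a backend reject
# them with 425 (RFC 8470) if it cannot.
ssl_early_data on;
proxy_set_header Early-Data $ssl_early_data;
EOF

  cat << EOF >/etc/nginx/conf.d/default.conf
# SERVER_BASE_START
upstream xray {
  server 127.0.0.1:9890;
  keepalive 32;
}
server {
  listen $port default quic reuseport;
  listen $port default ssl fastopen=500 reuseport;
  http2 on;
  server_name $domain;
  root /var/www/html;
  index index.php index.html index.htm;
  error_page 497 https://\$host:$port\$request_uri;
  # advertise HTTP/3 on the port QUIC actually listens on, not a fixed 443
  add_header Alt-Svc 'h3=":$port";ma=86400,quic=":$port"; ma=2592000; v="46,43"';
  include /etc/nginx/conf.d/.HSTS;
  add_header Referrer-Policy "origin" always;
  add_header Pragma "no-cache" always;
  include /etc/nginx/conf.d/.ssl_certs;
# SERVER_BASE_END
# DOH_START
  location /dq {
    proxy_pass http://127.0.0.1:9853/dq;
    proxy_http_version 1.1;
    proxy_set_header Host \$host;
    proxy_set_header X-Real-IP \$remote_addr;
    proxy_connect_timeout 600;
    proxy_read_timeout 600;
    proxy_send_timeout 600;
    chunked_transfer_encoding off;
    proxy_redirect off;
    proxy_store off;
    proxy_cache off;
    proxy_buffering off;
    proxy_buffer_size 4k;
    proxy_busy_buffers_size 16k;
    proxy_buffers 4 16k;
    # add_header is not inherited into a location that sets its own header,
    # so without this include /dq would be served with none of the .HSTS set.
    include /etc/nginx/conf.d/.HSTS;
    add_header Cache-Control no-cache;
  }
# DOH_END
# V2_START
  location $path {
    if (\$http_upgrade != "websocket") { return 404; }
    proxy_pass http://xray;
    proxy_http_version 1.1;
    proxy_set_header Host \$host;
    proxy_set_header Upgrade "websocket";
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Real-IP \$remote_addr;
    proxy_set_header X-Real-PORT \$remote_port;
    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    proxy_connect_timeout 600;
    proxy_read_timeout 600;
    proxy_send_timeout 600;
    chunked_transfer_encoding off;
    proxy_redirect off;
    proxy_store off;
    proxy_cache off;
    proxy_buffering off;
    proxy_buffer_size 4k;
    proxy_busy_buffers_size 16k;
    proxy_buffers 4 16k;
    # same add_header inheritance rule as above
    include /etc/nginx/conf.d/.HSTS;
    add_header Cache-Control no-cache;
  }
# V2_END
$userConf
}
EOF
}

#######################################
# Write the Xray (vtrui) config: a VMess-over-WebSocket inbound on
# 127.0.0.1:9890 behind nginx, with one client per UUID in $uuids.
# Globals: path, uuids (read; uuids is a whitespace-separated list)
# Both values are injected with jq --arg instead of being pasted into the
# JSON text, so a quote or backslash in either cannot break or alter the
# resulting config.
#######################################
XrayInbound(){
  local conf=/opt/de_GWD/vtrui/config.json
  cat << 'EOF' >"$conf"
{
  "log": { "access":"none", "error":"none", "loglevel":"none" },
  "dns":{ "tag":"dnsflow", "disableCache":true, "servers":["tcp+local://127.0.0.1:53"] },
  "routing":{ "rules":[ ] },
  "inbounds":[
    {
      "listen":"127.0.0.1",
      "port": 9890,
      "protocol":"vmess",
      "settings":{ "clients":[] },
      "streamSettings":{
        "network":"ws",
        "security":"none",
        "wsSettings":{ "path":"" },
        "sockopt": { "tcpFastOpen": true, "tcpMptcp": true }
      },
      "sniffing": { "enabled": true, "destOverride": [ "http", "tls", "quic" ] }
    }
  ]
}
EOF
  jq --arg p "$path" '.inbounds[0].streamSettings.wsSettings.path = $p' "$conf" | sponge "$conf"
  local uuid
  for uuid in $uuids; do
    jq --arg id "$uuid" '.inbounds[0].settings.clients += [{"id": $id, "alterId": 0}]' "$conf" | sponge "$conf"
  done
}

#######################################
# Replace the outbounds with a direct "freedom" outbound and a "blackhole"
# that answers with an HTTP response, in that order.
#######################################
XrayOutboundDirect(){
  local conf=/opt/de_GWD/vtrui/config.json
  jq '.outbounds = [
        {"tag":"direct","protocol":"freedom",
         "streamSettings":{"sockopt":{"tcpFastOpen":true,"tcpNoDelay":true}}},
        {"tag":"blocked","protocol":"blackhole",
         "settings":{"response":{"type":"http"}}}
      ]' "$conf" | sponge "$conf"
}

#######################################
# Post-install housekeeping: deploy the sample site and the speed-test blob,
# install the cron helpers (Q2H, Qday, rc_kernel.local) and restart the
# services from a detached screen so the restart outlives this shell.
#######################################
postInstall(){
  echo -e "${WHITE}[...]\c" && echo -e "\t${WHITE}Post Install${cRES}\r\c"
  if ! ls /var/www/html 2>/dev/null | grep -q index; then
    if unzip -tq /opt/de_GWD/.repo/sample.zip | grep -q "No errors detected in compressed data"; then
      local sampleDir
      sampleDir=$(mktemp -d) || return 1
      unzip /opt/de_GWD/.repo/sample.zip -d "$sampleDir" >/dev/null 2>&1
      cp -rf "$sampleDir"/sample/* /var/www/html/
      rm -rf -- "$sampleDir"
    else
      rm -rf /opt/de_GWD/.repo/sample.zip
      echo -e "${WHITE}Sample Zip${RED} Download Failed${cRES}" && exit
    fi
  fi
  # 100 MB zero-filled download target for speed tests; (re)create if short.
  local sptKB
  sptKB=$(du -sk /var/www/html/spt 2>/dev/null | awk '{print$1}')
  if [[ ${sptKB:-0} -lt 102400 ]]; then
    dd if=/dev/zero of=/var/www/html/spt bs=1k count=100k status=progress
  fi

  cat << "EOF" >/opt/de_GWD/Q2H
#!/bin/bash
# Every 2 hours (cron): run /opt/de_GWD/tcpTime on non-container hosts and
# trim rotated logs and stray download leftovers.
virt=$(systemd-detect-virt)
virtCON="openvz lxc lxc-libvirt systemd-nspawn docker podman rkt wsl proot pouch"
# virt_type was previously tested without ever being set in this script, so
# tcpTime also ran inside containers; derive it from the detection first.
virt_type=""
[[ " $virtCON " == *" $virt "* ]] && virt_type="container"
[[ $virt_type != "container" ]] && /opt/de_GWD/tcpTime
rm -rf ~/server*
rm -rf ~/wget-log
rm -rf /var/log/*1*
rm -rf /var/log/*2*
rm -rf /var/log/*.gz
EOF
  chmod +x /opt/de_GWD/Q2H
  /opt/de_GWD/Q2H

  cat << "EOF" >/opt/de_GWD/Qday
#!/bin/bash
# Daily (cron): if the installed certificate expires within 3 days
# (259200 s), force a renewal through acme.sh and copy the result into place.
if openssl x509 -enddate -noout -in /var/www/ssl/de_GWD.cer -checkend 259200 | grep -q "Certificate will expire" && [[ -d "/root/.acme.sh" ]]; then
  "/root/.acme.sh"/acme.sh --set-default-ca --server letsencrypt
  "/root/.acme.sh"/acme.sh --cron --force --home "/root/.acme.sh"
  sslFolder=$(ls "/root/.acme.sh" | grep '_ecc')
  cp -f "/root/.acme.sh"/$sslFolder/fullchain.cer /var/www/ssl/de_GWD.cer
  cp -f "/root/.acme.sh"/$sslFolder/*.key /var/www/ssl/de_GWD.key
  # root-only: the nginx master (root) loads the key, workers never read it
  chmod 600 /var/www/ssl/*.key
fi
EOF
  chmod +x /opt/de_GWD/Qday

  cat << "EOF" >/etc/rc_kernel.local
#!/bin/bash
# Once per boot (cron @reboot): finish any interrupted dpkg run, then purge
# every linux-image / linux-headers package other than the running kernel's.
# apt and dpkg hold their locks as advisory locks on the open lock file, so
# a leftover lock file never blocks anything by itself, and deleting a lock
# that a running apt still holds only races that apt; the old unconditional
# rm of the lock files is therefore gone. If apt is busy the commands below
# fail and the job simply runs again at the next boot.
PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
dpkg --configure -a
running=$(uname -r)
dpkg --list | grep linux-image | awk '{print $2}' | grep -Fv "$running" | while read -r pkg; do
  apt autoremove --purge -y "$pkg"
done
dpkg --list | grep linux-headers | awk '{print $2}' | grep -Fv "$running" | while read -r pkg; do
  apt autoremove --purge -y "$pkg"
done
EOF
  chmod +x /etc/rc_kernel.local

  # Rewrite root's crontab through a pipe: no fixed /tmp/now.cron that a
  # local user could pre-create or symlink before root writes to it.
  {
    crontab -l 2>/dev/null | sed -e '/\/opt\/de_GWD\/Qprobe/d' -e '/\/opt\/de_GWD\/Q2H/d' \
      -e '/\/opt\/de_GWD\/Qday/d' -e '/\/opt\/de_GWD\/Q4amSun/d' \
      -e '/\/opt\/de_GWD\/clearKernel/d' -e '/\/etc\/rc_.*/d'
    cat << EOF
0 */2 * * * /opt/de_GWD/Q2H
0 0 * * * /opt/de_GWD/Qday
@reboot sleep 15 && /etc/rc_kernel.local
EOF
  } | crontab -
  service cron restart
  echo -e "${WHITE}[ ${GREEN}✓ ${WHITE}]\c" && echo -e "\t${WHITE}Post Install${cRES}"

  # The restarts run in a detached screen so they complete even if this
  # shell goes away (e.g. while the script replaces itself). The helper gets
  # a private temp name for the same /tmp pre-creation reason as above.
  local restartScript
  restartScript=$(mktemp /tmp/comRestart.XXXXXX) || return 1
  cat << "EOF" >"$restartScript"
#!/bin/bash
# Restart a unit; if that fails, drop its Nice= line (some container
# runtimes reject it) and try once more.
restartOrUnnice(){
  systemctl restart "$1" && return 0
  sed -i '/Nice=/d' "/etc/systemd/system/$1.service"
  systemctl daemon-reload >/dev/null
  systemctl restart "$1"
}
# The former container-only branch here removed the inbound "listen"
# (binding Xray to every interface, unencrypted) and moved it to port 9896
# while nginx keeps proxying to 127.0.0.1:9890; it appears to be a leftover
# from an earlier unix-socket layout and only broke container installs, so
# it has been dropped.
restartOrUnnice doh-server
systemctl enable vtrui >/dev/null 2>&1
restartOrUnnice vtrui
restartOrUnnice nginx
systemctl enable nginx >/dev/null 2>&1
rm -f -- "$0"
EOF
  chmod +x "$restartScript"
  screen -dmS comRestart "$restartScript"
  sleep 3
}
checkKernel(){ if [[ $(dpkg --list | grep linux-image | wc -l) != "1" ]]; then echo -e "${WHITE}[ ${YELLOW}!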
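${WHITE}]\c" && echo -e "\t${YELLOW}Kernel updated & reboot${cRES}"
    sleep 2
    sudo reboot
    exit
  fi
}

#######################################
# Fetch and run the upstream kernel installer.
# Security: this runs a script pulled from the de_GWD GitHub branch as root
# with no signature or pinned checksum to check it against, i.e. a deliberate
# trust in that repository and in TLS. Saving it to a file first at least
# keeps a failed or partial download from being executed (bash <(wget ...)
# would happily run whatever arrived).
#######################################
installkernel(){
  local tmp
  tmp=$(mktemp) || return 1
  if wget --show-progress -qO "$tmp" https://raw.githubusercontent.com/jacyl4/de_GWD/main/resource/kernel/installkernel \
     && [[ -s $tmp ]]; then
    bash "$tmp"
  else
    echo -e "${RED}Kernel installer download failed${cRES}" >&2
  fi
  rm -f -- "$tmp"
}

#######################################
# Prompt for "domain[:port]", re-issue the certificate and regenerate the
# nginx config. Port 443 uses the HTTP-01 webroot flow (makeSSL_W); any
# other port needs a Cloudflare DNS-01 challenge (makeSSL_D), so the API
# credentials are asked for in that case.
# Globals written: vpsdomainP, domain, topDomain, port, path, CFapikey, CFemail
# Returns: 1 on malformed input; nothing has been changed at that point.
#######################################
changeDomain(){
  echo -e "${GREEN}================== ${cRES}"
  echo -e "${GREEN} Input new domain${cRES}"
  echo -e "${GREEN}================== ${cRES}"
  read -r vpsdomainP
  domain=${vpsdomainP%%:*}
  port=""
  [[ $vpsdomainP == *:* ]] && port=${vpsdomainP#*:}
  [[ -z $port ]] && port="443"
  # Both values end up verbatim in nginx directives and in acme.sh
  # arguments, so reject anything that is not a plain hostname / port
  # instead of silently falling back as the old cut|grep parsing did.
  local domainRe='^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$'
  if [[ ! $domain =~ $domainRe ]]; then
    echo -e "${RED}Invalid domain: '$domain'${cRES}" >&2
    return 1
  fi
  if [[ ! $port =~ ^[0-9]+$ ]] || (( 10#$port < 1 || 10#$port > 65535 )); then
    echo -e "${RED}Invalid port: '$port'${cRES}" >&2
    return 1
  fi
  # registrable part = last two labels (no public-suffix handling, as before)
  topDomain=$(awk -F. '{print $(NF-1)"."$NF}' <<<"$domain")
  path=$(jq -r '.inbounds[0].streamSettings.wsSettings.path' /opt/de_GWD/vtrui/config.json 2>/dev/null | grep -v '^null$')
  if [[ $port = "443" ]]; then
    makeSSL_W
  else
    echo -e "${GREEN}=============================== ${cRES}"
    echo -e "${GREEN} Cloudflare API KEY${cRES}"
    echo -e "${GREEN}=============================== ${cRES}"
    # -s: the key is a credential; do not echo it to the terminal/scrollback.
    # acme.sh will store it in /root/.acme.sh/account.conf; a scoped API
    # token is preferable to the Global API Key where the setup allows it.
    read -r -s CFapikey
    echo
    echo -e "${GREEN}=============================== ${cRES}"
    echo -e "${GREEN} Cloudflare Email${cRES}"
    echo -e "${GREEN}=============================== ${cRES}"
    read -r CFemail
    makeSSL_D
  fi
  nginxWebConf
  systemctl force-reload nginx
  echo -e "${WHITE}[ ${GREEN}✓ ${WHITE}]\c" && echo -e "\t${WHITE}Domain and Certificates ${GREEN}Changed${cRES}"
}

#######################################
# Prompt for a new client UUID list and WebSocket path, then regenerate the
# nginx and Xray configs for the domain/port already in default.conf.
# Globals written: nuuid, npath, domain, topDomain, port, path, uuids
# Returns: 1 when the input could not be pasted into JSON / an nginx
#   `location` directive safely (nothing is changed in that case).
#######################################
changeXrayVerify(){
  echo -e "${GREEN}========== ${cRES}"
  echo -e "${GREEN} New UUID${cRES}"
  echo -e "${GREEN}========== ${cRES}"
  read -r nuuid
  echo -e "${GREEN}========== ${cRES}"
  echo -e "${GREEN} New Path${cRES}"
  echo -e "${GREEN}========== ${cRES}"
  read -r npath
  # several IDs may be given separated by whitespace (XrayInbound splits
  # on it); quotes and backslashes have no place in an ID
  if [[ -z $nuuid || $nuuid == *[\"\\]* ]]; then
    echo -e "${RED}Invalid UUID: '$nuuid'${cRES}" >&2
    return 1
  fi
  if [[ $npath != /* || $npath == *[[:space:]\{\}\;\"\'\$\\]* ]]; then
    echo -e "${RED}Invalid path: '$npath'${cRES}" >&2
    return 1
  fi
  domain=$(awk '/server_name/ {print$2;exit}' /etc/nginx/conf.d/default.conf | sed 's/.$//')
  topDomain=$(awk -F. '{print $(NF-1)"."$NF}' <<<"$domain")
  port=$(awk '/ssl .* reuseport/ {print$2}' /etc/nginx/conf.d/default.conf | grep '^[[:digit:]]*$')
  path=$npath
  uuids=$nuuid
  nginxWebConf
  systemctl force-reload nginx
  XrayInbound
  XrayOutboundDirect
  systemctl restart vtrui >/dev/null 2>&1
  echo -e "${WHITE}[ ${GREEN}✓ ${WHITE}]\c" && echo -e "\t${WHITE}Xray UUID & Path ${GREEN}Changed${cRES}"
}

#######################################
# Enable ([1]) or remove ([2]) the Cloudflare WARP WireGuard upstream.
# Enabling needs a kernel >= 5.6, an IPv4 address on the host, wireguard-tools
# and the wgcf helper; it then writes /etc/wireguard/wgcf.conf, a custom
# wg-quick@ unit, and brings the tunnel up from a detached screen.
#######################################
changeWGCF(){
  echo -e "${GREEN}================================================ ${cRES}"
  echo -e "${GREEN}[1]: Enable Cloudflare wireguard upstream (WARP) ${cRES}"
  echo -e "${GREEN}[2]: Delete Cloudflare wireguard upstream (WARP) ${cRES}"
  echo -e "${GREEN}================================================ ${cRES}"
  read -s -n 1 WGCFswitch
  echo -e "${WHITE}[...${WHITE}]\c" && echo -e "\t${WHITE}Switching Cloudflare wireguard upstream (WARP)${cRES}\r\c"
  if [[ $WGCFswitch = "1" ]]; then
    local kernelVer
    kernelVer=$(uname -r 2>&1 | grep -o '[0-9.]*' | head -n 1)
    # the higher of {running kernel, 5.6}; if that is still 5.6 the kernel is too old
    if [[ $(printf '%s\n' "$kernelVer" "5.6" | sort -rV | head -n 1) = "5.6" ]]; then
      echo -e "${WHITE}[ ${YELLOW}! ${WHITE}]\c" && echo -e "\t${YELLOW}Update kernel first! ${cRES}"
    else
      local localAddrIPv4
      localAddrIPv4=$(ip -4 a | grep inet | grep -v '127.0.0.1' | awk '{print $2}' | cut -d'/' -f1 | head -n 1)
      if [[ -n $localAddrIPv4 ]]; then
        unset aptPKG
        [[ -z $(dpkg -l | awk '{print$2}' | grep '^wireguard-tools$') ]] && aptPKG+=(wireguard-tools)
        [[ -n $aptPKG ]] && apt update && apt install "${aptPKG[@]}"
        ghREPO="ViRb3/wgcf"
        ghPackage="linux_$architecture"
        # No checksum or signature is checked for the helper binary; the size
        # test below only rejects truncated or error-page downloads.
        local wgcfTmp
        wgcfTmp=$(mktemp /tmp/wgcf.XXXXXX) || return 1
        curl -fsSL "https://api.github.com/repos/${ghREPO}/releases/latest" | grep -E 'browser_download_url' | grep -- "$ghPackage" | cut -d '"' -f 4 | wget --show-progress -qi - -O "$wgcfTmp"
        if [[ $(du -sk "$wgcfTmp" 2>/dev/null | awk '{print$1}') -gt 8000 ]]; then
          mv "$wgcfTmp" /usr/local/bin/wgcf && chmod 755 /usr/local/bin/wgcf
        else
          rm -f -- "$wgcfTmp"
        fi
        if [[ -x "/usr/local/bin/wgcf" ]]; then
          # Register/generate in a private 0700 directory: wgcf writes the
          # account token and the WireGuard private key into its working dir.
          local wgDir privKey pubKey
          wgDir=$(mktemp -d) || return 1
          ( cd "$wgDir" && { echo | wgcf register; wgcf generate; } )
          privKey=$(awk '/PrivateKey/{print$3}' "$wgDir/wgcf-profile.conf" 2>/dev/null)
          pubKey=$(awk '/PublicKey/{print$3}' "$wgDir/wgcf-profile.conf" 2>/dev/null)
          rm -rf -- "$wgDir"
          if [[ -n $privKey && -n $pubKey ]]; then
            mkdir -p /etc/wireguard
            # The file carries the private key: create it 0600 before writing
            # (wg-quick itself warns when this file is world-readable).
            install -m 600 /dev/null /etc/wireguard/wgcf.conf
            cat << EOF >/etc/wireguard/wgcf.conf
[Interface]
PrivateKey = $privKey
Address = 172.16.0.2/24
PostUp = ip rule add from $localAddrIPv4 lookup main; ip rule add ipproto udp dport 53 lookup main;
PostDown = ip rule del from $localAddrIPv4 lookup main; ip rule del ipproto udp dport 53 lookup main;
DNS = 172.16.0.2
MTU = 1420
[Peer]
PublicKey = $pubKey
EndPoint = engage.cloudflareclient.com:2408
AllowedIPs = 0.0.0.0/0
AllowedIPs = ::/0
PersistentKeepalive = 15
EOF
          else
            echo -e "${RED}wgcf registration failed; /etc/wireguard/wgcf.conf not written${cRES}" >&2
          fi
        fi
        rm -rf /lib/systemd/system/wg-quick@.service
        cat << 'EOF' >/etc/systemd/system/wg-quick@.service
[Unit]
Description=WireGuard via wg-quick(8) for %I
After=network-online.target nss-lookup.target
Wants=network-online.target nss-lookup.target
PartOf=wg-quick.target
[Service]
User=root
Type=oneshot
ExecStart=/usr/bin/wg-quick up %i
ExecStartPost=/etc/rc_online.local
ExecStop=/usr/bin/wg-quick down %i
ExecStopPost=/etc/rc_online.local
ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
EOF
        systemctl daemon-reload >/dev/null
        # bring-up runs in a detached screen so it survives this shell; the
        # helper gets a private temp name rather than a fixed /tmp path
        local startScript
        startScript=$(mktemp /tmp/WGCFstart.XXXXXX) || return 1
        cat << "EOF" >"$startScript"
#!/bin/bash
systemctl enable wg-quick@wgcf
systemctl restart wg-quick@wgcf
# Replace the ip_forward line with all three forwarding sysctls. The
# backslash-continued lines are GNU sed's syntax for multi-line "c" text;
# bare newlines inside the quoted script would be parsed as further commands.
sed -i '/net.ipv4.ip_forward =/c\
net.ipv4.ip_forward = 1\
net.ipv4.conf.all.forwarding = 1\
net.ipv4.conf.default.forwarding = 1' /etc/sysctl.conf
sysctl -p >/dev/null 2>&1
rm -rf /run/resolvconf/interface
sed -i '/dns-nameservers /d' /etc/network/interfaces
resolvconf -u
/etc/rc_online.local
rm -f -- "$0"
EOF
        chmod +x "$startScript"
        screen -dmS WGCFstart "$startScript"
        sleep 3
        # Rough success check: the public address should no longer be the
        # local one. On a NATed host the two differ even without WARP, so
        # this can report success spuriously there.
        local wanIP
        wanIP=$(curl -4sSL whatismyip.akamai.com | grep -Po '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}')
        [[ -z $wanIP ]] && wanIP=$(curl -4sSL ifconfig.me | grep -Po '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}')
        echo -e "${BLUE}------------------------------------------------------------- ${cRES}"
        if [[ $localAddrIPv4 != "$wanIP" ]]; then
          echo -e "${WHITE}[ ${GREEN}✓ ${WHITE}]\c" && echo -e "\t${WHITE}Cloudflare wireguard upstream (WARP) ${GREEN}Enabled${cRES}"
        else
          echo -e "${WHITE}[ ${RED}✕ ${WHITE}]\c" && echo -e "\t${WHITE}Cloudflare wireguard upstream (WARP) ${RED}Failed${cRES}"
        fi
        echo -e "${BLUE}------------------------------------------------------------- ${cRES}"
      else
        echo -e "${WHITE}[ ${RED}✕ ${WHITE}]\c" && echo -e "\t${RED}This vps has no IPv4 address${cRES}"
      fi
    fi
  elif [[ $WGCFswitch = "2" ]]; then
    local stopScript
    stopScript=$(mktemp /tmp/WGCFstop.XXXXXX) || return 1
    cat << "EOF" >"$stopScript"
#!/bin/bash
systemctl stop wg-quick@wgcf
systemctl disable wg-quick@wgcf
rm -rf /run/resolvconf/interface
sed -i '/dns-nameservers /d' /etc/network/interfaces
resolvconf -u
/etc/rc_online.local
rm -f -- "$0"
EOF
    chmod +x "$stopScript"
    screen -dmS WGCFstop "$stopScript"
    echo -e "${WHITE}[ ${RED}✕ ${WHITE}]\c" && echo -e "\t${WHITE}Cloudflare wireguard upstream (WARP) ${RED}Disabled${cRES}"
  fi
}
changeTCPPF(){
  echo -e "${GREEN}============================ ${cRES}"
  echo -e "${GREEN}[1]: Set TCP Port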
Forward${cRES}" echo -e "${GREEN}[2]: Delete TCP Port Forward${cRES}" echo -e "${GREEN}============================ ${cRES}" read -s -n 1 tcpPFsw echo -e "${WHITE}[...${WHITE}]\c" && echo -e "\t${WHITE}Modifying TCP Port Forward settings${cRES}\r\c" if [[ $tcpPFsw = "1" ]]; then echo -e "${GREEN}======================= ${cRES}" echo -e "${GREEN}Upstream Domain & Port${cRES}" echo -e "${GREEN}======================= ${cRES}" read upDomainP echo -e "${GREEN}======================= ${cRES}" echo -e "${GREEN}Local Port${cRES}" echo -e "${GREEN}======================= ${cRES}" read localP upDomain=$(echo $upDomainP | cut -d: -f1) upPort=$(echo $upDomainP | cut -d: -f2| grep '^[[:digit:]]*$') unset aptPKG [[ -z $(dpkg -l | awk '{print$2}' | grep '^haproxy$') ]] && aptPKG+=(haproxy) [[ -n $aptPKG ]] && apt update && apt install $(echo ${aptPKG[@]}) cat << EOF >/etc/haproxy/haproxy.cfg global ulimit-n 500000 maxconn 200000 defaults mode tcp option dontlognull timeout connect 10s timeout client 1m timeout server 1m timeout check 10s resolvers local nameserver dns 127.0.0.1:53 resolve_retries 3 timeout retry 3s hold valid 10s accepted_payload_size 8192 frontend $upDomain bind :$localP default_backend $upDomain backend $upDomain server endpoint $upDomainP check resolvers local init-addr none EOF rm -rf /lib/systemd/system/haproxy.service cat << "EOF" >/etc/systemd/system/haproxy.service [Unit] Description=HAProxy After=network.target rsyslog.service [Service] User=root Type=notify EnvironmentFile=-/etc/default/haproxy Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid" ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q $EXTRAOPTS ExecStart=/usr/sbin/haproxy -Ws -f $CONFIG -p $PIDFILE $EXTRAOPTS ExecReload=/usr/sbin/haproxy -f $CONFIG -c -q $EXTRAOPTS ExecReload=$(which kill) -USR2 $MAINPID KillMode=mixed Restart=always RestartSec=2 TimeoutStopSec=5 [Install] WantedBy=multi-user.target EOF systemctl daemon-reload >/dev/null systemctl enable haproxy >/dev/null 
2>&1 systemctl restart haproxy domain=$(awk '/server_name/ {print$2;exit}' /etc/nginx/conf.d/default.conf | sed 's/.$//') echo -e "${BLUE}------------------------------------------------ ${cRES}" echo -e "${GREEN}TCP Port Forward${cRES}" echo echo -e "${BLUE}Address: ${YELLOW}$domain:$localP${cRES}" echo -e "${BLUE}tls: ${YELLOW}$upDomain${cRES}" echo -e "${BLUE}------------------------------------------------ ${cRES}" echo echo -e "${WHITE}[ ${GREEN}✓ ${WHITE}]\c" && echo -e "\t${WHITE}TCP Port Forward ${GREEN}Deployed${cRES}" elif [[ $tcpPFsw = "2" ]]; then systemctl stop haproxy systemctl disable haproxy rm -rf /etc/haproxy/haproxy.cfg >/dev/null 2>&1 echo -e "${WHITE}[ ${GREEN}✓ ${WHITE}]\c" && echo -e "\t${WHITE}TCP Port Forward ${GREEN}Deleted${cRES}" fi } printNode(){ vpsdomain=$(awk '/server_name/ {print$2;exit}' /etc/nginx/conf.d/default.conf | sed 's/.$//') port=$(awk '/ssl .* reuseport/ {print$2}' /etc/nginx/conf.d/default.conf) if [[ $port = "443" ]]; then vpsdomainP=$vpsdomain else vpsdomainP=$vpsdomain:$port fi path=$(jq -r '.inbounds[0].streamSettings.wsSettings.path' /opt/de_GWD/vtrui/config.json 2>/dev/null | grep -v '^null$') uuids=$(jq -r '.inbounds[0].settings.clients[].id' /opt/de_GWD/vtrui/config.json 2>/dev/null | grep -v '^null$') if [[ $(systemctl is-active 'haproxy') == "active" ]]; then echo -e "${BLUE}-------------------------------------------------- ${cRES}" echo -e "${GREEN}HAProxy TCP Port Forward${cRES}" echo awk '/frontend/' /etc/haproxy/haproxy.cfg | while read line; do upDomain=$(echo $line | awk '{print$2}') localPort=$(awk "/frontend $upDomain/{getline; print}" /etc/haproxy/haproxy.cfg | cut -d: -f2) upDomainP=$(awk "/backend $upDomain/{getline; print\$3}" /etc/haproxy/haproxy.cfg) echo -e "${BLUE}Address: ${YELLOW}$vpsdomain:$localPort${cRES}" echo -e "${BLUE}tls: ${YELLOW}$upDomain${cRES}" echo done fi echo -e "${BLUE}-------------------------------------------------- ${cRES}" echo -e "${GREEN}Node Information${cRES}" echo 
echo -e "${BLUE}DoH: ${YELLOW}$vpsdomainP/dq${cRES}" echo -e "${BLUE}Address: ${YELLOW}$vpsdomainP${cRES}" echo -e "${BLUE}UUID: ${YELLOW}$uuids${cRES}" echo -e "${BLUE}Path: ${YELLOW}$path${cRES}" echo echo -e "${BLUE}QR code: ${cRES}" subAddr=$(echo -n "$(jq -r '.inbounds[0].settings.clients[0].id' /opt/de_GWD/vtrui/config.json 2>/dev/null | grep -v '^null$')@$vpsdomain:$port") subUrl="vmess://${subAddr}?encryption=auto&type=ws&security=tls&tlsAllowInsecure=false&path=${path}&host=${vpsdomain}&sni=${vpsdomain}&tfo=1#${vpsdomain}:${port}" qrencode -t UTF8 -s 1 -m 3 $subUrl echo echo -e "${BLUE}-------------------------------------------------- ${cRES}" } installGWD(){ echo -e "${GREEN}================== ${cRES}" echo -e "${GREEN} Input VPS domain${cRES}" echo -e "${GREEN}================== ${cRES}" read vpsdomainP domain=$(echo $vpsdomainP | cut -d: -f1) topDomain=$(echo $domain | rev | awk -F. '{print $1"."$2}' | rev) port=$(echo $vpsdomainP | cut -d: -f2 | grep '^[[:digit:]]*$') [[ -z $port ]] && port="443" if [[ $port != "443" ]]; then echo -e "${GREEN}=============================== ${cRES}" echo -e "${GREEN} Cloudflare API KEY${cRES}" echo -e "${GREEN}=============================== ${cRES}" read CFapikey echo -e "${GREEN}=============================== ${cRES}" echo -e "${GREEN} Cloudflare Email${cRES}" echo -e "${GREEN}=============================== ${cRES}" read CFemail fi uuids=$(cat /proc/sys/kernel/random/uuid) path="/$(echo $uuids | awk '{print substr($0,length($1)-5)}')" ethernetnum=$(find /sys/class/net ! 
-type d | xargs --max-args=1 realpath | grep 'device' | xargs -n 1 | grep -v 'virtual' | grep -v 'ifb' | awk -F'/' '{print$NF}' | head -n1) localAddrCIDR=$(ip -4 a | grep "$ethernetnum" | grep -Po '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/\d{1,2}\b' | head -n 1) localAddr=$(echo $localAddrCIDR | cut -d/ -f1) if [[ $(cat /etc/os-release | grep VERSION= | cut -d'(' -f2 | cut -d')' -f1) == "stretch" ]]; then cat << EOF >/etc/apt/sources.list deb http://deb.debian.org/debian bookworm main non-free-firmware deb-src http://deb.debian.org/debian bookworm main non-free-firmware deb http://deb.debian.org/debian-security/ bookworm-security main non-free-firmware deb-src http://deb.debian.org/debian-security/ bookworm-security main non-free-firmware deb http://deb.debian.org/debian bookworm-updates main non-free-firmware deb-src http://deb.debian.org/debian bookworm-updates main non-free-firmware EOF sed -i "s/ stretch / buster /g" /etc/apt/sources.list.d/* >/dev/null 2>&1 apt update --fix-missing && apt upgrade --allow-downgrades -y apt full-upgrade -y && apt autoremove --purge -y && apt clean -y && apt autoclean -y fi cat << EOF >/etc/apt/sources.list deb http://deb.debian.org/debian bookworm main non-free-firmware deb-src http://deb.debian.org/debian bookworm main non-free-firmware deb http://deb.debian.org/debian-security/ bookworm-security main non-free-firmware deb-src http://deb.debian.org/debian-security/ bookworm-security main non-free-firmware deb http://deb.debian.org/debian bookworm-updates main non-free-firmware deb-src http://deb.debian.org/debian bookworm-updates main non-free-firmware deb http://deb.debian.org/debian bookworm-backports main non-free-firmware deb-src http://deb.debian.org/debian bookworm-backports main non-free-firmware EOF sed -i "s/ buster / bookworm /g" /etc/apt/sources.list.d/* >/dev/null 2>&1 sed -i "s/ bullseye / bookworm /g" /etc/apt/sources.list.d/* >/dev/null 2>&1 apt update --fix-missing && apt upgrade --allow-downgrades -y apt full-upgrade 
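-y && apt autoremove --purge -y && apt clean -y && apt autoclean -y
  preInstall
  [[ $virt_type != "container" ]] && installNftables
  repoDL
  installDOH
  installNginx
  installXray
  if [[ $port == "443" ]]; then
    makeSSL_W
  else
    makeSSL_D
  fi
  nginxWebConf
  XrayInbound
  XrayOutboundDirect
  postInstall
  enableAutoUpdate
  printNode
  echo -e "${WHITE}[ ${GREEN}✓ ${WHITE}]\c" && echo -e "\t${WHITE}de_GWD ${GREEN}Installed${cRES}"
}

#######################################
# Re-run the component installers on an existing server (identified by
# /opt/de_GWD/version.php) and reboot if a newer kernel was installed.
# Exits the script when this host is not a de_GWD server.
#######################################
updateGWD(){
  if [[ ! -f "/opt/de_GWD/version.php" ]]; then
    echo -e "${RED}This is not server${cRES}"
    exit
  fi
  preUpdate
  preInstall
  [[ $virt_type != "container" ]] && installNftables
  repoDL
  installDOH
  installNginx
  installXray
  nginxWebConf
  XrayInbound
  XrayOutboundDirect
  postInstall
  echo -e "${WHITE}[ ${GREEN}✓ ${WHITE}]\c" && echo -e "\t${WHITE}de_GWD ${GREEN}Updated${cRES}"
  checkKernel
}

#######################################
# Install the nightly self-update script and its 04:30 cron entry.
# Security: the updater fetches the server script over HTTPS from
# raw.githubusercontent.com and runs it as root with no signature or pinned
# checksum to verify — whoever can push to that branch controls every host
# with auto-update on. The size check only rejects truncated downloads.
#######################################
enableAutoUpdate(){
  cat << "EOF" >/opt/de_GWD/autoUpdate
#!/bin/bash
# Compare the first line of the local version.php with the upstream one;
# when the local version sorts lower, download the current server script and
# run it with its last line (the interactive menu call) replaced by updateGWD.
localVer=$(awk 'NR==1' /opt/de_GWD/version.php)
remoteVer=$(curl -fsSLo- https://raw.githubusercontent.com/jacyl4/de_GWD/main/version.php | head -n 1)
# a failed lookup must not be mistaken for a version
[[ -n $remoteVer ]] || exit 0
VerCP=$(printf '%s\n' "$localVer" "$remoteVer" | sort -rV | uniq | awk 'NR==2')
if [[ $VerCP == "$localVer" ]]; then
  # private temp name: a fixed /tmp/autoUpdate could be pre-created by a
  # local user before root writes and executes it
  tmp=$(mktemp) || exit 1
  trap 'rm -f -- "$tmp"' EXIT
  if wget -t 5 -T 10 -qO "$tmp" https://raw.githubusercontent.com/jacyl4/de_GWD/main/server \
     && [[ $(du -sk "$tmp" 2>/dev/null | awk '{print$1}') -gt 70 ]]; then
    sed -i '$d' "$tmp"
    echo "updateGWD" >> "$tmp"
    chmod +x "$tmp"
    "$tmp"
  fi
fi
EOF
  chmod +x /opt/de_GWD/autoUpdate
  {
    crontab -l 2>/dev/null | sed '/autoUpdate/d'
    echo '30 4 * * * /opt/de_GWD/autoUpdate'
  } | crontab -
}

#######################################
# Menu toggle for the nightly self-update: Y/y installs it, N/n removes the
# cron entry and the script; any other key leaves things unchanged.
#######################################
autoUpdateGWD(){
  echo -e "${GREEN}======================== ${cRES}"
  echo -e "${GREEN}[Y]: Turn on AutoUpdate${cRES}"
  echo -e "${GREEN}[N]: Turn off AutoUpdate${cRES}"
  echo -e "${GREEN}======================== ${cRES}"
  read -s -n 1 autoUpdateswitch
  echo -e "${WHITE}[...${WHITE}]\c" && echo -e "\t${WHITE}Modifying AutoUpdate settings${cRES}\r\c"
  case "$autoUpdateswitch" in
    Y|y)
      enableAutoUpdate
      echo -e "${WHITE}[ ${GREEN}✓ ${WHITE}]\c" && echo -e "\t${WHITE}AutoUpdate ${GREEN}On${cRES}"
      ;;
    N|n)
      crontab -l 2>/dev/null | sed '/autoUpdate/d' | crontab -
      rm -rf /opt/de_GWD/autoUpdate
      echo -e "${WHITE}[ ${GREEN}✓ ${WHITE}]\c" && echo -e "\t${WHITE}AutoUpdate ${RED}Off${cRES}"
      ;;
  esac
}

#######################################
# Fetch the latest cfspeed release if the installed one is older, run it and
# exit the script.
# The binary now lives in /opt/de_GWD rather than in the nginx document
# root, where earlier versions put it: /var/www/html is served to everyone,
# so the tool (and its version) was being handed out to any visitor.
#######################################
CFspeedTest(){
  local ghREPO="makotom/cfspeed"
  local ghPackage="linux-$architecture.tar.gz"
  local bin="/opt/de_GWD/cfspeed"
  # migrate a copy left in the web root by an older install
  [[ -f /var/www/html/cfspeed ]] && mv -f /var/www/html/cfspeed "$bin" >/dev/null 2>&1
  local latest
  latest=$(curl -fsSL "https://api.github.com/repos/${ghREPO}/releases/latest" | grep -E 'tag_name' | cut -d '"' -f 4)
  # when the release lookup fails keep whatever is installed instead of
  # re-downloading on every run
  if [[ -n $latest && $("$bin" -v 2>/dev/null | awk '{print$2}') != "$latest" ]]; then
    local tmpd
    tmpd=$(mktemp -d) || return 1
    # no checksum is verified here; the tarball is trusted from GitHub over TLS
    if curl -fsSL "https://api.github.com/repos/${ghREPO}/releases/latest" | grep -E 'browser_download_url' | grep -- "$ghPackage" | cut -d '"' -f 4 | wget --show-progress -qi - -O "$tmpd/cfspeed.tar.gz" \
       && tar -zxf "$tmpd/cfspeed.tar.gz" -C "$tmpd" >/dev/null 2>&1 && [[ -f "$tmpd/cfspeed" ]]; then
      mv -f "$tmpd/cfspeed" "$bin" && chmod +x "$bin"
    fi
    rm -rf -- "$tmpd"
  fi
  "$bin"
  exit
}
start_menu(){
  echo
  if [[ -f "/var/www/ssl/de_GWD.cer" ]]; then
    sslExpireDate=$(openssl x509 -enddate -noout -in /var/www/ssl/de_GWD.cer | sed 's/notAfter=//')
  else
    sslExpireDate="not exist"
  fi
  if [[ $(systemctl is-active 'nginx') = "active" ]]; then
    echo -e "${WHITE} Nginx \c" && echo -e "${WHITE}[ ${GREEN}✓ ${WHITE}]${cRES}"
  elif [[ ! -x "/usr/sbin/nginx" ]]; then
    echo -e "${WHITE} Nginx \c" && echo -e "${WHITE}[ ${YELLOW}! ${WHITE}]${cRES}"
  else
    echo -e "${WHITE} Nginx \c" && echo -e "${WHITE}[ ${RED}✕ ${WHITE}]${cRES}"
  fi
  if [[ $(systemctl is-active 'vtrui') = "active" ]]; then
    echo -e "${WHITE} Xray \c" && echo -e "${WHITE}[ ${GREEN}✓ ${WHITE}]${cRES}"
  elif [[ !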
-x "/opt/de_GWD/vtrui/vtrui" ]]; then echo -e "${WHITE} Xray \c" && echo -e "${WHITE}[ ${YELLOW}! ${WHITE}]${cRES}" else echo -e "${WHITE} Xray \c" && echo -e "${WHITE}[ ${RED}✕ ${WHITE}]${cRES}" fi if [[ $(systemctl is-active 'doh-server') = "active" ]]; then echo -e "${WHITE} DoH serverr \c" && echo -e "${WHITE}[ ${GREEN}✓ ${WHITE}]${cRES}" elif [[ ! -f "/opt/de_GWD/doh-server" ]]; then echo -e "${WHITE} DoH serverr \c" && echo -e "${WHITE}[ ${YELLOW}! ${WHITE}]${cRES}" else echo -e "${WHITE} DoH serverr \c" && echo -e "${WHITE}[ ${RED}✕ ${WHITE}]${cRES}" fi if [[ -n $(crontab -l 2>&1 | grep "autoUpdate") ]] && [[ -f "/opt/de_GWD/autoUpdate" ]]; then echo -e "${WHITE} AutoUpdate \c" && echo -e "${WHITE}[ ${GREEN}✓ ${WHITE}]${cRES}" else echo -e "${WHITE} AutoUpdate \c" && echo -e "${WHITE}[ ${WHITE}- ${WHITE}]${cRES}" fi echo -e "${BLUE}$virt${cRES}" [[ -f "/opt/de_GWD/version.php" ]] && echo -e "${BLUE}Version: ${YELLOW}$(echo $(awk 'NR==1' /opt/de_GWD/version.php)) ${cRES}" [[ $(systemctl is-active 'wg-quick@wgcf') = "active" ]] && echo -e "${PURPLE}[Enabled] Cloudflare wireguard upstream (WARP) ${cRES}" [[ $(systemctl is-active 'haproxy') = "active" ]] && echo -e "${PURPLE}[Enabled] HAProxy TCP Port Forward${cRES}" if [[ $virt_type = "container" ]]; then echo -e "${BLUE}---------------------------------------------------------------- ${cRES}" echo -e "${BLUE}Debian Version: $(cat /etc/os-release | grep VERSION= | cut -d'(' -f2 | cut -d')' -f1) ${cRES}" echo -e "${BLUE}Kernel: $(uname -r) ${cRES}" echo -e "${BLUE}---------------------------------------------------------------- ${cRES}" echo -e "${BLUE}SSL certificate expires on: $sslExpireDate${cRES}" echo -e "${GREEN}============SERVER============================================== ${cRES}" echo -e "${GREEN} __ _______ ______ ${cRES}" echo -e "${GREEN} ____/ /__ / ____/ | / / __ \ ${cRES}" echo -e "${GREEN} / __ / _ \ / / __ | | /| / / / / / ${cRES}" echo -e "${GREEN}/ /_/ / __/ / /_/ / | |/ |/ / /_/ / ${cRES}" 
echo -e "${GREEN}\__,_/\___/____\____/ |__/|__/_____/ ${cRES}" echo -e "${GREEN} /_____/ ${cRES}" echo echo -e "${GREEN}Require: Debian (amd64 && arm64) ${cRES}" echo -e "${GREEN}Author: JacyL4${cRES}" echo -e "${GREEN}================================================================ ${cRES}" echo echo -e "${GREEN}1. Install de_GWD${cRES}" echo -e "${GREEN}2. Install lkl-haproxy${cRES}" echo -e "${RED}4. Change domain and generate new certificate${cRES}" echo -e "${RED}5. Change Xray path & UUID${cRES}" echo -e "${YELLOW}0. Update de_GWD${cRES}" echo -e "${RED}00.AutoUpdate turn on/off${cRES}" echo -e "${GREEN}11.Print Xray node information${cRES}" echo -e "${GREEN}12.Localhost cloudflare speedtest${cRES}" echo -e "${CYAN}44.Set TCP Port Forward${cRES}" echo -e "${RED}CTRL+C EXIT${cRES}" echo read -p "Select:" num case "$num" in 1) installGWD start_menu ;; 2) bash <(wget --no-check-certificate -qO- https://github.com/mzz2017/lkl-haproxy/raw/master/lkl-haproxy.sh) ;; 4) changeDomain start_menu ;; 5) changeXrayVerify start_menu ;; 0) updateGWD start_menu ;; 00) autoUpdateGWD start_menu ;; 11) printNode start_menu ;; 12) CFspeedTest start_menu ;; 44) changeTCPPF start_menu ;; *) clear echo -e "${RED}Wrong number${cRES}" sleep 1s start_menu ;; esac else echo -e "${BLUE}---------------------------------------------------------------- ${cRES}" echo -e "${BLUE}Debian Version: $(cat /etc/os-release | grep VERSION= | cut -d'(' -f2 | cut -d')' -f1) ${cRES}" echo -e "${BLUE}Kernel: $(uname -r) ${cRES}" echo -e "${BLUE}---------------------------------------------------------------- ${cRES}" echo -e "${BLUE}SSL certificate expires on: $sslExpireDate${cRES}" echo -e "${GREEN}============SERVER============================================== ${cRES}" echo -e "${GREEN} __ _______ ______ ${cRES}" echo -e "${GREEN} ____/ /__ / ____/ | / / __ \ ${cRES}" echo -e "${GREEN} / __ / _ \ / / __ | | /| / / / / / ${cRES}" echo -e "${GREEN}/ /_/ / __/ / /_/ / | |/ |/ / /_/ / ${cRES}" echo -e 
"${GREEN}\__,_/\___/____\____/ |__/|__/_____/ ${cRES}" echo -e "${GREEN} /_____/ ${cRES}" echo echo -e "${GREEN}Require: Debian (amd64 && arm64) ${cRES}" echo -e "${GREEN}Author: JacyL4${cRES}" echo -e "${GREEN}================================================================ ${cRES}" echo echo -e "${GREEN}1. Install de_GWD${cRES}" echo -e "${GREEN}2. Install new kernel and reboot${cRES}" echo -e "${RED}3. Change domain and generate new certificate${cRES}" echo -e "${RED}4. Change Xray path & UUID${cRES}" echo -e "${YELLOW}0. Update de_GWD${cRES}" echo -e "${RED}00.AutoUpdate turn on/off${cRES}" echo -e "${GREEN}11.Print Xray node information${cRES}" echo -e "${GREEN}12.Localhost cloudflare speedtest${cRES}" echo -e "${CYAN}33.Set Cloudflare wireguard upstream (WARP) ${cRES}" echo -e "${CYAN}44.Set TCP Port Forward${cRES}" echo -e "${RED}CTRL+C EXIT${cRES}" echo read -p "Select:" num case "$num" in 1) installGWD start_menu ;; 2) installkernel start_menu ;; 3) changeDomain start_menu ;; 4) changeXrayVerify start_menu ;; 0) updateGWD start_menu ;; 00) autoUpdateGWD start_menu ;; 11) printNode start_menu ;; 12) CFspeedTest start_menu ;; 33) changeWGCF start_menu ;; 44) changeTCPPF start_menu ;; *) clear echo -e "${RED}Wrong number${cRES}" sleep 1s start_menu ;; esac fi } start_menu