From 96d50509bc81cafd7c1ab228eef4a06dbb2384e6 Mon Sep 17 00:00:00 2001
From: "oleg.vodyanov91@gmail.com"
Date: Sun, 25 May 2025 00:47:39 +0400
Subject: [PATCH] add vpn role
---
 ansible/roles/vpn/files/shadosocks | 9 ++
 ansible/roles/vpn/files/shadowsocks.service | 12 ++
 ansible/roles/vpn/tasks/main.yml | 24 ++++
 ansible/roles/vpn/templates/script.sh | 143 ++++++++++++++++++++
 ansible/vpn.yml | 7 +
 5 files changed, 195 insertions(+)
 create mode 100644 ansible/roles/vpn/files/shadosocks
 create mode 100644 ansible/roles/vpn/files/shadowsocks.service
 create mode 100644 ansible/roles/vpn/tasks/main.yml
 create mode 100644 ansible/roles/vpn/templates/script.sh
 create mode 100644 ansible/vpn.yml
diff --git a/ansible/roles/vpn/files/shadosocks b/ansible/roles/vpn/files/shadosocks
new file mode 100644
index 0000000..132a3c5
--- /dev/null
+++ b/ansible/roles/vpn/files/shadosocks
@@ -0,0 +1,9 @@
+/var/log/ss-redir.log
+{
+ daily
+ missingok
+ rotate 1
+ compress
+ notifempty
+ copytruncate
+}
\ No newline at end of file
diff --git a/ansible/roles/vpn/files/shadowsocks.service b/ansible/roles/vpn/files/shadowsocks.service
new file mode 100644
index 0000000..ead3e86
--- /dev/null
+++ b/ansible/roles/vpn/files/shadowsocks.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Shadowsocks TProxy Setup
+After=network.target
+Wants=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/home/ovodianov/script.sh restart
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/ansible/roles/vpn/tasks/main.yml b/ansible/roles/vpn/tasks/main.yml
new file mode 100644
index 0000000..e403f0f
--- /dev/null
+++ b/ansible/roles/vpn/tasks/main.yml
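Review bot: The file name `shadosocks` drops the "w" from shadowsocks, and the same spelling is repeated in the copy loop of tasks/main.yml, so every host ends up with /etc/logrotate.d/shadosocks; renaming it to `shadowsocks` in both places now avoids a confusing entry later. The directives themselves fit a log that the script truncates with a `>` redirect, which is the case `copytruncate` is meant for.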
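Review bot: `ExecStart=/home/ovodianov/script.sh restart` points at a user home directory, but the role in this same commit renders the script to `/root/` with mode 0600, so on a deployed host the unit fails on both the path and the missing execute bit. Running it through the interpreter at the deployed location, `ExecStart=/bin/bash /root/script.sh restart`, fixes both without changing the role. With `RemainAfterExit=yes` and no `ExecStop=`, `systemctl stop shadowsocks` also leaves the TPROXY rules, the fwmark policy route and the rewritten resolv.conf in place while the proxy may be gone; adding `ExecStop=/bin/bash /root/script.sh stop` makes stop actually tear the redirect down.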
@@ -0,0 +1,24 @@
+---
+- name: install shadowsocks
+ apt:
+ name: "{{ item }}"
+ state: present
+ loop:
+ - shadowsocks-libev
+
+- name: copy configs
+ copy:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ owner: root
+ group: root
+ mode: "{{ item.mode }}"
+ loop:
+ - { src: 'shadowsocks.service', dest: '/etc/systemd/system/', mode: '0600' }
+ - { src: 'shadosocks', dest: '/etc/logrotate.d/', mode: '0644' }
+
+- name: copy shadowsocks redirect script
+ template:
+ src: script.sh
+ dest: /root/
+ mode: '0600'
\ No newline at end of file
diff --git a/ansible/roles/vpn/templates/script.sh b/ansible/roles/vpn/templates/script.sh
new file mode 100644
index 0000000..5f4a100
--- /dev/null
+++ b/ansible/roles/vpn/templates/script.sh
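Review bot: The unit file is copied into /etc/systemd/system/ but no task reloads systemd or enables and starts the service, so after the play the redirect is not active until someone runs daemon-reload and enable by hand. The script is also templated to `/root/` with mode `0600`, which has no execute bit, and the unit's ExecStart names a different path, so the two halves of the role do not meet; either render the script to the path the unit uses with mode `0700`, or keep 0600 and have the unit invoke it through `/bin/bash`. A `systemd` task at the end of the role closes the first gap:
```yaml
- name: enable and start shadowsocks tproxy unit
  systemd:
    name: shadowsocks
    daemon_reload: true
    enabled: true
    state: started
```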
@@ -0,0 +1,143 @@
+#!/bin/bash
+
+start_ssredir() {
+ # please modify MyIP, MyPort, etc.
+ (ss-redir -s {{ vpn_ip }} -p {{ vpn_port }} -m chacha20-ietf-poly1305 -k {{ vpn_passwd }} -b 127.0.0.1 -l {{ vpn_dst_port }} --no-delay -u -T -v >/var/log/ss-redir.log &)
+}
+
+stop_ssredir() {
+ kill -9 $(pidof ss-redir) &>/dev/null
+}
+
+start_iptables() {
+ ##################### SSREDIR #####################
+ iptables -t mangle -N SSREDIR
+
+ # connection-mark -> packet-mark
+ iptables -t mangle -A SSREDIR -j CONNMARK --restore-mark
+ iptables -t mangle -A SSREDIR -m mark --mark 0x2333 -j RETURN
+
+ # please modify MyIP, MyPort, etc.
+ # ignore traffic sent to ss-server
+ iptables -t mangle -A SSREDIR -p tcp -d {{ vpn_ip }} --dport {{ vpn_port }} -j RETURN
+ iptables -t mangle -A SSREDIR -p udp -d {{ vpn_ip }} --dport {{ vpn_port }} -j RETURN
+
+ # ignore traffic sent to reserved addresses
+ iptables -t mangle -A SSREDIR -d 0.0.0.0/8 -j RETURN
+ iptables -t mangle -A SSREDIR -d 10.0.0.0/8 -j RETURN
+ iptables -t mangle -A SSREDIR -d 100.64.0.0/10 -j RETURN
+ iptables -t mangle -A SSREDIR -d 127.0.0.0/8 -j RETURN
+ iptables -t mangle -A SSREDIR -d 169.254.0.0/16 -j RETURN
+ iptables -t mangle -A SSREDIR -d 172.16.0.0/12 -j RETURN
+ iptables -t mangle -A SSREDIR -d 192.0.0.0/24 -j RETURN
+ iptables -t mangle -A SSREDIR -d 192.0.2.0/24 -j RETURN
+ iptables -t mangle -A SSREDIR -d 192.88.99.0/24 -j RETURN
+ iptables -t mangle -A SSREDIR -d 192.168.0.0/16 -j RETURN
+ iptables -t mangle -A SSREDIR -d 198.18.0.0/15 -j RETURN
+ iptables -t mangle -A SSREDIR -d 198.51.100.0/24 -j RETURN
+ iptables -t mangle -A SSREDIR -d 203.0.113.0/24 -j RETURN
+ iptables -t mangle -A SSREDIR -d 224.0.0.0/4 -j RETURN
+ iptables -t mangle -A SSREDIR -d 240.0.0.0/4 -j RETURN
+ iptables -t mangle -A SSREDIR -d 255.255.255.255/32 -j RETURN
+
+ # mark the first packet of the connection
+ iptables -t mangle -A SSREDIR -p tcp --syn -j MARK --set-mark 0x2333
+ iptables -t mangle -A SSREDIR -p udp -m conntrack --ctstate NEW -j MARK --set-mark 0x2333
+
+ # packet-mark -> connection-mark
+ iptables -t mangle -A SSREDIR -j CONNMARK --save-mark
+
+ ##################### OUTPUT #####################
+ # proxy the outgoing traffic from this machine
+ iptables -t mangle -A OUTPUT -p tcp -m addrtype --src-type LOCAL ! --dst-type LOCAL -j SSREDIR
+ iptables -t mangle -A OUTPUT -p udp -m addrtype --src-type LOCAL ! --dst-type LOCAL -j SSREDIR
+
+ ##################### PREROUTING #####################
+ # proxy traffic passing through this machine (other->other)
+ iptables -t mangle -A PREROUTING -p tcp -m addrtype ! --src-type LOCAL ! --dst-type LOCAL -j SSREDIR
+ iptables -t mangle -A PREROUTING -p udp -m addrtype ! --src-type LOCAL ! --dst-type LOCAL -j SSREDIR
+
+ # hand over the marked package to TPROXY for processing
+ iptables -t mangle -A PREROUTING -p tcp -m mark --mark 0x2333 -j TPROXY --on-ip 127.0.0.1 --on-port 60080
+ iptables -t mangle -A PREROUTING -p udp -m mark --mark 0x2333 -j TPROXY --on-ip 127.0.0.1 --on-port 60080
+}
+
+stop_iptables() {
+ ##################### PREROUTING #####################
+ iptables -t mangle -D PREROUTING -p tcp -m mark --mark 0x2333 -j TPROXY --on-ip 127.0.0.1 --on-port 60080 &>/dev/null
+ iptables -t mangle -D PREROUTING -p udp -m mark --mark 0x2333 -j TPROXY --on-ip 127.0.0.1 --on-port 60080 &>/dev/null
+
+ iptables -t mangle -D PREROUTING -p tcp -m addrtype ! --src-type LOCAL ! --dst-type LOCAL -j SSREDIR &>/dev/null
+ iptables -t mangle -D PREROUTING -p udp -m addrtype ! --src-type LOCAL ! --dst-type LOCAL -j SSREDIR &>/dev/null
+
+ ##################### OUTPUT #####################
+ iptables -t mangle -D OUTPUT -p tcp -m addrtype --src-type LOCAL ! --dst-type LOCAL -j SSREDIR &>/dev/null
+ iptables -t mangle -D OUTPUT -p udp -m addrtype --src-type LOCAL ! --dst-type LOCAL -j SSREDIR &>/dev/null
+
+ ##################### SSREDIR #####################
+ iptables -t mangle -F SSREDIR &>/dev/null
+ iptables -t mangle -X SSREDIR &>/dev/null
+}
+
+start_iproute2() {
+ ip route add local default dev lo table 100
+ ip rule add fwmark 0x2333 table 100
+}
+
+stop_iproute2() {
+ ip rule del table 100 &>/dev/null
+ ip route flush table 100 &>/dev/null
+}
+
+start_resolvconf() {
+ # or nameserver 8.8.8.8, etc.
+ echo "nameserver 8.8.8.8" >/etc/resolv.conf
+}
+
+stop_resolvconf() {
+ echo "nameserver 114.114.114.114" >/etc/resolv.conf
+}
+
+start() {
+ echo "start ..."
+ start_ssredir
+ start_iptables
+ start_iproute2
+ start_resolvconf
+ echo "start end"
+}
+
+stop() {
+ echo "stop ..."
+ stop_resolvconf
+ stop_iproute2
+ stop_iptables
+ stop_ssredir
+ echo "stop end"
+}
+
+restart() {
+ stop
+ sleep 1
+ start
+}
+
+main() {
+ if [ $# -eq 0 ]; then
+ echo "usage: $0 start|stop|restart ..."
+ return 1
+ fi
+
+ for funcname in "$@"; do
+ if [ "$(type -t $funcname)" != 'function' ]; then
+ echo "'$funcname' not a shell function"
+ return 1
+ fi
+ done
+
+ for funcname in "$@"; do
+ $funcname
+ done
+ return 0
+}
+main "$@"
\ No newline at end of file
diff --git a/ansible/vpn.yml b/ansible/vpn.yml
new file mode 100644
index 0000000..ed25522
--- /dev/null
+++ b/ansible/vpn.yml
@@ -0,0 +1,7 @@
+---
+- hosts: vpn
+ become: true
+ vars_files:
+ - /Users/o.vodianov/Documents/home.lab.local/vars.yml
+ roles:
+ - vpn
\ No newline at end of file
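Review bot: The TPROXY rules in start_iptables and stop_iptables hard-code `--on-port 60080`, while ss-redir is started with `-l {{ vpn_dst_port }}`, so marked traffic only reaches the proxy when that variable happens to be 60080; replacing the literal in all four rules with `{{ vpn_dst_port }}` lets the template keep both sides in sync. The pre-shared key is also passed as `-k {{ vpn_passwd }}` on the command line, which exposes it in the process list to every local user; ss-redir reads a JSON config via `-c`, so rendering the key into a root-only config file and pointing the script at it keeps it out of argv. start_resolvconf and stop_resolvconf overwrite /etc/resolv.conf with fixed public resolvers and `stop` never restores what was there, so a stop leaves the host using 114.114.114.114 rather than its original DNS; saving a copy on start and restoring it on stop would make the teardown symmetric. Finally, stop_ssredir sends SIGKILL straight away; a plain `kill $(pidof ss-redir)` gives ss-redir the chance to exit cleanly, and `start_iptables` appends rules unconditionally, so running `start` twice without a `stop` duplicates every rule.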
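Review bot: `vars_files` references an absolute path under one person's macOS home (`/Users/o.vodianov/...`), so the play only runs from that controller account; a path relative to the playbook such as `- vars.yml`, or a `group_vars/vpn.yml`, works from any checkout. That file is presumably where `vpn_passwd` (consumed by the script template) comes from, so it should be kept out of the repository or encrypted with ansible-vault rather than referenced as plain YAML.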