Merge branch 'dev' into support_podman

2025-03-14 16:57:02 +04:00 · 2025-03-14 16:57:02 +04:00 · 9b695df78d
commit 9b695df78d
parent edee3fec10 9dea98f020
696 changed files with 38920 additions and 16680 deletions
--- a/client/server_scripts/awg/configure_container.sh
+++ b/client/server_scripts/awg/configure_container.sh
@ -12,7 +12,7 @@ echo $WIREGUARD_PSK > /opt/amnezia/awg/wireguard_psk.key
 cat > /opt/amnezia/awg/wg0.conf <<EOF
 [Interface]
 PrivateKey = $WIREGUARD_SERVER_PRIVATE_KEY
-Address = $WIREGUARD_SUBNET_IP/$WIREGUARD_SUBNET_CIDR
+Address = $AWG_SUBNET_IP/$WIREGUARD_SUBNET_CIDR
 ListenPort = $AWG_SERVER_PORT
 Jc = $JUNK_PACKET_COUNT
 Jmin = $JUNK_PACKET_MIN_SIZE
--- a/client/server_scripts/awg/start.sh
+++ b/client/server_scripts/awg/start.sh
@ -17,12 +17,12 @@ iptables -A FORWARD -i wg0 -j ACCEPT
 iptables -A OUTPUT -o wg0 -j ACCEPT

 # Allow forwarding traffic only from the VPN.
-iptables -A FORWARD -i wg0 -o eth0 -s $WIREGUARD_SUBNET_IP/$WIREGUARD_SUBNET_CIDR -j ACCEPT
-iptables -A FORWARD -i wg0 -o eth1 -s $WIREGUARD_SUBNET_IP/$WIREGUARD_SUBNET_CIDR -j ACCEPT
+iptables -A FORWARD -i wg0 -o eth0 -s $AWG_SUBNET_IP/$WIREGUARD_SUBNET_CIDR -j ACCEPT
+iptables -A FORWARD -i wg0 -o eth1 -s $AWG_SUBNET_IP/$WIREGUARD_SUBNET_CIDR -j ACCEPT

 iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

-iptables -t nat -A POSTROUTING -s $WIREGUARD_SUBNET_IP/$WIREGUARD_SUBNET_CIDR -o eth0 -j MASQUERADE
-iptables -t nat -A POSTROUTING -s $WIREGUARD_SUBNET_IP/$WIREGUARD_SUBNET_CIDR -o eth1 -j MASQUERADE
+iptables -t nat -A POSTROUTING -s $AWG_SUBNET_IP/$WIREGUARD_SUBNET_CIDR -o eth0 -j MASQUERADE
+iptables -t nat -A POSTROUTING -s $AWG_SUBNET_IP/$WIREGUARD_SUBNET_CIDR -o eth1 -j MASQUERADE

 tail -f /dev/null
--- a/client/server_scripts/install_docker.sh
+++ b/client/server_scripts/install_docker.sh
@ -24,9 +24,12 @@ if [ -n "$(sudo docker --version 2>&1 | grep moby-engine)" ]; then echo "Docker
 elif [ -n "$(sudo docker --version 2>&1 | grep podman)" ]; then check_srv="podman.socket podman"; docker_pkg="podman-docker";\
  if [ -n "$(sudo docker --version 2>&1 | grep /etc/containers/nodocker)" ]; then sudo touch /etc/containers/nodocker; fi;\
 fi;\
+if [ "$(cat /sys/module/apparmor/parameters/enabled 2>/dev/null)" = "Y" ]; then \
+  if ! command -v apparmor_parser > /dev/null 2>&1; then sudo $pm $check_pkgs; sudo $pm $silent_inst apparmor; fi;\
+fi;\
 if [ "$(systemctl is-active $check_srv | head -n1)" != "active" ]; then \
  sudo $pm $check_pkgs; sudo $pm $silent_inst $docker_pkg;\
  sleep 5; sudo systemctl start $check_srv; sleep 5;\
  if [ "$(systemctl is-active $check_srv | head -n1)" != "active" ]; then echo "Failed to status docker"; echo "command not found"; exit 1; fi;\
 fi;\
-sudo docker --version
+sudo docker --version
--- a/client/server_scripts/ipsec/configure_container.sh
+++ b/client/server_scripts/ipsec/configure_container.sh
@ -33,14 +33,14 @@ conn shared
  right=%any
  encapsulation=yes
  authby=secret
-  pfs=no
+  pfs=yes
  rekey=no
  keyingtries=5
  dpddelay=30
  dpdtimeout=120
  dpdaction=clear
  ikev2=never
-  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
+  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp2048,aes128-sha1;modp2048
  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
  ikelifetime=24h
  salifetime=24h
@ -244,9 +244,9 @@ conn ikev2-cp
  auto=add
  ikev2=insist
  rekey=no
-  pfs=no
-  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
-  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
+  pfs=yes
+  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp2048,aes128-sha1;modp2048
+  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
  ikelifetime=24h
  salifetime=24h
  encapsulation=yes
--- a/client/server_scripts/xray/configure_container.sh
+++ b/client/server_scripts/xray/configure_container.sh
@ -29,7 +29,7 @@ cat > /opt/amnezia/xray/server.json <<EOF
    },
    "inbounds": [
        {
-            "port": 443,
+            "port": $XRAY_SERVER_PORT,
            "protocol": "vless",
            "settings": {
                "clients": [
--- a/client/server_scripts/xray/run_container.sh
+++ b/client/server_scripts/xray/run_container.sh
@ -4,7 +4,7 @@ sudo docker run -d \
 --log-driver none \
 --restart always \
 --cap-add=NET_ADMIN \
-p 443:443/tcp \
+-p $XRAY_SERVER_PORT:$XRAY_SERVER_PORT/tcp \
 --name $CONTAINER_NAME $CONTAINER_NAME

 sudo docker network connect amnezia-dns-net $CONTAINER_NAME
@ -13,5 +13,5 @@ sudo docker network connect amnezia-dns-net $CONTAINER_NAME
 sudo docker exec -i $CONTAINER_NAME bash -c 'mkdir -p /dev/net; if [ ! -c /dev/net/tun ]; then mknod /dev/net/tun c 10 200; fi'

 # Prevent to route packets outside of the container in case if server behind of the NAT
-sudo docker exec -i $CONTAINER_NAME sh -c "ifconfig eth0:0 $SERVER_IP_ADDRESS netmask 255.255.255.255 up"
+#sudo docker exec -i $CONTAINER_NAME sh -c "ifconfig eth0:0 $SERVER_IP_ADDRESS netmask 255.255.255.255 up"

--- a/client/server_scripts/xray/start.sh
+++ b/client/server_scripts/xray/start.sh
@ -3,7 +3,7 @@
 # This scripts copied from Amnezia client to Docker container to /opt/amnezia and launched every time container starts

 echo "Container startup"
-ifconfig eth0:0 $SERVER_IP_ADDRESS netmask 255.255.255.255 up
+#ifconfig eth0:0 $SERVER_IP_ADDRESS netmask 255.255.255.255 up

 iptables -A INPUT -i lo -j ACCEPT
 iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
--- a/client/server_scripts/xray/template.json
+++ b/client/server_scripts/xray/template.json
@ -19,7 +19,7 @@
                "vnext": [
                    {
                        "address": "$SERVER_IP_ADDRESS",
-                        "port": 443,
+                        "port": $XRAY_SERVER_PORT,
                        "users": [
                            {
                                "id": "$XRAY_CLIENT_ID",