174 lines
5.6 KiB
Bash
Executable File
174 lines
5.6 KiB
Bash
Executable File
#!/bin/bash
|
|
# vpn-optimize.sh — полная оптимизация Debian 12 под VPN/X-Ray
|
|
# Сеть (BBR, буферы, бэклог), nofile, лимиты systemd, x-ui override
|
|
|
|
# Запуск: curl -fsSL https://gitea.creative-tg1.ru/CREATIVE_tg1/for-servers/raw/branch/main/server/vpn-optimize.sh | sudo bash
|
|
|
|
set -e
|
|
|
|
LIMIT_NOFILE=65535
|
|
|
|
echo "============================================"
|
|
echo " VPN Server Optimization — Debian 12"
|
|
echo "============================================"
|
|
echo ""
|
|
|
|
# ── 1. Сеть (sysctl) ─────────────────────────────────────
|
|
|
|
echo "[1/4] Сетевые оптимизации (sysctl)..."
|
|
|
|
cat >/etc/sysctl.d/99-vpn-network.conf <<SYSEOF
|
|
#################################################
|
|
# Queueing + Congestion Control
|
|
#################################################
|
|
net.core.default_qdisc = fq
|
|
net.ipv4.tcp_congestion_control = bbr
|
|
|
|
#################################################
|
|
# Socket buffers
|
|
#################################################
|
|
net.core.rmem_default = 262144
|
|
net.core.wmem_default = 262144
|
|
net.core.rmem_max = 16777216
|
|
net.core.wmem_max = 16777216
|
|
|
|
#################################################
|
|
# Network backlog
|
|
#################################################
|
|
net.core.netdev_max_backlog = 250000
|
|
net.core.somaxconn = 4096
|
|
|
|
#################################################
|
|
# TCP buffers
|
|
#################################################
|
|
net.ipv4.tcp_rmem = 4096 87380 16777216
|
|
net.ipv4.tcp_wmem = 4096 65536 16777216
|
|
|
|
#################################################
|
|
# UDP buffers
|
|
#################################################
|
|
net.ipv4.udp_rmem_min = 16384
|
|
net.ipv4.udp_wmem_min = 16384
|
|
|
|
#################################################
|
|
# Security / routing
|
|
#################################################
|
|
net.ipv4.conf.all.accept_redirects = 0
|
|
net.ipv4.conf.default.accept_redirects = 0
|
|
net.ipv4.conf.all.send_redirects = 0
|
|
net.ipv4.conf.default.send_redirects = 0
|
|
|
|
#################################################
|
|
# Keepalive
|
|
#################################################
|
|
net.ipv4.tcp_keepalive_time = 600
|
|
net.ipv4.tcp_keepalive_intvl = 60
|
|
net.ipv4.tcp_keepalive_probes = 10
|
|
|
|
#################################################
|
|
# Ephemeral ports
|
|
#################################################
|
|
net.ipv4.ip_local_port_range = 1024 65535
|
|
|
|
#################################################
|
|
# TCP fastopen (клиент + сервер)
|
|
#################################################
|
|
net.ipv4.tcp_fastopen = 3
|
|
|
|
#################################################
|
|
# TCP TIME_WAIT reuse / recycle
|
|
#################################################
|
|
net.ipv4.tcp_tw_reuse = 1
|
|
|
|
#################################################
|
|
# Максимальное количество открытых сокетов
|
|
#################################################
|
|
net.ipv4.tcp_max_tw_buckets = 2000000
|
|
net.core.optmem_max = 81920
|
|
|
|
#################################################
|
|
# SYN backlog + retries
|
|
#################################################
|
|
net.ipv4.tcp_max_syn_backlog = 8192
|
|
net.ipv4.tcp_syn_retries = 2
|
|
net.ipv4.tcp_synack_retries = 2
|
|
|
|
#################################################
|
|
# TCP keepalive на уровне сокетов
|
|
#################################################
|
|
net.ipv4.tcp_fin_timeout = 15
|
|
SYSEOF
|
|
|
|
sysctl --system >/dev/null 2>&1
|
|
echo " OK"
|
|
|
|
# ── 2. ulimit (root + * ) ────────────────────────────────
|
|
|
|
echo "[2/4] Лимиты файловых дескрипторов (limits.d)..."
|
|
|
|
cat >/etc/security/limits.d/90-nofile.conf <<LIMEOF
|
|
* soft nofile ${LIMIT_NOFILE}
|
|
* hard nofile ${LIMIT_NOFILE}
|
|
root soft nofile ${LIMIT_NOFILE}
|
|
root hard nofile ${LIMIT_NOFILE}
|
|
LIMEOF
|
|
|
|
echo " OK"
|
|
|
|
# ── 3. systemd DefaultLimitNOFILE ────────────────────────
|
|
|
|
echo "[3/4] Лимиты systemd (DefaultLimitNOFILE)..."
|
|
|
|
for conf in /etc/systemd/system.conf /etc/systemd/user.conf; do
|
|
if grep -q "^#DefaultLimitNOFILE=" "$conf" 2>/dev/null; then
|
|
sed -i "s/^#DefaultLimitNOFILE=.*/DefaultLimitNOFILE=${LIMIT_NOFILE}/" "$conf"
|
|
elif ! grep -q "^DefaultLimitNOFILE=" "$conf" 2>/dev/null; then
|
|
echo "DefaultLimitNOFILE=${LIMIT_NOFILE}" >> "$conf"
|
|
else
|
|
sed -i "s/^DefaultLimitNOFILE=.*/DefaultLimitNOFILE=${LIMIT_NOFILE}/" "$conf"
|
|
fi
|
|
done
|
|
|
|
systemctl daemon-reload
|
|
echo " OK"
|
|
|
|
# ── 4. x-ui override (если есть) ─────────────────────────
|
|
|
|
echo "[4/4] Override для x-ui..."
|
|
|
|
mkdir -p /etc/systemd/system/x-ui.service.d
|
|
|
|
cat >/etc/systemd/system/x-ui.service.d/override.conf <<SVDEOF
|
|
[Service]
|
|
LimitNOFILE=${LIMIT_NOFILE}
|
|
SVDEOF
|
|
|
|
systemctl daemon-reload
|
|
|
|
if systemctl is-active --quiet x-ui 2>/dev/null; then
|
|
systemctl restart x-ui
|
|
echo " OK (restarted)"
|
|
else
|
|
echo " OK (x-ui не запущен)"
|
|
fi
|
|
|
|
# ── Итоги ─────────────────────────────────────────────────
|
|
|
|
echo ""
|
|
echo "============================================"
|
|
echo " Итог"
|
|
echo "============================================"
|
|
echo ""
|
|
echo "Сеть:"
|
|
sysctl net.core.default_qdisc
|
|
sysctl net.ipv4.tcp_congestion_control
|
|
echo "Soft ulimit: $(ulimit -Sn)"
|
|
echo "Hard ulimit: $(ulimit -Hn)"
|
|
echo ""
|
|
if systemctl is-active --quiet x-ui 2>/dev/null; then
|
|
echo "x-ui LimitNOFILE: $(systemctl show x-ui | grep ^LimitNOFILE=)"
|
|
fi
|
|
echo ""
|
|
echo "Готово."
|
|
echo "После перезагрузки сессии / машины — ulimit -n покажет ${LIMIT_NOFILE}"
|