From e976c5d31ab227310aa22650a0b3d46cbbd6805f Mon Sep 17 00:00:00 2001
From: Zaicheng Qi
Date: Thu, 18 Jun 2015 18:50:54 +0800
Subject: [PATCH] Implement shadowsocks relay according to the wiki

---
 roles/ss-relay/defaults/main.yml | 4 ++
 roles/ss-relay/files/setup_ss_relay | 16 ++++++++
 roles/ss-relay/handlers/main.yml | 4 ++
 roles/ss-relay/tasks/main.yml | 9 +++++
 roles/ss-relay/tasks/setup_ss_relay.yml | 50 +++++++++++++++++++++++++
 ss-relay.yml | 8 ++++
 6 files changed, 91 insertions(+)
 create mode 100644 roles/ss-relay/defaults/main.yml
 create mode 100755 roles/ss-relay/files/setup_ss_relay
 create mode 100644 roles/ss-relay/handlers/main.yml
 create mode 100644 roles/ss-relay/tasks/main.yml
 create mode 100644 roles/ss-relay/tasks/setup_ss_relay.yml
 create mode 100644 ss-relay.yml

diff --git a/roles/ss-relay/defaults/main.yml b/roles/ss-relay/defaults/main.yml
new file mode 100644
index 0000000..bb29253
--- /dev/null
+++ b/roles/ss-relay/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+ss_relay_src_port: 8839
+ss_relay_dst_ip: 127.0.0.1
+ss_relay_dst_port: 8839
diff --git a/roles/ss-relay/files/setup_ss_relay b/roles/ss-relay/files/setup_ss_relay
new file mode 100755
index 0000000..48d4823
--- /dev/null
+++ b/roles/ss-relay/files/setup_ss_relay
@@ -0,0 +1,16 @@
+#!/bin/sh
+#set -e
+
+IPTABLES="/sbin/iptables"
+
+SS_RELAY_SRC_IP=$1
+SS_RELAY_SRC_PORT=$2
+SS_RELAY_DST_IP=$3
+SS_RELAY_DST_PORT=$4
+
+$IPTABLES -t nat -A PREROUTING -p tcp --dport $SS_RELAY_SRC_PORT -j DNAT --to-destination $SS_RELAY_DST_IP:$SS_RELAY_DST_PORT
+$IPTABLES -t nat -A PREROUTING -p udp --dport $SS_RELAY_SRC_PORT -j DNAT --to-destination $SS_RELAY_DST_IP:$SS_RELAY_DST_PORT
+$IPTABLES -t nat -A POSTROUTING -p tcp -d $SS_RELAY_DST_IP --dport $SS_RELAY_DST_PORT -j SNAT --to-source $SS_RELAY_SRC_IP
+$IPTABLES -t nat -A POSTROUTING -p udp -d $SS_RELAY_DST_IP --dport $SS_RELAY_DST_PORT -j SNAT --to-source $SS_RELAY_SRC_IP
+
+echo "Shadowsocks relay rules are set up"
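Review bot: setup_ss_relay appends with `-A` on every invocation and never checks that its four positional arguments were supplied, so each handler run plus each boot through the rc.local entry stacks duplicate DNAT/SNAT rules, and a missing argument produces a rule with an empty address that iptables rejects while the script still exits 0 because `set -e` is commented out and the final `echo` succeeds. Validate the argument count, enable `set -eu`, quote the expansions, and probe with `iptables -C` before appending so the script is safe to run repeatedly. The rewritten lines are below; the remaining argument assignments and the closing echo are unchanged.
```shell
#!/bin/sh
set -eu

IPTABLES="/sbin/iptables"

if [ "$#" -ne 4 ]; then
    echo "usage: $0 SRC_IP SRC_PORT DST_IP DST_PORT" >&2
    exit 1
fi

SS_RELAY_SRC_IP="$1"
# … unchanged: remaining argument assignments …

# -C reports whether an identical rule already exists, so repeated runs
# (handler, rc.local at boot) do not append duplicates.
add_rule() {
    "$IPTABLES" -t nat -C "$@" 2>/dev/null || "$IPTABLES" -t nat -A "$@"
}

add_rule PREROUTING -p tcp --dport "$SS_RELAY_SRC_PORT" -j DNAT --to-destination "$SS_RELAY_DST_IP:$SS_RELAY_DST_PORT"
add_rule PREROUTING -p udp --dport "$SS_RELAY_SRC_PORT" -j DNAT --to-destination "$SS_RELAY_DST_IP:$SS_RELAY_DST_PORT"
add_rule POSTROUTING -p tcp -d "$SS_RELAY_DST_IP" --dport "$SS_RELAY_DST_PORT" -j SNAT --to-source "$SS_RELAY_SRC_IP"
add_rule POSTROUTING -p udp -d "$SS_RELAY_DST_IP" --dport "$SS_RELAY_DST_PORT" -j SNAT --to-source "$SS_RELAY_SRC_IP"
# … unchanged: final echo …
```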
diff --git a/roles/ss-relay/handlers/main.yml b/roles/ss-relay/handlers/main.yml
new file mode 100644
index 0000000..23a6bf7
--- /dev/null
+++ b/roles/ss-relay/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: setup ss relay
+ command: "/opt/ss-relay/setup_ss_relay {{ ansible_default_ipv4.address }} {{ ss_relay_src_port }} {{ ss_relay_dst_ip }} {{ ss_relay_dst_port }}"
+ tags:
+ - ss-relay
diff --git a/roles/ss-relay/tasks/main.yml b/roles/ss-relay/tasks/main.yml
new file mode 100644
index 0000000..db233e6
--- /dev/null
+++ b/roles/ss-relay/tasks/main.yml
@@ -0,0 +1,9 @@
+---
+# shadowsocks relay server
+
+- name: ensure working dir exists
+ action: file path=/opt/ss-relay/ state=directory
+ tags:
+ - ss-relay
+
+- include: setup_ss_relay.yml
diff --git a/roles/ss-relay/tasks/setup_ss_relay.yml b/roles/ss-relay/tasks/setup_ss_relay.yml
new file mode 100644
index 0000000..0eedf13
--- /dev/null
+++ b/roles/ss-relay/tasks/setup_ss_relay.yml
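Review bot: The `setup ss relay` handler is only notified by the task that copies the script, so changing `ss_relay_src_port`, `ss_relay_dst_ip` or `ss_relay_dst_port` in the inventory does not fire it and the running NAT rules stay stale until the next reboot picks up the rc.local line. The lineinfile task in setup_ss_relay.yml does report a change when those variables change, so adding `notify: - setup ss relay` to that task would re-apply the rules whenever the arguments differ; the script must then tolerate being run more than once, which as written (plain `-A`) it does not. The interpolated `ansible_default_ipv4.address` also depends on fact gathering being enabled for the play, which holds by default but is worth a comment on the handler.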
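Review bot: `action: file path=/opt/ss-relay/ state=directory` in the `ensure working dir exists` task uses the legacy `action:` key=value form while the rest of the role calls modules by name, and it leaves the directory's mode implicit even though the script placed there is later executed from rc.local as root. Name the module directly and make the mode explicit, `file: path=/opt/ss-relay state=directory mode=0755`, or better the native YAML form with `path`, `state` and `mode` as nested keys so linters can check the values.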
@@ -0,0 +1,50 @@
+# Shadowsocks relay https://github.com/shadowsocks/shadowsocks/wiki/Setup-a-Shadowsocks-relay with both udp and tcp
+# setup nat rules
+- name: upload setup_ss_relay script
+ copy: src=setup_ss_relay
+ dest=/opt/ss-relay/setup_ss_relay
+ mode=755
+ notify:
+ - setup ss relay
+ tags: ss-relay
+
+# ensure rules are loaded when booting up
+- name: make sure setup_ss_relay is in rc.local
+ lineinfile: dest=/etc/rc.local
+ insertafter="^#"
+ regexp="/opt/ss-relay/setup_ss_relay"
+ line="/opt/ss-relay/setup_ss_relay {{ ansible_default_ipv4.address }} {{ ss_relay_src_port }} {{ ss_relay_dst_ip }} {{ ss_relay_dst_port }}"
+ state=present
+ tags: ss-relay
+
+# see https://github.com/clowwindy/shadowsocks/wiki/Optimizing-Shadowsocks
+- name: update sysctl for performance
+ sysctl: name="{{ item.name }}" value="{{ item.value }}" state=present reload=yes
+ with_items:
+ - {"name" : "fs.file-max", "value" : "51200"}
+ - {"name" : "net.core.rmem_max", "value" : "67108864 "}
+ - {"name" : "net.core.wmem_max", "value" : "67108864 "}
+ - {"name" : "net.core.netdev_max_backlog", "value" : "250000"}
+ - {"name" : "net.core.somaxconn", "value" : "3240000"}
+ - {"name" : "net.ipv4.tcp_syncookies", "value" : "1"}
+ - {"name" : "net.ipv4.tcp_tw_reuse", "value" : "1"}
+ - {"name" : "net.ipv4.tcp_tw_recycle", "value" : "0"}
+ - {"name" : "net.ipv4.tcp_fin_timeout", "value" : "30"}
+ - {"name" : "net.ipv4.tcp_keepalive_time", "value" : "1200"}
+ - {"name" : "net.ipv4.ip_local_port_range", "value" : "10000 65000"}
+ - {"name" : "net.ipv4.tcp_max_syn_backlog", "value" : "8192"}
+ - {"name" : "net.ipv4.tcp_max_tw_buckets", "value" : "5000"}
+ - {"name" : "net.ipv4.tcp_fastopen", "value" : "3"}
+ - {"name" : "net.ipv4.tcp_rmem", "value" : "4096 87380 67108864"}
+ - {"name" : "net.ipv4.tcp_wmem", "value" : "4096 65536 67108864"}
+ - {"name" : "net.ipv4.tcp_mtu_probing", "value" : "1"}
+ tags:
+ - ss-relay
+
+- name: enable ip forwarding
+ sysctl: name="{{ item.name }}" value="{{ item.value }}" state=present reload=yes
+ with_items:
+ - {"name" : "net.ipv4.ip_forward", "value" : "1"}
+ tags:
+ - ss-relay
+
diff --git a/ss-relay.yml b/ss-relay.yml
new file mode 100644
index 0000000..13b9744
--- /dev/null
+++ b/ss-relay.yml
@@ -0,0 +1,8 @@
+---
+# shadowsocks relay
+# https://github.com/shadowsocks/shadowsocks/wiki/Setup-a-Shadowsocks-relay
+
+- hosts: ss-relay
+
+ roles:
+ - ss-relay
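Review bot: The `net.core.rmem_max` and `net.core.wmem_max` entries in the `update sysctl for performance` item list carry a trailing space inside the value (`"67108864 "`), which is passed through to the sysctl module as part of the value and is likely to defeat its change detection, so the task can report changed on every run and write the stray space into the managed sysctl file; drop it: `- {"name" : "net.core.rmem_max", "value" : "67108864"}` and the same for wmem_max. In the `upload setup_ss_relay script` task, `mode=755` should be written `mode=0755` so it reads unambiguously as octal across Ansible versions. The `enable ip forwarding` task loops over a single item and would be clearer as `sysctl: name=net.ipv4.ip_forward value=1 state=present reload=yes`; the `"name" : "..."` spacing before the colon in the flow mappings is legal but unusual and worth normalising to `name: ...` when the file is next touched.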
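Review bot: The `- hosts: ss-relay` play declares no privilege escalation, yet the role edits /etc/rc.local, runs /sbin/iptables and changes sysctl, all of which need root; unless the playbook is always run with the sudo option on the command line, add `become: true` (or `sudo: yes` on Ansible releases before 1.9) beneath the `hosts` line. The header comment would also benefit from stating what the play does to the host, for example `# turns this host into a TCP/UDP forwarder on ss_relay_src_port; the PREROUTING rule has no source restriction, so limit reachability at the network edge if needed`, so operators reading only the playbook understand the exposure.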