Implement shadowsocks relay according to the wiki

roles/ss-relay/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+ss_relay_src_port: 8839
+ss_relay_dst_ip: 127.0.0.1
+ss_relay_dst_port: 8839

roles/ss-relay/files/setup_ss_relay

@@ -0,0 +1,16 @@
+#!/bin/sh
+#set -e
+
+IPTABLES="/sbin/iptables"
+
+SS_RELAY_SRC_IP=$1 
+SS_RELAY_SRC_PORT=$2
+SS_RELAY_DST_IP=$3
+SS_RELAY_DST_PORT=$4
+
+$IPTABLES -t nat -A PREROUTING -p tcp --dport $SS_RELAY_SRC_PORT -j DNAT --to-destination $SS_RELAY_DST_IP:$SS_RELAY_DST_PORT
+$IPTABLES -t nat -A PREROUTING -p udp --dport $SS_RELAY_SRC_PORT -j DNAT --to-destination $SS_RELAY_DST_IP:$SS_RELAY_DST_PORT
+$IPTABLES -t nat -A POSTROUTING -p tcp -d $SS_RELAY_DST_IP --dport $SS_RELAY_DST_PORT -j SNAT --to-source $SS_RELAY_SRC_IP
+$IPTABLES -t nat -A POSTROUTING -p udp -d $SS_RELAY_DST_IP --dport $SS_RELAY_DST_PORT -j SNAT --to-source $SS_RELAY_SRC_IP
+
+echo "Shadowsocks relay rules are set up"

roles/ss-relay/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: setup ss relay
+  command: "/opt/ss-relay/setup_ss_relay {{ ansible_default_ipv4.address }} {{ ss_relay_src_port }} {{ ss_relay_dst_ip }} {{ ss_relay_dst_port }}"
+  tags:
+    - ss-relay

roles/ss-relay/tasks/main.yml

@@ -0,0 +1,9 @@
+---
+# shadowsocks relay server
+
+- name: ensure working dir exists
+  action: file path=/opt/ss-relay/ state=directory
+  tags:
+    - ss-relay
+
+- include: setup_ss_relay.yml

roles/ss-relay/tasks/setup_ss_relay.yml

@@ -0,0 +1,50 @@
+# Shadowsocks relay https://github.com/shadowsocks/shadowsocks/wiki/Setup-a-Shadowsocks-relay with both udp and tcp
+# setup nat rules
+- name: upload setup_ss_relay script
+  copy: src=setup_ss_relay
+        dest=/opt/ss-relay/setup_ss_relay
+        mode=755
+  notify:
+    - setup ss relay
+  tags: ss-relay
+
+# ensure rules are loaded when booting up
+- name: make sure setup_ss_relay is in rc.local
+  lineinfile: dest=/etc/rc.local 
+              insertafter="^#" 
+              regexp="/opt/ss-relay/setup_ss_relay" 
+              line="/opt/ss-relay/setup_ss_relay {{ ansible_default_ipv4.address }} {{ ss_relay_src_port }} {{ ss_relay_dst_ip }} {{ ss_relay_dst_port }}"
+              state=present
+  tags: ss-relay
+
+# see https://github.com/clowwindy/shadowsocks/wiki/Optimizing-Shadowsocks
+- name: update sysctl for performance
+  sysctl: name="{{ item.name }}" value="{{ item.value }}" state=present reload=yes
+  with_items:
+    - {"name" : "fs.file-max", "value" : "51200"}
+    - {"name" : "net.core.rmem_max", "value" : "67108864 "}
+    - {"name" : "net.core.wmem_max", "value" : "67108864 "}
+    - {"name" : "net.core.netdev_max_backlog", "value" : "250000"}
+    - {"name" : "net.core.somaxconn", "value" : "3240000"}
+    - {"name" : "net.ipv4.tcp_syncookies", "value" : "1"}
+    - {"name" : "net.ipv4.tcp_tw_reuse", "value" : "1"}
+    - {"name" : "net.ipv4.tcp_tw_recycle", "value" : "0"}
+    - {"name" : "net.ipv4.tcp_fin_timeout", "value" : "30"}
+    - {"name" : "net.ipv4.tcp_keepalive_time", "value" : "1200"}
+    - {"name" : "net.ipv4.ip_local_port_range", "value" : "10000 65000"}
+    - {"name" : "net.ipv4.tcp_max_syn_backlog", "value" : "8192"}
+    - {"name" : "net.ipv4.tcp_max_tw_buckets", "value" : "5000"}
+    - {"name" : "net.ipv4.tcp_fastopen", "value" : "3"}
+    - {"name" : "net.ipv4.tcp_rmem", "value" : "4096 87380 67108864"}
+    - {"name" : "net.ipv4.tcp_wmem", "value" : "4096 65536 67108864"}
+    - {"name" : "net.ipv4.tcp_mtu_probing", "value" : "1"}
+  tags:
+    - ss-relay
+
+- name: enable ip forwarding
+  sysctl: name="{{ item.name }}" value="{{ item.value }}" state=present reload=yes
+  with_items:
+    - {"name" : "net.ipv4.ip_forward", "value" : "1"}
+  tags:
+    - ss-relay
+

ss-relay.yml

@@ -0,0 +1,8 @@
+---
+# shadowsocks relay
+# https://github.com/shadowsocks/shadowsocks/wiki/Setup-a-Shadowsocks-relay
+
+- hosts: ss-relay
+
+  roles:
+    - ss-relay