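#!/bin/sh
# =================================================================
# 🚀 ImmortalWrt fully automatic setup (single-arm / dual-arm router)
# The firewall rule does not depend on a source zone: it matches the
# source IP range directly, so it works whether or not a WAN interface
# is bound to a zone.
# =================================================================
#
# Steps:
#   0) firewall rule: Tailscale CGNAT range -> this router (INPUT)
#   1) package index refresh + download tooling
#   2) install every package in APPS, aborting on the first failure
#   3) enable BBR through /etc/sysctl.conf and verify it took effect
#
# Target is busybox ash on ImmortalWrt/OpenWrt (apk or opkg), run as
# root. POSIX sh only; no set -e, every critical step is checked
# explicitly through check_step or an if/else.

# ANSI colour codes, expanded once here so every later message can be
# written with printf '%s' (no echo -e, no data in a printf format).
GREEN=$(printf '\033[0;32m')
YELLOW=$(printf '\033[1;33m')
RED=$(printf '\033[0;31m')
NC=$(printf '\033[0m')

# Packages for step 2, space separated; the for loop below relies on
# word-splitting this value.
APPS="luci-theme-argon luci-app-argon-config luci-i18n-argon-config-zh-cn luci-app-commands luci-i18n-commands-zh-cn kmod-wireguard wireguard-tools luci-proto-wireguard kmod-tcp-bbr"

# Tailscale's CGNAT range and the router-local ports opened to it.
# Note: this trusts the whole range, i.e. every node that can reach the
# router over the tailnet, not one specific peer.
TS_NET='100.64.0.0/10'
TS_PORTS='22 80 443'

printf '%s\n' "${YELLOW}>>> 启动配置 (万能版)... ${NC}"

# --- 0. Environment detection ---------------------------------------
# PM          package manager name ("apk" or "opkg")
# INSTALL_CMD install command, expanded unquoted later (two words)
# UPDATE_CMD  index refresh command, expanded unquoted later
PM=""; INSTALL_CMD=""; UPDATE_CMD=""
if command -v apk >/dev/null 2>&1; then
  PM="apk"; INSTALL_CMD="apk add"; UPDATE_CMD="apk update"
  printf '%s\n' "📦 环境: ${GREEN}APK (ImmortalWrt 25+)${NC}"
elif command -v opkg >/dev/null 2>&1; then
  PM="opkg"; INSTALL_CMD="opkg install"; UPDATE_CMD="opkg update"
  printf '%s\n' "📦 环境: ${GREEN}OPKG${NC}"
else
  printf '%s\n' "${RED}❌ 未知系统${NC}"
  exit 1
fi

#######################################
# Report the exit status of the command that ran immediately before
# this call and abort the script if it was non-zero.
# Arguments: $1 - step label shown in the message
# Outputs:   one success or failure line on stdout (plus a blank line
#            on success)
# Exits:     1 when the preceding command failed
#######################################
check_step() {
  rc=$?   # must stay the first statement: it is the caller's status
  if [ "$rc" -ne 0 ]; then
    printf '%s\n' "${RED}❌ [$1] 失败${NC}"
    exit 1
  fi
  printf '%s\n' "${GREEN}✅ [$1] 成功${NC}"
  printf '\n'
}

# =================================================================
# 🛡️ Step 0: the zone-independent firewall rule (runs first so the
# management ports stay reachable over Tailscale even if a later step
# fails)
# =================================================================
printf '%s\n' "${YELLOW}▶️ 第0步:配置 Tailscale 通行证...${NC}"
uci -q delete firewall.tailscale_safety
uci set firewall.tailscale_safety=rule
uci set firewall.tailscale_safety.name='Allow-Tailscale-Anywhere'
# src='*' (any zone) rather than src='wan': on a single-arm router the
# WAN zone may have no interface bound, so a zone-specific rule would
# never match. The source IP range below is what actually gates access.
uci set firewall.tailscale_safety.src='*'
uci set firewall.tailscale_safety.src_ip="$TS_NET"
uci set firewall.tailscale_safety.proto='tcp udp'
# Router-local ports: 22 (SSH), 80/443 (LuCI).
uci set firewall.tailscale_safety.dest_port="$TS_PORTS"
uci set firewall.tailscale_safety.target='ACCEPT'
# 'dest' is deliberately NOT set. In the OpenWrt firewall config a rule
# with 'dest' set is a FORWARD rule into that zone ('*' = any zone), and
# a rule with no 'src' is an OUTPUT rule; only "src set, dest unset"
# produces an INPUT rule, i.e. traffic addressed to the router itself,
# which is the intent here. A dest='*' ACCEPT would instead permit
# forwarding from the tailnet to any zone on these ports.
uci commit firewall
/etc/init.d/firewall reload
check_step "防火墙规则 (万能版)"
printf '%s\n' "${GREEN}🛡️ 防火墙已加固!允许 100.64.x.x 访问 22/80/443。${NC}"
printf '\n'

# =================================================================
# 📦 Step 1: index refresh and base dependencies
# =================================================================
printf '%s\n' "${YELLOW}▶️ 第1步:更新列表 & 安装下载工具...${NC}"
# A failed index refresh is reported but not fatal on its own; the
# install that follows fails loudly if the package lists are unusable.
$UPDATE_CMD || printf '%s\n' "${YELLOW}⚠️ [$UPDATE_CMD] 返回非零,继续尝试安装${NC}" >&2
if [ "$PM" = "apk" ]; then
  apk add curl ca-certificates wget
else
  # wget-ssl is the preferred name; fall back to the older split package.
  opkg install curl ca-certificates wget-ssl || opkg install wget libustream-openssl
fi
check_step "基础依赖安装"

# =================================================================
# 📥 Step 2: install APPS
# =================================================================
printf '%s\n' "${YELLOW}▶️ 第2步:安装自定义 APP...${NC}"
printf '%s\n' "📋 计划安装: ${GREEN}$APPS${NC}"
for APP in $APPS; do   # unquoted on purpose: one package per word
  printf '%s' " 正在安装 $APP ... "
  # INSTALL_CMD is unquoted on purpose: it holds "<pm> <verb>".
  if $INSTALL_CMD "$APP" >/dev/null 2>&1; then
    printf '%s\n' "${GREEN}[OK]${NC}"
  else
    printf '%s\n' "${RED}[Fail]${NC}"
    printf '%s\n' "${RED}❌ 警告:[$APP] 安装失败,请检查包名。${NC}"
    exit 1
  fi
done
printf '%s\n' "${GREEN}✅ 所有 APP 安装完毕${NC} "

# =================================================================
# 🚀 Step 3: enable BBR (clean old entries, then write and verify)
# =================================================================
printf '%s\n' "${YELLOW}▶️ 第3步:开启 BBR 加速...${NC}"
SYSCTL_CONF=/etc/sysctl.conf
# Drop any previous values so the file does not accumulate duplicates
# across repeated runs.
sed -i '/net.core.default_qdisc/d' "$SYSCTL_CONF"
sed -i '/net.ipv4.tcp_congestion_control/d' "$SYSCTL_CONF"
printf '%s\n' 'net.core.default_qdisc=fq_codel' 'net.ipv4.tcp_congestion_control=bbr' >> "$SYSCTL_CONF"
# Apply the whole file; output is suppressed because unrelated keys in
# it may print warnings. The verification below is what matters.
sysctl -p >/dev/null 2>&1
# kmod-tcp-bbr was installed in step 2; if the kernel still does not
# offer bbr the value stays at the previous algorithm.
RESULT=$(sysctl -n net.ipv4.tcp_congestion_control 2>/dev/null)
if [ "$RESULT" = "bbr" ]; then
  printf '%s\n' "${GREEN}🎉 系统配置完成!BBR 已启动。${NC}"
else
  printf '%s\n' "${RED}❌ BBR 开启失败,请检查内核支持。${NC}"
fi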