Files accompanying A Transparent Ad-Blocking VPN via SoftEther + Privoxy

before.rules

#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#

*nat
:POSTROUTING ACCEPT [0:0]
# Forward http traffic through Privoxy
-A PREROUTING -s 10.10.1.1/24 -p tcp -m multiport --dport 80 -j DNAT --to-destination 192.168.129.39:8118
# Forward all VPN traffic through public interface.
# Use this in a dynamic IP setting
# -A POSTROUTING -s 10.10.1.1/24 -o eth0 -j MASQUERADE
# Use this in a static IP setting
-A POSTROUTING -o eth0 -s 10.10.1.1/24 -j SNAT --to-source 192.155.88.116

# tell ufw to process the lines
COMMIT


# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines

# NAT rules
-A ufw-before-input -s 10.10.1.1/24 -m state --state NEW -j ACCEPT
-A ufw-before-output -s 10.10.1.1/24 -m state --state NEW -j ACCEPT
-A ufw-before-forward -s 10.10.1.1/24 -m state --state NEW -j ACCEPT

-A ufw-before-forward -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

# quickly process packets for which we already have a connection
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny
-A ufw-before-input -m state --state INVALID -j DROP

# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local

# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP

# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT

# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

config

# /etc/privoxy/config

confdir /etc/privoxy

#  2.5. actionsfile
#  =================
#
#  Specifies:
#
#      The actions file(s) to use
#
#  Type of value:
#
#      Complete file name, relative to confdir
#
#  Default values:
#
#        match-all.action # Actions that are applied to all sites and maybe overruled later on.
#
#        default.action   # Main actions file
#
#        user.action      # User customizations
#
#  Effect if unset:
#
#      No actions are taken at all. More or less neutral proxying.
#
#  Notes:
#
#      Multiple actionsfile lines are permitted, and are in fact
#      recommended!
#
#      The default values are default.action, which is the "main"
#      actions file maintained by the developers, and user.action,
#      where you can make your personal additions.
#
#      Actions files contain all the per site and per URL
#      configuration for ad blocking, cookie management, privacy
#      considerations, etc.
#
actionsfile match-all.action # Actions that are applied to all sites and maybe overruled later on.
actionsfile default.action   # Main actions file
actionsfile user.action      # User customizations
actionsfile ab2p.system.action
actionsfile ab2p.action
#
#  2.6. filterfile
#  ================
#
#  Specifies:
#
#      The filter file(s) to use
#
#  Type of value:
#
#      File name, relative to confdir
#
#  Default value:
#
#      default.filter (Unix) or default.filter.txt (Windows)
#
#  Effect if unset:
#
#      No textual content filtering takes place, i.e. all +filter{name}
#      actions in the actions files are turned neutral.
#
#  Notes:
#
#      Multiple filterfile lines are permitted.
#
#      The filter files contain content modification rules that use
#      regular expressions. These rules permit powerful changes on
#      the content of Web pages, and optionally the headers as well,
#      e.g., you could try to disable your favorite JavaScript
#      annoyances, re-write the actual displayed text, or just have
#      some fun playing buzzword bingo with web pages.
#
#      The +filter{name} actions rely on the relevant filter (name)
#      to be defined in a filter file!
#
#      A pre-defined filter file called default.filter that contains
#      a number of useful filters for common problems is included in
#      the distribution. See the section on the filter action for a
#      list.
#
#      It is recommended to place any locally adapted filters into a
#      separate file, such as user.filter.
#
filterfile default.filter
filterfile user.filter      # User customizations
filterfile ab2p.system.filter
filterfile ab2p.filter

#  4. ACCESS CONTROL AND SECURITY
#  ===============================
#
#  This section of the config file controls the security-relevant
#  aspects of Privoxy's configuration.
#
#
#  4.1. listen-address
#  ====================
#
#  Specifies:
#
#      The address and TCP port on which Privoxy will listen for
#      client requests.
#
#  Type of value:
#
#      [IP-Address]:Port
#
#      [Hostname]:Port
#
#  Default value:
#
#      127.0.0.1:8118
#
#  Effect if unset:
#
#      Bind to 127.0.0.1 (IPv4 localhost), port 8118. This is
#      suitable and recommended for home users who run Privoxy on the
#      same machine as their browser.
#
#  Notes:
#
#      You will need to configure your browser(s) to this proxy
#      address and port.
#
#      If you already have another service running on port 8118, or
#      if you want to serve requests from other machines (e.g. on
#      your local network) as well, you will need to override the
#      default.
#
#      You can use this statement multiple times to make Privoxy
#      listen on more ports or more IP addresses. Suitable if your
#      operating system does not support sharing IPv6 and IPv4
#      protocols on the same socket.
#
#      If a hostname is used instead of an IP address, Privoxy will
#      try to resolve it to an IP address and if there are multiple,
#      use the first one returned.
#
#      If the address for the hostname isn't already known on the
#      system (for example because it's in /etc/hostname), this may
#      result in DNS traffic.
#
#      If the specified address isn't available on the system, or if
#      the hostname can't be resolved, Privoxy will fail to start.
#
#      IPv6 addresses containing colons have to be quoted by
#      brackets. They can only be used if Privoxy has been compiled
#      with IPv6 support. If you aren't sure if your version supports
#      it, have a look at http://config.privoxy.org/show-status.
#
#      Some operating systems will prefer IPv6 to IPv4 addresses even
#      if the system has no IPv6 connectivity which is usually not
#      expected by the user. Some even rely on DNS to resolve
#      localhost which mean the "localhost" address used may not
#      actually be local.
#
#      It is therefore recommended to explicitly configure the
#      intended IP address instead of relying on the operating
#      system, unless there's a strong reason not to.
#
#      If you leave out the address, Privoxy will bind to all IPv4
#      interfaces (addresses) on your machine and may become
#      reachable from the Internet and/or the local network. Be aware
#      that some GNU/Linux distributions modify that behaviour
#      without updating the documentation. Check for non-standard
#      patches if your Privoxy version behaves differently.
#
#      If you configure Privoxy to be reachable from the network,
#      consider using access control lists (ACL's, see below), and/or
#      a firewall.
#
#      If you open Privoxy to untrusted users, you will also want to
#      make sure that the following actions are disabled:
#      enable-edit-actions and enable-remote-toggle
#
#  Example:
#
#      Suppose you are running Privoxy on a machine which has the
#      address 192.168.0.1 on your local private network
#      (192.168.0.0) and has another outside connection with a
#      different address. You want it to serve requests from inside
#      only:
#
#        listen-address  192.168.0.1:8118
#
#      Suppose you are running Privoxy on an IPv6-capable machine and
#      you want it to listen on the IPv6 address of the loopback
#      device:
#
#        listen-address [::1]:8118
#
#listen-address  127.0.0.1:8118
listen-address $PRIVATE_IP:8118
#  4.2. toggle
#  ============
#
#  Specifies:
#
#      Initial state of "toggle" status
#
#  Type of value:
#
#      1 or 0
#
#  Default value:
#
#      1
#
#  Effect if unset:
#
#      Act as if toggled on
#
#  Notes:
#
#      If set to 0, Privoxy will start in "toggled off" mode, i.e.
#      mostly behave like a normal, content-neutral proxy with both
#      ad blocking and content filtering disabled. See
#      enable-remote-toggle below.
#
toggle  1
#
#  4.3. enable-remote-toggle
#  ==========================
#
#  Specifies:
#
#      Whether or not the web-based toggle feature may be used
#
#  Type of value:
#
#      0 or 1
#
#  Default value:
#
#      0
#
#  Effect if unset:
#
#      The web-based toggle feature is disabled.
#
#  Notes:
#
#      When toggled off, Privoxy mostly acts like a normal,
#      content-neutral proxy, i.e. doesn't block ads or filter
#      content.
#
#      Access to the toggle feature can not be controlled separately
#      by "ACLs" or HTTP authentication, so that everybody who can
#      access Privoxy (see "ACLs" and listen-address above) can
#      toggle it for all users. So this option is not recommended for
#      multi-user environments with untrusted users.
#
#      Note that malicious client side code (e.g Java) is also
#      capable of using this option.
#
#      As a lot of Privoxy users don't read documentation, this
#      feature is disabled by default.
#
#      Note that you must have compiled Privoxy with support for this
#      feature, otherwise this option has no effect.
#
enable-remote-toggle  1
#
#  4.4. enable-remote-http-toggle
#  ===============================
#
#  Specifies:
#
#      Whether or not Privoxy recognizes special HTTP headers to
#      change its behaviour.
#
#  Type of value:
#
#      0 or 1
#
#  Default value:
#
#      0
#
#  Effect if unset:
#
#      Privoxy ignores special HTTP headers.
#
#  Notes:
#
#      When toggled on, the client can change Privoxy's behaviour by
#      setting special HTTP headers. Currently the only supported
#      special header is "X-Filter: No", to disable filtering for the
#      ongoing request, even if it is enabled in one of the action
#      files.
#
#      This feature is disabled by default. If you are using Privoxy
#      in a environment with trusted clients, you may enable this
#      feature at your discretion. Note that malicious client side
#      code (e.g Java) is also capable of using this feature.
#
#      This option will be removed in future releases as it has been
#      obsoleted by the more general header taggers.
#
enable-remote-http-toggle  0
#
#  4.5. enable-edit-actions
#  =========================
#
#  Specifies:
#
#      Whether or not the web-based actions file editor may be used
#
#  Type of value:
#
#      0 or 1
#
#  Default value:
#
#      0
#
#  Effect if unset:
#
#      The web-based actions file editor is disabled.
#
#  Notes:
#
#      Access to the editor can not be controlled separately by
#      "ACLs" or HTTP authentication, so that everybody who can
#      access Privoxy (see "ACLs" and listen-address above) can
#      modify its configuration for all users.
#
#      This option is not recommended for environments with untrusted
#      users and as a lot of Privoxy users don't read documentation,
#      this feature is disabled by default.
#
#      Note that malicious client side code (e.g Java) is also
#      capable of using the actions editor and you shouldn't enable
#      this options unless you understand the consequences and are
#      sure your browser is configured correctly.
#
#      Note that you must have compiled Privoxy with support for this
#      feature, otherwise this option has no effect.
#
enable-edit-actions 1
#
#  4.6. enforce-blocks
#  ====================
#
#  Specifies:
#
#      Whether the user is allowed to ignore blocks and can "go there
#      anyway".
#
#  Type of value:
#
#      0 or 1
#
#  Default value:
#
#      0
#
#  Effect if unset:
#
#      Blocks are not enforced.
#
#  Notes:
#
#      Privoxy is mainly used to block and filter requests as a
#      service to the user, for example to block ads and other junk
#      that clogs the pipes. Privoxy's configuration isn't perfect
#      and sometimes innocent pages are blocked. In this situation it
#      makes sense to allow the user to enforce the request and have
#      Privoxy ignore the block.
#
#      In the default configuration Privoxy's "Blocked" page contains
#      a "go there anyway" link to adds a special string (the force
#      prefix) to the request URL. If that link is used, Privoxy will
#      detect the force prefix, remove it again and let the request
#      pass.
#
#      Of course Privoxy can also be used to enforce a network
#      policy. In that case the user obviously should not be able to
#      bypass any blocks, and that's what the "enforce-blocks" option
#      is for. If it's enabled, Privoxy hides the "go there anyway"
#      link. If the user adds the force prefix by hand, it will not
#      be accepted and the circumvention attempt is logged.
#
#  Examples:
#
#      enforce-blocks 1
#
enforce-blocks 0
#  4.9. enable-proxy-authentication-forwarding
#  ============================================
#
#  Specifies:
#
#      Whether or not proxy authentication through Privoxy should
#      work.
#
#  Type of value:
#
#      0 or 1
#
#  Default value:
#
#      0
#
#  Effect if unset:
#
#      Proxy authentication headers are removed.
#
#  Notes:
#
#      Privoxy itself does not support proxy authentication, but can
#      allow clients to authenticate against Privoxy's parent proxy.
#
#      By default Privoxy (3.0.21 and later) don't do that and remove
#      Proxy-Authorization headers in requests and Proxy-Authenticate
#      headers in responses to make it harder for malicious sites to
#      trick inexperienced users into providing login information.
#
#      If this option is enabled the headers are forwarded.
#
#      Enabling this option is not recommended if there is no parent
#      proxy that requires authentication or if the local network
#      between Privoxy and the parent proxy isn't trustworthy. If
#      proxy authentication is only required for some requests, it is
#      recommended to use a client header filter to remove the
#      authentication headers for requests where they aren't needed.
#
enable-proxy-authentication-forwarding 0
#
#  5.3. forwarded-connect-retries
#  ===============================
#
#  Specifies:
#
#      How often Privoxy retries if a forwarded connection request
#      fails.
#
#  Type of value:
#
#      Number of retries.
#
#  Default value:
#
#      0
#
#  Effect if unset:
#
#      Connections forwarded through other proxies are treated like
#      direct connections and no retry attempts are made.
#
#  Notes:
#
#      forwarded-connect-retries is mainly interesting for socks4a
#      connections, where Privoxy can't detect why the connections
#      failed. The connection might have failed because of a DNS
#      timeout in which case a retry makes sense, but it might also
#      have failed because the server doesn't exist or isn't
#      reachable. In this case the retry will just delay the
#      appearance of Privoxy's error message.
#
#      Note that in the context of this option, "forwarded
#      connections" includes all connections that Privoxy forwards
#      through other proxies. This option is not limited to the HTTP
#      CONNECT method.
#
#      Only use this option, if you are getting lots of
#      forwarding-related error messages that go away when you try
#      again manually. Start with a small value and check Privoxy's
#      logfile from time to time, to see how many retries are usually
#      needed.
#
#  Examples:
#
#      forwarded-connect-retries 1
#
forwarded-connect-retries  0
#
#  6. MISCELLANEOUS
#  =================
#
#  6.1. accept-intercepted-requests
#  =================================
#
#  Specifies:
#
#      Whether intercepted requests should be treated as valid.
#
#  Type of value:
#
#      0 or 1
#
#  Default value:
#
#      0
#
#  Effect if unset:
#
#      Only proxy requests are accepted, intercepted requests are
#      treated as invalid.
#
#  Notes:
#
#      If you don't trust your clients and want to force them to use
#      Privoxy, enable this option and configure your packet filter
#      to redirect outgoing HTTP connections into Privoxy.
#
#      Note that intercepting encrypted connections (HTTPS) isn't
#      supported.
#
#      Make sure that Privoxy's own requests aren't redirected as
#      well. Additionally take care that Privoxy can't intentionally
#      connect to itself, otherwise you could run into redirection
#      loops if Privoxy's listening port is reachable by the outside
#      or an attacker has access to the pages you visit.
#
#  Examples:
#
#      accept-intercepted-requests 1
#
accept-intercepted-requests 1
#
#  6.2. allow-cgi-request-crunching
#  =================================
#
#  Specifies:
#
#      Whether requests to Privoxy's CGI pages can be blocked or
#      redirected.
#
#  Type of value:
#
#      0 or 1
#
#  Default value:
#
#      0
#
#  Effect if unset:
#
#      Privoxy ignores block and redirect actions for its CGI pages.
#
#  Notes:
#
#      By default Privoxy ignores block or redirect actions for its
#      CGI pages. Intercepting these requests can be useful in
#      multi-user setups to implement fine-grained access control,
#      but it can also render the complete web interface useless and
#      make debugging problems painful if done without care.
#
#      Don't enable this option unless you're sure that you really
#      need it.
#
#  Examples:
#
#      allow-cgi-request-crunching 1
#
allow-cgi-request-crunching 0
#
#  6.3. split-large-forms
#  =======================
#
#  Specifies:
#
#      Whether the CGI interface should stay compatible with broken
#      HTTP clients.
#
#  Type of value:
#
#      0 or 1
#
#  Default value:
#
#      0
#
#  Effect if unset:
#
#      The CGI form generate long GET URLs.
#
#  Notes:
#
#      Privoxy's CGI forms can lead to rather long URLs. This isn't a
#      problem as far as the HTTP standard is concerned, but it can
#      confuse clients with arbitrary URL length limitations.
#
#      Enabling split-large-forms causes Privoxy to divide big forms
#      into smaller ones to keep the URL length down. It makes
#      editing a lot less convenient and you can no longer submit all
#      changes at once, but at least it works around this browser
#      bug.
#
#      If you don't notice any editing problems, there is no reason
#      to enable this option, but if one of the submit buttons
#      appears to be broken, you should give it a try.
#
#  Examples:
#
#      split-large-forms 1
#
split-large-forms 0
#
#  6.4. keep-alive-timeout
#  ========================
#
#  Specifies:
#
#      Number of seconds after which an open connection will no
#      longer be reused.
#
#  Type of value:
#
#      Time in seconds.
#
#  Default value:
#
#      None
#
#  Effect if unset:
#
#      Connections are not kept alive.
#
#  Notes:
#
#      This option allows clients to keep the connection to Privoxy
#      alive. If the server supports it, Privoxy will keep the
#      connection to the server alive as well. Under certain
#      circumstances this may result in speed-ups.
#
#      By default, Privoxy will close the connection to the server if
#      the client connection gets closed, or if the specified timeout
#      has been reached without a new request coming in. This
#      behaviour can be changed with the connection-sharing option.
#
#      This option has no effect if Privoxy has been compiled without
#      keep-alive support.
#
#      Note that a timeout of five seconds as used in the default
#      configuration file significantly decreases the number of
#      connections that will be reused. The value is used because
#      some browsers limit the number of connections they open to a
#      single host and apply the same limit to proxies. This can
#      result in a single website "grabbing" all the connections the
#      browser allows, which means connections to other websites
#      can't be opened until the connections currently in use time
#      out.
#
#      Several users have reported this as a Privoxy bug, so the
#      default value has been reduced. Consider increasing it to 300
#      seconds or even more if you think your browser can handle it.
#      If your browser appears to be hanging, it probably can't.
#
#  Examples:
#
#      keep-alive-timeout 300
#
keep-alive-timeout 300
#
#  6.5. tolerate-pipelining
#  =========================
#
#  Specifies:
#
#      Whether or not pipelined requests should be served.
#
#  Type of value:
#
#      0 or 1.
#
#  Default value:
#
#      None
#
#  Effect if unset:
#
#      If Privoxy receives more than one request at once, it
#      terminates the client connection after serving the first one.
#
#  Notes:
#
#      Privoxy currently doesn't pipeline outgoing requests, thus
#      allowing pipelining on the client connection is not guaranteed
#      to improve the performance.
#
#      By default Privoxy tries to discourage clients from pipelining
#      by discarding aggressively pipelined requests, which forces
#      the client to resend them through a new connection.
#
#      This option lets Privoxy tolerate pipelining. Whether or not
#      that improves performance mainly depends on the client
#      configuration.
#
#      If you are seeing problems with pages not properly loading,
#      disabling this option could work around the problem.
#
#  Examples:
#
#      tolerate-pipelining 1
#
tolerate-pipelining 1
#
#  6.6. default-server-timeout
#  ============================
#
#  Specifies:
#
#      Assumed server-side keep-alive timeout if not specified by the
#      server.
#
#  Type of value:
#
#      Time in seconds.
#
#  Default value:
#
#      None
#
#  Effect if unset:
#
#      Connections for which the server didn't specify the keep-alive
#      timeout are not reused.
#
#  Notes:
#
#      Enabling this option significantly increases the number of
#      connections that are reused, provided the keep-alive-timeout
#      option is also enabled.
#
#      While it also increases the number of connections problems
#      when Privoxy tries to reuse a connection that already has been
#      closed on the server side, or is closed while Privoxy is
#      trying to reuse it, this should only be a problem if it
#      happens for the first request sent by the client. If it
#      happens for requests on reused client connections, Privoxy
#      will simply close the connection and the client is supposed to
#      retry the request without bothering the user.
#
#      Enabling this option is therefore only recommended if the
#      connection-sharing option is disabled.
#
#      It is an error to specify a value larger than the
#      keep-alive-timeout value.
#
#      This option has no effect if Privoxy has been compiled without
#      keep-alive support.
#
#  Examples:
#
#      default-server-timeout 60
#
default-server-timeout 60
#
#  6.7. connection-sharing
#  ========================
#
#  Specifies:
#
#      Whether or not outgoing connections that have been kept alive
#      should be shared between different incoming connections.
#
#  Type of value:
#
#      0 or 1
#
#  Default value:
#
#      None
#
#  Effect if unset:
#
#      Connections are not shared.
#
#  Notes:
#
#      This option has no effect if Privoxy has been compiled without
#      keep-alive support, or if it's disabled.
#
#  Notes:
#
#      Note that reusing connections doesn't necessary cause
#      speedups. There are also a few privacy implications you should
#      be aware of.
#
#      If this option is effective, outgoing connections are shared
#      between clients (if there are more than one) and closing the
#      browser that initiated the outgoing connection does no longer
#      affect the connection between Privoxy and the server unless
#      the client's request hasn't been completed yet.
#
#      If the outgoing connection is idle, it will not be closed
#      until either Privoxy's or the server's timeout is reached.
#      While it's open, the server knows that the system running
#      Privoxy is still there.
#
#      If there are more than one client (maybe even belonging to
#      multiple users), they will be able to reuse each others
#      connections. This is potentially dangerous in case of
#      authentication schemes like NTLM where only the connection is
#      authenticated, instead of requiring authentication for each
#      request.
#
#      If there is only a single client, and if said client can keep
#      connections alive on its own, enabling this option has next to
#      no effect. If the client doesn't support connection
#      keep-alive, enabling this option may make sense as it allows
#      Privoxy to keep outgoing connections alive even if the client
#      itself doesn't support it.
#
#      You should also be aware that enabling this option increases
#      the likelihood of getting the "No server or forwarder data"
#      error message, especially if you are using a slow connection
#      to the Internet.
#
#      This option should only be used by experienced users who
#      understand the risks and can weight them against the benefits.
#
#  Examples:
#
#      connection-sharing 1
#
#connection-sharing 1
#
#  6.8. socket-timeout
#  ====================
#
#  Specifies:
#
#      Number of seconds after which a socket times out if no data is
#      received.
#
#  Type of value:
#
#      Time in seconds.
#
#  Default value:
#
#      None
#
#  Effect if unset:
#
#      A default value of 300 seconds is used.
#
#  Notes:
#
#      The default is quite high and you probably want to reduce it.
#      If you aren't using an occasionally slow proxy like Tor,
#      reducing it to a few seconds should be fine.
#
#  Examples:
#
#      socket-timeout 300
#
socket-timeout 10
#
#  6.9. max-client-connections
#  ============================
#
#  Specifies:
#
#      Maximum number of client connections that will be served.
#
#  Type of value:
#
#      Positive number.
#
#  Default value:
#
#      128
#
#  Effect if unset:
#
#      Connections are served until a resource limit is reached.
#
#  Notes:
#
#      Privoxy creates one thread (or process) for every incoming
#      client connection that isn't rejected based on the access
#      control settings.
#
#      If the system is powerful enough, Privoxy can theoretically
#      deal with several hundred (or thousand) connections at the
#      same time, but some operating systems enforce resource limits
#      by shutting down offending processes and their default limits
#      may be below the ones Privoxy would require under heavy load.
#
#      Configuring Privoxy to enforce a connection limit below the
#      thread or process limit used by the operating system makes
#      sure this doesn't happen. Simply increasing the operating
#      system's limit would work too, but if Privoxy isn't the only
#      application running on the system, you may actually want to
#      limit the resources used by Privoxy.
#
#      If Privoxy is only used by a single trusted user, limiting the
#      number of client connections is probably unnecessary. If there
#      are multiple possibly untrusted users you probably still want
#      to additionally use a packet filter to limit the maximal
#      number of incoming connections per client. Otherwise a
#      malicious user could intentionally create a high number of
#      connections to prevent other users from using Privoxy.
#
#      Obviously using this option only makes sense if you choose a
#      limit below the one enforced by the operating system.
#
#      One most POSIX-compliant systems Privoxy can't properly deal
#      with more than FD_SETSIZE file descriptors at the same time
#      and has to reject connections if the limit is reached. This
#      will likely change in a future version, but currently this
#      limit can't be increased without recompiling Privoxy with a
#      different FD_SETSIZE limit.
#
#  Examples:
#
#      max-client-connections 256
#
max-client-connections 4096
#
#  6.11. enable-compression
#  =========================
#
#  Specifies:
#
#      Whether or not buffered content is compressed before delivery.
#
#  Type of value:
#
#      0 or 1
#
#  Default value:
#
#      0
#
#  Effect if unset:
#
#      Privoxy does not compress buffered content.
#
#  Effect if set:
#
#      Privoxy compresses buffered content before delivering it to
#      the client, provided the client supports it.
#
#  Notes:
#
#      This directive is only supported if Privoxy has been compiled
#      with FEATURE_COMPRESSION, which should not to be confused with
#      FEATURE_ZLIB.
#
#      Compressing buffered content is mainly useful if Privoxy and
#      the client are running on different systems. If they are
#      running on the same system, enabling compression is likely to
#      slow things down. If you didn't measure otherwise, you should
#      assume that it does and keep this option disabled.
#
#      Privoxy will not compress buffered content below a certain
#      length.
#
enable-compression 1
#
#  6.12. compression-level
#  ========================
#
#  Specifies:
#
#      The compression level that is passed to the zlib library when
#      compressing buffered content.
#
#  Type of value:
#
#      Positive number ranging from 0 to 9.
#
#  Default value:
#
#      1
#
#  Notes:
#
#      Compressing the data more takes usually longer than
#      compressing it less or not compressing it at all. Which level
#      is best depends on the connection between Privoxy and the
#      client. If you can't be bothered to benchmark it for yourself,
#      you should stick with the default and keep compression
#      disabled.
#
#      If compression is disabled, the compression level is
#      irrelevant.
#
#  Examples:
#
#          # Best speed (compared to the other levels)
#          compression-level 1
#
#          # Best compression
#          compression-level 9
#
#          # No compression. Only useful for testing as the added header
#          # slightly increases the amount of data that has to be sent.
#          # If your benchmark shows that using this compression level
#          # is superior to using no compression at all, the benchmark
#          # is likely to be flawed.
#          compression-level 0
#
#
compression-level 9

dhcpd.conf

# option definitions common to all supported networks...
option domain-name "xxx";
option domain-name-servers 8.8.8.8, 8.8.4.4;

default-lease-time 600;
max-lease-time 7200;

# Use this to enble / disable dynamic dns updates globally.
ddns-update-style none;

# No service will be given on this subnet, but declaring it helps the 
# DHCP server to understand the network topology.

subnet $PUBLIC_IP netmask 255.255.255.0 {
}

subnet $PRIVATE_IP netmask 255.255.128.0 {
}

# This is a very basic subnet declaration.
subnet 10.10.1.0 netmask 255.255.255.0 {
  option subnet-mask 255.255.255.0;
  option routers 10.10.1.1;
  range 10.10.1.47 10.10.1.57;
}

softethervpn-server.dhcpd.conf

# Unit override for softethervpn-server.service
[Unit]
Before=dhcpd4@tap_soft.service network@tap_soft.service
Requires=dhcpd4@tap_soft.service network@tap_soft.service

softethervpn-server.privoxy.conf

# Unit override for softethervpn-server.service
[Unit]
Requires=privoxy.service

ufw-softether

[SoftEther]
title=SoftEther VPN
description=SoftEther VPN
ports=500,1701,4500/udp|1701,1723/tcp

vpn.mobileconfig

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>PayloadContent</key>
    <array>
      <dict>
        <key>PayloadType</key>
        <string>com.apple.vpn.managed</string>

        <key>PayloadVersion</key>
        <integer>1</integer>

        <key>PayloadIdentifier</key>
        <string>com.example.config.vpn</string>

        <key>PayloadUUID</key>
        <string>....</string>

        <key>PayloadDisplayName</key>
        <string>VPN</string>

        <key>UserDefinedName</key>
        <string>VPN</string>

        <key>OverridePrimary</key>
        <true/>

        <key>IPv4</key>
        <dict>
          <key>OverridePrimary</key>
          <integer>1</integer>
        </dict>

        <key>VPNType</key>
        <string>L2TP</string>

        <key>ProviderType</key>
        <string>packet-tunnel</string>

        <key>PPP</key>
        <dict>
          <key>AuthName</key>
          <string>exampleusername</string>

          <key>TokenCard</key>
          <false/>

          <key>AuthPassword</key>
          <string>password</string>

          <key>CommRemoteAddress</key>
          <string>$PUBLIC_IP</string>
        </dict>

        <key>IPSec</key>
        <dict>
          <key>AuthenticationMethod</key>
          <string>SharedSecret</string>

          <key>LocalIdentifierType</key>
          <string>KeyID</string>

          <key>SharedSecret</key>
          <data>YS1zZWNyZXQ=</data>

          <key>OnDemandEnabled</key>
          <integer>1</integer>
          <key>OnDemandRules</key>
          <array>
            <dict>
              <key>Action</key>
              <string>Connect</string>
            </dict>
          </array>
        </dict>

        <key>Proxies</key>
        <dict>
          <key>HTTPSEnable</key>
          <integer>1</integer>
          <key>HTTPSProxy</key>
          <string>$PRIVATE_IP</string>
          <key>HTTPSPort</key>
          <integer>8118</integer>
        </dict>

      </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>AdBlock VPN</string>

    <key>PayloadDescription</key>
    <string>Setups a VPN with transparent http proxy for compression
    and adblocking, and a global http(s) proxy to attempt to block
    other ads and compress other content over https.</string>

    <key>PayloadIdentifier</key>
    <string>com.example.config</string>

    <key>PayloadUUID</key>
    <string>....</string>

    <key>PayloadType</key>
    <string>Configuration</string>

    <key>PayloadVersion</key>
    <integer>1</integer>
  </dict>
</plist>