gitmyhub

node-accelerator

Shell ★ 87 updated 4d ago

A set of shell scripts that optimize, harden, and diagnose Linux servers running VPN node software, tuning the kernel for high network throughput, adding firewall and intrusion prevention, and producing a pass/warning health report.

Tags: Shell, Linux, nftables, CrowdSec, XanMod. Setup: hard. Complexity: 3/5

Node-accelerator is a collection of shell scripts for tuning, securing, and diagnosing Linux servers that run VPN node software, specifically stacks built on Xray with VLESS-Reality and xHTTP, on Hysteria2, and on TUIC. The README is written in Russian, and the project targets Debian 11 through 13 and Ubuntu 20.04 through 24.04. All three modules are designed to be idempotent, so running them a second time is safe, and every change can be undone with a single rollback command.

The optimizer script pushes a server toward higher network throughput. It installs the XanMod kernel variant with BBRv3 congestion control, adjusts dozens of kernel network settings including socket buffer sizes and connection tracking limits, and spreads incoming packet processing across all available CPU cores. On a typical cloud server the virtual network card often has a single receive queue, so every incoming packet is handled on one core, which saturates before the link does; receive packet steering hands that work to the other cores. The script also raises system limits on open files and processes, disables transparent huge pages, and sets the CPU governor to performance mode.
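The two properties the optimizer advertises, idempotent re-runs and single-command rollback, are easy to get subtly wrong: a naive script appends duplicate sysctl lines on every run, and a rollback that deletes the drop-in file without restoring the pre-tuning values leaves the kernel tuned. The following is an added illustration, not node-accelerator's own code, of how to get both right for two of its techniques: sysctl tuning through a dedicated drop-in with the original values recorded once, and receive packet steering spread over every online CPU. The file paths, tuning values and the `eth0` default are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not node-accelerator's own code. Shows idempotent sysctl
# tuning via a dedicated drop-in file (originals recorded once so rollback can
# restore them) and receive packet steering (RPS) over every online CPU.
# File names and tuning values are illustrative assumptions, not the project's.
SYSCTL_FILE="${SYSCTL_FILE:-/etc/sysctl.d/99-node-accelerator.conf}"
BACKUP_FILE="${BACKUP_FILE:-/var/lib/node-accelerator/sysctl.orig}"

# set_sysctl_line FILE KEY VALUE: replace any existing "KEY = ..." line in FILE
# or append one, so repeated runs never duplicate entries.
set_sysctl_line() {
  file=$1; key=$2; value=$3
  tmp=$(mktemp)
  if [ -f "$file" ]; then
    grep -v "^$key = " "$file" > "$tmp" || :   # grep exits 1 when nothing is left
  fi
  printf '%s = %s\n' "$key" "$value" >> "$tmp"
  chmod 644 "$tmp" && mv "$tmp" "$file"
}

# save_original KEY: record the running value once. A second run must not
# overwrite the saved original with the already-tuned value.
save_original() {
  key=$1
  grep -q "^$key = " "$BACKUP_FILE" 2>/dev/null && return 0
  cur=$(sysctl -n "$key" 2>/dev/null) || return 0   # e.g. nf_conntrack not loaded yet
  mkdir -p "$(dirname "$BACKUP_FILE")"
  printf '%s = %s\n' "$key" "$cur" >> "$BACKUP_FILE"
}

tune() { save_original "$1"; set_sysctl_line "$SYSCTL_FILE" "$1" "$2"; }

# rps_mask NCPU: hex CPU bitmask in the kernel's comma-separated 32-bit-word
# format, e.g. 4 -> f, 40 -> ff,ffffffff.
rps_mask() {
  n=$1; full=$((n / 32)); rem=$((n % 32)); out=""
  [ "$rem" -gt 0 ] && out=$(printf '%x' $(( (1 << rem) - 1 )))
  i=0
  while [ "$i" -lt "$full" ]; do
    out="${out:+$out,}ffffffff"
    i=$((i + 1))
  done
  printf '%s\n' "$out"
}

# set_rps IFACE MASK: write MASK to every receive queue of IFACE (root only).
set_rps() {
  for q in /sys/class/net/"$1"/queues/rx-*/rps_cpus; do
    [ -e "$q" ] && printf '%s\n' "$2" > "$q"
  done
}

case "${1:-}" in
  apply)
    tune net.core.default_qdisc fq
    tune net.ipv4.tcp_congestion_control bbr
    tune net.core.somaxconn 65535
    tune net.core.rmem_max 67108864
    tune net.core.wmem_max 67108864
    tune net.core.netdev_max_backlog 250000
    tune net.netfilter.nf_conntrack_max 262144
    sysctl -q -p "$SYSCTL_FILE"
    set_rps "${2:-eth0}" "$(rps_mask "$(getconf _NPROCESSORS_ONLN)")"
    ;;
  rollback)
    [ -f "$BACKUP_FILE" ] && sysctl -q -p "$BACKUP_FILE"   # restore recorded originals
    rm -f "$SYSCTL_FILE" "$BACKUP_FILE"
    set_rps "${2:-eth0}" 0                                  # RPS off, the usual default
    ;;
  *) echo "usage: $0 apply [iface] | rollback [iface]" >&2 ;;
esac
```

The backup deliberately lives outside `/etc/sysctl.d` so `sysctl --system` never loads it as a tuning file, and `save_original` refuses to overwrite an existing entry, which is the detail that makes a second `apply` harmless. Writing `0` to `rps_cpus` on rollback assumes RPS was disabled before, which is the kernel default.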

The protection script sets up a firewall using nftables and installs CrowdSec, a community-driven intrusion prevention system. It adds per-IP rate limits on new TCP connections and UDP packets, automatically bans addresses that probe closed ports, drops the malformed packet types that port scanners rely on, and guards against SSH brute force. Importantly, it manages only its own nftables table rather than flushing the entire ruleset, so existing Docker networking and CrowdSec rules are left untouched. IPv6 is covered alongside IPv4 throughout. A built-in safety timer reverts the new rules automatically unless you confirm them within a timeout, so a rule that locks you out of SSH undoes itself.
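To make the design concrete, here is an added example (not node-accelerator's own code) of a firewall module with the properties described above: one self-contained `inet` table whose rollback is a single `delete table`, per-source limits built on nftables dynamic sets, port-scan flag checks, an automatic ban for SYNs to closed ports, and a dead-man timer that removes the table unless it is confirmed. The table and set names, ports, rates, timeouts and the confirmation flag path are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not node-accelerator's own code. Builds a self-contained
# nftables table so that its rollback is a single "delete table", installs it
# with a dead-man timer, and implements per-source limits with dynamic sets.
# Table/set names, ports, rates and the confirmation path are assumptions.
TABLE=node_accel
CONFIRM_FLAG="${CONFIRM_FLAG:-/run/node_accel.confirmed}"

# render_ruleset "tcp ports" "udp ports": print the ruleset for `nft -f`.
# The first two lines make the load a transactional replace of our own table
# only (create-if-missing, delete, re-create); other tables are untouched.
render_ruleset() {
  tcp_ports=$1; udp_ports=$2
  cat <<EOF
table inet $TABLE
delete table inet $TABLE
table inet $TABLE {
  set syn4 { type ipv4_addr; flags dynamic; timeout 1m; size 65535; }
  set syn6 { type ipv6_addr; flags dynamic; timeout 1m; size 65535; }
  set udp4 { type ipv4_addr; flags dynamic; timeout 1m; size 65535; }
  set udp6 { type ipv6_addr; flags dynamic; timeout 1m; size 65535; }
  set ssh4 { type ipv4_addr; flags dynamic; timeout 10m; size 65535; }
  set ssh6 { type ipv6_addr; flags dynamic; timeout 10m; size 65535; }
  set ban4 { type ipv4_addr; flags dynamic; timeout 1h; size 65535; }
  set ban6 { type ipv6_addr; flags dynamic; timeout 1h; size 65535; }

  chain input {
    type filter hook input priority filter; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    ip saddr @ban4 drop
    ip6 saddr @ban6 drop
    # port-scan probes: NULL, XMAS and impossible flag combinations
    tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop
    tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg drop
    tcp flags & (syn|rst) == syn|rst drop
    tcp flags & (fin|syn) == fin|syn drop
    # per-source limits: new TCP connections, UDP packets, SSH attempts
    tcp flags syn ct state new add @syn4 { ip saddr limit rate over 30/second burst 60 packets } drop
    tcp flags syn ct state new add @syn6 { ip6 saddr limit rate over 30/second burst 60 packets } drop
    meta l4proto udp add @udp4 { ip saddr limit rate over 2000/second burst 4000 packets } drop
    meta l4proto udp add @udp6 { ip6 saddr limit rate over 2000/second burst 4000 packets } drop
    tcp dport 22 ct state new add @ssh4 { ip saddr limit rate over 6/minute burst 6 packets } drop
    tcp dport 22 ct state new add @ssh6 { ip6 saddr limit rate over 6/minute burst 6 packets } drop
    # ICMP is needed for PMTU and, on IPv6, neighbour discovery: never drop ND
    icmp type { echo-request, destination-unreachable, time-exceeded, parameter-problem } limit rate 20/second accept
    icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, packet-too-big, time-exceeded, parameter-problem, destination-unreachable } accept
    icmpv6 type echo-request limit rate 20/second accept
    # services
    tcp dport { $tcp_ports } ct state new accept
    udp dport { $udp_ports } accept
    # a SYN to anything else is a closed-port probe: ban the source. Keyed on
    # TCP only, because UDP source addresses are trivially spoofed.
    tcp flags syn ct state new add @ban4 { ip saddr } drop
    tcp flags syn ct state new add @ban6 { ip6 saddr } drop
  }
}
EOF
}

# apply_with_timer FILE SECONDS: check, load, then detach a timer that deletes
# our table unless confirm_rules ran first. setsid/nohup keeps the timer alive
# when the SSH session that started it is the thing that just broke.
apply_with_timer() {
  nft -c -f "$1" || return 1
  rm -f "$CONFIRM_FLAG"
  nft -f "$1" || return 1
  setsid nohup sh -c "sleep $2; [ -e '$CONFIRM_FLAG' ] || nft delete table inet $TABLE" >/dev/null 2>&1 &
  echo "rules loaded; run '$0 confirm' within $2s or they are removed" >&2
}

confirm_rules() { : > "$CONFIRM_FLAG"; }

case "${1:-}" in
  render)   render_ruleset "${2:-22,443}" "${3:-443}" ;;
  apply)    f=$(mktemp) && render_ruleset "${2:-22,443}" "${3:-443}" > "$f" && apply_with_timer "$f" "${4:-90}" ;;
  confirm)  confirm_rules ;;
  rollback) nft delete table inet "$TABLE" ;;
  *) echo "usage: $0 render|apply [tcp_ports udp_ports [seconds]] | confirm | rollback" >&2 ;;
esac
```

Two caveats a practitioner should keep in mind. First, nftables verdict semantics: a `drop` in any base chain on a hook is final, whereas `accept` only lets the packet continue to the next table's chain on the same hook, so a `policy drop` table can cut off traffic that Docker's or the CrowdSec bouncer's tables (named `crowdsec` and `crowdsec6` by default) would have accepted, but it can never override their drops; this is also why a per-table rollback is safe. Second, the automatic ban has no allow-list here; add your own management addresses to a trusted set that is accepted before the `@ban4`/`@ban6` checks before you rely on it, and keep the ban timeout short.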

The diagnostics script produces a read-only report covering kernel version, BBR status, network settings, connection tracking, firewall state, and open ports, with a pass or warning marker next to each item and suggestions for what to fix.
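A read-only report of this kind is mostly a baseline comparison, and the useful part is that it works on a dump as well as on the live host, so it can be unit-tested and run against a saved `sysctl -a` from another machine. The following is an added example, not node-accelerator's own diagnostics code; the baseline values and the XanMod kernel check are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not node-accelerator's own code. A read-only checker in the
# spirit of its diagnostics module: compares live sysctl values (or any
# "key = value" dump on stdin) against an expected baseline and prints one
# PASS/WARN line per item plus a summary. Baseline values are assumptions.

# Baseline: key, expected value, then a hint printed on WARN.
EXPECTED='net.ipv4.tcp_congestion_control bbr enable BBR (needs a BBR-capable kernel)
net.core.default_qdisc fq pair BBR with the fq qdisc
net.core.somaxconn 65535 raise the listen backlog for busy endpoints
net.netfilter.nf_conntrack_max 262144 raise the conntrack table or new flows are dropped under load'

# lookup KEY: print the value for KEY from the dump in $DUMP, or nothing if absent.
lookup() {
  printf '%s\n' "$DUMP" | sed -n "s/^$1 = //p" | head -n 1
}

# report: read a sysctl-style dump from stdin, print PASS/WARN lines and a summary.
report() {
  DUMP=$(cat)
  pass=0; warn=0
  while read -r key expected hint; do
    [ -n "$key" ] || continue
    actual=$(lookup "$key")
    if [ "$actual" = "$expected" ]; then
      printf 'PASS %s = %s\n' "$key" "$actual"
      pass=$((pass + 1))
    elif [ -z "$actual" ]; then
      printf 'WARN %s not present (expected %s): %s\n' "$key" "$expected" "$hint"
      warn=$((warn + 1))
    else
      printf 'WARN %s = %s (expected %s): %s\n' "$key" "$actual" "$expected" "$hint"
      warn=$((warn + 1))
    fi
  done <<EOF
$EXPECTED
EOF
  printf 'SUMMARY: %d pass, %d warn\n' "$pass" "$warn"
}

# live_report: run against this host without changing anything, adding two
# non-sysctl items: kernel flavour and the listening sockets.
live_report() {
  k=$(uname -r)
  case "$k" in
    *xanmod*) printf 'PASS kernel %s\n' "$k" ;;
    *)        printf 'WARN kernel %s is not XanMod\n' "$k" ;;
  esac
  sysctl -a 2>/dev/null | report
  printf 'INFO listening sockets:\n'
  ss -Hlntu 2>/dev/null | awk '{print "  " $1, $5}'
}

if [ "${1:-}" = "--live" ]; then live_report; fi
```

Run it with `--live` for the host report, or pipe a saved `sysctl -a` into `report`. Keeping the comparison in a function that reads stdin is what makes the checker testable offline with a constructed dump.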

The project's README notes that it replaces an older toolkit that had incorrect rule ordering, global rate limits instead of per-IP limits, and no IPv6 coverage.

Where it fits