TESTING.md

# Testing Checklist

Use this checklist to verify your VPN network is working correctly.

## Pre-Deployment Tests

### DE VDS

- [ ] SSH access working
- [ ] System updated (`apt update && apt upgrade`)
- [ ] Adequate disk space (`df -h`)
- [ ] No port conflicts on 51821 (`ss -ulnp | grep 51821`)

### RU VDS

- [ ] SSH access working
- [ ] System updated (`apt update && apt upgrade`)
- [ ] Adequate disk space (`df -h`)
- [ ] No port conflicts on 51820 (`ss -ulnp | grep 51820`)
- [ ] No DNS conflicts on port 53 (`ss -ulnp | grep :53`)

## Post-Setup Tests

### DE VDS

- [ ] WireGuard installed (`wg version`)
- [ ] IP forwarding enabled (`cat /proc/sys/net/ipv4/ip_forward` = 1)
- [ ] WireGuard keys generated (`ls /etc/wireguard/keys/`)
- [ ] nftables config exists (`ls /etc/nftables.conf`)
- [ ] Services enabled (not yet started)

### RU VDS

- [ ] WireGuard installed (`wg version`)
- [ ] dnsmasq installed (`dnsmasq -v`)
- [ ] nftables installed (`nft -v`)
- [ ] IP forwarding enabled (`cat /proc/sys/net/ipv4/ip_forward` = 1)
- [ ] WireGuard keys generated (`ls /etc/wireguard/keys/`)
- [ ] Routing table added (`grep proxy /etc/iproute2/rt_tables`)
- [ ] Update script exists (`ls /etc/wireguard/update-direct-routes.sh`)
- [ ] All configs in place
- [ ] Services enabled (not yet started)

## Post-Configuration Tests (After Key Exchange)

### DE VDS

- [ ] wg0.conf contains RU public key (no `__RU_DE_TUNNEL_PUBLIC_KEY__` placeholder)
- [ ] nftables service started (`systemctl status nftables`)
- [ ] wg-quick@wg0 started (`systemctl status wg-quick@wg0`)
- [ ] wg0 interface exists (`ip addr show wg0`)
- [ ] wg0 has correct IP (`ip addr show wg0 | grep 10.20.0.2`)

### RU VDS

- [ ] wg1.conf contains DE public key (no `__DE_SERVER_PUBLIC_KEY__` placeholder)
- [ ] dnsmasq started (`systemctl status dnsmasq`)
- [ ] wg-quick@wg1 started (`systemctl status wg-quick@wg1`)
- [ ] wg-quick@wg0 started (`systemctl status wg-quick@wg0`)
- [ ] wg1 interface exists (`ip addr show wg1`)
- [ ] wg0 interface exists (`ip addr show wg0`)
- [ ] wg1 has correct IP (`ip addr show wg1 | grep 10.20.0.1`)
- [ ] wg0 has correct IP (`ip addr show wg0 | grep 10.10.0.1`)

## Tunnel Tests

### From RU VDS

- [ ] Can ping DE VDS: `ping -c 4 10.20.0.2`
- [ ] WireGuard handshake established: `wg show wg1 | grep "latest handshake"`
- [ ] Transfer counters incrementing: `wg show wg1 | grep transfer`

### From DE VDS

- [ ] WireGuard handshake established: `wg show wg0 | grep "latest handshake"`
- [ ] Shows RU VDS as peer: `wg show wg0 peers`
- [ ] Transfer counters incrementing: `wg show wg0 | grep transfer`

## Routing Tests (Before Client Connection)

### RU VDS

- [ ] Proxy routing table exists: `ip route show table proxy`
- [ ] Default route via DE: `ip route show table proxy | grep "default via 10.20.0.2"`
- [ ] Policy routing rule exists: `ip rule show | grep proxy`
- [ ] nftables 'direct' set exists: `nft list set ip vpn-routing direct`
- [ ] nftables prerouting chain exists: `nft list chain ip vpn-routing prerouting`
- [ ] Russian IP ranges loaded: `nft list set ip vpn-routing direct | grep -c elements`

## Client Connection Tests

### First Client Addition

- [ ] Client added successfully: `/root/add-client.sh testclient`
- [ ] Client keys generated: `ls /etc/wireguard/keys/client_testclient.*`
- [ ] Client config created: `ls /etc/wireguard/clients/testclient.conf`
- [ ] QR code generated successfully
- [ ] Peer added to wg0: `wg show wg0 peers | grep -f /etc/wireguard/keys/client_testclient.pub`

### Client Connection (From Client Device)

- [ ] WireGuard app installed
- [ ] Config imported successfully
- [ ] Connection established
- [ ] No connection errors in app

### Basic Connectivity (From Client)

- [ ] Can ping VPN gateway: `ping 10.10.0.1`
- [ ] Can ping DE VDS: `ping 10.20.0.2`
- [ ] DNS resolution works: `nslookup google.com`
- [ ] DNS uses correct server: `nslookup google.com 10.10.0.1`

### Routing Verification (From Client)

- [ ] External IP shows DE VDS: `curl ifconfig.me` (should be 194.31.173.178)
- [ ] Can access international sites: `curl -I https://google.com`
- [ ] Can access Russian sites: `curl -I https://yandex.ru`

### IP-Based Routing (From Client)

Russian IPs are pre-loaded from RIPE database:

- [ ] Verify Russian IP ranges are loaded on RU VDS: `nft list set ip vpn-routing direct | wc -l`
- [ ] Visit `https://yandex.ru` from client (should be fast, direct route)
- [ ] Visit `https://mail.ru` from client (should be fast, direct route)
- [ ] Visit `https://google.com` from client (should go through DE tunnel)

### Advanced Routing Tests

From client, check routing paths:

- [ ] Traceroute to Russian site shows no DE hop
  ```bash
  traceroute yandex.ru
  # Should NOT show 10.20.0.x
  ```

- [ ] Traceroute to international site shows DE hop
  ```bash
  traceroute google.com
  # Should show 10.20.0.x in path
  ```

## Performance Tests

### Latency (From Client)

- [ ] Latency to VPN gateway: `ping -c 10 10.10.0.1`
  - Expected: < 50ms (depends on your location)
- [ ] Latency through tunnel: `ping -c 10 8.8.8.8`
  - Expected: 50-150ms (via DE)

### Bandwidth (From Client)

- [ ] Download speed test: `curl -o /dev/null https://speed.cloudflare.com/__down?bytes=100000000`
- [ ] Should get reasonable speeds (depends on VDS specs)

## Client Management Tests

### List Clients

- [ ] List shows active client: `/root/list-clients.sh`
- [ ] Shows correct IP assignment
- [ ] Shows latest handshake

### Disable Client

- [ ] Disable client: `/root/disable-client.sh testclient`
- [ ] Client no longer in wg show: `wg show wg0 peers`
- [ ] Client cannot connect
- [ ] Keys still exist: `ls /etc/wireguard/keys/client_testclient.*`

### Enable Client

- [ ] Enable client: `/root/enable-client.sh testclient`
- [ ] Client appears in wg show: `wg show wg0 peers`
- [ ] Client can connect again

### Add Multiple Clients

- [ ] Add 2nd client: `/root/add-client.sh client2`
- [ ] Gets different IP (10.10.0.3)
- [ ] Both clients can connect simultaneously
- [ ] Both clients in list: `/root/list-clients.sh`

### Remove Client

- [ ] Remove client: `/root/remove-client.sh testclient`
- [ ] Client not in wg show
- [ ] Keys deleted: `ls /etc/wireguard/keys/client_testclient.* 2>&1 | grep "No such file"`
- [ ] Config deleted: `ls /etc/wireguard/clients/testclient.conf 2>&1 | grep "No such file"`

## Stress Tests

### Multiple Concurrent Clients

- [ ] Add 5 clients
- [ ] All connect simultaneously
- [ ] All can browse internet
- [ ] Check server load: `top` (CPU should be low)
- [ ] Check memory: `free -h` (should have free memory)

### Continuous Traffic

- [ ] Stream video through VPN for 10 minutes
- [ ] No disconnections
- [ ] Stable speed
- [ ] Check for errors: `journalctl -u wg-quick@wg0 -n 50`

## Security Tests

### Firewall Rules (DE VDS)

- [ ] Port 51821 only accepts from RU IP:
  ```bash
  # From another host (should fail)
  nc -u 194.31.173.178 51821
  ```

- [ ] SSH still accessible (if configured)
- [ ] Other ports closed

### Firewall Rules (RU VDS)

- [ ] Port 51820 accepts WireGuard connections
- [ ] DNS only from VPN clients:
  ```bash
  # From outside (should fail)
  dig @176.124.216.197 google.com
  ```

- [ ] SSH still accessible
- [ ] Other ports closed

### DNS Leak Test (From Client)

- [ ] Check DNS server used: visit https://dnsleaktest.com/
- [ ] Should show RU VDS or your VPN as DNS server
- [ ] Should NOT show your ISP's DNS

## Failure Recovery Tests

### Restart Services

- [ ] Restart wg-quick@wg0 on RU VDS
- [ ] Clients reconnect automatically
- [ ] No connection loss > 30 seconds

### Reboot Tests

- [ ] Reboot DE VDS: `reboot`
- [ ] Services auto-start after boot
- [ ] Tunnel re-establishes

- [ ] Reboot RU VDS: `reboot`
- [ ] Services auto-start after boot
- [ ] Clients can reconnect

## Logs Check

### No Errors in Logs

- [ ] DE VDS WireGuard: `journalctl -u wg-quick@wg0 -n 50 --no-pager`
- [ ] RU VDS WireGuard wg0: `journalctl -u wg-quick@wg0 -n 50 --no-pager`
- [ ] RU VDS WireGuard wg1: `journalctl -u wg-quick@wg1 -n 50 --no-pager`
- [ ] RU VDS dnsmasq: `journalctl -u dnsmasq -n 50 --no-pager`

## Final Verification

- [ ] All clients can connect
- [ ] Russian domains route directly (fast)
- [ ] International domains route through DE (working)
- [ ] DNS resolution working
- [ ] No errors in logs
- [ ] Services set to auto-start
- [ ] Documentation updated with actual client names
- [ ] Backup of /etc/wireguard/ created

## Troubleshooting References

If any tests fail, refer to:
- [DEPLOYMENT.md](DEPLOYMENT.md) - Troubleshooting section
- [IMPLEMENTATION.md](IMPLEMENTATION.md) - Detailed implementation steps

## Test Results Template

```
Date: ____________________
Tester: __________________

Pre-Deployment: ☐ Pass ☐ Fail
Post-Setup: ☐ Pass ☐ Fail
Tunnel Tests: ☐ Pass ☐ Fail
Routing Tests: ☐ Pass ☐ Fail
Client Tests: ☐ Pass ☐ Fail
Performance: ☐ Pass ☐ Fail
Security: ☐ Pass ☐ Fail
Recovery: ☐ Pass ☐ Fail

Notes:
_____________________________________
_____________________________________
_____________________________________
```
Init 2026-02-02 20:11:05 +03:00			`# Testing Checklist`

			`Use this checklist to verify your VPN network is working correctly.`

			`## Pre-Deployment Tests`

			`### DE VDS`

			`- [ ] SSH access working`
			- [ ] System updated (`apt update && apt upgrade`)
			- [ ] Adequate disk space (`df -h`)
			- [ ] No port conflicts on 51821 (`ss -ulnp \| grep 51821`)

			`### RU VDS`

			`- [ ] SSH access working`
			- [ ] System updated (`apt update && apt upgrade`)
			- [ ] Adequate disk space (`df -h`)
			- [ ] No port conflicts on 51820 (`ss -ulnp \| grep 51820`)
			- [ ] No DNS conflicts on port 53 (`ss -ulnp \| grep :53`)

			`## Post-Setup Tests`

			`### DE VDS`

			- [ ] WireGuard installed (`wg version`)
			- [ ] IP forwarding enabled (`cat /proc/sys/net/ipv4/ip_forward` = 1)
			- [ ] WireGuard keys generated (`ls /etc/wireguard/keys/`)
			- [ ] nftables config exists (`ls /etc/nftables.conf`)
			`- [ ] Services enabled (not yet started)`

			`### RU VDS`

			- [ ] WireGuard installed (`wg version`)
			- [ ] dnsmasq installed (`dnsmasq -v`)
Migrate to pure nftables routing (remove iptables/ipset) - Replace hybrid iptables/ipset/nftables approach with pure nftables - Add nftables native set for Russian IP ranges (populated from RIPE) - Create update-direct-routes.sh script to load IP ranges from RIPE database - Remove ipset and iptables dependencies from postup.sh/postdown.sh - Add automatic weekly cron job for IP range updates - Update all documentation to reflect the new approach Benefits: - More reliable: no iptables/nftables conflicts - Simpler debugging: single tool for all rules (nft list ruleset) - Atomic rule loading: prevents partial failures - IP-based routing is more predictable than DNS-based Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-19 18:02:28 +03:00			- [ ] nftables installed (`nft -v`)
Init 2026-02-02 20:11:05 +03:00			- [ ] IP forwarding enabled (`cat /proc/sys/net/ipv4/ip_forward` = 1)
			- [ ] WireGuard keys generated (`ls /etc/wireguard/keys/`)
			- [ ] Routing table added (`grep proxy /etc/iproute2/rt_tables`)
Migrate to pure nftables routing (remove iptables/ipset) - Replace hybrid iptables/ipset/nftables approach with pure nftables - Add nftables native set for Russian IP ranges (populated from RIPE) - Create update-direct-routes.sh script to load IP ranges from RIPE database - Remove ipset and iptables dependencies from postup.sh/postdown.sh - Add automatic weekly cron job for IP range updates - Update all documentation to reflect the new approach Benefits: - More reliable: no iptables/nftables conflicts - Simpler debugging: single tool for all rules (nft list ruleset) - Atomic rule loading: prevents partial failures - IP-based routing is more predictable than DNS-based Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-19 18:02:28 +03:00			- [ ] Update script exists (`ls /etc/wireguard/update-direct-routes.sh`)
Init 2026-02-02 20:11:05 +03:00			`- [ ] All configs in place`
			`- [ ] Services enabled (not yet started)`

			`## Post-Configuration Tests (After Key Exchange)`

			`### DE VDS`

			- [ ] wg0.conf contains RU public key (no `__RU_DE_TUNNEL_PUBLIC_KEY__` placeholder)
			- [ ] nftables service started (`systemctl status nftables`)
			- [ ] wg-quick@wg0 started (`systemctl status wg-quick@wg0`)
			- [ ] wg0 interface exists (`ip addr show wg0`)
			- [ ] wg0 has correct IP (`ip addr show wg0 \| grep 10.20.0.2`)

			`### RU VDS`

			- [ ] wg1.conf contains DE public key (no `__DE_SERVER_PUBLIC_KEY__` placeholder)
			- [ ] dnsmasq started (`systemctl status dnsmasq`)
			- [ ] wg-quick@wg1 started (`systemctl status wg-quick@wg1`)
			- [ ] wg-quick@wg0 started (`systemctl status wg-quick@wg0`)
			- [ ] wg1 interface exists (`ip addr show wg1`)
			- [ ] wg0 interface exists (`ip addr show wg0`)
			- [ ] wg1 has correct IP (`ip addr show wg1 \| grep 10.20.0.1`)
			- [ ] wg0 has correct IP (`ip addr show wg0 \| grep 10.10.0.1`)

			`## Tunnel Tests`

			`### From RU VDS`

			- [ ] Can ping DE VDS: `ping -c 4 10.20.0.2`
			- [ ] WireGuard handshake established: `wg show wg1 \| grep "latest handshake"`
			- [ ] Transfer counters incrementing: `wg show wg1 \| grep transfer`

			`### From DE VDS`

			- [ ] WireGuard handshake established: `wg show wg0 \| grep "latest handshake"`
			- [ ] Shows RU VDS as peer: `wg show wg0 peers`
			- [ ] Transfer counters incrementing: `wg show wg0 \| grep transfer`

			`## Routing Tests (Before Client Connection)`

			`### RU VDS`

			- [ ] Proxy routing table exists: `ip route show table proxy`
			- [ ] Default route via DE: `ip route show table proxy \| grep "default via 10.20.0.2"`
			- [ ] Policy routing rule exists: `ip rule show \| grep proxy`
Migrate to pure nftables routing (remove iptables/ipset) - Replace hybrid iptables/ipset/nftables approach with pure nftables - Add nftables native set for Russian IP ranges (populated from RIPE) - Create update-direct-routes.sh script to load IP ranges from RIPE database - Remove ipset and iptables dependencies from postup.sh/postdown.sh - Add automatic weekly cron job for IP range updates - Update all documentation to reflect the new approach Benefits: - More reliable: no iptables/nftables conflicts - Simpler debugging: single tool for all rules (nft list ruleset) - Atomic rule loading: prevents partial failures - IP-based routing is more predictable than DNS-based Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-19 18:02:28 +03:00			- [ ] nftables 'direct' set exists: `nft list set ip vpn-routing direct`
			- [ ] nftables prerouting chain exists: `nft list chain ip vpn-routing prerouting`
			- [ ] Russian IP ranges loaded: `nft list set ip vpn-routing direct \| grep -c elements`
Init 2026-02-02 20:11:05 +03:00
			`## Client Connection Tests`

			`### First Client Addition`

			- [ ] Client added successfully: `/root/add-client.sh testclient`
			- [ ] Client keys generated: `ls /etc/wireguard/keys/client_testclient.*`
			- [ ] Client config created: `ls /etc/wireguard/clients/testclient.conf`
			`- [ ] QR code generated successfully`
			- [ ] Peer added to wg0: `wg show wg0 peers \| grep -f /etc/wireguard/keys/client_testclient.pub`

			`### Client Connection (From Client Device)`

			`- [ ] WireGuard app installed`
			`- [ ] Config imported successfully`
			`- [ ] Connection established`
			`- [ ] No connection errors in app`

			`### Basic Connectivity (From Client)`

			- [ ] Can ping VPN gateway: `ping 10.10.0.1`
			- [ ] Can ping DE VDS: `ping 10.20.0.2`
			- [ ] DNS resolution works: `nslookup google.com`
			- [ ] DNS uses correct server: `nslookup google.com 10.10.0.1`

			`### Routing Verification (From Client)`

			- [ ] External IP shows DE VDS: `curl ifconfig.me` (should be 194.31.173.178)
			- [ ] Can access international sites: `curl -I https://google.com`
			- [ ] Can access Russian sites: `curl -I https://yandex.ru`

Migrate to pure nftables routing (remove iptables/ipset) - Replace hybrid iptables/ipset/nftables approach with pure nftables - Add nftables native set for Russian IP ranges (populated from RIPE) - Create update-direct-routes.sh script to load IP ranges from RIPE database - Remove ipset and iptables dependencies from postup.sh/postdown.sh - Add automatic weekly cron job for IP range updates - Update all documentation to reflect the new approach Benefits: - More reliable: no iptables/nftables conflicts - Simpler debugging: single tool for all rules (nft list ruleset) - Atomic rule loading: prevents partial failures - IP-based routing is more predictable than DNS-based Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-19 18:02:28 +03:00			`### IP-Based Routing (From Client)`
Init 2026-02-02 20:11:05 +03:00
Migrate to pure nftables routing (remove iptables/ipset) - Replace hybrid iptables/ipset/nftables approach with pure nftables - Add nftables native set for Russian IP ranges (populated from RIPE) - Create update-direct-routes.sh script to load IP ranges from RIPE database - Remove ipset and iptables dependencies from postup.sh/postdown.sh - Add automatic weekly cron job for IP range updates - Update all documentation to reflect the new approach Benefits: - More reliable: no iptables/nftables conflicts - Simpler debugging: single tool for all rules (nft list ruleset) - Atomic rule loading: prevents partial failures - IP-based routing is more predictable than DNS-based Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-19 18:02:28 +03:00			`Russian IPs are pre-loaded from RIPE database:`
Init 2026-02-02 20:11:05 +03:00
Migrate to pure nftables routing (remove iptables/ipset) - Replace hybrid iptables/ipset/nftables approach with pure nftables - Add nftables native set for Russian IP ranges (populated from RIPE) - Create update-direct-routes.sh script to load IP ranges from RIPE database - Remove ipset and iptables dependencies from postup.sh/postdown.sh - Add automatic weekly cron job for IP range updates - Update all documentation to reflect the new approach Benefits: - More reliable: no iptables/nftables conflicts - Simpler debugging: single tool for all rules (nft list ruleset) - Atomic rule loading: prevents partial failures - IP-based routing is more predictable than DNS-based Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-19 18:02:28 +03:00			- [ ] Verify Russian IP ranges are loaded on RU VDS: `nft list set ip vpn-routing direct \| wc -l`
			- [ ] Visit `https://yandex.ru` from client (should be fast, direct route)
			- [ ] Visit `https://mail.ru` from client (should be fast, direct route)
			- [ ] Visit `https://google.com` from client (should go through DE tunnel)
Init 2026-02-02 20:11:05 +03:00
			`### Advanced Routing Tests`

			`From client, check routing paths:`

			`- [ ] Traceroute to Russian site shows no DE hop`
			```bash
			`traceroute yandex.ru`
			`# Should NOT show 10.20.0.x`
			```

			`- [ ] Traceroute to international site shows DE hop`
			```bash
			`traceroute google.com`
			`# Should show 10.20.0.x in path`
			```

			`## Performance Tests`

			`### Latency (From Client)`

			- [ ] Latency to VPN gateway: `ping -c 10 10.10.0.1`
			`- Expected: < 50ms (depends on your location)`
			- [ ] Latency through tunnel: `ping -c 10 8.8.8.8`
			`- Expected: 50-150ms (via DE)`

			`### Bandwidth (From Client)`

			- [ ] Download speed test: `curl -o /dev/null https://speed.cloudflare.com/__down?bytes=100000000`
			`- [ ] Should get reasonable speeds (depends on VDS specs)`

			`## Client Management Tests`

			`### List Clients`

			- [ ] List shows active client: `/root/list-clients.sh`
			`- [ ] Shows correct IP assignment`
			`- [ ] Shows latest handshake`

			`### Disable Client`

			- [ ] Disable client: `/root/disable-client.sh testclient`
			- [ ] Client no longer in wg show: `wg show wg0 peers`
			`- [ ] Client cannot connect`
			- [ ] Keys still exist: `ls /etc/wireguard/keys/client_testclient.*`

			`### Enable Client`

			- [ ] Enable client: `/root/enable-client.sh testclient`
			- [ ] Client appears in wg show: `wg show wg0 peers`
			`- [ ] Client can connect again`

			`### Add Multiple Clients`

			- [ ] Add 2nd client: `/root/add-client.sh client2`
			`- [ ] Gets different IP (10.10.0.3)`
			`- [ ] Both clients can connect simultaneously`
			- [ ] Both clients in list: `/root/list-clients.sh`

			`### Remove Client`

			- [ ] Remove client: `/root/remove-client.sh testclient`
			`- [ ] Client not in wg show`
			- [ ] Keys deleted: `ls /etc/wireguard/keys/client_testclient.* 2>&1 \| grep "No such file"`
			- [ ] Config deleted: `ls /etc/wireguard/clients/testclient.conf 2>&1 \| grep "No such file"`

			`## Stress Tests`

			`### Multiple Concurrent Clients`

			`- [ ] Add 5 clients`
			`- [ ] All connect simultaneously`
			`- [ ] All can browse internet`
			- [ ] Check server load: `top` (CPU should be low)
			- [ ] Check memory: `free -h` (should have free memory)

			`### Continuous Traffic`

			`- [ ] Stream video through VPN for 10 minutes`
			`- [ ] No disconnections`
			`- [ ] Stable speed`
			- [ ] Check for errors: `journalctl -u wg-quick@wg0 -n 50`

			`## Security Tests`

			`### Firewall Rules (DE VDS)`

			`- [ ] Port 51821 only accepts from RU IP:`
			```bash
			`# From another host (should fail)`
			`nc -u 194.31.173.178 51821`
			```

			`- [ ] SSH still accessible (if configured)`
			`- [ ] Other ports closed`

			`### Firewall Rules (RU VDS)`

			`- [ ] Port 51820 accepts WireGuard connections`
			`- [ ] DNS only from VPN clients:`
			```bash
			`# From outside (should fail)`
			`dig @176.124.216.197 google.com`
			```

			`- [ ] SSH still accessible`
			`- [ ] Other ports closed`

			`### DNS Leak Test (From Client)`

			`- [ ] Check DNS server used: visit https://dnsleaktest.com/`
			`- [ ] Should show RU VDS or your VPN as DNS server`
			`- [ ] Should NOT show your ISP's DNS`

			`## Failure Recovery Tests`

			`### Restart Services`

			`- [ ] Restart wg-quick@wg0 on RU VDS`
			`- [ ] Clients reconnect automatically`
			`- [ ] No connection loss > 30 seconds`

			`### Reboot Tests`

			- [ ] Reboot DE VDS: `reboot`
			`- [ ] Services auto-start after boot`
			`- [ ] Tunnel re-establishes`

			- [ ] Reboot RU VDS: `reboot`
			`- [ ] Services auto-start after boot`
			`- [ ] Clients can reconnect`

			`## Logs Check`

			`### No Errors in Logs`

			- [ ] DE VDS WireGuard: `journalctl -u wg-quick@wg0 -n 50 --no-pager`
			- [ ] RU VDS WireGuard wg0: `journalctl -u wg-quick@wg0 -n 50 --no-pager`
			- [ ] RU VDS WireGuard wg1: `journalctl -u wg-quick@wg1 -n 50 --no-pager`
			- [ ] RU VDS dnsmasq: `journalctl -u dnsmasq -n 50 --no-pager`

			`## Final Verification`

			`- [ ] All clients can connect`
			`- [ ] Russian domains route directly (fast)`
			`- [ ] International domains route through DE (working)`
			`- [ ] DNS resolution working`
			`- [ ] No errors in logs`
			`- [ ] Services set to auto-start`
			`- [ ] Documentation updated with actual client names`
			`- [ ] Backup of /etc/wireguard/ created`

			`## Troubleshooting References`

			`If any tests fail, refer to:`
			`- [DEPLOYMENT.md](DEPLOYMENT.md) - Troubleshooting section`
			`- [IMPLEMENTATION.md](IMPLEMENTATION.md) - Detailed implementation steps`

			`## Test Results Template`

			```
			`Date: ____________________`
			`Tester: __________________`

			`Pre-Deployment: ☐ Pass ☐ Fail`
			`Post-Setup: ☐ Pass ☐ Fail`
			`Tunnel Tests: ☐ Pass ☐ Fail`
			`Routing Tests: ☐ Pass ☐ Fail`
			`Client Tests: ☐ Pass ☐ Fail`
			`Performance: ☐ Pass ☐ Fail`
			`Security: ☐ Pass ☐ Fail`
			`Recovery: ☐ Pass ☐ Fail`

			`Notes:`
			`_____________________________________`
			`_____________________________________`
			`_____________________________________`
			```