vpn/DEPLOYMENT.md

# Deployment Guide

This guide walks you through deploying the VPN network on your actual servers.

## Prerequisites

- SSH access to both VDS servers
- Root or sudo privileges
- Basic familiarity with Linux command line

## Infrastructure

| Server | IP | Role |
|--------|-----|------|
| DE VDS | 194.31.173.178 | Exit node (Debian 13) |
| RU VDS | 176.124.216.197 | Gateway (Debian 12) |

---

## Step 1: Deploy DE VDS (Exit Node)

### 1.1 Copy setup script to DE VDS

From your local machine:

```bash
scp scripts/setup-de-vds.sh root@194.31.173.178:/root/
```

### 1.2 Run setup script

SSH into DE VDS:

```bash
ssh root@194.31.173.178
```

Run the setup:

```bash
cd /root
chmod +x setup-de-vds.sh
./setup-de-vds.sh
```

### 1.3 Save the DE VDS public key

The script will output the DE VDS public key. **Copy it** - you'll need it for RU VDS.

Example output:
```
Your DE VDS public key is:
Xabc123def456ghi789jkl012mno345pqr678stu901vwx234=
```

**Do not start services yet** - we need to exchange keys first.

---

## Step 2: Deploy RU VDS (Gateway)

### 2.1 Copy setup script to RU VDS

From your local machine:

```bash
scp scripts/setup-ru-vds.sh root@176.124.216.197:/root/
```

### 2.2 Run setup script

SSH into RU VDS:

```bash
ssh root@176.124.216.197
```

Run the setup:

```bash
cd /root
chmod +x setup-ru-vds.sh
./setup-ru-vds.sh
```

### 2.3 Save the RU VDS keys

The script will output two public keys:

1. **Server key** - for clients (you'll use this later when adding clients)
2. **DE tunnel key** - for DE VDS

Example output:
```
Server key (for clients):
Yabc123def456ghi789jkl012mno345pqr678stu901vwx234=

DE tunnel key (for DE VDS):
Zabc123def456ghi789jkl012mno345pqr678stu901vwx234=
```

**Copy both keys** and keep them safe.

**Do not start services yet** - we need to configure keys first.

---

## Step 3: Exchange Keys

### 3.1 Configure DE VDS with RU key

SSH into DE VDS:

```bash
ssh root@194.31.173.178
```

Edit WireGuard config:

```bash
nano /etc/wireguard/wg0.conf
```

Replace `__RU_DE_TUNNEL_PUBLIC_KEY__` with the **RU DE tunnel key** (the second key from RU VDS).

Save and exit (Ctrl+X, Y, Enter).

### 3.2 Configure RU VDS with DE key

SSH into RU VDS:

```bash
ssh root@176.124.216.197
```

Edit WireGuard config:

```bash
nano /etc/wireguard/wg1.conf
```

Replace `__DE_SERVER_PUBLIC_KEY__` with the **DE VDS public key**.

Save and exit (Ctrl+X, Y, Enter).

---

## Step 4: Start Services

### 4.1 Start DE VDS services

SSH into DE VDS:

```bash
ssh root@194.31.173.178
```

Start services:

```bash
systemctl start nftables
systemctl start wg-quick@wg0
```

Check status:

```bash
systemctl status wg-quick@wg0
wg show
```

You should see:
- `wg0` interface with IP `10.20.0.2/30`
- No handshake yet (RU VDS not connected)

### 4.2 Start RU VDS services

SSH into RU VDS:

```bash
ssh root@176.124.216.197
```

Start services:

```bash
systemctl start dnsmasq
systemctl start wg-quick@wg1
systemctl start wg-quick@wg0
```

Check status:

```bash
systemctl status wg-quick@wg1
systemctl status wg-quick@wg0
systemctl status dnsmasq
```

---

## Step 5: Verify Tunnel

### 5.1 Test from RU VDS

```bash
# Ping DE VDS through tunnel
ping -c 4 10.20.0.2

# Check WireGuard handshake
wg show wg1
```

You should see:
- Successful ping responses
- Recent handshake timestamp
- Transfer data counters

### 5.2 Test from DE VDS

```bash
# Check WireGuard handshake
wg show wg0

# You should see recent handshake from RU VDS
```

### 5.3 Check routing on RU VDS

```bash
# Check routing table
ip route show table proxy

# Check nftables set (will be empty until IP ranges are loaded)
nft list set ip vpn-routing direct

# Check policy routing rules
ip rule show
```

Expected output:
- Routing table `proxy` should have default route via `10.20.0.2`
- nftables set `direct` should exist
- Policy routing rule for `10.10.0.0/24` with fwmark `0x1`

### 5.4 Load Russian IP ranges

```bash
# Load Russian IP ranges into nftables (takes 1-2 minutes)
/etc/wireguard/update-direct-routes.sh

# Verify ranges were loaded
nft list set ip vpn-routing direct | head -20
```

---

## Step 6: Add First Client

### 6.1 Copy client management scripts to RU VDS

From your local machine:

```bash
scp scripts/add-client.sh root@176.124.216.197:/root/
scp scripts/list-clients.sh root@176.124.216.197:/root/
scp scripts/disable-client.sh root@176.124.216.197:/root/
scp scripts/enable-client.sh root@176.124.216.197:/root/
scp scripts/remove-client.sh root@176.124.216.197:/root/
```

### 6.2 Add a client

SSH into RU VDS:

```bash
ssh root@176.124.216.197
```

Add client (replace "phone" with your device name):

```bash
chmod +x /root/*.sh
/root/add-client.sh phone
```

The script will:
1. Generate client keys
2. Assign IP address (starting from 10.10.0.2)
3. Add peer to WireGuard
4. Create client config file
5. Display QR code for mobile devices

### 6.3 Transfer configuration to client

**For mobile devices:**
- Scan the QR code with WireGuard app

**For desktop/laptop:**
- Copy the configuration file from RU VDS:
  ```bash
  cat /etc/wireguard/clients/phone.conf
  ```
- Save it locally as `phone.conf`
- Import into WireGuard client

---

## Step 7: Test Client Connection

### 7.1 Connect from client

1. Open WireGuard app/client
2. Import/scan the configuration
3. Connect

### 7.2 Test basic connectivity

From the client device:

```bash
# Test VPN gateway
ping 10.10.0.1

# Test DNS
nslookup google.com
nslookup yandex.ru
```

### 7.3 Test routing

From the client device:

```bash
# Check external IP (should show DE VDS IP: 194.31.173.178)
curl ifconfig.me

# Visit a Russian site, then check ipset on RU VDS
```

On RU VDS:

```bash
# Check that Russian IP ranges are loaded
nft list set ip vpn-routing direct | wc -l

# Should show many IP ranges (thousands)
```

### 7.4 Advanced testing

Test that Russian IPs go direct:

```bash
# From client - visit some Russian sites
curl -I https://yandex.ru
curl -I https://mail.ru

# These should be fast (direct routing)
```

Test that other domains go through DE:

```bash
# From client
traceroute google.com
# Should show hop through 10.20.0.x

traceroute yandex.ru
# Should NOT show 10.20.0.x hop (goes direct)
```

---

## Step 8: Client Management

### List all clients

```bash
/root/list-clients.sh
```

### Add another client

```bash
/root/add-client.sh laptop
```

### Disable a client temporarily

```bash
/root/disable-client.sh phone
```

### Enable a disabled client

```bash
/root/enable-client.sh phone
```

### Permanently remove a client

```bash
/root/remove-client.sh phone
```

---

## Troubleshooting

### Tunnel not working

**Check WireGuard status:**
```bash
# On both servers
wg show
systemctl status wg-quick@wg0
systemctl status wg-quick@wg1  # RU only
```

**Check if ports are open:**
```bash
# On DE VDS
ss -ulnp | grep 51821

# On RU VDS
ss -ulnp | grep 51820
```

**Check firewall:**
```bash
nft list ruleset
```

### DNS not working

**Check dnsmasq:**
```bash
# On RU VDS
systemctl status dnsmasq
journalctl -u dnsmasq -n 50
```

**Test DNS locally:**
```bash
dig @127.0.0.1 google.com
dig @10.10.0.1 yandex.ru
```

### Routing not working

**Check routing tables:**
```bash
# On RU VDS
ip route show table proxy
ip rule show
```

**Check nftables set:**
```bash
nft list set ip vpn-routing direct | head -20
```

**Check nftables rules:**
```bash
nft list chain ip vpn-routing prerouting
```

### Client can't connect

**Check client config:**
- Correct server IP (176.124.216.197)
- Correct port (51820)
- Correct DNS (10.10.0.1)

**Check server logs:**
```bash
# On RU VDS
journalctl -u wg-quick@wg0 -f
```

**Check if peer is added:**
```bash
wg show wg0
```

---

## Maintenance

### View logs

```bash
# WireGuard
journalctl -u wg-quick@wg0 -f
journalctl -u wg-quick@wg1 -f

# dnsmasq
journalctl -u dnsmasq -f

# System
dmesg | grep -i wireguard
```

### Restart services

```bash
# RU VDS
systemctl restart wg-quick@wg0
systemctl restart wg-quick@wg1
systemctl restart dnsmasq

# DE VDS
systemctl restart wg-quick@wg0
```

### Update system packages

```bash
apt update && apt upgrade -y
```

### Backup configurations

```bash
# On both servers
tar -czf wireguard-backup-$(date +%Y%m%d).tar.gz /etc/wireguard/
```

---

## Security Best Practices

1. **Change SSH port** from default 22
2. **Use SSH keys** instead of passwords
3. **Enable automatic security updates:**
   ```bash
   apt install unattended-upgrades
   dpkg-reconfigure -plow unattended-upgrades
   ```
4. **Monitor logs** regularly
5. **Keep WireGuard keys secure** - never share them
6. **Rotate client keys** periodically
7. **Remove unused clients** promptly

---

## Performance Optimization

### If experiencing slow speeds:

1. **Check MTU settings:**
   ```bash
   # Add to WireGuard config
   MTU = 1420
   ```

2. **Enable BBR congestion control:**
   ```bash
   echo "net.core.default_qdisc=fq" >> /etc/sysctl.d/99-vpn.conf
   echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.d/99-vpn.conf
   sysctl -p /etc/sysctl.d/99-vpn.conf
   ```

3. **Increase UDP buffer sizes:**
   ```bash
   echo "net.core.rmem_max=2500000" >> /etc/sysctl.d/99-vpn.conf
   echo "net.core.wmem_max=2500000" >> /etc/sysctl.d/99-vpn.conf
   sysctl -p /etc/sysctl.d/99-vpn.conf
   ```

---

## Next Steps

- [ ] Deploy to production servers
- [ ] Add first client
- [ ] Test routing for .ru domains
- [ ] Test routing for international domains
- [ ] Set up monitoring (optional)
- [ ] Document server access credentials securely
- [ ] Schedule regular backups

---

## Quick Reference

### Key Files

**DE VDS:**
- `/etc/wireguard/wg0.conf` - WireGuard config
- `/etc/nftables.conf` - Firewall rules
- `/etc/wireguard/keys/` - WireGuard keys

**RU VDS:**
- `/etc/wireguard/wg0.conf` - User VPN config
- `/etc/wireguard/wg1.conf` - DE tunnel config
- `/etc/wireguard/postup.sh` - Routing setup
- `/etc/wireguard/postdown.sh` - Routing cleanup
- `/etc/dnsmasq.d/vpn-routing.conf` - DNS config
- `/etc/nftables.conf` - Firewall rules
- `/etc/wireguard/clients/` - Client configs

### Common Commands

```bash
# Check WireGuard status
wg show

# List clients
/root/list-clients.sh

# Add client
/root/add-client.sh <name>

# View logs
journalctl -u wg-quick@wg0 -f

# Test tunnel
ping 10.20.0.2

# Check routing
ip route show table proxy
nft list set ip vpn-routing direct | head -20

# Update Russian IP ranges
/etc/wireguard/update-direct-routes.sh
```